Pearson
800 East 96th Street
Indianapolis, Indiana 46240 USA
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
Don Poulton
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
Copyright © 2011 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-4708-2
ISBN-10: 0-7897-4708-1
Library of Congress Cataloging-in-Publication Data:
Poulton, Don.
MCTS 70-640 cert guide : Windows server 2008 Active directory,
configuring / Don Poulton.
p. cm.
ISBN 978-0-7897-4708-2 (hardcover w/CD)
1. Microsoft Windows server--Examinations--Study guides. 2. Operating
systems (Computers)--Examinations--Study guides. 3. Directory services
(Computer network technology)--Examinations--Study guides. 4. Local
area networks (Computer networks)--Management--Examinations--Study
guides. 5. Telecommunications engineers--Certification. 6. Electronic
data processing personnel--Certification. I. Title. II. Title: Windows
server 2008 Active directory, configuring.
QA76.76.O63P6685 2011
005.4'476--dc22
2010043593
Printed in the United States of America
First Printing: December 2010
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for
bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419 corpsales@pearsontechgroup.com
For sales outside of the U.S., please contact
International Sales international@pearson.com
ii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
Associate Publisher
Dave Dusthimer
Acquisitions Editor
Betsy Brown
Development Editor
Box Twelve
Communications, Inc.
Managing Editor
Sandra Schroeder
Project Editor
Mandie Frank
Copy Editor
Mike Henry
Indexer
Erika Millen
Proofreader
Megan Wade
Technical Editor
Chris Crayton
Publishing Coordinator
Vanessa Evans
Multimedia Developer
Dan Scherf
Designer
Gary Adair
Page Layout
Mark Shirar
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized.
Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be
regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is
implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor
responsibility to any person or entity with respect to any loss or damages arising from the information contained in this
book or from the use of the CD or programs accompanying it.
Contents at a Glance
Introduction 3
Chapter 1 Getting Started with Active Directory 17
Chapter 2 Installing and Configuring DNS for Active Directory 43
Chapter 3 Installing Active Directory Domain Services 73
Chapter 4 Configuring DNS Server Settings and Replication 107
Chapter 5 Global Catalogs and Operations Masters 143
Chapter 6 Configuring Active Directory Sites and Replication 173
Chapter 7 Additional Active Directory Roles 205
Chapter 8 Read-Only Domain Controllers 251
Chapter 9 Active Directory User and Group Accounts 281
Chapter 10 Trust Relationships in Active Directory 321
Chapter 11 Creating and Applying Group Policy Objects 345
Chapter 12 Group Policy Software Deployment 393
Chapter 13 Account Policies and Audit Policies 417
Chapter 14 Monitoring Active Directory 453
Chapter 15 Maintaining Active Directory 515
Chapter 16 Installing and Configuring Certificate Services 559
Chapter 17 Managing Certificate Templates, Enrollments,
and Certificate Revocation 587
Practice Exam 629
Answers to Practice Exam 691
Appendix A Answers to the “Do I Know This Already?” Quizzes 729
Appendix B Installing Windows Server 2008 R2 763
Glossary 773
Index 796
Elements Available on CD
Appendix C Memory Tables 3
Appendix D Memory Tables Answer Key 3
Table of Contents
Introduction 3
Goals and Methods 3
How This Book Is Organized 4
Study and Exam Preparation Tips 7
Learning Styles 7
Study Tips 8
Study Strategies 9
Pretesting Yourself 10
Exam Prep Tips 10
Microsoft 70-640 Exam Topics 12
Chapter 1 Getting Started with Active Directory 17
The Foundation of Active Directory 17
X.500 17
LDAP 18
Naming Standards of X.500 and LDAP 19
Distinguished Names 19
Relative Distinguished Names 20
User Principal Names 21
Globally Unique Identifiers 21
Security Identifiers 21
Active Directory Canonical Names 22
The Building Blocks of Active Directory 22
Namespaces 22
Objects 23
Containers 24
Schemas 24
Global Catalogs 24
Partitions 25
Logical Components of Active Directory 26
Domains 26
Trees 27
Forests 27
Organizational Units 29
Sites 30
Domain Controllers 31
Global Catalog Servers 31
Operations Masters 32
New Features of Active Directory in Windows Server 2008 33
Server Manager 35
Adding Roles and Features 36
Command-Line Server Management 36
Windows Server 2008 R2 37
Summary 40
Chapter 2 Installing and Configuring DNS for Active Directory 43
“Do I Know This Already?” Quiz 43
The Hierarchical Nature of DNS 48
Installing DNS on Windows Server 2008 R2 49
Configuring DNS Zones 51
DNS Zone Types 52
Primary Zones 53
Secondary Zones 53
Stub Zones 53
Active Directory–Integrated Zones 53
GlobalNames Zones 54
DNS Name Server Roles 55
Primary Name Server 55
Secondary Name Server 55
Caching-Only Server 56
Forwarders 56
Creating DNS Zones 57
Forward Lookup Zones 57
Reverse Lookup Zones 59
DNS Resource Records 61
Configuring DNS Zone Properties 62
Configuring Zone Types 63
Adding Authoritative DNS Servers to a Zone 63
Dynamic, Nondynamic, and Secure Dynamic DNS 64
Zone Scavenging 65
Time to Live 66
Integrating DNS with WINS 68
Command-Line DNS Server Administration 69
Review All the Key Topics 71
Complete the Tables and Lists from Memory 71
Definitions of Key Terms 71
Chapter 3 Installing Active Directory Domain Services 73
“Do I Know This Already?” Quiz 73
Planning the Active Directory Namespace 77
Subdividing the Active Directory Namespace 77
Administrative or Geographical Organization of Domains 78
Use of Multiple Trees 79
Best Practices 80
Creating Forests and Domains 81
Requirements for Installing Active Directory Domain Services 81
Installing Active Directory Domain Services 82
New Forests 83
New Domains in Existing Forests 88
Existing Domains 89
Performing Unattended Installations of Active Directory 90
Server Core Domain Controllers 92
Removing Active Directory 92
Interoperability with Previous Versions of Active Directory 93
Forest and Domain Functional Levels 94
Upgrading Domain and Forest Functional Levels 95
The Adprep Utility 96
Running the Adprep /forestprep Command 96
Running the Adprep /domainprep Command 97
Upgrading a Windows Server 2003 Domain Controller 97
Additional Forest and Domain Configuration Tasks 98
Verifying the Proper Installation of Active Directory 98
Active Directory Migration Tool v.3.1 100
Alternative User Principal Name Suffixes 101
Review All the Key Topics 103
Complete the Tables and Lists from Memory 103
Definitions of Key Terms 104
Chapter 4 Configuring DNS Server Settings and Replication 107
“Do I Know This Already?” Quiz 107
Configuring DNS Server Settings 112
Forwarding 112
Conditional Forwarders 114
Root Hints 116
Configuring Zone Delegation 117
Debug Logging 119
Event Logging 121
DNS Security Extensions 121
Advanced Server Options 123
Server Options 123
Round Robin 124
Disable Recursion 125
Name Checking 125
Loading Zone Data 126
Server Scavenging 126
Monitoring DNS 127
Configuring Zone Transfers and Replication 128
Replication Scope 128
Types of Zone Transfers 130
Full Zone Transfer 130
Incremental Zone Transfer 131
Configuring Zone Transfers 132
Configuring DNS Notify 133
Secure Zone Transfers 134
Configuring Name Servers 136
Application Directory Partitions 138
Installing and Configuring Application Directory Partitions 138
Creating Application Directory Partition Replicas 139
Application Directory Partition Reference Domains 139
Review All the Key Topics 140
Complete the Tables and Lists from Memory 140
Definitions of Key Terms 140
Chapter 5 Global Catalogs and Operations Masters 143
“Do I Know This Already?” Quiz 143
Configuring Global Catalog Servers 148
Planning the Placement of Global Catalog Servers 148
Promoting Domain Controllers to Global Catalog Servers 150
Using Universal Group Membership Caching 151
Using Partial Attribute Sets 152
Configuring Operations Masters 153
Schema Master 153
Configuring the Schema 154
Extending the Schema 155
Deactivating Schema Objects 159
Domain Naming Master 160
PDC Emulator 160
Time Service 161
Infrastructure Master 162
RID Master 162
Placement of Operations Masters 163
Transferring and Seizing of Operations Master Roles 164
Transferring Operations Master Roles 165
Seizing Operations Masters Roles 167
Review All the Key Topics 169
Complete the Tables and Lists from Memory 169
Definitions of Key Terms 170
Chapter 6 Configuring Active Directory Sites and Replication 173
“Do I Know This Already?” Quiz 173
The Need for Active Directory Sites 178
Configuring Sites and Subnets 179
Creating Sites 180
Adding Domain Controllers 181
Creating and Using Subnets 182
Site Links, Site Link Bridges, and Bridgehead Servers 184
The Need for Site Links and Site Link Bridges 184
Configuring Site Links 185
Site Link Bridges 185
Site Link Costs 186
Sites Infrastructure 189
Knowledge Consistency Checker 189
Intersite Topology Generator 189
Configuring Active Directory Replication 189
Concepts of Active Directory Replication 190
Intersite and Intrasite Replication 191
Distributed File System 192
One-Way Replication 193
Bridgehead Servers 193
Replication Protocols 194
Ports Used for Intersite Replication 195
Replication Scheduling 196
Intersite Replication Scheduling 196
Intrasite Replication Scheduling 198
Forcing Intersite Replication 200
Review All the Key Topics 201
Complete the Tables and Lists from Memory 202
Definitions of Key Terms 202
Chapter 7 Additional Active Directory Roles 205
“Do I Know This Already?” Quiz 205
New Server Roles and Features 210
Active Directory Lightweight Directory Services 211
Installing AD LDS 213
Installing the AD LDS Role 213
Installing AD LDS Instances 214
Configuring Data Within AD LDS 217
Using the ADSI Edit Snap-in 217
Using Ldp.exe 218
Using the Active Directory Schema Snap-in 220
Using the Active Directory Sites and Services Snap-in 221
Migrating to AD LDS 221
Configuring an Authentication Server 222
Creating AD LDS User Accounts and Groups 222
Binding to an AD LDS Instance with an AD LDS User 224
Using AD LDS on Server Core 224
Active Directory Rights Management Services 225
Installing AD RMS 226
Certificate Request and Installation 228
Self-Enrollments 230
Delegation 230
Active Directory Metadirectory Services 231
Active Directory Federation Services 231
Installing the AD FS Server Role 233
Configuring Trust Policies 236
User and Group Claim Mapping 237
Configuring Federation Trusts 238
Creating Claims 239
Creating Account Stores 240
Enabling Applications 241
Creating Federation Trusts 242
Windows Server 2008 R2 Virtualization 244
Review All the Key Topics 247
Complete the Tables and Lists from Memory 247
Definitions of Key Terms 248
Chapter 8 Read-Only Domain Controllers 251
“Do I Know This Already?” Quiz 251
Installing a Read-Only Domain Controller 254
Planning the Use of RODCs 254
Installing RODCs 256
Prestaging an RODC 257
Managing a Read-Only Domain Controller 259
Unidirectional Replication 260
Administrator Role Separation 261
Read-Only DNS 262
BitLocker 263
Preparing Your Computer to Use BitLocker 265
Enabling BitLocker 265
Managing BitLocker 269
Replication of Passwords 270
Planning a Password Replication Policy 271
Configuring a Password Replication Policy 272
Credential Caching 273
Administering the RODC’s Authentication Lists 275
syskey 276
Review all the Key Topics 278
Definitions of Key Terms 278
Chapter 9 Active Directory User and Group Accounts 281
“Do I Know This Already?” Quiz 281
Creating User and Group Accounts 286
Introducing User Accounts 286
Introducing Group Accounts 287
Creating User, Computer, and Group Accounts 288
Use of Template Accounts 290
Using Bulk Import to Automate Account Creation 291
Csvde 292
Ldifde 293
Dsadd 294
Additional Command-Line Tools 295
Scripts 296
Configuring the UPN 296
UPN Suffixes 296
Adding or Removing UPN Suffixes 297
Configuring Contacts 298
Creating Distribution Lists 299
Managing and Maintaining Accounts 300
Creating Organizational Units 301
Configuring Group Membership 304
AGDLP/AGUDLP 306
Account Resets 308
Deny Domain Local Group 308
Protected Admin 309
Local Versus Domain Groups 310
Deprovisioning Accounts 312
Delegating Administrative Control of Active Directory Objects 313
Review All the Key Topics 317
Complete the Tables and Lists from Memory 318
Definitions of Key Terms 318
Chapter 10 Trust Relationships in Active Directory 321
“Do I Know This Already?” Quiz 321
Types of Trust Relationships 325
Transitive Trusts 325
Forest Trusts 326
External Trusts and Realm Trusts 326
Shortcut Trusts 327
Creating and Configuring Trust Relationships 328
Creating a Forest Trust Relationship 329
Creating External Trust Relationships 335
Creating Realm Trust Relationships 336
Creating Shortcut Trust Relationships 337
Managing Trust Relationships 338
Validating Trust Relationships 338
Authentication Scope 338
SID Filtering 340
Removing a Cross-forest Trust Relationship 341
Review All the Key Topics 343
Complete the Tables and Lists from Memory 343
Definitions of Key Terms 343
Chapter 11 Creating and Applying Group Policy Objects 345
“Do I Know This Already?” Quiz 345
Overview of Group Policy 351
Components of Group Policy 351
Group Policy Containers 352
Group Policy Templates 352
New Features of Group Policy in Windows Server 2008 and
Windows Server 2008 R2 354
Creating and Applying GPOs 355
Managing GPOs 359
Linking GPOs 360
Managing GPO Links 361
Deleting a GPO 362
Delegating Control of GPOs 362
Specifying a Domain Controller 365
Configuring GPO Hierarchy and Processing Priority 365
OU Hierarchy 367
Enforced 367
Block Inheritance 369
Modifying the Sequence of GPO Application 370
Disabling User Objects 370
Group Policy Filtering 371
Security Filtering of GPOs 371
Windows Management Instrumentation 374
Windows PowerShell 374
Configuring GPO Templates 376
Group Policy Loopback Processing 377
User Rights 378
ADMX Central Store 379
Administrative Templates 380
Restricted Groups 384
Starter GPOs 385
Shell Access Policies 387
Review All the Key Topics 389
Complete the Tables and Lists from Memory 389
Definitions of Key Terms 390
Chapter 12 Group Policy Software Deployment 393
“Do I Know This Already?” Quiz 393
Types of Software Deployment 398
Assigning and Publishing Software 399
Assigning Software to Users 399
Assigning Software to Computers 399
Publishing Software to Users 399
Deploying Software Using Group Policy 400
ZAP Files 402
Software Installation Properties 403
Software Package Properties 405
Upgrading Software 407
Use of Transform Files to Modify Software Packages 409
Redeployment of Upgraded Software 411
Removal of Software 413
Review All the Key Topics 414
Complete the Tables and Lists from Memory 414
Definitions of Key Terms 414
Chapter 13 Account Policies and Audit Policies 417
“Do I Know This Already?” Quiz 417
Use of Group Policy to Configure Security 422
Configuring Account Policies 422
Domain Password Policies 423
Account Lockout 426
Unlocking an Account 427
Kerberos Policy 428
Fine-Grained Password Policies 428
Password Settings Precedence 429
Configuring Fine-Grained Password Policies 430
Managing Fine-Grained Password Policies 435
Viewing the Resultant PSO 435
Security Options 436
Using Additional Security Configuration Tools 439
Auditing of Active Directory Services 441
New Features of Active Directory Auditing 441
Using GPOs to Configure Auditing 442
Available Auditing Categories 442
Configuring Basic Auditing Policies 443
Configuring Advanced Audit Policies 446
Using Auditpol.exe to Configure Auditing 447
Review All the Key Topics 449
Complete the Tables and Lists from Memory 450
Definitions of Key Terms 450
Chapter 14 Monitoring Active Directory 453
“Do I Know This Already?” Quiz 453
Tools Used to Monitor Active Directory 459
Network Monitor 459
Task Manager 463
Configuring Application Priority 465
Event Viewer 466
Customizing Event Viewer 468
Customizing Event Viewer Detail 470
Reliability and Performance Monitor 471
Resource Monitor 473
Reliability Monitor 473
Performance Monitor 476
Data Collector Sets 479
Windows System Resource Manager 484
Server Performance Advisor 486
Monitoring and Troubleshooting Active Directory Replication 487
replmon 487
repadmin 491
replicate 491
showmeta 492
showreps 492
add 492
sync 493
syncall 493
showconn 493
replsummary 494
dcdiag 494
Troubleshooting the Application of Group Policy Objects 496
Resultant Set of Policy 496
Planning Mode/Group Policy Modeling 497
Logging Mode/Group Policy Results 501
Using the Delegation of Control Wizard 509
Gpresult 509
Review All the Key Topics 512
Complete the Tables and Lists from Memory 513
Definitions of Key Terms 513
Chapter 15 Maintaining Active Directory 515
“Do I Know This Already?” Quiz 515
Backing Up and Recovering Active Directory 520
Backup Permissions 521
Use of Windows Server Backup 521
Installing Windows Server Backup 521
Backing Up Critical Volumes of a Domain Controller 522
The wbadmin Command 525
Scheduling a Backup 526
Using Removable Media 527
Recovering Active Directory 528
Directory Services Restore Mode 528
Performing a Nonauthoritative Restore 529
Using the wbadmin Command to Recover Your Server 534
Performing an Authoritative Restore 536
Recovering Back-Links of Authoritatively Restored Objects 537
Performing a Full Server Recovery of a Domain Controller 538
Linked-Value Replication and Authoritative Restore of Group Memberships 539
The Active Directory Recycle Bin 540
Enabling the Active Directory Recycle Bin 541
Using the Active Directory Recycle Bin to Restore Deleted Objects 543
Backing Up and Restoring GPOs 545
Backing Up GPOs 545
Restoring GPOs 545
Importing GPOs 547
Using Scripts for Group Policy Backup and Restore 548
Offline Maintenance of Active Directory 549
Restartable Active Directory 549
Offline Defragmentation and Compaction 550
Online Defragmentation 551
Offline Defragmentation 551
Active Directory Database Storage Allocation 553
Review All the Key Topics 555
Complete the Tables and Lists from Memory 556
Definitions of Key Terms 556
Chapter 16 Installing and Configuring Certificate Services 559
“Do I Know This Already?” Quiz 559
What’s New with Certificate Services in Windows Server 2008? 563
New Features of Active Directory Certificate Services in
Windows Server 2008 R2 564
Installing Active Directory Certificate Services 565
Configuring Certificate Authority Types and Hierarchies 565
Installing Root CAs 567
Installing Subordinate CAs 571
Understanding Certificate Requests 571
Using Certificate Practice Statements 572
Configuring Certificate Authority Server Settings 573
Installing the Certificates Snap-in 573
Working with Certificate Stores 575
Using Group Policy to Import Certificates 575
Backing Up Certificates and Keys 576
Restoring Certificates and Keys 577
Using Group Policy to Enable Credential Roaming 578
Backing Up and Restoring Certificate Databases 580
Assigning Administration Roles 581
Configuring Certificate Server Permissions 582
Review All the Key Topics 583
Complete the Tables and Lists from Memory 584
Definitions of Key Terms 584
Chapter 17 Managing Certificate Templates, Enrollments,
and Certificate Revocation 587
“Do I Know This Already?” Quiz 587
Managing Certificate Templates 592
Understanding Certificate Template Types 592
Configuring Certificate Templates 593
Securing Template Permissions 595
Enabling the Use of Templates 597
Managing Different Certificate Template Versions 597
Archiving Keys 599
Configuring Key Recovery Agents 599
Managing Certificate Enrollments 602
Understanding Network Device Enrollment Services 602
Enabling Certificate Autoenrollment 605
Configuring Web Enrollment 606
Configuring Smart Card Enrollment 609
Creating Enrollment Agents 610
Using Group Policy to Require Smart Cards for Logon 614
Managing Certificate Revocation 616
Configuring Certificate Revocation Lists 617
Configuring a CRL Distribution Point 619
Troubleshooting CRLs 620
Configuring Online Responders 621
Configuring Responder Properties 622
Adding a Revocation Configuration 623
Configuring Arrays 624
Configuring Authority Information Access 624
Review All the Key Topics 625
Complete the Tables and Lists from Memory 626
Definitions of Key Terms 626
Practice Exam 629
Answers to Practice Exam 691
Appendix A Answers to the “Do I Know This Already?” Quizzes 729
Appendix B Installing Windows Server 2008 R2 763
Glossary 773
Index 796
Elements Available on CD
Appendix C Memory Tables 3
Appendix D Memory Tables Answer Key 3
About the Author
Don Poulton (A+, Network+, Security+, MCSA, MCSE) is an independent consultant who has been involved with computers since the days of 80-column punch cards. After a career of more than 20 years in environmental science, Don switched careers and trained as a Windows NT 4.0 MCSE. He has been involved in consulting with a couple of small training providers as a technical writer, during which time he wrote training and exam prep materials for Windows NT 4.0, Windows 2000, and Windows XP. Don has written or contributed to several titles, including Security+ Lab Manual (Que, 2004); MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows 2003 Network (Exam Cram 2) (Que, 2004); MCSE 70-294 Exam Prep: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (Que, 2006); MCTS 70-620 Exam Prep: Microsoft Windows Vista, Configuring (Que, 2008); and MCTS 70-680 Cert Guide: Microsoft Windows 7, Configuring (Que, 2011).
In addition, he has worked on programming projects, both in his days as an environmental scientist and more recently with Visual Basic to update an older statistical package used for multivariate analysis of sediment contaminants.
When not working on computers, Don is an avid amateur photographer who has
had his photos displayed in international competitions and published in magazines
such as Michigan Natural Resources Magazine and National Geographic Traveler. Don
also enjoys traveling and keeping fit.
Don lives in Burlington, Ontario, with his wife, Terry.
Dedication
I would like to dedicate this book to my wife Terry, who has stood by my side and supported
me throughout the days spent writing this book. This project would not have been possible
without her love and support.
Acknowledgments
I would like to thank all the staff at Pearson and in particular Betsy Brown for making this project possible. My sincere thanks goes out to Chris Crayton for his helpful technical suggestions, as well as Jeff Riley, development editor, and Mike Henry, copy editor, for their improvements to the manuscript.
—Don Poulton
About the Technical Reviewer
Christopher A. Crayton is an author, technical editor, technical consultant,
security consultant, trainer, and SkillsUSA state-level technology competition
judge. Formerly, he worked as a computer and networking instructor at Keiser
College (2001 Teacher of the Year); as network administrator for Protocol, a global
electronic customer relationship management (eCRM) company; and at Eastman
Kodak Headquarters as a computer and network specialist. Chris has authored
several print and online books, including The A+ Exams Guide, Second Edition
(Cengage Learning, 2008); Microsoft Windows Vista 70-620 Exam Guide Short Cut
(O’Reilly, 2007); CompTIA A+ Essentials 220-601 Exam Guide Short Cut (O’Reilly,
2007); The A+ Exams Guide (Charles River Media, 2008); The A+ Certification
and PC Repair Handbook (Charles River Media, 2005); The Security+ Exam Guide
(Charles River Media, 2003); and A+ Adaptive Exams (Charles River Media, 2002).
He is also coauthor of the How to Cheat at Securing Your Network (Syngress, 2007).
As an experienced technical editor, Chris has provided many technical edits/reviews
for several major publishing companies, including Pearson Education, McGraw-Hill,
Cengage Learning, Wiley, O’Reilly, Syngress, and Apress. He holds MCSE, A+,
and Network+ certifications.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We
value your opinion and want to know what we’re doing right, what we could do
better, what areas you’d like to see us publish in, and any other words of wisdom
you’re willing to pass our way.
As an associate publisher for Pearson Publishing, I welcome your comments. You
can email or write me directly to let me know what you did or didn’t like about this
book—as well as what we can do to make our books better.
Please note that I cannot help you with technical problems related to the topic of this book.
We do have a User Services group, however, where I will forward specific technical questions
related to the book.
When you write, please be sure to include this book’s title and author as well as
your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.
Email: feedback@pearsonitcertification.com
Mail: Dave Dusthimer
Associate Publisher
Pearson Education
800 East 96th Street
Indianapolis, IN 46240 USA
Reader Services
Visit our website and register this book at www.pearsonITcertification.com/register
for convenient access to any updates, downloads, or errata that might be available
for this book.
Introduction
MCTS Windows Server 2008 Active Directory, Configuring Cert Guide (Exam 70-640)
is designed for network administrators, network engineers, and consultants
who are pursuing the Microsoft Certified Technology Specialist (MCTS) or
Microsoft Certified IT Professional (MCITP) certifications for Windows
Server 2008. This book covers the “TS: Microsoft Windows Server 2008
Active Directory, Configuring” exam (70-640), which earns you the Microsoft
Certified Technology Specialist: Windows Server 2008 Active Directory,
Configuration certification. The exam is designed to measure your skill and
ability to implement, administer, and troubleshoot Active Directory running
on Windows Server 2008. Microsoft not only tests you on your knowledge of
Active Directory, but it has purposefully developed questions on the exam to
force you to problem-solve in the same way that you would when presented
with a real-life error. Passing this exam demonstrates your competency in
administration.
This book covers all the objectives that Microsoft has established for exam
70-640. It doesn’t offer end-to-end coverage of Active Directory in
Windows Server 2008; rather, it helps you develop the specific core
competencies that you need to master as an Active Directory administrator.
You should be able to pass the exam by learning the material in this book,
without taking a class.
Goals and Methods
The number-one goal of this book is a simple one: to help you get ready to
take—and pass—Microsoft Certification Exam 70-640, “TS: Windows Server
2008 Active Directory, Configuring.” You will find information within this book
that will help ensure your success as you pursue this Microsoft exam and the
Technology Specialist or IT Professional certification.
Because Microsoft certification exams stress problem-solving abilities and reasoning
more than memorization of terms and facts, our goal is to help you master and
understand the required objectives for the 70-640 exam.
4 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
To aid you in mastering and understanding the MCTS certification objectives, this
book uses the following methods:
■ Opening topics list: This defines the topics to be covered in the chapter; it also
lists the corresponding 70-640 exam objectives.
■ Do I Know This Already Quizzes: At the beginning of each chapter is a quiz.
The quizzes, and answers/explanations (found in Appendix A), are meant to
gauge your knowledge of the subjects. If the answers to the questions don’t
come readily to you, be sure to read the entire chapter.
■ Foundation Topics: The heart of the chapter. Explains the topics from
a hands-on and a theory-based standpoint. This includes in-depth
descriptions, tables, and figures that are geared to build your knowledge
so that you can pass the exam. The chapters are broken down into several
topics each.
■ Key Topics: The key topics indicate important figures, tables, and lists of information
that you should know for the exam. They are interspersed throughout
the chapter and are listed in table form at the end of the chapter.
■ Memory Tables: These can be found on the DVD within Appendix C, “Memory
Tables.” Use them to help memorize important information.
■ Key Terms: Key terms without definitions are listed at the end of each chapter.
Write down the definition of each term and check your work against the complete
key terms in the glossary.
How This Book Is Organized
Although this book could be read cover-to-cover, it is designed to be flexible and enable
you to easily move between chapters and sections of chapters to cover just the
material that you need more work with. If you do intend to read all the chapters, the
order in the book is an excellent sequence to use.
Chapter 1, “Getting Started with Active Directory,” is an introductory chapter that
presents the concepts around which Active Directory is built. It serves as a reference
to the material that follows and eases users who are new to Active Directory into
the book. If you have worked with Active Directory in Windows 2000 or Windows
Server 2003, you might want to start with Chapter 2; however, you should take a
look at the overview presented here of new capabilities of Active Directory in
Windows Server 2008 and its R2 update.
Introduction 5
The core chapters, Chapters 2 through 17, cover the following topics:
■ Chapter 2, “Installing and Configuring DNS for Active Directory”: This chapter
focuses on the concepts of Domain Name System (DNS) required for setting up
an Active Directory domain. You learn about how to install DNS on your server
and how to set up and configure DNS zones.
■ Chapter 3, “Installing Active Directory Domain Services”: This chapter shows
you how to set up your first domain. It then continues to discuss creating additional
domain controllers in this domain and child domain controllers. It also
discusses the requirements that must be met when upgrading domains based on
older Windows server versions to allow them to operate in Windows Server
2008 with complete functionality.
■ Chapter 4, “Configuring DNS Server Settings and Replication”: This chapter
builds on Chapter 2 to delve into additional items that you must configure in
server settings, zone transfers, and DNS replication.
■ Chapter 5, “Global Catalogs and Operations Masters”: Proper operation
of global catalog servers and operations masters is vital to the day-to-day
functioning of your domain and forest. This chapter focuses on the
configuration and troubleshooting steps necessary with these specialized
domain controllers.
■ Chapter 6, “Configuring Active Directory Sites and Replication”: Active
Directory divides forests and domains on a geographical basis by using sites.
To function properly, Active Directory depends on data replication among
all its domain controllers. This chapter shows you how to set up sites and
ensure that all directory objects are located in the site corresponding to their
locations. It then continues with configuring replication, both on an intrasite
and intersite basis.
■ Chapter 7, “Additional Active Directory Roles”: This chapter takes care
of other Active Directory roles including Active Directory Lightweight
Directory Services (AD LDS), Active Directory Federation Services (AD FS),
and Active Directory Rights Management Service (AD RMS). AD LDS is
designed to provide additional directory services where an additional
domain and its domain controllers are not required. AD RMS enhances
security in your domain by enabling the creation of rights-protected files
and folders that can be accessed only by authorized users. AD FS provides
a single sign-on capability for authenticating users to multiple web-based
applications.
■ Chapter 8, “Read-Only Domain Controllers”: This chapter discusses how to set
up a read-only domain controller (RODC) and configure its interaction with
other (writable) domain controllers in your forest. An RODC is useful in a situation
such as a branch office where physical security of the domain controller
might be of concern.
■ Chapter 9, “Active Directory User and Group Accounts”: This chapter shows you
how to create user and group accounts in Active Directory, including methods for
bulk creation of large numbers of accounts. It introduces the various types and
scopes of groups available in Active Directory and the recommended methods
of nesting these groups to facilitate the provision of access to resources in your
forest. It also looks at account properties, creation of organizational units
(OUs), and delegation of control.
■ Chapter 10, “Trust Relationships in Active Directory”: By default, all domains
in a forest trust each other. However, you might need to access objects
located in another forest, and this chapter talks about methods you might
use to provide and troubleshoot such access. Windows Server 2008 provides
several types of trust relationships that can be used for meeting different
requirements.
■ Chapter 11, “Creating and Applying Group Policy Objects”: Group Policy is at
the heart and soul of resource management in Active Directory. This chapter
shows you how to set up Group Policy objects and configure them to apply to
users, groups, and OUs as required. The hierarchy of GPO application and the
methods to modify this hierarchy are also discussed.
■ Chapter 12, “Group Policy Software Deployment”: This chapter shows you how
to use Group Policy for deploying software to large numbers of users so that
they have the applications they need to perform their jobs. You also learn how to
upgrade software when new editions and features become available and how to
remove software when it is no longer required by users.
■ Chapter 13, “Account Policies and Audit Policies”: This chapter expands
the coverage of Group Policy to include policies that govern the safety and
security of accounts in your domain and audit access to Active Directory objects
and components so that you can meet the increasingly complex regulatory
requirements.
■ Chapter 14, “Monitoring Active Directory”: This chapter focuses on the tools
you can use to monitor the functionality of Active Directory. You also learn
about the tools and methods used for monitoring Active Directory replication
as well as the tools and techniques you can use to monitor and troubleshoot the
application of Group Policy.
■ Chapter 15, “Maintaining Active Directory”: This chapter shows you how to
back up, recover, restart, and troubleshoot Active Directory and its components.
You learn how to perform nonauthoritative and authoritative restore of Active
Directory and how to use the new Windows Server 2008 R2 Active Directory
Recycle Bin.
■ Chapter 16, “Installing and Configuring Certificate Services”: A system of
certificates is vital to carrying out secure business, especially when an Internet
presence is required. This chapter shows you how to set up a hierarchy of
certificate servers within Active Directory and back up, restore, and archive
your certificates and keys.
■ Chapter 17, “Managing Certificate Templates, Enrollments, and Certificate
Revocation”: Certificates issued by your servers require management to ensure
that users requiring certificates can obtain them, and that compromised certificates
are revoked and cannot be used by unauthorized parties. This chapter
looks at these topics and helps you to ensure the security of your certificate
hierarchy.
In addition to the 17 main chapters, this book includes tools to help you verify that
you are prepared to take the exam. The CD includes the glossary, practice test, and
memory tables that you can work through to verify your knowledge of the subject
matter.
Study and Exam Preparation Tips
It’s a rush of adrenaline during the final day before an exam. If you’ve scheduled the
exam on a workday, or following a workday, you will find yourself cursing the tasks
you normally cheerfully perform because the back of your mind is telling you to
read just a bit more, study another scenario, practice another skill so that you will be
able to get this exam out of the way successfully.
The way that Microsoft has designed its tests lately does not help. I remember taking
Microsoft exams many years ago and thoroughly understanding the term “paper
certified.” Nowadays, you can’t get through a Microsoft exam without knowing the
material so well that when confronted with a problem, whether a scenario or real-
life situation, you can handle the challenge. Instead of trying to show the world how
many MCSEs are out there, Microsoft is trying to prove how difficult it is to achieve
a certification, including the newly created MCTS and MCITP as well as the
MCSE and MCSA, thereby making those who are certified more valuable to their
organizations.
Learning Styles
To best understand the nature of preparation for the test, it is important to understand
learning as a process. You are probably aware of how you best learn new
material. You might find that outlining works best for you, or, as a visual learner,
you might need to “see” things. Or, as a person who studies kinesthetically, the
hands-on approach serves you best. Whether you need models or examples, or
you just like exploring the interface, or whatever your learning style, solid test
preparation works best when it takes place over time. Obviously, you shouldn’t
start studying for a certification exam the night before you take it; it is very important
to understand that learning is a developmental process. Understanding
learning as a process helps you focus on what you know and what you have yet to
learn.
People study in a combination of different ways: by doing, by seeing, and by hearing
and writing. This book’s design fulfills all three of these study methods. For the
kinesthetic, there are key topics scattered throughout each chapter. You will also discover
step-by-step procedural instructions that walk you through the skills you need
to master Active Directory in Windows Server 2008. The visual learner can find
plenty of screen shots explaining the concepts described in the text. The auditory
learner can reinforce skills by reading out loud and copying down key concepts and
exam tips scattered throughout the book. You can also practice writing down the
meaning of the key terms defined in each chapter, and in completing the memory
tables for most chapters found on the accompanying DVD. While reading this
book, you will realize that it stands the test of time. You will be able to turn to it
over and over again.
Thinking about how you learn should help you recognize that learning takes place
when you are able to match new information to old. You have some previous
experience with computers and networking. Now you are preparing for this
certification exam. Using this book, software, and supplementary materials will
not just add incrementally to what you know; as you study, the organization of
your knowledge actually restructures as you integrate new information into your
existing knowledge base. This leads you to a more comprehensive understanding
of the tasks and concepts outlined in the objectives and of computing in general.
Again, this happens as a result of a repetitive process rather than a singular event.
If you keep this model of learning in mind as you prepare for the exam, you will
make better decisions concerning what to study and how much more studying you
need to do.
Study Tips
There are many ways to approach studying, just as there are many different types of
material to study. However, the tips that follow should work well for the type of material
covered on Microsoft certification exams.
Study Strategies
Although individuals vary in the ways they learn information, some basic principles
of learning apply to everyone. You should adopt some study strategies that take
advantage of these principles. One of these principles is that learning can be broken
into various depths. Recognition (of terms, for example) exemplifies a rather surface
level of learning in which you rely on a prompt of some sort to elicit recall.
Comprehension or understanding (of the concepts behind the terms, for example)
represents a deeper level of learning than recognition. The ability to analyze a
concept and apply your understanding of it in a new way represents further depth
of learning.
Your learning strategy should enable you to know the material at a level or two
deeper than mere recognition. This will help you perform well on the exams. You
will know the material so thoroughly that you can go beyond the recognition-level
types of questions commonly used in fact-based multiple-choice testing. You will be
able to apply your knowledge to solve new problems.
Macro and Micro Study Strategies
One strategy that can lead to deep learning includes preparing an outline that covers
all the objectives and subobjectives for the particular exam you are planning to take.
You should delve a bit further into the material and include a level or two of detail
beyond the stated objectives and subobjectives for the exam. Then you should
expand the outline by coming up with a statement of definition or a summary for
each point in the outline.
An outline provides two approaches to studying. First, you can study the outline by
focusing on the organization of the material. You can work your way through the
points and subpoints of your outline, with the goal of learning how they relate to
one another. For example, you should be sure you understand how each of the main
objective areas for Exam 70-640 is similar to and different from another. Then you
should do the same thing with the subobjectives; you should be sure you know
which subobjectives pertain to each objective area and how they relate to one
another.
Next, you can work through the outline, focusing on learning the details. You
should memorize and understand terms and their definitions, facts, rules and tactics,
advantages and disadvantages, and so on. In this pass through the outline, you
should attempt to learn detail rather than the big picture (the organizational information
that you worked on in the first pass through the outline).
Research has shown that attempting to assimilate both types of information at the
same time interferes with the overall learning process. If you separate your studying
into these two approaches, you will perform better on the exam.
Active Study Strategies
The process of writing down and defining objectives, subobjectives, terms, facts, and
definitions promotes a more active learning strategy than merely reading the material
does. In human information-processing terms, writing forces you to engage in
more active encoding of the information. Simply reading over the information leads
to more passive processing. Using this study strategy, you should focus on writing
down the items that are highlighted in the book—bulleted or numbered lists, key
topics, notes, cautions, and review sections, for example.
You need to determine whether you can apply the information you have learned by
attempting to create examples and scenarios on your own. You should think about
how or where you could apply the concepts you are learning. Again, you should
write down this information to process the facts and concepts in an active fashion.
Common-Sense Strategies
You should follow common-sense practices when studying: You should study when
you are alert, reduce or eliminate distractions, and take breaks when you become
fatigued.
Pretesting Yourself
Pretesting allows you to assess how well you are learning. One of the most important
aspects of learning is what has been called meta-learning. Meta-learning has to
do with realizing when you know something well or when you need to study some
more. In other words, you recognize how well or how poorly you have learned the
material you are studying.
For most people, this can be difficult to assess. Memory tables, practice questions,
and practice tests are useful in that they reveal objectively what you have learned
and what you have not learned. You should use this information to guide review and
further studying. Developmental learning takes place as you cycle through studying,
assessing how well you have learned, reviewing, and assessing again until you feel
you are ready to take the exam.
You might have noticed the practice exam included in this book. You should use it as
part of the learning process. The Exam Gear test-simulation software included on
this book’s CD-ROM also provides you with an excellent opportunity to assess your
knowledge.
You should set a goal for your pretesting. A reasonable goal would be to score
consistently in the 90% range.
Exam Prep Tips
After you have mastered the subject matter, the final preparatory step is to understand
how the exam will be presented. Make no mistake: An MCTS exam challenges
both your knowledge and your test-taking skills. Preparing for the 70-640 exam is a
bit different from preparing for those old Microsoft exams. The following is a list of
things that you should consider doing:
■ Combine your skill sets into solutions: In the past, exams would test whether
you knew to select the right letter of a multiple choice answer. Today, you need
to know how to resolve a problem that may involve different aspects of the material
covered. For example, on exam 70-640 you could be presented with a
problem that requires you to understand how to configure Group Policy to apply
to a specific set of users and not to other users, and to troubleshoot this policy
if it is not properly applied. The skills themselves are simple. Being able to
zero in on what caused the problem and then to resolve it for a specific situation
is what you need to demonstrate. In fact, you should not only be able to select
one answer, but also multiple parts of a total solution.
■ Delve into excruciating details: The exam questions incorporate a great deal of
information in the scenarios. Some of the information is ancillary: It will help
you rule out possible issues, but not necessarily resolve the answer. Some of the
information simply provides you with a greater picture, as you would have in
real life. Some information is key to your solution. For example, you might be
presented with a question that lists the components of an Active Directory domain
such as the number of server and client computers, the organizational unit
(OU) structure, and so on. When you delve further into the question, you realize
that the OU structure is the problem. Other times, you will find that the
OU structure simply eliminates one or more of the answers that you could select.
If you don’t pay attention to what you can eliminate, the answer can elude
you completely. And other times, the hardware configuration simply lets you
know that the hardware is adequate.
■ Microsoft likes to quiz exam takers on the latest modifications of its
technology: From time to time, Microsoft seeds new questions into its exam
database and beta tests these questions on exam takers. During the beta period
for each question, its answer is not taken into account in computing the
final score. However, when Microsoft is satisfied with the question’s performance,
it becomes live and is scored appropriately. You can expect to see questions
that test your knowledge of the latest changes in Active Directory
technology, including the enhancements introduced in 2009 with Windows
Server 2008 R2.
■ It’s a GUI test: Microsoft has expanded its testing criteria into interface recognition.
You should be able to recognize each dialog box, properties sheet, options,
and defaults. You will be tested on how to perform typical configuration actions
in Active Directory. In fact, Microsoft has begun to include performance-based
questions on its exams that instruct you to perform a given task and presents
you with a live version of some Active Directory tool. You must complete the
required actions and no others; otherwise, your response will be scored as
incorrect.
■ Practice with a time limit: The tests have always been time restricted, but it
takes more time to read and understand the scenarios now and time is a whole
lot tighter. To get used to the time limits, test yourself with a timer. Know how
long it takes you to read scenarios and select answers.
Microsoft 70-640 Exam Topics
Table I-1 lists the exam topics for the Microsoft 70-640 exam. This table also lists
the book parts in which each exam topic is covered.
Table I-1 Microsoft 70-640 Exam Topics
Chapter 1
  Topics: The Foundation of Active Directory; The Building Blocks of Active Directory; New Features of Active Directory in Windows Server 2008
  70-640 Exam Objectives Covered: (n/a)
Chapter 2
  Topics: The Hierarchical Nature of DNS; Installing DNS on Windows Server 2008; Configuring DNS Zones
  70-640 Exam Objectives Covered: Configuring Domain Name System (DNS) for Active Directory
    ■ Configure Zones
Chapter 3
  Topics: Planning the Active Directory Namespace; Creating Forests and Domains; Upgrading Older Versions of Active Directory; Additional Forest and Domain Configuration Tasks
  70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
    ■ Configure a forest or a domain
Chapter 4
  Topics: Configuring DNS Server Settings; Configuring Zone Transfers and Replication
  70-640 Exam Objectives Covered: Configuring Domain Name System (DNS) for Active Directory
    ■ Configure DNS Server Settings
    ■ Configure DNS Zone Transfers and Replication
Chapter 5
  Topics: Configuring Global Catalog Servers; Configuring Operations Masters
  70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
    ■ Configure the global catalog
    ■ Configure operations masters
Chapter 6
  Topics: The Need for Active Directory Sites; Configuring Sites and Subnets; Site Links, Site Link Bridges, and Bridgehead Servers; Configuring Active Directory Replication
  70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
    ■ Configure sites
    ■ Configure Active Directory replication
Chapter 7
  Topics: New Server Roles and Features; Active Directory Lightweight Directory Services (AD LDS); Active Directory Rights Management Services (AD RMS); Active Directory Federation Services (AD FS); Windows Server 2008 R2 Virtualization
  70-640 Exam Objectives Covered: Configuring Additional Active Directory Server Roles
    ■ Configure Active Directory Lightweight Directory Services (AD LDS)
    ■ Configure Active Directory Rights Management Service (AD RMS)
    ■ Configure Active Directory Federation Services (AD FS)
Chapter 8
  Topics: Installing a Read-Only Domain Controller; Managing a Read-Only Domain Controller
  70-640 Exam Objectives Covered: Configuring Additional Active Directory Server Roles
    ■ Configure the read-only domain controller (RODC)
Chapter 9
  Topics: Creating User and Group Accounts; Managing and Maintaining Accounts
  70-640 Exam Objectives Covered: Creating and Maintaining Active Directory Objects
    ■ Automate creation of Active Directory accounts
    ■ Maintain Active Directory accounts
Chapter 10
  Topics: Types of Trust Relationships; Creating and Configuring Trust Relationships; Managing Trust Relationships
  70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
    ■ Configure trusts
Chapter 11
  Topics: Overview of Group Policy; Creating and Applying GPOs; Configuring GPO Templates
  70-640 Exam Objectives Covered: Creating and Maintaining Active Directory Objects
    ■ Create and apply Group Policy objects (GPOs)
    ■ Configure GPO templates
Chapter 12
  Topics: Types of Software Deployment; Deploying Software Using Group Policy; Upgrading Software; Removal of Software
  70-640 Exam Objectives Covered: Creating and Maintaining Active Directory Objects
    ■ Configure software deployment GPOs
Chapter 13
  Topics: Use of Group Policy to Configure Security; Auditing of Active Directory Services
  70-640 Exam Objectives Covered: Creating and Maintaining Active Directory Objects
    ■ Configure account policies
    ■ Configure audit policy by using GPOs
Chapter 14
  Topics: Tools Used to Monitor Active Directory; Monitoring and Troubleshooting Active Directory Replication; Troubleshooting the Application of Group Policy Objects
  70-640 Exam Objectives Covered: Maintaining the Active Directory Environment
    ■ Monitor Active Directory
Chapter 15
  Topics: Backing Up and Recovering Active Directory; Offline Maintenance of Active Directory
  70-640 Exam Objectives Covered: Maintaining the Active Directory Environment
    ■ Configure backup and recovery
    ■ Perform offline maintenance
Chapter 16
  Topics: What’s New with Certificate Services in Windows Server 2008?; Installing Active Directory Certificate Services; Configuring Certificate Authority Server Settings
  70-640 Exam Objectives Covered: Configuring Active Directory Certificate Services
    ■ Install Active Directory Certificate Services
    ■ Configure CA server settings
Chapter 17
  Topics: Managing Certificate Templates; Managing Certificate Enrollments; Managing Certificate Revocation
  70-640 Exam Objectives Covered: Configuring Active Directory Certificate Services
    ■ Manage certificate templates
    ■ Manage enrollments
    ■ Manage certificate revocation
This chapter covers the following subjects:
■ The Foundation of Active Directory: This section describes the X.500 and
Lightweight Directory Access Protocol (LDAP) protocols, which are the
foundations used by Microsoft when it first designed Active Directory.
■ The Building Blocks of Active Directory: This section describes the compo-
nents that Microsoft took from X.500 and LDAP to build the hierarchical
structure that is Active Directory.
■ The Logical Components of Active Directory: This section describes the
logical building blocks that Microsoft assembled in creating the structure of
Active Directory.
■ The New Features of Active Directory in Windows Server 2008: This sec-
tion presents a brief overview of new features added by Microsoft when they
created Windows Server 2008 and its new enhancement, Release 2 (R2).
CHAPTER 1
Getting Started with Active Directory
Beginning with Windows 2000, Microsoft completely revolutionized its concept
of Windows domains. Gone was the limited size and flat namespace of
Windows NT domains, and in its place was the hierarchical Active Directory
domain structure built on the concepts of X.500 and Lightweight Directory
Access Protocol (LDAP). Active Directory has matured since its beginnings
with Windows Server 2003 and now includes Windows Server 2008’s new
features, improved functionality, and ease of configuration and management.
Those of you who have worked with Active Directory in Windows 2000 or
Windows Server 2003 will be familiar with much of the contents of this chapter.
You might want to skip through to the section that describes what is new with
Active Directory in Windows Server 2008, toward the end of this chapter. For
those of you who are new to server and network management, or those who
have worked with only Windows NT networks, this book begins with a brief
introduction to the concepts that Microsoft used to put Active Directory
together.
The Foundation of Active Directory
Before studying the structure of Active Directory itself, we will take a little time
to introduce the concepts of the X.500 and Lightweight Directory Access
Protocol (LDAP) protocols because these are central to the understanding of
Active Directory and its structure.
X.500
X.500 was originally developed to help users on a network locate users elsewhere
for sending email messages. First appearing in 1988, it used an inverted tree to
identify and describe all objects contained in a hierarchical database: countries
formed the top level (next to the root), and organizations and their organizational
units formed the branches beneath them. It was also used to provide information to
applications that need to access resources elsewhere on the network, or to
management systems that need to know the name and location of objects on the
network. The complete hierarchical X.500 system was known as the directory.
Three types of information were used by X.500 to locate resources:
■ Name services located specific names.
■ Electronic address books identified addresses on the network.
■ Directory services of centrally managed electronic address books that helped
users search across networks.
The complete directory database, called the Directory Information Base (DIB),
provides a total information-locating resource. Entries in the database are known as
objects. These include items such as user accounts, files and folders, and resources
such as printers.
The problem with X.500 was that it proved to be more complex than what was needed
by most organizations. As originally created, it was also much too open for the entire
world to see. In addition, it was expensive and, in its original implementation, was
slower than other resource-locating methods.
LDAP
LDAP is a protocol originally designed by the Internet Engineering Task Force
(IETF) to work as a front-end client service to X.500-compatible directory services.
Alternatively, it can function as a directory service on its own. It is a subset of X.500
that operates on TCP/IP networks and uses a lower level of system resources compared
to X.500.
LDAP is used as an Internet directory standard that is capable of providing open access
to directory services over the Internet or corporate intranet. Using a text-based
query system, it enables users to quickly and easily query directories containing information
such as usernames, email addresses, telephone numbers, and other user
attributes. It has gone through several versions that are defined in Requests for
Comments (RFCs) for use as Internet standards. Active Directory supports versions
2 and 3 of LDAP. The most recent implementations of LDAP go beyond the X.500
standards in providing a solution needed to provide a global directory service. Included
are such features as the support for extended character sets as used by various
global languages and an easier referral mechanism to hand queries from one server
to another. There is also an extension mechanism that will facilitate future development
of the LDAP standard.
LDAP uses the inverted tree concept originated by X.500 to identify and describe all objects contained in its database. Entries within LDAP’s inverted tree can include containers that hold other objects and leaf objects that represent entities such as people, computers, printers, and so on. Introduced with X.500 and further refined by LDAP is a series of definitions that have carried over into the Active Directory naming scheme. The hierarchical naming scheme is illustrated in Figure 1-1 and is explained in the next section.

Figure 1-1 The LDAP hierarchical naming scheme. [Figure: an inverted tree with Root at the top, followed by the Country (C), Organization (O), and Organizational Unit (OU) levels, with resources (users, computers, folders, printers, etc.) at the bottom; the example nodes are U.S.A., Canada, and Australia at the country level, Microsoft and Que.com at the organization level, and Accounting, Management, and Production as organizational units.]
Naming Standards of X.500 and LDAP
Originating with X.500 and expanded on by LDAP is a series of naming standards
that define the path to any object that has been defined in the directory. Because
Active Directory uses LDAP as the protocol of choice for accessing objects in the
directory, these naming paths and their components are important items that you
should know to fully understand the capabilities of Active Directory. The naming
paths include the distinguished names and relative distinguished names. Additional
identifiers that you should be familiar with include the User Principal Names
(UPNs) and Globally Unique Identifiers (GUIDs).
Distinguished Names
Each object in the LDAP inverted tree is uniquely identified by a distinguished
name (DN) that defines the complete path from the top of the tree to the object.
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
The concept of distinguished names, which originated in the X.500 specifications, is
a global one that was laid out with specific goals in mind:
■ To provide an unambiguous representation of the name of any resource
■ To provide a readily understood format for the majority of names
■ To achieve an attractive representation of information within several different
layouts
■ To clearly represent the contents of the object being defined
To achieve these goals, a series of X.500-based delimiters was developed with standard abbreviation names, some of which are seen in Figure 1-1. The complete specification of distinguished names, including its complete syntax and full list of delimiters, was given in RFC 1779; that RFC has since been superseded by RFC 2253 and then RFC 4514, which define the string form that current LDAP implementations use. The most common delimiters are as follows:
■ CN = Common Name
■ OU = Organizational Unit
■ DC = Domain Component
■ O = Organization Name
■ C = Country Name
For any given object, the DN is a unique and unambiguous identification of the ob-
ject and its location within the directory structure. In other words, two different ob-
jects can never have exactly the same DN. To specify a DN, include the name of the
object itself, followed by the containers and parent containers holding the name in
order. Note that a distinguished name may contain more than one instance of a given delimiter, as with the two DC components in the example below. A comma that is part of a value (for example, a surname-first name such as Brown, Tim) must be escaped with a backslash (CN=Brown\, Tim) so that it is not read as a delimiter. The following is an example of a distinguished name:
CN=Tim Brown,OU=Inventory,DC=Que,DC=com
NOTE Active Directory snap-in tools generally do not display the DN as shown in
the previous paragraph. This is shown here to illustrate how LDAP recognizes the
components of the DN. However, it is helpful to know the concept of the distin-
guished name and how objects fit together into the Active Directory hierarchy. You
will see more of how this fits together as you progress through this training guide;
for example, when you need to restore Active Directory objects.
Relative Distinguished Names
The relative distinguished name (RDN) is the leftmost component of the distinguished name: the attribute and value pair that names the object within its parent container. For example, in the distinguished name given previously, the RDN is the first part: CN=Tim Brown. Within any given parent container, no two objects can have the same RDN. There can, however, be two objects within different containers that have the same RDN.
An analogy could be the fact that more than one city with the same name can exist,
as long as the cities are located in different states, such as Springfield, Illinois, and
Springfield, Massachusetts. The DNs for these cities could be as follows:
CN=Springfield,OU=IL,C=US
and
CN=Springfield,OU=MA,C=US
The CN in these examples defines the exact city as opposed to a different city such
as Chicago or Boston; therefore, the CN is also the RDN here.
User Principal Names
In addition to the DN and RDN described previously, Active Directory uses the concept of a UPN, which is introduced here because it is intimately related to these other names. The UPN is a shortcut logon name for the user in the form logon name@UPN suffix, which looks like (and can be the same as) an email address. The default suffix is the DNS name of the domain that holds the account, but alternative suffixes can be added for the forest, so the UPN does not have to reveal the domain or OU in which the account sits. For example, referring to the DN described previously, the UPN could be TimB@que.com or, with an alternative suffix, TimB@inventory.que.com. A UPN must be unique across the forest.
Globally Unique Identifiers
Every object stored in Active Directory also has a unique identifier called the GUID, a 128-bit value (usually displayed as 32 hexadecimal digits) assigned when the object is created in Active Directory. The GUID is stored in an attribute called objectGUID, which exists for every object in Active Directory. Unlike the DN or RDN, this identifier never changes even if you move or rename the object. For example, an employee leaves the company and is replaced. You want the new employee to have the same rights and privileges as the old one, so you rename the user account; this account retains the GUID of the old account. However, if you were to delete an object and then later re-create another object with the same DN, the GUID would not be the same: the directory treats it as a brand-new object. This is the reason that if you have deleted an object like a user or group account and then must re-create it, you must re-create all properties and attributes associated with the object, along with its group memberships and any permissions that were granted to it.
Security Identifiers
The security identifier (SID) is a value that uniquely identifies a security principal such as a user, group, service, or computer account within the Active Directory forest. When created, every account is issued a SID. These are used to identify security principals in Windows Server 2008 for access control purposes. No two objects in the forest may have the same SID. A SID can change under certain circumstances, such as if a user is moved from one domain to another; the account then receives a new SID from the destination domain, and the old SID can be retained in the sIDHistory attribute so that existing permissions keep working. Like the GUID, if you delete an object and later re-create an object with the same name, the SID would not be the same, because a domain never reuses the relative identifier (RID) that forms the last part of the SID.
Windows Server 2008 uses the SID, rather than the GUID, in determining object
access, for reasons of backward compatibility. Windows NT 4.0 used the SID for
this purpose, and these SIDs are maintained when a Windows NT domain is up-
graded to Active Directory.
NOTE It is not possible to upgrade a Windows NT domain to Windows Server
2008. If you are still operating such an old domain, you must upgrade to either
Windows 2000 or Windows Server 2003 first. You can then upgrade to Windows
Server 2008. Upgrading of older Active Directory domains is discussed in Appendix
B, “Installing Windows Server 2008 R2.”
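Both identifiers described above are stored in binary form in the directory (objectGUID as 16 bytes, objectSid as a variable-length structure), and the administrative tools show them as strings. The following is an added example, not code from the book, written in Python: it decodes and re-encodes both forms, splits an account SID into its domain SID and RID, and shows how to escape the raw bytes into an LDAP search filter. The domain SID value is made up for illustration; the well-known RIDs in the table are the standard ones.

```python
# Added example (not from the book): decode the binary forms in which Active
# Directory stores objectSid and objectGUID, convert them to the familiar
# string forms and back, split an account SID into its domain SID and RID,
# and build LDAP search filters that match the raw bytes.
import uuid

# Relative identifiers that every domain assigns to the same built-in principals
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}


def sid_bytes_to_string(data):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count sub-authorities
    as 32-bit little-endian integers. Returns the S-1-5-... string form."""
    data = bytes(data)
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID: revision %d, %d bytes" % (revision, len(data)))
    authority = int.from_bytes(data[2:8], "big")
    subs = [int.from_bytes(data[8 + 4 * k:12 + 4 * k], "little") for k in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string, e.g. to build an objectSid search filter."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def split_account_sid(sid):
    """Domain account SIDs are S-1-5-21-<three numbers>-<RID>: return the
    domain SID, the RID, and the well-known name for the RID if there is one."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    rid = int(parts[7])
    return "-".join(parts[:7]), rid, WELL_KNOWN_RIDS.get(rid)


def guid_bytes_to_string(data):
    """objectGUID is 16 bytes in the Windows mixed-endian (bytes_le) layout."""
    if len(data) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=bytes(data)))


def guid_string_to_bytes(text):
    """Inverse of guid_bytes_to_string."""
    return uuid.UUID(text).bytes_le


def ldap_binary_filter(attribute, data):
    """RFC 4515 filter for a binary-valued attribute: every byte as \\HH."""
    return "(%s=%s)" % (attribute, "".join("\\%02x" % b for b in bytes(data)))


if __name__ == "__main__":
    # Constructed values; the domain SID is made up for illustration
    sid = "S-1-5-21-3623811015-3361044348-30300820-500"
    raw = sid_string_to_bytes(sid)
    print(sid_bytes_to_string(raw), split_account_sid(sid))
    print(ldap_binary_filter("objectSid", raw))
    print(ldap_binary_filter("objectGUID",
                             guid_string_to_bytes("12345678-1234-5678-9abc-def012345678")))
```

The filter form matters in practice: a search such as (objectSid=S-1-5-21-...) fails on many LDAP clients because the attribute is binary, whereas the escaped-byte form works everywhere, and the same escaping lets you look up an object by objectGUID after it has been moved or renamed.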
Active Directory Canonical Names
This is a version of the DN that Active Directory displays. The canonical name lists the RDN values from the root downward (that is, in reverse sequence to the DN), separated by forward slashes; it does not use the RFC 1779 naming attribute descriptors (CN=, OU=, and so on), but it does use the DNS domain name in place of the DC components. For the DN given previously, the Active Directory canonical name would be as follows:
Que.com/Inventory/Tim Brown
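The DN, RDN, and canonical-name rules in the preceding sections are mechanical enough to code. The following is an added example, not code from the book, written in Python: it parses a DN string under the RFC 4514 syntax (including backslash escapes for commas and other special characters), returns the RDN and the parent DN, and builds the canonical name by the rule just described. The sample DNs are constructed from the book's Tim Brown example.

```python
# Added example (not from the book): parse LDAP distinguished names using the
# RFC 4514 string syntax and derive the RDN, the parent DN, and the Active
# Directory canonical name. Only single-valued RDNs are handled; the
# multi-valued form (CN=a+SN=b) is not used by Active Directory.

_HEX = "0123456789abcdefABCDEF"
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn):
    """Split a DN into (attribute type, value) pairs, leftmost (the RDN) first.
    Backslash escapes (\\, for a comma, \\2C for the same single byte in hex)
    are decoded so the returned values are the real attribute values."""
    pairs, buf, attr, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in _HEX for h in pair):
                buf.append(chr(int(pair, 16)))   # \HH hex escape
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])      # \X escape of a special char
                i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()          # attribute type, e.g. CN or DC
            buf = []
        elif c == ",":
            if attr is None:
                raise ValueError("component without '=' in %r" % dn)
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        elif c == " " and not buf:
            pass                                 # optional space after a comma
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("component without '=' in %r" % dn)
    pairs.append((attr, "".join(buf)))
    return pairs


def escape_value(value):
    """Re-escape a value for use in a DN string (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIAL or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def rdn(dn):
    """The relative distinguished name: the leftmost component of the DN."""
    attr, value = parse_dn(dn)[0]
    return "%s=%s" % (attr, escape_value(value))


def parent_dn(dn):
    """The DN of the container holding the object (everything after the RDN)."""
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in parse_dn(dn)[1:])


def canonical_name(dn):
    """Active Directory canonical name: the DNS domain built from the DC
    components, then the remaining RDN values from the root downward,
    separated by forward slashes."""
    pairs = parse_dn(dn)
    dcs = [v for a, v in pairs if a.upper() == "DC"]
    rest = [v for a, v in pairs if a.upper() != "DC"]
    if not dcs:
        raise ValueError("no DC components in %r" % dn)
    # A '/' inside a value would be ambiguous, so it is escaped as \/ like AD does
    return "/".join([".".join(dcs)] + [v.replace("/", "\\/") for v in reversed(rest)])


if __name__ == "__main__":
    # Constructed DNs based on the book's example
    for dn in ("CN=Tim Brown,OU=Inventory,DC=Que,DC=com",
               r"CN=Brown\, Tim,OU=R\+D,DC=que,DC=com"):
        print(dn, "->", rdn(dn), "|", parent_dn(dn), "|", canonical_name(dn))
```

Two objects with the same RDN in different containers (the two Springfield examples above) yield equal rdn() results but different parent_dn() results, which is exactly the uniqueness rule the text states.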
The Building Blocks of Active Directory
Active Directory can support an almost unlimited scope of functions and capabili-
ties in an enterprise network, from small-scale operations to a global-scale multi-
domain enterprise. Microsoft took the concepts of X.500 and LDAP, as already
discussed, and molded them with a series of new components to come up with
Active Directory’s structure. To this end, Active Directory embraces the following
concepts:
■ Namespace
■ Object
■ Container
■ Schema
■ Global Catalog
■ Partition
Each of these concepts is briefly discussed in the following sections.
Namespaces
The concept of a namespace originated with early incarnations of the Internet. This
term refers to a bounded area within which a name is resolved or translated into
information that is encompassed by the name. For an analogy, you can think of a
telephone directory as a type of namespace in which names are resolved to phone
numbers; its area is bounded within the city, county, or other geographic area that
is served by the directory. An example in the computer world is that of a hostname
that represents an IP address. Microsoft took this concept and expanded on it until
it encompassed any type of information that anyone might have a need to locate.
Further, Microsoft made this concept dynamic so that when items were added,
moved, or removed, the directory would reflect these actions. The result was
Active Directory.
Namespaces can be either flat or hierarchical. Flat namespaces have only one level
at which they store information, such as the NetBIOS naming concepts used in
Windows NT 4. Hierarchical namespaces, as the name suggests, use several
levels of name definition, such as those found in an Internet name such as
www.sales.company.com. Here, com represents the top level, company represents a
second-level domain, sales is a subdomain, and www is a web server name. As you
are undoubtedly aware, DNS uses this type of namespace. The DNS naming
scheme is used to create the structure of the Active Directory namespace, permit-
ting interoperability with Internet technologies; therefore, the concept of name-
spaces is central to Active Directory. By integrating this concept with the system’s
directory services, Active Directory facilitates the management of multiple name-
spaces that are often found in the heterogeneous software and hardware environ-
ments of corporate networks.
A namespace is either contiguous or disjoint. The two types are defined as follows:
■ Contiguous: The name of a child object in the hierarchy contains the name of the parent object; for example, sales.que.com is a child domain of que.com, and all domains within the same tree form a contiguous namespace.
■ Disjoint: The name of a child object in the hierarchy does not contain the name of the parent object; for example, two trees in the same forest, such as que.com and example.net, have disjoint namespaces.
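As an added example that is not part of the book, the following Python code applies the contiguous versus disjoint distinction to domain names: it tests whether one name is the DNS child of another on whole-label boundaries (so that notque.com is not mistaken for a child of que.com) and partitions a list of domain names into trees. The forest domain names are constructed.

```python
# Added example (not from the book): decide whether two Active Directory
# domain names form a contiguous namespace (the same tree) or are disjoint,
# and partition a forest's domain names into trees. Domain names are made up.


def _normalize(name):
    return name.strip().rstrip(".").lower()


def is_child_of(child, parent):
    """True when child is a DNS descendant of parent. The comparison is done
    on whole labels: notque.com is not a child of que.com even though the
    string ends with 'que.com'."""
    child, parent = _normalize(child), _normalize(parent)
    return child != parent and child.endswith("." + parent)


def namespace_relation(a, b):
    """'contiguous' if one name contains the other as its parent (same tree),
    otherwise 'disjoint' (different trees, or unrelated names)."""
    return "contiguous" if is_child_of(a, b) or is_child_of(b, a) else "disjoint"


def group_into_trees(domains):
    """Map each tree root (a domain with no parent in the list) to the sorted
    list of domains in its tree. A domain whose immediate parent is not in
    the list attaches to its nearest listed ancestor."""
    ordered = sorted({_normalize(d) for d in domains}, key=lambda d: d.count("."))
    parent_of = {}
    for d in ordered:          # shallowest first, so parents are seen before children
        ancestors = [p for p in parent_of if is_child_of(d, p)]
        parent_of[d] = max(ancestors, key=len) if ancestors else None
    trees = {}
    for d in parent_of:
        root = d
        while parent_of[root] is not None:
            root = parent_of[root]
        trees.setdefault(root, []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


if __name__ == "__main__":
    forest = ["que.com", "sales.que.com", "europe.sales.que.com",
              "example.net", "corp.example.net"]
    for root, members in group_into_trees(forest).items():
        print(root, "->", members)
    print(namespace_relation("sales.que.com", "que.com"))   # contiguous
    print(namespace_relation("que.com", "example.net"))     # disjoint
```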
Objects
An object is any specific item that can be cataloged in Active Directory. Examples
of objects include users, computers, printers, folders, and files. These items are
classified by a distinct set of characteristics, known as attributes. For example, a
user can be characterized by the username, full name, telephone number, email
address, and so on. Note that objects of the same class have the same set of possible attributes but are characterized by different values of these attributes. The Active Directory schema defines the extent of attributes that can be specified for any object.
The Active Directory service, in turn, classifies objects into classes. These classes
are logical groupings of similar objects, such as users. Each class is a series of
attributes that define the characteristics of the object.
Containers
A container is an object designed to hold other objects within the directory. A folder
could be considered as a container because it holds files and subfolders that are lo-
cated beneath it. Like other objects, containers have their own attributes. Forests,
trees, domains, and OUs are all different types of containers because they all are
designed to contain other objects.
Schemas
The schema is a set of rules that define the classes of objects and their attributes that can be created in Active Directory. It defines what attributes can be held by objects of various types, which of the various classes can exist, and what object class can be a parent of the current object class. For example, user account objects are instances of the user class and possess attributes such as password, group membership, home folder, and so on.
You can mark attributes as indexed, which means that instances of the attribute are added to a searchable index on each domain controller, so that LDAP queries that filter on the attribute are answered without scanning every object in the search scope. This feature improves search time but increases the size of the Active Directory database on each domain controller and adds work whenever the attribute is updated.
When you first install Active Directory on a server, a default schema is created,
containing definitions of commonly used objects and properties such as users,
computers, and groups. This default schema also contains definitions of objects
and properties needed for the functioning of Active Directory.
The Active Directory schema is extensible; that is, you can define new types and attributes of directory objects, as well as new attributes for existing objects. In doing so, you can adapt the schema to a given type of business; for example, a wholesaler might want to add a warehouse object to the directory, including information specific to that business. Additions to the schema are stored within the Active Directory database and replicated to every domain controller in the forest. Applications can be built to extend the schema and can use such extensions immediately.
WARNING Schema modification—As discussed in Chapter 5, “Global Catalogs and Operations Masters,” modifying the schema is a serious business. Schema changes are made on the schema master, replicate to every domain controller in the forest, and cannot be undone: a class or attribute that has been added can be deactivated but never deleted. Improper modifications to the schema can therefore harm or disable the domain controllers or even the entire network. For this reason, Microsoft has included a group called Schema Admins. Only members of this group have the right to modify the schema; keep its membership empty except while a planned change is being made, and test any extension in a lab forest first.
Global Catalogs
The global catalog is a central information database that holds data describing objects throughout the Active Directory forest namespace. Domain controllers designated as global catalog servers build it by holding, in addition to the full replica of their own domain, a partial replica (a subset of the attributes) of every object from every other domain in the forest. In this way, a comprehensive and complete database of all available
Wow! eBook <WoweBook.Com>
Discovering Diverse Content Through
Random Scribd Documents
He waited at his master's board for food;
Then sought his savage kindred in the
wood,
Where grazing all the day, at night he came
To his known lodgings, and his country
dame.
This household beast, that used the
woodland grounds,
Was viewed at first by the young hero's
hounds,
As down the stream he swam, to seek
retreat
In the cool waters, and to quench his heat.
Ascanius, young, and eager of his game,
Soon bent his bow, uncertain in his aim:
But the dire fiend the fatal arrow guides,
Which pierced his bowels through his
panting sides.
The bleeding creature issues from the
floods, }
Possessed with fear, and seeks his known
abodes,}
His old familiar hearth, and household gods.
}
He falls; he fills the house with heavy
groans,
Implores their pity, and his pain bemoans.
Young Silvia beats her breast, and cries
aloud
For succour from the clownish
neighbourhood:
The churls assemble; for the fiend, who lay
In the close woody covert, urged their way.
One with a brand yet burning from the
flame,
Armed with a knotty club another came:
Whate'er they catch or find, without their
care,
Their fury makes an instrument of war.
Tyrrheus, the foster-father of the beast,
Then clenched a hatchet in his horny fist,
But held his hand from the descending
stroke, }
And left his wedge within the cloven oak, }
To whet their courage, and their rage
provoke.}
And now the goddess, exercised in ill,
Who watched an hour to work her impious
will,
Ascends the roof, and to her crooked horn,
Such as was then by Latian shepherds
borne,
Adds all her breath. The rocks and woods
around,
And mountains, tremble at the infernal
sound.
The sacred lake of Trivia from afar, }
The Veline fountains, and sulphureous Nar,
}
Shake at the baleful blast, the signal of the
war.}
Young mothers wildly stare, with fear
possessed,
And strain their helpless infants to their
breast.
The clowns, a boisterous, rude,
ungoverned crew,
With furious haste to the loud summons
flew.
The powers of Troy, then issuing on the
plain,
With fresh recruits their youthful chief
sustain:
Not theirs a raw and unexperienced train,
But a firm body of embattled men.
At first, while fortune favoured neither side,
The fight with clubs and burning brands
was tried:
But now, both parties reinforced, the fields
Are bright with flaming swords and brazen
shields.
A shining harvest either host displays,
And shoots against the sun with equal rays.
Thus, when a black-browed gust begins
to rise, }
White foam at first on the curled ocean
fries; }
Then roars the main, the billows mount the
skies; }
Till, by the fury of the storm full blown,
The muddy bottom o'er the clouds is
thrown.
First Almon falls, old Tyrrheus' eldest
care,
Pierced with an arrow from the distant war:
Fixed in his throat the flying weapon stood,
And stopped his breath, and drank his vital
blood.
Huge heaps of slain around the body rise:
Among the rest, the rich Galesus lies;
A good old man, while peace he preached
in vain,
Amidst the madness of the unruly train:
Five herds, five bleating flocks, his pastures
filled;
His lands a hundred yoke of oxen tilled.
Thus, while in equal scales their fortune
stood,
The Fury bathed them in each other's
blood;
Then, having fixed the fight, exulting flies,
And bears fulfilled her promise to the skies.
To Juno thus she speaks:—"Behold! 'tis
done,
The blood already drawn, the war begun;
The discord is complete; nor can they cease
The dire debate, nor you command the
peace.
Now, since the Latian and the Trojan brood
Have tasted vengeance, and the sweets of
blood;
Speak, and my power shall add this office
more:
The neighbouring nations of the Ausonian
shore
Shall hear the dreadful rumour, from afar,
Of armed invasion, and embrace the war."
Then Juno thus:—"The grateful work is
done,
The seeds of discord sowed, the war
begun:
Frauds, fears, and fury, have possessed the
state,
And fixed the causes of a lasting hate.
A bloody Hymen shall the alliance join
Betwixt the Trojan and Ausonian line:
But thou with speed to night and hell
repair; }
For not the gods, nor angry Jove, will bear
}
Thy lawless wandering walks in upper air. }
Leave what remains to me." Saturnia said:
}
The sullen fiend her sounding wings
displayed, }
Unwilling left the light, and sought the
nether shade. }
In midst of Italy, well known to fame,
There lies a lake (Amsanctus is the name)
Below the lofty mounts: on either side
Thick forests the forbidden entrance hide.
Full in the centre of the sacred wood,
An arm arises of the Stygian flood,
Which, breaking from beneath with
bellowing sound,
Whirls the black waves and rattling stones
around.
Here Pluto pants for breath from out his
cell,
And opens wide the grinning jaws of hell.
To this infernal lake the Fury flies;
Here hides her hated head, and frees the
labouring skies.
Saturnian Juno now, with double care,
Attends the fatal process of the war.
The clowns, returned from battle, bear the
slain,
Implore the gods, and to their king
complain.
The corpse of Almon, and the rest, are
shown:
Shrieks, clamours, murmurs, fill the frighted
town.
Ambitious Turnus in the press appears,
And, aggravating crimes, augments their
fears;
Proclaims his private injuries aloud, }
A solemn promise made, and disavowed; }
A foreign son is sought, and a mixed
mongrel brood. }
Then they, whose mothers, frantic with
their fear, }
In woods and wilds the flags of Bacchus
bear, }
And lead his dances with dishevelled hair, }
Increase the clamour, and the war demand,
(Such was Amata's interest in the land,)
Against the public sanctions of the peace,
Against all omens of their ill success.
With fates averse, the rout in arms resort,
To force their monarch, and insult the court.
But, like a rock unmoved, a rock that braves
The raging tempest and the rising waves—
Propped on himself he stands; his solid
sides
Wash off the sea-weeds, and the sounding
tides—
So stood the pious prince unmoved, and
long
Sustained the madness of the noisy throng.
But, when he found that Juno's power
prevailed,
And all the methods of cool counsel failed,
He calls the gods to witness their offence,
Disclaims the war, asserts his innocence.
"Hurried by fate," he cries, "and borne
before
A furious wind, we leave the faithful shore!
O more than madmen! you yourselves shall
bear
The guilt of blood and sacrilegious war:
Thou, Turnus, shalt atone it by thy fate,
And pray to heaven for peace, but pray too
late.
For me, my stormy voyage at an end,
I to the port of death securely tend.
The funeral pomp which to your kings you
pay,
Is all I want, and all you take away."
He said no more, but, in his walls confined,
Shut out the woes which he too well
divined;
Nor with the rising storm would vainly
strive,
But left the helm, and let the vessel drive.
A solemn custom was observed of old,
Which Latium held, and now the Romans
hold,
Their standard when in fighting fields they
rear }
Against the fierce Hyrcanians, or declare }
The Scythian, Indian, or Arabian war— }
Or from the boasting Parthians would
regain
Their eagles, lost in Carræ's bloody plain.
Two gates of steel (the name of Mars they
bear,
And still are worshipped with religious fear)
Before his temple stand: the dire abode,
And the feared issues of the furious god,
Are fenced with brazen bolts; without the
gates,
The wary guardian Janus doubly waits
Then, when the sacred senate votes the
wars,}
The Roman consul their decree declares, }
And in his robes the sounding gates unbars.
}
The youth in military shouts arise,
And the loud trumpets break the yielding
skies.
These rites, of old by sovereign princes
used,
Were the king's office: but the king refused,
Deaf to their cries, nor would the gates
unbar
Of sacred peace, or loose the imprisoned
war;
But hid his head, and, safe from loud
alarms,
Abhorred the wicked ministry of arms.
Then heaven's imperious queen shot down
from high;
At her approach the brazen hinges fly;
The gates are forced, and every falling bar;
And, like a tempest, issues out the war.
The peaceful cities of the Ausonian shore,
Lulled in their ease, and undisturbed
before,
Are all on fire; and some, with studious
care,
Their restive steeds in sandy plains prepare;
Some their soft limbs in painful marches try,
And war is all their wish, and arms the
general cry.
Part scour their rusty shields with seam;
and part
New grind the blunted axe, and point the
dart:
With joy they view the waving ensigns fly,
And hear the trumpet's clangor pierce the
sky.
Five cities forge their arms—the Atinian
powers,
Antemne, Tibur with her lofty towers,
Ardea the proud, the Crustumerian town:
All these of old were places of renown.
Some hammer helmets for the fighting
field;
Some twine young sallows to support the
shield;
The corselet some, and some the cuishes
mould,
With silver plated, and with ductile gold.
The rustic honours of the scythe and share
Give place to swords and plumes, the pride
of war.
Old faulchions are new tempered in the
fires:
The sounding trumpet every soul inspires.
The word is given; with eager speed they
lace
The shining head-piece, and the shield
embrace.
The neighing steeds are to the chariots
tied;
The trusty weapon sits on every side.
And, now the mighty labour is begun,
Ye Muses, open all your Helicon.
Sing you the chiefs that swayed the
Ausonian land,
Their arms, and armies under their
command;
What warriors in our ancient clime were
bred;
What soldiers followed, and what heroes
led.
For well you know, and can record alone,
What fame to future times conveys but
darkly down.
Mezentius first appeared upon the
plain:
Scorn sate upon his brows, and sour
disdain,
Defying earth and heaven. Etruria lost,
He brings to Turnus' aid his baffled host.
The charming Lausus, full of youthful fire,
Rode in the rank, and next his sullen sire;
To Turnus only second in the grace
Of manly mien, and features of the face.
A skilful horseman, and a huntsman bred,
With fates averse a thousand men he led:
His sire unworthy of so brave a son;
Himself well worthy of a happier throne.
Next Aventinus drives his chariot round
The Latian plains, with palms and laurels
crowned.
Proud of his steeds, he smokes along the
field;
His father's hydra fills his ample shield:
A hundred serpents hiss about the brims; }
The son of Hercules he justly seems, }
By his broad shoulders and gigantic limbs—
}
Of heavenly part, and part of earthly blood,
A mortal woman mixing with a god.
For strong Alcides, after he had slain
The triple Geryon, drove from conquered
Spain
His captive herds; and, thence in triumph
led,
On Tuscan Tyber's flowery banks they fed.
Then, on mount Aventine, the son of Jove
The priestess Rhea found, and forced to
love.
For arms, his men long piles and
javelins bore;
And poles with pointed steel their foes in
battle gore.
Like Hercules himself, his son appears
In savage pomp; a lion's hide he wears;
About his shoulders hangs the shaggy skin;
The teeth and gaping jaws severely grin.
Thus, like the god his father, homely drest,
He strides into the hall, a horrid guest.
Then two twin-brothers from fair Tibur
came,
(Which from their brother Tiburs took the
name,)
Fierce Coras and Catillus, void of fear:
Armed Argive horse they led, and in the
front appear,
Like cloud-born Centaurs, from the
mountain's height
With rapid course descending to the fight;
They rush along, the rattling woods give
way;
The branches bend before their sweepy
sway.
Nor was Præneste's founder wanting
there,
Whom fame reports the son of Mulciber:
Found in the fire, and fostered in the
plains,}
A shepherd and a king at once he reigns, }
And leads to Turnus' aid his country swains.
}
His own Præneste sends a chosen band,
With those who plough Saturnia's Gabine
land;
Besides the succour which cold Anien
yields,
The rocks of Hernicus, and dewy fields,
Anagnia fat, and father Amasene—
A numerous rout, but all of naked men:
Nor arms they wear, nor swords and
bucklers wield,
Nor drive the chariot through the dusty
field,
But whirl from leathern slings huge balls of
lead,
And spoils of yellow wolves adorn their
head;
The left foot naked, when they march to
fight,
But in a bull's raw hide they sheath the
right.
Messapus next, (great Neptune was his
sire,)
Secure of steel, and fated from the fire,
In pomp appears, and with his ardour
warms
A heartless train, unexercised in arms:
The just Faliscans he to battle brings,
And those who live where lake Ciminius
springs;
And where Feronia's grove and temple
stands,
Who till Fescennian or Flavinian lands:
All these in order march, and marching sing
The warlike actions of their sea-born king;
Like a long team of snowy swans on high,
Which clap their wings, and cleave the
liquid sky,
When, homeward from their watery
pastures borne,
They sing, and Asia's lakes their notes
return.
Not one, who heard their music from afar,
Would think these troops an army trained to
war,
But flocks of fowl, that, when the tempests
roar,
With their hoarse gabbling seek the silent
shore.
Then Clausus came, who led a
numerous band
Of troops embodied from the Sabine land,
And, in himself alone, an army brought.
'Twas he the noble Claudian race begot,
The Claudian race, ordained, in times to
come,
To share the greatness of imperial Rome.
He led the Cures forth of old renown,
Mutuscans from their olive-bearing town,
And all the Eretian powers; besides a band
That followed from Velinum's dewy land,
And Amiternian troops, of mighty fame,
And mountaineers, that from Severus came,
And from the craggy cliffs of Tetrica, }
And those where yellow Tyber takes his
way,}
And where Himella's wanton waters play. }
Casperia sends her arms, with those that lie
By Fabaris, and fruitful Foruli:
The warlike aids of Horta next appear,
And the cold Nursians come to close the
rear,
Mixed with the natives born of Latine blood,
Whom Allia washes with her fatal flood.
Not thicker billows beat the Libyan main,
When pale Orion sets in wintery rain,
Nor thicker harvests on rich Hermus rise,
Or Lycian fields, when Phœbus burns the
skies,
Than stand these troops: their bucklers ring
around;
Their trampling turns the turf, and shakes
the solid ground.
High in his chariot then Halesus came,
A foe by birth to Troy's unhappy name:
From Agamemnon born—to Turnus' aid,
A thousand men the youthful hero led,
Who till the Massic soil, for wine renowned,
And fierce Auruncans from their hilly
ground,
And those who live by Sidicinian shores,
And where with shoaly fords Vulturnus
roars,
Cales' and Osca's old inhabitants,
And rough Saticulans, inured to wants.
Light demi-lances from afar they throw,
Fastened with leathern thongs, to gall the
foe.
Short crooked swords in closer fight they
wear,
And on their warding arm light bucklers
bear.
Nor, [OE]balus, shalt thou be left
unsung,
From nymph Sebethis and old Telon sprung,
Who then in Teleboan Capri reigned;
But that short isle the ambitious youth
disdained,
And o'er Campania stretched his ample
sway,
Where swelling Sarnus seeks the Tyrrhene
sea—
O'er Batulum, and where Abella sees,
From her high towers, the harvest of her
trees.[116]
And these (as was the Teuton use of old)
Wield brazen swords, and brazen bucklers
hold;
Sling weighty stones when from afar they
fight;
Their casques are cork, a covering thick and
light.
Next these in rank, the warlike Ufens
went,
And led the mountain troops that Nursia
sent.
The rude Æquiculæ his rule obeyed;
Hunting their sport, and plundering was
their trade.
In arms they ploughed, to battle still
prepared:
Their soil was barren, and their hearts were
hard.
Umbro the priest the proud Marrubians
led,}
By king Archippus sent to Turnus' aid, }
And peaceful olives crowned his hoary
head. }
His wand and holy words, the viper's rage,
And venomed wounds of serpents, could assuage.
He, when he pleased with powerful juice to steep
Their temples, shut their eyes in pleasing sleep.
But vain were Marsian herbs, and magic art,
To cure the wound given by the Dardan dart.
Yet his untimely fate the Angitian woods
In sighs remurmured to the Fucine floods.
The son of famed Hippolytus was there,
Famed as his sire, and, as his mother, fair;
Whom in Egerian groves Aricia bore,
And nursed his youth along the marshy shore,
Where great Diana's peaceful altars flame,
In fruitful fields; and Virbius was his name.
Hippolytus, as old records have said,
Was by his stepdame sought to share her bed:
But, when no female arts his mind could move,
She turned to furious hate her impious love.
Torn by wild horses on the sandy shore, }
Another's crimes the unhappy hunter bore, }
Glutting his father's eyes with guiltless gore. }
But chaste Diana, who his death deplored,
With Æsculapian herbs his life restored:
When Jove, who saw from high, with just disdain,
The dead inspired with vital breath again,
Struck to the centre, with his flaming dart,
The unhappy founder of the godlike art.
But Trivia kept in secret shades alone,
Her care, Hippolytus, to fate unknown;
And called him Virbius in the Egerian grove,
Where then he lived obscure, but safe from Jove.
For this, from Trivia's temple and her wood, }
Are coursers driven, who shed their master's blood, }
Affrighted by the monsters of the flood. }
His son, the second Virbius, yet retained
His father's art; and warrior steeds he reined.
Amid the troops, and like the leading god,
High o'er the rest in arms, the graceful Turnus rode:
A triple pile of plumes his crest adorned,
On which with belching flames Chimæra burned:
The more the kindled combat rises higher,
The more with fury burns the blazing fire.
Fair Iö graced his shield; but Iö now
With horns exalted stands, and seems to low—
A noble charge! Her keeper by her side,
To watch her walks, his hundred eyes applied;
And on the brims her sire, the watery god,
Rolled from his silver urn his crystal flood.
A cloud of foot succeeds, and fills the fields
With swords, and pointed spears, and clattering shields;
Of Argive, and of old Sicanian bands,
And those who plough the rich Rutulian lands;
Auruncan youth, and those Sacrana yields,
And the proud Labicans, with painted shields,
And those who near Numician streams reside, }
And those whom Tyber's holy forests hide, }
Or Circe's hills from the main land divide; }
Where Ufens glides along the lowly lands,
Or the black water of Pomptina stands.
Last from the Volscians fair Camilla came,
And led her warlike troops, a warrior dame:
Unbred to spinning, in the loom unskilled,
She chose the nobler Pallas of the field.
Mixed with the first, the fierce virago fought,
Sustained the toils of arms, the danger sought,
Outstripped the winds in speed upon the plain,
Flew o'er the field, nor hurt the bearded grain:
She swept the seas, and, as she skimmed along,
Her flying feet unbathed on billows hung.
Men, boys, and women, stupid with surprise,
Where'er she passes, fix their wondering eyes:
Longing they look, and gaping at the sight,
Devour her o'er and o'er with vast delight;
Her purple habit sits with such a grace
On her smooth shoulders, and so suits her face;
Her head with ringlets of her hair is crowned,
And in a golden caul the curls are bound.
She shakes her myrtle javelin; and, behind,
Her Lycian quiver dances in the wind.
FOOTNOTES:
[115] Dr Carey substitutes the more sonorous ejaculation, Euoi!
[116] Note III.
NOTES ON ÆNEÏS, BOOK VII.
Note I.
Strange to relate! the flames, involved in smoke, &c.—P. 432.
Virgil, in this place, takes notice of a great secret in the Roman
divination: the lambent fires, which rose above the head, or played
about it, were signs of prosperity; such were those which he
observed in the second Æneïd, which were seen mounting from the
crown of Ascanius—
Ecce, levis summo de vertice visus Iüli
Fundere lumen apex.
Smoky flames (or involved in smoke) were of a mixed omen: such
were those which are here described; for smoke signifies tears,
because it produces them, and flames happiness. And therefore
Virgil says, that this ostent was not only mirabile visu, but
horrendum.
Note II.
Only one daughter heirs my crown and state.—P. 439.
This has seemed to some an odd passage; that a king should offer
his daughter and heir to a stranger prince, and a wanderer, before
he had seen him, and when he had only heard of his arrival on his
coasts. But these critics have not well considered the simplicity of
former times, when the heroines almost courted the marriage of
illustrious men. Yet Virgil here observes the rule of decency: Lavinia
offers not herself; it is Latinus, who propounds the match; and he
had been foretold, both by an augur and an oracle, that he should
have a foreign son-in-law, who was also a hero;—fathers, in those
ancient ages, considering birth and virtue, more than fortune, in the
placing of their daughters; which I could prove by various examples;
the contrary of which being now practised, I dare not say in our
nation, but in France, has not a little darkened the lustre of their
nobility. That Lavinia was averse to this marriage, and for what
reason, I shall prove in its proper place.
Note III.
--------And where Abella sees,
MCTS 70 640 Cert Guide Windows Server 2008 Active Directory Configuring 1st Edition Don Poulton

Pearson
800 East 96th Street
Indianapolis, Indiana 46240 USA
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
Don Poulton
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring
Copyright © 2011 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-4708-2
ISBN-10: 0-7897-4708-1
Library of Congress Cataloging-in-Publication Data:
Poulton, Don.
MCTS 70-640 cert guide : Windows server 2008 Active directory, configuring / Don Poulton.
p. cm.
ISBN 978-0-7897-4708-2 (hardcover w/CD)
1. Microsoft Windows server--Examinations--Study guides. 2. Operating systems (Computers)--Examinations--Study guides. 3. Directory services (Computer network technology)--Examinations--Study guides. 4. Local area networks (Computer networks)--Management--Examinations--Study guides. 5. Telecommunications engineers--Certification. 6. Electronic data processing personnel--Certification. I. Title. II. Title: Windows server 2008 Active directory, configuring.
QA76.76.O63P6685 2011
005.4'476--dc22
2010043593
Printed in the United States of America
First Printing: December 2010
Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419
corpsales@pearsontechgroup.com
For sales outside of the U.S., please contact
International Sales
international@pearson.com
Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Development Editor: Box Twelve Communications, Inc.
Managing Editor: Sandra Schroeder
Project Editor: Mandie Frank
Copy Editor: Mike Henry
Indexer: Erika Millen
Proofreader: Megan Wade
Technical Editor: Chris Crayton
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Dan Scherf
Designer: Gary Adair
Page Layout: Mark Shirar
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.
Contents at a Glance
Introduction 3
Chapter 1 Getting Started with Active Directory 17
Chapter 2 Installing and Configuring DNS for Active Directory 43
Chapter 3 Installing Active Directory Domain Services 73
Chapter 4 Configuring DNS Server Settings and Replication 107
Chapter 5 Global Catalogs and Operations Masters 143
Chapter 6 Configuring Active Directory Sites and Replication 173
Chapter 7 Additional Active Directory Roles 205
Chapter 8 Read-Only Domain Controllers 251
Chapter 9 Active Directory User and Group Accounts 281
Chapter 10 Trust Relationships in Active Directory 321
Chapter 11 Creating and Applying Group Policy Objects 345
Chapter 12 Group Policy Software Deployment 393
Chapter 13 Account Policies and Audit Policies 417
Chapter 14 Monitoring Active Directory 453
Chapter 15 Maintaining Active Directory 515
Chapter 16 Installing and Configuring Certificate Services 559
Chapter 17 Managing Certificate Templates, Enrollments, and Certificate Revocation 587
Practice Exam 629
Answers to Practice Exam 691
Appendix A Answers to the “Do I Know This Already?” Quizzes 729
Appendix B Installing Windows Server 2008 R2 763
Glossary 773
Index 796
Elements Available on CD
Appendix C Memory Tables 3
Appendix D Memory Tables Answer Key 3
  • 8. Table of Contents Introduction 3 Goals and Methods 3 How This Book Is Organized 4 Study and Exam Preparation Tips 7 Learning Styles 7 Study Tips 8 Study Strategies 9 Pretesting Yourself 10 Exam Prep Tips 10 Microsoft 70-640 Exam Topics 12 Chapter 1 Getting Started with Active Directory 17 The Foundation of Active Directory 17 X.500 17 LDAP 18 Naming Standards of X.500 and LDAP 19 Distinguished Names 19 Relative Distinguished Names 20 User Principal Names 21 Globally Unique Identifiers 21 Security Identifiers 21 Active Directory Canonical Names 22 The Building Blocks of Active Directory 22 Namespaces 22 Objects 23 Containers 24 Schemas 24 Global Catalogs 24 Partitions 25 Logical Components of Active Directory 26 Domains 26 Trees 27 Forests 27 Organizational Units 29 Sites 30 Domain Controllers 31 iv MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 9. Global Catalog Servers 31 Operations Masters 32 New Features of Active Directory in Windows Server 2008 33 Server Manager 35 Adding Roles and Features 36 Command-Line Server Management 36 Windows Server 2008 R2 37 Summary 40 Chapter 2 Installing and Configuring DNS for Active Directory 43 “Do I Know This Already?” Quiz 43 The Hierarchical Nature of DNS 48 Installing DNS on Windows Server 2008 R2 49 Configuring DNS Zones 51 DNS Zone Types 52 Primary Zones 53 Secondary Zones 53 Stub Zones 53 Active Directory–Integrated Zones 53 GlobalNames Zones 54 DNS Name Server Roles 55 Primary Name Server 55 Secondary Name Server 55 Caching-Only Server 56 Forwarders 56 Creating DNS Zones 57 Forward Lookup Zones 57 Reverse Lookup Zones 59 DNS Resource Records 61 Configuring DNS Zone Properties 62 Configuring Zone Types 63 Adding Authoritative DNS Servers to a Zone 63 Dynamic, Nondynamic, and Secure Dynamic DNS 64 Zone Scavenging 65 Time to Live 66 Integrating DNS with WINS 68 Command-Line DNS Server Administration 69 Review All the Key Topics 71 v Wow! eBook <WoweBook.Com>
  • 10. Complete the Tables and Lists from Memory 71 Definitions of Key Terms 71 Chapter 3 Installing Active Directory Domain Services 73 “Do I Know This Already?” Quiz 73 Planning the Active Directory Namespace 77 Subdividing the Active Directory Namespace 77 Administrative or Geographical Organization of Domains 78 Use of Multiple Trees 79 Best Practices 80 Creating Forests and Domains 81 Requirements for Installing Active Directory Domain Services 81 Installing Active Directory Domain Services 82 New Forests 83 New Domains in Existing Forests 88 Existing Domains 89 Performing Unattended Installations of Active Directory 90 Server Core Domain Controllers 92 Removing Active Directory 92 Interoperability with Previous Versions of Active Directory 93 Forest and Domain Functional Levels 94 Upgrading Domain and Forest Functional Levels 95 The Adprep Utility 96 Running the Adprep /forestprep Command 96 Running the Adprep /domainprep Command 97 Upgrading a Windows Server 2003 Domain Controller 97 Additional Forest and Domain Configuration Tasks 98 Verifying the Proper Installation of Active Directory 98 Active Directory Migration Tool v.3.1 100 Alternative User Principal Name Suffixes 101 Review All the Key Topics 103 Complete the Tables and Lists from Memory 103 Definitions of Key Terms 104 Chapter 4 Configuring DNS Server Settings and Replication 107 “Do I Know This Already?” Quiz 107 Configuring DNS Server Settings 112 Forwarding 112 Conditional Forwarders 114 vi MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 11. Root Hints 116 Configuring Zone Delegation 117 Debug Logging 119 Event Logging 121 DNS Security Extensions 121 Advanced Server Options 123 Server Options 123 Round Robin 124 Disable Recursion 125 Name Checking 125 Loading Zone Data 126 Server Scavenging 126 Monitoring DNS 127 Configuring Zone Transfers and Replication 128 Replication Scope 128 Types of Zone Transfers 130 Full Zone Transfer 130 Incremental Zone Transfer 131 Configuring Zone Transfers 132 Configuring DNS Notify 133 Secure Zone Transfers 134 Configuring Name Servers 136 Application Directory Partitions 138 Installing and Configuring Application Directory Partitions 138 Creating Application Directory Partition Replicas 139 Application Directory Partition Reference Domains 139 Review All the Key Topics 140 Complete the Tables and Lists from Memory 140 Definitions of Key Terms 140 Chapter 5 Global Catalogs and Operations Masters 143 “Do I Know This Already?” Quiz 143 Configuring Global Catalog Servers 148 Planning the Placement of Global Catalog Servers 148 Promoting Domain Controllers to Global Catalog Servers 150 Using Universal Group Membership Caching 151 Using Partial Attribute Sets 152 vii Wow! eBook <WoweBook.Com>
  • 12. Configuring Operations Masters 153 Schema Master 153 Configuring the Schema 154 Extending the Schema 155 Deactivating Schema Objects 159 Domain Naming Master 160 PDC Emulator 160 Time Service 161 Infrastructure Master 162 RID Master 162 Placement of Operations Masters 163 Transferring and Seizing of Operations Master Roles 164 Transferring Operations Master Roles 165 Seizing Operations Masters Roles 167 Review All the Key Topics 169 Complete the Tables and Lists from Memory 169 Definitions of Key Terms 170 Chapter 6 Configuring Active Directory Sites and Replication 173 “Do I Know This Already?” Quiz 173 The Need for Active Directory Sites 178 Configuring Sites and Subnets 179 Creating Sites 180 Adding Domain Controllers 181 Creating and Using Subnets 182 Site Links, Site Link Bridges, and Bridgehead Servers 184 The Need for Site Links and Site Link Bridges 184 Configuring Site Links 185 Site Link Bridges 185 Site Link Costs 186 Sites Infrastructure 189 Knowledge Consistency Checker 189 Intersite Topology Generator 189 Configuring Active Directory Replication 189 Concepts of Active Directory Replication 190 Intersite and Intrasite Replication 191 Distributed File System 192 One-Way Replication 193 viii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 13. Bridgehead Servers 193 Replication Protocols 194 Ports Used for Intersite Replication 195 Replication Scheduling 196 Intersite Replication Scheduling 196 Intrasite Replication Scheduling 198 Forcing Intersite Replication 200 Review All the Key Topics 201 Complete the Tables and Lists from Memory 202 Definitions of Key Terms 202 Chapter 7 Additional Active Directory Roles 205 “Do I Know This Already?” Quiz 205 New Server Roles and Features 210 Active Directory Lightweight Directory Services 211 Installing AD LDS 213 Installing the AD LDS Role 213 Installing AD LDS Instances 214 Configuring Data Within AD LDS 217 Using the ADSI Edit Snap-in 217 Using Ldp.exe 218 Using the Active Directory Schema Snap-in 220 Using the Active Directory Sites and Services Snap-in 221 Migrating to AD LDS 221 Configuring an Authentication Server 222 Creating AD LDS User Accounts and Groups 222 Binding to an AD LDS Instance with an AD LDS User 224 Using AD LDS on Server Core 224 Active Directory Rights Management Services 225 Installing AD RMS 226 Certificate Request and Installation 228 Self-Enrollments 230 Delegation 230 Active Directory Metadirectory Services 231 Active Directory Federation Services 231 Installing the AD FS Server Role 233 Configuring Trust Policies 236 User and Group Claim Mapping 237 ix Wow! eBook <WoweBook.Com>
  • 14. Configuring Federation Trusts 238 Creating Claims 239 Creating Account Stores 240 Enabling Applications 241 Creating Federation Trusts 242 Windows Server 2008 R2 Virtualization 244 Review All the Key Topics 247 Complete the Tables and Lists from Memory 247 Definitions of Key Terms 248 Chapter 8 Read-Only Domain Controllers 251 “Do I Know This Already?” Quiz 251 Installing a Read-Only Domain Controller 254 Planning the Use of RODCs 254 Installing RODCs 256 Prestaging an RODC 257 Managing a Read-Only Domain Controller 259 Unidirectional Replication 260 Administrator Role Separation 261 Read-Only DNS 262 BitLocker 263 Preparing Your Computer to Use BitLocker 265 Enabling BitLocker 265 Managing BitLocker 269 Replication of Passwords 270 Planning a Password Replication Policy 271 Configuring a Password Replication Policy 272 Credential Caching 273 Administering the RODC’s Authentication Lists 275 syskey 276 Review all the Key Topics 278 Definitions of Key Terms 278 Chapter 9 Active Directory User and Group Accounts 281 “Do I Know This Already?” Quiz 281 Creating User and Group Accounts 286 Introducing User Accounts 286 Introducing Group Accounts 287 Creating User, Computer, and Group Accounts 288 x MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 15. Use of Template Accounts 290 Using Bulk Import to Automate Account Creation 291 Csvde 292 Ldifde 293 Dsadd 294 Additional Command-Line Tools 295 Scripts 296 Configuring the UPN 296 UPN Suffixes 296 Adding or Removing UPN Suffixes 297 Configuring Contacts 298 Creating Distribution Lists 299 Managing and Maintaining Accounts 300 Creating Organizational Units 301 Configuring Group Membership 304 AGDLP/AGUDLP 306 Account Resets 308 Deny Domain Local Group 308 Protected Admin 309 Local Versus Domain Groups 310 Deprovisioning Accounts 312 Delegating Administrative Control of Active Directory Objects 313 Review All the Key Topics 317 Complete the Tables and Lists from Memory 318 Definitions of Key Terms 318 Chapter 10 Trust Relationships in Active Directory 321 “Do I Know This Already?” Quiz 321 Types of Trust Relationships 325 Transitive Trusts 325 Forest Trusts 326 External Trusts and Realm Trusts 326 Shortcut Trusts 327 Creating and Configuring Trust Relationships 328 Creating a Forest Trust Relationship 329 Creating External Trust Relationships 335 Creating Realm Trust Relationships 336 Creating Shortcut Trust Relationships 337 xi Wow! eBook <WoweBook.Com>
  • 16. Managing Trust Relationships 338 Validating Trust Relationships 338 Authentication Scope 338 SID Filtering 340 Removing a Cross-forest Trust Relationship 341 Review All the Key Topics 343 Complete the Tables and Lists from Memory 343 Definitions of Key Terms 343 Chapter 11 Creating and Applying Group Policy Objects 345 “Do I Know This Already?” Quiz 345 Overview of Group Policy 351 Components of Group Policy 351 Group Policy Containers 352 Group Policy Templates 352 New Features of Group Policy in Windows Server 2008 and Windows Server 2008 R2 354 Creating and Applying GPOs 355 Managing GPOs 359 Linking GPOs 360 Managing GPO Links 361 Deleting a GPO 362 Delegating Control of GPOs 362 Specifying a Domain Controller 365 Configuring GPO Hierarchy and Processing Priority 365 OU Hierarchy 367 Enforced 367 Block Inheritance 369 Modifying the Sequence of GPO Application 370 Disabling User Objects 370 Group Policy Filtering 371 Security Filtering of GPOs 371 Windows Management Instrumentation 374 Windows PowerShell 374 Configuring GPO Templates 376 Group Policy Loopback Processing 377 User Rights 378 ADMX Central Store 379 Administrative Templates 380 xii MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 17. Restricted Groups 384 Starter GPOs 385 Shell Access Policies 387 Review All the Key Topics 389 Complete the Tables and Lists from Memory 389 Definitions of Key Terms 390 Chapter 12 Group Policy Software Deployment 393 “Do I Know This Already?” Quiz 393 Types of Software Deployment 398 Assigning and Publishing Software 399 Assigning Software to Users 399 Assigning Software to Computers 399 Publishing Software to Users 399 Deploying Software Using Group Policy 400 ZAP Files 402 Software Installation Properties 403 Software Package Properties 405 Upgrading Software 407 Use of Transform Files to Modify Software Packages 409 Redeployment of Upgraded Software 411 Removal of Software 413 Review All the Key Topics 414 Complete the Tables and Lists from Memory 414 Definitions of Key Terms 414 Chapter 13 Account Policies and Audit Policies 417 “Do I Know This Already?” Quiz 417 Use of Group Policy to Configure Security 422 Configuring Account Policies 422 Domain Password Policies 423 Account Lockout 426 Unlocking an Account 427 Kerberos Policy 428 Fine-Grained Password Policies 428 Password Settings Precedence 429 Configuring Fine-Grained Password Policies 430 Managing Fine-Grained Password Policies 435 Viewing the Resultant PSO 435 xiii Wow! eBook <WoweBook.Com>
  • 18. Security Options 436 Using Additional Security Configuration Tools 439 Auditing of Active Directory Services 441 New Features of Active Directory Auditing 441 Using GPOs to Configure Auditing 442 Available Auditing Categories 442 Configuring Basic Auditing Policies 443 Configuring Advanced Audit Policies 446 Using Auditpol.exe to Configure Auditing 447 Review All the Key Topics 449 Complete the Tables and Lists from Memory 450 Definitions of Key Terms 450 Chapter 14 Monitoring Active Directory 453 “Do I Know This Already?” Quiz 453 Tools Used to Monitor Active Directory 459 Network Monitor 459 Task Manager 463 Configuring Application Priority 465 Event Viewer 466 Customizing Event Viewer 468 Customizing Event Viewer Detail 470 Reliability and Performance Monitor 471 Resource Monitor 473 Reliability Monitor 473 Performance Monitor 476 Data Collector Sets 479 Windows System Resource Manager 484 Server Performance Advisor 486 Monitoring and Troubleshooting Active Directory Replication 487 replmon 487 repadmin 491 replicate 491 showmeta 492 showreps 492 add 492 sync 493 syncall 493 xiv MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
  • 19. showconn 493 replsummary 494 dcdiag 494 Troubleshooting the Application of Group Policy Objects 496 Resultant Set of Policy 496 Planning Mode/Group Policy Modeling 497 Logging Mode/Group Policy Results 501 Using the Delegation of Control Wizard 509 Gpresult 509 Review All the Key Topics 512 Complete the Tables and Lists from Memory 513 Definitions of Key Terms 513 Chapter 15 Maintaining Active Directory 515 “Do I Know This Already?” Quiz 515 Backing Up and Recovering Active Directory 520 Backup Permissions 521 Use of Windows Server Backup 521 Installing Windows Server Backup 521 Backing Up Critical Volumes of a Domain Controller 522 The wbadmin Command 525 Scheduling a Backup 526 Using Removable Media 527 Recovering Active Directory 528 Directory Services Restore Mode 528 Performing a Nonauthoritative Restore 529 Using the wbadmin Command to Recover Your Server 534 Performing an Authoritative Restore 536 Recovering Back-Links of Authoritatively Restored Objects 537 Performing a Full Server Recovery of a Domain Controller 538 Linked-Value Replication and Authoritative Restore of Group Memberships 539 The Active Directory Recycle Bin 540 Enabling the Active Directory Recycle Bin 541 Using the Active Directory Recycle Bin to Restore Deleted Objects 543 Backing Up and Restoring GPOs 545 Backing Up GPOs 545 Restoring GPOs 545 Importing GPOs 547 Using Scripts for Group Policy Backup and Restore 548 xv Wow! eBook <WoweBook.Com>
  • 20. Offline Maintenance of Active Directory 549 Restartable Active Directory 549 Offline Defragmentation and Compaction 550 Online Defragmentation 551 Offline Defragmentation 551 Active Directory Database Storage Allocation 553 Review All the Key Topics 555 Complete the Tables and Lists from Memory 556 Definitions of Key Terms 556 Chapter 16 Installing and Configuring Certificate Services 559 “Do I Know This Already?” Quiz 559 What’s New with Certificate Services in Windows Server 2008? 563 New Features of Active Directory Certificate Services in Windows Server 2008 R2 564 Installing Active Directory Certificate Services 565 Configuring Certificate Authority Types and Hierarchies 565 Installing Root CAs 567 Installing Subordinate CAs 571 Understanding Certificate Requests 571 Using Certificate Practice Statements 572 Configuring Certificate Authority Server Settings 573 Installing the Certificates Snap-in 573 Working with Certificate Stores 575 Using Group Policy to Import Certificates 575 Backing Up Certificates and Keys 576 Restoring Certificates and Keys 577 Using Group Policy to Enable Credential Roaming 578 Backing Up and Restoring Certificate Databases 580 Assigning Administration Roles 581 Configuring Certificate Server Permissions 582 Review All the Key Topics 583 Complete the Tables and Lists from Memory 584 Definitions of Key Terms 584 Chapter 17 Managing Certificate Templates, Enrollments, and Certificate Revocation 587 “Do I Know This Already?” Quiz 587 Managing Certificate Templates 592 xvi MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Wow! eBook <WoweBook.Com>
Understanding Certificate Template Types 592
Configuring Certificate Templates 593
Securing Template Permissions 595
Enabling the Use of Templates 597
Managing Different Certificate Template Versions 597
Archiving Keys 599
Configuring Key Recovery Agents 599
Managing Certificate Enrollments 602
Understanding Network Device Enrollment Services 602
Enabling Certificate Autoenrollment 605
Configuring Web Enrollment 606
Configuring Smart Card Enrollment 609
Creating Enrollment Agents 610
Using Group Policy to Require Smart Cards for Logon 614
Managing Certificate Revocation 616
Configuring Certificate Revocation Lists 617
Configuring a CRL Distribution Point 619
Troubleshooting CRLs 620
Configuring Online Responders 621
Configuring Responder Properties 622
Adding a Revocation Configuration 623
Configuring Arrays 624
Configuring Authority Information Access 624
Review All the Key Topics 625
Complete the Tables and Lists from Memory 626
Definitions of Key Terms 626
Practice Exam 629
Answers to Practice Exam 691
Appendix A Answers to the “Do I Know This Already?” Quizzes 729
Appendix B Installing Windows Server 2008 R2 763
Glossary 773
Index 796
Elements Available on CD
Appendix C Memory Tables 3
Appendix D Memory Tables Answer Key 3
About the Author

Don Poulton (A+, Network+, Security+, MCSA, MCSE) is an independent consultant who has been involved with computers since the days of 80-column punch cards. After a career of more than 20 years in environmental science, Don switched careers and trained as a Windows NT 4.0 MCSE. He has been involved in consulting with a couple of small training providers as a technical writer, during which time he wrote training and exam prep materials for Windows NT 4.0, Windows 2000, and Windows XP. Don has written or contributed to several titles, including Security+ Lab Manual (Que, 2004); MCSA/MCSE 70-299 Exam Cram 2: Implementing and Administering Security in a Windows 2003 Network (Exam Cram 2) (Que, 2004); MCSE 70-294 Exam Prep: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (Que, 2006); MCTS 70-620 Exam Prep: Microsoft Windows Vista, Configuring (Que, 2008); and MCTS 70-680 Cert Guide: Microsoft Windows 7, Configuring (Que, 2011).

In addition, he has worked on programming projects, both in his days as an environmental scientist and more recently with Visual Basic to update an older statistical package used for multivariate analysis of sediment contaminants. When not working on computers, Don is an avid amateur photographer who has had his photos displayed in international competitions and published in magazines such as Michigan Natural Resources Magazine and National Geographic Traveler. Don also enjoys traveling and keeping fit. Don lives in Burlington, Ontario, with his wife, Terry.
Dedication

I would like to dedicate this book to my wife Terry, who has stood by my side and supported me throughout the days spent writing this book. This project would not have been possible without her love and support.

Acknowledgments

I would like to thank all the staff at Pearson and in particular Betsy Brown for making this project possible. My sincere thanks goes out to Chris Crayton for his helpful technical suggestions, as well as Jeff Riley, development editor, and Mike Henry, copy editor, for their improvements to the manuscript.

—Don Poulton
About the Technical Reviewer

Christopher A. Crayton is an author, technical editor, technical consultant, security consultant, trainer, and SkillsUSA state-level technology competition judge. Formerly, he worked as a computer and networking instructor at Keiser College (2001 Teacher of the Year); as network administrator for Protocol, a global electronic customer relationship management (eCRM) company; and at Eastman Kodak Headquarters as a computer and network specialist. Chris has authored several print and online books, including The A+ Exams Guide, Second Edition (Cengage Learning, 2008); Microsoft Windows Vista 70-620 Exam Guide Short Cut (O’Reilly, 2007); CompTIA A+ Essentials 220-601 Exam Guide Short Cut (O’Reilly, 2007); The A+ Exams Guide (Charles River Media, 2008); The A+ Certification and PC Repair Handbook (Charles River Media, 2005); The Security+ Exam Guide (Charles River Media, 2003); and A+ Adaptive Exams (Charles River Media, 2002). He is also coauthor of How to Cheat at Securing Your Network (Syngress, 2007). As an experienced technical editor, Chris has provided many technical edits/reviews for several major publishing companies, including Pearson Education, McGraw-Hill, Cengage Learning, Wiley, O’Reilly, Syngress, and Apress. He holds MCSE, A+, and Network+ certifications.
We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

As an associate publisher for Pearson Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@pearsonitcertification.com
Mail: Dave Dusthimer
Associate Publisher
Pearson Education
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services

Visit our website and register this book at www.pearsonITcertification.com/register for convenient access to any updates, downloads, or errata that might be available for this book.
Introduction

MCTS Windows Server 2008 Active Directory, Configuring Cert Guide (Exam 70-640) is designed for network administrators, network engineers, and consultants who are pursuing the Microsoft Certified Technology Specialist (MCTS) or Microsoft Certified IT Professional (MCITP) certifications for Windows Server 2008. This book covers the “TS: Microsoft Windows Server 2008 Active Directory, Configuring” exam (70-640), which earns you the Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration certification. The exam is designed to measure your skill and ability to implement, administer, and troubleshoot Active Directory running on Windows Server 2008. Microsoft not only tests you on your knowledge of Active Directory, but it has purposefully developed questions on the exam to force you to problem-solve in the same way that you would when presented with a real-life error. Passing this exam demonstrates your competency in administration.

This book covers all the objectives that Microsoft has established for exam 70-640. It doesn’t offer end-to-end coverage of Active Directory in Windows Server 2008; rather, it helps you develop the specific core competencies that you need to master as an Active Directory administrator. You should be able to pass the exam by learning the material in this book, without taking a class.

Goals and Methods

The number-one goal of this book is a simple one: to help you get ready to take—and pass—Microsoft Certification Exam 70-640, “TS: Windows Server 2008 Active Directory, Configuring.” You will find information within this book that will help ensure your success as you pursue this Microsoft exam and the Technology Specialist or IT Professional certification. Because Microsoft certification exams stress problem-solving abilities and reasoning more than memorization of terms and facts, our goal is to help you master and understand the required objectives for the 70-640 exam.
To aid you in mastering and understanding the MCTS certification objectives, this book uses the following methods:

■ Opening topics list: This defines the topics to be covered in the chapter; it also lists the corresponding 70-640 exam objectives.
■ Do I Know This Already Quizzes: At the beginning of each chapter is a quiz. The quizzes, and answers/explanations (found in Appendix A), are meant to gauge your knowledge of the subjects. If the answers to the questions don’t come readily to you, be sure to read the entire chapter.
■ Foundation Topics: The heart of the chapter. Explains the topics from a hands-on and a theory-based standpoint. This includes in-depth descriptions, tables, and figures that are geared to build your knowledge so that you can pass the exam. The chapters are broken down into several topics each.
■ Key Topics: The key topics indicate important figures, tables, and lists of information that you should know for the exam. They are interspersed throughout the chapter and are listed in table form at the end of the chapter.
■ Memory Tables: These can be found on the DVD within Appendix C, “Memory Tables.” Use them to help memorize important information.
■ Key Terms: Key terms without definitions are listed at the end of each chapter. Write down the definition of each term and check your work against the complete key terms in the glossary.

How This Book Is Organized

Although this book could be read cover-to-cover, it is designed to be flexible and enable you to easily move between chapters and sections of chapters to cover just the material that you need more work with. If you do intend to read all the chapters, the order in the book is an excellent sequence to use.

Chapter 1, “Getting Started with Active Directory,” is an introductory chapter that presents the concepts around which Active Directory is built.
It serves as a reference to the material that follows and eases users who are new to Active Directory into the book. If you have worked with Active Directory in Windows 2000 or Windows Server 2003, you might want to start with Chapter 2; however, you should take a look at the overview presented here of new capabilities of Active Directory in Windows Server 2008 and its R2 update.
The core chapters, Chapters 2 through 17, cover the following topics:

■ Chapter 2, “Installing and Configuring DNS for Active Directory”: This chapter focuses on the concepts of Domain Name System (DNS) required for setting up an Active Directory domain. You learn about how to install DNS on your server and how to set up and configure DNS zones.
■ Chapter 3, “Installing Active Directory Domain Services”: This chapter shows you how to set up your first domain. It then continues to discuss creating additional domain controllers in this domain and child domain controllers. It also discusses the requirements that must be met when upgrading domains based on older Windows server versions to allow them to operate in Windows Server 2008 with complete functionality.
■ Chapter 4, “Configuring DNS Server Settings and Replication”: This chapter builds on Chapter 2 to delve into additional items that you must configure in server settings, zone transfers, and DNS replication.
■ Chapter 5, “Global Catalogs and Operations Masters”: Proper operation of global catalog servers and operations masters is vital to the day-to-day functioning of your domain and forest. This chapter focuses on the configuration and troubleshooting steps necessary with these specialized domain controllers.
■ Chapter 6, “Configuring Active Directory Sites and Replication”: Active Directory divides forests and domains on a geographical basis by using sites. To function properly, Active Directory depends on data replication among all its domain controllers. This chapter shows you how to set up sites and ensure that all directory objects are located in the site corresponding to their locations. It then continues with configuring replication, both on an intrasite and intersite basis.
■ Chapter 7, “Additional Active Directory Roles”: This chapter takes care of other Active Directory roles including Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Service (AD RMS). AD LDS is designed to provide additional directory services where an additional domain and its domain controllers are not required. AD RMS enhances security in your domain by enabling the creation of rights-protected files and folders that can be accessed only by authorized users. AD FS provides a single sign-on capability for authenticating users to multiple web-based applications.
■ Chapter 8, “Read-Only Domain Controllers”: This chapter discusses how to set up a read-only domain controller (RODC) and configure its interaction with
other (writable) domain controllers in your forest. An RODC is useful in a situation such as a branch office where physical security of the domain controller might be of concern.
■ Chapter 9, “Active Directory User and Group Accounts”: This chapter shows you how to create user and group accounts in Active Directory, including methods for bulk creation of large numbers of accounts. It introduces the various types and scopes of groups available in Active Directory and the recommended methods of nesting these groups to facilitate the provision of access to resources in your forest. It also looks at account properties, creation of organizational units (OUs), and delegation of control.
■ Chapter 10, “Trust Relationships in Active Directory”: By default, all domains in a forest trust each other. However, you might need to access objects located in another forest, and this chapter talks about methods you might use to provide and troubleshoot such access. Windows Server 2008 provides several types of trust relationships that can be used for meeting different requirements.
■ Chapter 11, “Creating and Applying Group Policy Objects”: Group Policy is at the heart and soul of resource management in Active Directory. This chapter shows you how to set up Group Policy objects and configure them to apply to users, groups, and OUs as required. The hierarchy of GPO application and the methods to modify this hierarchy are also discussed.
■ Chapter 12, “Group Policy Software Deployment”: This chapter shows you how to use Group Policy for deploying software to large numbers of users so that they have the applications they need to perform their jobs. You also learn how to upgrade software when new editions and features become available and how to remove software when it is no longer required by users.
■ Chapter 13, “Account Policies and Audit Policies”: This chapter expands the coverage of Group Policy to include policies that govern the safety and security of accounts in your domain and audit access to Active Directory objects and components so that you can meet the increasingly complex regulatory requirements.
■ Chapter 14, “Monitoring Active Directory”: This chapter focuses on the tools you can use to monitor the functionality of Active Directory. You also learn about the tools and methods used for monitoring Active Directory replication as well as the tools and techniques you can use to monitor and troubleshoot the application of Group Policy.
■ Chapter 15, “Maintaining Active Directory”: This chapter shows you how to back up, recover, restart, and troubleshoot Active Directory and its components.
You learn how to perform nonauthoritative and authoritative restore of Active Directory and how to use the new Windows Server 2008 R2 Active Directory Recycle Bin.
■ Chapter 16, “Installing and Configuring Certificate Services”: A system of certificates is vital to carrying out secure business, especially when an Internet presence is required. This chapter shows you how to set up a hierarchy of certificate servers within Active Directory and back up, restore, and archive your certificates and keys.
■ Chapter 17, “Managing Certificate Templates, Enrollments, and Certificate Revocation”: Certificates issued by your servers require management to ensure that users requiring certificates can obtain them, and that compromised certificates are revoked and cannot be used by unauthorized parties. This chapter looks at these topics and helps you to ensure the security of your certificate hierarchy.

In addition to the 17 main chapters, this book includes tools to help you verify that you are prepared to take the exam. The CD includes the glossary, practice test, and memory tables that you can work through to verify your knowledge of the subject matter.

Study and Exam Preparation Tips

It’s a rush of adrenaline during the final day before an exam. If you’ve scheduled the exam on a workday, or following a workday, you will find yourself cursing the tasks you normally cheerfully perform because the back of your mind is telling you to read just a bit more, study another scenario, practice another skill so that you will be able to get this exam out of the way successfully.

The way that Microsoft has designed its tests lately does not help. I remember taking Microsoft exams many years ago and thoroughly understanding the term “paper certified.” Nowadays, you can’t get through a Microsoft exam without knowing the material so well that when confronted with a problem, whether a scenario or real-life situation, you can handle the challenge.
Instead of trying to show the world how many MCSEs are out there, Microsoft is trying to prove how difficult it is to achieve a certification, including the newly created MCTS and MCITP as well as the MCSE and MCSA, thereby making those who are certified more valuable to their organizations.

Learning Styles

To best understand the nature of preparation for the test, it is important to understand learning as a process. You are probably aware of how you best learn new
material. You might find that outlining works best for you, or, as a visual learner, you might need to “see” things. Or, as a person who studies kinesthetically, the hands-on approach serves you best. Whether you need models or examples, or you just like exploring the interface, or whatever your learning style, solid test preparation works best when it takes place over time. Obviously, you shouldn’t start studying for a certification exam the night before you take it; it is very important to understand that learning is a developmental process. Understanding learning as a process helps you focus on what you know and what you have yet to learn.

People study in a combination of different ways: by doing, by seeing, and by hearing and writing. This book’s design fulfills all three of these study methods. For the kinesthetic, there are key topics scattered throughout each chapter. You will also discover step-by-step procedural instructions that walk you through the skills you need to master Active Directory in Windows Server 2008. The visual learner can find plenty of screen shots explaining the concepts described in the text. The auditory learner can reinforce skills by reading out loud and copying down key concepts and exam tips scattered throughout the book. You can also practice writing down the meaning of the key terms defined in each chapter, and in completing the memory tables for most chapters found on the accompanying DVD. While reading this book, you will realize that it stands the test of time. You will be able to turn to it over and over again.

Thinking about how you learn should help you recognize that learning takes place when you are able to match new information to old. You have some previous experience with computers and networking. Now you are preparing for this certification exam.
Using this book, software, and supplementary materials will not just add incrementally to what you know; as you study, the organization of your knowledge actually restructures as you integrate new information into your existing knowledge base. This leads you to a more comprehensive understanding of the tasks and concepts outlined in the objectives and of computing in general. Again, this happens as a result of a repetitive process rather than a singular event. If you keep this model of learning in mind as you prepare for the exam, you will make better decisions concerning what to study and how much more studying you need to do.

Study Tips

There are many ways to approach studying, just as there are many different types of material to study. However, the tips that follow should work well for the type of material covered on Microsoft certification exams.
Study Strategies

Although individuals vary in the ways they learn information, some basic principles of learning apply to everyone. You should adopt some study strategies that take advantage of these principles. One of these principles is that learning can be broken into various depths. Recognition (of terms, for example) exemplifies a rather surface level of learning in which you rely on a prompt of some sort to elicit recall. Comprehension or understanding (of the concepts behind the terms, for example) represents a deeper level of learning than recognition. The ability to analyze a concept and apply your understanding of it in a new way represents further depth of learning.

Your learning strategy should enable you to know the material at a level or two deeper than mere recognition. This will help you perform well on the exams. You will know the material so thoroughly that you can go beyond the recognition-level types of questions commonly used in fact-based multiple-choice testing. You will be able to apply your knowledge to solve new problems.

Macro and Micro Study Strategies

One strategy that can lead to deep learning includes preparing an outline that covers all the objectives and subobjectives for the particular exam you are planning to take. You should delve a bit further into the material and include a level or two of detail beyond the stated objectives and subobjectives for the exam. Then you should expand the outline by coming up with a statement of definition or a summary for each point in the outline.

An outline provides two approaches to studying. First, you can study the outline by focusing on the organization of the material. You can work your way through the points and subpoints of your outline, with the goal of learning how they relate to one another. For example, you should be sure you understand how each of the main objective areas for Exam 70-640 is similar to and different from another.
Then you should do the same thing with the subobjectives; you should be sure you know which subobjectives pertain to each objective area and how they relate to one another.

Next, you can work through the outline, focusing on learning the details. You should memorize and understand terms and their definitions, facts, rules and tactics, advantages and disadvantages, and so on. In this pass through the outline, you should attempt to learn detail rather than the big picture (the organizational information that you worked on in the first pass through the outline).

Research has shown that attempting to assimilate both types of information at the same time interferes with the overall learning process. If you separate your studying into these two approaches, you will perform better on the exam.
Active Study Strategies

The process of writing down and defining objectives, subobjectives, terms, facts, and definitions promotes a more active learning strategy than merely reading the material does. In human information-processing terms, writing forces you to engage in more active encoding of the information. Simply reading over the information leads to more passive processing. Using this study strategy, you should focus on writing down the items that are highlighted in the book—bulleted or numbered lists, key topics, notes, cautions, and review sections, for example.

You need to determine whether you can apply the information you have learned by attempting to create examples and scenarios on your own. You should think about how or where you could apply the concepts you are learning. Again, you should write down this information to process the facts and concepts in an active fashion.

Common-Sense Strategies

You should follow common-sense practices when studying: You should study when you are alert, reduce or eliminate distractions, and take breaks when you become fatigued.

Pretesting Yourself

Pretesting allows you to assess how well you are learning. One of the most important aspects of learning is what has been called meta-learning. Meta-learning has to do with realizing when you know something well or when you need to study some more. In other words, you recognize how well or how poorly you have learned the material you are studying. For most people, this can be difficult to assess. Memory tables, practice questions, and practice tests are useful in that they reveal objectively what you have learned and what you have not learned. You should use this information to guide review and further studying.
Developmental learning takes place as you cycle through studying, assessing how well you have learned, reviewing, and assessing again until you feel you are ready to take the exam.

You might have noticed the practice exam included in this book. You should use it as part of the learning process. The Exam Gear test-simulation software included on this book’s CD-ROM also provides you with an excellent opportunity to assess your knowledge.

You should set a goal for your pretesting. A reasonable goal would be to score consistently in the 90% range.

Exam Prep Tips

After you have mastered the subject matter, the final preparatory step is to understand how the exam will be presented. Make no mistake: An MCTS exam challenges
both your knowledge and your test-taking skills. Preparing for the 70-640 exam is a bit different from preparing for those old Microsoft exams. The following is a list of things that you should consider doing:

■ Combine your skill sets into solutions: In the past, exams would test whether you knew to select the right letter of a multiple choice answer. Today, you need to know how to resolve a problem that may involve different aspects of the material covered. For example, on exam 70-640 you could be presented with a problem that requires you to understand how to configure Group Policy to apply to a specific set of users and not to other users, and to troubleshoot this policy if it is not properly applied. The skills themselves are simple. Being able to zero in on what caused the problem and then to resolve it for a specific situation is what you need to demonstrate. In fact, you should not only be able to select one answer, but also multiple parts of a total solution.
■ Delve into excruciating details: The exam questions incorporate a great deal of information in the scenarios. Some of the information is ancillary: It will help you rule out possible issues, but not necessarily resolve the answer. Some of the information simply provides you with a greater picture, as you would have in real life. Some information is key to your solution. For example, you might be presented with a question that lists the components of an Active Directory domain such as the number of server and client computers, the organizational unit (OU) structure, and so on. When you delve further into the question, you realize that the OU structure is the problem. Other times, you will find that the OU structure simply eliminates one or more of the answers that you could select. If you don’t pay attention to what you can eliminate, the answer can elude you completely. And other times, the hardware configuration simply lets you know that the hardware is adequate.
■ Microsoft likes to quiz exam takers on the latest modifications of its technology: From time to time, Microsoft seeds new questions into its exam database and beta tests these questions on exam takers. During the beta period for each question, its answer is not taken into account in computing the final score. However, when Microsoft is satisfied with the question’s performance, it becomes live and is scored appropriately. You can expect to see questions that test your knowledge of the latest changes in Active Directory technology, including the enhancements introduced in 2009 with Windows Server 2008 R2.
■ It’s a GUI test: Microsoft has expanded its testing criteria into interface recognition. You should be able to recognize each dialog box, properties sheet, options, and defaults. You will be tested on how to perform typical configuration actions in Active Directory. In fact, Microsoft has begun to include performance-based questions on its exams that instruct you to perform a given task and presents
you with a live version of some Active Directory tool. You must complete the required actions and no others; otherwise, your response will be scored as incorrect.
■ Practice with a time limit: The tests have always been time restricted, but it takes more time to read and understand the scenarios now and time is a whole lot tighter. To get used to the time limits, test yourself with a timer. Know how long it takes you to read scenarios and select answers.

Microsoft 70-640 Exam Topics

Table I-1 lists the exam topics for the Microsoft 70-640 exam. This table also lists the book parts in which each exam topic is covered.

Table I-1 Microsoft 70-640 Exam Topics

Chapter 1
Topics: The Foundation of Active Directory; The Building Blocks of Active Directory; New Features of Active Directory in Windows Server 2008
70-640 Exam Objectives Covered: (n/a)

Chapter 2
Topics: The Hierarchical Nature of DNS; Installing DNS on Windows Server 2008; Configuring DNS Zones
70-640 Exam Objectives Covered: Configuring Domain Name System (DNS) for Active Directory
■ Configure Zones

Chapter 3
Topics: Planning the Active Directory Namespace; Creating Forests and Domains; Upgrading Older Versions of Active Directory; Additional Forest and Domain Configuration Tasks
70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
■ Configure a forest or a domain

Chapter 4
Topics: Configuring DNS Server Settings; Configuring Zone Transfers and Replication
70-640 Exam Objectives Covered: Configuring Domain Name System (DNS) for Active Directory
■ Configure DNS Server Settings
■ Configure DNS Zone Transfers and Replication
Chapter 5
Topics: Configuring Global Catalog Servers; Configuring Operations Masters
70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
■ Configure the global catalog
■ Configure operations masters

Chapter 6
Topics: The Need for Active Directory Sites; Configuring Sites and Subnets; Site Links, Site Link Bridges, and Bridgehead Servers; Configuring Active Directory Replication
70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
■ Configure sites
■ Configure Active Directory replication

Chapter 7
Topics: New Server Roles and Features; Active Directory Lightweight Directory Services (AD LDS); Active Directory Rights Management Services (AD RMS); Active Directory Federation Services (AD FS); Windows Server 2008 R2 Virtualization
70-640 Exam Objectives Covered: Configuring Additional Active Directory Server Roles
■ Configure Active Directory Lightweight Directory Services (AD LDS)
■ Configure Active Directory Rights Management Service (AD RMS)
■ Configure Active Directory Federation Services (AD FS)

Chapter 8
Topics: Installing a Read-Only Domain Controller; Managing a Read-Only Domain Controller
70-640 Exam Objectives Covered: Configuring Additional Active Directory Server Roles
■ Configure the read-only domain controller (RODC)

Chapter 9
Topics: Creating User and Group Accounts; Managing and Maintaining Accounts
70-640 Exam Objectives Covered: Creating and Maintaining Active Directory Objects
■ Automate creation of Active Directory accounts
■ Maintain Active Directory accounts

Chapter 10
Topics: Types of Trust Relationships; Creating and Configuring Trust Relationships; Managing Trust Relationships
70-640 Exam Objectives Covered: Configuring the Active Directory Infrastructure
■ Configure trusts
  • 38. 14 MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 70-640 Exam Objectives Covered 11 Overview of Group Policy Creating and Applying GPOs Configuring GPO Templates Creating and Maintaining Active Directory Objects ■ Create and apply Group Policy objects (GPOs) ■ Configure GPO templates 12 Types of Software Deployment Deploying Software Using Group Policy Upgrading Software Removal of Software Creating and Maintaining Active Directory Objects ■ Configure software deployment GPOs 13 Use of Group Policy to Configure Security Auditing of Active Directory Services Creating and Maintaining Active Directory Objects ■ Configure account policies ■ Configure audit policy by using GPOs 14 Tools Used to Monitor Active Directory Monitoring and Troubleshooting Active Directory Replication Troubleshooting the Application of Group Policy Objects Maintaining the Active Directory Environment ■ Monitor Active Directory 15 Backing Up and Recovering Active Directory Offline Maintenance of Active Directory Maintaining the Active Directory Environment ■ Configure backup and recovery ■ Perform offline maintenance 16 What’s New with Certificate Services in Windows Server 2008? Installing Active Directory Certificate Services Configuring Certificate Authority Server Settings Configuring Active Directory Certificate Services ■ Install Active Directory Certificate Services ■ Configure CA server settings Wow! eBook <WoweBook.Com>
  • 39. Introduction 15 Table I-1 Microsoft 70-640 Exam Topics Chapter Topics 70-640 Exam Objectives Covered 17 Managing Certificate Templates Managing Certificate Enrollments Managing Certificate Revocation Configuring Active Directory Certificate Services ■ Manage certificate templates ■ Manage enrollments ■ Manage certificate revocation Wow! eBook <WoweBook.Com>
This chapter covers the following subjects:

■ The Foundation of Active Directory: This section describes the X.500 and Lightweight Directory Access Protocol (LDAP) standards, which are the foundations Microsoft used when it first designed Active Directory.
■ The Building Blocks of Active Directory: This section describes the components that Microsoft took from X.500 and LDAP to build the hierarchical structure that is Active Directory.
■ The Logical Components of Active Directory: This section describes the logical building blocks that Microsoft assembled in creating the structure of Active Directory.
■ The New Features of Active Directory in Windows Server 2008: This section presents a brief overview of the new features that Microsoft added when it created Windows Server 2008 and its enhancement, Release 2 (R2).
CHAPTER 1
Getting Started with Active Directory

Beginning with Windows 2000, Microsoft completely revolutionized its concept of Windows domains. Gone was the limited size and flat namespace of Windows NT domains, and in its place was the hierarchical Active Directory domain structure built on the concepts of X.500 and Lightweight Directory Access Protocol (LDAP). Active Directory has matured since its introduction in Windows 2000 and its refinement in Windows Server 2003, and now includes Windows Server 2008's new features, improved functionality, and ease of configuration and management.

Those of you who have worked with Active Directory in Windows 2000 or Windows Server 2003 will be familiar with much of the content of this chapter. You might want to skip to the section that describes what is new with Active Directory in Windows Server 2008, toward the end of this chapter. For those of you who are new to server and network management, or who have worked only with Windows NT networks, this book begins with a brief introduction to the concepts that Microsoft used to put Active Directory together.

The Foundation of Active Directory

Before studying the structure of Active Directory itself, we take a little time to introduce the X.500 and Lightweight Directory Access Protocol (LDAP) standards, because they are central to understanding Active Directory and its structure.

X.500

X.500 was originally developed to help users on a network locate users elsewhere for sending email messages. It used an inverted tree to identify and describe all objects contained in a hierarchical database. First appearing in 1988, it relied on an inverted tree hierarchy in which countries formed the top level (next to the root), and organizations and their organizational units formed branches beneath them. It was also used to provide information to applications that need to access resources elsewhere on the network, or to management systems that need to know the name and location of objects on the network. The complete hierarchical X.500 system was known as the directory.

Three types of information were used by X.500 to locate resources:

■ Name services located specific names.
■ Electronic address books identified addresses on the network.
■ Directory services of centrally managed electronic address books helped users search across networks.

The complete directory database, called the Directory Information Base (DIB), provides a total information-locating resource. Entries in the database are known as objects. These include items such as user accounts, files and folders, and resources such as printers.

The problem with X.500 was that it proved more complex than most organizations needed. As originally created, it was also much too open for the entire world to see. In addition, it was expensive and, in its original implementation, slower than other resource-locating methods.

LDAP

LDAP is a protocol, defined by the Internet Engineering Task Force (IETF), that was originally designed as a lightweight front-end client service for X.500-compatible directory services. Alternatively, it can function as a directory service on its own. It keeps the X.500 data model but runs directly over TCP/IP instead of the full OSI protocol stack, so it needs far fewer system resources than a native X.500 implementation.

LDAP is used as an Internet directory standard that is capable of providing open access to directory services over the Internet or a corporate intranet. Using a text-based query system, it enables users to quickly and easily query directories containing information such as usernames, email addresses, telephone numbers, and other user attributes. It has gone through several versions that are defined in Requests for Comments (RFCs) for use as Internet standards. Active Directory supports versions 2 and 3 of LDAP; version 3 (RFC 4510 and its companion documents) is the one current clients use, and version 2 is kept only for backward compatibility. One practical caveat: an LDAP simple bind sends the password in clear text unless the session is protected by TLS (LDAPS on TCP port 636, or StartTLS on port 389), so queries that authenticate with a password should use one of those.

The most recent implementations of LDAP go beyond the X.500 standards in providing what a global directory service needs. Included are features such as support for the extended character sets used by various global languages and an easier referral mechanism to hand queries from one server to another. There is also an extension mechanism that facilitates future development of the LDAP standard.

LDAP uses the inverted tree concept originated by X.500 to identify and describe all objects contained in its database. Entries within LDAP's inverted tree can include containers that hold other objects and leaf objects that represent entities such as people, computers, printers, and so on. Introduced with X.500 and further refined by LDAP is a series of definitions that have carried over into the Active Directory naming scheme. The hierarchical naming scheme is illustrated in Figure 1-1 and is explained in the next section.

[Figure 1-1 The LDAP hierarchical naming scheme. The figure shows an inverted tree: the Root at the top; Country (C) entries such as U.S.A., Canada, and Australia; Organization (O) entries such as Que.com and Microsoft beneath a country; Organizational Unit (OU) entries such as Accounting, Management, and Production beneath an organization; and resources (users, computers, folders, printers, etc.) at the leaves.]

Naming Standards of X.500 and LDAP

Originating with X.500 and expanded on by LDAP is a series of naming standards that define the path to any object defined in the directory. Because Active Directory uses LDAP as the protocol of choice for accessing objects in the directory, these naming paths and their components are important items that you should know to fully understand the capabilities of Active Directory. The naming paths include distinguished names and relative distinguished names. Additional identifiers that you should be familiar with include User Principal Names (UPNs) and Globally Unique Identifiers (GUIDs).

Distinguished Names

Each object in the LDAP inverted tree is uniquely identified by a distinguished name (DN) that defines the complete path from the top of the tree to the object.
The concept of distinguished names, which originated in the X.500 specifications, is a global one that was laid out with specific goals in mind:

■ To provide an unambiguous representation of the name of any resource
■ To provide a readily understood format for the majority of names
■ To achieve an attractive representation of information within several different layouts
■ To clearly represent the contents of the object being defined

To achieve these goals, a series of X.500-based delimiters was developed with standard abbreviated names, some of which are seen in Figure 1-1. The string representation of distinguished names, including its complete syntax and full list of delimiters, was originally specified in RFC 1779; that RFC has since been superseded by RFC 2253 and then RFC 4514, which define the escaping rules that the Active Directory LDAP interface follows today. The most common delimiters are as follows:

■ CN = Common Name
■ OU = Organizational Unit
■ DC = Domain Component
■ O = Organization Name
■ C = Country Name

For any given object, the DN is a unique and unambiguous identification of the object and its location within the directory structure. In other words, two different objects can never have exactly the same DN. To specify a DN, write the name of the object itself, followed by its container and each parent container in order. Note that a distinguished name may contain more than one instance of a given delimiter. The following is an example of a distinguished name:

CN=Tim Brown,OU=Inventory,DC=Que,DC=com

Because the comma separates DN components, a comma (or any of the characters , + " \ < > ; and a leading # or space) inside a value must be escaped with a backslash, for example CN=Brown\, Tim. Code that builds DNs or LDAP search filters from user-supplied names without escaping them is a classic source of injection bugs.

NOTE Active Directory snap-in tools generally do not display the DN as shown in the previous paragraph. It is shown here to illustrate how LDAP recognizes the components of the DN. However, it is helpful to know the concept of the distinguished name and how objects fit together into the Active Directory hierarchy. You will see more of how this fits together as you progress through this training guide; for example, when you need to restore Active Directory objects.

Relative Distinguished Names

The relative distinguished name (RDN) is the most granular part of the distinguished name: the single attribute that names the object itself within its parent container. For example, in the distinguished name given previously, the RDN is the first part: CN=Tim Brown. Within any given parent container, no two objects can have the same RDN. There can, however, be two objects within different containers that have the same RDN. An analogy is that more than one city with the same name can exist, as long as the cities are located in different states, such as Springfield, Illinois, and Springfield, Massachusetts. The DNs for these cities could be as follows:

CN=Springfield,OU=IL,C=US and CN=Springfield,OU=MA,C=US

The CN in these examples defines the exact city as opposed to a different city such as Chicago or Boston; therefore, the CN is also the RDN here.

User Principal Names

In addition to the DN and RDN described previously, Active Directory uses the concept of a UPN, which is introduced here because it is intimately related to these other names. The UPN is a shortcut name for the user, in the form logon-name@suffix, that can be the same as the user's email address. By default the suffix is the DNS name of the user's own domain, so for the DN described previously the UPN would be TimB@que.com; an administrator can add alternative UPN suffixes at the forest level (for example inventory.que.com), and because UPNs are accepted as logon names they should be unique across the forest.

Globally Unique Identifiers

Every object stored in Active Directory also has a unique identifier called the GUID, a 128-bit value (usually displayed as hexadecimal) assigned when the object is created in Active Directory. The GUID is stored in an attribute called objectGUID, which exists for every object in Active Directory. Unlike the DN or RDN, this identifier never changes, even if you move or rename the object. For example, an employee leaves the company and is replaced. You want the new employee to have the same rights and privileges as the old one, so you rename the user account; this account retains the GUID of the old account. However, if you delete an object and later re-create another object with the same DN, the GUID is not the same; this is the reason that if you have deleted an object such as a user or group account and then must re-create it, you must re-create all properties and attributes associated with the object, including the group memberships and permissions that referred to the old object. The alternative is to recover the original object rather than re-create it, for example from backup (Chapter 15) or, in a Windows Server 2008 R2 forest, from the Active Directory Recycle Bin.
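The following Python example is added here and is not code from the cert guide or from Microsoft. It parses a DN string under the RFC 4514 escaping rules (so that an escaped comma such as CN=Brown\, Tim stays inside its value rather than starting a new component) and derives from it the RDN, the DNS domain name from the DC components, the default UPN, and the slash-separated path that Active Directory displays (the canonical name described later in this chapter). The chapter's own DN is used as one sample; the second DN, with escaped characters, is constructed for illustration.

```python
"""LDAP distinguished-name handling for Active Directory (added example).

Parses a DN string according to the RFC 4514 string representation
(backslash escapes and \\XX hex pairs) and derives the RDN, the DNS
domain name, the default UPN and Active Directory's canonical name.
"""

import string
from typing import List, Tuple

# Characters RFC 4514 requires to be escaped inside a value. A raw comma in a
# CN would be read as the start of the next RDN, so "Brown, Tim" must be
# written "Brown\, Tim". Multi-valued RDNs ('+') are not used by Active
# Directory, so '+' is handled only as an escaped literal here.
SPECIAL_CHARS = ',+"\\<>;='


def escape_value(value: str) -> str:
    """Escape one attribute value for safe inclusion in a DN (RFC 4514 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL_CHARS or (i == 0 and ch in ' #') or (i == len(value) - 1 and ch == ' '):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into [(type, value), ...], most specific component first.
    Escapes are resolved, so an escaped comma stays inside its value."""
    components: List[Tuple[str, str]] = []
    attr_chars: List[str] = []
    value_chars: List[str] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if not in_value:
            if ch == '=':
                in_value = True
                i += 1
                while i < n and dn[i] == ' ':   # unescaped spaces after '=' are not part of the value
                    i += 1
            else:
                attr_chars.append(ch)
                i += 1
            continue
        if ch == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                value_chars.append(chr(int(pair, 16)))   # \XX hex escape
                i += 3
            elif i + 1 < n:
                value_chars.append(dn[i + 1])            # \c literal escape
                i += 2
            else:
                raise ValueError('dangling backslash in DN')
            continue
        if ch == ',':
            components.append((''.join(attr_chars).strip(), ''.join(value_chars)))
            attr_chars, value_chars, in_value = [], [], False
            i += 1
            while i < n and dn[i] == ' ':   # "CN=a, OU=b" is legal; skip the space
                i += 1
            continue
        value_chars.append(ch)
        i += 1
    if not in_value:
        raise ValueError('DN component without "=": %r' % dn)
    components.append((''.join(attr_chars).strip(), ''.join(value_chars)))
    return components


def rdn(dn: str) -> str:
    """The relative distinguished name: the first component, re-escaped."""
    attr, value = split_dn(dn)[0]
    return f'{attr}={escape_value(value)}'


def dns_domain(dn: str) -> str:
    """Join the DC components in order: DC=Que,DC=com -> Que.com."""
    dcs = [value for attr, value in split_dn(dn) if attr.upper() == 'DC']
    if not dcs:
        raise ValueError('no DC components; not an Active Directory DN')
    return '.'.join(dcs)


def canonical_name(dn: str) -> str:
    """Active Directory's display form: DNS domain, then the containers from
    the root down, then the object's own RDN value, joined by '/'. A '/'
    inside a value is escaped as '\\/' so it is not mistaken for a separator."""
    components = split_dn(dn)
    path = [value.replace('/', '\\/') for attr, value in reversed(components) if attr.upper() != 'DC']
    return '/'.join([dns_domain(dn)] + path)


def default_upn(dn: str, logon_name: str) -> str:
    """The default UPN suffix is the DNS name of the object's own domain,
    never the OU; alternative suffixes must be registered by an administrator."""
    return f'{logon_name}@{dns_domain(dn)}'


# Constructed samples: the chapter's example DN, and one whose values contain
# characters that must be escaped (comma, plus, and a slash written as \2F).
DN_SIMPLE = 'CN=Tim Brown,OU=Inventory,DC=Que,DC=com'
DN_ESCAPED = r'CN=Brown\, Tim,OU=R\+D\2FOps,DC=que,DC=com'

if __name__ == '__main__':
    for sample in (DN_SIMPLE, DN_ESCAPED):
        print(sample)
        print('  components :', split_dn(sample))
        print('  RDN        :', rdn(sample))
        print('  canonical  :', canonical_name(sample))
        print('  default UPN:', default_upn(sample, 'TimB'))
```

The parser deliberately refuses a dangling backslash and a component with no "=" instead of guessing, because a DN that fails to parse is usually either corrupt input or an attempt to smuggle a separator past the escaping rules.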
Security Identifiers

The security identifier (SID) is a value that uniquely identifies a security principal such as a user, group, service, or computer account within the Active Directory forest. When created, every account is issued a SID. These are used to identify security principals in Windows Server 2008 for access control purposes: every access control entry in an ACL names its principal by SID, not by name. No two objects in the forest may have the same SID. A SID can change under certain circumstances, such as when a user is moved from one domain to another; migration tools can copy the old SID into the account's sIDHistory attribute so that existing ACL entries keep working, which is why SID filtering on trusts matters. Like the GUID, if you delete an object and later re-create an object with the same name, the SID will not be the same.

Windows Server 2008 uses the SID, rather than the GUID, in determining object access, for reasons of backward compatibility. Windows NT 4.0 used the SID for this purpose, and these SIDs are maintained when a Windows NT domain is upgraded to Active Directory.

NOTE It is not possible to upgrade a Windows NT domain directly to Windows Server 2008. If you are still operating such an old domain, you must upgrade to either Windows 2000 or Windows Server 2003 first. You can then upgrade to Windows Server 2008. Upgrading older Active Directory domains is discussed in Appendix B, "Installing Windows Server 2008 R2."

Active Directory Canonical Names

This is a version of the DN that Active Directory displays. The canonical name lists the RDN values from the root downward (that is, in reverse sequence to the DN), separated by slashes; it does not use the RFC 1779 attribute type descriptors, but it does use the DNS domain name. For the DN given previously, the Active Directory canonical name would be as follows:

Que.com/Inventory/Tim Brown

The Building Blocks of Active Directory

Active Directory can support an almost unlimited scope of functions and capabilities in an enterprise network, from small-scale operations to a global-scale multidomain enterprise. Microsoft took the concepts of X.500 and LDAP, as already discussed, and molded them with a series of new components to come up with Active Directory's structure. To this end, Active Directory embraces the following concepts:

■ Namespace
■ Object
■ Container
■ Schema
■ Global Catalog
■ Partition

Each of these concepts is briefly discussed in the following sections.

Namespaces

The concept of a namespace originated with early incarnations of the Internet. The term refers to a bounded area within which a name is resolved, or translated, into the information that the name represents. For an analogy, you can think of a telephone directory as a type of namespace in which names are resolved to phone numbers; its area is bounded by the city, county, or other geographic area that the directory serves. An example in the computer world is a hostname that represents an IP address. Microsoft took this concept and expanded it until it encompassed any type of information that anyone might need to locate. Further, Microsoft made the concept dynamic, so that when items are added, moved, or removed, the directory reflects those actions. The result was Active Directory.

Namespaces can be either flat or hierarchical. Flat namespaces have only one level at which they store information, such as the NetBIOS naming used in Windows NT 4. Hierarchical namespaces, as the name suggests, use several levels of name definition, such as those found in an Internet name like www.sales.company.com. Here, com represents the top level, company represents a second-level domain, sales is a subdomain, and www is a web server name. As you are undoubtedly aware, DNS uses this type of namespace. The DNS naming scheme is used to create the structure of the Active Directory namespace, permitting interoperability with Internet technologies; therefore, the concept of namespaces is central to Active Directory. By integrating this concept with the system's directory services, Active Directory facilitates the management of the multiple namespaces that are often found in the heterogeneous software and hardware environments of corporate networks.

The two types of namespaces are contiguous and disjointed. They are defined as follows:

■ Contiguous: The name of a child object in the hierarchy contains the name of the parent object; for example, the relationship between domains within the same tree (sales.company.com is a child of company.com).
■ Disjointed: The name of a child object in the hierarchy does not contain the name of the parent object; for example, the relationship between different trees in the same forest.
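objectGUID and objectSid are returned by LDAP as raw bytes, and both have byte-order traps. The following Python example is added here (it is not code from the cert guide or from Microsoft) to decode both into the string forms discussed in the Globally Unique Identifiers and Security Identifiers sections above, and to separate a domain SID into the issuing domain and the RID, flagging well-known privileged RIDs. The sample byte strings are constructed here, not taken from a real directory.

```python
"""Decoding Active Directory binary identifiers (added example).

Converts raw objectGUID and objectSid attribute values into their string
forms and splits a domain SID into the domain part and the RID.
"""

import struct
import uuid
from typing import Optional, Tuple

# RIDs that Windows reserves inside every domain. Anything carrying one of
# these (including in sIDHistory) is a privileged principal worth flagging.
WELL_KNOWN_RIDS = {
    500: 'Administrator',
    502: 'krbtgt',
    512: 'Domain Admins',
    516: 'Domain Controllers',
    518: 'Schema Admins',
    519: 'Enterprise Admins',
}


def guid_to_string(raw: bytes) -> str:
    """objectGUID is 16 bytes in Windows (little-endian) field order, so it
    must be decoded with bytes_le=, not bytes=."""
    if len(raw) != 16:
        raise ValueError('objectGUID must be 16 bytes, got %d' % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def guid_misdecoded(raw: bytes) -> str:
    """The common mistake: treating the bytes as big-endian silently swaps the
    first three fields and yields a GUID that matches no object."""
    return str(uuid.UUID(bytes=raw))


def sid_to_string(raw: bytes) -> str:
    """objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), then count little-endian
    32-bit sub-authorities. Returns the S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError('SID too short')
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(raw[2:8], 'big')
    subs = struct.unpack_from('<%dI' % count, raw, 8)
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def split_domain_sid(sid: str) -> Tuple[Optional[str], Optional[int]]:
    """For a domain-issued SID S-1-5-21-a-b-c-RID return (domain SID, RID).
    Well-known SIDs such as S-1-5-32-544 (BUILTIN\\Administrators) are not
    domain-issued and yield (None, None)."""
    parts = sid.split('-')
    if len(parts) == 8 and parts[:4] == ['S', '1', '5', '21']:
        return '-'.join(parts[:-1]), int(parts[-1])
    return None, None


def describe_sid(raw: bytes) -> dict:
    """Decode a raw SID and annotate it with domain, RID and well-known name."""
    sid = sid_to_string(raw)
    domain, rid = split_domain_sid(sid)
    return {'sid': sid, 'domain_sid': domain, 'rid': rid,
            'well_known': WELL_KNOWN_RIDS.get(rid) if rid is not None else None}


# Constructed samples. SAMPLE_SID is the built-in Administrator (RID 500) of a
# made-up domain; SAMPLE_GUID is 12345678-1234-5678-9abc-def012345678 stored
# as AD stores it (first three fields byte-swapped).
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, 'big') + struct.pack('<5I', 21, 3623811015, 3361044348, 30300820, 500)
SAMPLE_GUID = bytes.fromhex('78563412341278569abcdef012345678')
BUILTIN_ADMINS = bytes([1, 2]) + (5).to_bytes(6, 'big') + struct.pack('<2I', 32, 544)

if __name__ == '__main__':
    print('objectGUID      :', guid_to_string(SAMPLE_GUID))
    print('misdecoded GUID :', guid_misdecoded(SAMPLE_GUID))
    print('objectSid       :', describe_sid(SAMPLE_SID))
    print('BUILTIN group   :', describe_sid(BUILTIN_ADMINS))
```

The length checks in sid_to_string matter in practice: a truncated or padded objectSid read from a log or a packet capture should be rejected rather than decoded into a plausible-looking but wrong SID.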
Objects

An object is any specific item that can be cataloged in Active Directory. Examples of objects include users, computers, printers, folders, and files. These items are described by a distinct set of characteristics, known as attributes. For example, a user can be characterized by the username, full name, telephone number, email address, and so on. Note that, in general, objects of the same class have the same types of attributes but are characterized by different values of those attributes. The Active Directory schema defines the extent of attributes that can be specified for any object. The Active Directory service, in turn, classifies objects into classes. These classes are logical groupings of similar objects, such as users. Each class is defined by a set of attributes that describe the characteristics of its objects.

Containers

A container is an object designed to hold other objects within the directory. A folder could be considered a container because it holds the files and subfolders located beneath it. Like other objects, containers have their own attributes. Forests, trees, domains, and OUs are all different types of containers because they are all designed to contain other objects.

Schemas

The schema is the set of rules that defines the classes of objects, and their attributes, that can be created in Active Directory. It defines which attributes objects of each class can hold, which classes can exist, and which classes can be the parent of a given class. For example, the user class defines user account objects and carries attributes such as the password, group membership, home folder, and so on.

You can mark attributes as indexed, which means that the values of that attribute are added to a searchable index so that queries filtering on the attribute can be answered without examining every object. This feature improves search time but increases the size (and replication time) of the Active Directory database.

When you first install Active Directory on a server, a default schema is created, containing definitions of commonly used objects and properties such as users, computers, and groups. This default schema also contains definitions of objects and properties needed for the functioning of Active Directory.

The Active Directory schema is extensible; that is, you can define new types and attributes of directory objects, as well as new attributes for existing objects. In doing so, you can adapt the schema to a given type of business; for example, a wholesaler might want to add a warehouse object to the directory, including information specific to that business. Additions to the schema are stored within the Active Directory database and replicate automatically to every domain controller in the forest. Applications can be built to extend the schema and can use such extensions as soon as the change has replicated.

WARNING Schema modification: As discussed in Chapter 5, "Global Catalogs and Operations Masters," modifying the schema is a serious business. Improper modifications to the schema can harm or disable the domain controllers or even the entire network, and a schema class or attribute can never be deleted, only deactivated. For this reason, Microsoft has included a group called Schema Admins, which exists only in the forest root domain. Only members of this group have the right to modify the schema, and changes are written on the single domain controller that holds the schema master role. Keep this group empty except while a planned change is being made.

Global Catalogs

The global catalog is a central information database that holds data describing objects throughout the Active Directory forest namespace. Active Directory builds the global catalog by replicating a partial, read-only copy of every domain's directory partition (a subset of each object's attributes) to the domain controllers designated as global catalog servers. In this way, a comprehensive and complete database of all available
  • 62. They sing, and Asia's lakes their notes return. Not one, who heard their music from afar, Would think these troops an army trained to war, But flocks of fowl, that, when the tempests roar, With their hoarse gabbling seek the silent shore. Then Clausus came, who led a numerous band Of troops embodied from the Sabine land, And, in himself alone, an army brought. 'Twas he the noble Claudian race begot, The Claudian race, ordained, in times to come, To share the greatness of imperial Rome. He led the Cures forth of old renown, Mutuscans from their olive-bearing town, And all the Eretian powers; besides a band That followed from Velinum's dewy land, And Amiternian troops, of mighty fame, And mountaineers, that from Severus came, And from the craggy cliffs of Tetrica, } And those where yellow Tyber takes his way,} And where Himella's wanton waters play. } Casperia sends her arms, with those that lie By Fabaris, and fruitful Foruli: The warlike aids of Horta next appear, And the cold Nursians come to close the rear, Mixed with the natives born of Latine blood, Whom Allia washes with her fatal flood. Not thicker billows beat the Libyan main, When pale Orion sets in wintery rain,
  • 63. Nor thicker harvests on rich Hermus rise, Or Lycian fields, when Phœbus burns the skies, Than stand these troops: their bucklers ring around; Their trampling turns the turf, and shakes the solid ground. High in his chariot then Halesus came, A foe by birth to Troy's unhappy name: From Agamemnon born—to Turnus' aid, A thousand men the youthful hero led, Who till the Massic soil, for wine renowned, And fierce Auruncans from their hilly ground, And those who live by Sidicinian shores, And where with shoaly fords Vulturnus roars, Cales' and Osca's old inhabitants, And rough Saticulans, inured to wants. Light demi-lances from afar they throw, Fastened with leathern thongs, to gall the foe. Short crooked swords in closer fight they wear, And on their warding arm light bucklers bear. Nor, Œbalus, shalt thou be left unsung, From nymph Sebethis and old Telon sprung, Who then in Teleboan Capri reigned; But that short isle the ambitious youth disdained, And o'er Campania stretched his ample sway, Where swelling Sarnus seeks the Tyrrhene sea—
  • 64. O'er Batulum, and where Abella sees, From her high towers, the harvest of her trees.[116] And these (as was the Teuton use of old) Wield brazen swords, and brazen bucklers hold; Sling weighty stones when from afar they fight; Their casques are cork, a covering thick and light. Next these in rank, the warlike Ufens went, And led the mountain troops that Nursia sent. The rude Æquiculæ his rule obeyed; Hunting their sport, and plundering was their trade. In arms they ploughed, to battle still prepared: Their soil was barren, and their hearts were hard. Umbro the priest the proud Marrubians led,} By king Archippus sent to Turnus' aid, } And peaceful olives crowned his hoary head. } His wand and holy words, the viper's rage, And venomed wounds of serpents, could assuage. He, when he pleased with powerful juice to steep Their temples, shut their eyes in pleasing sleep. But vain were Marsian herbs, and magic art,
  • 65. To cure the wound given by the Dardan dart. Yet his untimely fate the Angitian woods In sighs remurmured to the Fucine floods. The son of famed Hippolytus was there, Famed as his sire, and, as his mother, fair; Whom in Egerian groves Aricia bore, And nursed his youth along the marshy shore, Where great Diana's peaceful altars flame, In fruitful fields; and Virbius was his name. Hippolytus, as old records have said, Was by his stepdame sought to share her bed: But, when no female arts his mind could move, She turned to furious hate her impious love. Torn by wild horses on the sandy shore, } Another's crimes the unhappy hunter bore, } Glutting his father's eyes with guiltless gore.} But chaste Diana, who his death deplored, With Æsculapian herbs his life restored: When Jove, who saw from high, with just disdain, The dead inspired with vital breath again, Struck to the centre, with his flaming dart, The unhappy founder of the godlike art. But Trivia kept in secret shades alone, Her care, Hippolytus, to fate unknown; And called him Virbius in the Egerian grove, Where then he lived obscure, but safe from Jove. For this, from Trivia's temple and her wood, }
  • 66. Are coursers driven, who shed their master's blood,} Affrighted by the monsters of the flood. } His son, the second Virbius, yet retained His father's art; and warrior steeds he reined. Amid the troops, and like the leading god, High o'er the rest in arms, the graceful Turnus rode: A triple pile of plumes his crest adorned, On which with belching flames Chimæra burned: The more the kindled combat rises higher, The more with fury burns the blazing fire. Fair Iö graced his shield; but Iö now With horns exalted stands, and seems to low— A noble charge! Her keeper by her side, To watch her walks, his hundred eyes applied; And on the brims her sire, the watery god, Rolled from his silver urn his crystal flood. A cloud of foot succeeds, and fills the fields With swords, and pointed spears, and clattering shields; Of Argive, and of old Sicanian bands, And those who plough the rich Rutulian lands; Auruncan youth, and those Sacrana yields, And the proud Labicans, with painted shields, And those who near Numician streams reside, } And those whom Tyber's holy forests hide, } Or Circe's hills from the main land divide; }
  • 67. Where Ufens glides along the lowly lands, Or the black water of Pomptina stands. Last from the Volscians fair Camilla came, And led her warlike troops, a warrior dame: Unbred to spinning, in the loom unskilled, She chose the nobler Pallas of the field. Mixed with the first, the fierce virago fought, Sustained the toils of arms, the danger sought, Outstripped the winds in speed upon the plain, Flew o'er the field, nor hurt the bearded grain: She swept the seas, and, as she skimmed along, Her flying feet unbathed on billows hung. Men, boys, and women, stupid with surprise, Where'er she passes, fix their wondering eyes: Longing they look, and gaping at the sight, Devour her o'er and o'er with vast delight; Her purple habit sits with such a grace On her smooth shoulders, and so suits her face; Her head with ringlets of her hair is crowned, And in a golden caul the curls are bound. She shakes her myrtle javelin; and, behind, Her Lycian quiver dances in the wind.
  • 68. FOOTNOTES: [115] Dr Carey substitutes the more sonorous ejaculation, Euoi! [116] Note III.
  • 69. NOTES ON ÆNEÏS, BOOK VII. Note I. Strange to relate! the flames, involved in smoke, &c.—P. 432. Virgil, in this place, takes notice of a great secret in the Roman divination: the lambent fires, which rose above the head, or played about it, were signs of prosperity; such were those which he observed in the second Æneïd, which were seen mounting from the crown of Ascanius— Ecce, levis summo de vertice visus Iüli Fundere lumen apex. Smoky flames (or involved in smoke) were of a mixed omen: such were those which are here described; for smoke signifies tears, because it produces them, and flames happiness. And therefore
  • 70. Virgil says, that this ostent was not only mirabile visu, but horrendum. Note II. Only one daughter heirs my crown and state.—P. 439. This has seemed to some an odd passage; that a king should offer his daughter and heir to a stranger prince, and a wanderer, before he had seen him, and when he had only heard of his arrival on his coasts. But these critics have not well considered the simplicity of former times, when the heroines almost courted the marriage of illustrious men. Yet Virgil here observes the rule of decency: Lavinia offers not herself; it is Latinus, who propounds the match; and he had been foretold, both by an augur and an oracle, that he should have a foreign son-in-law, who was also a hero;—fathers, in those ancient ages, considering birth and virtue, more than fortune, in the placing of their daughters; which I could prove by various examples; the contrary of which being now practised, I dare not say in our nation, but in France, has not a little darkened the lustre of their nobility. That Lavinia was averse to this marriage, and for what reason, I shall prove in its proper place. Note III. --------And where Abella sees,