<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>4sysops &#187; Articles</title>
	<atom:link href="http://4sysops.com/archives/category/articles/feed/" rel="self" type="application/rss+xml" />
	<link>http://4sysops.com</link>
	<description>For Windows Administrators</description>
	<lastBuildDate>Tue, 07 Feb 2012 21:23:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<image>
    <title>4sysops</title>
    <url>http://4sysops.com/4sysops-rss.png</url>
    <link>http://4sysops.com</link>
    <width>143</width>
    <height>49</height>
    <description>4sysops.com</description>
    </image>		<item>
		<title>Microsoft Exam 70-640 &#8211; Active Directory trusts</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-active-directory-trusts/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-active-directory-trusts/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 19:05:26 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7967</guid>
		<description><![CDATA[In this article we will review the subject area “Configure Active Directory trusts” from the Microsoft 70-640 certification exam objective.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article we will review the subject area “Configure Active Directory trusts” from the Microsoft 70-640 certification exam objective.</i></strong></p>
<p>In <a href="http://4sysops.com/archives/microsoft-certification-exam-70-640-overview/">this series</a>, we will move through the content blueprint of the <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640">Microsoft Windows Active Directory Configuration (70-640)</a> exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.</p>
<p>The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) trust relationships.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/Microsoft-Exam-70-640-Configure-Active-Directory-trusts.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/02/Microsoft-Exam-70-640-Configure-Active-Directory-trusts.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Microsoft Exam 70-640 – Configure Active Directory trusts" src="http://4sysops.com/wp-content/uploads/2012/02/Microsoft-Exam-70-640-Configure-Active-Directory-trusts_thumb.png" alt="Microsoft Exam 70-640 – Configure Active Directory trusts" width="600" height="366" /></a></p>
<p align="center"><em>Microsoft Exam 70-640 – Configure Active Directory Trusts</em></p>
<p>The “Configuring the Active Directory Infrastructure” section deals with some pretty intense material if you are not already an experienced Windows Server administrator. In particular, the subject of trusts can get pretty abstract and difficult to comprehend.</p>
<p>By way of preliminary definition, a trust in Active Directory simply enables user accounts, group accounts, and computer accounts from one domain to access shared resources in another domain. Trusts in Active Directory are bi-directional by default; this is in stark contrast to trusts in Windows NT 4.0, which were one-way only.</p>
<p>We can create and manage trust relationships by using either the <strong>Active Directory Domains and Trusts</strong> GUI tool or the <strong>Netdom</strong> command-line utility.</p>
<p>Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies and procedures that are referenced in this subobjective:</p>
<ul>
<li>Forest Trust</li>
<li>Selective Authentication vs. Forest-Wide Authentication</li>
<li>Transitive Trust</li>
<li>External Trust</li>
<li>Shortcut Trust</li>
<li>SID Filtering</li>
</ul>
<h2>Forest Trust</h2>
<p>A forest trust is a resource sharing relationship that is defined between two separate Active Directory forests. These forests can be owned by the same organization, or can represent a partnership between two different organizations.</p>
<p>Forest trusts exist between the forest root (first) domains in each forest, and involve quite a bit of flexibility. They can be one-way or two-way, although all forest trusts are transitive (as are domain trusts).</p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc757352%28WS.10%29.aspx">What are Domain and Forest Trusts?</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc775736%28WS.10%29.aspx">Trust Types</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc771397.aspx">Understanding When to Create a Forest Trust</a></li>
</ul>
<h2>Selective Authentication vs. Forest-Wide Authentication</h2>
<p>Forest-wide authentication is the default behavior for forest trusts in Active Directory. This means that users in one forest’s domain can (potentially) log on to and access resources in any domain in the second forest. This obviously presents some security concerns for many AD administrators. To remedy this, we have the selective authentication feature, in which we can granularly specify which domains are accessible to users across a forest trust.</p>
<p>The selective authentication feature is also known in the interface and in the Microsoft literature as the “authentication firewall.”</p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc816580%28WS.10%29.aspx">Configuring Selective Authentication Settings</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc794747%28WS.10%29.aspx">Enable Selective Authentication over a Forest Trust</a></li>
</ul>
<h2>Transitive Trust</h2>
<p>As previously stated, Active Directory domain trusts are transitive by default. What this means is that the trust transits, or moves, among connected domains.</p>
<p>In the following figure, we can see that because domain A has an explicit trust relationship defined with domains B and C, users in domain B can access resources in domain C (and vice-versa), even though the two domains don’t have a separate trust relationship defined.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/Transitive-Active-Directory-trusts.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/02/Transitive-Active-Directory-trusts.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Transitive Active Directory  trusts" src="http://4sysops.com/wp-content/uploads/2012/02/Transitive-Active-Directory-trusts_thumb.png" alt="Transitive Active Directory  trusts" width="500" height="420" /></a></p>
<p align="center"><em>Transitive Active Directory trust</em></p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc739693%28WS.10%29.aspx">Trust Transitivity</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc759554%28WS.10%29.aspx">Trust Technologies</a></li>
</ul>
<h2>External Trust</h2>
<p>An external trust is a non-transitive trust between a local domain (which for exam purposes almost always assumes a Windows Server 2008 R2 forest functional level) and a forest root domain in another forest.</p>
<p>Although an external trust “looks” like a forest trust because it connects root domains in separate Active Directory forests, Microsoft considers the external trust to be a separate and distinct trust type.</p>
<p>The non-transitive nature of the external trust means that the trusting domain can be highly selective in which forest resources are accessible to the trusted domain. As we discussed earlier, selective authentication allows us to loosen the black-and-white restrictions imposed by an external trust.</p>
<p>External trusts are sometimes used when our users need access to resources located in a “legacy” Windows NT 4.0 domain or an Active Directory domain that exists in a forest not involved in a forest trust.</p>
<p><em><strong>NOTE:</strong> A related type of external trust is the realm trust, which involves a transitive or non-transitive, one-way or two-way link between the Active Directory domain and a Kerberos realm (perhaps a Mac OS X Open Directory master).</em></p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc755427%28WS.10%29.aspx">When to Create an External Trust</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc816837%28WS.10%29.aspx">Creating External Trusts</a></li>
</ul>
<h2>Shortcut Trust</h2>
<p>A shortcut trust is a one-way or two-way transitive trust that is explicitly defined between two domains in a forest. We use shortcut trusts as a way to shorten logon times for users who frequently access resources in remote domains.</p>
<p>The dashed line in the following exhibit denotes a shortcut trust defined between domains C and E. Instead of an authentication request from domain C having to “walk the tree” up to domain A, which is the ordinary case, the request is passed directly across the shortcut trust to domain E. This is efficiency, friends!</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/Active-Directory-Shortcut-trust.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/02/Active-Directory-Shortcut-trust.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Active Directory - Shortcut trust" src="http://4sysops.com/wp-content/uploads/2012/02/Active-Directory-Shortcut-trust_thumb.png" alt="Active Directory - Shortcut trust" width="500" height="428" /></a></p>
<p align="center"><em>Active Directory &#8211; Shortcut trust</em></p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc737939%28WS.10%29.aspx">When to Create a Shortcut Trust</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc782387%28WS.10%29.aspx">Creating Shortcut Trusts</a></li>
</ul>
<h2>SID Filtering</h2>
<p>As you know, user accounts are known internally by Active Directory not by “friendly” name or username but by the object’s Security Identifier, or SID. When a forest administrator uses the Active Directory Migration Tool (ADMT) or another means to migrate a user account from one domain to another within a forest, AD stores both the new and the old SIDs for the user, which saves the admin from re-adding the user to discretionary access control lists (DACLs) on shared resources. This is called SID history.</p>
<p>SID filtering is a security feature and configurable option in Windows Server 2008 R2 that applies to external trusts. We use SID filtering to allow SIDs from a trusted domain to access our local resources, but to block migrated SIDs/SID history SIDs from coming across the trust.</p>
<p><em>Relevant links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc772633%28WS.10%29.aspx">Configuring SID Filtering Settings</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc974396%28WS.10%29.aspx">Using SID Filtering When Migrating User Accounts</a></li>
</ul>
<h2>Conclusion</h2>
<p>I hope that you found this approach to 70-640 exam preparation beneficial. Please feel free to leave your questions, comments, and exam experiences (no braindumps, please) in the comments portion of this post.</p>
<p>In the next post I will provide a sample practice question for the “Configure trusts” topic.</p>
Author: Timothy Warner
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-active-directory-trusts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; DNS Server settings &#8211; Sample question</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings-sample-question/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings-sample-question/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 17:20:17 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[dns]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7926</guid>
		<description><![CDATA[Yesterday, I covered the subobjective <a href="https://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings/">DNS Server settings of the Microsoft Exam 70-640</a>. Today, I will discuss the corresponding sample practice question.]]></description>
			<content:encoded><![CDATA[<p><strong><i>Yesterday, I covered the subobjective <a href="https://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings/">DNS Server settings of the Microsoft Exam 70-640</a>. Today, I will discuss the corresponding sample practice question.</i></strong></p>
<h2>The sample question</h2>
<p>You are the administrator of an Active Directory domain named 4sysopslab.com. Your organization has established a strategic partnership with another company; this company consists of an Active Directory domain named fakedomain.local. Each organization’s IT security policy mandates that a minimum amount of information be exchanged between the two corporate networks.</p>
<p>You receive complaints from 4sysopslab.com users who are unable to resolve host names from the fakedomain.local domain.</p>
<p>Which of the following actions should you perform in order to enable 4sysopslab.com users to connect to fakedomain.local resources by using host names?</p>
<p>A. Ask the fakedomain.local administrator to create a stub zone for the 4sysopslab.com domain.</p>
<p>B. Create a stub zone for the fakedomain.local domain.</p>
<p>C. Create a secondary zone for fakedomain.local within the 4sysopslab.com domain.</p>
<p>D. Configure conditional forwarding for the 4sysopslab.com domain.</p>
<h2>The Correct Answer, Explanation, and Analysis</h2>
<p>The correct answer here is D; we must configure conditional forwarding to the fakedomain.local domain from the 4sysopslab.com domain. In this case we have two requirements:</p>
<ol>
<li>We must strictly limit the amount of data transfer between organizations for security purposes.</li>
<li>We need to enable 4sysopslab.com users to resolve fakedomain.local resources by using DNS host names.</li>
</ol>
<p>Therefore, we must configure our top-level internal DNS server to conditionally forward host name resolution requests for the fakedomain.local domain.</p>
<p>One strong hint that we are dealing with the resolution of non-public DNS names is the reference to a <strong>.local</strong> domain name.</p>
<p>We also need to cleave to the test-taker’s truism of never “reading into” IT certification items. In other words, we must read each word in the item stem and assume nothing else about the environment.</p>
<p>Recall that in the item stem it is stated that OUR users complain of not being able to resolve fakedomain.local names. We neither know nor care (for the purposes of this practice exam item) how well or poorly fakedomain.local users can resolve 4sysopslab.com host names.</p>
<p>The answer choices in this item use a potentially confusing format. In other words, you must be able to cleanly delineate the two DNS domains involved. This also means you must perform extra-careful analysis on each choice to make sure you understand exactly what is being offered as a solution.</p>
<p>This item also requires some detailed content knowledge of Windows Server 2008 DNS. If, for instance, you are fuzzy about what a stub zone is, then you immediately lose 50 percent of your available answer choices. (Take-home message: Know all about DNS stub zones before you sit for this test.)</p>
<p>You also have to compare each answer choice to the requirements set forth in the item stem. At first blush, the notion of installing a secondary DNS zone for fakedomain.local within the 4sysopslab.com infrastructure looks pretty good. However, this choice can be dismissed immediately when we remember that data sharing must be minimized between the two Active Directory forests.</p>
<h2>Conclusion</h2>
<p>I often tell my students that passing a Microsoft certification exam involves possessing a healthy mix of the following three skills:</p>
<ul>
<li>Subject matter proficiency</li>
<li>Test-taking proficiency</li>
<li>Familiarity with Microsoft marketing literature</li>
</ul>
<p>The third bullet point is intended only partially tongue-in-cheek. As I mentioned in my previous post in this series, I have observed certification candidates fail their Microsoft exam because they applied too much of their real-world experience and not enough of the Microsoft-published approaches to their technology.</p>
<p>This isn’t necessarily good or bad—it just <strong>IS</strong>. Best of luck to you in your certification studies.</p>
<h2>Relevant resources</h2>
<ul>
<li><a href="http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx">How to Configure Conditional Forwarders in Windows Server 2008</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc754941.aspx">Configure a DNS Server to Use Forwarders</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc816809(v=ws.10).aspx">Creating and Managing a Stub Zone</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc753143(v=ws.10).aspx">What’s New in DNS in Windows Server 2008</a></li>
<li><a href="http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cd27e9a2-3fb9-4a5d-86a7-129392d50bb3/">Internal vs. External Namespace</a></li>
<li><a href="http://www.petri.co.il/active-directory-windows-server-2008-requirements.htm">Active Directory on Windows Server 2008 Requirements</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings-sample-question/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft exam 70-640 &#8211; DNS server settings</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 18:30:14 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[dns]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7909</guid>
		<description><![CDATA[In this post we continue our trolley ride through the wild and wonderful world of the Microsoft 70-640 Active Directory Configuration certification exam. Today’s subject is Windows Server 2008 DNS server administration.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this post we continue our trolley ride through the wild and wonderful world of the Microsoft 70-640 Active Directory Configuration certification exam. Today’s subject is Windows Server 2008 DNS server administration.</i></strong></p>
<p>The screenshot below shows the relevant section from the 70-640 <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640#tab2">exam blueprint</a> on configuring DNS server settings.</p>
<p>What we will do here is cover each of the aforementioned bullet points by providing (a) very brief definitions of each technology; and (b) links to relevant Microsoft resources to foster your certification study.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Domain-1-Subobjective-2-Configure-DNS-server-settin.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Domain-1-Subobjective-2-Configure-DNS-server-settin.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Exam 70-640 Domain 1, Subobjective 2 Configure DNS server settin" src="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Domain-1-Subobjective-2-Configure-DNS-server-settin_thumb.png" alt="Exam 70-640 Domain 1, Subobjective 2 Configure DNS server settin" width="600" height="204" /></a></p>
<p align="center"><em>Exam 70-640 Domain 1, Subobjective 2: Configure DNS server settings</em></p>
<h2>Forwarding</h2>
<p>We configure Windows Server 2008 DNS servers as forwarders in order to facilitate the resolution of host names that exist outside of our Active Directory forest. These could be Internet host names or hostnames from other corporate external networks. Conditional forwarding allows administrators to granularly control forwarding to specifically listed DNS domains.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc782142%28WS.10%29.aspx">Understanding Forwarders</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc757172%28WS.10%29.aspx">Using Forwarders</a></li>
</ul>
<h2>Root hints</h2>
<p>The root hints file is a sort of HOSTS file (statically maintained) that a DNS server uses for external host name lookups. A Windows administrator can disable root hints, update it periodically with the names and IP addresses of the Internet root servers, or populate a custom list of root hints entries.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc958982.aspx">Root Hints Files</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc758353%28WS.10%29.aspx">Updating Root Hints</a></li>
</ul>
<h2>Zone delegation</h2>
<p>Zone delegation means transferring the authority of part of your DNS namespace to another group or individual. For instance, we might decide to create a DNS delegated subdomain called lab.4sysops.com and give over authority of that domain to our developers. We ourselves would maintain control of the root domain, 4sysops.com.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771640.aspx">Understanding Zone Delegation</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc784494%28WS.10%29.aspx">Delegating Zones</a></li>
</ul>
<h2>Round robin</h2>
<p>Round robin is an easy method for establishing load balancing among two or more replica DNS servers. The purpose of round robin is to increase host name resolution efficiency and to conserve network load on your DNS servers.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://support.microsoft.com/kb/842197">Description of the Netmask Ordering and Round Robin Features</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc787484%28WS.10%29.aspx">Configuring Round Robin</a></li>
</ul>
<h2>Disabling recursion</h2>
<p>By default, Windows Server 2008 DNS servers use recursion to satisfy name resolution requests on behalf of client devices. The recursion process uses a “walking the DNS tree” metaphor and involves the possibility of querying multiple internal and external DNS servers. To heighten network security, DNS servers that do not need to receive recursive queries should have recursion disabled.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771738.aspx">Disable Recursion on the DNS Server</a></li>
<li><a href="http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/24ea1094-0ae4-47b5-9b74-2f77884cce15">DNS Recursion</a></li>
</ul>
<h2>Debug logging</h2>
<p>Windows Server 2008 DNS administrators can enable debug logging in the DNS server as a troubleshooting method. Because the debug logging process, which captures detailed information on DNS query and name resolution traffic, involves significant CPU, memory, and disk space overhead, we should enable debug logging only for the duration in which it is required.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc776361%28WS.10%29.aspx">Using Server Debug Logging Options</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc776445%28WS.10%29.aspx">View a DNS Server Debug Log File</a></li>
</ul>
<h2>Server scavenging</h2>
<p>As we already know, we establish zone-wide defaults for resource record aging in the start of authority (SOA) resource record properties. Windows Server 2008 DNS Server has the capability of scouring (or scavenging) its DNS zones and purging outdated records. This scavenging process works both for standard primary zones as well as for Active Directory-integrated zones.</p>
<p><em><strong>Relevant links:</strong></em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc757041%28WS.10%29.aspx">Using DNS Aging and Scavenging</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc755716%28WS.10%29.aspx">Enable Aging and Scavenging for DNS</a></li>
</ul>
<h2>Conclusion</h2>
<p>A note for your consideration: I hand-picked every Microsoft URL in these articles. As you doubtless noticed, some of the articles are formally geared toward a previous version of Windows Server. Don’t be put off by that! I’ve found that in some cases the quality and accuracy of older Microsoft whitepapers and support articles are superior to their ultra-current counterparts. If you do notice a discrepancy, please make a note of it in the comments portion of this post, and I will post a correction immediately.</p>
<p>In the next post I will discuss a sample practice question for the DNS Server settings subobjective.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-server-settings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; DNS zone transfers and replication &#8211; Sample question</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication-sample-question/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication-sample-question/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 19:05:54 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[dns]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7878</guid>
		<description><![CDATA[Yesterday, I gave a brief overview of the Microsoft exam 70-640 subobjective &#34;<a href="http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication/">Configuring DNS zone transfer and replication</a>.&#34; In today's post I will discuss a sample practice question.]]></description>
			<content:encoded><![CDATA[<p><strong><i>Yesterday, I gave a brief overview of the Microsoft exam 70-640 subobjective &quot;<a href="http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication/">Configuring DNS zone transfer and replication</a>.&quot; In today&#8217;s post I will discuss a sample practice question.</i></strong></p>
<p>In this blog post we continue our study overview of the <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640">Microsoft 70-640 Active Directory Configuration certification exam.</a> More to the point, we have been approaching each exam objective one at a time; today’s subject is Windows Server 2008 DNS zone transfers and replication.</p>
<h2>The sample question</h2>
<p>You are the administrator of an Active Directory domain named 4sysopslab.com. All servers in the organization run Windows Server 2008 R2, and all client computers run Windows 7.</p>
<p>The 4sysopslab.com domain includes 14 domain controllers, all of which also have the DNS Server role installed. To lighten administrative burden, you decide to create a delegated subdomain named exec.4sysopslab.com and pass the zone management to a subset of the administrative staff. However, you need to ensure that only 3 domain controllers receive the DNS zone data during replication/zone transfer.</p>
<p>Which of the following actions should you perform in order to accomplish your goals?</p>
<p>A. Create the new delegation in a new application directory partition.</p>
<p>B. Create the new delegation in the DomainDnsZones application directory partition.</p>
<p>C. Create the new delegation in the ForestDnsZones application directory partition.</p>
<p>D. Create the new delegation in the SYSVOL share.</p>
<h2>The correct answer, explanation, and analysis</h2>
<p>The correct answer here is A. Application directory partitions are used to control the scope of replication for Active Directory, DNS zones, or custom application information.</p>
<p>We use the dnscmd command-line tool to create, manage, and delete application directory partitions. For instance, we can open an elevated command prompt and run the following command to create a custom application directory partition called EXECZONE on a Windows Server 2008 domain controller named server01:</p>
<pre>C:\&gt;dnscmd server01 /CreateDirectoryPartition execzone.4sysopslab.com</pre>
<p>We can then enlist our target DNS servers in the newly created application directory partition:</p>
<pre>C:\&gt;dnscmd server02 /EnlistDirectoryPartition execzone.4sysopslab.com</pre>
<p>Finally, we can change the replication scope for the new zone on all affected DNS servers:</p>
<pre>C:\&gt;dnscmd server02 /ZoneChangeDirectoryPartition exec.4sysopslab.com execzone.4sysopslab.com</pre>
<p>Okay—now that we know why the correct answer is what it is, how could we have applied logic and test-taker’s strategy to answering this question correctly?</p>
<p>Well, the first thing you should notice is that in this question all four answer choices have the same stem: “Create the new delegation.” So far, so good. We now can put that aside and focus on the second half of each choice.</p>
<p>This item requires that you understand the difference between application directory partitions and the SYSVOL share. Some test candidates, lacking sufficient background knowledge, might jump on choice D, thinking, “Well, SYSVOL is the seat of Active Directory replication. Thus, this must be where we can customize replication scope for DNS zones.”</p>
<p>Not so fast. We aren’t discussing Active Directory replication as such. Instead, we are concerned with replicating DNS zone data to specified servers. I hope that logic would tell you that using the DomainDnsZones or ForestDnsZones partitions can be ruled out immediately because the scope on those partitions does not fit into the requirements of the scenario.</p>
<p>Because we have effectively ruled out choices B, C, and D, this leaves us with A as the only viable choice for this item.</p>
<h2>Conclusion</h2>
<p>Alrighty then! If you have studied all of our domain 1 blog posts, then you should feel pretty confident with DNS implementation in Windows Server 2008. As you know, most aspects of Active Directory design and function are rooted (pun intended) in DNS; you must be highly proficient with DNS theory and practice to be successful on the Microsoft IT pro certification exams.</p>
<p>In the next several posts we turn our attention to domain 2 in the 70-640 blueprint. Domain 2 involves configuring the Active Directory infrastructure; here is a sneak peek at the section content:</p>
<ul>
<li>Configuring AD DS forests and domains</li>
<li>Configuring trust relationships</li>
<li>Configuring sites</li>
<li>Configuring AD replication</li>
<li>Configuring the global catalog</li>
<li>Configuring operations masters</li>
</ul>
<h2>Relevant links</h2>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc778236(v=WS.10).aspx">Use DNS Application Directory Partitions</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc754292.aspx">Create a DNS Application Directory Partition</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc753801.aspx">Enlist a DNS Server in a DNS Application Directory Partition</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc730964(v=WS.10).aspx">Move DNS Data into DNS Application Directory Partitions</a></li>
</ul>
<p>In the next pair of posts in this series we will cover the first section of domain 2 in the 70-640 blueprint: configuring Active Directory Domain Services (AD DS) forests and domains.</p>
Author: Timothy Warner

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication-sample-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; DNS zone transfers and replication</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 19:00:11 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[dns]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7876</guid>
		<description><![CDATA[In this blog post we continue our study overview of the Microsoft 70-640 Active Directory Configuration certification exam. Today’s subject is Windows Server 2008 DNS zone transfers and replication.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this blog post we continue our study overview of the Microsoft 70-640 Active Directory Configuration certification exam. Today’s subject is Windows Server 2008 DNS zone transfers and replication.</i></strong></p>
<p>The screenshot below shows the relevant section from the 70-640 <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640#tab2">exam blueprint</a> on configuring DNS zone transfers and delegation.</p>
<p>What we will do here is cover each of the aforementioned bullet points by providing (a) very brief definitions of each technology; and (b) links to relevant Microsoft resources to foster your certification study.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-zone-transfers-and-replication.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-zone-transfers-and-replication.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Microsoft Exam 70-640 - Configuring DNS zone transfers and replication" src="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-zone-transfers-and-replication_thumb.png" alt="Microsoft Exam 70-640 - Configuring DNS zone transfers and replication" width="600" height="205" /></a></p>
<p align="center"><em>Microsoft Exam 70-640 &#8211; Configuring DNS zone transfers and replication</em></p>
<h2>DNS replication scope</h2>
<p>One of many benefits of storing DNS zone data in Active Directory is that we can leverage application directory partitions to control the scope of Active Directory and DNS zone replication. For instance, we may not want every domain controller in a domain to host a copy of our zone data. The zone replication scope options in Windows Server 2008 are (1) All DNS servers in the forest; (2) All DNS servers in the domain; (3) All domain controllers in the domain; and (4) All domain controllers in a specified application directory partition.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/DNS-Zone-Replication-Scope.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/DNS-Zone-Replication-Scope.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="DNS Zone Replication Scope" src="http://4sysops.com/wp-content/uploads/2012/01/DNS-Zone-Replication-Scope_thumb.png" alt="DNS Zone Replication Scope" width="453" height="481" /></a></p>
<p align="center"><em>DNS Zone Replication Scope</em></p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc779655%28WS.10%29.aspx">DNS Zone Replication in Active Directory</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc754916.aspx">Change the Zone Replication Scope</a></li>
</ul>
<h2>Incremental zone transfer</h2>
<p>With standard DNS, incremental zone transfers save network bandwidth and reduce load on your DNS servers. Incremental zone transfer involves a secondary DNS server sending incremental zone transfer (IXFR) queries to its configured primary server instead of full zone transfer (AXFR) queries. Thus, only delta (or changed) resource record data is replicated from the primary to the secondary DNS server.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc781340%28WS.10%29.aspx">Understanding Zones and Zone Transfer</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc958973.aspx">Incremental Transfer</a></li>
</ul>
<h2>DNS Notify</h2>
<p>DNS Notify, formally defined in Request for Comments (RFC) 1996, is a technology whereby primary DNS servers can proactively, well, notify any configured secondary DNS servers of zone changes. The secondary DNS server then “gets the message,” so to speak, and initiates a full or incremental zone transfer from its configured primary.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc958986.aspx">DNS Notify</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc759426%28WS.10%29.aspx">Create and Manage a Notify List for a Zone</a></li>
</ul>
<h2>Secure zone transfer</h2>
<p>Because an attacker can fingerprint your entire network by capturing DNS zone data, Windows Server 2008 DNS enables administrators to apply confidentiality and integrity to DNS zone transfer data streams by using the industry standard IPsec protocols. Note that this option pertains to standard DNS zone transfers and not AD-integrated zone transfers.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/ee649192%28WS.10%29.aspx">Secure Zone Transfers with IPsec</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc781101%28WS.10%29.aspx">Securing DNS Zone Replication</a></li>
</ul>
<h2>Configuring name servers</h2>
<p>The actual installation of the DNS Server server role is pretty easy: we can use the Server Manager graphical utility or Windows PowerShell 2.0. Managing a DNS server can be performed with the DNS Server console, with PowerShell, or with a variety of DNS-related command-line tools.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc755183.aspx">Installing and Configuring Servers</a></li>
<li><a href="http://technet.microsoft.com/en-us/windowsserver/dd448607">DNS Server</a></li>
</ul>
<h2>Application directory partitions</h2>
<p>As previously mentioned, application directory partitions are “compartments” within Active Directory that enterprise applications and services can use for data replication among selected or all domain controllers. For instance, we can store DNS zone data in an application directory partition to tightly control which forest DNS servers receive that zone information.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc784421%28WS.10%29.aspx">Application Directory Partitions</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc779691%28WS.10%29.aspx">Create or Delete an Application Directory Partition</a></li>
</ul>
<h2>Conclusion</h2>
<p>If you studied all of the material in 70-640 domain 1, then you should be pretty cognitively “tight” regarding DNS in Windows Server 2008. Microsoft has, for good reason I think, placed a lot of emphasis on DNS in all of their IT pro certification exams.</p>
Author: Timothy Warner

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zone-transfers-and-replication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Introduction to the Microsoft Deployment Toolkit (MDT)</title>
		<link>http://4sysops.com/archives/introduction-to-the-microsoft-deployment-toolkit-mdt/</link>
		<comments>http://4sysops.com/archives/introduction-to-the-microsoft-deployment-toolkit-mdt/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 18:50:26 +0000</pubDate>
		<dc:creator>Mike Taylor</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[deployment]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7845</guid>
		<description><![CDATA[This series in three parts gives an overview of the Microsoft Deployment Toolkit (MDT) to get started quickly with this free OS deployment toolset.]]></description>
			<content:encoded><![CDATA[<p><strong><i>This series in three parts gives an overview of the Microsoft Deployment Toolkit (MDT) to get started quickly with this free OS deployment toolset.</i></strong></p>
<h2>MDT and WAIK</h2>
<p>Microsoft Deployment Toolkit (MDT) is Microsoft’s core tool to automate installing a Windows OS for desktops, servers, and portable or even virtual machines. Ironically, the first thing to know about MDT is that it is an iceberg product; underneath the water is 1GB of code from Microsoft called the Windows Automated Installation Kit (WAIK, pronounced “wake”). The WAIK does the bulk of the heavy lifting. MDT itself is a lightweight (25MB) standalone Microsoft Management Console (MMC)-based tool with a comprehensive deployment guide in help-file format.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/MDT-and-WAIK-programs.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/MDT-and-WAIK-programs.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="MDT and WAIK programs" src="http://4sysops.com/wp-content/uploads/2012/01/MDT-and-WAIK-programs_thumb.png" alt="MDT and WAIK programs" width="404" height="422" border="0" /></a></p>
<p align="center"><em>MDT and WAIK tools</em></p>
<p>At its simplest, MDT takes source OS setup files and automates the wizard. Advanced use lets you integrate language packs, inject drivers for specific hardware, and add role-based software installs. You can even add WMI rule filtering. Together, MDT and the WAIK allow you to package everything into a single file you can boot and use to build a machine.</p>
<p>The current version of MDT is now <span style="text-decoration: underline;"><a href="http://www.microsoft.com/download/en/details.aspx?id=25175">2010 Update 1</a></span>. Both <span style="text-decoration: underline;"><a href="http://download.microsoft.com/download/b/3/a/b3a89fae-f7bf-4e7c-b208-223b991e9c30/MicrosoftDeploymentToolkit2010_x86.msi">32-bit</a></span> and <span style="text-decoration: underline;"><a href="http://download.microsoft.com/download/b/3/a/b3a89fae-f7bf-4e7c-b208-223b991e9c30/MicrosoftDeploymentToolkit2010_x64.msi">64-bit versions</a></span> are available. The <a href="http://blogs.technet.com/b/msdeployment/archive/2011/11/10/microsoft-deployment-toolkit-2012-beta-2-now-available.aspx">2012 version is in beta</a> to support SCCM 2012.</p>
<p>Owing to its reliance on the WAIK, MDT includes a feature to download the mandatory prerequisites, WAIK and MSXML 6. Note there are two versions of the WAIK. Version 3.0 (<span style="text-decoration: underline;"><a href="http://www.microsoft.com/download/en/details.aspx?id=5753">KB3AIK_EN.ISO</a></span>) is for Windows 7 and 2008 R2. The older version, 1.0, supports Vista and is an img file. To support Windows 7 SP1 deployments, you also need the WAIK supplement version 3.0 (<span style="text-decoration: underline;"><a href="http://www.microsoft.com/download/en/details.aspx?id=5188">waik_supplement_en-us.iso</a></span>) that adds WinPE 3.1 but has <a href="http://blogs.technet.com/b/mniehaus/archive/2011/03/12/issue-with-mdt-2010-update-1-and-windows-aik-for-windows-7-sp1-supplement.aspx">no WinRE component</a>.</p>
<h2>Windows Imaging Format or WIM</h2>
<p>The IT industry had long been using disk-based imaging tools. However, with updated hotfixes, security patches, drivers, and new versions of applications you had to update the image continually. This meant you had to start from scratch to clone the updated build. The other main downside of most of these imaging formats was that you needed one image per model, owing to the driver and hardware differences.</p>
<p>Microsoft’s imaging format (<strong>W</strong>indows <strong>Im</strong>aging Format, or WIM – avoiding the humor of calling it WIF) is a compressed file that offers single-instance storage and has an XML template description. You can merge WIMs, mount them as a virtual file-system, and edit files as normal and then save changes. If you are building Windows 7, you can even update the WIM offline, injecting drivers or patches directly into the WIM. This makes updating and customizing the build much easier, given the right tools.</p>
<p>In the next post, I will discuss the <a href="http://4sysops.com/archives/how-to-install-the-mdt-microsoft-deployment-toolkit/">MDT requirements and the MDT add-ons</a>.</p>
Author: Mike Taylor

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/introduction-to-the-microsoft-deployment-toolkit-mdt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; Active Directory Forests and Domains &#8211; Sample question</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains-sample-practice-question/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains-sample-practice-question/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 20:00:56 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7842</guid>
		<description><![CDATA[In the last post I summarized the content underlying domain 2, section 1 (“<a href="http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains/">Configure a forest or a domain</a>”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In the last post I summarized the content underlying domain 2, section 1 (“<a href="http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains/">Configure a forest or a domain</a>”) in the Microsoft 70-640 Active Directory Configuration certification exam blueprint. Today I will provide a sample practice question and a detailed explanation and analysis.</i></strong></p>
<p>You are the administrator of a multi-domain Active Directory forest in which all domain controllers run Windows Server 2003. You want to introduce a new Windows Server 2008 R2 computer as a domain controller into one domain in the environment.</p>
<h2>Sample practice question</h2>
<p>Which of the following actions should you undertake in order to accomplish your goal?</p>
<p>a. Install the R2 update on all existing Windows Server 2003 domain controllers.</p>
<p>b. Run <strong>dcpromo /forestprep</strong> on an existing domain controller.</p>
<p>c. Run <strong>adprep /domainprep</strong> on an existing domain controller.</p>
<p>d. Run <strong>admt computer /n</strong> on the Windows Server 2008 R2 computer.</p>
<h2>The correct answer, explanation, and analysis</h2>
<p>The correct answer is C. We need to run <strong>adprep /domainprep </strong>from an elevated command prompt on one of our Windows Server 2003 domain controllers in order to prepare the forest for the introduction of a new Windows Server 2008 R2 domain controller.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Running-adprep-from-the-supportadprep-subdirectory-on-the-Windows-Server.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Running-adprep-from-the-supportadprep-subdirectory-on-the-Windows-Server.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Microsoft Exam 70-640 - Running adprep from the supportadprep subdirectory on the Windows Server 2008 DVD" src="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Running-adprep-from-the-supportadprep-subdirectory-on-the-Windows-Server1.png" alt="Microsoft Exam 70-640 - Running adprep from the supportadprep subdirectory on the Windows Server 2008 DVD" width="600" height="267" /></a></p>
<p align="center"><em>Running adprep from the support\adprep subdirectory on the Windows Server 2008 DVD</em></p>
<p>The first thing that we need to do in attacking this item is to figure out what’s going on. From the first sentence, we observe that the source domain is working from a “downlevel” perspective with Windows Server 2003. Because Microsoft always stresses their “latest and greatest” technology on their exams, we should already be thinking in terms of <strong>adprep</strong> and the interoperation among different versions of Active Directory.</p>
<p>Second, we are told outright that we need to add a computer running the most recent version of Windows to our environment. Note that we are NOT being asked to install Active Directory; this allows us to throw away choice B from consideration.</p>
<p>Another easy way to dismiss choice B is to see that we are applying an incorrect parameter to <strong>dcpromo;</strong> we use the <strong>/forestprep </strong>and <strong>/domainprep</strong> switches with the <strong>adprep.exe</strong> command-line tool.</p>
<p>Finally, we have in choice A what is known as a <em>red herring</em>. A red herring in this context is an answer choice that looks plausible to the untrained eye, but is easily dismissed by somebody with some preexisting technical know-how.</p>
<p>Although the presence or absence of a Release 2 (R2) update to Windows Server definitely does make a difference in terms of domain functional level and the availability of other features, in this case our current environment is running Windows Server 2003—that is all we need to know.</p>
<p>This underscores a test-taking skill that I know that I have harped on in earlier installments of this series but truly does bear repeating again and again. We must be certain never to “read into” Microsoft exam items. If an item stem states that the current environment is populated with Windows Server 2003 computers, then that’s all we are intended to know about it. Service pack levels and associated detritus are completely irrelevant unless they are mentioned explicitly in the question.</p>
<h2>Conclusion</h2>
<p>I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how to use Adprep and Dcpromo, see the companion piece that I wrote for 4sysops.com. You are also free to leave your questions, comments, and concerns in the comments portion of this post. Happy studying!</p>
Author: Timothy Warner

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains-sample-practice-question/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; Active Directory Forests and Domains</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 18:15:54 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7834</guid>
		<description><![CDATA[In this article we will review the subject area “Configure a forest or a domain” from the Microsoft 70-640 certification exam objective.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article we will review the subject area “Configure a forest or a domain” from the Microsoft 70-640 certification exam objective.</i></strong></p>
<p>In this <a href="http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/">series</a>, we will move through the content blueprint of the <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640">Microsoft Windows Active Directory Configuration (70-640)</a> exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forets.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forets.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Exam 70-640- Active Directory Forets" src="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forets_thumb.png" alt="Exam 70-640- Active Directory Forets" width="600" height="369" /></a></p>
<p align="center"><em>Microsoft Exam 70-640 – Configure a forest or a domain / Domain 2, Subobjective 1</em></p>
<p>For each exam domain, I will give you two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam blueprint. The second blog post presents a representative practice exam question that covers one topic from that content domain.</p>
<p>The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) forests and domains.</p>
<p>Whereas the first objective domain was centered squarely on DNS, the second domain requires us to understand the planning, deployment, maintenance and troubleshooting of Active Directory Domain Services in Windows Server 2008.</p>
<p>Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies referenced in this subobjective:</p>
<ul>
<li>Removing a domain</li>
<li>Performing an unattended installation of AD DS</li>
<li>Active Directory Migration Tool (ADMT)</li>
<li>Changing domain and forest functional levels</li>
<li>Interoperability with previous versions of Active Directory</li>
<li>Multiple UPN suffixes</li>
<li>Forestprep, domainprep</li>
</ul>
<h2>Removing a domain</h2>
<p>Removing a domain involves (a) uninstalling AD DS from every domain controller in a given domain, thereby demoting the machines to member servers; (b) “unjoining” each demoted member server from the domain, which renders the boxes as stand-alone servers; and (c) removing the final domain controller in the domain and thereby eradicating the domain itself.</p>
<p>As you know, we use the <strong>Active Directory Domain Services Installation Wizard</strong> (dcpromo.exe) both to install and to uninstall Active Directory.</p>
<p><em><strong>TIP</strong>: Before you take any of the Windows Server 2008 exams, make sure you are familiar with the most common Active Directory-related PowerShell cmdlets and their syntax.</em></p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771844%28WS.10%29.aspx">Removing a Domain Controller from a Domain</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc786082%28WS.10%29.aspx">Remove a Domain</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx">Active Directory Administration with Windows PowerShell</a></li>
</ul>
<h2>Performing an unattended AD DS installation</h2>
<p>In Microsoft parlance, an unattended installation of AD DS involves crafting a plain text answer file and then feeding that answer file into the <strong>Dcpromo</strong> utility as an argument. We can use answer files to automate both the installation and the removal of Active Directory.</p>
<p>The following screenshot, taken from the Microsoft TechNet site, shows the basic format of a <strong>Dcpromo</strong> answer file:</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Exam 70-640 - Active Directory Forests" src="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests_thumb.png" alt="Exam 70-640 - Active Directory Forests" width="603" height="347" /></a></p>
<p align="center"><em>Dcpromo answer file format</em></p>
<p>To run an unattended installation in this context, open an elevated command prompt and use the basic statement <strong>dcpromo /unattend:&lt;<em>path to the answer file</em>&gt;</strong>.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://support.microsoft.com/kb/947034">How to use unattended mode to install and remove Active Directory Domain Services on Windows Server 2008-based domain controllers</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc732887%28WS.10%29.aspx">Dcpromo</a></li>
</ul>
<h2>Active Directory Migration Tool (ADMT)</h2>
<p>As a single-domain forest grows into a multi-forest, multi-domain enterprise, the need arises for a method to assist in restructuring domain assets. For instance, we may want to migrate user and group accounts from one domain to another within a forest. By contrast, we may want to move an entire domain from one forest to another.</p>
<p>Microsoft thankfully gives us the Active Directory Migration Tool (ADMT) to help us in our forest and domain restructuring needs. Be advised that despite the installer’s small 4MB footprint, you must have a SQL Server database instance installed and online so ADMT has a place to store its data and metadata.</p>
<p>Once installed, you can work with ADMT either with its graphical interface, or by using the <strong>Admt</strong> command-line utility.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Active-Directory-Migration-Tool-ADMT.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Active-Directory-Migration-Tool-ADMT.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Exam 70-640 - Active Directory Forests - Active Directory Migration Tool (ADMT)" src="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Active-Directory-Migration-Tool-ADMT_thumb.png" alt="Exam 70-640 - Active Directory Forests - Active Directory Migration Tool (ADMT)" width="336" height="402" /></a></p>
<p align="center"><em>Active Directory Migration Tool (ADMT)</em></p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc974332%28WS.10%29.aspx">ADMT Guide: Migrating and Restructuring Active Directory Domains</a></li>
<li><a href="http://www.microsoft.com/download/en/details.aspx?id=8377">Download ADMT 3.2</a></li>
</ul>
<h2>Changing domain and forest functional levels; Interoperability with previous versions of Active Directory</h2>
<p>I decided to put both of these subobjectives together because they deal with the same concept; namely the functional level.</p>
<p>In Windows Server, a functional level essentially defines a domain controller compatibility level within a forest or domain. The notion of functional levels is particularly important when our domain includes domain controllers that are running different versions or editions of Windows Server.</p>
<p>Back in “the day,” when Microsoft first gave us Active Directory in Windows 2000 Server, the term “mixed mode” was used to denote a mix of Active Directory and non-Active Directory (read: Windows NT Server 4.0) domain controllers within one domain. The term “native mode” was used to denote a domain in which all domain controllers were “on board” with Active Directory.</p>
<p>The difficult method to raise functional levels is by accessing LDAP directly by using the <strong>Adsiedit.msc</strong> or <strong>Ldp.exe</strong> tools. The easier method is to use Active Directory Users and Computers (for domain functional level) or Active Directory Domains and Trusts (for forest functional level).</p>
<p>Recall that we also set a default domain functional level during the AD DS installation process.</p>
<p><em><strong>NOTE:</strong> Microsoft stresses that the raising of a domain or forest functional level is an irreversible process.</em></p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28WS.10%29.aspx">Understanding Active Directory Domain Services (AD DS) Functional Levels</a></li>
<li><a href="http://support.microsoft.com/kb/322692">How to Raise Active Directory Domain and Forest Functional Levels</a></li>
</ul>
<h2>Multiple UPN suffixes</h2>
<p>First of all, a User Principal Name (UPN) is an alternate way to represent a domain user account. UPNs are often confused with e-mail addresses because they have the same format: username@domain.name. In a multidomain environment, you want to ensure that you have UPN suffixes defined for all your domains to give users the ability to log on using those UPN names.</p>
<p>To add UPN suffixes to a forest, we can use the Active Directory Domains and Trusts MMC console.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://support.microsoft.com/kb/243629">HOW TO: Add UPN Suffixes to a Forest</a></li>
<li><a href="http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5f315a77-3d76-4d47-98dd-2998dc4e695e">UPN Suffix…What is This For?</a></li>
</ul>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Adding-UPN-Suffixes.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Adding-UPN-Suffixes.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Exam 70-640 - Active Directory Forests - Adding UPN Suffixes" src="http://4sysops.com/wp-content/uploads/2012/01/Exam-70-640-Active-Directory-Forests-Adding-UPN-Suffixes_thumb.png" alt="Exam 70-640 - Active Directory Forests - Adding UPN Suffixes" width="600" height="498" /></a></p>
<p align="center"><em>Adding UPN Suffixes</em></p>
<h2>ForestPrep, DomainPrep</h2>
<p>As it happens, <strong>forestprep</strong> and <strong>domainprep</strong> are not Windows Server 2008 command-line utilities, but are rather arguments (also called switches) that you pass into the <strong>adprep</strong> command-line tool. Confusing, huh?</p>
<p>We run <strong>adprep /forestprep</strong> from an elevated command prompt when we want to prepare a so-called “downlevel” Active Directory forest (namely, a forest whose domains run Windows Server 2003 or Windows 2000 Server) for the addition of one or more Windows Server 2008-based domain controllers.</p>
<p>We run <strong>adprep /domainprep</strong> within each domain to prepare a downlevel domain for the inclusion of one or more Windows Server 2008 domain controllers.</p>
<p>The <strong>adprep</strong> utility is a sort of “Swiss Army knife” inasmuch as you can perform many Active Directory-related tasks with it, such as preparing a domain for Read-Only Domain Controllers (RODC), etc.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx">Adprep</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/dd464018%28WS.10%29.aspx">Running Adprep.exe</a></li>
</ul>
<h2>Conclusion</h2>
<p>I hope that you found this approach to 70-640 exam preparation beneficial. Please feel free to leave your questions, comments, and exam experiences (no braindumps, please).</p>
<p>In the next post I will provide a sample practice question for the “Configure a forest or a domain” topic.</p>
Author: Timothy Warner

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-active-directory-forests-and-domains/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; DNS Zones &#8211; Sample practice question</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-sample-practice-question/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-sample-practice-question/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 19:35:31 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7795</guid>
		<description><![CDATA[In the last post I summarized the content underlying the first domain <a href="https://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/"> "Configuring DNS Zones" in the 70-640 certification exam</a>. Today I will provide a sample practice question.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In the last post I summarized the content underlying the first domain <a href="https://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/"> &#8220;Configuring DNS Zones&#8221; in the 70-640 certification exam</a>. Today I will provide a sample practice question.</i></strong></p>
<h2>Sample practice question</h2>
<p>You are the administrator for a Windows Server 2008 R2-based Active Directory domain named 4sysopslab.com. The client base of the organization consists of Windows 7, Windows XP, and Windows NT 4.0 computers. You also support an internal line-of-business (LOB) application that employs legacy technologies and has the hostname genappserv01.4sysopslab.com.</p>
<p>Your name resolution infrastructure includes a GlobalNames zone. After creating a CNAME alias record for the LOB server named lob01, you discover that users are unable to connect to the server by using the lob01 name. Connections using the genappserv01 name function correctly.</p>
<p>Which of the following actions should you take in order to resolve this problem?</p>
<p>a. Verify the properties of the GlobalNames zone in WINS Manager.</p>
<p>b. Use the ping command to attempt a connection to genappserv01.</p>
<p>c. Verify the zone data in DNS Manager.</p>
<p>d. Use the tracert command to attempt a connection to lob01.</p>
<h2>The correct answer, explanation, and analysis</h2>
<p>The correct answer in this case is C. In order to troubleshoot this name resolution issue, we should open the DNS Manager MMC console (or the <strong>dnscmd</strong> command-line utility) and investigate the contents of the GlobalNames zone. Perhaps there was a typo in the CNAME record?</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/GlobalNames-zone.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/GlobalNames-zone.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="GlobalNames zone" src="http://4sysops.com/wp-content/uploads/2012/01/GlobalNames-zone_thumb.png" alt="GlobalNames zone" width="600" height="284" /></a></p>
<p align="center"><em>DNS Manager &#8211; GlobalNames zone</em></p>
<p>The last sentence of the previous paragraph actually brings up an important test-taker’s tip: <em>Never “read into” a Microsoft exam item</em>. In other words, stick with the words in the item stem and answer choices themselves and go no further. Believe it or not, you can at times hobble yourself by thinking too much from your own practical experience instead of applying “Microsoft thinking” to the problem.</p>
<p>The incorrect answer choices in IT certification exam items are known as distracters. Choice a is incorrect because this item has nothing to do with WINS, and the GlobalNames zone is a Windows Server 2008 DNS feature.</p>
<p>Choices b and d are both incorrect because the item stem already states that we are unable to connect to the LOB server using the single label name lob01, and are able to connect by using the DNS host name genappserv01.</p>
<p>Now that we have explained the correct and incorrect answer choices, let’s perform a little deeper analysis on the item itself.</p>
<p>The first few sentences of a Microsoft exam item set the stage for the problem and actual question. Back in the Windows Server 2003 days, item writers added a lot of extraneous information to the prologue part of the item stem in order to confuse test takers. However, things are different with the Windows Server 2008 exams inasmuch as the item stems are more terse and to-the-point.</p>
<p>Some clues in the item stem that we have a need for single label name resolution are the references to older versions of Windows and the presence of a “legacy” line of business application. Because WINS is not mentioned in the item scenario, we have to assume that WINS is not in use in the network.</p>
<p>The problem section of the item is careful not to mention specific name resolution types. Instead, you are to infer that in the case of lob01 we are using a GlobalNames short name, and in the case of the genappserv01 name we are using traditional DNS host names.</p>
<p>Finally, we need to have enough content familiarity with GlobalNames DNS zones to understand which tools are necessary in order to troubleshoot the problem.</p>
<p>As you can see, I created this practice question with the requirement that the test taker not only have the prerequisite content knowledge, but also have some critical thinking skills to apply in answering the question correctly.</p>
<h2>Conclusion</h2>
<p>I hope that you found this practice question helpful in your study. If you are fuzzy on what the GlobalNames DNS zone is and how it works, then you should hit up the relevant hyperlinks I give below in order to clarify your understanding. Please be aware that Microsoft does in point of fact include every single item listed in their exam blueprint in the live exam.</p>
<h2>Recommended reading</h2>
<ul>
<li><a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640">Exam 70-640 Home Page</a></li>
<li><a href="http://www.petri.co.il/windows-DNS-globalnames-zone.htm">Understanding GlobalNames Zone in Windows Server 2008</a></li>
<li><a href="http://www.petri.co.il/using-globalnames-zone-window-server-2008.htm">Using GlobalNames Zone in Windows Server 2008</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc794751(v=ws.10).aspx">Add an Alias (CNAME) Resource Record in the Global Names Zone</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc731744.aspx">Deploying a GlobalNames Zone</a></li>
</ul>
Author: Timothy Warner

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-sample-practice-question/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>Microsoft Exam 70-640 &#8211; DNS Zones &#8211; Overview</title>
		<link>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/</link>
		<comments>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 10:16:30 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[windows server 2008]]></category>
		<category><![CDATA[windows server 2008 R2]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7792</guid>
		<description><![CDATA[In this article we will review subject matter "Configuring DNS Zones" of the Microsoft 70-640 certification exam objective.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article we will review subject matter &#8220;Configuring DNS Zones&#8221; of the Microsoft 70-640 certification exam objective.</i></strong></p>
<p>In this series, we will move through the content blueprint of the <a href="http://4sysops.com/archives/microsoft-certification-exam-70-640-overview/">Microsoft Windows Active Directory Configuration (70-640) exam</a> objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Domain-Subobjective-1.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Domain-Subobjective-1.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Microsoft Exam 70-640 - Configuring DNS Zones Domain - Subobjective 1" src="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Domain-Subobjective-1_thumb.png" alt="Microsoft Exam 70-640 - Configuring DNS Zones Domain - Subobjective 1" width="600" height="204" /></a></p>
<p align="center"><em>Microsoft Exam 70-640 &#8211; Configuring DNS Zones  / Domain 1, Subobjective 1</em></p>
<p>For each exam domain, I will give you two blog posts. One blog post represents a nutshell summary of the content underlying the first domain in the 70-640 certification exam blueprint: Domain Name System, or DNS. The second blog post presents a representative practice exam question that covers one topic from each content domain.</p>
<p>The screenshot above shows the relevant section from the 70-640 <a href="http://www.microsoft.com/learning/en/us/exam.aspx?id=70-640#tab2">exam blueprint</a> on configuring DNS zones.</p>
<p>What we will do here is cover each of the aforementioned bullet points by providing (a) very brief definitions of each technology; and (b) links to relevant Microsoft resources to foster your certification study.</p>
<p>The first domain in the 70-640 exam is all about Domain Name System, or DNS. Suffice it to say, you should have a pretty comprehensive understanding of how Windows Server 2008 DNS works (from the server and client sides) before you tackle the 70-640 test.</p>
<p>In your exam study, please be sure to focus on every single item listed in each bullet point. In other words, make sure you are comfortable with all of the following aspects of configuring DNS zones:</p>
<ul>
<li>Dynamic DNS (DDNS) and traditional DNS</li>
<li>Secure DNS</li>
<li>TTL configuration</li>
<li>GlobalNames, Primary, Secondary, stub, and AD-integrated zones</li>
<li>SOA record configuration</li>
<li>Forward and reverse lookups</li>
</ul>
<h2>Dynamic DNS (DDNS)</h2>
<p>DDNS is a feature of the Windows Server 2008 DNS Server that enables DNS clients to automatically register and unregister their host names and IP addresses. The convenience is that an administrator doesn’t have to manually tend to the DNS database, which was the case many years ago.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771255.aspx">Understanding Dynamic Update</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc784052%28WS.10%29.aspx">Dynamic Update</a></li>
</ul>
<h2>Non-Dynamic DNS (NDDNS)</h2>
<p>NDDNS is (potentially) useful in very small and/or high security networks in which the DNS administrator wants to be able to control DNS client registrations by hand.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc753014.aspx">Eliminate Manual Updates of DNS Records by Configuring Dynamic Update and Secure Dynamic Update</a></li>
<li><a href="http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/windows%20server%202008%20step-by-step%20guide%20for%20dns%20in%20small%20networks.doc">Step-by-Step Guide for DNS in Small Networks</a></li>
</ul>
<h2>Secure Dynamic DNS (SDDNS)</h2>
<p>SDDNS enables Windows Server 2008 DNS administrators to apply access control lists (ACLs) to their DNS zones, thereby preventing non-domain member computers and other unauthorized devices from registering with DNS. SDDNS should not be confused with DNSSEC, which is a completely different technology that was added in Windows Server 2008 R2. In a nutshell, DNSSEC is a collection of industry-standard protocols that add data integrity and enhanced authentication to DNS.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc961412.aspx">Secure Dynamic Update</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc959275.aspx">Dynamic Update and Secure Dynamic Update</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/ee649205%28WS.10%29.aspx">Introduction to DNSSEC</a></li>
</ul>
<h2>Time to Live (TTL)</h2>
<p>The TTL is a value that is attached to every resource record that specifies how long client devices should cache the data contained in the record. In other words, if my client computer receives a resolution response for yahoo.com from the Yahoo DNS server with a 1-hour TTL, then my computer will store that resolved IP address in memory for 1 hour before requesting refreshed data. We configure the DNS zone’s default TTL by modifying the properties of the Start of Authority (SOA) resource record.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc758321%28WS.10%29.aspx">Resource Records Reference</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc959309.aspx">Configuring Caching and Negative Caching</a></li>
</ul>
<h2>GlobalNames</h2>
<p>GlobalNames is a new DNS zone type that helps businesses decommission their WINS servers. GlobalNames allows for what Microsoft calls “single label name resolution.” Thus, “legacy” domain computers can communicate using DNS names that mimic their deprecated NetBIOS name counterparts.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc816610%28WS.10%29.aspx">Providing Single-Label DNS Name Resolution</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc731744.aspx">Deploying a GlobalNames Zone</a></li>
</ul>
<h2>Primary and Secondary Zones</h2>
<p>In traditional DNS, primary and secondary zones are considered to be authoritative for a given DNS domain. The difference here is that updates occur on the primary DNS server and are propagated to secondary DNS servers during the zone transfer process. In other words, primary DNS zones are read/write, and secondary DNS zones are read-only.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771898.aspx">Understanding Zone Types</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc757440%28WS.10%29.aspx">Change the DNS Zone Type</a></li>
</ul>
<h2>Active Directory-Integrated Zones</h2>
<p>AD-integrated zones were a big deal when Microsoft added them to Windows Server. Here we can dynamically replicate DNS zone data to all domain controllers within a domain or even across multiple domains within a forest because the zone data is embedded into the Active Directory database instead of being stored in flat files. Another advantage here is that every DNS server (that is to say, domain controller) can make changes to the DNS zone data. Hence, there is no concept of a read-only secondary zone.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Overview.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Overview.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Active Directory-Integrated Zones" src="http://4sysops.com/wp-content/uploads/2012/01/Microsoft-Exam-70-640-Configuring-DNS-Zones-Overview_thumb.png" alt="Active Directory-Integrated Zones" width="403" height="482" /></a></p>
<p align="center"><em>Active Directory-Integrated Zones</em></p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc731204%28WS.10%29.aspx">Active Directory-Integrated Zones</a></li>
<li><a href="http://support.microsoft.com/kb/227844">Primary and Active Directory-Integrated Zones Differences</a></li>
</ul>
<h2>Stub Zone</h2>
<p>A stub zone is a read-only DNS zone that contains only enough resource records to identify the authoritative DNS servers of another zone. We use stub zones in Windows Server 2008 DNS to speed up name resolution in split-domain networks. For instance, the 4sysops.com domain DNS server might have a stub zone for the 4sysopsbackup.com domain. The first domain having a shortcut method of resolving the remote domain’s DNS servers dramatically cuts down on DNS resolution lookups.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc816809%28WS.10%29.aspx">Creating and Managing a Stub Zone</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc754190.aspx">Add a Stub Zone</a></li>
</ul>
<h2>Start of Authority (SOA)</h2>
<p>The SOA record is the most important record in a DNS zone. SOA records contain the global parameters of the zone, including the aforementioned TTL, zone serial number (used in zone transfers), and other critical DNS metadata.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://support.microsoft.com/kb/163971">The Structure of a DNS SOA Record</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc816941%28WS.10%29.aspx">Modify the Start of Authority (SOA) Resource Record for a Zone</a></li>
</ul>
<h2>Zone Scavenging</h2>
<p>Zone scavenging refers to the Windows Server 2008 feature whereby the server periodically scours its authoritative DNS zones and purges outdated resource records. This process can also be initiated manually by an administrator.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc771677.aspx">Understanding Aging and Scavenging</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc771362%28WS.10%29.aspx">Enable Aging and Scavenging for DNS</a></li>
</ul>
<h2>Forward and Reverse Lookup</h2>
<p>In DNS, forward lookup pertains to the resolution of a target system’s IP address from its host name. Reverse lookup involves name resolution of a host name from a given IP address.</p>
<p><em>Relevant Links:</em></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc816891%28WS.10%29.aspx">Managing a Forward Lookup Zone</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc784493%28WS.10%29.aspx">Reverse Lookup</a></li>
</ul>
<h2>Conclusion</h2>
<p>I hope that you find this approach to 70-640 exam certification study fruitful. Please feel free to leave your questions and comments.</p>
<p>In the next post I will provide a sample practice question for the Configuring DNS Zones topic.</p>
Author: Timothy Warner
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-exam-70-640-configuring-dns-zones-overview/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<series:name><![CDATA[Microsoft Exam 70-640]]></series:name>
	</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 8: Dashboards</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-8-dashboards/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-8-dashboards/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 19:05:57 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7683</guid>
		<description><![CDATA[In this final part of the eight part technical <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at the new dashboard functionality and how they can be displayed in different environments, including SharePoint 2010 and we’ll add some final remarks around SCOM 2012.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this final part of the eight part technical <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at the new dashboard functionality and how they can be displayed in different environments, including SharePoint 2010 and we’ll add some final remarks around SCOM 2012.</i></strong></p>
<p>While monitoring systems like SCOM collect vast amounts of data, it’s not a matter of collecting the data; it’s a matter of filtering and displaying the right data to the right people at the right time.</p>
<p>There are three primary ways of doing this: you can have <strong>alerts</strong> that tell you that something is wrong and needs attention, <strong>reports</strong> showing historical data and <strong>dashboards</strong> that show actionable, real time data in a visual fashion that can be personalised.</p>
<p>Whereas earlier versions of SCOM had Views and simple dashboards, SCOM 2012 takes it to a whole new level. No longer do you need to group objects before creating a view and the new wizard for creating dashboards makes it very easy to display exactly the right information in the right way. There’s no programming necessary to create your own dashboards.</p>
<p>The wizard is available in both the native console and the web console and the resulting dashboards can be displayed in the Console, the Web Console and SharePoint 2010 (see below) and they look identical in all three environments. SCOM 2012 can have nested dashboards where drilling down into particular data leads to another dashboard.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Wizard-Layout.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Wizard-Layout.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 review - Dashboard Wizard Layout" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Wizard-Layout_thumb.png" alt="SCOM 2012 review - Dashboard Wizard Layout" width="604" height="443" border="0" /></a></p>
<p align="center"><em>Creating custom Dashboards is not only useful, it’s also very easy with the new wizard.</em></p>
<p>There are three steps to creating a dashboard in SCOM 2012: first select a layout based on the number of cells or columns desired; then add a widget in each cell (types include Alert, Performance and State) and finally configure each widget with a particular scope and criteria as well as display preferences. The Performance widget can now display data from either the Operational or DataWarehouse databases, increasing its usefulness. Apart from the comprehensive built in dashboards, third party management packs can add feature packs to support their own widgets. Both SQL Server and Hyper-V have dashboards in the works.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Add-Widget-Wizard.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Add-Widget-Wizard.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 review - Dashboard Add Widget Wizard" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Add-Widget-Wizard_thumb.png" alt="SCOM 2012 review - Dashboard Add Widget Wizard" width="604" height="444" border="0" /></a></p>
<p align="center"><em>For each cell define what widget you want and configure its properties.</em></p>
<p>To extend the reach of SCOM to non-IT personnel, dashboards can now be integrated into SharePoint 2010 using a web part. If the people who are going to view the dashboards aren’t SCOM users, the web part can be configured to use shared credentials. The integration works with SharePoint Server 2010 Standard and Enterprise as well as the free Foundation version. In the latter case you can only deploy the web part in the same domain as the web console and you won’t be able to use shared credentials.</p>
<p>The web part comes in the <strong>Microsoft.EnterpriseManagement.SharePointIntegration.wsp</strong> and is installed using the <strong>install-OperationsManager-DashboardViewer.ps1</strong> PowerShell script. The web part is linked to a web console so you’ll need to obtain the exact URI for the dashboard you want displayed by navigating to it in the Web console and copying it from the address bar. If you get an error message that the ticket has expired, you need to synchronise the clocks on the server running the Web console and the SharePoint server; they can’t be more than five seconds apart.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Finished.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Finished.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 review - Dashboard Finished" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-review-Dashboard-Finished_thumb.png" alt="SCOM 2012 review - Dashboard Finished" width="604" height="647" border="0" /></a></p>
<p><em>The final dashboard in all its glory, best of all it looks the same in all three environments.</em></p>
<p>Personalisation of dashboards by a user is now stored in the database and thus roams with the user to different PCs and environments; in SCOM 2007 R2 it was stored in the registry on the local machine and thus didn’t follow the user. Dashboards in the web console all have a distinct URL, which also makes it easy to disseminate information to non-technical users, as they can simply bookmark particular dashboards.</p>
<p>The most popular built in dashboard might be the new Management Group Health Dashboard console, also known as the “coffee break”, so named by the developers because it’s designed to give SCOM operators a quick overview of the health of their environment, thus answering the question “can I take a coffee break?”. It monitors both the infrastructure and the functions delivered by the SCOM system.</p>
<h2>Conclusion</h2>
<p>Although there’s no native support for Windows clustering and we’d like to see deeper monitoring of clustered Java applications in JEE, overall SCOM 2012 is a thorough revamp with some very useful new features. The simplified infrastructure and no-brainer High Availability will be welcome in all but the smallest environments, while the network monitoring should make all IT Pros’ troubleshooting lives easier. The extended *nix monitoring and JEE monitoring will be handy in the right environment, but perhaps the most intriguing feature will be seeing how SC Orchestrator will glue the entire System Center suite together.</p>
<h2>Resources</h2>
<p><a href="http://blogs.technet.com/b/momteam/">Official SCOM blog</a></p>
<p><a href="https://connect.microsoft.com/OpsMgr">Operations Manager 2012 on the Connect site</a> (Windows Live ID login required)</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-8-dashboards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>How to disable the Shutdown Event Tracker in Windows Server 2008 R2</title>
		<link>http://4sysops.com/archives/how-to-disable-the-shutdown-event-tracker-in-windows-server-2008-r2/</link>
		<comments>http://4sysops.com/archives/how-to-disable-the-shutdown-event-tracker-in-windows-server-2008-r2/#comments</comments>
		<pubDate>Tue, 27 Dec 2011 19:05:42 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[performance]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7676</guid>
		<description><![CDATA[In this article you will learn how the Shutdown Event Tracker works in Windows Server 2008 R2. You will also understand how to disable this functionality if your business needs dictate this action.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article you will learn how the Shutdown Event Tracker works in Windows Server 2008 R2. You will also understand how to disable this functionality if your business needs dictate this action.</i></strong></p>
<p>Some IT departments are under governmental and/or industry regulations that require them to account for all system downtime. Other IT departments may be mandated by their service-level agreements (SLAs) to provide documentation for any server restarts or shutdowns.</p>
<p>In Microsoft Windows Server 2008 R2, we have the Shutdown Event Tracker to assist us not only in the previously mentioned scenarios, but also in any shutdown-related troubleshooting we may be called to undertake.</p>
<h2>How the Shutdown Event Tracker works</h2>
<p>In a nutshell, the Shutdown Event Tracker enables Windows systems administrators to provide a reason for any system shutdown or restart event. Let’s clear up some terminology before we proceed any further:</p>
<ul>
<li><strong>Planned</strong>: This is a shutdown or restart event that was accounted for in advance</li>
<li><strong>Unplanned</strong>: This is a shutdown or restart event that was not accounted for in advance</li>
<li><strong>Planned + Unexpected</strong>: This is a planned shutdown or restart event (for instance, using the power button to shut off a server instead of the <strong>Shut Down</strong> command) that was unexpected by the operating system</li>
<li><strong>Unplanned + Unexpected</strong>: This is an unplanned shutdown or restart event (for example, a power failure) that was unexpected by the operating system</li>
</ul>
<p>When you perform an orderly shutdown or restart in Windows Server 2008 R2, the default behavior of the operating system is to display the Shutdown Event Tracker dialog box. This is shown in the next figure:</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-dialog.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-dialog.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Disable Shutdown Event Tracker - Shutdown Event Tracker dialog" src="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-dialog_thumb.png" alt="Disable Shutdown Event Tracker - Shutdown Event Tracker dialog" width="480" height="399" /></a></p>
<p align="center"><em>Shutdown Event Tracker dialog</em></p>
<p>The systems administrator has an opportunity to (a) specify whether the event is planned or unplanned; (b) choose an event category; and (c) provide a comment.</p>
<p>Shutdown-related events are stored in the System event log under Event ID 1074. You should periodically filter this log to isolate and review shutdown-related events.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-events-in-Event-Log.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-events-in-Event-Log.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Disable Shutdown Event Tracker - Shutdown Event Tracker events in Event Log" src="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-Shutdown-Event-Tracker-events-in-Event-Log_thumb.png" alt="Disable Shutdown Event Tracker - Shutdown Event Tracker events in Event Log" width="600" height="430" /></a></p>
<p align="center"><em>Shutdown Event Tracker events in Event Log</em></p>
<p>If your server crashes or suffers an otherwise unexpected restart, the Shutdown Event Tracker is invoked automatically upon the first administrator logon to the system.</p>
<h2>How to Disable the Shutdown Event Tracker</h2>
<p>If you want to disable the Shutdown Event Tracker, you can do so either by modifying the local Group Policy of the target system, or by editing the Windows Registry.</p>
<p>To use the Group Policy method, open the Run dialog box from the start menu and type <strong>gpedit.msc</strong> to open the machine’s local Group Policy.</p>
<p><strong>NOTE</strong>: You can manage the Shutdown Event Tracker for multiple systems through Active Directory Group Policy.</p>
<p>In Group Policy Editor, navigate to <strong>Computer Configuration\Administrative Templates\System</strong>, open the <strong>Display Shutdown Event Tracker</strong> policy, and set it to <strong>Disabled</strong>. This process is shown in the following screen capture:</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Disable Shutdown Event Tracker through Group Policy" src="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy_thumb.png" alt="Disable Shutdown Event Tracker through Group Policy" width="600" height="381" /></a></p>
<p align="center"><em>Disable Shutdown Event Tracker through Group Policy</em></p>
<p>If you prefer to use the Registry to perform this action, then type <strong>regedit</strong> from the <strong>Run</strong> dialog or an administrative command prompt and navigate to <strong>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability</strong>. Next, open the <strong>ShutdownReasonOn</strong> value and set it to <strong>0</strong>.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy1.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy1.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="Disable Shutdown Event Tracker through Group Policy" src="http://4sysops.com/wp-content/uploads/2011/12/Disable-Shutdown-Event-Tracker-through-Group-Policy_thumb1.png" alt="Disable Shutdown Event Tracker through Group Policy" width="600" height="487" /></a></p>
<p align="center"><em>Disable Shutdown Event Tracker through Group Policy</em></p>
<h2>Conclusion</h2>
<p>By now you should understand the purpose and basic functionality of the Shutdown Event Tracker in Windows Server 2008 R2. You also should know how to disable the feature by using either Group Policy or the Windows Registry.</p>
Author: Timothy Warner
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/how-to-disable-the-shutdown-event-tracker-in-windows-server-2008-r2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 7: Linux and JEE monitoring</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-7-linux-and-jee-monitoring/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-7-linux-and-jee-monitoring/#comments</comments>
		<pubDate>Mon, 26 Dec 2011 19:10:16 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7667</guid>
		<description><![CDATA[In this seventh part of the eight part technical <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at cross platform monitoring of Unix and Linux and some welcome improvements there as well as how the new Java Enterprise Edition (JEE) application server monitoring fits in.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this seventh part of the eight part technical <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at cross platform monitoring of Unix and Linux and some welcome improvements there as well as how the new Java Enterprise Edition (JEE) application server monitoring fits in.</i></strong></p>
<h2>Unix and Linux monitoring in SCOM 2012</h2>
<p>Monitoring Unix and Linux (*nix) machines is necessary in larger environments because there are almost always some *nix servers, even in mostly Windows shops, and SCOM 2012 brings some very important improvements. The Unix/Linux monitoring covers HP-UX 11i v2 / v3 on PA-RISC and IA64, Sun Solaris 9 on SPARC as well as 10 on SPARC and x86, Red Hat Enterprise Linux 4, 5 and 6 on both x86 and x64, Novell SUSE Linux Enterprise Server 9 on x86, 10 SP1 and 11 on both x86 and x64 along with IBM AIX 5.3, 6.1 and 7.1 on POWER.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Linux-Monitoring.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Linux-Monitoring.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - Linux Monitoring" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Linux-Monitoring_thumb.png" alt="SCOM 2012 - Linux Monitoring" width="601" height="455" border="0" /></a></p>
<p align="center"><em>SCOM 2012 Linux monitoring</em></p>
<p>Compared to SCOM 2007 R2, the 2012 version drops support for Solaris 8. Solaris 11, being very new, might make it into RTM, and there’s also added support for the iNode filesystem. Preliminary scaling numbers indicate that you can have up to 6000 Unix / Linux computers per management group if you have 50 consoles open, or 10 000 per MG if you have 25 open consoles.</p>
<p>SCOM 2007 R2 uses two accounts for monitoring *nix: the Monitoring account, an unprivileged account used for 85-90% of the monitoring, and the Action account, which is used for Syslog gathering and agent maintenance and needs root credentials on managed systems. SCOM 2012 “fixes” this issue, which has caused major problems for security-conscious *nix administrators, by adding support for sudo and SSH keys.</p>
<p>Sudo support means that a standard account can be set up on managed machines with exactly the required permissions, while SSH key support ensures that all agent maintenance done via SSH is secure. SSH keys need to be in PuTTY format; if you’re using OpenSSH the keys need to be converted with <a href="http://winscp.net/eng/docs/ui_puttygen">PuTTYgen</a>.</p>
<p>SCOM 2012 also adds new templates for customized monitoring. The new Process Monitor lets you monitor by count (number of processes for instance) and identifies processes by command line arguments (instead of all processes being called “java” for instance) as well as accepting regular expression input for filtering.</p>
<h2>Java Enterprise Edition monitoring in SCOM 2012</h2>
<p>Brand new in SCOM 2012 is comprehensive support for monitoring Java Enterprise Edition (JEE, formerly known as J2EE) application servers. The four most common platforms are supported: IBM WebSphere 6.1 and 7; Red Hat JBoss 4.2, 5.1 and 6; Oracle WebLogic 10g Rel3 and 11g Rel1; and the open source Apache Tomcat 5.5, 6 and 7, on both Windows and Linux, with WebSphere also supported on AIX and WebLogic on Solaris.</p>
<p>When you’ve imported the Java Management packs matching your environment, the application servers will be automatically discovered and standard monitoring will let you know if the application server is running and if resource utilization is within defined thresholds.</p>
<p>If deeper monitoring is needed, Microsoft offers an Open Source Java Management Extension (JMX) application called BeanSpy (known during the beta period as JMX Extender) that you load on the application server. It reports to SCOM via either HTTP or HTTPS, with or without basic authentication. BeanSpy being Open Source should allay fears that some companies might have about Microsoft code running on their application servers.</p>
<p>BeanSpy communicates with MBean counters (which are a bit like performance counters in Windows but more feature rich) to monitor individual applications running, frequency and time spent on memory garbage collection as well as overall performance of the application server. Memory garbage collection is particularly important as the application is unresponsive during this period.</p>
<p>For custom monitoring SCOM 2012 offers two templates for building your own monitoring management packs, one for Monitoring and one for Performance; both let you monitor any simple MBean property.</p>
<p>In the next part in the SCOM 2012 review series we’ll look at the vastly improved Dashboard functionality in SCOM 2012 and how to integrate dashboards into SharePoint.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-7-linux-and-jee-monitoring/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 6: Application Performance Monitoring (APM)</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-6-application-performance-monitoring-apm/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-6-application-performance-monitoring-apm/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 00:45:40 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7656</guid>
		<description><![CDATA[In this sixth part of the <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">SCOM 2012 review</a> series we’ll deep dive into Application Performance Monitoring (APM), formerly known as AVIcode before Microsoft acquired the technology, how it works as well as differences between the stand-alone product and the integrated version in SCOM 2012.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this sixth part of the <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">SCOM 2012 review</a> series we’ll deep dive into Application Performance Monitoring (APM), formerly known as AVIcode before Microsoft acquired the technology, how it works as well as differences between the stand-alone product and the integrated version in SCOM 2012.</i></strong></p>
<p>Troubleshooting application performance issues is a very difficult area, often requiring intimate knowledge of the workings of a particular program. Is the problem in the code, the server hardware, the server software or in the network? Developers need deep insight and detailed logs to debug whereas IT Professionals need standard metrics across all applications and a way to easily pinpoint in which tier the problem might lie.</p>
<p>Microsoft acquired AVIcode in late 2010; this product is designed to look for performance problems in application code without requiring instrumentation to have been built in by the developers. The standalone AVIcode product version 5.7 will be the last as it’s now integrated into SCOM as Application Performance Monitoring (APM).</p>
<p>If you’re a current user of AVIcode 5.7, be aware that its management packs won’t work in SCOM 2012 (templates still work though); also, APM will only work with .NET / web applications, not stand-alone executables, and it will only monitor IIS 7 / 7.5, not IIS 6. On the upside, the infrastructure is totally integrated in SCOM, there’s no separate database, and if it’s monitoring a Server 2008/2008 R2 machine with the IIS management pack the agent will automatically be deployed, although it’s not activated. Another improvement is that you can set an overall SLA for all web applications rather than having to configure monitoring for each individual application; the SLA can then be tweaked for particular programs as needed.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-NET-Monitoring-Configuration.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-NET-Monitoring-Configuration.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - NET Monitoring Configuration" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-NET-Monitoring-Configuration_thumb.png" alt="SCOM 2012 - NET Monitoring Configuration" width="604" height="479" border="0" /></a></p>
<p align="center"><em>For corporations with many IIS web applications the power of APM might just be the feature that justifies the upgrade to SCOM 2012.</em></p>
<p>When the interceptors are activated and loaded into IIS the server will require a restart; after that, even if you add additional applications to be monitored, only the particular app pool needs to be recycled.</p>
<p>The beauty of the integration becomes apparent when you see network, hardware and OS monitoring right next to the application performance information, making it much easier to zero in on exactly where the problem lies. The actual monitoring is done in the Diagnostics and Advisor consoles. Similar events are grouped and it also lists Session events or “what else did the user do when this problem happened”. Performance counters are also displayed; 15 minutes of OS and hardware data leading up to the event to let you easily determine if the problem is the underlying platform or in the application code. All of this data enables the IT Pro to communicate facts when liaising with developers and DBAs.</p>
<p>The separate <strong>Application Diagnostics</strong> and <strong>Application Advisor</strong> web consoles are probably where developers are going to spend their time troubleshooting, without having to deal with a full SCOM console.</p>
<p>APM can monitor both the server side of an application and the client side (IE only at this stage but support for other browsers is coming), which gives visibility into performance and reliability. The synthetic transaction feature already in SCOM, on the other hand, gives insight into availability, and together the two provide excellent data on overall application performance. APM monitoring carries minimal overhead; as a rule of thumb it uses about 100 MB of memory and increases the CPU load by 5%.</p>
<p>Today there’s no explicit support for APM monitoring of SharePoint 2010 although that is coming and there’s no way to put Advisor reports into a dashboard as there’s no widget for it yet. What’s more concerning is that there won’t be built in support to use APM to monitor cloud applications in Azure at RTM, although this support is “on the roadmap”.</p>
<p>In the next part of this series we’ll examine what’s been improved in the native Unix/Linux monitoring that debuted in SCOM 2007 R2 as well as the brand new Java Application Server monitoring.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-6-application-performance-monitoring-apm/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>Why only (I)T will matter</title>
		<link>http://4sysops.com/archives/why-only-it-will-matter/</link>
		<comments>http://4sysops.com/archives/why-only-it-will-matter/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 19:00:03 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[fun]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7653</guid>
		<description><![CDATA[In my last post, I claimed that empirical data indicates that Nicholas Carr is wrong and that <a href="http://4sysops.com/archives/poll-results-it-employment/">IT does indeed still matter</a>. In today's article, I will take my claim up one more notch and assert that <b><i>only</i></b> (I)T will matter.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In my last post, I claimed that empirical data indicates that Nicholas Carr is wrong and that <a href="http://4sysops.com/archives/poll-results-it-employment/">IT does indeed still matter</a>. In today&#8217;s article, I will take my claim up one more notch and assert that <b><i>only</i></b> (I)T will matter.</i></strong></p>
<p>Perhaps Carr&#8217;s claim was just a bit premature? Maybe it takes a few more years until IT jobs begin to disappear in the big cloud? Many so-called analysts have been claiming for a while that the rationalization and automatization effects of cloud computing will cost IT jobs.</p>
<p>I believe that these claims are fundamentally flawed because they are based on the false assumption that the realm of IT doesn&#8217;t grow anymore. This kind of analysis only takes into account what we do today with IT and then projects that rationalization effects will require fewer IT pros.</p>
<p>The reason why comparisons to technologies such as electricity (Carr&#8217;s favorite) are totally beside the point is that innovation in IT is still rapidly growing, whereas those technologies that have indeed been commoditized haven&#8217;t seen any noteworthy innovations since their maturation process peaked. Or did you discover any new breathtaking features or capabilities on your power outlets lately?</p>
<p>Recent innovations in IT, such as smartphones and tablets, significantly extended the way we can use IT. And look what is happening in the music, film, and book industries. I could go on about the tremendous effects that social networks, mobile broadband, or the countless innovations in medical IT have on our lives, and I would still not cover all important recent IT innovations. The truth is that IT is only at the beginning of its long innovation journey.</p>
<p>Innovation in IT is accelerating. That means that those organizations that are able to adopt and embrace these new information technologies faster have a significant competitive advantage. Thus IT is not just necessary (which Carr admits) and matters (which Carr denies), it matters more and more because more than ever it separates ambitious, innovative organizations from those that are satisfied with the status quo.</p>
<p>But why will &#8220;only&#8221; (I)T matter? Unfortunately, a blog post is not sufficient to support this claim. Fortunately, someone else already did this in an amazingly detailed way. That individual is my personal hero, Ray Kurzweil. In a way, he is claiming the exact opposite of Nicholas Carr. I suppose he never wrote the sentence &#8220;Only (I)T will matter,&#8221; but I feel that this follows from his theory.</p>
<p>Notice that this is meant in the literal sense. In a nutshell, <a href="http://en.wikipedia.org/wiki/The_Singularity_Is_Near">Kurzweil&#8217;s theory</a> is that the technological advances grow at an exponential rate, which will lead us to the &#8220;singularity&#8221;, a time where technological innovation grows so fast that it is beyond the understanding of our current mental capacity. IT is not the only technology involved here, which is why I set the &#8220;I&#8221; in parentheses. However, IT will certainly play a crucial if not a dominant role.</p>
<p>I know this sounds like far-fetched science fiction, and perhaps Kurzweil is a bit too optimistic (or too pessimistic for Carr followers) when he claims that this will happen in the next 30-40 years or so. However, I believe this scenario is much more likely than a world where innovation in IT has stopped and IT has become a mere commodity. As a matter of fact, Kurzweil has collected an enormous amount of empirical data that indicates that exactly the opposite is happening. IT matters more and more, and at an accelerating pace. You don&#8217;t have to be a mathematician to predict where this will lead us.</p>
<p>By contrast, Carr&#8217;s &#8220;analysis&#8221; is based on a flawed theory that is nurtured by a technology hostile philosophy. The main reason why he has numerous followers is not because he has convincing arguments to offer, but because many people share his fear of a future dominated by technological progress. Fearful people are an easy target for faulty but consoling arguments. And of course, every CEO and controller who hates to spend more and more money for something he has no clue about loves to hear that IT doesn&#8217;t matter anymore.</p>
<p>The main difference between <a href="http://en.wikipedia.org/wiki/Raymond_Kurzweil">Kurzweil</a> and <a href="http://en.wikipedia.org/wiki/Nicholas_G._Carr">Carr</a> is that Kurzweil is an IT veteran and innovator (playing in the same league as Bill Gates and Steve Wozniak) who made many predictions through the decades that already came true. On the other hand, Carr has no background at all in IT and is therefore, in my view, not qualified to say anything about IT that goes beyond the fact that he doesn&#8217;t like computers and the Internet.</p>
Author: Michael Pietroforte
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/why-only-it-will-matter/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 5: Network Monitoring</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-5-network-monitoring/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-5-network-monitoring/#comments</comments>
		<pubDate>Mon, 19 Dec 2011 19:05:31 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7651</guid>
		<description><![CDATA[In this fifth part of the SCOM 2012 RC review series we’ll examine the new Network Monitoring capabilities and the benefits this will bring to IT operations.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this fifth part of the SCOM 2012 RC review series we’ll examine the new Network Monitoring capabilities and the benefits this will bring to IT operations.</i></strong></p>
<p>Because big organisations often separate the network administration from server operations it can sometimes be difficult to efficiently narrow down if a particular problem is due to the network, the OS, the application or hardware. The new native Network monitoring feature is designed to increase visibility and help IT admins solve problems quicker; it’s not designed to replace specialist network monitoring tools that are probably already part of the network administrator’s toolkit.</p>
<p>Whilst SCOM 2007 R2 offers basic network device monitoring it doesn’t extend to the port level (unless you manually do the work for each individual device based on its Object Identifier (OID)). SCOM 2012 offers support for SNMP 1.0, 2.0 and 3 (but not Netflow) and works with both IPv4 and IPv6. Initial device discovery requires IPv4 addresses on devices, so if you have a pure IPv6 network with no IPv4 address allocation this will be an issue. Devices in this context can be switches, routers, load balancers and firewalls as well as any other network connectivity gadget that responds to SNMP monitoring.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring-Discovery.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring-Discovery.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - Network Monitoring Discovery" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring-Discovery_thumb.png" alt="SCOM 2012 - Network Monitoring Discovery" width="604" height="473" border="0" /></a></p>
<p align="center"><em>Make sure your discovery rule(s) is properly scoped to find all the devices you want as you can only have one rule per server.</em></p>
<p>Discovery of devices can either be <strong>explicit</strong>, where you define the devices by IP address or ranges, or <strong>recursive</strong>, in which case SCOM 2012 will glean information from one device to attempt to find other devices. During discovery all SNMP community strings you’ve entered for a Run As account are tried until a correct one is found. Be aware that some devices will generate an SNMP trap if too many invalid credentials are tried. The SNMP stack is now native to SCOM 2012, in contrast to SCOM 2007 R2 which used the SNMP stack of the OS. To monitor across firewalls you need to allow SNMP (UDP) and ICMP bi-directionally, and ports 161 and 162 have to be open (including on the Windows Firewall on management servers). SCOM provides the required firewall rules for Windows Firewall but doesn’t enable them by default.</p>
<p>Beyond the basic monitoring there’s extended monitoring where processor and memory utilization and memory fragmentation along with other device specific objects are tracked if the device is supported by SCOM 2012. To date there are more than 80 vendors on the list and over 800 devices; see the Excel spreadsheet <a href="http://www.microsoft.com/download/en/confirmation.aspx?id=26831">here</a>. When a device supports SNMP traps for system changes (card added, changes to chassis configuration) SCOM 2012 will listen for them. The supported information for each interface depends on how the device manufacturer has implemented monitoring; Management Information Base (MIB) based on RFC 2863 and MIB-II RFC 1213 provides deeper information.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - Network Monitoring" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Network-Monitoring_thumb.png" alt="SCOM 2012 - Network Monitoring" width="604" height="456" border="0" /></a></p>
<p align="center"><em>Deep information about each monitored device is only a mouse click away.</em></p>
<p>In strictly controlled environments where even read only SNMP monitoring is restricted you can opt for ICMP only which will let you know whether a device is responsive or not. If a node is down, all other monitoring is suppressed so that you’re not flooded with alerts about ports and links being down.</p>
<p>But the coolest part of Network Monitoring has to be the port stitching feature that shows which agent monitored node is connected to each port. SCOM will also discover all VLANs and what switches participate in each VLAN. Note that only connected ports will be monitored unless you manually add a port to the Critical Network Adapters Group, in which case it will always be monitored. For routers it will identify which Cisco Hot Standby Router Protocol (HSRP) groups they participate in. The end result is clear network diagrams that show exactly what systems are connected to which switch port as well as visually indicating where a problem might lie.</p>
<p>SCOM 2012 has over 200 new items of knowledge for network monitoring and will report on packet errors per switch port for instance. At RC the recommended scalability numbers are about 500 devices per Management Server and about 2000 devices per Management Group; however there’s a comprehensive sizing guide forthcoming. Be aware that you can only have one discovery rule per Management Server so make sure it encompasses all the devices you need to find.</p>
<p>There are four dashboards built in for network monitoring with the <strong>Network Vicinity Dashboard </strong>providing a visual representation of connected devices within one hop to the selected node, you can increase the number of hops up to five. Be aware that this dashboard won’t identify teamed NICs as such, nor will it show Unix / Linux computers and VMs will be associated with the same network device as the host; the Hyper-V switch does show up as an SNMP device.</p>
<p>The <strong>Network Summary Dashboard</strong> lets you easily spot the device with the slowest response, highest CPU or interfaces with the highest utilization, most send/receive errors or nodes with the most alerts. From this dashboard you can then pivot into the <strong>Network Node Dashboard</strong> that lets you view availability statistics for the last 24 or 48 hours, last seven days or last month; this dashboard also shows other utilization statistics for the node. The <strong>Network Interface Dashboard</strong> drills down to an individual port and lets you see packet statistics for the last 24 hours as well as alerts and interface properties.</p>
<p>There are also five new network monitoring reports and some new tasks in the console such as opening a Telnet session to a device, doing a quick SNMP “get” or performing an SNMP walk of a device. Note that if you’ve authored management packs for network monitoring in SCOM 2007 R2 these will need updating to work with the new functionality, see <a href="http://blogs.technet.com/b/momteam/archive/2011/10/24/migrating-operations-manager-2007-network-monitoring.aspx">here</a> for more information.</p>
<p>In the next part of this eight part SCOM 2012 RC overview we’ll look at another crucial piece of the IT puzzle that needs <a href="http://4sysops.com/archives/scom-2012-review-part-6-application-performance-monitoring-apm/">monitoring – applications</a>.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-5-network-monitoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 4: Infrastructure improvements</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-4-infrastructure-improvements/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-4-infrastructure-improvements/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 19:28:44 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7625</guid>
		<description><![CDATA[In the fourth part of this <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">SCOM 2012 review</a> series we’ll look at the removal of the Root Management Server (RMS), its replacement, how to build a Highly Available SCOM infrastructure easily and acquaint ourselves with the new Resource Pool concept.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In the fourth part of this <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">SCOM 2012 review</a> series we’ll look at the removal of the Root Management Server (RMS), its replacement, how to build a Highly Available SCOM infrastructure easily and acquaint ourselves with the new Resource Pool concept.</i></strong></p>
<h2>Root Management Server (RMS) in SCOM 2007</h2>
<p>Because of the unique role that the RMS plays in SCOM 2007 R2 it’s a single point of failure. It’s the connection point for consoles / web consoles, it runs the configuration service, and it handles connectors and health aggregation as well as role based access control. The way to build High Availability (HA) in SCOM 2007 R2 is to cluster the RMS server, which is operationally and technically complex and also relies on an active / passive model with the associated hardware and licensing costs. There’s also the option to manually promote a secondary management server to RMS in a disaster situation but this isn’t straightforward.</p>
<h2>SCOM 2012 high availability</h2>
<p>SCOM 2012 changes the game by doing what Exchange and other Microsoft applications have already done by providing HA out of the box. Management servers are pooled and automatically share the load, no server is more important than any other and simply by having several of them availability is ensured. Each server runs the configuration service and they store their data in the database instead of in an XML configuration file / memory like SCOM 2007 R2 did (this file could be up to several GB in large environments), leading to quicker start-up of each management server.</p>
<p>Failover is not instantaneous and it can take up to two minutes whilst the pool reloads managed instances. All management servers should be located in the same datacentre (less than 5ms latency) and you should deploy Gateway servers in other locations. These servers connect SCOM to branch offices or untrusted domains and can also be in resource pools but you can’t mix Management and Gateway servers in the same pool.</p>
<p>In SCOM 2007 R2 the RMS has special characteristics and some current management packs (Exchange 2007 and 2010 are examples, a full list is forthcoming from Microsoft) rely on a RMS to report to. Since there isn’t an RMS server in SCOM 2012 one management server is assigned the RMS Emulator role to provide compatibility with these MPs. This role can be manually moved between management servers (using the PowerShell cmdlet Set-SCOMRMSEmulator) and there’s a management pack coming that will automate the failover of the role. Management Groups don’t rely on the RMS emulator; it’s there for backwards compatibility with MPs.</p>
<h2>SCOM 2012 Resource Pool</h2>
<p>Know that all management servers are treated as having equal capacity; differences in processors and memory capacity are not taken into account so it’s best to plan on having all servers identical. Different workloads are also not taken into account and are simply distributed amongst the available servers in a pool. There are three default pools: the <strong>All Management Server Resource Pool</strong>, the <strong>Notification Pool</strong> and an <strong>AD Integration pool</strong>, but you can create your own pools for specific monitoring situations.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Resource-Pools.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Resource-Pools.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - Resource Pools" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Resource-Pools_thumb.png" alt="SCOM 2012 - Resource Pools" width="604" height="406" border="0" /></a></p>
<p align="center"><em>The three built in Resource Pools</em></p>
<p>Roles within a pool can be manually controlled. This is suitable, for instance, if you have a hardware text/SMS alerting device connected to a particular management server; there’s no point in failing that function over to a server without the hardware attached. Cross platform (Unix/Linux) monitoring and network device monitoring are also targeted at pools rather than individual management servers.</p>
<h2>SCOM 2012 maintenance mode</h2>
<p>An issue in SCOM 2007 R2 arises when you put a management server into maintenance mode: because the workflow to take the server out of maintenance mode after the designated time is also running on that server, it never automatically comes out of maintenance mode. In SCOM 2012 the workflow is moved to the All Management Servers resource pool, negating the need to manually take a server out of maintenance mode.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Web-Console.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Web-Console.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM 2012 - Web Console" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Web-Console_thumb.png" alt="SCOM 2012 - Web Console" width="602" height="406" border="0" /></a></p>
<p align="center"><em>The new Silverlight-based web console is your friend when you’re away from your monitoring station.</em></p>
<p>The new home on the web for all management packs is <a href="http://systemcenter.pinpoint.microsoft.com">http://systemcenter.pinpoint.microsoft.com</a>. For those who’ve been less than impressed by the Pinpoint site and by finding management packs in the past, it’s good to know that the above address is focused solely on System Center.</p>
<p>In the next part of this SCOM 2012 RC technical review series we’ll look at my favourite new feature: <a href="http://4sysops.com/archives/scom-2012-review-part-5-network-monitoring/">Network Monitoring</a>, what’s required and how it works.</p>
Author: Paul Schnackenburg
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-4-infrastructure-improvements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>SCOM 2012 review &#8211; Part 3: Interoperability</title>
		<link>http://4sysops.com/archives/scom-2012-review-part-3-interoperability/</link>
		<comments>http://4sysops.com/archives/scom-2012-review-part-3-interoperability/#comments</comments>
		<pubDate>Mon, 12 Dec 2011 19:05:38 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7618</guid>
		<description><![CDATA[In this third part of the SCOM 2012 RC technical review we’ll look at Interoperability with other management systems and other System Center products, PowerShell v2 and v3 support in SCOM 2012 and Console enhancements.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this third part of the SCOM 2012 RC technical review we’ll look at Interoperability with other management systems and other System Center products, PowerShell v2 and v3 support in SCOM 2012 and Console enhancements.</i></strong></p>
<h3>Interoperability in SCOM 2012</h3>
<p>Because a modern enterprise is heterogeneous, SCOM sometimes needs to integrate with other monitoring solutions such as IBM Tivoli, HP OpenView and others. In SCOM 2007 R2 this is accomplished with connectors, but these are not supported in SCOM 2012. The integration between SCOM and other management systems will now be accomplished through System Center Orchestrator 2012.</p>
<p>The different programs in the System Center suite are essentially different applications with little integration in the current version. System Center Orchestrator 2012 is about to change this in the 2012 wave by providing Integration Packs (IP) for each of the major System Center applications, including SCOM. The SCOM IP can create and interact with Alerts and Monitors as well as start and stop maintenance mode.</p>
<p>There are also IPs for System Center Service Manager (SCSM) that can, for instance, create incidents automatically based on alerts in SCOM; the IP for System Center Virtual Machine Manager (SCVMM) will push information about VMs, services, private clouds and hosts into SCOM. In a future review here at 4sysops we’ll look at this approach for integrating the System Center suite and whether it’ll provide the tight glue that many have asked for.</p>
<h2>PowerShell in SCOM 2012</h2>
<p>The good news is that SCOM now comes with full PowerShell 2.0 support and a host of new cmdlets. The less good news is that there will be a learning curve, as the new cmdlet nouns have “SCOM” in their names; the old cmdlets still seem to work, however. There are also new cmdlets for monitoring Unix and Linux machines (see part seven); these rely on PowerShell 3.0 (in CTP at the time of writing) for easy scripting and background operations.</p>
<p>To execute PowerShell cmdlets you have to establish a connection to a management group. This can be either a persistent connection, so you can run multiple cmdlets, or a temporary connection allowing you to run a single command.</p>
<p>A new cmdlet that might come in very handy is Export-SCOMEffectiveMonitoringConfiguration, which looks at a specific monitored instance (or a list), finds the monitors, rules and overrides that apply to it and exports the effective monitoring to a CSV file.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM2012-Main-Console.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM2012-Main-Console.png','',event,300,75)"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="SCOM2012 - Main Console" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM2012-Main-Console_thumb.png" alt="SCOM2012 - Main Console" width="604" height="501" border="0" /></a></p>
<p align="center"><em>The main console in SCOM 2012 follows the familiar System Center look and is easy to work with.</em></p>
<h2>Consoles in SCOM 2012</h2>
<p>Sysadmins familiar with SCOM 2007 R2 will feel right at home in the console; apart from some cosmetic changes (the “Actions” pane is now the “Tasks” pane and is split into two tabs, one for actions and one for help) it’s almost identical. The Web console, on the other hand, has received a major Silverlight overhaul and is now a joy to work with. Note that the Web console provides a monitoring workspace only, although you can create dashboards in it with the same functionality as in the full console (see part eight). You’ll need a 32-bit version of Word 2010 to edit custom information in the Knowledge Base; Office 2010 x64 won’t work.</p>
<p>In the next part of this series we’ll look at the flagship feature of SCOM 2012: built-in <a href="http://4sysops.com/archives/scom-2012-review-part-4-infrastructure-improvements/">High Availability as well as how the new Resource Pools work</a>.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/scom-2012-review-part-3-interoperability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>Operations Manager 2012 review &#8211; Part 2: Upgrade</title>
		<link>http://4sysops.com/archives/operations-manager-2012-review-part-2-upgrade/</link>
		<comments>http://4sysops.com/archives/operations-manager-2012-review-part-2-upgrade/#comments</comments>
		<pubDate>Thu, 08 Dec 2011 20:22:33 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[system center]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7592</guid>
		<description><![CDATA[In this second part of our eight-part <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at how to upgrade from Operations Manager 2007 R2, the sequence, multi-homing agents and management pack considerations.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this second part of our eight-part <a href="http://4sysops.com/archives/scom-2012-review-part-1-installation/">review of SCOM 2012</a> we’ll look at how to upgrade from Operations Manager 2007 R2, the sequence, multi-homing agents and management pack considerations.</i></strong></p>
<h3>Upgrading to Operations Manager 2012</h3>
<p>Only SCOM 2007 R2 can be upgraded to Operations Manager 2012, so if you’re on an earlier version you have to upgrade to this level first. If you’re an early adopter and trialled the beta, it can be upgraded to the current Release Candidate, which in turn is supported for upgrade to RTM. You can’t, however, upgrade from the beta directly to RTM, nor can you upgrade to RC from a SCOM 2012 beta that was originally upgraded from SCOM 2007 R2.</p>
<p>The most important prerequisite, however, is that all SCOM 2007 R2 management servers that you want to upgrade are 64-bit on x64 hardware and run 2008 R2 SP1 as the OS. If this isn’t the case in your environment, fear not: you can spin up a new server and start the upgrade from there. If you’re doing your upgrade this way, back up your encryption keys from the current RMS and restore them on the new SCOM 2012 server.</p>
<p>The general sequence for an upgrade is: secondary management servers, gateways and agents first, then the Root Management Server (RMS). If any management servers or gateways are still 2007 R2 the final RMS upgrade will be blocked. If agents are still 2007 R2 this will be highlighted during the RMS upgrade but it won’t block the upgrade. Be aware that these agents won’t be able to report to SCOM until they have been upgraded to SCOM 2012 agents.</p>
<p>If yours is a smaller environment with a single SCOM 2007 R2 server you can either upgrade in place (provided your server meets the hard- and software requirements) or you can set up another management server and start the upgrade from there. If you upgrade in-place be aware that you have to upgrade all the agents before they’ll report to SCOM 2012.</p>
<p>To assist with your upgrade plan there are clickable <a href="http://technet.microsoft.com/en-us/library/hh454967.aspx">flow diagram</a>s on TechNet that clarify what options you have; the same page also provides links to checklists with step-by-step instructions. There’s also an upgrade helper Management Pack (MP) that walks you through the upgrade and gives you an overview of what parts of your infrastructure have been upgraded.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Report-View.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Report-View.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="SCOM 2012 - Report View" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Report-View_thumb.png" alt="SCOM 2012 - Report View" width="383" height="492" /></a></p>
<p align="center"><em>Once your environment has been upgraded to Operations Manager 2012 you can take advantage of the new reporting functionality.</em></p>
<p>Further points for your upgrade planning include backing up the databases, disabling notifications to prevent false alarms and stopping connectors to avoid false tickets being generated, as well as making sure agents don’t report directly to the RMS as you’re upgrading it. Most importantly, check the event log for any problems; you can’t upgrade away from problems, so ensure your SCOM environment is healthy before you upgrade.</p>
<p>If you used Operations Manager to deploy agents, they will show up as pending upgrade in the console and you can push out the upgrade from SCOM; if you use an alternate method of deploying agents (such as SCCM) you have to upgrade them using your chosen deployment method, but it’s a simple MSI file so that should be easy. The native consoles are version specific, so if you need both the old and the new console on a machine, upgrade to the SCOM 2012 console and then reinstall the SCOM 2007 R2 console afterwards.</p>
<p>Depending on the size of your environment you may have a mix of SCOM 2007 R2 and SCOM 2012 management groups and servers in your environment for some time, so be aware that the SCOM 2012 agent will communicate with SCOM 2007 R2 servers. The reverse isn’t true, however, so an important step in your upgrade process will be upgrading agents to the 2012 version. The new Control Panel applet makes it easy to identify which management groups an agent reports to, and adding and removing of management groups from agents can now be centrally controlled via scripts.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Agent-Control-Panel-Applet.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Agent-Control-Panel-Applet.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="SCOM 2012 - Agent Control Panel Applet" src="http://4sysops.com/wp-content/uploads/2011/12/SCOM-2012-Agent-Control-Panel-Applet_thumb.png" alt="SCOM 2012 - Agent Control Panel Applet" width="500" height="415" /></a></p>
<p align="center"><em>The new scriptable control over agent assignments will be a boon in large environments as will the Control Panel applet for troubleshooting.</em></p>
<p>Management packs that work in SCOM 2007 R2 should work in Operations Manager 2012 because the MP schema is unchanged. The few exceptions are where third party management packs require new modules on the agent, new MP templates or new view types due to API changes; or if they attempt to create or update other MPs or elements within other MPs.</p>
<p>In the next part of this series we’ll look at <a href="http://4sysops.com/archives/scom-2012-review-part-3-interoperability/">PowerShell enhancements in SCOM 2012</a>, interoperability with other platforms as well as improvements in the Console.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/operations-manager-2012-review-part-2-upgrade/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCOM 2012]]></series:name>
	</item>
		<item>
		<title>Raffle: ManageEngine Desktop Central &#8211; Part 2: Features</title>
		<link>http://4sysops.com/archives/raffle-manageengine-desktop-central-part-2-features/</link>
		<comments>http://4sysops.com/archives/raffle-manageengine-desktop-central-part-2-features/#comments</comments>
		<pubDate>Wed, 07 Dec 2011 19:05:37 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[deployment]]></category>
		<category><![CDATA[desktop management tools]]></category>
		<category><![CDATA[inventory]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7587</guid>
		<description><![CDATA[In this second part of <a href="http://4sysops.com/archives/raffle-manageengine-desktop-central-part-1-overview/">two</a> I will describe some technical details of ManageEngine Desktop Central 7 and give an overview of the tool's systems management features.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this second part of <a href="http://4sysops.com/archives/raffle-manageengine-desktop-central-part-1-overview/">two</a> I will describe some technical details of ManageEngine Desktop Central 7 and give an overview of the tool&#8217;s systems management features.</i></strong></p>
<h2>Role-based access control</h2>
<p>Desktop Central 7 uses a role-based access control (RBAC) motif in which you can log into the system as a full-fledged administrator or as one of a series of dedicated sub-administrative roles, including the following:</p>
<ul>
<li>Patch Manager</li>
<li>Auditor</li>
<li>Asset Manager</li>
<li>Remote Desktop Technician</li>
</ul>
<p>Once you are logged in as an administrator, Desktop Central offers you a plethora of administrative action options for managed devices; some of these are shown in the screenshot below.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-7-administrative-options.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-7-administrative-options.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="ManageEngine Desktop Central 7 administrative options" src="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-7-administrative-options_thumb.png" alt="ManageEngine Desktop Central 7 administrative options" width="600" height="221" /></a></p>
<p align="center"><em>Desktop Central 7 administrative options</em></p>
<h2>Network discovery</h2>
<p>The <strong>Scan Systems</strong> option is particularly relevant because network discovery is key to creating managed computers as well as in most other aspects of the software. The <strong>Scope of Management</strong> page, shown in the next screenshot, lists managed computers and enables you to (among other things) install or uninstall the agent software.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Managing-client-devices.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Managing-client-devices.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="ManageEngine Desktop Central - Managing client devices" src="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Managing-client-devices_thumb.png" alt="ManageEngine Desktop Central - Managing client devices" width="600" height="378" /></a></p>
<p align="center"><em>Managing client devices</em></p>
<p>The <strong>Scope of Management</strong> report truly forms the foundation of your systems administration with Desktop Central 7. This list comprises the systems that are managed by Desktop Central; thus, all other Desktop Central processes (for instance, inventory scanning, managing software, etc.) operate from this systems list.</p>
<h2>IT asset management</h2>
<p>Does your IT shop subscribe to service management frameworks such as ITIL? Regardless, we need to be able to document exactly what hardware and software we have within our infrastructure. We also need to be able to account for software licenses, to limit or prevent user installation of unauthorized software, and so forth.</p>
<p>As you can observe in Figures 4 and 5, the Desktop Central 7 agent software thoroughly scours target systems, enabling you, the administrator, to always know precisely what each machine’s hardware and software loadout looks like.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Dekstop-Cental-Computer-details.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Dekstop-Cental-Computer-details.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="ManageEngine Dekstop Cental - Computer details" src="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Dekstop-Cental-Computer-details_thumb.png" alt="ManageEngine Dekstop Cental - Computer details" width="600" height="362" /></a></p>
<p align="center"><em>Computer details</em></p>
<p>The rich reporting in Desktop Central 7 enables &#8220;at a glance&#8221; analysis of your target systems.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-PC-inventory.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-PC-inventory.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="ManageEngine Desktop Central - PC inventory" src="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-PC-inventory_thumb.png" alt="ManageEngine Desktop Central - PC inventory" width="600" height="378" /></a></p>
<p align="center"><em>PC inventory</em></p>
<p>Desktop Central 7 can feasibly allow you to move away (partially or fully) from the often difficult-to-troubleshoot Group Policy infrastructure. For instance, with Desktop Central 7, we can perform the following hardware/software configuration tasks that are typically reserved for GPOs:</p>
<ul>
<li><a href="http://www.manageengine.com/products/desktop-central/control-usb-devices.html">Blocking or disabling USB devices on the network</a></li>
<li><a href="http://www.manageengine.com/products/desktop-central/desktop-power-management.html">Performing power management on managed systems</a></li>
<li><a href="http://www.manageengine.com/products/desktop-central/windows-security-policies.html">Applying Windows Explorer and Internet Explorer security policies</a></li>
<li><a href="http://www.manageengine.com/products/desktop-central/windows-desktop-configurations.html#windows-desktop-configurations">Mapping drives, setting environment variables, customizing Control Panel</a></li>
<li><a href="http://www.manageengine.com/products/desktop-central/help/computer_configuration/configuring_windows_services.html#Computer-Configuration-Configuring-Windows-Services">Configuring Windows services (including firewall policy)</a></li>
</ul>
<h2>Software deployment and maintenance</h2>
<p>The software deployment features that are built into Desktop Central 7 mean that you can possibly retire WSUS and Group Policy Software Installation.</p>
<p>If you seek to move away from the complex array of Windows OS deployment tools, then a related ManageEngine product is what you need: <a href="http://www.manageengine.com/products/os-deployer/index.html?dc-osd">OS Deployer</a>. OS Deployer includes functionality to manage all aspects of the operating system lifecycle: image capture, image maintenance, and image deployment.</p>
<p>However, Desktop Central 7 can be used to deploy service packs and any other .EXE or .MSI software installation package, and prevent specified software from being installed by your network users.</p>
<p>Notice how in the following figure the software packages list resembles the <strong>Programs and Features</strong> Control Panel item—deploying software with Desktop Central 7 is much easier than with comparable tools!</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Software-Deployment.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Software-Deployment.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="ManageEngine Desktop Central - Software Deployment" src="http://4sysops.com/wp-content/uploads/2011/12/ManageEngine-Desktop-Central-Software-Deployment_thumb.png" alt="ManageEngine Desktop Central - Software Deployment" width="600" height="366" /></a></p>
<p align="center"><em>Software deployment with Desktop Central 7</em></p>
<p>In a nutshell, the <a href="http://www.manageengine.com/products/desktop-central/windows-software-installation.html#software-installation">software deployment feature</a> in Desktop Central 7 enables you to completely manage the installation and uninstallation of approved software packages. The basic workflow is as follows:</p>
<ol>
<li>Create a central repository to host the software installers</li>
<li>Create a schedule for installation (you can schedule installation on a per-user or per-computer basis)</li>
<li>Determine application lifetime (you can schedule software updates or product installation automatically)</li>
</ol>
<p><a href="http://www.manageengine.com/products/desktop-central/windows-patch-management.html#windows-patch-management">Patch management</a> is another selling point of Desktop Central 7. The software allows the deployment of both Microsoft and non-Microsoft patch code. Desktop Central 7 also enables you to automatically deploy antivirus updates for clients that use the <a href="http://www.microsoft.com/en-us/server-cloud/forefront/default.aspx">Microsoft Forefront Client Security</a> software.</p>
<p>One interesting aspect of the patch management/security management feature in Desktop Central 7 is its <a href="http://www.manageengine.com/products/desktop-central/patch-management/latest-security-updates.html'">online vulnerability database</a>. The Desktop Central 7 software periodically queries this online database for the release of any Microsoft hotfix code, downloads the code to your Desktop Central management server, and notifies administrators of its availability. This makes it easier for systems administrators to remain on the forefront (pun intended) of IT security.</p>
<h2>Conclusion</h2>
<p>Note that this review only scratched the surface of ManageEngine Desktop Central 7&#8217;s capabilities. I encourage you to <a href="http://www.manageengine.com/products/desktop-central/download.html">download the free trial</a> and have a closer look at this easy-to-use desktop management software. If you already have experience with the product or any questions about it, then please feel free to leave that feedback in the comments portion of this post.</p>
<p>If you want to have a chance to win a 100 computers annual subscription license (worth $995 USD) or a 50 computers annual subscription license of the Professional Edition (worth $545 USD), please send an email with the subject &#8220;Desktop Central&#8221; to <script  type="text/javascript" language="Javascript"> 
						document.write('<a href="mailto:contests');
						document.write('@4sys');
						document.write('ops.com">');
						document.write('cont');
						document.write('ests@4sys');
						document.write('ops.com');
                                                document.write('</a>');
					</script>. The deadline of this contest is January 7, 2012.</p>
Author: Timothy Warner
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/raffle-manageengine-desktop-central-part-2-features/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

