Windows Server 2008 Tips and notes

WS 2008 Tips and notes from System admin

This is a random collection of WS 2008 tips and features that I came across and took note of.

By Neven Radic  October 2011, Toronto, Ontario


1 The Teredo protocol performs several functions:
  1.1 Private IPv6 addresses
    1.1.1 Unique local address
    1.1.2 A unique local address
  1.2 DHCP client alternate configuration
  1.3 DHCP Configuration options
  1.4 Windows Server 2008 Data Collector Sets (Alerts)
  1.5 DHCP relay agent in Windows Server 2008
  1.6 File Server Resource Manager (FSRM) in WS 2008 R2
  1.7 WS 2008 as DNS server - what you need to know
    1.7.1 DNS suffix order for computers running Windows XP/Vista/Windows 7:
    1.7.2 The DNS Suffix
    1.7.3 DNS Flow diagram
    1.7.4 Directing name queries using forwarders
    1.7.5 DNS delegation vs Conditional forwarding vs Stub zone
    1.7.6 What is really the difference between an “A” and a “CNAME” record?
    1.7.7 The stub zones in DNS
  1.8 How WINS lookup works
  1.9 Network Policy Server (NPS)
    1.9.1 NPS features:
    1.9.2 NPS and Radius
  1.10 Universal Group membership caching (UGMC)
    1.10.1 GPO and Central Store in WS 2008
  1.11 Group Policy client-side extensions (CSEs)
    1.11.1 Active directory right management services in WS 2008
  1.12 Reverse proxies server features:
  1.13 Terminal Server in Windows Server 2008
    1.13.1 Remote Desktop Gateway in WS 2008
    1.13.2 Remote Desktop Connection
    1.13.3 RemoteApp
    1.13.4 Windows Desktop Sharing
  1.14 Security Configuration Wizard (SCW)
  1.15 Global catalog in WS 2008
    1.15.1 Universal group membership caching
  1.16 Shadow groups
  1.17 Try Next closest Site Group policy setting
  1.18 All Active Directory trust:
  1.19 SCVMM - System Center Virtual Machine Manager
2 Active Directory Management Gateway Service (ADMGS)
  2.1 AD DS Fine-Grained Password or Password Setting Object (PSO)
  2.2 Authentication mechanism assurance
  2.3 EFS or Encrypted File System
  2.4 Remote Desktop Gateway
  2.5 4 new features available in WS 2008 domain functional level:
    2.5.1 1) Different password policy or Fine-Grained Password Policies
    2.5.2 2) The DFS support for SYSVOL replication
    2.5.3 3) The Kerberos authentication traffic can be encrypted by using the Advance Encrypting Service (AES) algorithm that has a 256-bit key size
    2.5.4 4) Last Interactive Logon Information
  2.6 AD Federation trust in WS 2008
    2.6.1 Account store in federation service WS 2008 and WS 2008 R2
  2.7 Name suffix routing trust
  2.8 Pros and Cons of DNS Active directory integration
  2.9 DNS record ownership and the DnsUpdateProxy group
  2.10 Active directory diagnostic data collector
  2.11 AD application directory partition
  2.12 Disabling AutoSiteCoverage Registration in DNS
  2.13 Applocker
  2.14 Windows Server 2008 Backup and VHD file format
  2.16 Active Directory Rights Management Services in WS 2008
    2.16.1 Features in AD RMS
    2.16.2 AD RMS software considerations
  2.17 Active Directory Recycle Bin in WS 2008 R2
  2.18 Configure Windows Time service on the PDC emulator in the Forest Root Domain
  2.19 CA Types and Roles in WS 2008
    2.19.1 Enterprise vs. Stand-Alone CAs
    2.19.2 Root CAs
    2.19.3 Subordinate CAs
    2.19.4 Intermediate CAs
    2.19.5 Issuing CA
    2.19.6 RAs
    2.19.7 Recovery Agent Certificates
    2.19.8 The number of recovery agent
    2.19.9 Certificate Template Versions in WS 2008
      • Version 1 certificate templates
      • Version 2 certificate templates
      • Version 3 certificate templates
      • Duplicating certificate templates
    2.19.10 Standalone Subordinate CAs

The Teredo protocol performs several functions:

1. Diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement for the STUN protocol)

2. Assigns a globally routable unique IPv6 address to each host using it

3. Encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includes NAT traversal)

4. Routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts
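Because a Teredo address embeds the Teredo server, the NAT type and the client's public IPv4 address and UDP port (point 2 above), a defender reviewing firewall or DirectAccess logs can recover where a tunnelled peer really sits. The following decoder is an added example written for these notes, not code from the page or from Microsoft; the address it decodes is the sample address from RFC 4380 and the bit layout follows that RFC.

```python
import ipaddress

# Teredo addresses live under this prefix (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000  # set when the client sits behind a cone NAT


def is_teredo(addr: str) -> bool:
    """True if the IPv6 address carries the Teredo prefix."""
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr: str) -> dict:
    """Unpack the fields embedded in a Teredo address (RFC 4380 section 4).

    bits   0- 31  prefix 2001:0000::/32
    bits  32- 63  IPv4 address of the Teredo server
    bits  64- 79  flags (0x8000 = client behind a cone NAT)
    bits  80- 95  client's mapped UDP port, stored XOR 0xFFFF
    bits  96-127  client's mapped public IPv4, stored XOR 0xFFFFFFFF
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = int(ip)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_nat": bool(flags & CONE_FLAG),
        "client_port": port,
        "client_ip": str(client),
    }


def encode_teredo(server: str, cone_nat: bool, port: int, client: str) -> str:
    """Inverse of decode_teredo: build the address a Teredo client would be assigned."""
    raw = 0x20010000 << 96
    raw |= int(ipaddress.IPv4Address(server)) << 64
    raw |= (CONE_FLAG if cone_nat else 0) << 48
    raw |= (port ^ 0xFFFF) << 32
    raw |= int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # Sample address from RFC 4380: server 65.54.227.120, cone NAT,
    # client mapped to 192.0.2.45 port 40000.
    print(decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
```

Note the port and client address are stored inverted (XOR with all-ones) so that NAT devices do not rewrite them as if they were IPv4 payload; the decoder undoes that inversion.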


ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

Unlike 6over4 (an older, similar protocol using IPv4 multicast), ISATAP uses IPv4 as a virtual non-broadcast multiple-access (NBMA) data link layer, so it does not require the underlying IPv4 network infrastructure to support multicast.

Note: ISATAP depends on the IP helper service.


Private IPv6 addresses

Unique local address

The concept of private networks and special address reservation for such networks has been carried over to the next generation of the Internet Protocol, IPv6.

The address block fc00::/7 has been reserved by IANA as described in RFC 4193. These addresses are called Unique Local Addresses (ULA). They are defined as being unicast in character and contain a 40-bit random number in the routing prefix to prevent collisions when two private networks are interconnected.

A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network or a point-to-point connection that a host is connected to. Routers do not forward packets with link-local addresses.

In IPv6 (Windows 7) a link-local address on every interface is mandatory; in IPv4 (Windows XP) it is not. Link-local addresses may be assigned manually by an administrator or by operating system procedures. Most often they are assigned using stateless address autoconfiguration. In IPv4, they are normally only used to assign IP addresses to network interfaces when no external, stateful mechanism of address configuration exists, such as DHCP, or when another primary configuration method has failed.

Link-local addresses for IPv4 are defined in their own reserved address block; in IPv6, they are assigned from the fe80::/64 prefix.

A unique local address

An IPv6 address that can communicate across segments: a unique local address (ULA) is an IPv6 address in the block fc00::/7 (in practice fd00::/8). It is the IPv6 counterpart of the IPv4 private address. Unique local addresses are available for use in private networks, e.g. inside a single site or organization, or spanning a limited number of sites or organizations. They are not routable on the global IPv6 Internet.

The address block fc00::/7 is divided into two /8 groups:

1) The block fc00::/8 has not been defined yet.

2) The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly-generated bit string.
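The 40 random bits in a fd00::/8 prefix are what keeps two merged private networks from colliding, so it matters that they are generated properly rather than picked by hand (fd00:1::/48 is the IPv6 equivalent of everyone using 192.168.1.0/24). The block below is an added example, not code from the page: it implements the pseudo-random global ID algorithm of RFC 4193 section 3.2.2 (SHA-1 over a 64-bit NTP timestamp and the interface's EUI-64, keeping the low 40 bits) and classifies addresses into the two /8 halves. The MAC address and timestamp are constructed sample values.

```python
import hashlib
import ipaddress
import struct
import time

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")
LOCAL_ASSIGNED = ipaddress.IPv6Network("fd00::/8")   # L bit = 1, locally assigned


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: seconds since 1900-01-01 plus a 32-bit fraction."""
    ntp = unix_seconds + 2208988800          # offset between the 1900 and 1970 epochs
    secs = int(ntp)
    frac = int((ntp - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs & 0xFFFFFFFF, frac)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def generate_ula_prefix(mac: str, unix_seconds: float = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 | SHA-1(NTP time || EUI-64)[-40 bits] as a /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")        # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)        # fd + 40-bit global ID, subnet/host bits zero
    return ipaddress.IPv6Network((prefix_int, 48))


def classify_ula(addr: str) -> str:
    """Say which half of fc00::/7 an address falls in, or that it is not a ULA at all."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ULA_BLOCK:
        return "not ULA"
    if ip in LOCAL_ASSIGNED:
        return "fd00::/8 (locally assigned)"
    return "fc00::/8 (undefined)"


if __name__ == "__main__":
    # Constructed sample inputs; the MAC is not a real interface.
    prefix = generate_ula_prefix("00:1a:2b:3c:4d:5e", unix_seconds=1317427200.0)
    print(prefix, classify_ula(str(prefix.network_address)))
```

The result is a /48; the next 16 bits are yours to carve into subnets, which is why `is_private` is true for the whole block while nothing in it is reachable from the Internet.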


DHCP client alternate configuration

With DHCP client alternate configuration, you can easily move a computer between two or more networks, one configured with static IP addresses and one or more configured with DHCP. Alternate configuration provides simplified computer migration (for example, a laptop) between networks without requiring that you reconfigure network adapter parameters such as IP address, subnet mask, default gateway, preferred and alternate Domain Name Service (DNS) servers, and Windows Internet Name Service (WINS) servers.

DHCP Configuration options

When you configure TCP/IP properties for a local area network connection, you have the following options:

  • Static IP address configuration 

  • Dynamic IP address configuration without alternate configuration 

    If the DHCP server is unavailable, the network adapter is configured using IP autoconfiguration.
  • Dynamic IP address configuration with alternate configuration 

    When you click Obtain an IP address automatically, click the Alternate Configuration tab, and type an alternate configuration, you can move your computer between one statically configured network (such as a home network) and one or more dynamically configured networks (such as a corporate network) without changing any settings. If the DHCP server is unavailable (for example, when your computer is connected to your home network), the network adapter is automatically configured with your alternate configuration, and the computer functions correctly on the network. When you move the computer back to the dynamically configured network and the DHCP server is available, the network adapter is automatically configured with the dynamic configuration assigned by the DHCP server. The alternate configuration is used only when the DHCP client cannot locate a DHCP server.

NAP Tip: To ensure that all client computers that access the network are evaluated by NAP, configure every access point as a RADIUS client of the Network Policy Server (NPS).

Windows Server 2008 Data Collector Sets (Alerts)

Windows Server 2008 introduces 'Data Collector Sets', which you can use to create a data set containing performance counters. WS 2008 supplies two main template types: diagnostics and performance.

From the custom data set you can configure alert activities for when the performance counters are exceeded.  Naturally, once you have defined the Data Collector Set, you must configure the actions that WS 2008 will undertake when the alert thresholds are reached.

How to Create Alerts in Windows Server 2008

You have to choose between the System Diagnostics template, the System Performance template, or one of your own designs.

  • Launch the Windows Reliability and Performance Monitor (Perfmon).
  • Expand Data Collector Sets, right-click User Defined.
  • Choose New, and click Data Collector Set.
  • Make sure you select the 'Create manually' option and click Next.
  • Select the Performance Counter Alert.
  • Add the counters you wish to monitor.
  • From the list of performance counters, select the counter to monitor and trigger an alert.
  • Choose whether to alert when the performance counter value is above or below the limit.

Data Collector Set Tip: The Data Collector Set must run as a user who is a member of the Performance Log Users group; alternatively, it can run as a member of the Administrators group.

Other Considerations: You could schedule the Data Collector Set to run at a certain time. It's often helpful to set a 'Stop condition'. Both strategies prevent you from being swamped with data.

DHCP relay agent in Windows Server 2008

A DHCP relay agent (BOOTP relay agent) functions as a sort of DHCP proxy, enabling DHCP clients on a given IP subnet to obtain IP leases from DHCP servers on other subnets. The DHCP relay agent relays messages between DHCP clients and DHCP servers. The DHCP relay agent component included with Windows Server 2008 RRAS serves that function.

Note: The DHCP relay agent cannot run on a Windows Server 2008 computer that is also running the DHCP Server service or network address translation (NAT) with automatic addressing enabled.

Setting up a DHCP relay agent is fairly simple. In the RRAS console, select the server you want to function as a DHCP relay agent. Open the IP Routing branch, right-click General, and choose New Routing Protocol. Select DHCP Relay Agent from the list and click OK to add it to the IP Routing branch.

Next, add the interface(s) on which the DHCP relay agent will function. Right-click in the right pane or on DHCP Relay Agent and choose New Interface. Select the appropriate network interface and click OK. RRAS displays a property sheet for DHCP Relay which contains the following options:

1) Relay DHCP Packets: Select this option to enable DHCP relay or deselect it to disable DHCP relay.

2) Hop-Count Threshold: Specify the maximum number of DHCP relay agents to handle DHCP relayed traffic. The default is 4; the maximum is 16.

3) Boot Threshold: Specify the interval the server waits before forwarding the DHCP messages. Use this option to allow a local DHCP server to have a chance to respond to requests before forwarding the message to a remote DHCP server.

The final step is to define the list of DHCP servers to which the local relay agent relays messages. In the RRAS console, right-click DHCP Relay Agent under the IP Routing branch and choose Properties. RRAS displays a dialog box in which you specify the IP addresses of the remote DHCP servers.
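The three relay options above (relay on/off, hop-count threshold, boot threshold) map onto fields of the DHCP message itself: the `hops` byte, the `secs` field and the `giaddr` (gateway address) that tells the server which subnet to lease from. The following is an added example written for these notes, not RRAS code: it parses the fixed BOOTP/DHCP header (RFC 2131), applies the three checks in the way this example interprets them (drop when `hops` already equals the threshold, hold while `secs` is below the boot threshold), and stamps `giaddr` only if no earlier relay has. The DISCOVER packet it processes is constructed inline.

```python
import ipaddress
import struct

BOOTREQUEST = 1                     # op code for client -> server messages
DHCP_MAGIC = b"\x63\x82\x53\x63"    # option-field magic cookie


def parse_bootp_header(packet: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header every DHCP message starts with (RFC 2131)."""
    if len(packet) < 236:
        raise ValueError("packet shorter than a BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", packet[12:28])
    return {"op": op, "hops": hops, "xid": xid, "secs": secs, "flags": flags,
            "giaddr": str(ipaddress.IPv4Address(giaddr))}


def relay(packet: bytes, relay_ip: str, hop_threshold: int = 4, boot_threshold: int = 0):
    """Decide what a relay agent does with a client message; returns (decision, packet or None).

    hop_threshold  - RRAS default 4, maximum 16 (this example drops at hops >= threshold)
    boot_threshold - seconds the client must have been trying (its secs field) before we
                     forward, giving a local DHCP server the first chance to answer
    """
    hdr = parse_bootp_header(packet)
    if hdr["op"] != BOOTREQUEST:
        return "ignore: not a client request", None
    if hdr["hops"] >= hop_threshold:
        return "drop: hop-count threshold exceeded", None
    if hdr["secs"] < boot_threshold:
        return "hold: below boot threshold", None
    out = bytearray(packet)
    out[3] = hdr["hops"] + 1                     # one more relay has handled it
    if hdr["giaddr"] == "0.0.0.0":               # first relay on the path stamps its own address
        out[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return "forward", bytes(out)


def build_discover(xid: int, secs: int, hops: int = 0, giaddr: str = "0.0.0.0",
                   mac: bytes = b"\x00\x1a\x2b\x3c\x4d\x5e") -> bytes:
    """Constructed DHCPDISCOVER for testing: broadcast flag set, no addresses yet."""
    header = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000)
    header += b"\0" * 12 + ipaddress.IPv4Address(giaddr).packed     # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128        # chaddr, sname, file
    options = DHCP_MAGIC + bytes([53, 1, 1, 255])                    # DHCP message type DISCOVER, end
    return header + options


if __name__ == "__main__":
    decision, forwarded = relay(build_discover(0x12345678, secs=8), "10.1.2.1")
    print(decision, parse_bootp_header(forwarded))
```

Server replies travel the other way (they are addressed to `giaddr`), which this one-direction example leaves out; the point it shows is why a chain of relays terminates and why only the first relay's address reaches the server.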

WS 2008 Server blue screen tip: If you discover that the server has been crashing lately, open Maintenance and then View reliability history.

Event subscription tip: to create a new subscription on a server, first create a custom view on the server using Event Viewer. Export the custom view to a file named e.g. subscription1.xml, then run from cmd: wecutil cs subscription1.xml.

DirectAccess is a new feature in Windows 7 (Ultimate and Enterprise editions only) and Windows Server 2008 R2 that provides seamless intranet connectivity to DirectAccess client computers when they are connected to the Internet.

The benefit of DirectAccess over VPN connections is that DirectAccess connections are established automatically as soon as the computer connects to the Internet, with no user intervention.

A third-party solution is needed to access UNIX and Linux servers through DirectAccess.

Interestingly, it is based on IPv6; therefore, if you want to implement this new feature, do not disable IPv6 in your environment.

DirectAccess establishes IPSec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. It encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still relies on IPv4 traffic. All traffic to the intranet is encrypted using SSL and sent through the standard HTTPS port (443), which means that in most cases, no configuration of firewalls or proxies should be required. A DirectAccess client can use one of several tunnelling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead.

DirectAccess requires:

1) Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.

2) On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.

3) Windows 7 (Ultimate and Enterprise editions only) - DA Client.

4) DC and DNS server running Windows Server 2008 SP2 or Windows Server 2008 R2.

5) Public key infrastructure (PKI) to issue computer certificates.

(Smart card certificates, and health certificates for Network Access Protection may be used along with PKI.)

DirectAccess Tip: To identify the URL of the network location server that a computer is configured to use, run this cmd on the computer: netsh namespace show policy.

A third-party NAT64 device may be used to provide access to IPv4-only resources to DirectAccess clients.

SDDL can be used to grant a user account read access to the Application event log without making it a member of Local Administrators or any other local group:

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application > CustomSD

Since this value is in SDDL format, refer to the Microsoft KB article on customizing event log permissions.
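A CustomSD value is a DACL in SDDL, and the safe way to extend it is to append one allow ACE carrying only the read bit (0x1) for the account's SID, leaving the existing deny and allow entries untouched. The block below is an added example, not the page's or Microsoft's code: it parses the ACEs of an SDDL string, evaluates what a set of trustees would be granted using the ordered first-match rule Windows applies, and produces the extended descriptor. The descriptor string and the SID are constructed samples; the real starting value must be read from the registry key above, and trustees are compared literally (SDDL abbreviations or full SIDs), which is a simplification of a real token check.

```python
import re

# Access bits that apply to event-log security descriptors.
ELF_LOGFILE_READ = 0x0001
ELF_LOGFILE_WRITE = 0x0002
ELF_LOGFILE_CLEAR = 0x0004

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(
    r"\((?P<type>A|D);(?P<flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)"
)


def parse_dacl(sddl: str) -> list:
    """Return the allow/deny ACEs of the DACL, in order, with integer rights masks.

    Only hex masks such as 0x1 are handled, which is the form CustomSD uses;
    letter-coded rights (GA, GR, ...) would need a translation table.
    """
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]      # stop at the SACL if one follows
    aces = []
    for m in ACE_RE.finditer(dacl):
        rights = m.group("rights")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"unsupported rights format: {rights}")
        aces.append({"type": m.group("type"), "mask": int(rights, 16),
                     "trustee": m.group("sid")})
    return aces


def effective_access(sddl: str, token_sids: set) -> int:
    """Simplified access check: walk ACEs in order; the first ACE that matches a trustee
    in the token decides each bit, so an earlier deny beats a later allow."""
    granted = denied = 0
    for ace in parse_dacl(sddl):
        if ace["trustee"] not in token_sids:
            continue
        if ace["type"] == "D":
            denied |= ace["mask"] & ~granted
        else:
            granted |= ace["mask"] & ~denied
    return granted


def grant_read(sddl: str, sid: str) -> str:
    """Append an allow ACE granting only ELF_LOGFILE_READ to the SID (idempotent)."""
    if "D:" not in sddl:
        raise ValueError("security descriptor has no DACL")
    if effective_access(sddl, {sid}) & ELF_LOGFILE_READ:
        return sddl                                     # already readable; no redundant ACE
    ace = f"(A;;0x{ELF_LOGFILE_READ:x};;;{sid})"
    head, sep, sacl = sddl.partition("S:")              # keep any SACL after the DACL
    return head + ace + sep + sacl


if __name__ == "__main__":
    # Constructed sample: anonymous denied everything, SYSTEM and Administrators allowed all.
    base = "O:BAG:SYD:(D;;0x7;;;AN)(A;;0x7;;;SY)(A;;0x7;;;BA)"
    print(grant_read(base, "S-1-5-21-1111-2222-3333-1105"))
```

Granting 0x1 rather than 0x7 is the least-privilege point of the tip: the account can read the log but cannot write to it or clear it.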

802.1X is a port-based Network Access Control (PNAC) standard. It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.

For example, if you want a NAP policy to be enforced for wireless connections, you have to configure all your access points for 802.1X.

DHCP relay agent – the same idea as the IP helper in Cisco. It helps RRAS clients find a DHCP server (and obtain a lease through RRAS).

File Server Resource Manager (FSRM) in WS 2008 R2

It is not much different from WS 2003 R2. You have to install the FSRM console: run Server Manager, click the File Services role, and if FSRM isn't installed already, install it.

FSRM features:

  • Folder Quotas
  • File Screening: block certain files, like .mp3 or .avi, from being stored in a folder
  • Storage Reports
  • Event Log Integration
  • E-mail Notifications
  • Automated Scripts

So you can use FSRM to perform the following tasks:

  • E-mail an administrator whenever a specific folder reaches 90% of its specified quota.
  • Automatically execute a script when a folder's size exceeds 1 GB, to clean up stale data in the folder.
  • Create a file screen to prevent users from saving video/audio files to a share, and send notifications when users attempt to do so.
  • Limit the size of a folder to 10 GB and log an event when the quota limit is reached.
  • Schedule and publish periodic storage reports that show how much space is being used by each user.
  • Generate an instant storage report listing the largest files on a share.

The Driver Isolation setting (Printing) is a technology to isolate printer drivers from each other and/or from the spooler. Windows 7 and Server 2008 R2 achieve that by executing printer driver code not from within spoolsv.exe but in a dedicated process, PrintIsolationHost.exe. If a driver causes a crash, only one instance of PrintIsolationHost.exe goes away, and the spooler service itself is left unperturbed.

Printer driver isolation in Windows 7 and WS 2008 R2 is enabled by default and can be disabled via the following group policy setting:

Computer Configuration / Administrative Templates / Printers / Execute print drivers in isolated processes

Access-Based Enumeration (ABE) is configured in the Share and Storage Management console.

Access-based enumeration displays only the files and folders that a user has permissions to access.

WS 2008 as DNS server - what you need to know


GlobalQueryBlockList – needed to support DirectAccess. This is a registry setting; after modifying it, the DNS server has to be restarted.

DNSSEC needs Signature (SIG) and Public key (KEY) DNS records.

The GlobalNames Zone (GNZ) comes into play when we need NetBIOS name resolution without WINS. GNZ is intended to aid the retirement of WINS, and it's worth noting that it is not a replacement for WINS. After creating and enabling the GlobalNames Zone, administrators must manually create, add, edit and, if required, delete name records in that zone. GNZ does not support dynamic updates.

For example:

The DNS client is able to resolve single-label names by appending an appropriate list of suffixes to the name; the resulting names are then answered by the authoritative DNS servers. If the client issues the following command:

ping Mywebserver

and the machine has a DNS suffix configured, then the client will append that DNS suffix to the host name and query DNS for the resulting Fully Qualified Domain Name (FQDN).

Note: The correct DNS suffix depends on the domain membership of the client, but can also be manually configured in the advanced TCP/IP properties of the computer, or by using Group Policy (GPO). This is the order in which the domain name suffixes are applied:

DNS suffix order for computers running Windows XP/Vista/Windows 7:

1. The primary DNS suffix, which is the domain that the client computer is joined to.

Note: if Group Policy is being used, then this suffix is not employed.

2. The Group Policy configured DNS Suffix Search List. If a GPO DNS Suffix Search List is used, further processing using DNS suffixes stops here.

3. If there is no Group Policy:

  • The connection-specific DNS suffix for each adapter is used.

  • For Vista only, for IPv6 adapters using DHCPv6 servers only: if there is a connection-specific suffix search list configured via DHCPv6 for an adapter, the suffixes in that list are appended in order.

4. If the name cannot be resolved via DNS using the various suffixes, the query fails over to WINS.

5. If no WINS is used, the client might turn to broadcasting on the local subnet.
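The order above, together with the devolution rule described further down (when the configured suffixes fail, the primary suffix is shortened label by label), determines exactly which FQDNs a client sends to DNS for `ping Mywebserver`, and therefore which zones an attacker-controlled or stale name could be answered from. The block below is an added example written for these notes, not Windows' resolver code: it builds the ordered candidate list for a single-label name under the rules stated on this page (GPO list as an override of everything else, then primary suffix, connection-specific suffixes and devolution) and simulates the lookup against a constructed set of known names, returning `None` where Windows would fall back to WINS or broadcast. The devolution floor of two labels is this example's assumption.

```python
def devolve(primary_suffix: str, min_labels: int = 2) -> list:
    """Primary-suffix devolution: drop the leftmost label repeatedly until min_labels remain.
    The floor of two labels is an assumption of this example (Windows exposes it as the
    devolution level)."""
    labels = primary_suffix.strip(".").split(".")
    devolved = []
    while len(labels) > min_labels:
        labels = labels[1:]
        devolved.append(".".join(labels))
    return devolved


def candidate_fqdns(name: str, primary_suffix: str = "", gpo_search_list=None,
                    connection_suffixes=None, devolution: bool = True) -> list:
    """Ordered list of fully qualified names the client will query for `name`."""
    if name.endswith("."):                  # already fully qualified: query as-is
        return [name]
    suffixes = []
    if gpo_search_list:
        # Administrative override: the GPO list replaces every other suffix source.
        suffixes = list(gpo_search_list)
    else:
        if primary_suffix:
            suffixes.append(primary_suffix)                 # 1. primary (domain joined to)
        for s in connection_suffixes or []:                 # 3. per-adapter suffixes
            if s and s not in suffixes:
                suffixes.append(s)
        if devolution and primary_suffix:                   # last resort: devolved primary
            for s in devolve(primary_suffix):
                if s not in suffixes:
                    suffixes.append(s)
    candidates = []
    if "." in name:                          # multi-label names are tried unqualified first
        candidates.append(name + ".")
    candidates.extend(f"{name}.{s}." for s in suffixes)
    return candidates


def resolve(name: str, known_fqdns: set, **config):
    """First candidate that exists in DNS, or None (the client then tries WINS / broadcast)."""
    for fqdn in candidate_fqdns(name, **config):
        if fqdn.lower() in known_fqdns:
            return fqdn
    return None


if __name__ == "__main__":
    # Constructed sample configuration and a constructed set of names that exist in DNS.
    known = {"mywebserver.lab.example.com."}
    print(candidate_fqdns("Mywebserver", primary_suffix="corp.example.com",
                          connection_suffixes=["lab.example.com"]))
    print(resolve("Mywebserver", known, primary_suffix="corp.example.com",
                  connection_suffixes=["lab.example.com"]))
```

Running the same lookup with a GPO search list that omits the lab suffix shows the override at work: the name that exists is never queried, and the client goes to WINS instead.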

DNS Tip: to add a new preferred DNS server from CMD (replace the placeholder with the DNS server's address):

netsh interface ipv4 add dnsservers name="NAME of NIC" address=<DNS server IP> index=1

A single-label name isn't a NetBIOS name. A single-label DNS name has no hierarchy. DNS relies on a hierarchy, because the whole premise is a hierarchical tree. If such a single-named zone exists, DNS thinks it's a TLD, such as 'com', 'net', etc. This also causes excessive queries to the root servers during a registration attempt.

DNS Suffix search order makes it possible

The DNS Suffix

If these suffixes do not work, devolution of the primary DNS suffix is attempted by the name resolution process.

When a domain suffix search list is configured on a client, only that list is used. The primary DNS suffix and any connection-specific DNS suffixes are not used, nor is the devolution of the primary suffix attempted. The domain suffix search list is an administrative override of all standard Domain Name Resolver (DNR) look-up mechanisms.

DNS Suffix tip: Use a GPO to configure your domain suffixes to speed up DNS name resolution.

DNS Flow diagram







Directing name queries using forwarders

The following figure illustrates how external name queries are directed using forwarders.

External Name Queries Directed Using Forwarders

Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs.

When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, thereby limiting DNS server exposure to the Internet. A forwarder will build up a large cache of external DNS information because all of the external DNS queries in the network are resolved through it. In a short amount of time, a forwarder will resolve a good portion of external DNS queries using this cached data and thereby decrease the Internet traffic over the network and the response time for DNS clients.


DNS delegation vs Conditional forwarding vs Stub zone


DNS delegation

  • A delegation can only be set in a parent domain.
  • Similar to what the root servers do for the top-level domains (com, org, net, etc.): they "know" which DNS server is holding that information further down.
  • Most heavily used for public name resolution, where you have:

    .. (DNS Root) --Delegation--> .com --Delegation-->

Conditional forwarding

  • Any server using a forwarder must support requests for recursion. Note that servers hosting public DNS zones will not, generally, support
  • Conditional forwarding does NOT require the cooperation of the "other" DNS server, and no zone transfer takes place.
  • You can configure conditional forwarding of your queries to any DNS server in the world.
  • This allows flexibility between organizations that have some sort of relationship but without the need to establish any replication between them.

Stub zone

  • It "knows" which DNS server is authoritative for that domain.
  • The DNS server holding the stub zone does NOT need to hold the parent domain, or any other domain for that matter.
  • It queries a server you specify for the list of NS records, so you get a list of all name servers responsible for the zone. Then it queries that server for the A records of the zone's name servers.
  • Stub zones are dynamic: if you add new name servers for a zone, the stub zone picks up this information and also uses the new servers.
  • If firewalls are involved: with a stub zone you cannot specify which of the name servers responsible for the zone is actually used to resolve the name. If you have specific ports opened only between certain servers, a delegation is better.



DNS Tip: To have the DNS server resolve an IP address to a host name, use a PTR (pointer) record.

ForestDNSZones - helps us resolve computer names for other domains (in the same forest) from a local DNS server.

If DNS integrated with AD is used, there are two application partitions for DNS zones – ForestDNSZones and DomainDNSZones:

  • ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. This forest-wide application partition stores the forest zone data.

  • DomainDNSZones is unique to each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partition stores the domain DNS zone in DomainDNSZones.<domain name>.

Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.


What is really the difference between an “A” and a “CNAME” record?

So if you need to have a few names pointing to the same IP, yes, you can do it with two A (glue) records or with an A record plus a CNAME record. Then one day you have to change the IP address, and the difference surfaces.

For every ‘A’ record you have to change it to point to the new IP address, but a CNAME follows automatically once you change the main ‘A’ record.

Here is this in an example (record types only):

        NS
        MX       --> for email
        A        --> A record
        CNAME    --> CNAME pointing to A record
        CNAME
        CNAME
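The operational difference above (CNAMEs follow a renumbering, extra A records go stale) is easy to see with a small resolver over a zone table. The block below is an added example written for these notes, not the page's own data and not any DNS server's code: the zone is a constructed sample using the 192.0.2.0/24 documentation range, `resolve_a` follows CNAME chains to an address (with loop and chain-length protection, which real resolvers also need), and `stale_a_records` lists the names that still point at the old address after only the main A record was changed.

```python
class ZoneError(Exception):
    """Raised for NXDOMAIN, CNAME loops, over-long chains and names without address data."""


def resolve_a(zone: dict, name: str, max_chain: int = 8):
    """Follow CNAMEs until an A record is found; returns (ip, chain of names visited).

    zone maps an owner name to a single (type, value) pair, which is enough for this
    demonstration (a real zone can hold several records per name)."""
    chain = [name]
    current = name
    for _ in range(max_chain):
        rec = zone.get(current)
        if rec is None:
            raise ZoneError(f"NXDOMAIN: {current}")
        rtype, value = rec
        if rtype == "A":
            return value, chain
        if rtype == "CNAME":
            if value in chain:
                raise ZoneError(f"CNAME loop at {value}")
            chain.append(value)
            current = value
            continue
        raise ZoneError(f"{current} has no address data ({rtype})")
    raise ZoneError("CNAME chain too long")


def stale_a_records(zone: dict, old_ip: str) -> list:
    """Names whose A record still points at old_ip: each of these needs a manual edit."""
    return sorted(n for n, (rtype, value) in zone.items() if rtype == "A" and value == old_ip)


# Constructed sample zone (192.0.2.0/24 is the documentation range, not a real network).
ZONE = {
    "example.com.": ("NS", "ns1.example.com."),
    "ns1.example.com.": ("A", "192.0.2.1"),
    "www.example.com.": ("A", "192.0.2.10"),        # the "main" A record
    "mail.example.com.": ("A", "192.0.2.10"),       # second A record for the same host
    "ftp.example.com.": ("CNAME", "www.example.com."),
    "webmail.example.com.": ("CNAME", "www.example.com."),
}


def renumber_main_a(zone: dict, new_ip: str) -> dict:
    """Return a copy of the zone where only www's A record was changed."""
    updated = dict(zone)
    updated["www.example.com."] = ("A", new_ip)
    return updated


if __name__ == "__main__":
    after = renumber_main_a(ZONE, "192.0.2.20")
    print(resolve_a(after, "ftp.example.com."))        # follows the change
    print(stale_a_records(after, "192.0.2.10"))        # mail still points at the old address
```

The stale list is the checklist for the manual edits the text describes; the CNAMEs need none.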



The stub zones in DNS

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces.

A stub zone may be necessary:

  a) When a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

  b) To ensure name resolution continues to work when the IP address of a DNS server in the other zone changes.

A stub zone consists of:

  • The start of authority (SOA) resource record, name server (NS) resource records, and the (glue) ‘A’ resource records for the delegated zone.
  • The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

DNS Tip: If you change the IP address of the primary DNS server and want this replicated immediately, run on the secondary DNS server(s) (replace the placeholder with the zone name):

dnscmd /ZoneUpdateFromDs <ZoneName>

DNS Tip #2: to have a record newly entered on the primary DNS server resolve immediately, clear the local server's cache:

dnscmd . /ClearCache

DHCP Tip: If you have restored your DHCP server from a backup but want to prevent DHCP clients from receiving IP addresses that are currently in use on the network, set the Conflict detection attempts value to 2.

How WINS lookup works

WINS is a dying technology; it is only needed to support legacy applications that still rely on NetBIOS names. The following is an example of a DNS client (host-b) querying its DNS server in an attempt to look up the address of another computer:

WINS Lookup


If you are looking for more DNS how-tos, there is an excellent MS article.

Tip: TIFF Filter –> is used to classify documents.

Print Server Tip: Use Pubprn.vbs to publish all shared printers to AD.

Backup tip: To restore all files of just one corrupted folder without affecting other files, you can run this cmd:

wbadmin start recovery -version:07/30/2010-10:00 -itemType:File -items:f:\problemfoldername -overwrite:Overwrite -recursive -quiet

EFS tip: To prevent users from accessing EFS-encrypted files once their smart card is removed, disable the "Create caching-capable user key from smart card" option.

EFS tip: If you want users to be able to open all files they encrypted from ANY computer, enable credential roaming.

BranchCache is an excellent WS 2008 R2 feature, particularly if you have sites on slow links.

Here is a very good MS article on how to configure and use it.

BranchCache tip: To enable clients to use the server's cached files, run this cmd:

netsh branchcache set service mode=HOSTEDSERVER

Event log tip: Use the wevtutil command-line tool to archive logs.

Network Policy Server (NPS)


NPS replaced IAS.

NPS features:

1. VPN Services
2. Dial-up Services
3. 802.11 protected access
4. Routing & Remote Access (RRAS)
5. Offer Authentication through Windows Active Directory
6. Control network access with policies


NPS and Radius



WSUS Tip: To automatically add new computers to a WSUS managed group, do the following:

a) Modify the Computers option in the Update Services console

b) Configure a GPO that enables client-side targeting


RODC is a new type of domain controller in the WS 2008 operating system. As its name implies, an RODC hosts read-only partitions of the AD database.

An RODC makes it possible for organizations to easily deploy a DC in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an internet or in an application-facing role.

Softgrid is now known as App-V; it is Microsoft's application virtualization solution, mostly used when an application isn't compatible with other apps on the system, so the only option is to run it sandboxed so that it does not interfere with other applications. An App-V software implementation has many limitations, such as:

  • Auto Update: Applications with automatic updates should not be sequenced if their update mechanism cannot be disabled. In addition, allowing auto-update leads to non-compliance of the application version.

  • Services: System services can be started when an application starts and shut down when an application's main executable terminates. Only user-mode services are suitable candidates for sequencing.

  • Microsoft Office plug-ins

  • Device Drivers: App-V presently does not support sequencing of kernel-mode device drivers; thus any application that installs a device driver cannot be sequenced. The only exception is when the device driver can be pre-installed locally; in this case, the application is sequenced without the device driver.

  • Application Size: The maximum application size Softgrid can handle is 4 GB, due to the use of the FAT32 file system.

  • Shortcuts: Applications should have a minimum of one shortcut. If no shortcuts are present, the application should be sequenced in a suite along with the application that needs it. Internet Explorer plug-ins require a special shortcut to start the browser process under the virtualization layer.

  • Middleware: Middleware applications may not be good candidates for sequencing, as they may be runtime prerequisites for multiple applications.

  • Path hard coding: The application should not have folder/file paths hard-coded in the application itself. Some applications hard-code the path of files in their executables rather than parameterising them. Configuration files such as ini, conf, txt etc. and the registry are good places to look for application-specific settings. Failing that, a shim can be used to remediate the application where source code or an update is not available.

  • COM+ apps: Some applications which use COM+ might not work properly in a virtual environment.

  • COM DLL: Some applications that use COM DLL surrogate virtualization, i.e. DLLs that run in Dllhost.exe, do not work properly in the Softgrid environment.

  • Licensing Policies: Applications with licensing enforcement tied to the machine, e.g. a license tied to the system's MAC address or hard disk serial number.

  • Internet Explorer & Service Packs: Microsoft does not support sequencing of any version of Internet Explorer.

  • Roaming Profiles: The default local cache location is %APPDATA%; this resides inside a folder that travels with roaming profiles and will often cause applications to fail as files fail to sync under current best practices for roaming profiles in Windows Vista and Windows 7. Users will have to exclude the Softgrid Client folder from their syncing rules, or use an alternative location.

  • LOCALAPPDATA: Administrators cannot set the local cache location to %LOCALAPPDATA% if they want user changes to the "bubble" file system and registry to be available to the application after it has closed.

DSRM is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

You can log on to DSRM by using a special DSRM password that you set when you promoted the domain controller. Use the logon account name MyComputer\Administrator (language may vary). For MyComputer use the name of the computer.

Windows Server 2000 or 2003: To load Active Directory you must boot DSRM. UMove will offer to automatically reboot the computer to DSRM and resume the interview where it left off.

Windows Server 2008: DSRM is rarely needed on Windows Server 2008 (W2K8). AD can be stopped and re-started on W2K8 without a reboot, making DSRM unnecessary. On W2K8 DSRM is only needed when doing a domain-wide restore or a forest-wide restore, or when AD is so damaged that it will not boot.

A realm trust can be established between any non-Windows Kerberos V5 realm and a Windows Server 2003 domain. This trust relationship allows cross-platform interoperability with security services based on other Kerberos V5 versions such as UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.


User Principal Names (UPN) - The UPN suffix is the domain portion of the UPN (the part after the @ sign). You can configure alternative UPN suffixes, which provide additional security or simplify naming if you have multiple-level child domains.

To create an alternative UPN suffix, open the Active Directory Domains and Trusts administrative console, right-click the root container and select Properties.

An alternative UPN suffix is also useful if the company decides to change its FQDN.
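The GUI step above can also be scripted. The following is an added example (not from the original notes) that registers an alternative UPN suffix on the forest and moves the users of one OU onto it; it assumes the ActiveDirectory module from WS 2008 R2 / RSAT, and the suffix `corp.example.com` and the OU path are constructed placeholders.

```powershell
# Added example: register an alternative UPN suffix and re-suffix an OU's users.
# Assumptions: ActiveDirectory module available; suffix and OU are placeholders.
Import-Module ActiveDirectory

$NewSuffix = 'corp.example.com'                  # placeholder suffix
$UserOu    = 'OU=Sales,DC=ad,DC=nlab,DC=com'     # constructed OU

# 1. Register the suffix on the forest (same as the Domains and Trusts step).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix}
}

# 2. Re-suffix each user in the OU, keeping the existing name part of the UPN.
#    -WhatIf previews the change; remove it to apply. UPNs must stay unique in
#    the forest, so Set-ADUser fails on a duplicate instead of overwriting.
Get-ADUser -Filter * -SearchBase $UserOu -Properties UserPrincipalName |
    ForEach-Object {
        $prefix = if ($_.UserPrincipalName) { $_.UserPrincipalName.Split('@')[0] }
                  else { $_.SamAccountName }
        Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$NewSuffix" -WhatIf
    }

# 3. Verify: list any user in the OU that still does not carry the new suffix.
Get-ADUser -Filter * -SearchBase $UserOu -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$NewSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it once with -WhatIf to see which accounts would change, then again without it; step 3 should then return nothing for that OU.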

Universal Group membership caching (UGMC)

Introduced in WS 2003, this feature locally caches a user's universal group memberships on the DC that authenticates the user. This is useful in branch office scenarios where you don't want to deploy a GC because of the extra WAN traffic the GC needs to replicate with the other domain controllers in the forest. The cached membership is refreshed every 8 hours to keep it up to date.

A key benefit of UGMC is that users in a branch office can still log on if the WAN link fails.

UGMC is enabled on a per-site basis in AD as follows: Open Active Directory Sites and Services, expand the Sites node and select the site where you want to enable UGMC, right-click NTDS Site Settings, select Properties, and select the Enable Universal Group Membership Caching check box. Then under Refresh cache from click a different site from which the selected site will refresh its UG membership cache.

If UGMC can speed logons at remote sites then it sounds like a good idea. But when is it better to simply deploy a GC at the remote office instead?

1. When you have lots of WAN bandwidth available

2. When the membership of universal groups frequently changes

3. When you have Exchange Server deployed at the remote site

4. When the branch office and headquarters both belong to the same AD site.

If any of these is true, it's best if you simply make one of the domain controllers at your remote office a global catalog server.

AD Tip: Use a shortcut trust to optimize the authentication process when many users in a domain often log on to other domains in the forest. Shortcut trusts also shorten the path traveled by authentication requests between domains located in two separate trees.

CA Tip: If you want to enable certificate-based authentication for routers (assuming the routers support the Simple Certificate Enrollment Protocol, SCEP), you have to install WS 2008 Certificate Services Enterprise Edition and enable the Network Device Enrollment Service.

RDS Tip: If you have RD Servers with different hardware performance, use TS Session Broker Load Balancing and assign each server a weight based on its individual hardware performance.

IIS Redundancy Tip: Use NLB Network Load Balancing cluster service.

AD Optimization Tip: If you want a specific DC to authenticate users when the local DC fails, make sure that the DCs you do not want to participate in authentication do not register the generic domain controller locator DNS records.

AD Security Tip: If you need to prevent a custom application password attribute from being replicated to other DCs, you have to upgrade all DCs to WS 2008 R2, add the custom password attribute to the filtered attribute set and mark the attribute as confidential.

A few new interesting features in WS 2008 R2:

InetOrgPerson objects - the InetOrgPerson class is used in several non-Microsoft LDAP and X.500 directory services to represent people in an organization.

Support for InetOrgPerson makes migration from other LDAP directories to AD DS more efficient. The InetOrgPerson object is derived from the user class. It can function as a security principal just like the user class.

Fine-grained password policies - you can use fine-grained password policies to specify multiple password policies within a single domain.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.

A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

GPO and Central Store in WS 2008

The Group Policy Central Store is a single folder in the SYSVOL share of each domain controller (running WS 2008) that stores one set of ADMX files for the entire domain. The Central Store relieves the symptoms of SYSVOL bloat (where old .ADM templates of 2-4 MB each had to be replicated for every GPO) and reduces the amount of data transferred during SYSVOL replication when new Group Policy objects are created.

The Central Store is a file location that is checked by the GPMC tools. The GPMC tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:

\\FQDN\SYSVOL\FQDN(or domain name)\policies

Copy all files from the PolicyDefinitions folder on a Windows 7-based client computer to the PolicyDefinitions folder on the domain controller. The PolicyDefinitions folder on a Windows 7-based computer resides in the Windows installation folder. It stores all .admx files and .adml files for all languages that are enabled on the client computer.
The .adml files on the Windows 7-based computer are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named "en-US".

Important note about the Central Store: as soon as you populate the Central Store on one DC, your local GPMC will prefer it over the local .admx files, so you have to keep the Central Store updated with the latest .ADMX files.
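The create-and-copy procedure above, plus the staleness check the note calls for, as an added example (not from the original notes). It assumes it is run on a Windows 7 / WS 2008 R2 domain member with write access to SYSVOL and reads the domain name from the environment rather than hard-coding it.

```powershell
# Added example: create the Group Policy Central Store and seed it from the
# local PolicyDefinitions folder. Assumptions: run as a domain admin on a
# Windows 7 / WS 2008 R2 machine; robocopy is present on those versions.
$Domain  = $env:USERDNSDOMAIN
$Source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $Central)) {
    New-Item -ItemType Directory -Path $Central | Out-Null
}

# Copy the .admx files, then each language folder's .adml files. /XO skips
# files that are older than what the store already holds, so an older client
# never overwrites templates copied earlier from a newer (R2) machine.
robocopy $Source $Central *.admx /XO /R:1 /W:1 /NP | Out-Null
Get-ChildItem $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $target = Join-Path $Central $_.Name
    robocopy $_.FullName $target *.adml /XO /R:1 /W:1 /NP | Out-Null
}

# Check: because GPMC prefers the store over local files, report any template
# for which this machine has a newer copy than the Central Store.
Get-ChildItem $Source -Filter *.admx | ForEach-Object {
    $stored = Join-Path $Central $_.Name
    if (Test-Path $stored) {
        $storedTime = (Get-Item $stored).LastWriteTime
        if ($storedTime -lt $_.LastWriteTime) {
            '{0}: local {1} is newer than store {2}' -f $_.Name, $_.LastWriteTime, $storedTime
        }
    }
}
```

Run the check part alone from any administrative workstation after a service pack or RSAT update; an empty result means the Central Store is at least as new as that machine's templates.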

Also, note that Windows 7 ADMX files now include support for two registry types: REG_MULTI_SZ and REG_QWORD. The REG_MULTI_SZ registry data type represents multiple string entries within a single registry value. The REG_QWORD registry data type represents a 64-bit number, which is twice the size of the 32-bit number stored in REG_DWORD. These new aspects of the ADMX syntax are only viewable when using the GPMC and Group Policy editors from Windows Server 2008 R2 or the Windows 7 Remote Server Administration Tools (RSAT). Group Policy editors and the GPMC from Windows Vista cannot read ADMX files containing this new syntax.

Group Policy client-side extensions (CSEs)

These CSEs are required on Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new Group Policy preference items.

To download the original Group Policy preference client-side extensions for your operating system, visit one of the following Microsoft Web sites:

·             Windows Vista, 64-bit edition

·             Windows Vista, 32-bit edition

·             Windows Server 2003, 64-bit edition

·             Windows Server 2003, 32-bit edition

·             Windows XP, 64-bit edition

·             Windows XP, 32-bit edition


Active Directory Rights Management Services (AD RMS) in WS 2008

AD RMS is a form of Information Rights Management used on Microsoft Windows that uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mail, Word documents, and web pages, and the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

Reverse proxies server features:


·         Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.

·         In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware.

·         A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.

·         Reverse proxies can hide the existence and characteristics of the origin server(s).

·         A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.

·         A reverse proxy can optimize content by compressing it in order to speed up loading times.

·         In a technique known as "spoon feeding",[2] a dynamically generated page can be produced all at once and served to the reverse-proxy, which can then return it to the client a little bit at a time. The program that generates the page is not forced to remain open and tying up server resources during the possibly extended time the client requires to complete the transfer.

·         Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyses each incoming call and delivers it to the right server within the local area network.


There are two MS solutions for reverse proxy servers:

·         Microsoft Forefront Threat Management Gateway (Forefront TMG), formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), is a commercial proxy, firewall and caching solution.

·         Internet Information Services 7.0 with URL Rewrite v2 and Application Request Routing can act as a reverse proxy

Terminal Server in Windows Server 2008

It handles the job of authenticating clients, as well as making the applications available remotely. The remote session information is stored in specialized directories, called Session Directory which is stored at the server. Session directories are used to store state information about a session, and can be used to resume interrupted sessions. The terminal server also has to manage these directories. Terminal Servers can be clustered.

In Windows Server 2008, Terminal Services has been significantly overhauled. While logging in, if the user logged on to the local system using a Windows Server Domain account, the credentials from the same sign-on can be used to authenticate the remote session. However, this requires Windows Server 2008 to be the terminal server OS, while the client OS is limited to Windows Server 2008, Windows Vista and Windows 7.

The terminal server can provide access to only a single program, rather than the entire desktop, by means of a feature named RemoteApp.

Terminal Services Web Access (TS Web Access) makes a RemoteApp session invocable from the web browser. It includes the TS Web Access Web Part control which maintains the list of RemoteApps deployed on the server and keeps the list up to date.

Terminal Server can also integrate with Windows System Resource Manager (WSRM) to throttle the resource usage of remote applications.

Terminal Server is managed by the Terminal Server Manager Microsoft Management Console snap-in. It can be used to configure the sign in requirements, as well as to enforce a single instance of remote session. It can also be configured by using Group Policy or Windows Management Instrumentation. It is, however, not available in client versions of Windows OS, where the server is pre-configured to allow only one session and enforce the rights of the user account on the remote session, without any customization.

Remote Desktop Gateway in WS 2008

The Remote Desktop Gateway service component, or Gateway, can tunnel the Remote Desktop Protocol session using a HTTPS channel by encapsulating the session with Transport Layer Security (TLS). This also allows the option to use Internet Explorer as the RDP client.

Remote Desktop Connection

With version 6.0, if the Desktop Experience component is installed on the remote server, the chrome of the applications will resemble the local applications rather than the remote ones. In this scenario, the remote applications will use the Aero theme if the user connects to the server from a Windows Vista machine running Aero. Later versions of the protocol also support rendering the UI in full 24-bit color, as well as resource redirection for printers, COM ports, disk drives, mice and keyboards. With resource redirection, remote applications can use the resources of the local computer. Audio is also redirected, so that any sounds generated by a remote application are played back at the client system. In addition to the regular username/password for authorizing the remote session, RDC also supports using smart cards for authorization. With RDC 6.0, the resolution of a remote session can be set independently of the settings at the remote computer. In addition, a remote session can also span multiple monitors at the client system, independent of the multi-monitor settings at the server. It also prioritizes UI data as well as keyboard and mouse input over print jobs or file transfers so as to make the applications more responsive. It also redirects plug and play devices such as cameras, portable music players, and scanners, so that input from these devices can be used by the remote applications as well. RDC can also be used to connect to computers which are exposed via Windows Home Server RDP Gateway over the Internet. RDC can be used to reboot the remote computer with the CTRL-ALT-END key combination.


RemoteApp (or TS RemoteApp) is a special mode of Remote Desktop Services, available only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the RemoteApp server), where remote session configuration is integrated into the client operating-system. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users, Windows Vista SP1 and Windows Server 2008. The UI for the RemoteApp is rendered in a window over the local desktop, and is managed like any other window for local applications. The end result of this is that remote applications behave largely like local applications. The task of establishing the remote session, as well as redirecting local resources to the remote application, is transparent to the end user. Multiple applications can be started in a single RemoteApp session, each with their own windows.

A RemoteApp can be packaged either as a .rdp file or distributed via an .msi Windows Installer package. When packaged as an .rdp file (which contains the address of the RemoteApp server, authentication schemes to be used, and other settings), a RemoteApp can be launched by double clicking the file. It will invoke the Remote Desktop Connection client, which will connect to the server and render the UI. The RemoteApp can also be packaged in a Windows Installer database, installing which can register the RemoteApp in the Start Menu as well as create shortcuts to launch it. A RemoteApp can also be registered as handler for file types or URIs. Opening a file registered with RemoteApp will first invoke Remote Desktop Connection, which will connect to the terminal server and then open the file. Any application which can be accessed over Remote Desktop can be served as a RemoteApp.

Windows 7 includes built-in support for RemoteApp publishing, but it has to be enabled manually in the registry, since there is no RemoteApp management console in client versions of Microsoft Windows.

Windows Desktop Sharing

Windows Vista onwards, Terminal Services also includes a multi-party desktop sharing capability known as Windows Desktop Sharing. Unlike Terminal Services, which creates a new user session for every RDP connection, Windows Desktop Sharing can host the remote session in the context of the currently logged in user without creating a new session, and make the Desktop, or a subset of it, available over Remote Desktop Protocol. Windows Desktop Sharing can be used to share the entire desktop, a specific region, or a particular application. Windows Desktop Sharing can also be used to share multi-monitor desktops. When sharing applications individually (rather than the entire desktop), the windows are managed (whether they are minimized or maximized) independently at the server and the client side.

The functionality is only provided via a public API, which can be used by any application to provide screen sharing functionality. Windows Desktop Sharing API exposes two objects: RDPSession for the sharing session and RDPViewer for the viewer. Multiple viewer objects can be instantiated for one Session object. A viewer can either be a passive viewer, who is just able to watch the application like a screen cast, or an interactive viewer, who is able to interact in real time with the remote application. The RDP Session object contains all the shared applications, represented as Application objects, each with Window objects representing their on-screen windows. Per-application filters capture the application Windows and package them as Window objects. A viewer must authenticate itself before it can connect to a sharing session. This is done by generating an Invitation using the RDP Session. It contains an authentication ticket and password. The object is serialized and sent to the viewers, who need to present the Invitation when connecting.


Security Configuration Wizard (SCW)


The SCW is available in Windows Server 2003 service pack 1.

The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles, such as a file server, a print server, or a domain controller.

The following are considerations for using SCW:

·         SCW disables unnecessary services and provides Windows Firewall with Advanced Security support.

·         Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file.

·         You can deploy security policies that you create with SCW by using Group Policy.

·         SCW does not install or uninstall the components necessary for the server to perform a role. You can install role-specific components through Server Manager.

·         SCW detects role dependencies. If you select a role, it automatically selects dependent roles.

·         All applications that use the IP protocol and ports must be running on the server when you run SCW.

·         In some cases, you must be connected to the Internet to use the links in SCW Help.
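The command-line side of the considerations above (analyze before applying, deploy through Group Policy), as an added example that is not from the original notes. It assumes the policy .xml was saved by the SCW wizard; the file paths and GPO name are placeholders.

```powershell
# Added example: scwcmd steps for an SCW policy. Assumptions: the policy was
# created in the SCW wizard; paths and the GPO name are placeholders.
$Policy  = 'C:\SCW\FileServerPolicy.xml'
$Report  = 'C:\SCW\Reports'
$GpoName = 'SCW - File Server Baseline'

if (-not (Test-Path $Report)) { New-Item -ItemType Directory -Path $Report | Out-Null }

# 1. Read-only check: compare the local server's current state with the
#    policy and write the analysis to $Report. Nothing on the server changes,
#    so this is safe to run on a production box before any rollout.
scwcmd analyze /p:$Policy /o:$Report

# 2. Turn the SCW policy into a GPO so it can be linked to the OU that holds
#    servers with the same role. The GPO is created but not linked.
scwcmd transform /p:$Policy "/g:$GpoName"

# 3. Confirm the GPO exists (GroupPolicy module, WS 2008 R2 / RSAT).
Import-Module GroupPolicy
Get-GPO -Name $GpoName | Select-Object DisplayName, Id, ModificationTime

# For a policy applied directly with "scwcmd configure", the previous state
# can be restored on that machine with:
# scwcmd rollback /m:$env:COMPUTERNAME
```

Deploying through the GPO keeps the change reversible by unlinking, which is why the direct `scwcmd configure` path is left out of the example.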

I want to mention some very important MS tools that we often forget about:



Assessment and Planning Toolkit (MAP)

The Microsoft Assessment and Planning Toolkit (MAP) is an agentless, automated, multi-product planning and assessment tool for quicker and easier desktop, server and cloud migrations. MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help organizations accelerate their IT infrastructure planning process, and gather more detail on assets that reside within their current environment. MAP also provides server utilization data for Hyper-V server virtualization planning; identifying server placements, and performing virtualization candidate assessments, including ROI analysis for server consolidation with Hyper-V.

It helps to identify which servers or workstations can be consolidated.

Desktop Optimization Pack (MDOP)

The Microsoft Desktop Optimization Pack (MDOP) is a suite of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management (App-V/MED-V), reduce support costs (DaRT), improve asset management (AIS) and improve policy control (MBAM/AGPM).

AD Right Management Service (AD RMS)

The goal of an AD RMS deployment is to be able to protect information, no matter where it goes. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner grants rights to other users to perform actions on the content, such as the ability to view, copy, or print the file.



* The Rights Management Client is included in Windows Vista and later versions and downloadable for Windows XP, Windows 2000 or Windows Server 2003

* It can be used for :

 - Record document access

 - Place time restriction

 - Protect document confidentiality

It requires  SQL Server 2005 Standard Edition with Service Pack 2 (SP2)





Microsoft Forefront Identity Manager (FIM) 2010

FIM 2010 offers you a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments.


FIM 2010 empowers users with self service password reset and embeds self-help tools in Office so you can manage routine aspects of identity and access, gives IT Professionals rich administrative tools and enhanced automation, and delivers .NET and web services-based extensibility for developers.

Users are able to reset their (locked) password by themselves.

Microsoft Forefront Unified Access Gateway (UAG) 2010

Delivers secure remote access to corporate resources for employees, partners, and vendors on both managed and unmanaged PCs and mobile devices. Utilizing a combination of connectivity options, ranging from SSL VPN to DirectAccess, as well as built-in configurations and policies, Forefront UAG provides centralized and easy management of your organization's complete anywhere-access offering.


AD tip: A WS 2008 R2 RODC (read-only domain controller) can coexist in a domain at the WS 2003 functional level.

Global catalog in WS 2008

GC stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest.

  • Finds objects.
    When a user searches for people or printers from the Start menu or selects the Entire Directory option in a query, that user is searching the global catalog. After the user enters a search request, the request is routed to the default global catalog port 3268 and sent to a global catalog server for resolution.
  • Supplies user principal name authentication.

    A global catalog server resolves a user principal name (UPN) when the authenticating domain controller has no knowledge of the user account. If the authenticating DC cannot find the user's account, it must contact a GC to complete the logon process.
  • Validates object references within a forest.

    Domain controllers use the global catalog to validate references to objects of other domains in the forest. When a domain controller holds a directory object with an attribute that contains a reference to an object in another domain, the domain controller validates the reference by contacting a global catalog server.
  • Supplies universal group membership information in a multiple-domain environment.

    Universal groups can have members in different domains. For this reason, the member attribute of universal groups, which contains the list of members in the group, is replicated to the GC.


Therefore in a single domain a GC isn't really needed and users can log on without a GC present, but in a multi-forest or multi-domain environment a GC is a must.

The downside of a GC is that it can be heavy on the network, but there is a solution to that: Universal Group Membership Caching.

Universal group membership caching

On domain controllers running WS 2003, WS 2008, or WS 2008 R2 in a site that has no GC server, you can use universal group membership caching to reduce the need to contact a global catalog server in a different site. When this feature is enabled, the first time that a user logs on to a domain where universal groups are available, the user's universal group membership information is cached on the domain controller. Thereafter, the DC uses cached memberships to process the logon, rather than having to contact a GC server.

Note that there are GC-dependent applications, such as Exchange.
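Both UGMC passages above (the per-site enable procedure and the "GC vs. UGMC" decision) come down to knowing, per site, whether a GC is present and whether caching is on. The following added example (not from the original notes) reports exactly that. It assumes the ActiveDirectory module and that the Sites and Services check box sets bit 0x20 of the `options` attribute on the site's NTDS Site Settings object, with `msDS-Preferred-GC-Site` holding the "Refresh cache from" site.

```powershell
# Added example: per-site report of GC presence and UGMC state.
# Assumptions: ActiveDirectory module; UGMC is bit 0x20 of "options" on the
# NTDS Site Settings object; msDS-Preferred-GC-Site is the refresh site.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dcs      = Get-ADDomainController -Filter *

Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=site)' |
  ForEach-Object {
    $site     = $_
    $settings = Get-ADObject "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                    -Properties options, 'msDS-Preferred-GC-Site'
    $opts     = [int]($settings.options)          # absent attribute -> 0
    $ugmc     = [bool]($opts -band 0x20)
    $gcCount  = @($dcs | Where-Object { $_.Site -eq $site.Name -and $_.IsGlobalCatalog }).Count

    # A site with neither a GC nor UGMC depends on the WAN link for every
    # logon that needs universal group membership; flag it.
    $risk = if ($gcCount -eq 0 -and -not $ugmc) { 'no GC and no UGMC' } else { '' }

    New-Object PSObject -Property @{
        Site        = $site.Name
        GCsInSite   = $gcCount
        UGMCEnabled = $ugmc
        RefreshFrom = $settings.'msDS-Preferred-GC-Site'
        Risk        = $risk
    }
  } | Format-Table Site, GCsInSite, UGMCEnabled, RefreshFrom, Risk -AutoSize
```

Sites listed with a GC count of 0 and UGMC off are the ones where the four criteria above (bandwidth, group churn, Exchange, shared site) decide between enabling caching and promoting a GC.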

Shadow groups

In Microsoft's Active Directory, OUs do not grant access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other directories such as Novell are able to assign access privileges through object placement within an OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership.

Here is a good example of how to update the shadow group with a single command line:

dsquery user ou=hr,dc=ad,dc=nlab,dc=com | dsmod group cn=hr_ou_users,ou=groups,dc=ad,dc=nlab,dc=com -chmbr
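A PowerShell version of the same maintenance job, as an added example that is not from the original notes. It assumes the ActiveDirectory module and uses the OU and group DNs from the dsquery line above (constructed for this page). Unlike `dsmod -chmbr`, which rewrites the whole member list in one operation, it only adds and removes the difference, so a scheduled run does not briefly empty the group.

```powershell
# Added example: keep a shadow group's membership equal to an OU's user set.
# Assumptions: ActiveDirectory module; OU and group DNs are constructed.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][string]$GroupDn,
        [switch]$IncludeSubOus
    )
    $scope = if ($IncludeSubOus) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: every user object directly in the OU (or its subtree).
    $wanted  = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope $scope |
                 Select-Object -ExpandProperty DistinguishedName)
    # Current membership: direct members only (no nesting expansion).
    $current = @(Get-ADGroupMember -Identity $GroupDn |
                 Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupDn -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupDn -Members $toRemove -Confirm:$false }

    # Summary object so a scheduled task can log what changed.
    New-Object PSObject -Property @{
        Group   = $GroupDn
        Members = $wanted.Count
        Added   = $toAdd.Count
        Removed = $toRemove.Count
    }
}

Sync-ShadowGroup -OuDn 'ou=hr,dc=ad,dc=nlab,dc=com' `
                 -GroupDn 'cn=hr_ou_users,ou=groups,dc=ad,dc=nlab,dc=com'
```

Because the group membership drives a fine-grained password policy, the Removed count is worth alerting on: a user who moves out of the OU silently falls back to the default domain policy on the next run.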


Try Next closest Site Group policy setting

Another WS 2008 / Vista GPO setting.

When the “try next closest site” feature is enabled, a client would do the following:

·         it asks DNS for a DC in its own site to be sure not to use a far-off DC. If it gets a DC in the same site, everything is fine and the DC is used for auth.

·         if it can’t find a DC in its own site, it would check for the next closest site (determined by the site cost in AD) and try a DC there (sites with RODCs are not regarded in the “next closest site search”). If there’s a DC available in the next closest site, it’s used for auth.

·         if it can’t find a DC in the next closest site, it just picks a random DC in some random site

That saves network bandwidth in case the local DC is down and you have a lot of remote sites that are connected by slow or highly utilized links.

Here’s the GPO path to enable it:

Comp Conf\Adm Templ\System\Net Logon\DC Locator DNS Records - “Try Next Closest Site”
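To check that the setting reached a client and to watch the locator's choice, here is an added example (not from the original notes). It assumes the policy writes the `TryNextClosestSite` value under `HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters` and that nltest's `/try_next_closest_site` switch exercises the same locator logic.

```powershell
# Added example: verify "Try Next Closest Site" on a client.
# Assumptions: the GPO writes TryNextClosestSite=1 under the Netlogon policy
# key; nltest /try_next_closest_site asks the locator with that flag set.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$val = (Get-ItemProperty -Path $key -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite

if ($val -eq 1) {
    'Try Next Closest Site: enabled by policy'
} else {
    'Try Next Closest Site: not set (default is off)'
}

# Which site does this client think it is in, and which DC does the locator
# hand back? "Dom Site Name" in the output is the DC's site; compare it with
# "Our Site Name" to see whether a next-closest-site DC was chosen.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /try_next_closest_site
```

With the local site's DCs healthy the output still names a local DC; the next-closest-site path only shows up when no DC in the client's own site answers.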

All Active Directory trust types:

·         One-way trust

o        One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

·         Two-way trust

o        Two domains allow access to users on both domains.

·         Trusting domain

o        The domain that allows access to users from a trusted domain.

·         Trusted domain

o        The domain that is trusted; whose users have access to the trusting domain.

·         Transitive trust

o        A trust that can extend beyond two domains to other trusted domains in the forest.

·         Intransitive trust

o        A one way trust that does not extend beyond two domains.

·         Explicit trust

o        A trust that an admin creates. It is not transitive and is one way only.

·         Cross-link trust

o        An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

·         Shortcut

o        Joins two domains in different trees, transitive, one- or two-way

·         Forest

o        Applies to the entire forest. Transitive, one- or two-way

·         Realm

o        Can be transitive or nontransitive, one- or two-way

o        Used to connect to non-Microsoft network

·         External

o        Connect to other forests or non-AD domains. Nontransitive, one- or two-way

·         Federate trust
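The trust list above, plus the realm trust and shortcut trust notes earlier on this page, map onto three attributes of the trustedDomain objects in CN=System. The following added example (not from the original notes) decodes them into the terms used above; the bit values are the documented trustAttributes, trustDirection and trustType flags, and it assumes the ActiveDirectory module.

```powershell
# Added example: list the current domain's trusts with type, direction,
# transitivity and whether SID filtering (quarantine) is on.
# Assumptions: ActiveDirectory module; flag values are the documented
# trustAttributes / trustDirection / trustType constants.
Import-Module ActiveDirectory

function Get-TrustReport {
    $typeNames = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'Realm (MIT Kerberos)'; 4 = 'DCE' }
    $dirNames  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }

    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
        -SearchBase (Get-ADDomain).DistinguishedName `
        -Properties trustPartner, trustType, trustDirection, trustAttributes |
    ForEach-Object {
        $attr = [int]$_.trustAttributes
        $type = [int]$_.trustType
        $kind = if     ($attr -band 0x8)  { 'Forest' }                    # FOREST_TRANSITIVE
                elseif ($attr -band 0x20) { 'Within forest (tree/shortcut)' } # WITHIN_FOREST
                elseif ($type -eq 3)      { 'Realm' }
                else                      { 'External' }
        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Kind          = $kind
            Type          = $typeNames[$type]
            Direction     = $dirNames[[int]$_.trustDirection]
            Transitive    = -not ($attr -band 0x1)      # NON_TRANSITIVE bit clear
            SidFiltering  = [bool]($attr -band 0x4)     # QUARANTINED_DOMAIN
            SelectiveAuth = [bool]($attr -band 0x10)    # CROSS_ORGANIZATION
        }
    }
}

Get-TrustReport |
    Format-Table Partner, Kind, Type, Direction, Transitive, SidFiltering, SelectiveAuth -AutoSize
```

An external trust reported with SidFiltering false is the row to look at first: SID filtering is what stops a principal in the trusted domain from carrying SIDs from this domain in its token.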


AD site connection Tip: Use the DC Locator DNS Record GPO setting for the Domain Controller to control site connections.

SCVMM - System Center Virtual Machine Manager

System Center Virtual Machine Manager Self-Service Portal 2.0 is a free, partner-extensible component that allows you to dynamically pool, allocate, and manage datacenter resources. Using the Self-Service Portal, you can reduce IT costs, while increasing agility for your organization. The Self-Service Portal works with products and technologies you know and trust, like Windows Server and the System Center product suite. This solution delivers:


  • Automated web portals and workload provisioning engine that’s integrated with System Center.
  • Tested guidance and best practices to help configure and deploy private cloud infrastructures.
  • Guidance to help partners easily extend functionality.
  • Localization in three languages: Japanese, Traditional Chinese, and Simplified Chinese.


Active Directory Management Gateway Service (ADMGS)

Introduced alongside WS 2008 R2; on older domain controllers it is installed as a separate download.

Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.

ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.

AD DS Fine-Grained Password or Password Setting Object (PSO)

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, you may want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

To store fine-grained password policies, Windows Server 2008 adds two object classes to the Active Directory Domain Services (AD DS) schema (the domain functional level must be Windows Server 2008 before they can be used):

  • Password Settings Container (msDS-PasswordSettingsContainer): the fixed container CN=Password Settings Container,CN=System,<domain>
  • Password Settings (msDS-PasswordSettings): one object, the PSO, per policy. A PSO is linked to users or global security groups, never to an OU; when several apply, the one with the lowest msDS-PasswordSettingsPrecedence wins, and a PSO linked directly to the user always beats one linked through a group
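The privileged-accounts case described above, as an added example that is not part of the original page. It creates a stricter PSO, applies it to a group, shows which policy actually wins for one account and lists all PSOs so that a forgotten weak one is noticed. The policy name, the group and the user are placeholders; the cmdlets are those of the Windows Server 2008 R2 Active Directory module.

```powershell
# Added example, not from the original page: stricter PSO for privileged accounts.
# 'Admins-PSO', 'Domain Admins' and 'svc-backup' are placeholders.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -Description 'Stricter policy for privileged accounts'

# PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'

# Lowest precedence wins among group-linked PSOs; a PSO linked directly to the user
# beats any group-linked one regardless of precedence. This shows the effective policy.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Audit: every PSO in the domain and what it applies to, so a weak or stray PSO is visible.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

An account that no PSO matches falls back to the Default Domain Policy, so Get-ADUserResultantPasswordPolicy returning nothing for a user is itself a useful result.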


Authentication mechanism assurance

When a certificate-based logon method (for example, smart-card logon) is used, and authentication mechanism assurance is enabled, an additional group membership is added to the user’s access token during logon. An administrator links the group membership from a specific certificate issuance policy, which is included in the certificate template. Because different certificate issuance policies can be linked to different groups, the administrator can identify whether a certificate was used during the logon operation. The administrator can also distinguish between different types of certificates. Ultimately, this makes it possible for resource administrators to secure resources by using group memberships. However, because membership in certain groups can be granted based on the certificate type that is used during logon, access to resources can be controlled according to whether a user logged on with a certificate, as well as the type of certificate that was used during logon.

For example, assume that a user named Todd has a smart card with a certificate that was distributed from a certificate template that includes the Medium Assurance certificate issuance policy. An administrator has linked the Medium Assurance certificate issuance policy to a group named Medium Access Level. A file share is configured so that the Medium Access Level group has Read access and another group named High Access Level group has Modify access. No other access permissions are configured on the file share. When Todd logs on using his smart card, his access token includes an additional group membership (in this case, to the Medium Access Level group). Todd is then granted Read access to the file share. If Todd does not log on using the smart card, he cannot access the file share. If a user named Cassie has a smart card with a certificate that was issued from a certificate template with a certificate issuance policy that is linked to the group named High Access Level, Cassie has Modify permissions to the file share when she logs on with her smart card.

You can also use the additional group membership in the user's access token as an Active Directory Federation Services (AD FS) interforest claim, which you can then use to grant varying levels of access between forests. You can combine this claim with other claims to further restrict access to federated resources.

Before you can implement authentication mechanism assurance you need a certificate-based logon method: a certification authority (CA), a certificate template that carries an issuance policy, and smart-card certificates enrolled from that template. The requirements are:


·             At least one Active Directory domain controller running Windows Server 2008 R2, with the domain functional level set to Windows Server 2008 R2

·             A client computer or server running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that is a member of the domain

·             A smart card reader attached to the client computer. Software that provides virtual smart cards and readers can stand in for the hardware; otherwise use a physical, domain-joined client (Microsoft's AD FS in Windows Server 2008 R2 Step-by-Step Guide calls it ADFSCLIENT) with a reader. You also need at least two different smart cards, one per access level, or a single card that can hold multiple certificates or be rewritten.
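The link between an issuance policy and a group, which the text above describes for the Medium Assurance policy and the Medium Access Level group, is a single attribute on the issuance-policy OID object in the configuration partition. The following script is an added example (not from the original page or Microsoft's own set-IssuancePolicyToGroupLink script) that sets that link and enforces the constraints Microsoft documents for the linked group: it must be a universal security group with no members. Policy and group names come from the text; the module and the container path are standard for a Windows Server 2008 R2 forest.

```powershell
# Added example, not from the original page: link a certificate issuance policy to a
# universal security group so that the group is added to the token of anyone who logs
# on with a certificate carrying that policy. Requires Enterprise Admins rights.
Import-Module ActiveDirectory

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory = $true)][string]$PolicyDisplayName,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $config  = (Get-ADRootDSE).configurationNamingContext
    $oidBase = "CN=OID,CN=Public Key Services,CN=Services,$config"

    # Issuance policies are msPKI-Enterprise-Oid objects under the OID container.
    $oid = Get-ADObject -SearchBase $oidBase `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$PolicyDisplayName))" `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
    if (-not $oid) { throw "Issuance policy '$PolicyDisplayName' not found under $oidBase" }

    $group = Get-ADGroup -Identity $GroupName -Properties Members
    # Constraints documented for authentication mechanism assurance: universal scope,
    # security group, and no members of its own (membership comes only via the certificate).
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group"
    }
    if ($group.Members.Count -gt 0) {
        throw "$GroupName must have no members"
    }

    Set-ADObject -Identity $oid.DistinguishedName `
        -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    "Linked issuance policy $($oid.'msPKI-Cert-Template-OID') -> $($group.DistinguishedName)"
}

Set-IssuancePolicyGroupLink -PolicyDisplayName 'Medium Assurance' -GroupName 'Medium Access Level'

# Verification on a client after a smart-card logon (the group is absent after a
# password logon):   whoami /groups | findstr /i "Medium Access Level"
```

Because the group is empty in the directory, nothing in AD shows who can obtain it; access reviews must look at who holds certificates from the template instead.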

EFS or Encrypting File System

EFS encrypts files only on NTFS volumes (the encryption is lost when a file is copied to FAT or sent as a mail attachment). An encrypted file can be decrypted by the user who encrypted it, by any additional user whose certificate has been added to the file, and by a data recovery agent (DRA). In a domain the default DRA is the built-in domain Administrator account, whose recovery certificate is published through the Default Domain Policy; it is the DRA certificate, not the account itself, that grants recovery, so export that key and keep it offline.

Remote Desktop Gateway

The Remote Desktop Gateway role service (RD Gateway, called TS Gateway in the original Windows Server 2008 release) tunnels Remote Desktop Protocol sessions inside an HTTPS channel. RDP is encapsulated in Transport Layer Security (TLS) on TCP 443, so clients on the Internet reach internal hosts through the gateway without a VPN and without exposing TCP 3389. Who may connect is set by connection authorization policies, which internal computers they may reach by resource authorization policies, and the gateway should present a certificate the clients already trust.

This feature was introduced in Windows Server 2008 and also ships in Windows Home Server.


4 new features available in WS 2008 domain functional level:


1) Different password policy or Fine-Grained Password Policies

 In WS 2003, you can only configure one password policy for each domain. The password policies specify such things as password complexity and the maximum password age. It makes sense to use different policies depending on the rights users have.

2) DFS Replication (DFSR) for SYSVOL


DFSR can be throttled per connection and per schedule, so its bandwidth use between DCs can be tuned.

The SYSVOL share stores Group Policy templates, classic system policies (Windows NT 4.0) and the Netlogon scripts, so its replication between domain controllers must be fast and reliable. In Windows Server 2003 the File Replication Service (FRS) replicates SYSVOL. At the Windows Server 2008 domain functional level you can switch SYSVOL to DFS Replication, the replication engine introduced with Windows Server 2003 R2 (not the older DFS namespaces feature). DFSR replicates only changed blocks of a file (remote differential compression), which makes it far more efficient over low-bandwidth links, and it is more reliable and scalable than FRS. The migration is done with dfsrmig.exe through four global states, Start (0), Prepared (1), Redirected (2) and Eliminated (3); the last state removes FRS for SYSVOL and cannot be rolled back.

DFS Tips:

·         Every namespace server of a domain-based DFS namespace polls the PDC emulator (there is one per domain) for namespace changes. For large namespaces enable root scalability mode ("Optimize for scalability" in DFS Management) so namespace servers poll their closest DC instead and the PDC emulator is relieved.

·         dfsrmig.exe migrates SYSVOL from FRS to DFSR; dfsrdiag.exe is the diagnostic tool (dfsrdiag pollad makes a DC pick up a new migration state immediately, dfsrdiag syncnow forces replication of a replication group, dfsrdiag backlog shows what is still queued).

·         To prestage a new DFSR member, restore the replicated folder from a Windows Server Backup (wbadmin) of an existing member before adding it; DFSR then only verifies file hashes instead of copying every file, which saves network bandwidth.
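The four-state migration above is easy to get wrong by advancing before every DC has reached the current state. The following script is an added example, not part of the original page: it sets one global state, forces every DC to poll AD for it, and waits until dfsrmig reports that all DCs have migrated before returning. The state names and the "migrated successfully" text are the ones printed by dfsrmig.exe; the poll interval is an arbitrary choice for this example.

```powershell
# Added example, not from the original page: drive the FRS -> DFSR SYSVOL migration one
# global state at a time. Run on a DC as a Domain Admin at the WS 2008 domain functional level.
Import-Module ActiveDirectory

$states = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Wait-SysvolMigrationState {
    param([int]$State, [int]$PollSeconds = 60)
    do {
        $out  = (& dfsrmig.exe /getmigrationstate 2>&1) -join "`n"
        $done = $out -match 'All Domain Controllers have migrated successfully'
        if (-not $done) {
            Write-Host "Not every DC is at '$($states[$State])' yet; if this never completes, check AD replication (repadmin /replsummary)"
            Start-Sleep -Seconds $PollSeconds
        }
    } until ($done)
}

function Step-SysvolMigration {
    param([ValidateRange(1, 3)][int]$TargetState)
    if ($TargetState -eq 3) {
        Write-Warning 'Eliminated removes FRS for SYSVOL and cannot be rolled back.'
    }
    & dfsrmig.exe /setglobalstate $TargetState | Write-Host
    # DCs notice the new global state on their next AD poll; force it instead of waiting.
    foreach ($dc in Get-ADDomainController -Filter *) {
        & dfsrdiag.exe pollad "/member:$($dc.HostName)" | Out-Null
    }
    Wait-SysvolMigrationState -State $TargetState
}

Step-SysvolMigration -TargetState 1   # Prepared:   DFSR builds SYSVOL_DFSR, FRS still serves the SYSVOL share
Step-SysvolMigration -TargetState 2   # Redirected: the SYSVOL share now points at SYSVOL_DFSR
Step-SysvolMigration -TargetState 3   # Eliminated: FRS replication of SYSVOL is removed
```

Between Prepared and Redirected, compare the contents of SYSVOL and SYSVOL_DFSR on a few DCs; Redirected and Prepared can still be rolled back with dfsrmig /setglobalstate to the lower number, Eliminated cannot.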

3) Kerberos authentication can use the Advanced Encryption Standard (AES) with 128- and 256-bit keys

Kerberos is the protocol used for authentication when you log on to a Windows domain. Since Windows 2000, Microsoft's implementation has used RC4-HMAC for tickets and session keys, with DES-CBC-CRC and DES-CBC-MD5 kept for compatibility. At the Windows Server 2008 domain functional level the KDC also issues AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 tickets; the krbtgt account receives AES keys when the level is raised, and user and computer accounts get AES keys at their next password change.

Note that Windows XP and Windows Server 2003 do not support the AES encryption types, so a client that only offers RC4 or DES still gets RC4 or DES tickets. Which types an account accepts is recorded in its msDS-SupportedEncryptionTypes attribute (a bitmask); the Group Policy setting "Network security: Configure encryption types allowed for Kerberos" sets the same bitmask on Windows Vista, Windows Server 2008 and later systems.
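How far a domain has actually moved to AES is visible in msDS-SupportedEncryptionTypes. The following script is an added example (not from the original page) that decodes the bitmask for every user and computer account and flags accounts that still allow DES or have no AES type. The bit values are those documented for the attribute; the USE_DES_KEY_ONLY flag in userAccountControl (0x200000) is checked as well because it forces DES regardless of the bitmask.

```powershell
# Added example, not from the original page: report Kerberos encryption types per account.
Import-Module ActiveDirectory

$encFlags = @{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function Get-KerberosEncTypeReport {
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties 'msDS-SupportedEncryptionTypes', userAccountControl, objectClass |
    ForEach-Object {
        $o = $_
        $v = $o.'msDS-SupportedEncryptionTypes'
        # Unset means "KDC defaults": RC4-HMAC only. Vista/2008 and later computers set the
        # attribute themselves (RC4 + AES128 + AES256 = 0x1C) when they join or change password.
        $names = if ($v) {
            @($encFlags.Keys | Sort-Object | Where-Object { $v -band $_ } | ForEach-Object { $encFlags[$_] })
        } else { @('(unset: RC4 default)') }
        $desOnly = ($o.userAccountControl -band 0x200000) -ne 0      # USE_DES_KEY_ONLY
        $finding = if ($desOnly -or ($v -band 0x03)) { 'DES allowed' }
                   elseif ($v -and -not ($v -band 0x18)) { 'no AES' }
                   elseif (-not $v -and $o.objectClass -eq 'user') { 'RC4 only (default)' }
                   else { 'ok' }
        New-Object PSObject -Property @{
            Name = $o.Name; Class = $o.objectClass; EncTypes = ($names -join ','); Finding = $finding
        }
    }
}

Get-KerberosEncTypeReport | Where-Object { $_.Finding -ne 'ok' } |
    Format-Table Name, Class, EncTypes, Finding -AutoSize
```

Service accounts that carry SPNs and still show "RC4 only" are the ones whose tickets can be taken offline and cracked most cheaply, so they are the first to move to AES (a password change after setting the attribute is what creates the AES key).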

4) Last interactive logon information

Some of these attributes are already available at the Windows Server 2003 functional level. You can read them in Windows Server 2003 with ADSI Edit or by registering acctinfo.dll (regsvr32 acctinfo.dll) from the Account Lockout and Management Tools, which adds a tab to Active Directory Users and Computers showing last logon time and last bad logon. What the Windows Server 2008 domain functional level adds is that the information can be shown to users on the desktop right after they log on: the last successful interactive logon, the workstation it came from, and the number of failed attempts since then. This works only on Windows Vista and Windows Server 2008 (and later) computers. You enable it with Group Policy:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon

Caveats: with the policy enabled every DC writes the msDS-LastSuccessfulInteractiveLogonTime, msDS-LastFailedInteractiveLogonTime, msDS-FailedInteractiveLogonCount and msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon attributes at each logon, and they replicate, so expect extra replication traffic. If the policy is enabled while the domain is still below the Windows Server 2008 functional level, the affected computers refuse interactive logons with an error, so raise the level first.
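The same four attributes can be read from a script, which is useful for an investigation when the user did not notice the warning on the logon screen. The following function is an added example, not from the original page; it assumes the policy above is enabled, the Windows Server 2008 R2 Active Directory module, and a placeholder user name. The attributes are FILETIME integers, hence the conversion.

```powershell
# Added example, not from the original page: read the last-interactive-logon attributes
# that DCs populate when the "Display information about previous logons" policy is on.
Import-Module ActiveDirectory

function Get-LastInteractiveLogonInfo {
    param([Parameter(Mandatory = $true)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-LastSuccessfulInteractiveLogonTime',
        'msDS-LastFailedInteractiveLogonTime', 'msDS-FailedInteractiveLogonCount',
        'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    # FILETIME (100 ns ticks since 1601) -> local DateTime; null stays null.
    $toDate = { param($ft) if ($ft) { [DateTime]::FromFileTime($ft) } else { $null } }

    # The count shown to the user is the difference between the running failure counter
    # and its value at the last successful logon.
    $failedSince = [int]$u.'msDS-FailedInteractiveLogonCount' -
                   [int]$u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    New-Object PSObject -Property @{
        User                 = $u.SamAccountName
        LastSuccess          = & $toDate $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailure          = & $toDate $u.'msDS-LastFailedInteractiveLogonTime'
        FailuresSinceSuccess = $failedSince
    }
}

Get-LastInteractiveLogonInfo -Identity 'jdoe' |
    Format-List User, LastSuccess, LastFailure, FailuresSinceSuccess
```

Unlike lastLogon, these attributes replicate, so any DC gives the same answer; a burst of failures followed by a success from an unusual time is the pattern worth correlating with the 4625/4624 events on the DC.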

AD Federation trust in WS 2008

Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.

By using the export and import features that are included with AD FS in Windows Server 2008, administrators can simply export their trust policy settings to an .xml file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings, and other values and the verification certificates that are necessary to create a federated trust between the two partner organizations.


In AD FS terms, a relying party trust is the configuration object on your federation server that describes the application (or partner) that consumes your tokens: its endpoint URLs, the claims to issue to it and the certificates used to sign and, optionally, encrypt them. Together with the matching claims provider trust on the other side it forms the secure channel through which signed authentication tokens pass between your organization and the application to provide single sign-on.

Account store in federation service WS 2008 and WS 2008 R2

Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. The Federation Service uses LDAP to communicate with account stores. AD FS supports the following two account stores:

  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)

AD FS works with both enterprise-wide deployments of AD DS or instances of AD LDS. When it works with AD DS, AD FS can take advantage of the strong authentication technologies in AD DS, including Kerberos, X.509 digital certificates, and smart cards. When it works with AD LDS, AD FS uses LDAP Bind as a means to authenticate users.

Name suffix routing trust

The name suffix routing is available since WS 2003. Name suffix routing is a mechanism that is used to manage how authentication requests are routed across WS 2003/2008 forests that are joined by forest trusts. To simplify the administration of authentication requests, when a forest trust is created, all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a user principal name (UPN) suffix, service principal name (SPN) suffix, or Domain Name System (DNS) forest or domain tree name that is not subordinate to any other name suffix. For example, the DNS forest name is a unique name suffix within the forest.

You can enable or disable routing of an existing name suffix on the Name Suffix Routing tab of the trust's properties in Active Directory Domains and Trusts (the New Trust Wizard offers the same choice when the trust is created), or with netdom trust /namesuffixes to list suffixes and /togglesuffix to change one. Disabling routing of a suffix is also how you stop a partner forest from being asked to authenticate a UPN suffix it should not own.

Pros and cons of DNS Active Directory integration

Compared with a standard (file-backed) primary zone on the same server:

Security

 - AD-integrated: based on AD security. You can edit the ACL on the dnsZone object, or on an individual dnsNode (resource record), for granular control over who may change what, and secure dynamic update (only a record's owner may change it) is available.

 - Standard: the zone file is protected only by NTFS permissions on the server; dynamic updates are either off or accepted from anyone.

Update model and single point of failure

 - AD-integrated: multimaster. Any authoritative DNS server that runs on a domain controller is a primary for the zone, because the master copy is kept in the Active Directory database, which is replicated to all domain controllers, so the zone can be updated at any of them.

 - Standard: single-master. The primary server maintains the master copy of the zone in a local file; if it is down, no updates are possible.

Replication

 - AD-integrated: zones are replicated and synchronized to new domain controllers automatically whenever one is added to the domain, and directory replication (per-attribute, compressed between sites) is faster and more efficient than standard DNS zone transfer.

 - Standard: a new zone must be configured by hand on every secondary, and replication is full or incremental zone transfer (AXFR/IXFR), which is slower.

Installation

 - AD-integrated: simple; the DNS server reads its zone settings from AD and the registry.

 - Standard: more manual configuration on each server.

Secondary zones

 - AD-integrated: the multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

 - Standard: secondary zones are the only way to get redundancy.



AD tip: To check the size of the AD database, look at the properties of %systemroot%\NTDS\ntds.dit (the location can be moved; the current path is recorded as "DSA Database file" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters).

AD Tip: Universal Group Membership Caching is enabled per site, on the site's NTDS Site Settings object.

DNS record ownership and the DnsUpdateProxy group

As previously described, you can configure a DHCP server so that it dynamically registers host (A) and pointer (PTR) resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic update with DNS servers might cause stale resource records.

For example, suppose the following sequence of events occurs:

  1. A DHCP server running Windows Server 2003 (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
  2. Because the DHCP server successfully created the name, it becomes the owner of the name.
  3. Once the DHCP server becomes the owner of the name, only that DHCP server can update the DNS records for that name.

In some circumstances, this can cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the second server cannot update the client name because it is not the owner of the name.

In another example, if the DHCP server performs DNS dynamic updates for legacy DHCP clients (clients running a version of Windows earlier than Windows 2000), and those clients are later upgraded to Windows 2000, Windows XP, or a Windows Server 2003 operating system, the upgraded client cannot take ownership of or update its own DNS records.

To solve this problem, the built-in security group called DnsUpdateProxy is provided. If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of one server can be updated by another server if the first server fails. Also, because the objects created by members of the DnsUpdateProxy group are not secured, the first user (that is not a member of the DnsUpdateProxy group) to modify the set of records associated with a DNS name becomes its owner. When legacy clients are upgraded, they can therefore take ownership of their name records at the DNS server. If every DHCP server registering resource records for legacy clients is a member of the DnsUpdateProxy group, the problems discussed earlier are eliminated.

The security cost is that every record written by a DnsUpdateProxy member is unsecured, so any authenticated user can overwrite it and point a hostname at another machine. Two rules follow. Never put a DHCP server that runs on a domain controller into DnsUpdateProxy: the DC's own records, including its SRV records, would then be registered unsecured as well. And on Windows Server 2008, instead of relying on the group, give the DHCP server a dedicated low-privilege account for dynamic updates (netsh dhcp server set dnscredentials <user> <domain> <password>, or the Advanced tab of the IPv4 properties); records are then owned by that account and stay secure, and configuring the same account on every DHCP server keeps failover working. Windows Server 2008 R2 adds DHCP Name Protection (DHCID records) on top of that, so one client cannot register a name another client already holds.
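Whether a zone already contains such unsecured records can be checked directly, because in an AD-integrated zone every record is a dnsNode object with an ACL. The following script is an added example (not from the original page): it walks a zone in the DomainDnsZones partition and reports records that Authenticated Users or Everyone may write, together with the owner. The zone name is a placeholder; the partition parameter has to match where the zone is stored (ForestDnsZones or the domain partition for older zones).

```powershell
# Added example, not from the original page: find DNS records in an AD-integrated zone
# that any authenticated user can overwrite (the DnsUpdateProxy side effect).
Import-Module ActiveDirectory

function Get-UnsecuredDnsNodes {
    param(
        [string]$Zone = 'corp.example.com',                                         # placeholder
        [string]$PartitionDN = 'DC=DomainDnsZones,' + (Get-ADDomain).DistinguishedName
    )
    $zoneDN = "DC=$Zone,CN=MicrosoftDNS,$PartitionDN"
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, Delete'

    Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        $node = $_
        $sd = $node.nTSecurityDescriptor          # System.DirectoryServices.ActiveDirectorySecurity
        $broad = @($sd.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '^(NT AUTHORITY\\Authenticated Users|Everyone)$' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
        })
        if ($broad.Count -gt 0) {
            New-Object PSObject -Property @{
                Record  = $node.Name
                Owner   = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
                Writers = (($broad | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join '; ')
            }
        }
    }
}

Get-UnsecuredDnsNodes | Format-Table Record, Owner, Writers -AutoSize
```

A record owned by a DC's computer account that shows up here is the sign that the DC itself was (or is) in DnsUpdateProxy; records owned by the dedicated DHCP credentials account should not appear at all.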

DNS Tip: Use the DNSLint command-line utility to diagnose common DNS issues such as missing or wrong AD DS record registrations (dnslint /ad /s <DC address> checks the SRV and CNAME records a domain controller needs for replication and logon).

DNSLint is a standalone free tool that you can download from Microsoft.

Active Directory Diagnostics data collector set

The built-in Active Directory Diagnostics data collector set (Performance Monitor, Data Collector Sets, System) records performance counters, AD tracing and registry data for five minutes by default and renders a report. It serves a variety of purposes, from performance tuning to finding which clients and queries load a DC most: the report lists the top LDAP callers and the expensive and inefficient searches. Start it from Performance Monitor, then open the result under Reports, System.

This is separate from event forwarding. To collect DC events centrally, the Windows Event Collector service must be running on the collecting server; in Event Viewer right-click Subscriptions, click Create Subscription, select Collector initiated and follow the wizard.


DNS Tip: DNSSEC support (RFC 4033 to 4035, offline signing with dnscmd /OfflineSign, static zones only, no dynamic update of a signed zone) arrived in WS 2008 R2, so every DNS server that hosts a signed zone has to be WS 2008 R2, and clients that must validate responses through the Name Resolution Policy Table have to be Windows 7 or WS 2008 R2.

AD application directory partition

An application directory partition is a directory partition that is replicated only to specific domain controllers.

This differs from a domain directory partition in which data is replicated to all domain controllers in that domain. Storing application data in an application directory partition instead of in a domain directory partition may reduce replication traffic because the application data is only replicated to specific domain controllers. Some applications may use application directory partitions to replicate data only to servers where the data will be locally useful.

A DC that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running WS 2003 or later can host a replica of an application directory partition.

Applications (like DNS service) and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals.

Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

AD tip: To replicate a custom attribute to the global catalog (so that it can be searched from any domain), open the Active Directory Schema snap-in, find the attribute under Attributes, and tick "Replicate this attribute to the Global Catalog" (this sets isMemberOfPartialAttributeSet on the attributeSchema object). Only a member of Schema Admins can do this, the change is written on the schema master, and on WS 2003 or later adding an attribute to the partial attribute set no longer triggers a full GC resynchronization.

The Schema snap-in is not listed in the MMC Add/Remove Snap-in dialog until you register it: on a DC, or on a machine with the AD DS tools (RSAT) installed, run regsvr32 schmmgmt.dll from an elevated command prompt.

Disabling AutoSiteCoverage Registration in DNS

A situation that requires explicit configuration of SRV records arises when a site has no domain controller, either because no users there need constant logon access or because replication to the site would be too expensive or too slow. To ensure that a domain controller can be located in the site closest to a client (if not in the same site), Windows 2000 and later automatically try to register a domain controller for every site by using the "AutoSiteCoverage" algorithm. The algorithm determines how one site can "cover" another site when no domain controller exists in the second site. By default, the process uses the replication topology (site link costs).

The algorithm works as follows. Each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its site has the lowest-cost connections. This process ensures that every site has a domain controller even though its domain controller may not be located in that site. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).

In the branch office scenario, any computer from other sites should not discover branch office domain controllers. A client should always communicate with a local domain controller, and if that is not available, use a domain controller in the hub site. To achieve this:

1. Disable AutoSiteCoverage on all of the domain controllers, hub domain controllers as well as branch domain controllers.

2. On branch domain controllers, do not register the generic (non-site-specific) DC Locator records, using the DnsAvoidRegisterRecords Netlogon registry value or the "DC Locator DNS records not registered by the DCs" Group Policy setting, so that the generic records point only at hub domain controllers.

If both of these configurations (1. and 2.) are performed, then all-site clients will discover the local domain controller if it is available, or its hub domain controller (if no local domain controller is available).

In the unusual scenario when a site with a domain controller for some domain is closer to another site than the central hub, the administrator has the ability to configure that domain controller with the specific ("close") sites to be covered using the following registry values: SiteCoverage, GcSiteCoverage. Alternatively, the administrator can use the following Group Policy settings:

Sites Covered by the domain controller Locator DNS SRV Records

Sites Covered by the global catalog server Locator DNS SRV Records

Sites Covered by the NDNC Locator DNS SRV Records

However, physical proximity or network performance are not the only criteria. If firewalls or dial-on-demand lines do not allow traffic in this direction, incorrectly applied site-coverage will be bad for clients, since they will fall back to an unreachable domain controller, and not to the hub.

AD Branch Office Tip: If you want users in a branch office that has no DC to authenticate only against the DCs in the main office, set the Netlogon registry value AutoSiteCoverage (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, REG_DWORD) to 0 on all DCs, so that no nearby branch DC advertises itself for that site, and make sure only hub DCs register the generic records that clients fall back to.
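The three policy settings above and the branch office procedure all resolve to a handful of Netlogon registry values. The following script is an added example, not part of the original page: it applies them on a DC, with a switch for the branch role, and restarts Netlogon so the DNS records are re-registered. The registry path and value names are the documented Netlogon parameters; the list of record mnemonics is the one I would start from for a branch DC (it covers the generic, non-site records) and should be compared with the explanation text of the "DC Locator DNS records not registered by the DCs" policy for your version.

```powershell
# Added example, not from the original page: Netlogon site coverage settings for a DC.
# Run on each DC as an administrator; names of sites are placeholders.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSiteCoverage {
    param(
        [switch]$BranchDC,
        [string[]]$CoverSites   = @(),   # explicit sites this DC should advertise in, if any
        [string[]]$CoverGcSites = @()
    )
    # 1. No automatic coverage of DC-less sites (hub and branch DCs alike).
    Set-ItemProperty -Path $nl -Name AutoSiteCoverage -Value 0 -Type DWord

    if ($BranchDC) {
        # 2. A branch DC registers only its site-specific records, so clients in other
        #    sites (and DC-less sites) fall back to hub DCs, never to this one.
        $generic = 'Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'GenericGc',
                   'Kdc', 'Dc', 'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
        Set-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -Value $generic -Type MultiString
    }

    # 3. Optional explicit coverage for the "unusual" close site, replacing the algorithm.
    if ($CoverSites.Count -gt 0)   { Set-ItemProperty -Path $nl -Name SiteCoverage   -Value $CoverSites   -Type MultiString }
    if ($CoverGcSites.Count -gt 0) { Set-ItemProperty -Path $nl -Name GcSiteCoverage -Value $CoverGcSites -Type MultiString }

    Restart-Service Netlogon   # re-registers the DC Locator records with the new settings
}

# Branch DC that should never be found by other sites:
Set-DcSiteCoverage -BranchDC
# Hub DC that explicitly covers one nearby DC-less site:
# Set-DcSiteCoverage -CoverSites 'Branch-NoDC' -CoverGcSites 'Branch-NoDC'

# Verify from any member: which DC now answers for the DC-less site?
#   nltest /dsgetdc:corp.example.com /site:Branch-NoDC
```

Check the result from a client in the DC-less site, not from the DC: the nltest query shows the DC that the locator actually returns, which is what matters when a firewall or dial-on-demand link makes the "closest" DC unreachable.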


AD trust Tip: A trust between a domain in one forest and a domain in another forest, without a forest trust, is an external trust: nontransitive, and created as incoming, outgoing or two-way depending on whose users need access. Direction follows the resources: the trusting domain holds the resources and the trusted domain holds the accounts, so for users of the other forest to reach resources in your domain you create the trust as outgoing from your domain, which is incoming on theirs.

Application Directory Tip: An application directory partition can be created with ntdsutil (partition management, create nc) or with the LDP tool by adding an object with objectClass domainDNS and instanceType 5; either way you must be a member of Enterprise Admins.
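The two passages above, the description of application directory partitions and the tip on creating one, are served by the following added example (not from the original page). It creates a partition with ntdsutil and then lists every application partition in the forest with the DCs that host replicas, read from msDS-NC-Replica-Locations on the crossRef objects. The partition name and the server are placeholders; the ntdsutil menu names are those of Windows Server 2008.

```powershell
# Added example, not from the original page: create and enumerate application directory partitions.
Import-Module ActiveDirectory

function New-AppPartition {
    param([string]$PartitionDN, [string]$Server)
    # "partition management" is the WS 2008 ntdsutil menu (WS 2003 called it "domain management").
    # NULL means "no description object"; each argument is one ntdsutil command.
    & ntdsutil.exe 'partition management' 'connections' "connect to server $Server" 'quit' `
                   "create nc $PartitionDN NULL" 'quit' 'quit'
}

function Get-AppPartition {
    $root = Get-ADRootDSE
    $partitions = "CN=Partitions,$($root.configurationNamingContext)"
    Get-ADObject -SearchBase $partitions -SearchScope OneLevel -LDAPFilter '(objectClass=crossRef)' `
                 -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations' |
    Where-Object {
        # FLAG_CR_NTDS_NC (1) set and FLAG_CR_NTDS_DOMAIN (2) clear = a non-domain naming
        # context; drop the schema and configuration partitions, which also match that.
        ($_.systemFlags -band 3) -eq 1 -and
        $_.nCName -ne $root.configurationNamingContext -and
        $_.nCName -ne $root.schemaNamingContext
    } |
    ForEach-Object {
        $c = $_
        New-Object PSObject -Property @{
            Partition = $c.nCName
            Replicas  = (@($c.'msDS-NC-Replica-Locations' | ForEach-Object {
                            # value is the DN of a DC's NTDS Settings object:
                            # CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,...  -> DC1
                            ($_ -split ',')[1] -replace '^CN='
                        }) -join ', ')
        }
    }
}

New-AppPartition -PartitionDN 'DC=app,DC=corp,DC=example,DC=com' -Server 'DC1'   # placeholders
Get-AppPartition | Format-Table Partition, Replicas -AutoSize
```

In a default forest the listing shows DomainDnsZones and ForestDnsZones with every DNS-hosting DC as replica; a custom partition with a single replica is a single point of failure for whatever application stores data in it.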

 AD FSMO Roles explained and best practice



Rules and best practice

PDC Emulator 

- needed where Windows NT 4.0 BDCs are present, because it emulates a Windows NT 4.0 PDC for them; it is also the target of password changes from down-level clients

- is the authoritative time source of its domain; the PDC emulator of the forest root domain is the root of the time hierarchy and should be synchronized to an external source

- is the DC that the Group Policy editor and GPMC connect to by default, so all GPO edits land there first

- the SYSVOL share exists on every DC; the PDC emulator is only the preferred place to edit it and the authority for the FRS-to-DFSR migration

- receives every password change by urgent replication and is consulted by other DCs when a logon fails with the local copy, so account lockout decisions are made there

- One per domain

- It is recommended to put the RID and PDC emulator roles on the same DC for performance reasons

RID Master 

- monitors the pool of unused relative IDs (RIDs) for the domain and prevents this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user, group or computer account), because the SID of the new security principal is constructed by combining the domain SID with a unique RID taken from the pool

- One per domain.

- It is recommended to put RID and PDC Emulator together for the performance reason

Infrastructure Master 

- ensures that cross-domain object references (phantoms) stay correct, for example the name and DN of a user from another domain who is a member of a group in this domain: it compares them with a GC and replicates the corrections.

- Not needed if you have a single domain. Rarely busy.

- Never place it on a GC, unless every DC in the domain is a GC (then there are no phantoms to update and placement does not matter).

Schema Master

- the only DC that accepts schema changes; from there they replicate to every other domain controller in the forest

- One per forest, rarely used.

- A recommended security practice is to keep the Schema Admins group empty and add an account only for the duration of a schema change; the role holder itself needs no special isolation

Domain Naming Master 

- processes all changes to the forest namespace: adding or removing domains, and creating or removing application directory partitions and their crossRef objects.

- One per forest, very rarely used. Since Windows Server 2003 it no longer has to be a GC (on Windows 2000 it did); Microsoft's guidance is to keep it on the same DC as the schema master, usually in the forest root domain

Global catalog

- stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest.

- Resolves user principal names (UPN) at logon and supplies universal group membership in a multiple-domain forest; a DC that cannot reach a GC refuses domain logons unless Universal Group Membership Caching is enabled for its site (cached credentials aside).

- When a DC holds a directory object with an attribute that contains a reference to an object in another domain, the infrastructure master validates the reference by contacting a Global Catalog server


- In a single-domain forest the GC holds nothing extra, so every DC can be a GC at no cost (some applications, Exchange for example, require one anyway)

- Needs to be in the same site as the infrastructure master, as a direct replication partner, but not on the same DC

- The first DC of the forest root domain is a GC by default; every site should have either a GC or Universal Group Membership Caching

- GC replication and lookups can be heavy on WAN links. The alternative for small sites is Universal Group Membership Caching


AD tip: As a general rule, the infrastructure master should be placed on a DC that is not a GC but has a direct connection object to a GC, preferably in the same Active Directory site. Because a GC holds a partial replica of every object in the forest, an infrastructure master that is also a GC never updates anything: it holds no phantom references to objects it does not contain, so stale cross-domain references on the other DCs of the domain are never corrected. The rule is moot when all DCs in the domain are GCs or the forest has a single domain.
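The placement rules above can be checked rather than remembered. The following script is an added example (not from the original page) that reports the holder of each FSMO role and applies the infrastructure master test per domain: it is a finding only when the infrastructure master is a GC while other DCs in the domain are not, and a warning when no other GC sits in its site. It assumes the Windows Server 2008 R2 Active Directory module and a forest where the running account can query every domain.

```powershell
# Added example, not from the original page: FSMO holders and infrastructure master placement check.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest = Get-ADForest
    New-Object PSObject -Property @{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Note = 'forest-wide' }
    New-Object PSObject -Property @{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Note = 'forest-wide' }

    foreach ($name in $forest.Domains) {
        $d   = Get-ADDomain -Identity $name
        $dcs = @(Get-ADDomainController -Filter * -Server $name)
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $im  = Get-ADDomainController -Identity $d.InfrastructureMaster -Server $name
        $gcInSite = $dcs | Where-Object { $_.IsGlobalCatalog -and $_.Site -eq $im.Site -and $_.HostName -ne $im.HostName }

        $note = if ($forest.Domains.Count -eq 1) { 'single-domain forest: placement irrelevant' }
                elseif ($allGc)                   { 'all DCs are GCs: placement irrelevant' }
                elseif ($im.IsGlobalCatalog)      { 'PROBLEM: IM is a GC; cross-domain references will never be updated' }
                elseif (-not $gcInSite)           { 'WARNING: no GC in the IM site; phantom updates wait for intersite replication' }
                else                              { 'ok' }

        New-Object PSObject -Property @{ Role = 'PDCEmulator';          Holder = $d.PDCEmulator;          Note = "$name; time source of the domain" }
        New-Object PSObject -Property @{ Role = 'RIDMaster';            Holder = $d.RIDMaster;            Note = $name }
        New-Object PSObject -Property @{ Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster; Note = "$name; $note" }
    }
}

Test-FsmoPlacement | Format-Table Role, Holder, Note -AutoSize
```

Run it after every DC decommission: the roles of a demoted DC are transferred only if the demotion was clean, and a seized role that still shows the old name here means replication has not caught up.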



AppLocker, like the Software Restriction Policies (SRP) of Windows XP and Windows Server 2003, prevents users from running specific applications. It is a new feature in WS 2008 R2 and Windows 7 (Enterprise and Ultimate editions) that supersedes SRP; SRP still exists, but when both are configured on a Windows 7 computer only the AppLocker rules are enforced. AppLocker depends on the Application Identity service (AppIDSvc) for rule enforcement: if the service is not running, no rules are applied. AppLocker features:

  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version, so a rule survives application upgrades.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules.
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it; the events appear under Applications and Services Logs\Microsoft\Windows\AppLocker.
  • Import and export rules. If you import a policy, the existing policy is overwritten.
  • PowerShell cmdlets for AppLocker (Import-Module AppLocker).

Keep the rule collections (executable, Windows Installer, script, DLL) in mind: as soon as a collection contains one rule, everything in that collection that is not explicitly allowed is blocked, so always generate the default rules for %WINDIR% and %PROGRAMFILES% and run in audit-only mode first.


SRP and AppLocker neck to neck:

Feature                                  | SRP (Software Restriction Policies)                          | AppLocker
Rule scope                               | Specific user or group (per GPO)                             | Specific user or group (per rule)
Rule conditions provided                 | File hash, path, certificate, registry path, Internet zone   | File hash, path, publisher
Rule types provided                      | Allow and deny                                               | Allow and deny
Default rule action                      | Unrestricted (allow all) or Disallowed, chosen per GPO       | Implicit deny: once a rule collection has rules, files not explicitly allowed are blocked
Audit-only mode                          | No                                                           | Yes
Wizard to create multiple rules at once  | No                                                           | Yes
Policy import or export                  | No                                                           | Yes
Rule collection                          | No                                                           | Yes (executable, Windows Installer, script, DLL)
PowerShell support                       | No                                                           | Yes
Custom error messages                    | No                                                           | Yes
Supported OS                             | Windows XP and Windows Server 2003 and later                  | Windows 7 (Enterprise/Ultimate) and WS 2008 R2
Domain GPO dependent                     | No: local security policy or domain GPO                      | No: local security policy or domain GPO







Applocker Tips:

  • A publisher rule checks the signature, not the clock: a binary is still considered signed as long as its signature carries a timestamp that falls within the validity period of the signing certificate and of the timestamping certificates in the chain. An application that was signed without a timestamp is blocked once its certificate expires, because the signature can no longer be validated.
  • To detect rule conflicts you can use the Windows PowerShell cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy to check whether specific files are allowed based on an AppLocker policy.
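The feature list above and the tip on Get-AppLockerPolicy and Test-AppLockerPolicy are both covered by the following added example, which is not from the original page. It builds publisher rules (hash rules for unsigned files) from what is installed, switches every collection to audit-only, merges the result into a domain GPO and then tests a downloaded binary against the effective policy. Directory, GPO path, file and user are placeholders; the cmdlets and parameters are those of the AppLocker module shipped with Windows Server 2008 R2.

```powershell
# Added example, not from the original page: baseline AppLocker policy in audit mode, plus a rule test.
Import-Module AppLocker

# 1. Rules from the installed software: publisher rule where a file is signed, hash rule otherwise.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                              -User Everyone -Optimize -RuleNamePrefix Baseline

# 2. AuditOnly first: the AppLocker event log then shows what *would* have been blocked.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }
$policy.ToXml() | Out-File 'C:\policies\applocker-baseline.xml' -Encoding UTF8

# 3. Merge into the GPO (clients need the Application Identity service running).
Set-AppLockerPolicy -XmlPolicy 'C:\policies\applocker-baseline.xml' -Merge `
    -Ldap 'LDAP://DC1.corp.example.com/CN={GUID},CN=Policies,CN=System,DC=corp,DC=example,DC=com'

# 4. Would this file run for this user under the policy in effect? This is how rule
#    conflicts surface: a deny rule always wins over an allow rule for the same file.
Get-AppLockerPolicy -Effective -Xml | Out-File 'C:\policies\effective.xml' -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy 'C:\policies\effective.xml' `
                     -Path 'C:\Users\jdoe\Downloads\tool.exe' -User 'corp\jdoe' |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Leave the policy in audit mode until the EXE and DLL event logs on a representative set of machines show no "would have been blocked" events for legitimate software; DLL rules in particular need a long observation period because every loaded library is checked.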


Windows Server 2008 Backup and VHD file format

In WS 2008, Windows Server Backup writes backups as .VHD files rather than the .BKF files of NTBackup. You cannot simply attach such a VHD to Hyper-V and boot from it: it contains the backed-up volumes but no boot configuration, and bare-metal restore still goes through the Windows Recovery Environment (wbadmin start sysrecovery). You can, however, mount the backup VHD as a volume, in Virtual Server or, on Windows Server 2008 R2 and Windows 7, natively with Disk Management (Attach VHD) or diskpart (select vdisk file=..., attach vdisk readonly). This gives administrators a very easy way of extracting individual files from a backup set; attach it read-only so the backup itself is never modified.

GPO Replication Tip: To check whether a GPO has replicated to every DC, compare on each DC the versionNumber attribute of its container



                CN={GUID},CN=Policies,CN=System,DC=domainname,DC=com

with the Version line of gpt.ini under \\<DC>\SYSVOL\<domain>\Policies\{GUID}. The AD part travels by directory replication and the SYSVOL part by FRS or DFSR, so the two can be out of step on a DC for a while; gpotool.exe performs the same comparison from the command line.
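The comparison described in the tip, as an added example that is not part of the original page: for one GPO it reads versionNumber from every DC and the Version value from that DC's SYSVOL copy of gpt.ini, and splits the AD value into its user and computer halves. It assumes the Windows Server 2008 R2 Active Directory module; the default GUID is that of the Default Domain Policy.

```powershell
# Added example, not from the original page: is this GPO consistent on every DC?
Import-Module ActiveDirectory

function Test-GpoReplication {
    param([string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}')   # Default Domain Policy
    $domain = Get-ADDomain
    $dn = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in Get-ADDomainController -Filter *) {
        $ad = (Get-ADObject -Identity $dn -Server $dc.HostName -Properties versionNumber).versionNumber

        # gpt.ini holds "[General]" and "Version=<n>"; read it from this DC's own SYSVOL copy.
        $ini  = Get-Content "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini" -ErrorAction SilentlyContinue
        $line = $ini | Where-Object { $_ -match '^Version=' }
        $sysvol = if ($line) { [int]($line -replace '^Version=') } else { $null }

        # versionNumber packs two counters: user version in the high 16 bits, computer in the low 16.
        New-Object PSObject -Property @{
            DC          = $dc.HostName
            AD_Version  = $ad
            AD_User     = [int][math]::Floor($ad / 65536)
            AD_Computer = ($ad -band 0xFFFF)
            Sysvol      = $sysvol
            InSync      = ($ad -eq $sysvol)
        }
    }
}

Test-GpoReplication | Format-Table DC, AD_Version, AD_User, AD_Computer, Sysvol, InSync -AutoSize
```

A DC where AD_Version is ahead of Sysvol has received the directory change but not the SYSVOL files yet; a DC where both lag behind the PDC emulator has a directory replication problem, which repadmin /replsummary will confirm.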

AD WS 2008 R2 Tip (optional features such as the Recycle Bin): first raise the forest functional level of your AD DS forest or AD LDS configuration set to Windows Server 2008 R2, which in turn requires all forest DCs, or all servers that host instances of the AD LDS configuration set, to run WS 2008 R2. Then use the Enable-ADOptionalFeature cmdlet, for example Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest root domain>. Enabling an optional feature is irreversible.



Knowledge Consistency Checker (KCC)

Used since Windows 2000 for controlling directory replication between DCs within a site. The KCC logically links a site's DCs into a ring topology, which defines the paths that directory updates travel from one domain controller to another. It does this by creating connection objects, each representing a unidirectional path from one domain controller to another. These connection objects live under the NTDS Settings object of each server, visible in the Active Directory Sites and Services administrative tool. Administrators can also create additional intrasite or intersite connection objects to control directory replication, but it is usually better to let the KCC do this automatically, because manual connection objects are never adjusted when the topology changes.

The ring topology generated by the KCC ensures a minimum of two replication paths between domain controllers so that if one domain controller is down, replication can continue. In this topology, a directory replication update travels from one domain controller to any other domain controller in the same site in three or fewer “hops.” When a domain controller is added to or removed from a site, the KCC generates a new topology.

AD remote monitoring tip: Reading a remote DC's event log with Event Viewer (Connect to another computer) or Get-WinEvent -ComputerName uses RPC, so the DC needs the "Remote Event Log Management" firewall rule group enabled and your account in its Event Log Readers group (or an administrator). WinRM is what event subscriptions and PowerShell remoting use: run winrm quickconfig on the DC (the event source) and wecutil qc on the collecting server before you create a collector-initiated subscription.


Active Directory Rights Management Services in WS 2008

The role consists of a server that handles certificates and licensing, a database server, and the AD RMS client. The current AD RMS client is included in the Windows 7 and Windows Vista operating systems. Deploying AD RMS provides the following benefits to an organization:

  • Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.
  • Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
  • Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

AD RMS provides developer tools and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.

Features in AD RMS

By using Server Manager, you can set up the following components of AD RMS:

  • Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the AD RMS components used to publish and consume rights-protected content.
  • Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services.
  • Microsoft Federation Gateway Support . The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to use.

AD RMS software considerations

·         Windows Server 2008 R2 operating system

·         Internet Information Services (IIS)

·         AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a remote server

·         Active Directory Domain Services forest

Active Directory Recycle Bin in WS 2008 R2

This guide provides step-by-step instructions and background information for enabling and using the Active Directory® Recycle Bin feature in the Windows Server® 2008 R2 operating system.

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.

AD WS 2008 Recycle Bin Tip - By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2. After you set the forest functional level of your environment to Windows Server 2008 R2, you can use the instructions in this guide to enable Active Directory Recycle Bin.

In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
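The forest-level check, the (irreversible) enable step and a restore of a deleted user, as an added example using the Active Directory module; this is not code from the original notes, and the domain contoso.com and the user jsmith are placeholder names.

```powershell
# Added example: enable AD Recycle Bin and restore a deleted user object.
# Assumes the Active Directory PowerShell module (WS 2008 R2) and Enterprise
# Admins rights; contoso.com / jsmith are placeholders, not real names.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Recycle Bin requires the forest functional level Windows Server 2008 R2,
# which in turn requires every DC in the forest to already run WS 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Write-Warning "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    return
}

$feature = Get-ADOptionalFeature -Filter { name -like "Recycle Bin Feature" }
if (-not $feature.EnabledScopes) {
    # Enabling cannot be undone, so keep the confirmation prompt instead of
    # scripting past it with -Confirm:$false.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm
}

# Deleted objects are only returned when -IncludeDeletedObjects is given;
# lastKnownParent tells you where the object lived before deletion.
$deleted = Get-ADObject -Filter { sAMAccountName -eq "jsmith" -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent

if ($deleted) {
    # Restore-ADObject puts the object back under lastKnownParent. If that
    # container was deleted too, restore the container first, then the user.
    Restore-ADObject -Identity $deleted.ObjectGUID
    # Group memberships and other link-valued attributes come back with it.
    Get-ADUser jsmith -Properties memberOf | Select-Object Name, Enabled, memberOf
} else {
    Write-Host "No deleted object with sAMAccountName jsmith found."
}
```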


LDIF and LDIFDE

The LDAP Data Interchange Format (LDIF) is a file format used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. A command-line utility called LDIFDE, included since Windows 2000, performs these batch operations based on the LDIF file format standard and can also be used to migrate directory data.
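A batch "add" plus "modify" run through LDIFDE, followed by an export of the same OU, as an added example that is not part of the original notes; the OU=Staff container, CN=Staff Group and the domain contoso.com are assumed placeholders.

```powershell
# Added example (not from the original notes): batch add + modify with LDIFDE.
# Assumes a domain-joined WS 2008 host, an existing OU=Staff and CN=Staff Group,
# and the placeholder domain contoso.com; adjust the DNs for your own forest.
$ldfPath = Join-Path $env:TEMP 'staff-batch.ldf'

# Two LDIF records: "add" creates the user, "modify" appends it to a group.
# userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE, so the new account
# stays disabled until a password is set and it is enabled deliberately.
$ldif = @"
dn: CN=Test User,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: user
cn: Test User
sAMAccountName: tuser
userPrincipalName: tuser@contoso.com
displayName: Test User
userAccountControl: 514

dn: CN=Staff Group,OU=Staff,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Test User,OU=Staff,DC=contoso,DC=com
-
"@
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII

# -i import, -f input file, -j log directory (ldif.log / ldif.err are written there).
# No -k, so constraint violations stop the run instead of being skipped silently.
ldifde -i -f $ldfPath -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    Write-Warning "LDIFDE import failed; see $env:TEMP\ldif.err"
}

# Export the OU for review or migration: -d base DN, -p scope, -r LDAP filter,
# -l explicit attribute list so only the attributes you need leave the directory.
ldifde -f (Join-Path $env:TEMP 'staff-export.ldf') -d "OU=Staff,DC=contoso,DC=com" `
    -p subtree -r "(objectClass=user)" -l "cn,sAMAccountName,userPrincipalName,memberOf"
```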

Configure Windows Time service on the PDC emulator in the Forest Root Domain

To configure the Windows Time service you have to run W32tm.exe on the PDC emulator operations master in the forest root domain when you deploy a new forest root domain or when you move the role of the PDC emulator in the forest root domain to a new domain controller.
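The W32tm.exe configuration on the forest-root PDC emulator, with a guard that the script is actually running there, as an added example that is not part of the original notes; ntp.example.com is a placeholder for your upstream time source.

```powershell
# Added example (not from the original notes): configure the Windows Time
# service on the forest-root PDC emulator. ntp.example.com is a placeholder
# for a reliable external time source; replace it with your own.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$me = "$env:COMPUTERNAME.$((Get-WmiObject Win32_ComputerSystem).Domain)"

# Only the forest-root PDC emulator should sync from an external source;
# every other DC follows the domain hierarchy.
if ($me -ine $pdc) {
    Write-Warning "Run this on the forest-root PDC emulator ($pdc), not on $me."
    return
}

# Manual peer list with an external source, 0x8 = client mode; /reliable:yes
# advertises this DC as a reliable time source for the rest of the forest.
w32tm /config /manualpeerlist:"ntp.example.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify: the source should now be the external peer, not "Local CMOS Clock".
w32tm /query /source
w32tm /query /status

# When the PDC emulator role moves to another DC, rerun this script there and
# return the former holder to the domain hierarchy with:
#   w32tm /config /syncfromflags:domhier /reliable:no /update
```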

CA Types and Roles in WS 2008

There are two different types of CAs available with Windows Server 2003 / 2008:

1.       Enterprise

2.       Stand-alone

Enterprise and stand-alone CAs can be configured as either Root CAs or Subordinate CAs. Subordinate CAs can further be configured as either Intermediate CAs or Issuing CAs.

Before you create your CA infrastructure, you need to determine the type or types of CAs that you plan to use, and define the specialized roles that you plan to have each CA assume.

Enterprise vs. Stand-Alone CAs

AD integrated
  Enterprise CA: Yes. Publishes certificates in Active Directory and uses Active Directory to validate certificate requests.
  Stand-alone CA: No.

Smart card support
  Enterprise CA: Yes.
  Stand-alone CA: No, because this process requires that smart card certificates be mapped automatically to the user accounts in AD.

Use certificate templates
  Enterprise CA: Yes.
  Stand-alone CA: No. All information about the requested certificate type must be included in the certificate request.

Support for automated certificate approval and user certificate enrollment
  Enterprise CA: Yes.
  Stand-alone CA: No, requests need manual approval (mostly).

Task                                                            Enterprise CA   Stand-alone CA
Take the CA offline                                             No              Yes
Configure the CA to issue certificates automatically           Yes             No (requests are held pending approval by default)
Allow administrators to approve certificate requests manually  Yes             Yes
Use certificate templates                                       Yes             No
Authenticate requests to Active Directory                       Yes             No

Root CAs

A root CA is the CA that is at the top of a certification hierarchy and must be trusted by all clients in your organization. All certificate chains terminate at a root CA. Enterprise and stand-alone CAs both need to designate a root CA.

Because there is no higher certifying authority in the certification hierarchy, the subject of the certificate issued by a root CA is also the issuer of the certificate. Likewise, because the certificate chain terminates when it reaches a self-signed CA, all self-signed CAs are root CAs. WS 2003 / 2008 only allows you to designate a self-signed CA as a root CA. The decision to designate a CA as a trusted root CA can be made at either the enterprise level or locally, by the individual IT administrator.

A root CA serves as the foundation upon which you base your certification authority trust model. It guarantees that the subject public key belongs to the subject identity information that is contained in the certificates it issues.

The root CA is the most important CA in your hierarchy. If your root CA is compromised, every other CA and certificate in your hierarchy might have been compromised. You can maximize the security of the root CA by keeping it disconnected from the network and using subordinate CAs to issue certificates to other subordinate CAs or to end users.

Subordinate CAs

CAs that are not root CAs are considered subordinate. The first subordinate CA in a hierarchy obtains its CA certificate from the root CA. This first subordinate CA can, in turn, use this key to issue certificates that verify the integrity of another subordinate CA.

Intermediate CAs

An intermediate CA is subordinate to a root CA, but also serves as a higher certifying authority to one or more subordinate CAs.

An intermediate CA is often referred to as a policy CA because it is typically used to separate classes of certificates that can be distinguished by policy. For example, policy separation includes the level of assurance that a CA provides or the geographical location of the CA to distinguish different end-entity populations. A policy CA can be online or offline.

Most organizations use one root CA and two policy CAs — one to support internal users, the second to support external users.

Issuing CA

The issuing CA issues certificates to users and computers and is almost always online.

Registration Authorities (RAs)

A registration authority (RA) can act as an intermediary for a CA by authenticating the identity of a user who is applying for a certificate, initiating revocation requests, and assisting in key recovery. Unlike a CA, however, an RA does not issue certificates or CRLs; it merely processes transactions on behalf of the CA.

Recovery Agent Certificates

Certificates with an object identifier of in the Enhanced Key Usage field of the certificates are valid for EFS recovery agent operations. EFS automatically generates its own certificates for the default recovery agent accounts: the domain Administrator account for the first domain controller installed in the domain and the local Administrator account for stand-alone computers. The default recovery agent certificates are placed in the personal certificate store for the Administrator account. To recover data, a valid recovery agent certificate and private key must be installed on the computer where the recovery takes place. EFS recovery policy is valid only if all recovery certificates are valid.

If you want to designate alternate recovery agent accounts (other than the default recovery accounts), the alternate recovery accounts must have valid EFS recovery agent certificates. You can deploy Certificate Services to issue and manage EFS recovery agent certificates.

The number of recovery agents (key archival)

Two values matter on the CA: the Number of recovery agents to use setting, and the number of key recovery agent certificates actually issued. If the two values are equal, every time a key is archived all of the issued recovery agent certificates are used in the archive process, so any single one of them can later recover the archived key. If the number of certificates issued is greater than the Number of recovery agents to use, then when a key is archived the CA selects X of the issued recovery agent certificates (where X equals the Number of recovery agents to use), and only those certificates can decrypt that archived private key. You still need only one of those certificates to decrypt the key, but you will not know which of the issued recovery agent certificates was used until a decryption attempt is made. You only ever need one recovery agent certificate to decrypt a key. One last consideration: for CLM or CM to work properly, make sure the two values are the same.

CA tip: If you need to ensure that all users in the domain enroll for a certificate based on a custom certificate template, you need to:

                - In GPO, configure the autoenrollment settings.

                - On the certificate template, set the security permissions Read, Enroll and Autoenroll for Domain Users.

Certificate Template Versions in WS 2008

Microsoft certification authorities (CAs) support three types of certificate templates: version 1, version 2, and version 3.

                    version 1 template                                                            version 2 template                                              version 3 template

CA support          WS 2000, WS 2003 Standard Edition, WS 2003 Enterprise Edition,               WS 2003 Enterprise Edition or WS 2003 Datacenter Edition,      WS 2008
                    WS 2003 Datacenter Edition, WS 2008                                           WS 2008

Client support      Windows 2000 and later                                                        XP and later                                                    Vista, Windows 7, WS 2008


Version 1 certificate templates

Version 1 templates are provided for backward compatibility and support many general needs for subject certification. They are created by default when a CA is installed and cannot be modified or removed. When you duplicate a version 1 template, the duplicate becomes a version 2 or version 3 template that can be modified.

Version 2 certificate templates

Version 2 certificate templates allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.

Version 3 certificate templates

Version 3 certificates allow administrators to add advanced Suite B cryptographic settings to their certificates. Suite B includes advanced options for encryption, digital signatures, key exchange, and hashing. Certificates based on version 3 certificate templates can only be issued from CAs installed on servers running Windows Server 2008 and used on clients running Windows Server 2008 or Windows Vista.

Duplicating certificate templates

New certificate templates are created by duplicating existing templates. Many settings are copied from the original template. You can also select whether to create the duplicate as a version 2 or version 3 certificate template.

To create a new certificate, you should create the duplicate based on an existing template closest in function to the intended template.

When duplicating a template, examine the subject type of the original template and ensure that you duplicate a template that has a similar function to that of the intended template.

Although most settings for certificate templates can be edited after the template is duplicated, the subject type cannot be changed.

CA tips:

  • If you need to ensure that a certificate template is available on the Web enrollment pages, make sure your certificate template is version 2 and install the WS 2008 R2 AD schema updates.

  • If you need to install an enterprise subordinate certification authority (CA) that supports private key archival, the member server must be upgraded to WS 2008 R2 or WS 2003 Enterprise, and the AD schema must be at least at the WS 2003 level.

Enterprise Root CAs: The Enterprise Root CA is at the top level of the certificate authority hierarchy. Once Enterprise Root CA is configured, it registers automatically within Active Directory and all computers within the domain trust it.

The Enterprise Root CA is usually responsible for issuing certificates to subordinate CAs, which then issue the certificates to users and computers on the network. However the Enterprise Root CA can also issue certificates to users and computers, if required. Following are the features of Enterprise CAs.

·         Auto enrollment feature is available.

·         Only a member of Enterprise Admins group can configure Enterprise CA.

·         An enterprise CA requires the Active Directory service.

·         An enterprise CA requires the DNS service.

Note: If you require smart cards for your employees, you should use Enterprise CAs.

Enterprise Subordinate CAs: are placed under the Enterprise Root CA in the certificate hierarchy. Enterprise Subordinate CAs are normally used for issuing certificates to a particular part of an organization or for issuing certificates of a specific type. An Enterprise Subordinate CA should be certified by the Enterprise Root CA (which may be an enterprise root CA on the local network or a third-party CA).

Standalone Root CAs: Do not use Active Directory. If Active Directory is not available in your network, you can configure Standalone Root CAs. If you want to issue certificates to outside entities, a Standalone CA should be implemented.

• Auto enrollment feature is not available. All requests for certificates are pending until an administrator approves them.

• Local administrators can configure standalone CAs

• Standalone CAs can be used with extranets.

• No certificate templates are used.

• Standalone CA certificates cannot be used for smart cards.

Standalone Subordinate CAs

The function of Standalone Subordinate CA is similar to an Enterprise Subordinate CA and Standalone Subordinate CAs are placed under a Root CA in the certificate hierarchy. You require a Root CA to configure a Standalone Subordinate CA. Standalone Subordinate CA should be certified by the Root CA (Root CA on the local network or a third-party CA).

A standalone subordinate CA is a certificate server that will be a member of an existing non-enterprise hierarchy.

o        It can issue certificates, but must obtain its own certificate from the stand alone root CA in its hierarchy.

o        It may or may not be a member of a domain.

o        It does not need access to Active Directory service.

o        However, it will use Active Directory if it exists for publishing certificates and certificate revocation lists.