
TestOut Server Pro 2016: Identity - English 4.0.x

LESSON PLAN

Revised 2018-08-06


Table of Contents

Introduction
Section 0.1: Server Pro 2016: Identity Introduction
Section 0.2: The TestOut Lab Simulator

Install Active Directory
Section 1.1: Active Directory Overview
Section 1.2: Install Active Directory
Section 1.3: Install Additional Domain Controllers
Section 1.4: Read-Only Domain Controllers (RODCs)
Section 1.5: Domain Controller Cloning

Plan Active Directory
Section 2.1: Active Directory Sites
Section 2.2: FSMO Roles and Global Catalog Servers
Section 2.3: Active Directory Replication
Section 2.4: Active Directory Trusts

Manage Active Directory Objects
Section 3.1: Active Directory Organizational Units
Section 3.2: Active Directory Computers
Section 3.3: Active Directory Users
Section 3.4: Active Directory Groups
Section 3.5: Active Directory Service Accounts
Section 3.6: Active Directory Bulk Operations
Section 3.7: Delegation of Control

Managing the Active Directory Database
Section 4.1: Active Directory Backup and Restore
Section 4.2: Manage the Active Directory Database
Section 4.3: Functional Levels

Group Policy
Section 5.1: Group Policy Overview
Section 5.2: Group Policy Inheritance
Section 5.3: Deploy Software with Group Policy
Section 5.4: Manage Windows Settings with Group Policy
Section 5.5: Manage Security Settings with Group Policy
Section 5.6: Managing Passwords with Group Policy
Section 5.7: Group Policy Administrative Templates
Section 5.8: Group Policy Preferences
Section 5.9: Group Policy Backup
Section 5.10: Troubleshooting Group Policy

AD Certificate Services
Section 6.1: Install AD Certificate Services
Section 6.2: Managing Certificates
Section 6.3: Certificate Enrollment
Section 6.4: Certificate Revocation
Section 6.5: Certificate Services Administration
Section 6.6: Key Archival and Recovery
Section 6.7: Back Up and Recover Certificate Services

Active Directory Federation Services (AD FS)
Section 7.1: AD FS Installation
Section 7.2: AD FS Trusts
Section 7.3: Device Registration and Multi-Factor Authentication
Section 7.4: AD FS Integration
Section 7.5: Implement Web Application Proxy (WAP)

Active Directory Rights Management Services (AD RMS)
Section 8.1: AD RMS Installation
Section 8.2: AD RMS Templates
Section 8.3: AD RMS Exclusions
Section 8.4: AD RMS Back Up and Restore

Practice Exams
Practice Exams

Appendices
Appendix A: Approximate Time for the Course


0.1: Server Pro 2016: Identity Introduction

Lecture Focus Questions:

What are the course prerequisites?
What major topics are covered in the course?
Which certification does this course prepare me for?

Video/Demo Time
0.1.1 Server Pro 2016: Identity Introduction 3:17

Total Video Time 3:17

Total Time: About 4 minutes


0.2: The TestOut Lab Simulator

Lecture Focus Questions:

How do I open the lab interface?
How do I see the lab exhibits?
How do I navigate to different servers in the lab interface?
How do I open a virtual machine console?

In this section, you will learn to:

Open the lab interface.
Review lab exhibits.
Navigate to different servers in the lab interface.
Open a virtual machine console.

Video/Demo Time
0.2.1 Using the Lab Simulator 3:38

Total Video Time 3:38

Lab/Activity
0.2.2 Explore Multiple Hyper-V Servers

Total Time: About 9 minutes


1.1: Active Directory Overview

Lecture Focus Questions:

What are the different advantages of a client-server network model and a workgroup model?
What is the difference between a tree and a forest?
How can you tell when a new domain starts a new tree?
What is the function of the schema?
How does Active Directory ensure that each domain controller has the most current information from other domain controllers?

Key terms for this section include the following:

Domain: An administratively-defined collection of network resources that share a common directory database and security policies.

Tree: A tree is a combination of one or more domains that share the same contiguous namespace and schema.

Forest: A collection of related domain trees. If more than one tree exists, each tree will have a unique namespace.

Container: A container is a built-in object that cannot be altered without making changes to the Active Directory schema. Containers are used to organize Active Directory objects.

Organizational Unit (OU): An OU provides the means of organizing network resources within a domain. An OU can hold other organizational units and objects, such as users and computers. An OU can be used to simplify security administration.

Object: Within Active Directory, each resource is identified as an object, such as users, groups, computers, printers, and shared folders. Each object contains additional information about the shared resource that can be used for locating and securing resources.

Domain Controller: A server that has Active Directory Domain Services (AD DS) installed and holds the Active Directory database or a copy of the Active Directory database.

Replication: Active Directory replication ensures that the information or data between domain controllers remains updated and consistent.

Schema: The schema in Active Directory contains a formal definition of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object.

Video/Demo Time
1.1.1 Active Directory Overview 6:22

Total Video Time 6:22

Fact Sheets
1.1.2 Active Directory Facts

Number of Exam Questions: 5 questions

Total Time: About 17 minutes


1.2: Install Active Directory

Lecture Focus Questions:

How is Active Directory installed on Windows 2016?
What are the requirements for installing Active Directory?
What two methods can be used to install Active Directory?
When installing Active Directory, what is an in-place upgrade?
What are Microsoft's recommendations for in-place upgrades?

In this section, you will learn to:

Install Active Directory.
Upgrade Active Directory installed on Windows Server 2012 to Active Directory running on Windows Server 2016.

Key terms for this section include the following:

AD DS: Active Directory Domain Services (AD DS) is a server role that can be installed on a Windows 2016 server. Once installed, the server can then be promoted to a domain controller. The combination of these two steps is typically referred to as installing Active Directory.

NTFS: New Technology File System (NTFS) is a proprietary file system developed by Microsoft. It was first introduced by Microsoft in 1993 with the release of Windows NT 3.1. NTFS introduced improved support for metadata and advanced data structures to improve performance, reliability, and disk space use.

ReFS: Resilient File System (ReFS) is Microsoft's proprietary file system introduced with Windows Server 2012. It was intended to be a replacement for NTFS and included a number of improvements.

Domain Name System (DNS): DNS is used to convert IP addresses into readable domains such as Sales.CorpNet.com. Without DNS, you would have to remember random strings of numbers to access different websites.

This section helps you prepare for the following certification exam objectives:

Microsoft 70-742 Identity with Windows Server 2016
1.1 Install and configure domain controllers
1.1.1 Install a new forest
1.1.3 Upgrade a domain controller

Video/Demo Time
1.2.1 Prepare for Active Directory 2:54
1.2.2 Installing a New Forest 5:21
1.2.3 Upgrading to 2016 7:56

Total Video Time 16:11

Fact Sheets
1.2.4 Active Directory Installation Facts

Number of Exam Questions: 3 questions

Total Time: About 25 minutes


1.3: Install Additional Domain Controllers

Lecture Focus Questions:

What role does the domain controller play in Active Directory?
How does Active Directory use the schema?
What is the function of a Global Catalog server?
How is a Global Catalog server updated?
What is the purpose of the directory partition?
Which partition types can be included in the directory partition?
Once Active Directory has been installed, what must you do to make that server a domain controller?
To remove Active Directory from a domain controller, what action must you take before demoting the domain controller?

In this section, you will learn to:

Create a new domain.
Add a domain controller to an existing domain.
Install a domain controller using the Install From Media (IFM) method.
Install Active Directory and Domain Controller to Server Core.
Remove a domain controller.

Key terms for this section include the following:

Domain Partition: A domain partition stores the user, computer, group, and object data for a domain, as well as the domain's schema and configuration data.

Schema Partition: A schema partition contains a definition of each object class and the attributes of the object class that can exist in an Active Directory forest.

Configuration Partition: A configuration partition stores configuration objects for each domain in the forest. A schema partition for a domain is replicated to all domain controllers in the forest.

Application Directory Partition: An application directory partition contains application-specific data created by applications and services.

Replica Domain Controller: A replica domain controller provides fault tolerance in the event that the domain controller fails. Adding a domain controller in an existing domain creates a replica domain controller.

Global Catalog: A global catalog is a domain controller that contains a partial replica of every object from every domain within a forest. The global catalog facilitates faster searches and logon.

Operations Master Roles: Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to a domain controller in the domain or forest. Five roles exist: schema master, domain naming master, RID master, PDC emulator, and the infrastructure master.


This section helps you prepare for the following certification exam objectives:

Microsoft 70-742 Identity with Windows Server 2016
1.1 Install and configure domain controllers
1.1.2 Add or remove a domain controller from a domain
1.1.4 Install AD DS on a Server Core installation
1.1.5 Install a domain controller from Install from Media (IFM)

Video/Demo Time
1.3.1 Adding a Domain Controller to a Domain 6:23
1.3.2 Removing a Domain Controller from a Domain 7:14
1.3.3 Installing Active Directory to Server Core 6:26
1.3.4 Installing a Domain Controller Using IFM Method 5:42

Total Video Time 25:45

Fact Sheets
1.3.5 Domain Controller Facts
1.3.6 Additional Domain Controllers Installation Facts

Number of Exam Questions: 3 questions

Total Time: About 39 minutes


1.4: Read-Only Domain Controllers (RODCs)

Lecture Focus Questions:

What is the purpose of administrator role separation?
How does unidirectional replication protect your network?
How does using a Read-Only Domain Controller (RODC) allow for domain logon in the event of a WAN link failure?
How do DNS zones work differently on an RODC?
What are the forest functional level requirements for installing an RODC?
Which permissions do you need in order to install an RODC?

In this section, you will learn to:

Install an RODC.
Manage an RODC.
Configure the Password Replication Policy.
Manage RODC password replication using cmdlets.

Key terms for this section include the following:

RODC: A Read-Only Domain Controller (RODC) is a server that hosts an Active Directory database's read-only partitions and responds to security authentication requests.

Cmdlet: A cmdlet is a lightweight command used in the Windows PowerShell environment. The Windows PowerShell runtime invokes these cmdlets within the context of automation scripts that are provided at the command line. The Windows PowerShell runtime also invokes them programmatically through Windows PowerShell APIs.

This section helps you prepare for the following certification exam objectives:

Microsoft 70-742 Identity with Windows Server 2016
1.1 Install and configure domain controllers
1.1.9 Install and configure a read-only domain controller (RODC)
2.2 Maintain Active Directory
2.2.9 Configure replication to Read-Only Domain Controllers (RODCs)
2.2.10 Configure Password Replication Policy (PRP) for RODC

Video/Demo Time
1.4.1 Read-Only Domain Controllers (RODCs) 4:05
1.4.2 Installing an RODC 4:41
1.4.3 Managing an RODC 5:25
1.4.4 Configuring the Password Replication Policy 3:27

Total Video Time 17:38

Lab/Activity
1.4.7 Create RODC Accounts
1.4.8 Edit the Password Replication Policy

Fact Sheets
1.4.5 RODC Facts
1.4.6 Password Replication Policy Facts

Number of Exam Questions: 6 questions

Total Time: About 44 minutes


1.5: Domain Controller Cloning

Lecture Focus Questions:

What is the advantage of creating a new virtual domain controller by cloning an existing virtual domain controller?

Which prerequisites must be met before attempting to clone a virtual domain controller?

What are the five major steps of cloning a virtual domain controller?

To be cloned, which group must the computer object for the domain controller be a member of?

Which versions of the Windows operating system support VM-Generation-ID identifiers?

Why is the VM-Generation-ID stored in two different locations?

In this section, you will learn to:

Clone a domain controller from a Hyper-V machine.

Key terms for this section include the following:

VM: A virtual machine (VM) imitates a physical machine by installing an operating system (such as Windows Server 2016) and its applications on software, such as Microsoft's Hyper-V.

Clone: A cloned VM is a copy of an existing virtual machine. Using a cloned VM eliminates the need to install the guest operating system and applications.

Hyper-V: Hyper-V is Microsoft's hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine. Hyper-V Manager is used to create and manage VMs.

Hypervisor: A hypervisor is a process that separates a computer’s operating system and applications from the underlying physical hardware. The hypervisor drives the concept of virtualization by allowing the physical host machine to operate multiple virtual machines as guests.

PDC Emulator: The Primary Domain Controller (PDC) emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers, such as replicating password changes within a domain.

This section helps you prepare for the following certification exam objectives:

Sample: Microsoft 70-742 Identity with Windows Server 2016
1.1 Install and configure domain controllers
1.1.10 Configure domain controller cloning

Video/Demo Time
1.5.1 Cloning Domain Controllers 4:27
1.5.2 Cloning a DC 7:48

Total Video Time 12:15

Fact Sheets
1.5.3 Domain Controller Cloning Facts

Number of Exam Questions: 6 questions

Total Time: About 24 minutes


2.1: Active Directory Sites

Lecture Focus Questions:

How does a site differ from a domain?
What is the purpose of a site link?
What does the term "well-connected" mean when referring to networks?
How are sites used in Active Directory?
How do IP addresses and subnets relate to sites?
How are dynamic site assignments made?

In this section, you will learn to:

Create Active Directory sites.
Configure Active Directory sites.
Manage Active Directory sites and subnets.

Key terms for this section include the following:

Site: A physical grouping of well-connected IP subnets that are typically connected with high-speed links. In most cases, an Active Directory site will map to a single LAN. Sites can represent a large physical location, such as a country or city, or a small collection of subnets located in a building.

Subnet: A subnet represents a grouping of computers based on their IP address or physical network segment. Each subnet possesses its own unique network address space.

Site Links: Site links represent the logical paths that the Knowledge Consistency Checker (KCC) uses to establish the intersite connectivity for Active Directory replication.

This section helps you prepare for the following certification exam objectives:

TestOut Server Pro 2016: Identity
1.2 Manage Active Directory sites
1.2.1 Configure sites
1.2.2 Manage sites, subnets, and site links

Microsoft 70-742 Identity with Windows Server 2016
2.3 Configure Active Directory in a complex enterprise environment
2.3.10 Configure sites and subnets
2.3.11 Create and configure site links
2.3.12 Manage site coverage

Video/Demo Time
2.1.1 Active Directory Sites 5:50
2.1.2 Creating and Managing Active Directory Sites 3:24

Total Video Time 9:14

Lab/Activity
2.1.4 Configure Sites
2.1.5 Manage Sites and Subnets

Fact Sheets
2.1.3 Site Facts

Number of Exam Questions: 7 questions

Total Time: About 32 minutes


2.2: FSMO Roles and Global Catalog Servers

Lecture Focus Questions:

What is the purpose of an operation master role server?
What is the function of a PDC emulator?
What does the infrastructure master do?
Which operations master roles are located at the forest level? How many of these roles are there in a forest?
How many domain operations masters are in a forest?
You are installing a new domain controller in a new domain in an existing forest. How many operations master roles will that server hold?
What might happen if the RID master becomes unavailable?
Which role(s) should be placed on a global catalog server? Which roles should not?
What is the difference between transferring a role and seizing a role?

In this section, you will learn to:

Manage FSMO roles.
Transfer RID and PDC masters.
Transfer the Infrastructure master.
Troubleshoot Operations masters.
Manage Global Catalog Servers.
Configure Global Catalog Servers.
Enable Universal Group Membership Caching.

Key terms for this section include the following:

Lightweight Directory Access Protocol (LDAP): The primary global catalog protocol that specifies directory communications.

User Datagram Protocol (UDP): UDP is an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss-tolerating connections between applications on the internet.

Global Catalog (GC): A database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server.

Universal Group Membership Caching (UGMC): Universal Group Membership Caching caches the group membership of universal groups. During logon, universal group membership is checked for the user.

This section helps you prepare for the following certification exam objectives:

TestOut Server Pro 2016: Identity
1.4 Manage Flexible Single-Master Operation (FSMO) roles and global catalog servers
1.4.2 Transfer RID and PDC masters
1.4.3 Transfer infrastructure masters
1.4.4 Troubleshoot operations masters
1.4.5 Enable Universal Group Membership Caching (UGMC)

Microsoft 70-742 Identity with Windows Server 2016
1.1 Install and configure domain controllers
1.1.8 Transfer and seize operations master roles

Video/Demo Time
2.2.1 FSMO Roles and Global Catalog Servers 7:36
2.2.2 Managing FSMO Roles 6:29
2.2.8 Managing Global Catalog Servers 2:03

Total Video Time 16:08

Lab/Activity
2.2.5 Transfer RID and PDC Masters
2.2.6 Transfer the Infrastructure Master
2.2.7 Troubleshoot Operations Masters
2.2.10 Configure Global Catalog Servers
2.2.11 Enable Universal Group Membership Caching

Fact Sheets
2.2.3 Operations Master Roles Facts
2.2.4 Operations Master Roles Management Facts
2.2.9 Global Catalog and UGMC Facts

Number of Exam Questions: 11 questions

Total Time: About 68 minutes


2.3: Active Directory Replication

Lecture Focus Questions:

What types of trusts are enabled by default for site link bridges?
How do you establish bidirectional communications between domain controllers?
How does intrasite replication differ from intersite replication?
What are the different ways you can force replication?
What are three ways you force a certain path between sites for replication?
What is the process for migrating from FRS replication to DFS replication when the domain is at Windows Server 2003 functional level?
During which migration stages are you able to roll back the migration?

In this section, you will learn to:

Manage Active Directory replication.
Configure intrasite replication.
Configure intersite replication.

Key terms for this section include the following:

Site Link Bridge: A collection of two or more site links that can be grouped as a single logical link.

Bridgehead Server: A domain controller in a site that replicates with domain controllers in other sites.

Connection: A logical communication channel between domain controllers.

Site Link Cost: A number assigned to a site link that identifies the overall relative cost of using that site link. The cost is used to select the optimal path between sites when more than one path exists.

Distributed File System (DFS): A set of client and server services that allow an organization using Microsoft Windows servers to organize many distributed SMB file shares into a distributed file system.

File Replication Service (FRS): Used for replicating the Distributed File System folder (SYSVOL) for Microsoft Server preceding Windows Server 2008 R2.

This section helps you prepare for the following certification exam objectives:

TestOut Server Pro 2016: Identity
1.3 Manage Active Directory replication
1.3.1 Configure intrasite replication
1.3.2 Configure intersite replication

Microsoft 70-742 Identity with Windows Server 2016
2.2 Maintain Active Directory
2.2.9 Configure replication to Read-Only Domain Controllers (RODCs)
2.2.12 Upgrade SYSVOL replication to Distributed File System Replication (DFSR)

Video/Demo Time
2.3.1 Active Directory Replication 10:27
2.3.2 Managing Active Directory Replication 4:26

Total Video Time 14:53

Lab/Activity
2.3.5 Configure Intrasite Replication
2.3.6 Configure Intersite Replication

Fact Sheets
2.3.3 Active Directory Replication Facts
2.3.4 SYSVOL Replication Facts

Number of Exam Questions: 14 questions

Total Time: About 49 minutes


2.4: Active Directory Trusts

Lecture Focus Questions:

Which types of trusts are created automatically for domains within a forest?
What are the characteristics of automatically created domain trusts?
What are the characteristics of trusts between forests?
When can forest trusts be used?
When must you create an external trust?
What advantages does selective authentication provide to system administrators for securing resources in a forest?
How do shortcut trusts improve user logon times between two domains within a forest?
What are the characteristics of an external trust?
When should you use a realm trust?

In this section, you will learn to:

Create and manage Active Directory trusts.
Create a forest root trust.
Design trusts.
Create a shortcut trust.

Key terms for this section include the following:Term Definition

Shortcut

Shortcut trusts improve user logon times between two domains within a forest by reducing the amount of Kerberos authentication traffic on the network. Shortcut trusts are transitive and use Kerberos (a protocol for authentication).

External

External trusts provide access to resources located on a Windows NT 4.0 domain or a domain located in a forest that is not joined by a forest trust. External trusts are non-transitive and use NT LAN Manager authentication (NTLM) protocols.

Realm

Realm trusts form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or later domain. Realm trusts can be transitive or non-transitive and use Kerberos.

Direction of Trust

The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B.

Security Identifier (SID)

A security identifier (SID) is a unique value of variable length used to identify each account.

Direction of Resource Access

Resource access is granted opposite of the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A. Users in the trusted domain have access to resources in the trusting domain.

Transitivity

Transitivity defines whether trust between domains flows or is inherited to other trusted domains.


This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

1.5 Manage Active Directory trusts
1.5.1 Design trusts
1.5.2 Create forest root, cross-forest, external, shortcut, and realm trusts

Microsoft 70-742 Identity with Windows Server 2016

2.3 Configure Active Directory in a complex enterprise environment
2.3.6 Configure external, forest, shortcut, and realm trusts
2.3.7 Configure trust authentication
2.3.8 Configure SID filtering

Video/Demo Time
2.4.1 Active Directory Trusts 5:50
2.4.2 Creating and Managing Active Directory Trusts 10:45

Total Video Time 16:35

Lab/Activity
2.4.3 Create a Forest Root Trust
2.4.7 Design Trusts
2.4.8 Create a Shortcut Trust

Fact Sheets
2.4.4 Trust Facts
2.4.5 Cross-Forest Trust Facts
2.4.6 External, Shortcut and Realm Trust Facts

Number of Exam Questions: 13 questions

Total Time: About 60 minutes


3.1: Active Directory Organizational Units

Lecture Focus Questions:

What objects can an organizational unit contain?
How is an organizational unit different from a container?
What are the advantages of placing computer accounts in organizational units rather than the computer container?
How does inheritance affect child organizational units?
How can you protect objects from accidental deletion?

In this section, you will learn to:

Create organizational units.
Manage organizational units.
Delete organizational units.

Key terms for this section include the following:

Term Definition

Organizational Unit (OU)

An organizational unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.

Container

A container is a built-in object used for organizing network resources within a domain. However, unlike OUs, a container cannot be altered without making changes to the Active Directory schema.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

2.1 Manage organizational units
2.1.1 Create organizational units (OUs)
2.1.2 Delete organizational units (OUs)

Microsoft 70-742 Identity with Windows Server 2016

1.3 Create and manage Active Directory groups and organizational units (OUs)
1.3.6 Delegate the creation and management of Active Directory groups and OUs
1.3.7 Manage default Active Directory containers
1.3.8 Create, copy, configure, and delete groups and OUs

Video/Demo Time
3.1.1 Active Directory Design 7:21
3.1.2 Creating and Managing OUs 5:33

Total Video Time 12:54

Lab/Activity
3.1.4 Create Organizational Units
3.1.5 Delete Organizational Units


Fact Sheets
3.1.3 Organizational Unit Facts

Number of Exam Questions: 6 questions

Total Time: About 34 minutes


3.2: Active Directory Computers

Lecture Focus Questions:

When should you pre-stage a computer account in an OU?
What is the benefit of computer account redirection?
What must you do after resetting a computer account?
How can you join a computer to the domain if it does not have a network connection?

In this section, you will learn to:

Create computer accounts.
Manage computer accounts.
Redirect the computer container.

Key terms for this section include the following:

Term Definition

Pre-Staging Computers

A computer account must be created in Active Directory prior to joining a computer to the domain. Pre-staging is the process of adding a computer to the Active Directory database before joining the computer to the domain.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

2.2 Manage computers
2.2.1 Create computer accounts

Microsoft 70-742 Identity with Windows Server 2016

1.2 Create and manage Active Directory users and computers
1.2.1 Automate the creation of Active Directory accounts
1.2.2 Create, copy, configure, and delete users and computers

Video/Demo Time
3.2.1 Active Directory Computers 1:05
3.2.2 Creating and Managing Computer Accounts 4:06

Total Video Time 5:11

Lab/Activity
3.2.4 Create Computer Accounts

Fact Sheets
3.2.3 Computer Account Facts

Number of Exam Questions: 6 questions

Total Time: About 22 minutes


3.3: Active Directory Users

Lecture Focus Questions:

How is a domain user account different than a local user account?
What is the difference between a disabled, locked out, or expired user account?
What is the best way to handle a user's account when an employee quits the company and will be replaced by a new employee in the near future?
What are the recommendations for using a template user account?
What permissions does a user account created from a template have?
How should you re-create a user account that was accidentally deleted?

In this section, you will learn to:

Create user accounts.
Create and use templates.
Manage user accounts using the GUI.
Manage user accounts using PowerShell.
Perform an offline domain join.
Manage user account passwords.

Key terms for this section include the following:

Term Definition

User or Logon Name

The user or logon name is the name of the user account used to log on to a computer and domain. It is typically a combination of the first name and last name of the user.

User Principal Name (UPN)

The User Principal Name (UPN) combines the user account name with the DNS domain name. For example, account awaters in the corpnet.com domain would have the UPN awaters@corpnet.com.

Distinguished Names

Distinguished names are the way Active Directory refers to objects. The distinguished name identifies the full path to an object, including the object name and all parent objects to the root of the domain.

Relative Distinguished Name (RDN)

The Relative Distinguished Name (RDN) identifies the object within its container. The RDN needs to be unique only within the object’s container. In the example above, the RDN is CN=awaters.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

2.3 Manage Active Directory user accounts
2.3.1 Create user accounts
2.3.2 Manage user accounts

Microsoft 70-742 Identity with Windows Server 2016

1.2 Create and manage Active Directory users and computers
1.2.1 Automate the creation of Active Directory accounts
1.2.2 Create, copy, configure, and delete users and computers
1.2.3 Configure templates
1.2.6 Implement offline domain join
1.2.7 Manage inactive and disabled accounts
1.2.8 Automate unlocking of disabled accounts
1.2.9 Automate password resets

Video/Demo Time
3.3.1 Active Directory Users 1:40
3.3.2 Creating User Accounts 4:45
3.3.3 User Templates 6:48
3.3.4 Managing User Accounts 8:12
3.3.5 Managing User Accounts with PowerShell 6:34
3.3.6 Performing an Offline Domain Join 4:42

Total Video Time 32:41

Lab/Activity
3.3.9 Create User Accounts
3.3.10 Manage User Accounts

Fact Sheets
3.3.7 User Account Facts
3.3.8 User Account Management Facts

Number of Exam Questions: 9 questions

Total Time: About 62 minutes


3.4: Active Directory Groups

Lecture Focus Questions:

What are the advantages of using groups when setting permissions?
What is the difference between a security group and a distribution group?
What type of objects can you make members of a universal group? A domain local group?
What happens to user accounts when the group they are in is deleted?
Which PowerShell commands can you use to manage groups?

In this section, you will learn to:

Create groups.
Create global groups.
Create a distribution group.
Change group scope.
Implement a group strategy.
Enumerate group membership.

Key terms for this section include the following:

Term Definition

Local Group

Local groups can contain members from only the local computers or member servers.

Domain Local Group

Domain local groups can contain members from any domain in the forest.

Global Group

Global groups can contain members within the same domain.

Universal Group

Universal groups can contain members from any domain in the forest.

Security Groups

A security group is one that can be used to manage rights and permissions.

Distribution Groups

A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

2.4 Manage groups
2.4.1 Create global groups
2.4.2 Create a distribution group
2.4.3 Change the group scope
2.4.4 Implement a group strategy

Microsoft 70-742 Identity with Windows Server 2016

1.3 Create and manage Active Directory groups and organizational units (OUs)
1.3.1 Configure group nesting
1.3.2 Convert groups
1.3.3 Manage group membership using Group Policy
1.3.4 Enumerate group membership
1.3.5 Automate group membership management using Windows PowerShell
1.3.8 Create, copy, configure, and delete groups and OUs

Video/Demo Time
3.4.1 Active Directory Groups 11:29
3.4.2 Creating and Managing Groups 7:35
3.4.3 Managing Group Membership 4:45

Total Video Time 23:49

Lab/Activity
3.4.5 Create Global Groups
3.4.6 Create a Distribution Group
3.4.7 Change the Group Scope
3.4.8 Implement a Group Strategy

Fact Sheets
3.4.4 Group Facts

Number of Exam Questions: 10 questions

Total Time: About 59 minutes


3.5: Active Directory Service Accounts

Lecture Focus Questions:

What are the differences between a managed service account, a virtual service account, and a group managed service account?
Which operating system is required to manage a service with a managed service account?
Which Windows PowerShell cmdlet will create a new managed service account?
If you have a domain controller running Windows Server 2003, how can you use a virtual account?

In this section, you will learn to:

Create a service account.
Create a managed service account.
Create a group managed service account.

Key terms for this section include the following:

Term Definition

Built-in Local User Account

A built-in user account is a local user account that is created automatically during installation of the operating system.

Domain User Account

A domain user account enables the service to take full advantage of the service security features of Windows and Microsoft Active Directory Domain Services.

Managed Service Account

A managed service account provides the same benefits of using a domain user account with the following improvements:

Passwords are managed and reset automatically.
When the domain is running at the Windows Server 2008 R2 functional level, the service principal name (SPN) doesn't need to be managed as with local accounts.

Virtual Account

Virtual accounts:

Are not created and cannot be deleted.
Are auto-managed.
Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.
Use the instance name as the service name, formatted as NT SERVICE\<SERVICENAME>.
Require no password management.

Group Managed Service Account

Group managed service accounts function in a manner similar to managed service accounts. However, they extend that functionality to multiple servers, allowing the same domain user account to be used by services running on many systems in the domain.


This section helps you prepare for the following certification exam objectives:

Exam Objective

Microsoft 70-742 Identity with Windows Server 2016

2.1 Configure service authentication and account policies
2.1.1 Create and configure Service Accounts
2.1.2 Create and configure Group Managed Service Accounts (gMSAs)
2.1.4 Manage Service Principal Names (SPNs)
2.1.5 Configure virtual accounts

Video/Demo Time
3.5.1 Active Directory Service Accounts 6:11
3.5.2 Creating and Managing Service Accounts 9:47

Total Video Time 15:58

Fact Sheets
3.5.3 Service Account Facts

Number of Exam Questions: 8 questions

Total Time: About 29 minutes


3.6: Active Directory Bulk Operations

Lecture Focus Questions:

When would you choose the CSVDE command over the LDIFDE command when managing objects?
Which tools add the user password to the user account?
Which tools can you use to create objects in Active Directory?
Which cmdlets can be used to manage Active Directory objects?
What is the benefit of piping multiple commands?
What utilities would you use to view the properties of multiple Active Directory objects?
What is the default action for the CSVDE command?

In this section, you will learn to:

Use CSVDE to import and export Active Directory objects.
Use Domain Services (DS) commands to create and manage Active Directory objects.
Use PowerShell commands to create and manage Active Directory objects.
Use LDIFDE commands to create and manage Active Directory objects.
Use the LDP utility.

Key terms for this section include the following:

Term Definition

CSVDE

Comma Separated Value Data Exchange (CSVDE) is a command line tool that lets you import and export Active Directory objects using a comma-separated values file.

LDIFDE

Lightweight Data Interchange Format, Data Exchange (LDIFDE) is a command line tool that lets you import, export, modify, and delete objects in Active Directory using LDAP Data Interchange Format (LDIF) files.

LDAP

Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

LDIF

Lightweight Directory Interchange Format (LDIF) files are plain text files that represent LDAP data and commands. They provide a simple way to communicate with a directory so as to read, write, rename, and delete entries, similar to how REG files can be used to manipulate the Windows Registry.

LDP

The LDP utility lets you search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace and a details pane on the right that is used for displaying results.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

2.3 Manage Active Directory user accounts
2.3.1 Create user accounts
2.3.2 Manage user accounts


Microsoft 70-742 Identity with Windows Server 2016

1.2 Create and manage Active Directory users and computers
1.2.1 Automate the creation of Active Directory accounts
1.2.2 Create, copy, configure, and delete users and computers
1.2.4 Perform bulk Active Directory operations

Video/Demo Time
3.6.1 Bulk Operations 5:09
3.6.2 Performing Bulk Operations 7:22

Total Video Time 12:31

Fact Sheets
3.6.3 Bulk Operations Facts

Number of Exam Questions: 9 questions

Total Time: About 27 minutes


3.7: Delegation of Control

Lecture Focus Questions:

Which security principle should be applied when you delegate administrative authority?
What are the processes typically involved in delegating administrative authority?
What is a limitation of the Delegation of Control Wizard?
What are the steps in delegating the right to create and link Group Policy Objects?
When is it necessary to delegate Manage Group Policy links?

In this section, you will learn to:

Create security groups and delegate authority based on role.
Use the Delegation of Control wizard to assign permissions.

Key terms for this section include the following:

Term Definition

Delegation of Control

Delegating administrative authority means not only sharing administrative tasks with other users, but also tightly controlling the permissions granted to each administrator. Use the principle of least privilege to assign users, including administrators, the permissions required to do their jobs, but no more.

This section helps you prepare for the following certification exam objectives:

Exam Objective

Microsoft 70-742 Identity with Windows Server 2016

1.3 Create and manage Active Directory groups and organizational units (OUs)
1.3.6 Delegate the creation and management of Active Directory groups and OUs

Video/Demo Time
3.7.1 Delegation of Control 1:41
3.7.2 Delegating Control 4:08

Total Video Time 5:49

Lab/Activity
3.7.4 Delegate Administrative Control

Fact Sheets
3.7.3 Rights Delegation Facts

Number of Exam Questions: 5 questions

Total Time: About 21 minutes


4.1: Active Directory Backup and Restore

Lecture Focus Questions:

What are the two methodologies that you can use to back up Active Directory?
Which of the two backup methodologies would you use to protect Active Directory?
Which of the two backup methodologies would you use to inspect Active Directory elements at the point in time when they were backed up?
When using the dsamain command with the -dbpath option to expose a snapshot as an LDAP source, why can't you use port 389? Which port should you use?
How do you enable the Active Directory Recycle Bin?
What are Active Directory tombstones?
What is the difference between an authoritative and a non-authoritative Active Directory restore?
What type of bootup should you use when performing either an authoritative or non-authoritative Active Directory restore?

In this section, you will learn to:

Back up Active Directory and the SYSVOL.
Create and mount an Active Directory snapshot.
Use the Active Directory Administrative Center to enable the Active Directory Recycle Bin.
Use the Active Directory Recycle Bin to recover deleted objects.
Perform an authoritative Active Directory restore using wbadmin and ntdsutil.

Key terms for this section include the following:

Term Definition

Volume Shadow Copy Service

The Windows service that allows the creation of Active Directory Snapshots.

Active Directory snapshots

An instantaneous picture of the Active Directory database that allows you to see how Active Directory looked at the time that the snapshot was taken.

System State backup

A backup created using the System State option in the Windows Server Backup tool that is used to back up Active Directory in case of catastrophic failure.

Active Directory Recycle Bin

An Active Directory container that stores recently deleted Active Directory objects.

Non-authoritative Active Directory Restore

A restore that rebuilds an Active Directory database from a system state backup, restoring it to the state at the time of the backup. If the domain has multiple domain controllers, Active Directory replication will overwrite the restored domain controller with objects that were added or deleted on other domain controllers after the backup.

Authoritative Active Directory Restore

A restore that rebuilds an Active Directory database from a system state backup, restoring it to the state at the time of the backup. If the domain has multiple domain controllers, the items marked for authoritative restore will overwrite the other domain controllers so as to match the restored domain controller during Active Directory replication.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

1.1 Manage Active Directory
1.1.1 Backup and restore Active Directory

Microsoft 70-742 Identity with Windows Server 2016

2.2 Maintain Active Directory
2.2.1 Back up Active Directory and SYSVOL
2.2.2 Manage Active Directory offline
2.2.5 Configure Active Directory snapshots
2.2.6 Perform object- and container-level recovery
2.2.7 Perform Active Directory restore
2.2.8 Configure and restore objects by using Active Directory Recycle Bin

Video/Demo Time
4.1.1 Active Directory Backups 4:17
4.1.2 Backing Up Active Directory 3:42
4.1.5 Active Directory Restore 6:17
4.1.6 Using the Active Directory Recycle Bin 2:34
4.1.7 Performing a Non-Authoritative Restore 5:28
4.1.8 Performing an Authoritative Restore 5:41

Total Video Time 27:59

Lab/Activity
4.1.4 Back Up Active Directory

Fact Sheets
4.1.3 Active Directory Backup Facts
4.1.9 Active Directory Restore Facts

Number of Exam Questions: 12 questions

Total Time: About 55 minutes


4.2: Manage the Active Directory Database

Lecture Focus Questions:

How can you compact the Active Directory database?
What are the benefits of cleaning up the metadata in an Active Directory?
How can you stop the Active Directory database in order to perform maintenance?

In this section, you will learn to:

Defragment the Active Directory database.
Perform a metadata cleanup on an Active Directory.

The key terms for this section include:

Term Definition

Active Directory fragmentation

Like any other database, Active Directory can become fragmented as items are added and deleted. This fragmentation can affect Active Directory performance.

Active Directory defragmentation

The process of removing the Active Directory database fragmentation.

Active Directory metadata

Active Directory data that identifies a domain controller to the replication system.

Active Directory metadata cleanup

The process of removing the Active Directory metadata that remains during a failed Active Directory removal.

This section helps you prepare for the following certification exam objectives:

Exam Objective

Microsoft 70-742 Identity with Windows Server 2016

2.2 Maintain Active Directory
2.2.3 Perform offline defragmentation of an Active Directory database
2.2.2 Clean up metadata

Video/Demo Time
4.2.1 Maintaining the Active Directory Database 1:17
4.2.2 Managing the Active Directory Database 9:58

Total Video Time 11:15

Fact Sheets
4.2.3 Managing the Active Directory Database Facts

Number of Exam Questions: 3 questions

Total Time: About 20 minutes


4.3: Functional Levels

Lecture Focus Questions:

How does the functional level of a domain impact the capabilities available on domain controllers in the domain or forest?

How does the functional level of a domain affect which operating systems you can run on workstations and servers in the domain?

What circumstances might prevent you from raising the functional level of a domain?

In what circumstances can you revert to a lower functional level without rebuilding the domain or forest?

In this section, you will learn to:

Raise and lower the functional level of a domain.
Raise and lower the functional level of a forest.

Key terms for this section include the following:

Term Definition

Active Directory functional level

A set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest.

This section helps you prepare for the following certification exam objectives:

Exam Objective

TestOut Server Pro 2016: Identity

1.1 Manage Active Directory
1.1.3 Raise Functional levels
1.1.4 Raise the domain and/or forest levels

Microsoft 70-742 Identity with Windows Server 2016

2.3 Configure Active Directory in a complex enterprise environment
2.2.4 Configure domain and forest functional levels

Video/Demo Time
4.3.1 Forest and Domain Functional Levels 7:42
4.3.2 Managing Forest and Domain Functional Levels 4:39

Total Video Time 12:21

Lab/Activity
4.3.5 Raise Functional Levels
4.3.6 Raise the Domain and/or Forest Levels

Fact Sheets
4.3.3 Domain and Forest Functional Level Facts
4.3.4 Functional Level Management Facts

Number of Exam Questions: 4 questions


Total Time: About 37 minutes


5.1: Group Policy Overview

Lecture Focus Questions:

Which policies are commonly used in a GPO?
What is the difference between a local Group Policy and a domain Group Policy?
What is the difference between deleting a GPO and deleting a GPO link?
When are computer policies enforced?
When are user policies enforced?

In this section, you will learn to:

Modify Local Group Policies.
Create and link Group Policy objects.

Key terms for this section include the following:

Term Definition

Group Policy Object (GPO)

A collection of policies or configurations that are grouped together.

Local Group Policy

A GPO located on each Windows computer that contains local configurations.

Domain Group Policy

A GPO with settings that affect all computers or a group of computers in a domain.

Computer Configuration Policy

One of two categories of policies within a GPO that are enforced on the computers, no matter what user is logged in.

User Configuration Policy

One of two categories of policies within a GPO that are enforced for specific users.

This section helps you prepare for the following certification exam objectives:

Exam Objective

Microsoft 70-742 Identity with Windows Server 2016

3.1 Create and manage Group Policy Objects (GPOs)
3.1.3 Configure GPO links
3.1.4 Configure multiple local Group Policies

Video/Demo Time
5.1.1 Group Policy Overview 9:52
5.1.2 Creating and Linking Group Policy Objects 10:28
5.1.3 Local Group Policies 0:43
5.1.4 Managing Local Group Policies 4:59

Total Video Time 26:02

Fact Sheets
5.1.5 Group Policy Categories
5.1.6 Group Policy Facts

Number of Exam Questions: 6 questions


Total Time: About 43 minutes


5.2: Group Policy Inheritance

Summary

As you study this section, answer the following questions:

What is Group Policy inheritance?
What are the four Group Policy levels? In what order are they processed?
What are the three processing layers in the Local Group Policy? How are they processed?
In what order are site, domain and Organizational Unit policies processed?
If there are multiple Organizational Unit policies, in what order are they processed?
How can Group Policy inheritance be blocked or modified?

In this section, you will learn to:

Block GPO inheritance at the Organizational Unit level.
Enforce GPO inheritance at the Organizational Unit level.
Block GPO inheritance using Security Group filtering.
Block GPO inheritance using WMI filters.
Modify GPO inheritance using loopback processing.
Modify GPO inheritance using slow link detection.
Modify GPO inheritance using Group Policy caching.

Key terms for this section include the following:

Term Definition

Group Policy Level

Group Policy levels control the order of Group Policy processing, often remembered using the mnemonic L-S-D-OU.

L is for Local.
S is for Site.
D is for Domain.
OU is for Organizational Units.

Local Group Policy Layers

Local Group Policy layers control the order of Group Policy processing within the local level.

Block Inheritance

Block Inheritance prevents the GPOs from parent OUs from being inherited by a child OU. Enforced GPOs will not be blocked by a child OU even if it is configured to block inheritance.

Security Group Filtering

Security Group filtering ensures that a GPO is applied to a single user or users in a security group, or is exempted by the user or group.

WMI Filters

WMI Filters use Windows Management Instrumentation queries to test for a condition. When the computer receives the GPO, it runs the WMI query to determine if the GPO should be processed.

Loopback Processing

Loopback processing overrides GPO user configurations with GPO computer configurations.

Slow Link Detection

Slow link detection affects portions of a GPO if the network connection speed is below a configured value.

Group Policy Caching

Group Policy caching will save domain Group Policies on the local computers. Certain settings within the cached Group Policies will be ignored if a configured slow link value or timeout value is met.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.1 Manage Group Policy objects (GPOs)
3.1.3 Control GPO inheritance

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.2 Configure Group Policy processing
3.2.1 Configure processing order and precedence
3.2.2 Configure blocking of inheritance
3.2.3 Configure enforced policies
3.2.4 Configure security filtering and Windows Management Instrumentation (WMI) filtering
3.2.5 Configure loopback processing
3.2.6 Configure and manage slow-link processing and Group Policy caching

Video/Demo Time
5.2.1 Group Policy Inheritance 11:31
5.2.2 Managing Group Policy Inheritance 5:48
5.2.3 Modifying Group Policy Inheritance Part 1 14:34
5.2.4 Modifying Group Policy Inheritance Part 2 7:12
Total Video Time 39:05

Lab/Activity
5.2.6 Control GPO Inheritance

Fact Sheets
5.2.5 GPO Inheritance Facts

Number of Exam Questions
8 questions

Total Time
About 58 minutes

5.3: Deploy Software with Group Policy

Lecture Focus Questions:

Why must a software installation be packaged as an *.msi file?
What is the difference between assigned and published software?
Why should you use the UNC path or file share to install a package rather than the local path?
What are the benefits of naming the file share so that it ends with a '$'?

In this section, you will learn to:

Assign and publish software installer packages.
Configure software installation packages to customize deployment and removal.

Key terms for this section include the following:

Software Installation Package

A set of files used to install a software application. One of the files must be an *.msi file.

Distribution Point

The location where software packages used by GPOs are stored. This is typically a file share.

Assigned Software

An option associated with a software installation.

This is the only option under the GPO's computer configuration policy. It will install the software on the next reboot after the GPO is received.

Under the GPO's user configuration policy, this option adds an icon on the user's desktop. Clicking the icon installs the software.

Published Software

An option that is available only under the GPO's user configuration policy. It allows the user to install software from the Control Panel.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.2 Deploy software using Group Policy
3.2.1 Assign software
3.2.2 Deploy software
3.2.3 Deploy desktop shortcuts

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.3 Configure Group Policy settings
3.3.1 Configure software installation

Video/Demo Time
5.3.1 Software Deployment with Group Policy 4:46
5.3.2 Deploying Software with Group Policy 9:58
Total Video Time 14:44

Lab/Activity
5.3.4 Assign Software
5.3.5 Deploy Software 1
5.3.6 Deploy Software 2

Fact Sheets
5.3.3 Software Deployment Facts

Number of Exam Questions
9 questions

Total Time
About 44 minutes

5.4: Manage Windows Settings with Group Policy

Lecture Focus Questions:

What are the popular settings that can be configured under the Windows Settings folder in a GPO?
What settings are available in the Name Resolution policy?
What is the purpose of the Folder Redirection policy?
What kinds of configurations can be done in startup, shutdown, login, and logout scripts?

In this section, you will learn to:

Configure scripts that run at computer startup and shutdown.
Configure scripts that run at user login and logout.
Configure the Name Resolution Policy.
Configure folder redirection.

Key terms for this section include the following:

Startup and Shutdown Script Policy

The configurations in a GPO that run scripts at computer startup and shutdown.

Login and Logout Script Policy

The configurations in a GPO that run scripts at user login and logout.

Name Resolution Policy

The configurations in a GPO that enable DNSSEC and DNS settings for DirectAccess.

Folder Redirection

The configurations in a GPO that redirect local folders, such as My Documents, to a network location.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.3 Configure Group Policy settings
3.3.2 Configure folder redirection
3.3.3 Configure scripts

Video/Demo Time
5.4.1 Windows Settings 0:39
5.4.2 Managing Windows Settings with Group Policy 3:01
Total Video Time 3:40

Fact Sheets
5.4.3 Managing Windows Settings with Group Policy Facts

Number of Exam Questions
7 questions

Total Time
About 16 minutes

5.5: Manage Security Settings with Group Policy

Lecture Focus Questions:

What are the popular settings that can be configured under the Security Settings folder in a GPO?
What security settings are in the three local security policies?
What is the benefit of controlling system services with a Group Policy?
How can you restrict access to software using a Group Policy?

In this section, you will learn to:

Configure local options, including:
  o Local security options.
  o Audit event options.
  o User rights assignment options.
Configure Windows Firewall options.
Configure local system services.
Configure local event log options.
Add and configure registry entries.
Add files to a client.
Control access to software on the client.

Key terms for this section include the following:

Local Policies

A folder in a GPO that contains settings that control the local computer.

Windows Firewall with Advanced Security Policy

GPO settings that configure the Windows Firewall.

System Services Policy

GPO settings that turn on or turn off system services on a client.

Event Log Policy

GPO settings that configure the size and retention periods of the event log file.

Registry Policy

GPO policy that adds and configures Windows registry entries.

File System Policy

GPO policy that adds files to a client.

Restricted Groups Policy

GPO policy that prevents access from groups of users.

Software Restriction Policy

GPO policy that controls access to software on a client.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.4 Manage security policies
3.4.1 Configure security settings with Group Policy

Video/Demo Time
5.5.1 Security Settings 1:28
5.5.2 Managing Security Settings with Group Policy 10:22
Total Video Time 11:50

Lab/Activity
5.5.4 Configure Security Settings with Group Policy

Fact Sheets
5.5.3 Security Settings with Group Policy Management Facts

Number of Exam Questions
5 questions

Total Time
About 27 minutes

5.6: Managing Passwords with Group Policy

Lecture Focus Questions:

Which two policies under the Account Policies allow you to configure password settings?
What is password complexity?
Which object types can be associated with a fine-grained password policy?
How do you create a PSO?

In this section, you will learn to:

Configure a password policy and apply it to specific users or groups.
Configure an account lockout policy and apply it to specific users or groups.
Configure fine-grained password policy.

Key terms for this section include the following:

Password History

A history of user passwords (up to 24) that a user can't reuse.

Maximum Password Age

The length of time before a user is forced to change a password.

Minimum Password Age

The length of time that a user must use a password before it can be changed.

Minimum Password Length

The minimum number of characters in a valid password.

Enforce Password Complexity

Requires that passwords can't contain the user name, the user's first or last name, the company name, or a complete dictionary word. The password must also contain a minimum of three of the four types of special characters: lowercase letters; uppercase letters; numbers; or !, @, #, $, %, ^, &, *.

Account Lockout Duration

How long a locked account remains locked. When the time period expires, the account will be unlocked automatically.

Account Lockout Threshold

How many incorrect passwords can be entered before an account is locked.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.4 Manage security policies
3.4.2 Configure password settings with Group Policy

Video/Demo Time
5.6.1 Password Settings 2:52
5.6.2 Managing Password Settings with Group Policy 5:29
5.6.3 Managing Password Settings Objects 4:12
Total Video Time 12:33

Lab/Activity
5.6.5 Configure Password Settings with Group Policy
5.6.6 Create a Password Settings Object

Fact Sheets
5.6.4 Password Settings with Group Policy Management Facts

Number of Exam Questions
7 questions

Total Time
About 35 minutes

5.7: Group Policy Administrative Templates

Lecture Focus Questions:

What is the Administrative Template central store and where is it located?
What are the advantages of using the central store?
What is the function of *.adml files?

In this section, you will learn to:

Import custom Administrative Templates.
Configure property filters for Administrative Templates.
Create a central store to share *.admx files with multiple domain controllers.

Key terms for this section include the following:

Administrative Template

An object that extends a GPO. These objects contain configurations for Windows components, other Microsoft products, and custom in-house products.

Central Store

An area in the SYSVOL where Administrative Templates can be added so that they are made available to other domain controllers during replication.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.1 Manage Group Policy objects (GPOs)
3.1.3 Import a GPO

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.3 Configure Group Policy settings
3.3.4 Configure administrative templates
3.3.5 Import security templates
3.3.6 Import a custom administrative template file
3.3.7 Configure filtering for administrative template

Video/Demo Time
5.7.1 Administrative Templates 0:35
5.7.2 Managing Administrative Templates 4:41
5.7.3 Central Stores 1:24
5.7.4 Creating a Central Store 4:09
Total Video Time 10:49

Lab/Activity
5.7.6 Import a GPO

Fact Sheets
5.7.5 Administrative Templates Facts

Number of Exam Questions
6 questions

Total Time
About 27 minutes

5.8: Group Policy Preferences

Lecture Focus Questions:

What is the main difference between Group Policy preferences and Group Policy settings?
Which types of applications and operating system features do Group Policy preferences support?
How do you configure Group Policy preferences?

In this section, you will learn to:

Configure Group Policy preferences in a GPO.
Deploy shortcuts in a GPO.

Key terms for this section include the following:

Group Policy Preference

Group Policy Preferences are similar to Group Policy Settings with the following key exceptions:

Preferences are not enforced.
The user interface is not disabled.
Removal of a preference does not restore the original setting.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.2 Deploy software using Group Policy
3.2.3 Deploy desktop shortcuts
3.3 Manage group policies
3.3.2 Configure browser settings in a GPO
3.3.3 Configure power options in a GPO

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.4 Configure Group Policy preferences
3.4.1 Configure printer preferences
3.4.2 Define network drive mappings
3.4.3 Configure power options
3.4.4 Configure custom registry settings
3.4.5 Configure Control Panel settings
3.4.6 Configure Internet Explorer settings
3.4.7 Configure file and folder deployment
3.4.8 Configure shortcut deployment

Video/Demo Time
5.8.1 Group Policy Preferences 1:53
5.8.2 Managing Group Policy Preferences 10:31
Total Video Time 12:24

Lab/Activity
5.8.4 Configure Internet Explorer Settings in a GPO
5.8.5 Configure Power Options in a GPO
5.8.6 Deploy Desktop Shortcuts in a GPO

Fact Sheets
5.8.3 Preferences Facts

Number of Exam Questions
5 questions

Total Time
About 38 minutes

5.9: Group Policy Backup

Lecture Focus Questions:

How do you back up a GPO?
How do you share a GPO as a template?
How are GPO permissions handled during the backup and import processes?
When moving GPOs from one domain to another, how do you handle settings that are domain-specific and cannot be copied directly?

In this section, you will learn to:

Create and configure a migration table to migrate domain-specific settings.
Restore default GPOs to their state at Active Directory installation.

Key terms for this section include the following:

GPO Migration

The process of backing up a GPO on one domain controller and restoring it to another domain controller.

Migration Table

A table used when migrating a GPO from one domain to another. The table maps old domain information to new domain information.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
3.1 Manage Group Policy objects (GPOs)
3.1.4 Back up a GPO
3.1.5 Restore a GPO

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.1 Create and manage Group Policy Objects (GPOs)
3.1.5 Back up, import, copy, and restore GPOs
3.1.6 Create and configure a migration table

Video/Demo Time
5.9.1 Group Policy Backup 0:53
5.9.2 Backing Up Group Policy 7:05
Total Video Time 7:58

Lab/Activity
5.9.4 Back Up a GPO
5.9.5 Restore a GPO

Fact Sheets
5.9.3 GPO Backup Facts

Number of Exam Questions
4 questions

Total Time
About 27 minutes

5.10: Troubleshooting Group Policy

Lecture Focus Questions:

How can you determine whether a GPO is properly assigned to a client?
How can you determine whether a setting in a GPO is properly applied to a client?
Which GPO troubleshooting tools are available on a domain controller?
Which GPO troubleshooting tools are available on a client?

In this section, you will learn to:

Use the domain status dashboard in the Group Policy Management tool to determine the health of GPOs in relation to the domain controller.
Use the Group Policy Results wizard to determine GPOs and settings that apply to a single computer from the perspective of the domain controller.
Use the Group Policy Modeling tool to test a set of GPOs based on a given computer, a given user, and other GPO factors.
Use the dcgpofix command to restore default GPOs to their original settings.
Use the gpresult and gpupdate commands to troubleshoot client GPO issues.

Key terms for this section include the following:

Domain Status Dashboard

A dashboard in the Group Policy Management tool that can help determine the health of GPOs in relation to the domain controller.

Group Policy Results Wizard

A utility in the Group Policy Management tool that models how GPOs and settings apply to a single computer from the perspective of the domain controller.

Group Policy Modeling Tool

A utility in the Group Policy Management tool that tests a set of GPOs based on a given computer, user, and other GPO factors.

dcgpofix

A command that resets the default GPOs to the state they were in when Active Directory was installed.

gpresult

A command that shows information about GPOs from the client perspective.

gpupdate

A command that forces a client to update GPOs from the domain controller.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
3.1 Create and manage Group Policy Objects (GPOs)
3.1.7 Reset default GPOs
3.1.9 Detect health issues using the Group Policy Infrastructure Status page
3.2 Configure Group Policy processing
3.2.8 Force a Group Policy update

Video/Demo Time
5.10.1 Group Policy Troubleshooting 1:18
5.10.2 Troubleshooting Group Policy 13:49
Total Video Time 15:07

Fact Sheets
5.10.3 GPO Troubleshooting Facts

Number of Exam Questions
4 questions

Total Time
About 25 minutes

6.1: Install AD Certificate Services

Lecture Focus Questions:

What is the difference between symmetric encryption and asymmetric encryption?
How do certificates prove identity?
What kinds of information do certificates hold?
What is the relationship of a CA to a PKI?
How can you ensure that users outside your organization trust your certificate?
What are the advantages of using an enterprise CA over a standalone CA?
How does an enterprise root differ from an enterprise subordinate?
Which server role should you add to make a server a CA that can issue certificates to other CAs, users, and computers?
What features does the Online Responder service provide?
What is credential roaming?

In this section, you will learn to:

Install an enterprise Certificate Authority (CA).

Key terms for this section include the following:

Active Directory Certificate Services (AD CS)

Active Directory Certificate Services (AD CS) is a server role in Windows Server 2016. It provides services for creating a public key infrastructure (PKI) that administrators can use to issue and manage public key certificates.

Certification Authority (CA)

A certification authority (CA) issues and manages digital certificates and their associated public keys and is part of a PKI. A Windows Server can be configured as a CA. Companies such as VeriSign and GeoTrust are examples of trusted public CAs that issue certificates to people that need to provide secure communication with the public.

CRL Distribution Point (CDP)

A CRL distribution point (CDP) is an attribute of a certificate that identifies where the CRL for a CA can be retrieved from. Some of the locations are URLs for HTTP, FILE, FTP, and LDAP.

Enterprise CA

Enterprise CA is a CA installation on Windows Server that’s integrated with Active Directory.

Standalone CA

Standalone CA is a CA installation that isn’t integrated with Active Directory.

Enrollment Agent

Enrollment agent is a user authorized to enroll on behalf of other users.

Certification Authority Web Enrollment

Certification Authority Web Enrollment is the component that provides a way to issue and renew certificates for users, computers, and devices that are not joined to the domain, connected directly to the network, or Windows users.

Certificate Enrollment Policy Web Service

Certificate Enrollment Policy Web Service is the component that enables users to obtain certificate enrollment policy information from the CA.

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a security system that connects the identity of a user or devices to a cryptographic key that then secures data transfer with encryption and ensures data authenticity with digital certificates.

Symmetric Encryption

Symmetric encryption is cryptography using a single encryption key to protect an electronic message. It uses a mathematical algorithm along with a secret key, which results in the inability to retrieve the contents of a message that is usable.

Asymmetric Encryption (PKI)

Asymmetric Encryption (PKI) is public key cryptography. It uses two mathematically related keys for encryption. One key is used to encrypt the data, and the second key is used to decrypt it.

Authority Information Access (AIA)

Authority Information Access (AIA) is a path configured on a CA server that specifies where to locate the certificate for a CA.

Root CA

Root CA is the first CA installed in a network.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
4.1 Install and configure certificates
4.1.1 Manage certificates

Exam: Microsoft 70-742 Identity with Windows Server 2016
4.1 Install and configure AD CS
4.1.1 Install Active Directory Integrated Enterprise Certificate Authority (CA)
4.1.2 Install offline root and subordinate CAs
4.1.3 Install standalone CAs

Video/Demo Time
6.1.1 Active Directory Certificate Concepts: Encryption 6:13
6.1.2 Active Directory Certificate Concepts: Identification 8:07
6.1.3 Installing Active Directory Certificate Services 7:35
Total Video Time 21:55

Fact Sheets
6.1.4 AD CS Installation Facts
6.1.5 Certificate Facts
6.1.6 AD CS Facts

Number of Exam Questions
6 questions

Total Time
About 43 minutes

6.2: Managing Certificates

Lecture Focus Questions:

What functions does the Certification Authority Web Enrollment role service provide?
How does an Enterprise CA process a certificate request differently from a stand-alone CA?
What command do you enter at the command line to accept and install a certificate?
What is the process for requesting a certificate from an offline CA?
What are the purpose and the benefits of a certificate template?
What is best practice for maintaining the integrity of default templates?
How do you control which templates a CA can issue?
How are certificate templates replicated?
Which permissions does an administrator need to set and modify certificate template contents and permissions?

In this section, you will learn to:

Manage certificates such as requesting a user certificate and approving pending certificates.
Manage and modify certificate templates.
Create and issue a certificate template.

Key terms for this section include the following:

Certificate Template

A certificate template is a shell of a certificate that is used to create new certificates. Certificate templates will have certificate characteristics such as suggested use and expiration date. AD CS includes more than 30 pre-defined certificate templates.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
4.1 Install and configure certificates
4.1.1 Manage certificates

Exam: Microsoft 70-742 Identity with Windows Server 2016
4.2 Manage certificates
4.2.1 Manage certificates
4.2.2 Implement and manage certificate deployment, validation, and revocation
4.2.3 Manage certificate renewal
4.2.4 Manage certificate enrolment and renewal for computers and users using Group Policies

Video/Demo Time
6.2.1 Certificate Management 1:35
6.2.2 Managing Certificates 8:18
Total Video Time 9:53

Lab/Activity
6.2.6 Manage Certificates

Fact Sheets
6.2.3 Certificate Management Facts
6.2.4 Certificate Template Facts
6.2.5 Certificate Template Settings Facts

Number of Exam Questions
8 questions

Total Time
About 38 minutes

6.3: Certificate Enrollment

Lecture Focus Questions:

Which three autoenroll settings require user intervention when selected?
In addition to allowing certificates to be requested, issued, or renewed, which other management tasks does autoenrollment perform?
Which template version(s) is required for autoenrollment?
When automatic renewal is enabled, how can you force users to re-enroll for a certificate template?
When configuring autoenrollment, which permissions should you grant to users or computers to allow autoenrollment?

In this section, you will learn to:

Configure the templates for autoenrollment.
Enable certificate autoenrollment for users and computers.
Create certificates for smart cards and require smart cards for logon.

Key terms for this section include the following:

Certificate Enrollment

Certificate Enrollment is the process of issuing a certificate to a client.

Autoenrollment

Autoenrollment is a useful feature of Active Directory Certificate Services. It allows the administrator to configure subjects to automatically enroll, retrieve, and renew expiring certificates without requiring user interaction.

Web Enrollment

Web Enrollment is the component that provides a method to issue and renew certificates for users, computers, and devices that are not joined to the domain, are not connected directly to the network, or are for users of non-Windows operating systems.

Network Device Enrollment Service (NDES)

Network Device Enrollment Service (NDES) allows network devices, such as routers and switches, to get certificates by using Simple Certificate Enrollment Protocol (SCEP), which is a Cisco proprietary protocol.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
4.1 Install and configure certificates
4.1.3 Configure templates for autoenrollment
4.1.4 Enable autoenrollment for the domain

Exam: Microsoft 70-742 Identity with Windows Server 2016
4.2 Manage certificates
4.2.3 Manage certificate renewal
4.2.4 Manage certificate enrolment and renewal for computers and users using Group Policies

Video/Demo Time
6.3.1 Certificate Enrollment 2:25
6.3.2 Enrolling Certificates 11:41
Total Video Time 14:06

Lab/Activity
6.3.4 Configure Templates for Autoenrollment
6.3.5 Enable Autoenrollment for the Domain
6.3.6 Create Certificates for Smart Cards
6.3.7 Require Smart Cards for Logon

Fact Sheets
6.3.3 Certificate Enrollments Facts

Number of Exam Questions
5 questions

Total Time
About 45 minutes

6.4: Certificate Revocation

Lecture Focus Questions:

In what situations would a certificate be revoked?
If a revoked certificate might be reinstated, what reason for revocation should you use?
How do you specify CRL Distribution Points?
When would you publish a delta CRL?
What are the advantages of using an online responder to verify certificate status?
What two options do you have for obtaining the OCSP Response Signing Certificate?
Why is it necessary to configure CRLs and CDPs when you use an online responder?

In this section, you will learn to:

Revoke a certificate.
Configure a CRL Distribution Point.
Configure an online responder.
Manage certificate revocation.

Key terms for this section include the following:

Certificate Revocation List (CRL)

A certificate revocation list (CRL) is a list of certificates that the Certification Authority administrator has revoked before their expiration dates.

Online Responder

An online responder is a server that supports Online Certificate Status Protocol (OCSP). This allows clients to periodically download CRLs for a certificate's status.

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) allows a user of a certificate to submit a certificate status request to a responder by using a web browser.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
4.1 Install and configure certificates
4.1.2 Manage certificate revocation

Exam: Microsoft 70-742 Identity with Windows Server 2016
4.1 Install and configure AD CS
4.1.4 Configure Certificate Revocation List (CRL) distribution points
4.1.5 Install and configure Online Responder

Video/Demo Time
6.4.1 Certificate Revocation 3:38
6.4.2 Configuring a Certificate Revocation List (CRL) 9:37
6.4.3 Configuring an Online Responder 7:20
Total Video Time 20:35

Lab/Activity
6.4.6 Manage Certificate Revocation

Fact Sheets
6.4.4 Certificate Revocation Facts
6.4.5 Online Responder Facts

Number of Exam Questions
8 questions

Total Time
About 44 minutes

6.5: Certificate Services Administration

Lecture Focus Questions:

Which permission(s) do you need to access and modify CA properties?
What is administrative role separation? What implication does it have for assigning permissions for certificate management?
How do you control the certificates that a manager can manage?
How can you monitor changes to the CA configuration? Which Group Policy setting must you enable to do this?
What are the steps in key archival?

In this section, you will learn to:

Configure security roles on the CA: the enrollment agent, certificate manager, and the CA manager.

Restrict the security role of an enrollment agent or a certificate manager to a particular template.

Configure administrative role separation to not allow a user to have multiple roles assigned.

Key terms for this section include the following:

Enrollment Agent: Enrolls certificates on behalf of someone else.

Certificate Manager: Issues and manages certificates and approves certificate enrollment and revocation requests.

CA Admin: Can change the properties of the certification authority and complete any type of administration concerning the CA itself.

Backup Operator: Backs up and restores files and directories.

Auditors: Manage and read security logs on a computer running the AD CS role.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.1 Install and configure certificates
4.1.5 Create certificates for smart cards
4.1.6 Require smart cards for logon

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 4.1 Install and configure AD CS
4.1.6 Implement administrative role separation

Video/Demo Time
6.5.1 Administrative Roles 1:56
6.5.2 Configuring Administrative Roles 6:33
Total Video Time 8:29

Fact Sheets
6.5.3 Certificate Services Administration Facts

Number of Exam Questions
5 questions

Total Time
About 19 minutes

6.6: Key Archival and Recovery

Lecture Focus Questions:

In order for a user's private key to be backed up, what action must the user take? Which permission does this action require?
What is key archival?
What steps are involved in key archival?
What function does a Key Recovery Agent perform?
What are the template requirements for key archival?
What are the steps for recovering a lost key?

In this section, you will learn to:

Create and publish the key recovery agent to the CA.
Configure a CA for key archival.
Recover a key.

Key terms for this section include the following:

Key Archival: The process of locking up private keys and performing restoration if the user’s private key is lost.

Key Recovery Agent (KRA): A designated user with the right to recover archived keys.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.1 Install and configure certificates

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 4.2 Manage certificates
4.2.5 Configure and manage key archival and recovery

Video/Demo Time
6.6.1 Key Archival and Recovery 2:57
6.6.2 Configuring Key Archival and Recovery 4:30
Total Video Time 7:27

Fact Sheets
6.6.3 Key Archival and Recovery Facts

Number of Exam Questions
6 questions

Total Time
About 19 minutes

6.7: Back Up and Recover Certificate Services

Lecture Focus Questions:

Which components of a CA does a system state backup back up?
How does a Certification Authority Console backup differ from a system state backup?
When you move a CA from one server to another, which items might need to be reconfigured?
Which options would you use with the certutil command to back up only the CA database and the keys and certificates?

In this section, you will learn to:

Use the certutil command to back up and recover CA files.

Key terms for this section include the following:

System State Backup: Backs up and restores a CA. A system state backup backs up the entire CA and its configuration.

Certification Authority Console Backup: A backup utility that is available from the Microsoft Management Console (MMC) Certification Authority snap-in.

Certutil.exe: A command line program that is installed as part of Certificate Services. Certutil.exe exports and displays certification authority configuration information, configures Certificate Services, and backs up and restores CA components. Certutil.exe is also used to verify certificates, key pairs, and certificate chains.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.1 Install and configure certificates

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 4.1 Install and configure AD CS
4.1.7 Configure CA backup and recovery

Video/Demo Time
6.7.1 CA Backup and Recovery 2:53
6.7.2 Configuring CA Backup and Recovery 6:10
Total Video Time 9:03

Fact Sheets
6.7.3 CA Backup and Recovery Facts

Number of Exam Questions
7 questions

Total Time
About 22 minutes

7.1: AD FS Installation

Lecture Focus Questions:

What are the benefits of Active Directory Federation Services (AD FS)?
You have users in a domain who need to access a Web application in a partner domain. Which domain is the account domain, and which is the resource domain?
What is a claim? What type of information can be included in a claim?
What is the difference between a claims-aware agent and a token-based agent?
What are the requirements to install AD FS?

In this section, you will learn to:

Install Active Directory Federation Services (AD FS)
Configure Active Directory Federation Services (AD FS)
Upgrade Active Directory Federation Services (AD FS) to Windows 2016

Key terms for this section include the following:

Active Directory Federation Services (AD FS): The Active Directory Federation Services (AD FS) server role allows single sign-on access to web-based resources.

Active Directory Domain Services (AD DS): Active Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to manage and store network resource information in a distributed database.

Federation Server: Federation server is the name of the server that you install the Active Directory Federation Services role on.

Certificates: Certificates are used to identify AD FS server components for security purposes.

Lightweight Directory Access Protocol (LDAP): Lightweight Directory Access Protocol (LDAP) is a vendor-neutral protocol for accessing and maintaining distributed directory information services over an IP network.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.1 Install and configure Active Directory Federation Services
5.1.1 Upgrade and migrate previous AD FS workloads to Windows Server 2016

Video/Demo Time
7.1.1 Overview of AD FS 10:54
7.1.2 Installing AD FS 8:11
7.1.3 Upgrading and Migrating AD FS 10:17
Total Video Time 29:22

Fact Sheets
7.1.4 AD FS Installation Facts

Number of Exam Questions
3 questions

Total Time
About 38 minutes

7.2: AD FS Trusts

Lecture Focus Questions:

How do federation servers in the account partner organization enable single sign-on capabilities to users?
What are relying party trusts? In which locations are relying party trusts usually created?
What functions does the account partner provide?
What trust relationships must be configured for AD FS servers?
What is the role of the resource partner in AD FS?
When adding a claims provider, what are the preferred ways to obtain data about the claims provider?
What is the function of the claims-aware agent?
How does the Windows token-based agent allow Windows token-based applications to work with AD FS?

In this section, you will learn to:

Implement claims-based authentication
Implement a relying party trust

Key terms for this section include the following:

Federation Trust: A federation trust involves a trusting party and trusted party.

Account Partner: When referring to AD FS terminology, the trusted company is referred to as the account partner.

Resource Partner: When referring to AD FS terminology, the trusting company is called the resource partner.

Claims Provider: A claims provider is an organization that provides claims to its users.

Relying Party: The relying party is the resource partner that hosts the resources accessed by the account partner.

Relying Party Trust: A relying party trust is the AD FS trust created on an AD FS server that acts as the claims provider in an AD FS setup.

Claims Provider Trust: A claims provider trust is a trust created on an AD FS server that acts as the relying party or resource partner.

Claim Rules: Claim rules are conditions that determine which attributes are required in a claim and how claims are processed by the federation server.

Claim: A claim is an agreed-on set of user attributes that both parties in a federation trust use to determine a user's credentials.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.1 Install and configure Active Directory Federation Services (AD FS)
5.1.2 Implement claims-based authentication, including Relying Party Trusts

Video/Demo Time
7.2.1 AD FS Trusts 2:10
7.2.2 Creating an AD FS Trust 6:52
Total Video Time 9:02

Fact Sheets
7.2.3 AD FS Trusts Facts

Number of Exam Questions
8 questions

Total Time
About 23 minutes

7.3: Device Registration and Multi-Factor Authentication

Lecture Focus Questions:

How does device registration help users connect to resources?
What must be installed on the mobile device for device registration to work?
What are the types of authentication methods that can be configured with AD FS?
What must you add to be able to use Multi-Factor Authentication?

In this section, you will learn to:

Implement and configure device registration
Configure authentication policies
Configure multi-factor authentication

Key terms for this section include the following:

Device Registration: Device registration is a feature that allows nondomain-joined devices to access claims-based resources securely.

Primary Authentication: Primary authentication is required for all users who access applications that use AD.

Multi-factor Authentication (MFA): Multi-factor authentication (MFA) is authentication that uses more than one method, such as a user name and password along with a digital certificate or a smart card.

WEB Single Sign On (SSO): WEB Single Sign On (SSO) provides single sign-on access to multiple web applications for users external to the organization’s network.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.1 Install and configure Active Directory Federation Services (AD FS)
5.1.3 Configure authentication policies
5.1.4 Configure multi-factor authentication
5.1.5 Implement and configure device registration

Video/Demo Time
7.3.1 Device Registration 3:43
7.3.2 Configuring Device Registration 2:48
7.3.3 Configuring Multi-Factor Authentication 1:29
Total Video Time 8:00

Fact Sheets
7.3.4 Device Registration and Multi-Factor Auth Facts

Number of Exam Questions
4 questions

Total Time
About 17 minutes

7.4: AD FS Integration

Lecture Focus Questions:

What are the benefits of Microsoft Passport?
Which Web Platform products must be installed before installing Windows Azure on a Windows Server?
Which management portals must the AD FS host be configured to reach?
Which transformation rules must be applied to the management portal for tenants?

In this section, you will learn to:

Integrate AD FS with Microsoft Passport
Configure AD FS with Microsoft Azure and Office 365
Configure AD FS to enable authentication of users stored in LDAP directories

Key terms for this section include the following:

Microsoft Passport: Microsoft Passport is an authentication service that provides multi-factor authentication using a PIN or biometric sign-in along with encrypted keys on a user device.

Attribute Store: An attribute store contains directories or databases that an organization uses to store its user accounts and their associated attribute values.

Office 365: Office 365 is a line of subscription cloud-based services offered by Microsoft, as part of the Microsoft Office product line.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.1 Install and configure Active Directory Federation Services (AD FS)
5.1.6 Integrate AD FS with Microsoft Passport
5.1.7 Configure for use with Microsoft Azure and Office 365
5.1.8 Configure AD FS to enable authentication of users stored in LDAP directories

Video/Demo Time
7.4.1 AD FS Integrated with Additional Services 3:38
7.4.2 Integrating AD FS with Online Products 3:17
Total Video Time 6:55

Fact Sheets
7.4.3 AD FS Integrated with Additional Services

Number of Exam Questions
5 questions

Total Time
About 17 minutes

7.5: Implement Web Application Proxy (WAP)

Lecture Focus Questions:

Implementing WAP with AD FS ensures that users can access what on your network?
How is WAP installed?
How does pass-through mode benefit authentication?
What are the benefits of Remote Desktop Gateway?
What does HTTP to HTTPS redirect do?

In this section, you will learn to:

Integrate WAP with AD FS
Install and configure WAP
Implement WAP in pass-through mode
Implement WAP as AD FS proxy
Configure AD FS requirements
Publish web apps via WAP
Publish Remote Desktop Gateway applications
Configure HTTP to HTTPS redirects
Configure internal and external Fully Qualified Domain Names (FQDNs)

Key terms for this section include the following:

Web Application Proxy: WAP is a server role that must be installed separately and is found as a component of the Remote Access role. It allows remote access to corporate network applications from the Internet.

This section helps you prepare for the following certification exam objectives:

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.2 Install and configure WAP
5.2.1 Install and configure WAP
5.2.2 Implement WAP in pass-through mode; implement WAP as AD FS proxy
5.2.3 Integrate WAP with AD FS
5.2.4 Configure AD FS requirements
5.2.5 Publish web apps via WAP
5.2.6 Publish Remote Desktop Gateway applications
5.2.7 Configure HTTP to HTTPS redirects
5.2.8 Configure internal and external Fully Qualified Domain Names (FQDNs)

Video/Demo Time
7.5.1 Web Application Proxy (WAP) Concepts 3:00
7.5.2 Installing and Configure WAP 5:39
7.5.3 Configuring WAP Publishing 4:20
Total Video Time 12:59

Fact Sheets
7.5.4 Web Application Proxy (WAP) Facts
7.5.5 Web Application Proxy (WAP) Publishing Facts

Number of Exam Questions
4 questions

Total Time
About 27 minutes

8.1: AD RMS Installation

Lecture Focus Questions:

How do usage policies help safeguard digital information from intentional or unintentional misuse?
How are usage policy templates used by administrators in implementing AD RMS?
How does a client license differ from a use license?
How are protected documents created?
How does a root cluster differ from a licensing-only cluster?
What are the requirements for setting up the service account for AD RMS?
Which tasks use the AD RMS Administrator password?
What should you consider when defining a cluster address?

In this section, you will learn to:

Install and configure an AD RMS server.
Manage AD RMS Service Connection Point (SCP).

Key terms for this section include the following:

AD RMS Server: The AD RMS server role is responsible for issuing licenses. This server role can be installed on one or more servers and is referred to as the AD RMS root cluster.

AD RMS Cluster: An AD RMS cluster is a single server or a group of servers running AD RMS that share AD RMS publishing and licensing requests from AD RMS clients.

Service Account: AD RMS requires a user account as a service account for communicating with other services.

Cluster Key: The cluster key is used to digitally sign certificates and licenses.

Service Connection Point (SCP): A Service Connection Point (SCP) allows AD RMS-enabled clients in your organization to find and access the AD RMS cluster.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.2 Manage AD RMS

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.3 Install and configure Active Directory Rights Management Services (AD RMS)
5.3.1 Install a licensor certificate AD RMS server
5.3.2 Manage AD RMS Service Connection Point (SCP)

Video/Demo Time
8.1.1 Overview of AD RMS 9:57
8.1.3 Installing AD RMS 8:03
Total Video Time 18:00

Fact Sheets
8.1.2 AD RMS Facts
8.1.4 AD RMS Installation Facts

Number of Exam Questions
5 questions

Total Time
About 33 minutes

8.2: AD RMS Templates

Lecture Focus Questions:

How can administrators deploy rights policy templates to user computers so that the templates are available for offline publishing?
What is the purpose of archiving rights policy templates that are no longer being used for new documents?
What are lockbox exclusion policies?
How does the AD RMS client manage rights policy templates?
What conditions can be used to configure an expiration policy?
What is self-enrollment? How is it used in AD RMS?

In this section, you will learn to:

Manage AD RMS templates
Identify certificate and license types

Key terms for this section include the following:

Rights Policy Template: A rights policy template allows you to configure policies to determine who can access a rights-protected document and what actions can be taken with the document.

Server Licensor Certificate: The server licensor certificate (SLC) contains the public key of the AD RMS server. It also identifies the AD RMS cluster.

Rights Account Certificate: The rights account certificate (RAC) identifies users of AD RMS content.

Client Licensor Certificate: The client licensor certificate (CLC) is issued to clients when they’re connected to the AD RMS network. It grants them the right to publish protected content.

Machine Certificates: A machine certificate is created on a client computer when it first uses an AD RMS application.

Publishing License: A publishing license is tied to a rights-protected document. It is created when a client publishes the document.

Use License: A use license is issued to certain users when they authenticate to an AD RMS server and request access to a rights-protected document.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.2 Manage AD RMS
4.2.1 Configure AD RMS templates

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.3 Install and configure Active Directory Rights Management Services (AD RMS)
5.3.3 Manage AD RMS templates

Video/Demo Time
8.2.1 AD RMS Templates 1:16
8.2.2 Creating AD RMS Templates 7:15
Total Video Time 8:31

Lab/Activity
8.2.5 Configure a Distributed Rights Policy Template

Fact Sheets
8.2.3 AD RMS Template Facts
8.2.4 AD RMS Certificate Facts

Number of Exam Questions
5 questions

Total Time
About 29 minutes

8.3: AD RMS Exclusions

Lecture Focus Questions:

Why is it necessary to configure exclusions?
How does AD RMS prevent unauthorized users from obtaining use licenses for protected data?
How are applications excluded with AD RMS?
How can users determine the level of access they have to a document or message?

In this section, you will learn to:

Configure Exclusion Policies

Key terms for this section include the following:

User Exclusion: User Exclusion prevents user accounts, identified by their email address, from obtaining use licenses for protected content.

Application Exclusion: Application Exclusion excludes applications based on the minimum and maximum version level.

Lockbox Version Exclusion: Lockbox Version Exclusion Policy specifies the minimum AD RMS client version that can obtain a use license from AD RMS.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.2 Manage AD RMS
4.2.2 Configure AD RMS exclusions

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.3 Install and configure Active Directory Rights Management Services (AD RMS)
5.3.4 Configure Exclusion Policies

Video/Demo Time
8.3.1 AD RMS Exclusion Policies 1:42
8.3.2 Creating AD RMS Exclusion Policies 2:20
Total Video Time 4:02

Lab/Activity
8.3.4 Configure a User Exclusion

Fact Sheets
8.3.3 AD RMS Exclusion Facts

Number of Exam Questions
4 questions

Total Time
About 19 minutes

8.4: AD RMS Back Up and Restore

Lecture Focus Questions:

When should you back up your AD RMS configuration for the first time?
What is required to restore AD RMS?
What are the three AD RMS databases that you should back up?

In this section, you will learn to:

Back up and restore AD RMS.

Key terms for this section include the following:

Cluster Key Password: The cluster key is used to digitally sign certificates and licenses and is protected by a password.

AD RMS Configuration Database: The configuration database stores, shares, and retrieves all configuration data and other data that RMS needs to manage account certification, licensing, and publishing services for an entire cluster.

AD RMS Directory Services Database: The directory services database contains directory services data, such as users, identifiers, security IDs, and group memberships.

AD RMS Logging Database: The logging database contains the logs of client activity and license acquisition. By default, this database is installed on the same database server instance that hosts the configuration database.

This section helps you prepare for the following certification exam objectives:

Exam: TestOut Server Pro 2016: Identity
Objective: 4.2 Manage AD RMS

Exam: Microsoft 70-742 Identity with Windows Server 2016
Objective: 5.3 Install and configure Active Directory Rights Management Services (AD RMS)
5.3.5 Back up and restore AD RMS

Video/Demo Time
8.4.1 AD RMS Backup and Restore 1:30
8.4.2 Backing Up and Restoring AD RMS 2:21
Total Video Time 3:51

Fact Sheets
8.4.3 AD RMS Backup and Restore Facts

Number of Exam Questions
3 questions

Total Time
About 12 minutes

Practice Exams

A.0: TestOut Server Pro 2016: Identity - Practice Exams
TestOut Server Pro 2016: Identity Certification Practice Exam (14 questions)

B.0: Microsoft 70-742 Practice Exams
Microsoft 70-742 Certification Practice Exam (65 questions)

Appendix A: Approximate Time for the Course

The total time for the LabSim for TestOut Server Pro 2016: Identity course is approximately 25 hours. Time is calculated by adding the approximate time for each section, which is calculated using the following elements:

Video/demo times
Text Lessons (5 minutes assigned per text lesson)
Simulations (5 minutes assigned per simulation)
Questions (1 minute per question)

Additionally, there are approximately another 2 hours and 15 minutes of Practice Test material at the end of the course.

The breakdown for this course is as follows:

Module Sections Time Videos Labs Text Exams

0.0: Introduction
0.1: Server Pro 2016: Identity Introduction 4 4 0 0 0
0.2: The TestOut Lab Simulator 9 4 5 0 0
Total 0:13 0:08 0:05 0:00 0:00

1.0: Install Active Directory
1.1: Active Directory Overview 17 7 0 5 5
1.2: Install Active Directory 25 17 0 5 3
1.3: Install Additional Domain Controllers 39 26 0 10 3
1.4: Read-Only Domain Controllers (RODCs) 44 18 10 10 6
1.5: Domain Controller Cloning 24 13 0 5 6
Total 2:29 1:21 0:10 0:35 0:23

2.0: Plan Active Directory
2.1: Active Directory Sites 32 10 10 5 7
2.2: FSMO Roles and Global Catalog Servers 68 17 25 15 11
2.3: Active Directory Replication 49 15 10 10 14
2.4: Active Directory Trusts 60 17 15 15 13
Total 3:29 0:59 1:00 0:45 0:45

3.0: Manage Active Directory Objects
3.1: Active Directory Organizational Units 34 13 10 5 6
3.2: Active Directory Computers 22 6 5 5 6
3.3: Active Directory Users 62 33 10 10 9
3.4: Active Directory Groups 59 24 20 5 10
3.5: Active Directory Service Accounts 29 16 0 5 8
3.6: Active Directory Bulk Operations 27 13 0 5 9
3.7: Delegation of Control 21 6 5 5 5
Total 4:14 1:51 0:50 0:40 0:53

4.0: Managing the Active Directory Database
4.1: Active Directory Backup and Restore 55 28 5 10 12
4.2: Manage the Active Directory Database 20 12 0 5 3
4.3: Functional Levels 37 13 10 10 4
Total 1:52 0:53 0:15 0:25 0:19

5.0: Group Policy
5.1: Group Policy Overview 43 27 0 10 6
5.2: Group Policy Inheritance 58 40 5 5 8
5.3: Deploy Software with Group Policy 44 15 15 5 9
5.4: Manage Windows Settings with Group Policy 16 4 0 5 7
5.5: Manage Security Settings with Group Policy 27 12 5 5 5
5.6: Managing Passwords with Group Policy 35 13 10 5 7
5.7: Group Policy Administrative Templates 27 11 5 5 6
5.8: Group Policy Preferences 38 13 15 5 5
5.9: Group Policy Backup 27 8 10 5 4
5.10: Troubleshooting Group Policy 25 16 0 5 4
Total 5:40 2:39 1:05 0:55 1:01

6.0: AD Certificate Services
6.1: Install AD Certificate Services 43 22 0 15 6
6.2: Managing Certificates 38 10 5 15 8
6.3: Certificate Enrollment 45 15 20 5 5
6.4: Certificate Revocation 44 21 5 10 8
6.5: Certificate Services Administration 19 9 0 5 5
6.6: Key Archival and Recovery 19 8 0 5 6
6.7: Back Up and Recover Certificate Services 22 10 0 5 7
Total 3:50 1:35 0:30 1:00 0:45

7.0: Active Directory Federation Services (AD FS)
7.1: AD FS Installation 38 30 0 5 3
7.2: AD FS Trusts 23 10 0 5 8
7.3: Device Registration and Multi-Factor Authentication 17 8 0 5 4
7.4: AD FS Integration 17 7 0 5 5
7.5: Implement Web Application Proxy (WAP) 27 13 0 10 4
Total 2:02 1:08 0:00 0:30 0:24

8.0: Active Directory Rights Management Services (AD RMS)
8.1: AD RMS Installation 33 18 0 10 5
8.2: AD RMS Templates 29 9 5 10 5
8.3: AD RMS Exclusions 19 5 5 5 4
8.4: AD RMS Back Up and Restore 12 4 0 5 3
Total 1:33 0:36 0:10 0:30 0:17

Total Course Time 25:00

Practice Exams

A.0: TestOut Server Pro 2016: Identity - Practice Exams Number of Questions Time
A.3: TestOut Server Pro 2016: Identity Certification Practice Exam 14 1:10
Total 14 1:10

B.0: Microsoft 70-742 Practice Exams Number of Questions Time
B.4: Microsoft 70-742 Certification Practice Exam 65 1:05
Total 65 1:05

Total Practice Exam Time 2:15