70-640 Resources

Resources and study guide for the 70-640 TS: Windows Server 2008 Active Directory, Configuring exam

Recommended Reading
Windows Server 2008 Active Directory Resource Kit
MCTS Self-Paced Training Kit (Exam 70-640)
Group Policy: Fundamentals, Security, and Troubleshooting
Creating the Secure Managed Desktop

Skills Measured

Configuring Domain Name System (DNS) for Active Directory (16 percent)
Configure zones
What's New in DNS in Windows Server 2008
DNS Server Overview
Understanding Active Directory Domain Services Integration
DNS Architecture
DNS Overview
Configuring Zone Properties
Adding Zones
Managing Resource Records

Configure DNS server settings
Understanding Forwarders
Using Forwarders
Checklist: Use Forwarders
Understanding Zone Delegation
Updating Root Hints
Use Aging and Scavenging

Configure zone transfers and replication
Understanding DNS Zone Replication in Active Directory Domain Services
Planning DNS Zones
Create a DNS Application Directory Partition
DNS Notify
Troubleshooting zone problems

Configuring the Active Directory infrastructure (25 percent)
Configure a forest or a domain
Requirements for Installing AD DS
Steps for Installing AD DS
Active Directory Domain Services (AD DS) Installation and Removal Step-by-Step Guide
Steps for Removing AD DS
Appendix of Unattended Installation Parameters
Download details: ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
Scenarios for Installing AD DS
Appendix of Functional Level Features

Configure trusts
Managing Trusts
Managing Forest Trusts
Configuring SID Filter Quarantining: Domain and Forest Trusts; Active Directory

Configure sites
Overview of Active Directory Sites and Services
Checklist: Configure an Additional Site
Changing site link properties: Active Directory
Creating a Site Link Bridge Design

Configure Active Directory replication
Introduction to Administering Intersite Replication: Active Directory
Managing Intersite Replication: Active Directory
Introduction to Administering DFS-Replicated SYSVOL: Active Directory
SYSVOL Replication Migration Guide: FRS to DFS Replication
Forcing Replication

Configure the global catalog
Enabling Universal Group Membership Caching in a Site
Understanding the Global Catalog
Introduction to Administering the Global Catalog: Active Directory
Checklist: Add a Global Catalog Server
Configuring a Global Catalog Server: Active Directory

Configure operations masters
Introduction to Administering the Windows Time Service: Windows Time Service
Introduction to Administering Operations Master Roles: Active Directory
Transferring an operations master role: Active Directory
Seizing an operations master role: Active Directory
Designating a standby operations master: Active Directory
Active Directory Schema
Planning Operations Master Role Placement

Configuring additional Active Directory server roles (9 percent)
Configure Active Directory Lightweight Directory Service (AD LDS)
Running Domain Controllers in Hyper-V
Hyper-V
Server Core Installation Option Getting Started Guide
http://technet.microsoft.com/en-us/library/cc754361(WS.10).aspx
Active Directory Lightweight Directory Services Operations Guide

Configure Active Directory Rights Management Service (AD RMS).
Active Directory Rights Management Services Overview
Active Directory Rights Management Services Role
Active Directory Rights Management Services
Active Directory Rights Management Services

Configure the read-only domain controller (RODC).
AD DS: Read-Only Domain Controllers
Read-only Domain Controllers (RODC) Step-by-Step Guide
Read-Only Domain Controller (RODC) Planning and Deployment Guide
Read-Only Active Directory Database, SYSVOL, and Unidirectional Replication
RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
Administrator Role Separation
Administering the Password Replication Policy
RODC Frequently Asked Questions

Configure Active Directory Federation Services (AD FS).
Active Directory Federation Services Overview
Active Directory Federation Services Role
Active Directory Federation Services (AD FS) Step-by-Step Guide
Active Directory Federation Services
AD FS Design Guide
AD FS Deployment Guide
Deploying Federation Servers
Deploying Federation Server Proxies

Creating and maintaining Active Directory objects (24 percent)
Automate creation of Active Directory accounts
Csvde
Dsadd
Ldifde
Administering Distribution Lists for Message Queuing

Maintain Active Directory accounts
Dsmod group
AGDLP - Wikipedia, the free encyclopedia
User Account Control
Delegating Administration of Account OUs and Resource OUs

Create and apply Group Policy objects (GPOs).
Group Policy
Download details: Planning and Deploying Group Policy
Download details: Group Policy Preferences Overview
Deploying Basic Settings by Using Group Policy
Loopback processing of Group Policy

Configure GPO templates
Managing Group Policy ADMX Files Step-by-Step Guide
Download details: Starter Group Policy Objects (GPOs)
Overview of AGPM

Configure software deployment GPOs
How to use Group Policy to remotely install software in Windows Server 2003

Configure account policies
Active Directory Domain Services (AD DS) Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
AD DS: Fine-Grained Password Policies

Configure audit policy by using GPOs.
Active Directory Domain Services (AD DS) Auditing Step-by-Step Guide
Download details: Group Policy Settings Reference for Windows Server 2008
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.

Maintaining the Active Directory environment (13 percent)
Configure backup and recovery
Windows Server Backup Step-by-Step Guide for Windows Server 2008
Backing Up Your Server
Recovering Your Server
Active Directory Domain Services (AD DS) Backup and Recovery Step-by-Step Guide
Introduction to Administering Active Directory Backup and Recovery: Active Directory
Backing Up Active Directory Domain Services: Active Directory
set DSRM password
authoritative restore
Backing Up Group Policy Objects

Perform offline maintenance
Active Directory Database Mounting Tool Step-by-Step Guide
Restartable Active Directory Domain Services (AD DS) Step-by-Step Guide
Compact the directory database file (offline defragmentation): Active Directory

Monitor Active Directory
Performance and Reliability Monitoring Step-by-Step Guide for Windows Server 2008
Windows Reliability and Performance Monitor
Repadmin

Configuring Active Directory Certificate Services (13 percent)
Install Active Directory Certificate Services
Active Directory Certificate Services Overview
Active Directory Certificate Services Step-by-Step Guide
Designing a Public Key Infrastructure: Public Key

Configure CA server settings
AD CS: Enterprise PKI (PKIView)
Download details: Active Directory Certificate Services Longhorn Beta3 Key Archival and Recovery Whitepaper

Manage certificate templates
Certificate Templates Overview
Download details: Implementing and Administering Certificate Templates in Windows Server 2008

Manage enrollments
Certificate Autoenrollment in Windows Server 2003
AD CS: Network Device Enrollment Service
AD CS: Web Enrollment
AD CS: Restricted Enrollment Agent
Download details: Microsoft SCEP Implementation Whitepaper.

Manage certificate revocations
AD CS: Online Certificate Status Protocol Support
Online Responder Installation, Configuration, and Troubleshooting Guide

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

innotech

hi there, i;m new on here, I recently took the 70-680 and passed. I have quite a good understanding of AD since working in a 2003 environment for 2 yrs..I wanna do 70-640 but need help finding some accurate resources to make learning a good experience b4 i take the exam

David Morson

Tanks for providing information and useful resources. I am looking for some exam preparation resources which are free. Have you any online realiable and free of cost resources for 70 640 and other 70 series exams preparation?

pentapaadu007

hey it is nice

camit34

Just getting started on this...book marked...!!! Thanks for taking the time to put this together!

SephStorm

What are good books for beginner, intermediate, and advanced server 2008 R2 books? I have mostly helpdesk level experience using server 2008, mostly dealing with AD, creating users, computers, groups, ect. no domain level group policy, WSUS, ect.

kriscamaro68

SephStorm wrote: »

What are good books for beginner, intermediate, and advanced server 2008 R2 books? I have mostly helpdesk level experience using server 2008, mostly dealing with AD, creating users, computers, groups, ect. no domain level group policy, WSUS, ect.

Amazon.com: Group Policy: Fundamentals, Security, and the Managed Desktop (978047058185

: Jeremy Moskowitz: Books

Amazon.com: Windows Server 2008 R2 Unleashed (9780672330926): Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry, Chris Amaris: Books

damills

Hi anyone knows a good study guide out there. I have recently took my 70-640 and I failed it with a 593, I used ucertify. Has anyone used a study guide that help them passed it?

netsysllc

All of the resources in the thread have good stuff, setting up a lab and reviewing the technologies in technet are very helpful

sharpy56

Hi Claymore,

I was just wonder if there are any sites/books that you would recommend using to do labbing etc. Not knowing about the technology is difficult in some areas just to dive straight into a lab (what would you suggest in learning this?)

chicharito

Hi,
Please can i get suggestions on the best way to prepare for the 70-640 exam.I have a book for it.What do I need to use to simulate the environment where I can practice?I'd appreciate your suggestions.Thanks

RomBUS

Try following some CBT Nugget videos, really good for watching some lab material, and you can kind of follow along with the video as he talks

horusthesun

thank you for this!

kurosaki00

Anyone know if the 72 (student version) are still available?

crystalgeek

Hi All,

I'll be taking this exam today and thought I'd share my '**** Sheet' with you. It's basically a collection of notes etc I've made as I've studied on things I think are important to remember. Maybe we can add to it as a community

Command Line Tools

Tool
Description

Dsadd
Creates an object in the directory

Dsget
Return specified attributes of an object

Dsmod
Modifies specified attributes of an object
Modify the UPN for multiple users

Dsrm
Removes and object and all sub trees

Dsquery
Performs active directory query

CSVDE
Uses .CSV files for importing large number of accounts

LDIFDE
Uses ldif files for importing large number of accounts
Create a PSO

Dsmgmt
Configure roles/admin on RODC

Dnscmd
Configure dns partitions
Configure GlobalNames Zones

Dnslint
Test DNS records for AD Replication

NTDSUTIL
Seize FSMO
Create AD Partition

Dcdiag
Diagnose DC issues/replication

Diskpart
Basic disc conversion (i.e basic to dynamic)

Dsdbutil
Create installation media that corresponds only to the AD LDS instance for backup

MMC’s and Other Tools

Tool
Management Options

ADSIEdit
View, create, modify and delete AD LDS objects. Includes accounts, OU’s, groups.

Ldp.exe
General admin on any LDAP service (including AD DC and AD LDS)
Create a new application directory in existing instance

Active Director Schema snap-in (schmmgmt.mmc)
View and manage objects in the schema

Active Directory Sites and Services snap-in
Connect to AD LDS instance.
Admin directory data replication.
Configure GlobalCatalog Servers
Universal Group Membership Caching
Modify Intersite replication schedule
Configure sites and subnets

PKIView
Monitoring and troubleshooting multiple CA’s

Certificates Templates
Configure Cert Templates:-
Create/Duplicate
Modify Properties (Validity/key archival)
Configure Policies (enrolment/issuing)
Allowing autoenrollment
Create Template that allows Key Archiving

Certificate Authority
Enable use of Template
Enrollment Agents tab (Restrict Enrollment Agents)
Key Archival
Manage security/roles
Backup certificate database
Restore certificate database
Revoke Certificate
Configure CRL publication interval
Manage CRL Distribution Point/s (CDP)
Manage AIA

Certutil
Recover Archived Keys

Certificates (Console)
Backup Certificates (Machine/User)
Restore Certificates (Machine/User)

Online Responder Management snap-in
Configure Online Responder
Configure OR Array and Revocation Config

ADFS snap-in
Configure ADFS or ADFS server farm
Manage trust policies
Configure federation trusts
Creating claims/account stores
Enabling applications

Active Directory Users and Computers
RODC Password Replication Policy
Raise/View Domain Functional Level

Active Directory Domains and Trusts
Add UPN Suffix
Create and manage trusts
Raise/View Forest Functional Level

Security Configuration and Analysis
Allows comparing local settings against an imported ini

DNS Manager
DNS Stuff
Debug Logging

DFS Management
DFS Replication/Namespaces

Security Templates
Save custom security policies

Performance Monitor
Create server performance baseline
Identify bottlenecks
Alert to events

Notes:

Server 2008 introduces V3 Certificate Templates
Windows 2000/XP/2003 can only use V1 and V2 certs for web enrolment
Network Device Enrollment Service
Web Enrollment and Online Responder require IIS
Certificate Enrollment Web Service is not real-time with changes made to templates. There is a 30 minute polling setting. To force this reset iis
Certificate Templates include a discretionary access control list – defines users and groups that can read and configure template as well as enrol/auto-enrol cert’s based on template
V1 Templates – read only
V2 supported by XP/2003 and later – allow auto enrolment
V3 supported on vista and later
Key Recovery Agent
- Cert Template snap-in – Key Recovery Agent Template (Enable Read/Enrol for KRA User)
- Certificate Authority snap-in – Enable Template
- Enrol (Web)
Smart Cards require an enrolment agent and card-writer
- Enrollment agent certificate required
From certificates console use Certificate Export Wizard to backup certificates
From certificates console use Certificate Import Wizard to restore certificates
Wbadmin system state will backup certificate database
To restore CA you must stop AD CS
Vista/2008 introduced Online Responder
AIA – Authority Information Access
- Extension applied to CA
- Points to URL for issuing CA’s certificate
- Needed for Online Responder service
Federation Services
- Company hosting application – ‘resource partner’
- Company being trusted – ‘account partner’
- Applications involved – ‘federated applications’
[IMG]file:///C:\DOCUME~1\ALEX~1.NIC\LOCALS~1\Temp\msohtmlclip1\02\clip_image002.jpg[/IMG]
A ‘resource partner’ can have multiple account partners
Federation services use tokens
Federation services requires 2008 Ent or Datacentre
A ‘claim’ is a statement made about a client (name/identity/key etc.)
An account store stores user accounts that ADFS must authenticate for using federated applications
Trust policies enable users to share documents protected in AD RMS
AD FS snap-in
- Administer account stores in AD DS or AD LDS
- Manage partners that will trust your company
  - Account partners and resource partners
- Mange claims and certificates used by federation servers and web applications (AD FS)
AD FS Claims/Account Stores
- Creating Claims
  - AD FS snap-in
  - Trust Policy
  - My Organization
- Creating Account Stores
  - AD FS snap-in
  - Account Stores
  - New Account Store
- Enabling Applications
  - AD FS snap-in
  - Applications
  - New Application
- Federation Trusts
  - AD FS snap-in
  - Partner Organizations node
  - New Account Partner/New Resource Partner
Csvde –f will export AD objects to .csv
Csvde –I –f will import AD objects that don’t already exist (-k will process without error)
Remove Roles Wizard can’t be used to remove AD DS. You must use dcpromo
You can run AD LDS without a DC or DNS
DNS Stores it’s data in an Application Partition in AD
You can only install AD CS Enterprise on a DC
AD RMS client required on Windows 2000 and XP
- Windows 2000 must have SP4
- Windows Vista must have SP2
- Vista has client by default
A RODC must have the following
- Forest Functional Level at least 2003
- PDC Emulator running on Server 2008
- One 2008 DC Exists
- If upgrading from 2003 run adprep /rodcprep
RODC partnered with a writeable (200 DC
RODC Password replication policy must be configured on writable DC
- AD Users and Computers
- RODC Properties
- Password Replication Policy Tab
You can use the above to pre-populate password cache
Group Policy Applications
- Assign
  - To User or Computer
  - Shows in Start Menu or File Association
- Publish
  - To User
  - Shows in Control Panel or File Association
- If Assigned :-
  - User - Installed on Login
  - Computer – Installed on Boot
Configure DNS after RODC install – DNSCMD /enlistdirectorypartition
Check AD Recycle Bin – Powershell (Get-ADOptionalFeature)
Audit Before/After account changes – Audit Directory Services Changes – Auditpol (Tool)
Add DC to replication scope – dnscmd /createdirectorypartition
/resourcesACL only applies to Win 7/2008 R2 and above
Forest trusts require 2003 forest functional level
DSAmain command fails
- Port needs to be 40000 or higher
Use repadmin /syncall to replicate changes immediately
UPN Suffix available at 2000 Forest Level
DFSR only available in 2008 Domain functional level
Administering ADMX files from client only available to Win 7 and higher
If an Intermediate CA Cert expires, renew the certificate and import into Intermediate store on Intermediate CA.
If you see SID on folder permissions instead of names
- Move Infrastructure Master role. This is because the Infrastructure master refers to the global catalog.
RODC can be deployed in a 2003 Forest Functional Level
RAID 5 is data striping with parity
To replicate AD LDS instance to another location – Create and Install a replica by running AD LDS Setup Wizard
To ensure device certificate requests use MD5 – Modify registry on NDES server
Global Names Zones only available after running DNSCMD
Global Catalog Servers are required to validate Universal Group Memberships
Global Catalog contains
- Index of forest objects
- Can be on any DC
- Hosts multi-domain groups
- Deals with UGMC
- Needs at least one per domain
- Removed via Active Directory Users and Computers
- Required for UPN
When creating a new tree or child domain the server must be able to contact the Domain Naming Master
When creating new users or groups you must be able to contact the infrastructure master and have RID’s available.
For server 2000 DNS to receive conditional forwarder replication you must choose ‘All Domain Controllers in This Domain’ option
SMTP is used for Inter Domain replication. Requires a CA.
Site Link Costs – Lower is a fast link
The cost of a site link is the sum of all links contained within a bridge
KCC replicates site topology
Intersite replication default is 3 hours
Minimum intrasite replication schedule is every 15 minutes
Monitoring and Troubleshooting Replication Issues
- Event Viewer
- Active Directory Replication Monitor (replmon)
- Active Directory Replication Administrator (repadmin)
Each AD LDS can have it’s only schema
AD LDS can be managed with the following tools
- Active Directory Services Interface snap-in
- LDP.exe
- Active Directory Schema snap-in
- Active Directory Sites and Services
RID Master (Relative Identifier)
- Allocates pools in 500’s
- Is the sequential numbers used by SID’s
PDC Emulator
- Backwards compatibility for NT4 Domains
- Time clock for domains
- Final Authority on Passwords
- Used by DFS for changes
- Auto default for GPO Editing
Infrastructure Master
- Keeps changes to object references consistent across forest
- Tracks changes and moves across all domains
2008 Domain Functional Level
- Required for AES
- Fine Grained Password policies
- DFS replication for SYSVOL
Forest level 2003 + allows domain name re-names
External Trusts are used to connect to NT4
Short SID’s are local accounts
PSO are applied to Users and Groups and not OU’s
- To apply to OU’s you’d have to use a shadow group
PSO over-ride the default domain policy
When using multiple PSO’s
- Application order is determined by password settings precedence
  - This is a number of 1 or greater
    - Lowest number is used
    - Lowest GUID will be used
Server 2008 Auditing Change
- Active Directory Service Access
  - Can now record what has changed
To enable Audit Changes – auditpol /set /subcategory…….
To compare security settings (ini) with command line
- Secedit /validate
Group policy default refresh rate is 90 – 120 minutes – can be changed in GPO
Group Policy Loopback Processing
- Replace
  - GPO List for the user is replaced by the GPO list for the computer
- Merge
  - Computer Settings are applied after user settings
Group Policy loopback is used so that user settings can be applied to OU’s – ie apply printer only to certain computers.
Starter Group Policy Objects
- A template used to create new group policies
Global Catalogs are also known as Partial Attribute Sets (PAS)
- Are a replica of all objects in the forest
- Read only
- Changes in domain (AD) partition are copied to GC partiontion
- GC is forest wide
ADMT (Active Directory Migration Tool) – is supported on 2008 R2 only
AD LDS – Ensure replication you must create a service user on each server
AD LDS – Each instance runs as a separate computer service
To use Filtered Attribute Set – Forest Functional Level must be 2008
- FILTERED set on schema master not ‘filtered attribute set’
DNSSEC is available with 2008 R2 (on the DNS Server not DC)
To modify the UPN suffix for all users use DSMOD
If auditing is configured already on an OU then ‘modify the auditing entry’
UGMC is configured at – Active Directory Sites and Services > NTDS Site Settings
To ensure DC’s only replicate between adjacent sites disable site link bridging
AD RMS – To modify the password used by AD RMS User account use ‘ AD RMS Tool’

Forest Trust Types
- Transitive
  - Trust domains that your parent domain trusts
- Forest Trust – used to share resources between forests. Transitive by default.
  - Two-way
    - Both domains can be authenticated in each other domain
  - One-way incoming
    - Users in your domain (creation domain) can be authenticated in the other domain
  - One-ware outgoing
    - Users in other domain can be authenticated in your domain
- External Trust
  - One-way, non-transitive –used primarily with 2000 Domain Functionality
- Realm Trust
  - Non-AD trust
- Shortcut trust
  - Trust across forests one-to-one between 2 domains/sub domains (Bypass transitive links)
Trust Authentication Scope
- Domain-wide authentication—Available in the case of external trusts, this option permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain, according to sharing and security permissions attached to the resources. It is the default option for external trusts.
- Forest-wide authentication—Available in the case of forest trusts, this option permits unrestricted access by any users in the trusted forest to all available shared resources in any domain of the trusting forest, according to sharing and security permissions attached to the resources. It is the default option for forest trusts. Microsoft recommends the domain-wide and forest-wide options for trusts within the same organization only.
- Selective authentication—This option does not create any default authentication. It enables you to specify the users and groups from a trusted forest who are permitted to authenticate to servers containing resources in the trusting forest. Microsoft recommends this option for trusts that involve separate organizations, such as contractor relationships.
  - It improves security by limiting the quantity of authentication
  - requests that can pass through the trust.

Chev Chellios

Nice summary there crystal geek, there is alot to go through for this exam it is a beast! Good luck with it dude and let us know how you get on

crystalgeek

Winner whoop - 792

Sintacks

Thanks CrystalGeek. Grats on passing. I will be writing mine at the end of next month. I'd love to know what other material you used to study and how long you studied for. I am thinking of ordering the MS Press books through our MS account manager at my office. Did you use the MS Press material or something else? TIA.... and thanks so much for the **** sheet!

Asif Dasl

Wiki Notes on 70-640

TheMontu

Really finding it hard to figure out which books to order....if you could only have two books to prepare which books would you get?

its so simple

TheMontu wrote: »

Really finding it hard to figure out which books to order....if you could only have two books to prepare which books would you get?

I was wondering the same. Any guidance would be appreciated. TIA.

conkistador

THANKS But i'm a newcomer in it plz can u advice me on the strategy to face those exams, i've just about 3 month to complete them really need u plz.take care

ClapDemCheeks

Are these resource supplemented with Train Signal/CBT Nuggets enough to pass 640?

SkyDiver069

For those who might be trying to cram in material for the 2008 R2 exams so that they can take advantage of the "2nd Shot" promo, so far I've found these videos to be pretty good! In my case, I had taken the first three 2008 training courses years back with members of a local MS Server group, and we all got burned when MS flipped the exams to R2 material on us. This is when I opted to put any MS courses on hold for a while, until I caught a couple agencies getting 'hot' for even a server MCP/MCITP on the cv. That's when I said what the heck, I might as well take another shot, if a backup exists. So, I've been cramming material in today because of that decision. https://www.youtube.com/playlist?list=PLBBA04BF566F0E0D6