Microsoft Press transitioning your mcsa mcse to windows server 2008 2009 phần 4 potx

Lesson 2: Configuring Read-Only Domain Controllers CHAPTER 5 263

NOTE DO NOT BE TOO HASTY IN RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS
It is easy to raise a functional level. It is difficult to reduce one: doing so requires a reinstall or a restore from backups taken at the lower functional level. If, for example, you raised the domain functional level to Windows Server 2008 and then found you needed to add a Windows Server 2003 domain controller to your domain, you would have a serious problem. Similarly, if you raised your organization’s forest functional level to Windows Server 2008 and your organization acquired another that had a domain that included Windows Server 2003 domain controllers, you would have problems integrating your networks. Raise functional levels only enough to enable the features you need.

MORE INFO DOMAIN AND FOREST FUNCTIONAL LEVELS
For more information about domain and forest functional levels, see http://technet.microsoft.com/en-us/library/cc754918.aspx.

RODCs require a forest functional level of Windows Server 2003 or higher. To determine the functional level of your forest, open Active Directory Domains And Trusts from the Administrative Tools group, right-click the name of the forest, choose Properties, and verify the forest functional level, as shown in Figure 5-12. Any user can verify the forest functional level in this way.

FIGURE 5-12 The Forest Properties dialog box.

264 CHAPTER 5 Configuring Active Directory Lightweight Directory Services and Read-Only Domain Controllers

If the forest functional level is not at least Windows Server 2003, examine the properties of each domain to identify any domains for which the domain functional level is not at least Windows Server 2003. If you find such a domain, ensure that all domain controllers in the domain are running Windows Server 2003. Open Active Directory Domains And Trusts, right-click the domain, and choose Raise Domain Functional Level. When you have raised each domain functional level to at least Windows Server 2003, right-click the root node of the Active Directory Domains And Trusts snap-in and choose Raise Forest Functional Level. In the Select An Available Forest Functional Level drop-down list, choose Windows Server 2003 and click Raise. You must be a domain administrator to raise the domain’s functional level. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.

Running adprep /rodcprep
If you are upgrading an existing forest to include domain controllers running Windows Server 2008, you must run adprep /rodcprep. This command configures permissions so that RODCs are able to replicate DNS application directory partitions.
If you are creating a new Active Directory forest that contains only domain controllers running Windows Server 2008, you do not need to run adprep /rodcprep. You can find the adprep command in the cdrom\Sources\Adprep folder of the Windows Server 2008 installation DVD. Copy the folder to the domain controller acting as the schema master, log on to the schema master as a member of the Enterprise Admins group, open an elevated command prompt, change directory to the Adprep folder, and enter adprep /rodcprep.

DNS Application Directory Partitions and Read-Only DNS
When DNS data is stored within AD DS directory databases, it is replicated by default with the directory data with which it is associated. You can also define a custom replication scope for DNS data. For example, DNS data that belongs to a root domain in a forest must be available to the entire forest, whereas DNS data for a specific domain is required only for that domain. You control DNS data replication scopes through DNS application directory partitions.

To support the RODC role, DNS has been updated to provide read-only DNS data for primary zones hosted on the RODC. This further secures the role and ensures that no one can create records from potentially unprotected servers to spoof the network. A DNS server running on an RODC does not support dynamic updates, but clients are able to use the DNS server to query for name resolution. Because the DNS is read-only, clients cannot update records on it. If, however, a client wants to update its own DNS record, the RODC sends a referral to a writable DNS server. The single updated record will be replicated from the writable DNS server to the DNS server on the RODC. This is a special single-object (DNS record) replication that keeps the RODC DNS servers up to date and gives the clients in the branch office faster name resolution.

The Schema Master Role
The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, Microsoft recommends you do so on the domain controller holding the schema master role. Otherwise, the changes you request must be sent to the schema master to be written into the schema.

Placing the Writable Windows Server 2008 Domain Controller
An RODC must replicate domain updates from a writable domain controller running Windows Server 2008, and the RODC must be able to establish a replication connection with the writable Windows Server 2008 domain controller.
Ideally, the writable Windows Server 2008 domain controller should be in the closest site, that is, the hub site. If you want the RODC to act as a DNS server, the writable Windows Server 2008 domain controller must also host the DNS domain zone.

Quick Check
• Your domain consists of a central site and four branch offices. The central site has two domain controllers. Each branch office site has one domain controller. All domain controllers run Windows Server 2003. Your company decides to open a fifth branch office, and you want to configure it with a new Windows Server 2008 RODC. What must you do before configuring the first RODC in your domain?

Quick Check Answer
• You must ensure that the forest functional level is Windows Server 2003. Then you need to upgrade one of the existing domain controllers to Windows Server 2008 so there is one writable Windows Server 2008 domain controller on the network. You must then run adprep /rodcprep on the writable Windows Server 2008 domain controller from the Windows Server 2008 installation DVD.
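The prerequisites the Quick Check answer lists (forest functional level, a writable Windows Server 2008 domain controller, adprep /rodcprep) have an order that is easy to get wrong in a mixed forest. The following Python model is an added example, not code from the book or from Microsoft: it encodes the rules from this lesson (a domain level is capped by its oldest domain controller, the forest level needs every domain at Windows Server 2003, an RODC needs a writable Windows Server 2008 domain controller to replicate from, and rodcprep is needed unless the forest was created with Windows Server 2008 domain controllers only) and reports what is still missing. The domain controller names, the assumption that the Quick Check forest starts at the Windows 2000 forest functional level, and the wording of the findings are constructed.

```python
"""Model of the RODC prerequisite checks described in this lesson.
Added example, not from the book; names and the starting forest level
in the scenario are constructed assumptions."""
from dataclasses import dataclass, field

# Functional levels in ascending order. A domain controller can only run at
# (or below) the level that matches its own operating system.
LEVELS = ["Windows 2000", "Windows Server 2003", "Windows Server 2008"]
RANK = {name: i for i, name in enumerate(LEVELS)}
WS2003, WS2008 = "Windows Server 2003", "Windows Server 2008"


@dataclass
class DomainController:
    name: str
    os: str                # one of LEVELS
    writable: bool = True  # False for an RODC


@dataclass
class Domain:
    name: str
    functional_level: str
    dcs: list = field(default_factory=list)

    def highest_raisable_level(self) -> str:
        """The oldest OS among the domain's DCs caps the domain level."""
        return min((dc.os for dc in self.dcs), key=lambda os: RANK[os])


@dataclass
class Forest:
    functional_level: str
    domains: list
    rodcprep_done: bool = False         # adprep /rodcprep already run
    new_2008_only_forest: bool = False  # fresh forest, 2008 DCs only


def rodc_prerequisite_findings(forest: Forest, target_domain: str) -> list:
    """Return the prerequisites NOT yet met for installing the first RODC in
    target_domain, in the order the lesson says to satisfy them.
    An empty list means the forest is ready."""
    findings = []

    # 1. Forest functional level must be at least Windows Server 2003, which
    #    in turn requires every domain to be at least Windows Server 2003.
    if RANK[forest.functional_level] < RANK[WS2003]:
        for d in forest.domains:
            if RANK[d.functional_level] >= RANK[WS2003]:
                continue
            if RANK[d.highest_raisable_level()] < RANK[WS2003]:
                findings.append(
                    f"upgrade pre-2003 domain controllers in {d.name}")
            findings.append(
                f"raise domain functional level of {d.name} to {WS2003}")
        findings.append(f"raise forest functional level to {WS2003}")

    # 2. The RODC needs a writable Windows Server 2008 DC to replicate from.
    domain = next(d for d in forest.domains if d.name == target_domain)
    if not any(dc.writable and dc.os == WS2008 for dc in domain.dcs):
        findings.append(
            f"add or upgrade a writable {WS2008} domain controller in {domain.name}")

    # 3. adprep /rodcprep is needed unless the forest was created with
    #    Windows Server 2008 domain controllers only.
    if not (forest.new_2008_only_forest or forest.rodcprep_done):
        findings.append("run adprep /rodcprep on the schema master")
    return findings


def quick_check_scenario() -> Forest:
    """The Quick Check scenario: one domain, six Windows Server 2003 DCs
    (two central, four branch). Forest level Windows 2000 is an assumption;
    the DC names are constructed."""
    dcs = [DomainController(f"HQ-DC{i}", WS2003) for i in (1, 2)]
    dcs += [DomainController(f"BR{i}-DC", WS2003) for i in range(1, 5)]
    return Forest("Windows 2000", [Domain("contoso.internal", WS2003, dcs)])


if __name__ == "__main__":
    forest = quick_check_scenario()
    for line in rodc_prerequisite_findings(forest, "contoso.internal"):
        print("-", line)
```

Running the script against the Quick Check scenario lists exactly the three steps in the answer; once the forest level, a writable Windows Server 2008 domain controller and rodcprep are recorded, the list is empty.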
Installing an RODC
After you complete the preparatory steps, you can install an RODC on either a full or Server Core installation of Windows Server 2008. On a full installation of Windows Server 2008, you can use the Active Directory Domain Services Installation Wizard to create an RODC. You select Read-Only Domain Controller (RODC) on the Additional Domain Controller Options page of the wizard, as shown in Figure 5-13.

FIGURE 5-13 Creating an RODC with the Active Directory Domain Services Installation Wizard.

Alternatively, you can use the dcpromo command with the /unattend switch to create the RODC. On a Server Core installation of Windows Server 2008, you must use the dcpromo /unattend command. You can also delegate the installation of the RODC, which enables a user who is not a domain administrator to create the RODC by adding a new server in the branch office and running dcpromo.

EXAM TIP
Remember that if you create an RODC by using delegated installation, the server must be a member of a workgroup, not of the domain.
Installing an RODC on Server Core
Microsoft recommends deploying RODCs that run on the Server Core installation whenever practicable. This improves the security of branch office domain controllers. GUI tools are not available in Server Core, but you can use the dcpromo /unattend command at an elevated command prompt in exactly the same way as you can to install an RODC on a full Windows Server 2008 installation. The following example creates an RODC in the contoso.internal domain in the MyBranch site, creates a global catalog, and installs and configures the DNS Server service:

    dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:ReadOnlyReplica /replicaDomainDNSName:contoso.internal /sitename:MyBranch /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"f:\sysvol" /safeModeAdminPassword:P@ssw0rd /rebootOnCompletion:yes

Alternatively, you can choose to use an answer file. In this case, first create your answer file by using a text editor, and then enter the command dcpromo /unattend:<path to answer file>. Your answer file would be similar to the following:

    [DCInstall]
    Username=Kim_Akers
    Password=P@ssw0rd
    UserDomain=contoso.internal
    InstallDns=yes
    ConfirmGC=yes
    ReplicaOrNewDomain=ReadOnlyReplica
    ReplicaDomainDNSName=contoso.internal
    Sitename=MyBranch
    databasePath="e:\ntds"
    logPath="e:\ntdslogs"
    sysvolpath="f:\sysvol"
    SafeModeAdminPassword=P@ssw0rd
    RebootOnCompletion=yes

MORE INFO SERVER CORE FEATURES
For more information about the features that you can install with a Server Core installation, see http://technet.microsoft.com/en-us/library/cc771345.aspx.
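Because the answer file is written by hand, and because the command line uses /Key:Value while the file uses Key=Value, it is worth checking the file before dcpromo reads it. The Python validator below is an added example, not code from the book or from Microsoft. The set of keys it treats as mandatory for a read-only replica, and the allowed values it accepts for ReplicaOrNewDomain, are assumptions drawn from the example above rather than from dcpromo’s own documentation; both sample files are constructed, one of them deliberately containing three lines with the command-line separator.

```python
"""Validator for a dcpromo [DCInstall] answer file (added example, not from
the book). Required keys and allowed ReplicaOrNewDomain values are
assumptions based on the answer file shown in this lesson."""
import re

# Keys this validator insists on for an RODC promotion (assumption).
REQUIRED_FOR_RODC = {"replicaornewdomain", "replicadomaindnsname",
                     "safemodeadminpassword"}
# Keys whose value must come from a fixed set (the first set is an assumption).
ENUMS = {
    "replicaornewdomain": {"replica", "readonlyreplica", "domain"},
    "installdns": {"yes", "no"},
    "confirmgc": {"yes", "no"},
    "rebootoncompletion": {"yes", "no"},
}
PATH_KEYS = ("databasepath", "logpath", "sysvolpath")
SECRET_KEYS = ("password", "safemodeadminpassword")

KEY_EQ_VALUE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")
KEY_COLON_VALUE = re.compile(r"^([A-Za-z]+)\s*:\s*(.*)$")  # command-line form


def parse_dcinstall(text: str):
    """Parse the file into (settings, problems); keys are lower-cased."""
    settings, problems, in_section = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("["):
            in_section = line.lower() == "[dcinstall]"
            if not in_section:
                problems.append(f"line {lineno}: unexpected section {line}")
            continue
        if not in_section:
            problems.append(f"line {lineno}: setting outside [DCInstall]")
            continue
        m = KEY_EQ_VALUE.match(line)
        if not m:
            # A common slip: the /Key:Value separator from the dcpromo command
            # line does not work inside the answer file, which needs Key=Value.
            hint = (" (':' is the command-line separator; the answer file needs Key=Value)"
                    if KEY_COLON_VALUE.match(line) else "")
            problems.append(f"line {lineno}: cannot parse '{line}'{hint}")
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in settings:
            problems.append(f"line {lineno}: duplicate key {m.group(1)}")
        settings[key] = value
    return settings, problems


def validate_rodc_answer_file(text: str):
    """Return (problems, secret_keys_present). An empty problems list means
    the file parses cleanly and describes an RODC promotion."""
    settings, problems = parse_dcinstall(text)
    for key in sorted(REQUIRED_FOR_RODC - settings.keys()):
        problems.append(f"missing required key {key}")
    for key, allowed in ENUMS.items():
        if key in settings and settings[key].lower() not in allowed:
            problems.append(f"{key}={settings[key]} is not one of {sorted(allowed)}")
    if ("replicaornewdomain" in settings
            and settings["replicaornewdomain"].lower() != "readonlyreplica"):
        problems.append("ReplicaOrNewDomain must be ReadOnlyReplica for an RODC")
    for key in PATH_KEYS:
        if key in settings and not re.match(r"^[A-Za-z]:\\", settings[key]):
            problems.append(f"{key}={settings[key]} is not an absolute local path")
    # Keys that hold clear-text passwords; the caller should delete the file
    # once dcpromo has finished with it.
    secrets = [k for k in SECRET_KEYS if k in settings]
    return problems, secrets


# Constructed sample: the lesson's answer file, but with the last three lines
# written with the command-line ':' separator instead of '='.
ANSWER_FILE_WITH_SLIPS = r"""[DCInstall]
Username=Kim_Akers
Password=P@ssw0rd
UserDomain=contoso.internal
InstallDns=yes
ConfirmGC=yes
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.internal
Sitename=MyBranch
databasePath="e:\ntds"
logPath="e:\ntdslogs"
sysvolpath:"f:\sysvol"
SafeModeAdminPassword:P@ssw0rd
RebootOnCompletion:yes
"""

# The same file with every line in Key=Value form.
ANSWER_FILE_FIXED = (ANSWER_FILE_WITH_SLIPS
                     .replace("sysvolpath:", "sysvolpath=")
                     .replace("SafeModeAdminPassword:", "SafeModeAdminPassword=")
                     .replace("RebootOnCompletion:", "RebootOnCompletion="))

if __name__ == "__main__":
    for label, text in (("with slips", ANSWER_FILE_WITH_SLIPS), ("fixed", ANSWER_FILE_FIXED)):
        problems, secrets = validate_rodc_answer_file(text)
        print(label, "->", problems or "OK", "| clear-text secrets:", secrets)
```

The returned list of secret keys is a reminder that the file holds both the promotion account’s password and the Directory Services Restore Mode password in clear text, so it should be stored on the server only for as long as the promotion takes and deleted afterwards.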
MORE INFO OPTIONS FOR INSTALLING AN RODC
For more information about RODC installation, including delegated installation, see “Step-by-Step Guide for Read-only Domain Controllers” at http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true.

Password Replication Policy
PRP determines which users’ credentials can be cached on a specific RODC.
If PRP allows an RODC to cache a user’s credentials, that user’s authentication and service ticket activities can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred to a writable domain controller by the RODC. An RODC PRP is determined by two multivalued attributes of the RODC computer account. These attributes are known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If a user is on both the Allowed List and the Denied List, that user’s credentials will not be cached; the Denied List takes precedence.

Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 creates two domain local security groups in the Users container of AD DS. The first, named Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If there are users whose credentials you want all domain RODCs to cache, add those users to the Allowed RODC Password Replication Group. The second group is named Denied RODC Password Replication Group. It is added to the Denied List of each new RODC. If there are users whose credentials you want to ensure domain RODCs never cache, add those users to the Denied RODC Password Replication Group. By default, this group contains security-sensitive accounts that are members of groups such as Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

NOTE CACHING COMPUTER CREDENTIALS
In addition to branch office users, branch office computers also generate authentication and service ticket activity. To improve performance of systems in a branch office, allow the branch RODC to cache both user and computer credentials.

Configuring an RODC-Specific Password Replication Policy
The Allowed RODC Password Replication Group and Denied RODC Password Replication Group provide a method of managing PRP on all RODCs. However, you typically need to allow the RODC in each branch office to cache user and computer credentials for that specific location. Therefore, you must configure the Allowed List and the Denied List of each RODC. To configure an RODC PRP, open the properties of the RODC computer account in the Domain Controllers OU. On the Password Replication Policy tab, shown in Figure 5-14, you can view the current PRP settings and add or remove users or groups from the PRP.

FIGURE 5-14 The Password Replication Policy tab of an RODC.

Administering Credentials Caching on an RODC
When you click the Advanced button on the Password Replication Policy tab, shown in Figure 5-14, the Advanced Password Replication Policy dialog box shown in Figure 5-15 appears.
The drop-down list at the top of the Policy Usage tab enables you to select one of the following RODC reports:
• Accounts Whose Passwords Are Stored On This Read-Only Domain Controller. This report displays the list of user and computer credentials currently cached on the RODC. You can use this list to determine whether credentials are being cached that you do not want to be cached on the RODC and modify the PRP accordingly.
• Accounts That Have Been Authenticated To This Read-Only Domain Controller. This report displays the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. You can use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached and you want them to be, add them to the PRP.

FIGURE 5-15 The Advanced Password Replication Policy dialog box.

The Resultant Policy tab of the Advanced Password Replication Policy dialog box enables you to evaluate the effective caching policy for an individual user or computer. Click Add to select a user or computer account for evaluation.

You can also use the Advanced Password Replication Policy dialog box to prepopulate credentials in the RODC cache. If a user or computer is on an RODC Allowed List, the account credentials can be cached on the RODC, but not until the authentication or service ticket events cause the RODC to replicate the credentials from a writable domain controller. You can ensure that authentication and service ticket activity will be processed locally by the RODC even when the user or computer is authenticating for the first time by prepopulating credentials in the RODC cache for users and computers in the branch office. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers.
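The Allowed List and Denied List rules from the Password Replication Policy section, and the two Policy Usage reports just described, can be modelled in a few lines, which makes it easy to see why an account that sits in a branch group and in Domain Admins is still never cached, and to turn the “passwords stored” report into a review check. The Python below is an added example, not code from the book or from Microsoft, and it does not talk to AD DS: the group membership, the RODC policy, the list of logons and the branch computer name BR1-WS01$ are constructed (it reuses the account names from the practice later in this lesson, and places Kim_Akers in the branch group purely to show the Denied List winning).

```python
"""Password replication policy (PRP) evaluation for an RODC (added example,
not from the book). Models the Allowed List / Denied List rules and the two
Policy Usage reports; the directory data is a constructed stand-in."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Group membership: group name -> direct members (users, computers
    or nested groups). Constructed stand-in for AD DS."""
    members: dict = field(default_factory=dict)

    def groups_of(self, principal: str) -> set:
        """Every group the principal belongs to, following nesting."""
        found, pending = set(), [principal]
        while pending:
            current = pending.pop()
            for group, direct in self.members.items():
                if current in direct and group not in found:
                    found.add(group)
                    pending.append(group)
        return found


@dataclass
class RodcPolicy:
    """The Allowed List and Denied List attributes of one RODC account."""
    allowed: set
    denied: set


def resultant_policy(directory: Directory, policy: RodcPolicy, principal: str) -> str:
    """What the Resultant Policy tab would show for one user or computer.
    The Denied List wins over the Allowed List; being on neither means the
    RODC refers the logon to a writable DC and caches nothing."""
    identities = {principal} | directory.groups_of(principal)
    if identities & policy.denied:
        return "Deny"
    if identities & policy.allowed:
        return "Allow"
    return "Deny (implicit)"


def policy_usage_reports(directory: Directory, policy: RodcPolicy,
                         authenticated: list) -> dict:
    """Split a list of principals that authenticated at the RODC into the two
    reports of the Advanced Password Replication Policy dialog box."""
    stored, referred = [], []
    for principal in authenticated:
        if resultant_policy(directory, policy, principal) == "Allow":
            stored.append(principal)    # password now cached on the RODC
        else:
            referred.append(principal)  # forwarded to a writable DC
    return {"passwords_stored": stored, "authenticated_only": referred}


SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins",
                    "Group Policy Creator Owners"}


def sensitive_accounts_cached(directory: Directory, reports: dict) -> list:
    """Review check for the 'passwords stored' report: any cached account
    that belongs to a sensitive group means the Denied List has a gap."""
    return [p for p in reports["passwords_stored"]
            if directory.groups_of(p) & SENSITIVE_GROUPS]


def sample_scenario():
    """Constructed branch-office data using the practice's account names."""
    directory = Directory({
        "Branch_Office_Users": {"Jeff Hay", "Joe Healy", "Kim_Akers"},
        "Domain Admins": {"Kim_Akers"},
        "Denied RODC Password Replication Group":
            {"Domain Admins", "Enterprise Admins", "Group Policy Creator Owners"},
        "Allowed RODC Password Replication Group": set(),
    })
    policy = RodcPolicy(
        allowed={"Allowed RODC Password Replication Group",
                 "Branch_Office_Users", "BR1-WS01$"},  # BR1-WS01$: a branch PC
        denied={"Denied RODC Password Replication Group"},
    )
    return directory, policy


if __name__ == "__main__":
    directory, policy = sample_scenario()
    logons = ["Jeff Hay", "Tanja Plate", "Kim_Akers", "BR1-WS01$"]
    for name in logons:
        print(f"{name:12} -> {resultant_policy(directory, policy, name)}")
    print(policy_usage_reports(directory, policy, logons))
```

The sensitive_accounts_cached check is the automated form of the advice above to read the “passwords stored” report for credentials you did not intend to cache: in the sample it returns nothing, and it flags Kim_Akers as soon as Domain Admins is removed from the Denied RODC Password Replication Group.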
Typically, you would prepopulate credentials in this way if a new employee is starting work at a branch office (or if you know that a senior manager is visiting a branch office and will want to log on).

Administrative Role Separation
RODCs in branch offices can require maintenance such as the installation of an updated device driver. Additionally, small branch offices might combine the RODC with (for example) the file server role on a single computer, in which case it is important that a staff member at the branch office can back up the system. RODCs support local administration through a feature called administrative role separation. Each RODC maintains a local database of groups for specific administrative purposes. You can add domain user accounts to these local roles to enable support for a specific RODC. You can configure administrative role separation by using the dsmgmt.exe command. To add a user to the Administrators role on an RODC, follow these steps:
1. Open an elevated command prompt on the RODC.
2. Type dsmgmt.
3. Type local roles.
4. At the local roles prompt, you can type ? to obtain a list of commands. You can also type list roles to obtain a list of local roles.
5. Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user.
You can repeat this process to add other users to the various local roles on an RODC.

MORE INFO IMPROVING AUTHENTICATION AND SECURITY
For more information about how RODCs improve authentication and security in branch offices, see http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx.

PRACTICE Configuring an RODC
In this practice, you configure an RODC to simulate a branch office scenario. You install the RODC, configure password replication policy, monitor credential caching, and prepopulate credentials.

NOTE RODC AND AD LDS
In this practice, you promote the Boston server to an RODC. If you completed the practice in Lesson 1, the AD LDS server role is already installed on this server. In a production network, you would not promote a server that is running the AD LDS server role. In your test environment, the exercises work as written. However, you might decide to remove the AD LDS role on Boston before you promote the server. Lesson 1 details how to remove the AD LDS role.

EXERCISE 1 Create Active Directory Objects
In this exercise, you create Active Directory objects that you will use in the following exercises.
1. Log on to the Glasgow domain controller with the Kim_Akers account.
2. Open Active Directory Users And Computers.
3. Create the following Active Directory objects:
   • A global security group named Branch_Office_Users
   • A user named Jeff Hay
   • A user named Joe Healy
   • A user named Tanja Plate
   • Put Jeff Hay and Joe Healy in Branch_Office_Users. Do not put Tanja Plate into this group. All three accounts will be members of Domain Users by default.
4. Add the Domain Users group as a member of the Print Operators group.
NOTE PRINT OPERATORS GROUP
Adding standard user or group accounts to the Print Operators group enables users to log on interactively at a domain controller. You would not do this in a production environment.

5. Log off from the domain controller.

EXERCISE 2 Install an RODC
In this exercise, you configure the Boston server as an RODC in the contoso.internal domain.
1. Log on to the domain at Boston with the Kim_Akers account.
2. Click Start, click Run, and enter dcpromo. A window appears, informing you that the Active Directory Domain Services binaries are being installed. When installation completes, the Active Directory Domain Services Installation Wizard appears.
3. Click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose A Deployment Configuration page, select Existing Forest, and then select Add A Domain Controller To An Existing Domain. Click Next.
6. On the Network Credentials page, type contoso.internal.
7. Click Set.
8. In the User Name box, type Kim_Akers.
9. In the Password box, type the password for the Kim_Akers account. Click OK.
10. Click Next.
11. On the Select A Domain page, select contoso.internal, and then click Next.
12. On the Select A Site page, select Default-First-Site-Name, and then click Next. Note that in a production environment, you would select the site for the branch office in which the RODC is being installed.
13. On the Additional Domain Controller Options page, select Read-Only Domain Controller (RODC). Ensure that DNS Server and Global Catalog are selected. Click Next.
14. On the Delegation Of RODC Installation And Administration page, click Next.
15. On the Location For Database, Log Files, And SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, type a password in the Password and Confirm Password text boxes, and then click Next. Choose a secure password that you will remember but others are unlikely to guess.

Posted: 09/08/2014, 09:21
