Active Directory Troubleshooting, Maintenance, Security, and Customization
This course teaches system administrators and support personnel how to troubleshoot, maintain, and secure Active Directory. The course starts with a review of core Active Directory design philosophy, which gives the attendees a chance to describe their existing network design. Attendees then create Active Directory environments that are used to simulate their existing production network environments as closely as possible.
Attendees learn how to browse, back up, restore, compress, and defragment the Active Directory database using their experimental networks. The course also covers modifying the Active Directory schema by adding objects, attributes, and display specifiers. Course attendees also learn to troubleshoot replication, logon, DNS, and operations master issues. The curriculum focuses on tools that ship with the Windows Server 2003 operating system as well as tools that can be freely downloaded from the Microsoft Web site.
Who should attend?
This course is valuable for those who implement, troubleshoot, or maintain Active Directory. Although expertise with Active Directory is not a prerequisite for this course, those who attend should be supporting or administering an Active Directory network (or at the very least plan to do so in the near future). A basic understanding of directory services is required. This experience can come from a background in supporting or administering Windows NT Directory Services, Active Directory, Novell eDirectory, OpenLDAP, or some similar directory services technology.
Hands-on training
Attendees will perform the following tasks during the class:
• Creating an Active Directory test environment
• Performing a system state backup and an authoritative restore
• Using Automated System Recovery
• Examining directory objects with ADSI Edit, LDP and other tools
• Viewing and troubleshooting DNS record issues using the DNS console and NSLOOKUP
• Configuring DNS security
• Adding schema objects and attributes
• Extending the Active Directory Users and Computers user interface by implementing display specifiers
• Recovering from FSMO failure
• Compressing and Defragmenting the Active Directory database with NTDSUtil
• Troubleshooting Active Directory issues using Directory Services Restore Mode
• Monitoring and troubleshooting replication
Course content
ACTIVE DIRECTORY DESIGN REVIEW
• Best Practices for Forest Design
• Best Practices for Domain Design
• Flexible Single Master Operations Placement
• Best Practices for Site Design
• Best Practices for Organizational Unit Design
• Best Practices for Exchange Server Design Integration
• Creating a logical view of the enterprise directory infrastructure
BACKUP AND DISASTER RECOVERY
• Domain Controller Backup
o System State Backup
o Performing a System State Backup
o Limitation of Windows Backup
• Restoring Active Directory
o Directory Services Restore Mode
o DSRM Password
o Primary Restore
o Normal Restore
o Authoritative Restore
o The Tombstone
• Automated System Recovery
o The ASR Backup
o The ASR Restore
• Best Practices for Disaster Recovery
OPTIMIZING THE ACTIVE DIRECTORY DATABASE
• Configuring Diagnostic Logging
• Using ADSI Edit to View Directory Service Partitions
• Using NTDSUTIL for Active Directory Database Troubleshooting and Repair
o Committing Transactions to the Database
o Checking Database Integrity
o Compacting the Database
o Moving the Database
o Moving the Log Files
o Removing Orphaned Objects
o Maintaining Security Accounts
• Checking trust relationships
• Best Practices for Optimizing Active Directory
CUSTOMIZING ACTIVE DIRECTORY
• Searching and navigating the AD Support tools: ADSI Edit and LDP
o Domain naming context vs. Global Catalog (GC) object searches
o Creating complex LDAP search filters
• Providing access to new objects and attributes via the user interface (UI)
o Controlling context menus using display specifiers
o Extending the UI for administrators and users
o Modifying the schema
o Updating objects and attributes
o Disabling schema protection
• Benefits of Windows Server 2003 schema delete
• Cleaning up invalid metadata
TROUBLESHOOTING ACTIVE DIRECTORY REPLICATION
• Replication Overview
• Determining DNS Problems
• Verifying Replication
o Using RepAdmin
o Using ReplMon
o Using DCDIAG
• Controlling Replication in Large Organizations
• Best Practices for Troubleshooting AD Replication
MAINTAINING AND TROUBLESHOOTING DNS
• DNS Resolution Methods
o DNS service locator records
o DNS names for forest services
o Root Domain SRV Record High Availability
• Troubleshooting DCPROMO and DNS
• Diagnostic Tools
• Diagnosing and correcting DNS registration problems
• Best Practices for Maintaining DNS
TROUBLESHOOTING THE FILE REPLICATION SERVICE
• File Replication Service Overview
o File Replication Service (FRS), DFS and System Volume (SYSVOL) architecture and dependencies
o The replication model
o Sites and site links and replication protocols
• Resolving replication conflicts
o Journal Wrap
o Morphed Directories
o Staging Area Problems
o Parallel Version Vector Joins
• Checking consistency between multiple domain controllers
• FRS Troubleshooting Tools
o Using FRSDIAG.EXE
o Using Ultrasound
• Replicating SYSVOL
• Backing up and restoring SYSVOL
• Common FRS Problem Resolution
• Best Practices for Troubleshooting FRS
TROUBLESHOOTING LOGON FAILURES
• Auditing for Logon Problems
o Acctinfo.dll
o Kerberos Logging
• Native Mode Logon Problems
• Determining logon dependencies
• Windows Server 2003 changes to GC behavior
• Domain creation and troubleshooting
• Account Lockout Problems
• Remote Access Issues
• Are You Being Attacked?
• Controlling WAN Communications
• Best Practices for Logon and Account Lockout Troubleshooting
TROUBLESHOOTING FSMO ROLES
• FSMO Roles and Their Importance
o Schema Master
o Domain Naming Master
o Relative Identifier (RID) Master
o Infrastructure Master
o Primary Domain Controller Emulator
• Identifying FSMO role holders
• Transferring and Seizing FSMO Roles
o Identifying the Current Role Holder
o Transferring the Role to Another Domain Controller
o Seizing the Role on the Standby Domain Controller
• Best Practices for Troubleshooting FSMO Roles
CONTROLLING ACTIVE DIRECTORY SECURITY
• Securing DNS
o Keeping the System Going
o Keeping the System Accurate
§ Using IPSec
§ Using Secure DDNS
§ Avoid Cache Poisoning
§ Allow Appropriate Access
§ Lock Down Transfers
o Best Practices for Securing DNS
• Securing Active Directory
o ACEs: inherited vs. explicit
o Controlling extended rights
o The impact of AdminSDHolder
o Placement of the Active Directory Database Files
o Maintaining the Secure Account Administrators
o Creating a Security Baseline
o Using Secure Administrative Methods
o Best Practices for Securing Active Directory