Explanation:
Create a CA Setup for OCSP Responders
An online responder needs to have a current online certificate status in order to work effectively.
Certificate for the Protocol (OCSP)Response Signing. If you are using an OCSP responder that is not a Microsoft product, you additionally require this OCSP Response Signing certificate.
The following actions are required when setting up a certification authority (CA) to support OCSP responder services:
1. Set up the OCSP Response Signing certificates' issuance properties and certificate templates.
2. Establish enrollment restrictions for all computers hosting Online
Responders.
3. Enable the OCSP extension in issued certificates if the CA runs on Windows Server 2003.
4. Update the authority information access extension on the CA to include the Online Responder's or OCSP responder's location.
5. Activate the CA's OCSP Response Signing certificate template.
Explanation:
http://support.microsoft.com/kb/298148
How to Dispose of the Dot Zone (Root Zone)
When installing DNS on a Windows 2000 server without a connection to the Internet,
A root zone, commonly referred to as a dot zone, is generated along with the zone for the domain on the internet. The DNS and its clients may be unable to access the Internet due to this root zone. If a root zone exists, there are no other zones save those that are mentioned with DNS, and forwarders or root hint servers cannot be configured. You might need to get rid of the root zone because of these factors.
Explanation:
Recognizing Forwarders -
An internal DNS server on a network that transmits DNS requests for external DNS names to external DNS servers is known as a forwarder. Utilizing conditional forwarders, you may also forward inquiries in accordance with particular domain names.
By configuring the other DNS servers on the network to forward requests that they are unable to locally resolve to the DNS server you have designated as a forwarder, you can designate one DNS server on a network as a forwarder. You may control name resolution for names outside of your network, such names on the Internet, and enhance name resolution effectiveness for the computers in your network by employing a forwarder.
The direction of external name inquiries with forwarders is shown in the accompanying figure.
desktop1.png in C: Documents and Settingsusernwz1
Forwarders with conditions: A DNS server that forwards DNS requests based on the DNS domain name in the request is known as a conditional forwarder. For instance, you can instruct a DNS server to route all requests for names ending in corp.contoso.com to either a single DNS server's IP address or to the IP addresses of several different DNS servers.
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add Forest UPN Suffixes
Adding a Forest to a UPN Suffix -
Active Directory Domains and Trusts should be open.
In the Tree window pane, right-click Active Directory Domains and Trusts, and then click
Properties.
Enter the new UPN suffix you want to add to the forest on the UPN Suffixes page.
Click OK after selecting Add.
You can now choose the new UPN suffix to complete the user's logon name when adding users to the forest.
Explanation:
Step-by-Step Guide for the AD DS Fine-Grained Password and Account Lockout Policy
This step-by-step manual outlines how to set up and implement specific password and account lockout policies for various user groups in Windows Server 2008 domains.
There is only one password and account lockout policy that may be applied to all domain users in Microsoft Windows 2000 and Windows Server 2003 Active Directory domains. This policy is defined in the domain's Default Domain Policy. As a result, you had to either develop a password filter or set up numerous domains if you desired different password and account lockout settings for certain groups of users. Both choices were expensive for various reasons.
Using fine-grained password policies in Windows Server 2008, you can specify various password policies and implement various account lockout and password restrictions for various groups of users inside a single domain.
Policies for account lockout and fine-grained passwords: Requirements and specific considerations
Domain functional level: Windows Server 2008 or a later version must be selected as the domain functional level.
Explanation:
When objects and their characteristics are changed, a new audit subcategory in Windows Server 2008 allows you to configure AD DS auditing to log both the old and new values.
The new audit policy subcategory Directory Service Changes enables the ability to audit changes to objects in AD DS. This manual offers guidance for putting this audit policy subcategory into practice.
Explanation:
desktop1.png in C:Documents and Settingsusernwz1
Additional details:
http://technet.microsoft.com/en-us/library/dd145547.aspx
Account Tab in User Properties
Account closes down -
establishes the user's account expiration policy. You have the following options to choose from:
If you want the specified account to never expire, use the Never option. For brand-new users, this choice is the default.
If you wish the user's account to expire on a specific date, choose End of and then choose a date.