Improving the Security of Authentication in an AD DS Domain

  • 6/15/2011

Suggested Practices

To help you successfully master the exam objectives presented in this chapter, complete the following tasks.

Configure Multiple Password Settings Objects

In this practice, you experience the effects of PSO precedence by creating several PSOs that apply to a single user and evaluating the resultant PSO for that user.

To perform this practice, create the following objects in the contoso.com domain:

  • A global security group named Human Resources

  • A global security group named Secure Users

  • A user account named James Fine that is a member of both the Human Resources and Secure Users groups

  • Practice 1 Create a PSO named PSO1 that is linked to the Human Resources group. Give PSO1 a precedence value of 10. You can use any valid settings for the other attributes of the PSO. Create a second PSO named PSO2 and give it a precedence value of 5. You can use any valid settings for the other attributes of the PSO. Use the steps in Exercise 2, “Create a Password Settings Object,” of Lesson 1 as a reference if necessary.

  • Practice 2 Identify the PSO that affects James Fine. Use the steps in Exercise 3, “Identify the Resultant PSO for a User,” of Lesson 1 as a guide to evaluating resultant PSOs. Which PSO applies to James Fine?

  • Practice 3 Create a PSO named PSO3 that is linked to James Fine’s user account. Give PSO3 a precedence value of 20. You can use any valid settings for the other attributes of the PSO. Use the steps in Exercise 2 of Lesson 1 as a reference if needed. Use the steps in Exercise 3 of Lesson 1 as a guide to evaluating the resultant PSO. Identify the PSO that affects James Fine.
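The precedence rules these three practices exercise, as an added Python model that is not part of the training kit: a PSO linked directly to the user account wins over any group-linked PSO regardless of its precedence value, and among PSOs of the same kind the lowest precedence value wins, with the lowest objectGUID breaking a tie. The text does not say what PSO2 is linked to, so the model assumes it is linked to Secure Users; the GUIDs and the extra user Dan Park are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int                  # msDS-PasswordSettingsPrecedence; lower wins
    guid: str                        # objectGUID, used only to break a precedence tie
    users: frozenset = frozenset()   # user accounts the PSO is linked to
    groups: frozenset = frozenset()  # global security groups the PSO is linked to


def resultant_pso(user, memberships, psos):
    """Return the name of the PSO that applies to `user`, or None when no
    PSO applies and the Default Domain Policy password settings are used."""
    # Rule 1: a PSO linked directly to the user account beats every
    # group-linked PSO, even if its precedence value is higher.
    direct = [p for p in psos if user in p.users]
    if direct:
        return min(direct, key=lambda p: (p.precedence, p.guid)).name
    # Rule 2: otherwise, among PSOs linked to a group the user belongs to,
    # the lowest precedence value wins; a tie goes to the lowest objectGUID.
    groups = memberships.get(user, frozenset())
    via_group = [p for p in psos if p.groups & groups]
    if via_group:
        return min(via_group, key=lambda p: (p.precedence, p.guid)).name
    return None


# Constructed contoso.com data for the practice (GUIDs are made up).
MEMBERS = {
    "James Fine": frozenset({"Human Resources", "Secure Users"}),
    "Dan Park": frozenset({"Human Resources"}),  # constructed extra user
}
PSO1 = PSO("PSO1", 10, "11111111-0000-0000-0000-000000000001",
           groups=frozenset({"Human Resources"}))
# Assumption: the practice does not state PSO2's link target; Secure Users is used.
PSO2 = PSO("PSO2", 5, "11111111-0000-0000-0000-000000000002",
           groups=frozenset({"Secure Users"}))
PSO3 = PSO("PSO3", 20, "11111111-0000-0000-0000-000000000003",
           users=frozenset({"James Fine"}))


def practice_results():
    """Resultant PSO for James Fine after Practice 2 and after Practice 3."""
    after_practice_2 = resultant_pso("James Fine", MEMBERS, [PSO1, PSO2])
    after_practice_3 = resultant_pso("James Fine", MEMBERS, [PSO1, PSO2, PSO3])
    return after_practice_2, after_practice_3


if __name__ == "__main__":
    print(practice_results())
```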

Recover from a Stolen Read-Only Domain Controller

In this practice, you learn how to recover if an RODC is stolen or compromised, by simulating the loss of the server named BRANCHSERVER. To perform this practice, you must have completed the practice in Lesson 3, “Configuring Read-Only Domain Controllers.”

When an RODC is stolen or compromised, any user credentials that had been cached on the RODC should be considered suspect and should be reset. Therefore, you must identify the credentials that had been cached on the RODC and reset the password of each affected account.

  • Practice 1 Determine the user and computer accounts that had been cached on BRANCHSERVER by examining the Policy Usage tab of the BRANCHSERVER Advanced Password Replication Policy dialog box. Use the steps in Exercise 3, “Monitor Credential Caching,” of Lesson 3 if you require reminders for how to identify accounts whose passwords were stored on the RODC. Export the list to a file on your desktop.

  • Practice 2 Open the Active Directory Users And Computers snap-in and, in the Domain Controllers OU, select BRANCHSERVER. Press Delete and click Yes. Examine the options you have for automatically resetting user and computer passwords.