Lesson 2
Implementing Active Directory

Skills Matrix

Technology Skill                                            | Objective Domain                                                        | Objective #
Installing a New Active Directory Forest                    | Configure a forest or a domain                                          | 2.1
Establishing and Maintaining Trust Relationships            | Configure trusts                                                        | 2.2
Configuring Active Directory Lightweight Directory Services | Configure Active Directory Lightweight Directory Services (AD LDS)      | 3.1
Configuring a Read-Only Domain Controller                   | Configure the Read-Only Domain Controller (RODC)                        | 3.3

Server Manager
Located in Administrative Tools.
Can also be accessed by right-clicking My Computer and selecting Manage.
Allows you to:
Add roles such as the DNS Server or Active Directory Domain Services role.
Perform system diagnostics.
Configure system services.
Drill down into specific administrative tools.

Requirements for Active Directory
A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full version or Server Core).
An administrator account and password on the local machine.
An NT file system (NTFS) partition for the SYSVOL folder structure.
200 MB minimum free space on the previously mentioned NTFS partition for the Active Directory database files.
50 MB minimum free space for the transaction log files.
Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured.
An authoritative DNS server for the DNS domain that supports service resource (SRV) records.
It is recommended that the DNS server also support incremental zone transfers and dynamic updates.

Installing Active Directory
To install Active Directory, you will first need to add the Active Directory Domain Services role using Server Manager.
The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
Adding a domain controller to an existing environment.
Creating an entirely new forest structure.
Adding a child domain to an existing domain.
Adding a new domain tree to an existing forest.
Demoting domain controllers and eventually removing a domain or forest.

Choosing the Deployment Configuration

Post-Installation Tasks
Upon completion of the Active Directory installation, you should verify a number of items:
Application directory partition creation.
Aging and scavenging for zones.
Forward lookup zones and SRV records.
Reverse lookup zones.

Application Partitions

Aging and Scavenging of DNS Records
Aging and scavenging are processes that can be used by Windows Server 2008 DNS to clean up the DNS database after DNS records become stale or out of date.
Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues.

DNS Records
Make sure the Forward Lookup zone is created.
Make sure a Host (A) record is created for your server.
Make sure the following DNS subdomains are created:
_msdcs
_sites
_tcp
_udp
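The post-installation DNS checks above can be scripted. This is an added example, not from the lesson; it assumes the DnsClient module (Resolve-DnsName, available on Windows Server 2012 / Windows 8 or later) and uses a constructed placeholder domain name.

```powershell
# Added example (not from the lesson): verify the DNS records Active Directory clients rely on.
# Assumes the DnsClient module (Resolve-DnsName, Windows Server 2012 / Windows 8 or later).
$Domain    = 'corp.example.com'   # constructed placeholder: your AD DNS domain name
$DnsServer = $null                # optional: a specific DNS server to query, e.g. the new DC

$resolveArgs = @{ ErrorAction = 'SilentlyContinue' }
if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

# SRV records a domain controller must publish: _ldap/_kerberos/_kpasswd under _tcp,
# the global catalog locator, and the forest-wide _msdcs subtree used by other DCs.
$requiredSrv = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)

$results = @()
foreach ($name in $requiredSrv) {
    $srv = Resolve-DnsName -Name $name -Type SRV @resolveArgs | Where-Object Type -eq 'SRV'
    $results += [pscustomobject]@{
        Record  = "$name (SRV)"
        Present = [bool]$srv
        Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    }
}

# Host (A) record for this server in the forward lookup zone, then the matching PTR records.
$hostA = Resolve-DnsName -Name "$env:COMPUTERNAME.$Domain" -Type A @resolveArgs | Where-Object Type -eq 'A'
$results += [pscustomobject]@{
    Record  = "$env:COMPUTERNAME.$Domain (A)"
    Present = [bool]$hostA
    Targets = ($hostA | ForEach-Object IPAddress) -join ', '
}
foreach ($ip in ($hostA | ForEach-Object IPAddress)) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR @resolveArgs | Where-Object Type -eq 'PTR'
    $results += [pscustomobject]@{
        Record  = "$ip (PTR)"
        Present = [bool]$ptr
        Targets = ($ptr | ForEach-Object NameHost) -join ', '
    }
}

$results | Format-Table -AutoSize
# A row with Present = False means clients cannot locate the DC through that lookup.
# Restarting the Netlogon service on the DC re-registers its SRV records via dynamic update.
```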

Raising the Domain Functional Level
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the domain you wish to raise and select Raise Domain Functional Level.

Raising the Forest Functional Level
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.
If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet.
If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
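Because raising a functional level cannot be undone, it is worth checking every domain's level before clicking Raise. The following added example (not from the lesson) does that check; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and Enterprise Admins rights.

```powershell
# Added example (not from the lesson): check every domain's level before raising the forest
# functional level, so the error described above is caught in advance.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and Enterprise Admins rights.
Import-Module ActiveDirectory

# The forest level being requested; the lesson's scenario is Windows Server 2008.
$targetForestMode = 'Windows2008Forest'
# A forest level requires every domain in the forest to be at least the matching domain level.
$requiredDomainMode = @{
    'Windows2003Forest'   = 'Windows2003Domain'
    'Windows2008Forest'   = 'Windows2008Domain'
    'Windows2008R2Forest' = 'Windows2008R2Domain'
}
$requiredMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]$requiredDomainMode[$targetForestMode]

$forest = Get-ADForest
Write-Host "Forest $($forest.Name) is currently at $($forest.ForestMode)"

# ADDomainMode enum values are ordered oldest to newest, so a numeric comparison works.
$laggards = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    if ([int]$domain.DomainMode -lt [int]$requiredMode) {
        [pscustomobject]@{ Domain = $domainName; DomainMode = $domain.DomainMode }
    }
}

if ($laggards) {
    Write-Warning "Cannot raise the forest to $targetForestMode until these domains are raised:"
    $laggards | Format-Table -AutoSize
} else {
    # Raising a functional level cannot be reversed; -WhatIf previews the change without applying it.
    Set-ADForestMode -Identity $forest -ForestMode $targetForestMode -WhatIf
}
```

Remove -WhatIf only once the preview shows the intended forest and level.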

Removing Active Directory
Click the Start menu, key dcpromo, and then press Enter.

Schema Management Console
Some commercial applications, such as Microsoft Exchange, will modify the schema as a part of their installation process.
You can also extend the schema manually using the Active Directory Schema snap-in.
To modify the schema manually, you must be a member of the Schema Admins group.
The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master Operations role.

Installing the Schema Management Snap-in
From a command prompt, key regsvr32 schmmgmt.dll.
Close the Command Prompt window, click Start, and then select Run.
Key mmc /a in the dialog box and click OK.
Click the File menu and select Add/Remove Snap-in.
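Before a manual schema change, confirm which domain controller holds the Schema Master role and who is in Schema Admins. This added example (not from the lesson) performs those checks and the regsvr32 step; it assumes the ActiveDirectory PowerShell module and that the current user is the account that will run the snap-in.

```powershell
# Added example (not from the lesson): pre-flight checks before a manual schema change.
# Assumes the ActiveDirectory module and that the current user ($env:USERNAME) is the account
# that will run the Active Directory Schema snap-in.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain

# 1. The snap-in must target the Schema Master, so record which DC holds the role.
Write-Host "Schema Master: $($forest.SchemaMaster)"

# 2. Schema Admins (RID 518) exists only in the forest root domain. Keep its membership empty and
#    add an account only for the duration of the change; list who is in it right now.
$schemaAdmins = Get-ADGroup -Identity "$($rootDomain.DomainSID)-518" -Server $rootDomain.PDCEmulator
$members = @(Get-ADGroupMember -Identity $schemaAdmins -Recursive -Server $rootDomain.PDCEmulator)
Write-Host "Schema Admins currently has $($members.Count) member(s):"
$members | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

$me = Get-ADUser -Identity $env:USERNAME
if (($members | ForEach-Object { $_.SID.Value }) -contains $me.SID.Value) {
    Write-Host "$($me.SamAccountName) is a Schema Admin; remove the membership again when the change is done."
} else {
    Write-Warning "$($me.SamAccountName) is not in Schema Admins; schema modifications will be refused."
}

# 3. Register the snap-in DLL (the regsvr32 step from the lesson). Run it on the Schema Master itself.
if ($env:COMPUTERNAME -ieq ($forest.SchemaMaster -split '\.')[0]) {
    & regsvr32.exe /s schmmgmt.dll
}
```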

Trust Relationships
Trust relationships exist to make resource accessibility easier between domains and forests.
Many trust relationships are established by default during the creation of the Active Directory forest structure.
Trust relationships can be created using the Active Directory Domains and Trusts console from the Administrative Tools folder.
Four trust types can be manually established in Windows Server 2008:
Shortcut trusts - Used to shorten the tree-walking process for users who require frequent access to resources elsewhere in the forest.
Cross-forest trusts - Allow you to create two-way transitive trusts between separate forests.
External trusts - Used to configure a one-way non-transitive trust.
Realm trusts - Allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm.

Revoking a Trust Using Netdom
Open a command prompt and type the following text:
netdom trust TrustingDomainName /d:TrustedDomainName /remove
Press Enter.
Repeat these steps for the other end of the trust relationship.
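The same netdom tool can verify a trust rather than remove it. This added example (not from the lesson) lists the domain's trusts, classifies each one using the four kinds described above, and verifies those this domain is the trusting side of; it assumes the ActiveDirectory PowerShell module and netdom.exe (RSAT), run with Domain Admins rights.

```powershell
# Added example (not from the lesson): inventory this domain's trusts, classify each one using the
# four kinds described above, and verify the ones this domain can verify from its own side.
# Assumes the ActiveDirectory module and netdom.exe (RSAT), run with Domain Admins rights.
Import-Module ActiveDirectory

$local  = Get-ADDomain
$trusts = Get-ADTrust -Filter * -Server $local.PDCEmulator

$report = foreach ($t in $trusts) {
    $kind = switch ($t) {
        { $_.TrustType -eq 'MIT' } { 'Realm (MIT Kerberos)'; break }
        { $_.IntraForest }         { 'Intra-forest (default parent-child/tree-root, or shortcut)'; break }
        { $_.ForestTransitive }    { 'Cross-forest (transitive)'; break }
        default                    { 'External (non-transitive)' }
    }
    [pscustomobject]@{
        Partner       = $t.Target
        Kind          = $kind
        Direction     = $t.Direction          # Inbound, Outbound or BiDirectional
        SIDFiltering  = $t.SIDFilteringQuarantined
        SelectiveAuth = $t.SelectiveAuthentication
    }
}
$report | Format-Table -AutoSize

# netdom /verify checks the trust from the trusting side. This domain is the trusting side only for
# Outbound and BiDirectional trusts; inbound-only trusts must be verified from the partner domain,
# just as the /remove step above has to be repeated at the other end.
foreach ($t in $trusts | Where-Object { $_.Direction -in 'Outbound', 'BiDirectional' }) {
    & netdom trust $local.DNSRoot "/d:$($t.Target)" /verify
}

# Review points: an external trust with SIDFiltering = False, or a cross-forest trust with
# SelectiveAuth = False, lets the partner's accounts reach more of this forest than intended.
```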

User Principal Name (UPN)
The name of a system user in an email address format: username@domainname.
Based on Internet RFC 822.

Changing the Default Suffix for User Principal Names
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click Active Directory Domains and Trusts and choose Properties.
Click the UPN Suffix tab, key the new suffix, and click Add.
Key more than one suffix if your forest has more than one tree, and then click OK.

Summary
Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
Planning the forest and domain structure should include a checklist that can be referenced for the dialog information required by the Active Directory Installation Wizard.
Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records.
Additional items, such as reverse lookups, aging, and scavenging, should also be configured.
Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS. These partitions allow replica placement within the forest structure.
System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
Planning forest and domain functionality is dependent on the need for down-level operating system compatibility.
Raising a forest or domain functional level is a procedure that cannot be reversed.
Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts.
Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
UPNs provide a mechanism to make access to resources in multiple domains user-friendly.
UPNs follow a naming format similar to email addresses.
You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.
