You are on page 1of 52

NOTE:

To change the
image on this
slide, select
the picture and
delete it. Then
click the
Pictures icon in
the placeholder
to insert your
own image.
MCTS GUIDE TO CONFIGURING
MICROSOFT WINDOWS SERVER 2008
ACTIVE DIRECTORY
Chapter 10: Configuring and Maintaining the
Active Directory Infrastructure
Objectives
Describe and configure Active Directory functional levels
Add and remove domains from a forest
Configure Active Directory trusts
Configure intrasite replication
Work with sites
Manage operations master roles
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Examining Active Directory Functional Levels
Functional levels allow for Administrators to maintain backwards compatibility, despite
the addition of new features
Functional levels should be set at the highest version domain controllers on the
network support
Member servers / workstations are independent of functional levels
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Forest Functional Levels
Forest functional level determines the features of Active Directory that have forest-wide
implications
A Server 2008 domain controller supports the following functional levels:
Windows 2000
Lacks the ability to use forest trusts and to rename a domain
Windows 2003
Supports all the features present in Windows 2000, plus the following features: forest trusts, Knowledge
Consistency Checker (KCC) improvements, linked-value replication, rename a domain , read only domain
controller deployment
Windows 2008
All the features of 2003, but no additional features (yet)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Domain Functional Levels
A domain controller cant be configured to run at a lower functional level than
the functional level of the forest.
Like forest functional levels, domain functional levels can be raised but not
lowered
Features:
Windows 2000 Native: Universal groups, group nesting, group conversion, Security
identifier (SID) history
Windows Server 2003: All features of Windows 2000 native, domain controller renaming,
logon timestamp replication, selective authentication, Users and Computers container
redirection
Windows Server 2008: All features of Windows 2003, Distributed File System replication,
fine-grained password policies, interactive logon information, Advanced Encryption
Standard (AES) support
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Raising the Domain Functional Level
All domain controllers must be running a Windows OS compatible with the desired
functional level
Functional level can be raised in Active Directory Domains and Trusts
Only one domain controller needs to be raised to the new functional level, the rest will
reflect the change automatically
Once the functional level is raised, it cannot be reversed
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Raising the Domain Functional Level (cont.)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Raising the Forest Functional Level
You must be a member of the Domain Admins or Enterprise Admins group to raise the
forest functional level
If raising both domain and forest functional levels, domain functional must be raised
first
Domain functional levels must be equal or greater than forest functional levels
Once functional level is raised, it cannot be lowered
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Raising the Forest Functional Level (cont.)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Preparing a Forest and Domain for Windows Server
2008 with Adprep
The Adprep command-line program prepares an existing forest or domain for the
addition of a Windows Server 2008 domain controller
To prepare the forest, run the adprep /forestprep command on a Windows Server 2003
or Windows 2000 domain controller acting as the schema master
Then run adprep /domainprep in each domain where you plan to add a Windows
Server 2008 DC. Windows 2000 requires adprep /domainprep /gpprep
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Preparing for a Read Only Domain Controller
Before you can install an RODC in an existing domain that isnt running all Windows
Server 2008 DCs, follow these steps:
Verify the functional level is Windows Server 2003 or higher
Prepare the forest
Install at least one writeable DC running Windows Server 2008
Install an RODC on a full Windows Server 2008 installation or a Server Core installation
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Removing a Domain Controller
Be aware of some potential issues
If the DC performs any operations master roles, you must first transfer the role to another DC
If the DC is a global catalog server, make sure at least one other DC is a global catalog server
If its the only DC in the domain, youll also remove the domain
Dcpromo is used to remove domain services
If the server wasnt the last DC, it will remain a member of the domain
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Removing a Domain
Two ways to remove a domain:
Dcpromo
Ntdsutil
If the DC crashed or was taken offline without using dcpromo to demote it to a regular
server, you must use Ntdsutil to remove the domain
This process is called removing an orphaned domain
A metadata cleanup will remove all selected domain data from the rest of the forest
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Using the Active Directory Migration Tool
The Active Directory Migration Tool (ADMT) allows moving objects and
restructuring Active Directory without users losing access to network
resources, and has three main types of migration:
Intraforest migration
Interforest migration
Migration of an NT 4.0 domain to an Active Directory domain
Before attempting migration, you should review the Active Directory Migration
guide
Terms used for migration planning and implementation:
SID History
Security Translation
Password Export Server (PES)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Active Directory Trusts
Recall that all domains in a forest trust one another automatically through two-way
transitive trusts, which you cant remove
Types of trusts you can configure:
Shortcut trust
Forest trust
External trust
Realm trust
DNS must be configured so that FQDNs of DCs in all participating domains can be
resolved
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Shortcut Trusts
A shortcut trust is a one-way or two-way transitive trust between two domains in the
same forest or two domains in trusting forests
Helps to reduce authorization delays between domains
Shortcut trusts between domains in different forests require a forest trust to be
configured
Trusts between forests and external trusts might require additional DNS configuration
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Forest Trusts
DNS must be configured correctly in both forest root domains
You must initiate the forest trust in Active Directory Domains and Trusts from the forest
root domain
When creating a forest trust, you must specify the type of authentication you wish to
use:
Forest-wide authentication is a property of a forest trust in which all users in a trusted forest can be
authenticated to the trusting forest
Selective authentication enables administrators to specify users who can authenticate to selected
resources in the trusting forest
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring External and Realm Trusts
An external trust is created between domains in different forests or between domains
in a Windows Server 2003/2008 forest and a Windows 2000 server forest or Windows
NT domain
An external trust is not transitive, and is nearly identical to creating a forest trust
When creating a realm trust, main consideration should be whether or not it should be
transitive
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Trust Properties
The Properties dialog box of a forest trust contains three tabs:
The General Tab Provides options:
The other domain supports Kerberos AES Encryption
Direction of trust
Transitivity of trust
Validate
Save As
The Name Suffix Routing Tab Allows you to control which name suffixes used by the trusted forest
are routed for authentication
Authentication Tab Same options as the Outgoing Trust Authentication Level window
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
SID Filtering
SIDHistory attribute can be used for nefarious purposes to gain administrative
privileges in a trusting forest
To counter the security risk, Windows provides a feature called SID filtering
SID Filtering causes the trusting domain to ignore any SIDs that arent from the trusted
domain
SID filtering is enabled by default on external trusts but is disabled on forest trusts
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Intrasite Replication
Intrasite and intersite replication use the same basic processes to replicate Active
Directory data
Intersite replication is optimized to take slower WAN links into account
Intrasite replication can be initiated in one of two ways:
Notification
Periodic replication
Intrasite replication involves two main components: Knowledge Consistency Checker
(KCC) and connection objects
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Knowledge Consistency Checker (KCC)
KCC is a process that runs on every DC and, for intrasite replication, builds a
replication topology among DCs in a site and establishes replication partners
The KCC on each domain controller uses data stored in the forest-wide configuration
directory partition to create the replication topology
The replication topology can be recalculated manually in Active Directory Sites and
Services
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Connection Objects
Connection objects define the connection parameters between two replication
partners
Changes to intrasite connection objects is usually unnecessary, but changes
can be made in Active Directory Sites and Services
General tab in the Properties dialog box is the only one of interest for
connection objects, and contains the following fields:
Change Schedule
Replicate from Server
Replicate from Site
Replicated Naming Context(s)
Partially Replicated Naming Context(s)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Creating Connection Objects
You can create connection objects for intrasite replication if you want to alter the
replication topology manually
By default, the schedule for a new connection object is set to every 15 minutes, but
this value can be changed
Changing the schedule for connection objects can be useful for troubleshooting
replication problems
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Checking Replication Status
Active Directory Sites and Services can be used to force the KCC to check the
replication topology
Repadmin.exe is a tool that will show detailed information about connections and
replication status
To use, type repadmin /showrepl
Repadmin can also be used to show the partitions being replicated by each connection
object, force replication to occur, force the KCC to recalculate the topology, and other
actions
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Global Catalog Replication
Global Catalog contains a partial replica of all objects in the forest, maintains univeral
group memberships, provides cross-domain logon support, and is used to locate
objects throughout the forest
Global catalog servers keep inbound connections with a DC in each domain the global
catalog is built from
Connections between global catalog servers always include replication of the global
catalog partition
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Global Catalog Replication (cont.)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Special Replication Situations
Most Active Directory database changes follow the regular replication rules
Certain changes require special processing:
Urgent replication events (trigger change notifications immediately):
Account lockouts
Changes to the account lockout policy
Changes to the domain password policy
Changes to non-security principal passwords
Password change to a DC computer account
Changes to the RID master DC
User Account password changes
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
RODC Replication
An RODC is treated like any other domain controller when considering replication
topology
Limitations to keep in mind:
Connection between an RODC and a writeable DC is a one-way connection
Two RODCs can replicate with one another, as long as one has an incoming connection with a
writeable DC
The domain directory partition can be replicated only to an RODC from a Windows Server 2008 DC.
Windows Server 2003 DCs can replicate other partitions to an RODC
When upgrading a domain from Windows Server 2003, the first Windows Server 2008 DC must be
writeable
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Creating Sites
A site is an AD object containing domain controllers and replication settings and is
usually associated with IP subnets and site links
Sites are usually geographically dispersed and connected by WAN links
When you create a site, youre asked to select a site link
DEFAULTIPSITELINK is the only choice unless youve created other site links
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Creating Sites (cont.)
http://www.examcollectionvce.com/vce-70-640.html
The Significance of Subnets
After creating a site, you must associate one or more subnets with it
AD uses this information in two important ways:
Placing new domain controllers in the appropriate site
Determining which site a client computer belongs to
If a clients IP address doesnt match a subnet in any of the defined sites,
communication efficiency could degrade because the client might request services
from servers in remote sites instead of locally
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Configuring Site Links
Any new sites you create use the default site link, DEFAULTIPSITELINK, for their
connection with other sites
Additional site links can help adjust the replication schedule according to a networks
link characteristics
Descriptive names should be used for site links
A site can exist in more than one site link
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Bridgehead Servers
Intersite Topology Generator is responsible for assigning a bridgehead server for each
directory partition in the site
Bridgehead servers are responsible for all intersite replication
Bridgehead servers can be designated manually
Repadmin /bridgeheads command can list which DCs in a site are acting as
bridgehead servers to other sites
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Intersite Transport Protocols
Two protocols can be used to replicate between sites:
IP
SMTP
IP is used by default in the DEFAULTIPSITELINK site link and is recommended in
most cases
Simple Mail Transport Protocol is used primarily for e-mail and works well for slower,
less reliable, or intermittent connections
DC can send multiple replication requests simultaneously without waiting for the reply
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Site Link Bridges
By default, site link bridging is enabled, which makes site links transitive
You can change the transitive behavior of site links by turning off site link bridging and
creating site link bridges manually
Automatic site bridging can lead to over-utilization of a slower WAN link
Other reasons to create site link bridges manually:
Control traffic through firewalls
Accommodate partially routed network
Reduce confusion of the KCC
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
The Global Catalog and Universal Group Membership
Caching
Global catalog servers increase replication traffic
Windows Server 2008 includes universal group membership caching, which allows
universal group membership information to be retrieved from a global catalog server in
a different site, then cached locally on every DC in the site and updated every 8 hours
Microsoft recommends placing a global catalog server in the site when the number of
accounts exceeds 500 and the number of DCs exceeds two
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Operations Master Best Practices
If you build a new forest, the first DC installed performs all five FSMO roles
This is acceptable for small environments, but larger environments may perform better
if these roles are transferred to separate servers
Common rules for operations masters:
Unless your domain is small, transfer operations master roles to other DCs
Place the servers performing these roles where network availability is high
Designate an alternate DC for all roles
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Domain Naming Master
The domain naming master is needed when a domain or domain controller is added or
removed from the forest
Attempting to add or remove a domain while the DC performing this role is down is not
advisable
When possible, the domain naming master should be a direct replication partner with
another DC thats also a global catalog server in the same site
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Schema Master
The schema master is needed when the Active Directory schema is changed
Generally, the schema master role should be transferred to another server only when
youre certain the original server will be down permanently
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
PDC Emulator
Processes password changes for older Windows clients (Windows 9x and NT)
Should be placed where there is a high concentration of users
Shouldnt be placed on a DC that is also a global catalog server
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
RID Master
Every Active Directory object uses an RID to create the objects SID
RID Master provides these RIDs to domain controllers
Ideally placed with the PDC emulator because the PDC emulator uses the RID
masters services frequently
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Infrastructure Master
Role is most needed when many objects have been moved or renamed
Shouldnt be performed by a DC thats also a global catalog server, but should be at
least in the same site as a global catalog server
If the Master fails, the role can be moved to another DC if necessary
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Transferring Operations Master Roles
Transferring an operations master role means moving the roles function from one
server to another while the original server is still in operation
Generally done for the following reasons:
DC performing the role was the first DC in the forest, and therefore holds all roles
DC performing the role is being moved to a location that isnt well suited for the role
The current DCs performance is inadequate because of the resources the FSMO role requires
The current DC is being taken out of service temporarily or permanently
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Transferring Operations Master Roles (cont.)
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Seizing Operations Master Roles
An operations master role is seized when the current role holder is no longer online
because of some type of failure
Seizing should never be done when the current role holder is accessible
Seizing is done with the ntdsutil command
MCTS Windows Server 2008 Active Directory http://www.examcollectionvce.com/vce-70-640.html
Chapter Summary
Administrators can configure functional levels on a new domain controller to maintain
backward compatibility
Functional levels can be raised but not lowered
Windows Server 2008 supports three forest functional levels: Windows 2000, Windows
Server 2003, and Windows Server 2008. Supported domain functional levels have
nearly identical names
You can raise functional levels when you install AD, or you can raise them manually
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Chapter Summary (cont.)
Before you can install a Windows Server 2008 server as a DC in an existing Windows
Server 2003 or Windows 2000 server domain, existing domain controllers must be
prepared
Before you can install RODC in an existing domain, the forest functional level must be
at least Windows Server 2003 or higher
To remove a domain controller, you use dcpromo or ntdsutil
Use the Active Directory Migration Tool to migrate accounts from one domain or forest
to another
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
Chapter Summary (cont.)
Before creating a trust of any type, DNS must be configured so that FQDNs of domain
controllers in all participating domains can be resolved
Some trust properties you can configure include the trust direction and transitivity,
name suffix routing, and authentication
Both intrasite and intersite replication use the same basic processes to replicate Active
Directory data; the main goal is to balance data replication timeliness and efficiency
MCTS Windows Server 2008 Active Directory
http://www.examcollectionvce.com/vce-70-640.html
MCTS Windows Server 2008 Active Directory
Chapter Summary (cont.)
A site is an Active Directory object containing domain controllers and default
settings for replication within the site and is usually associated with one or
more IP subnets and site links
Connection objects provide the connection and replication parameters
between two servers
Bridgehead servers are responsible for all intersite replication
Universal group membership caching resolves the potential conflict between
faster logons and additional replication traffic
Deciding where to place the FSMO role holder is part of your overall Active
Directory design strategy
http://www.examcollectionvce.com/vce-70-640.html


MCTS Windows Server 2008 Active Directory http://www.examcollectionvce.com/vce-70-640.html


examcollectionvce Exam Features:

50000+ Customer feedbacks involved in Product.
Average 100% Success Rate.
Over 170 Global Certification Vendors Covered.
Services of Professional & Certified Experts available via support.
Free 90 days updates to match real exam scenarios.
Instant Download Access! No Setup required.
Exam History and Progress reports.
Verified answers researched by industry experts.
Study Material updated on regular basis.
Questions / Answers are downloadable in PDF format.
Practice / Exam are downloadable in Practice Test Software format.
Customize your exam based on your objectives.
Self-Assessment features.
-Guaranteed Success.

Fast, helpful support 24x7.