
70-742 Identity with Windows Server 2016

Module 1
Installing and configuring domain controllers
Contents:
• Lesson 1: Overview of AD DS
• Lesson 2: Overview of AD DS domain controllers
• Lesson 3: Deploying a domain controller
Module Overview
Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise networks that run
Windows operating systems. The AD DS database is the central store of all the domain objects, such as user accounts,
computer accounts, and groups. AD DS provides a searchable, hierarchical directory and a method for applying
configuration and security settings for objects in the enterprise. This module covers the structure of AD DS and its various
components, such as forests, domains, and organizational units (OUs).
With an increasing focus on cloud and hybrid environments, Windows Server 2016 includes several new AD DS features
that make it easier to manage these environments. This module covers the features and choices available in Windows Server
2016 for installing AD DS on a server along with an overview of domain controllers.
Objectives
After completing this module, you will be able to:
• Describe AD DS and its main components.
• Describe the purpose of domain controllers and their roles.
• Describe the considerations for deploying domain controllers.
• Deploy a domain controller.
Lesson 1
Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services, and resources in a hierarchical
structure, called the directory. AD DS domain controllers also host the service that authenticates user and computer accounts
when they sign in to the domain. Because AD DS stores information about all of the objects in the domain, and all users
and computers must connect to AD DS domain controllers when they sign in to the network, AD DS is the primary means
by which you can configure and manage user and computer accounts on your network.
This lesson covers the core logical components and physical components that make up an AD DS deployment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components of AD DS.
• Describe AD DS domains.
• Describe OUs and their purpose.
• Describe AD DS forests and trees and explain how you can deploy them in a network.
• Explain how an AD DS schema provides a set of rules that manage the objects and attributes that are stored in the
AD DS domain database.
• Describe Microsoft Azure Active Directory (Azure AD).
• Identify the tools available for administering AD DS.
• Describe what is new for on-premises Active Directory in Windows Server 2016.

Trainer: Muhammad Muazzam M1 - Lesson 1 Overview of AD DS



Overview of AD DS
AD DS is composed of both logical and physical components. You need to understand
the way the components of AD DS work together so that you can manage your
infrastructure efficiently. In addition, you can use many other AD DS options to
perform actions such as installing, configuring, and updating apps; managing the
security infrastructure; enabling Remote Access Service and DirectAccess; and issuing
and managing digital certificates.
One of the most-used AD DS features is Group Policy, which allows you to configure
centralized policies that you can use to manage most objects in AD DS. Understanding
the various AD DS components is important for using Group Policy successfully.

Logical components
AD DS logical components are structures that you use to implement an AD DS design that is appropriate for an organization.
The following list describes the types of logical structures that an AD DS database contains.
• Partition. A partition, also called a naming context, is a portion of the AD DS database. Although the database is one file
named Ntds.dit, different partitions contain different data. For example, the schema partition contains a copy of the Active
Directory schema. The configuration partition contains the configuration objects for the forest, and the domain partition
contains the users, computers, groups, and other objects specific to the domain. Copies of a partition can be stored on
multiple domain controllers and updated through directory replication.
• Schema. A schema is the set of definitions of the object types and attributes that you use to define the objects created in
AD DS.
• Domain. A domain is a logical administrative container for objects such as users and computers. A domain maps to a
specific partition and can be organized with parent-child relationships to other domains.
• Domain tree. A domain tree is a hierarchical collection of domains that share a common root domain and a contiguous
Domain Name System (DNS) namespace.
• Forest. A forest is a collection of domains that share a common AD DS root and schema and that have a two-way trust
relationship with each other.
• Site. A site is a container for AD DS objects, such as computers and services, that are defined by their physical location.
This is in comparison to a domain, which represents the logical structure of objects, such as users and groups in addition
to computers.
• Subnet. A subnet is a portion of the network IP addresses of an organization assigned to computers in a site. A site can
have more than one subnet.
• OU. An OU is a container object for users, groups, and computers that provides a framework for delegating administrative
rights and administration by linking Group Policy Objects (GPOs).
• Container. A container is an object that provides an organizational framework for use in AD DS. Some containers are
created by default, or you can create custom containers. Containers cannot have GPOs linked to them.

Physical components
The following list describes some of the physical components of AD DS.
• Domain controller. A domain controller contains a copy of the AD DS database. For most operations, each domain
controller can process changes and replicate the changes to all the other domain controllers in the domain.
• Data store. A copy of the data store exists on each domain controller. The AD DS database uses Microsoft Jet database
technology and stores the directory information in the Ntds.dit file and associated log files. Those files are stored in the
C:\Windows\NTDS folder by default.
• Global catalog server. A global catalog server is a domain controller that hosts the global catalog, which is a partial,
read-only copy of all the objects in a multiple-domain forest. A global catalog speeds up searches for objects that might
be stored on domain controllers in a different domain in the forest.
• Read-only domain controller (RODC). An RODC is a special, read-only installation of AD DS. RODCs are often used
in branch offices where physical security cannot be guaranteed, IT support is less advanced than in the main corporate
centers, or line-of-business applications exist that need to run on a domain controller.


What is the AD DS schema?


The AD DS schema is the component that defines all the object classes and attributes that AD DS uses to store data. All
domains in a forest contain a copy of the schema that applies to that forest. Any change that is made to the schema is
replicated to every domain controller in the forest from the schema master, which is typically the first domain controller in
the forest.
AD DS stores and retrieves information from a wide variety of applications and services. It does this, in part, by
standardizing how data is stored in the AD DS directory. By standardizing data storage, AD DS can retrieve, update, and
replicate data while helping to ensure that the data integrity is maintained.

Objects
AD DS uses objects as units of storage. All object types are defined in the schema. Each time the directory handles data,
the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the
directory creates the object and stores the data.
Object definitions specify both the types of data that the objects can store and the syntax of the data. You can create only
objects that are defined by the schema. Because the data is stored in a rigidly defined format, AD DS can store, retrieve,
and validate the data that it manages, regardless of which application supplies it.
Relationships among objects, rules, attributes, and classes
In AD DS, the schema defines the following:
• Objects that store data in the directory
• Rules that define the structure of the objects
• The structure and content of the directory itself
AD DS schema objects consist of attributes, which are grouped together into classes. Each class has rules that define which
attributes are required and which are optional. For example, the user class consists of more than 400 possible attributes,
including cn (the common name attribute), givenName, displayName, objectSID, and manager. Of these attributes, the
cn and objectSID attributes are mandatory. The cn attribute is defined as a single-value Unicode string that is from 1
through 64 characters long and that is replicated to the global catalog.
Changing the schema
Only members of the Schema Admins group can modify the AD DS schema. You cannot remove anything from the AD
DS schema. You can only extend the AD DS schema by using AD DS schema extensions or by modifying the attributes of
existing objects. For example, when you are preparing to install Exchange Server 2016, you must apply the Exchange
Server 2016 Active Directory schema changes. These changes add or modify hundreds of classes and attributes.
You should change the schema only when necessary because the schema dictates how information is stored, and any
changes made to the schema affect every domain controller. Before you change the schema, you should review the changes
through a tightly controlled process and implement them only after you have performed testing to help ensure that the
changes will not adversely affect the rest of the forest or any applications that use AD DS.
The schema master is one of the operations master roles that is hosted on a single domain controller in AD DS. Because it
is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master,
using the Active Directory Schema snap-in. To target the schema master in a separate forest, you will need to target the
appropriate forest from within the snap-in.
Note: Operations master roles are discussed in detail in the topic, “What are operations masters?”.
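As an added example (not code from the course handout), the following PowerShell reads the schema definitions that this topic describes: the cn attribute's syntax, cardinality, length limits and global catalog membership, the full set of mandatory attributes of the user class, and who holds the schema master and Schema Admins membership. It assumes the Active Directory module (RSAT) on a domain-joined machine with read access to the schema partition and makes no changes.

```powershell
# Added example, not part of the course handout. Assumes the ActiveDirectory module
# (RSAT) and a domain-joined machine with read access to the schema partition. Read-only.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

# 1. Definition of the cn attribute: single-valued, 1-64 characters, in the global catalog.
$cn = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=cn))' `
        -Properties attributeSyntax, isSingleValued, rangeLower, rangeUpper, isMemberOfPartialAttributeSet
[pscustomobject]@{
    Attribute       = $cn.Name
    Syntax          = $cn.attributeSyntax              # 2.5.5.12 is the Unicode string syntax
    SingleValued    = $cn.isSingleValued
    MinLength       = $cn.rangeLower
    MaxLength       = $cn.rangeUpper
    InGlobalCatalog = $cn.isMemberOfPartialAttributeSet
} | Format-List

# 2. Mandatory attributes of a class. mustContain/systemMustContain on the class itself
#    is not the whole story: mandatory attributes are also inherited from the parent
#    chain (subClassOf up to top) and from auxiliary classes, which is where a user
#    object gets objectSid and sAMAccountName from (the securityPrincipal class).
function Add-MandatoryAttribute {
    param([string]$ClassName, [hashtable]$Seen, [hashtable]$Visited)
    if ($Visited.ContainsKey($ClassName)) { return }   # top is its own parent; stop here
    $Visited[$ClassName] = $true
    $cls = Get-ADObject -SearchBase $schemaNC `
             -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
             -Properties mustContain, systemMustContain, subClassOf, auxiliaryClass, systemAuxiliaryClass
    foreach ($a in @($cls.mustContain) + @($cls.systemMustContain)) {
        if ($a) { $Seen[$a] = $true }
    }
    foreach ($p in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
        if ($p) { Add-MandatoryAttribute -ClassName $p -Seen $Seen -Visited $Visited }
    }
}

function Get-MandatoryAttributes {
    param([string]$ClassName)
    $seen = @{}
    Add-MandatoryAttribute -ClassName $ClassName -Seen $seen -Visited @{}
    return $seen.Keys | Sort-Object
}

"Mandatory attributes of the user class:"
Get-MandatoryAttributes -ClassName 'user'

# 3. Schema changes are accepted only on the schema master and only from Schema Admins.
#    Both live in the forest root domain, so target it explicitly in case this runs
#    from a child domain.
$forest = Get-ADForest
"Schema master: $($forest.SchemaMaster)"
"Schema Admins members (empty by default; any member should have a documented reason):"
Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
    Select-Object Name, objectClass, distinguishedName
```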
What is an AD DS forest?
A forest is a top-level container in AD DS. Each forest is a collection of one or more domain trees that share a common
directory schema and a global catalog. A domain tree is a collection of one or more domains that share a contiguous
namespace. The first domain that is created in the forest is called the forest root domain. The forest root domain contains a
few objects that do not exist in other domains in the forest. Because these objects are always created on the first domain
controller that is created, a forest can consist of as little as one domain with a single domain controller, or it can consist of
hundreds of domains across multiple domain trees. The following objects exist only in the forest root domain:
• The schema master role. This is a special, forest-wide domain controller role. Only one schema master exists in any
forest. The schema can be changed only on the domain controller that holds the schema master.
• The domain naming master role. This is also a special, forest-wide domain controller role. Only one domain naming
master exists in any forest. Only the domain naming master can add new domain names to the directory.
• The Enterprise Admins group. By default, the Enterprise Admins group has the Administrator account for the forest
root domain as a member. The Enterprise Admins group is a member of the local Administrators group in every domain
in the forest. This allows members of the Enterprise Admins group to have full control administrative rights to every
domain throughout the forest.


• The Schema Admins group. By default, the Schema Admins group has no members. Only members of the Enterprise
Admins group or the Domain Admins group (in the forest root domain), can add members to the Schema Admins
group. Only members of the Schema Admins group can make changes to the schema.
Security boundary
An AD DS forest is a security boundary. By default, no users from outside the forest can access any resources inside the
forest. Typically, an organization creates only one forest, although you can create multiple forests to isolate administrative
permissions among different parts of the organization.
By default, all the domains in a forest automatically trust the other domains in the forest. This helps to make it easy to
enable access to resources, such as file shares and websites, for all the users in a forest, regardless of the domain in which
a user account is located.

Replication boundary
An AD DS forest is the replication boundary for the configuration and schema partitions in the AD DS database. As a result,
all the domain controllers in the forest must share the same schema. Because of this, organizations that want to deploy
applications with incompatible schemas need to deploy additional forests.
The AD DS forest is also the replication boundary for the global catalog. The global catalog makes it possible to find objects
from any domain in the forest. For example, the global catalog is used whenever user principal name (UPN) sign-in
credentials are used or when Microsoft Exchange Server address books are used to find users.
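As an added example (not code from the course handout), this PowerShell inventories the components from the logical and physical component lists earlier in the lesson and the forest-wide items in this topic: the partitions (naming contexts) on a domain controller, every domain controller with its global catalog, RODC and site status, the sites' subnets, the forest-root-only Enterprise Admins membership, and the trusts that define the security boundary. It assumes the Active Directory module (RSAT) on a domain-joined machine and is read-only.

```powershell
# Added example, not part of the course handout. Assumes the ActiveDirectory module
# (RSAT) and a domain-joined machine. Read-only inventory of the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
[pscustomobject]@{
    RootDomain         = $forest.RootDomain
    Domains            = $forest.Domains -join ', '
    DomainNamingMaster = $forest.DomainNamingMaster   # forest-wide role, forest root domain only
    ForestMode         = $forest.ForestMode
    GlobalCatalogs     = $forest.GlobalCatalogs -join ', '
} | Format-List

# Partitions (naming contexts) held by the DC we are talking to: schema and
# configuration are forest-wide, the domain partition is per domain, and DNS
# application partitions appear as DomainDnsZones / ForestDnsZones.
$rootDse = Get-ADRootDSE
"Partitions on $($rootDse.dnsHostName):"
$rootDse.namingContexts

# Physical components: every domain controller in every domain, flagged as global
# catalog and/or RODC, with the site that holds it.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
}
$dcs | Sort-Object Domain, Site | Format-Table -AutoSize

# A domain with no global catalog of its own depends on another domain's GC for
# UPN sign-in and cross-domain searches; worth knowing before a WAN link fails.
foreach ($d in $forest.Domains) {
    if (-not ($dcs | Where-Object { $_.Domain -eq $d -and $_.IsGlobalCatalog })) {
        Write-Warning "Domain $d has no global catalog server."
    }
}

# Sites and their subnets: the physical map that the logical structure is laid over.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Sort-Object Site | Format-Table -AutoSize

# Enterprise Admins exists only in the forest root and is an administrator of every
# domain, so its membership is effectively the forest's trust boundary.
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive |
    Select-Object Name, objectClass, distinguishedName

# Trusts of the current domain: intra-forest trusts are automatic and two-way; anything
# with IntraForest = False crosses the security boundary and should be documented.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive |
    Format-Table -AutoSize
```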
What is an AD DS domain?
AD DS domain: a container for users, computers, groups, and more
An AD DS domain is a logical container used to manage user, computer, group, and
other objects. All of the domain objects are stored in the AD DS database, a copy of
which is stored on each domain controller.
Many types of objects exist in the AD DS database. You most often work with user
accounts, computer accounts, and groups. The following list briefly describes these
three object types:
• User accounts. User accounts contain information about users, including the
information required to authenticate a user during the sign-in process and build
the user's access token.
• Computer accounts. Each domain-joined computer has an account in AD DS. Computer accounts are used for
domain-joined computers in the same way that user accounts are used for users.
• Groups. Groups are used to organize users or computers to make it easier to manage permissions and Group Policy
in the domain.
The AD DS domain is a replication boundary
When changes are made to any object in the domain, the domain controller where the change occurred replicates that change
to all the other domain controllers in the domain. If multiple domains exist in the forest, only subsets of the changes are
replicated to other domains. AD DS uses a multimaster replication model that allows every domain controller to make
changes to objects in the domain.
AD DS allows a single domain to contain nearly 2 billion objects. With this much capacity, most organizations can deploy
only a single domain to ensure that all domain controllers contain all the domain information. However, organizations that
have decentralized administrative structures or that are distributed across multiple locations might consider implementing
multiple domains in the same forest to accommodate the administrative needs of their environments.
The AD DS domain is an administrative center
The domain contains an Administrator account and a Domain Admins group. By default, the Administrator account is a
member of the Domain Admins group, and the Domain Admins group is a member of every local administrators group of
domain-joined computers. Also, by default, the Domain Admins group members have full control over every object in the
domain. The Administrator account in the forest root domain has additional rights, as detailed in the topic, “What is an AD
DS forest?” later in this module.
The AD DS domain provides authentication
Whenever a domain-joined computer starts or a user signs in to a domain-joined computer, AD DS authenticates it.
Authentication helps to verify that the computer or user has the proper credentials for an AD DS account.
The AD DS domain provides authorization
Windows operating systems use authorization and access control technologies to allow authenticated users to access
resources. Typically, the authorization process is performed locally at the resource level. Domain-based Dynamic Access
Control enables central access rules to control the access to resources. Central access rules do not replace the current access
control technology but provide an additional level of control.
Note: Dynamic Access Control (DAC) is a feature introduced in Windows Server 2012 that allows administrators to
define rules that control access permissions.
What are OUs?
An organizational unit (OU) is a container object within a domain that you can use to
consolidate users, computers, groups, and other objects. You can link Group Policy
Objects (GPOs) directly to an OU in order to manage the objects contained in the OU.
You can also assign an OU manager and associate a COM+ partition with an OU.
You can create new OUs in AD DS at any time using Active Directory Administrative
Center. Two reasons exist to create an OU:
• To group objects together to make it easier to manage them by applying GPOs to
the whole group. When you assign GPOs to an OU, the settings apply to all the objects within the OU. GPOs are
policies that administrators create to manage and configure settings for computers and/or users. You deploy the GPOs
by linking them to OUs, domains, or sites.
• To delegate administrative control of objects within the OU. You can assign management permissions on an OU,
thereby delegating control of that OU to a user or group within AD DS in addition to the Domain Admins group. You
can use OUs to represent the hierarchical, logical structures within your organization. For example, you can create OUs
that represent the departments within your organization, the geographic regions within your organization, or a
combination of both departmental and geographic regions. You can use OUs to manage the configuration and use of
user, group, and computer accounts based on your organizational model.
Generic containers
AD DS contains several built-in containers, known as generic containers, such as Users and Computers. These containers
are used to store system objects or used as the default parents to the new objects when they are created. These generic
container objects should not be confused with OUs. The primary difference between OUs and containers is the
management capabilities. Containers have limited management capabilities. For example, you cannot apply a GPO directly
to a container.
When you install AD DS, the Domain Controllers OU and several generic container objects are created by default. Some
default objects are used primarily by AD DS and are hidden by default. The following objects are visible by default within
the AD Administrative Center:
• Domain. The top level of the domain organizational hierarchy.
• Built-in container. A container that stores several default groups.
• Computers container. The default location for new computer accounts that you create in the domain.
• Foreign Security Principals container. The default location for trusted objects from domains outside the AD DS
forest. Typically, these are created when an object from an external domain is added to a group in the AD DS domain.
• Managed Service Accounts. The default location for managed service accounts. AD DS provides automatic
password management in managed service accounts.
• Users container. The default location for new user accounts and groups that you create in the domain. The Users
container also holds the administrator and guest accounts for the domain and for some default groups.
• Domain Controllers OU. The default location for domain controllers' computer accounts. This is the only OU that
is present in a new installation of AD DS.
Several containers exist that you can see only when you click Advanced Features on the View menu. The following
objects are hidden by default:
• LostAndFound. This container holds orphaned objects.
• Program Data. This container holds Active Directory data for Microsoft applications, such as Active Directory
Federation Services (AD FS).
• System. This container holds the built-in system settings.
• NTDS Quotas. This container holds directory service quota data.
• TPM Devices. This container is new with Windows Server 2016. It stores the recovery information for Trusted
Platform Module (TPM) devices.
Note: Containers in an AD DS domain cannot have GPOs linked to them. To link GPOs to apply configurations and
restrictions, create a hierarchy of OUs and then link the GPOs to them.
Hierarchy design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design could be based on
geographic, functional, resource, or user classifications. Whatever the basis, the hierarchy should make it possible to
administer AD DS resources as effectively and with as much flexibility as possible. For example, if all the computers that
IT administrators use must be configured in a certain way, you can group all the computers in an OU and then assign a GPO
to manage those computers.
You also can create OUs within other OUs. For example, your organization might have multiple offices, and each office
might have a team of IT administrators who are responsible for managing user and computer accounts in their office. In
addition, each office might have different departments with different computer configuration requirements. In this situation,
you can create an OU for each office, and then within each of those OUs, create an OU for the IT administrators and an OU
for each of the other departments.
Although there is no technical limit to the number of levels in your OU structure, to help ensure manageability, limit your
OU structure to a depth of no more than 10 levels. Most organizations use 5 levels or fewer to simplify administration.
Note that applications that work with AD DS can impose restrictions on the OU depth within the hierarchy for the parts
of the hierarchy that they use.
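As an added example (not code from the course handout), this PowerShell builds the office/department OU hierarchy described above, links a GPO to the IT administrators' OUs, and then measures the depth of every OU in the domain against the 10-level ceiling. It assumes the Active Directory module (RSAT) and rights to create OUs; the office and department names are constructed, and the GPO name "IT Admin Baseline" is assumed to exist.

```powershell
# Added example, not part of the course handout. Assumes the ActiveDirectory module
# (RSAT) and rights to create OUs. Office/department names are constructed; the GPO
# name is assumed and the link is only created if that GPO exists.
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue   # only needed for the GPO link below

$domainDN = (Get-ADDomain).DistinguishedName             # e.g. DC=contoso,DC=com

# One OU per office, each holding an OU for its IT administrators and one per department.
$layout = [ordered]@{
    'Seattle' = @('IT Admins', 'Finance', 'Sales')
    'London'  = @('IT Admins', 'Finance')
}
$gpoName = 'IT Admin Baseline'   # assumed name of an existing GPO

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try { $null = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop }
    catch {
        # Protect new OUs from accidental deletion: deleting an OU takes every object under it.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$officesDN = New-OUIfMissing -Name 'Offices' -ParentDN $domainDN
foreach ($office in $layout.Keys) {
    $officeDN = New-OUIfMissing -Name $office -ParentDN $officesDN
    foreach ($team in $layout[$office]) {
        $teamDN = New-OUIfMissing -Name $team -ParentDN $officeDN
        # GPOs link to OUs (never to generic containers); link the IT admin baseline
        # where it applies. Settings then apply to every object within that OU.
        if ($team -eq 'IT Admins' -and
            (Get-Command New-GPLink -ErrorAction SilentlyContinue) -and
            (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
            New-GPLink -Name $gpoName -Target $teamDN -LinkEnabled Yes -ErrorAction SilentlyContinue
        }
    }
}

# Depth = number of OU= components in the DN. Split only on unescaped commas so an OU
# named "Sales, EMEA" (stored as OU=Sales\, EMEA) is still counted once.
function Get-OUDepth {
    param([string]$DistinguishedName)
    $rdns = $DistinguishedName -split '(?<!\\),'
    return @($rdns | Where-Object { $_ -match '^OU=' }).Count
}

$maxDepth = 10   # recommended ceiling from the text; most organizations stay at 5 or fewer
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object {
        $depth = Get-OUDepth -DistinguishedName $_.DistinguishedName
        [pscustomobject]@{
            OU      = $_.DistinguishedName
            Depth   = $depth
            TooDeep = $depth -gt $maxDepth
        }
    } | Sort-Object Depth -Descending | Format-Table -AutoSize
```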
What is new in AD DS in Windows Server 2016?
Windows Server 2016 has several new features as part of AD DS that make it
easier for you to help secure your AD DS environment and migrate to cloud-
based or hybrid environments.
Privileged Access Management
Privileged Access Management (PAM) is based on Microsoft Identity Manager. PAM allows you to separate the
permissions required for certain administrative activities from the permissions of members of the current AD DS
environment. With PAM, users request permission to perform activities that require privileged access instead of having that
access granted on a permanent basis. Granting those permissions can mean that you have to provide additional
authentication steps, such as Multi-Factor Authentication. When the user is granted access, the access is granted on a
temporary basis through a shadow group in a bastion forest. The bastion forest is a cleaner environment that is meant to be
devoid of any access from hackers or any stolen credentials of privileged users. Because the user’s personal work account
does not have the required permissions on a permanent basis, there is a decrease in the possibility of a security breach, such
as unlawful access by a malicious hacker that has stolen an administrator’s password.
Azure AD Join
Azure Active Directory Join (Azure AD Join) supports connecting on-premises, domain-joined devices to Azure AD for
improved cloud-only and hybrid environments. For corporate-owned devices, users no longer need a personal Microsoft
account. Azure AD also supports connecting devices that normally cannot join an on-premises domain, such as mobile
devices. Users can access the Windows Store with their on-premises accounts and even with their personal devices. Support
also exists for mobile device management (MDM), setting up shared devices, and imaging corporate-owned devices.
Microsoft Passport
AD DS in Windows Server 2016 supports Microsoft Passport, which provides a certificate-based approach to authentication
that can replace the use of passwords. Microsoft Passport allows users to authenticate to an on-premises AD DS account,
an Azure AD account, or any service that supports Fast Identity Online (FIDO) authentication. Microsoft Passport is covered
in detail in course 20744: Securing Windows Server 2016.
What is Azure AD?
Azure AD is a service that provides identity management and access control for your
cloud-based applications. You use Azure AD when you subscribe to Microsoft Office
365, Microsoft SharePoint Online, Exchange Online, or Skype for Business.
Additionally, you can use Azure AD with Azure apps or Internet-connected apps that
require authentication. You can synchronize your on-premises AD DS with Azure AD
to allow your users to use the same identity across both internal resources and cloud-
based resources.
Azure AD does not include all the services available with an on-premises Active
Directory solution that uses Windows Server 2016. On-premises Active Directory in
Windows Server 2016 supports five services:
• AD DS
• AD FS
• Active Directory Lightweight Directory Services (AD LDS)
• Active Directory Certificate Services (AD CS)
• Active Directory Rights Management Services (AD RMS)
Azure AD includes only:
• Azure AD, which supports identity management in the cloud.
• Azure Access Control Service, which supports federation with external identity management services, including
your on-premises instance of AD DS.
Azure AD does not support applications that are integrated with on-premises Active Directory. For applications to integrate
with Azure AD, they must be written for Azure AD.
Note: You cannot create AD DS domain controllers in Azure AD. You can use Azure AD as a standalone service or
integrate it with your existing on-premises Active Directory infrastructure. However, you do not create or manage the Azure
AD systems. Instead, you manage your users in the Azure AD service.
Overview of AD DS administration tools
Managing the AD DS environment is one of the most common tasks an IT professional
performs. You typically manage your domain controllers remotely, even though you can
sign in to the computer either directly or by using Remote Desktop. The primary tool you
will use is the Active Directory Administrative Center.
Active Directory Administrative Center
The Active Directory Administrative Center provides a graphical user interface (GUI) that
is built on Windows PowerShell. This enhanced interface allows you to perform AD DS
object management by using task-oriented navigation, and it replaces the functionality of Active Directory Users and
Computers. Tasks that you can perform by using the Active Directory Administrative Center include:
• Creating and managing user, computer, and group accounts.
• Creating and managing OUs.
• Connecting to and managing multiple domains within a single instance of the Active Directory Administrative
Center.
• Searching and filtering AD DS data by building queries.
• Creating and managing fine-grained password policies.
• Recovering objects from the Active Directory Recycle Bin.
• Managing objects that are required for the Dynamic Access Control feature.
You can install the Active Directory Administrative Center only on servers running Windows Server 2008 R2 or later or
on client computers running Windows 7 or later.
Other management tools you will use to perform AD DS administration include:
• Active Directory Users and Computers:
Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that manages most
of the common day-to-day resources, including users, groups, and computers. Although this snap-in is well known
to many administrators, the Active Directory Administrative Center replaces it and provides more capabilities.
• Active Directory Sites and Services:
The Active Directory Sites and Services MMC snap-in manages replication, network topology, and related
services.
• Active Directory Domains and Trusts:
The Active Directory Domains and Trusts MMC snap-in configures and maintains trust relationships at the domain
and forest functional levels.
• Active Directory Schema snap-in:
The Active Directory Schema MMC snap-in examines and modifies the definitions of AD DS attributes and object
classes. The schema provides the definitions for AD DS objects and attributes, and you typically do not view or
change it very often. Therefore, by default, the Active Directory Schema snap-in is not fully installed.
• Active Directory module for Windows PowerShell:
The Active Directory module for Windows PowerShell supports AD DS administration, and it is one of the most
important management components. Server Manager and the Active Directory Administrative Center are built on
Windows PowerShell and use cmdlets to perform their tasks.

Question: What are the two main purposes of OUs?


Question: Why would you need to deploy an additional tree in the AD DS forest?
