Module 1: Implementing Active Directory® Domain Services

Module Overview
• Installing Active Directory Domain Services
• Deploying Read-Only Domain Controllers
• Configuring AD DS Domain Controller Roles
Note: each domain needs at least one domain controller, the server that holds the Active Directory database.

Lesson 1: Installing Active Directory Domain Services
• Requirements for Installing AD DS
• What Are Domain and Forest Functional Levels?
• AD DS Installation Process
• Advanced Options for Installing AD DS
• Installing AD DS from Media
• Demonstration: Verifying the AD DS Installation
• Upgrading to Windows Server® 2008 AD DS
• Installing AD DS on a Server Core Computer
• Discussion: Common Configuration for AD DS

Requirements for Installing AD DS

Server requirements to install AD DS:
• A computer running Windows Server 2008 (Web Server edition not supported)
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system

Network configuration:
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or DNS will be configured on the domain controller

Administrator permissions:
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest

What Are Domain and Forest Functional Levels?
Functional levels:
• Determine the AD DS features available in a domain or forest
• Restrict which Windows Server operating systems can run on domain controllers in the domain or forest

Supported functional levels and the domain controller operating systems each allows:

Domain functional level   Supported domain controller operating systems
Windows 2000 native       Windows 2000 Server, Windows Server 2003, Windows Server 2008
Windows Server 2003       Windows Server 2003, Windows Server 2008
Windows Server 2008       Windows Server 2008

Forest functional level   Supported domain controller operating systems
Windows 2000              Windows 2000 Server, Windows Server 2003, Windows Server 2008
Windows Server 2003       Windows Server 2003, Windows Server 2008
Windows Server 2008       Windows Server 2008

AD DS Installation Process
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL (system volume) folder
6. Configure the Directory Services Restore Mode Administrator password

Advanced Options for Installing AD DS
To access the advanced mode installation options, choose the Advanced Mode option in the Installation Wizard or run DCPromo /adv
Use the advanced mode options to:
• Create a new domain tree with a different domain name
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name
• Define the Password Replication Policy for an RODC

Installing AD DS from Media
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller with SYSVOL data
• Read-only domain controller
• Read-only domain controller with SYSVOL data
Notes: SYSVOL data is the Group Policy objects and scripts; read-only domain controller media contains no passwords.

Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation

Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:

Current version                      Before installing                         Command
Windows 2000 or Windows Server 2003  Windows Server 2008 domain controllers    adprep /forestprep (must be run before the other adprep commands)
Windows 2000 Server                  Windows Server 2008 domain controllers    adprep /domainprep /gpprep
Windows Server 2003                  Windows Server 2008 domain controllers    adprep /domainprep
Windows Server 2003                  Windows Server 2008 RODCs                 adprep /rodcprep

Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file
Use the following syntax with the Dcpromo command: Dcpromo /answer[:filename], where filename is the name of your answer file

Discussion: Common Configuration for AD DS
• What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?
• How would these tasks change after you have deployed additional domain controllers in your domain?
• Which of the recommendations listed in the Server Manager apply to your organization?

Lesson 2: Deploying Read-Only Domain Controllers
• What Is a Read-Only Domain Controller?
• Read-Only Domain Controller Features
• Preparing to Install the RODC
• Installing the RODC
• Delegating the RODC Installation
• What Are Password Replication Policies?
• Demonstration: Configuring Administrator Role Separation and Password Replication Policies

What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication
RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller
RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security

Read-Only Domain Controller Features
RODCs provide:
• Unidirectional replication
• Credential caching
• Administrative role separation
• Read-only DNS
• RODC filtered attribute set

Preparing to Install the RODC
Before installing an RODC:
• Ensure that the domain and forest are at the Windows Server 2003 functional level
• Ensure a writable domain controller running Windows Server 2008 is available to replicate the domain partition
• Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
• Run ADPrep /domainprep in all domains if the RODC will be a global catalog server
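Added example, not from the course materials: a PowerShell script that checks the prerequisites listed above, together with the functional-level rule from "What Are Domain and Forest Functional Levels?" and the adprep steps from "Upgrading to Windows Server 2008 AD DS", against a live forest. It uses only the System.DirectoryServices classes that ship with Windows Server 2008 (PowerShell 2.0 syntax, no ActiveDirectory module) and assumes it runs on a domain-joined computer as a user who can read the directory. The adprep marker objects and revision values are the ones Microsoft documents for Windows Server 2008; the combined ReadyForRodc rule is my summary of the slide, not something the course states.

```powershell
# Added example: RODC readiness check (not part of the course). Uses System.DirectoryServices only,
# so it runs on Windows Server 2008 without the ActiveDirectory module (PowerShell 2.0).

function Get-AdRevision([string]$Dn) {
    # adprep stamps a 'revision' attribute on a marker object for each step it completes.
    # 0 means the object is missing, i.e. that adprep step has never run in this forest/domain.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
        return [int]$entry.Properties["revision"].Value
    } catch {
        return 0
    }
}

function Test-RodcReadiness {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
    $schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value
    $domainNc = [string]$rootDse.Properties["defaultNamingContext"].Value

    # Schema objectVersion 44 is the Windows Server 2008 schema written by adprep /forestprep.
    $schema = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $schemaVersion = [int]$schema.Properties["objectVersion"].Value

    # Marker objects for the adprep commands in the upgrade table
    # (revision values as documented for Windows Server 2008; later releases stamp higher values).
    $forestRev = Get-AdRevision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"
    $rodcRev   = Get-AdRevision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc"
    $domainRev = Get-AdRevision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"

    # Writable DCs have primaryGroupID 516 (Domain Controllers); RODC accounts use 521.
    # The operatingSystem value carries a registered-trademark symbol on 2008, so match loosely.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainNc")
    $searcher.Filter = "(&(objectCategory=computer)(primaryGroupID=516)(operatingSystem=*2008*))"
    [void]$searcher.PropertiesToLoad.Add("dNSHostName")
    $writable2008 = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties["dnshostname"][0] })

    $forestOk = $forest.ForestMode -ge [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
    $domainOk = $domain.DomainMode -ge [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain

    New-Object PSObject -Property @{
        ForestFunctionalLevel = $forest.ForestMode
        DomainFunctionalLevel = $domain.DomainMode
        FunctionalLevelsOk    = ($forestOk -and $domainOk)
        SchemaVersion         = $schemaVersion
        ForestPrepDone        = ($schemaVersion -ge 44 -and $forestRev -ge 2)
        DomainPrepDone        = ($domainRev -ge 3)      # required only if the RODC will be a global catalog
        RodcPrepDone          = ($rodcRev -ge 2)        # lets the RODC replicate the DNS application partitions
        Writable2008DCs       = $writable2008
        ReadyForRodc          = ($forestOk -and $domainOk -and $schemaVersion -ge 44 -and
                                 $forestRev -ge 2 -and $rodcRev -ge 2 -and $writable2008.Count -gt 0)
    }
}

Test-RodcReadiness | Format-List
```

Run it from the domain in which the RODC will be installed; a False in any of the *Done or *Ok fields points at the adprep command or functional-level change that still has to happen before Dcpromo will succeed.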

Installing the RODC
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy

To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value

Delegating the RODC Installation
To delegate permission to install an RODC:
• Pre-create the RODC computer account in the Domain Controllers container
• Assign a user or group the permission to install the RODC
To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch (the delegated user performs the installation; a Domain Admin is not needed to create the RODC)

What Are Password Replication Policies?
• The password replication policy determines how the RODC performs credential caching for authenticated users
• By default, the RODC does not cache any user credentials or computer credentials

Options for configuring password replication policies:
• No credentials cached
• Enable credential caching on an RODC for specified accounts
• Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs

Demonstration: Configuring Administrator Role Separation and Password Replication Policies
In this demonstration, you will see how to:
• Configure administrator role separation
• Configure the RODC password replication groups
• Track which users log on to an RODC
• Configure password replication policies for those accounts
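Added example, not from the course materials: a PowerShell audit of one RODC's Password Replication Policy using repadmin /prp, the command-line counterpart of what the demonstration configures in the GUI. It assumes repadmin.exe is available (it is on a domain controller or with the RSAT tools), that the RODC is reachable, and that repadmin prints one distinguished name per list entry, which is the form the parsing relies on. The RODC name (BRANCH-RODC1) and the sensitive-account list are placeholders.

```powershell
# Added example (not from the course): audit an RODC's Password Replication Policy with repadmin /prp.
# Placeholders: BRANCH-RODC1, the account names passed as -SensitiveAccounts, contoso.com.

function Get-PrpList([string]$Rodc, [string]$List) {
    # $List is one of: allow | deny | auth2 (accounts that have authenticated through this RODC)
    #                  | reveal (accounts whose passwords are currently cached on this RODC)
    # Assumption: repadmin prints one distinguished name per entry; keep just the DN part.
    $output = & repadmin /prp view $Rodc $List 2>&1
    return @($output | ForEach-Object { if ("$_" -match '(CN=.+)$') { $matches[1].Trim() } })
}

function Test-RodcPasswordReplicationPolicy([string]$Rodc, [string[]]$SensitiveAccounts) {
    $deny   = Get-PrpList $Rodc deny
    $reveal = Get-PrpList $Rodc reveal
    $auth2  = Get-PrpList $Rodc auth2
    $findings = @()

    # The built-in deny group is what keeps Domain Admins, Enterprise Admins, krbtgt and the
    # other high-value accounts from ever being cached on a branch-office RODC.
    if (-not ($deny | Where-Object { $_ -like 'CN=Denied RODC Password Replication Group,*' })) {
        $findings += "Denied RODC Password Replication Group is missing from the deny list"
    }
    # Any sensitive account that is cached can be recovered by whoever walks off with the RODC's disk.
    foreach ($dn in $reveal) {
        foreach ($name in $SensitiveAccounts) {
            if ($dn -like "CN=$name,*") { $findings += "Sensitive account cached on ${Rodc}: $dn" }
        }
    }
    # Accounts that log on through the RODC but are not cached depend on the WAN link every time;
    # this is the "track which users log on" list that the demonstration turns into PRP entries.
    $notCached = @($auth2 | Where-Object { $reveal -notcontains $_ })

    New-Object PSObject -Property @{
        Rodc                   = $Rodc
        CachedAccounts         = $reveal.Count
        AuthenticatedNotCached = $notCached
        Findings               = $findings
    }
}

$audit = Test-RodcPasswordReplicationPolicy -Rodc "BRANCH-RODC1" -SensitiveAccounts @("Administrator", "krbtgt", "svc-backup")
$audit | Format-List

# Follow-up commands for the findings (run deliberately, not from this script):
#   repadmin /prp move BRANCH-RODC1 Branch-Cached-Users
#       moves the auth2 accounts into a new group and puts that group on the allow list
#   repadmin /prp delete BRANCH-RODC1 reveal "CN=svc-backup,CN=Users,DC=contoso,DC=com"
#       purges one account's cached password from the RODC
```

If an RODC is ever lost or stolen, the reveal list is the set of accounts whose passwords have to be reset; the same list, read regularly, tells you whether the policy in "What Are Password Replication Policies?" is still doing what you configured.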

Lesson 3: Configuring AD DS Domain Controller Roles
• What Are Global Catalog Servers?
• Modifying the Global Catalog
• Demonstration: Configuring Global Catalog Servers
• What Are Operations Master Roles?
• Demonstration: Managing Operations Master Roles
• How Windows Time Service Works
Notes:
• Each site should have at least two global catalog (GC) servers
• Use "Regsvr32.exe schmmgmt.dll" to register the Active Directory Schema snap-in so it can be opened in the MMC

What Are Global Catalog Servers?
[Figure: several domains in a forest; a Global Catalog Query from a client is answered by a Global Catalog Server, which returns the Result]

Modifying the Global Catalog
[Figure: the global catalog attribute set before and after an attribute is added]
Common attributes (the default set):
• firstName
• lastName
• email address
• accountExpires
• distinguishedName

Changed attributes (after adding an attribute to the global catalog):
• department
• firstName
• lastName
• email address
• accountExpires
• distinguishedName

Additional attributes are created on the global catalog server
Add only the additional attributes that you query or refer to frequently

Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
• Configure global catalog servers using Active Directory Sites and Services
• Configure a domain controller on Server Core as a global catalog server
• Add attributes to the global catalog server
Notes:
• A GC increases the replication traffic bandwidth for each domain
• Each domain should have at least two domain controllers

What Are Operations Master Roles?

Role                    Description
Schema Master           • Performs all updates to the Active Directory schema
                        • One per forest; by default held by the first domain controller installed in the forest root domain
Domain Naming Master    • Manages adding and removing all domains and directory partitions
                        • One per forest; by default held by the first domain controller installed in the forest root domain
RID Master              • Allocates blocks of RIDs to each domain controller in the domain
                        • One per domain; by default held by the first domain controller installed in that domain (including each child domain)
PDC Emulator            • Minimizes replication latency for password changes
                        • Synchronizes system time on all domain controllers in the domain
                        • One per domain; by default held by the first domain controller installed in that domain
Infrastructure Master   • Updates object changes and references in its domain that replicate the change to the same object in all other domains
                        • One per domain; by default held by the first domain controller installed in that domain

Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
• Determine which server holds an operations master role
• Move an operations master role
• Seize an operations master role
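Added example, not from the course materials: a PowerShell report of the operations master holders and global catalog placement for the whole forest, which is the "determine which server holds an operations master role" step of the demonstration, plus the two placement rules noted earlier in this lesson (at least two domain controllers per domain, at least two global catalog servers per site). It uses the System.DirectoryServices.ActiveDirectory classes available on Windows Server 2008 and assumes it runs on a domain-joined computer as a user who can read the directory. The Infrastructure Master check at the end is a standard AD design rule that the slides do not state; the ntdsutil lines in the trailing comment are the documented transfer/seize syntax and the server name in them is a placeholder.

```powershell
# Added example (not from the course): operations master and global catalog report.
# Uses System.DirectoryServices.ActiveDirectory, available on Windows Server 2008 (PowerShell 2.0).

function Get-ForestRoleReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $warnings = @()

    # Forest-wide roles: one holder per forest.
    $report = @(
        New-Object PSObject -Property @{ Scope = $forest.Name; Role = "Schema Master";        Holder = $forest.SchemaRoleOwner.Name }
        New-Object PSObject -Property @{ Scope = $forest.Name; Role = "Domain Naming Master"; Holder = $forest.NamingRoleOwner.Name }
    )

    # Domain-wide roles: one holder per domain.
    foreach ($d in $forest.Domains) {
        $report += New-Object PSObject -Property @{ Scope = $d.Name; Role = "PDC Emulator";          Holder = $d.PdcRoleOwner.Name }
        $report += New-Object PSObject -Property @{ Scope = $d.Name; Role = "RID Master";            Holder = $d.RidRoleOwner.Name }
        $report += New-Object PSObject -Property @{ Scope = $d.Name; Role = "Infrastructure Master"; Holder = $d.InfrastructureRoleOwner.Name }

        $dcs = @($d.DomainControllers)
        if ($dcs.Count -lt 2) {
            $warnings += "$($d.Name) has only $($dcs.Count) domain controller(s); aim for at least 2"
        }

        # Design rule (not from the slides): in a multi-domain forest the Infrastructure Master must not
        # be a global catalog unless every DC in the domain is one, or cross-domain references go stale.
        $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog() }).Count
        if ($forest.Domains.Count -gt 1 -and $d.InfrastructureRoleOwner.IsGlobalCatalog() -and $gcCount -lt $dcs.Count) {
            $warnings += "$($d.Name): Infrastructure Master $($d.InfrastructureRoleOwner.Name) is a GC but not all DCs are"
        }
    }

    # Global catalog servers per site (the lesson note: at least two per site).
    foreach ($site in $forest.Sites) {
        $gcs = @($forest.GlobalCatalogs | Where-Object { $_.SiteName -eq $site.Name })
        if ($gcs.Count -lt 2) {
            $warnings += "Site $($site.Name) has $($gcs.Count) global catalog server(s); aim for at least 2"
        }
    }

    New-Object PSObject -Property @{ Roles = $report; Warnings = $warnings }
}

$r = Get-ForestRoleReport
$r.Roles | Format-Table Scope, Role, Holder -AutoSize
$r.Warnings

# Moving a role (the demonstration's "move"): connect to the server that should receive it, then transfer.
#   ntdsutil "roles" "connections" "connect to server nyc-dc2" "quit" "transfer pdc" "quit" "quit"
# "seize pdc" in place of "transfer pdc" is for the case where the current holder is permanently gone;
# the old holder must never be brought back online afterwards with the role still assigned to it.
```

Keep the printed Holder list with your documentation: when a role holder fails, knowing which server held what is the difference between a clean transfer and a seizure.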

How Windows Time Service Works
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers
In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers
[Figure: time synchronization hierarchy: PDC Emulator, then domain controllers, then client computers]

Time synchronization is important because:
• Kerberos authentication includes a time stamp
• Replication between domain controllers is time stamped
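Added example, not from the course materials: a PowerShell check that every domain controller's clock agrees with the PDC Emulator's, using w32tm /monitor. The reason to run it is the first bullet above: Kerberos rejects authentication when the time stamp differs from the domain controller's clock by more than the allowed skew, which is five minutes by default. It assumes w32tm.exe, a reachable domain, and the "NTP: +0.0000000s offset from <server>" line format that w32tm /monitor prints; the domain name is a placeholder and the configuration lines in the trailing comment are the documented w32tm syntax for pointing the PDC Emulator at an external time source.

```powershell
# Added example (not from the course): clock skew between domain controllers and the PDC Emulator.
# Placeholders: contoso.com; the 300-second threshold is the Kerberos default maximum tolerance.

function Get-DcClockOffsets([string]$Domain, [double]$MaxSkewSeconds = 300) {
    # The PDC Emulator is the authoritative source, so name it explicitly in the report.
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $output = & w32tm /monitor /domain:$Domain 2>&1
    $results = @()
    $currentDc = $null
    foreach ($line in $output) {
        # A DC header looks like "nyc-dc2.contoso.com[10.0.0.2:123]:"; the PDC's header also carries "*** PDC ***".
        if ("$line" -match '^(\S+?)(\s*\*\*\* PDC \*\*\*)?\[[^\]]*\]:\s*$') { $currentDc = $matches[1]; continue }
        # The offset line: "    NTP: +0.0123456s offset from nyc-dc1.contoso.com"
        if ($currentDc -and ("$line" -match 'NTP:\s*([+-]?[0-9.]+)s offset from (\S+)')) {
            $offset = [double]$matches[1]
            $results += New-Object PSObject -Property @{
                DomainController = $currentDc
                OffsetSeconds    = $offset
                Reference        = $matches[2]
                WithinSkew       = ([math]::Abs($offset) -le $MaxSkewSeconds)
            }
        }
    }
    New-Object PSObject -Property @{ PdcEmulator = $pdc; Offsets = $results }
}

$check = Get-DcClockOffsets -Domain "contoso.com"
"PDC Emulator (authoritative time source): $($check.PdcEmulator)"
$check.Offsets | Format-Table DomainController, OffsetSeconds, Reference, WithinSkew -AutoSize

# A DC with WithinSkew = False cannot authenticate Kerberos clients reliably and its replication time
# stamps are suspect. Fix the source, not the symptom: on the forest-root PDC Emulator, sync from an
# external server and mark it reliable, then resync (documented w32tm syntax; time server is a placeholder):
#   w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
```

Every other domain controller and client should be left on the default domain hierarchy setting so that they follow the PDC Emulator, which is the arrangement the figure above describes.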

Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles
• Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
• Exercise 2: Installing and Configuring an RODC
• Exercise 3: Configuring AD DS Domain Controller Roles

Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 75 minutes

Lab Review
• Why did Axel's account not have permission to create any objects in AD DS?
• What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1?
• Could you have assigned the Domain Naming Master role to TOR-DC1?
• What would happen when you add a new attribute to the global catalog?

Module Review and Takeaways
• Review questions • Key points
