tion process to the automatically created delegations the wizard generates. This will familiarize you with the various pages presented by the wizards.
■ Practice 2 Work with zones, creating each of the three supported zone types one after the other. Try as many configuration options as possible. Then, create as many different record types as possible. This will familiarize you with the different dialog boxes and wizards used to configure zones and records.
■ Practice 3 Work with the command-line tools and try as many different switches as possible for each tool. The Dnscmd.exe command, especially, will be present on the exam. Familiarity with this command will help you understand its function better.
■ Practice 4 Work with the DNS event log and tracing log and examine their content. Familiarity with DNS logging is essential for any DNS operator.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-640 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.
MORE INFO Practice tests
For details about all the practice test options available, see the “How to Use the Practice Tests” section in this book’s introduction.
Domain Controllers
Domain controllers (DCs) host the directory service and perform the services that support identity and access management in a Microsoft Windows enterprise. To this point in the training kit, you have learned to support the logical and management components of an Active Directory Domain Services (AD DS) infrastructure: users, groups, computers, and Group Policy. Each of these components is contained in the directory database and in SYSVOL on domain controllers. In this chapter, you will begin your exploration of the service-level components of Active Directory, starting with the domain controllers themselves. You will learn how to add Windows Server 2008 domain controllers to a forest or domain, how to prepare a Microsoft Windows Server 2003 forest or domain for its first Windows Server 2008 DC, how to manage the roles performed by DCs, and how to migrate the replication of SYSVOL from the File Replication Service (FRS) used in previous versions of Windows to the Distributed File System Replication (DFS-R) mechanism that provides more robust and manageable replication.
Exam objectives in this chapter:
■ Configure a forest or a domain
■ Configure Active Directory replication
■ Configure operations masters
Lessons in this chapter:
■ Lesson 1: Installing Domain Controllers
■ Lesson 2: Configuring Operations Masters
■ Lesson 3: Configuring DFS Replication of SYSVOL
Before You Begin
To complete the practices in this chapter, you must have created a domain controller named SERVER01 in a domain named contoso.com and a member server named SERVER02, with a full installation, joined to the domain. See Chapter 1, “Installation,” for detailed steps for this task.
Real World
Dan Holme
Active Directory enables you to configure a domain and a forest with a single domain controller. But that’s not enough. Domain controllers provide functionality critical to the identity and access management requirements of an enterprise, and if a domain controller fails, you must have a way to provide continuity of service. That’s why it’s very important to have at least two DCs in a domain. As soon as you start adding DCs to a domain, you start needing to consider replication, and in this chapter, you’ll learn about one of the exciting new features of Windows Server 2008: DFS-R of SYSVOL. FRS, used by previous versions of Windows and supported by Windows Server 2008 for backward compatibility, has been a notorious weak spot prone to problems and difficult to troubleshoot. To take advantage of this feature, all domain controllers must be running Windows Server 2008, so you’ll need to know how to prepare an existing forest for its first Windows Server 2008 DC—another objective of this chapter. Finally, as you add domain controllers to an enterprise, you need to consider the placement of single master operations, which are special roles assigned to one DC in a forest or domain. By the time you’re through with this chapter, you’ll have the skills to improve the redundancy, performance, and manageability of multiple domain controllers in your enterprise.
Lesson 1: Installing Domain Controllers
In Chapter 1, you used the Add Roles Wizard in Server Manager to install Active Directory Domain Services (AD DS). Then you used the Active Directory Domain Services Installation Wizard to create the first DC in the contoso.com forest. Because DCs are critical to authentication, it is highly recommended to maintain at least two domain controllers in each domain in your forest to provide a level of fault tolerance in the event that one DC fails. You might also need to add domain controllers to remote sites or create new domains or trees in your Active Directory forest. In this lesson, you will learn user-interface, command-line, and unattended methods for installing domain controllers in a variety of scenarios.
After this lesson, you will be able to:
■ Install a DC, using the Windows interface, Dcpromo.exe command-line parameters, or an answer file for unattended installation
■ Add Windows Server 2008 DCs to a domain or forest with Windows Server 2003 and Windows 2000 Server DCs
■ Create new domains and trees
■ Perform a staged installation of a read-only domain controller
■ Install a DC from installation media to reduce network replication
■ Remove a domain controller
Estimated lesson time: 60 minutes
Installing a Domain Controller with the Windows Interface
If you want to use the Windows interface to install a domain controller, there are two major steps. First, you must install the AD DS role, which, as you learned in Chapter 1, can be accomplished using the Add Roles Wizard in Server Manager. After the AD DS role installation has copied the binaries required for the role to the server, you must install and configure AD DS by launching the Active Directory Domain Services Installation Wizard, using one of these methods:
■ Click Start and, in the Start Search box, type dcpromo and click OK.
■ When you complete the Add Roles Wizard, click the link to launch the Active Directory Domain Services Installation Wizard.
■ After adding the AD DS role, links will appear in Server Manager that remind you to run the Active Directory Domain Services Installation Wizard. Click any of those links.
The Active Directory Domain Services Installation Wizard is shown in Figure 10-1.
Figure 10-1 The Active Directory Domain Services Installation Wizard
NOTE All-in-one wizard
Microsoft documentation for Windows Server 2008 emphasizes the role-based model, so it recommends you add the AD DS role and then run Dcpromo.exe (the Active Directory Domain Services Installation Wizard). However, you can simply run Dcpromo.exe and, as a first step, the wizard detects that the AD DS binaries are not installed and adds the AD DS role automatically.
Unattended Installation Options and Answer Files
You can also add or remove a domain controller at the command line, using unattended installation supported by the Windows Server 2008 version of Dcpromo.exe. Unattended installation options provide values to the Active Directory Domain Services Installation Wizard. For example, the NewDomainDNSName option specifies a fully qualified domain name (FQDN) for a new domain.
These options can be provided at the command line by typing dcpromo /unattendOption:value, for example, dcpromo /newdomaindnsname:contoso.com. Alternatively, you can provide the options in an unattended installation answer file. The answer file is a text file that contains a section heading, [DCINSTALL], followed by options and their values in the option=value form. For example, the following file provides the NewDomainDNSName option:
[DCINSTALL]
NewDomainDNSName=contoso.com
The answer file is called by adding its path to the unattend parameter, for example:
dcpromo /unattend:"path to answer file"
The options in the answer file can be overridden by parameters on the command line. For example, if the NewDomainDNSName option is specified in the answer file and the /NewDomainDNSName parameter is used on the command line, the value on the command line takes precedence. If any required values are neither in the answer file nor on the command line, the Active Directory Domain Services Installation Wizard will prompt for the answers, so you can use the answer file to partially automate an installation, providing a subset of configuration values to be used during an interactive installation.
The wizard is not available when running Dcpromo.exe from the command line in Server Core.
In that case, the Dcpromo.exe command will return with an error code.
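The following Python script is an added example, not code from the training kit, that applies the two rules just described before anyone runs Dcpromo.exe: it parses a [DCINSTALL] answer file, applies /option:value overrides from a Dcpromo.exe command line (command line wins, option names matched case-insensitively), lists which of the chapter's minimal replica options are still unset (the values the wizard would prompt for interactively, or that make Dcpromo.exe return an error on Server Core), and flags credentials stored in the file in clear text, since the chapter shows that Password accepts * to prompt instead. The sample answer file, the command line and the list of minimal options are constructed here from the option names the chapter shows; nothing is executed against a server.

```python
"""Dry-run check for a Dcpromo.exe unattended installation.

Added example (not from the training kit). Rules applied, as the chapter
states them: a command-line value overrides the same option in the
answer file; a value that is still missing makes the wizard prompt,
except on Server Core, where there is no wizard and Dcpromo.exe returns
an error code. Secrets left in the file in clear text are flagged.
"""
import configparser
import re

# Constructed sample: answer file for an additional DC in contoso.com.
# DatabasePath, LogPath and SYSVOLPath are deliberately left out.
SAMPLE_ANSWER_FILE = """\
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=contoso.com
UserDomain=contoso.com
UserName=CONTOSO\\dan
Password=*
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=S3cret-DSRM-pw
RebootOnCompletion=yes
"""

# Minimal options for joining an existing domain (constructed list, taken
# from the option names in the chapter's replica example).
MINIMAL_REPLICA_OPTIONS = (
    "ReplicaOrNewDomain", "ReplicaDomainDNSName", "UserDomain", "UserName",
    "Password", "InstallDNS", "ConfirmGC", "DatabasePath", "LogPath",
    "SYSVOLPath", "SafeModeAdminPassword", "RebootOnCompletion",
)
# Options whose value is a credential. For the first two the chapter shows
# '*' as the way to be prompted instead of storing the value.
PROMPT_CAPABLE = ("Password", "DNSDelegationPassword")
SECRET_OPTIONS = PROMPT_CAPABLE + ("SafeModeAdminPassword",)

# /option or /option:value; a value may be a quoted path containing spaces.
CLI_OPTION = re.compile(r'/(?P<name>[A-Za-z]+)(?::(?P<value>"[^"]*"|\S+))?')


def parse_answer_file(text):
    """Return the [DCINSTALL] option=value pairs, keeping option-name case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return dict(cp["DCINSTALL"])


def parse_command_line(cmd):
    """Return the /option:value pairs of a dcpromo command line.
    A bare switch such as /unattend is recorded with the value True."""
    return {m.group("name"): (m.group("value") if m.group("value") is not None else True)
            for m in CLI_OPTION.finditer(cmd)}


def merge_options(answer_opts, cli_opts):
    """Precedence rule: command-line values win over answer-file values.
    Names are matched case-insensitively; the result is keyed by lower-case name."""
    effective = {k.lower(): v for k, v in answer_opts.items()}
    for name, value in cli_opts.items():
        if name.lower() == "unattend":
            continue  # names the answer file itself, not an install option
        effective[name.lower()] = value
    return effective


def check_unattended(effective, required=MINIMAL_REPLICA_OPTIONS, server_core=False):
    """Return (missing_options, plaintext_secrets, outcome) for the merged options."""
    missing = [o for o in required if effective.get(o.lower()) in (None, "", True)]
    plaintext = []
    for o in SECRET_OPTIONS:
        value = effective.get(o.lower())
        if value in (None, "", True):
            continue
        if o in PROMPT_CAPABLE and value == "*":
            continue  # '*' means prompt at install time; nothing stored
        plaintext.append(o)
    if not missing:
        outcome = "all values supplied; install runs without prompting"
    elif server_core:
        outcome = "error: no wizard on Server Core, Dcpromo.exe returns an error code"
    else:
        outcome = "wizard prompts interactively for the missing values"
    return missing, plaintext, outcome


if __name__ == "__main__":
    answers = parse_answer_file(SAMPLE_ANSWER_FILE)
    cli = parse_command_line(
        r'dcpromo /unattend:"c:\replica.txt" /ReplicaDomainDNSName:corp.contoso.com '
        r'/databasePath:"e:\ntds" /logPath:"f:\ntdslogs"')
    effective = merge_options(answers, cli)
    for core in (False, True):
        print("Server Core" if core else "Full install", check_unattended(effective, server_core=core))
```

Running the sample reports SYSVOLPath as the one option still missing, SafeModeAdminPassword as the one secret stored in clear text, and a different outcome for a full installation (the wizard prompts) versus Server Core (an error code). A flagged answer file is worth restricting with NTFS permissions and deleting after the promotion completes.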
For a complete list of parameters that you can specify as part of an unattended installation of
AD DS, open an elevated command prompt and type the following command:
dcpromo /?[:operation]
where operation is one of the following:
■ Promotion returns all parameters you can use when creating a domain controller.
■ CreateDCAccount returns all parameters you can use when creating a prestaged account for a read-only domain controller (RODC).
■ UseExistingAccount returns all parameters you can use to attach a new DC to a prestaged RODC account.
■ Demotion returns all parameters you can use when removing a domain controller.
MORE INFO Dcpromo parameters and unattended installation
For a complete reference of Dcpromo parameters and unattended installation options, see http://go.microsoft.com/fwlink/?LinkID=101181.
NOTE Generate an answer file
When you use the Windows interface to create a domain controller, the Active Directory Domain Services Installation Wizard gives you the option, on the Summary page, to export your settings to an answer file. If you need to create an answer file for use from the command line, for example, on a Server Core installation, you can use this shortcut to create an answer file with the correct options and values.
Installing a New Windows Server 2008 Forest
Chapter 1 discussed the installation of the first Windows Server 2008 DC in a new forest, using the Windows interface. Exercise 3, “Install a New Windows Server 2008 Forest with the Windows Interface,” and Exercise 4, “Install a New Windows Server 2008 Forest,” of Lesson 1, “Installing Active Directory Domain Services,” in that chapter detailed the steps to add the AD DS role to a server by using Server Manager and then to run Dcpromo.exe to promote the server to a domain controller. When creating a new forest root domain, you must specify the forest root Domain Name System (DNS) name, its NetBIOS name, and the forest and domain functional levels. The first domain controller cannot be a read-only domain controller and must be a global catalog (GC) server. If the Active Directory Domain Services Installation Wizard detects that it is necessary to install or configure DNS, it does it automatically.
You can also use an answer file by typing dcpromo /unattend:"path to answer file", where the answer file contains unattended installation options and values. The following example contains the minimum parameters for an unattended installation of a new Windows Server 2008 domain controller in a new forest:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fully qualified DNS name
DomainNetBiosName=domain NetBIOS name
ForestLevel={0=Windows 2000 Server Native;
2=Windows Server 2003 Native;
3=Windows Server 2008}
DomainLevel={0=Windows Server 2000 Native;
2=Windows Server 2003 Native;
3=Windows Server 2008}
InstallDNS=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password /forestLevel:3 /domainLevel:3
/rebootOnCompletion:yes
Installing Additional Domain Controllers in a Domain
If you have a domain with at least one domain controller running Windows 2000 Server, Windows Server 2003, or Windows Server 2008, you can create additional domain controllers to distribute authentication, create a level of fault tolerance in the event any one DC fails, or provide authentication in remote sites.
Installing the First Windows Server 2008 Domain Controller in an Existing Forest or Domain
If you have an existing forest with domain controllers running Windows Server 2003 or Windows 2000 Server, you must prepare them prior to creating your first Windows Server 2008 domain controller. That’s because there are objects and attributes that Windows Server 2008 adds to the directory that previous versions of Windows don’t understand. Therefore, the schema must be updated. The schema is the definition of the attributes and object classes that can exist within a domain. It is like the catalog for what can be created in other directory partitions. To prepare the forest schema for Windows Server 2008, follow these steps:
1 Log on to the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
Lesson 2, “Configuring Operations Masters,” discusses operations masters and provides steps for identifying which domain controller is the schema master.
2 Copy the contents of the \Sources\Adprep folder from the Windows Server 2008 DVD to a folder on the schema master.
3 Open a command prompt and change directories to the Adprep folder.
4 Type adprep /forestprep and press Enter.
5 If you plan to install an RODC in any domain in the forest, type adprep /rodcprep and press Enter.
NOTE RODCPREP, anytime
You can also run Adprep /rodcprep at any time in a Windows 2000 Server or Windows Server 2003 forest. It does not have to be run in conjunction with /forestprep; however, you must run it and allow its changes to replicate throughout the forest prior to installing the first RODC. You can run Adprep /rodcprep from any DC as long as you are logged on as a member of the Enterprise Admins group.
Exam Tip The Adprep /rodcprep command is required before installing an RODC into any domain in an existing forest with Windows Server 2003 or Windows 2000 Server domain controllers. It is not necessary if the forest is a new forest consisting only of Windows Server 2008 domain controllers.
You must allow time for the operation to complete. After the changes have replicated throughout the forest, you can continue to prepare the domains for Windows Server 2008. To prepare a Windows 2000 Server or Windows Server 2003 domain for Windows Server 2008, perform these steps:
1 Log on to the domain infrastructure operations master as a member of Domain Admins.
Lesson 2 provides steps for identifying which domain controller is the infrastructure operations master.
2 Copy the contents of the \Sources\Adprep folder from the Windows Server 2008 DVD to a folder on the infrastructure master.
3 Open a command prompt and change directories to the Adprep folder.
4 Type adprep /domainprep /gpprep and press Enter.
On Windows Server 2003, you might receive an error message stating that updates were unnecessary. You can ignore this message.
Allow the change to replicate throughout the forest before you install a domain controller that runs Windows Server 2008.
Installing an Additional Domain Controller
Additional domain controllers can be added by installing AD DS and launching the Active Directory Domain Services Installation Wizard. You are prompted to choose the deployment configuration; to enter network credentials; to select a domain and site for the new DC; and to configure the DC with additional options such as DNS Server, Global Catalog, or Read-Only Domain Controller. The remaining steps are the same as for the first domain controller: configuring file locations and the Directory Services Restore Mode Administrator password.
If you have one domain controller in a domain, and if you select the Use Advanced Mode Installation check box on the Welcome To The Active Directory Domain Services Installation Wizard page, you are able to configure advanced options, which are:
■ Install From Media By default, a new domain controller replicates all data for all directory partitions it will host from other domain controllers during the Active Directory Domain Services Installation Wizard. To improve the performance of installation, particularly over slow links, you can use installation media created by existing domain controllers. Installation media is a form of backup. The new DC is able to read data from the installation media directly and then replicate only updates from other domain controllers. Install From Media (IFM) is discussed in the “Installing AD DS from Media” section.
■ Source Domain Controller If you want to specify the domain controller from which the new DC replicates its data, you can click Use This Specific Domain Controller.
NOTE Dcpromo /adv is still supported
In Windows Server 2003, Dcpromo /adv was used to specify advanced installation options. The adv parameter is still supported; it simply pre-selects the Use Advanced Mode Installation check box on the Welcome page.
To use Dcpromo.exe with command-line parameters to specify unattended installation options, you can use the minimal parameters shown in the following example:
dcpromo /unattend /replicaOrNewDomain:replica
/replicaDomainDNSName:contoso.com /installDNS:yes /confirmGC:yes
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
ReplicaDomainDNSName=FQDN of domain to join
UserDomain=FQDN of domain of user account
UserName=DOMAIN\username (in Administrators group of the domain)
Password=password for user specified by UserName (* to prompt)
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
Installing a New Windows Server 2008 Child Domain
If you have an existing domain, you can create a new child domain by creating a Windows Server 2008 domain controller. Before you do, however, you must run Adprep /forestprep, as described in the “Installing the First Windows Server 2008 Domain Controller in an Existing Forest or Domain” section.
Then install AD DS and launch the Active Directory Domain Services Installation Wizard and, on the Choose A Deployment Configuration page, click Existing Forest and Create A New Domain In An Existing Forest. You are prompted to select the domain functional level. Because it is the first DC in the domain, it cannot be an RODC, and it cannot be installed from media. If you select the Use Advanced Mode Installation check box on the Welcome page, the wizard presents you with a Source Domain Controller page on which you specify a domain controller from which to replicate the configuration and schema partitions.
Using Dcpromo.exe, you can create a child domain with the minimal options shown in the
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password /forestLevel:3 /domainLevel:3
ParentDomainDNSName=FQDN of parent domain
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of ParentDomainDNSName)
Password=password for user specified by UserName or * for prompt
ChildName=single-label prefix for domain
(Child domain FQDN will be ChildName.ParentDomainDNSName)
DomainNetBiosName=Domain NetBIOS name
DomainLevel=domain functional level (not lower than current forest level)
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username with permissions to create
DNS delegation, if different than UserName, above
DNSDelegationPassword=password for DNSDelegationUserName or * for prompt
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
Installing a New Domain Tree
You learned in Chapter 1 that in an Active Directory forest, a tree is composed of one or more domains that share contiguous DNS namespace. So, for example, the contoso.com and subsidiary.contoso.com domains would be in a single tree. Additional trees are simply additional domains that are not in the same namespace. For example, if Contoso, Ltd., bought Tailspin Toys, the tailspintoys.com domain would be in a separate tree in the forest. There is very little functional difference between a child domain and a domain in another tree, and the process for creating a new tree is, therefore, very similar to creating a child domain.
First, you must run Adprep /forestprep, as described in the “Installing the First Windows Server 2008 Domain Controller in an Existing Forest or Domain” section. Then you can install AD DS and run the Active Directory Domain Services Installation Wizard. You must select Use Advanced Mode Installation on the Welcome page of the wizard. On the Choose A Deployment Configuration page, click Existing Forest, select Create A New Domain In An Existing Forest, and select Create A New Domain Tree Root Instead Of A New Child Domain. The rest of the process is identical to creating a new child domain.
The following options provided as parameters to Dcpromo.exe create a new tree for the tailspintoys.com domain within the contoso.com forest:
dcpromo /unattend /installDNS:yes
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=FQDN of new domain
DomainNetBiosName=NetBIOS name of new domain
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of ParentDomainDNSName)
Password=password for user specified by UserName or * for prompt
DomainLevel=domain functional level (not lower than current forest level)
InstallDNS=yes
ConfirmGC=yes
CreateDNSDelegation=yes
DNSDelegationUserName=account with permissions to create DNS delegation, required only if different than UserName, above
DNSDelegationPassword=password for DNSDelegationUserName or * for prompt
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
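The checks below are an added example, not part of the training kit, that apply the rules stated in this section and in the preceding child-domain section to an answer file before Dcpromo.exe is run: the functional-level codes 0, 2 and 3; DomainLevel not lower than the forest level; ChildName as a single label whose domain FQDN becomes ChildName.ParentDomainDNSName; and a new tree root that must lie outside the existing forest's DNS namespace (a name under contoso.com is a child domain, not a tree). The three sample answer files are constructed. Two assumptions are not from the chapter: NewDomain=child is Dcpromo's value for a child domain (the chapter's child listing does not show that line), and the 15-character limit on DomainNetBiosName is a general NetBIOS constraint.

```python
"""Pre-flight consistency checks for new-domain answer files.

Added example, not from the training kit. Rules taken from the chapter:
level codes are 0, 2, 3; DomainLevel may not be lower than the forest
level; ChildName is one label and the FQDN is ChildName.Parent; a tree
root lies outside the existing namespace. Assumptions: NewDomain=child
(Dcpromo's value, not shown in the chapter) and the 15-character NetBIOS
limit (general Active Directory constraint).
"""
import configparser

FUNCTIONAL_LEVELS = {0: "Windows 2000 Server Native",
                     2: "Windows Server 2003 Native",
                     3: "Windows Server 2008"}

# Constructed sample answer files for the three scenarios.
NEW_FOREST = """\
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
ForestLevel=2
DomainLevel=3
"""
CHILD_DOMAIN = """\
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=child
ParentDomainDNSName=contoso.com
ChildName=subsidiary
DomainNetBiosName=SUBSIDIARY
DomainLevel=3
CreateDNSDelegation=yes
"""
# Deliberately wrong: the name sits inside contoso.com, and level 0 is
# lower than the forest level the caller passes in.
BAD_TREE = """\
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=tailspintoys.contoso.com
DomainNetBiosName=TAILSPINTOYS
DomainLevel=0
"""


def parse_answer_file(text):
    """Return the [DCINSTALL] option=value pairs, keeping option-name case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["DCINSTALL"])


def level_code(opts, name, problems):
    """Parse a functional-level option; None if absent or not a valid code."""
    raw = opts.get(name)
    if raw is None:
        return None
    if raw.isdigit() and int(raw) in FUNCTIONAL_LEVELS:
        return int(raw)
    problems.append(f"{name}={raw} is not one of the level codes 0, 2, 3")
    return None


def new_domain_fqdn(opts):
    """FQDN the new domain gets; for a child it is ChildName.ParentDomainDNSName."""
    if opts.get("NewDomain", "").lower() == "child":
        return f"{opts['ChildName']}.{opts['ParentDomainDNSName']}"
    return opts["NewDomainDNSName"]


def validate_new_domain(opts, forest_level=None, forest_root=None):
    """Return a list of problems; empty when the file is consistent.
    forest_level/forest_root describe the existing forest (child and tree
    cases); for a new forest both come from the file itself."""
    problems = []
    if opts.get("ReplicaOrNewDomain", "").lower() != "domain":
        problems.append("ReplicaOrNewDomain must be 'domain' to create a new domain")
    kind = opts.get("NewDomain", "").lower()
    if kind not in ("forest", "child", "tree"):
        return problems + ["NewDomain must be forest, child or tree"]
    domain_level = level_code(opts, "DomainLevel", problems)
    if kind == "forest":
        forest_level = level_code(opts, "ForestLevel", problems)
        if not opts.get("NewDomainDNSName"):
            problems.append("NewDomainDNSName (the forest root FQDN) is required")
    elif kind == "child":
        child, parent = opts.get("ChildName", ""), opts.get("ParentDomainDNSName", "")
        if not child or "." in child:
            problems.append("ChildName must be a single DNS label")
        if not parent:
            problems.append("ParentDomainDNSName is required for a child domain")
    else:  # tree: the new name must not fall under the existing root
        name, root = opts.get("NewDomainDNSName", "").lower(), (forest_root or "").lower()
        if not name:
            problems.append("NewDomainDNSName is required for a new tree")
        elif root and (name == root or name.endswith("." + root)):
            problems.append(f"{name} is inside the {root} namespace; "
                            "that is a child domain, not a new tree")
    if domain_level is not None and forest_level is not None and domain_level < forest_level:
        problems.append(f"DomainLevel {domain_level} is lower than the forest level {forest_level}")
    netbios = opts.get("DomainNetBiosName", "")
    if not netbios:
        problems.append("DomainNetBiosName is required")
    elif len(netbios) > 15:  # general NetBIOS limit (assumption, see lead-in)
        problems.append("DomainNetBiosName is longer than 15 characters")
    return problems


if __name__ == "__main__":
    print(validate_new_domain(parse_answer_file(NEW_FOREST)))
    child = parse_answer_file(CHILD_DOMAIN)
    print(new_domain_fqdn(child), validate_new_domain(child, forest_level=2))
    print(validate_new_domain(parse_answer_file(BAD_TREE), forest_level=2, forest_root="contoso.com"))
```

The forest and child files pass; the tree file produces two findings, the namespace clash and the level that is lower than the existing forest level, which are the two mistakes that would otherwise surface only after replication of the configuration and schema partitions has started.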
Staging the Installation of an RODC
As you remember from Chapter 8, “Authentication,” RODCs are designed to support branch office scenarios by providing authentication local to the site while mitigating the security and data integrity risks associated with placing a DC in a less well-controlled environment. Many times, there are few or no IT support personnel in a branch office. How, then, should a domain controller be created in a branch office?
To answer this question, Windows Server 2008 enables you to create a staged, or delegated, installation of an RODC. The process includes two stages:
■ Create the account for the RODC A member of Domain Admins creates an account for the RODC in Active Directory. The parameters related to the RODC are specified at this time: the name, the Active Directory site in which the RODC will be created, and, optionally, the user or group that can complete the next stage of the installation.
■ Attach the server to the RODC account After the account has been created, AD DS is installed, and the RODC is attached to the domain. These steps can be performed by the users or groups specified when the RODC account was prestaged; these users do not require any privileged group membership. A server can also be attached by a member of Domain Admins or Enterprise Admins, but the ability to delegate this stage to a nonprivileged user makes it much easier to deploy RODCs in branches without IT support. The domain controller will replicate its data from another writable DC in the domain, or you can use the IFM method discussed in the “Installing AD DS from Media” section.
NOTE Promote from a workgroup
When you create an RODC by using the staged approach—when you attach an RODC to a prestaged account—the server must be a member of a workgroup, not of the domain, when you launch Dcpromo.exe or the Active Directory Domain Services Installation Wizard. The wizard will look in the domain for the existing account with its name and will attach to that account.
Creating the Prestaged Account for the RODC
To create the account for the RODC, using the Active Directory Users and Computers snap-in, right-click the Domain Controllers OU and choose Pre-Create Read-Only Domain Controller Account. A wizard appears that is very similar to the Active Directory Domain Services Installation Wizard. You are asked to specify the RODC name and site. You are also able to configure the password replication policy, as detailed in Chapter 8.
On the Delegation Of RODC Installation And Administration page, you can specify one security principal—user or group—that can attach the server to the RODC account you create. The user or group will also have local administrative rights on the RODC after the installation. It is recommended that you delegate to a group rather than to a user. If you do not specify a user or group, only members of the Domain Admins or Enterprise Admins groups can attach the server to the account.
MORE INFO Creating prestaged RODC accounts
You can create prestaged RODC accounts by using Dcpromo.exe with numerous parameters or by creating an answer file for Dcpromo.exe. The steps for doing so are detailed at http://technet2.microsoft.com/windowsserver2008/en/library/f349e1e7-c3ce-4850-9e50-d8886c866b521033.mspx?mfr=true.
Attaching a Server to the RODC Account
After you have prestaged the account, the server can be attached to it. You cannot simply launch the Active Directory Domain Services Installation Wizard. You must do so by typing dcpromo /useexistingaccount:attach. The wizard prompts for network credentials and then finds the RODC account in the domain indicated by the credentials. Remaining steps are similar to other domain controller promotion operations.
To use an answer file, provide the following options and values:
[DCINSTALL]
ReplicaDomainDNSName=FQDN of domain to join
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of the domain)
Password=password for user specified by UserName
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
Run Dcpromo with the unattend:"answer file path" and the UseExistingAccount:Attach options, as in the following example:
dcpromo /useexistingaccount:attach /unattend:"c:\rodcanswer.txt"
All the options just shown in the answer file can also be specified or overridden directly on the command line. Just type a command similar to the following:
dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com
/UserDomain:contoso.com /UserName:contoso\dan /password:*
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password /rebootOnCompletion:yes
Quick Check
■ You administer a domain containing Windows Server 2003 domain controllers. You want to allow a manager at a remote site to promote a member server at a remote site to an RODC. You do not want to give the manager administrative credentials in the domain. What steps must you and the manager take?
Quick Check Answer
■ You must run Adprep /rodcprep to prepare the domain for the RODC. You must then prestage the RODC account, delegating to the manager the ability to attach the domain controller to the account. The manager will run Dcpromo.exe with the UseExistingAccount option to attach the server, but first, the server must be removed from the domain and placed in a workgroup.
Installing AD DS from Media
When you add domain controllers to a forest, data from existing directory partitions are replicated to the new DC. In an environment with a large directory or where bandwidth is constrained between a new DC and a writable DC from which to replicate, you can install AD DS more efficiently by using the IFM option. Installing from media involves creating installation media—a specialized backup of Active Directory that can be used by the Active Directory Domain Services Installation Wizard as a data source for populating the directory on a new DC. Then the new DC will replicate only updates from another writable DC, so if the installation media is recent, you can minimize the impact of replication to a new DC.
Remember that it is not only the directory that must be replicated to a new DC but SYSVOL as well. When you create your installation media, you can specify whether to include SYSVOL on the installation media.
Using IFM also enables you to control the timing of impact to your network bandwidth. You can, for example, create installation media and transfer it to a remote site during off hours, then create the domain controller during normal business hours. Because the installation media is from the local site, impact to the network is reduced, and only updates will be replicated over the link to the remote site.
To create installation media, open a command prompt on a writable domain controller running Windows Server 2008. The installation media is compatible across platforms. Run Ntdsutil.exe and then, at the ntdsutil prompt, type the activate instance ntds command and then the ifm command. At the ifm: prompt, type one of the following commands, based on the type of installation media you want to create:
■ create sysvol full path Creates installation media with SYSVOL for a writable domain controller in the folder specified by Path
■ create full path Creates installation media without SYSVOL for a writable domain controller or an Active Directory Lightweight Directory Services (AD LDS) instance in the folder specified by Path
■ create sysvol rodc path Creates installation media with SYSVOL for a read-only domain controller in the folder specified by Path
■ create rodc path Creates installation media without SYSVOL for a read-only domain controller in the folder specified by Path
When you run the Active Directory Domain Services Installation Wizard, select the Use Advanced Mode Installation check box, and you will be presented the Install From Media page later in the wizard. Choose Replicate Data From Media At The Following Location. You can use the ReplicationSourcePath installation option in an answer file or on the Dcpromo.exe command line.
Practice It Exercise 3, “Create Installation Media,” in the practice at the end of this lesson, steps you through the process of creating installation media with Ntdsutil.exe.
Removing a Domain Controller
You can remove a domain controller by using Dcpromo.exe, either to launch the Active Directory Domain Services Installation Wizard or from a command prompt, specifying options at the command line or in an answer file. When a domain controller is removed while it has connectivity to the domain, it updates the forest metadata about the domain controller so that the directory knows the DC has been removed.
MORE INFO Removing a domain controller
For detailed steps for removing a domain controller, see http://technet2.microsoft.com/windowsserver2008/en/library/9260bb40-a808-422f-b33b-c3d2330f5eb81033.mspx.
If a domain controller must be demoted while it cannot contact the domain, you must use the forceremoval option of Dcpromo.exe. Type dcpromo /forceremoval, and the Active Directory Domain Services Installation Wizard steps you through the process. You are presented warnings related to any roles the domain controller hosts. Read each warning and, after you have mitigated or accepted the impact of the warning, click Yes. You can suppress warnings, using the demotefsmo:yes option of Dcpromo.exe. After the DC has been removed, you must manually clean up the forest metadata.
MORE INFO Performing metadata cleanup
See article 216498 in the Microsoft Knowledge Base for information about performing metadata cleanup. The article is located at http://go.microsoft.com/fwlink/?LinkId=80481.
PRACTICE Installing Domain Controllers
In this practice, you will perform the steps required to install an additional domain controller
in the contoso.com domain. You will install AD DS and configure an additional DC, using the Active Directory Domain Services Installation Wizard. You will not complete the installation.
Instead, you will save the settings as an answer file You will then use the settings to perform
an unattended installation, using the Dcpromo.exe command with installation options.
To perform this exercise, you will need a second server running Windows Server 2008 full
installation. The server must be named SERVER02, and it should be joined to the contoso.com domain.
Its configuration should be as follows:
■ Computer Name: SERVER02
■ Domain Membership: contoso.com
In this exercise, you will use the Active Directory Domain Services Installation Wizard
(Dcpromo.exe) to create an additional domain controller in the contoso.com domain. You will
not complete the installation, however. Instead, you will save the settings as an answer file, which will be used in the next exercise.
1 Log on to SERVER02 as CONTOSO\Administrator.
2 Click Start, click Run, type Dcpromo.exe, and press Enter.
3 Click Next.
4 On the Operating System Compatibility page, review the warning about the default
security settings for Windows Server 2008 domain controllers, and then click Next.
5 On the Choose A Deployment Configuration page, select Existing Forest, select Add A
Domain Controller To An Existing Domain, and then click Next.
6 On the Network Credentials page, type contoso.com in the text box, select My Current
Logged On Credentials, and then click Next.
7 On the Select A Domain page, select contoso.com and click Next.
8 On the Select A Site page, select Default-First-Site-Name and click Next.
The Additional Domain Controller Options page appears. DNS Server and Global Catalog are selected by default.
9 Clear the Global Catalog and DNS Server check boxes, and then click Next.
An Infrastructure Master Configuration Conflict warning appears. You will learn about the infrastructure master in Lesson 2, so you will ignore this error.
10 Click Do Not Transfer The Infrastructure Master Role To This Domain Controller. I Will
Correct The Configuration Later.
11 On the Location For Database, Log Files, And SYSVOL page, accept the default locations
for the database file, the directory service log files, and the SYSVOL files and click Next.
The best practice in a production environment is to store these files on three separate volumes that do not contain applications or other files not related to AD DS. This best practices design improves performance and increases the efficiency of backup and restore.
12 On the Directory Services Restore Mode Administrator Password page, type a strong
password in both the Password and Confirmed Password boxes. Click Next.
Do not forget the password you assigned to the Directory Services Restore Mode Administrator.
13 On the Summary page, review your selections.
If any settings are incorrect, click Back to make modifications.
14 Click Export Settings.
15 Click Browse Folders.
16 Select Desktop.
17 In the File Name box, type AdditionalDC and click Save.
A message appears indicating that settings were saved successfully
18 Click OK.
19 On the Active Directory Domain Services Installation Wizard Summary page, click Cancel.
20 Click Yes to confirm that you are cancelling the installation of the DC.
Exercise 2 Add a Domain Controller from the Command Line
In this exercise, you will examine the answer file you created in Exercise 1, “Create an Additional DC with the Active Directory Domain Services Installation Wizard.” You will use the installation options in the answer file to create a Dcpromo.exe command line to install the additional domain controller.
1 Open the AdditionalDC.txt file you created in Exercise 1.
2 Examine the answers in the file. Can you identify what some of the options mean?
Tip: Lines beginning with a semicolon are comments or inactive lines that have been commented out.
3 Open a command prompt.
You will be building a command line, using the options in the answer file. Position the windows so you can see both Notepad and the command prompt or print the answer file for reference.
4 Determine the command line to install the domain controller with the configuration
contained in the answer file
Parameters on the command line take the form /option:value whereas, in the answer file, they take the form option=value.
5 Type the following command and press Enter:
dcpromo /unattend /replicaornewdomain:replica
where password is a complex password.
6 Installation will complete, and the server will reboot.
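The option=value to /option:value mapping that Exercise 2 asks you to work out by hand can be scripted. The following Python is an added example, not code from the training kit: it parses a constructed answer file (the [DCInstall] keys follow the layout the wizard exports, but treat the exact key set as an assumption and compare it with the AdditionalDC.txt you saved), honours the semicolon comment convention from the tip above, refuses to emit a command while SafeModeAdminPassword is still blank, and can mask credential values so the command line can be recorded safely.

```python
"""Turn a Dcpromo.exe answer file into the equivalent /option:value command line.

Added example for Exercise 2; not code from the training kit. The answer file
below is constructed for the example (its [DCInstall] key set is an assumption).
"""

SAMPLE_ANSWER_FILE = r"""; DCPROMO unattend file (constructed sample, not an exported file)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\AdditionalDC.txt
[DCInstall]
; Replica DC promotion
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=No
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; RebootOnCompletion=Yes
"""

# Options whose values are credentials; never echo them into logs or change records.
SECRET_OPTIONS = {"safemodeadminpassword", "password", "dnsdelegationpassword"}


def parse_answer_file(text):
    """Return the option=value pairs of the [DCInstall] section as a dict.

    Lines beginning with ';' are comments (or options commented out), blank
    lines and the section header carry no option, and the double quotes the
    wizard puts around paths are stripped from the value.
    """
    options = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[dcinstall]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[key.strip()] = value
    return options


def dcpromo_arguments(options, overrides=None):
    """Map option=value pairs to the /option:value form used on the command line.

    `overrides` fills in values the exported file deliberately leaves blank
    (SafeModeAdminPassword); a remaining blank value is an error rather than a
    silently empty parameter.
    """
    merged = dict(options)
    merged.update(overrides or {})
    blank = [key for key, value in merged.items() if value == ""]
    if blank:
        raise ValueError(f"answer file leaves these options blank: {blank}")
    args = []
    for key, value in merged.items():
        if " " in value:
            value = f'"{value}"'
        args.append(f"/{key.lower()}:{value}")
    return args


def build_dcpromo_command(options, overrides=None, redact_secrets=False):
    """Assemble 'dcpromo /unattend /option:value ...'.

    With redact_secrets=True the credential values are masked, which is the
    form to paste into change records or console transcripts.
    """
    args = dcpromo_arguments(options, overrides)
    if redact_secrets:
        args = [
            f"{arg.split(':', 1)[0]}:********"
            if arg.split(":", 1)[0].lstrip("/") in SECRET_OPTIONS
            else arg
            for arg in args
        ]
    return " ".join(["dcpromo", "/unattend", *args])


if __name__ == "__main__":
    parsed = parse_answer_file(SAMPLE_ANSWER_FILE)
    # Example-DSRM-Pa55 is a placeholder; supply the real DSRM password at run time.
    print(build_dcpromo_command(parsed, {"SafeModeAdminPassword": "Example-DSRM-Pa55"},
                                redact_secrets=True))
```

The redacted form is what belongs in the change ticket; the unredacted command is typed once at the SERVER02 prompt, which is also why keeping the DSRM password out of the answer file on disk until the moment of promotion is worthwhile.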
Exercise 3 Create Installation Media
You can reduce the amount of replication required to create a domain controller by promoting the domain controller, using the IFM option. IFM requires that you provide installation media, which is, in effect, a backup of Active Directory. In this exercise, you will create the installation media.
1 Log on to SERVER01 as Administrator.
2 Open a command prompt.
3 Type ntdsutil and press Enter.
4 Type activate instance ntds and press Enter.
5 Type ifm and press Enter.
6 Type ? and press Enter to list the commands available in IFM mode.
7 Type create sysvol full c:\IFM and press Enter.
The installation media files are copied to C:\Ifm.
Lesson Summary
■ AD DS can be installed by running Dcpromo.exe, which launches the Active Directory Domain Services Installation Wizard or, with the unattend option, can obtain installation options from the command line or an answer file.
■ When you introduce the first Windows Server 2008 domain controller into an existing
forest, you must run Adprep /forestprep. Before you introduce the first Windows Server
2008 DC into an existing domain, you must run Adprep /domainprep /gpprep.
■ Before you install the first RODC in a domain containing Windows 2000 Server or
Windows Server 2003 DCs, you must run Adprep /rodcprep.
■ To perform a staged installation of an RODC, you create the account for the RODC and specify the user or group that will be able to attach the RODC to the account.
■ To reduce replication requirements, you can create installation media and use the media
as a source when performing a domain controller promotion.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Installing Domain Controllers.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1 You are an administrator at Trey Research. The Trey Research forest consists of three
domains, each of which includes two domain controllers running Windows Server
2003. You want to upgrade one of the domain controllers to Windows Server 2008. What must you do first?
A Upgrade the domain controller’s operating system to Windows Server 2008.
B Run the Adprep.exe /domainprep /gpprep command.
C Run the Active Directory Domain Services Installation Wizard.
D Run the Adprep.exe /forestprep command.
E Run the Adprep.exe /rodcprep command.
2 You are an administrator at Contoso, Ltd. The domain was built using Windows Server
2008 domain controllers. You want to improve authentication at a remote site by promoting a member server at the site to a read-only domain controller. There is no IT support at the site, so you want the site’s manager to perform the promotion. You do not want to give her administrative credentials in the domain. Which steps must you or the manager take? (Choose all that apply. Each correct answer is part of the solution.)
A Run Adprep /rodcprep.
B Create the RODC account in the Domain Controllers OU.
C Run Dcpromo.exe with the UseExistingAccount option.
D Remove the server from the domain.
3 You want to promote a server to act as a domain controller, but you are concerned about
the replication traffic that will occur during the promotion and its impact on the slow link between the server’s site and the data center where all other domain controllers are located, so you choose to promote the server, using a backup of the directory from another domain controller. What must you do to create the installation media?
A Run Ntbackup.exe and select System State.
B Install the Windows Server Backup Features.
C Run Ntdsutil.exe in the IFM mode and use the Create Sysvol Full command.
D Copy ntds.dit and SYSVOL from a domain controller to a location in the remote site.
Lesson 2: Configuring Operations Masters
In an Active Directory domain, all domain controllers are equivalent. They are all capable of writing to the database and replicating changes to other domain controllers. However, in any multimaster replication topology, certain operations must be performed by one and only one
system. In an Active Directory domain, operations masters are domain controllers that play a
specific role. Other domain controllers are capable of playing the role but do not. This lesson will introduce you to the five operations masters found in Active Directory forests and domains. You will learn their purposes, how to identify the operations masters in your enterprise, and the nuances of administering and transferring roles.
After this lesson, you will be able to:
■ Define the purpose of the five single master operations in Active Directory forests
■ Identify the domain controllers performing operations master roles
■ Plan the placement of operations master roles
■ Transfer and seize operations master roles
Estimated lesson time: 45 minutes
Understanding Single Master Operations
In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion. Active Directory is no exception. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:
■ Operations masters
■ Operations master roles
■ Single master roles
■ Operations tokens
■ Flexible single master operations (FSMOs)
Regardless of the term used, the idea is the same. One domain controller performs a function, and while it does, no other domain controller performs that function.
Not Déjà Vu
If you were an administrator in the days of Microsoft Windows NT 4.0, the concept of operations masters might sound similar to Windows NT primary domain controllers (PDCs). However, single master operations are characteristic of any replicated database, and Active Directory single master operations bear striking differences to Windows NT 4.0 PDCs:
■ All Active Directory domain controllers are capable of performing single master operations. The domain controller that actually does perform an operation is the domain controller that currently holds the operation’s token.
■ An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.
■ To reduce the risk of single points of failure, the operations tokens can be distributed among multiple DCs.
AD DS contains five operations master roles. Two roles are performed for the entire forest:
■ Domain naming
■ Schema
Three roles are performed in each domain:
■ Relative identifier (RID)
■ Infrastructure
■ PDC Emulator
Each of these roles is detailed in the following sections. In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.
Exam Tip Commit to memory the list of forest-wide and domain single master operations. You are likely to encounter questions that test your knowledge of which roles apply to the entire forest and which are domain specific. Exam questions are cast in scenarios and, often, the scenarios provide so much detail that you can lose sight of what is really being asked. When you read items on the certification exam, always ask yourself, “What is really being tested?” Sometimes what is being tested is different from, and simpler than, what the scenario in the question would lead you to believe.
Forest-Wide Operations Master Roles
The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.
Domain Naming Master Role
The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible, or the operation will fail.
Schema Master Role
The domain controller holding the schema master role is responsible for making any changes
to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.
Domain-Wide Operations Master Roles
Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism
is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by assigning a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.
NOTE The RID master role is like DHCP for SIDs
If you are familiar with the concept that you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.
Infrastructure Master Role
In a multidomain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued
member attribute contains the distinguished names of each member. If the member in the
other domain is moved or renamed, the infrastructure master of the group’s domain updates
the group’s member attribute accordingly.
NOTE The infrastructure master
You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.
Phantoms of the Directory
Although you are not expected to understand the internals of the infrastructure master role for the certification exam, such understanding can be helpful in the production environment. When you add a member from another domain into a group in your
domain, the group’s member attribute is appended with the distinguished name of the
new member. However, your domain might not always have access to a domain controller from the member’s domain, so Active Directory creates a phantom object to represent the member. The phantom object includes only the member’s SID, distinguished name (DN), and globally unique identifier (GUID). If the member is moved or renamed in its domain, its GUID does not change, but its DN changes. If the object is moved between domains, its SID also changes. The infrastructure master periodically—every two days by default—contacts a GC or a DC in the member domain. At that time, the infrastructure master looks for each phantom object, using the GUID of the phantom object. It updates the DN of the phantom objects with the current DN of the object. Any change is then propagated to the member attribute of groups.
After a member is moved or renamed in another domain, and until the infrastructure master has updated DNs, you might look at the membership of a group using the Active Directory Users and Computers snap-in, for example, and the group might appear not to include that member. However, the member continues to belong to the group. The member’s memberOf attribute still refers to the group, so the memberOf attribute and the tokenGroups constructed attribute are unchanged. There is no compromise to security; it is only an administrator looking at that particular group membership that would notice the temporary inconsistency.
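The sidebar's point, that a stale phantom DN changes what the administrator sees but not what the security token contains, is easier to trust once you have seen it in a model. The Python below is an added example, not code from the training kit: it is a toy directory in which each domain issues GUIDs and SIDs, a group records a cross-domain member as a phantom (SID, DN, GUID only), and the infrastructure master refreshes phantom DNs by looking the GUID up in a global catalog dictionary. The domain names, SIDs and DNs are constructed for the example.

```python
"""Model of phantom objects and the infrastructure master's refresh.

Added example; not code from the training kit. The classes are a toy model of
the directory: each domain hands out GUIDs and SIDs, and a group stores a
cross-domain member as a phantom holding only SID, DN and GUID.
"""
from dataclasses import dataclass, field
from itertools import count

_guid_source = count(1)  # deterministic stand-in for the real GUID generator


@dataclass
class DirectoryObject:
    guid: str
    sid: str
    dn: str


@dataclass
class Phantom:
    """What a domain keeps about a member that lives in another domain."""
    guid: str
    sid: str
    dn: str  # refreshed by the infrastructure master; may be stale meanwhile


@dataclass
class Group(DirectoryObject):
    member: list = field(default_factory=list)


class Domain:
    def __init__(self, name, domain_sid):
        self.name = name
        self.domain_sid = domain_sid
        self.objects = {}  # GUID -> object; the domain's own partition
        self._next_rid = 1000

    def create(self, dn, cls=DirectoryObject):
        obj = cls(guid=f"guid-{next(_guid_source)}",
                  sid=f"{self.domain_sid}-{self._next_rid}", dn=dn)
        self._next_rid += 1
        self.objects[obj.guid] = obj
        return obj

    def rename(self, obj, new_dn):
        """A rename or move within the domain changes the DN only."""
        obj.dn = new_dn


def add_member(group, obj):
    """Link a foreign object into a group by recording a phantom for it."""
    group.member.append(Phantom(obj.guid, obj.sid, obj.dn))


def member_dns(group):
    """The membership an administrator sees in the snap-in."""
    return [p.dn for p in group.member]


def token_groups(obj, groups):
    """Group SIDs that go into the object's access token: matched by SID, not DN."""
    return sorted(g.sid for g in groups if any(p.sid == obj.sid for p in g.member))


def infrastructure_master_refresh(group, global_catalog):
    """Refresh each phantom's DN from the GC, matching on the GUID, which never changes."""
    updated = 0
    for phantom in group.member:
        current = global_catalog.get(phantom.guid)
        if current is not None and current.dn != phantom.dn:
            phantom.dn = current.dn
            updated += 1
    return updated


def demo():
    tailspin = Domain("tailspin.com", "S-1-5-21-1111-2222-3333")   # constructed
    contoso = Domain("contoso.com", "S-1-5-21-4444-5555-6666")     # constructed
    alice = tailspin.create("CN=Alice,OU=Staff,DC=tailspin,DC=com")
    auditors = contoso.create("CN=Auditors,OU=Groups,DC=contoso,DC=com", cls=Group)
    add_member(auditors, alice)

    tailspin.rename(alice, "CN=Alice Smith,OU=Staff,DC=tailspin,DC=com")
    stale_view = member_dns(auditors)             # the old DN until the refresh
    token_before = token_groups(alice, [auditors])

    gc = {**tailspin.objects, **contoso.objects}  # partial replica of every domain
    updated = infrastructure_master_refresh(auditors, gc)
    return {
        "stale_view": stale_view,
        "fresh_view": member_dns(auditors),
        "token_before": token_before,
        "token_after": token_groups(alice, [auditors]),
        "updated": updated,
    }
```

Because `token_groups` matches on the SID, the rename in tailspin.com never changes Alice's token; only `member_dns`, the administrator's view, lags until the refresh runs.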
PDC Emulator Role
The PDC Emulator role performs multiple, crucial functions for a domain:
■ Emulates a Primary Domain Controller (PDC) for backward compatibility. In the days of Windows NT 4.0 domains, only the PDC could make changes to the directory. Previous tools, utilities, and clients written to support Windows NT 4.0 are unaware that all Active Directory domain controllers can write to the directory, so such tools request a connection to the PDC. The domain controller with the PDC Emulator role registers itself as a PDC so that down-level applications can locate a writable domain controller. Such applications are less common now that Active Directory is nearly 10 years old, and if your enterprise includes such applications, work to upgrade them for full Active Directory compatibility.
■ Participates in special password update handling for the domain. When a user’s password
is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible. If a user attempts to log on immediately after changing passwords, the domain controller responding to the user’s logon request might not know about the new password. Before it rejects the logon attempt, that domain controller forwards the authentication request to a PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request. This function means that any time a user enters an incorrect password, the authentication is forwarded to the PDC emulator for a second opinion. The PDC emulator, therefore, should be highly accessible to all clients in the domain. It should be a well-connected, high-performance DC.
■ Manages Group Policy updates within a domain. If a Group Policy object (GPO) is modified on two DCs at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the focal point for all Group Policy changes. When you open a GPO in Group Policy Management Editor (GPME), the GPME binds to the domain controller performing the PDC emulator role. Therefore, all changes to GPOs are made on the PDC emulator by default.
■ Provides a master time source for the domain. Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Win32Time service, ensures consistency of time. Universal Time Coordinate (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.
MORE INFO Change the time service only one way
It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so. See http://go.microsoft.com/fwlink/?LinkId=91969, and the articles it refers to, for more information.
■ Acts as the domain master browser. When you open Network in Windows, you see a list
of workgroups and domains, and when you open a workgroup or domain, you see a list
of computers. These two lists, called browse lists, are created by the Browser service. In
each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists
of each master browser so that browse clients can retrieve a comprehensive browse list.
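The password-handling function described in the list above involves three parties (the DC that changed the password, the PDC emulator, and the DC that happens to answer the next logon), and the ordering matters. The following Python is an added example, not code from the training kit: a simulation in which a password change replicates to the PDC emulator at once while other DCs wait for the normal cycle, and a DC that cannot verify a password locally asks the PDC emulator before failing the logon. The DC names, user and passwords are constructed, and the SHA-256 digest is only a stand-in for however the directory actually stores credentials.

```python
"""Simulation of the PDC emulator's role in password changes and logons.

Added example; not code from the training kit. Three toy domain controllers
share one user database; only the flow described in the lesson is modelled:
a change replicates to the PDC emulator at once, other DCs wait for the normal
replication cycle, and a DC that rejects a password asks the PDC emulator
before failing the logon. The digest is a stand-in, not how AD stores secrets.
"""
import hashlib


def _digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class DomainController:
    def __init__(self, name, pdc_emulator=False):
        self.name = name
        self.pdc_emulator = pdc_emulator
        self.passwords = {}   # user -> digest held by this DC's replica
        self.forwarded = 0    # logons this DC sent to the PDC emulator

    def verify(self, user, password):
        return self.passwords.get(user) == _digest(password)


class Domain:
    def __init__(self, dcs):
        self.dcs = dcs
        self.pdce = next(dc for dc in dcs if dc.pdc_emulator)
        self.pending = []     # changes awaiting the normal replication cycle

    def create_user(self, user, password):
        for dc in self.dcs:                     # assume the create has replicated
            dc.passwords[user] = _digest(password)

    def change_password(self, dc, user, new_password):
        """The DC applies the change and pushes it to the PDC emulator immediately."""
        digest = _digest(new_password)
        dc.passwords[user] = digest
        self.pdce.passwords[user] = digest      # urgent replication
        self.pending.append((user, digest))     # everyone else: next cycle

    def replicate(self):
        """Normal replication: every DC receives the queued changes."""
        for user, digest in self.pending:
            for dc in self.dcs:
                dc.passwords[user] = digest
        self.pending.clear()

    def logon(self, dc, user, password):
        """Return (accepted, decided_by) for a logon handled by `dc`."""
        if dc.verify(user, password):
            return True, dc.name
        if dc is self.pdce:
            return False, dc.name
        dc.forwarded += 1                       # second opinion from the PDC emulator
        if self.pdce.verify(user, password):
            return True, self.pdce.name
        return False, self.pdce.name


def demo():
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    pdce = DomainController("PDCE", pdc_emulator=True)
    domain = Domain([dc1, dc2, pdce])
    domain.create_user("alice", "Old-Passw0rd")            # constructed sample
    domain.change_password(dc1, "alice", "New-Passw0rd")

    right_before_sync = domain.logon(dc2, "alice", "New-Passw0rd")   # DC2 is stale
    wrong_before_sync = domain.logon(dc2, "alice", "Guess-Passw0rd")
    domain.replicate()
    right_after_sync = domain.logon(dc2, "alice", "New-Passw0rd")
    return {
        "right_before_sync": right_before_sync,   # (True, "PDCE")
        "wrong_before_sync": wrong_before_sync,   # (False, "PDCE")
        "right_after_sync": right_after_sync,     # (True, "DC2")
        "forwarded_by_dc2": dc2.forwarded,        # 2
    }
```

Note that `dc2.forwarded` counts every locally rejected password, not only the stale-replica case: a burst of wrong passwords at any DC becomes a burst of requests at the PDC emulator, which is the operational reason the lesson asks for a well-connected, high-performance DC in that role.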
Placing Operations Masters
When you create the forest root domain with its first domain controller, all five operations master roles are performed by the domain controller. As you add domain controllers to the domain, you can transfer the operations master role assignments to other domain controllers
to balance the load among domain controllers or to optimize placement of a single master operation. The best practices for the placement of operations master roles are as follows:
■ Co-locate the schema master and domain naming master. The schema master and domain naming master roles should be placed on a single domain controller that is a GC server. These roles are rarely used, and the domain controller hosting them should be tightly secured. The domain naming master must be hosted on a GC server because when a new domain is added, the master must ensure that there is no object of any type with the same name as the new domain. The GC’s partial replica contains the name of every object in the forest. The load of these operations master roles is very light unless schema modifications are being made.
■ Co-locate the RID master and PDC Emulator roles. Place the RID and PDC Emulator roles on a single domain controller. If the load mandates that the roles be placed on two separate domain controllers, those two systems should be physically well connected and have explicit connection objects created in Active Directory so that they are direct replication partners. They should also be direct replication partners with domain controllers that you have selected as standby operations masters.
■ Place the infrastructure master on a DC that is not a GC. The infrastructure master should
be placed on a domain controller that is not a GC server but is physically well connected to a GC server. The infrastructure master should have explicit connection objects in Active Directory to that GC server so that they are direct replication partners.
The infrastructure master can be placed on the same domain controller that acts as the RID master and PDC emulator.
NOTE It doesn’t matter if they’re all GCs
If all DCs in a domain are GC servers—which indeed is a best practices recommendation that will be discussed in Chapter 11, “Sites and Replication”—you do not need to worry about which DC is the infrastructure master. When all DCs are GCs, all DCs have up-to-date information about every object in the forest, which eliminates the need for the infrastructure master role.
■ Have a failover plan. In following sections, you will learn to transfer single operations master roles between domain controllers, which is necessary if there is lengthy planned
or unplanned downtime of an operations master. Determine, in advance, a plan for transferring operations roles to other DCs in the event that one operations master is offline.
Identifying Operations Masters
To implement your role placement plan, you must know which DCs are currently performing single master operations roles. Each role is exposed in an Active Directory administrative tool
as well as in other user interface and command-line tools. To identify the current master for each role, use the following tools:
■ PDC Emulator: The Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters. Click the PDC tab. An example is shown in Figure 10-2, which indicates that SERVER01.contoso.com is currently the PDC operations master.
Figure 10-2 PDC Operations Master
■ RID Master: The Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters. Click the RID tab.
■ Infrastructure Master: The Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters. Click the Infrastructure tab.
■ Domain Naming: The Active Directory Domains And Trusts snap-in. Right-click the root node of the snap-in (Active Directory Domains And Trusts) and choose Operations Master.
■ Schema Master: The Active Directory Schema snap-in. Right-click the root node of the snap-in (Active Directory Schema) and choose Operations Master.
NOTE Registering the Active Directory Schema snap-in
You must register the Active Directory Schema snap-in before you can create a custom
Microsoft Management Console (MMC) with the snap-in At a command prompt, type
The following Ntdsutil.exe sequence lists the holders of all five roles as known to the connected domain controller, where DomainControllerFQDN is the FQDN of the DC to query (the opening commands are the same ones used later in this lesson to seize a role):
ntdsutil
roles
connections
connect to server DomainControllerFQDN
quit
select operation target
list roles for connected server
quit
quit
quit
Dcdiag.exe and Netdom.exe can also report the role holders:
dcdiag /test:knowsofroleholders /v
netdom query fsmo
Practice It Exercise 1, “Identify Operations Masters,” in the practice at the end of this lesson, steps you through the identification of operations masters
Transferring Operations Master Roles
You can transfer a single operations master role easily. You will transfer roles in the following scenarios:
■ When you establish your forest, all five roles are performed by the first domain controller you install. When you add a domain to the forest, all three domain roles are performed
by the first domain controller in that domain. As you add domain controllers, you can distribute the roles to reduce single-point-of-failure instances and improve performance.
■ If you plan to take a domain controller offline that is currently holding an operations master role, transfer that role to another domain controller prior to taking it offline.
■ If you are decommissioning a domain controller that currently holds an operations master role, transfer that role to another domain controller prior to decommissioning. The Active Directory Domain Services Installation Wizard will attempt to do so automatically, but you should prepare for demoting a domain controller by transferring its roles.
To transfer an operations master role, follow these steps:
1 Open the administrative tool that exposes the current master.
For example, open the Active Directory Users And Computers snap-in to transfer any of the three domain master roles.
2 Connect to the domain controller to which you are transferring the role.
This is accomplished by right-clicking the root node of the snap-in and choosing Change Domain Controller or Change Active Directory Domain Controller. (The command differs between snap-ins.)
3 Open the Operations Master dialog box, which will show you the domain controller
currently holding the role token for the operation. Click the Change button to transfer the role to the domain controller to which you are connected.
Practice It Exercise 2, “Transfer an Operations Master Role,” in the practice at the end of this lesson, steps you through the transfer of an operations master role.
When you transfer an operations master role, both the current master and the new master are online. The token is transferred, the new master immediately begins to perform the role, and the former master immediately ceases to perform the role. This is the preferred method of moving operations master roles.
It is recommended to make sure that the new role holder is up to date with replication from the former role holder before transferring the role. You can use skills introduced in Chapter 11
to force replication between the two systems.
Recognizing Operations Master Failures
Several operations master roles can be unavailable for quite some time before their absence becomes a problem. Other master roles play a crucial role in the day-to-day operation of your enterprise. You can identify problems with operations masters by examining the Directory Service event log.
However, you will often discover that an operations master has failed when you attempt to perform a function managed by the master, and the function fails. For example, if the RID master fails, eventually you will be prevented from creating new security principals.
Seizing Operations Master Roles
If a domain controller performing a single master operation fails, and you cannot bring the system back to service, you have the option of seizing the operations token. When you seize a role, you designate a new master without gracefully removing the role from the failed master. Seizing a role is a drastic action, so before seizing a role, think carefully about whether it is necessary. Determine the cause and expected duration of the offline operations master. If the operations master can be brought online in sufficient time, wait. What is sufficient time? It depends on the impact of the role that has failed:
■ PDC emulator failure. The PDC emulator is the operations master that will have the most immediate impact on normal operations and on users if it becomes unavailable. Fortunately, the PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.
■ Infrastructure master failure. A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.
■ RID master failure. A failed RID master will eventually prevent domain controllers from creating new SIDs and, therefore, will prevent you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.
■ Schema master failure. The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory integrated application that changes the schema. At other times, the role is not necessary. It can remain offline indefinitely until schema changes are necessary. Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role cannot be brought back online.
■ Domain naming master failure. The domain naming master role is necessary only when you add a domain to the forest or remove a domain from a forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time. Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.
Although you can transfer roles by using the administrative tools, you must use Ntdsutil.exe to seize a role. To seize an operations master role, perform the following steps:
1. From the command prompt, type ntdsutil and press Enter.
2. At the ntdsutil prompt, type roles and press Enter.
The next steps establish a connection to the domain controller you want to perform the single master operation role.
3. At the fsmo maintenance prompt, type connections and press Enter.
4. At the server connections prompt, type connect to server DomainControllerFQDN and press Enter.
DomainControllerFQDN is the FQDN of the domain controller you want to perform the role. Ntdsutil responds that it has connected to the server.
5. At the server connections prompt, type quit and press Enter.
6. At the fsmo maintenance prompt, type seize role and press Enter.
Role is one of the following:
7. At the fsmo maintenance prompt, type quit and press Enter.
8. At the ntdsutil prompt, type quit and press Enter.
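The same ntdsutil sequence can be driven from PowerShell, which lets you record who held the role before the seizure and confirm the result afterwards. The following script is an added example, not code from the training kit or from Microsoft; it assumes a Windows Server 2008 domain controller, an elevated prompt with the rights the role requires, and that the server name and role passed to Invoke-FsmoSeize are placeholders you replace. The .NET role-owner lookup is used so the check works without the Active Directory PowerShell module.

```powershell
# Added example: seize an operations master role with Ntdsutil.exe non-interactively
# and verify the new holder. Not the training kit's own code; names are placeholders.

# The five "seize" subcommands of the ntdsutil fsmo maintenance prompt, by short name.
$SeizeCommands = @{
    pdc            = 'seize PDC'
    infrastructure = 'seize infrastructure master'
    rid            = 'seize RID master'
    schema         = 'seize schema master'
    naming         = 'seize naming master'
}

# Roles whose former holder must be decommissioned after a seizure (see the lesson text).
$NoReturnRoles = @('rid', 'schema', 'naming')

function Get-FsmoRoleHolders {
    # Read the current role holders through .NET; no AD module required.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    @{
        pdc            = $domain.PdcRoleOwner.Name
        infrastructure = $domain.InfrastructureRoleOwner.Name
        rid            = $domain.RidRoleOwner.Name
        schema         = $forest.SchemaRoleOwner.Name
        naming         = $forest.NamingRoleOwner.Name
    }
}

function Invoke-FsmoSeize {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDcFqdn,   # DC that will take the role
        [Parameter(Mandatory=$true)]
        [ValidateSet('pdc', 'infrastructure', 'rid', 'schema', 'naming')]
        [string]$Role
    )
    $before = Get-FsmoRoleHolders
    $formerHolder = $before[$Role]
    if ($formerHolder -ieq $TargetDcFqdn) {
        Write-Warning "$TargetDcFqdn already holds the $Role role; nothing to seize."
        return $before
    }
    # Same sequence as the interactive steps: roles -> connections -> connect to server
    # -> quit -> seize <role> -> quit -> quit, passed as ntdsutil arguments.
    # ntdsutil still shows its seizure confirmation dialog; answer it at the console.
    $ntdsArgs = @(
        'roles', 'connections', "connect to server $TargetDcFqdn", 'quit',
        $SeizeCommands[$Role], 'quit', 'quit'
    )
    & ntdsutil.exe @ntdsArgs

    $after = Get-FsmoRoleHolders
    if ($after[$Role] -ine $TargetDcFqdn) {
        throw "Role $Role is still held by $($after[$Role]); the seizure did not complete."
    }
    if ($NoReturnRoles -contains $Role) {
        Write-Warning ("$Role was seized from $formerHolder. Keep that server off the network, " +
                       "remove AD DS with dcpromo /forceremoval, and clean its metadata; " +
                       "do not return it to service.")
    }
    $after
}

# Usage (placeholder names):
# Invoke-FsmoSeize -TargetDcFqdn 'server02.contoso.com' -Role pdc
```

The post-seizure warning is the part worth keeping in any wrapper you write: the lesson's rule that a seized RID, schema, or domain naming master must never come back online is easy to forget once the immediate outage is over, so the script states it at the moment the seizure succeeds.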
Returning a Role to Its Original Holder
To provide for planned downtime of a domain controller if a role has been transferred, not seized, the role can be transferred back to the original domain controller.
If, however, a role has been seized and the former master is able to be brought back online, you must be very careful. The PDC emulator and infrastructure master are the only operations master roles that can be transferred back to the original master after having been seized.
NOTE Do not return a seized schema, domain naming, or RID master to service
After seizing the schema, domain naming, or RID roles, you must completely decommission the original domain controller.
If you have seized the schema, domain naming, or RID roles to another domain controller, you must not bring the original domain controller back online without first completely decommissioning it. That means you must keep the original role holder physically disconnected from the network, and you must remove AD DS by using the Dcpromo /forceremoval command. You must also clean the metadata for that domain controller as described in http://go.microsoft.com/fwlink/?LinkId=80481.
After the domain controller has been completely removed from Active Directory, if you want the server to rejoin the domain, you can connect it to the network and join the domain. If you want it to be a domain controller, you can promote it. If you want it to resume performing the operations master role, you can transfer the role back to the DC.
NOTE Better to rebuild
Because of the critical nature of domain controllers, it is recommended that you completely reinstall the former domain controller in this scenario.
Quick Check Answer
■ Prior to performing the upgrade, make sure the standby operations master is up to date with replication from the PDC emulator. Then open the Active Directory Users And Computers snap-in, right-click the domain, and choose Change Domain Controller. Select SERVER02. Right-click the domain and choose Operations Masters. Click the PDC tab and click Change. The role is transferred. When SERVER01 comes back online, right-click the domain, choose Change Domain Controller, and select SERVER01. Right-click the domain, choose Operations Masters, click the PDC tab, and click Change.
PRACTICE Transferring Operations Master Roles
In this practice, you will identify the operations masters in the contoso.com domain, and you will transfer an operations master to another domain controller to take the current master offline for maintenance. To perform Exercise 2 in this practice, you must have completed “Practice: Installing Domain Controllers” in Lesson 1 so that you have a second domain controller, SERVER02, in the domain.
Exercise 1 Identify Operations Masters
In this exercise, you will use both user interface and command-line tools to identify operations masters in the contoso.com domain.
1 Log on to SERVER01 as Administrator.
2 Open the Active Directory Users And Computers snap-in.
3 Right-click the contoso.com domain and choose Operations Masters.
4. Click the tab for each operations master.
The tabs identify the domain controllers currently performing the single master operations roles for the domain: PDC emulator, RID master, and Infrastructure master.
5. Click Close.
6 Open the Active Directory Domains And Trusts snap-in.
7. Right-click the root node of the snap-in, Active Directory Domains And Trusts, and choose Operations Master.
The dialog box identifies the domain controller performing the domain naming master role.
8 Click Close.
The Active Directory Schema snap-in does not have a console of its own and cannot be added to a custom console until you have registered the snap-in.
9. Open a command prompt, type regsvr32 schmmgmt.dll, and press Enter.
10 Click OK to close the message box that appears.
11 Click Start and, in the Start Search box, type mmc.exe, and press Enter.
12 Choose Add/Remove Snap-In from the File menu.
13 From the Available snap-ins list, choose Active Directory Schema, click Add, and then
16 Open a command prompt, type the command netdom query fsmo, and press Enter.
All operations masters are listed.
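Step 16 prints all five role holders as plain text. Before a planned outage, the question an operator actually asks is "which roles does the server I am about to shut down still hold?" The following script is an added example, not the training kit's own code: it parses netdom query fsmo output into a role-to-holder table and answers that question for a named DC. The sample output is constructed for offline use, and the exact role labels netdom prints ("Schema master", "Domain naming master", "PDC", "RID pool manager", "Infrastructure master") are an assumption; adjust them if your build prints different labels.

```powershell
# Added example: turn "netdom query fsmo" output into a hashtable and report which
# operations master roles a given DC holds. Sample output below is constructed.

function ConvertFrom-NetdomFsmo {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $roles = @{}
    foreach ($line in $Lines) {
        # Each role line is "<label><two or more spaces><holder FQDN>"; the trailing
        # "The command completed successfully." line has no double-space run and is skipped.
        if ($line -match '^\s*(?<role>\S.*?\S)\s{2,}(?<holder>\S+)\s*$') {
            $roles[$matches.role] = $matches.holder
        }
    }
    $roles
}

function Get-RolesHeldBy {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Roles,
        [Parameter(Mandatory=$true)][string]$DcName   # short name or FQDN
    )
    $held = @()
    foreach ($role in $Roles.Keys) {
        $holder = $Roles[$role]
        # Compare host names only, so SERVER01 matches server01.contoso.com.
        if ($holder.Split('.')[0] -ieq $DcName.Split('.')[0]) { $held += $role }
    }
    $held | Sort-Object
}

function Get-LiveFsmo {
    # Run netdom for real; requires the tool to be installed and a domain-joined host.
    ConvertFrom-NetdomFsmo -Lines (& netdom.exe query fsmo 2>&1)
}

# Constructed sample resembling what step 16 prints in the contoso.com lab domain,
# after the PDC emulator has been moved to SERVER02 as in Exercise 2.
$sample = @(
    'Schema master               SERVER01.contoso.com',
    'Domain naming master        SERVER01.contoso.com',
    'PDC                         SERVER02.contoso.com',
    'RID pool manager            SERVER01.contoso.com',
    'Infrastructure master       SERVER01.contoso.com',
    'The command completed successfully.'
)
$roles = ConvertFrom-NetdomFsmo -Lines $sample
$held  = Get-RolesHeldBy -Roles $roles -DcName 'SERVER01'
if ($held.Count -gt 0) {
    "SERVER01 still holds: $($held -join ', '). Transfer these before taking it offline."
} else {
    "SERVER01 holds no operations master roles."
}
```

Replace the constructed sample with Get-LiveFsmo in a real domain; the same Get-RolesHeldBy call then tells you whether the transfer in Exercise 2 has to happen before the server is shut down.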
Exercise 2 Transfer an Operations Master Role
In this exercise, you will prepare to take the operations master offline by transferring its role to another domain controller. You will then simulate taking it offline, bringing it back online, and returning the operations master role.
1 Open the Active Directory Users And Computers snap-in.
2. Right-click the contoso.com domain and choose Change Domain Controller.
3 In the list of directory servers, select server02.contoso.com and click OK.
Before transferring an operations master, you must connect to the domain controller to which the role will be transferred.
The root node of the snap-in indicates the domain controller to which you are connected: Active Directory Users And Computers [server02.contoso.com].
4. Right-click the contoso.com domain and choose Operations Masters.
5 Click the PDC tab.
The tab indicates that SERVER01.contoso.com currently holds the role token. SERVER02.contoso.com is listed in the second dialog box. It should appear similar to Figure 10-2.
6 Click the Change button.
An Active Directory Domain Services dialog box prompts you to confirm the transfer of the operations master role.
7 Click Yes.
An Active Directory Domain Services dialog box confirms the role was successfully transferred.
8 Click OK, and then click Close.
9 Simulate taking SERVER01 offline for maintenance by shutting down the server.
10 Simulate bringing the server back online by starting the server.
Remember, you cannot bring a domain controller back online if the RID, schema, or domain naming roles have been seized. But you can bring it back online if a role was transferred.
11. Repeat steps 1–8, this time connecting to SERVER01 and transferring the operations master role back to SERVER01.
■ You can transfer a role by using Windows tools or Ntdsutil.exe. Transferring a role is the preferred method for managing operations masters.
■ You can seize a role, using Ntdsutil.exe. This should be done only when the former role holder cannot be brought back online in sufficient time. Only the PDC Emulator and infrastructure roles can be transferred back to the original holder when it comes back online. DCs that held schema, RID, or domain naming roles must be completely decommissioned if those roles are seized.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring Operations Masters.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. You are an administrator at Contoso, Ltd. The contoso.com domain consists of two sites. At the headquarters, one domain controller, named SERVER01, is a GC server and performs all five operations master roles. The second domain controller at the headquarters is named SERVER02. SERVER02 is not a GC and performs no operations master roles. At the branch office, the domain controller is named SERVER03, and it is a GC server. Which change to the operations master role placement must you make?
A Transfer the infrastructure master to SERVER03.
B Transfer the RID master to SERVER02.
C Transfer the schema master to SERVER02.
D Transfer the domain naming master to SERVER03.
E Transfer the infrastructure master to SERVER02.
2. You are an administrator at Contoso, Ltd. The forest consists of two domains, contoso.com and windows.contoso.com. Currently, SERVER02.windows.contoso.com performs all five operations master roles. You are going to decommission the windows.contoso.com domain and move all accounts into contoso.com. You want to transfer all operations masters to SERVER01.contoso.com. Which operations masters do you transfer? (Choose all that apply.)
3. You are an administrator at Contoso, Ltd. The contoso.com domain has five domain controllers. You want to move all domain operations masters to SERVER02.contoso.com. Which masters do you move? (Choose all that apply.)
Lesson 3: Configuring DFS Replication of SYSVOL
SYSVOL, a folder located at %SystemRoot%\SYSVOL by default, contains logon scripts, group policy templates (GPTs), and other resources critical to the health and management of an Active Directory domain. Ideally, SYSVOL should be consistent on each domain controller. However, changes to Group Policy objects and to logon scripts are made from time to time, so you must ensure that those changes are replicated effectively and efficiently to all domain controllers. In previous versions of Windows, the FRS was used to replicate the contents of SYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 domains, you have the option to use DFS-R to replicate the contents of SYSVOL. In this lesson, you will learn how to migrate SYSVOL from FRS to DFS-R.
After this lesson, you will be able to:
■ Raise the domain functional level
■ Migrate SYSVOL replication from FRS to DFS-R
Estimated lesson time: 60 minutes
Raising the Domain Functional Level
In Chapter 12, “Domains and Forests,” you will learn about forest and domain functional levels. A domain’s functional level is a setting that both restricts the operating systems that are supported as domain controllers in a domain and enables additional functionality in Active Directory. A domain with a Windows Server 2008 domain controller can be at one of three functional levels: Windows 2000 Native, Windows Server 2003 Native, and Windows Server 2008. At Windows 2000 Native domain functional level, domain controllers can be running Windows 2000 Server or Windows Server 2003. At Windows Server 2003 Native domain functional level, domain controllers can be running Windows Server 2003. At Windows Server 2008 domain functional level, all domain controllers must be running Windows Server 2008.
As you raise functional levels, new capabilities of Active Directory are enabled. At Windows Server 2008 domain functional level, for example, you can use DFS-R to replicate SYSVOL. Simply upgrading all domain controllers to Windows Server 2008 is not enough: You must specifically raise the domain functional level. You do this by using Active Directory Domains and Trusts. Right-click the domain and choose Raise Domain Functional Level. Then select Windows Server 2008 as the desired functional level and click Raise. After you’ve set the domain functional level to Windows Server 2008, you cannot add domain controllers running Windows Server 2003 or Windows 2000 Server. The functional level is associated only with domain controller operating systems; member servers and workstations can be running Windows Server 2003, Windows 2000 Server, Windows Vista, Windows XP, or Windows 2000 Workstation.
Quick Check
■ You are the administrator of Northwind Traders. The domain consists of three domain controllers. You have upgraded two of them to Windows Server 2008. The third is still running Windows Server 2003. You want to establish DFS-R as the replication mechanism for SYSVOL. What must you do?
Quick Check Answer
■ You must upgrade the third domain controller to Windows Server 2008 and then raise the domain functional level to Windows Server 2008.
Understanding Migration Stages
Because SYSVOL is critical to the health and functionality of your domain, Windows does not provide a mechanism with which to convert replication of SYSVOL from FRS to DFS-R instantly. In fact, migration to DFS-R involves creating a parallel SYSVOL structure. When the parallel structure is successfully in place, clients are redirected to the new structure as the domain’s system volume. When the operation has proven successful, you can eliminate FRS.
Migration to DFS-R thus consists of four stages or states:
■ 0 (start) The default state of a domain controller. Only FRS is used to replicate SYSVOL.
■ 1 (prepared) A copy of SYSVOL is created in a folder called SYSVOL_DFSR and is added to a replication set. DFS-R begins to replicate the contents of the SYSVOL_DFSR folders on all domain controllers. However, FRS continues to replicate the original SYSVOL folders and clients continue to use SYSVOL.
■ 2 (redirected) The SYSVOL share, which originally refers to SYSVOL\sysvol, is changed to refer to SYSVOL_DFSR\sysvol. Clients now use the SYSVOL_DFSR folder to obtain logon scripts and Group Policy templates.
■ 3 (eliminated) Replication of the old SYSVOL folder by FRS is stopped. The original SYSVOL folder is not deleted, however, so if you want to remove it entirely, you must do
■ getglobalstate The getglobalstate option reports the current global DFSR migration state.
■ getmigrationstate The getmigrationstate option reports the current migration state of each domain controller. Because it might take time for domain controllers to be notified of the new global DFSR migration state, and because it might take even more time for a DC to make the changes required by that state, DCs will not be synchronized with the global state instantly. The getmigrationstate option enables you to monitor the progress of DCs toward the current global DFSR migration state.
If there is a problem moving from one state to the next higher state, you can revert to previous states by using the setglobalstate option. However, after you have used the setglobalstate option to specify state 3 (eliminated), you cannot revert to earlier states.
Migrating SYSVOL Replication to DFS-R
To migrate SYSVOL replication from FRS to DFS-R, perform the following steps:
1 Open the Active Directory Domains And Trusts snap-in.
2. Right-click the domain and choose Raise Domain Functional Level.
3. If the Current Domain Functional Level box does not indicate Windows Server 2008, choose Windows Server 2008 from the Select An Available Domain Functional Level list.
4 Click Raise Click OK twice in response to the dialog boxes that appear.
5 Log on to a domain controller and open a command prompt.
6 Type dfsrmig /setglobalstate 1.
7. Type dfsrmig /getmigrationstate to query the progress of DCs toward the Prepared global state. Repeat this step until the state has been attained by all DCs.
This can take 15 minutes to an hour or longer.
8 Type dfsrmig /setglobalstate 2.
9. Type dfsrmig /getmigrationstate to query the progress of DCs toward the Redirected global state. Repeat this step until the state has been attained by all DCs.
This can take 15 minutes to an hour or longer.
10 Type dfsrmig /setglobalstate 3.
After you begin migration from state 2 (redirected) to state 3 (eliminated), any changes made to the SYSVOL folder will have to be replicated manually to the SYSVOL_DFSR folder.
11. Type dfsrmig /getmigrationstate to query the progress of DCs toward the Eliminated global state. Repeat this step until the state has been attained by all DCs. This can take 15 minutes to an hour or longer.
For more information about the Dfsrmig.exe command, type dfsrmig.exe /?.
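Steps 5 through 11 above are a loop an operator repeats by hand: set the global state, poll getmigrationstate until every DC has caught up, then move on. The script below is an added example, not code from the training kit or from Microsoft, that automates that loop and adds the two guards the lesson calls for: the domain functional level must already be Windows Server 2008 (checked through .NET, so no AD module is needed), and state 3 is only entered when an explicit switch is given, because it cannot be reverted. It assumes an elevated prompt on a Windows Server 2008 domain controller; the phrase it looks for in dfsrmig output ("has reached a consistent state") is an assumption about that tool's wording, so confirm it against your own dfsrmig /getmigrationstate output before relying on it.

```powershell
# Added example: run the FRS-to-DFS-R SYSVOL migration stage by stage, waiting for all
# DCs at each stage. Not the training kit's own code; the matched dfsrmig text is assumed.

function Test-DomainIsWindows2008 {
    # DomainMode comes from .NET; Windows2008Domain is the Windows Server 2008 functional level.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainMode -eq [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
}

function Wait-DfsrMigrationState {
    param(
        [Parameter(Mandatory=$true)][int]$TargetState,   # 1 (prepared), 2 (redirected) or 3 (eliminated)
        [int]$TimeoutMinutes = 120,                      # the lesson warns each stage can exceed an hour
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Give DCs a moment to notice the new global state before the first query.
        Start-Sleep -Seconds $PollSeconds
        $output = (& dfsrmig.exe /getmigrationstate) -join "`n"
        # Assumed wording: dfsrmig says "Migration has reached a consistent state on all
        # Domain Controllers" once every DC matches the global state, and "has not yet
        # reached a consistent state" otherwise, so match the positive form only.
        if ($output -match 'has reached a consistent state') { return $true }
        Write-Host ("{0:HH:mm} DCs not yet all at state {1}; polling again in {2}s" -f
                    (Get-Date), $TargetState, $PollSeconds)
    } while ((Get-Date) -lt $deadline)
    $false
}

function Invoke-SysvolDfsrMigration {
    param([switch]$Eliminate)   # state 3 is irreversible, so it needs an explicit request
    if (-not (Test-DomainIsWindows2008)) {
        throw 'Raise the domain functional level to Windows Server 2008 first (Active Directory Domains And Trusts).'
    }
    $states = @(1, 2)
    if ($Eliminate) { $states += 3 }
    foreach ($state in $states) {
        if ($state -eq 3) {
            Write-Warning 'State 3 (eliminated) cannot be reverted; from now on, changes to SYSVOL must be copied to SYSVOL_DFSR by hand.'
        }
        & dfsrmig.exe /setglobalstate $state
        if (-not (Wait-DfsrMigrationState -TargetState $state)) {
            throw "DCs did not reach state $state within the timeout; inspect dfsrmig /getmigrationstate and AD replication before continuing."
        }
    }
    # Final report of the global state, as the lesson's getglobalstate option describes.
    & dfsrmig.exe /getglobalstate
}

# Usage:
#   Invoke-SysvolDfsrMigration              # states 1 and 2 only; FRS still runs, revert is possible
#   Invoke-SysvolDfsrMigration -Eliminate   # also state 3, once the redirected state has proven stable
```

Stopping at state 2 by default mirrors the lesson's advice: the redirected state is where you verify that clients obtain logon scripts and Group Policy templates from SYSVOL_DFSR, and it is the last state from which setglobalstate can still take you back.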