01-Implementing Active Directory Domain Services

Select the option to install an RODC in the Active Directory Domain Services Installation wizard. To install an RODC on a Server Core installation, use an unattended installation[r]

Module 1: Implementing Active

Directory® Domain

Services

Module Overview

• Installing Active Directory Domain Services

• Deploying Read-Only Domain Controllers

• Configuring AD DS Domain Controller Roles

Lesson 1: Installing Active Directory

Domain Services

• Requirements for Installing AD DS

• What Are Domain and Forest Functional Levels?

• AD DS Installation Process

• Advanced Options for Installing AD DS

• Installing AD DS from Media

• Demonstration: Verifying the AD DS installation

• Upgrading to Windows Server 2008 AD DS

• Installing AD DS on a Server Core Computer

• Discussion: Common Configuration for AD DS

Requirements for Installing AD DS

• Local Administrator permissions to install the first domain controller in a forest

• Domain Administrator permissions to install additional domain controllers in a domain

• Enterprise Administrator permissions to install additional domains in a forest

Administrator

permissions

• TCP/IP must be configured, including DNS

client settings

• DNS Server that supports dynamic updates must

be available or will be configured on the domain

controller

Network

configuration

• A computer running Windows Server 2008

• Minimum disk space of 250 MB and a partition

formatted with NTFS file system

Server

requirements to

install AD DS

What Are Domain and Forest Functional Levels?

Functional levels:

• Determine the AD DS features available in a domain or forest

• Restrict which Windows Server operating systems can be

run on domain controllers in the domain or forest

Supported Domain Controller

Windows Server

2003

Windows Server 2008

Configure the Directory Services Restore

Mode Administrator Password

6

Advanced Options for Installing AD DS

Use the advanced mode options to:

• Create a new domain tree

• Use backup media as the source for AD DS information

To access the advanced mode installation options,

choose the Advanced Mode option in the installation wizard or run DCPromo /adv

To access the advanced mode installation options,

choose the Advanced Mode option in the installation wizard or run DCPromo /adv

• Select the source domain controller for the installation

• Modify the default domain NetBIOS name

• Define the Password Replication Policy for an RODC

Installing AD DS from Media

Use Ntdsutil.exe to create the installation media

Ntdsutil.exe can create the following types of installation media :

• Full (or writable) domain controller

• Full (or writable) domain controller without SYSVOL data

• Read-only domain controller without SYSVOL data

• Read-only domain controller

Demonstration: Verifying the AD DS Installation

In this demonstration, you will see how to verify the

AD DS installation

Upgrading to Windows Server 2008 AD DS

• Windows Server 2008 domain controllers

• Windows Server 2008 domain controllers

To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:

adprep /rodcprep

Windows Server

2003

• Windows Server 2008 RODCs

Installing AD DS on a Server Core Computer

To install AD DS on a Server Core computer, perform an unattended installation using an answer file

Use following syntax with the Dcpromo command:

Dcpromo /answer[:filename]

Where filename is the name of your answer

Use following syntax with the Dcpromo command:

Dcpromo /answer[:filename]

Where filename is the name of your answer

Discussion: Common Configuration for AD DS

• What additional steps would you take in your environment after installing the first Windows Server 2008 domain

controller?

• How would these tasks change after you have deployed additional domain controllers in your domain?

• Which of the recommendations listed in the Server

Manager apply to your organization?

Lesson 2: Deploying Read-Only

Domain Controllers

• What Is a Read-Only Domain Controller?

• Read-Only Domain Controller Features

• Preparing to Install the RODC

• Installing the RODC

• Delegating the RODC Installation

• What Are Password Replication Policies?

• Demonstration: Configuring Administrator Role Separation and Password Replication Policies

What Is a Read-Only Domain Controller?

RODCs host read-only partitions of the

Active Directory database, only accept

replicated changes to Active Directory,

and never initiate replication

RODCs host read-only partitions of the

Active Directory database, only accept

replicated changes to Active Directory,

and never initiate replication

RODCs:

• Cannot hold operation master roles or be configured as

replication bridgehead servers

• Can be deployed on servers running Windows Server 2008

Server core for additional security

RODCs provide:

• Additional security for branch office with

limited physical security

• Additional security if applications must run on a

domain controller

RODC

Read-Only Domain Controller Features

Preparing to Install the RODC

Before installing an RODC:

• Ensure that the domain and forest is at a Windows Server

2003 functional level

• Ensure a writeable domain controller running

Windows Server 2008 is available to replicate

the domain partition

• Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions

• Run ADPrep /domainprep in all domains if the

RODC will be a global catalog server

Installing the RODC

Choose the option to install an additional domain controller

in an existing domain

1

Choose advanced mode installation if you want to

configure the password replication policy

3

Select the option to install an RODC in the Active Directory Domain Services Installation wizard

2

To install an RODC on a Server Core installation, use an

unattended installation file with the

ReplicaOrNewDomain=ReadOnlyReplica value

Delegating the RODC Installation

To delegate the installation of a RODC:

• Pre-create the RODC computer account in the

Domain Controllers container

• Assign a user or group with permission to install the RODC

To complete a delegated RODC installation, run DCPromo

with the /UseExistingAccount:Attach switch

What Are Password Replication Policies?

• The password replication policy determines how the

RODC performs credential caching for authenticated user

• By default, the RODC does not cache any user credentials

• Add users or groups to the Domain RODC Password

Allowed group so credentials are cached on all RODCs

Demonstration: Configuring Administrator Role Separation and Password Replication Policies

In this demonstration, you will see how to:

• Configure administrator role separation

• Configure the RODC password replication groups

• Track which users log on to a RODC

• Configure password replication policies for those accounts

Lesson 3: Configuring AD DS Domain

Controller Roles

• What Are Global Catalog Servers?

• Modifying the Global Catalog

• Demonstration: Configuring Global Catalog Servers

• What Are Operations Master Roles?

• Demonstration: Managing Operation Master Roles

• How Windows Time Service Works

What Are Global Catalog Servers?

Domain

Domain

Domain Domain

Domain

Domain Domain

Global Catalog Server

Global Catalog Server

Global Catalog

Result Query

Modifying the Global Catalog

firstName lastName email address accountExpires distinguishedName

firstName lastName email address accountExpires distinguishedName

Common Attributes

Common Attributes

Global Catalog Server

Global Catalog Server

Create additional attributes

Create additional attributes

Add only the additional attributes that you query or refer to frequently

Add only the additional attributes that you query or refer to frequently

department

firstName lastName email address accountExpires distinguishedName

department

firstName lastName email address accountExpires distinguishedName

Changed Attributes

Changed Attributes

Demonstration: Configuring Global

Catalog Servers

In this demonstration, you will see how to:

• Configure global catalog servers using Active Directory Sites and Services

• Configure a domain controller on Server Core as a global catalog server

• Add attributes to the global catalog server

What Are Operations Master Roles?

Schema Master • One per forest

• Performs all updates to the Active Directory schema

Domain

Naming Master

• One per forest

• Manages adding and removing all domains and directory partitions

RID Master

• One per domain

• Allocates blocks of RIDs to each domain controller in the domain

PDC Emulator

• One per domain

• Minimizes replication latency for password changes

• Synchronizes time on all domain controllers in the domain

Infrastructure

Master

• One per domain

• Updates object references in its domain that point to the object

in another domain

Demonstration: Managing Operations

Master Roles

In this demonstration, you will see how to:

• Determine which server holds an operations master role

• Move an operations master role

• Seize an operations master role

How Windows Time Service Works

Time synchronization is important because:

• Kerberos authentication includes a time stamp

• Replication between domain controllers is time stamped

Windows Time service (W32Time)

provides network clock

synchronization for domain

controllers and client computers

Domain controllers

PDC Emulator

Client computers

Client computers

In a Windows Server 2008 forest,

the PDC Emulator is used to

provide the authoritative time

for all other computers

Lab: Implementing Read-Only

Domain Controllers

• Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

• Exercise 2: Installing and Configuring an RODC

• Exercise 3: Configuring AD DS Domain Controller Roles

Logon information

Virtual machine

6425A-NYC-DC1, 6425A-NYC-

object created from TOR-DC1 to NYC-DC1?

• Could you have assigned the Domain Naming Master role

to TOR-DC1?

• What would happen when you add a new attribute to the global catalog?

Module Review and Takeaways

• Review questions

• Key points

Beta Feedback Tool

• Beta feedback tool helps:

 Collect student roster information, module feedback, and course evaluations

 Identify and sort the changes that students request, thereby facilitating a quick team triage

 Save data to a database in SQL Server that you can later query

• Walkthrough of the tool

Beta Feedback

 Which topics did you think flowed smoothly, from topic to topic?

 Was something taught out of order?

 Were you able to keep up? Are there any places where the pace felt too slow?

 Were you able to process what the instructor said before

moving on to next topic?

 Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

knowledge in your work environment?

 Were there any discussion questions or reflection questions that really made you think? Were there questions you

thought weren’t helpful?