Table of Contents
Module Overview 1-1
Lesson 1: Active Directory Improvements 1-2
Lab: Introduction to Active Directory Technology in Windows Server 2008 1-16
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft
makes no representations and warranties, either expressed, implied, or statutory, regarding these
manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or
product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to
third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the
contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.
Microsoft is not responsible for webcasting or any other form of transmission received from any linked site.
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
Microsoft, Microsoft Press, Active Directory, ActiveSync, ActiveX, BitLocker, BizTalk, ForeFront, Internet
Explorer, MSDN, Outlook, PowerPoint, SharePoint, SQL Server, Visual Studio, Windows, Windows Media,
Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and WinFX are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Version 1.1
Module 1: Introduction to Active Directory Technology in Windows Server 2008 1-1
Module Overview
Microsoft® Windows Server® 2008 incorporates several changes that affect Active
Directory® management. The server installation process creates a minimally configured
platform. After the initial configuration tasks are complete, several Active Directory roles
can be added to a server. Roles are added using the Server Manager tool. Several new
Active Directory components, including Active Directory Lightweight Directory Services
(AD LDS) and the Read Only Domain Controller role, enhance Active Directory
functionality.
Objectives
After completing this module, you will be able to:
• List improvements in Active Directory roles
• Describe how to configure roles on Windows Server 2008
Lesson 1: Active Directory Improvements
After the Windows Server 2008 installation process and initial configuration tasks are complete, server roles can be added. Several Active Directory roles can be added, depending on the intended server function. The Server Manager console is used to add these roles.
Windows Server 2008 uses roles to define discrete components of server functionality. Several server roles provide functionality related to Active Directory services.

Server Role: Functionality

Active Directory Certificate Services (AD CS): AD CS enables creation and management of digital certificates for users, computers, and organizations as part of a public key infrastructure (PKI).

Active Directory Domain Services (AD DS): Windows Server 2003 Active Directory functionality has been carried forward into Windows Server 2008 as AD DS, along with an improved installation wizard.

Active Directory Federation Services (AD FS): AD FS provides simplified, secured identity federation and Web single sign-on (SSO) across organizational boundaries.

Active Directory Lightweight Directory Services (AD LDS): The AD LDS server role is a Lightweight Directory Access Protocol (LDAP) directory service. It provides data storage and retrieval for directory-enabled applications, without the dependencies (domains, domain controllers) that Active Directory Domain Services (AD DS) requires.

Active Directory Rights Management Services (AD RMS): AD RMS is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.
Supporting Server Role: Functionality

Domain Name System (DNS): DNS is required to provide name resolution services for Active Directory; domain controllers and clients locate each other through the SRV records that AD DS registers in DNS.

Windows Internet Name Service (WINS): WINS may be used in some environments to provide NetBIOS name resolution for legacy clients, or where a simple, flat namespace is adequate.
Note: The GlobalNames zone type in Windows Server 2008 DNS may allow some organizations to retire WINS.

Dynamic Host Configuration Protocol (DHCP): DHCP is used in many environments to provide IP address assignment.
In this demonstration, you will see how to add Server Features using Server Manager.
• Show how Server Manager can be used to manage server features
• Show how Server Manager automates dependency-checking when adding features
Key Points
The key points of this demonstration are…
• The Server Manager interface is used to add—and remove— features
• Server Manager helps automate the process by checking dependencies
The following table shows some default settings that are configured by the Windows Server 2008 installation process. Commands available in the Initial Configuration Tasks window allow you to modify these defaults.

Setting: Default configuration

Administrator password: The Administrator account password is blank by default. Windows Server 2008 requires you to set a password for this account at the first interactive logon; choose a strong one, because on a fresh installation it is the only account on the server.
Computer name: The computer name is randomly assigned during installation. You can modify the computer name by using commands in the Initial Configuration Tasks window.
Domain membership: The computer is not joined to a domain by default; it is joined to a workgroup named WORKGROUP.
Windows Update: Windows Update is turned off by default.
Network connections: All network connections are set to obtain IP addresses automatically by using DHCP. A server that will hold the DNS, DHCP, or AD DS role needs a static address before the role is added.
Windows Firewall: Windows Firewall is turned on by default.
Roles installed: File Server is installed by default.
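The following Windows PowerShell script is an added example, not part of the course materials. It reads the post-installation state described in the table and reports which of the defaults are still in place, so the outcome of the Initial Configuration Tasks can be checked from the command line on many servers instead of by eye. It uses only WMI, the Windows Update Agent COM object, netsh.exe and ServerManagerCmd.exe, all present on Windows Server 2008. The WIN- followed by eleven characters pattern used to spot an unchanged random computer name is an assumption about the installer's naming scheme, and the hardening targets (domain-joined, static address, automatic updates, every firewall profile on) are this example's choices for a server that will hold an Active Directory role.

```powershell
# Added example: report which Windows Server 2008 installation defaults are still in place.
# Run in an elevated PowerShell prompt on the server itself. Assumptions are marked below.

function Get-InstallDefaultFindings {
    $findings = @()
    $cs = Get-WmiObject Win32_ComputerSystem

    # Computer name: the installer assigns a random name (assumed pattern WIN- + 11 characters).
    if ($cs.Name -match '^WIN-[A-Z0-9]{11}$') {
        $findings += "Computer name '$($cs.Name)' still looks installer-generated."
    }

    # Domain membership: the default is the workgroup WORKGROUP.
    if (-not $cs.PartOfDomain) {
        $findings += "Not domain-joined (workgroup '$($cs.Domain)')."
    }

    # Windows Update: off by default. NotificationLevel 1 = disabled, 4 = install automatically.
    $au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    if ($au.NotificationLevel -ne 4) {
        $findings += "Windows Update is not set to install automatically (level $($au.NotificationLevel))."
    }

    # Addressing: DHCP on every adapter by default; a DC, DNS or DHCP server needs a static address.
    $dhcpNics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                Where-Object { $_.DHCPEnabled }
    foreach ($nic in $dhcpNics) {
        $findings += "Adapter '$($nic.Description)' obtains its address from DHCP."
    }

    # Firewall: on for every profile by default. netsh prints a 'State  ON|OFF' line per profile.
    $fw = netsh advfirewall show allprofiles state | Out-String
    if ($fw -match 'State\s+OFF') {
        $findings += 'At least one Windows Firewall profile is OFF.'
    }

    # Roles: File Services only by default. ServerManagerCmd marks installed items with [X].
    $roles = @(ServerManagerCmd.exe -query | Select-String '^\s*\[X\]' |
               ForEach-Object { $_.Line.Trim() })
    $findings += "Installed roles and features: $($roles.Count)"
    $findings += $roles

    return $findings
}

Get-InstallDefaultFindings | ForEach-Object { Write-Output $_ }
```

Everything the script inspects is readable through the same interfaces remotely (Get-WmiObject -ComputerName, netsh -r), so the same checks can be run from a management workstation once the server is on the network; the ServerManagerCmd query is the one part that must run locally.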
The new Server Manager console simplifies the task of managing and securing server roles in Windows Server 2008. Server Manager provides tools for:
• Managing a server's identity
• Displaying current server status
• Identifying problems with server role configurations
• Managing all roles designated for the server
In short, Server Manager provides a single point for managing a server.
The Server Manager console uses integrated wizards to step the user through adding or removing server roles. You can use Server Manager to add several roles at once, even if they are unrelated. For example, a server being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Services roles added in one operation. The Server Manager wizards perform the necessary dependency checks and conflict resolution so that the resulting server is stable, reliable, and secure. A role service that depends on another component (Internet Printing, for instance, requires the Web Server role) has that component added with it, so review the wizard's confirmation page before proceeding: each dependency that is pulled in is additional attack surface on the server.
Server Manager can also be used as a portal for regular, ongoing server management. The Server Manager console reports on server status, exposes key management tasks, and guides administrators to advanced management tools. A key component of Server Manager is the set of server role home pages. These pages provide an integrated view of server roles, including their current status and current configuration. Some of these pages include a filtered event viewer that displays recent events related specifically to that role. Server role home pages offer controls with which you can diagnose problems by selectively stopping and starting role services. These role-specific summaries highlight potential problems and offer relevant troubleshooting tools.
New DNS Features (continued)

New DNS Feature: Description

Read-Only Domain Controller Support: Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). To support RODCs, a DNS server running Windows Server 2008 supports a new type of zone, the primary read-only zone (also sometimes referred to as a branch-office zone).

GlobalNames Zone: So that organizations can more quickly retire WINS and move to an all-DNS environment (or to provide the benefits of global, single-label names to all-DNS networks), the DNS Server service in Windows Server 2008 supports a new zone, called GlobalNames, to hold these names. In typical cases, the replication scope of this zone is the entire forest, which ensures that the zone has the desired effect of providing unique, single-label names across the entire forest.
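The GlobalNames zone that the table above (and the WINS note in the supporting-roles table) describes is created with the DNS console in the course; the following script is an added example, not from the course, that does the same with dnscmd.exe, the DNS command-line tool that ships with the DNS Server role. Assumed values: the DNS server SEA-DC-01 (the lab's domain controller), the forest DNS name contoso.com, and a single-label name intranet that should resolve the same way everywhere in the forest.

```powershell
# Added example: create a forest-wide GlobalNames zone with dnscmd.exe and publish one
# single-label name in it. Assumed names: DNS server SEA-DC-01, forest contoso.com.
$dnsServers = @('SEA-DC-01')          # every DNS server that must answer single-label queries
$zone       = 'GlobalNames'            # the zone name is fixed; the DNS server looks for this name
$label      = 'intranet'               # single-label name to publish
$target     = 'intranet.contoso.com'   # FQDN the label resolves to

# 1. GlobalNames support is off by default and is a per-server setting: switch it on
#    on every DNS server that will receive single-label queries.
foreach ($server in $dnsServers) {
    dnscmd $server /config /enableglobalnamessupport 1
}

# 2. Create the zone once, AD-integrated, stored in the forest-wide DNS application
#    partition so that every DNS server in the forest replicates it.
dnscmd $dnsServers[0] /zoneadd $zone /dsprimary /dp /forest

# 3. GlobalNames is a static zone. Refuse dynamic updates so that no client (or attacker
#    holding a client account) can register a name that the whole forest will trust.
dnscmd $dnsServers[0] /config $zone /allowupdate 0

# 4. Entries are CNAME records that point at the host's real, suffixed name.
dnscmd $dnsServers[0] /recordadd $zone $label CNAME $target

# 5. Verify: list the zone contents and resolve the single-label name through the server.
dnscmd $dnsServers[0] /enumrecords $zone '@'
nslookup $label $dnsServers[0]
```

Because every DNS server in the forest answers from this one zone, a wrong or planted CNAME in it redirects every client at once. Keep write access to the zone limited to DNS administrators, leave dynamic updates disabled, and include the zone in the change auditing you apply to the rest of the directory.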
Active Directory Domain Services (AD DS) and the Read-Only Domain Controller
To improve the installation and management of Active Directory® Domain Services (AD DS), Windows Server 2008 includes an updated Active Directory Domain Services Installation Wizard. Windows Server 2008 also includes changes to the Microsoft Management Console (MMC) snap-in functions that are used to manage AD DS.
AD DS user interface improvements provide new installation options for domain controllers. Furthermore, the updated Active Directory Domain Services Installation Wizard streamlines and simplifies AD DS installation.
AD DS user interface improvements also provide new management options for AD DS features such as read-only domain controllers (RODCs). Additional changes to the management tools improve the ability to find domain controllers throughout the enterprise. They also provide important controls for new features such as the Password Replication Policy for RODCs.
AD DS user interface improvements do not require any special considerations. The improvements to the Active Directory Domain Services Installation Wizard are all available by default. However, some wizard pages appear only if the Use advanced mode installation check box is selected on the Welcome page of the wizard. For example, use the advanced option if you want to identify the source domain controller for AD DS replication.
Advanced mode installation provides experienced users with more control over the installation process, without confusing newer users with configuration options that might not be familiar. For users who do not select the Use advanced mode installation check box, the wizard uses default options that apply to most configurations.
Note: Although it is not a user interface improvement, new options for running
unattended installation of AD DS are available in Windows Server 2008. Unlike
unattended installation in the Microsoft Windows Server 2003 operating system,
unattended installation in Windows Server 2008 does not require a response to any
user interface prompt, such as a prompt to restart the domain controller. This is
necessary to install AD DS on a Server Core installation of Windows Server 2008,
a new installation option for Windows Server 2008 that does not provide user
interface options, such as the interactive Active Directory Domain Services
Installation Wizard.
Active Directory Lightweight Directory Services (AD LDS)
AD LDS provides much of the same functionality as AD DS (and, in fact, is built on the same code base), but it does not require the deployment of domains or domain controllers.
You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance or configuration set (if the instance is part of a configuration set). Member servers, domain controllers, and stand-alone servers can be configured to run the AD LDS server role.
AD LDS differs from AD DS primarily in that it does not store Windows security principals. While AD LDS can use Windows security principals, such as domain users, in access control lists (ACLs) that control access to objects in AD LDS, Windows cannot authenticate users stored in AD LDS or use AD LDS users in its ACLs. AD LDS does not support domains and forests, Group Policy, or global catalogs.
Applications that were designed to work with Active Directory Application Mode (ADAM), the Windows Server 2003 predecessor of AD LDS, do not require changes in order to function with AD LDS.
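Because several AD LDS instances can coexist on one server, each on its own ports, running under its own service identity and holding its own schema and partitions, an inventory is the first step of any review of them. The script below is an added example, not part of the course: it finds the instances through their Windows services, reads each instance's LDAP and SSL ports from the registry, and binds anonymously to each running instance's RootDSE to list the naming contexts it hosts. The ADAM_<instance> service name and the Port LDAP and Port SSL registry value names are assumptions about how the AD LDS setup registers an instance; confirm them against one known instance before relying on the output.

```powershell
# Added example: inventory the AD LDS instances on the local server and the partitions they host.
# Assumptions: the instance's service is named ADAM_<instance>; its ports are stored under the
# service's Parameters key as 'Port LDAP' and 'Port SSL'. Anonymous RootDSE reads are permitted
# by default, so this needs no special rights.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Get-AdLdsInstance {
    # WQL treats '_' as a wildcard, so it is escaped with brackets.
    Get-WmiObject Win32_Service -Filter "Name LIKE 'ADAM[_]%'" | ForEach-Object {
        $svc      = $_
        $instance = $svc.Name.Substring(5)
        $params   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $ldapPort = $params.'Port LDAP'
        $sslPort  = $params.'Port SSL'

        # namingContexts on the instance's RootDSE lists every partition it holds: the
        # configuration and schema partitions of its configuration set plus the application
        # partitions. A stopped instance cannot be bound to, so only query running ones.
        $partitions = @()
        if ($svc.State -eq 'Running') {
            $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$ldapPort/RootDSE")
            $partitions = @($root.namingContexts | ForEach-Object { [string]$_ })
        }

        $info = New-Object PSObject
        $info | Add-Member NoteProperty Instance   $instance
        $info | Add-Member NoteProperty Service    $svc.Name
        $info | Add-Member NoteProperty RunsAs     $svc.StartName   # the identity whose rights the instance has
        $info | Add-Member NoteProperty State      $svc.State
        $info | Add-Member NoteProperty LdapPort   $ldapPort
        $info | Add-Member NoteProperty SslPort    $sslPort
        $info | Add-Member NoteProperty Partitions ([string]::Join('; ', [string[]]$partitions))
        $info
    }
}

Get-AdLdsInstance | Format-List
```

Two columns deserve attention in the output. RunsAs shows the account the instance runs under: an instance that runs as a domain account, rather than the default Network Service, exposes that account's privileges to anyone who can take over the instance. Partitions shows the configuration set an instance belongs to; instances that share a configuration partition replicate with each other, so a weakly protected instance on one server is a path into the data held on the others.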
RODC Prerequisites
The prerequisites for deploying an RODC are as follows:
• The domain controller that holds the primary domain controller (PDC) emulator operations master role for the domain must be running Windows Server 2008. This is necessary for creating the RODC's own krbtgt account and for ongoing RODC operations.
• The RODC needs to forward authentication requests to a global catalog server running Windows Server 2008 in the site that is closest to the site with the RODC. The Password Replication Policy is evaluated on this domain controller to determine whether credentials are replicated to the branch location for a request forwarded by the RODC.
• The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that need to be impersonated under the context of the caller.
• The forest functional level must be Windows Server 2003 or higher, so that linked-value replication is available. This provides a higher level of replication consistency.
• You must run adprep /rodcprep one time in the forest, as a member of the Enterprise Admins group. This updates the permissions on all of the DNS application directory partitions in the forest so that RODCs that are also DNS servers can replicate them.
• Multiple RODCs for the same domain in the same site are not supported, because RODCs in the same site do not share information with each other. Deploying multiple RODCs for the same domain in the same site can therefore lead to inconsistent logon experiences for users if the writable domain controllers cannot be reached on the network.
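The following Windows PowerShell script is an added example that is not part of the course. Run from a domain-joined Windows Server 2008 machine, it checks the prerequisites above that can be read from the directory (the PDC emulator's operating system, the domain and forest functional levels, the presence of a Windows Server 2008 global catalog, and whether the target site already has an RODC for this domain) and then writes the kind of unattended dcpromo answer file that the earlier note describes, which is the only way to promote an RODC on a Server Core installation. Assumed names: the domain contoso.com, the target site Branch, the group Branch-RODC-Admins for delegated RODC administration and Branch-Users for allowed password replication. The [DCInstall] keys are the documented dcpromo /unattend parameters; whether adprep /rodcprep has been run cannot be confirmed from here, so the script only reminds you. It relies on System.DirectoryServices alone, so it works under PowerShell 1.0.

```powershell
# Added example: RODC prerequisite checks, then an unattended dcpromo answer file.
# Adjust the assumed values below for the real forest.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

$domainName   = 'contoso.com'
$siteName     = 'Branch'
$delegatedAdm = 'CONTOSO\Branch-RODC-Admins'   # local admins of the RODC, not Domain Admins
$prpAllowed   = 'CONTOSO\Branch-Users'         # whose passwords the RODC may cache
$answerPath   = 'C:\rodc-unattend.txt'

function Test-RodcPrerequisites {
    $problems = @()
    $rootDse  = [ADSI]'LDAP://RootDSE'
    # Functional levels: 2 = Windows Server 2003, 3 = Windows Server 2008.
    if ([int]$rootDse.domainFunctionality[0] -lt 2) { $problems += 'Domain functional level is below Windows Server 2003.' }
    if ([int]$rootDse.forestFunctionality[0] -lt 2) { $problems += 'Forest functional level is below Windows Server 2003.' }

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner
    if ($pdc.OSVersion -notmatch '2008') {
        $problems += "PDC emulator $($pdc.Name) runs '$($pdc.OSVersion)', not Windows Server 2008."
    }

    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcs2008 = @($forest.GlobalCatalogs | Where-Object { $_.OSVersion -match '2008' })
    if ($gcs2008.Count -eq 0) { $problems += 'No Windows Server 2008 global catalog server in the forest.' }

    # Existing RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry(),
                    '(&(objectCategory=computer)(primaryGroupID=521))', @('dNSHostName'))
    $rodcs     = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] })
    $dcsInSite = @($domain.FindAllDomainControllers($siteName) | ForEach-Object { $_.Name })
    foreach ($dc in $dcsInSite) {
        if ($rodcs -contains $dc) { $problems += "Site $siteName already has an RODC for this domain: $dc." }
    }
    $problems += 'Reminder: adprep /rodcprep must have been run once in the forest (Enterprise Admins).'
    return $problems
}

function Write-RodcAnswerFile {
    # The DSRM password has to be in the file; the domain credentials do not (Password=* prompts).
    $safeModePwd = Read-Host 'Directory Services Restore Mode password'
    $text = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domainName
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=No
UserDomain=$domainName
UserName=Administrator
Password=*
DelegatedAdmin=$delegatedAdm
PasswordReplicationAllowed=$prpAllowed
PasswordReplicationDenied=CONTOSO\Domain Admins
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$safeModePwd
RebootOnCompletion=No
"@
    Set-Content -Path $answerPath -Value $text -Encoding ASCII
}

Test-RodcPrerequisites | ForEach-Object { Write-Output $_ }
Write-RodcAnswerFile
# On the future RODC (Server Core included, since no wizard is involved):
#   dcpromo /unattend:C:\rodc-unattend.txt
# The file contains the DSRM password: delete it as soon as dcpromo has finished, then reboot.
```

RebootOnCompletion is deliberately No so that the answer file can be deleted before the restart. The allowed and denied password-replication groups written here are the ones that matter most for a branch: anything in the allowed group can have its credentials cached on a server that is physically exposed, so keep that group to the branch's own users and never add privileged accounts to it.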
AD DS Auditing
Note: This new auditing feature also applies to Active Directory Lightweight Directory Services (AD LDS). However, this discussion refers only to AD DS.
The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are recorded in the Security log when certain operations are carried out on objects in the directory. You control which operations are audited by modifying the system access control list (SACL) on an object. In Windows Server 2008 this policy is enabled by default, and it is divided into four subcategories (Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication) that can be set individually with auditpol.exe.
If you define this policy setting by modifying the Default Domain Controllers Policy, you can specify whether to audit successes, audit failures, or not audit at all. Success audits generate an audit entry when a user successfully accesses an AD DS object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an AD DS object that has a SACL specified.
You set a SACL on an AD DS object on the Security tab of that object's properties dialog box (Advanced, then Auditing). Audit directory service access is applied in the same manner as Audit object access; however, it applies only to AD DS objects, not to file system or registry objects. Previously, AD DS auditing logged only the name of the attribute that was changed; it did not log the previous and current values of the attribute. In Windows Server 2008 the Directory Service Changes subcategory records both the old and the new value of a modified attribute, so a change can be reviewed from the event itself.
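The following script is an added example, not part of the course. It enables the two directory-service audit subcategories most relevant to change tracking, then adds a success audit entry for Write Property by Everyone to the SACL of an OU, so that attribute changes on objects beneath it are logged; under the Directory Service Changes subcategory those events (ID 5136) carry both the old and the new value. The OU OU=Branch,DC=contoso,DC=com is an assumption. Run it as a Domain Admin on a domain controller, because reading and writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example: enable directory-service auditing on this DC and put a SACL on an OU.
# Assumed OU: OU=Branch,DC=contoso,DC=com. Run elevated as a Domain Admin on a DC.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

$ouDn = 'OU=Branch,DC=contoso,DC=com'

# 1. The subcategories behind 'Audit directory service access', set with auditpol on this DC.
auditpol /set "/subcategory:Directory Service Access" /success:enable /failure:enable
auditpol /set "/subcategory:Directory Service Changes" /success:enable

# 2. Bind asking for the SACL as well as the DACL; a default bind does not return the SACL.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor `
        [System.DirectoryServices.AuthenticationTypes]::Sacl
$ou = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn", $null, $null, $auth)

# 3. Audit successful Write Property by Everyone on the OU and every object beneath it.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
                [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AuditFlags]::Success,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.ObjectSecurity.AddAuditRule($rule)
$ou.CommitChanges()

# 4. Read the SACL back to confirm the entry landed.
$ou.RefreshCache()
$ou.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyone } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# 5. After a test change to an object under the OU, the newest change events show old and new values.
wevtutil qe Security /q:"*[System[(EventID=5136)]]" /c:5 /rd:true /f:text
```

The auditpol settings are local to the domain controller they are run on and can be overwritten when the category-level setting in the Default Domain Controllers Policy is reapplied; either set the subcategories through Group Policy as well, or enable the policy setting Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings so that the subcategory values win.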
In this demonstration, we will examine the Server Manager, and see how it streamlines
Windows Server 2008 server management. We’ll tour the Server Role home pages, and
see how they help manage the roles and applications installed on a server.
• Show how role management is integrated to Server Manager
Key Points
The key points of this demonstration are…
• Server Manager is a unified interface for role management
After completing this lab, you will be able to:
• Configure Roles and Features in Windows Server 2008
• Configure Role Services
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the
lab, you must:
• Start the SEA-SRV-01, SEA-SRV-02, and SEA-DC-01 virtual machines
Processor: _________________________________
• After the installation program begins the copying files phase, turn
off the SEA-SRV-01 virtual machine.
2. Use the Initial Configuration Tasks.
• Use Initial Configuration Tasks to perform the following actions on SEA-SRV-02:
• Change the Administrator password.
Q What are the characteristics of a strong administrator password?
Note: The answers to the practices and labs are on the Student Materials CD.
• Add the Fax Server role.
Q What role services are available with the Print Services role?
A Print Server (selected by default), LPD Service, and Internet Printing.
• Remove the Active Directory Domain Services role.
• Remove the Print Services role from SEA-SRV-02.
• Add a new role service to SEA-SRV-02.
• Add the Internet Printing role service to Print Services.
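The operations the Server Manager wizard performs in the lesson's branch-office scenario (DNS Server, DHCP Server and Print Services added in one pass with dependency checking) and in the lab steps above (add the Fax Server role, remove Print Services, add the Internet Printing role service) can also be driven from ServerManagerCmd.exe, the command-line front end to Server Manager that ships with Windows Server 2008. The script below is an added example, not part of the course or the lab. The role and role-service identifiers (DNS, DHCP, Print-Services, Print-Server, Print-Internet, Fax) are what this example assumes ServerManagerCmd -query prints on that release; list them on the target server first and correct any that differ. The XML answer file uses the element names of the documented ServerManagerCmd input format.

```powershell
# Added example: Server Manager role operations from an elevated command line.
# Verify every identifier first with:  ServerManagerCmd.exe -query
$answer = 'C:\branch-roles.xml'

# 1. Branch-office provisioning: several unrelated roles in one operation. ServerManagerCmd
#    resolves the dependencies itself, just as the wizard does.
$xml = @"
<ServerManagerConfiguration Action="Install"
    xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1">
  <Role Id="DNS" />
  <Role Id="DHCP" />
  <Role Id="Print-Services">
    <RoleService Id="Print-Server" />
  </Role>
</ServerManagerConfiguration>
"@
Set-Content -Path $answer -Value $xml -Encoding ASCII

# Dry run: -whatif lists what would be installed, including every dependency pulled in.
ServerManagerCmd.exe -inputPath $answer -whatif
# Real run, recording the outcome in an XML result file (add -restart if a reboot is required).
ServerManagerCmd.exe -inputPath $answer -resultPath C:\branch-roles-result.xml

# 2. The lab steps, in the lab's order, one identifier at a time.
ServerManagerCmd.exe -install Fax                        # Add the Fax Server role
ServerManagerCmd.exe -remove  Print-Services -whatif     # what removal takes with it
ServerManagerCmd.exe -remove  Print-Services             # Remove the Print Services role
# Internet Printing depends on Print Services and on the Web Server role: both come back with it.
ServerManagerCmd.exe -install Print-Internet -whatif
ServerManagerCmd.exe -install Print-Internet

# 3. Confirm the end state; installed items are marked [X].
ServerManagerCmd.exe -query | Select-String '^\s*\[X\]'
```

Running -whatif before each install or removal is the command-line equivalent of reading the wizard's confirmation page: it is where you notice that a single role service such as Internet Printing brings an entire web server with it, or that removing a role drops components something else still needs.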
Lab Shutdown
After you complete the lab, you must shut down the virtual machines and discard any
changes.
Important: If the Close dialog box appears, ensure that Turn off and delete
changes is selected, and then click OK.