
Module 1: Implementing Active Directory Domain Services (AD DS)

Module Overview
Installing Active Directory Domain Services (AD DS)
Deploying Read-Only Domain Controllers
Configuring AD DS Domain Controller Roles

Lesson 1: Installing Active Directory Domain Services

What Is AD DS?

Active Directory Domain Services (AD DS) provides the functionality of an identity and access (IDA) solution for enterprise networks. Its functions are to:

Store information about users, groups, computers, and other identities.
Authenticate an identity. The server will not grant the user access to the document unless the server can verify the identity presented in the access request as valid. Kerberos authentication: a protocol called Kerberos is used to authenticate identities.
Control access.
Provide an audit trail.

Technologies of ADDS

Active Directory Domain Services (Identity): designed to provide a central repository for identity management within an organization.
Active Directory Lightweight Directory Services (Applications): provides support for directory-enabled applications.
Active Directory Certificate Services (Trust): sets up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.
Active Directory Rights Management Services (Integrity): information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use whether online, offline, inside, or outside the firewall.
Active Directory Federation Services (Partnership): enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments.

Components of an Active Directory Infrastructure


Active Directory data store
Domain controllers
Domain
Forest
Tree
Functional level
Organizational units
Sites

Active Directory data store

Stores identities in the directory, a data store hosted on domain controllers.
Located by default in %SystemRoot%\Ntds.dit.
The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context that contains the data about objects within a domain (the users, groups, and computers, for example).

Domain controllers (DC)

DCs are servers that perform the AD DS role. They host the Kerberos Key Distribution Center (KDC) service, which performs authentication, and other Active Directory services.

Domain

One or more domain controllers are required to create an Active Directory domain.
A domain is an administrative unit within which certain capabilities and characteristics are shared.
All domain controllers replicate the domain's partition of the data store, which contains, among other things, the identity data for the domain's users, groups, and computers.

Forest
A forest is a collection of one or more Active Directory domains.
The first domain installed in a forest is called the forest root domain.
The forest defines a security boundary.

Tree
Trees are created by the DNS namespace of domains in a forest. If a domain is a subdomain of another domain, the two domains are considered a tree.

Functional level
The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features.

Three domain functional levels:
Windows 2000 native
Windows Server 2003
Windows Server 2008

Two forest functional levels:
Microsoft Windows Server 2003
Windows Server 2008

Organizational units
Objects in the data store can be collected in containers. One type of container is the object class called container: the default containers, including Users, Computers, and Builtin.
Another type of container is the organizational unit (OU). OUs provide not only a container for objects but also a scope with which to manage the objects.

Sites
An Active Directory site is an object that represents a portion of the enterprise within which network connectivity is good.
Domain controllers within a site replicate changes within seconds.
For example, when a user logs on to the domain, the Windows client first attempts to authenticate with a domain controller in its site. Only if no domain controller is available in the site will the client attempt to authenticate with a DC in another site.

Requirements for Installing AD DS

Server requirements
A computer running Windows Server 2008
Minimum disk space of 250 MB and a partition formatted with the NTFS file system

Network configuration
TCP/IP must be configured, including DNS client settings
A DNS server that supports dynamic updates must be available or will be configured on the domain controller

Administrator permissions
Local Administrator permissions to install the first domain controller in a forest
Domain Administrator permissions to install additional domain controllers in a domain
Enterprise Administrator permissions to install additional domains in a forest

AD DS Installation Process
1 Install the Active Directory Domain Services role using the Server Manager
2 Run the Active Directory Domain Services Installation Wizard
3 Choose the deployment configuration
4 Select the additional domain controller features
5 Select the location for the database, log files, and SYSVOL folder
6 Configure the Directory Services Restore Mode Administrator password

Advanced Options for Installing AD DS


To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv.

Use the advanced mode options to:
Create a new domain tree
Use backup media as the source for AD DS information
Select the source domain controller for the installation
Modify the default domain NetBIOS name
Define the Password Replication Policy for an RODC

Installing AD DS from Media


Use Ntdsutil.exe to create the installation media. Ntdsutil.exe can create the following types of installation media:
Full (or writable) domain controller
Full (or writable) domain controller without SYSVOL data
Read-only domain controller
Read-only domain controller without SYSVOL data

Upgrading to Windows Server 2008 AD DS


To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:

Current version                Before installing                          Command
Windows 2000, Windows 2003     Windows Server 2008 domain controllers     adprep /forestprep
Windows Server 2000            Windows Server 2008 domain controllers     adprep /domainprep /gpprep
Windows Server 2003            Windows Server 2008 domain controllers     adprep /domainprep
Windows Server 2003            Windows Server 2008 RODCs                  adprep /rodcprep

Installing AD DS on a Server Core Computer


Installing Server Core
Performing Initial Configuration Tasks
Installing AD DS on a Server Core Computer

To install AD DS on a Server Core computer, perform an unattended installation using an answer file.
Use the following syntax with the Dcpromo command: Dcpromo /answer[:filename], where filename is the name of your answer file.

Lesson 2: Deploying Read-Only Domain Controllers


What Is a Read-Only Domain Controller?
Read-Only Domain Controller Features
Preparing to Install the RODC
Installing the RODC
Delegating the RODC Installation
What Are Password Replication Policies?
Demonstration: Configuring Administrator Role Separation and Password Replication Policies

What Is a Read-Only Domain Controller?


RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never initiate replication.

RODCs provide:
Additional security for branch offices with limited physical security
Additional security if applications must run on a domain controller

RODCs:
Cannot hold operations master roles or be configured as replication bridgehead servers
Can be deployed on servers running Windows Server 2008 Server Core for additional security

Read-Only Domain Controller Features


RODCs provide:
Unidirectional replication
Credential caching
Administrative role separation
Read-only DNS
RODC filtered attribute set

Preparing to Install the RODC


Before installing an RODC:
Ensure that the domain and forest are at the Windows Server 2003 functional level
Ensure a writable domain controller running Windows Server 2008 is available to replicate the domain partition
Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
Run ADPrep /domainprep in all domains if the RODC will be a global catalog server

Installing the RODC


1 Choose the option to install an additional domain controller in an existing domain
2 Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3 Choose advanced mode installation if you want to configure the password replication policy

To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value.
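The unattended Server Core procedure from Lesson 1 and the ReplicaOrNewDomain=ReadOnlyReplica value above, combined in one script. This is an added example, not course material: it writes a [DCInstall] answer file and passes it to Dcpromo /answer. It assumes Windows PowerShell is present on the Server Core build (Windows Server 2008 R2 or later; on Windows Server 2008 Server Core write the same file with cmd and call dcpromo the same way). The domain, site, server, group and account names are placeholders, and the [DCInstall] keys are the Windows Server 2008 Dcpromo unattend parameters (check them against dcpromo /? on the target build).

```powershell
# Added example (not part of the course material): promote a Server Core computer to an RODC
# without the wizard by writing a Dcpromo answer file and running Dcpromo /answer:<file>.
# Assumes PowerShell is available on the Server Core build; all names below are placeholders.

$AnswerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# Prompt for the two secrets at run time rather than storing them in the script.
$DsrmPassword  = Read-Host -Prompt 'Directory Services Restore Mode administrator password'
$PromoPassword = Read-Host -Prompt 'Password of the account performing the promotion'

$Answer = @"
[DCInstall]
; ReadOnlyReplica turns an "additional domain controller" installation into an RODC
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch01
; Take the initial replica from a named writable Windows Server 2008 domain controller
ReplicationSourceDC=dc01.corp.example.com
InstallDNS=Yes
ConfirmGc=Yes
; Password replication policy: only branch users may be cached, privileged accounts never
PasswordReplicationAllowed="CORP\Branch01 Users"
PasswordReplicationDenied="CORP\Domain Admins"
; Administrator role separation: local administrator of this RODC without domain-wide rights
DelegatedAdmin="CORP\Branch01 Server Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
; Account with permission to add a domain controller to the domain (placeholder name)
UserDomain=corp.example.com
UserName=svc-dcpromo
Password=$PromoPassword
RebootOnCompletion=No
"@

# The answer file holds both passwords in clear text: write it, use it, delete it, then reboot.
Set-Content -Path $AnswerFile -Value $Answer -Encoding ASCII
try {
    dcpromo "/answer:$AnswerFile"
    $exitCode = $LASTEXITCODE
}
finally {
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}

if ($exitCode -eq 0) {
    Restart-Computer -Force
}
else {
    Write-Warning "Dcpromo returned exit code $exitCode; review %SystemRoot%\debug\dcpromo.log"
}
```

RebootOnCompletion is set to No so the answer file, which contains the DSRM and promotion passwords in clear text, can be deleted before the restart; the script then reboots explicitly. The PasswordReplicationAllowed, PasswordReplicationDenied and DelegatedAdmin keys set the password replication policy and administrator role separation that the wizard's advanced mode exposes.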

Delegating the RODC Installation


To delegate the installation of an RODC:
Pre-create the RODC computer account in the Domain Controllers container
Assign a user or group with permission to install the RODC

To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch.

What Are Password Replication Policies?


The password replication policy determines how the RODC performs credential caching for authenticated users. By default, the RODC does not cache any user credentials or computer credentials.

Options for configuring password replication policies:
No credentials cached
Enable credential caching on an RODC for specified accounts
Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs
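Because the RODC sits where physical security is limited, the useful check is not only what the policy allows but which credentials have actually been cached. The following is an added example, not course material: it reads the configured Allowed and Denied lists of one RODC, lists the accounts whose secrets the RODC has revealed (cached), and flags any privileged account among them. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or later, or RSAT); RODC-BRANCH01 is a placeholder name.

```powershell
# Added example (not part of the course material): audit an RODC's password replication policy
# and the credentials it has actually cached. Requires the Active Directory module (2008 R2+).
Import-Module ActiveDirectory

$Rodc = 'RODC-BRANCH01'   # placeholder RODC name

# 1. The policy as configured: who may be cached (Allowed) and who must never be (Denied).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 2. The policy as it has played out: accounts whose secrets are now stored on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Cross-check: a privileged account in the revealed set defeats the point of an RODC,
#    because anyone who can take the branch server also takes those secrets.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$privilegedDns = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    ForEach-Object { $_.distinguishedName } |
    Select-Object -Unique

$exposed = @($revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName })

'Allowed list   : ' + (($allowed  | ForEach-Object { $_.Name }) -join ', ')
'Denied list    : ' + (($denied   | ForEach-Object { $_.Name }) -join ', ')
'Cached accounts: ' + @($revealed).Count
if ($exposed.Count -gt 0) {
    Write-Warning ("Privileged credentials cached on {0}: {1}" -f $Rodc,
        (($exposed | ForEach-Object { $_.Name }) -join ', '))
}
```

The same information is available without the module through repadmin /prp view <RODC> Allow, Deny and Reveal. When a privileged account does show up as revealed, the remediation is to remove it from the Allowed scope and reset its password, since the RODC copy of the old secret remains until it is overwritten.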

Lesson 3: Configuring AD DS Domain Controller Roles


What Are Global Catalog Servers?
Modifying the Global Catalog
Demonstration: Configuring Global Catalog Servers
What Are Operations Master Roles?
Demonstration: Managing Operations Master Roles
How Windows Time Service Works

What Are Global Catalog Servers?

[Diagram: a global catalog query spanning several domains in the forest is answered with a result from a single Global Catalog Server]

Modifying the Global Catalog


[Diagram: the Global Catalog Server's common attributes (firstName, lastName, email address, accountExpires, distinguishedName) and the changed attribute set, which adds department; additional attributes are created in the global catalog]

Add only the additional attributes that you query or refer to frequently.

What Are Operations Master Roles?


Role                    Scope            Description
Schema Master           One per forest   Performs all updates to the Active Directory schema
Domain Naming Master    One per forest   Manages adding and removing all domains and directory partitions
RID Master              One per domain   Allocates blocks of RIDs to each domain controller in the domain
PDC Emulator            One per domain   Minimizes replication latency for password changes; synchronizes time on all domain controllers in the domain
Infrastructure Master   One per domain   Updates object references in its domain that point to the object in another domain

How Windows Time Service Works


Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.
In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers.

[Diagram: time flows from the PDC Emulator to the domain controllers and from them to client computers]

Time synchronization is important because:
Kerberos authentication includes a time stamp
Replication between domain controllers is time stamped
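Since Kerberos rejects tickets whose time stamp is outside the allowed skew, a practical defender's check is to measure a machine's offset against the PDC Emulator before it reaches that limit. The following is an added example, not course material: it samples the offset with w32tm /stripchart, averages it, and warns when it approaches or exceeds 300 seconds, the default value of the Kerberos policy "Maximum tolerance for computer clock synchronization". The PDC name is a placeholder.

```powershell
# Added example (not part of the course material): measure this computer's clock offset against
# the PDC Emulator with w32tm and flag offsets that would break Kerberos authentication.
$MaxSkewSeconds = 300   # default Kerberos "Maximum tolerance for computer clock synchronization"
$Pdc = 'dc01.corp.example.com'   # placeholder; with the AD module use (Get-ADDomain).PDCEmulator

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # With /dataonly, w32tm /stripchart prints one "hh:mm:ss, +ss.sssssss" line per sample;
    # error lines carry no offset and are skipped by the pattern match.
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples from $Computer; check name resolution and UDP 123" }
    ($offsets | Measure-Object -Average).Average
}

$offset = Get-ClockOffsetSeconds -Computer $Pdc
'Offset from {0}: {1:N3} s' -f $Pdc, $offset
'Local time source: ' + (w32tm /query /source)

if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Clock skew exceeds $MaxSkewSeconds s; Kerberos authentication will fail until time is resynchronized"
}
elseif ([math]::Abs($offset) -gt 60) {
    Write-Warning "Clock is drifting; check the W32Time hierarchy before the Kerberos limit is reached"
}
```

Run it on a member server or workstation that is producing Kerberos failures. A source reported as "Local CMOS Clock" on a domain member means the machine is not following the domain hierarchy at all, which is the usual root cause of the drift the offset check detects.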

Beta Feedback Tool

Beta feedback tool helps:
Collect student roster information, module feedback, and course evaluations.
Identify and sort the changes that students request, thereby facilitating a quick team triage.
Save data to a database in SQL Server that you can later query.

Walkthrough of the tool

Beta Feedback

Overall flow of module:
Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?

Pacing:
Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:
Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?
