
Module 1: Implementing Active Directory® Domain Services (AD DS)


Module Overview
• Installing Active Directory Domain Services (AD DS)
• Deploying Read-Only Domain Controllers
• Configuring AD DS Domain Controller Roles


Lesson 1: Installing Active Directory Domain Services
What Is AD DS?
• Active Directory Domain Services (AD DS) provides the functionality of an identity and access (IDA) solution for enterprise networks.
• Stores information about users, groups, computers, and other identities.
• Authenticates an identity.
 The server will not grant the user access to the document unless the server can verify that the identity presented in the access request is valid.
 Kerberos authentication: a protocol called Kerberos is used to authenticate identities.
• Controls access.
• Provides an audit trail.


Technologies of AD DS
 Active Directory Domain Services (Identity): designed to provide a central repository for identity management within an organization.
 Active Directory Lightweight Directory Services (Applications): provides support for directory-enabled applications.
 Active Directory Certificate Services (Trust): sets up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.
 Active Directory Rights Management Services (Integrity): information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use whether online, offline, inside, or outside the firewall.
 Active Directory Federation Services (Partnership): enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments.
Components of an Active Directory Infrastructure
 Active Directory data store
 Domain controllers
 Domain
 Forest
 Tree
 Functional level
 Organizational units
 Sites
Active Directory data store
• Stores identities in the directory, a data store hosted on domain controllers.
• Located by default in the folder %SystemRoot%\Ntds.dit
• The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context that contains the data about objects within a domain: the users, groups, and computers, for example.
Domain controllers (DC)
• DCs are servers that perform the AD DS role.
• DCs host the Kerberos Key Distribution Center (KDC) service, which performs authentication, and other Active Directory services.
Domain
• One or more domain controllers are required to create an Active Directory domain.
• A domain is an administrative unit within which certain capabilities and characteristics are shared.
• All domain controllers replicate the domain’s partition of the data store, which contains, among other things, the identity data for the domain’s users, groups, and computers.
Forest
• A forest is a collection of one or more Active Directory domains.
• The first domain installed in a forest is called the forest root domain.
• The forest defines a security boundary.
Tree
• Created by the DNS namespace of domains in a forest.
• When a domain is a subdomain of another domain, the two domains are considered a tree.
Functional level
• The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features.
• Three domain functional levels:
 Windows 2000 native
 Windows Server 2003
 Windows Server 2008
• Two forest functional levels:
 Microsoft Windows Server 2003
 Windows Server 2008
Organizational units
• Objects in the data store can be collected in containers.
• One type of container is the object class called container.
• Default containers, including Users, Computers, and Builtin, …
• Another type of container is the organizational unit (OU).
 OUs provide not only a container for objects but also a scope with which to manage the objects.
Sites
• An Active Directory site is an object that represents a portion of the enterprise within which network connectivity is good.
• Domain controllers within a site replicate changes within seconds.
 For example, when a user logs on to the domain, the Windows client first attempts to authenticate with a domain controller in its site. Only if no domain controller is available in the site will the client attempt to authenticate with a DC in another site.
Requirements for Installing AD DS
Server requirements to install AD DS:
• A computer running Windows Server 2008
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system
Network configuration:
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or one will be configured on the domain controller
Administrator permissions:
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest
AD DS Installation Process
1 Install the Active Directory Domain Services role using Server Manager
2 Run the Active Directory Domain Services Installation Wizard
3 Choose the deployment configuration
4 Select the additional domain controller features
5 Select the location for the database, log files, and SYSVOL folder
6 Configure the Directory Services Restore Mode Administrator password
Advanced Options for Installing AD DS
To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv
Use the advanced mode options to:
• Create a new domain tree
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name
• Define the Password Replication Policy for an RODC

Installing AD DS from Media
Use Ntdsutil.exe to create the installation media.
Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller without SYSVOL data
• Read-only domain controller without SYSVOL data
• Read-only domain controller

Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:
Current version | Before installing | Command
Windows 2000 or Windows Server 2003 | Windows Server 2008 domain controllers | adprep /forestprep
Windows 2000 | Windows Server 2008 domain controllers | adprep /domainprep /gpprep
Windows Server 2003 | Windows Server 2008 domain controllers | adprep /domainprep
Windows Server 2003 | Windows Server 2008 RODCs | adprep /rodcprep
Installing AD DS on a Server Core Computer
• Installing Server Core
• Performing Initial Configuration Tasks
• Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file.
Use the following syntax with the Dcpromo command:
Dcpromo /answer[:filename]
where filename is the name of your answer file.
Lesson 2: Deploying Read-Only Domain Controllers
• What Is a Read-Only Domain Controller?
• Read-Only Domain Controller Features
• Preparing to Install the RODC
• Installing the RODC
• Delegating the RODC Installation
• What Are Password Replication Policies?
• Demonstration: Configuring Administrator Role Separation and Password Replication Policies
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never initiate replication.
RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller
RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security
Read-Only Domain Controller Features
RODCs provide:
• Unidirectional replication
• Credential caching
• Administrative role separation
• Read-only DNS
• RODC filtered attribute set

Preparing to Install the RODC
Before installing an RODC:
• Ensure that the domain and forest are at the Windows Server 2003 functional level
• Ensure that a writeable domain controller running Windows Server 2008 is available to replicate the domain partition
• Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
• Run ADPrep /domainprep in all domains if the RODC will be a global catalog server
Installing the RODC
1 Choose the option to install an additional domain controller in an existing domain
2 Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3 Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value.
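An added example, not from the course slides, that combines the Dcpromo /answer syntax from Lesson 1 with the ReplicaOrNewDomain=ReadOnlyReplica value above: a PowerShell script that writes the answer file and promotes a Server Core computer to an RODC. It assumes Windows PowerShell is present on the Server Core computer (Windows Server 2008 R2 or later); corp.contoso.com, BranchSite, the CORP\... groups and the file path are placeholders, and the [DCInstall] keys other than ReplicaOrNewDomain are dcpromo's unattend keys as the editor knows them (verify with dcpromo /?:Promotion on your build).

```powershell
# Added example, not from the course slides: promote a Server Core computer to
# an RODC with an unattended "Dcpromo /answer" run. Assumptions: Windows
# PowerShell on the Server Core computer (Windows Server 2008 R2 or later);
# corp.contoso.com, BranchSite, the CORP\... groups and the file path are
# placeholders; [DCInstall] keys other than ReplicaOrNewDomain are dcpromo's
# unattend keys (verify with "dcpromo /?:Promotion" on your build).
$answerFile = 'C:\rodc-answer.txt'

# The DSRM password is stored in the answer file in clear text: collect it at
# the prompt rather than hard-coding it, and delete the file afterwards.
$dsrm = Read-Host 'Directory Services Restore Mode administrator password'

$answer = @"
[DCInstall]
; Steps 1 and 2 on the slide: additional DC in an existing domain, as an RODC
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.contoso.com
SiteName=BranchSite
InstallDNS=Yes
ConfirmGc=Yes
; Step 3 on the slide (advanced mode): password replication policy.
; Cache only the branch users; never cache privileged groups. Denied wins.
PasswordReplicationAllowed="CORP\Branch Users"
PasswordReplicationDenied="CORP\Domain Admins"
PasswordReplicationDenied="BUILTIN\Administrators"
; Administrative role separation: local administrator of this RODC only
DelegatedAdmin="CORP\Branch Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Password=* makes dcpromo prompt for the promoting account's password
UserDomain=corp.contoso.com
UserName=CORP\Administrator
Password=*
SafeModeAdminPassword=$dsrm
; Reboot by hand after the answer file has been removed
RebootOnCompletion=No
"@

Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    # dcpromo is a GUI-style executable, so wait for it explicitly.
    $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:$answerFile" -Wait -PassThru
} finally {
    # Remove the file so the DSRM password does not stay on disk.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
"dcpromo exit code $($proc.ExitCode); review %SystemRoot%\debug\dcpromo.log, then reboot."
```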
Delegating the RODC Installation
To delegate the installation of an RODC:
• Pre-create the RODC computer account in the Domain Controllers container
• Assign a user or group permission to install the RODC
To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch.
What Are Password Replication Policies?
• The password replication policy determines how the RODC performs credential caching for authenticated users.
• By default, the RODC does not cache any user credentials or computer credentials.
Options for configuring password replication policies:
• No credentials cached
• Enable credential caching on an RODC for specified accounts
• Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs
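An added example (not from the course slides) that audits the password replication policy of one RODC: what it is allowed to cache, what it has actually cached, and whether any privileged account is among the cached secrets. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) and uses RODC01 as a placeholder name.

```powershell
# Added example, not from the course slides: audit the Password Replication
# Policy (PRP) of one RODC. Assumptions: ActiveDirectory PowerShell module
# (Windows Server 2008 R2 or later, or RSAT); RODC01 is a placeholder name.
Import-Module ActiveDirectory
$rodc = 'RODC01'

# Policy: who MAY be cached (Allowed list) and who must NEVER be (Denied list).
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

# Reality: whose secrets the RODC currently holds (revealed), and who has
# authenticated through it (candidates to review for the Allowed list).
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

# Privileged principals whose secrets sit on a branch-office RODC are the
# finding: a stolen RODC would carry them. Resolve nested membership so that
# indirect members are caught too.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privilegedDns = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique

$exposed = @($revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName })

"RODC $rodc"
"  Allowed entries            : $($allowed.Count)"
"  Denied entries             : $($denied.Count)"
"  Accounts revealed (cached) : $($revealed.Count)"
"  Accounts authenticated here: $($authenticated.Count)"

if ($exposed.Count -gt 0) {
    Write-Warning "Privileged accounts cached on ${rodc}:"
    $exposed | Select-Object -ExpandProperty DistinguishedName
    # Remediation: put the group on the Denied list (Denied wins over Allowed),
    # then reset the passwords of the exposed accounts, for example:
    # Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins'
}
```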
Lesson 3: Configuring AD DS Domain Controller Roles
• What Are Global Catalog Servers?
• Modifying the Global Catalog
• Demonstration: Configuring Global Catalog Servers
• What Are Operations Master Roles?
• Demonstration: Managing Operation Master Roles
• How Windows Time Service Works

What Are Global Catalog Servers?
[Figure: several domains in a forest; a query is sent to the global catalog server, which returns the result]
Modifying the Global Catalog
[Figure: attributes replicated to the global catalog server before and after creating additional attributes]
Common attributes: firstName, lastName, email address, accountExpires, distinguishedName
Changed attributes: department, firstName, lastName, email address, accountExpires, distinguishedName
Add only the additional attributes that you query or refer to frequently.
What Are Operations Master Roles?
Role | Description
Schema Master | One per forest. Performs all updates to the Active Directory schema.
Domain Naming Master | One per forest. Manages adding and removing all domains and directory partitions.
RID Master | One per domain. Allocates blocks of RIDs to each domain controller in the domain.
PDC Emulator | One per domain. Minimizes replication latency for password changes. Synchronizes time on all domain controllers in the domain.
Infrastructure Master | One per domain. Updates object references in its domain that point to the object in another domain.
How Windows Time Service Works
[Figure: time synchronization hierarchy: PDC Emulator, then domain controllers, then client computers]
• The Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.
• In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers.
Time synchronization is important because:
• Kerberos authentication includes a time stamp
• Replication between domain controllers is time stamped
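An added example (not from the course slides) that serves the two slides above: it locates the five operations master role holders and then checks that time flows from the forest root PDC Emulator. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT) on a domain-joined computer; w32tm.exe is built in.

```powershell
# Added example, not from the course slides: find the five operations master
# role holders and check that time flows from the PDC Emulator as the slides
# describe. Assumptions: ActiveDirectory PowerShell module (Windows Server
# 2008 R2 or later, or RSAT) on a domain-joined computer; w32tm.exe is built in.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles: one holder per forest.
"Schema Master        : $($forest.SchemaMaster)"
"Domain Naming Master : $($forest.DomainNamingMaster)"
# Domain-wide roles: one holder per domain.
"PDC Emulator         : $($domain.PDCEmulator)"
"RID Master           : $($domain.RIDMaster)"
"Infrastructure Master: $($domain.InfrastructureMaster)"

# Time hierarchy: the forest root PDC Emulator is the authoritative source;
# DCs in other domains sync from it, and members sync from their own DCs.
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

# If this reports "Local CMOS Clock", the whole forest is following an
# unsynchronized clock: configure an external NTP source on the root PDC.
"`nTime source of the root PDC Emulator ($rootPdc):"
& w32tm.exe /query /computer:$rootPdc /source

"`nTime source of this computer:"
& w32tm.exe /query /source

# Offset between this computer and the root PDC Emulator. Kerberos rejects
# tickets outside the allowed skew (5 minutes by default), so a large offset
# shows up as authentication failures, not merely as a wrong clock.
"`nOffset versus $rootPdc (seconds):"
& w32tm.exe /stripchart /computer:$rootPdc /samples:3 /dataonly
```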


Beta Feedback Tool
• Beta feedback tool helps:
 Collect student roster information, module feedback, and course evaluations.
 Identify and sort the changes that students request, thereby facilitating a quick team triage.
 Save data to a database in SQL Server that you can later query.
• Walkthrough of the tool
Beta Feedback
• Overall flow of module:
 Which topics did you think flowed smoothly, from topic to
topic?
 Was something taught out of order?
• Pacing:
 Were you able to keep up? Are there any places where the
pace felt too slow?
 Were you able to process what the instructor said before
moving on to next topic?
 Did you have ample time to reflect on what you learned? Did
you have time to formulate and ask questions?
• Learner activities:
 Which demos helped you learn the most? Why do you think
that is?
 Did the lab help you synthesize the content in the module?
Did it help you to understand how you can use this
knowledge in your work environment?
 Were there any discussion questions or reflection questions
that really made you think? Were there questions you
thought weren’t helpful?
