70-640 Windows Server 2008 Active Directory, - PowerPoint PPT Presentation

1
MCTS Guide to ConfiguringMicrosoft Windows
Server 2008 Active Directory
Chapter 10 Configuring and Maintaining the
Active Directory Infrastructure
2
Objectives
  • Describe and configure Active Directory
    functional levels
  • Add and remove domains from a forest
  • Configure Active Directory trusts
  • Configure intrasite replication
  • Work with sites
  • Manage operations master roles

http//www.examcollectionvce.com/vce-70-640.html
MCTS Windows Server 2008 Active Directory
3
Examining Active Directory Functional Levels
  • Functional levels let administrators keep backward compatibility with
    older domain controllers while new Active Directory features are added
  • Set the functional level to the highest version that every domain
    controller in the domain (or forest) supports
  • Member servers and workstations are independent of functional levels;
    only the operating systems of the domain controllers matter

4
Forest Functional Levels
  • The forest functional level determines the features of Active Directory
    that have forest-wide implications
  • A Windows Server 2008 domain controller supports the following forest
    functional levels:
      • Windows 2000: lacks forest trusts and domain rename
      • Windows Server 2003: all the features of Windows 2000 plus forest
        trusts, Knowledge Consistency Checker (KCC) improvements,
        linked-value replication, domain rename, and read-only domain
        controller deployment
      • Windows Server 2008: all the features of Windows Server 2003 and no
        additional forest-wide features, but every domain added to the forest
        operates at the Windows Server 2008 domain functional level by default

5
Domain Functional Levels
  • A domain can't run at a lower functional level than its forest; put the
    other way round, the forest level is bounded by the lowest domain level
    in the forest
  • Like forest functional levels, domain functional levels can be raised
    but not lowered
  • Features by level:
      • Windows 2000 native: universal groups, group nesting, group
        conversion, security identifier (SID) history
      • Windows Server 2003: all Windows 2000 native features plus domain
        controller renaming, lastLogonTimestamp replication, selective
        authentication, redirection of the default Users and Computers
        containers
      • Windows Server 2008: all Windows Server 2003 features plus
        Distributed File System (DFS) replication of SYSVOL, fine-grained
        password policies, last interactive logon information, and Advanced
        Encryption Standard (AES) support for Kerberos

6
Raising the Domain Functional Level
  • All domain controllers in the domain must run a Windows version that
    supports the desired functional level
  • The level is raised in Active Directory Domains and Trusts
  • The operation is performed once, against a single domain controller
    (the PDC emulator); the new level then replicates to every other DC in
    the domain automatically
  • Once the functional level is raised it cannot be reversed, so confirm
    the domain controller inventory first

7
Raising the Domain Functional Level (cont.)
8
Raising the Forest Functional Level
  • You must be a member of Enterprise Admins, or of Domain Admins in the
    forest root domain, to raise the forest functional level
  • If raising both domain and forest functional levels, raise every
    domain's level first
  • Each domain functional level must be equal to or greater than the forest
    functional level
  • Once the forest functional level is raised, it cannot be lowered

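The pre-raise check the two previous slides call for, written as an added PowerShell example (it is not part of the textbook). It reads the current domain and forest functional levels and lists every domain controller's operating system so you can see what would block raising to Windows Server 2008. It uses ADSI only, so it runs from any domain-joined Windows machine without the ActiveDirectory module; the domain name and DC names come from whatever forest you run it in.

```powershell
# Added example (not from the textbook): inventory the current functional levels
# and every DC's operating system before raising a level. Uses ADSI only, so it
# runs from any domain-joined Windows machine without the ActiveDirectory module.

# msDS-Behavior-Version values documented by Microsoft (later OS versions continue the sequence).
$levelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
    7 = 'Windows Server 2016'
}

function Get-BehaviorVersion {
    param([string]$DistinguishedName)
    $obj = [adsi]"LDAP://$DistinguishedName"
    [int]$obj.Properties['msDS-Behavior-Version'].Value
}

$rootDse  = [adsi]'LDAP://RootDSE'
$domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value

# The domain level is stored on the domain naming context head, the forest level
# on CN=Partitions in the configuration partition; ntMixedDomain=1 means Windows 2000 mixed mode.
$domainLevel = Get-BehaviorVersion $domainNc
$forestLevel = Get-BehaviorVersion "CN=Partitions,$configNc"
$mixedMode   = [int]([adsi]"LDAP://$domainNc").Properties['ntMixedDomain'].Value

"Domain functional level: $domainLevel ($($levelNames[$domainLevel]))$(if ($mixedMode -eq 1) { ' [mixed mode]' })"
"Forest functional level: $forestLevel ($($levelNames[$forestLevel]))"

# A level can only be raised if every DC runs an OS that supports it.
# userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks domain controller accounts.
$searcher = [adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.SearchRoot = [adsi]"LDAP://$domainNc"
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'operatingSystemVersion'))

$dcs = foreach ($r in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name      = [string]$r.Properties['name'][0]
        OS        = [string]$r.Properties['operatingsystem'][0]
        OSVersion = [string]$r.Properties['operatingsystemversion'][0]   # e.g. "5.2 (3790)" or "6.0 (6002)"
    }
}
$dcs | Format-Table Name, OS, OSVersion -AutoSize

# Windows Server 2008 and later report NT 6.x (or 10.x); any DC still on 5.x blocks the 2008 level.
$blockers = @($dcs | Where-Object { $_.OSVersion -notmatch '^6\.|^10\.' })
if ($blockers.Count -gt 0) {
    Write-Warning ('Cannot raise to Windows Server 2008: ' + (($blockers | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it on a workstation or DC in the target domain; the warning names the DCs that must be upgraded or demoted first. Because the raise is irreversible, this inventory is worth keeping with the change record.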
9
Raising the Forest Functional Level (cont.)
10
Preparing a Forest and Domain for Windows Server
2008 with Adprep
  • The Adprep command-line program prepares an existing forest or domain
    for the addition of a Windows Server 2008 domain controller
  • To prepare the forest, run adprep /forestprep on the Windows Server 2003
    or Windows 2000 domain controller that holds the schema master role,
    then let the schema changes replicate
  • Then run adprep /domainprep on the infrastructure master of each domain
    where you plan to add a Windows Server 2008 DC. Domains created under
    Windows 2000 also require adprep /domainprep /gpprep

11
Preparing for a Read Only Domain Controller
  • Before you can install an RODC in an existing domain that isn't yet
    running only Windows Server 2008 DCs, follow these steps:
      • Verify the forest functional level is Windows Server 2003 or higher
      • Prepare the forest with adprep /forestprep and then adprep
        /rodcprep, which updates permissions on the application directory
        partitions so that RODCs are allowed to replicate them
      • Install at least one writeable DC running Windows Server 2008 in
        the domain
      • Install the RODC on either a full Windows Server 2008 installation
        or a Server Core installation

12
Removing a Domain Controller
  • Be aware of some potential issues:
      • If the DC performs any operations master roles, you must first
        transfer each role to another DC
      • If the DC is a global catalog server, make sure at least one other
        DC is a global catalog server
      • If it's the only DC in the domain, demoting it also removes the
        domain
  • Dcpromo is used to remove Active Directory Domain Services from the
    server
  • If the server wasn't the last DC, it remains a member server in the
    domain

13
Removing a Domain
  • Two ways to remove a domain:
      • Dcpromo
      • Ntdsutil
  • If the last DC crashed or was taken offline without using dcpromo to
    demote it to a regular server, you must use Ntdsutil to remove the
    domain's leftover metadata
  • This process is called removing an orphaned domain
  • The metadata cleanup removes the selected domain's data (its domain
    controller objects and its cross-reference) from the rest of the forest

14
Using the Active Directory Migration Tool
  • The Active Directory Migration Tool (ADMT) allows moving objects and
    restructuring Active Directory without users losing access to network
    resources, and supports three main types of migration:
      • Intraforest migration
      • Interforest migration
      • Migration of an NT 4.0 domain to an Active Directory domain
  • Before attempting migration, you should review the Active Directory
    Migration Guide
  • Terms used for migration planning and implementation:
      • SID History
      • Security Translation
      • Password Export Server (PES)

15
Configuring Active Directory Trusts
  • Recall that all domains in a forest trust one another automatically
    through two-way transitive trusts, which you can't remove
  • Types of trusts you can configure:
      • Shortcut trust
      • Forest trust
      • External trust
      • Realm trust
  • DNS must be configured so that FQDNs of DCs in all participating
    domains can be resolved from both sides of the trust

16
Configuring Shortcut Trusts
  • A shortcut trust is a one-way or two-way transitive trust between two
    domains in the same forest
  • It gives Kerberos a direct referral path instead of walking up and down
    the forest tree, reducing authentication delays between the two domains
  • Shortcut trusts exist only within a forest; domains in different forests
    are linked by a forest trust or an external trust instead
  • Forest trusts and external trusts might require additional DNS
    configuration, such as conditional forwarders for the other side's zones

17
Configuring Forest Trusts
  • DNS must be configured correctly in both forest root domains so that
    each can resolve the other
  • You must initiate the forest trust in Active Directory Domains and
    Trusts from the forest root domain
  • When creating a forest trust, you must specify the authentication scope
    to use:
      • Forest-wide authentication: every user in the trusted forest can
        authenticate to every domain in the trusting forest and is treated
        there as a member of Authenticated Users
      • Selective authentication: users from the trusted forest can
        authenticate only to the computers in the trusting forest on which
        they have been granted the Allowed to Authenticate permission;
        prefer it unless both forests are under the same administrative
        control

18
Configuring External and Realm Trusts
  • An external trust is created between individual domains in different
    forests, or between a domain in a Windows Server 2003/2008 forest and a
    Windows 2000 forest or Windows NT 4.0 domain
  • An external trust is not transitive; the wizard steps for creating one
    are nearly identical to those for a forest trust
  • A realm trust links a domain to a non-Windows Kerberos realm; the main
    consideration when creating one is whether or not it should be
    transitive

19
Configuring Trust Properties
  • The Properties dialog box of a forest trust contains three tabs:
      • The General tab provides these options:
          • The other domain supports Kerberos AES encryption
          • Direction of trust
          • Transitivity of trust
          • Validate
          • Save As
      • The Name Suffix Routing tab allows you to control which name
        suffixes used by the trusted forest are routed for authentication
      • The Authentication tab has the same options as the Outgoing Trust
        Authentication Level window

20
SID Filtering
  • The sIDHistory attribute can be used for nefarious purposes: an attacker
    who controls a trusted domain can plant a privileged SID from the
    trusting forest (for example its Domain Admins SID) in an account's SID
    history and gain administrative privileges across the trust
  • To counter this risk, Windows provides a feature called SID filtering
  • SID filtering causes the trusting domain to discard any SIDs in an
    incoming authorization token that don't belong to the trusted domain
    (for a forest trust, to the trusted forest)
  • SID filtering is enabled by default on external trusts (quarantine) and
    on forest trusts created on Windows Server 2003 or later DCs; netdom
    trust can relax it (/quarantine:no or /enablesidhistory:yes) for ADMT
    migrations that depend on SID history, and it should be re-enabled as
    soon as the migration is finished

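The trust properties and SID filtering slides above describe what a trust's direction, transitivity and filtering state are; the added PowerShell example below (not from the textbook) reads them back from the trustedDomain objects in CN=System so you can audit every trust of the current domain at once. It uses ADSI only. The flag names and values are the TRUST_ATTRIBUTE_* constants Microsoft documents for the trustAttributes attribute; the interpretation of TREAT_AS_EXTERNAL as "SID filtering weakened" follows what netdom trust /enablesidhistory:yes sets.

```powershell
# Added example (not from the textbook): list the trusts of the current domain and
# decode trustAttributes so direction, transitivity and the real SID filtering
# state are visible. ADSI only. Flag values are the TRUST_ATTRIBUTE_* constants
# documented for the trustAttributes attribute.

$TRUST_ATTRIBUTE = @{
    NON_TRANSITIVE      = 0x1
    UPLEVEL_ONLY        = 0x2
    QUARANTINED_DOMAIN  = 0x4    # SID filtering on an external trust (netdom trust /quarantine:yes)
    FOREST_TRANSITIVE   = 0x8    # forest trust
    CROSS_ORGANIZATION  = 0x10   # selective authentication
    WITHIN_FOREST       = 0x20   # parent/child, tree-root or shortcut trust
    TREAT_AS_EXTERNAL   = 0x40   # forest trust relaxed to external-trust filtering (netdom trust /enablesidhistory:yes)
    USES_RC4_ENCRYPTION = 0x80   # realm trust using RC4 instead of DES/AES
}
$TRUST_DIRECTION = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TRUST_TYPE      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm' }

function Get-SidFilteringState {
    param([int]$Attributes)
    if ($Attributes -band $TRUST_ATTRIBUTE.WITHIN_FOREST) { return 'n/a (intra-forest)' }
    if ($Attributes -band $TRUST_ATTRIBUTE.FOREST_TRANSITIVE) {
        # A forest trust filters SIDs from outside the trusted forest by default;
        # TREAT_AS_EXTERNAL lets SID history through and is what ADMT migrations turn on.
        if ($Attributes -band $TRUST_ATTRIBUTE.TREAT_AS_EXTERNAL) { return 'WEAKENED (SID history allowed)' }
        return 'Enabled (forest)'
    }
    # External and realm trusts filter only while the quarantine bit is set.
    if ($Attributes -band $TRUST_ATTRIBUTE.QUARANTINED_DOMAIN) { return 'Enabled (quarantined)' }
    return 'DISABLED'
}

$domainNc = [string]([adsi]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
$searcher = [adsisearcher]'(objectClass=trustedDomain)'
$searcher.SearchRoot = [adsi]"LDAP://CN=System,$domainNc"
$searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

$trusts = foreach ($r in $searcher.FindAll()) {
    $attr  = [int]$r.Properties['trustattributes'][0]
    $flags = $TRUST_ATTRIBUTE.Keys | Where-Object { $attr -band $TRUST_ATTRIBUTE[$_] } | Sort-Object
    New-Object PSObject -Property @{
        Partner      = [string]$r.Properties['trustpartner'][0]
        Direction    = $TRUST_DIRECTION[[int]$r.Properties['trustdirection'][0]]
        Type         = $TRUST_TYPE[[int]$r.Properties['trusttype'][0]]
        Transitive   = -not [bool]($attr -band $TRUST_ATTRIBUTE.NON_TRANSITIVE)
        SidFiltering = Get-SidFilteringState $attr
        Flags        = $flags -join ','
    }
}
$trusts | Format-Table Partner, Direction, Type, Transitive, SidFiltering, Flags -AutoSize

# Anything below is an open path for injected SIDs and deserves a ticket.
$trusts | Where-Object { $_.SidFiltering -match 'DISABLED|WEAKENED' } |
    ForEach-Object { Write-Warning "SID filtering is not fully enforced on the trust with $($_.Partner)" }
```

A trust that shows WEAKENED or DISABLED after a migration has finished is the condition the SID filtering slide warns about; netdom trust <trusting> /domain:<trusted> /quarantine:yes (external) or /enablesidhistory:no (forest) restores the default.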
21
Configuring Intrasite Replication
  • Intrasite and intersite replication use the same
    basic processes to replicate Active Directory
    data
  • Intersite replication is optimized to take slower
    WAN links into account
  • Intrasite replication can be initiated in one of
    two ways
  • Notification
  • Periodic replication
  • Intrasite replication involves two main
    components Knowledge Consistency Checker (KCC)
    and connection objects

22
Knowledge Consistency Checker (KCC)
  • KCC is a process that runs on every DC and, for
    intrasite replication, builds a replication
    topology among DCs in a site and establishes
    replication partners
  • The KCC on each domain controller uses data
    stored in the forest-wide configuration directory
    partition to create the replication topology
  • The replication topology can be recalculated
    manually in Active Directory Sites and Services

23
Connection Objects
  • Connection objects define the connection parameters between two
    replication partners
  • Changes to intrasite connection objects are usually unnecessary, but
    they can be made in Active Directory Sites and Services
  • The General tab in the Properties dialog box is the only one of interest
    for connection objects and contains the following fields:
      • Change Schedule
      • Replicate from Server
      • Replicate from Site
      • Replicated Naming Context(s)
      • Partially Replicated Naming Context(s)

24
Creating Connection Objects
  • You can create connection objects for intrasite
    replication if you want to alter the replication
    topology manually
  • By default, the schedule for a new connection
    object is set to every 15 minutes, but this value
    can be changed
  • Changing the schedule for connection objects can
    be useful for troubleshooting replication problems

25
Checking Replication Status
  • Active Directory Sites and Services can be used to force the KCC to
    check the replication topology
  • Repadmin.exe shows detailed information about connections and
    replication status
  • To use it, type repadmin /showrepl on a DC; repadmin /showrepl * /csv
    reports every DC in the forest in CSV form
  • Repadmin can also show the partitions being replicated by each
    connection object, force replication to occur, force the KCC to
    recalculate the topology, and perform other actions

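The slide above names repadmin /showrepl as the status tool; the added PowerShell example below (not from the textbook) turns its /csv output into objects and flags partner links that are failing or have not replicated within a threshold. The CSV in the block is a constructed sample in repadmin's column layout (DC1 in site HQ, pulling cleanly from DC2 and failing against DC3 in site Branch with status 8524, the DNS lookup failure code), so the logic runs offline; set $useLive to $true on a real DC to query the forest instead. Site, server and domain names are placeholders.

```powershell
# Added example (not from the textbook): parse "repadmin /showrepl * /csv" into
# objects and flag partner links that are failing or stale. The CSV below is a
# constructed sample in repadmin's column layout (DC1 pulling from DC2 healthily and
# from DC3 with DNS failures, status 8524); set $useLive = $true on a DC to query the forest.

$useLive = $false
$fmt = 'yyyy-MM-dd HH:mm:ss'          # timestamp format repadmin writes in /csv mode
$now = Get-Date

$sampleCsv = @"
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",HQ,DC2,RPC,0,0,$($now.AddMinutes(-5).ToString($fmt)),0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",Branch,DC3,RPC,14,$($now.AddMinutes(-4).ToString($fmt)),$($now.AddDays(-3).ToString($fmt)),8524
"@

if ($useLive) {
    $csvText = (repadmin /showrepl * /csv) -join "`n"
} else {
    $csvText = $sampleCsv
}
$links = $csvText | ConvertFrom-Csv

function Test-ReplicationHealth {
    param($Links, [int]$MaxAgeHours = 24)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($l in $Links) {
        $failures = [int]$l.'Number of Failures'
        $lastOk   = $null
        if ($l.'Last Success Time' -and $l.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::ParseExact($l.'Last Success Time', $fmt, $culture)
        }
        # Order matters: an active failure outranks "never succeeded", which outranks staleness.
        if ($failures -gt 0) {
            $state = "FAILING x$failures (status $($l.'Last Failure Status'))"
        } elseif ($null -eq $lastOk) {
            $state = 'NEVER SUCCEEDED'
        } elseif (((Get-Date) - $lastOk).TotalHours -gt $MaxAgeHours) {
            $state = "STALE ($([int]((Get-Date) - $lastOk).TotalHours) h since last success)"
        } else {
            $state = 'OK'
        }
        New-Object PSObject -Property @{
            Destination = $l.'Destination DSA'
            Source      = "$($l.'Source DSA Site')\$($l.'Source DSA')"
            Partition   = $l.'Naming Context'
            Failures    = $failures
            LastSuccess = $lastOk
            State       = $state
        }
    }
}

Test-ReplicationHealth $links | Format-Table Destination, Source, Partition, Failures, State -AutoSize
```

With the sample data the DC2 link reports OK and the DC3 link reports FAILING x14 (status 8524). A link that stays STALE past the tombstone lifetime is the case in which the source DC must not simply be reconnected; it needs to be cleaned up with metadata cleanup as described on the domain removal slide.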
26
Global Catalog Replication
  • The global catalog contains a partial replica of all objects in the
    forest, maintains universal group memberships, provides cross-domain
    logon support, and is used to locate objects throughout the forest
  • Global catalog servers keep inbound connections with a DC in each domain
    the global catalog is built from
  • Connections between global catalog servers always include replication
    of the global catalog partition

27
Global Catalog Replication (cont.)
28
Special Replication Situations
  • Most Active Directory database changes follow the regular replication
    rules
  • Certain changes require special processing
  • Urgent replication events (trigger change notifications immediately,
    skipping the normal notification delay):
      • Account lockouts
      • Changes to the account lockout policy
      • Changes to the domain password policy
      • Changes to non-security-principal passwords (LSA secrets such as
        trust passwords)
      • Password change to a DC computer account
      • Changes to the RID master role holder
  • User account password changes are handled differently: they are pushed
    immediately to the PDC emulator, which other DCs consult when a logon
    fails with what may be a stale password

29
RODC Replication
  • An RODC is treated like any other domain
    controller when considering replication topology
  • Limitations to keep in mind
  • Connection between an RODC and a writeable DC is
    a one-way connection
  • Two RODCs can replicate with one another, as long
    as one has an incoming connection with a
    writeable DC
  • The domain directory partition can be replicated
    only to an RODC from a Windows Server 2008 DC.
    Windows Server 2003 DCs can replicate other
    partitions to an RODC
  • When upgrading a domain from Windows Server 2003,
    the first Windows Server 2008 DC must be writeable

30
Creating Sites
  • A site is an AD object containing domain controllers and replication
    settings and is usually associated with IP subnets and site links
  • Sites are usually geographically dispersed and connected by WAN links
  • When you create a site, you're asked to select a site link
  • DEFAULTIPSITELINK is the only choice unless you've created other site
    links

31
Creating Sites (cont.)
32
The Significance of Subnets
  • After creating a site, you must associate one or more subnets with it
  • AD uses this information in two important ways:
      • Placing new domain controllers in the appropriate site
      • Determining which site a client computer belongs to
  • If a client's IP address doesn't match a subnet in any of the defined
    sites, communication efficiency can degrade: the DC locator may return
    a DC from any site, so the client might request services from servers
    in remote sites instead of locally

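To find the clients the slide above warns about (addresses covered by no AD subnet), the added PowerShell example below (not from the textbook) matches a list of client IPs against the subnet objects and, like the DC locator, picks the most specific matching subnet. The subnet list and client addresses are constructed sample data; set $useLive to $true to read the real CN=Subnets container through ADSI. It handles IPv4 only.

```powershell
# Added example (not from the textbook): report which client addresses fall outside
# every subnet defined in Active Directory, the condition the slide warns about.
# The subnet list and client IPs are constructed; set $useLive = $true to read the
# real CN=Subnets container through ADSI instead. IPv4 only.

$useLive = $false

# Constructed sample: the cn of a subnet object is "prefix/length", siteObject is the site's DN
$subnets = @(
    @{ cn = '10.1.0.0/16';     site = 'HQ' },
    @{ cn = '10.2.10.0/24';    site = 'Branch' },
    @{ cn = '192.168.50.0/23'; site = 'Lab' }
)
$clientIps = '10.1.200.7', '10.2.10.33', '10.2.11.5', '192.168.51.200', '172.16.0.9'

if ($useLive) {
    $configNc = [string]([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $searcher = [adsisearcher]'(objectClass=subnet)'
    $searcher.SearchRoot = [adsi]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'siteObject'))
    $subnets = foreach ($r in $searcher.FindAll()) {
        @{ cn = [string]$r.Properties['cn'][0]; site = [string]$r.Properties['siteobject'][0] }
    }
}

function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network (big-endian) order
    [Array]::Reverse($bytes)                                        # BitConverter expects host (little-endian) order
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $prefix, $length = $Cidr -split '/'
    # Build the mask arithmetically: 2^32 - 2^(32-len) is exact in a double and avoids
    # PowerShell reading the literal 0xFFFFFFFF as the Int32 value -1.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$length))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $prefix) -band $mask)
}

function Resolve-ClientSite {
    param($Subnets, [string[]]$Ips)
    foreach ($ip in $Ips) {
        # Like the DC locator, prefer the most specific (longest-prefix) matching subnet.
        $match = $Subnets |
            Where-Object { $_.cn -notmatch ':' -and (Test-IpInCidr $ip $_.cn) } |
            Sort-Object { [int](($_.cn -split '/')[1]) } -Descending |
            Select-Object -First 1
        New-Object PSObject -Property @{
            ClientIp = $ip
            Subnet   = if ($match) { $match.cn }   else { '(none)' }
            Site     = if ($match) { $match.site } else { 'UNCOVERED: locator may hand out a DC from any site' }
        }
    }
}

Resolve-ClientSite $subnets $clientIps | Format-Table ClientIp, Subnet, Site -AutoSize
```

With the sample data, 10.2.11.5 and 172.16.0.9 come back UNCOVERED while 192.168.51.200 resolves to Lab through the /23. On a real network, feed the function the client ranges from DHCP scopes; a DC's own view of the same decision is available with nltest /dsgetsite on the client.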
33
Configuring Site Links
  • Any new sites you create use the default site link, DEFAULTIPSITELINK,
    for their connection with other sites
  • Additional site links let you adjust the replication schedule and cost
    according to each network link's characteristics
  • Descriptive names should be used for site links
  • A site can belong to more than one site link

34
Bridgehead Servers
  • Intersite Topology Generator is responsible for
    assigning a bridgehead server for each directory
    partition in the site
  • Bridgehead servers are responsible for all
    intersite replication
  • Bridgehead servers can be designated manually
  • Repadmin /bridgeheads command can list which DCs
    in a site are acting as bridgehead servers to
    other sites

35
Intersite Transport Protocols
  • Two transports can be used to replicate between sites:
      • IP (RPC over IP)
      • SMTP
  • IP is used by default in the DEFAULTIPSITELINK site link and is
    recommended in most cases
  • Simple Mail Transfer Protocol is used primarily for e-mail and works
    for slower, less reliable, or intermittent connections, but it can carry
    only the schema, configuration, and global catalog partitions (not the
    domain partition between DCs of the same domain) and requires a
    certification authority to sign the replication messages
  • With SMTP a DC can send multiple replication requests simultaneously
    without waiting for a reply

36
Site Link Bridges
  • By default, site link bridging is enabled, which
    makes site links transitive
  • You can change the transitive behavior of site
    links by turning off site link bridging and
    creating site link bridges manually
  • Automatic site bridging can lead to
    over-utilization of a slower WAN link
  • Other reasons to create site link bridges
    manually
  • Control traffic through firewalls
  • Accommodate partially routed network
  • Reduce confusion of the KCC

37
The Global Catalog and Universal Group Membership
Caching
  • Global catalog servers increase replication
    traffic
  • Windows Server 2008 includes universal group
    membership caching, which allows universal group
    membership information to be retrieved from a
    global catalog server in a different site, then
    cached locally on every DC in the site and
    updated every 8 hours
  • Microsoft recommends placing a global catalog
    server in the site when the number of accounts
    exceeds 500 and the number of DCs exceeds two

38
Operations Master Best Practices
  • If you build a new forest, the first DC installed
    performs all five FSMO roles
  • This is acceptable for small environments, but
    larger environments may perform better if these
    roles are transferred to separate servers
  • Common rules for operations masters
  • Unless your domain is small, transfer operations
    master roles to other DCs
  • Place the servers performing these roles where
    network availability is high
  • Designate an alternate DC for all roles

39
Domain Naming Master
  • The domain naming master is needed when a domain (or an application
    directory partition) is added to or removed from the forest
  • Attempting to add or remove a domain while the DC performing this role
    is down fails
  • When possible, the domain naming master should be a direct replication
    partner with another DC that's also a global catalog server in the same
    site

40
Schema Master
  • The schema master is needed when the Active Directory schema is changed
    (for example, by adprep /forestprep)
  • Generally, the schema master role should be moved to another server
    only when you're certain the original server will be down permanently

41
PDC Emulator
  • Processes password changes for older Windows clients (Windows 9x and
    NT) and receives immediate notification of password changes from the
    other DCs in the domain
  • Should be placed where there is a high concentration of users
  • Shouldn't be placed on a DC that is also a global catalog server

42
RID Master
  • Every security principal (user, group, or computer) gets a relative
    identifier (RID) that is combined with the domain SID to form the
    object's SID
  • The RID master hands out pools of RIDs to the domain controllers, which
    consume them as they create security principals
  • Ideally placed with the PDC emulator because the PDC emulator uses the
    RID master's services frequently

43
Infrastructure Master
  • The infrastructure master updates the references a domain holds to
    objects in other domains (for example, group memberships that point to
    users in another domain), so the role is most needed when many such
    objects have been moved or renamed
  • Shouldn't be performed by a DC that's also a global catalog server
    (unless every DC in the domain is a global catalog server), but should
    be in the same site as a global catalog server
  • If the infrastructure master fails, the role can be seized by another
    DC if necessary

44
Transferring Operations Master Roles
  • Transferring an operations master role means moving the role's function
    from one server to another while the original server is still in
    operation
  • Generally done for the following reasons:
      • The DC performing the role was the first DC in the forest and
        therefore holds all roles
      • The DC performing the role is being moved to a location that isn't
        well suited for the role
      • The current DC's performance is inadequate because of the resources
        the FSMO role requires
      • The current DC is being taken out of service temporarily or
        permanently

45
Transferring Operations Master Roles (cont.)
46
Seizing Operations Master Roles
  • An operations master role is seized when the current role holder is no
    longer online because of some type of failure
  • Seizing should never be done when the current role holder is
    accessible; transfer the role instead
  • Seizing is done with the ntdsutil command. A DC whose role has been
    seized must not be brought back online without first being demoted or
    having its metadata removed, or two DCs will claim the same role

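The operations master slides describe where the five roles live and when to transfer or seize them; the added PowerShell example below (not from the textbook) reads the current holder of each role from the fSMORoleOwner attributes and builds the ntdsutil command line for a transfer or a seizure. It uses ADSI only. DC02 is a placeholder target server, and the object DNs are derived from whatever forest the script runs in.

```powershell
# Added example (not from the textbook): show which DC holds each of the five
# operations master roles, then build the ntdsutil command line that transfers
# (holder still online) or seizes (holder permanently gone) a role. ADSI only;
# "DC02" is a placeholder target server.

$rootDse  = [adsi]'LDAP://RootDSE'
$domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value

# Each role is recorded as the fSMORoleOwner attribute of one well-known object;
# the keys are spelled the way ntdsutil's "roles" menu expects them.
$roleObjects = @{
    'PDC'                   = $domainNc
    'RID master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'infrastructure master' = "CN=Infrastructure,$domainNc"
    'naming master'         = "CN=Partitions,$configNc"
    'schema master'         = $schemaNc
}

function Get-FsmoHolder {
    param([string]$RoleObjectDn)
    # fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
    $ntdsDn = [string]([adsi]"LDAP://$RoleObjectDn").Properties['fSMORoleOwner'].Value
    if ($ntdsDn -match '\\0ADEL:') { return "ORPHANED ($ntdsDn)" }   # holder's object was deleted: seize required
    (($ntdsDn -split ',')[1]) -replace '^CN=', ''
}

$holders = @{}
foreach ($role in $roleObjects.Keys) { $holders[$role] = Get-FsmoHolder $roleObjects[$role] }
$holders.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize

function New-NtdsutilRoleCommand {
    param(
        [ValidateSet('PDC', 'RID master', 'infrastructure master', 'naming master', 'schema master')]
        [string]$Role,
        [string]$TargetDc,
        [switch]$Seize
    )
    # Transfer negotiates with the current holder; seize overwrites fSMORoleOwner without it.
    # Never seize while the holder is reachable, and never return a seized-from DC to service
    # without demoting it or cleaning its metadata, or two DCs will claim the same role.
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    # ntdsutil accepts its interactive menu commands as quoted command-line arguments.
    "ntdsutil `"roles`" `"connections`" `"connect to server $TargetDc`" `"quit`" `"$verb $Role`" `"quit`" `"quit`""
}

New-NtdsutilRoleCommand -Role 'PDC' -TargetDc 'DC02'                 # planned move, holder online
New-NtdsutilRoleCommand -Role 'RID master' -TargetDc 'DC02' -Seize   # holder dead; run with Invoke-Expression
```

The functions only print the command; run it with Invoke-Expression (or paste it into an elevated prompt on the target DC) once the holder table confirms the role really is on a dead server. ntdsutil asks for confirmation before a seizure, and netdom query fsmo gives the same holder list in one line for a quick cross-check.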
47
Chapter Summary
  • Administrators can configure functional levels on
    a new domain controller to maintain backward
    compatibility
  • Functional levels can be raised but not lowered
  • Windows Server 2008 supports three forest
    functional levels Windows 2000, Windows Server
    2003, and Windows Server 2008. Supported domain
    functional levels have nearly identical names
  • You can raise functional levels when you install
    AD, or you can raise them manually

48
Chapter Summary (cont.)
  • Before you can install a Windows Server 2008
    server as a DC in an existing Windows Server 2003
    or Windows 2000 server domain, existing domain
    controllers must be prepared
  • Before you can install RODC in an existing
    domain, the forest functional level must be at
    least Windows Server 2003 or higher
  • To remove a domain controller, you use dcpromo or
    ntdsutil
  • Use the Active Directory Migration Tool to
    migrate accounts from one domain or forest to
    another

49
Chapter Summary (cont.)
  • Before creating a trust of any type, DNS must be configured so that
    FQDNs of domain controllers in all participating domains can be
    resolved
  • Some trust properties you can configure include the trust direction and
    transitivity, name suffix routing, and authentication
  • Both intrasite and intersite replication use the same basic processes
    to replicate Active Directory data; the main goal is to balance
    replication timeliness against efficiency

50
Chapter Summary (cont.)
  • A site is an Active Directory object containing
    domain controllers and default settings for
    replication within the site and is usually
    associated with one or more IP subnets and site
    links
  • Connection objects provide the connection and
    replication parameters between two servers
  • Bridgehead servers are responsible for all
    intersite replication
  • Universal group membership caching resolves the
    potential conflict between faster logons and
    additional replication traffic
  • Deciding where to place the FSMO role holder is
    part of your overall Active Directory design
    strategy
