Module 1: Implementing Active Directory - PowerPoint PPT Presentation

About This Presentation
Title:

Module 1: Implementing Active Directory

Description:

Title: Module 4: Managing Security Author: jessieg Last modified by: dinhhanh Created Date: 12/13/2006 11:57:27 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:190
Avg rating:3.0/5.0
Slides: 33
Provided by: jessi303
Category:

less

Transcript and Presenter's Notes

Title: Module 1: Implementing Active Directory


1
  • Module 1 Implementing Active Directory Domain
    Services

2
Module Overview
  • Installing Active Directory Domain Services
  • Deploying Read-Only Domain Controllers
  • Configuring AD DS Domain Controller Roles

3
Lesson 1 Installing Active Directory Domain
Services
  • Requirements for Installing AD DS
  • What Are Domain and Forest Functional Levels?
  • AD DS Installation Process
  • Advanced Options for Installing AD DS
  • Installing AD DS from Media
  • Demonstration Verifying the AD DS installation
  • Upgrading to Windows Server 2008 AD DS
  • Installing AD DS on a Server Core Computer
  • Discussion Common Configuration for AD DS

4
Requirements for Installing AD DS
  • A computer running Windows Server 2008
  • Minimum disk space of 250 MB and a partition
    formatted with NTFS file system

Server requirements to install AD DS
Network configuration
  • TCP/IP must be configured, including DNS client
    settings
  • DNS Server that supports dynamic updates must be
    available or will be configured on the domain
    controller

Administrator permissions
  • Local Administrator permissions to install the
    first domain controller in a forest
  • Domain Administrator permissions to install
    additional domain controllers in a domain
  • Enterprise Administrator permissions to install
    additional domains in a forest

5
What Are Domain and Forest Functional Levels?
Functional levels
  • Determine the AD DS features available in a
    domain or forest
  • Restrict which Windows Server operating systems
    can be run on domain controllers in the domain
    or forest

Supported functional levels
Supported Domain Controller Operating Systems
Forests
Domain
Windows 2000 native
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows 2000
Windows Server2003
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2003
Windows Server 2008
Windows Server 2008
  • Windows Server 2008

6
AD DS Installation Process
Install the Active Directory Domain Services
role using the Server Manager
1
Run the Active Directory Domain Services
Installation Wizard
2
Choose the deployment configuration
3
Select the additional domain controller
features
4
Select the location for the database, log
files, and SYSVOl folder
5
Configure the Directory Services Restore
Mode Administrator Password
6
7
Advanced Options for Installing AD DS
To access the advanced mode installation options,
choose the Advanced Mode option in the
installation wizard or run DCPromo /adv
Use the advanced mode options to
  • Create a new domain tree
  • Use backup media as the source for AD DS
    information
  • Select the source domain controller for the
    installation
  • Modify the default domain NetBIOS name
  • Define the Password Replication Policy for an
    RODC

8
Installing AD DS from Media
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of
installation media
  • Full (or writable) domain controller
  • Full (or writable) domain controller without
    SYSVOL data
  • Read-only domain controller without SYSVOL data
  • Read-only domain controller

9
Demonstration Verifying the AD DS Installation
  • In this demonstration, you will see how to verify
    the AD DS installation

10
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory
for a Windows Server 2008 domain controller
installation
Before installing
Command
Current Version
Windows 2000 Windows 2003
  • Windows Server 2008 domain controllers

adprep /forestprep
Windows Server2000
  • Windows Server 2008 domain controllers

adprep /domainprep /gpprep
Windows Server 2003
  • Windows Server 2008 domain controllers

adprep /domainprep
Windows Server 2003
adprep /rodcprep
  • Windows Server 2008 RODCs

11
Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer,
perform an unattended installation using an
answer file
Use following syntax with the Dcpromo
command Dcpromo /answerfilename Where
filename is the name of your answer
12
Discussion Common Configuration for AD DS
  • What additional steps would you take in your
    environment after installing the first Windows
    Server 2008 domain controller?
  • How would these tasks change after you have
    deployed additional domain controllers in your
    domain?
  • Which of the recommendations listed in the Server
    Manager apply to your organization?

13
Lesson 2 Deploying Read-Only Domain Controllers
  • What Is a Read-Only Domain Controller?
  • Read-Only Domain Controller Features
  • Preparing to Install the RODC
  • Installing the RODC
  • Delegating the RODC Installation
  • What Are Password Replication Policies?
  • Demonstration Configuring Administrator Role
    Separation and Password Replication Policies

14
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the Active
Directory database, only accept replicated
changes to Active Directory, and never initiate
replication
RODC
RODCs provide
  • Additional security for branch office with
    limited physical security
  • Additional security if applications must run on
    a domain controller

RODCs
  • Cannot hold operation master roles or be
    configured as replication bridgehead servers
  • Can be deployed on servers running Windows
    Server 2008 Server core for additional security

15
Read-Only Domain Controller Features
RODCs provide
  • Unidirectional replication
  • Credential caching
  • Administrative role separation
  • Read-only DNS
  • RODC filtered attribute set

16
Preparing to Install the RODC
Before installing an RODC
  • Ensure that the domain and forest is at a
    Windows Server 2003 functional level
  • Ensure a writeable domain controller running
    Windows Server 2008 is available to replicate
    the domain partition
  • Run ADPrep /rodcprep to enable the RODC to
    replicate DNS partitions
  • Run ADPrep /domainprep in all domains if the
    RODC will be a global catalog server

17
Installing the RODC
Choose the option to install an additional
domain controller in an existing domain
1
Select the option to install an RODC in the
Active Directory Domain Services Installation
wizard
2
Choose advanced mode installation if you want
to configure the password replication policy
3
To install an RODC on a Server Core
installation, use an unattended installation
file with the ReplicaOrNewDomainReadOnlyRepli
ca value
18
Delegating the RODC Installation
To delegate the installation of a RODC
  • Pre-create the RODC computer account in the
    Domain Controllers container
  • Assign a user or group with permission to
    install the RODC

To complete a delegated RODC installation, run
DCPromo with the /UseExistingAccountAttach
switch
19
What Are Password Replication Policies?
  • The password replication policy determines how
    the RODC performs credential caching for
    authenticated user
  • By default, the RODC does not cache any user
    credentials or computer credentials

Options for configuring password replication
policies
  • No credentials cached
  • Enable credential caching on an RODC for
    specified accounts
  • Add users or groups to the Domain RODC Password
    Allowed group so credentials are cached on all
    RODCs

20
Demonstration Configuring Administrator Role
Separation and Password Replication Policies
  • In this demonstration, you will see how to
  • Configure administrator role separation
  • Configure the RODC password replication groups
  • Track which users log on to a RODC
  • Configure password replication policies for those
    accounts

21
Lesson 3 Configuring AD DS Domain Controller
Roles
  • What Are Global Catalog Servers?
  • Modifying the Global Catalog
  • Demonstration Configuring Global Catalog Servers
  • What Are Operations Master Roles?
  • Demonstration Managing Operation Master Roles
  • How Windows Time Service Works

22
What Are Global Catalog Servers?
23
Modifying the Global Catalog
Common Attributes
Changed Attributes
firstName lastName email address accountExpires d
istinguishedName
department firstName lastName email
address accountExpires distinguishedName
Create additionalattributes
Global Catalog Server
Add only the additional attributes that you query
or refer to frequently
24
Demonstration Configuring Global Catalog Servers
  • In this demonstration, you will see how to
  • Configure global catalog servers using Active
    Directory Sites and Services
  • Configure a domain controller on Server Core as a
    global catalog server
  • Add attributes to the global catalog server

25
What Are Operations Master Roles?
Role Description
Schema Master One per forest Performs all updates to the Active Directory schema
Domain Naming Master One per forest Manages adding and removing all domains and directory partitions
RID Master One per domain Allocates blocks of RIDs to each domain controller in the domain
PDC Emulator One per domain Minimizes replication latency for password changes Synchronizes time on all domain controllers in the domain
Infrastructure Master One per domain Updates object references in its domain that point to the object in another domain
26
Demonstration Managing Operations Master Roles
  • In this demonstration, you will see how to
  • Determine which server holds an operations master
    role
  • Move an operations master role
  • Seize an operations master role

27
How Windows Time Service Works
Windows Time service (W32Time) provides
network clock synchronization for domain
controllers and client computers
In a Windows Server 2008 forest, the PDC
Emulator is used to provide the authoritative
time for all other computers
Time synchronization is important because
  • Kerberos authentication includes a time stamp
  • Replication between domain controllers is time
    stamped

28
Lab Implementing Read-Only Domain Controllers
  • Exercise 1 Evaluating Forest and Server
    Readiness for Installing an RODC
  • Exercise 2 Installing and Configuring an RODC
  • Exercise 3 Configuring AD DS Domain Controller
    Roles

Logon information
Virtual machine 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
User name Administrator
Password Paw0rd
Estimated time 75 minutes
29
Lab Review
  • Why did Axels account not have permission to
    create any objects in AD DS?
  • What were the two connection objects that were
    created from NYC-DC1 to TOR-DC1? Why was no
    connection object created from TOR-DC1 to
    NYC-DC1?
  • Could you have assigned the Domain Naming Master
    role to TOR-DC1?
  • What would happen when you add a new attribute to
    the global catalog?

30
Module Review and Takeaways
  • Review questions
  • Key points

31
Beta Feedback Tool
  • Beta feedback tool helps
  • Collect student roster information, module
    feedback, and course evaluations.
  • Identify and sort the changes that students
    request, thereby facilitating a quick team
    triage.
  • Save data to a database in SQL Server that you
    can later query.
  • Walkthrough of the tool

32
Beta Feedback
  • Overall flow of module
  • Which topics did you think flowed smoothly, from
    topic to topic?
  • Was something taught out of order?
  • Pacing
  • Were you able to keep up? Are there any places
    where the pace felt too slow?
  • Were you able to process what the instructor said
    before moving on to next topic?
  • Did you have ample time to reflect on what you
    learned? Did you have time to formulate and ask
    questions?
  • Learner activities
  • Which demos helped you learn the most? Why do you
    think that is?
  • Did the lab help you synthesize the content in
    the module? Did it help you to understand how you
    can use this knowledge in your work environment?
  • Were there any discussion questions or reflection
    questions that really made you think? Were there
    questions you thought werent helpful?
Write a Comment
User Comments (0)
About PowerShow.com