IMPLEMENTING ACTIVE DIRECTORY

1
IMPLEMENTING ACTIVE DIRECTORY

• Chapter 2

2
REQUIREMENTS FOR ACTIVE DIRECTORY

• Microsoft Windows Server 2003 (Standard,
  Enterprise, Datacenter)
• Cannot use Web Edition for Active Directory
• Access as a local administrator
• NT file system (NTFS) partition for Sysvol
• 200 MB minimum free space
• Transmission Control Protocol/Internet Protocol
  (TCP/IP)
• Domain Name System (DNS) to host service location
  (SRV) resource records

3
ACTIVE DIRECTORY INSTALLATION PROCESS

• Complete pre-installation tasks
• Plan and test before you install in a production
  environment

4
ACTIVE DIRECTORY INSTALLATION

• Dcpromo or Manage Your Server
• If already a domain controller, Dcpromo allows
  you to remove Active Directory
• Operating system compatibility issues
• Microsoft Windows 95
• Microsoft Windows NT 4, Service Pack 3

5
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Domain Controller type
• Domain controller for a new domain
• Replica domain controller
• Install in a new or existing forest?
• Install in a new or existing domain tree?
• Use the appropriate names
• Domain Name System (DNS)
• Fully Qualified Domain Name (FQDN)
• NetBIOS

6
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Database and Log Folders
• Shared System Volume (Sysvol)
• systemroot\NTDS
• NTFS required

7
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
8
DNS REGISTRATION AND DIAGNOSTICS

• If DNS is not detected, you can choose to
  automatically install and configure. Otherwise,
  you must manually install and configure.
• SRV resource records required
• Dynamic updates highly recommended
• Incremental zone transfers recommended

9
PERMISSIONS

• PreWindows 2000
• Windows Server 2003

10
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Directory Services Restore Mode Administrator
  password
• Password used to enter Directory Services Restore
  Mode
• Required for Active Directory maintenance
• Completing the Active Directory installation
• Confirm your configuration
• Restart your new domain controller

11
VERIFY AND FINALIZE DNS

• Application Directory partition creation
• DomainDNSZones
• ForestDNSZones
• Automatically created when Active Directory
  Integrated DNS is used
• Can be managed only by Enterprise Admins
• Aging and scavenging options
• Forward lookup zones and SRV resource records

12
DNS UPDATES AND RECORD STORAGE

• Dynamic updates
• Secure only
• Nonsecure and secure
• None
• Store the zone in Active Directory, named Active
  Directoryintegrated
• Reverse lookup zones

13
REPLICA DOMAIN CONTROLLER

• Provides load balancing and fault tolerance
• If one domain controller fails, there is another
  holding the Active Directory records
• Clients can use either domain controller for
  authentication
• DNS fault tolerance
• If Active Directoryintegrated, the records are
  automatically copied to other domain controllers
• If not Active Directoryintegrated, you can use a
  secondary zone for fault tolerance of records

14
REPLICA DOMAIN CONTROLLER

• DNS load balancing
• Install DNS service on additional server
• Configure client computer to use the new server
  as their Preferred DNS server

15
SCHEMA MODIFICATION

• Some applications modify the schema
• Examples include e-mail programs, backup
  programs, and directory integration software
• Must be a member of Schema Admins to install
  these applications or to manually modify the
  schema
• Schema changes trigger replication to all domain
  controllers in the forest
• Default system classes cannot be modified
• Class and attribute changes cannot be removed,
  but can be deactivated

16
RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS

• Once complete, cannot be undone without a
  reinstall
• Each domain functional level can be raised
  independently of other domains
• Forest functional levels can be raised only when
  all domains are at Windows 2000 native or higher
• Domain Admins membership required to raise domain
  functional level
• Enterprise Admins membership required to raise
  forest functional level

17
ESTABLISHING AND MAINTAINING TRUSTS

• Shortcut trust
• Used to improve resource access
• Reduces the length of the trust path
• Transitive
• Cross-forest trust
• Initially one-way can create two one-way trusts
  to provide access in either direction
• Available only to Windows Server 2003 forests
• Transitive

18
ESTABLISHING AND MAINTAINING TRUST

• External
• Can be used for Windows NT Server 4.0 and
  Windows 2000 domain trusts
• Not transitive
• Realm
• Used between third-party Kerberos implementations
• Not transitive

19
MANAGING TRUSTS

• Verifying trusts
• Active Directory Domains And Trusts
• netdom trust domain1 /dcontoso /verify
• Revoking trust relationships
• Active Directory Domains And Trusts
• netdom trust domain1 /dcontoso /remove

20
USER PRINCIPAL NAMES

• Allows users to log on without specifying a
  domain separately
• Can be the users e-mail address
• By default, the User Principal Name (UPN) suffix
  is the same as the forest root domain name
• Can add UPN suffix in Active Directory Domains
  And Trusts
• Can modify UPN on a per-user basis

21
SUMMARY

• Active Directory requires DNS and SRV resource
  record support
• Verifying Active Directory installation
• Active Directory partitions
• Schema modification and replication
• Forest and domain functional levels
• Trust types Shortcut, cross-forest, external,
  realm