
Module 1: Implementing Active Directory ® Domain Services


avak

Presentation Transcript


  1. Module 1: Implementing Active Directory® Domain Services

  2. Module Overview • Installing Active Directory Domain Services • Deploying Read-Only Domain Controllers • Configuring AD DS Domain Controller Roles

  3. Lesson 1: Installing Active Directory Domain Services • Requirements for Installing AD DS • What Are Domain and Forest Functional Levels? • AD DS Installation Process • Advanced Options for Installing AD DS • Installing AD DS from Media • Demonstration: Verifying the AD DS installation • Upgrading to Windows Server 2008 AD DS • Installing AD DS on a Server Core Computer • Discussion: Common Configuration for AD DS

  4. Requirements for Installing AD DS Server requirements to install AD DS: • A computer running Windows Server 2008 • Minimum disk space of 250 MB and a partition formatted with the NTFS file system Network configuration: • TCP/IP must be configured, including DNS client settings • A DNS server that supports dynamic updates must be available or will be configured on the domain controller Administrator permissions: • Local Administrator permissions to install the first domain controller in a forest • Domain Administrator permissions to install additional domain controllers in a domain • Enterprise Administrator permissions to install additional domains in a forest

  5. What Are Domain and Forest Functional Levels? Functional levels: • Determine the AD DS features available in a domain or forest • Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest Supported functional levels (domain functional level / forest functional level: supported domain controller operating systems): • Windows 2000 native / Windows 2000: Windows Server 2008, Windows Server 2003, Windows 2000 • Windows Server 2003 / Windows Server 2003: Windows Server 2008, Windows Server 2003 • Windows Server 2008 / Windows Server 2008: Windows Server 2008

  6. AD DS Installation Process (1) Install the Active Directory Domain Services role using Server Manager (2) Run the Active Directory Domain Services Installation Wizard (3) Choose the deployment configuration (4) Select the additional domain controller features (5) Select the location for the database, log files, and SYSVOL folder (6) Configure the Directory Services Restore Mode Administrator Password

  7. Advanced Options for Installing AD DS To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv Use the advanced mode options to: • Create a new domain tree • Use backup media as the source for AD DS information • Select the source domain controller for the installation • Modify the default domain NetBIOS name • Define the Password Replication Policy for an RODC

  8. Installing AD DS from Media Use Ntdsutil.exe to create the installation media Ntdsutil.exe can create the following types of installation media: • Full (or writable) domain controller • Full (or writable) domain controller without SYSVOL data • Read-only domain controller without SYSVOL data • Read-only domain controller

  9. Demonstration: Verifying the AD DS Installation In this demonstration, you will see how to verify the AD DS installation

  10. Upgrading to Windows Server 2008 AD DS To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation (command: current version, run before installing): • adprep /forestprep: Windows 2000 or Windows 2003, before installing Windows Server 2008 domain controllers • adprep /domainprep /gpprep: Windows Server 2000, before installing Windows Server 2008 domain controllers • adprep /domainprep: Windows Server 2003, before installing Windows Server 2008 domain controllers • adprep /rodcprep: Windows Server 2003, before installing Windows Server 2008 RODCs

  11. Installing AD DS on a Server Core Computer To install AD DS on a Server Core computer, perform an unattended installation using an answer file. Use the following syntax with the Dcpromo command: Dcpromo /answer[:filename] Where filename is the name of your answer

  12. Discussion: Common Configuration for AD DS • What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller? • How would these tasks change after you have deployed additional domain controllers in your domain? • Which of the recommendations listed in the Server Manager apply to your organization?

  13. Lesson 2: Deploying Read-Only Domain Controllers • What Is a Read-Only Domain Controller? • Read-Only Domain Controller Features • Preparing to Install the RODC • Installing the RODC • Delegating the RODC Installation • What Are Password Replication Policies? • Demonstration: Configuring Administrator Role Separation and Password Replication Policies

  14. What Is a Read-Only Domain Controller? RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never initiate replication. RODCs provide: • Additional security for branch offices with limited physical security • Additional security if applications must run on a domain controller RODCs: • Cannot hold operations master roles or be configured as replication bridgehead servers • Can be deployed on servers running Windows Server 2008 Server Core for additional security

  15. Read-Only Domain Controller Features RODCs provide: • Unidirectional replication • Credential caching • Administrative role separation • Read-only DNS • RODC filtered attribute set

  16. Preparing to Install the RODC Before installing an RODC: • Ensure that the domain and forest are at a Windows Server 2003 functional level • Ensure a writable domain controller running Windows Server 2008 is available to replicate the domain partition • Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions • Run ADPrep /domainprep in all domains if the RODC will be a global catalog server

  17. Installing the RODC (1) Choose the option to install an additional domain controller in an existing domain (2) Select the option to install an RODC in the Active Directory Domain Services Installation Wizard (3) Choose advanced mode installation if you want to configure the password replication policy. To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value

  18. Delegating the RODC Installation To delegate the installation of a RODC: • Pre-create the RODC computer account in the Domain Controllers container • Assign a user or group with permission to install the RODC To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch

  19. What Are Password Replication Policies? • The password replication policy determines how the RODC performs credential caching for authenticated users • By default, the RODC does not cache any user credentials or computer credentials Options for configuring password replication policies: • No credentials cached • Enable credential caching on an RODC for specified accounts • Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs

  20. Demonstration: Configuring Administrator Role Separation and Password Replication Policies In this demonstration, you will see how to: • Configure administrator role separation • Configure the RODC password replication groups • Track which users log on to a RODC • Configure password replication policies for those accounts

  21. Lesson 3: Configuring AD DS Domain Controller Roles • What Are Global Catalog Servers? • Modifying the Global Catalog • Demonstration: Configuring Global Catalog Servers • What Are Operations Master Roles? • Demonstration: Managing Operation Master Roles • How Windows Time Service Works

  22. What Are Global Catalog Servers? [Figure: domains, global catalog, query, result, global catalog server]

  23. Modifying the Global Catalog [Figure: Common Attributes and Changed Attributes panels listing firstName, lastName, email address, accountExpires, distinguishedName, and department; label: Create additional attributes; Global Catalog Server] Add only the additional attributes that you query or refer to frequently

  24. Demonstration: Configuring Global Catalog Servers In this demonstration, you will see how to: • Configure global catalog servers using Active Directory Sites and Services • Configure a domain controller on Server Core as a global catalog server • Add attributes to the global catalog server

  25. What Are Operations Master Roles?

  26. Demonstration: Managing Operations Master Roles In this demonstration, you will see how to: • Determine which server holds an operations master role • Move an operations master role • Seize an operations master role

  27. How Windows Time Service Works [Figure: PDC Emulator, domain controllers, client computers] Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers. In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers. Time synchronization is important because: • Kerberos authentication includes a time stamp • Replication between domain controllers is time stamped

  28. Lab: Implementing Read-Only Domain Controllers • Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC • Exercise 2: Installing and Configuring an RODC • Exercise 3: Configuring AD DS Domain Controller Roles Logon information Estimated time: 75 minutes

  29. Lab Review • Why did Axel’s account not have permission to create any objects in AD DS? • What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1? • Could you have assigned the Domain Naming Master role to TOR-DC1? • What would happen when you add a new attribute to the global catalog?

  30. Module Review and Takeaways • Review questions • Key points

  31. Beta Feedback Tool • Beta feedback tool helps: • Collect student roster information, module feedback, and course evaluations. • Identify and sort the changes that students request, thereby facilitating a quick team triage. • Save data to a database in SQL Server that you can later query. • Walkthrough of the tool

  32. Beta Feedback • Overall flow of module: • Which topics did you think flowed smoothly, from topic to topic? • Was something taught out of order? • Pacing: • Were you able to keep up? Are there any places where the pace felt too slow? • Were you able to process what the instructor said before moving on to next topic? • Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions? • Learner activities: • Which demos helped you learn the most? Why do you think that is? • Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? • Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?
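
For the unattended RODC installation on Server Core described in slides 11 and 17, an answer file could look like the following. This is an added example, not part of the original course material. The domain, site, account, and group names are constructed placeholders, and every key other than ReplicaOrNewDomain is a Dcpromo unattend parameter that the slides themselves do not list.

```ini
; Added example: Dcpromo answer file for an RODC on Server Core.
; Run with the syntax from slide 11:  Dcpromo /answer:C:\rodc-answer.txt
; All names below (corp.example.com, Branch-Site, group names) are constructed.

[DCInstall]
; Value given on slide 17: install this server as a read-only replica.
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-Site

; Optional domain controller features (step 4 of the installation process).
InstallDNS=Yes
ConfirmGc=Yes

; Credentials used to join the domain as a domain controller.
; Password=* prompts at run time, so the credential is not stored in the file.
UserDomain=corp.example.com
UserName=rodc-installer
Password=*

; Password replication policy (slide 19). Cache credentials only for the
; branch accounts that need them and explicitly deny privileged groups.
PasswordReplicationAllowed="CORP\Branch-Site RODC Allowed"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"

; Administrator role separation (slide 15): local administration of the
; RODC without any domain-wide administrative rights.
DelegatedAdmin="CORP\Branch-Site RODC Admins"

; Database, log file, and SYSVOL locations (step 5).
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"

; Directory Services Restore Mode password (step 6). Placeholder only:
; restrict access to this file and delete it once promotion completes.
SafeModeAdminPassword=<DSRM-password-placeholder>

RebootOnCompletion=Yes
```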
