CN1276 Server

Presentation Transcript

  1. CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

  2. Agenda
  • Chapter 2: Implementing Active Directory
  • Quiz
  • Exercise

  3. Server Manager
  • Two ways to add or remove roles and manage the server:
    • Initial Configuration Tasks (ICT): Oobe.exe
    • Server Manager
  • See figure 2-1 on Page 22

  4. Designing an AD Implementation
  • Dcpromo, the AD installation wizard, provides:
    • Adding a domain controller to an existing environment
    • Creating an entirely new forest structure
    • Adding a child domain to an existing domain
    • Adding a new domain tree to an existing forest
    • Demoting domain controllers and eventually removing a domain or forest

  5. Requirements
  • A server running Windows Server (Standard, Enterprise, or Datacenter) or Server Core
  • Local Administrator account
  • NTFS for SYSVOL
    • SYSVOL is used to store GPOs, logon scripts, etc.
  • TCP/IP
  • An authoritative DNS server

  6. Preparation List
  • Local administrator password
  • Domain controller type
    • New tree in a forest? A root? A leaf?
  • Domain name
  • Location for the AD database file and log file
  • DNS information
  • Directory Services Restore Mode (DSRM) password

  7. Install a New AD Forest
  • The forest root CANNOT be moved
  • The first DC will hold all Flexible Single Master Operation (FSMO) roles
    • To manage all the servers so that they function together
  • Fully qualified domain name (FQDN)
  • Domain NetBIOS name: 15 characters MAX, for backward compatibility

  8. DC Options
  • DNS Server
  • Global Catalog
    • Grayed out for the first domain, because a GC is required
  • Read-Only Domain Controller (RODC)

  9. Post-Installation Tasks
  • Verify that the following are functioning:
    • Application directory partition creation
      • Enterprise Admins group membership is required
      • Controls how and where (the SCOPE of) data is replicated
      • DomainDnsZones
      • ForestDnsZones
    • Aging and scavenging for zones
      • When and how often to update DNS records

  10. Post-Installation Tasks (Cont.)
  • Verify that the following are functioning:
    • Forward lookup zones and SRV records
      • For computer hostname-to-IP address mappings
      • _msdcs.yourdomainname.com shows the specific services provided and the servers to which these services are mapped
    • Reverse lookup zones
      • For computer IP address-to-hostname mappings

  11. Post-Installation Tasks (Cont.)
  • SRV records
    • Protocol: TCP or UDP
    • Domain name
    • Time-to-live
    • Priority: used for load balancing
    • Weight: if two servers have the same priority value, the weight is considered
    • Port
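The post-installation checks on slides 9 to 11 can be scripted instead of clicked through. The following PowerShell is an added example, not part of the course or the textbook; it assumes the DnsServer and DnsClient modules on the new domain controller and uses the constructed domain name corp.example.com. The Select-SrvTarget function at the end implements the priority-then-weight selection that slide 11 describes, so you can see which DC a client would actually pick from the records it finds.

```powershell
# Added example (not from the slides): post-installation DNS checks for a new DC.
# Assumes the DnsServer and DnsClient modules; "corp.example.com" is a constructed name.
$Domain = 'corp.example.com'

# 1. AD-integrated zones and the application partition (DomainDnsZones / ForestDnsZones)
#    each one replicates into, i.e. the replication SCOPE from slide 9.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, IsReverseLookupZone

# 2. Aging and scavenging settings for the forward lookup zone.
Get-DnsServerZoneAging -Name $Domain |
    Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval

# 3. SRV records under _msdcs: which DCs advertise LDAP, with priority/weight/port.
#    Resolve-DnsName also returns the additional A records, so keep only the SRV ones.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object Name, NameTarget, Priority, Weight, Port, TTL | Format-Table -AutoSize

# 4. Selection order from slide 11: lowest priority wins; among records with that
#    priority, one is chosen at random in proportion to its weight.
function Select-SrvTarget {
    param([Parameter(Mandatory)][object[]]$Records)
    $best = $Records | Sort-Object Priority | Select-Object -First 1
    $candidates = @($Records | Where-Object { $_.Priority -eq $best.Priority })
    $total = ($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($total -eq 0) { return ($candidates | Get-Random) }   # all weights 0: pick evenly
    $pick = Get-Random -Minimum 0 -Maximum $total             # 0 .. total-1
    $running = 0
    foreach ($r in $candidates) {
        $running += $r.Weight
        if ($pick -lt $running) { return $r }
    }
}
$chosen = Select-SrvTarget -Records $srv
"A client would contact {0}:{1}" -f $chosen.NameTarget, $chosen.Port

# 5. Reverse lookup: every advertised DC should resolve forward to an address and
#    back to a name; a missing PTR record is a common post-install gap.
foreach ($r in $srv) {
    $ip  = (Resolve-DnsName -Name $r.NameTarget -Type A).IPAddress | Select-Object -First 1
    $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    if (-not $ptr) { $ptr = '<no PTR record>' }
    "{0} -> {1} -> {2}" -f $r.NameTarget, $ip, $ptr
}
```

Run it on the DC right after dcpromo finishes; every DC listed in step 3 should appear with a PTR record in step 5, and step 1 should show both DomainDnsZones and ForestDnsZones partitions in use.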

  12. Raising the Functional Levels
  • One-way operation: once raised, it CANNOT be lowered
  • The forest functional level cannot be raised until all domains in the forest have been raised to at least the corresponding domain functional level
  • Domain Admins group membership is required to raise the domain functional level
  • Enterprise Admins group membership is required to raise the forest functional level
  • Use AD Domains and Trusts
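Because the raise is irreversible, it is worth scripting the precondition checks before touching the level. This PowerShell is an added example, not from the course; it assumes the ActiveDirectory module, and the target level Windows2008Forest is an assumption chosen to match the Server 2008 era of the slides.

```powershell
# Added example (not from the slides): verify the preconditions for a forest-level raise.
# Assumes the ActiveDirectory module; the target level is an assumed value.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest {0} is currently at {1}" -f $forest.Name, $forest.ForestMode

# Every domain must already be at least the corresponding domain functional level.
$forest.Domains | ForEach-Object {
    $d = Get-ADDomain -Identity $_
    [pscustomobject]@{ Domain = $d.DNSRoot; DomainMode = $d.DomainMode }
} | Format-Table -AutoSize

# Raising the forest level needs Enterprise Admins membership (Domain Admins is only
# enough for a domain level); check the current user before attempting it.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$eaSids  = (Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive).SID |
    ForEach-Object { $_.Value }
if ($eaSids -notcontains $me.User.Value) {
    throw "$($me.Name) is not in Enterprise Admins; the forest raise would fail"
}

# Dry run first: -WhatIf reports what would change without committing the one-way step.
Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -WhatIf
# Remove -WhatIf (and confirm the prompt) only after the table above shows every
# domain at the required level. There is no Set-ADForestMode that lowers it again.
```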

  13. Server Core
  • Creates a minimal environment for running only specific services and roles
  • To install AD, you need to use dcpromo with an unattended installation file
  • See Page 40 for the txt file to create
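Slide 6's preparation list maps almost one-to-one onto the keys of a dcpromo answer file, which is what the Server Core install on slide 13 needs. The following PowerShell is an added example and is not the textbook's page-40 file: every value in it (domain name, NetBIOS name, paths) is a constructed placeholder, and the [DCInstall] keys are the documented dcpromo unattend parameters. It also checks the NTFS requirement from slide 5 and takes care not to leave the DSRM password lying around on disk.

```powershell
# Added example (not the textbook's file): generate a dcpromo answer file for a new
# forest on Server Core and run it. All values are constructed placeholders.
$answerFile = 'C:\dcpromo-unattend.txt'

# Slide 5: SYSVOL must live on NTFS. Win32_LogicalDisk works on Server 2008-era hosts.
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").FileSystem
if ($fs -ne 'NTFS') { throw "C: is $fs, but SYSVOL requires NTFS" }

# Slide 6: the DSRM password is prompted for rather than hard-coded in the script.
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$ptr    = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secure)
$dsrm   = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)

# ForestLevel/DomainLevel 3 = Windows Server 2008. RebootOnCompletion is left off so
# the answer file (which contains the DSRM password) can be deleted before rebooting.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    dcpromo "/unattend:$answerFile"
}
finally {
    # Never leave a cleartext DSRM password on the system drive.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Confirm
```

The NetBIOS name CORP stays within the 15-character limit from slide 7; the FQDN is what clients use, and the NetBIOS name exists only for backward compatibility.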

  14. Removing AD
  • Run dcpromo on a promoted DC
  • It should be run only when a complete reinstallation of Active Directory is required

  15. Read-Only Domain Controllers
  • An RODC provides the AD service in a hard-to-secure location
  • It performs inbound replication
  • To increase the security of cached passwords:
    • Denied RODC Password Replication Group
    • Allowed RODC Password Replication Group
  • Admin Role Separation
    • Allows a user to be a local administrator of an RODC in a remote location

  16. Staged Installation
  • You can prepare your RODC at the main location, then use Admin Role Separation to assign a user as local administrator to complete the configuration
  • See the steps on Pages 45 to 47
  • The first phase is done at the main branch to set up the account and domain as necessary
  • The second phase is done at the target server to promote the DC
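The first phase of the staged installation on slide 16, and the password replication policy from slide 15, can both be handled from the main site. This PowerShell is an added example, not the textbook's procedure (which uses dcpromo); it assumes the ActiveDirectory and ADDSDeployment modules, which are available on Windows Server 2012 and later, and the names RODC-BR01, the site Branch01 and the delegated user CORP\bjones are constructed.

```powershell
# Added example (not from the slides): phase 1 of a staged RODC install, followed by
# an audit of the RODC's password replication policy. Names are constructed.
Import-Module ActiveDirectory

# Phase 1 (main site): pre-create the RODC computer account and delegate the
# promotion to a non-privileged user. Admin Role Separation means that user can
# administer the RODC locally without ever being a Domain Admin.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC-BR01' `
    -DomainName 'corp.example.com' `
    -SiteName 'Branch01' `
    -DelegatedAdministratorAccountName 'CORP\bjones'

# Phase 2 runs on the branch server as CORP\bjones and attaches to this account.

# Audit the Password Replication Policy: who may and may not be cached on the RODC.
$rodc = 'RODC-BR01'
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
"Allowed: " + (($allowed | ForEach-Object Name) -join ', ')
"Denied:  " + (($denied  | ForEach-Object Name) -join ', ')

# Privileged groups must never be cacheable: an RODC in a hard-to-secure location
# may be stolen, and everything cached on it should be assumed exposed.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privileged) {
    if ($allowed.Name -contains $g) { Write-Warning "$g is in the Allowed PRP of $rodc" }
}

# Accounts whose secrets are actually present on the RODC right now; if the RODC is
# ever lost, these are the passwords to reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The default Denied RODC Password Replication Group already covers the built-in privileged groups; the warning loop catches the case where someone has since added one of them to the Allowed group.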

  17. Decommissioning an RODC
  • Delete the RODC's computer account from the Domain Controllers OU in AD Users and Computers
  • See Figure 2-26 on Page 47

  18. AD Schema
  • The schema provides the classes and attributes that let AD work with other applications
  • Each class or attribute that you add to the schema should have a valid Object Identifier (OID)
    • See www.iso.org or ANSI for OIDs
    • Example: 1.55678.5.15

  19. AD Schema (Cont.)
  • Schema extensions are replicated to all DCs
  • One-way operation: you can add, but you can't remove
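Since a schema extension cannot be removed and replicates to every DC, the check worth making before adding anything is that the new OID and LDAP display name are not already taken. The PowerShell below is an added example, not from the course; it assumes the ActiveDirectory module, reuses the slide's illustrative OID 1.55678.5.15, and the attribute name corpBadgeId is constructed.

```powershell
# Added example (not from the slides): check that a proposed schema attribute's OID and
# lDAPDisplayName are unused before an irreversible extension. Names are constructed.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext    # e.g. CN=Schema,CN=Configuration,DC=...
$newOid   = '1.55678.5.15'
$newName  = 'corpBadgeId'

function Test-SchemaIdentifierFree {
    param(
        [Parameter(Mandatory)][string]$Oid,
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][string]$SearchBase
    )
    # attributeID holds the OID of an attributeSchema object, governsID that of a classSchema.
    $byOid  = Get-ADObject -SearchBase $SearchBase -LDAPFilter "(|(attributeID=$Oid)(governsID=$Oid))"
    $byName = Get-ADObject -SearchBase $SearchBase -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    if ($byOid)  { Write-Warning "OID $Oid is already used by $($byOid.Name)" }
    if ($byName) { Write-Warning "Name $LdapDisplayName is already used by $($byName.Name)" }
    return (-not $byOid -and -not $byName)
}

if (Test-SchemaIdentifierFree -Oid $newOid -LdapDisplayName $newName -SearchBase $schemaNC) {
    'Identifiers are free. Extensions are written on the Schema Master by a Schema Admin:'
    Get-ADForest | Select-Object SchemaMaster
}
```

The OID branch you use should be one registered to your organisation (the slide points at ISO and ANSI); an OID collision with a vendor's extension is one of the few schema mistakes that cannot be undone.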

  20. AD Lightweight Directory Services
  • AD LDS provides its own schema, hence you don't have to worry about one-way schema additions

  21. Trusts
  • Shortcut trusts
  • Cross-forest trusts
    • Two-way transitive trusts between separate forests
  • External trusts
    • One-way nontransitive trust with a Windows 2000 domain or a single domain in an external organization
  • Realm trusts
    • To create a trust between AD and a UNIX MIT Kerberos realm

  22. To Manage/Verify a Trust
  • Go to Active Directory Domains and Trusts
  • Or: netdom trust trustingdomainname /d:trusteddomainname /verify

  23. To Revoke a Trust Relationship
  • Go to Active Directory Domains and Trusts
  • Right-click -> Properties -> Remove
  • Or: netdom trust trustingdomainname /d:trusteddomainname /remove
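Slides 21 to 23 cover the trust types and the netdom verify/remove commands; what they do not show is the inventory an administrator should keep of the trusts that exist and how each is configured. The PowerShell below is an added example, not from the course; it assumes the ActiveDirectory module (Get-ADTrust exists on Server 2012 and later) and wraps the slide's netdom /verify call for every trust found.

```powershell
# Added example (not from the slides): enumerate all trusts with their security-relevant
# settings, warn on weak ones, and verify each with netdom as slide 22 shows.
Import-Module ActiveDirectory
$localDomain = (Get-ADDomain).DNSRoot
$trusts = Get-ADTrust -Filter * -Properties *

$trusts | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
    SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

foreach ($t in $trusts) {
    if (-not $t.IntraForest) {
        # Trusts to another forest or organisation (slide 21's cross-forest and external
        # trusts) are where a compromise on the other side can reach into this forest.
        if (-not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
            Write-Warning "Trust $($t.Name): SID filtering is disabled; foreign SIDs in SID history would be honoured"
        }
        if (-not $t.SelectiveAuthentication) {
            Write-Warning "Trust $($t.Name): forest-wide authentication is on; consider selective authentication"
        }
    }
    # Same check as slide 22, with the local domain as the trusting side.
    netdom trust $localDomain "/d:$($t.Name)" /verify
}
```

A trust that fails /verify but still appears in the table is usually a stale one whose partner domain is gone; slide 23's /remove is the clean-up for that case, and leaving it in place keeps an authentication path open that nobody maintains.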

  24. User Principal Name (UPN)
  • The UPN is stored in the global catalog
  • Format: username@domainname
  • To change the default suffix for UPNs:
    • Open AD Domains and Trusts
    • Right-click and choose Properties

  25. Assignment
  • Fill in the blank: 1-10
  • Multiple choice: 1-10
  • Online Lab 2