Active Directory Unit 1 - Introduction - Donna Warren
UNIT 1
Introduction to Microsoft Active Directory
© 2005-2010 Donna Warren

Donna P. Warren
• Education
– AS Accounting
– BS Electrical Engineering
– MS Computer Science
• Industry Certifications
– MCSE, CCNA
– CIW Master Designer
– CTT+, MCT and CIW Instructor
• Work Experience
– Network Systems Engineer in Telecommunications
– Owner of a small IT consulting company
– 8 years a networking instructor
– Owner of a Web Design and Copywriting Company
• Email Address
– [email protected] (Please put IT 222 in the subject line)
• Class Website
– http://www.donna-warren.com/Classes/ (capital C)

Purpose of the Course
• Understand how DNS works and how it supports Active Directory
• Learn the architecture and history of Active Directory (AD)
• Install and configure an Active Directory forest with multiple domains
• Design the physical structure of Active Directory by using sites and site links
• Understand what the Global Catalog is and how it is used
• Understand the purpose of FSMO roles
• How to administer users, OUs and groups and secure authentication
• Understand what Group Policy is and how to use it in Active Directory
• How to maintain and troubleshoot Active Directory

Topics for this Unit
• How Active Directory works
• What the schema is used to do
• Logical hierarchy of Active Directory
• Sites versus domains and forests
• The role of DNS in Active Directory
• Forest and domain functional levels in Windows Server 2008
• Trust models in Active Directory
Domain Name Service

DNS Service
• Resolves FQDNs (fully qualified domain names) to IP addresses
• Static database using host names (UNIX and Internet convention)
• Names stored in a text file
• DNS can be configured to use WINS NetBIOS name resolution
• Provides reverse lookup services
• Has sophisticated caching techniques

InterNIC DNS Hierarchy
[Diagram: ROOT Name Server at the top; beneath it the generic worldwide domains (COM, EDU, NET, ORG, INT), the generic US-only domains (GOV, MIL) and the country domains (ZW, AE, US); under US, the state subdomains (AK through WY).]
Top Level Domains
• COM - identifies commercial entities (microsoft.com)
• EDU - originally all educational institutions, now only 4-year colleges and universities (rutgers.edu). Other schools and 2-year colleges register under country domains
• NET - network providers and Internet administrative computers (internic.net)

Top Level Domains
• INT - organizations established by international treaty (nato.int)
• GOV - agencies of the US federal government (nsf.gov)
• MIL - the US military (cecom.mil)
• BZ - new business domain (photos.bz)
• US - new non-government domain (kids.us)
• SR - new senior citizen domain (george.sr)

Name Server Roles
• Primary - Zone information stored in locally maintained files
• Secondary - Zone information downloaded from a master name server
• Master - Source of zone information for a secondary name server. Can be either a primary or secondary name server.
• Caching - No zone information stored, only maintains (caches) the results of queries. Default installation type

Database File Record Entries
• The first record created is the SOA (Start Of Authority) record and defines the parameters for its zone.
• You can link WINS to DNS - One WINS server must be operating in the zone of authority and WINS lookup must be enabled in the zone database

DNS Zones
• Primary Zones store the database locally and have authority for the data
• Secondary Zones get the zone information from another server.
• Forward lookup DNS zones allow a resolver (an application included in web browsers and most FTP software) to obtain an IP address when the host name is known.
• A Reverse lookup DNS zone allows a resolver to obtain a host name when an IP address is known. The PTR record can be automatically created when you enter a record into the Forward lookup zone

Zones of Authority
• Zone of Authority - Portion of name space that a particular name server is responsible for.
• Zone transfer - Process of downloading zone data from a master name server to a secondary name server.
• NOTE: a single server can be authoritative for multiple zones

Zones
• For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain.
• A zone starts as a storage database for a single DNS domain name.
• If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone.
• Once a subdomain is added, it can then either be managed and included in the original zone records, or delegated to another zone created to support the subdomain
Zone Transfers
• For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone.
• When a new DNS server is added to the network and is configured as a new secondary server for an existing zone, it performs a full initial transfer of the zone to obtain and replicate a full copy of resource records for the zone.
• Most DNS server implementations use full zone transfer for updating after changes are made to the zone.

Zone Transfers
• Windows 2000 DNS service supports incremental zone transfer, a revised DNS zone transfer process for intermediate changes.
• Incremental zone transfers provide a more efficient method of propagating zone changes and updates.
• With incremental transfer, an alternate query type (IXFR) can be used instead. This allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone maintained by another DNS server.

Zone Transfers
• If the zones are identified to be the same version -- as indicated by the serial number field in the start of authority (SOA) resource record of each zone -- no transfer is made.
• If the serial number for the zone at the source is greater than at the requesting secondary server, a transfer is made of only those changes to resource records for each incremental version of the zone.
• For an IXFR query to succeed and changes to be sent, the source DNS server for the zone must keep a history of incremental zone changes to use when answering these queries.

Zone Transfers
• A zone transfer might occur during any of the following scenarios:
– When the refresh interval expires for the zone
– When a secondary server is notified of zone changes by its master server
– When the DNS Server service is started at a secondary server for the zone
– When the DNS console is used at a secondary server for the zone to manually initiate a transfer from its master server

Zone Transfers
• Zone transfers are always initiated at the secondary server for a zone and sent to its configured master servers
• Master servers can be any other DNS server that loads the zone, either the primary server for the zone or another secondary server.
• When the master server receives the request for the zone, it can reply with either a partial or full transfer of the zone to the secondary server.
Zone Transfer to a New DNS Server
1. During new configuration, the destination server sends an initial "all zone" transfer (AXFR) request to the master DNS server configured as its source for the zone.
2. The master (source) server responds and fully transfers the zone to the secondary (destination) server.
3. The zone is delivered to the destination server requesting the transfer with its version established by use of a Serial number field in the properties for the start of authority (SOA) resource record (RR).
4. The SOA RR also contains a stated refresh interval in seconds (by default, 900 seconds or 15 minutes) to indicate when the destination server should next request to renew the zone with the source server.
5. When the refresh interval expires, an SOA query is used by the destination server to request renewal of the zone from the source server.
6. The source server answers the query for its SOA record.
7. This response contains the serial number for the zone in its current state at the source server.
8. The destination server checks the serial number of the SOA record in the response and determines how to renew the zone.
9. If the value of the serial number in the SOA response is equal to its current local serial number, it concludes that the zone is the same at both servers and a zone transfer is not needed.
10. If the value of the serial number in the SOA response is higher than its current local serial number, a transfer is needed.
11. If the destination server concludes that the zone has changed, it sends an IXFR query to the source server, containing its current local value for the serial number in the SOA record for the zone.
12. The source server responds with either an incremental or full transfer of the zone.
13. If the source server supports incremental transfer by maintaining a history of recent incremental zone changes for modified resource records, it can answer with an incremental zone transfer (IXFR) of the zone.
14. If the source server does not support incremental transfer, or does not have a history of zone changes, it can answer with a full (AXFR) transfer of the zone instead.
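The serial-number comparison and the IXFR/AXFR fallback in steps 5 through 14 above, modelled in Python as an added example. This is not code from the slides or from the Windows DNS service: ZoneCopy, decide_refresh, answer_transfer, apply_transfer, refresh and update_source are hypothetical names, and the zone contents are constructed for illustration. The one case the slides do not spell out (an SOA serial lower than the local one) is treated as "no transfer" and marked as an assumption in the code.

```python
# Added example: a model of the secondary (destination) server's refresh
# cycle from the slides. Not the Windows DNS implementation; all names here
# are hypothetical and the zone contents are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ZoneCopy:
    """One server's copy of a zone: the SOA serial plus name -> IPv4 address.

    `history` exists only on a source server that keeps incremental changes:
    a list of (old_serial, new_serial, deleted_names, added_records), oldest
    first. A source without history must answer every IXFR with a full AXFR.
    """
    serial: int
    records: dict
    history: list = field(default_factory=list)


def decide_refresh(local_serial, soa_serial):
    """Steps 8-10: compare the SOA answer with the local serial."""
    if soa_serial == local_serial:
        return "none"      # same version at both servers, no transfer
    if soa_serial > local_serial:
        return "ixfr"      # source is newer, ask for the changes
    # Assumption (not covered on the slides): a local copy that is somehow
    # ahead of its source pulls nothing.
    return "none"


def answer_transfer(source, client_serial):
    """Steps 12-14: the source answers an IXFR query.

    It can send only the changes when its history reaches back to the
    client's serial; otherwise it falls back to a full (AXFR) transfer.
    """
    usable = [h for h in source.history if h[0] >= client_serial]
    if usable and usable[0][0] == client_serial:
        return "IXFR", usable
    return "AXFR", dict(source.records)


def apply_transfer(dest, kind, payload, new_serial):
    """Install the transfer on the destination and adopt the source serial."""
    if kind == "AXFR":
        dest.records = dict(payload)
    else:
        for _old, _new, deleted, added in payload:
            for name in deleted:
                dest.records.pop(name, None)
            dest.records.update(added)
    dest.serial = new_serial


def refresh(dest, source):
    """One refresh cycle: SOA query (5-7), compare (8-10), transfer (11-14).

    Returns "none", "IXFR" or "AXFR" so callers can see what happened.
    """
    if decide_refresh(dest.serial, source.serial) == "none":
        return "none"
    kind, payload = answer_transfer(source, dest.serial)
    apply_transfer(dest, kind, payload, source.serial)
    return kind


def update_source(source, deleted=(), added=None):
    """Edit the zone at the source, bump the serial and record the change
    so later IXFR queries can be answered incrementally."""
    added = dict(added or {})
    old = source.serial
    for name in deleted:
        source.records.pop(name, None)
    source.records.update(added)
    source.serial = old + 1
    source.history.append((old, source.serial, list(deleted), added))


if __name__ == "__main__":
    # Constructed data: a primary that keeps history and an empty secondary.
    primary = ZoneCopy(serial=2010010100, records={"netadmin": "200.200.200.34"})
    secondary = ZoneCopy(serial=0, records={})
    print(refresh(secondary, primary))   # AXFR: no history reaches back to 0
    update_source(primary, added={"mail1": "200.200.200.35"})
    print(refresh(secondary, primary))   # IXFR: only the one change is sent
    print(refresh(secondary, primary))   # none: serials now match
```

The point a practitioner should take from the fallback in answer_transfer is that a secondary which has been offline longer than the source's retained history silently receives a full AXFR; that is correct behaviour, but a sudden rise in full transfers on a master is worth noticing in monitoring because it means secondaries are drifting far behind.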
Zone Transfer - Existing DNS Server
1. DNS Notify implements a push mechanism for notifying a select set of secondary servers for a zone when it is updated.
2. Notified servers can initiate a zone transfer to pull zone changes from their master servers and update their local replicas of the zone.
3. Secondary servers must have their IP address in the notify list of the source server to be notified.
4. This list is maintained in the Notify dialog box, which is accessible from the Zone Transfers tab located in zone Properties.
5. The notify list can also be used to restrict or limit zone transfers.
Default Zone Time Out Values
• Refresh interval - The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. Default = 900 seconds (15 minutes).
• Retry interval - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Default = 600 seconds (10 minutes).
• Expire interval - The time, in seconds, before a secondary server stops responding to queries after a lapsed refresh interval where the zone was not refreshed or updated. Default = 86,400 seconds (24 hours).
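How the three timers interact on a secondary, as an added example (not code from the slides or from the Windows DNS service). It uses the slide's default values and walks a simulated clock: successful SOA queries are scheduled one refresh interval apart, failures one retry interval apart, and the zone expires once the expire interval passes without a successful refresh. simulate_secondary is a hypothetical name and the outage patterns are constructed.

```python
# Added example: when does a secondary stop answering for a zone? A
# simulation of the refresh, retry and expire timers with the slide's
# defaults. Not the Windows DNS scheduler; names and outages are constructed.
REFRESH = 900        # seconds: default refresh interval from the slide
RETRY = 600          # seconds: default retry interval
EXPIRE = 86_400      # seconds: default expire interval (24 hours)


def simulate_secondary(master_reachable, horizon=2 * EXPIRE,
                       refresh=REFRESH, retry=RETRY, expire=EXPIRE):
    """Walk the secondary's clock and report when the zone expires.

    master_reachable(t) -> bool says whether the SOA query made at second t
    succeeds. Returns (expired_at, attempts): the second at which the zone
    expired (None if it never did within the horizon) and the list of
    (t, succeeded) query attempts the secondary made.
    """
    last_good = 0            # the zone was loaded at t = 0
    t = refresh              # first renewal is one refresh interval later
    attempts = []
    while t <= horizon:
        # Expire once EXPIRE seconds have passed without a good refresh;
        # from that moment the server stops answering for the zone.
        if t - last_good >= expire:
            return last_good + expire, attempts
        ok = master_reachable(t)
        attempts.append((t, ok))
        if ok:
            last_good = t
            t += refresh     # healthy: wait a full refresh interval
        else:
            t += retry       # failed: retry sooner
    return None, attempts


if __name__ == "__main__":
    # Constructed outage: the master disappears for good at t = 3000 s.
    expired, tries = simulate_secondary(lambda t: t < 3000)
    print(f"zone expired at {expired} s after {len(tries)} attempts")
```

With the defaults, a master that goes away permanently leaves its secondary authoritative for another 24 hours of stale data before the zone expires; a short outage that ends inside that window is absorbed by the retry cycle without the zone ever being dropped.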
DNS Resource Record Types
• A - address record maps host name to IP address
• AAAA - maps host name to IPv6 address
• CNAME - canonical name record establishes an alias for a host name
• MX - mail exchange record identifies a mail server for a specified domain
• NS - name server record identifies the name server for a specified DNS domain
• MH - multihomed computer

DNS Resource Record Types
• PTR - pointer record associates an IP address with a host name in a reverse lookup database
• SOA - start of authority specifies the domain for which the DNS server is responsible
• WINS - WINS record identifies the WINS server to be consulted to resolve names not recorded in DNS name space

netadmin.dns
; SOA first; the serial, refresh, retry, expire and minimum TTL fields are not shown on the slide
@ IN SOA netadmin.itt.com. dpw.itt.com.
; name servers (trailing dot makes the name absolute)
@ IN NS netadmin.itt.com.
; aliases
teacher IN CNAME netadmin
; mail server (relative name, so it refers to the mail1 host in this zone)
@ IN MX 10 mail1
mail1 IN A 200.200.200.34
; WINS record
@ IN WINS 200.200.200.34
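A small parser for a zone file in the netadmin.dns style, as an added example (not the Windows DNS file loader and not code from the slides). It strips ';' comments, splits each record into owner, class, type and rdata, and applies the structural checks the slides describe: the SOA must be the first record, the zone needs an NS record, and an MX target given as a relative name must have a record in the zone. parse_zone, check_zone, records_of_type and mail_servers are hypothetical names; ZONE_TEXT is constructed from the slide's file.

```python
# Added example: parse a netadmin.dns-style zone file and check its shape.
# Not the Windows DNS implementation; names are hypothetical and ZONE_TEXT is
# constructed from the slide's example file.
ZONE_TEXT = """\
@ IN SOA netadmin.itt.com. dpw.itt.com.
; name servers
@ IN NS netadmin.itt.com.
; aliases
teacher IN CNAME netadmin
; mail server
@ IN MX 10 mail1
mail1 IN A 200.200.200.34
; WINS record
@ IN WINS 200.200.200.34
"""


def parse_zone(text):
    """Return a list of (owner, class, type, rdata) tuples, comments removed."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' comments and blanks
        if not line:
            continue
        owner, rclass, rtype, *rdata = line.split()
        records.append((owner, rclass.upper(), rtype.upper(), " ".join(rdata)))
    return records


def check_zone(records):
    """Structural checks from the slides; returns a list of problem strings."""
    problems = []
    if not records or records[0][2] != "SOA":
        problems.append("first record is not the SOA")
    if not any(r[2] == "NS" for r in records):
        problems.append("zone has no NS record")
    owners = {r[0] for r in records}
    for _owner, _cls, rtype, rdata in records:
        if rtype == "MX":
            target = rdata.split()[1]
            # A relative MX target must be defined in this zone; an absolute
            # name (trailing dot) is resolved elsewhere and is not checked.
            if not target.endswith(".") and target not in owners:
                problems.append(f"MX target {target} has no record in the zone")
    return problems


def records_of_type(records, rtype):
    """All records of one type, e.g. records_of_type(records, 'A')."""
    return [r for r in records if r[2] == rtype.upper()]


def mail_servers(records):
    """Join each MX record to the A record of its target host, lowest
    preference first: [(preference, target, address_or_None), ...]."""
    addresses = {r[0]: r[3] for r in records if r[2] == "A"}
    out = []
    for _owner, _cls, rtype, rdata in records:
        if rtype == "MX":
            pref, target = rdata.split()
            out.append((int(pref), target, addresses.get(target)))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(check_zone(recs) or "zone file looks consistent")
    print(mail_servers(recs))
```

The MX check is the kind of thing a reviewer of a hand-edited zone file wants automated: a target that resolves nowhere means mail for the domain is silently undeliverable, and the same check catches a typo in the host part before the file is loaded.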
Types of DNS Queries
• Recursive - must respond with the requested data from its own or another DNS server's database or an error message stating the data is unavailable.
• Iterative - Give the best answer, either a resolution or a referral to another name server.
• Inverse - Reverse Lookup

DNS Query Responses
• An authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the DNS message to indicate the answer was obtained from a server with direct authority for the queried name.
• A positive answer can consist of the queried RR or a list of RRs (also known as an RRset) that fits the queried DNS domain name and record type specified in the query message.

DNS Query Responses
• A referral answer contains additional resource records not specified by name or type in the query. Used if the client does not support the recursion process.
• A negative answer results when an authoritative server reports that the queried name exists but no records of the specified type exist for that name, or that the queried name does not exist in the DNS namespace.
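The three answer kinds above and the iterative query style, shown together in an added example that walks a constructed hierarchy from the root through COM to the domain's own server. This is not a real DNS client and not code from the slides: SERVERS holds made-up name servers and documentation addresses (192.0.2.x, .test names), and in_zone, query and resolve are hypothetical names. Each server answers iteratively (its best answer: a referral, an authoritative RRset, or a negative answer), and resolve plays the recursive role by following the referrals.

```python
# Added example: iterative resolution over a constructed hierarchy, showing
# referral, authoritative and negative answers. Not a real resolver; every
# server name and address here is constructed for illustration.

# Each name server: the zone it is authoritative for, its records
# (owner name -> {type: [rdata]}) and its delegations (child zone -> the
# server the client is referred to).
SERVERS = {
    "root": {"zone": ".", "records": {},
             "delegations": {"com.": "a.gtld-servers.test."}},
    "a.gtld-servers.test.": {"zone": "com.", "records": {},
                             "delegations": {"microsoft.com.": "ns1.microsoft.test."}},
    "ns1.microsoft.test.": {"zone": "microsoft.com.",
                            "records": {"microsoft.com.": {"A": ["192.0.2.22", "192.0.2.27"]}},
                            "delegations": {}},
}


def in_zone(name, zone):
    """True when `name` lies at or below `zone` (both absolute, trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_name, qname, qtype):
    """An iterative query: the server returns its best answer without
    recursing on the client's behalf. Result is (kind, data)."""
    srv = SERVERS[server_name]
    for child, ns in srv["delegations"].items():
        if in_zone(qname, child):
            return "referral", ns             # delegated: here is the server to ask
    if not in_zone(qname, srv["zone"]):
        return "negative", "not authoritative"
    rrsets = srv["records"].get(qname)
    if rrsets is None:
        return "negative", "NXDOMAIN"         # the name does not exist
    if qtype not in rrsets:
        return "negative", "NODATA"           # name exists, no records of that type
    return "authoritative", rrsets[qtype]     # positive answer from the authority


def resolve(qname, qtype, start="root", max_hops=8):
    """The recursive side: follow referrals from the root until a server
    gives an authoritative or negative answer. Returns (kind, data, path)."""
    path, server = [start], start
    for _ in range(max_hops):
        kind, data = query(server, qname, qtype)
        if kind != "referral":
            return kind, data, path
        server = data
        path.append(server)
    return "negative", "too many referrals", path


if __name__ == "__main__":
    print(resolve("microsoft.com.", "A"))
    print(resolve("microsoft.com.", "MX"))
    print(resolve("nope.microsoft.com.", "A"))
```

The max_hops guard is the detail a resolver author must not skip: a delegation that points back at a server already visited would otherwise loop forever, and a client that only understands referrals (no recursion) is exactly the one that relies on it.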
Prioritizing Local Subnets
• By default, the DNS service uses local subnet prioritizing as the method to make the client application attempt to connect to the host using its closest (and typically fastest) IP address available for connection when a host name is mapped to more than one IP address.
• If more than one A resource record (RR) matches the queried host name, the DNS service can reorder the records by their subnet location.
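The reordering the slide describes, written out with the standard ipaddress module as an added example (not the Windows DNS implementation and not code from the slides). Addresses on the client's subnet are moved to the front and the relative order inside each group is kept; the client address, prefix length and A records are constructed, and prioritize is a hypothetical name.

```python
# Added example: local subnet prioritizing of a multi-address A RRset.
# Not the Windows DNS implementation; inputs are constructed.
import ipaddress


def prioritize(client_ip, answers, prefix_len=24):
    """Return the A-record addresses with those on the client's subnet first.

    `prefix_len` stands in for the netmask the server compares against; the
    order within the local and remote groups is preserved, so this reorders
    by subnet location rather than shuffling.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [a for a in answers if ipaddress.ip_address(a) in client_net]
    remote = [a for a in answers if ipaddress.ip_address(a) not in client_net]
    return local + remote


if __name__ == "__main__":
    # Constructed RRset for one host name with four addresses.
    rrset = ["203.0.113.10", "192.168.5.20", "10.0.0.7", "192.168.5.3"]
    print(prioritize("192.168.5.77", rrset))
```

One consequence worth knowing when troubleshooting: two clients on different subnets querying the same server for the same name can legitimately see the addresses in different orders, so a "the first address changed" report is not by itself evidence of a tampered record.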
DNS Database Files
• Boot - master configuration file used only at creation or import of BIND database files; afterward all data is stored in the registry
• cache.dns - contains the addresses for the root name servers and is used to preload resource records into the DNS server names cache
• 127.0.0.dns - reverse lookup for the loopback network
• zone_name.dns - local DNS database file, not used in Active Directory
• Root.dns - Root zone file used for an Active Directory root server

DNS Database Management
• Aging
• Scavenging
• Caching
• TTL - indicates a length of time used by other DNS servers to determine how long to cache information for a record before expiring and discarding it. Default = 1 hour
• ipconfig /flushdns

Nslookup Utility
• A command line utility that allows troubleshooting for DNS servers
• Syntax
C:\> nslookup microsoft.com
Server: ns02.plnfld01.nj.comcast.net
Address: 68.39.224.6
Non-authoritative answer:
Name: microsoft.com
Addresses: 207.46.249.22 207.46.249.27 207.46.249.190 207.46.134.155 207.46.134.190 207.46.134.222

Active Directory

Directory Service
• A network service that identifies all resources on a network and makes those resources accessible to users and applications
• The most common directory service standards are
– X.500 - Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive
– Lightweight Directory Access Protocol (LDAP) - Industry standard. Version of X.500 modified to run over the TCP/IP network

Active Directory
• A directory service that uses the "tree" concept for managing resources on a Windows network
• Stores information about the network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies
• Identifies all resources on a network and makes them accessible to users and applications

Active Directory
• Used in Windows 2000, 2003 and 2008
• Windows Server 2008 provides two ADs
– Active Directory Domain Services (AD DS) - Provides the full-fledged directory service
– Active Directory Lightweight Directory Services (AD LDS) - Provides a lightweight, flexible directory platform that can be used by Active Directory developers without a lot of overhead

Domain Controller (DC)
• Server that stores the Active Directory database and authenticates users with the network during logon.
• Stores database information in a file called ntds.dit.
• Active Directory is a multimaster database.
– Information is automatically replicated between multiple domain controllers.

Active Directory Benefits
• Centralized resource and security administration
• Single logon for access to global resources
• Fault tolerance and redundancy
• Simplified resource location

Active Directory Benefits
• Provides a single point from which administrators can manage network resources and security objects
• MMC consoles found in Administrative Tools
– Active Directory Users and Computers
– Active Directory Sites and Services
– Active Directory Domains and Trusts
– ADSI Edit

Fault Tolerance and Redundancy
• Active Directory uses a multimaster domain controller design
• Changes made on one domain controller are replicated to all other domain controllers in the environment
• It is recommended to have two or more domain controllers for each domain

Read-Only Domain Controller (RODC)
• Introduced with Windows Server 2008
• A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers within Active Directory

Simplified Resource Location
• Allows file and print resources to be published within Active Directory
• Examples include:
– Shared folders
– Printers

Active Directory Components
• Forests - One or more domain trees, with each tree having its own unique name space
• Domain trees - One or more security boundaries with contiguous name space
• Domains - A logical unit of computers and network resources that defines a security boundary

Active Directory Components
• Some of these common attributes are as follows
– Unique name
– Globally unique identifier (GUID)
– Required object attributes
– Optional object attributes

Schema
• Database design, structure and relationship definitions
• Defines the objects stored within Active Directory and the properties (attributes) associated with each object
• The nature and function of an object determine what are reasonable properties

Active Directory Naming Standard
• Example:
– cn=JSmith, ou=sales, dc=itt_bensalem, dc=com
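Taking the slide's distinguished name apart, as an added example (not an LDAP library and not code from the slides). parse_dn splits the DN into its relative distinguished names, honouring the backslash-escaped commas that LDAP allows inside values; domain_of reads the dc components back into the DNS-style domain name; container_of gives the parent container, which is what an access review usually needs to know about an object. The function names are hypothetical and the DN is the slide's example.

```python
# Added example: parse an LDAP distinguished name such as the slide's
# "cn=JSmith, ou=sales, dc=itt_bensalem, dc=com". Not an LDAP library; the
# names below are hypothetical and the inputs are the slide's example plus
# one constructed DN with an escaped comma.


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], most specific RDN first.

    Commas separate RDNs; a backslash-escaped comma is part of the value.
    Attribute names are lowercased (they are case-insensitive in LDAP).
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out


def domain_of(dn):
    """The DNS name of the domain holding the object: the dc components joined."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")


def container_of(dn):
    """The parent container's DN: everything after the leading RDN, with
    commas inside values re-escaped so the result is itself a valid DN."""
    parts = parse_dn(dn)[1:]
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in parts)


if __name__ == "__main__":
    dn = "cn=JSmith, ou=sales, dc=itt_bensalem, dc=com"
    print(parse_dn(dn))
    print(domain_of(dn), "|", container_of(dn))
```

Splitting on commas without handling the escape is the classic mistake here: an object whose cn is "Smith, John" would appear to live in a container called "John", and any rule keyed on the container would be applied to the wrong place.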
Domain Name System (DNS)
• Normally provides name resolution for a TCP/IP network
• Active Directory requires DNS as the default name resolution method
• Example Resource Records (RR)
– Host (A) - Host name to IP
– Pointer (PTR) - IP to Host name
– Service (SRV) - Locator service for LDAP/Domain controller services.

Functional Levels
• Allows interoperability with prior versions of Microsoft Windows
• Higher functional levels will not allow older versions of Windows to function but will add additional functionality or features
• Raising the functional level is a one-way process

Domain Functional Levels
[Figure: slide content not captured in the transcript]

Forest Functional Levels
[Figure: slide content not captured in the transcript]

Using Forest Functional Levels
• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group
• The functional level of a forest can be raised only on a server that holds the Schema Master role

Trust Relationships
• Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks
• A trust relationship allows administrators from a particular domain to grant access to their domain's resources to users in other domains

Trust Relationships
• When a child domain is created, it automatically receives a two-way transitive trust with its parent domain
• Trusts are transitive:
– If domain A trusts domain B
– And domain B trusts domain C
– Then domain A trusts domain C
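The transitive rule on the slide, turned into a reachability computation as an added example (not Windows trust evaluation and not code from the slides). Trusts are modelled as one-way edges (trusting domain, trusted domain), a parent/child pair contributes one edge in each direction, and trusting_closure answers the question an access review actually asks: given the trusts in place, which domains' users can ultimately be granted access in mine? Non-transitive external trusts and selective authentication are deliberately left out; trusting_closure, trust_path and parent_child_trust are hypothetical names and the domain names are constructed.

```python
# Added example: which domains end up trusting which once trusts are chained.
# Not Windows trust evaluation (no non-transitive or selective trusts);
# names are hypothetical and the domain names are constructed.
from collections import deque


def parent_child_trust(parent, child):
    """A new child domain gets a two-way transitive trust with its parent:
    two one-way edges, (trusting, trusted)."""
    return [(parent, child), (child, parent)]


def _edges(trusts):
    direct = {}
    for trusting, trusted in trusts:
        direct.setdefault(trusting, set()).add(trusted)
        direct.setdefault(trusted, set())
    return direct


def trusting_closure(trusts):
    """Map each domain to the set of domains it trusts, directly or through
    a chain (A trusts B, B trusts C, so A trusts C). A domain is not listed
    as trusting itself."""
    direct = _edges(trusts)
    closure = {}
    for start in direct:
        seen, stack = set(), list(direct[start])
        while stack:
            d = stack.pop()
            if d == start or d in seen:
                continue
            seen.add(d)
            stack.extend(direct[d])
        closure[start] = seen
    return closure


def trust_path(trusts, trusting, trusted):
    """The chain of domains through which `trusting` comes to trust
    `trusted` (shortest first), or None if no chain exists."""
    direct = _edges(trusts)
    queue, seen = deque([[trusting]]), {trusting}
    while queue:
        path = queue.popleft()
        if path[-1] == trusted:
            return path
        for nxt in sorted(direct.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    # Constructed forest: itt.com with two child domains.
    forest = (parent_child_trust("itt.com", "sales.itt.com")
              + parent_child_trust("itt.com", "hr.itt.com"))
    print(trusting_closure(forest))
    print(trust_path(forest, "sales.itt.com", "hr.itt.com"))
```

The closure makes visible what the slide's three-line rule implies for a forest: every domain ends up trusting every other domain through the tree root, so the decision to grant a group in one child domain access to resources in another is already possible the moment the child is created, with no additional trust to audit.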
AACCTTIIVVEEDDIIRR
Installing Active DirectoryRREECCCCTTOO
DPW© 2005-2010
DPWDPW© Donna Warren © Donna Warren
RRYY
AACC Server ManagerTTII
Server Manager
• Located in Administrative Tools.VVEE
Located in Administrative Tools.– Can also be accessed by right‐clicking My Computer and selecting Manage
DDIIRR
• Allows you to– Add roles such as DNS server or Active
RREECC
Directory Domain Services role– Perform system diagnostics
CCTTOO
– Configure system services– Drill down into specific administrative tools
DPW© 2005‐2010
DPWDPW© Donna Warren © Donna Warren
RRYY
AACC Server ManagerTTII
Server Manager
VVEE
DDIIRRRREECCCCTTOO
DPW© 2005‐2010
DPWDPW© Donna Warren © Donna Warren
RRYY
AACC Requirements for Active DirectoryTTII
Requirements for Active Directory
• A server running VVEE
– Windows Server 2008 Standard Edition– Windows Server 2008 Enterprise Edition
DDIIRR
– Windows Server 2008 Datacenter Edition (Full version or Server Core)
• An administrator account and password onRREECC
• An administrator account and password on the local machine
CCTTOO
DPW© 2005‐2010
DPWDPW© Donna Warren © Donna Warren
RRYY
AACC Requirements for Active DirectoryTTII
Requirements for Active Directory• An NT file system (NTFS) partition for the SYSVOL
VVEE
y ( ) pfolder structure– 200 MB minimum free space on the previously mentioned NTFS partition for Active Directory
DDIIRR
mentioned NTFS partition for Active Directory database files
– 50 MB minimum free space for the transaction log filesRR
EECC
files– Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured
• An authoritative DNS server for the DNS domainCCTTOO
• An authoritative DNS server for the DNS domain that supports service resource (SRV) records. – to support incremental zone transfers and dynamic
d
DPW© 2005‐2010
DPWDPW© Donna Warren © Donna Warren
RRYY
updates
Installing Active Directory
• To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager

Installing Active Directory
[screenshot]

Installing Active Directory
• The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios
– Adding a domain controller to an existing environment.
– Creating an entirely new forest structure.
– Adding a child domain to an existing domain.
– Adding a new domain tree to an existing forest.
– Demoting domain controllers and eventually removing a domain or forest.
Choosing the Deployment Configuration
[screenshot]

Movie Demo
• Windows Server 2008 How To Install Active Directory _ DNS .mp4
Post-Installation Tasks
• Upon completion of the Active Directory installation, you should verify a number of items
– Application directory partition creation
– Aging and scavenging for zones
– Forward lookup zones and SRV records
– Reverse lookup zones

Application Partitions
[screenshot]
Aging and Scavenging of DNS Records
• Aging and scavenging are processes that can be used to clean up the DNS database after DNS records become invalid or out of date
• Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues

Aging and Scavenging of DNS Records
[screenshot]
Required DNS Records
• Make sure Forward Lookup zone is created
• Make sure Host (A) record is created for your server
• Make sure DNS domains are created
– _msdcs
– _sites
– _tcp
– _udp
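The post-installation checks listed above (application partitions, forward zone, aging/scavenging, the Host (A) record, SRV records under _msdcs/_sites/_tcp/_udp, reverse zones) can be scripted; this is an added example, not part of the slides, and it assumes it runs on a domain controller with the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later).

```powershell
# Added example (not from the slides): script the post-installation DNS checks.
# Assumes a domain controller with the ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot
$site   = (Get-ADDomainController).Site
$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Application directory partitions (DomainDnsZones / ForestDnsZones expected)
$parts = (Get-ADForest).ApplicationPartitions
Add-Check 'Application partitions' ($parts.Count -ge 2) ($parts -join '; ')

# Forward lookup zone for the domain, and whether aging is enabled on it
$zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
Add-Check 'Forward lookup zone' ($null -ne $zone) $domain
if ($zone) {
    $aging = Get-DnsServerZoneAging -Name $domain
    Add-Check 'Aging/scavenging' $aging.AgingEnabled "AgingEnabled=$($aging.AgingEnabled)"
}

# Host (A) record for this server
$a = Resolve-DnsName -Name "$env:COMPUTERNAME.$domain" -Type A -ErrorAction SilentlyContinue
Add-Check 'Host (A) record' ($null -ne $a) "$env:COMPUTERNAME.$domain"

# SRV records that must exist under the _msdcs, _sites, _tcp and _udp subdomains
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.$domain",
    "_kerberos._tcp.$domain",
    "_kerberos._udp.$domain"
)
foreach ($name in $srvNames) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    Add-Check 'SRV record' ($null -ne $srv) $name
}

# At least one reverse lookup zone should exist
$reverse = @(Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone })
Add-Check 'Reverse lookup zone' ($reverse.Count -gt 0) ($reverse.ZoneName -join '; ')

$checks | Format-Table -AutoSize
```

Any row with Passed = False points at one of the items the slides say to verify before moving on.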
DNS Records
[screenshot]
Raising the Domain Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click the domain you wish to raise and select Raise Domain Functional Level

Raising the Forest Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level
Raising the Forest Functional Level
• If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed
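Because the raise cannot be undone, it is worth checking every domain's level first rather than relying on the wizard's error. The following preflight is an added example, not from the slides; it assumes the ActiveDirectory module, and Test-ForestRaise and its TargetMode parameter are names chosen for this example.

```powershell
# Added example (not from the slides): check all domains before raising the forest.
# Assumes the ActiveDirectory module; Test-ForestRaise is a helper written here.
Import-Module ActiveDirectory

function Test-ForestRaise {
    param([string]$TargetMode = 'Windows2008Domain')   # assumed parameter

    $forest = Get-ADForest
    $target = [Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetMode

    $domains = foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{
            Domain     = $name
            DomainMode = $d.DomainMode
            # ADDomainMode members are ordered oldest to newest, so an
            # integer comparison tells whether this domain meets the target
            Ready      = ([int]$d.DomainMode -ge [int]$target)
        }
    }
    $blocking = @($domains | Where-Object { -not $_.Ready })

    [pscustomobject]@{
        ForestMode = $forest.ForestMode
        Domains    = $domains
        CanRaise   = ($blocking.Count -eq 0)
        Blocking   = $blocking.Domain      # domains that still need raising
    }
}

$pre = Test-ForestRaise -TargetMode 'Windows2008Domain'
$pre.Domains | Format-Table -AutoSize

# Raising is the irreversible step: dry-run it with -WhatIf, and only when
# the preflight passes. Drop -WhatIf to actually raise the forest.
if ($pre.CanRaise) {
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -WhatIf
} else {
    "Raise blocked by: $($pre.Blocking -join ', ')"
}
```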
Removing Active Directory
• Click the Start menu, key dcpromo and then press Enter and follow the directions

Schema Management Console
• Some commercial applications such as Microsoft Exchange will modify the schema as a part of their installation process
• You can also extend the schema manually using the Active Directory Schema snap-in
• To modify the schema manually, you must be a member of the Schema Admins group
• The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master Operations role

Installing the Schema Management Snap-in
• From a command prompt, type regsvr32 schmmgmt.dll
• Close the Command Prompt window, click Start, and then select Run
• Type mmc /a in the dialog box and click OK
• Click the File menu and select Add/Remove Snap-in
• Select Schema Management
Trust Relationship
• Trust relationships exist to make resource accessibility easier between domains and forests
• Many trust relationships are established by default during the creation of the Active Directory forest structure
• Trust relationships can be created using the Active Directory Domains and Trusts from the Administrative Tools folder

Four Available Trust Relationships
• Shortcut trusts - Used to shorten the "tree-walking" process for users who require frequent access to resources elsewhere in the forest
• Cross-forest trusts - Allows you to create two-way transitive trusts between separate forests
• External trusts - Used to configure a one-way non-transitive trust
• Realm trusts - Allows you to configure trust relationships between a Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm
Revoking a Trust Using Netdom
• Open a command prompt and type the following text
Netdom trust TrustingDomainName /d:TrustedDomainName /remove
• Press Enter
• Repeat these steps for the other end of the trust relationship
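Before revoking anything, it helps to inventory the trusts that exist and map each one to the four categories on the previous slide, then verify each with netdom. This is an added example, not from the slides; it assumes the ActiveDirectory module, Get-TrustCategory is a helper written for it, and the realm check assumes the ADTrustType enum value is named MIT.

```powershell
# Added example (not from the slides): inventory trusts and label them with
# the slide's four categories. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustCategory {
    param($Trust)
    # Realm trust: the partner is a UNIX MIT Kerberos realm (assumes enum name MIT)
    if ($Trust.TrustType -eq 'MIT')  { return 'Realm (MIT Kerberos)' }
    # Inside one forest, the only manually created trust is a shortcut trust;
    # parent/child and tree-root trusts are created by default and look the same here
    if ($Trust.IntraForest)          { return 'Shortcut (or default intra-forest trust)' }
    # Transitive trust to another forest
    if ($Trust.ForestTransitive)     { return 'Cross-forest' }
    # Anything else to an outside domain is a non-transitive external trust
    return 'External (non-transitive)'
}

$local  = (Get-ADDomain).DNSRoot
$trusts = Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Partner          = $_.Name
        Direction        = $_.Direction
        ForestTransitive = $_.ForestTransitive
        IntraForest      = $_.IntraForest
        Category         = Get-TrustCategory $_
    }
}
$trusts | Format-Table -AutoSize

# Verify each trust from this side; the slide's /remove command revokes it,
# and the same command must then be repeated from the other domain.
foreach ($t in $trusts) {
    netdom trust $local "/d:$($t.Partner)" /verify
}
```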
User Principal Name (UPN)
• The name of a system user in an e-mail address format
username@domainname
• Based on Internet RFC 822

Changing the Default Suffix for UPNs
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click Active Directory Domains and Trusts and choose Properties
• Click the UPN Suffix tab, key the new suffix, and click Add
• Key more than one suffix if your forest has more than one tree and then click OK
Summary
• Active Directory requires DNS to be installed
• Verification includes verifying DNS zones and the creation of SRV records
– Additional items, such as reverse lookups, aging, and scavenging, also should be configured.
• Application directory partitions that allow replication are automatically created when Active Directory integrated zones are configured in DNS
• Raising a forest or domain functional level is a procedure that cannot be reversed

Summary
• Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts
• Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line
• You must be a member of the Enterprise Admins group to change or add UPN suffixes
• Raising a forest or domain functional level is a procedure that cannot be reversed
• System classes of the schema cannot be modified, but additional classes can be added. Schema classes and attributes can be added but not deleted; however, they can be deactivated

Unit 1 Lab
• Create the First Windows 2008 stand-alone server named Server 1
• Create the Second 2008 Server by duplication
• Perform Basic Server Configuration
• Install Active Directory on Server 1 at the Server 2003 functional level for both the forest and domain and make it a forest root server using the student's last-name.com
• Create a secondary DNS zone with another student as a partner and do a zone transfer to the partner