Microsoft ® Official Course Module 2 review slides Introduction to Active Directory Domain Services

Upload: ethan-terry

Post on 12-Jan-2016


Page 1: Microsoft ® Official Course Module 2 review slides Introduction to Active Directory Domain Services

Microsoft® Official Course

Module 2 review slides

Introduction to Active Directory Domain Services

Page 2

Module Overview

Overview of AD DS

Overview of Domain Controllers

Installing a Domain Controller

Page 3

Lesson 1: Overview of AD DS

Overview of AD DS

What Are AD DS Domains?

What Are OUs?

What Is an AD DS Forest?

What Is the AD DS Schema?

Page 4

The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. This module covers the structure of AD DS and its various components, such as forest, domain, and organizational units (OUs).

What you need to know

Page 5

Overview of AD DS

Physical components

• Data store

• Domain controllers

• Global catalog server

• RODC

Logical components

• Partitions

• Schema

• Domains

• Domain trees

• Forests

• Sites

• OUs

AD DS is composed of both physical and logical components.

Page 6

Physical component: Description

Domain controllers: Contain copies of the AD DS database.

Data store: The file on each domain controller that stores the AD DS information.

Global catalog servers: Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.

Read-only domain controllers (RODC): A special install of AD DS in a read-only form. These are often used in branch offices where security and IT support are often less advanced than in the main corporate centers.

Logical component: Description

Partition: A section of the AD DS database. Although the database is one file named NTDS.DIT, it is viewed, managed, and replicated as if it consisted of distinct sections or instances. These are called partitions, which are also referred to as naming contexts.

Schema: Defines the list of object types and attributes that all objects in AD DS can have.

Domain: A logical, administrative boundary for users and computers.

Domain tree: A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.

Forest: A collection of domains that share a common AD DS.

Site: A collection of users, groups, and computers as defined by their physical locations. Sites are useful in planning administrative tasks such as replication of changes to the AD DS database.

OU: OUs are containers in AD DS that provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).

What you need to know

Page 7

What Are AD DS Domains?

• AD DS requires one or more domain controllers

• All domain controllers hold a copy of the domain database which is continually synchronized

• The domain is the context within which user, group, and computer accounts are created

• The domain is a replication boundary

• An administrative center for configuring and managing objects

• Any domain controller can authenticate any logon in the domain

Page 8

What Are OUs?

Organizational Units

• Containers that can be used to group objects within a domain

• Create OUs to:

  • Delegate administrative permissions

  • Apply Group Policy

Containers are not OUs. Although they can hold objects, they cannot have GPOs linked to them, so it is necessary to move the objects that need to be managed into OUs. Examples are user accounts, computer accounts, and groups.
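The point above has a practical consequence: a computer that was joined to the domain and left in the default CN=Computers container is outside the scope of every OU-linked GPO. The following PowerShell is an added example for this review, not code from the course slides; it assumes the RSAT ActiveDirectory and GroupPolicy modules, the course domain adatum.com, and a hypothetical OU named Workstations with a hypothetical GPO named Workstation Baseline.

```powershell
# Added example (not from the course slides): show that default containers are not OUs,
# link a baseline GPO to a real OU, and report objects still sitting in CN=Computers.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, domain adatum.com (from the slides),
# OU "Workstations" and GPO "Workstation Baseline" (hypothetical names for this example).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain -Identity 'adatum.com').DistinguishedName
$ouName   = 'Workstations'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Workstation Baseline'

# 1. CN=Computers is objectClass 'container', not 'organizationalUnit', so it cannot be a GPO link target.
Get-ADObject -Identity "CN=Computers,$domainDN" -Properties objectClass |
    Select-Object Name, objectClass

# 2. Create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 3. Make sure the baseline GPO exists and is linked to the OU (only an OU, site or domain can be linked).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$existingLink = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Computers still in the default container receive no OU-linked policy at all.
#    Report them; remove -WhatIf from Move-ADObject to actually move them into the managed OU.
$strays = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel
foreach ($c in $strays) {
    Write-Warning "Computer outside any OU (no OU-linked GPO applies): $($c.DistinguishedName)"
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN -WhatIf
}
```

Run it from a machine with the RSAT tools as an account that can create OUs and GPOs; step 1 prints objectClass container for CN=Computers, which is why step 3 targets the OU instead.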

Page 9

What Is an AD DS Forest?

[Diagram: forest with forest root domain adatum.com, child domain atl.adatum.com, and tree root domain fabrikam.com]

A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The first domain that is created in the forest is called the forest root domain. The forest root domain contains a few objects that do not exist in other domains in the forest. For example, the forest root domain contains two special domain controller roles, the schema master and the domain naming master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group has full control over every domain within the forest.

Page 10

What Is the AD DS Schema?

The Active Directory schema acts as a blueprint for AD DS by defining the attributes and object classes such as:

• Attributes

  • objectSID

  • sAMAccountName

  • location

  • manager

  • department

• Classes

  • User

  • Group

  • Computer

  • Site

The schema defines the objects that reside in the AD DS database, and defines the mandatory and optional attributes, and the syntax and the relationships between them.

Page 11

Lesson 2: Overview of Domain Controllers

What Is a Domain Controller?

What Is the Global Catalog?

The AD DS Logon Process

Demonstration: Viewing the SRV Records in DNS

What Are Operations Masters?

Page 12

What Is a Domain Controller?

Domain Controllers

• Servers that host the Active Directory database (NTDS.DIT) and SYSVOL

• Kerberos authentication service and KDC services perform authentication

• Best practices:

  • Availability: At least two domain controllers in a domain

  • Security: RODC and BitLocker

Domain controllers—servers that perform the AD DS role—host the Active Directory database, SYSVOL, the Kerberos authentication service and other Active Directory services. For redundancy purposes, it is best to have at least two available domain controllers.

A domain controller is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the SYSVOL folder. All domain controllers except RODCs store a read/write copy of both NTDS.DIT and the SYSVOL folder.

Page 13

What Is the Global Catalog?

[Diagram: domain controllers in Domain A and Domain B, each holding its own domain partition plus the Configuration and Schema partitions; the global catalog server additionally holds a partial replica of the other domain]

Global catalog:

• Hosts a partial attribute set for other domains in the forest

• Supports queries for objects throughout the forest

Page 14

as a domain controller that replicates the partial attribute set for each domain in the forest. The domain controller does not need the partial attribute set for its own domain because it already has the full copy of the domain database, and only needs the changes made to other domains. That is why, in a single domain environment, making every domain controller a global catalog server adds no significant replication.

Question: Should a domain controller be a global catalog?

Answer: Every domain controller should be a global catalog. (In some extreme situations, there might be a reason not to do so.) However, most large, distributed organizations are doing just that, so it also makes sense for less complex, smaller organizations.

Page 15

The AD DS Logon Process

[Diagram: client workstation WKS1, member server SVR1, and domain controller DC1]

The AD DS logon process:

1. User Account is authenticated to DC1

2. DC1 returns TGT back to client

3. Client uses TGT to apply for access to WKS1

4. DC1 grants access to WKS1

5. Client uses TGT to apply for access to SVR1

6. DC1 returns access to SVR1

• In the first phase, the user account is authenticated to DC1.

• In the second phase, the user account applies to the domain controller for a ticket to gain authorization to connect with the local computer.

• A centralized directory service such as AD DS provides a single identity store, authentication service, and point of management for administration.

Page 16

Demonstration: Viewing the SRV Records in DNS

• In this demonstration, you will see how to use DNS Manager to view SRV records

I prepared this demo separately: Meer
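The demonstration views the SRV records in DNS Manager. The following PowerShell is an added example for this review, not part of the course demo; it enumerates the same domain controller locator records with Resolve-DnsName (PowerShell 3.0 on Windows Server 2012) and checks that each advertised host still answers on the Kerberos and LDAP ports, which is how you catch stale records left behind by a decommissioned domain controller. It assumes the course domain adatum.com; the Test-TcpPort helper is defined in the block.

```powershell
# Added example (not from the course slides): list the DC locator SRV records and verify
# that every host they advertise accepts connections on Kerberos (88) and LDAP (389).
# Assumption: domain adatum.com from the slides; run on any domain-joined machine.
$domain = 'adatum.com'
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",       # any domain controller
    "_kerberos._tcp.dc._msdcs.$domain",   # Kerberos KDC
    "_ldap._tcp.gc._msdcs.$domain",       # global catalog servers
    "_ldap._tcp.pdc._msdcs.$domain"       # the PDC emulator
)

# Small TCP reachability helper (hypothetical name) so the check also works on
# Windows Server 2012, which has no Test-NetConnection cmdlet.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "No SRV records found for $name; clients cannot locate this service through DNS."
        continue
    }
    foreach ($r in $records) {
        $ldapOk = Test-TcpPort -ComputerName $r.NameTarget -Port 389
        $krbOk  = Test-TcpPort -ComputerName $r.NameTarget -Port 88
        Write-Output ('{0,-38} {1,-26} prio {2} weight {3} port {4} LDAP:{5} KRB:{6}' -f $name, $r.NameTarget, $r.Priority, $r.Weight, $r.Port, $ldapOk, $krbOk)
        if (-not ($ldapOk -and $krbOk)) {
            Write-Warning "$($r.NameTarget) is advertised in $name but is not answering; check for a stale record."
        }
    }
}
```

A record whose target fails both port checks is what produces the slow logons and "domain controller could not be contacted" errors; the fix is on the DNS side (dynamic registration from the live DC, or manual removal of the stale record), not on the client.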

Page 17

What Are Operations Masters?

In any multimaster replication topology, some operations must be single master

Many terms are used for single master operations in AD DS, including the following:

• Operations master (or operations master roles)

• Single master roles

• FSMOs

Roles

• Forest:

  • Domain naming master

  • Schema master

• Domain:

  • RID master

  • Infrastructure master

  • PDC Emulator master

Page 18

Domain Flexible Single Master Operations (FSMOs) are needed on a more regular basis than those in the forest root domain, particularly the primary domain controller (PDC) emulator. The relative ID (RID) master provides a pool of RIDs to each domain controller. If this master is not available, eventually a domain controller will attempt to create an account and will be unable to do so.

If the PDC emulator master is not available or is slow to respond, you are more likely to have issues in the domain. You can find which domain controllers are the FSMO holders by typing the following at a command prompt, and then pressing Enter:

netdom query fsmo

This lists all five FSMO roles and the domain controller that holds each one.
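The following PowerShell is an added example for this review, not code from the course slides. It serves both this slide and the global catalog question on page 14: it lists the five FSMO role holders the way netdom query fsmo does, checks that each holder responds, flags domain controllers that are not global catalogs, and reads the RID pool counters so an unavailable RID master is noticed before account creation starts failing. It assumes the RSAT ActiveDirectory module and the course domain adatum.com.

```powershell
# Added example (not from the course slides): FSMO holders, their reachability, GC coverage,
# and RID pool usage for one domain. Assumption: domain adatum.com from the slides.
Import-Module ActiveDirectory

$domain = Get-ADDomain -Identity 'adatum.com'
$forest = Get-ADForest -Identity $domain.Forest

# Forest-wide roles live in the forest root domain; the other three are per domain.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    Write-Output ('{0,-22} {1,-30} reachable: {2}' -f $r.Key, $r.Value, $up)
    if (-not $up) { Write-Warning "$($r.Key) holder $($r.Value) did not respond." }
}

# Every domain controller with its site, GC and RODC status, and any roles it holds.
Get-ADDomainController -Filter * -Server $domain.PDCEmulator |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# The slide's guidance is that every DC should be a global catalog; report the exceptions.
$notGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $domain.PDCEmulator
foreach ($dc in $notGc) {
    Write-Warning "$($dc.HostName) is not a global catalog; forest-wide searches from it are referred to another DC."
}

# RID pool health. The RID master allocates pools from rIDAvailablePool on the "RID Manager$" object:
# the high 32 bits hold the pool ceiling, the low 32 bits the next RID that will be handed out.
$ridMgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool    = [int64]$ridMgr.rIDAvailablePool
$ceiling = [int64]($pool -shr 32)
$issued  = [int64]($pool -band 4294967295)
Write-Output ('RIDs issued: {0} of {1} ({2:P1} of the pool used)' -f $issued, $ceiling, ($issued / $ceiling))
```

Run it as a domain user with read access (the defaults allow it); only the RID counters need the RID master to be online, which is itself a useful signal.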

Page 19

Lesson 3: Installing a Domain Controller

Installing a Domain Controller from Server Manager

Installing a Domain Controller on a Server Core Installation of Windows Server 2012

Upgrading a Domain Controller

Installing a Domain Controller by Using Install from Media

Page 20

Installing a Domain Controller from Server Manager

Page 21

Installing a Domain Controller on a Server Core Installation of Windows Server 2012

Use the dcpromo /unattend:"D:\answerfile.txt" command to perform the unattended installation. The following is an example of text from the answer file:

[DCINSTALL]
UserName=<The administrative account in the domain of the new domain controller>
UserDomain=<The name of the domain of the new domain controller>
Password=<The password for the UserName account>
SiteName=<The name of the AD DS site in which this domain controller will reside>
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in which you want to add an additional domain controller>
DatabasePath="<The path of a folder on a local volume>"
LogPath="<The path of a folder on a local volume>"
SYSVOLPath="<The path of a folder on a local volume>"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=<The password for an offline administrator account>
RebootOnCompletion=yes

The site named in SiteName must be created in advance in the dssite.msc snap-in.

dcpromo.exe cannot be used in GUI format in Windows Server 2012, but can still be typed at a command prompt when doing an unattended install.

Page 22

To install the AD DS binaries on the server, you can use Server Manager to connect remotely to the Server Core server. You can also use the Windows PowerShell command Install-WindowsFeature -Name AD-Domain-Services to install the binaries. Once you install the AD DS binaries, you can complete the installation and configuration in one of the following four ways:

• In Server Manager, click the notification icon to complete the post-deployment configuration. This starts the configuration and setup of the domain controller.

• Run the Windows PowerShell command Install-ADDSDomainController -DomainName "Adatum.com", with other arguments as required.

• Create an answer file and run dcpromo /unattend:"D:\answerfile.txt" at a command prompt, where "D:\answerfile.txt" is the path to the answer file.

• Run dcpromo /unattend at a command prompt with the appropriate switches, for example:

dcpromo /unattend /InstallDns:yes /ConfirmGc:yes /replicaOrNewDomain:replica /replicadomaindnsname:"mynewdomain.com" /databasePath:"c:\ntds" /logPath:"c:\ntdslogs" /sysvolp
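The same promotion done entirely with the ADDSDeployment cmdlets, which is the supported route on Windows Server 2012 now that dcpromo has no GUI. This is an added example for this review, not code from the course slides. It assumes the course domain adatum.com, an existing site named London, the NTDS and SYSVOL paths shown, and a credential that is a member of Domain Admins; the DSRM password is read from the console rather than stored in the script, unlike the Password= and SafeModeAdminPassword= lines of a dcpromo answer file.

```powershell
# Added example (not from the course slides): promote a Server Core 2012 machine to an
# additional domain controller with the ADDSDeployment module, running the prerequisite
# checks first. Assumptions: domain adatum.com (from the slides), site "London",
# paths under C:\Windows, and a Domain Admins credential supplied at the prompt.
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

$cred = Get-Credential -Message 'Account that is a member of Domain Admins in adatum.com'
# Directory Services Restore Mode password: prompted, never written into a script or answer file.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'adatum.com'
    Credential                    = $cred
    SiteName                      = 'London'            # must already exist in Sites and Services
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    InstallDns                    = $true
    NoGlobalCatalog               = $false              # make it a GC, as the course recommends
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false
    Force                         = $true               # suppress the interactive confirmations
}

# Dry run: the same prerequisite checks Server Manager performs, without changing the server.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite checks failed; the server was not promoted.'
}

# Promote; the server reboots on completion because NoRebootOnCompletion is $false.
Install-ADDSDomainController @params
```

The splatted hashtable maps one to one onto the answer-file keys on the previous slide (ReplicaDomainDNSName to DomainName, SYSVOLPath to SysvolPath, ConfirmGC=yes to NoGlobalCatalog=$false), so an existing answer file can be converted line by line.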

What you need to know

Page 23

Upgrading a Domain Controller

Options to upgrade AD DS to Windows Server 2012:

• In-place upgrade (from Windows Server 2008 or Windows Server 2008 R2)

  • Benefit: Except for the prerequisite checks, all the files and programs stay in place and there is no additional work required

  • Watch for: May leave legacy files and DLLs

• Introduce a new Windows Server 2012 server into the domain and promote it to be a domain controller

  • This option is usually the preferred choice

  • Benefit: Result is a new server with no accumulated files and settings

  • Watch for: May need additional work to migrate users' file settings

Page 24

Upgrading to Windows Server 2012

To upgrade an AD DS domain that is running at an older Windows Server functional level to an AD DS domain running at Windows Server 2012 functional level, you must first upgrade all the domain controllers to the Windows Server 2012 operating system. You can achieve this by upgrading all of the existing domain controllers to Windows Server 2012, or by introducing new domain controllers that are running Windows Server 2012, and then phasing out the existing domain controllers.

To perform an in-place upgrade of a computer that has the AD DS role installed, you must first use the command-line commands Adprep.exe /forestprep and Adprep.exe /domainprep to prepare the forest and domain. An in-place operating system upgrade does not perform automatic schema and domain preparation. Adprep.exe is included on the installation media in the \Support\Adprep folder. There are no additional configuration steps after that point, and you can continue to run the Windows Server 2012 operating system upgrade.

When you promote a Windows Server 2012 server to be a domain controller in an existing domain, and if you are logged in as a member of the Schema Admins and Enterprise Admins groups, the AD DS schema will be updated automatically to Windows Server 2012. In this scenario, you do not need to run the Adprep.exe commands before starting the installation.
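Whether Adprep has already run, or whether a promotion updated the schema automatically, is visible in the objectVersion attribute of the schema partition. The following PowerShell is an added example for this review, not code from the course slides; it reads the schema version and functional levels before or after an upgrade and runs Adprep only when the schema is still older than Windows Server 2012. It assumes the RSAT ActiveDirectory module, the course domain adatum.com, and that D: is the Windows Server 2012 installation media; the version-to-release table is from Microsoft's published schema versions.

```powershell
# Added example (not from the course slides): check the forest schema version and functional
# levels, and run Adprep from the install media only if the schema still predates Server 2012.
# Assumptions: domain adatum.com (from the slides), RSAT ActiveDirectory module,
# install media mounted as D:, and an account in Schema Admins and Enterprise Admins.
Import-Module ActiveDirectory

$forest  = Get-ADForest -Identity 'adatum.com'
$rootDse = Get-ADRootDSE -Server $forest.SchemaMaster
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $forest.SchemaMaster

# Published schema objectVersion values for each Windows Server release.
$knownVersions = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
}
$ver  = [int]$schema.objectVersion
$name = if ($knownVersions.ContainsKey($ver)) { $knownVersions[$ver] } else { 'newer than this table' }
Write-Output "Schema objectVersion: $ver ($name)"
Write-Output "Forest functional level: $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    Write-Output ('Domain {0}: functional level {1}, PDC emulator {2}' -f $d, $dom.DomainMode, $dom.PDCEmulator)
}

# Set to $true to actually run Adprep; it must run on (or against) the schema master.
$runAdprep = $false
if ($ver -lt 56) {
    Write-Warning 'Schema predates Windows Server 2012: an in-place OS upgrade of a DC requires Adprep first.'
    if ($runAdprep) {
        & 'D:\Support\Adprep\adprep.exe' /forestprep   # extends the schema; follow its prompts
        & 'D:\Support\Adprep\adprep.exe' /domainprep   # prepares the domain partition
    }
} else {
    Write-Output 'Schema is at Windows Server 2012 level or later; Adprep is not required.'
}
```

Run it once before the upgrade and once after the first Windows Server 2012 domain controller is promoted; the second run should report objectVersion 56, which confirms the automatic schema update the slide describes.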

What you need to know

Page 25

Deploying Windows Server 2012 Domain Controllers

To upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012, perform the following steps:

1. Insert the installation disk for Windows Server 2012, and then run Setup.

2. After the language selection page, click Install now.

3. After the operating system selection window and the license acceptance page, in the Which type of installation do you want? window, click Upgrade: Install Windows and keep files, settings, and apps.

Note: With this type of upgrade, there is no need to preserve users' settings and reinstall applications; everything is upgraded in place. Remember to check for hardware and software compatibility before performing an upgrade.

To introduce a clean install of Windows Server 2012 as a domain controller, perform the following steps:

1. Deploy and configure a new installation of Windows Server 2012 and join it to the domain.

2. Promote the new server to be a domain controller in the domain by using Server Manager 2012 or one of the other methods described previously.

Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2 to Windows Server 2012.

What you need to know

Page 26

Installing a Domain Controller by Using Install from Media

Page 27

Lab: Installing Domain Controllers

Exercise 1: Installing a Domain Controller

Exercise 2: Installing a Domain Controller by Using IFM

Logon Information

Virtual machines: 20410-LON-DC1 (start first), 20410-LON-SVR1, 20410-LON-RTR, 20410-LON-SVR2

User name: Adatum\Administrator

Password: Pa$$w0rd

Estimated Time: 50 minutes

Ignore this lab: instructor will provide lab

Page 28

Lab Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have been asked also to create a new domain controller for a branch office by using IFM.

Page 29

Lab Review

Why did you use Server Manager and not dcpromo.exe when you promoted a server to be a domain controller?

What are the three operations masters found in each domain?

What are the two operations masters that are present in a forest?

What is the benefit of performing an Install From Media (IFM) install of a domain controller?

Page 30

Module Review and Takeaways

• Review Questions