Module 1 - Introducing Active Directory® Domain Services

07/06/13
Module 1: Introducing Active Directory Domain Services
Module1:IntroducingActiveDirectory Domain Services

Contents: Lesson1: Lesson2: Lesson3: Lab: OverviewofActiveDirectory,Identity,andAccess ActiveDirectoryComponentsandConcepts InstallActiveDirectoryDomainServices InstallanADDSDomainControllertoCreateaSingleDomain Forest
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=3&FontSize=3&FontType=segoe
1/70
07/06/13
ActiveDirectory anditsrelatedservicesformthefoundationforenterprisenetworks runningWindows astheystoreinformationonuseridentity,computers,and servicesauthenticateauseroracomputerandprovideamechanismfortheuseror thecomputertoaccessresourcesfromtheenterprise.Inthismodule,youwillexplore WindowsServer2008R2ActiveDirectorybyinstallingtheActiveDirectoryDomain ServicesroleandcreatingadomaincontrollerinanewActiveDirectoryforest.You willfindthatWindowsServer2008R2continuestheevolutionofActiveDirectoryby enhancingmanyoftheconceptsandfeatureswithwhichyouarealreadyfamiliar. ThismodulefocusesonthecreationofanewActiveDirectoryforestwithasingle domaininasingleDC.Thelabinthismodulewillguideyouthroughthecreationofa domainnamedcontoso.comthatyouwilluseforallotherlabsinthiscourse.Inlater
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=3&FontSize=3&FontType=segoe 2/70
07/06/13
modules,youwilllearntoimplementADDSinotherscenarios,includingmultidomain forests,upgradesofexistingforeststoWindowsServer2008R2,andadvanced installationoptions. Mostimportantly,thismodulesetsthestagefortheentirecoursebypresentinga bigpictureviewofActiveDirectory.Youwillreviewkeyconceptsofauthentication, authorization,anddirectoryservices,andyouwilltakeahighlevellookatthemajor componentsofActiveDirectoryandhowtheyfittogether.Whetheryouarehighly experiencedwithActiveDirectoryornewtotheplatform,thismodulewillhelpyou understandwhereyouareheadinginthiscourse.
Objectives
Aftercompletingthismodule,youwillbeableto: DescribethefunctionalityofADDSinanenterpriseinrelationtoidentityand access. DescribethemajorcomponentsandconceptsofADDS. InstallADDSandconfigureitasadomaincontroller.
Lesson 1: Overview of Active Directory, Identity, and Access

07/06/13
ADDSprovidesthefunctionalityofanidentityandaccess(IDA)solutionfor enterprisenetworks.ThelessonreviewskeyconceptsofIDAandActiveDirectory.
Objectives
Aftercompletingthislesson,youwillbeableto: Explainauthenticationandauthorizationconcepts,terminologiesprocesses,and technologies. Positionthestrategicroleofadirectoryserviceinanenterpriseinrelationto identityandaccess.
07/06/13
Information Protection
Ifyouboilitalldown,thejobofaninformationtechnologyprofessional(ITpro)is toconnectuserswiththeinformationtheyrequiretogettheirjobsdone.Thatwould beprettyeasy,ifwedidn'thavetoworryaboutalittlethingcalled"security." Becauseusersrequiredifferentlevelsofaccesstodifferentclassesofinformation,we needtoassociatethecorrectuserswiththecorrectlevelsofaccessinformation protection. Theindustrydefinesseveralapproachestoachievinginformationprotection.Eachof these"alphabetsoup"frameworksissimplyadifferentperspectiveonthesame problem:

07/06/13
IdentityandAccess(IDA).Usersandothersecurityprincipals,whichmayinclude computers,services,andgroups,arenamedasidentities(alsocalled"accounts") thataregivenaccess(permissions)toinformation,resources,orsystems. Authentication,Authorization,andAccounting(AAA).Usersprovideusernameand passwordthatareauthenticatedwhentheircredentialsarevalidated.Usersare givenpermissionstoresources(accesscontrol)thatareusedtoauthorizeaccess requests.Accessismonitored,providingaccountingandauditing.Insome documentation,auditingissplitoutasaseparate"A"fromaccounting,leadingto theacronym,"AAAA." Confidentiality,Integrity,andAvailability(CIA).Informationisprotectedtoensure thatitisnotdisclosedtounauthorizedindividuals(confidentiality),isnotmodified incorrectly(integrity)intentionallyoraccidentally,andisavailablewhenneeded (availability).
Identity and Access
6/70
07/06/13
Atthecoreofinformationprotectionaretwocriticalconcepts:identityandaccess. Let'sspendafewminutesreviewingthefundamentals,components,processes,and technologiesinvolvedwithidentityandaccessonWindowssystems.Althoughmost ofthisinformationshouldbefamiliartoyou,itisimportanttosetthestageforthe roleofActiveDirectoryandtoclarifytheterminology,components,andprocesses associatedwithIDA. Inasecuredsystem,eachuserisrepresentedbyanidentity.InWindowssystems, theidentityistheuseraccount.Theaccountsforoneormoreusersaremaintainedin anidentitystore,whichisalsoknownasadirectorydatabase.Anidentityiscalleda

07/06/13
securityprincipalinWindowssystems.Securityprincipalsareuniquelyidentifiedbyan attributecalledthesecurityidentifier(SID). Ontheotherendofthesystemistheresourcetowhichtheuserrequiresaccess.The resourceissecuredwithpermissions,andeachpermissionspecifiesapairingofa specificlevelofaccesswithanidentity.ManyWindowsresources,includingsignificant filesandfoldersonNTFSvolumes,aresecuredbyasecuritydescriptorthatcontains adiscretionaryaccesscontrollist(DACL)inwhicheachpermissiontakestheformof anaccesscontrolentry(ACE).
Authentication and Authorization
8/70
07/06/13
Thereareafewconceptsandprocessesthatyoumustunderstandaboutusersand resourceaccess.Whenausertriestoaccessaresourceonalocaloraremote system,severalproceduresareinitiated.Asdiscussedearlier,itsallaboutmappinga userSIDtotheappropriateACEonaresource. Thenextfourslideswilldetailthisprocess.
Authentication
Authenticationistheprocessofverifyingauser'sidentity.Theuserprovides credentialsthatcontainatleasttwocomponents:alogonnameandasecretknown onlytotheuserandthesystem,suchasapassword.Thesystemvalidatesthe

07/06/13
accuracyofthecredentialsagainstthosestoredaspartoftheidentity. Therearetwotypesofauthentication:localandremote.Local,orinteractive,logon occurswhenauserlogsontoacomputerdirectly,suchaswhenyoulogontoyour laptopinthemorning.Remote,ornetwork,logonoccurswhenyouconnectto anothercomputersuchasafileserver,oramailserver,togetfilesorothertypeof resources.
Access Tokens
Afteruserauthentication,theLocalSecurityAuthority(LSA)generatesasecurity accesstoken(alsocalledasecuritytokenoranaccesstoken)thatrepresentstheuser
07/06/13
tothesystembycollectingtheuser'sSIDandtheSIDsofallgroupstowhichthe userbelongs.Theaccesstokenalsorepresentsprivileges(alsocalleduserrights)held bytheuseronthesystem,suchastherighttoshutdownthesystemortologonto thesysteminteractively(locally). Itisimportanttorememberthattheaccesstokenisgeneratedandheldlocallyonthe computerthatauthenticatedtheuser.Whenauserlogsontohisorherdesktop (localorinteractivelogon),thedesktopcreatesasecuritytokenand,iftheuserhas therighttologontothesysteminteractively,proceedstoinvoketheWindows Explorerprocess,whichcreatesthedesktop. Whentheuserconnectstoaservertoaccessasharedfile(remoteornetworklogon), theserverauthenticatestheuserandgeneratesanaccesstokenontheserverthat representstheuserwiththeuser'sSIDandtheSIDsofallgroupstowhichthatuser belongs.Theaccesstokenontheserverisdistinctfromtheaccesstokenonthe user'sdesktop.Anaccesstokenisnevertransmittedoverthenetwork,andtheLSA ofaWindowssystemwouldneveraccepttheaccesstokengeneratedbyanotherLSA. Ofcourse,thisshouldbethecasebecauseauserprobablybelongstodifferentlocal groupsontheserverthanontheuser'sdesktop,andalmostcertainlyholdsdifferent privileges(userrights)ontheserverthanonthedesktop.
Security Descriptors, ACLs, and ACEs

07/06/13
Thesecuritydescriptorofasecuredresource,suchasafileorfolderonanNTFS volume,fullydescribesthesecuritycharacteristicsoftheresource.Thesecurity descriptorcontainstheDACL,whichcontainsACEsor"permissions."Eachpermission ismadeupofaflagthatindicateswhethertheACEisanAlloworDenyACEa trustee(theSIDofauseroragroup)andanaccessmaskspecifyingalevelof access.Therefore,theACEdefineswho(thetrusteerepresentedbytheSID)canor can'tdowhat(representedbytheaccessmask). Thesecuritydescriptoralsocontainsthesystemaccesscontrollist(SACL),which containsauditingsettingsandattributessuchastheobject'sowner.Becausethe DACListhefocusofmostdaytodaysecuritymanagementactivitiesforaresource, thenameandacronymisoftenshortened.Therefore,theshortenedaccesscontrol
07/06/13
list(ACL),whiletechnicallyinaccurate,isusedbymanyadministratorsandmuch documentation(includingthiscourse)torefertotheDACL.
Authorization
Authorizationistheprocessthatdetermineswhethertograntordenyausera requestedlevelofaccesstoaresource.Anaccessrequestthatindicatestheresource, thelevelofaccess,andthesecuritytokenrepresentingtheuserismade.Then,the securitysubsystemexaminestheACLoftheresource,comparingtheSIDsinthe ACEswiththeSIDsinthesecuritytoken.ThefirstACEthatmatchesbothanSIDin thetokenandthedesiredtypeofaccessdetermineswhethertheuserisallowed(if theACEisanAllowACE)ordenied(iftheACEisaDenyACE)accesstotheresource.

07/06/13
Ifnomatchisfound,accessisdenied.
Stand-Alone (Workgroup) Authentication
InastandaloneconfigurationofWindowssystems,alsocalledaworkgroup,each computermaintainsoneandonlyonetrustedidentitystore:alocallistofusersand groupsstoredintheregistrycalledtheSecurityAccountsManager(SAM)database. Unlikeauthenticationindomain,whichiscentralized,inaworkgroup,thereisa distributedauthenticationsystembecauseeachcomputerhasitsownSAM. BecauseWindowssystemsaresecure,ausercannotevenlogontoacomputer withoutauseraccount.Theusermustpresentcredentialsthatarevalidatedagainst

07/06/13
theidentitiesintheSAM.Afterauserhasbeenauthenticatedandauthorizedforlocal logon,theWindowsExplorerprocessislaunched,whichgeneratesthefamiliar Windowsdesktop. Iftheuserwishestoaccessasharedfolderonaserver,thereisanimmediate problem:theserverdoesnottrustanidentitypresentedtoit,becausetheidentity hasbeenauthenticatedbyanunknownanduntrustedsystem.Theservertrustsonly itsownidentitystoreitsownSAM.Therefore,fortheusertoremotelylogontothe server,theservermusthaveanidentity(useraccount)fortheuserinitsSAM.Ifthe logonnameandpasswordfortheidentityareidenticaltothecredentialsofthe identityontheworkstation,theauthenticationprocessthatoccursistransparentto theuser.Thistypeofauthenticationiscalledpassthroughauthentication.If, however,thelogonnamesorpasswordsdonotmatch,theuserwillbepromptedto entercredentialsthatarevalidfortheserverwhentheuserattemptstoconnecttoa sharedresource. TheACLonasecuredresourceontheservercannotcontainpermissionsthatreferto untrustedidentities.Therefore,alluserswhorequireaccesstotheresourcemusthave accountsontheserver. Thispresentsobviousmanagementchallenges.Iftheuserchangeshisorher passwordonthedesktop,thetwoaccountsarenolongerinsync,andtheuserwill bepromptedforcredentialswhenconnectingtotheserver.Theproblemonlygets worseasyouaddmoreusers,resources,andWindowssystemstotheenvironment.
07/06/13
Themanagementchallengesofmaintainingmultipleidentitiesforeachuserbecome quicklyuntenable.
Active Directory Domains: Trusted Identity Store
Themanagementandsecuritychallengesofaworkgrouparesolvedbycentralizing theidentitystoresothatthereisonlyoneidentity(useraccount)requiredforany oneuseranidentitystorethatistrustedbyallcomputers.Thisunitoftrusted identityiscreatedbytheintroductionofanActiveDirectorydomainandforest infrastructure. AnActiveDirectorydomainprovidesacentralizedidentitystoretrustedbyalldomain

07/06/13
membersallcomputersthathaveaccountsinthedomain.Adomainalsoprovidesa centralizedauthenticationservice.Boththeidentitystore(theActiveDirectory database)andtheauthenticationservice,alongwithanumberofothercomponents andservices,arehostedonaserverperformingtheroleofadomaincontroller.
Active Directory, Identity, and Access
Asmentionedintheintroductionstothemoduleandthislesson,ActiveDirectory providestheIDAsolutionforenterprisenetworksrunningWindows.IDAisnecessary tomaintainthesecurityofenterpriseresourcessuchasfiles,email,applications,and databases.
17/70
07/06/13
AnIDAinfrastructureshoulddothefollowing: Storeinformationaboutusers,groups,computersandotheridentities.Anidentity is,asyou'velearned,arepresentationofanentitythatwillperformactionsonthe enterprisenetwork.Forexample,auserwillopendocumentsfromasharedfolder onaserver.Youknowthatthedocumentwillbesecuredwithpermissionsonan ACL.Accesstothedocumentismanagedbythesecuritysubsystemoftheserver, whichcomparestheidentityoftheuserwiththeidentitiesonACLtodetermine whethertheuser'srequestforaccesswillbegrantedordenied.Computers,groups, services,andotherobjectsalsoperformactionsonthenetworktheymustbe representedbyidentities.Amongtheinformationstoredaboutanidentityare propertiesthatuniquelyidentifytheobject,suchasausernameoranSID,andthe passwordfortheidentity.TheidentitystoreisthereforeonecomponentofanIDA infrastructure.TheActiveDirectorydatastore,alsoknownasthedirectory,isan identitystore.Thedirectoryitselfishostedonandmanagedbyadomaincontroller aserverperformingtheADDSrole. Authenticateanidentity.Theserverwillnotgrantaccesstotheuserunlessthe serververifiesthattheidentitypresentedintheaccessrequestisvalid.Tovalidate theidentity,theuserprovidessecretsknownonlytotheuserandtheIDA infrastructure.Thosesecretsarecomparedwiththeinformationintheidentitystore inaprocesscalledauthentication. InanActiveDirectorydomain,aprotocolcalledKerberosisusedtoauthenticate identities.Whenauseroracomputerlogsontothedomain,Kerberos
07/06/13
authenticatesthecredentialsandissuesaninformationpackagecalledaticket grantingticket(TGT).Beforetheuserconnectstotheservertorequestthe document,aKerberosrequestissenttoadomaincontrolleralongwiththeTGT thatservestoidentifytheauthenticateduser.Thedomaincontrollerissuestheuser anotherinformationpackagecalledaserviceticketthatidentifiestheauthenticated usertotheserver.Theuserpresentstheservicetickettotheserver,whichaccepts theserviceticketasproofthattheuserhasbeenauthenticated. TheseKerberostransactionsresultinasinglenetworklogonorsinglesignon. AftertheuserorcomputerhasinitiallyloggedonandhasbeengrantedaTGT,the userisauthenticatedwithintheentiredomainandcanbegrantedservicetickets thatidentifytheusertoanyservice.Allofthisticketactivityismanagedbythe KerberosclientsandservicesbuiltintoWindows,anditistransparenttotheuser. Controlaccess.TheIDAinfrastructureisresponsibleforprotectingconfidential informationsuchastheinformationstoredinthedocument.Accesstoconfidential informationmustbemanagedaccordingtotheenterprisepolicies.TheACLonthe documentreflectsasecuritypolicythatcontainspermissionsthatspecifyaccess levelsforparticularidentities.Thesecuritysubsystemoftheserverinthisexample isperformingtheaccesscontrolfunctionalityintheIDAinfrastructure. Provideanaudittrail.Anenterprisemaywanttomonitorchangestoandactivities withintheIDAinfrastructure,soitmustprovideamechanismtomanageauditing.
Active Directory IDA Services

07/06/13
ADDSisthemostprominentcomponentofanIDAinfrastructure,butitisnotthe onlycomponentofIDAthatissupportedbyWindowsServer2008R2.Withthe releaseofWindowsServer2008,Microsofthasconsolidatedanumberofpreviously separatecomponentsintoanintegratedIDAplatform.Theseservicesare: ActiveDirectoryLightweightDirectoryServices(ADLDS) ActiveDirectoryCertificateServices(ADCS) ActiveDirectoryRightsManagementServices(ADRMS) ActiveDirectoryFederationServices(ADFS)
20/70
07/06/13
EachoftheseservicesplaysaroleinextendingIDAtosupportmorecomplex configurationsandscenarios.
AD LDS
ADLDSisessentiallyastandaloneversionofActiveDirectorythatapplicationsaccess byusingLightweightDirectoryAccessProtocol(LDAP). ADLDSisthereplacementforActiveDirectoryApplicationMode(ADAM).Thename ofthepreviousversionofthetoolindicatesitspurpose:ADLDSisdesignedto providesupportfordirectoryenabledapplications.Itcanbeusedforapplicationsthat requireadirectorystore,butdonotrequirethetypeofinfrastructureprovidedbyan ActiveDirectorydomain. EachinstanceofADLDScanhaveitsownschema,configuration,andapplication partitions.Thisallowsyoutocreateahighlycustomizeddirectorystorewithout affectingyourproductionIDAinfrastructure,basedonADDS.AlthoughADLDSis notdependentonADDS,inadomainenvironment,ADLDScanuseADDS authenticationofWindowssecurityprincipals,suchasusers,computers,andgroups. ADLDScanbeconfiguredinadomainornondomainenvironment,anditiseven possibletorunmultipleinstancesonasinglesystem,eachwithitsownuniqueLDAP andSecureSocketsLayer(SSL)portstoensuresecureconnectionwitheachinstance.
AD CS
07/06/13
ADCSextendstheconceptoftrustsothatauser,computer,organization,orservice canproveitsidentityoutsideorinsidetheborderofyourActiveDirectoryforest. Certificatesareissuedfromacertificateauthority(CA).Whenauser,computer,or serviceusesacertificatetoproveitsidentity,theclientinthetransactionmusttrust theissuingCA.AlistoftrustedrootCAs,whichincludesVeriSignandThawte,is maintainedbyWindowsandupdatedaspartofWindowsUpdate. Thecertificatescanbeusedfornumerouspurposesinanenterprisenetwork, includingthecreationofsecurechannelssuchastheSSLexamplementionedinthe ADLDSsection.Additionally,thecertificatescanbeusedforvirtualprivatenetworks (VPNs),wirelesssecurity,andauthentication,suchassmartcardlogon. ADCSprovidestechnologiesandtoolsthathelpcreateandmanageapublickey infrastructure(PKI).AlthoughADCScanberunonastandaloneserver,itismuch morecommonandmuchmorepowerfultorunADCSintegratedwithADDS,which canactasacertificatestoreandprovideaframeworktomanagethelifetimeof certificateshowtheyareobtained,renewed,andrevoked.
AD RMS
ADRMScreatesaframeworkwithwhichyoucanensuretheintegrityofinformation, bothwithinandoutsideyourorganization. Inatraditionalmodelofinformationprotection,ACLsareusedtodefinehow
07/06/13
informationcanbeaccessed.Forexample,ausermaybegiventheReadpermission toadocument.However,thereisnothingtopreventthatuserfromperformingany numberofactionsafterthatdocumentisopened.Theusercanmakechangestothe documentandsaveitinanylocation,printthedocument,orforwardthedocument byemailtoauserwhootherwisedoesnothaveReadpermissiontothedocument. ADRMSaddressestheseandothersuchscenariosbyenforcinginformationuse policies.ADRMSaccomplishesthisbyusinglicensesandencryptiontoprotect informationandbyhavingrightsmanagementenabledapplicationsthatcanconsume thelicenses,createusagepolicies,openprotectedcontent,andenforceusage policies.
AD FS
ADFSallowsanorganizationtoextendtheauthorityofthedirectoryservicefor authenticatingusersacrossmultipleorganizations,platforms,andnetwork environments. ThetraditionalWindowsdomainstrustrelationshipcreatesatrustinwhichthe trustingdomainallowsthetrusteddomaintoauthenticateusers,buttheresultisthat allusersinthetrusteddomainaretrusted.Moreover,tomaintainatrust,several firewallexceptionsmustbemadethatarenotagreeabletomanyorganizationsand certainlynotsuitableforsupportingWebfacingapplications.Toovercomethis problem,ADFScanbeconfiguredtomaintaintrustsbyusingcommonportssuchas 80and443.ItisimportanttoknowthedifferencebetweenfederationtruststhatAD
07/06/13
FShandleandADDStrusts.ADFScannotmanageADDSdomainorforesttrusts. ADFSisextremelyusefulforextendingadirectory'sauthorityinbusinesstobusiness andpartnershipscenarios,aswellasforsupportingsinglesignonwebapplications.
Lesson 2: Active Directory Components and Concepts
Modules214ofthiscoursedescribetheinstallation,configuration,management, andtroubleshootingofADDS.Itisworthwhiletofirstgainanoverviewofthe
07/06/13
components,technologies,andconceptsrelatedtoActiveDirectory.
Objectives
Aftercompletingthislesson,youwillbeableto: IdentifythemajorcomponentsofADDS.
Active Directory as a Database
ActiveDirectoryisultimatelyadatabaseofenterpriseresourcesandconfiguration.A
07/06/13
suiteofservicessupportthedatabaseandusetheinformationinittoprovide enterpriseidentityandaccess.Indatabaseterminology,eachrecordintheActive DirectorydatabaseisanActiveDirectoryobject,suchasauser,group,orcomputer. Eachfieldisanattribute,alsocalledapropertyofanobject.Attributesincludethe object'sname,password,description,membership,orSID. Securityprincipals,alsocalledaccounts,arespecifictypesofobjectsinADDS. Securityprincipalshaveseveraluniqueattributes,themostimportantofthemisthe SID.TheSIDisused,asyoulearnedinthepreviouslesson,toassignresourceaccess totheaccount. Inthepreviouslesson,youfocusedononlyonesecurityprincipalusers.However,it iseasiertomanageresourceaccesswhenyouassignpermissionstoagroup.Thereis aclassofgroupobjectcalledasecuritygroup,whichisalsoasecurityprincipal. Computersinadomainarealsosecurityprincipals.Infact,thecomputerobjectis verysimilartoauserobject:ithasalogonnameandpasswordthatthecomputer usestoauthenticatewiththedomainatstartup. Finally,thereisaclassofobjectscalledinetOrgPerson.Thisobjectclassisusedin veryspecificsituationstosupportinteroperabilitywithahandfulofthirdparty directoryservices.inetOrgPersonisalsoasecurityprincipalandissimilartoauser account. TheActiveDirectorydatabaseissupportedandusedbyanumberofservices,
07/06/13
includingKerberos(responsibleforauthentication),DNS(responsibleforname resolution),andthedirectoryreplicationagent(DRA),whichisresponsiblefor replicatingthedatabasebetweendomaincontrollers. TheActiveDirectorydatabasecanbeaccessedinanumberofways.Todothis,you canusevariousWindowscomponents,tools,andinterfacesapplicationprogramming interfaces(APIs)orLDAP.
Active Directory Data Store
Asmentionedinthepreviouslesson,ADDSstoresitsidentitiesinthedirectorya datastorehostedondomaincontrollers.Thedirectoryisasinglefilenamedntds.dit,
07/06/13
anditislocatedbydefaultinthe%systemroot%\ntdsfolderonadomaincontroller. Thedatabaseisdividedintoseveralpartitions,whichwillbedetailedinlatermodules. Thepartitionsinclude: Schema.Definestheattributesandtypesofobjectsthatcanbestoredinthe directory. Domainnamingcontext(DomainNC).Animportantpartitionfordaytoday administration,becauseitcontainsthedataaboutobjectswithinadomainthe users,groups,andcomputers.WhenyoumakechangestoActiveDirectoryby usingtheActiveDirectoryUsersandComputerssnapin,youaremodifyingthe contentsoftheDomainNC. Configuration.Containsinformationaboutdomains,services,andtopology. DNS.IfyouuseActiveDirectoryintegratedDNS,theDNSzonesandresource recordsarestoredinapartition. PartialAttributeSet(PAS).ThispartitionisusedbytheGlobalCatalog,whichis detailedinalatertopicinthislesson,andinModule12.
ActiveDirectoryalsostoresinformationinafolderstructurecalledSYSVOL.By default,thisfolderislocatedinthe%systemroot%folder(c:\windows).SYSVOL containsitemssuchaslogonscriptsandfilesrelatedtoGPOs.

07/06/13
Domain Controllers
Domaincontrollers,alsoreferredtoasDCs,areserversthatperformtheADDSrole. Aspartofthatrole,theyhostandreplicatetheActiveDirectorydatabase(NTDS.DIT) andSYSVOL. DCsalsoruntheKerberosKeyDistributionCenter(KDC)service,whichperforms authenticationandotherActiveDirectoryservices. Becauseauthenticationiscriticaltoanenterprise,thebestpracticeistohaveatleast twoavailabledomaincontrollerssothatifclientsareunabletoaccessone,theyhave accesstoanother.

07/06/13
Inadditiontoavailability,youmustensurethatdomaincontrollersaresecure.In additiontophysicalsecurity(suchasplacingdomaincontrollersinsecure datacenters),therearetwooptionstoimprovesecurity: SeverCore.YoucaninstallWindowsServer2008R2byusingtheServerCore installationoption.ThisinstallsaminimalconfigurationofWindowsServer2008R2 thatfeaturesaCommandPromptuserinterface,ratherthanWindowsExplorer.You willinstallaServerCoreDCintheLabforModule11. ReadOnlyDomainControllers(RODCs).RODCsfacilitatesuserauthenticationin lesssecureenvironments,suchasbranchoffices,bycachingcredentialsonlyfor thoseusers.PasswordsforotherusersarenotreplicatedtotheRODC.Additionally, theRODCdoesnotallowchangestobemadetoActiveDirectory,reducingthe vulnerabilityoftheADDSdomaintoaccidentalorintentionaldamageataless securesite.RODCsaredetailedinModule10.
Demonstration: Active Directory Schema
30/70
07/06/13
Inthisdemonstration,yourinstructorwillintroduceyoutotheroleandstructureof theschemabygivingyouatouroftheActiveDirectoryschema. TheschemaisoftencomparedwithablueprintforActiveDirectory.Itdefinesthe attributesandtypesofobjectsthatcanbestoredinthedirectory.Forexample,the schemadeterminesthefactthatActiveDirectorycanhaveuserobjects,andthatuser objectsarerequiredtohavealogonnameandoptionallyanemailaddress.Ifyou needtocreatesomeadditionalattributesorpropertiesfortheuserobject,youmust extendtheschema.However,youshouldnotextendtheschemawithoutagood reasonbecausethisoperationisnotreversible.Also,donotedittheschema manually,butedititonlythroughautomatedproceduresinitiatedbyapplicationsthat needschemaextension,suchasExchangeServer.
07/06/13
Theschemahastwoprimarycontainers.TheAttributescontainerholdsdefinitions ofeveryattributesupportedbyActiveDirectory.Youcanopentheattributesfor propertieswithwhichyouarealreadyfamiliar: objectSID.Securityidentifier. sAMAccountName.ThepreWindows2000Serverlogonname,whichmost administratorsrefertoasthe"username." unicodePwd.Thisattributestoresapasswordasahashcodethatresultsfroma onewayfunction. Youcannotreadorderivetheactualpasswordfromthisattributewithout performingsomekindofbruteforcedictionaryattack(hacking). member.Theattributethatstoresthemembershiplistforagroupobject.
TheClassescontainerdefinesthetypesofobjectsthatcanbeinstantiated(created) inthedirectory,includinguserandgroup.Objectclassesareassociatedwith attributesdefinedintheAttributescontainer.Theseassociationsdeterminewhich objectclasseshavewhichattributesandwhichofthoseattributesaremandatoryfor aparticularobjectclass.
Demonstration Steps
07/06/13
1.
Onthevirtualmachine6425CNYCDC1,openD:\AdminTools\ADConsole.msc. ExpandtheActiveDirectorynode,andthenexpandtheActiveDirectory Schema[NYCDC1.contoso.com]node.
2.
LookattheAttributescontainer.OpenthePropertiesofthefollowing. objectSID sAMAccountName(whatmostadminscalltheusername) unicodePwd member description
3.
OpentheClassescontainer.Whilescrollingthrough,noticefamiliarobject classes,includinguser,computer,andgroup.
Organizational Units
33/70
07/06/13
ActiveDirectoryisahierarchicaldatabase.Objectsinthedatastorecanbegroupedin containers.OnetypeofcontaineristheobjectclasscalledContainer.Othertypesof containersincludeforests,domains,sites,andsoon.Youhaveseenthedefault containers,includingUsers,Computers,andBuiltin,whenyouopentheActive DirectoryUsersandComputerssnapin.Anothertypeofcontaineristhe organizationalunit(OU). AnOUisanADDSobjectthatiscontainedinadomain.YoucanuseOUstoperform thefollowingtasks: Organizeobjectsinadomain.OUscontaindomainobjects,suchasuserand

07/06/13
computeraccountsandgroups.FileandprintersharesthatarepublishedtoADDS alsoarefoundinOUs. Delegateadministrativecontrol.Youcanassigneithercompleteadministrative control,suchastheFullControlpermission,overallobjectsintheOUorlimited administrativecontrol,suchastheabilitytomodifyemailinformation,overuser objectsintheOU.Todelegateadministrativecontrol,youassignspecific permissionsontheOUandtheobjectsthattheOUcontainsforoneormoreusers andgroups. Simplifythemanagementofcommonlygroupedresources.UsingOUs,youcan createcontainersinadomainthatrepresentthehierarchicalorlogicalstructuresin yourorganization.Then,youcanuseGroupPolicysettingstomanagethe configurationofuserandcomputersettingsbasedonyourorganizationalmodel.
Anorganizationalhierarchyshouldrepresentanorganizationalstructurelogically.The organizationcouldbebasedongeographic,functional,resource,oruser classifications.Whatevertheorder,thehierarchyshouldmakeitpossibleto administerADDSresourcesaseffectivelyandwithasmuchflexibilityaspossible.For example,ifallcomputersthatITadministratorsusemustbeconfiguredinacertain way,youcangroupallcomputersinanOUandassignapolicytomanageits computers. YoualsocancreateOUsinsideotherOUstosimplifyadministration.Forexample,

07/06/13
yourorganizationmayhavemultipleoffices,andeachofficemighthaveasetof administratorsresponsibleformanaginguserandcomputeraccountsintheoffice. Also,eachofficemayhavedifferentdepartmentswithdifferentcomputer configurationrequirements.Inthissituation,youcouldcreateanOUforthatoffice thatisusedtodelegateadministrationandadepartmentOUinsidetheofficeOUto assigndesktopconfigurations. AlthoughthereisnotechnicallimittothenumberoflevelsinyourOUstructure,for thepurposeofmanageability,limityourOUstructuretoadepthofnomorethan10 levels,whilemostorganizationsuse5orlesslevelstosimplifyadministration.Note thatActiveDirectoryenabledapplicationsmighthaverestrictionsonthenumberof charactersusedinthedistinguishedname(thefullLDAPpathtotheobjectinthe directory)orontheOUdepthwithinthehierarchy.
Domain
36/70
07/06/13
OneormoredomaincontrollersarerequiredtocreateanActiveDirectorydomain.A domainisanadministrativeunitwithinwhichcertaincapabilitiesandcharacteristics areshared.First,alldomaincontrollersreplicatethedomainspartitionofthedata store,whichcontains,amongotherthings,theidentitydataforthedomainsusers, groups,andcomputers.BecauseallDCsmaintainthesameidentitystore,anyDCcan authenticateanyidentityinadomain. Inaddition,adomainisascopeofadministrativepoliciessuchaspassword complexityandaccountlockoutpolicies.Suchpoliciesthatareconfiguredinone domainaffectallaccountsinthedomainanddonotaffectaccountsinother domains.
07/06/13
ChangescanbemadetoobjectsintheActiveDirectorydatabasebyanydomain controller,andthatwillbereplicatedtoallotherdomaincontrollers.Therefore,in networkswherereplicationofalldatabetweendomaincontrollerscannotbe supported,itmaybenecessarytoimplementmorethanonedomaintomanagethe replicationofsubsetsofidentities. NoteChangescannotbemadetoobjectsintheActiveDirectorydatabaseon anRODC.YouhavetouseaRead/WriteDomainControllerforthispurpose.
Forest
38/70
07/06/13
AforestisacollectionofoneormoreActiveDirectorydomains.Thefirstdomain installedinaforestiscalledtheforestrootdomain.Aforestcontainsasingle definitionofnetworkconfigurationandasingleinstanceofthedirectoryschema.In otherwords,eachdomaincontrollerinaforestreplicatestheConfigurationand Schemapartitions,andthesetwopartitionsarethesameforeachdomaininthe forest.Inotherwords,youcannothavemorethanoneschemaorconfigurationina forest.Forestrootdomainalsocontainsforestwideadministrativeaccountssuchas EnterpriseAdminandSchemaAdmin.EnterpriseAdminhasadministrativeprivileges ineverydomaininforest,andcanalsoeditforeststructuresuchasaddingor removingdomains,extendingschema,andsoon. AforestisasingleinstanceofthedirectorynodataisreplicatedbyActiveDirectory outsidetheboundariesoftheforest.Therefore,theforestdefinesbothareplication andasecurityboundary.
Tree
39/70
07/06/13
TheDomainNameSystemnamespaceofdomainsinaforestcreatetreeswithinthe forest.Ifadomainisasubdomainofanotherdomain,thetwodomainsare consideredatree.Forexample,ifthetreyresearch.netforestcontainstwodomains, treyresearch.netandantarctica.treyresearch.net,thedomainsconstituteacontiguous portionoftheDNSnamespace,sotheyareasingletree.If,ontheotherhand,the twodomainsaretreyresearch.netandproseware.com,whicharenotcontiguousin theDNSnamespace,theforestisconsideredtohavetwotrees.Treesarethedirect resultofDNSnameschosenfordomainsintheforest. TheslideillustratesanActiveDirectoryforestforTreyResearch,whichmaintainsa smalloperationatafieldstationinAntarctica.BecausethelinkfromAntarcticatothe headquartersisexpensive,slow,andunreliable,Antarcticaisconfiguredasaseparate
07/06/13
domain.TheDNSnameoftheforestistreyresearch.net.TheAntarcticadomainisa childdomainintheDNSnamespace,antarctica.treyresearch.net,soitisconsidereda childdomaininthedomaintree. Theproseware.comdomain,becauseitdoesnotshareacontiguousDNSnamespace, isanothertreeinthesameforest.
Replication
41/70
07/06/13
Replicationservicesdistributedirectorydataacrossanetwork.Thisincludesbothdata storeaswellasdatarequiredtoimplementpoliciesandconfiguration,includinglogon scripts.ActiveDirectorymaintainsaseparatepartitionofthedatastorenamed Configuration,whichmaintainsinformationaboutnetworkconfiguration,topology, andservices. ActiveDirectoryusesmultimasterreplicationtosynchronizedirectoryinformation. Truemultimasterreplicationcanbecontrastedwithotherdirectoryservicesthatusea mastersubordinateapproachtoupdateswhereallupdatesmustbemadetothe mastercopyofthedirectoryandthenreplicatedtothesubordinatecopies.The mastersubordinatesystemisadequateforadirectorythathasasmallnumberof copiesandforanenvironmentwherethechangescanbeappliedcentrally.But,this approachdoesnotscalebeyondsmallsizedorganizations,anditdoesnotaddress theneedsofdecentralizedorganizations.InActiveDirectory,noonedomain controlleristhemaster.Instead,alldomaincontrollerswithinadomainare equivalent.Changescanbemadetoanydomaincontroller,unlikeasinglemaster system,wherechangesmustbemadetooneserver.Inthesinglemastersystem,the primaryserverreplicatestheupdatedinformationtoallotherdirectoryserversinthe domain. Withmultimasterreplication,itisnotnecessaryforeachdomaincontrollertoreplicate toeveryotherdomaincontroller.Instead,thesystemimplementsarobustsetof connectionsthatdetermineswhichdomaincontrollersreplicatetowhichotherdomain controllers.Thisensuresthatnetworksarenotoverloadedwithreplicationtrafficand
07/06/13
thatreplicationlatencyisnotsolongthatitcausesinconveniencetousers.Thesetof connectionsthroughwhichchangesarereplicatedtodomaincontrollersinan enterpriseiscalledthereplicationtopology.
Sites
Whenyouconsiderthenetworktopologyofadistributedenterprise,youwillcertainly discussthenetworkssites.SitesinActiveDirectory,however,haveaveryspecific meaningbecausethereisaspecificobjectclasscalledsite. AnActiveDirectorysiteisanobjectthatrepresentsaportionoftheenterprisewithin whichnetworkconnectivityisgood.Asitecreatesaboundaryofreplicationand

07/06/13
serviceutilization.Youcanalsotreatasiteasalogicalinterpretationofyourphysical network. Domaincontrollerswithinasitereplicatechangeswithinseconds.Changesare replicatedbetweensitesonacontrolledbasiswiththeassumptionthatintersite connectionsareslow,expensive,orunreliablethantheconnectionswithinasite.By definingsites,youaretellingActiveDirectorythatyouhavedomaincontrollerson variousphysicallocations,andthatreplicationbetweentheselocationsisperformed overslowerlinks. Inaddition,clientswillprefertousedistributedservicesfromserversintheirsiteor theclosestsite.Forexample,whenauserlogsontothedomain,theWindowsclient firstattemptstoauthenticatewithadomaincontrollerinitssite.Onlyifnodomain controllerisavailableinthesitewilltheclientattempttoauthenticatewithaDCin anothersite.
Global Catalog
44/70
07/06/13
SeveralcomponentsandtechnologiesenableyoutoqueryActiveDirectoryandlocate objectsinthedatastore.ApartitionofthedatastorecalledtheGlobalCatalog,which isalsoknownasthePAScontainsinformationabouteveryobjectinthedirectory.It isatypeofindexthatcanbeusedtolocateobjectsinthedirectory.TheGlobal CatalogisthesetofallobjectsinanADDSforest.AGlobalCatalogserverisa domaincontrollerthatstoresafullcopyofallobjectsinthedirectoryforitshost domainandapartial,readonlycopyofallobjectsforallotherdomainsintheforest. Thepartial,readonlycopiesofobjectsthatmakeuptheglobalcatalogaredescribed as"partial"becausetheyincludealimitedsetofattributesthatarerequiredbythe schemainadditiontotheattributesthataremostcommonlyusedinusersearch operations.Thisisparticularlyimportantifyouaresearchingforobjectsinanother domainwithinaforest.Becausethedomaincontrollersinyourdomainwillnot
07/06/13
containinformationaboutobjectsinotherdomains,youmustrelyontheglobal catalog,whichhastheindexed,partialattributesetforallobjectsinotherdomains.
Functional Levels
ThefunctionalityavailableinanActiveDirectorydomainorforestdependsonits functionallevel.ThefunctionallevelisanADDSsettingthatenablesadvanced domainwideorforestwideADDSfeatures.Therearefourdomainfunctionallevels: Windows2000native,WindowsServer2003,WindowsServer2008,andWindows Server2008R2,andthreeforestfunctionallevels:WindowsServer2003,Windows Server2008,andWindowsServer2008R2.Asyouraisethefunctionallevelofa domainorforest,featuresprovidedbythatversionofWindows(andActiveDirectory)

07/06/13
becomeavailabletoADDS.Forexample,whenthedomainfunctionallevelisraised toWindowsServer2008,anewattributebecomesavailablethatrevealsthelasttime ausersuccessfullyloggedontoacomputer,thecomputertowhichtheuserlast loggedon,andthenumberoffailedlogonattemptssincethelastlogon.Ifyouraise theforestfunctionalleveltoWindowsServer2008R2,youwillgettheActive DirectoryRecycleBinfeature,whichprovidestheabilitytorestoredeletedobjects fromADDS.Theimportantthingtoknowaboutfunctionallevelsisthatthey determinetheversionsofWindowspermittedondomaincontrollers.Beforeyouraise thedomainfunctionalleveltoWindowsServer2008R2,alldomaincontrollersmust berunningWindowsServer2008R2.Also,toraiseforestfunctionalleveltoWindows Server2008R2,alldomainsinaforestmustbeintheWindowsServer2008R2 functionallevel. IntheWindowsServer2008environment,youcanstillusetheWindows2000Server nativefunctionallevelwhiletheminimumsupportedfunctionallevelforWindows Server2008R2isWindowsServer2003.
DNS and Application Partitions
47/70
07/06/13
ActiveDirectoryandDNSarecloselyintegrated.First,thereisaonetoone relationshipbetweenaDNSnameandanActiveDirectorydomain.Second,thereisa completerelianceonDNStolocatecomputersandserviceswithinthedomain.Third, itisverycommontoconfiguredomaincontrollerstoalsoserveasDNSservers.When youdothis,youhavetheoptiontostoreDNSdata,calledazone,inActiveDirectory itself. TheActiveDirectorydatastorecanalsobeusedtosupportapplicationsandservices notdirectlyrelatedtoADDS.Withinthedatabase,applicationpartitionscanstore datatosupportapplicationsthatrequirereplicateddata.TheDNSserviceona WindowsServer2008servercanstoreitsinformationinadatabasecalledanActive Directoryintegratedzone,whichismaintainedasanapplicationpartitioninADDS
07/06/13
andreplicatedbyusingActiveDirectoryreplicationservices.
Trust Relationships
Atthebeginningofthismodule,youconsideredthedefault,standalone,workgroup, configurationofWindowsServer.Youthenlearnedthat,whenacomputerjoinsa domain,theLSAofthesystembeginstotrusttheidentitystoreandauthentication servicesprovidedbythedomain.Thatallowsauseraccountstoredinthedomainto beauthenticatedbythecomputer.Thisalsoprovidestheuseraccountaccessto resourcesonthecomputersjoinedtothedomain.Joiningcomputerstoadomainis thesimplestwayofestablishingatrustrelationship.
49/70
07/06/13
Thesameconceptcanbeextendedtootherdomains.Adomaincanauthenticate usersfromanotherdomainandcanallowthoseuserstobeassignedaccessto resourcesinthedomain.Thisisdonebyestablishingadomaintrustrelationship. Inatrustrelationship,thetrustingdomainextendsitsrealmoftrustsothatittrusts theidentitystoreandauthenticationservicesofthetrustingdomain.Useraccountsin thetrustingdomaincanbeauthenticated,andtheSIDsofuseraccountsinthe trusteddomaincanbeaddedtoACLsinthetrustingdomain. Withinaforest,eachdomaintrustseveryotherdomain.Youmustmanuallyestablish trustrelationshipsbetweenthedomainsthatareindifferentforestsandbetween foreststhemselves.
Lesson 3: Install Active Directory Domain Services
50/70
07/06/13
ThislessondiscusseshowtoinstallADDSandhowtoconfigureadomaincontroller.
Objectives
Aftercompletingthislesson,youwillbeableto: Understandtherequirementsforinstallingadomaincontrollertocreateanew forest. ConfigureadomaincontrollerwiththeADDSrolebyusingtheWindowsinterface.
51/70
07/06/13
Install and Configure a Domain Controller
ToinstallandconfigureaWindowsServer2008R2domaincontroller,youmustfirst installtheADDSrolebyusingServerManager.Thisaddsthefilesandregistry componentsnecessaryfortheservertolaterbecomeadomaincontroller.But,adding theroledoesnotactuallyconfigureandenabletheserverasadomaincontroller. ThatstepisperformedbyrunningtheActiveDirectoryDomainServicesInstallation Wizard,whichisalsoknownasDCPromo,becausethewizardcanbelaunchedby usingthedcpromo.execommand.TheActiveDirectoryDomainServicesInstallation Wizardtakesyouthroughtheprocessofselectingthedeploymentconfiguration, addingadditionaldomaincontrollerfeatures,suchastheDNSrole,specifyingthe locationforActiveDirectoryfiles,andconfiguringtheDirectoryServicesRestoreMode
07/06/13
AdministratorPassword,whichisusedwhenrestoringActiveDirectoryfromabackup, asyou'lllearninModule14.
Prepare to Create a New Forest with Windows Server 2008 R2
BeforeyouinstalltheADDSroleonaserverandpromoteittoactasadomain controller,youshouldplanyourActiveDirectoryinfrastructure.Youwillneedthe followinginformationtocreateadomaincontroller: ThedomainnameandtheDNSname.AdomainmusthaveauniqueDNSname, suchascontoso.com,aswellasashortname,suchasCONTOSO,whichisalso

07/06/13
calledaNetBIOSname.NetBIOSisanetworkprotocolthatisinusesincethefirst versionsofWindowsNT.Itisstillusedbysomelegacyapplications. Whetherthedomainwillneedtosupportdomaincontrollersrunningprevious versionsofWindows.WhenyoucreateanewActiveDirectoryforest,youwill configurethefunctionallevel.IfthedomainwillincludeonlyWindowsServer2008 R2domaincontrollers,youcansetthefunctionallevelaccordinglytobenefitfrom theenhancedfeaturesintroducedbythisversionofWindows. DetailsforhowDNSwillbeimplementedtosupportActiveDirectory.Itisabest practicetoimplementDNSforyourWindowsdomainzonesbyusingWindowsDNS Service,asyouwilllearninModule9.However,itispossibletosupportaWindows domainonathirdpartyDNSservice. IPconfigurationforthedomaincontroller.DomaincontrollersrequirestaticIP addressesandsubnetmaskvalues.Additionally,thedomaincontrollermustbe configuredwithaDNSserveraddresstoperformnameresolution.Ifyoucreatea newforestandrunWindowsDNSServiceonthedomaincontroller,youcan configuretheDNSaddresstopointtotheserversownIPaddress.AfterDNSis installed,theservercanchecktoresolveDNSnames. Theusernameandpasswordofanaccountintheserversadministratorgroup. Theaccountmusthaveapasswordthepasswordcannotbeblank. Thelocationinwhichthedatastore(includingntds.dit)andsystemvolume (SYSVOL)shouldbeinstalled.Bydefault,thesestoresarecreatedin %systemroot%,suchasc:\windows,intheNTDSandSYSVOLfolders,
07/06/13
respectively.Whencreatingadomaincontroller,youcanredirectthesestoresto otherdrives.
Lab: Install an AD DS Domain Controller to Create a Single Domain Forest
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps:
07/06/13
1.
Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager.
2.
InHyperVManager,click6425CNYCSVRD,andintheActionspane,click Start.
3. 4.
IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts. Logonbyusingthefollowingcredentials: Username:Administrator Password:Pa$$w0rd
Lab Scenario
YouhavebeenhiredtoimproveidentityandaccessatContoso,Ltd.Thecompany currentlyhasoneserverinaworkgroupconfiguration.Employeesconnecttothe serverfromtheirpersonalclientcomputers.Inanticipationofneartermgrowth,you needtoimprovethemanageabilityandsecurityofthecompanysresources.You decidetoimplementanADDSdomainandforestbypromotingtheservertoa domaincontroller.YouhavejustfinishedinstallingWindowsServer2008R2fromthe installationDVD.
Exercise 1: Perform Post-Installation Configuration Tasks
56/70
07/06/13
Inthisexercise,youwillpreparetheserverbyperformingpostinstallation configurationtasks. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. Configurethetimezone. ChangetheIPconfiguration. RenametheservertoHQDC01. Restarttheserver.
Task 1: Configure the time zone.
IntheInitialConfigurationTaskswindow,changethetimezonesothatitis appropriateforyourlocation.
Task 2: Change the IP configuration.
IntheInitialConfigurationTaskswindow,changetheIP(IPv4)configurationto thefollowing: IPaddress:10.0.0.11

07/06/13
Subnetmask:255.255.255.0 Defaultgateway:10.0.0.1 PreferredDNSserver:10.0.0.11
Task 3: Rename the server to HQDC01.
IntheInitialConfigurationTaskswindow,renametheservertoHQDC01.Donot restarttheservernow.
Task 4: Restart the server.
1.
IntheInitialConfigurationTaskswindow,reviewtheAddrolesandAdd featureslinks. Inthenextexercise,youwilluseServerManagertoaddrolesandfeaturesto HQDC01.Theselinkshelpyouperformthesametasks.Bydefault,theInitial ConfigurationTaskswindowwillappeareachtimeyoulogontotheserver.
2.
Topreventthewindowfromappearing,selecttheDonotshowthiswindow atlogoncheckbox.NotethatifyouneedtoopentheInitialConfiguration Taskswindowinthefuture,runtheOobe.execommand.
58/70
07/06/13
3.
ClicktheClosebutton. ServerManagerappears. ServerManagerenablesyoutoconfigureandadministertherolesandfeatures ofaserverrunningWindowsServer2008.YouwilluseServerManagerinthe nextexercise. AtthelowerpartoftheServerManagerwindow,thefollowingstatusmessageis displayed: Consolecannotrefreshuntilcomputerisrestarted.
4.
ClicktheRestartlink. Now,youarepromptedwiththefollowingmessage: Doyouwanttorestartnow?
5.
ClickYes. Thecomputerrestarts.
Results:Inthisexercise,youconfiguredaservernamedHQDC01inthecorrect timezone,andwiththeIPconfigurationspecifiedinTask4.
Exercise 2: Install a New Windows Server 2008 R2 Forest with the

07/06/13
Windows Interface
NowthatyouhavepreparedtheserverwithanappropriatenameandIP configuration,youarereadytoconfigureHQDC01asadomaincontroller. Inthisexercise,youwilladdtheADDSroleandcreatetheforestand domainbypromotingHQDC01tobethefirstdomaincontrollerinthe contoso.comforest. Themaintasksforthisexerciseareasfollows: 1. 2. AddtheActiveDirectoryDomainServicesroletoHQDC01. ConfigureanewWindowsServer2008forestnamedcontoso.comwithHQDC01 asthefirstdomaincontroller. 3. Examinethedefaultconfigurationofthecontoso.comforestanddomain. (Optional)
Task 1: Add the Active Directory Domain Services role to HQDC01.
1. 2.
LogontoHQDC01asAdministratorwiththepasswordPa$$w0rd. UsingServerManager,addtheActiveDirectoryDomainServicesrole,and thenacceptalldefaults.
60/70
07/06/13
Task 2: Configure a new Windows Server 2008 R2 forest named contoso.com with HQDC01 as the first domain controller. 1. InServerManager,expandtheRolesnodeinthetreepane,andthenselect ActiveDirectoryDomainServices. 2. ClicktheRuntheActiveDirectoryDomainServicesInstallationWizard (dcpromo.exe)link. TheActiveDirectoryDomainServicesInstallationWizardappears. 3. 4. OntheWelcomepage,clickNext. OntheOperatingSystemCompatibilitypage,reviewthewarningaboutthe defaultsecuritysettingsforWindowsServer2008domaincontrollers,andthen clickNext. 5. OntheChooseaDeploymentConfigurationpage,selectCreateanew domaininanewforest,andthenclickNext. 6. OntheNametheForestRootDomainpage,typecontoso.com,andthen clickNext. ThesystemcheckstoensurethattheDNSandNetBIOSnamesarenotalready inuseonthenetwork. 7. OntheSetForestFunctionalLevelpage,clickWindowsServer2008,and
61/70
07/06/13
thenclickNext. EachofthefunctionallevelsisdescribedintheDetailsbox.ChoosingWindows Server2008forestfunctionallevelensuresthatalldomainsintheforestoperate attheWindowsServer2008domainfunctionallevel,whichenablesseveralnew featuresprovidedbyWindowsServer2008. Inaproductionenvironment,youwouldchooseWindowsServer2008R2forest functionallevel,ifyourequirethefeaturesoftheWindowsServer2008 R2functionallevelandifyoudonotaddanydomaincontrollersrunning operatingsystemspriortoWindowsServer2008R2. 8. OntheSetDomainFunctionalLevelpage,clickWindowsServer2008, andthenclickNext.TheAdditionalDomainControllerOptionspage appears. 9. DNSServerisselectedbydefault.TheActiveDirectoryDomainServices InstallationWizardwillcreateaDNSinfrastructureduringtheADDSinstallation. Thefirstdomaincontrollerinaforestmustbeaglobalcatalogserverandcannot beareadonlydomaincontroller(RODC).ClickNext. AwarningmessagestatesthatadelegationfortheDNSservercannotbe created. Inthisexercise,youcanignoretheerror.DelegationsofDNSdomainswillbe discussedlaterinthiscourse.ClickYestoclosetheActiveDirectoryDomain ServicesInstallationWizardwarningmessage.
07/06/13
10. OntheLocationforDatabase,LogFiles,andSYSVOLpage,acceptthe defaultlocationsforthedatabasefile,thedirectoryservicelogfiles,andthe SYSVOLfiles,andthenclickNext. Thebestpracticeinaproductionenvironmentistostorethesefilesonthree separatevolumesthatdonotcontainapplicationsorotherfilesnotrelatedtoAD DS.Thisbestpracticedesignimprovesperformanceandincreasestheefficiency ofbackupandrestore. 11. OntheDirectoryServicesRestoreModeAdministratorPasswordpage, typePa$$w0rdinbothPasswordandConfirmPasswordboxes.Click Next. Inaproductionenvironment,youshoulduseastrongpasswordforthe DirectoryServicesRestoreModeAdministratorPassword.Donotforgetthe passwordyouassigntotheDirectoryServicesRestoreModeAdministrator. 12. OntheSummarypage,reviewyourselections. Ifanysettingsareincorrect,clickBacktomakemodifications. 13. ClickNext. ConfigurationofADDSbegins.Afterseveralminutesofconfiguration,the CompletingtheActiveDirectoryDomainServicesInstallationWizardpage appears. 14. ClickFinish.
07/06/13
ClickRestartNow.Thecomputerrestarts. 15. ContinuewithTask3(Optional)orskiptoExercise3
Task 3: Examine the default configuration of the contoso.com forest and domain. (Optional)
1.
LogontoHQDC01asContoso\AdministratorwiththepasswordPa$$w0rd. TheWindowsdesktopappearsand,afteramoment,ServerManageropens.
2.
ExpandtheRolesnodeinthetreepane,andexpandtheActiveDirectory DomainServicesnode.
3.
ExpandActiveDirectoryUsersandComputersandthecontoso.com domainnode.
4.
ClicktheUserscontainer. Theusersandgroupsyouseeareavailabletoanycomputerinthedomain.For example,thedomain'sAdministratoraccountcanbeusedtologontoany computerinthedomain,bydefault,andtheDomainUsersgroupisamemberof thelocalUsersgrouponeachcomputerinthedomain.
5.
ClicktheBuiltincontainer. Thegroupsyouseearesharedbyandavailabletodomaincontrollers,butnotto
64/70
07/06/13
memberserversorworkstations.Forexample,membersoftheBackupOperators groupcanperformbackupandrestoretasksondomaincontrollersonly,andthe AdministratorsgroupintheBuiltincontainerrepresentstheadministratorsofall domaincontrollers. 6. ClicktheComputerscontainer. Noticethatitisempty.Thisisthedefaultcontainerformemberserversand workstations. 7. ClicktheDomainControllersorganizationalunit(OU). ThisistheOUintowhichdomaincontrollersareplaced.Thecomputerobjectfor HQDC01appearsinthisOU.
Results:Inthisexercise,youconfiguredasingledomainforestnamed contoso.comwithasingledomaincontrollernamedHQDC01.
Exercise 3: Raise Domain and Forest Functional Levels

Inthisexercise,youwillraisethedomainfunctionalleveltoWindows Server2008R2level. Themaintasksforthisexerciseareasfollows:
07/06/13
1. 2.
RaisethedomainfunctionalleveltoWindowsServer2008R2. RaisetheforestfunctionalleveltoWindowsServer2008R2.
Task 1: Raise the domain functional level to Windows Server 2008 R2.
1.
Ifnecessary,logontoHQDC01asContoso\Administratorwiththepassword ofPa$$w0rd.
2. 3. 4.
OpentheActiveDirectoryDomainsandTrustsconsole. ConfirmthatthecurrentdomainfunctionallevelisWindowsServer2008. RaisetheDomainfunctionalleveltoWindowsServer2008R2.
Task 2: Raise the forest functional level to Windows Server 2008 R2.
1.
IntheActiveDirectoryDomainsandTrustsconsole,raisetheforest functionalleveltoWindowsServer2008R2.
2.
CloseActiveDirectoryDomainsandTrusts.
Results:Inthisexercise,youraisedthedomainandforestfunctionallevelsto
07/06/13
WindowsServer2008R2.
To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. IntheVirtualMachineslist,rightclick6425CNYCSVRD,andthenclick Revert.
3.
IntheRevertVirtualMachinedialogbox,clickRevert.
Lab Review Question:WhatcanyoudowiththeInitialConfigurationTasksconsole? Question:Whatmustyoudobeforestartingthedcpromowizard? Question:Whichtoolisusedtoraisethedomainfunctionallevel?
67/70
07/06/13
Module Review and Takeaways
Review Questions
1. 2. 3. Whatisthemaindifferencebetweenauthenticationandauthorization? Whyisglobalcatalogimportantinamultidomainenvironment? WhichtoolscanyouusetoinstallADDS?
Common Issues Related to AD DS Installation

07/06/13
Issue
Dcpromowizardcannotperform installationofADDS Youcannotstartdcpromo.exe Youcannotraiseforesttothe WindowsServer2008R2functional level
TroubleshootingTip
Best Practices Related to AD DS

UseastrongpasswordforDirectoryServiceRestoreMode. MakealldomaincontrollersintoGlobalCatalogservers. UsestaticIPaddressesfordomaincontrollers.
Tools
Tool
ServerManager InitialConfiguration Tasks
Usefor
AddingADDSrole Performingpost installationtaskson WindowsServer2008R2
Wheretofindit
AdministrativeTools TypeOobe.exeintheRunwindow
69/70
07/06/13
Dcpromo.exe
InstallingActiveDirectory DomainServicesand makingtheservera domaincontroller
Typedcromo.exeintheRunwindoworuse ServerManagertorunthetool
70/70

Module 1 - Introducing Active Directory® Domain Services

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Module 1 - Introducing Active Directory® Domain Services

Transféré par

Droits d'auteur :

Formats disponibles

07/06/13

Module 1: Introducing Active Directory Domain Services

Module1:IntroducingActiveDirectory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Lesson 1: Overview of Active Directory, Identity, and Access

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Identity and Access

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Authentication and Authorization

Module 1: Introducing Active Directory Domain Services

Thereareafewconceptsandprocessesthatyoumustunderstandaboutusersand resourceaccess.Whenausertriestoaccessaresourceonalocaloraremote system,severalproceduresareinitiated.Asdiscussedearlier,itsallaboutmappinga userSIDtotheappropriateACEonaresource. Thenextfourslideswilldetailthisprocess.

Authenticationistheprocessofverifyingauser'sidentity.Theuserprovides credentialsthatcontainatleasttwocomponents:alogonnameandasecretknown onlytotheuserandthesystem,suchasapassword.Thesystemvalidatesthe

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Security Descriptors, ACLs, and ACEs

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Stand-Alone (Workgroup) Authentication

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Active Directory Domains: Trusted Identity Store

Module 1: Introducing Active Directory Domain Services

membersallcomputersthathaveaccountsinthedomain.Adomainalsoprovidesa centralizedauthenticationservice.Boththeidentitystore(theActiveDirectory database)andtheauthenticationservice,alongwithanumberofothercomponents andservices,arehostedonaserverperformingtheroleofadomaincontroller.

Active Directory, Identity, and Access

Asmentionedintheintroductionstothemoduleandthislesson,ActiveDirectory providestheIDAsolutionforenterprisenetworksrunningWindows.IDAisnecessary tomaintainthesecurityofenterpriseresourcessuchasfiles,email,applications,and databases.

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Active Directory IDA Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

FShandleandADDStrusts.ADFScannotmanageADDSdomainorforesttrusts. ADFSisextremelyusefulforextendingadirectory'sauthorityinbusinesstobusiness andpartnershipscenarios,aswellasforsupportingsinglesignonwebapplications.

Lesson 2: Active Directory Components and Concepts

Module 1: Introducing Active Directory Domain Services

Active Directory as a Database

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Active Directory Data Store

Module 1: Introducing Active Directory Domain Services

ActiveDirectoryalsostoresinformationinafolderstructurecalledSYSVOL.By default,thisfolderislocatedinthe%systemroot%folder(c:\windows).SYSVOL containsitemssuchaslogonscriptsandfilesrelatedtoGPOs.

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Demonstration: Active Directory Schema

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Onthevirtualmachine6425CNYCDC1,openD:\AdminTools\ADConsole.msc. ExpandtheActiveDirectorynode,andthenexpandtheActiveDirectory Schema[NYCDC1.contoso.com]node.

LookattheAttributescontainer.OpenthePropertiesofthefollowing. objectSID sAMAccountName(whatmostadminscalltheusername) unicodePwd member description

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services

Module 1: Introducing Active Directory Domain Services