Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=3&FontSize=3&FontType=segoe
07/06/13
Active Directory and its related services form the foundation for enterprise networks running Windows, as they store information on user identity, computers, and services, authenticate a user or a computer, and provide a mechanism for the user or the computer to access resources from the enterprise. In this module, you will explore Windows Server 2008 R2 Active Directory by installing the Active Directory Domain Services role and creating a domain controller in a new Active Directory forest. You will find that Windows Server 2008 R2 continues the evolution of Active Directory by enhancing many of the concepts and features with which you are already familiar. This module focuses on the creation of a new Active Directory forest with a single domain in a single DC. The lab in this module will guide you through the creation of a domain named contoso.com that you will use for all other labs in this course. In later
Objectives
After completing this module, you will be able to:
Describe the functionality of AD DS in an enterprise in relation to identity and access.
Describe the major components and concepts of AD DS.
Install AD DS and configure it as a domain controller.
AD DS provides the functionality of an identity and access (IDA) solution for enterprise networks. The lesson reviews key concepts of IDA and Active Directory.
Objectives
After completing this lesson, you will be able to:
Explain authentication and authorization concepts, terminologies, processes, and technologies.
Position the strategic role of a directory service in an enterprise in relation to identity and access.
Information Protection
Identity and Access (IDA). Users and other security principals, which may include computers, services, and groups, are named as identities (also called "accounts") that are given access (permissions) to information, resources, or systems.
Authentication, Authorization, and Accounting (AAA). Users provide a user name and password that are authenticated when their credentials are validated. Users are given permissions to resources (access control) that are used to authorize access requests. Access is monitored, providing accounting and auditing. In some documentation, auditing is split out as a separate "A" from accounting, leading to the acronym "AAAA."
Confidentiality, Integrity, and Availability (CIA). Information is protected to ensure that it is not disclosed to unauthorized individuals (confidentiality), is not modified incorrectly (integrity), intentionally or accidentally, and is available when needed (availability).
Authentication
Access Tokens
After user authentication, the Local Security Authority (LSA) generates a security access token (also called a security token or an access token) that represents the user to the system by collecting the user's SID and the SIDs of all groups to which the user belongs. The access token also represents privileges (also called user rights) held by the user on the system, such as the right to shut down the system or to log on to the system interactively (locally).
It is important to remember that the access token is generated and held locally on the computer that authenticated the user. When a user logs on to his or her desktop (local or interactive logon), the desktop creates a security token and, if the user has the right to log on to the system interactively, proceeds to invoke the Windows Explorer process, which creates the desktop.
When the user connects to a server to access a shared file (remote or network logon), the server authenticates the user and generates an access token on the server that represents the user with the user's SID and the SIDs of all groups to which that user belongs. The access token on the server is distinct from the access token on the user's desktop. An access token is never transmitted over the network, and the LSA of a Windows system would never accept the access token generated by another LSA. Of course, this should be the case because a user probably belongs to different local groups on the server than on the user's desktop, and almost certainly holds different privileges (user rights) on the server than on the desktop.
The security descriptor of a secured resource, such as a file or folder on an NTFS volume, fully describes the security characteristics of the resource. The security descriptor contains the DACL, which contains ACEs or "permissions." Each permission is made up of a flag that indicates whether the ACE is an Allow or Deny ACE, a trustee (the SID of a user or a group), and an access mask specifying a level of access. Therefore, the ACE defines who (the trustee represented by the SID) can or can't do what (represented by the access mask).
The security descriptor also contains the system access control list (SACL), which contains auditing settings, and attributes such as the object's owner. Because the DACL is the focus of most day-to-day security management activities for a resource, the name and acronym is often shortened. Therefore, the shortened access control list (ACL), while technically inaccurate, is used by many administrators and much documentation (including this course) to refer to the DACL.
Authorization
If no match is found, access is denied.
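The following is an added example and not part of the course material. It first collects the contents of the local access token the text describes (the user's SID plus the SIDs of every group in the token), then walks a file's DACL the way the access check does: explicit Deny ACEs come first in canonical order, an ACE only counts when its trustee SID is in the token, Allow ACEs accumulate the requested bits, and the default when nothing matches is to deny. The function names, the sample path, and the simplifications (owner rights, privileges such as SeBackupPrivilege, and generic-right mapping are not modelled) are this example's own assumptions. Requires Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the course): model the token-versus-DACL access check.

# 1. The access token: the user's SID first, then the SIDs of every group it holds.
function Get-TokenSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

# 2. Simplified model of the DACL walk (ACE order, trustee match, Deny before Allow).
#    Real checks also consider the owner, privileges and generic-right mapping.
function Test-DaclAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemRights]$Requested,
        [string[]]$TokenSids = (Get-TokenSids)
    )
    $acl = Get-Acl -Path $Path
    # Ask for the rules keyed by SID so they compare directly with the token.
    $rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $want    = [int]$Requested
    $granted = 0
    foreach ($ace in $rules) {
        # An ACE whose trustee is not in the token is skipped entirely.
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # A matching Deny that overlaps any requested bit ends the check.
            if (($mask -band $want) -ne 0) { return $false }
        } else {
            $granted = $granted -bor ($mask -band $want)
            # Stop as soon as every requested bit has been granted.
            if (($granted -band $want) -eq $want) { return $true }
        }
    }
    # No ACE (or not enough ACEs) matched: the default is to deny.
    return $false
}

# Usage (the path is an assumption; any existing file works):
# Get-TokenSids
# Test-DaclAccess -Path 'C:\Windows\notepad.exe' -Requested 'ReadData,ReadAttributes'
# Test-DaclAccess -Path 'C:\Windows\notepad.exe' -Requested 'Write'
```

Running `Get-TokenSids` on a workstation and then on a server while logged on as the same account shows different group lists, which is the point the text makes about a token being local to the computer that built it; `whoami /priv` lists the privileges (user rights) in the same token.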
the identities in the SAM. After a user has been authenticated and authorized for local logon, the Windows Explorer process is launched, which generates the familiar Windows desktop.
If the user wishes to access a shared folder on a server, there is an immediate problem: the server does not trust an identity presented to it, because the identity has been authenticated by an unknown and untrusted system. The server trusts only its own identity store, its own SAM. Therefore, for the user to remotely log on to the server, the server must have an identity (user account) for the user in its SAM. If the logon name and password for the identity are identical to the credentials of the identity on the workstation, the authentication process that occurs is transparent to the user. This type of authentication is called pass-through authentication. If, however, the logon names or passwords do not match, the user will be prompted to enter credentials that are valid for the server when the user attempts to connect to a shared resource.
The ACL on a secured resource on the server cannot contain permissions that refer to untrusted identities. Therefore, all users who require access to the resource must have accounts on the server.
This presents obvious management challenges. If the user changes his or her password on the desktop, the two accounts are no longer in sync, and the user will be prompted for credentials when connecting to the server. The problem only gets worse as you add more users, resources, and Windows systems to the environment.
The management challenges of maintaining multiple identities for each user quickly become untenable.
An IDA infrastructure should do the following:
Store information about users, groups, computers, and other identities. An identity is, as you've learned, a representation of an entity that will perform actions on the enterprise network. For example, a user will open documents from a shared folder on a server. You know that the document will be secured with permissions on an ACL. Access to the document is managed by the security subsystem of the server, which compares the identity of the user with the identities on the ACL to determine whether the user's request for access will be granted or denied. Computers, groups, services, and other objects also perform actions on the network, so they must be represented by identities. Among the information stored about an identity are properties that uniquely identify the object, such as a user name or an SID, and the password for the identity. The identity store is therefore one component of an IDA infrastructure. The Active Directory data store, also known as the directory, is an identity store. The directory itself is hosted on and managed by a domain controller, a server performing the AD DS role.
Authenticate an identity. The server will not grant access to the user unless the server verifies that the identity presented in the access request is valid. To validate the identity, the user provides secrets known only to the user and the IDA infrastructure. Those secrets are compared with the information in the identity store in a process called authentication.
In an Active Directory domain, a protocol called Kerberos is used to authenticate identities. When a user or a computer logs on to the domain, Kerberos authenticates the credentials and issues an information package called a ticket granting ticket (TGT). Before the user connects to the server to request the document, a Kerberos request is sent to a domain controller along with the TGT that serves to identify the authenticated user. The domain controller issues the user another information package called a service ticket that identifies the authenticated user to the server. The user presents the service ticket to the server, which accepts the service ticket as proof that the user has been authenticated.
These Kerberos transactions result in a single network logon or single sign-on. After the user or computer has initially logged on and has been granted a TGT, the user is authenticated within the entire domain and can be granted service tickets that identify the user to any service. All of this ticket activity is managed by the Kerberos clients and services built into Windows, and it is transparent to the user.
Control access. The IDA infrastructure is responsible for protecting confidential information such as the information stored in the document. Access to confidential information must be managed according to the enterprise policies. The ACL on the document reflects a security policy that contains permissions that specify access levels for particular identities. The security subsystem of the server in this example is performing the access control functionality in the IDA infrastructure.
Provide an audit trail. An enterprise may want to monitor changes to and activities within the IDA infrastructure, so it must provide a mechanism to manage auditing.
Each of these services plays a role in extending IDA to support more complex configurations and scenarios.
AD LDS
AD LDS is essentially a stand-alone version of Active Directory that applications access by using Lightweight Directory Access Protocol (LDAP).
AD LDS is the replacement for Active Directory Application Mode (ADAM). The name of the previous version of the tool indicates its purpose: AD LDS is designed to provide support for directory-enabled applications. It can be used for applications that require a directory store, but do not require the type of infrastructure provided by an Active Directory domain.
Each instance of AD LDS can have its own schema, configuration, and application partitions. This allows you to create a highly customized directory store without affecting your production IDA infrastructure, based on AD DS. Although AD LDS is not dependent on AD DS, in a domain environment, AD LDS can use AD DS authentication of Windows security principals, such as users, computers, and groups. AD LDS can be configured in a domain or non-domain environment, and it is even possible to run multiple instances on a single system, each with its own unique LDAP and Secure Sockets Layer (SSL) ports to ensure a secure connection with each instance.
AD CS
AD CS extends the concept of trust so that a user, computer, organization, or service can prove its identity outside or inside the border of your Active Directory forest. Certificates are issued from a certificate authority (CA). When a user, computer, or service uses a certificate to prove its identity, the client in the transaction must trust the issuing CA. A list of trusted root CAs, which includes VeriSign and Thawte, is maintained by Windows and updated as part of Windows Update.
The certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels such as the SSL example mentioned in the AD LDS section. Additionally, the certificates can be used for virtual private networks (VPNs), wireless security, and authentication, such as smart card logon.
AD CS provides technologies and tools that help create and manage a public key infrastructure (PKI). Although AD CS can be run on a stand-alone server, it is much more common and much more powerful to run AD CS integrated with AD DS, which can act as a certificate store and provide a framework to manage the lifetime of certificates: how they are obtained, renewed, and revoked.
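As an added example (not part of the course), the check a relying party performs when a certificate is presented as proof of identity: build the chain from the presented certificate up to a root and confirm that the root is in the Trusted Root Certification Authorities store the text refers to, with revocation checked for every link. The function name and the certificate path are this example's assumptions; it uses the .NET X509Chain class that Windows exposes.

```powershell
# Added example (not from the course): does this certificate chain to a root
# that this Windows system trusts? $CertPath is a DER or PEM .cer file.
function Test-TrustedChain {
    param([Parameter(Mandatory=$true)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation (CRL/OCSP) online for the whole chain, not just the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $trusted = $chain.Build($cert)

    # The last element of a built chain is the root; for $trusted to be $true it
    # must be present in the Trusted Root Certification Authorities store.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Trusted  = $trusted
        Root     = $root
        Problems = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage:
# Test-TrustedChain -CertPath 'C:\temp\server.cer'
# The root store itself can be listed through the certificate provider:
# Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter
```

A certificate issued by an enterprise CA that is integrated with AD DS normally passes this check on domain members because the CA's root certificate is published to their root stores; the same certificate presented to a machine outside the forest fails with an "untrusted root" status unless that machine trusts the CA too, which is exactly the trust boundary the text describes.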
AD RMS
AD RMS creates a framework with which you can ensure the integrity of information, both within and outside your organization.
In a traditional model of information protection, ACLs are used to define how information can be accessed. For example, a user may be given the Read permission to a document. However, there is nothing to prevent that user from performing any number of actions after that document is opened. The user can make changes to the document and save it in any location, print the document, or forward the document by email to a user who otherwise does not have Read permission to the document.
AD RMS addresses these and other such scenarios by enforcing information use policies. AD RMS accomplishes this by using licenses and encryption to protect information and by having rights management-enabled applications that can consume the licenses, create usage policies, open protected content, and enforce usage policies.
AD FS
AD FS allows an organization to extend the authority of the directory service for authenticating users across multiple organizations, platforms, and network environments.
The traditional Windows domain trust relationship creates a trust in which the trusting domain allows the trusted domain to authenticate users, but the result is that all users in the trusted domain are trusted. Moreover, to maintain a trust, several firewall exceptions must be made that are not agreeable to many organizations and certainly not suitable for supporting Web-facing applications. To overcome this problem, AD FS can be configured to maintain trusts by using common ports such as 80 and 443. It is important to know the difference between federation trusts that AD
Modules 2-14 of this course describe the installation, configuration, management, and troubleshooting of AD DS. It is worthwhile to first gain an overview of the components, technologies, and concepts related to Active Directory.
Objectives
After completing this lesson, you will be able to:
Identify the major components of AD DS.
Active Directory is ultimately a database of enterprise resources and configuration. A suite of services supports the database and uses the information in it to provide enterprise identity and access. In database terminology, each record in the Active Directory database is an Active Directory object, such as a user, group, or computer. Each field is an attribute, also called a property, of an object. Attributes include the object's name, password, description, membership, or SID.
Security principals, also called accounts, are specific types of objects in AD DS. Security principals have several unique attributes; the most important of them is the SID. The SID is used, as you learned in the previous lesson, to assign resource access to the account.
In the previous lesson, you focused on only one security principal: users. However, it is easier to manage resource access when you assign permissions to a group. There is a class of group object called a security group, which is also a security principal.
Computers in a domain are also security principals. In fact, the computer object is very similar to a user object: it has a logon name and password that the computer uses to authenticate with the domain at startup.
Finally, there is a class of objects called inetOrgPerson. This object class is used in very specific situations to support interoperability with a handful of third-party directory services. inetOrgPerson is also a security principal and is similar to a user account.
The Active Directory database is supported and used by a number of services,
As mentioned in the previous lesson, AD DS stores its identities in the directory, a data store hosted on domain controllers. The directory is a single file named ntds.dit, and it is located by default in the %systemroot%\ntds folder on a domain controller. The database is divided into several partitions, which will be detailed in later modules. The partitions include:
Schema. Defines the attributes and types of objects that can be stored in the directory.
Domain naming context (Domain NC). An important partition for day-to-day administration, because it contains the data about objects within a domain: the users, groups, and computers. When you make changes to Active Directory by using the Active Directory Users and Computers snap-in, you are modifying the contents of the Domain NC.
Configuration. Contains information about domains, services, and topology.
DNS. If you use Active Directory-integrated DNS, the DNS zones and resource records are stored in a partition.
Partial Attribute Set (PAS). This partition is used by the Global Catalog, which is detailed in a later topic in this lesson, and in Module 12.
Domain Controllers
In addition to availability, you must ensure that domain controllers are secure. In addition to physical security (such as placing domain controllers in secure data centers), there are two options to improve security:
Server Core. You can install Windows Server 2008 R2 by using the Server Core installation option. This installs a minimal configuration of Windows Server 2008 R2 that features a Command Prompt user interface, rather than Windows Explorer. You will install a Server Core DC in the Lab for Module 11.
Read-Only Domain Controllers (RODCs). RODCs facilitate user authentication in less secure environments, such as branch offices, by caching credentials only for those users. Passwords for other users are not replicated to the RODC. Additionally, the RODC does not allow changes to be made to Active Directory, reducing the vulnerability of the AD DS domain to accidental or intentional damage at a less secure site. RODCs are detailed in Module 10.
In this demonstration, your instructor will introduce you to the role and structure of the schema by giving you a tour of the Active Directory schema.
The schema is often compared with a blueprint for Active Directory. It defines the attributes and types of objects that can be stored in the directory. For example, the schema determines the fact that Active Directory can have user objects, and that user objects are required to have a logon name and optionally an email address. If you need to create some additional attributes or properties for the user object, you must extend the schema. However, you should not extend the schema without a good reason because this operation is not reversible. Also, do not edit the schema manually, but edit it only through automated procedures initiated by applications that need schema extension, such as Exchange Server.
The schema has two primary containers. The Attributes container holds definitions of every attribute supported by Active Directory. You can open the attributes for properties with which you are already familiar:
objectSID. Security identifier.
sAMAccountName. The pre-Windows 2000 Server logon name, which most administrators refer to as the "user name."
unicodePwd. This attribute stores a password as a hash code that results from a one-way function. You cannot read or derive the actual password from this attribute without performing some kind of brute force dictionary attack (hacking).
member. The attribute that stores the membership list for a group object.
Demonstration Steps
1.
2.
3.
Open the Classes container. While scrolling through, notice familiar object classes, including user, computer, and group.
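The partition list in the data store topic and the schema attributes in the demonstration above can both be read straight from a domain controller with the ADSI provider. The following is an added example and not part of the course: it reads the naming contexts a DC advertises in RootDSE and maps them onto the partition names used in the text, looks up the attributeSchema objects for objectSid, sAMAccountName, unicodePwd and member, and confirms that unicodePwd, although defined in the schema, is never returned to an LDAP reader. The function names are this example's own; it assumes a domain-joined machine, a reachable domain controller, and Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the course): partitions from RootDSE and attribute
# definitions from the Schema partition.

function Get-DirectoryPartitions {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext
    foreach ($nc in $rootDse.namingContexts) {
        $nc = [string]$nc
        # Map each naming context onto the partition names used in the text.
        $kind = if     ($nc -like 'CN=Schema,*')        { 'Schema' }
                elseif ($nc -like 'CN=Configuration,*') { 'Configuration' }
                elseif ($nc -like 'DC=DomainDnsZones,*' -or $nc -like 'DC=ForestDnsZones,*') { 'DNS (application partition)' }
                elseif ($nc -eq $defaultNc)             { 'Domain NC' }
                else                                    { 'Other application partition' }
        [pscustomobject]@{ Partition = $kind; DistinguishedName = $nc }
    }
}

function Get-SchemaAttributeInfo {
    param([string[]]$Name = @('objectSid', 'sAMAccountName', 'unicodePwd', 'member'))
    $schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"
    foreach ($attr in $Name) {
        $filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schema, $filter
        [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'attributeSyntax', 'isSingleValued', 'isMemberOfPartialAttributeSet'))
        $result = $searcher.FindOne()
        if ($null -eq $result) { continue }
        $p = $result.Properties
        [pscustomobject]@{
            Attribute       = $attr
            SchemaObject    = [string]$p['cn'][0]
            SyntaxOid       = [string]$p['attributesyntax'][0]
            SingleValued    = [bool]$p['issinglevalued'][0]
            # TRUE means the attribute is replicated to every Global Catalog server.
            InGlobalCatalog = ($p['ismemberofpartialattributeset'].Count -gt 0) -and [bool]$p['ismemberofpartialattributeset'][0]
        }
    }
}

# unicodePwd is defined in the schema but is not readable over LDAP.
function Test-PasswordAttributeReadable {
    param([string]$SamAccountName = $env:USERNAME)
    $user = ([ADSISEARCHER]"(sAMAccountName=$SamAccountName)").FindOne()
    if ($null -eq $user) { throw "No object named $SamAccountName" }
    # Returns False even for a domain administrator: the DC never sends it.
    $user.Properties.Contains('unicodepwd')
}

# Usage:
# Get-DirectoryPartitions | Format-Table -AutoSize
# Get-SchemaAttributeInfo  | Format-Table -AutoSize
# Test-PasswordAttributeReadable
```

The partition list is the same set of naming contexts that appear under the Schema, Configuration, Domain, and DomainDnsZones/ForestDnsZones headings in the text; the `InGlobalCatalog` column is the link to the partial attribute set discussed under Global Catalog later in this lesson.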
Organizational Units
computer accounts and groups. File and printer shares that are published to AD DS also are found in OUs.
Delegate administrative control. You can assign either complete administrative control, such as the Full Control permission, over all objects in the OU or limited administrative control, such as the ability to modify email information, over user objects in the OU. To delegate administrative control, you assign specific permissions on the OU and the objects that the OU contains for one or more users and groups.
Simplify the management of commonly grouped resources. Using OUs, you can create containers in a domain that represent the hierarchical or logical structures in your organization. Then, you can use Group Policy settings to manage the configuration of user and computer settings based on your organizational model.
your organization may have multiple offices, and each office might have a set of administrators responsible for managing user and computer accounts in the office. Also, each office may have different departments with different computer configuration requirements. In this situation, you could create an OU for that office that is used to delegate administration and a department OU inside the office OU to assign desktop configurations.
Although there is no technical limit to the number of levels in your OU structure, for the purpose of manageability, limit your OU structure to a depth of no more than 10 levels, while most organizations use 5 or fewer levels to simplify administration. Note that Active Directory-enabled applications might have restrictions on the number of characters used in the distinguished name (the full LDAP path to the object in the directory) or on the OU depth within the hierarchy.
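An added example (not from the course) that measures the two limits the text mentions, OU depth and distinguished-name length, from a distinguished name. Distinguished names may contain escaped commas inside a value (for example a surname-first CN), so the splitter only breaks on commas that are not preceded by a backslash. The sample DNs are constructed for illustration, the 10-level threshold is the guideline from the text, and the function names are this example's own.

```powershell
# Added example (not from the course): OU depth and DN length of a distinguished name.

function Split-DistinguishedName {
    param([Parameter(Mandatory=$true)][string]$DN)
    # Split on commas that are not escaped with a backslash (RFC 4514 escaping),
    # so "CN=Smith\, Bob" stays one RDN.
    $DN -split '(?<!\\),' | ForEach-Object { $_.Trim() }
}

function Get-OuDepth {
    param([Parameter(Mandatory=$true)][string]$DN, [int]$MaxRecommended = 10)
    $rdns  = Split-DistinguishedName -DN $DN
    $depth = @($rdns | Where-Object { $_ -match '^OU=' }).Count   # -match is case-insensitive
    [pscustomobject]@{
        DN       = $DN
        OuDepth  = $depth
        DnLength = $DN.Length
        TooDeep  = ($depth -gt $MaxRecommended)
    }
}

# Constructed sample DNs: a typical user, a CN with an escaped comma, and a
# 12-level OU path that exceeds the guideline.
$sampleDns = @(
    'CN=Alice Doe,OU=Users,OU=Seattle,DC=contoso,DC=com',
    'CN=Smith\, Bob,OU=Sales,OU=Finance,OU=Floor 3,OU=Seattle,DC=contoso,DC=com',
    ('CN=Deep,' + ((1..12 | ForEach-Object { "OU=Level$_," }) -join '') + 'DC=contoso,DC=com')
)
$sampleDns | ForEach-Object { Get-OuDepth -DN $_ } | Format-Table OuDepth, DnLength, TooDeep, DN -AutoSize

# Against a live domain, the same check over every OU, deepest first:
# ([ADSISEARCHER]'(objectClass=organizationalUnit)').FindAll() |
#     ForEach-Object { Get-OuDepth -DN ([string]$_.Properties['distinguishedname'][0]) } |
#     Sort-Object OuDepth -Descending | Select-Object -First 10
```

For the three constructed DNs the depths are 2, 4 and 12, and only the last is flagged as exceeding the guideline.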
Domain
One or more domain controllers are required to create an Active Directory domain. A domain is an administrative unit within which certain capabilities and characteristics are shared. First, all domain controllers replicate the domain's partition of the data store, which contains, among other things, the identity data for the domain's users, groups, and computers. Because all DCs maintain the same identity store, any DC can authenticate any identity in a domain.
In addition, a domain is a scope of administrative policies such as password complexity and account lockout policies. Such policies that are configured in one domain affect all accounts in the domain and do not affect accounts in other domains.
Forest
A forest is a collection of one or more Active Directory domains. The first domain installed in a forest is called the forest root domain. A forest contains a single definition of network configuration and a single instance of the directory schema. In other words, each domain controller in a forest replicates the Configuration and Schema partitions, and these two partitions are the same for each domain in the forest. In other words, you cannot have more than one schema or configuration in a forest. The forest root domain also contains forest-wide administrative accounts such as Enterprise Admins and Schema Admins. Enterprise Admins has administrative privileges in every domain in the forest, and can also edit the forest structure, such as adding or removing domains, extending the schema, and so on.
A forest is a single instance of the directory; no data is replicated by Active Directory outside the boundaries of the forest. Therefore, the forest defines both a replication and a security boundary.
Tree
The Domain Name System namespace of domains in a forest creates trees within the forest. If a domain is a subdomain of another domain, the two domains are considered a tree. For example, if the treyresearch.net forest contains two domains, treyresearch.net and antarctica.treyresearch.net, the domains constitute a contiguous portion of the DNS namespace, so they are a single tree. If, on the other hand, the two domains are treyresearch.net and proseware.com, which are not contiguous in the DNS namespace, the forest is considered to have two trees. Trees are the direct result of DNS names chosen for domains in the forest.
The slide illustrates an Active Directory forest for Trey Research, which maintains a small operation at a field station in Antarctica. Because the link from Antarctica to the headquarters is expensive, slow, and unreliable, Antarctica is configured as a separate
Replication
Replication services distribute directory data across a network. This includes both the data store and the data required to implement policies and configuration, including logon scripts. Active Directory maintains a separate partition of the data store named Configuration, which maintains information about network configuration, topology, and services.
Active Directory uses multimaster replication to synchronize directory information. True multimaster replication can be contrasted with other directory services that use a master-subordinate approach to updates, where all updates must be made to the master copy of the directory and then replicated to the subordinate copies. The master-subordinate system is adequate for a directory that has a small number of copies and for an environment where the changes can be applied centrally. But this approach does not scale beyond small-sized organizations, and it does not address the needs of decentralized organizations. In Active Directory, no one domain controller is the master. Instead, all domain controllers within a domain are equivalent. Changes can be made to any domain controller, unlike a single-master system, where changes must be made to one server. In the single-master system, the primary server replicates the updated information to all other directory servers in the domain.
With multimaster replication, it is not necessary for each domain controller to replicate to every other domain controller. Instead, the system implements a robust set of connections that determines which domain controllers replicate to which other domain controllers. This ensures that networks are not overloaded with replication traffic and
Sites
service utilization. You can also treat a site as a logical interpretation of your physical network.
Domain controllers within a site replicate changes within seconds. Changes are replicated between sites on a controlled basis with the assumption that intersite connections are slower, more expensive, or less reliable than the connections within a site. By defining sites, you are telling Active Directory that you have domain controllers in various physical locations, and that replication between these locations is performed over slower links.
In addition, clients will prefer to use distributed services from servers in their site or the closest site. For example, when a user logs on to the domain, the Windows client first attempts to authenticate with a domain controller in its site. Only if no domain controller is available in the site will the client attempt to authenticate with a DC in another site.
Global Catalog
Several components and technologies enable you to query Active Directory and locate objects in the data store. A partition of the data store called the Global Catalog, which is also known as the PAS, contains information about every object in the directory. It is a type of index that can be used to locate objects in the directory. The Global Catalog is the set of all objects in an AD DS forest. A Global Catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. The partial, read-only copies of objects that make up the global catalog are described as "partial" because they include a limited set of attributes that are required by the schema in addition to the attributes that are most commonly used in user search operations. This is particularly important if you are searching for objects in another domain within a forest. Because the domain controllers in your domain will not contain information about objects in other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all objects in other domains.
Functional Levels
become available to AD DS. For example, when the domain functional level is raised to Windows Server 2008, a new attribute becomes available that reveals the last time a user successfully logged on to a computer, the computer to which the user last logged on, and the number of failed logon attempts since the last logon. If you raise the forest functional level to Windows Server 2008 R2, you will get the Active Directory Recycle Bin feature, which provides the ability to restore deleted objects from AD DS. The important thing to know about functional levels is that they determine the versions of Windows permitted on domain controllers. Before you raise the domain functional level to Windows Server 2008 R2, all domain controllers must be running Windows Server 2008 R2. Also, to raise the forest functional level to Windows Server 2008 R2, all domains in a forest must be at the Windows Server 2008 R2 functional level.
In the Windows Server 2008 environment, you can still use the Windows 2000 Server native functional level, while the minimum supported functional level for Windows Server 2008 R2 is Windows Server 2003.
Active Directory and DNS are closely integrated. First, there is a one-to-one relationship between a DNS name and an Active Directory domain. Second, there is a complete reliance on DNS to locate computers and services within the domain. Third, it is very common to configure domain controllers to also serve as DNS servers. When you do this, you have the option to store DNS data, called a zone, in Active Directory itself.
The Active Directory data store can also be used to support applications and services not directly related to AD DS. Within the database, application partitions can store data to support applications that require replicated data. The DNS service on a Windows Server 2008 server can store its information in a database called an Active Directory-integrated zone, which is maintained as an application partition in AD DS and replicated by using Active Directory replication services.
Trust Relationships
The same concept can be extended to other domains. A domain can authenticate users from another domain and can allow those users to be assigned access to resources in the domain. This is done by establishing a domain trust relationship.
In a trust relationship, the trusting domain extends its realm of trust so that it trusts the identity store and authentication services of the trusted domain. User accounts in the trusted domain can be authenticated, and the SIDs of user accounts in the trusted domain can be added to ACLs in the trusting domain.
Within a forest, each domain trusts every other domain. You must manually establish trust relationships between the domains that are in different forests and between forests themselves.
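The forest, tree, site, functional level and trust concepts from the preceding topics can all be read from a live forest with the System.DirectoryServices.ActiveDirectory classes. The following is an added example and not part of the course: it reports the forest and its functional level, walks the domains and shows which ones start a tree (no parent) and which continue a parent's DNS namespace, and lists trusts, including the automatic parent-child and tree-root trusts inside the forest alongside any manually created external or forest trusts. The function names are this example's own; it assumes a domain-joined machine, a domain user account, and Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the course): forest, trees, sites, functional levels and trusts.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestSummary {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    [pscustomobject]@{
        Forest           = $forest.Name
        RootDomain       = $forest.RootDomain.Name
        ForestMode       = $forest.ForestMode                 # forest functional level
        SchemaMaster     = $forest.SchemaRoleOwner.Name
        Sites            = @($forest.Sites | ForEach-Object { $_.Name }) -join ', '
        ThisComputerSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
        GlobalCatalogs   = @($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', '
    }
}

function Get-DomainTree {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # A domain with no parent starts a tree; a child domain continues its
        # parent's contiguous DNS namespace (e.g. antarctica.treyresearch.net).
        $parent = if ($null -ne $domain.Parent) { $domain.Parent.Name } else { '(tree root)' }
        [pscustomobject]@{
            Domain      = $domain.Name
            Parent      = $parent
            DomainMode  = $domain.DomainMode                # domain functional level
            PdcEmulator = $domain.PdcRoleOwner.Name
        }
    }
}

function Get-TrustSummary {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Trusts between this forest and other forests ...
    $trusts = @($forest.GetAllTrustRelationships())
    # ... plus each domain's trusts, which include the automatic parent-child
    # and tree-root trusts created inside the forest.
    foreach ($domain in $forest.Domains) { $trusts += @($domain.GetAllTrustRelationships()) }
    foreach ($t in $trusts) {
        [pscustomobject]@{
            Source    = $t.SourceName      # for an Outbound trust, Source is the trusting side
            Target    = $t.TargetName      # and Target is the trusted side
            Direction = $t.TrustDirection  # Inbound, Outbound or Bidirectional
            Type      = $t.TrustType       # ParentChild, TreeRoot, External, Forest, ...
        }
    }
}

# Usage:
# Get-ForestSummary
# Get-DomainTree   | Format-Table -AutoSize
# Get-TrustSummary | Format-Table -AutoSize
```

In a single-domain forest such as the contoso.com lab forest, `Get-DomainTree` returns one tree root and `Get-TrustSummary` returns nothing until a trust to another forest is created; the same commands run in a multi-domain forest show the automatic intra-forest trusts the text describes.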
This lesson discusses how to install AD DS and how to configure a domain controller.

Objectives

After completing this lesson, you will be able to:
- Understand the requirements for installing a domain controller to create a new forest.
- Configure a domain controller with the AD DS role by using the Windows interface.
To install and configure a Windows Server 2008 R2 domain controller, you must first install the AD DS role by using Server Manager. This adds the files and registry components necessary for the server to later become a domain controller. But adding the role does not actually configure and enable the server as a domain controller. That step is performed by running the Active Directory Domain Services Installation Wizard, which is also known as DCPromo because the wizard can be launched by using the dcpromo.exe command. The Active Directory Domain Services Installation Wizard takes you through the process of selecting the deployment configuration, adding additional domain controller features such as the DNS role, specifying the location for Active Directory files, and configuring the Directory Services Restore Mode Administrator password, which is used when restoring Active Directory from a backup, as you'll learn in Module 14.
called a NetBIOS name. NetBIOS is a network protocol that has been in use since the first versions of Windows NT. It is still used by some legacy applications.
- Whether the domain will need to support domain controllers running previous versions of Windows. When you create a new Active Directory forest, you will configure the functional level. If the domain will include only Windows Server 2008 R2 domain controllers, you can set the functional level accordingly to benefit from the enhanced features introduced by this version of Windows.
- Details for how DNS will be implemented to support Active Directory. It is a best practice to implement DNS for your Windows domain zones by using the Windows DNS Service, as you will learn in Module 9. However, it is possible to support a Windows domain on a third-party DNS service.
- IP configuration for the domain controller. Domain controllers require static IP addresses and subnet mask values. Additionally, the domain controller must be configured with a DNS server address to perform name resolution. If you create a new forest and run the Windows DNS Service on the domain controller, you can configure the DNS address to point to the server's own IP address. After DNS is installed, verify that the server can resolve DNS names.
- The user name and password of an account in the server's Administrators group. The account must have a password; the password cannot be blank.
- The location in which the data store (including ntds.dit) and system volume (SYSVOL) should be installed. By default, these stores are created in %systemroot%, such as C:\Windows, in the NTDS and SYSVOL folders, respectively. When creating a domain controller, you can redirect these stores to other drives.
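Most of the requirements in this list can be verified before you start the wizard, which is cheaper than discovering them on the Summary page. The script below is an added example, not part of the course; it uses WMI and .NET classes that are present on Windows Server 2008 R2 without additional modules. The NetBIOS name CONTOSO and the default NTDS and SYSVOL paths are assumptions taken from the lab; pass other values if your plan differs.

```powershell
# Added example: pre-flight checks for the domain controller requirements listed
# above, run on the server that is about to be promoted.

function Test-DcPromoPrerequisites {
    param(
        [string]$DomainNetBiosName = 'CONTOSO',                       # assumption: lab name
        [string]$DatabasePath      = (Join-Path $env:SystemRoot 'NTDS'),
        [string]$SysvolPath        = (Join-Path $env:SystemRoot 'SYSVOL')
    )
    $findings = @()

    # Static IP address and a DNS server address on every IP-enabled adapter.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($a in $adapters) {
        if ($a.DHCPEnabled) {
            $findings += "Adapter '$($a.Description)' gets its address from DHCP; a DC needs a static IP."
        }
        if (-not $a.DNSServerSearchOrder) {
            $findings += "Adapter '$($a.Description)' has no DNS server address; name resolution would fail."
        }
    }

    # NetBIOS domain names are limited to 15 characters.
    if ($DomainNetBiosName.Length -gt 15) {
        $findings += "NetBIOS name '$DomainNetBiosName' is longer than 15 characters."
    }

    # The account running the promotion must be a local administrator (and the
    # session must be elevated, otherwise the administrator role is not present).
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { $findings += "$($id.Name) is not running as a local administrator." }

    # The volumes for the database and SYSVOL must exist and be NTFS.
    foreach ($p in @($DatabasePath, $SysvolPath)) {
        $root = [IO.Path]::GetPathRoot($p)
        $vol  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($root.TrimEnd('\'))'"
        if (-not $vol) {
            $findings += "Volume $root for $p does not exist."
        } elseif ($vol.FileSystem -ne 'NTFS') {
            $findings += "Volume $root for $p is $($vol.FileSystem); NTFS is required."
        }
    }

    if ($findings.Count -eq 0) { 'All prerequisite checks passed.' } else { $findings }
}

Test-DcPromoPrerequisites
```

Run it in the same elevated session you will use for dcpromo, so that the administrator check reflects the account that will actually perform the promotion.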
Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-SVR-D, and in the Actions pane, click Start.
Lab Scenario

You have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you need to improve the manageability and security of the company's resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.
In the Initial Configuration Tasks window, change the time zone so that it is appropriate for your location.

In the Initial Configuration Tasks window, rename the server to HQDC01. Do not restart the server now.

Click Yes. The computer restarts.

Results: In this exercise, you configured a server named HQDC01 in the correct time zone, and with the IP configuration specified in Task 4.
Windows Interface

Now that you have prepared the server with an appropriate name and IP configuration, you are ready to configure HQDC01 as a domain controller. In this exercise, you will add the AD DS role and create the forest and domain by promoting HQDC01 to be the first domain controller in the contoso.com forest.

The main tasks for this exercise are as follows:
1. Add the Active Directory Domain Services role to HQDC01.
2. Configure a new Windows Server 2008 R2 forest named contoso.com with HQDC01 as the first domain controller.
3. Examine the default configuration of the contoso.com forest and domain. (Optional)
Task 2: Configure a new Windows Server 2008 R2 forest named contoso.com with HQDC01 as the first domain controller.
1. In Server Manager, expand the Roles node in the tree pane, and then select Active Directory Domain Services.
2. Click the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) link. The Active Directory Domain Services Installation Wizard appears.
3. On the Welcome page, click Next.
4. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
5. On the Choose a Deployment Configuration page, select Create a new domain in a new forest, and then click Next.
6. On the Name the Forest Root Domain page, type contoso.com, and then click Next. The system checks to ensure that the DNS and NetBIOS names are not already in use on the network.
7. On the Set Forest Functional Level page, click Windows Server 2008, and then click Next. Each of the functional levels is described in the Details box. Choosing the Windows Server 2008 forest functional level ensures that all domains in the forest operate at the Windows Server 2008 domain functional level, which enables several new features provided by Windows Server 2008. In a production environment, you would choose the Windows Server 2008 R2 forest functional level if you require the features of the Windows Server 2008 R2 functional level and if you will not add any domain controllers running operating systems prior to Windows Server 2008 R2.
8. On the Set Domain Functional Level page, click Windows Server 2008, and then click Next. The Additional Domain Controller Options page appears.
9. DNS Server is selected by default. The Active Directory Domain Services Installation Wizard will create a DNS infrastructure during the AD DS installation. The first domain controller in a forest must be a global catalog server and cannot be a read-only domain controller (RODC). Click Next. A warning message states that a delegation for the DNS server cannot be created. In this exercise, you can ignore the warning; delegations of DNS domains will be discussed later in this course. Click Yes to close the Active Directory Domain Services Installation Wizard warning message.
10. On the Location for Database, Log Files, and SYSVOL page, accept the default locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. The best practice in a production environment is to store these files on three separate volumes that do not contain applications or other files not related to AD DS. This design improves performance and increases the efficiency of backup and restore.
11. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd in both the Password and Confirm Password boxes. Click Next. In a production environment, you should use a strong password for the Directory Services Restore Mode Administrator. Do not forget the password you assign to the Directory Services Restore Mode Administrator; it is a separate local credential on the domain controller, so record and protect it as you would any other privileged credential.
12. On the Summary page, review your selections. If any settings are incorrect, click Back to make modifications.
13. Click Next. Configuration of AD DS begins. After several minutes of configuration, the Completing the Active Directory Domain Services Installation Wizard page appears.
14. Click Finish.
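The same promotion can be performed without the wizard, which is how you would script it for repeatable builds. The script below is an added example and not part of the course lab; it reproduces the choices made in the steps above (new forest contoso.com, Windows Server 2008 forest and domain functional levels, DNS Server installed, no DNS delegation, default file locations) by adding the role with the ServerManager module and running dcpromo.exe with an unattended answer file. It assumes it is run in an elevated session as a local administrator on the server to be promoted; the CONTOSO NetBIOS name and the answer-file path are assumptions. Because the answer file carries the DSRM password in clear text, the script prompts for the password at run time, writes the file only for the duration of the promotion, and deletes it before restarting.

```powershell
# Added example: unattended equivalent of the Task 2 wizard steps.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services        # Task 1 equivalent: adds the role only

# Read the DSRM password interactively instead of hard-coding it in the script.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode Administrator password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel / DomainLevel: 0 = Windows 2000, 2 = Windows Server 2003,
# 3 = Windows Server 2008, 4 = Windows Server 2008 R2 (lab uses 3, as in step 7).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="%SystemRoot%\NTDS"
LogPath="%SystemRoot%\NTDS"
SYSVOLPath="%SystemRoot%\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'   # assumption: temporary location
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    dcpromo.exe /unattend:$answerFile
    "dcpromo exit code: $LASTEXITCODE (details in $env:SystemRoot\debug\dcpromo.log)"
} finally {
    # The answer file holds the DSRM password in clear text; remove it regardless
    # of whether the promotion succeeded, then clear the plaintext copy in memory.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

# Promotion takes effect only after a restart, which the answer file deferred so
# that the clean-up above runs first.
Restart-Computer -Confirm
```

Check %SystemRoot%\debug\dcpromo.log before restarting if the exit code is unexpected; it records every step the wizard would have shown on screen.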
Task 3: Examine the default configuration of the contoso.com forest and domain. (Optional)
1. Log on to HQDC01 as Contoso\Administrator with the password Pa$$w0rd. The Windows desktop appears and, after a moment, Server Manager opens.
2. Expand the Roles node in the tree pane, and expand the Active Directory Domain Services node.
3. Expand Active Directory Users and Computers and the contoso.com domain node.
5. Click the Builtin container. The groups you see are shared by and available to domain controllers, but not to member servers or workstations. For example, members of the Backup Operators group can perform backup and restore tasks on domain controllers only, and the Administrators group in the Builtin container represents the administrators of all domain controllers.
6. Click the Computers container. Notice that it is empty. This is the default container for member servers and workstations.
7. Click the Domain Controllers organizational unit (OU). This is the OU into which domain controllers are placed. The computer object for HQDC01 appears in this OU.

Results: In this exercise, you configured a single-domain forest named contoso.com with a single domain controller named HQDC01.
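The same inspection can be captured as a baseline with the Active Directory module that ships with Windows Server 2008 R2, which is more useful than clicking through the console once because it can be re-run and compared later. The script below is an added example, not the course's own procedure; it assumes it is run on HQDC01 (or on a computer with the remote administration tools) as a domain administrator. It records the functional levels, the contents of the Domain Controllers OU and the Computers container, and the membership of the Builtin groups that the text singles out as administrators of domain controllers. Backup Operators is included deliberately: a member can back up, and therefore read, the directory database.

```powershell
# Added example: record the default configuration of a freshly created forest.
Import-Module ActiveDirectory

function Get-NewForestBaseline {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Builtin groups whose members can administer domain controllers.
    $privileged = 'Administrators', 'Backup Operators', 'Server Operators', 'Account Operators'
    $membership = foreach ($g in $privileged) {
        # -Recursive expands nested groups (Domain Admins, Enterprise Admins, ...)
        # down to the accounts that actually hold the privilege.
        foreach ($m in @(Get-ADGroupMember -Identity $g -Recursive)) {
            New-Object PSObject -Property @{
                Group  = $g
                Member = $m.SamAccountName
                Class  = $m.objectClass
            }
        }
    }

    New-Object PSObject -Property @{
        Domain             = $domain.DNSRoot
        DomainMode         = $domain.DomainMode
        ForestMode         = $forest.ForestMode
        # Domain controllers are placed in the Domain Controllers OU by dcpromo.
        DomainControllers  = @(Get-ADComputer -Filter * -SearchBase $domain.DomainControllersContainer |
                               ForEach-Object { $_.Name })
        # Member servers and workstations land here by default; empty on a new forest.
        ComputersContainer = @(Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
                               ForEach-Object { $_.Name })
        PrivilegedMembers  = @($membership)
    }
}

$baseline = Get-NewForestBaseline
$baseline | Format-List Domain, DomainMode, ForestMode, DomainControllers, ComputersContainer
$baseline.PrivilegedMembers | Sort-Object Group, Member | Format-Table Group, Member, Class -AutoSize
```

On a forest created as in this lab, the Domain Controllers list contains only HQDC01, the Computers container is empty, and Administrators resolves to the built-in Administrator account alone. Any later difference in the privileged-members table is worth explaining.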
The main tasks for this exercise are as follows:
1. Raise the domain functional level to Windows Server 2008 R2.
2. Raise the forest functional level to Windows Server 2008 R2.

Task 1: Raise the domain functional level to Windows Server 2008 R2.
1. If necessary, log on to HQDC01 as Contoso\Administrator with the password of Pa$$w0rd.

Task 2: Raise the forest functional level to Windows Server 2008 R2.
1. In the Active Directory Domains and Trusts console, raise the forest functional level to Windows Server 2008 R2.
2. Close Active Directory Domains and Trusts.

Results: In this exercise, you raised the domain and forest functional levels to Windows Server 2008 R2.
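Both tasks can also be done with the Active Directory module, and scripting them makes it easy to enforce the precondition stated in Exercise 2: do not raise to Windows Server 2008 R2 if any domain controller in the forest runs an earlier operating system. The script below is an added example, not the course's own procedure; it assumes it is run as a member of Enterprise Admins on a computer with the Active Directory module. Raising a level is not something you should plan to reverse, so the cmdlets are left to prompt for confirmation as the console does.

```powershell
# Added example: raise domain and forest functional levels to Windows Server 2008 R2
# only after verifying that every DC in the forest runs Windows Server 2008 R2.
Import-Module ActiveDirectory

function Get-DomainControllerOsReport {
    # One row per domain controller in every domain of the forest.
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Select-Object @{ n = 'Domain'; e = { $d } }, Name, OperatingSystem, IsGlobalCatalog
    }
}

function Invoke-RaiseTo2008R2 {
    param([string]$Forest = (Get-ADForest).Name)

    $older = @(Get-DomainControllerOsReport | Where-Object { $_.OperatingSystem -notmatch '2008 R2' })
    if ($older.Count -gt 0) {
        Write-Warning 'Not raising: the following domain controllers are not Windows Server 2008 R2.'
        $older | Format-Table -AutoSize | Out-String | Write-Warning
        return
    }

    # Every domain must be at the target domain level before the forest level can follow.
    foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        Set-ADDomainMode -Identity $d -DomainMode Windows2008R2Domain
    }
    Set-ADForestMode -Identity $Forest -ForestMode Windows2008R2Forest

    Get-ADForest -Identity $Forest | Select-Object Name, ForestMode
    foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode
    }
}

Invoke-RaiseTo2008R2
```

The final two queries are the verification step: they read the levels back from the directory rather than trusting that the cmdlets succeeded silently.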
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
3. In the Revert Virtual Machine dialog box, click Revert.
Review Questions

1. What is the main difference between authentication and authorization?
2. Why is the global catalog important in a multi-domain environment?
3. Which tools can you use to install AD DS?
Issue                                                                        | Troubleshooting Tip
-----------------------------------------------------------------------------|--------------------
The Dcpromo wizard cannot perform the installation of AD DS                  |
You cannot start dcpromo.exe                                                 |
You cannot raise the forest to the Windows Server 2008 R2 functional level   |

Tools

Tool                        | Use for                                                            | Where to find it
----------------------------|--------------------------------------------------------------------|------------------------------------------------------------------------
Server Manager              | Adding the AD DS role                                              | Administrative Tools
Initial Configuration Tasks | Performing post-installation tasks on Windows Server 2008 R2       | Type Oobe.exe in the Run window
Dcpromo.exe                 | Running the Active Directory Domain Services Installation Wizard   | Type dcpromo.exe in the Run window or use Server Manager to run the tool