1-1
Module 1
Implementing Active Directory Domain Services
Contents:
Lesson 1: Installing Active Directory Domain Services (page 1-3)
Lesson 2 (page 1-14)
Lesson 3 (page 1-22)
Lab (page 1-29)
Module Overview
Lesson 1: Installing Active Directory Domain Services
Windows Server 2008 provides several ways to install and configure Active Directory Domain Services. This lesson describes the standard AD DS installation, and also describes some of the other options that are available when performing the installation.
Key Points
To install Active Directory Domain Services, the server must meet the following requirements:
The Windows Server 2008 operating system must be installed. AD DS can be installed only on the following editions:
Additional Reading
Key Points
In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Which features are available depends on the domain and forest functional level.
Additional Reading
Active Directory Domain Services Help: Set the domain or forest functional
level
AD DS Installation Process
Key Points
To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation Wizard. Do this using one of the following processes:
Install the AD DS server role by using Server Manager, and then start the installation wizard either by running DCPromo or from within Server Manager.
Run DCPromo from the Run command or a command prompt. This will install the AD DS server role and then start the installation wizard.
Additional Reading
Microsoft TechNet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS
Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear
only if you select the Use advanced mode installation check box on the Welcome
page of the wizard or by running DCPromo with the /adv switch. If you do not run
the installation wizard in advanced mode, the wizard uses default options that
apply to most configurations.
Question: When would you use the advanced options mode in your organization?
Additional Reading
Key Points
Before you can use backup media as the source for installing a domain controller,
use Ntdsutil.exe to create the installation media.
Question: Which types of installation media will you use in your organization?
Additional Reading
Question: What steps would you take if you noticed that the domain controller
installation failed?
Additional Reading
Key Points
To install a new Windows Server 2008 domain controller in an existing Windows
2000 Server or Windows Server 2003 domain, complete the following steps:
If the domain controller is the first Windows Server 2008 domain controller in
the forest, you must prepare the forest for Windows Server 2008 by extending
the schema on the schema operations master. To extend the schema, run
adprep /forestprep. The adprep tool is located on the Windows Server 2008
installation media.
If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The gpprep switch adds inheritable access control entries (ACEs) to the Group Policy Objects (GPOs) that are located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the domain controllers in the domain.
If the domain controller is the first Windows Server 2008 domain controller in
a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master.
After you install a writeable domain controller, you can install an RODC in the
Windows Server 2003 forest. Before doing this, you must prepare the forest by
running adprep /rodcprep. You can run adprep /rodcprep on any computer in
the forest. If the RODC will be a global catalog server, then you must run
adprep /domainprep in all domains in the forest, regardless of whether the
domain runs a Windows Server 2008 domain controller. By running adprep
/domainprep in all domains, the RODC can replicate global catalog data from
all domains in the forest and then advertise as a global catalog server.
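The adprep sequence above leaves markers in the directory, so its progress can be checked rather than guessed. The following script is an added example, not part of the course material: it reads the marker objects, reports which adprep steps have already run, and names the operations masters the remaining steps must be run on (forestprep on the schema master, domainprep on the infrastructure master). It uses ADSI only, because Windows Server 2008 ships no Active Directory cmdlets, and assumes Windows PowerShell 2.0 on a domain-joined computer with read access to the directory. The expected values are the documented ones for Windows Server 2008 adprep: schema objectVersion 44, forestprep revision 2, domainprep revision 3, rodcprep revision 2.

```powershell
# Added example (not from the course): adprep readiness report for a forest
# and domain, before introducing the first Windows Server 2008 domain controller.

function Read-Attribute([string]$dn, [string]$attribute) {
    # Return one attribute of the object at $dn, or $null when the object or
    # the attribute does not exist (a missing marker object means "not run").
    try { return ([ADSI]"LDAP://$dn").Get($attribute) } catch { return $null }
}

function Get-RoleHolderHost([string]$roleObjectDn) {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    # the parent of that object is the server object carrying dNSHostName.
    $ntdsDn = Read-Attribute $roleObjectDn 'fSMORoleOwner'
    if (-not $ntdsDn) { return $null }
    $serverDn = $ntdsDn.Substring($ntdsDn.IndexOf(',') + 1)
    return Read-Attribute $serverDn 'dNSHostName'
}

function Get-AdprepStatus([switch]$DomainIsWindows2000) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = $rootDse.Get('schemaNamingContext')
    $configNc = $rootDse.Get('configurationNamingContext')
    $domainNc = $rootDse.Get('defaultNamingContext')

    # Marker objects written by adprep (values documented for Windows Server 2008).
    $schemaVersion = Read-Attribute $schemaNc 'objectVersion'                                              # 44
    $forestPrep    = Read-Attribute "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'         # 2
    $rodcPrep      = Read-Attribute "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc" 'revision'     # 2
    $domainPrep    = Read-Attribute "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision' # 3

    $remaining = @()
    if ($schemaVersion -lt 44 -or $forestPrep -lt 2) {
        $schemaMaster = Get-RoleHolderHost $schemaNc
        $remaining += "adprep /forestprep on the schema master: $schemaMaster"
    }
    if ($domainPrep -lt 3) {
        # A Windows 2000 domain additionally needs /gpprep (inheritable ACEs on
        # the GPOs in SYSVOL); a Windows Server 2003 domain needs /domainprep only.
        $switches  = if ($DomainIsWindows2000) { '/domainprep /gpprep' } else { '/domainprep' }
        $infraHost = Get-RoleHolderHost "CN=Infrastructure,$domainNc"
        $remaining += "adprep $switches on the infrastructure master: $infraHost"
    }
    if ($rodcPrep -lt 2) {
        $remaining += 'adprep /rodcprep (any computer in the forest) before the first RODC'
    }

    New-Object PSObject -Property @{
        SchemaVersion      = $schemaVersion
        ForestPrepRevision = $forestPrep
        DomainPrepRevision = $domainPrep
        RodcPrepRevision   = $rodcPrep
        RemainingSteps     = $remaining
    }
}

# Run from any domain member; add -DomainIsWindows2000 for a Windows 2000 Server domain.
Get-AdprepStatus | Format-List
```

A `$null` marker compares as less than the expected revision, so a forest that has never seen adprep reports every step as remaining. Running the check again after each adprep step is a cheap way to confirm that replication has carried the change to the domain controller you are bound to.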
Additional Reading
Key Points
To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI), so you cannot run the Active Directory Domain Services Installation Wizard.
To perform an unattended install of AD DS, use an answer file and the following syntax with the Dcpromo command:
Dcpromo /answer[:filename]
where filename is the name of your answer file.
Additional Reading
Key Points
After installing a domain controller, you may need to perform additional tasks in
your environment. You can access checklists for the following common
configurations for AD DS in Server Manager, under Resources and Support.
Additional Reading
Lesson 2:
One of the important new features in Windows Server 2008 is the option to use
read-only domain controllers (RODCs). RODCs provide all of the functionality that
clients require while providing additional security for domain controllers deployed
in branch offices. When configuring RODCs, you can specify which user account
passwords will be cached on the server and configure delegated administrative
permissions for the domain controller. This lesson describes how to install and
configure RODCs.
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy that the RODC stores, and all AD
DS replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.
Additional Reading
Key Points
See the list on the slide.
Additional Reading
Key Points
Before you can install an RODC, you must prepare the AD DS environment by
completing the following steps:
Additional Reading
Key Points
The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However, there are a few extra steps.
Additional Reading
Key Points
You can delegate the installation of an RODC by performing a two-stage installation.
Question: What are the benefits of delegating an RODC installation?
Additional Reading
Key Points
When you deploy an RODC, you can configure a Password Replication Policy for the RODC.
The Password Replication Policy acts as an access control list (ACL) that determines whether an RODC is permitted to cache a password.
The Password Replication Policy explicitly lists the accounts whose passwords are allowed to be cached and those whose passwords are denied. The password for an account is not actually cached on the RODC until after the first time the user or computer account is authenticated through the RODC.
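The policy is stored on the RODC's own computer object, which makes it easy to audit from any domain member. The script below is an added example, not part of the course material: it reads the allowed and denied lists, evaluates an account against them the way the RODC does (the account or one of its groups must be in the allowed list and must not appear in the denied list, with an explicit deny always winning), lists the accounts that have already authenticated through the RODC, and adds a group to the allowed list, which is what the lab's "enable credential caching for all user accounts in Toronto" step amounts to. It uses ADSI only and assumes Windows PowerShell 2.0; the distinguished names for TOR-DC1, the Toronto group and the user Axel are assumed from the lab names and must be adjusted to the real forest.

```powershell
# Added example (not from the course): inspect and evaluate an RODC's
# Password Replication Policy (PRP) and add an allowed entry.

function Get-ObjectSid([string]$dn) {
    # objectSid is stored as a byte array; wrap it so we get the S-1-5-... form.
    $bytes = ([ADSI]"LDAP://$dn").psbase.Properties['objectSid'][0]
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Get-RodcPrp([string]$rodcComputerDn) {
    # The PRP is two multi-valued DN attributes on the RODC computer object.
    # The built-in denied entries (Administrators, Account/Server/Backup
    # Operators, Denied RODC Password Replication Group) are ordinary values
    # of msDS-NeverRevealGroup; the default allowed entry is the
    # Allowed RODC Password Replication Group.
    $rodc = [ADSI]"LDAP://$rodcComputerDn"
    New-Object PSObject -Property @{
        Allowed = @($rodc.psbase.Properties['msDS-Reveal-OnDemandGroup'])
        Denied  = @($rodc.psbase.Properties['msDS-NeverRevealGroup'])
    }
}

function Test-PrpCaching([string]$rodcComputerDn, [string]$accountDn) {
    $prp = Get-RodcPrp $rodcComputerDn
    $allowedSids = @($prp.Allowed | ForEach-Object { (Get-ObjectSid $_).Value })
    $deniedSids  = @($prp.Denied  | ForEach-Object { (Get-ObjectSid $_).Value })

    # tokenGroups is a constructed attribute holding every group SID the
    # account belongs to, nested and primary groups included; it has to be
    # requested explicitly. The account's own SID is included because PRP
    # entries may name users and computers directly, not only groups.
    $account = [ADSI]"LDAP://$accountDn"
    $account.psbase.RefreshCache(@('tokenGroups'))
    $accountSids = @((Get-ObjectSid $accountDn).Value)
    foreach ($sidBytes in $account.psbase.Properties['tokenGroups']) {
        $accountSids += (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    }

    $denyHits  = @($accountSids | Where-Object { $deniedSids  -contains $_ })
    $allowHits = @($accountSids | Where-Object { $allowedSids -contains $_ })
    New-Object PSObject -Property @{
        Account     = $accountDn
        AllowedVia  = $allowHits
        DeniedVia   = $denyHits
        # Deny overrides allow; an account in neither list is not cached either.
        MayBeCached = ($allowHits.Count -gt 0 -and $denyHits.Count -eq 0)
    }
}

function Get-RodcAuthenticatedAccounts([string]$rodcComputerDn) {
    # Accounts that have authenticated through this RODC so far. Those that
    # also pass the PRP have their password cached; the others are the
    # candidates the wizard offers to pre-populate.
    @(([ADSI]"LDAP://$rodcComputerDn").psbase.Properties['msDS-AuthenticatedToAccountlist'])
}

function Add-PrpAllowedEntry([string]$rodcComputerDn, [string]$principalDn) {
    # ADS_PROPERTY_APPEND (3) adds one DN to the allowed list without
    # disturbing the existing entries; requires write access to the RODC object.
    $rodc = [ADSI]"LDAP://$rodcComputerDn"
    $rodc.PutEx(3, 'msDS-Reveal-OnDemandGroup', @($principalDn))
    $rodc.SetInfo()
}

# Lab names as assumed DNs; adjust to your forest.
$rodcDn  = 'CN=TOR-DC1,OU=Domain Controllers,DC=woodgrovebank,DC=com'
$groupDn = 'CN=Toronto Users,OU=Toronto,DC=woodgrovebank,DC=com'
Add-PrpAllowedEntry $rodcDn $groupDn
Get-RodcPrp $rodcDn | Format-List
Test-PrpCaching $rodcDn 'CN=Axel,CN=Users,DC=woodgrovebank,DC=com' | Format-List
Get-RodcAuthenticatedAccounts $rodcDn
```

`Test-PrpCaching` answers the question the text raises: adding a group to the allowed list does nothing for a member who is also, perhaps through a nested group, in a denied list, and that is exactly the case worth checking for branch-office administrators who were placed in Server Operators or Account Operators years ago.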
Additional Reading
Lesson 3:
All domain controllers in a domain are essentially equal, meaning they all contain
the same data and provide the same services. However, you also can assign special
roles to domain controllers to provide additional services or address scenarios in
which only one domain controller should provide services at any given time. This
lesson describes how to configure and manage global catalog servers and
operations masters.
Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in a forest. It is a partial replica because it includes only a limited set of attributes for each of the forest's objects. By including only the attributes that are used most often for searching, the database of a single global catalog server can represent every object in every domain in the forest.
A global catalog server hosts the global catalog in addition to its own domain information. Active Directory automatically configures the first domain controller in the forest as a global catalog server. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.
Additional Reading
Key Points
Sometimes you may want to customize the global catalog to include additional attributes. By default, for every object in the forest, the global catalog server contains an object's most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, email address, or other common properties.
Additional Reading
Question: What types of errors or user experiences would lead you to investigate whether you need to configure another server as a global catalog server?
Question: What are the reasons why you would choose to replicate an attribute to the global catalog?
Additional Reading
Key Points
Active Directory is designed as a multimaster replication system. However, for
certain directory operations, only a single authoritative server is required. The
domain controllers that perform specific roles are known as operations masters.
The domain controllers that hold operations master roles are designated to
perform specific tasks to ensure consistency and to eliminate the potential for
conflicting entries in the Active Directory database.
Additional Reading
Key Points
The Windows Time service, also known as W32Time, synchronizes the date and
time for all computers running on a Windows Server 2008 network. The Windows
Time service uses the Network Time Protocol (NTP) to ensure highly accurate time
settings throughout your network. You also can integrate the Windows Time
service with external time sources.
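The two Key Points sections above are linked in practice: the Windows Time hierarchy ends at the PDC emulator of the forest root domain, so that one operations master is the place to integrate an external time source, and every other domain controller should keep following the domain hierarchy. The script below is an added example, not part of the course material: it locates the five operations master role holders with the .NET ActiveDirectory classes and configures W32Time accordingly on the computer it runs on. It assumes Windows PowerShell 2.0 on a domain controller with local administrator rights (needed by w32tm /config); the peer list is a placeholder to replace with your organization's time source.

```powershell
# Added example (not from the course): find the operations masters and align
# the Windows Time service with the PDC emulator of the forest root domain.

function Get-OperationsMasters {
    # Each role holder is recorded in the directory (fSMORoleOwner on the
    # role's object); Forest and Domain expose them as DomainController objects.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name         # one per forest
        DomainNamingMaster   = $forest.NamingRoleOwner.Name         # one per forest
        PdcEmulator          = $domain.PdcRoleOwner.Name            # one per domain
        RidMaster            = $domain.RidRoleOwner.Name            # one per domain
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name # one per domain
        IsForestRootDomain   = ($domain.Name -ieq $forest.RootDomain.Name)
    }
}

function Set-DomainTimeHierarchy([string]$ExternalPeers = 'time.example.net,0x8') {
    # $ExternalPeers is a placeholder; 0x8 marks the peer for a client-mode
    # association. Returns the source W32Time reports afterwards.
    $masters = Get-OperationsMasters
    $me      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($masters.IsForestRootDomain -and ($me -ieq $masters.PdcEmulator)) {
        # Forest root PDC emulator: the root of the time hierarchy, so it is the
        # only DC that takes time from outside, and it is marked reliable so the
        # other DCs prefer it.
        w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC, a child-domain PDC emulator included, follows the
        # domain hierarchy, which leads back to the forest root PDC emulator.
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync | Out-Null
    return (w32tm /query /source)
}

Get-OperationsMasters | Format-List
Set-DomainTimeHierarchy
```

Running `Get-OperationsMasters` on its own is also the quickest way to answer "where do I run adprep" (schema master and infrastructure master) and "which server matters most if it goes down" before transferring or seizing a role.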
Additional Reading
Scenario:
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is preparing to deploy domain controllers in several branch
offices. The Enterprise Administrator created a design that requires read-only
domain controllers to be deployed on servers running Windows Server 2008 in all
branch offices. Your task is to deploy a domain controller in a branch office that
meets these requirements.
Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site.
Verify the forest and domain functional level are compatible with an RODC deployment.
Task 3: Verify the forest and domain functional level are compatible with an RODC deployment
In Active Directory Users and Computers, check the properties for NYC-DC1.
Verify that the operating system name is Windows Server 2008 Enterprise.
Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1.
Result: At the end of this exercise, you will have verified that the domain and the computer are ready to install an RODC.
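The checks in Task 3, and the functional level Key Points in Lesson 1, can be done without the GUI. The script below is an added example, not part of the lab: it reads the three functionality values that RootDSE publishes, checks the one RODC prerequisite that is a hard requirement (forest functional level Windows Server 2003 or higher), lists the domain's domain controllers with the operating system recorded in the directory (so the presence of a writeable Windows Server 2008 DC such as NYC-DC1 can be confirmed), and reports the local server's edition. It uses ADSI and WMI and assumes Windows PowerShell 2.0; the hostnames are the lab's.

```powershell
# Added example (not from the course): RODC readiness checks from PowerShell.

# Values RootDSE uses for forestFunctionality, domainFunctionality and
# domainControllerFunctionality.
$FunctionalLevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
}

function Get-FunctionalLevels {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $forest  = [int]$rootDse.Get('forestFunctionality')
    $domain  = [int]$rootDse.Get('domainFunctionality')
    $dc      = [int]$rootDse.Get('domainControllerFunctionality')
    New-Object PSObject -Property @{
        Forest           = $FunctionalLevelNames[$forest]
        Domain           = $FunctionalLevelNames[$domain]
        DomainController = $FunctionalLevelNames[$dc]
        # An RODC needs the forest at Windows Server 2003 level or higher
        # (linked-value replication); the domain level is not a constraint.
        ForestSupportsRodc = ($forest -ge 2)
    }
}

function Get-DomainControllerInventory {
    # Computer accounts with the SERVER_TRUST_ACCOUNT flag (userAccountControl
    # bit 0x2000 = 8192) are domain controllers; the bitwise-AND matching rule
    # OID 1.2.840.113556.1.4.803 tests that bit in the LDAP filter.
    $domainNc = ([ADSI]"LDAP://RootDSE").Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem', 'operatingSystemVersion'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Host    = [string]$r.Properties['dnshostname']
            OS      = [string]$r.Properties['operatingsystem']
            Version = [string]$r.Properties['operatingsystemversion']
        }
    }
}

function Test-LocalServerForRodc {
    # The server about to become TOR-DC1: its edition (the lab expects
    # Windows Server 2008 Enterprise) together with the levels, in one object.
    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Edition      = $os.Caption
        Levels       = Get-FunctionalLevels
    }
}

Get-FunctionalLevels | Format-List
Get-DomainControllerInventory | Format-Table Host, OS, Version -AutoSize
Test-LocalServerForRodc | Format-List
```

The inventory function is also the check behind the Considerations at the end of the module: an edition such as Web Server Edition cannot hold the AD DS role, so a server whose recorded operating system does not match the plan is worth a closer look before dcpromo is run.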
Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation.
Configure a password replication policy that enables credential caching for all user accounts in Toronto.
Complete the Active Directory Domain Services Installation Wizard using the following selections:
d. Default site
Complete the Active Directory Domain Services Installation Wizard using the following selections:
Accept the default location for the Database, Log Files, and SYSVOL files.
In Server Manager, verify that the Active Directory Domain Services server role is installed.
Verify that you do not have permission to add or remove domain objects.
6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name.
7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created.
8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1.
9. Open Event Viewer. In the Directory Service log, locate and view a message with an event ID of 1128. This event ID verifies that a replication connection object has been created between NYC-DC1 and TOR-DC1.
On NYC-DC1, in Active Directory Users and Computers, access the TOR-DC1 Properties dialog box.
Result: At the end of this exercise, you will have installed an RODC and configured the RODC password replication policy for the RODC.
Access the NTDS Settings, and select the Global Catalog check box.
Create a new MMC and add the Active Directory Schema snap-in.
Task 4: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have configured a global catalog server and configured AD DS domain controller roles.
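Both of the surviving steps of this exercise, the Global Catalog check box in Active Directory Sites and Services and the Schema snap-in, change single attributes in the directory, and Lesson 3's Key Points on the global catalog and its partial attribute set describe what those attributes mean. The script below is an added example, not part of the lab: it enables (or disables) the global catalog on a named domain controller by setting the same bit the check box sets, waits on the readiness flag the DC publishes once it really advertises as a global catalog, and publishes an additional attribute to the global catalog the way the Schema snap-in's "Replicate this attribute to the Global Catalog" option does. It assumes Windows PowerShell 2.0, membership in Domain Admins for the options change and in Schema Admins for the schema change; TOR-DC1 is the lab's name and employeeNumber is just an example attribute.

```powershell
# Added example (not from the course): global catalog and partial attribute
# set changes done against the directory rather than through the snap-ins.

function Get-ServerObjectDn([string]$serverName) {
    # Every DC has a server object under CN=Sites in the configuration
    # partition; its child "CN=NTDS Settings" represents the directory agent.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $sitesDn  = 'CN=Sites,' + $rootDse.Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sitesDn")
    $searcher.Filter = "(&(objectClass=server)(cn=$serverName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No server object named $serverName under $sitesDn" }
    return [string]$result.Properties['distinguishedname'][0]
}

function Set-GlobalCatalog([string]$serverName, [bool]$enable) {
    # Bit 0x1 of the NTDS Settings 'options' attribute (NTDSDSA_OPT_IS_GC) is
    # what the Global Catalog check box in AD Sites and Services toggles.
    $ntds = [ADSI]('LDAP://CN=NTDS Settings,' + (Get-ServerObjectDn $serverName))
    $options = 0
    try { $options = [int]$ntds.Get('options') } catch { }
    if ($enable) { $options = $options -bor 1 } else { $options = $options -band (-bnot 1) }
    $ntds.Put('options', $options)
    $ntds.SetInfo()
    return $options
}

function Test-GlobalCatalogReady([string]$serverName) {
    # The DC advertises itself as a GC only after the partial replicas of the
    # other domains have replicated in; until then isGlobalCatalogReady on its
    # own RootDSE is FALSE and clients keep using the existing GCs.
    $rootDse = [ADSI]"LDAP://$serverName/RootDSE"
    return ([string]$rootDse.Get('isGlobalCatalogReady')) -eq 'TRUE'
}

function Add-AttributeToGlobalCatalog([string]$ldapDisplayName) {
    # Same effect as "Replicate this attribute to the Global Catalog": set
    # isMemberOfPartialAttributeSet on the attributeSchema object. Schema
    # writes go to the schema master and need Schema Admins membership. At
    # Windows Server 2003 forest functional level or higher this no longer
    # forces every GC to resynchronise fully, as it did in Windows 2000 forests.
    $schemaMaster = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner.Name
    $rootDse      = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $schemaNc     = $rootDse.Get('schemaNamingContext')
    $searcher     = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaMaster/$schemaNc")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No attribute named $ldapDisplayName in the schema" }
    $attr = $result.GetDirectoryEntry()
    $attr.Put('isMemberOfPartialAttributeSet', $true)
    $attr.SetInfo()
    # Ask the schema master to reload its schema cache right away.
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Lab sequence: make TOR-DC1 a GC (an RODC can be one once rodcprep has run),
# check whether it advertises yet, then publish one more attribute to the GC.
Set-GlobalCatalog 'TOR-DC1' $true
Test-GlobalCatalogReady 'TOR-DC1'
Add-AttributeToGlobalCatalog 'employeeNumber'
```

Checking `Test-GlobalCatalogReady` rather than the check box is the honest test for the review question about branch-office global catalogs: on a slow, unreliable WAN the bit is set in seconds, but the DC cannot answer forest-wide queries, and so cannot speed up logons, until the partial replicas of every other domain have finished replicating across that link.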
Review Questions
1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room, so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment?
2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller?
A. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB) free hard disk space, TCP/IP.
B. Windows Server 2008 Enterprise Edition, NTFS file system, 500 megabyte (MB) free hard disk space, TCP/IP.
C. Windows Server 2008 Server Core Enterprise Edition, NTFS file system, 1 GB free hard disk space, TCP/IP.
D. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free hard disk space, TCP/IP.
3. You are deploying an RODC in a branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this. How would you configure the password replication policy?
4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process?
5.
6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server?
Considerations
Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles:
You can install the AD DS server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition.
In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog server in a remote office also increases the network bandwidth used for replication.