Welcome back to Introduction to Active Directory. We're going to jump right into our first actual technical module regarding Active Directory Domain Services, and dive as in depth as we can into Active Directory Domain Services. We're going to start with an overview. We're going to go into the two essential halves of Active Directory Domain Services, the physical structure and the logical structure, or really the technology pieces. The overview is going to cover these topics; it's almost not Active Directory Domain Services, it's more an overview of what it provides, the different functionalities that this software provides and what they are in terms of overall technology, not so much specifics yet.

The first detail is a technical detail: the protocol used to access Active Directory, Lightweight Directory Access Protocol or LDAP, based on the X.500 standard and TCP/IP. It's a client/server piece of software that lets the clients, workstations and other servers access domain controllers, which we'll learn about in a little while, and the technology is provided by Active Directory Domain Services.

We start off with authentication and what it is. Authentication is the process of verifying the user's identity on a network. A good analogy: a passport, a driver's license. I want to make sure you are who you say you are. The passport is exactly that; it's a way for me to say, who are you? You can tell me all you want, but that passport provides me with proof. Two components: an interactive logon, which allows me to log onto the computer in front of me, and a network authentication, which grants access to network resources.

Once you've been authenticated, the next step is authorization. Authentication is who you are; authorization is what you can do: the process of verifying that an authenticated user has permission to perform an action. Security principals are issued security identifiers when the account is created. In the case of Windows and Active Directory, SID is the term you'll use or see used most frequently. User accounts are issued security tokens during authentication that include the user SID and related groups. It's my token; it just says this is who I am, these are the groups I belong to. Shared resources on a network include access control lists that define who can access the resource. We're going to branch off here in just a moment and talk a little bit more about access control lists. And then the security token that I've been issued, which has my SID and the SIDs of my groups in it, is compared against the access control list of that resource; in this case it's called a discretionary access control list. If my SID is on that list, I'm given permission to do whatever it is I've been granted on that access control list.

Some further notes on this one: because I've mentioned discretionary access control lists, I feel I should also mention System Access Control Lists, or SACLs as we call them. A discretionary access control list here gives us, or defines, the permissions we have to do things with objects: read, change. A system access control list keeps track of what events will trigger an audit by a given security principal. So a share is going to have my user account attached to it by SID, and that SID is also going to be attached to my token. That token is going to be compared to that folder, that share; the SIDs match, and I'll be able to do whatever to that folder that I'm granted via that access. That folder also is going to have a system access control list that may also have my SID on it, my identifier, that says that anything I do to that folder is audited: if I delete something, if I change something, just the fact that I open that folder, and in fact in some cases if I'm not allowed to open that folder.

Why give you all this information? Because technically it does exist in any computer. There are access control lists, there are SIDs, there are system access control lists and discretionary access control lists on a computer just sitting on your desk. That all exists; that technology exists on any computer.
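As an added example (not from this course), here is a PowerShell script that performs the comparison just described on a real folder: it takes the SIDs in the current user's token and lists the DACL entries and SACL audit entries that match them. The folder path is a placeholder, and reading the SACL needs an elevated prompt.

```powershell
# Added example, not from the course: compare the SIDs in the current user's
# token against a folder's DACL and SACL, the comparison the lecture describes.
# Assumes a Windows host; $Path is a placeholder (use any folder you administer).
# Reading the SACL (-Audit) requires an elevated prompt (SeSecurityPrivilege).
param([string]$Path = 'C:\Shares\Finance')

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# The token carries the user SID plus the SIDs of every group the user belongs to.
$tokenSids = @($identity.User) + @($identity.Groups)

function Get-MatchingAces {
    param(
        [System.Collections.IEnumerable]$Aces,                 # DACL ($acl.Access) or SACL ($acl.Audit) entries
        [System.Security.Principal.SecurityIdentifier[]]$Sids  # SIDs taken from the token
    )
    foreach ($ace in $Aces) {
        # ACEs are stored by SID; translate the displayed account name back to its SID
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($Sids -contains $sid) { $ace }
    }
}

$acl = Get-Acl -Path $Path -Audit

"Token for {0} holds {1} SIDs" -f $identity.Name, $tokenSids.Count

"--- DACL: entries that apply to this token (Deny listed first, as in a canonical DACL) ---"
Get-MatchingAces -Aces $acl.Access -Sids $tokenSids |
    Sort-Object { $_.AccessControlType -ne 'Deny' } |
    ForEach-Object { "{0,-5} {1,-35} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }

"--- SACL: entries that apply to this token (which of my actions get audited) ---"
Get-MatchingAces -Aces $acl.Audit -Sids $tokenSids |
    ForEach-Object { "{0,-8} {1,-35} {2}" -f $_.AuditFlags, $_.IdentityReference, $_.FileSystemRights }
```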
So why Active Directory Domain Services? What benefits does it provide? Well, it gives us a centralized directory. Instead of having to worry about giving five users all individual access to five computers on my small home or small office network, Active Directory lets me create those five accounts in one place; I don't have to worry about creating them on every computer that they need access to. Single sign-on access: that's the benefit. Given those five accounts, those five computers get connected to my Active Directory domain; I don't need to go to each computer individually, worry about if my password is changed, worry about if my usernames match. I can log on to any of those computers, anywhere, any time. Integrated security. Scalability: this can be done at great scale. After the introduction of Active Directory and Windows 2000, the scalability of Active Directory, in this case Active Directory Domain Services, has ballooned to the point that it is limited only by the hardware provided for your domain controllers.

And a common management interface. I briefly touched on this earlier: this allows for a person or a series of people to manage all the components of Active Directory Domain Services in a single location, or from various locations but always using the same interface. No one's going to worry about not knowing what's going on or what someone else has done or what tools are being used. It centralizes this network management by providing a single location and set of tools for managing user and group accounts. Now, single location is a little tricky in this instance, because a single location may not mean a single geographic location. We're going to talk more about that. A single location for assigning access to shared network resources. Directory service for AD DS-enabled applications, so it's a way for Exchange to get information about users that it wouldn't normally have. Options for configuring security policies that apply to all users and computers: this is called Group Policy. We're not going to cover it to a real great extent in this course; it's more just an overview of Active Directory and its components, but Group Policy is a very powerful tool at our disposal once we've decided to use Active Directory Domain Services. Group Policies to manage user desktops and security settings: this again is the same as the one above it, options for configuring security policies; it's centralized management of a number of security and application-based options.

The requirements for installing. I decided to put some quick overview requirements
in here because we are in fact going to install, and I want to make sure that people have the prerequisites they would need. Requirements for installing: TCP/IP. Configure appropriate TCP/IP and DNS server addresses; this is the chosen network mechanism for Active Directory Domain Services. Credentials to install a new forest, and again we'll talk about forests in a little while: you need to be a local administrator on the server. You've got your server set up, it's installed, it's running; if you're not a local administrator, you can't actually make that server into what's called a domain controller. To install an additional domain controller, which is not a topic we're going to cover in any great length here today, you need to be a member of the Domain Admins group in an existing domain. Most importantly on this slide, however, is our last one: Domain Name System infrastructure. Verify that a DNS infrastructure is in place. When you install AD DS you can include DNS in the installation if it's needed; it's all part of the same interface, which is terrific. When you create a new domain, a DNS delegation is created automatically; those details right here we're not going to go in depth on. Again, this is more technically deep than we need to cover; just the fact that you have to have DNS in place, it has to be functioning, your servers have to be able to communicate and find each other, and your clients have to be able to find those servers via DNS, prior to the installation of Active Directory Domain Services.

A quick overview of the two and how they interact. AD DS requires a DNS infrastructure, which we just talked about. AD DS domain names must be DNS domain names, that is to say fully qualified domain names. Domain controller records must be registered in DNS to enable other domain controllers and client computers to locate them. This is an automatic process: given that your DNS infrastructure is installed and functioning correctly, those records, called SRV records, will be created automatically in DNS for other domain controllers and client computers to find and use. DNS zones can be stored in AD DS as Active Directory-integrated zones. This is again a slightly more advanced technological term, or option. It has the nice advantages that you can use Active Directory as a replication mechanism for DNS and as a security boundary for DNS, if using Active Directory to store your DNS records. That again is a topic for another day that we'll be posting up at some point in the future.
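As an added example, not from the course, this PowerShell function checks the DNS records just described: the SRV records that domain controllers register and that clients use to locate them, plus the A record of each advertised DC. It assumes a Windows host with the DnsClient module; contoso.com is the lecture's example forest root domain.

```powershell
# Added example, not from the course: check the DNS records clients use to find
# domain controllers, as described on the DNS prerequisites slide.
# Assumes a Windows host with the DnsClient module (Windows 8 / Server 2012 or
# later); contoso.com is the lecture's example forest root domain.
param([string]$Domain = 'contoso.com')

function Test-DcLocatorRecords {
    param([string]$Domain)
    # Service records registered automatically by each DC's Netlogon service.
    # _gc lives under the forest root, since the global catalog is forest-wide.
    $services = @(
        "_ldap._tcp.dc._msdcs.$Domain",     # LDAP on every DC in the domain
        "_kerberos._tcp.dc._msdcs.$Domain", # Kerberos KDC on every DC
        "_gc._tcp.$Domain"                  # Global Catalog servers in the forest
    )
    $results = foreach ($name in $services) {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            # Missing SRV records are the classic cause of "domain not found" at logon
            [pscustomobject]@{ Service = $name; Target = '(none)'; Port = $null; Address = 'MISSING SRV RECORD' }
            continue
        }
        foreach ($r in $srv) {
            # Each SRV target must also resolve to an address, or clients still cannot connect
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            $addr = if ($a) { $a.IPAddress -join ', ' } else { 'UNRESOLVED' }
            [pscustomobject]@{
                Service = $name
                Target  = $r.NameTarget
                Port    = $r.Port
                Address = $addr
            }
        }
    }
    return $results
}

Test-DcLocatorRecords -Domain $Domain | Format-Table -AutoSize
```

Run it from a domain-joined client against the domain's own DNS servers; a missing or unresolved row is the first thing to fix before expecting logons or additional DC promotions to work.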
Component overview. There's a lot on the slide; we're going to cover each of these pieces individually in the next couple of slides. Physical data components: domain controllers, Global Catalog servers and the data store are really the three big, important, crucial, in this case required, physical components of Active Directory Domain Services. Without any one of those three, it doesn't really function. We also have read-only domain controllers as a physical option, a component option, for AD DS. What this allows for is essentially a copy of your domain to be placed in, for example, a branch office, allowing clients, users, computers to access that directory information, potentially authenticating against that directory information, but without the risk of it being compromised by an intruder, an outside attack. We're not going to cover read-only domain controllers any further beyond this slide in this course; that's a more advanced topic. And then we're going to cover the logical components, the more complicated piece of Active Directory Domain Services: partitions, schema, domains, trees, forests, sites and OUs are all logical pieces of Active Directory Domain Services. We're going to start at the top and work our way down through those pieces as best we can; they're not necessarily all hierarchical, but some of them are.

Our second lesson: we're going to jump into those physical components we saw on the left side of that first slide. Domain controllers, Global Catalog servers and the data store again being the big three physical components of Active Directory Domain Services, and then sites and replication being, trying to think of the best way to explain it, maybe expansions on the physical components of Active Directory, and replication sort of a piece that ties those physical components together; in itself it's not necessarily a physical component.

Domain controllers are the foundation. This is the starting point; this is what you're going to create first in Active Directory Domain Services if you've never done it, installed it, used it before. A domain controller, or DC as I'll probably refer to them later, is a server with the AD DS role installed that has specifically been promoted to a domain controller; you create domain controllers. It hosts a copy of the AD DS directory store, or data store, which is a physical component that we will talk about in more detail later. It provides authentication and authorization services: it's going to keep track of who you are, it's going to let you authenticate to it so that you can prove who you are, and it's going to maintain some of the things that you have access to and what you can do against those objects. They replicate updates to other domain controllers in the domain and the forest; we're going to talk about that when we get to the replication slide here in just a couple of minutes. And they allow administrative access to manage user accounts and network resources in a central location. Windows Server 2008 and later support those read-only domain controllers we talked about earlier; we're
not going to cover that in any more depth. Our next physical component: Global Catalog servers. Global Catalog servers are domain controllers that also store a copy of the global catalog, and what the global catalog is, is a copy of all the objects in Active Directory and a subset of the attributes of those objects. Now, where this gets to be specific, and where a global catalog is different than a domain controller, is in this first line, this first option: contains a copy of all AD DS objects in a forest. We're going to cover forests in just a minute so that you'll learn a little bit more about why a global catalog is different than a domain controller. Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers; again, this is one of those situations where we have to reference technology to explain technology that we haven't necessarily learned about yet. We're going to learn about forests, domains and trusts in a few minutes. Global Catalog servers are also required for users to log onto a domain; again, we'll cover that as we get into domains, forests and trees.

The AD DS data store is where all this information is physically kept on a server. Actually, in my opinion, it's kind of one of the more overlooked aspects of Active Directory Domain Services. A lot of people install AD DS, they configure it, they set up their users, their computers, their printers, their resources, they manage all the tools, with not a lot of thought to the data store itself, the database that all this information is kept in and where it's stored. Again, we're not going to go into too much technical depth; we could spend hours and hours just on this one topic. It does consist of a single file, NTDS.dit, stored by default in the %systemroot%\NTDS folder on all domain controllers; this is a configurable option, as we'll see in a little while. And it is accessible only through the domain controller processes and protocols. There is a slight caveat to that bit of information; I might demonstrate it in a little while, I'll have to decide if that's a worthwhile demonstration.

AD DS replication is the process of making sure that database is the same across all of your domain controllers. AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest. We want to make sure, if we've changed a password, if we removed a user account, if we've added a user account, that those changes exist across our entire domain infrastructure, so that those users can or can't authenticate depending on if we've removed or added them, and their passwords are updated if they've been changed in the last couple of minutes. We don't want them to change their password, log off, try and log back on, and have it fail because they're trying to get to a different domain controller than the one the change was originally made on.
It ensures that they have the same information. It uses a multi-master replication model. What this does is ensure that there's no single point of failure; there's no single authoritative source for that information. This is a complicated technological concept, because without a single authoritative source, how do you know where those changes come from? They are tracked within AD DS; roughly, that's one of the technical details of how, but it does keep track of, basically, who was last, what was the last change made that's actually an official change that should be recorded across all of these databases in all these domain controllers. And it can be managed by creating AD DS sites, which we're going to talk about in a couple of minutes, and in this case how they relate specifically to replication. The replication topology is created automatically as new domain controllers are added to the domain; however, it can be modified using sites.

What are sites? An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection. Sites are not an organizational boundary, in terms of: we have a branch office in London, we have a branch office in Paris, we have a branch office in New York. Those are not necessarily Active Directory Domain Services sites, depending on the speed of the links between those offices. Sites are associated with IP subnets, typically and by default; as you're expanding out your Active Directory Domain Services to further sites, this will be created automatically. Used to manage replication traffic, used to manage client logon traffic, used by site-aware applications such as DFS or Exchange servers, and used to assign Group Policy objects to all users and computers in a company location, potentially; there's a big "potentially" on that one. Sites are defined based on their bandwidth, so that's what you're going to want to know ahead of time before you design any sort of site infrastructure. The primary reason, as I've mentioned, is LAN links, high speed, versus slow-speed
WAN links. Now, to kind of tie all this together, we're going to get into logical components. We're going to talk about what it is we're creating when we create our first domain controller, when we create subsequent domain controllers. As I mentioned before, DC zero is going to be a domain controller; you're going to create a domain controller in the first steps of implementing an Active Directory Domain Services infrastructure. When you do that, when you create that domain controller, the Active Directory Domain Services store and the information in it are based on this: the Active Directory Domain Services schema. It defines every type of object that can be stored in the directory and enforces rules regarding object creation and configuration. There are some examples provided: there is a class, what objects can be created in a directory, for instance a user or a computer, and then attached to those classes there are attributes, information attached to an object: a display name, a user name, a computer name, a phone number. There are hundreds of attributes; we could be here all day.

So now we get into the basics of these logical pieces, how they relate. I've already talked about a couple of these; I'm at this point going to go from the simplest to the most complex. Domain: used to group and manage objects in an organization. When you bring up that first server, and you're a local administrator, and you deploy Active Directory, you're going to install the role; then, after that's done, you're going to run the tools to actually create a domain controller. This is what you're going to be creating: you're going to be building a domain. That domain is going to be part of a forest; that forest is going to contain a tree; that tree is going to be your domain for now. They're administrative boundaries for applying group policies and objects, a replication boundary for replicating data between domain controllers, potentially, and an authentication/authorization boundary that provides a way to limit the scope of access to resources. As I mentioned, we're going to build on this: that domain that you're going to create is going to be part of a tree. For the sake of demos today we're only going to have a single domain; we're not going to build out subdomains, as these are called. A domain tree is a hierarchy of domains in AD DS. All domains in a tree share a contiguous namespace with the parent; as you can see here on the slide, contoso.com is our parent domain, and the child domains shown underneath it, such as na.contoso.com, are child domains or subdomains. This is a single tree. There can be additional child domains; those child domains can be as deep or as wide as you like in terms of how many levels and how many domains you'd like to have. By default they create a two-way transitive trust with other domains. We haven't talked about trusts yet, but what this tells us is that any resources in any of these domains can access, or can be accessed by rather, accounts in those domains. I don't have to create anything, allow anything, specifically designate that users in na.contoso.com can access resources in contoso.com; it's automatic.

We expand further: we've got a domain in a tree, we've got the tree in a forest, a forest potentially of multiple trees. A forest is a collection of one or more domain trees. Forests share a common schema, so the definition of our objects and their attributes are going to be the same across the entire forest. They share a common configuration partition. They share a common global catalog to enable searching. This one is important; we talked about Global Catalog servers before.
It's when we get to the forest level that the Global Catalog servers start to matter. If I'm a user in any domain in any tree in a given forest, and I want to find objects in Active Directory, I'm going to query the global catalog, because the global catalog contains all of the objects in all the domains, along with a subset of their attributes. So instead of me trying to find a user that could be in any one of these domains by searching through them iteratively, one at a time, I'm just going to search the global catalog. Two-way trusts between all domains in the forest; again, it's automatic. If a user in this third-tier child domain wants to access a resource in another tree, the trust exists all the way up through those domains, and across to the other trees, and then down through that hierarchy as well. The Enterprise Admins and Schema Admins groups are administrative groups with permissions to modify either the domains, the forest or the trees, and the schema itself. Enterprise Admins and Schema Admins are administrators across an entire forest, as opposed to Domain Admins, which are just administrators across a single domain.

Now we've created this hierarchy: domain, tree, forest. We're going to jump down the other direction, and we're now going to subdivide our domain, and this is where it gets a little complicated. We mentioned a couple of slides ago that a domain is an administrative boundary. It's a way for you to group users and computers, or objects, in your organization together to be administered as a single unit. But that doesn't necessarily mean it's our smallest division. I can, within a domain, create organizational units to further divide those objects into administrative groups. OUs are used to represent your organization hierarchically and/or logically; I should put "and/or" here. There are a number of different criteria for creating organizational units. Manage a collection of objects in a consistent way, and I would almost say here, manage a collection of objects that are consistent with each other but not with other objects: if I have ten users that I want to have a certain security rule applied to, but I don't want that rule applied to the rest of the users of my domain, I'm going to use an organizational unit to do it. Delegate permissions to administer groups of objects: this one is handy, especially in larger enterprises, much like here at Microsoft. If you have business groups defined in your organization, and those business groups have their own IT infrastructures, and they have their own administrators to manage those IT infrastructures, I can create organizational units, I can put users, computers and other objects from those different organizations into those organizational units, and I can give rights to manage those objects to other administrators within those business unit IT departments. And apply policies; again, this is the Group
Policies we referenced, not going to cover in any great depth yet today.

Trusts: we've mentioned them a couple of times. A trust provides a mechanism for users to gain access to resources in another domain. It's actually a pretty simple concept. If I'm in Domain A, contoso.com, and I want to access resources in Domain B, na.contoso.com, in theory that may not be possible. I say in theory because, according to Windows and how things are done in domains here, it is possible by default. It's only possible because, by default in a Windows forest in Active Directory Domain Services, when you add domains to a forest, two-way transitive trusts are created by default. Users in contoso.com can access resources in na.contoso.com and vice versa, of course according to the application of authorization to use those resources. But what it allows me to do as an administrator is, I go into a resource, I can right-click, I go to Properties, I go to the Security tab, when I click Add, I have available to me all of the resources across all the domains in my forest to add to that resource. That isn't always the case; it hasn't always been the case even within Windows operating systems. And I can still, beyond the default trusts created, create further trusts to other domains, external domains potentially, or even create what are called shortcut trusts within my forest. Trusts are typically directional; the trust direction flows from trusting to trusted, and I'm going to try and put this in clear terms. The trusting domain is the domain that contains resources: I have something someone else wants access to.
For me to provide that access to that other domain is to trust that domain and its users to access my resources, so the trust flows from me to the other organization. Transitive trusts are not directional; two-way transitive, or let me rephrase that, two-way transitive trusts are not directional, they flow both directions. The transitive part of a two-way transitive trust is much like some rules you learned in mathematics when you were younger, possibly junior high. If I'm in contoso.com, and then I have na.contoso.com as a subdomain, and I have sales.na.contoso.com as a further subdomain, the way two-way transitive trusts are created, or the transitive property of those trusts, is that if I trust NA, and NA trusts Sales, I trust Sales. My trust of NA flows through NA to anything that they trust as well. And again, these are all two-way by default in Active Directory Domain Services. All domains in a forest trust all other domains in the forest. Trusts can extend outside the forest; those can be established manually. This list is just a list of the
objects available to us, a small, small set of the list of objects available to us in Active Directory Domain Services. Users are going to be probably one of the most familiar. If you've gotten into Active Directory, if you already manage Active Directory, or if you haven't but you happen to have used a computer at any point in the last ten, twenty years, a user is going to be a pretty well-known concept. A user object is merely the representation of a user in Active Directory Domain Services and the attributes attached: name, user name, telephone, office, address, dozens and dozens of attributes. inetOrgPerson is actually the standard; the X.500 standard is the standard upon which the protocol LDAP, Lightweight Directory Access Protocol, is built for communication between directory services, and inetOrgPerson is the X.500 standard representation of a user across any directory service. So this exists in Microsoft's Active Directory Domain Services as a means to communicate across product boundaries; it's used for compatibility with other directory services. Contacts are just that: it's a contact card. This person has an email address outside the organization and we want to keep track of that. Groups, computers, printers and shared folders are all concepts that are relatively straightforward. Groups, there can be some complication; that will be for another course in terms of the technical depth and explanation of groups, nested groups, scope of groups; we'll probably get to that in a future course.

I'm going to jump into a demo. We're going to take a look at Active Directory Domain Services and its actual implementation. Alright, so we're out of PowerPoint, we're into the demo environment. I have a server set up right here. It's been installed; the only configuration steps that I've taken ahead of time are to give it a name and IP address, and that's it. So, starting from a clean slate, we're going to install the Active Directory Domain Services role. We do so by clicking on Add Roles and Features. This brings us into our wizard for all roles and features. I'm not going to skip this page by default, just for the sake of the demo; this is something you'll see when you do this in your environment.
We're doing a role- or feature-based installation, so the default is the correct option. Server selection: we're doing this on the local server, which I've just named SERVER, and the role we're installing is Active Directory Domain Services. As soon as I check that box, it's going to bring up this Add Roles and Features wizard's prerequisites. Microsoft has built Server Manager to automatically detect the prerequisites required when you're installing a given role, and give those to you in a list to preview and select to install. When I click Next, it's going to take me to the features installation page. This one wizard accommodates both roles and features, essentially independently; in this case some of these have been checked because of the requirement from the role selection screen, so we're just going to click Next; we're not going to select any additional features. It gives me a little overview of Active Directory Domain Services, what it does, what it is. Next, on the confirmation: we're installing the Active Directory Domain Services role, along with the Group Policy Management and the Remote Server Administration Tools features. And we click Install.
Now, as this installs, on a related note: this does not create a domain controller. We're not creating a domain, we're not creating a forest, we're not creating any Active Directory Domain Services infrastructure; we're merely lighting up the bits that allow us to do so. So when this is done, we'll be able to then go on to that next step. One of the nice things about the new version of Windows Server: this wizard starts, and I don't have to sit here and watch it; there's a note at the bottom, you can close this wizard without interrupting running tasks, and close this and just wait for it to complete of its own accord in the background. I do get a flag up here that tells me this is running, and I can actually use it to check status. And we're just going to wait for this to complete. As you can see, it doesn't take that long, thirty to sixty seconds, and you'll be done installing the Active Directory Domain Services role. Another nice feature of the new Server Manager: once this is complete, up here in this same window we'll actually get a note, which you'll see in just a moment when it's done, letting us know that there are further configuration steps required to actually implement the Active Directory Domain Services role. Just installing the role, as we've done, isn't enough for it to actually be functional. So now I come up here and we can see there are features installed already; to move to next steps: installation succeeded.

This is where things diverge a little bit for anybody who's familiar with potentially older versions of Windows Server and the mechanisms for promoting domain controllers. You used to open up a Run window or command prompt and run dcpromo. That doesn't work anymore. You now get this warning: the Active Directory Domain Services installation wizard is relocated in Server Manager. So here in Server Manager, once we've installed the role, if I get the right one to come up: Tools. This is where all of our new management tools live. Manage: Add Roles and Features, Create Server Group. So once... OK, so what I had to
do, I forgot to refresh, so I'll just pick up with a note after a quick refresh of the console. We come over here to the flag, so I'll basically back up out of Tools, out of Manage, and pick up after the dcpromo error comes up, and I'll do a quick refresh, and the status is going to change, and then our prompt is in here. OK. So after I close that warning telling me that I can no longer do dcpromo the traditional way, I can run a quick refresh of my console, and what that will do is bring up a second task and a flag, or a notification on the flag, that lets me know: configuration required for Active Directory Domain Services at SERVER, and my link is now here: Promote this server to a domain controller, which is our next step. It's good and bad these days that Microsoft makes a lot of things very easy; not quite as complex as it used to be. It may take a second to come up, and in this case it came up behind my other window, so let me bring it to the front. This is very much a wizard; it's going to walk us through the process top to bottom. Select the deployment operation is first. We don't have an existing domain, we don't have an existing forest, so we have to create a new forest. So, as I explained earlier, from the domain up, we have to create this from the top down: forest first, then, well, the tree sort of comes from the domain name we're going to give it. So root domain name: contoso.com. This gives us domain controller options: forest functional level and domain functional level. We're not going to go into details of what those mean in this session; there will again be subsequent courses that go into great detail on those options. I'm going to give this a quick password. What that password is in your environment, obviously, is up to you; make sure to document all passwords adequately and securely. Domain Name System server, DNS server, and global catalog: these are options we're selecting. The DNS server is an option; I can uncheck it, although in this case I have not installed DNS ahead of time, so this domain controller has to have DNS installed and configured along with it to function correctly. The global catalog is not an option
because this is our first domain controller for a new forest it automatically has to be a global catalog
there is a warning at the top of the screen a delegation for this D.M.'s or cannot be created because the
authoritative parent zone cannot be found or does not run Windows D.S. server we don't have a parent
zone we don't have any D.N.A. in this case existing prior in your existing environments in organizations
you may and the server will be configured to find that the N.S.A. already and this delegation can be
created. So we're going to click Next through that. The net last name is going to be generated
automatically. You can change it if you want. Depending on the domain name you've chosen you may
have to based on the link in this case can toso is perfectly acceptable we're going to accept that and
move on to the next step in this next one I mentioned earlier that the data store that file and T.D.'s
dubbed it. Where it's stored is right here see slash windows slash in T.D.'s same thing for the log file this
can be modified. There are a number of guidelines for putting this file on other volumes it does have to
be a local volume it cannot be kept on a network there are other criteria rules and considerations for
moving it elsewhere again we're not going to cover those in this we're just going to go and accept the
defaults and put our N.T.'s dubbed it on the C. Drive we get one more quick glance at our options what
we've selected one thing I haven't talked about and won't talk 7 IntroToADM02_high about too much in
this course is Power Shell as an administrative tool for actor director Domain Services as this course is
more of an overview we're not going into a lot of technical depth on the tools used to manage or
manipulate actor director Domain Services more just what it is but if you're familiar with Power Shell or
you've seen or taken other courses that Microsoft provides which we have plenty of on the topic this
button view script will allow you to see an automatically generated power shell script for the promotion
of this computer to a domain controller This is a terrific tool if you're planning on promoting a number
of computers or domain controllers and you want to automate that process you run through it once by
hand you get your script you add this to a script that somehow through a number of different possible
means runs through a list of servers that you want to promote and these options are already prepared
for you in this case we're not to use the script we're just going to continue the wizard next it make sure
that all my prerequisites are met I don't anticipate any problems with this step should not take very long
either. Notice there is a notification at the bottom of the window if you click install the server
automatically reboot at the end of the promotion operation a domain controller promotion is a really
required scenario a couple of mentions a couple of notifications Windows Server twenty twelve have a
default for security setting named allow cryptography algorithms compatible with Windows N.T. four.
We're not going to details just know that these are standard warnings none of these are expected in this
case. A delegation for this D.M.'s or cannot be created this is the same error we saw before
prerequisites check completed and passed successfully none of these are stopping errors we're going to
install. And we're going to actually move to another virtual machine that already has this process done
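The following is an added example and not the wizard's generated output or any script from the course: it is the Windows PowerShell equivalent of the steps just walked through, from installing the role to the prerequisite check and the promotion itself, written the way the output of the View script button is normally reused for unattended builds. The contoso.com name, the CONTOSO NetBIOS name, installing DNS with no delegation, and the default C:\Windows\NTDS and SYSVOL paths come from the demo; prompting for the password and checking the prerequisite result are assumptions about how you would wrap the cmdlets. The password the wizard asks for at that step is the Directory Services Restore Mode (DSRM) password, which is the -SafeModeAdministratorPassword parameter.

```powershell
# Added example (not the course's or the wizard's own script): unattended
# equivalent of the role install, prerequisite check and forest promotion.
# Run in an elevated PowerShell session on the server to be promoted.

# Step 1: install the AD DS role. No forest exists yet; this only adds the bits
# and the management tools that later show up under Server Manager > Tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: the DSRM password. It lets someone log on to this DC in restore mode
# with full access to the database, so prompt for it rather than hard-coding
# it, and record it in a password vault afterwards.
$dsrmPassword = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

Import-Module ADDSDeployment

# Options selected in the wizard, shared by the check and the promotion.
$forestParams = @{
    DomainName                    = "contoso.com"
    DomainNetbiosName             = "CONTOSO"          # NetBIOS names are limited to 15 characters
    ForestMode                    = "Win2012"
    DomainMode                    = "Win2012"
    InstallDns                    = $true              # no DNS existed beforehand, so the DC hosts it
    CreateDnsDelegation           = $false             # no parent zone: the same warning the wizard shows
    DatabasePath                  = "C:\Windows\NTDS"  # NTDS.dit must live on a local volume
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrmPassword
}

# Step 3: the prerequisite check the wizard runs before Install. It changes
# nothing on the server and reports the same warnings (DNS delegation,
# NT 4.0-compatible cryptography); a blocking error sets Status to something
# other than Success, and we stop there instead of promoting.
$check = Test-ADDSForestInstallation @forestParams
$check.Message
if ($check.Status -ne 'Success') {
    throw "Prerequisite check did not pass: $($check.Message)"
}

# Step 4: promote. -Force suppresses the confirmation so the script can run
# unattended; the server reboots when the promotion finishes, exactly as the
# note at the bottom of the wizard says.
Install-ADDSForest @forestParams -NoRebootOnCompletion:$false -Force
```

Test-ADDSForestInstallation is the part worth keeping in any automation: it is the only step that is free to rerun. Once Install-ADDSForest has run, the machine is a domain controller and the only way back is demotion. Treat the DSRM password as a privileged credential on the same footing as the domain Administrator password; it is the one account that still works when the directory itself is offline.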
Again, it's automated; there's not much I can do at this point, not much I'm even going to see, and it doesn't give me a lot of detail in this window. So we're going to switch over to another virtual machine on which this is already done. Server Manager is already open; you can see I've got all the roles installed. We'll use this one as our functional demo, after the installation of this on the other server. This is what your server is going to look like after Active Directory Domain Services has been installed; you're going to see this in Server Manager. We've got an entry related to AD DS; we've got servers on which this role is installed, in this case just this one. Under Tools we now have some new options: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Users and Computers, and ADSI Edit. All of these are added through the process of installing the Active Directory Domain Services role and promoting the server to a domain controller. Group Policy Management is also on that list. And that's it; those are all the ones installed right away.

What we're going to do is just a brief rundown of each of those tools: see what they do and how they function. There was actually some question on my team as I was preparing for this course whether or not I was going to use Server Manager that much, just because not everybody watching this course may be using Server 2012, and it's a lot different in 2012 than it was in prior versions. However, I'm going to use multiple methods, because it's what we have available to us and everyone should know all of the ways to manage.

One new tool in 2012 is the Active Directory Administrative Center. This is a new centralized tool for managing our domain. As we've already seen in the Tools menu there are a number of tools installed; Microsoft is attempting to consolidate. Overview: this is one of the better changes in the new Server Manager; it gives me a lot of information about these tools right off the bat. Learn more: use the Administrative Center to manage tasks, use the Active Directory module for Windows PowerShell, find answers on the Active Directory forums. Dynamic Access Control is a feature we're not going to talk much about here today, and the next section is dedicated to helping configure Dynamic Access Control, so it goes with that last topic. Over here on the left, this contoso (local) is our domain. You now have a view of the domain you just created: for example Computers, Domain Controllers (which we actually have) and Users. For anybody who is familiar with Active Directory Domain Services, or has installed Active Directory Domain Services or the prior Active Directory, these should look pretty familiar; most of these groups, anyway, have been around for a long time.

To look at some of the other versions of these tools: this allows us to do some things. Older versions of this might look a little bit different. In the new server obviously we have a new interface on the desktop, we have our new start menu, but we do have familiar tools. Active Directory Users and Computers is the old snap-in for managing parts of your domain. You'll see some of the same options here we just saw: Computers, Domain Controllers (of which we have one) and Users. We'll come back to that; I want to minimize it and look at it again in a minute. Active Directory Domains and Trusts doesn't seem like there's a whole lot to it; we only have one domain, and we don't have any trusts created because we only have one domain total, but it's in Properties that a lot of this tool's value comes out. This is where we would create or manage previously created trusts between this domain and other domains. We talked briefly in the course about sites. Active Directory Sites and Services is a tool for managing sites. As mentioned, sites map to IP subnets. There is a site right here, created by default: Default-First-Site-Name. This is always the name (hence the title, default first site name) any time you create an Active Directory domain. This is your starting point. These are the servers in that site; these are the settings that relate to that server in that site. If we go into Properties we see connections; this is where we'll see other servers, other domain controllers, that we're replicating to and from. And then the normal Security tab and the Attribute Editor. There are options for this as well; we're not going to be doing any demos involving multiple sites, but this is where you would manage that.

All right, I'll close out this demo. I'm going to open up Active Directory Users and Computers; we're going to do a little bit of a comparison, old tools and new tools, as well as exploring really the meat of Active Directory Domain Services and what it manages, which is objects: users, computers and the like. Here we have the old version, Active Directory Users and Computers, up on the screen. We're going to double-click on this Administrator account and just look at the options available: names, numbers, emails, organizational details, address, and the Account tab, a little bit of a technical tab: logon names, logon hours restrictions (which, because the Administrator account is the domain administrator account, I can't restrict), Log On To (same thing, I can't restrict this because it's a domain administrator account, where I otherwise could restrict which computers this account could actually log on to), and account options. To go through all of these one at a time would take us far longer than we have for this course, but feel free, if you've followed along with this demo or if you've got an environment where you have access to this information, to explore these tabs, what the options are and what they mean. This really becomes the foundation of Active Directory Domain Services. Now I'm going to close this, and we're going to look at the same information in the new tool. The Active Directory Administrative Center is now open; I've got my domain selected, I've got Users selected, and this is the same list. I can right-click and there are actual tasks on here that I can do, or I can double-click and it will open that object in another window, very similar to what we just saw with Active Directory Users and Computers, and a lot of the same options exist right here on the screen: name, logon details, UPN and SAM account name. Organization: display name, job title, even email address. Member Of: what groups I'm in, and I can enroll in membership to new groups.
Password settings. Profile settings: again, options we saw. And then down here at the bottom, under Extensions, these are the tabs that were available in Active Directory Users and Computers that haven't yet been put into this new forms-based interface, so these are the remaining tabs: session information, remote control information. So the same options are available; we've just changed how it's presented, made it a little bit easier, a little bit more consolidated. There's a lot more on this one screen than having to go through those first four or five tabs to get all this information. That is pretty much the end of the demo on Active Directory Domain Services. Provided in this particular slide is a module review and takeaways; when you download this slide deck it's going to be available to you. It's going to have review questions and a summary of the topics discussed; that's not something we're necessarily going to go over in detail right now. And that sums up what we've covered so far with Active Directory Domain Services: how to install it, how to promote a domain controller, some of the basics of the structures involved, both logical and physical, and we've taken a look at the tools used to manage Active Directory Domain Services once it's installed. That's it for now, and we'll see you in the next module.