
Module 1: Implementing Active Directory® Domain Services
Module Overview
• Installing Active Directory Domain Services

• Deploying Read-Only Domain Controllers

• Configuring AD DS Domain Controller Roles


Lesson 1: Installing Active Directory Domain Services
• Requirements for Installing AD DS

• What Are Domain and Forest Functional Levels?

• AD DS Installation Process

• Advanced Options for Installing AD DS

• Installing AD DS from Media

• Demonstration: Verifying the AD DS Installation

• Upgrading to Windows Server® 2008 AD DS

• Installing AD DS on a Server Core Computer

• Discussion: Common Configuration for AD DS


Requirements for Installing AD DS

Server requirements to install AD DS:
• A computer running Windows Server 2008 (Web Server edition not supported)
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system

Network configuration:
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or one will be configured on the domain controller

Administrator permissions:
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest
What Are Domain and Forest Functional Levels?

Functional levels:

• Determine the AD DS features available in a domain or forest

• Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest

Supported functional levels:

Windows® 2000 native domain functional level
• Supported domain controller operating systems: Windows Server 2008, Windows Server 2003, Windows 2000 Server
• Forest functional level: Windows 2000

Windows Server® 2003 domain functional level
• Supported domain controller operating systems: Windows Server 2008, Windows Server 2003
• Forest functional level: Windows Server 2003

Windows Server 2008 domain functional level
• Supported domain controller operating systems: Windows Server 2008
• Forest functional level: Windows Server 2008
AD DS Installation Process

1. Install the Active Directory Domain Services role using the Server Manager

2. Run the Active Directory Domain Services Installation Wizard

3. Choose the deployment configuration

4. Select the additional domain controller features

5. Select the location for the database, log files, and SYSVOL folder

6. Configure the Directory Services Restore Mode Administrator Password
Advanced Options for Installing AD DS

To access the advanced mode installation options, choose the Advanced Mode option in the Installation Wizard or run DCPromo /adv

Use the advanced mode options to:

• Create a new domain tree

• Use backup media as the source for AD DS information

• Select the source domain controller for the installation

• Modify the default domain NetBIOS name

• Define the Password Replication Policy for an RODC


Installing AD DS from Media

Use Ntdsutil.exe to create the installation media

Ntdsutil.exe can create the following types of installation media:


• Full (or writable) domain controller

• Full (or writable) domain controller with SYSVOL data

• Read-only domain controller with SYSVOL data

• Read-only domain controller


Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation
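The demonstration slide names the task but not the checks. The script below is an added example, not part of the course material: it runs the verification steps a practitioner would perform after promoting a domain controller (SYSVOL/NETLOGON shares, SRV records, dcdiag, replication state, operations master holders) and returns them as one report. `NYC-DC1` and `contoso.example` are constructed placeholders; the tools invoked (`dcdiag`, `nslookup`, `repadmin`, `netdom`) are the standard Windows Server 2008 AD DS tools.

```powershell
# Added example (not from the course slides): checks to run after promoting a domain controller.
# "NYC-DC1" and "contoso.example" are constructed placeholders.

function Test-NewDomainController {
    param(
        [Parameter(Mandatory)] [string] $Server,     # short name of the new domain controller
        [Parameter(Mandatory)] [string] $DomainDns   # DNS name of its domain
    )
    $results = @{}

    # 1. SYSVOL and NETLOGON must be shared before the DC advertises itself or Group Policy applies.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $Server |
              Where-Object { $_.Name -match '^(SYSVOL|NETLOGON)$' }
    $results['SharesPresent'] = ($shares | Measure-Object).Count -eq 2

    # 2. The SRV records that clients use to locate a DC must be registered in DNS.
    $srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$DomainDns" 2>&1
    $results['SrvRecordFound'] = ($srv -match $Server).Count -gt 0

    # 3. dcdiag exercises the directory itself; /q prints only failures, so empty output means pass.
    $dcdiag = & dcdiag.exe /s:$Server /test:sysvolcheck /test:advertising /test:replications /test:dns /q 2>&1
    $results['DcdiagClean'] = ($dcdiag | Where-Object { $_ -match '\S' }).Count -eq 0

    # 4. Inbound replication from existing partners; failing links are listed here.
    $results['Replication'] = & repadmin.exe /showrepl $Server

    # 5. Which servers hold the five operations master roles (the first DC in a forest holds all of them).
    $results['Fsmo'] = & netdom.exe query fsmo

    return $results
}

# Usage: run from an elevated prompt on a domain-joined machine with the AD DS tools installed.
$report = Test-NewDomainController -Server 'NYC-DC1' -DomainDns 'contoso.example'
$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```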
Upgrading to Windows Server 2008 AD DS

To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:

Current version: Windows 2000 or Windows Server 2003
Before installing: Windows Server 2008 domain controllers (must be run before other adprep commands)
Command: adprep /forestprep

Current version: Windows 2000 Server
Before installing: Windows Server 2008 domain controllers
Command: adprep /domainprep /gpprep

Current version: Windows Server 2003
Before installing: Windows Server 2008 domain controllers
Command: adprep /domainprep

Current version: Windows Server 2003
Before installing: Windows Server 2008 RODCs
Command: adprep /rodcprep
Installing AD DS on a Server Core Computer

To install AD DS on a Server Core computer, perform an unattended installation using an answer file

Use the following syntax with the Dcpromo command:

Dcpromo /answer[:filename]

Where filename is the name of your answer file
Discussion: Common Configuration for AD DS
• What additional steps would you take in your environment
after installing the first Windows Server 2008 domain
controller?
• How would these tasks change after you have deployed
additional domain controllers in your domain?
• Which of the recommendations listed in the Server
Manager apply to your organization?
Lesson 2: Deploying Read-Only Domain Controllers
• What Is a Read-Only Domain Controller?

• Read-Only Domain Controller Features

• Preparing to Install the RODC

• Installing the RODC

• Delegating the RODC Installation

• What Are Password Replication Policies?

• Demonstration: Configuring Administrator Role Separation and Password Replication Policies
What Is a Read-Only Domain Controller?

RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication

RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller

RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security
Read-Only Domain Controller Features

RODCs provide:

• Unidirectional replication

• Credential caching

• Administrative role separation

• Read-only DNS

• RODC filtered attribute set


Preparing to Install the RODC

Before installing an RODC:

• Ensure that the domain and forest are at the Windows Server 2003 functional level

• Ensure a writeable domain controller running Windows Server 2008 is available to replicate the domain partition

• Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions

• Run ADPrep /domainprep in all domains if the RODC will be a global catalog server
Installing the RODC

1. Choose the option to install an additional domain controller in an existing domain

2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard

3. Choose advanced mode installation if you want to configure the password replication policy

To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value
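Both the Server Core installation in Lesson 1 (Dcpromo /answer:filename) and the RODC installation above rely on the same answer file. The script below, added here as an example and not from the course, builds that file and runs the promotion for two scenarios: a writable replica on a Server Core computer, and an RODC with its password replication policy set in the file. Only `ReplicaOrNewDomain=ReadOnlyReplica` and the `/UseExistingAccount:Attach` switch (here as the `UseExistingAccount=Attach` key) appear on the slides; the other `[DCINSTALL]` keys follow the Windows Server 2008 dcpromo unattend format, and the domain, site, path, group and account values are constructed placeholders.

```powershell
# Added example (not from the course slides): generate a dcpromo answer file and run the
# unattended promotion. Key names follow the Windows Server 2008 dcpromo unattend format;
# the domain, site, path, group and account values are constructed placeholders.

function New-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Settings
    )
    # dcpromo reads a single [DCINSTALL] section of Key=Value lines.
    $lines = @('[DCINSTALL]')
    foreach ($key in ($Settings.Keys | Sort-Object)) {
        $lines += ('{0}={1}' -f $key, $Settings[$key])
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

# Settings shared by both scenarios.
$common = @{
    ReplicaDomainDNSName  = 'contoso.example'         # placeholder domain
    UserDomain            = 'contoso.example'
    UserName              = 'dcadmin'                 # placeholder account allowed to promote
    Password              = '*'                       # '*' makes dcpromo prompt rather than store it
    InstallDNS            = 'Yes'
    ConfirmGc             = 'Yes'
    DatabasePath          = 'C:\Windows\NTDS'
    LogPath               = 'C:\Windows\NTDS'
    SYSVOLPath            = 'C:\Windows\SYSVOL'
    SafeModeAdminPassword = 'REPLACE-WITH-DSRM-PASSWORD'
    RebootOnCompletion    = 'No'                      # reboot by hand once the file is removed
}

# Scenario A: a writable replica on a Server Core computer in an existing domain.
$replica = $common.Clone()
$replica.ReplicaOrNewDomain = 'Replica'
$replica.SiteName           = 'Default-First-Site-Name'

# Scenario B: an RODC installed by a delegated branch admin against a pre-created computer
# account, with the password replication policy set in the same file.
$rodc = $common.Clone()
$rodc.ReplicaOrNewDomain         = 'ReadOnlyReplica'
$rodc.UseExistingAccount         = 'Attach'                        # same as /UseExistingAccount:Attach
$rodc.SiteName                   = 'Branch-Toronto'                # placeholder site
$rodc.PasswordReplicationAllowed = 'CONTOSO\Toronto Users'         # placeholder group
$rodc.PasswordReplicationDenied  = 'CONTOSO\Domain Admins'         # privileged secrets are never cached
$rodc.DelegatedAdmin             = 'CONTOSO\Toronto Branch Admins' # placeholder group

function Invoke-UnattendedDcpromo {
    param([Parameter(Mandatory)] [hashtable] $Settings)
    $answer = New-DcpromoAnswerFile -Path (Join-Path $env:TEMP 'dcpromo-answer.txt') -Settings $Settings
    try {
        # Same command as on the slide. A Windows Server 2008 Server Core computer has no
        # PowerShell: copy the file there and run this one line from cmd.exe instead.
        Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:$answer" -Wait
    } finally {
        # The file holds the DSRM password in clear text, so it must not outlive the promotion.
        Remove-Item -Path $answer -Force
    }
}

# Usage: promote this computer as the branch RODC (use $replica for scenario A).
Invoke-UnattendedDcpromo -Settings $rodc
```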
Delegating the RODC Installation

To delegate the installation of an RODC:

• Pre-create the RODC computer account in the Domain Controllers container

• Assign a user or group with permission to install the RODC

To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch
What Are Password Replication Policies?

• The password replication policy determines how the RODC performs credential caching for authenticated users

• By default, the RODC does not cache any user credentials or computer credentials

Options for configuring password replication policies:

• No credentials cached

• Enable credential caching on an RODC for specified accounts

• Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs
Demonstration: Configuring Administrator Role Separation and Password Replication Policies
In this demonstration, you will see how to:
• Configure administrator role separation

• Configure the RODC password replication groups

• Track which users log on to an RODC

• Configure password replication policies for those accounts
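The last three demonstration items (review the replication groups, track who has logged on through the RODC, set the policy for those accounts) correspond to the `repadmin /prp` subcommands. The script below is an added example, not the course's demonstration; `BRANCH-RODC1`, the `CONTOSO` domain and the group names are constructed placeholders, and `repadmin /prp view|add|move` are the standard Windows Server 2008 subcommands.

```powershell
# Added example (not from the course slides): review and adjust an RODC's password replication
# policy with repadmin /prp. "BRANCH-RODC1", "CONTOSO" and the groups are constructed placeholders.

function Get-RodcPrpList {
    param(
        [Parameter(Mandatory)] [string] $Rodc,
        [Parameter(Mandatory)] [ValidateSet('allow', 'deny', 'auth2', 'reveal')] [string] $List
    )
    # allow / deny : the policy itself
    # auth2        : accounts that have authenticated through this RODC (the logons the slide tracks)
    # reveal       : accounts whose secrets are currently cached on it
    & repadmin.exe /prp view $Rodc $List
}

function Find-PrivilegedCachedAccounts {
    param(
        [Parameter(Mandatory)] [string] $Rodc,
        [string[]] $Patterns = @('Domain Admins', 'Enterprise Admins', 'Administrator')
    )
    # A privileged secret cached on a branch RODC defeats the reason for deploying one; flag any hit.
    $revealed = Get-RodcPrpList -Rodc $Rodc -List reveal
    $revealed | Select-String -SimpleMatch -Pattern $Patterns
}

$Rodc = 'BRANCH-RODC1'

# 1. Current policy. Out of the box only the Allowed and Denied RODC Password Replication Groups
#    are listed, and the Allowed group is empty: the "no credentials cached" default.
Get-RodcPrpList -Rodc $Rodc -List allow
Get-RodcPrpList -Rodc $Rodc -List deny

# 2. Who has logged on through the RODC so far.
Get-RodcPrpList -Rodc $Rodc -List auth2

# 3. Allow caching for the branch's users and workstations on this RODC only ...
& repadmin.exe /prp add $Rodc allow 'CONTOSO\Toronto Users'
& repadmin.exe /prp add $Rodc allow 'CONTOSO\Toronto Workstations'

# ... or collect the auth2 accounts into a group (created if absent) and allow that group.
& repadmin.exe /prp move $Rodc 'Toronto Cached Accounts'
& repadmin.exe /prp add  $Rodc allow 'CONTOSO\Toronto Cached Accounts'

# 4. Verify: nothing privileged should ever be cached at the branch.
Find-PrivilegedCachedAccounts -Rodc $Rodc
```

Adding accounts per RODC with `repadmin /prp add` keeps the scope to one branch; adding them to the domain-wide Allowed group (the slide's third option) caches them on every RODC in the domain, so it is the coarser choice.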


Lesson 3: Configuring AD DS Domain Controller Roles
• What Are Global Catalog Servers?

• Modifying the Global Catalog

• Demonstration: Configuring Global Catalog Servers

• What Are Operations Master Roles?

• Demonstration: Managing Operation Master Roles

• How Windows Time Service Works


What Are Global Catalog Servers?

[Figure: several domains in a forest; a query is sent to the global catalog server and the result is returned]
Modifying the Global Catalog

[Figure: the attribute set replicated to a global catalog server, before and after additional attributes are created. Common attributes: firstName, lastName, email address, accountExpires, distinguishedName. Changed attributes: the same set plus department]

Add only the additional attributes to which you query or frequently refer
Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
• Configure global catalog servers using Active Directory
Sites and Services
• Configure a domain controller on Server Core as a global
catalog server
• Add attributes to the global catalog server
What Are Operations Master Roles?

Schema Master
• One per forest
• Performs all updates to the Active Directory schema

Domain Naming Master
• One per forest
• Manages adding and removing all domains and directory partitions

RID Master
• One per domain
• Allocates blocks of RIDs to each domain controller in the domain

PDC Emulator
• One per domain
• Minimizes replication latency for password changes
• Synchronizes time on all domain controllers in the domain

Infrastructure Master
• One per domain
• Updates object references in its domain that point to the object in another domain
Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
• Determine which server holds an operations master role

• Move an operations master role

• Seize an operations master role


How Windows Time Service Works

Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers

In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers

[Figure: time flows from the PDC Emulator to the domain controllers, and from them to client computers]

Time synchronization is important because:

• Kerberos authentication includes a time stamp

• Replication between domain controllers is time stamped
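The operations master demonstration (find, move, seize a role) and the time slide meet at the PDC Emulator, which is both a role holder and the root of the time hierarchy. The script below is an added example and not the course's demonstration: it parses the role holders out of `netdom query fsmo`, wraps an `ntdsutil` role transfer, and checks that the PDC Emulator syncs from an external source while every other domain controller follows the domain hierarchy. Server names and the NTP peer `ntp.example.net` are constructed placeholders; `netdom`, `ntdsutil` and `w32tm` are the standard Windows Server 2008 tools.

```powershell
# Added example (not from the course slides): locate the operations master role holders, move one
# with ntdsutil, and check that the time hierarchy is anchored at the PDC emulator.
# Server names and the NTP peer are constructed placeholders.

function Get-FsmoHolders {
    # netdom prints one "<role name>   <server>" line per role; return them as a hashtable.
    $holders = @{}
    & netdom.exe query fsmo | ForEach-Object {
        if ($_ -match '^(\S.*?)\s{2,}(\S+)\s*$') { $holders[$matches[1]] = $matches[2] }
    }
    return $holders
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        # ntdsutil role names: "schema master", "naming master", "RID master", "PDC", "infrastructure master"
        [Parameter(Mandatory)] [string] $Role
    )
    # A transfer needs the current holder online and is the normal way to move a role. Replace
    # "transfer" with "seize" only when the holder is permanently gone, and never let it return.
    & ntdsutil.exe roles connections "connect to server $TargetDc" quit "transfer $Role" quit quit
}

function Get-TimeSource {
    param([Parameter(Mandatory)] [string] $Computer)
    # Where a machine takes time from: an NTP peer, or "Local CMOS Clock" (a bad sign on a DC).
    & w32tm.exe /query /computer:$Computer /source
}

$fsmo = Get-FsmoHolders
$pdc  = $fsmo['PDC']          # netdom labels the PDC Emulator role "PDC"

# The forest-root PDC Emulator should sync from an external source and be marked reliable, so
# that every other DC, and through them every client, follows it via the domain hierarchy.
& w32tm.exe /config /computer:$pdc /manualpeerlist:"ntp.example.net" /syncfromflags:manual /reliable:yes /update
& w32tm.exe /resync /computer:$pdc

# Every other DC should take time from the domain hierarchy, not from a manual peer.
$otherDcs = (& netdom.exe query dc) | Where-Object { $_ -match '^\S+$' -and $_ -ne $pdc.Split('.')[0] }
foreach ($dc in $otherDcs) {
    & w32tm.exe /config /computer:$dc /syncfromflags:domhier /update
    '{0,-20} {1}' -f $dc, (Get-TimeSource -Computer $dc)
}

# Moving the PDC Emulator moves the time anchor with it; rerun the w32tm configuration on both
# servers afterwards. Uncomment to transfer the role:
# Move-FsmoRole -TargetDc 'NYC-DC2' -Role 'PDC'
```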


Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles

• Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

• Exercise 2: Installing and Configuring an RODC

• Exercise 3: Configuring AD DS Domain Controller Roles

Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
• Why did Axel’s account not have permission to create any
objects in AD DS?
• What were the two connection objects that were created
from NYC-DC1 to TOR-DC1? Why was no connection
object created from TOR-DC1 to NYC-DC1?
• Could you have assigned the Domain Naming Master role
to TOR-DC1?
• What would happen when you add a new attribute to the
global catalog?
Module Review and Takeaways
• Review questions

• Key points
