Module 1: Implementing Active Directory Domain Services
Module Overview
- Installing Active Directory Domain Services
- Deploying Read-Only Domain Controllers
- Configuring AD DS Domain Controller Roles
Lesson 1: Installing Active Directory Domain Services
- Requirements for Installing AD DS
- What Are Domain and Forest Functional Levels?
- AD DS Installation Process
- Advanced Options for Installing AD DS
- Installing AD DS from Media
- Demonstration: Verifying the AD DS Installation
- Upgrading to Windows Server 2008 AD DS
- Installing AD DS on a Server Core Computer
- Discussion: Common Configuration for AD DS
Requirements for Installing AD DS
Server requirements:
- A computer running Windows Server 2008
- Minimum disk space of 250 MB and a partition formatted with the NTFS file system
- TCP/IP must be configured, including DNS client settings

Network configuration:
- A DNS server that supports dynamic updates must be available, or DNS will be configured on the domain controller

Administrator permissions:
- Local Administrator permissions to install the first domain controller in a forest
- Domain Administrator permissions to install additional domain controllers in a domain
- Enterprise Administrator permissions to install additional domains in a forest
What Are Domain and Forest Functional Levels?
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can run on domain controllers in the domain or forest
- Can only be raised, not lowered, in Windows Server 2008: confirm that no older domain controller will ever be needed before raising a level

Supported functional levels:

Domain functional level    Supported domain controller operating systems
Windows 2000 native        Windows 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003        Windows Server 2003, Windows Server 2008
Windows Server 2008        Windows Server 2008

Forest functional level    Supported domain controller operating systems
Windows 2000               Windows 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003        Windows Server 2003, Windows Server 2008
Windows Server 2008        Windows Server 2008
AD DS Installation Process
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
Advanced Options for Installing AD DS
To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run dcpromo /adv. Use the advanced mode options to:
- Create a new domain tree
- Use backup media as the source for AD DS information
- Select the source domain controller for the installation
- Modify the default domain NetBIOS name
- Define the Password Replication Policy for an RODC
Installing AD DS from Media
Use Ntdsutil.exe to create the installation media. Ntdsutil.exe can create the following types of installation media:
- Full (or writable) domain controller
- Full (or writable) domain controller without SYSVOL data
- Read-only domain controller
- Read-only domain controller without SYSVOL data
Full media is a copy of the directory database, including every password hash in the domain, so protect it like a domain controller backup. RODC media has the secrets removed. Media must be used before it is older than the tombstone lifetime, or dcpromo rejects it.
Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation
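The checks below are an added example, not the course's demonstration script. They cover what a new domain controller must be doing before it is trusted with logons: running the right services, registered in DNS, found by the locator, publishing SYSVOL and NETLOGON, and replicating. Domain and server names are assumptions; it needs PowerShell 2.0 and the AD admin tools on the machine running it.

```powershell
# Added example, not the course's demonstration script. Domain and server names are assumptions.
$domain = 'contoso.com'
$dc     = 'NYC-DC1'

# 1. The services a DC must run: directory, DNS, Kerberos KDC, Netlogon (SRV registration), time.
Get-Service -ComputerName $dc -Name NTDS, DNS, Kdc, Netlogon, W32Time |
    Format-Table Name, Status -AutoSize

# 2. SRV records. Clients locate DCs through DNS, not by host name, so these must resolve.
nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nslookup.exe -type=SRV "_kerberos._tcp.dc._msdcs.$domain"

# 3. The DC locator (run this on the new DC itself): the flags line must include DS, KDC and WRITABLE.
nltest.exe /dsgetdc:$domain /force

# 4. Shares: NETLOGON and SYSVOL must be published before logon scripts and Group Policy work.
net.exe view "\\$dc"

# 5. Health and replication. dcdiag accepts several /test switches in one run.
dcdiag.exe /s:$dc /test:Advertising /test:Services /test:Replications /test:DNS
repadmin.exe /showrepl $dc

# 6. Anything promotion logged as an error or warning.
Get-EventLog -ComputerName $dc -LogName 'Directory Service' -EntryType Error, Warning -Newest 20 |
    Format-Table TimeGenerated, EventID, Source, Message -AutoSize
Get-Content "$env:windir\debug\dcpromo.log" |
    Select-String -Pattern 'error|fail' |
    Select-Object -Last 20
```

If the SRV lookups fail, restart Netlogon on the new DC (it re-registers the records) before touching anything else; most "cannot find domain controller" symptoms after promotion are DNS registration, not AD DS.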
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:
Current version                              Before installing                         Command
Windows 2000 Server or Windows Server 2003   Windows Server 2008 domain controllers    adprep /forestprep
Windows 2000 Server                          Windows Server 2008 domain controllers    adprep /domainprep /gpprep
Windows Server 2003                          Windows Server 2008 domain controllers    adprep /domainprep
Windows Server 2003                          Windows Server 2008 RODCs                 adprep /rodcprep

Run adprep /forestprep on the schema master as a member of Schema Admins and Enterprise Admins, wait for the schema changes to replicate to every domain controller, then run adprep /domainprep on the infrastructure master of each domain as a member of Domain Admins. adprep /rodcprep can be run from any computer as an Enterprise Admin. The Adprep.exe tool is in the \sources\adprep folder of the Windows Server 2008 installation media.
Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file, because the Installation Wizard is not available without the full shell.
Use the following syntax with the Dcpromo command: dcpromo /answer[:filename], where filename is the path to your answer file.
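An answer file that performs the six wizard steps from "AD DS Installation Process" unattended, as an added example (not course material). Domain name, paths and passwords are assumptions; the keys are the Windows Server 2008 dcpromo [DCInstall] unattend keys. The file can be authored on any computer with PowerShell and copied to the Server Core machine, where the dcpromo line is typed into cmd.exe.

```powershell
# Added example, not from the course. Domain name, paths and passwords are assumptions.
$answerFile = 'C:\dcpromo-newforest.txt'
# Single-quoted here-string: nothing inside is expanded, which matters for "$$" in the password.
@'
[DCInstall]
; Step 3: deployment configuration, first DC of a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008
ForestLevel=3
DomainLevel=3
; Step 4: additional features (the first DC in a forest is always a global catalog)
InstallDNS=Yes
; Step 5: database, log and SYSVOL locations
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Step 6: Directory Services Restore Mode password. This file holds a secret in clear text:
; keep it off shares, and delete it as soon as promotion has completed.
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII

# Step 1 (role binaries) on a full installation; on Server Core dcpromo installs them itself.
servermanagercmd.exe -install AD-Domain-Services
# Steps 2 to 6 run unattended from the file.
dcpromo.exe /answer:$answerFile
```

For an additional domain controller in an existing domain the same file uses ReplicaOrNewDomain=Replica, ReplicaDomainDNSName=contoso.com and the UserDomain, UserName and Password=* keys (the asterisk makes dcpromo prompt rather than storing the credential in the file).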
Discussion: Common Configuration for AD DS
- What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?
- How would these tasks change after you have deployed additional domain controllers in your domain?
- Which of the recommendations listed in Server Manager apply to your organization?
Lesson 2: Deploying Read-Only Domain Controllers
- What Is a Read-Only Domain Controller?
- Read-Only Domain Controller Features
- Preparing to Install the RODC
- Installing the RODC
- Delegating the RODC Installation
- What Are Password Replication Policies?
- Demonstration: Configuring Administrator Role Separation and Password Replication Policies
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the Active Directory database. They pull replicated changes from writable domain controllers and never replicate changes outbound, so a compromised RODC cannot write anything back into the directory.

RODCs provide:
- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller

RODCs:
- Cannot hold operations master roles or be configured as replication bridgehead servers
- Can be deployed on a Windows Server 2008 Server Core installation for additional security
Read-Only Domain Controller Features
RODCs provide:
- Unidirectional replication
- Credential caching
- Administrative role separation
- Read-only DNS
- RODC filtered attribute set
Preparing to Install the RODC
Before installing an RODC:
- Ensure that the domain and forest functional levels are Windows Server 2003 or higher
- Ensure that a writable domain controller running Windows Server 2008 is available to replicate the domain partition; an RODC cannot replicate from a Windows Server 2003 domain controller
- Run adprep /rodcprep (as an Enterprise Admin) to enable the RODC to replicate the DNS application directory partitions
- Run adprep /domainprep in all domains if the RODC will be a global catalog server
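A readiness report for the checks above and for the adprep table in Lesson 1, as an added example that is not part of the course. It reads the markers that adprep leaves in the directory instead of trusting a change log, and uses ADSI only, so it runs on any PowerShell 2.0 domain member without the AD module (which did not exist before Windows Server 2008 R2). The expected version and revision numbers are those documented for Windows Server 2008 adprep; check them against your own documentation before relying on the result.

```powershell
# Added example, not from the course. Expected numbers are the documented Windows Server 2008
# adprep values; verify them for your environment.
$script:Win2008SchemaVersion   = 44   # objectVersion on the schema NC head
$script:Win2008ForestRevision  = 2    # CN=ActiveDirectoryUpdate,CN=ForestUpdates
$script:Win2008DomainRevision  = 3    # CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System
$script:Win2008RodcRevision    = 2    # CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates
$script:Win2003FunctionalLevel = 2    # msDS-Behavior-Version: 0 = 2000, 2 = 2003, 3 = 2008

function Get-AdsiValue([string]$Dn, [string]$Attribute) {
    $path = "LDAP://$Dn"
    # A missing marker object means that adprep stage has never run.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    ([ADSI]$path).Properties[$Attribute].Value
}

function Get-AdDsReadiness {
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = $root.Properties['schemaNamingContext'].Value
    $config = $root.Properties['configurationNamingContext'].Value
    $domain = $root.Properties['defaultNamingContext'].Value

    $schemaVersion = [int](Get-AdsiValue $schema 'objectVersion')
    $forestRev     = [int](Get-AdsiValue "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$config" 'revision')
    $domainRev     = [int](Get-AdsiValue "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domain" 'revision')
    $rodcRev       = [int](Get-AdsiValue "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$config" 'revision')
    $forestLevel   = [int](Get-AdsiValue "CN=Partitions,$config" 'msDS-Behavior-Version')
    $domainLevel   = [int](Get-AdsiValue $domain 'msDS-Behavior-Version')

    # Writable Windows Server 2008 DCs in this domain. primaryGroupID 516 is "Domain Controllers";
    # RODCs carry 521 ("Read-only Domain Controllers"). The operatingSystem string on 2008 contains
    # a registered-trademark sign, so match it loosely.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
        ([ADSI]"LDAP://OU=Domain Controllers,$domain"),
        '(&(objectClass=computer)(primaryGroupID=516)(operatingSystem=*2008*))'
    $searcher.PropertiesToLoad.Add('name') | Out-Null
    $writable2008 = @($searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] })

    $rodcReady = ($rodcRev -ge $script:Win2008RodcRevision) -and
                 ($forestLevel -ge $script:Win2003FunctionalLevel) -and
                 ($domainLevel -ge $script:Win2003FunctionalLevel) -and
                 ($writable2008.Count -gt 0)

    New-Object PSObject -Property @{
        SchemaVersion   = $schemaVersion
        SchemaPrepDone  = $schemaVersion -ge $script:Win2008SchemaVersion
        ForestPrepDone  = $forestRev -ge $script:Win2008ForestRevision
        DomainPrepDone  = $domainRev -ge $script:Win2008DomainRevision
        RodcPrepDone    = $rodcRev -ge $script:Win2008RodcRevision
        ForestLevelOk   = $forestLevel -ge $script:Win2003FunctionalLevel
        DomainLevelOk   = $domainLevel -ge $script:Win2003FunctionalLevel
        Writable2008DCs = $writable2008
        ReadyForRodc    = $rodcReady
    }
}
Get-AdDsReadiness | Format-List
```

Run it against the domain the RODC will join; a ForestPrepDone of True with DomainPrepDone False is the common case after a forest-wide upgrade where one domain was skipped.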
Installing the RODC
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value
Delegating the RODC Installation
To delegate the installation of an RODC:
1. Pre-create the RODC computer account in the Domain Controllers container
2. Assign a user or group permission to install the RODC; the delegated principal is recorded in the managedBy attribute of the pre-created account and receives rights on that RODC only, not elsewhere in AD DS
To complete a delegated RODC installation, run dcpromo with the /UseExistingAccount:Attach switch on a server that is not yet joined to the domain and whose computer name matches the pre-created account. The delegated user does not need Domain Admins membership.
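Both halves of a staged RODC installation, including the Server Core answer file with ReplicaOrNewDomain=ReadOnlyReplica, as an added example that is not from the course. Server, site, domain and account names are assumptions; the dcpromo switches are the Windows Server 2008 ones (dcpromo /?:CreateDCAccount and dcpromo /?:UseExistingAccount list them).

```powershell
# Added example, not from the course. Names are assumptions.

# --- Half 1: on a writable Windows Server 2008 DC, as a member of Domain Admins ---
# Pre-create the RODC account in the Domain Controllers container. /DelegatedAdmin writes the
# delegated principal into the account's managedBy attribute; the PRP switches seed the per-RODC
# allowed and denied lists so that no Domain Admin secret can ever be cached on that box.
dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:contoso.com /DCAccountName:TOR-DC1 `
    /SiteName:Toronto /InstallDNS:Yes /ConfirmGc:Yes `
    /DelegatedAdmin:"CONTOSO\Axel" `
    /PasswordReplicationAllowed:"CONTOSO\Toronto Users" `
    /PasswordReplicationDenied:"CONTOSO\Domain Admins"

# Confirm what was staged: an RODC account has primaryGroupID 521 and managedBy set to the delegate.
$staged = [ADSI]'LDAP://CN=TOR-DC1,OU=Domain Controllers,DC=contoso,DC=com'
$staged.Properties['primaryGroupID'].Value   # 521 = Read-only Domain Controllers
$staged.Properties['managedBy'].Value        # DN of Axel's user object

# --- Half 2: on the branch server, still in a workgroup and named TOR-DC1, as CONTOSO\Axel ---
# Author the answer file (single-quoted so "$$" in the password is not expanded) and attach.
$answerFile = 'C:\dcpromo-rodc.txt'
@'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
UseExistingAccount=Attach
UserDomain=contoso.com
UserName=Axel
Password=*
ReplicationSourceDC=NYC-DC1.contoso.com
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII
dcpromo.exe /answer:$answerFile
```

Axel's rights come entirely from the managedBy link on the staged computer object, which is why such an account can finish the promotion but cannot create objects anywhere else in AD DS. Delete the answer file after the reboot.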
What Are Password Replication Policies?
The password replication policy determines which account credentials the RODC may cache after it authenticates the account. By default, the RODC caches no user or computer credentials other than its own computer account and its own krbtgt account.

Options for configuring password replication policies:
- No credentials cached (the default; every logon through the RODC is forwarded to a writable domain controller over the WAN)
- Enable credential caching on an RODC for specified accounts (the Allowed list on that RODC's computer account)
- Add users or groups to the Allowed RODC Password Replication Group so their credentials can be cached on all RODCs in the domain. The Denied RODC Password Replication Group takes precedence over every Allowed entry and contains the privileged groups (Domain Admins, Enterprise Admins, Schema Admins, and others) by default
Demonstration: Configuring Administrator Role Separation and Password Replication Policies
In this demonstration, you will see how to:
- Configure administrator role separation
- Configure the RODC password replication groups
- Track which users log on to an RODC
- Configure password replication policies for those accounts
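The same tasks from the command line, as an added example that is not the course's demonstration: view and change a PRP with repadmin /prp, read the policy back from the RODC's computer object, and add a local administrator to the RODC with dsmgmt. RODC, group and user names are assumptions; the dsmgmt "local roles" syntax is as I recall it, and typing ? inside dsmgmt lists the exact commands.

```powershell
# Added example, not from the course. Names are assumptions.
$rodc     = 'TOR-DC1'
$domainDn = 'DC=contoso,DC=com'

# Policy (allow/deny) versus fact (reveal/auth2) for this RODC:
#   reveal = accounts whose secrets ARE cached on $rodc (what an attacker holding the box gets)
#   auth2  = accounts that have authenticated through $rodc (candidates for caching)
foreach ($list in 'allow', 'deny', 'reveal', 'auth2') {
    Write-Host "== $list =="
    repadmin.exe /prp view $rodc $list
}

# Grow the allowed list with a site-scoped group rather than individual users.
repadmin.exe /prp add $rodc allow "CN=Toronto Users,OU=Groups,$domainDn"

# Turn the auth2 list into policy: move every account that has authenticated here into a new
# group and add that group to the allowed list. Argument form as I recall it (check repadmin /prp /?);
# /users_only skips computer accounts.
repadmin.exe /prp move $rodc 'TOR-DC1 Cached Accounts' /users_only

# Read the policy straight from the RODC computer object. The domain-wide Allowed/Denied RODC
# Password Replication Groups are evaluated as well, and Denied always wins.
function Get-RodcPrpSummary([string]$Name, [string]$DomainDn) {
    $entry = [ADSI]"LDAP://CN=$Name,OU=Domain Controllers,$DomainDn"
    New-Object PSObject -Property @{
        AllowedGroups         = @($entry.Properties['msDS-RevealOnDemandGroup'])
        DeniedGroups          = @($entry.Properties['msDS-NeverRevealGroup'])
        AuthenticatedAccounts = @($entry.Properties['msDS-AuthenticatedToAccountlist'])
        CachedSecretCount     = $entry.Properties['msDS-RevealedUsers'].Count
    }
}
Get-RodcPrpSummary -Name $rodc -DomainDn $domainDn | Format-List

# If the RODC is lost or stolen: delete its computer account on a writable DC and accept the
# offer to reset the passwords of every account in its reveal list. To purge one cached secret:
# repadmin.exe /prp delete $rodc reveal "CN=Axel,OU=Users,$domainDn"

# Administrator Role Separation: make Axel a local administrator of this RODC only, with no
# rights in the domain. Run on the RODC itself.
dsmgmt.exe 'local roles' 'list roles' quit quit
dsmgmt.exe 'local roles' 'add CONTOSO\Axel administrators' quit quit
dsmgmt.exe 'local roles' 'show role administrators' quit quit
```

Review the reveal list regularly: it is the exact set of credentials that a physical compromise of the branch office exposes, and it only shrinks when you delete entries from it.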
Lesson 3: Configuring AD DS Domain Controller Roles
- What Are Global Catalog Servers?
- Modifying the Global Catalog
- Demonstration: Configuring Global Catalog Servers
- What Are Operations Master Roles?
- Demonstration: Managing Operations Master Roles
- How Windows Time Service Works
What Are Global Catalog Servers?
A global catalog server holds a full, writable replica of its own domain and a partial, read-only replica of every other domain in the forest. Forest-wide searches and universal group membership lookups at logon are answered by the global catalog server directly, without referrals to domain controllers in other domains.
[Diagram: a global catalog query from one domain in a multi-domain forest is answered with a result by the global catalog server]
Modifying the Global Catalog
Common attributes (default partial attribute set): firstName, lastName, email address, accountExpires, distinguishedName
Changed attributes (after adding department): firstName, lastName, email address, accountExpires, distinguishedName, department
Additional attributes are added to the global catalog by marking the attribute in the schema as a member of the partial attribute set. Add only the additional attributes that you query or refer to frequently: every attribute you add is replicated to every global catalog server in the forest.
Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
- Configure global catalog servers using Active Directory Sites and Services
- Configure a domain controller on Server Core as a global catalog server
- Add attributes to the global catalog
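The three demonstration tasks from the command line, as an added example that is not from the course: enable the global catalog on a domain controller (the same command works on Server Core), confirm that it is actually advertising, and add an attribute to the partial attribute set. Server, domain and attribute names are assumptions.

```powershell
# Added example, not from the course. Names are assumptions.
$dc     = 'NYC-DC2'
$domain = 'contoso.com'

# The GC role is bit 0x1 of the "options" attribute on the DC's NTDS Settings object.
# repadmin sets it without the Sites and Services GUI, so this also works on Server Core.
repadmin.exe /options $dc +IS_GC

# A DC advertises as a GC only after it has finished replicating the partial replicas of the
# other domains. Poll isGlobalCatalogReady on its RootDSE until it returns $true.
function Test-GlobalCatalogReady([string]$Server) {
    ([ADSI]"LDAP://$Server/RootDSE").Properties['isGlobalCatalogReady'].Value -eq 'TRUE'
}
Test-GlobalCatalogReady $dc
dsquery.exe server -forest -isgc      # every DC currently flagged as a GC
nltest.exe /dsgetdc:$domain /gc       # what the locator hands out for a GC request (port 3268)

# Add an attribute to the partial attribute set. Requires Schema Admins membership and a
# connection to the schema master. Look the attribute up by lDAPDisplayName instead of
# guessing its CN. Since Windows Server 2003 this no longer forces a full GC resynchronisation,
# but every GC in the forest replicates the new attribute for every object, so add only what
# you query frequently.
function Add-AttributeToGlobalCatalog([string]$LdapDisplayName) {
    $schemaNc = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
        ([ADSI]"LDAP://$schemaNc"),
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No attribute named $LdapDisplayName in the schema" }
    $attr = $result.GetDirectoryEntry()
    if ($attr.Properties['isMemberOfPartialAttributeSet'].Value -eq $true) {
        Write-Host "$LdapDisplayName is already in the global catalog"
        return $false
    }
    $attr.Put('isMemberOfPartialAttributeSet', $true)
    $attr.SetInfo()
    Write-Host "$LdapDisplayName added to the partial attribute set"
    return $true
}
Add-AttributeToGlobalCatalog 'department'
```

Attributes that contain secrets or personal data should never be added to the partial attribute set: the global catalog is readable by every authenticated user in the forest over port 3268.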
What Are Operations Master Roles?
Role                    Scope            Description
Schema Master           One per forest   Performs all updates to the Active Directory schema
Domain Naming Master    One per forest   Manages adding and removing all domains and directory partitions
RID Master              One per domain   Allocates blocks of RIDs to each domain controller in the domain
PDC Emulator            One per domain   Minimizes replication latency for password changes; synchronizes time on all domain controllers in the domain
Infrastructure Master   One per domain   Updates object references in its domain that point to objects in another domain

The infrastructure master must not be a global catalog server unless every domain controller in the domain is a global catalog server; otherwise cross-domain references in that domain are never updated. RODCs cannot hold any of these roles.
Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
Determine which server holds an operations master role
Move an operations master role
Seize an operations master role
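The same three tasks from the command line, as an added example that is not the course's demonstration: read every role holder from the directory itself, then transfer or seize with ntdsutil. Server names are assumptions.

```powershell
# Added example, not from the course. Server names are assumptions.
function Get-FsmoRoleOwners {
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = $root.Properties['schemaNamingContext'].Value
    $config = $root.Properties['configurationNamingContext'].Value
    $domain = $root.Properties['defaultNamingContext'].Value
    # Each role is the fSMORoleOwner attribute of one specific object. The value is the DN of the
    # holder's NTDS Settings object, e.g. CN=NTDS Settings,CN=NYC-DC1,CN=Servers,CN=<site>,...
    $roleObjects = @{
        'Schema Master'         = $schema
        'Domain Naming Master'  = "CN=Partitions,$config"
        'RID Master'            = 'CN=RID Manager$,CN=System,' + $domain
        'PDC Emulator'          = $domain
        'Infrastructure Master' = "CN=Infrastructure,$domain"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner  = ([ADSI]('LDAP://' + $roleObjects[$role])).Properties['fSMORoleOwner'].Value
        $server = ($owner -split ',')[1] -replace '^CN='
        New-Object PSObject -Property @{ Role = $role; Holder = $server; OwnerDn = $owner }
    }
}
Get-FsmoRoleOwners | Format-Table Role, Holder -AutoSize
netdom.exe query fsmo     # cross-check with the built-in tool

# Transfer (graceful; both DCs online). Schema Admins for the schema master, Enterprise Admins
# for the domain naming master, Domain Admins for the three domain roles.
ntdsutil.exe roles connections 'connect to server NYC-DC2' quit 'transfer infrastructure master' quit quit

# Seize (old holder permanently gone). Same syntax with "seize"; ntdsutil attempts a transfer
# first. Never bring a seized role's former holder back onto the network: a returning RID master
# hands out duplicate RID pools and a returning schema master forks the schema. Rebuild it.
# ntdsutil.exe roles connections 'connect to server NYC-DC2' quit 'seize infrastructure master' quit quit
```

A holder that shows up as a deleted-object DN (containing 0ADEL) in OwnerDn is the sign that a domain controller was removed without transferring its roles and a seize is due.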
How Windows Time Service Works
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.
In a Windows Server 2008 forest, the PDC emulator of the forest root domain is the authoritative time source. Domain controllers synchronize from the PDC emulator of their own domain, which in turn follows the forest root PDC emulator, and client computers synchronize from the domain controller that authenticates them.
Time synchronization is important because:
- Kerberos authentication includes a time stamp, and authenticators outside the allowed clock skew (5 minutes by default, set in the domain's Kerberos policy) are rejected
- Replication between domain controllers is time stamped
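The time hierarchy above configured and measured from the command line, as an added example that is not from the course. Server names, NTP peers and the domain are assumptions.

```powershell
# Added example, not from the course. Names and peers are assumptions.

# --- On the PDC emulator of the forest root domain only ---
# Synchronize from external NTP servers (0x8 = client mode) and advertise as a reliable source.
w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm.exe /resync /rediscover

# --- On every other DC and on member computers ---
# Follow the domain hierarchy (DCs to the PDC emulator, members to their authenticating DC).
# This also removes a manualpeerlist someone once set on a DC, the usual cause of a time island.
w32tm.exe /config /syncfromflags:domhier /update
Restart-Service W32Time
w32tm.exe /resync

# Who is this machine actually following, and how far off is it?
w32tm.exe /query /source
w32tm.exe /query /status

# Kerberos rejects authenticators outside the domain's clock tolerance (300 s by default).
# Run on the PDC emulator: offsets are measured from the local clock to each target.
function Get-ClockSkew([string[]]$Computers, [int]$MaxSeconds = 300) {
    foreach ($c in $Computers) {
        # /stripchart /dataonly prints lines like "12:34:56, +00.0123456s"; keep the last sample.
        $line = w32tm.exe /stripchart /computer:$c /samples:3 /dataonly | Select-Object -Last 1
        if ($line -match '([+-]\d+\.\d+)s') {
            $offset = [double]$Matches[1]
            New-Object PSObject -Property @{
                Computer      = $c
                OffsetSeconds = $offset
                Ok            = [math]::Abs($offset) -lt $MaxSeconds
            }
        } else {
            New-Object PSObject -Property @{ Computer = $c; OffsetSeconds = $null; Ok = $false }
        }
    }
}
Get-ClockSkew -Computers 'NYC-DC2', 'TOR-DC1' | Format-Table Computer, OffsetSeconds, Ok -AutoSize
```

An Ok of False for a domain controller means Kerberos between it and the rest of the domain is already failing or about to; fix the time source before investigating authentication errors.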
Lab: Implementing Read-Only Domain Controllers
Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
Exercise 2: Installing and Configuring an RODC
Exercise 3: Configuring AD DS Domain Controller Roles
Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
- Why did Axel's account not have permission to create any objects in AD DS?
- What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1?
- Could you have assigned the Domain Naming Master role to TOR-DC1?
- What would happen when you add a new attribute to the global catalog?
Module Review and Takeaways
Review questions Key points
Beta Feedback Tool
Beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations
- Identify and sort the changes that students request, thereby facilitating a quick team triage
- Save data to a database in SQL Server that you can later query
Walkthrough of the tool
Beta Feedback
Overall flow of module:
Pacing:
- Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?
- Were you able to keep up? Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?
Learner activities: