70 640 lesson02 ppt 041009
Implementing Active Directory
Lesson 2
Skills Matrix

| Technology Skill | Objective Domain | Objective # |
|---|---|---|
| Installing a New Active Directory Forest | Configure a forest or a domain | 2.1 |
| Establishing and Maintaining Trust Relationships | Configure trusts | 2.2 |
| Configuring Active Directory Lightweight Directory Services | Configure Active Directory Lightweight Directory Services (AD LDS) | 3.1 |
| Configuring a Read-Only Domain Controller | Configure the Read-Only Domain Controller (RODC) | 3.3 |
Server Manager
• Located in Administrative Tools.
– Can also be accessed by right-clicking My Computer and selecting Manage.
• Allows you to:
– Add roles such as the DNS Server or Active Directory Domain Services role.
– Perform system diagnostics.
– Configure system services.
– Drill down into specific administrative tools.
Requirements for Active Directory
• A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full version or Server Core).
• An administrator account and password on the local machine.
Requirements for Active Directory
• An NT file system (NTFS) partition for the SYSVOL folder structure.
– 200 MB minimum free space on the previously mentioned NTFS partition for the Active Directory database files.
– 50 MB minimum free space for the transaction log files.
– Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured.
• An authoritative DNS server for the DNS domain that supports service resource (SRV) records.
– Recommended to support incremental zone transfers and dynamic updates.
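The checklist above can be turned into a pre-promotion script. The following PowerShell is an added example, not part of the lesson: it checks the edition, the NTFS file system and free space on the volume intended for SYSVOL and the database (the slide's 200 MB + 50 MB minimums), and that TCP/IP is configured with a DNS server to query. It assumes it is run as a local administrator on the candidate server with the Win32_* WMI classes available (any Windows Server 2008 or later); `$SysvolDrive` is a placeholder for your own volume.

```powershell
# Added example (not from the lesson): pre-installation checks for the AD DS
# requirements listed on the slide. Run locally as an administrator.
param(
    [string]$SysvolDrive = 'C:'    # ASSUMPTION: the NTFS volume that will hold SYSVOL and NTDS
)

$minDatabaseMB = 200               # slide: minimum for the database files
$minLogMB      = 50                # slide: minimum for the transaction logs
$requiredMB    = $minDatabaseMB + $minLogMB
$problems      = @()

# 1. Supported edition: any Windows Server 2008 edition, Full or Server Core.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2008') {
    $problems += "Unsupported OS: $($os.Caption)"
}

# 2. The SYSVOL/database volume must be NTFS with enough free space.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$SysvolDrive'"
if ($null -eq $vol) {
    $problems += "Volume $SysvolDrive not found"
} else {
    if ($vol.FileSystem -ne 'NTFS') {
        $problems += "$SysvolDrive is $($vol.FileSystem); SYSVOL requires NTFS"
    }
    $freeMB = [math]::Floor($vol.FreeSpace / 1MB)
    if ($freeMB -lt $requiredMB) {
        $problems += "$SysvolDrive has $freeMB MB free; at least $requiredMB MB is required"
    }
}

# 3. TCP/IP must be installed and configured: at least one IPv4-enabled adapter
#    with a DNS server set, so the DNS requirement can be met at all.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
$ipv4 = $nics | Where-Object { $_.IPAddress -match '^\d+\.\d+\.\d+\.\d+$' }
if (-not $ipv4) {
    $problems += 'No IPv4-enabled network adapter found'
} elseif (-not ($ipv4 | Where-Object { $_.DNSServerSearchOrder })) {
    $problems += 'No DNS server configured on any IPv4 adapter'
}

# Report: any problem blocks the installation; an empty list means go ahead.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'All pre-installation checks passed.'
```

The DNS server's SRV support cannot be proven before the domain exists, so that item is left to the post-installation verification of the `_msdcs`, `_sites`, `_tcp` and `_udp` records described later in the lesson.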
Installing Active Directory
• To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager.
Installing Active Directory
• The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
– Adding a domain controller to an existing environment.
– Creating an entirely new forest structure.
– Adding a child domain to an existing domain.
– Adding a new domain tree to an existing forest.
– Demoting domain controllers and eventually removing a domain or forest.
Choosing the Deployment Configuration
Post-Installation Tasks
• Upon completion of the Active Directory installation, you should verify a number of items:
– Application directory partition creation.
– Aging and scavenging for zones.
– Forward lookup zones and SRV records.
– Reverse lookup zones.
Application Partitions
Aging and Scavenging of DNS Records
• Aging and scavenging are processes that can be used by Windows Server 2008 DNS to clean up the DNS database after DNS records become "stale" or out of date.
• Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues.
DNS Records
• Make sure the Forward Lookup zone is created.
• Make sure a Host (A) record is created for your server.
• Make sure the following DNS domains are created:
– _msdcs
– _sites
– _tcp
– _udp
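The post-installation DNS checks (forward lookup zone, the server's host record, the four service subdomains with their SRV records, and reverse lookup) can be run as one script. This PowerShell is an added example, not code from the lesson. It assumes the DnsClient module's `Resolve-DnsName` cmdlet (Windows Server 2012 / Windows 8 or later), and `$Domain`, `$DcName` and the site name `Default-First-Site-Name` are placeholders for your own values.

```powershell
# Added example (not from the lesson): verify the DNS records a new domain
# controller must have registered. Assumes Resolve-DnsName is available.
param(
    [string]$Domain = 'corp.example.com',   # ASSUMPTION: your AD DNS domain name
    [string]$DcName = 'dc01'                # ASSUMPTION: host name of the new DC
)

$fqdn    = "$DcName.$Domain"
$results = @()

# Query one record and report whether the expected type came back.
function Test-Record {
    param([string]$Name, [string]$Type, [string]$Expect)
    $ok = $false; $detail = ''
    try {
        $rr = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq $Type }
        if ($rr) {
            $ok = $true
            $detail = ($rr | ForEach-Object {
                $r = $_                       # $_ is rebound inside switch, so keep a copy
                switch ($Type) {
                    'SRV'   { "$($r.NameTarget):$($r.Port)" }
                    'PTR'   { $r.NameHost }
                    default { $r.IPAddress }
                }
            }) -join ', '
        }
    } catch { $detail = $_.Exception.Message }
    [pscustomobject]@{ Check = $Expect; Query = "$Type $Name"; OK = $ok; Detail = $detail }
}

# Forward lookup zone and the host (A) record for this DC.
$results += Test-Record $fqdn 'A' 'Host (A) record for the DC'

# One SRV record under each of the required subdomains. _sites needs the site
# name; Default-First-Site-Name is what dcpromo creates for a new forest.
$site = 'Default-First-Site-Name'
$srvChecks = @{
    'LDAP SRV under _msdcs'   = "_ldap._tcp.dc._msdcs.$Domain"
    'Kerberos SRV under _tcp' = "_kerberos._tcp.$Domain"
    'Kerberos SRV under _udp' = "_kerberos._udp.$Domain"
    'LDAP SRV under _sites'   = "_ldap._tcp.$site._sites.$Domain"
}
foreach ($name in $srvChecks.Keys) {
    $results += Test-Record $srvChecks[$name] 'SRV' $name
}

# Reverse lookup: take the address from the A answer and ask for its PTR.
$a = $results | Where-Object { $_.Query -eq "A $fqdn" -and $_.OK }
if ($a) {
    $ip = ($a.Detail -split ', ')[0]
    $results += Test-Record $ip 'PTR' 'Reverse (PTR) record for the DC'
}

$results | Format-Table Check, Query, OK, Detail -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

A failed SRV row usually means the Netlogon service has not registered the records yet (or dynamic updates are not allowed on the zone), which is exactly the condition the slide's checklist exists to catch; a missing PTR row means the reverse lookup zone still has to be created.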
Raising the Domain Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the domain you wish to raise and select Raise Domain Functional Level.
Raising the Forest Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.
Raising the Forest Functional Level
• If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
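The same precondition the wizard enforces can be checked from PowerShell before the irreversible raise. The following is an added example, not from the lesson: it assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and Enterprise Admins rights, and it targets the Windows Server 2008 forest level named on the slide.

```powershell
# Added example (not from the lesson): refuse to raise the forest functional
# level while any domain is below the required domain level, then raise it
# only after an explicit confirmation, because the change cannot be undone.
Import-Module ActiveDirectory

$targetForestMode  = 'Windows2008Forest'   # level to reach
$requiredDomainMode = 'Windows2008Domain'  # every domain must be at least here

# The ADDomainMode enum values increase with each Windows release, so the
# integer value gives an ordering we can compare with -lt.
$needValue = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$requiredDomainMode

$forest  = Get-ADForest
$lagging = foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    if ([int]$dom.DomainMode -lt $needValue) {
        [pscustomobject]@{ Domain = $d; DomainMode = $dom.DomainMode }
    }
}

if ($lagging) {
    Write-Warning "Forest functional level cannot be raised to $targetForestMode yet; raise these domains first:"
    $lagging | Format-Table -AutoSize
    return
}

Write-Host "Current forest mode: $($forest.ForestMode); all $($forest.Domains.Count) domain(s) are at $requiredDomainMode or higher."

# Irreversible: -Confirm makes the cmdlet prompt before changing anything.
Set-ADForestMode -Identity $forest -ForestMode $targetForestMode -Confirm
```

The pre-check mirrors the summary slide's point that raising a level cannot be reversed: once raised, down-level domain controllers can no longer be added, so the domain inventory must be complete before the prompt is accepted.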
Removing Active Directory
• Click the Start menu, key dcpromo, and then press Enter.
Schema Management Console
• Some commercial applications, such as Microsoft Exchange, will modify the schema as a part of their installation process.
• You can also extend the schema manually using the Active Directory Schema snap-in.
• To modify the schema manually, you must be a member of the Schema Admins group.
• The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master Operations role.
Installing the Schema Management Snap-in
• From a command prompt, key regsvr32 schmmgmt.dll.
• Close the Command Prompt window, click Start, and then select Run.
• Key mmc /a in the dialog box and click OK.
• Click the File menu and select Add/Remove Snap-in.
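Both preconditions from the previous slide (run on the Schema Master, be a member of Schema Admins) can be verified before registering the snap-in. This PowerShell is an added example, not from the lesson; it assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and resolves Schema Admins by its well-known RID (518) in the forest root domain rather than by display name.

```powershell
# Added example (not from the lesson): confirm this host is the Schema Master
# and the current account is in Schema Admins, list the group so it can be
# emptied again after the schema work, then register the snap-in and open MMC.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = ($forest.SchemaMaster -split '\.')[0]    # host part of the FQDN
$here         = $env:COMPUTERNAME

if ($here -ne $schemaMaster) {
    Write-Warning "Schema Master is $($forest.SchemaMaster); this host is $here. Install the snap-in there."
}

# Schema Admins exists only in the forest root domain: look it up by SID (domain SID + RID 518).
$rootDomain   = Get-ADDomain -Identity $forest.RootDomain
$schemaAdmins = Get-ADGroup -Identity "$($rootDomain.DomainSID)-518" -Server $forest.RootDomain
$members      = @(Get-ADGroupMember -Identity $schemaAdmins -Server $forest.RootDomain -Recursive)

Write-Host "Schema Admins members ($($members.Count)):"
$members | Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# Check the running token, not just the directory: group membership only takes
# effect after a fresh logon.
$me            = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isSchemaAdmin = $me.Groups | Where-Object { $_.Value -eq $schemaAdmins.SID.Value }
if (-not $isSchemaAdmin) {
    Write-Warning "$($me.Name) is not in Schema Admins in the current logon session."
    return
}

# Register the snap-in (/s = silent) and open an empty console for File > Add/Remove Snap-in.
$reg = Start-Process -FilePath regsvr32.exe -ArgumentList '/s schmmgmt.dll' -Wait -PassThru
if ($reg.ExitCode -ne 0) { throw "regsvr32 schmmgmt.dll failed with exit code $($reg.ExitCode)" }
Start-Process -FilePath mmc.exe -ArgumentList '/a'
```

Listing the membership is the practical half of the check: because schema changes are forest-wide and permanent, the usual practice is to keep Schema Admins empty, add an account only for the duration of the change, and remove it afterwards.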
Trust Relationships
• Trust relationships exist to make resource accessibility easier between domains and forests.
• Many trust relationships are established by default during the creation of the Active Directory forest structure.
• Trust relationships can be created using Active Directory Domains and Trusts from the Administrative Tools folder.
Trust Relationships
• Four trust types can be manually established in Windows Server 2008:
– Shortcut trusts - Used to shorten the "tree-walking" process for users who require frequent access to resources elsewhere in the forest.
– Cross-forest trusts - Allow you to create two-way transitive trusts between separate forests.
– External trusts - Used to configure a one-way non-transitive trust.
– Realm trusts - Allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm.
Revoking a Trust Using Netdom
• Open a command prompt and type the following text: Netdom trust TrustingDomainName /d:TrustedDomainName /remove
• Press Enter.
• Repeat these steps for the other end of the trust relationship.
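The three steps above, including the repeat from the other end, can be scripted so that neither side is forgotten and the result is verified. This PowerShell wrapper is an added example, not from the lesson: it assumes netdom.exe is present (Windows Server 2008 or RSAT) and that the caller holds administrative rights in both domains; the two domain names are placeholders.

```powershell
# Added example (not from the lesson): remove both ends of a trust with netdom
# and confirm it no longer verifies. Domain names are placeholders.
param(
    [string]$TrustingDomain = 'corp.example.com',      # ASSUMPTION: the domain that trusts
    [string]$TrustedDomain  = 'partner.example.net'    # ASSUMPTION: the domain being trusted
)

# Run netdom with the given arguments and capture exit code and output together.
function Invoke-Netdom {
    param([string[]]$Arguments)
    $out = & netdom.exe @Arguments 2>&1
    [pscustomobject]@{
        Command  = "netdom $($Arguments -join ' ')"
        ExitCode = $LASTEXITCODE
        Output   = ($out -join "`n")
    }
}

# Record the state before touching it: /verify exercises the trust's secure channel.
$before = Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/verify')
Write-Host "Before removal:`n$($before.Output)"

# Step 1 and 2: remove from the trusting side; step 3: repeat from the other end.
$steps = @(
    @('trust', $TrustingDomain, "/d:$TrustedDomain",  '/remove'),
    @('trust', $TrustedDomain,  "/d:$TrustingDomain", '/remove')
)
foreach ($s in $steps) {
    $r = Invoke-Netdom $s
    if ($r.ExitCode -ne 0) { throw "$($r.Command) failed (exit $($r.ExitCode)):`n$($r.Output)" }
    Write-Host "$($r.Command): OK"
}

# A removed trust must no longer verify from the trusting side.
$after = Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/verify')
if ($after.ExitCode -eq 0) {
    Write-Warning 'Trust still verifies; check that both ends were removed.'
} else {
    Write-Host 'Trust no longer verifies; removal complete on both ends.'
}
```

If the account running the script is not privileged in the other domain, netdom's /UserD and /PasswordD (and /UserO, /PasswordO) options supply credentials for that side; a trust left half-removed is the usual symptom when the second `/remove` is skipped.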
User Principal Name (UPN)
• The name of a system user in an e-mail address format: username@domainname
• Based on Internet RFC 822.
Changing the Default Suffix for User Principal Names
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click Active Directory Domains and Trusts and choose Properties.
• Click the UPN Suffixes tab, key the new suffix, and click Add.
• Key more than one suffix if your forest has more than one tree, and then click OK.
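The same change, followed by assigning the new suffix to a user, is shown below in PowerShell as an added example that is not part of the lesson. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and Enterprise Admins rights; the suffix `example.com` and the user `jdoe` are placeholders. The example goes one step beyond the slide by refusing to assign a UPN whose suffix is not registered in the forest and by checking the UPN is unique forest-wide.

```powershell
# Added example (not from the lesson): register an alternative UPN suffix at
# the forest level, then build and assign a user's UPN in user@suffix form.
Import-Module ActiveDirectory

$newSuffix = 'example.com'    # ASSUMPTION: the suffix users should sign in with
$sam       = 'jdoe'           # ASSUMPTION: an existing user's sAMAccountName

# A UPN suffix is acceptable if it is a domain DNS name in the forest or an
# explicitly registered alternative suffix (the UPN Suffixes tab).
function Get-ValidUpnSuffixes {
    $f = Get-ADForest
    @($f.Domains) + @($f.UPNSuffixes)
}

# 1. Register the suffix if it is not already known (idempotent).
if ($newSuffix -notin (Get-ValidUpnSuffixes)) {
    Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $newSuffix }
    Write-Host "Registered UPN suffix $newSuffix"
}

# 2. Build the RFC 822-style name and refuse anything outside user@registered-suffix.
function New-Upn {
    param([string]$User, [string]$Suffix)
    if ($User -notmatch '^[A-Za-z0-9._-]+$') { throw "Unsupported characters in user name '$User'" }
    if ($Suffix -notin (Get-ValidUpnSuffixes)) { throw "Suffix '$Suffix' is not registered in the forest" }
    "$User@$Suffix"
}
$upn = New-Upn -User $sam -Suffix $newSuffix

# 3. UPNs must be unique across the forest: query the global catalog (port 3268).
$gc    = "$((Get-ADForest).RootDomain):3268"
$clash = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $gc |
         Where-Object { $_.SamAccountName -ne $sam }
if ($clash) { throw "UPN $upn already belongs to $($clash.DistinguishedName)" }

# 4. Assign and read back.
Set-ADUser -Identity $sam -UserPrincipalName $upn
Get-ADUser -Identity $sam -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

The uniqueness check matters because a duplicate UPN makes logon by UPN ambiguous; the global-catalog query covers every domain in the forest, which a query against a single domain controller would not.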
Summary
• Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
• Planning the forest and domain structure should include a checklist that can be referenced for the dialog information required by the Active Directory Installation Wizard.
Summary
• Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records.
– Additional items, such as reverse lookups, aging, and scavenging, should also be configured.
• Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS.
– These partitions allow replica placement within the forest structure.
Summary
• System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
• Planning forest and domain functionality is dependent on the need for down-level operating system compatibility.
– Raising a forest or domain functional level is a procedure that cannot be reversed.
Summary
• Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts.
• Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
Summary
• UPNs provide a mechanism to make access to resources in multiple domains user-friendly.
• UPNs follow a naming format similar to e-mail addresses.
• You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.