
Upload: elmer-waters

Post on 24-Dec-2015


Configuring the Active Directory Infrastructure

Exam Objectives

Working with Forests and Domains
Working with Sites
Working with Trusts


Working with Forests and Domains

You should know what type of domain you want to install before you begin, and the namespace it will use.

To improve a domain’s reliability, you should always create at least two DCs in each domain.

The first DC that you install in the forest is the root DC. It is responsible for the GC and for all five FSMO roles. Some roles can later be transferred to other DCs for performance and diversification.


Working with Sites

Sites are used for optimizing the authentication process, by reducing authentication traffic across slow, high-cost WAN links.

Subnets provide rapid and reliable communication between locations.

The primary role of sites is to increase the performance of a network, which is achieved by economic and rapid transmission of data.

Replication enables transferring data from a data store present on a source computer to an identical data store present on a destination computer.

The KCC is a process that runs on a DC.

The process of associating a subnet with a site notifies Active Directory sites about the physical networks that are represented by the site.

Cost is the value used to calculate site links by comparing one to others, in terms of speed and reliability charges.


Working with Trusts

Active Directory trust relationships allow users in one domain to access resources in another domain without having to create additional accounts in the domain with the resources.

Whenever a child domain is created, two-way transitive trusts are automatically created between the parent and the child.

Forest trusts are created between the root domains of two forests to allow users in one forest to access resources in the other forest.

SID filtering is a security device that uses the domain SID to verify each security principal.


FAQ

Q: What is the big deal about raising the functional levels of my domains and forests? Shouldn’t I raise the levels as soon as they meet the prerequisites?

A: No. Remember that functional levels, once raised, cannot be lowered again. In addition, some situations are better suited to skipping a level, rather than raising to one level and then the other. In this case, known future restructuring and upgrade activities should be considered before raising functional levels.


FAQ

Q: How much of the Active Directory design stage should be complete before I install my first DC?

A: Primarily, the DNS design should be complete, and the decision should be made about how the forest-root domain will be used. Additional DCs and domains can be added later. FSMO roles and GCs can be shifted as needed, and trusts with other forests and external domains can be added later. Essentially, the first DC that you install should be in a lab environment. From that perspective, you should install your first DC for testing and training purposes as soon as possible.


FAQ

Q: If every FSMO role can be seized by another DC upon failure, why would I want to spread the roles out among different machines?

A: There are several reasons. Chief among these are the associated risks of seizing roles. Lost or corrupted directory data can result from FSMO failures, especially if the malfunctioning machine ever comes back online. Seizing roles should not be considered a routine operation. Another consideration is performance. Each role exacts a certain amount of CPU and memory overhead, and your servers might perform better if roles are spread among multiple systems. If that weren’t enough, some roles and functions should not coexist on the same DC, such as the Infrastructure Master and the GC. FSMO placement should not be ignored, and this knowledge will be important on the test.


FAQ

Q: What are the differences between external, realm, and shortcut trusts?

A: An external trust is created to establish a relationship with a domain outside your tree or forest. A realm trust is created to establish a relationship with a non-Microsoft network using Kerberos authentication. A shortcut trust is used to optimize the authentication process.


FAQ

Q: What type of trust needs to be created between the root domain and a domain that is several layers deep inside the same tree?

A: None. Transitive two-way trusts are automatically created between the layers of the tree structure. A root trust is also created automatically so that any child domain has a shortcut to the root domain.


FAQ

Q: What is the difference between implied, implicit, and explicit trusts?

A: An implicit trust is one that is automatically created by the system. An example is the trusts created between parent and child domains. An explicit trust is one that is manually created. An example is a forest trust between two trees. An implied trust is one that is implied because of the transitive nature of trusts. An example is the trust between two child domains that are in different trees, and a forest trust was created between the roots of the trees.


FAQ

Q: What exactly does SID filtering accomplish?

A: SID filtering is used to secure a trust relationship where the possibility exists that someone in the trusted domain might try to elevate his or her own or someone else’s privileges.
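A simplified model of the check SID filtering performs on a trust, added here as an illustration and not taken from the original slides or from Windows itself: each SID presented across the trust is compared with the trusted domain's SID, and anything that does not belong to that domain is dropped. The SID values and function names are constructed for the example.

```python
import re

# S-1-<identifier authority>-<sub-authority>-...-<sub-authority>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Return (identifier_authority, [sub-authorities]) or None if malformed."""
    m = SID_RE.match(sid.strip().upper())
    if not m:
        return None
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    # A SID holds at most 15 sub-authorities, each a 32-bit value.
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        return None
    return int(m.group(1)), subs


def domain_sid(sid):
    """Domain part of an account SID (S-1-5-21-x-y-z-RID), else None."""
    parsed = parse_sid(sid)
    if parsed is None:
        return None
    authority, subs = parsed
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None  # well-known or built-in SID, not tied to a domain
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])


def filter_sids(trusted_domain_sid, presented):
    """Keep only SIDs issued by the trusted domain; report why others go."""
    kept, dropped = [], []
    for sid in presented:
        if parse_sid(sid) is None:
            dropped.append((sid, "malformed"))
            continue
        dom = domain_sid(sid)
        if dom is None:
            dropped.append((sid, "not domain-relative"))
        elif dom != trusted_domain_sid:
            dropped.append((sid, "other domain " + dom))
        else:
            kept.append(sid)
    return kept, dropped


# Constructed sample values (not real domain SIDs).
TRUSTED = "S-1-5-21-1000000001-1000000002-1000000003"   # domain the user logs on from
TRUSTING = "S-1-5-21-2000000001-2000000002-2000000003"  # domain that owns the resource
PRESENTED = [
    TRUSTED + "-1105",   # the user account
    TRUSTED + "-513",    # a group in the trusted domain
    TRUSTING + "-512",   # a SID that claims a group of the trusting domain
    "S-1-5-32-544",      # built-in group, not relative to any domain
    "S-1-5-21-abc",      # malformed
]

if __name__ == "__main__":
    kept, dropped = filter_sids(TRUSTED, PRESENTED)
    print("kept:", kept)
    for sid, reason in dropped:
        print("dropped:", sid, "->", reason)
```
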


FAQ

Q: How do you change the time the KCC runs?

A: The KCC, which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry. Then, from the Edit menu, select New, DWORD Value.


FAQ

Q: How do I move a server to a different site?

A: If the sites and subnets are configured, new servers are automatically added to the site that owns the subnet. However, a server can be manually moved to a different site. To perform this task, start the Active Directory Sites and Services. Expand the site that currently contains the server, and expand the Servers container. Right-click the server and select Move from the context menu. There will be a list of all the sites. Select the new target site, and click OK.


FAQ

Q: How can a server belong to more than one site?

A: By default, a server belongs to only one site. However, you can configure a server to belong to multiple sites. Because sites are necessary for replication, for clients to find resources, and to decrease traffic on intersite connections, simply modifying a site’s membership might cause performance problems. To configure a server for multiple site membership, log on to the server you want to join multiple sites. Start regedit or regedt32. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry entry, select Add Value from the Edit menu, enter the name Site Coverage and a REG_MULTI_SZ value, and click OK. Next, enter the names of the sites to join, each on a new line. (Press Shift + Enter to move to the next line.) Click OK. Close the Registry Editor.


FAQ

Q: How do I disable site link transitivity?

A: Site links are bridged together to make them transitive so that the KCC can create connection objects between DCs. We can disable site link transitivity manually by bridging specific site links. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder and expand the Inter-Site Transports folder. Right-click the protocol for which you want to disable transitivity (IP or SMTP), and select Properties. Clear the Bridge all site links checkbox, and click Apply.


FAQ

Q: How do you rename a site?

A: When you install your first DC, the DC creates the default site, Default-First-Site-Name. This name isn’t very descriptive, so you might want to rename it. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder. Right-click the site that is to be renamed (e.g., Default-First-Site-Name), and select Rename. Enter the new name, and press Enter.


FAQ

Q: I want to enable GC functionality on a DC. Where do I do that?

A: In the NTDS Settings Properties window on the General tab. You simply check the box next to Global Catalog and click OK.


FAQ

Q: I have an office with only 10 users. Should I put a GC server at this location?

A: Probably not; Microsoft recommends that 50 or more users at a location constitutes the necessity for a local DC at that office.


FAQ

Q: I am noticing a large amount of traffic between my corporate office and branch office. I recently added a GC server/DC at my branch office. Why all the extra traffic?

A: More than likely, you didn’t set up a site for each location. Having GC servers located in sites helps to control replication and should cut down on bandwidth usage. Data is compressed before being sent between sites, which keeps bandwidth usage down.


Exam Warning

With Windows Server 2008 and beyond, you will see more and more references to UPN use in single or multiple domain environments. Be sure to understand how the UPN works in relation to logon, and how the GC keeps this information available efficiently.


Exam Warning

Be prepared to see diagrams that show network layouts and the various GC servers you have on your network. Part of being a successful network administrator is being able to determine whether the design is good. Because many Active Directory-integrated applications, such as Microsoft Exchange, need access to a GC for authentication, GCs should be placed in sites that support these applications, as well as sites that are connected over lower-speed WAN links.


Test Day Tip

Universal Groups can exist only if the functional level of your network is Windows 2000 native or later. Universal Group information is replicated between GC servers. Replication traffic can consume bandwidth, which is why site topology is important; putting a GC at each site keeps replication traffic to a minimum.


Test Day Tip

Microsoft’s documentation recommends that if you have 50 or more users at a given location, you should give that location a DC serving as a GC server. This will help to reduce the number of queries crossing the WAN for Active Directory object searches.


Exam Warning

Remember this distinction between the GC and the Schema Master: The GC contains a limited set of attributes of all objects in the Active Directory. The Schema Master contains formal definitions of every object class that can exist in the forest and every object attribute that can exist within an object. In other words, the GC contains every object, whereas the schema contains every definition of every type of object.


Test Day Tip

As a network administrator, you must be familiar with the various roles and services offered by the Active Directory Sites. You needn’t worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each role and service of Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of data transmission as part of a large network.


Exam Warning

Make sure you are familiar with the benefits provided by a domain, and how a domain works to provide them for you.


Test Day Tip

Make sure you know and understand the differences between the physical and logical structures of the network. Be aware of how each is used to build the most efficient replication topology.


Test Day Tip

Remember that default Windows Server 2008 trust relationships are friendly. The default and most common trusts in Active Directory, which are parent and child and tree-root trusts, are both bidirectional and transitive, meaning that the trust path extends throughout the entire forest. You can remember this type of transitive trust with the old saying, “Any friend of yours is a friend of mine.”

Other types of Windows Server 2008 trusts exist, such as forest, shortcut, and external, each of which can be bidirectional or unidirectional and have different transitivity properties. One of the first things you should do when you sit down at the testing station is to write down the trusts and their properties on your scratch paper. Do this before starting the test so as not to waste valuable time.


Test Day Tip

On the day of the test, you will want to review the types of trusts as well as when to use them. On the exam, you might be given a scenario that will require you to determine the type of trust that will best meet the requirements in the scenario.


Exam Warning

Although the trust relationship is considered transitive, this applies only to the child domains within forests. The transitive nature of the trust exists only within the two forests explicitly joined by a forest trust. The transitivity does not extend to a third forest unless you create another explicit trust.
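The transitivity rules above, together with the implicit, explicit and implied trusts from the FAQ, modelled as a small graph search. This is an added example, not part of the original slides; the domain names and the TrustGraph class are hypothetical, and shortcut and realm trusts are left out.

```python
from collections import deque

# Trust kinds with the properties the slides give them.
AUTOMATIC = {"parent-child", "tree-root"}  # created by the system, two-way, transitive
TRANSITIVE = AUTOMATIC | {"forest"}        # a forest trust spans only its own two forests


class TrustGraph:
    def __init__(self):
        self.edges = {}  # trusting domain -> [(trusted domain, kind)]

    def add(self, trusting, trusted, kind, two_way=True):
        """Record that `trusting` trusts `trusted` (and the reverse if two-way)."""
        self.edges.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, kind))

    def path(self, user_domain, resource_domain):
        """Trust path from the resource's domain to the user's domain, or None."""
        if user_domain == resource_domain:
            return [resource_domain]
        # A non-transitive (external) trust only counts as one direct hop.
        for trusted, kind in self.edges.get(resource_domain, []):
            if trusted == user_domain and kind not in TRANSITIVE:
                return [resource_domain, user_domain]
        # Breadth-first search over transitive trusts. The state records
        # whether a forest trust was already crossed, because transitivity
        # does not carry on into a third forest.
        start = (resource_domain, False)
        parents = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            domain, crossed = state
            if domain == user_domain:
                chain = []
                while state is not None:
                    chain.append(state[0])
                    state = parents[state]
                return chain[::-1]
            for trusted, kind in self.edges.get(domain, []):
                if kind not in TRANSITIVE or (kind == "forest" and crossed):
                    continue
                nxt = (trusted, crossed or kind == "forest")
                if nxt not in parents:
                    parents[nxt] = state
                    queue.append(nxt)
        return None

    def classify(self, user_domain, resource_domain):
        """Name the relationship using the FAQ's terms."""
        chain = self.path(user_domain, resource_domain)
        if chain is None:
            return "none"
        if len(chain) == 1:
            return "same domain"
        if len(chain) > 2:
            return "implied"      # exists only through transitivity
        kind = next(k for t, k in self.edges[resource_domain] if t == user_domain)
        return "implicit" if kind in AUTOMATIC else "explicit"


def build_sample():
    """Constructed topology: forests A, B and C plus one NT 4.0 domain."""
    g = TrustGraph()
    g.add("sales.a.example", "a.example", "parent-child")
    g.add("emea.sales.a.example", "sales.a.example", "parent-child")
    g.add("dev.b.example", "b.example", "parent-child")
    g.add("a.example", "b.example", "forest")   # forest trust A <-> B
    g.add("b.example", "c.example", "forest")   # forest trust B <-> C
    # One-way external trust: sales.a.example trusts the NT 4.0 domain LEGACY.
    g.add("sales.a.example", "LEGACY", "external", two_way=False)
    return g


if __name__ == "__main__":
    g = build_sample()
    for user, res in [("dev.b.example", "emea.sales.a.example"),
                      ("c.example", "a.example"),
                      ("LEGACY", "sales.a.example"),
                      ("LEGACY", "a.example")]:
        print(user, "->", res, ":", g.classify(user, res), g.path(user, res))
```
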


Exam Warning

You will always need to create an external trust when connecting to a Windows NT 4.0 or earlier domain. These domains are not eligible to participate in Active Directory. These trusts must be one-way trusts. If you have worked with Windows NT 4.0, you will remember that the only trusts allowed were nontransitive one-way trusts.