Microsoft® Official Course

Module 2

Introduction to Active Directory Domain Services

Module Overview

Overview of AD DS

Overview of Domain Controllers• Installing a Domain Controller

Lesson 1: Overview of AD DS

Overview of AD DS

What Are AD DS Domains?

What Are OUs?

What Is an AD DS Forest?•What Is the AD DS Schema?

Overview of AD DS

Physical components Logical components

• Data store

• Domain controllers

• Global catalog server

• RODC

• Partitions

• Schema

• Domains

• Domain trees

• Forests

• Sites

• OUs

AD DS is composed of both physical and logical components

What Are AD DS Domains?

• AD DS requires one or more domain controllers

• All domain controllers hold a copy of the domain database which is continually synchronized

• The domain is the context within which user, group, and computer accounts are created

• The domain is a replication boundary

• An administrative center for configuring and managing objects

• Any domain controller can authenticate any logon in the domain

What Are OUs?

Organizational Units• Containers that can be used

to group objects within a domain

• Create OUs to:• Delegate administrative

permissions• Apply Group Policy

What Is an AD DS Forest?

adatum.com

Tree Root Domain

Forest Root Domain

atl.adatum.com

fabrikam.com

What Is the AD DS Schema?

The Active Directory schema acts as a blueprint for AD DS by defining the attributes and object classes such as:• Attributes• objectSID• sAMAccountName• location• manager• department

• Classes• User• Group• Computer• Site

Lesson 2: Overview of Domain Controllers

What Is a Domain Controller?

What Is the Global Catalog?

The AD DS Logon Process

Demonstration: Viewing the SRV Records in DNS•What Are Operations Masters?

What Is a Domain Controller?

Domain Controllers

• Servers that host the Active Directory database (NTDS.DIT) and SYSVOL

• Kerberos authentication service and KDC services perform authentication

• Best practices:• Availability: At least two domain controllers

in a domain• Security: RODC and BitLocker

What Is the Global Catalog?

Domain BDomain B

Domain ADomain A

ConfigurationConfiguration

SchemaSchema

Domain ADomain A

ConfigurationConfiguration

SchemaSchema

Domain BDomain B

ConfigurationConfiguration

SchemaSchema

Domain BDomain B

ConfigurationConfiguration

SchemaSchema

Global catalog:Hosts a partial attribute set for other domains in the forestSupports queries for objects throughout the forest

Global catalog server

The AD DS Logon Process

DC1

SVR1WKS1

The AD DS logon process:

1.User Account is authenticated to DC1

2.DC1 returns TGT back to client

3.Client uses TGT to apply for access to WKS1

4.DC1 grants access to WKS1

5.Client uses TGT to apply for access to SVR1

6.DC1 returns access to SVR1

Demonstration: Viewing the SRV Records in DNS

• In this demonstration, you will see how to use DNS Manager to view SRV records

What Are Operations Masters?

In any multimaster replication topology, some operations must be single master

Many terms are used for single master operations inAD DS, including the following:• Operations master (or operations master roles)

• Single master roles• FSMOs

Roles• Forest:

• Domain naming master

• Schema master

• Domain:• RID master• Infrastructure master

• PDC Emulator master

Lesson 3: Installing a Domain Controller

Installing a Domain Controller from Server Manager

Installing a Domain Controller on a Server Core Installation of Windows Server 2012

Upgrading a Domain Controller• Installing a Domain Controller by Using Install from Media

Installing a Domain Controller from Server Manager

Installing a Domain Controller on a Server Core Installation of Windows Server 2012

Use the dcpromo /unattend:”D:\answerfile.txt” command to perform the unattended installation. The following is an example of text from the answer file:[DCINSTALL]UserName=<The administrative account in the domain of the new domain controller>UserDomain=<The name of the domain of the new domain controller> Password=<The password for the UserName account> SiteName=<The name of the AD DS site in which this domain controller will reside> This site must be created in advance in the Dssites.msc snap-in.ReplicaOrNewDomain=replica ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in which you want to add an additional domain controller>DatabasePath="<The path of a folder on a local volume>" LogPath="<The path of a folder on a local volume>" SYSVOLPath="<The path of a folder on a local volume>" InstallDNS=yes ConfirmGC=yes SafeModeAdminPassword=<The password for an offline administrator account> RebootOnCompletion=yes

Upgrading a Domain Controller

Options to upgrade AD DS to Windows Server 2012:

• In place upgrade (from Windows Server 2008 or Windows Server 2008 R2)• Benefit: Except for the prerequisite checks, all the files

and programs stay in-place and there is no additional work required

• Watch for: May leave legacy files and DLLs

• Introduce a new Windows Server 2012 server into the domain and promote it to be a domain controller• This option is the usually the preferred choice• Benefit: Result is a new server with no accumulated

files and settings• Watch for: May need additional work to migrate users’

file settings

Installing a Domain Controller by Using Install from Media

Lab: Installing Domain Controllers

Exercise 1: Installing a Domain Controller•Exercise 2: Installing a Domain Controller by

Using IFM

Logon InformationVirtual machines 20410B‑LON‑DC1 (start first)

20410B‑LON‑SVR120410B‑LON‑RTR20410B‑LON‑SVR2

User name Adatum\Administrator

Password Pa$$w0rdEstimated Time: 45 minutes

Lab Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have been asked also to create a new domain controller for a branch office by using IFM.

Lab Review

Why did you use Server Manager and not dcpromo.exe when you promoted a server to be a domain controller?

What are the three operations masters found in each domain?

What are the two operations masters that are present in a forest?•What is the benefit of performing an Install From Media (IFM) install of a domain controller?

Module Review and Takeaways

•Review Questions