Introduction to Active Directory Domain Services


1 Introduction to Active Directory Domain Services
20410B Module 2: Introduction to Active Directory Domain Services
Presentation: 80 minutes. Lab: 45 minutes.

After completing this module, students will be able to:
- Describe the structure of Active Directory® Domain Services (AD DS).
- Describe the purpose of domain controllers.
- Install a domain controller.

Required Materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20410B_02.pptx.
Important: It is recommended that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, not all features of the slides might be displayed correctly.

Preparation Tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

2 Module Overview
- Overview of AD DS
- Overview of Domain Controllers
- Installing a Domain Controller

3 Lesson 1: Overview of AD DS
Topics: Overview of AD DS; What Are AD DS Domains?; What Are OUs?; What Is an AD DS Forest?; What Is the AD DS Schema?

Instructor note: Do not spend too much time on each topic. Remember that this is a class on Windows Server® 2012, not a class on AD DS.

4 Overview of AD DS
AD DS is composed of both physical and logical components.
Physical components: data store, domain controllers, global catalog server, RODC.
Logical components: partitions, schema, domains, domain trees, forests, sites, OUs.

Instructor notes: Go through the list of physical and logical components, offering a brief description of each.

Physical components
- Data store. Stores the AD DS information. This is a file on each domain controller.
- Domain controllers. Contain a copy of the AD DS database.
- Global catalog servers. Host the global catalog, which is a partial, read-only copy of all the domain naming contexts in the forest. A global catalog speeds up searches for objects that might be attached to other domain controllers in the forest.
- Read-only domain controllers (RODCs). A special installation of AD DS in read-only form. These are often used in branch offices, where security and IT support are often less advanced than in the main corporate centers. RODCs are sometimes installed on Server Core installations and can be secured by using Windows® BitLocker Drive Encryption.

Logical components
- Partitions. The partitions that exist in AD DS: the domain partition, configuration partition, schema partition, global catalog, and application partitions.
- Schema. Defines the list of attributes that all objects in AD DS can have.
- Domains. A logical, administrative boundary for users and computers.
- Domain trees. A collection of domain controllers that share a common root domain.
- Forests. Collections of domains that share a common AD DS.
- Sites. Collections of users, groups, and computers as defined by their physical locations. Useful when you plan administrative tasks such as replication of AD DS.
- Organizational units (OUs). Containers in AD DS that provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).

Emphasize that the OU structure does not necessarily match the organizational chart, but should be designed to meet the administrative requirements of each situation.

5 What Are AD DS Domains?
- AD DS requires one or more domain controllers.
- All domain controllers hold a copy of the domain database, which is continually synchronized.
- The domain is the context within which user, group, and computer accounts are created.
- The domain is a replication boundary.
- The domain is an administrative center for configuring and managing objects.
- Any domain controller can authenticate any logon in the domain.

6 What Are OUs?
Organizational units are containers that can be used to group objects within a domain. Create OUs to:
- Delegate administrative permissions
- Apply Group Policy

Instructor notes: Establish clearly for students the difference between OUs and containers: explain that containers are not OUs. Although containers can hold objects, they cannot have GPOs linked to them, so objects that need to be managed must be moved into OUs. Examples are user accounts, computer accounts, and groups. Remind students that the OU structure usually does not match the organizational chart; it is designed to support the delegation of administration and to provide a framework for linking GPOs. In a large organization with, for example, 50,000 users and computers, it is much more manageable to divide those objects into OUs. Discuss some of the criteria that might drive the OU structure design, such as geographical location, department, object type, and cost center.
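The following is an added Windows PowerShell example, not part of the course material, that builds an OU structure following the guidance above: OUs designed around delegation and GPO linking rather than the organizational chart. The domain is the course's adatum.com; the OU names "London", the group "LON-Helpdesk" and the GPO "London Baseline" are assumed names. It uses the ActiveDirectory and GroupPolicy modules and the built-in dsacls tool, and must run as an account that can create OUs and GPOs.

```powershell
# Added example (not from the course): OU structure for delegation and Group Policy.
# Assumed names: OU "London", group "LON-Helpdesk", GPO "London Baseline".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=adatum,DC=com
$londonOu = "OU=London,$domainDn"

# 1. OUs by location, then by object type, so each can be a delegation and GPO target.
New-ADOrganizationalUnit -Name "London" -Path $domainDn -ProtectedFromAccidentalDeletion $true
foreach ($child in "Users", "Computers", "Groups") {
    New-ADOrganizationalUnit -Name $child -Path $londonOu -ProtectedFromAccidentalDeletion $true
}

# 2. Delegate administration (least privilege): the helpdesk group may reset
#    passwords on user objects under OU=Users,OU=London only. dsacls grants the
#    "Reset Password" control-access right (CA) on objects of class user,
#    inherited to sub-objects (/I:S). Nothing else in the domain is touched.
New-ADGroup -Name "LON-Helpdesk" -GroupScope Global -Path "OU=Groups,$londonOu"
dsacls "OU=Users,$londonOu" /I:S /G "ADATUM\LON-Helpdesk:CA;Reset Password;user"

# 3. Apply Group Policy: create a GPO and link it to the OU. A GPO cannot be
#    linked to the built-in Users or Computers containers, which is why objects
#    that must be managed are moved into OUs.
New-GPO -Name "London Baseline" | New-GPLink -Target $londonOu -LinkEnabled Yes

# 4. Show the difference between containers and OUs directly under the domain.
Get-ADObject -SearchBase $domainDn -SearchScope OneLevel `
    -Filter 'ObjectClass -eq "container" -or ObjectClass -eq "organizationalUnit"' |
    Select-Object Name, ObjectClass | Sort-Object ObjectClass, Name
```

Step 4 lists the default Users and Computers containers with ObjectClass "container" next to the new London OU with ObjectClass "organizationalUnit", which is the distinction the instructor notes ask you to make.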

7 What Is an AD DS Forest?
Diagram: a forest root domain (adatum.com) with a child domain (atl.adatum.com) and a second tree root domain (fabrikam.com).

Instructor note: Use this slide to illustrate the different relationships of a child domain or another tree, but emphasize that there is no administrative difference between the two options, apart from the names.

8 What Is the AD DS Schema?
The Active Directory schema acts as a blueprint for AD DS by defining the attributes and object classes, such as:

Attributes        Classes
objectSID         User
sAMAccountName    Group
location          Computer
manager           Site
department

Instructor notes: Reinforce the concept that the schema defines the rules and syntax of the AD DS database, and provides the blueprint for any object that can be created in it. If you think that your students are having trouble understanding this concept, you could use this analogy or something similar: In a restaurant, there is a burger and a cheeseburger on the menu. If you order one of these, there are certain mandatory components, or attributes, and additional optional extras, as shown in the following table.

Attribute   Burger      Cheeseburger
Meat        Mandatory   Mandatory
Bun         Mandatory   Mandatory
Cheese      Optional    Mandatory
Onions      Optional    Optional
Pickle      Optional    Optional
Lettuce     Optional    Optional
Bacon       Optional    Optional
Ketchup     Optional    Optional

In a similar way, the schema defines the objects that reside in the AD DS database, and defines the mandatory and optional attributes, their syntax, and the relationships between them. Notice that the attributes are defined first, and then the objects are defined based on the underlying attributes. Thus, an attribute that is optional for one object might be mandatory for another. Optionally, you can demonstrate the Schema Management tool to show how the objects are defined from attributes. You can also show the hierarchy of objects and the inherited attributes. For example, the parent object for User is Organizational Person, the parent object for Organizational Person is Person, and the parent object for Person is an object called Top. Point out to students that attributes are defined at each level in the hierarchy, so the User object contains all of the attributes that are defined on the User class, and all of the attributes defined farther up the object hierarchy (Organizational Person, Person, Top).
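The class hierarchy described in the notes (User, Organizational Person, Person, Top) can be read straight out of the schema partition. The following is an added example, not from the course, that walks the subClassOf chain for the user class and lists the mandatory and optional attributes defined at each level. It needs only the ActiveDirectory module and read access to the schema; the function name Get-SchemaClassChain is an assumed name.

```powershell
# Added example (not from the course): walk the schema class hierarchy for a
# class and show which attributes each level contributes. Read-only.
Import-Module ActiveDirectory

function Get-SchemaClassChain {
    param([string]$ClassName = "user")
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $current  = $ClassName
    while ($current) {
        $cls = Get-ADObject -SearchBase $schemaNc `
                 -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
                 -Properties lDAPDisplayName, subClassOf, mustContain, systemMustContain,
                             mayContain, systemMayContain
        if (-not $cls) { break }
        [pscustomobject]@{
            Class     = $cls.lDAPDisplayName
            Parent    = $cls.subClassOf
            Mandatory = @($cls.systemMustContain) + @($cls.mustContain)
            Optional  = @($cls.systemMayContain)  + @($cls.mayContain)
        }
        # "top" is its own superclass, so stop once it has been reported.
        if ($cls.lDAPDisplayName -eq "top" -or $cls.subClassOf -eq $cls.lDAPDisplayName) { break }
        $current = $cls.subClassOf
    }
}

# user -> organizationalPerson -> person -> top, as on the slide.
$chain = Get-SchemaClassChain -ClassName "user"
foreach ($level in $chain) {
    "Class {0} (parent: {1})" -f $level.Class, $level.Parent
    "  mandatory: " + ($level.Mandatory -join ', ')
    "  optional : {0} attributes" -f $level.Optional.Count
}

# The attribute set of a User object is the union of all four levels. This walk
# ignores auxiliary classes (auxiliaryClass / systemAuxiliaryClass), which add
# further attributes such as those of securityPrincipal.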

9 Lesson 2: Overview of Domain Controllers
20410B Lesson 2: Overview of Domain Controllers 2: Introduction to Active Directory Domain Services What Are Operations Masters? This lesson describes the purpose of domain controllers and introduces the concept of the global catalog. It also describes in detail the logon process. This lesson covers the importance of DNS, particularly service resource (SRV) records, to the logon process. It also examines various operations master roles and how they contribute to the functioning of the AD DS domain. Question Why would you make a domain controller a global catalog server? Answer Queries that are directed at the forest (rather than the domain) need to be directed to a global catalog server. This is because a domain controller that is not a global catalog only holds information about the objects in its own domain. As a best practice, you should configure every domain controller to be a global catalog, even in a single domain forest.

10 What Is a Domain Controller?
20410B What Is a Domain Controller? 2: Introduction to Active Directory Domain Services Domain Controllers Servers that host the Active Directory database (NTDS.DIT) and SYSVOL Kerberos authentication service and KDC services perform authentication Best practices: Availability: At least two domain controllers in a domain Security: RODC and BitLocker Emphasize to students that the database and services are stored on servers called domain controllers. Domain controllers—servers that perform the AD DS role—host the Active Directory database, SYSVOL, the Kerberos authentication service and other Active Directory services. For redundancy purposes, it is best to have at least two available domain controllers. Highlight that all domain controllers in a domain essentially are equal. Each domain controller contains a copy of the directory store, and updates can be made to the AD DS data on all domain controllers except for RODCs. Emphasize the importance of having multiple domain controllers in each domain. This provides load balancing, but more importantly, it also provides recoverability if a server failure occurs. Mention that all domain controllers engage in authentication and authorization, thus making it a redundant system with fewer fail points. This topic does not provide much information about best practices. If students are interested, you can go into more detail about installing domain controllers in remote sites to protect against an unavailable wide area network (WAN) connection. You can also talk about increasing the number of domain controllers to account for redundancy and performance.

11 What Is the Global Catalog?
2: Introduction to Active Directory Domain Services Domain B Domain A Configuration Schema Global catalog: Hosts a partial attribute set for other domains in the forest Supports queries for objects throughout the forest Describe the role of the global catalog server when searching for objects across domains in a forest. Define a global catalog as a domain controller that replicates the partial attribute set for each domain in the forest. The domain controller does not need the partial attribute set for its own domain because it already has the full copy of the domain database, and only needs the changes made to other domains. That is why, in a single domain environment, making every domain controller a global catalog server adds no significant replication. Question Should a domain controller be a global catalog? Answer Every domain controller should be a global catalog. (In some extreme situations, there might be a reason not to do so.) However, most large, distributed organizations are doing just that, so it also makes sense for less complex, smaller organizations. Global catalog server

12 The AD DS Logon Process The AD DS logon process:
20410B The AD DS Logon Process 2: Introduction to Active Directory Domain Services The AD DS logon process: User Account is authenticated to DC1 DC1 returns TGT back to client Client uses TGT to apply for access to WKS1 DC1 grants access to WKS1 Client uses TGT to apply for access to SVR1 DC1 returns access to SVR1 DC1 SVR1 WKS1 Use this slide to illustrate how the logon process works. In the first phase, the user account is authenticated to DC1. In the second phase, the user account applies to the domain controller for a ticket to gain authorization to connect with the local computer. A centralized directory service such as AD DS provides a single identity store, authentication service, and point of management for administration. Emphasize the advantages of a single identity store for security and manageability. 

13 Demonstration: Viewing the SRV Records in DNS
20410B Demonstration: Viewing the SRV Records in DNS 2: Introduction to Active Directory Domain Services In this demonstration, you will see how to use DNS Manager to view SRV records Demonstrate the SRV records in Domain Name System (DNS) briefly, or as appropriate for the level of student experience or interest. After showing the sub‑domains that start with an underscore, explain that domain controllers register several SRV records so that they are searchable in multiple ways. Look for an SRV record in _tcp.Default‑First‑Site‑Name._sites.adatum.com that is offering the Kerberos authentication service. Examine the record and show that server LON‑DC1.adatum.com is offering the Kerberos authentication service over TCP port 88, and that the server is answering for the site Default‑First‑Site‑Name. This is the preferred domain controller to connect to because the domain controller is in the same AD DS site as the client computer. Point out that, because domain controllers register SRV records in many different ways, it is possible to find an alternative if the preferred domain controller is not available. Alternatively, you could also open C:\windows\system32\config with Notepad, and demonstrate netlogon.dns to illustrate all of the SRV records that each domain controller will register in DNS. Note that SRV records are registered in DNS by the Net Logon service that is running on each domain controller. If the SRV records are not entered in DNS correctly, you can trigger the domain controller to reregister those records by restarting the Net Logon service on that domain controller. This only reregisters the SRV records. If you want to reregister the host record information in DNS, you must run ipconfig /registerdns from the command line, just as you would for any other computer. Preparation Steps If it is not already running, start 20410B‑LON‑DC1, and then sign in to Adatum\Administrator with the password Pa$$w0rd. 
Open DNS Manager to demonstrate the SRV Records, and use Notepad to display the contents of the netlogon.dns file. (More notes on the next slide)

14 2: Introduction to Active Directory Domain Services
20410B 2: Introduction to Active Directory Domain Services Demonstration Steps View the SRV records by using DNS Manager On LON‑DC1, sign in with the user account Adatum\Administrator and the password Pa$$w0rd. In Server Manager, click the Tools menu. In the Tools list, click DNS. In the tree menu, expand LON‑DC1, expand Forward Lookup Zones, expand adatum.com, and show the following four DNS subzones: _msdcs _sites _tcp _udp Expand Forward Lookup Zones, expand adatum.com, expand _sites, expand Default‑First‑Site‑Name, expand _tcp, and then, in the right pane, show the following record: _ldap Service Location (SRV) [0][100][389] lon‑dc1.adatum.com. If the students have sufficient expertise and interest, open c:\windows\system32\config, and then open the netlogon.dns file in Notepad. Show all the SRV records that this domain controller will register in DNS.

15 What Are Operations Masters?
20410B What Are Operations Masters? 2: Introduction to Active Directory Domain Services In any multimaster replication topology, some operations must be single master Many terms are used for single master operations in AD DS, including the following: Discuss each of the operations master roles in as much depth as you feel is appropriate for the students. Be sure to point out that most master roles are so specific that the master could be offline for a while without causing any problems. For example, you do not need the schema master until you make changes to the schema, and you do not need the domain naming master until you add or remove a domain in the forest. Point out that other domain services can be slowed or disrupted if a domain controller is offline and not available. Be sure to point out to students that these roles all run on a domain controller, so the loss of a domain controller could cause serious problems. Domain Flexible Single Master Operations (FSMOs) are needed on a more regular basis than those in the forest root domain, particularly the primary domain controller (PDC) emulator. The relative ID (RID) master provides a pool of RIDs to each domain controller. If this master is not available, eventually a domain controller will attempt to create an account and will be unable to do so. Talk through the five PDC functions to the level of detail that is provided in the student handbook. Enforce that if the PDC emulator master is not available or is slow to respond, you are more likely to have issues in the domain. You can find which domain controllers are FSMO holders by typing the following at a command prompt, and then pressing Enter: Netdom query fsmo Operations master (or operations master roles) Single master roles FSMOs Roles Forest: Domain naming master Schema master Domain: RID master Infrastructure master PDC Emulator master

16 Lesson 3: Installing a Domain Controller
20410B Lesson 3: Installing a Domain Controller 2: Introduction to Active Directory Domain Services Installing a Domain Controller by Using Install from Media Depending on the students’ experience with AD DS, you might have to explain in more detail the implications of no longer being able to run the dcpromo.exe tool as a GUI wizard. This tool is only used in Windows Server 2012 for an unattended installation. Mention to students that you can remotely promote a server to be a domain controller by using Server Manager running on Windows Server 2012. Emphasize to the students that this module is only concerned with installing domain controllers by using the GUI tools. There are other ways of installing domain controllers by using scripting tools such as Windows PowerShell® or VBScript. Question What is the reason to specify the Directory Services Restore Mode password? Answer If the AD DS database must be restored from backup, the domain controller must be restarted into Directory Services Restore Mode. You then must use the Directory Services Restore Mode password to log on to the domain controller when it starts in Directory Services Restore Mode.

17 Installing a Domain Controller from Server Manager
20410B Installing a Domain Controller from Server Manager 2: Introduction to Active Directory Domain Services Use Server Manager to run through the initial process of installing an AD DS domain controller. Show the option to choose the local server or a remote server from the server pool. Explain that the initial pass installs the binaries for AD DS, and then you can continue to configure the AD DS installation.

18 Installing a Domain Controller on a Server Core Installation of Windows Server 2012
Use the dcpromo /unattend:"D:\answerfile.txt" command to perform the unattended installation. The following is an example of text from the answer file:

    [DCINSTALL]
    UserName=<The administrative account in the domain of the new domain controller>
    UserDomain=<The name of the domain of the new domain controller>
    Password=<The password for the UserName account>
    SiteName=<The name of the AD DS site in which this domain controller will reside. This site must be created in advance in the Dssites.msc snap-in.>
    ReplicaOrNewDomain=replica
    ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in which you want to add an additional domain controller>
    DatabasePath="<The path of a folder on a local volume>"
    LogPath="<The path of a folder on a local volume>"
    SYSVOLPath="<The path of a folder on a local volume>"
    InstallDNS=yes
    ConfirmGC=yes
    SafeModeAdminPassword=<The password for an offline administrator account>
    RebootOnCompletion=yes

Instructor notes: Describe the command displayed on the slide, and refer to the answer file (answerfile.txt). Remind the students that dcpromo.exe cannot be used in GUI format in Windows Server 2012, but can still be typed at a command prompt to perform an unattended installation.
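The lesson mentions Windows PowerShell as the other scripted way to promote a Server Core server. The following is an added example, not from the course, that performs the same replica promotion as the answer file above with the ADDSDeployment module, with each parameter annotated with the answer-file key it replaces. It assumes the course's domain adatum.com and site Default-First-Site-Name, local paths D:\NTDS and D:\SYSVOL, and a Domain Admins account; both the domain credential and the Directory Services Restore Mode password are prompted for rather than stored in the script, because the DSRM password is the only credential that works when the DC is started in Directory Services Restore Mode.

```powershell
# Added example (not from the course): PowerShell equivalent of the dcpromo
# answer file for adding a replica DC. Assumed: adatum.com, site
# Default-First-Site-Name, paths D:\NTDS and D:\SYSVOL.
Import-Module ServerManager

# What Server Manager's first pass does: install the AD DS binaries.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Prompt for secrets; never place Password= or SafeModeAdminPassword= in a file.
$cred = Get-Credential -UserName "ADATUM\Administrator" -Message "Domain account"  # UserName / UserDomain / Password
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password" # SafeModeAdminPassword

$params = @{
    DomainName                    = "adatum.com"               # ReplicaDomainDNSName
    Credential                    = $cred
    SiteName                      = "Default-First-Site-Name"  # SiteName (must already exist)
    DatabasePath                  = "D:\NTDS"                  # DatabasePath
    LogPath                       = "D:\NTDS"                  # LogPath
    SysvolPath                    = "D:\SYSVOL"                # SYSVOLPath
    InstallDns                    = $true                      # InstallDNS=yes
    NoGlobalCatalog               = $false                     # ConfirmGC=yes
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false                     # RebootOnCompletion=yes
    Force                         = $true                      # no interactive confirmation
}

# Prerequisite check first (no changes made). The test cmdlet takes the same
# deployment parameters, so reuse them without the promotion-only switches.
$testParams = $params.Clone()
$testParams.Remove("NoRebootOnCompletion")
$testParams.Remove("Force")
$check = Test-ADDSDomainControllerInstallation @testParams
if ($check.Status -ne "Success") {
    $check | Format-List
    return
}

# ReplicaOrNewDomain=replica is implied by this cmdlet; a new domain in an
# existing forest would use Install-ADDSDomain and a new forest Install-ADDSForest.
Install-ADDSDomainController @params
```

Running the check step on its own is a safe way to validate the paths, site name and DNS settings before touching a production domain, and it is the scripted counterpart of the prerequisite page in the Server Manager wizard.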

19 Upgrading a Domain Controller
20410B Upgrading a Domain Controller 2: Introduction to Active Directory Domain Services Options to upgrade AD DS to Windows Server 2012: In place upgrade (from Windows Server 2008 or Windows Server 2008 R2) Benefit: Except for the prerequisite checks, all the files and programs stay in-place and there is no additional work required Watch for: May leave legacy files and DLLs Introduce a new Windows Server 2012 server into the domain and promote it to be a domain controller This option is the usually the preferred choice Benefit: Result is a new server with no accumulated files and settings Watch for: May need additional work to migrate users’ file settings

20 Installing a Domain Controller by Using Install from Media
2: Introduction to Active Directory Domain Services Point out to students that because they are installing the domain controller using the IFM method, they should select the Install from media path check box. The next step is to type the path to the snapshot file in the Install from media path box.

21 Lab: Installing Domain Controllers
2: Introduction to Active Directory Domain Services Exercise 2: Installing a Domain Controller by Using IFM Before the students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind the students to complete the discussion questions after the last lab exercise. Exercise 1: Installing a Domain Controller Users have been experiencing slow logons in London during peak usage times. The server team has determined that the domain controllers are overwhelmed when many users are authenticating simultaneously. To improve logon performance, you are adding a new domain controller in the London data center. Exercise 2: Installing a Domain Controller by Using IFM You have been assigned by management to manage one of the new branch offices that are being configured. A faster network connection is scheduled to be installed in a few weeks. Until that time, network connectivity is very slow. It has been determined that the branch office requires a domain controller to support local logons. To avoid problems with the slow network connection, you are using IFM to install the domain controller in the branch office. Instructor Note: Once the domain controller is established by using the IFM media, when it reboots it connects to other domain controllers and receives any updates and changes that occurred since the IFM backup was created. Logon Information Virtual machines B‑LON‑DC1 (start first) 20410B‑LON‑SVR1 20410B‑LON‑RTR 20410B‑LON‑SVR2 User name Adatum\Administrator Password Pa$$w0rd Estimated Time: 45 minutes

22 Lab Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have also been asked to create a new domain controller for a branch office by using IFM.

23 Lab Review
Question: Why did you use Server Manager and not dcpromo.exe when you promoted a server to be a domain controller?
Answer: In Windows Server® 2012, dcpromo.exe is deprecated and its uses are limited. For example, it is only used at a command prompt, such as to perform an unattended installation of AD DS, or when it is necessary to do a complete domain controller promotion from a command-line interface. Server Manager is the preferred tool, or you can use Windows PowerShell® or some other scripted method.

Question: What are the three operations masters found in each domain?
Answer: The three operations masters are the relative ID (RID) master, the infrastructure master, and the primary domain controller (PDC) emulator master.

Question: What are the two operations masters that are present in a forest?
Answer: The two operations masters that are present in a forest are the schema master and the domain naming master.

Question: What is the benefit of performing an Install From Media (IFM) install of a domain controller?
Answer: When you have an unreliable wide area network (WAN) link, performing an IFM install reduces the use of the WAN link and provides a more reliable installation process.

24 Module Review and Takeaways
20410B Module Review and Takeaways 2: Introduction to Active Directory Domain Services Review Questions Review Questions Point students to the appropriate section in the course so that they are able to answer the questions that this section presents. Question What are the two main purposes of OUs? Answer The two main purposes of OUs are to provide a framework for delegations of administration and to provide a structure to enable the targeted deployment of GPOs. Why would you need to deploy an additional tree in the AD DS forest? You would want to deploy an additional tree in the AD DS forest if you needed more than one DNS namespace. Which deployment method would you use if you had to install an additional domain controller in a remote location that had a limited WAN connection? You would use the IFM option, because it eliminates the need to copy the entire AD DS database over the WAN link. If you needed to promote a Server Core installation of Windows Server 2012 to be a domain controller, which tool or tools could you use? To promote a Server Core installation of Windows Server 2012 to a domain controller, you could use the following tools: Server Manager, which would allow you to install AD DS remotely Windows PowerShell 3.0 Run the command dcpromo /unattend on the Server Core server

