Module 1: Implementing Active Directory® Domain Services

Presentation transcript:

Module 1: Implementing Active Directory® Domain Services

Module Overview
- Installing Active Directory Domain Services
- Deploying Read-Only Domain Controllers
- Configuring AD DS Domain Controller Roles

Lesson 1: Installing Active Directory Domain Services
- Requirements for Installing AD DS
- What Are Domain and Forest Functional Levels?
- AD DS Installation Process
- Advanced Options for Installing AD DS
- Installing AD DS from Media
- Demonstration: Verifying the AD DS Installation
- Upgrading to Windows Server® 2008 AD DS
- Installing AD DS on a Server Core Computer
- Discussion: Common Configuration for AD DS

Requirements for Installing AD DS
Administrator permissions:
- Local Administrator permissions to install the first domain controller in a forest
- Domain Administrator permissions to install additional domain controllers in a domain
- Enterprise Administrator permissions to install additional domains in a forest
Network configuration:
- TCP/IP must be configured, including DNS client settings
- DNS Server that supports dynamic updates must be available or will be configured on the domain controller
Server requirements to install AD DS:
- A computer running Windows Server 2008 (Web Server edition not supported)
- Minimum disk space of 250 MB and a partition formatted with NTFS file system

What Are Domain and Forest Functional Levels?
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest
Supported functional levels:
- Domain: Windows® 2000 native; forest: Windows 2000. Supported domain controller operating systems: Windows Server 2008, Windows Server 2003, Windows 2000 Server
- Domain: Windows Server® 2003; forest: Windows Server 2003. Supported domain controller operating systems: Windows Server 2008, Windows Server 2003
- Domain and forest: Windows Server 2008. Supported domain controller operating systems: Windows Server 2008

AD DS Installation Process
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password

Advanced Options for Installing AD DS
Use the advanced mode options to:
- Create a new domain tree
- Use backup media as the source for AD DS information
- Select the source domain controller for the installation
- Modify the default domain NetBIOS name
- Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the Installation Wizard or run DCPromo /adv

Installing AD DS from Media
Use Ntdsutil.exe to create the installation media.
Ntdsutil.exe can create the following types of installation media:
- Full (or writable) domain controller
- Full (or writable) domain controller with SYSVOL data
- Read-only domain controller
- Read-only domain controller with SYSVOL data

Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation.

Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:
- Command: adprep /forestprep. Current version: Windows 2000, Windows 2003. Before installing: Windows Server 2008 domain controllers. Must be run before other adprep commands
- Command: adprep /domainprep /gpprep. Current version: Windows Server 2000. Before installing: Windows Server 2008 domain controllers
- Command: adprep /domainprep. Current version: Windows Server 2003. Before installing: Windows Server 2008 domain controllers
- Command: adprep /rodcprep. Current version: Windows Server 2003. Before installing: Windows Server 2008 RODCs

Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file.
Use the following syntax with the Dcpromo command:
Dcpromo /answer[:filename]
where filename is the name of your answer file.

Discussion: Common Configuration for AD DS
- What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?
- How would these tasks change after you have deployed additional domain controllers in your domain?
- Which of the recommendations listed in the Server Manager apply to your organization?

Lesson 2: Deploying Read-Only Domain Controllers
- What Is a Read-Only Domain Controller?
- Read-Only Domain Controller Features
- Preparing to Install the RODC
- Installing the RODC
- Delegating the RODC Installation
- What Are Password Replication Policies?
- Demonstration: Configuring Administrator Role Separation and Password Replication Policies

What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication.
RODCs:
- Cannot hold operation master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 Server Core for additional security
RODCs provide:
- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller

Read-Only Domain Controller Features
RODCs provide:
- Unidirectional replication
- Credential caching
- Administrative role separation
- Read-only DNS
- RODC filtered attribute set

Preparing to Install the RODC
Before installing an RODC:
- Ensure that the domain and forest are at a Windows Server 2003 functional level
- Ensure a writeable domain controller running Windows Server 2008 is available to replicate the domain partition
- Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
- Run ADPrep /domainprep in all domains if the RODC will be a global catalog server

Installing the RODC
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation wizard
3. Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value

Delegating the RODC Installation
To delegate the installation of an RODC:
- Pre-create the RODC computer account in the Domain Controllers container
- Assign a user or group with permission to install the RODC
To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch

What Are Password Replication Policies?
The password replication policy determines how the RODC performs credential caching for authenticated users.
By default, the RODC does not cache any user credentials or computer credentials.
Options for configuring password replication policies:
- No credentials cached
- Enable credential caching on an RODC for specified accounts
- Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs
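
An unattended answer file for the RODC installation described above (Dcpromo /answer on Server Core, ReplicaOrNewDomain=ReadOnlyReplica, administrator role separation and the password replication policy), added here as an example that is not part of the original course material. The domain example.com, the Toronto site, the file paths and the Toronto group names are constructed placeholders.

```ini
; Constructed sample: unattended RODC promotion on a Server Core computer.
; example.com, EXAMPLE, the Toronto site and the Toronto groups are placeholders.
[DCInstall]
; Read-only replica in an existing domain (the value named on the slide)
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=example.com
SiteName=Toronto
InstallDNS=Yes
ConfirmGc=Yes

; Credentials used for the promotion. The * makes dcpromo prompt for the
; password instead of reading it from this file.
UserDomain=example.com
UserName=Administrator
Password=*

; Administrator role separation: this group administers the RODC server
; without holding any domain-wide administrative rights.
DelegatedAdmin="EXAMPLE\Toronto RODC Admins"

; Password replication policy: cache credentials for branch accounts only
; and explicitly deny caching for privileged groups.
PasswordReplicationAllowed="EXAMPLE\Toronto Branch Users"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="EXAMPLE\Denied RODC Password Replication Group"

; Location of the database, log files and SYSVOL folder
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"

; Directory Services Restore Mode password: replace the placeholder, and
; restrict access to this file while it holds the value.
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnCompletion=Yes
```

Keeping privileged groups in the denied list means that a stolen or compromised branch RODC holds cached credentials only for the branch accounts listed as allowed.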

Demonstration: Configuring Administrator Role Separation and Password Replication Policies
In this demonstration, you will see how to:
- Configure administrator role separation
- Configure the RODC password replication groups
- Track which users log on to an RODC
- Configure password replication policies for those accounts

Lesson 3: Configuring AD DS Domain Controller Roles
- What Are Global Catalog Servers?
- Modifying the Global Catalog
- Demonstration: Configuring Global Catalog Servers
- What Are Operations Master Roles?
- Demonstration: Managing Operation Master Roles
- How Windows Time Service Works

What Are Global Catalog Servers?
(Diagram labels: Domain, Global Catalog Server, Global Catalog, Query, Result)

Modifying the Global Catalog
- Create additional attributes
- Add only the additional attributes to which you query or frequently refer
Common attributes on the global catalog server: firstName, lastName, address, accountExpires, distinguishedName
Changed attributes: department, firstName, lastName, address, accountExpires, distinguishedName

Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
- Configure global catalog servers using Active Directory Sites and Services
- Configure a domain controller on Server Core as a global catalog server
- Add attributes to the global catalog server

What Are Operations Master Roles?
Role and description:
- Schema Master (one per forest): Performs all updates to the Active Directory schema
- Domain Naming Master (one per forest): Manages adding and removing all domains and directory partitions
- RID Master (one per domain): Allocates blocks of RIDs to each domain controller in the domain
- PDC Emulator (one per domain): Minimizes replication latency for password changes; synchronizes time on all domain controllers in the domain
- Infrastructure Master (one per domain): Updates object references in its domain that point to the object in another domain

Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
- Determine which server holds an operations master role
- Move an operations master role
- Seize an operations master role

How Windows Time Service Works
Time synchronization is important because:
- Kerberos authentication includes a time stamp
- Replication between domain controllers is time stamped
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.
In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers.
(Diagram labels: PDC Emulator, Domain controllers, Client computers)

Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles
- Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
- Exercise 2: Installing and Configuring an RODC
- Exercise 3: Configuring AD DS Domain Controller Roles
Logon information:
- Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 75 minutes

Lab Review
- Why did Axel’s account not have permission to create any objects in AD DS?
- What were the two connection objects that were created from NYC-DC1 to TOR-DC1?
- Why was no connection object created from TOR-DC1 to NYC-DC1?
- Could you have assigned the Domain Naming Master role to TOR-DC1?
- What would happen when you add a new attribute to the global catalog?

Module Review and Takeaways
- Review questions
- Key points