Week 2 - Domain Controllers and Operations Masters


1 Week 2 - Domain Controllers and Operations Masters
Course 6425B, Module 11: Administering AD DS Domain Controllers
- Domain Controller Installation Options
- Install a Server Core DC
- Manage Operations Masters

2 Install and Configure a Domain Controller
Course 6425B, Module 1: Introducing Active Directory Domain Services
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
Notes: Outline the major steps of installing and configuring a domain controller. Students will perform these steps in the Lab for this module. In this module the focus is on a new Windows Server 2008 forest with a single domain tree, a single domain, and a single domain controller. Other modules explore more complex multisite topologies, domains with multiple domain controllers, multiple-domain forests, and multiple-forest models.

3 Prepare to Create a New Forest with Windows Server 2008
Course 6425B, Module 1: Introducing Active Directory Domain Services
Before beginning to create a new domain or forest, you must collect certain configuration information that will be requested during installation:
- Domain's DNS name (e.g. contoso.com)
- Domain's NetBIOS name (e.g. contoso)
- Whether the new forest will need to support DCs running previous versions of Windows (affects the choice of functional level)
- Details about how DNS will be implemented to support AD DS. Default: creating the domain controller also adds the DNS Server role
- IP configuration for the DC: IPv4 and, optionally, IPv6
- Username and password of an account in the server's Administrators group. The account must have a password.
- Location for the data store (ntds.dit) and SYSVOL. Default: %systemroot% (c:\windows)

4 Unattended Installation Options and Answer Files
Course 6425B, Module 11: Administering AD DS Domain Controllers
- Options can be specified at the command line as /option:value, for example /newdomaindnsname:contoso.com
- dcpromo.exe /?[:operation] displays help
- Options can be specified in an answer file and called using dcpromo.exe /unattend:"path to answer file"
- Options on the command line override the answer file
- Options not specified will be prompted for by the wizard
Answer file example:
[DCINSTALL]
NewDomainDNSName=contoso.com

5 Install a New Windows Server 2008 Forest
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /unattend:"path":
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fqdn
DomainNetBiosName=name
ForestLevel={0, 2, 3}
DomainLevel={0, 2, 3}
InstallDNS=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
Equivalent command line:
dcpromo.exe /unattend /installDNS:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest ^
  /newDomainDnsName:contoso.com /DomainNetbiosName:contoso ^
  /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" ^
  /safeModeAdminPassword:password /forestLevel:3 /domainLevel:3 /rebootOnCompletion:yes

6 Prepare an Existing Domain for Windows Server 2008 DCs
Course 6425B, Module 11: Administering AD DS Domain Controllers
ADPrep (adprep.exe) prepares AD DS for the first DC running a version of Windows newer than the current DCs. It is located in the DVD:\sources folder.
- adprep /forestprep: log on to the schema master (see Lesson 3) as a member of Enterprise Admins, Schema Admins, and Domain Admins. Run once per forest. Wait for the change to replicate.
- adprep /domainprep /gpprep: log on to the infrastructure master as a member of Domain Admins. Run once per domain. Wait for the change to replicate.
- adprep /rodcprep: log on to any computer as a member of Enterprise Admins. Run once per forest. Wait for the change to replicate.

7 Install an Additional DC in a Domain
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /unattend:"path":
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
Equivalent command line:
dcpromo.exe /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:contoso.com /installDNS:yes /confirmGC:yes ^
  /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" ^
  /safeModeAdminPassword:password /rebootOnCompletion:yes

8 Install a New Windows Server 2008 Child Domain
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /unattend:"path":
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=child
ParentDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
ChildName=name*
DomainNetBiosName=name
DomainLevel={0, 2, 3}*
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
Equivalent command line:
dcpromo.exe /unattend /installDNS:yes /replicaOrNewDomain:domain /newDomain:child ^
  /ParentDomainDNSName:contoso.com /newDomainDnsName:na.contoso.com /childName:subsidiary /DomainNetbiosName:subsidiary ^
  /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" ^
  /safeModeAdminPassword:password /forestLevel:3 /domainLevel:3 /rebootOnCompletion:yes
Notes (TRICKY!): The ChildName parameter is the prefix domain name, for example corp. The fully qualified domain name of the new domain automatically becomes ChildName.ParentDomainDNSName, for example corp.contoso.com. UserName/Password must be for an account that has permission to add a child domain. Note that you are also providing a username and password for an account to create the DNS delegation. The DomainLevel of the new domain cannot be lower than the ForestLevel of the forest.

9 Install a New Domain Tree in a Forest
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /unattend:"path":
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=fqdn
DomainNetBiosName=name
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
DomainLevel={0, 2, 3}*
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
Equivalent command line:
dcpromo.exe /unattend /installDNS:yes /replicaOrNewDomain:domain /newDomain:tree ^
  /newDomainDnsName:tailspintoys.com /DomainNetbiosName:tailspintoys ^
  /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" ^
  /safeModeAdminPassword:password /domainLevel:2 /rebootOnCompletion:yes
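As an added example (not part of the course materials), the following PowerShell function builds a [DCINSTALL] answer file for the child-domain and domain-tree scenarios on slides 8 and 9, enforcing the slide 8 rules (ChildName is a prefix only; DomainLevel not below the forest level) before dcpromo reads it, and restricts the file because it carries the DSRM password in clear text. The function name, its parameters and the sample values are this example's own assumptions; it assumes PowerShell is available on the server being promoted.

```powershell
# Added example, not course code: validate and write a [DCINSTALL] answer file
# for a new child domain or domain tree, then promote with dcpromo.
function New-DcInstallAnswerFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Options,   # DCINSTALL key/value pairs
        [Parameter(Mandatory)][string]$Path,         # where to write the answer file
        [int]$ForestLevel = 0                        # functional level of the existing forest
    )
    # Parameters every child-domain or tree installation needs (slides 8 and 9)
    $required = @('ReplicaOrNewDomain', 'NewDomain', 'UserDomain', 'UserName', 'Password',
                  'DomainLevel', 'DomainNetBiosName', 'DatabasePath', 'LogPath',
                  'SYSVOLPath', 'SafeModeAdminPassword')
    switch ($Options['NewDomain']) {
        'child' { $required += 'ParentDomainDNSName', 'ChildName' }
        'tree'  { $required += 'NewDomainDNSName' }
        default { throw "NewDomain must be 'child' or 'tree' for this helper" }
    }
    $missing = $required | Where-Object { -not $Options.ContainsKey($_) }
    if ($missing) { throw "Missing DCINSTALL keys: $($missing -join ', ')" }

    if ($Options['NewDomain'] -eq 'child') {
        # ChildName is only the prefix; the FQDN is derived from it and the parent name
        if ($Options['ChildName'] -match '\.') {
            throw "ChildName must be a single label such as 'corp', not an FQDN"
        }
        Write-Verbose ("New domain will be {0}.{1}" -f $Options['ChildName'], $Options['ParentDomainDNSName'])
    }
    # The new domain's functional level cannot be lower than the forest functional level
    if ([int]$Options['DomainLevel'] -lt $ForestLevel) {
        throw "DomainLevel $($Options['DomainLevel']) is lower than forest level $ForestLevel"
    }

    $lines = @('[DCINSTALL]') + ($Options.GetEnumerator() | Sort-Object Name |
                                  ForEach-Object { '{0}={1}' -f $_.Name, $_.Value })
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # The file carries SafeModeAdminPassword in clear text: limit it to Administrators
    icacls $Path /inheritance:r /grant:r 'Administrators:F' | Out-Null
    return $Path
}

# Constructed sample values. Password=* makes dcpromo prompt for the account
# password (as on slides 15 and 16) instead of storing it in the file.
$opts = @{
    ReplicaOrNewDomain = 'domain'; NewDomain = 'child'; ParentDomainDNSName = 'contoso.com'
    ChildName = 'corp'; DomainNetBiosName = 'corp'; UserDomain = 'contoso.com'
    UserName = 'CONTOSO\dan'; Password = '*'; DomainLevel = 3; InstallDNS = 'yes'
    CreateDNSDelegation = 'yes'; DNSDelegationUserName = 'CONTOSO\dan'; DNSDelegationPassword = '*'
    DatabasePath = 'e:\ntds'; LogPath = 'f:\ntdslogs'; SYSVOLPath = 'g:\sysvol'
    SafeModeAdminPassword = (Read-Host 'DSRM password'); RebootOnCompletion = 'no'
}
$file = New-DcInstallAnswerFile -Options $opts -Path "$env:TEMP\dcinstall.txt" -ForestLevel 3 -Verbose
dcpromo.exe /unattend:"$file"
Remove-Item $file -Force   # RebootOnCompletion=no so this clean-up runs before the reboot
```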

10 Install AD DS from Media
Course 6425B, Module 11: Administering AD DS Domain Controllers
Install from media (IFM):
- Create installation media: a specialized AD DS backup
- Use the installation media for creation of the DC
- Significantly reduces over-the-network replication
- The DC will still need to replicate any changes made after the backup
Creating the media with ntdsutil:
ntdsutil
  activate instance ntds
  ifm
    create sysvol full <path>   media with SYSVOL for a writable DC
    create full <path>          media without SYSVOL for a writable DC
    create sysvol rodc <path>   media with SYSVOL for a read-only DC
    create rodc <path>          media without SYSVOL for a read-only DC
Using the media: in the Active Directory Domain Services Installation Wizard, select Use Advanced Mode Installation; or use the ReplicationSourcePath option/switch.

11 Authentication and Domain Controller Placement in a Branch Office
Course 6425B, Module 9: Improving the Security of Authentication in an AD DS Domain
Data center:
- Personnel
- Secure facilities
- Authentication of branch users is subject to the availability and performance of the WAN
Branch office:
- Few, if any, personnel
- Less secure facilities
- A DC in the branch improves authentication, but raises concerns:
  - Security: exposure of the AD database
  - Directory service integrity: corruption at the branch replicating to other DCs
  - Administration: administering the DC requires Domain Admins membership

12 Read-Only Domain Controllers
Course 6425B, Module 9: Improving the Security of Authentication in an AD DS Domain
Data center:
- Writeable Windows Server 2008 DC
- Password Replication Policy (PRP): specifies which user (and computer) passwords can be cached by the RODC
Branch office RODC:
- All objects, a subset of attributes, no "secrets"
- Not writeable
- Users log on; the RODC forwards authentication; the password is cached if the PRP allows
- Has a local Administrators group
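As an added example (not part of the course materials), this PowerShell function audits the branch-office exposure described on slides 11 and 12: it reads an RODC's PRP allowed list and the accounts whose secrets the RODC has actually cached, and flags any cached account that belongs to a privileged group. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); the function name, the group list and the RODC name BRANCH-RODC1 are this example's own constructed values.

```powershell
# Added example, not course code: report which accounts an RODC has cached and
# whether any of them are privileged, plus what its PRP currently allows.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Rodc,            # RODC computer name (constructed below)
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators', 'Account Operators')
    )
    # Distinguished names of every nested member of the privileged groups
    $privilegedDns = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $_.DistinguishedName }
    }
    # What the PRP permits the RODC to cache (typically groups)
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList
    Write-Verbose ("PRP allowed list on {0}: {1}" -f $Rodc, (($allowed | ForEach-Object { $_.Name }) -join ', '))

    # What has actually been cached on this RODC (the real exposure if it is stolen)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $revealed) {
        $isPrivileged = $privilegedDns -contains $acct.DistinguishedName
        if ($isPrivileged) {
            Write-Warning "Privileged account $($acct.SamAccountName) has its secret cached on $Rodc"
        }
        [pscustomobject]@{
            Rodc       = $Rodc
            Account    = $acct.SamAccountName
            Privileged = $isPrivileged
        }
    }
}

# Constructed usage: list every cached account, privileged ones first
Get-RodcSecretExposure -Rodc 'BRANCH-RODC1' -Verbose | Sort-Object Privileged -Descending | Format-Table -AutoSize
```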

13 Deploy an RODC
Course 6425B, Module 9: Improving the Security of Authentication in an AD DS Domain
- Ensure the forest functional level is Windows Server 2003 or higher:
  - All domain controllers running Windows Server 2003 or later
  - All domains at a functional level of Windows Server 2003 or higher
  - Forest functional level set to Windows Server 2003 or higher
- Ensure that there is at least one writeable DC running Windows Server 2008. If not, run adprep /forestprep and install one Windows Server 2008 writable DC.
- If the forest has any DCs running Windows Server 2003, run adprep /rodcprep (Windows Server 2008 CD:\sources\adprep folder)
- Install the RODC with the Active Directory Domain Services Installation Wizard (dcpromo), or stage the installation of an RODC from the Domain Controllers OU

14 Stage the Installation of an RODC
Course 6425B, Module 11: Administering AD DS Domain Controllers
- Create the account for the RODC: right-click the Domain Controllers OU -> Pre-Create Read-only Domain Controller Account
- Delegation of RODC installation and administration: delegate to a group. Members of the group can join the RODC to the domain, and are local Administrators after the join.
- Attach the server to the RODC account: the server must be a member of a workgroup; run dcpromo /UseExistingAccount:attach

15 Attach a Server to a Prestaged RODC Account
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /useexistingaccount:attach /unattend:"path":
[DCINSTALL]
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
Equivalent command line:
dcpromo.exe /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com /UserDomain:contoso.com ^
  /UserName:contoso\dan /password:* ^
  /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" ^
  /safeModeAdminPassword:password /rebootOnCompletion:yes
GUI: Active Directory Domain Services Installation Wizard, started with dcpromo.exe /useexistingaccount:attach

16 Remove a Domain Controller
Course 6425B, Module 11: Administering AD DS Domain Controllers
Answer file, used with dcpromo.exe /uninstallbinaries /unattend:"path":
[DCINSTALL]
UserName=DOMAIN\username*
UserDomain=fqdn
Password=password*
AdministratorPassword=password*
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
Equivalent command line:
dcpromo.exe /unattend /uninstallbinaries /UserName:contoso\dan /password:* /administratorpassword:Pa$$w0rd
GUI: Active Directory Domain Services Installation Wizard, started with dcpromo.exe
Command line: dcpromo.exe /uninstallbinaries
If the DC cannot contact the domain: dcpromo /forceremoval. You must then clean up the metadata: KB
Notes: Explain that if you run DCPromo on an existing DC, it automatically goes into "removal" mode. Highlight the /uninstallbinaries switch used for command-line and answer file based removals.

17 Understand Server Core
Course 6425B, Module 11: Administering AD DS Domain Controllers
- Minimal installation: 3 GB disk space, 256 MB RAM
- No GUI: command-line local UI. GUI tools can be used remotely.
Features: Microsoft Failover Cluster, Network Load Balancing, Subsystem for UNIX applications, Windows Backup, Multipath I/O, Removable Storage Management, Windows BitLocker Drive Encryption, SNMP, WINS, Telnet client, Quality of Service (QoS)
Roles: Active Directory Domain Services, Active Directory Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, File Services, Print Server, Streaming Media Services, Web Server (HTML; R2 adds .NET), Hyper-V

18 Install Server Core
Course 6425B, Module 11: Administering AD DS Domain Controllers
Select the Server Core Installation option in Windows setup.

19 Server Core Configuration Commands
Course 6425B, Module 11: Administering AD DS Domain Controllers
Task | Command
Change the Administrator password | net user administrator * (you are also prompted to change it when you first log on with Ctrl+Alt+Delete)
Set a static IPv4 configuration | netsh interface ipv4
Activate Windows Server | cscript c:\windows\system32\slmgr.vbs -ato
Join a domain | netdom
Add Server Core roles, components, or features | ocsetup.exe <package or feature> (package and feature names are case sensitive)
Display installed roles, components, and features | oclist.exe
Enable Remote Desktop | cscript C:\windows\system32\scregedit.wsf /AR 0
Promote a domain controller | dcpromo.exe
Configure DNS | dnscmd.exe
Configure DFS | dfscmd.exe
Notes: Performing the initial configuration of Server Core requires command-line tools that some students will not be familiar with. Inform students that they will actually perform these commands to configure a Server Core installation as part of the Lab for this lesson. Remind students that they learned how to use DCPromo with command-line options and with an answer file in Lesson 1. Remind students that some commands, such as DNSCMD and DFSCMD, are not really necessary, as you can more easily manage DNS and DFS remotely with the GUI MMC consoles.

20 Understand Single Master Operations
Course 6425B, Module 11: Administering AD DS Domain Controllers
- In any multimaster replication topology, some operations must be "single master"
- Many terms are used for single master operations in AD DS: operations master (or operations master roles), single master roles, operations tokens, flexible single master operations (FSMOs)
Roles:
- Forest: domain naming, schema
- Domain: relative identifier (RID), infrastructure, PDC emulator

21 Operations Master Roles
Course 6425B, Module 11: Administering AD DS Domain Controllers
Forest-wide:
- Domain naming: adds/removes domains to/from the forest
- Schema: makes changes to the schema
Domain-wide:
- RID: provides "pools" of RIDs to DCs, which use them to build SIDs
- Infrastructure: tracks changes to objects in other domains that are members of groups in this domain
- PDC: plays several very important roles
  - Emulates a Primary Domain Controller (PDC) for compatibility
  - Special password update handling
  - Default target for Group Policy updates
  - Master time source for the domain
  - Domain master browser
Notes: Discuss each of the roles in as much depth as you feel is appropriate for the students. Be sure to point out that most master roles are so "specific" that the master could be offline for days, weeks, months or years without problem. For example, you don't need the schema master until you make changes to the schema, and you don't need the domain naming master until you add or remove a domain in the forest. Domain FSMOs are needed on a more regular basis, particularly the PDC. The RID master provides a pool of RIDs to each DC; if it is not available, eventually a DC will attempt to create an account and will be unable to do so. Talk through the five PDC functions to the level of detail that is provided in the Student Manual. Emphasize that if the PDC is not available or is slow to respond, you are more likely to "feel the pain" in the domain.

22 Optimize the Placement of Operations Masters
Course 6425B, Module 11: Administering AD DS Domain Controllers
- The forest root DC (first DC in the forest) has all roles by default
Best practice guidance:
- Co-locate the schema master and domain naming master on a GC
- Co-locate the RID master and PDC emulator roles
- Place the infrastructure master on a DC that is not a GC*
- Have a failover plan
* Real-world enhancements to the best-practice guidance:
- Consider configuring all DCs as GCs. In a single-domain forest this does not increase replication traffic.
- If all DCs are GCs, the infrastructure master role is not "necessary": it still exists, but does not start on a GC and is not needed

23 Identify Operations Masters
Course 6425B, Module 11: Administering AD DS Domain Controllers
User interface tools:
- PDC Emulator: Active Directory Users And Computers
- RID: Active Directory Users And Computers
- Infrastructure: Active Directory Users And Computers
- Schema: Active Directory Schema
- Domain Naming: Active Directory Domains and Trusts
Command line tools:
- NTDSUtil
- DCDiag
- netdom query fsmo
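As an added example (not part of the course materials), this PowerShell function identifies the five operations masters, as slide 23 does with the GUI tools and netdom query fsmo, and checks them against the placement guidance on slide 22 (schema and domain naming masters on a GC, RID and PDC emulator together, infrastructure master not on a GC unless every DC is a GC). It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); the function name is this example's own.

```powershell
# Added example, not course code: report the operations masters and warn when
# their placement departs from the best-practice guidance on slide 22.
Import-Module ActiveDirectory

function Test-OperationsMasterPlacement {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $roles  = [ordered]@{
        'Schema'         = $forest.SchemaMaster          # forest-wide
        'Domain naming'  = $forest.DomainNamingMaster    # forest-wide
        'RID'            = $dom.RIDMaster                # domain-wide
        'PDC emulator'   = $dom.PDCEmulator              # domain-wide
        'Infrastructure' = $dom.InfrastructureMaster     # domain-wide
    }
    $dcs   = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs   = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    $allGc = ($dcs.Count -gt 0) -and ($gcs.Count -eq $dcs.Count)

    # Schema master and domain naming master should sit on a GC
    foreach ($name in 'Schema', 'Domain naming') {
        if ($gcs -notcontains $roles[$name]) {
            Write-Warning "$name master $($roles[$name]) is not a global catalog"
        }
    }
    # RID master and PDC emulator should be co-located
    if ($roles['RID'] -ne $roles['PDC emulator']) {
        Write-Warning "RID master ($($roles['RID'])) and PDC emulator ($($roles['PDC emulator'])) are on different DCs"
    }
    # Infrastructure master must not be a GC unless every DC in the domain is one
    if (($gcs -contains $roles['Infrastructure']) -and -not $allGc) {
        Write-Warning "Infrastructure master $($roles['Infrastructure']) is a GC while other DCs are not; it will not update cross-domain group member references"
    }
    # One record per role, so the result can be piped, compared or exported
    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{ Role = $r.Key; Holder = $r.Value; IsGlobalCatalog = ($gcs -contains $r.Value) }
    }
}

Test-OperationsMasterPlacement | Format-Table -AutoSize
```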

24 Transfer Operations Master Roles
Course 6425B, Module 11: Administering AD DS Domain Controllers
Transfer roles in these scenarios:
- To distribute roles away from the forest root DC
- Prior to taking a role-holding DC offline for maintenance
- Prior to demoting a role-holding DC
Procedure:
- Ensure that the new role holder is up to date with replication from the current role holder
- Open the appropriate administrative snap-in
- Connect to the target domain controller
- Open the Operations Master dialog box and click Change
- Or use NTDSUtil to transfer the role

25 Seize Operations Master Roles
Course 6425B, Module 11: Administering AD DS Domain Controllers
Recognize operations master failures:
- Typically you notice when you attempt to perform an action for which the master is responsible, and receive an error
Respond to an operations master failure:
- Determine whether the DC can be brought online, and when
- Evaluate whether the enterprise can continue to function temporarily without the DC (see the Student Manual for specific guidance)
- Seize the role using NTDSUtil (refer to the procedure in the Student Manual)
Return a role to its original holder?
- Only for the PDC and Infrastructure tokens
- If the Schema, RID, or Domain naming role has been seized, you must decommission the failed DC offline, then re-promote it

26 Raise the Domain Functional Level
Course 6425B, Module 11: Administering AD DS Domain Controllers
- All domain controllers in the domain must be Windows Server 2008 or greater
- DCs in other domains and member server operating systems don't matter
- Active Directory Domains And Trusts: right-click the domain -> Raise Domain Functional Level

