1
Advanced Deployment and Administration of AD DS
Presentation: 60 minutes
Lab: 45 minutes

After completing this module, students will be able to:
Explain how to deploy Active Directory Domain Services (AD DS).
Explain how to deploy and clone virtual domain controllers.
Explain how to deploy domain controllers in Windows Azure.
Explain how to administer AD DS.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_02.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some of the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations.
Practice performing the labs.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who might experience difficulties in a lab; it also will help guide your lecture to ensure that you cover the concepts that the labs cover.

Module 2: Advanced Deployment and Administration of AD DS
2
Module Overview Administering AD DS 10969A
2: Advanced Deployment and Administration of AD DS Administering AD DS This module is for students who are familiar with AD DS in older versions of the Windows operating system. To ensure that the level of your lectures is appropriate before you begin the lessons, engage in a brief discussion about the students’ experiences with AD DS deployment and virtualization options.
3
Lesson 1: Deploying AD DS
2: Advanced Deployment and Administration of AD DS Upgrading and Migrating to Windows Server 2012 R2 AD DS Present the lesson content. Let students know that planning and designing an AD DS infrastructure is not covered in this course.
4
Overview of AD DS Deployment
2: Advanced Deployment and Administration of AD DS Information required before deploying an AD DS domain controller: AD DS and DNS infrastructure: AD DS structure New domain/forest or existing domain DNS infrastructure information Windows Server installation options: Server Core installation Server with a GUI Server Core with Minimal Server Interface Change using Windows PowerShell Feature on demand to minimize installation binaries Physical, virtual, or cloud installation: Not many reasons not to go virtual Must not have single point of failure Some scenarios benefit from cloud deployment Deployment options: Local deployment Remote deployment This topic provides a lot of information for potential discussions. Try to avoid discussions about topics that are covered later in this module. In the beginning of this module, we stated that with Windows Server 2008 all binaries are installed on the server. While in most cases this is true, the .NET Framework 3.5 in Windows Server 2012 is available as a feature on demand and the binaries, when needed, can be downloaded from Windows Update or via any provided installation source.
5
Remote Deployment of AD DS
2: Advanced Deployment and Administration of AD DS When you install AD DS in Windows Server 2012 R2, you must use: The Windows PowerShell cmdlet Install-ADDSDomainController Server Manager, which provides a GUI and runs Windows PowerShell in the background Dcpromo.exe is used only for unattended installations to support legacy processes: Role must be added to install binaries, and then AD DS must be configured Active Directory Domain Services Configuration Wizard performs: Collection of data Prerequisite checks Preparation of schema and domain if required Promotion of domain controller Runs the same either locally or remotely Consider using RODC when remote locations are unsecure Consider using IFM where there is low bandwidth
6
Demonstration: Remote Deployment of Domain Controllers
In this demonstration, you will see how to deploy an AD DS domain controller remotely when you:
Add LON-SVR1 to Server Manager on LON-DC1
Add the AD DS role on a remote server
Configure AD DS remotely by using Server Manager

Emphasize that we are doing this demonstration in Server Manager, and that Server Manager uses Windows PowerShell in the background. During the lab and at the end of this lesson, students will perform these tasks by using Windows PowerShell. When you have completed this demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-SVR1 virtual machines. Sign in to all virtual machines as Adatum\Administrator with the password of Pa$$w0rd.

Demonstration Steps

Add LON-SVR1 to Server Manager on LON-DC1
On LON-DC1, in Server Manager, select the All Servers view.
On the top menu, click the Manage menu, and then select Add Servers.
In the Add Servers dialog box, maintain the default settings, and then click Find Now.
In the Active Directory list of servers, select LON-SVR1, and then click the arrow to add it to the Selected list.
Click OK.

Add the AD DS role on a remote server
On LON-DC1, in Server Manager, in the All Servers view, ensure that LON-SVR1 is added to the Servers list.
On the top menu, click the Manage menu, and then select Add Roles and Features.
In the Add Roles and Features Wizard, on the Before You Begin page, click Next.
On the Select installation type page, keep the default role-based or feature-based installation, and then click Next.
On the Select destination server page, in the Server Pool section, select LON-SVR1.Adatum.com, and then click Next.
7
On the Select server roles page, in the Roles section, check Active Directory Domain Services. The Add features that are required for Active Directory Domain Services dialog box opens.
In the Add features that are required for Active Directory Domain Services dialog box, accept the default, and then click Add Features. If required, click Next.
On the Select features page, click Next.
On the Active Directory Domain Services page, click Next.
On the Confirm installation selections page, click Install.
Wait until the Active Directory binaries are installed. Click Close.

Configure AD DS remotely by using Server Manager
On LON-DC1, when the installation of the AD DS role on LON-SVR1 is finished, in Server Manager, on the top menu, click the Notifications flag symbol.
Note the Post-deployment Configuration of LON-SVR1, and then click the Promote this server to a domain controller link.
In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, under Select the deployment operation, select Add a domain controller to an existing domain.
Ensure that the domain Adatum.com is specified.
In the Supply the credentials to perform this operation section, click Change.
In the Credentials for deployment operation dialog box, enter the following, click OK, and then click Next:
User name: Administrator
Password: Pa$$w0rd
On the Domain Controller Options page, remove the selections for the Domain Name System (DNS) server and Global Catalog (GC). Read-only domain controller (RODC) also should not be selected.
8
In the Type the Directory Services Restore Mode (DSRM) password section, enter and confirm the password Pa$$w0rd, and then click Next. On the DNS Options page, ignore the alert, and then click Next. On the Additional Options page, click Next. On the Paths page, keep the default path settings for the Database folder, Log files folder, and SYSVOL folder, and then click Next. On the Review Options page, show the generated Windows PowerShell command-line interface script by clicking View script. When done, exit Notepad.exe, and then click Next. When the Prerequisites Check is performed and finished, review the results, and then click Install. After the installation completes, click Close. Verify that the server is added to the AD DS view in Server Manager.
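The same remote promotion performed from the Windows PowerShell prompt on LON-DC1 instead of Server Manager. This is an added example, not the script that the wizard generates or part of the course files; it assumes the lab names used above (LON-SVR1, Adatum.com), that PowerShell remoting to LON-SVR1 is enabled, and that the Active Directory module is available on LON-DC1 for the final check.

```powershell
# Added example: mirrors the options chosen in the demonstration above.
$target = 'LON-SVR1'

# Prompt for secrets instead of embedding them in the script.
$domainCred = Get-Credential -Message 'Domain administrator for Adatum.com'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM password'

# Step 1: add the AD DS role (binaries only) on the remote server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName $target

# Step 2: the wizard selections expressed as parameters. Database, log, and
# SYSVOL paths are omitted so that the defaults are kept, as in the demonstration.
$promotion = @{
    DomainName                    = 'Adatum.com'
    Credential                    = $domainCred
    SafeModeAdministratorPassword = $dsrmPwd
    InstallDns                    = $false   # DNS server check box cleared
    NoGlobalCatalog               = $true    # Global Catalog check box cleared
}

Invoke-Command -ComputerName $target -ScriptBlock {
    # $using: copies the hashtable into the remote session, where it is splatted.
    $p = $using:promotion
    Import-Module ADDSDeployment

    # Prerequisite check only; nothing is changed on the server yet.
    Test-ADDSDomainControllerInstallation @p | Format-List

    # Promotion. The cmdlet repeats the prerequisite checks and stops if they
    # fail. -Force suppresses the confirmation prompt; the server restarts
    # when promotion completes, which ends the remote session.
    Install-ADDSDomainController @p -Force
}

# Step 3: after the restart, confirm that the new domain controller is listed
# and that it is neither a global catalog nor read-only.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly
```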
9
Upgrading and Migrating to Windows Server 2012 R2 AD DS
Migrations are preferred to in-place upgrades of domain controllers and are only possible with Windows Server 2008 SP2 or newer
When you promote a domain controller by using Server Manager, the forest and domain preparations are performed as part of the promotion:
These can be done separately using Adprep.exe
Adprep.exe runs on domain member servers and is only available in a 64-bit version
Test your preparation and migration in a test lab with production schema
Verify applications and plan for the first domain controller
Clean up your infrastructure and consider new features and functionality after the migration is finished
10
Lesson 2: Deploying and Cloning Virtual Domain Controllers
2: Advanced Deployment and Administration of AD DS Domain Controller Virtualization Best Practices Make sure that you fully understand domain controller virtualization risks and how they are mitigated in Windows Server 2012. This is a very interesting topic and discussions should be encouraged if time allows.
11
Virtual Domain Controller Deployment Considerations
2: Advanced Deployment and Administration of AD DS Virtualization benefits for domain controllers: Scalable Independent of hardware Quicker recovery Windows Server 2012 is cloud-ready and virtualization safe Considerations for virtualization include: Time synchronization Domain membership of the virtualization host Single point of failure Going to the cloud Explain how virtualization provides benefits to domain controllers when it is done correctly. Mention how to address the issues on this slide. Wait to address snapshots and update sequence number (USN) rollbacks because they are covered in the next topic.
12
How Snapshots Affect Domain Controllers

[Figure: USN timelines of two domain controllers. DC01 USN axis: 2200 to 2270. DC02 USN axis: 1020 to 1090.]

Use the animated slide to explain how USN rollbacks are happening when snapshots of a domain controller are taken and rolled back. We will show how this is solved in Windows Server 2012 in the next topic.

There are four frames in this animated slide that depict the lifetime of two domain controllers: DC01 and DC02.

DC01 has a USN of DC02 has a USN of They both receive changes, and they want to replicate again.

Next, DC01 has a current USN of 2220, and DC02 has a USN of DC01 requests the updates from DC02 from when DC02’s USN was 1020, which is the USN from the last replication from its high watermark table. Next, DC02 requests all USNs since The administrator creates a snapshot of both domain controllers, while DC01 and DC02 continue to get updates.

When DC01 is at USN 2260 and DC02 is at USN 1080, they replicate again. DC01 requests all changes from DC02 since USN 1040, DC02 requests all changes since USN They are synchronized again.

The administrator rolls back a snapshot on DC02. Now, DC02 is back at USN 1040 and thinks it has all updates from DC01 since USN DC01 is at USN 2260 and thinks it has all updates from DC02 since USN The next 40 changes on DC02 are not replicated to DC01. It is depicted that we now have an area in the lifetime of the two domain controllers where they have inconsistent states and will never be consistent again.

Slide captions:
DC01 (USN 2220) and DC02 (USN 1040) are synchronized; DC02 snapshot created
DC01 (USN 2260) synchronized with DC02 (USN 1080)
DC02 rolled back to snapshot
Result: DC01 thinks it has all updates from DC02 since 1080; however, DC02 is at 1040, and changes between 1040 and 1080 are not replicated to DC01
13
Domain Controller Virtualization in Windows Server 2012
To support safe virtualization of domain controllers:
The hypervisor needs to support Virtual Machine Generation Identifier, such as Hyper-V on Windows Server 2012
The virtual guest domain controller needs to be on Windows Server 2012 or newer
The guest compares the stored Virtual Machine Generation Identifier against the Virtual Machine Generation Identifier provided by the hypervisor

Safeguards are triggered when:
A snapshot is restored during guest shutdown
A snapshot is restored while the machine is running

The guest employs virtualization safeguards by:
Invalidating the local RID pool
Setting a new invocation ID for the domain controller database, effectively presenting itself as a new domain controller and verifying all objects and attributes

Ensure that students understand this process. In the next topic, we will discuss domain controller cloning, which uses similar techniques.
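The USN rollback from the previous topic and the invocation ID safeguard described above, modeled as a toy simulation that runs in any Windows PowerShell session. This is an added example, not code from the course or from AD DS: all function names are hypothetical, only the DC02 to DC01 replication direction is modeled, and the USN values 1040 and 1080 follow the slide captions.

```powershell
# Added illustration: a toy model of USN-based replication. Not AD DS code.

function New-ToyDC([string]$Name, [int]$Usn) {
    [pscustomobject]@{
        Name          = $Name
        InvocationId  = [guid]::NewGuid()   # identity of this copy of the database
        Usn           = $Usn                # highest USN assigned locally
        Changes       = @()                 # originating writes made on this DC
        Received      = @()                 # writes pulled from the partner
        HighWatermark = @{}                 # partner invocation ID -> last USN seen
    }
}

function Add-ToyChange($DC, [int]$Count, [string]$Label) {
    foreach ($i in 1..$Count) {
        $DC.Usn++
        $DC.Changes += [pscustomobject]@{
            InvocationId = $DC.InvocationId; Usn = $DC.Usn; Data = "$Label-$i"
        }
    }
}

function Sync-ToyReplica($Destination, $Source) {
    # The destination asks only for changes above the watermark that it
    # stored for the source's invocation ID.
    $id = $Source.InvocationId.ToString()
    $hw = if ($Destination.HighWatermark.ContainsKey($id)) { $Destination.HighWatermark[$id] } else { 0 }
    $new = @($Source.Changes |
        Where-Object { $_.InvocationId -eq $Source.InvocationId -and $_.Usn -gt $hw })
    $Destination.Received += $new
    $Destination.HighWatermark[$id] = $Source.Usn
    return $new.Count
}

function Save-ToySnapshot($DC) {
    # A snapshot captures the database state, including USN and invocation ID.
    [pscustomobject]@{ InvocationId = $DC.InvocationId; Usn = $DC.Usn; Changes = @($DC.Changes) }
}

function Restore-ToySnapshot($DC, $Snapshot, [switch]$GenerationIdAware) {
    $DC.Usn          = $Snapshot.Usn
    $DC.Changes      = @($Snapshot.Changes)
    $DC.InvocationId = $Snapshot.InvocationId
    if ($GenerationIdAware) {
        # Safeguard: the guest detects a changed VM Generation ID and sets a new
        # invocation ID (a real domain controller also invalidates its RID pool).
        $DC.InvocationId = [guid]::NewGuid()
    }
}

function Invoke-RollbackScenario([switch]$GenerationIdAware) {
    $dc01 = New-ToyDC -Name 'DC01' -Usn 2220   # DC01's own USN is not used in this one-way model
    $dc02 = New-ToyDC -Name 'DC02' -Usn 1000

    Add-ToyChange $dc02 40 'before-snapshot'   # DC02 reaches USN 1040
    [void](Sync-ToyReplica $dc01 $dc02)
    $snapshot = Save-ToySnapshot $dc02         # snapshot taken at USN 1040

    Add-ToyChange $dc02 40 'after-snapshot'    # DC02 reaches USN 1080
    [void](Sync-ToyReplica $dc01 $dc02)        # DC01 watermark for DC02 is now 1080

    Restore-ToySnapshot $dc02 $snapshot -GenerationIdAware:$GenerationIdAware
    Add-ToyChange $dc02 40 'after-rollback'    # USNs 1041 to 1080 are assigned again
    $pulled = Sync-ToyReplica $dc01 $dc02

    [pscustomobject]@{
        GenerationIdAware    = [bool]$GenerationIdAware
        Dc02Usn              = $dc02.Usn
        Dc01WatermarkForDc02 = $dc01.HighWatermark[$dc02.InvocationId.ToString()]
        NewChangesOnDc02     = 40
        PulledByDc01         = $pulled
        LostChanges          = 40 - $pulled
    }
}

Invoke-RollbackScenario                       # snapshot restored without safeguards
Invoke-RollbackScenario -GenerationIdAware    # snapshot restored with the safeguard
```

Without the safeguard, DC01's stored watermark already covers the reused USN range, so it requests nothing; with a new invocation ID, DC01 has no watermark for DC02 and pulls the post-rollback changes.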
14
AD DS Domain Controller Cloning
2: Advanced Deployment and Administration of AD DS Domain controllers can be cloned for: Rapid deployment Private clouds Recovery strategies To clone a source domain controller: Add the domain controller to the Cloneable Domain Controllers group Verify application and service compatibility Create a DCCloneConfig.xml file Export once and create as many clones as needed Start the clones Explain the domain controller cloning process and where it aligns with the safeguards for virtualization features of AD DS.
15
AD DS Domain Controller Cloning
[Flowchart: startup of a cloned domain controller. Labels: Start; Virtual Machine Generation Identifier exists?; Virtual Machine Generation Identifier changed?; Yes; No; DCCloneConfig exists?; Rename DCCloneConfig; Normal; Restart in DSRM; Virtualization safeguards triggered; Duplicate IP?; Clone; Succeed; Restart; Fail.]

Explain to students the process of how a newly cloned domain controller starts up, describing each of the following steps:

First, the clone verifies if a Virtual Machine Generation Identifier exists. Starting in Directory Services Restore Mode is a safeguard, and a domain administrator needs to pay close attention to fix the issue and make the domain controller work as intended. If not, the computer will either start normally when no DCCloneConfig exists, or it will rename the DCCloneConfig and restart in Directory Services Restore Mode.

Check if the Virtual Machine Generation Identifier has changed: If not, it is the original source domain controller. If a DCCloneConfig exists, it will be renamed. In any case, a normal start is performed and the domain controller is functional again. If yes, the virtualization safeguards are triggered and the process continues.

Last, check if the DCCloneConfig exists. If not, a check for a duplicate IP address decides whether to start normally or in Directory Services Restore Mode. If the DCCloneConfig file exists, the computer will get the new computer name and IP address settings out of the file. The AD DS database will be modified and initialization steps are performed so that a new domain controller is created.
16
Demonstration: Domain Controller Cloning
2: Advanced Deployment and Administration of AD DS In this demonstration, you will learn how to: Prepare a source domain controller to be cloned Export the source virtual machine Create and start the cloned domain controller Demonstrate for students how to prepare a domain controller for becoming a source domain controller for cloning, and then create a clone. Explain every step of the demonstration as instructed in the prior topics. After completing this demonstration, delete the LON-DC3 virtual machine, and then revert all virtual machines. Preparation Steps For this demonstration, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps: On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. In Hyper-V Manager, click 10969A-LON-DC1, and in the Actions pane, click Start. In the Actions pane, click Connect. Wait until the virtual machine starts. Sign in by using the following credentials: User name: Administrator Password: Pa$$w0rd Domain: Adatum Demonstration Steps Prepare the source domain controller to be cloned On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center. In Active Directory Administrative Center, double-click Adatum (local), and then in the details pane, double-click the Domain Controllers organizational unit (OU). In the details pane, select LON-DC1, and then in the Tasks panes, in the LON-DC1 section, click Add to group. In the Select Groups dialog box, in the Enter the object names to select, type Cloneable, and then click Check Names. (More notes on the next slide)
17
Ensure that the group name is expanded to Cloneable Domain Controllers, and then click OK.
On LON-DC1, in the taskbar, click the Windows PowerShell icon.
At the Windows PowerShell command prompt, type the following command, and then press Enter:

    Get-ADDCCloningExcludedApplicationList

Verify the list of critical applications. In production, we need to verify each application or use a domain controller that has fewer applications installed by default. For this demonstration, we accept the risk. Type the following command, and then press Enter:

    Get-ADDCCloningExcludedApplicationList -GenerateXml

Run the following command to create the DCCloneConfig.xml file:

    New-ADDCCloneConfigFile

Type the following command to shut down LON-DC1, and then press Enter:

    Stop-Computer

Export the source virtual machine
On the host computer, in Hyper-V Manager, in the details pane, select the 10969A-LON-DC1 virtual machine.
In the Actions pane, in the 10969A-LON-DC1 section, click Export.
In the Export Virtual Machine dialog box, select the location D:\Program Files\Microsoft Learning\10969, and then click Export. Wait until the export is finished.
In the Actions pane, in the LON-DC1 section, click Start.
18
Create and start the cloned domain controller
In the Actions pane, in the upper section that is named like the host computer, click Import Virtual Machine.
In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
On the Locate Folder page, click Browse, select the folder D:\Program Files\Microsoft Learning\10969\10969A-LON-DC1, click Select Folder, and then click Next.
On the Select Virtual Machine page, select 10969A-LON-DC1, and then click Next.
On the Choose Import Type page, select Copy the virtual machine (create a new unique ID), and then click Next.
On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in a different location check box. For each folder location, provide the following path: D:\Program Files\Microsoft Learning\10969\. Click Next.
On the Choose Folders to Store Virtual Hard Disks page, provide the path D:\Program Files\Microsoft Learning\10969\, and then click Next.
On the Completing Import Wizard page, click Finish.
In the details pane, identify and select the newly imported virtual machine named 10969A-LON-DC1, which has the State shown as Off. In the lower section of the Actions pane, click Rename.
Type 10969A-LON-DC3 as the name, and then press Enter.
In the Actions pane, in the LON-DC3 section, click Start, and then click Connect to see the virtual machine starting.
While the server is starting, note the “Domain Controller cloning is at x% completion” message.
19
Domain Controller Virtualization Best Practices
2: Advanced Deployment and Administration of AD DS Avoid single points of failure Time service Use virtualization technology with the Virtual Machine Generation Identifier feature Use Windows Server 2012 or Windows Server 2012 R2 as virtualization guests Avoid or disable snapshots Be aware of security Consider taking advantage of cloning in your deployment or recovery strategy Start a maximum number of 10 new clones at the same time Consider using virtualization technologies that allow virtual machine guests to move between sites Adjust your naming strategy to allow domain controller clones
20
Lesson 3: Deploying Domain Controllers in Windows Azure
2: Advanced Deployment and Administration of AD DS Deploying Domain Controllers in the Cloud
21
Running AD DS Domain Controllers in Windows Azure
2: Advanced Deployment and Administration of AD DS Extending AD DS to the Windows Azure Virtual Machine clouds provides new scenarios, including: Cloud-only deployments, to enable a new forest in the cloud to: Support applications in the cloud that are accessible from the intranet and Internet Run applications and AD DS isolated from the corporate directory Support extranet applications Hybrid deployments, to extend an existing domain to the cloud to: Support corporate applications in the cloud Business-to-business authentication by using AD FS out of the cloud Support high availability and disaster recovery scenarios
22
Considering Domain Controllers in the Cloud
2: Advanced Deployment and Administration of AD DS Technical considerations: Treat domain controllers in Windows Azure as virtual domain controllers Put core AD DS data on data disks, not operating system disks Optimize your deployment for traffic and costs Design your sites and services with the cloud in mind Use dynamic TCP/IP settings Consider using RODCs Design your naming resolution Deployment considerations: Move an existing virtual domain controller to Windows Azure Create a new virtual machine, and then connect and promote it to your corporate network Use Install from Media to reduce costs Servicing and maintaining domain controllers in Windows Azure: Extend your processes and plan for monitoring and updating
23
Deploying Domain Controllers in the Cloud
Verify prerequisites by:
Creating a virtual network in Windows Azure
Creating a cloud service in the virtual network
Deploying a virtual machine in the cloud service, Size L or greater, and attaching a data disk, not an operating system disk
Verifying the on-premises infrastructure
Creating subnets and sites for the cloud
Configuring the cloud-based virtual machine to use on-premises DNS
Deploying the domain controller
Installing an additional domain controller in the cloud
Validating the installation
24
Lesson 4: Administering AD DS
2: Advanced Deployment and Administration of AD DS Demonstration: Administering AD DS with Windows PowerShell
25
Overview of AD DS Management Tools
2: Advanced Deployment and Administration of AD DS You typically will perform AD DS management by using the following tools: Active Directory Administrative Center Active Directory Users and Computers Active Directory Sites and Services Active Directory Domains and Trusts Active Directory Schema snap-in Active Directory module for Windows PowerShell Explain the different Active Directory management tools and their usage and history. Do not go into great detail about the Active Directory Administration Center or the Active Directory module for Windows PowerShell. They will be covered in more detail in the following topics.
26
What Is Active Directory Administrative Center?
2: Advanced Deployment and Administration of AD DS Active Directory Administrative Center is a task-oriented tool that is based on Windows PowerShell
27
Demonstration: Using Active Directory Administrative Center to Administer and Manage AD DS

In this demonstration, you will learn how to:
Navigate within Active Directory Administrative Center
Perform an administrative task within Active Directory Administrative Center
Create objects
View all object attributes
Use the Windows PowerShell History Viewer in Active Directory Administrative Center

When you have completed this demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps
For this demonstration you will need the 10969A-LON-DC1 virtual machine. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps

Navigate within Active Directory Administrative Center
On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
Click Adatum (local), click Dynamic Access Control, and then click Global Search.
In the navigation pane, click the Tree View tab.
Double-click Adatum (local) to expand the Adatum.com domain.

Perform an administrative task within Active Directory Administrative Center
In Active Directory Administrative Center, click Overview.
In the Reset Password box, in the User name field, type Adatum\Adam.
In the Password and Confirm password fields, type Pa$$w0rd.
Clear the check box for User must change password at next log on, and then click Apply.
In the Global Search box, type Rex in the Search field, and then press Enter.

Create objects
In Active Directory Administrative Center, in the details pane, double-click Adatum (local), and then double-click the Computers container.
In the Tasks pane, in the Computers section, click New, and then select Computer.
28
In the Create Computer: dialog box, enter the following information, and then click OK: Computer name: LON-CL4 Computer (NetBIOS) name: LON-CL4 View all object attributes In Active Directory Administrative Center, double-click Adatum (local), and then in the details pane, double-click Computers. Select LON-CL4. In the Tasks pane, in the LON-CL4 section, click Properties. In the LON-CL4 dialog window, scroll down to the Extensions section. Click the Attribute Editor tab, and then note that all attributes of the computer object are available here. Close LON-CL4 properties by clicking Cancel. Use the Windows PowerShell History Viewer In Active Directory Administrative Center, click the Windows PowerShell History toolbar at the bottom of the screen. View the details for the New-ADComputer cmdlet that was used to perform the most recent task. On LON-DC1, close all open windows.
29
What is the Active Directory Module for Windows PowerShell?
The Active Directory module is the foundation of management for AD DS:
GUIs such as Server Manager and Active Directory Administrative Center rely on Windows PowerShell
Requires ADWS
Provides 147 cmdlets for management and 10 cmdlets for deployment in Windows Server 2012 R2

Exploring cmdlets for AD DS:

    Get-Command -Module ActiveDirectory
    Get-Command -Module ADDSDeployment
    Get-Help New-ADUser
    Get-Help New-ADUser -Examples

Introduce the Active Directory module. Explain the functionality contained in the module and its capabilities for AD DS management. Point out the new sets of cmdlets for site replication, central access, and claims management.
30
Using Windows PowerShell ISE for AD DS Administration
Windows PowerShell ISE helps you run commands and write, edit, run, test, and debug scripts in an environment that displays syntax coloring and supports Unicode
31
Demonstration: Administering AD DS with Windows PowerShell
In this demonstration, you will see how to administer AD DS by using Windows PowerShell to:
Search for all users in the Marketing department
Change the user properties of all users with a last name beginning with L through Z to the Marketing2 department
Query OUs not protected from accidental deletion
Mark all OUs to protect from accidental deletion

Revert all virtual machines after completing this demonstration.

Preparation Steps
For this demonstration you will need the 10969A-LON-DC1 virtual machine. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
On LON-DC1, open Server Manager, click Tools, and then click Active Directory module for Windows PowerShell.
At the Windows PowerShell command prompt, type the following, and then press Enter:

    Get-ADUser -Filter {Department -eq 'Marketing'} -Properties Department | ft Name,Department

Verify in the output of the command that all users belong to the Marketing department.

    Get-ADUser -LDAPFilter "(&(objectClass=User)(department=Marketing))" -Properties sn | where {$_.sn -ge 'L'} | Set-ADUser -Department 'Marketing2'

In Server Manager, click Tools, and then click Active Directory Administrative Center.
In Active Directory Administrative Center, double-click Adatum (local), and then in the details pane, scroll down and double-click Marketing.
Confirm that user accounts with a last name beginning with L through Z have the department Marketing2 in their properties.

    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}

Verify in the output of the command that the Domain Controller’s default OU is not protected from accidental deletion.
32
At the Windows PowerShell command prompt, type the following, and then press Enter:

    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}

Verify that the Domain Controller’s OU is no longer listed and that the results are empty because the Domain Controller OU is now protected from accidental deletion.
33
Lab: Deploying and Administering AD DS
Exercise 1: Deploying AD DS
As a part of the business expansion, A. Datum wants to deploy new domain controllers in remote sites with minimal engagement of remote IT staff. You will use Windows PowerShell to deploy new domain controllers.

Exercise 2: Deploying Domain Controllers by Performing Domain Controller Cloning
An IT team at A. Datum wants to deploy new virtual domain controllers rapidly when needed. It is considering the domain controller clones in Windows Server 2012. You must perform a domain controller cloning procedure to verify if it is a valid option to speed up the deployment of domain controllers.

Exercise 3: Administering AD DS
The A. Datum IT team is evaluating available tools in Windows Server 2012 for AD DS administration. You should evaluate the usage of Active Directory Administrative Center and Windows PowerShell for AD DS administration and management.

Logon Information:
Virtual machines: A-LON-DC1 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 45 minutes
34
10969A Lab Scenario 2: Advanced Deployment and Administration of AD DS You are an IT administrator at A. Datum Corporation. The company is expanding its business with several new locations. The AD DS administration team currently is evaluating the methods available in Windows Server 2012 for rapid and remote domain controller deployment. Also, the team is looking for a way to automate certain AD DS administrative tasks. The team wants fast and seamless deployment of new domain controllers for new locations, and it also wants to promote servers to domain controllers from a central location.
35
Lab Review

Question: In the lab, you used Active Directory Administrative Center and the Active Directory module for Windows PowerShell. Which tool would you prefer to use for each task?
Answer: Active Directory Administrative Center is better for individual tasks when you prefer to use the GUI. Windows PowerShell is better when performing the task multiple times, or if you prefer to do more complex operations. Also, automating tasks by using a script enables you to test it beforehand to avoid errors in production.

Question: In which scenarios can domain controller cloning be useful?
Answer: Cloning can be useful in any scenario where you want to deploy multiple domain controllers quickly, such as in private cloud scenarios where you need to scale out, or in scenarios where you want to deploy multiple servers quickly in a remote location, or as part of a recovery plan.
36
Module Review and Takeaways
Best Practice

Review Questions

Question: What is the benefit of deploying domain controllers remotely?
Answer: If you want to use the Server Core installation version of the operating system, which is streamlined to operate server loads, you can still use the tools that you are used to, without typing a lengthy command at the command prompt. Also, for RODCs, we do not recommend signing in locally or via remote desktop with elevated credentials. Promoting them remotely minimizes those risks. Lastly, you can automate the deployment of multiple servers remotely by using Windows PowerShell.

Question: Why have virtual domain controllers been a risk in previous versions of the operating system, and how has this changed in Windows Server 2012?
Answer: It is important that virtual domain controllers have the correct time. You must not have a single point of failure across all your domain controllers, and you must not use snapshots on the virtualization guests in previous versions of the operating system because this will cause your AD DS infrastructure to be in an inconsistent state. With Windows Server 2012 and a supported hypervisor, virtualization safeguards are implemented to prevent this from happening.

Question: How can you find out which cmdlets are available for AD DS administration and deployment in the Active Directory module for Windows PowerShell?
Answer: You can use the following to get a list of AD DS cmdlets:

    Get-Command -Module ActiveDirectory
    Get-Command -Module ADDSDeployment

Then you can use Get-Help for more information about a specific cmdlet.
37
Tools Tool Use for Where to find it Active Directory Users and Computers Managing objects within AD DS such as users, groups, and computers. Server Manager Active Directory Administrative Center Windows PowerShell cmdlets Automating the management of the AD DS infrastructure as well as its objects. Available for Active Directory, AD DS Deployment, and Group Policy