Published by Gerald Carter. Modified over 9 years ago.
Implementing Active Directory Lesson 2

Skills Matrix

Technology Skill                                              Objective Domain                                                     Objective #
Installing a New Active Directory Forest                      Configure a forest or a domain                                       2.1
Establishing and Maintaining Trust Relationships              Configure trusts                                                     2.2
Configuring Active Directory Lightweight Directory Services   Configure Active Directory Lightweight Directory Services (AD LDS)   3.1
Configuring a Read-Only Domain Controller                     Configure the Read-Only Domain Controller (RODC)                     3.3
Installing a New Active Directory Forest

1. Click the Start menu, and select Server Manager.
2. Click Roles, and then click Add Roles under the Roles Summary section.
3. Read the Before You Begin window, and click Next.
4. On the Select Server Roles window, select Active Directory Domain Services. Click Next to continue.
5. Click Next after you read the Introduction to AD Domain Services window.
6. Click Install to begin the installation process.
7. After the AD DS binaries have installed, click Close.
8. Drill down to the Active Directory Domain Service role.
9. Follow the instructions you see on the window, and click Run the Active Directory Domain Services Wizard.
10. Place a checkmark next to Use Advanced Mode Installation. Click Next.
11. To create the first domain controller in a new Active Directory forest, select Create a new domain in a new forest and click Next.
12. You are prompted to enter the domain name of the Active Directory forest root domain. Enter this information, and click Next.
13. Enter the NetBIOS name for the domain, and click Next.
14. Select Windows Server 2003 as the forest functional level, and then click Next.
15. Select Windows Server 2003 as the domain functional level, and then click Next.
16. You can select one or more domain controller options for this domain controller. The DNS Server option is selected by default. Click Next without making any changes.
17. Click Next to continue.
18. Click Next to accept the default locations.
19. Enter a strong password, and click Next to continue.
20. Click Next to begin the installation process.
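The same forest installation, scripted, as an added example that is not part of the lesson. It uses the ADDSDeployment module that ships with Windows Server 2012 and later (the Server 2008 wizard in the lesson is dcpromo under the hood, which takes an unattend file instead). The domain name, NetBIOS name and paths are placeholders; the Directory Services Restore Mode password is read interactively so it is never stored in the script.

```powershell
# Added example (not from the lesson): unattended equivalent of the Server Manager
# and wizard steps above, via the ADDSDeployment module (Windows Server 2012+).

# Step 1: add the AD DS role binaries (Add Roles in Server Manager)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: the "strong password" step of the wizard is the DSRM password.
# Read it as a SecureString so it lands neither in the script nor in history.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Step 3: wizard answers as a splatted parameter set
$forestParams = @{
    DomainName                    = 'corp.example.test'   # placeholder forest root domain
    DomainNetbiosName             = 'CORP'                # placeholder NetBIOS name
    ForestMode                    = 'Win2003'             # forest level chosen in the wizard above
    DomainMode                    = 'Win2003'             # domain level chosen in the wizard above
    InstallDns                    = $true                 # DNS Server option, selected by default
    CreateDnsDelegation           = $false                # first forest: no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'     # the default locations accepted in the wizard
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true                 # suppress the confirmation prompt
}

Import-Module ADDSDeployment

# Dry run: validates OS, names and DNS prerequisites without promoting anything
Test-ADDSForestInstallation @forestParams

# Promote this server as the first domain controller of the new forest.
# The server reboots automatically when promotion completes.
Install-ADDSForest @forestParams
```

Test-ADDSForestInstallation takes the same parameters as Install-ADDSForest, so the splatted hashtable is reused for the prerequisite check and the real promotion, which keeps the two from drifting apart.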
Creating a Directory Partition

1. Open DNS from the Administrative Tools folder.
2. Right-click the desired DNS server, and choose Create Default Application Directory Partitions.
3. Follow the steps to finalize the procedure.
Configuring Aging and Scavenging

1. Select the DNS tool from the Administrative Tools folder.
2. Right-click the desired DNS server, and click Set Aging/Scavenging for all zones.
3. Select the Scavenge Stale Resource Records checkbox.
4. Modify any other desired properties, and click Apply to save your changes.
5. Place a checkmark next to Apply these settings to existing Active Directory–integrated zones. Click OK to continue.
6. Open DNS in the Administrative Tools folder.
7. Right-click the desired zone, and select Properties from the submenu.
8. Click the General tab, and click Aging.
9. Select the Scavenge Stale Resource Records checkbox.
10. Modify any other desired properties, and click Apply to save any changes.
Verifying the Creation of a Forward Lookup Zone

1. Open DNS from the Administrative Tools folder.
2. Under DNS, expand your server.
3. Expand the Forward Lookup Zones heading.
4. You should see the currently configured forward lookup zones: _msdcs.yourdomain.com and yourdomain.com.
Verifying Zone and Record Creation

1. Open DNS from the Administrative Tools folder.
2. Expand the desired DNS server, and expand the DNS domain you wish to view.
3. You should see the following entries: _msdcs, _sites, _tcp, _udp. In addition, you may see the following zones created for application directory partition information: DomainDNSZones, ForestDNSZones.
4. From a command prompt, key nslookup and press Enter.
5. Key ls -t SRV domain (replace the word domain with your domain name), and press Enter.
Verifying that Dynamic Updates Are Selected

1. Right-click the desired zone, and select Properties.
2. View the selected type of updates for this zone. By default, if the zone is Active Directory integrated, it will be set to Secure only.
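The DNS configuration and verification procedures above (aging and scavenging, forward zones and partitions, SRV records, dynamic update setting) in one script, as an added example that is not part of the lesson. It assumes the DnsServer module (Windows Server 2012 and later; the Server 2008 console in the lesson has no such cmdlets), is run on a DNS server that is also a domain controller, and uses 'corp.example.test' as a placeholder domain.

```powershell
# Added example (not from the lesson): DNS post-install configuration and checks
# with the DnsServer module. 'corp.example.test' is a placeholder domain name.
$zone = 'corp.example.test'

# Aging/scavenging server-wide (Set Aging/Scavenging for all zones). The 7-day
# no-refresh/refresh intervals are the console defaults; ScavengingInterval is how
# often this server sweeps the zones it is allowed to scavenge.
Set-DnsServerScavenging -ScavengingState $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 `
    -ScavengingInterval 7.00:00:00 -ApplyOnAllZones

# Aging for one zone (zone Properties > General > Aging), then read it back
Set-DnsServerZoneAging -Name $zone -Aging $true
Get-DnsServerZoneAging -Name $zone

# Forward lookup zones: expect <domain> and _msdcs.<domain>, both AD-integrated.
# DynamicUpdate should be 'Secure' for an AD-integrated zone; 'NonsecureAndSecure'
# lets any host on the network overwrite records, 'None' needs manual records.
Get-DnsServerZone |
    Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate

# Application directory partitions (DomainDnsZones / ForestDnsZones) that hold
# the AD-integrated zones
Get-DnsServerDirectoryPartition | Select-Object DirectoryPartitionName, State

# SRV records the DC locator depends on. The lesson checks these with nslookup's
# 'ls -t SRV domain'; note that 'ls' performs a zone transfer (AXFR), which an
# AD-integrated zone refuses unless transfers have been explicitly allowed, so a
# refused 'ls' is not by itself evidence that the records are missing.
# Resolve-DnsName queries each name directly and needs no transfer.
$srvNames = "_ldap._tcp.dc._msdcs.$zone", "_kerberos._tcp.dc._msdcs.$zone", "_gc._tcp.$zone"
foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# The same locator logic a domain member uses when it looks for a DC
nltest "/dsgetdc:$zone" /force
```

If Resolve-DnsName returns the SRV records but nltest fails, the problem is on the client side of the locator (site mapping, firewall) rather than in the zone data.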
Creating a Reverse Lookup Zone

1. Open DNS from the Administrative Tools folder.
2. Expand the desired server, and right-click Reverse Lookup Zone.
3. Click New Zone to begin the wizard, and then click Next to bypass the initial welcome window.
4. Select the type of zone you wish to create. If this is the first reverse lookup zone, select Primary Zone. If this zone is to be stored on a domain controller running Active Directory integrated DNS, select Store the zone in Active Directory. Click Next to continue.
5. Select the scope of replication for this zone, and click Next to continue.
6. Select the option to create an IPv4 reverse lookup zone if your network uses TCP/IP version 4 as its network protocol, or select the option to create an IPv6 reverse lookup zone if you have upgraded your networking hardware to use the new TCP/IP version 6. Click Next to continue.
7. In the Reverse Lookup Zone Name dialog box, click the Network ID option, and enter the Network ID of the reverse lookup zone. The Reverse Lookup zone name should appear in the second option field. Click Next to continue.
8. Select the level of secure updates that should be enabled for this zone, and click Next.
9. Review the summary zone creation window, and click Finish to complete the process.
10. If you haven't enabled dynamic updates, add any necessary resource records by right-clicking on the newly created zone and selecting New Pointer (New PTR).
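The reverse lookup zone procedure above, scripted, as an added example that is not part of the lesson. It assumes the DnsServer module (Windows Server 2012 and later); the subnet, IPv6 prefix and host names are placeholders. The ConvertTo-ReverseZoneName helper is written here for illustration and is not a module cmdlet; it derives the in-addr.arpa name that the wizard fills into its second field from the Network ID, for any octet-aligned IPv4 prefix.

```powershell
# Added example (not from the lesson): reverse lookup zone with the DnsServer module.

# Helper (ours, not a cmdlet): '10.20.30.0/24' -> '30.20.10.in-addr.arpa'
function ConvertTo-ReverseZoneName {
    param([Parameter(Mandatory)][string]$NetworkId)
    $address, $prefix = $NetworkId -split '/'
    $prefix = [int]$prefix
    if ($prefix -notin 8, 16, 24) {
        throw "Only /8, /16 and /24 networks map to a single in-addr.arpa zone; got /$prefix"
    }
    # Keep the network octets, reverse them, append the reverse-mapping root
    $octets = @(($address -split '\.') | Select-Object -First ($prefix / 8))
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

$networkId   = '10.20.30.0/24'                          # placeholder IPv4 subnet
$reverseZone = ConvertTo-ReverseZoneName $networkId     # 30.20.10.in-addr.arpa

# Primary zone stored in Active Directory, replicated to every DNS server in the
# domain, accepting only secure (authenticated) dynamic updates
Add-DnsServerPrimaryZone -NetworkId $networkId -ReplicationScope Domain -DynamicUpdate Secure

# IPv6 reverse zone for a placeholder ULA prefix, same storage and update settings
Add-DnsServerPrimaryZone -NetworkId 'fd12:3456:789a::/48' -ReplicationScope Domain -DynamicUpdate Secure

# Manual PTR record (the New Pointer step) for hosts that do not register themselves
Add-DnsServerResourceRecordPtr -ZoneName $reverseZone -Name '10' -PtrDomainName 'dc01.corp.example.test'

# Verify the zone settings and resolve the address back to a name
Get-DnsServerZone -Name $reverseZone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
Get-DnsServerResourceRecord -ZoneName $reverseZone -RRType Ptr
Resolve-DnsName -Name '10.20.30.10' -Type PTR
```

Add-DnsServerPrimaryZone accepts the Network ID in the same A.B.C.D/prefix (or A:B::/prefix) form as the wizard and names the zone itself; the helper is only there to make the resulting zone name available to the later commands.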
Raising the Domain Functional Level

1. Open Active Directory Domains and Trusts from the Administrative Tools folder.
2. Right-click the domain you wish to raise, and select Raise Domain Functional Level.
3. Choose the level you wish to achieve from Select An Available Domain Functional Level, and then click Raise.
4. You will be presented with the dialog box shown in Figure 2-15, which explains the irreversible nature of this procedure. Click OK to acknowledge this warning, and raise the functional level of the domain.
Raising the Forest Functional Level

1. Open Active Directory Domains and Trusts from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon in the console tree, and select Raise Forest Functional Level.
3. If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
4. A warning message explaining the irreversible nature of this procedure is displayed. Click OK to acknowledge this warning and raise the functional level of the forest.
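Raising the domain and forest functional levels with the checks worth running before an irreversible change, as an added example that is not part of the lesson. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) and an Enterprise Admins account; the target level Windows Server 2008 matches the procedure above.

```powershell
# Added example (not from the lesson): functional level pre-checks and raise.
Import-Module ActiveDirectory
$forest = Get-ADForest

"Forest $($forest.Name) is currently at $($forest.ForestMode)"

# 1. Current level of every domain in the forest. The forest raise is refused
#    (the error the lesson mentions) until all domains are at the target level.
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    '{0,-30} {1}' -f $d.DNSRoot, $d.DomainMode
}

# 2. Every DC and its operating system. A down-level DC is what actually blocks
#    the raise; since the raise cannot be undone, find such DCs before clicking OK.
foreach ($domainName in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domainName |
        Select-Object Name, Domain, OperatingSystem, IsGlobalCatalog, Site
}

# 3. Raise each domain, then the forest. Both cmdlets only move upward; asking
#    for a level below the current one returns an error rather than a downgrade.
foreach ($domainName in $forest.Domains) {
    Set-ADDomainMode -Identity $domainName -DomainMode Windows2008Domain -Confirm:$false
}
Set-ADForestMode -Identity $forest.RootDomain -ForestMode Windows2008Forest -Confirm:$false

# 4. Confirm the result
(Get-ADForest).ForestMode
```

Drop -Confirm:$false to get the same irreversibility prompt the console shows; it is left in here only so the script can run unattended once the checks in steps 1 and 2 have been reviewed.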
Adding a Second Domain Controller to the Forest Root Domain

1. Install the server operating system. You can configure the server as a member of a workgroup or as a member server within the existing domain.
2. Ensure that the new domain controller can resolve SRV records within the domain that you are joining it to.
3. Add the Active Directory Domain Services role to this server, and configure it as an additional domain controller in an existing domain.
4. Transfer single operation master roles as necessary to this server.
Removing Active Directory

1. Click the Start menu, key dcpromo, and then press Enter.
2. Click Next to bypass the initial welcome window.
3. If you see a message warning you that the domain controller is also a global catalog server, click OK to continue.
4. Click Next to continue.
5. Enter a local administrator password for the newly demoted server in the Password field, and then enter it again in the Confirm password field. Click Next to continue.
6. On the Summary window, review your choices, and click Next to begin the uninstall process.
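The two procedures above together, adding a second domain controller and moving operations master roles to it, then demoting a domain controller, as an added example that is not part of the lesson. It assumes the ADDSDeployment and ActiveDirectory modules (Windows Server 2012 and later, where these cmdlets replace dcpromo); the domain name, the DC name DC02 and the credentials are placeholders.

```powershell
# Added example (not from the lesson): promote an additional DC, transfer roles,
# demote a DC. 'corp.example.test' and 'DC02' are placeholders.
$domainName = 'corp.example.test'

# Prerequisite from the lesson: the new server must resolve the domain's SRV
# records, which means its DNS client must point at an existing DC
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction Stop | Out-Null

# Promote this server as an additional DC and DNS server in the existing domain
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$promoteParams = @{
    DomainName                    = $domainName
    Credential                    = (Get-Credential -Message 'Domain Admins account for the promotion')
    InstallDns                    = $true
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password for this DC' -AsSecureString)
    Force                         = $true
}
Test-ADDSDomainControllerInstallation @promoteParams
Install-ADDSDomainController @promoteParams

# --- after the reboot, from any DC ---
Import-Module ActiveDirectory

# Transfer the domain-wide roles to the new DC; the forest-wide roles
# (SchemaMaster, DomainNamingMaster) take the same cmdlet
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# Before demoting a DC, confirm it holds no roles and is not the only global
# catalog: the wizard only warns about the GC, it does not move roles for you
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object Name, OperationMasterRoles, IsGlobalCatalog
"Global catalogs in the domain: " + @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }).Count

# Demote (run on the DC being removed). The password becomes the local
# Administrator password of the demoted member server, as in the dcpromo steps.
$localAdminPassword = Read-Host -Prompt 'Local Administrator password for the demoted server' -AsSecureString
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPassword -Force:$true
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPassword -Force:$true
```

The role-holder and global catalog checks are the part that dcpromo leaves to the administrator: demoting a DC that still holds an operations master role leaves that role orphaned until it is seized elsewhere.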
Installing the Schema Management Snap-in

1. From a command prompt, key regsvr32 schmmgmt.dll.
2. Close the Command Prompt window, click Start, and then select Run.
3. Key mmc /a in the dialog box, and click OK.
4. Click the File menu, and select Add/Remove Snap-in.
5. Click Add to see the list of available snap-ins.
6. Double-click Active Directory Schema in the list.
7. Click Close, and click OK.
8. If you want to save this console for future use, click File and then click Save.
Creating a Trust Relationship

1. Open Active Directory Domains and Trusts from the Administrative Tools folder.
2. In the console tree on the left, right-click the domain for which you wish to establish a trust, and select Properties.
3. Click the Trusts tab, and click New Trust to begin the New Trust Wizard. Click Next to continue.
4. On the Trust Name page, key the DNS name of the domain and click Next.
5. On the Trust page, select the desired trust type.
6. On the Direction of Trust page, select the type and direction of the desired trust.
7. Choose Allow authentication for all resources in the local domain or Allow authentication only for selected resources in the local domain.
Verifying a Trust Relationship Using Active Directory

1. In Active Directory Domains and Trusts, right-click the domain for which you want to verify trusts, and select Properties.
2. On the Trusts tab, select Domains Trusted By This Domain (Outgoing) or Domains that Trust This Domain (Incoming).
3. Select the appropriate trust, and click Properties.
4. Click Validate. You will be prompted to choose to validate only one side of the trust or validate both sides of the trust simultaneously.
5. Select Yes to validate both sides of the trust. You will be prompted to supply an administrative user account and password on the target domain. Select No to manually log onto the target domain to validate the other side of the trust relationship.
Revoking a Trust Using Netdom

1. Open a command prompt and enter the following text:
   Netdom trust TrustingDomainName /d:TrustedDomainName /remove
2. Press Enter.
3. Repeat Steps 1 and 2 for the other end of the trust relationship.
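The trust lifecycle covered by the three procedures above (create, validate, revoke) from a PowerShell prompt, as an added example that is not part of the lesson. Creation and removal use netdom, which is the command-line tool the lesson names (the ActiveDirectory module can read trusts with Get-ADTrust but has no cmdlet to create them); the domain names and the remote account are placeholders, and the remote password is prompted for with /PasswordD:* rather than typed on the command line.

```powershell
# Added example (not from the lesson): external trust with netdom, inspected
# with Get-ADTrust. Domain names and the remote account are placeholders.
$local  = 'corp.example.test'      # trusting domain (the one whose resources are shared)
$remote = 'partner.example.test'   # trusted domain (whose users are granted access)

# Create a one-way trust in which $local trusts $remote, with selective
# authentication (the "only for selected resources" choice in the wizard), so
# $remote users reach only computers they are explicitly allowed to authenticate to
netdom trust $local "/Domain:$remote" /Add "/UserD:$remote\Administrator" /PasswordD:* /SelectiveAuth:Yes

# Validate from this side (the Validate button on the Trusts tab)
netdom trust $local "/Domain:$remote" /Verify

# Read the trust attributes back: direction, type, and the two settings that
# limit what the other side can assert (selective auth, SID filtering quarantine)
Import-Module ActiveDirectory
Get-ADTrust -Filter "Target -eq '$remote'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined

# Revoke: the command from the lesson, then the same in the other domain for its end
netdom trust $local "/Domain:$remote" /Remove "/UserD:$remote\Administrator" /PasswordD:*
```

Get-ADTrust is worth running after any netdom change: the console's Validate only checks that the secure channel works, while the attributes shown here are what decide which accounts and SIDs from the other domain are honored.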
Changing the Default Suffix for User Principal Names

1. Open Active Directory Domains and Trusts from the Administrative Tools folder.
2. Right-click Active Directory Domains and Trusts, and choose Properties.
3. Click the UPN Suffix tab, key the new suffix, and click Add.
4. Key more than one suffix if your forest has more than one tree, and then click OK.
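Adding a UPN suffix and assigning it to a user, as an added example that is not part of the lesson. It assumes the ActiveDirectory module and an Enterprise Admins account (the membership the summary below calls out); the suffix example.com and the user jdoe are placeholders. The closing audit goes slightly beyond the procedure: it lists users whose UPN suffix is neither a domain in the forest nor a registered alternative suffix, which is the state that makes UPN logons fail.

```powershell
# Added example (not from the lesson): UPN suffixes with the ActiveDirectory module.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Suffixes already registered beyond the forest's own domain names
$forest.UPNSuffixes

# Add an alternative suffix (the UPN Suffix tab). Requires Enterprise Admins.
Set-ADForest -Identity $forest.RootDomain -UPNSuffixes @{ Add = 'example.com' }   # placeholder suffix

# Assign it to a user. UPNs must stay unique across the forest; Set-ADUser
# fails on a duplicate rather than silently creating two identical logon names.
$user = Get-ADUser -Identity 'jdoe'                                                 # placeholder user
Set-ADUser -Identity $user -UserPrincipalName "$($user.SamAccountName)@example.com"

# Audit: any user whose suffix is unknown to the forest cannot log on with the UPN
$known = @($forest.Domains) + @((Get-ADForest).UPNSuffixes)
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and (($_.UserPrincipalName -split '@')[-1] -notin $known) } |
    Select-Object SamAccountName, UserPrincipalName
```

Get-ADForest is called again for the audit so that the suffix just added is included; the $forest object captured at the top still holds the pre-change list.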
Summary: You Learned

Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.

Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard.

Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records. Additional items, such as reverse lookups, aging, and scavenging, also should be configured.

Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS. These partitions allow replica placement within the forest structure.

System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.

Planning forest and domain functionality is dependent on the need for down-level operating system compatibility. Raising a forest or domain functional level is a procedure that cannot be reversed.

Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts. Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.

UPNs provide a mechanism to make access to resources in multiple domains user friendly. UPNs follow a naming format similar to email addresses. You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.