1 installing and configuring active directory preparing for active directory installation ...

1

Installing and Configuring Active Directory

Preparing for Active Directory Installation

Installing and Removing Active Directory

Verifying Active Directory Installation Troubleshooting Active Directory

Installation and Removal

2

Preparing for Active Directory Installation

Active Directory Installation Prerequisites:– The Domain Structure– The Domain Name– The storage location of the database and log

files– The location of the shared system volume

folder– The DNS configuration method– The DNS configuration

3

Determining the Domain Structure

You must assess your:– Company’s physical environment– Determine the forest root domain– Determine the number of domains– Organize domains in a hierarchy

4

Assessing the Physical Environment

The physical environment of your organization’s network includes:– The current location of points on the network– The current number of users at each location– The current network type used at each location– The current location, link speed, and percentage of

available bandwidth of remote network links– The current TCP/IP subnets at each location– The current location of domain controllers– The current list of servers at each location and the

services that run on each– The current location of firewalls in the network

5

Physical Environment Example

6

Physical Environment

In addition to your assessment of the organization’s physical environment, you should also consider other infrastructures currently employed– DNS– Exchange Server

Integrating DNS Structures– Issues when using BIND

7

Determining the Forest Root Domain

Is the first domain you create in an Active Directory Forest

Must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming and policy decisions

Start with a dedicated forest root domain– Set up exclusively to administer the

forest infrastructure

8

Determining the Forest Root Domain

Dedicated root domain is recommended:– Enables you to control the number of

administrators– Easily replicate the forest root across the

enterprise– Never becomes obsolete– Easily transfer the ownership

9

Determining the Number of Domains

You should begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs

You should not create separate domains to reflect your company’s organization of divisions and departments– Use Organizational Units is recommended here

Remember that a single Windows Server 2003 domain can contain/maintain up to a million objects (Tested)– Had restrictions in NT 4.0

10

Reasons to Create More Than One Domain

Decentralized network administration Replication control Different password requirements

between organizations Massive number of objects Different Internet domain names International requirements Internal political requirements

11

Defining a Domain Hierarchy

If you require more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization

As domains are placed in a hierarchy, the two-way transitive trust relationship (default) allows the domains to share resources

Recap the differences between the logical domain Tree and Forest components.

12

Planning a Domain Namespace

Domains are named using DNS name resolution techniques. Plan the DNS namespace before using DNS on the network.

Decisions must be made about how DNS is to be used and what goals will be accomplished using DNS.– Has a DNS domain name been previously chosen

and registered for the Internet?– Will the company’s internal Active Directory

namespace be the same or different from its external Internet namespace?

– What naming requirements and guidelines must be followed when choosing DNS domain names?

13

Choosing a DNS Domain Name

First choose and register a unique parent DNS name that can be used for hosting the organization on the Internet.

Before deciding on a parent DNS name for the organization, perform a search to see if the name is already registered to another entity.

The Internet DNS namespace is currently managed by Network Solutions Inc., though other domain name registrars are also available.

Combine the parent DNS name with a location or organizational name used within your organization to form other sub-domain names.

14

Determining the Domain Name Use only the Internet standard characters. The

character set names may be up to 40 characters taken from the printable characters of US-ASCII. However, no distinction is made between use of upper and lower case letters.

Differentiate between internal and external name spaces, if any.

Base the internal DNS name on the Internet DNS name

15

Determining the Domain Name

Never use the same domain name twice Use only registered domain names Use names that will remain static Use short, distinct, meaningful names

16

Database and Shared System Volume

Installing Active Directory creates the database and database log files, as well as the shared system volume.

Replication of the shared system volume occurs on the same schedule as replication of the Active Directory.

File replication to or from the newly created system volume may not be noticed until two replication periods have elapsed, typically 10 minutes in duration.

The first file replication period updates the configuration of other system volumes so that they are aware of the newly created system volume.

17

Database and Database Log Files

The database is the directory for the new domain.

Default location is %systemroot%\NTDS. If able place the database and its log file on

separate hard disks. Database name is NTDS.DIT

– Contains the schema, global catalog and objects stored on a domain controller

18

Shared System Volume A folder structure that exists on all Windows

2003 domain controllers. Stores scripts and some of the group policy

objects for both the current domain and the enterprise.

Default location is %systemroot%\SYSVOL. Must be located on a partition or volume

formatted with NTFS 5.0. Replication occurs on the same schedule as

Active Directory

19

Determining the DNS Configuration Method

You can configure you Windows Server 2003 DNS server manually or you can allow it to be configured automatically during the installation of Active Directory

You must have a DNS Server installed if you are using Active Directory as DNS is the locator service for Active Directory.

Does not need to be a Windows Server 2003 DNS server– Can be a BIND Server

20

Determining the DNS Configuration

If you manually install DNS, you must make sure that the configuration meets the DNS requirements for joining an Active Directory Domain

Computers joining an Active Directory domain must satisfy the following DNS requirements:– Must be configured with a static IP address and the

IP address of the DNS server– Service Records must exist on the DNS server

How to configure a static IP address and DNS server IP address on the computer

21

Configuring the Required DNS Resource Records

The following Service Location Records must exist on the DNS server:– _ldap._tcp.dc_msdcs.DNSDomainName

• This record identifies the names of the domain controllers that serve the Active Directory domains

– A corresponding (A) resource record that identifies the IP address for the domain controllers listed in the SRV record

To verify the appropriate records exist:– Nslookup– Need a reverse lookup zone to use Nslookup utility

22

Installing and Removing Active Directory

There are four ways to install Active Directory:– DCPromo.exe– Using an answer file to perform an unattended

installation– Using the network or backup media (to install

Active Directory on additional domain controllers in the network using media)

– Using the Configure Your Server Wizard

23

Installing Active Directory using DCPromo.exe

Wizard Can Perform the Following Tasks:– Add a domain controller to an existing domain– Create the first domain controller of a new domain– Create a new child domain– Create a new domain tree– Install a DNS server– Create the database and database log files– Create the shared system volume– Remove Active Directory services from a domain

controller

24

Installing Active Directory using an Answer File

You can create an answer file to run the Active Directory Installation Wizard without having to respond to the screen prompts

Dcpromo /answer:(answerfile)

25

Installing Active Directory Using the Network or Backup Media

In Windows 2000, promoting a member server to become an additional domain controller required replicating the entire directory database

Servers running Windows Server 2003 can be promoted using a restored backup taken from a Windows Server 2003 domain controller

This backup can be stored on any backup media Reduces the amount of replication required to copy the

directory database– Saves on bandwidth

Enables you to configure a new DC quicker Dcpromo /adv

26

Using the Configure Your Server Wizard

27

Removing Active Directory from a Domain Controller

Run Dcpromo To remove AD, you must have the appropriate

credentials:– Must have Enterprise admins, to remove the LAST DC in a

tree-root or domain– To remove AD from a DC that is the last in the forest, you

must log on to the domain as Administrator or as a member of the Domain Admins global group

– To remove AD from a domain controller that is not the last DC in the domain, you must be logged on as a member of either the Domain Admins global group or the Enterprise Admins group

28

Verifying Active Directory Installation

You must verify that Active Directory has been correctly installed

You can do this by verifying the following:– Domain Configuration– DNS configuration– DNS Integration With Active Directory– Installation of the shared system volume– Operation of the Directory Services Restore

Mode boot option

29

Troubleshooting Active Directory Installation and Removal

Troubleshooting Active Directory Installation– You cannot reach the server from which you are

installing, perhaps because the DNS name is not registered yet

– The name of the domain you are authenticating against is incorrect or not available yet

– The user name and password you supplied are incorrect

– The DNS server settings are not configured correctly– You are unable to remove data in Active Directory

after an unsuccessful removal of Active Directory

30


Tools available to help diagnose and resolve problems– Directory Service Log– NetDiag.exe – Network connectivity tester– DcDiag.exe – Domain controller diagnostic

tool– Dcpromoui.log, Dcpromos.log and

Dcpromo.log files– Ntdsutil – Active Directory diagnostic tool

31


Troubleshooting with the Directory Service log in Event Viewer

32


Troubleshooting with netdiag.exe Included with the support tools on the

installation CD Netdiag.exe diagnoses network problems

by checking all aspects of a host computer’s network configuration and connection

Netdiag has the following syntax

33


34


Run Netdiag whenever a computer is having network problems

The utility tries to diagnose the problem and can even flag problem areas for closer inspection

Can fix simple DNS problems with the optional /fix switch

How to install the Windows Server 2003 support tools To use Netdiag

– Netdiag /debug

35


Troubleshooting with Dcdiag.exe– Is a command line diagnostic tool included in the support tools– Analyzes the stat of domain controllers in a forest or enterprise

and reports any problems– Runs a series of tests to verify different functional areas of

Active Directory– You can specify which domain controllers are tested– Read only tool that does not affect the state of the enterprise

and performs an automatic analysis of the domain controller with little user intervention

– Dcdiag tool verifies• DNS names for the server are registered• The server can be reached by IP address, LDAP and RPC

36


Dcdiag.exe syntax

37


38


Example of Dcdiag.exe– Dcdiag /s:domain_controller_name

/test:connectivity

39


Troubleshooting with the Dcpromo Log files

Following logs are created when you install Active Directory– Dcpromoui.log– Dcpromos.log– Dcpromo.log

40


Dcpromoui.log– Contains detailed progress report of the Active Directory

installation from a graphical interface perspective– Following information about the installation or removal is

logged• The name of the source domain controller for replication• The directory partitions that were replicated to the target

server• The number of items that were replicated in each directory

partition• The services configured on the target domain controller• The access control entries set on the registry and files• The sysvol directories• Applicable error messages• Applicable selections that were entered by the

Administrator during the installation

41


Dcpromos.log– Similar to the Dcpromoui.log file– Is created by the user interface during the

graphical user interface mode setup when a 3.x or 4.0 domain controller is promoted to a Windows 2003 domain controller

42


Dcpromo.log– Records settings used for promotion or

demotion, such as the site name, the path for Active Directory Database and log files, time synchronization and information about the computer account

– Captures the creation of the Active Directory database, Sysvol trees and the installation, modification and removal of services

– Log is located in %systemroot%\debug

43


Troubleshooting with Ntdsutil.exe– Command line tool that provides

management facilities for Active Directory– By default is installed in the %systemroot%\system32 directory

1 installing and configuring active directory preparing for active directory installation ...

Documents

domain hierarchy

domain structure

dedicated forest root

network slide

hierarchy slide

active directory forest

number of domains

current location of