8/14/2019 6425A_01 Install Active Directory Domain Services for DC Read-Only DC
Module 1: Implementing Active Directory Domain Services
Module Overview
Installing Active Directory Domain Services
Deploying Read-Only Domain Controllers
Configuring AD DS Domain Controller Roles
Note: every domain needs at least one domain controller to hold its copy of the Active Directory database.
Lesson 1: Installing Active Directory Domain Services
Requirements for Installing AD DS
What Are Domain and Forest Functional Levels?
AD DS Installation Process
Advanced Options for Installing AD DS
Installing AD DS from Media
Demonstration: Verifying the AD DS Installation
Upgrading to Windows Server 2008 AD DS
Installing AD DS on a Server Core Computer
Discussion: Common Configuration for AD DS
Requirements for Installing AD DS
Administrator permissions:
  Local Administrator permissions to install the first domain controller in a forest
  Domain Administrator permissions to install additional domain controllers in a domain
  Enterprise Administrator permissions to install additional domains in a forest
Network configuration:
  TCP/IP must be configured, including DNS client settings
  A DNS server that supports dynamic updates must be available, or DNS will be configured on the domain controller
Server requirements to install AD DS:
  A computer running Windows Server 2008 (Web Server edition not supported)
  Minimum disk space of 250 MB and a partition formatted with the NTFS file system
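A pre-flight check of these prerequisites, added here as an example (it is not part of the course material). It uses only WMI and .NET, so it runs in the PowerShell 2.0 that ships with Windows Server 2008. The data drive, the DNS server address and the domain name are assumptions.

```powershell
# Added example: check a candidate server against the AD DS prerequisites
# before running dcpromo. PowerShell 2.0 / Windows Server 2008 compatible.
param(
    [string]$DataDrive  = $env:SystemDrive,  # partition that will hold NTDS and SYSVOL
    [string]$DnsServer  = '10.0.0.10',       # assumed: DNS server the new DC will register with
    [string]$DomainName = 'contoso.com'      # assumed: domain being created or joined
)

function Test-AdDsPrerequisites {
    $failures = @()

    # Server requirements: Windows Server 2008 (version 6.0), a server product
    # type (ProductType 1 is a workstation), and not the Web Server edition.
    $os = Get-WmiObject Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'6.0' -or $os.ProductType -eq 1) {
        $failures += "OS is '$($os.Caption)' ($($os.Version)); Windows Server 2008 is required"
    }
    if ($os.Caption -match 'Web Server') {
        $failures += 'Web Server edition cannot host AD DS'
    }

    # Disk: NTFS and at least 250 MB free on the partition for the database,
    # log files and SYSVOL (FAT volumes cannot carry the ACLs SYSVOL needs).
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DataDrive'"
    if ($disk.FileSystem -ne 'NTFS') {
        $failures += "$DataDrive is $($disk.FileSystem); AD DS requires NTFS"
    }
    if ([int64]$disk.FreeSpace -lt 250MB) {
        $failures += "$DataDrive has $([int]([int64]$disk.FreeSpace / 1MB)) MB free; 250 MB minimum"
    }

    # Network configuration: a static TCP/IP address and DNS client settings.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    if (-not ($nics | Where-Object { $_.DNSServerSearchOrder })) {
        $failures += 'No adapter has a DNS server configured'
    }
    foreach ($nic in ($nics | Where-Object { $_.DHCPEnabled })) {
        $failures += "Adapter '$($nic.Description)' uses DHCP; a domain controller needs a static address"
    }

    # DNS server reachable and authoritative for the domain. Whether it accepts
    # dynamic updates is tested by the wizard's own DNS diagnostics, and dcpromo
    # can install DNS locally if it does not.
    $soa = nslookup -type=SOA $DomainName $DnsServer 2>&1 | Out-String
    if ($soa -notmatch 'primary name server') {
        $failures += "$DnsServer returned no SOA for $DomainName (expected for a new forest; for an additional DC fix DNS first)"
    }

    # Administrator permissions: the first DC in a forest needs local Administrator
    # only; additional DCs need Domain Admins; a new domain needs Enterprise Admins.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { $failures += 'Not running as a member of the local Administrators group' }

    return $failures
}

$problems = @(Test-AdDsPrerequisites)
if ($problems.Count -eq 0) { 'Server meets the AD DS installation prerequisites' }
else { $problems | ForEach-Object { "FAIL: $_" } }
```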
What Are Domain and Forest Functional Levels?
Functional levels:
  Determine the AD DS features available in a domain or forest
  Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest

Supported functional levels and the domain controller operating systems each one allows:

Domain functional level    Supported domain controller operating systems
Windows 2000 native        Windows 2000 Server, Windows Server 2003, Windows Server 2008
Windows Server 2003        Windows Server 2003, Windows Server 2008
Windows Server 2008        Windows Server 2008

Forest functional level    Supported domain controller operating systems
Windows 2000               Windows 2000 Server, Windows Server 2003, Windows Server 2008
Windows Server 2003        Windows Server 2003, Windows Server 2008
Windows Server 2008        Windows Server 2008
AD DS Installation Process
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL (System Volume) folder
6. Configure the Directory Services Restore Mode Administrator password
Advanced Options for Installing AD DS
Use the advanced mode options to:
  Create a new domain tree with a different domain name
  Use backup media as the source for AD DS information
  Select the source domain controller for the installation
  Modify the default domain NetBIOS name
  Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the Installation Wizard or run dcpromo /adv
Installing AD DS from Media
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of installation media:
  Full (or writable) domain controller
  Full (or writable) domain controller with SYSVOL data
  Read-only domain controller
  Read-only domain controller with SYSVOL data
Notes: media that includes SYSVOL data also carries the Group Policy objects and logon scripts. Read-only domain controller media is created with the secrets (password hashes) removed, so it cannot be used to recover passwords.
Demonstration: Verifying the AD DS Installation
In this demonstration, you will see how to verify the AD DS installation
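The checks a practitioner runs after the new domain controller reboots, as an added example that is not part of the course. The domain name is an assumption; everything else is discovered on the server itself.

```powershell
# Added example: post-promotion verification of a new domain controller.
$domainName = 'contoso.com'        # assumed
$dcName     = $env:COMPUTERNAME

function Test-DcInstallation {
    $checks = @{}

    # 1. Core services: directory, KDC, Netlogon (registers the SRV records), DNS, time.
    foreach ($svc in 'NTDS', 'KDC', 'Netlogon', 'DNS', 'W32Time') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $checks["service $svc running"] = ($s -ne $null -and $s.Status -eq 'Running')
    }

    # 2. SRV records: clients locate a KDC and an LDAP server through these. Missing
    #    records mean the DC exists but nobody can log on against it.
    foreach ($rec in "_ldap._tcp.dc._msdcs.$domainName", "_kerberos._tcp.dc._msdcs.$domainName") {
        $out = nslookup -type=SRV $rec 2>&1 | Out-String
        $checks["SRV $rec names this DC"] = ($out -match "svr hostname\s*=\s*$dcName\.")
    }

    # 3. SYSVOL and NETLOGON shares: without them Group Policy and logon scripts fail.
    $shares = net share 2>&1 | Out-String
    $checks['SYSVOL shared']   = ($shares -match '(?m)^SYSVOL\s')
    $checks['NETLOGON shared'] = ($shares -match '(?m)^NETLOGON\s')

    # 4. dcdiag runs the built-in health tests; /q prints only failures, so empty
    #    output means every test passed.
    $dcdiag = dcdiag /s:$dcName /q 2>&1 | Out-String
    $checks['dcdiag clean'] = ($dcdiag.Trim().Length -eq 0)

    # 5. Replication: no failed attempts from any partner (the first DC in a new
    #    forest simply has no partners yet).
    $repl = repadmin /showrepl $dcName 2>&1 | Out-String
    $checks['replication has no failed attempts'] = ($repl -notmatch 'Last attempt .* failed')

    return $checks
}

$result = Test-DcInstallation
$result.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-55} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```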
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation, run the following before installing:

Command                     Current version                            Required by
adprep /forestprep          Windows 2000 Server, Windows Server 2003   Windows Server 2008 domain controllers; must be run before the other adprep commands
adprep /domainprep /gpprep  Windows 2000 Server                        Windows Server 2008 domain controllers
adprep /domainprep          Windows Server 2003                        Windows Server 2008 domain controllers
adprep /rodcprep            Windows Server 2003                        Windows Server 2008 RODCs
Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file
Use the following syntax with the dcpromo command: dcpromo /answer[:filename]
where filename is the name of your answer file
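An unattended promotion of the first domain controller in a new forest, the form used on Server Core where no Installation Wizard exists, as an added example that is not part of the course. The answer file walks the six installation steps listed earlier in this lesson. Domain names, paths and the DSRM password prompt are assumptions; dcpromo /unattend is the Windows Server 2008 equivalent of the /answer switch on the slide.

```powershell
# Added example: unattended first-DC promotion driven by a [DCInstall] answer file.
$forestDns   = 'contoso.com'   # assumed
$netbiosName = 'CONTOSO'       # assumed
$answerFile  = Join-Path $env:TEMP 'dcpromo-newforest.txt'

# Step 6: the Directory Services Restore Mode password is a local credential that
# lets whoever holds it boot the DC offline and read ntds.dit, so it is prompted
# for rather than typed into the script.
$secure = Read-Host -Prompt 'DSRM administrator password' -AsSecureString
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Steps 3 and 4: deployment configuration (new forest) and additional features
# (DNS server, global catalog). ForestLevel/DomainLevel: 0 = Windows 2000,
# 2 = Windows Server 2003, 3 = Windows Server 2008. Step 5: database, log and
# SYSVOL paths, which must be on NTFS.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$forestDns
DomainNetbiosName=$netbiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Steps 1 and 2: on Server Core dcpromo installs the AD DS binaries itself and
    # runs the promotion from the file instead of the wizard.
    & dcpromo.exe /unattend:$answerFile
}
finally {
    # The file held the DSRM password in clear text: remove it whatever happened.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}
'Review the dcpromo output above, then restart to complete the promotion: shutdown /r /t 0'
```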
Discussion: Common Configuration for AD DS
What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?
How would these tasks change after you have deployed additional domain controllers in your domain?
Which of the recommendations listed in the Server Manager apply to your organization?
Lesson 2: Deploying Read-Only Domain Controllers
What Is a Read-Only Domain Controller?
Read-Only Domain Controller Features
Preparing to Install the RODC
Installing the RODC
Delegating the RODC Installation
What Are Password Replication Policies?
Demonstration: Configuring Administrator Role Separationand Password Replication Policies
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication
RODCs:
  Cannot hold operations master roles or be configured as replication bridgehead servers
  Can be deployed on servers running Windows Server 2008 Server Core for additional security
RODCs provide:
  Additional security for branch offices with limited physical security
  Additional security if applications must run on a domain controller
Read-Only Domain Controller Features
RODCs provide:
Unidirectional replication
Credential caching
Administrative role separation
Read-only DNS
RODC filtered attribute set
Preparing to Install the RODC
Before installing an RODC:
  Ensure that the domain and forest functional levels are at least Windows Server 2003
  Ensure that a writable domain controller running Windows Server 2008 is available to replicate the domain partition
  Run adprep /rodcprep so that the RODC can replicate the DNS application directory partitions
  Run adprep /domainprep in all domains if the RODC will be a global catalog server
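A readiness check that covers this slide together with the functional-level and adprep slides in Lesson 1 (and Exercise 1 of the lab): it reads the forest and domain functional levels, lists the existing domain controllers with their operating systems, and inspects the markers each adprep command writes. This is an added example, not course material; the expected marker values are the ones Microsoft documents for the Windows Server 2008 adprep, and the domain is discovered from RootDSE, so nothing else is assumed.

```powershell
# Added example: forest and domain readiness for a Windows Server 2008 DC or RODC.
$rootDse  = [adsi]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$schemaNc = $rootDse.Get('schemaNamingContext')
$domainNc = $rootDse.Get('defaultNamingContext')

function Get-AdReadiness {
    $r = @{}
    $levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

    # Functional levels are published on RootDSE (0 = 2000, 2 = 2003, 3 = 2008).
    $forestLevel = [int]$rootDse.Get('forestFunctionality')
    $domainLevel = [int]$rootDse.Get('domainFunctionality')
    $r['Forest functional level'] = $levelNames[$forestLevel]
    $r['Domain functional level'] = $levelNames[$domainLevel]
    $r['RODC: forest and domain at 2003 or higher'] = ($forestLevel -ge 2 -and $domainLevel -ge 2)

    # adprep markers: each command writes a version number that only goes up.
    # Windows Server 2008 values: schema objectVersion 44, ForestUpdates revision 2,
    # DomainUpdates revision 3, RodcUpdate revision 2.
    $markers = @(
        @{ Name = 'adprep /forestprep (schema objectVersion 44)';  Path = "LDAP://$schemaNc";                                                     Attr = 'objectVersion'; Need = 44 },
        @{ Name = 'adprep /forestprep (ForestUpdates revision 2)'; Path = "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc";            Attr = 'revision';      Need = 2 },
        @{ Name = 'adprep /domainprep (DomainUpdates revision 3)'; Path = "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"; Attr = 'revision';      Need = 3 },
        @{ Name = 'adprep /rodcprep (RodcUpdate revision 2)';      Path = "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc";        Attr = 'revision';      Need = 2 }
    )
    foreach ($m in $markers) {
        $have = -1
        try { $have = [int]([adsi]$m.Path).Get($m.Attr) } catch { }   # missing object = never run
        $r[$m.Name] = ($have -ge $m.Need)
    }

    # Existing DCs: userAccountControl bit 8192 marks a writable DC, bit 67108864
    # (0x4000000) an RODC. An RODC needs a writable Windows Server 2008 DC to replicate from.
    $s = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainNc")
    $s.Filter = '(&(objectCategory=computer)(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(userAccountControl:1.2.840.113556.1.4.803:=67108864)))'
    [void]$s.PropertiesToLoad.AddRange([string[]]('dNSHostName', 'operatingSystem', 'userAccountControl'))
    $writable2008 = @()
    foreach ($res in $s.FindAll()) {
        $p    = $res.Properties
        $uac  = [int]$p['useraccountcontrol'][0]
        $os   = [string]$p['operatingsystem'][0]
        $host = [string]$p['dnshostname'][0]
        $r["DC $host"] = "$os $(if ($uac -band 0x4000000) { '(RODC)' } else { '(writable)' })"
        if (($uac -band 8192) -and $os -match 'Windows Server 2008') { $writable2008 += $host }
    }
    $r['RODC: writable Windows Server 2008 DC available'] = ($writable2008.Count -gt 0)

    # adprep must run on the right DC: forestprep on the schema master, domainprep
    # on each domain's infrastructure master. fSMORoleOwner holds the NTDS Settings DN.
    $r['Schema master (run forestprep here)']         = ([adsi]"LDAP://$schemaNc").Get('fSMORoleOwner')
    $r['Infrastructure master (run domainprep here)'] = ([adsi]"LDAP://CN=Infrastructure,$domainNc").Get('fSMORoleOwner')
    return $r
}

$report = Get-AdReadiness
$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```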
Installing the RODC
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value
Delegating the RODC Installation
To delegate permission to install an RODC:
  Pre-create the RODC computer account in the Domain Controllers container
  Assign a user or group the permission to install the RODC
To complete a delegated RODC installation, run dcpromo with the /UseExistingAccount:Attach switch (no Domain Admin rights are needed on the branch server, because the account has already been created)
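The two-stage delegated installation described above, as an added example that is not part of the course. Stage 1 runs once on a writable DC as a Domain Admin; stage 2 runs on the branch server (still a workgroup member, not domain-joined) as the delegated branch admin, who needs no domain-level rights. Names, site and paths are assumptions; the parameter names are those dcpromo.exe documents for /CreateDCAccount and /UseExistingAccount:Attach (check them with dcpromo /?:CreateDCAccount before use).

```powershell
# Added example: pre-create the RODC account, then attach a server to it.

# ---- Stage 1: pre-create the RODC account (writable DC, Domain Admins) ----
# The account is created in the Domain Controllers container, the delegated admin
# gets the right to attach a server to it, and the password replication policy
# is set now so the RODC never caches anything outside the branch group. The
# default Deny list already covers Domain Admins and the other privileged groups.
& dcpromo.exe /CreateDCAccount `
    /ReplicaDomainDNSName:contoso.com `
    /DCAccountName:TOR-RODC1 `
    /SiteName:Toronto `
    /DelegatedAdmin:"CONTOSO\Toronto-RODC-Admins" `
    /PasswordReplicationAllowed:"CONTOSO\Toronto-Users" `
    /InstallDNS:Yes `
    /ConfirmGc:Yes

# ---- Stage 2: attach the server to the account (branch server, delegated admin) ----
# The server's computer name must equal DCAccountName. dcpromo finds the existing
# account and promotes with the delegated admin's own credentials (Password=* prompts).
$answerFile = Join-Path $env:TEMP 'rodc-attach.txt'

$secure = Read-Host -Prompt 'DSRM administrator password' -AsSecureString
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
UserDomain=contoso.com
UserName=CONTOSO\tor-admin
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & dcpromo.exe /UseExistingAccount:Attach /unattend:$answerFile
}
finally {
    # The file held the DSRM password in clear text: remove it whatever happened.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}
'Review the dcpromo output above, then restart to complete the promotion: shutdown /r /t 0'
```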
What Are Password Replication Policies?
The password replication policy determines how the RODC performs credential caching for authenticated users
By default, the RODC does not cache any user credentials or computer credentials
Options for configuring password replication policies:
  Keep the default: no credentials cached
  Enable credential caching on an RODC for specified accounts
  Add users or groups to the Allowed RODC Password Replication Group so that their credentials can be cached on all RODCs
Demonstration: Configuring Administrator Role Separation and Password Replication Policies
In this demonstration, you will see how to:
Configure administrator role separation
Configure the RODC password replication groups
Track which users log on to an RODC
Configure password replication policies for those accounts
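The tasks of this demonstration and of the password replication policy slide before it, done from the command line, as an added example that is not part of the course. Reads go over LDAP against the RODC's computer object; changes use repadmin /prp and dsmgmt, which ship with Windows Server 2008. The RODC, group and account names are assumptions.

```powershell
# Added example: view and tune an RODC's password replication policy, see who has
# authenticated through it, and delegate local administration of the RODC.
$rodc        = 'TOR-RODC1'              # assumed
$branchGrp   = 'CONTOSO\Toronto-Users'  # assumed
$branchAdmin = 'CONTOSO\tor-admin'      # assumed

function Get-RodcPasswordPolicy {
    param([string]$RodcName)
    $domainNc = ([adsi]'LDAP://RootDSE').Get('defaultNamingContext')
    $s = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainNc")
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$RodcName`$))"
    $obj = $s.FindOne().GetDirectoryEntry()
    # The PRP is stored on the RODC's own computer object. Deny beats Allow, and the
    # default Deny list already covers Domain Admins, Enterprise Admins, Schema Admins,
    # Account/Backup/Server Operators, Administrators and krbtgt, among others.
    @{
        Allowed           = @($obj.'msDS-Reveal-OnDemandGroup')
        Denied            = @($obj.'msDS-NeverRevealGroup')
        AuthenticatedHere = @($obj.'msDS-AuthenticatedToAccountlist')   # accounts that logged on via this RODC
    }
}

$policy = Get-RodcPasswordPolicy -RodcName $rodc
"Allowed to cache on ${rodc}:";  $policy.Allowed
"Never cached on ${rodc}:";      $policy.Denied
"Authenticated through ${rodc} (cached or not):"; $policy.AuthenticatedHere

# 1. Let the branch group cache its credentials on this RODC. Same list as
#    "repadmin /prp view $rodc allow". To instead turn the accounts that already
#    authenticated here into a new allowed group: repadmin /prp move $rodc <NewGroup>.
repadmin /prp add $rodc allow $branchGrp

# 2. Review what a thief of the RODC could crack offline: every account whose
#    secrets are now stored on it. Names that are not branch staff mean the
#    Allow list is too broad.
repadmin /prp view $rodc reveal

# 3. Administrator Role Separation: make the branch admin an administrator of the
#    RODC only. Run on the RODC itself; the account gains no rights on writable
#    DCs or in the domain.
& dsmgmt.exe 'local roles' "add $branchAdmin administrators" 'quit' 'quit'
& dsmgmt.exe 'local roles' 'show role administrators' 'quit' 'quit'
```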
Lesson 3: Configuring AD DS Domain Controller Roles
What Are Global Catalog Servers?
Modifying the Global Catalog
Demonstration: Configuring Global Catalog Servers
What Are Operations Master Roles?
Demonstration: Managing Operation Master Roles
How Windows Time Service Works
Notes: each site should have at least two global catalog servers. To open the Active Directory Schema snap-in, first register it with regsvr32 schmmgmt.dll, then add it to an MMC console.
What Are Global Catalog Servers?
(Diagram: several domains in the forest; each replicates part of its objects to the global catalog server, which holds the global catalog; a query sent to the global catalog returns a result that covers all domains)
Modifying the Global Catalog
(Diagram: the global catalog server starts with the common attributes firstName, lastName, email address, accountExpires and distinguishedName; after creating additional attributes, the changed attribute set also includes department)
Add only the additional attributes that you query or frequently refer to
Demonstration: Configuring Global Catalog Servers
In this demonstration, you will see how to:
Configure global catalog servers using Active Directory Sites and Services
Configure a domain controller on Server Core as a global catalog server
Add attributes to the global catalog server
Notes: making a domain controller a global catalog increases replication traffic, because it receives a partial replica of every other domain in the forest. Each domain should have at least two domain controllers.
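The global catalog changes from this demonstration done over LDAP (so they also apply to a Server Core DC, which has no GUI), plus the related schema flag from Lesson 2's RODC filtered attribute set, as an added example that is not part of the course. DC, site and attribute names are assumptions; the schema writes need Schema Admins membership and go to the schema master.

```powershell
# Added example: enable a GC, extend the partial attribute set, and keep one
# attribute off RODCs by adding it to the RODC filtered attribute set.
$dcName   = 'NYC-DC2'                 # assumed
$siteName = 'Default-First-Site-Name' # assumed
$gcAttr   = 'department'              # attribute to add to the global catalog
$fasAttr  = 'contoso-EmployeeSSN'     # assumed custom attribute to keep off RODCs

$rootDse  = [adsi]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$schemaNc = $rootDse.Get('schemaNamingContext')

# 1. Make a DC a global catalog: set bit 0 of "options" on its NTDS Settings
#    object (the same flag the Sites and Services check box writes).
function Enable-GlobalCatalog {
    param([string]$Dc, [string]$Site)
    $ntds = [adsi]"LDAP://CN=NTDS Settings,CN=$Dc,CN=Servers,CN=$Site,CN=Sites,$configNc"
    $options = 0
    try { $options = [int]$ntds.Get('options') } catch { }
    if (($options -band 1) -eq 0) {
        $ntds.Put('options', ($options -bor 1))
        $ntds.SetInfo()
    }
    # The DC advertises itself as a GC only after it has replicated every
    # domain's partial replica; RootDSE isGlobalCatalogReady then reads TRUE.
    return [string]([adsi]"LDAP://$Dc/RootDSE").Get('isGlobalCatalogReady')
}

# Schema changes must be written on the schema master: find it and bind there.
$schemaMasterNtds = [adsi]"LDAP://$(([adsi]"LDAP://$schemaNc").Get('fSMORoleOwner'))"
$schemaHost = $schemaMasterNtds.psbase.Parent.Get('dNSHostName')

function Get-SchemaAttribute {
    param([string]$LdapDisplayName)
    $s = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$schemaHost/$schemaNc")
    $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $s.FindOne().GetDirectoryEntry()
}

# 2. Add an attribute to the global catalog (partial attribute set). Every GC then
#    stores it for every object in every domain, so add only attributes queried
#    across domains. At the Windows Server 2003 forest level and above only the new
#    attribute replicates; at the Windows 2000 level every GC resynchronizes fully.
function Add-ToGlobalCatalog {
    param([string]$LdapDisplayName)
    $a = Get-SchemaAttribute $LdapDisplayName
    $a.Put('isMemberOfPartialAttributeSet', $true)
    $a.SetInfo()
}

# 3. RODC filtered attribute set: searchFlags bit 0x200 stops the attribute from
#    replicating to any RODC, so a stolen branch DC never holds it; bit 0x80 marks
#    it confidential, so on writable DCs only readers granted control access see
#    it. Both bits are refused on attributes of the base schema, hence a custom
#    attribute. Filtering is enforced only at the Windows Server 2008 forest
#    functional level; below that a compromised RODC can still request the values.
function Add-ToRodcFilteredAttributeSet {
    param([string]$LdapDisplayName)
    $a = Get-SchemaAttribute $LdapDisplayName
    $flags = 0
    try { $flags = [int]$a.Get('searchFlags') } catch { }
    $a.Put('searchFlags', ($flags -bor 0x200 -bor 0x80))
    $a.SetInfo()
}

Enable-GlobalCatalog -Dc $dcName -Site $siteName
Add-ToGlobalCatalog $gcAttr
Add-ToRodcFilteredAttributeSet $fasAttr
```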
What Are Operations Master Roles?

Role                   Scope and default holder                                                 Description
Schema Master          Forest-wide; by default held by the first DC in the forest root domain   Performs all updates to the Active Directory schema
Domain Naming Master   Forest-wide; by default held by the first DC in the forest root domain   Manages adding and removing all domains and directory partitions
RID Master             Domain-wide; by default held by the first DC in each domain              Allocates blocks of RIDs to each domain controller in the domain
PDC Emulator           Domain-wide; by default held by the first DC in each domain              Minimizes replication latency for password changes; synchronizes system time on all domain controllers in the domain
Infrastructure Master  Domain-wide; by default held by the first DC in each domain              Updates references from objects in its domain to objects in other domains when those objects are renamed or moved
Demonstration: Managing Operations Master Roles
In this demonstration, you will see how to:
Determine which server holds an operations master role
Move an operations master role
Seize an operations master role
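The three demonstration tasks written against the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008, so they run from PowerShell 2.0 without extra modules, as an added example that is not part of the course. Target DC names are assumptions; the equivalent built-in tools are netdom query fsmo and the ntdsutil roles context.

```powershell
# Added example: find, transfer and seize operations master roles, and check
# infrastructure master placement.
function Get-OperationsMasters {
    # Forest-wide roles live on the Forest object, domain-wide ones on the Domain.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Move-OperationsMaster {
    param(
        [string]$TargetDc,                                                    # FQDN of the new holder
        [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$Role,  # SchemaRole, NamingRole, PdcRole, RidRole, InfrastructureRole
        [switch]$Seize
    )
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $TargetDc)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if ($Seize) {
        # Seizing is for a holder that is gone for good. The old holder of a seized
        # Schema, Domain Naming or RID master must never come back online: it would
        # hand out duplicate RIDs or conflicting schema and partition changes.
        $dc.SeizeRoleOwnership($Role)
    } else {
        # Transfer is the normal path: both DCs are online and replicate the change,
        # so the old holder knows it no longer has the role.
        $dc.TransferRoleOwnership($Role)
    }
    $dc.Roles   # roles now held by the target
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master compares its domain's cross-domain references with
    # the GC. If it is itself a GC it never sees a difference and stops updating
    # them, unless every DC in the domain is a GC (then there is nothing to update).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $im     = $domain.InfrastructureRoleOwner
    $nonGc  = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() })
    if ($im.IsGlobalCatalog() -and $nonGc.Count -gt 0) {
        return "WARNING: infrastructure master $($im.Name) is a global catalog while $($nonGc.Count) DC(s) are not; move the role to a non-GC DC"
    }
    return 'OK: infrastructure master placement is fine'
}

Get-OperationsMasters
Test-InfrastructureMasterPlacement
# Move-OperationsMaster -TargetDc 'NYC-DC2.contoso.com' -Role PdcRole
# Move-OperationsMaster -TargetDc 'NYC-DC2.contoso.com' -Role RidRole -Seize
```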
How Windows Time Service Works
Time synchronization is important because:
  Kerberos authentication includes a time stamp
  Replication between domain controllers is time stamped
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers
In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers
(Diagram: PDC Emulator -> domain controllers -> client computers)
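Setting up and verifying the time hierarchy described above, as an added example that is not part of the course. Only the PDC emulator of the forest root domain takes time from an outside source; every other domain controller and client follows the domain hierarchy, which ends at that PDC emulator. The NTP peers are assumptions; the w32tm switches are the documented Windows Server 2008 ones.

```powershell
# Added example: configure W32Time for this host's place in the hierarchy and
# check its clock offset against the Kerberos tolerance.
$ntpPeers = 'time.windows.com,0x8 0.pool.ntp.org,0x8'   # assumed peers; 0x8 = client-mode requests
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootPdc  = $forest.RootDomain.PdcRoleOwner.Name
$thisHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($thisHost -eq $rootPdc) {
    # Forest root PDC emulator: the one box allowed an external source. Marking it
    # reliable lets DCs in child domains select it through the hierarchy.
    w32tm /config /manualpeerlist:"$ntpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Everyone else follows the domain hierarchy; this also drops stale manual peers.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
w32tm /resync /rediscover
w32tm /query /source    # should name an NTP peer on the PDC emulator, a DC elsewhere

# Kerberos rejects authenticators whose timestamp is more than the domain's
# MaxClockSkew (5 minutes by default, Default Domain Policy > Kerberos Policy)
# away from the KDC's clock. Measure this host's offset from the PDC emulator.
function Get-ClockOffsetSeconds {
    param([string]$Against)
    # /dataonly lines look like "17:02:11, +00.0070221s"; the last sample wins.
    $last = w32tm /stripchart /computer:$Against /samples:3 /dataonly 2>&1 | Select-Object -Last 1
    if ("$last" -match '([+-]\d+\.\d+)s') { return [math]::Abs([double]$matches[1]) }
    return $null
}

$offset = Get-ClockOffsetSeconds -Against $rootPdc
if ($offset -eq $null)   { "Could not measure offset against $rootPdc" }
elseif ($offset -gt 300) { "FAIL: clock is $offset s off; Kerberos logons will fail" }
elseif ($offset -gt 60)  { "WARN: clock is $offset s off; fix it before it reaches 300 s" }
else                     { "OK: clock is within $offset s of $rootPdc" }

# Whole-domain view: every DC's offset from the PDC emulator in one table.
w32tm /monitor /domain:$($forest.RootDomain.Name)
```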
Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles
Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
Exercise 2: Installing and Configuring an RODC
Exercise 3: Configuring AD DS Domain Controller Roles
Logon information
  Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
  User name: Administrator
  Password: Pa$$w0rd
Estimated time: 75 minutes
Lab Review
Why did Axel's account not have permission to create any objects in AD DS?
What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1?
Could you have assigned the Domain Naming Master role to TOR-DC1?
What would happen when you add a new attribute to the global catalog?
Module Review and Takeaways
Review questions
Key points