MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 10: Configuring and Maintaining the Active Directory Infrastructure

Post on 07-Feb-2016

Description: GPO under Server 2008, Hmad Sadaq

Page 1: MCTS Chapter 10


MCTS Windows Server 2008 Active Directory 2

Objectives

• Describe and configure Active Directory functional levels

• Add and remove domains from a forest

• Configure Active Directory trusts

• Configure intrasite replication

• Work with sites

• Manage operations master roles


Examining Active Directory Functional Levels

• Functional levels allow administrators to maintain backward compatibility with older domain controllers while new features are added

• Functional levels should be set to the highest level that all domain controllers on the network support

• Member servers / workstations are independent of functional levels


Forest Functional Levels

• Forest functional level determines the features of Active Directory that have forest-wide implications

• A Server 2008 domain controller supports the following forest functional levels:

– Windows 2000

• Lacks the ability to use forest trusts and to rename a domain

– Windows 2003

• Supports all the features present in Windows 2000, plus the following features: forest trusts, Knowledge Consistency Checker (KCC) improvements, linked-value replication, domain rename, read-only domain controller deployment

– Windows 2008

• All the features of 2003, but no additional features (yet)


Domain Functional Levels

• A domain controller can’t be configured to run at a lower functional level than the functional level of the forest.

• Like forest functional levels, domain functional levels can be raised but not lowered

• Features:

– Windows 2000 Native: Universal groups, group nesting, group conversion, security identifier (SID) history

– Windows Server 2003: All features of Windows 2000 Native, domain controller renaming, logon timestamp replication, selective authentication, Users and Computers container redirection

– Windows Server 2008: All features of Windows Server 2003, Distributed File System replication, fine-grained password policies, interactive logon information, Advanced Encryption Standard (AES) support


Raising the Domain Functional Level

• All domain controllers must be running a Windows OS compatible with the desired functional level

• Functional level can be raised in Active Directory Domains and Trusts

• The functional level only needs to be raised on one domain controller; the change replicates to the rest automatically

• Once the functional level is raised, it cannot be reversed


Raising the Domain Functional Level (cont.)


Raising the Forest Functional Level

• You must be a member of the Domain Admins or Enterprise Admins group to raise the forest functional level

• If raising both domain and forest functional levels, the domain functional levels must be raised first

• Domain functional levels must be equal to or greater than the forest functional level

• Once functional level is raised, it cannot be lowered
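The ordering rules on the functional-level slides above (never lower a level, every DC must support the target, raise domains before the forest) expressed as a small planner. This is an added example written for this page, not code from the book; the level names, the OS-to-level mapping and function names such as `plan_forest_raise` are assumptions.

```python
# Added example: models the functional-level rules from the slides.
# Ordered lowest to highest; the list index is used for comparisons.
LEVELS = ["Windows 2000", "Windows Server 2003", "Windows Server 2008"]

# Highest domain functional level a DC running each OS can participate in
# (assumed mapping for this example).
DC_MAX_LEVEL = {
    "Windows 2000 Server": 0,
    "Windows Server 2003": 1,
    "Windows Server 2008": 2,
}


def check_domain_raise(current, target, dc_os_list):
    """Return None if the domain can go from current to target, else the reason."""
    cur, tgt = LEVELS.index(current), LEVELS.index(target)
    if tgt < cur:
        return "functional levels can be raised but not lowered"
    blockers = sorted({os for os in dc_os_list if DC_MAX_LEVEL[os] < tgt})
    if blockers:
        return "domain controllers running %s do not support %s" % (
            ", ".join(blockers), target)
    return None


def plan_forest_raise(forest_level, domains, target):
    """Plan raising a forest to `target`.

    domains maps domain name -> (current domain level, list of DC OS names).
    Returns (steps, errors): the ordered steps to perform, or the reasons
    the raise is blocked. Domain raises always precede the forest raise,
    because a domain level may never be below the forest level.
    """
    steps, errors = [], []
    if LEVELS.index(target) < LEVELS.index(forest_level):
        return [], ["forest functional level cannot be lowered"]
    for name, (level, dc_os_list) in domains.items():
        if LEVELS.index(level) >= LEVELS.index(target):
            continue  # already high enough; nothing to do for this domain
        reason = check_domain_raise(level, target, dc_os_list)
        if reason:
            errors.append("%s: %s" % (name, reason))
        else:
            steps.append("raise domain %s to %s" % (name, target))
    if errors:
        return [], errors  # raise nothing until every blocker is gone
    steps.append("raise forest to %s" % target)
    return steps, errors


if __name__ == "__main__":
    # Constructed sample forest (not from the slides).
    forest = {
        "example.com": ("Windows Server 2003",
                        ["Windows Server 2008", "Windows Server 2008"]),
        "child.example.com": ("Windows Server 2003",
                              ["Windows Server 2003", "Windows Server 2008"]),
    }
    print(plan_forest_raise("Windows Server 2003", forest, "Windows Server 2008"))
```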


Raising the Forest Functional Level (cont.)


Preparing a Forest and Domain for Windows Server 2008 with Adprep

• The Adprep command-line program prepares an existing forest or domain for the addition of a Windows Server 2008 domain controller

• To prepare the forest, run the adprep /forestprep command on a Windows Server 2003 or Windows 2000 domain controller acting as the schema master

• Then run adprep /domainprep in each domain where you plan to add a Windows Server 2008 DC. Windows 2000 requires adprep /domainprep /gpprep


Preparing for a Read Only Domain Controller

• Before you can install an RODC in an existing domain that isn’t running all Windows Server 2008 DCs, follow these steps:

– Verify the functional level is Windows Server 2003 or higher

– Prepare the forest

– Install at least one writeable DC running Windows Server 2008

– Install an RODC on a full Windows Server 2008 installation or a Server Core installation


Removing a Domain Controller

• Be aware of some potential issues:

– If the DC performs any operations master roles, you must first transfer the role to another DC

– If the DC is a global catalog server, make sure at least one other DC is a global catalog server

– If it’s the only DC in the domain, you’ll also remove the domain

• Dcpromo is used to remove domain services

• If the server wasn’t the last DC, it will remain a member of the domain


Removing a Domain

• Two ways to remove a domain:

– Dcpromo

– Ntdsutil

• If the DC crashed or was taken offline without using dcpromo to demote it to a regular server, you must use Ntdsutil to remove the domain

• This process is called removing an orphaned domain

• A metadata cleanup will remove all selected domain data from the rest of the forest


Using the Active Directory Migration Tool

• The Active Directory Migration Tool (ADMT) allows moving objects and restructuring Active Directory without users losing access to network resources, and has three main types of migration:

– Intraforest migration

– Interforest migration

– Migration of an NT 4.0 domain to an Active Directory domain

• Before attempting migration, you should review the Active Directory Migration guide

• Terms used for migration planning and implementation:

– SID History

– Security Translation

– Password Export Server (PES)


Configuring Active Directory Trusts

• Recall that all domains in a forest trust one another automatically through two-way transitive trusts, which you can’t remove

• Types of trusts you can configure:

– Shortcut trust

– Forest trust

– External trust

– Realm trust

• DNS must be configured so that FQDNs of DCs in all participating domains can be resolved


Configuring Shortcut Trusts

• A shortcut trust is a one-way or two-way transitive trust between two domains in the same forest or two domains in trusting forests

• Helps to reduce authorization delays between domains

• Shortcut trusts between domains in different forests require a forest trust to be configured

• Trusts between forests and external trusts might require additional DNS configuration


Configuring Forest Trusts

• DNS must be configured correctly in both forest root domains

• You must initiate the forest trust in Active Directory Domains and Trusts from the forest root domain

• When creating a forest trust, you must specify the type of authentication you wish to use:

– Forest-wide authentication is a property of a forest trust in which all users in a trusted forest can be authenticated to the trusting forest

– Selective authentication enables administrators to specify users who can authenticate to selected resources in the trusting forest


Configuring External and Realm Trusts

• An external trust is created between domains in different forests or between domains in a Windows Server 2003/2008 forest and a Windows 2000 server forest or Windows NT domain

• An external trust is not transitive; creating one is nearly identical to creating a forest trust

• When creating a realm trust, the main consideration should be whether or not it should be transitive


Configuring Trust Properties

• The Properties dialog box of a forest trust contains three tabs:

– The General Tab – Provides options:

• The other domain supports Kerberos AES Encryption

• Direction of trust

• Transitivity of trust

• Validate

• Save As

– The Name Suffix Routing Tab – Allows you to control which name suffixes used by the trusted forest are routed for authentication

– Authentication Tab – Same options as the Outgoing Trust Authentication Level window


SID Filtering

• The SIDHistory attribute can be used for nefarious purposes to gain administrative privileges in a trusting forest

• To counter the security risk, Windows provides a feature called SID filtering

• SID Filtering causes the trusting domain to ignore any SIDs that aren’t from the trusted domain

• SID filtering is enabled by default on external trusts but is disabled on forest trusts
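A simplified model of the check described on this slide, added here as an example (not code from the book or from Windows): the trusting side keeps only SIDs whose domain prefix matches the trusted domain's SID and drops the rest, which is exactly what neutralises a SIDHistory entry pointing at the trusting domain. Real Windows SID filtering also has rules for well-known SIDs that this model omits; all SID values and function names below are constructed.

```python
# Added example: a simplified model of SID filtering on a trust boundary.
# The trusting domain keeps only SIDs whose domain part matches the SID of
# the trusted domain the token came from; everything else is discarded.
# Real Windows SID filtering has extra rules (well-known SIDs, forest-wide
# behaviour on forest trusts) that this model deliberately leaves out.

def domain_part(sid):
    """'S-1-5-21-1111-2222-3333-1105' -> 'S-1-5-21-1111-2222-3333'."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1])  # everything but the relative identifier


def filter_sids(trusted_domain_sid, presented_sids):
    """Return (kept, dropped) for SIDs presented across a trust.

    presented_sids is the full list carried in the authorisation data:
    the user's SID, group SIDs and any SIDHistory entries.
    """
    kept, dropped = [], []
    for sid in presented_sids:
        if domain_part(sid) == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)  # foreign domain SID: filtered out
    return kept, dropped


def sidhistory_risk(trusting_domain_sid, presented_sids):
    """SIDs in the token that claim membership in the trusting domain itself.

    These are the entries the slide warns about: with filtering off, a
    SIDHistory value pointing at the trusting domain would be honoured.
    """
    return [s for s in presented_sids if domain_part(s) == trusting_domain_sid]


if __name__ == "__main__":
    # Constructed values (not from the slides).
    TRUSTED = "S-1-5-21-1111-2222-3333"    # domain the user authenticated in
    TRUSTING = "S-1-5-21-9999-8888-7777"   # domain holding the resource
    token = [
        "S-1-5-21-1111-2222-3333-1105",  # the user
        "S-1-5-21-1111-2222-3333-513",   # Domain Users of the trusted domain
        "S-1-5-21-9999-8888-7777-512",   # SIDHistory entry naming the trusting domain
    ]
    print(filter_sids(TRUSTED, token))
    print(sidhistory_risk(TRUSTING, token))
```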


Configuring Intrasite Replication

• Intrasite and intersite replication use the same basic processes to replicate Active Directory data

• Intersite replication is optimized to take slower WAN links into account

• Intrasite replication can be initiated in one of two ways:

– Notification

– Periodic replication

• Intrasite replication involves two main components: Knowledge Consistency Checker (KCC) and connection objects


Knowledge Consistency Checker (KCC)

• KCC is a process that runs on every DC and, for intrasite replication, builds a replication topology among DCs in a site and establishes replication partners

• The KCC on each domain controller uses data stored in the forest-wide configuration directory partition to create the replication topology

• The replication topology can be recalculated manually in Active Directory Sites and Services


Connection Objects

• Connection objects define the connection parameters between two replication partners

• Changes to intrasite connection objects are usually unnecessary, but they can be made in Active Directory Sites and Services

• The General tab in the Properties dialog box is the only one of interest for connection objects, and contains the following fields:

– Change Schedule

– Replicate from Server

– Replicate from Site

– Replicated Naming Context(s)

– Partially Replicated Naming Context(s)


Creating Connection Objects

• You can create connection objects for intrasite replication if you want to alter the replication topology manually

• By default, the schedule for a new connection object is set to every 15 minutes, but this value can be changed

• Changing the schedule for connection objects can be useful for troubleshooting replication problems


Checking Replication Status

• Active Directory Sites and Services can be used to force the KCC to check the replication topology

• Repadmin.exe is a tool that will show detailed information about connections and replication status

• To use, type repadmin /showrepl

• Repadmin can also be used to show the partitions being replicated by each connection object, force replication to occur, force the KCC to recalculate the topology, and other actions
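A parser that turns the text of repadmin /showrepl into per-link records and picks out the inbound neighbours whose last attempt failed, so the check can be scripted rather than read by eye. This is an added example, not part of the book or of Repadmin; the sample output is constructed to resemble real output, and the names `Link`, `parse_showrepl` and `failing_links` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: parse "repadmin /showrepl" text and flag failing inbound links.
# SAMPLE is constructed to resemble repadmin output; it was not captured from a real DC.
SAMPLE = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2016-02-07 10:00:00 was successful.

CN=Configuration,DC=example,DC=com
    Branch-Site\\DC3 via RPC
        Last attempt @ 2016-02-07 10:05:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2016-02-06 09:00:00.
"""

@dataclass
class Link:
    partition: str            # naming context being replicated
    partner: str              # source DC, written as Site\DC
    transport: str            # RPC or SMTP
    ok: bool = True
    error: Optional[int] = None   # Win32 result code of the last failed attempt
    failures: int = 0             # consecutive failures reported by repadmin

PARTITION_RE = re.compile(r"^(?:DC|CN)=\S+$")      # partition header, column 0
PARTNER_RE = re.compile(r"^ {4}(\S+) via (\S+)$")  # "    Site\DC via RPC"
FAIL_RE = re.compile(r"failed, result (\d+)")
COUNT_RE = re.compile(r"(\d+) consecutive failure")

def parse_showrepl(text):
    """Return one Link per inbound neighbour in repadmin /showrepl output."""
    links, partition, inbound = [], None, False
    for line in text.splitlines():
        if line.startswith("==== INBOUND"):
            inbound = True   # everything above this header is the local DSA block
            continue
        if not inbound:
            continue
        if PARTITION_RE.match(line):
            partition = line
            continue
        m = PARTNER_RE.match(line)
        if m and partition:
            links.append(Link(partition, m.group(1), m.group(2)))
            continue
        if not links:
            continue
        m = FAIL_RE.search(line)
        if m:
            links[-1].ok = False
            links[-1].error = int(m.group(1))
        m = COUNT_RE.search(line)
        if m:
            links[-1].failures = int(m.group(1))
    return links

def failing_links(links):
    """Links worth an alert: inbound neighbours whose last attempt failed."""
    return [(l.partition, l.partner, l.error, l.failures) for l in links if not l.ok]
```

Run `failing_links(parse_showrepl(SAMPLE))` to get the one broken link in the sample; on a real DC, feed it the captured output of repadmin /showrepl instead.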


Global Catalog Replication

• The global catalog contains a partial replica of all objects in the forest, maintains universal group memberships, provides cross-domain logon support, and is used to locate objects throughout the forest

• Global catalog servers keep inbound connections with a DC in each domain the global catalog is built from

• Connections between global catalog servers always include replication of the global catalog partition


Global Catalog Replication (cont.)


Special Replication Situations

• Most Active Directory database changes follow the regular replication rules

• Certain changes require special processing:

– Urgent replication events (trigger change notifications immediately):

• Account lockouts

• Changes to the account lockout policy

• Changes to the domain password policy

• Changes to non-security principal passwords

• Password change to a DC computer account

• Changes to the RID master DC

– User account password changes


RODC Replication

• An RODC is treated like any other domain controller when considering replication topology

• Limitations to keep in mind:

– The connection between an RODC and a writeable DC is a one-way connection

– Two RODCs can replicate with one another, as long as one has an incoming connection with a writeable DC

– The domain directory partition can be replicated to an RODC only from a Windows Server 2008 DC. Windows Server 2003 DCs can replicate other partitions to an RODC

– When upgrading a domain from Windows Server 2003, the first Windows Server 2008 DC must be writeable


Creating Sites

• A site is an AD object containing domain controllers and replication settings and is usually associated with IP subnets and site links

• Sites are usually geographically dispersed and connected by WAN links

• When you create a site, you’re asked to select a site link

• DEFAULTIPSITELINK is the only choice unless you’ve created other site links


Creating Sites (cont.)


The Significance of Subnets

• After creating a site, you must associate one or more subnets with it

• AD uses this information in two important ways:

– Placing new domain controllers in the appropriate site

– Determining which site a client computer belongs to

• If a client’s IP address doesn’t match a subnet in any of the defined sites, communication efficiency could degrade because the client might request services from servers in remote sites instead of locally
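The subnet-to-site lookup described above, written out as an added example (not code from the book or from Active Directory): the most specific subnet containing the client's address decides its site, and a client matching no subnet is reported so an administrator can add the missing subnet object. The site names, subnets and function names are constructed for this example.

```python
import ipaddress

# Added example: how a client's IP address is matched to a site through the
# subnet objects attached to each site. The most specific subnet wins; a
# client that matches no subnet has no site and may use DCs in remote sites.
# Site names and subnets below are constructed, not from the slides.
SITE_SUBNETS = {
    "HQ": ["10.0.0.0/8"],                            # broad catch-all for the campus
    "Branch-East": ["10.2.0.0/16"],                  # more specific, carved out of 10/8
    "Branch-West": ["10.3.0.0/16", "192.168.50.0/24"],
}


def build_subnet_table(site_subnets):
    """Flatten {site: [cidr, ...]} into [(network, site)], most specific first."""
    table = [(ipaddress.ip_network(cidr), site)
             for site, cidrs in site_subnets.items() for cidr in cidrs]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip, table):
    """Site whose most specific subnet contains ip, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:      # first hit is the longest prefix, thanks to the sort
            return site
    return None


def unmapped_clients(client_ips, table):
    """Clients outside every site: candidates for a new subnet object."""
    return [ip for ip in client_ips if site_for_client(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for ip in ["10.2.4.7", "10.1.0.9", "192.168.50.20", "172.16.0.1"]:
        print(ip, "->", site_for_client(ip, table))
```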


Configuring Site Links

• Any new sites you create use the default site link, DEFAULTIPSITELINK, for their connection with other sites

• Additional site links can help adjust the replication schedule according to a network’s link characteristics

• Descriptive names should be used for site links

• A site can exist in more than one site link


Bridgehead Servers

• The Intersite Topology Generator is responsible for assigning a bridgehead server for each directory partition in the site

• Bridgehead servers are responsible for all intersite replication

• Bridgehead servers can be designated manually

• The repadmin /bridgeheads command lists which DCs in a site are acting as bridgehead servers to other sites


Intersite Transport Protocols

• Two protocols can be used to replicate between sites:

– IP

– SMTP

• IP is used by default in the DEFAULTIPSITELINK site link and is recommended in most cases

• Simple Mail Transfer Protocol is used primarily for e-mail and works well for slower, less reliable, or intermittent connections

• A DC can send multiple replication requests simultaneously without waiting for the reply


Site Link Bridges

• By default, site link bridging is enabled, which makes site links transitive

• You can change the transitive behavior of site links by turning off site link bridging and creating site link bridges manually

• Automatic site bridging can lead to over-utilization of a slower WAN link

• Other reasons to create site link bridges manually:

– Control traffic through firewalls

– Accommodate a partially routed network

– Reduce confusion of the KCC


The Global Catalog and Universal Group Membership Caching

• Global catalog servers increase replication traffic

• Windows Server 2008 includes universal group membership caching, which allows universal group membership information to be retrieved from a global catalog server in a different site, then cached locally on every DC in the site and updated every 8 hours

• Microsoft recommends placing a global catalog server in the site when the number of accounts exceeds 500 and the number of DCs exceeds two


Operations Master Best Practices

• If you build a new forest, the first DC installed performs all five FSMO roles

• This is acceptable for small environments, but larger environments may perform better if these roles are transferred to separate servers

• Common rules for operations masters:

– Unless your domain is small, transfer operations master roles to other DCs

– Place the servers performing these roles where network availability is high

– Designate an alternate DC for all roles


Domain Naming Master

• The domain naming master is needed when a domain or domain controller is added or removed from the forest

• Attempting to add or remove a domain while the DC performing this role is down is not advisable

• When possible, the domain naming master should be a direct replication partner with another DC that’s also a global catalog server in the same site


Schema Master

• The schema master is needed when the Active Directory schema is changed

• Generally, the schema master role should be transferred to another server only when you’re certain the original server will be down permanently


PDC Emulator

• Processes password changes for older Windows clients (Windows 9x and NT)

• Should be placed where there is a high concentration of users

• Shouldn’t be placed on a DC that is also a global catalog server


RID Master

• Every Active Directory object uses an RID to create the object’s SID

• RID Master provides these RIDs to domain controllers

• Ideally placed with the PDC emulator because the PDC emulator uses the RID master’s services frequently


Infrastructure Master

• Role is most needed when many objects have been moved or renamed

• Shouldn’t be performed by a DC that’s also a global catalog server, but should be at least in the same site as a global catalog server

• If the infrastructure master fails, the role can be moved to another DC if necessary


Transferring Operations Master Roles

• Transferring an operations master role means moving the role’s function from one server to another while the original server is still in operation

• Generally done for the following reasons:

– The DC performing the role was the first DC in the forest, and therefore holds all roles

– The DC performing the role is being moved to a location that isn’t well suited for the role

– The current DC’s performance is inadequate because of the resources the FSMO role requires

– The current DC is being taken out of service temporarily or permanently


Transferring Operations Master Roles (cont.)


Seizing Operations Master Roles

• An operations master role is seized when the current role holder is no longer online because of some type of failure

• Seizing should never be done when the current role holder is accessible

• Seizing is done with the ntdsutil command


Chapter Summary

• Administrators can configure functional levels on a new domain controller to maintain backward compatibility

• Functional levels can be raised but not lowered

• Windows Server 2008 supports three forest functional levels: Windows 2000, Windows Server 2003, and Windows Server 2008. Supported domain functional levels have nearly identical names

• You can raise functional levels when you install AD, or you can raise them manually


Chapter Summary (cont.)

• Before you can install a Windows Server 2008 server as a DC in an existing Windows Server 2003 or Windows 2000 server domain, existing domain controllers must be prepared

• Before you can install an RODC in an existing domain, the forest functional level must be at least Windows Server 2003

• To remove a domain controller, you use dcpromo or ntdsutil

• Use the Active Directory Migration Tool to migrate accounts from one domain or forest to another


Chapter Summary (cont.)

• Before creating a trust of any type, DNS must be configured so that FQDNs of domain controllers in all participating domains can be resolved

• Some trust properties you can configure include the trust direction and transitivity, name suffix routing, and authentication

• Both intrasite and intersite replication use the same basic processes to replicate Active Directory data; the main goal is to balance data replication timeliness and efficiency


Chapter Summary (cont.)

• A site is an Active Directory object containing domain controllers and default settings for replication within the site and is usually associated with one or more IP subnets and site links

• Connection objects provide the connection and replication parameters between two servers

• Bridgehead servers are responsible for all intersite replication

• Universal group membership caching resolves the potential conflict between faster logons and additional replication traffic

• Deciding where to place the FSMO role holder is part of your overall Active Directory design strategy