70-640_Lesson02_PPT_041009.ppt

Jun 02, 2018
Transcript
  • 8/10/2019 70-640_Lesson02_PPT_041009.ppt

    1/32

    Implementing Active DirectoryLesson 2

    2/32

    Skills Matrix

    Technology Skill                                             | Objective Domain                                                     | Objective #
    -------------------------------------------------------------|----------------------------------------------------------------------|------------
    Installing a New Active Directory Forest                     | Configure a forest or a domain                                       | 2.1
    Establishing and Maintaining Trust Relationships             | Configure trusts                                                     | 2.2
    Configuring Active Directory Lightweight Directory Services  | Configure Active Directory Lightweight Directory Services (AD LDS)   | 3.1
    Configuring a Read-Only Domain Controller                    | Configure the Read-Only Domain Controller (RODC)                     | 3.3

    3/32

    Server Manager

    Located in Administrative Tools. Can also be accessed by right-clicking Computer and selecting Manage.

    Allows you to:
    Add roles such as the DNS Server or Active Directory Domain Services role.
    Perform system diagnostics.
    Configure system services.
    Drill down into specific administrative tools.

    4/32

    Server Manager

    5/32

    Requirements for Active Directory

    A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full installation or Server Core).

    An administrator account and password on the local machine.

    6/32

    Requirements for Active Directory

    An NTFS partition for the SYSVOL folder structure.
    200 MB minimum free space on that NTFS partition for the Active Directory database files.
    50 MB minimum free space for the transaction log files.
    TCP/IP installed and configured (a static IP address is expected; dcpromo warns if the address is assigned by DHCP).
    An authoritative DNS server for the DNS domain that supports service (SRV) resource records. Support for dynamic updates and incremental zone transfers is recommended.
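The following pre-flight script checks the requirements listed above on the prospective domain controller. It is an added example, not part of the lesson; the drive letter and domain name are assumptions, and the SRV lookup is only expected to succeed when the server is joining an existing domain rather than creating a new forest.

```powershell
# Added example: pre-flight check of the AD DS requirements on the future DC.
# Run in an elevated PowerShell prompt. Drive letter and domain name are assumptions.
$ntdsDrive  = 'C:'                  # assumed volume for NTDS.dit, the logs and SYSVOL
$domainName = 'corp.example.com'    # assumed DNS name of the domain being created or joined

# SYSVOL must live on NTFS; FAT volumes cannot carry the ACLs SYSVOL depends on
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$ntdsDrive'"
if ($disk.FileSystem -ne 'NTFS') {
    Write-Warning "$ntdsDrive is $($disk.FileSystem); SYSVOL requires NTFS"
}

# 200 MB for the database plus 50 MB for the transaction logs is the stated minimum
$freeMB = [int]($disk.FreeSpace / 1MB)
if ($freeMB -lt 250) {
    Write-Warning "$ntdsDrive has $freeMB MB free; 250 MB is the minimum and far more is advisable"
}

# dcpromo warns when the server's address comes from DHCP; find such adapters now
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Where-Object { $_.DHCPEnabled } |
    ForEach-Object { Write-Warning "Adapter '$($_.Description)' uses DHCP; assign a static address" }

# Joining an existing domain: the authoritative DNS server must already serve the
# DC locator SRV record. For the first DC of a new forest this lookup fails by design.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName"
```

Run the script before starting Server Manager; every warning it prints corresponds to one of the requirements above and is cheaper to fix before dcpromo than after.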

    7/32

    Installing Active Directory

    To install Active Directory, you first need to add the Active Directory Domain Services role using Server Manager.

    8/32

    Installing Active Directory

    9/32

    Installing Active Directory

    The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:

    Adding a domain controller to an existing domain.
    Creating an entirely new forest.
    Adding a child domain to an existing domain.
    Adding a new domain tree to an existing forest.
    Demoting domain controllers and, eventually, removing a domain or forest.
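The same two steps (add the role, then run the wizard) can be scripted for a repeatable build. The block below is an added example and not part of the lesson: it installs the role with ServerManagerCmd and drives dcpromo from an unattended answer file for the "new forest" scenario. The domain name, NetBIOS name, paths and the answer-file location are assumptions; ForestLevel and DomainLevel 3 select Windows Server 2008.

```powershell
# Added example: unattended new-forest promotion on Windows Server 2008.
# All names and paths below are assumptions for illustration.
$answerFile = 'C:\dcpromo-unattend.txt'   # assumed path for the answer file

# Step 1: add the AD DS role (the GUI equivalent is Server Manager > Add Roles)
ServerManagerCmd.exe -install AD-Domain-Services

# Step 2: collect the Directory Services Restore Mode password without echoing it
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 3: write the [DCInstall] answer file. ForestLevel/DomainLevel: 0 = 2000, 2 = 2003, 3 = 2008.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Step 4: run the wizard unattended. The DSRM password sits in clear text in the file
# until dcpromo reads it; dcpromo is documented to clear it after use, but the file
# should still be deleted on the first logon after the reboot.
dcpromo /unattend:$answerFile
```

Keep the DSRM password out of shell history and out of any build repository: it is the local administrator password of the DC when booted into restore mode, and anyone who can read it can take the database offline and copy NTDS.dit.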

    10/32

    Choosing the Deployment Configuration

    11/32

    Post-Installation Tasks

    Upon completion of the Active Directory installation, you should verify a number of items:

    Application directory partition creation.
    Aging and scavenging for zones.
    Forward lookup zones and SRV records.
    Reverse lookup zones.

    12/32

    Application Partitions

    13/32

    Aging and Scavenging of DNS Records

    Aging and scavenging are processes that Windows Server 2008 DNS can use to clean up the DNS database after DNS records become stale or out of date.

    Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues. Stale records also keep a name resolving to an address that may now belong to a different host.
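Aging is enabled per zone and scavenging per server. The commands below are an added example, not part of the lesson, using dnscmd, which installs with the DNS Server role on Windows Server 2008; the server and zone names are assumptions.

```powershell
# Added example: turn on aging for one AD-integrated zone and scavenging on one server.
$dnsServer = 'dc01.corp.example.com'   # assumed DNS server (a domain controller)
$zone      = 'corp.example.com'        # assumed AD-integrated forward lookup zone

# Current zone settings; the "Aging" line shows whether aging is already on
dnscmd $dnsServer /ZoneInfo $zone

# Enable aging on the zone. With the default no-refresh and refresh intervals of
# 7 days each, a dynamically registered record becomes eligible for deletion
# 14 days after the host last refreshed it. Static records (timestamp 0) are never aged.
dnscmd $dnsServer /Config $zone /Aging 1

# Let this server scavenge every 168 hours (7 days). Enable scavenging on one
# DNS server per zone so that deletions come from a single, auditable place.
dnscmd $dnsServer /Config /ScavengingInterval 168

# Confirm the server-level setting took effect
dnscmd $dnsServer /Info ScavengingInterval
```

Before the first scavenging pass, confirm that every server that should keep a name is refreshing its record (DHCP-registered clients and servers with dynamic registration); a record that is never refreshed will be removed as soon as the intervals elapse.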

    14/32

    Aging and Scavenging of DNS Records

    15/32

    DNS Records

    Make sure the forward lookup zone is created.

    Make sure a Host (A) record is created for your server.

    Make sure the DNS subdomains are created: _msdcs, _sites, _tcp, _udp
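The three checks above can be done from a command prompt instead of the DNS console. The block below is an added example, not part of the lesson; the domain, site and DC names are assumptions. Each SRV query exercises one of the four subdomains the wizard registers.

```powershell
# Added example: verify the A record and the locator SRV records a new DC must publish.
$domain = 'corp.example.com'          # assumed domain
$site   = 'Default-First-Site-Name'   # assumed AD site name
$dc     = 'dc01'                      # assumed DC host name

# Host (A) record for the domain controller itself
nslookup -type=A "$dc.$domain"

# One lookup per subdomain; every answer must list the new DC
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",       # _msdcs: domain controller locator
    "_ldap._tcp.$site._sites.$domain",    # _sites: site-specific locator
    "_kerberos._tcp.$domain",             # _tcp:   KDC over TCP
    "_kerberos._udp.$domain"              # _udp:   KDC over UDP
)
foreach ($name in $srvNames) {
    Write-Host "== $name"
    nslookup -type=SRV $name
}

# dcdiag performs the same registration checks end to end and reports which
# records are missing. Run it on the DC after the post-promotion reboot.
dcdiag /test:DNS /v

# Missing records are re-registered by the Netlogon service, which owns them;
# do not create them by hand:
#   nltest /dsregdns
```

A client that cannot find the _msdcs record falls back to NetBIOS name resolution, so a missing SRV record shows up as slow logons and "domain not available" errors rather than as an obvious DNS failure.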

    16/32

    DNS Records

    17/32

    Raising the Domain Functional Level

    Open Active Directory Domains and Trusts from the Administrative Tools folder.

    Right-click the domain you wish to raise and select Raise Domain Functional Level.

    18/32

    Raising the Forest Functional Level

    Open Active Directory Domains and Trusts from the Administrative Tools folder.

    Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.

    19/32

    Raising the Forest Functional Level

    The forest functional level can be raised only to a level that every domain in the forest already meets. If any domain is still below the target (for example, a domain still at Windows Server 2003 when you are raising the forest to Windows Server 2008), you will receive an error indicating that the forest functional level cannot be raised yet. Once all domains are at the Windows Server 2008 domain functional level, you can click Raise to proceed.
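Because the raise cannot be undone, it is worth inventorying levels and domain controller operating systems first. The block below is an added example, not part of the lesson; it uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 and raises nothing unless the guard variable is changed deliberately. It covers both the domain and the forest procedure described above.

```powershell
# Added example: inventory functional levels and DC operating systems, then raise
# the domain level(s) and the forest level only behind an explicit guard.
# Requires Domain Admins for a domain raise and Enterprise Admins for the forest raise.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode

foreach ($domain in $forest.Domains) {
    "  Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode
    foreach ($dc in $domain.DomainControllers) {
        # Any DC running an older OS than the target level blocks the raise
        "    DC {0,-40} {1}" -f $dc.Name, $dc.OSVersion
    }
}

# There is no rollback on Windows Server 2008, so the raise is gated on a value
# that must be flipped by hand after reading the inventory above.
$confirmRaise = $false   # set to $true only once every DC is at the target OS
if ($confirmRaise) {
    $targetDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
    foreach ($domain in $forest.Domains) {
        if ($domain.DomainMode -lt $targetDomain) {
            "Raising domain {0} to {1}" -f $domain.Name, $targetDomain
            $domain.RaiseDomainFunctionality($targetDomain)
        }
    }
    # The forest raise is accepted only after every domain reports Windows2008Domain
    $targetForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008Forest
    "Raising forest {0} to {1}" -f $forest.Name, $targetForest
    $forest.RaiseForestFunctionality($targetForest)
}
```

The inventory is the useful part: after a raise, a domain controller running an earlier Windows version can no longer be added, so a forgotten branch-office DC on Windows Server 2003 is exactly the thing the listing is meant to surface before clicking Raise.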

    20/32

    Removing Active Directory

    Click the Start menu, key dcpromo and then press Enter.

    21/32

    Schema Management Console

    Some commercial applications, such as Microsoft Exchange, modify the schema as part of their installation process.

    You can also extend the schema manually using the Active Directory Schema snap-in. To modify the schema manually, you must be a member of the Schema Admins group.

    The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master operations role.

    22/32

    Installing the Schema Management Snap-in

    From a command prompt, key regsvr32 schmmgmt.dll and press Enter.

    Close the Command Prompt window, click Start, and then select Run.

    Key mmc /a in the dialog box and click OK.

    Click the File menu and select Add/Remove Snap-in, then add Active Directory Schema.
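Two things are worth checking before registering the snap-in: which domain controller holds the Schema Master, since that is where the snap-in should be used, and who currently sits in Schema Admins. The block below is an added example and not part of the lesson; it reads both from the directory with netdom and ADSI and assumes only that Schema Admins is in its default Users container of the forest root domain.

```powershell
# Added example: locate the Schema Master and audit Schema Admins membership.
# Schema changes are forest-wide and can only be deactivated, never deleted, so the
# group should be empty except while a change is actually being made.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootNc  = $rootDse.Get('rootDomainNamingContext')   # Schema Admins lives in the forest root

# netdom lists all five FSMO role holders; the Schema Master line is the one needed here
netdom query fsmo

# Default location of the group (assumption: it has not been moved out of CN=Users)
$schemaAdmins = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootNc"
$members = @($schemaAdmins.member)
if ($members.Count -eq 0) {
    'Schema Admins is empty, which is the expected steady state.'
} else {
    'Schema Admins members (remove them again once the schema change is done):'
    $members | ForEach-Object { "  $_" }
}

# schmmgmt.dll is registered on the machine where the console will run, not on every DC
regsvr32 /s schmmgmt.dll
```

Add your account to Schema Admins immediately before the change and remove it afterwards; a standing member of that group can modify every object class in the forest, and the change replicates everywhere.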


    24/32

    Trust Relationships

    Four trust types can be manually established in Windows Server 2008:

    Shortcut trusts - Created between two domains in the same forest to shorten the tree-walking process for users who require frequent access to resources elsewhere in the forest.
    Forest (cross-forest) trusts - Create a transitive trust, one-way or two-way, between the root domains of two separate forests.
    External trusts - Create a non-transitive trust, one-way or two-way, with a single domain outside the forest.
    Realm trusts - Create a trust between Windows Server 2008 Active Directory and a non-Windows Kerberos realm, such as an MIT Kerberos realm on UNIX.

    25/32

    Revoking a Trust Using Netdom

    Open a command prompt, type the following and press Enter:

    netdom trust TrustingDomainName /d:TrustedDomainName /remove

    Repeat these steps for the other end of the trust relationship.
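netdom can also create and harden the trust it later removes. The block below is an added example, not part of the lesson; it walks an external trust through creation, SID filtering, selective authentication, verification and removal. The domain names and the use of the built-in Administrator account are assumptions, and the commands are run on a domain controller of the trusting domain.

```powershell
# Added example: lifecycle of a one-way external trust with netdom.
# Run on a DC of the trusting domain as one of its Domain Admins. Names are assumptions.
$trusting = 'corp.example.com'      # assumed: the domain whose resources are exposed
$trusted  = 'partner.example.net'   # assumed: the domain whose users will be granted access

# 1. One-way external trust: CORP trusts PARTNER, so PARTNER users can be granted access
#    to CORP resources. /passwordD:* prompts for the password instead of leaving it in history.
netdom trust $trusting /d:$trusted /add /userD:"$trusted\Administrator" /passwordD:*

# 2. SID filtering ("quarantine"). It is on by default for external trusts on Windows
#    Server 2008; setting it explicitly protects against someone having turned it off.
#    Without it, an attacker who controls the trusted domain can put CORP SIDs (for example
#    Domain Admins) into SIDHistory and the trusting domain will honour them.
netdom trust $trusting /d:$trusted /quarantine:yes

# 3. Selective authentication: PARTNER users may authenticate only to CORP servers on which
#    they hold the "Allowed to Authenticate" permission, rather than to every server.
netdom trust $trusting /d:$trusted /SelectiveAuth:yes

# 4. Confirm the secure channel works before anyone relies on the trust
netdom trust $trusting /d:$trusted /verify

# 5. Revocation, as on the slide: remove this end, then repeat from a DC of the trusted domain
netdom trust $trusting /d:$trusted /remove /userD:"$trusted\Administrator" /passwordD:*
```

For a forest trust, use /EnableSIDHistory:no instead of /quarantine:yes; on a forest trust, quarantine also strips transitivity and confines the trust to the directly trusted domain.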

    26/32

    User Principal Name (UPN)

    The name of a system user in an e-mail address format: username@domainname

    Based on Internet RFC 822.

    27/32

    Changing the Default Suffix for User Principal Names

    Open Active Directory Domains and Trusts from the Administrative Tools folder.

    Right-click Active Directory Domains and Trusts and choose Properties.

    Click the UPN Suffixes tab, key the new suffix, and click Add.

    Add more than one suffix if needed, for example when your forest has more than one tree, and then click OK.
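The UPN Suffixes tab edits the multi-valued uPNSuffixes attribute on the Partitions container of the configuration partition. The block below is an added example, not part of the lesson, doing the same through ADSI and then assigning the suffix to one user; the suffix and the user's distinguished name are assumptions, and the first part needs Enterprise Admins rights.

```powershell
# Added example: list and add forest-wide UPN suffixes, then assign one to a user.
$newSuffix = 'example.com'   # assumed: a DNS domain the organisation actually owns
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.Get('configurationNamingContext'))"

'Current alternative UPN suffixes:'
$partitions.uPNSuffixes | ForEach-Object { "  $_" }

# Append only if absent. ADS_PROPERTY_APPEND = 3 adds values to a multi-valued attribute
# without disturbing the suffixes that are already there.
if ($partitions.uPNSuffixes -notcontains $newSuffix) {
    $partitions.PutEx(3, 'uPNSuffixes', @($newSuffix))
    $partitions.SetInfo()
    "Added suffix $newSuffix"
}

# Assign the suffix to a user (assumed DN). userPrincipalName must be unique in the
# forest; keep suffixes to DNS domains you control so that a logon name never
# coincides with an e-mail domain someone else can register.
$user = [ADSI]"LDAP://CN=Jane Doe,OU=Staff,$($rootDse.Get('defaultNamingContext'))"
$user.Put('userPrincipalName', "jdoe@$newSuffix")
$user.SetInfo()
```

The suffix becomes selectable in the New User wizard as soon as the configuration partition has replicated, which is why adding it is an Enterprise Admins operation while assigning it to a user is not.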

    28/32

    Summary

    Active Directory requires DNS. The DNS server does not have to run on a Windows Server machine, but the DNS implementation used must support SRV records for Active Directory to function.

    Planning the forest and domain structure should include a checklist that can be referenced for the information the Active Directory Installation Wizard prompts for.

    29/32

    Summary

    Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records. Additional items, such as reverse lookups, aging, and scavenging, also should be configured.

    Application directory partitions (DomainDnsZones and ForestDnsZones) are automatically created when Active Directory-integrated zones are configured in DNS. These partitions control replica placement within the forest structure.

    30/32

    Summary

    System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.

    Planning forest and domain functionality depends on the need for down-level operating system compatibility. Raising a forest or domain functional level is a procedure that cannot be reversed.

    31/32

    Summary

    Four types of manual trusts can be created: shortcut, external, forest (cross-forest), and realm trusts.

    Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.

    32/32

    Summary

    UPNs provide a mechanism to make access to resources in multiple domains user-friendly.

    UPNs follow a naming format similar to e-mail addresses.

    You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.