Active Directory® Domain Services (AD DS)
Jul 10, 2015
What is AD DS?
•Active Directory Domain Services (AD DS) provides the functionality of an identity and access (IDA) solution for enterprise networks. An IDA solution must:
•Store information about users, groups, computers, and other identities.
•Authenticate an identity. A server grants a user access to a resource (for example, a document) only after it verifies that the identity presented in the access request is valid. AD DS authenticates identities with the Kerberos protocol.
•Control access to resources, based on the authenticated identity and the groups it belongs to.
•Provide an audit trail of authentication and access events.
Components of an Active Directory Infrastructure
Active Directory data store
Domain controllers
Domain
Forest
Tree
Functional level
Organizational units
Sites
Domain controllers (DC)
•DCs are servers that perform the AD DS role: each DC holds a copy of the directory database (writable, or read-only on an RODC).
•Each DC runs the Kerberos Key Distribution Center (KDC) service, which performs authentication, along with the other Active Directory services.
Forest
•A forest is a collection of one or more Active Directory domains.
• The first domain installed in a forest is called the forest root domain.
• The forest defines the security boundary; a domain within a forest is an administrative and replication boundary, not a security boundary.
Functional level
• The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features.
• Three domain functional levels:
Windows 2000 native
Windows Server 2003
Windows Server 2008
• Two forest functional levels:
Windows Server 2003
Windows Server 2008
Requirements for Installing AD DS
Administrator permissions
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest
Network configuration
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or one will be configured on the domain controller
Server requirements to install AD DS
• A computer running Windows Server 2008
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system
AD DS Installation Process
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
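As an added example (not part of the course slides), the six wizard steps above run unattended with dcpromo /unattend, preceded by checks for the prerequisites listed in the previous section. The forest name corp.example.com, the NetBIOS name CORP and the on-disk paths are assumptions; run it from an elevated PowerShell prompt as a local Administrator on a Windows Server 2008 member or standalone server.

```powershell
# Added example, not from the course slides: prerequisite checks plus an unattended
# dcpromo run for the FIRST domain controller of a new forest on Windows Server 2008.
# Assumed values: forest corp.example.com, NetBIOS name CORP, default paths on C:.

$ForestName  = "corp.example.com"   # assumption
$NetBiosName = "CORP"               # assumption
$DbPath      = "C:\Windows\NTDS"
$LogPath     = "C:\Windows\NTDS"
$SysvolPath  = "C:\Windows\SYSVOL"

# --- Server requirements: NTFS system volume with at least 250 MB free ---
$sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
if ($sys.FileSystem -ne "NTFS") { throw "System volume must be NTFS (found $($sys.FileSystem))." }
if ($sys.FreeSpace -lt 250MB)   { throw "Need at least 250 MB free on C: for the AD DS database and logs." }

# --- Network configuration: TCP/IP with DNS client settings ---
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | Select-Object -First 1
if (-not $nic.DNSServerSearchOrder) { throw "No DNS server configured in the TCP/IP client settings." }
# A DNS server that accepts dynamic updates is required; InstallDNS=Yes below makes the
# wizard set one up on this DC and point the DNS client at it.

# --- Step 6: DSRM password. Prompt for it; never leave it hard-coded in a script on disk ---
$dsrm = Read-Host "Directory Services Restore Mode Administrator password" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# --- Steps 2-6 as a [DCInstall] answer file (documented dcpromo unattend keys) ---
# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level (0 = Windows 2000, 2 = 2003).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestName
DomainNetBiosName=$NetBiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="$DbPath"
LogPath="$LogPath"
SYSVOLPath="$SysvolPath"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@
$answerFile = Join-Path $env:TEMP "dcpromo-forest.txt"
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

try {
    # Step 1 is implicit: dcpromo installs the AD DS role binaries if they are missing.
    # The same command is how AD DS is installed on Server Core, which has no wizard.
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerFile
    Write-Host "dcpromo exit code $LASTEXITCODE; details in $env:SystemRoot\debug\dcpromo.log"
}
finally {
    # The answer file holds the DSRM password in clear text: remove it even if dcpromo fails.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}

# Reboot by hand once you have read dcpromo.log; RebootOnCompletion=No keeps the log readable first.
# shutdown /r /t 0
```

The DSRM password is the one secret that lets anyone with console access to this server boot it in Directory Services Restore Mode and read the database offline, so treat it like a domain administrator password: prompt for it, write it only to the temporary answer file, and delete that file as soon as dcpromo returns.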
Advanced Options for Installing AD DS
Use the advanced mode options to:
• Create a new domain tree
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name
• Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv
Installing AD DS from Media
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller without SYSVOL data
• Read-only domain controller without SYSVOL data
• Read-only domain controller
Installing AD DS on a Server Core Computer
• Server Core has no Server Manager GUI and no installation wizard; AD DS is installed by running dcpromo with an unattended answer file (dcpromo /unattend:<file>).
Configuring AD DS Domain Controller Roles
•What Are Global Catalog Servers?
•Modifying the Global Catalog
•Demonstration: Configuring Global Catalog Servers
•What Are Operations Master Roles?
•Demonstration: Managing Operations Master Roles
•How Windows Time Service Works
What Are Global Catalog Servers?
[Figure: a client query sent to a global catalog server returns results for objects from every domain in the forest, not only from the domain the server belongs to]
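As an added example (not part of the course slides), the command-line equivalents of the two demonstrations in this module: listing the global catalog servers and the operations master role holders, and enabling the global catalog on a DC. The DC name DC02 and the domain corp.example.com are assumptions; dsquery, repadmin, netdom and nltest are installed with the AD DS role on Windows Server 2008.

```powershell
# Added example, not from the course slides. Assumed names: DC02 (the DC to make a GC),
# domain corp.example.com.

# Which DCs in the forest hold a copy of the global catalog today?
dsquery server -forest -isgc

# Which DC holds each of the five operations master roles
# (schema master, domain naming master, RID master, PDC emulator, infrastructure master)?
netdom query fsmo

# Make DC02 a global catalog server by setting the IS_GC option on its NTDS Settings object.
# This is what the "Global Catalog" check box in Sites and Services does; -IS_GC removes it.
repadmin /options DC02 +IS_GC

# DC02 only advertises as a GC after the partial attribute set of every other domain has
# replicated in. Until then its rootDSE reports isGlobalCatalogReady = FALSE.
$rootDse = [ADSI]"LDAP://DC02.corp.example.com/RootDSE"
$rootDse.isGlobalCatalogReady

# Locator check from a client's point of view: does the domain hand out DC02 as a GC?
nltest /dsgetdc:corp.example.com /gc

# A GC answers forest-wide queries on TCP 3268 (LDAP) and 3269 (LDAP over SSL) in addition
# to the domain ports 389 and 636; firewall rules between sites must allow them.
```

One caveat when combining the two demonstrations: in a forest with more than one domain, the infrastructure master should not sit on a global catalog server unless every DC in the domain is a GC, because a GC-hosted infrastructure master never detects stale cross-domain references.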
How Windows Time Service Works
Time synchronization is important because:
• Kerberos authentication includes a time stamp
• Replication between domain controllers is time stamped
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers
[Figure: time hierarchy: client computers synchronize with their domain controller, and domain controllers synchronize with the PDC Emulator]
In a Windows Server 2008 forest, the PDC Emulator of the forest root domain is the authoritative time source for all other computers; it should itself be configured to synchronize with a reliable external time source.
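As an added example (not part of the course slides), configuring the time hierarchy described above with w32tm and checking the result against the Kerberos clock-skew limit. The root-domain PDC Emulator DC01, the domain corp.example.com and the NTP peers ntp1.example.net and ntp2.example.net are assumptions.

```powershell
# Added example, not from the course slides. Assumed names: domain corp.example.com,
# forest-root PDC Emulator DC01, external NTP peers ntp1.example.net and ntp2.example.net.

# 1. Find the PDC Emulator: the domain time hierarchy ends there.
netdom query fsmo

# 2. On DC01 only: take time from the external peers instead of the domain hierarchy and
#    advertise as a reliable time source. The 0x8 flag puts each peer in client mode.
w32tm /config /manualpeerlist:"ntp1.example.net,0x8 ntp2.example.net,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
w32tm /query /source      # should now name one of the peers, not "Local CMOS Clock"

# 3. On every other DC and client leave the default NT5DS (domain hierarchy) setting alone.
#    A DC that once held the PDC role and was configured as above must be put back:
#    w32tm /config /syncfromflags:domhier /update ; w32tm /resync /rediscover

# 4. Check clock offsets. Kerberos rejects an authenticator whose time stamp differs from the
#    DC's clock by more than the domain policy "Maximum tolerance for computer clock
#    synchronization" (5 minutes by default), so offsets approaching that need attention.
w32tm /monitor /domain:corp.example.com

# Same check, scripted: offset of this machine against the PDC Emulator, three samples.
# /dataonly prints one "hh:mm:ss, +00.0012345s" line per sample.
$lines   = w32tm /stripchart /computer:DC01.corp.example.com /samples:3 /dataonly
$offsets = foreach ($l in $lines) { if ($l -match '([+-]\d+\.\d+)s') { [double]$matches[1] } }
$worst = 0
foreach ($o in $offsets) { if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) } }
if ($worst -gt 300) {
    Write-Warning "Clock skew of ${worst}s exceeds the 5-minute Kerberos tolerance"
} else {
    Write-Host "Worst offset against the PDC Emulator: ${worst}s"
}
```

A machine that drifts past the tolerance does not merely log errors: every Kerberos authentication from it fails and clients fall back to NTLM where that is still allowed, so the w32tm /monitor check belongs in routine health monitoring, not only in troubleshooting.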