Unit 1 - Introduction to Microsoft Active Directory
DPW © 2005-2010 Donna Warren

Active Directory Unit 1 - Introduction - Donna Warren

Jul 08, 2018

Page 1: Unit 1 - Introduction to Microsoft Active Directory

Page 2: Donna P. Warren

• Education
  – AS Accounting
  – BS Electrical Engineering
  – MS Computer Science
• Industry Certifications
  – MCSE, CCNA
  – CIW Master Designer
  – CTT+, MCT and CIW Instructor
• Work Experience
  – Network Systems Engineer in Telecommunications
  – Owner of a small IT consulting company
  – 8 years a networking instructor
  – Owner of a Web Design and Copywriting Company
• Email Address: [email protected] (Please put IT 222 in the subject line)
• Class Website: http://www.donna-warren.com/Classes/ (capital C)

Page 3: Purpose of the Course

• Understand how DNS works and how it supports Active Directory
• Learn the architecture and history of Active Directory (AD)
• Install and configure an Active Directory forest with multiple domains
• Design the physical structure of Active Directory by using sites and site links
• Understand what the Global Catalog is and how it is used
• Understand the purpose of FSMO roles
• How to administer users, OUs and groups and secure authentication
• Understand what Group Policy is and how to use it in Active Directory
• How to maintain and troubleshoot Active Directory

Page 4: Topics for this Unit

• How Active Directory works
• What the schema is used to do
• Logical hierarchy of Active Directory
• Sites versus domains and forests
• The role of DNS in Active Directory
• Forest and domain functional levels in Windows Server 2008
• Trust models in Active Directory

Page 5: Domain Name Service (section title)

Page 6: DNS Service

• Resolves FQDNs (fully qualified domain names) to IP addresses
• Static database using host names (UNIX and Internet convention)
• Names stored in a text file
• DNS can be configured to use WINS NetBIOS name resolution
• Provides reverse lookup services
• Has sophisticated caching techniques

Page 7: InterNIC DNS Hierarchy

[Diagram: the ROOT name server at the top, with the top-level domains below it: the generic world-wide domains (COM, EDU, NET, ORG, INT), the generic US-only domains (GOV, MIL), and the country domains (AE ... US ... ZW); below US, the state subdomains (AK ... WY).]

Page 8: Top Level Domains

• COM - identifies commercial entities (microsoft.com)
• EDU - originally all educational institutions, now only 4-year colleges and universities (rutgers.edu). Other schools and 2-year colleges register under country domains
• NET - network providers and Internet administrative computers (internic.net)

Page 9: Top Level Domains (continued)

• INT - organizations established by international treaty (nato.int)
• GOV - agencies of the US federal government (nsf.gov)
• MIL - the US military (cecom.mil)
• BZ - new business domain (photos.bz)
• US - new non-government domain (kids.us)
• SR - new senior citizen domain (george.sr)

Page 10: Name Server Roles

• Primary - Zone information stored in locally maintained files
• Secondary - Zone information downloaded from a master name server
• Master - Source of zone information for a secondary name server. Can be either a primary or a secondary name server.
• Caching - No zone information stored; only maintains (caches) the results of queries. Default installation type.

Page 11: Database File Record Entries

• The first record created is the SOA (Start Of Authority) record; it defines the parameters for its zone.
• You can link WINS to DNS - one WINS server must be operating in the zone of authority, and WINS lookup must be enabled in the zone database.

Page 12: DNS Zones

• Primary zones store the database locally and have authority for the data.
• Secondary zones get the zone information from another server.
• Forward lookup DNS zones allow a resolver (an application included in web browsers and most FTP software) to obtain an IP address when the host name is known.
• A reverse lookup DNS zone allows a resolver to obtain a host name when an IP address is known. The PTR record can be automatically created when you enter a record into the forward lookup zone.

Page 13: Zones of Authority

• Zone of Authority - Portion of the name space that a particular name server is responsible for.
• Zone transfer - Process of downloading zone data from a master name server to a secondary name server.
• NOTE: a single server can be authoritative for multiple zones.

Page 14: Zones

• For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain.
• A zone starts as a storage database for a single DNS domain name.
• If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone.
• Once a subdomain is added, it can then either be managed and included in the original zone records, or delegated to another zone created to support the subdomain.

Page 15: Zone Transfers

• For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone.
• When a new DNS server is added to the network and is configured as a new secondary server for an existing zone, it performs a full initial transfer of the zone to obtain and replicate a full copy of the resource records for the zone.
• Most DNS server implementations use full zone transfer for updating after changes are made to the zone.

Page 16: Zone Transfers

• The Windows 2000 DNS service supports incremental zone transfer, a revised DNS zone transfer process for intermediate changes.
• Incremental zone transfers provide a more efficient method of propagating zone changes and updates.
• With incremental transfer, an alternate query type (IXFR) can be used instead. This allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone maintained by another DNS server.

Page 17: Zone Transfers

• If the zones are identified to be the same version -- as indicated by the serial number field in the start of authority (SOA) resource record of each zone -- no transfer is made.
• If the serial number for the zone at the source is greater than at the requesting secondary server, a transfer is made of only those changes to resource records for each incremental version of the zone.
• For an IXFR query to succeed and changes to be sent, the source DNS server for the zone must keep a history of incremental zone changes to use when answering these queries.

Page 18: Zone Transfers

• A zone transfer might occur during any of the following scenarios:
  – When the refresh interval expires for the zone
  – When a secondary server is notified of zone changes by its master server
  – When the DNS Server service is started at a secondary server for the zone
  – When the DNS console is used at a secondary server for the zone to manually initiate a transfer from its master server

Page 19: Zone Transfers

• Zone transfers are always initiated at the secondary server for a zone and sent to its configured master servers.
• Master servers can be any other DNS server that loads the zone, either the primary server for the zone or another secondary server.
• When the master server receives the request for the zone, it can reply with either a partial or a full transfer of the zone to the secondary server.

Page 20: Zone Transfer to a New DNS Server

1. During new configuration, the destination server sends an initial "all zone" transfer (AXFR) request to the master DNS server configured as its source for the zone.
2. The master (source) server responds and fully transfers the zone to the secondary (destination) server.
3. The zone is delivered to the destination server requesting the transfer with its version established by use of a serial number field in the properties for the start of authority (SOA) resource record (RR).

Page 21: Zone Transfer to a New DNS Server

4. The SOA RR also contains a stated refresh interval in seconds (by default, 900 seconds or 15 minutes) to indicate when the destination server should next request to renew the zone with the source server.
5. When the refresh interval expires, an SOA query is used by the destination server to request renewal of the zone from the source server.
6. The source server answers the query for its SOA record.

Page 22: Zone Transfer to a New DNS Server

7. This response contains the serial number for the zone in its current state at the source server.
8. The destination server checks the serial number of the SOA record in the response and determines how to renew the zone.
9. If the value of the serial number in the SOA response is equal to its current local serial number, it concludes that the zone is the same at both servers; a zone transfer is not needed.
10. If the value of the serial number in the SOA response is higher than its current local serial number, a transfer is needed.

Page 23: Zone Transfer to a New DNS Server

11. If the destination server concludes that the zone has changed, it sends an IXFR query to the source server, containing its current local value for the serial number in the SOA record for the zone.
12. The source server responds with either an incremental or a full transfer of the zone.
13. If the source server supports incremental transfer by maintaining a history of recent incremental zone changes for modified resource records, it can answer with an incremental zone transfer (IXFR) of the zone.

Page 24: Zone Transfer to a New DNS Server

14. If the source server does not support incremental transfer, or does not have a history of zone changes, it can answer with a full (AXFR) transfer of the zone instead.

Page 25: Zone Transfer - Existing DNS Server

1. DNS Notify implements a push mechanism for notifying a select set of secondary servers for a zone when it is updated.
2. Notified servers can initiate a zone transfer to pull zone changes from their master servers and update their local replicas of the zone.
3. Secondary servers must have their IP address in the notify list of the source server to be notified.
4. This list is maintained in the Notify dialog box, which is accessible from the Zone Transfers tab located in the zone Properties.
5. The notify list can also be used to restrict or limit zone transfers.

Page 26: Default Zone Time Out Values

• Refresh interval - The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. Default = 900 seconds (15 minutes).
• Retry interval - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Default = 600 seconds (10 minutes).
• Expire interval - The time, in seconds, before a secondary server stops responding to queries after a lapsed refresh interval where the zone was not refreshed or updated. Default = 86,400 seconds (24 hours).
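The refresh cycle that Pages 20 to 26 describe (SOA query, serial comparison, IXFR when the master keeps a change history, AXFR fallback, the refresh/retry/expire timers, and the notify list limiting which servers may pull the zone), as an added Python model; this is not course material or Windows DNS code, and the Master/Secondary classes, the 10.0.0.x addresses and the records are constructed for the illustration.

```python
"""Model of the secondary-server refresh cycle from the zone-transfer slides.
Constructed illustration, not Windows DNS code; classes, addresses and
records are assumed."""
from dataclasses import dataclass, field

# Default SOA timer values quoted on the slides, in seconds.
REFRESH, RETRY, EXPIRE = 900, 600, 86400


@dataclass
class Master:
    serial: int
    records: dict                                   # owner -> [(type, rdata)]
    history: dict = field(default_factory=dict)     # serial -> [(op, owner, rr)]
    allowed_secondaries: set = field(default_factory=set)  # notify/transfer list
    keeps_history: bool = True                      # able to answer IXFR at all?

    def soa_query(self):
        """Steps 6-7: answer an SOA query with the zone's current serial."""
        return self.serial

    def update(self, owner, rr, op="add"):
        """Apply one change, bump the serial and remember the change for IXFR."""
        self.serial += 1
        if op == "add":
            self.records.setdefault(owner, []).append(rr)
        else:
            self.records[owner].remove(rr)
        if self.keeps_history:
            self.history[self.serial] = [(op, owner, rr)]

    def transfer(self, requester_ip, have_serial):
        """Steps 12-14: refuse requesters not on the transfer list, send only
        the missing changes when the history covers them, else a full copy."""
        if requester_ip not in self.allowed_secondaries:
            return "REFUSED", None
        missing = range(have_serial + 1, self.serial + 1)
        if self.keeps_history and all(s in self.history for s in missing):
            return "IXFR", [c for s in missing for c in self.history[s]]
        return "AXFR", {o: list(rrs) for o, rrs in self.records.items()}


@dataclass
class Secondary:
    ip: str
    serial: int = 0                     # 0 = never transferred
    records: dict = field(default_factory=dict)
    last_success: int = 0               # time of the last successful refresh

    def refresh(self, master, now):
        """Steps 5-11: compare serials, then pull IXFR/AXFR if the zone changed."""
        master_serial = master.soa_query()
        if master_serial == self.serial:
            self.last_success = now
            return "IN_SYNC"            # step 9: same serial, no transfer needed
        kind, payload = master.transfer(self.ip, self.serial)
        if kind == "REFUSED":
            return kind                 # keep the old copy and retry later
        if kind == "IXFR":
            for op, owner, rr in payload:
                if op == "add":
                    self.records.setdefault(owner, []).append(rr)
                else:
                    self.records[owner].remove(rr)
        else:
            self.records = payload
        self.serial = master_serial
        self.last_success = now
        return kind

    def next_attempt(self, now, last_result):
        """Wait RETRY seconds after a failed transfer, REFRESH seconds otherwise."""
        return now + (RETRY if last_result == "REFUSED" else REFRESH)

    def is_serving(self, now):
        """A secondary stops answering once EXPIRE seconds pass without a refresh."""
        return now - self.last_success < EXPIRE


def demo():
    """Walk a constructed zone through an initial AXFR, an IXFR, a refused pull
    from an unlisted server and an in-sync check. Returns the result log."""
    master = Master(serial=1, records={"mail1": [("A", "200.200.200.34")]},
                    allowed_secondaries={"10.0.0.2"})      # constructed addresses
    listed = Secondary(ip="10.0.0.2")
    unlisted = Secondary(ip="10.0.0.9")
    log = [listed.refresh(master, 0)]                      # new secondary: AXFR
    master.update("www", ("A", "200.200.200.35"))          # serial 1 -> 2
    log.append(listed.refresh(master, REFRESH))            # only the change: IXFR
    log.append(unlisted.refresh(master, REFRESH))          # not on the list: REFUSED
    log.append(listed.refresh(master, 2 * REFRESH))        # nothing changed: IN_SYNC
    return log, listed, master
```

The refusal path is the defensive point of item 5 on Page 25: a server that is not on the list receives no copy of the zone, however current its serial.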

Page 27: DNS Resource Record Types

• A - address record maps a host name to an IP address
• AAAA - maps a host name to an IPv6 address
• CNAME - canonical name record establishes an alias for a host name
• MX - mail exchange record identifies a mail server for a specified domain
• NS - name server record identifies the name server for a specified DNS domain
• MH - multihomed computer

Page 28: DNS Resource Record Types

• PTR - pointer record associates an IP address with a host name in a reverse lookup database
• SOA - start of authority specifies the domain for which the DNS server is responsible
• WINS - WINS record identifies the WINS server to be consulted to resolve names not recorded in the DNS name space

Page 29: netadmin.dns

; SOA parameters were missing on the slide; the values below are the defaults
; given on the previous slides: serial, refresh, retry, expire, minimum TTL
@ IN SOA netadmin.itt.com. dpw.itt.com. ( 1 900 600 86400 3600 )
; name servers (trailing dot makes the name absolute)
@ IN NS netadmin.itt.com.
; aliases
teacher IN CNAME netadmin
; mail server (relative name, so it resolves to mail1.itt.com)
@ IN MX 10 mail1
mail1 IN A 200.200.200.34
; WINS record
@ IN WINS 200.200.200.34
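A parser for the zone-file format shown above, with the two behaviours described on Pages 12 and 27 to 28 added on top: auto-creating PTR records in the reverse lookup zone from the A records, and following a CNAME alias (such as teacher) to its address. This is an added Python example, not the course's or Windows DNS's code; the $ORIGIN itt.com., the netadmin A record and the SOA parameters are assumed.

```python
"""Parser for a small netadmin.dns-style zone file, plus PTR auto-creation and
CNAME following. Constructed example; origin and the netadmin A record are
assumed because the slide does not show them."""
from collections import defaultdict

ZONE_ORIGIN = "itt.com."   # assumed $ORIGIN that '@' and relative names expand to

# Constructed zone text in the slide's format (SOA parameters and the
# netadmin A record added so that the file is complete).
ZONE_TEXT = """\
@ IN SOA netadmin.itt.com. dpw.itt.com. ( 1 900 600 86400 3600 )
; name servers
@ IN NS netadmin.itt.com.
; aliases
teacher IN CNAME netadmin
; mail server
@ IN MX 10 mail1
mail1 IN A 200.200.200.34
netadmin IN A 200.200.200.10
; WINS record
@ IN WINS 200.200.200.34
"""


def absolute(name, origin=ZONE_ORIGIN):
    """Turn '@' or a relative label into a fully qualified name with a trailing dot."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ZONE_ORIGIN):
    """Return {owner: [(type, rdata_fields)]} for every non-comment line."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        owner, cls, rtype, *rdata = fields
        if cls != "IN":
            raise ValueError(f"unsupported class in: {line}")
        records[absolute(owner, origin)].append((rtype, rdata))
    return records


def reverse_zone(records):
    """Auto-create PTR records from A records, as the reverse lookup slide describes."""
    ptrs = {}
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype == "A":
                octets = rdata[0].split(".")
                ptrs[".".join(reversed(octets)) + ".in-addr.arpa."] = owner
    return ptrs


def resolve_a(records, name, origin=ZONE_ORIGIN, depth=0):
    """Follow CNAME aliases (bounded) until an A record is found; None if absent."""
    if depth > 8:
        return None                                # guard against CNAME loops
    for rtype, rdata in records.get(absolute(name, origin), []):
        if rtype == "A":
            return rdata[0]
        if rtype == "CNAME":
            return resolve_a(records, rdata[0], origin, depth + 1)
    return None
```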

Page 30: Types of DNS Queries

• Recursive - must respond with the requested data from its own or another DNS server's database, or with an error message stating the data is unavailable.
• Iterative - give the best answer, either a resolution or a referral to another name server.
• Inverse - reverse lookup

Page 31: DNS Query Responses

• An authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the DNS message to indicate the answer was obtained from a server with direct authority for the queried name.
• A positive answer can consist of the queried RR or a list of RRs (also known as an RRset) that fits the queried DNS domain name and record type specified in the query message.

Page 32: DNS Query Responses

• A referral answer contains additional resource records not specified by name or type in the query. It is used if the client does not support the recursion process.
• A negative answer results when an authoritative server reports that the queried name exists but no records of the specified type exist for that name, or that the queried name does not exist in the DNS namespace.

Page 33: Prioritizing Local Subnets

• By default, the DNS service uses local subnet prioritizing as the method to require the client application to attempt to connect to the host using its closest (and typically fastest) IP address available for connection when a host name is mapped to more than one IP address.
• If more than one A resource record (RR) matches the queried host name, the DNS service can reorder the records by their subnet location.

Page 34: DNS Database Files

• Boot - master configuration file used only at creation or import of BIND database files; afterward all data is stored in the registry
• cache.dns - contains the addresses of the root name servers and is used to preload resource records into the DNS server's names cache
• 127.0.0.dns - reverse lookup for the loopback network
• zone_name.dns - local DNS database file, not used in Active Directory
• Root.dns - root zone file used for the Active Directory root server

Page 35: DNS Database Management

• Aging
• Scavenging
• Caching
• TTL - indicates a length of time used by other DNS servers to determine how long to cache information for a record before expiring and discarding it. Default = 1 hour
• ipconfig /flushdns

Page 36: Nslookup Utility

• A command line utility that allows troubleshooting of DNS servers
• Syntax

c> nslookup microsoft.com
Server: ns02.plnfld01.nj.comcast.net
Address: 68.39.224.6

Non-authoritative answer:
Name: microsoft.com
Addresses: 207.46.249.22 207.46.249.27 207.46.249.190 207.46.134.155 207.46.134.190 207.46.134.222

Page 37: Active Directory (section title)

Page 38: Directory Service

• A network service that identifies all resources on a network and makes those resources accessible to users and applications
• The most common directory service standards are
  – X.500 - Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive
  – Lightweight Directory Access Protocol (LDAP) - Industry standard. Version of X.500 modified to run over the TCP/IP network

Page 39: Active Directory

• A directory service that uses the "tree" concept for managing resources on a Windows network
• Stores information about the network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies
• Identifies all resources on a network and makes them accessible to users and applications

Page 40: Active Directory

• Used in Windows 2000, 2003 and 2008
• Windows Server 2008 provides two ADs
  – Active Directory Domain Services (AD DS) - Provides the full-fledged directory service
  – Active Directory Lightweight Directory Services (AD LDS) - Provides a lightweight, flexible directory platform that can be used by Active Directory developers without a lot of overhead

Page 41: Domain Controller (DC)

• Server that stores the Active Directory database and authenticates users with the network during logon.
• Stores database information in a file called ntds.dit.
• Active Directory is a multimaster database.
  – Information is automatically replicated between multiple domain controllers.

Page 42: Active Directory Benefits

• Centralized resource and security administration
• Single logon for access to global resources
• Fault tolerance and redundancy
• Simplified resource location

Page 43: Active Directory Benefits
• Provides a single point from which administrators can manage network resources and security objects
• MMC Consoles found in Administrative Tools
– Active Directory Users and Computers
– Active Directory Sites and Services
– Active Directory Domains and Trusts
– ADSI Edit

Page 44: Fault Tolerance and Redundancy
• Active Directory uses a multimaster domain controller design
• Changes made on one domain controller are replicated to all other domain controllers in the environment
• It is recommended to have two or more domain controllers for each domain

Page 45: Read-Only Domain Controller (RODC)
• Introduced with Windows Server 2008
• A domain controller that contains a copy of the ntds.dit file that cannot be modified and that does not replicate its changes to other domain controllers with Active Directory

Page 46: Simplified Resource Location
• Allows file and print resources to be published within Active Directory
• Examples include:
– Shared folders
– Printers

Page 47: Active Directory Components
• Forests – One or more domain trees, with each tree having its own unique name space
• Domain trees – One or more security boundaries with contiguous name space
• Domains – A logical unit of computers and network resources that define a security boundary

Page 48: Active Directory Components
• Some of these common attributes are as follows
– Unique name
– Globally unique identifier (GUID)
– Required object attributes
– Optional object attributes

Page 49: Schema
• Database design, structure and relationship definitions
• Defines the objects stored within Active Directory and the properties (attributes) associated within each object
• The nature and function of an object determine what are reasonable properties

Page 50: Active Directory Naming Standard
• Example:
– cn=JSmith, ou=sales, dc=itt_bensalem, dc=com
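An added example (not from the course slides) that parses the distinguished name above into its relative distinguished names and derives the DNS domain name from the dc= components. It assumes the RFC 4514 backslash escaping rule for commas inside values; the attribute-type list is the short list used here, not the full schema.

```python
"""Parse an Active Directory distinguished name (DN) such as the slide's
cn=JSmith, ou=sales, dc=itt_bensalem, dc=com into its relative
distinguished names (RDNs).  Added example, not from the course slides."""
from typing import List, Tuple

# Attribute types accepted by this parser (LDAP short forms).
KNOWN_TYPES = {"cn", "ou", "dc", "o", "c", "l", "st", "uid"}


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf object first, root last.

    A backslash escapes the next character (RFC 4514), so a comma inside
    a value such as cn=Smith\\, John does not start a new RDN."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # keep the escaped character
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().lower()
        value = value.strip()
        if attr not in KNOWN_TYPES:
            raise ValueError(f"unknown attribute type: {attr!r}")
        if not value:
            raise ValueError(f"empty value in RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def dns_domain_of(dn: str) -> str:
    """Join the dc= components into the DNS name the domain uses
    (itt_bensalem.com for the slide's example)."""
    labels = [v for t, v in split_dn(dn) if t == "dc"]
    if not labels:
        raise ValueError("DN has no dc= components")
    return ".".join(labels)


def container_path(dn: str) -> List[str]:
    """OU/CN containers above the leaf object, root-most first; handy when
    auditing where in the tree an object actually lives."""
    rdns = split_dn(dn)
    containers = [v for t, v in rdns[1:] if t in ("ou", "cn")]
    return list(reversed(containers))
```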

Page 51: Domain Name System (DNS)
• Normally provides name resolution for a TCP/IP network
• Active Directory requires DNS as the default name resolution method
• Example Resource Records (RR)
– Host (A) – Host name to IP
– Pointer (PTR) – IP to Host name
– Service (SRV) – Locator service for LDAP/Domain controller services.

Page 52: Functional Levels
• Allows interoperability with prior versions of Microsoft Windows
• Higher levels of functional level will not allow older versions of Windows to function but will add additional functionality or features
• Raising functional level is a one-way process

Page 53: Domain Functional Levels

Page 54: Forest Functional Levels

Page 55: Using Forest Functional Levels
• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group
• The functional level of a forest can be raised only on a server that holds the Schema Master role

Page 56: Trust Relationships
• Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks
• A trust relationship allows administrators from a particular domain to grant access to their domain’s resources to users in other domains

Page 57: Trust Relationships
• When a child domain is created, it automatically receives a two-way transitive trust with its parent domain
• Trusts are transitive:
If domain A trusts domain B
And domain B trusts C
Then domain A trusts domain C

Page 58: Installing Active Directory

Page 59: Server Manager
• Located in Administrative Tools.
– Can also be accessed by right-clicking My Computer and selecting Manage
• Allows you to
– Add roles such as DNS server or Active Directory Domain Services role
– Perform system diagnostics
– Configure system services
– Drill down into specific administrative tools

Page 60: Server Manager

Page 61: Requirements for Active Directory
• A server running
– Windows Server 2008 Standard Edition
– Windows Server 2008 Enterprise Edition
– Windows Server 2008 Datacenter Edition (Full version or Server Core)
• An administrator account and password on the local machine

Page 62: Requirements for Active Directory
• An NT file system (NTFS) partition for the SYSVOL folder structure
– 200 MB minimum free space on the previously mentioned NTFS partition for Active Directory database files
– 50 MB minimum free space for the transaction log files
– Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured
• An authoritative DNS server for the DNS domain that supports service resource (SRV) records.
– to support incremental zone transfers and dynamic updates

Page 63: Installing Active Directory
• To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager

Page 64: Installing Active Directory

Page 65: Installing Active Directory
• The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios
– Adding a domain controller to an existing environment.
– Creating an entirely new forest structure.
– Adding a child domain to an existing domain.
– Adding a new domain tree to an existing forest.
– Demoting domain controllers and eventually removing a domain or forest.

Page 66: Choosing the Deployment Configuration

Page 67: Movie Demo
• Windows Server 2008 - How To Install Active Directory _ DNS .mp4

Page 68: Post-Installation Tasks
• Upon completion of the Active Directory installation, you should verify a number of items
– Application directory partition creation
– Aging and scavenging for zones
– Forward lookup zones and SRV records
– Reverse lookup zones

Page 69: Application Partitions

Page 70: Aging and Scavenging of DNS Records
• Aging and scavenging are processes that can be used to clean up the DNS database after DNS records become invalid or out of date
• Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues
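An added example (not from the course slides) that simulates how aging and scavenging decide which records are stale: each dynamically registered record carries a timestamp, a client re-registration only moves that timestamp after the no-refresh interval, and a record is scavenged once it is older than no-refresh plus refresh. It assumes the Windows defaults of seven days for each interval; the zone contents are constructed.

```python
"""Simulate Windows DNS aging and scavenging of dynamically registered
records.  Added example, not from the course slides.  Assumes the
Windows default 7-day no-refresh and 7-day refresh intervals; the
records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

DAY = timedelta(days=1)
DEMO_NOW = datetime(2010, 6, 1, 12, 0, 0)      # fixed clock for the demo


@dataclass
class DnsRecord:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]   # None = static record, never aged


@dataclass
class Zone:
    records: List[DnsRecord] = field(default_factory=list)
    no_refresh: timedelta = 7 * DAY
    refresh: timedelta = 7 * DAY
    scavenging_enabled: bool = True


def refresh_record(zone: Zone, rec: DnsRecord, now: datetime) -> bool:
    """A client re-registering its record only moves the timestamp once
    the no-refresh interval has passed (this limits replication churn).
    Returns True when the timestamp was actually updated."""
    if rec.timestamp is None or now - rec.timestamp < zone.no_refresh:
        return False
    rec.timestamp = now
    return True


def stale_records(zone: Zone, now: datetime) -> List[DnsRecord]:
    """Dynamic records not refreshed within no-refresh + refresh are stale."""
    cutoff = now - (zone.no_refresh + zone.refresh)
    return [r for r in zone.records
            if r.timestamp is not None and r.timestamp <= cutoff]


def scavenge(zone: Zone, now: datetime) -> List[DnsRecord]:
    """Delete stale records and return them.  Static records (timestamp
    None, like the DC's own A record here) are never touched."""
    if not zone.scavenging_enabled:
        return []
    removed = stale_records(zone, now)
    doomed = {id(r) for r in removed}
    zone.records = [r for r in zone.records if id(r) not in doomed]
    return removed


def demo_zone(now: datetime = DEMO_NOW) -> Zone:
    """Constructed zone: a static DC record, a laptop that re-registers
    regularly, and a decommissioned host that stopped refreshing."""
    return Zone(records=[
        DnsRecord("server1.lastname.com", "A", "192.0.2.10", None),
        DnsRecord("laptop7.lastname.com", "A", "192.0.2.57", now - 3 * DAY),
        DnsRecord("oldhost.lastname.com", "A", "192.0.2.99", now - 20 * DAY),
    ])
```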

Page 71: Aging and Scavenging of DNS Records

Page 72: Required DNS Records
• Make sure Forward Lookup zone is created
• Make sure Host (A) record is created for your server
• Make sure DNS domains are created
– _msdcs
– _sites
– _tcp
– _udp
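An added example (not from the course slides) that turns this checklist and the SRV locator records from the DNS slide into a post-installation check: it verifies the forward zone, the DC's A record, the standard locator SRV names under _msdcs, _sites, _tcp and _udp, and that every SRV target resolves to an A record. The zone data, lastname.com and server1 are constructed; the SRV name list is the set a domain controller normally registers.

```python
"""Post-installation DNS check for a new domain: forward lookup zone,
A record for the DC, and the DC locator (SRV) records under _msdcs,
_sites, _tcp and _udp.  Added example, not from the course slides;
the zone it builds is constructed (lastname.com, server1)."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]          # (owner name, record type, data)

# Locator SRV names a domain controller registers; the _sites entries
# exist once per Active Directory site the DC belongs to.
LOCATOR_SRV = [
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kpasswd._udp.{d}",
    "_ldap._tcp.{site}._sites.{d}",
    "_kerberos._tcp.{site}._sites.{d}",
]
SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")


def index_zone(zone: List[Record]) -> Dict[Tuple[str, str], List[str]]:
    """Map (lower-cased owner name, TYPE) -> list of record data."""
    idx: Dict[Tuple[str, str], List[str]] = {}
    for name, rtype, data in zone:
        key = (name.lower().rstrip("."), rtype.upper())
        idx.setdefault(key, []).append(data)
    return idx


def check_dc_records(zone: List[Record], domain: str, dc_host: str,
                     site: str) -> List[str]:
    """Return the problems found; an empty list means the zone passes."""
    idx = index_zone(zone)
    d = domain.lower()
    problems: List[str] = []
    if (d, "SOA") not in idx:
        problems.append(f"no forward lookup zone (SOA) for {d}")
    fqdn = f"{dc_host}.{d}".lower()
    if (fqdn, "A") not in idx:
        problems.append(f"missing A record for {fqdn}")
    for pattern in LOCATOR_SRV:
        name = pattern.format(d=d, site=site).lower()
        entries = idx.get((name, "SRV"))
        if not entries:
            problems.append(f"missing SRV record {name}")
            continue
        for srv in entries:            # SRV data: priority weight port target
            fields = srv.split()
            if len(fields) != 4:
                problems.append(f"malformed SRV data at {name}: {srv!r}")
                continue
            target = fields[3].lower().rstrip(".")
            if (target, "A") not in idx:   # a locator that points nowhere
                problems.append(f"SRV {name} targets {target}, which has no A record")
    for sub in SUBDOMAINS:             # the four sub-domains the slide lists
        suffix = f".{sub}.{d}"
        if not any(n.endswith(suffix) for n, _ in idx):
            problems.append(f"no records under {sub}.{d}")
    return problems


def sample_zone(domain: str = "lastname.com", dc_host: str = "server1",
                site: str = "Default-First-Site-Name") -> List[Record]:
    """Constructed zone as a freshly promoted DC would register it."""
    host = f"{dc_host}.{domain}."
    zone: List[Record] = [
        (domain, "SOA", f"{host} hostmaster.{domain}. 1 900 600 86400 3600"),
        (domain, "NS", host),
        (f"{dc_host}.{domain}", "A", "192.0.2.10"),
    ]
    for pattern in LOCATOR_SRV:
        port = "88" if "_kerberos" in pattern else "464" if "_kpasswd" in pattern else "389"
        zone.append((pattern.format(d=domain, site=site), "SRV", f"0 100 {port} {host}"))
    return zone
```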

Page 73: DNS Records

Page 74: Raising the Domain Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click the domain you wish to raise and select Raise Domain Functional Level

Page 75: Raising the Forest Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level

Page 76: Raising the Forest Functional Level
• If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed

Page 77: Removing Active Directory
• Click the Start menu, key dcpromo and then press Enter and follow the directions

Page 78: Schema Management Console
• Some commercial applications such as Microsoft Exchange will modify the schema as a part of their installation process
• You can also extend the schema manually using the Active Directory Schema snap-in
• To modify the schema manually, you must be a member of the Schema Admins group
• The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master Operations role

Page 79: Installing the Schema Management Snap-in
• From a command prompt, type regsvr32 schmmgmt.dll
• Close the Command Prompt window, click Start, and then select Run
• Type mmc /a in the dialog box and click OK
• Click the File menu and select Add/Remove Snap-in
• Select Schema Management

Page 80: Trust Relationship
• Trust relationships exist to make resource accessibility easier between domains and forests
• Many trust relationships are established by default during the creation of the Active Directory forest structure
• Trust relationships can be created using the Active Directory Domains and Trusts from the Administrative Tools folder

Page 81: Four Available Trust Relationships
• Shortcut trusts - Used to shorten the “tree-walking” process for users who require frequent access to resources elsewhere in the forest
• Cross-forest trusts - Allows you to create two-way transitive trusts between separate forests
• External trusts - Used to configure a one-way non-transitive trust
• Realm trusts - Allows you to configure trust relationships between a Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm
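An added example (not from the course slides) that works out which domains' resources a user's domain can be granted access to, applying the transitivity rule from the earlier Trust Relationships slide (A trusts B, B trusts C, so A trusts C) together with the trust types listed here: parent/child, shortcut and cross-forest trusts two-way and transitive, external trusts one-way and non-transitive. It also assumes, from the product's documented behaviour rather than the slides, that a forest trust does not chain on to a third forest; the topology in demo_graph is constructed.

```python
"""Which domains' resources can a user reach through trust paths?
Added example, not from the course slides.  Encodes the slide rules
(parent/child, shortcut and cross-forest trusts are two-way and
transitive; external trusts are one-way and non-transitive) and the
assumption that a forest trust does not chain on to a third forest."""
from collections import deque
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]         # (domain on the far side, trust kind)
Graph = Dict[str, List[Edge]]  # trusted domain -> domains that trust it

TWO_WAY = ("parent-child", "shortcut", "cross-forest")


def add_trust(graph: Graph, kind: str, trusting: str, trusted: str) -> None:
    """Record a trust.  Edges run from the trusted domain to the trusting
    one, because that is the direction in which user access flows
    (the trusting domain grants resources to the trusted domain's users)."""
    if kind not in TWO_WAY + ("external",):
        raise ValueError(f"unknown trust kind: {kind}")
    graph.setdefault(trusted, []).append((trusting, kind))
    if kind in TWO_WAY:
        graph.setdefault(trusting, []).append((trusted, kind))


def resources_reachable_from(graph: Graph, user_domain: str) -> Set[str]:
    """Domains that can grant their resources to users of user_domain."""
    reachable: Set[str] = set()
    # search state: (domain reached, whether a forest trust was crossed)
    start = (user_domain, False)
    seen = {start}
    queue = deque([start])
    while queue:
        domain, crossed = queue.popleft()
        for trusting, kind in graph.get(domain, []):
            if kind == "external":
                if domain == user_domain and not crossed:
                    reachable.add(trusting)   # usable as the first hop only
                continue
            if kind == "cross-forest" and crossed:
                continue                      # no hop on to a third forest
            state = (trusting, crossed or kind == "cross-forest")
            if state in seen:
                continue
            seen.add(state)
            reachable.add(trusting)
            queue.append(state)
    reachable.discard(user_domain)
    return reachable


def demo_graph() -> Graph:
    """Constructed topology: forest corp.com with two child domains, a
    forest trust to partner.net (which itself trusts vendor.org), and an
    external trust in which legacy.local trusts sales.corp.com."""
    g: Graph = {}
    add_trust(g, "parent-child", "corp.com", "sales.corp.com")
    add_trust(g, "parent-child", "corp.com", "eu.corp.com")
    add_trust(g, "cross-forest", "corp.com", "partner.net")
    add_trust(g, "cross-forest", "partner.net", "vendor.org")
    add_trust(g, "external", "legacy.local", "sales.corp.com")
    return g
```

Running resources_reachable_from over demo_graph shows that sales.corp.com users reach legacy.local but eu.corp.com users do not (the external trust is non-transitive), and that vendor.org users reach partner.net but never corp.com.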

Page 82: Revoking a Trust Using Netdom
• Open a command prompt and type the following text
Netdom trust TrustingDomainName /d:TrustedDomainName /remove
• Press Enter
• Repeat these steps for the other end of the trust relationship

Page 83: User Principal Name (UPN)
• The name of a system user in an e-mail address format
username@domainname
• Based on Internet RFC 822

Page 84: Changing the Default Suffix for UPNs
• Open Active Directory Domains and Trusts from the Administrative Tools folder
• Right-click Active Directory Domains and Trusts and choose Properties
• Click the UPN Suffix tab, key the new suffix, and click Add
• Key more than one suffix if your forest has more than one tree and then click OK

Page 85: Summary
• Active Directory requires DNS to be installed
• Verification includes verifying DNS zones and the creation of SRV records
– Additional items, such as reverse lookups, aging, and scavenging, also should be configured.
• Application directory partitions that allow replication are automatically created when Active Directory integrated zones are configured in DNS
• Raising a forest or domain functional level is a procedure that cannot be reversed

Page 86: Summary
• Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts
• Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line
• You must be a member of the Enterprise Admins group to change or add UPN suffixes
• Raising a forest or domain functional level is a procedure that cannot be reversed
• System classes of the schema cannot be modified, but additional classes can be added. Schema classes and attributes can be added but not deleted; however, they can be deactivated

Page 87: Unit 1 Lab
• Create the First Windows 2008 stand-alone server named Server 1
• Create the Second 2008 Server by duplication
• Perform Basic Server Configuration
• Install Active Directory on Server 1 at the Server 2003 functional level for both the forest and domain and make it a forest root server using the student’s last-name.com
• Create a secondary DNS zone with another student as a partner and do a zone transfer to the partner