SlideShare a Scribd company logo

Material modulo04 asf6501(6425-a_01)

J
JSantanderQ

Here are the key features of a read-only domain controller (RODC): - Stores a read-only copy of the Active Directory database - Provides authentication services for domain users and computers - Caches user passwords and credentials to enable offline logons - Supports delegation of administrative permissions to local administrators - Enhances security by preventing direct database writes from untrusted networks - Reduces costs by deploying lightweight domain controllers in branch offices BETA COURSEWARE. EXPIRES 4/11/2008 Implementing Active Directory® Domain Services 1-17 RODC Password Replication Policy Key Points The RODC password replication policy determines which user passwords are cached on the

TechnologyBusiness
1 of 40
Downloaded 52 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Implementing Active Directory® Domain Services 1-1 Module 1 Implementing Active Directory® Domain Services Contents: Lesson 1: Installing Active Directory Domain Services 1-3 Lesson 2: Deploying Read-Only Domain Controllers 1-14 Lesson 3: Configuring AD DS Domain Controller Roles 1-22 Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-29 BETA COURSEWARE. EXPIRES 4/11/2008
1-2 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Module Overview Active Directory® Domain Services (AD DS) is installed as a server role in Windows Server® 2008. You have several choices to make when you install AD DS and run the Active Directory Installation Wizard. You must choose whether to create a new domain or add a domain controller to an existing domain. You also have the option of installing AD DS on a server running Windows Server 2008 Server Core or installing read-only domain controllers. After deploying the domain controllers, you also must manage special domain controller roles, such as the global catalog and operations masters. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-3 Lesson 1: Installing Active Directory Domain Services Windows Server 2008 provides several ways to install and configure Active Directory Domain Services. This lesson describes the standard AD DS installation, and then also describes some of the other options that are available when performing the installation. BETA COURSEWARE. EXPIRES 4/11/2008
1-4 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Requirements for Installing AD DS Key Points To install Active Directory Domain Services, the server must meet the following requirements: Windows Server 2008 operating system must be is installed. AD DS can only be installed on the following editions: • Windows Server 2008, Standard Edition • Windows Server 2008, Enterprise Edition • Windows Server 2008, Datacenter edition Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Requirements for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-5 What Are Domain and Forest Functional Levels? Key Points In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Different levels of forest and domain functionality are available, depending on domain and forest functional level. Additional Reading • Active Directory Domain Services Help: Set the domain or forest functional level • Microsoft Technet article: Appendix of Functional Level Features BETA COURSEWARE. EXPIRES 4/11/2008
1-6 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services AD DS Installation Process Key Points To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation wizard. Do this using one of the following processes: • Install the Server role by using Server Manager, and then run the installation wizard by running DCPromo or the installation wizard from Server Manager. • Run DCPromo from the Run command or a command prompt. This will install the AD DS server role and then start the installation wizard. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-7 Advanced Options for Installing AD DS Key Points Some of the Active Directory Domain Services Installation Wizard pages appear only if you select the Use advanced mode installation check box on the Welcome page of the wizard or by running DCPromo with the /adv switch. If you do not run the installation wizard in advanced mode, the wizard uses default options that apply to most configurations. Question: When would you use the advanced options mode in your organization? Additional Reading • Active Directory Domain Services Help: Use advanced mode installation • Microsoft Technet article: What's New in AD DS Installation and Removal BETA COURSEWARE. EXPIRES 4/11/2008
1-8 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS from Media Key Points Before you can use backup media as the source for installing a domain controller, use Ntdsutil.exe to create the installation media. Question: Which types of installation media will you use in your organization? Additional Reading • Microsoft Technet article: Installing AD DS from Media BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-9 Demonstration: Verifying the AD DS installation Question: What steps would you take if you noticed that the domain controller installation failed? Additional Reading • Microsoft Technet article: Verifying an AD DS Installation • Microsoft Technet article: Verifying Active Directory Installation BETA COURSEWARE. EXPIRES 4/11/2008
1-10 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Upgrading to Windows Server 2008 AD DS Key Points To install a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, complete the following steps: • If the domain controller is the first Windows Server 2008 domain controller in the forest, you must prepare the forest for Windows Server 2008 by extending the schema on the schema operations master. To extend the schema, run adprep /forestprep. The adprep tool is located on the Windows Server 2008 installation media. • If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The gpprep switch adds inheritable access control entry (ACEs) to the Group Policy Objects (GPO) that are located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the controllers in the domain. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-11 • If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master. • After you install a writeable domain controller, you can install an RODC in the Windows Server 2003 forest. Before doing this, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. If the RODC will be a global catalog server, then you must run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. By running adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest: • Microsoft Technet article: Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
1-12 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS on a Server Core Computer Key Points To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI) so you cannot run the Active Directory Domain Services installation wizard. To perform an unattended install of AD DS, use an answer file and the following syntax with the Dcpromo command: Dcpromo /answer[:filename] Where filename is the name of your answer file. Additional Reading • Microsoft Technet article: Appendix of Unattended Installation Parameters BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-13 Discussion: Common Configuration for AD DS Key Points After installing a domain controller, you may need to perform additional tasks in your environment. You can access checklists for the following common configurations for AD DS in Server Manager, under Resources and Support. Additional Reading • AD DS Help: Common Configurations for Active Directory Domain Services BETA COURSEWARE. EXPIRES 4/11/2008
1-14 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Lesson 2: Deploying Read-Only Domain Controllers One of the important new features in Windows Server 2008 is the option to use read-only domain controllers (RODCs). RODCs provide all of the functionality that clients require while providing additional security for domain controllers deployed in branch offices. When configuring RODCs, you can specify which user account passwords will be cached on the server and configure delegated administrative permissions for the domain controller. This lesson describes how to install and configure RODCs. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-15 What Is a Read-Only Domain Controller? Key Points An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy that the RODC stores, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC. Additional Reading • Microsoft Technet article: AD DS: Read-Only Domain Controllers BETA COURSEWARE. EXPIRES 4/11/2008
1-16 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Read-Only Domain Controller Features Key Points See the list on the slide. Additional Reading • Microsoft Technet article: AD DS: Read-Only Domain Controllers • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-17 Preparing to Install the RODC Key Points Before you can install an RODC, you must prepare the AD DS environment by completing the following steps: • Configure the domain and forest functional level • Plan for Windows Server 2008 domain controller availability • Prepare the forest and domain Additional Reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: AD DS: Read-Only Domain Controllers • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
1-18 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing the RODC Key Points The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However there are a few extra steps. Additional Reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-19 Delegating the RODC Installation Key Points You can delegate the installation of an RODC by performing a two stage installation. Question: What are the benefits of delegating an RODC installation? Additional reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: AD DS: Read-Only Domain Controllers: • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: BETA COURSEWARE. EXPIRES 4/11/2008
1-20 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services What Are Password Replication Policies? Key Points When deploy an RODC, you can configure a Password Replication Policy for the RODC. The Password Replication Policy acts as an access control list (ACL) that determines if an RODC is permitted to cache a password. The Password Replication Policy lists the accounts that you are allowing explicitly to be cached and those that you are not. The passwords for any accounts are not actually cached on the RODC until after the first time the user or computer account is authenticated through the RODC. Additional Reading • AD DS Online Help: Specify Password Replication Policy BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-21 Demonstration: Configuring Administrator Role Separation and Password Replication Policies Questions: What is an alternative way to configure administrator role separation and password replication policies? Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts except for administrators and executives to be cached on both RODCs? Additional Reading • AD DS Help: Specify Password Replication Policy BETA COURSEWARE. EXPIRES 4/11/2008
1-22 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Lesson 3: Configuring AD DS Domain Controller Roles All domain controllers in a domain are essentially equal, meaning they all contain the same data and provide the same services. However, you also can assign special roles to domain controllers to provide additional services or address scenarios in which only one domain controller should provide services at any given time. This lesson describes how to configure and manage global catalog servers and operations masters. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-23 What Are Global Catalog Servers? Key Points The global catalog is a partial, read-only replica of all domain directory partitions in a forest. The global catalog is a partial replica because it includes only a limited set of attributes for each of the forest’s objects. By including only the attributes that are used the most for searching, the database of a single global catalog server can represent every object in every domain in the forest. The global catalog server hosts the global catalog and its domain information. Active Directory configures the first domain controller automatically in the forest as a global catalog server. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller. Additional Reading • Microsoft Technet article: Domain Controller Roles BETA COURSEWARE. EXPIRES 4/11/2008
1-24 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Modifying the Global Catalog Key Points Sometimes you may want to customize the global catalog server to include additional attributes. By default, for every object in the forest, the global catalog server contains an object’s most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, e- mail address, or other common properties Additional Reading • Microsoft Technet article: Domain Controller Roles (Global Catalog Partial Attribute Set section) BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-25 Demonstration: Configuring Global Catalog Servers Questions: What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server? What are reasons why you would choose to replicate an attribute to the global catalog? Additional Reading • Microsoft Technet article: To add an attribute to the global catalog BETA COURSEWARE. EXPIRES 4/11/2008
1-26 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services What Are Operations Master Roles? Key Points Active Directory is designed as a multimaster replication system. However, for certain directory operations, only a single authoritative server is required. The domain controllers that perform specific roles are known as operations masters. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Additional Reading • Microsoft Technet article: To add an attribute to the global catalog BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-27 Demonstration: Managing Operation Master Roles Questions: Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for a domain controller currently holding the role to be repaired? You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default? Additional Reading • Microsoft Technet article: Manage Operations Master Roles BETA COURSEWARE. EXPIRES 4/11/2008
1-28 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services How Windows Time Service Works Key Points The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running on a Windows Server 2008 network. The Windows Time service uses the Network Time Protocol (NTP) to ensure highly accurate time settings throughout your network. You also can integrate the Windows Time service with external time sources. Additional Reading • Microsoft Technet article: Windows Time Service Technical Reference • Microsoft Technet article: Configuring a time source for the forest BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-29 Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles Scenario: Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is preparing to deploy domain controllers in several branch offices. The Enterprise Administrator created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements. BETA COURSEWARE. EXPIRES 4/11/2008
1-30 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is now preparing to deploy domain controllers in several of the branch offices. The Enterprise Administrator has created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site. The main tasks are as follows: 1. Start 6425A-NYC-DC1 and log on as Administrator. 2. Start 6425A-NYC-SVR1 and log on as Administrator. 3. Start 6425A-NYC-SVR1 and log on as Administrator. 4. Verify the forest and domain functional level are compatible with an RODC deployment. 5. Verify the availability of a writeable domain controller running Windows Server 2008. 5. Configure the computer account settings for the RODC. Task 1: Start 6425A-NYC-DC1 and log on as Administrator • Start 6425A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-31 Task 2: Start 6425A-NYC-DC2 and log on as Administrator • Start 6425A-NYC-DC2 and log on as Administrator using the password Pa$$w0rd. Task 3: Start 6425A-NYC-SVR1 and log on as Administrator • Start 6425A-NYC-SVR1 and log on as Administrator using the password Pa$$w0rd. Task 3: Verify the forest and domain functional level are compatible with an RODC deployment 1. On NYC-DC1, open Active Directory Users and Computers. 2. Right-click WoodgroveBank.com and verify that the domain functional level and the forest functional level are set to Windows Server 2003. Task 4: Verify the availability of a writeable domain controller running Windows Server 2008 1. In Active Directory Users and Computers, check the properties for NYC-DC1. 2. Verify that the operating system name is Windows Server 2008 Enterprise. Task 5: Configure the computer account settings for the RODC 1. On NYC-SVR1, open Server Manager. 2. Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1. 3. Restart the computer. Result: At the end of this exercise, you will have verified that the domain and the computer are ready to install an RODC. BETA COURSEWARE. EXPIRES 4/11/2008
1-32 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Exercise 2: Installing and Configuring an RODC You will install the RODC server role on the Windows Server 2008 computer. To do this, you will prestage the computer account that the RODC will use. As part of the prestaging, you will configure an administrative group with permissions to install the domain controller. After the installation is complete, you will verify that the installation completed successfully. You also will configure password-replication policies for users that log on to the domain controller. The main tasks are as follows: 1. Pre-stage the computer account for the RODC. 2. Log on to TOR-DC1 as Administrator. 3. Install the RODC using the existing account. Use WoodgroveBankAxel as the account with credentials to perform the installation. 4. Verify the successful installation of the domain controller. 5. Configure a password replication policy that enables credential caching for all user accounts in Toronto. Task 1: Pre-stage the computer account for the RODC 1. On NYC-DC1, open Active Directory Users and Computers. 2. Right-click the Domain Controllers organization unit and click Pre-create Read-only Domain Controller account. 3. Complete the Active Directory Domain Services Installation Wizard using the following selections: a. Use advanced mode installation b. Use the current credentials. c. Computer name: TOR-DC1 d. Default site e. Install only the DNS and RODC options f. Delegate permission to install the RODC to Axel Delgado BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-33 Task 2: Log on to TOR-DC1 as Administrator • Log on as Administrator using the password Pa$$w0rd. Task 3: Install the RODC using the existing account. Use WoodgroveBankAxel as the account with credentials to perform the installation 1. On TOR-DC1, open a command prompt and type dcpromo /UseExistingAccount:Attach, and then press ENTER: 2. Complete the Active Directory Domain Services Installation Wizard using the following selections: a. Use advanced mode installation b. Provide Axel as the alternative credential c. Use TOR-DC1 as the computer name d. Use NYC-DC1.WoodgroveBank.com as the source domain controller e. Accept the default location for the Database, Log Files, and SYSVOL files. f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator Password 3. Reboot the computer when the installation finishes. Task 4: Verify the successful installation of the domain controller 1. After NYC-SRV1 restarts, log on as Axel with a password of Pa$$w0rd. 2. In Server Manager, verify that Active Directory Domain Services server role is installed. 3. Verify that all required services are running. 4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in the Domain Controllers organizational unit. 5. Verify that you do not have permission to add or remove domain objects. BETA COURSEWARE. EXPIRES 4/11/2008
1-34 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services 6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name. 7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created. 8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1. 9. Open Event Viewer. In the Directory Service log, locate and view a message with an event ID of 1128. This event ID verifies that a replication connection object has been created between NYC-DC1 and TOR-DC1. Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto 1. On NYC-DC1, in Active Directory Users and Computers, access the TOR- DC1 Properties dialog box. 2. Add all of the Toronto groups to the Password replication policy. Result: At the end of this exercise, you will have installed an RODC and configured the RODC password replication policy for the RODC. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-35 Exercise 3: Configuring AD DS Domain Controller Roles You will configure the RODC installed in the previous exercise as a global catalog server. You also will assign operation master roles to an additional domain controller in the domain. The main tasks are as follows: 1. Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server. 2. Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain. 3. Add the Department attribute to the global catalog. 4. Shut down all virtual machines. Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server 1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1 computer account. 2. Access the NTDS Settings, and select the Global Catalog check box. Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain 1. On NYC-DC1, in Active Directory Users and Computers, change the console’s focus to NYC-DC1.WoodgroveBank.com and then click OK. 2. Right-click WoodgroveBank.com, and then click Operations Masters. Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com. 3. On NYC-DC2, open Active Directory Domains and Trusts. Access the Operations Master settings and transfer the domain naming operations master role to NYC-DC2. BETA COURSEWARE. EXPIRES 4/11/2008
1-36 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Task 3: Add the Department attribute to the global catalog 1. On NYC-DC1, use the regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in. 2. Create a new MMC and add the Active Directory Schema snap-in. 3. In the Active Directory Schema, access the Department attribute and configure the attribute to replicate to the Global Catalog. Task 4: Shut down all virtual machines and discard any changes Result: At the end of this exercise, you will have configured a global catalog server and configure AD DS domain controller roles. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-37 Module Review and Takeaways Review Questions 1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment? 2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller? A. Windows Server 2008 Web Edition, NTFS files system, 1 gigabyte (GB) free hard disk space, TCP/IP. B. Windows Server 2008 Enterprise Edition, NTFS files system, 500 megabyte (MB) free hard disk space, TCP/IP. BETA COURSEWARE. EXPIRES 4/11/2008
1-38 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services C. Windows Server 2008 Server Core Enterprise Edition, NTFS files system, 1GB free hard disk space, TCP/IP. D. Windows Server 2008 Standard Edition, NTFS files system, 500 MB free hard disk space, TCP/IP. 3. You are deploying an RODC in branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this? How would you configure the password replication policy? 4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process? 5. Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario. 6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server? Considerations Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles: • You can install the AD DS Server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition. • Consider installing a RODC on a Windows Server 2008 Server Core computer to provide additional security for your domain environment. • To install AD DS on a Server Core computer, you must use an unattended installation. • Plan the password replication policies carefully in your organization. If you enable credential caching for most of the accounts in your domain, you will increase the impact to your organization if the RODC is compromised. If you do not enable any credential caching, you increase the impact to the branch office location if the WAN link to the main office is not available. BETA COURSEWARE. EXPIRES 4/11/2008
Implementing Active Directory® Domain Services 1-39 • In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog in a remote office also increases the network utilized for replication. • Operation master roles provide important services on a network but the services are not usually time critical. Most of the time, if a domain controller holding an operation master role fails, you do not immediately need to seize the role to another domain controller if the failed server can be repaired within a few hours. BETA COURSEWARE. EXPIRES 4/11/2008
BETA COURSEWARE. EXPIRES 4/11/2008

More Related Content

PDF
Material modulo01 asf6501(6419-a_01)
JSantanderQ
 
PDF
Material modulo03 asf6501(6425-b_02)
JSantanderQ
 
PDF
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
PPT
Mcts chapter 4
Sadegh Nakhjavani
 
PPTX
Windows Server 2008 Active Directory
anilinvns
 
PDF
MCITP
Naqib Khan
 
PPTX
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
PDF
Microsoft Solution Proposal with AD, Exchange & SC--Bill of Materials
Shahab Al Yamin Chawdhury
 
Material modulo01 asf6501(6419-a_01)
JSantanderQ
 
Material modulo03 asf6501(6425-b_02)
JSantanderQ
 
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
Mcts chapter 4
Sadegh Nakhjavani
 
Windows Server 2008 Active Directory
anilinvns
 
MCITP
Naqib Khan
 
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
Microsoft Solution Proposal with AD, Exchange & SC--Bill of Materials
Shahab Al Yamin Chawdhury
 

What's hot (20)

PDF
เอกสาร แนวทาง การอินติเกรท Mac OS X เข้ากับ ระบบ Active Directory อย่างไร Bes...
Tũi Wichets
 
PPT
Windows Server 2008 Active Directory Guide
webhostingguy
 
PPTX
Introduction_of_ADDS
Harsh Sethi
 
PPT
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
PDF
Windows Server 2008 Active Directory Components
Tũi Wichets
 
PPT
70 640 Lesson05 Ppt 041009
Coffeyville Community College
 
PPT
Active Directory
Sandeep Kapadane
 
PDF
Server 2008 r2 ppt
Raj Solanki
 
PDF
Active Directory Proposal
MJ Ferdous
 
PPT
70 640 Lesson02 Ppt 041009
Coffeyville Community College
 
PPT
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
PPT
Mcts chapter 6
Sadegh Nakhjavani
 
PPT
70 640 Lesson01 Ppt 041009
Coffeyville Community College
 
PDF
Mcitp course details
cisco training
 
PPTX
Active directory ds ws2008 r2
MICTT Palma
 
PPT
70 640 Lesson08 Ppt 041009
Coffeyville Community College
 
PPTX
Designing the active directory logical structure
John Carlo Catacutan
 
PPT
70 640 Lesson06 Ppt 041009
Coffeyville Community College
 
PPT
Active directory ii
deshvikas
 
PPTX
Windows Server 2012 Managing Active Directory Domain
Napoleon NV
 
เอกสาร แนวทาง การอินติเกรท Mac OS X เข้ากับ ระบบ Active Directory อย่างไร Bes...
Tũi Wichets
 
Windows Server 2008 Active Directory Guide
webhostingguy
 
Introduction_of_ADDS
Harsh Sethi
 
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
Windows Server 2008 Active Directory Components
Tũi Wichets
 
70 640 Lesson05 Ppt 041009
Coffeyville Community College
 
Active Directory
Sandeep Kapadane
 
Server 2008 r2 ppt
Raj Solanki
 
Active Directory Proposal
MJ Ferdous
 
70 640 Lesson02 Ppt 041009
Coffeyville Community College
 
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
Mcts chapter 6
Sadegh Nakhjavani
 
70 640 Lesson01 Ppt 041009
Coffeyville Community College
 
Mcitp course details
cisco training
 
Active directory ds ws2008 r2
MICTT Palma
 
70 640 Lesson08 Ppt 041009
Coffeyville Community College
 
Designing the active directory logical structure
John Carlo Catacutan
 
70 640 Lesson06 Ppt 041009
Coffeyville Community College
 
Active directory ii
deshvikas
 
Windows Server 2012 Managing Active Directory Domain
Napoleon NV
 
Ad

Viewers also liked (11)

PPTX
biubon step
iAND
 
PDF
Unix
Srinath Dhayalamoorthy
 
DOC
6419 a configuring, managing and maintaining windows server 2008 servers
bestip
 
PPT
Library system
Iffat Anjum
 
ODP
WeFiLab(A Web-Based WiFi Laboratory Platform for Wireless Networking Education)
Nishan Shetty
 
PPT
Module 4 sharing files by using windows 7
xeroxk
 
PPT
70 271 Stu Chap05
Gene Carboni
 
PPT
IT103 Microsoft Windows XP/OS Chap07
blusmurfydot1
 
PPT
70 271 Stu Chap03
Gene Carboni
 
PPT
IT109 Microsoft Windows 7 Operating Systems Unit 01
blusmurfydot1
 
PPT
IT109 Microsoft Operating Systems Unit 05 lesson 06
blusmurfydot1
 
biubon step
iAND
 
Unix
Srinath Dhayalamoorthy
 
6419 a configuring, managing and maintaining windows server 2008 servers
bestip
 
Library system
Iffat Anjum
 
WeFiLab(A Web-Based WiFi Laboratory Platform for Wireless Networking Education)
Nishan Shetty
 
Module 4 sharing files by using windows 7
xeroxk
 
70 271 Stu Chap05
Gene Carboni
 
IT103 Microsoft Windows XP/OS Chap07
blusmurfydot1
 
70 271 Stu Chap03
Gene Carboni
 
IT109 Microsoft Windows 7 Operating Systems Unit 01
blusmurfydot1
 
IT109 Microsoft Operating Systems Unit 05 lesson 06
blusmurfydot1
 
Ad

Similar to Material modulo04 asf6501(6425-a_01) (20)

PPT
active-directory-domain-services
202066
 
PPTX
Windows server 2008 active directory
Raghu nath
 
PPTX
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
RodrigoOrtz4
 
PPTX
Microsoft Offical Course 20410C_02
gameaxt
 
PPTX
Module 2- introduction to Active Directory Domain Servics.pptx
HassanAhmadAbubakar1
 
PDF
Case Project 12-2 Devising an AD DS Design with RODC, AD RMS, and A.pdf
Amansupan
 
PPTX
Install a new windows server 2008 r2 forest
Raghu nath
 
PPTX
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
PPTX
Ad ds ws2008 r2
MICTT Palma
 
PPTX
Installing And configuring active directory .pptx
tallawanbealynne
 
PPTX
Active Directory 2008 R2 Updates
Amit Gatenyo
 
PPTX
teste
mvpjordao
 
PPTX
Setting up computer servers (sucs)
Melchor Maravillas
 
DOC
Adds domain upgrade
Budiyanto Raharja
 
PPTX
MCSA 70-412 Chapter 04
Computer Networking
 
PPTX
03 Active Directory Domain Services.pptx
kebimesay23
 
PPTX
server configuration concepts in system admin
sdsm2
 
DOCX
Windows sever 2008
Harish Konala
 
DOCX
Ctive directory interview question and answers
sankar palla
 
DOC
6416 c updating your network infrastructure and active directory technology...
bestip
 
active-directory-domain-services
202066
 
Windows server 2008 active directory
Raghu nath
 
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
RodrigoOrtz4
 
Microsoft Offical Course 20410C_02
gameaxt
 
Module 2- introduction to Active Directory Domain Servics.pptx
HassanAhmadAbubakar1
 
Case Project 12-2 Devising an AD DS Design with RODC, AD RMS, and A.pdf
Amansupan
 
Install a new windows server 2008 r2 forest
Raghu nath
 
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
Ad ds ws2008 r2
MICTT Palma
 
Installing And configuring active directory .pptx
tallawanbealynne
 
Active Directory 2008 R2 Updates
Amit Gatenyo
 
teste
mvpjordao
 
Setting up computer servers (sucs)
Melchor Maravillas
 
Adds domain upgrade
Budiyanto Raharja
 
MCSA 70-412 Chapter 04
Computer Networking
 
03 Active Directory Domain Services.pptx
kebimesay23
 
server configuration concepts in system admin
sdsm2
 
Windows sever 2008
Harish Konala
 
Ctive directory interview question and answers
sankar palla
 
6416 c updating your network infrastructure and active directory technology...
bestip
 

Recently uploaded (20)

PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
A Presentation on Artificial Intelligence
memembruh336
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Cloud computing and distributed systems.
kkkkkhan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

Material modulo04 asf6501(6425-a_01)

  • 1. Implementing Active Directory® Domain Services 1-1 Module 1 Implementing Active Directory® Domain Services Contents: Lesson 1: Installing Active Directory Domain Services 1-3 Lesson 2: Deploying Read-Only Domain Controllers 1-14 Lesson 3: Configuring AD DS Domain Controller Roles 1-22 Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-29 BETA COURSEWARE. EXPIRES 4/11/2008
  • 2. 1-2 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Module Overview Active Directory® Domain Services (AD DS) is installed as a server role in Windows Server® 2008. You have several choices to make when you install AD DS and run the Active Directory Installation Wizard. You must choose whether to create a new domain or add a domain controller to an existing domain. You also have the option of installing AD DS on a server running Windows Server 2008 Server Core or installing read-only domain controllers. After deploying the domain controllers, you also must manage special domain controller roles, such as the global catalog and operations masters. BETA COURSEWARE. EXPIRES 4/11/2008
  • 3. Implementing Active Directory® Domain Services 1-3 Lesson 1: Installing Active Directory Domain Services Windows Server 2008 provides several ways to install and configure Active Directory Domain Services. This lesson describes the standard AD DS installation, and then also describes some of the other options that are available when performing the installation. BETA COURSEWARE. EXPIRES 4/11/2008
  • 4. 1-4 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Requirements for Installing AD DS Key Points To install Active Directory Domain Services, the server must meet the following requirements: Windows Server 2008 operating system must be is installed. AD DS can only be installed on the following editions: • Windows Server 2008, Standard Edition • Windows Server 2008, Enterprise Edition • Windows Server 2008, Datacenter edition Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Requirements for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 5. Implementing Active Directory® Domain Services 1-5 What Are Domain and Forest Functional Levels? Key Points In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Different levels of forest and domain functionality are available, depending on domain and forest functional level. Additional Reading • Active Directory Domain Services Help: Set the domain or forest functional level • Microsoft Technet article: Appendix of Functional Level Features BETA COURSEWARE. EXPIRES 4/11/2008
  • 6. 1-6 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services AD DS Installation Process Key Points To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation wizard. Do this using one of the following processes: • Install the Server role by using Server Manager, and then run the installation wizard by running DCPromo or the installation wizard from Server Manager. • Run DCPromo from the Run command or a command prompt. This will install the AD DS server role and then start the installation wizard. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 7. Implementing Active Directory® Domain Services 1-7 Advanced Options for Installing AD DS Key Points Some of the Active Directory Domain Services Installation Wizard pages appear only if you select the Use advanced mode installation check box on the Welcome page of the wizard or by running DCPromo with the /adv switch. If you do not run the installation wizard in advanced mode, the wizard uses default options that apply to most configurations. Question: When would you use the advanced options mode in your organization? Additional Reading • Active Directory Domain Services Help: Use advanced mode installation • Microsoft Technet article: What's New in AD DS Installation and Removal BETA COURSEWARE. EXPIRES 4/11/2008
  • 8. 1-8 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS from Media Key Points Before you can use backup media as the source for installing a domain controller, use Ntdsutil.exe to create the installation media. Question: Which types of installation media will you use in your organization? Additional Reading • Microsoft Technet article: Installing AD DS from Media BETA COURSEWARE. EXPIRES 4/11/2008
  • 9. Implementing Active Directory® Domain Services 1-9 Demonstration: Verifying the AD DS installation Question: What steps would you take if you noticed that the domain controller installation failed? Additional Reading • Microsoft Technet article: Verifying an AD DS Installation • Microsoft Technet article: Verifying Active Directory Installation BETA COURSEWARE. EXPIRES 4/11/2008
  • 10. 1-10 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Upgrading to Windows Server 2008 AD DS Key Points To install a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, complete the following steps: • If the domain controller is the first Windows Server 2008 domain controller in the forest, you must prepare the forest for Windows Server 2008 by extending the schema on the schema operations master. To extend the schema, run adprep /forestprep. The adprep tool is located on the Windows Server 2008 installation media. • If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The gpprep switch adds inheritable access control entry (ACEs) to the Group Policy Objects (GPO) that are located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the controllers in the domain. BETA COURSEWARE. EXPIRES 4/11/2008
  • 11. Implementing Active Directory® Domain Services 1-11 • If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master. • After you install a writeable domain controller, you can install an RODC in the Windows Server 2003 forest. Before doing this, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. If the RODC will be a global catalog server, then you must run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. By running adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest: • Microsoft Technet article: Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 12. 1-12 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS on a Server Core Computer Key Points To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI) so you cannot run the Active Directory Domain Services installation wizard. To perform an unattended install of AD DS, use an answer file and the following syntax with the Dcpromo command: Dcpromo /answer[:filename] Where filename is the name of your answer file. Additional Reading • Microsoft Technet article: Appendix of Unattended Installation Parameters BETA COURSEWARE. EXPIRES 4/11/2008
  • 13. Implementing Active Directory® Domain Services 1-13 Discussion: Common Configuration for AD DS Key Points After installing a domain controller, you may need to perform additional tasks in your environment. You can access checklists for the following common configurations for AD DS in Server Manager, under Resources and Support. Additional Reading • AD DS Help: Common Configurations for Active Directory Domain Services BETA COURSEWARE. EXPIRES 4/11/2008
  • 14. 1-14 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Lesson 2: Deploying Read-Only Domain Controllers One of the important new features in Windows Server 2008 is the option to use read-only domain controllers (RODCs). RODCs provide all of the functionality that clients require while providing additional security for domain controllers deployed in branch offices. When configuring RODCs, you can specify which user account passwords will be cached on the server and configure delegated administrative permissions for the domain controller. This lesson describes how to install and configure RODCs. BETA COURSEWARE. EXPIRES 4/11/2008
  • 15. Implementing Active Directory® Domain Services 1-15 What Is a Read-Only Domain Controller? Key Points An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy that the RODC stores, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC. Additional Reading • Microsoft Technet article: AD DS: Read-Only Domain Controllers BETA COURSEWARE. EXPIRES 4/11/2008
  • 16. 1-16 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Read-Only Domain Controller Features Key Points See the list on the slide. Additional Reading • Microsoft Technet article: AD DS: Read-Only Domain Controllers • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
  • 17. Implementing Active Directory® Domain Services 1-17 Preparing to Install the RODC Key Points Before you can install an RODC, you must prepare the AD DS environment by completing the following steps: • Configure the domain and forest functional level • Plan for Windows Server 2008 domain controller availability • Prepare the forest and domain Additional Reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: AD DS: Read-Only Domain Controllers • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
  • 18. 1-18 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing the RODC Key Points The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However there are a few extra steps. Additional Reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3 BETA COURSEWARE. EXPIRES 4/11/2008
  • 19. Implementing Active Directory® Domain Services 1-19 Delegating the RODC Installation Key Points You can delegate the installation of an RODC by performing a two stage installation. Question: What are the benefits of delegating an RODC installation? Additional reading • AD DS Help: Delegate read-only domain controller installation and administration • Microsoft Technet article: AD DS: Read-Only Domain Controllers: • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: BETA COURSEWARE. EXPIRES 4/11/2008
  • 20. 1-20 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services What Are Password Replication Policies? Key Points When deploy an RODC, you can configure a Password Replication Policy for the RODC. The Password Replication Policy acts as an access control list (ACL) that determines if an RODC is permitted to cache a password. The Password Replication Policy lists the accounts that you are allowing explicitly to be cached and those that you are not. The passwords for any accounts are not actually cached on the RODC until after the first time the user or computer account is authenticated through the RODC. Additional Reading • AD DS Online Help: Specify Password Replication Policy BETA COURSEWARE. EXPIRES 4/11/2008
  • 21. Implementing Active Directory® Domain Services 1-21 Demonstration: Configuring Administrator Role Separation and Password Replication Policies Questions: What is an alternative way to configure administrator role separation and password replication policies? Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts except for administrators and executives to be cached on both RODCs? Additional Reading • AD DS Help: Specify Password Replication Policy BETA COURSEWARE. EXPIRES 4/11/2008
  • 22. 1-22 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Lesson 3: Configuring AD DS Domain Controller Roles All domain controllers in a domain are essentially equal, meaning they all contain the same data and provide the same services. However, you also can assign special roles to domain controllers to provide additional services or address scenarios in which only one domain controller should provide services at any given time. This lesson describes how to configure and manage global catalog servers and operations masters. BETA COURSEWARE. EXPIRES 4/11/2008
  • 23. Implementing Active Directory® Domain Services 1-23 What Are Global Catalog Servers? Key Points The global catalog is a partial, read-only replica of all domain directory partitions in a forest. The global catalog is a partial replica because it includes only a limited set of attributes for each of the forest’s objects. By including only the attributes that are used the most for searching, the database of a single global catalog server can represent every object in every domain in the forest. The global catalog server hosts the global catalog and its domain information. Active Directory configures the first domain controller automatically in the forest as a global catalog server. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller. Additional Reading • Microsoft Technet article: Domain Controller Roles BETA COURSEWARE. EXPIRES 4/11/2008
  • 24. 1-24 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Modifying the Global Catalog Key Points Sometimes you may want to customize the global catalog server to include additional attributes. By default, for every object in the forest, the global catalog server contains an object’s most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, e- mail address, or other common properties Additional Reading • Microsoft Technet article: Domain Controller Roles (Global Catalog Partial Attribute Set section) BETA COURSEWARE. EXPIRES 4/11/2008
  • 25. Implementing Active Directory® Domain Services 1-25 Demonstration: Configuring Global Catalog Servers Questions: What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server? What are reasons why you would choose to replicate an attribute to the global catalog? Additional Reading • Microsoft Technet article: To add an attribute to the global catalog BETA COURSEWARE. EXPIRES 4/11/2008
  • 26. 1-26 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services What Are Operations Master Roles? Key Points Active Directory is designed as a multimaster replication system. However, for certain directory operations, only a single authoritative server is required. The domain controllers that perform specific roles are known as operations masters. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Additional Reading • Microsoft Technet article: To add an attribute to the global catalog BETA COURSEWARE. EXPIRES 4/11/2008
  • 27. Implementing Active Directory® Domain Services 1-27 Demonstration: Managing Operation Master Roles Questions: Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for a domain controller currently holding the role to be repaired? You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default? Additional Reading • Microsoft Technet article: Manage Operations Master Roles BETA COURSEWARE. EXPIRES 4/11/2008
  • 28. 1-28 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services How Windows Time Service Works Key Points The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running on a Windows Server 2008 network. The Windows Time service uses the Network Time Protocol (NTP) to ensure highly accurate time settings throughout your network. You also can integrate the Windows Time service with external time sources. Additional Reading • Microsoft Technet article: Windows Time Service Technical Reference • Microsoft Technet article: Configuring a time source for the forest BETA COURSEWARE. EXPIRES 4/11/2008
  • 29. Implementing Active Directory® Domain Services 1-29 Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles Scenario: Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is preparing to deploy domain controllers in several branch offices. The Enterprise Administrator created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements. BETA COURSEWARE. EXPIRES 4/11/2008
  • 30. 1-30 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is now preparing to deploy domain controllers in several of the branch offices. The Enterprise Administrator has created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site. The main tasks are as follows: 1. Start 6425A-NYC-DC1 and log on as Administrator. 2. Start 6425A-NYC-SVR1 and log on as Administrator. 3. Start 6425A-NYC-SVR1 and log on as Administrator. 4. Verify the forest and domain functional level are compatible with an RODC deployment. 5. Verify the availability of a writeable domain controller running Windows Server 2008. 5. Configure the computer account settings for the RODC. Task 1: Start 6425A-NYC-DC1 and log on as Administrator • Start 6425A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd. BETA COURSEWARE. EXPIRES 4/11/2008
  • 31. Implementing Active Directory® Domain Services 1-31 Task 2: Start 6425A-NYC-DC2 and log on as Administrator • Start 6425A-NYC-DC2 and log on as Administrator using the password Pa$$w0rd. Task 3: Start 6425A-NYC-SVR1 and log on as Administrator • Start 6425A-NYC-SVR1 and log on as Administrator using the password Pa$$w0rd. Task 3: Verify the forest and domain functional level are compatible with an RODC deployment 1. On NYC-DC1, open Active Directory Users and Computers. 2. Right-click WoodgroveBank.com and verify that the domain functional level and the forest functional level are set to Windows Server 2003. Task 4: Verify the availability of a writeable domain controller running Windows Server 2008 1. In Active Directory Users and Computers, check the properties for NYC-DC1. 2. Verify that the operating system name is Windows Server 2008 Enterprise. Task 5: Configure the computer account settings for the RODC 1. On NYC-SVR1, open Server Manager. 2. Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1. 3. Restart the computer. Result: At the end of this exercise, you will have verified that the domain and the computer are ready to install an RODC. BETA COURSEWARE. EXPIRES 4/11/2008
  • 32. 1-32 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Exercise 2: Installing and Configuring an RODC You will install the RODC server role on the Windows Server 2008 computer. To do this, you will prestage the computer account that the RODC will use. As part of the prestaging, you will configure an administrative group with permissions to install the domain controller. After the installation is complete, you will verify that the installation completed successfully. You also will configure password-replication policies for users that log on to the domain controller. The main tasks are as follows: 1. Pre-stage the computer account for the RODC. 2. Log on to TOR-DC1 as Administrator. 3. Install the RODC using the existing account. Use WoodgroveBankAxel as the account with credentials to perform the installation. 4. Verify the successful installation of the domain controller. 5. Configure a password replication policy that enables credential caching for all user accounts in Toronto. Task 1: Pre-stage the computer account for the RODC 1. On NYC-DC1, open Active Directory Users and Computers. 2. Right-click the Domain Controllers organization unit and click Pre-create Read-only Domain Controller account. 3. Complete the Active Directory Domain Services Installation Wizard using the following selections: a. Use advanced mode installation b. Use the current credentials. c. Computer name: TOR-DC1 d. Default site e. Install only the DNS and RODC options f. Delegate permission to install the RODC to Axel Delgado BETA COURSEWARE. EXPIRES 4/11/2008
  • 33. Implementing Active Directory® Domain Services 1-33 Task 2: Log on to TOR-DC1 as Administrator • Log on as Administrator using the password Pa$$w0rd. Task 3: Install the RODC using the existing account. Use WoodgroveBankAxel as the account with credentials to perform the installation 1. On TOR-DC1, open a command prompt and type dcpromo /UseExistingAccount:Attach, and then press ENTER: 2. Complete the Active Directory Domain Services Installation Wizard using the following selections: a. Use advanced mode installation b. Provide Axel as the alternative credential c. Use TOR-DC1 as the computer name d. Use NYC-DC1.WoodgroveBank.com as the source domain controller e. Accept the default location for the Database, Log Files, and SYSVOL files. f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator Password 3. Reboot the computer when the installation finishes. Task 4: Verify the successful installation of the domain controller 1. After NYC-SRV1 restarts, log on as Axel with a password of Pa$$w0rd. 2. In Server Manager, verify that Active Directory Domain Services server role is installed. 3. Verify that all required services are running. 4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in the Domain Controllers organizational unit. 5. Verify that you do not have permission to add or remove domain objects. BETA COURSEWARE. EXPIRES 4/11/2008
  • 34. 1-34 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services 6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name. 7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created. 8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1. 9. Open Event Viewer. In the Directory Service log, locate and view a message with an event ID of 1128. This event ID verifies that a replication connection object has been created between NYC-DC1 and TOR-DC1. Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto 1. On NYC-DC1, in Active Directory Users and Computers, access the TOR- DC1 Properties dialog box. 2. Add all of the Toronto groups to the Password replication policy. Result: At the end of this exercise, you will have installed an RODC and configured the RODC password replication policy for the RODC. BETA COURSEWARE. EXPIRES 4/11/2008
  • 35. Implementing Active Directory® Domain Services 1-35 Exercise 3: Configuring AD DS Domain Controller Roles You will configure the RODC installed in the previous exercise as a global catalog server. You also will assign operation master roles to an additional domain controller in the domain. The main tasks are as follows: 1. Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server. 2. Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain. 3. Add the Department attribute to the global catalog. 4. Shut down all virtual machines. Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server 1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1 computer account. 2. Access the NTDS Settings, and select the Global Catalog check box. Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain 1. On NYC-DC1, in Active Directory Users and Computers, change the console’s focus to NYC-DC1.WoodgroveBank.com and then click OK. 2. Right-click WoodgroveBank.com, and then click Operations Masters. Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com. 3. On NYC-DC2, open Active Directory Domains and Trusts. Access the Operations Master settings and transfer the domain naming operations master role to NYC-DC2. BETA COURSEWARE. EXPIRES 4/11/2008
  • 36. 1-36 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Task 3: Add the Department attribute to the global catalog 1. On NYC-DC1, use the regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in. 2. Create a new MMC and add the Active Directory Schema snap-in. 3. In the Active Directory Schema, access the Department attribute and configure the attribute to replicate to the Global Catalog. Task 4: Shut down all virtual machines and discard any changes Result: At the end of this exercise, you will have configured a global catalog server and configure AD DS domain controller roles. BETA COURSEWARE. EXPIRES 4/11/2008
  • 37. Implementing Active Directory® Domain Services 1-37 Module Review and Takeaways Review Questions 1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment? 2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller? A. Windows Server 2008 Web Edition, NTFS files system, 1 gigabyte (GB) free hard disk space, TCP/IP. B. Windows Server 2008 Enterprise Edition, NTFS files system, 500 megabyte (MB) free hard disk space, TCP/IP. BETA COURSEWARE. EXPIRES 4/11/2008
  • 38. 1-38 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services C. Windows Server 2008 Server Core Enterprise Edition, NTFS files system, 1GB free hard disk space, TCP/IP. D. Windows Server 2008 Standard Edition, NTFS files system, 500 MB free hard disk space, TCP/IP. 3. You are deploying an RODC in branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this? How would you configure the password replication policy? 4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process? 5. Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario. 6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server? Considerations Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles: • You can install the AD DS Server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition. • Consider installing a RODC on a Windows Server 2008 Server Core computer to provide additional security for your domain environment. • To install AD DS on a Server Core computer, you must use an unattended installation. • Plan the password replication policies carefully in your organization. If you enable credential caching for most of the accounts in your domain, you will increase the impact to your organization if the RODC is compromised. If you do not enable any credential caching, you increase the impact to the branch office location if the WAN link to the main office is not available. BETA COURSEWARE. EXPIRES 4/11/2008
  • 39. Implementing Active Directory® Domain Services 1-39 • In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog in a remote office also increases the network utilized for replication. • Operation master roles provide important services on a network but the services are not usually time critical. Most of the time, if a domain controller holding an operation master role fails, you do not immediately need to seize the role to another domain controller if the failed server can be repaired within a few hours. BETA COURSEWARE. EXPIRES 4/11/2008