Module 02
Microsoft Official Course®
Module 2 review slides
Introduction to Active Directory Domain Services
Module Overview
• Overview of AD DS
• Overview of Domain Controllers
• Installing a Domain Controller
Lesson 1: Overview of AD DS
• Overview of AD DS
• What Are AD DS Domains?
• What Are OUs?
• What Is an AD DS Forest?
• What Is the AD DS Schema?
What you need to know
The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. This module covers the structure of AD DS and its various components, such as forest, domain, and organizational units (OUs).
Overview of AD DS
AD DS is composed of both physical and logical components
Physical components
• Data store
• Domain controllers
• Global catalog server
• RODC
• Sites
Logical components
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• OUs
What you need to know
Physical components
Domain controllers: Contain copies of the AD DS database.
Data store: The file on each domain controller that stores the AD DS information.
Global catalog servers: Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
Read-only domain controllers (RODC): A special install of AD DS in a read-only form. These are often used in branch offices where security and IT support are often less advanced than in the main corporate centers.
Logical components
Partition: A section of the AD DS database. Although the database is one file named NTDS.DIT, it is viewed, managed, and replicated as if it consisted of distinct sections or instances. These are called partitions, which are also referred to as naming contexts.
Schema: Defines the list of object types and attributes that all objects in AD DS can have.
Domain: A logical, administrative boundary for users and computers.
Domain tree: A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.
Forest: A collection of domains that share a common AD DS.
Site: A collection of users, groups, and computers as defined by their physical locations. Sites are useful in planning administrative tasks such as replication of changes to the AD DS database.
OU: OUs are containers in AD DS that provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).
What Are AD DS Domains?
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database, which is continually synchronized
• The domain is the context within which user, group, and computer accounts are created
• The domain is a replication boundary
• An administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
What Are OUs?
Organizational Units
• Containers that can be used to group objects within a domain
• Create OUs to:
• Delegate administrative permissions
• Apply Group Policy
Containers are not OUs. Although they can hold objects, they cannot have GPOs linked to them, so it is necessary to move the objects that need to be managed into OUs. Examples are user accounts, computer accounts, and groups.
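The OU-versus-container distinction above, shown in PowerShell as an added example (not part of the course slides). It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that the domain adatum.com exists, and that a GPO named "Workstation Baseline" already exists; those names are placeholders.

```powershell
# Added example, not from the course slides. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules), the domain adatum.com, and an existing GPO named
# "Workstation Baseline"; all of these are placeholder names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain -Identity 'adatum.com').DistinguishedName   # DC=adatum,DC=com

# 1. Create an OU. The ADUC/ADAC wizards protect new OUs from accidental
#    deletion by default; the cmdlet needs that stated explicitly.
$ou = New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true -PassThru

# 2. OUs accept GPO links, which is one of the two reasons the slide gives for
#    creating them.
New-GPLink -Name 'Workstation Baseline' -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# 3. CN=Computers is a container, not an OU, so the same link attempt is
#    rejected. Catching the error makes the slide's point: the objects have to
#    be moved into an OU before Group Policy can manage them.
try {
    New-GPLink -Name 'Workstation Baseline' -Target "CN=Computers,$domainDn" -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Cannot link a GPO to a container: $($_.Exception.Message)"
}

# 4. Move computer accounts out of the default container into the managed OU.
Get-ADComputer -Filter 'Name -like "WKS*"' -SearchBase "CN=Computers,$domainDn" |
    Move-ADObject -TargetPath $ou.DistinguishedName
```

Delegation of administrative permissions on the new OU (the other reason the slide gives) is done separately with the Delegation of Control Wizard or an ACL tool; the script covers only the Group Policy side.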
What Is an AD DS Forest?
[Figure: a forest with forest root domain adatum.com, child domain atl.adatum.com, and tree root domain fabrikam.com]
A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The first domain that is created in the forest is called the forest root domain. The forest root domain contains a few objects that do not exist in other domains in the forest. For example, the forest root domain contains two special domain controller roles, the schema master and the domain naming master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group has full control over every domain within the forest.
What Is the AD DS Schema?
The Active Directory schema acts as a blueprint for AD DS by defining the attributes and object classes such as:
• Attributes: objectSID, sAMAccountName, location, manager, department
• Classes: User, Group, Computer, Site
The schema defines the objects that reside in the AD DS database, and defines the mandatory and optional attributes, and the syntax and the relationships between them.
Lesson 2: Overview of Domain Controllers
• What Is a Domain Controller?
• What Is the Global Catalog?
• The AD DS Logon Process
• Demonstration: Viewing the SRV Records in DNS
• What Are Operations Masters?
What Is a Domain Controller?
Domain Controllers
• Servers that host the Active Directory database (NTDS.DIT) and SYSVOL
• Kerberos authentication service and KDC services perform authentication
• Best practices:
• Availability: At least two domain controllers in a domain
• Security: RODC and BitLocker
A domain controller is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the SYSVOL folder. All domain controllers except RODCs store a read/write copy of both NTDS.DIT and the SYSVOL folder.
Domain controllers, the servers that perform the AD DS role, host the Active Directory database, SYSVOL, the Kerberos authentication service and other Active Directory services. For redundancy purposes, it is best to have at least two available domain controllers.
What Is the Global Catalog?
[Figure: a global catalog server (GC) holding the Schema and Configuration partitions, a full copy of Domain A, and the partial attribute set of Domain B, alongside ordinary domain controllers for Domain A and Domain B]
Global catalog:
• Hosts a partial attribute set for other domains in the forest
• Supports queries for objects throughout the forest
A global catalog server is a domain controller that replicates the partial attribute set for each domain in the forest. The domain controller does not need the partial attribute set for its own domain because it already has the full copy of the domain database, and only needs the changes made to other domains. That is why, in a single domain environment, making every domain controller a global catalog server adds no significant replication.
Question
Should a domain controller be a global catalog?
Answer
Every domain controller should be a global catalog. (In some extreme situations, there might be a reason not to do
so.) However, most large, distributed organizations are doing just that, so it also makes sense for less complex,
smaller organizations.
The AD DS Logon Process
The AD DS logon process:
1. User account is authenticated to DC1
2. DC1 returns TGT back to client
3. Client uses TGT to apply for access to WKS1
4. DC1 grants access to WKS1
5. Client uses TGT to apply for access to SVR1
6. DC1 returns access to SVR1
• In the first phase, the user account is authenticated to DC1.
• In the second phase, the user account applies to the domain controller for a ticket to gain authorization to connect with the local computer.
• A centralized directory service such as AD DS provides a single identity store, authentication service, and point of management for administration.
[Figure: the client exchanging tickets with DC1 to gain access to WKS1 and SVR1]
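The six steps above can be observed on a client after logon by reading the Kerberos ticket cache. The following is an added example, not course material: it parses the output of the built-in klist.exe on a domain-joined Windows client and maps each cached ticket back to the steps (the krbtgt ticket is the TGT from step 2; host and cifs tickets are the service tickets from steps 4 and 6). The weak-encryption flag is an assumption of this example, not something the slides state.

```powershell
# Added example, not from the course slides. Run on a domain-joined Windows
# client after an interactive logon; klist.exe is built into Windows.
function Get-KerberosTicketSummary {
    # klist prints one block per cached ticket, each introduced by "#n>".
    $raw = (& klist.exe) -join "`n"
    $summary = foreach ($block in ($raw -split '#\d+>')) {
        if ($block -match 'Server:\s*(\S+)') { $server = $Matches[1] } else { continue }
        $etype = if ($block -match 'KerbTicket Encryption Type:\s*([^\r\n]+)') {
            $Matches[1].Trim()
        } else { 'unknown' }
        [pscustomobject]@{
            Service = $server
            # krbtgt/<REALM> is the TGT returned in step 2; anything else is a
            # service ticket obtained with that TGT (steps 4 and 6).
            Kind    = if ($server -like 'krbtgt/*') { 'TGT (step 2)' } else { 'service ticket (steps 4/6)' }
            EncType = $etype
            # Assumption for this example: RC4/DES tickets are worth reviewing,
            # because they show a service or DC still accepting legacy crypto.
            Weak    = [bool]($etype -match 'RC4|DES')
        }
    }
    return $summary
}

Get-KerberosTicketSummary | Format-Table -AutoSize
# To force step 3/4 for the local workstation (placeholder name) and then re-run:
#   klist get host/WKS1.adatum.com
```

On a freshly logged-on client the table normally shows only the TGT and a host/ ticket for the workstation itself; the cifs/SVR1 entry from step 6 appears after the first access to a share on that server.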
Demonstration: Viewing the SRV Records in DNS
• In this demonstration, you will see how to use DNS Manager to view SRV records
I prepared this demo separately: Meer
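The same SRV records that the demonstration views in DNS Manager can be queried from PowerShell. The block below is an added example, not part of the course or the demo; it uses the built-in Resolve-DnsName cmdlet and assumes the domain name adatum.com from the lab, which is a placeholder. It goes slightly beyond the slide by covering the Kerberos, global catalog and PDC emulator records as well as the LDAP locator record.

```powershell
# Added example, not from the course slides. Queries the _msdcs SRV records that
# clients use to locate domain controllers. Domain name is a placeholder.
function Get-DomainControllerSrvRecords {
    param([Parameter(Mandatory)][string]$DomainName)

    # Record names registered by the Netlogon service on every domain controller.
    $queries = [ordered]@{
        'LDAP (DC locator)' = "_ldap._tcp.dc._msdcs.$DomainName"
        'Kerberos KDC'      = "_kerberos._tcp.dc._msdcs.$DomainName"
        'Global catalog'    = "_gc._tcp.$DomainName"
        'PDC emulator'      = "_ldap._tcp.pdc._msdcs.$DomainName"
    }

    foreach ($q in $queries.GetEnumerator()) {
        # Resolve-DnsName also returns the A records from the additional section,
        # so keep only the SRV answers.
        $records = Resolve-DnsName -Name $q.Value -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            # A missing record means clients cannot find that role via DNS.
            Write-Warning "No SRV record for $($q.Key): $($q.Value)"
            continue
        }
        foreach ($r in $records) {
            [pscustomobject]@{
                Role     = $q.Key
                Record   = $q.Value
                Target   = $r.NameTarget   # DC host name
                Port     = $r.Port         # 389 for LDAP, 88 for Kerberos, 3268 for GC
                Priority = $r.Priority
                Weight   = $r.Weight
            }
        }
    }
}

Get-DomainControllerSrvRecords -DomainName 'adatum.com' | Format-Table -AutoSize
```

A warning for the LDAP or Kerberos record on a domain with running domain controllers usually points at Netlogon not having registered its records in the zone, which is the same problem DNS Manager would show as an empty _msdcs folder.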
What Are Operations Masters?
In any multimaster replication topology, some operations must be single master
Many terms are used for single master operations in AD DS, including the following:
• Operations master (or operations master roles)
• Single master roles
• FSMOs
Roles
• Forest:
• Domain naming master
• Schema master
• Domain:
• RID master
• Infrastructure master
• PDC Emulator master
Domain Flexible Single Master Operations (FSMOs) are needed on a more regular basis than those in the forest root domain, particularly the primary domain controller (PDC) emulator.
The relative ID (RID) master provides a pool of RIDs to each domain controller. If this master is not available, eventually a domain controller will attempt to create an account and will be unable to do so. If the PDC emulator master is not available or is slow to respond, you are more likely to have issues in the domain.
You can find which domain controllers are FSMO holders by typing the following at a command prompt, and then pressing Enter:
netdom query fsmo
This lists the holders of all five FSMO roles.
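The same five role holders can be read through the ActiveDirectory module, which makes it easy to check that each holder is actually reachable, since the slide notes that an unavailable RID master or PDC emulator causes problems in the domain. The block below is an added example, not course material; it assumes the ActiveDirectory RSAT module and that it is run from a domain-joined machine.

```powershell
# Added example, not from the course slides. Assumes the ActiveDirectory module
# (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName

    # Two forest-wide roles (held in the forest root) and three per-domain roles.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $domain.RIDMaster
        'PDC emulator'          = $domain.PDCEmulator
        'Infrastructure master' = $domain.InfrastructureMaster
    }

    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role      = $r.Key
            Holder    = $r.Value
            # An unreachable holder is the condition the slide warns about.
            Reachable = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
        }
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize

# Cross-check against the command the slide gives; both should name the same servers.
netdom query fsmo
```

If the two listings disagree, or a holder is unreachable, replication or a seized role is the first thing to investigate before creating accounts or changing the schema.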
Lesson 3: Installing a Domain Controller
• Installing a Domain Controller from Server Manager
• Installing a Domain Controller on a Server Core Installation of Windows Server 2012
• Upgrading a Domain Controller
• Installing a Domain Controller by Using Install from Media
Installing a Domain Controller from Server Manager
Installing a Domain Controller on a Server Core Installation of Windows Server 2012
Use the dcpromo /unattend:"D:\answerfile.txt" command to perform the unattended installation. The following is an example of text from the answer file:
[DCINSTALL]
UserName=<The administrative account in the domain of the new domain controller>
UserDomain=<The name of the domain of the new domain controller>
Password=<The password for the UserName account>
SiteName=<The name of the AD DS site in which this domain controller will reside>
(This site must be created in advance in the Dssites.msc snap-in.)
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in which you want to add an additional domain controller>
DatabasePath="<The path of a folder on a local volume>"
LogPath="<The path of a folder on a local volume>"
SYSVOLPath="<The path of a folder on a local volume>"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=<The password for an offline administrator account>
RebootOnCompletion=yes
dcpromo.exe cannot be used in GUI format in Windows Server 2012, but can still be typed at a command prompt when doing an unattended install.
What you need to know
To install the AD DS binaries on the server, you can use Server Manager to connect remotely to the Server Core server. You can also use the Windows PowerShell command Install-WindowsFeature -Name AD-Domain-Services to install the binaries.
Once you install the AD DS binaries, you can complete the installation and configuration in one of the following four ways:
• In Server Manager, click the notification icon to complete the post-deployment configuration. This starts the configuration and setup of the domain controller.
• Run the Windows PowerShell command Install-ADDSDomainController -DomainName "Adatum.com", with other arguments as required.
• Create an answer file and run dcpromo /unattend:"D:\answerfile.txt" at a command prompt, where "D:\answerfile.txt" is the path to the answer file.
• Run dcpromo /unattend at a command prompt with the appropriate switches, for example:
dcpromo /unattend /InstallDns:yes /ConfirmGC:yes /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:"mynewdomain.com" /DatabasePath:"c:\ntds" /LogPath:"c:\ntdslogs" /sysvolp
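The PowerShell route from the list above, written out as an added example (not part of the course slides). It installs the binaries, runs the prerequisite check, and then promotes the server into the existing Adatum.com domain, passing the same settings the answer file carries (site, paths, DNS, global catalog, DSRM password). The domain, site and path values are placeholders taken from the lab; the cmdlets and parameters are the ADDSDeployment module's own.

```powershell
# Added example, not from the course slides. Run elevated on the server that is
# being promoted (works on Server Core). Domain, site and paths are placeholders.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Credentials are prompted for rather than written into a file, unlike the
# [DCINSTALL] answer file, which stores Password= and SafeModeAdminPassword= in clear text.
$cred = Get-Credential -Message 'Account with rights to add a domain controller (e.g. Adatum\Administrator)'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Answer-file key -> cmdlet parameter mapping used below:
#   ReplicaDomainDNSName -> -DomainName      SiteName    -> -SiteName
#   DatabasePath/LogPath -> -DatabasePath/-LogPath       SYSVOLPath -> -SysvolPath
#   InstallDNS=yes       -> -InstallDns      ConfirmGC=yes -> (default; -NoGlobalCatalog disables it)
#   SafeModeAdminPassword -> -SafeModeAdministratorPassword
$settings = @{
    DomainName                    = 'Adatum.com'
    Credential                    = $cred
    SiteName                      = 'Default-First-Site-Name'   # must already exist
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# Prerequisite check first: same validation the Server Manager wizard shows.
$check = Test-ADDSDomainControllerInstallation @settings
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; not promoting.'
}

# Promote as an additional (replica) domain controller; the server reboots on completion.
Install-ADDSDomainController @settings -Force
```

Splatting the settings into both cmdlets guarantees that what was validated is exactly what gets promoted; if the site name is wrong, the prerequisite check reports it before any change is made to the forest.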
Upgrading a Domain Controller
Options to upgrade AD DS to Windows Server 2012:
• In place upgrade (from Windows Server 2008 or Windows Server 2008 R2)
• Benefit: Except for the prerequisite checks, all the files and programs stay in place and there is no additional work required
• Watch for: May leave legacy files and DLLs
• Introduce a new Windows Server 2012 server into the domain and promote it to be a domain controller
• This option is usually the preferred choice
• Benefit: Result is a new server with no accumulated files and settings
• Watch for: May need additional work to migrate users' file settings
What you need to know
Upgrading to Windows Server 2012
To upgrade an AD DS domain that is running at an older Windows Server functional level to an
AD DS domain running at Windows Server 2012 functional level, you must first upgrade all
the domain controllers to the Windows Server 2012 operating system. You can achieve this by
upgrading all of the existing domain controllers to Windows Server 2012, or by introducing
new domain controllers that are running Windows Server 2012, and then phasing out the
existing domain controllers.
To perform an in-place upgrade of a computer that has the AD DS role installed, you must
first use the command-line commands Adprep.exe /forestprep and Adprep.exe /domainprep
to prepare the forest and domain. An in-place operating system upgrade does not perform
automatic schema and domain preparation. Adprep.exe is included on the installation media
in the \Support\Adprep folder. There are no additional configuration steps after that point,
and you can continue to run the Windows Server 2012 operating system upgrade.
When you promote a Windows Server 2012 server to be a domain controller in an existing
domain, and if you are logged in as a member of the Schema Admins and Enterprise Admins
groups, the AD DS schema will be updated automatically to Windows Server 2012. In this
scenario, you do not need to run the Adprep.exe commands before starting the installation.
What you need to know
Deploying Windows Server 2012 Domain Controllers
To upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012, perform the following steps:
1. Insert the installation disk for Windows Server 2012, and then run Setup.
2. After the language selection page, click Install now.
3. After the operating system selection window and the license acceptance page, in the Which type of installation do you want? window, click Upgrade: Install Windows and keep files, settings, and apps.
Note: With this type of upgrade, there is no need to preserve users' settings and reinstall applications; everything is upgraded in place. Remember to check for hardware and software compatibility before performing an upgrade.
To introduce a clean install of Windows Server 2012 as a domain controller, perform the following steps:
1. Deploy and configure a new installation of Windows Server 2012 and join it to the domain.
2. Promote the new server to be a domain controller in the domain by using Server Manager 2012 or one of the other methods described previously.
Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2 to Windows Server 2012.
Installing a Domain Controller by Using Install from Media
Lab: Installing Domain Controllers
• Exercise 1: Installing a Domain Controller
• Exercise 2: Installing a Domain Controller by Using IFM
Logon Information
Virtual machines: 20410-LON-DC1 (start first), 20410-LON-SVR1, 20410-LON-RTR, 20410-LON-SVR2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 50 minutes. Ignore this lab: instructor will provide lab.
Lab Scenario
A. Datum Corporation is a global engineering and
manufacturing company with a head office based in
London, England. An IT office and a data center are
located in London to support the London location and
other locations. A. Datum has recently deployed a
Windows Server 2012 infrastructure with Windows 8
clients.
You have been asked by your manager to install a new
domain controller in the data center to improve logon
performance. You have been asked also to create a new
domain controller for a branch office by using IFM.
Lab Review
• Why did you use Server Manager and not
dcpromo.exe when you promoted a server to be a
domain controller?
• What are the three operations masters found in
each domain?
• What are the two operations masters that are
present in a forest?
• What is the benefit of performing an Install From
Media (IFM) install of a domain controller?
Module Review and Takeaways
• Review Questions