04 Setting up Active Directory Domain Services

15/05/2013
Setting up Active Directory Domain Services
Tom Brett
CREATING A SINGLE‐DOMAIN FOREST
• Once you have Windows Server 2008 R2 installed, it’s pretty easy to create a domain: you simply run the domain controller promotion wizard (DCPromo) to promote the server to a domain controller.
• DCPromo will install (and remove when necessary) Active Directory Domain Services on servers.
• You can run DCPromo on any Windows Server product to promote it to a DC.
• DCPromo is an application that was also used in previous versions of Windows Server to install Active Directory Domain Services.
• If you promote a Windows Server 2008 R2 server to a DC, you’ll have significantly more capabilities than if you promote an older Windows Server 2000 server.
DCPromo is a wizard, which will guide you but you will still have several decision points you need to understand:
• Server configuration
• Operating system compatibility
• Deployment configuration
• Domain name
• Forest functional level
• Domain functional level
• DNS
• File locations
• DSRM administrator password
PRE DCPROMO CONFIGURATIONS
Computer name and IP address
• Before running DCPromo, you should ensure your server is properly configured.
• The two primary considerations are:
– the name of the computer
  • It’s easiest to rename a domain controller before you promote it to a DC.
  • Although it is possible to rename a domain controller using NetDom after you promote it, this frequently causes issues that are easier to just avoid.
– and the IP address
  • The domain controller should have a static IP address.
  • Although Windows Server 2008 R2 supports both IPv4 and IPv6, many companies are still using only IPv4 internally and disabling or simply not actively using IPv6.
  • Make sure you assign a static IP address for at least IPv4 to coincide with your network.
  • If you assign a static IP address for IPv4 but leave IPv6 enabled and dynamically assigned, you’ll receive an error message.
  • It is possible to complete DCPromo without statically assigning the address, but if you use DCPromo to also install DNS (a very common practice), you’ll have some issues later.
  • It’s best to assign the address before running DCPromo.
Deployment Configuration
• The deployment configuration choice allows you to identify whether you’re creating a new domain in a new forest or adding it to an existing forest.
• If you’re adding it to an existing forest, you can add another domain controller to an existing domain or create a new domain.
Naming Your Root Domain
• The very first domain in the forest is referred to as the forest root domain.
• When creating the root domain, you need to use a fully qualified domain name (FQDN).
• This will have two elements, such as Bigfirm.com or Mydomain.net.
• The second part of the name (.com and .net in the examples) is referred to as the top‐level domain name.
• Some other top‐level domain names you’ve probably seen on the Internet are .biz, .mil, .gov, .tv, and many more.
• You must use a two‐part name as your FQDN, but you don’t have to use a valid top‐level domain name that you may see on the Internet.
• You can use .hme, .home, .tst, .test, or any other name you can think of.
• Many administrators specifically try to avoid Internet top‐level domains to avoid confusion for their internal networks.
– .local is a very common top‐level name used.
Active Directory and DNS
• DNS is a requirement for Active Directory. DNS SRV records are used to locate domain controllers running specific services.
• DNS is so important to Active Directory that if Active Directory has a problem, the first thing to check is DNS.
– It’s often said that 70 percent of Active Directory problems are directly related to DNS.
– If DNS isn’t working or configured properly, Active Directory won’t be working.
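Since the SRV records are what clients use to find a DC, checking them is the quickest DNS health test. The following script is an added example (not from the handout) that queries the locator records DCPromo registers; the domain name is an assumed value, and nslookup is used because PowerShell 2.0 on 2008 R2 has no Resolve-DnsName cmdlet.

```powershell
# Added example, not from the handout: verify the DC locator SRV records for a domain.
$domain = "bigfirm.local"   # assumed domain name; replace with your forest root

# Records every AD client depends on. All three should resolve once DNS is healthy.
$records = @(
    "_ldap._tcp.dc._msdcs.$domain",      # LDAP on any domain controller
    "_kerberos._tcp.dc._msdcs.$domain",  # Kerberos KDC on any domain controller
    "_gc._tcp.$domain"                   # global catalog servers
)

function Get-SrvTarget {
    param([string]$Name)
    # Windows nslookup prints "svr hostname = <target>" for each SRV answer.
    $out = nslookup -type=SRV $Name 2>&1 | Out-String
    if ($out -match "svr hostname\s*=\s*(\S+)") { return $matches[1] }
    return $null
}

$failed = 0
foreach ($r in $records) {
    $target = Get-SrvTarget $r
    if ($target) {
        Write-Host ("OK   {0} -> {1}" -f $r, $target)
    } else {
        Write-Warning ("FAIL {0}: no SRV record returned; fix DNS before troubleshooting AD" -f $r)
        $failed++
    }
}
if ($failed -gt 0) { Write-Warning "$failed locator record(s) missing on this DNS server" }
```

Run it on the DC itself after promotion and on a client that points at that DNS server; a record that resolves on the DC but not on the client usually means the client is using a different DNS server.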
• DCPromo makes the initial installation and configuration of DNS quite simple.
• When you run DCPromo, it will recognize DNS isn’t installed and will offer to configure it for you.
• DCPromo first tries to create a delegation for the DNS server, but if DNS isn’t installed, this will fail and give an error message.
• After receiving this warning, you simply click Yes to continue, and DCPromo will install and configure DNS for you. It will create the DNS zone as an Active Directory integrated zone.
Domain Functional Levels
• DCPromo will prompt you to set the domain functional level and the forest functional level.
• Your choice for the domain functional level will be based on the operating system that your domain controllers are using.
• You can only choose a domain functional level that matches the oldest operating system running on any of your DCs.
• The available domain functional levels are the following:
– Windows Server 2000 native
– Windows Server 2003
– Windows Server 2008
– Windows Server 2008 R2
• Your choice affects future DCs too: only servers running the operating system of the chosen functional level or a later one can ever be added as DCs.
• Two important factors are worth considering:
– You can always raise the functional level to a higher level later.
– You can never lower the functional level.
• When you run DCPromo, you’ll be prompted to select the domain functional level with a dialog box
• For further information on domain functional levels, see Mastering Windows Server 2008 R2, p. 237.
Forest Functional Levels
• The forest functional level can be only as high as the lowest domain functional level in the forest.
• Just as you can raise the domain functional level later, you can also raise the forest functional level after the DC has been promoted.
• For further information on forest functional levels, see Mastering Windows Server 2008 R2, p. 239.
Locations for Files and SYSVOL
• DCPromo will prompt you for the location of different Active Directory files and the location of the SYSVOL shared folder.
• The SYSVOL shared folder is used to share information such as scripts and elements of Group Policy objects between domain controllers.
– SYSVOL must be on an NTFS drive.
• The database and log files can be located on different drives for optimization.
• The transaction log provides significant fault tolerance and recovery capabilities to the Active Directory database.
• If the server loses power in the middle of any change, Active Directory can use the log to ensure that the database is in a consistent state when the server is rebooted.
• Any changes recorded in the log are committed to the database, and any unfinished changes recorded in the log are ignored.
• From a performance perspective, it’s possible to increase the performance of your DC by moving the database and transaction log files to different drives.
Directory Services Restore Mode Password
• If you ever need to perform maintenance or restoration of Active Directory, you need to do so using Directory Services Restore Mode (DSRM).
• You can access DSRM by pressing F8 to access the Advanced Options menu.
• After selecting Directory Services Restore Mode, you’ll be prompted to log on.
• In Directory Services Restore Mode, Active Directory will not be running, so you can’t use an Active Directory account.
• Instead, you’ll use a special administrator account with a different password.
• DCPromo prompts you to set the password for the DSRM account.
• If you later want to change the DSRM password, you can use the NTDSUtil command‐line shell program to do so.
• NTDSUtil includes the Set DSRM Password command that can be used to change the DSRM password.
LAB: INSTALLING AD DS
• Open the Cloned 2008 R2 VM DC1
• Log on using an account with local administrative privileges.
• Set up a Static IP address on the server and set the computer name to DC1
– Changing IP address
  • Click Start, right‐click Network and choose Properties
  • Click Change adapter settings
  • Right‐click the connection and choose Properties
  • Double‐click the connection and choose IPv4
  • Fill in the static assignments, then click Apply, OK, etc.
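The same preparation described under “Computer name and IP address” and in the lab steps above, done from PowerShell on Windows Server 2008 R2 (netsh and WMI, since the NetTCPIP cmdlets do not exist there). This is an added example, not from the handout; the adapter name and addresses are assumed values.

```powershell
# Added example, not from the handout: prepare a server for DCPromo
# (static IPv4, DNS pointing at itself, rename to DC1) with 2008 R2 tooling.
$adapter = "Local Area Connection"   # assumed adapter name; list with: netsh interface show interface
$ip      = "192.168.10.5"            # assumed static address for DC1
$mask    = "255.255.255.0"
$gateway = "192.168.10.1"
$newName = "DC1"

# 1. Static IPv4 address. DCPromo will install DNS on this server, so the
#    preferred DNS server is the server's own address.
netsh interface ipv4 set address name="$adapter" source=static address=$ip mask=$mask gateway=$gateway
netsh interface ipv4 set dnsservers name="$adapter" source=static address=$ip primary

# 2. Confirm no enabled adapter is still on DHCP for IPv4 (DCPromo warns about
#    dynamically assigned addresses and DNS misbehaves later). WMI's DHCPEnabled
#    reflects IPv4 only; inspect IPv6 with: netsh interface ipv6 show addresses
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($c in $configs) {
    if ($c.DHCPEnabled) { Write-Warning ("Still DHCP-assigned: " + $c.Description) }
}
$configs | Select-Object Description, DHCPEnabled, IPAddress, DNSServerSearchOrder | Format-List

# 3. Rename before promotion; renaming a DC afterwards with NetDom is error-prone.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.Name -ne $newName) {
    $result = $cs.Rename($newName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }
    Write-Host "Renamed to $newName. Restart the server before running DCPromo."
}
```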
• Click Start, and enter DCPromo in the start search box.
• DCPromo checks for the installation files.
• Review the information on the Welcome page, and click Next
Advanced mode is used to set up new domains in existing forests.
• Review the information on the Operating System Compatibility page, and click Next.
• On the Choose a Deployment Configuration page, select “Create a new domain in a new forest,” Click Next
• Enter the FQDN of your domain.
• You can use any two‐part FQDN you’d like.
• DCPromo checks to make sure the name is not already in use.
• The Set Forest Functional Level page appears.
• Choose Windows Server 2008 R2 and click Next.
• Accept the default of Windows Server 2003, and click Next.
– We will be raising this level in a lab later
• The Set Domain Functional Level page appears.
• Accept the default of Windows Server 2003, and click Next.
• The system checks for DNS information.
• The Additional Domain Controller Options page appears; click Next.
– Notice that Global Catalog is also selected but dimmed, preventing it from being changed. The first domain controller in the domain must be a global catalog server.
• If there are dynamically assigned IP addresses, the following message will appear.
• Choose Yes.
• DCPromo identifies that there is no existing DNS entry available, so it asks you whether it should continue and create a DNS entry.
• Choose Yes
• The Location for Database, Log Files, and SYSVOL page will appear.
• Click Next to accept the default locations.
• On the Directory Services Restore Mode Administrator Password page, enter a password twice.
• Use Pa$$w0rd. Click Next.
• Review the information on the Summary page.
• There is a button named Export Settings.
– This will allow you to save an answer file with all the selections you just made.
– Click the Export Settings button.
• A “Save unattend file” dialog box will appear. Type DCPromoexport in the text box.
• Browse to the root of the C:\ drive, and click Save.
• At this point, you could click Next, and DCPromo will run.
• However, instead these next few steps will show you how to run the DCPromo script you just created.
• On the Summary page, click Cancel, and click Yes to confirm you want to cancel DCPromo.
• Open the file you created on the C: drive.
• These are the settings that we chose during the setup.
• Notice the SafeModeAdminPassword line doesn’t include a password.
– Type in a password after the equals sign (=) so that it looks something like this:
• SafeModeAdminPassword=Pa$$w0rd
• As a security precaution, DCPromo scrubs out the password each time you run the script.
• You will either need to set the file to read‐only or re‐enter the password before using the text file again.
• You can also remove the semicolon from RebootOnCompletion=Yes.
• This will cause the server to reboot after DCPromo completes.
• Press Ctrl+S to save the file.
• Return to the command prompt, and type in
– DCPromo.exe /unattend:c:\DCPromoexport.txt
• Press Return. DCPromo will now run unattended using the answer file.
• The installation begins
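The unattended run described above, scripted so that the DSRM password never has to be typed into the answer file by hand and the file (which holds that password in clear text) is removed once DCPromo has read it. This is an added example, not the handout’s exported file: the domain and NetBIOS names are assumed values, and the [DCInstall] keys are the ones the Export Settings button writes for a new forest on 2008 R2 (ForestLevel/DomainLevel 2 = Windows Server 2003, the lab’s default).

```powershell
# Added example, not from the handout: write the DCPromo answer file, run
# dcpromo.exe /unattend, then delete the file and reboot.
$answerFile = "C:\DCPromoexport.txt"

# Prompt for the DSRM password instead of hard-coding it in the script.
$secure = Read-Host "DSRM administrator password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Same choices as the lab wizard; names are assumed values.
$content = @"
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=bigfirm.local
DomainNetbiosName=BIGFIRM
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
; Reboot is done by this script after the answer file is removed
RebootOnCompletion=No
"@
Set-Content -Path $answerFile -Value $content -Encoding ASCII

try {
    & "$env:windir\system32\dcpromo.exe" /unattend:$answerFile
    $rc = $LASTEXITCODE   # dcpromo reports success with return codes 1 to 4
}
finally {
    # The file still documents the build even after dcpromo blanks the password.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}

if ($rc -ge 1 -and $rc -le 4) {
    Write-Host "DCPromo succeeded (code $rc); restarting to complete promotion."
    Restart-Computer -Force
} else {
    Write-Warning "DCPromo failed with code $rc; see %windir%\debug\dcpromo.log"
}
```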
• The system restarts.
• You will then be asked to log on; notice the user account.
• When you are logged in, review the roles in Server Manager.