COMP2017 – Server Administration Implementing Active Directory Objectives Installing a New Active Directory Forest Establishing and Maintaining Trust Relationships Configuring Active Directory Lightweight Directory Services Configuring a Read-Only Domain Controller MCTS Windows Server 2008 Active Directory 2 2 Installing a New Active Directory Forest The first Active Directory domain on the network is the forest root domain It needs to remain online and in place for the life of an AD installation You can add and remove child domains under it – but the forest root domain must stay in place You can create a New AD Forest by opening the Active Directory Installation Wizard using the dcpromo.exe commandline tool or from the Server Manager utility that's installed in the Administrative Tools folder Lesson 2 Installing a New Active Directory Forest On the Select Server Roles window, select Active Directory Domain Services Lesson 2 Installing a New Active Directory Forest The advantage of the Server Manager interface is that it will allow you to view other roles the server might be performing The advantage of using dcpromo will allow you to script or automate the installation process The first domain controller installed in a new Active Directory forest will hold the Flexible Single Master Operations (FSMO) roles, which are specific server roles that work together to enable the multimaster functionality of Active Directory Lesson 2 Installing a New Active Directory Forest The advantage of the Server Manager interface is that it will allow you to view other roles the server might be performing The advantage of using dcpromo will allow you to script or automate the installation process The first domain controller installed in a new Active Directory forest will hold the Flexible Single Master Operations (FSMO) roles, which are specific server roles that work together to enable the multimaster functionality of Active Directory Lesson 2 Installing a New Active Directory Forest Modifying the schema is a per Forest role because the Active Directory schema is shared among all domains in a forest The server holding the Schema Master operations role must be accessible to all domains in the forest After the initial domain controller creation, additional domain controllers can be installed and the roles can be transferred to the new domain controllers See textbook chapter 2 – pgs 25 through 30 for the detailed steps in installing a new AD Forest Lesson 2 Installing a New Active Directory Forest – Post Installation After the Active Directory installation, you should verify a number of items before you consider it complete You should verify several items before considering that the installation is complete and operational: Application directory partition creation Aging and scavenging for zones Forward lookup zones and SRV records Reverse lookup zones Lesson 2 Creating a Directory Partition Application directory partitions are used to separate forest-wide DNS information from domain-wide DNS information to control the scope of replication Information in an application partition can be configured to replicate to any domain controller in the forest, even if they are not all in the same domain This allows you to control which DNS data is replicated within a single domain or throughout the entire forest Lesson 2 Creating a Directory Partition The following points are key to understanding application directory partitions: Application directory partitions are automatically created when installing Active Directory Integrated DNS You must be a member of the Enterprise Admins group to create or modify an application directory partition If you were unable to create an application directory partition during the AD Installation Wizard, you can do so manually at a later time Lesson 2 Configuring Aging and Scavenging Aging and scavenging (not configured by default) are processes that can be used by Windows Server 2008 DNS to clean up the DNS database after DNS records become "stale" or out of date Without this process, the DNS database would require manual maintenance to prevent performance degradation and wasted disk-space See details on how to configure aging and scavenging on pages 32-33 Lesson 2 Verifying the Creation of a Forward Lookup Zone Forward lookup zones are necessary for computer hostname-to—IP address mappings, which are used for name resolution by a variety of services For example, when a user requests access to a server based on its host name, the request is passed to a DNS server to resolve the host name to an IP address Most queries are based on forward lookups See pages 33 – 34 for how to verify the creation of a forward lookup zone and records Lesson 2 Verifying Dynamic Updates For domain controllers to register their records with DNS at startup, dynamic updates must be allowed By default, when a DNS zone is Active Directory integrated, Secure Dynamic Updates are enabled. This means, a client must be authenticated before attempting to update or add information to the DNS database This prevents unwanted or unnecessary records from being added to the database, avoiding performance, space, and potential security issues Lesson 2 Creating a Reverse Lookup Zone In addition to forward lookup zones, which are automatically created by the Active Directory Installation Wizard, you should also configure a reverse lookup zone for full DNS functionality Reverse lookup zones answer queries in which a client provides an IP address and DNS resolves the IP address to a host name It is good practice to add reverse lookup zones for troubleshooting, security checks, and reverse IP queries See pages 35 – 36 for detailed how-to steps Lesson 2 Raising the Domain and Forest Functional Levels To leverage more advanced features in Active Directory, you can raise the domain and forest functional levels Domain and forest functional levels are available to provide backward compatibility with previous Windows Server operating systems Prior to raising the domain functional levels, you must verify that any previous Microsoft Windows network operating systems are NOT needed in the domain See steps on pages 37 - 38 Lesson 2 Raising the Domain and Forest Functional Levels The following are key facts and requirements for raising domain and forest functional levels: This is a one-way operation. Raising the domain and forest functional levels cannot be reversed without a complete reinstallation of the domain or forest Each domain can be handled independently, allowing a phased approach The forest functional level cannot be raised until all domains in a forest have been raised to the corresponding Domain Functional Level You must be logged on as a member of the Domain Admins group to raise the domain functional level You must be logged on as a member of the Enterprise Admins group to raise the forest functional level Lesson 2 Adding a Second Domain Controller to the Forest Root A second domain controller should be added to each domain for fault tolerance This provides some redundancy in case one of the domain controllers fails Also, because the first domain controller in the forest holds all FSMO roles, adding a second domain controller allows you to offload some of the work to another domain controller See pages 38 – 39 for detailed steps Lesson 2 Installing Active Directory on Server Core A new feature of Windows Server 2008 is Server Core which creates a minimal environment for running only specific services and roles and runs almost entirely without a graphical user interface (command mode) Server Core provides a useful way to deploy a domain controller with an extremely small security footprint, improving the security of domain controllers in branch offices or other remote environments Because there are no graphical wizards - you will need to run dcpromo from the command line using an unattended installation, which uses a specially formatted text file to specify the necessary installation options See page 40 for details Lesson 2 Removing Active Directory Removing Active Directory from a domain controller demotes that computer to a member server within an Active Directory domain You will use this to decommission older hardware or to remove Active Directory so that you can perform troubleshooting or extensive maintenance on that server See page 41 for the procedure Lesson 2 Working with Read-Only Domain Controllers Another new feature of Windows Server 2008 is the Read-Only Domain Controller (RODC) Can be used to greatly improve the security of a domain controller that's deployed in a branch office or another hard-to-secure location Read-Only Domain Controllers allow you to deploy a domain controller that will host a read-only copy of the Active Directory database. This means that an administrator will need to connect to a writeable domain controller to make any changes to Active Directory Lesson 2 Working with Read-Only Domain Controllers RODCs do not perform any outbound replication - They only accept inbound replication connections from writeable domain controllers You need to have at least one writeable Windows Server 2008 domain controller deployed in your environment, and you need to be at the Windows Server 2003 domain and forest functional levels Each RODC can be configured with its own Password Replication Policy - you can specify a particular list of user or group accounts whose password information should be stored (or cached) on a particular RODC - you can also configure specific users or groups whose password information should not be cached on an RODC See pages 43 - 47 Lesson 2 Modifying the Active Directory Schema Many applications, such as email, will require modification to add necessary objects to the Active Directory database – a key task for any Active Directory administrator Exchange, for example, adds over 1000 classes and attributes The Active Directory schema is replicated to every domain controller within a forest, which means that each Active Directory forest can only have a single schema – managed by domain controller that is assigned the Schema Master FSMO role (first domain controller installed in the forest) Lesson 2 Modifying the Active Directory Schema Schema extensions are replicated to all domain controllers in the forest and have a global effect on the modified objects and attributes. Default system classes cannot be modified, but additional classes can be added and changed Any class and attribute that you add to the schema cannot be removed; extending the schema is a one-way operation. However, beginning in Windows Server 2003, schema additions can be deactivated When the schema is modified, it triggers replication within the forest. Planning modification of the schema may require sensitivity to the time of day and the possible performance impact A certain amount of latency can be expected before all domain controllers contain consistent schema information Lesson 2 Configuring Active Directory Lightweight Directory Services Server 2008 includes a new Active Directory Lightweight Directory Services (AD LDS) role that provides developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema Each AD LDS instance has its own schema, which allows developers to create, deploy, and upgrade directory-enabled applications without worrying about the one-way nature of Active Directory schema modifications See pages 50 – 52 on how to configure AD LDS Lesson 2 Establishing and Maintaining Trust Relationships Trust relationships exist to make resource accessibility easier between domains and forests In addition to the default trust relationships that exist between parent and child domains and between root domains of domain trees within a forest, four trust types can be manually established in Windows Server 2008 Lesson 2 Establishing and Maintaining Trust Relationships Shortcut trusts - used to shorten the"tree-walking" process for users who require frequent access to resources elsewhere in the forest Cross-forest trusts - allows you to create two-way transitive trusts between separate forests. External trusts - used to configure a one-way nontransitive trust with a Windows 2000 domain or a single domain in an external organization Realm trusts - allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm, which is the UNIX equivalent to an Active Directory domain allowing centralized user and password administration on a UNIX network Lesson 2 Creating a Trust Relationship Use the Active Directory Domains and Trusts MMC snap-in to establish manual trust relationships If you have the appropriate administrative privileges in the source and target forest or domain, you can create both sides of the trust relationship To create a cross-forest trust, each forest must be able to resolve the DNS names and SRV records contained in the other forest through the use of secondary zones, stub zones, or conditional forwarding Lesson 2 Verifying a Trust Relationship After you establish a manual trust, you can verify the trust using either Active Directory Domains and Trusts or the netdom command-line tool Because automatic trusts are part of the default functionality provided by Active Directory, you can only use this process to verify shortcut, external, and cross-forest trusts Lesson 2 Revoking a Trust Relationship In some cases, it may be necessary to remove an established trust For example, if a corporation relinquishes its business relationship with a supplier that was trusted, you will need to revoke the trust to prevent unwanted access to network resources You can use Active Directory Domains and Trusts or netdom to revoke a trust Lesson 2 Changing the Default Suffix for User Principal Names As an organization grows due to expansion, acquisitions, mergers, and new locations, the Active Directory structure can become difficult to navigate Users needing access to more than one tree structure within the forest can find it cumbersome to recall what is contained in each domain To alleviate this confusion and provide a simple means for users to gain global access to the forest structure, Active Directory supports User Principal Names Lesson 2 Changing the Default Suffix for User Principal Names A User Principal Name (UPN) is stored in the global catalog, which allows UPNs to be available forestwide A UPN follows a naming convention that can reflect the forest root domain or another alias that you configure that follows the format of username@domainname Common practice is to configure the UPN to match the email ID of the user In larger organizations, this may mean that you will need to modify the default UPN suffix when creating users Lesson 2 Changing the Default Suffix for User Principal Names To modify the default suffix for a UPN, you must have Enterprise Administrator credentials because this is a forest-wide operation Lesson 2 Summary Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2008 machine, but the version of DNS used does need to support SRV records for Active Directory to function. Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard. Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records. Additional items, such as reverse lookups, aging, and scavenging, also should be configured. Lesson 2 Summary Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS. These partitions allow replica placement within the forest structure. System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated. Planning forest and domain functionality is dependent on the need for down-level operating system compatibility. Raising a forest or domain functional level is a procedure that cannot be reversed. Lesson 2 Summary Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts. Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line. UPNs provide a mechanism to make access to resources in multiple domains user friendly. UPNs follow a naming format similar to email addresses. You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation. Lesson 2