Configuring and Maintaining the Active Directory Infrastructure

MCTS Guide to Configuring
Microsoft Windows Server 2008
Active Directory
Chapter 10: Configuring and Maintaining
the Active Directory Infrastructure
Objectives
• Describe and configure Active Directory functional
levels
• Add and remove domains from a forest
• Configure Active Directory trusts
• Configure intrasite replication
• Work with sites
• Manage operations master roles
MCTS Windows Server 2008 Active Directory
2
Examining Active Directory Functional
Levels
• Functional levels allow for administrators to
maintain backwards compatibility, despite the
addition of new features
• Functional levels should be set at the highest version that all domain controllers on the network support
• Member servers / workstations are independent of
functional levels
Forest Functional Levels
• Forest functional level determines the features of
Active Directory that have forest-wide implications
• A Server 2008 domain controller supports the
following functional levels:
– Windows 2000
• Lacks the ability to use forest trusts and to rename a domain
– Windows 2003
• Supports all the features present in Windows 2000, plus the
following features: forest trusts, Knowledge Consistency Checker
(KCC) improvements, linked-value replication, rename a domain,
read only domain controller deployment
– Windows 2008
• All the features of 2003, but no additional features (yet)
Domain Functional Levels
• A domain can’t be configured to run at a lower functional level than the functional level of the forest
• Like forest functional levels, domain functional levels can be
raised but not lowered
• Features
– Windows 2000 Native: Universal groups, group nesting, group
conversion, Security identifier (SID) history
– Windows Server 2003: All features of Windows 2000 native, domain
controller renaming, logon timestamp replication, selective
authentication, Users and Computers container redirection
– Windows Server 2008: All features of Windows 2003, Distributed File
System replication, fine-grained password policies, interactive logon
information, Advanced Encryption Standard (AES) support
Raising the Domain Functional Level
• All domain controllers must be running a Windows
OS compatible with the desired functional level
• Functional level can be raised in Active Directory
Domains and Trusts
• Only one domain controller needs to be raised to
the new functional level; the rest will reflect the
change automatically
• Once the functional level is raised, it cannot be
reversed
Raising the Forest Functional Level
• You must be a member of the Domain Admins or
Enterprise Admins groups to raise the forest
functional level
• If raising both domain and forest functional levels,
domain functional must be raised first
• Domain functional levels must be equal or greater
than forest functional levels
• Once functional level is raised, it cannot be lowered
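Added example (not from the book): a pre-flight check for raising domain and forest functional levels that works from the raw directory values rather than the Active Directory Domains and Trusts dialog. It assumes the current level is read from msDS-Behavior-Version (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008) and each DC's OS from its operatingSystemVersion string; the DC and domain data are constructed.

```python
# Pre-flight check for a functional level raise (added example, not book code).
LEVEL_NAMES = {0: "Windows 2000", 1: "Windows Server 2003 interim",
               2: "Windows Server 2003", 3: "Windows Server 2008"}

# Highest functional level a DC with this kernel version can run at:
# operatingSystemVersion begins "5.0" (Windows 2000), "5.2" (Server 2003),
# "6.0" (Server 2008).
OS_MAX_LEVEL = {"5.0": 0, "5.2": 2, "6.0": 3}


def max_level_for_os(os_version: str) -> int:
    """Map an operatingSystemVersion such as '5.2 (3790)' to the highest
    functional level that DC supports."""
    major_minor = os_version.split()[0]
    if major_minor not in OS_MAX_LEVEL:
        raise ValueError(f"unrecognised DC operating system version: {os_version!r}")
    return OS_MAX_LEVEL[major_minor]


def check_domain_raise(dc_os_versions: dict, current: int, target: int) -> list:
    """Return the reasons the domain level cannot be raised to `target`
    (empty list = allowed). dc_os_versions maps DC name -> operatingSystemVersion."""
    problems = []
    if target <= current:
        # Levels can only go up; re-applying the same level is also pointless.
        problems.append(f"target {LEVEL_NAMES[target]} is not higher than "
                        f"current {LEVEL_NAMES[current]}")
    for dc, os_version in dc_os_versions.items():
        if max_level_for_os(os_version) < target:
            problems.append(f"{dc} runs {os_version} and cannot support "
                            f"{LEVEL_NAMES[target]}")
    return problems


def check_forest_raise(domain_levels: dict, current: int, target: int) -> list:
    """Forest rule: every domain must already be at or above the target,
    so domain levels are raised first. domain_levels maps domain -> level."""
    problems = []
    if target <= current:
        problems.append(f"target {LEVEL_NAMES[target]} is not higher than "
                        f"current {LEVEL_NAMES[current]}")
    for domain, level in domain_levels.items():
        if level < target:
            problems.append(f"domain {domain} is at {LEVEL_NAMES[level]}; "
                            f"raise it to {LEVEL_NAMES[target]} first")
    return problems


if __name__ == "__main__":
    # Constructed sample: one Windows Server 2003 DC is still in the domain,
    # so the raise to Windows Server 2008 is blocked.
    dcs = {"DC1": "6.0 (6002)", "DC2": "5.2 (3790)"}
    for reason in check_domain_raise(dcs, 2, 3):
        print("blocked:", reason)
```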
Preparing a Forest and Domain for
Windows Server 2008 with Adprep
• The Adprep command-line program prepares an
existing forest or domain for the addition of a
Windows Server 2008 domain controller
• To prepare the forest, run the adprep /forestprep
command on a Windows Server 2003 or Windows
2000 domain controller acting as the schema
master
• Then run adprep /domainprep in each domain
where you plan to add a Windows Server 2008 DC;
Windows 2000 requires adprep /domainprep
/gpprep
Preparing for a Read Only Domain
Controller
• Before you can install an RODC in an existing domain that isn’t running all Windows Server 2008 DCs, follow these steps:
– Verify the functional level is Windows Server 2003 or higher
– Prepare the forest
– Install at least one writeable DC running Windows Server 2008
– Install an RODC on a full Windows Server 2008 installation or a Server Core installation
Removing a Domain Controller
• Be aware of some potential issues
– If the DC performs any operations master roles, you must first
transfer the role to another DC
– If the DC is a global catalog server, make sure at least one
other DC is a global catalog server
– If it’s the only DC in the domain, you’ll also remove the domain
• Dcpromo is used to remove domain services
• If the server wasn’t the last DC, it will remain a
member of the domain
Removing a Domain
• Two ways to remove a domain
– Dcpromo
– Ntdsutil
• If the DC crashed or was taken offline without using
dcpromo to demote it to a regular server, you must
use Ntdsutil to remove the domain
• This process is called removing an orphaned
domain
• A metadata cleanup will remove all selected
domain data from the rest of the forest
Using the Active Directory Migration Tool
• The Active Directory Migration Tool (ADMT) allows moving
objects and restructuring Active Directory without users
losing access to network resources and has three main
types of migration
– Intraforest migration
– Interforest migration
– Migration of an NT 4.0 domain to an Active Directory domain
• Before attempting migration, you should review the Active
Directory Migration guide
• Terms used for migration planning and implementation
– SID History
– Security Translation
– Password Export Server (PES)
Configuring Active Directory Trusts
• Recall that all domains in a forest trust one another
automatically through two-way transitive trusts,
which you can’t remove
• Types of trusts you can configure
– Shortcut trust
– Forest trust
– External trust
– Realm trust
• DNS must be configured so that FQDNs of DCs in
all participating domains can be resolved
Configuring Shortcut Trusts
• A shortcut trust is a one-way or two-way transitive
trust between two domains in the same forest or
two domains in trusting forests
• Helps to reduce authorization delays between
domains
• Shortcut trusts between domains in different forests
require a forest trust to be configured
• Trusts between forests and external trusts might
require additional DNS configuration
Configuring Forest Trusts
• DNS must be configured correctly in both forest
root domains
• You must initiate the forest trust in Active Directory
Domains and Trusts from the forest root domain
• When creating a forest trust, you must specify the
type of authentication you wish to use
– Forest-wide authentication is a property of a forest trust in
which all users in a trusted forest can be authenticated to the
trusting forest
– Selective authentication enables administrators to specify users
who can authenticate to selected resources in the trusting
forest
Configuring External and Realm Trusts
• An external trust is created between domains in
different forests or between domains in a Windows
Server 2003/2008 forest and a Windows 2000
server forest or Windows NT domain
• An external trust is not transitive and is nearly
identical to creating a forest trust
• When creating a realm trust, main consideration
should be whether or not it should be transitive
Configuring Trust Properties
• The Properties dialog box of a forest trust contains three tabs
– The General tab – Provides options:
• The other domain supports Kerberos AES Encryption
• Direction of trust
• Transitivity of trust
• Validate
• Save As
– The Name Suffix Routing tab – Allows you to control which name suffixes used by the trusted forest are routed for authentication
– Authentication tab – Same options as the Outgoing Trust Authentication Level window
SID Filtering
• The sIDHistory attribute can be used for nefarious purposes to gain administrative privileges in a trusting forest
• To counter the security risk, Windows provides a
feature called SID filtering
• SID filtering causes the trusting domain to ignore
any SIDs that aren’t from the trusted domain
• SID filtering is enabled by default on external trusts
but is disabled on forest trusts
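Added example (not from the book) covering the trust types above and the SID filtering slide: it decodes the trustedDomain attribute values that Active Directory Domains and Trusts sets (trustType, trustDirection and the trustAttributes flag bits as documented in MS-ADTS) and reports each trust's kind, transitivity and whether SID filtering stands in front of the trusted domain's sIDHistory. The trust records are constructed sample data.

```python
# Trust audit from raw trustedDomain attributes (added example, not book code).
from dataclasses import dataclass

# trustAttributes flag bits (MS-ADTS)
NON_TRANSITIVE = 0x01
QUARANTINED_DOMAIN = 0x04   # SID filtering: SIDs not from the trusted domain are dropped
FOREST_TRANSITIVE = 0x08    # forest trust
CROSS_ORGANIZATION = 0x10   # selective authentication
WITHIN_FOREST = 0x20        # both domains in the same forest (shortcut or parent-child)
TREAT_AS_EXTERNAL = 0x40    # forest trust handled like an external one for SID filtering

REALM_TRUST_TYPE = 3        # trustType: 1 = NT downlevel, 2 = AD uplevel, 3 = Kerberos realm
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}


@dataclass
class TrustedDomain:
    name: str
    trust_type: int
    trust_direction: int
    trust_attributes: int


def classify(t: TrustedDomain) -> str:
    """Map the attribute bits onto the chapter's trust kinds."""
    if t.trust_type == REALM_TRUST_TYPE:
        return "realm"
    if t.trust_attributes & WITHIN_FOREST:
        return "intraforest"            # shortcut or automatic parent-child trust
    if t.trust_attributes & FOREST_TRANSITIVE:
        return "forest"
    return "external"


def is_transitive(t: TrustedDomain) -> bool:
    if classify(t) == "external":
        return False                    # external trusts are never transitive
    return not (t.trust_attributes & NON_TRANSITIVE)


def audit(trusts: list) -> list:
    """One finding per trust; 'warning' is None when nothing needs attention."""
    findings = []
    for t in trusts:
        kind = classify(t)
        filtered = bool(t.trust_attributes & QUARANTINED_DOMAIN)
        warning = None
        if kind == "external" and not filtered:
            warning = "SID filtering is disabled on this external trust"
        elif kind == "forest" and (t.trust_attributes & TREAT_AS_EXTERNAL):
            warning = "forest trust has TREAT_AS_EXTERNAL set: SID filtering is relaxed"
        findings.append({"trust": t.name, "kind": kind,
                         "direction": DIRECTION[t.trust_direction],
                         "transitive": is_transitive(t),
                         "sid_filtering": filtered, "warning": warning})
    return findings


# Constructed sample trusts seen from one forest root domain.
SAMPLE = [
    TrustedDomain("partner.example", 2, 3, QUARANTINED_DOMAIN),
    TrustedDomain("NT4DOM", 1, 2, 0),
    TrustedDomain("corp.example", 2, 3, FOREST_TRANSITIVE | TREAT_AS_EXTERNAL),
    TrustedDomain("KRB.EXAMPLE", 3, 3, NON_TRANSITIVE),
    TrustedDomain("west.contoso.example", 2, 3, WITHIN_FOREST),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```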
Configuring Intrasite Replication
• Intrasite and intersite replication use the same
basic processes to replicate Active Directory data
• Intersite replication is optimized to take slower
WAN links into account
• Intrasite replication can be initiated in one of two
ways
– Notification
– Periodic replication
• Intrasite replication involves two main components:
Knowledge Consistency Checker (KCC) and
connection objects
Knowledge Consistency Checker (KCC)
• KCC is a process that runs on every DC and, for
intrasite replication, builds a replication topology
among DCs in a site and establishes replication
partners
• The KCC on each domain controller uses data
stored in the forest-wide configuration directory
partition to create the replication topology
• The replication topology can be recalculated
manually in Active Directory Sites and Services
Connection Objects
• Connection objects define the connection parameters
between two replication partners
• Changes to intrasite connection objects are usually
unnecessary, but changes can be made in Active Directory
Sites and Services
• General tab in the Properties dialog box is the only one of interest for connection objects and contains the following fields:
– Change Schedule
– Replicate from Server
– Replicate from Site
– Replicated Naming Context(s)
– Partially Replicated Naming Context(s)
Creating Connection Objects
• You can create connection objects for intrasite
replication if you want to alter the replication
topology manually
• By default, the schedule for a new connection
object is set to every 15 minutes, but this value can
be changed
• Changing the schedule for connection objects can
be useful for troubleshooting replication problems
Checking Replication Status
• Active Directory Sites and Services can be used to
force the KCC to check the replication topology
• Repadmin.exe is a tool that will show detailed
information about connections and replication
status
• To use, type repadmin /showrepl
• Repadmin can also be used to show the partitions
being replicated by each connection object, force
replication to occur, force the KCC to recalculate
the topology, and other actions
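Added example (not from the book): a small parser for the CSV form of repadmin’s output (`repadmin /showrepl /csv`) that lists the inbound partners with consecutive failures or with no successful replication in the last 24 hours. The column names are assumed to be those of repadmin’s /csv mode; the rows below are constructed, not captured from a real forest.

```python
# Flag unhealthy replication partners from repadmin /showrepl /csv output
# (added example, not book code).
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: DC1 pulls three partitions; the Configuration partition
# from DC3 is failing (RPC status 1722) and the Schema partition is stale.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2024-03-01 08:55:10,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=corp,DC=example",Branch,DC3,RPC,4,2024-03-01 09:10:00,2024-02-28 17:30:00,1722
showrepl_INFO,HQ,DC1,"CN=Schema,CN=Configuration,DC=corp,DC=example",Branch,DC3,RPC,0,0,2024-02-20 12:00:00,0
"""


def parse_showrepl(text: str) -> list:
    """Return one dict per showrepl_INFO row, keyed by the showrepl_COLUMNS header."""
    rows, header = [], None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "showrepl_COLUMNS":
            header = row
        elif row[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, row)))
    return rows


def replication_problems(text: str, now: str, max_age_hours: int = 24) -> list:
    """Return (source DC, naming context, reason) for each partner that has
    consecutive failures or has not replicated successfully within max_age_hours.
    `now` uses repadmin's own timestamp format, e.g. '2024-03-01 10:00:00'."""
    now_dt = datetime.strptime(now, TIME_FMT)
    max_age = timedelta(hours=max_age_hours)
    problems = []
    for r in parse_showrepl(text):
        src, nc = r["Source DSA"], r["Naming Context"]
        failures = int(r["Number of Failures"])
        last_ok = r["Last Success Time"]
        if failures:
            problems.append((src, nc, f"{failures} consecutive failure(s), "
                                      f"last status {r['Last Failure Status']}"))
        elif last_ok == "0":
            # repadmin reports 0 when this partner has never replicated successfully
            problems.append((src, nc, "never replicated successfully"))
        elif now_dt - datetime.strptime(last_ok, TIME_FMT) > max_age:
            problems.append((src, nc, f"no successful replication since {last_ok}"))
    return problems


if __name__ == "__main__":
    for src, nc, reason in replication_problems(SAMPLE_CSV, "2024-03-01 10:00:00"):
        print(f"{src} -> {nc}: {reason}")
```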
Global Catalog Replication
• Global Catalog contains a partial replica of all
objects in the forest, maintains universal group
memberships, provides cross-domain logon
support, and is used to locate objects throughout
the forest
• Global catalog servers keep inbound connections
with a DC in each domain the global catalog is built
from
• Connections between global catalog servers
always include replication of the global catalog
partition
Special Replication Situations
• Most Active Directory database changes follow the
regular replication rules
• Certain changes require special processing
– Urgent replication events (trigger change notifications immediately)
• Account lockouts
• Changes to the account lockout policy
• Changes to the domain password policy
• Changes to non-security principal passwords
• Password change to a DC computer account
• Changes to the RID master DC
– User account password changes
RODC Replication
• An RODC is treated like any other domain
controller when considering replication topology
• Limitations to keep in mind
– Connection between an RODC and a writeable DC is a one-way connection
– Two RODCs can replicate with one another, as long as one
has an incoming connection with a writeable DC
– The domain directory partition can be replicated only to an
RODC from a Windows Server 2008 DC; Windows Server
2003 DCs can replicate other partitions to an RODC
– When upgrading a domain from Windows Server 2003, the first
Windows Server 2008 DC must be writeable
Creating Sites
• A site is an AD object containing domain controllers
and replication settings and is usually associated
with IP subnets and site links
• Sites are usually geographically dispersed and
connected by WAN links
• When you create a site, you’re asked to select a
site link
• DEFAULTIPSITELINK is the only choice unless
you’ve created other site links
The Significance of Subnets
• After creating a site, you must associate one or
more subnets with it
• AD uses this information in two important ways
– Placing new domain controllers in the appropriate site
– Determining which site a client computer belongs to
• If a client’s IP address doesn’t match a subnet in
any of the defined sites, communication efficiency
could degrade because the client might request
services from servers in remote sites instead of
locally
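Added example (not from the book): the most-specific-subnet lookup Active Directory performs when it maps a client’s IP address to a site, run over a constructed set of subnet objects. Clients that match no subnet are reported separately, since those are the ones that may end up requesting services from a remote site.

```python
# Client-to-site mapping by longest matching subnet (added example, not book code).
import ipaddress

# Constructed subnet objects: prefix -> siteObject (site name)
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Branch-Seattle",
    "10.20.5.0/24": "Branch-Seattle-Lab",
    "2001:db8:10::/48": "Branch-Seattle",
}


def build_subnet_table(subnets: dict) -> list:
    """Parse the subnet prefixes and order them most specific first, so the
    first matching entry is the longest prefix, as AD's site lookup requires."""
    table = [(ipaddress.ip_network(prefix, strict=True), site)
             for prefix, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip: str, table: list):
    """Return the site name for a client address, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def site_coverage_report(clients: dict, subnets: dict):
    """Map each client (name -> IP) to its site and collect the unmatched ones."""
    table = build_subnet_table(subnets)
    assigned, unmatched = {}, []
    for name, ip in clients.items():
        site = site_for_client(ip, table)
        if site is None:
            unmatched.append(name)      # candidate for a new subnet object
        else:
            assigned[name] = site
    return assigned, unmatched


if __name__ == "__main__":
    # Constructed client inventory; WS4 sits on a subnet no site claims.
    clients = {"WS1": "10.20.5.77", "WS2": "10.20.9.1",
               "WS3": "10.1.2.3", "WS4": "192.168.1.10"}
    assigned, unmatched = site_coverage_report(clients, SUBNETS)
    print(assigned)
    print("no site:", unmatched)
```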
Configuring Site Links
• Any new sites you create use the default site link,
DEFAULTIPSITELINK, for their connection with
other sites
• Additional site links can help adjust the replication
schedule according to a network’s link
characteristics
• Descriptive names should be used for site links
• A site can exist in more than one site link
Bridgehead Servers
• Intersite Topology Generator is responsible for
assigning a bridgehead server for each directory
partition in the site
• Bridgehead servers are responsible for all intersite
replication
• Bridgehead servers can be designated manually
• Repadmin /bridgeheads command can list which
DCs in a site are acting as bridgehead servers to
other sites
Intersite Transport Protocols
• Two protocols can be used to replicate between
sites
– IP
– SMTP
• IP is used by default in the DEFAULTIPSITELINK
site link and is recommended in most cases
• Simple Mail Transfer Protocol (SMTP) is used primarily for e-mail and works well for slower, less reliable, or intermittent connections
• DC can send multiple replication requests
simultaneously without waiting for the reply
Site Link Bridges
• By default, site link bridging is enabled, which
makes site links transitive
• You can change the transitive behavior of site links
by turning off site link bridging and creating site link
bridges manually
• Automatic site bridging can lead to over-utilization
of a slower WAN link
• Other reasons to create site link bridges manually:
– Control traffic through firewalls
– Accommodate partially routed network
– Reduce confusion of the KCC
The Global Catalog and Universal Group
Membership Caching
• Global catalog servers increase replication traffic
• Windows Server 2008 includes universal group
membership caching, which allows universal group
membership information to be retrieved from a
global catalog server in a different site and then
cached locally on every DC in the site and updated
every 8 hours
• Microsoft recommends placing a global catalog
server in the site when the number of accounts
exceeds 500 and the number of DCs exceeds two
Operations Master Best Practices
• If you build a new forest, the first DC installed
performs all five FSMO roles
• This is acceptable for small environments, but
larger environments may perform better if these
roles are transferred to separate servers
• Common rules for operations masters
– Unless your domain is small, transfer operations master roles
to other DCs
– Place the servers performing these roles where network
availability is high
– Designate an alternate DC for all roles
Domain Naming Master
• The domain naming master is needed when a
domain or domain controller is added or removed
from the forest
• Attempting to add or remove a domain while the
DC performing this role is down is not advisable
• When possible, the domain naming master should
be a direct replication partner with another DC
that’s also a global catalog server in the same site
Schema Master
• The schema master is needed when the Active
Directory schema is changed
• Generally, the schema master role should be
transferred to another server only when you’re
certain the original server will be down permanently
PDC Emulator
• Processes password changes for older Windows
clients (Windows 9x and NT)
• Should be placed where there is a high
concentration of users
• Shouldn’t be placed on a DC that is also a global
catalog server
RID Master
• Every Active Directory object uses an RID to create
the object’s SID
• RID Master provides these RIDs to domain
controllers
• Ideally placed with the PDC emulator because the
PDC emulator uses the RID master’s services
frequently
Infrastructure Master
• Role is most needed when many objects have
been moved or renamed
• Shouldn’t be performed by a DC that’s also a
global catalog server but should be at least in the
same site as a global catalog server
• If the Master fails, the role can be moved to
another DC if necessary
Transferring Operations Master Roles
• Transferring an operations master role means
moving the role’s function from one server to
another while the original server is still in operation
• Generally done for the following reasons:
– DC performing the role was the first DC in the forest and
therefore holds all roles
– DC performing the role is being moved to a location that isn’t
well suited for the role
– The current DC’s performance is inadequate because of the
resources the FSMO role requires
– The current DC is being taken out of service temporarily or
permanently
Seizing Operations Master Roles
• An operations master role is seized when the
current role holder is no longer online because of
some type of failure
• Seizing should never be done when the current
role holder is accessible
• Seizing is done with the ntdsutil command
Chapter Summary
• Administrators can configure functional levels on a
new domain controller to maintain backward
compatibility
• Functional levels can be raised but not lowered
• Windows Server 2008 supports three forest
functional levels: Windows 2000, Windows Server
2003, and Windows Server 2008; supported
domain functional levels have nearly identical
names
• You can raise functional levels when you install
AD, or you can raise them manually
Chapter Summary (cont.)
• Before you can install a Windows Server 2008
server as a DC in an existing Windows Server
2003 or Windows 2000 server domain, existing
domain controllers must be prepared
• Before you can install RODC in an existing domain,
the forest functional level must be at least Windows
Server 2003 or higher
• To remove a domain controller, you use dcpromo
or ntdsutil
• Use the Active Directory Migration Tool to migrate
accounts from one domain or forest to another
Chapter Summary (cont.)
• Before creating a trust of any type, DNS must be
configured so that FQDNs of domain controllers in
all participating domains can be resolved
• Some trust properties you can configure include
the trust direction and transitivity, name suffix
routing, and authentication
• Both intrasite and intersite replication use the same
basic processes to replicate Active Directory data;
the main goal is to balance data replication
timeliness and efficiency
Chapter Summary (cont.)
• A site is an Active Directory object containing domain
controllers and default settings for replication within the site
and is usually associated with one or more IP subnets and
site links
• Connection objects provide the connection and replication
parameters between two servers
• Bridgehead servers are responsible for all intersite
replication
• Universal group membership caching resolves the potential
conflict between faster logons and additional replication
traffic
• Deciding where to place the FSMO role holder is part of your
overall Active Directory design strategy