ch02 - Seneca - School of Information & Communications

Implementing Active Directory
Lesson 2
Skills Matrix
Technology Skill                                             | Objective Domain                                                     | Objective #
Installing a New Active Directory Forest                     | Configure a forest or a domain                                       | 2.1
Establishing and Maintaining Trust Relationships             | Configure trusts                                                     | 2.2
Configuring Active Directory Lightweight Directory Services  | Configure Active Directory Lightweight Directory Services (AD LDS)   | 3.1
Configuring a Read-Only Domain Controller                    | Configure the Read-Only Domain Controller (RODC)                     | 3.3
Server Manager
• Located in Administrative Tools.
– Can also be accessed by right-clicking My Computer and selecting Manage.
• Allows you to:
– Add roles such as the DNS Server or Active Directory Domain Services role.
– Perform system diagnostics.
– Configure system services.
– Drill down into specific administrative tools.
Requirements for Active Directory
• A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full version or Server Core).
• An administrator account and password on the local machine.
Requirements for Active Directory
• An NT file system (NTFS) partition for the SYSVOL folder structure.
– 200 MB minimum free space on that NTFS partition for the Active Directory database files.
– 50 MB minimum free space for the transaction log files.
• Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured.
• An authoritative DNS server for the DNS domain that supports service (SRV) resource records.
– Support for incremental zone transfers and dynamic updates is recommended.
Installing Active Directory
• To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager.
• The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
– Adding a domain controller to an existing environment.
– Creating an entirely new forest structure.
– Adding a child domain to an existing domain.
– Adding a new domain tree to an existing forest.
– Demoting domain controllers and eventually removing a domain or forest.
Choosing the Deployment Configuration
Post-Installation Tasks
• Upon completion of the Active Directory installation, you should verify a number of items:
– Application directory partition creation.
– Aging and scavenging for zones.
– Forward lookup zones and SRV records.
– Reverse lookup zones.
Application Partitions
Aging and Scavenging of DNS Records
• Aging and scavenging are processes that Windows Server 2008 DNS can use to clean up the DNS database after DNS records become “stale” or out of date.
• Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues.
DNS Records
• Make sure the Forward Lookup zone is created.
• Make sure a Host (A) record is created for your server.
• Make sure the DNS domain nodes are created:
– _msdcs
– _sites
– _tcp
– _udp
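To make the SRV-record check above concrete, here is an added example (written for this page, not part of the course slides or any Microsoft tool). It parses lines in the format of the netlogon.dns file a domain controller writes (%SystemRoot%\System32\config\netlogon.dns), and reports which locator records under _msdcs, _sites, _tcp and _udp are missing. The domain name, site name and record lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample in the zone-file syntax netlogon.dns uses; not a real DC's file.
# It deliberately omits _kerberos._tcp.dc._msdcs so the check has something to report.
SAMPLE_NETLOGON_DNS = """\
dc1.corp.example.com. 600 IN A 10.0.0.10
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._udp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
"""

# name  TTL  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_records(text):
    """Return an SrvRecord for every SRV line; other record types (A, CNAME) are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"].lower().rstrip("."), int(m["prio"]),
                                     int(m["weight"]), int(m["port"]),
                                     m["target"].lower().rstrip(".")))
    return records

def required_srv_names(domain, site="Default-First-Site-Name"):
    """Locator names (and ports) a DC must register so clients can find LDAP and Kerberos."""
    d, s = domain.lower(), site.lower()
    return {f"_ldap._tcp.{d}": 389, f"_ldap._tcp.dc._msdcs.{d}": 389,
            f"_kerberos._tcp.{d}": 88, f"_kerberos._udp.{d}": 88,
            f"_kerberos._tcp.dc._msdcs.{d}": 88, f"_ldap._tcp.{s}._sites.{d}": 389}

def missing_srv_records(text, domain, site="Default-First-Site-Name"):
    """Required names that have no SRV record on the expected port in the given file text."""
    present = {(r.name, r.port) for r in parse_srv_records(text)}
    return sorted(name for name, port in required_srv_names(domain, site).items()
                  if (name, port) not in present)
```

Run missing_srv_records() against the real netlogon.dns of a new DC, or against the output of a DNS query tool reformatted into the same line syntax, to confirm the locator records before clients depend on them.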
Domain Name System (DNS)
• Provides name resolution for a TCP/IP network.
• Active Directory requires DNS as the default name resolution method.
• Example Resource Records (RR):
– Host (A) – Host name to IP address.
– Pointer (PTR) – IP address to host name.
– Service (SRV) – Locator service for LDAP/domain controller services.
FUNCTIONS OF DNS
YOU MUST REMEMBER THESE
• DNS PROVIDES NAME RESOLUTION (BOTH FORWARD AND REVERSE NAME RESOLUTION).
• DNS FUNCTIONS AS A SERVICE LOCATOR FOR SERVICES OFFERED BY ACTIVE DIRECTORY DOMAIN CONTROLLERS.
• DNS PROVIDES A NAMING CONTEXT FOR ACTIVE DIRECTORY.
Raising the Domain Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the domain you wish to raise and select Raise Domain Functional Level.
Raising the Forest Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.
Raising the Forest Functional Level
• If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
Removing Active Directory
• Click the Start menu, key dcpromo and then press Enter.
• Use dcpromo /forceremoval to remove AD without having the DC try to synchronize any changes with replica DCs in the domain.
Schema Management Console
• Some commercial applications, such as Microsoft Exchange, will modify the schema as a part of their installation process.
• You can also extend the schema manually using the Active Directory Schema snap-in.
• To modify the schema manually, you must be a member of the Schema Admins group.
• The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master operations role.
Installing the Schema Management Snap-in
• From a command prompt, key regsvr32 schmmgmt.dll.
• Close the Command Prompt window, click Start, and then select Run.
• Key mmc /a in the dialog box and click OK.
• Click the File menu and select Add/Remove Snap-in.
Trust Relationship
• Trust relationships exist to make resource accessibility easier between domains and forests.
• Many trust relationships are established by default during the creation of the Active Directory forest structure.
• Trust relationships can be created using Active Directory Domains and Trusts from the Administrative Tools folder.
Trust Relationships
• Four trust types can be manually established in Windows Server 2008:
– Shortcut trusts - Used to shorten the “tree-walking” process for users who require frequent access to resources elsewhere in the forest.
– Cross-forest trusts - Allow you to create two-way transitive trusts between separate forests.
– External trusts - Used to configure a one-way nontransitive trust.
– Realm trusts - Allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm.
Revoking a Trust Using Netdom
• Open a command prompt and type the following text:
Netdom trust TrustingDomainName /d:TrustedDomainName /remove
• Press Enter.
• Repeat these steps for the other end of the trust relationship.
User Principal Name (UPN)
• The name of a system user in an e-mail address format:
username@domainname
• Based on Internet RFC 822.
• UPNs are stored in and resolved from the Global Catalog.
Changing the Default Suffix for User Principal Names
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click Active Directory Domains and Trusts and choose Properties.
• Click the UPN Suffix tab, key the new suffix, and click Add.
• Key more than one suffix if your forest has more than one tree, and then click OK.
SID vs GUID – are they the same? No.
• SIDs (Security IDentifiers) are used for access control. GUIDs (Globally Unique IDentifiers) are used for replication: objects are identified by their GUIDs when DCs are determining what to replicate.
• SIDs identify security principals, while GUIDs identify objects in the directory, whether or not they are security principals.
• SIDs are variable-length; GUIDs are 128 bits in length. A portion of the SID for every security principal in a given domain is the same (because it identifies the domain), whereas GUIDs are generated based on things such as the replica of the AD database in which the object was created, the time at which it was created, and so forth. SIDs, on the other hand, are simply sequentially generated within a domain and are comprised of the domain's SID and a RID (Relative IDentifier within the domain).
• All of the above refers to GUIDs in the context of AD, not hardware.
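The SID structure described above, as an added worked example (written for this page, not course material or Windows code): it parses the textual SID form, builds the binary layout stored in the directory, splits the domain SID from the RID, and contrasts the variable-length SID with a fixed 128-bit GUID. The domain SID and RIDs below are constructed sample values, not real identifiers.

```python
import struct
import uuid

# Constructed sample values (not a real domain). Every principal in this domain
# shares DOMAIN_SID; only the trailing RID differs.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
USER_SID = DOMAIN_SID + "-1105"
# RIDs that are the same in every domain (the domain part is what varies).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

def parse_sid(sid):
    """Return (revision, identifier_authority, [sub_authorities]) from 'S-1-5-21-...'."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if rev != 1 or len(subs) > 15:  # SID revision 1; at most 15 sub-authorities
        raise ValueError(f"malformed SID: {sid!r}")
    return rev, authority, subs

def sid_to_bytes(sid):
    """Binary SID: revision (1 byte), sub-authority count (1), 48-bit big-endian
    identifier authority (6), then each sub-authority as a 32-bit little-endian int."""
    rev, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def split_domain_rid(sid):
    """Split an account SID into the domain SID (S-1-5-21-x-y-z) and the RID."""
    rev, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain = f"S-{rev}-{authority}-" + "-".join(str(s) for s in subs[:-1])
    return domain, subs[-1]

def same_domain(sid_a, sid_b):
    """True when both principals carry the same domain portion."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]

def rid_name(sid):
    return WELL_KNOWN_RIDS.get(split_domain_rid(sid)[1], "(not a well-known RID)")

def compare_sizes(sid):
    """Bit length of this SID versus a freshly generated random 128-bit GUID, which
    carries no domain portion at all (uuid4 stands in for the DC-generated objectGUID)."""
    return len(sid_to_bytes(sid)) * 8, len(uuid.uuid4().bytes) * 8
```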
GUID DEFINITION AND USES
• A globally unique identifier or GUID (pronounced /ˈɡuːɪd/ or /ˈɡwɪd/) is a unique reference number used as an identifier in computer software. The term GUID is also used for Microsoft's implementation of the Universally Unique Identifier (UUID) standard.
• The value of a GUID is represented as a 32-character hexadecimal string, such as {21EC2020-3AEA-1069-A2DD-08002B30309D}, and is usually stored as a 128-bit integer. The total number of unique keys is 2^128 or 3.4×10^38, roughly 2 trillion per cubic millimeter of the entire volume of the Earth. This number is so large that the probability of the same number being generated randomly twice is extremely small.
• Database servers can use GUIDs to create unique row identifiers, solving the chicken-and-egg problem inherent with sequential row IDs.
• Microsoft Windows uses GUIDs internally to identify the classes and interfaces of COM objects. A script can activate a specific class or object without having to know the name or location of the dynamic-link library that contains it.
• Intel's GUID Partition Table (GPT), a system for partitioning hard drives.
• ActiveX, a system for downloading and installing controls in a web browser, uses GUIDs to uniquely identify each control.
• Second Life uses GUIDs for identification of all assets in its world.
Summary
• Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
• Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard.
Summary
• Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records.
– Additional items, such as reverse lookups, aging, and scavenging, should also be configured.
• Application directory partitions are automatically created when Active Directory-integrated zones are configured in DNS.
– These partitions allow replica placement within the forest structure.
Summary
• System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
• Planning forest and domain functionality is dependent on the need for down-level operating system compatibility.
– Raising a forest or domain functional level is a procedure that cannot be reversed.
Summary
• Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts.
• Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
Summary
• UPNs provide a mechanism to make access to resources in multiple domains user-friendly.
• UPNs follow a naming format similar to e-mail addresses.
• You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.