Implementing Active Directory Lesson 2. Skills Matrix Technology SkillObjective DomainObjective #...
47
Implementing Active Implementing Active Directory Directory Lesson 2
-
Upload
gerald-carter -
Category
Documents
-
view
232 -
download
0
Transcript of Implementing Active Directory Lesson 2. Skills Matrix Technology SkillObjective DomainObjective #...
Implementing Active Implementing Active DirectoryDirectory
Lesson 2
Skills MatrixSkills Matrix
Technology Skill Objective Domain Objective #
Installing a New Active Directory Forest
Configure a forest or a domain
2.1
Establishing and Maintaining Trust Relationships
Configure trusts 2.2
Configuring Active Directory Lightweight Directory Services
Configure Active Directory Lightweight Directory Services (AD LDS)
3.1
Skills MatrixSkills Matrix
Technology Skill Objective Domain Objective #
Configuring a Read-Only Domain Controller
Configure the Read-Only Domain Controller (RODC)
3.3
Lesson 2Lesson 2
Installing a New Active Directory Forest
Click the Start menu, and select Server Manager.
Click Roles, and then click Add Roles under the Roles Summary section.
Read the Before You Begin window, and click Next.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
On the Select Server Roles window, select Active Directory Domain Services.
Click Next to continue.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
Click Next after you read the Introduction to AD Domain Services window.
Click Install to begin the installation process.
After the AD DS binaries have installed, click Close.
Drill down to the Active Directory Domain Service role.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
Follow the instructions you see on the window, and click Run the Active Directory Domain Services Wizard.
Place a checkmark next to Use Advanced Mode Installation.
Click Next.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
To create the first domain controller in a new Active Directory forest, select Create a new domain in a new forest and click Next.
You are prompted to enter the domain name of the Active Directory forest root domain. Enter this information, and click Next.
Enter the NetBIOS name for the domain, and click Next.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
Select Windows Server 2003 as the forest functional level, and then click Next.
Select Windows Server 2003 as the domain functional level, and then click Next.
You can select one or more domain controller options for this domain controller. The DNS Server option is selected by default.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
Click Next without making any changes.
Click Next to continue.
Click Next to accept the default locations.
Lesson 2Lesson 2
Installing a New Active Directory Forest (cont.)
Enter a strong password, and click Next to continue.
Click Next to begin the installation process.
Lesson 2Lesson 2
Creating a Directory Partition
Open DNS from the Administrative Tools folder.
Right-click the desired DNS server, and choose Create Default Application Directory Partitions.
Follow the steps to finalize the procedure.
Lesson 2Lesson 2
Configuring Aging and Scavenging
Select the DNS tool from the Administrative Tools folder.
Right-click the desired DNS server, and click Set Aging/Scavenging for all zones.
Select the Scavenge Stale Resource Records checkbox.
Modify any other desired properties, and click Apply to save your changes.
Lesson 2Lesson 2
Configuring Aging and Scavenging (cont.)
Place a checkmark next to Apply these settings to existing Active Directory–integrated zones. Click OK to continue.
Open DNS in the Administrative Tools folder.
Right-click the desired zone, and select Properties from the submenu.
Lesson 2Lesson 2
Configuring Aging and Scavenging (cont.)
Click the General tab, and click Aging.
Select the Scavenge Stale Resource Records checkbox.
Modify any other desired properties, and click Apply to save any changes.
Lesson 2Lesson 2
Verifying the Creation of a Forward Lookup Zone
Open DNS from the Administrative Tools folder.
Under DNS, expand your server.
Expand the Forward Lookup Zones heading. You should see the currently configured forward lookup zones:
_msdcs.yourdomain.com
yourdomain.com
Lesson 2Lesson 2
Verifying Zone and Record Creation
Open DNS from the Administrative Tools folder.
Expand the desired DNS server, and expand the DNS domain you wish to view. You should see the following entries:
_msdcs
_sites
_tcp
_udp
Lesson 2Lesson 2
Verifying Zone and Record Creation (cont.)
In addition, you may see the following zones created for application directory partition information:
DomainDNSZones
ForestDNSZones
Lesson 2Lesson 2
Verifying Zone and Record Creation (cont.)
From a command prompt, key nslookup and press Enter.
Key ls -t SRV domain (replace the word domain with your domain name), and press Enter.
Lesson 2Lesson 2
Verifying that Dynamic Updates Are Selected
Right-click the desired zone, and select Properties.
View the selected type of updates for this zone. By default, if the zone is Active Directory integrated, it will be set to Secure only.
Lesson 2Lesson 2
Creating a Reverse Lookup Zone
Open DNS from the Administrative Tools folder.
Expand the desired server, and right-click Reverse Lookup Zone.
Click New Zone to begin the wizard, and then click Next to bypass the initial welcome window.
Lesson 2Lesson 2
Creating a Reverse Lookup Zone (cont.)
Select the type of zone you wish to create. If this is the first reverse lookup zone, select Primary Zone. If this zone is to be stored on a domain controller running Active Directory integrated DNS, select Store the zone in Active Directory.
Click Next to continue.
Lesson 2Lesson 2
Creating a Reverse Lookup Zone (cont.)
Select the scope of replication for this zone, and click Next to continue.
Select the option to create an IPv4 reverse lookup zone if your network uses TCP/IP version 4 as its network protocol, or select the option to create an IPv6 reverse lookup zone if you have upgraded your networking hardware to use the new TCP/IP version 6.
Lesson 2Lesson 2
Creating a Reverse Lookup Zone (cont.)
Click Next to continue.
In the Reverse Lookup Zone Name dialog box, click the Network ID option, and enter the Network ID of the reverse lookup zone. The Reverse Lookup zone name should appear in the second option field.
Click Next to continue.
Lesson 2Lesson 2
Creating a Reverse Lookup Zone (cont.)
Select the level of secure updates that should be enabled for this zone, and click Next.
Review the summary zone creation window, and click Finish to complete the process.
If you haven't enabled dynamic updates, add any necessary resource records by right-clicking on the newly created zone and selecting New Pointer (New PTR).
Lesson 2Lesson 2
Raising the Domain Functional Level
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the domain you wish to raise, and select Raise Domain Functional Level.
Lesson 2Lesson 2
Raising the Domain Functional Level (cont.)
Choose the level you wish to achieve from Select An Available Domain Functional Level, and then click Raise. You will be presented with the dialog box shown in Figure 2-15, which explains the irreversible nature of this procedure.
Click OK to acknowledge this warning, and raise the functional level of the domain.
Lesson 2Lesson 2
Raising the Forest Functional Level
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the Active Directory Domains and Trusts icon in the console tree, and select Raise Forest Functional Level.
Lesson 2Lesson 2
Raising the Forest Functional Level (cont.)
If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
Lesson 2Lesson 2
Raising the Forest Functional Level (cont.)
A warning message explaining the irreversible nature of this procedure is displayed. Click OK to acknowledge this warning and raise the functional level of the forest.
Lesson 2Lesson 2
Adding a Second Domain Controller to the Forest Root Domain
Install the server operating system. You can configure the server as a member of a workgroup or as a member server within the existing domain.
Ensure that the new domain controller can resolve SRV records within the domain that you are joining it to.
Lesson 2Lesson 2
Adding a Second Domain Controller to the Forest Root Domain (cont.)
Add the Active Directory Domain Services role to this server, and configure it as an additional domain controller in an existing domain.
Transfer single operation master roles as necessary to this server.
Lesson 2Lesson 2
Removing Active Directory
Click the Start menu, key dcpromo, and then press Enter.
Click Next to bypass the initial welcome window. If you see a message warning you that the domain controller is also a global catalog server, click OK to continue.
Click Next to continue.
Lesson 2Lesson 2
Removing Active Directory (cont.)
Enter a local administrator password for the newly demoted server in the Password field, and then enter it again in the Confirm password: field. Click Next to continue.
On the Summary window, review your choices, and click Next to begin the uninstall process.
Lesson 2Lesson 2
Installing the Schema Management Snap-in
From a command prompt, key regsvr32 schmmgmt.dll.
Close the Command Prompt window, click Start, and then select Run.
Key mmc /a in the dialog box, and click OK.
Click the File menu, and select Add/Remove Snap-in.
Lesson 2Lesson 2
Installing the Schema Management Snap-in (cont.)
Click Add to see the list of available snap-ins.
Double-click Active Directory Schema in the list.
Click Close, and click OK.
If you want to save this console for future use, click File and then click Save.
Lesson 2Lesson 2
Creating a Trust Relationship
Open Active Directory Domains and Trusts from the Administrative Tools folder.
In the console tree on the left, right-click the domain for which you wish to establish a trust, and select Properties.
Click the Trusts tab, and click New Trust to begin the New Trust Wizard. Click Next to continue.
Lesson 2Lesson 2
Creating a Trust Relationship (cont.)
On the Trust Name page, key the DNS name of the domain and click Next.
On the Trust page, select the desired trust type.
On the Direction of Trust page, select the type and direction of the desired trust. Choose Allow authentication for all resources in the local domain or Allow authentication only for selected resources in the local domain.
Lesson 2Lesson 2
Verifying a Trust Relationship Using Active Directory
In Active Directory Domains and Trusts, right-click the domain for which you want to verify trusts, and select Properties.
On the Trusts tab, select Domains Trusted By This Domain (Outgoing) or Domains that Trust This Domain (Incoming).
Select the appropriate trust, and click Properties.
Lesson 2Lesson 2
Verifying a Trust Relationship Using Active Directory (cont.)
Click Validate. You will be prompted to choose to validate only one side of the trust or validate both sides of the trust simultaneously. Select Yes to validate both sides of the trust.
You will be prompted to supply an administrative user account and password on the target domain. Select No to manually log onto the target domain to validate the other side of the trust relationship.
Lesson 2Lesson 2
Revoking a Trust Using Netdom
Open a command prompt and enter the following text:Netdom trust TrustingDomainName /d:TrustedDomainName /remove
Press Enter.
Repeat Steps 1 and 2 for the other end of the trust relationship.
Lesson 2Lesson 2
Changing the Default Suffix for User Principal Names
Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click Active Directory Domains and Trusts, and choose Properties.
Click the UPN Suffix tab, key the new suffix, and click Add.
Key more than one suffix if your forest has more than one tree, and then click OK.
SummarySummary
You Learned
Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard.
SummarySummary
You Learned (cont.)
Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records. Additional items, such as reverse lookups, aging, and scavenging, also should be configured.
Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS. These partitions allow replica placement within the forest structure.
SummarySummary
You Learned (cont.)
System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
Planning forest and domain functionality is dependent on the need for down-level operating system compatibility. Raising a forest or domain functional level is a procedure that cannot be reversed.
SummarySummary
You Learned (cont.)
Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts. Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
SummarySummary
You Learned (cont.)
UPNs provide a mechanism to make access to resources in multiple domains user friendly. UPNs follow a naming format similar to email addresses. You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.
