Module 1: Implementing Active Directory ® Domain Services (AD DS)
Transcript of Module 1: Implementing Active Directory ® Domain Services (AD DS)
Module Overview
• Installing Active Directory Domain Services (AD DS)
• Deploying Read-Only Domain Controllers
• Configuring AD DS Domain Controller Roles
What Is AD DS?
• Active Directory Domain Services (AD DS) provides the functionality of an identity and access (IDA) solution for enterprise networks.
• Store information about users, groups, computers, and other identities.
• Authenticate an identity.
The server will not grant the user access to the document unless the server can verify the identity presented in the access request as valid.
Kerberos authentication: a protocol called Kerberos is used to authenticate identities.
• Control access
• Provide an audit trail
Technologies of AD DS
Active Directory Domain Services (Identity): designed to provide a central repository for identity management within an organization.
Active Directory Lightweight Directory Services (Applications): provides support for directory-enabled applications.
Active Directory Certificate Services (Trust): set up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.
Active Directory Rights Management Services (Integrity): information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use whether online, offline, inside, or outside the firewall.
Active Directory Federation Services (Partnership): enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments.
Components of an Active Directory Infrastructure
Active Directory data store
Domain controllers
Domain
Forest
Tree
Functional level
Organizational units
Sites
Active Directory data store
• Stores identities in the directory, a data store hosted on domain controllers.
• Located by default at %SystemRoot%\Ntds.dit
• The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context that contains the data about objects within a domain—the users, groups, and computers, for example
Domain controllers (DC)
• DCs are servers that perform the AD DS role.
• DCs host the Kerberos Key Distribution Center (KDC) service, which performs authentication, and other Active Directory services.
Domain
• One or more domain controllers are required to create an Active Directory domain.
• A domain is an administrative unit within which certain capabilities and characteristics are shared.
• All domain controllers replicate the domain’s partition of the data store, which contains, among other things, the identity data for the domain’s users, groups, and computers.
Forest
• A forest is a collection of one or more Active Directory domains.
• The first domain installed in a forest is called the forest root domain.
• The forest defines a security boundary.
Tree
• Created by the DNS namespace of domains in a forest.
• When a domain is a subdomain of another domain, the two domains are considered a tree.
Functional level
• The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features.
• Three domain functional levels: Windows 2000 native, Windows Server 2003, and Windows Server 2008
• Two forest functional levels: Windows Server 2003 and Windows Server 2008
Organizational units
• Objects in the data store can be collected in containers.
• One type of container is the object class called container
• Default containers, including Users, Computers, and Builtin,…
• Another type of container is the organizational unit (OU)
OUs provide not only a container for objects but also a scope with which to manage the objects.
Sites
• An Active Directory site is an object that represents a portion of the enterprise within which network connectivity is good.
• Domain controllers within a site replicate changes within seconds.
For example, when a user logs on to the domain, the Windows client first attempts to authenticate with a domain controller in its site. Only if no domain controller is available in the site will the client attempt to authenticate with a DC in another site.
Requirements for Installing AD DS
Administrator permissions
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest
Network configuration
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or DNS will be configured on the domain controller
Server requirements to install AD DS
• A computer running Windows Server 2008
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system
AD DS Installation Process
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
Advanced Options for Installing AD DS
Use the advanced mode options to:
• Create a new domain tree
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name
• Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv
Installing AD DS from Media
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller without SYSVOL data
• Read-only domain controller without SYSVOL data
• Read-only domain controller
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:

Command                     Current version                     Before installing
adprep /forestprep          Windows 2000, Windows Server 2003   Windows Server 2008 domain controllers
adprep /domainprep /gpprep  Windows 2000                        Windows Server 2008 domain controllers
adprep /domainprep          Windows Server 2003                 Windows Server 2008 domain controllers
adprep /rodcprep            Windows Server 2003                 Windows Server 2008 RODCs
Installing AD DS on a Server Core Computer
To install AD DS on a Server Core computer, perform an unattended installation using an answer file
Use the following syntax with the Dcpromo command: Dcpromo /answer[:filename], where filename is the name of your answer file
Lesson 2: Deploying Read-Only Domain Controllers
• What Is a Read-Only Domain Controller?
• Read-Only Domain Controller Features
• Preparing to Install the RODC
• Installing the RODC
• Delegating the RODC Installation
• What Are Password Replication Policies?
• Demonstration: Configuring Administrator Role Separation and Password Replication Policies
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never initiate replication
RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security
RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller
Read-Only Domain Controller Features
RODCs provide:
• Unidirectional replication
• Credential caching
• Administrative role separation
• Read-only DNS
• RODC filtered attribute set
Preparing to Install the RODC
Before installing an RODC:
• Ensure that the domain and forest are at the Windows Server 2003 functional level
• Ensure a writeable domain controller running Windows Server 2008 is available to replicate the domain partition
• Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
• Run ADPrep /domainprep in all domains if the RODC will be a global catalog server
Installing the RODC
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value
Delegating the RODC Installation
To delegate the installation of a RODC:
• Pre-create the RODC computer account in the Domain Controllers container
• Assign a user or group with permission to install the RODC
To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch
What Are Password Replication Policies?
• The password replication policy determines how the RODC performs credential caching for authenticated users
• By default, the RODC does not cache any user credentials or computer credentials
Options for configuring password replication policies:
• No credentials cached
• Enable credential caching on an RODC for specified accounts
• Add users or groups to the Domain RODC Password Allowed group so credentials are cached on all RODCs
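The Server Core unattended installation, the ReplicaOrNewDomain=ReadOnlyReplica value and the password replication policy above come together in one dcpromo answer file. The following is an added example, not from the course: it writes such a file for a delegated RODC installation and runs dcpromo with it. The domain name contoso.com, site Branch01, the groups Branch01-Users and Branch01-Admins, the account dcinstall and the paths are all assumed values for illustration.

```powershell
# Added example (not course material): build a dcpromo answer file for an RODC
# on Server Core and run the unattended installation with it.
# Assumed values: domain contoso.com, site Branch01, groups Branch01-Users and
# Branch01-Admins, install account dcinstall, paths under C:\Deploy and D:\.
$answerFile = 'C:\Deploy\rodc-unattend.txt'

$answer = @"
[DCInstall]
; ReadOnlyReplica = install an RODC into an existing domain
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
SiteName=Branch01
InstallDNS=Yes
ConfirmGc=Yes
; Account used for the promotion; * prompts at the console so no password is stored in the file
UserDomain=contoso.com
UserName=dcinstall
Password=*
; Database, log and SYSVOL locations (step 5 of the installation process)
DatabasePath=D:\NTDS
LogPath=D:\NTDS
SYSVOLPath=D:\SYSVOL
; Directory Services Restore Mode password (step 6): placeholder, set before running
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>
; Password Replication Policy: only branch users are cached on this RODC;
; privileged groups are denied explicitly (each entry is one line)
PasswordReplicationAllowed=CONTOSO\Branch01-Users
PasswordReplicationDenied=CONTOSO\Domain Admins
PasswordReplicationDenied=CONTOSO\Enterprise Admins
; Administrative role separation: local administrators of the RODC without domain rights
DelegatedAdmin=CONTOSO\Branch01-Admins
RebootOnCompletion=Yes
"@

New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# The file holds the DSRM password: restrict it to Administrators only and remove it
# once the promotion has completed.
& icacls.exe $answerFile /inheritance:r /grant 'Administrators:F' | Out-Null

# Delegated installation against the pre-created RODC computer account
# (see "Delegating the RODC Installation"): /UseExistingAccount:Attach
& dcpromo.exe /answer:$answerFile /UseExistingAccount:Attach
```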
Lesson 3: Configuring AD DS Domain Controller Roles
• What Are Global Catalog Servers?
• Modifying the Global Catalog
• Demonstration: Configuring Global Catalog Servers
• What Are Operations Master Roles?
• Demonstration: Managing Operation Master Roles
• How Windows Time Service Works
What Are Global Catalog Servers?
[Diagram: several domains in a forest; a query sent to a Global Catalog server is answered from the global catalog, which holds a partial replica of every domain]
Modifying the Global Catalog
[Diagram: common attributes held in the global catalog (firstName, lastName, email address, accountExpires, distinguishedName); after creating additional attributes the changed set also includes department]
Add only the additional attributes that you query or refer to frequently
What Are Operations Master Roles?
Role Description
Schema Master
• One per forest
• Performs all updates to the Active Directory schema
Domain Naming Master
• One per forest
• Manages adding and removing all domains and directory partitions
RID Master
• One per domain
• Allocates blocks of RIDs to each domain controller in the domain
PDC Emulator
• One per domain
• Minimizes replication latency for password changes
• Synchronizes time on all domain controllers in the domain
Infrastructure Master
• One per domain
• Updates object references in its domain that point to the object in another domain
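As an added example (not course material) of auditing the role placement described in this table, the script below lists the holder of each forest-wide and domain-wide operations master role and the global catalog servers. It also flags the one placement that breaks the Infrastructure Master's job of updating cross-domain references: in a forest with more than one domain, an Infrastructure Master that is itself a global catalog never sees stale references unless every DC in its domain is also a GC. It assumes you run it as a domain user on a domain-joined Windows machine.

```powershell
# Added example (not course material): inventory operations master roles and
# global catalogs using the .NET System.DirectoryServices.ActiveDirectory classes.
# Assumes a domain-joined machine and a domain user account.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Forest-wide roles: exactly one holder each per forest
"Schema Master        : " + $forest.SchemaRoleOwner.Name
"Domain Naming Master : " + $forest.NamingRoleOwner.Name
"Global Catalogs      : " + (($forest.GlobalCatalogs | ForEach-Object { $_.Name }) -join ', ')

$multiDomain = $forest.Domains.Count -gt 1
foreach ($domain in $forest.Domains) {
    # Domain-wide roles: exactly one holder each per domain
    ""
    "[" + $domain.Name + "]"
    "  RID Master            : " + $domain.RidRoleOwner.Name
    "  PDC Emulator          : " + $domain.PdcRoleOwner.Name
    "  Infrastructure Master : " + $domain.InfrastructureRoleOwner.Name

    # Placement check: the Infrastructure Master only updates references to objects
    # in other domains if it is NOT a GC, or if every DC in the domain is a GC.
    $im       = $domain.InfrastructureRoleOwner
    $nonGcDcs = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() })
    if ($multiDomain -and $im.IsGlobalCatalog() -and $nonGcDcs.Count -gt 0) {
        "  WARNING: Infrastructure Master is a global catalog while " +
        $nonGcDcs.Count + " DC(s) are not; cross-domain references will not be updated."
    }
}
```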
How Windows Time Service Works
Time synchronization is important because:
• Kerberos authentication includes a time stamp
• Replication between domain controllers is time stamped
Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers
[Diagram: time hierarchy in a forest: the PDC Emulator is the top of the hierarchy; domain controllers synchronize with it; client computers synchronize with domain controllers]
In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers
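Because Kerberos tickets carry a time stamp, a domain controller whose clock drifts beyond the Kerberos tolerance (5 minutes by default) stops authenticating users. The script below is an added example, not course material: it walks every DC in the current domain, reads which peer W32Time is synchronizing from, measures the clock offset with w32tm, and reports DCs that do not chain to the PDC Emulator or whose offset exceeds the tolerance. It assumes a single-domain forest, a domain user account on a domain-joined machine, and that NTP (UDP 123) is reachable on each DC.

```powershell
# Added example (not course material): check that the W32Time hierarchy matches the
# slide (DCs sync from the PDC Emulator) and that no DC is outside Kerberos tolerance.
# Assumes a single-domain forest; the 300 s limit is the default Kerberos policy value.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')
$domain         = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc            = $domain.PdcRoleOwner.Name
$pdcHost        = $pdc.Split('.')[0]
$maxSkewSeconds = 300

function Get-TimeSource([string]$computer) {
    # "w32tm /query /source" prints the peer the service is currently syncing from
    $out = & w32tm.exe /query /computer:$computer /source 2>&1
    ("" + ($out | Select-Object -Last 1)).Trim()
}

function Get-ClockOffsetSeconds([string]$computer) {
    # "/stripchart /dataonly" prints lines like "12:00:00, +00.0123456s" (offset of
    # the remote clock relative to this machine); take the last sample
    $lines = & w32tm.exe /stripchart /computer:$computer /samples:3 /dataonly 2>&1
    $last  = $lines | Where-Object { "$_" -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
    if ("$last" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] } else { $null }
}

foreach ($dc in $domain.DomainControllers) {
    $name   = $dc.Name
    $source = Get-TimeSource $name
    $offset = Get-ClockOffsetSeconds $name
    $isPdc  = ($name -ieq $pdc)
    $issues = @()
    if ($isPdc) {
        # The PDC Emulator is the root of the hierarchy: it should follow a reliable
        # external source, not its own hardware clock
        if ($source -match 'Local CMOS Clock|Free-running') { $issues += 'PDC Emulator runs on its local clock' }
    } elseif ($source -notmatch ('^' + [regex]::Escape($pdcHost))) {
        $issues += "syncs from '$source', not the PDC Emulator"
    }
    if ($offset -ne $null -and [math]::Abs($offset) -gt $maxSkewSeconds) {
        $issues += "offset of $offset s exceeds Kerberos tolerance"
    }
    New-Object PSObject -Property @{
        DC = $name; Source = $source; OffsetSec = $offset; IsPdc = $isPdc
        Issues = ($issues -join '; ')
    }
}
```

On the PDC Emulator itself, `w32tm /config /manualpeerlist:"<ntp-server>" /syncfromflags:manual /reliable:yes /update` followed by `w32tm /resync` points the root of the hierarchy at an external source.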
Beta Feedback Tool
• Beta feedback tool helps: collect student roster information, module feedback, and course evaluations; identify and sort the changes that students request, thereby facilitating a quick team triage; save data to a database in SQL Server that you can later query.
• Walkthrough of the tool
Beta Feedback
• Overall flow of module: Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?
• Pacing: Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
• Learner activities: Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?