01-Implementing Active Directory Domain Services

Module 1: Implementing Active Directory® Domain Services

Module Overview

Installing Active Directory Domain Services

Deploying Read-Only Domain Controllers

Configuring AD DS Domain Controller Roles

Lesson 1: Installing Active Directory Domain Services

Requirements for Installing AD DS

What Are Domain and Forest Functional Levels?

AD DS Installation Process

Advanced Options for Installing AD DS

Installing AD DS from Media

Demonstration: Verifying the AD DS Installation

Upgrading to Windows Server 2008 AD DS

Installing AD DS on a Server Core Computer

Requirements for Installing AD DS

Administrator permissions:
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest

Network configuration:
• TCP/IP must be configured, including DNS client settings
• A DNS server that supports dynamic updates must be available, or DNS will be configured on the domain controller

Server:
• A computer running Windows Server 2008
• Minimum disk space of 250 MB and a partition formatted with the NTFS file system

What Are Domain and Forest Functional Levels?

Functional levels:
• Determine the AD DS features available in a domain or forest
• Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest

Forest functional level | Supported domain controller operating systems
Windows 2000 | Windows 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003 | Windows Server 2003, Windows Server 2008
Windows Server 2008 | Windows Server 2008

Domain functional level | Supported domain controller operating systems
Windows 2000 native | Windows 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003 | Windows Server 2003, Windows Server 2008
Windows Server 2008 | Windows Server 2008

Raising a functional level on Windows Server 2008 is a one-way operation: once raised it cannot be lowered, and domain controllers running an older operating system can no longer be added.

AD DS Installation Process

1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password

The Directory Services Restore Mode password is a local credential on that domain controller that allows logon while AD DS is offline; protect it as you would a Domain Admins password.

Advanced Options for Installing AD DS

Use the advanced mode options to:
• Create a new domain tree
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name

To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv.

Installing AD DS from Media

Use Ntdsutil.exe on an existing Windows Server 2008 domain controller to create the installation media. Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller without SYSVOL data
• Read-only domain controller
• Read-only domain controller without SYSVOL data

Media created for a writable domain controller contains every account secret in the domain, so protect it in transit and destroy it after use. Media created for an RODC has those secrets removed, which is why the separate RODC media types exist.

Demonstration: Verifying the AD DS Installation

Upgrading to Windows Server 2008 AD DS

To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation, run the following commands before installing:

Current version | Command | Prepares for
Windows 2000 or Windows Server 2003 | adprep /forestprep | Windows Server 2008 domain controllers
Windows 2000 | adprep /domainprep /gpprep | Windows Server 2008 domain controllers
Windows Server 2003 | adprep /domainprep | Windows Server 2008 domain controllers
Windows Server 2003 | adprep /rodcprep | Windows Server 2008 read-only domain controllers

Run adprep /forestprep on the schema master (as a member of Schema Admins, Enterprise Admins and Domain Admins) and let the schema changes replicate before running adprep /domainprep on the infrastructure master of each domain. adprep /rodcprep can be run from any computer in the forest.

Installing AD DS on a Server Core Computer

To install AD DS on a Server Core computer, perform an unattended installation using an answer file.

Use the following syntax with the Dcpromo command:

Dcpromo /answer[:filename]

Where filename is the name of your answer file.

The answer file holds the Directory Services Restore Mode password in clear text; delete it once the installation completes.

Discussion: Common Configuration for AD DS

What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?

How would these tasks change after you have deployed additional domain controllers in your domain?

Lesson 2: Deploying Read-Only Domain Controllers

What Is a Read-Only Domain Controller?

Read-Only Domain Controller Features

Preparing to Install the RODC

Installing the RODC

Delegating the RODC Installation

What Are Password Replication Policies?

What Is a Read-Only Domain Controller?

RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never replicate changes out to other domain controllers.

RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security

RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller

Read-Only Domain Controller Features

RODCs provide:
• Unidirectional replication
• Credential caching
• Administrative role separation
• Read-only DNS

Preparing to Install the RODC

Before installing an RODC:
• Ensure that the domain and forest functional levels are at least Windows Server 2003
• Ensure a writable domain controller running Windows Server 2008 is available in the same domain to replicate the domain partition
• Run ADPrep /rodcprep to enable the RODC to replicate DNS application partitions

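The three prerequisites above, plus the adprep state from the upgrade slide, can be verified before you touch the wizard. The following PowerShell is an added example and is not part of the course materials: it assumes a domain-joined Windows Server 2008 machine with PowerShell 2.0 and read access to the directory, and reads the forest, domain and naming contexts from RootDSE rather than hard-coding them. The version markers it checks (schema objectVersion 44, DomainUpdates revision 3, ForestUpdates RODC revision 2) are the values written by the Windows Server 2008 adprep.

```powershell
# Added example (not from the course deck): pre-flight checks before promoting
# an RODC. Assumes a domain-joined Windows Server 2008 machine with
# PowerShell 2.0 and read access to the directory; nothing is hard-coded,
# the forest, domain and naming contexts are read from RootDSE.

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNC    = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

function New-Check([string]$Name, $Value, [bool]$Passed) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $Name
    $o | Add-Member NoteProperty Value  $Value
    $o | Add-Member NoteProperty Passed $Passed
    $o
}
$checks = @()

# 1. Functional levels: the ForestMode/DomainMode enumerations are ordered by
#    version, so -ge against the 2003 member is a valid "at least 2003" test.
$checks += New-Check 'Forest functional level >= Windows Server 2003' $forest.ForestMode `
    ($forest.ForestMode -ge [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest)
$checks += New-Check 'Domain functional level >= Windows Server 2003' $domain.DomainMode `
    ($domain.DomainMode -ge [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain)

# 2. A writable Windows Server 2008 DC in this domain. Each DC's server object
#    has a serverReference to its computer account; primaryGroupID 516 is
#    "Domain Controllers" (writable), 521 is "Read-only Domain Controllers".
$writable2008 = @()
foreach ($dc in $domain.DomainControllers) {
    $server   = $dc.GetDirectoryEntry()
    $computer = [ADSI]"LDAP://$($server.serverReference.Value)"
    if ($computer.primaryGroupID.Value -eq 516 -and $dc.OSVersion -like 'Windows Server*2008*') {
        $writable2008 += $dc.Name
    }
}
$checks += New-Check 'Writable Windows Server 2008 DC available' ($writable2008 -join ', ') ($writable2008.Count -gt 0)

# 3. adprep state. /forestprep for Windows Server 2008 raises the schema
#    objectVersion to 44; /domainprep sets the revision of
#    CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System to 3; /rodcprep
#    creates CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates with revision 2.
function Get-Revision([string]$path) {
    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) { [int]([ADSI]$path).revision.Value } else { 0 }
}
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
$domainRev = Get-Revision "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
$rodcRev   = Get-Revision "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfgNC"
$checks += New-Check 'adprep /forestprep (schema objectVersion >= 44)' $schemaVersion ($schemaVersion -ge 44)
$checks += New-Check 'adprep /domainprep (revision >= 3)' $domainRev ($domainRev -ge 3)
$checks += New-Check 'adprep /rodcprep (revision >= 2)' $rodcRev ($rodcRev -ge 2)

$checks | Format-Table Check, Value, Passed -AutoSize
if ($checks | Where-Object { -not $_.Passed }) { Write-Warning 'Forest or domain is not ready for an RODC.' }
```

The primaryGroupID test matters because an RODC also reports a Windows Server 2008 operating system; without it a branch full of RODCs would appear to satisfy the "writable 2008 DC" requirement.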
Installing the RODC

1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy
4. To install an RODC on a Server Core installation, use an unattended installation file with the

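The unattended path in step 4 is the same Dcpromo answer-file mechanism the Server Core slide introduced, so one worked file covers both. The PowerShell below is an added example, not part of the course deck: because Windows Server 2008 Server Core has no PowerShell, it runs on an administrative workstation, writes the answer file onto the target through the admin share, and prints the command to type at the Server Core prompt. The [DCInstall] keys are Dcpromo's documented unattend parameters; the domain, host, site and group names are placeholders (assumptions) to be replaced.

```powershell
# Added example (not from the course deck): build a dcpromo answer file for an
# RODC and promote a Server Core box with it. Windows Server 2008 Server Core
# has no PowerShell, so run this on an administrative workstation; the final
# dcpromo line is typed at the Server Core command prompt. Domain, host,
# site and group names below are placeholders (assumptions).

$target      = 'NYC-SVR1'                                       # Server Core machine to promote (placeholder)
$domainFqdn  = 'contoso.com'                                    # placeholder
$sourceDc    = 'NYC-DC1.contoso.com'                            # writable Windows Server 2008 DC (placeholder)
$siteName    = 'Toronto'                                        # placeholder
$allowGroup  = 'CN=Toronto Users,OU=Groups,DC=contoso,DC=com'   # placeholder: accounts the RODC may cache
$branchAdmin = 'CONTOSO\Toronto-RODC-Admins'                    # placeholder: delegated local admins of the RODC

# [DCInstall] keys are dcpromo's documented unattend parameters. Password=*
# makes dcpromo prompt for the promoting account's password instead of
# storing it; the DSRM password is still written here in clear text, so the
# file must be deleted as soon as the promotion completes.
$answerFile = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domainFqdn
ReplicationSourceDC=$sourceDc
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domainFqdn
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ChangeMe-DSRM-P@ss1
PasswordReplicationAllowed="$allowGroup"
DelegatedAdmin="$branchAdmin"
RebootOnCompletion=Yes
"@

# Write it straight onto the target's system drive over the admin share.
$path = "\\$target\C`$\rodc-unattend.txt"
Set-Content -Path $path -Value $answerFile -Encoding ASCII
Write-Host "Answer file written to $path"

# On the Server Core console (cmd.exe) run the promotion, then remove the
# file. The slide's dcpromo /answer:<file> form is equivalent to /unattend.
Write-Host 'Now run on the target:'
Write-Host '  dcpromo /unattend:C:\rodc-unattend.txt'
Write-Host '  del C:\rodc-unattend.txt'
```

Setting PasswordReplicationAllowed and DelegatedAdmin in the file is the unattended equivalent of the advanced-mode wizard pages in step 3; leaving them out gives the default policy (nothing cached) and no delegated administrator.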
Delegating the RODC Installation

To delegate the installation of an RODC:
• Pre-create the RODC computer account in the Domain Controllers container (a member of Domain Admins does this, and can set the password replication policy and the delegated administrator at the same time)
• Assign a user or group with permission to install the RODC; that user attaches the server to the pre-created account with Dcpromo /UseExistingAccount:Attach and does not need Domain Admins membership

What Are Password Replication Policies?

• The password replication policy determines how the RODC performs credential caching for authenticated users and computers
• By default, the RODC does not cache any user credentials or computer credentials

Options for configuring password replication policies:
• No credentials cached
• Enable credential caching on an RODC for specified accounts

The policy is an Allow list and a Deny list on the RODC's computer account; an account that appears in both is denied. The default Deny list contains Administrators, Server Operators, Backup Operators, Account Operators and the Denied RODC Password Replication Group (which holds Domain Admins, Enterprise Admins, Schema Admins, krbtgt and other sensitive accounts), and the default Allowed RODC Password Replication Group is empty.

Demonstration: Configuring Administrator Role Separation and Password Replication Policies

In this demonstration, you will see how to:

Configure administrator role separation

Configure the RODC password replication groups

Track which users have authenticated to an RODC

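The policy slide and this demonstration both come down to four lists on the RODC's computer object, which repadmin exposes directly. The PowerShell below is an added example and not part of the course deck: it assumes a Windows Server 2008 machine with the AD DS tools installed, Domain Admins membership, and placeholder (assumed) names for the RODC, the source DC, the branch group and a user.

```powershell
# Added example (not from the course deck): inspect and adjust an RODC's
# Password Replication Policy with repadmin /prp, pre-populate one account,
# and list what the RODC has actually cached. Assumes Domain Admins and the
# AD DS tools; RODC, DC, group and user names are placeholders (assumptions).

$rodc        = 'NYC-DC2'                                          # RODC (placeholder)
$sourceDc    = 'NYC-DC1'                                          # writable DC to pull secrets from (placeholder)
$branchGroup = 'CN=Toronto Users,OU=Groups,DC=contoso,DC=com'     # placeholder DN
$branchUser  = 'CN=Alice Branch,OU=Toronto,DC=contoso,DC=com'     # placeholder DN

# The policy is two lists on the RODC computer object: Allow
# (msDS-RevealOnDemandGroup) and Deny (msDS-NeverRevealGroup). Deny always
# wins, so Domain Admins, Enterprise Admins, krbtgt and the built-in operator
# groups (all in the default Deny list) stay uncached even when a branch group
# that happens to contain them is allowed.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Allow the branch group. The default "Allowed RODC Password Replication
# Group" is empty, which is the slide's "no credentials cached" default.
repadmin /prp add $rodc allow $branchGroup

# Optionally pre-populate a user's secret so the first branch logon works
# even if the WAN link to $sourceDc is down at that moment.
repadmin /rodcpwdrepl $rodc $sourceDc $branchUser

# Reveal = accounts whose secrets are now stored on the RODC. This is the
#          exact set to reset if the branch box is ever stolen.
# Auth2  = accounts that have authenticated through this RODC
#          (msDS-AuthenticatedToAccountlist): the "who logs on here" list the
#          demonstration tracks, and the input for deciding what to allow.
repadmin /prp view $rodc reveal
repadmin /prp view $rodc auth2
```

Review the Auth2 list periodically: an account that authenticates through the RODC but is not in the Allow list is being forwarded to a writable DC on every logon, and a privileged account appearing there is a sign that someone is administering the domain from the branch.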
Lesson 3: Configuring AD DS Domain Controller Roles

What Are Global Catalog Servers?

Modifying the Global Catalog

Demonstration: Configuring Global Catalog Servers

What Are Operations Master Roles?

Demonstration: Managing Operations Master Roles

Modifying the Global Catalog

[Figure: a global catalog server holding the partial attribute set. Common attributes replicated to every global catalog include firstName, lastName, email address, accountExpires and distinguishedName; additional attributes can be added to the set.]

Add only the additional attributes that you query or refer to frequently. Every attribute you add is replicated to every global catalog server in the forest, increasing replication traffic and database size.

Demonstration: Configuring Global Catalog Servers

In this demonstration, you will see how to:

Configure global catalog servers using Active Directory Sites and Services

Configure a domain controller on Server Core as a global catalog server

What Are Operations Master Roles?

Role | Description
Schema Master | One per forest. Performs all updates to the Active Directory schema.
Domain Naming Master | One per forest. Manages adding and removing all domains and directory partitions.
RID Master | One per domain. Allocates blocks of RIDs to each domain controller in the domain.
PDC Emulator | One per domain. Minimizes replication latency for password changes. Synchronizes time on all domain controllers in the domain.
Infrastructure Master | One per domain. Updates references to objects in other domains (for example, group members from another domain). In a multi-domain forest, do not place it on a global catalog server unless every domain controller in the domain is a global catalog.

Demonstration: Managing Operations Master Roles

In this demonstration, you will see how to:

Determine which server holds an operations master role

Move an operations master role

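The two demonstration tasks, finding each role holder and moving a role, can be scripted without any add-on module on Windows Server 2008. The PowerShell below is an added example, not part of the course deck: it uses the .NET System.DirectoryServices.ActiveDirectory classes to list the five holders from the table above, checks the infrastructure-master placement rule, and transfers the PDC Emulator with ntdsutil. It assumes Domain Admins membership; the target server name is a placeholder.

```powershell
# Added example (not from the course deck): locate every operations master
# with the .NET AD classes (no extra modules needed on Windows Server 2008),
# check the infrastructure master placement, then transfer one role with
# ntdsutil. Assumes Domain Admins; $newHolder is a placeholder (assumption).

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Forest-wide roles (one holder per forest)
"Schema master        : " + $forest.SchemaRoleOwner.Name
"Domain naming master : " + $forest.NamingRoleOwner.Name
# Domain-wide roles (one holder per domain)
"PDC emulator         : " + $domain.PdcRoleOwner.Name
"RID master           : " + $domain.RidRoleOwner.Name
"Infrastructure master: " + $domain.InfrastructureRoleOwner.Name

# The classic misplacement: in a multi-domain forest the infrastructure
# master must not be a global catalog unless every DC in the domain is one,
# otherwise cross-domain references are never updated.
$im    = $domain.InfrastructureRoleOwner
$allGc = (@($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() }).Count -eq 0)
if ($im.IsGlobalCatalog() -and -not $allGc -and $forest.Domains.Count -gt 1) {
    Write-Warning "$($im.Name) is both infrastructure master and a GC in a multi-domain forest"
}

# Transfer (not seize) the PDC emulator to another writable DC. A transfer
# needs the current holder online; seize only when it is gone for good, and
# never bring the old holder back afterwards. RODCs cannot hold any role.
$newHolder = 'NYC-DC1'   # placeholder
ntdsutil 'roles' 'connections' "connect to server $newHolder" 'quit' 'transfer pdc' 'quit' 'quit'

# Confirm with a second tool
netdom query fsmo
```

Each ntdsutil argument is one command in its menu; the other transfers are `transfer rid master`, `transfer infrastructure master`, `transfer schema master` and `transfer naming master`, and the matching `seize` commands are what you use only after the old holder has been permanently removed.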
How Windows Time Service Works

Time synchronization is important because:
• Kerberos authentication includes a time stamp (by default, a clock difference of more than five minutes causes authentication to fail)
• Replication between domain controllers is time stamped

Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.

[Figure: the time hierarchy. Client computers synchronize with domain controllers; domain controllers synchronize with the PDC Emulator of their domain.]

In a Windows Server 2008 forest,

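The hierarchy in the figure only has one machine that should take its time from outside the forest, the PDC Emulator at the top. The PowerShell below is an added example, not part of the course deck: it configures that machine with w32tm, verifies the source, and measures the skew against another domain controller so the Kerberos limit above can be checked. It assumes you run it as an administrator on the forest root PDC Emulator; the NTP peer names and the second DC name are placeholders.

```powershell
# Added example (not from the course deck): put the forest root PDC emulator
# at the top of the time hierarchy the slide describes, then verify the skew
# that Kerberos cares about. Run as an administrator on the forest root PDC
# emulator. NTP peers and the second DC name are placeholders (assumptions).

$peers   = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # placeholders; 0x8 = client mode
$otherDc = 'NYC-DC2'                                     # placeholder DC to measure against

# The root PDCe is the only machine that should use a manual (external)
# source; marking it reliable makes the rest of the forest follow it. All
# other DCs and clients keep the default NT5DS mode (domain hierarchy).
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

# Verify: the source must be one of the peers, never "Local CMOS Clock".
w32tm /query /source
w32tm /query /status

# Kerberos rejects requests whose time stamp is more than 5 minutes off
# (the default "Maximum tolerance for computer clock synchronization").
# Sample another DC's offset against this one; anything approaching 300 s
# means authentication and replication failures are imminent.
$worst = 0.0
foreach ($line in (w32tm /stripchart "/computer:$otherDc" /samples:3 /dataonly)) {
    # data lines look like "12:00:01, +00.0123456s"
    if ($line -match '([+-]\d+\.\d+)s') {
        $worst = [Math]::Max($worst, [Math]::Abs([double]$matches[1]))
    }
}
if ($worst -gt 300) { Write-Warning "Clock skew of $worst s exceeds the Kerberos limit" }
else { "Largest observed offset from ${otherDc}: $worst s" }

# To return a DC that was wrongly given a manual source to the hierarchy:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync
```

If the PDC Emulator role is later transferred, repeat the manual-source configuration on the new holder and reset the old one to domhier; the role move does not carry the W32Time settings with it.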
Lab: Implementing Read-Only Domain Controllers

Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC

Exercise 2: Installing and Configuring an RODC

Exercise 3: Configuring AD DS Domain Controller Roles

Logon information
Virtual machines: 6425A-NYC-DC1, NYC-SVR1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd

Lab Review

Why did Axel's account not have permission to create any objects in AD DS?

What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1?

Could you have assigned the Domain Naming Master role to TOR-DC1?

Module Review and Takeaways

Review questions

Beta Feedback Tool

The beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.

Beta Feedback

Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic?
• Was something taught out of order?

Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to the next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:
• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions
