01 Administering

8/13/2019 01 Administering

1/21

www

.technocorp.co.in

Administering

AD DS Domain Controller


2/21

www

.technocorp.co.in

Module Overview

Domain Controller Installation Options Install a Server Core DC

Manage Operations Masters

Configure DFS-R Replication of SYSVOL


3/21


4/21

www

.technocorp.co.in

Install a Domain Controller by UsingWindows Interface

To install a DC:1. Add the AD DS role by using Server Manager2. Install and configure AD DS with the Active Directory Domain Services Installation Wizard

DCPROMO.exe Installs the AD DS role if it is not already installed


5/21

www

.technocorp.co.in

Unattended Installation Options andAnswer Files Options can be specified at the command line

/option:valuefor example, /newdnsdomainname:contoso.com

dcpromo.exe /?[:operation] for help

Options can be specified in an answer file

Answer file can be called by usingdcpromo.exe /unattend:path to answer file

Options on command line will override answer file Options not specified will be prompted by wizard

Except in Server Core

Recommendation: Use dcpromo.exe on full installation and expofile for command line or Server Core

[DCINSTALL]NewDomainDNSName=contoso.com


6/21

www

.technocorp.co.in

Install a New Windows Server 2008Forest

[DCINSTALL]

ReplicaOrNewDomain=domainNewDomain=forestNewDomainDNSName=fqdnDomainNetBiosName=nameForestLevel={0, 2, 3}DomainLevel={0, 2,3}InstallDNS=yesDatabasePath="path"

LogPath="path"SYSVOLPath="path"SafeModeAdminPassword=pwdRebootOnCompletion=yes

dcpromo.exe /unattend/installDNS:yes /dnsOnNetwork:/replicaOrNewDomain:domain/newDomain:forest/newDomainDnsName:contoso.c/DomainNetbiosName:contoso/databasePath:"e:\ntds"/logPath:"f:\ntdslogs"/sysvolpath:"g:\sysvol"/safeModeAdminPassword:passw

/forestLevel:3 /domainLevel:3/rebootOnCompletion:yes

dcpromo.exe

/unattend:path


7/21


8/21

www

.technocorp.co.in

Install an Additional DC in a Domain

[DCINSTALL]ReplicaOrNewDomain=replicaReplicaDomainDNSName=fqdnUserDomain=fqdnUserName=DOMAIN\username*Password=password*InstallDNS=yesConfirmGC=yes

DatabasePath="path"LogPath="path"SYSVOLPath="path"SafeModeAdminPassword=pwdRebootOnCompletion=yes

dcpromo.exe /unattend

/replicaOrNewDomain:replica/replicaDomainDNSName:contoso/installDNS:yes /confirmGC:yes/databasePath:"e:\ntds"/logPath:"f:\ntdslogs"/sysvolpath:"g:\sysvol"/safeModeAdminPassword:passw/rebootOnCompletion:yes

dcpromo.exe/unattend:path


9/21

www.technocorp.co.in

Install a New Windows Server 2008Domain[DCINSTALL]

ReplicaOrNewDomain=domainNewDomain=childParentDomainDNSName=fqdn

UserDomain=fqdnUserName= DOMAIN\username*Password=password*ChildName=name*DomainNetBiosName=nameDomainLevel={0,2,3}*InstallDNS=yesCreateDNSDelegation=yesDNSDelegationUserName=DOMAIN\usernameDNSDelegationPassword=password*DatabasePath="path"LogPath="path"SYSVOLPath="path"SafeModeAdminPassword=pwd

RebootOnCompletion=yes

dcpromo.exe /una/installDNS:yes/replicaOrNewDoma/newDomain:child/ParentDomainDNS/newDomainDnsNa/childName:subsidia/DomainNetbiosNam/databasePath:"e:\n/logPath:"f:\ntdslog/sysvolpath:"g:\sys/safeModeAdminPas/forestLevel:3 /dom

/rebootOnCompletio

dcpromo.ex/unattend:


10/21


11/21


Stage the Installation of an RODC

Create the account for the RODC Right-click the Domain Controllers OUPre-Create Read-only Domain Controller Accou

Delegation of RODC Installation and Administration

Delegate to a group

Members of the group can join RODC to domain

Members of the group are local Administrators after join

Attach the server to the RODC account Server must be a member of a workgroup

dcpromo /UseExistingAccount:attach

Att h S t P t d ROD


12/21


Attach a Server to a Prestaged RODAccount

GUI Active DirectoryDomain Services Wizard:dcpromo.exe/useexistingaccount:attach

[DCINSTALL]ReplicaDomainDNSName=fqdnUserDomain=fqdn

UserName= DOMAIN\username*Password=password*InstallDNS=yesConfirmGC=yesDatabasePath="path"LogPath="path"SYSVOLPath="path"SafeModeAdminPassword=pwdRebootOnCompletion=yes

dcpromo.exe /unattend/UseExistingAccount:Attach

/ReplicaDomainDNSName:conto

/UserDomain:contoso.com/UserName:contoso\dan/password:*/databasePath:"e:\ntds"/logPath:"f:\ntdslogs"/sysvolpath:"g:\sysvol"/safeModeAdminPassword:passw/rebootOnCompletion:yes

dcpromo.exe/useexistingaccount

/unattend:path


13/21


Install AD DS from Media

Install from media (IFM)

Create installation mediaa specialized backup of AD DS

Use installation media for creation of DC Significantly reduce over-the-network replication

DC will need to replicate changes since backup was made

ntdsutilactivate instance ntdsifm create sysvol fullpath : media with sysvol for writable DC

create fullpath : media without sysvol for writable DC create sysvol rodcpath : media with sysvol for read-only DC

create rodcpath : media without sysvol for read-only DC

Active Directory Domain Services Installation Wizard, select Use Mode

ReplicationSourcePath option/switch


14/21


Remove a Domain Controller

GUI Active Directory Domain

Services Wizard:dcpromo.exe

Command line:dcpromo.exe /uninstallbinaries

If DC cannot contact the domaindcpromo /forceremoval

Then you must clean up metadata: KB 216498

[DCINSTALL]UserName= DOMAIN\username*UserDomain=fqdnPassword=password*

AdministratorPassword=password*RemoveApplicationPartitions=yesRemoveDNSDelegation=yesDNSDelegationUserName=DOMAIN\usernameDNSDelegationPassword=password* dcpromo.exe /unattend

/uninstallbinaries/UserName:contoso\dan

/password:*/administratorpassword:Pa$

dcpromo.exe/uninstallbinaries/unattend:path


15/21


Manage Operations Masters

Understand Single Master Operations Operations Master Roles

Optimize the Placement of Operations Masters

Identify Operations Masters

Transfer Operations Master Roles

Seize Operations Master Roles


16/21


Understand Single Master Operatio

In any multimaster replication topology, some operations msingle master

Many terms used for single master operations in AD DS Operations master (or operations master roles)

Single master roles

Operations tokens

Flexible single master operations (FSMOs)

Roles

ForestDomain namingSchema

DomainRelative identifier (RID)InfrastructurePDC Emulator


17/21


Operations Master Roles

Forest-wide Domain naming: Adds/removes domains to/from the forest Schema: Makes changes to the schema

Domain-wide RID: Provides pools of RIDs to DCs, which use them for SIDs

Infrastructure: Tracks changes to objects in other domains that are members of groups i

PDC: Plays several very important roles

Emulates a Primary Domain Controller (PDC): compatibility

Special password update handling

Default target for Group Policy updates

Master time source for domain

Domain master browser


18/21


19/21

ww

w.technocorp.co.in

Identify Operations Masters

User interface tools PDC Emulator: Active Directory Users And Computers

RID: Active Directory Users And Computers

Infrastructure: Active Directory Users And Computers

Schema: Active Directory Schema

Domain Naming: Active Directory Domains and Trusts

Command line tools NTDSUtil

DCDiag

netdom query fsmo


20/21

ww

w.technocorp.co.in

Transfer Operations Master Roles

Scenarios for transferring roles To distribute roles away from the forest domain root DC

Prior to taking a role holding DC offline for maintenance

Prior to demoting a role holding DC

Procedure for transferring roles Ensure that the new role holder is up to date with replication from the current role hold

Open the appropriate administrative snap-in

Connect to the targetdomain controllers

Open the Operations Master dialog box and click Change

Oruse NTDSUtil to change transfer the master


21/21

ww

w.technocorp.co.in

Seize Operations Master Roles

Recognize operations master failures Typically you notice when you attempt to perform an action for which the master is resp

receive an error

Respond to an operations master failure Determine whether the DC can be brought online, and when

Evaluate whether the enterprise can continue to function temporarily without the DC

Seize the role by using NTDSUtil Return a role to its original holder?

Only for PDC and Infrastructure tokens

If Schema, RID, or domain naming have been seized, you must decommission the failed promote it again

Documents

01 Administering