6425A_01 Install Active Directory Domain Services for DC Read-Only DC

8/14/2019 6425A_01 Install Active Directory Domain Services for DC Read-Only DC

1/32

Module 1:

Implementing ActiveDirectory DomainServices


2/32

Module Overview

Installing Active Directory Domain Services

Deploying Read-Only Domain Controllers

Configuring AD DS Domain Controller Roles

1 domain will need to have one DC to be /hold the Active Directoryserver


3/32

Lesson 1: Installing Active DirectoryDomain Services

Requirements for Installing AD DS

What Are Domain and Forest Functional Levels?

AD DS Installation Process

Advanced Options for Installing AD DS

Installing AD DS from Media Demonstration: Verifying the AD DS Installation

Upgrading to Windows Server 2008 AD DS

Installing AD DS on a Server Core Computer

Discussion: Common Configuration for AD DS


4/32

Requirements for Installing AD DS

Local Administrator permissions to install the firstdomain controller in a forest

Domain Administrator permissions to installadditional domain controllers in a domain

Enterprise Administrator permissions to installadditional domains in a forest

Administratorpermissions

TCP/IP must be configured, including DNSclient settings

DNS Server that supports dynamic updates mustbe available or will be configured on the domaincontroller

Networkconfiguration

A computer running Windows Server 2008 (WebServer edition not supported)

Minimum disk space of 250 MB and a partitionformatted with NTFS file system

Serverrequirements toinstall AD DS


5/32

What Are Domain and Forest Functional Levels?

Domain functional levelForrest functional levelFunctional levels:

Determine the AD DS features available in a domain or forest

Restrict which Windows Server operating systems can berun on domain controllers in the domain or forest

Supported Domain ControllerOperating Systems

Windows 2000Windows 2000native

WindowsServer 2003

Windows Server2003

Windows Server2008

Windows Server2008

ForestsDomain

Windows Server 2008

Windows Server 2003

Windows 2000 Server

Windows Server 2008 Windows Server 2003

Windows Server 2008

Supported functional levels:


6/32

AD DS Installation Process

Install the Active Directory Domain Services roleusing the Server Manager1

Choose the deployment configuration3

Select the additional domain controller features4

Run the Active Directory Domain ServicesInstallation Wizard

2

Select the location for the database, log files, andSYSVOL(System volume) folder5

Configure the Directory Services RestoreMode Administrator Password6


7/32

Advanced Options for Installing AD DS

Use the advanced mode options to:

Create a new domain tree with a different domain name

Use backup media as the source for AD DS information

To access the advanced mode installation options,

choose the Advanced Mode option in the Installation Wizard or runDCPromo /adv

Select the source domain controller for the installation

Modify the default domain NetBIOS name

Define the Password Replication Policy for an RODC


8/32

Installing AD DS from Media

Use Ntdsutil.exe to create the installation media

Ntdsutil.exe can create the following types of installation media:

Full (or writable) domain controller

Full (or writable) domain controller with SYSVOL data

domain controller with SYSVOL data: group npolicy objects (scripts) has a ve

Read-only domain controller: cannot save password


9/32

Demonstration: Verifying the AD DS Installation

In this demonstration, you will see how to verify theAD DS installation


10/32

Upgrading to Windows Server 2008 AD DS

Before installing

adprep /forestprepWindows 2000Windows 2003

adprep/domainprep /gpprep

Windows Server2000

adprep /domainprepWindows Server2003

CommandCurrent Version

Windows Server 2008domain controllers

Must be run before other

adprep commands Windows Server 2008

domain controllers

Windows Server 2008domain controllers

To prepare previous versions of Active Directory for a Windows Server2008 domain controller installation:

adprep /rodcprepWindows Server

2003

Windows Server 2008RODCs


11/32

Installing AD DS on a Server Core Computer

To install AD DS on a Server Core computer, perform an

unattended installation using an answer file

Use following syntax with the Dcpromo command:Dcpromo /answer[:filename]

Where filename is the name of your answer


12/32

Discussion: Common Configuration for AD DS

What additional steps would you take in your environmentafter installing the first Windows Server 2008 domain

controller?

How would these tasks change after you have deployedadditional domain controllers in your domain?

Which of the recommendations listed in the Server

Manager apply to your organization?


13/32

Lesson 2: Deploying Read-OnlyDomain Controllers

What Is a Read-Only Domain Controller?

Read-Only Domain Controller Features

Preparing to Install the RODC

Installing the RODC

Delegating the RODC Installation What Are Password Replication Policies?

Demonstration: Configuring Administrator Role Separationand Password Replication Policies


14/32

What Is a Read-Only Domain Controller?

RODCs host read-only partitions of theAD DS database, only accept replicated

changes to Active Directory, and neverinitiate replication

RODCs:

Cannot hold operation master roles or be configured asreplication bridgehead servers

Can be deployed on servers running Windows Server 2008Server core for additional security

RODCs provide:

Additional security for branch office withlimited physical security

Additional security if applications must run on adomain controller

RODC


15/32

Read-Only Domain Controller Features

RODCs provide:

Unidirectional replication

Credential caching

Administrative role separation

Read-only DNS

RODC filtered attribute set


16/32

Preparing to Install the RODC

Before installing an RODC:

Ensure that the domain and forest is at a Windows Server2003 functional level

Ensure a writeable domain controller runningWindows Server 2008 is available to replicate thedomain partition

Run ADPrep /rodcprep to enable the RODC to replicateDNS partitions

Run ADPrep /domainprep in all domains if the RODC willbe a global catalog server


17/32

Installing the RODC

Choose the option to install an additional domain controller

in an existing domain1

Choose advanced mode installation if you want toconfigure the password replication policy

3

Select the option to install an RODC in the Active DirectoryDomain Services Installation wizard

2

To install an RODC on a Server Core installation, use anunattended installation file with theReplicaOrNewDomain=ReadOnlyReplica value


18/32

Delegating the RODC Installation

To delegate the permission to installation of an RODC:

Pre-create the RODC computer account in theDomain Controllers container

Assign a user or group with permission to install the RODC

mplete a delegated RODC installation, run DCPromothe/UseExistingAccount:Attach switch , (no need Domain Admin to create an


19/32

What Are Password Replication Policies?

The password replication policy determines how the

RODC performs credential caching for authenticated user

By default, the RODC does not cache any user credentialsor computer credentials

No credentials cached

Enable credential caching on an RODC for specified accounts

Options for configuring password replication policies:

Add users or groups to the Domain RODC PasswordAllowed group so credentials are cached on all RODCs

D t ti C fi i Ad i i t t R l


20/32

Demonstration: Configuring Administrator RoleSeparation and Password Replication Policies

In this demonstration, you will see how to:

Configure administrator role separation

Configure the RODC password replication groups

Track which users log on to an RODC

Configure password replication policies for those accounts

Lesson 3 Config ing AD DS Domain


21/32

Lesson 3: Configuring AD DS DomainController Roles

What Are Global Catalog Servers?

Modifying the Global Catalog Demonstration: Configuring Global Catalog Servers

What Are Operations Master Roles?

Demonstration: Managing Operation Master Roles

How Windows Time Service Works

*************************************

Each site should has at least 2 GC: Global catalog

Use Regsvr32.exe schemgmt.dll to open the schema

management s MMC


22/32

What Are Global Catalog Servers?

Domain

Domain

DomainDomainDomain

Domain Domain

Global Catalog ServerGlobal Catalog Server

Global CatalogGlobal Catalog

ResultResult

QueryQuery


23/32

Modifying the Global Catalog

firstNamelastNameemail addressaccountExpiresdistinguishedName

firstNamelastNameemail addressaccountExpiresdistinguishedName

CommonAttributes

Common

Attributes

Global Catalog ServerGlobal Catalog Server

Create additional

attributesCreate additional

attributes

Add only the additional attributes to which youquery or frequently referAdd only the additional attributes to which youquery or frequently refer

departmentfirstNamelastNameemail address

accountExpiresdistinguishedName

departmentfirstNamelastNameemail addressaccountExpiresdistinguishedName

ChangedAttributes

Changed

Attributes

Demonstration: Configuring Global


24/32

Demonstration: Configuring GlobalCatalog Servers


Configure global catalog servers using Active Directory Sites andServices

Configure a domain controller on Server Core as a global catalog server

Add attributes to the global catalog server

A GC will increase the bandwidth for Replication traffic for eachDomain

Each domain should has at least 2 DC


25/32

What Are Operations Masters Roles?

Role Description

Schema Master The 1st one DC in the master domain per forest

Performs all updates to the Active Directory schema

Domain NamingMaster

The 1st one DC in the master domain per forest

Manages adding and removing all domains anddirectory partitions

RID Master The 1st

one DC in a child domain per child domain

Allocates blocks of RIDs to each domain controller inthe domain

PDC Emulator The 1st one DC in a child domain per child domain

Minimizes replication latency for password changes

Synchronizes *system time* on all domain controllers in thedomain

InfrastructureMaster

The 1st one DC in a child domain per child domain

Updates object changes and references in its domain thatreplicate the change to the same object in all other domains

Demonstration: Managing Operations


26/32

Demonstration: Managing OperationsMaster Roles


Determine which server holds an operations master role

Move an operations master role

Seize an operations master role


27/32


28/32

How Windows Time Service Works

Time synchronization is important because:

Kerberos authentication includes a time stamp

Replication between domain controllers is time stamped

Windows Time service (W32Time)

provides network clocksynchronization for domaincontrollers and client computers

Domain controllersDomain controllers

PDC EmulatorPDC Emulator

Clientcomputers

Clientcomputers

In a Windows Server 2008 forest,

the PDC Emulator is used toprovide the authoritative timefor all other computers

L b I l ti R d O l D i C t ll d


29/32

Lab: Implementing Read-Only Domain Controllers andManaging Domain Controller Roles

Exercise 1: Evaluating Forest and Server Readiness forInstalling an RODC

Exercise 2: Installing and Configuring an RODC

Exercise 3: Configuring AD DS Domain Controller Roles

Logon information

Virtual machine 6425A-NYC-DC1,6425A-NYC-SVR1,

6425A-NYC-DC2

User name Administrator

Password Pa$$w0rd

Estimated time: 75 minutes


30/32

Lab Review

Why did Axels account not have permission to create anyobjects in AD DS?

What were the two connection objects that were createdfrom NYC-DC1 to TOR-DC1? Why was no connectionobject created from TOR-DC1 to NYC-DC1?

Could you have assigned the Domain Naming Master role

to TOR-DC1?

What would happen when you add a new attribute to theglobal catalog?


31/32

Module Review and Takeaways

Review questions

Key points


32/32

Documents

6425A_01 Install Active Directory Domain Services for DC Read-Only DC