MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)

CIS 175 - LU1 Part 1

Description: Domain Design

Chapter 1: Designing Active Directory Domain Services

Learning Objectives

• Create a virtual lab for testing different forest and domain designs
• Plan for different domain and forest functional levels
• Design Active Directory Domain Services domains and forests
• Design trusts and implement a forest trust
• Prepare forests and domains for Windows Server 2008
• Create and use an alternative UPN
• Understand the different tools used to migrate Active Directory objects

Basic Review of Active Directory Domain Services

• Active Directory domain
– Administrative boundary (not a security boundary; the forest is, see below)
– Holds a database of objects

Figure 1-1 A two-tree, four-domain forest (Courtesy Course Technology/Cengage Learning)

Active Directory Tree

• One or more domains with a common, contiguous namespace
– Includes the top-level name (.com) and the second-level name (Cengage)
• Multiple trees within a forest are allowed
• Tree domains in the same forest
– All domains share the same schema and global catalog

Active Directory Forest

• Includes one or more trees
– Each comprised of one or more domains
– A single root domain by itself is a forest
• Considered the security boundary
• Forest Enterprise Admins group
– Can administer any domain in the forest
– Cannot administer domains in other forests
• Common schema and common global catalog
– Shared by all forest domains
• Built-in (automatic, two-way, transitive) trust relationships with every other forest domain

Schema

• Defines the object classes that can be created in Active Directory
– User, computer, group
• Each class has specific properties (attributes) defined by the schema
• If an object class is not defined in the schema:
– Objects of that class cannot be added to Active Directory
• Schema modification
– ADPrep: Active Directory preparation tool

Trusts

• When a second or subsequent domain is added to a forest:
– A trust relationship is automatically created with the parent domain
– Allows child domain users to be granted access to parent domain resources
• Parent domain users can be granted access to child domain resources
• Trusts within a forest are two-way and transitive

Global Catalog

• Listing of all forest objects
• Single-domain forest: includes all domain objects (all forest objects)
• Multi-domain forest: includes all objects from each forest domain
– Includes only a subset of each object's properties (the partial attribute set)
• Hosted on a domain controller
– At least one GC server is required in the forest; Microsoft recommends one in each site (needed at logon in a multi-domain forest to expand universal group membership)
• Lightweight Directory Access Protocol (LDAP)
– Used to query GC Active Directory information (the GC listens on TCP 3268, and 3269 for LDAP over SSL)

Organizational Units

• Used within a domain to organize objects
• Reasons for creating an Organizational Unit (OU)
– Use Group Policy to manage users and computers
– Delegate permissions to administrators to manage a group of user and computer objects
– Organize objects so they are easier for administrators to manage

Group Policy

• Automates domain user and computer management and administration
• Settings created once in a Group Policy object (GPO)
– Linked to a site, domain, or OU
• The link defines the GPO's scope
• GPO settings apply to all users and computers in the GPO scope
• Group Policy Management Console (GPMC)
– Primary tool for managing Group Policy
– Two default GPOs created in each domain (Default Domain Policy and Default Domain Controllers Policy)

Site

• Group of well-connected computers or well-connected subnets
• Example:
– Rooms within a single building connected with a 1-Gb local area network (LAN)
– Second building internally well connected with a 1-Gb LAN
– The two buildings linked together with a 256-Kb connection
– The two buildings are not well connected to each other
– Each building is therefore considered a site

Understanding Domain and Forest Functional Levels

• The functional level applied
– Dictates the capabilities available within domains and the forest
• As functional levels rise:
– More capabilities are added
• Cannot raise levels
– Until all domain controllers are running specific versions of Windows Server
• Can only raise the forest functional level
– When all domains have reached the same level
• Raising a level is a one-way change: plan it as irreversible

Understanding Domain and Forest Functional Levels (cont’d.)

• Can only raise the domain functional level
– When all domain controllers are running the appropriate versions of Windows Server
• Design plan steps
– Verify all domain controllers are running at least Windows Server 2003
– Raise the domain functional level of each domain in each forest to at least Windows Server 2003
– Raise the forest functional level of each forest to at least Windows Server 2003

Domain Functional Level

• Each level provides different capabilities
• Domain functional levels:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
– Windows Server 2008 R2
• Key concept: the domain functional level is directly related to the domain controllers in the domain
• Default domain functional level
– Windows 2000 native

Table 1-1 Domain Functional Level Features

Domain Functional Level (cont’d.)

• Servers running older server operating systems cannot be promoted to domain controllers
– Once the domain functional level has been raised
• Significant Windows Server 2008 addition
– Fine-grained password and account lockout policies
• Activity 1-3: Raising the Domain Functional Level

Figure 1-4 Raising the domain functional level in Active Directory Users and Computers (Courtesy Course Technology/Cengage Learning)

Forest Functional Level Capabilities

• Apply to all domains in the forest
– Can be applied when all domains have been raised
• Cannot raise the forest functional level
– Until all domains are raised
• Example: forest functional level of Windows Server 2008
– Indicates every domain is at the Windows Server 2008 domain functional level, so every domain controller in the forest must be running at least Windows Server 2008
• Active Directory Domains and Trusts
– Used to raise the forest functional level
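The design plan above (verify every domain controller, raise each domain, then raise the forest) can be scripted so the one-way change is gated on an actual check of the DCs rather than on the GUI's confirmation prompt. The following is an added example, not code from the textbook; it assumes the Windows Server 2008 R2 ActiveDirectory module, Domain Admins rights in each domain and Enterprise Admins for the forest step, and the target levels are assumptions to be changed to match the plan:

```powershell
# Added example, not from the textbook: verify every domain controller supports
# the target level before raising each domain, then raise the forest once all
# domains are done. Assumes the Windows Server 2008 R2 ActiveDirectory module,
# Domain Admins rights in each domain and Enterprise Admins for the forest step.
# The target levels below are assumptions; change them to match your plan.
Import-Module ActiveDirectory

$targetDomainLevel = 'Windows2008Domain'
$targetForestLevel = 'Windows2008Forest'

# Oldest OS each domain level tolerates on a DC (name prefixes, ascending order)
$OsOrder   = @('Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2')
$MinimumOs = @{
    'Windows2003Domain'   = 'Windows Server 2003'
    'Windows2008Domain'   = 'Windows Server 2008'
    'Windows2008R2Domain' = 'Windows Server 2008 R2'
}

function Get-OsRank {
    # Highest index in $OsOrder whose name is a prefix of the DC's operatingSystem.
    # "Windows Server 2008 R2 Enterprise" matches both 2008 and 2008 R2, so the
    # last (highest) match wins. -1 = older than 2003 or unrecognised.
    param([string]$OperatingSystem)
    $rank = -1
    for ($i = 0; $i -lt $OsOrder.Count; $i++) {
        if ($OperatingSystem -like "$($OsOrder[$i])*") { $rank = $i }
    }
    return $rank
}

function Test-DomainReadyForLevel {
    # True when no DC in the domain runs an OS older than the level requires.
    param([string]$Domain, [string]$TargetLevel)
    $required = Get-OsRank $MinimumOs[$TargetLevel]
    $blocking = @(Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { (Get-OsRank $_.OperatingSystem) -lt $required })
    foreach ($dc in $blocking) {
        Write-Warning "$Domain : $($dc.HostName) runs '$($dc.OperatingSystem)' and blocks $TargetLevel"
    }
    return ($blocking.Count -eq 0)
}

$forest = Get-ADForest
$allDomainsRaised = $true
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $have = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$domain.DomainMode
    $want = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$targetDomainLevel
    if ($have -ge $want) { continue }                     # already at or above target
    if (Test-DomainReadyForLevel -Domain $domainName -TargetLevel $targetDomainLevel) {
        # One-way change: a raised level cannot normally be lowered again, so the
        # raise is gated on the DC check above.
        Set-ADDomainMode -Identity $domainName -DomainMode $targetDomainLevel `
            -Server $domain.PDCEmulator -Confirm:$false
    } else {
        $allDomainsRaised = $false
    }
}

if ($allDomainsRaised) {
    # Forest level only after every domain is at the matching domain level
    Set-ADForestMode -Identity $forest -ForestMode $targetForestLevel `
        -Server $forest.DomainNamingMaster -Confirm:$false
} else {
    Write-Warning 'Forest functional level not raised: one or more domains are not ready'
}
```

The OS check matches on the operatingSystem attribute of each domain controller object, which is what the GUI's "cannot raise" error is based on; a DC that has been demoted but whose computer object was left behind will still show up here and should be cleaned up rather than ignored.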


Table 1-2 Forest Functional Level Features

Designing Active Directory Domains and Forests

• Involves determining the forest and domain structure
– The logical structure of Active Directory
• Primary questions
– How many forests are needed?
– How many domains are needed?
• Single-domain forest
– Works for the majority of Active Directory designs
– Compared with multiple domains and multiple forests:
• Easier to manage and maintain
• Reduces potential problems

Autonomy vs. Isolation

• Requirements
– Determined by business needs
– Implemented by creating one or more forests
• Important points
– Autonomy
• Provides independent, but not exclusive, resource control
– Isolation
• Provides independent and exclusive resource control

Autonomy

• Independence achieved by:
– Creating separate domains within a forest
• Does not provide exclusive control
– Forest-level administrators (Enterprise Admins, and anyone who controls a domain controller anywhere in the forest) can still take control
• Service autonomy
– The organization independently manages the directory service
• Manages a child domain within a forest
• Data autonomy
– The organization independently manages the data
• Store all objects in an Organizational Unit (OU)
• Use the Delegation of Control Wizard

Isolation

• Achieved by creating a separate forest
– Resource sharing is still allowed (through trusts)
• Summary
– If part of an organization needs autonomy:
• Delegated control over an OU can provide data autonomy
• A separate domain in the forest can provide service autonomy
– If complete isolation is required:
• The design must include a separate forest

Creating a Separate Forest for a Separate Schema

• If extensive schema changes are required for a specific company department or branch
– Create a separate forest for this group
• Provides isolation for the group
• Limits schema complexities for most of the other users
• Schema changes used by the specific group
– Not seen in the primary forest
• A one-way forest trust is used for access to resources in the forest used by the majority of the users

Identifying Bandwidth Requirements for a Forest

• Replication within a well-connected site
– Rarely a problem
• Replication occurring over a wide area network (WAN)
– Bandwidth consumption raises concerns
• Creating two separate forests eliminates the replication traffic between them
– At the cost of a separate schema, global catalog, and administration for each
• Replication between domains in a forest
– Less extensive and does not include all domain controllers (only the schema, configuration, and application partitions, plus the global catalog's partial replica, cross domain boundaries)

Identifying Domain Requirements

• Start the design with a single domain
– Can handle more than 100,000 users
• Primary reason to create an additional domain
– Provide service autonomy within a forest
• Additional reasons to create separate domains
– Control replication traffic over WAN links
– Protect the root domain, and the accounts and groups in it (Enterprise Admins and Schema Admins), by keeping it small and free of ordinary user accounts

Identifying Domain Requirements (cont’d.)

• Microsoft-specific recommendations
– Provide valid starting points

Table 1-3 Maximum Users in a Domain

Understanding Trusts

• Trust relationships
– Automatically created between domains in a forest
– Created manually between individual domains in different forests, or between forests
– Can be one-way or two-way
– Can be transitive or non-transitive

One-way and Two-way Trusts

• Users in Domain B (the trusted domain) can be granted access to resources in Domain A (the trusting domain)
– Expressed as Domain A trusts Domain B
– In a trust diagram the arrow points from the trusting domain to the trusted domain
• If the arrow points both ways (two one-way arrows):
– A two-way trust relationship exists

Figure 1-6 Typical one-way trust relationship (Courtesy Course Technology/Cengage Learning)

Transitive and Non-Transitive Trusts

• Non-transitive trust
– Creates an explicit trust relationship between two domains
• Not extended to any other domains
• Transitive trust
– Extends across several domains
• No explicit trust relationships are created between the different domains

Figure 1-7 Transitive trusts in a forest (Courtesy Course Technology/Cengage Learning)

Transitive and Non-Transitive Trusts (cont’d.)

• Without transitive trusts:
– Explicit trust relationships are needed between each pair of domains
• Managed in Active Directory Domains and Trusts

Figure 1-8 Viewing a trust in Active Directory Domains and Trusts (Courtesy Course Technology/Cengage Learning)

Creating Trusts Between Forests

• Trust relationships between domains in two separate forests
– External trust
• Non-transitive; between two specific domains
– Forest trust
• Transitive; created between the two forest root domains
• Forest trusts
– Became available with the Windows Server 2003 forest functional level
– A single forest trust makes every domain in each forest trust every domain in the other (the transitivity does not extend to a third forest)

Choosing the Authentication Method

• Forest-wide authentication
– Windows automatically authenticates users from the other forest, allowing resource access in the local forest
– Still requires that the user be granted access to the resource
• No restriction on which users can be authenticated (they become members of Authenticated Users on every computer in the trusting forest)
• Selective authentication
– Prevents automatic authentication of users in the other forest
• The Allowed To Authenticate permission is required on the computer object hosting the resource

Figure 1-9 Choosing the trust authentication level (Courtesy Course Technology/Cengage Learning)

Choosing the Authentication Method (cont’d.)

• Forest-wide authentication
– Any user can be authenticated
– Only use if the organization implicitly trusts the other organization
• Activity 1-5: Creating a Forest Trust with Selective Authentication
• Activity 1-6: Configuring DNS to Support the Forest Trust

Granting Access to Users in Another Forest

Figure 1-11 Selecting users from another forest (Courtesy Course Technology/Cengage Learning)

Granting Access to Users in Another Forest (cont’d.)

• Once a forest trust is created
– Can grant access to resources in one domain to users in another domain
• Once the other domain is selected as the location
– Users in the other domain can be located and granted access to the resource
• The same procedure is used for forest-wide authentication and selective authentication
• Selective authentication requires an additional step

Implementing Selective Authentication

• Implementing selective authentication on a forest trust
– Requires the Allowed to Authenticate permission on each server or computer where access is granted
– Accomplished through Active Directory Users and Computers (Advanced Features view, Security tab of the computer object)
• Activity 1-7: Granting the Allowed to Authenticate Permission
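Both the Delegation of Control Wizard (data autonomy over an OU, described earlier) and the Allowed to Authenticate step for selective authentication come down to the same operation: writing an ACE for an extended right onto an Active Directory object. The following added example, not code from the textbook, does that once in a reusable function and applies it to both cases. It assumes the Windows Server 2008 R2 ActiveDirectory module, and the OU name, group names, server name and the partner forest name ct.com (taken from the Cengage/CT figures later in the chapter) are assumptions:

```powershell
# Added example, not from the textbook: grant an extended right on an AD object
# by writing an ACE, then read it back. Used twice: delegating "Reset Password"
# on an OU (data autonomy) and granting "Allowed to Authenticate" on a server's
# computer object (selective authentication). OU, group, server and partner
# forest names are assumptions. Needs the ActiveDirectory module and the right
# to modify the target object's ACL.
Import-Module ActiveDirectory

function Get-ADExtendedRightGuid {
    # rightsGuid of a control access right, looked up by display name in the
    # forest's Extended-Rights container so no GUID is hard-coded.
    param([string]$DisplayName)
    $config = (Get-ADRootDSE).ConfigurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    return [Guid][string]$right.rightsGuid
}

function Get-ADClassGuid {
    # schemaIDGUID of an object class, used to limit an inherited ACE to that class.
    param([string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $class = Get-ADObject -SearchBase $schema `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    return [Guid]([byte[]]$class.schemaIDGUID)
}

function Grant-ADExtendedRight {
    param(
        [string]$ObjectDN,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string]$RightName,
        [string]$InheritToClass = ''   # e.g. 'user'; empty = this object only
    )
    $path      = "AD:\$ObjectDN"
    $acl       = Get-Acl -Path $path
    $rightGuid = Get-ADExtendedRightGuid $RightName
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    if ($InheritToClass) {
        # Applies to descendant objects of the given class only, as the Delegation
        # of Control Wizard does for "Reset user passwords".
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $rights, $allow, $rightGuid, $inherit, (Get-ADClassGuid $InheritToClass))
    } else {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $rights, $allow, $rightGuid, $inherit)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-ADExtendedRightHolders {
    # Who holds an Allow ACE for the named extended right on the object.
    param([string]$ObjectDN, [string]$RightName)
    $guid = Get-ADExtendedRightGuid $RightName
    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { $_.ObjectType -eq $guid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.ToString() }
}

# 1. Data autonomy: the Sales help desk may reset passwords for users under the Sales OU.
$salesOu  = 'OU=Sales,DC=cengage,DC=com'                 # assumed OU
$helpDesk = (Get-ADGroup 'Sales-HelpDesk').SID            # assumed group
Grant-ADExtendedRight -ObjectDN $salesOu -Sid $helpDesk -RightName 'Reset Password' -InheritToClass 'user'

# 2. Selective authentication: a group from the trusted forest may authenticate to FS1 only.
$fs1     = (Get-ADComputer 'FS1').DistinguishedName       # assumed file server in the trusting forest
$partner = (Get-ADGroup 'CT-Users' -Server 'ct.com').SID  # assumed group in the trusted forest
Grant-ADExtendedRight -ObjectDN $fs1 -Sid $partner -RightName 'Allowed to Authenticate'

Get-ADExtendedRightHolders -ObjectDN $fs1 -RightName 'Allowed to Authenticate'
```

The read-back function is the check to run after Activity 1-7: it lists exactly which principals can authenticate to a given server across a selective-authentication trust, which is the inventory an auditor will ask for and which the GUI only shows one object at a time.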

Figure 1-12 Granting the Allowed to Authenticate permission to the Domain Admins group in a trusted domain (Courtesy Course Technology/Cengage Learning)

Using ADPrep

• Command-line tool on the installation DVD in the Sources\ADPrep folder
– Must be run with elevated permissions
• Needed if the forest was started with domain controllers running a version earlier than Windows Server 2008
– The schema and forest/domain updates must be in place before the first Windows Server 2008 domain controller can be promoted
• Three major switches
– /ForestPrep
– /DomainPrep
– /RODCPrep

Preparing the Forest

• ADPrep /ForestPrep command
– Modifies the forest schema
– Run on the server currently hosting the schema operations master role
– Requires membership in each of the following groups
• Enterprise Admins group
• Schema Admins group
• Domain Admins group of the domain that hosts the schema master
• From the installation DVD run:
– D:\Sources\ADPrep\ADPrep /ForestPrep
– Provide time for replication before continuing

Preparing a Domain

• Run ADPrep /DomainPrep after ADPrep /ForestPrep has completed and replicated
• Run on the server holding the infrastructure operations master role
– Must be a Domain Admins group member
– Needs an administrative (elevated) command prompt
• After the command runs:
– Can promote Windows Server 2008 and Windows Server 2008 R2 servers to domain controllers
• Can also run ADPrep /DomainPrep /GPPrep
– Adds the inheritable permissions on existing GPOs in SYSVOL that Resultant Set of Policy (RSoP) planning mode requires

Preparing for RODCs

• Run the ADPrep /RODCPrep command
• Required even if the first domain controller in the forest was created on a Windows Server 2008 or Windows Server 2008 R2 server
• Can be run on any domain controller in the forest
• Only needs to be run once
• Must be a member of the Enterprise Admins group to run this command
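Each ADPrep switch leaves a marker in the directory, so its completion (and replication) can be verified rather than assumed before the next step. The following added example, not code from the textbook, finds the domain controller each switch must run on and reads those markers back. The expected values are the ones Microsoft documents for the Windows Server 2008 and 2008 R2 versions of adprep and are assumptions to confirm against the release notes of the media actually used:

```powershell
# Added example, not from the textbook: locate the DCs each adprep switch must
# run on and read back the markers adprep writes, so each step can be verified
# after replication instead of assumed. Expected values are those documented for
# Windows Server 2008 / 2008 R2 adprep and are assumptions to confirm for your media.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain

# Where to run each step
"adprep /forestprep  -> schema master:         $($forest.SchemaMaster)"
"adprep /domainprep  -> infrastructure master: $($domain.InfrastructureMaster)"
"adprep /rodcprep    -> any DC, once per forest"

function Get-ADPrepStatus {
    # Version markers adprep updates; read from the DC you are connected to, so
    # run it against several DCs (Get-ADRootDSE -Server ...) to confirm replication.
    $cfg    = $rootDse.ConfigurationNamingContext
    $dom    = $rootDse.DefaultNamingContext
    $schema = Get-ADObject -Identity $rootDse.SchemaNamingContext -Properties objectVersion
    $fUpd   = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfg" -Properties Revision
    $rUpd   = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfg" `
                  -Properties Revision -ErrorAction SilentlyContinue   # absent until /rodcprep has run
    $dUpd   = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$dom" -Properties Revision
    @{
        SchemaVersion  = [int]$schema.objectVersion                      # 44 = Server 2008, 47 = Server 2008 R2
        ForestRevision = [int]$fUpd.Revision                             # 2  = Server 2008, 5  = Server 2008 R2
        RodcRevision   = $(if ($rUpd) { [int]$rUpd.Revision } else { 0 }) # 2 after /rodcprep
        DomainRevision = [int]$dUpd.Revision                             # 3  = Server 2008, 5  = Server 2008 R2
    }
}

function Test-ADPrepComplete {
    param([ValidateSet('2008', '2008R2')][string]$Target = '2008R2')
    $expected = @{
        '2008'   = @{ Schema = 44; Forest = 2; Domain = 3 }
        '2008R2' = @{ Schema = 47; Forest = 5; Domain = 5 }
    }[$Target]
    $s = Get-ADPrepStatus
    New-Object PSObject -Property @{
        Target         = $Target
        ForestPrepDone = ($s.SchemaVersion -ge $expected.Schema) -and ($s.ForestRevision -ge $expected.Forest)
        DomainPrepDone = $s.DomainRevision -ge $expected.Domain
        RodcPrepDone   = $s.RodcRevision -ge 2
    }
}

Test-ADPrepComplete -Target '2008R2'
```

Run the check on the schema master first and then on a domain controller in another site: /DomainPrep fails with a confusing error if it is started on the infrastructure master before the /ForestPrep changes have replicated there, which is the "provide time for replication" step above.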

Migration Strategies

• Reasons for a redesign:
– Accommodate an organizational restructure
– Reflect changes in the organization's physical layout
– Reduce organizational complexity
• By reducing the number of domains or forests
• Factors affecting the upgrade or migration
– Time constraints
– Resource availability
– Funding
– Application compatibility

Active Directory Migration Tool (ADMT)

• Migrates objects from one domain to another
– Within the same forest or between different forests
• Objects commonly migrated:
– Users, computers, groups
• ADMT version current at the time of writing: version 3.1
– Free download from Microsoft's download site
• ADMT source: the domain accounts are migrated from
• ADMT destination (target): the domain accounts are migrated to

ADMT Versions Needed for Different Functional Levels

• Functional level required for the target domain:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
• Cannot migrate objects into a domain at the Windows 2000 mixed domain functional level
– Must remove or upgrade the NT 4.0 domain controllers, then raise the domain functional level
• ADMT v3.0 can also be used to migrate objects from NT 4.0 domains

Interforest and Intraforest Migration

• Interforest migration
– Objects migrated between domains in separate forests
• Intraforest migration
– Objects migrated between domains in the same forest

Table 1-4 Comparison of Interforest and Intraforest Migrations

Understanding and Using SID History

• Security identifier (SID)
– Uniquely identifies a domain/forest object
– Created when the object is created
– Referenced by the permissions that grant access to objects in the domain
• Discretionary Access Control List (DACL)
– Controls access to a domain resource by listing SIDs and the permissions granted or denied to each

Figure 1-13 Viewing SIDs in a DACL (Courtesy Course Technology/Cengage Learning)

Understanding and Using SID History (cont’d.)

• Implementing SID history
– Allows the original SID to be imported into the account's sIDHistory attribute when the account is migrated
– Users retain access to data and resources whose DACLs still reference the old SID
• ADMT supports SID history retention
– An account can carry multiple SIDs
• Included in SID history and added to the user's access token at logon

Using SID Filtering

• Used when SID history presents a security risk
– If an attacker who controls the trusted domain can write SID history data:
• The attacker can add SIDs from the trusting domain (for example, the SID of a privileged group there) to the sIDHistory attribute of accounts he creates in his own domain
• Those accounts then receive access to resources based on the SIDs listed in SID history
• Also referred to as SID filter quarantining
• Risk prevention
– Blocks the use of any SIDs in an incoming token that did not originate in the trusted domain

Using SID Filtering (cont’d.)

• Disable SID filtering
– Run the Netdom command on the trusting domain
• Requires a command prompt with elevated permissions
• Requires a Domain Admins or Enterprise Admins group account
• Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
– Use only after careful consideration: it re-opens the SID history attack described above
– Re-enable with /quarantine:Yes; running the command without a value displays the current setting

Figure 1-14 One-way trust between Cengage and CT (Courtesy Course Technology/Cengage Learning)

Using SID Filtering (cont’d.)

• Activity 1-8: Verifying SID Filtering Status

Figure 1-15 Disabling SID filtering (Courtesy Course Technology/Cengage Learning)
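Activity 1-8 verifies SID filtering one trust at a time with Netdom. The state of every trust, including its direction, whether it is a forest or external trust, and whether selective authentication is on, is also recorded as bit flags on the trustedDomain objects under CN=System in the domain, so the whole inventory can be read in one query. The following added example, not code from the textbook, decodes those flags; the bit values are the MS-ADTS trustAttributes definitions, and the mapping from flags to a "SID filtering" verdict is this example's reading of them, so confirm any surprise with netdom trust <trusting> /domain:<trusted> /quarantine:

```powershell
# Added example, not from the textbook: list the trustedDomain objects of a
# domain and decode trustDirection / trustAttributes so trust type, selective
# authentication and SID filtering state can be verified from the directory.
# Flag values are the MS-ADTS trustAttributes bits; the SID-filtering verdict
# per trust kind is this example's interpretation, to be confirmed with netdom.
Import-Module ActiveDirectory

$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust (netdom /quarantine:Yes)
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication
$TA_WITHIN_FOREST      = 0x20   # automatic trust between domains of one forest
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-trust filtering (netdom /enablesidhistory:Yes)

$DirectionText = @{ 0 = 'Disabled'; 1 = 'Inbound (partner trusts us)'; 2 = 'Outbound (we trust partner)'; 3 = 'Two-way' }

function Get-TrustReport {
    # One object per trust. Run against the trusting domain to see its outbound trusts.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $base = (Get-ADDomain -Identity $Domain).DistinguishedName
    Get-ADObject -Server $Domain -SearchBase "CN=System,$base" `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes, trustType |
    ForEach-Object {
        $attr     = [int]$_.trustAttributes
        $isForest = ($attr -band $TA_FOREST_TRANSITIVE) -ne 0
        $isIntra  = ($attr -band $TA_WITHIN_FOREST) -ne 0
        $kind = if ($isIntra) { 'Intra-forest' }
                elseif ($isForest) { 'Forest' }
                elseif ([int]$_.trustType -eq 3) { 'Realm (MIT Kerberos)' }
                elseif ([int]$_.trustType -eq 1) { 'External (downlevel NT)' }
                else { 'External' }
        # An external trust filters only while QUARANTINED is set (netdom /quarantine).
        # A forest trust uses the stricter cross-forest filtering unless
        # TREAT_AS_EXTERNAL relaxes it so SID history from the trusted forest is honored.
        $sidFiltering = if ($isIntra) { 'n/a' }
                        elseif ($isForest) {
                            if ($attr -band $TA_TREAT_AS_EXTERNAL) { 'Relaxed (SID history honored)' } else { 'Enabled' }
                        }
                        elseif ($attr -band $TA_QUARANTINED_DOMAIN) { 'Enabled' }
                        else { 'DISABLED' }
        New-Object PSObject -Property @{
            Partner       = [string]$_.trustPartner
            Kind          = $kind
            Direction     = $DirectionText[[int]$_.trustDirection]
            Transitive    = $isForest -or $isIntra          # external and realm trusts are non-transitive
            SelectiveAuth = ($attr -band $TA_CROSS_ORGANIZATION) -ne 0
            SidFiltering  = $sidFiltering
        }
    }
}

Get-TrustReport | Format-Table Partner, Kind, Direction, Transitive, SelectiveAuth, SidFiltering -AutoSize
```

Any row whose Kind is External and SidFiltering is DISABLED is a trust on which the Netdom /quarantine:No command above has been run, and is the first thing to re-examine after a migration that used SID history has finished.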

Using Alternative UPN Suffixes

• User Principal Name (UPN)
– Allows a user to log on with an account name that looks like an e-mail address (user@suffix)
– The default suffix is the DNS name of the user's domain
• May create alternative UPN suffixes (forest-wide, in Active Directory Domains and Trusts)
– Assign these to users in the domain
– A UPN must be unique across the forest
• Activity 1-9: Creating an Alternative UPN Suffix
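Activity 1-9 creates the suffix in Active Directory Domains and Trusts and assigns it one user at a time. The same two steps, plus the uniqueness check that the GUI only performs when it rejects a duplicate, look as follows in an added example that is not code from the textbook; the suffix, the OU and the assumption that the domain's DNS name differs from the suffix users know are this example's own. It needs Enterprise Admins rights for the forest change and the Windows Server 2008 R2 ActiveDirectory module:

```powershell
# Added example, not from the textbook: register an alternative UPN suffix for
# the forest, then assign it to every user in one OU after checking the resulting
# UPN is not already used anywhere in the forest. Suffix and OU are assumptions.
Import-Module ActiveDirectory

$suffix = 'cengage.com'                             # assumed: the mail domain users already know
$ou     = 'OU=Sales,DC=corp,DC=cengage,DC=com'     # assumed OU in a domain whose DNS name differs

# 1. Register the suffix forest-wide (same as Domains and Trusts > Properties > UPN Suffixes)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

function Set-AlternateUpn {
    # Assigns sAMAccountName@Suffix to each user under SearchBase, skipping any UPN
    # already held by a different object (UPNs must be unique forest-wide, so the
    # lookup goes to a global catalog on port 3268, not just this domain).
    param([string]$SearchBase, [string]$Suffix)
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $upn   = "$($user.SamAccountName)@$Suffix"
        $clash = Get-ADUser -LDAPFilter "(userPrincipalName=$upn)" -Server "${gc}:3268" |
                 Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
        if ($clash) {
            Write-Warning "Skipping $($user.SamAccountName): $upn already used by $($clash.DistinguishedName)"
            continue
        }
        Set-ADUser -Identity $user -UserPrincipalName $upn
    }
}

Set-AlternateUpn -SearchBase $ou -Suffix $suffix
Get-ADUser -Filter * -SearchBase $ou | Select-Object SamAccountName, UserPrincipalName
```

When a forest trust exists, the new suffix must also not collide with a suffix routed from the other forest; the suffix routing tab of the trust's properties in Active Directory Domains and Trusts shows which suffixes are already claimed.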

Figure 1-16 Creating an alternative UPN suffix (Courtesy Course Technology/Cengage Learning)

Figure 1-17 Assigning an alternative UPN suffix to a user account (Courtesy Course Technology/Cengage Learning)

Installing the ADMT

• Install and run ADMT v3.1 on a Windows Server 2008 domain controller
– In the target domain
– Previous ADMT versions on this domain controller should be uninstalled first
• Activity 1-10: Installing ADMT

Enabling SID History for ADMT

• Steps:
– Create a domain local group in the source domain
• Named <NetBIOSDomainName>$$$ (it must remain empty)
– Modify the registry of the PDC emulator in the source domain
• Create a DWORD value named TcpipClientSupport in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA subkey
• Set the value to 1

Enabling SID History for ADMT (cont’d.)

• Steps (cont’d.)
– Enable Success and Failure auditing for Account Management in the Default Domain Controllers Policy
• In both the source and target domains
– Install and configure the Password Export Server (PES) service tool (needed only if passwords are to be migrated)
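The source-domain prerequisites above (the empty $$$ group, the TcpipClientSupport value on the PDC emulator, and Account Management auditing) are the steps that most often go wrong in practice, because ADMT only reports the failure later, when the first SID history migration is attempted. The following added example, not code from the textbook, performs and verifies them on the source PDC emulator; the source domain name is an assumption, the group name and registry value are the ones the slides give, and it must be run as a Domain Admin of the source domain:

```powershell
# Added example, not from the textbook: perform and verify the source-domain
# prerequisites for ADMT SID history migration on the source PDC emulator.
# The source domain name is an assumption; group name and registry value are
# the ones given in the chapter. Run as a Domain Admin of the source domain.
Import-Module ActiveDirectory

$sourceDomain = Get-ADDomain -Identity 'ct.com'      # assumed source domain
$pdc          = $sourceDomain.PDCEmulator
$localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($localFqdn -ne $pdc) {
    throw "Run this on the source PDC emulator ($pdc), not on $localFqdn"
}

# 1. The empty domain local group <NetBIOS>$$$ through which ADMT audits SID history writes
$groupName = $sourceDomain.NetBIOSName + '$$$'
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" -Server $pdc)) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope DomainLocal `
        -GroupCategory Security -Server $pdc `
        -Description 'ADMT SID history auditing group; must stay empty'
}
if (Get-ADGroupMember -Identity $groupName -Server $pdc) {
    throw "$groupName must have no members; ADMT refuses SID history migration otherwise"
}

# 2. TcpipClientSupport = 1 so the PDC emulator accepts the SID history RPC over TCP/IP.
#    LSA reads it at start-up, so the PDC emulator has to be restarted afterwards.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name TcpipClientSupport -PropertyType DWord -Value 1 -Force | Out-Null
if ((Get-ItemProperty -Path $lsa -Name TcpipClientSupport).TcpipClientSupport -ne 1) {
    throw 'TcpipClientSupport was not set'
}

# 3. Account Management auditing (Success and Failure) on domain controllers of both domains.
#    Set it in the Default Domain Controllers Policy with GPMC; auditpol reports the effective
#    setting on this DC, which is what ADMT's write of sIDHistory is checked against.
$audit      = auditpol /get /category:"Account Management" /r | ConvertFrom-Csv
$notAudited = @($audit | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
if ($notAudited.Count -gt 0) {
    $names = ($notAudited | ForEach-Object { $_.Subcategory }) -join ', '
    Write-Warning "Account Management auditing incomplete on $localFqdn : $names"
} else {
    "Account Management auditing: Success and Failure on $localFqdn"
}
```

Repeat the auditpol check on a domain controller in the target domain as well; the group and registry steps belong only to the source domain.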

Running ADMT

• After installing ADMT v3.1
– The migration process can begin
• Requires a trust relationship between the source and target domains
• Trust examples:
– Trust between two domains in the same forest
• Can be a direct parent-child trust or a transitive trust through the forest
– External trust between two domains in different forests
– Forest trust between two separate forests
• Activity 1-11: Running a Test Migration with ADMT

Figure 1-18 Selecting Group Account Migration (Courtesy Course Technology/Cengage Learning)

Figure 1-19 Completing the source and target domain selections (Courtesy Course Technology/Cengage Learning)

Figure 1-20 Successfully migrating a group (Courtesy Course Technology/Cengage Learning)

Summary

• Active Directory basics
– Tree, forest, schema, trusts, global catalog, Organizational Unit, Group Policy, site
• Domain and forest functional levels
– Dictate the available features
• Design considerations
– Autonomy and isolation, separate forests, bandwidth requirements, domain requirements
• Active Directory Preparation (ADPrep) tool

Summary (cont’d.)

• Trusts
– One-way and two-way trusts, transitive and non-transitive trusts, trusts between forests
• Authentication methods
– Forest-wide and selective authentication
• Migration considerations
– Active Directory Migration Tool (ADMT)
– Interforest and intraforest migration
– SID history and SID filtering
• Using the Netdom command