PowerPoint Slideshow about 'MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory' - perry-pena


MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

Chapter 10: Configuring and Maintaining the Active Directory Infrastructure

Objectives

Describe and configure Active Directory functional levels

Add and remove domains from a forest

Configure Active Directory trusts

Configure intrasite replication

Work with sites

Manage operations master roles

MCTS Windows Server 2008 Active Directory

Examining Active Directory Functional Levels

Functional levels allow administrators to maintain backward compatibility with older domain controllers while new Active Directory features are added

Functional levels should be set to the highest level that all domain controllers on the network support

Member servers / workstations are independent of functional levels

Forest Functional Levels

Forest functional level determines the features of Active Directory that have forest-wide implications

A Server 2008 domain controller supports the following functional levels:

Windows 2000

Lacks the ability to use forest trusts and to rename a domain

Windows 2003

Supports all the features present in Windows 2000, plus the following features: forest trusts, Knowledge Consistency Checker (KCC) improvements, linked-value replication, domain rename, read-only domain controller deployment

Windows 2008

All the features of 2003, but no additional features (yet)

Domain Functional Levels

A domain controller can’t be configured to run at a lower functional level than the functional level of the forest.

Like forest functional levels, domain functional levels can be raised but not lowered

Features:

Windows 2000 Native: Universal groups, group nesting, group conversion, Security identifier (SID) history

Windows Server 2003: All features of Windows 2000 native, domain controller renaming, logon timestamp replication, selective authentication, Users and Computers container redirection

Windows Server 2008: All features of Windows 2003, Distributed File System replication, fine-grained password policies, interactive logon information, Advanced Encryption Standard (AES) support

Raising the Domain Functional Level

All domain controllers must be running a Windows OS compatible with the desired functional level

Functional level can be raised in Active Directory Domains and Trusts

The functional level is raised on only one domain controller; the change replicates to the other domain controllers automatically

Once the functional level is raised, it cannot be reversed

Raising the Domain Functional Level (cont.)

Raising the Forest Functional Level

You must be a member of the Domain Admins or Enterprise Admins group to raise the forest functional level

If raising both domain and forest functional levels, the domain functional level must be raised first

Domain functional levels must be equal to or greater than the forest functional level

Once functional level is raised, it cannot be lowered
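The two slides above describe a procedure with an ordering constraint (domain first, then forest) and no undo. The following pre-flight script is an added example, not from the textbook, that enumerates every DC and its operating system, refuses to proceed if any DC cannot run at the target level, and then raises the domain and forest levels in the required order. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later; Server 2008 itself only has the Active Directory Domains and Trusts console), Enterprise Admins rights, and that the OS-version thresholds in the table are correct for the environment.

```powershell
# Added example (not from the textbook): pre-flight check before raising
# functional levels. Assumes the ActiveDirectory module (RSAT, Windows Server
# 2008 R2 or later) and an account in Enterprise Admins.
Import-Module ActiveDirectory

# Lowest OS version that can run at each target level. These thresholds are an
# assumption for the check; confirm them against Microsoft's documentation.
$minimumOs = @{
    'Windows2003Domain' = [version]'5.2'   # Windows Server 2003
    'Windows2008Domain' = [version]'6.0'   # Windows Server 2008
}

function Test-DcSupportsLevel {
    param([string]$TargetLevel)
    $required = $minimumOs[$TargetLevel]
    # Every DC in the domain must run an OS at or above the target level;
    # member servers and workstations do not matter here.
    Get-ADDomainController -Filter * | ForEach-Object {
        # OperatingSystemVersion looks like "6.0 (6002)"; keep the leading number
        $osVersion = [version]($_.OperatingSystemVersion -replace '\s.*$', '')
        [pscustomobject]@{
            HostName  = $_.HostName
            OS        = $_.OperatingSystem
            Supported = ($osVersion -ge $required)
        }
    }
}

$target = 'Windows2008Domain'
$report = Test-DcSupportsLevel -TargetLevel $target
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Supported }) {
    Write-Warning "At least one DC cannot run at $target; the raise would fail. Stopping."
    return
}

# Show where every domain in the forest currently sits. The forest level can
# never exceed the lowest domain level, so all domains must be raised first.
(Get-ADForest).Domains | ForEach-Object {
    Get-ADDomain -Identity $_ | Select-Object DNSRoot, DomainMode
} | Format-Table -AutoSize

# Order matters, and neither change can be undone: domain first, then forest.
$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Current domain mode: $($domain.DomainMode); forest mode: $($forest.ForestMode)"

Set-ADDomainMode -Identity $domain -DomainMode $target -Confirm:$true
Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -Confirm:$true
```

Both Set-AD*Mode calls are run with confirmation on because the slide's warning is the whole point: once raised, a functional level cannot be lowered, so the report above is the last chance to catch a forgotten down-level DC.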

Raising the Forest Functional Level (cont.)

Preparing a Forest and Domain for Windows Server 2008 with Adprep

The Adprep command-line program prepares an existing forest or domain for the addition of a Windows Server 2008 domain controller

To prepare the forest, run the adprep /forestprep command on a Windows Server 2003 or Windows 2000 domain controller acting as the schema master

Then run adprep /domainprep in each domain where you plan to add a Windows Server 2008 DC. Windows 2000 requires adprep /domainprep /gpprep

Preparing for a Read Only Domain Controller

Before you can install an RODC in an existing domain that isn’t running all Windows Server 2008 DCs, follow these steps:

Verify the functional level is Windows Server 2003 or higher

Prepare the forest

Install at least one writeable DC running Windows Server 2008

Install an RODC on a full Windows Server 2008 installation or a Server Core installation

Removing a Domain Controller

Be aware of some potential issues

If the DC performs any operations master roles, you must first transfer the role to another DC

If the DC is a global catalog server, make sure at least one other DC is a global catalog server

If it’s the only DC in the domain, you’ll also remove the domain

Dcpromo is used to remove domain services

If the server wasn’t the last DC, it will remain a member of the domain

Removing a Domain

Two ways to remove a domain:

Dcpromo

Ntdsutil

If the DC crashed or was taken offline without using dcpromo to demote it to a regular server, you must use Ntdsutil to remove the domain

This process is called removing an orphaned domain

A metadata cleanup will remove all selected domain data from the rest of the forest

Using the Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) allows moving objects and restructuring Active Directory without users losing access to network resources, and has three main types of migration:

Intraforest migration

Interforest migration

Migration of an NT 4.0 domain to an Active Directory domain

Before attempting migration, you should review the Active Directory Migration guide

Terms used for migration planning and implementation:

SID History

Security Translation

Password Export Server (PES)

Configuring Active Directory Trusts

Recall that all domains in a forest trust one another automatically through two-way transitive trusts, which you can’t remove

Types of trusts you can configure:

Shortcut trust

Forest trust

External trust

Realm trust

DNS must be configured so that FQDNs of DCs in all participating domains can be resolved

Configuring Shortcut Trusts

A shortcut trust is a one-way or two-way transitive trust between two domains in the same forest or two domains in trusting forests

Helps to reduce authorization delays between domains

Shortcut trusts between domains in different forests require a forest trust to be configured

Trusts between forests and external trusts might require additional DNS configuration

Configuring Forest Trusts

DNS must be configured correctly in both forest root domains

You must initiate the forest trust in Active Directory Domains and Trusts from the forest root domain

When creating a forest trust, you must specify the type of authentication you wish to use:

Forest-wide authentication is a property of a forest trust in which all users in a trusted forest can be authenticated to the trusting forest

Selective authentication enables administrators to specify users who can authenticate to selected resources in the trusting forest

Configuring External and Realm Trusts

An external trust is created between domains in different forests or between domains in a Windows Server 2003/2008 forest and a Windows 2000 server forest or Windows NT domain

An external trust is not transitive; the procedure for creating one is nearly identical to creating a forest trust

When creating a realm trust, the main consideration is whether or not it should be transitive

Configuring Trust Properties

The Properties dialog box of a forest trust contains three tabs:

The General Tab – Provides options:

The other domain supports Kerberos AES Encryption

Direction of trust

Transitivity of trust

Validate

Save As

The Name Suffix Routing Tab – Allows you to control which name suffixes used by the trusted forest are routed for authentication

Authentication Tab – Same options as the Outgoing Trust Authentication Level window

SID Filtering

The SIDHistory attribute can be used for nefarious purposes to gain administrative privileges in a trusting forest

To counter the security risk, Windows provides a feature called SID filtering

SID Filtering causes the trusting domain to ignore any SIDs that aren’t from the trusted domain

SID filtering is enabled by default on external trusts but is disabled on forest trusts
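The trust-properties slide and the SID filtering slide above both describe settings that are easy to leave in a weak state after a migration. The script below is an added example, not from the textbook, that audits every trust of the current domain: it reports direction, transitivity and selective authentication, and flags an external trust whose SID filtering (quarantine) is off, or a forest trust on which SID history has been allowed across the trust. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); the netdom commands in the trailing comments are built into Windows Server 2008, and the domain names in them are placeholders.

```powershell
# Added example (not from the textbook): audit trust properties and SID
# filtering state for every trust in the current domain.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-TrustAudit {
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest)          { 'Intra-forest' }
                elseif ($_.ForestTransitive) { 'Forest' }
                else                         { 'External/Realm' }

        # SIDFilteringQuarantined = classic SID filtering (netdom /quarantine).
        # SIDFilteringForestAware = $true means SID history is allowed across a
        # forest trust (netdom /enablesidhistory:yes), i.e. filtering was relaxed.
        $finding = $null
        if ($kind -eq 'External/Realm' -and -not $_.SIDFilteringQuarantined) {
            $finding = 'SID filtering disabled on external trust'
        }
        elseif ($kind -eq 'Forest' -and $_.SIDFilteringForestAware) {
            $finding = 'SID history allowed across forest trust'
        }

        [pscustomobject]@{
            Partner       = $_.Target
            Type          = $kind
            TrustType     = $_.TrustType            # Uplevel, Downlevel, Realm ...
            Direction     = $_.Direction            # Inbound, Outbound, BiDirectional
            Transitive    = -not $_.DisallowTransivity
            SelectiveAuth = $_.SelectiveAuthentication
            Quarantined   = $_.SIDFilteringQuarantined
            ForestAware   = $_.SIDFilteringForestAware
            Finding       = $finding
        }
    }
}

# Full report, then only the trusts that need attention
Get-TrustAudit | Format-Table -AutoSize
Get-TrustAudit | Where-Object { $_.Finding } | Format-List Partner, Type, Finding

# Querying and re-enabling SID filtering on an external trust is done from the
# trusting domain with netdom (built into Windows Server 2008). Domain names
# are placeholders:
#   netdom trust trusting.example /domain:trusted.example /quarantine
#   netdom trust trusting.example /domain:trusted.example /quarantine:Yes
```

The audit is read-only; the netdom lines are left as comments so the report can be reviewed before any trust is changed. Intra-forest trusts are listed but never flagged, since the slide notes they are automatic and cannot be removed.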

Configuring Intrasite Replication

Intrasite and intersite replication use the same basic processes to replicate Active Directory data

Intersite replication is optimized to take slower WAN links into account

Intrasite replication can be initiated in one of two ways:

Notification

Periodic replication

Intrasite replication involves two main components: Knowledge Consistency Checker (KCC) and connection objects

Knowledge Consistency Checker (KCC)

KCC is a process that runs on every DC and, for intrasite replication, builds a replication topology among DCs in a site and establishes replication partners

The KCC on each domain controller uses data stored in the forest-wide configuration directory partition to create the replication topology

The replication topology can be recalculated manually in Active Directory Sites and Services

Connection Objects

Connection objects define the connection parameters between two replication partners

Changes to intrasite connection objects are usually unnecessary, but they can be made in Active Directory Sites and Services

General tab in the Properties dialog box is the only one of interest for connection objects, and contains the following fields:

Change Schedule

Replicate from Server

Replicate from Site

Replicated Naming Context(s)

Partially Replicated Naming Context(s)

Creating Connection Objects

You can create connection objects for intrasite replication if you want to alter the replication topology manually

By default, the schedule for a new connection object is set to every 15 minutes, but this value can be changed

Changing the schedule for connection objects can be useful for troubleshooting replication problems

Checking Replication Status

Active Directory Sites and Services can be used to force the KCC to check the replication topology

Repadmin.exe is a tool that will show detailed information about connections and replication status

To use, type repadmin /showrepl

Repadmin can also be used to show the partitions being replicated by each connection object, force replication to occur, force the KCC to recalculate the topology, and other actions
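The slide names repadmin /showrepl but its plain output is hard to scan across many DCs. The function below is an added example, not from the textbook, that asks repadmin for CSV output, reads it into objects, and reports only the inbound connections that have failed or have not succeeded within a chosen window. repadmin.exe ships with AD DS on Windows Server 2008; the CSV column names used are repadmin's own, and the three-hour threshold is an assumption to tune for the environment.

```powershell
# Added example (not from the textbook): turn repadmin output into a
# replication health report. repadmin.exe ships with AD DS on Server 2008.
function Get-ReplicationHealth {
    param(
        # Assumption: flag a partner whose last successful replication is older than this
        [int]$MaxAgeHours = 3
    )
    # "/showrepl * /csv" reports every inbound connection of every DC in the forest
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        $lastSuccess = $null
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '(never)') {
            $lastSuccess = [datetime]$row.'Last Success Time'
        }
        $failures = [int]$row.'Number of Failures'
        $stale = (-not $lastSuccess) -or
                 ($lastSuccess -lt (Get-Date).AddHours(-$MaxAgeHours))

        [pscustomobject]@{
            Destination    = $row.'Destination DSA'
            Source         = $row.'Source DSA'
            NamingContext  = $row.'Naming Context'
            Failures       = $failures
            LastStatus     = $row.'Last Failure Status'
            LastSuccess    = $lastSuccess
            NeedsAttention = ($stale -or $failures -gt 0)
        }
    }
}

# Only the connections that need a closer look
Get-ReplicationHealth | Where-Object { $_.NeedsAttention } | Format-Table -AutoSize

# Related repadmin actions mentioned on the slide, for follow-up:
#   repadmin /replsummary          per-DC summary of failures and largest delta
#   repadmin /kcc <DC>             force the KCC on that DC to recalculate the topology
#   repadmin /syncall <DC> /AeP    push replication of all partitions across all partners
#   repadmin /bridgeheads <DC>     bridgehead servers in that DC's site (see the Bridgehead Servers slide)
```

A connection with Failures greater than zero and a recent LastSuccess usually means a transient problem that has already recovered; a connection with no success at all inside the window is the one to chase first, starting with the LastStatus error code.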

Global Catalog Replication

Global Catalog contains a partial replica of all objects in the forest, maintains universal group memberships, provides cross-domain logon support, and is used to locate objects throughout the forest

Global catalog servers keep inbound connections with a DC in each domain the global catalog is built from

Connections between global catalog servers always include replication of the global catalog partition

Global Catalog Replication (cont.)

Special Replication Situations

Most Active Directory database changes follow the regular replication rules

Certain changes require special processing:

Urgent replication events (trigger change notifications immediately):

Account lockouts

Changes to the account lockout policy

Changes to the domain password policy

Changes to non-security principal passwords

Password change to a DC computer account

Changes to the RID master DC

User Account password changes

RODC Replication

An RODC is treated like any other domain controller when considering replication topology

Limitations to keep in mind:

Connection between an RODC and a writeable DC is a one-way connection

Two RODCs can replicate with one another, as long as one has an incoming connection with a writeable DC

The domain directory partition can be replicated only to an RODC from a Windows Server 2008 DC. Windows Server 2003 DCs can replicate other partitions to an RODC

When upgrading a domain from Windows Server 2003, the first Windows Server 2008 DC must be writeable

Creating Sites

A site is an AD object containing domain controllers and replication settings and is usually associated with IP subnets and site links

Sites are usually geographically dispersed and connected by WAN links

When you create a site, you’re asked to select a site link

DEFAULTIPSITELINK is the only choice unless you’ve created other site links

Creating Sites (cont.)

The Significance of Subnets

After creating a site, you must associate one or more subnets with it

AD uses this information in two important ways:

Placing new domain controllers in the appropriate site

Determining which site a client computer belongs to

If a client’s IP address doesn’t match a subnet in any of the defined sites, communication efficiency could degrade because the client might request services from servers in remote sites instead of locally
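The failure mode in the last bullet (a client whose address matches no subnet) leaves a trace: the Netlogon service on each DC records such lookups by default as NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log and summarises them in System event ID 5807. The script below is an added example, not from the textbook, that parses those lines, groups the unmatched clients into candidate /24 networks, and shows the remediation. The log lines are constructed for the demo; the /24 grouping, the site name and the subnet are assumptions, and New-ADReplicationSubnet requires the ActiveDirectory module from Windows Server 2012 or later (on Server 2008 the same step is done in Active Directory Sites and Services).

```powershell
# Added example (not from the textbook): find clients whose IP address is not
# covered by any AD subnet, from Netlogon's NO_CLIENT_SITE log lines.
# The sample lines below are constructed for this demo.
$sampleLog = @'
05/12 09:14:02 [MISC] [1280] CONTOSO: NO_CLIENT_SITE: WS-0412 10.50.7.21
05/12 09:14:05 [MISC] [1280] CONTOSO: NO_CLIENT_SITE: WS-0419 10.50.7.88
05/12 09:15:11 [MISC] [1280] CONTOSO: NO_CLIENT_SITE: LT-0077 172.16.40.5
05/12 09:16:40 [MISC] [1280] CONTOSO: NO_CLIENT_SITE: WS-0412 10.50.7.21
'@ -split "`r?`n"

function Get-UncoveredSubnets {
    param([string[]]$Lines)
    $pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d+\.\d+\.\d+\.\d+)'

    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Host = $Matches['host']
                IP   = $Matches['ip']
                # Assumption: group by the first three octets as a candidate /24;
                # the real subnet size comes from the network team, not the log.
                Candidate = ($Matches['ip'] -replace '\.\d+$', '.0/24')
            }
        }
    }

    $hits | Group-Object -Property Candidate | ForEach-Object {
        $hosts = $_.Group | ForEach-Object { $_.Host } | Sort-Object -Unique
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            Lookups         = $_.Count
            Hosts           = ($hosts -join ', ')
        }
    }
}

# Demo run on the constructed lines
Get-UncoveredSubnets -Lines $sampleLog | Format-Table -AutoSize

# On a DC, run it over the real log instead:
#   Get-UncoveredSubnets -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")

# Remediation: associate the missing subnet with the site whose DCs should serve
# those clients. Subnet and site names are placeholders; the cmdlet needs the
# ActiveDirectory module from Windows Server 2012 or later.
#   New-ADReplicationSubnet -Name '10.50.7.0/24' -Site 'Branch-Site'
```

Run regularly on each DC, the report doubles as a change-control check: a new candidate subnet appearing in it means a network was added without the matching site and subnet objects, which is exactly the situation the slide warns degrades logon and lookup efficiency.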

Configuring Site Links

Any new sites you create use the default site link, DEFAULTIPSITELINK, for their connection with other sites

Additional site links can help adjust the replication schedule according to a network’s link characteristics

Descriptive names should be used for site links

A site can exist in more than one site link

Bridgehead Servers

Intersite Topology Generator is responsible for assigning a bridgehead server for each directory partition in the site

Bridgehead servers are responsible for all intersite replication

Bridgehead servers can be designated manually

Repadmin /bridgeheads command can list which DCs in a site are acting as bridgehead servers to other sites

Intersite Transport Protocols

Two protocols can be used to replicate between sites:

IP

SMTP

IP is used by default in the DEFAULTIPSITELINK site link and is recommended in most cases

Simple Mail Transfer Protocol is used primarily for e-mail and works well for slower, less reliable, or intermittent connections

With SMTP, a DC can send multiple replication requests simultaneously without waiting for a reply

Site Link Bridges

By default, site link bridging is enabled, which makes site links transitive

You can change the transitive behavior of site links by turning off site link bridging and creating site link bridges manually

Automatic site bridging can lead to over-utilization of a slower WAN link

Other reasons to create site link bridges manually:

Control traffic through firewalls

Accommodate a partially routed network

Reduce confusion of the KCC

The Global Catalog and Universal Group Membership Caching

Global catalog servers increase replication traffic

Windows Server 2008 includes universal group membership caching, which allows universal group membership information to be retrieved from a global catalog server in a different site, then cached locally on every DC in the site and updated every 8 hours

Microsoft recommends placing a global catalog server in the site when the number of accounts exceeds 500 and the number of DCs exceeds two

Operations Master Best Practices

If you build a new forest, the first DC installed performs all five FSMO roles

This is acceptable for small environments, but larger environments may perform better if these roles are transferred to separate servers

Common rules for operations masters:

Unless your domain is small, transfer operations master roles to other DCs

Place the servers performing these roles where network availability is high

Designate an alternate DC for all roles

Domain Naming Master

The domain naming master is needed when a domain or domain controller is added or removed from the forest

Attempting to add or remove a domain while the DC performing this role is down is not advisable

When possible, the domain naming master should be a direct replication partner with another DC that’s also a global catalog server in the same site

Schema Master

The schema master is needed when the Active Directory schema is changed

Generally, the schema master role should be transferred to another server only when you’re certain the original server will be down permanently

PDC Emulator

Processes password changes for older Windows clients (Windows 9x and NT)

Should be placed where there is a high concentration of users

Shouldn’t be placed on a DC that is also a global catalog server

RID Master

Every Active Directory object uses a RID to create the object's SID

The RID master provides these RIDs to domain controllers

Ideally placed with the PDC emulator because the PDC emulator uses the RID master’s services frequently

Infrastructure Master

Role is most needed when many objects have been moved or renamed

Shouldn’t be performed by a DC that’s also a global catalog server, but should be at least in the same site as a global catalog server

If the Master fails, the role can be moved to another DC if necessary

Transferring Operations Master Roles

Transferring an operations master role means moving the role’s function from one server to another while the original server is still in operation

Generally done for the following reasons:

DC performing the role was the first DC in the forest, and therefore holds all roles

DC performing the role is being moved to a location that isn’t well suited for the role

The current DC’s performance is inadequate because of the resources the FSMO role requires

The current DC is being taken out of service temporarily or permanently

Transferring Operations Master Roles (cont.)

Seizing Operations Master Roles

An operations master role is seized when the current role holder is no longer online because of some type of failure

Seizing should never be done when the current role holder is accessible

Seizing is done with the ntdsutil command
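The slides on best practices, transferring and seizing describe one decision: locate the role holders, transfer when the holder is up, seize only when it is not. The script below is an added example, not from the textbook, that implements that decision with a reachability check in front of the seizure path. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and uses placeholder server names; the ntdsutil sequence in the trailing comment is the built-in Windows Server 2008 equivalent the slide refers to.

```powershell
# Added example (not from the textbook): find the five FSMO role holders,
# transfer a role gracefully, and fall back to seizing only when the holder is
# confirmed unreachable. Assumes the ActiveDirectory module (RSAT, Windows
# Server 2008 R2 or later); server names are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest     # forest-wide roles
    $domain = Get-ADDomain     # domain-wide roles
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        # One of: SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
        [string]$Role,
        [string]$TargetDc
    )
    $currentHolder = (Get-FsmoHolders).$Role

    # Prefer a transfer: it requires the current holder online and keeps both
    # copies of the directory consistent about who owns the role.
    $holderOnline = Test-Connection -ComputerName $currentHolder -Count 2 -Quiet
    if ($holderOnline) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role
        return "Transferred $Role from $currentHolder to $TargetDc"
    }

    # Seizure (-Force) is for a holder that will not come back. The old holder
    # must never be returned to the network still believing it owns the role;
    # rebuild it (or run a metadata cleanup) instead.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force
    return "Seized $Role on $TargetDc (previous holder $currentHolder unreachable)"
}

Get-FsmoHolders | Format-List
Move-FsmoRole -Role PDCEmulator -TargetDc 'DC02'

# Equivalent interactive ntdsutil session on Windows Server 2008 (the slide's
# tool), shown for the PDC emulator; "seize pdc" replaces "transfer pdc" only
# when the holder is gone for good:
#   ntdsutil
#     roles
#     connections
#       connect to server DC02
#       quit
#     transfer pdc
#     quit
#   quit
```

A ping answer is a weak proxy for "accessible", so in practice the transfer branch is the real test: if Move-ADDirectoryServerOperationMasterRole without -Force fails because the holder cannot be contacted, that failure, not a timeout, is the evidence that justifies a seizure.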

Chapter Summary

Administrators can configure functional levels on a new domain controller to maintain backward compatibility

Functional levels can be raised but not lowered

Windows Server 2008 supports three forest functional levels: Windows 2000, Windows Server 2003, and Windows Server 2008. Supported domain functional levels have nearly identical names

You can raise functional levels when you install AD, or you can raise them manually

Chapter Summary (cont.)

Before you can install a Windows Server 2008 server as a DC in an existing Windows Server 2003 or Windows 2000 server domain, existing domain controllers must be prepared

Before you can install an RODC in an existing domain, the forest functional level must be at least Windows Server 2003

To remove a domain controller, you use dcpromo or ntdsutil

Use the Active Directory Migration Tool to migrate accounts from one domain or forest to another

Chapter Summary (cont.)

Before creating a trust of any type, DNS must be configured so that FQDNs of domain controllers in all participating domains can be resolved

Some trust properties you can configure include the trust direction and transitivity, name suffix routing, and authentication

Both intrasite and intersite replication use the same basic processes to replicate Active Directory data; the main goal is to balance data replication timeliness and efficiency

Chapter Summary (cont.)

A site is an Active Directory object containing domain controllers and default settings for replication within the site and is usually associated with one or more IP subnets and site links

Connection objects provide the connection and replication parameters between two servers

Bridgehead servers are responsible for all intersite replication

Universal group membership caching resolves the potential conflict between faster logons and additional replication traffic

Deciding where to place the FSMO role holder is part of your overall Active Directory design strategy
