Implementing Active Directory

Implementing Active Directory
Lesson 2
Skills Matrix

Technology Skill                                            | Objective Domain                                                   | Objective #
Installing a New Active Directory Forest                    | Configure a forest or a domain                                     | 2.1
Establishing and Maintaining Trust Relationships            | Configure trusts                                                   | 2.2
Configuring Active Directory Lightweight Directory Services | Configure Active Directory Lightweight Directory Services (AD LDS) | 3.1
Configuring a Read-Only Domain Controller                   | Configure the Read-Only Domain Controller (RODC)                   | 3.3
Server Manager
• Located in Administrative Tools.
– Can also be accessed by right-clicking My Computer and selecting Manage.
• Allows you to:
– Add roles such as DNS server or the Active Directory Domain Services role.
– Perform system diagnostics.
– Configure system services.
– Drill down into specific administrative tools.
Requirements for Active Directory
• A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full version or Server Core).
• An administrator account and password on the local machine.
• An NT file system (NTFS) partition for the SYSVOL folder structure.
– 200 MB minimum free space on the previously mentioned NTFS partition for Active Directory database files.
– 50 MB minimum free space for the transaction log files.
– Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured.
• An authoritative DNS server for the DNS domain that supports service resource (SRV) records.
– Recommended to also support incremental zone transfers and dynamic updates.
Installing Active Directory
• To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager.
Installing Active Directory
• The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
– Adding a domain controller to an existing environment.
– Creating an entirely new forest structure.
– Adding a child domain to an existing domain.
– Adding a new domain tree to an existing forest.
– Demoting domain controllers and eventually removing a domain or forest.
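As an added example (not part of the course slides), the "entirely new forest" scenario above can also be run unattended with dcpromo's /unattend switch instead of clicking through the wizard. The PowerShell wrapper below (PowerShell 2.0 or later assumed) performs the NTFS and free-space checks from the Requirements slides, writes the answer file, runs dcpromo, and deletes the answer file afterwards because it holds the Directory Services Restore Mode password in clear text. The domain name, NetBIOS name and paths are constructed placeholders; the [DCInstall] keys are the documented Windows Server 2008 unattend parameters.

```powershell
# Added example, not part of the course material: unattended creation of a new
# forest with dcpromo on Windows Server 2008 (PowerShell 2.0 or later assumed).
# Domain name, NetBIOS name and paths below are constructed placeholders.
$answerFile   = Join-Path $env:TEMP 'dcpromo-newforest.txt'
$dsrmPassword = Read-Host 'Directory Services Restore Mode (DSRM) password'

# Pre-checks taken from the Requirements slides: SYSVOL needs an NTFS volume with
# at least 200 MB for the database files and 50 MB for the transaction logs.
$systemDrive = $env:SystemDrive
$volume = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
if ($volume.FileSystem -ne 'NTFS') {
    throw "$systemDrive is $($volume.FileSystem); Active Directory requires NTFS."
}
if ($volume.FreeSpace -lt 250MB) {
    throw "$systemDrive has $([int]($volume.FreeSpace / 1MB)) MB free; need at least 250 MB."
}

# [DCInstall] keys are the documented dcpromo unattend parameters.
# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=Yes
DatabasePath="$systemDrive\Windows\NTDS"
LogPath="$systemDrive\Windows\NTDS"
SYSVOLPath="$systemDrive\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerFile
} finally {
    # The answer file holds the DSRM password in clear text: delete it before
    # the reboot rather than leaving it behind in %TEMP%.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Confirm
```

RebootOnCompletion is deliberately set to No so the answer file is removed before the machine restarts; the same answer-file layout with ReplicaOrNewDomain=Replica covers the "add a domain controller to an existing environment" scenario.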
Choosing the Deployment Configuration
Post-Installation Tasks
• Upon completion of the Active Directory installation, you should verify a number of items:
– Application directory partition creation.
– Aging and scavenging for zones.
– Forward lookup zones and SRV records.
– Reverse lookup zones.
Application Partitions
Aging and Scavenging of DNS Records
• Aging and scavenging are processes that can be used by Windows Server 2008 DNS to clean up the DNS database after DNS records become “stale” or out of date.
• Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk space issues.
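An added example (not from the course slides) of reviewing and enabling aging and scavenging. It assumes the DnsServer PowerShell module shipped with Windows Server 2012 and later; on Windows Server 2008 itself the same settings are reached through dnscmd or the DNS console. The zone name is a constructed placeholder, and without -Apply the script only reports, because scavenging deletes records and a window that is shorter than the refresh interval of dynamically registered hosts would remove live records.

```powershell
# Added example, not part of the course material: review DNS aging and scavenging
# on a Windows DNS server. Assumes the DnsServer module (Windows Server 2012+).
# The zone name is a constructed placeholder.
param(
    [string]$ZoneName = 'corp.example.com',
    [switch]$Apply                            # without -Apply, report only
)
Import-Module DnsServer

# 1. Server-wide scavenging: nothing is ever removed unless this is enabled.
$server = Get-DnsServerScavenging
"Server scavenging enabled : $($server.ScavengingState)"
"Server scavenging interval: $($server.ScavengingInterval)"
"Last scavenge run         : $($server.LastScavengeTime)"

# 2. Per-zone aging: records in a zone are only candidates if the zone has aging on.
$zone = Get-DnsServerZoneAging -Name $ZoneName
"Zone $ZoneName aging enabled: $($zone.AgingEnabled)"
"  No-refresh interval: $($zone.NoRefreshInterval)"
"  Refresh interval   : $($zone.RefreshInterval)"

# A dynamic record becomes eligible only after NoRefresh + Refresh has elapsed
# since its timestamp. That window must stay longer than the DHCP lease and the
# domain controllers' own re-registration period, or live records get removed.
$window = $zone.NoRefreshInterval + $zone.RefreshInterval
"  Earliest deletion after: $window"

# 3. Static records have no timestamp and are never scavenged. List the dynamic
#    records that would already be eligible, so they can be reviewed first.
$cutoff = (Get-Date) - $window
"Dynamic records older than the window (would be scavenged):"
Get-DnsServerResourceRecord -ZoneName $ZoneName |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, RecordType, Timestamp |
    Format-Table -AutoSize

if ($Apply) {
    # Conservative 7-day intervals (a choice for this example, not a course value).
    Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
        -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)
    "Aging enabled on $ZoneName and scavenging enabled on the server."
}
```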
DNS Records
• Make sure the forward lookup zone is created.
• Make sure a Host (A) record is created for your server.
• Make sure the following DNS subdomains are created:
– _msdcs
– _sites
– _tcp
– _udp
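The following is an added example, not code from the course, that automates the post-installation DNS checks from the two slides above: the forward lookup zone and host (A) record, the SRV records netlogon registers under _msdcs, _sites, _tcp and _udp, and the reverse lookup (PTR) for the domain controller's address. It assumes Resolve-DnsName from the DnsClient module (Windows Server 2012 / Windows 8 and later); the domain name, DC host name and site name are constructed placeholders.

```powershell
# Added example, not part of the course material: verify the DNS records a new
# domain controller must have registered. Assumes Resolve-DnsName (Windows
# Server 2012 / Windows 8 and later). Domain, DC and site names are placeholders.
param(
    [string]$DomainName = 'corp.example.com',
    [string]$DcHost     = 'dc01',
    [string]$SiteName   = 'Default-First-Site-Name'
)

$results = New-Object System.Collections.ArrayList

function Test-DnsEntry {
    param([string]$Name, [string]$Type)
    try {
        # -DnsOnly skips the hosts file and LLMNR/NetBIOS so only DNS is tested.
        $answers = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop
        $targets = foreach ($a in $answers) {
            if ($a.NameTarget) { $a.NameTarget }       # SRV
            elseif ($a.IPAddress) { $a.IPAddress }     # A / AAAA
            elseif ($a.NameHost) { $a.NameHost }       # PTR
        }
        [void]$results.Add([pscustomobject]@{ Check = "$Type $Name"; Found = $true;  Answer = ($targets -join ', ') })
        return $answers
    } catch {
        [void]$results.Add([pscustomobject]@{ Check = "$Type $Name"; Found = $false; Answer = $_.Exception.Message })
        return $null
    }
}

# Forward lookup zone and the DC's own host (A) record.
$hostRecords = Test-DnsEntry -Name "$DcHost.$DomainName" -Type A

# SRV records registered by netlogon under _tcp, _udp, _msdcs and _sites.
$srvNames = @(
    "_ldap._tcp.$DomainName",
    "_kerberos._tcp.$DomainName",
    "_kerberos._udp.$DomainName",
    "_kpasswd._tcp.$DomainName",
    "_gc._tcp.$DomainName",
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.pdc._msdcs.$DomainName",
    "_ldap._tcp.gc._msdcs.$DomainName",
    "_ldap._tcp.$SiteName._sites.$DomainName",
    "_kerberos._tcp.$SiteName._sites.$DomainName"
)
foreach ($srv in $srvNames) { [void](Test-DnsEntry -Name $srv -Type SRV) }

# Reverse lookup zone: each DC address should resolve back to the DC's name.
foreach ($rec in @($hostRecords | Where-Object { $_.IPAddress })) {
    $ptr = Test-DnsEntry -Name $rec.IPAddress -Type PTR
    if ($ptr -and ($ptr[0].NameHost -notlike "$DcHost.$DomainName*")) {
        Write-Warning "PTR for $($rec.IPAddress) points to $($ptr[0].NameHost), not $DcHost.$DomainName"
    }
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Found })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) record(s) missing. Run 'dcdiag /test:dns' and 'nltest /dsregdns' on the DC, then re-check."
    exit 1
}
```

A missing or stale SRV record is the usual reason clients cannot locate the new DC, so the script exits non-zero whenever any lookup fails and points at the built-in tools (dcdiag, nltest) that diagnose and re-register the records.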
Raising the Domain Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the domain you wish to raise and select Raise Domain Functional Level.
Raising the Forest Functional Level
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.
• If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
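Because raising a functional level cannot be reversed, the check in the last bullet is worth scripting before clicking Raise. The following is an added example (not from the course) that lists every domain's mode and every domain controller's operating system, refuses to continue while any domain is below the required mode, and only raises the forest mode when run with -Apply. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later RSAT); the target mode is a parameter.

```powershell
# Added example, not part of the course material: pre-flight check before raising
# the forest functional level (irreversible). Assumes the ActiveDirectory module
# (Windows Server 2008 R2 and later). Run without -Apply first.
param(
    [string]$TargetForestMode   = 'Windows2008Forest',
    [string]$RequiredDomainMode = 'Windows2008Domain',
    [switch]$Apply
)
Import-Module ActiveDirectory

# Every domain must already be at the matching domain mode before the forest mode
# can be raised; a single down-level DC anywhere blocks that domain.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]$RequiredDomainMode
$forest   = Get-ADForest
"Forest $($forest.Name) is currently at $($forest.ForestMode)"

$blockers = @()
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $mode   = [Microsoft.ActiveDirectory.Management.ADDomainMode]$domain.DomainMode
    "  Domain $domainName is at $mode"
    if ([int]$mode -lt [int]$required) {
        $blockers += "$domainName is at $mode (needs $required)"
    }
    # Show each DC's OS so the down-level DCs that keep a domain mode low are visible.
    Get-ADDomainController -Filter * -Server $domainName |
        Select-Object @{ n = 'Domain'; e = { $domainName } }, HostName, OperatingSystem |
        Format-Table -AutoSize
}

if ($blockers.Count -gt 0) {
    Write-Warning 'The forest functional level cannot be raised yet:'
    $blockers | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

if ($Apply) {
    # Irreversible change: Set-ADForestMode asks for confirmation by default.
    Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode
} else {
    "All domains meet $required; re-run with -Apply to raise the forest to $TargetForestMode."
}
```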
Removing Active Directory
• Click the Start menu, key dcpromo and then press Enter.
Schema Management Console
• Some commercial applications such as Microsoft Exchange will modify the schema as a part of their installation process.
• You can also extend the schema manually using the Active Directory Schema snap-in.
• To modify the schema manually, you must be a member of the Schema Admins group.
• The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master Operations role.
Installing the Schema Management Snap-in
• From a command prompt, key regsvr32 schmmgmt.dll.
• Close the Command Prompt window, click Start, and then select Run.
• Key mmc /a in the dialog box and click OK.
• Click the File menu and select Add/Remove Snap-in.
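An added example (not from the course) that checks the two preconditions the slides state before running the registration steps: that this host holds the Schema Master role, and who is currently in Schema Admins. Schema changes are forest-wide and classes can only be deactivated, never deleted, so the group is normally kept empty and membership is added only for the change window. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later) and that it is run on the domain controller where the snap-in will be used.

```powershell
# Added example, not part of the course material: confirm this DC is the Schema
# Master and audit Schema Admins before registering the schema snap-in.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster
$localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
"Schema Master: $schemaMaster"
if ($localFqdn -ne $schemaMaster) {
    Write-Warning "This host ($localFqdn) is not the Schema Master; use the snap-in on $schemaMaster."
}

# Schema Admins exists only in the forest root domain, so query that domain.
$members = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)
"Schema Admins members ($($members.Count)):"
$members | Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize

# The group should be empty outside a change window; note whether the current
# user is in it and print the command that removes the membership afterwards.
$me = $env:USERNAME
if (@($members | Where-Object { $_.SamAccountName -eq $me }).Count -eq 0) {
    "Current user $me is not in Schema Admins and cannot modify the schema."
} else {
    "Current user $me is in Schema Admins; remove the membership after the change with:"
    "  Remove-ADGroupMember -Identity 'Schema Admins' -Server $($forest.RootDomain) -Members $me"
}

# The slides' registration step, run from PowerShell on the Schema Master only.
if ($localFqdn -eq $schemaMaster) {
    & regsvr32.exe /s "$env:SystemRoot\System32\schmmgmt.dll"
    & mmc.exe /a     # then File > Add/Remove Snap-in > Active Directory Schema
}
```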
Trust Relationship
• Trust relationships exist to make resource accessibility easier between domains and forests.
• Many trust relationships are established by default during the creation of the Active Directory forest structure.
• Trust relationships can be created using Active Directory Domains and Trusts from the Administrative Tools folder.
Trust Relationships
• Four trust types can be manually established in Windows Server 2008:
– Shortcut trusts - Used to shorten the “tree-walking” process for users who require frequent access to resources elsewhere in the forest.
– Cross-forest trusts - Allow you to create two-way transitive trusts between separate forests.
– External trusts - Used to configure a one-way non-transitive trust.
– Realm trusts - Allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm.
Revoking a Trust Using Netdom
• Open a command prompt and type the following text:
netdom trust TrustingDomainName /d:TrustedDomainName /remove
• Press Enter.
• Repeat these steps for the other end of the trust relationship.
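Before revoking (or keeping) a trust it helps to know what is actually configured on each one. The following is an added example, not from the course, that inventories every trust the way the four-type list above classifies them (shortcut/intra-forest, cross-forest, external, realm) and flags the settings a defender reviews: SID filtering off on an external trust, SID history accepted over a forest trust, selective authentication not enabled, and TGT delegation allowed across the trust. It assumes Get-ADTrust from the ActiveDirectory module (Windows Server 2012 and later RSAT) and decodes the trustAttributes bits directly; the netdom switches quoted in the findings are the existing netdom trust options for correcting each one.

```powershell
# Added example, not part of the course material: inventory all trusts and flag
# weak settings. Assumes Get-ADTrust (ActiveDirectory module, Windows Server 2012+).
Import-Module ActiveDirectory

# trustAttributes bit values from the Active Directory schema.
$NON_TRANSITIVE    = 0x1
$QUARANTINED       = 0x4    # SID filtering enforced on an external trust
$FOREST_TRANSITIVE = 0x8
$CROSS_ORG         = 0x10   # selective authentication
$WITHIN_FOREST     = 0x20   # shortcut / parent-child / tree-root trusts
$TREAT_AS_EXTERNAL = 0x40   # SID history accepted over a forest trust (filtering relaxed)
$TGT_DELEGATION    = 0x800  # Kerberos TGT delegation allowed across the trust

function Get-TrustReport {
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes) {
        $attr = [int]$t.TrustAttributes
        $kind = if ($attr -band $WITHIN_FOREST)        { 'Intra-forest' }
                elseif ($attr -band $FOREST_TRANSITIVE) { 'Forest' }
                elseif ($t.TrustType -eq 'Kerberos')    { 'Realm' }
                else                                    { 'External' }

        $findings = @()
        if ($kind -eq 'External' -and -not ($attr -band $QUARANTINED)) {
            $findings += 'SID filtering off (netdom trust ... /quarantine:Yes)'
        }
        if ($kind -eq 'Forest' -and ($attr -band $TREAT_AS_EXTERNAL)) {
            $findings += 'SID history accepted (netdom trust ... /enablesidhistory:No)'
        }
        if ($kind -ne 'Intra-forest' -and -not ($attr -band $CROSS_ORG)) {
            $findings += 'Selective authentication not enabled'
        }
        if ($attr -band $TGT_DELEGATION) {
            $findings += 'TGT delegation enabled across trust'
        }

        [pscustomobject]@{
            Name       = $t.Name
            Kind       = $kind
            Direction  = $t.Direction
            Transitive = -not ($attr -band $NON_TRANSITIVE)
            Type       = $t.TrustType
            Findings   = ($findings -join '; ')
        }
    }
}

Get-TrustReport | Format-Table -AutoSize -Wrap

# Before running the /remove command from the slide, confirm the trust is the one
# intended and that its secure channel is healthy:
#   netdom trust TrustingDomainName /d:TrustedDomainName /verify
```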
User Principal Name (UPN)
• The name of a system user in an e-mail address format: username@domainname
• Based on Internet RFC 822.
Changing the Default Suffix for User Principal Names
• Open Active Directory Domains and Trusts from the Administrative Tools folder.
• Right-click Active Directory Domains and Trusts and choose Properties.
• Click the UPN Suffix tab, key the new suffix, and click Add.
• Key more than one suffix if your forest has more than one tree and then click OK.
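The same change can be scripted, which is useful when the new suffix must then be applied to many users. The following is an added example (not from the course) that validates the suffix is a DNS-style name (so the resulting UPN keeps the username@domainname format), checks for the Enterprise Admins membership the Summary slide says is required, adds the suffix to the forest, and assigns it to the users in one OU only after confirming the new UPN is not already in use anywhere in the forest (UPNs must be unique forest-wide). It assumes the ActiveDirectory module (Windows Server 2008 R2 and later); the suffix and OU are constructed placeholders, and nothing is changed unless -Apply is given.

```powershell
# Added example, not part of the course material: add a UPN suffix to the forest
# and assign it to users in one OU with uniqueness checks. Assumes the
# ActiveDirectory module (Windows Server 2008 R2+). Suffix and OU are placeholders.
param(
    [string]$NewSuffix  = 'mail.example.com',
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com',
    [switch]$Apply
)
Import-Module ActiveDirectory

$forest = Get-ADForest
"Current UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# A UPN is username@domainname (RFC 822 style), so the suffix must be a DNS-style name.
if ($NewSuffix -notmatch '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$') {
    throw "'$NewSuffix' is not a valid DNS-style UPN suffix."
}

# Adding a forest-wide suffix requires Enterprise Admins (a root-domain group).
$ea = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive
if (-not ($ea | Where-Object { $_.SamAccountName -eq $env:USERNAME })) {
    Write-Warning "$env:USERNAME is not in Enterprise Admins; Set-ADForest will be denied."
}

if ($forest.UPNSuffixes -contains $NewSuffix) {
    "Suffix $NewSuffix already exists; skipping Set-ADForest."
} elseif ($Apply) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    "Added UPN suffix $NewSuffix to the forest."
}

# Assign the suffix to each user in the OU. UPNs must be unique across the forest,
# so query the global catalog (port 3268) for a collision before changing anything.
$gc = "$($forest.RootDomain):3268"
foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase) {
    $upn   = "$($u.SamAccountName)@$NewSuffix"
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $gc |
             Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): $upn is already used by $($clash.DistinguishedName)"
        continue
    }
    if ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $upn }
    else        { "Would set $($u.SamAccountName) to $upn" }
}
```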
Summary
• Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
• Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard.
• Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records.
– Additional items, such as reverse lookups, aging, and scavenging, should also be configured.
• Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS.
– These partitions allow replica placement within the forest structure.
• System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
• Planning forest and domain functionality is dependent on the need for down-level operating system compatibility.
– Raising a forest or domain functional level is a procedure that cannot be reversed.
• Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts.
• Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
• UPNs provide a mechanism to make access to resources in multiple domains user-friendly.
• UPNs follow a naming format similar to email addresses.
• You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.