IMPLEMENTING ACTIVE DIRECTORY

1
IMPLEMENTING ACTIVE DIRECTORY

• Chapter 2

2
REQUIREMENTS FOR ACTIVE DIRECTORY

• Server 2003 (Standard, Enterprise, Datacenter)
• Cannot use Web Edition for Active Directory
• Access as a local administrator
• NTFS partition for Sysvol
• 200 MB minimum free space
• TCP/IP
• DNS to host SRV resource records

P23
3
ACTIVE DIRECTORY INSTALLATION PROCESS

• Complete pre-installation tasks
• Local Administrator password
• Domain controller type (1st, additional, etc)
• Domain name
• File locations
• Password for Directory Services Restore Mode
• Plan and test before you install in a production
  environment

P29-30
4
ACTIVE DIRECTORY INSTALLATION

• Dcpromo or Manage Your Server
• If already a domain controller, Dcpromo allows
  you to remove Active Directory
• Operating system compatibility issues
• Microsoft Windows 95
• Microsoft Windows NT 4, Service Pack 3

P30
5
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Domain Controller type
• Domain controller for a new domain
• Replica domain controller
• Install in a new or existing forest?
• Install in a new or existing domain tree?
• Use the appropriate names
• DNS
• FQDN
• NetBIOS

P31-33
6
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Database and Log Folders
• Shared System Volume (Sysvol)
• systemroot\NTDS
• NTFS required

P35
7
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
P36
8
DNS REGISTRATION AND DIAGNOSTICS

• If DNS is not detected, you can choose to
  automatically install and configure. Otherwise,
  you must manually install and configure.
• SRV resource records required
• Dynamic updates highly recommended
• Incremental zone transfers recommended

P37
9
PERMISSIONS

• PreWindows 2000
• Allows the pre-Windows 2000 compatibility access
  group access to Active Directory
• Windows Server 2003

P37
10
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

• Directory Services Restore Mode Administrator
  password
• Password used to enter Directory Services Restore
  Mode
• Required for Active Directory maintenance
• Completing the Active Directory installation
• Confirm your configuration
• Restart your new domain controller

P37-38
11
VERIFY AND FINALIZE DNS

• Application Directory partition creation
• DomainDNSZones
• ForestDNSZones
• Automatically created when Active Directory
  Integrated DNS is used
• Can be managed only by Enterprise Admins
• Aging and scavenging options
• Forward lookup zones and SRV resource records

P39
12
DNS UPDATES AND RECORD STORAGE

• Dynamic updates
• Secure only
• Nonsecure and secure
• None
• Store the zone in Active Directory, named Active
  Directoryintegrated
• Reverse lookup zones

P41-44
13
REPLICA DOMAIN CONTROLLER

• Provides load balancing and fault tolerance
• If one domain controller fails, there is another
  holding the Active Directory records
• Clients can use either domain controller for
  authentication
• DNS fault tolerance
• If Active Directoryintegrated, the records are
  automatically copied to other domain controllers
• If not Active Directoryintegrated, you can use a
  secondary zone for fault tolerance of records

P45
14
REPLICA DOMAIN CONTROLLER

• DNS load balancing
• Install DNS service on additional server
• Configure client computer to use the new server
  as their Preferred DNS server

P45
15
SCHEMA MODIFICATION

• Some applications modify the schema
• Examples include e-mail programs, backup
  programs, and directory integration software
• Must be a member of Schema Admins to install
  these applications or to manually modify the
  schema
• Schema changes trigger replication to all domain
  controllers in the forest
• Default system classes cannot be modified
• Class and attribute changes cannot be removed,
  but can be deactivated

P46-47
16
RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS

• Once complete, cannot be undone without a
  reinstall
• Each domain functional level can be raised
  independently of other domains
• Forest functional levels can be raised only when
  all domains are at Windows 2000 native or higher
• Domain Admins membership required to raise domain
  functional level
• Enterprise Admins membership required to raise
  forest functional level

P48
17
ESTABLISHING AND MAINTAINING TRUSTS

• Shortcut trust
• Used to improve resource access
• Reduces the length of the trust path
• Transitive
• Cross-forest trust
• Default one-way
• Available only to Windows Server 2003 forests
• Between Forest Root Domains

P49-50
18
ESTABLISHING AND MAINTAINING TRUST

• External
• Can be used for Windows NT Server 4.0 and
  Windows 2000 domain trusts
• Between any domain in one forest and any domain
  in the other forest
• Not transitive
• Realm
• Used between third-party Kerberos implementations
• Not transitive

P51
19
MANAGING TRUSTS

• Verifying trusts
• Active Directory Domains And Trusts
• netdom trust domain1 /dcontoso /verify
• Revoking trust relationships
• Active Directory Domains And Trusts
• netdom trust domain1 /dcontoso /remove

P52-53
20
USER PRINCIPAL NAMES

• Allows users to log on without specifying a
  domain separately
• Can be the users e-mail address
• By default, the User Principal Name (UPN) suffix
  is the same as the forest root domain name
• Can add UPN suffix in Active Directory Domains
  And Trusts
• Can modify UPN on a per-user basis

P54
21
SUMMARY

• Active Directory requires DNS and SRV resource
  record support
• Verifying Active Directory installation
• Active Directory partitions
• Schema modification and replication
• Forest and domain functional levels
• Trust types Shortcut, cross-forest, external,
  realm