Module 1Introducing Active Directory Domain Services

Module OverviewOverview of Active Directory, Identity, and AccessActive Directory Components and ConceptsInstall Active Directory Domain Services

Lesson 1: Overview of Active Directory, Identity, and AccessInformation ProtectionIdentity and AccessAuthentication and AuthorizationAuthenticationAccess TokensSecurity Descriptors, ACLs, and ACEsAuthorizationStand-Alone (Workgroup) AuthenticationActive Directory Domains: Trusted Identity StoreActive Directory, Identity, and AccessActive Directory IDA services

Information ProtectionIts all about connecting users to the information they require securelyIDA: Identity and AccessAAA: Authentication, Authorization, AccountingCIA: Confidentiality, Integrity, Availability, and Authenticity

Identity and AccessIdentity: User accountSaved in an identity store (directory database)Security principalRepresented uniquely by the SIDResource: Shared FolderSecured with a security descriptorDACL or ACLACEs or permissions

Authentication and Authorization

AuthenticationTwo types of authentication

Local (interactive) Logonauthentication for logon to the local computerRemote (network) Logonauthentication for access to resources on another computerAuthentication is the process that verifies a users identityCredentials: At least two components requiredUser nameSecret, for example, password

Access Tokens

Users Access TokenOther access informationPrivileges (user rights)Member Group SIDsUser SID

Security Descriptors, ACLs and ACEs

Security DescriptorDACL or ACLACE Trustee (SID) Access MaskACE Trustee (SID) Access MaskSACL

AuthorizationAuthorization is the process that determines whether to grant or deny a user a requested level of access to a resourceThree components required for authorizationResourceSecurity TokenAccess RequestSystem finds first ACE in the ACL that allows or denies the requested access level for any SID in the users token

Stand-Alone (Workgroup) AuthenticationThe identity store is the SAM database on the Windows systemNo shared identity storeMultiple user accountsManagement of passwords is challenging

Active Directory Domains: Trusted Identity StoreCentralized identity store trusted by all domain membersCentralized authentication serviceHosted by a server performing the role of an AD DS domain controller

Active Directory, Identity, and AccessAn IDA infrastructure should:Store information about users, groups, computers and other identitiesAuthenticate an identityKerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.Control accessProvide an audit trail

Active Directory IDA ServicesActive Directory IDA services :Active Directory Lightweight Directory Services (AD LDS)Active Directory Certificate Services (AD CS)Active Directory Rights Management Services (AD RMS)Active Directory Federation Services (AD FS)

Lesson 2: Active Directory Components and ConceptsActive Directory as a DatabaseActive Directory Data StoreDomain Controllers Demonstration: Active Directory SchemaOrganizational UnitsDomainForestTreeReplicationSitesGlobal CatalogFunctional LevelsDNS and Application PartitionsTrust Relationships

Active Directory as a DatabaseActive Directory is a databaseEach record is an objectUsers, groups, computers, and so onEach field is an attributeLogon name, SID, password, description, membership, and so onIdentities (security principals or accounts)Services: Kerberos, DNS, and replicationAccessing the databaseWindows tools, user interfaces, and componentsAPIs (.NET, VBScript, Windows PowerShell)LDAP

Active Directory Data Store%systemroot%\NTDS\ntds.ditLogical partitionsDomain naming contextSchemaConfigurationGlobal catalog (Partial Attribute Set)DNS (application partitions)SYSVOL%systemroot%\SYSVOLLogon scriptsPolicies

Domain ControllersServers that perform the AD DS roleHost the Active Directory database (NTDS.DIT) and SYSVOLReplicated between domain controllersKerberos KDC service: Performs authenticationOther Active Directory servicesBest practicesAvailability: At least two in a domainSecurity: Server Core and RODCs

Demonstration: Active Directory SchemaIn this demonstration, you will see How the Schema acts as a blueprint for Active Directory by exploring the following Attributes and Object classes:AttributesobjectSIDsAMAccountNameunicodePwdmemberDescriptionClassesUserGroup

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Organizational UnitsObjectsUsersComputersOrganizational UnitsContainers that can be used to group objects within a domainCreate OUs to:Delegate administrative permissionsApply Group Policy

DomainRequires one or more domain controllersAll domain controllers replicate the Domain naming context (Domain NC)The domain is the context within which Users, Groups, Computers, and so on are createdReplication boundaryTrusted identity source: Any domain controller can authenticate any logon in the domainThe domain is the maximum scope (boundary) for certain administrative policiesPasswordLockout

ForestA collection of one or more Active Directory domain treesFirst domain is the forest root domainSingle configuration and schema replicated to all domain controllers in the forestA security and replication boundary

TreeOne or more domains in a single instance of AD DS that share contiguous DNS namespaceproseware.comtreyresearch.netantarctica.treyresearch.net

ReplicationMultimaster replicationObjects and attributes in the databaseContents of SYSVOL are replicatedSeveral components work to create an efficient and robust replication topology and to replicate granular changes to ADThe Configuration partition of the database stores information about sites, network topology, and replication

SitesAn Active Directory object that represents a well-connected portion of your networkAssociated with subnet objects representing IP subnetsIntrasite vs. intersite replicationReplication within a site occurs very quickly (1545 seconds)Replication between sites can be managedService localizationLog on to a domain controller in your site

Global CatalogPartial Attribute Set or Global CatalogContains every object in every domain in the forestContains only selected attributesA type of indexCan be searched from any domainVery important for many applicationsPASDomain APASDomain B

Functional LevelsDomain functional levelsForest functional levelsNew functionality requires that domain controllers are running a particular version of WindowsWindows 2000Windows Server 2003Windows Server 2008Windows Server 2008 R2Cannot raise functional level while domain controllers are running previous Windows versionsCannot add domain controllers running previous Windows versions after raising functional level

DNS and Application PartitionsActive Directory and DNS are closely integratedOne-to-one relationship between the DNS domain name and the logical domain unit of Active DirectoryComplete reliance on DNS to locate computers and services in the domainA domain controller acting as a DNS server can store the zone data in Active Directory itselfin an application partition

Trust RelationshipsExtends concept of trusted identity store to another domainTrusting domain (with the resource) trusts the identity store and authentication services of the trusted domainA trusted user can authenticate to, and be given access to resources in, the trusting domainWithin a forest, each domain trusts all other domainsTrust relationships can be established with external domains

Lesson 3: Install Active Directory Domain ServicesInstall and Configure a Domain ControllerPrepare to Create a New Forest with Windows Server 2008 R2

Install and Configure a Domain Controller Install the Active Directory Domain Services role by using the Server Manager 1 Choose the deployment configuration 3 Select the additional domain controller features 4 Run the Active Directory Domain Services Installation Wizard 2 Select the location for the database, log files, and SYSVOL folder 5 Configure the Directory Services Restore Mode Administrator Password 6

Prepare to Create a New Forest with Windows Server 2008 R2Domains DNS name (contoso.com) Domains NetBIOS name (contoso)Whether the new forest will need to support domain controllers running previous versions of Windows (affects choice of functional level)Details about how DNS will be implemented to support AD DSDefault: Creating domain controller adds DNS Server role as wellIP configuration for the domain controllerIPv4 and, optionally, IPv6User name and password of an account in the servers Administrators group. Account must have a password.Location for data store (ntds.dit) and SYSVOLDefault: %systemroot% (c:\windows)

Lab: Install an AD DS Domain Controller to Create a Single Domain ForestExercise 1: Perform Post-Installation Configuration TasksExercise 2: Install a New Windows Server 2008 Forest with the Windows InterfaceExercise 3: Raise Domain and Forest Functional Levels

Logon informationEstimated time: 30 minutes

Lab ScenarioYou have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you need to improve the manageability and security of the companys resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.

Lab ReviewWhat can you do with the Initial Configuration Tasks console?What must you do before starting the dcpromo wizard?Which tool is used to raise the domain functional level?

Module Review and TakeawaysReview QuestionsCommon Issues Related to AD DS InstallationBest Practices Related to AD DS Installation Tools

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Presentation: 90minutesLab: 30minutes Module GoalThis module will provide a foundation for concepts and terminology related to Active Directory Domain Services (AD DS) as a technology and as a solution. By the end of the module, students will have created a single domain forest, and will know enough about AD DS to understand the importance of what theyve done. The lessons and topics in this module can be driven home for novices, skimmed or skipped for advanced classes, or skipped and returned to at appropriate times. The modules only lab is the creation of a domain, so even the lab can be skipped for courses based on time constraints or adequate student expertise.The most important guidance for instructors is to keep this module high level. Every concept, term, and component is returned to and detailed in later modules. Whats important is that students have an understanding for the business purpose for AD DS, the basic function of a directory service, and the interactions of its components. They need to have just enough understanding of logical and physical structural components and of concepts such as trusts and replication. Ensure that they are not distracted as these terms are touched upon in the later modules. So, dont try to teach more than what is in this module. This module helps the students see the forest; later modules take a close look at each tree.Be certain to read the instructor note on the Lesson Overview slide for Lesson 2.ObjectivesAfter completing this lesson, you will be able to:Position the strategic role of a directory service in an enterprise in relation to identity and access.Explain authentication and authorization processes. Identify the major components of AD DS.Understand the requirements for installing a domain controller to create a new forest.Identify the roles of and relationships between AD DS, AD LDS, AD RMS, AD FS, and AD CS.Module Exam ObjectivesConfiguring the Active Directory Infrastructure: Configure a forest or domainPreparation for DemosTo prepare for demos in this module, start 6425C-NYC-DC1. NYC-DC1 is the fully populated, WS2008 functional level, single domain controller forest. Log on as Administrator with the password, Pa$$w0rd. Preparation for LabsThere is one lab that occurs at the end of this module. If you wish to save time, you can ask students to start the virtual machine at the start of the module. The virtual machine used in Lab is 6425C-NYC-SVR-D.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*-blank-Module 1: Introducing Active Directory Domain ServicesCourse 6425C*-blank-

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*This is only a setup for the lesson. There is enough room for detail later.Message to students: The industry as a whole is focused on information protection. This includes Microsoft and is exemplified by its Trustworthy Computing initiative.Objective: Present an industry perspective that will set the stage for discussing how Microsoft implements these concepts. Lesson flow: Do not go too deep into these information protection industry acronyms. This is only a setup for the lesson. There is enough room for detail later.This will help students understand that few of the high-level functions of Active Directory are Microsoft-specific. They all fit into wider industry efforts centered around information protection and security.There is a short definition of each acronym in the student handbook. The most important terms used on the slide and in the student text are detailed on upcoming slides. It is not recommended that you dive deeply into the three information protection acronyms on the slide: its a worm hole that does not add value to the first few minutes of the class. Instead, emphasize that the entire industry is focused on protection and security, and there are several frameworks within which to think about protection and security.

ReferencesMicrosoft Identity and Access Solutions: http://go.microsoft.com/fwlink/?LinkId=168700There are other third-party references available on these topics, which can be found by doing a web search.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Introduce the most fundamental concepts and terms.Lesson flow: High-level slide. Details on subsequent slides. Note to students: Were moving slowly into Microsofts implementation of information protection, but terms such as Access Control List (ACL) and concepts are still industry standards.Use this slide to set up the most fundamental concepts and terminology related to identity and access (IDA), and the components, processes, and technologies related to IDA on Windows systems.Begin the discussion of identity and access by telling students what they already know: that the job of an information technology (IT) pro is to connect users with the information they require to get their jobs done. And, because users require different levels of access to different classes of information, we must manage associating the correct users with the correct levels of accessa task broadly known as information protection.At the core of information protection are two critical concepts: identity and access or IDA.Explain that in a secured system, each user is represented by an identity. In Windows systems, the identity is the user account, and the accounts from one or more users are maintained in an identity store, also known as a directory database. Dont go as far as mentioning Active Directory by name, because the lesson will build from stand-alone (workgroup) systems on which the directory database is the Security Accounts Manager (SAM) to the need for a centralized (domain) directory database, Active Directory.An identity is called a security principal in Windows systems, and security principals are uniquely identified by an attribute called the security identifier (SID). Dont yet introduce the concept that groups, computers, and inetOrgPerson objects are security principals. Two of those are only security principals in a domain. These come later.Explain that on the other end of a secured system is the resource to which the user requires access. The resource is secured with permissions, and each permission specifies a pairing of a specific level of access with an identity. Many Windows resources, including and most significantly files and folders on NTFS volumes, are secured by an aptly-name security descriptor that contains a discretionary access control list (DACL) in which each permission takes the form of an access control entry (ACE).You can explain now, or on one of the next few slides, that although DACL and ACE are technically accurate terms, most administrators and documentation, including this course, refer to the ACL and permissions.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Module 1: Introducing Active Directory Domain ServicesCourse 6425CObjective: Summarize the big picture of authentication and authorization.Lesson flow: Still high-level. Each step summarized on this slide is detailed over the next four slides.ReferencesLogon and Authentication Technologies: http://go.microsoft.com/fwlink/?LinkId=168701Authorization and Access Control Technologies: http://go.microsoft.com/fwlink/?LinkId=168703

*Module 1: Introducing Active Directory Domain ServicesCourse 6425CObjective: Fully flesh out the terminology, concepts, and components of authentication.By the end of this slide, users should fully understand what authentication is.Define authentication as a process that verifies the users identity that answers the question, Is the user who she says she is? To achieve this, the user must identify herself, with a user name called a logon name, and the user must prove herself by providing a secret known only to herself into the system, such as a password.Mention that the most common way for users to authenticate is by providing a user name and password. However, some computer systems also support authentication based on smart cards, one-time passwords, or biometric information, such as fingerprint scans. Each of these act as credentials.Introduce the concept that there are two basic types of authentication: local and remote (or network) logon. Although the processes involved are very similar, the difference is called out in various places, including separate user rights for local versus network logon. So it is worthwhile for students to be familiar with the concepts and terminology.It is too early for novice students to introduce the complex behavior of Kerberos authentication, which only applies in a domain (not workgroup) environment. So keep the discussion focused on the general concepts and components of authentication, not on a specific authentication protocol.*Module 1: Introducing Active Directory Domain ServicesCourse 6425CObjective: Flesh out the concept of the security access token to a level that is appropriate for your students experience and knowledge. You shouldnt take too much time, but by the end of this slide there shouldnt be much question left as to what an access token is and, in particular, that it contains the user and group SIDs.Explain that one of the outcomes of authentication is the generation of a security token.Explain that the security token is a representation of the users full identity to the system. It is created when the Local Security Authority (LSA) authenticates the user. It contains the users SID, the SIDs for the groups to which the user belongs, and the users privileges. Emphasize that the security token is generated locally. A security token is never transmitted over the network, and no Windows system would even think of accepting a security token created by the local security authority of another system. Point out that this actually means when you log on to a system, that system creates a security token that represents who you are to that system, and when you connect to a server to access a file, that server creates a security token that represents who you are to that server. You may very well belong to different local groups, or have different privileges on the server than you do on the system to which you logged on.It is not recommended to go into detail about what privileges and other access information mean, and how they are stored by the token or used by the system. You can provide a generic definition of these elements, or skip it entirely.*Module 1: Introducing Active Directory Domain Services Course 6425CObjective: Flesh out the terminology and components related to a security descriptor.Lesson Flow: You should not digress into a discussion of NTFS permissions or effective permissions, but rather focus on clarifying terminology.Explain that many resources, including, most significant files and folders on NTFS volumes are secured with security descriptors. Security descriptors contain the system ACL (SACL), which itself contains information about the object owner and auditing settings, and the DACL, often referred to as the ACL even though there are technically two ACLs. Administrators spend most of their time managing the DACL, which itself is made up of one or more ACEs, or permissions. Optionally, introduce students to the most technical terminology by explaining that an ACE is a pairing of a security identifier representing the user (or computer or group), called the Trustee, and the level of access to which the user is being allowed or denied, represented as an Access Mask. Summarize by explaining that the ACE defines who (the Trustee represented by the SID) can or can't do what (represented by the access mask).

*Module 1: Introducing Active Directory Domain ServicesCourse 6425CObjective: Ensure that the concepts, terminology, and processes related to authorization are completely clear. Lesson flow: Again, you should steer clear from discussions of specific types of authorization such as NTFS authorization and effective permissions, and rather you should focus on the concepts as they apply to all forms of authorization.Lesson flow: Before continuing from this slide, pause to ask if there are any questions. This is the end of the story of Authentication and Authorization.Define authorization as the process that determines whether to grant a user a requested level of access to a resource.Three components are required for authorization. The security subsystem must know which resource the user is trying to access, what type of access is being requested, and the system must know who the user is, which is represented by the users security token.The security subsystem is then able to read the DACL of the resource and find the first ACE that allows or denies the requested level of access to any SID in the users token.Optional Internals Note: Because most users will be familiar with the fact that deny permissions always override allow permissions, and that explicit permissions always override inherited permissions, these effects are achieved because the ACEs in the ACL are ordered correctly. In an ACL, explicit ACEs come before inherited ACEs, and within those two groups, deny permissions come before allow permissions. The security subsystem then examines the ACL of the resource, comparing the SIDs in the ACEs to the SIDs in the security token. The first ACE that matches determines whether the user is allowed (if the ACE is an Allow ACE) or denied (if the ACE is a Deny ACE) access to the resource. If no match is found, access is denied.It is not recommended that you digress into a discussion of effective permissions, but most students will be familiar with the end results, and this little bit of detail will be interesting to students who are looking for more internals and for whom the information youre presenting is already quite familiar.*Objective: Define stand-alone (workgroup) configurations and clarify the management and security disadvantages of the model.Note: Build script is in the instructor notes.Present this scenario of a user (the green user) logging on to his or her desktop. In order to do that, the user must be authenticated, and therefore must have an identity in the only identity store trusted [note the intentional introduction of the word trust here, which sets the stage for intra domain trusts and trusts with other domains] by the LSA of the system, specifically the SAM.The user then needs to open a file in a shared folder on a server. The server, too, must authenticate the user for remote (network) logon. The only identity store trusted by the LSA of the server is its SAM database. Therefore, in order for the user to be authenticated, [CLICK TO BUILD] the user must also have an account in the SAM of the server. Not only must the user be authenticated with an account on the server, but because the server trusts only its local SAM as an identity store, permissions can only be assigned to security principals (Trustees) in the local SAM.If the user name and password of the account are the same as the account on the users desktop, the authentication process will occur but will be transparent to the user. If the user name or password are different, the user will be prompted for credentials.Ask students to consider what happens when the user changes his or her password on the desktop. Unless the user also changes the password on the server, the user will be prompted for credentials each time he or she accesses the shared folder.Because there is no shared identity store, there must be multiple user accounts, and the management of passwords becomes a challenge. The problem only gets worse as you add additional users to the story.[CLICK TO BUILD]The orange user must have an account on his or her desktop, and if the user requires access to resources on the server, there must be a separate account [CLICK TO BUILD] on the server, and again the synchronization of passwords and other account management tasks becomes twice as difficult.[CLICK TO BUILD] The blue user also needs one account on his or her desktop, and another on the server.Explain how the problem quickly becomes unmanageable, and therefore not secure, as more users, more resources, and more servers are introduced into the environment.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: A centralized directory service such as Active Directory provides a single identity store, authentication service, and point of management for administration.Drive home the advantages of a single identity store for security and manageability.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Active Directory (and AD DS specifically) is the core component of IDA. It is how Microsoft implements the broad industry concepts (IDA, AAA, CIA) laid out on the first slide. Define AD DS and mention that there are other services. Use this slide to wrap up discussion of identity and access, and the strategic role of AD DS as an enabler of IDA for enterprise networks. Be sure students understand that what was Active Directory in Windows Server 2003 is now AD DS and other services have been added into the AD family.Explain to students that AD DS, while a prominent player, is not the only component of IDA supported by Windows Server 2008 R2. You can list the other Active Directory services, but do not go into any detail about the roles they play.The slide also presents, for the first time, the term Kerberos. Use this opportunity to associate Kerberos with authentication. Point out that AD DS uses an industry standard authentication protocolit was not invented by Microsoft.You need not go into detail about Kerberos authentication at this time. Keep focused on ensuring that students understand the role of Active Directory. In the next lesson, you will introduce students to the concepts, terminology, processes and technologies of Active Directory itself.Kerberos authentication mechanisms are not enumerated in the course, but can be an excellent trainer value-add. It is recommended to discuss Kerberos workings in Lesson 14, the last module of the course, but if you have a particularly advanced class and want to digress for a moment, you could discuss Kerberos here.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective : Besides Active Directory, there are several other services that rely on AD DS and provide various authentication and authorization services.In this topic, you should briefly dicsuss four additional IDA services, and their purpose in AD DS environment. Do not go into the details, but give an high-level overview. For students who want to learn more about these services, direct them to 6426B training.*Module 1: Introducing Active Directory Domain ServicesCourse 6425CVERY IMPORTANT NOTES!This lesson introduces students to the concepts, terminology, processes, and technologies of Active Directory. It is probably one of the more important modules in the entire course. To provide a reasonable learning curve and instructional design for students of all levels, the first half to two-thirds of the class uses single domain controller environment so that students can focus on data management tasks and Group Policy. Only in the later part of the course are additional domain controllers, domains, trees, and forests introduced as service management scenarios are addressed. Therefore, concepts including domain functional level, replication, global catalog, and trust relationships are not detailed until later modules that cover specific service management topics that incorporate those concepts. However, some of the earlier modules that address data management scenarios require a reference to these concepts. For example, when discussing group membership, it is important to discuss which group scopes allow members from trusted domainsthere is a reference to trust relationships.A critical outcome of this module is that students understand just enough about each and every major component and concept of Active Directory, that they are not caught off guard when the initial references are made before those components, and concepts have been covered in complete detail.The lesson has been designed to provide that just enough level of detail. It is important that you as an instructor ensure that students are on the same page, at that level, at the end of this module. It is therefore important that you avoid the temptation to dive too deep, or to answer student questions that will take you on a digression into the details that are covered later in the course. It could be far too easy to teach the entire course within this single lesson.You will have to manage questions and student expectations, especially those from more experienced students, and give them the confidence that their questions will be answered in more than enough detail later in the course. Hopefully, the level of detail and technical terminology that you provided even in the introduction to Active Directory in the previous lesson will have begun to instill confidence in the more experienced students that this course will move rapidly into territory that is new and of interest to them. Fortunately, Module 2 is designed in great part to provide that spark of excitement to more experienced students.This intro lesson no longer arbitrarily separates objects into logical structure and physical structure objects. Instead, it lays out the components of Active Directory in a progressive story. When you boil it down, there is nothing in the Active Directory Schema that says an organizational unit (OU) is a logical object and a site is a physical object. That was just the way things used to be explained. It is recommended that you do not try to retrofit these slides into legacy instructional design related to logical versus physical objects. Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Begin this lesson with the fundamental assertion that Active Directory is, in the end, a database and the services that support or leverage that database.By framing Active Directory as a database, you will be able to draw comparisons and contrasts to database concepts and terminology that will be familiar to your students.Explain that each record in the Active Directory database represents an object such as a user, group, or computer. Dont list any additional objects such as sites or organizational units, as they will be introduced later in this lesson.Explain that each field in the database is an attribute for that object. Attributes include name, SID, password, description, and membership (for group object). You can mention other attributes as appropriate, but try to keep them focused on attributes of users, groups, and computersthe most familiar objects.Remind students that Active Directory is an integral piece of IDA: it acts as the identity store. Those identities are security principals. In the first lesson, users were highlighted as the security principal. This is the opportunity to mention that security principals include users, security groups, and computers. Make sure those three object classes are comfortable for students before mentioning inetOrgPerson objects. You can describe inetOrgPerson objects as a close relative of a user account. They are supported in Active Directory primarily for interoperability with certain third-party directory services. You can explain that few enterprises actually use inetOrgPerson objects. These objects are not mentioned elsewhere in the course, but it is good (particularly for certification purposes) for students to know there are actually four security principals in an AD DS enterprise.Point out that you can get in to Active Directory several ways. Be sure to mention and define Lightweight Directory Access Protocol (LDAP), and to point out that it, too, is an industry standard.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: The database were discussing is actually a file and a folder. NTDS.DIT as the database supporting the objects and attributes, and SYSVOL as a database (of sorts) supporting policy-based management (scripts and policies).Objective: Discuss or show the ntds.dit file and SYSVOL. Mention that there are logical partitions within NTDS.DIT. Do not go too deep.Discuss or show the interface the ntds.dit file.Using the slide, mention that the single database has logical partitions. You shouldnt go into too much detail yet; simply mention that there are sections or partitions that store particular types of information. You can point out that one of the partitions is the schema, which you have just discussed, and the domain partition. You can describe the Domain NC as the partition contains user, computer, and group objectsthe partition that most admins will be modifying on a day-to-day basis.Do not provide details about remaining partitions. Skip or simply list them, but let students know that the other partitions will be described as this and later lessons progress.Mention that another important store of Active Directory information is SYSVOL. Students will be familiar with the concept of logon scripts, and you just touched on Group Policy, so you can mention that many components that make Group Policy work are stored in, and distributed to clients from, SYSVOL. Point out that SYSVOL is shared and available to all domain users & computers.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: The database and services are hosted on servers called domain controllers.Objective: Introduce terms and concepts mentioned below.Continue by mentioning that domain controllers, that is servers performing the AD DS role, host the Active Directory database, SYSVOL, an authentication service such as Kerberos Key Distribution Center service (KDC) and other Active Directory services. For redundancy purposes, it is best to have at least two available domain controllers.Highlight that all domain controllers in a domain essentially are equal. Each domain controller holds a copy of the directory store, and updates can be made to the AD DS data on all domain controllers except for read-only domain controllers (RODCs).Emphasize the importance of having multiple domain controllers in each domain. This provides load balancing, but more importantly, it also provides recoverability if a server failure occurs.Mention that all domain controllers engage in authentication and authorization, thus making it a redundant system with fewer fail-points. The slide is intentionally vague about best practices. You can, if you would like, go into slightly more detail about putting domain controllers in remote sites to protect against an unavailable wide area network (WAN) connection. You can also talk about increasing the number of domain controllers to account not only for redundancy but for performance as well. It is recommended that you do not go too deeply into issues of domain controller placement however, because Module 13 (sites and replication) provides a better platform from which to share guidance about domain controller placement.Mention Server Core and RODCs. They are detailed in later modules but you can point out that there are options, in addition to physical security, for ensuring the security of domain controllers.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: The definition or blueprint of what can be contained in the database is the Schema.Objective: Give students a tour of the Schema to prepare them with an understanding of attributes, object classes, and the way objects come to exist in Active Directory.Make a transition to this slide by asking students, How does Active Directory know that it is able and allowed to create a record of a user object, and that a user object must have a logon name, password, and SID? The answer is because there is a part of Active Directory called the schema that serves as a blueprint for the rest of the directory service, specifying the types of objects (object classes) that are allowed, and the attributes of those objects (attributes).Demonstration stepsStart 6425C-NYC-DC1 and log on as Administrator with the password, Pa$$w0rd.Open D:\AdminTools\ADConsole.msc. Expand Active Directory, and then expand Active Directory Schema.Review the Attributes container. Attributes are definitions of a property and of its behavior. While scrolling through attributes, notice a couple of attributes whose purpose (if not name) is familiar. Open the Properties of each.objectSID (SID has been mentioned so often already, point out its attribute first)sAMAccountName (what most admins call the user name) Discussion point: attribute defines the type of an attribute (string in this case)unicodePwdmember Discussion point: Attributes can be multivalued. When used with a group, it is the list of one or more members.descriptionOpen the Classes container. While scrolling through, point out a couple of already familiar object classes, including user, computer, and group. Explain that object classes are created by referring to attributes in the pool of attributes that you just showed them.Open the group object class and demonstrate that it refers to the member attribute.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Before moving on from the slide, students should understand the following: Object classes define what can be stored in the directory. Attributes define the properties of those objects. The Schema is a part of Active Directory that acts as a blueprint by defining object classes and attributes.One of the goals of this slide is to allow you to dive into what is considered an internal (very detailed) aspect of AD DS. This will wake up and excite the more experienced students in your class. You can determine the right balance of information to provide at this point. You can go into more detail about the schema, perhaps describing the relationship between object classes. For example, a user is a child of person and an associate of securityPrincipal. It is not recommended that you discuss details of schema management or modification at this point, but it might be useful if youre working with advanced students to give them a more detailed view of how the schema itself works.Extra information, in case you are asked or wish to share some internals: the unicodePwd stores the hash of the password. The userPassword attribute is used to change/reset a passwordit is write-only. When you change a password, a write is made to userPassword. The system then calculates the hash and stores it in unicodePwd. You can never read userPassword. It is as if youve thrown the password down a hole and it has been changed on the way down. You can (with credentials and heavy lifting) read the hash (unicodePwd) but it is the result of a one-way function (OWF) so it is not easy to reverse-engineer it to the original password (a process called hacking).

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: Active Directory can contain millions of objects. To improve manageability of the objects, they can be put into collections called containers or OUs.Objective: Get the term OU defined and understood. Focus on their existence to collect objects, and briefly touch on the highest level points shown on the slide. Active Directory is designed to support millions of objects. How do you secure, manage, and organize those objects? With container (in quotes) type objects called OUs.Introduce students to the concept of containers and OUs, and explain that the primary difference is that, although both objects are a form of container, OUs enable you to manage configuration of objects using a Group Policy. You are encouraged to mention as bullet points that OUs are created to support delegation and policy. But dont go into more detail. Do not allow yourself to be taken into a digression related to OU design. If that begins to happen, remind students that this lesson is all about introducing them to the components of Active Directory, not about detailing any one of them.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: One or more domain controllers service AD DS in a domain.Objective: Summarize the characteristics of a domain Lesson flow: Do not spend too much time on the slide.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: One or more trees make up the entirety of an Active Directory instance, called a forest.Objective: Define terms and emphasize that the forest is the true boundary of all security and replicationDefine the forest as one or more Active Directory domain trees.Mention that the first domain installed in the forest, called the forest root domain, has some special characteristics that will be covered in later modules, but that the most important characteristic is the existence of several important groups including Enterprise Admins and Schema Admins. The Enterprise Admins group, in effect, owns and can access all objects in all resources in all domains in the forest. You might choose to point out that, because this is locked for power, most organizations choose to keep the Enterprise Admins group empty on a day-to-day basis, adding accounts to it only temporarily and on an as needed basis.Ask students to describe the structure they see on the slide:A two-tree, seven domain forest. If students raise a question about having more than one domain in a forest or about domain design, ask that the discussion be delayed until Module 15, when all of the nuances of AD DS have been laid out. Lesson 2 of Module 15 supports design discussions.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: The Domain Name Service (DNS) names of domains in AD make up one or more trees.Objective: Introduce the term tree as a less important concept related purely to the DNS namespaceMention that a tree is the result of the DNS namespace used by your domains. A tree is a distinct portion of the DNS namespace. A tree can be one domain (for example, a single domain, single tree forest) or more than one domain, as long as those domains share a contiguous DNS namespace.Be sure that students understand that a tree is simply two or more domains that share a contiguous DNS namespace. If two domains do not share a namespace, they make up separate trees in the forest.There is no need to go into the distinction between the diagramming of a forest from a DNS perspective (in which case proseware.com and treyresearch.net would be at the same level) versus a trust path perspective (shown on the slide with the forest root domain at the top). This information is covered in Module 15. However, the slide is created to give you the flexibility to do so if you want to.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Message: The domain controllers in a domain replicate between each other.Objective: Domain controllers replicate Active Directory in a multimaster fashion using a topology and technologies discussed in Module 13.Lesson flow: Focus on the Domain NC. A later slide supports discussion of the Schema and Configuration replication throughout the forest.The goal of this slide is simply to introduce the concept of replication so that students understand that both the contents of Active Directory and the SYSVOL are replicated between domain controllers.Be sure to enforce that replication is both efficient and robust. Details will be covered in Module 13, but far too often, students are quite concerned about the impact of replication, which in the real world is rarely a significant issue, let alone a design driver. By seeding the idea that replication is efficient and robust, it will be less likely that concerns about replication will distract students from what they need to learn between now and Module 13.This slide also explains the additional partition of the Active Directory database that was shown on an earlier slide: Configuration.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Module 1: Introducing Active Directory Domain ServicesCourse 6425CMessage: You can control replication and service localization using Active Directory Sites.Objective: Introduce term and purpose of Sites and Subnets at a high levelUse the concept of replication to transition to a discussion of sites.Explain that Active Directory sites are objects that represent a well-connected portion of your network. A site may be larger than what you consider a network site. For example, you might have two campuses in a metro area that you consider to be different sites, but if they are well connected, you might choose to represent them as a single Active Directory site. Introduce the concept that sites are logical objects in Active Directory that represent physical characteristics (geographic sites) of your network. You can draw a parallel to the fact that a user object represents a human being, and a computer object represents a computer.Explain that the sites enable you to control (or throttle) replication. You have the ability to manage replication between sites.Describe the concept of service localization by using the example of logon. Sites allow a client to identify the best instance of a distributed service. In the case of logon, sites allow Windows clients to locate a domain controller in their site, rather than authenticating to a domain controller on the other side of the world. Only if a domain controller is not available in the site will the client attempt to authenticate against a domain controller in another site.As with other concepts, do not go into too much detail. Module 13 covers sites, service localization, and replication in great detail.*Objective: Define the problem created [for example, for searching] in a multidomain environment and the solution (global catalog) and introduce the internals (partial attribute set).Lesson flow: Tell the story described in the instructor notes below.Remind students that if there is more than one domain in the forest, the configuration and schema are replicated to all domains in the forest but the information in the domain naming context is replicated only between domain controllers in that domain.How, then, can a user in one domain search for objects in another domain?The Global Catalog is referred to regularly before it is covered in detail in Module 12. Therefore it is important that, on the slide, you introduce students to the global catalog in such a way that they understand its purpose, its contents, and the reason many organizations are choosing to make every domain controller a global catalog server.The visual on the slide is designed to help you tell a story. A user in Domain B (green user) is searching for another user by first and last name. The other user (orange user) is in Domain A within the same forest. Because the Domain NC is replicated only to domain controllers within a domain, the details about the orange user are known only to the domain controllers in Domain A. There would be no way for the green user in Domain B to find the orange user in Domain A, because the data in the Domain NCs is not shared.The global catalogs primary purpose is to support directory queries. Explain that it contains information about every object in every domain in the forest, but to improve performance and reduce size, it does not contain every attribute. Instead, it contains only the attributes that are more likely to be useful inquiries. First name and last name are certainly two of those attributes. So the global catalog, or partial attribute set (PAS) contains the indexed attributes for users in other domains. Most search tools are directed to global catalog servers automatically, and there must be at least one in the domain, so when the green user searches by first name or last name for the Orange user, the global catalog will return a result, along with a reference to the full user object in the source domain (Domain A).If the green user drills for details that the global catalog cannot provide, the client will simply open the source object in Domain A.Highlight the importance of the Global Catalog for applications (particularly Microsoft Exchange Server). Therefore, Active Directory should be designed correctly before applications such as Exchange Server are introduced.The Global Catalog is detailed in Module 12. Instructor note: So that you know where the course is going, the recommendation of the course is the current best practice guidance: Make every domain controller a global catalog. Of course, there will be (very limited) situations where this is not appropriate, but in the vast majority of enterprises, and almost all enterprises running Exchange, this will be the best practice.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Define functional levels. Ensure that students know that functional level relates only to the domain controllers.Lesson flow: Define the concept of functional levels. Lesson 1 of Module 15 returns to the concept and summarizes the features of each functional level. The module also has a lab in which students experiment with and raise functional levels. In this introductory module, students are not yet assumed to understand Password Setting Object (PSO), Read Only Domain Controllers (RODCs), and other features that are part of each functional level, so you will return to wrap up functional levels in Module 15, after each of the features has been detailed.Present the terms domain functional level and forest functional level and describe them as switches that enable new functionality that has been introduced by newer versions of Windows.Be certain that students understand that it is only the domain controllers that must be running at least a certain version of Windows in order to raise the functional level to that version. It does not matter what version of Windows is being run on domain member workstations or servers.As you discussed, functional levels mention one or two features that are easy for students to understand the benefit of. For example, at domain functional level Windows Server 2008, you are able to implement fine-grained password policies so that, for example, you can require users that are members of administrative groups to maintain longer passwords, and change the more frequently, and nonadministrative users. Students will understand the business value of such a feature. You can then use that understanding to encourage students to upgrade domain controllers as quickly as reasonably possible to the newest version of Windows, and then to raise the functional level of the domain.Point out that some applications/services will have dependencies on functional level.Also make sure that students understand that one domain can be at a higher functional level while another domain in the forest is at a lower functional level. However, the forest functional level cannot be raised until all domains are at the appropriate domain functional level.Again, the goal of this slide is to introduce students to the concepts, but you do not have to go into too much detail. Functional levels are described in a later module. As long as students understand the idea that, once domain controllers are running a newer version of Windows, they are able to take advantage of newer features, students will be able to understand references to functional levels in earlier modules.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Active Directory and DNS are tightly integrated, and DNS data can be stored in Active Directory. It is necessary that students in this class have a basic understanding of DNS. This slide is meant to allow you to touch briefly upon the close relationship between DNS and Active Directory. This slide should be used only lightly, as the next modules presume out-of-box default DNS configuration. All details about DNS can be saved for discussion in Module 11.What is useful to point out is that if a domain controller is itself a DNS server, you can store the DNS database (the zone) in Active Directory itself. Depending on the experience level of your students, you may want to downplay or skip over the detail of DNS being stored in an application partition, or you may want to point out the business value of an application partition for other Active Directoryaware applications. You could briefly extend the concept of application partitions to mention that Active Directory can similarly support other applications and services not directly related to AD DS. The benefit of doing so is that you are able to take advantage of the efficient, robust, and well-maintained replication topology and technologies used by your domain controllers.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Extend the concept of trust to cover domain trust relationships.Use this slide to introduce the concept of trusts.Explain a trust relationship by returning to the concept of a workgroup. In its default, stand-alone configuration (workgroup), a Windows system trusts only its own identity storeits SAM database.When a computer joins a domain, it extends its realm of trust to include the shared identity store and authentication service provided by the domain controllers of the domain. Now, the server will authenticate and can assign permissions to a user that is not in its SAM, but rather in the trusted identity store in the domain.With that introduction is a small step to the concept of trust relationships, in which a domain extends its roam of trust to include an identity store and authentication service provided by another domain. Users in the trusted domain/identity store can now be authenticated by and assign resources in the trusting domain.You do not have to go much further than this. Module 15 details multiple domains scenarios and trust relationships, and gives you the opportunity to present interesting ways to remember trusted and trusting. Do not go to that point in this module. Simply take the existing concepts of workgroup and trust and help students see the path to domain trust relationships.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Instructor notes are minimal in this lesson because it is a simple technical lesson.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Outline the major steps of installing and configuring a domain controller.Students will perform these steps in the Lab for this module.In this Module, the focus is on a new Windows Server 2008 forest with a single domain tree with a single domain, and a single domain controller. Modules 10-14 will explore more complex multisite topologies, multidomain controller domains, multiple domain forests, and multiple forest models.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Objective: Describe the information that should be collected before creating a new forest during installation.Before beginning to create a new domain or forest, you must collect certain configuration information that will be requested during installation.Module 1: Introducing Active Directory Domain ServicesCourse 6425C*ScenarioYou have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you have been tasked with improving the manageability and security of the companys resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.

Exercise 1In this exercise, students will prepare the server by performing post-installation configuration tasks.Exercise 2In this exercise, students will add the AD DS role and create the forest and domain by promoting HQDC01 to be the first domain controller in the contoso.com forest.Exercise 3In this exercise, students will raise domain and forest functional level to Windows Server 2008 R2.

Module 1: Introducing Active Directory Domain ServicesCourse 6425C*-blank-Module 1: Introducing Active Directory Domain ServicesCourse 6425C*Lab Review

What can you do with the Initial Configuration Tasks console? Answer : This console is used to perform some basic administrative tasks such changing time zone or computer name.What must you do before starting the dcpromo wizard? Answer : You must add the Active Directory Domain Services role.Which tool is used to raise the domain functional level? Answer : The Active Directory Domains and Trusts tool is used to raise the domain functional level.

*Module 1: Introducing Active Directory Domain ServicesCourse 6425CReview QuestionsWhat is the main difference between authentication and authorization? Answer: Authentication is the process of providing credentials from user to identity store or an authentication service. By performing authentication, no right to access resource is granted. Authentication only confirms the identity of a user. On the other hand, authorization is a process of granting rights to access a specific resource based on an ACL. To proceed with authorization, authentication must first be performed. Why is global catalogimportant in a multidomain environment? Answer: Because the domain controllers in your domain will not contain information about objects in other domains, you must rely on the global catalog, which has the indexed, partial attribute set for all objects in other domains.Which tools can you use to install AD DS? Answer: First, you must use Server Manager to install the AD DS role, and after that you should run dcpromo to make the server a domain controller.

Common Issues Related to AD DS Installation

Best Practices Related to Active Directory Domain ServicesUse strong password for Directory Service Restore Mode.Make all domain controllers into Global Catalog servers.Use static IP addresses for domain controllers.

*Module 1: Introducing Active Directory Domain ServicesCourse 6425C*ToolsModule 1: Introducing Active Directory Domain ServicesCourse 6425C