6710 Implementing Active Directory Domain Services in Windows Server


Upload: mar-bartolome-bartolome

Post on 22-Oct-2014


Page 1: 6710 Implementing Active Directory Domain Services in Windows Server

Implementing Active Directory Domain Services in Windows Server® 2008

Implementing AD DS in Windows Server 2008

Installing AD DS

Requirements for Installing AD DS

What Are Domain and Forest Functional Levels?

How To Install the AD DS Server Role

How To Verify an AD DS Installation

How To Configure the AD DS Installation Options

Self Test

Installing AD DS by Using Advanced Options

Advanced Options for Installing AD DS

Upgrading to Windows Server 2008 AD DS

Installing AD DS on a Server Core Computer

Self Test

Deploying Read-Only Domain Controllers

Using a Read-Only Domain Controller

Pre-Installation Tasks to Install an RODC

How To Install an RODC

Delegate the RODC Installation

What Are Password Replication Policies?

How To Configure Administrator Role Separation and Password Replication Policies

Self Test

Configuring AD DS Domain Controller Roles

What Are Global Catalog Servers?

How To Configure Global Catalog Servers

What Are Operations Master Roles?

How To Manage Operation Master Roles

Self Test

Lab: Implementing Active Directory Domain Services

Scenario

Exercise Information

Launch the Lab

Lab Review

Installing AD DS

Lesson Introduction

Windows Server 2008 provides several options when installing AD DS. For example, you can choose to create a new forest or a new domain or join an existing domain, depending on your requirements. Based on your network size and needs, you can choose a single domain or multiple domains, and a single forest or multiple forests. You also need to decide the domain and forest functional level for your AD DS deployment. When installing AD DS, you must decide on the factors related to the deployment of domain controllers in an AD DS forest. This is because the number of domain controllers required to manage the forest depends on the size of the forest. You can choose the installation options that best suit your requirements.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the requirements for installing the AD DS server role. Describe the domain and forest functional levels. Install the AD DS server role by using the AD DS Installation Wizard. Verify that AD DS is installed successfully. Configure the AD DS Installation Options.

Requirements for Installing AD DS

Before you install AD DS, you must ensure that your computer meets the software and server configuration requirements. You must also ensure that you have the appropriate permissions to install AD DS.

What Are Domain and Forest Functional Levels?

The functional level of an Active Directory domain or forest depends on the version of the operating system running on the domain controllers in the domain or forest. The Active Directory functional level determines the advanced features that are available in the domain or forest.

How To Install the AD DS Server Role

The AD DS server role in Windows Server 2008 includes several new features. You can install the AD DS server role by using Server Manager. Launch the Add Roles Wizard to install server roles on Windows Server 2008. Select the server roles that you want to install on the server. For example, select AD DS server role. Install the server role that you have selected. After the installation is complete, launch the Active Directory Domain Services Installation Wizard to make the server a fully functional domain controller.

Open the Command Prompt window and use Dcpromo with the advanced switch to launch the Active Directory Domain Services Installation Wizard in the advanced mode. The Active Directory Domain Services Installation Wizard helps you to install the AD DS on the server and configure the server as an Active Directory domain controller (AD DC). Choose a deployment configuration to create a domain controller for an existing forest or for a new forest. For example, you can add the domain controller to an existing forest.

Specify the name of the domain in the forest where you want to install the domain controller. Next, specify the account credentials that have sufficient privileges to install the domain controller. Provide the domain credentials of the enterprise administrator. Select a domain for adding the additional domain controller. Select the site for the new domain controller. For example, select the default first site. Select additional options for the domain controller.

You can choose the domain controller to be a DNS server, a global catalog, or an RODC. If there is an existing DNS infrastructure, you do not have to install the DNS on the server. Specify whether the computer will use a dynamically assigned IP address or a static IP address because your network uses both static and dynamic IP addresses. The network uses IPv4, which is a static address, and IPv6, which is enabled with DHCP. Now, a message is displayed stating that a delegation for the DNS server cannot be created and the DNS would be handled by the parent domain controller.

You can also install AD DS from the media. If you have backup media, you can replicate the data from that media to any location. For example, you can replicate data over the network from an existing domain controller. Choose the source domain controller. You can let the wizard automatically select the domain controller. Alternately, you can choose a specific domain controller, NYC-DC1.WoodgroveBank.com. Specify the location where you want to store the AD DC database, the log files, and the SYSVOL. You also need to assign a complex password for the administrator account, which is different from the domain administrator account.

Review the selections that you have made for the installation. By installing AD DS, you can change the domain membership of the computer from a workgroup and replicate the Active Directory items across the network. You can also create the appropriate folders and set the appropriate permissions on these folders. Then, you can install the administration tools for Active Directory. After this, you can replicate the schema, directory partition, and critical domain information.

The AD DS installation also includes the creation of the groups for Active Directory on the computer. The installation also sets the domain name as the DNS computer name and sets security on the directory service files and the registry keys. You can set the computer to reboot after the installation is complete.

This demonstration showed you how to install the AD DS server role.

How To Verify an AD DS Installation

After you install AD DS, you need to verify the installation. First, check the Directory Service event logs for errors by using Server Manager. The events summary provides information about the number of events, the event type, the event ID, the date and time of the event, and the source of the event. Review the event log for errors, and resolve them. For example, the event ID 1925 displays an error message that the replication of one of the domain controllers has failed after several attempts.

You need to resolve the error to replicate the domain controller with the source domain controller. Next, open the Active Directory Users and Computers console and verify whether the domain controller that you have installed is listed in the container of the Active Directory domain controllers. When verifying, notice that the domain controller, NYC-SVR1, is listed in the WoodgroveBank.com domain. Also notice that the new domain controller is a global catalog and it is on the default first site. Open Active Directory Sites and Services to ensure that the replication objects of the new domain controller exist on the default site.

For each server, there are replication objects that control replication to other servers on the site. Notice that the replication objects of the NYC-SVR1 server exist in the NTDS settings. Ensure that the proper containers are created in Windows Explorer. Notice that the ntds.dit file exists in the NTDS container in the Windows directory. Also, notice that the Woodgrove Bank domain container exists in the SYSVOL container. You can also view the policies and scripts containers in the Woodgrove Bank domain container.

This demonstration showed you how to verify an AD DS Installation.

Installing AD DS by Using Advanced Options

Lesson Introduction

You can install AD DS by using the default options available in the Active Directory Installation Wizard. Windows Server 2008 provides some advanced options to install AD DS which override the default configurations. The advanced options are also available when you install AD DS on a computer running Windows Server 2008 Server Core. You can easily upgrade a Windows Server 2000 or Windows Server 2003 domain to a Windows Server 2008 domain.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the advanced options available in Windows Server 2008 for installing AD DS. Describe how to upgrade to Windows Server 2008 AD DS. Describe the steps for installing AD DS on a Server Core computer.

Advanced Options for Installing AD DS

To install AD DS by using the advanced mode, you can use one of two available methods.

You can select the Use advanced mode installation check box on the Welcome page of the AD DS Installation Wizard. You can also run the Dcpromo utility by using the /adv switch. The AD DS Installation Wizard pages that appear in the advanced mode provide the following options.

Upgrading to Windows Server 2008 AD DS

Transcript

To install a new Windows Server 2008 domain controller in an existing Windows domain, you must prepare both the forest and the domain for the installation. To prepare the forest to receive the first Windows Server 2008 domain controller, you must extend the schema on the schema operations master. To extend the schema, run the adprep tool with the forestprep parameter.

The Windows Server 2008 installation media contains the adprep tool. If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep with the domainprep and gpprep parameters on the infrastructure master.

The gpprep switch adds inheritable access control entries (ACEs) to Group Policy Objects (GPOs) that are located in the SYSVOL shared folder, and then synchronizes the SYSVOL shared folder among the controllers in the domain. If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep with the domainprep parameter on the infrastructure master.

Installing AD DS on a Server Core Computer

To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended installation setup. To perform an unattended installation of AD DS, use an answer file and the following Dcpromo command.

Dcpromo /answer[:filename]

In this command, filename is the name of the answer file.

AD DS Installation Answer Files

The answer file is a plain text file with a [DCInstall] header. The answer file defines the installation parameters that you can select or specify in the AD DS Installation Wizard.

For example, if you want to install the first domain controller in the EMEA.WoodgroveBank.com domain, you can use the following answer file:

[DCInstall]
InstallDNS=Yes
ConfirmGc=No
RebootOnCompletion=Yes
NewDomain=Child
NewDomainDNSName=EMEA.WoodgroveBank.com
ParentDomainDNSName=WoodgroveBank.com
ChildName=EMEA
DomainLevel=2
SafeModeAdminPassword=Pa$$w0rd
SiteName=EMEA
UserDomain=WoodgroveBank.com
UserName=WoodgroveBank\Administrator
Password=*

If you do not configure a value in the answer file, the unattended installation uses the default setting for that value.

To simplify the process of creating the answer file that an unattended installation requires, select the Export settings option on the Summary page of the AD DS Installation Wizard. When you select this option, the wizard saves your installation configurations to an answer file. You can use this answer file for later installations.
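Because an answer file like the one above can carry a directory restore password in clear text, it is worth checking before it is copied around or reused. The following Python sketch is an added example, not part of the course material: it parses the [DCInstall] file, flags stored credentials, checks that the child-domain names agree, and produces a redacted copy. It assumes that `*` means the value is prompted for at run time; the function names are hypothetical.

```python
import configparser

# Keys in the page's sample file whose values are credentials.
SECRET_KEYS = ("password", "safemodeadminpassword")
# Assumption: "*" means the value is prompted for at run time (as in Password=*).
PROMPT = "*"

# The answer file from the text above, reproduced as sample input.
SAMPLE = r"""[DCInstall]
InstallDNS=Yes
ConfirmGc=No
RebootOnCompletion=Yes
NewDomain=Child
NewDomainDNSName=EMEA.WoodgroveBank.com
ParentDomainDNSName=WoodgroveBank.com
ChildName=EMEA
DomainLevel=2
SafeModeAdminPassword=Pa$$w0rd
SiteName=EMEA
UserDomain=WoodgroveBank.com
UserName=WoodgroveBank\Administrator
Password=*
"""


def parse_answer_file(text):
    """Return the [DCInstall] settings as a dict keyed by lower-cased name."""
    # interpolation=None keeps "%" and "$" inside passwords literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("DCInstall"):
        raise ValueError("answer file has no [DCInstall] header")
    # configparser lower-cases option names, so ConfirmGc and ConfirmGC match.
    return dict(parser["DCInstall"])


def audit(text):
    """Return (key, problem) pairs for settings that need attention."""
    settings = parse_answer_file(text)
    findings = []
    for key in SECRET_KEYS:
        value = settings.get(key, "")
        if value not in ("", PROMPT):
            findings.append((key, "credential stored in clear text"))
    # For a child domain, the full DNS name must be ChildName + parent name.
    if settings.get("newdomain", "").lower() == "child":
        expected = "{}.{}".format(settings.get("childname", ""),
                                  settings.get("parentdomaindnsname", ""))
        if settings.get("newdomaindnsname", "").lower() != expected.lower():
            findings.append(("newdomaindnsname", "expected " + expected))
    return findings


def redact(text):
    """Return the file with literal credential values replaced."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        is_secret = key.strip().lower() in SECRET_KEYS
        if sep and is_secret and value.strip() not in ("", PROMPT):
            line = key + "=<redacted>"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(key + ": " + problem)
    print(redact(SAMPLE))
```

Run against the sample, the audit reports only SafeModeAdminPassword; the Password=* line is left alone because no credential is stored in it.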

Deploying Read-Only Domain Controllers

Lesson Introduction

One of the important new features introduced in Windows Server 2008 is the option to create RODCs. RODC is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. RODCs provide the functionality that clients require, including providing additional security for domain controllers deployed in branch offices. You can install RODC in two stages, the pre-installation and the installation tasks. When you configure RODCs, you can allow or deny caching of specific user account passwords through Password Replication Policies.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the deployment scenarios for an RODC. Describe the pre-installation tasks to install an RODC. Install an RODC. Describe how to delegate an RODC installation. Describe the configuration options for Password Replication Policies for RODCs. Configure Password Replication Policies for RODCs.

Pre-Installation Tasks to Install an RODC

Before installing an RODC, you must prepare the AD DS environment. Preparation of an AD DS environment includes pre-installation tasks such as configuring the domain and forest functional level, ensuring the availability of a writable Windows Server 2008 domain controller, and preparing the forest and the domain. In addition, before you begin the installation, you must create an RODC computer account. You can also delegate rights to users or groups for installation, if required.

The following table provides the pre-installation tasks that you should perform before installing an RODC.

How To Install an RODC

The installation of an RODC differs from the installation of a normal domain controller in the following ways:

Before you install an RODC, you must create an RODC account in Active Directory.

You must connect the RODC to a domain only after attaching it to the RODC account created before the installation.

The RODC installation provides two options: delegation of installation and caching of passwords.

o You can delegate the installation of the actual domain controller to non-administrative users by using the advanced mode of the Dcpromo utility.

o You can specify the users who can cache their passwords on the RODC, during or after installation.

The best deployment option for an RODC is to install the RODC on a computer that runs Windows Server 2008 Server Core. To perform an unattended installation, create an answer file that contains the lines specified in the following table.

Delegate the RODC Installation

You can delegate the installation of an RODC to users who do not have administrative rights. To accomplish this delegation, you must perform the following two-stage installation.

What Are Password Replication Policies?

The default RODC configuration does not allow caching of passwords on the RODC. However, when you install an RODC, you can explicitly specify the user accounts for which the RODC can or cannot cache passwords. The list of these user accounts is stored in the Password Replication Policy. This policy acts as an access control list (ACL) that determines whether the RODC can cache a password. However, the RODC does not cache the passwords of the user or computer accounts until the user or computer accounts are authenticated by the RODC.

You can use the following three options when you implement a Password Replication Policy:

You can accept the default RODC configuration so that the RODC does not cache any credentials.

You can explicitly allow or deny the RODC to cache User or Computer credentials. To do this, you can access the RODC computer account properties in Active Directory Users and Computers and add users, groups, or computer accounts to the appropriate list.

You can configure RODC replication groups for credential caching. AD DS designates the following two accounts that manage credential caching on the RODC:

o The Allowed RODC Password Replication Group includes all accounts whose credentials can be cached on all RODCs in the domain. By default, this group does not have any members.

o The Denied RODC Password Replication Group includes all accounts whose credentials are not cached explicitly by the RODCs in a domain. By default, this group contains all administrator accounts and all domain controller accounts.

When you implement the Password Replication Policy, you must balance user convenience with security concerns. If you do not allow caching of passwords on the RODC, the users cannot log on to the RODC when a connection to a writable Windows Server 2008 domain controller is not available. However, if you allow caching of all passwords on the RODC, the chances of an RODC security breach increase.
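To see which accounts a given policy would expose if an RODC were compromised, the policy can be evaluated offline against exported group memberships. The following Python sketch is an added example, not part of the course material. It applies the order AD DS uses for this policy: a match on the Denied list wins over a match on the Allowed list, and an account on neither list is not cached. The account names, the HelpDesk group and the membership data are constructed; the function names are hypothetical.

```python
ALLOWED_GROUP = "Allowed RODC Password Replication Group"
DENIED_GROUP = "Denied RODC Password Replication Group"

# Constructed directory data: principal -> groups it is a direct member of.
MEMBER_OF = {
    "axel": {"NYC_BranchManagersGG"},
    "dana": {"NYC_BranchManagersGG", "Domain Admins"},
    "lee": {"Domain Users"},
    "sam": {"HelpDesk"},
    "NYC-CL1$": {"Domain Computers"},
    "HelpDesk": {ALLOWED_GROUP},
    "Domain Admins": {DENIED_GROUP},
}

# Constructed policy for one RODC: the two domain-wide groups plus the
# branch managers group that the lab adds to the Allowed list.
POLICY = {
    "allowed": {ALLOWED_GROUP, "NYC_BranchManagersGG"},
    "denied": {DENIED_GROUP},
}


def effective_groups(principal, member_of):
    """Return every group the principal belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:  # the seen set also guards against cycles
                seen.add(group)
                stack.append(group)
    return seen


def can_cache(principal, policy, member_of):
    """Return (decision, reason) for caching this principal's password."""
    identities = effective_groups(principal, member_of) | {principal}
    if identities & policy["denied"]:
        return False, "deny"
    if identities & policy["allowed"]:
        return True, "allow"
    return False, "default-deny"


def cacheable_accounts(accounts, policy, member_of):
    """Return the accounts whose passwords the RODC is permitted to cache."""
    return sorted(a for a in accounts if can_cache(a, policy, member_of)[0])


if __name__ == "__main__":
    accounts = ["axel", "dana", "lee", "sam", "NYC-CL1$"]
    for name in accounts:
        print(name, can_cache(name, POLICY, MEMBER_OF))
    print("exposed on this RODC:", cacheable_accounts(accounts, POLICY, MEMBER_OF))
```

The result lists accounts the policy permits; as the text notes, a password is only cached once the account has authenticated through the RODC.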

How To Configure Administrator Role Separation and Password Replication Policies

You can configure a user account as an administrative group on RODC by changing the administrative rights. The account with administrative rights becomes a member of the local administrative group. Notice that the group with the administrative rights is displayed. You can select another user, group, or built-in security principal to administer the RODC. Before selecting an object type, check whether the object is available. If a specific object type is not found, you must select the object type before entering the object name.

Notice that the group that you select need not be made a member of the Domain Admins security group. You can prepopulate the RODC password cache to enable RODC to replicate and cache the passwords of each authenticated user and computer. In the list of built-in groups, not all the groups have access to password replication. Notice that the Allowed RODC Password Replication Group is allowed to access password replication. Ensure that the selected user name is added to the built-in group list. Now, the next time the user authenticates from the RODC, the domain controller automatically caches the password. You can select and prepopulate the RODC passwords of users and computers.

View the user and computer accounts for which passwords are stored on the RODC. Also view the accounts that are authenticated to access the writable version of the domain controller. Now, add members to the Password Replication Group. Select any user or computer and add it to the allowed RODC Password Replication Group. RODC allows all the members of the added group to cache passwords.

This demonstration showed you how to configure administrator role separation and Password Replication Policies.

Configuring AD DS Domain Controller Roles

Lesson Introduction

The Active Directory database contains information about all objects in a domain. A domain controller that performs the role of a Global Catalog server helps you to locate an object in any domain in a forest. In addition, all domain controllers in a domain contain the same AD DS database and provide similar services. AD DS supports multiple-master replication for its database. However, you can perform certain tasks such as replicating configurations and schema directory partitions only in one domain controller to ensure AD DS consistency. Therefore, you can assign one domain controller with the operations master role.

Lesson Objectives

After completing this lesson, you will be able to:

Describe Global Catalog servers. Configure Global Catalog servers. Describe the purpose of operations master roles in Windows Server 2008. Manage operations master roles.

What Are Global Catalog Servers?

The Global Catalog server is a partial, read-only replica of all domain directory partitions in a forest. It is a partial replica because it includes only a limited set of attributes for each of the objects in the forest. By including only the attributes that are used for searching, the database of a single Global Catalog server can represent every object in every domain in the forest. A Global Catalog server performs several key functions, including processing user logons, processing Universal Principal Name (UPN) logons, and locating directory information.

How To Configure Global Catalog Servers

You can promote a domain controller as a Global Catalog server by using the dcpromo wizard or the Active Directory Installation Wizard. If you are installing the domain controller on Server Core, you cannot use the installation wizard because Server Core does not support the GUI mode. In such instances, you can configure a domain controller on Server Core by using an unattended installation file. The unattended installation file provides the answers to the questions that will be presented in GUI.

To configure a domain controller as a Global Catalog server on a Server Core computer, open the sample unattended installation file, NYC-RODC.txt. Modify the answer file by adding ConfirmGC=Yes. The modified answer file will automatically configure the Server Core domain controller as a Global Catalog server. Alternatively, you can configure a Global Catalog server by using Active Directory Sites and Services.

Open the properties of the NTDS settings. Promote the computer as a Global Catalog server by enabling the Global Catalog option. After you configure the computer as a Global Catalog server, view the attributes stored in it by using the Active Directory Schema Management console. The Active Directory Schema Management console is not installed by default. First, you need to register the schema management DLL. Register the schema management DLL by using the regsvr32 schmmgmt.dll command. Then, install the Schema Management console. To do this, open a blank management console.

Add the Active Directory Schema snap-in to the console. Now, view the list of attributes stored in the Global Catalog. Next, view the properties of an attribute. Notice that the Department attribute is not stored in the Global Catalog. If you want this attribute to be available for searching, replicate this attribute to the Global Catalog. After the replication is complete, the Department attribute will be available in the Global Catalog for searching.

This demonstration showed you how to configure Global Catalog servers in Windows Server 2008.

What Are Operations Master Roles?

Active Directory functions as a multiple-master replication system. However, for specific directory operations, you must make changes to Active Directory only through a single authoritative server. Operations masters are domain controllers that perform these specific directory operations to ensure consistency of the Active Directory database and eliminate the chances of registering conflicting entries in the database. AD DS provides five operations masters—Schema master, Domain naming master, RID master, primary domain controller (PDC) emulator, and Infrastructure master.

When you install Active Directory and create the first domain controller of a forest, the domain controller possesses all five roles. Similarly, the first domain controller in each new domain acquires the per-domain operations master roles. After you add more domain controllers to a domain, you can transfer these roles to other domain controllers.

How To Manage Operation Master Roles

In Windows Server 2008, you can identify, transfer, and seize operations master roles. To find out which servers hold which FSMO roles in an Active Directory forest, open the Active Directory tool, Active Directory Users and Computers. View the servers that are hosting the domain operations master roles such as the RID master, the PDC emulator, and the infrastructure master. A domain controller also provides the schema master and the domain naming master roles. You can identify the schema master role by using the Schema Management tool and the domain naming master role by using the Active Directory Domains and Trusts Management tool.

You can manage the operations master roles either by controlled transfer or by seizure. Use controlled transfer when you want to move a role from one server to another. To transfer an operations master role from one domain controller to another domain controller, first, connect to the source domain controller. For example, transfer the infrastructure master role from domain controller1 to domain controller2. Notice that the infrastructure master role is currently running on domain controller1. To transfer the infrastructure master role to domain controller2, click Change. Next, verify whether the operations master role was transferred successfully. To do this, open Operations Masters and view the server that holds the infrastructure master role. Notice that the infrastructure master role is currently running on domain controller2, whereas the PDC emulator role and the RID master role are still running on domain controller1.

You cannot transfer a role if the server that is running that particular role fails. In such cases, you need to seize the role. To seize the role, open a Command Prompt window with administrative privileges. You can seize the role by using the ntdsutil utility. Activate the instance for ntds. Go to roles. Go to connections. Connect to the server that you want to seize. Notice that you are connected to the server by using the credentials of domain administrator. After you establish the connection, exit from the server connections prompt. Use the seize infrastructure master command to force the domain controller to claim ownership of the role. Confirm the seizure of the role from domain controller2 with domain controller1. Exit from the FSMO maintenance and the ntdsutil prompts.

This demonstration showed you how to manage operations master roles in Windows Server 2008.

Course 6710: Implementing Active Directory Domain Services

Note:

These lab instructions are located on the Launch the Lab page of the course, as well as in the expandable Lab Instructions pane of the launched lab. Both sets contain the same information, so please use the instructions from the location you feel is most convenient.

Lab Scenario

You are a server administrator at Woodgrove Bank. The organization has several domain controllers at the corporate headquarters and now prepares to deploy domain controllers in its branch offices. Your organization wants to enhance the security of the data and applications by managing users and resources. You are asked to configure AD DS in Windows Server 2008. To do this, you need to deploy Windows Server 2008 domain controllers by installing additional domain controllers and including an RODC on the Server Core.

Exercise 1: Installing and Configuring an RODC

In this exercise, you will install the RODC server role on a Windows Server 2008 server core computer. Then, you will verify the installation and configure password replication policies for users who log on to the domain controllers to cache passwords on the RODC.

The main tasks in this exercise are as follows:

Pre-stage the RODC computer account.

Create the unattended answer file.

Promote NYC-SVR2 to become an additional domain controller in the WoodgroveBank domain.

Verify whether NYC-SVR2 is added as an additional domain controller in the WoodgroveBank domain.

Configure password replication policies for the NYC Branch Managers group on the RODC.

Task 1: You are logged on to the NYC-DC1 server with the user name, WoodgroveBank\Administrator, and the password, Pa$$w0rd. Proceed to the next task.

1. If you need to log on to the NYC-DC1 server, click the Ctrl-Alt-Delete button.

2. Enter the following:

o Username: WoodgroveBank\Administrator

o Password: Pa$$w0rd

3. Click the Forward button. You are connected to the NYC-DC1 server.

Task 2: Pre-stage the RODC computer account.

1. Open the Active Directory Users and Computers console.

2. Pre-create an RODC account by using the following information:

o Domain: WoodgroveBank.com

o Computer name: NYC-SVR2

Result

You have pre-staged the RODC computer account.

Task 3: You are logged on to the NYC-SVR2 server with the user name, WoodgroveBank\administrator, and the password, Pa$$w0rd. Proceed to the next task.

1. If you need to log on to NYC-SVR2, click the Ctrl-Alt-Delete button.

2. Enter the following:

o Username: WoodgroveBank\administrator

o Password: Pa$$w0rd

3. Click the Forward button. You are connected to the NYC-SVR2 server.

Task 4: Create the unattended answer file.

1. Open Command Prompt on NYC-SVR2.

2. Create an unattended RODC.txt file.

Result

You have created the unattended answer file.

Task 5: Promote NYC-SVR2 to become an additional domain controller in the WoodgroveBank domain.

1. Configure NYC-SVR2 as an additional domain controller in the WoodgroveBank domain.

Result

You have promoted NYC-SVR2 to become an additional domain controller in the WoodgroveBank domain.

Task 6: Switch to the NYC-DC1 server with the user name, WoodgroveBank\Administrator, and the password, Pa$$w0rd. Proceed to the next task.

1. If you need to log on to NYC-DC1, click the Ctrl-Alt-Delete button.

2. Enter the following:

o Username: WoodgroveBank\Administrator

o Password: Pa$$w0rd

3. Click the Forward button. You are connected to the NYC-DC1 server.

Task 7: Verify whether NYC-DC1 is added as an additional domain controller in the WoodgroveBank domain.

1. Check whether NYC-DC1 has been added as an additional domain controller.

Result

You have verified whether NYC-DC1 is added as an additional domain controller in the WoodgroveBank domain.

Task 8: Configure password replication policies for the NYC Branch Managers group on the RODC.

1. Add the NYC_BranchManagersGG group to the password replication policy list.

Result

You have configured password replication policies for the NYC Branch Managers group on the RODC.

Task 9: You have completed all tasks in this exercise.

1. A successful completion of this exercise results in the following outcomes:

o The RODC computer account is pre-staged.

o The unattended answer file is created.

o NYC-SVR2 is promoted to become an additional domain controller in the WoodgroveBank domain.

o Addition of NYC-SVR2 as an additional domain controller in the WoodgroveBank domain is verified.

o Password replication policies are configured for the NYC Branch Managers group on the RODC.

2. To proceed to another exercise, click the desired exercise.

Exercise 2: Configuring RODC as a Global Catalog server

In this exercise, you will configure NYC-SVR2 as a global catalog server.

Task 1: Configure NYC-SVR2 as a global catalog server.

1. Open Active Directory Users and Computers console.

2. Configure NYC-SVR2 as a global catalog server by configuring the NTDS Settings properties.

Result

You have configured NYC-SVR2 as a global catalog server.

Task 2: You have completed all tasks in this exercise.

1. A successful completion of this exercise results in the following outcome:

o NYC-SVR2 is configured as a global catalog server.

Lab Resources

There are no additional lab resources for this lab.

Module Summary
