Chapter 2: IMPLEMENTING ACTIVE DIRECTORY
2. REQUIREMENTS FOR ACTIVE DIRECTORY
- Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter)
  - Cannot use Web Edition for Active Directory
- Access as a local administrator
- NT file system (NTFS) partition for Sysvol
- 200 MB minimum free space
- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Domain Name System (DNS) to host service location (SRV) resource records

3. ACTIVE DIRECTORY INSTALLATION PROCESS
- Complete pre-installation tasks
- Plan and test before you install in a production environment

4. ACTIVE DIRECTORY INSTALLATION
- Dcpromo or Manage Your Server
  - If the server is already a domain controller, Dcpromo allows you to remove Active Directory
- Operating system compatibility issues
  - Microsoft Windows 95
  - Microsoft Windows NT 4, Service Pack 3

5. ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Domain controller type
  - Domain controller for a new domain
  - Replica domain controller
- Install in a new or existing forest?
- Install in a new or existing domain tree?
- Use the appropriate names
  - Domain Name System (DNS) fully qualified domain name (FQDN)
  - NetBIOS

6. ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Database and log folders
  - %systemroot%\NTDS
- Shared System Volume (Sysvol)
  - NTFS required

7. ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS

8. DNS REGISTRATION AND DIAGNOSTICS
- If DNS is not detected, you can choose to have it installed and configured automatically; otherwise, you must install and configure it manually.
- SRV resource records required
- Dynamic updates highly recommended
- Incremental zone transfers recommended

9. PERMISSIONS
- Pre–Windows 2000
- Windows Server 2003

10. ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Directory Services Restore Mode Administrator password
  - Password used to enter Directory Services Restore Mode
  - Required for Active Directory maintenance
- Completing the Active Directory installation
  - Confirm your configuration
  - Restart your new domain controller

11. VERIFY AND FINALIZE DNS
- Application directory partition creation
  - DomainDNSZones
  - ForestDNSZones
  - Automatically created when Active Directory–integrated DNS is used
  - Can be managed only by Enterprise Admins
- Aging and scavenging options
- Forward lookup zones and SRV resource records

12. DNS UPDATES AND RECORD STORAGE
- Dynamic updates
  - Secure only
  - Nonsecure and secure
  - None
- Store the zone in Active Directory (an Active Directory–integrated zone)
- Reverse lookup zones
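The "forward lookup zones and SRV resource records" step of finalizing DNS comes down to confirming that the SRV records a domain controller registers are actually present in the zone. The following is an added example, not part of the slide deck: it parses SRV records out of zone-file text and reports which of a required set are missing or advertise the wrong port. The zone data is constructed (domain contoso.com, one domain controller named dc1), and the set of names checked is an assumed minimum for a DC that also hosts the global catalog.

```python
"""Verify the SRV resource records a domain controller needs in a DNS
forward lookup zone.

Added example, not from the slide deck. The zone text is constructed to
resemble a zone-file export for the constructed domain contoso.com with
one domain controller, dc1; the list of SRV names checked is an assumed
minimum set for a DC that is also a global catalog server."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, fully qualified, lower-case, trailing dot
    priority: int
    weight: int
    port: int
    target: str    # host that offers the service


# "<owner> [TTL] IN SRV <priority> <weight> <port> <target>"
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)


def _fqdn(name: str, origin: str) -> str:
    """Qualify a relative owner or target name with the zone origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin.strip('.').lower()}."


def parse_srv_records(zone_text: str, origin: str) -> list[SrvRecord]:
    """Extract SRV records from zone-file text; other record types,
    $ORIGIN/$TTL directives and ';' comments are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SRV_LINE.match(line) if line else None
        if m:
            records.append(SrvRecord(
                _fqdn(m["name"], origin), int(m["prio"]), int(m["weight"]),
                int(m["port"]), _fqdn(m["target"], origin)))
    return records


def required_srv_names(domain: str, forest_root: str) -> dict[str, int]:
    """SRV owner names a DC registers, with the port each should advertise.
    Assumption: the DC also hosts the global catalog (_gc entries)."""
    d, f = domain.strip("."), forest_root.strip(".")
    return {
        f"_ldap._tcp.{d}.": 389,
        f"_kerberos._tcp.{d}.": 88,
        f"_kerberos._udp.{d}.": 88,
        f"_kpasswd._tcp.{d}.": 464,
        f"_ldap._tcp.dc._msdcs.{d}.": 389,
        f"_kerberos._tcp.dc._msdcs.{d}.": 88,
        f"_gc._tcp.{f}.": 3268,
        f"_ldap._tcp.gc._msdcs.{f}.": 3268,
    }


def verify_dc_srv_records(zone_text: str, domain: str, forest_root: str):
    """Return (missing, wrong_port): required names absent from the zone,
    and names present but not advertising the expected port."""
    ports_by_name: dict[str, set[int]] = {}
    for rec in parse_srv_records(zone_text, domain):
        ports_by_name.setdefault(rec.name, set()).add(rec.port)
    missing, wrong_port = [], []
    for name, port in required_srv_names(domain, forest_root).items():
        if name not in ports_by_name:
            missing.append(name)
        elif port not in ports_by_name[name]:
            wrong_port.append(name)
    return sorted(missing), sorted(wrong_port)


# Constructed zone data: the _kerberos._tcp.dc._msdcs record is deliberately
# absent, and _kpasswd is registered on the wrong port, to exercise the check.
SAMPLE_ZONE = """\
$ORIGIN contoso.com.
$TTL 600
@                      IN SOA  dc1.contoso.com. hostmaster.contoso.com. (1 900 600 86400 3600)
dc1                    IN A    10.0.0.10        ; constructed address
_ldap._tcp             IN SRV  0 100 389  dc1
_kerberos._tcp         IN SRV  0 100 88   dc1
_kerberos._udp         IN SRV  0 100 88   dc1
_kpasswd._tcp          IN SRV  0 100 88   dc1   ; wrong port, should be 464
_ldap._tcp.dc._msdcs   IN SRV  0 100 389  dc1
_gc._tcp               IN SRV  0 100 3268 dc1
_ldap._tcp.gc._msdcs   IN SRV  0 100 3268 dc1
"""

if __name__ == "__main__":
    missing, wrong = verify_dc_srv_records(SAMPLE_ZONE, "contoso.com", "contoso.com")
    print("missing:", missing)
    print("wrong port:", wrong)
```

Run against a real zone export, an empty `missing` list and an empty `wrong_port` list mean every checked record is registered; a non-empty `missing` list after the domain controller has restarted usually points at the dynamic update setting on the zone (the "Secure only" option requires the DC's registration to be authenticated) or at the client pointing at a DNS server that does not host the zone.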
13. REPLICA DOMAIN CONTROLLER
- Provides load balancing and fault tolerance
  - If one domain controller fails, another still holds the Active Directory records
  - Clients can use either domain controller for authentication
- DNS fault tolerance
  - If Active Directory–integrated, the records are automatically copied to other domain controllers
  - If not Active Directory–integrated, you can use a secondary zone for fault tolerance of records

14. REPLICA DOMAIN CONTROLLER
- DNS load balancing
  - Install the DNS service on an additional server
  - Configure client computers to use the new server as their preferred DNS server

15. SCHEMA MODIFICATION
- Some applications modify the schema
  - Examples include: programs, backup programs, and directory integration software
- Must be a member of Schema Admins to install these applications or to manually modify the schema
- Schema changes trigger replication to all domain controllers in the forest
- Default system classes cannot be modified
- Class and attribute changes cannot be removed, but can be deactivated

16. RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS
- Once complete, cannot be undone without a reinstall
- Each domain functional level can be raised independently of other domains
- The forest functional level can be raised only when all domains are at Windows 2000 native or higher
- Domain Admins membership required to raise the domain functional level
- Enterprise Admins membership required to raise the forest functional level

17. ESTABLISHING AND MAINTAINING TRUSTS
- Shortcut trust
  - Used to improve resource access
  - Reduces the length of the trust path
  - Transitive
- Cross-forest trust
  - Initially one-way; can create two one-way trusts to provide access in either direction
  - Available only to Windows Server 2003 forests
  - Transitive

18. ESTABLISHING AND MAINTAINING TRUSTS
- External
  - Can be used for Windows NT Server 4.0 and Windows 2000 domain trusts
  - Not transitive
- Realm
  - Used between third-party Kerberos implementations
  - Not transitive
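The two slides above describe trusts by two properties, transitivity and direction, and the shortcut trust by its effect on the trust path. The following is an added example, not part of the slide deck, that models a forest as a graph of trust edges and computes the path a resource domain walks to authenticate an account from another domain: parent-child and tree-root trusts are transitive and can be chained, a shortcut trust adds a transitive edge between two distant domains, and an external trust is not transitive and so can only be used as a single direct hop. The forest layout (contoso.com and fabrikam.com trees) and the NT 4 domain LEGACY are constructed.

```python
"""Trust-path model for the trust types on the slides.

Added example, not from the slide deck; the forest layout (contoso.com and
fabrikam.com trees) and the external NT 4 domain LEGACY are constructed."""
from __future__ import annotations

from collections import deque


class TrustGraph:
    """Directed trust edges: trusting -> trusted, each flagged transitive or not."""

    def __init__(self) -> None:
        self._edges: dict[str, list[tuple[str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str, *, transitive: bool,
                  two_way: bool = True) -> None:
        self._edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self._edges.setdefault(trusted, []).append((trusting, transitive))

    def trust_path(self, resource_domain: str, account_domain: str) -> list[str] | None:
        """Shortest chain of trusts the resource domain can follow to
        authenticate an account from account_domain, or None if there is
        no usable chain. A non-transitive trust may only form a direct,
        single-hop path; transitive trusts may be chained."""
        if resource_domain == account_domain:
            return [resource_domain]
        # A direct non-transitive trust (e.g. an external trust to an NT 4
        # domain) is usable only between the two domains it joins.
        for trusted, transitive in self._edges.get(resource_domain, []):
            if trusted == account_domain and not transitive:
                return [resource_domain, account_domain]
        # Breadth-first search over transitive trusts yields the shortest path.
        queue = deque([[resource_domain]])
        seen = {resource_domain}
        while queue:
            path = queue.popleft()
            for trusted, transitive in self._edges.get(path[-1], []):
                if not transitive or trusted in seen:
                    continue
                if trusted == account_domain:
                    return path + [trusted]
                seen.add(trusted)
                queue.append(path + [trusted])
        return None


def hops(path: list[str] | None) -> int | None:
    """Number of trusts traversed along a path."""
    return None if path is None else len(path) - 1


def build_sample_forest(with_shortcut: bool = False) -> TrustGraph:
    """Constructed forest: contoso.com tree (na, sales.na) and fabrikam.com
    tree (eu) joined by a tree-root trust, plus a one-way external trust
    from sales.na.contoso.com to the constructed NT 4 domain LEGACY."""
    g = TrustGraph()
    g.add_trust("contoso.com", "na.contoso.com", transitive=True)        # parent-child
    g.add_trust("na.contoso.com", "sales.na.contoso.com", transitive=True)
    g.add_trust("contoso.com", "fabrikam.com", transitive=True)          # tree-root
    g.add_trust("fabrikam.com", "eu.fabrikam.com", transitive=True)
    g.add_trust("sales.na.contoso.com", "LEGACY", transitive=False, two_way=False)  # external
    if with_shortcut:
        g.add_trust("sales.na.contoso.com", "eu.fabrikam.com", transitive=True)  # shortcut
    return g


if __name__ == "__main__":
    for shortcut in (False, True):
        g = build_sample_forest(with_shortcut=shortcut)
        p = g.trust_path("sales.na.contoso.com", "eu.fabrikam.com")
        print(f"shortcut={shortcut}: {hops(p)} hop(s) via {' -> '.join(p)}")
    g = build_sample_forest()
    print("na.contoso.com -> LEGACY:", g.trust_path("na.contoso.com", "LEGACY"))
```

Without the shortcut the path from sales.na.contoso.com to eu.fabrikam.com climbs to the forest root and back down through the second tree (four hops); the shortcut trust makes it a single hop, which is the "reduces the length of the trust path" effect. The external trust to LEGACY is reachable only from the domain that holds it, and in one direction only, which is why an external trust is a narrower grant than a transitive one.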
19. MANAGING TRUSTS
- Verifying trusts
  - Active Directory Domains And Trusts
  - netdom trust domain1 /d:contoso /verify
- Revoking trust relationships
  - Active Directory Domains And Trusts
  - netdom trust domain1 /d:contoso /remove

20. USER PRINCIPAL NAMES
- Allows users to log on without specifying a domain separately
- Can be the user's address
- By default, the User Principal Name (UPN) suffix is the same as the forest root domain name
- Can add UPN suffixes in Active Directory Domains And Trusts
- Can modify the UPN on a per-user basis

21. SUMMARY
- Active Directory requires DNS and SRV resource record support
- Verifying Active Directory installation
- Active Directory partitions
- Schema modification and replication
- Forest and domain functional levels
- Trust types: shortcut, cross-forest, external, realm