Copyright line. Configuring the Active Directory Infrastructure Exam Objectives Working with Forests and Domains Working with Sites Working with Trusts
Slide 2 Working with Forests and Domains Decide what type of domain you want to install, and the DNS namespace it will use, before you begin. To improve a domain's reliability, always deploy at least two DCs in each domain. The first DC you install creates the forest root domain; it is the first GC and holds all five FSMO roles (Schema Master, Domain Naming Master, PDC Emulator, RID Master and Infrastructure Master). Any of these roles can later be transferred to other DCs for performance and to spread risk.
Slide 3 Working with Sites A site is a set of well-connected IP subnets. Sites optimize authentication and replication by keeping that traffic off slow, high-cost WAN links: clients locate DCs in their own site, and intersite replication is scheduled and compressed. Associating a subnet with a site tells Active Directory which physical networks the site represents, so DCs and clients are placed in the right site. Replication copies directory changes from the data store on a source DC to the identical data store on a destination DC. The KCC (Knowledge Consistency Checker) is a process that runs on every DC and generates the replication topology, the connection objects, within and between sites. Site link cost is a relative value you assign to each site link so the KCC can compare routes; a lower cost marks the preferred (faster, cheaper or more reliable) link.
Slide 4 Working with Trusts Active Directory trust relationships allow users in one domain to access resources in another domain without additional accounts in the domain that holds the resources. Whenever a child domain is created, a two-way transitive trust is automatically created between the parent and the child. Forest trusts are created between the root domains of two forests so users in one forest can access resources in the other forest. SID filtering is a protection applied to a trust: the trusting domain discards any SIDs in an inbound user's authorization data (notably SIDHistory entries) that were not issued by the trusted domain, so a principal on the far side of the trust cannot carry SIDs that belong to your domain.
Slide 5 FAQ Q: What is the big deal about raising the functional levels of my domains and forests? Shouldn't I raise the levels as soon as they meet the prerequisites? A: No. Remember that functional levels, once raised, cannot be lowered again. In addition, some situations are better suited to skipping a level rather than raising to one level and then the next. Known future restructuring and upgrade activities should therefore be considered before raising functional levels.
Slide 6 FAQ Q: How much of the Active Directory design stage should be complete before I install my first DC? A: Primarily, the DNS design should be complete, and the decision should be made about how the forest-root domain will be used. Additional DCs and domains can be added later. FSMO roles and GCs can be shifted as needed, and trusts with other forests and external domains can be added later. Essentially, the first DC that you install should be in a lab environment. From that perspective, you should install your first DC for testing and training purposes as soon as possible.
Slide 7 FAQ Q: If every FSMO role can be seized by another DC upon failure, why would I want to spread the roles out among different machines? A: There are several reasons. Chief among these are the risks associated with seizing roles. Lost or corrupted directory data can result from FSMO failures, especially if the malfunctioning machine ever comes back online still believing it holds the role. Seizing roles should not be considered a routine operation. Another consideration is performance. Each role exacts a certain amount of CPU and memory overhead, and your servers might perform better if roles are spread among multiple systems. If that weren't enough, some roles and functions should not coexist on the same DC: the Infrastructure Master should not be a GC unless every DC in the domain is a GC (or the forest has only one domain), because otherwise it never updates the phantom records for cross-domain references. FSMO placement should not be ignored, and this knowledge will be important on the test.
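The placement check described above, as an added example that is not part of the original slides: it lists the five role holders and flags the Infrastructure Master/GC conflict. It assumes the ActiveDirectory PowerShell module (RSAT) and discovers all names from the current forest, so nothing is hard-coded to a particular environment.

```powershell
# Added example: report FSMO role holders and check Infrastructure Master placement.
# Assumes the ActiveDirectory module; no domain or DC names are hard-coded.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles (one holder per forest) and three domain roles (one holder per domain).
$roles = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# The Infrastructure Master must not be a GC unless every DC in the domain is a GC;
# in a single-domain forest the role has no cross-domain references to maintain.
$dcs      = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$nonGc    = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imHost   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$multiDom = @($forest.Domains).Count -gt 1

if ($multiDom -and $imHost.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    $msg = "Infrastructure Master $($imHost.HostName) is a GC while $($nonGc.Count) DC(s) are not; " +
           "transfer the role with Move-ADDirectoryServerOperationMasterRole -OperationMasterRole InfrastructureMaster."
    Write-Warning $msg
} else {
    'Infrastructure Master placement is consistent with GC placement.'
}
```

Run it from a domain member with RSAT; the warning branch names the exact cmdlet for a graceful transfer, which is preferable to a seizure (`-Force`) whenever the current holder is still online.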
Slide 8 FAQ Q: What are the differences between external, realm, and shortcut trusts? A: An external trust is created to establish a nontransitive relationship with a single domain outside your forest. A realm trust is created to establish a relationship with a non-Windows Kerberos V5 realm, such as a UNIX MIT Kerberos realm. A shortcut trust is created between two domains in the same forest to shorten the trust path and so optimize authentication.
Slide 9 FAQ Q: What type of trust needs to be created between the root domain and a domain that is several layers deep inside the same tree? A: None. Transitive two-way parent-child trusts are automatically created between the layers of the tree structure, so a trust path already exists. (Tree-root trusts are likewise created automatically, but only between the forest root domain and the root domain of each additional tree.) If the authentication path through several parent-child hops is too slow, you can manually create a shortcut trust between the two domains.
Slide 10 FAQ Q: What is the difference between implied, implicit, and explicit trusts? A: An implicit trust is one that is automatically created by the system. An example is the trust created between a parent and child domain. An explicit trust is one that is manually created. An example is a forest trust between the root domains of two forests. An implied trust is one that exists only because of the transitive nature of trusts. An example is the trust between two child domains in different forests when a forest trust has been created between the two forest roots.
Slide 11 FAQ Q: What exactly does SID filtering accomplish? A: SID filtering secures a trust relationship where someone with administrative control of the trusted domain might try to elevate his or her own or someone else's privileges in your domain. It works by stripping, at the trust boundary, any SIDs that did not originate in the trusted domain, so an attacker cannot plant the SID of one of your privileged groups in a user's SIDHistory and have it honored on your side of the trust.
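An audit of the SID filtering described on Slides 4 and 11, as an added example that is not part of the original slides. It assumes the ActiveDirectory module and reads each trust's trustAttributes bits as defined in MS-ADTS (QUARANTINED_DOMAIN 0x4, FOREST_TRANSITIVE 0x8, WITHIN_FOREST 0x20, TREAT_AS_EXTERNAL 0x40); the status strings are this example's own wording.

```powershell
# Added example: list every trust of the current domain and flag weakened SID filtering.
# Assumes the ActiveDirectory module. Bit values are the MS-ADTS trustAttributes flags.
Import-Module ActiveDirectory

$QUARANTINED_DOMAIN = 0x4    # SID filtering on an external trust (netdom /quarantine:yes)
$FOREST_TRANSITIVE  = 0x8    # forest trust
$WITHIN_FOREST      = 0x20   # parent-child or tree-root trust; never filtered
$TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style filtering (netdom /enablesidhistory:yes)

Get-ADTrust -Filter * | ForEach-Object {
    $attr = [int]$_.TrustAttributes
    $status =
        if ($attr -band $WITHIN_FOREST) {
            'intra-forest (SID filtering not applicable)'
        } elseif ($attr -band $FOREST_TRANSITIVE) {
            if ($attr -band $TREAT_AS_EXTERNAL) { 'WEAKENED: forest trust treated as external, SID history allowed' }
            else                                { 'ok: forest-aware SID filtering in effect' }
        } else {
            if ($attr -band $QUARANTINED_DOMAIN) { 'ok: external trust quarantined' }
            else                                 { 'WEAKENED: external trust without quarantine' }
        }
    [pscustomobject]@{
        Trust      = $_.Name
        Direction  = $_.Direction
        Attributes = ('0x{0:X}' -f $attr)
        SidFilter  = $status
    }
} | Format-Table -AutoSize
```

Any row marked WEAKENED deserves a ticket: restore the default with `netdom trust <trusting> /domain:<trusted> /quarantine:yes` for an external trust, or `/enablesidhistory:no` for a forest trust, unless a documented migration still depends on SID history flowing across it.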
Slide 12 FAQ Q: How do you change the time the KCC runs? A: The KCC, which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry key. Then, from the Edit menu, select New, DWORD Value, name it Repl topology update period (secs), and set it to the desired interval in seconds (the default, when the value is absent, is 900).
Slide 13 FAQ Q: How do I move a server to a different site? A: If the sites and subnets are configured, new servers are automatically added to the site that owns their subnet. However, a server can be manually moved to a different site. To perform this task, start the Active Directory Sites and Services snap-in. Expand the site that currently contains the server, and expand the Servers container. Right-click the server and select Move from the context menu. A list of all the sites appears. Select the new target site, and click OK.
Slide 14 FAQ Q: How can a server belong to more than one site? A: By default, a server belongs to only one site. However, you can configure a DC to cover multiple sites, so that clients in a site with no DC of its own still find it. Because sites are used for replication, for clients to find resources, and to decrease traffic on intersite connections, simply modifying a site's membership might cause performance problems. To configure a server for multiple site coverage, log on to the server. Start regedit or regedt32. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry key, select Add Value from the Edit menu, enter the name SiteCoverage with the type REG_MULTI_SZ, and click OK. Next, enter the names of the sites to cover, each on a new line. (Press Shift + Enter to move to the next line.) Click OK. Close the Registry Editor.
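The two registry changes from Slides 12 and 14 done from an elevated PowerShell prompt on the DC, as an added example that is not part of the original slides. The value names are the documented ones; the interval of 600 seconds and the site names HQ and Branch-North are assumptions for illustration.

```powershell
# Added example: set the KCC interval and Netlogon site coverage, with read-back.
# Run elevated on the DC. 600 s and the site names are illustrative assumptions.
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$kccName  = 'Repl topology update period (secs)'

# 1. KCC interval. An absent value means the 900 s (15 minute) default.
$before = (Get-ItemProperty -Path $ntds -Name $kccName -ErrorAction SilentlyContinue).$kccName
if ($null -eq $before) { 'KCC interval before: default (900 s)' } else { "KCC interval before: $before s" }
Set-ItemProperty -Path $ntds -Name $kccName -Value 600 -Type DWord
"KCC interval now: $((Get-ItemProperty -Path $ntds -Name $kccName).$kccName) s"

# 2. Site coverage: REG_MULTI_SZ listing every site this DC should advertise itself in.
#    Only list sites that have no DC of their own; otherwise you pull their clients across the WAN.
$sites = @('HQ', 'Branch-North')   # assumption: site names for illustration
New-ItemProperty -Path $netlogon -Name 'SiteCoverage' -PropertyType MultiString -Value $sites -Force | Out-Null
'SiteCoverage now: ' + (((Get-ItemProperty -Path $netlogon -Name 'SiteCoverage').SiteCoverage) -join ', ')

# Netlogon re-registers its site-specific DNS records after a restart.
Restart-Service Netlogon
```

After the restart, `nltest /dsgetsite` on a client in Branch-North, or a look at the `_ldap._tcp.Branch-North._sites.dc._msdcs` SRV records, confirms that the DC is now advertised there.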
Slide 15 FAQ Q: How do I disable site link transitivity? A: By default all site links are bridged together, making them transitive, so the KCC can create connection objects between DCs in any two sites. You can turn this off and instead bridge only the specific site links you choose. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder and expand the Inter-Site Transports folder. Right-click the protocol for which you want to disable transitivity (IP or SMTP), and select Properties. Clear the Bridge all site links checkbox, and click Apply. Then create site link bridge objects under that transport for the site links that should remain transitive.
Slide 16 FAQ Q: How do you rename a site? A: When you install your first DC, the DC creates the default site, Default-First-Site-Name. This name isn't very descriptive, so you might want to rename it. Start the Active Directory Sites and Services snap-in. (Select Administrative Tools | Active Directory Sites and Services from the Start menu.) Expand the Sites folder. Right-click the site that is to be renamed (e.g., Default-First-Site-Name), and select Rename. Enter the new name, and press Enter.
Slide 17 FAQ Q: I want to enable GC functionality on a DC. Where do I do that? A: In the NTDS Settings Properties window on the General tab. You simply check the box next to Global Catalog and click OK.
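The Sites and Services tasks from Slides 13 through 17 (move a DC, disable automatic site link bridging, rename the default site, enable the GC) done with the ActiveDirectory module, as an added example that is not part of the original slides. It assumes the `*-ADReplication*` and Move-ADDirectoryServer cmdlets from Windows Server 2012 RSAT or later, and the site, subnet and DC names (HQ, Branch-North, 10.20.0.0/16, DC02) are illustrative assumptions. The options bit values are the documented ones: 0x2 on the transport container means "bridges required", 0x1 on NTDS Settings means "is GC".

```powershell
# Added example: Sites and Services administration with the ActiveDirectory module.
# Assumes Windows Server 2012+ RSAT cmdlets; names below are illustrative.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Rename the default site (Slide 16).
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'HQ'

# Create a branch site and associate a subnet with it so new DCs land there automatically.
New-ADReplicationSite -Name 'Branch-North'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch-North'

# Move a DC that was promoted before the subnet existed (Slide 13).
Move-ADDirectoryServer -Identity 'DC02' -Site 'Branch-North'

# Disable "Bridge all site links" on the IP transport (Slide 15), then define the one bridge wanted.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }
New-ADReplicationSiteLinkBridge -Name 'HQ-to-Branches' -SiteLinksIncluded 'DEFAULTIPSITELINK'

# Enable the GC on DC02 by setting bit 0x1 of its NTDS Settings options (Slide 17).
$dc = Get-ADDomainController -Identity 'DC02'
$ntdsOpts = [int](Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options).options
Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($ntdsOpts -bor 0x1) }

# Verify: the DC should now report the new site and the GC flag.
Get-ADDomainController -Identity 'DC02' | Select-Object HostName, Site, IsGlobalCatalog
```

The bitwise `-bor` preserves any other option bits already set on the object; a bare `-Replace @{ options = 1 }` would silently clear them. The GC promotion itself completes only after the partial attribute set has replicated in, so expect IsGlobalCatalog to lag the option change on a large forest.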
Slide 18 FAQ Q: I have an office with only 10 users. Should I put a GC server at this location? A: Probably not; Microsoft's guidance is that a location with 50 or more users warrants a local DC (typically also a GC). With 10 users, the cost and the extra replication traffic usually outweigh the benefit.
Slide 19 FAQ Q: I am noticing a large amount of traffic between my corporate office and branch office. I recently added a GC server/DC at my branch office. Why all the extra traffic? A: More than likely, you didn't set up a site (and subnet) for each location. Without separate sites, the two DCs treat each other as intrasite partners and replicate on change notification without compression. With a site per location, intersite replication runs on a schedule over a site link and the data is compressed before it is sent, which keeps bandwidth usage down.
Slide 20 Exam Warning With Windows Server 2008 and beyond, you will see more and more references to UPN use in single or multiple domain environments. Be sure to understand how the UPN works in relation to logon, and how the GC keeps this information available efficiently.
Slide 21 Exam Warning Be prepared to see diagrams that show network layouts and the various GC servers you have on your network. Part of being a successful network administrator is being able to determine whether the design is good. Because many Active Directory-integrated applications, such as Microsoft Exchange, need access to a GC for authentication, GCs should be placed in sites that support these applications, as well as sites that are connected over lower-speed WAN links.
Slide 22 Test Day Tip Universal Groups can exist only if the domain functional level is Windows 2000 native or later. Universal Group membership is stored in, and replicated between, GC servers, and a DC must consult a GC at logon to build a user's token. Replication traffic can consume bandwidth, which is why site topology matters: putting a GC in each site keeps logon-time universal group lookups and GC queries off the WAN, at the cost of replicating the partial attribute set to that site on the compressed intersite schedule.
Slide 23 Test Day Tip Microsoft's documentation recommends that if you have 50 or more users at a given location, you should give that location a DC serving as a GC server. This will help to reduce the number of queries crossing the WAN for Active Directory object searches.
Slide 24 Exam Warning Remember this distinction between the GC and the Schema Master: The GC contains a partial, read-only replica of every object in the forest (a limited set of attributes of each object). The schema contains the formal definition of every object class that can exist in the forest and every attribute that can exist within an object; every DC holds a copy of it, but only the Schema Master can write to it. In other words, the GC contains every object, whereas the schema contains the definition of every type of object.
Slide 25 Test Day Tip As a network administrator, you must be familiar with the various roles and services offered by Active Directory Sites. You needn't worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each role and service of Active Directory Sites works, and how sites can be used efficiently in terms of data transmission as part of a large network.
Slide 26 Exam Warning Make sure you are familiar with the benefits provided by a domain, and how a domain works to provide them for you.
Slide 27 Test Day Tip Make sure you know and understand the differences between the physical and logical structures of the network. Be aware of how each is used to build the most efficient replication topology.
Slide 28 Test Day Tip Remember that default Windows Server 2008 trust relationships are friendly. The default and most common trusts in Active Directory, which are parent-child and tree-root trusts, are both bidirectional and transitive, meaning that the trust path extends throughout the entire forest. You can remember this type of transitive trust with the old saying, "Any friend of yours is a friend of mine." Other types of Windows Server 2008 trusts exist, such as forest, shortcut, external and realm, each of which can be bidirectional or unidirectional and have different transitivity properties. One of the first things you should do when you sit down at the testing station is to write down the trusts and their properties on your scratch paper. Do this before starting the test so as not to waste valuable time.
Slide 29 Test Day Tip On the day of the test, you will want to review the types of trusts as well as when to use them. On the exam, you might be given a scenario that will require you to determine the type of trust that will best meet the requirements in the scenario.
Slide 30 Exam Warning Although a forest trust is considered transitive, that transitivity applies only to the domains within the two forests explicitly joined by the trust: every domain in forest A trusts every domain in forest B. It does not extend to a third forest. If forest B also trusts forest C, forest A gains no trust with C unless you create another explicit trust between A and C.
Slide 31 Exam Warning You will always need to create an external trust when connecting to a Windows NT 4.0 or earlier domain. These domains are not eligible to participate in Active Directory. External trusts are nontransitive, and NT 4.0 itself supports only one-way trusts, so a two-way relationship with an NT 4.0 domain is built from two one-way trusts, one in each direction. If you have worked with Windows NT 4.0, you will remember that the only trusts allowed were nontransitive one-way trusts.