Module 1: Installing Active Directory Domain Services
4/20/2017  Course 6425A

Presentation: 65 minutes
Lab: 75 minutes

This module helps students implement Active Directory Domain Services. After completing this module, students will be able to:
- Install Active Directory Domain Services.
- Deploy Read-Only Domain Controllers.
- Configure AD DS Domain Controller roles.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_01.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier PowerPoint version, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.

This section contains information that will help you teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

(Slide title: Module 1: Implementing Active Directory® Domain Services)
Module Overview
- Installing Active Directory Domain Services
- Deploying Read-Only Domain Controllers
- Configuring AD DS Domain Controller Roles
Lesson 1: Installing Active Directory Domain Services
- Requirements for Installing AD DS
- What Are Domain and Forest Functional Levels?
- AD DS Installation Process
- Advanced Options for Installing AD DS
- Installing AD DS from Media
- Demonstration: Verifying the AD DS Installation
- Upgrading to Windows Server 2008 AD DS
- Installing AD DS on a Server Core Computer
- Discussion: Common Configuration for AD DS
Requirements for Installing AD DS

Slide content:
Server requirements to install AD DS:
- A computer running Windows Server 2008
- Minimum disk space of 250 MB and a partition formatted with the NTFS file system
Network configuration:
- TCP/IP must be configured, including DNS client settings
- A DNS server that supports dynamic updates must be available, or will be configured on the domain controller
Administrator permissions:
- Local Administrator permissions to install the first domain controller in a forest
- Domain Administrator permissions to install additional domain controllers in a domain
- Enterprise Administrator permissions to install additional domains in a forest

Instructor notes:
Mention that Windows Server 2008 is supported on both 32-bit and 64-bit hardware. 64-bit hardware is recommended for domain controllers in organizations that have large numbers of users.
Highlight the importance of Domain Name System (DNS) in the AD DS installation. Mention that the next module will cover the integration of DNS and AD DS.

References:
- Active Directory Domain Services Help: Installing Active Directory Domain Services
- Requirements for Installing AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
What Are Domain and Forest Functional Levels?

Slide content:
Functional levels:
- Determine the AD DS features available in a domain or forest
- Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest

Supported functional levels:
Domain functional level | Supported domain controller operating systems           | Forest functional level
Windows 2000 native     | Windows Server 2008, Windows Server 2003, Windows 2000  | Windows 2000
Windows Server 2003     | Windows Server 2008, Windows Server 2003                | Windows Server 2003
Windows Server 2008     | Windows Server 2008                                     | Windows Server 2008

Instructor notes:
Mention that functional levels do not affect which operating systems can be run on workstations and member servers that are joined to the domain or forest. A domain or forest that you configure with a Windows Server 2008 functional level can still have Windows NT® or later member servers.
For students who are familiar with previous Windows Server versions, highlight that Windows Server 2008 does not support the Windows 2000 mixed functional level. This means that all Windows NT domain controllers must be removed from the domain and the domain functional level raised before Windows Server 2008 domain controllers can be installed.
Mention that you can raise the domain and forest functional levels after installation by using Active Directory Users and Computers (to raise the domain functional level) or Active Directory Domains and Trusts (to raise the domain or forest functional level).
Tell the students that there are links to additional information available about functional levels.

References:
- Active Directory Domain Services Help: Set the domain or forest functional level
- Appendix of Functional Level Features: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
AD DS Installation Process

Slide content:
1. Install the Active Directory Domain Services role using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password

Instructor notes:
Mention that you can skip the first step in the installation by running DCPromo from a command line. When you choose this option, the AD DS server role is installed and then the Active Directory Domain Services Installation Wizard starts.
The configuration options for step 3 vary depending on whether this is the first domain controller in a forest, an additional domain controller in a domain, or the first domain controller in a new domain in a forest. Highlight the differences for each option.
Stress the importance of documenting the Directory Services Restore Mode Administrator password. Without this password, students will not be able to restore Active Directory in the event of a database failure. Mention that the password can be changed after installation by using the NTDSUtil command-line tool.

References:
- Active Directory Domain Services Help: Installing Active Directory Domain Services
- Installing a New Windows Server "Longhorn" Forest: Scenarios for Installing AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Advanced Options for Installing AD DS

Slide content:
To access the advanced mode installation options, choose the Advanced Mode option in the installation wizard or run DCPromo /adv.
Use the advanced mode options to:
- Create a new domain tree
- Use backup media as the source for AD DS information
- Select the source domain controller for the installation
- Modify the default domain NetBIOS name
- Define the Password Replication Policy for an RODC

Instructor notes:
Describe situations where administrators may choose to use each of the advanced installation options. Mention that the advanced mode installation option is available to address nonstandard domain controller installation scenarios.
Mention that some of the advanced installation options are available only after making initial selections in the wizard. For example, the option to change the domain NetBIOS name is available only when you are installing the first domain controller in a domain, not when you are installing additional domain controllers in the same domain. The options to use backup media as the source for AD DS information, select the source domain controller for the installation, or define the Password Replication Policy for a read-only domain controller (RODC) are available only when installing an additional domain controller in a domain.

References:
- Active Directory Domain Services Help: Use advanced mode installation
- What's New in AD DS Installation and Removal: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Installing AD DS from Media

Slide content:
Use Ntdsutil.exe to create the installation media. Ntdsutil.exe can create the following types of installation media:
- Full (or writable) domain controller
- Full (or writable) domain controller without SYSVOL data
- Read-only domain controller without SYSVOL data
- Read-only domain controller

Instructor notes:
Summarize the reasons why an organization might choose to use the install from media option when installing a domain controller. The primary benefit is that this decreases the initial replication time when installing a domain controller in an office location with a slow network connection to another domain controller. Mention that although the initial AD DS data is extracted from the backup, the domain controller still replicates with other domain controllers to ensure that the new domain controller has current information. Consider demonstrating the steps to create the media using Ntdsutil.exe.

References:
- Installing AD DS from Media: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
- Active Directory Domain Services Help: Use advanced mode installation
Demonstration: Verifying the AD DS Installation

Slide content:
In this demonstration, you will see how to verify the AD DS installation.

Demonstration steps for verifying the AD DS installation:
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
1. Open Server Manager and verify that the AD DS server role is installed.
2. View the system services and verify that all required services are running.
3. Open Active Directory Users and Computers and verify that the domain controller is listed in the Domain Controllers container.
4. Open Active Directory Sites and Services and verify that the domain controller is listed in the appropriate site.
5. Open the Event Viewer. Verify that there are no events indicating that the AD DS installation failed.
6. Open Windows Explorer and browse to C:\Windows\NTDS. Verify that NTDS.dit and the other database files are located in the folder.
Note: You can access all of the administration tools from within Server Manager. Consider accessing the tools from Server Manager so that students become familiar with using this interface.

Discussion question and answer
Question: What steps would you take if you noticed that the domain controller installation failed?
Answer: Verify the network connectivity and configuration. Ensure that existing domain controllers in the domain are accessible on the network. Check the installation media.

References:
- Verifying an AD DS Installation: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
- Verifying Active Directory Installation: http://technet2.microsoft.com/windowsserver/en/library/9530f1ae-ea53-40c1-bcfb-a4bb535744bc1033.mspx?mfr=true
Note: this last resource refers to verifying a Windows Server 2003 domain controller installation. Some of the specific steps for installation verification may be different in Windows Server 2008, but many of the concepts and procedures still apply.
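As an added example that is not part of the course materials, the following PowerShell script performs the checks the demonstration walks through in the GUI (required services, the NTDS database files, the SYSVOL and NETLOGON shares, LDAP on the new server, and errors in the Directory Service event log) from a console on the new domain controller. It assumes PowerShell is installed on a full (not Server Core) Windows Server 2008 domain controller, that the database was left at the wizard's default C:\Windows\NTDS location, and that DNS was installed on the same server; the service names and LDAP attributes are the standard ones, and the check names in the output are the script's own.

```powershell
# Added example (not course code): verify a freshly promoted Windows Server 2008 domain controller.
# Assumes the defaults chosen in the installation wizard: database in %SystemRoot%\NTDS and
# AD-integrated DNS on this server. Run in an elevated PowerShell session on the new DC.

function Test-AdDsInstallation {
    param(
        [string]$DatabasePath = "$env:SystemRoot\NTDS",   # location chosen in wizard step 5
        [int]$EventHours = 24                             # how far back to look for DS errors
    )
    $result = @{}

    # 1. Directory, Kerberos KDC, Netlogon, DNS and time services must be running.
    foreach ($name in 'NTDS', 'Kdc', 'Netlogon', 'DNS', 'W32Time') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result["Service $name running"] = ($svc -ne $null -and $svc.Status -eq 'Running')
    }
    # SYSVOL is replicated by DFSR at the Windows Server 2008 domain functional level and by
    # the File Replication Service (NtFrs) at lower levels; one of the two must be running.
    $sysvolSvc = Get-Service -Name 'DFSR', 'NtFrs' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' }
    $result['SYSVOL replication service running'] = ($sysvolSvc -ne $null)

    # 2. The database and its transaction log exist where step 5 of the wizard put them.
    $result['ntds.dit present'] = Test-Path (Join-Path $DatabasePath 'ntds.dit')
    $result['edb.log present']  = Test-Path (Join-Path $DatabasePath 'edb.log')

    # 3. The SYSVOL and NETLOGON shares appear only once SYSVOL has initialized.
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
    $result['SYSVOL and NETLOGON shared'] = ($shares -contains 'SYSVOL' -and $shares -contains 'NETLOGON')

    # 4. The local directory answers LDAP: RootDSE names the domain partition and says
    #    whether this DC is advertising the global catalog yet.
    try {
        $root = [ADSI]'LDAP://localhost/RootDSE'
        $result['LDAP RootDSE reachable'] = ([string]$root.defaultNamingContext -ne '')
        $result['DC advertised as GC']    = ([string]$root.isGlobalCatalogReady -eq 'TRUE')
    } catch {
        $result['LDAP RootDSE reachable'] = $false
    }

    # 5. Errors in the Directory Service log are the events the Event Viewer step looks for.
    $errors = Get-EventLog -LogName 'Directory Service' -EntryType Error `
        -After (Get-Date).AddHours(-$EventHours) -ErrorAction SilentlyContinue
    $result['Directory Service errors (count)'] = @($errors).Count

    return $result
}

$report = Test-AdDsInstallation
$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Any check that reports False, or a non-zero error count, points at the step of the demonstration to investigate first; dcdiag remains the built-in tool for the fuller health check once these basics pass.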
Upgrading to Windows Server 2008 AD DS

Slide content:
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:
Current version                        | Before installing                        | Command
Windows 2000 or Windows Server 2003    | Windows Server 2008 domain controllers   | adprep /forestprep
Windows 2000                           | Windows Server 2008 domain controllers   | adprep /domainprep /gpprep
Windows Server 2003                    | Windows Server 2008 domain controllers   | adprep /domainprep
Windows Server 2003                    | Windows Server 2008 RODCs                | adprep /rodcprep

Instructor notes:
Mention that to install a Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, the students must first run the ADPrep command-line tool to prepare the environment for the Windows Server 2008 installation. Details for the ADPrep switches are provided in the Scenarios for Installing AD DS resource.

Resources:
- Active Directory Domain Services Help: Installing Active Directory Domain Services
- Installing a New Windows Server "Longhorn" Forest: Scenarios for Installing AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true

Additional Resources:
- Appendix of Unattended Installation Parameters: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Installing AD DS on a Server Core Computer

Slide content:
To install AD DS on a Server Core computer, perform an unattended installation using an answer file. Use the following syntax with the Dcpromo command:
Dcpromo /answer[:filename]
where filename is the name of your answer file.

Instructor notes:
Stress that the only way to install AD DS on a server running Windows Server 2008 Server Core is to use an unattended installation. Mention that there are many additional settings that you can configure during an unattended installation; the slide highlights only those that are most important.

Reference:
- Appendix of Unattended Installation Parameters: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
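The following answer file is an added example, not part of the course materials, showing the keys that map to the wizard steps of the installation process (deployment configuration, additional features, file locations, and the Directory Services Restore Mode password) for the Server Core case: an additional writable domain controller in an existing domain. The domain name contoso.com, the site name, the account names and the paths are placeholders to replace; the keys are the documented Dcpromo unattended parameters.

```ini
; Added example, not course material: dcpromo answer file for an additional (writable)
; domain controller in an existing domain, as used on Windows Server 2008 Server Core.
; Domain name, site, account and paths are placeholders; replace them with your values.
; The file holds two secrets, so restrict it to administrators and delete it after the
; promotion completes.
; Run with:  dcpromo /answer:C:\Answer\dc-replica.txt
[DCINSTALL]
; Replica = additional DC in an existing domain; ReadOnlyReplica = RODC;
; Domain = first DC of a new domain (new forest, child domain or new tree)
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
; additional domain controller features (wizard step 4)
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; credentials of a Domain Admins member in the target domain
UserDomain=contoso.com
UserName=<DOMAIN-ADMIN-ACCOUNT>
Password=<PASSWORD-PLACEHOLDER>
; database, log and SYSVOL locations (wizard step 5)
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Directory Services Restore Mode password (wizard step 6); record it securely
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>
; optional: seed the database from install-from-media files created with ntdsutil
; ReplicationSourcePath=C:\IFM
RebootOnCompletion=Yes
```

The same file works on a full installation of Windows Server 2008; Server Core simply has no wizard, so the answer file is the only way to supply these values there.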
Discussion: Common Configuration for AD DS

Slide content:
- What additional steps would you take in your environment after installing the first Windows Server 2008 domain controller?
- How would these tasks change after you have deployed additional domain controllers in your domain?
- Which of the recommendations listed in Server Manager apply to your organization?

Instructor notes:
Consider showing the recommendations listed in the Recommendations and Support section of the Active Directory Domain Services role section in Server Manager. Pick several of the additional tasks and use the discussion questions to review the tasks.

Reference:
- AD DS Help: Common Configurations for Active Directory Domain Services
Lesson 2: Deploying Read-Only Domain Controllers
- What Is a Read-Only Domain Controller?
- Read-Only Domain Controller Features
- Preparing to Install the RODC
- Installing the RODC
- Delegating the RODC Installation
- What Are Password Replication Policies?
- Demonstration: Configuring Administrator Role Separation and Password Replication Policies
What Is a Read-Only Domain Controller?

Slide content:
RODCs host read-only partitions of the Active Directory database, only accept replicated changes to Active Directory, and never initiate replication.
RODCs provide:
- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller
RODCs:
- Cannot hold operations master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 Server Core for additional security

Instructor notes:
If students are familiar with Windows NT 4.0, compare the RODC with the Windows NT backup domain controller (BDC). These domain controllers are similar, but the RODC provides several more features, such as delegated administration and credential caching. Mention that RODCs are designed primarily to be deployed in a branch office.

Reference:
- AD DS: Read-Only Domain Controllers: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Read-Only Domain Controller Features

Slide content:
RODCs provide:
- Unidirectional replication
- Credential caching
- Administrative role separation
- Read-only DNS
- RODC filtered attribute set

Instructor notes:
Emphasize the security benefits of running an RODC, including that:
- Even if an RODC is compromised, or an attacker gains physical access to the domain controller, the changes made to the RODC will never be replicated to another domain controller.
- You can delegate administrative control of the RODC so that a local administrator in the branch office can perform tasks such as installing updates. However, this administrator will have no permissions in the rest of the domain or on other domain controllers.
- You can configure the RODC to cache no passwords or to cache the passwords only of specific personnel who will log on to the domain controller. This limits the exposure of user passwords if the RODC is compromised.
- By deploying an RODC on a computer running Server Core, you add an additional level of security by removing most of the administration tools that are used to manage Active Directory.

References:
- AD DS: Read-Only Domain Controllers: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
- Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Preparing to Install the RODC

Slide content:
Before installing an RODC:
- Ensure that the domain and forest are at the Windows Server 2003 functional level
- Ensure that a writable domain controller running Windows Server 2008 is available to replicate the domain partition
- Run ADPrep /rodcprep to enable the RODC to replicate DNS partitions
- Run ADPrep /domainprep in all domains if the RODC will be a global catalog server

Instructor notes:
The forest functional level must be Windows Server 2003 so that linked-value replication is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 so that Kerberos constrained delegation is available.
Stress that although an RODC can replicate changes to the schema, configuration, and any application partitions from a Windows Server 2003 domain controller, it can replicate changes to the domain partition only from a Windows Server 2008 domain controller.
Mention that although you can install an RODC in a forest that is configured at the Windows Server 2003 functional level, it is a better practice to raise the functional level to Windows Server 2008 before installing RODCs.

References:
- AD DS Help: Delegate read-only domain controller installation and administration
- AD DS: Read-Only Domain Controllers: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
- Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
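As an added example that is not part of the course materials, this PowerShell script checks the RODC prerequisites listed above against the live forest, and in doing so also shows where the domain and forest functional levels from the earlier functional-levels topic are actually stored: RootDSE exposes them as the integers domainFunctionality and forestFunctionality. It assumes it is run from a domain-joined computer that can reach a domain controller over LDAP; the level-number mapping, the ActiveDirectoryRodcUpdate object created by adprep /rodcprep, and the primary group IDs 516 (Domain Controllers) and 521 (Read-only Domain Controllers) are standard AD DS values, while the output property names are the script's own.

```powershell
# Added example (not course code): report whether the forest is ready for an RODC.
# Runs from any domain-joined computer with PowerShell; everything is discovered from RootDSE.

function Get-AdRodcReadiness {
    $root     = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$root.defaultNamingContext
    $configNc = [string]$root.configurationNamingContext

    # RootDSE reports the functional levels as integers (absent on Windows 2000 DCs, read as 0):
    # 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008
    $levelNames  = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                      2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }
    $domainLevel = [int][string]$root.domainFunctionality
    $forestLevel = [int][string]$root.forestFunctionality

    # adprep /rodcprep creates this object in the Configuration partition; its presence
    # is the simplest sign that the forest has been prepared for RODCs.
    $rodcPrepDone = [ADSI]::Exists("LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc")

    # An RODC replicates the domain partition only from a writable Windows Server 2008 DC.
    # Writable DCs have primaryGroupID 516 (Domain Controllers); RODCs have 521.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainNc"
    $searcher.Filter = '(&(objectCategory=computer)(primaryGroupID=516)(operatingSystem=Windows Server 2008*))'
    [void]$searcher.PropertiesToLoad.Add('name')
    $writable2008 = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] })

    $levelsOk = ($domainLevel -ge 2 -and $forestLevel -ge 2)
    New-Object PSObject -Property @{
        DomainFunctionalLevel = $levelNames[$domainLevel]
        ForestFunctionalLevel = $levelNames[$forestLevel]
        LevelsAtLeast2003     = $levelsOk
        RodcPrepCompleted     = $rodcPrepDone
        Writable2008DCs       = $writable2008
        ReadyForRodc          = ($levelsOk -and $rodcPrepDone -and $writable2008.Count -gt 0)
    }
}

Get-AdRodcReadiness | Format-List
```

If ReadyForRodc is False, the other properties say which of the three slide prerequisites is missing: raise the functional level with Active Directory Domains and Trusts, run adprep /rodcprep, or install a writable Windows Server 2008 domain controller first.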
Installing the RODC

Slide content:
1. Choose the option to install an additional domain controller in an existing domain
2. Select the option to install an RODC in the Active Directory Domain Services Installation Wizard
3. Choose advanced mode installation if you want to configure the password replication policy
To install an RODC on a Server Core installation, use an unattended installation file with the ReplicaOrNewDomain=ReadOnlyReplica value.

Instructor notes:
Mention that password replication is covered in a later topic. When installing an RODC using an unattend file, you can specify additional settings in the file, such as which passwords will be cached on the server and which domain controller will operate as the replication source. However, only the ReplicaOrNewDomain=ReadOnlyReplica setting is required.

References:
- AD DS Help: Delegate read-only domain controller installation and administration
- Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
Delegating the RODC Installation

Slide content:
To delegate the installation of an RODC:
1. Pre-create the RODC computer account in the Domain Controllers container
2. Assign a user or group with permission to install the RODC
3. To complete a delegated RODC installation, run DCPromo with the /UseExistingAccount:Attach switch

Instructor notes:
When you pre-create the RODC computer account and delegate permissions, the Active Directory Domain Services Installation Wizard runs as if you were completing the installation yourself. You can specify the password replication policy and assign the local user or group that will have permission to complete the installation.

References:
- AD DS Help: Delegate read-only domain controller installation and administration
- AD DS: Read-Only Domain Controllers: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
- Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3: http://technet2.microsoft.com/windowsserver2008/en/library/c1f9eb95-563e-40ba-b74a-9113152a59271033.mspx?mfr=true
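The answer file below is an added example, not part of the course materials, covering both the RODC installation topic and the delegated installation above: it is the file the delegated branch administrator uses to attach the branch server to the pre-created RODC account. Because the account was staged by a domain administrator, the site, the DNS and global catalog options, the password replication policy and the delegated administrator are already on that account and are not repeated. contoso.com and the account names are placeholders; the keys are the documented Dcpromo unattended parameters, and the RODC-specific keys named in the trailing comment are the ones used when an RODC is installed directly rather than through a staged account.

```ini
; Added example, not course material: dcpromo answer file that the delegated branch
; administrator uses to finish a staged RODC installation.
; The RODC computer account was pre-created in the Domain Controllers container, so the
; site, DNS/GC options, password replication policy and delegated admin come from that
; account and are not repeated here. Domain name and account names are placeholders.
; Run on the branch server with:  dcpromo /answer:C:\Answer\rodc-attach.txt
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
; attach to the pre-created account instead of creating a new one
; (the same as the /UseExistingAccount:Attach command-line switch)
UseExistingAccount=Attach
; the user or group that was granted permission to complete the installation;
; no Domain Admins membership is needed for this step
UserDomain=contoso.com
UserName=<DELEGATED-BRANCH-ADMIN>
Password=<PASSWORD-PLACEHOLDER>
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>
RebootOnCompletion=Yes
;
; Keys used instead when a domain administrator installs the RODC directly, without a
; staged account: PasswordReplicationAllowed and PasswordReplicationDenied list the
; accounts or groups whose passwords the RODC may, or may never, cache; ReplicationSourceDC
; names the writable Windows Server 2008 DC to replicate the domain partition from; and
; DelegatedAdmin names the branch user or group to make the RODC's local administrator.
```

Keeping the policy on the staged account rather than in the branch file means the branch administrator cannot widen the set of cached passwords during the installation.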
What Are Password Replication Policies?

Slide content:
The password replication policy determines how the RODC performs credential caching for authenticated users. By default, the RODC does not cache any user credentials or computer credentials.
Options for configuring password replication policies:
- No credentials cached
- Enable credential caching on an RODC for specified accounts
- Add users or groups to the Allowed RODC Password Replication Group so credentials are cached on all RODCs

Instructor notes:
Discuss the balance required when designing the RODC password replication policies. Caching no accounts, or very few accounts, may increase the security of the RODC, but it also has the potential to increase user dissatisfaction, because users cannot log on to the domain when the wide area network (WAN) connection between the site with the RODC and a site with a writable domain controller is unavailable.
Discuss the three options:
- No credentials cached. Provides maximum security by requiring access to a writable domain controller for users to log on.
- Enable credential caching on an RODC for specified accounts. Add users or groups in the branch office to the password replication policy.
- Add users and groups from the domain to the Allowed RODC Password Replication Group. This group applies to all RODCs and provides the least security.

Reference:
- AD DS Online Help: Specify Password Replication Policy
Demonstration: Configuring Administrator Role Separation and Password Replication Policies

Slide content:
In this demonstration, you will see how to:
- Configure administrator role separation
- Configure the RODC password replication groups
- Track which users log on to an RODC
- Configure password replication policies for those accounts

Demonstration steps:
To complete this demonstration, you must have the 6425A-NYC-DC1 and 6425A-MIA-RODC virtual machines running.
1. Start the demonstration by showing how to configure administrator role separation. Log on to MIA-RODC as an administrator and use the Dsmgmt tool to add a user account as a local administrator. Then log off and log on to the computer using the user account that you added. Stress that normally, a user account that is not part of an administrative group would not be able to log on interactively on a domain controller. Log off MIA-RODC.
2. To show password replication policies, start by showing the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group. Discuss the implications of adding users or groups to either of the groups. Emphasize that these groups apply to all RODCs in the domain.
3. Next, demonstrate how to track which users have logged on to an RODC. On NYC-DC1, access the properties of MIA-RODC in Active Directory Users and Computers and verify that the account that you added as a local administrator is listed as having logged on to the RODC.
4. Then demonstrate how to configure password replication policies. Start by enabling caching for the local administrator account. Then choose another account and demonstrate how to deny password replication for the account.
5. Finally, access the user properties for the account that you configured as a local administrator on the RODC. Demonstrate how to view user properties to determine which RODCs have cached a copy of the user's credentials.

Review questions
1. What is an alternative way to configure administrator role separation and password replication policies?
Answer: You can configure both of these settings during RODC installation, either when you run the Active Directory Domain Services Installation Wizard on the RODC or when you are staging the computer account for delegated installation.
2. Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts, except for administrators and executives, to be cached on both RODCs?
Answer: Add all user and computer accounts to the Allowed RODC Password Replication Group. You could do this by adding the Domain Users group and the Domain Computers group to the Allowed RODC Password Replication Group. Then add the administrator and executive groups to the Denied RODC Password Replication Group.

Reference:
- AD DS Help: Specify Password Replication Policy
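As an added example that is not part of the course materials, and serving both the password replication policy topic and the demonstration above, this PowerShell script reads the same information the demonstration inspects in the RODC's property pages, straight from the RODC computer object: the Allowed and Denied lists, the accounts that have authenticated through the RODC, and the accounts whose secrets are currently cached. It assumes PowerShell on a domain-joined computer (NYC-DC1 in the lab) and takes the RODC's computer name; MIA-RODC is the course VM name. The four msDS-* attributes are the standard AD DS attributes behind those property pages; the output property names are the script's own.

```powershell
# Added example (not course code): read an RODC's password replication policy and its
# logon/caching bookkeeping through ADSI. Run from any domain-joined computer with PowerShell.

function Get-RodcPasswordReplicationState {
    param([Parameter(Mandatory=$true)][string]$RodcName)   # e.g. 'MIA-RODC'

    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$([string]$root.defaultNamingContext)"
    # primaryGroupID 521 = Read-only Domain Controllers, so a writable DC of the same name is not matched
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$RodcName`$)(primaryGroupID=521))"
    foreach ($attr in 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup',
                      'msDS-AuthenticatedToAccountlist', 'msDS-RevealedUsers') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $rodc = $searcher.FindOne()
    if ($rodc -eq $null) { throw "No read-only domain controller named $RodcName was found" }

    # DirectorySearcher keys loaded properties in lower case and returns multi-valued
    # attributes as a collection; missing attributes come back as an empty collection.
    function Get-Values([string]$name) {
        @($rodc.Properties[$name.ToLower()] | ForEach-Object { [string]$_ })
    }

    # Allowed list (msDS-RevealOnDemandGroup) and Denied list (msDS-NeverRevealGroup) hold the
    # DNs of users, computers or groups; by default they contain the domain-wide Allowed and
    # Denied RODC Password Replication Groups, and Denied wins when an account matches both.
    # msDS-AuthenticatedToAccountlist records accounts that authenticated through this RODC.
    # msDS-RevealedUsers records accounts whose secrets are currently cached, in DN-with-binary
    # form ("B:<len>:<hex>:<DN>"), so the DN is the text after the last ':' in each value.
    New-Object PSObject -Property @{
        Rodc            = $RodcName
        Allowed         = Get-Values 'msDS-RevealOnDemandGroup'
        Denied          = Get-Values 'msDS-NeverRevealGroup'
        AuthenticatedTo = Get-Values 'msDS-AuthenticatedToAccountlist'
        Cached          = @(Get-Values 'msDS-RevealedUsers' |
                            ForEach-Object { $_.Substring($_.LastIndexOf(':') + 1) } |
                            Sort-Object -Unique)
    }
}

Get-RodcPasswordReplicationState -RodcName 'MIA-RODC' | Format-List
```

Comparing Cached against Allowed is the check worth repeating periodically: an account that appears in Cached but is no longer in the Allowed list (or has since been added to Denied) still has its secrets on the branch server until they are explicitly cleared, and an unexpected entry in AuthenticatedTo shows a privileged account logging on at a site where it should not.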
Lesson 3: Configuring AD DS Domain Controller Roles
- What Are Global Catalog Servers?
- Modifying the Global Catalog
- Demonstration: Configuring Global Catalog Servers
- What Are Operations Master Roles?
- Demonstration: Managing Operations Master Roles
- How Windows Time Service Works
What Are Global Catalog Servers?

Slide content:
[Slide diagram labels: Domain; Global Catalog Server; Global Catalog; Query; Result]
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.

Instructor notes:
Stress that global catalog servers must also be domain controllers. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The global catalog provides a resource for searching an Active Directory forest.
By default, only the first domain controller installed in a forest is a global catalog server. In most cases, you should designate at least one global catalog server in each Active Directory site. Client computers must have access to a global catalog server to log on. Therefore, in most cases, you must have at least one global catalog server in every site to take advantage of the benefits of minimizing network traffic that using sites provides.

Reference:
- What Is the Global Catalog?: http://technet2.microsoft.com/windowsserver/en/library/c7ea7ed1-4241-4794-9ce8-471da6a3a7271033.mspx?mfr=true
Modifying the Global Catalog

Slide content:
[Slide diagram: Common attributes: firstName, lastName, email address, accountExpires, distinguishedName. Changed attributes: firstName, lastName, email address, accountExpires, distinguishedName, department. Global Catalog Server: create additional attributes; add only the additional attributes that you query or refer to frequently.]

Instructor notes:
Mention that the global catalog server contains an object's most common attributes for every object in the entire forest. Applications and users can query these attributes. For example, you can find a user by first name, last name, e-mail address, or other common properties of a user account.
To decide whether to add an attribute to a global catalog server, use these considerations:
- Add only attributes that users or applications in your organization frequently query or to which they refer.
- Determine how frequently an attribute is updated during replication. Active Directory replicates all attributes that are stored in the global catalog to every global catalog server in the forest. The smaller the attribute, the lower the impact on replication. If the attribute is large but seldom changes, it has a smaller replication impact than a small attribute that changes often.
Mention that installing some applications, for example Exchange Server, also can make changes to the global catalog. When you install Exchange Server, it adds specific attributes for e-mail to the Active Directory schema and adds attributes to the global catalog.

Reference:
- How the Global Catalog Works (Global Catalog Partial Attribute Set section): http://technet2.microsoft.com/windowsserver/en/library/c7ea7ed1-4241-4794-9ce8-471da6a3a7271033.mspx?mfr=true
Demonstration: Configuring Global Catalog Servers

In this demonstration, you will see how to:
- Configure global catalog servers using Active Directory Sites and Services
- Configure a domain controller on Server Core as a global catalog server
- Add attributes to the global catalog

Demonstration steps
To complete this demonstration, you must have the 6425A-NYC-DC1 and 6425A-NYC-DC2 virtual machines running.
1. Open Active Directory Sites and Services and show how to configure a domain controller as a global catalog server. Mention that you can use the same steps for a domain controller running Server Core by running Active Directory Sites and Services on a computer other than the Server Core computer, or you can enable the global catalog during installation by including the /confirmGC Yes option in the unattended installation file.
2. Show how to register the Active Directory Schema snap-in (Regsvr32 schmmgmt.dll) and then how to add the snap-in to an MMC console.
3. Show how to modify the department attribute so that it is replicated to the global catalog. Mention that to modify the schema, the administrator must be a member of the Schema Admins group.

Discussion questions
1. What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server?
Answer: Answers could include:
- Users cannot log on to the domain in a remote office that contains a domain controller when the network connection to the main office is unavailable.
- Users complain that it takes a long time to log on when they use a user principal name (UPN).
- Global address list lookups are very slow in Microsoft® Office Outlook.
2. What are reasons why you would choose to replicate an attribute to the global catalog?
Answer:
- You are deploying an application that is distributed across multiple domains and that needs to search AD DS based on the attribute.
- You want users to be able to search for specific attributes (such as the Department attribute) across multiple domains.

Reference
To add an attribute to the global catalog: http://technet2.microsoft.com/windowsserver/en/library/42ae2845-a7aa-4f02-8944-175f6541125f1033.mspx?mfr=true
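Added example, not part of the course materials: the same change the demonstration makes with the Active Directory Schema snap-in (listing the partial attribute set and marking the department attribute for global catalog replication), done through ADSI so the instructor can show what the snap-in writes. It assumes a member of Schema Admins runs it on a domain-joined computer; $SchemaMaster is a placeholder for the schema master's DNS name.

```powershell
# Added example, not part of the course materials. Inspects the global catalog
# partial attribute set (PAS) through ADSI and adds one attribute to it.
# Assumptions: run as a member of Schema Admins on a domain-joined computer;
# $SchemaMaster is a placeholder for your schema master's DNS name, because
# schema writes are accepted only by the domain controller holding that role.
$SchemaMaster = "NYC-DC1.WoodgroveBank.com"   # placeholder (course VM name + scenario forest)

$rootDse  = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value

function Get-PartialAttributeSet {
    # Returns the lDAPDisplayName of every attribute currently replicated to the GC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SchemaMaster/$schemaNc"
    $searcher.Filter   = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add("lDAPDisplayName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["ldapdisplayname"][0] } | Sort-Object
}

function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    # Find the attributeSchema object by lDAPDisplayName rather than guessing its CN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SchemaMaster/$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Attribute '$LdapDisplayName' was not found in the schema." }

    $attr = $result.GetDirectoryEntry()
    if ([bool]$attr.isMemberOfPartialAttributeSet.Value) {
        Write-Host "$LdapDisplayName is already in the partial attribute set."
        return
    }
    # This is a schema change: it replicates to every domain controller, and each
    # global catalog server then starts holding a partial replica of the attribute.
    $attr.Put("isMemberOfPartialAttributeSet", $true)
    $attr.SetInfo()
    Write-Host "$LdapDisplayName added to the partial attribute set."
}

# Usage: review what is already in the PAS before adding anything, then add the
# department attribute used in the demonstration.
Get-PartialAttributeSet | Where-Object { $_ -match '^(sn|givenName|mail|accountExpires|department)$' }
Add-AttributeToGlobalCatalog -LdapDisplayName "department"
```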
What Are Operations Master Roles?

Role and description:
- Schema Master (one per forest): Performs all updates to the Active Directory schema
- Domain Naming Master (one per forest): Manages adding and removing all domains and directory partitions
- RID Master (one per domain): Allocates blocks of RIDs to each domain controller in the domain
- PDC Emulator (one per domain): Minimizes replication latency for password changes; synchronizes time on all domain controllers in the domain
- Infrastructure Master (one per domain): Updates object references in its domain that point to objects in another domain

Mention that Active Directory uses operations master roles to perform specific tasks that ensure consistency and eliminate the potential for conflicting entries. Also mention that Active Directory uses multimaster replication, which means that changes can be made on any of a domain's domain controllers. However, multimaster replication also can allow conflicting updates that can lead to problems when data is replicated throughout the domain or forest. Operations masters are designed to prevent conflicting changes.

Stress that some operations master roles are forest-wide and some are domain-wide.

For students who are not familiar with how security identifiers (SIDs) are assigned, you may need to explain that a SID is made up of a domain SID and a relative identifier (RID). To ensure that each security principal in the domain gets a unique SID, one domain controller must be responsible for distributing the RIDs to each domain controller.

The infrastructure master role can be difficult for students to understand. One way to illustrate the role is to use a group that contains a user account from a different domain. When the user account display name is modified in its home domain, the infrastructure master updates the display name in the group membership list.

Avoid spending too much time discussing the design implications of operations master placement. Refer students to Course 2282: Designing a Microsoft® Windows Server 2003 Active Directory® and Network Infrastructure if they want more details on these designs.

Reference
What are Operations Masters? http://technet2.microsoft.com/windowsserver/en/library/42ae2845-a7aa-4f02-8944-175f6541125f1033.mspx?mfr=true
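Added example, not part of the course materials, for the SID and RID explanation above: it splits a principal's SID into the domain SID and the RID, and reads the RID block that the RID master allocated to a given domain controller so students can see the pool being consumed. It assumes a domain-joined computer; the SID below is a constructed sample value and NYC-DC1 is the course VM name.

```powershell
# Added example, not part of the course materials. Shows how a security principal's
# SID decomposes into the domain SID plus a RID, and how much of its current RID
# block a given domain controller has left. Assumptions: run on a domain-joined
# computer; the SID and DC name used at the bottom are constructed sample values.

function Split-Sid {
    param([Parameter(Mandatory=$true)][string]$Sid)
    # A domain SID has the form S-1-5-21-<a>-<b>-<c>. A principal created in that
    # domain gets the domain SID plus one more sub-authority, the RID.
    if ($Sid -notmatch '^(S-1-5-21-\d+-\d+-\d+)-(\d+)$') { throw "Not a domain principal SID: $Sid" }
    New-Object PSObject -Property @{
        DomainSid = $Matches[1]
        Rid       = [uint32]$Matches[2]
        # RIDs below 1000 are reserved for well-known principals (500 = Administrator).
        WellKnown = ([uint32]$Matches[2] -lt 1000)
    }
}

function Get-RidAllocationPool {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    # Each DC records the RID block the RID master gave it in the rIDAllocationPool
    # attribute of its "CN=RID Set" child object: one 64-bit value whose low 32 bits
    # are the first RID of the block and whose high 32 bits are the last RID.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$DomainController`$))"
    $dc = $searcher.FindOne()
    if ($null -eq $dc) { throw "Domain controller $DomainController was not found." }

    $ridSetDn = "CN=RID Set," + $dc.Properties["distinguishedname"][0]
    $ridSet   = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$ridSetDn")
    $ridSet.SearchScope = "Base"
    $ridSet.Filter      = "(objectClass=rIDSet)"
    $props = $ridSet.FindOne().Properties

    $pool  = [int64]$props["ridallocationpool"][0]
    $start = $pool % 4294967296                        # low 32 bits: first RID in the block
    $end   = [int64][math]::Floor($pool / 4294967296)  # high 32 bits: last RID in the block
    # rIDNextRID tracks the DC's position within the block; it is absent until the
    # DC has created its first security principal from the block.
    $next  = if ($props.Contains("ridnextrid")) { [int64]$props["ridnextrid"][0] } else { $start }
    New-Object PSObject -Property @{
        DomainController = $DomainController
        PoolStart = $start; PoolEnd = $end; NextRid = $next
        Remaining = $end - $next   # the DC asks the RID master for a new block as this runs low
    }
}

# Usage with a constructed SID and the course's domain controller name.
Split-Sid -Sid "S-1-5-21-1004336348-1177238915-682003330-1105"
Get-RidAllocationPool -DomainController "NYC-DC1"
```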
Demonstration: Managing Operations Master Roles

In this demonstration, you will see how to:
- Determine which server holds an operations master role
- Move an operations master role
- Seize an operations master role

Demonstration steps
To complete this demonstration, you must have the 6425A-NYC-DC1 and 6425A-NYC-DC2 virtual machines running. You need two domain controllers: one holds the operations master roles, and the other is the target to which the roles are moved.

1. Start the demonstration by showing students how to determine which server holds an operations master role:
- Use Active Directory Users and Computers to show which server holds the domain-wide operations master roles.
- Use Active Directory Domains and Trusts to show which domain controller holds the domain naming master role.
- Use the Active Directory Schema snap-in to show which domain controller holds the schema master role.
2. Show how to move the operations master roles using one of the administration tools. For example, move the RID Master to the second domain controller and then shut down that domain controller.
3. Show how to seize the RID Master role from the shut-down domain controller. Use the following commands in NTDSUtil:
  1. Open a command prompt, and type ntdsutil.
  2. At the Ntdsutil prompt, type roles.
  3. At the Fsmo Maintenance prompt, type connections.
  4. At the Server Connections prompt, type connect to server servername.domainname. The servername is the domain controller to which you want to seize the operations master role. Type quit to return to the Fsmo Maintenance prompt.
  5. At the Fsmo Maintenance prompt, type seize operations_master_role. The operations_master_role is the role you want to seize and can be schema master, domain naming master, infrastructure master, RID master, or PDC.
  6. Accept the warning statement. The server first tries to perform a normal transfer of the operations master role. When that fails because the failed domain controller cannot be contacted, the role is seized.

Discussion questions
1. Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for the domain controller currently holding the role to be repaired?
Answer: This will happen rarely because most of the time the unavailability of a domain controller holding an operations master role does not result in immediate service disruption. You would seize the role only if you needed to perform an action immediately that required the operations master (such as creating a large number of new users while the RID master is unavailable or adding a new domain while the domain naming master is unavailable). In general, you should not seize an operations master role if you plan to repair the failed server that holds the role.
2. You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default?
Answer: RID master, PDC emulator, and Infrastructure master. The forest-wide operations master roles will be held by a domain controller in the forest root domain.

Reference
Managing Operations Master Roles: http://technet2.microsoft.com/windowsserver/en/library/42ae2845-a7aa-4f02-8944-175f6541125f1033.mspx?mfr=true
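Added example, not part of the course materials: it reports all five role holders by reading the directory objects that record them (a cross-check for the three consoles used in step 1), and then gives the interactive ntdsutil steps above as a single command line. It assumes a domain-joined computer in the WoodgroveBank.com forest of the course scenario, with NYC-DC2 as the domain controller that takes the role.

```powershell
# Added example, not part of the course materials. Reports all five operations
# master role holders by reading the objects that record them, then shows the
# ntdsutil steps of the demonstration as one command line. Assumptions: run on a
# domain-joined computer in the WoodgroveBank.com forest of the course scenario;
# NYC-DC2 is the course VM that will take the role.

function Get-OperationsMasterRoles {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = $rootDse.defaultNamingContext.Value
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value
    # Each role is recorded in the fSMORoleOwner attribute of one specific object.
    $roleObjects = @{
        "Schema master"         = $schemaNc                               # forest-wide
        "Domain naming master"  = "CN=Partitions,$configNc"               # forest-wide
        "PDC emulator"          = $domainNc                               # domain-wide
        "RID master"            = "CN=RID Manager`$,CN=System,$domainNc"  # domain-wide
        "Infrastructure master" = "CN=Infrastructure,$domainNc"           # domain-wide
    }
    foreach ($role in $roleObjects.Keys) {
        $ownerDn = ([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner.Value
        # fSMORoleOwner holds the DN of the holder's NTDS Settings object; its parent
        # is the server object, which carries the DNS host name.
        $serverDn = $ownerDn -replace '^CN=NTDS Settings,', ''
        $server   = ([ADSI]"LDAP://$serverDn").dNSHostName.Value
        New-Object PSObject -Property @{ Role = $role; Holder = $server }
    }
}

Get-OperationsMasterRoles | Format-Table Role, Holder -AutoSize

# Steps 1 to 5 of the demonstration as a single command line. "transfer" is the
# normal move; "seize RID master" in its place is the form used when the current
# holder cannot be contacted, and ntdsutil still attempts a transfer first, as
# step 6 describes. ntdsutil asks for confirmation before changing anything.
$target = "NYC-DC2.WoodgroveBank.com"
ntdsutil "roles" "connections" "connect to server $target" "quit" "transfer RID master" "quit" "quit"
```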
How Windows Time Service Works

Slide: Domain controllers, PDC Emulator, Client computers
- The Windows Time service (W32Time) provides network clock synchronization for domain controllers and client computers.
- In a Windows Server 2008 forest, the PDC Emulator is used to provide the authoritative time for all other computers.
- Time synchronization is important because:
  - Kerberos authentication includes a time stamp
  - Replication between domain controllers is time stamped

The Windows Time service is essential to the successful operation of Kerberos authentication and, therefore, to Active Directory-based authentication. Any Kerberos-aware application relies on time synchronization between the computers that participate in the authentication request. If the client's time differs from the domain controller's time by more than five minutes, authentication will fail.

Active Directory domain controllers also must have synchronized clocks to help ensure accurate data replication. One of the criteria for determining which updates need to be replicated is the attribute time stamp. Inconsistent times on domain controllers will result in inconsistent replication.

Mention that a best practice is to configure the PDC emulator to use an external time source. See the resource Configuring a time source for the forest for information on how to do this.

Reference
What Is Windows Time Service?: http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
How Windows Time Service Works: http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
Configuring a time source for the forest: http://technet2.microsoft.com/windowsserver/en/library/8990703a-a197-4717-b6e5-b7406d9f91f01033.mspx?mfr=true
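Added example, not part of the course materials: it applies the best practice above (PDC emulator synchronizing from an external source) and checks a computer's clock offset from the PDC emulator against the five-minute Kerberos limit mentioned in the notes. The NTP peer names are placeholders, and the configuration function is meant to run on the forest root PDC emulator itself.

```powershell
# Added example, not part of the course materials. Applies the best practice above
# (PDC emulator synchronizing from an external source) and checks this computer's
# clock offset from the PDC emulator against the five-minute Kerberos limit.
# Assumptions: the peer names are placeholders to replace with your NTP servers;
# Set-PdcExternalTimeSource must run on the forest root PDC emulator itself.

function Set-PdcExternalTimeSource {
    param([string[]]$Peer = @("ntp1.example.invalid", "ntp2.example.invalid"))  # placeholders
    $peerList = $Peer -join " "
    # /reliable:yes advertises this DC as a reliable time source to the domain hierarchy.
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    w32tm /resync
}

function Test-KerberosClockSkew {
    param([int]$MaxSkewSeconds = 300)    # Kerberos default tolerance: 5 minutes
    # Locate the PDC emulator of the current domain through the .NET AD API.
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    # w32tm /stripchart prints one "hh:mm:ss, +00.0012345s" line per sample.
    $lines = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No offset samples were returned by w32tm for $pdc." }
    $offset = @($offsets)[-1]
    New-Object PSObject -Property @{
        PdcEmulator             = $pdc
        OffsetSeconds           = $offset
        WithinKerberosTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

Test-KerberosClockSkew
```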
Lab: Implementing Read-Only Domain Controllers

Exercises:
- Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
- Exercise 2: Installing and Configuring an RODC
- Exercise 3: Configuring AD DS Domain Controller Roles

In this lab, students will implement Read-Only Domain Controllers.

Lab goal: Implement and configure a read-only domain controller and configure Active Directory server roles.

Main tasks:
- Prepare the forest for an RODC installation
- Determine server readiness for deploying an RODC
- Pre-stage the RODC computer account
- Install an RODC
- Configure the password replication policy and configure local administrators
- Configure AD DS server roles

Scenario: Woodgrove Bank has begun its deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is now preparing to deploy domain controllers in several of the branch offices. The Enterprise Administrator has created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 Server Core in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements.

This lab consists of three exercises.

Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
The student will evaluate forest and server readiness for installing an RODC. The student will prepare the forest for the installation. The student will also examine the configuration of a server running Server Core to ensure that it meets the prerequisites for the RODC installation.

Exercise 2: Installing and Configuring an RODC
The student will install the RODC server role on the computer running Server Core. After the installation is complete, the student will verify that the installation completed successfully, and will also configure the password replication policy for users who log on to the domain controller.

Exercise 3: Configuring AD DS Domain Controller Roles
The student will configure the RODC installed in the previous exercise as a global catalog server, and will also assign operations master roles to an additional domain controller in the domain.

Inputs: Design documentation describing the required RODC deployment
Outputs: Successful installation and configuration of the RODC

Logon information
- Virtual machines: 6425A-NYC-DC1, 6425A-NYC-SVR1, 6425A-NYC-DC2
- User name: Administrator
- Password: Pa$$w0rd

Estimated time: 75 minutes
Lab Review

Lab Review Questions
1. Why did Axel's account not have permission to create any objects in AD DS?
Answer: Axel's account has local administrative permissions on TOR-DC1, so he can open the administrative tools, but he does not have any permissions in AD DS. He has been delegated permissions only for the TOR-DC1 RODC.
2. What were the two connection objects that were created from NYC-DC1 to TOR-DC1? Why was no connection object created from TOR-DC1 to NYC-DC1?
Answer: The two connection objects were for AD DS replication and for DFSR replication. No connection object was created from TOR-DC1 to NYC-DC1 because TOR-DC1 is an RODC. This means that all replication flows in only one direction.
3. Could you have assigned the Domain Naming Master role to TOR-DC1?
Answer: No, because an RODC cannot host any of the operations master roles.
4. What would happen when you add a new attribute to the global catalog?
Answer: First the schema update would need to replicate to all other domain controllers, and then the global catalog would need to be recalculated and replicated to all global catalog servers.
Module Review and Takeaways

Review questions
1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room, so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment?
Answer: You could deploy an RODC on a Windows Server 2008 Server Core computer. This means that the administration tools are not easily available on the server, and even if changes are made to the domain information, the changes will never be replicated to the other domain controllers in the domain.
2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller?
A. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB) free hard disk space, TCP/IP
B. Windows Server 2008 Enterprise Edition, NTFS file system, 500 megabytes (MB) free hard disk space, TCP/IP
C. Windows Server 2008 Server Core Enterprise Edition, NTFS file system, 1 GB free hard disk space, TCP/IP
D. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free hard disk space, TCP/IP
Answer: B, C, and D could all be used as domain controllers.
3. You are deploying an RODC in a branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this. How would you configure the password replication policy?
Answer: You would add all of the users in the branch office to the password replication policy. Ideally, you should do this by adding groups to the policy.
4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process?
Answer: Use NTDSUtil to create the backup media. Copy the installation files to removable media or to a network location. Start the Active Directory Domain Services Installation Wizard on the server. Choose the option to install from media. Specify the location of the installation files on the backup media.
5. Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario.
Answer: Answers will vary. RODCs will most often be deployed in organizations with branch office deployments where the security of the domain controllers cannot be guaranteed.
6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server?
Answer: Answers may vary. If the organization has only a single domain, then you should probably configure the domain controller as a global catalog server. If the organization has multiple domains with thousands of users in each domain, then it would be better to enable universal group membership caching and not configure the domain controller as a global catalog server.
Beta Feedback Tool

The beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations.
- Identify and sort the changes that students request, thereby facilitating a quick team triage.
- Save data to a database in SQL Server that you can later query.

Walkthrough of the tool

Beta Feedback

Overall flow of module:
- Which topics did you think flowed smoothly, from topic to topic?
- Was something taught out of order?

Pacing:
- Were you able to keep up?
- Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to the next topic?
- Did you have ample time to reflect on what you learned?
- Did you have time to formulate and ask questions?

Learner activities:
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?