Maintaining Active Directory Domain Services

Presentation transcript:

Maintaining Active Directory Domain Services
20411B Module 3: Maintaining Active Directory Domain Services
Presentation: 60 minutes. Lab: 60 minutes.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 20411B_03.pptx.
Important: We recommend that you use Microsoft Office PowerPoint 2007 or a newer version to display the slides for this course. If you use Office PowerPoint Viewer or an earlier version of Office PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.

Module Overview
Managing the AD DS Database

Lesson 1: Overview of AD DS
Understanding AD DS Domain Structure

Overview of AD DS Components
AD DS is composed of both physical and logical components.
Physical components: data store, domain controllers, global catalog server, read-only domain controllers.
Logical components: partitions, schema, domains, domain trees, forests, sites, organizational units.
Notes: Provide an overview of AD DS components. Ensure that this is a high-level overview, simply explaining how the components relate to each other. Both domain and forest/schema structure will be covered in subsequent topics. You may or may not need to cover this content, depending on the knowledge level of your students.

Understanding AD DS Forest and Schema Structure
Diagram: a forest whose forest root domain is adatum.com, with the child domain atl.adatum.com beneath it, and a second tree whose tree root domain is fabrikam.com.
Notes: If required, introduce the concept of AD DS forest and schema. You may or may not need to cover this content, depending on the knowledge level of your students.

Understanding AD DS Domain Structure
- AD DS requires one or more domain controllers.
- All domain controllers hold a copy of the domain database, which is continually synchronized.
- The domain is the context within which users, groups, and computers are created.
- The domain is a replication boundary.
- The domain is an administrative center for configuring and managing objects.
- Any domain controller can authenticate any logon in the domain.
Notes: Introduce the important aspects of an AD DS domain infrastructure to students. You may or may not need to cover this content, depending on the knowledge level of your students.

Lesson 2: Implementing Virtualized Domain Controllers
Managing Virtualized Domain Controllers

Understanding Cloned Virtualized Domain Controllers
Windows Server 2012 provides the following functionality for virtual domain controllers:
- Safe cloning
- Safe snapshot restore
Implementing virtualized domain controllers provides the following benefits:
- Rapid domain controller deployment
- Scalable provisioning of domain controllers
- Quick replacement or recovery of domain controllers
- Easy provisioning of test environments
Notes: Give an overview of virtual domain controllers (VDCs), and introduce the new functionality that enables greater virtual domain controller support in Windows Server 2012. Outline the key benefits that virtualized domain controllers provide.

Deploying a Cloned Virtualized Domain Controller
You can clone an existing virtual domain controller safely by:
- Creating a DcCloneConfig.xml file, and storing it in the AD DS database location
- Taking the VDC offline, and exporting it
- Creating a new virtual machine by importing the exported VDC
Diagram: DcCloneConfig.xml to AD DS database location -> Export the VDC -> Import the VDC.
Notes: Outline the basic process for deploying a cloned VDC.

Managing Virtualized Domain Controllers
To replicate AD DS properly, ensure that:
- A restored virtual domain controller can contact a writeable domain controller
- You do not restore all domain controllers in a domain simultaneously
- All changes originating since the last snapshot are replicated, or they will be lost
Considerations for managing snapshots:
- Snapshots do not replace regular backups
- Do not restore snapshots that were taken before the promotion of the domain controller
- Do not host all virtual domain controllers on the same hypervisor
Notes: Take students through snapshot management of virtual domain controllers, and ensure that they observe the facets that they need to consider.

Lesson 3: Implementing Read-Only Domain Controllers
Managing Local Administration for RODCs

Considerations for Implementing RODCs
RODCs provide several important functions:
- Credential caching
- Administrative role separation
- Read-only DNS
To deploy an RODC:
- Ensure there is no computer account in AD DS for the new RODC
- Precreate the RODC account in AD DS in the Domain Controllers container
- Run the AD DS installation wizard on the new RODC
Notes: Provide an overview of RODCs, along with some examples of where you should implement them. Highlight the key aspects of functionality that an RODC provides. Guide the students through the process of preparing for, and deploying, an RODC.

Managing RODC Credential Caching
Credential caching is managed through Password Replication Policies.
Password Replication Policies:
- Determine which credentials to cache on an RODC (user accounts and computer accounts)
- Contain an allowed list and a denied list (Allowed RODC Password Replication Group and Denied RODC Password Replication Group)
- Do not cache domain administrative accounts
Notes: Explain to students how each RODC's PRP controls credential caching for RODCs. Also, explain the domain-based groups that control which accounts are globally allowed or denied the ability to have credentials cached on all RODCs. Ensure that students understand the implications of caching domain administrative accounts and how this undermines the purpose of an RODC.
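The slide's point that domain administrative accounts must never be cached on an RODC is something an administrator should be able to verify, not just assert. The following PowerShell is an added example, not part of the 20411B course material: it reads one RODC's Password Replication Policy with the Active Directory module, lists the accounts whose secrets are already present on the RODC, and flags privileged accounts that are cached or that the allowed list would permit. The RODC name LON-RODC1 and the list of privileged groups are assumptions for this example.

```powershell
# Added example (not from the course): audit an RODC's Password Replication Policy.
# Assumes the Active Directory module; LON-RODC1 is a hypothetical RODC name.
Import-Module ActiveDirectory

function Test-RodcPasswordReplicationPolicy {
    param(
        [Parameter(Mandatory)] [string] $RodcName,
        # Groups whose members should never have secrets cached on an RODC (constructed list;
        # the built-in Denied RODC Password Replication Group already covers most of them).
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                         'Administrators', 'Account Operators', 'Server Operators')
    )

    # The RODC's own allowed and denied lists
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied)

    # Accounts whose password secrets are physically stored on this RODC right now
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)

    # Expand the privileged groups to member DNs so nested membership is caught
    $privilegedDns = @(foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    })

    $findings = New-Object System.Collections.Generic.List[object]

    # A privileged secret already on the RODC: loss of the RODC now exposes that credential
    foreach ($acct in $revealed) {
        if ($privilegedDns -contains $acct.DistinguishedName) {
            $findings.Add([pscustomobject]@{
                Severity  = 'High'
                Principal = $acct.SamAccountName
                Issue     = 'Privileged account secret is cached on the RODC'
            })
        }
    }

    # A privileged group or member on the allowed list; the denied list takes precedence,
    # so each of these needs a check that a denied entry really covers it
    foreach ($entry in $allowed) {
        if (($PrivilegedGroups -contains $entry.Name) -or ($privilegedDns -contains $entry.DistinguishedName)) {
            $findings.Add([pscustomobject]@{
                Severity  = 'Medium'
                Principal = $entry.Name
                Issue     = 'Privileged principal is on the allowed list; confirm the denied list covers it'
            })
        }
    }

    [pscustomobject]@{
        Rodc          = $RodcName
        AllowedList   = $allowed.Name
        DeniedList    = $denied.Name
        CachedSecrets = $revealed.Count
        Findings      = $findings
    }
}

# Usage, from a writable DC or a workstation with RSAT:
# Test-RodcPasswordReplicationPolicy -RodcName 'LON-RODC1' | Format-List
```

Run this after every change to the allowed list and periodically thereafter: the RevealedAccounts list grows as branch users authenticate, so a one-time review of the policy is not the same as a review of what the RODC actually holds.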

Managing Local Administration for RODCs
- Delegate RODC administration to local administrators
- Set a single security principal (a user or a group) as an administrator
- Enable by using one of the following methods: the Managed By tab of the RODC computer account, dsmgmt, or ntdsutil
- Cache the credentials of delegated administrators
Notes: Explain the reason for local administration of an RODC, and how you configure it.

Lesson 4: Administering AD DS
Managing AD DS Backup and Recovery

Overview of the Active Directory Administration Snap-ins
Active Directory administration snap-ins consist of four different MMC consoles:
- Active Directory Users and Computers
- Active Directory Sites and Services
- Active Directory Domains and Trusts
- Active Directory Schema
Notes: Introduce the four management snap-ins for Active Directory.

Overview of the Active Directory Administrative Center
Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell.

Overview of the Active Directory Module for Windows PowerShell
The Active Directory module for Windows PowerShell provides full administrative functionality in these areas:
- User management
- Computer management
- Group management
- OU management
- Password policy management
- Searching and modifying objects
- Forest and domain management
- Domain controller and operations master management
- Managed service account management
- Site replication management
- Central access and claims management
Notes: Introduce the Active Directory module for Windows PowerShell. Explain the functionality contained in the module and its capabilities for AD DS management. Point out the new sets of cmdlets for site replication, and central access and claims management.

Demonstration: Managing AD DS by Using Management Tools
In this demonstration, you will see how to:
- Create objects in Active Directory Users and Computers
- View object attributes in Active Directory Users and Computers
- Navigate within Active Directory Administrative Center
- Perform an administrative task in Active Directory Administrative Center
- Use the Windows PowerShell History Viewer in Active Directory Administrative Center
- Manage AD DS objects with Windows PowerShell

Preparation Steps
You require the 20411B-LON-DC1 virtual machine. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps

Active Directory Users and Computers

View objects
On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, double-click the Adatum.com domain.
Double-click the Computers container to see the computer objects in the container.
Double-click the Research OU. Note the User and Group objects within the Research OU.

Refresh the view
Right-click the Adatum.com domain, and then click Refresh.
In the toolbar, click the white and green Refresh icon.

Create objects
Right-click the Computers container, click New, and then click Computer.
In the Computer name field, type LON-CL4, and then click OK.

Configure object attributes
In Active Directory Users and Computers, click the Computers container.
Right-click LON-CL4, and then click Properties.
In the LON-CL4 Properties window, click the Member Of tab.

Configure object attributes (continued)
On the Member Of tab, click Add, type Research, and then click OK.
Click OK to close the LON-CL4 Properties window.

View all object attributes
In Active Directory Users and Computers, in the menu toolbar, click View, and then click Advanced Features.
Click the Computers container, right-click LON-CL4, and then click Properties.
Click the Attribute Editor tab, and then scroll through the Attributes list.
Click Cancel.

Active Directory Administrative Center

Navigation
On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
Click Adatum (local), click Dynamic Access Control, and then click Global Search.
In the navigation pane, click the tab for Tree View.
Double-click Adatum (local) to expand the Adatum.com domain.

Perform administrative tasks
In Active Directory Administrative Center, click Overview.
In the Reset Password section, in the User name field, type Adatum\Adam.
In the Password and Confirm password fields, type Pa$$w0rd.
Clear the check box for User must change password at next log on, and then click Apply.
In the Global Search section, type Rex in the Search field, and then press Enter.

Use the Windows PowerShell History Viewer
In Active Directory Administrative Center, click the Windows PowerShell History toolbar at the bottom of the screen.
View the details for the Set-ADAccountPassword cmdlet used to perform the most recent task.
On LON-DC1, close all open windows.

Windows PowerShell

Create a group
In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
At the PowerShell prompt, type the following, and then press Enter:

New-ADGroup -Name "SalesManagers" -GroupCategory Security -GroupScope Global -DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"

In Server Manager, click Tools, and then click Active Directory Administrative Center.
In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane, scroll down, and double-click the Users container.
Confirm that the SalesManagers group is present in the Users container.

Move an object to a new OU
Switch to the PowerShell prompt.
At the PowerShell prompt, type the following command, and then press Enter:

Move-ADObject "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath "OU=Sales,DC=Adatum,DC=com"

Switch to Active Directory Administrative Center.
In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane, scroll down and double-click the Sales OU.
Confirm that the SalesManagers group has been moved to the Sales OU.

Managing Operations Master Roles
Operations master roles are assigned to the domain controller responsible for performing a specific task on the forest or domain.
Forest-wide operations master roles:
- Domain Naming Master
- Schema Master
Domain-wide operations master roles:
- RID Master
- Infrastructure Master
- PDC Emulator
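The slide names the five roles but not how to find out who holds them or whether the holders are healthy. The following PowerShell is an added example, not part of the course: it reads the forest-wide holders from Get-ADForest and the domain-wide holders from Get-ADDomain, then checks that each holder is still a domain controller object and reachable, and warns about the one common placement mistake (an Infrastructure Master that is also a global catalog in a multi-domain forest where not every DC is a GC). It assumes the Active Directory module and runs against the domain you are signed in to unless you pass -Domain.

```powershell
# Added example (not from the course): inventory and health-check the operations master roles.
# Assumes the Active Directory module is available.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain-wide roles from the domain object
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    $multiDomainForest = @($forest.Domains).Count -gt 1
    # The Infrastructure Master may be a GC only if every DC in the domain is a GC
    $allDcsAreGc = @(Get-ADDomainController -Filter * -Server $Domain |
                     Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    foreach ($role in $roles.GetEnumerator()) {
        $holder = $role.Value
        $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        # An unreachable holder blocks whatever depends on the role (RID pool requests,
        # schema changes, domain additions, password-change forwarding, ...)
        $reachable = ($null -ne $dc) -and (Test-Connection -ComputerName $holder -Count 1 -Quiet)

        $warning = $null
        if (-not $reachable) {
            $warning = 'Role holder is not reachable; transfer the role, or seize it only if the holder will never return'
        }
        elseif ($role.Key -eq 'Infrastructure Master' -and $multiDomainForest -and
                $dc.IsGlobalCatalog -and -not $allDcsAreGc) {
            $warning = 'Infrastructure Master is a GC in a multi-domain forest where not all DCs are GCs; cross-domain object references will not be updated'
        }

        [pscustomobject]@{
            Role            = $role.Key
            Holder          = $holder
            Reachable       = $reachable
            IsGlobalCatalog = if ($dc) { $dc.IsGlobalCatalog } else { $null }
            Warning         = $warning
        }
    }
}

# Usage:
# Get-OperationsMasterReport | Format-Table -AutoSize
```

The "seize only if the holder will never return" wording in the warning is deliberate: a seized role holder that later comes back online creates two DCs that both believe they own the role, which is worse than the outage the seizure was meant to fix.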

Managing AD DS Backup and Recovery
Non-authoritative (normal) restore:
- Restore the domain controller to a previously known good state
- The domain controller is then updated by standard replication from its partners
Authoritative restore:
- Mark the objects that you want to be authoritative
- The domain controller is updated from its up-to-date partners
- The domain controller sends the authoritative updates to its partners
Full server restore:
- Typically performed in the Windows Recovery Environment
Alternate location restore

Lesson 5: Managing the AD DS Database
Configuring the Active Directory Recycle Bin

Understanding the AD DS Database
The AD DS database holds all domain-based information in four partitions:
- Domain partition
- Configuration partition
- Schema partition
- Application partitions (optional)
Notes: Introduce the key concepts of the AD DS database. It consists of four partitions. It is stored in a database file called NTDS.dit that is located on each domain controller. Changes made to the AD DS database are replicated to all domain controllers.

What Is NTDSUtil?
With NTDSUtil you can:
- Manage and control single master operations
- Perform AD DS database maintenance
- Perform offline defragmentation
- Create and mount snapshots
- Move database files
- Maintain domain controller metadata
- Reset the Directory Services Restore Mode password
Notes: Introduce NTDSUtil and its role in AD DS maintenance.

Understanding Restartable AD DS
- AD DS can be started or stopped by using the Services console
- AD DS can be in three states: AD DS Started, AD DS Stopped, and DSRM (Directory Services Restore Mode)
- It is not possible to perform a system state restore while AD DS is in the Stopped state
Notes: Introduce restartable AD DS, and explain how it saves administrative time when performing AD DS maintenance.

Demonstration: Performing AD DS Database Maintenance
In this demonstration, you will see how to:
- Stop AD DS
- Perform offline defragmentation of the AD DS database
- Check the integrity of the AD DS database
- Start AD DS

Preparation Steps
You require the 20411B-LON-DC1 virtual machine. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps

Stop AD DS
On LON-DC1, on the taskbar, click the Server Manager shortcut.
In Server Manager, click Tools, and then click Services.
In the Services window, right-click Active Directory Domain Services, and then click Stop.
In the Stop Other Services dialog box, click Yes.

Perform an offline defragmentation of the AD DS database
On LON-DC1, on the taskbar, click the Windows PowerShell shortcut.
In the command window, type ntdsutil, and then press Enter.
At the ntdsutil.exe: prompt, type activate instance NTDS, and then press Enter.
At the ntdsutil.exe: prompt, type files, and then press Enter.
At the file maintenance: prompt, type compact to C:\ and then press Enter.

Check the integrity of the offline database
At the file maintenance: prompt, type integrity, and then press Enter.
At the file maintenance: prompt, type quit, and then press Enter.
At the ntdsutil.exe: prompt, type quit, and then press Enter.
Close the command prompt window.

Start AD DS
On the taskbar, click the Server Manager shortcut.
In Server Manager, click Tools, and then click Services.
In the Services window, right-click Active Directory Domain Services, and then click Start.
Confirm that the Status column for Active Directory Domain Services is listed as Running.
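The demonstration stops AD DS, compacts the database into a folder, runs an integrity check and starts AD DS again, but it leaves out the parts that matter on a production domain controller: checking free space first, copying the compacted file back over the live one and deleting the old transaction logs (which ntdsutil tells you to do after compact), and making sure the service comes back even when a step fails. The following PowerShell is an added example, not from the course; it runs the same ntdsutil commands non-interactively with those checks around them. It assumes it is run elevated on the domain controller after a system state backup, that the database sits on the same volume as the hypothetical work folder C:\ADCompact, and that ntdsutil's success messages contain the strings matched below.

```powershell
# Added example (not from the course): scripted offline defragmentation with the checks
# the interactive demonstration leaves to the administrator. Take a backup first.
function Invoke-AdDatabaseCompaction {
    param([string] $WorkFolder = 'C:\ADCompact')   # hypothetical working folder

    # 1. Locate the live database and log folder from the NTDS service parameters
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $params.'DSA Database file'
    $logDir = $params.'Database log files path'

    # 2. Compaction writes a complete copy: require free space of at least 120 % of the file
    $needed = [math]::Ceiling((Get-Item $dbFile).Length * 1.2)
    $drive  = Get-PSDrive -Name $WorkFolder.Substring(0, 1)
    if ($drive.Free -lt $needed) {
        throw "Need at least $([math]::Ceiling($needed / 1MB)) MB free on $($drive.Name): for the compacted copy"
    }
    New-Item -ItemType Directory -Path $WorkFolder -Force | Out-Null

    # 3. Stop AD DS (restartable AD DS); -Force also stops the dependent services that the
    #    Stop Other Services dialog asks about in the demonstration
    Stop-Service -Name NTDS -Force
    try {
        # 4. Offline defragmentation. ntdsutil takes one argument per prompt line, so this is the
        #    demonstration's "activate instance NTDS" / "files" / "compact to ..." without typing.
        $out = & ntdsutil.exe 'activate instance ntds' files "compact to $WorkFolder" quit quit 2>&1
        if (($out -join "`n") -notmatch 'Operation completed successfully') {   # assumed message text
            throw "Compaction failed:`n$($out -join "`n")"
        }

        # 5. Swap in the compacted file, keeping the original until the integrity check passes,
        #    and delete the old transaction logs as ntdsutil instructs after a compact
        $compacted = Join-Path $WorkFolder 'ntds.dit'
        $backup    = "$dbFile.bak"
        Move-Item -Path $dbFile -Destination $backup -Force
        Copy-Item -Path $compacted -Destination $dbFile
        Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item -Force

        # 6. Integrity check of the database that is about to go live
        $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
        if (($check -join "`n") -notmatch 'Integrity check successful') {       # assumed message text
            Move-Item -Path $backup -Destination $dbFile -Force                  # roll back
            throw "Integrity check failed; original database restored:`n$($check -join "`n")"
        }
        Remove-Item -Path $backup -Force
    }
    finally {
        # 7. Always bring AD DS and the services that were stopped with it back up
        Start-Service -Name NTDS
        Get-Service -Name NTDS -DependentServices |
            Where-Object { $_.Status -ne 'Running' } |
            Start-Service -ErrorAction SilentlyContinue
    }
    Get-Service -Name NTDS | Select-Object Name, Status
}

# Usage (elevated, on the domain controller):
# Invoke-AdDatabaseCompaction
```

The try/finally is the important structural choice: the demonstration's manual sequence has no such safety net, and a DC left with AD DS stopped after a failed compact is a longer outage than the fragmentation it was meant to cure.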

Creating AD DS Snapshots
Create a snapshot of Active Directory:
- Use NTDSUtil
Mount the snapshot to a unique port, and expose the snapshot:
- Right-click the root node of Active Directory Users and Computers, and choose Connect to Domain Controller
- Enter serverFQDN:port
View the (read-only) snapshot:
- You cannot directly restore data from the snapshot
Recover data:
- Connect to the mounted snapshot, and export and reimport objects with LDIFDE
- Restore a backup from the same date as the snapshot
- Manually reenter data
Notes: Explain the purpose of AD DS snapshots. Take the students through the process of capturing, mounting, viewing, and unmounting an AD DS snapshot.
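The slide lists the snapshot steps (create with NTDSUtil, mount, expose on a port, browse read-only, unmount) but the actual commands live in ntdsutil's snapshot context and the exposing step uses Dsamain.exe, which the Module Review table names. The following PowerShell is an added example, not from the course: it scripts the whole cycle, parsing the snapshot set GUID and the mount path from ntdsutil's output, exposing the snapshot's ntds.dit with dsamain on a separate LDAP port, and tearing everything down afterwards. It assumes an elevated prompt on the domain controller, that the database is on the C: volume, and that ntdsutil reports the set GUID and mount path in the formats the two regular expressions expect; the port 50000 is an arbitrary choice.

```powershell
# Added example (not from the course): create, mount, expose and unmount an AD DS snapshot.
function New-AdSnapshotSession {
    param([int] $LdapPort = 50000)   # any free port; must differ from 389/636/3268/3269

    # 1. Create a snapshot set; ntdsutil prints its GUID, which we parse out of the output
    $created = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit 2>&1
    $setGuid = [regex]::Match(($created -join "`n"), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $setGuid) { throw "Snapshot creation failed:`n$($created -join "`n")" }

    # 2. Mount it; ntdsutil reports a mount point such as C:\$SNAP_201212121200_VOLUMEC$\
    $mounted   = & ntdsutil.exe 'activate instance ntds' snapshot "mount $setGuid" quit quit 2>&1
    $mountPath = [regex]::Match(($mounted -join "`n"), '[A-Za-z]:\\\$SNAP_[^\s\\]+\\').Value
    if (-not $mountPath) { throw "Snapshot mount failed:`n$($mounted -join "`n")" }

    # 3. The database sits inside the snapshot at the same relative path as the live one
    $liveDb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $snapDb = Join-Path $mountPath $liveDb.Substring(3)   # strip the "C:\" prefix

    # 4. Expose the snapshot read-only on its own LDAP port; dsamain keeps running until stopped
    $dsamain = Start-Process -FilePath dsamain.exe `
        -ArgumentList "-dbpath `"$snapDb`" -ldapPort $LdapPort" -PassThru

    [pscustomobject]@{
        SnapshotSet = $setGuid
        MountPath   = $mountPath
        LdapPort    = $LdapPort
        DsamainPid  = $dsamain.Id
    }
}

function Remove-AdSnapshotSession {
    param([Parameter(Mandatory)] $Session)
    # Stop dsamain first; the snapshot cannot be unmounted while the database is open
    Stop-Process -Id $Session.DsamainPid -Force -ErrorAction SilentlyContinue
    & ntdsutil.exe 'activate instance ntds' snapshot "unmount $($Session.SnapshotSet)" quit quit | Out-Null
}

# Usage: compare an object as it was at snapshot time with the live directory, then clean up.
# $s = New-AdSnapshotSession
# Start-Sleep -Seconds 10                      # give dsamain time to open the database
# Get-ADUser -Identity Adam -Server "localhost:$($s.LdapPort)" -Properties memberOf
# Get-ADUser -Identity Adam -Properties memberOf
# Remove-AdSnapshotSession -Session $s
```

A mounted snapshot is a complete, readable copy of the directory database including password hashes, so treat the mount point and the dsamain port with the same care as the live NTDS folder: mount only for as long as the comparison takes, and unmount (and delete the snapshot set with ntdsutil's snapshot delete) when done.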

Understanding How to Restore Deleted Objects
- Deleted objects are recovered through tombstone reanimation
- When an object is deleted, most of its attributes are cleared
- Authoritative restore requires AD DS downtime
Diagram (object lifecycle): Live -> Delete -> Tombstoned -> Garbage collect -> Physically deleted; a tombstoned object returns to Live through tombstone reanimation or authoritative restore.
Notes: Take the students through the process of restoring AD DS objects (without using Active Directory Recycle Bin).

Configuring the Active Directory Recycle Bin
- Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
- Uses Windows PowerShell with the Active Directory module or the Active Directory Administrative Center to restore objects
Notes: Introduce the Active Directory Recycle Bin, comparing its functionality with reanimating a tombstoned object from AD DS backup. Introduce the new graphical interface provided by Active Directory Administrative Center in Windows Server 2012.
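The slide says the Recycle Bin is enabled and used from the Active Directory module, which is also what Lab Exercise 3 asks for (enable, delete test users, restore them). The following PowerShell is an added example, not part of the course: it checks the forest functional level prerequisite the Module Review mentions, enables the feature, and restores a deleted object by name, handling the case the simple Restore-ADObject call gets wrong, a deleted object whose parent OU was deleted too (the parent has to come back first, or the restore fails). It assumes the Active Directory module and Enterprise Admins rights for the enable step.

```powershell
# Added example (not from the course): enable the Recycle Bin and restore deleted objects,
# restoring a deleted parent container first when necessary.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or higher is required"
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        return 'Recycle Bin is already enabled'
    }
    # Enabling is a one-way change for the forest, so it is an explicit decision
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                             -Target $forest.RootDomain -Confirm:$false
    'Recycle Bin enabled'
}

function Restore-AdDeletedObject {
    param([Parameter(Mandatory)] [string] $Name)

    # Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the original name as a prefix
    $candidates = @(Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$Name*'" `
                      -IncludeDeletedObjects -Properties lastKnownParent, objectClass, whenChanged)
    if ($candidates.Count -eq 0) { throw "No deleted object named '$Name' found" }
    if ($candidates.Count -gt 1) {
        # Same name deleted more than once: make the caller choose by GUID rather than guessing
        $list = $candidates | ForEach-Object { "$($_.Name)  deleted $($_.whenChanged)  $($_.ObjectGUID)" }
        throw "Several deleted objects match '$Name'; restore by ObjectGUID instead:`n$($list -join "`n")"
    }
    Restore-AdDeletedObjectTree -Object $candidates[0]
}

function Restore-AdDeletedObjectTree {
    param([Parameter(Mandatory)] $Object)
    # If the last known parent is itself in the Recycle Bin, restore it first (recursively);
    # Restore-ADObject refuses to put an object under a deleted container
    $parent = Get-ADObject -Identity $Object.lastKnownParent -IncludeDeletedObjects `
                           -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) {
        Restore-AdDeletedObjectTree -Object $parent
    }
    Restore-ADObject -Identity $Object.ObjectGUID
    Get-ADObject -Identity $Object.ObjectGUID | Select-Object Name, ObjectClass, DistinguishedName
}

# Usage, mirroring Lab Exercise 3:
# Enable-AdRecycleBin
# New-ADUser -Name 'Test User 1' -Path 'OU=Sales,DC=Adatum,DC=com'   # constructed test object
# Remove-ADUser -Identity 'Test User 1' -Confirm:$false
# Restore-AdDeletedObject -Name 'Test User 1'
```

Two things the lab does not say out loud: objects deleted before the feature was enabled are not recoverable this way (they are tombstones, not recycled objects, and the tombstone-reanimation path on the previous slide is what remains), and the restore window is the deleted object lifetime, after which a recycled object is garbage-collected just like a tombstone.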

Lab: Maintaining AD DS

Exercise 1: Installing and Configuring a RODC
A. Datum is adding a new branch office. You have been asked to configure a RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.

Exercise 2: Configuring AD DS Snapshots
As part of the overall disaster recovery plan for A. Datum, you have been instructed to test the process for taking Active Directory snapshots and viewing them. If the process is successful, you will schedule them to occur on a regular basis to assist in the recovery of deleted or modified AD DS objects. The main tasks for this exercise are:
- Create a snapshot of AD DS.
- Make a change to AD DS.
- Mount an Active Directory snapshot, and create a new instance.
- Explore a snapshot with Active Directory Users and Computers.

Exercise 3: Configuring the Active Directory Recycle Bin
As part of the disaster recovery plan for AD DS, you need to configure and test the Active Directory Recycle Bin to allow for object and container level recovery. The main tasks for this exercise are:
- Enable the Active Directory Recycle Bin.
- Create and delete test users.
- Restore the deleted users.

Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes

Lab Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and data center in London supports the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure. A. Datum is making several organizational changes that require modifications to the AD DS infrastructure. A new location requires a secure method of providing onsite AD DS, and you have been asked to extend the capabilities of Active Directory Recycle Bin to the entire organization.

Review Questions
Question: Which AD DS objects should have their credentials cached on an RODC located in a remote location?
Answer: Typically, you would cache credentials for the user, service, and computer accounts that are located remotely and that require authentication to AD DS.
Question: What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?
Answer: Active Directory Administrative Center is built on Windows PowerShell, so you can perform tasks on a larger scale with more flexibility. You also can use the Active Directory Administrative Center to administer components like Active Directory Recycle Bin and fine-grained password policies, unlike Active Directory Users and Computers.

Module Review and Takeaways

Best Practice Tools
Tool | Used for | Where to find it
Hyper-V Manager | Managing virtualized hosts on Windows Server 2012 | Server Manager - Tools
Active Directory module for Windows PowerShell | Managing AD DS through scripts and from the command line | Server Manager - Tools
Active Directory Users and Computers | Managing objects in AD DS | Server Manager - Tools
Active Directory Administrative Center | Managing objects in AD DS, enabling and managing the Active Directory Recycle Bin | Server Manager - Tools
Ntdsutil.exe | Managing AD DS snapshots | Command prompt
Dsamain.exe | Mounting AD DS snapshots for browsing | Command prompt

Best Practices for Administering AD DS
- Do not virtualize all domain controllers on the same hypervisor host or server.
- Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. They also will not allow you to recover objects by reverting to an older snapshot.
- Use RODCs when physical security makes a writable domain controller unfeasible.
- Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center for performing large-scale tasks or those tasks that involve multiple objects. You also can use the Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated administrative tasks.
- Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be invaluable in saving time when recovering accidentally deleted objects in AD DS.