Chapter 2: IMPLEMENTING ACTIVE DIRECTORY

LEARNING OBJECTIVES
Upon completion of this lesson, the student will be able to:
- Understand the requirements for installing the Active Directory directory service
- Configure Domain Name System (DNS) for Active Directory
- Create a forest and domain structure
- Modify the Active Directory schema
- Raise the domain and forest functional levels
- Establish and manage trust relationships
- Create or delete a User Principal Name (UPN) suffix

REQUIREMENTS FOR ACTIVE DIRECTORY
- Microsoft Windows Server 2003 (Standard, Enterprise, or Datacenter Edition)
  - Web Edition cannot be promoted to a domain controller
- Local Administrator rights on the server (adding a domain or domain controller to an existing forest also requires Domain Admins or Enterprise Admins credentials for the target domain or forest)
- An NT file system (NTFS) partition for Sysvol
- 200 MB minimum free disk space
- Transmission Control Protocol/Internet Protocol (TCP/IP) configured with a static address
- Domain Name System (DNS) that hosts service location (SRV) resource records

ACTIVE DIRECTORY INSTALLATION PROCESS
- Complete the pre-installation tasks
- Plan and test in a lab before you install in a production environment

ACTIVE DIRECTORY INSTALLATION
- Start the Active Directory Installation Wizard with DCPROMO or from the Manage Your Server page
- If the server is already a domain controller, DCPROMO removes Active Directory instead
- Operating system compatibility issues
  - Windows Server 2003 domain controllers require SMB signing and secure channel signing by default, so computers running Microsoft Windows 95, or Microsoft Windows NT 4.0 with Service Pack 3 or earlier, cannot log on through the new domain controller until they are upgraded (Windows NT 4.0 to Service Pack 4 or later; Windows 95 needs the Active Directory Client Extensions)

ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Domain controller type
  - Domain controller for a new domain
  - Additional (replica) domain controller for an existing domain
- For a new domain: install in a new forest or in an existing forest?
- For a new domain in an existing forest: start a new domain tree or create a child domain in an existing tree?
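The wizard pages above can be answered from a file instead of interactively, which is how the course's lab build (and any repeatable production build) should be done. The following PowerShell script is an added example, not part of the course deck: it performs the requirements checks from the slides, writes a [DCInstall] answer file for the first domain controller of a new forest, and runs dcpromo /answer. The domain names (corp.example.com, CORP), the folder paths, and the answer-file location are assumptions; the key names are those documented for Windows Server 2003 unattended promotion and should be checked against the build you deploy.

```powershell
# Added example (not from the course deck): promote a freshly built Windows
# Server 2003 member server to the first domain controller of a new forest
# without clicking through the wizard. Each wizard page on the slides maps to
# a key in the [DCInstall] section that dcpromo /answer reads.
# Assumed: corp.example.com / CORP, database, logs and Sysvol on the system drive.

$DomainDns  = 'corp.example.com'           # FQDN of the new forest root domain (assumed)
$DomainNetb = 'CORP'                       # NetBIOS name, 15 characters max (assumed)
$DbPath     = "$env:SystemRoot\NTDS"
$LogPath    = "$env:SystemRoot\NTDS"
$SysvolPath = "$env:SystemRoot\SYSVOL"
$AnswerFile = "$env:SystemDrive\dcpromo-answer.txt"   # assumed location

# Pre-installation checks from the requirements slide: Sysvol must sit on NTFS
# and the wizard needs at least 200 MB free.
$sysDrive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
if ($sysDrive.FileSystem -ne 'NTFS') { throw "Sysvol volume must be NTFS, found $($sysDrive.FileSystem)" }
if ($sysDrive.FreeSpace -lt 200MB)   { throw "Need at least 200 MB free on $($env:SystemDrive)" }
if ($DomainNetb.Length -gt 15)       { throw 'NetBIOS domain name longer than 15 characters' }

# Directory Services Restore Mode password: prompt for it rather than hard-coding it.
# dcpromo still needs it in clear text inside the answer file, so the file is
# deleted as soon as promotion finishes (see the finally block).
$secure = Read-Host 'Directory Services Restore Mode Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @"
[DCInstall]
; Domain controller type page: new domain, and that domain starts a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
; Names page: DNS FQDN and NetBIOS name
NewDomainDNSName=$DomainDns
DomainNetBiosName=$DomainNetb
; Database, log and Sysvol folder pages
DatabasePath=$DbPath
LogPath=$LogPath
SYSVOLPath=$SysvolPath
; DNS registration page: let the wizard install and configure DNS on this server
AutoConfigDNS=Yes
; Permissions page: No = permissions compatible only with Windows 2000 /
; Windows Server 2003 (anonymous access to directory data stays denied)
AllowAnonymousAccess=No
; Directory Services Restore Mode password page
SafeModeAdminPassword=$dsrm
; Do not reboot automatically; the script removes the answer file first
RebootOnSuccess=NoAndNoPromptEither
"@

Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
$rc = -1
try {
    # dcpromo is a GUI executable, so wait on the process object for its exit code
    $p = [Diagnostics.Process]::Start("$env:SystemRoot\system32\dcpromo.exe", "/answer:$AnswerFile")
    $p.WaitForExit()
    $rc = $p.ExitCode
} finally {
    # The answer file holds the DSRM password in clear text: never leave it behind.
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}
if ($rc -ne 0) { throw "dcpromo failed with exit code $rc; see $env:SystemRoot\debug\dcpromo.log" }
shutdown.exe /r /t 0 /c "Restarting after promotion to domain controller"
```

For an additional domain controller in an existing domain the same file uses ReplicaOrNewDomain=Replica with ReplicaDomainDNSName, UserName, UserDomain and Password keys instead of the NewDomain keys; the same clean-up of the answer file applies because it then also carries the promoting account's password.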
ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS (CONTINUED)
- Use the appropriate names
  - Domain Name System (DNS) fully qualified domain name (FQDN) of the new domain, for example contoso.com
  - NetBIOS domain name (15 characters or fewer; the wizard proposes the first label of the DNS name)
- Database and log folders: default %systemroot%\NTDS (on busy domain controllers put the database and the logs on separate physical disks)
- Shared system volume (Sysvol): default %systemroot%\SYSVOL; must be on an NTFS partition

DNS REGISTRATION AND DIAGNOSTICS
- The wizard queries the DNS server that is authoritative for the new domain name and checks that it supports SRV resource records and dynamic update
- If no suitable DNS server is detected, you can choose to have the wizard install and configure the DNS service on this server automatically; otherwise you must install and configure DNS manually before the domain controller can register its records
- SRV resource records are required
- Dynamic updates are highly recommended (without them the records that Netlogon writes to %systemroot%\system32\config\netlogon.dns must be entered by hand, and they change whenever a domain controller is added)
- Incremental zone transfers (IXFR) are recommended for standard zones

PERMISSIONS
- Permissions compatible with pre-Windows 2000 server operating systems: adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, so anonymous connections can read user and group information; choose this only if Windows NT 4.0 servers (for example RAS servers) still have to query the domain
- Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems: the secure default; anonymous access to directory data is denied

ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS (CONTINUED)
- Directory Services Restore Mode Administrator password
  - Used to log on locally in Directory Services Restore Mode, when the directory database is offline
  - Required for Active Directory maintenance and restore operations
  - This is a separate local account password, not a domain password; record it securely and rotate it like any other privileged credential
- Completing the Active Directory installation
  - Confirm your configuration on the summary page
  - Restart your new domain controller

VERIFY AND FINALIZE DNS
- Application directory partition creation
  - DomainDnsZones (replicated to every DNS server that is a domain controller in the domain)
  - ForestDnsZones (replicated to every DNS server that is a domain controller in the forest)
  - Created automatically when Active Directory-integrated DNS is used
  - Creating and managing application directory partitions requires Enterprise Admins membership
- Aging and scavenging options (enable them so stale dynamically registered records are removed)
- Forward lookup zones and SRV resource records

DNS UPDATES AND RECORD STORAGE
- Dynamic updates
  - Secure only: only authenticated domain members can create records, and only a record's owner can change it; available only for Active Directory-integrated zones and the recommended setting
  - Nonsecure and secure: any host that can reach the server can add or overwrite any record, including the records that point clients at domain controllers
  - None
- Store the zone in Active Directory (an Active Directory-integrated zone): the zone data replicates with Active Directory to every domain controller that runs DNS, so no zone transfers are needed
- Reverse lookup zones

REPLICA DOMAIN CONTROLLER
- Provides load balancing and fault tolerance
  - If one domain controller fails, another still holds the Active Directory records
  - Clients can use either domain controller for authentication
- DNS fault tolerance
  - If Active Directory-integrated, the
records are automatically replicated to the other domain controllers that run DNS
  - If not Active Directory-integrated, you can host a secondary zone on the additional server for fault tolerance of the records

REPLICA DOMAIN CONTROLLER (CONTINUED)
- DNS load balancing
  - Install the DNS service on the additional server
  - Configure client computers to use the new server as their preferred DNS server (and the original server as the alternate)

SCHEMA MODIFICATION
- Some applications modify the schema; examples include e-mail programs, backup programs, and directory integration software
- You must be a member of Schema Admins to install these applications or to modify the schema manually, and the schema master domain controller must be reachable
- Schema changes replicate to all domain controllers in the forest
- Default system classes cannot be modified
- Classes and attributes, once added, cannot be removed, but they can be deactivated

RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS
- Once raised, a functional level cannot be lowered again without reinstalling the domain or forest
- Each domain functional level can be raised independently of the other domains
- The forest functional level can be raised only when every domain is at Windows 2000 native or higher (all domain controllers in the forest must be running Windows Server 2003)
- Domain Admins membership is required to raise a domain functional level
- Enterprise Admins membership is required to raise the forest functional level

ESTABLISHING AND MAINTAINING TRUSTS
- Shortcut trust
  - Used to speed up resource access between two domains in the same forest
  - Reduces the length of the trust path that Kerberos referrals must follow
  - Transitive
- Forest (cross-forest) trust
  - Can be created as two-way, or as one-way incoming or outgoing; a two-way forest trust is a pair of one-way trusts, and two one-way trusts created separately give the same result
  - Available only between forests at the Windows Server 2003 forest functional level
  - Transitive between the two forests (every domain in one forest trusts every domain in the other), but not beyond them
  - SID filtering is enabled by default on new forest trusts and should stay enabled; selective authentication limits access to users who are explicitly granted it

ESTABLISHING AND MAINTAINING TRUSTS (CONTINUED)
- External trust
  - Used to trust a Windows NT Server 4.0 domain, or a single domain in another Windows 2000 or Windows Server 2003 forest when a forest trust is not possible
  - Not transitive
- Realm trust
  - Used between an Active Directory domain and a non-Windows Kerberos V5 realm (for example MIT Kerberos)
  - Nontransitive by default; can be created as transitive

MANAGING TRUSTS
- Verifying trusts
  - Active Directory Domains And
Trusts (open the properties of the trust and click Validate)
  - netdom trust domain1 /d:contoso /verify (domain1 is the trusting domain, /d: names the trusted domain; add /kerberos to test the Kerberos path as well as the secure channel)
- Revoking trust relationships
  - Active Directory Domains And Trusts
  - netdom trust domain1 /d:contoso /remove (supply /userO: and /passwordO: for the trusting side and /userD: and /passwordD: for the trusted side so both ends of the trust are deleted)

USER PRINCIPAL NAMES
- Lets users log on as user@suffix without specifying a domain separately
- Can be the user's e-mail address
- By default, the UPN suffix offered for an account is the DNS name of the domain that contains it; the forest root domain name is also offered in every domain of the forest
- Alternative UPN suffixes can be added in Active Directory Domains And Trusts (properties of the root node); they are stored on the Partitions container of the forest configuration
- The UPN and its suffix can be changed per user in Active Directory Users And Computers
- UPNs must be unique across the forest; the global catalog resolves them at logon

CHAPTER SUMMARY
- Active Directory requires DNS with SRV resource record support
- Verifying an Active Directory installation
- Active Directory partitions
- Schema modification and replication
- Forest and domain functional levels
- Trust types: shortcut, forest, external, realm

IN-CLASS LAB
Lab 2: Installing Active Directory
- Exercise 2-1: Installing a Forest and Domain
- Exercise 2-2: Verifying SRV Record Creation
- Exercise 2-3: Configuring the Even # Computer
- Exercise 2-4: Installing a Child Domain
- Exercise 2-5: Verifying Child LDAP SRV Records
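The "Verify and finalize DNS" and "DNS updates and record storage" slides, and lab exercises 2-2 and 2-5, come down to a handful of checks on the domain controller's DNS service. The following PowerShell script is an added example, not part of the course deck: it reads every zone through the DNS Server WMI provider (root\MicrosoftDNS) that ships with the Windows Server 2003 DNS service, flags zones that accept nonsecure dynamic updates, are not Active Directory-integrated, or have aging disabled, and then confirms that the SRV records Netlogon must have registered exist. It assumes it runs on the domain controller itself; the domain and forest names are read from the machine, and the dnscmd and nltest commands it prints as remediation are suggestions, not executed.

```powershell
# Added example (not from the course deck): audit DNS zones on a Windows
# Server 2003 domain controller and verify the SRV records it must register.
# Assumed: run locally on the DC as a member of DnsAdmins or Domain Admins.

$ns     = 'root\MicrosoftDNS'
$Domain = (Get-WmiObject Win32_ComputerSystem).Domain                               # e.g. corp.example.com
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name # forest root; _gc records live here

# AllowUpdate values used by the provider: 0 = none, 1 = nonsecure and secure, 2 = secure only
$updateLabel = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$findings = @()
foreach ($zone in Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone) {
    # Skip the root-hints / cache pseudo-zones; every real forward and reverse zone is reported
    if ($zone.Name -eq '.' -or $zone.Name -like '..*') { continue }

    $label = $updateLabel[[int]$zone.AllowUpdate]
    Write-Host ("{0,-40} DS-integrated={1,-5} updates={2,-20} aging={3}" -f `
        $zone.Name, $zone.DsIntegrated, $label, $zone.Aging)

    if ($zone.AllowUpdate -eq 1) {
        # Any host that can reach the server may create or overwrite any record,
        # including the A and SRV records that point clients at domain controllers.
        $findings += "$($zone.Name): accepts nonsecure dynamic updates; fix with: dnscmd . /Config $($zone.Name) /AllowUpdate 2"
    }
    if (-not $zone.DsIntegrated) {
        # Secure-only updates and multi-master replication need an AD-integrated zone.
        $findings += "$($zone.Name): standard (file-backed) zone on a domain controller; if it is a primary, convert with: dnscmd . /ZoneResetType $($zone.Name) /DsPrimary"
    }
    if ($zone.DsIntegrated -and -not $zone.Aging) {
        $findings += "$($zone.Name): aging/scavenging disabled; stale dynamic records will accumulate"
    }
}

# SRV records every domain controller registers through Netlogon (the same names
# appear in %systemroot%\system32\config\netlogon.dns). Missing records mean
# clients cannot locate a DC, the KDC, the password-change service or a global catalog.
$required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Forest"
)
foreach ($name in $required) {
    $recs = @(Get-WmiObject -Namespace $ns -Class MicrosoftDNS_SRVType -Filter "OwnerName='$name'")
    if ($recs.Count -eq 0) {
        $findings += "missing SRV record $name; re-register with: nltest /dsregdns"
    } else {
        foreach ($r in $recs) {
            Write-Host ("SRV {0} -> {1}:{2} (priority {3}, weight {4})" -f `
                $name, $r.SRVDomainName, $r.Port, $r.Priority, $r.Weight)
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No DNS findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

For a child domain (exercise 2-5) run the same script on the child's domain controller: the _msdcs names are built from the child's own DNS name while the _gc record is still looked up under the forest root, which is where global catalog records are registered.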
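The "Managing trusts" and "User principal names" slides describe tasks done in Active Directory Domains And Trusts. The following PowerShell script is an added example, not part of the course deck, that does the same from the command line: it enumerates the current domain's trusts with System.DirectoryServices.ActiveDirectory (.NET Framework 2.0), verifies each one with the netdom command from the slide, warns when SID filtering has been switched off on an external or forest trust, and then reads and changes the forest's UPN suffix list through ADSI. It assumes it runs as a member of Domain Admins (trust checks) and Enterprise Admins (UPN suffix changes); the suffix example.net is an assumption.

```powershell
# Added example (not from the course deck): verify trusts and manage UPN suffixes
# from PowerShell on a Windows Server 2003 domain. Assumed: Domain Admins for the
# trust checks, Enterprise Admins for UPN suffix changes, example.net as new suffix.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# --- Trusts: enumerate, verify with netdom, and confirm SID filtering ---
foreach ($t in $domain.GetAllTrustRelationships()) {
    Write-Host ("{0} -> {1}: type={2} direction={3}" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection)

    # netdom trust <trusting> /d:<trusted> /verify as on the slide; /kerberos also
    # exercises the Kerberos path instead of only the secure channel.
    & netdom trust $t.SourceName "/d:$($t.TargetName)" /verify /kerberos | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Trust $($t.SourceName) -> $($t.TargetName) failed verification (netdom exit code $LASTEXITCODE)"
    }

    # SID filtering (quarantine) stops SIDs injected into sIDHistory on the trusted
    # side from being honoured here. It is on by default for trusts created on
    # Windows Server 2003; warn if it has been turned off.
    if ($t.TrustType -eq 'External' -and -not $domain.GetSidFilteringStatus($t.TargetName)) {
        Write-Warning "SID filtering disabled on external trust to $($t.TargetName); enable with: netdom trust $($t.SourceName) /d:$($t.TargetName) /quarantine:yes"
    }
    elseif ($t.TrustType -eq 'Forest' -and -not $forest.GetSidFilteringStatus($t.TargetName)) {
        Write-Warning "SID filtering disabled on forest trust to $($t.TargetName); enable with: netdom trust $($t.SourceName) /d:$($t.TargetName) /enablesidhistory:no"
    }
}

# --- UPN suffixes: the uPNSuffixes attribute of the Partitions container ---
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]("LDAP://CN=Partitions," + $rootDse.configurationNamingContext)
Write-Host "Forest root domain (offered as a suffix in every domain): $($forest.Name)"
Write-Host 'Alternative UPN suffixes:'
foreach ($s in $partitions.uPNSuffixes) { Write-Host "  $s" }

function Add-UpnSuffix([string]$suffix) {
    # Refuse suffixes that overlap a trusted forest's namespace: name suffix routing
    # across the forest trust could no longer tell which forest owns the logon name.
    foreach ($ft in $forest.GetAllTrustRelationships()) {
        if ($suffix -eq $ft.TargetName -or $suffix.EndsWith(".$($ft.TargetName)")) {
            throw "$suffix overlaps the namespace of trusted forest $($ft.TargetName)"
        }
    }
    # ADS_PROPERTY_APPEND (3) adds to the multi-valued attribute without rewriting it
    $partitions.PutEx(3, 'uPNSuffixes', @($suffix))
    $partitions.SetInfo()
}

function Remove-UpnSuffix([string]$suffix) {
    # Users whose UPN still carries this suffix could no longer log on with it,
    # so refuse to remove it while any such account exists.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(userPrincipalName=*@$suffix)")
    if ($searcher.FindAll().Count -gt 0) { throw "Accounts still use @$suffix; change their UPNs first" }
    # ADS_PROPERTY_DELETE (4) removes just this value
    $partitions.PutEx(4, 'uPNSuffixes', @($suffix))
    $partitions.SetInfo()
}

Add-UpnSuffix 'example.net'   # assumed suffix; users can then log on as alice@example.net
```

The per-user change from the last slide bullet is then a write to the account's userPrincipalName attribute (for example through Active Directory Users And Computers or the same ADSI PutEx/SetInfo pattern); because UPNs are resolved through the global catalog, a duplicate UPN anywhere in the forest breaks logon for both accounts, so keep the suffix list short and the ownership of each suffix clear.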