70-294_AD_Ch02

					                  4-2-1




Chapter 2

IMPLEMENTING ACTIVE
DIRECTORY
                   Chapter 2: IMPLEMENTING ACTIVE DIRECTORY   4-2-2




Learning Objectives
- Upon completion of this lesson, the student will be able to:
  - Understand the requirements for installing an Active Directory directory service.
  - Configure Domain Name System (DNS) for Active Directory.
  - Create a forest and domain structure.
  - Modify the Active Directory schema.
  - Raise the domain and forest functional level.
  - Establish and manage trust relationships.
  - Create or delete a User Principal Name (UPN).



REQUIREMENTS FOR ACTIVE DIRECTORY
- Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter)
  - Cannot use Web Edition for Active Directory
  - Access as a local administrator
  - NT file system (NTFS) partition for Sysvol
  - 200 MB minimum free space
  - Transmission Control Protocol/Internet Protocol (TCP/IP)
  - Domain Name System (DNS) to host service location (SRV) resource records



ACTIVE DIRECTORY INSTALLATION PROCESS
- Complete pre-installation tasks
- Plan and test before you install in a production environment




ACTIVE DIRECTORY INSTALLATION
- DCPROMO or Manage Your Server Web page
- If already a domain controller, DCPROMO allows you to remove Active Directory
- Operating system compatibility issues
  - Microsoft Windows 95
  - Microsoft Windows NT 4, Service Pack 3



ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Domain Controller type
  - Domain controller for a new domain
  - Replica domain controller
- Install in a new or existing forest?
- Install in a new or existing domain tree?
- Use the appropriate names
  - Domain Name System (DNS)
  - Fully Qualified Domain Name (FQDN)
  - NetBIOS



ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Database and Log Folders
- Shared System Volume (Sysvol)
  - %systemroot%\NTDS
  - NTFS required



ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS



DNS REGISTRATION AND DIAGNOSTICS
- If DNS is not detected, you can choose to have it installed and configured automatically. Otherwise, you must install and configure it manually.
- SRV resource records required
- Dynamic updates highly recommended
- Incremental zone transfers recommended




PERMISSIONS
- Pre–Windows 2000
- Windows Server 2003



ACTIVE DIRECTORY INSTALLATION WIZARD OPTIONS
- Directory Services Restore Mode Administrator password
  - Password used to enter Directory Services Restore Mode
  - Required for Active Directory maintenance
- Completing the Active Directory installation
  - Confirm your configuration
  - Restart your new domain controller




VERIFY AND FINALIZE DNS
- Application directory partition creation
  - DomainDNSZones
  - ForestDNSZones
- Automatically created when Active Directory–integrated DNS is used
- Can be managed only by Enterprise Admins
- Aging and scavenging options
- Forward lookup zones and SRV resource records



DNS UPDATES AND RECORD STORAGE
- Dynamic updates
  - Secure only
  - Nonsecure and secure
  - None
- Store the zone in Active Directory, known as Active Directory–integrated
- Reverse lookup zones
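Exercise 2-2 and the two DNS slides above ask you to confirm that the domain's SRV records were registered and that the zone only accepts safe updates. The following PowerShell script is an added example, not part of the course material: it resolves the SRV records a domain controller registers and reports the zone's dynamic-update setting. The domain name contoso.com, the server address, and the use of the DnsClient and DnsServer modules (Windows Server 2012 or later) are assumptions.

```powershell
# Added example, not from the course slides. Verifies the SRV records that a
# domain controller registers for the domain and reports the zone's dynamic
# update setting. Assumes the DnsClient module (Windows 8 / Server 2012+) and,
# for the zone check, the DnsServer module run against a server hosting the zone.
param(
    [string]$Domain    = "contoso.com",   # assumed domain name; change to yours
    [string]$DnsServer = "127.0.0.1"      # DNS server to query (a local DC here)
)

# SRV records netlogon registers on promotion. _gc._tcp lives under the forest
# root domain name, so drop it from the list when checking a child domain.
$expected = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

$missing = @()
foreach ($name in $expected) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $rr = $null   # NXDOMAIN or server unreachable: treat as missing
    }
    if (-not $rr) { $missing += $name; continue }
    foreach ($r in $rr) {
        "{0,-38} -> {1}:{2} (priority {3}, weight {4})" -f $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
    }
}
if ($missing) { Write-Warning ("SRV records not found: " + ($missing -join ', ')) }

# Zone check. 'Secure' accepts updates only from authenticated computers and is
# available only for Active Directory-integrated zones; 'NonsecureAndSecure'
# lets any host on the network overwrite records, including the SRV records above.
$zone = Get-DnsServerZone -Name $Domain -ComputerName $DnsServer
"Zone {0}: AD-integrated={1}, DynamicUpdate={2}" -f $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $Domain is not set to secure-only dynamic updates"
}
```

Run it on the new domain controller after the post-promotion restart; a missing _ldap._tcp.dc._msdcs record means clients cannot locate the DC even though DCPROMO completed.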




REPLICA DOMAIN CONTROLLER
- Provides load balancing and fault tolerance
  - If one domain controller fails, there is another holding the Active Directory records
  - Clients can use either domain controller for authentication
- DNS fault tolerance
  - If Active Directory–integrated, the records are automatically copied to other domain controllers
  - If not Active Directory–integrated, you can use a secondary zone for fault tolerance of records




REPLICA DOMAIN CONTROLLER
- DNS load balancing
  - Install the DNS service on an additional server
  - Configure client computers to use the new server as their Preferred DNS server




SCHEMA MODIFICATION
- Some applications modify the schema
  - Examples include e-mail programs, backup programs, and directory integration software
  - Must be a member of Schema Admins to install these applications or to manually modify the schema
- Schema changes trigger replication to all domain controllers in the forest
- Default system classes cannot be modified
- Class and attribute changes cannot be removed, but can be deactivated



RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS
- Once complete, cannot be undone without a reinstall
- Each domain functional level can be raised independently of other domains
- Forest functional levels can be raised only when all domains are at Windows 2000 native or higher
- Domain Admins membership required to raise the domain functional level
- Enterprise Admins membership required to raise the forest functional level



ESTABLISHING AND MAINTAINING TRUSTS
- Shortcut trust
  - Used to improve resource access
  - Reduces the length of the trust path
  - Transitive
- Cross-forest trust
  - Initially one-way; can create two one-way trusts to provide access in either direction
  - Available only to Windows Server 2003 forests
  - Transitive



ESTABLISHING AND MAINTAINING TRUSTS
- External
  - Can be used for Windows NT Server 4.0 and Windows 2000 domain trusts
  - Not transitive
- Realm
  - Used between third-party Kerberos implementations
  - Not transitive




MANAGING TRUSTS
- Verifying trusts
  - Active Directory Domains And Trusts
  - netdom trust domain1 /d:contoso /verify
- Revoking trust relationships
  - Active Directory Domains And Trusts
  - netdom trust domain1 /d:contoso /remove
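To tie the netdom verification on this slide to the four trust types from the previous two slides, the following PowerShell script is an added example, not course material: it enumerates the local domain's trusts with Get-ADTrust, labels each with the chapter's trust type, and runs the slide's netdom /verify against it. The Get-TrustKind function and its mapping rules are my own, and the ActiveDirectory module (RSAT), netdom.exe and Domain Admins rights are assumed.

```powershell
# Added example, not from the course slides. Lists the trusts of the local
# domain, maps each to the trust types covered in this chapter, and runs the
# slide's netdom verification for each. Assumes the ActiveDirectory module
# (RSAT) and netdom.exe on the machine, and Domain Admins rights.
Import-Module ActiveDirectory
$localDomain = (Get-ADDomain).DNSRoot

function Get-TrustKind {
    param($Trust)
    # Same categories as the slides: realm (non-Windows Kerberos), shortcut
    # (an extra trust inside the forest), cross-forest, external (NT 4 /
    # Windows 2000 domain). Parent-child and tree-root trusts are automatic.
    if ($Trust.TrustType -eq 'MIT') { return 'Realm (not transitive)' }
    if ($Trust.IntraForest) {
        if ($Trust.IsTreeParent -or $Trust.IsTreeRoot) { return 'Parent-child/tree-root (automatic)' }
        return 'Shortcut (transitive)'
    }
    if ($Trust.ForestTransitive) { return 'Cross-forest (transitive)' }
    return 'External (not transitive)'
}

foreach ($t in Get-ADTrust -Filter *) {
    # netdom trust <trusting domain> /d:<trusted domain> /verify, as on the slide.
    # Direction is reported from the local domain's point of view: Outbound means
    # the local domain trusts the target, so the local domain is the trusting side.
    if ($t.Direction -eq 'Inbound') {
        $trusting = $t.Target; $trusted = $localDomain
    } else {
        $trusting = $localDomain; $trusted = $t.Target
    }
    & netdom trust $trusting "/d:$trusted" /verify 2>&1 | Out-Null
    [pscustomobject]@{
        Target    = $t.Target
        Kind      = Get-TrustKind $t
        Direction = $t.Direction
        Verified  = ($LASTEXITCODE -eq 0)   # netdom returns 0 when the trust checks out
    }
}
```

A trust that reports Verified=False is also the one to revoke (netdom trust ... /remove, as on the slide) if the partner domain no longer exists, so stale trusts do not linger.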




USER PRINCIPAL NAMES
- Allows users to log on without specifying a domain separately
- Can be the user's e-mail address
- By default, the User Principal Name (UPN) suffix is the same as the forest root domain name
- Can add a UPN suffix in Active Directory Domains And Trusts
- Can modify the UPN on a per-user basis




Any Questions




Chapter Summary
- Active Directory requires DNS and SRV resource record support
- Verifying Active Directory installation
- Active Directory partitions
- Schema modification and replication
- Forest and domain functional levels
- Trust types: Shortcut, cross-forest, external, realm




In-Class Lab
- Lab 2 – Installing Active Directory
  - Exercise 2-1: Installing a Forest and Domain
  - Exercise 2-2: Verifying SRV Record Creation
  - Exercise 2-3: Configuring the Even # Computer
  - Exercise 2-4: Installing a Child Domain
  - Exercise 2-5: Verifying Child LDAP SRV Records