Introducing Active Directory Domain Services (AD DS): Contents
Module 1
Introducing Active Directory Domain Services
(AD DS)
Contents:
Lesson 1: Introducing Active Directory, Identity, and Access
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Module Overview
Active Directory and its related services form the foundation for enterprise
networks running Windows because, together, they store information about the
identities of users, computers, and services; authenticate a user or computer; and
provide a mechanism with which the user or computer can access resources in
the enterprise. In this module, you will begin your exploration of Windows Server
2008 Active Directory by installing the Active Directory Domain Services (AD DS)
role and creating a domain controller (DC) in a new Active Directory forest. You
will find that Windows Server 2008 continues the evolution of Active Directory by
enhancing many of the concepts and features with which you are familiar from
your experience with Active Directory.
This module focuses on the creation of a new Active Directory forest with a single
domain hosted on a single DC. The Lab in this module will guide you through the creation
of a domain named contoso.com that you will use for all other labs in this course. In
later modules, you will learn to implement other scenarios, including multidomain
forests, upgrades of existing forests to Windows Server 2008, and advanced
installation options.
Most importantly, this module sets the stage for the entire course by presenting a
"big picture" view of Active Directory. You will review key concepts of
authentication, authorization, and directory services, and you will take a high-level
look at the major components of Active Directory and how they fit together.
Whether you are highly experienced with Active Directory or newer to the
platform, this module will equip you with an understanding of where you are
heading in this course.
Objectives
After completing this module, you will be able to:
Lesson 1
Active Directory Domain Services (AD DS) provides the functionality of an identity
and access (IDA) solution for enterprise networks. The lesson reviews key
concepts of IDA and Active Directory.
Objectives
After completing this lesson, you will be able to:
Key Points
If you boil it all down, the job of an information technology (IT) professional (IT
pro) is to connect users with the information they require to get their jobs done.
That would be pretty easy, if we didn't have to worry about a little thing called
"security." Because users require different levels of access to different classes of
information, we must manage associating the correct users with the correct levels
of access: information protection.
The industry defines several approaches to achieving information protection. Each
of these "alphabet soup" frameworks is simply a different perspective on the same
problem:
• IDA: Identity and Access. Users and other security principals (which may
include computers, services, and groups) are represented as identities
(frequently called "accounts") that are given access (permissions) to
information, resources, or systems.
Key Points
And at the core of information protection are two critical concepts: identity and
access, or IDA.
Let's spend a few minutes reviewing the fundamentals, components, processes,
and technologies involved with identity and access on Windows systems. Although
most or all of this information should be familiar to you from your previous
experience with Windows, it is important to set the stage for the role of Active
Directory, and to clarify the terminology, components, and processes involved with
IDA.
In a secured system, each user is represented by an identity. In Windows
systems, the identity is the user account. The accounts for one or more users are
maintained in an identity store, also known as a directory database. An identity is
called a security principal in Windows systems. Security principals are uniquely
identified by an attribute called the security identifier, or SID, which is never
reused even if the account is deleted and re-created with the same name.
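The binary form of a SID is what actually sits in the objectSid attribute and in an access token, so it is worth seeing how the familiar S-1-5-21-... string maps onto it. The following Python is an added example, not part of the course material; the domain SID and the sample accounts in it are constructed.

```python
import struct

# Constructed sample SIDs for this example; the domain portion is made up.
# 512 and 513 are the well-known RIDs of Domain Admins and Domain Users.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SIDS = [
    DOMAIN_SID + "-512",   # Domain Admins
    DOMAIN_SID + "-513",   # Domain Users
    "S-1-1-0",             # Everyone
    "S-1-5-18",            # LocalSystem
]


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID (S-R-A-S1-S2-...) in the binary layout that Windows
    stores in objectSid and in access tokens:
      byte 0     revision (always 1)
      byte 1     number of sub-authorities (at most 15)
      bytes 2-7  48-bit identifier authority, big-endian
      then       each sub-authority as a 32-bit little-endian integer
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range in {sid!r}")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes) -> str:
    """Decode the binary layout back to the S-... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError(f"SID length {len(data)} does not match {count} sub-authorities")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:]) if count else ()
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def split_domain_rid(sid: str):
    """Split a domain-account SID (S-1-5-21-X-Y-Z-RID) into (domain SID, RID).
    Returns None for SIDs that no domain issued, such as S-1-1-0 (Everyone)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return None
    return "-".join(parts[:-1]), int(parts[-1])


def roundtrip_all(sids=SAMPLE_SIDS) -> bool:
    """True if every sample SID survives a string -> binary -> string round trip."""
    return all(bytes_to_sid(sid_to_bytes(s)) == s for s in sids)
```

The length check in bytes_to_sid matters in practice: a SID read from an LDAP search or a raw token buffer should be rejected, not silently truncated, when its sub-authority count does not match the bytes that follow.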
On the other end of the system is the resource to which the user requires access.
The resource is secured with permissions, and each permission specifies a pairing
of a specific level of access with an identity. Many Windows resources, including
and most significantly files and folders on NTFS volumes, are secured by an aptly
named security descriptor that contains a discretionary access control list (DACL) in
which each permission takes the form of an access control entry (ACE).
Key Points
Between the user (security principal) and access to the resource are some
important concepts and processes.
The next four slides will detail this process.
Authentication
Key Points
Authentication is the process of verifying a user's identity. The user supplies
credentials that consist of at least two components: a logon name and a secret
known only to the user and the system, such as a password. The system validates
the accuracy of the credentials presented by the user against those stored as part of
the identity.
There are two types of authentication: local and remote. Local, or interactive, logon
occurs when a user logs on to a computer directly, for example when you log on to
your laptop in the morning. Remote, or network, logon occurs when you connect
to another computer, such as a file server, mail server, or even a domain controller
to retrieve a logon script.
Access Tokens
Key Points
After a user has been authenticated, the Local Security Authority (LSA) generates a
security access token (also called a security token or access token) that represents the
user to the system by collecting the user's SID and the SIDs of all groups to which
the user belongs. The access token also represents privileges (also called user
rights) held by the user on the system, for example the right to shut down the
system or even the right to log on to the system interactively (locally).
It is important to remember that the access token is generated and held locally, on
the computer that authenticated the user. When a user logs on to his or her
desktop (local or interactive logon), the LSA on that computer creates an access token
and, assuming the user has the right to log on to the system interactively, proceeds to
invoke the Windows Explorer process, which creates the desktop.
When a user then connects to a server to access a shared file (remote or network
logon), the server authenticates the user and generates an access token on the
server that represents the user with the user's SID and the SIDs of all groups to
which that user belongs. The access token on the server is distinct from the access
token on the user's desktop. An access token is never transmitted over the
network, and the LSA of a Windows system would never accept the access token
generated by another LSA.
Of course, this should be the case because a user probably belongs to different
local groups on the server than on the user's desktop, and almost certainly holds
different privileges (user rights) on the server than on the desktop.
Key Points
The security descriptor of a secured resource, such as a file or folder on an NTFS
volume, fully describes the security characteristics of the resource. The security
descriptor contains the discretionary access control list (DACL), which contains access
control entries (ACEs or "permissions"). Each permission is made up of a flag that
indicates whether the ACE is an Allow or Deny ACE; a Trustee (the SID of a user or
group); and an access mask specifying a level of access. So the ACE defines who
(the Trustee represented by the SID) can or can't do what (represented by the
access mask).
The security descriptor also contains the system access control list (SACL), which
holds auditing settings, and separate fields that identify the object's owner and
primary group. Because the DACL is the focus of most day-to-day security
management for a resource, the name and acronym are often shortened. Therefore,
the shortened access control list, or ACL, while technically inaccurate, is used by
many administrators and much documentation (including this course) to refer to
the DACL.
Authorization
Key Points
Authorization is the process that determines whether to grant or deny a user a
requested level of access to a resource. An access request is made that indicates the
resource, the level of access, and the security token representing the user. The
security subsystem then walks the ACL of the resource in order, considering only
those ACEs whose trustee SID appears in the security token. A Deny ACE that
covers any requested right not yet granted denies access immediately. An Allow
ACE grants the rights in its access mask, and as soon as every requested right has
been granted the user is allowed access. If the end of the ACL is reached with
requested rights still outstanding, access is denied. Because a properly ordered
(canonical) DACL lists explicit Deny ACEs before explicit Allow ACEs, a Deny
always takes precedence over an Allow for the same right; a DACL that has been
written out of order by a tool or script does not give that guarantee.
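To make the ordering rules concrete, here is an added Python model of the check (it is not code from the course): a token is just the set of SIDs it carries, a DACL is a list of ACEs, and the access-mask constants are the real Win32 file-access bits. The domain SID, the user and group SIDs, and the file's DACL are constructed for the example.

```python
from dataclasses import dataclass

# Real Win32 access-mask bits for files (from winnt.h); everything else in this
# example (SIDs, groups, the file's DACL) is constructed.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
DELETE = 0x00010000

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Ace:
    kind: str            # ALLOW or DENY
    trustee: str         # SID of the user or group the ACE applies to
    mask: int            # access mask: the rights the ACE allows or denies
    inherited: bool = False


def canonicalize(dacl):
    """Order ACEs the way the Windows security editor writes them: explicit
    Deny, explicit Allow, then inherited ACEs (simplified: Windows also orders
    inherited ACEs by the level they were inherited from)."""
    explicit = [a for a in dacl if not a.inherited]
    inherited = [a for a in dacl if a.inherited]
    return ([a for a in explicit if a.kind == DENY]
            + [a for a in explicit if a.kind == ALLOW]
            + inherited)


def access_check(token_sids, dacl, requested):
    """True if a token carrying token_sids is granted every bit of `requested`.
    dacl=None models a NULL DACL (everyone gets full access); an empty list
    grants nothing. The walk mirrors the kernel's AccessCheck."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                       # ACE is about someone else
        if ace.kind == DENY:
            if ace.mask & remaining:       # denies a right still outstanding
                return False
        else:
            remaining &= ~ace.mask         # accumulate granted rights
            if remaining == 0:
                return True
    return remaining == 0                  # end of DACL: anything outstanding means deny


# Constructed domain SID, users and groups.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ALICE, BOB = DOMAIN + "-1105", DOMAIN + "-1106"
DOMAIN_USERS, FINANCE, TEMPS = DOMAIN + "-513", DOMAIN + "-1201", DOMAIN + "-1202"

# Access tokens on the file server: each user's SID plus the SIDs of their groups.
ALICE_TOKEN = {ALICE, DOMAIN_USERS, FINANCE, TEMPS}
BOB_TOKEN = {BOB, DOMAIN_USERS}

# Budget.xlsx: Finance may read and write, Temps are denied write and delete,
# and an ACE inherited from the folder lets Domain Users read and execute.
BUDGET_DACL = canonicalize([
    Ace(ALLOW, FINANCE, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace(DENY, TEMPS, FILE_WRITE_DATA | DELETE),
    Ace(ALLOW, DOMAIN_USERS, FILE_READ_DATA | FILE_EXECUTE, inherited=True),
])


def demo():
    return {
        # read comes from the Finance ACE
        "read": access_check(ALICE_TOKEN, BUDGET_DACL, FILE_READ_DATA),
        # write is denied: Alice is also in Temps and the Deny is evaluated first
        "read_write": access_check(ALICE_TOKEN, BUDGET_DACL, FILE_READ_DATA | FILE_WRITE_DATA),
        # read from Finance plus execute from the inherited Domain Users ACE
        "read_exec": access_check(ALICE_TOKEN, BUDGET_DACL, FILE_READ_DATA | FILE_EXECUTE),
        # explicit Deny on Temps covers DELETE
        "delete": access_check(ALICE_TOKEN, BUDGET_DACL, DELETE),
        # no ACE grants Bob write: implicit deny at the end of the DACL
        "write_bob": access_check(BOB_TOKEN, BUDGET_DACL, FILE_WRITE_DATA),
        # a non-canonical DACL (Allow before Deny) lets the Allow win
        "noncanonical_write": access_check(ALICE_TOKEN, [
            Ace(ALLOW, FINANCE, FILE_READ_DATA | FILE_WRITE_DATA),
            Ace(DENY, TEMPS, FILE_WRITE_DATA | DELETE)], FILE_WRITE_DATA),
        "null_dacl": access_check(ALICE_TOKEN, None, DELETE),
    }
```

The noncanonical_write case is the one to remember when auditing permissions set by scripts rather than by the security editor: the same two ACEs in the wrong order silently invert the outcome.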
Key Points
In a stand-alone configuration of Windows systems, also called a workgroup, each
computer maintains one and only one trusted identity store: a local list of users
and groups stored in the registry called the Security Accounts Manager database, or
SAM.
Because Windows systems are secure, a user cannot even log on to a computer
without a user account on that system. The user must present credentials that are
validated against the identities in the SAM. After a user has been authenticated and
authorized for local logon, the Windows Explorer process is launched, which
generates the familiar Windows desktop.
Key Points
The management and security challenges of a workgroup are solved by
centralizing the identity store so that there is only one identity (user account)
required for any one user: an identity store that is trusted by all computers. This
unit of trusted identity is created by the introduction of an Active Directory domain.
An Active Directory domain provides a centralized identity store trusted by all
domain members, that is, all computers that themselves maintain accounts in the
domain. A domain also provides a centralized authentication service. Both the
identity store (the Active Directory database) and the authentication service, along
with a number of other components and services about which you will learn
throughout this course, are hosted on a server performing the role of a domain controller.
Key Points
As mentioned in the introductions to the module and this lesson, Active Directory
provides the IDA solution for enterprise networks running Windows. IDA is
necessary to maintain the security of enterprise resources such as files, e-mail,
applications, and databases. An IDA infrastructure should do the following:
Each of these services plays a role in extending IDA to support more complex
configurations and scenarios. Again, these details will be provided later in this
module.
Lesson 2
Objectives
After completing this lesson, you will be able to:
Key Points
Active Directory is, in the end, a database of enterprise resources and
configuration. A suite of services support that database and use the information in
the database to provide enterprise identity and access. In database terminology,
each "record" in the Active Directory database is an Active Directory object, such as
a user, group, or computer. Each "field" is an attribute, also called a property, of an
object. Attributes include the object's name, password, description, membership, or
SID.
Security principals, also called accounts, are a specific type of object in AD DS.
Security principals have several unique attributes, the most important of which is
the SID. The SID is used, as you learned in the previous lesson, to assign resource
access to the account.
In the previous lesson, you focused on only one security principal: users. However,
it is easier to manage resource access when you assign permissions to a group, and
there is a class of group object, called a security group, that is also a security
principal. Computers in a domain are also security principals. In fact, a
computer object is very similar to a user object: it has a logon name and password
that the computer uses to authenticate with the domain at startup.
Finally, there is a class of objects called inetOrgPerson. This object class is used in
very specific situations to support interoperability with a handful of third-party
directory services. inetOrgPerson is also a security principal and is, for practical
purposes, very similar to a user account.
The Active Directory database is supported and used by a number of services,
including Kerberos (responsible for authentication), DNS (responsible for name
resolution), and the directory replication agent (DRA), responsible for replicating
the database between domain controllers.
The Active Directory database can be accessed a number of ways, using a variety of
Windows components, tools, and interfaces, or programmatically through APIs, or
using lightweight directory access protocol (LDAP).
Key Points
In this demonstration, your instructor will introduce you to the role and structure
of the schema by giving you a tour of the Active Directory Schema.
The schema is often compared to a blueprint for Active Directory. It defines the
attributes and types of objects that can be stored in the directory. For example, the
fact that Active Directory can have user objects, and that user objects are required
to have a logon name and optionally an e-mail address is all determined by the
schema.
The schema has two primary containers. The Attributes container holds definitions
of every attribute supported by Active Directory. You can open the attributes for
properties with which you are already familiar:
The objectClasses container defines the types of objects that can be instantiated
(created) in the directory, including user and group. Object classes are associated
with attributes defined in the Attributes container. These associations determine
what object classes have which attributes, and which of those attributes are
mandatory for a particular object class.
Demonstration Steps
1.
2.
3. Open the Classes container. While scrolling through, notice familiar object
classes, including user, computer, and group.
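An added example (not part of the course, and not the real schema, which carries far more attributes than shown): a small Python model of how classSchema entries combine through subClassOf and auxiliary classes into the effective mandatory and optional attribute sets, and what it means for a proposed object to violate the schema. The class and attribute names are real lDAPDisplayName values; the subset listed for each class is a constructed simplification.

```python
# A constructed, simplified subset of the AD schema. Class and attribute names
# are real (their lDAPDisplayName), but each real class has many more
# optional attributes than are listed here.
SCHEMA = {
    "top": dict(subClassOf=None, auxiliaryClass=[],
                mustContain=["objectClass", "instanceType",
                             "nTSecurityDescriptor", "objectCategory"],
                mayContain=["description", "displayName"]),
    "person": dict(subClassOf="top", auxiliaryClass=[],
                   mustContain=["cn"], mayContain=["sn", "telephoneNumber"]),
    "organizationalPerson": dict(subClassOf="person", auxiliaryClass=[],
                                 mustContain=[],
                                 mayContain=["givenName", "title", "department"]),
    # securityPrincipal is the auxiliary class that makes an object a security
    # principal: it is what requires an objectSid and a logon name.
    "securityPrincipal": dict(subClassOf="top", auxiliaryClass=[],
                              mustContain=["objectSid", "sAMAccountName"],
                              mayContain=[]),
    "user": dict(subClassOf="organizationalPerson",
                 auxiliaryClass=["securityPrincipal"], mustContain=[],
                 mayContain=["mail", "userPrincipalName", "userAccountControl"]),
    "group": dict(subClassOf="top", auxiliaryClass=["securityPrincipal"],
                  mustContain=["cn", "groupType"], mayContain=["member"]),
}

# Attributes the directory service itself supplies when an object is created,
# so an administrator's add request does not have to carry them.
SYSTEM_SUPPLIED = {"objectClass", "instanceType", "nTSecurityDescriptor",
                   "objectCategory", "objectSid"}


def effective_attributes(class_name):
    """Walk subClassOf up to top, plus every auxiliary class on the way,
    collecting the mandatory and optional attribute sets."""
    must, may, seen = set(), set(), set()
    pending = [class_name]
    while pending:
        name = pending.pop()
        if name is None or name in seen:
            continue
        seen.add(name)
        entry = SCHEMA[name]
        must.update(entry["mustContain"])
        may.update(entry["mayContain"])
        pending.append(entry["subClassOf"])
        pending.extend(entry["auxiliaryClass"])
    return must, may - must


def validate_add(class_name, attrs):
    """Return (missing_mandatory, not_allowed) for a proposed object. Either
    list being non-empty is what a DC reports as an objectClassViolation."""
    must, may = effective_attributes(class_name)
    supplied = set(attrs) | SYSTEM_SUPPLIED
    missing = sorted(must - supplied)
    not_allowed = sorted(set(attrs) - must - may)
    return missing, not_allowed
```

The security-relevant point of the second list is that the schema is a whitelist: an attribute that is not in the class's effective may/must sets cannot be written to that object at all, which is why extending the schema is a forest-wide, irreversible change that deserves review.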
Organizational Units
Key Points
Active Directory is a hierarchical database. Objects in the data store can be
collected in containers. One type of container is the object class called container.
You have seen the default containers, including Users, Computers, and Builtin,
when you open the Active Directory Users and Computers snap-in. Another type of
container is the organizational unit (OU). OUs provide not only a container for
objects, but also a scope with which to manage the objects. That is because OUs
can have objects called Group Policy objects (GPOs) linked to them, whereas the
default containers cannot. GPOs contain configuration settings that are then
applied automatically to the users or computers in an OU.
Policy-Based Management
Key Points
Policy-based administration eases the management burden of even the largest,
most complex networks by providing a single point to configure settings that are
then deployed to multiple systems.
Group Policy allows you to define security settings as well as thousands of
configuration settings for one or more users or computers in your enterprise. For
example, it is Group Policy that defines password and lockout policies for a
domain, specifying minimum password length and password expiration policy.
Group Policy can specify auditing settings, for example to monitor access to folders
on the server, or to watch for changes to security sensitive groups in the Active
Directory, such as Domain Admins. Group Policy can also manage configuration,
for example specifying a Microsoft Internet Explorer home page for a group of
users or preventing users from accessing registry editing tools.
The important concept of Group Policy to understand at this point in the course is
that Group Policy allows you to define configuration in an object called a Group
Policy object (GPO). A GPO can then be scoped (applied) to one or more users or
computers.
Key Points
As mentioned in the previous lesson, AD DS stores its identities in the directory, a
data store hosted on domain controllers. The directory is a single file named
ntds.dit, located by default in the %systemroot%\ntds folder on a domain
controller, alongside its transaction logs.
The database is divided into several partitions, which will be detailed in later
modules. The partitions include:
• DNS: If you use Active Directory-integrated DNS, the DNS zones and resource
records are stored in a partition.
• Partial Attribute Set (PAS): This partition is used by the Global Catalog,
which is detailed in a later topic in this lesson, and in Module 12.
Additional Reading
• You will learn more about the partitions of Active Directory and about SYSVOL
throughout this course. DNS is a focus of Module 10, and the PAS is examined
in detail in Module 12. The contents of SYSVOL are explored in Module 6 and
the objects stored in the Configuration are covered in Module 12. The objects
in the Domain partition are covered in Modules 3-6 and database maintenance
and administration tasks are detailed in Modules 9 and 13.
Domain Controllers
Key Points
Domain controllers, also referred to as DCs, are servers that perform the AD DS
role. As part of that role, they host and replicate the Active Directory database
(NTDS.DIT) and SYSVOL.
DCs also run the Kerberos Key Distribution Center service, which performs
Kerberos authentication, along with other Active Directory services.
Because authentication is so critical to the enterprise, you can imagine that the
best-practice guidance is to have at least two available domain controllers, so that if
clients are unable to access one, they have access to another.
In addition to availability, you must ensure that domain controllers are secure. In
addition to physical security (e.g. placing DCs in secure datacenters), two options
exist to improve the security of domain controllers:
• Server Core: You can install Windows Server 2008 with the Server Core
installation option. This installs a minimal configuration of Windows Server
2008 that features a Command Prompt user interface, rather than Explorer,
and therefore has fewer components to patch and a smaller attack surface.
You will install a Server Core DC in the Lab for Module 11.
Additional Reading
• Domain Controllers are discussed throughout this course, but Modules 11 and
12 are focused specifically on domain controller administration and
placement. Module 9 discusses RODCs.
Domain
Key Points
One or more domain controllers are required to create an Active Directory domain.
A domain is an administrative unit within which certain capabilities and
characteristics are shared. First, all domain controllers replicate the domain
partition of the data store, which contains, among other things, the identity data for
the domain's users, groups, and computers. Because all DCs maintain the same
identity store, any DC can authenticate any identity in a domain.
Additionally, a domain is a scope of administrative policies such as password
complexity and account lockout policies. Such policies configured in one domain
affect all accounts in the domain and do not affect accounts in other domains.
Changes can be made to objects in the Active Directory database by any writable
domain controller, and will replicate to all other domain controllers. Therefore, in
networks where replication of all data between domain controllers cannot be
supported, it may be necessary to implement more than one domain in order to
manage the replication of subsets of identities.
Additional Reading
• You will learn more about domains throughout this course, and Module 14
focuses on the design considerations related to how many domains you
should have in your enterprise.
Replication
Key Points
Replication services distribute directory data across a network. This includes both
the data store itself as well as data required to implement policies and
configuration, including logon scripts (the contents of SYSVOL, which are
replicated by a separate file replication service rather than by directory
replication). As you will learn in Module 12, Active Directory replication is both
efficient and robust.
Active Directory maintains a separate partition of the data store named
Configuration that holds information about network configuration, topology,
and services: the Configuration naming context (NC).
Sites
Key Points
When you consider the network topology of a distributed enterprise, you will
certainly discuss the network's sites. Sites in Active Directory, however, have a very
specific meaning because there is a specific object class called site.
An Active Directory site is an object that represents a portion of the enterprise
within which network connectivity is good. A site creates a boundary of replication
and service utilization.
Domain controllers within a site replicate changes within seconds. Changes are
replicated between sites on a controlled basis with the assumption that intersite
connections are slow, expensive, or unreliable compared to the connections within
a site.
Additionally, clients will prefer to use distributed services provided by servers in
their site, or the closest site. For example, when a user logs on to the domain, the
Windows client first attempts to authenticate with a domain controller in its site.
Only if no domain controller is available in the site will the client attempt to
authenticate with a DC in another site.
Additional Reading
• Active Directory site and subnet objects are the focus of Module 12.
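How a client decides which site it is in, and therefore which DC to prefer, comes down to matching its IP address against the subnet objects and then asking DNS for the site-specific SRV record. The following Python is an added example, not course material: the subnet-to-site table and the DC names are constructed (the domain name follows the page's treyresearch.net), and the site-coverage step the real locator performs when a site has no DC is left out.

```python
import ipaddress

# Constructed site and subnet objects for this example. In AD these live
# under CN=Sites,CN=Configuration,...; each subnet object points at a site.
SUBNETS = {
    "10.0.0.0/8":     "Default-First-Site-Name",
    "10.20.0.0/16":   "Antarctica",
    "10.20.5.0/24":   "Antarctica-Lab",
    "192.168.1.0/24": "Default-First-Site-Name",
}

# Which DCs exist in each site (constructed names).
SITE_DCS = {
    "Default-First-Site-Name": ["hq-dc01.treyresearch.net", "hq-dc02.treyresearch.net"],
    "Antarctica": ["ant-dc01.treyresearch.net"],
    "Antarctica-Lab": [],   # a site with subnets but no DC of its own
}


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client address to a site by longest-prefix match over the
    subnet objects, which is how the DC locator works out a client's site."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def srv_query_names(domain, site=None):
    """The DNS SRV names a client asks for: the site-specific record first so
    that a DC in its own site is preferred, then the domain-wide record."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def choose_dcs(ip, domain="treyresearch.net"):
    """Return (site, candidate DCs). If the client's site has no DC, fall back
    to every DC in the domain; the real locator narrows this to the DCs that
    'cover' the site based on site-link cost, which is omitted here."""
    site = site_for_ip(ip)
    if site and SITE_DCS.get(site):
        return site, list(SITE_DCS[site])
    return site, [dc for dcs in SITE_DCS.values() for dc in dcs]
```

A client whose address is in no subnet object (the 172.16.0.1 case in the test) has no site at all and will authenticate against whichever DC answers the domain-wide query, possibly across the slow link; stale or missing subnet objects are a common cause of that.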
Tree
Key Points
The domain name system (DNS) namespace of domains in a forest creates trees
within the forest. If a domain is a subdomain of another domain in the forest, the
two domains form a tree. For example, if the treyresearch.net forest contains two
domains, treyresearch.net and antarctica.treyresearch.net, those domains constitute
a contiguous portion of the DNS namespace, so they are a single tree. If, on the
other hand, the two domains are treyresearch.net and proseware.com, which are
not contiguous in the DNS namespace, the forest is considered to have two trees.
Trees are the direct result of the DNS names chosen for domains in the forest.
The slide illustrates an Active Directory forest for Trey Research, which maintains a
small operation at a field station in Antarctica. Because the link from Antarctica to
the headquarters is expensive, slow, and unreliable, Antarctica is configured as a
separate domain. The DNS name of the forest is treyresearch.net. The Antarctica
domain is a child domain in the DNS namespace, antarctica.treyresearch.net, so it
is considered a child domain in the domain tree.
The proseware.com domain, because it does not share a contiguous DNS
namespace, is another tree in the same forest.
Additional Reading
• The concepts and design of a multidomain forest are discussed in Module 14.
Forest
Key Points
A forest is a collection of one or more Active Directory domains. The first domain
installed in a forest is called the forest root domain. A forest contains a single
definition of network configuration and a single instance of the directory schema.
In other words, every domain controller in a forest replicates the Configuration
and Schema partitions.
A forest is a single instance of the directory; no data is replicated by Active
Directory outside the boundaries of the forest. Therefore, the forest defines both a
replication boundary and the security boundary: an administrator of any domain
in the forest can, by design, affect the whole forest, so domains alone do not
isolate one administrative group from another.
Additional Reading
• The concepts and design of a multidomain forest are discussed in Module 14.
Key Points
Several components and technologies enable you to query Active Directory and
locate objects in the data store. A partition of the data store called the global catalog
(also known as the partial attribute set) contains information about every object in
the directory. It is a type of index that can be used to locate objects in the directory.
This is particularly important if you are searching for objects in another domain
within a forest. Because the domain controllers in your domain will not contain
information about objects in other domains, you must rely on the global catalog,
which has the indexed, partial attribute set for all objects in other domains.
Functional Level
Key Points
The functionality available in an Active Directory domain or forest depends on its
functional level. The functional level is an AD DS setting that enables advanced
domain-wide or forest-wide AD DS features. There are three domain functional
levels, Windows 2000 native, Windows Server 2003 and Windows Server 2008,
and two forest functional levels, Windows Server 2003 and Windows Server 2008
(a Windows 2000 forest functional level also exists for forests that still contain
Windows 2000 domain controllers).
As you raise the functional level of a domain or forest, features provided by that
version of Windows become available to AD DS. For example, when domain
functional level is raised to Windows Server 2008, a new attribute becomes
available that reveals the last time a user successfully logged onto a computer, the
computer to which the user last logged on, and the number of failed logon
attempts since the last logon. The important thing to know about functional levels
is that they determine the versions of Windows permitted on domain controllers.
Before you raise the domain functional level to Windows Server 2008, all domain
controllers must be running Windows Server 2008.
Key Points
Active Directory and DNS have a very close relationship. First, there is a one-to-one
relationship between a DNS name and an Active Directory domain. Second, there
is a complete reliance on DNS to locate computers and services within the domain.
Third, it is very common to configure domain controllers to also serve as DNS
servers. When you do this, you have the option to store DNS data, called a zone, in
Active Directory itself.
The Active Directory data store can also be used to support applications and
services not directly related to AD DS. Within the database, application partitions
can store data to support applications that require replicated data. The domain
name system (DNS) service on a Windows Server 2008 server can store its
information in a database called an Active Directory integrated zone, which is
maintained as an application partition in AD DS and replicated using Active
Directory replication services.
Trust Relationships
Key Points
At the beginning of this module, you considered the default, stand-alone,
"workgroup" configuration of Windows Server. You then learned that, when a
machine joins a domain, the Local Security Authority of the system begins to trust
the identity store and authentication services provided by the domain. That allows
a user account stored in the domain to be authenticated by the server and granted
access to resources on the server.
The same concept can be extended to other domains. A domain can authenticate
users from another domain and can allow those users to be assigned access to
resources in the domain. This is done by establishing a domain trust relationship.
In a trust relationship, the trusting domain extends its realm of trust so that it
trusts the identity store and authentication services of the trusted domain. User
accounts in the trusted domain can then be authenticated when they access the
trusting domain, and the SIDs of user accounts in the trusted domain can be added
to ACLs in the trusting domain. A trust is a statement about authentication only;
it grants no access by itself, which still requires permissions on each resource.
Within a forest, every domain trusts every other domain through two-way,
transitive trusts that are created automatically. You must manually establish
trust relationships between domains that are in different forests.
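The Tree topic earlier in this lesson and the trust rules just described fit in one small model. The following Python is an added example, not course material: it groups a forest's domains into trees by DNS contiguity and answers whether one domain accepts principals from another. The domain names treyresearch.net, antarctica.treyresearch.net and proseware.com are the page's; fabrikam.com is a constructed name for a domain outside the forest.

```python
class Forest:
    """A forest as a list of domain DNS names (the first is the forest root)
    plus any external trusts to domains outside the forest."""

    def __init__(self, domains, external_trusts=()):
        self.domains = [d.lower() for d in domains]
        self.root = self.domains[0]
        # (trusting, trusted) pairs: one-way and non-transitive, as an external
        # trust is by default. Add both directions to model a two-way trust.
        self.external = {(a.lower(), b.lower()) for a, b in external_trusts}

    def parent(self, domain):
        """The domain's immediate DNS parent, if that parent is in the forest."""
        labels = domain.split(".")
        candidate = ".".join(labels[1:])
        return candidate if candidate in self.domains else None

    def trees(self):
        """Group domains into trees by DNS contiguity: a domain whose DNS parent
        is in the forest joins its parent's tree, otherwise it roots a new tree.
        Returns {tree root: [domains in that tree]}."""
        result = {}
        for domain in self.domains:
            top = domain
            while self.parent(top):
                top = self.parent(top)
            result.setdefault(top, []).append(domain)
        return result

    def trusts(self, trusting, trusted):
        """Does `trusting` accept authentication from, and allow ACL entries
        for, principals of `trusted`?"""
        trusting, trusted = trusting.lower(), trusted.lower()
        if trusting == trusted:
            return True
        if trusting in self.domains and trusted in self.domains:
            return True   # every domain in a forest trusts every other (two-way, transitive)
        return (trusting, trusted) in self.external
```

The two negative cases in the test are the ones that matter for design: an external trust does not flow back in the other direction, and it does not carry over to the other domains of the forest that created it.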
Lesson 3
This lesson discusses how to install Active Directory Domain Services and how to
configure a domain controller.
Objectives
After completing this lesson, you will be able to:
Key Points
Installing Windows Server 2008 is a straightforward process:
1.
2.
The Install Windows wizard appears, shown in the following screen shot:
3. Select the language, regional setting, and keyboard layout that is correct for
your system, and then click Next.
4.
5.
6.
7.
8. On the Where Do You Want to Install Windows? page, select the disk on
which you want to install Windows Server 2008.
If you need to create, delete, extend, or format partitions, or if you need to load
a custom mass storage driver in order to access the disk subsystem, click
Advanced Options.
9. Click Next.
The Installing Windows dialog box appears, shown in the following screen
shot. The window keeps you apprised of the progress of Windows installation.
11. Enter a password for the Administrator account in both the New Password
and Confirm Password boxes, and then press ENTER.
The password must be at least seven characters long and must contain at least
three of the four character types:
• Upper case: A to Z
• Lower case: a to z
• Numeric: 0 to 9
• Non-alphanumeric: symbols such as $, #, @, and !
Key Points
In order to reduce management costs as well as to reduce exposure to security
vulnerabilities, Windows Server 2008 setup installs only the core operating system
components. Unlike previous versions of Windows, the result is a minimal
installation rather than an all-in-one server. Therefore, after installation of
the operating system, you must add the components required for the server based
on the role it will play in your enterprise. Windows Server 2008 functionality is
added as roles and features. The Server Manager console gives you the ability
to add and remove roles. It also exposes the most common administrative snap-ins
based on the server's role.
Key Points
Before you install the AD DS role on a server and promote it to act as a domain
controller, you should plan your Active Directory infrastructure. Among the
information you will need to create a domain controller are:
• The domain's name and DNS name. A domain must have a unique DNS name,
for example contoso.com, as well as a short name, for example CONTOSO,
called a NetBIOS name. NetBIOS is a network protocol that has been used
since the first versions of Windows NT, and is still used by some legacy
applications.
• Whether the domain will need to support domain controllers running
previous versions of Windows. When you create a new Active Directory forest,
you will configure the functional level. If the domain will include only
Windows Server 2008 domain controllers, you can set the functional level
accordingly to benefit from the enhanced features introduced by this version
of Windows.
Additional Reading
This list comprises the settings that you will be prompted to configure when
creating a domain controller. There are a number of additional considerations
regarding the deployment of AD DS in an enterprise setting. See the Windows
Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=168483
for more information.
Key Points
To install and configure a Windows Server 2008 domain controller, you must first
install the AD DS role using Server Manager. Doing so adds the files and registry
components necessary for the server to later become a domain controller. But
adding the role does not actually configure and enable the server as a domain
controller. That step is performed by running the Active Directory Domain
Services Installation Wizard. The AD DS Installation Wizard, also known as
DCPromo because the wizard can be launched using the dcpromo.exe command,
steps you through the process of selecting the deployment configuration, adding
additional domain controller features such as the DNS role, specifying the location
for Active Directory files, and configuring the Directory Services Restore Mode
Administrator Password, a password that is used when restoring Active Directory
from a backup, as you'll learn in Module 13.
Scenario
You have been hired to improve identity and access at Contoso, Ltd. The company
currently has one server in a workgroup configuration. Employees connect to the
server from their personal client computers. In anticipation of near-term growth,
you have been tasked with improving the manageability and security of the
company's resources. You decide to implement an AD DS domain and forest by
promoting the server to a domain controller. You have just finished installing
Windows Server 2008 from the installation DVD.
2.
3.
4.
Change IP configuration.
5.
6.
Start 6425B-HQDC01-D.
Log on with username Administrator and password Pa$$w0rd (where the 0
is a zero).
Using the Initial Configuration Tasks window, change the time zone so that it
is appropriate for your location.
IP Address: 10.0.0.11
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1
Preferred DNS Server: 10.0.0.11
Using the Initial Configuration Tasks window, rename the server to HQDC01.
Do not restart the server.
In the Initial Configuration Tasks window, note the Add roles and Add
features links.
In the next exercise, you will use Server Manager to add roles and features to
HQDC01. These links are another way to perform the same tasks.
By default, the Initial Configuration Tasks window will appear each time you
log on to the server.
2.
Select the Do not show this window at logon check box to prevent the
window from appearing.
If you need to open the Initial Configuration Tasks window in the future, you
do so by running the Oobe.exe command.
3.
4.
5.
Click Yes.
The computer restarts.
Results: After this exercise, you will have a server named HQDC01 in the correct time
zone, with display resolution of at least 1024 x 768, and with the IP configuration
specified in Task 4.
2.
3.
4.
2.
Using Server Manager, add the role, Active Directory Domain Services.
Accept all defaults.
In Server Manager, expand the Roles node in the tree pane, and then select
Active Directory Domain Services.
2.
Click the Run the Active Directory Domain Services Installation Wizard
(dcpromo.exe) link.
The Active Directory Domain Services Installation Wizard appears.
3.
Click Next.
4.
On the Operating System Compatibility page, review the warning about the
default security settings for Windows Server 2008 domain controllers, and
then click Next.
5.
6.
On the Name the Forest Root Domain page, type contoso.com, and then
click Next.
The system performs a check to ensure that the DNS and NetBIOS names are
not already in use on the network.
7.
On the Set Forest Functional Level page, choose Windows Server 2008, and
then click Next.
The Additional Domain Controller Options page appears.
Each of the functional levels is described in the Details box on the page.
Choosing Windows Server 2008 forest functional level ensures that all
domains in the forest operate at the Windows Server 2008 domain functional
level, which enables several new features provided by Windows Server 2008.
In a production environment, you would choose Windows Server 2008 forest
functional level when creating a new forest if you require the features provided
by the Windows Server 2008 domain functional level and if you will not be
adding any domain controllers running operating systems prior to Windows
Server 2008.
DNS Server is selected by default. The Active Directory Domain Services
Installation Wizard will create a DNS infrastructure during AD DS installation.
The first domain controller in a forest must be a global catalog server and
cannot be a read-only domain controller (RODC).
8.
Click Next.
A Static IP assignment warning appears.
Because discussion of IPv6 is beyond the scope of this training kit, you did not
assign a static IPv6 address to the server in Exercise 2. You did assign a static
IPv4 address in Exercise 1, and other labs in this course will use IPv4. You can
therefore ignore this error in the context of the exercise.
9.
Click Yes, the computer will use a dynamically assigned IP address (not
recommended).
A warning appears that informs you that a delegation for the DNS server
cannot be created.
In the context of this exercise, you can ignore this error. Delegations of DNS
domains will be discussed later in this course.
10. Click Yes to close the Active Directory Domain Services Installation Wizard
warning message.
11. On the Location for Database, Log Files, and SYSVOL page, accept the
default locations for the database file, the directory service log files, and the
SYSVOL files, and then click Next.
The best practice in a production environment is to store these files on three
separate volumes that do not contain applications or other files not related to
AD DS. This best practice design improves performance and increases the
efficiency of backup and restore.
12. On the Directory Services Restore Mode Administrator Password page, type
Pa$$w0rd in both the Password and Confirmed Password boxes. Click
Next.
In a production environment, you should use a very strong password for the
Directory Services Restore Mode Administrator Password. Do not forget the
password you assign to the Directory Services Restore Mode Administrator.
13. On the Summary page, review your selections.
If any settings are incorrect, click Back to make modifications.
14. Click Next.
Configuration of AD DS begins. After several minutes of configuration, the
Completing the Active Directory Domain Services Installation Wizard page
appears.
15. Click Finish.
16. Click Restart Now.
The computer restarts.
17. Continue with Task 3 (optional) or skip to Task 4.
2.
Expand the Roles node in the tree pane, and expand the Active Directory
Domain Services node.
3.
4.
5.
6.
7.
2.
Shut down HQDC01 and do not save any changes you made while doing this
lab exercise.
Results: After this exercise, you will have a single-domain forest named contoso.com
with a single domain controller named HQDC01.
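The lab above performs the configuration through Initial Configuration Tasks, Server Manager and the AD DS Installation Wizard. The script below is an added example, not part of the course lab, that drives the same steps from the command line so that each wizard choice is visible as a setting: the static IPv4 configuration from the lab table, the rename to HQDC01, the AD DS role, and an unattended dcpromo run that makes the same choices the wizard steps make (forest root contoso.com, Windows Server 2008 forest and domain functional level, DNS installed, no DNS delegation, default file locations, the lab's Directory Services Restore Mode password). Assumptions not stated in the lab: the adapter is named "Local Area Connection" (the Windows Server 2008 default), the ServerManagerCmd role ID and the [DCInstall] answer-file keys are as documented for Windows Server 2008 dcpromo, and the answer-file path is this script's own choice. Time zone and display resolution are left to the lab steps.

```powershell
# Added example, not part of the course lab: the lab's configuration driven from
# the command line. Assumptions (not stated in the lab): adapter name
# "Local Area Connection", the ADDS-Domain-Controller role ID, and the
# [DCInstall] answer-file keys as documented for Windows Server 2008 dcpromo.
# Verify these against the Windows Server 2008 Technical Library before use.

$Nic        = 'Local Area Connection'    # assumed adapter name
$AnswerFile = 'C:\dcpromo-unattend.txt'  # path chosen for this example

# Task 4 equivalent: the static IPv4 settings from the lab table. The server
# points DNS at itself because the promotion installs DNS on this machine.
function Set-LabIPConfiguration {
    netsh interface ipv4 set address $Nic static 10.0.0.11 255.255.255.0 10.0.0.1
    netsh interface ipv4 set dnsservers $Nic static 10.0.0.11 primary
    netsh interface ipv4 show config $Nic
}

# Rename equivalent (WMI Win32_ComputerSystem.Rename). As in the lab, the new
# name takes effect only after a restart.
function Rename-LabServer {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $result = $cs.Rename('HQDC01')
    if ($result.ReturnValue -ne 0) {
        throw "Rename failed, return code $($result.ReturnValue)"
    }
    'Renamed to HQDC01; restart before running Install-LabForest.'
}

# Exercise 2 equivalent: add the AD DS role, then promote with an answer file.
function Install-LabForest {
    ServerManagerCmd.exe -install ADDS-Domain-Controller
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ServerManagerCmd exited with $LASTEXITCODE; check its result before continuing."
    }

    # Single-quoted here-string: Pa$$w0rd is written literally, not expanded.
    # ForestLevel/DomainLevel 3 = Windows Server 2008; paths are the wizard's
    # defaults that the lab accepts.
    $unattend = @'
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=No
'@
    Set-Content -Path $AnswerFile -Value $unattend -Encoding ASCII

    dcpromo.exe "/unattend:$AnswerFile"

    # The answer file holds the DSRM password in clear text: remove it as soon
    # as dcpromo has consumed it, then restart as the wizard's Restart Now does.
    Remove-Item -Path $AnswerFile -Force
    'Promotion finished; review %SystemRoot%\debug\dcpromo.log, then restart.'
    shutdown.exe /r /t 0
}

# Run order: Set-LabIPConfiguration; Rename-LabServer; restart the server;
# then Install-LabForest, which restarts the server once promotion completes.
```

Two points differ from the interactive wizard on purpose. RebootOnCompletion is set to No so that the answer file, which carries the Directory Services Restore Mode password, can be deleted before the restart rather than being left on disk. And because the unattended run asks no questions, the static IP and DNS delegation warnings the lab tells you to dismiss never appear; the outcome is recorded in dcpromo.log instead, which is where to look if promotion fails.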
Lab Review
After this lab you will have:
Lesson 4
Active Directory Domain Services is not the only component of IDA that is
supported by Windows Server 2008. With the release of Windows Server 2008,
Microsoft has consolidated a number of previously separate components into an
integrated IDA platform. Active Directory itself now includes five different
technologies, each of which plays a role in extending Active Directory to support
applications, identity, and information protection.
Objectives
After completing this lesson, you will be able to:
Key Points
Active Directory Lightweight Directory Services (AD LDS) is essentially a
standalone version of Active Directory, accessed by applications using
Lightweight Directory Access Protocol (LDAP).
AD LDS is the replacement for Active Directory Application Mode (ADAM). The
name of the previous version of the tool indicates its purpose: AD LDS is designed
to provide support for directory-enabled applications. It can be used for
applications that require a directory store but do not require the type of
infrastructure provided by an Active Directory domain.
Each instance of AD LDS can have its own schema, configuration, and application
partitions. This allows you to create a highly customized directory store without
impacting your production IDA infrastructure, based on AD DS. While AD LDS is
not dependent on AD DS, in a domain environment AD LDS is able to use AD DS
authentication of Windows security principals (users, computers, and groups).
Key Points
Active Directory Certificate Services (AD CS) extends the concept of trust so that a
user, computer, organization, or service can prove its identity outside or inside the
border of your Active Directory forest.
Certificates are issued from a certificate authority (CA). When a user, computer, or
service uses a certificate to prove its identity, the client in the transaction must trust
the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign
and Thawte, is maintained by Windows, and updated as part of Windows Update.
If you think about the last time you made a purchase on an Internet site, you will
recall that it was probably performed on a site using secure sockets layer (SSL),
with an HTTPS:// address. The server proves its identity to the client, your
browser, by presenting a certificate issued by a CA that your browser trusts, such as
VeriSign or Thawte.
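The trust decision just described can be made visible from PowerShell. The following is an added example, not part of the course text: one function lists the trusted root CAs that Windows maintains in the local machine's Root store, and a second builds the certificate chain for a certificate file (for instance one exported from an HTTPS server) and reports whether it ends at one of those roots. Function names are this example's own, and the certificate path is supplied by the caller.

```powershell
# Added example, not from the course text: lists the trusted root CA store and
# checks whether a given certificate chains to a root in it, which is the
# decision a client makes before accepting a server's SSL certificate.
# Function names are this example's own; the certificate path is an input.
function Get-TrustedRootSummary {
    # Cert: is the PowerShell certificate provider; Root holds the trusted root
    # CAs that Windows maintains and updates through Windows Update.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Subject, NotAfter, Thumbprint |
        Sort-Object Subject
}

function Test-CertificateTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Build() walks issuer by issuer toward a root and returns $true only when
    # every link validates and the root is trusted. Revocation checking is left
    # at its default (online); an isolated lab reports RevocationStatusUnknown.
    $trusted = $chain.Build($cert)

    # The last element is the top of whatever chain could be built: the root CA
    # on success, or the last issuer that could be located on failure.
    $top = ($chain.ChainElements | Select-Object -Last 1).Certificate
    $topInRootStore = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Trusted        = $trusted
        ChainTop       = $top.Subject
        TopInRootStore = $topInRootStore
        Status         = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage:
#   Get-TrustedRootSummary
#   Test-CertificateTrust -Path C:\certs\webserver.cer   # example path, not from the course
```

A certificate issued by an enterprise CA that you run with AD CS will report Trusted = False on a machine that has never received that CA's root certificate, even though the chain itself is well formed; TopInRootStore shows whether the missing piece is the root's presence in the store. That is the distinction the paragraph above draws between a certificate and a CA that the client actually trusts.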
Key Points
Active Directory Rights Management Services (AD RMS) creates a framework with
which you can ensure the integrity of information, both within and outside of your
organization.
In a traditional model of information protection, access control lists (ACLs) are
used to define how information can be accessed. For example, a user may be given
read permission to a document. However, there is nothing to prevent that user
from performing any number of actions once that document has been opened. The
user can make changes to the document and save it in any location, can print the
document, can forward the document via e-mail to a user who otherwise does not
have read permission to the document, and so on.
AD RMS addresses these and other such scenarios by enforcing information use
policies. This is all accomplished using licenses and encryption to protect
information, and by having rights management-enabled applications that can
consume the licenses, create usage policies, open protected content, and enforce
usage policies.
AD RMS is one of the more complex Active Directory services to implement, in that
it has dependencies upon AD DS as well as a number of other technologies,
including IIS, a database (Microsoft SQL Server in production, or the Windows
Internal Database for testing), rights management-enabled applications, and, if
information protection and usage is to be extended beyond the borders of your
Active Directory forest, Active Directory Federation Services (AD FS).
Key Points
Active Directory Federation Services (AD FS) allows an organization to extend the
authority of the directory service for authenticating users across multiple
organizations, platforms, and network environments.
The traditional Windows domain trust relationship creates a trust in which the
trusting domain allows the trusted domain to authenticate users, but the result is
that all users in the trusted domain are trusted. Additionally, in order to maintain a
trust, several firewall exceptions must be made that are not palatable to many
organizations, and certainly not for supporting Web facing applications.
AD FS projects authenticated identities from your AD DS (or AD LDS) directory
service using a Web services model that has several very important effects.