Install Active Directory

1
Goals

• Install Active Directory
• Verify Active Directory installation
• Introduce operations master roles
• View the operations master role assignments for a
  domain
• Transfer operations master roles
• Implement an organizational unit structure within
  a domain
• Examine application data partitions
• Prepare for schema modifications

2
(Skill 1)
Installing Active Directory

• To organize objects and implement domain
  structure
• Install Active Directory on a Windows Server 2003
  computer using the Active Directory Installation
  Wizard
• During first time installation
• Create the root domain, a new domain tree, and a
  new forest
• Designate a Windows Server 2003 computer as a
  domain controller

3
(Skill 1)
Installing Active Directory (2)

• Creating a domain
• By default, the domain is configured to run in
  Windows 2000 mixed mode
• Windows 2000 mixed mode allows various domain
  controllers to coexist
• Windows NT 4.0 backup domain controllers (BDCs)
• Windows 2000 domain controllers (DCs)
• Windows Server 2003 domain controllers (DCs)

4
(Skill 1)
Installing Active Directory (3)

• If your network consists of only Windows 2000 and
  Windows Server 2003 domain controllers, switch to
  Windows 2000 native mode
• Windows 2000 native mode supports only
• Windows 2000 domain controllers
• Windows Server 2003 domain controllers
• Windows 2000 mixed mode and native mode are
  identical to those available in Windows 2000

5
(Skill 1)
Installing Active Directory (4)

• Windows Server 2003 provides two new modes
• Windows Server 2003 mode
• Only supports Windows Server 2003 domain
  controllers
• Gives you the additional ability to rename domain
  controllers at any time
• Windows Server 2003 interim mode is used when you
  upgrade a Windows NT 4.0 primary domain
  controller (PDC) to Windows Server 2003

6
(Skill 1)
Installing Active Directory (5)

• During Active Directory installation, three
  components are installed
• Domain Name System (DNS) service
• Database and database log files
• Shared system volume

7
(Skill 1)
Figure 2-1 Active Directory installation
8
(Skill 1)
Figure 2-2 Internet Protocol (TCP/IP) Properties
dialog box
9
(Skill 1)
Figure 2-3 Running Dcpromo
10
(Skill 1)
Figure 2-4 Detecting network settings
11
(Skill 1)
Figure 2-5 The Server Role screen
12
(Skill 1)
Figure 2-6 The Operating System Compatibility
screen
13
(Skill 1)
Figure 2-7 The Domain Controller Type screen
14
(Skill 1)
Figure 2-8 The Create New Domain screen
15
(Skill 1)
Figure 2-9 The Permissions screen
16
(Skill 1)
Figure 2-10 Adding a client to a domain
17
(Skill 2)
Verifying Active Directory Installation

• After you install Active Directory on the first
  domain controller, you may need to add additional
  Active Directory domain controllers
• Before installing additional domain controllers
• You need installation-critical information from
  Active Directory
• You must verify the initial installation to make
  sure certain components were successfully
  installed

18
(Skill 2)
Verifying Active Directory Installation (2)

• Use the Active Directory Users and Computers
  console to verify an Active Directory
  installation
• Use this console, which is an administrative
  tool, to create and delete objects, set their
  permissions, and modify their properties
• Use this console to control primary objects
• Organizational units (OUs)
• Windows Server 2003 user accounts, group
  accounts, computer accounts
• Published printers

19
(Skill 2)
Verifying Active Directory Installation (3)

• Verifying an Active Directory installation
• Verify the presence of the domain that you
  specified during the Active Directory
  installation
• Verify the presence of your new domain controller
  in the domain controllers OU
• The presence of certain administrative tools also
  verifies that Active Directory was successfully
  installed
• Active Directory and Trusts console
• Active Directory Sites and Services console

20
(Skill 2)
Verifying Active Directory Installation (4)

• Use the Active Directory Domains and Trusts
  console
• To manage the trust relationships between two or
  more domains in the same forest or different
  forests
• To provide interoperability with other domains
• To raise the domain functional level for a domain
• To transfer the domain naming master role from
  one domain controller to another
• To add or remove alternate User Principal Name
  (UPN) suffixes to/from user logon names

21
(Skill 2)
Figure 2-11 The Active Directory Domains and
Trusts console
22
(Skill 2)
Verifying Active Directory Installation (5)

• Use the Active Directory Sites and Services
  console
• To create sites and subnets
• To move domain controllers to the correct sites
• To configure servers as global catalog servers
• To create site links
• This information is used to decide the
  replication method for directory information and
  to process service requests

23
(Skill 2)
Figure 2-12 The Active Directory Sites and
Services console
24
(Skill 2)
Figure 2-13 Verifying the presence of a domain
controller
25
(Skill 2)
Figure 2-14 The Sysvol directory
26
(Skill 2)
Figure 2-15 The Ntds folder
27
(Skill 2)
Verifying Active Directory Installation (6)

• In addition to the three default consoles, you
  can also install an additional tool called the
  Active Directory Schema snap-in
• Permits you to view and modify the schema
• The schema defines the types of objects and the
  type of information pertaining to those objects
  that can be stored in Active Directory

28
(Skill 2)
Figure 2-16 The Active Directory Schema snap-in
installed
29
(Skill 3)
Introducing Operations Master Roles

• Replication models
• Multi-master replication model
• Used to control most functions
• All domain controllers have the ability to modify
  Active Directory
• Single-master model
• Used when a single domain controller modifies
  data to control certain types of events in Active
  Directory

30
(Skill 3)
Introducing Operations Master Roles (2)

• Each of these special functions is controlled by
  FSMO (Flexible Single Masters of Operations)
  servers or, more typically, operations masters
• Types of special functions
• Forest-wide operations master roles
• Domain-wide operations master roles

31
(Skill 3)
Introducing Operations Master Roles (3)

• Forest-wide operations master roles
• Two forest-wide FSMO roles
• Schema master role
• Domain naming master role
• Each of these roles can reside on only a single
  server for the entire forest
• By default, both roles will be held by the first
  domain controller created in the root domain of
  the forest

32
(Skill 3)
Introducing Operations Master Roles (4)

• Domain-wide operations master roles
• Three domain-wide roles
• Primary domain controller (PDC) emulator role
• Relative ID (RID) master role
• Infrastructure master role
• Each of these roles can reside on only a single
  domain controller in each domain
• By default, all three roles will be held by the
  first domain controller created in each domain

33
(Skill 3)
Introducing Operations Master Roles (5)

• When you create the first domain in a new forest,
  by default, all five operations master roles are
  assigned to the first domain controller in that
  domain
• Active Directory assigns only the domain-wide
  operations master roles to the first domain
  controller of any subsequent child domains that
  you create in the forest
• The first domain controller in each of the other
  domains holds the domain-wide operations master
  roles

34
(Skill 3)
Introducing Operations Master Roles (6)

• Guidelines for planning operations master roles
  for per-forest roles
• Assign the two forest-wide roles to a high-uptime
  server backups of this machine are of special
  importance
• Assign the schema master and the domain naming
  master roles to a single domain controller in one
  of the domains in the forest

35
(Skill 3)
Introducing Operations Master Roles (7)

• Guidelines for planning operations master roles
  for per-domain roles
• Have at least one additional domain controller
  act as a standby operations master for other
  operations masters
• If a domain controller fails, the standby domain
  controller can be manually configured to seize
  the failed domain controllers roles

36
(Skill 3)
Introducing Operations Master Roles (8)

• Guidelines for planning operations master roles
  for per-domain roles
• Assign both the RID master and the PDC emulator
  roles to the same domain controller
• If the domain is large, these roles can be
  assigned to separate domain controllers to reduce
  the load on the PDC emulator
• Make sure these servers are always capable of
  communicating with each other

37
(Skill 3)
Introducing Operations Master Roles (9)

• Guidelines for planning operations master roles
  for per-domain roles
• If there is more than one domain, do not assign
  the infrastructure master role to a domain
  controller that is hosting the global catalog
  service
• Global catalog
• Stores information about objects in a tree or a
  forest
• When this information changes, the global catalog
  updates the information through replication and
  always contains the latest information about
  objects

38
(Skill 3)
Introducing Operations Master Roles (10)

• Guidelines for planning operations master roles
  for per-domain roles
• If you assign the infrastructure master role to a
  domain controller that is also a global catalog
  server, the infrastructure master will not
  function properly, because there are no phantom
  references for it to update
• If possible, try to place the domain naming
  master on a server hosting the global catalog

39
(Skill 4)
Viewing the Operations Master Role Assignments
for a Domain

• To monitor the operations master roles, you must
  identify and view the domain controllers that
  hold the roles
• Regular monitoring of the operations masters
  roles in a domain or forest
• Enables you to determine the performance and load
  on each of the operations masters
• This enables you to decide which roles must be
  transferred to other domain controllers

40
(Skill 4)
Viewing the Operations Master Role Assignments
for a Domain (2)

• To view all of the domain-wide operations master
  role assignments, use the Active Directory Users
  and Computers console
• To view the schema master and the domain naming
  master roles, use the Active Directory Schema
  snap-in and the Active Directory Domains and
  Trusts console

41
(Skill 4)
Figure 2-17 Viewing the default domain-wide
operations master role assignments
42
(Skill 4)
Figure 2-18 The Change Schema Master dialog box
43
(Skill 4)
Figure 2-19 The Change Operations Master dialog
box
44
(Skill 5)
Transferring Operations Master Roles

• After you have identified the domain controllers
  that hold the operations master roles, you can
  easily transfer roles between domain controllers
• Conditions requiring that you transfer operations
  master roles
• When you want to change the default operations
  master because the domain controller is
  unavailable for replication
• When the performance of the domain controller
  holding the operations master role is
  deteriorating due to excess load

45
(Skill 5)
Transferring Operations Master Roles (2)

• You can transfer operations master roles between
  domain controllers within a forest, as well as
  within domains, with the assistance of the
  original operations master
• To transfer an operations master role from one
  domain controller to another, make sure that both
  domain controllers are available and connected to
  each other through the network

46
(Skill 5)
Transferring Operations Master Roles (3)

• Transferring an operations master role is a
  two-stage process
• Connect to the new domain controller that will
  hold the role
• Transfer the role to the domain controller you
  have identified

47
(Skill 5)
Transferring Operations Master Roles (4)

• You use the Active Directory Users and Computers
  console to transfer the relative ID master, PDC
  emulator, and infrastructure master roles
• You use the Active Directory Domains and Trusts
  console to transfer the domain naming master role

48
(Skill 5)
Transferring Operations Master Roles (5)

• Failure of an operations master
• An operations master may be unavailable due to a
  system failure
• If there is any chance of recovering it, you
  should do so
• If you cannot recover it, you can force the
  transfer of the operations master role to another
  Windows Server 2003 domain controller without the
  cooperation of the existing owner of the roles
• This process is called seizing the role
• Use the Ntdsutil.exe utility at the command
  prompt to seize any operations master role

49
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain

• Planning and creating an organizational unit (OU)
  structure is the last activity you perform to
  complete the implementation of Active Directory
• OUs are container objects used to organize
  objects in a domain into logical groups to
  centralize and simplify administration of a large
  number of objects
• You can manage users easily and efficiently in an
  OU
• In a multiple-domain model, each domain
  implements its own OU hierarchy

50
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (2)

• Advantages of creating OUs
• You can apply Group Policy to a particular group
  of users or computers independently of other
  groups of users and computers in other OUs
• You can structure a domain
• According to the departments and locations in
  your organization
• Without OUs, all users are maintained in a single
  list under a domain

51
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (3)

• Advantages of creating OUs
• You can delegate administrative control over
  network resources to users
• You can easily accommodate any changes that take
  place in the structure of your organization, for
  example, reorganizing users between OUs requires
  less time and effort than reorganizing users
  between domains

52
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (4)

• Advantages of creating OUs
• OUs simplify the viewing and administration of
  directory objects within a domain
• OUs allow administrators to have easy access to
  all objects at any level of the hierarchy
• Plan your OU structure carefully so the
  organizational units represent your organization
  in a meaningful and manageable way

53
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (5)

• Three standard models are typically used to
  design an OU hierarchy
• Business function-based
• Geographically-based
• A combination of both business function and
  geographically-based

54
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (6)

• Use the business function-based model to create
  an OU structure that reflects the various
  business functions within an organization
• Use the geographically-based model to create an
  OU structure that represents the location of
  branches in an organization

55
(Skill 6)
Figure 2-20 A business function-based OU structure
56
(Skill 6)
Figure 2-21 A geographically-based OU structure
57
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (7)

• Use a combination of business function and
  geographically-based models to create an OU
  structure that reflects the various business
  functions within the different branches of an
  organization

58
(Skill 6)
Figure 2-22 A business function and
geographically-based OU structure
59
(Skill 6)
Figure 2-23 Creating an organizational unit
60
(Skill 6)
Implementing an Organizational Unit Structure
within a Domain (8)

• Each OU you create contains a set of default
  properties
• Each OU also has additional properties
• Properties are attributes you use to locate the
  OU
• Use the Active Directory Users and Computers
  console to set the properties

61
(Skill 6)
Figure 2-24 MKTG Properties dialog box
62
(Skill 7)
Understanding Application Data Partitions

• Application data partitions
• Are special database structures within Active
  Directory
• They hold information specific to a particular
  application
• To fully understand why they are necessary, you
  must first understand how they function in Active
  Directory

63
(Skill 7)
Understanding Application Data Partitions (2)

• A partition in Active Directory is a section of
  the database
• With its own root name (using LDAP distinguished
  names)
• With its own replication topology
• The critical principle is replication topology
• Since all partitions have their own topology,
  information changes in one partition do not force
  replication to other partitions

64
(Skill 7)
Figure 2-25 Using application data partitions
65
(Skill 7)
Understanding Application Data Partitions (3)

• Application data partitions have their own naming
  convention
• Applies to DNS names and LDAP distinguished names
• From the DNS side, an application data partition
  is typically configured as a child domain of an
  Active Directory domain
• From the LDAP side, the partition has its own
  LDAP distinguished name

66
(Skill 7)
Understanding Application Data Partitions (4)

• LDAP distinguished name
• An LDAP naming convention that is used in most,
  if not all, LDAP compliant databases
• Think of it as a path name describing the entire
  path to the object from within the database
• LDAP names are particularly important because
  some of the advanced Active Directory utilities
  (such as Ntdsutil) require them

67
(Skill 7)
Understanding Application Data Partitions (5)

• Administering application data partitions
• Typically, you will not need to perform any real
  administration
• Your application will usually create the
  partition for you, and perform all writes and
  changes
• Common current applications that make use of
  application data partitions are DNS and TAPI
• In certain cases, you may be required to create
  an application data partition

68
(Skill 7)
Understanding Application Data Partitions (6)

• To create an application data partition, you can
  use Ntdsutil.exe, a raw LDAP editor, or Active
  Directory Services Interface (ADSI)
• Ntdsutil is the most accessible of these tools
• It is a powerful and versatile tool for making
  major modifications to the Active Directory
  database
• Since it is a very powerful application, you have
  the potential for making major mistakes very
  quickly

69
(Skill 7)
Understanding Application Data Partitions (7)

• Ntdsutil command line utility
• Must be run in Directory Services Restore Mode on
  the domain controller on which you wish to make a
  change
• Application data partitions can only be created
  by Enterprise Administrators
• By default, the only Enterprise Administrator is
  the Administrator account in the forest root
  domain

70
(Skill 8)
Preparing for Schema Modifications

• Schema
• Considered the blueprint or rulebook for Active
  Directory
• Defines the structure and rules for the Active
  Directory database
• To understand more specifically what the schema
  does, you need to understand more about the
  structure of Active Directory

71
(Skill 8)
Preparing for Schema Modifications (2)

• Active Directory is composed of various types of
  objects
• Each object is defined by its type, which is
  referred to as the object class
• Each object class is defined by the attributes
  included in the class
• Attributes are specific fields for the object
  that store a particular type of information
• Different object classes can have different
  attributes, which are suited to the needs of the
  object

72
(Skill 8)
Figure 2-26 Object classes and attributes
73
(Skill 8)
Preparing for Schema Modifications (3)

• You can examine and change most of the attributes
  for an object class by opening the object class
  in the Active Directory Schema snap-in
• You can add attributes to an existing class
• You can create a new class using new or existing
  attributes to drastically change the
  functionality of Active Directory
• This allows Active Directory to support your own
  customized applications and data

74
(Skill 8)
Preparing for Schema Modifications (4)

• A mistake made in the schema can have very severe
  consequences
• Microsoft has put several safeguards in place to
  reduce the chance that mistakes may occur when
  you are viewing or editing the schema

75
(Skill 8)
Preparing for Schema Modifications (5)

• Some of Microsofts safeguards
• Object classes and attributes can be deactivated,
  but they cannot be deleted
• Deactivating a class results in the inability to
  create new objects in that class.
• Deactivating an attribute results in the
  inability to add the attribute to other classes
• Mandatory attributes of an existing class cannot
  be deactivated

76
(Skill 8)
Preparing for Schema Modifications (6)

• Some of Microsofts safeguards
• Default attributes, which are required for Active
  Directory to function properly, cannot be
  deactivated
• The schema can only be modified on the schema
  master
• Only members of the Schema Admins group have
  permission to modify the schema, by default
• The Active Directory Schema snap-in is not
  installed by default

77
(Skill 8)
Preparing for Schema Modifications (7)

• Precautions exist because of the scope of schema
  modifications
• However, there are a few instances in which a
  schema modification is warranted

78
(Skill 8)
Preparing for Schema Modifications (8)

• Most commonly, schema modifications are performed
  for one of two reasons
• To support business requirements, you may need to
  add a new attribute or class to the schema
• To support new Active Directory-integrated
  applications that store a portion of their data
  in the Active Directory database, you may need to
  supply new attributes or classes

79
(Skill 8)
Preparing for Schema Modifications (9)

• If you choose to modify the schema in the Active
  Directory Schema snap-in, follow these
  precautions
• Thoroughly evaluate the need for the schema
  modification and make sure that modifying the
  schema is the best solution
• Specifically define the modification to be
  performed
• Create a script or use another programmatic
  method to apply the modification and test it
  thoroughly in an offline environment

80
(Skill 8)
Preparing for Schema Modifications (10)

• Steps to modify the schema
• Connect to the schema operations master,
  preferably using an account that is not a member
  of the Schema Admins group
• Use the Run as facility to launch the application
  you are using to modify the schema as a member of
  the Schema Admins group

81
(Skill 8)
Preparing for Schema Modifications (11)

• Steps to modify the schema
• If the operations master is a Windows 2000 domain
  controller, enable writes on the schema
• Modify the schema
• If the operations master is a Windows 2000 domain
  controller, disable writes on the schema
• Disconnect from the schema operations master

82
(Skill 8)
Figure 2-27 Viewing an object class in the Schema
console