
Implementing Active Directory

Lesson 2

Skills Matrix

Technology Skill - Objective Domain - Objective #
Installing a New Active Directory Forest - Configure a forest or a domain - 2.1
Establishing and Maintaining Trust Relationships - Configure trusts - 2.2
Configuring Active Directory Lightweight Directory Services - Configure Active Directory Lightweight Directory Services (AD LDS) - 3.1
Configuring a Read-Only Domain Controller - Configure the Read-Only Domain Controller (RODC) - 3.3

Server Manager

Located in Administrative Tools.
Can also be accessed by right-clicking My Computer and selecting Manage.

Allows you to:
Add roles such as the DNS Server or Active Directory Domain Services role.
Perform system diagnostics.
Configure system services.
Drill down into specific administrative tools.


Requirements for Active Directory

A server running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition (Full version or Server Core).
An administrator account and password on the local machine.
An NT file system (NTFS) partition for the SYSVOL folder structure.
200 MB minimum free space on the previously mentioned NTFS partition for the Active Directory database files.
50 MB minimum free space for the transaction log files.
Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured.
An authoritative DNS server for the DNS domain that supports service resource (SRV) records. Support for incremental zone transfers and dynamic updates is recommended.

Installing Active Directory

To install Active Directory, you will need to first add the Active Directory Domain Services role using Server Manager.
The Active Directory Installation Wizard, dcpromo, will guide you through any of the following installation scenarios:
Adding a domain controller to an existing environment.
Creating an entirely new forest structure.
Adding a child domain to an existing domain.
Adding a new domain tree to an existing forest.
Demoting domain controllers and eventually removing a domain or forest.

Choosing the Deployment Configuration

Post-Installation Tasks

Upon completion of the Active Directory installation, you should verify a number of items:
Application directory partition creation.
Aging and scavenging for zones.
Forward lookup zones and SRV records.
Reverse lookup zones.

Application Partitions

Aging and Scavenging of DNS Records

Aging and scavenging are processes that can be used by Windows Server 2008 DNS to clean up the DNS database after DNS records become stale or out of date.
Without this process, the DNS database would require manual maintenance to prevent server performance degradation and potential disk-space issues.
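The two timers behind aging and scavenging are easier to reason about in code. The following is an added example, not part of the lesson: it models how Windows DNS treats a dynamically registered record (the timestamp is only refreshed once the no-refresh interval has passed, and the record becomes eligible for scavenging when timestamp + no-refresh interval + refresh interval lies in the past), and how static records are left alone. The 7-day intervals are the Windows DNS defaults; the hostnames and dates are constructed for the example.

```python
"""Aging and scavenging of DNS records, worked through offline (added example)."""
from datetime import datetime, timedelta

# Windows DNS defaults for the two intervals; both are configurable per zone or per server.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


class DnsRecord:
    def __init__(self, name, timestamp):
        self.name = name
        # None stands for a static record (timestamp 0 in Windows DNS), which is never aged.
        self.timestamp = timestamp

    def refresh(self, now, no_refresh=NO_REFRESH):
        """Dynamic re-registration by the client. Returns True if the timestamp was updated."""
        if self.timestamp is None:
            return False  # static records carry no timestamp to refresh
        if now < self.timestamp + no_refresh:
            # Inside the no-refresh window the timestamp is left alone; this is what keeps
            # daily re-registrations from rewriting (and replicating) the record every day.
            return False
        self.timestamp = now
        return True

    def is_stale(self, now, no_refresh=NO_REFRESH, refresh=REFRESH):
        """Eligible for scavenging once both intervals have elapsed since the last refresh."""
        if self.timestamp is None:
            return False
        return now > self.timestamp + no_refresh + refresh


def scavenge(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """One scavenging pass: returns (kept, removed) lists of records."""
    kept, removed = [], []
    for record in records:
        (removed if record.is_stale(now, no_refresh, refresh) else kept).append(record)
    return kept, removed


def demo():
    """Constructed scenario: a DC with a static record and two dynamic client records."""
    t0 = datetime(2024, 1, 1)
    records = [
        DnsRecord("dc1", None),      # static A record created by the administrator
        DnsRecord("laptop7", t0),    # registered once and never seen again
        DnsRecord("ws12", t0),       # still on the network; re-registers on day 10
    ]
    records[2].refresh(t0 + timedelta(days=10))
    kept, removed = scavenge(records, t0 + timedelta(days=15))
    return [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    print(demo())  # (['dc1', 'ws12'], ['laptop7'])
```

On day 15 laptop7 is past the 14-day mark and is removed, ws12 survives because its day-10 refresh restarted the clock, and the static dc1 record is never a candidate. A refresh attempted on day 3 is ignored, which is why a scavenging interval shorter than the sum of the two timers would delete records that clients are still actively refreshing.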


DNS Records

Make sure the Forward Lookup zone is created.
Make sure a Host (A) record is created for your server.
Make sure the following DNS domains are created:
_msdcs
_sites
_tcp
_udp

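The post-installation checks above (forward lookup zone, host record, the _msdcs, _sites, _tcp and _udp subdomains, and the SRV records) can be scripted against a zone dump. The following is an added example, not part of the lesson: it parses records in the one-per-line "name ttl IN type rdata" layout that BIND-style zone files and dnscmd zone prints share, and reports what a domain controller's zone is missing. The zone text is constructed for the example (contoso.com, dc1 and 192.0.2.10 are placeholders); the SRV names it checks are the locator records a domain controller registers for LDAP, Kerberos, the password-change service and the global catalog.

```python
"""Post-installation DNS check for a new domain controller (added example)."""
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed sample: a healthy single-DC zone shortly after dcpromo completes.
SAMPLE_ZONE = """\
contoso.com.                          3600 IN SOA  dc1.contoso.com. hostmaster.contoso.com. 1 900 600 86400 3600
contoso.com.                          3600 IN NS   dc1.contoso.com.
contoso.com.                           600 IN A    192.0.2.10
dc1.contoso.com.                      3600 IN A    192.0.2.10
_ldap._tcp.contoso.com.                600 IN SRV  0 100 389 dc1.contoso.com.
_kerberos._tcp.contoso.com.            600 IN SRV  0 100 88 dc1.contoso.com.
_kerberos._udp.contoso.com.            600 IN SRV  0 100 88 dc1.contoso.com.
_kpasswd._tcp.contoso.com.             600 IN SRV  0 100 464 dc1.contoso.com.
_gc._tcp.contoso.com.                  600 IN SRV  0 100 3268 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.      600 IN SRV  0 100 389 dc1.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com.  600 IN SRV  0 100 88 dc1.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
"""

REQUIRED_SRV = (
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}",
    "_gc._tcp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
)
REQUIRED_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")


def parse_zone(text):
    """Parse 'name ttl IN type rdata...' lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError("unrecognised record line: " + line)
        name, ttl, _cls, rtype, *rdata = fields
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata))
    return records


def check_dc_records(zone_text, domain, dc_host):
    """Return a list of problems; an empty list means the zone has what a DC needs."""
    domain = domain.rstrip(".").lower()
    dc_host = dc_host.rstrip(".").lower()
    records = parse_zone(zone_text)
    problems = []
    if not any(r.rtype == "SOA" and r.name == domain for r in records):
        problems.append("no forward lookup zone (SOA) for " + domain)
    a_hosts = {r.name for r in records if r.rtype == "A"}
    if dc_host not in a_hosts:
        problems.append("no host (A) record for " + dc_host)
    srv_by_name = {}
    for r in records:
        if r.rtype == "SRV":
            srv_by_name.setdefault(r.name, []).append(r)
    for template in REQUIRED_SRV:
        name = template.format(d=domain)
        if name not in srv_by_name:
            problems.append("missing SRV record " + name)
            continue
        for srv in srv_by_name[name]:
            target = srv.rdata[3].rstrip(".").lower()  # SRV rdata: priority weight port target
            if target not in a_hosts:
                # A locator record that points at a name with no A record is as bad as none at all.
                problems.append("SRV %s points at %s, which has no A record" % (name, target))
    labels = {label for r in records for label in r.name.split(".")}
    for sub in REQUIRED_SUBDOMAINS:
        if sub not in labels:
            problems.append("no records under the %s subdomain" % sub)
    return problems


def without_lines(zone_text, prefix):
    """Experiment helper: drop the records whose owner name starts with prefix."""
    return "\n".join(l for l in zone_text.splitlines() if not l.startswith(prefix))


if __name__ == "__main__":
    for line in check_dc_records(SAMPLE_ZONE, "contoso.com", "dc1.contoso.com") or ["zone OK"]:
        print(line)
```

Feed it the output of a zone dump from the DNS server that dcpromo registered against; deleting the host (A) record from the sample shows why the target check matters, since every SRV record then points into the void even though the SRV records themselves are all present.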

Raising the Domain Functional Level

Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the domain you wish to raise and select Raise Domain Functional Level.

Raising the Forest Functional Level

Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click the Active Directory Domains and Trusts icon in the console tree and select Raise Forest Functional Level.
If your domains have not all been raised to at least Windows Server 2003, you will receive an error indicating that raising the forest functional level cannot take place yet. If all domains have met the domain functionality criteria of Windows Server 2008, you can click Raise to proceed.
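The rule the wizard enforces, that every domain must already be at the target level before the forest can be raised and that neither level can be lowered afterwards, is small enough to model exactly. The following is an added example, not part of the lesson: the level names are the ones this lesson uses (the functions work for any ordered list of levels) and the domain names are constructed placeholders.

```python
"""Functional-level checks (added example)."""
# Ordered from oldest to newest; a higher index is a higher functional level.
LEVELS = ("Windows 2000", "Windows Server 2003", "Windows Server 2008")


def rank(level):
    if level not in LEVELS:
        raise ValueError("unknown functional level: " + level)
    return LEVELS.index(level)


def raise_domain_level(domain_levels, domain, target):
    """Raise one domain's level in place. Returns False, changing nothing, if it would lower it."""
    if rank(target) < rank(domain_levels[domain]):
        return False  # a raise cannot be reversed, so a lower target is refused outright
    domain_levels[domain] = target
    return True


def forest_raise_blockers(domain_levels, target):
    """Domains still below target; the forest can be raised only when this list is empty."""
    return sorted(d for d, level in domain_levels.items() if rank(level) < rank(target))


def highest_forest_level(domain_levels):
    """The highest forest functional level the current domain levels permit."""
    return LEVELS[min(rank(level) for level in domain_levels.values())]


if __name__ == "__main__":
    levels = {"contoso.com": "Windows Server 2008", "na.contoso.com": "Windows Server 2003"}
    print(highest_forest_level(levels))                        # Windows Server 2003
    print(forest_raise_blockers(levels, "Windows Server 2008"))   # ['na.contoso.com']
```

Run the blocker check before touching the forest: it names the domains that still need raising, which is the information the wizard's error message leaves you to work out by hand. Because the level list is ordered, adding newer levels later is a one-line change to LEVELS.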

Removing Active Directory

Click the Start menu, key dcpromo, and then press Enter.

Schema Management Console

Some commercial applications, such as Microsoft Exchange, will modify the schema as a part of their installation process.
You can also extend the schema manually using the Active Directory Schema snap-in.
To modify the schema manually, you must be a member of the Schema Admins group.
The Active Directory Schema snap-in should be installed on the domain controller holding the Schema Master operations role.

Installing the Schema Management Snap-in

From a command prompt, key regsvr32 schmmgmt.dll.
Close the Command Prompt window, click Start, and then select Run.
Key mmc /a in the dialog box and click OK.
Click the File menu and select Add/Remove Snap-in.

Trust Relationship

Trust relationships exist to make resource accessibility easier between domains and forests.
Many trust relationships are established by default during the creation of the Active Directory forest structure.
Trust relationships can be created using Active Directory Domains and Trusts from the Administrative Tools folder.

Trust Relationships

Four trust types can be manually established in Windows Server 2008:
Shortcut trusts - Used to shorten the tree-walking process for users who require frequent access to resources elsewhere in the forest.
Cross-forest trusts - Allow you to create two-way transitive trusts between separate forests.
External trusts - Used to configure a one-way non-transitive trust.
Realm trusts - Allow you to configure trust relationships between Windows Server 2008 Active Directory and a UNIX MIT Kerberos realm.
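What distinguishes the four trust types is direction (the trusting domain accepts accounts from the trusted domain) and transitivity (whether other trusts can be chained through it), and the "tree-walking" a shortcut trust shortens is the chain of trusts a resource domain has to cross to reach an account's domain. The following is an added example, not part of the lesson: it models a forest's default parent-child trusts plus a shortcut trust and an external trust, and finds the trust path between two domains. Cross-forest trusts fit the same model as transitive two-way entries, and a realm trust as whichever combination it was created with. All domain names are constructed placeholders.

```python
"""Walking trust paths between domains (added example)."""
from collections import deque, namedtuple

# trusting -> trusted: accounts from `trusted` can be granted access to resources in `trusting`.
Trust = namedtuple("Trust", "trusting trusted transitive")


def two_way(a, b, transitive=True):
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trust_path(trusts, resource_domain, account_domain):
    """Domains crossed from resource_domain to account_domain, or None if no usable trust path."""
    if resource_domain == account_domain:
        return [resource_domain]
    # A non-transitive trust (external trust) is usable only on its own, never inside a chain.
    for t in trusts:
        if not t.transitive and t.trusting == resource_domain and t.trusted == account_domain:
            return [resource_domain, account_domain]
    # Everything else is a breadth-first walk over transitive trusts, so the shortest chain wins.
    hops = {}
    for t in trusts:
        if t.transitive:
            hops.setdefault(t.trusting, []).append(t.trusted)
    came_from = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for nxt in hops.get(domain, []):
            if nxt in came_from:
                continue
            came_from[nxt] = domain
            if nxt == account_domain:
                path = [nxt]
                while came_from[path[-1]] is not None:
                    path.append(came_from[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def hop_count(path):
    return None if path is None else len(path) - 1


# Constructed forest: root contoso.com, two child domains and one grandchild. The parent-child
# trusts dcpromo creates are two-way and transitive.
FOREST = (two_way("contoso.com", "na.contoso.com")
          + two_way("contoso.com", "eu.contoso.com")
          + two_way("na.contoso.com", "sales.na.contoso.com"))
# Manually created trusts of the kinds listed on the slide:
SHORTCUT = two_way("sales.na.contoso.com", "eu.contoso.com")             # shortcut: transitive
EXTERNAL = [Trust("eu.contoso.com", "partner.local", transitive=False)]   # external: one-way, non-transitive


if __name__ == "__main__":
    print(trust_path(FOREST, "sales.na.contoso.com", "eu.contoso.com"))
    print(trust_path(FOREST + SHORTCUT, "sales.na.contoso.com", "eu.contoso.com"))
    print(trust_path(FOREST + EXTERNAL, "contoso.com", "partner.local"))
```

Without the shortcut, a user from eu.contoso.com reaching a server in sales.na.contoso.com is resolved up through na.contoso.com and the forest root, three hops; the shortcut makes it one. The external trust to partner.local works only from eu.contoso.com directly: the forest root cannot chain through it, and nothing flows in the other direction, which is exactly the containment a one-way non-transitive trust is chosen for.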

Revoking a Trust Using Netdom

Open a command prompt and type the following text:
Netdom trust TrustingDomainName /d:TrustedDomainName /remove
Press Enter.
Repeat these steps for the other end of the trust relationship.

User Principal Name (UPN)

The name of a system user in an e-mail address format:
username@domainname
Based on Internet RFC 822.

Changing the Default Suffix for User Principal Names

Open Active Directory Domains and Trusts from the Administrative Tools folder.
Right-click Active Directory Domains and Trusts and choose Properties.
Click the UPN Suffix tab, key the new suffix, and click Add.
Key more than one suffix if your forest has more than one tree, and then click OK.
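A UPN is accepted on a user object only if it is well formed and its suffix is one the forest knows: the DNS name of a domain in the forest, or an alternative suffix registered through the procedure above. The following is an added example, not part of the lesson: a small parser for the user@suffix form plus a forest-wide suffix list, so that the effect of adding a suffix can be checked offline. The domain and suffix names are constructed placeholders.

```python
"""UPN parsing and suffix checks (added example)."""
import re

# Characters RFC 822 allows in the part before the '@' (no spaces, no second '@').
_USER_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# One DNS label: alphanumerics and interior hyphens, at most 63 characters.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_suffix(suffix):
    return bool(suffix) and all(_DNS_LABEL.match(label) for label in suffix.split("."))


def split_upn(upn):
    """Split 'user@suffix' into (user, lower-cased suffix); raises ValueError otherwise."""
    if upn.count("@") != 1:
        raise ValueError("a UPN has exactly one '@': %r" % upn)
    user, suffix = upn.split("@")
    if not _USER_PART.match(user):
        raise ValueError("invalid user part: %r" % user)
    if not valid_suffix(suffix):
        raise ValueError("invalid suffix: %r" % suffix)
    return user, suffix.lower()


class UpnSuffixes:
    """The suffixes a forest will accept on user objects."""

    def __init__(self, forest_domains):
        # Every domain's DNS name is a valid suffix without any configuration.
        self.forest_domains = {d.lower() for d in forest_domains}
        self.alternative = set()

    def add_suffix(self, suffix):
        """What the UPN Suffix tab does: validate the name, then register it forest-wide."""
        if not valid_suffix(suffix):
            raise ValueError("invalid suffix: %r" % suffix)
        self.alternative.add(suffix.lower())

    def accepts(self, upn):
        """True when the UPN is well formed and its suffix is registered in this forest."""
        try:
            _, suffix = split_upn(upn)
        except ValueError:
            return False
        return suffix in self.forest_domains or suffix in self.alternative


if __name__ == "__main__":
    forest = UpnSuffixes(["contoso.com", "na.contoso.com", "fabrikam.com"])  # two trees, one forest
    print(forest.accepts("jsmith@example.org"))   # False until the suffix is added
    forest.add_suffix("example.org")
    print(forest.accepts("jsmith@example.org"))   # True
```

Because the suffix set is forest-wide, a user in the fabrikam.com tree can be given a contoso.com UPN without any extra configuration, and a single alternative suffix added once serves every tree; a suffix that is not registered is rejected regardless of how well formed the UPN is.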

Summary

Active Directory requires DNS to be installed. DNS does not have to be installed on a Windows Server 2003 machine, but the version of DNS used does need to support SRV records for Active Directory to function.
Planning the forest and domain structure should include a checklist that can be referenced for dialog information required by the Active Directory Installation Wizard.
Verification of a solid Active Directory installation includes verifying DNS zones and the creation of SRV records.
Additional items, such as reverse lookups, aging, and scavenging, should also be configured.
Application directory partitions are automatically created when Active Directory integrated zones are configured in DNS.
These partitions allow replica placement within the forest structure.
System classes of the schema cannot be modified, but additional classes can be added. Classes and attributes cannot be deleted, but they can be deactivated.
Planning forest and domain functionality is dependent on the need for down-level operating system compatibility.
Raising a forest or domain functional level is a procedure that cannot be reversed.
Four types of manual trusts can be created: shortcut, external, cross-forest, and realm trusts.
Manual trusts can be created by using Active Directory Domains and Trusts or netdom at a command line.
UPNs provide a mechanism to make access to resources in multiple domains user-friendly.
UPNs follow a naming format similar to email addresses.
You must be a member of the Enterprise Admins group to add additional suffixes that can be assigned at user object creation.
