Implementing Active Directory® Domain Services 1-1
Module 1
Implementing Active Directory® Domain
Services
Contents:
Lesson 1: Installing Active Directory Domain Services
Lesson 2: Deploying Read-Only Domain Controllers
Lesson 3: Configuring AD DS Domain Controller Roles
Lab: Implementing Read-Only Domain Controllers and Managing
Domain Controller Roles
BETA COURSEWARE. EXPIRES 4/11/2008
1-2 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services
Module Overview
Active Directory® Domain Services (AD DS) is installed as a server role in
Windows Server® 2008. You have several choices to make when you install AD DS
and run the Active Directory Installation Wizard. You must choose whether to
create a new domain or add a domain controller to an existing domain. You also
have the option of installing AD DS on a server running Windows Server 2008
Server Core or installing read-only domain controllers. After deploying the domain
controllers, you also must manage special domain controller roles, such as the
global catalog and operations masters.
Lesson 1:
Installing Active Directory Domain Services
Windows Server 2008 provides several ways to install and configure Active
Directory Domain Services. This lesson describes the standard AD DS installation,
and then also describes some of the other options that are available when
performing the installation.
Requirements for Installing AD DS
Key Points
To install Active Directory Domain Services, the server must meet the following
requirements:
The Windows Server 2008 operating system must be installed. AD DS can only be
installed on the following editions:
• Windows Server 2008, Standard Edition
• Windows Server 2008, Enterprise Edition
• Windows Server 2008, Datacenter edition
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Requirements for Installing AD DS
What Are Domain and Forest Functional Levels?
Key Points
In Windows Server 2008, forest and domain functionality provides a way to enable
forest-wide or domain-wide Active Directory features in your network environment.
Different levels of forest and domain functionality are available, depending on
domain and forest functional level.
Additional Reading
• Active Directory Domain Services Help: Set the domain or forest functional
level
• Microsoft Technet article: Appendix of Functional Level Features
AD DS Installation Process
Key Points
To configure a Windows Server 2008 domain controller, you must install the AD
DS server role and run the Active Directory Domain Services Installation wizard.
Do this using one of the following processes:
• Install the Server role by using Server Manager, and then run the installation
wizard by running DCPromo or the installation wizard from Server Manager.
• Run DCPromo from the Run command or a command prompt. This will
install the AD DS server role and then start the installation wizard.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest and
Scenarios for Installing AD DS
Advanced Options for Installing AD DS
Key Points
Some of the Active Directory Domain Services Installation Wizard pages appear
only if you select the Use advanced mode installation check box on the Welcome
page of the wizard or run DCPromo with the /adv switch. If you do not run
the installation wizard in advanced mode, the wizard uses default options that
apply to most configurations.
Question: When would you use the advanced options mode in your organization?
Additional Reading
• Active Directory Domain Services Help: Use advanced mode installation
• Microsoft Technet article: What's New in AD DS Installation and Removal
Installing AD DS from Media
Key Points
Before you can use backup media as the source for installing a domain controller,
use Ntdsutil.exe to create the installation media.
Question: Which types of installation media will you use in your organization?
Additional Reading
• Microsoft Technet article: Installing AD DS from Media
Demonstration: Verifying the AD DS installation
Question: What steps would you take if you noticed that the domain controller
installation failed?
Additional Reading
• Microsoft Technet article: Verifying an AD DS Installation
• Microsoft Technet article: Verifying Active Directory Installation
Upgrading to Windows Server 2008 AD DS
Key Points
To install a new Windows Server 2008 domain controller in an existing Windows
2000 Server or Windows Server 2003 domain, complete the following steps:
• If the domain controller is the first Windows Server 2008 domain controller in
the forest, you must prepare the forest for Windows Server 2008 by extending
the schema on the schema operations master. To extend the schema, run
adprep /forestprep. The adprep tool is located on the Windows Server 2008
installation media.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows 2000 Server domain, you must first prepare the domain by
running adprep /domainprep /gpprep on the infrastructure master. The
gpprep switch adds inheritable access control entries (ACEs) to the Group
Policy Objects (GPOs) that are located in the SYSVOL shared folder and
synchronizes the SYSVOL shared folder among the controllers in the domain.
• If the domain controller is the first Windows Server 2008 domain controller in
a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master.
• After you install a writeable domain controller, you can install an RODC in the
Windows Server 2003 forest. Before doing this, you must prepare the forest by
running adprep /rodcprep. You can run adprep /rodcprep on any computer in
the forest. If the RODC will be a global catalog server, then you must run
adprep /domainprep in all domains in the forest, regardless of whether the
domain runs a Windows Server 2008 domain controller. By running adprep
/domainprep in all domains, the RODC can replicate global catalog data from
all domains in the forest and then advertise as a global catalog server.
Additional Reading
• Active Directory Domain Services Help: Installing Active Directory Domain
Services
• Microsoft Technet article: Installing a New Windows Server 2008 Forest
• Microsoft Technet article: Scenarios for Installing AD DS
Installing AD DS on a Server Core Computer
Key Points
To install AD DS on a Windows Server 2008 computer running Server Core, you
must use an unattended setup. Windows Server 2008 Server Core does not
provide a graphical user interface (GUI) so you cannot run the Active Directory
Domain Services installation wizard.
To perform an unattended install of AD DS, use an answer file and the following
syntax with the Dcpromo command:
Dcpromo /answer[:filename]
Where filename is the name of your answer file.
Additional Reading
• Microsoft Technet article: Appendix of Unattended Installation Parameters
Discussion: Common Configuration for AD DS
Key Points
After installing a domain controller, you may need to perform additional tasks in
your environment. You can access checklists for the following common
configurations for AD DS in Server Manager, under Resources and Support.
Additional Reading
• AD DS Help: Common Configurations for Active Directory Domain Services
Lesson 2:
Deploying Read-Only Domain
Controllers
One of the important new features in Windows Server 2008 is the option to use
read-only domain controllers (RODCs). RODCs provide all of the functionality that
clients require while providing additional security for domain controllers deployed
in branch offices. When configuring RODCs, you can specify which user account
passwords will be cached on the server and configure delegated administrative
permissions for the domain controller. This lesson describes how to install and
configure RODCs.
What Is a Read-Only Domain Controller?
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy that the RODC stores, and all AD
DS replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
Read-Only Domain Controller Features
Key Points
See the list on the slide.
Additional Reading
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Preparing to Install the RODC
Key Points
Before you can install an RODC, you must prepare the AD DS environment by
completing the following steps:
• Configure the domain and forest functional level
• Plan for Windows Server 2008 domain controller availability
• Prepare the forest and domain
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Installing the RODC
Key Points
The RODC installation is almost identical to the installation of AD DS on a domain
controller with a writeable copy of the database. However, there are a few extra
steps.
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
Delegating the RODC Installation
Key Points
You can delegate the installation of an RODC by performing a two-stage
installation.
Question: What are the benefits of delegating an RODC installation?
Additional Reading
• AD DS Help: Delegate read-only domain controller installation and
administration
• Microsoft Technet article: AD DS: Read-Only Domain Controllers
• Microsoft Technet article: Step-by-Step Guide for Read-Only Domain
Controller in Windows Server 2008 Beta 3
What Are Password Replication Policies?
Key Points
When you deploy an RODC, you can configure a Password Replication Policy for the
RODC.
The Password Replication Policy acts as an access control list (ACL) that
determines if an RODC is permitted to cache a password.
The Password Replication Policy lists the accounts that you are allowing explicitly
to be cached and those that you are not. The passwords for any accounts are not
actually cached on the RODC until after the first time the user or computer
account is authenticated through the RODC.
Additional Reading
• AD DS Online Help: Specify Password Replication Policy
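Added example (not part of the courseware): a simplified Python model of the Password Replication Policy behavior described above, showing the allow/deny check, caching only after the first authentication through the RODC, and which accounts would need a password reset if the RODC were stolen. Account and group names are constructed, group membership is assumed to be already flattened, and the model applies the AD DS rule that an explicit deny takes precedence over an allow.

```python
"""Simplified model of RODC Password Replication Policy (PRP) evaluation.

Added illustration: account and group names are constructed, and group
membership is assumed to be already flattened (no nested-group expansion).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # names of the groups the account belongs to


@dataclass
class RodcModel:
    allowed: set                               # principals on the PRP Allowed list
    denied: set                                # principals on the PRP Denied list
    cached: set = field(default_factory=set)   # accounts whose password is stored locally

    def may_cache(self, acct: Account) -> bool:
        """PRP check: an explicit deny wins; otherwise an explicit allow is required."""
        principals = {acct.name} | acct.groups
        if principals & self.denied:
            return False
        return bool(principals & self.allowed)

    def logon(self, acct: Account, wan_up: bool) -> bool:
        """Return True if a logon through this RODC succeeds."""
        if acct.name in self.cached:
            return True      # served from the local cache
        if not wan_up:
            return False     # nothing cached and no writeable DC reachable
        # The request is forwarded to a writeable DC (assumed to accept the
        # password). Only now, after this first authentication, may the
        # password be cached on the RODC.
        if self.may_cache(acct):
            self.cached.add(acct.name)
        return True

    def reset_list_if_compromised(self) -> list:
        """Accounts whose passwords were on the RODC and must be reset if it is stolen."""
        return sorted(self.cached)


def run_scenario():
    """Branch-office scenario with constructed accounts and groups."""
    teller = Account("tor-teller1", frozenset({"TOR_BranchUsers"}))
    executive = Account("tor-exec1", frozenset({"TOR_BranchUsers", "Executives"}))
    admin = Account("adm-1", frozenset({"Domain Admins"}))
    visitor = Account("nyc-visitor1", frozenset({"NYC_BranchUsers"}))
    # Allowed by policy, but has never logged on through this RODC.
    absent = Account("tor-teller2", frozenset({"TOR_BranchUsers"}))

    rodc = RodcModel(allowed={"TOR_BranchUsers"},
                     denied={"Domain Admins", "Executives"})

    # Phase 1: WAN link available, everyone except tor-teller2 logs on once.
    online = {a.name: rodc.logon(a, wan_up=True)
              for a in (teller, executive, admin, visitor)}
    # Phase 2: WAN link down, only cached accounts can still log on.
    offline = {a.name: rodc.logon(a, wan_up=False)
               for a in (teller, executive, admin, visitor, absent)}
    return online, offline, rodc.reset_list_if_compromised()


if __name__ == "__main__":
    online, offline, reset = run_scenario()
    print("WAN up  :", online)
    print("WAN down:", offline)
    print("Reset if RODC is compromised:", reset)
```

Widening the Allowed list lengthens both the set of users who can log on during a WAN outage and the reset list after a compromise, which is the trade-off the policy has to balance.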
Demonstration: Configuring Administrator Role Separation
and Password Replication Policies
Questions: What is an alternative way to configure administrator role separation
and password replication policies?
Your organization has deployed two RODCs. How would you configure the
password replication policy if you wanted the credentials for all user accounts and
computer accounts except for administrators and executives to be cached on both
RODCs?
Additional Reading
• AD DS Help: Specify Password Replication Policy
Lesson 3:
Configuring AD DS Domain Controller
Roles
All domain controllers in a domain are essentially equal, meaning they all contain
the same data and provide the same services. However, you also can assign special
roles to domain controllers to provide additional services or address scenarios in
which only one domain controller should provide services at any given time. This
lesson describes how to configure and manage global catalog servers and
operations masters.
What Are Global Catalog Servers?
Key Points
The global catalog is a partial, read-only replica of all domain directory partitions in
a forest. The global catalog is a partial replica because it includes only a limited set
of attributes for each of the forest’s objects. By including only the attributes that are
used the most for searching, the database of a single global catalog server can
represent every object in every domain in the forest.
The global catalog server hosts the global catalog and its domain information.
Active Directory automatically configures the first domain controller in the forest as
a global catalog server. You can add global catalog functionality to other domain
controllers or change the default location of the global catalog to another domain
controller.
Additional Reading
• Microsoft Technet article: Domain Controller Roles
Modifying the Global Catalog
Key Points
Sometimes you may want to customize the global catalog server to include
additional attributes. By default, for every object in the forest, the global catalog
server contains an object’s most common attributes. Applications and users can
query these attributes. For example, you can find a user by first name, last name,
e-mail address, or other common properties.
Additional Reading
• Microsoft Technet article: Domain Controller Roles (Global Catalog Partial
Attribute Set section)
Demonstration: Configuring Global Catalog Servers
Questions: What types of errors or user experiences would lead you to investigate
whether you needed to configure another server as a global catalog server?
What are reasons why you would choose to replicate an attribute to the global
catalog?
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
What Are Operations Master Roles?
Key Points
Active Directory is designed as a multimaster replication system. However, for
certain directory operations, only a single authoritative server is required. The
domain controllers that perform specific roles are known as operations masters.
The domain controllers that hold operations master roles are designated to
perform specific tasks to ensure consistency and to eliminate the potential for
conflicting entries in the Active Directory database.
Additional Reading
• Microsoft Technet article: To add an attribute to the global catalog
Demonstration: Managing Operation Master Roles
Questions: Under what circumstances might you need to seize an operations
master role immediately rather than wait a few hours for a domain controller
currently holding the role to be repaired?
You are deploying the first domain controller in a new domain that will be a new
domain tree in the WoodgroveBank.com forest. What operations master roles will
this server hold by default?
Additional Reading
• Microsoft Technet article: Manage Operations Master Roles
How Windows Time Service Works
Key Points
The Windows Time service, also known as W32Time, synchronizes the date and
time for all computers running on a Windows Server 2008 network. The Windows
Time service uses the Network Time Protocol (NTP) to ensure highly accurate time
settings throughout your network. You also can integrate the Windows Time
service with external time sources.
Additional Reading
• Microsoft Technet article: Windows Time Service Technical Reference
• Microsoft Technet article: Configuring a time source for the forest
Lab: Implementing Read-Only Domain
Controllers and Managing Domain Controller
Roles
Scenario:
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is preparing to deploy domain controllers in several branch
offices. The Enterprise Administrator created a design that requires read-only
domain controllers to be deployed on servers running Windows Server 2008 in all
branch offices. Your task is to deploy a domain controller in a branch office that
meets these requirements.
Exercise 1: Evaluating Forest and Server Readiness for
Installing an RODC
Woodgrove Bank has begun their deployment of Windows Server 2008. The
organization has deployed several domain controllers at the corporate
headquarters and is now preparing to deploy domain controllers in several of the
branch offices. The Enterprise Administrator has created a design that requires
read-only domain controllers to be deployed on servers running Windows Server
2008 in all branch offices.
Your task is to deploy a domain controller in a branch office that meets these
requirements.
Note: Due to the limitations of the virtual lab environment, you will be installing the
RODC in the same site as the existing domain controllers. In a production
environment, you would complete the same steps even if the RODC was in a
different site.
The main tasks are as follows:
1. Start 6425A-NYC-DC1 and log on as Administrator.
2. Start 6425A-NYC-DC2 and log on as Administrator.
3. Start 6425A-NYC-SVR1 and log on as Administrator.
4. Verify the forest and domain functional level are compatible with an RODC
deployment.
5. Verify the availability of a writeable domain controller running Windows
Server 2008.
6. Configure the computer account settings for the RODC.
Task 1: Start 6425A-NYC-DC1 and log on as Administrator
• Start 6425A-NYC-DC1 and log on as Administrator using the password
Pa$$w0rd.
Task 2: Start 6425A-NYC-DC2 and log on as Administrator
• Start 6425A-NYC-DC2 and log on as Administrator using the password
Pa$$w0rd.
Task 3: Start 6425A-NYC-SVR1 and log on as Administrator
• Start 6425A-NYC-SVR1 and log on as Administrator using the password
Pa$$w0rd.
Task 4: Verify the forest and domain functional level are compatible
with an RODC deployment
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click WoodgroveBank.com and verify that the domain functional level
and the forest functional level are set to Windows Server 2003.
Task 5: Verify the availability of a writeable domain controller running
Windows Server 2008
1. In Active Directory Users and Computers, check the properties for NYC-DC1.
2. Verify that the operating system name is Windows Server 2008 Enterprise.
Task 6: Configure the computer account settings for the RODC
1. On NYC-SVR1, open Server Manager.
2. Click Change System Properties, and on the Computer Name tab, change the
computer name to TOR-DC1.
3. Restart the computer.
Result: At the end of this exercise, you will have verified that the domain and the
computer are ready to install an RODC.
Exercise 2: Installing and Configuring an RODC
You will install the RODC server role on the Windows Server 2008 computer. To
do this, you will prestage the computer account that the RODC will use. As part of
the prestaging, you will configure an administrative group with permissions to
install the domain controller.
After the installation is complete, you will verify that the installation completed
successfully. You also will configure password-replication policies for users that log
on to the domain controller.
The main tasks are as follows:
1. Pre-stage the computer account for the RODC.
2. Log on to TOR-DC1 as Administrator.
3. Install the RODC using the existing account. Use WoodgroveBank\Axel as the
account with credentials to perform the installation.
4. Verify the successful installation of the domain controller.
5. Configure a password replication policy that enables credential caching for all
user accounts in Toronto.
Task 1: Pre-stage the computer account for the RODC
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click the Domain Controllers organizational unit and click Pre-create
Read-only Domain Controller account.
3. Complete the Active Directory Domain Services Installation Wizard using the
following selections:
a. Use advanced mode installation
b. Use the current credentials.
c. Computer name: TOR-DC1
d. Default site
e. Install only the DNS and RODC options
f. Delegate permission to install the RODC to Axel Delgado
Task 2: Log on to TOR-DC1 as Administrator
• Log on as Administrator using the password Pa$$w0rd.
Task 3: Install the RODC using the existing account. Use
WoodgroveBank\Axel as the account with credentials to perform the
installation
1. On TOR-DC1, open a command prompt and type dcpromo
/UseExistingAccount:Attach, and then press ENTER.
2. Complete the Active Directory Domain Services Installation Wizard using the
following selections:
a. Use advanced mode installation
b. Provide Axel as the alternative credential
c. Use TOR-DC1 as the computer name
d. Use NYC-DC1.WoodgroveBank.com as the source domain controller
e. Accept the default location for the Database, Log Files, and SYSVOL files.
f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator
Password
3. Reboot the computer when the installation finishes.
Task 4: Verify the successful installation of the domain controller
1. After NYC-SVR1 restarts, log on as Axel with a password of Pa$$w0rd.
2. In Server Manager, verify that the Active Directory Domain Services server role is
installed.
3. Verify that all required services are running.
4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in
the Domain Controllers organizational unit.
5. Verify that you do not have permission to add or remove domain objects.
6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the
Servers list for the Default-First-Site-Name.
7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have
been created.
8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects
have been created for replication with TOR-DC1.
9. Open Event Viewer. In the Directory Service log, locate and view a message
with an event ID of 1128. This event ID verifies that a replication connection
object has been created between NYC-DC1 and TOR-DC1.
Task 5: Configure a password replication policy that enables credential
caching for all user accounts in Toronto
1. On NYC-DC1, in Active Directory Users and Computers, access the TOR-
DC1 Properties dialog box.
2. Add all of the Toronto groups to the Password replication policy.
Result: At the end of this exercise, you will have installed an RODC and configured
its password replication policy.
Exercise 3: Configuring AD DS Domain Controller Roles
You will configure the RODC installed in the previous exercise as a global catalog
server. You also will assign operation master roles to an additional domain
controller in the domain.
The main tasks are as follows:
1. Use Active Directory Sites and Services to configure TOR-DC1 as a global
catalog server.
2. Configure NYC-DC2 as the infrastructure master and domain naming master
for the WoodgroveBank.com domain.
3. Add the Department attribute to the global catalog.
4. Shut down all virtual machines.
Task 1: Use Active Directory Sites and Services to configure TOR-DC1
as a global catalog server
1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1
computer account.
2. Access the NTDS Settings, and select the Global Catalog check box.
Task 2: Configure NYC-DC2 as the infrastructure master and domain
naming master for the WoodgroveBank.com domain
1. On NYC-DC1, in Active Directory Users and Computers, change the
console’s focus to NYC-DC1.WoodgroveBank.com and then click OK.
2. Right-click WoodgroveBank.com, and then click Operations Masters.
Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com.
3. On NYC-DC2, open Active Directory Domains and Trusts. Access the
Operations Master settings and transfer the domain naming operations
master role to NYC-DC2.
Task 3: Add the Department attribute to the global catalog
1. On NYC-DC1, use the regsvr32 schmmgmt.dll command to register the Active Directory
Schema snap-in.
2. Create a new MMC and add the Active Directory Schema snap-in.
3. In the Active Directory Schema, access the Department attribute and
configure the attribute to replicate to the Global Catalog.
Task 4: Shut down all virtual machines and discard any changes
Result: At the end of this exercise, you will have configured a global catalog server and
configured AD DS domain controller roles.
Module Review and Takeaways
Review Questions
1. You are deploying a domain controller in a branch office. The branch office
does not have a highly secure server room so you are concerned about the
security of the server. What two Windows Server 2008 features can you take
advantage of to enhance the security of the domain controller deployment?
2. You must create a new domain by installing a domain controller in your Active
Directory infrastructure. You are reviewing the inventory list of available
servers for this purpose. Which of the following computers could be used as a
domain controller?
A. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB)
free hard disk space, TCP/IP.
B. Windows Server 2008 Enterprise Edition, NTFS file system, 500
megabyte (MB) free hard disk space, TCP/IP.
C. Windows Server 2008 Server Core Enterprise Edition, NTFS file system,
1 GB free hard disk space, TCP/IP.
D. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free
hard disk space, TCP/IP.
3. You are deploying an RODC in a branch office. You need to ensure that all users
in the branch office can authenticate even if the WAN connection from the
branch office is not available. Only the users who normally log on in the
branch office should be able to do this. How would you configure the
password replication policy?
4. You need to install a domain controller by using the install from media option.
What steps do you need to take to complete this process?
5. Will you be deploying RODCs in your AD DS environment? Describe the
deployment scenario.
6. You are deploying a domain controller in a branch office. The office has a
WAN connection to the main office that has very little available bandwidth and
is not very reliable. Should you configure the branch office domain controller
as a global catalog server?
Considerations
Keep the following considerations in mind when you are implementing RODCs
and managing domain controller roles:
• You can install the AD DS Server role on all Windows Server 2008 editions
except Windows Server 2008 Web Server Edition.
• Consider installing an RODC on a Windows Server 2008 Server Core computer
to provide additional security for your domain environment.
• To install AD DS on a Server Core computer, you must use an unattended
installation.
• Plan the password replication policies carefully in your organization. If you
enable credential caching for most of the accounts in your domain, you will
increase the impact to your organization if the RODC is compromised. If you
do not enable any credential caching, you increase the impact to the branch
office location if the WAN link to the main office is not available.
• In most cases, deploying a global catalog server in a site will improve the logon
experience for users. However, deploying a global catalog in a remote office
also increases the network traffic used for replication.
• Operation master roles provide important services on a network but the
services are not usually time critical. Most of the time, if a domain controller
holding an operation master role fails, you do not immediately need to seize
the role to another domain controller if the failed server can be repaired within
a few hours.
Material modulo04 asf6501(6425-a_01)

  • 1. Implementing Active Directory® Domain Services 1-1 Module 1 Implementing Active Directory® Domain Services Contents: Lesson 1: Installing Active Directory Domain Services 1-3 Lesson 2: Deploying Read-Only Domain Controllers 1-14 Lesson 3: Configuring AD DS Domain Controller Roles 1-22 Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles 1-29 BETA COURSEWARE. EXPIRES 4/11/2008
  • 2. 1-2 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Module Overview Active Directory® Domain Services (AD DS) is installed as a server role in Windows Server® 2008. You have several choices to make when you install AD DS and run the Active Directory Installation Wizard. You must choose whether to create a new domain or add a domain controller to an existing domain. You also have the option of installing AD DS on a server running Windows Server 2008 Server Core or installing read-only domain controllers. After deploying the domain controllers, you also must manage special domain controller roles, such as the global catalog and operations masters. BETA COURSEWARE. EXPIRES 4/11/2008
  • 3. Implementing Active Directory® Domain Services 1-3 Lesson 1: Installing Active Directory Domain Services Windows Server 2008 provides several ways to install and configure Active Directory Domain Services. This lesson describes the standard AD DS installation, and then also describes some of the other options that are available when performing the installation. BETA COURSEWARE. EXPIRES 4/11/2008
  • 4. 1-4 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Requirements for Installing AD DS Key Points To install Active Directory Domain Services, the server must meet the following requirements: Windows Server 2008 operating system must be is installed. AD DS can only be installed on the following editions: • Windows Server 2008, Standard Edition • Windows Server 2008, Enterprise Edition • Windows Server 2008, Datacenter edition Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Requirements for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 5. Implementing Active Directory® Domain Services 1-5 What Are Domain and Forest Functional Levels? Key Points In Windows Server 2008, forest and domain functionality provides a way to enable forest-wide or domain-wide Active Directory features in your network environment. Different levels of forest and domain functionality are available, depending on domain and forest functional level. Additional Reading • Active Directory Domain Services Help: Set the domain or forest functional level • Microsoft Technet article: Appendix of Functional Level Features BETA COURSEWARE. EXPIRES 4/11/2008
  • 6. 1-6 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services AD DS Installation Process Key Points To configure a Windows Server 2008 domain controller, you must install the AD DS server role and run the Active Directory Domain Services Installation wizard. Do this using one of the following processes: • Install the Server role by using Server Manager, and then run the installation wizard by running DCPromo or the installation wizard from Server Manager. • Run DCPromo from the Run command or a command prompt. This will install the AD DS server role and then start the installation wizard. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest and Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 7. Implementing Active Directory® Domain Services 1-7 Advanced Options for Installing AD DS Key Points Some of the Active Directory Domain Services Installation Wizard pages appear only if you select the Use advanced mode installation check box on the Welcome page of the wizard or by running DCPromo with the /adv switch. If you do not run the installation wizard in advanced mode, the wizard uses default options that apply to most configurations. Question: When would you use the advanced options mode in your organization? Additional Reading • Active Directory Domain Services Help: Use advanced mode installation • Microsoft Technet article: What's New in AD DS Installation and Removal BETA COURSEWARE. EXPIRES 4/11/2008
  • 8. 1-8 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS from Media Key Points Before you can use backup media as the source for installing a domain controller, use Ntdsutil.exe to create the installation media. Question: Which types of installation media will you use in your organization? Additional Reading • Microsoft Technet article: Installing AD DS from Media BETA COURSEWARE. EXPIRES 4/11/2008
  • 9. Implementing Active Directory® Domain Services 1-9 Demonstration: Verifying the AD DS installation Question: What steps would you take if you noticed that the domain controller installation failed? Additional Reading • Microsoft Technet article: Verifying an AD DS Installation • Microsoft Technet article: Verifying Active Directory Installation BETA COURSEWARE. EXPIRES 4/11/2008
  • 10. 1-10 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Upgrading to Windows Server 2008 AD DS Key Points To install a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain, complete the following steps: • If the domain controller is the first Windows Server 2008 domain controller in the forest, you must prepare the forest for Windows Server 2008 by extending the schema on the schema operations master. To extend the schema, run adprep /forestprep. The adprep tool is located on the Windows Server 2008 installation media. • If the domain controller is the first Windows Server 2008 domain controller in a Windows 2000 Server domain, you must first prepare the domain by running adprep /domainprep /gpprep on the infrastructure master. The gpprep switch adds inheritable access control entry (ACEs) to the Group Policy Objects (GPO) that are located in the SYSVOL shared folder and synchronizes the SYSVOL shared folder among the controllers in the domain. BETA COURSEWARE. EXPIRES 4/11/2008
  • 11. Implementing Active Directory® Domain Services 1-11 • If the domain controller is the first Windows Server 2008 domain controller in a Windows Server 2003 domain, you must prepare the domain by running adprep /domainprep on the infrastructure master. • After you install a writeable domain controller, you can install an RODC in the Windows Server 2003 forest. Before doing this, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. If the RODC will be a global catalog server, then you must run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. By running adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server. Additional Reading • Active Directory Domain Services Help: Installing Active Directory Domain Services • Microsoft Technet article: Installing a New Windows Server 2008 Forest: • Microsoft Technet article: Scenarios for Installing AD DS BETA COURSEWARE. EXPIRES 4/11/2008
  • 12. 1-12 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Installing AD DS on a Server Core Computer Key Points To install AD DS on a Windows Server 2008 computer running Server Core, you must use an unattended setup. Windows Server 2008 Server Core does not provide a graphical user interface (GUI) so you cannot run the Active Directory Domain Services installation wizard. To perform an unattended install of AD DS, use an answer file and the following syntax with the Dcpromo command: Dcpromo /answer[:filename] Where filename is the name of your answer file. Additional Reading • Microsoft Technet article: Appendix of Unattended Installation Parameters BETA COURSEWARE. EXPIRES 4/11/2008
  • 13. Implementing Active Directory® Domain Services 1-13 Discussion: Common Configuration for AD DS Key Points After installing a domain controller, you may need to perform additional tasks in your environment. You can access checklists for the following common configurations for AD DS in Server Manager, under Resources and Support. Additional Reading • AD DS Help: Common Configurations for Active Directory Domain Services BETA COURSEWARE. EXPIRES 4/11/2008
  • 14. 1-14 6425A: Configuring Windows Server® 2008 Active Directory® Domain Services Lesson 2: Deploying Read-Only Domain Controllers One of the important new features in Windows Server 2008 is the option to use read-only domain controllers (RODCs). RODCs provide all of the functionality that clients require while providing additional security for domain controllers deployed in branch offices. When configuring RODCs, you can specify which user account passwords will be cached on the server and configure delegated administrative permissions for the domain controller. This lesson describes how to install and configure RODCs. BETA COURSEWARE. EXPIRES 4/11/2008
  • 15. What Is a Read-Only Domain Controller?
    Key Points
    An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy that the RODC stores, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC.
    Additional Reading
    • Microsoft Technet article: AD DS: Read-Only Domain Controllers
  • 16. Read-Only Domain Controller Features
    Key Points
    See the list on the slide.
    Additional Reading
    • Microsoft Technet article: AD DS: Read-Only Domain Controllers
    • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
  • 17. Preparing to Install the RODC
    Key Points
    Before you can install an RODC, you must prepare the AD DS environment by completing the following steps:
    • Configure the domain and forest functional level
    • Plan for Windows Server 2008 domain controller availability
    • Prepare the forest and domain
    Additional Reading
    • AD DS Help: Delegate read-only domain controller installation and administration
    • Microsoft Technet article: AD DS: Read-Only Domain Controllers
    • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
  • 18. Installing the RODC
    Key Points
    The RODC installation is almost identical to the installation of AD DS on a domain controller with a writeable copy of the database. However, there are a few extra steps.
    Additional Reading
    • AD DS Help: Delegate read-only domain controller installation and administration
    • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
  • 19. Delegating the RODC Installation
    Key Points
    You can delegate the installation of an RODC by performing a two-stage installation.
    Question: What are the benefits of delegating an RODC installation?
    Additional Reading
    • AD DS Help: Delegate read-only domain controller installation and administration
    • Microsoft Technet article: AD DS: Read-Only Domain Controllers
    • Microsoft Technet article: Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Beta 3
  • 20. What Are Password Replication Policies?
    Key Points
    When you deploy an RODC, you can configure a Password Replication Policy for the RODC. The Password Replication Policy acts as an access control list (ACL) that determines whether an RODC is permitted to cache a password. The Password Replication Policy lists the accounts that you explicitly allow to be cached and those that you do not. The password for an account is not actually cached on the RODC until after the first time the user or computer account is authenticated through the RODC.
    Additional Reading
    • AD DS Online Help: Specify Password Replication Policy
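The policy behaviour described above, modelled as an added Python example that is not part of the courseware: deny entries override allow entries, unlisted accounts are not cached, and a password is stored only after the account first authenticates through the RODC. All accounts, the Executives group and the Toronto groups are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    authenticated_via_rodc: bool = False  # has logged on through the RODC at least once


@dataclass(frozen=True)
class PasswordReplicationPolicy:
    allowed: frozenset
    denied: frozenset

    def decision(self, account):
        """Deny entries win over allow entries; unlisted accounts are not cached."""
        principals = account.groups | {account.name}
        if principals & self.denied:
            return "denied"
        if principals & self.allowed:
            return "allowed"
        return "not listed"

    def is_cached(self, account):
        # Being allowed is not enough: the password is stored only after the
        # account has authenticated through the RODC for the first time.
        return self.decision(account) == "allowed" and account.authenticated_via_rodc


def cached_on_rodc(policy, accounts):
    """Accounts whose passwords would be exposed if the RODC were compromised."""
    return sorted(a.name for a in accounts if policy.is_cached(a))


def sensitive_but_cacheable(policy, accounts, sensitive_groups):
    """Members of sensitive groups that the policy still allows to be cached."""
    return sorted(a.name for a in accounts
                  if a.groups & sensitive_groups and policy.decision(a) == "allowed")


# Constructed directory data for a Toronto branch office.
ACCOUNTS = [
    Account("axel", frozenset({"Domain Users", "Toronto Users"}), True),
    Account("tor-ws1$", frozenset({"Domain Computers", "Toronto Computers"}), True),
    Account("dana", frozenset({"Domain Users", "Executives"}), True),
    Account("admin", frozenset({"Domain Users", "Domain Admins"}), True),
    Account("newhire", frozenset({"Domain Users"}), False),
]
SENSITIVE = frozenset({"Domain Admins", "Executives"})

# Weak: caches nearly everyone and forgets to deny the Executives group.
WEAK = PasswordReplicationPolicy(
    allowed=frozenset({"Domain Users", "Domain Computers"}),
    denied=frozenset({"Domain Admins"}))
# Corrected: only branch accounts are allowed, sensitive groups are denied.
BRANCH_ONLY = PasswordReplicationPolicy(
    allowed=frozenset({"Toronto Users", "Toronto Computers"}),
    denied=SENSITIVE)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("branch only", BRANCH_ONLY)):
        print(label, "cached:", cached_on_rodc(policy, ACCOUNTS),
              "sensitive but cacheable:",
              sensitive_but_cacheable(policy, ACCOUNTS, SENSITIVE))
```
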
  • 21. Demonstration: Configuring Administrator Role Separation and Password Replication Policies
    Questions:
    • What is an alternative way to configure administrator role separation and password replication policies?
    • Your organization has deployed two RODCs. How would you configure the password replication policy if you wanted the credentials for all user accounts and computer accounts except for administrators and executives to be cached on both RODCs?
    Additional Reading
    • AD DS Help: Specify Password Replication Policy
  • 22. Lesson 3: Configuring AD DS Domain Controller Roles
    All domain controllers in a domain are essentially equal, meaning they all contain the same data and provide the same services. However, you also can assign special roles to domain controllers to provide additional services or address scenarios in which only one domain controller should provide services at any given time. This lesson describes how to configure and manage global catalog servers and operations masters.
  • 23. What Are Global Catalog Servers?
    Key Points
    The global catalog is a partial, read-only replica of all domain directory partitions in a forest. The global catalog is a partial replica because it includes only a limited set of attributes for each of the forest’s objects. By including only the attributes that are used the most for searching, the database of a single global catalog server can represent every object in every domain in the forest.
    The global catalog server hosts the global catalog and its domain information. Active Directory automatically configures the first domain controller in the forest as a global catalog server. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.
    Additional Reading
    • Microsoft Technet article: Domain Controller Roles
  • 24. Modifying the Global Catalog
    Key Points
    Sometimes you may want to customize the global catalog server to include additional attributes. By default, for every object in the forest, the global catalog server contains an object’s most common attributes. Applications and users can query these attributes. For example, you can find a user by first name, last name, e-mail address, or other common properties.
    Additional Reading
    • Microsoft Technet article: Domain Controller Roles (Global Catalog Partial Attribute Set section)
  • 25. Demonstration: Configuring Global Catalog Servers
    Questions:
    • What types of errors or user experiences would lead you to investigate whether you needed to configure another server as a global catalog server?
    • What are reasons why you would choose to replicate an attribute to the global catalog?
    Additional Reading
    • Microsoft Technet article: To add an attribute to the global catalog
  • 26. What Are Operations Master Roles?
    Key Points
    Active Directory is designed as a multimaster replication system. However, for certain directory operations, only a single authoritative server is required. The domain controllers that perform specific roles are known as operations masters. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database.
    Additional Reading
    • Microsoft Technet article: To add an attribute to the global catalog
  • 27. Demonstration: Managing Operation Master Roles
    Questions:
    • Under what circumstances might you need to seize an operations master role immediately rather than wait a few hours for a domain controller currently holding the role to be repaired?
    • You are deploying the first domain controller in a new domain that will be a new domain tree in the WoodgroveBank.com forest. What operations master roles will this server hold by default?
    Additional Reading
    • Microsoft Technet article: Manage Operations Master Roles
  • 28. How Windows Time Service Works
    Key Points
    The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running on a Windows Server 2008 network. The Windows Time service uses the Network Time Protocol (NTP) to ensure highly accurate time settings throughout your network. You also can integrate the Windows Time service with external time sources.
    Additional Reading
    • Microsoft Technet article: Windows Time Service Technical Reference
    • Microsoft Technet article: Configuring a time source for the forest
  • 29. Lab: Implementing Read-Only Domain Controllers and Managing Domain Controller Roles
    Scenario: Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is preparing to deploy domain controllers in several branch offices. The Enterprise Administrator created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements.
  • 30. Exercise 1: Evaluating Forest and Server Readiness for Installing an RODC
    Woodgrove Bank has begun their deployment of Windows Server 2008. The organization has deployed several domain controllers at the corporate headquarters and is now preparing to deploy domain controllers in several of the branch offices. The Enterprise Administrator has created a design that requires read-only domain controllers to be deployed on servers running Windows Server 2008 in all branch offices. Your task is to deploy a domain controller in a branch office that meets these requirements.
    Note: Due to the limitations of the virtual lab environment, you will be installing the RODC in the same site as the existing domain controllers. In a production environment, you would complete the same steps even if the RODC was in a different site.
    The main tasks are as follows:
    1. Start 6425A-NYC-DC1 and log on as Administrator.
    2. Start 6425A-NYC-SVR1 and log on as Administrator.
    3. Start 6425A-NYC-SVR1 and log on as Administrator.
    4. Verify the forest and domain functional level are compatible with an RODC deployment.
    5. Verify the availability of a writeable domain controller running Windows Server 2008.
    5. Configure the computer account settings for the RODC.
    Task 1: Start 6425A-NYC-DC1 and log on as Administrator
    • Start 6425A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.
  • 31.
    Task 2: Start 6425A-NYC-DC2 and log on as Administrator
    • Start 6425A-NYC-DC2 and log on as Administrator using the password Pa$$w0rd.
    Task 3: Start 6425A-NYC-SVR1 and log on as Administrator
    • Start 6425A-NYC-SVR1 and log on as Administrator using the password Pa$$w0rd.
    Task 3: Verify the forest and domain functional level are compatible with an RODC deployment
    1. On NYC-DC1, open Active Directory Users and Computers.
    2. Right-click WoodgroveBank.com and verify that the domain functional level and the forest functional level are set to Windows Server 2003.
    Task 4: Verify the availability of a writeable domain controller running Windows Server 2008
    1. In Active Directory Users and Computers, check the properties for NYC-DC1.
    2. Verify that the operating system name is Windows Server 2008 Enterprise.
    Task 5: Configure the computer account settings for the RODC
    1. On NYC-SVR1, open Server Manager.
    2. Click Change System Properties, and on the Computer Name tab, change the computer name to TOR-DC1.
    3. Restart the computer.
    Result: At the end of this exercise, you will have verified that the domain and the computer are ready to install an RODC.
  • 32. Exercise 2: Installing and Configuring an RODC
    You will install the RODC server role on the Windows Server 2008 computer. To do this, you will prestage the computer account that the RODC will use. As part of the prestaging, you will configure an administrative group with permissions to install the domain controller. After the installation is complete, you will verify that the installation completed successfully. You also will configure password-replication policies for users that log on to the domain controller.
    The main tasks are as follows:
    1. Pre-stage the computer account for the RODC.
    2. Log on to TOR-DC1 as Administrator.
    3. Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation.
    4. Verify the successful installation of the domain controller.
    5. Configure a password replication policy that enables credential caching for all user accounts in Toronto.
    Task 1: Pre-stage the computer account for the RODC
    1. On NYC-DC1, open Active Directory Users and Computers.
    2. Right-click the Domain Controllers organizational unit and click Pre-create Read-only Domain Controller account.
    3. Complete the Active Directory Domain Services Installation Wizard using the following selections:
       a. Use advanced mode installation
       b. Use the current credentials
       c. Computer name: TOR-DC1
       d. Default site
       e. Install only the DNS and RODC options
       f. Delegate permission to install the RODC to Axel Delgado
  • 33.
    Task 2: Log on to TOR-DC1 as Administrator
    • Log on as Administrator using the password Pa$$w0rd.
    Task 3: Install the RODC using the existing account. Use WoodgroveBank\Axel as the account with credentials to perform the installation
    1. On TOR-DC1, open a command prompt and type dcpromo /UseExistingAccount:Attach, and then press ENTER.
    2. Complete the Active Directory Domain Services Installation Wizard using the following selections:
       a. Use advanced mode installation
       b. Provide Axel as the alternative credential
       c. Use TOR-DC1 as the computer name
       d. Use NYC-DC1.WoodgroveBank.com as the source domain controller
       e. Accept the default location for the Database, Log Files, and SYSVOL files
       f. Use Pa$$w0rd as the Directory Services Restore Mode Administrator Password
    3. Reboot the computer when the installation finishes.
    Task 4: Verify the successful installation of the domain controller
    1. After NYC-SRV1 restarts, log on as Axel with a password of Pa$$w0rd.
    2. In Server Manager, verify that the Active Directory Domain Services server role is installed.
    3. Verify that all required services are running.
    4. In Active Directory Users and Computers, verify that TOR-DC1 is listed in the Domain Controllers organizational unit.
    5. Verify that you do not have permission to add or remove domain objects.
  • 34.
    6. In Active Directory Sites and Services, verify that TOR-DC1 is listed in the Servers list for the Default-First-Site-Name.
    7. Check the NTDS Settings for TOR-DC1. Confirm that connection objects have been created.
    8. Check the NTDS Settings for NYC-DC1. Confirm that no connection objects have been created for replication with TOR-DC1.
    9. Open Event Viewer. In the Directory Service log, locate and view a message with an event ID of 1128. This event ID verifies that a replication connection object has been created between NYC-DC1 and TOR-DC1.
    Task 5: Configure a password replication policy that enables credential caching for all user accounts in Toronto
    1. On NYC-DC1, in Active Directory Users and Computers, access the TOR-DC1 Properties dialog box.
    2. Add all of the Toronto groups to the Password replication policy.
    Result: At the end of this exercise, you will have installed an RODC and configured the RODC password replication policy for the RODC.
  • 35. Exercise 3: Configuring AD DS Domain Controller Roles
    You will configure the RODC installed in the previous exercise as a global catalog server. You also will assign operation master roles to an additional domain controller in the domain.
    The main tasks are as follows:
    1. Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server.
    2. Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain.
    3. Add the Department attribute to the global catalog.
    4. Shut down all virtual machines.
    Task 1: Use Active Directory Sites and Services to configure TOR-DC1 as a global catalog server
    1. On NYC-DC1, in Active Directory Sites and Services, locate the TOR-DC1 computer account.
    2. Access the NTDS Settings, and select the Global Catalog check box.
    Task 2: Configure NYC-DC2 as the infrastructure master and domain naming master for the WoodgroveBank.com domain
    1. On NYC-DC1, in Active Directory Users and Computers, change the console’s focus to NYC-DC1.WoodgroveBank.com and then click OK.
    2. Right-click WoodgroveBank.com, and then click Operations Masters. Transfer the infrastructure master role to NYC-DC2.WoodgroveBank.com.
    3. On NYC-DC2, open Active Directory Domains and Trusts. Access the Operations Master settings and transfer the domain naming operations master role to NYC-DC2.
  • 36.
    Task 3: Add the Department attribute to the global catalog
    1. On NYC-DC1, use the regsvr32 schmmgmt.dll command to register the Active Directory Schema snap-in.
    2. Create a new MMC and add the Active Directory Schema snap-in.
    3. In the Active Directory Schema, access the Department attribute and configure the attribute to replicate to the Global Catalog.
    Task 4: Shut down all virtual machines and discard any changes
    Result: At the end of this exercise, you will have configured a global catalog server and configured AD DS domain controller roles.
  • 37. Module Review and Takeaways
    Review Questions
    1. You are deploying a domain controller in a branch office. The branch office does not have a highly secure server room, so you are concerned about the security of the server. What two Windows Server 2008 features can you take advantage of to enhance the security of the domain controller deployment?
    2. You must create a new domain by installing a domain controller in your Active Directory infrastructure. You are reviewing the inventory list of available servers for this purpose. Which of the following computers could be used as a domain controller?
       A. Windows Server 2008 Web Edition, NTFS file system, 1 gigabyte (GB) free hard disk space, TCP/IP.
       B. Windows Server 2008 Enterprise Edition, NTFS file system, 500 megabyte (MB) free hard disk space, TCP/IP.
  • 38.
       C. Windows Server 2008 Server Core Enterprise Edition, NTFS file system, 1 GB free hard disk space, TCP/IP.
       D. Windows Server 2008 Standard Edition, NTFS file system, 500 MB free hard disk space, TCP/IP.
    3. You are deploying an RODC in a branch office. You need to ensure that all users in the branch office can authenticate even if the WAN connection from the branch office is not available. Only the users who normally log on in the branch office should be able to do this. How would you configure the password replication policy?
    4. You need to install a domain controller by using the install from media option. What steps do you need to take to complete this process?
    5. Will you be deploying RODCs in your AD DS environment? Describe the deployment scenario.
    6. You are deploying a domain controller in a branch office. The office has a WAN connection to the main office that has very little available bandwidth and is not very reliable. Should you configure the branch office domain controller as a global catalog server?
    Considerations
    Keep the following considerations in mind when you are implementing RODCs and managing domain controller roles:
    • You can install the AD DS Server role on all Windows Server 2008 editions except Windows Server 2008 Web Server Edition.
    • Consider installing an RODC on a Windows Server 2008 Server Core computer to provide additional security for your domain environment.
    • To install AD DS on a Server Core computer, you must use an unattended installation.
    • Plan the password replication policies carefully in your organization. If you enable credential caching for most of the accounts in your domain, you will increase the impact to your organization if the RODC is compromised. If you do not enable any credential caching, you increase the impact to the branch office location if the WAN link to the main office is not available.
  • 39.
    • In most cases, deploying a global catalog server in a site will improve the logon experience for users. However, deploying a global catalog in a remote office also increases the network utilization for replication.
    • Operation master roles provide important services on a network, but the services are not usually time critical. Most of the time, if a domain controller holding an operation master role fails, you do not immediately need to seize the role to another domain controller if the failed server can be repaired within a few hours.