2008 R2 ADS Vocabulary - Session 1 Flashcards
Planning Active Directory Structure
In Windows Server 2008 R2, an Active Directory (AD) is used to store objects such as users, computers, and devices on a network and to organize these objects in a secure, hierarchical structure.
Domain
A collection of computers and devices on a network that is controlled and managed as a unit, through common rules and procedures.
Forest
A domain tree or a grouping of multiple domain trees, each with a unique namespace.
Namespace
A defined zone in which each name is unique and can be resolved to a unique object.
To create a new forest in a network,
you need to be a member of the local Administrators group on that server (the Enterprise Admins group does not exist until the forest root domain has been created). Additionally, you should have the DNS infrastructure planned in detail and know the full DNS name that will be assigned to the forest root domain, because it cannot be changed afterwards without a forest restructure.
Identifying the business requirements for a directory structure involves the following:
- Identifying dependencies between the groups in an organization, in terms of accessing network resources
- Determining whether each group wants to isolate its resources from other groups on the network
- Determining the number of forests that need to be created in order to meet the organization’s demands
Once you have identified business requirements and the needed number of forests, begin planning your domain design. You should first identify the following:
- The factors that influence the domain design model, such as what resources are available and how extensive the network should be
- The number of domains required in each forest, which is determined by the number of users, how frequently data changes across the network, and the speed of the links between the domains
- Whether to upgrade the existing domains or deploy new ones
To perform an unattended installation or removal of AD DS in Windows Server 2008 R2
you can use the dcpromo command.
THE ACTIVE DIRECTORY MIGRATION TOOL
The Functions of the ADMT
The Active Directory Migration Tool (ADMT) enables you to easily move users, groups, and computers from one domain to another. For example, when upgrading your server operating system from Windows Server 2003 to Windows Server 2008 R2, you use the ADMT to migrate objects from the original domain to the new domain.
Remember that an interforest migration clones objects from the source domain into the target domain (the source objects remain until you disable or delete them), whereas an intraforest migration moves them. In both cases the ADMT preserves or adjusts the objects' attributes so that they remain usable in the new domain.
ADMT features
Low Client Impact
The ADMT dispatches its agent to the computers it migrates or on which it translates security, and removes the agent when the task completes, so you do not have to install or uninstall software on each client by hand.
ADMT features
Migration of Security Settings
It migrates Security Identifier (SID) history attributes to a new domain, so that the security structure of the original domain is maintained.
ADMT features
Restructuring domains in the AD environment can involve using two types of migration
Interforest Migration
Intraforest Migration
ADMT features
Interforest Migration
Move resources between AD domains in different forests.
ADMT features
Intraforest Migration
Move resources between AD domains in the same forest.
ADMT features
The Migration Process
What tool do you use to migrate passwords and SID history?
Before you can migrate passwords from a Windows NT 4.0, Windows 2000 Server, or Windows Server 2003 domain to Windows Server 2008 R2 AD DS, install the Password Export Server (PES) service on a domain controller in the source domain. PES is installed with an encryption key that you first create on the ADMT computer in the target domain (admt key) and copy to the source DC. SID history migration does not need PES; it needs auditing of account management enabled in both domains, the <SourceNetBIOSName>$$$ local group on the source PDC emulator, and the TcpipClientSupport registry value on that DC, all of which the ADMT user migration wizard offers to configure for you.
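The key, PES and user-migration steps described above, as an added example built on the ADMT 3.2 command line; it is not part of the original flashcards. The source NetBIOS name OLDCORP, target domain corp.example.com, file paths, OU, user names and the PES service name are placeholders, and the admt switches should be checked against admt user /? for the ADMT version in use.

```powershell
# Added example: password key, PES and a user migration with ADMT 3.2.
# Run on the ADMT computer (a member server in the target domain) as an
# account that is an administrator in both domains. All names are placeholders.
$sourceNetbios = 'OLDCORP'
$targetDomain  = 'corp.example.com'
$targetOU      = 'OU=Migrated,DC=corp,DC=example,DC=com'
$keyFile       = 'C:\ADMT\oldcorp.pes'

# 1. Create the password encryption key for the source domain. '*' makes ADMT
#    prompt for the key password instead of leaving it in the command history.
admt key /option:create /sourcedomain:$sourceNetbios /keyfile:$keyFile /keypassword:*

# 2. Copy the .pes file to a DC in OLDCORP and install the Password Export
#    Server MSI (pwdmig.msi) there, pointing the installer at the key file.
#    The service is deliberately left stopped after installation: while it runs
#    it hands password hashes to the target domain, so start it only for the
#    migration window and stop it afterwards (service name is an assumption):
#      net start "Password Export Server Service"
#      net stop  "Password Export Server Service"

# 3. Migrate a batch of users, copying passwords (/PO:COPY) and adding the
#    source SIDs to sIDHistory (/MSS:YES) so existing ACLs keep working.
admt user /N "jsmith" "akhan" /SD:$sourceNetbios /TD:$targetDomain /TO:$targetOU /PO:COPY /MSS:YES

# 4. Confirm sIDHistory actually arrived before cutting users over; an empty
#    value here means step 3 silently fell back to a plain clone.
Import-Module ActiveDirectory
Get-ADUser -Filter 'SamAccountName -eq "jsmith"' -Properties SIDHistory |
    Select-Object SamAccountName, SIDHistory
```

Treat the .pes key file like a private key: it decrypts every password PES exports, so copy it over a protected channel and delete both copies when the migration is finished.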
ADMT features
The ADMT Role
As a systems administrator, you should also develop a migration test plan to enable you to test the validity of the migration plan systematically.
Once you have done this, you can use the test plan and the ADMT to check the results of the planned migration in a test environment.
The ADMT Reporting Wizard enables you to generate reports to assess the impact of a test migration. Each report is saved as a web page on the computer in the target domain where the ADMT is installed (normally a member server rather than a DC). You can choose to generate the following reports:
- Migrated User Accounts Report
- Migrated Computer Accounts Report
- Expired Computers Report
- Account References Report
- Account Name Conflicts Report
ADMT features
Upgrading an existing AD environment
What are the adprep commands
adprep /forestprep (once, on the schema master), adprep /domainprep with the optional /gpprep switch (once per domain, on its infrastructure master), and adprep /rodcprep (once, if read-only domain controllers are planned).
AD DS is responsible for authenticating computer and user accounts and therefore underpins the security of the whole network environment.
In addition to providing a structure for AD replication, sites simplify the following:
- Authentication
- Service Location
- Service Requests
An AD site can contain
several domains, and a domain can contain several sites.
You can define the physical sections of a network environment by using
subnets.
A subnet object is
a collection of computers and systems that are typically located near each other and that form separate partitions of the network.
A subnet can be compared to
a geographical area with several postal addresses that have the same postal code.
A site is
a group of related subnets or well-connected IP subnets.
DNS Configuration
The DNS resolves
the host names of computers in a network to IP addresses (forward lookup) and IP addresses back to host names (reverse lookup).
DNS also resolves
service locations. AD DS publishes its Kerberos and LDAP services as SRV records (for example _ldap._tcp.dc._msdcs.<forest name>) that list the domain controllers offering each service; a client picks one of those DCs and then resolves its host name to an IP address. If these records are missing or stale, clients cannot find a DC at all, so they are the first thing to check when logons or domain joins fail.
Once you have installed a new DNS server on a DC, you can configure it by doing the following:
- Creating a forward or reverse lookup zone
- Setting the types of updates it must allow
- Specifying whether queries must be forwarded and to which servers
- Creating root hints
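The zone, update, forwarder and SRV-record steps from the list above, worked through as an added example (not part of the original flashcards). The zone name corp.example.com, the reverse zone for 10.0.0.0/24 and the forwarder addresses are placeholders; dnscmd, nslookup, nltest and dcdiag are the standard Windows Server 2008 R2 tools.

```powershell
# Added example: configure the DNS server dcpromo installed on the first DC
# and verify the SRV records AD depends on. Zone, subnet and forwarder
# addresses are placeholders.
$zone    = 'corp.example.com'
$reverse = '0.0.10.in-addr.arpa'   # reverse zone for 10.0.0.0/24

# AD-integrated zones (/DsPrimary) replicate through AD to every DC that runs
# DNS, and AD integration is what makes secure dynamic updates possible.
dnscmd /ZoneAdd $zone /DsPrimary       # skip if dcpromo already created it
dnscmd /ZoneAdd $reverse /DsPrimary

# Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
# With 1, any host on the network can overwrite another host's A record and
# redirect its traffic; 2 requires the update to come from the record's owner.
dnscmd /Config $zone /AllowUpdate 2
dnscmd /Config $reverse /AllowUpdate 2

# Send queries the server is not authoritative for to upstream resolvers
# instead of walking the root hints from inside the network. (Root hints are
# loaded from cache.dns at install time; review them in DNS Manager.)
dnscmd /ResetForwarders 192.0.2.53 192.0.2.54

# The records every DC registers through Netlogon. If one is missing, run
# 'nltest /dsregdns' on the DC to re-register, then re-test.
function Test-DcSrvRecords {
    param([string]$Forest)
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_gc._tcp') {
        $name = "$svc.$Forest"
        $out  = nslookup -type=SRV $name 2>&1 | Out-String
        # Windows nslookup prints "svr hostname = <dc>" for each SRV answer.
        if ($out -match 'svr hostname') { "OK      $name" } else { "MISSING $name" }
    }
}
Test-DcSrvRecords -Forest $zone

# Full DNS health test for this DC (registration, delegation, forwarders).
dcdiag /test:dns
```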
Operations Masters
Definition
To ensure consistency of the schema and to prevent conflicting updates into the AD database, AD employs the Flexible Single Master Operations (FSMO) role - or operations master.
AD assigns the following two operations master roles to a DC in each forest (by default to the first domain controller in the forest root domain):
- Domain Naming Master (Note: it must be placed on a global catalog server only while the forest functional level is Windows 2000; from the Windows Server 2003 forest functional level onward this restriction no longer applies)
- Schema Master
AD assigns the following three operations master roles to a DC in each domain (by default to the first domain controller in each domain):
- PDC Emulator
- Infrastructure Master (Note: do not place the global catalog on the domain controller that holds the domain's infrastructure master role unless all domain controllers in the domain are global catalog servers or the forest has only one domain; otherwise the infrastructure master never updates cross-domain references)
- Relative Identifier (RID) Master
You can change the default configuration of the operations master roles by doing the following:
Transferring Roles
If an operations master is available and functional on a network, you can transfer an operations master role by moving it from one DC to another.
You can change the default configuration of the operations master roles by doing the following:
Seizing Roles
Seizing an operations master role means assigning the role to another DC when the DC that holds it has failed or is unreachable. Seize a role only if the original holder is permanently out of service, and never reconnect that DC to the network afterwards: two DCs claiming the same role (the RID master and schema master in particular) corrupt the directory. Reinstall it instead.
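The transfer and seize operations above, together with the infrastructure-master placement check from the role list, as an added example using the Windows Server 2008 R2 Active Directory module (not code from the original flashcards). The DC names DC1 and DC2, the domain DN and the assumption that DC1 is the dead role holder are placeholders.

```powershell
# Added example: locate, check, transfer and seize operations master roles.
# Needs the 2008 R2 AD PowerShell module, i.e. ADWS on at least one 2008 R2 DC.
# DC names and the domain DN are placeholders.
Import-Module ActiveDirectory

# 1. Who holds what. Forest-wide roles come from Get-ADForest, domain roles
#    from Get-ADDomain (run per domain in a multi-domain forest).
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. The infrastructure master must not be a GC unless every DC is a GC or the
#    forest has one domain; otherwise phantom (cross-domain) references rot.
function Test-InfrastructureMasterPlacement {
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $single = @((Get-ADForest).Domains).Count -eq 1
    if ($im.IsGlobalCatalog -and -not ($allGc -or $single)) {
        "WARNING: $($im.HostName) is both infrastructure master and GC; move one of them."
    } else {
        "Infrastructure master placement OK ($($im.HostName))."
    }
}
Test-InfrastructureMasterPlacement

# 3. Transfer: the current holder is online and hands the role over cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# 4. Seize: the holder (DC1) is permanently gone. -Force writes the role onto
#    DC2 without contacting DC1. DC1 must never come back online afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# 5. After a seizure, remove the dead DC's replication metadata so the
#    remaining DCs stop trying to replicate with it (DN is a placeholder):
# ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" quit quit

# 6. Confirm the new holders.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

netdom query fsmo gives the same picture from a DC that predates the PowerShell module, which matters during an upgrade when no 2008 R2 DC exists yet.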
Trusts and Trust Relationships (Logical Topology)
Trust Types
Trust relationships are created between domains and enable users in one domain to access resources in another domain. Members of the Domain Admins group can create and manage external and shortcut trusts; creating a forest trust requires membership in Enterprise Admins or in Domain Admins of the forest root domain.
Once you have planned the required AD structure, you can begin creating it. Creating a new forest involves creating its first - or root - domain. There are three ways you can do this:
- Using the Windows interface
- Using unattended installation parameters at the command line
- Using an answer file
Creating a Forest or Domain
The easiest way to create a domain is to use the Windows interface. To create a domain, you must do the following:
- Assign a static IP address to a Windows Server 2008 R2 server
- Use a wizard to add the Active Directory Domain Services (AD DS) role to the server
- Use a wizard to promote the server to a DC
Creating an Answer File
If you do not want to use the Windows interface, you can create a new forest by creating and running an answer file. A text editor of your choice can be used to create this answer file.
Specify a password that will be used for an offline administrator account in Directory Service Restore Mode.
After creating an answer file, you save it on the installation server, to a network shared folder, or to removable media for distribution.
To run the answer file, you use the dcpromo utility with the /unattend option, followed by a colon and the path to the answer file in double quotation marks. Because the file holds the Directory Services Restore Mode password in clear text, keep it on protected storage and delete it once the promotion has completed.
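The complete forest-creation procedure from the previous cards (static address, AD DS role, answer file, dcpromo /unattend), as an added example that is not part of the original flashcards. The forest name corp.example.com, NetBIOS name CORP, NIC name, addresses, file paths and the placeholder DSRM password are all assumptions to replace; the [DCInstall] keys are the ones dcpromo reads on Windows Server 2008 R2.

```powershell
# Added example: create a new forest unattended on Windows Server 2008 R2.
# Domain name, NIC name, addresses, paths and the DSRM password are placeholders.
$answerFile = 'C:\Deploy\newforest.txt'

# 1. A DC needs a static address, and it should use itself for DNS once the
#    DNS role is installed with it.
netsh interface ip set address name="Local Area Connection" static 10.0.0.10 255.255.255.0 10.0.0.1
netsh interface ip set dns name="Local Area Connection" static 10.0.0.10

# 2. Add the AD DS role binaries (dcpromo can also add them on demand).
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

# 3. The answer file: an INI-style [DCInstall] section. ForestLevel and
#    DomainLevel 4 = Windows Server 2008 R2. The DSRM password is stored in
#    clear text, so the file is written to a protected folder and destroyed
#    in step 5. RebootOnCompletion=No lets the cleanup run before the reboot.
@'
[DCInstall]
InstallDNS=Yes
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ReplicaOrNewDomain=Domain
ForestLevel=4
DomainLevel=4
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=Replace-This-DSRM-Password-1!
RebootOnCompletion=No
'@ | Set-Content -Path $answerFile -Encoding ASCII

# 4. Promote the server. The path to the answer file goes in double quotes.
dcpromo /unattend:"$answerFile"

# 5. Remove the answer file (and its clear-text DSRM password) before the
#    new DC reboots, then restart to finish the promotion.
Remove-Item -Path $answerFile -Force
Restart-Computer
```

The same [DCInstall] keys can be passed directly on the dcpromo command line (for example /NewDomain:Forest /NewDomainDNSName:corp.example.com) when you prefer not to write a file at all, at the cost of the password appearing in the command history.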
Before you can add a DC that runs Windows Server 2008 R2 to an existing forest whose DCs run earlier versions of Windows,
you must run the adprep /forestprep utility from the Windows Server 2008 R2 installation media. You run it only once, on the DC that holds the schema master role (use adprep32.exe if that DC is 32-bit), and the account must be a member of all three of the Schema Admins, Enterprise Admins, and Domain Admins groups of the forest root domain. Each domain that will receive a Windows Server 2008 R2 DC then also needs adprep /domainprep.
Raising Functional Level
To enable Windows Server 2008 R2's advanced AD DS features,
you raise the functional level of each domain, and then of the forest, to Windows Server 2008 R2. To do this, you should be a member of the Domain Admins group (domain level) or the Enterprise Admins group (forest level), and every DC in the domain (or forest) must already run Windows Server 2008 R2.
Raising a functional level is normally a one-way change. The single exception in this release is lowering from Windows Server 2008 R2 back to Windows Server 2008 with Set-ADDomainMode or Set-ADForestMode, which is possible only while the Active Directory Recycle Bin has not been enabled.
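The raise described above with the pre-checks a practitioner wants first, as an added example (not part of the original flashcards). It uses the Windows Server 2008 R2 Active Directory module and reads every name from the forest itself, so nothing beyond the module's availability is assumed.

```powershell
# Added example: raise domain and forest functional levels to 2008 R2 safely.
Import-Module ActiveDirectory

function Get-DCsNotAtVersion {
    # Every DC in every domain must already run the target OS or the raise is
    # refused. Listing them first shows exactly what to upgrade or demote.
    param([string]$Required = 'Windows Server 2008 R2')
    foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Where-Object { $_.OperatingSystem -notlike "$Required*" } |
            Select-Object HostName, Domain, OperatingSystem
    }
}

$lagging = @(Get-DCsNotAtVersion)
if ($lagging.Count -gt 0) {
    $lagging | Format-Table -AutoSize
    throw 'Upgrade or demote the DCs above before raising the functional level.'
}

# Domain level first, in every domain, then the forest level.
foreach ($d in (Get-ADForest).Domains) {
    Set-ADDomainMode -Identity $d -DomainMode Windows2008R2Domain -Confirm:$false
}
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest -Confirm:$false

# Verify.
Get-ADForest | Select-Object Name, ForestMode
foreach ($d in (Get-ADForest).Domains) { Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode }

# Rollback to Windows Server 2008 stays possible only while the Recycle Bin
# feature has an empty EnabledScopes; once it is enabled, 2008 R2 is permanent.
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin*"' | Select-Object Name, EnabledScopes
# Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest
```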
Joining a Client to a Domain
After configuring a domain, you can add
a client machine to the domain by configuring the client's system properties (Computer Name tab), or from the command line with netdom join or the Add-Computer cmdlet. The account used must have the right to create computer objects in the target OU; delegate that right to a dedicated join account rather than joining machines as a Domain Admin.
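The join described above done from the client's own PowerShell session, with the two checks that explain most failed joins, as an added example (not part of the original flashcards). The domain corp.example.com, the OU and the join account CORP\joinsvc are placeholders; Add-Computer is the Windows 7 / Server 2008 R2 (PowerShell 2.0) cmdlet.

```powershell
# Added example: join a client to the domain from an elevated prompt on the
# client. Domain, OU and account names are placeholders.
$domain = 'corp.example.com'
$ou     = 'OU=Workstations,DC=corp,DC=example,DC=com'

# 1. The client must find a DC through the domain's DNS (SRV records) and its
#    clock must be within Kerberos' 5-minute skew of the DCs. A join that
#    fails with "domain could not be contacted" is almost always one of these.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
w32tm /stripchart /computer:$domain /samples:3 /dataonly

# 2. Join into a specific OU using a delegated join account, so the machine
#    does not land in the default Computers container and no Domain Admin
#    password is typed on an untrusted workstation.
Add-Computer -DomainName $domain -OUPath $ou -Credential (Get-Credential 'CORP\joinsvc')
Restart-Computer

# 3. After the reboot, confirm the secure channel with a DC and the site the
#    client was placed in (the latter tells you whether subnets are defined).
# nltest /sc_verify:$domain
# nltest /dsgetsite
```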
INSTALL WINDOWS SERVER 2008 R2
Using Installation Media
You can choose to install Windows Server 2008 R2 using the installation DVD. This method requires you to be present to work through the Install Windows Wizard.
Options for an Unattended Installation
An unattended installation of Windows Server 2008 R2 is
one that does not require user input during the installation process, so you do not need to be physically present while the server is being installed.
Windows Deployment Services
(WDS)
Windows Deployment Services (WDS) enables
you to deploy the WDS client and then automate the latter stages of Windows Setup. This two-stage approach is accomplished by using the following two unattend files:
- WDS Client Unattend File
- Image Unattend File
Using the AD single-domain model, you can delegate tasks to
administrators at the organizational-unit level while keeping a single point of administrative control.
Advantages of the single-domain model
- Simple administration
- Simple troubleshooting
- A single security boundary (the forest; a domain is an administrative and replication boundary rather than a security boundary, because every domain in a forest trusts the others and forest-wide groups such as Enterprise Admins hold rights in all of them)
A multiple-domain model may be more suitable if there is
significant geographical distance between branches of an organization. In this case, using multiple domains can reduce traffic and limit maintenance delays.
To prepare the existing network environment for integration with Windows Server 2008 and Server 2008 R2, use the following commands:
adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep
adprep /rodcprep
adprep /forestprep
The adprep /forestprep command extends the AD schema and updates the permissions a Windows Server 2008 R2 DC needs, preparing a Windows 2000 Server (SP4) or Windows Server 2003 forest for its first Windows Server 2008 R2 DC. Run it once, on the schema master, and let the schema changes replicate to every DC before continuing.
adprep /domainprep
The adprep /domainprep command prepares a Windows 2000 Server or Windows Server 2003 domain for its first Windows Server 2008 R2 DC. Run it once per domain, on that domain's infrastructure master, after /forestprep has replicated.
adprep /domainprep /gpprep
The /gpprep switch, added to adprep /domainprep, grants the permissions on existing Group Policy Objects that Resultant Set of Policy planning mode needs. It is a separate switch because rewriting the ACL of every GPO in SYSVOL and AD causes a full replication of those GPOs, so run it once per domain during a low-traffic window.
adprep /rodcprep
The adprep /rodcprep command updates the permissions on the application directory partitions so that read-only domain controllers (RODCs) can replicate them. It must be run by a member of the Enterprise Admins group and needs connectivity to the infrastructure master of each domain; promoting the RODC itself can then be delegated to a non-administrator through a staged installation.
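The whole adprep sequence from the cards above (and the forestprep card earlier on the page), as an added example that is not part of the original flashcards. It assumes the 2008 R2 media is mounted as D:, the forest is corp.example.com, and, because no 2008 R2 DC exists yet (so there is no ADWS for the PowerShell module to talk to), it uses the classic netdom, dsquery and repadmin tools from a PowerShell prompt.

```powershell
# Added example: prepare an existing forest for its first Windows Server
# 2008 R2 DC. Media path and forest DN are placeholders.
$forestDN = 'DC=corp,DC=example,DC=com'
$adprep   = 'D:\support\adprep\adprep.exe'   # adprep32.exe on a 32-bit schema master

function Get-SchemaVersion {
    # objectVersion on the Schema NC: 13 = Windows 2000, 30 = 2003,
    # 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
    $out = dsquery * "CN=Schema,CN=Configuration,$forestDN" -scope base -attr objectVersion | Out-String
    [int]($out -replace '[^\d]', '')
}

# 1. Role holders: /forestprep runs on the schema master, /domainprep on each
#    domain's infrastructure master.
netdom query fsmo
"Schema version before: $(Get-SchemaVersion)"

# 2. On the schema master, as a member of Schema Admins, Enterprise Admins and
#    Domain Admins of the forest root domain.
& $adprep /forestprep

# 3. Do not continue until the schema changes have replicated to every DC.
repadmin /syncall /APed
repadmin /showrepl

# 4. On the infrastructure master of each domain, as a Domain Admin of that
#    domain. /gpprep is included so the GPO ACL rewrite happens in this window.
& $adprep /domainprep /gpprep

# 5. Only if RODCs are planned (Enterprise Admins).
& $adprep /rodcprep

# 6. Verify; adprep writes its log under %SystemRoot%\debug\adprep\logs.
if ((Get-SchemaVersion) -ne 47) { throw 'Schema is not at the 2008 R2 level; check the adprep log.' }
"Schema version after: $(Get-SchemaVersion)"
```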
Configuring the AD Physical Topology
Configuring the Global Catalog
The global catalog
is an index of objects in AD DS.
The global catalog is used to
to locate objects that are stored in other domains.
Every object in the forest is partially referenced in the global catalog.
Only those aspects of each object that are commonly used - for instance when conducting a search - are referenced in the global catalog.
The global catalog is used for the following purposes:
- Validating the object references of other domains in the forest
- Providing universal group membership information in a multiple-domain environment
- Providing authentication for user principal names (UPNs)
- Resolving UPNs and completing the logon process when a user logs on with a UPN whose suffix belongs to a domain other than the one the contacted DC serves
When you install AD DS, the global catalog for a new forest is automatically
created on its first DC, which is the root of the forest.
When planning the deployment of global catalogs, you must consider
the object replication needs of the network relative to network traffic flow.
(UGMC)
Universal Group Membership Caching
In a multi-domain forest where a remote site has a local domain controller but no global catalog, UGMC can be enabled
on that site so that the local DC does not have to contact a GC across the WAN at every logon. Without a reachable GC and without UGMC, logons in a multi-domain forest fail when the WAN link is down (except for users with cached credentials), because universal group membership cannot be evaluated.
The user's universal group memberships are cached after the first logon and refreshed
automatically every 8 hours (by default) by the local DC, which pulls them from a GC; you can point the DC at a preferred site for that refresh.
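Making a DC a global catalog and enabling UGMC on a site, as an added example (not part of the original flashcards) using the Windows Server 2008 R2 Active Directory module. DC2, the site names Branch-Lagos and HQ are placeholders; the bit values (0x1 for IS_GC on NTDS Settings, 0x20 for group caching on NTDS Site Settings) are the documented flags.

```powershell
# Added example: GC promotion and Universal Group Membership Caching.
# DC and site names are placeholders.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Promote DC2 to a global catalog. repadmin sets bit 0x1 of the 'options'
#    attribute on DC2's NTDS Settings object; the GC then builds its partial
#    replicas and advertises (Directory Service event 1119) when ready.
repadmin /options DC2 +IS_GC
Get-ADDomainController -Identity 'DC2' | Select-Object HostName, IsGlobalCatalog

# 2. Enable UGMC on a site with a DC but no GC. Bit 0x20 of 'options' on the
#    site's NTDS Site Settings object turns caching on; msDS-Preferred-GC-Site
#    chooses which site the 8-hourly refresh is pulled from.
function Enable-UGMC {
    param([string]$SiteName, [string]$RefreshFromSite)
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties options
    $attrs = @{ options = ([int]$obj.options -bor 0x20) }
    if ($RefreshFromSite) {
        $attrs['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $dn -Replace $attrs
}

function Test-UGMC {
    param([string]$SiteName)
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties options
    ([int]$obj.options -band 0x20) -ne 0
}

Enable-UGMC -SiteName 'Branch-Lagos' -RefreshFromSite 'HQ'
Test-UGMC  -SiteName 'Branch-Lagos'   # True once the change is written
```

Test-UGMC reads the same flag the GUI's "Enable Universal Group Membership Caching" checkbox sets, so it is also a quick way to audit which branch sites actually have caching on.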
Sites and Subnets
A site is
a logical representation of the physical topology - or structure - of an organization’s network.
A site consists of
servers and other objects related to AD replication.
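Creating the site and subnet objects the cards above describe, and finding clients that map to no subnet, as an added example that is not part of the original flashcards. The site name Branch-Lagos, the subnet 10.20.0.0/16 and the Netlogon log lines are constructed; the function builds the objects directly because Windows Server 2008 R2 has no New-ADReplicationSite cmdlet.

```powershell
# Added example: site and subnet creation plus a NO_CLIENT_SITE audit.
# Names, subnets and sample log lines are constructed placeholders.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

function New-Site2008R2 {
    param([string]$Name, [string]$SiteLink = 'DEFAULTIPSITELINK')
    # A site is the site object plus its two mandatory child containers.
    New-ADObject -Name $Name -Type site -Path $sitesDN
    $siteDN = "CN=$Name,$sitesDN"
    New-ADObject -Name 'NTDS Site Settings' -Type nTDSSiteSettings -Path $siteDN
    New-ADObject -Name 'Servers' -Type serversContainer -Path $siteDN
    # A site that belongs to no site link never replicates with the others.
    Set-ADObject -Identity "CN=$SiteLink,CN=IP,CN=Inter-Site Transports,$sitesDN" -Add @{ siteList = $siteDN }
}

function New-Subnet2008R2 {
    param([string]$Cidr, [string]$Site)
    # The subnet's only job is the siteObject link that maps addresses to a site.
    New-ADObject -Name $Cidr -Type subnet -Path "CN=Subnets,$sitesDN" -OtherAttributes @{ siteObject = "CN=$Site,$sitesDN" }
}

New-Site2008R2   -Name 'Branch-Lagos'
New-Subnet2008R2 -Cidr '10.20.0.0/16' -Site 'Branch-Lagos'

# Clients whose address falls outside every defined subnet get an arbitrary
# DC and are logged by Netlogon as NO_CLIENT_SITE. Summarise them by /24 so
# you know which subnets are still missing.
function Get-UnmappedClientSubnets {
    param([string[]]$LogLines)
    $LogLines | ForEach-Object {
        if ($_ -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+)\.\d+') {
            New-Object PSObject -Property @{ Client = $matches[1]; Subnet = "$($matches[2]).0/24" }
        }
    } | Group-Object Subnet | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed lines in the netlogon.log format (not a real log).
$sample = @(
    '05/14 09:12:01 CORP: NO_CLIENT_SITE: LAPTOP-17 10.30.4.15',
    '05/14 09:12:44 CORP: NO_CLIENT_SITE: LAPTOP-22 10.30.4.88',
    '05/14 09:13:10 CORP: NO_CLIENT_SITE: KIOSK-03 10.31.0.5'
)
Get-UnmappedClientSubnets -LogLines $sample
# On a DC: Get-UnmappedClientSubnets -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

For the sample above the audit reports 10.30.4.0/24 twice and 10.31.0.0/24 once, which is the list of subnets to create next; nltest /dsaddresstosite:<ip> on a DC checks an individual address once you have added them.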
The trust direction describes
the relationship between the trusting domain, which holds the resources, and the trusted domain, which holds the accounts that request access to them. Users from the trusted domain can be granted access in the trusting domain, not the other way round.
A trust direction is defined by
a trust path, which is the series of trust relationships that an authentication request follows between two domains.
One-Way Trust
The access path between two different domains operates in one direction only.
Two-Way Trust
Both domains trust each other, so access requests can travel in both directions.
When you create a child domain, a two-way trust relationship is
automatically established between the child domain and the parent domain. Parent-child and tree-root trusts are transitive, so every domain in a forest implicitly trusts every other.
A trust relationship can be transitive. A transitive trust relationship can be
extended beyond the two domains in which it is formed, so trusting one domain also yields trust in the domains that it trusts. External trusts to domains outside the forest are non-transitive; a forest trust is transitive across the two forests but does not extend to a third.
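Creating, verifying and hardening a one-way external trust with the trusting/trusted roles defined above, as an added example (not part of the original flashcards). CORP is the trusting (resource) domain and PARTNER the trusted (account) domain; the domain names, forwarder address and admin account names are placeholders, and the netdom trust switches are the Windows Server 2008 R2 ones.

```powershell
# Added example: one-way external trust, CORP (trusting) -> PARTNER (trusted).
# Domain names, addresses and account names are placeholders.
$trusting = 'corp.example.com'
$trusted  = 'partner.example'

# 1. Name resolution first: a conditional forwarder on CORP's DNS for the
#    other domain (PARTNER's DNS needs the equivalent for CORP).
dnscmd /ZoneAdd $trusted /Forwarder 192.0.2.10

# 2. netdom trust <TrustingDomain> /d:<TrustedDomain>. /userO and /passwordO
#    are credentials in the trusting (object) domain, /userD and /passwordD in
#    the trusted domain; '*' prompts instead of leaving passwords in history.
#    Add /twoway for a two-way trust.
netdom trust $trusting /d:$trusted /add /userO:CORP\admin /passwordO:* /userD:PARTNER\admin /passwordD:*

# 3. Verify the trust's secure channel, then that Kerberos works across it.
netdom trust $trusting /d:$trusted /verify /userO:CORP\admin /passwordO:*
netdom trust $trusting /d:$trusted /verify /kerberos /userO:CORP\admin /passwordO:* /userD:PARTNER\admin /passwordD:*

# 4. SID filtering ("quarantine") is on by default for external trusts created
#    on Windows Server 2003 or later. Keep it on: it discards SIDs from outside
#    PARTNER in sIDHistory, so an administrator of PARTNER cannot inject the
#    CORP Domain Admins SID into one of their accounts and become an admin of CORP.
netdom trust $trusting /d:$trusted /quarantine:yes /userO:CORP\admin /passwordO:*

# 5. Review every trust this domain has, with direction and attributes.
nltest /domain_trusts /all_trusts
```

For a forest trust the equivalent safeguard is leaving SID history disabled (/enablesidhistory:no); turn either off only for the duration of an ADMT migration that genuinely needs sIDHistory honoured across the trust, and turn it back on immediately afterwards.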