2008 R2 ADS Vocabulary - Session 1 Flashcards
Planning Active Directory Structure
In Windows Server 2008 R2, an Active Directory (AD) is used to store objects such as users, computers, and devices on a network and to organize these objects in a secure, hierarchical structure.
Domain
A collection of computers and devices on a network that is controlled and managed as a unit, through common rules and procedures.
Forest
A domain tree or a grouping of multiple domain trees, each with a unique namespace.
Namespace
A defined zone in which each name is unique and can be resolved to a unique object.
To create a new forest in a network,
you need to be a member of the Enterprise Admins group on the server. Additionally, you should ensure that the DNS infrastructure is planned in detail and know the full DNS name that must be assigned to the forest.
Identifying the business requirements for a directory structure involves the following:
- Identifying dependencies between the groups in an organization, in terms of accessing network resources
- Determining whether each group wants to isolate its resources from other groups on the network
- Determining the number of forests that need to be created in order to meet the organization’s demands
Once you have identified business requirements and the needed number of forests, begin planning your domain design. You should first identify the following:
- The factors that influence the domain design model, such as what resources are available and how extensive the network should be
- The number of domains required in each forest, which is determined by the number of users, how frequently data changes across the network, and the speed of the links between the domains
- Whether to upgrade the existing domains or deploy new ones
To perform an unattended installation or removal of AD DS in Windows Server 2008 R2
you can use the dcpromo command.
THE ACTIVE DIRECTORY MIGRATION TOOL
The Functions of the ADMT
The Active Directory Migration Tool (ADMT) enables you to easily move users, groups, and computers from one domain to another. For example, when upgrading your server operating system from Windows Server 2003 to Windows Server 2008 R2, you use the ADMT to migrate objects from the original domain to the new domain.
Remember that migrating resources involves moving them, rather than copying them, from a source domain to a target domain, and preserving or modifying characteristics of the objects to make them accessible in the new domain.
ADMT features
Low Client Impact
The ADMT automatically installs client software on source clients.
ADMT features
Migration of Security Settings
It migrates Security Identifier (SID) history attributes to a new domain, so that the security structure of the original domain is maintained.
ADMT features
Restructuring domains in the AD environment can involve using two types of migration
Interforest Migration
Intraforest Migration
ADMT features
Interforest Migration
Move resources between AD domains in different forests.
ADMT features
Intraforest Migration
Move resources between AD domains in the same forest.
ADMT features
The Migration Process
What tool should you use to keep SID history and passwords?
Before you can migrate resources from a Microsoft Windows NT 4.0, Server 2000, or Server 2003 domain to Windows Server 2008 R2 AD DS, you should install the Password Export Server (PES) service on a server in the source domain. This enables you to migrate passwords and SID history information. You first need to export the password key from the target domain.
ADMT features
The ADMT Role
As a systems administrator, you should also develop a migration test plan to enable you to test the validity of the migration plan systematically.
Once you have done this, you can use the test plan and the ADMT to check the results of the planned migration in a test environment.
The ADMT Reporting Wizard enables you to generate reports to assess the impact of a test migration. Each report is saved as a web page on the DC in the target domain, where the ADMT is installed. You can choose to generate the following reports:
- Migrated User Accounts Report
- Migrated Computer Accounts Report
- Expired Accounts Report
- Account References Report
- Account Name Conflicts Report
ADMT features
Upgrading an existing AD environment
What are the adprep commands
Using forestprep and domainprep
AD DS is responsible for authenticating computer and user accounts to ensure the core security of a network environment.
In addition to providing a structure for AD replication, sites simplify the following:
- Authentication
- Service Location
- Service Requests
An AD site can contain
several domains, and a domain can contain several sites.
You can define the physical sections of a network environment by using
subnets.
A subnet object is
a collection of computers and systems that are typically located near each other and that form separate partitions of the network.
A subnet can be compared to
a geographical area with several postal addresses that have the same postal code.
A site is
a group of related subnets or well-connected IP subnets.
DNS Configuration
The DNS resolves
the host names of computers in a network into IP addresses, and vice versa.
DNS also resolves
services, such as Active Directory’s Kerberos and LDAP services, using SRV records that point to multiple servers (domain controllers), which are then in turn resolved to their IP addresses.
Once you have installed a new DNS server on a DC, you can configure it by doing the following:
- Creating a forward or reverse lookup zone
- Setting the types of updates it must allow
- Specifying whether queries must be forwarded and to which servers
- Creating root hints
Operations Masters
Definition
To ensure consistency of the schema and to prevent conflicting updates to the AD database, AD employs the Flexible Single Master Operations (FSMO) role - or operations master.
AD assigns the following two operations master roles to a DC in each forest (by default to the first domain controller in the forest root domain):
- Domain Naming Master (Note: must be placed on a domain controller serving the global catalog)
- Schema Master
AD assigns the following three operations master roles to a DC in each domain (by default to the first domain controller in each domain):
- PDC Emulator
- Infrastructure Master (Note: do not place the global catalog on a domain controller that hosts the domain’s Infrastructure Master role unless all domain controllers in the domain are global catalog servers or the forest has only one domain.)
- Relative Identifier (RID) Master
You can change the default configuration of the operations master roles by doing the following:
Transferring Roles
If an operations master is available and functional on a network, you can transfer an operations master role by moving it from one DC to another.
You can change the default configuration of the operations master roles by doing the following:
Seizing Roles
Seizing an operations master role involves assigning the role to another DC when the DC on which it is installed fails or is not available. You should only seize a role if the DC managing the role is permanently out of service.
Trusts and Trust Relationships (Logical Topology)
Trust Types
Trust relationships are created between domains, and enable users in one domain to access the resources of another domain. Domain Admins group members can create and manage trust relationships.
Once you have planned the required AD structure, you can begin creating it. Creating a new forest involves creating its first - or root - domain. There are three ways you can do this:
- Using the Windows Interface
- Using Unattended Installation parameters at the Command Line
- Using an Answer File
Creating a Forest or Domain
The easiest way to create a domain is to use the Windows interface. To create a domain, you must do the following:
- Assign a static IP address to a Windows Server 2008 R2 server
- Use a wizard to add the Active Directory Domain Services (AD DS) role to the server
- Use a wizard to promote the server to a DC
Creating an Answer File
If you do not want to use the Windows interface, you can create a new forest by creating and running an answer file. A text editor of your choice can be used to create this answer file.
Specify a password that will be used for an offline administrator account in Directory Service Restore Mode.
After creating an answer file, you save it on the installation server, to a network shared folder, or to removable media for distribution.
To run the answer file, you use the dcpromo utility with the /unattend option, followed by the path to the answer file in double quotation marks.
You can add the DC that runs Windows Server 2008 R2 to an existing, non-Windows 2008 AD domain
by running the adprep /forestprep utility. You need to run this utility only once, on the DC that holds the schema master operations master role. This command may be run by administrators belonging to the Schema Admins, Enterprise Admins, and Domain Admins groups.
Raising Functional Level
To enable Windows Server 2008 R2’s advanced AD DS features,
you raise the functional level of the forest and the domain to Windows Server 2008 R2. To do this, you should be a member of the Domain Admins or Enterprise Admins groups.
You cannot reverse a change that raises the domain functional level.
Joining a Client to a Domain
After configuring a domain, you can add
a client machine to the domain by configuring the client’s system properties.
INSTALL WINDOWS SERVER 2008 R2
Using Installation Media
You can choose to install Windows Server 2008 R2 using the installation DVD. This method requires you to be present to work through the Install Windows Wizard.
Options for an Unattended Installation
An unattended installation of Windows Server 2008 R2 is
one that does not require user input during the installation process. So you do not need to be physically present while installation of the server is in progress.
Windows Deployment Services
(WDS)
Windows Deployment Services (WDS) enables
you to deploy the WDS client and then automate the latter stages of the Windows Setup. This two-stage approach is accomplished by using the following two unattend files:
- WDS Client Unattend File
- Image Unattend File
Using the AD single-domain model, you can delegate tasks to
administrators and ensure high-level administrative control.
Advantages of the single-domain model
- Simple administration
- Simple troubleshooting
- A single security boundary
A multiple-domain model may be more suitable if there is
significant geographical distance between branches of an organization. In this case, using multiple domains can reduce traffic and limit maintenance delays.
To prepare the existing network environment for integration with Windows Server 2008 and Server 2008 R2, use the following commands:
adprep /forestprep
adprep /domainprep
/gpprep
adprep /rodcprep
adprep /forestprep
The adprep utility extends the AD schema and updates the necessary permissions to prepare a forest and a domain for a DC. It also prepares the Windows Server 2000 or Windows Server 2003 forest for a DC that runs Windows Server 2008 R2.
adprep /domainprep
The adprep /domainprep command prepares the Windows Server 2000 or Windows Server 2003 domain for the DC that runs Windows Server 2008 R2.
/gpprep
The /gpprep command, which you can run with the adprep /domainprep command, minimizes the replication traffic created by updating file system and AD permissions on the existing Group Policy Objects (GPOs).
adprep /rodcprep
The adprep /rodcprep command sets up the domain for an RODC. To install a Windows Server 2008 R2 RODC, you must be a member of the Enterprise Admins group.
Configuring the AD Physical Topology
Configuring the Global Catalog
The global catalog
is an index of objects in AD DS.
The global catalog is used to
locate objects that are stored in other domains.
Every object in the forest is partially referenced in the global catalog.
Only those aspects of each object that are commonly used - for instance when conducting a search - are referenced in the global catalog.
The global catalog is used for the following purposes:
- Validating the object references of other domains in the forest
- Providing universal group membership information in a multiple-domain environment
- Providing authentication for user principal names (UPNs)
- Resolving UPNs and completing the logon process if a user logs on by using the UPN of a different DC
When you install AD DS, the global catalog for a new forest is automatically
created on its first DC, which is the root of the forest.
When planning the deployment of global catalogs, you must consider
the object replication needs of the network relative to network traffic flow.
(UGMC)
Universal Group Membership Caching
In a multi-domain environment with remote users with a local domain controller and a remote global catalog, UGMC can be enabled
to avoid having to contact the remote GC after the first logon.
The user’s Universal Group memberships are cached and updated
automatically every 8 hours by the remote DC.
Sites and Subnets
A site is
a logical representation of the physical topology - or structure - of an organization’s network.
A site consists of
servers and other objects related to AD replication.
The trust direction describes
the relationship between a trusting domain, which is the domain with the resources, and the trusted domain, which is the domain that requests the resources.
A trust direction is defined by
a trust path, which is a series of trust relationships that are followed by an authentication request between two domains.
One-Way Trust
The access path between two different domains operates in one direction only.
Two-Way Trust
Both domains trust each other, so access requests can travel in both directions.
When you create a child domain, a two-way trust relationship is
automatically established between the child domain and the parent domain.
A trust relationship can be transitive. A transitive trust relationship can be
extended beyond the two domains in which it is formed. This is useful for establishing trust relationships with multiple domains.
When a new domain is created in a forest in Windows Server 2008 R2, what trust is established by default?
a two-way, transitive trust relationship is created between the new domain and its parent domain by default.
Four different types of trusts in Windows Server 2008 R2
External Trusts
Forest Trusts
Realm Trusts
Shortcut Trusts
External Trusts
External trusts are nontransitive and can be used to create one-way or two-way trust relationships between two domains. This type of trust enables users to access resources that are stored on external domains located in separate forests. It also provides access to the resources present on a Windows NT domain.
Forest Trusts
Forest trusts are transitive and can be used to create one-way or two-way trust relationships. A forest trust can be created between two forest root domains to enable users to share resources across different forests. If two forests have a two-way trust relationship between them, a request to access resources made by either forest is acknowledged by the other forest.
Realm Trusts
Realm trusts can be transitive or nontransitive, and can be used to create one-way or two-way trust relationships.
Shortcut Trusts
Shortcut trusts are transitive, and can be used to establish a one-way or two-way trust relationship between domains in a Windows Server 2008 R2 forest. They are useful when users belonging to a domain regularly log on to other domains within a forest. A shortcut trust makes the authentication process between domains faster and more efficient, especially if the domains are separated by two domain trees.
AD Replication
Replication is managed on a per-partition basis; different portions of Active Directory replicate to different domain controllers in different ways.
AD Replication
The schema partition
(the definition of all forest objects and attributes)
AD Replication
configuration partition
(the map of the physical (sites and subnets) and logical (domains and trusts) Active Directory forest)
The schema partition (the definition of all forest objects and attributes) and the configuration partition (the map of the physical (sites and subnets) and logical (domains and trusts) Active Directory forest) replicate to all forest domain controllers.
The domain database partition
(the users, groups, OUs, and other domain objects) is only replicated to the domain controllers of the same domain.
Intra-site Replication
Is checked by what?
Intra-site replication is automatically configured by the Knowledge Consistency Checker (KCC) service and is performed as an activity-triggered process: when data changes, domain controllers automatically notify other domain controller partners in the same site of the change, and the other domain controllers can request to download that change.
Inter-site Replication
Inter-site replication is configured manually by defining site objects (which contain the domain controller server objects) and subnet objects (so that clients can identify which site they are located in). Within each site an Intersite Topology Generator (ISTG) is automatically chosen, which identifies a Bridgehead server, the representative replication server for a directory partition. When possible, multiple partitions are replicated through the same Bridgehead server. If desired, an administrator can override automatic ISTG selection and choose the Bridgehead server for a site. However, the ISTG service will not provide failover if that server should go offline. Site objects are linked by site link objects, which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost. If domains in a forest are not directly connected by sites in a site topology, they will by default use automatic site link bridging to replicate according to the cost and schedule defined by the intermediate site links of the sites between them. If this mapping is inconsistent with the actual routing topology, automatic site link bridging can be disabled and an explicit site link bridge can be manually created.
site objects
(which contain the domain controller server objects) and subnet objects (so that clients can identify which site they are located in).
(ISTG)
Intersite Topology Generator
Bridgehead server,
which is the representative replication server for a directory partition.
site link objects
which define the rules of replication through a schedule of available replication hours, a replication frequency, and a relative link cost.
automatic site link bridging
If domains in a forest are not directly connected by sites in a site topology, they will by default use (vocab word).
Forcing Replication
- “Replicate Now” on the replication connection object in Active Directory Sites and Services console
- Cmdline: repadmin.exe utility
Read-Only Domain Controllers
The RODC hosts read-only partitions of the AD DS database and provides security for the data stored in that database.
An RODC provides
improved security, faster logon times, and access to network resources that is more efficient.
RODCs have the following features:
Support for a Read-Only Domain Name System (DNS)
Support for Administrator Role Separation
Unidirectional Replication with a Writable DC
Storage of a Read-Only AD DS Database
Support for Credential Caching
Creating an RODC Account
Connecting a Server Running AD DS to the RODC Account
RODC Operation
Role Separation and Read-Only DNS
Role separation
Read-Only DNS
Support for a Read-Only Domain Name System (DNS)
In response to a client request to update a DNS record, the RODC DNS server returns the address of another DNS server on a DC that is not read-only. This DC then performs the update and the RODC DNS server replicates the updated DNS record to other DCs. This replication is performed only for the updated DNS record, not for the domain data or the entire list of changed zones.
Support for Administrator Role Separation
You can delegate local administrative permissions for an RODC to a domain user, without giving the user administrative permissions over the domain in which the RODC is installed. This enables a user to perform administrative operations such as installing software on the RODC and maintaining security.
Unidirectional Replication with a Writable DC
Replication occurs only from the writable DC to the RODC. If data corruption or malicious changes are made at the remote location, they will not replicate to the rest of the domain or forest.
Storage of a Read-Only AD DS Database
An RODC database includes all the AD attributes and objects that are stored in the database of a writable DC, except for account passwords.
Data stored in an RODC is read-only. Any changes must be made on a writable DC, which then replicates the updated data to the RODC database.
Support for Credential Caching
An RODC stores only its own local computer and KRBTGT account details, which are used for Kerberos authentication.
When a client requests authentication, the RODC forwards the request to a writable DC. The writable DC then determines if the credentials should be cached on the RODC. The credentials are then cached for future requests, enabling faster logon times and reducing bandwidth used for authentication.
Installing an RODC in a domain involves two main steps:
Creating an RODC Account
Connecting a Server Running AD DS to the RODC Account
Creating an RODC Account
To create an RODC account in AD DS, you need to be a member of the Domain Administrators group. In addition to assigning an account name, you need to specify the site for which the account must be created.
You can also choose to specify the user or group authorized to perform the next installation step. If you do not do this, then only a member of the Enterprise Admins or Domain Admins groups will be able to complete the installation.
Connecting a Server Running AD DS to the RODC Account
Once you have created an RODC account, you need to install AD DS on the server that will act as the RODC, and then link the server to the RODC account.
Domain data that must reside locally on the server, such as databases and log files, must be replicated to the RODC. One way of doing this is to use the Install From Media (IFM) feature to install the source files directly. Alternatively, you can replicate the source files to the RODC from any other DC over the network.
RODC Operation
When a branch office user logs on, the RODC requests the user’s credentials from the hub site writable DC. The hub DC consults the RODC’s password replication policy and, if allowed, forwards the user’s credentials which are then stored in the RODC’s cache.
Role separation
Allows the authorization of remote users and groups to perform specific administrative tasks through different roles without granting administrative permissions for the domain or other DCs.
Read-Only DNS
Application directory partitions, including ForestDNSZones and DomainDNSZones partitions are replicated to the RODC. DNS updates are not written directly to the RODC.
Installing an RODC in a Forest
Prerequisites:
An existing Windows Server 2008 R2 DC that contains the PDC emulator FSMO role.
An existing Windows Server 2008 R2 DC that contains the GC. The RODC forwards all replication requests to this server for authentication.
Domain and forest functional levels must be raised to Windows Server 2003 or higher. (Not 2008!)
The adprep /rodcprep command must be run to update permissions on all DNS application directory partitions. Enterprise Admins rights are required.
Installing an RODC in a Forest
Installation:
The AD DS role must be added to the server using the Server Manager Roles Wizard. AD DS is installed using the Active Directory Domain Services Installation Wizard.
DC Function Level Server 2000
Universal groups
Group Nesting
Group Conversion
SID History (Security Identifier)
DC Function Level Server 2003
LastLogonTimeStamp
inetOrgPerson
Domain Controller Rename - netdom (has to be run on a DC)
Container Redirection
Authorization Manager
Constrained Delegation
Selective Authentication
DC Function Level Server 2008
SYSVOL Replication (DFS-DFGS)
Advanced Encryption System (AES 128 and 256)
Last Interactive Logon
Fine-Grained Passwords
Access Based Enumeration
DC Function Level 2008 R2
Authentication Mechanism Assurance
Forest AD Features 2000 Native
Universal Group Caching
Forest AD Features Server 2003
Forest Trusts
Domain Rename
RODC - Read Only Domain Controllers
Linked Value Replication
User Object Conversion
Schema Modification
DynamicObjects
Knowledge Consistency Checker
Group Types
Forest AD Features Server 2008
No new forest features
Forest AD Features Server 2008 R2
Active Directory Recycle Bin
Universal Groups
are enabled for both distribution groups and security groups
Group Nesting
Groups can contain other groups
Group Conversion
A security group can be converted to a distribution group and vice versa
Security Identifier (SID) History
Active Directory users, computers and groups have an associated SID which is used during resource access. SID history allows a user’s old SID to be used in an upgraded domain alongside the new SID - access to resources on the older system is therefore retained even though the user now has a new SID.
LastLogonTimeStamp
attribute is updated with the last logon time of the user or computer and is replicated throughout the domain
inetOrgPerson
the ability to set the userPassword attribute as the effective password on (the vocab word) and user objects
Domain Controller Rename
Netdom.exe can be used to rename domain controllers
Container Redirection
allows you to direct new user and computer accounts to containers (organizational units) other than the default users and computers containers
Authorization Manager
Can store its authorization policies in AD DS
Constrained Delegation
Can be used to restrict user credential delegation to specific destination services only
Selective Authentication
you can be specific about which users and groups from a trusted forest are allowed to authenticate to resources on servers in a trusting forest (lesson 4 module 1)
SYSVOL Replication
DFS (DFGS) replication support provides more robust and detailed replication of (vocab word) contents
Advanced Encryption System
Support for AES 128 and AES 256 encryption
Last Interactive Logon
Hosts the following information: the total number of failed logons, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt, and the time of the last successful logon attempt at a Windows Server 2008 or Vista/Windows 7 client
Fine-Grained Passwords
Administrators can specify unique password and account lockout policies for users or groups in the domain.
Access Base Enumeration
Presents a view of a DFS namespace to a user that shows only the folders in the namespace to which the user has at least read permission - folders that the user is not permitted to read remain hidden
Universal Group Caching
Used at a remote location that does not have access to a global catalog
Application Directory Partitions
Introduction of configurable replication of application partitions within Active Directory
Forest Trusts
Allows you to establish inter-forest trusts
RODC - Read Only Domain Controller
A DC which hosts a read-only copy of the AD database and that can be strategically placed in a remote office to provide user authentication and group membership
Linked Value Replication
Linked value replication replicates an individual group membership change rather than the entire multi-valued member attribute.
User Object Conversion
The ability to convert an inetOrgPerson object instance into a User object instance and to complete the conversion in the opposite direction
Schema Modifications
Allows an administrator to deactivate or alter schema object classes and attributes
dynamicObjects
Used by developers and applications; the schema allows instances of the dynamicObject auxiliary class in domain directory partitions
Knowledge Consistency Checker
Enables AD DS to support replication in forests with more than 100 sites
Group Types
The introduction of application basic groups and LDAP query groups
AD Recycle Bin
provides the ability to restore deleted objects in their entirety while (vocab word) is running
Raise DC Level: 2 things must be in place
- Member of Domain Admins or Enterprise Admins
- PDC Emulator DC must be accessible
On how many DCs does the forest functional level need to be set?
One domain controller; the new level will be replicated to each controller in the (vocab word).
How to raise function level steps
Start, Administrative Tools, Active Directory Domains and Trusts, right-click on the domain, choose Raise Domain Functional Level and select the level - same for the forest, but choose the Raise Forest Functional Level option instead
ADS has to be extended to support the inclusion of a (_____________) DC
2008 R2
Adprep.exe
extends the active directory schema to support upgraded server installation
where is adprep.exe found?
- 2008 installation disk in \sources\adprep
- 2008 R2 installation disk in \support\adprep
- 32-bit and 64-bit versions
adprep.exe must be executed from an
elevated command prompt
adprep.exe parameters are used to complete the following tasks:
- Updating the Active Directory schema
- Updating security descriptors
- Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
- Creating new objects as required
- Creating new containers as required
adprep commands
adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep
adprep /rodcprep
adprep /forestprep
prepares a forest for the introduction of a DC that runs Server 2008 or 2008 R2. The command is run on the DC that hosts the Schema Master role.
adprep /domainprep
prepares a domain for the introduction of a DC that runs 2008 or 2008 R2. The command should be run after the forestprep command is complete and after the changes have replicated to all the domain controllers in the forest. The command should be run in each domain where you plan to add a DC that runs 2008 or 2008 R2. You must run this command on the DC that hosts the domain’s infrastructure master role.
adprep /domainprep /gpprep
Similar to the /domainprep command, but adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs - these permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy. The command must be run on the domain controller that hosts the domain’s infrastructure master role.
adprep /rodcprep
Updates permissions on application directory partitions (including DNS Services) to enable replication of the partitions to Read-Only Domain Controllers (RODCs) - the operation runs remotely and contacts the domain controller hosting the infrastructure master in each domain to update the permissions. The command can be run from any domain controller.
If you are adding a RODC to the forest
run adprep /rodcprep immediately after running the adprep /forestprep command; both must be run on the DC with the Schema and Infrastructure Master roles
Adprep /rodcprep can run from
any computer, runs remotely but it must be able to contact the forest’s domain naming master to obtain a list of forest application directory partitions. It then must contact the infrastructure master in each domain for each of the application directory partitions. If an infrastructure master is unavailable, the (vocab word) command will fail and you must rerun until success is achieved.
Need to find which computer hosts the various operations master roles
use an elevated command prompt on a computer with the netdom.exe tool installed (usually a DC), type the command and press Enter
e.g. C:\> netdom query fsmo
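The cards above give placement rules for each adprep switch and a command to find the role holders; the script below ties the two together. It is an added example, not part of the original flashcards: it parses the text that netdom query fsmo prints (the block of output is constructed sample data in that format; the host names are made up) and reports which DC each adprep command has to run on. On a live DC you would feed it the real output with (netdom query fsmo), or read (Get-ADForest).SchemaMaster and (Get-ADDomain).InfrastructureMaster from the Active Directory module instead.

```powershell
# Added example (not from the original flashcards): map the adprep switches in
# this deck to the FSMO role holders that "netdom query fsmo" reports.
# $sampleNetdomOutput is constructed sample output in the format netdom prints;
# replace it with (netdom query fsmo) on a real domain controller.

$sampleNetdomOutput = @"
Schema master               dc01.corp.example.com
Domain naming master        dc01.corp.example.com
PDC                         dc02.corp.example.com
RID pool manager            dc02.corp.example.com
Infrastructure master       dc03.corp.example.com
The command completed successfully.
"@

function ConvertFrom-NetdomFsmo {
    param([Parameter(Mandatory)][string]$Text)
    $roles = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Each role line is "<role name><two or more spaces><FQDN>".
        # The trailing status line has no run of spaces, so it is skipped.
        if ($line -match '^(?<role>[A-Za-z ]+?)\s{2,}(?<host>\S+)\s*$') {
            $roles[$Matches.role.Trim()] = $Matches.host
        }
    }
    return $roles
}

function Get-AdprepTarget {
    param([Parameter(Mandatory)][hashtable]$Roles)
    # Placement rules from this deck:
    #   /forestprep            -> Schema master (run once per forest)
    #   /domainprep, /gpprep   -> Infrastructure master of EACH domain; this
    #                             function only sees the domain netdom was
    #                             queried in, so rerun it per domain
    #   /rodcprep              -> any computer, but it must reach the Domain
    #                             naming master and every Infrastructure master
    foreach ($required in 'Schema master', 'Domain naming master', 'Infrastructure master') {
        if (-not $Roles.ContainsKey($required)) {
            throw "netdom output did not list the '$required' role; cannot place adprep"
        }
    }
    [pscustomobject]@{
        'adprep /forestprep'         = $Roles['Schema master']
        'adprep /domainprep'         = $Roles['Infrastructure master']
        'adprep /domainprep /gpprep' = $Roles['Infrastructure master']
        'adprep /rodcprep'           = "any computer; must reach $($Roles['Domain naming master']) and $($Roles['Infrastructure master'])"
    }
}

$roles = ConvertFrom-NetdomFsmo -Text $sampleNetdomOutput
Get-AdprepTarget -Roles $roles | Format-List
```

The throw in Get-AdprepTarget is deliberate: if netdom did not report a role (for example because the query was run against a domain where that role holder is offline), guessing a target for adprep is worse than stopping, since adprep /forestprep on the wrong DC simply fails and adprep /rodcprep silently depends on the missing Infrastructure Master being reachable.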
ADMT is a free tool used to
migrate user accounts, groups, computers and other Active Directory objects between Active Directory domains and forests.
ADMT v3.0
supports migration from Windows NT 4.0 domains and between Active Directory forest domains.
ADMT v3.2
used to migrate between Windows Server 2003, 2008 and 2008 R2 forest domains.
ADMT has these features
Preservation of object SID history (the sIDHistory attribute)
Can migrate computer accounts (a domain controller must be demoted to a member server before it can be migrated)
Can migrate user accounts and user profiles
Uses a SQL Server database (such as SQL Server Express) to store migration data
Supports test runs (migration simulation) before committing changes
Provides a measure of rollback
Password migration is secured using encryption
ADMT v3.2 Forest Migration capabilities
can be performed between domains in the same forest (intra-forest migration) or between domains in different forests (inter-forest migration). During inter-forest restructuring or migration the source domain remains intact: migrated objects are copied rather than moved, and both domains remain operational during the restructuring.
ADMT v3.2 provides wizards that automate migration tasks
user, group, service account and computer migrations. The console provides a convenient graphical interface, or you can use the command-line admt.exe utility with parameters, or option files containing lines of migration options and parameters.
ADMT v3.2 allows you to test (simulate) a migration
provides analysis reports and log files that can be used to iron out issues prior to the final migration.
SIDs
every security principal (user, group, computer, etc.) in an AD domain has a security identifier (SID) that is unique across the forest: the domain's SID followed by a relative identifier (RID) for the object. When a user attempts to access a resource, for example a file, the system compares the SIDs in the user's access token against the Access Control Entries (ACEs) in the file's Access Control List (ACL) to determine the level of access granted, or whether access is denied. When a security principal is deleted, its SID is never reassigned and remains unused.
ACLs
All Active Directory resources have an associated ACL, which holds a list of access control entries (ACEs). Each ACE links specific resource permissions with the SID of an Active Directory security principal (user, group, computer, etc.) and records whether those permissions are allowed or denied.
sIDHistory
in addition to the SID attribute, an AD security principal also has a sIDHistory attribute that holds a list of previously held SIDs. When a user is migrated from one domain to another, a new SID is assigned in the target domain and the old SID from the source domain is added to sIDHistory. When the user attempts to access a resource in the source domain, both the new SID and the sIDHistory SIDs are placed in the user's access token and compared against the ACEs on the resource. The user therefore gains access to resources in the new domain while retaining access to resources in the source domain.
ADMT Tool also includes Security Translation Wizard
this allows you to replace the original SID of a migrated security principal with its new SID on the ACEs of all resources in the source domain, which achieves the same effect as sIDHistory without relying on it. In general, sIDHistory is used to maintain access and functionality during the migration, and security translation is then performed to complete the process.
ADMT Security Translation Wizard can translate:
File and folder permissions, printer permissions, share permissions, registry permissions, user rights, group membership
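The SID, sIDHistory and Security Translation Wizard cards above describe one mechanism from three angles; the script below plays it through end to end. It is an added example, not part of the original flashcards or of ADMT: every SID and the file ACL are constructed for the example, Test-Access is a simplified model of how Windows matches token SIDs against ACEs (first matching ACE for the requested right wins, with Deny ACEs listed first as in a canonical ACL), and Invoke-SecurityTranslation reproduces only the "replace" behaviour the card attributes to the wizard. On a real domain the user's attributes would come from Get-ADUser alice -Properties SID,SIDHistory.

```powershell
# Added example (not from the original flashcards or from ADMT): simulate how a
# source-domain ACL is evaluated against a migrated user's SID plus sIDHistory,
# then apply the Security Translation Wizard's "replace" behaviour to the ACL.
# All SIDs and ACEs below are constructed sample data.

# Migrated user: new SID in the target domain, old SID kept in sIDHistory.
$alice = [pscustomobject]@{
    Name       = 'alice'
    SID        = 'S-1-5-21-2222-2222-2222-1105'    # new SID (target domain)
    SIDHistory = @('S-1-5-21-1111-1111-1111-1001')  # old SID (source domain)
}

# A file ACL in the source domain that still names the OLD SID.
# Canonical order: explicit Deny ACEs before Allow ACEs.
$fileAcl = @(
    [pscustomobject]@{ Type = 'Deny';  SID = 'S-1-5-21-1111-1111-1111-1001'; Rights = @('Delete') }
    [pscustomobject]@{ Type = 'Allow'; SID = 'S-1-5-21-1111-1111-1111-1001'; Rights = @('Read', 'Write') }
    [pscustomobject]@{ Type = 'Allow'; SID = 'S-1-5-21-1111-1111-1111-513';  Rights = @('Read') }  # Domain Users
)

function Test-Access {
    param($Principal, [object[]]$Acl, [string]$Right)
    # The access token carries the primary SID and every sIDHistory SID.
    $tokenSids = @($Principal.SID) + @($Principal.SIDHistory)
    foreach ($ace in $Acl) {
        if (($tokenSids -contains $ace.SID) -and ($ace.Rights -contains $Right)) {
            # Simplified model: the first ACE matching the SID and the right decides.
            return ($ace.Type -eq 'Allow')
        }
    }
    return $false   # no matching ACE: implicit deny
}

function Invoke-SecurityTranslation {
    param($Principal, [object[]]$Acl)
    # "Replace" mode: every ACE that names one of the principal's old SIDs is
    # rewritten in place to name the new SID, so the ACL stays correct once
    # sIDHistory is cleared. Returns the same ACE objects, now modified.
    foreach ($ace in $Acl) {
        if ($Principal.SIDHistory -contains $ace.SID) { $ace.SID = $Principal.SID }
    }
    return $Acl
}

# During migration: access works through sIDHistory.
"Read via sIDHistory:   $(Test-Access $alice $fileAcl 'Read')"     # True
"Delete via sIDHistory: $(Test-Access $alice $fileAcl 'Delete')"   # False, the Deny ACE also follows the old SID

# After security translation the ACL names the new SID, so sIDHistory can go.
$translated = Invoke-SecurityTranslation $alice $fileAcl
$alice.SIDHistory = @()
"Read after translation, sIDHistory cleared: $(Test-Access $alice $translated 'Read')"   # True
"ACEs now reference: $(($translated | ForEach-Object SID | Sort-Object -Unique) -join ', ')"
```

Two points worth noticing when you run it: the Deny ACE migrates along with the Allow ACEs, both through sIDHistory and through translation, so a migration never silently widens access; and once translation has run, clearing sIDHistory changes nothing about the user's access, which is exactly the check you would make before removing the attribute at the end of a migration.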
adprep is run on
existing domain controllers (those running the older operating system, such as Windows Server 2003) that hold the Schema Master and Infrastructure Master roles, using the adprep.exe shipped on the Windows Server 2008 R2 media in \support\adprep (adprep32.exe for 32-bit domain controllers).
dcpromo is used for
promoting a server to a domain controller (installing AD DS) and demoting a domain controller (removing AD DS); with /unattend and an answer file it runs without the wizard.
An RODC can be installed in a forest operating at a forest functional level of
Windows Server 2003 or higher (after adprep /rodcprep has been run).
Server Core is an installation option of Windows Server characterized by a reduced set of
server roles and features and no graphical shell. Server Core is designed to reduce the attack surface and the amount of servicing required, to run on reduced hardware resources, and is managed through command-line utilities and Windows PowerShell; it can also be managed from the GUI tools of a remote server.
Shortcut Trust
is deployed to reduce authentication latency for users who frequently authenticate to, or access resources in, a domain that is deeply nested in the tree or at the far end of a slow link. A shortcut trust is transitive and can be configured as one-way or two-way.
Forest Trust
a forest defines the security boundary of an Active Directory implementation; a forest trust lets you establish a transitive trust between two forests. Forest trusts were introduced in Windows Server 2003 and both forests must be at the Windows Server 2003 forest functional level or higher to use them. The trust is transitive between all domains of the two forests (but not onward to any third forest) and can be defined as one-way incoming, one-way outgoing, or two-way. UPNs can be used for authentication across the trust.
External Trust
a non-transitive trust between a Windows Server 2008 R2 domain and a Windows 2000 (or Windows NT 4.0) domain, or between two individual Active Directory domains in separate forests, typically with a business partner or project collaboration partner; it can be one-way or two-way.
Realm Trust
allows a trust between a Windows Server 2008 R2 Active Directory domain and a non-Windows Kerberos V5 realm, such as a UNIX platform running MIT Kerberos; it can be one-way or two-way, transitive or non-transitive.
UPN
User Principal Name, in the form user@UPN-suffix (for example alice@contoso.com). UPNs are stored in the global catalog and are used so that users do not need to know which domain to log on to: with a UPN logon a user can log on from any domain or DC within the forest, and the global catalog resolves the UPN to the account.