Goals
• Install Active Directory
• Verify Active Directory installation
• Introduce operations master roles
• View the operations master role assignments for a domain
• Transfer operations master roles
• Implement an organizational unit structure within a domain
• Examine application data partitions
• Prepare for schema modifications

(Skill 1) Installing Active Directory
• To organize objects and implement domain structure, install Active Directory on a Windows Server 2003 computer using the Active Directory Installation Wizard
• During first-time installation
  • Create the root domain, a new domain tree, and a new forest
  • Designate a Windows Server 2003 computer as a domain controller

(Skill 1) Installing Active Directory (2)
• Creating a domain
  • By default, the domain is configured to run in Windows 2000 mixed mode
  • Windows 2000 mixed mode allows various domain controllers to coexist
    • Windows NT 4.0 backup domain controllers (BDCs)
    • Windows 2000 domain controllers (DCs)
    • Windows Server 2003 domain controllers (DCs)

(Skill 1) Installing Active Directory (3)
• If your network consists of only Windows 2000 and Windows Server 2003 domain controllers, switch to Windows 2000 native mode
• Windows 2000 native mode supports only
  • Windows 2000 domain controllers
  • Windows Server 2003 domain controllers
• Windows 2000 mixed mode and native mode are identical to the modes available in Windows 2000

(Skill 1) Installing Active Directory (4)
• Windows Server 2003 provides two new modes
  • Windows Server 2003 mode
    • Only supports Windows Server 2003 domain controllers
    • Gives you the additional ability to rename domain controllers at any time
  • Windows Server 2003 interim mode is used when you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows Server 2003

(Skill 1) Installing Active Directory (5)
• During Active Directory installation, three components are installed
  • Domain Name System (DNS) service
  • Database and database log files
  • Shared system volume
(Skill 1) Figure 2-1 Active Directory installation
(Skill 1) Figure 2-2 Internet Protocol (TCP/IP) Properties dialog box
(Skill 1) Figure 2-3 Running Dcpromo
(Skill 1) Figure 2-4 Detecting network settings
(Skill 1) Figure 2-5 The Server Role screen
(Skill 1) Figure 2-6 The Operating System Compatibility screen
(Skill 1) Figure 2-7 The Domain Controller Type screen
(Skill 1) Figure 2-8 The Create New Domain screen
(Skill 1) Figure 2-9 The Permissions screen
(Skill 1) Figure 2-10 Adding a client to a domain
(Skill 2) Verifying Active Directory Installation
• After you install Active Directory on the first domain controller, you may need to add additional Active Directory domain controllers
• Before installing additional domain controllers
  • You need installation-critical information from Active Directory
  • You must verify the initial installation to make sure certain components were successfully installed

(Skill 2) Verifying Active Directory Installation (2)
• Use the Active Directory Users and Computers console to verify an Active Directory installation
• Use this console, which is an administrative tool, to create and delete objects, set their permissions, and modify their properties
• Use this console to control primary objects
  • Organizational units (OUs)
  • Windows Server 2003 user accounts, group accounts, and computer accounts
  • Published printers

(Skill 2) Verifying Active Directory Installation (3)
• Verifying an Active Directory installation
  • Verify the presence of the domain that you specified during the Active Directory installation
  • Verify the presence of your new domain controller in the Domain Controllers OU
• The presence of certain administrative tools also verifies that Active Directory was successfully installed
  • Active Directory Domains and Trusts console
  • Active Directory Sites and Services console

(Skill 2) Verifying Active Directory Installation (4)
• Use the Active Directory Domains and Trusts console
  • To manage the trust relationships between two or more domains in the same forest or in different forests
  • To provide interoperability with other domains
  • To raise the domain functional level for a domain
  • To transfer the domain naming master role from one domain controller to another
  • To add alternate User Principal Name (UPN) suffixes to user logon names, or to remove them
(Skill 2) Figure 2-11 The Active Directory Domains and Trusts console
(Skill 2) Verifying Active Directory Installation (5)
• Use the Active Directory Sites and Services console
  • To create sites and subnets
  • To move domain controllers to the correct sites
  • To configure servers as global catalog servers
  • To create site links
• This information is used to decide the replication method for directory information and to process service requests
(Skill 2) Figure 2-12 The Active Directory Sites and Services console
(Skill 2) Figure 2-13 Verifying the presence of a domain controller
(Skill 2) Figure 2-14 The Sysvol directory
(Skill 2) Figure 2-15 The Ntds folder
(Skill 2) Verifying Active Directory Installation (6)
• In addition to the three default consoles, you can also install an additional tool called the Active Directory Schema snap-in
  • Permits you to view and modify the schema
  • The schema defines the types of objects, and the types of information pertaining to those objects, that can be stored in Active Directory
(Skill 2) Figure 2-16 The Active Directory Schema snap-in installed
(Skill 3) Introducing Operations Master Roles
• Replication models
  • Multi-master replication model
    • Used to control most functions
    • All domain controllers have the ability to modify Active Directory
  • Single-master model
    • Used when a single domain controller modifies data to control certain types of events in Active Directory

(Skill 3) Introducing Operations Master Roles (2)
• Each of these special functions is controlled by FSMO (Flexible Single Masters of Operations) servers, more typically called operations masters
• Types of special functions
  • Forest-wide operations master roles
  • Domain-wide operations master roles

(Skill 3) Introducing Operations Master Roles (3)
• Forest-wide operations master roles
  • Two forest-wide FSMO roles
    • Schema master role
    • Domain naming master role
  • Each of these roles can reside on only a single server for the entire forest
  • By default, both roles are held by the first domain controller created in the root domain of the forest

(Skill 3) Introducing Operations Master Roles (4)
• Domain-wide operations master roles
  • Three domain-wide roles
    • Primary domain controller (PDC) emulator role
    • Relative ID (RID) master role
    • Infrastructure master role
  • Each of these roles can reside on only a single domain controller in each domain
  • By default, all three roles are held by the first domain controller created in each domain

(Skill 3) Introducing Operations Master Roles (5)
• When you create the first domain in a new forest, by default all five operations master roles are assigned to the first domain controller in that domain
• Active Directory assigns only the domain-wide operations master roles to the first domain controller of any subsequent child domains that you create in the forest
• The first domain controller in each of the other domains holds the domain-wide operations master roles

(Skill 3) Introducing Operations Master Roles (6)
• Guidelines for planning operations master roles for per-forest roles
  • Assign the two forest-wide roles to a high-uptime server; backups of this machine are of special importance
  • Assign the schema master and the domain naming master roles to a single domain controller in one of the domains in the forest

(Skill 3) Introducing Operations Master Roles (7)
• Guidelines for planning operations master roles for per-domain roles
  • Have at least one additional domain controller act as a standby operations master for the other operations masters
  • If a domain controller fails, the standby domain controller can be manually configured to seize the failed domain controller's roles

(Skill 3) Introducing Operations Master Roles (8)
• Guidelines for planning operations master roles for per-domain roles
  • Assign both the RID master and the PDC emulator roles to the same domain controller
  • If the domain is large, these roles can be assigned to separate domain controllers to reduce the load on the PDC emulator
  • Make sure these servers are always capable of communicating with each other

(Skill 3) Introducing Operations Master Roles (9)
• Guidelines for planning operations master roles for per-domain roles
  • If there is more than one domain, do not assign the infrastructure master role to a domain controller that is hosting the global catalog service
  • Global catalog
    • Stores information about objects in a tree or a forest
    • When this information changes, the global catalog updates the information through replication and always contains the latest information about objects

(Skill 3) Introducing Operations Master Roles (10)
• Guidelines for planning operations master roles for per-domain roles
  • If you assign the infrastructure master role to a domain controller that is also a global catalog server, the infrastructure master will not function properly, because there are no "phantom" references for it to update
  • If possible, place the domain naming master on a server hosting the global catalog

(Skill 4) Viewing the Operations Master Role Assignments for a Domain
• To monitor the operations master roles, you must identify and view the domain controllers that hold the roles
• Regular monitoring of the operations master roles in a domain or forest
  • Enables you to determine the performance and load on each of the operations masters
  • This enables you to decide which roles must be transferred to other domain controllers

(Skill 4) Viewing the Operations Master Role Assignments for a Domain (2)
• To view all of the domain-wide operations master role assignments, use the Active Directory Users and Computers console
• To view the schema master and the domain naming master roles, use the Active Directory Schema snap-in and the Active Directory Domains and Trusts console
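The consoles above show one role at a time. As an added example (not part of the original slides), the script below enumerates all five role holders with the .NET System.DirectoryServices.ActiveDirectory classes available on Windows Server 2003 and checks them against the placement guidelines from Skill 3. It assumes PowerShell 2.0 or later on a domain-joined machine, run as a domain user.

```powershell
# Added example: report the five operations master role holders and flag
# placements that violate the Skill 3 guidelines. Uses only the .NET
# System.DirectoryServices.ActiveDirectory classes (no extra modules).
# Assumption: run on a domain-joined host with PowerShell 2.0 or later.

function Get-OperationsMasterReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    # Domain-wide roles: one holder per domain
    $pdc   = $domain.PdcRoleOwner.Name
    $rid   = $domain.RidRoleOwner.Name
    $infra = $domain.InfrastructureRoleOwner.Name
    # Forest-wide roles: one holder for the whole forest
    $schema = $forest.SchemaRoleOwner.Name
    $naming = $forest.NamingRoleOwner.Name

    # Domain controllers hosting the global catalog
    $gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })

    $warnings = @()
    # Guideline: RID master and PDC emulator normally share a DC
    if ($rid -ne $pdc) {
        $warnings += "RID master ($rid) and PDC emulator ($pdc) are on different DCs; confirm this is intentional for load reasons."
    }
    # Guideline: in a multi-domain forest the infrastructure master must not be a GC
    if ($forest.Domains.Count -gt 1 -and $gcs -contains $infra) {
        $warnings += "Infrastructure master ($infra) is a global catalog server in a multi-domain forest; phantom references will not be updated."
    }
    # Guideline: place the domain naming master on a GC where possible
    if ($gcs -notcontains $naming) {
        $warnings += "Domain naming master ($naming) is not a global catalog server."
    }

    New-Object PSObject -Property @{
        Domain = $domain.Name; Forest = $forest.Name
        PdcEmulator = $pdc; RidMaster = $rid; InfrastructureMaster = $infra
        SchemaMaster = $schema; DomainNamingMaster = $naming
        GlobalCatalogs = $gcs; Warnings = $warnings
    }
}

$report = Get-OperationsMasterReport
$report | Format-List
$report.Warnings | ForEach-Object { Write-Warning $_ }
```

Run it on a schedule and diff the output; an unexpected change of role holder is worth investigating before the next transfer is planned.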
(Skill 4) Figure 2-17 Viewing the default domain-wide operations master role assignments
(Skill 4) Figure 2-18 The Change Schema Master dialog box
(Skill 4) Figure 2-19 The Change Operations Master dialog box
(Skill 5) Transferring Operations Master Roles
• After you have identified the domain controllers that hold the operations master roles, you can easily transfer roles between domain controllers
• Conditions requiring that you transfer operations master roles
  • When you want to change the default operations master because the domain controller is unavailable for replication
  • When the performance of the domain controller holding the operations master role is deteriorating due to excess load

(Skill 5) Transferring Operations Master Roles (2)
• You can transfer operations master roles between domain controllers within a forest, as well as within domains, with the assistance of the original operations master
• To transfer an operations master role from one domain controller to another, make sure that both domain controllers are available and connected to each other through the network

(Skill 5) Transferring Operations Master Roles (3)
• Transferring an operations master role is a two-stage process
  • Connect to the new domain controller that will hold the role
  • Transfer the role to the domain controller you have identified

(Skill 5) Transferring Operations Master Roles (4)
• You use the Active Directory Users and Computers console to transfer the relative ID master, PDC emulator, and infrastructure master roles
• You use the Active Directory Domains and Trusts console to transfer the domain naming master role

(Skill 5) Transferring Operations Master Roles (5)
• Failure of an operations master
  • An operations master may be unavailable due to a system failure
  • If there is any chance of recovering it, you should do so
  • If you cannot recover it, you can force the transfer of the operations master role to another Windows Server 2003 domain controller without the cooperation of the existing owner of the roles
  • This process is called seizing the role
  • Use the Ntdsutil.exe utility at the command prompt to seize any operations master role

(Skill 6) Implementing an Organizational Unit Structure within a Domain
• Planning and creating an organizational unit (OU) structure is the last activity you perform to complete the implementation of Active Directory
• OUs are container objects used to organize the objects in a domain into logical groups, to centralize and simplify administration of a large number of objects
• You can manage users easily and efficiently in an OU
• In a multiple-domain model, each domain implements its own OU hierarchy

(Skill 6) Implementing an Organizational Unit Structure within a Domain (2)
• Advantages of creating OUs
  • You can apply Group Policy to a particular group of users or computers independently of other groups of users and computers in other OUs
  • You can structure a domain according to the departments and locations in your organization
  • Without OUs, all users are maintained in a single list under a domain
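The two-stage transfer (connect, then transfer) and the seizure fallback can both be driven through Ntdsutil.exe, which accepts its interactive commands as quoted arguments. As an added example (not part of the original slides), the function below scripts that session from PowerShell and logs it; it assumes a Windows Server 2003 domain controller, an account with the rights the role requires (Domain Admins for domain-wide roles, Enterprise Admins or Schema Admins for the forest-wide ones), and a placeholder target named DC2.

```powershell
# Added example: transfer or seize an operations master role with Ntdsutil.exe.
# Assumptions: Windows Server 2003 DC, an appropriately privileged account,
# and a target DC named DC2 (placeholder). Ntdsutil shows a confirmation
# dialog before the role changes hands; the session is logged to a file.

function Invoke-NtdsutilRoles {
    param([string]$TargetDc, [string]$Action, [string]$Role)

    # Role names exactly as the "fsmo maintenance" prompt of ntdsutil spells them
    $valid = 'pdc', 'rid master', 'infrastructure master', 'schema master', 'domain naming master'
    if ($valid -notcontains $Role) { throw "Unknown role '$Role'" }
    if ($Action -ne 'transfer' -and $Action -ne 'seize') { throw "Action must be transfer or seize" }

    # Stage 1: connect to the DC that will hold the role.
    # Stage 2: transfer (cooperative) or seize (forced) the role onto it.
    $commands = @(
        'roles',
        'connections',
        "connect to server $TargetDc",
        'quit',
        "$Action $Role",
        'quit',
        'quit'
    )
    & ntdsutil.exe $commands 2>&1 | Tee-Object -FilePath "ntdsutil-$Action-$($Role -replace ' ','_').log"
}

# Normal case: both DCs online, the current holder cooperates.
Invoke-NtdsutilRoles -TargetDc 'DC2' -Action 'transfer' -Role 'pdc'

# Failure case: the holder cannot be recovered. Seize only then. Ntdsutil first
# attempts a transfer and falls back to seizure if the old holder does not
# answer. A former RID, schema or domain naming master must never return to
# the network without being reinstalled, or two DCs would claim the same role.
# Invoke-NtdsutilRoles -TargetDc 'DC2' -Action 'seize' -Role 'rid master'
```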