Designing Active Directory Domain Services
MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)
Learning Objectives
• Create a virtual lab for testing different forest and domain designs
• Plan for different domain and forest functional levels
• Design Active Directory Domain Services domains and forests
• Design trusts and implement a forest trust
• Prepare forests and domains for Windows Server 2008
• Create and use an alternative UPN
• Understand different tools used to migrate Active Directory objects
Basic Review of Active Directory Domain Services
• Active Directory domain
  – Administrative boundary
  – Holds a database of objects

Figure 1-1 A two-tree, four-domain forest. Courtesy Course Technology/Cengage Learning
Active Directory Tree
• One or more domains with a common namespace
  – Includes the top-level name (.com) and second-level name (Cengage)
• Multiple trees within a forest are allowed
• Tree domains in the same forest
  – All domains share the same schema and global catalog
Active Directory Forest
• Includes one or more trees
  – Comprised of one or more domains
  – A single root domain is a forest
• Considered a security boundary
• Forest Enterprise Admins group
  – Can administer any domain in the forest
  – Cannot administer domains in other forests
• Common schema and common global catalog
  – Shared by all forest domains
• Built-in trust relationships with every other forest domain
Schema
• Defines creatable Active Directory objects
  – User, computer, group
  – Each has specific properties defined by the schema
• If an object is not defined in the schema:
  – Object cannot be added to Active Directory
• Schema modification
  – ADPrep: Active Directory preparation tool
Trusts
• When a second or subsequent domain is added to a forest:
  – Trust relationships automatically added to the parent domain
  – Allows child domain users access to parent domain resources
  – Parent domain users can be granted access to child domain resources
• Trusts within a forest: transitive trusts
Global Catalog
• Listing of all forest objects
  – Single-domain forest: includes all domain objects (all forest objects)
  – Multi-domain forest: includes all objects from each forest domain
    • Includes a subset of object properties
• Hosted on a domain controller
  – At least one GC server required for each domain
• Lightweight Directory Access Protocol (LDAP)
  – Used to query GC Active Directory information
Organizational Units
• Used within a domain to organize objects
  – Easier for administrators to manage them
• Reasons for creating an Organizational Unit (OU)
  – Use Group Policy to manage users and computers
  – Delegate permissions to administrators to manage a group of user and computer objects
Group Policy
• Automates domain user and computer management and administration
• Settings created once in a Group Policy object (GPO)
  – Linked to a site, domain, or OU
    • The link becomes the GPO’s scope
• GPO settings apply to all users and computers in the GPO scope
• Group Policy Management Console (GPMC)
  – Primary tool for managing Group Policy
  – Two default Group Policies created in each domain
Site
• Group of well-connected computers or well-connected subnets
• Example:
  – Rooms within a single building
    • Connected with a 1-Gb local area network (LAN)
  – Second building well connected with a 1-Gb LAN
  – Two buildings linked together with a 256-Kb connection
  – Each building considered a site
  – Two buildings not well connected to each other
Understanding Domain and Forest Functional Levels
• Functional level applied
  – Dictates available capabilities within domains and the forest
• As functional levels rise:
  – More capabilities added
• Cannot raise levels
  – Until all domain controllers are running specific versions of Windows Server
• Can only raise the forest functional level
  – When all domains have reached the same level
Understanding Domain and Forest Functional Levels (cont’d.)
• Can only raise the domain functional level
  – When all domain controllers are running the appropriate versions of Windows Server
• Design plan steps
  – Verify all domain controllers are running at least Windows Server 2003
  – Raise the domain functional level of each domain in each forest to at least Windows Server 2003
  – Raise the forest functional level of each forest to at least Windows Server 2003
Domain Functional Level
• Provides different capabilities
• Domain functional levels:
  – Windows Server 2000 Native
  – Windows Server 2003
  – Windows Server 2008
  – Windows Server 2008 R2
• Key concept
  – Domain functional levels directly related to the domain controllers in the domain
• Default domain functional level
  – Windows Server 2000 Native
Table 1-1 Domain Functional Level Features
Domain Functional Level (cont’d.)
• Servers running older server operating systems cannot be promoted to domain controllers
  – Once the domain functional level is raised
• Windows Server 2008 significant addition
  – Fine-grained password and account lockout policies
• Activity 1-3: Raising the Domain Functional Level
Figure 1-4 Raising the domain functional level in Active Directory Users and Computers. Courtesy Course Technology/Cengage Learning
Forest Functional Level Capabilities
• Apply to all domains in the forest
  – Can be applied when all domains have been raised
• Cannot raise the forest functional level
  – Until all domains are raised
• Example: forest functional level of Windows Server 2008
  – Indicates every domain and domain controller in the forest must be running at least Windows Server 2008
• Active Directory Domains and Trusts
  – Used to raise the forest functional level
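The raise rules on this and the preceding functional-level slides (a domain is capped by its oldest domain controller, a forest by its lowest domain) can be checked mechanically against a domain controller inventory. The PowerShell below is an added example and is not from the textbook; the level names follow the slides, while the operating-system mapping, the domain names and the DC list are constructed assumptions.

```powershell
# Added example (not from the textbook): evaluates functional-level readiness
# from a constructed inventory of domain controllers. The level names follow the
# slides; the OS-to-level mapping and the inventory are constructed for illustration.

# Functional levels in ascending order (array index = rank).
$Levels = @('Windows Server 2000 Native', 'Windows Server 2003',
            'Windows Server 2008', 'Windows Server 2008 R2')
# Highest functional level a domain controller can support, by operating system.
$OsRank = @{
    'Windows 2000 Server'    = 0
    'Windows Server 2003'    = 1
    'Windows Server 2008'    = 2
    'Windows Server 2008 R2' = 3
}

function Get-MaxDomainLevel {
    # A domain can be raised only as high as its oldest domain controller allows.
    param([string[]]$DcOperatingSystems)
    $min = ($DcOperatingSystems | ForEach-Object { $OsRank[$_] } | Measure-Object -Minimum).Minimum
    return $Levels[[int]$min]
}

function Get-MaxForestLevel {
    # The forest level is capped by the lowest level any of its domains can reach.
    param([string[]]$DomainLevels)
    $min = ($DomainLevels | ForEach-Object { [array]::IndexOf($Levels, $_) } | Measure-Object -Minimum).Minimum
    return $Levels[[int]$min]
}

function Test-FunctionalLevelPlan {
    # For each domain: the highest level its DCs allow, whether the requested
    # target level is reachable, and which DCs block it. Also reports the
    # highest forest functional level the forest as a whole can reach.
    param([hashtable]$Inventory, [string]$TargetLevel)
    $target = [array]::IndexOf($Levels, $TargetLevel)
    $domains = foreach ($name in $Inventory.Keys) {
        $dcs = $Inventory[$name]                  # DC name -> operating system
        $max = Get-MaxDomainLevel -DcOperatingSystems @($dcs.Values)
        [pscustomobject]@{
            Domain      = $name
            MaxLevel    = $max
            CanRaise    = ([array]::IndexOf($Levels, $max) -ge $target)
            BlockingDCs = @($dcs.Keys | Where-Object { $OsRank[$dcs[$_]] -lt $target })
        }
    }
    [pscustomobject]@{
        Domains        = @($domains)
        MaxForestLevel = Get-MaxForestLevel -DomainLevels @($domains.MaxLevel)
    }
}

# Constructed inventory: the child domain still holds a Windows Server 2003 DC.
$inventory = @{
    'cengage.com'    = @{ 'DC1' = 'Windows Server 2008 R2'; 'DC2' = 'Windows Server 2008' }
    'ct.cengage.com' = @{ 'DC3' = 'Windows Server 2008';    'DC4' = 'Windows Server 2003' }
}
$plan = Test-FunctionalLevelPlan -Inventory $inventory -TargetLevel 'Windows Server 2008'
$cols = 'Domain', 'MaxLevel', 'CanRaise', @{ Name = 'BlockingDCs'; Expression = { $_.BlockingDCs -join ', ' } }
$plan.Domains | Format-Table $cols
"Highest forest functional level reachable now: $($plan.MaxForestLevel)"
```

In a real forest the inventory would come from Get-ADDomainController and the current levels from Get-ADDomain and Get-ADForest; the decision logic is the same.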
Table 1-2 Forest Functional Level Features
Designing Active Directory Domains and Forests
• Involves determining forest and domain structure
  – Logical structure of Active Directory
• Primary questions
  – How many forests are needed?
  – How many domains are needed?
• Single-domain forest
  – Works for the majority of Active Directory designs
  – Compared with multiple domains and multiple forests:
    • Easier to manage and maintain
    • Reduces potential problems
Autonomy vs. Isolation
• Requirements
  – Determined by business needs
  – Implemented by creating one or more forests
• Important points
  – Autonomy
    • Provides independent, but not exclusive, resource control
  – Isolation
    • Provides independent and exclusive resource control
Autonomy
• Independence achieved by:
  – Creating separate domains within a forest
• Does not provide exclusive control
• Service autonomy
  – Organization independently manages the service
    • Manages a child domain within a forest
• Data autonomy
  – Organization independently manages the data
    • Store all objects in an Organizational Unit (OU)
    • Use the Delegation of Control Wizard
Isolation
• Achieved by creating a separate forest
  – Resource sharing still allowed
• Summary
  – If part of an organization needs autonomy:
    • Delegated control over an OU can provide data autonomy
    • A separate domain in the forest can provide service autonomy
  – If complete isolation is required:
    • Design must include a separate forest
Creating a Separate Forest for a Separate Schema
• If extensive schema changes are required for a specific company department or branch
  – Create a separate forest for this group
• Provides isolation for the group
• Limits schema complexities for most of the other users
• Schema changes used by the specific group
  – Not seen in the primary forest
• One-way forest trust used for access to resources in the forest used by the majority of the users
Identifying Bandwidth Requirements for a Forest
• Replication within a well-connected site
  – Rarely a problem
• Replication occurring over a wide area network (WAN)
  – Bandwidth consumption raises concerns
• Create two separate forests to eliminate the replication traffic
• Replication between domains in a forest
  – Less extensive and does not include all domain controllers
Identifying Domain Requirements
• Start the design with a single domain
  – Can handle more than 100,000 users
• Primary reason to create an additional domain
  – Provide service autonomy within a forest
• Additional reasons to create separate domains
  – Control replication traffic over WAN links
  – Protect the root domain
    • And the accounts and groups in it, including the Enterprise Admins group
Identifying Domain Requirements (cont’d.)
• Microsoft-specific recommendations
  – Provide valid starting points

Table 1-3 Maximum Users in a Domain
Understanding Trusts
• Trust relationships
  – Automatically created between domains in a forest
  – Created between individual domains in different forests or between forests
  – Can be one-way or two-way
  – Can be transitive or non-transitive
One-way and Two-way Trusts
• Users in Domain B (trusted domain) granted access to resources in Domain A (trusting domain)
  – Expressed as: Domain A trusts Domain B
• If the arrow points both ways (two one-way arrows):
  – Two-way trust relationship exists

Figure 1-6 Typical one-way trust relationship. Courtesy Course Technology/Cengage Learning
Transitive and Non-Transitive Trusts
• Non-transitive trust
  – Creates an explicit trust relationship between two domains
    • Not transferred to any other domains
• Transitive trust
  – Granted between several domains
    • No explicit trust relationships created between the different domains
Figure 1-7 Transitive trusts in a forest. Courtesy Course Technology/Cengage Learning
Transitive and Non-Transitive Trusts (cont’d.)
• Without transitive trusts:
  – Explicit trust relationships needed between each domain
• Managed in Active Directory Domains and Trusts

Figure 1-8 Viewing a trust in Active Directory Domains and Trusts. Courtesy Course Technology/Cengage Learning
Creating Trusts Between Forests
• Trust relationships between domains in two separate forests
  – External trust
    • Non-transitive
  – Forest trust
    • Transitive
• Forest trusts
  – Became available in Windows Server 2003
  – Allow the creation of one transitive trust between all domains
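The trust properties on the preceding slides (direction, transitivity, external versus forest trusts) can be modelled as a small graph walk from the resource domain outward. This PowerShell is an added example, not from the textbook; it implements a simplified reading of the rules stated on the slides, and every domain name is constructed.

```powershell
# Added example (not from the textbook): a simplified model of trust direction and
# transitivity. Each trust is recorded from the resource side: Trusting trusts Trusted.
# Kinds: 'ParentChild' and 'TreeRoot' are intra-forest (transitive); 'Forest' is
# transitive between two forests but not onward to a third; 'External' is non-transitive.
# All domain names below are constructed.

function New-Trust {
    param([string]$Trusting, [string]$Trusted, [string]$Kind, [switch]$TwoWay)
    $edges = @([pscustomobject]@{ Trusting = $Trusting; Trusted = $Trusted; Kind = $Kind })
    if ($TwoWay) {
        $edges += [pscustomobject]@{ Trusting = $Trusted; Trusted = $Trusting; Kind = $Kind }
    }
    return $edges
}

function Get-TrustPath {
    # Returns the chain of domains that lets users from $AccountDomain authenticate
    # to resources in $ResourceDomain, or $null if the trusts do not allow it.
    param([object[]]$Trusts, [string]$ResourceDomain, [string]$AccountDomain)
    # Breadth-first walk from the resource domain along trusting -> trusted edges.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Domain = $ResourceDomain; Path = @($ResourceDomain); ForestHops = 0; FirstHop = $true })
    $seen = @{}
    $seen[$ResourceDomain] = $true
    while ($queue.Count -gt 0) {
        $state = $queue.Dequeue()
        foreach ($t in @($Trusts | Where-Object { $_.Trusting -eq $state.Domain })) {
            # A non-transitive external trust is usable only as a single direct hop.
            if ($t.Kind -eq 'External' -and -not $state.FirstHop) { continue }
            # A forest trust does not extend to a third forest.
            $hops = $state.ForestHops + [int]($t.Kind -eq 'Forest')
            if ($hops -gt 1) { continue }
            $path = $state.Path + $t.Trusted
            if ($t.Trusted -eq $AccountDomain) { return $path }
            # Nothing beyond an external trust is reachable, so do not walk past it.
            if ($t.Kind -eq 'External' -or $seen.ContainsKey($t.Trusted)) { continue }
            $seen[$t.Trusted] = $true
            $queue.Enqueue(@{ Domain = $t.Trusted; Path = $path; ForestHops = $hops; FirstHop = $false })
        }
    }
    return $null
}

# Constructed forests: cengage.com with child ct.cengage.com; a one-way forest trust
# in which cengage.com trusts partner.com; and a non-transitive external trust in
# which partner.com trusts vendor.com.
$trusts  = @()
$trusts += New-Trust -Trusting 'cengage.com' -Trusted 'ct.cengage.com' -Kind 'ParentChild' -TwoWay
$trusts += New-Trust -Trusting 'cengage.com' -Trusted 'partner.com'    -Kind 'Forest'
$trusts += New-Trust -Trusting 'partner.com' -Trusted 'vendor.com'     -Kind 'External'

$cases = @(
    @{ Resource = 'ct.cengage.com'; Account = 'partner.com' },  # forest trust is transitive within the trusting forest
    @{ Resource = 'partner.com';    Account = 'cengage.com' },  # one-way: the reverse direction was never created
    @{ Resource = 'ct.cengage.com'; Account = 'vendor.com'  },  # external trust does not chain through partner.com
    @{ Resource = 'partner.com';    Account = 'vendor.com'  }   # external trust serves only the directly trusting domain
)
foreach ($c in $cases) {
    $path = Get-TrustPath -Trusts $trusts -ResourceDomain $c.Resource -AccountDomain $c.Account
    $result = if ($path) { $path -join ' -> ' } else { 'no trust path' }
    "{0,-15} resources for {1,-12} users: {2}" -f $c.Resource, $c.Account, $result
}
```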
Choosing the Authentication Method
• Forest-wide authentication
  – Windows automatically authenticates users in other forests
    • Allowing resource access in the local forest
  – Still requires user access to be granted
    • No restriction on which users can be granted access
• Selective authentication
  – Prevents automatic authentication of users in the other forests
    • Allowed To Authenticate permission required
Figure 1-9 Choosing the trust authentication level. Courtesy Course Technology/Cengage Learning
Choosing the Authentication Method (cont’d.)
• Forest-wide authentication
  – Any user can be authenticated
  – Only use if the organization implicitly trusts the other organization
• Activity 1-5: Creating a Forest Trust with Selective Authentication
• Activity 1-6: Configuring DNS to Support the Forest Trust
Granting Access to Users in Another Forest

Figure 1-11 Selecting users from another forest. Courtesy Course Technology/Cengage Learning
Granting Access to Users in Another Forest (cont’d.)
• Once a forest trust is created
  – Can grant access to resources in one domain to users in another domain
• Once the other domain is selected as the location
  – Users in the other domain can be located and granted access to the resource
• Same procedure used for forest-wide authentication or selective authentication
  – Selective authentication requires an additional step
Implementing Selective Authentication
• Implementing selective authentication on a forest trust
  – Requires the Allowed to Authenticate permission on each server or computer where access is granted
  – Accomplished through Active Directory Users and Computers
• Activity 1-7: Granting the Allowed to Authenticate Permission
Figure 1-12 Granting Allowed to Authenticate permission to the Domain Admins group in a trusted domain. Courtesy Course Technology/Cengage Learning
Using ADPrep
• Command-line tool available in the installation DVD Sources\ADPrep folder
  – Must be run with elevated permissions
• Needed if the forest started with servers other than Windows Server 2008
• Three major switches
  – /ForestPrep
  – /DomainPrep
  – /RODCPrep
Preparing the Forest
• ADPrep /ForestPrep command
  – Modifies the forest schema
  – Run on the server currently hosting the schema operations master role
  – Requires membership in each of the following groups
    • Enterprise Admins group
    • Schema Admins group
• From the installation DVD run:
  – D:\Sources\ADPrep\ADPrep /ForestPrep
  – Provide time for replication
Preparing a Domain
• Run the ADPrep /DomainPrep command after ADPrep /ForestPrep
• Run on the server holding the infrastructure operations master role
  – Must be a Domain Admins group member
  – Needs a command prompt with administrative permissions
• After the command runs:
  – Can promote Windows Server 2008 and Windows Server 2008 R2 servers to domain controllers
• Can also run ADPrep /DomainPrep /GPPrep
Preparing for RODCs
• Run the ADPrep /RODCPrep command
• Required even if the first domain controller in the forest was created on a Windows Server 2008 or Windows Server 2008 R2 server
• Can be run on any domain controller in the forest
• Only needs to be run once
• Must be a member of the Enterprise Admins group to run this command
Migration Strategies
• Reasons for redesign:
  – Accommodate organization restructure
  – Reflect changes in the organization’s physical layout
  – Reduce organization complexity
    • By reducing the number of domains or forests
• Factors affecting the upgrade or migration
  – Time constraints
  – Resource availability
  – Funding
  – Application compatibility
Active Directory Migration Tool (ADMT)
• Migrates objects from one domain to another
  – Within the same forest or between different forests
• Objects commonly migrated:
  – Users, computers, groups
• Current ADMT version: version 3.1
  – Free copy available at Microsoft’s download site
• ADMT source: where accounts are migrating from
• ADMT destination: where accounts are migrating to
ADMT Versions Needed for Different Functional Levels
• Functional level required for the target domain:
  – Windows Server 2000 Native
  – Windows Server 2003
  – Windows Server 2008
• Cannot migrate objects from a Windows 2000 mixed domain functional level
  – Must remove or upgrade NT 4.0 domain controllers
    • Then raise the domain functional level
  – Can also use ADMT v3.0 to migrate objects from NT 4.0 domains
Interforest and Intraforest Migration
• Interforest migration
  – Objects migrated between domains in separate forests
• Intraforest migration
  – Objects migrated between domains in the same forest

Table 1-4 Comparison of Interforest and Intraforest Migrations
Understanding and Using SID History
• Security identifier (SID)
  – Uniquely identifies a domain/forest object
  – Created when the object is created
  – Used to grant access to objects in the domain
• Discretionary Access Control List (DACL)
  – Controls access to any domain resource
Figure 1-13 Viewing SIDs in a DACL. Courtesy Course Technology/Cengage Learning
Understanding and Using SID History (cont’d.)
• Implementing SID history
  – Allows importing of the original SID when importing the account
  – Users retain access to data and resources
• ADMT supports SID history retention
  – Account can carry multiple SIDs
    • Included in SID history
Using SID Filtering
• Used when SID history presents a security risk
  – If an attacker obtains SID history data:
    • Attacker can assign these SIDs to the SID history attribute of accounts he creates in his own domain
    • New accounts have access to resources based on the SIDs listed in SID history
• Also referred to as SID filter quarantining
• Risk prevention
  – Blocks the use of any SIDs not originating in the same domain
Using SID Filtering (cont’d.)
• Disable SID filtering
  – Run the Netdom command on the trusting domain
    • Requires a command prompt with elevated permissions
    • Requires a Domain Admins or Enterprise Admins group account member
    • Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
  – Use only after careful consideration
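The risk and the control described on the SID filtering slides can be demonstrated in PowerShell with the .NET SecurityIdentifier type: with quarantining on, a sIDHistory value that points into the trusting domain never reaches the resource's DACL check. This is an added example, not from the textbook; the domain SIDs, RIDs and the resource's allow entry are constructed, and the quarantine rule is a simplified statement of what the slides describe.

```powershell
# Added example (not from the textbook): shows why SID filter quarantining blocks an
# injected sIDHistory value. The domain identifiers, RIDs and allow ACE below are
# constructed; the System.Security.Principal.SecurityIdentifier type is real .NET.

# Constructed domain SIDs for the one-way trust in Figure 1-14 (Cengage trusts CT).
$TrustingDomainSid = 'S-1-5-21-1000000001-1000000002-1000000003'   # Cengage (resource side)
$TrustedDomainSid  = 'S-1-5-21-2000000001-2000000002-2000000003'   # CT (account side)

function Invoke-SidFilterQuarantine {
    # Quarantine rule (simplified): keep only SIDs whose account-domain portion is the
    # trusted domain's own identifier. Anything else, including a sIDHistory value
    # that points into another domain, is removed from the inbound authorization data.
    param([string[]]$TokenSids, [string]$TrustedDomainSid)
    $trusted = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $TrustedDomainSid
    $TokenSids | Where-Object {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $_
        $sid.IsAccountSid() -and ($sid.AccountDomainSid -eq $trusted)
    }
}

function Test-ResourceAccess {
    # Simplified DACL evaluation: access is granted when any SID carried by the
    # token matches an allow ACE on the resource.
    param([string[]]$TokenSids, [string[]]$AllowAces)
    foreach ($s in $TokenSids) {
        if ($AllowAces -contains $s) { return $true }
    }
    return $false
}

# Resource in the trusting domain: only its own Domain Admins group (RID 512) is allowed.
$resourceAllowAces = @("${TrustingDomainSid}-512")

# Authorization data arriving from the trusted domain: the user's SID, Domain Users,
# and a sIDHistory entry carrying the trusting domain's Domain Admins SID.
$inboundSids = @(
    "${TrustedDomainSid}-1105",    # user account in CT
    "${TrustedDomainSid}-513",     # Domain Users in CT
    "${TrustingDomainSid}-512"     # foreign SID present only because of sIDHistory
)

$quarantined = @(Invoke-SidFilterQuarantine -TokenSids $inboundSids -TrustedDomainSid $TrustedDomainSid)

[pscustomobject]@{
    AccessWithSidFiltering  = Test-ResourceAccess -TokenSids $quarantined -AllowAces $resourceAllowAces
    AccessWithFilteringOff  = Test-ResourceAccess -TokenSids $inboundSids -AllowAces $resourceAllowAces
    SidsRemovedByQuarantine = @($inboundSids | Where-Object { $quarantined -notcontains $_ })
}
```

The AccessWithFilteringOff field is the situation the Netdom /quarantine:No command above creates, which is why the slide says to use it only after careful consideration.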
Figure 1-14 One-way trust between Cengage and CT. Courtesy Course Technology/Cengage Learning
Using SID Filtering (cont’d.)
• Activity 1-8: Verifying SID Filtering Status

Figure 1-15 Disabling SID filtering. Courtesy Course Technology/Cengage Learning
Using Alternative UPN Suffixes
• User Principal Name (UPN)
  – Allows a user to log on with an account name that looks like an e-mail address
• May create alternative UPN suffixes
  – Assign these to users in the domain
• Activity 1-9: Creating an Alternative UPN Suffix
Figure 1-16 Creating an alternative UPN suffix. Courtesy Course Technology/Cengage Learning
Figure 1-17 Assigning an alternative UPN suffix to a user account. Courtesy Course Technology/Cengage Learning
Installing the ADMT
• Install and run ADMT v3.1 on a Windows Server 2008 domain controller
  – In the target domain
  – Previous ADMT versions on this domain controller
    • Should be uninstalled first
• Activity 1-10: Installing ADMT
Enabling SID History for ADMT
• Steps:
  – Create a domain local group in the source domain
    • Named NetBIOSDomainName$$$
  – Modify the registry of the PDC emulator in the source domain
    • Create a DWORD value named TcpipClientSupport in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa subkey
    • Set the value to 1
Enabling SID History for ADMT (cont’d.)
• Steps (cont’d.)
  – Enable Success and Failure auditing for Account Management in the Default Domain Controllers Policy
    • In both the source and target domains
  – Install and configure the Password Export Server (PES) service tool
Running ADMT
• After installing ADMT v3.1
  – Migration process can begin
    • Requires a trust relationship between the source and target domains
• Trust examples:
  – Trust between two domains in the same forest
    • Can be a direct parent-child trust or a transitive trust
  – External trust between two domains in different forests
  – Forest trust between two separate forests
• Activity 1-11: Running a Test Migration with ADMT
Figure 1-18 Selecting Group Account Migration. Courtesy Course Technology/Cengage Learning
Figure 1-19 Completing the source and target domain selections. Courtesy Course Technology/Cengage Learning
Figure 1-20 Successfully migrating a group. Courtesy Course Technology/Cengage Learning
Summary
• Active Directory basics
  – Tree, forest, schema, trusts, global catalog, Organizational Unit, Group Policy, site
• Domain and forest functional levels
  – Dictate available features
• Design considerations
  – Autonomy and isolation, separate forests, bandwidth requirements, domain requirements
• Active Directory Preparation (ADPrep) tool
Summary (cont’d.)
• Trusts
  – One-way and two-way trusts, transitive and non-transitive trusts, trusts between forests
• Authentication methods
  – Forest-wide and selective authentication
• Migration considerations
  – Active Directory Migration Tool (ADMT)
  – Interforest and intraforest migration
  – SID history and SID filtering
    • Using the Netdom command