Back from March break, hope yours was as good as mine. Let's get back to studying.
Windows Server 2008 Active Directory
This lesson covers the new and enhanced features of AD in Windows Server 2008. It does not cover the general day-to-day tasks which, as an experienced system administrator, you already know.
Introducing Windows Server 2008 Active Directory Server Role
What’s new:
- Read-Only Domain Controllers
- New Enhanced Tools and Wizards
- Fine-grain Security Policies
- Restartable AD DS
- AD DS Data Mining Tool
- Auditing Enhancements
Planning and Information on RODCs
Read-only domain controllers are domain controllers you can install where physical security is not guaranteed; think of a branch office where several people have access to the server. Before RODCs, a branch office typically relied on a WAN link to a domain controller at head office, and if the WAN link failed the users at the branch were in trouble. RODCs address this problem without placing a full, writeable copy of the directory (every password hash included) in the branch. Requirements: at least one writeable Windows Server 2008 domain controller in the domain, a forest functional level of Windows Server 2003 or higher (the domain functional level must also be Windows Server 2003 or higher), and adprep /rodcprep run once in a forest that existed before Windows Server 2008. When a user logs on at the branch, the first logon is authenticated across the WAN by a writeable DC; if the Password Replication Policy allows it, the RODC then caches that user's credentials so subsequent logons are served locally. The Password Replication Policy (PRP) controls which accounts may be cached on the RODC. By default it denies caching for Domain Admins, Enterprise Admins, Schema Admins and other built-in privileged groups, so a stolen RODC exposes only the branch accounts you chose to cache, and when you delete the RODC's computer account you are offered the option to reset those cached passwords. You can also delegate local administration of the RODC (Administrator Role Separation) to a branch user without giving that user any rights in the domain. Finally, RODCs host read-only copies of AD-integrated DNS zones: they do not accept dynamic updates from clients and do not register NS resource records. When a client tries to update its DNS records against an RODC, the RODC refers the client to a writeable DC.
Utilizing wizard Enhancements
A new option for dcpromo is advanced mode (dcpromo /adv). Advanced mode lets you select the source DC for the initial replication, or use Install From Media (a backup taken from an existing DC) to cut down on network traffic during the initial replication. You can create a new domain tree and change the default NetBIOS name, set the forest and domain functional levels when you create a new forest or domain, and configure the Password Replication Policy for an RODC. Another change is that existing domain names are selected from a list instead of typed. When creating an answer file, Password=* makes dcpromo prompt for the password instead of storing it in clear text in the answer file. The answer file still carries the Directory Services Restore Mode password, so protect it and delete it once the promotion is complete.
Delegating RODC Installation
You can perform the first part of the RODC installation at HQ by pre-creating the RODC computer account in Active Directory Users and Computers (choosing the site, the Password Replication Policy and the delegated user), then have the branch user who has been delegated authority over that account complete the task. That user finishes the installation on the branch server by running dcpromo /UseExistingAccount:Attach; no Domain Admins membership is needed at the branch.
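The RODC, answer-file and delegated-installation paragraphs above describe a procedure; the following is an added example of that procedure in PowerShell, not code from the book or this blog. It writes a dcpromo answer file for a direct RODC promotion with a Password Replication Policy and a delegated administrator, runs dcpromo unattended, and then uses repadmin to check what the RODC is actually caching. Every name in it (contoso.com, site Branch01, HQ-DC1, BRANCH01-RODC, CONTOSO\branch-admin, the groups) is an assumption for the example.

```powershell
# Added example, not from the book or this blog: promote a branch server to an RODC
# with dcpromo in unattended mode, then check what the RODC is actually caching.
# Assumed names: domain contoso.com, site Branch01, source DC HQ-DC1, RODC name
# BRANCH01-RODC, delegated branch admin CONTOSO\branch-admin, group "Branch01 Users".
# Run on the branch server from an account that may add DCs (Domain Admins).

$answerFile = 'C:\rodc-unattend.txt'

# Password=* makes dcpromo prompt for the credential instead of storing it in clear
# text. The file still carries the DSRM password, so treat it as a secret and delete
# it once the promotion has finished. "<DSRM password>" is a placeholder.
@"
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
SiteName=Branch01
ReplicationSourceDC=HQ-DC1.contoso.com
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=contoso.com
UserName=administrator
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=<DSRM password>
DelegatedAdmin=CONTOSO\branch-admin
PasswordReplicationAllowed=CONTOSO\Branch01 Users
PasswordReplicationDenied=CONTOSO\Domain Admins
PasswordReplicationDenied=CONTOSO\Enterprise Admins
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

& dcpromo /unattend:$answerFile

# Afterwards, from any DC: which accounts' passwords are now stored on the RODC
# (reveal) and which accounts have authenticated through it without being cached
# (auth2). A privileged account under "reveal" means the PRP is too loose; the
# "auth2" list is the input for deciding what to add to the Allowed list.
& repadmin /prp view BRANCH01-RODC reveal
& repadmin /prp view BRANCH01-RODC auth2

# Extend the Allowed list later without touching the branch server.
& repadmin /prp add BRANCH01-RODC allow "CONTOSO\Branch01 Helpdesk"
```

For the staged installation, the branch user runs dcpromo /UseExistingAccount:Attach together with /unattend; the site, PRP and delegated administrator then come from the pre-created account rather than from the answer file.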
Utilizing MMC Enhancements
There are several enhancements in Active Directory Users and Computers. A Find command has been added to the toolbar and the Action menu. You can now easily see which site a DC is in. You can also use the MMC to determine which accounts' passwords have been replicated to an RODC: open the RODC computer account, go to the Password Replication Policy tab and click Advanced.
Planning Fine-Grained Password and Account Lockout Policies
I showed this in my presentation last February to the OWSUG. Fine-grained password policies need a domain functional level of Windows Server 2008. A Password Settings Object (PSO) can be applied only to users and global security groups, not to OUs and not through a GPO, so it is best to create a global security group, link the PSO to it and manage membership of the group. If more than one PSO applies to a user, a PSO linked directly to the user wins over any linked through a group, and among group-linked PSOs the one with the lowest msDS-PasswordSettingsPrecedence wins. The tool you use is either ADSI Edit (create the object under CN=Password Settings Container,CN=System in the domain partition) or an LDF file with the settings, imported with the ldifde command.
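As an added example (not the book's or the blog's own code) of the LDF route described above: the script below computes the I8 duration values a PSO requires, writes the LDF file and imports it with ldifde. The domain DC=contoso,DC=com, the group "Service Accounts", the account svc-backup and the policy values are all assumptions for the example.

```powershell
# Added example, not from the book or this blog: build a Password Settings Object
# for service accounts as an LDF file and import it with ldifde. Assumed domain
# DC=contoso,DC=com and an existing global security group
# "CN=Service Accounts,CN=Users,DC=contoso,DC=com"; the age and lockout values are
# the example's own choices.

# PSO duration attributes are I8 values: a negative count of 100-nanosecond
# intervals. .NET ticks are also 100 ns, so TimeSpan.Ticks gives the magnitude.
# "Never" (for the maximum age) would be the most negative Int64, -9223372036854775808.
function ConvertTo-PsoInterval([TimeSpan]$span) {
    return (0 - $span.Ticks)
}

$maxAge     = ConvertTo-PsoInterval ([TimeSpan]::FromDays(42))     # -36288000000000
$minAge     = ConvertTo-PsoInterval ([TimeSpan]::FromDays(1))      # -864000000000
$lockoutWin = ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30))  # -18000000000
$lockoutDur = ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30))  # -18000000000

# Lower precedence wins when several group-linked PSOs apply to one user; a PSO
# linked directly to the user beats all group-linked ones. Lockout duration must
# not be shorter than the observation window, and the minimum age not longer than
# the maximum age, or the import is rejected.
$ldif = @"
dn: CN=PSO-ServiceAccounts,CN=Password Settings Container,CN=System,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 20
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $lockoutWin
msDS-LockoutDuration: $lockoutDur
msDS-PSOAppliesTo: CN=Service Accounts,CN=Users,DC=contoso,DC=com
"@

$ldfFile = 'C:\pso-serviceaccounts.ldf'
Set-Content -Path $ldfFile -Value $ldif -Encoding ASCII
& ldifde -i -f $ldfFile

# Confirm which PSO actually governs a member of the group (assumed account name).
& dsget user 'CN=svc-backup,CN=Users,DC=contoso,DC=com' -effectivepso
```

The dsget check at the end is the one to run before you rely on the policy: it reports the resultant PSO after precedence is applied, which is what the user will actually get, not just what you linked.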
Planning the Use of the Data Mining Tool
You can create snapshots of the AD database with ntdsutil (snapshot create) and mount one with dsamain.exe as a separate, read-only LDAP instance on a port of your choosing; you can then browse it with any LDAP tool, such as LDP or Active Directory Users and Computers pointed at that port. This lets you compare the live directory with a point-in-time copy and identify what changed or what needs restoring without first performing an authoritative restore, which is why it helps when you develop a backup and recovery plan for your AD data. A snapshot is a full copy of ntds.dit, password hashes included, so protect the mounted volume as you would the live database and delete the snapshot when you are done.
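The following is an added example of the snapshot workflow just described (not the book's or the blog's own code): create and mount a snapshot, serve it with dsamain on an alternate port, export the same group memberships from the snapshot and the live directory, and diff them. The mount path under C:\$SNAP_... is generated by ntdsutil and the one shown is a placeholder; the domain, OU and port are assumptions.

```powershell
# Added example, not from the book or this blog: take an AD DS snapshot, mount it
# with dsamain on an alternate LDAP port, export the same data from the snapshot and
# from the live directory, and diff them. Run on a DC as a Domain Admin. The
# $SNAP_... path is generated by ntdsutil when the snapshot is mounted; the value
# below is a placeholder you replace with the path ntdsutil prints.

# 1. Create the snapshot (a VSS shadow copy of the volume holding ntds.dit).
& ntdsutil 'activate instance ntds' snapshot create quit quit

# 2. List the snapshots and mount the first one; ntdsutil prints the mount path.
& ntdsutil snapshot 'list all' 'mount 1' quit quit

# 3. Serve the mounted copy read-only over LDAP on port 51389. dsamain holds the
#    console until Ctrl+C, so run this line in a second console and leave it up.
$snapshotDit = 'C:\$SNAP_201003211200_VOLUMEC$\Windows\NTDS\ntds.dit'   # placeholder
& dsamain /dbpath $snapshotDit /ldapport 51389

# 4. Export the membership of every group in an OU from the snapshot (-s/-t point
#    ldifde at the mounted copy) and from the live directory, then compare.
$ou = 'OU=Admins,DC=contoso,DC=com'
& ldifde -f C:\groups-snapshot.ldf -s localhost -t 51389 -d $ou -r '(objectClass=group)' -l member
& ldifde -f C:\groups-live.ldf -d $ou -r '(objectClass=group)' -l member
Compare-Object (Get-Content C:\groups-snapshot.ldf) (Get-Content C:\groups-live.ldf)

# 5. Stop dsamain (Ctrl+C), then unmount and delete the snapshot. Until you do,
#    a full copy of ntds.dit, password hashes included, sits on the mounted volume.
& ntdsutil snapshot 'list all' 'unmount 1' 'delete 1' quit quit
```

Compare-Object lists the member lines present in one export but not the other, which is usually the question you are trying to answer (who was added to an admin group, and when, relative to the snapshot).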
Planning AD DS Auditing
Windows Server 2008 turns on the Audit directory service access policy on domain controllers by default, as Windows Server 2003 did, but the policy is now split into four subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication. The new Directory Service Changes subcategory records the old and new values of a changed attribute; it is off by default and is enabled with auditpol.exe. Events are only generated for objects whose SACL audits the operation. Event IDs: 5136 Modify, 5137 Create, 5138 Undelete, 5139 Move.
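An added example (not from the book or this blog) of putting those events to use: enable the Directory Service Changes subcategory, pull the 5136 to 5139 events with wevtutil, parse the XML, and flag changes to the member attribute of privileged groups. The domain DC=contoso,DC=com and the group list are assumptions for the example.

```powershell
# Added example, not from the book or this blog: enable the Directory Service Changes
# subcategory, pull the 5136-5139 events with wevtutil and flag membership changes to
# privileged groups. Assumed domain DC=contoso,DC=com; the privileged group list is
# the example's own. Run on a DC.

# 1. Turn on old/new value auditing of directory changes and show the DS Access
#    subcategories so you can see which are enabled.
& auditpol /set /subcategory:'Directory Service Changes' /success:enable
& auditpol /get /category:'DS Access'
# The object written to must also carry a SACL entry for the write (Auditing tab
# under Advanced Security Settings, usually inherited from the domain or OU).

# 2. Read the most recent change events as XML. wevtutil emits bare <Event>
#    elements, so wrap them in a root before parsing. Each event becomes a hashtable
#    of its EventData fields plus EventID.
function Get-DsChangeEvents([int]$count = 500) {
    $xpath = '*[System[(EventID>=5136) and (EventID<=5139)]]'
    $lines = wevtutil qe Security /q:$xpath /f:xml /c:$count /rd:true
    $doc = [xml]('<Events>' + [string]::Join('', @($lines)) + '</Events>')
    $events = @()
    foreach ($e in $doc.Events.Event) {
        if ($e -eq $null) { continue }
        $fields = @{ EventID = [int]$e.System.EventID }
        foreach ($d in $e.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $events += $fields
    }
    return $events
}

# 3. Detection: a 5136 on the member attribute of a privileged group is a change to
#    that group's membership. OperationType %%14674 is "Value Added", %%14675 is
#    "Value Deleted"; AttributeValue is the DN that was added or removed.
$privilegedGroups = @(
    'CN=Domain Admins,CN=Users,DC=contoso,DC=com',
    'CN=Enterprise Admins,CN=Users,DC=contoso,DC=com',
    'CN=Administrators,CN=Builtin,DC=contoso,DC=com'
)

function Find-PrivilegedGroupChanges($events) {
    $hits = @()
    foreach ($ev in $events) {
        if ($ev.EventID -ne 5136) { continue }
        if ($ev.AttributeLDAPDisplayName -ne 'member') { continue }
        if (-not ($privilegedGroups -contains $ev.ObjectDN)) { continue }
        $op = 'changed'
        if ($ev.OperationType -eq '%%14674') { $op = 'added' }
        if ($ev.OperationType -eq '%%14675') { $op = 'removed' }
        $hits += ('{0}\{1} {2} {3} in {4}' -f $ev.SubjectDomainName, $ev.SubjectUserName, $op, $ev.AttributeValue, $ev.ObjectDN)
    }
    return $hits
}

Find-PrivilegedGroupChanges (Get-DsChangeEvents)
```

The point of the Directory Service Changes subcategory over the older Directory Service Access events is visible in the output: the event carries the value that was written (the DN added to the group) and who wrote it, so the detection does not need a second lookup.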
Planning Domain and Forest Functionality
Remember that you can raise the functional level of a domain or forest, but in Windows Server 2008 you cannot lower it again, so treat the raise as a one-way change and confirm that every DC is at the required version first.
Domain Functional Level Considerations
Windows Server 2008 supports the following domain functional levels:
- Windows 2000 Native
- Windows Server 2003
- Windows Server 2008
Domain Functional Level | Supported DCs |
---|---|
Windows 2000 Native | Windows 2000 Server, Windows Server 2003, Windows Server 2008 |
Windows Server 2003 | Windows Server 2003, Windows Server 2008 |
Windows Server 2008 | Windows Server 2008 |
Not covered here is the Windows Server 2003 interim level (it exists as both a domain and a forest functional level), which is only used when upgrading a Windows NT 4.0 domain straight to Windows Server 2003; Windows Server 2008 DCs cannot be added to a domain at that level.
Be sure to check out the table on page 153 of the book and remember some of the features of each of the levels. Remember that to rename a domain, the forest functional level needs to be Windows Server 2003. For fine-grained password policies, the domain functional level needs to be Windows Server 2008.
Forest Functional Level Considerations
Forest Functional Level | Supported DCs |
---|---|
Windows 2000 | Windows NT 4.0, Windows 2000 Server, Windows Server 2003, Windows Server 2008 |
Windows Server 2003 | Windows Server 2003, Windows Server 2008 |
Windows Server 2008 | Windows Server 2008 |
On page 155 of the book there is another good chart describing what changed between the Windows 2000 and Windows Server 2003 forest levels. There are no new forest-wide features between the Windows Server 2003 and Windows Server 2008 levels; raising the forest to Windows Server 2008 only guarantees that every domain in it is at the Windows Server 2008 domain level.
Forest Level Trusts
Trust Types
- Shortcut Trust – Makes authentication quicker for users in one child domain who access resources in a different child domain of the same forest, by skipping the referral path up and down the tree through the forest root.
- External Trust – Used when a domain requires a trust with a domain that does not belong to the forest, for example a Windows Server 2008 domain trusting a Windows NT 4.0 domain, or a single domain in another forest. External trusts are non-transitive.
- Realm Trust – A trust between a Windows domain and a non-Windows Kerberos realm, such as a UNIX MIT Kerberos realm.
- Forest Trust – A transitive trust between the root domains of two forests, covered next.
Creating Forest Trusts
Forest trusts are created in Active Directory Domains and Trusts from the Administrative Tools. Both forests must be at the Windows Server 2003 forest functional level or higher, and DNS in each forest must be able to resolve the other. You need to connect to a DC in the forest root domain before creating the trust. Right-click the root domain, click Properties, go to the Trusts tab and click New Trust to launch the wizard. You choose the type of trust and the direction: one-way incoming, one-way outgoing or two-way. You then decide whether to create only your side of the trust or both sides; to create both, you need credentials with administrative rights in the other forest. After that, you select Forest-wide authentication or Selective authentication. Selective authentication is the safer choice for a partner you do not control: users from the other forest can only authenticate to computers in your forest on which they have explicitly been granted the Allowed to Authenticate right. SID filtering is on by default for a new forest trust, so SIDs in a token from the other forest that were not issued by that forest (SID history included) are discarded; leave it on unless you are in the middle of a migration that needs SID history.
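As an added example (not the book's or the blog's own code), the same forest trust from the command line with netdom, followed by the checks worth running on any new trust. The two forests, contoso.com and fabrikam.com, and the partner administrator account are assumptions for the example.

```powershell
# Added example, not from the book or this blog: the same forest trust from the
# command line with netdom, followed by the checks worth running on any new trust.
# Assumed forests: contoso.com (ours) and fabrikam.com (the partner); the partner
# administrator account is an assumption. Run on a DC in the contoso.com forest root.

# Create a two-way trust between the two forest roots, creating both sides at once
# (needs admin credentials in fabrikam.com; /PasswordO:* prompts so the password
# does not end up in the console history), then mark it forest transitive.
& netdom trust contoso.com /Domain:fabrikam.com /Add /TwoWay /UserO:FABRIKAM\administrator /PasswordO:*
& netdom trust contoso.com /Domain:fabrikam.com /ForestTRANsitive:Yes /UserO:FABRIKAM\administrator /PasswordO:*

# Verify the trust works in both directions.
& netdom trust contoso.com /Domain:fabrikam.com /Verify /TwoWay

# SID filtering: with SID history enabled across the trust, a SID from outside
# fabrikam.com carried in a fabrikam token is honoured by contoso resources, which
# is exactly what someone who controls fabrikam.com wants. Show the current setting,
# then make sure SID history stays disabled.
& netdom trust contoso.com /Domain:fabrikam.com /EnableSIDHistory
& netdom trust contoso.com /Domain:fabrikam.com /EnableSIDHistory:No

# Selective authentication: fabrikam users can only authenticate to contoso
# computers on which they have been granted "Allowed to Authenticate".
& netdom trust contoso.com /Domain:fabrikam.com /SelectiveAUTH:Yes

# List everything contoso.com trusts, to spot anything you did not create.
& netdom query /Domain:contoso.com trust
```

The last command is worth scheduling: an unexpected entry in the trust list is one of the simplest indicators that someone has given an outside domain a path into your forest.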
Whew, this was a big lesson and lots to digest. Spend significant time on this lesson, as you can bet you will see a few questions on this subject on the exam. Active Directory is the bread and butter of Windows Server.
*Disclaimer:
My notes helping me prepare for the 70-646 exam, PRO: Windows Server 2008, Server Administrator, are just that: notes. I am trying to help highlight what is covered in the book, not replicate it. If you want to pass the exam, you will need more than just these notes. I suggest you get a good book and get familiar with the product. The expectation is that you have about one year of experience with Windows Server 2008 (your mileage may vary) when writing this exam. The book I am using for my preparation, and from which I am drawing the information for these notes, is the Microsoft Press book MCITP Exam Prep 70-646: Windows Server Administration; ISBN: 0735625107.