IT ACADEMY LESSON PLAN. Microsoft Windows Server Active Directory

Transcription

1 2008 IT ACADEMY LESSON PLAN Microsoft Windows Server Active Directory

2 Microsoft Windows Server 2008 Active Directory: Lesson Plans Introduction Preparing to teach a course on Microsoft Windows Server 2008 Active Directory Configuration, based on Exam : TS: Active Directory Configuration for the first time can be a challenge requiring careful planning and organization. The Microsoft IT Academy provides these lesson plans to help you save time, skillfully manage the teaching environment, and successfully communicate the intended lesson. The lesson plans are flexible and have been created in a concise format of small teachable units to allow you to use them with any textbook. To support a textbook-independent teaching style, each lesson plan contains suggested demonstrations and explanations. These lesson plans have been developed to be independent of a predefined lesson schedule. Whether the course is taught in a one-semester or one-quarter term format, we suggest the following class format: a 60-minute lesson lecture followed by a 120-minute lab (hands-on performance) session. This model is recommended in order to increase student performance and enhance the knowledge and skills gained through active participation in the course. Each lesson plan includes: Learning Goals for each lesson. Learning Objectives that may be observed throughout the lesson. Lecture Outline that details what to present in each class. Quick Quiz of multiple choice and true/false type questions. Lesson Exercises and Lesson Projects are provided at the end of each Lesson Plan to directly connect the student with the materials that have just been covered in class. The projects can be used independent of a textbook or as an assessment to determine skill mastery. To simplify the scoring process, an annotated answer key for each exercise and project is included to adequately determine if the learning objective was accomplished through process of lecture and activity. Microsoft Video Resources at the end of each unit provide links to video resources available for classroom use at no charge through your IT Academy membership. They can be used in class or by students as self-paced instruction or as lesson reinforcement outside of class.

3 Lesson 1: An Introduction to Active Directory Domain Services Microsoft Windows Server 2008 Active Directory Lesson Plans Learning Goals//The goal of this lesson is to introduce students to the Windows Server 2008 Active Directory Domain Services (AD DS) and to point out the benefits of AD DS. The student will learn about the features of AD DS. Learning Objectives Upon completion of this lesson, students will be able to understand: Active Directory domain service Active Directory security Components of Active Directory Active Directory naming standards Working with functional levels in Active Directory Lesson Introduction What is Active Directory Domain Services? Explain that Microsoft Windows Server 2008 includes Active Directory Services that assist the administrator in managing and securing the network. Student will learn what Active Directory is and the components of AD and its functional levels. Instructors should do the following: Explain that directory services allow network administrators to define, manage, access, and secure network resources. Point out that the two components of Windows Server 2008 that provide directory services are Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). Explain that AD DS provides full directory services and is commonly referred to as Active Directory. Explain that AD LDS is a flexible platform that offers Active Directory functionality without the full overhead. Point out that any computer configured to use Active Directory DS role is considered to be a domain controller. Explain that the ability of Active Directory to keep all network domain controllers apprised of changes to the system is called replication. Point out that the process of a domain controller transmitting replication information to another domain controller is called outbound replication.

4 Point out that the process of a domain controller receiving updates from Active Directory via another domain controller is called inbound replication. Explain that Active Directory is used to simplify the security management of network resources and to extend interoperability with applications and devices. What is Active Directory Security? What Are the Components of Active Directory? Instructors should do the following: Point out that interoperability with prior versions of Microsoft Windows Active Directory Service is available in Windows Server 2008 through domain functional levels. Explain that Windows Server 2008 no longer supports the use of Windows NT domain controllers. Explain that Windows Server 2008 provides single sign-on access to any server on the domain. Explain that Active Directory offers a redundant solution and creates a fault tolerant system in the event of server failure or network connectivity failure. Point out that the Active Directory databases file (ntds.dit) is the common database file that is replicated to other domain controllers when changes occur. Explain that Windows Server 2008 includes a Read-Only Domain Controller (RODC) option, which maintains a copy of the ntds.dit file that cannot be modified. This file increases security for branch-office deployments. Explain that Publishing is a way to make an object available to the network as a resource listed in the Active Directory. Instructors should do the following: Explain that components in Active Directory provide flexibility through design, scalability, administration, and security. Point out that objects in Active Directory are categorized as container objects or leaf objects. Explain that a container object is an object that houses other objects. Explain that a leaf object cannot contain other objects and typically refers to a printer, folder, user, or group. Point out that the largest container object in Active Directory is called a forest. Explain that a forest enables a user to access resources across an entire Active Directory forest using a single logon.

5 Point out that for efficiency, partitions are used to divide information into naming contexts (NC). Explain that the two NCs that are replicated forest-wide and stored in the ntds.dit file are the Schema NC and Configuration NC. Point out that the Schema NC contains rules and definitions for creating and modifying object classes within Active Directory. Point out that the Configuration NC contains information regarding the physical topology of the network. Explain that each domain controller stores a copy of the Domain NC that consists of user, computer, and other information for a particular Active Directory domain. Explain that within a forest, Active Directory further divides to create administrative boundaries. Point out that a domain tree is a logical grouping of network resources and devices that contain one or more domains. Explain that the Active Directory global catalog is not considered a formal partition but should be replicated throughout the forest. Point out that the Active Directory can contain one or more organizational units (OUs) that can further subdivide users and resources. Explain that an OU is a container that represents a logical grouping of resources that have similar security guidelines. Point out that OUs are nested in hierarchical fashion, allowing a parent OU to contain one or more child OUs. Explain that the administration of an OU can be delegated to a department supervisor or manager to allow that person to manage daily resource access tasks. Explain that the Application Partition allows administrators to fine-tune administration by designating where information will be replicated to in the domain or forest. Explain that each resource in Active Directory is represented as an object and each object has a set of attributes. Explain that objects in Active Directory are defined in the Active Directory schema. Point out that a schema is a master database containing definitions of all objects in the Active Directory. Explain that a schema is created from two components: the object and its attributes. Explain that common attributes for all objects include a unique name, a globally unique identifier (GUID), required object attributes, and optional object attributes.

6 Point out that a site in Active Directory is defined as one or more IP subnets that are connected. Explain that replication within a site takes place at regularly scheduled intervals that are defined by the administrator. Explain that the Knowledge Consistency Checker (KCC) au- What Are the Active Directory Naming Standards? Instructors should do the following: Explain that the Lightweight Directory Access Protocol (LDAP) has become industry standard, since it enables data exchange between directory services and applications. Point out that LDAP defines the naming of all objects in the Active Directory database. Explain that a Distinguished Name (DN) defines an object in the Active Directory structure through its hierarchical path. Point out that the LDAP Naming Attributes include the Common Name, Organizational Unit Name, and Domain Components. Explain that the Domain Name System (DNS) is Active Directory s default name resolution method. Point out that the configuration of DNS is critical for proper functioning of Active Directory. Explain that DNS is a distributed name resolution service that provides name resolution for Active Directory domain and computer host name to IP address mappings on the network. Point out that computers are assigned an IP address and a DNS host name at installation. Explain that Active Directory relies on DNS to be a locator service for clients on the network. Explain that SRV records are the locator records within DNS that allow the client to locate an Active Directory domain controller. Explain that without SRV records, clients will be unable to authenticate against Active Directory.

7 Working with Functional Levels in Active Directory? Instructors should do the following: Point out that functional levels may be changed in Active Directory for a single domain within a multi-domain environment, allowing for rolling upgrades. Explain that changing functional levels is an irreversible action that can be undone only through a systemwide restore. Explain that the following are functional levels available in Windows Server 2008: Windows 2000 Native, Windows Server 2003, and Windows Server Point out that the following functionality is available for the Windows 2000 Native level: Install from Media, Application partitions, Drag-and-drop user interface, Global Group nesting and Universal Security groups, and SIDHistory. Point out that with the Windows Server 2003 functional level, the Windows 2000 Native level function is available as well as the following additional functions: lastlogontimestamp attributes, Passwords and inetorgperson objects, and Domain rename. Point out that the Windows 2000 functional level is the default forest functional level for Windows Server 2008 and includes the following features: Install from Media, Universal group caching, and Application Directory Partitions. Point out that the Windows Server 2003 functional level includes all Windows Server 2000 features as well as the following: Improved replication of group objects, Dynamic auxiliary class objects, User objects can be converted to inet- OrgPerson objects, Schema deactivations, Domain rename, Cross-forest trusts permitted, and Improved Intersite Topology Generator (ISTG). Discuss the guidelines that are important for raising a forest level in Windows Server Explain that trust relationships are used in Windows Server 2008 to allow access to multiple domains across enterprise networks. Point out that in a trust relationship, administrators from one domain grant access to resources for administrators from another domain. Explain that a shortcut trust or direct path between two domains may be created to expedite the process of creating a trust relationship. Explain that although an external trust can be created, allowing users in the trusting domain to have access to a trusted domain, it is a one-way trust. Users in the trusted domain may not access the trusting domain.

8 Explain that a cross-forest trust can be created, allowing users in domains running at least Windows Server 2003 functional levels to establish either one-way or two-way relationships. Lesson Quiz True/False 1. Active Directory utilizes a single-master database, with all updates and changes made on the primary domain controller. 2. A domain is the largest container object in Active Directory. 3. By default, security settings applied to an organizational unit will be inherited by all child organizational units. 4. Active Directory uses SRV records in DNS to locate domain controllers and global catalog servers. 5. Each domain within a single Active Directory forest will have its own individual Schema. Multiple Choice 1. Which of the following are valid container objects in Active Directory? Choose three. a) Organizational units b) Forests c) Domains d) Security groups 2. The Schema database contains what two types of information? a) Object attributes b) User names c) Object classes d) Active Directory containers 3. Active Directory uses what protocol for the basis of its naming format? a) NetBios b) DNS c) Answer Choice d) LDAP

9 4. What is the default forest functional level in Windows Server 2008 Active Directory? a) Windows Server 2003 b) Windows Server 2000 c) Windows Server 2000 Mixed d) Windows Server What type of trust can be created to improve performance between two Active Directory domains within the same forest that may be separated by a slow WAN link? a) External trust b) Two-way transitive trust c) Shortcut trust d) Direct domain trust Quiz Answers True/False 1. False. Active Directory utilizes a multi-master database. 2. False. A forest is the largest container object in Active Directory. 3. True. 4. True. 5. False. The Schema is defined at the forest level for all domains in a forest. Multiple Choice 1. A, B, C 2. A, C 3. D 4. B 5. C Class Projects Lesson 1 Exercise 1 List and explain the three partitions or naming contexts that are present on each domain controller. Explain how each is replicated. Explain what an application partition is used for. List eight types of objects that can be contained in an organizational unit.

10 Lesson 1 Project 1 List and explain the three domain functional levels supported in Windows Server 2008 Active Directory. What features are supported with each functional level? Give an example of when each functional level would be appropriate. What are the three forest functional levels supported in Windows Server 2008 Active directory? How do forest functional levels differ from domain functional levels? Microsoft Video Resources Windows Server 2008 R2 Quick Look Active Directory Administrative Center This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25 Windows Server 2008 R2 Quick Look System Health Report A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis. Length: 4:36

11 Lesson 2: Implementation of Active Directory Microsoft Windows Server 2008 Active Directory Lesson Plans Learning Goals//The goal of this lesson is to guide students through the implementation of Windows Server 2008 Active Directory Domain Services (AD DS). Point out that students will use the components of AD DS that were discussed previously. Learning Objectives Upon completion of this lesson, students will be able to understand: Active Directory requirements Installing Active Directory Raising functional levels Additional Active Directory installation tasks Lesson Introduction Explain that Microsoft Windows Server 2008 implementation requires students to understand the system prerequisites that must be in place. Students will learn how to create a new Active Directory forest, domain tree, and domain. Understanding Active Directory Requirements Instructors should do the following: Explain the importance of being familiar with the Windows Server 2008 Central Administrative Interface. Demonstrate and describe the Central Administrative Interface to students. Point out that Active Directory is installed by configuring one or more domain controllers. Explain that the Active Directory Installation Wizard (dcpromo) is used to guide the installation scenarios of: Adding a domain controller to an existing environment. Creating an entirely new forest structure. Adding a child domain to an existing domain. Adding a new domain tree to an existing forest. Demoting domain controllers and eventually removing a domain or forest.

12 Point out that Active Directory may be installed on a full version of Windows Server 2008, Server Core, or a new installation option in Windows Server Explain the following requirements for installing Active Directory: The user must have an administrator account and password on the local machine. An NT File System (NTFS) partition for the SYSVOL folder structure must be set up. The NTFS partition must contain a minimum of 200 MB of free space. A minimum of 50 MB of file space is necessary to store the transaction log files. TCP/IP (Transmission Control Protocol/Internet Protocol) must be installed and configured. An Authoritative DNS Server for the DNS domain must be established. The user must know the potential size of the Active Directory database. Explain that it is advisable to gather all data needed for the Active Directory installation prior to beginning. The following are needed: Local administrator password Domain controller type Domain name Location for the AD database and log files Location for the SYSVOL folder structure Where DNS will be installed Directory Services Restore Mode (DSRM) password Installation CD or network location of the installation files Installation of the most up-to-date service packs and Installing Active Directory Instructors should do the following: Point out that the forest root domain is the first Active Directory Domain. Explain that child and additional domain trees may be added to the forest root domain. Explain that the dcpromo.exe command will launch the AD Installation Wizard. Point out that the first domain controller installed will house the Flexible Single Master Operations (FSMO) roles, which are server roles that work together to ensure multimaster functionality.

13 Demonstrate how to install a new Active Directory forest using the Server Manager. Point out that when installation is complete, the computer must be rebooted to configure the new domain controller. Explain the significance of verifying the correct installation and configuration of DNS. Explain that the administrator must verify that the following DNS items were created during installation: Application directory partition Aging and scavenging for zones Forward lookup zones and SRV records Reverse lookup zones Explain that it is important to know that: DNS Application directory partitions were created. It is necessary to be a member of the Enterprise Admin group to create or modify an application directory partition. An application directory partition can be created manually if it was not created through the installation wizard. Point out that aging and scavenging are processes for cleaning up the DNS database after DNS records become out of date. Demonstrate how to configure aging and scavenging through the DNS Tool found in the Administrative Tools Folder. Explain that the administrator must verify that appropriate DNS records were created during the installation wizard. Point out that Forward Lookup Zones are used for name resolution in computer host name to IP address mappings. Demonstrate how to verify the creation of a Forward Lookup Zone through the Administrative Tools Folder. Point out that each SRV record created in Active Directory contains the following: Protocol Domain name Time-to-live Priority Weight Port Demonstrate how to verify zone and record creation using the Administrative Tools Folder. Explain that Dynamic Updates must be selected in order for domain controllers to register their records with DNS.

14 Demonstrate how to verify that dynamic updates are selected through Active Directory Properties. Explain that Reverse Lookup Zones answer queries in which a client provides an IP address and DNS resolves the IP address to a host name. Demonstrate how to create a reverse lookup zone through the Administrative Tools Folder. Raising Functional Levels Instructors should do the following: Explain that the purpose of raising functional levels in Active Directory is to enable administrators to take advantage of more advanced features. Explain that domain and forest functional levels provide backward compatibility with previous versions of Windows Server. Point out that the key requirements for raising functional levels include knowing: This is a one-way operation. Each domain is handled independently. The forest functional level cannot be raised until all domains in the forest are raised to a minimum of the domain functional level. The administrator must be logged in as a member of the Domain Admins group to raise a domain. The administrator must be logged in as a member of the Enterprise Admins group to raise the forest. Demonstrate how to raise the domain functional level using tools in the Administrative Tools Folder. Demonstrate how to raise the forest functional level using tools in the Administrative Tools Folder. Explain that to provide fault tolerance, a second domain controller should be added to each domain. Demonstrate how to add a second domain controller to the forest root domain using administrative credentials on the existing Active Directory domain.

15 Additional Active Directory Installation Tasks Instructors should do the following: Explain that the Windows Server 2008 Server Core is an environment for running only specific services and roles. Point out that Server Core runs without the use of a graphical user interface (GUI). Demonstrate how to install Active Directory on Server Core using administrative credentials on the existing Active Directory domain. Explain that removing Active Directory from an Active Directory domain is done for troubleshooting purposes or to decommission older hardware. Demonstrate how to remove Active Directory using the administrative credentials on the existing Active Directory domain. Explain that a read-only domain controller (RODC) is a highsecurity domain controller suitable for deployment in a branch office. Demonstrate how to configure a read-only domain controller using administrative credentials on the domain where the RODC is be added. Point out that it is possible to run a staged installation of an RODC at a central location and then permit the administrator to complete the installation. Demonstrate how to set up a staged installation of an RODC using the tools available in the Administrative Tools Folder. Demonstrate how to complete a staged installation of an RODC as the remote administrator. Explain that if a writable domain controller is ever compromised, it is necessary to decommission an RODC to minimize damage. Demonstrate how to decommission an RODC using the options available in Active Directory. Point out that it may be necessary to modify the Active Directory Schema to support in-house applications. Discuss how students should plan for changes to the Active Directory Schema by understanding that: Schema extensions are replicated to all domain controllers. Default system classes cannot be modified. Classes and attributes added to the Schema cannot be removed. Triggers will replicate the modification throughout the forest.

16 Latency should be anticipated before all domain controllers contain consistent Schema information. Explain that the Active Directory Schema may be extended for commercial applications manually using a snap-in. Demonstrate how to install the Schema management snapin by logging in as a member of the Schema Admins group. Explain that Active Directory Lightweight Directory Services (AD LDS) allows directory-enabled applications to store data in the Active Directory Schema. Demonstrate how to configure AD LDS by logging in as a member of the local Administrators group. Point out that trust relationships are necessary to enable resource accessibility between domains and forests. Discuss the four types of trusts that can be established: Shortcut trusts Cross-forest trusts External trusts Realm trusts Demonstrate how to create a trust relationship by logging in as a member of the Domain Admins group on the local domain. Demonstrate how to verify a trust relationship using Active Directory by logging in as a member of the Domain Admins group. Demonstrate how to verify a trust relationship using NET- DOM by logging in as a member of the Domain Admins group. Demonstrate how to revoke a trust relationship using Active Directory Domains and Trusts by logging in as a member of the Domain Admins group. Demonstrate how to revoke a trust relationship using NET- DOM by logging in as a member of the Domain Admins group. Explain that a User Principal Name (UPN) is stored in the global catalog and is available forest-wide. Demonstrate how to change the default suffix for user principal names by logging in as a member of the Enterprise Admins group.

17 Lesson Quiz Microsoft Windows Server 2008 Active Directory Lesson Plans True/False 1. The Active Directory Installation Wizard can be launched by issuing the dcpromo.exe command. 2. After installing Active Directory and DNS, one of the postinstallation tasks requires creating the DNS Application Directory Partition. 3. When installing Microsoft DNS, Forward Lookup and Reverse Lookup Zones are configured by default. 4. The Server Core version of Windows Server 2008 does not utilize a GUI interface and must be administered through the Command Line. 5. Active Directory Lightweight Directory Services is designed for small branch offices that don t need the entire suite of Active Directory Services. Multiple Choice 1. To configure DNS to automatically clean up old DNS records, you should configure: a) Stale Resource Record Cleanup b) Forward Lookup Zone Cleanup c) Aging/Scavenging d) DNS Record age limits 2. Which of the following are valid zone types that can be selected when configuring Microsoft DNS? Choose three. a) Stub Zone b) Active Directory Zone c) Secondary Zone d) Primary Zone 3. Which level of Active Directory credential is required to raise the forest functional level? a) Domain Administrator b) Forest Administrator c) Enterprise Administrator d) Any of the above 4. Which two of the choices below are unique to a Windows Server 2008 Read Only Domain Controller? a) Outbound only replication b) Locally stored password replication policy c) Inbound replication only d) Must contain all FSMO roles

18 5. Which of the following are types of manual trusts that can be created in a Windows Server 2008 environment? Choose all that apply. a) Realm trust b) Shortcut trust c) Cross-forest trust d) External trust Quiz Answers True/False 1. True. 2. False. The DNS Application Directory Partition is created automatically during the AD and DNS installation process. 3. False. Only Forward Lookup zones are configured by default. 4. True. 5. False. The ASLDS role is used primarily by developers. Multiple Choice 1. C 2. A, C, D 3. C 4. B, C 5. A, B, C, D Class Projects Lesson 2 Exercise 1 Explain the items that should be verified in DNS to ensure that the Active Directory installation process has correctly configured the DNS Services. Explain what a DNS SRV record is used for. List and explain the six pieces of information stored with most SRV records.

19 Lesson 2 Project 1 You are a network administrator for ABC Corp. Your environment consists of three locations, one of which does not have highly skilled IT engineers and is not as secure as you would like it. There are 1,000 users spread throughout the three locations. You have been asked to set up an Active Directory environment using Windows Server Explain how you would recommend setting up the environment. How many and what types of domain controllers would you put in each location? How would you configure DNS? Microsoft Video Links Windows Server 2008 R2 Quick Look Server Core This video provides a quick overview to help you as an administrator in Windows Server 2008 R2, particularly a couple of enhancements inside Windows Server Core. Length: 5:07 Windows Server 2008 R2 Quick Look Active Directory Administrative Center This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25

20 Lesson 3: Using Active Directory Sites Microsoft Windows Server 2008 Active Directory Lesson Plans Learning Goals//The goal of this lesson is to guide students through Active Directory Sites. Point out that students will learn about replication and site management. Learning Objectives Upon completion of this lesson, students will be able to: Understand Active Directory Sites Understand Active Directory Site replication Understand Active Directory Site management Lesson Introduction Explain that working with Microsoft Windows Server 2008 Active Directory Sites requires that students understand the purpose of sites and site replication. Students will learn the differences in replication types, how to implement a plan for management of a site, and monitoring site replication to prevent errors. Students will also learn that site replication is the tool used to sustain an efficient and consistent Active Directory environment. Understanding Active Directory Sites Instructors should do the following: Explain that replication is the process of duplicating Active Directory information between domain controllers for fault tolerance and redundancy. Explain that Active Directory Sites allow administrators to control replication traffic. Point out that Active Directory replicates through intrasite and intersite replication. Explain that intrasite replication is the replication of domain controllers that reside on the same Active Directory site. Explain that intersite replication is the replication of domain controllers that reside on different Active Directory sites. Explain that intersite replication is compressed to reduce bandwidth usage.

21 Point out that Active Directory sites have the following characteristics: Defined by IP Subnets. Multiple sites are joined by site links. Replication is organized by defined groups of servers. Clients query the site information within DNS, at logon, to determine the domain controller to access. Sites are independent of logical structure. Understanding Replication Instructors should do the following: Explain that Active Directory creates a replication topology so that all writeable domain controllers can communicate AD information with each other. Point out that one of the following conditions must be met for replication to occur: An object is added to or removed from Active Directory. The value of an attribute has changed. The name of an object has changed. Explain that an Update Sequence Number (USN) is maintained to keep track of any changes to the domain controller. Point out that in addition to the USN, a Version ID with each Active Directory attribute keeps track of how many times the attribute has been changed. Explain that Active Directory uses the Version ID and USN as tie-breakers to determine which attributes to keep and which to discard. Explain that the final tie-breaker is the time stamp. Point out that Active Directory will designate a bridgehead server to act as a gatekeeper to supervise site-to-site replication. Explain that convergence describes the amount of time required for replication to occur. Explain that prior to Intrasite Replication, the Knowledge Consistency Checker (KCC) maps the logical network topology between domain controllers. Point out that the KCC will select replication partners for a domain controller and create connection objects between domain controllers and the new partner. Explain that linked-value replication (LVR) triggers group member replication due to changes in functional levels.

22 Point out that the primary principle for KCCs is the Rule of Three, which states that no single domain controller should be more than three hops away from any domain controller that can originate a change to the Active Directory database. Point out that the KCC will run every 15 minutes and analyzes the best path and placement for connection objects. Point out that intrasite replication minimizes latency to allow for quick changes. Explain that KCC creates a dual counter-rotating ring that reroutes traffic if a domain controller in the ring fails. Explain that domain controllers use change notification to inform one another of changes that need to be replicated. Point out that some operations will generate an urgent rep- Understanding Site Management Instructors should do the following: Point out that the administrator may create and manage additional sites to better control the replication traffic. Demonstrate how to rename the default first-site name using the Active Directory Sites and Services MMC Snap-in. Demonstrate how to create a new site using Active Directory Sites and Services. Demonstrate how to create a new subnet to correspond with any new physical segment on the network. Point out that Active Directory Sites must use intersite replication to enable global network communication. Explain that a site link is a logical, transitive connection between two sites that mirrors the routed connections between networks and allows for replication. Point out that one site within the Active Directory environment must run the intersite topology generator (ISTG), which enables bridgehead server selection and mapping of the topology. Explain that cost, schedule, and frequency control the behavior of replication traffic over a site link. Demonstrate how to create a new site link object through Active Directory Sites and Services. Explain that when appropriate protocols must be selected when configuring replication. Point out that Remote Procedure Calls over Internet Protocol (RPC over IP) and Simple Mail Transport Protocol (SMTP) are the two possible protocols for replication.

23 Explain that RPC over IP is the default protocol for all replication traffic and is commonly used to communicate with network services. Explain that SMTP should be used when a direct or reliable IP connection is not available and is the standard messaging protocol. Explain that a bridgehead server is designated to minimize the bandwidth required for intersite replications, since this is a bandwidth intensive process. Explain that the administrator may select to override the default bridgehead server and create a preferred bridgehead server list. Demonstrate how to designate preferred bridgehead servers through Active Directory Sites and Services. Point out that domain controllers from different sites can communication through the site link bridge. Explain that the site link bridge is enabled by default. Demonstrate how to disable automatic site link bridging through Active Directory Sites and Services. Demonstrate how to create a manual site link bridge through Active Directory Sites and Services. Point out that administrators may have to force or manage replication due to an Active Directory problem. Demonstrate how to refresh the intrasite replication topology through Active Directory Sites and Services. Demonstrate how to determine which server holds the ISTG (Intersite Topology Generator) role through Active Directory Sites and Services. Demonstrate how to force manual replication, between two Domain Controllers to correct errors or inconsistencies, through Active Directory Sites and Services. Point out that many issues can be prevented by monitoring the replication activity. Explain out that two tools for monitoring replication are Dcdiag and Repadmin. Explain that the following can be accomplished with Dcdiag: Perform connectivity and replications tests Report DNS registration problems Analyze the permissions required for replication Analyze the state of domain controllers within the forest

24 Explain that the following can be accomplished with Repadmin: View the replication topology from each domain controller Manually create a replication topology Force replication between domain controllers View the replication metadata Lesson Quiz True/False 1. While intrasite replication occurs almost immediately, intersite replication occurs at a configured interval, which by default is every 180 minutes. 2. Active Directory sites replicate the logical structure of the environment and can contain only one Active Directory domain. 3. The bridgehead server in an Active Directory site receives replication updates from all domain controllers in remote sites. 4. Intrasite replication uses the Knowledge Consistency Checker (KCC) to determine replication paths. 5. In a multi-site environment, each domain controller runs the Intersite Topology Generator to determine site replication paths. Multiple Choice 1. Active Directory sites are based on which of the following? a) Domain structure b) Forest Structure c) IP subnets d) DNS naming 2. Active Directory replication occurs when all of the following occur except: a) The name of an object changes b) A client PC logons to the domain c) An objected is added or removed from Active Directory d) The value of an attribute has changed

25 3. What is the connection called that connects two sites and enables replication to occur? a) Site Bridge b) Transitive trust c) Route Path d) Site Link 4. Which two of the following protocols can be used for intersite replication? a) DNS b) IP c) SNMP d) IPX/SPX 5. Which two of the following tools can be used to monitor and manage Active Directory sites? a) Dcdaig b) Netdiag c) Nslookup d) Repadmin Quiz Answers True/False 1. True. 2. False. AD sites represent the physical structure of the environment and may contain multiple domains. 3. False. Bridgehead servers communicate only the bridgehead server in the remote sites for replication information. 4. True. 5. False. One domain controller within each site runs the ISTG process. Multiple Choice 1. C 2. B 3. D 4. B 5. A, D

26 Class Projects Lesson 3 Exercise 1 Explain how Active Directory keeps track of changes to the ntds.dit file and handles changes that are replicated. What three factors can be used to determine if a replicated change should be added by the receiving domain controller? List and explain the three attributes that should be configured when creating a site link in a multiple site environment. Lesson 3 Project 1 Explain in detail the intrasite and intersite replication process. Include in your definition the replication protocols used, factors used to determine which replication protocol is appropriate, replication interval, how replication partners are determined, how compression is used or not used, etc. Microsoft Video Resources Windows Server 2008 R2 Quick Look Active Directory Administrative Center This video provides a quick look at Active Directory Administrative Center, the new administrative tool in Windows Server 2008 R2. Length: 6:25 Windows Server 2008 R2 Quick Look System Health Report A quick look at System Health Report, a tool in Windows Server 2008 R2 that helps you analyze your servers and provides you with prescriptive system diagnosis. Length: 4:36

27 Lesson 4: Using Global Catalog and Flexible Single Master Operations (FSMO) Roles Microsoft Windows Server 2008 Active Directory Lesson Plans Learning Goals//The goal of this lesson is to explain the important role of the global catalog server in Active Directory. Point out that students will also learn about the Flexible Single Master Operations role in Active Directory domains and forest. Learning Objectives Upon completion of this lesson, students will be able to: Understand the global catalog Understand Flexible Single Master Operations (FSMO) roles Understand site management Lesson Introduction Explain that Microsoft Windows Server 2008 Active Directory s global catalog and Flexible Single Master Operation (FSMO) roles are important roles in the accurate functionality of Active Directory. Students will learn about the placement of the global catalog, and how to add or remove a global catalog. Student will also learn the function of Relative Identifier, Infrastructure Master, Primary Domain Controller Emulator, Domain Naming, and Schema Master FSMO roles in the Active Directory domain and forest. Understanding the Global Catalog Instructors should do the following: Explain that the global catalog houses a subset of forestwide Active Directory objects and is a central repository of object copies. Point out that complete object copies and partial copies of objects from other domains within the same forest are referred to as partial attribute sets (PAS). Explain that by default the first domain controller installed on a forest houses the global catalog server. Point out that the four main functions of the global catalog are: Facilitating searches for objects in the forest. Resolving User Principal Names (UPN).

28 Maintaining universal group membership information. Maintaining a copy of all objects in the domain. Explain that a universal group contains users, groups, and computers from any domain in the forest. Explain that when an attribute is indexed, it is stored in the PAS and replicated to all global catalogs. Explain that if a global catalog server is not available, then universal global memberships are stored on the local domain controller. This is called universal group membership caching. Point out the following benefits of universal caching: Eliminates the need for a global catalog in remote locations Provides better logon performance for users with cached information Minimizes WAN usage for replication traffic Demonstrate how to enable universal group membership caching using Active Directory Sites and Services. Point out that the following guidelines will help the administrator determine if an additional global catalog server is needed: Each site should contain a global catalog server to facilitate user logons. The amount of bandwidth necessary to replicate the global catalog information should be considered. The domain controller must have ample hard drive space to house the global catalog. The site containing port 3268, the port used for Active Directory object searches, must also be the site containing the global catalog server. Demonstrate how to configure an additional global catalog server using Active Directory Sites and Services. Understanding Flexible Single Master Operations (FSMO) Roles Instructors should do the following: Explain that FSMO includes specialized roles such as schema management or adding and removing additional domains from an Active Directory forest. Explain that Active Directory supports a total of five FSMO roles, and their functionality is distributed among domainwide and forest-wide FSMOs.

29 Point out that the three domain-specific FSMO roles that are: Relative Identifier (RID) Master Infrastructure Master Primary Domain Controller (PDC) Master Explain that the Relative Identifier (RID) Master is related to the domain that it was created for and is assigned to an object at creation. Point out that RIDs are a part of the object s security identifier (SID). Explain that the Infrastructure Master is responsible for replicating changes to an object s SID or distinguished name (DN). Point out that the Infrastructure Master replicates changes to all domains that have a trust relationship with the source domain. Explain that the Primary Domain Controller (PDC) emulator is responsible for the following tasks: Time management synchronization within an Active Directory Domain Managing edits to Group Policy Objects Managing replication of security-sensitive account replication events Explain that the following Active Directory time synchronization processes are used to assist in conflict resolution: Client and member services within a domain will synchronize their clocks against the domain controller that authenticated them. Domain controllers in each domain will synchronize their time against the PDC Emulator of their domain. The PDC Emulator of each domain in the forest will synchronize its time against the PDC Emulator of the forest root domain. The PDC Emulator of the forest root domain can obtain its time from the internal clock. Point out that the two roles in Active Directory that have forest-wide authority are: Domain Naming Master Schema Master Explain that the Domain Naming Master role is held by only one domain controller in the forest, and this role verifies the uniqueness of the name to the forest. Explain that the Schema Master role is the manager for all schema modifications that take place in the Active Directory.

30 Point out that the following should be considered when determining the locations for the FSMO role: Number of domains that will be part of the domain Physical structure of the network Number of domain controllers that will be available on each domain Point out that the two attributes used to describe a domain controller are: Highly available High capacity Explain that highly available domain controllers are centrally located and contain additional hardware to keep the controller functioning properly. Explain that high-capacity domain controllers have great processing ability and more memory, and are available through faster network access. Point out that the two techniques used to manage FSMO role outages are: Role transfer Role seizure Explain that role transfer occurs when the FSMO is moved from one domain controller to another. Explain that role seizure occurs when a forced transfer of FSMO from one domain controller to another occurs due to failure. Demonstrate how to view the RID Master, PDC Emulator, or Infrastructure Master FSMO Role holders using the Active Directory Users and Computer MMC Snap-in. Demonstrate how to view the Domain Naming Master FSMO Role holder through Active Directory Domains and Trusts. Demonstrate how to view the Schema Master FSMO Role holder through the Active Directory Schema Snap-in. Demonstrate how to transfer the RID Master, PDS Emulator, or Infrastructure Master FSMO Role through the Active Directory Users and Computers MMC Snap-in. Demonstrate how to transfer the Domain Naming Master FSMO Role through Active Directory Domains and Trusts snap-in. Demonstrate how to transfer the Schema Master FSMO Role through the Active Directory Schema Snap-in. Demonstrate how to seize an FSMO Role through the command prompt.

31 Lesson Quiz True/False 1. A global catalog server will contain a complete copy of its Domain NC, but not information about other domains in the forest. 2. For redundancy, it is recommended that each domain have at least two RID Masters. 3. If a user object, John Doe, is deleted and then re-created later exactly as it was before being deleted, it will receive the same GUID as the original John Doe. 4. The Domain Naming Master is a domain-specific FSMO role that has responsibility for ensuring that all names within a domain are unique. 5. If the RID Master fails, the failure will not be visible until the domain controller runs out of RIDS that were previously assigned by the RID Master. Multiple Choice 1. What feature of Windows Server 2008 can allow remote members of Universal groups to log on to the domain when a local global catalog server is not available? a) Two-way transitive trusts between domains b) Local cached credentials c) Universal Group Caching d) RID Master 2. Which three of the following FSMO roles are domain specific? a) Relative Identifier (RID) Master b) Schema Master c) Primary Domain Controller (PDC) Emulator d) Infrastructure Master 3. Which two of the following five FSMO roles have forestwide authority? a) Domain Naming Master b) RID Master c) Schema Master d) Infrastructure Master

32 4. It s considered a best practice to run which two of the following FSMO roles on the same domain controller? a) Schema Master b) PDC Emulator c) Domain Name Master d) RID Master 5. Which of the following procedures would be used to recover from a domain controller failure when the domain controller was running one or more of the FSMO roles? a) Role Seizure b) Role Transfer c) Role Migration d) Role Failover Quiz Answers True/False 1. False. A global catalog server contains a complete copy of its domain NC and a partial attribute set for all other domains in the forest. 2. False. There can only be one RID Master per domain. 3. False. When an object is deleted, the GUID will never be used again. 4. False. The Domain Naming Master is a forest-wide FSMO role that is responsible for the creation of domains, domain trees, and application data partitions. 5. True. Multiple Choice 1. C 2. A, C, D 3. A, C 4. B, D 5. A Class Projects Lesson 4 Exercise 1 List and explain the four primary functions of a global catalog server.

33 List and explain the five FSMO roles in a Windows Server 2008 forest. Explain which FSMO roles are domain specific and which are forest wide. Lesson 4 Project 1 You are the Active Directory administrator for a multi-domain Active Directory forest with five locations. What factors should you consider when determining the placement and number of global catalog servers? What factors should you consider when determining where to place the FSMO roles? Microsoft Video Resources Active Directory Domain Services in Microsoft Windows Server 2008 Demonstrates new features and enhancements that are focused around the fundamentals: improved security, reliability, performance, reduced operational complexity, and increased deployment flexibility. This session presents the Windows Server 2008 features in Active Directory. Length: 48:06