Microsoft ® Official Course Module 3 Maintaining Active Directory Domain Services.
Microsoft® Official Course
Module 3
Maintaining Active Directory Domain Services
Module Overview
Overview of AD DS
Implementing Virtualized Domain Controllers
Implementing Read-Only Domain Controllers
Administering AD DS
Managing the AD DS Database
Lesson 1: Overview of AD DS
Overview of AD DS Components
Understanding AD DS Forest and Schema Structure
Understanding AD DS Domain Structure
Overview of AD DS Components
AD DS is composed of both physical and logical components.

Physical components:
• Data store
• Domain controllers
• Global catalog server
• Read-only domain controllers

Logical components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units
Understanding AD DS Forest and Schema Structure
Diagram: the forest root domain adatum.com with its child domain atl.adatum.com, and fabrikam.com as a separate tree root domain in the same forest.
Understanding AD DS Domain Structure
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database, which is continually synchronized
• The domain is the context within which users, groups, and computers are created
• The domain is a replication boundary
• The domain is an administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
Lesson 2: Implementing Virtualized Domain Controllers
Understanding Cloned Virtualized Domain Controllers
Deploying a Cloned Virtualized Domain Controller
Managing Virtualized Domain Controllers
Understanding Cloned Virtualized Domain Controllers
Windows Server 2012 provides the following functionality for virtual domain controllers:
• Safe cloning
• Safe snapshot restore

Implementing virtualized domain controllers provides the following benefits:
• Rapid domain controller deployment
• Scalable provisioning of domain controllers
• Quick replacement or recovery of domain controllers
• Easy provisioning of test environments
Deploying a Cloned Virtualized Domain Controller
You can clone an existing virtual domain controller safely by:
1. Creating a DcCloneConfig.xml file, and storing it in the AD DS database location
2. Taking the VDC offline, and exporting it
3. Creating a new virtual machine by importing the exported VDC

Diagram: DcCloneConfig.xml to AD DS database location → Export the VDC → Import the VDC
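The three cloning steps above, carried out with the ActiveDirectory and Hyper-V cmdlets. This is an added example, not part of the course slides or lab; it assumes LON-DC1 (the lab's domain controller) is the source VM, and the clone name LON-DC3, the IP addresses, the site name and the export path are placeholders. The `<vm-config-file>` token must be replaced with the configuration file that Export-VM writes.

```powershell
# Added example (not from the course): prepare LON-DC1 for safe cloning, write
# DcCloneConfig.xml, then export/import the VM on the Hyper-V host.
Import-Module ActiveDirectory
Import-Module Hyper-V      # needed on the hypervisor host for Stop/Export/Import

$SourceDc  = 'LON-DC1'     # lab DC
$CloneName = 'LON-DC3'     # placeholder name for the clone

# Safe cloning is only honoured for DCs that are members of the
# Cloneable Domain Controllers group and when the PDC emulator runs
# Windows Server 2012 or later.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members ($SourceDc + '$')

# Any installed service or application that is not on the built-in allow
# list blocks cloning. Review the list; only generate CustomDCCloneAllowList.xml
# (Get-ADDCCloningExcludedApplicationList -GenerateXml) for entries you have
# verified are safe to duplicate.
$blocked = Get-ADDCCloningExcludedApplicationList
if ($blocked) {
    $blocked | Format-Table Name, Type
    throw 'Resolve the excluded applications above before cloning.'
}

# Step 1: write DcCloneConfig.xml into the AD DS database directory
# (C:\Windows\NTDS by default). The cmdlet validates the prerequisites first.
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -Static -IPv4Address '172.16.0.30' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10' `
    -SiteName 'Default-First-Site-Name'       # placeholder network values

# Steps 2 and 3, on the Hyper-V host: take the source VDC offline, export it,
# and import the export as a new VM with a new VM identity.
Stop-VM -Name $SourceDc
Export-VM -Name $SourceDc -Path 'D:\Exports'   # placeholder export path
Import-VM -Path "D:\Exports\$SourceDc\Virtual Machines\<vm-config-file>" -Copy -GenerateNewId |
    Rename-VM -NewName $CloneName

# Bring the source back, then start the clone. On first boot the clone finds
# DcCloneConfig.xml, takes the new name and addresses, and promotes itself.
Start-VM -Name $SourceDc
Start-VM -Name $CloneName
```

The exported VM carries the complete ntds.dit, including every password hash in the domain and the DSRM password, so the export folder deserves the same access control and retention as a system state backup: restrict it to the administrators doing the import and delete it once the clone is running.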
Managing Virtualized Domain Controllers
To replicate AD DS properly, ensure that:
• A restored virtual domain controller can contact a writeable domain controller
• You do not restore all domain controllers in a domain simultaneously
• All changes originating since the last snapshot are replicated, or they will be lost

Considerations for managing snapshots:
• Snapshots do not replace regular backups
• Do not restore snapshots that were taken before the promotion of the domain controller
• Do not host all virtual domain controllers on the same hypervisor
Lesson 3: Implementing Read-Only Domain Controllers
Considerations for Implementing RODCs
Managing RODC Credential Caching
Managing Local Administration for RODCs
Considerations for Implementing RODCs
• RODCs provide several important functions:
  • Credential caching
  • Administrative role separation
  • Read-only DNS
• To deploy an RODC:
  1. Ensure there is no computer account in AD DS for the new RODC
  2. Precreate the RODC account in AD DS in the Domain Controllers container
  3. Run the AD DS installation wizard on the new RODC
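The three deployment steps, scripted with the ActiveDirectory and ADDSDeployment modules. This is an added example and not the course's lab procedure; adatum.com is the lab domain, while the RODC name LON-RODC1, the site name BranchOffice and the groups Branch-RODC-Admins and Branch-Users are placeholders.

```powershell
# Added example (not from the course): pre-create an RODC account, then finish
# the promotion from the new server using the staged account.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$RodcName = 'LON-RODC1'   # placeholder
$Domain   = 'adatum.com'  # lab domain

# Step 1: there must be no existing computer account with the RODC's name.
$existing = Get-ADComputer -Filter "Name -eq '$RodcName'"
if ($existing) {
    throw "A computer account named $RodcName already exists ($($existing.DistinguishedName)); remove or rename it first."
}

# Step 2 (as a Domain Admin, on a writeable DC such as LON-DC1): pre-create the
# account in the Domain Controllers container. Delegation and the Password
# Replication Policy are set here, so whoever runs step 3 needs no
# domain-level privileges. The built-in Denied RODC Password Replication Group
# already covers Domain Admins and Enterprise Admins; naming them again makes
# the intent explicit.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $Domain `
    -SiteName 'BranchOffice' `
    -DelegatedAdministratorAccountName 'ADATUM\Branch-RODC-Admins' `
    -AllowPasswordReplicationAccountName @('ADATUM\Branch-Users') `
    -DenyPasswordReplicationAccountName @('ADATUM\Domain Admins', 'ADATUM\Enterprise Admins') `
    -InstallDns:$true

# Confirm the staged object and where it landed.
Get-ADComputer -Identity $RodcName -Properties PrimaryGroup |
    Select-Object Name, DistinguishedName, PrimaryGroup

# Step 3 (on the new server, as the delegated administrator): attach to the
# staged account. -UseExistingAccount makes the installation use the
# pre-created RODC object instead of creating a writeable DC.
Install-ADDSDomainController `
    -DomainName $Domain `
    -UseExistingAccount `
    -Credential (Get-Credential 'ADATUM\branchadmin') `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force
```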
Managing RODC Credential Caching
• Credential caching is managed through Password Replication Policies
• Password Replication Policies:
  • Determine which credentials to cache on an RODC
    • User accounts
    • Computer accounts
  • Contain an allowed and denied list
    • Allowed RODC Password Replication Group
    • Denied RODC Password Replication Group
• Do not cache domain administrative accounts
Managing Local Administration for RODCs
• Delegate RODC administration to local administrators
• Set a single security principal as an administrator
  • User
  • Group
• Enable by using the following methods:
  • Managed By tab of RODC
  • dsmgmt
  • ntdsutil
• Cache the credentials of delegated administrators
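Managing the Password Replication Policy and the delegated administrator from Windows PowerShell, covering both the credential-caching and the local-administration slides. This is an added example, not course material; LON-RODC1 and the Branch-* groups are placeholders, and the `Get-RodcPrivilegedCachedAccounts` function is written here for illustration rather than being a module cmdlet.

```powershell
# Added example (not from the course): PRP management, delegated administration
# via managedBy, and an audit of what the RODC has actually cached.
Import-Module ActiveDirectory

$Rodc = 'LON-RODC1'   # placeholder

# Allowed and Denied lists are attributes of the RODC's computer object.
# Denied always wins over Allowed.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch-Users', 'Branch-Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Delegated local administration: the managedBy attribute of the RODC object
# names the single user or group that gets local administrator rights on it.
# This is what the Managed By tab sets.
$admins = Get-ADGroup -Identity 'Branch-RODC-Admins'
Set-ADComputer -Identity $Rodc -ManagedBy $admins.DistinguishedName

# Delegated administrators log on at the branch, so their credentials should be
# cacheable on that RODC; domain-level admin accounts must not be.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch-RODC-Admins'

# What is cached right now (revealed) versus what merely authenticated there.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# Audit helper (hypothetical name): any privileged account whose secret has been
# revealed to the RODC is a policy failure. If this returns anything, reset
# those passwords and fix the lists, because a branch-office RODC is the most
# exposed DC you own.
function Get-RodcPrivilegedCachedAccounts {
    param(
        [string]$RodcName,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    $privileged = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $privileged -contains $_.DistinguishedName }
}

Get-RodcPrivilegedCachedAccounts -RodcName $Rodc
```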
Lesson 4: Administering AD DS
Overview of the Active Directory Administration Snap-ins
Overview of the Active Directory Administrative Center
Overview of the Active Directory Module for Windows PowerShell
Demonstration: Managing AD DS by Using Management Tools
Managing Operations Master Roles
Managing AD DS Backup and Recovery
Overview of the Active Directory Administration Snap-ins
• Active Directory administration snap-ins consist of four different MMC consoles:
  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts
  • Active Directory Schema
Overview of the Active Directory Administrative Center
•Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell
Overview of the Active Directory Module for Windows PowerShell
• The Active Directory module for Windows PowerShell provides full administrative functionality in these areas:
  • User management
  • Computer management
  • Group management
  • OU management
  • Password policy management
  • Searching and modifying objects
  • Forest and domain management
  • Domain controller and operations-masters management
  • Managed service account management
  • Site-replication management
  • Central access and claims management
Demonstration: Managing AD DS by Using Management Tools
• In this demonstration, you will see how to:
  • Create objects in Active Directory Users and Computers
  • View object attributes in Active Directory Users and Computers
  • Navigate within Active Directory Administrative Center
  • Perform an administrative task in Active Directory Administrative Center
  • Use the Windows PowerShell Viewer in Active Directory Administrative Center
  • Manage AD DS objects with Windows PowerShell
Managing Operations Master Roles
Operations Master Roles are assigned to the domain controller responsible for performing a specific task on the forest or domain.
• Forest-wide Operations Master Roles
  • Domain Naming Master Role
  • Schema Master Role
• Domain-wide Operations Master Roles
  • RID Master Role
  • Infrastructure Master Role
  • PDC Emulator Role
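Finding the current role holders and moving roles with the Active Directory module. This is an added example rather than course material; adatum.com is the lab forest and domain, LON-DC2 is a placeholder target, and `Get-OperationsMasterRoles` is a helper written for this example.

```powershell
# Added example (not from the course): report the five operations master role
# holders, transfer or seize roles, and detect an unexpected move.
Import-Module ActiveDirectory

# Helper (hypothetical name): forest-wide roles come from Get-ADForest,
# domain-wide roles from Get-ADDomain.
function Get-OperationsMasterRoles {
    param([string]$Forest = 'adatum.com', [string]$Domain = 'adatum.com')
    $f = Get-ADForest -Identity $Forest
    $d = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        RIDMaster            = $d.RIDMaster             # domain-wide
        InfrastructureMaster = $d.InfrastructureMaster  # domain-wide
        PDCEmulator          = $d.PDCEmulator           # domain-wide
    }
}

Get-OperationsMasterRoles

# Transfer: the current holder is online and hands the roles over cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster

# Seize: only when the holder is permanently lost. -Force seizes a role whose
# normal transfer cannot complete. The old holder must never come back online
# afterwards; two DCs claiming the same role (the RID master above all)
# corrupts the domain.
# Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force

# Detection: a role holder changing without a change record is worth an alert.
# Compare against a recorded baseline (placeholder values).
$baseline = @{ PDCEmulator = 'LON-DC1.adatum.com'; RIDMaster = 'LON-DC1.adatum.com' }
$now = Get-OperationsMasterRoles
foreach ($role in $baseline.Keys) {
    if ($now.$role -ne $baseline[$role]) {
        Write-Warning "$role moved: $($baseline[$role]) -> $($now.$role)"
    }
}
```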
Managing AD DS Backup and Recovery
• Non-authoritative or normal restore
  • Restore domain controller to previously known good state
  • Domain controller will be updated by using standard replication from partners
• Authoritative restore
  • Restore domain controller to previously known good state
  • Mark objects that you want to be authoritative
  • Domain controller is updated from its up-to-date partners
  • Domain controller sends authoritative updates to its partners
• Full server restore
  • Typically performed in Windows Recovery environment
• Alternate location restore
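The backup and the two restore paths above as a command sequence. This is an added example, not the course lab; it assumes the Windows Server Backup feature is installed on the DC, the backup target E:, the backup version string and the restored OU are placeholders, and adatum.com is the lab domain. The recovery commands are typed after booting into Directory Services Restore Mode.

```powershell
# Added example (not from the course): system state backup, then the
# non-authoritative and authoritative restore sequences.

# --- On a running DC: system state backup (AD DS database, SYSVOL, registry,
# boot files). Run regularly; a hypervisor snapshot is not a backup.
wbadmin start systemstatebackup -backupTarget:E: -quiet       # E: is a placeholder

# --- Recovery. Boot into DSRM first (press F8 at boot, or the two lines
# below), then log on as .\Administrator with the DSRM password.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# Step 1 (both restore types): restore the system state from a chosen version.
# Without further action this is a non-authoritative restore: after reboot the
# DC simply resynchronises from its replication partners.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backupTarget:E: -quiet

# Step 2 (authoritative restore only, before rebooting): mark the objects that
# must win replication. NTDSUtil raises their version numbers so partners
# accept the restored copies instead of overwriting them with the current
# (deleted) state. Only the marked subtree is authoritative; everything else
# is still updated from the partners.
$subtree = 'OU=Sales,DC=adatum,DC=com'   # placeholder OU
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# Leave DSRM and reboot normally.
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

The authoritative marking step is the one that needs the AD DS downtime the "Understanding How to Restore Deleted Objects" slide refers to, which is why the Active Directory Recycle Bin is preferred for recovering individual deleted objects once it is enabled.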
Lesson 5: Managing the AD DS Database
Understanding the AD DS Database
What Is NTDSUtil?
Understanding Restartable AD DS
Demonstration: Performing AD DS Database Maintenance
Creating AD DS Snapshots
Understanding How to Restore Deleted Objects
Configuring the Active Directory Recycle Bin
Understanding the AD DS Database
• The AD DS database holds all domain-based information in four partitions

Diagram (AD DS database on a domain controller): Schema Partition, Configuration Partition, Domain Partition, Application Partitions (optional)
What Is NTDSUtil?
With NTDSUtil you can:
• Manage and control single master operations
• Perform AD DS database maintenance
  • Perform offline defragmentation
  • Create and mount snapshots
  • Move database files
• Maintain domain controller metadata
• Reset Directory Services Restore Mode password
Understanding Restartable AD DS
• AD DS can be started or stopped by using the Services console
• AD DS can be in three states:
  • AD DS Started
  • AD DS Stopped
  • DSRM
• It is not possible to perform a system state restore while AD DS is in Stopped state
Demonstration: Performing AD DS Database Maintenance
In this demonstration, you will see how to:
• Stop AD DS
• Perform offline defragmentation of the AD DS database
• Check the integrity of the AD DS database
• Start AD DS
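The four demonstration steps, scripted with the Services cmdlets and NTDSUtil and relying on restartable AD DS. This is an added example and not the course's demonstration script; it assumes the default database location C:\Windows\NTDS, and D:\NTDS-Compact is a placeholder work directory.

```powershell
# Added example (not from the course): stop AD DS, compact the database
# offline, verify integrity, start AD DS.
$NtdsDir = 'C:\Windows\NTDS'     # default database location
$Work    = 'D:\NTDS-Compact'     # placeholder work directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Stop AD DS. Dependent services (Kerberos KDC, DNS Server, DFS Replication)
#    stop with it, so do this on one DC at a time and outside logon peaks.
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).Status     # expect Stopped

# 2. Offline defragmentation: NTDSUtil writes a compacted copy of ntds.dit
#    into the work directory and leaves the live file untouched.
ntdsutil "activate instance ntds" files "compact to $Work" quit quit
if (-not (Test-Path "$Work\ntds.dit")) {
    throw 'Compaction produced no database file; AD DS left stopped for investigation.'
}

# 3. Keep the original, swap in the compacted file, and delete the transaction
#    logs, which belong to the old file. Report the space reclaimed.
$oldSize = (Get-Item "$NtdsDir\ntds.dit").Length
Copy-Item "$NtdsDir\ntds.dit" "$Work\ntds.dit.before-compact" -Force
Copy-Item "$Work\ntds.dit" "$NtdsDir\ntds.dit" -Force
Remove-Item "$NtdsDir\*.log" -Force
'Reclaimed {0:N0} MB' -f (($oldSize - (Get-Item "$NtdsDir\ntds.dit").Length) / 1MB)

# 4. Integrity check of the database now in place. If it reports errors, copy
#    ntds.dit.before-compact back over ntds.dit before starting the service.
ntdsutil "activate instance ntds" files integrity quit quit

# 5. Start AD DS and confirm the DC is healthy and replicating again.
Start-Service -Name NTDS
dcdiag /test:Replications /test:Services
```

Step 4 is why the compacted copy is written to a separate directory first: the original is kept until the new file has passed the integrity check, and the work directory should be cleaned up afterwards because it holds a full copy of the directory database.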
Creating AD DS Snapshots
• Create a snapshot of Active Directory
  • NTDSUtil
• Mount the snapshot to a unique port
  • NTDSUtil
• Expose the snapshot
  • Right-click the root node of Active Directory Users and Computers, and choose Connect to Domain Controller
  • Enter serverFQDN:port
• View (read-only) snapshot
  • Cannot directly restore data from the snapshot
• Recover data
  • Connect to the mounted snapshot, and export/reimport objects with LDIFDE
  • Restore a backup from the same date as the snapshot
  • Manually reenter data
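The create, mount, expose, view and recover steps as a command sequence on LON-DC1 (the lab DC). This is an added example, not the course lab; port 51389, the Sales OU and the export file are placeholders, and the `{<snapshot-guid>}` and `<date>` tokens must be replaced with the values NTDSUtil prints for the snapshot.

```powershell
# Added example (not from the course): AD DS snapshot lifecycle with NTDSUtil,
# dsamain and LDIFDE. Run as a Domain Admin on the DC.

# 1. Create a snapshot (a Volume Shadow Copy of the volumes holding ntds.dit).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List and mount it. "list all" prints each snapshot's GUID; mounting exposes
#    the copy under a path of the form C:\$SNAP_<date>_VOLUMEC$\.
ntdsutil snapshot "list all" quit quit
ntdsutil snapshot "mount {<snapshot-guid>}" quit quit

# 3. Expose the mounted database as a read-only LDAP server on a unique port.
#    dsamain stays in the foreground, so launch it as a separate process.
$SnapDb = 'C:\$SNAP_<date>_VOLUMEC$\Windows\NTDS\ntds.dit'   # placeholder mount path
$Port   = 51389
Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$SnapDb`" -ldapport $Port"

# 4. View it: in Active Directory Users and Computers choose Connect to Domain
#    Controller and enter LON-DC1.adatum.com:51389. The same from PowerShell:
Get-ADUser -Server "LON-DC1.adatum.com:$Port" -Filter * |
    Select-Object -First 5 Name, DistinguishedName

# 5. Recover: export what you need from the snapshot with LDIFDE, review the
#    .ldf, then import it into the live directory. The snapshot itself cannot
#    be restored directly.
ldifde -f C:\Temp\sales-from-snapshot.ldf -s LON-DC1.adatum.com -t $Port `
    -d "OU=Sales,DC=adatum,DC=com" -p subtree
# ldifde -i -k -f C:\Temp\sales-from-snapshot.ldf -s LON-DC1.adatum.com

# 6. Clean up: stop dsamain, unmount, and delete the snapshot when it is no
#    longer needed. A mounted snapshot is a second copy of every secret in the
#    domain, reachable on a non-standard port.
Get-Process -Name dsamain -ErrorAction SilentlyContinue | Stop-Process
ntdsutil snapshot "unmount {<snapshot-guid>}" quit quit
# ntdsutil snapshot "delete {<snapshot-guid>}" quit quit
```

Objects re-created from an LDIFDE export are new objects: they get new SIDs and no password, so group memberships and ACLs that referenced the old SID do not come back with them. That limitation is what the Active Directory Recycle Bin removes.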
Understanding How to Restore Deleted Objects
• Deleted objects are recovered through tombstone reanimation
• When an object is deleted, most of its attributes are cleared
• Authoritative restore requires AD DS downtime

Diagram (object lifecycle): Live → Delete → Tombstoned → Garbage collect → Physically deleted. Reanimate tombstone or authoritative restore returns a tombstoned object to Live.
Configuring the Active Directory Recycle Bin
• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
• Uses Windows PowerShell with Active Directory Module or the Active Directory Administrative Center to restore objects
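Enabling the Recycle Bin and restoring a deleted object with the Active Directory module. This is an added example and not the lab's Exercise 3; adatum.com is the lab forest, the user jsmith and the Sales OU are placeholders, and `Get-RecentlyDeletedObjects` is a helper written for this example.

```powershell
# Added example (not from the course): enable the Active Directory Recycle Bin
# forest-wide, list recently deleted objects, and restore one in place.
# Requires the Windows Server 2008 R2 forest functional level or higher and
# Enterprise Admins membership.
Import-Module ActiveDirectory

$Forest = 'adatum.com'   # lab forest

# Enabling is forest-wide and permanent: once on, it cannot be turned off.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# With the Recycle Bin on, deleted objects keep their attributes for the
# deleted-object lifetime (180 days by default) under CN=Deleted Objects.
# Helper (hypothetical name): list what was deleted in the last N days.
function Get-RecentlyDeletedObjects {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' -and whenChanged -ge $since } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, objectSid
}

Get-RecentlyDeletedObjects -Days 7

# Restore one object to its original container (lastKnownParent). Unlike a
# re-created account, the SID, group memberships and password are preserved,
# and AD DS keeps running throughout.
$victim = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jsmith' } -IncludeDeletedObjects
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID }

# If the original OU was deleted as well, restore the container first or pass
# -TargetPath to place the object elsewhere:
# Restore-ADObject -Identity $victim.ObjectGUID -TargetPath 'OU=Sales,DC=adatum,DC=com'
```

The deleted-objects listing doubles as a cheap detection control: a burst of deletions in a short window, or deletions of objects in protected OUs, is worth reviewing against change records.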
Lab: Maintaining AD DS
Exercise 1: Installing and Configuring a RODC
Exercise 2: Configuring AD DS Snapshots
Exercise 3: Configuring the Active Directory Recycle Bin

Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes
Lab Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and data center in London supports the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is making several organizational changes that require modifications to the AD DS infrastructure. A new location requires a secure method of providing onsite AD DS, and you have been asked to extend the capabilities of Active Directory Recycle Bin to the entire organization.
Review Questions
• Which AD DS objects should have their credentials cached on an RODC located in a remote location?
• What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?
Module Review and Takeaways
Review Questions
Tools
Best Practice