Active Directory 2008 Implementation & Migration


  • 8/8/2019 Active Directory 2008 Implement at On & Migration

    1/148

    Microsoft Windows Server 2008 Implementation and Migration at BHARAT HEAVY ELECTRICALS LIMITED

    Wipro is submitting this document to BHEL on the understanding that the contents would not be divulged to any third party without prior written consent from Wipro Infotech. The contents of this document shall be used for the sole purpose of review & decision making. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, whether electronic, mechanical, photocopying, recording or otherwise, without the written permission of Wipro. All product names referenced herein are trademarks of their respective companies.

    2008

    Kamal Singh & Gurpreet Singh

    12/22/2008


    Wipro Infotech - MSBU Division

    BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration

    WIPRO BHEL Confidential Page 2

    Document Management Information

    Document Title: Microsoft Windows Server 2008 Active Directory Implementation and Migration Document.
    Document Status: Approved Wipro

    Document Publication History
    (All revisions made to this document must be listed in chronological order, with the most recent revision at the top.)

    Version Number | Date       | Author(s)                    | Remark
    Draft          | 22-12-2008 | Kamal Singh & Gurpreet Singh | Microsoft Windows Server 2008 Active Directory Implementation and Migration.
    1.0            | 22-12-2008 | Monojit Bhowmik              | Reviewed

    Document Distribution List

    Ver. No. | Name and Company                | Purpose
    1.0      | Bharat Heavy Electrical Limited | Microsoft Windows Server 2008 Active Directory Implementation and Migration.


    Contents

    About this Document ..... 5
    About the Project ..... 5
    Overview of Project ..... 5
    1 Company Profile ..... 6
    1.1.1 Introduction to Active Directory ..... 6
    1.1.2 Why Have a Directory Service? ..... 6
    1.1.3 The Windows Server 2003/2008 Directory Service ..... 6
    1.1.4 Active Directory Services Features ..... 7
    1.1.5 Active Directory Components ..... 8
    1.1.6 Logical Structures ..... 8
    1.1.7 Physical Structures ..... 9
    1.1.8 Catalog Services: The Global Catalog ..... 10
    1.1.9 Global Catalog Functions ..... 10
    1.1.10 Replication ..... 11
    1.1.11 What Information Is Replicated ..... 11
    1.1.12 Trust Relationships ..... 11
    1.1.13 Group Policies ..... 12
    1.1.14 DNS ..... 12
    1.1.15 Operations Master Roles ..... 12
    1.1.16 Forest-Wide Operations Master Roles ..... 12
    1.1.17 Schema Master Role ..... 13
    1.1.18 Domain Naming Master Role ..... 13
    1.1.19 Domain-Wide Operations Master Roles ..... 13
    1.1.20 RID Master Role ..... 13
    1.1.21 PDC Emulator Role ..... 14
    1.1.22 Infrastructure Master Role ..... 14
    1.1.23 What Problems Arise when an Operations Master Failure Occurs ..... 14
    1.2 What does an RODC do? ..... 16
    1.3 Who will be interested in this feature? ..... 16
    1.4 Are there any special considerations? ..... 17
    1.5 What new functionality does this feature provide? ..... 17
    1.5.2 TOOLS ..... 123


    1.5.3 NTDSUTIL Overview ..... 123
    1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL ..... 124
    1.5.5 ADSIEDIT Overview ..... 124
    1.5.6 DCDIAG Overview ..... 126
    1.5.7 NETDIAG Overview ..... 128
    1.5.8 REPLMON Overview ..... 134
    Windows Server 2003/2008 - Replmon Support Tool Utility ..... 135


    About this Document

    This document is intended as a reference guide for the Administrators of BHEL who were involved during the implementation of Active Directory Right Management Service and DHCP NAP Enforcement, and for the Specialists from Wipro and the Customer's end who were involved in the Project.

    This document will serve as a guideline for the Project Approach and the Implementation & Migration of Active Directory 2008.

    About the Project

    The Customer's objective for initiating this project is to have an in-house comprehensive solution for addressing and resolving change and configuration needs in the IT Infrastructure.

    The activities involved in this project are as below:

    • Installation of Windows Server 2008 with the latest Service Packs and Hot fixes in BHEL Kolkata HQ.
    • Creation of a Microsoft Windows Server 2008 Additional Domain Controller.
    • Raising the Domain Functional Level.
    • Transfer of FSMO Roles to the new Server 2008 Domain Controller.
    • Configuring Sites and Settings across the PSER Region.
    • Installing the new Additional Domain Controller.
    • Installing Read Only Domain Controllers for the Budge-Budge & Bakreswar Remote Locations.

    Overview of Project

    Project Management and Installation of the Complete Project were carried out by the Wipro MSBU Infrastructure Availability Services team.

    The Project flow is as follows:

    • Configuration Gathering
    • Implementation phase
    • Documentation and Training
    • Sign off for the Project


    Team Involved in executing the Project: Kamal Singh & Gurpreet Singh

    Principal(s): Mr. Sudipta Biswas, DGM IT

    1 Company Profile:

    BHEL is the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure sector today. BHEL was established more than 40 years ago, ushering in the indigenous Heavy Electrical Equipment industry in India - a dream that has been more than realized with a well-recognized track record of performance. The company has been earning profits continuously since 1971-72 and paying dividends since 1976-77.

    BHEL manufactures over 180 products under 30 major product groups and caters to core sectors of the Indian Economy viz., Power Generation & Transmission, Industry, Transportation, Telecommunication, Renewable Energy, etc. The wide network of BHEL's 14 manufacturing divisions, four Power Sector regional centers, over 100 project sites, eight service centers and 18 regional offices enables the Company to promptly serve its customers and provide them with suitable products, systems and services -- efficiently and at competitive prices. The high level of quality & reliability of its products is due to the emphasis on design, engineering and manufacturing to international standards by acquiring and adapting some of the best technologies from leading companies in the world, together with technologies developed in its own R&D Center.

    1.1.1 Introduction to Active Directory

    Active Directory directory service provides a single point of network resource management, allowing you to add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory concepts and administration tasks and walks you through the steps involved in planning an Active Directory infrastructure.

    1.1.2 Why Have a Directory Service?

    A directory service provides the means to organize and simplify access to resources of a networked computer system. Users and administrators might not know the exact name of the objects they need. However, they might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a directory service to query the directory for a list of objects that match known characteristics. For example, "Find all color printers on the third floor" queries the directory for all color printer objects that are associated with the third floor characteristic (or maybe a location characteristic that has been set to third floor). A directory service makes it possible to find an object based on one or more of its characteristics.

    1.1.3 The Windows Server 2003/2008 Directory Service

    Active Directory is the directory service included in the Windows Server 2003/2008 family. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful. Active Directory is also the directory service included in Windows 2000.

    1.1.4 Active Directory Services Features

    Active Directory in the Windows Server 2003/2008 family is a significant enhancement over the flat domain model provided in Windows NT. Active Directory is integrated within the Windows Server 2003/2008 family and offers the following features:

    Centralized data store: all data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.

    Scalability: Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.

    Extensibility: The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.

    Manageability: In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.

    Integration with the Domain Name System (DNS): Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003/2008 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.

    Client configuration management: Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.

    Policy-based administration: In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop-system lock down.

    Replication of information: Active Directory provides multimaster replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits. Multimaster replication enables you to update the directory at any domain controller and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues even if any single domain controller stops working.

    Flexible, secure authentication and authorization: Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.

    Security integration: Active Directory is integrated with Windows Server 2003/2008 security. Access control can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain, or organizational unit.

    Directory-enabled applications and infrastructure: Features within Active Directory make it easier for you to configure and manage applications and other directory-enabled network components. In addition, Active Directory provides a powerful development environment through Active Directory Service Interfaces (ADSI).

    Interoperability with other directory services: Active Directory is based on standard directory access protocols, including Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols. Because the LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP. The NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.

    Signed and encrypted LDAP traffic: by default, Active Directory tools in Windows Server 2003/2008 sign and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

    1.1.5 Active Directory Components

    Various Active Directory components are used to build a directory structure that meets the needs of your organization. The following Active Directory components represent logical structures in an organization: domains, organizational units (OUs), trees, and forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.

    1.1.6 Logical Structures

    In Active Directory, you organize resources in a logical structure (a structure that mirrors organizational models) using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users.


    Domains: The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location.

    OU: An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains: each domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.

    Trees: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003/2008 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson.

    Forests: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:

    • All domains in a forest share a common schema.
    • All domains in a forest share a common global catalog.
    • All domains in a forest are linked by implicit two-way transitive trusts.
    • Trees in a forest have different naming structures, according to their domains.
    • Domains in a forest operate independently, but the forest enables communication across the entire organization.

    1.1.7 Physical Structures

    The physical components of Active Directory are sites and domain controllers. As an administrator, you use these components to develop a directory structure that mirrors the physical structure of your organization.


    Sites: A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only subnets that have fast, cheap and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.

    Domain Controllers: A domain controller is a computer running Windows Server 2003/2008 that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain's portion of the directory. A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for a domain.

    1.1.8 Catalog Services: The Global Catalog

    The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores attributes most frequently used in search operations (such as a user's first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains, ensuring that data in the global catalog is secure.

    1.1.9 Global Catalog Functions

    The global catalog performs the following two key functions:

    • It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
    • It enables finding directory information regardless of which domain in the forest actually contains the data.

    1.1.10 Replication

    Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.

    1.1.11 What Information Is Replicated

    The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. Each of these information categories is referred to as a directory partition. A directory partition is also referred to as a naming context. These directory partitions are the units of replication. The directory contains the following partitions:

    • Schema partition: This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
    • Configuration partition: This partition describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
    • Domain partition: This partition describes all of the objects in a domain. This data is domain-specific and is not replicated to any other domains. However, the data is replicated to every domain controller in that domain.
    • Application Directory partition: This partition stores dynamic application-specific data in Active Directory without significantly affecting network performance by enabling you to control the scope of replication and the placement of replicas. The application directory partition can contain any type of object except security principals (users, groups, and computers). Data can be explicitly rerouted to administrator-specified domain controllers within a forest in order to prevent unnecessary replication traffic, or it can be set to replicate everything to all domain controllers in the same fashion as the schema, configuration, and domain partitions.
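The four partition categories above can be seen directly on a domain controller by reading its RootDSE. The following PowerShell script is an added example and not part of the Wipro/BHEL document; it assumes it is run on a domain-joined Windows Server 2008 machine (the ADSI type accelerator needs no extra module), and it classifies every naming context the connected domain controller hosts, including the AD-integrated DNS zone partitions that are the most common application partitions.

```powershell
# Added example (not from the Wipro/BHEL document): read the RootDSE of the
# domain controller this machine is connected to and classify every directory
# partition (naming context) it hosts as schema, configuration, domain or
# application partition, the four categories described in section 1.1.11.
# RootDSE is readable by any domain user; no extra module is needed on
# Windows Server 2008.

$rootDse = [ADSI]"LDAP://RootDSE"

# The three well-known partitions are published as separate RootDSE attributes.
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

# namingContexts lists every writable partition held by this domain controller.
foreach ($entry in $rootDse.namingContexts) {
    $nc = [string]$entry
    if ($nc -eq $schemaNc) {
        $kind = 'Schema partition        (replicated to all DCs in the forest)'
    } elseif ($nc -eq $configNc) {
        $kind = 'Configuration partition (replicated to all DCs in the forest)'
    } elseif ($nc -eq $domainNc) {
        $kind = 'Domain partition        (replicated only within this domain)'
    } elseif ($nc -like 'DC=ForestDnsZones,*' -or $nc -like 'DC=DomainDnsZones,*') {
        # Application partitions created by AD-integrated DNS. Their replication
        # scope (forest-wide or domain-wide) is chosen by the administrator, which
        # is exactly the scoping that distinguishes application partitions.
        $kind = 'Application partition   (AD-integrated DNS zone, admin-chosen scope)'
    } else {
        $kind = 'Application partition   (custom, admin-chosen scope)'
    }
    "{0,-70} {1}" -f $kind, $nc
}
```

Run it against two domain controllers of the same domain and compare the output: the schema and configuration partitions and the domain partition must appear on both, while an application partition may legitimately be present on only the replicas the administrator selected.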

    1.1.12 Trust Relationships

    A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain, as shown in Figure 1-13. Users and applications are authenticated in the Windows Server 2003/2008 family using one of two trust protocols: Kerberos version 5 or NT LAN Manager (NTLM). The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003/2008. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used. A trust relationship is also permitted with any MIT Kerberos version 5 realm. There are two domains in a trust relationship: the trusting and the trusted domain.

    1.1.13 Group Policies

    Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. For example, using group policies, you can set the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.

    1.1.14 DNS

    DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the Internet, to locate computers and services through user-friendly names. DNS provides a method of naming computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address. For example, it's easy for most users who want to locate a computer on a network to remember and learn a friendly name such as example.microsoft.com. However, computers communicate over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a computer or service to its numeric address. If you have used a Web browser, you have used DNS.

    1.1.15 Operations Master Roles

    Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

    In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You must be aware of operations master roles assigned to a domain controller if problems develop on the domain controller or if you plan to take it out of service.

    1.1.16 Forest-Wide Operations Master Roles

    Every Active Directory forest must have the following roles:

    • Schema master
    • Domain naming master


    These roles must be unique in the forest. This means that throughout the entire forest there can be only one

    schema master and one domain naming master.

    1.1.17Schema Master Role

    The domain controller assigned the schema master role controls all updates and modifications to the

    schema. To update the schema of a forest, you must have access to the schema master. At any time, there

    can be only one schema master in the entire forest.

    1.1.18Domain Naming Master Role

    The domain controller holding the domain naming master role controls the addition or removal of domains

    in the forest. There can be only one domain naming master in the entire forest at any time.

    1.1.19Domain-Wide Operations Master Roles

    Every domain in the forest must have the following roles:

    Relative identifier (RID), or relative ID, master

    Primary domain controller (PDC) emulator

    Infrastructure master

    These roles must be unique in each domain. This means that each domain in the forest can have only one RID

    master, PDC emulator master, and infrastructure master.

    1.1.20RID Master Role

    The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various

    domain controllers in its domain. At any time, there can be only one domain controller acting as the RID

    master in each domain in the forest.

    Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique

    security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the

    domain) and a relative ID that is unique for each security ID created in the domain.

    To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must

    initiate the move on the domain controller acting as the RID master of the domain that currently contains the

    object.
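As an added example that is not part of the original document, the following Python decodes the binary objectSid form and splits an account SID into the domain SID and relative ID described above. The domain SID and the RID 1105 are constructed for the demo; the well-known RIDs are fixed Windows values, and the 1000 boundary for pool-allocated RIDs is a Windows convention not stated in this document.

```python
import struct
from typing import Dict, Tuple

# Well-known RIDs that exist in every domain (subset). These are fixed by
# Windows and are never handed out from a RID-master-allocated pool.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# RIDs below this value are reserved; objects created by a domain controller
# receive RIDs from the pool the RID master allocated to that DC.
FIRST_POOL_RID = 1000  # Windows convention, not stated on this page


def parse_sid(blob: bytes) -> str:
    """Decode the binary objectSid form (as stored in AD) into S-1-... text.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian unsigned integer.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_sid(text: str) -> bytes:
    """Encode S-1-... text back into the binary objectSid form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(text: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain SID, RID).

    The domain SID is identical for every principal created in the domain;
    the RID is the last sub-authority and is unique within the domain.
    """
    parts = text.split("-")
    # Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>: 8 parts.
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID: %r" % text)
    return "-".join(parts[:7]), int(parts[7])


def describe_rid(rid: int) -> str:
    """Say where a RID came from: a well-known value or a RID-master pool."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known (%s)" % WELL_KNOWN_RIDS[rid]
    if rid < FIRST_POOL_RID:
        return "reserved"
    return "allocated from a RID pool"


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both account SIDs share the same domain SID."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


# Constructed sample values; the domain SID below is made up for the demo.
DEMO_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEMO_USER_SID = DEMO_DOMAIN_SID + "-1105"
DEMO_USER_BLOB = build_sid(DEMO_USER_SID)

if __name__ == "__main__":
    print(parse_sid(DEMO_USER_BLOB))
    print(split_sid(DEMO_USER_SID), describe_rid(1105))
```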

    1.1.21 PDC Emulator Role

    If the domain contains computers operating without Windows Server 2003/2008 client software or if it

    contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator

    role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the

    BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the

    forest.

    Even after all systems are upgraded to Windows Server 2003/2008, and the Windows Server 2003/2008

    domain is operating at the Windows Server 2003/2008 functional level, the PDC emulator receives

    preferential replication of password changes performed by other domain controllers in the domain. If a

    password was recently changed, that change takes time to replicate to every domain controller in the

    domain. If a logon authentication fails at another domain controller due to a bad password, that domain

    controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

    1.1.22 Infrastructure Master Role

    The domain controller assigned the infrastructure master role is responsible for updating the group-to-user

    references whenever the members of groups are renamed or changed. At any time, there can be only one

    domain controller acting as the infrastructure master in each domain.

    When you rename or move a member of a group (and the member resides in a different domain from the

    group), the group might temporarily appear not to contain that member. The infrastructure master of the

    group's domain is responsible for updating the group so it knows the new name or location of the member.

    The infrastructure master distributes the update via multimaster replication.

    There is no compromise to security during the time between the member rename and the group update.

    Only an administrator looking at that particular group membership would notice the temporary

    inconsistency.

    1.1.23 What Problems Arise When an Operations Master Failure Occurs

    Schema Master Failure: Temporary loss of the schema operations master is not visible to network users. It is

    not visible to network administrators either, unless they are trying to modify the schema or install an

    application that modifies the schema during installation. If the schema master will be unavailable for an

    unacceptable length of time, you can seize the role to the domain controller you've chosen to act as the

    standby schema master. However, seizing this role is a step that you should take only when the failure of the

    schema master is permanent.

    Domain Naming Master Failure: Temporary loss of the domain naming master is not visible to network

    users. It is not visible to network administrators either, unless they are trying to add a domain to the forest or

    remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable

    length of time, you can seize the role to the domain controller you've chosen to act as the standby domain

    naming master. However, seizing this role is a step that you should take only when the failure of the domain

    naming master is permanent.

    RID Master Failure: Temporary loss of the RID operations master is not visible to network users. It is not

    visible to network administrators either, unless they are creating objects and the domain in which they are

    creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable

    length of time, you can seize the role to the domain controller you've chosen to act as the standby RID

    master. However, seizing this role is a step that you should take only when the failure of the RID master is

    permanent.

    PDC Emulator Failure: The loss of the PDC emulator affects network users. Therefore, when the PDC

    emulator is not available, you might need to immediately seize the role. If the current PDC emulator will be

    unavailable for an unacceptable length of time and its domain has clients without Windows Server

    2003/2008 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator

    role to the domain controller you've chosen to act as the standby PDC emulator. When the original PDC

    emulator is returned to service, you can return the role to the original domain controller.

    Infrastructure Master Failure: Temporary loss of the infrastructure master is not visible to network users. It

    is not visible to network administrators either, unless they have recently moved or renamed a large number

    of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize

    the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any

    domain), ideally in the same site as a global catalog server. When the original infrastructure master is

    returned to service, you can transfer the role back to the original domain controller.

    Read-Only Domain Controllers

    A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008

    operating system. With an RODC, organizations can easily deploy a domain controller in locations where

    physical security cannot be guaranteed. An RODC hosts read-only partitions of the

    Active Directory Domain Services (AD DS) database.

    Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch

    offices often cannot provide the adequate physical security that is required for a writable domain controller.

    Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This

    can increase the amount of time that is required to log on. It can also hamper access to network resources.

    Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a

    result, users in this situation can receive the following benefits:

    Improved security

    Faster logon times

    More efficient access to resources on the network

    1.2 What does an RODC do?

    Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a

    way to deploy a domain controller more securely in locations that require fast and reliable authentication

    services but cannot ensure physical security for a writable domain controller.

    However, your organization may also choose to deploy an RODC for special administrative requirements. For

    example, a line-of-business (LOB) application may run successfully only if it is installed on a domain

    controller. Or, the domain controller might be the only server in the branch office, and it may have to host

    server applications.

    In such cases, the LOB application owner must often log on to the domain controller interactively or use

    Terminal Services to configure and manage the application. This situation creates a security risk that may be

    unacceptable on a writable domain controller.

    An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant

    a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the

    Active Directory forest.

    You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a

    primary threat, for example, in an extranet or application-facing role.

    1.3 Who will be interested in this feature?

    RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically

    have the following characteristics:

    Relatively few users

    Poor physical security

    Relatively poor network bandwidth to a hub site

    Little knowledge of information technology (IT)

    You should review this section, and the additional supporting documentation about RODC, if you are in any of

    the following groups:

    IT planners and analysts who are technically evaluating the product

    Enterprise IT planners and designers for organizations

    Those responsible for IT security

    AD DS administrators who deal with small branch offices

    1.4 Are there any special considerations?

    To deploy an RODC, at least one writable domain controller in the domain must be running Windows

    Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or

    higher.

    1.5 What new functionality does this feature provide?

    RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security,

    network bandwidth, or local expertise to support it. The following RODC functionality mitigates these

    problems:

    Read-only AD DS database

    Unidirectional replication

    Credential caching

    Administrator role separation

    Read-only Domain Name System (DNS)

    1.5.1.1 Read-only AD DS database

    Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable

    domain controller holds. However, changes cannot be made to the database that is stored on the RODC.

    Changes must be made on a writable domain controller and then replicated back to the RODC.

    Local applications that request Read access to the directory can obtain access. Lightweight Directory

    Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This

    response directs them to a writable domain controller, normally in a hub site.

    1.5.1.2 RODC filtered attribute set

    Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is

    compromised.

    For these types of applications, you can dynamically configure a set of attributes in the schema for domain

    objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set.

    Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the

    forest.

    A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate

    attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes

    from a domain controller that is running Windows Server 2008, the replication request is denied. However, if

    the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.

    Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to

    configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC

    that is compromised cannot be exploited in this manner because domain controllers that are running

    Windows Server 2003 are not allowed in the forest.

    You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it

    is required for AD DS; Local Security Authority (LSA); Security Accounts Manager (SAM); and Microsoft-specific

    Security Service Provider Interfaces (SSPIs), such as Kerberos; to function properly. A system-critical attribute

    has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE).

    The RODC filtered attribute set is configured on the server that holds the schema operations master role. If

    you try to add a system-critical attribute to the RODC filtered set while the schema master is running

    Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-

    critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation

    appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema

    master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set.

    This ensures that system-critical attributes are not included in the RODC filtered attribute set.

    1.5.1.3 Unidirectional replication

    Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This

    means that any changes or corruption that a malicious user might make at branch locations cannot replicate

    from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and

    the effort required to monitor replication.

    RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of

    SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

    1.5.1.4 Credential caching

    Credential caching is the storage of user or computer credentials. Credentials consist of a small set of

    approximately 10 passwords that are associated with security principals. By default, an RODC does not store

    user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt

    account that each RODC has. You must explicitly allow any other credential caching on an RODC.

    The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different

    krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts

    ticket-granting ticket (TGT) requests.

    After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at

    the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes

    that the request is coming from an RODC and consults the Password Replication Policy in effect for that

    RODC.

    The Password Replication Policy determines if a user's credentials or a computer's credentials can be

    replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the

    writable domain controller replicates the credentials to the RODC, and the RODC caches them.

    After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until

    the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that

    it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards

    requests to a writable domain controller.)

    By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of

    credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has

    credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials

    that are cached can potentially be cracked.

    Leaving credential caching disabled might further limit exposure, but it results in all authentication requests

    being forwarded to a writable domain controller. An administrator can modify the default Password

    Replication Policy to allow users' credentials to be cached at the RODC.
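The Password Replication Policy decision described above, as an added Python example that is not part of the original document: the Allow/Deny entries are the defaults Windows Server 2008 ships with, the accounts and their (already expanded) group memberships are constructed, and Deny is modelled as taking precedence over Allow, so the exposure on a stolen RODC is only the set of allowed accounts that actually logged on there.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple

ALLOW, DENY = "Allow", "Deny"

# Default Password Replication Policy entries of a Windows Server 2008 RODC.
# (The RODC's own computer account and its per-RODC krbtgt account are always
# cached and are not subject to this evaluation.)
DEFAULT_PRP: Dict[str, str] = {
    "Allowed RODC Password Replication Group": ALLOW,
    "Denied RODC Password Replication Group": DENY,
    "Account Operators": DENY,
    "Server Operators": DENY,
    "Backup Operators": DENY,
    "Administrators": DENY,
}

# Constructed directory data: each principal with its transitive group
# membership (nested groups already expanded, as the writable DC would do).
# hq.admin is in Domain Admins, which by default is nested inside the
# Denied RODC Password Replication Group.
DEMO_MEMBERSHIP: Dict[str, FrozenSet[str]] = {
    "bb.user1": frozenset({"Domain Users",
                           "Allowed RODC Password Replication Group"}),
    "bb.user2": frozenset({"Domain Users",
                           "Allowed RODC Password Replication Group"}),
    "hq.admin": frozenset({"Domain Users", "Domain Admins",
                           "Allowed RODC Password Replication Group",
                           "Denied RODC Password Replication Group"}),
    "bb.visitor": frozenset({"Domain Users"}),
}


def evaluate_prp(principal: str,
                 membership: Dict[str, FrozenSet[str]],
                 prp: Dict[str, str] = DEFAULT_PRP) -> Tuple[bool, str]:
    """Decide whether a writable DC may replicate this principal's secrets
    to the RODC. An explicit Deny on the account or on any of its groups
    wins over every Allow; with no matching entry nothing is replicated."""
    identities = {principal} | set(membership.get(principal, frozenset()))
    denied = sorted(i for i in identities if prp.get(i) == DENY)
    if denied:
        return False, "denied by %s" % denied[0]
    allowed = sorted(i for i in identities if prp.get(i) == ALLOW)
    if allowed:
        return True, "allowed by %s" % allowed[0]
    return False, "no matching PRP entry (default: do not cache)"


def cached_after_logons(logons: Iterable[str],
                        membership: Dict[str, FrozenSet[str]],
                        prp: Dict[str, str] = DEFAULT_PRP) -> Set[str]:
    """Credentials an RODC would hold after the given successful branch
    logons: caching requires both a successful authentication at the RODC
    and a PRP Allow, so allowed users who never logged on are not cached."""
    cached: Set[str] = set()
    for principal in logons:
        ok, _ = evaluate_prp(principal, membership, prp)
        if ok:
            cached.add(principal)
    return cached


# Constructed logon history at the branch RODC (bb.user2 never logs on).
DEMO_LOGONS = ["bb.user1", "hq.admin", "bb.visitor", "bb.user1"]

# Even an explicit Allow on the admin account does not override the group Deny.
PRP_WITH_ADMIN_ALLOW = dict(DEFAULT_PRP, **{"hq.admin": ALLOW})

if __name__ == "__main__":
    for name in DEMO_MEMBERSHIP:
        print(name, evaluate_prp(name, DEMO_MEMBERSHIP))
    print("cached on RODC:", sorted(cached_after_logons(DEMO_LOGONS, DEMO_MEMBERSHIP)))
```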

    1.5.1.5 Administrator role separation

    You can delegate local administrative permissions for an RODC to any domain user without granting that user

    any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user

    cannot log on to any other domain controller or perform any other administrative task in the domain. In this

    way, the branch user can be delegated the ability to effectively manage the RODC in the branch office

    without compromising the security of the rest of the domain.

    1.5.1.6 Read-only DNS

    You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory

    partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an

    RODC, clients can query it for name resolution as they query any other DNS server.

    However, the DNS server on an RODC is read-only and therefore does not support client updates directly.

    Creation of Root Domain Controller on Windows Server 2008.

    TCP/IP configuration of Root Domain Controller in Salt-lake.

    GENERAL CONFIGURATION ON SALT-LAKE RDC.

    HARD DISK PARTITION INFORMATION OF RDC.

    A New Simple volume created for AD Database.

    Welcome wizard, click next.

    Specify the size of volume.

    Choose a Drive Letter and then click next.

    Format the volume with NTFS file system with appropriate details.

    Format completed successfully.

    Installation of DNS server role on BHELPSERRDC01.

    Welcome wizard, click next.

    Check the DNS server and then click next.

    Click Next.

    Process of adding the DNS server role started.

    RDC Creation in salt-lake:

    To configure this server as an additional Root Domain Controller, we first configure it as an Additional Domain

    Controller for the domain bhelpser.co.in.

    Welcome wizard.

    Check the advanced mode installation check box then Click next.

    Click next.

    Select Existing forest and Add a DC to an existing domain.

    Provide the name of the existing domain name.

    Supply the credentials of a domain admin for creating the ADC.

    Select the domain bhelpser.co.in and then click next.

    Select the default first site and then click next.

    Check the Global catalog option and then click next.

    Select the first option for replicating the database over the network.

    Select the appropriate domain controller.

    Specify the path for Active Directory Database.

    Supply the credentials. These credentials are used to restore Active Directory in case of a failure.

    Summary of the whole wizard.

    Click next.

    Process of installation of Active Directory Services started.

    After the restart, we gave the server more than 24 hours to complete the replication of all Active Directory

    components.

    Once the replication is complete, the size of the AD database file ntds.dit indicates the completion of replication from the Root Domain Controller.

    Name Servers.

    Forwarder

    Raising the Domain Functional Level.

    Before transferring the roles, the functional levels of the existing RDC must be raised.

    Open Active Directory Users and Computers. Right click on bhelpser.co.in and then Raise the Domain Functional

    level.

    Select Windows Server 2008 and then Raise.

    Click ok to proceed.

    Domain Functional Level successfully raised.

    Open Active Directory Domain and Trust. Right click on bhelpser.co.in and then Raise the Forest Functional level.

    Select Windows Server 2008 then click Raise.

    Click OK to proceed.

    Forest Functional Level successfully raised.

    Upgrading the schema

    Upgrading the schema for Windows Server 2008 requires its installation files.

    After upgrading, our Windows Server 2003 server is able to recognize Windows Server 2008.

    Transferring the five Operation Master Roles to BHELPSERRDC01.

    Querying the operations master roles on our existing Windows Server 2003 RDC.

    Microsoft Windows [Version 5.2.3790]

    (C) Copyright 1985-2003 Microsoft Corp.

    C:\>netdom query fsmo

    Schema owner cal002.bhelpser.co.in

    Domain role owner cal002.bhelpser.co.in

    PDC role cal002.bhelpser.co.in

    RID pool manager cal002.bhelpser.co.in

    Infrastructure owner cal002.bhelpser.co.in

    The command completed successfully.

    To transfer the roles from the command line, the ntdsutil command is used.

    Type roles then press enter.

    Type connections then press enter.

    To connect to the server, type connect to server bhelpserrdc01; ntdsutil then connects to our Windows Server 2008 server.

    To transfer Domain Naming Master type transfer domain naming master.

    Click Yes in the confirmation dialog box.

    Domain Naming Master transferred to bhelpserrdc01.

    To transfer Infrastructure Master type transfer infrastructure master.

    Click Yes in the confirmation dialog box.

    Infrastructure Master transferred to bhelpserrdc01.

    To transfer PDC type transfer pdc.

    Click Yes in the confirmation dialog box.

    PDC transferred to bhelpserrdc01.

    To transfer RID master type transfer rid master.

    Click Yes in the confirmation dialog box.

    RID master transferred to bhelpserrdc01.

    To transfer Schema master type transfer schema master.

    Click Yes in the confirmation dialog box.

    Schema master transferred to bhelpserrdc01.

    Querying the operations master roles after the transfer.
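As an added example that is not from the original document: a Python check that parses netdom query fsmo output in the format shown earlier and confirms that all five roles now sit on the new holder, which is the verification a practitioner wants after the ntdsutil transfers above. The "before" output is the one printed on the Windows Server 2003 RDC; the "after" output and the FQDN bhelpserrdc01.bhelpser.co.in are constructed.

```python
import re
from typing import Dict, List

# Label printed by "netdom query fsmo" -> role name used in this document.
ROLE_LABELS: Dict[str, str] = {
    "Schema owner": "schema master",
    "Domain role owner": "domain naming master",
    "PDC role": "PDC emulator",
    "RID pool manager": "RID master",
    "Infrastructure owner": "infrastructure master",
}
FOREST_WIDE = {"schema master", "domain naming master"}

_ROLE_LINE = re.compile(
    r"^\s*(Schema owner|Domain role owner|PDC role|RID pool manager|Infrastructure owner)"
    r"\s+(\S+)\s*$")


def parse_netdom_fsmo(output: str) -> Dict[str, str]:
    """Return {role name: holder FQDN (lower-cased)} from netdom query fsmo text.
    Raises if any of the five roles is missing, so a truncated capture is not
    mistaken for a successful query."""
    roles: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ROLE_LINE.match(line)
        if m:
            roles[ROLE_LABELS[m.group(1)]] = m.group(2).lower()
    missing = set(ROLE_LABELS.values()) - set(roles)
    if missing:
        raise ValueError("netdom output lacks roles: %s" % sorted(missing))
    return roles


def roles_not_on(roles: Dict[str, str], expected_holder: str) -> List[str]:
    """Roles whose holder differs from the expected server (empty when done)."""
    return sorted(r for r, h in roles.items() if h != expected_holder.lower())


def transfer_report(before: Dict[str, str], after: Dict[str, str],
                    target: str) -> Dict[str, List[str]]:
    """Summarise what changed between two queries around a role transfer."""
    target = target.lower()
    moved = sorted(r for r in after if before[r] != after[r] and after[r] == target)
    return {
        "moved": moved,
        "still_elsewhere": roles_not_on(after, target),
        "forest_wide_on_target": sorted(r for r in FOREST_WIDE if after[r] == target),
    }


# Output as printed on the Windows Server 2003 RDC before the transfer.
BEFORE_OUTPUT = """\
Schema owner cal002.bhelpser.co.in
Domain role owner cal002.bhelpser.co.in
PDC role cal002.bhelpser.co.in
RID pool manager cal002.bhelpser.co.in
Infrastructure owner cal002.bhelpser.co.in
The command completed successfully.
"""

# Constructed output expected after all five transfers to bhelpserrdc01.
AFTER_OUTPUT = """\
Schema owner                bhelpserrdc01.bhelpser.co.in
Domain role owner           bhelpserrdc01.bhelpser.co.in
PDC role                    bhelpserrdc01.bhelpser.co.in
RID pool manager            bhelpserrdc01.bhelpser.co.in
Infrastructure owner        bhelpserrdc01.bhelpser.co.in
The command completed successfully.
"""

NEW_HOLDER = "bhelpserrdc01.bhelpser.co.in"  # constructed FQDN

if __name__ == "__main__":
    before, after = parse_netdom_fsmo(BEFORE_OUTPUT), parse_netdom_fsmo(AFTER_OUTPUT)
    print(transfer_report(before, after, NEW_HOLDER))
```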

    Creation of separate OUs for Kolkata-Salt lake, Budge-budge and Bakreswar sites.

    Provide a name for the OU.

    Hierarchical Structure for Kolkata site.

    Hierarchical Structure for Bakreswar site.

    Group Policy Settings

    Account lockout duration set to 15 minutes. Account will lock out after 3 invalid logon attempts.

    Check both the Success and Failure boxes. Enable the policy Shutdown system immediately if unable

    to log security audits.

    Set the maximum system log size to 10MB. Set the maximum application log size to 10MB.

    Set the security log size to 10MB. Enables auditing of all user rights in conjunction with Audit

    Privilege Use auditing being enabled.


    This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers not being available.

    Creation of separate DNS zones for different subnets.


    Select the IPv4 addresses.

    Provide the network Id for the creation of zone.

    Zone created successfully.


    Welcome wizard.

    Select the primary zone. Click next.

    Select the method for the replication.


    Select the IPv4 Addresses.

    Provide the unique network Id for this zone.

    Select for both non-secure and secure updates.


    Zone created successfully.


    Welcome wizard.

    Select primary zone.

    Select the method for the replication of zone.


    Select IPv4 addresses.

    Provide the unique network Id for this zone.

    Select for both non-secure and secure updates.


    Zone created successfully.


    Sites and settings for different sites.

    Different Sites and settings will be created for the replication between Domain Controllers.

    Creation of different Subnets. Right click on Subnet and select New Subnet to create a Subnet.


    Provide the IP Subnet and its subnet mask.

    Right click on Subnet and select New Subnet to create a Subnet.


    Provide the IP Subnet and its Subnet Mask.

    Creation of different Sites.

    Right click on Sites and select New Site to create a Site.


    Provide the name for Bakreswar Site and select the Default Site Link.

    Site for Bakreswar successfully created.

    Go to the properties of Subnet.


    Set a description so that the subnet is easy to recognize.

    Creation of different site link.

    Select New Site Link


    Set the name for New Site Link.

    Choose the settings for replication between Domain Controllers.

    Decrease the replication frequency.


    Create a Site for Budge-budge.

    Select New Site.

    Set the name for new site.


    Go to the properties page of subnet.


    Different Sites and settings are created for the replication between Domain Controllers.

    Creation of Additional Domain Controller on Windows Server 2008.

    Basic details of ADC.

    TCP/IP configuration of Additional Domain Controller in Salt-lake.


    Server name changes to BHELPSERADC01.

    Hard disk partition information of BHELPSERRDC01.


    A new simple volume is created for the AD database.

    Welcome wizard; click Next.


    Specify the size of volume.

    Choose a Drive Letter and then click next.

    Format the volume with NTFS file system with appropriate details.


    Format completed successfully.

    Installation of DNS on BHELPSERADC01.


    Click Add roles

    Welcome wizard, click next


    Check the DNS server and then click next.

    Click next.


    Process of adding the DNS server role started.

    DNS server role service successfully installed.


    ADC creation in salt-lake.

    Configure this server as an additional Active Directory Domain Server for the domain bhelpser.co.in.

    Open cmd and type dcpromo.

    Welcome wizard.


    Check the advanced mode installation check box then Click next.

    Click next.


    Select Existing forest and Add a DC to an existing domain.

    Provide the name of the existing domain name.


    Supply the credential of domain admin for creating ADC.

    Select the domain bhelpser.co.in and then click next.


    Select the default first site and then click next.

    Check the Global catalog option and then click next.


    Select the first option for replicating the database over the network.

    Select the root domain controller.


    Specify the path for Active Directory Database.

    Supply the credentials. These credentials will be used in case of any failure to restore the Active Directory.


    Summary of the whole wizard.

    Click next.

    Process of installation of Active Directory Services started.


    Click on Finish button.

    Click finish and restart before the changes take effect.

    After the restart, the server will require more than 24hrs to complete the replication of all Active Directory components.


    Creation of Read Only Domain Controller on Windows Server 2008 at Budge-budge.

    TCP/IP configuration of Read-only Domain Controller at Budge-budge.

    Server name changes to BHELBUDGRODC01.


    Installation of DNS on BHELBUDGRODC01.


    Click Add roles

    Welcome wizard, click next

    Check the DNS server and then click next.


    Click next.

    Process of adding the DNS server role started.


    DNS server role service successfully installed.

    RODC creation in Budge-budge.

    Configure this server as a Read-only Active Directory Domain Server for the domain bhelpser.co.in.

    Open cmd and type dcpromo.


    Welcome wizard.

    Check the advanced mode installation check box then Click next.


    Provide the name of the existing domain name.

    Supply the credential of domain admin for creating ADC.


    Select the domain bhelpser.co.in and then click next.


    Select the budge-budge site and then click next.

    Select Global catalog and RODC then click next.


    Select Allowed RODC Password Replication and click next.

    Select Allow password for the account to replicate to this RODC.

    Add Domain Users.


    Set the domain administrator user account for delegation of RODC Installation and Administration.

    Select the first option for replicating the database over the network.


    Select the root domain controller.

    Specify the path for Active Directory Database.


    Supply the credentials. These credentials will be used in case of any failure to restore the Active Directory.

    Summary of the whole wizard.

    Click next.


    Exported settings of DCPROMO wizard.

    Process of installation of Active Directory Services started.

    ; DCPROMO unattend file (automatically generated by dcpromo)
    ; Usage:
    ;   dcpromo.exe /unattend:C:\Bhel Implementation\rodc-settings.txt
    ;
    ; You may need to fill in password fields prior to using the unattend file.
    ; If you leave the values for "Password" and/or "DNSDelegationPassword"
    ; as "*", then you will be asked for credentials at runtime.
    ;
    [DCInstall]
    ; Read-Only Replica DC promotion
    ReplicaOrNewDomain=ReadOnlyReplica
    ReplicaDomainDNSName=bhelpser.co.in
    ; RODC Password Replication Policy
    PasswordReplicationDenied="BUILTIN\Administrators"
    PasswordReplicationDenied="BUILTIN\Server Operators"
    PasswordReplicationDenied="BUILTIN\Backup Operators"
    PasswordReplicationDenied="BUILTIN\Account Operators"
    PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
    PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
    PasswordReplicationAllowed="BHELPSER\Domain Users"
    DelegatedAdmin="BHELPSER\emperor"
    SiteName=Budge-Budge
    InstallDNS=Yes
    ConfirmGc=Yes
    CreateDNSDelegation=No
    UserDomain=bhelpser.co.in
    UserName=bhelpser.co.in\emperor
    Password=*
    ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
    DatabasePath="D:\Windows\NTDS"
    LogPath="D:\Windows\NTDS"
    SYSVOLPath="D:\Windows\SYSVOL"
    ; Set SafeModeAdminPassword to the correct value prior to using the unattend file
    SafeModeAdminPassword=
    ; Run-time flags (optional)
    ; CriticalReplicationOnly=Yes
    ; RebootOnCompletion=Yes
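    As an added example (not part of the Wipro/BHEL document), the PowerShell below reviews an exported dcpromo unattend file such as the one above before it is reused at another site: it parses the [DCInstall] key=value lines and flags an Allowed list that names a domain-wide group such as Domain Users (which lets the RODC cache the password secrets of every user, so a compromised branch server exposes them all), any privileged principal in the Allowed list, and any password field holding a literal value. The sample lines are constructed from the exported settings; the function names are ours and assume PowerShell 2.0 or later.

```powershell
# Added example, not part of the Wipro/BHEL document. Reviews a dcpromo
# unattend file before it is reused with "dcpromo /unattend:<file>".
# Assumes PowerShell 2.0 or later; the function names below are ours.

function Read-UnattendFile {
    param([string[]]$Lines)
    # Collect key=value pairs from the [DCInstall] section. The same key may
    # repeat (PasswordReplicationAllowed/Denied), so each key maps to an array.
    $settings = @{}
    foreach ($line in $Lines) {
        $t = "$line".Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }
        $idx = $t.IndexOf('=')
        if ($idx -lt 1) { continue }
        $key = $t.Substring(0, $idx).Trim()
        $val = $t.Substring($idx + 1).Trim().Trim('"')
        if (-not $settings.ContainsKey($key)) { $settings[$key] = @() }
        $settings[$key] += $val
    }
    return $settings
}

function Test-RodcUnattend {
    param([hashtable]$Settings)
    $findings = @()
    $site    = @($Settings['SiteName'])[0]
    $allowed = @($Settings['PasswordReplicationAllowed']) | Where-Object { $_ }

    if (@($Settings['ReplicaOrNewDomain'])[0] -ne 'ReadOnlyReplica') {
        $findings += 'ReplicaOrNewDomain is not ReadOnlyReplica; this file does not build an RODC.'
    }
    # An Allowed entry for a domain-wide group lets the RODC cache the password
    # secrets of every member, so a stolen or compromised branch server exposes
    # them all. Allow only the users and computers that actually work at the site.
    foreach ($g in ($allowed | Where-Object { $_ -match '\\(Domain Users|Domain Computers|Authenticated Users|Everyone)$' })) {
        $findings += "Allowed list contains domain-wide group '$g'; replace it with a group scoped to site '$site'."
    }
    # Privileged principals belong in the Denied list and never in Allowed.
    foreach ($g in ($allowed | Where-Object { $_ -match 'Admin|Operators' })) {
        $findings += "Allowed list contains privileged principal '$g'."
    }
    # '*' makes dcpromo prompt at run time; any other literal means a password
    # is stored in clear text in a file that is usually kept as documentation.
    foreach ($k in 'Password', 'DNSDelegationPassword', 'SafeModeAdminPassword') {
        $v = @($Settings[$k])[0]
        if ($v -and $v -ne '*') { $findings += "$k holds a literal value in the unattend file." }
    }
    return ,$findings
}

# Constructed sample mirroring the exported settings above. For a real review,
# replace it with: Get-Content 'C:\Bhel Implementation\rodc-settings.txt'
$sampleLines = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
SiteName=Budge-Budge
Password=*
SafeModeAdminPassword=
'@ -split "`r?`n"

$findings = Test-RodcUnattend -Settings (Read-UnattendFile -Lines $sampleLines)
if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

    With the sample above the script reports the Domain Users entry; the denied built-in groups already present in the exported file are left untouched by the check.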


    Click on Finish Button.

    Click finish and restart before the changes take effect.

    After the restart, the server will require enough time to replicate.


    On the RODC there is no option for creating any users & groups; these options are grayed out.

    Creation of Read Only Domain Controller on Windows Server 2008 at Bakreswar.

    TCP/IP configuration of Read-only Domain Controller at Bakreswar.


    Server name changes to BHELBAKRRODC01.

    Installation of DNS on BHELBAKRRODC01.


    Click Add roles

    Welcome wizard, click next


    Check the DNS server and then click next.

    Click next.


    Process of adding the DNS server role started.

    DNS server role service successfully installed.


    RODC creation in Bakreswar.

    Configure this server as a Read-only Active Directory Domain Server for the domain bhelpser.co.in.

    Open cmd and type dcpromo.

    Welcome wizard; click the Next button.


    Check the advanced mode installation check box then Click next.

    Click on Next.


    Select Existing forest and Add a DC to an existing domain.

    Provide the name of the existing domain name.


    Supply the credential of domain admin for creating ADC.

    Select the domain bhelpser.co.in and then click next.


    Select the bakreswar site and then click next.

    Select Global catalog and RODC then click next.
