Microsoft ® Official Course Module 3 Maintaining Active Directory Domain Services.


Transcript of Microsoft ® Official Course Module 3 Maintaining Active Directory Domain Services.

Page 1

Microsoft® Official Course

Module 3

Maintaining Active Directory Domain Services

Page 2

Module Overview

Overview of AD DS

Implementing Virtualized Domain Controllers

Implementing Read-Only Domain Controllers

Administering AD DS

Managing the AD DS Database

Page 3

Lesson 1: Overview of AD DS

Overview of AD DS Components

Understanding AD DS Forest and Schema Structure

Understanding AD DS Domain Structure

Page 4

Overview of AD DS Components

Physical Components

• Data store

• Domain controllers

• Global catalog server

• Read-only domain controllers

Logical Components

• Partitions

• Schema

• Domains

• Domain trees

• Forests

• Sites

• Organizational units

AD DS is composed of both physical and logical components

Page 5

Understanding AD DS Forest and Schema Structure

Diagram: a forest whose forest root domain is adatum.com, with the child domain atl.adatum.com beneath it, and a second tree root domain, fabrikam.com, in the same forest.

Page 6

Understanding AD DS Domain Structure

• AD DS requires one or more domain controllers

• All domain controllers hold a copy of the domain database, which is continually synchronized

• The domain is the context within which users, groups, and computers are created

• The domain is a replication boundary

• The domain is an administrative center for configuring and managing objects

• Any domain controller can authenticate any logon in the domain

Page 7

Lesson 2: Implementing Virtualized Domain Controllers

Understanding Cloned Virtualized Domain Controllers

Deploying a Cloned Virtualized Domain Controller

Managing Virtualized Domain Controllers

Page 8

Understanding Cloned Virtualized Domain Controllers

Windows Server 2012 provides the following functionality for virtual domain controllers:

• Safe cloning

• Safe snapshot restore

Implementing virtualized domain controllers provides the following benefits:

• Rapid domain controller deployment

• Scalable provisioning of domain controllers

• Quick replacement or recovery of domain controllers

• Easy provisioning of test environments

Page 9

Deploying a Cloned Virtualized Domain Controller

You can clone an existing virtual domain controller safely by:

1. Creating a DcCloneConfig.xml file, and storing it in the AD DS database location

2. Taking the VDC offline, and exporting it

3. Creating a new virtual machine by importing the exported VDC

Diagram: copy DcCloneConfig.xml to the AD DS database location, export the VDC, then import the VDC.
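The three steps above, as an added PowerShell example that is not part of the course material. It assumes a source DC named LON-DC1, a clone name LON-DC3, and static addressing in the 10.0.0.0/24 range; the cmdlets are the Active Directory module's own.

```powershell
# Added example (not from the course): prepare a source virtual DC for safe cloning
# and generate DcCloneConfig.xml. Host, clone name, addresses and site are assumed.
Import-Module ActiveDirectory

$sourceDc  = 'LON-DC1'   # assumed: the virtual DC that will be cloned
$cloneName = 'LON-DC3'   # assumed: the name the clone will take

# 1a. The source DC must be authorized for cloning: add its computer account to the
#     Cloneable Domain Controllers group (the PDC Emulator must be Windows Server 2012 or later).
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# 1b. Check for installed applications or services not known to be clone-safe.
#     Anything returned must be removed or explicitly allowed before cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Review these items before cloning:'
    $excluded | Format-Table -AutoSize
    # After review, write CustomDCCloneAllowList.xml to the NTDS folder to allow them.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 1c. Write DcCloneConfig.xml into the AD DS database directory (the NTDS folder) of the source.
#     A clone with no config file, or an incomplete one, boots into DSRM instead of promoting itself.
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
    -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

# 2 and 3 happen on the Hyper-V host (Hyper-V module assumed):
#   Stop-VM -Name $sourceDc
#   Export-VM -Name $sourceDc -Path 'E:\Export'
#   Import-VM -Path '<exported VM configuration file>' -Copy -GenerateNewId
# On first boot the imported VM reads DcCloneConfig.xml and promotes itself as $cloneName.
```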

Page 10

Managing Virtualized Domain Controllers

To replicate AD DS properly, ensure that:

• A restored virtual domain controller can contact a writeable domain controller

• You do not restore all domain controllers in a domain simultaneously

• All changes originating since the last snapshot are replicated, or they will be lost

Considerations for managing snapshots:

• Snapshots do not replace regular backups

• Do not restore snapshots that were taken before the promotion of the domain controller

• Do not host all virtual domain controllers on the same hypervisor
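A post-restore health check for the first bullet list, added here as an example and not taken from the course. It assumes the restored VDC is LON-DC2 and that the script runs with rights to read its Directory Service event log; Event ID 2095 is the Directory Service log's USN rollback event.

```powershell
# Added example (not from the course): verify a virtual DC restored from a snapshot
# can reach a writable DC, is replicating, and did not suffer a USN rollback.
Import-Module ActiveDirectory
$dcName = 'LON-DC2'   # assumed: the restored virtual DC

# A restored VDC must be able to contact a writable DC to re-sync its changes.
$writable = Get-ADDomainController -Discover -Writable -Service ADWS
"Writable DC reachable: $($writable.HostName)"

# Inbound replication status of the restored DC; failed links show up with an error line.
repadmin /showrepl $dcName

# A Windows Server 2012 VDC on a hypervisor that exposes VM-Generation ID detects the
# snapshot restore and safely resets its invocation ID. A DC restored by an unsupported
# method instead logs Event 2095 (USN rollback) and stops inbound/outbound replication.
$rollback = Get-WinEvent -ComputerName $dcName `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

if ($rollback) {
    Write-Warning "USN rollback detected on $dcName; isolate it and rebuild rather than re-enable replication."
    $rollback | Select-Object TimeCreated, Id, Message | Format-List
} else {
    "No USN rollback events found on $dcName."
}
```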

Page 11

Lesson 3: Implementing Read-Only Domain Controllers

Considerations for Implementing RODCs

Managing RODC Credential Caching

Managing Local Administration for RODCs

Page 12

Considerations for Implementing RODCs

RODCs provide several important functions:

• Credential caching

• Administrative role separation

• Read-only DNS

To deploy an RODC:

1. Ensure there is no computer account in AD DS for the new RODC

2. Precreate the RODC account in AD DS in the Domain Controllers container

3. Run the AD DS installation wizard on the new RODC
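The three deployment steps as an added PowerShell example (not the course's own material). It assumes a domain adatum.com, an RODC named LON-RODC1, a site Branch-Site, and pre-existing groups RODC-Admins, Branch Users and Branch Computers; the cmdlets come from the Active Directory and ADDSDeployment modules.

```powershell
# Added example (not from the course): stage an RODC account, then promote the
# server with that staged account. Domain, names, site and groups are assumed.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$rodcName = 'LON-RODC1'
$domain   = 'adatum.com'

# 1. Ensure no computer account of that name already exists in AD DS.
if (Get-ADComputer -Filter "Name -eq '$rodcName'") {
    throw "A computer account named $rodcName already exists; remove or rename it first."
}

# 2. Pre-create the RODC account in the Domain Controllers container (run as a Domain Admin).
#    Delegating administration and setting the PRP here means the branch installer never
#    needs domain-wide rights, and admin accounts are denied caching from the start.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName 'Branch-Site' `
    -DelegatedAdministratorAccountName 'ADATUM\RODC-Admins' `
    -AllowPasswordReplicationAccountName @('ADATUM\Branch Users', 'ADATUM\Branch Computers') `
    -DenyPasswordReplicationAccountName @('ADATUM\Domain Admins', 'ADATUM\Enterprise Admins')

# 3. On the new server, attach to the staged account. Because the account exists,
#    a member of the delegated admin group can complete this step.
Install-ADDSDomainController `
    -DomainName $domain `
    -UseExistingAccount `
    -Credential (Get-Credential 'ADATUM\rodc-installer') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -InstallDns
```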

Page 13

Managing RODC Credential Caching

• Credential caching is managed through Password Replication Policies

• Password Replication Policies:

  • Determine which credentials to cache on an RODC: user accounts and computer accounts

  • Contain an allowed list and a denied list: the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group

• Do not cache domain administrative accounts

Page 14

Managing Local Administration for RODCs

• Delegate RODC administration to local administrators

• Set a single security principal (a user or a group) as an administrator

• Enable by using one of the following methods:

  • The Managed By tab of the RODC computer account

  • dsmgmt

  • ntdsutil

• Cache the credentials of delegated administrators
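An added example covering both this slide and the previous one on credential caching; it is not from the course. It assumes an existing RODC LON-RODC1 and groups named Branch Users, Branch Computers, Service Accounts and RODC-Admins, and it checks that the default deny for administrative accounts is still intact.

```powershell
# Added example (not from the course): manage and audit the Password Replication
# Policy of an RODC and delegate its local administration. Names are assumed.
Import-Module ActiveDirectory
$rodc = 'LON-RODC1'

# Allow branch users and computers to be cached; explicitly deny service accounts.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users', 'Branch Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Service Accounts'

# Check: administrative accounts are denied through the Denied RODC Password Replication
# Group, which holds Domain Admins and similar groups by default. Warn if either link is gone.
$deniedList = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied).Name
if ($deniedList -notcontains 'Denied RODC Password Replication Group') {
    Write-Warning "Denied RODC Password Replication Group is missing from the denied list of $rodc"
}
$deniedMembers = (Get-ADGroupMember 'Denied RODC Password Replication Group').Name
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    if ($deniedMembers -notcontains $g) { Write-Warning "$g was removed from the denied group" }
}

# Which accounts' secrets are actually stored on this RODC (what is exposed if the
# branch server is stolen), as opposed to accounts that merely authenticated through it.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass | Sort-Object Name

# Delegate local administration to a single group (the Managed By tab equivalent) and
# allow that group's credentials to be cached so members can log on while the WAN is down.
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADGroup 'RODC-Admins')
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'RODC-Admins'
```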

Page 15

Lesson 4: Administering AD DS

Overview of the Active Directory Administration Snap-ins

Overview of the Active Directory Administrative Center

Overview of the Active Directory Module for Windows PowerShell

Demonstration: Managing AD DS by Using Management Tools

Managing Operations Master Roles

Managing AD DS Backup and Recovery

Page 16

Overview of the Active Directory Administration Snap-ins

Active Directory administration snap-ins consist of four different MMC consoles:

• Active Directory Users and Computers

• Active Directory Sites and Services

• Active Directory Domains and Trusts

• Active Directory Schema

Page 17

Overview of the Active Directory Administrative Center

• Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell

Page 18

Overview of the Active Directory Module for Windows PowerShell

The Active Directory module for Windows PowerShell provides full administrative functionality in these areas:

• User management

• Computer management

• Group management

• OU management

• Password policy management

• Searching and modifying objects

• Forest and domain management

• Domain controller and operations-masters management

• Managed service account management

• Site-replication management

• Central access and claims management

Page 19

Demonstration: Managing AD DS by Using Management Tools

In this demonstration, you will see how to:

• Create objects in Active Directory Users and Computers

• View object attributes in Active Directory Users and Computers

• Navigate within Active Directory Administrative Center

• Perform an administrative task in Active Directory Administrative Center

• Use the Windows PowerShell Viewer in Active Directory Administrative Center

• Manage AD DS objects with Windows PowerShell

Page 20

Managing Operations Master Roles

Operations master roles are assigned to the domain controller responsible for performing a specific task for the forest or the domain

• Forest-wide operations master roles:

  • Domain Naming Master role

  • Schema Master role

• Domain-wide operations master roles:

  • RID Master role

  • Infrastructure Master role

  • PDC Emulator role
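An added PowerShell example (not from the course) that reports the five role holders, transfers roles to another DC, and shows where a seizure would go. LON-DC2 is an assumed target; the cmdlets and property names are the Active Directory module's own.

```powershell
# Added example (not from the course): report operations master role holders,
# transfer roles gracefully, and seize only when the holder is permanently gone.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}
Get-OperationsMasterReport | Format-List

# Planned transfer: the current holder is online, so the move is negotiated with it
# and the role's state is handed over cleanly. LON-DC2 is an assumed target.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure (-Force) is only for a holder that has failed and will never return. If a
# seized role's former holder is brought back online, it must be rebuilt, not rejoined,
# or two DCs will claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' -OperationMasterRole SchemaMaster -Force

# Verify from the target's own view after the transfer has replicated.
Get-ADDomainController -Identity 'LON-DC2' | Select-Object Name, OperationMasterRoles
```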

Page 21

Managing AD DS Backup and Recovery

• Non-authoritative (normal) restore

  • Restore the domain controller to a previously known good state

  • The domain controller is then updated by standard replication from its partners

• Authoritative restore

  • Restore the domain controller to a previously known good state

  • Mark the objects that you want to be authoritative

  • The domain controller is updated from its up-to-date partners

  • The domain controller sends the authoritative updates to its partners

• Full server restore

  • Typically performed in the Windows Recovery Environment

• Alternate location restore
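The system state backup and the two restore types above as an added example, not taken from the course. It assumes the Windows Server Backup feature is installed, a backup target drive E:, and that the subtree to make authoritative is OU=Sales,DC=adatum,DC=com; the restore steps are shown as the DSRM commands they require.

```powershell
# Added example (not from the course): system state backup with wbadmin, then the
# DSRM steps for a non-authoritative restore and for marking a subtree authoritative.
# E:, the version identifier and OU=Sales are assumed values.

# 1. System state backup (AD DS database, SYSVOL, registry, boot files).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Confirm the backup is catalogued before relying on it.
wbadmin get versions -backupTarget:E:

# 2. Non-authoritative (normal) restore. Boot into DSRM, log on with the DSRM
#    account, and recover the chosen version:
#      bcdedit /set safeboot dsrepair ; Restart-Computer
#      wbadmin start systemstaterecovery -version:<version identifier> -backupTarget:E: -quiet
#    On the next normal boot, replication partners overwrite anything older than their copies,
#    so a deleted object stays deleted after a normal restore alone.

# 3. Authoritative restore. Still in DSRM, after the recovery and before rebooting, mark the
#    objects that must win replication. ntdsutil raises their version numbers by a large
#    increment so that every partner accepts the restored copy as newer.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=adatum,DC=com" quit quit

# 4. Return to normal boot. Partners receive the marked objects as authoritative updates,
#    and the DC receives everything else from its up-to-date partners.
#      bcdedit /deletevalue safeboot ; Restart-Computer
```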

Page 22

Lesson 5: Managing the AD DS Database

Understanding the AD DS Database

What Is NTDSUtil?

Understanding Restartable AD DS

Demonstration: Performing AD DS Database Maintenance

Creating AD DS Snapshots

Understanding How to Restore Deleted Objects

Configuring the Active Directory Recycle Bin

Page 23

Understanding the AD DS Database

• The AD DS database holds all domain-based information in four partitions

Diagram: the AD DS database on a domain controller, divided into the schema partition, the configuration partition, the domain partition, and optional application partitions.

Page 24

What Is NTDSUtil?

With NTDSUtil you can:

• Manage and control single master operations

• Perform AD DS database maintenance:

  • Perform offline defragmentation

  • Create and mount snapshots

  • Move database files

• Maintain domain controller metadata

• Reset the Directory Services Restore Mode password

Page 25

Understanding Restartable AD DS

• AD DS can be started or stopped by using the Services console

• AD DS can be in three states:

  • AD DS Started

  • AD DS Stopped

  • DSRM

• It is not possible to perform a system state restore while AD DS is in the Stopped state

Page 26

Demonstration: Performing AD DS Database Maintenance

In this demonstration, you will see how to:

• Stop AD DS

• Perform offline defragmentation of the AD DS database

• Check the integrity of the AD DS database

• Start AD DS
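The four demonstration steps as an added script (not the course's own), which also illustrates the NTDSUtil database-maintenance commands from the earlier slide. It assumes the default database path C:\Windows\NTDS and scratch directories under C:\, and must run elevated on the domain controller.

```powershell
# Added example (not from the course): offline defragmentation and integrity check of
# ntds.dit using restartable AD DS. Paths are assumed; run elevated on the DC itself.
$ntdsDir    = 'C:\Windows\NTDS'
$compactDir = 'C:\NTDS-Compact'
$backupDir  = 'C:\NTDS-Backup'

# 1. Stop AD DS (this also stops dependents such as KDC and DNS) instead of rebooting into DSRM.
Stop-Service -Name NTDS -Force

try {
    New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null

    # 2. Compact the database into a new file; ntdsutil writes $compactDir\ntds.dit.
    ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
    if (-not (Test-Path "$compactDir\ntds.dit")) {
        throw 'Compaction did not produce a new ntds.dit; leaving the original in place.'
    }

    # Keep the original, swap in the compacted copy and remove the old transaction logs,
    # which belong to the previous database state.
    Copy-Item "$ntdsDir\ntds.dit" "$backupDir\ntds.dit.bak" -Force
    Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
    Remove-Item "$ntdsDir\edb*.log" -Force

    # 3. Integrity check; it must report no errors before AD DS is brought back.
    #    If it fails, restore $backupDir\ntds.dit.bak before starting the service.
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    # 4. Start AD DS. Note that a system state restore is not possible in the Stopped state;
    #    that still requires DSRM.
    Start-Service -Name NTDS
}
```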

Page 27

Creating AD DS Snapshots

• Create a snapshot of Active Directory: NTDSUtil

• Mount the snapshot to a unique port: NTDSUtil

• Expose the snapshot: right-click the root node of Active Directory Users and Computers, choose Connect to Domain Controller, and enter serverFQDN:port

• View the (read-only) snapshot: you cannot directly restore data from the snapshot

• Recover data:

  • Connect to the mounted snapshot, and export/reimport objects with LDIFDE

  • Restore a backup from the same date as the snapshot

  • Manually reenter the data
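The snapshot workflow above as an added example, not from the course. It assumes the snapshot is mounted under C:\, LDAP port 50000 is free, C:\Temp exists, and the OU to export is OU=Sales,DC=adatum,DC=com; dsamain is the Windows tool that serves a mounted database copy over LDAP.

```powershell
# Added example (not from the course): create an AD DS snapshot, mount it, expose it
# read-only over LDAP on a unique port, and export an OU with LDIFDE. Values assumed.
$port = 50000
$ou   = 'OU=Sales,DC=adatum,DC=com'

# 1. Create the snapshot (a VSS shadow copy of the volumes holding the AD DS files).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List and mount it; "mount 1" takes the first entry shown by "list all".
#    The mount appears as a directory like C:\$SNAP_<timestamp>_VOLUMEC$\
ntdsutil snapshot "list all" "mount 1" quit quit
$mount = Get-ChildItem 'C:\' -Directory -Filter '$SNAP_*' |
    Sort-Object LastWriteTime | Select-Object -Last 1

# 3. Expose the mounted copy as an LDAP server on a port AD DS is not using.
#    dsamain keeps running in its own window until you stop it.
$dit = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'
Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $port"

# 4. Now connect Active Directory Users and Computers to <serverFQDN>:50000 to browse,
#    or export the objects you need for comparison or re-import.
ldifde -f C:\Temp\sales-snapshot.ldf -s localhost -t $port -d $ou -p subtree

# 5. Nothing is restored from the snapshot directly: review the LDF file (drop system
#    attributes such as objectGUID and objectSid) and re-import what you need:
#      ldifde -i -k -f C:\Temp\sales-snapshot.ldf

# 6. When finished, stop dsamain and unmount the snapshot.
#      ntdsutil snapshot "list all" "unmount 1" quit quit
```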

Page 28

Understanding How to Restore Deleted Objects

• Deleted objects are recovered through tombstone reanimation

• When an object is deleted, most of its attributes are cleared

• Authoritative restore requires AD DS downtime

Diagram: object lifecycle. Delete moves a live object to the tombstoned state; garbage collection moves a tombstoned object to physically deleted; reanimating the tombstone or performing an authoritative restore returns a tombstoned object to the live state.

Page 29

Configuring the Active Directory Recycle Bin

• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime

• Uses Windows PowerShell with the Active Directory module or the Active Directory Administrative Center to restore objects
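An added PowerShell example (not from the course) for this slide and the previous one on restoring deleted objects: it enables the Recycle Bin, then finds and restores a deleted user with its attributes intact, which a tombstone reanimation would not preserve. The forest is read live; the user jsmith is an assumed value.

```powershell
# Added example (not from the course): enable the Active Directory Recycle Bin and
# restore a deleted object without stopping AD DS. 'jsmith' is an assumed user.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Enabling is forest-wide and cannot be undone; it requires forest functional level
# Windows Server 2008 R2 (enum value 4) or later.
if ([int]$forest.ForestMode -lt 4) {
    throw "Raise the forest functional level first (current: $($forest.ForestMode))."
}
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# With the Recycle Bin on, a deleted object keeps its attributes and group links for the
# deleted-object lifetime (a plain tombstone keeps only a few), so it can be restored intact.
function Get-DeletedObjects {
    param([string]$LdapFilter = '(objectClass=*)')
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(!(name=Deleted Objects))$LdapFilter)" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, sAMAccountName
}

# What is currently recoverable, most recent deletions first.
Get-DeletedObjects | Sort-Object whenChanged -Descending |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore one user to its original container. If that container was deleted too,
# restore the container first, or pass -TargetPath to place the user elsewhere.
$user = Get-DeletedObjects -LdapFilter '(sAMAccountName=jsmith)'
if ($user) { $user | Restore-ADObject } else { 'No deleted object named jsmith found.' }
```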

Page 30

Lab: Maintaining AD DS

Exercise 1: Installing and Configuring a RODC

Exercise 2: Configuring AD DS Snapshots

Exercise 3: Configuring the Active Directory Recycle Bin

Logon Information

Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1

User name: Administrator

Password: Pa$$w0rd

Estimated Time: 75 minutes

Page 31

Lab Scenario

A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and data center in London supports the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum is making several organizational changes that require modifications to the AD DS infrastructure. A new location requires a secure method of providing onsite AD DS, and you have been asked to extend the capabilities of Active Directory Recycle Bin to the entire organization.

Page 32

Review Questions

• Which AD DS objects should have their credentials cached on an RODC located in a remote location?

• What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?

Page 33

Module Review and Takeaways

Review Questions

Tools

Best Practice