Microsoft ® Official Course Module 3 Maintaining Active Directory Domain Services.
Microsoft® Official Course
Module 3
Maintaining Active Directory Domain Services
Module Overview
Overview of AD DS
Implementing Virtualized Domain Controllers
Implementing Read-Only Domain Controllers
Administering AD DS
Managing the AD DS Database
Lesson 1: Overview of AD DS
Overview of AD DS Components
Understanding AD DS Forest and Schema Structure
Understanding AD DS Domain Structure
Overview of AD DS Components
Physical Components
• Data store
• Domain controllers
• Global catalog server
• Read-only domain controllers
Logical Components
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units
AD DS is composed of both physical and logical components
Understanding AD DS Forest and Schema Structure
Figure: a forest whose forest root domain is adatum.com, with the child domain atl.adatum.com beneath it and fabrikam.com as the tree root domain of a second domain tree.
Understanding AD DS Domain Structure
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database, which is continually synchronized
• The domain is the context within which users, groups, and computers are created
• The domain is a replication boundary
• The domain is an administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
Lesson 2: Implementing Virtualized Domain Controllers
Understanding Cloned Virtualized Domain Controllers
Deploying a Cloned Virtualized Domain Controller
Managing Virtualized Domain Controllers
Understanding Cloned Virtualized Domain Controllers
Windows Server 2012 provides the following functionality for virtual domain controllers:
• Safe cloning
• Safe snapshot restore
Implementing virtualized domain controllers provides the following benefits:
• Rapid domain controller deployment
• Scalable provisioning of domain controllers
• Quick replacement or recovery of domain controllers
• Easy provisioning of test environments
Deploying a Cloned Virtualized Domain Controller
You can clone an existing virtual domain controller safely by:
1. Creating a DcCloneConfig.xml file, and storing it in the AD DS database location
2. Taking the VDC offline, and exporting it
3. Creating a new virtual machine by importing the exported VDC
Figure: DcCloneConfig.xml is placed in the AD DS database location, the VDC is exported, and the export is imported as the new VDC.
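The three cloning steps above as a script, added here as an example and not part of the course; it uses the AD DS and Hyper-V PowerShell modules, and the names LON-DC2 (source), LON-DC3 (clone), LON-HV1 (hypervisor), the export path and the IP values are all assumptions.

```powershell
# Added example, not from the course: clone a virtualized DC on Hyper-V.
# Source VDC LON-DC2, clone LON-DC3, hypervisor LON-HV1, paths and IPs are hypothetical.
Import-Module ActiveDirectory

$SourceDC   = 'LON-DC2'
$CloneName  = 'LON-DC3'
$Hypervisor = 'LON-HV1'
$ExportRoot = 'D:\Exports'

# Prerequisite: the source DC must be a member of this built-in group (and the PDC
# emulator must run Windows Server 2012) or the clone refuses to promote itself.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "$SourceDC$"

# Any installed service or application outside the cloning allow list must be
# removed or explicitly permitted in CustomDCCloneAllowList.xml before cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) { $excluded | Format-Table -AutoSize; throw 'Resolve the excluded applications first' }

# Step 1: write DcCloneConfig.xml into the AD DS database folder (run on the source DC).
# The cmdlet validates group membership and the PDC emulator before writing the file.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -Static `
    -IPv4Address '172.16.0.30' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10' `
    -SiteName 'Default-First-Site-Name'

# Steps 2 and 3 run on the hypervisor: take the VDC offline, export it, and import the
# export as a new VM with a new ID. The new VM-GenerationID plus DcCloneConfig.xml is
# what makes the clone re-promote itself instead of coming up as a duplicate DC.
Invoke-Command -ComputerName $Hypervisor -ScriptBlock {
    Stop-VM   -Name $using:SourceDC
    Export-VM -Name $using:SourceDC -Path $using:ExportRoot

    $config = Get-ChildItem "$using:ExportRoot\$using:SourceDC\Virtual Machines" |
        Where-Object { $_.Extension -in '.xml', '.vmcx' } | Select-Object -First 1
    $clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "D:\VMs\$using:CloneName" -VhdDestinationPath "D:\VMs\$using:CloneName"
    Rename-VM -VM $clone -NewName $using:CloneName

    Start-VM -Name $using:SourceDC   # the source returns to service unchanged
    Start-VM -VM $clone              # the clone boots, renames itself and promotes
}
```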
Managing Virtualized Domain Controllers
To replicate AD DS properly, ensure that:
• A restored virtual domain controller can contact a writeable domain controller
• You do not restore all domain controllers in a domain simultaneously
• All changes originating since the last snapshot are replicated, or they will be lost
Considerations for managing snapshots:
• Snapshots do not replace regular backups
• Do not restore snapshots that were taken before the promotion of the domain controller
• Do not host all virtual domain controllers on the same hypervisor
Lesson 3: Implementing Read-Only Domain Controllers
Considerations for Implementing RODCs
Managing RODC Credential Caching
Managing Local Administration for RODCs
Considerations for Implementing RODCs
• RODCs provide several important functions:
  • Credential caching
  • Administrative role separation
  • Read-only DNS
• To deploy an RODC:
  1. Ensure there is no computer account in AD DS for the new RODC
  2. Precreate the RODC account in AD DS in the Domain Controllers container
  3. Run the AD DS installation wizard on the new RODC
Managing RODC Credential Caching
• Credential caching is managed through Password Replication Policies
• Password Replication Policies:
  • Determine which credentials to cache on an RODC
    • User accounts
    • Computer accounts
  • Contain an allowed and denied list
    • Allowed RODC Password Replication Group
    • Denied RODC Password Replication Group
• Do not cache domain administrative accounts
Managing Local Administration for RODCs
• Delegate RODC administration to local administrators
• Set a single security principal as an administrator
  • User
  • Group
• Enable by using the following methods:
  • Managed By tab of RODC
  • dsmgmt
  • ntdsutil
• Cache the credentials of delegated administrators
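The RODC deployment steps, the Password Replication Policy lists and the "never cache administrative accounts" rule from the three slides above, as an added example that is not part of the course; the domain adatum.com, the site name Branch, the RODC name BRANCH-RODC1 and the group names are assumptions.

```powershell
# Added example, not from the course: stage a branch-office RODC and manage its
# Password Replication Policy. Domain, site, RODC and group names are hypothetical.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Rodc = 'BRANCH-RODC1'

# Steps 1 and 2: confirm no computer account exists, then pre-create the RODC account
# in the Domain Controllers container with its delegated administrator and PRP lists.
if (Get-ADComputer -Filter "Name -eq '$Rodc'") { throw "$Rodc already has a computer account" }

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $Rodc `
    -DomainName 'adatum.com' -SiteName 'Branch' `
    -DelegatedAdministratorAccountName 'ADATUM\Branch Admins' `
    -AllowPasswordReplicationAccountName 'Branch Users', 'Branch Computers' `
    -DenyPasswordReplicationAccountName 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
# Step 3: a delegated admin now runs Install-ADDSDomainController -UseExistingAccount
# on the branch server; no Domain Admins credentials are needed on site.

# Adjusting the PRP later: the allowed and denied lists live on the RODC computer object.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch Admins'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied | Format-Table Name

# Audit: list accounts whose secrets are actually cached on the RODC and flag any that
# belong to privileged groups, which the course says must never be cached.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$leaked   = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Privileged credentials are cached on ${Rodc}:"
    $leaked | Format-Table Name, DistinguishedName -AutoSize
    # Remediation: add them to the denied list and reset each password on a writeable
    # DC; the copy held by the RODC is then stale and no longer usable.
}
```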
Lesson 4: Administering AD DS
Overview of the Active Directory Administration Snap-ins
Overview of the Active Directory Administrative Center
Overview of the Active Directory Module for Windows PowerShell
Demonstration: Managing AD DS by Using Management Tools
Managing Operations Master Roles
Managing AD DS Backup and Recovery
Overview of the Active Directory Administration Snap-ins
• Active Directory administration snap-ins consist of four different MMC consoles:
  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts
  • Active Directory Schema
Overview of the Active Directory Administrative Center
• Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell
Overview of the Active Directory Module for Windows PowerShell
• The Active Directory module for Windows PowerShell provides full administrative functionality in these areas:
  • User management
  • Computer management
  • Group management
  • OU management
  • Password policy management
  • Searching and modifying objects
  • Forest and domain management
  • Domain controller and operations-masters management
  • Managed service account management
  • Site-replication management
  • Central access and claims management
Demonstration: Managing AD DS by Using Management Tools
• In this demonstration, you will see how to:
  • Create objects in Active Directory Users and Computers
  • View object attributes in Active Directory Users and Computers
  • Navigate within Active Directory Administrative Center
  • Perform an administrative task in Active Directory Administrative Center
  • Use the Windows PowerShell Viewer in Active Directory Administrative Center
  • Manage AD DS objects with Windows PowerShell
Managing Operations Master Roles
Operations Master Roles are assigned to the domain controller responsible for performing a specific task on the forest or domain
• Forest-wide Operations Master Roles
  • Domain Naming Master Role
  • Schema Master Role
• Domain-wide Operations Master Roles
  • RID Master Role
  • Infrastructure Master Role
  • PDC Emulator Role
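A report over the five operations master roles listed above, added here as an example that is not part of the course; it uses only the Active Directory module and checks one placement rule beyond the slide (an infrastructure master that is also a global catalog, in a multi-domain forest where not every DC is a GC). The DC name LON-DC2 in the commented transfer is an assumption.

```powershell
# Added example, not from the course: enumerate the five operations master roles,
# verify each holder answers, and flag the infrastructure master / global catalog conflict.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles  = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster        # forest-wide
        'Domain Naming Master'  = $forest.DomainNamingMaster  # forest-wide
        'PDC Emulator'          = $domain.PDCEmulator         # domain-wide
        'RID Master'            = $domain.RIDMaster           # domain-wide
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    # The infrastructure master only matters when some DCs in the domain are not GCs.
    $nonGcExists = [bool](Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc     = Get-ADDomainController -Identity $holder
        $note   = ''
        if ($role -eq 'Infrastructure Master' -and $dc.IsGlobalCatalog -and
            $forest.Domains.Count -gt 1 -and $nonGcExists) {
            $note = 'hosted on a GC while other DCs are not: cross-domain references will go stale'
        }
        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Online = Test-Connection -ComputerName $holder -Count 1 -Quiet
            Note   = $note
        }
    }
}

Get-OperationsMasterReport | Format-Table -AutoSize

# Planned move (transfer) of a role, for example before decommissioning its holder;
# seizing a role with ntdsutil is only for a holder that is permanently gone.
# Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' -OperationMasterRole PDCEmulator
```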
Managing AD DS Backup and Recovery
• Non-authoritative or normal restore
  • Restore domain controller to previously known good state
  • Domain controller will be updated by using standard replication from partners
• Authoritative restore
  • Restore domain controller to previously known good state
  • Mark objects that you want to be authoritative
  • Domain controller is updated from its up-to-date partners
  • Domain controller sends authoritative updates to its partners
• Full server restore
  • Typically performed in Windows Recovery Environment
• Alternate location restore
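The backup and the two restore types from the slide above as a runbook script, added here as an example and not part of the course; the restore half runs in Directory Services Restore Mode, so reboot points are marked, and the backup target E:, the backup version id and the OU DN are assumptions.

```powershell
# Added example, not from the course: system-state backup with wbadmin, then the
# non-authoritative and authoritative restore paths. Target E:, version id and OU DN
# are hypothetical; Windows Server Backup must be installed on the DC.

# --- Backup: run regularly on a writeable DC.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# --- Non-authoritative (normal) restore: boot into DSRM and restore the system state.
#     After the final reboot, replication partners overwrite anything newer than the backup.
bcdedit /set safeboot dsrepair
Restart-Computer -Force
# ... log on as .\Administrator with the DSRM password, then:
wbadmin get versions -backupTarget:E:                  # note a version id, e.g. 03/15/2013-21:30
wbadmin start systemstaterecovery -version:03/15/2013-21:30 -backupTarget:E: -quiet

# --- Authoritative restore: same steps, but BEFORE leaving DSRM mark the objects that
#     must win. ntdsutil raises their version numbers so the restored copies replicate
#     out to partners instead of being overwritten by them.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=adatum,DC=com" quit quit

# --- Back to normal mode; outbound replication now carries the marked objects.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# --- A full server restore is different: it runs from the Windows Recovery Environment
#     against a full backup, e.g.  wbadmin start sysrecovery -version:<id> -backupTarget:E:
```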
Lesson 5: Managing the AD DS Database
Understanding the AD DS Database
What Is NTDSUtil?
Understanding Restartable AD DS
Demonstration: Performing AD DS Database Maintenance
Creating AD DS Snapshots
Understanding How to Restore Deleted Objects
Configuring the Active Directory Recycle Bin
Understanding the AD DS Database
• The AD DS database holds all domain-based information in four partitions
Figure: the AD DS database on a domain controller, divided into the schema partition, the configuration partition, the domain partition, and optional application partitions.
What Is NTDSUtil?
With NTDSUtil you can:
• Manage and control single master operations
• Perform AD DS database maintenance
  • Perform offline defragmentation
  • Create and mount snapshots
  • Move database files
• Maintain domain controller metadata
• Reset Directory Services Restore Mode password
Understanding Restartable AD DS
• AD DS can be started or stopped by using the Services console
• AD DS can be in three states:
  • AD DS Started
  • AD DS Stopped
  • DSRM
• It is not possible to perform a system state restore while AD DS is in Stopped state
Demonstration: Performing AD DS Database Maintenance
In this demonstration, you will see how to:
• Stop AD DS
• Perform offline defragmentation of the AD DS database
• Check the integrity of the AD DS database
• Start AD DS
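The demonstration's four steps as one script that uses restartable AD DS instead of a DSRM reboot, added here as an example and not part of the course; it assumes the default database path C:\Windows\NTDS and a work folder C:\NTDSCompact on a volume with at least twice the free space of ntds.dit.

```powershell
# Added example, not from the course: stop AD DS, compact the database offline, check
# its integrity, start AD DS. Paths are hypothetical; ntdsutil's exit code is not
# reliable, so its output and the resulting file are checked instead.
$NtdsDir = 'C:\Windows\NTDS'
$Work    = 'C:\NTDSCompact'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Stop AD DS; -Force also stops dependent services (KDC, DNS Server, intersite messaging).
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }
$before = (Get-Item "$NtdsDir\ntds.dit").Length
Copy-Item "$NtdsDir\ntds.dit" "$Work\ntds.dit.bak"          # fallback copy

# 2. Offline defragmentation writes a compacted copy; the live file is not touched yet.
$out = ntdsutil "activate instance ntds" files "compact to $Work" quit quit
if (-not (Test-Path "$Work\ntds.dit")) { Start-Service NTDS; throw "Compaction failed:`n$out" }

# Swap the compacted database in and discard the transaction logs, as ntdsutil instructs.
Copy-Item "$Work\ntds.dit" "$NtdsDir\ntds.dit" -Force
Remove-Item "$NtdsDir\*.log"

# 3. Integrity check of the database now in place (the success line comes from esentutl).
$out = ntdsutil "activate instance ntds" files integrity quit quit
if (($out -join "`n") -notmatch 'Integrity check successful') {
    Copy-Item "$Work\ntds.dit.bak" "$NtdsDir\ntds.dit" -Force   # roll back to the original
    Start-Service NTDS
    throw "Integrity check failed, original database restored:`n$out"
}

# 4. Start AD DS again; restart dependents that -Force stopped if they do not come back
#    on their own (for example Start-Service Kdc, DNS).
Start-Service NTDS
$after = (Get-Item "$NtdsDir\ntds.dit").Length
"ntds.dit: {0:N0} bytes before, {1:N0} after compaction" -f $before, $after
```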
Creating AD DS Snapshots
• Create a snapshot of Active Directory
  • NTDSUtil
• Mount the snapshot to a unique port
  • NTDSUtil
• Expose the snapshot
  • Right-click the root node of Active Directory Users and Computers, and choose Connect to Domain Controller
  • Enter serverFQDN:port
• View (read-only) snapshot
  • Cannot directly restore data from the snapshot
• Recover data
  • Connect to the mounted snapshot, and export/reimport objects with LDIFDE
  • Restore a backup from the same date as the snapshot
  • Manually reenter data
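The snapshot workflow above end to end (create, mount, expose on a port, export with LDIFDE, unmount), added here as an example and not part of the course; the port 50000, the OU DN, the output file and the -o attribute list are assumptions.

```powershell
# Added example, not from the course: create an AD DS snapshot, mount it, expose it
# as a read-only LDAP instance with dsamain, export a subtree with ldifde, unmount.
# Port, OU and output path are hypothetical.
$Port   = 50000
$OutLdf = 'C:\snapshot-sales.ldf'

# 1. Create the snapshot (a shadow copy of the volume holding the database).
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. Mount the newest snapshot. "list all" prints one GUID per snapshot set and one per
#    volume; the last GUID is the volume entry of the most recent set.
$listing = ntdsutil snapshot "list all" quit quit
$guid    = ($listing | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' -AllMatches |
            ForEach-Object { $_.Matches.Value } | Select-Object -Last 1)
$mountOut = (ntdsutil snapshot "list all" "mount $guid" quit quit) -join "`n"
if ($mountOut -match 'mounted as (.+)') { $mountPath = $Matches[1].Trim() }
else { throw "Mount failed:`n$mountOut" }

# 3. Expose it: dsamain serves the mounted ntds.dit over LDAP on the chosen port.
#    It stays in the foreground, so start it as a separate process.
$db = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$db`" -ldapport $Port" -PassThru
Start-Sleep -Seconds 10
# Active Directory Users and Computers can now connect to <serverFQDN>:50000, as on the slide.

# 4. Recover data: read the snapshot copy of an OU with ldifde. System attributes are
#    omitted (-o, non-exhaustive) so the file can be re-imported with "ldifde -i" on a live DC.
ldifde -f $OutLdf -s localhost -t $Port -d 'OU=Sales,DC=adatum,DC=com' -p subtree `
       -r '(objectClass=user)' `
       -o objectGUID,objectSid,samAccountType,pwdLastSet,uSNCreated,uSNChanged,whenCreated,whenChanged,lastLogon,badPwdCount,logonCount

# 5. Clean up: stop dsamain, then unmount the snapshot (it stays available for remounting).
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount $guid" quit quit
```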
Understanding How to Restore Deleted Objects
• Deleted objects are recovered through tombstone reanimation
• When an object is deleted, most of its attributes are cleared
• Authoritative restore requires AD DS downtime
Figure: object lifecycle. Delete moves an object from Live to Tombstoned; garbage collection moves it from Tombstoned to Physically deleted; reanimating the tombstone or an authoritative restore returns it from Tombstoned to Live.
Configuring the Active Directory Recycle Bin
• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
• Uses Windows PowerShell with Active Directory Module or the Active Directory Administrative Center to restore objects
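Enabling the Recycle Bin and restoring a deleted OU together with its children online, which is the downtime-free alternative to the tombstone reanimation and authoritative restore described on the previous slide; added here as an example and not part of the course, with the forest adatum.com and the OU name Sales as assumptions.

```powershell
# Added example, not from the course: enable the Recycle Bin, then restore a deleted OU
# and everything beneath it without stopping AD DS. Forest and OU name are hypothetical.
Import-Module ActiveDirectory

# Enabling is a one-way, forest-wide change (forest functional level 2008 R2 or later).
$forest = Get-ADForest
if (-not (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$Deleted,
          [string]$TargetPath)
    # Restore the object itself; with the Recycle Bin on, its attributes (including the
    # links a classic tombstone would have lost) come back with it.
    $restored = if ($TargetPath) {
        Restore-ADObject -Identity $Deleted.ObjectGUID -TargetPath $TargetPath -PassThru
    } else {
        Restore-ADObject -Identity $Deleted.ObjectGUID -PassThru
    }
    # Then its former children: match lastKnownParent against the deleted or the restored
    # parent DN and place each child explicitly under the restored parent, recursively.
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -in $Deleted.DistinguishedName, $restored.DistinguishedName } |
        ForEach-Object { Restore-DeletedSubtree -Deleted $_ -TargetPath $restored.DistinguishedName }
    $restored
}

# Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the name prefix and
# take the most recently deleted OU called Sales.
$ou = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
      Where-Object { $_.Name -like "Sales`nDEL:*" } | Sort-Object whenChanged | Select-Object -Last 1
if (-not $ou) { throw 'No deleted OU named Sales is in the Recycle Bin' }

Restore-DeletedSubtree -Deleted $ou | Select-Object Name, DistinguishedName
```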
Lab: Maintaining AD DS
Exercise 1: Installing and Configuring a RODC
Exercise 2: Configuring AD DS Snapshots
Exercise 3: Configuring the Active Directory Recycle Bin
Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes
Lab Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and data center in London supports the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is making several organizational changes that require modifications to the AD DS infrastructure. A new location requires a secure method of providing onsite AD DS, and you have been asked to extend the capabilities of Active Directory Recycle Bin to the entire organization.
Review Questions
• Which AD DS objects should have their credentials cached on an RODC located in a remote location?
• What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?
Module Review and Takeaways
Review Questions
Tools
Best Practice