Active Directory is a system which offers centralized control of your computers. This video looks at what Active Directory is and why you would use it. The video explains the difference between a workgroup and a domain so you can better understand when you would want to deploy Active Directory.
Terminology used in the video
A workgroup is a network setup in which each computer on the network keeps its own store of user names and passwords. In order to access another computer on the network, you need to know a username and password on that computer. This does not scale well. The user will be prompted for a username and password when he or she accesses another computer when the passwords are not in sync.
HomeGroup is available only when every computer on the network is running Windows 7. It provides a simple way to share files and printers: Windows 7 computers are grouped together and share each other's resources using a single shared password.
A domain is a logical group of computers that share the same Active Directory database. A domain allows you to manage a group of computers rather than one by one. This is done through the central use of usernames and passwords and the configuration of computers using group policy.
A Domain Controller is a Windows Server that has had the Active Directory Domain Services role configured on it through a process called promotion. A writable Domain Controller holds a writable copy of the Active Directory database (a Read Only Domain Controller, new in Windows Server 2008, holds a read-only copy). Each domain has at least one Domain Controller, but more should be added for redundancy.
Active Directory Database
Active Directory uses a database to hold objects such as users and settings. The database uses multi-master replication, so there can be multiple copies stored in multiple locations around the world, and each of these copies is writable. Active Directory resolves replication conflicts automatically, in practice with a last writer wins rule: when the same attribute has been changed on two Domain Controllers, the change with the higher version number is kept, and if the versions are equal the change with the later timestamp wins. The latest update of an object is therefore the one that survives.
Active Directory supports multiple domains to be linked together by using a trust. Each domain has a separate Active Directory database but resources can be shared between the different domains.
This video explores the new features found in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2008 R2 Service Pack 1. One of the biggest changes in Windows Server 2008 is that it is very modular: you customize it by adding or removing roles and features from the operating system.
Windows Server 2008 R2 Service Pack 1 New Features
Dynamic memory for Hyper-V
Windows Server 2008 R2 New Features
BranchCache (Requires Windows 7 client)
DirectAccess (Requires Windows 7 client)
Active Directory recycle bin
Starter Group Policies
Windows Server 2008 Active Directory New Features
Active Directory Certificate Services
Active Directory Lightweight Directory Services (AD LDS), formerly Active Directory Application Mode (ADAM)
Active Directory Federation Services
Active Directory Rights Management
Read Only Domain Controllers
Active Directory is now restartable
Granular password Policy
Active Directory database snapshots
Windows Server 2008 Non Active Directory New Features
Self healing NTFS
Parallel session creation for Terminal Services
Clean server shutdown
Active Directory utilizes two main standards. These are the X.500 standard and LDAP. This video looks at how the X.500 standard is used to store the Active Directory objects in the database. It also looks at how LDAP is used to access this data and the formatting LDAP uses.
The Active Directory database is stored by default in C:\Windows\NTDS\ntds.dit. The file itself is an Extensible Storage Engine (ESE) database; the directory it holds is organised according to the X.500 model. Active Directory was originally called NT Directory Services, and this is where the file got its name. Because ntds.dit contains the password hashes of every account in the domain, any copy of it (backups, VSS snapshots, virtual disk images) must be protected as carefully as the Domain Controller itself.
Each domain in Active Directory will have a separate database. Domain Controllers hold the copy of the database in the ntds.dit file and replicate changes to each other. If you have more than one domain, then each separate domain will have its own copy of the ntds.dit file.
In order to organize objects in Active Directory more easily, objects in Active Directory can be organized into Organization Units, also known as OUs. These OUs are like folders on your hard disk.
An LDAP distinguished name lists the most specific component first (the object itself) and works outward, ending with the domain. This is the opposite of a file path, which starts at the root. The general form looks like this example: CN=Joe, OU=Users, DC=ITFreeTraining, DC=Com. A name that identifies exactly one object in the directory, as this one does, is called the distinguished name (DN).
Common Name (CN)
This is the name of the object in Active Directory that you want to access (CN stands for common name; the canonical name is the root-first form of the same path, e.g. ITFreeTraining.com/Users/Joe). For example, if you wanted to access a user called Joe, you would use CN=Joe.
Organization Unit (OU)
Organizational units in Active Directory are used to sort objects into different areas or folders. With nested OUs, start with the OU that directly contains the object and work up towards the domain. For example, if a user was in Users\Accounts\Payable (reading from the top down), the DN would contain OU=Payable, OU=Accounts, OU=Users.
Domain Component (DC)
This is the domain in which the object is located. For example DC=ITFreeTraining, DC=com.
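As an added example (not code from the video), the following PowerShell function splits a distinguished name into its components and rebuilds it as the root-first canonical name, which makes the ordering rule concrete: for CN=Joe,OU=Payable,OU=Accounts,OU=Users,DC=ITFreeTraining,DC=com it produces ITFreeTraining.com/Users/Accounts/Payable/Joe. The input DNs are constructed and the Payable OU nesting is assumed.

```powershell
# Added example, not from the video: parse an LDAP distinguished name into its
# RDNs and rebuild it as a root-first canonical name. Handles the RFC 4514
# escape that matters most in practice, a backslash-escaped comma in a value.
function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)

    # Split only on commas that are not preceded by a backslash.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')

    $rdns = @()
    foreach ($part in $parts) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -ne 2) { throw "Malformed RDN: '$part'" }
        $rdns += New-Object PSObject -Property @{
            Type  = $kv[0].Trim().ToUpperInvariant()
            Value = ($kv[1].Trim() -replace '\\(.)', '$1')   # drop escape backslashes
        }
    }

    # The DN reads leaf first: RDN[0] is the object, the OU/CN containers follow
    # from the innermost outward, and the DC components at the end name the domain.
    $domainParts = @($rdns | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value })
    $containers  = @($rdns | Where-Object { $_.Type -ne 'DC' })
    if ($domainParts.Count -eq 0 -or $containers.Count -eq 0) {
        throw 'A DN needs at least one DC component and one non-DC component'
    }

    # Canonical form is root first, so reverse the containers above the leaf.
    $pathAboveLeaf = @($containers | Select-Object -Skip 1 | ForEach-Object { $_.Value })
    [array]::Reverse($pathAboveLeaf)

    New-Object PSObject -Property @{
        Leaf      = $containers[0].Value
        Domain    = ($domainParts -join '.')
        Canonical = (($domainParts -join '.') + '/' + (@($pathAboveLeaf + $containers[0].Value) -join '/'))
    }
}

# Constructed inputs in the video's naming scheme; the Payable OU nesting is assumed.
ConvertFrom-DistinguishedName 'CN=Joe,OU=Payable,OU=Accounts,OU=Users,DC=ITFreeTraining,DC=com'
# A value containing a comma must be escaped in the DN; the parser unescapes it.
ConvertFrom-DistinguishedName 'CN=Smith\, Joe,OU=Users,DC=ITFreeTraining,DC=com'
```

The second call shows why a naive split on commas is not enough: display names such as "Smith, Joe" appear in real DNs and would otherwise be cut into two bogus components.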
Active Directory has forests and trees which are ways of representing multiple domains. This video looks at how domains sharing the same namespace are considered a tree. Domains in separate namespaces are considered separate trees in the same forest.
When you have multiple domains in the same namespace (e.g., ITFreeTraining.com, west.ITFreeTraining.com, and sales.ITFreeTraining.com), they are considered to be in the same tree. The tree also supports multiple levels of domains. For example, you could have west.sales.ITFreeTraining.com and east.ITFreeTraining.com in the same tree.
A forest is a collection of one or more domains which may have one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what and how Active Directory objects are stored. The schema defines the database for the whole forest but it should be remembered that each domain in the forest has its own copy of the database based on the schema.
Parent and child domains are automatically linked by a trust. Users in different domains can use these trusts to access resources in another domain assuming that they have access. Trees in the forest are linked together via a trust automatically. This ensures that any users in any domain in the forest can access any resource in the forest to which they have access.
In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers. A Global Catalog Server contains partial information about every object in the forest. Using this information, the user can conduct searches.
Before you deploy Active Directory in your organization you should ensure that the server hardware that you are using meets the minimum requirements to run Active Directory. This video looks at the hardware requirements needed by Active Directory to run in your organization.
Listed below are the minimum requirements. Whenever possible you should try to exceed these values as the minimum values will not give you the best Windows experience. To ensure you have enough room for the Active Directory database and room to expand, you should have at least a 100GB hard disk.
64-bit hardware, Windows Server 2008/R2
1.4 GHz CPU (1.3 GHz dual core on Windows Server 2008 R2)
512MB RAM (2GB recommended)
64GB hard disk space
32-bit hardware, Windows Server 2008
512MB RAM (2GB recommended)
32GB hard disk space
32-bit is not supported for Windows Server 2008 R2
Active Directory also requires a DNS infrastructure to work. Clients and other Domain Controllers locate Domain Controllers through the SRV records that the Netlogon service registers (for example _ldap._tcp.dc._msdcs.<domain>), so those records must exist and be resolvable from every client.
To install Active Directory you need to promote your first server to a Domain Controller. This video looks at the process of using DCPromo as well as the prerequisites required. The video also discusses DNS requirements for Active Directory. DNS is required by Active Directory in order to operate.
Demo Network Setup 01:49
Demo DCPromo 04:47
Server must have an IPv4 and/or IPv6 static address.
DNS infrastructure (either Microsoft or 3rd party).
Microsoft DNS can be installed when promoting the server.
If you install DNS during the install, set the DNS server to 127.0.0.1
The Active Directory Domain Services role needs to be installed in order for the server to be promoted to a Domain Controller. This can be done through the server manager or when using DCPromo.
When you are ready to promote your server to a Domain Controller, run the command DCPromo. This will install the Active Directory binaries if required and run the wizard. If you already have an existing forest you can choose to add this server to an existing forest. If you do not have any Domain Controllers on your network you need to create a new forest.
The forest and domain functional levels affect only Domain Controllers. The domain functional level will determine which Domain Controller you can add to that domain. For example, if the domain functional level was set to Windows Server 2003, you would only be able to have Windows Server 2003 Domain Controllers and above in the domain. The forest level affects which domain levels you can have. If the forest level was set to Windows Server 2008, then only domains that have a functional level of Windows Server 2008 could be added to the forest. The higher the forest and domain levels, the more features of Active Directory that are available. If you are not sure what levels to configure, set the forest and domain functional levels low. You can always raise the functional levels but you can’t lower them.
The wizard will ask you for a Directory Services Restore Mode (DSRM) password. This is the password of the local administrator account that is used when the Domain Controller is booted into DSRM, for example to restore Active Directory from a backup; it is not used for day to day activities. Treat it like a Domain Admin password: anyone who knows it and can boot the server into DSRM has full access to the Active Directory database.
Once the server has been promoted to a Domain Controller, the local users and groups are no longer available: a Domain Controller has no local accounts apart from the DSRM administrator. If you need to configure access to a resource on the server (for example, you need to share a folder), you will need to use a domain user or group.
This video looks at promoting a server running Windows Server 2008 R2 Core to a Domain Controller using the command line. This covers using an answer file and also using the command line only. The core edition of Windows Server is a scaled down version of Windows Server with very limited GUI options.
For a GUI interface for Server Core, check out Core Configurator.
This free open source product is great for quickly configuring Server Core and even supports promoting the server to a Domain Controller. Microsoft will not test you on this product, so for the exam you should understand the command line tools demonstrated in this video. For the everyday administrator of Server Core, this product is a life saver.
The advantages of running Server Core are as follows:
Smaller attack surface due to less software running
Less CPU and memory used
Fewer updates required
The disadvantage of Server Core is that it is harder to administer because it only comes with the command prompt. Server Core does support the remote administration tools, and you can also use the Core Configurator mentioned above for some basic GUI admin tools to help initially configure Server Core.
Commands used in this video to configure the networking 02:04
netdom renamecomputer localhost /NewName:dc2
netsh interface IPv4 show interfaces
netsh interface IPv4 set address name=21 source=static address=192.168.1.2 mask=255.255.255.0 gateway=192.168.1.1
(The index of 21 listed above was obtained from the show interfaces command)
netsh interface IPv6 set address interface=21 address=fd00:0:0:1::2
netsh interface IPv4 add dnsserver name=21 address=192.168.1.1 index=1
netsh interface IPv4 add dnsserver name=21 address=127.0.0.1 index=2
oclist | more
start /w ocsetup DNS-Server-Core-Role
shutdown /r /t 0
ipconfig /all | more
Commands used to promote the server using an answer file 09:23
Net use * \\dc1\it
copy z:\dc1.txt c:\dc2.txt
Command line only 12:45
dcpromo /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:ITFreeTraining.local /ConfirmGC:yes /UserDomain:ITFreeTraining.local /UserName:administrator /Password:P@ssw0rd
(Parameter values are separated from the switch by a colon. Prefer /Password:* so that dcpromo prompts for the password; a password typed on the command line is visible to anyone who can list the command lines of running processes.)
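As an added example (not the dc1.txt answer file from the video, whose contents are not shown), this is the shape of an unattended dcpromo answer file that adds a replica Domain Controller to an existing domain; it is run with dcpromo /unattend:C:\dc2.txt. The domain name, site name and paths are assumed values.

```ini
; Added example, not the answer file used in the video. Values are assumed.
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=ITFreeTraining.local
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=ITFreeTraining.local
UserName=administrator
; * makes dcpromo prompt for the domain credential instead of storing it here
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; The DSRM password has no prompt in an unattended run and sits here in clear text
SafeModeAdminPassword=ReplaceWithDsrmPassword
RebootOnCompletion=Yes
```

Because the DSRM password is stored in clear text, delete the answer file as soon as the promotion completes and do not leave copies on the share it was pulled from; the same applies to the dc1.txt copied over the network in the demo.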
Global Catalog Servers contain a partial replica for every object in Active Directory. A Global Catalog Server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog Server. This video looks at how to remove or make a Domain Controller into a Global Catalog Server and also the reasons why and where you should put Global Catalog Servers.
Global Catalog Servers are used to find objects in any domain in the forest but it should be remembered that this does not give the user access to that object. Unless the user has the correct permissions they will not be able to access resources in other domains.
Global Catalog Servers also contain information about groups that span across domains and services that work at the forest level.
How to change a Domain Controller to a Global Catalog Server 04:18
Use the Active Directory Users and Computers admin tool to navigate to the computer account for your Domain Controller. By default this will be located in the Domain Controllers OU.
Open the properties for the Domain Controller and click the NTDS Settings button.
Select or deselect the Global Catalog tickbox. Windows will do the rest.
Reasons to deploy Global Catalog Servers
Domain Controllers generate a security token for a user when they first log on. If the user is in a group that spans multiple domains (a universal group), that Domain Controller will need to contact a Global Catalog Server to get information about that group.
If a user logs on using a User Principal Name (UPN), that is, a user name in the form username@domainname, the Domain Controller must query a Global Catalog Server to find which domain holds the account before the logon completes.
Global Catalog Servers work as an index to the forest. If you perform any searches on the forest you will need to contact a Global Catalog Server.
Microsoft recommends that any site connected over a Wide Area Network have a Global Catalog Server deployed at that location. This ensures that users can log on if the Wide Area Network is down. In order for a computer to contact a Global Catalog Server, ports 389 (LDAP) and 3268 (Global Catalog) need to be open between the client and the server, plus 636 and 3269 if LDAP over SSL is used. If these ports are blocked, the user will not be able to use the remote Global Catalog Server.
Some software requires a Global Catalog Server in order to run. Exchange is a big user of the Global Catalog Server. If you have a decent amount of Exchange users on your network, you should consider deploying a Global Catalog Server close to these users.
Reasons not to deploy a Global Catalog Server
Global Catalog Servers put more load on the server in the form of searches and lookups from the client.
Global Catalogs need to keep their index up to date. This requires more network bandwidth.
A Global Catalog Server needs additional hard disk space on the Domain Controller to hold the partial replica of every other domain in the forest.
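As an added example (not from the video), this PowerShell script checks, from a client's point of view, the two things the DNS requirements and the Global Catalog port list above depend on: that the DC locator SRV records resolve, and that the LDAP and Global Catalog ports are reachable on a given server. The $domain and $gcHost values are assumed and should be replaced with your own.

```powershell
# Added example, not from the video: verify that Domain Controllers and Global
# Catalog Servers can be located through DNS and reached on the ports they use.
$domain = 'ITFreeTraining.local'        # assumed
$gcHost = 'dc1.ITFreeTraining.local'    # assumed

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The DC locator finds Domain Controllers and Global Catalog Servers through
# SRV records; nslookup prints one "svr hostname = <fqdn>" line per record.
function Get-SrvTargets {
    param([string]$Name)
    $targets = @()
    foreach ($line in (nslookup -type=SRV $Name 2>$null)) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
    }
    $targets
}

foreach ($record in "_ldap._tcp.dc._msdcs.$domain", "_gc._tcp.$domain") {
    $found = @(Get-SrvTargets $record)
    if ($found.Count -eq 0) {
        Write-Warning "No SRV record for $record; clients cannot locate a DC or GC this way"
    } else {
        "$record -> $($found -join ', ')"
    }
}

$ports = @{ 389 = 'LDAP'; 636 = 'LDAP over SSL'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog over SSL' }
foreach ($port in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -ComputerName $gcHost -Port $port) { 'open' } else { 'BLOCKED' }
    '{0,-24} {1,5}  {2}' -f $ports[$port], $port, $state
}
```

Run it from a workstation at the remote site rather than on the Domain Controller itself: a firewall between the sites that allows 389 but not 3268 produces exactly the symptom the text describes, users who can bind to LDAP but cannot complete a UPN logon or a forest-wide search.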
Active Directory has five operations master roles otherwise known as FSMO roles. These roles are assigned to one Domain Controller to ensure changes happen in only one location at a time. This ensures that the Active Directory database is kept consistent. This video goes through the five operations master roles. At the forest level, there is the Schema Master and Domain Naming Master. At the domain level, the 3 other operational roles are Infrastructure Master, PDC Emulator and RID Master.
Schema Master 01:32
Domain Naming Master 03:01
RID Master 03:53
PDC Emulator 07:06
Infrastructure Master 11:03
Schema Master (Forest Wide)
The Schema Master determines the structure and thus what can be stored in Active Directory. It contains details of every object that can be created and the attributes for that object. For example, if you want to add an attribute to every user in the forest (such as a field with the user’s pay grade in it), you would add an attribute to the schema to accommodate this change. It is important to think carefully before making changes to the schema as changes to the schema can’t be reversed but they can be disabled. If you want to test changes to the schema, create a new forest and make your changes there so the production environment is not affected.
Domain Naming Master (Forest Wide)
The Domain Naming Master is responsible for ensuring that two domains in the forest do not have the same name.
Relative ID Master (RID Master)
This master role allocates RID pools. A RID is a sequential number that is added to the end of a SID. A SID, or security identifier, is required for every Active Directory object. An example of a SID is shown here:
The RID is the last part of the SID, in this case 1340. The RID Master allocates a pool or block of RIDs to a Domain Controller. The Domain Controller uses the RID pool when Active Directory objects are created. The Domain Controller will request a new RID pool before it runs out. However, keep in mind that if you create a lot of Active Directory objects at once, the RID Master will need to be online to allocate new RID pools. If the Domain Controller runs out of RIDs and can’t contact the RID Master, no objects in Active Directory can be created on that Domain Controller.
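As an added example (not from the video), this PowerShell function splits a SID into its domain SID and RID and flags the well-known RIDs that identify privileged principals regardless of what the account has been renamed to. The sample SIDs are constructed; the first one ends in the RID 1340 mentioned above.

```powershell
# Added example, not from the video: split a SID into domain SID and RID and
# recognise the well-known RIDs. Sample SIDs below are constructed.
$wellKnownRids = @{
    500 = 'Administrator (built-in; keeps RID 500 even when renamed)'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    544 = 'Administrators (BUILTIN, S-1-5-32-544)'
}

function Split-Sid {
    param([Parameter(Mandatory=$true)][string]$Sid)
    # The constructor validates the format; a malformed SID throws here.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid = [int]($Sid.Split('-')[-1])
    $domainSid = $sidObj.AccountDomainSid   # $null for non-domain SIDs such as S-1-5-32-544
    New-Object PSObject -Property @{
        Sid       = $sidObj.Value
        DomainSid = $(if ($domainSid) { $domainSid.Value } else { $null })
        Rid       = $rid
        WellKnown = $wellKnownRids[$rid]
        FromPool  = ($rid -ge 1000)   # RIDs below 1000 are reserved; pool-allocated RIDs start at 1000
    }
}

# Objects created on any Domain Controller of the domain share the domain SID;
# only the RID differs, and a renamed Administrator is still recognisable by RID 500.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1340'
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-500'
Split-Sid 'S-1-5-32-544'
```

The FromPool flag is the practical link to the RID Master: every object with a RID of 1000 or higher consumed one entry from the pool the RID Master handed to the creating Domain Controller, which is why bulk creation scripts are what exhaust a pool.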
PDC (Primary Domain Controller) Emulator
Originally the PDC Emulator provided a bridge between Windows NT4 Domain Controllers and Windows Server 2000 Domain Controllers. Even if you do not have any NT4 Domain Controllers on your network, it still provides some services.
The PDC Emulator forms the root of the time sync hierarchy in your domain. All other Domain Controllers will sync their time from this Domain Controller. Your clients and servers will in turn sync their time from their local Domain Controller. You should configure the PDC to sync its time from an external time source to ensure that it is accurate.
When a user enters in a wrong password, the PDC Emulator may be contacted to find out if this password is in fact an updated password. Password changes are replicated to the PDC Emulator first and thus it is considered the final authority on correct and incorrect passwords.
The PDC Emulator is contacted when changes to DFS (Distributed File System) are made. This can be switched off if the load on the PDC Emulator becomes too great.
The Infrastructure Master is responsible for keeping references to objects in other domains (for example, a user from another domain who is a member of a local group) up to date and consistent. In a single domain there is nothing for it to do. In a multiple domain environment it compares its references against a Global Catalog, so the Domain Controller holding the role must not itself be a Global Catalog Server unless every Domain Controller in the domain is one: a Global Catalog holder never sees a stale reference and therefore never updates the other Domain Controllers. This is usually phrased as a rule for Windows Server 2000/2003 Domain Controllers, but it is the Global Catalog placement that matters. It stops mattering once all Domain Controllers are Global Catalog Servers, or once the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 forest functional level), because the Recycle Bin makes every Domain Controller responsible for updating these references itself.
Active Directory has 5 operations master roles. These roles can be moved from Domain Controller to Domain Controller. Two are at the forest level and three are at the domain level. This video looks at how to move these operations roles from one Domain Controller to another.
How To Points
The 3 operations roles at the domain level are PDC Emulator, RID Master and Infrastructure Master.
These can be transferred using Active Directory Users and Computers: connect the console to the Domain Controller that should receive the role, right-click the domain and select Operations Masters.
The 2 forest wide operations roles are Schema Master and Domain Naming Master.
To move the Schema Master role, first register the schema snap-in by running Regsvr32 schmmgmt.dll, then open an MMC, add the Active Directory Schema snap-in, right-click it and choose Operations Master.
To move the Domain Naming Master role, run Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and choose Operations Master.
In Active Directory there are five operations master roles known as FSMO roles. This video looks at which Domain Controllers you should put these roles on and also which Domain Controllers you should make into Global Catalog Servers.
There are five operations master roles. The Schema and Domain Naming Masters are forest wide, so there will be only one of each regardless of how many domains you have in your forest. The PDC Emulator, RID Master and Infrastructure Master are domain wide, so there will always be 3 operations master roles per domain, one of each. When considering where to put the operations master roles, consider the availability of the role and what effect losing it during an outage will have on your network.
Schema Master (Forest wide)
The Schema Master is generally found in the root domain in a multiple domain environment. On most networks it will not be used that often. For this reason availability is not a big issue so for ease of administration it will often be put on the same Domain Controller that has the Domain Naming Master. The Schema Master operations master role is not affected whether the Domain Controller is a Global Catalog Server or not.
Domain Naming Master (Forest wide)
The Domain Naming Master is required when domains are added or removed from the forest. It does require Global Catalog calls when domains are added or removed. For this reason it is recommended to make it a Global Catalog Server. However, this will not affect operations if it is not.
The PDC Emulator has the final say on authentication. For this reason the PDC Emulator will generally be placed on the network with the most users. The PDC Emulator can be made a Global Catalog Server; however, administrators will often remove the Global Catalog from the PDC Emulator if performance on the PDC Emulator becomes a problem.
The RID Master allocates blocks of RIDs. For this reason it does not have to be on the fastest Domain Controller or on the fastest link. Domain Controllers will request RIDs before they run out. The PDC Emulator generally uses more RIDs than other Domain Controllers on the network and thus a lot of administrators will place the RID operations master role on the same Domain Controller that is holding the PDC Emulator. Whether the Domain Controller is a Global Catalog Server or not does not affect the operation of the RID Master.
The Infrastructure Master role tracks references to objects in other domains. In a single domain network the role is not that important; in a multi-domain environment it matters, and whether its Domain Controller is a Global Catalog Server affects its ability to keep cross-domain references up to date.
Unless every Domain Controller in the domain is a Global Catalog Server, the Infrastructure Master must not be one, or cross-domain references will stop being updated. The common rule of thumb ties this to Windows Server 2000/2003 Domain Controllers, but it is the Global Catalog placement that matters: once all Domain Controllers are Global Catalog Servers, or the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 forest functional level), it does not matter where the role sits.
Disadvantages of making a Domain Controller a Global Catalog Server
Making a Domain Controller a Global Catalog Server will increase the amount of hard disk space that it requires and also the amount of network bandwidth that it will use. Nowadays it is not as big of a concern as it was when Windows Server 2000 came out. Global Catalog Servers are also used by clients to perform searches and to look up objects. This can increase the load on the Domain Controller.
Active Directory has five operational master roles that can be transferred from domain controller to domain controller as required. In some cases the role may not be able to be transferred; for example, if the hardware on the domain controller was to fail, a transfer cannot be made. When this occurs, the operational master role must be seized. This video looks at how to seize an operational master role, clean up the Active Directory database afterwards, and recover a server that has had an operational master role seized.
Demo seizing the role 04:40
Demo cleaning up the Active Directory database 08:55
Demo removing Active Directory from a recovered server 14:04
What is an operational master role?
See our operational master role video for more information.
Impact of missing operational master role
Seizing an operational master role from a failed server is a drastic step. Once complete, that Domain Controller cannot be brought back onto the network without first removing Active Directory from it. Before seizing the operational master role, consider the effect the missing role will have, as listed below.
Schema Master: If this role is missing then changes cannot be made to the Active Directory schema. The schema defines the design of the Active Directory database. If you are not planning on making changes to the structure of the Active Directory database this role could be offline indefinitely.
Domain Naming Master: This is required when adding or removing domains. If you are not adding or removing domains the Domain Naming Master could be offline indefinitely.
Relative ID Master: Otherwise known as the RID Master, it allocates RIDs to Domain Controllers, which use them to create Active Directory objects. Without RIDs, Domain Controllers cannot create new objects. RIDs are allocated in pools, so a Domain Controller will not run out quickly unless a lot of Active Directory objects are created at once.
PDC Emulator: The PDC Emulator is considered the final authority on password authentication. If it is down, a user may experience problems logging in just after a password change, and the domain's time synchronisation hierarchy loses its root. A short outage should not be a problem, but it is recommended to recover the Domain Controller holding the PDC Emulator quickly if it fails.
Infrastructure Master: In a single-domain forest, a missing Infrastructure Master will not cause any problems. In a multiple domain environment it causes problems only if not every Domain Controller is a Global Catalog Server; in that case, references to objects in other domains may not be updated correctly when those objects are renamed or moved.
Seizing a role
Seizing a role is considered a last resort and once completed the domain controller that was holding that operational master role will not be able to be started back up on the network again. A domain controller that can have an operational master role transferred or seized is often referred to as a standby operational master.
In order to seize an operational master role, run NTDSUtil from the command prompt on the Domain Controller that will take over the role. Once inside the tool, run the following commands. The seize command first attempts a normal transfer and only seizes if the current holder cannot be contacted.
roles
connections
connect to server (Domain Controller the role will be seized by)
quit
seize PDC | seize RID master | seize schema master | seize infrastructure master | seize naming master
Removing Domain Controller Configuration
Once you seize the operational master role, the configuration data (metadata) for the failed Domain Controller still exists in Active Directory. It can be removed by performing the following steps.
Run NTDSUtil from the command prompt
metadata cleanup
connections
connect to server (any working Domain Controller)
quit
select operation target
list domains
select domain (your domain number shown in list domains)
list sites
select site (your site number shown in list sites)
list servers in site
select server (your server number shown in list servers in site)
quit
remove selected server
Run Active Directory Sites and Services from administrative tools
Find the server object for your failed Domain Controller under its site. After the metadata cleanup it should no longer have an NTDS Settings object or a domain listed next to its name. Delete the server object.
Reusing a failed server
If you have seized an operational master role from a domain controller and later recover the domain controller, Active Directory will need to be removed from the domain controller before it can be added and reused on the domain. This can be done with the following steps.
Make sure the server is not connected to the network.
From the command line run DCPromo /ForceRemoval
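As an added example (not from the video), this PowerShell script is the check to run after any of the transfers or seizures described in this and the previous section: it lists the five role holders, confirms each one still answers LDAP (a seized role that still points at the dead server shows up here as unreachable), and applies the Infrastructure Master / Global Catalog placement rule. It needs the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT; the cmdlet and property names are the module's own.

```powershell
# Added example, not from the video: show the operations master holders, test
# that each holder responds over LDAP, and check Infrastructure Master placement.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $roles  = @(
        @{ Scope = 'forest'; Role = 'Schema Master';         Holder = $forest.SchemaMaster },
        @{ Scope = 'forest'; Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster },
        @{ Scope = 'domain'; Role = 'PDC Emulator';          Holder = $dom.PDCEmulator },
        @{ Scope = 'domain'; Role = 'RID Master';            Holder = $dom.RIDMaster },
        @{ Scope = 'domain'; Role = 'Infrastructure Master'; Holder = $dom.InfrastructureMaster }
    )
    foreach ($r in $roles) {
        $reachable = $false
        try {
            # Read rootDSE from the holder itself over LDAP. This fails if the server
            # is down, or if the role still names a server that has been seized from.
            $null = Get-ADRootDSE -Server $r.Holder -ErrorAction Stop
            $reachable = $true
        } catch { }
        New-Object PSObject -Property @{
            Scope = $r.Scope; Role = $r.Role; Holder = $r.Holder; Reachable = $reachable
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Current domain only: the rule is per domain.
    $dom = Get-ADDomain
    $dcs = @(Get-ADDomainController -Filter *)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $im  = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    if ($gcs.Count -eq $dcs.Count) {
        'Every DC is a Global Catalog Server; Infrastructure Master placement does not matter'
    } elseif ($im -and $im.IsGlobalCatalog) {
        Write-Warning "Infrastructure Master $($im.HostName) is a Global Catalog Server while other DCs are not; cross-domain references will go stale"
    } else {
        'Infrastructure Master is not a Global Catalog Server; placement is fine'
    }
}

Get-FsmoRoleStatus | Format-Table Scope, Role, Holder, Reachable -AutoSize
Test-InfrastructureMasterPlacement
```

A holder that reports Reachable = False after a seizure means the seizure did not replicate to the Domain Controller you queried yet, or the metadata cleanup was skipped; either way, do not bring the old server back online until the output shows the live holder.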
In any environment you need to ensure that the time and date on your computers is set correctly. If the time drifts too far from the correct time, this can cause problems logging in to the network and cause time sensitive authentication systems to fail. This video looks at keeping computers in your domain up to date and configuring your computers to use a reliable external time source.
All computers have a battery on the motherboard that keeps the internal clock running even when the computer is unplugged. That clock drifts over time. If clocks get out of sync with the correct time, this affects authentication systems: Kerberos tickets carry timestamps, and if a client's clock differs from the Domain Controller's by more than the allowed skew (5 minutes by default), freshly issued tickets are rejected and logons fail.
When you have computers in a domain, Windows will use a hierarchy approach to ensure that all the times for the computers in the domain are up to date. The root of the hierarchy is the domain controller that is holding the PDC operational master role. This domain controller should have a reliable clock installed in it and/or synced off an external time source. This will ensure that all computers that sync their time from the PDC emulator will have the correct time. If the time is set incorrectly on the PDC emulator, all of the internal clocks of the computers in the domain eventually will be synced to this incorrect time. For this reason it is important to ensure that the domain controller with the PDC emulator role always has the correct time.
Below the PDC emulator in the time hierarchy are all the domain controllers. The domain controllers are responsible for making sure all other computers on the network have the correct time. This includes clients and other servers in the domain known as member servers.
If you have a network with multiple domains, the child domains should sync their time from the parent domain. The domain controller holding the PDC emulator operational master role in each child domain should be configured to sync their time from the closest domain controller in the parent domain. The PDC emulator in the child domain does not need to sync its time from the PDC emulator in the parent domain; however, it can do so if required.
Syncing the time from an external time source
In order to keep the time current on the PDC emulator or a stand alone server, an external time source can be used. These external time sources are grouped together to form a hierarchy. Each level of the hierarchy is called a stratum. At the top of the hierarchy is stratum 0 which is a very accurate physical time clock. These include atomic, GPS, and radio clocks. In order to access the time from these hardware clocks, these clocks are directly connected to stratum 1 clocks. Stratum 1 clocks may be configured for private access only to decrease the load on them. At the next level is stratum 2. These clocks sync their time directly from stratum 1 and are generally publicly accessible. It is generally considered better to sync from these time clocks rather than stratum 1 as there are more stratum 2 external time clocks, which helps to reduce the load on stratum 1 time clocks. Regardless of which stratum you choose, you should try to choose an external time server that is close to your server. Refer to http://support.microsoft.com/kb/262680 for information on how to find an external time source close to you.
To configure an external time source run the following command.
w32tm /config /ManualPeerList:(TimeServer) /SyncFromFlags:manual /Reliable:yes /Update
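As an added example (not from the video), this PowerShell script measures the local computer's clock offset against the PDC Emulator using w32tm's stripchart output and warns when the offset is beyond the default Kerberos tolerance described above. It uses the ActiveDirectory module only to find the PDC Emulator; the host name can be set by hand instead. Parsing assumes the English w32tm output format with a dot as decimal separator.

```powershell
# Added example, not from the video: compare this computer's clock with the PDC
# Emulator and flag an offset that would make Kerberos reject tickets.
Import-Module ActiveDirectory

function Get-ClockOffsetSeconds {
    param([string]$Peer, [int]$Samples = 3)
    $lines = w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    $offsets = @()
    foreach ($line in $lines) {
        # dataonly lines look like "12:03:45, +00.0123456s"; failures carry an error code instead
        if ($line -match ',\s*([+-]\d+\.\d+)s') { $offsets += [double]$matches[1] }
    }
    if ($offsets.Count -eq 0) {
        throw "No time samples from $Peer (UDP/123 blocked, or the name does not resolve?)"
    }
    ($offsets | Measure-Object -Average).Average
}

$pdc = (Get-ADDomain).PDCEmulator    # or set $pdc = 'dc1.ITFreeTraining.local' (assumed name)
$offset = Get-ClockOffsetSeconds -Peer $pdc
$kerberosSkewLimit = 300             # MaxClockSkew default, in seconds

if ([math]::Abs($offset) -gt $kerberosSkewLimit) {
    Write-Warning ("Offset to {0} is {1:N3}s, beyond the {2}s Kerberos tolerance; new tickets will be rejected" -f $pdc, $offset, $kerberosSkewLimit)
} else {
    "Offset to {0}: {1:N3}s (within tolerance)" -f $pdc, $offset
}
```

After running the w32tm /config command above on the PDC Emulator, force a sync with w32tm /resync and confirm the chosen peer with w32tm /query /source; a PDC Emulator that still reports Local CMOS Clock as its source has not picked up the new configuration. Plain NTP is unauthenticated, so point the PDC Emulator only at time servers you trust and keep the rest of the domain on the default domain hierarchy rather than at external servers of their own.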
Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level the more features available. This video looks at which domain functional levels are available and how to raise the domain functional level to get access to these features. The next video in this free series looks at the forest functional levels.
Raising the domain functional level demo 17:46
The different domain functional levels and the features you get from the functional level are listed below.
Windows 2000 native
* Gives basic Active Directory functionality
Windows Server 2003
* Allows the computer name of a domain controller to be changed.
* Adds last login time stamp to each user account
* Adds UserPassword to iNetOrgPerson object. This is used when migrating from a 3rd party directory service. It allows the 3rd party password to be stored in Active Directory.
* Constrained delegation. Delegation is when credentials are passed from one system to another; e.g., an administrator connects to a computer and then attempts to have that computer connect to a file share on another computer using the administrator’s credentials. Delegation is disabled by default in Active Directory. Windows Server 2003 domain functional level allows you to determine which services are delegated and which are not and to which computers. You could, for example, trust delegation only for file sharing to only a particular server. Before this domain functional level delegation was to everything or nothing.
* Selective authentication for forests. When using multiple forests, this feature allows the administrator to configure which users from the trusted forest can use services in this forest that would otherwise be available to them by default. A user from another forest still needs permissions (for example NTFS permissions) on resources in either forest like any other user; selective authentication does not change that. What selective authentication adds is control over which services, normally available to everyone, those users can use. For example, a domain controller will by default authenticate any user from either forest. With selective authentication you can configure which domain controllers are allowed to authenticate users from the other forest.
* Adds support to store authorization policies in Active Directory.
Windows Server 2008
* DFS for replication of SysVol share.
* Advanced Encryption Standard (AES) for Kerberos
* Additional last login details. Adds attributes like number of failed login attempts.
* Fine-grained password policies. Allows multiple password policies to be defined in the same domain.
Windows Server 2008 R2
* Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how it was authenticated, e.g., if a SmartCard was used to authenticate the user.
* Automatic SPN (Service Principal Name) management. Allows service account passwords to be managed by Active Directory.
Mixed or Interim
Domain functional levels that are mixed or interim have been upgraded from an NT4 domain and may have some domain controllers that are still NT4. Once you have removed all of the NT4 domain controllers, raise the domain functional level to one of the domain functional levels listed above.
Raising the Domain Functional Level
In order to raise the domain functional level, you need to ensure that all of the domain controllers in your domain are at that domain functional level or higher. For example, if you had 3 Windows Server 2008 DCs, 4 Windows Server 2003 DCs and 1 Windows 2000 DC, the highest domain functional level that you could go to would be Windows 2000 native. If you upgrade the Windows 2000 domain controller to Windows Server 2003, you could raise the domain functional level to Windows Server 2003. Remember also that once you raise your domain functional level you will not be able to add any down-level domain controllers to the domain. For example, if you raise the domain functional level to Windows Server 2008, you would not be able to add any Windows 2000 or Windows Server 2003 domain controllers. Regardless of the domain functional level, you can add any Windows client or server operating system to the domain. Raising the domain functional level is a one-way process and can’t be reversed once complete.
Raising the domain functional level
To raise the functional level, open Active Directory Users and Computers, right click on your domain and select raise domain functional level. Select the domain functional level that you want and select raise.
Like domain functional levels, the forest functional level determines which additional features in Active Directory will be available. In order to raise your forest functional level, all domains in the forest domain functional level must be at that corresponding forest functional level or higher. This video looks at the features that are available at each forest level and how to raise the forest level.
Raise forest functional level demo 17:45
When looking at an existing network with multiple domains, you need to consider the possibility that these domains were put in place originally due to limitations in Active Directory. Previously, Active Directory was not able to support more than one password policy per domain and even though the number was quite high, there were some limits on how many users could be put into certain groups. Because of these limits, more domains may have been created than would be required nowadays. When raising your domain and forest functional level, consider if any domains can be combined. Doing so will reduce the complexity of your network and make it easier to support.
Listed below are all the different forest levels and the features that each forest level adds. Remember that to raise the functional level of your forest all domains in that forest must be at that functional level or higher. In other words, the level to which you can raise the forest level will be determined by the domain in the forest with the lowest domain functional level.
Windows 2000 native
Basic Active Directory features
Windows Server 2003
Forest Trust: Allows a trust relationship between two forests. A forest trust allows resources to be shared between the forests.
Rename Domains: This allows you to change a domain name.
Link Value Replication: This means that only changes in group membership are replicated. Without link value replication, if a group is changed in two locations at once, the record with the newest time stamp is used replacing all the other records and thus all changes in those records are lost. Using link value replication also reduces the amount of data that is sent over the network during replication.
Improved Knowledge Consistency Checker (KCC): The KCC is responsible for creating replication links between sites. With this forest functional level the KCC has been improved, particularly working with large deployments.
Dynamic Auxiliary Class: Allows Active Directory objects to be created with an expiration time.
Convert INetOrgPerson to user: Allows an INetOrgPerson object to be converted to a user object and vice versa. The INetOrgPerson object is used when importing or exporting users from Active Directory to a 3rd party directory system. Being able to convert a user object in Active Directory to an INetOrgPerson object makes the process of exporting and importing users with Active Directory a lot easier.
Windows Server 2008 RODC: This forest level is required if you want to start using Windows Server 2008 Read Only Domain Controllers in Active Directory.
Deactivation of attributes: Once you make a change to the schema of Active Directory it can’t be deleted. Deactivation allows you to deactivate attributes in the Schema that are no longer required.
Windows Server 2008
No new features are added to Active Directory with this forest functional level.
Windows Server 2008 R2
Active Directory Recycle bin: Allows deleted objects in Active Directory to be restored.
Raising the Forest Functional Level
To raise a forest functional level, run Active Directory Domains and Trusts from administrative tools from the start menu. Right click the root of the tree and select raise forest functional level. From the dialog box select the forest functional level that you want and press raise. Remember that the process can’t be reversed once done and there may be a delay while replication occurs before the changes take effect.
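The two rules above (a domain is limited by its oldest domain controller, the forest by its lowest domain level) as an added PowerShell check, not from the original page or itfreetraining's material. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and an account that can read every domain in the forest; it only reports and prints the raise commands without running them.

```powershell
# Added example, not part of the original page or itfreetraining's material. It applies the
# two rules above: a domain can only be raised as far as its oldest domain controller allows,
# and a forest only as far as its lowest domain functional level allows. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 / RSAT) and an account able to read every
# domain in the forest. It only reports; the Set-AD*Mode commands are printed, not run.
Import-Module ActiveDirectory

# Levels in ascending order, using the ActiveDirectory module's mode names. Index = rank.
$DomainLevels = 'Windows2000Domain', 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain'
$ForestLevels = 'Windows2000Forest', 'Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest'

# Highest domain level rank a DC can participate in, from its OperatingSystem attribute.
function Get-DcLevelRank([string]$OperatingSystem) {
    switch -Regex ($OperatingSystem) {
        'Server 20(1|2)\d'  { return 3 }   # 2012 and later support every level listed here
        '2008 R2'           { return 3 }
        'Server 2008'       { return 2 }
        'Server 2003'       { return 1 }
        'Windows 2000'      { return 0 }
        default             { return -1 }  # unknown (or NT4): blocks any raise until resolved
    }
}

$forest           = Get-ADForest
$lowestDomainRank = [int]::MaxValue

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

    Write-Host "== $domainName (current mode: $($domain.DomainMode)) =="
    $dcs | Sort-Object OperatingSystem |
        Format-Table HostName, OperatingSystem, IsGlobalCatalog -AutoSize | Out-Host

    $currentRank = [array]::IndexOf($DomainLevels, [string]$domain.DomainMode)   # -1 for mixed/interim
    $allowedRank = ($dcs | ForEach-Object { Get-DcLevelRank $_.OperatingSystem } | Measure-Object -Minimum).Minimum

    if ($allowedRank -lt 0) {
        Write-Host "  A DC with an unknown or unsupported OS blocks raising this domain; see the list above."
    } elseif ($allowedRank -gt $currentRank) {
        Write-Host "  Can be raised to $($DomainLevels[$allowedRank]):"
        Write-Host "    Set-ADDomainMode -Identity $domainName -DomainMode $($DomainLevels[$allowedRank])"
    } else {
        Write-Host "  Already at the highest level its DCs allow."
    }
    $lowestDomainRank = [Math]::Min($lowestDomainRank, $currentRank)
}

# The forest can be raised only to the level matching its lowest domain functional level.
$forestRank = [array]::IndexOf($ForestLevels, [string]$forest.ForestMode)
Write-Host "== Forest $($forest.Name) (current mode: $($forest.ForestMode)) =="
if ($lowestDomainRank -lt 0) {
    Write-Host "  A domain at a mixed/interim level blocks raising the forest."
} elseif ($lowestDomainRank -gt $forestRank) {
    Write-Host "  Can be raised to $($ForestLevels[$lowestDomainRank]):"
    Write-Host "    Set-ADForestMode -Identity $($forest.Name) -ForestMode $($ForestLevels[$lowestDomainRank])"
} else {
    Write-Host "  Already at the highest level its domains allow."
}
```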
This video looks at upgrading your current Active Directory environment so that you can deploy Windows Server 2008/R2 domain controllers in your environment. The video looks at the prerequisites required, the commands you need to run and a demonstration of how to prepare your environment for Windows Server 2008/R2
Upgrading demo 05:40
The following only needs to be done if you are planning to deploy Windows Server 2008 or Windows Server 2008 R2 Domain controllers on your network. If you only want to use Windows Server 2008 as a member server (that is, you do not want to promote it to a domain controller), you can do this without having to perform any of the steps in this video.
Remove all NT4 Domain controllers
Upgrade all Domain controllers to Windows Server 2000 SP4 or above
Domain functional level needs to be Windows 2000 or higher
Forest functional level needs to be Windows Server 2000 or higher
The user performing the upgrade needs to be a member of the following groups:
Schema, Enterprise and Domain Administrators
For more information on the domain and forest functional levels, please see the following videos.
Forest Functional Level Video
Domain Functional Levels Video
Preparing your environment
In order to prepare your environment you need to run a tool called ADPrep. This can be found on the Windows Server 2008/R2 DVD under the Support folder. ADPrep has been updated since Windows Server 2008 and thus the first two commands listed below need to be run again when installing your first Windows Server 2008 R2 Domain Controller on a network with Windows Server 2008 Domain Controllers.
This command needs to be run once per forest. The command needs to be run on the server holding the schema operational master role.
The following commands need to be run once on every domain in which you are going to deploy Windows Server 2008/R2 Domain Controllers. The following commands need to be run on the Domain controller holding the infrastructure master.
ADPrep /DomainPrep /GPPrep
The following command only needs to be run if you are going to deploy Windows Server 2008 Read Only domain controllers. If you are not sure, run the command anyway, as it does not affect the operation of Active Directory if Read Only Domain Controllers are not deployed.
To check the forest level, run Active Directory Domains and Trusts, right click the domain and select raise domain functional level. Make sure it is Windows Server 2000 native or higher.
To find out which domain controllers are holding which operational master roles, run the following command:
netdom query fsmo
To upgrade the forest, on the Domain Controller holding the schema operational master role, run the command line ADPrep /ForestPrep.
The process normally takes about 5 minutes or so. Once it is completed, allow some time for the changes to replicate through your network or force a replication.
To check whether your domain meets the minimum requirement for the domain functional level Windows Server 2000, run the command Active Directory Users and Computers. Right click the domain and select raise domain functional level.
The following commands need to be run on all domains on which you want to deploy Windows Server 2008 domain controllers. The following commands also need to be run on the Domain Controller holding the infrastructure operational master role.
ADPrep /DomainPrep /GPPrep
The following command only needs to be run if you are planning on using Windows Server 2008 Read Only Domain Controllers.
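An added pre-flight check for the ADPrep procedure above, not from the original page or itfreetraining's material: it locates the schema master and each domain's infrastructure master (where the commands have to run) and reads the markers ADPrep leaves behind, so a run that has already replicated is not repeated unnecessarily. It assumes the ActiveDirectory module and an account that can read every domain; the schema objectVersion and revision values are the ones Microsoft documents for these releases. The RODC switch it names, ADPrep /RodcPrep, is the command the text above refers to.

```powershell
# Added example, not part of the original page or itfreetraining's material. Before running
# ADPrep it shows where each command has to be run (schema master for /ForestPrep, the
# infrastructure master of each domain for /DomainPrep /GPPrep) and whether a previous run
# has already left its marker in the directory. Assumes the ActiveDirectory module and an
# account that can read every domain; it changes nothing.
Import-Module ActiveDirectory

# Schema objectVersion written by ADPrep /ForestPrep for each release (documented Microsoft values).
$SchemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

# Reads the 'revision' attribute of a marker object, or $null when the object does not exist.
function Get-MarkerRevision([string]$Dn, [string]$Server) {
    try   { [int](Get-ADObject -Identity $Dn -Properties revision -Server $Server).revision }
    catch { $null }
}

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
$version = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
$label   = if ($SchemaVersions.ContainsKey($version)) { $SchemaVersions[$version] } else { 'newer than 2008 R2 or unknown' }

Write-Host "Forest $($forest.Name): schema master = $($forest.SchemaMaster); schema version $version ($label)"
if ($version -lt 44) {
    Write-Host "  Run 'ADPrep /ForestPrep' on $($forest.SchemaMaster) and let it replicate before continuing."
} elseif ($version -lt 47) {
    Write-Host "  2008 ForestPrep is done; run 'ADPrep /ForestPrep' again from the 2008 R2 media before the first 2008 R2 DC."
}

# ADPrep /RodcPrep leaves CN=ActiveDirectoryRodcUpdate under ForestUpdates (revision 2 when complete).
$rodcRev = Get-MarkerRevision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)" $forest.RootDomain
if ($rodcRev -eq $null) { Write-Host "  RodcPrep: not run (only needed before deploying read-only DCs)." }
else                    { Write-Host "  RodcPrep: done (revision $rodcRev)." }

# DomainPrep writes CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System: revision 3 = 2008, 5 = 2008 R2.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $rev    = Get-MarkerRevision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($domain.DistinguishedName)" $domainName
    if ($rev -eq $null)  { $state = 'not run' }
    elseif ($rev -ge 5)  { $state = 'done for 2008 R2' }
    elseif ($rev -ge 3)  { $state = 'done for 2008 only' }
    else                 { $state = "revision $rev (pre-2008)" }
    Write-Host "Domain $domainName: infrastructure master = $($domain.InfrastructureMaster); DomainPrep $state"
    if ($state -ne 'done for 2008 R2') {
        Write-Host "  Run 'ADPrep /DomainPrep /GPPrep' on $($domain.InfrastructureMaster)."
    }
}
```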
This video looks at how to add a child domain to an existing domain in Active Directory. Child domains can access resources from the parent and also from any other domain in the forest. This video will look at adding the east domain to the existing domain.
Demonstration at 04:35
Things to consider before adding a child domain
The more domains that you have in your forest, the harder it will be to administer your network. When possible, you should attempt to reduce the number of domains in your forest. Sometimes due to company needs or security reasons, extra domains may be created. It should be remembered that in Windows Server 2008 there have been a number of improvements and features which in previous versions of Windows would have required additional domains. These are:
1) Active Directory could previously only have one password policy per domain. If your domain functional level is Windows Server 2008 or higher, you can support multiple password policies for the same domain.
2) With Windows NT the database was limited to 40 MB, which was around 40,000 objects. Because of this multiple domains may have been required, whereas Active Directory now only requires one.
New domains may also be created due to different business unit requirements. In a lot of cases you can separate departments and even companies using organization units inside Active Directory; however, dealing with things like different company budgets is not as simple. If the companies have different IT support staff, they will probably want different domains.
Creating a new domain or adding a domain controller to an existing domain is all done using DCPromo.
1) When asked, select the option at the top, “existing forest.” Under this, select the option, “create a new domain in an existing forest.” This will create the first domain controller in your new domain in the existing forest.
2) You will next be asked for the credentials for a user to add the domain to the existing forest. This needs to be a user in the enterprise administrators group; however, the user does not need to be in the root domain: they can be located in any domain in the forest.
3) Next you need to enter in the name of the parent domain of the child domain. If you are creating a new tree, enter in the new namespace. DCPromo will understand this is a new tree rather than a child domain.
4) Once the relevant details are entered, the Domain Naming Master will be contacted to see if this domain already exists. If the Domain Naming Master can’t be contacted, DCPromo will fail.
5) Once the Domain Naming Master has been contacted and it has been confirmed this domain does not already exist, you will be asked for the domain functional level. What is available will be determined by what the current forest functional level is.
6) Next you need to select the site where the domain controller will be. If no sites have been created, you can use “default first site name” for the site.
7) Next you can decide if the domain controller is a DNS server and/or a global catalog server. Even if you are creating a completely separate domain you can use a DNS server or even a 3rd party DNS system like UNIX.
8) The wizard will ask you where to put the database, log file and SysVol folder. In most cases leave this on the default.
9) The next screen will ask for an Active Directory recovery password. This is used in certain recovery situations including restoring deleted objects.
At any stage you can add and remove domain controllers from Active Directory. This video looks at how to remove the last domain controller from a child domain. When this occurs, the Active Directory database will be removed and with it anything that was stored in it. This video looks at how to remove a child domain; however, the same process could be used to remove the last domain controller in the forest.
Demo at 03:46
If you need to remove a domain controller that has failed from Active Directory, refer to video http://itfreetraining.com/70-640/seizing-roles/.
Operational Master Roles
If the domain controller is holding any operational master roles, these can be moved manually or DCPromo will automatically move them to another domain controller when the domain controller is demoted. Refer to our video on moving operational master roles for information on how to move them: http://itfreetraining.com/70-640/moving-operation-roles/.
If you want to check if your domain controller is holding any operational master roles you can run the following command from the command prompt:
NetDom Query FSMO
Global Catalog Servers
If you are removing a domain controller that is a global catalog server, you should consider the effect that this will have on your domain. Even in a single forest, single domain environment global catalog servers are used by applications for performing searches in Active Directory. For this reason you should always have at least one domain controller in your domain. Refer to http://itfreetraining.com/70-640/global-catalog-servers/ for information about the role a global catalog server has on your network.
Effects of removing the database
Before removing the last domain controller and thus Active Directory, you should consider what is stored in Active Directory and thus what you are losing. Removing the database will remove any accounts in that domain but will also remove any certificates that are stored in Active Directory as well. Before removing the last domain controller it is recommended that the domain controller be shut down for a period of time before it is demoted. If no problems are found, start the domain controller back up and then demote it.
To check if the domain controller is holding any operational master roles, run the command:
NetDom Query FSMO
To demote the server run the command DCPromo. The wizard will ask you if this is the last domain controller in the domain. If this domain controller is the last domain controller, tick this box. If you still have other functional domain controllers on the network you should remove these before ticking this box to ensure the domain is removed cleanly. If there are domain controllers that are still in the domain but are not operational and thus will not be used on the network again, tick the option this is the last domain controller in the domain. Ticking this box will remove the domain even if there are domain controllers that are still registered in the Active Directory database.
If you are getting errors in DCPromo, run DCPromo with the /forceremoval switch and it will ignore these errors.
DCPromo will ask you to set a local administrator password. When Active Directory has been removed you will need this password to login locally to the server. If you still have a domain controller left in the domain, the server will become a member server and you can still use a domain account to login to the server.
Trusts in Active Directory create the pathways for authentication to occur. They are used to link Active Directory domains to each other and also link Active Directory domains to non Microsoft systems.
In order to share resources between two domains, there must be a trust or trusts connecting the two domains. Trusts do not provide access; they only create a pathway to the destination. Think of trusts like roads: if you need to get to a house and there is a road between you and the house, you can drive to the destination. If the house is locked, you won’t be able to get in unless you have the key. The same applies with trusts: you need the path to the resource via a trust and permission to access the resource.
Trust direction (One-way or two)
Trusts can be one-way or two-way. If the trust is two-way, then the domain on either side can access the other side. If the trust is one-way, the terminology used to describe the trust will usually be “Domain A trusts domain B.” This means that domain A is the trusting domain and domain B will be the trusted domain. For a user in a certain domain to access a resource in another domain, the user needs to be in the trusted domain.
A transitive trust is when a trust can be extended outside of the two domains in which it was created. A domain connected via a transitive trust can thus access any other domain when there is a path of transitive trusts between that domain and the target domain.
A non-transitive trust is a trust that will not extend past the domains it was created with. If domain A was connected to domain B and domain B connected to domain C using non-transitive trusts the following would occur. Domain A and domain B would be able to access each other. Domain B could access domain C. Domain A, however, could not access domain C. Even though the domains are indirectly connected, since the trust is non-transitive the connection will stop once it gets to domain B. In order for domain A and domain C to communicate using non-transitive trust you would need to create another trust between domain A and domain C. Think of it like having to catch two buses to get to your destination but only having one bus ticket. Transitive and non-transitive trusts will work together. When using both, the pathway through the network will simply stop as soon as a non-transitive trust is travelled over.
Parent child trust
When you create a child domain, a transitive trust will automatically be created between the parent and child domain.
When you create a new tree in the forest, a tree trust will be created automatically between the root domain (the first domain created in the forest) and the new tree. Each new tree will have a tree trust created between that tree and the root domain. These trusts are transitive and essentially the same as the transitive trusts that link parent and child domains.
If you have two domains that communicate with each other on a regular basis you can create a shortcut trust. This is the same as a transitive trust but is manually created by an administrator to reduce the number of trusts a user needs to travel over to get from one domain to another.
A forest trust links two Active Directory forests together. These are created manually by an administrator and are transitive. They essentially work the same as the other trusts except they connect forests together. In order to create this trust, both forests must be at the Windows Server 2003 forest functional level or higher.
A realm trust is used to connect Active Directory with a Kerberos V5 realm on a non-Windows system like Unix. In order to create a realm trust, the domain must be at the Windows Server 2003 functional level or higher. These can be transitive or non-transitive, one-way or two-way.
An external trust is an old one-way trust that is used to connect to systems like Windows NT4. To make them two-way, you can create one trust in each direction. They are non-transitive. They can also be used when it is not possible to create a forest trust, e.g., one or both forest functional levels are not high enough.
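The direction and transitivity rules described above, as an added PowerShell model that is not from the original page or itfreetraining's material: it searches for an authentication path from a resource's domain back to the user's domain over a constructed set of trusts (parent-child, tree and external), treating a non-transitive trust as usable only for a direct hop, as in the bus-ticket analogy. The domain names and trusts are constructed for the demonstration.

```powershell
# Added example, not from the original page or itfreetraining's material. It models the
# rules above (direction and transitivity) as a path search: a user in one domain reaches a
# resource in another only if trusts lead from the resource's domain (trusting side) back to
# the user's domain (trusted side), and a non-transitive trust can only be the single hop of a
# direct path. The domain names and trusts are constructed for the demonstration.
function New-Trust([string]$Trusting, [string]$Trusted, [bool]$Transitive, [bool]$TwoWay) {
    # "$Trusting trusts $Trusted": users from $Trusted can be granted access in $Trusting.
    [pscustomobject]@{ Trusting = $Trusting; Trusted = $Trusted; Transitive = $Transitive }
    if ($TwoWay) { [pscustomobject]@{ Trusting = $Trusted; Trusted = $Trusting; Transitive = $Transitive } }
}

function Find-TrustPath([string]$UserDomain, [string]$ResourceDomain, [object[]]$Trusts) {
    # Breadth-first search from the resource domain; returns the domains crossed, or $null.
    if ($UserDomain -eq $ResourceDomain) { return ,@($ResourceDomain) }
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([string[]]@($ResourceDomain))
    $visited = @{ $ResourceDomain = $true }
    while ($queue.Count -gt 0) {
        $path = [string[]]$queue.Dequeue()
        $here = $path[-1]
        foreach ($trust in ($Trusts | Where-Object { $_.Trusting -eq $here })) {
            $next = $trust.Trusted
            if (-not $trust.Transitive) {
                # One bus ticket: usable only directly between the two domains that created it.
                if ($here -eq $ResourceDomain -and $next -eq $UserDomain) { return ,($path + $next) }
                continue
            }
            if ($visited.ContainsKey($next)) { continue }
            $visited[$next] = $true
            if ($next -eq $UserDomain) { return ,($path + $next) }
            $queue.Enqueue([string[]]($path + $next))
        }
    }
    return $null
}

# Constructed topology: forest root corp.example, its child east.corp.example, a second
# tree sales.example (tree trust), and a one-way non-transitive external trust in which
# corp.example trusts the legacy NT4-style domain LEGACYNT.
$Trusts = @(
    (New-Trust 'corp.example' 'east.corp.example' $true  $true)    # parent-child trust
    (New-Trust 'corp.example' 'sales.example'     $true  $true)    # tree trust
    (New-Trust 'corp.example' 'LEGACYNT'          $false $false)   # external trust, one way
)

$Cases = @(
    @{ User = 'east.corp.example'; Resource = 'sales.example'     }   # east -> corp -> sales, all transitive
    @{ User = 'LEGACYNT';          Resource = 'corp.example'      }   # direct hop over the external trust
    @{ User = 'LEGACYNT';          Resource = 'east.corp.example' }   # blocked: external trust is not transitive
    @{ User = 'corp.example';      Resource = 'LEGACYNT'          }   # blocked: the external trust is one way
)
foreach ($case in $Cases) {
    $path = Find-TrustPath -UserDomain $case.User -ResourceDomain $case.Resource -Trusts $Trusts
    if ($path) { "{0} -> {1}: path {2}" -f $case.User, $case.Resource, ($path -join ' <- ') }
    else       { "{0} -> {1}: no authentication path" -f $case.User, $case.Resource }
}
```

Each printed path reads from the resource's domain back to the user's domain, so "sales.example <- corp.example <- east.corp.example" means sales trusts corp, which trusts east.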
When creating a forest trust you have the option to use selective or forest-wide authentication. Certain resources on the network will be open to anyone. These include authenticating from a domain controller. If you use selective authentication you will need to specify which resources the users will have access to. This gives the administrator a lot more control. This setting should be used when creating a forest trust between your company and an external company.
User accounts have an attribute called SID history. When a user account is migrated from one domain to another, SID history contains the SID from the old domain. Using SID history means the user can access resources where permissions were defined using the old SID. Windows Server 2003 and above will remove SID history when travelling over a trust. This is done for security reasons and can be disabled.
To make changes to trusts in Active Directory, open Active Directory Domains and Trusts from administrative tools. This will show all the domains in the forest and also any trusts for those domains, whether manually or automatically created. To create a new trust, open the properties for one of the domains and select the tab, “trusts.” At the bottom of the trust tab select the option, “new trust,” to launch the trust wizard.
The trust wizard will in most cases detect the type of trust that you want. If it fails to detect the other side, there may be a DNS issue or firewall issue. In this case you can manually select which trust you want to create. In order to create the trust on the other end, you will be asked for a username and password. If you don’t have this, an administrator on the other side will need to run the wizard on the other side. In some cases, a shared password needs to be agreed upon and entered on each side in order to create the trust.
If you create a forest trust using selective authentication, users traveling over this forest trust will not be able to authenticate from a domain controller by default. In order to allow them to authenticate, they need to be given permissions. To do this, open “Active Directory Users and Computers.” For the option to appear you need to go to “view” and make sure “advanced features” is enabled. To enable access, open the security for the domain controller and ensure that the user has the permission “allowed to authenticate.”
Active Directory allows you to model your physical network topology using sites. This video looks at how to create sites in Active Directory. Creating sites allows you to control how data is replicated in your organization.
Microsoft defines a site as a group of well-connected networks.
Advantages of sites
1) Sites automatically direct users to the closest resource.
2) Schedules can be configured that allow the administrator to control when replication will occur.
Multiple networks can be combined together regardless of which IP address ranges they use. If you have two networks separated by a high speed networking device, you may want to combine these networks together. Usually networks that are separated by a Wide Area Network will be put into different sites. You could also place different networks into different sites for security reasons. For example, if you had a secure network holding your intellectual property separated by a firewall, you may decide to put this network in its own site to reduce the amount of traffic travelling between the networks. Less traffic travelling between the networks means fewer rules that have to be created on the firewall between the networks.
Protect objects from accidental deletion
A lot of objects in Active Directory have the option to protect the object from accidental deletion. The tick box for this will be found in the properties for the object on the object tab. If the option is ticked and an attempt to delete the object or move the object is made, an access denied message will be displayed. To perform either of these actions, the tickbox needs to be cleared first.
To create or change the site configuration, open Active Directory Sites and Services from administrative tools under the start menu.
When you first install Active Directory, a site will be created called Default-First-Site-Name. This site can be renamed, deleted when no longer required, or simply not used.
Under the site container, the Domain Controller/s for that site will be listed. When you promote a server to a Domain Controller, the wizard will look at the IP address of the server and suggest a site in which to put the Domain Controller or you can choose your own. For this reason, the Domain Controller should be put into the correct site when it is promoted assuming the site existed. If you need to physically move the Domain Controller or it has been put into the wrong site, you can move the Domain Controller object to another site at any time.
To create a new site, right click sites and select new site. The network address will then need to be entered (either the IPv4 or IPv6 network address).
This video looks at how Domain Controllers in Active Directory replicate data between each other. Domain Controllers can either replicate at the site level or between sites. A different approach is used for each because at the site level you want changes to happen quickly. Between sites replication may be reduced and may even be configured to happen only outside business hours.
Intrasite replication is replication that happens inside one site between the Domain Controllers in that site. Active Directory will automatically connect all the Domain Controllers together to form a ring. Each Domain Controller will have two incoming connections and two outgoing connections. This ensures some redundancy in the site if a Domain Controller were to become unavailable.
Intrasite replication happens 15 seconds after a change is made to the Active Directory database. If there are more than 3 hops between Domain Controllers in the one site, then more connections will be made between the Domain Controllers until the hop count is less than 3 between all Domain Controllers. This ensures that a change will reach all Domain Controllers in the one site in less than a minute.
Intersite replication is replication that happens between different sites in Active Directory. These connections are not made automatically and need to be made by an Administrator.
Bridge Head Server
In each site, a Domain Controller is selected to replicate changes from that site to another site. This Domain Controller is called a Bridge Head Server. The Bridge Head Server is selected automatically, but you can also manually select a Domain Controller or Domain Controllers to be a Bridge Head Server in a site. If you do manually select the Bridge Head Server/s and all the Bridge Head Servers are down, replication will not occur from that site.
A site link is created by an Administrator to link sites together. Site links can have a replication schedule applied to them to determine when replication occurs.
Site Link Cost
Each site link can have a cost associated with it. This is a numeric value that weights the site link. The site links with the lowest cost between two sites will be used. This allows you to configure Active Directory to use backup site links when the primary site link goes down.
Site links support two different transport protocols. These are RPC over IP and SMTP. SMTP does not support file replication and thus on most networks only RPC over IP will be used. SMTP could be used between domains in the forest as this kind of replication does not require file replication. RPC over IP is often referred to as just IP.
Knowledge Consistency Checker (KCC)
The KCC is responsible for creating connections between different Domain Controllers inside a site and between sites. It does this with information from the Active Directory database so, given the same data, it should always make the same decisions about which connection to create. The KCC runs every 15 minutes.
To create site links in Active Directory, open Active Directory Sites and Services from administrative tools under the start menu.
Site links are under Inter-Site Transports. Under here are the two folders for IP and SMTP transports.
Under IP there may be a site link called DEFAULTSITELINK. This is created automatically when Active Directory is installed. You can use this site link or create a new site link. If you do use this site link, it is recommended that you rename the site link to a more meaningful name.
To create a new site link, right click IP or SMTP and select New Site Link. From the wizard you need to select which sites will use that site link. Microsoft recommends that you should not put more than 3 sites in the one site link.
In the properties of the site link you can configure the schedule for the site link, how often replication will occur and also the cost that will be used with the site link.
If you want to see the connections that have been created automatically or manually between different Domain Controllers, expand down until you reach NTDS. In here you will see all the incoming connections for that Domain Controller. To see the outgoing connections, you can open the properties for NTDS and select the connection tab.
If you want to force the KCC to run, right click NTDS Settings, select All Tasks and then Check Replication Topology.
To force a replication, right click a connection and select replicate now. Even though the connection is incoming only, this will replicate data in both directions.
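The same topology the Sites and Services steps above expose, read directly from the configuration partition as an added PowerShell script that is not from the original page or itfreetraining's material: site links with their cost, interval and member sites, and each DC's incoming connection objects with a flag for whether the KCC or an administrator created them. It assumes the ActiveDirectory module and is read-only.

```powershell
# Added example, not from the original page or itfreetraining's material. Instead of clicking
# through Sites and Services, it reads the same objects from the configuration partition:
# the site links with their cost and interval, and every DC's incoming connection objects,
# marking which the KCC generated and which an administrator created. Assumes the
# ActiveDirectory module; it is read-only.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Helper: the value of the RDN at position $Index of a DN, e.g. 'CN=Foo' -> 'Foo'.
function Get-RdnValue([string]$Dn, [int]$Index) {
    (($Dn -split ',')[$Index] -replace '^CN=')
}

Write-Host '== Site links (lowest total cost between two sites wins) =='
Get-ADObject -Filter 'objectClass -eq "siteLink"' -SearchBase "CN=Inter-Site Transports,CN=Sites,$configNC" `
             -Properties cost, replInterval, siteList |
    ForEach-Object {
        [pscustomobject]@{
            Transport       = Get-RdnValue $_.DistinguishedName 1          # IP or SMTP container
            SiteLink        = $_.Name
            Cost            = $_.cost
            IntervalMinutes = $_.replInterval
            Sites           = ($_.siteList | ForEach-Object { Get-RdnValue $_ 0 }) -join ', '
        }
    } | Format-Table -AutoSize | Out-Host

Write-Host '== Connection objects (incoming replication partner of each DC) =='
Get-ADObject -Filter 'objectClass -eq "nTDSConnection"' -SearchBase "CN=Sites,$configNC" `
             -Properties fromServer, options |
    ForEach-Object {
        # DN layout: CN=<guid>,CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...
        [pscustomobject]@{
            Site       = Get-RdnValue $_.DistinguishedName 4
            ToServer   = Get-RdnValue $_.DistinguishedName 2
            FromServer = Get-RdnValue $_.fromServer 1          # fromServer is the partner's NTDS Settings DN
            CreatedBy  = if ($_.options -band 1) { 'KCC (automatic)' } else { 'Administrator (manual)' }
        }
    } | Sort-Object Site, ToServer | Format-Table -AutoSize | Out-Host
```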
To force the knowledge consistency checker to run, enter the following (without the site parameter this will only run on that Domain Controller):
RepAdmin /KCC site:(Site name)
To force a replication run the following:
This will show the bridge head servers:
“How Active Directory Replication Topology Works” http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx
“Active Directory Replication Tools and Settings” http://technet.microsoft.com/en-us/library/cc739941(WS.10).aspx