Chain of Survival and EMSC
Download
Report
Transcript Chain of Survival and EMSC
Configuring the Active Directory
Infrastructure
Exam Objectives
Working with Forests and Domains
Working with Sites
Working with Trusts
Copyright line.
Working with Forests and
Domains
You should know what type of domain you
want to install before you begin, and the
namespace it will use.
To improve a domain’s reliability, you should
always create at least two DCs in each
domain.
The first DC that you install in the forest is the
root DC. It is responsible for the GC and for
all five FSMO roles. Some roles can later be
transferred to other DCs for performance and
diversification.
Copyright line.
Slide 2
Working with Sites
Sites are used for optimizing the authentication process, by reducing
authentication traffic across slow, high-cost WAN links.
Subnets provide rapid and reliable communication between locations.
The primary role of sites is to increase the performance of a network,
which is achieved by economic and rapid transmission of data.
Replication enables transferring data from a data store present on a
source computer to an identical data store present on a destination
computer.
The KCC is a process that runs on a DC.
The process of associating a subnet with a site notifies Active Directory
sites about the physical networks that are represented by the site.
Cost is the value used to calculate site links by comparing one to others,
in terms of speed and reliability charges.
Copyright line.
Slide 3
Working with Trusts
Active Directory trust relationships allow users in one
domain to access resources in another domain
without having to create additional accounts in the
domain with the resources.
Whenever a child domain is created, two-way
transitive trusts are automatically created between
the parent and the child.
Forest trusts are created between the root domains
of two forests to allow users in one forest to access
resources in the other forest.
SID filtering is a security device that uses the domain
SID to verify each security principal.
Copyright line.
Slide 4
FAQ
Q: What is the big deal about raising the
functional levels of my domains and forests?
Shouldn’t I raise the levels as soon as they meet
the prerequisites?
A: No. Remember that functional levels, once
raised, cannot be lowered again. In addition,
some situations are better suited to skipping a
level, rather than raising to one level and then the
other. In this case, known future restructuring
and upgrade activities should be considered
before raising functional levels.
Copyright line.
Slide 5
FAQ
Q: How much of the Active Directory design stage
should be complete before I install my first DC?
A: Primarily, the DNS design should be complete,
and the decision should be made about how the
forest-root domain will be used. Additional DCs
and domains can be added later. FSMO roles and
GCs can be shifted as needed, and trusts with
other forests and external domains can be added
later. Essentially, the first DC that you install
should be in a lab environment. From that
perspective, you should install your first DC for
testing and training purposes as soon as
possible.
Copyright line.
Slide 6
FAQ
Q: If every FSMO role can be seized by another DC upon
failure, why would I want to spread the roles out among
different machines?
A: There are several reasons. Chief among these are the
associated risks of seizing roles. Lost or corrupted
directory data can result from FSMO failures, especially if
the malfunctioning machine ever comes back online.
Seizing roles should not be considered a routine operation.
Another consideration is performance. Each role exacts a
certain amount of CPU and memory overhead, and your
servers might perform better if roles are spread among
multiple systems. If that weren’t enough, some roles and
functions should not coexist on the same DC, such as the
Infrastructure Master and the GC. FSMO placement should
not be ignored, and this knowledge will be important on the
test.
Copyright line.
Slide 7
FAQ
Q: What are the differences between
external, realm, and shortcut trusts?
A: An external trust is created to establish
a relationship with a domain outside your
tree or forest. A realm trust is created to
establish a relationship with a nonMicrosoft network using Kerberos
authentication. A shortcut trust is used to
optimize the authentication process.
Copyright line.
Slide 8
FAQ
Q: What type of trust needs to be created
between the root domain and a domain
that is several layers deep inside the same
tree?
A: None. Transitive two-way trusts are
automatically created between the layers
of the tree structure. A root trust is also
created automatically so that any child
domain has a shortcut to the root domain.
Copyright line.
Slide 9
FAQ
Q: What is the difference between implied,
implicit, and explicit trusts?
A: An implicit trust is one that is automatically
created by the system. An example is the trusts
created between parent and child domains. An
explicit trust is one that is manually created. An
example is a forest trust between two trees. An
implied trust is one that is implied because of the
transitive nature of trusts. An example is the trust
between two child domains that are in different
trees, and a forest trust was created between the
roots of the trees.
Copyright line.
Slide 10
FAQ
Q: What exactly does SID filtering
accomplish?
A: SID filtering is used to secure a trust
relationship where the possibility exists
that someone in the trusted domain might
try to elevate his or her own or someone
else’s privileges.
Copyright line.
Slide 11
FAQ
Q: How do you change the time the KCC
runs?
A: The KCC, which manages connection
objects for inter- and intrasite replication, runs
every 15 minutes by default. To change this,
start regedit and go to the
HKEY_LOCAL_MACHINE\SYSTEM\Current
ControlSet\Services\NTDS\Parameters
Registry entry. Then, from the Edit menu,
select New, DWORD Value.
Copyright line.
Slide 12
FAQ
Q: How do I move a server to a different site?
A: If the sites and subnets are configured, new
servers are automatically added to the site that owns
the subnet. However, a server can be manually
moved to a different site. To perform this task, start
the Active Directory Sites and Services. Expand
the site that currently contains the server, and expand
the Servers container. Right-click the server and
select Move from the context menu. There will be a
list of all the sites. Select the new target site, and
click OK.
Copyright line.
Slide 13
FAQ
Q: How can a server belong to more than one site?
A: By default, a server belongs to only one site. However, you
can configure a server to belong to multiple sites. Because sites
are necessary for replication, for clients to find resources, and to
decrease traffic on intersite connections, simply modifying a
site’s membership might cause performance problems. To
configure a server for multiple site membership, log on to the
server you want to join multiple sites. Start regedit or regedt32.
Go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi
cesNetlogon\Parameters Registry entry, select Add Value
from the Edit menu, enter the name Site Coverage and a
REG_MULTI_SZ value, and click OK. Next, enter the names of
the sites to join, each on a new line. (Press Shift + Enter to
move to the next line.) Click OK. Close the Registry Editor.
Copyright line.
Slide 14
FAQ
Q: How do I disable site link transitivity?
A: Site links are bridged together to make them
transitive so that the KCC can create connection
objects between DCs. We can disable site link
transitivity manually by bridging specific site links.
Start the Active Directory Sites and Services snapin. (Select Administrative Tools | Active Directory
Sites and Services from the Start menu.) Expand
the Sites folder and expand the Inter-Site
Transports folder. Right-click the protocol for which
you want to disable transitivity (IP or SMTP), and
select Properties. Clear the Bridge all site links
checkbox, and click Apply.
Copyright line.
Slide 15
FAQ
Q: How do you rename a site?
A: When you install your first DC, the DC creates the
default site, Default-First-Site-Name. This name isn’t
very descriptive, so you might want to rename it.
Start the Active Directory Sites and Services snapin. (Select Administrative Tools | Active Directory
Sites and Services from the Start menu.) Expand
the Sites folder. Right-click the site that is to be
renamed (e.g., Default-First-Site-Name), and select
Rename. Enter the new name, and press Enter.
Copyright line.
Slide 16
FAQ
Q: I want to enable GC functionality on a DC.
Where do I do that?
A: In the NTDS Settings Properties window
on the General tab. You simply check the box
next to Global Catalog and click OK.
Copyright line.
Slide 17
FAQ
Q: I have an office with only 10 users. Should
I put a GC server at this location?
A: Probably not; Microsoft recommends that
50 or more users at a location constitutes the
necessity for a local DC at that office.
Copyright line.
Slide 18
FAQ
Q: I am noticing a large amount of traffic
between my corporate office and branch
office. I recently added a GC server/DC at my
branch office. Why all the extra traffic?
A: More than likely, you didn’t set up a site for
each location. Having GC servers located in
sites helps to control replication and should
cut down on bandwidth usage. Data is
compressed before being sent between sites,
which keeps bandwidth usage down.
Copyright line.
Slide 19
Exam Warning
With Windows Server 2008 and beyond,
you will see more and more references
to UPN use in single or multiple domain
environments. Be sure to understand
how the UPN works in relation to logon,
and how the GC keeps this information
available efficiently.
Copyright line.
Slide 20
Exam Warning
Be prepared to see diagrams that show
network layouts and the various GC servers
you have on your network. Part of being a
successful network administrator is being
able to determine whether the design is good.
Because many Active Directory-integrated
applications, such as Microsoft Exchange,
need access to a GC for authentication, GCs
should be placed in sites that support these
applications, as well as sites that are
connected over lower-speed WAN links.
Copyright line.
Slide 21
Test Day Tip
Universal Groups can exist only if the
functional level of your network is Windows
2000 native or later. Universal Group
information is replicated between GC servers.
Replication traffic can consume bandwidth,
which is why site topology is important;
putting a GC at each site keeps replication
traffic to a minimum.
Copyright line.
Slide 22
Test Day Tip
Microsoft’s documentation recommends that
if you have 50 or more users at a given
location, you should give that location a DC
serving as a GC server. This will help to
reduce the number of queries crossing the
WAN for Active Directory object searches.
Copyright line.
Slide 23
Exam Warning
Remember this distinction between the GC
and the Schema Master: The GC contains a
limited set of attributes of all objects in the
Active Directory. The Schema Master
contains formal definitions of every object
class that can exist in the forest and every
object attribute that can exist within an object.
In other words, the GC contains every object,
whereas the schema contains every definition
of every type of object.
Copyright line.
Slide 24
Test Day Tip
As a network administrator, you must be
familiar with the various roles and services
offered by the Active Directory Sites. You
needn’t worry about memorizing every detail
for this particular exam. What you do have to
know are the basics of how each role and
services of Active Directory Sites works, and
how Active Directory Sites can be used
efficiently in terms of data transmission as
part of a large network.
Copyright line.
Slide 25
Exam Warning
Make sure you are familiar with the benefits
provided by a domain, and how a domain
works to provide them for you.
Copyright line.
Slide 26
Test Day Tip
Make sure you know and understand the
differences between the physical and logical
structures of the network. Be aware of how
each is used to build the most efficient
replication topology.
Copyright line.
Slide 27
Test Day Tip
Remember that default Windows Server 2008 trust relationships
are friendly. The default and most common trusts in Active
Directory, which are parent and child and tree-root trusts, are
both bidirectional and transitive, meaning that the trust path
extends throughout the entire forest. You can remember this
type of transitive trust with the old saying, “Any friend of yours is
a friend of mine.”
Other types of Windows Server 2008 trusts exist, such as forest,
shortcut, and external, each of which can be bidirectional or
unidirectional and have different transitivity properties. One of
the first things you should do when you sit down at the testing
station is to write down the trusts and their properties on your
scratch paper. Do this before starting the test so as not to waste
valuable time.
Copyright line.
Slide 28
Test Day Tip
On the day of the test, you will want to review
the types of trusts as well as when to use
them. On the exam, you might be given a
scenario that will require you to determine the
type of trust that will best meet the
requirements in the scenario.
Copyright line.
Slide 29
Exam Warning
Although the trust relationship is considered
transitive, this applies only to the child
domains within forests. The transitive nature
of the trust exists only within the two forests
explicitly joined by a forest trust. The
transitivity does not extend to a third forest
unless you create another explicit trust.
Copyright line.
Slide 30
Exam Warning
You will always need to create an external
trust when connecting to a Windows NT 4.0
or earlier domain. These domains are not
eligible to participate in Active Directory.
These trusts must be one-way trusts. If you
have worked with Windows NT 4.0, you will
remember that the only trusts allowed were
nontransitive one-way trusts.
Copyright line.
Slide 31