INSTALLING AND CONFIGURING ACTIVE DIRECTORY


Installing and Configuring Active Directory
• Preparing for Active Directory Installation
• Installing and Removing Active Directory
• Verifying Active Directory Installation
• Troubleshooting Active Directory Installation and Removal

Preparing for Active Directory Installation
• Active Directory installation prerequisites:
  – The domain structure
  – The domain name
  – The storage location of the database and log files
  – The location of the shared system volume folder
  – The DNS configuration method
  – The DNS configuration

Determining the Domain Structure
• To determine the domain structure, you must:
  – Assess your company’s physical environment
  – Determine the forest root domain
  – Determine the number of domains
  – Organize the domains in a hierarchy

Assessing the Physical Environment
• The physical environment of your organization’s network includes:
  – The current location of points on the network
  – The current number of users at each location
  – The current network type used at each location
  – The current location, link speed, and percentage of available bandwidth of remote network links
  – The current TCP/IP subnets at each location
  – The current location of domain controllers
  – The current list of servers at each location and the services that run on each
  – The current location of firewalls in the network

Physical Environment Example
(diagram slide; the drawing is not captured in the transcript)

Physical Environment
• In addition to your assessment of the organization’s physical environment, you should also consider other infrastructures currently employed:
  – DNS
  – Exchange Server
• Integrating DNS structures
  – Issues when using BIND

Determining the Forest Root Domain
• The forest root domain is the first domain you create in an Active Directory forest
• It must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming and policy decisions
• Start with a dedicated forest root domain
  – Set up exclusively to administer the forest infrastructure

Determining the Forest Root Domain
• A dedicated root domain is recommended because it:
  – Enables you to control the number of administrators
  – Is easy to replicate across the enterprise
  – Never becomes obsolete
  – Makes ownership easy to transfer

Determining the Number of Domains
• Begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs
• Do not create separate domains to reflect your company’s organization of divisions and departments
  – Organizational Units are recommended here instead
• Remember that a single Windows Server 2003 domain can contain and maintain up to a million objects (tested)
  – NT 4.0 domains had restrictions here

Reasons to Create More Than One Domain
• Decentralized network administration
• Replication control
• Different password requirements between organizations
• Massive number of objects
• Different Internet domain names
• International requirements
• Internal political requirements

Defining a Domain Hierarchy
• If you require more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization
• As domains are placed in a hierarchy, the two-way transitive trust relationship (the default) allows the domains to share resources
• Recap the differences between the logical domain Tree and Forest components.

Planning a Domain Namespace
• Domains are named using DNS name resolution techniques. Plan the DNS namespace before using DNS on the network.
• Decisions must be made about how DNS is to be used and what goals will be accomplished using DNS.
  – Has a DNS domain name been previously chosen and registered for the Internet?
  – Will the company’s internal Active Directory namespace be the same as or different from its external Internet namespace?
  – What naming requirements and guidelines must be followed when choosing DNS domain names?

Choosing a DNS Domain Name
• First choose and register a unique parent DNS name that can be used for hosting the organization on the Internet.
• Before deciding on a parent DNS name for the organization, perform a search to see if the name is already registered to another entity.
• The Internet DNS namespace is currently managed by Network Solutions Inc., though other domain name registrars are also available.
• Combine the parent DNS name with a location or organizational name used within your organization to form other sub-domain names.

Determining the Domain Name
• Use only the Internet standard characters: names may be up to 40 characters taken from the printable characters of US-ASCII. No distinction is made between upper and lower case letters.
• Differentiate between internal and external namespaces, if any.
• Base the internal DNS name on the Internet DNS name

Determining the Domain Name
• Never use the same domain name twice
• Use only registered domain names
• Use names that will remain static
• Use short, distinct, meaningful names

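The naming rules on the two slides above can be applied as a pre-flight check before a name is typed into the installation wizard. The Python script below is an added example and is not part of the original slides: it normalizes a candidate name (DNS is case-insensitive), enforces the 40-character limit as stated above, checks that each label uses only letters, digits and hyphens (the RFC 1035 hostname rule, a stricter reading of "Internet standard characters" than the slide's "printable US-ASCII"), requires the internal name to be the registered Internet name or a subdomain of it, and rejects a name that is already in use. The domain names in the sample call (contoso.com, fabrikam.com) are constructed sample values.

```python
import re
from typing import List

# The slide states a 40-character limit; it is kept here as given.
MAX_NAME_LENGTH = 40

# "Internet standard characters" read as the RFC 1035 hostname rule:
# letters, digits and hyphen, no leading or trailing hyphen per label.
# This is an assumption that is stricter than "printable US-ASCII".
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def normalize(name: str) -> str:
    """DNS names are case-insensitive, so compare everything in lower case."""
    return name.strip().rstrip(".").lower()


def check_domain_name(candidate: str, registered_parent: str,
                      names_in_use: List[str]) -> List[str]:
    """Return the rule violations for a proposed AD DNS domain name.

    An empty list means the name passes every check this function performs.
    """
    problems: List[str] = []
    name = normalize(candidate)
    parent = normalize(registered_parent)

    if not name:
        return ["name is empty"]

    # Short, distinct names: the slide's character limit.
    if len(name) > MAX_NAME_LENGTH:
        problems.append(
            f"name is {len(name)} characters; limit is {MAX_NAME_LENGTH}")

    # Internet standard characters, checked label by label.
    for label in name.split("."):
        if not LABEL_RE.match(label):
            problems.append(
                f"label '{label}' uses characters outside the Internet standard set")

    # Base the internal DNS name on the registered Internet name:
    # the candidate must equal the parent or be a subdomain of it.
    if not (name == parent or name.endswith("." + parent)):
        problems.append(
            f"'{name}' is not based on the registered parent name '{parent}'")

    # Never use the same domain name twice (case-insensitive comparison).
    if name in {normalize(n) for n in names_in_use}:
        problems.append(f"'{name}' is already in use")

    return problems


if __name__ == "__main__":
    # Constructed sample values.
    existing = ["sales.contoso.com"]
    for proposal in ["Corp.Contoso.com", "corp_hq.fabrikam.com", "SALES.contoso.com"]:
        verdict = check_domain_name(proposal, "contoso.com", existing)
        print(proposal, "->", "OK" if not verdict else "; ".join(verdict))
```

The check is deliberately conservative: a name that fails it may still be accepted by the wizard, but a name that passes satisfies every rule the slides list that can be tested mechanically (meaningfulness still needs a human).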
Database and Shared System Volume
• Installing Active Directory creates the database and database log files, as well as the shared system volume.
• Replication of the shared system volume occurs on the same schedule as replication of the Active Directory.
• File replication to or from the newly created system volume may not be noticed until two replication periods have elapsed, typically 10 minutes in duration.
• The first file replication period updates the configuration of other system volumes so that they are aware of the newly created system volume.

Database and Database Log Files
• The database is the directory for the new domain.
• Default location is %systemroot%\NTDS.
• If possible, place the database and its log file on separate hard disks.
• The database file name is NTDS.DIT
  – Contains the schema, global catalog and objects stored on a domain controller

Shared System Volume
• A folder structure that exists on all Windows 2003 domain controllers.
• Stores scripts and some of the group policy objects for both the current domain and the enterprise.
• Default location is %systemroot%\SYSVOL.
• Must be located on a partition or volume formatted with NTFS 5.0.
• Replication occurs on the same schedule as Active Directory

Determining the DNS Configuration Method
• You can configure your Windows Server 2003 DNS server manually, or you can allow it to be configured automatically during the installation of Active Directory
• You must have a DNS server installed if you are using Active Directory, as DNS is the locator service for Active Directory.
• It does not need to be a Windows Server 2003 DNS server
  – Can be a BIND server

Determining the DNS Configuration
• If you manually install DNS, you must make sure that the configuration meets the DNS requirements for joining an Active Directory domain
• Computers joining an Active Directory domain must satisfy the following DNS requirements:
  – Must be configured with a static IP address and the IP address of the DNS server
  – Service records must exist on the DNS server
• How to configure a static IP address and DNS server IP address on the computer

Configuring the Required DNS Resource Records
• The following service location (SRV) records must exist on the DNS server:
  – _ldap._tcp.dc._msdcs.DNSDomainName
    • This record identifies the names of the domain controllers that serve the Active Directory domains
  – A corresponding host (A) resource record that identifies the IP address of each domain controller listed in the SRV record
• To verify that the appropriate records exist:
  – Nslookup
  – A reverse lookup zone is needed to use the Nslookup utility

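Checking the records above by eye is error-prone once a domain has more than a couple of domain controllers. The Python script below is an added example, not from the slides: it parses the text that Windows nslookup prints for a query such as `nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com` and reports every domain controller that the SRV record advertises but for which no A record came back in the answer. The sample output is constructed and its line layout is modelled on Windows nslookup; the regular expressions and the domain contoso.com are assumptions, so adjust them to the exact output of your DNS server.

```python
import re
from typing import Dict, List

# Regexes modelled on Windows nslookup SRV output (assumption; tune to your version).
SVR_HOSTNAME_RE = re.compile(r"svr hostname\s*=\s*(\S+)", re.IGNORECASE)
A_RECORD_RE = re.compile(
    r"^(\S+)\s+internet address\s*=\s*(\d+(?:\.\d+){3})",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample: an SRV answer listing two DCs, but only one A record
# returned in the additional section (dc02 is advertised yet unresolvable).
SAMPLE_NSLOOKUP = """\
Server:  dns01.contoso.com
Address:  192.168.1.5

_ldap._tcp.dc._msdcs.contoso.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.contoso.com
_ldap._tcp.dc._msdcs.contoso.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.contoso.com
dc01.contoso.com        internet address = 192.168.1.10
"""


def parse_srv_targets(text: str) -> List[str]:
    """Host names named as SRV targets, normalized (no trailing dot, lower case)."""
    return [m.group(1).rstrip(".").lower() for m in SVR_HOSTNAME_RE.finditer(text)]


def parse_a_records(text: str) -> Dict[str, List[str]]:
    """Host -> IPv4 addresses, from the 'internet address =' lines in the answer."""
    records: Dict[str, List[str]] = {}
    for host, ip in A_RECORD_RE.findall(text):
        records.setdefault(host.rstrip(".").lower(), []).append(ip)
    return records


def verify_dc_records(nslookup_output: str) -> Dict[str, List[str]]:
    """Map each DC the SRV record advertises to the addresses its A record gives.

    An empty list marks a DC that the locator record points at but that the
    DNS server could not resolve, which is exactly the gap clients would hit.
    """
    a_records = parse_a_records(nslookup_output)
    return {target: a_records.get(target, []) for target in parse_srv_targets(nslookup_output)}


def missing_dcs(verification: Dict[str, List[str]]) -> List[str]:
    """DCs with an SRV entry but no A record."""
    return [host for host, addrs in verification.items() if not addrs]


if __name__ == "__main__":
    result = verify_dc_records(SAMPLE_NSLOOKUP)
    for host, addrs in result.items():
        print(f"{host}: {', '.join(addrs) if addrs else 'NO A RECORD'}")
    print("missing:", missing_dcs(result))
```

In practice the text is fed in from a file or a pipe (`nslookup -type=SRV ... > srv.txt`); a DC reported as missing should then be checked with a plain A-record query, because some servers omit the additional section rather than lacking the record.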
Installing and Removing Active Directory
• There are four ways to install Active Directory:
  – DCPromo.exe
  – Using an answer file to perform an unattended installation
  – Using the network or backup media (to install Active Directory on additional domain controllers in the network using media)
  – Using the Configure Your Server Wizard

Installing Active Directory using DCPromo.exe
• The wizard can perform the following tasks:
  – Add a domain controller to an existing domain
  – Create the first domain controller of a new domain
  – Create a new child domain
  – Create a new domain tree
  – Install a DNS server
  – Create the database and database log files
  – Create the shared system volume
  – Remove Active Directory services from a domain controller

Installing Active Directory using an Answer File
• You can create an answer file to run the Active Directory Installation Wizard without having to respond to the screen prompts
• Dcpromo /answer:(answerfile)

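The answer file named on the slide is a plain INI-style text file with a [DCInstall] section. The Python helper below is an added example, not from the slides: it builds that file for either the first domain controller of a new forest or an additional (replica) domain controller, fills in the default database, log and SYSVOL paths given on the earlier slides, and refuses to produce a file with required settings missing. The key names are assumed from the documented Windows 2000/Server 2003 dcpromo answer-file format and should be verified against your own reference; corp.contoso.com, CORP and the password placeholder are constructed values. Because the file carries SafeModeAdminPassword (and, for a replica, the promotion account's password) in clear text, it should be readable only by the administrator running dcpromo and removed as soon as promotion completes.

```python
from typing import Dict, List

# [DCInstall] keys assumed from the Windows 2000/Server 2003 dcpromo
# answer-file format; verify them against your own reference before use.
ROLE_FIXED_KEYS: Dict[str, Dict[str, str]] = {
    # First DC of a new forest: a new domain that starts a new tree.
    "new_forest": {"ReplicaOrNewDomain": "Domain",
                   "TreeOrChild": "Tree",
                   "CreateOrJoin": "Create"},
    # Additional DC in an existing domain.
    "replica": {"ReplicaOrNewDomain": "Replica"},
}
ROLE_REQUIRED_KEYS: Dict[str, List[str]] = {
    "new_forest": ["NewDomainDNSName", "DomainNetbiosName", "SafeModeAdminPassword"],
    "replica": ["ReplicaDomainDNSName", "UserName", "Password", "UserDomain",
                "SafeModeAdminPassword"],
}
# Defaults follow the locations on the earlier slides; pass DatabasePath and
# LogPath explicitly to put the database and its log on separate disks.
DEFAULTS: Dict[str, str] = {
    "DatabasePath": r"%systemroot%\NTDS",
    "LogPath": r"%systemroot%\NTDS",
    "SYSVOLPath": r"%systemroot%\SYSVOL",
    "AutoConfigDNS": "Yes",
    "RebootOnSuccess": "Yes",
}


def missing_settings(role: str, settings: Dict[str, str]) -> List[str]:
    """Required keys the caller has not supplied (empty values count as missing)."""
    return [key for key in ROLE_REQUIRED_KEYS[role] if not settings.get(key)]


def build_answer_file(role: str, settings: Dict[str, str]) -> str:
    """Return the text of a dcpromo answer file for the given role."""
    if role not in ROLE_FIXED_KEYS:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(ROLE_FIXED_KEYS)}")
    missing = missing_settings(role, settings)
    if missing:
        raise ValueError(f"missing required settings for {role}: {', '.join(missing)}")
    # Caller values override the defaults; the role's fixed keys override both,
    # so a caller cannot accidentally turn a replica into a new forest.
    merged = {**DEFAULTS, **settings, **ROLE_FIXED_KEYS[role]}
    lines = ["[DCInstall]"] + [f"{key}={value}" for key, value in merged.items()]
    return "\n".join(lines) + "\n"


def write_answer_file(path: str, role: str, settings: Dict[str, str]) -> None:
    """Write the file used with 'dcpromo /answer:<path>'.

    The file holds passwords in clear text: restrict it to the promoting
    administrator and delete it once the promotion has finished.
    """
    with open(path, "w", encoding="ascii") as handle:
        handle.write(build_answer_file(role, settings))


if __name__ == "__main__":
    # Constructed sample values; the password is a placeholder.
    print(build_answer_file("new_forest", {
        "NewDomainDNSName": "corp.contoso.com",
        "DomainNetbiosName": "CORP",
        "SafeModeAdminPassword": "REPLACE-ME",
    }))
```

The install-from-media path described on the next slide (`Dcpromo /adv`) uses the same file format with additional keys naming the restored backup; those are left out here because the slides do not cover them.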
Installing Active Directory Using the Network or Backup Media
• In Windows 2000, promoting a member server to become an additional domain controller required replicating the entire directory database
• Servers running Windows Server 2003 can be promoted using a restored backup taken from a Windows Server 2003 domain controller
• This backup can be stored on any backup media
• Reduces the amount of replication required to copy the directory database
  – Saves on bandwidth
• Enables you to configure a new DC more quickly
• Dcpromo /adv

Using the Configure Your Server Wizard
(screenshot slide; the image is not captured in the transcript)

Removing Active Directory from a Domain Controller
• Run Dcpromo
• To remove AD, you must have the appropriate credentials:
  – To remove the LAST DC in a tree-root or domain, you must be a member of Enterprise Admins
  – To remove AD from a DC that is the last in the forest, you must log on to the domain as Administrator or as a member of the Domain Admins global group
  – To remove AD from a domain controller that is not the last DC in the domain, you must be logged on as a member of either the Domain Admins global group or the Enterprise Admins group

Verifying Active Directory Installation
• You must verify that Active Directory has been correctly installed
• You can do this by verifying the following:
  – Domain configuration
  – DNS configuration
  – DNS integration with Active Directory
  – Installation of the shared system volume
  – Operation of the Directory Services Restore Mode boot option

Troubleshooting Active Directory Installation and Removal
• Troubleshooting Active Directory installation: typical problems
  – You cannot reach the server from which you are installing, perhaps because the DNS name is not registered yet
  – The name of the domain you are authenticating against is incorrect or not available yet
  – The user name and password you supplied are incorrect
  – The DNS server settings are not configured correctly
  – You are unable to remove data in Active Directory after an unsuccessful removal of Active Directory

Troubleshooting Active Directory Installation and Removal
• Tools available to help diagnose and resolve problems
  – Directory Service log
  – NetDiag.exe – network connectivity tester
  – DcDiag.exe – domain controller diagnostic tool
  – Dcpromoui.log, Dcpromos.log and Dcpromo.log files
  – Ntdsutil – Active Directory diagnostic tool

Troubleshooting Active Directory Installation and Removal
• Troubleshooting with the Directory Service log in Event Viewer

Troubleshooting Active Directory Installation and Removal
• Troubleshooting with netdiag.exe
• Included with the support tools on the installation CD
• Netdiag.exe diagnoses network problems by checking all aspects of a host computer’s network configuration and connection
• Netdiag has the following syntax

Troubleshooting Active Directory Installation and Removal
(Netdiag syntax screen; not captured in the transcript)

Troubleshooting Active Directory Installation and Removal
• Run Netdiag whenever a computer is having network problems
• The utility tries to diagnose the problem and can even flag problem areas for closer inspection
• Can fix simple DNS problems with the optional /fix switch
• How to install the Windows Server 2003 support tools
• To use Netdiag
  – Netdiag /debug

Troubleshooting Active Directory Installation and Removal
• Troubleshooting with Dcdiag.exe
  – A command line diagnostic tool included in the support tools
  – Analyzes the state of domain controllers in a forest or enterprise and reports any problems
  – Runs a series of tests to verify different functional areas of Active Directory
  – You can specify which domain controllers are tested
  – A read-only tool that does not affect the state of the enterprise and performs an automatic analysis of the domain controller with little user intervention
  – The Dcdiag tool verifies that:
    • DNS names for the server are registered
    • The server can be reached by IP address, LDAP and RPC

Troubleshooting Active Directory Installation and Removal
• Dcdiag.exe syntax

Troubleshooting Active Directory Installation and Removal
(Dcdiag syntax screen; not captured in the transcript)

Troubleshooting Active Directory Installation and Removal
• Example of Dcdiag.exe
  – Dcdiag /s:domain_controller_name /test:connectivity

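Dcdiag prints one verdict line per test in the form `......................... DC01 passed test Connectivity`, and the lines printed between `Starting test:` and that verdict carry the reason for a failure. The Python parser below is an added example, not from the slides: it reads saved dcdiag output, attaches those detail lines to each result, and returns only the failures so that a run across several domain controllers can be triaged without scrolling. The sample output is constructed and its layout is modelled on Windows Server 2003 dcdiag (the detail line is labelled as constructed); the regular expressions are assumptions to adjust against your own output.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Verdict and test-start lines, modelled on dcdiag output (assumption).
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.IGNORECASE)
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")

# Constructed sample run against one DC with a failing Services test.
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: Services
         Invalid service status: kdc on DC01 (constructed detail line)
         ......................... DC01 failed test Services
"""


@dataclass
class TestResult:
    server: str
    test: str
    passed: bool
    details: List[str] = field(default_factory=list)


def parse_dcdiag(output: str) -> List[TestResult]:
    """Turn dcdiag text into one TestResult per verdict line.

    Non-blank lines between 'Starting test:' and the verdict are kept as the
    result's details; text outside a test (banners, 'Testing server:') is dropped.
    """
    results: List[TestResult] = []
    current_test = None
    pending: List[str] = []
    for line in output.splitlines():
        start = START_RE.match(line)
        if start:
            current_test, pending = start.group(1), []
            continue
        verdict = RESULT_RE.match(line)
        if verdict:
            server, outcome, test = verdict.groups()
            results.append(TestResult(server, test, outcome.lower() == "passed", pending))
            current_test, pending = None, []
            continue
        if current_test is not None and line.strip():
            pending.append(line.strip())
    return results


def failed_tests(output: str) -> List[TestResult]:
    """Only the failures, with their detail lines, for triage."""
    return [result for result in parse_dcdiag(output) if not result.passed]


if __name__ == "__main__":
    for failure in failed_tests(SAMPLE_DCDIAG):
        print(f"{failure.server}: {failure.test} FAILED")
        for detail in failure.details:
            print(f"    {detail}")
```

Redirect a real run into a file (`dcdiag /s:dc01 > dcdiag.txt`) and feed the file to `failed_tests`; a DC that fails the Connectivity test should be investigated first, since every other test depends on reaching it.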
Troubleshooting Active Directory Installation and Removal
• Troubleshooting with the Dcpromo log files
• The following logs are created when you install Active Directory:
  – Dcpromoui.log
  – Dcpromos.log
  – Dcpromo.log

Troubleshooting Active Directory Installation and Removal
• Dcpromoui.log
  – Contains a detailed progress report of the Active Directory installation from a graphical interface perspective
  – The following information about the installation or removal is logged:
    • The name of the source domain controller for replication
    • The directory partitions that were replicated to the target server
    • The number of items that were replicated in each directory partition
    • The services configured on the target domain controller
    • The access control entries set on the registry and files
    • The sysvol directories
    • Applicable error messages
    • Applicable selections that were entered by the Administrator during the installation

Troubleshooting Active Directory Installation and Removal
• Dcpromos.log
  – Similar to the Dcpromoui.log file
  – Created by the user interface during graphical user interface mode setup when a Windows NT 3.x or 4.0 domain controller is promoted to a Windows 2003 domain controller

Troubleshooting Active Directory Installation and Removal
• Dcpromo.log
  – Records the settings used for promotion or demotion, such as the site name, the path for the Active Directory database and log files, time synchronization and information about the computer account
  – Captures the creation of the Active Directory database, the Sysvol trees and the installation, modification and removal of services
  – The log is located in %systemroot%\debug

Troubleshooting Active Directory Installation and Removal
• Troubleshooting with Ntdsutil.exe
  – Command line tool that provides management facilities for Active Directory
  – By default it is installed in the %systemroot%\system32 directory