Windows 2000 Directory Services Administration
Chapter 2: Installing the Components of Active Directory
Active Directory is one of the most important functions within a Windows 2000 domain. As such, its installation and configuration, as well as its proper design and structure, can make or break most Windows 2000 deployments. The most important process of an Active Directory deployment revolves around the pre-deployment discovery and planning, rather than the actual installation itself.
A. Data collation
   1. Current network design and services hosted
      a. Number of current legacy NT domains
      b. Current trust relationships
      c. Replication: login scripts, policies, WINS, roaming profiles
      d. Administrative authority and responsibility: some organizations consist of multiple administrative groups with separate authority and server responsibility. Identifying these types of political constraints in advance is necessary for success.
   2. Windows 2000's new technologies
      a. Transitive trusts
      b. Active Directory sites
      c. IP security
B. Prerequisites
   Most systems will need more than the Microsoft minimum hardware requirements.
   1. System minimum
      a. Microsoft-required minimum
         i. Pentium 166MHz
         ii. 64MB RAM
   2. Real-world minimum
      a. Pentium II 400MHz
      b. 128MB RAM (256MB recommended)
   3. DNS server: BIND version 8.1.2 required
      a. Support for service (SRV) resource records required
      b. Microsoft DNS not required
      c. Dynamic DNS not required (but strongly recommended)
      d. WINS integration not required (but strongly recommended)
   4. 250MB HDD storage
      a. Log and database files should be split between physical (or logical) drives for best performance and scalability (similar to Exchange and SQL installations).
      b. SYSVOL is required to be on NTFS (the log and database files are not).
C. DCPROMO
   DCPROMO, which is started from the Run line or from a command shell, starts the Active Directory installation. This application is very simple to operate and provides for a number of custom configurations, which are not obvious at first glance. Familiarity with DCPROMO is a fundamental requirement for Windows 2000 deployment and is a starting point in any discussion of Active Directory.
   1. DCPROMO.EXE is used for configuration of AD servers
      a. Promote Windows 2000 servers to AD domain controllers
         i. Create new AD domains, forests, trees
         ii. Add new domain controllers to existing installations
      b. Demote AD domain controllers to member servers
   2. Creating a new domain
      a. New domain in a new forest
      b. New domain within a pre-existing forest
      c. Assign the domain name
         i. The fully qualified domain name (FQDN) will now function as the DNS domain for the organization.
         ii. The name before the first dot (for example, "Microsoft" in "Microsoft.com") will be used as the NetBIOS name by default, although that can be changed. Modifying this setting beyond the default configuration can cause a tremendous number of configuration issues when dealing with Windows 9x-based clients.
   3. Specifying file locations
      a. Database files
         i. Jet database files: can be installed on FAT or NTFS, but for security's sake should always be installed on NTFS-formatted drives. If installed on an independent drive, the partition should be formatted with 4K clusters.
      b. Log files: transaction log files, used to ensure data integrity within the database. If installed on an independent disk, separate from the database files, they should be installed on a partition with 8K clusters.
      c. SYSVOL files: the share used to house all public files. Has to be installed on an NTFS 5.0 partition.
   4. DNS
      a. Windows DNS service: Active Directory requires DNS, and Windows 2000 therefore comes equipped with an optional DNS service that supports a number of new features designed to enhance Windows 2000's operation and manageability.
      b. Non-Windows DNS service: the Windows 2000 DNS service is not required for use within the Active Directory domain. However, if a third-party DNS solution is used for client name resolution within the network, the DNS product used has to be BIND 8.1.1-compliant, although Microsoft recommends no later than 8.1.2.
         i. Windows 2000 automatically creates the necessary BIND updates needed to support the new AD domain in a file named NetLogon.dns, located within the \system32\config directory. An example of this file is located on page 65 of the text, within Figure 2-14.
      - The infrastructure computer should be the only system configured as the DNS server in the domain, and should be configured to accept automatic updates from anyone.
      - All servers using DHCP should be set to static mapping during this installation process as well.
      - The domain name used for the organization should have a separate DNS suffix from the domain name used in the Internet namespace. For example, "Microsoft.Home" should be used internally instead of "Microsoft.com".
      - If Windows 9x clients are in the classroom as well (recommended to give the students the complete look and feel of real-world environments), WINS services need to be added to and configured on the instructor's machine to interface with the DNS service.
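An added example, not the text's NetLogon.dns from Figure 2-14, that parses a constructed zone fragment written in the same SRV record syntax and reports which service records a domain controller should be advertising are missing from a third-party zone; the required set (LDAP on port 389 and Kerberos on port 88 under the domain name) and the domain/server names are assumptions of the example.

```python
"""Check a BIND-style zone fragment for a domain controller's SRV records."""
import re

# Constructed zone data in NetLogon.dns style. SRV field order follows RFC 2782:
#   name  ttl  class  type  priority  weight  port  target
ZONE = """
_ldap._tcp.microsoft.home. 600 IN SRV 0 100 389 dc1.microsoft.home.
_kerberos._tcp.microsoft.home. 600 IN SRV 0 100 88 dc1.microsoft.home.
_ldap._tcp.Default-First-Site-Name._sites.microsoft.home. 600 IN SRV 0 100 389 dc1.microsoft.home.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def parse_srv(zone_text):
    """One dict per SRV record; blank lines and ';' comments are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line}")
        rec = m.groupdict()
        for key in ("ttl", "prio", "weight", "port"):
            rec[key] = int(rec[key])
        # DNS names are case-insensitive; drop the trailing root dot as well.
        rec["name"] = rec["name"].lower().rstrip(".")
        rec["target"] = rec["target"].lower().rstrip(".")
        records.append(rec)
    return records

# Assumed required set: the domain-wide LDAP and Kerberos registrations.
REQUIRED = {("_ldap._tcp", 389), ("_kerberos._tcp", 88)}

def missing_services(zone_text, domain, dc):
    """(service, port) pairs that `dc` does not advertise directly under `domain`."""
    domain, dc = domain.lower().rstrip("."), dc.lower().rstrip(".")
    found = {(r["name"][: -len(domain) - 1], r["port"])
             for r in parse_srv(zone_text)
             if r["name"].endswith("." + domain) and r["target"] == dc}
    return sorted(REQUIRED - found)
```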
II. Creating sites
A. What is a site?
   1. A collection of well-connected IP subnets and domain controllers. (Well-connected normally means via network segments of at least 10Mbps.) Used to segment replication and authentication traffic, and to minimize AD impact on network segments.
   2. All Active Directory domains consist of one or more sites.
      a. The first site is called Default-First-Site-Name.
      b. A second site requires the creation of a new IP subnet range.
   3. Each site is created to segment local traffic.
      a. Each physical site (a subnet separated by slow WAN links) should be created as its own site.
      b. All AD servers within the site replicate only to other servers within the site.
      c. All clients within the site first authenticate to available servers within the site.
B. Creating a new site
   1. The Sites and Services MMC snap-in is used for all site configuration and management.
   2. All sites have to be connected via a site link.
      a. The default site link is called DefaultIPSiteLink.
      b. All new sites must be assigned a site link at the time of creation.
III. Creating subnets
A. What is a subnet?
   1. An IP-based routing designation as described by the subnet mask.
      a. IP addresses are binary numbers represented in decimal format to make it easier on people. For example, 209.28.111.67 is easier for humans to understand and remember than 11010001.00011100.01101111.01000011.
      b. IP addresses are sets of four octets, each of which can contain a decimal number from 0 through 255.
         i. Zero is all zeros in binary.
         ii. 255 is all ones in binary (eight ones, to be exact).
   2. Subnet masks are IP numbers used to split all IP addresses into two separate numbers.
      a. The host address is anything designated by a 0 in the subnet mask.
      b. The network address is anything designated by a 1 in the subnet mask.
      c. Subnet masks allow the IP protocol to be routable, and are configured differently within most networks to allow the protocol to meet different needs.
B. Creating subnets within Active Directory
   1. Requires the IP range and subnet mask for the network
      a. A mask has to be contiguous; ones and zeros cannot intermix in the binary representation of the mask.
      b. The mask is shown using the /x standard. For example, /16 translates into 255.255.0.0, which translates into 11111111.11111111.00000000.00000000.
   2. Each subnet is assigned to a site object.
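As an added worked example (not part of the chapter notes), the subnet arithmetic above in Python: binary rendering of the page's sample address, /x prefix to dotted mask, the contiguity check, the network/host split, and a lookup of which site a client address falls in. The subnet-to-site table is constructed, and the lookup assumes longest-prefix matching (the more specific subnet wins).

```python
"""Subnet arithmetic behind Active Directory subnet objects (added example)."""

def to_bits(dotted):
    """'209.28.111.67' -> '11010001.00011100.01101111.01000011'."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))

def to_int(dotted):
    """Dotted-decimal IPv4 address to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/16 -> '255.255.0.0': `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return to_dotted(((1 << prefix) - 1) << (32 - prefix))

def is_contiguous(mask):
    """A valid mask is a run of 1s followed by a run of 0s: no '01' anywhere."""
    return "01" not in to_bits(mask).replace(".", "")

def split_address(addr, mask):
    """(network part = bits under the mask's 1s, host part = bits under its 0s)."""
    a, m = to_int(addr), to_int(mask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)

# Constructed subnet-to-site table; in AD each subnet object points at one site.
SITE_SUBNETS = {
    "209.28.0.0/16": "Default-First-Site-Name",
    "209.28.111.0/24": "Branch-Office",
}

def site_for_address(addr, subnets=SITE_SUBNETS):
    """Site whose subnet contains addr; the most specific (longest prefix)
    subnet wins. Returns None when no subnet object covers the address."""
    a, best = to_int(addr), None
    for cidr, site in subnets.items():
        net, prefix = cidr.split("/")
        prefix, net_int = int(prefix), to_int(net)
        m = to_int(prefix_to_mask(prefix))
        if net_int & m != net_int:
            raise ValueError(f"{cidr}: host bits set in the network address")
        if a & m == net_int and (best is None or prefix > best[0]):
            best = (prefix, site)
    return best[1] if best else None
```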
IV. Creating site links
A. What is a site link?
   1. Used to define how sites replicate traffic among each other.
   2. Specified in order of priority, allowing the creation of backup replication routes for sites to communicate.
   3. Interfaces with the Knowledge Consistency Checker (KCC).
B. Creating a site link
   1. Created within the Sites and Services MMC snap-in under the site link object. (This is shown in Figure 2-20 on page 80 of the text.)
   2. Two separate site link protocols can be used to interoperate between the domains.
      a. IP (RPC) is the traditional method for NT servers to communicate and is the primary method used by servers within a site. IP- or RPC-based traffic is the default method used to connect sites together.
      b. SMTP is used when low-speed asynchronous replication is necessary between sites. In addition, SMTP can be used over Internet connections, which are problematic for RPC-based communication. It is worth noting that SMTP is also an IP-based protocol and part of the TCP/IP protocol stack.
V. Assigning bridgehead servers
A. What is a bridgehead server?
   1. A server within a site designated to receive all of the replication traffic from another site. A single AD server can be the replication host for multiple or individual sites and can be configured to act only as a backup in case the other servers are unavailable.
B. Creating bridgehead servers
   1. Within the Sites and Services MMC snap-in, configure the server object to become a bridgehead.
   2. Plan the deployment of bridgehead servers to allow for the most efficient use of both the network and the replication load on the servers.
VI. Creating site link bridges
A. What is a site link bridge?
   In a large organization, special attention has to be paid to the planning and construction of site link bridges. A site link bridge is a collection of site connections, created and configured in advance, used to route replication between multiple sites.
   1. By default, all site links are non-transitive.
      a. Connecting site links to form a site link bridge allows multiple sites to replicate across a small number of site links and to share a common replication structure.
      b. If site link bridging is not utilized, all sites have to be directly connected to each other via site links.
   2. Site link bridges do not contain route costs. They assume the cost of all the sites used to move from one domain to another.
   3. Site link bridges allow backup replication links to be used only when needed.
   4. Site link bridges decrease the administrative overhead involved in site management.
B. Creating site link bridges
   1. Created in the Sites and Services MMC snap-in.
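An added example (not from the text) that models the cost rule in VI.A.2 and the backup-link behaviour in VI.A.3 with constructed site names and link costs: without bridging only a direct site link between two sites counts, with bridging the route cost is the sum of the site links traversed, and the expensive backup link is chosen only once the cheaper route is gone.

```python
"""Replication route cost with and without site link bridging (added example)."""
import heapq

# Constructed site links: (site_a, site_b, cost). Lower cost is preferred.
SITE_LINKS = [
    ("HQ", "Branch-A", 100),
    ("HQ", "Branch-B", 100),
    ("Branch-A", "Branch-B", 500),   # slow backup link between the branches
]

def cheapest_path(links, src, dst, bridged=True):
    """Return (cost, [sites]) for the cheapest replication route, or None.

    bridged=False models the default non-transitive behaviour: only a direct
    site link between src and dst counts. bridged=True sums the costs of the
    links traversed, which is what a site link bridge lets the KCC do."""
    if not bridged:
        direct = [c for a, b, c in links if {a, b} == {src, dst}]
        return (min(direct), [src, dst]) if direct else None
    graph = {}
    for a, b, c in links:                     # site links are bidirectional
        graph.setdefault(a, []).append((b, c))
        graph.setdefault(b, []).append((a, c))
    best = {src: 0}
    frontier = [(0, src, [src])]              # Dijkstra over link costs
    while frontier:
        cost, site, path = heapq.heappop(frontier)
        if site == dst:
            return cost, path
        if cost > best[site]:
            continue                          # stale entry, a cheaper one was found
        for nxt, c in graph.get(site, []):
            new_cost = cost + c
            if nxt not in best or new_cost < best[nxt]:
                best[nxt] = new_cost
                heapq.heappush(frontier, (new_cost, nxt, path + [nxt]))
    return None

def route_after_failure(links, failed, src, dst):
    """Route once the site link `failed` (a pair of sites) is unavailable:
    the backup link is only used when the cheaper bridged route is gone."""
    remaining = [l for l in links if {l[0], l[1]} != set(failed)]
    return cheapest_path(remaining, src, dst)
```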
VII. Creating connectionless objects
A. What are connectionless objects?
   1. Objects used to manage inbound connections to a domain controller.
   2. Automatically created and managed by the KCC.
      a. Manual configuration is supported, but is not managed by the KCC, which can cause a decrease in network reliability.
      b. Automatically created objects can be assigned manual ownership, which allows for customization of the replication schedule but removes KCC automatic management.
   3. Can use an IP-, RPC-, or SMTP-based connection.
B. Creating connectionless objects
   1. It is possible to create an object designated to use a protocol not supported by the site links in place, which will in turn not function until a supporting site link is created.
   2. IP and RPC are more efficient, but less forgiving of an unstable network.
   3. SMTP is slower, but very forgiving of network "flapping."
VIII. Creating global catalogs
A. What is a global catalog?
   Global catalog servers exist within every domain and are required to be domain controllers.
   1. Holds a full copy of the local domain's database, and a partial replica of the forest's other domains' databases.
   2. Responsible for replicating its local domain changes and updates to all the other domains.
      a. Provides the data necessary to search for objects from other domains and then point the requesting user to the domains in question for further reference.
   3. Holds all references to universal groups and is therefore required for domain logon of all users.
      a. The Administrator account is capable of logon even when the global catalog is unavailable.
      b. Global catalog servers should be in every site and domain within the organization.
      c. AD-aware services like Exchange 2000 also need global catalog servers to be available to resolve authentication and address list requests.
B. How to create global catalog servers
   1. Created using the Sites and Services MMC snap-in, shown in Figure 2-30 on page 103 of the text.
   2. Configured by accessing the properties page of the NTDS Settings object.