
Module 2: Implementing an Active Directory Forest and Domain Structure
Overview

Creating a Forest and Domain Structure
Examining Active Directory Integrated DNS
Raising Forest and Domain Functional Levels
Creating Trust Relationships
Lesson: Creating a Forest and Domain Structure

Requirements for Installing Active Directory
The Active Directory Installation Process
How to Create a Forest and Domain Structure
How to Add a Replica Domain Controller
How to Rename a Domain Controller
How to Remove a Domain Controller from Active Directory
How to Verify the Active Directory Installation
How to Troubleshoot the Installation of Active Directory
Requirements for Installing Active Directory

A computer running Windows Server 2003
Minimum disk space of 250 MB and a partition formatted with NTFS
Administrative privileges for creating a domain
TCP/IP that is installed and configured to use DNS
An authoritative DNS server that supports SRV resource records
The Active Directory Installation Process

The installation process:
Starts the security protocol and sets the security policy
Creates the:
• Active Directory partitions, database, and log files
• Forest root domain
• SYSVOL folder
Configures the site membership of the domain controller
Enables security on the directory service and the file replication folders
Applies the password for restore mode
How to Create a Forest and Domain Structure

You can refer to the following procedure when you create a forest and domain structure in the lab
How to Add a Replica Domain Controller

You can refer to the following procedure when you add a replica domain controller to a domain in the practice
How to Rename a Domain Controller

Your instructor will demonstrate how to rename a domain controller
How to Remove a Domain Controller from Active Directory

You can refer to the following procedure when you remove a domain controller in the lab
How to Verify the Active Directory Installation

Your instructor will demonstrate how to:
Verify the creation of:
• SYSVOL and its shares
• The directory database and log files
• The default Active Directory structure
Verify the installation results by examining the event logs
How to Troubleshoot the Installation of Active Directory

Symptom: Access denied when creating or adding a domain controller
Possible causes:
• You are not logged on using an account in the Local Administrators group
• Your credentials are not from a user account that is a member of the Domain Admins or Enterprise Admins group

Symptom: DNS or NetBIOS domain names are not unique
Possible causes:
• Another domain has the same DNS or NetBIOS name

Symptom: Domain cannot be contacted
Possible causes:
• Network error
• DNS error

Symptom: Insufficient disk space
Possible causes:
• Available disk space is less than the minimum required to install Active Directory
Practice: Creating a Child Domain

In this practice, you will:
• Install Active Directory and create a child domain in nwtraders.msft
• Verify the installation of Active Directory
Lesson: Examining Active Directory Integrated DNS

DNS and Active Directory Namespaces
What Are Active Directory Integrated Zones?
What Are SRV Resource Records?
SRV Records Registered by Domain Controllers
How to Examine the Records Registered by a Domain Controller
Multimedia: How Client Computers Use DNS to Locate Domain Controllers and Services
DNS and Active Directory Namespaces

[Figure: DNS namespace and Active Directory namespace. Labels: “.” (DNS root domain), com., microsoft, training, sales, microsoft.msft, sales.microsoft.msft, training.microsoft.msft, computer1. Legend: DNS node (domain or computer); Active Directory domain.]


What Are Active Directory Integrated Zones?

Active Directory Integrated Zones
Are primary and stub DNS zones that are stored as objects in the Active Directory database
Can be stored in an application or a domain partition
Offer the following benefits:
• Multimaster replication
• Secure dynamic updates
• Standard zone transfers to other DNS servers
What Are SRV Resource Records?

SRV resource records are DNS records that map a service to the computer that provides the service
Format of SRV records

_Service._Protocol.Name Ttl Class SRV Priority Weight Port Target

Example

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft


SRV Records Registered by Domain Controllers

Domain controllers running Windows Server 2003 register SRV records in the _msdcs subdomain in the following format:
_Service._Protocol.DcType._msdcs.DnsDomainName
Examples
_ldap._tcp.DnsDomainName
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_gc._tcp.DnsForestName
_gc._tcp.SiteName._sites.DnsForestName
_kerberos._tcp.DnsDomainName
_kerberos._tcp.SiteName._sites.DnsDomainName
How to Examine the Records Registered by a Domain Controller

Your instructor will demonstrate how to examine the records registered by a domain controller by using the DNS console or the NSLookup utility
Multimedia: How Client Computers Use DNS to Locate Domain Controllers and Services

[Figure labels: DNS Server, Domain Controller, Client]
Practice: Verifying SRV Records

In this practice, you will examine the SRV records that are registered by your domain controller
Lesson: Raising Forest and Domain Functional Levels

What Is Forest and Domain Functionality?
Requirements for Enabling New Windows Server 2003 Features
How to Raise the Functional Level
What Is Forest and Domain Functionality?

Enable forest-wide or domain-wide Active Directory features
Columns: Network environment; Domain functional levels; Forest functional levels
Windows 2000 mixed-mode domain
Windows 2000 native-mode domain
Windows Server 2003
Domain
Windows Server 2003
Interim
Requirements for Enabling New Windows Server 2003 Features

Requirement: Domain controllers must run
  Domain: Windows Server 2003
  Forest: Windows Server 2003

Requirement: Domain functional level must be
  Domain: Raised to Windows Server 2003
  Forest: Able to be raised to Windows Server 2003

Requirement: Administrator
  Domain: Domain administrator to raise domain functional level
  Forest: Enterprise administrator to raise forest functional level
How to Raise the Functional Level

Your instructor will demonstrate how to raise the forest and domain functional levels
Practice: Raising the Domain Functional Level

In this practice, you will raise the functional level of your domain
Lesson: Creating Trust Relationships

Types of Trusts
What Are Trusted Domain Objects?
How Trusts Work in a Forest
How Trusts Work Across Forests
How to Create Trusts
How to Verify and Revoke a Trust
Types of Trusts

Tree/Root Trust
Forest Trust
Parent/Child Trust
Shortcut Trust
Realm Trust
External Trust
What Are Trusted Domain Objects?

Trusted domain objects
Represent each trust relationship in a particular domain
Store information such as transitivity and trust type
How Trusts Work in a Forest

[Figure labels: Forest Root Domain, Tree Root Domain, Tree One, Tree Two, Domain 1, Domain 2, Domain A, Domain B, Domain C]
How Trusts Work Across Forests

[Figure: forest trust between nwtraders.msft and contoso.msft, each with a global catalog; numbered steps 1 to 9 between Vancouver (vancouver.nwtraders.msft) and Seattle (seattle.contoso.msft)]
How to Create Trusts

Your instructor will demonstrate how to create trusts by using Active Directory Domains and Trusts
How to Verify and Revoke a Trust

Your instructor will demonstrate how to verify and revoke a trust by using Active Directory Domains and Trusts
Practice: Creating a Shortcut Trust

In this practice, you will:
• Create a shortcut trust between your domain and another domain in your forest
• Validate the shortcut trust
Lab A: Implementing Active Directory

Removing a Child Domain from Active Directory
Creating an Active Directory Forest Root Domain
Creating an Active Directory Child Domain
Raising Domain and Forest Functional Level
Creating a Forest Trust
