Microsoft Active Directory Domain Services
Introduction
Active Directory stores information about users and computers on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.
Active Directory Components
- DOMAINS
- TREES
- FORESTS
- SITES
- DOMAIN CONTROLLERS
- ORGANIZATIONAL UNITS
- FSMO ROLES
- A tree is a collection of one or more domains that share a contiguous DNS namespace (for example microsoft.com and corp.microsoft.com).
- A forest is a collection of one or more trees that share a single schema, a single configuration partition and a single global catalog. The forest, not the domain, is the security boundary.
- Domains and trees make up the logical structure of AD. Sites describe the physical network (IP subnets) and are forest-wide, independent of the domain structure. Domain controllers are placed in sites, and the site topology decides how replication is scheduled and which DC a client picks.
Active Directory — Domains
Active Directory domains make up AD forests.
Users and computers log into a domain; every domain belongs to exactly one forest.
A forest can hold many domains, including child domains under a parent domain.
For example: microsoft.com can have the child domain corp.microsoft.com. A domain with a different DNS name, such as azure.com, would be a separate tree in the same forest, not a subdomain.
Note: prefer a single domain in a single forest unless there is a clear reason for more. It is simpler to run, and splitting into several domains buys no security isolation: a Domain Admin in any domain of a forest can escalate to the whole forest, so real isolation needs a separate forest.
Active Directory — Forest
When a company merges with or buys another company, each side usually keeps its own forest and a trust is created between the two forests.
A forest trust lets users in one forest authenticate to, and access resources in, the other forest.
Forest to Forest Trust
Caveats: make the trust one-way and, where possible, selective (selective authentication limits which resources users from the other forest may reach), and leave SID filtering enabled so that SID history from the other forest cannot be used to claim group memberships in this one.
Active Directory – Sites
An Active Directory site is a set of computers in one or more IP subnets connected by Local Area Network (LAN) technology, or a set of LANs connected by a high-speed backbone.
Sites control where clients look for a domain controller and how replication between DCs is scheduled and compressed across slow links.
Active Directory – Domain Controllers
A domain controller is a server that responds to authentication requests and verifies users and computers on the network.
The DC holds a writable copy of the AD database (NTDS.dit), including every account's password hashes, so it is the box that holds the keys to the kingdom: anyone with administrative or physical access to a DC owns the domain. Treat DCs as tier-0 assets: dedicated hosts with no other roles, administered only from hardened admin workstations.
Active Directory – Organizational Units
An organizational unit (OU) is a container within a Microsoft Active Directory domain that can hold users, groups, computers and other OUs. OUs are the unit of administration: Group Policy objects are linked to OUs, and control over an OU can be delegated without granting domain-wide rights.
Active Directory – FSMO Roles
Flexible single master operation (FSMO) roles are specialized tasks that exactly one domain controller performs at a time. They exist for the operations where multi-master replication would be unsafe because two DCs could make conflicting changes (for example, handing out the same RID twice).
There are five roles, two per forest and three per domain:
- Schema Master (forest) — the only DC that accepts writes to the AD schema
- Domain Naming Master (forest) — adds and removes domains and application partitions in the forest
- PDC Emulator (domain) — receives password changes and account lockouts first, is the authoritative time source for the domain, and is the default DC for editing Group Policy
- RID Master (domain) — allocates pools of relative identifiers (RIDs) to the other DCs in the domain so that newly created security principals get unique SIDs
- Infrastructure Master (domain) — updates cross-domain object references (phantoms) against the global catalog; it must not run on a GC unless every DC in the domain is a GC, or the references are never refreshed
(A global catalog server is a domain controller that additionally stores a partial, read-only replica of every object in the forest, holding only the attributes in the partial attribute set.)
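As an added example (not part of the original notes), the following PowerShell lists the five role holders and applies the infrastructure master rule from the list above. It assumes the ActiveDirectory module (RSAT) is installed and that it runs as a domain user; no changes are made.

```powershell
# Added example: enumerate FSMO role holders and check GC placement.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles come from Get-ADForest, three domain roles from Get-ADDomain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Every DC in the domain, with its site, GC flag and any roles it holds.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles

# Infrastructure master rule: it must not sit on a GC unless every DC is a GC.
# In a single-domain forest there are no cross-domain references, so the
# warning is harmless there, but it matters as soon as a second domain exists.
$im    = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC but not all DCs are GCs; move the role to a non-GC DC."
}
```

The same information is available from the command line with `netdom query fsmo`, but the object output above is what you would feed into a scheduled health check.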
Prepare DNS for Active Directory
hostname   (confirm the server's name first; it becomes the primary server in the SOA record, and renaming a DC later is painful)
Get-WindowsFeature
Install-WindowsFeature DNS
CREATING ZONE FILES
Forward Lookup Zone — New Zone
Primary Zone (a standard, file-backed zone; "Store the zone in Active Directory" is greyed out because AD DS is not installed yet)
Zone name: microsoft.com
Dynamic update: allow both nonsecure and secure dynamic updates. Secure-only updates are available only for AD-integrated zones, so switch to that after the server is promoted; while nonsecure updates are allowed, any host on the network can overwrite any record in the zone.
Reverse Lookup Zone — New Zone
Primary Zone
IPv4 Reverse Lookup Zone
Network ID: 10.0.0 (creates the zone 0.0.10.in-addr.arpa)
Create a new zone file
Dynamic update: allow both nonsecure and secure dynamic updates (same caveat as for the forward zone)
Verify these changes
Go to the microsoft.com forward zone properties, Start of Authority (SOA) tab:
Primary server: dc1.microsoft.com
Responsible person: hostmaster.microsoft.com
Name Servers tab
Edit dc1.microsoft.com and remove the IPv6 address if IPv6 is not in use on the network; otherwise resolvers may try an unreachable AAAA address first.
VERIFYING
ipconfig /registerdns
nslookup dc1.microsoft.com
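The same zone setup and verification, done with the DnsServer module instead of the GUI wizard, as an added example that is not part of the original notes. It assumes the names used in this section (zone microsoft.com, subnet 10.0.0.0/24, host dc1 at the assumed address 10.0.0.10) and that it runs elevated on the DNS server. The last block is for after the server has been promoted to a DC.

```powershell
# Added example: create the forward and reverse zones, verify, then harden after promotion.
Import-Module DnsServer

# Standard (file-backed) primary zones. AD DS is not installed yet, so the
# "Secure" dynamic-update mode is not available; NonsecureAndSecure is the
# only dynamic option at this stage.
Add-DnsServerPrimaryZone -Name 'microsoft.com' -ZoneFile 'microsoft.com.dns' -DynamicUpdate NonsecureAndSecure
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ZoneFile '0.0.10.in-addr.arpa.dns' -DynamicUpdate NonsecureAndSecure

# Register this host's A and PTR records and resolve them, as the VERIFYING step does.
ipconfig /registerdns
Resolve-DnsName -Name 'dc1.microsoft.com' -Type A
Resolve-DnsName -Name '10.0.0.10' -Type PTR       # assumed address of dc1

# SOA and NS records: the same data the zone properties tabs show in the GUI.
Get-DnsServerResourceRecord -ZoneName 'microsoft.com' -RRType Soa
Get-DnsServerResourceRecord -ZoneName 'microsoft.com' -RRType Ns

# ---- Run only after Install-ADDSForest has completed and the DC has rebooted ----
# Convert both zones to AD-integrated and allow only secure (Kerberos-authenticated)
# dynamic updates. Leaving nonsecure updates on lets any host on the network
# overwrite any record, including the DC's own A record.
foreach ($zone in 'microsoft.com', '0.0.10.in-addr.arpa') {
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

The final `Get-DnsServerZone` listing is the check worth keeping in a build script: every zone the DC is authoritative for should show `IsDsIntegrated` true and `DynamicUpdate` Secure.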
Install AD DS on Server Core and Install a New Forest
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
PROMOTING TO A DOMAIN CONTROLLER (FIRST DC OF A NEW FOREST)
Install-ADDSForest -DomainName "microsoft.com"
help Install-ADDSForest
NOTE: -SafeModeAdministratorPassword sets the Directory Services Restore Mode (DSRM) password, the local account used to boot the DC into safe mode to repair or restore the directory. It is a tier-0 secret: anyone holding it can boot the DC into DSRM and read NTDS.dit from the console, so store it offline and rotate it.
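The complete first-forest promotion as an added example (not code from the original notes). It assumes the forest name microsoft.com, a NetBIOS name of MICROSOFT and the Windows Server 2016 functional level; adjust both to the lab. The `Test-` cmdlet runs the same prerequisite checks as the real promotion without changing anything, so it is worth running first.

```powershell
# Added example: install AD DS binaries and promote this Server Core host
# to the first DC of a new forest.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM password: a tier-0 secret, read as a SecureString so it never sits in
# the command history or a transcript in clear text.
$dsrm = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

$params = @{
    DomainName                    = 'microsoft.com'
    DomainNetbiosName             = 'MICROSOFT'      # assumed NetBIOS name
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level (assumed)
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # the zones created earlier become AD-integrated
    CreateDnsDelegation           = $false           # no parent zone to delegate from in a lab
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true            # suppress the confirmation prompt
}

# Dry run: reports prerequisite failures (name resolution, forest/domain
# names, OS support) and exits without touching the server.
Test-ADDSForestInstallation @params

# Real promotion; the server reboots on completion.
Install-ADDSForest @params

# After the reboot, confirm the forest exists and the DC locator SRV records
# were registered in DNS (clients find DCs through these, not the A record).
# Get-ADForest | Select-Object Name, ForestMode, SchemaMaster
# Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.microsoft.com' -Type SRV
```

Splatting the parameters into a hashtable lets the same set drive both the test and the real promotion, so the checked configuration is exactly the one installed.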
Add or Remove a Domain Controller from a Domain
PowerShell COMMANDS
(list the user accounts that exist in the domain)
Get-ADUser -Filter *
(TO ADD A DC to an existing domain)
Install-ADDSDomainController -DomainName "microsoft.com" -Credential (Get-Credential microsoft\administrator)
(TO REMOVE A DC: demotes the local server to a member server; the cmdlet takes no -DomainName, and the new local Administrator password is required)
Uninstall-ADDSDomainController -Credential (Get-Credential microsoft\administrator) -LocalAdministratorPassword (Read-Host -AsSecureString)
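An added example (not part of the original notes) that promotes a second writable DC, verifies replication after the reboot, and shows the demotion path. It assumes the domain microsoft.com, the site Default-First-Site-Name and a Domain Admin account MICROSOFT\Administrator.

```powershell
# Added example: add a writable DC to an existing domain, verify it, and demote it later.
Import-Module ADDSDeployment
$cred = Get-Credential 'MICROSOFT\Administrator'     # must be a Domain Admin
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

$params = @{
    DomainName                    = 'microsoft.com'
    Credential                    = $cred
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true
    NoGlobalCatalog               = $false    # make it a GC; in a single domain every DC should be one
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Test-ADDSDomainControllerInstallation @params   # prerequisite check only
Install-ADDSDomainController @params            # promotes and reboots

# ---- After the reboot, from any DC: is the new DC advertised and replicating? ----
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly
Get-ADReplicationFailure -Target 'microsoft.com' -Scope Domain   # no output = no failures
repadmin /replsummary

# ---- Demotion, run on the DC being removed ----
# Uninstall-ADDSDomainController takes no -DomainName: it always demotes the
# local host. -DemoteOperationMasterRole moves any FSMO roles it holds first.
$local = Read-Host -Prompt 'New local Administrator password' -AsSecureString
Uninstall-ADDSDomainController -Credential $cred -LocalAdministratorPassword $local `
    -DemoteOperationMasterRole -Force
# Use -ForceRemoval only when the DC can no longer reach the domain, and then
# delete its stale server object from a surviving DC so metadata cleanup runs.
```

The replication check after promotion is the step most often skipped: a DC that promoted but cannot replicate will still answer logons with a stale database.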
Join a Domain Using Windows PowerShell
GUI
System Properties > Computer Name > Change, then enter the domain name.
PowerShell
Add-Computer -DomainName "microsoft.com" -NewName mydesktop -Restart
(supply a domain account that is allowed to join computers with -Credential; by default the computer object lands in the Computers container, which cannot have Group Policy linked to it, so place it in the right OU with -OUPath)
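An added example (not from the original notes) of the join with the two parameters that matter in practice: a delegated join account instead of a Domain Admin, and an explicit OU. The account join-svc and the OU Workstations are assumptions.

```powershell
# Added example: join a workstation into a specific OU with a least-privilege account.
# join-svc is an assumed account delegated "Create Computer objects" on the OU only.
$cred = Get-Credential 'MICROSOFT\join-svc'

Add-Computer -DomainName 'microsoft.com' `
             -NewName    'mydesktop' `
             -OUPath     'OU=Workstations,DC=microsoft,DC=com' `
             -Credential $cred `
             -Restart

# After the reboot, confirm the machine account's secure channel to a DC works;
# -Repair resets the computer account password if the channel is broken.
# Test-ComputerSecureChannel -Verbose
```

Delegating only "Create Computer objects" on the target OU to the join account keeps a leaked join credential from being a domain-wide credential.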
Domain Controller Cloning
In this module you will not do live (hot) cloning: the source DC is shut down before its virtual disk is copied, stays off until the copy is finished, and only then is the clone powered on. Cloning requires a hypervisor that exposes a VM-Generation ID, a PDC emulator running Windows Server 2012 or later, and the source DC's computer account in the Cloneable Domain Controllers group.
Lists installed services and programs that are not known to be safe to clone ("not supported for cloning"):
Get-ADDCCloningExcludedApplicationList
To allow the excluded applications anyway, write them to an inclusion list (CustomDCCloneAllowList.xml). Do this only after confirming each one behaves correctly when duplicated:
Get-ADDCCloningExcludedApplicationList -GenerateXml
Runs the readiness checks and creates the DCCloneConfig.xml file that the clone reads on first boot (the cmdlet is New-ADDCCloneConfigFile):
New-ADDCCloneConfigFile -Static -IPv4Address "192.168.3.13" -IPv4DNSResolver "192.168.3.10" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "DC4" -IPv4DefaultGateway "192.168.3.2"
Shut down the source DC, copy the VM, then power on the clone: it sees the changed generation ID, reads DCCloneConfig.xml and promotes itself. The copied disk image contains the whole AD database, including every password hash, so protect and then delete the intermediate copies as you would the DC itself.
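The cloning preparation as one script, added here as an example that is not part of the original notes. It assumes the source DC is named DC3, the clone DC4, the addresses given in this section, the site Default-First-Site-Name, and that it is run on the source DC as a Domain Admin.

```powershell
# Added example: prepare a virtualized DC for cloning.
Import-Module ActiveDirectory

# 1. Authorize the source DC. Only members of this group may be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'DC3$'
# The PDC emulator must run Windows Server 2012 or later.
(Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator).OperatingSystem

# 2. Anything on the excluded list aborts the clone at boot. Review each entry;
#    only whitelist it when you know it tolerates being duplicated.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force   # writes CustomDCCloneAllowList.xml
}

# 3. Prerequisite checks plus DCCloneConfig.xml in the NTDS folder.
#    Static addressing avoids the clone coming up with the source's lease.
New-ADDCCloneConfigFile -Static `
    -CloneComputerName  'DC4' `
    -IPv4Address        '192.168.3.13' `
    -IPv4SubnetMask     '255.255.255.0' `
    -IPv4DefaultGateway '192.168.3.2' `
    -IPv4DNSResolver    '192.168.3.10' `
    -SiteName           'Default-First-Site-Name'

# 4. Power off, copy the VM in the hypervisor, boot the copy. The copy detects
#    the new VM-Generation ID, applies DCCloneConfig.xml and promotes itself;
#    the original can be started again once the copy has been taken.
Stop-Computer -Force
```

If the clone boots without finding DCCloneConfig.xml, or the generation ID did not change, it starts in DSRM rather than as a duplicate DC; that failure mode is by design and is the first thing to check.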
Global Catalog Server
The global catalog (GC) lets users and applications find objects anywhere in an Active Directory forest, given one or more attributes of the target object, without knowing which domain holds the object.
The global catalog contains a partial replica of every domain naming context in the forest (only the attributes in the partial attribute set), together with full copies of the schema and configuration naming contexts.
DC TYPE — GC stands for GLOBAL CATALOG
The global catalog is a partial, read-only copy of every object in the forest, served over LDAP port 3268 (3269 for LDAPS) rather than the domain's port 389.
In a single domain/single forest:
every DC should be configured as a GC (the first DC is one by default); it costs nothing, because the domain partition is all there is to replicate.
In a multi-domain forest:
not every DC needs to be a GC, but at least one GC per site is needed because logons require a GC to expand universal group membership, and the infrastructure master must not be a GC unless all DCs are.
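An added example (not from the original notes) that makes the "partial replica" point concrete by reading the same user over the domain port and the GC port and diffing the attribute sets, then shows how GC is switched on for a DC. It assumes dc1.microsoft.com is a GC, a user jdoe exists, and DC2 is the DC to be made a GC.

```powershell
# Added example: what the global catalog holds, and how to enable it on a DC.
Import-Module ActiveDirectory
$dc = 'dc1.microsoft.com'

# Full copy over LDAP 389: every attribute the object has.
$full = Get-ADUser -Identity 'jdoe' -Server "${dc}:389"  -Properties *
# GC copy over 3268: only the partial attribute set, but forest-wide scope.
$gc   = Get-ADUser -Identity 'jdoe' -Server "${dc}:3268" -Properties *

$fullAttrs = $full.PropertyNames
$gcAttrs   = $gc.PropertyNames
"Attributes via 389: $($fullAttrs.Count)   via 3268: $($gcAttrs.Count)"
# Attributes held by the domain partition but not replicated to the GC:
Compare-Object -ReferenceObject $fullAttrs -DifferenceObject $gcAttrs |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

# Which DCs currently advertise as GC?
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog

# Enable GC on DC2: bit 1 of the 'options' attribute on its NTDS Settings object.
# OR the bit in rather than overwriting, so other option bits are preserved.
$ntds = (Get-ADDomainController -Identity 'DC2').NTDSSettingsObjectDN
$opt  = (Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opt -bor 1) }
# The DC replicates in the other domains' partial sets and then advertises;
# confirm with: (Get-ADDomainController -Identity 'DC2').IsGlobalCatalog
```

Any attribute that must be searchable forest-wide (a custom employee ID, for instance) has to be added to the partial attribute set in the schema, which is one of the few routine reasons to touch the schema at all.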
Modifying Active directory database directly.
NOTE: be careful when modifying the schema. Changes are forest-wide, replicate to every DC and cannot be undone: a class or attribute can only be deactivated, never deleted. You must be a member of Schema Admins, and the change is written on the schema master. Keep the Schema Admins group empty except while a change is being made.
The schema management DLL must be registered before the Active Directory Schema snap-in is available:
regsvr32 schmmgmt.dll
To manage the schema in an MMC console:
open Run and type mmc
Add the Active Directory Schema snap-in (File > Add/Remove Snap-in).
This shows the schema partition: the classes and attributes that define what the directory database can store, not the database contents themselves.
For troubleshooting, re-register the DC's own DNS records:
ipconfig /registerdns
Transfer and Seize Operations Master Roles
In the Active Directory Users and Computers console, right-click the domain and choose Operations Masters to view or transfer the PDC Emulator, RID Master and Infrastructure Master.
To transfer the role
The schema master is transferred in the Active Directory Schema MMC console (right-click the root, Operations Master).
The domain naming master is found in Active Directory Domains and Trusts (right-click the root, Operations Master).
PowerShell
To transfer a role from one DC to another (the current holder must be online):
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole PDCEmulator
If the current holder is permanently gone, seize the role instead of transferring it:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole PDCEmulator -Force
NOTE: seize a role only when the domain controller that held it has failed and will not return. A DC whose role was seized must never be brought back online with its old database, or two DCs will claim the same role (for the RID master that can mean duplicate SIDs). When both DCs are up, transfer.
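An added example (not from the original notes) that wraps the transfer-versus-seize decision in a reachability check so that -Force is only used when the holder is really down, moves all five roles in one call for the decommissioning case, and verifies the result. It assumes DC2 as the target and the ActiveDirectory module on the machine running it.

```powershell
# Added example: transfer when the holder is up, seize only when it is gone.
Import-Module ActiveDirectory

$target = 'DC2'
$holder = (Get-ADDomain).PDCEmulator

# LDAP reachability is a better liveness test than ICMP, which is often filtered.
$holderUp = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet

if ($holderUp) {
    # Graceful transfer: the old holder is told it no longer owns the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Confirm:$false
} else {
    # Seizure: the directory is simply rewritten to say DC2 holds the role.
    # The old holder must stay offline for good; rebuild it before it ever returns.
    Write-Warning "$holder unreachable on 389; seizing PDCEmulator onto $target"
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Force -Confirm:$false
}

# Decommissioning the current holder of everything: move all five roles at once.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify, asking a DC other than the new holder so you are not trusting its own view.
$other = (Get-ADDomainController -Filter { Name -ne $target } | Select-Object -First 1).HostName
Get-ADDomain -Server $other | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server $other | Select-Object SchemaMaster, DomainNamingMaster
netdom query fsmo
```

Verifying against a different DC also confirms the change has replicated, which is what actually matters: until it does, the rest of the domain still believes the old holder owns the role.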
Install and Configure a Read-only Domain Controller
RODC = READ-ONLY DOMAIN CONTROLLER
Used where a DC cannot be physically secured, for example a remote branch office. An RODC holds a read-only copy of the AD database and, by default, no account passwords, so stealing the box does not hand over every credential in the domain. Writes from clients are referred to a writable DC.
Install-ADDSDomainController -DomainName "microsoft.com" -Credential (Get-Credential microsoft\administrator) -ReadOnlyReplica
Site name: Default-First-Site-Name
Password: the DSRM (safe mode) password, entered as a secure string (the lab value abc@123 must never be reused outside the lab)
At the confirmation prompt answer A (Yes to All)
Password Replication Policy (PRP):
- DENY: accounts in the denied list never have their passwords replicated to or cached on the RODC. Domain Admins, Enterprise Admins and the other privileged groups are denied by default, and deny wins over allow.
- ALLOW: accounts in the allowed list may have their passwords cached on the RODC after they authenticate through it, so branch users can still log on when the WAN link is down.
NOTE: You can add further groups, or choose Advanced to see which accounts have actually been cached (revealed) on the RODC. Keep the allowed list to the branch's own users and computers: every cached password is exposed if the RODC is stolen.
Managed By:
delegates local administration of the RODC to an account at the remote site without granting it any rights in the domain.
You can specify either a user or a group here.
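The RODC promotion with the password replication policy and delegated administrator set up front, followed by the post-promotion review, as an added example that is not part of the original notes. The site Branch, the groups Branch-Users and Tier0-Admins and the account branch-admin are assumptions; the DSRM password and credential prompts follow the section.

```powershell
# Added example: promote an RODC for a branch site with a tight password replication policy.
Import-Module ADDSDeployment
$cred = Get-Credential 'MICROSOFT\Administrator'
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

$params = @{
    DomainName                          = 'microsoft.com'
    Credential                          = $cred
    ReadOnlyReplica                     = $true
    SiteName                            = 'Branch'                         # assumed site
    InstallDns                          = $true
    # Only these accounts may have secrets cached on the RODC ...
    AllowPasswordReplicationAccountName = @('MICROSOFT\Branch-Users')       # assumed group
    # ... and these never are, even if they also fall in an allowed group (deny wins).
    DenyPasswordReplicationAccountName  = @('MICROSOFT\Domain Admins', 'MICROSOFT\Tier0-Admins')
    # Local admin of the RODC host with no rights anywhere else in the domain.
    DelegatedAdministratorAccountName   = 'MICROSOFT\branch-admin'          # assumed account
    SafeModeAdministratorPassword       = $dsrm
    Force                               = $true
}
Test-ADDSDomainControllerInstallation @params
Install-ADDSDomainController @params

# ---- From a writable DC, after the reboot: review and audit the policy ----
Import-Module ActiveDirectory
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -Denied
# Extend the allowed list later without repromoting:
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -AllowedList 'Branch-Users'
# Which accounts have actually been cached on this RODC? These are the ones
# whose passwords must be reset if the box is lost.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC1' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

The revealed-accounts list is the incident-response input: if the RODC is stolen, deleting its computer object in Active Directory Users and Computers offers to reset exactly those accounts' passwords, and this query tells you in advance how large that blast radius is.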
Upgrade a Domain Controller
Get Healthy — confirm replication works on every DC (repadmin /replsummary, dcdiag) before touching anything; an upgrade on top of replication failures spreads the damage.
Extend the Schema — adprep raises the forest and domain to the schema version the new OS version needs:
adprep /forestprep
adprep /domainprep
adprep /rodcprep
adprep /gpprep
/forestprep runs once per forest on the schema master (Schema Admins and Enterprise Admins); /domainprep and /gpprep run once per domain on the infrastructure master (Domain Admins); /rodcprep runs once per forest and only matters if RODCs exist or are planned.
These steps must be completed in this order before any domain controller is upgraded or a DC running the newer OS is added. (Install-ADDSDomainController from a newer OS runs forestprep and domainprep itself when the installing account has the rights, but running adprep deliberately keeps the schema change a separate, reviewed step.)
Upgrade DCs to the new OS — after the preparation above, upgrade or replace each DC in turn.
Only once every domain controller in a domain runs the new OS can that domain's functional level be raised, and the forest level only once every domain in the forest has been raised.
Relocate FSMO roles if necessary (for example, off a DC that is being retired).
Raise Domain/forest functional level
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
In Active Directory Domains and Trusts, right-click the domain (or the root node for the forest) and select Raise Domain Functional Level / Raise Forest Functional Level.
Or in Active Directory Users and Computers, right-click the domain name and select Raise Domain Functional Level.
Raising is effectively one-way: lowering is only possible in narrow cases (for example before the AD Recycle Bin is enabled), so treat it as permanent.
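The upgrade checklist above as one script, added here as an example that is not part of the original notes. It assumes the domain microsoft.com, a target of Windows Server 2016, that it runs on a writable DC with Domain, Enterprise and Schema Admins rights, and that the new OS media is mounted as D:; the adprep lines are left commented so the script is read-only until the schema step is consciously enabled.

```powershell
# Added example: pre-upgrade checks, schema version, and the functional-level raise.
Import-Module ActiveDirectory

# 1. Get healthy: no replication failures, every partner replicating recently.
Get-ADReplicationFailure -Target 'microsoft.com' -Scope Domain
Get-ADReplicationPartnerMetadata -Target * -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
repadmin /replsummary
dcdiag /q

# 2. Record the schema version so the adprep step can be confirmed afterwards.
#    Windows Server 2012 R2 = 69, 2016 = 87, 2019 = 88.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
(Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

# 3. Inventory the DCs: OS, roles, GC. Every DC must run the new OS before
#    the domain level can be raised; roles on retiring DCs must move first.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperationMasterRoles, IsGlobalCatalog

# 4. Schema extension (one-way; run on the schema master, then the infrastructure master).
# D:\support\adprep\adprep.exe /forestprep
# D:\support\adprep\adprep.exe /domainprep /gpprep
# D:\support\adprep\adprep.exe /rodcprep
# Re-run step 2 afterwards and compare the objectVersion.

# 5. Only after every DC runs the new OS: raise the levels. Effectively one-way.
Get-ADDomain | Select-Object DomainMode
Get-ADForest | Select-Object ForestMode
Set-ADDomainMode -Identity 'microsoft.com' -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity 'microsoft.com' -ForestMode Windows2016Forest -Confirm:$false
```

Comparing `objectVersion` before and after adprep is the simplest proof that the schema step actually replicated, which is what the later DC installs depend on.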