Active Directory


  1. Active Directory Installation
  2. Naming
     - Computer has
       - Full computer name, generally same as DNS name, consisting of
         - Computer name
         - Primary DNS suffix
       - NetBIOS name
     - Domain has
       - DNS name
       - NetBIOS name
  3. Changing Names
     - Can change
       - Computer name of a workstation or member server
       - Primary DNS suffix of a workstation or member server
     - Cannot change
       - Domain name
         - Applies to both DNS and NetBIOS names
       - Computer name of a domain controller
         - Applies to both DNS and NetBIOS names
     - Must ensure that server names are correct before promoting to DC
  4. Full Computer Name
     - Set in System Properties/Network Identification
     - Made by concatenating
       - Computer name
         - Generally same as hostname (part of DNS name up to first ‘.’)
       - Primary DNS suffix
     - NetBIOS name is always first 15 characters of computer name
       - Cannot be changed
       - Must still be unique if using central WINS servers
       - Recommended unique for DCs even if not using central WINS servers
  5. Naming Conventions
     - Computer name
       - Unit code + name of choice
         - E.g. oucs-fred, chem-w2kserver1
       - Recommended to keep 15 characters or less
     - Primary DNS suffix
       - DNS domain name (e.g., …)
     - … for full details
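The naming rules on slides 2 to 5 (full computer name = computer name + primary DNS suffix, NetBIOS name = first 15 characters, unit-code prefix, names fixed once the server becomes a DC) are exactly the things to verify before running dcpromo. The following PowerShell script is an added example, not part of the original slide deck: it reads the local names, derives the NetBIOS name the way slide 4 describes, and reports deviations from the convention. The unit code and expected DNS suffix are parameters you supply; the registry value name SyncDomainWithMembership (the "Change primary DNS suffix when domain membership changes" checkbox from slide 7) is an assumption about where that setting is stored.

```powershell
# Added example (not from the original slides): pre-promotion naming check.
# Assumptions: run locally on the Windows server that is about to be promoted;
# $UnitCode and $ExpectedDnsSuffix are supplied by the administrator.
param(
    [Parameter(Mandatory)][string]$UnitCode,          # e.g. 'chem' (constructed example)
    [Parameter(Mandatory)][string]$ExpectedDnsSuffix  # the unit's DNS domain name
)

$ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$hostName = $ipProps.HostName      # computer name: part of the DNS name up to the first '.'
$suffix   = $ipProps.DomainName    # primary DNS suffix
$fullName = if ($suffix) { "$hostName.$suffix" } else { $hostName }

# Slide 4: the NetBIOS name is always the first 15 characters of the computer name
$netbios = $hostName.Substring(0, [Math]::Min(15, $hostName.Length)).ToUpper()

$findings = @()
if ($hostName.Length -gt 15) {
    $findings += "Computer name '$hostName' exceeds 15 characters; NetBIOS name will be truncated to '$netbios'."
}
if ($hostName -notlike "$UnitCode-*") {
    $findings += "Computer name '$hostName' does not start with unit code '$UnitCode-'."
}
if ($suffix -ne $ExpectedDnsSuffix) {
    $findings += "Primary DNS suffix '$suffix' differs from expected '$ExpectedDnsSuffix'."
}

# Checkbox 'Change primary DNS suffix when domain membership changes' (slide 7).
# Value name SyncDomainWithMembership is an assumption; 1 = checkbox enabled.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
$syncSuffix = ($null -eq $tcpip.SyncDomainWithMembership) -or ($tcpip.SyncDomainWithMembership -ne 0)

[pscustomobject]@{
    ComputerName          = $hostName
    PrimaryDnsSuffix      = $suffix
    FullComputerName      = $fullName
    NetBiosName           = $netbios
    SyncSuffixWithDomain  = $syncSuffix
    ReadyToPromote        = ($findings.Count -eq 0)
    Findings              = $findings
}
```

Run it as `.\Test-DcNaming.ps1 -UnitCode chem -ExpectedDnsSuffix <unit DNS domain>` (file name is the example's own choice). Fix anything it reports before promotion, because slide 3 is explicit that a domain controller's computer name cannot be changed afterwards. If you intend the DC's primary DNS suffix to differ from the AD domain name (slide 7), SyncSuffixWithDomain must be False before you run dcpromo.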
  6. Prerequisites for Active Directory Installation
     - 2000 Server, correctly named
     - NTFS partition
     - Minimum of 200MB for AD database
     - Minimum of 50MB for log files
     - TCP/IP protocol configured to use DNS
     - If at all possible, have at least two DCs for resilience
  7. Information Required for Active Directory Installation
     - Domain name for new AD domain
       - DNS name (must be same as unit name)
       - NetBIOS name
       - NB although untested, it is possible for a domain controller to have a different primary DNS suffix from the AD domain name
         - Need to turn off “Change primary DNS suffix when domain membership changes” option in System Properties before promoting to DC
     - Location for AD database and log files
     - Password for Directory Services Restore Mode Administrator account
  8. Installing Active Directory on the First Domain Controller
     - Run dcpromo to start the AD installation wizard
       - Don’t use the initial screen to configure the server — less flexible
     - Make it a DC for a new domain, create a new domain tree and new forest of domain trees
     - AD domain name must be same as unit DNS name for correct DNS integration
     - NetBIOS name of domain same as first part of DNS name by default
       - May need to change, especially if already using this name for existing NT domain
  9. Installing AD on the First Domain Controller cont.
     - For best performance, put database files and log files on different hard disks
     - Sysvol must be on NTFS partition
     - Only choose “Permissions compatible with pre-2000 computers” if you have NT servers in domain
     - Don’t forget the Directory Services Restore Mode administrator password — it is not the same as the AD Administrator account
  10. Installing Active Directory on Subsequent Domain Controllers
     - Run dcpromo
     - Select option to set up Additional DC for existing domain
     - Put main AD administrator account details into Network credentials page
     - Give DNS name of domain
     - For other information, as per the first DC
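Slides 8 to 10 walk through the dcpromo wizard choices for the first and for additional domain controllers. On Windows Server 2012 and later the wizard was replaced by the ADDSDeployment cmdlets, and the same decisions become parameters. The script below is an added example (not from the original slides and not Microsoft's sample code) that maps each slide item onto those parameters: separate disks for database and logs, SYSVOL on NTFS, an explicit NetBIOS name when the default would collide with an existing NT domain, and a DSRM password that is distinct from the domain Administrator password. The domain name, paths and credentials are placeholders you replace.

```powershell
# Added example (not from the original slides): first DC or additional DC
# with the ADDSDeployment module (Windows Server 2012+). Placeholders:
# $DomainName, $NetbiosName and the D:/L: paths are constructed values.
param(
    [Parameter(Mandatory)][ValidateSet('FirstDc', 'AdditionalDc')][string]$Role,
    [string]$DomainName  = 'unit.example.invalid',   # must equal the unit's DNS name (slide 8)
    [string]$NetbiosName = 'UNIT',                   # override when the default clashes with an NT domain
    [string]$DatabasePath = 'D:\NTDS',               # database and logs on different disks (slide 9)
    [string]$LogPath      = 'L:\NTDS',
    [string]$SysvolPath   = 'D:\SYSVOL'              # must be NTFS (slide 9)
)

# The AD DS binaries must be present before any promotion cmdlet is available
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Slide 9: the DSRM password is not the AD Administrator password; prompt for it separately
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# SYSVOL must live on an NTFS volume: refuse to continue otherwise
$sysvolVolume = Get-Volume -DriveLetter $SysvolPath.Substring(0, 1)
if ($sysvolVolume.FileSystem -ne 'NTFS') {
    throw "SYSVOL path $SysvolPath is on $($sysvolVolume.FileSystem); it must be NTFS."
}

switch ($Role) {
    'FirstDc' {
        # Slide 8: DC for a new domain, new tree, new forest; DNS installed alongside
        $common = @{
            DomainName                    = $DomainName
            DomainNetbiosName             = $NetbiosName
            DatabasePath                  = $DatabasePath
            LogPath                       = $LogPath
            SysvolPath                    = $SysvolPath
            SafeModeAdministratorPassword = $dsrmPassword
            InstallDns                    = $true
        }
        # Dry run first: reports blocking problems without changing the server
        $check = Test-ADDSForestInstallation @common
        if ($check.Status -ne 'Success') { $check | Format-List; throw 'Prerequisite check failed.' }
        Install-ADDSForest @common -Force
    }
    'AdditionalDc' {
        # Slide 10: additional DC for an existing domain, using the domain admin's credentials
        $cred = Get-Credential -Message "Domain administrator account for $DomainName"
        Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
            -DatabasePath $DatabasePath -LogPath $LogPath -SysvolPath $SysvolPath `
            -SafeModeAdministratorPassword $dsrmPassword -InstallDns -Force
    }
}
```

The server reboots at the end of either branch. Keep the DSRM password somewhere recoverable: it is the only credential that lets you start the DC in Directory Services Restore Mode, and, as slide 9 says, it is not the same account as the AD Administrator.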
  11. Post-installation Tasks
     - Install and configure DNS if necessary
       - For second and subsequent DCs, the first DC must already have DNS configured
     - Check SRV records correctly registered in DNS (more information later)
     - If no NT DCs, switch to native mode
       - AD Users and Computers/Properties of domain/General tab/Change Mode
       - Cannot be reversed
  12. Post-installation Tasks cont.
     - Check creation of default containers
       - Active Directory Users and Computers
       - Computers, Users, ForeignSecurityPrincipals, Domain Controllers
     - Verify SYSVOL creation
       - Run %systemroot%\sysvol (change if you put it somewhere else)
       - Check existence of following directories
         - domain, staging, staging areas, sysvol
       - Verify shares
         - Command Prompt — “net share” command
         - Look for NETLOGON and SYSVOL shares
  13. Post-installation Tasks cont.
     - Verify AD database and log file existence
       - Run %systemroot%\ntds (change if you put them elsewhere)
       - Check for ntds.dit (database), edb.* (transaction logs and checkpoint file), res*.log (reserved transaction logs)
     - Check for replication partner entries in AD Sites and Services under NTDS Settings for each server
     - Check event logs for errors
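Slides 11 to 13 list the checks that tell you a promotion actually succeeded: SRV records, the SYSVOL tree and its two shares, the NTDS files, replication partners, and the event logs. The script below is an added example (not from the original slides) that runs those checks in one pass and prints a pass/fail table. It assumes PowerShell 5.1 or later on a Windows Server 2012+ DC with the DnsClient, SmbShare and (optionally) ActiveDirectory modules; the NTDS registry value names 'DSA Database file' and 'Database log files path' are assumed, with the default %systemroot%\NTDS used as a fallback, and the SYSVOL root can be overridden if you placed it elsewhere, as slide 12 notes.

```powershell
# Added example (not from the original slides): post-promotion verification.
# Assumptions: run as an administrator on the new DC; Windows Server 2012+.
param(
    [string]$DomainDnsName = $env:USERDNSDOMAIN,                  # DNS name of the AD domain
    [string]$SysvolRoot    = (Join-Path $env:SystemRoot 'SYSVOL') # change if SYSVOL was relocated
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Area, [string]$Item, [bool]$Ok, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Area = $Area; Item = $Item; OK = $Ok; Detail = $Detail })
}

# 1. SRV records clients use to locate DCs, the KDC and global catalogs (slide 11)
foreach ($srv in "_ldap._tcp.$DomainDnsName", "_kerberos._tcp.$DomainDnsName",
                 "_ldap._tcp.dc._msdcs.$DomainDnsName", "_gc._tcp.$DomainDnsName") {
    $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    Add-Check 'DNS' $srv ($null -ne $rec) (($rec | ForEach-Object { $_.NameTarget }) -join ', ')
}

# 2. SYSVOL directory tree and the shares dcpromo creates (slide 12)
foreach ($dir in 'domain', 'staging', 'staging areas', 'sysvol') {
    Add-Check 'SYSVOL' $dir (Test-Path (Join-Path $SysvolRoot $dir)) (Join-Path $SysvolRoot $dir)
}
$shares = Get-SmbShare -ErrorAction SilentlyContinue
foreach ($name in 'NETLOGON', 'SYSVOL') {
    $share = $shares | Where-Object Name -eq $name
    Add-Check 'Share' $name ($null -ne $share) ($share.Path)
}

# 3. AD database and log files (slide 13); registry value names are assumptions
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$dbFile  = if ($ntds.'DSA Database file')      { $ntds.'DSA Database file' }      else { Join-Path $env:SystemRoot 'NTDS\ntds.dit' }
$logDir  = if ($ntds.'Database log files path') { $ntds.'Database log files path' } else { Join-Path $env:SystemRoot 'NTDS' }
Add-Check 'NTDS' 'ntds.dit' (Test-Path $dbFile) $dbFile
# edb.chk = checkpoint, edb*.log = transaction logs; reserved logs are res*.log on
# Windows 2000/2003 and edbres*.jrs on later versions
foreach ($pattern in 'edb.chk', 'edb*.log', 'res*.log', 'edbres*.jrs') {
    $found = Get-ChildItem -Path $logDir -Filter $pattern -ErrorAction SilentlyContinue
    Add-Check 'NTDS' $pattern ($found.Count -gt 0) (($found | ForEach-Object { $_.Name }) -join ', ')
}

# 4. Inbound replication partners, as shown under NTDS Settings in AD Sites and Services.
#    The first and only DC of a new domain legitimately has none yet.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
    Add-Check 'Replication' 'inbound partners' ($null -ne $partners) (($partners | ForEach-Object { $_.Partner }) -join '; ')
}

# 5. Errors (levels Critical and Error) in the relevant event logs over the last 24 hours
$since = (Get-Date).AddDays(-1)
foreach ($log in 'Directory Service', 'DNS Server', 'System') {
    $errs = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue
    Add-Check 'EventLog' $log ($errs.Count -eq 0) "$($errs.Count) error(s) since $since"
}

$results | Format-Table -AutoSize
```

A missing SRV record is the most common cause of clients being unable to log on to a new domain; if the DNS rows fail while the SYSVOL and NTDS rows pass, the directory is fine and it is the DNS registration from slide 11 that needs attention (netlogon re-registers the records when the service is restarted). Missing NETLOGON or SYSVOL shares usually mean SYSVOL replication has not completed its initial sync.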
  14. Removing Active Directory from a Domain Controller
     - First, good idea to ensure replication is up to date; may want to move Operations Master roles manually; may need to change time synchronization if PDC emulator changes
     - Run dcpromo
     - Note that unlike NT, 2000 servers can be promoted to DCs and demoted to member servers as desired
     - Note also that demoting the last domain controller in a domain will delete all information contained in AD
       - Users, groups, etc.
  15. References
     - Best practice methods for Windows 2000 Domain Controller setup
     - Promoting and demoting domain controllers
  16. References
     - How to Verify an Active Directory Installation