This document provides an overview of Module 4 which covers implementing distributed Active Directory Domain Services deployments. It includes 3 lessons: an overview of distributed AD DS deployments; deploying a distributed AD DS environment; and configuring AD DS trusts. The lessons discuss topics such as AD DS components, domain and forest boundaries, reasons for multiple domains/forests, integrating on-premises AD DS with cloud services, upgrading and migrating AD DS, and configuring different types of trusts within and between forests.
2. Module Overview
• Overview of Distributed AD DS Deployments
• Deploying a Distributed AD DS Environment
• Configuring AD DS Trusts
3. Lesson 1: Overview of Distributed AD DS Deployments
• Discussion: AD DS Components Overview
• Overview of Domain and Forest Boundaries in an AD DS Structure
• Why Implement Multiple Domains?
• Why Implement Multiple Forests?
• Integrating On-Premises AD DS with Cloud Services
• Implementing Windows Azure AD
• DNS Requirements for Complex AD DS Environments
4. Discussion: AD DS Components Overview
• What is an AD DS domain?
• What is an AD DS tree?
• What is an AD DS forest?
• What is a trust relationship?
• What is the global catalog?
5. Overview of Domain and Forest Boundaries in an AD DS Structure
Boundary types provided by each AD DS object:
Domain:
• Domain partition replication
• Administrative permissions
• Group Policy application
• Auditing
• Password and account policies
• Domain DNS zone replication
Forest:
• Security boundary
• Schema partition replication
• Configuration partition replication
• Global catalog replication
• Forest DNS zone replication
6. Why Implement Multiple Domains?
Organizations may choose to deploy multiple domains to meet:
• Domain replication requirements
• DNS namespace requirements
• Distributed administration requirements
• Forest administrative group security requirements
• Resource domain requirements
7. Why Implement Multiple Forests?
Organizations may choose to deploy multiple forests to meet:
• Security isolation requirements
• Incompatible schema requirements
• Multinational requirements
• Extranet security requirements
• Business merger or divestiture requirements
8. Integrating On-Premises AD DS with Cloud Services
Windows Azure AD:
• Is a shared (multi-tenant) environment
• Patching and upgrading is maintained by Microsoft
• Can synchronize with on-premises AD DS
• Does not support AD DS-integrated applications
AD in Azure (domain controllers running on Azure virtual machines):
• Is a private environment
• Patching and upgrading is the responsibility of the customer
• Can be part of the on-premises AD DS forest
• Supports AD DS-aware applications
10. DNS Requirements for Complex AD DS Environments
When implementing DNS in a complex AD DS environment, you should:
• Verify the DNS client configuration
• Verify and monitor DNS name resolution
• Optimize DNS name resolution between multiple namespaces
• Use AD DS-integrated DNS zones
• Consider deploying a GlobalNames zone
• Design interoperability for DNS in Windows Azure and on-premises
11. Lesson 2: Deploying a Distributed AD DS Environment
• Demonstration: Installing a Domain Controller in a New Domain in a Forest
• AD DS Domain Functional Levels
• AD DS Forest Functional Levels
• Upgrading a Previous Version of AD DS to Windows Server 2012 R2
• Migrating to Windows Server 2012 R2 AD DS from a Previous Version
12. Demonstration: Installing a Domain Controller in a New Domain in a Forest
In this demonstration, you will see how to:
• Configure an AD DS domain controller
• Access the AD DS domain controller
13. AD DS Domain Functional Levels
New functionality requires that all domain controllers in the domain are running a particular version of Windows Server. Available levels:
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
Constraints:
• You cannot raise the functional level while any domain controller in the domain is running a previous Windows Server version
• After raising the functional level, you cannot add domain controllers running previous Windows Server versions
14. AD DS Forest Functional Levels
Windows Server 2003:
• Forest trusts
• Domain rename
• Linked-value replication
• Support for RODCs
• Improved KCC
• Conversion of inetOrgPerson objects to user objects
• Deactivation and redefinition of attributes and object classes
Windows Server 2008:
• No new features; sets minimum level for all new domains
Windows Server 2008 R2:
• Active Directory Recycle Bin
Windows Server 2012:
• No new features; sets minimum level for all new domains
15. Upgrading a Previous Version of AD DS to Windows Server 2012 R2
Options to upgrade AD DS to Windows Server 2012 R2:
• In-place upgrade of existing domain controllers (from Windows Server 2008 or Windows Server 2008 R2); only domain controllers running Windows Server 2008 x64 or Windows Server 2008 R2 can be upgraded in place
• Introduce a new Windows Server 2012 R2 server into the domain and promote it to be a domain controller (and later retire the older domain controllers); this option is recommended
• Both options require that the schema is at the Windows Server 2012 R2 level
• The Active Directory Domain Services Installation Wizard upgrades the schema automatically when run with appropriate permissions (membership in Schema Admins and Enterprise Admins)
• Adprep.exe is still available for running the schema upgrade as a separate, earlier step
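Before raising a functional level or adding the first Windows Server 2012 R2 domain controller, a practitioner checks the current levels, the schema version and the operating system of every existing domain controller. The following PowerShell is an added example for slides 13 to 15, not part of the course material; it uses only cmdlets of the ActiveDirectory module and assumes it is run by an Enterprise Admin on a domain controller or a machine with RSAT. The schema objectVersion values in the comment are the ones Microsoft publishes for each Windows Server release.

```powershell
# Added example (not from the course): pre-flight check before raising the
# domain functional level to Windows Server 2012 R2.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Current functional levels.
"Domain {0}: {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0}: {1}" -f $forest.Name, $forest.ForestMode

# 2. Schema version (objectVersion on the schema naming context).
#    30/31 = 2003/2003 R2, 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
"Schema objectVersion: $schemaVersion (69 = Windows Server 2012 R2; lower means adprep /forestprep is still needed)"

# 3. Every domain controller in the domain and the OS it runs. The level can
#    only be raised once no DC runs a version older than the target level.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
       Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
$dcs | Format-Table -AutoSize

$legacy = @($dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2012 R2|2016|2019|2022)' })
if ($legacy.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) are below Windows Server 2012 R2; upgrade or demote them first:`n{1}" -f
        $legacy.Count, (($legacy | ForEach-Object { $_.HostName }) -join "`n"))
}
elseif ($domain.DomainMode -ne 'Windows2012R2Domain') {
    # -Confirm forces an explicit prompt: raising the level is a forest-wide change.
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2012R2Domain -Confirm
}
```

Raise the forest functional level only after every domain in the forest is at the target domain level (Set-ADForestMode -ForestMode Windows2012R2Forest follows the same pattern). Note that the check on OperatingSystem reads the computer object's attribute, which a DC updates itself; a DC that has been offline for a long time may show stale data and should be confirmed directly.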
16. Migrating to Windows Server 2012 R2 AD DS from a Previous Version
Diagram: security principals are migrated from the source domain fabrikam.net to the target domain Adatum.com.
Security principals that are migrated:
• User accounts
• Managed service accounts
• Computer accounts
• Groups
Accounts get new SIDs, but resource access is maintained by using SID History.
17. Migrating to Windows Server 2012 R2 AD DS from a Previous Version
Attributes of one migrated user, before and after migration:
Before migration (source object):
department: IT
distinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
givenName: April
name: April Reagan
objectSID: S-1-5-21-322346712-1256085132-1900709958-1375
After migration (NEW object in Adatum.com):
department: IT
distinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
givenName: April
name: April Reagan
objectSID: S-1-5-21-433457823-2367196243-2011810069-2486
sIDHistory: S-1-5-21-322346712-1256085132-1900709958-1375
The new objectSID belongs to the target domain; the old SID is kept in sIDHistory, so ACLs that still reference it continue to grant access.
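Because a domain controller honours every SID in sIDHistory when it builds a token, the attribute is also a persistence target: a SID for Domain Admins or Enterprise Admins written into an ordinary user's sIDHistory grants that user those rights. The following PowerShell is an added example for slides 16 and 17, not part of the course; it lists every object with sIDHistory in the target domain and flags entries a migration could never have produced. The list of known source-domain SIDs is an assumption for the example and contains only the fabrikam.net domain SID taken from the sample object above.

```powershell
# Added example (not from the course): audit sIDHistory in the target domain
# after an ADMT-style migration. A migration writes only the old objectSID
# of each migrated principal into sIDHistory; anything else is suspect.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$localDomainSid = $domain.DomainSID.Value
# Domain SIDs of the migration source domains. Assumption for this example:
# the fabrikam.net domain SID, derived from the slide's sample objectSID.
$knownSourceSids = @('S-1-5-21-322346712-1256085132-1900709958')
# RIDs below 1000 are well-known (500 Administrator, 512 Domain Admins,
# 519 Enterprise Admins, 544 BUILTIN\Administrators); no migration places
# them in sIDHistory.

function Get-SidHistoryFindings {
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties objectSid, sIDHistory
    foreach ($obj in $objects) {
        foreach ($hist in $obj.sIDHistory) {
            $sid     = [System.Security.Principal.SecurityIdentifier]$hist
            $rid     = [int]($sid.Value.Split('-')[-1])
            $histDom = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
            $reason  = $null
            if ($histDom -eq $localDomainSid)          { $reason = 'SID from the local domain (never legitimate)' }
            elseif ($rid -lt 1000)                     { $reason = "well-known RID $rid" }
            elseif ($histDom -notin $knownSourceSids)  { $reason = "unknown source domain $histDom" }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                ObjectSid  = $obj.objectSid.Value
                SidHistory = $sid.Value
                Suspicious = [bool]$reason
                Reason     = $reason
            }
        }
    }
}

Get-SidHistoryFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it once after each migration batch and keep the output; the same check can be complemented by collecting security event 4765 (SID History was added to an account) from the domain controllers, which records who wrote the attribute and when.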
18. Lesson 3: Configuring AD DS Trusts
• Overview of Different AD DS Trust Types
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• Configuring Advanced AD DS Trust Settings
• Demonstration: Configuring a Forest Trust
19. Overview of Different AD DS Trust Types
Trust type | Transitive? | Diagram color
P/C - Parent-child | Yes | Purple
R - Tree root | Yes | Black
E - External (Windows NT 4.0 domain or Kerberos realm) | No | Red, dashed
S - Shortcut | Yes | Green, dotted
F - Forest (complete or selective) | Yes | Blue
Note: a forest trust is transitive only between the two forests it joins; it does not extend to a third forest that one of them trusts.
Diagram: a forest whose domains are joined by parent-child (P/C) and tree-root (R) trusts, with a shortcut trust (S) between two of its domains, a forest trust (F) to a separate forest, and external trusts (E) to CONTOSO (a Windows NT 4.0 domain) and to the Engineering Kerberos realm.
20. How Trusts Work Within a Forest
Diagram (steps 1 to 4): a single forest with two trees, adatum.com with child domain EU.adatum.com and fabrikam.com with child domain ESP.fabrikam.com. Client computer CL1 in one child domain requests access to a file on file server D in the other child domain. Without a shortcut trust, the authentication referrals follow the trust path up through adatum.com and fabrikam.com; a shortcut trust between EU.adatum.com and ESP.fabrikam.com lets CL1 be referred directly to a domain controller in the target domain.
21. How Trusts Work Between Forests
What Is a Forest Trust?
A forest trust is a one-way or two-way trust relationship between the forest root domains of two forests.
Diagram: a forest trust between the forest root domains tailspintoys.com (with child domains asia.tailspintoys.com and europe.tailspintoys.com) and wideworldimporters.com (with child domain sales.wideworldimporters.com).
22. Configuring Advanced AD DS Trust Settings
Security considerations in forest trusts:
• SID filtering: the trusting forest discards any SID in a trusted user's authorization data (including sIDHistory) that does not belong to a domain of the trusted forest, so a compromised partner forest cannot inject privileged SIDs from your forest; it is enabled by default on new forest trusts and should stay enabled unless a migration genuinely depends on SID history across the trust
• Selective authentication: users from the trusted forest are not automatically members of Authenticated Users in the trusting forest; they can use only the computers on which they have been granted the Allowed to Authenticate permission
• Name suffix routing: controls which UPN and DNS name suffixes of the trusted forest are routed over the trust, so that a partner forest cannot claim a suffix that belongs to your forest or to another partner
An incorrectly configured trust can allow unauthorized access to resources.
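The three settings above are stored as bits of the trustAttributes attribute on the trustedDomain object, so an audit of existing trusts can decode them directly. The following PowerShell is an added example for this slide, not part of the course: it lists every trust of the local domain and reports the combinations a security reviewer looks for (an external trust without SID filtering quarantine, a forest trust that accepts SID history, a cross-forest trust without selective authentication). The bit values are those documented in MS-ADTS; intra-forest trusts are listed but not judged, because SID filtering and selective authentication do not apply to them.

```powershell
# Added example (not from the course): decode the security-relevant bits of
# trustAttributes for every trust of the current domain. Read-only.
Import-Module ActiveDirectory

# Bit values of trustAttributes (MS-ADTS, section 6.1.6.7.9).
$TrustFlag = [ordered]@{
    NON_TRANSITIVE                       = 0x001
    UPLEVEL_ONLY                         = 0x002
    QUARANTINED_DOMAIN                   = 0x004   # SID filtering quarantine (external trusts)
    FOREST_TRANSITIVE                    = 0x008   # forest trust
    CROSS_ORGANIZATION                   = 0x010   # selective authentication
    WITHIN_FOREST                        = 0x020   # parent-child, tree-root, shortcut
    TREAT_AS_EXTERNAL                    = 0x040   # forest trust that accepts SID history
    USES_RC4_ENCRYPTION                  = 0x080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
    PIM_TRUST                            = 0x400
}

function Get-TrustSecurityReport {
    foreach ($t in Get-ADTrust -Filter *) {
        $attr       = [int]$t.TrustAttributes
        $set        = @($TrustFlag.Keys | Where-Object { $attr -band $TrustFlag[$_] })
        $isForest   = [bool]($attr -band $TrustFlag.FOREST_TRANSITIVE)
        $isInForest = [bool]($attr -band $TrustFlag.WITHIN_FOREST)
        $isExternal = -not ($isForest -or $isInForest)
        $issues     = @()

        if ($isExternal -and -not ($attr -band $TrustFlag.QUARANTINED_DOMAIN)) {
            $issues += 'external trust without SID filtering quarantine (netdom trust ... /quarantine:yes)'
        }
        if ($isForest -and ($attr -band $TrustFlag.TREAT_AS_EXTERNAL)) {
            $issues += 'forest trust accepts SID history from the trusted forest (netdom trust ... /enablesidhistory:no)'
        }
        if (-not $isInForest -and -not ($attr -band $TrustFlag.CROSS_ORGANIZATION)) {
            $issues += 'selective authentication off: all trusted users become Authenticated Users (netdom trust ... /selectiveauth:yes)'
        }

        [pscustomobject]@{
            Trust      = $t.Name
            Direction  = $t.Direction
            Attributes = $set -join ','
            Issues     = $issues -join '; '
        }
    }
}

Get-TrustSecurityReport | Format-Table -AutoSize -Wrap
```

Run it in every domain that has trusts, not only the forest root: external trusts are per domain. The netdom switches quoted in the issue text are the ones used to correct each setting; they take the trusting domain as the first argument and the trusted domain with /domain:.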
23. Demonstration: Configuring a Forest Trust
In this demonstration, you will see how to:
• Configure DNS name resolution by using a conditional forwarder
• Configure a two-way selective forest trust
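The two demonstration steps, and the DNS requirement from slide 10 that a forest trust cannot be created until the partner's _msdcs records resolve, can be scripted end to end. The following PowerShell is an added example, not the course's own demonstration script. It assumes the local forest is Adatum.com, that the partner forest is named TreyResearch.net (the lab lists a TREY-DC1 machine but not its DNS name, so this name is an assumption) and that its DNS server is reachable at 172.16.10.10 (an address invented for the example). The trust is created with the .NET System.DirectoryServices.ActiveDirectory classes, because the ActiveDirectory module has no cmdlet for creating trusts.

```powershell
# Added example (not from the course): conditional forwarder plus a two-way,
# selective forest trust with SID filtering left on. Run as an Enterprise
# Admin of the local forest on a domain controller that is also a DNS server.
Import-Module DnsServer
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$partnerForest = 'TreyResearch.net'   # assumption for the example
$partnerDns    = '172.16.10.10'       # invented for the example

# 1. Name resolution first. An AD DS-integrated conditional forwarder reaches
#    every DNS server in the forest through replication.
if (-not (Get-DnsServerZone -Name $partnerForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerForest -MasterServers $partnerDns -ReplicationScope Forest
}
# The trust wizard needs the partner's DC locator records; fail here if they do not resolve.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerForest" -Type SRV -ErrorAction Stop | Out-Null

# 2. Create both sides of the two-way forest trust from here. This needs an
#    account that is an Enterprise Admin in the partner forest.
$cred   = Get-Credential -Message "Enterprise Admin account in $partnerForest"
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
              [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
              $partnerForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$local.CreateTrustRelationship($remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 3. Harden the new trust: selective authentication on, SID filtering on.
$local.SetSelectiveAuthenticationStatus($partnerForest, $true)
$local.SetSidFilteringStatus($partnerForest, $true)

# 4. Verify from both APIs.
"Selective authentication: {0}" -f $local.GetSelectiveAuthenticationStatus($partnerForest)
"SID filtering:            {0}" -f $local.GetSidFilteringStatus($partnerForest)
Get-ADTrust -Filter "Name -eq '$partnerForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustAttributes
```

With selective authentication on, no partner user can log on to any computer in Adatum.com until that user or group is granted Allowed to Authenticate on the specific computer objects; grant it on the resource servers the partner needs and nowhere else. The partner side must run the equivalent of step 1 for the adatum.com namespace before step 2 succeeds.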
24. Lab: Implementing Distributed AD DS Deployments
• Exercise 1: Implementing Child Domains in AD DS
• Exercise 2: Implementing Forest Trusts
Logon Information
Virtual Machines: 20412C-LON-DC1, 20412C-TOR-DC1, 20412C-LON-SVR2, 20412C-TREY-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 45 minutes
25. Lab Scenario
A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in its London data center. As the company has grown and added branch offices with large numbers of users, it is becoming increasingly apparent that the current AD DS environment does not meet company requirements. The network team is concerned about the amount of AD DS-related network traffic that is crossing WAN links, which are becoming highly utilized.
26. Lab Scenario
The company has also become increasingly integrated with partner organizations, some of which need access to shared resources and applications that are located on the A. Datum internal network. The security department at A. Datum wants to ensure that the access for these external users is as secure as possible.
As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS infrastructure that will meet the company requirements. You are responsible for planning an AD DS domain and forest deployment that will provide optimal services for both internal and external users, while addressing the security requirements at A. Datum.
27. Lab Review
• Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com?
• What are the alternatives to creating a delegated subdomain record in the previous question?
• When you are creating a forest trust, why would you create a selective trust instead of a complete trust?
Editor's Notes
Presentation: 60 minutes
Lab: 45 minutes
After completing this module, the students will be able to:
Describe the components of distributed Active Directory® Domain Services (AD DS) deployments.
Describe how to deploy a distributed AD DS deployment.
Explain how to configure AD DS trusts.
Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20412C_04.pptx.
Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.
Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
Provide a brief overview of the module content.
The module begins with a discussion of the components of an AD DS environment. You should use this module overview to assess the students’ understanding of these concepts: domains, trees, forests, and the global catalog.
The main purpose of this topic is to assess the competency level of the students, and to ensure they have sufficient knowledge of AD DS before you embark on more advanced content.
Question
What is an AD DS domain?
Answer
An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security. All of these objects are stored in the AD DS database, and a copy of this data is stored on every domain controller in the AD DS domain. Because of this, the AD DS database is fault-tolerant, and clients can access AD DS domain information at any AD DS domain controller in the AD DS domain. AD DS provides a searchable hierarchical directory, and provides a framework for applying configuration and security settings for objects in the enterprise. You can use AD DS and Group Policy Objects (GPOs) to apply configuration and security settings to user and computer accounts.
Question
What is an AD DS domain tree?
Answer
An AD DS domain tree is a collection of one or more AD DS domains that form a contiguous namespace. For instance, if the first domain in the forest is adatum.com, you could create an additional domain as a child domain in that namespace. An example is atl.adatum.com.
Sometimes it is beneficial to have more than one domain in the forest. When you add a domain to an existing forest, you can add it as a child domain to an existing domain. This adds the domain to the domain tree. You can also create the domain as a new domain tree in the forest. An example of this would be if A. Datum Corporation, an established company with an AD DS forest named adatum.com, acquired a company called Fabrikam, Inc. An additional tree called fabrikam.com could be created in the adatum.com forest. Although the new domain is a new domain tree and accompanying new namespace, it is still integrated with the existing forest.
Question
What is an AD DS forest?
Answer
An AD DS forest is a collection of one or more AD DS trees. Each AD DS tree will contain one or more AD DS domains. The AD DS forest is the outermost boundary for the AD DS security and administration.
Question
What are trust relationships?
Answer
Trust relationships (trusts) are authentication pipelines between different domains. Some trusts are generated automatically as part of the domain installation process, and others are trusts that you create manually for various reasons. Trust relationships form the framework that allows resource sharing between domains, and they also provide the structure that supports authentication between domains.
Question
What is the global catalog?
Answer
The global catalog provides a central directory of every object in the forest, and is unique in each AD DS forest. Unlike the individual domain partitions, which store a complete, writeable attribute set for all objects in their own domain, the global catalog is a read-only, partial replica of every object in the forest that holds only the most commonly searched attributes (the partial attribute set). The global catalog makes it easy to locate objects from different domains in a multidomain forest. For example, Microsoft® Exchange Server uses the global catalog to locate all email recipients in a forest.
In a complex AD DS environment, it is essential that the students understand how the various components—such as organizational units (OUs), domains, and forests—form boundaries for authentication, resource access, and searches.
This topic describes the types of boundaries AD DS domains and forests provide. Mention that these boundaries usually form the criteria for why organizations choose to deploy multiple domains or forests. The next two topics cover this in more detail.
Emphasize the fact that the forest is the only real security boundary in AD DS. Within an AD DS forest, domains do not provide a complete security boundary: accounts such as the Enterprise Admins group from the forest root domain have administrative permissions in each domain, every domain controller in the forest holds writeable copies of the schema and configuration partitions, and SID filtering is not applied to the trusts inside a forest, so a compromised domain controller in any domain can present authorization data that the other domains accept.
Discuss the different reasons why organizations might decide to deploy multiple domains, but also emphasize that there are rarely good technical reasons to deploy multiple domains. A single domain can contain millions of objects, and you can configure administrative autonomy at an OU level. You can provide multiple user principal names (UPNs) for users within a domain. In most cases, organizations create multiple domains for business reasons, not for technical reasons.
Use this slide to discuss some of the reasons to implement multiple AD DS forests. Explain that in some cases, the business requirements may dictate different choices than technical requirements would dictate. Stress the importance of thorough planning and proper change control procedures, especially where AD DS schema modifications are planned.
Discuss the difference between Windows Azure AD and installing Active Directory in Azure. Discuss the special considerations for deploying Active Directory in Windows Azure.
Discuss how to set up Windows Azure AD.
Ask the students what makes DNS name resolution more complicated in an AD DS environment that includes multiple namespaces. Then ask them how they would resolve these issues. The students should be able to identify the options for optimizing name resolution in this environment. If they cannot do so, refer to the topic in Module 1 where this was covered.
Provide a brief overview of the lesson content.
Preparation Steps
Start 20412C-LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
Start 20412C-TOR-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
Demonstration Steps
Install the AD DS binaries on TOR-DC1
On TOR-DC1, in the Server Manager, click Add Roles and Features.
In the Add Roles and Features Wizard, click Next.
On the Select installation type page, ensure that Role-based or feature-based installation is selected, and then click Next.
On the Select destination server page, ensure that Select a server from the pool is selected. In the Server Pool list, verify that TOR-DC1.Adatum.com is highlighted, and then click Next.
On the Select server roles page, select the Active Directory Domain Services check box, click Add Features, and then click Next.
On the Select features page, click Next.
On the Active Directory Domain Services page, review the message, and then click Next.
On the Confirm installation selections page, review the message, and then click Install. Installation will take several minutes.
On the Results page, click Promote this server to a domain controller. The wizard continues.
Configure TOR-DC1 as an AD DS domain controller using the AD DS Installation Wizard
On the Deployment Configuration page, select the Add a new domain to an existing forest option, and then, next to Select domain type, confirm that Child Domain is selected.
In the Parent domain name field, verify that Adatum.com is listed.
In the New domain name box, type NA, and then click Next.
On the Domain Controller Options page, ensure that Windows Server 2012 R2 is selected as the Domain functional level, that Domain Name System (DNS) server is selected, and that Global Catalog (GC) is selected.
In the Type the Directory Services Restore Mode (DSRM) password text boxes, type Pa$$w0rd in both boxes, and then click Next.
On the DNS Options page, click Next.
On the following three windows (Additional Options, Paths, and Review Options), click Next. In the Prerequisites Check window, click Install.
Review the information, and allow TOR-DC1 to reboot as an AD DS domain controller in the new AD DS domain that you created in the AD DS forest.
Sign in to TOR-DC1 as NA\Administrator with the password Pa$$w0rd, and review some of the AD DS tools to confirm the installation of the new domain.
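The same demonstration can be performed from PowerShell on TOR-DC1 with the ADDSDeployment module, which is what the wizard's Review Options page exports. The following script is an added example and not the course's own demonstration script; the names, password prompts and domain mode are taken from the steps above, and the delegation and verification steps correspond to the first two Lab Review questions. The server LON-DC1 is used as the DNS server to query for the delegation because the lab identifies it as the parent domain's domain controller.

```powershell
# Added example (not from the course): promote TOR-DC1 as the first domain
# controller of the new child domain NA.Adatum.com.
# 1. Install the AD DS binaries (the Add Roles and Features steps).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Parent domain Enterprise Admin'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 2. Same checks as the wizard's Prerequisites Check page, without changing anything.
Test-ADDSDomainInstallation -NewDomainName NA -ParentDomainName Adatum.com -DomainType ChildDomain `
    -SafeModeAdministratorPassword $dsrm -Credential $cred

# 3. Create the child domain. -CreateDnsDelegation writes the NA delegation
#    into the Adatum.com zone on the parent DNS server, which is the record
#    the lab has you create by hand on LON-DC1 beforehand. -InstallDns makes
#    this DC the DNS server for the new zone; the global catalog is on by
#    default. The server reboots at the end unless -NoRebootOnCompletion is given.
Install-ADDSDomain `
    -NewDomainName NA `
    -ParentDomainName Adatum.com `
    -DomainType ChildDomain `
    -DomainMode Win2012R2 `
    -InstallDns `
    -CreateDnsDelegation `
    -SafeModeAdministratorPassword $dsrm `
    -Credential $cred `
    -Force

# 4. After the reboot, signed in as NA\Administrator: confirm the domain and
#    that the parent's DNS server really delegates NA.Adatum.com here.
Get-ADDomain -Identity NA.Adatum.com | Select-Object DNSRoot, ParentDomain, DomainMode, InfrastructureMaster
Resolve-DnsName -Name NA.Adatum.com -Type NS -Server LON-DC1.Adatum.com
```

If the delegation cannot be written (for example because the parent zone is hosted on a DNS server the promoting account cannot modify), the alternatives the Lab Review asks about are a stub zone or a conditional forwarder for NA.Adatum.com on the parent's DNS servers; either lets clients in Adatum.com locate the new domain's domain controllers.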
Describe the different AD DS functional levels, and have the students consider the advantages of upgrading to the highest possible level. Point out to the students that many businesses are still running their AD DS domains at a lower functional level than they could. For example, it is not unusual to find that a company is running AD DS domains in Microsoft Windows 2000 Server native mode, when all of the AD DS domain controllers are running Windows Server 2003 or newer.
Point out that some options for enabling Kerberos support for clients are enabled as soon as you install Windows Server 2012 domain controllers in a domain, but the features specifically mentioned in the text are only enabled at the Windows Server 2012 domain functional level.
Describe the process of using the Active Directory Migration Tool (ADMT) or a similar utility. Explain the SID-History attribute, and run the ldp.exe tool to demonstrate how to see all the configured attributes for an object.
Discuss the complexity of migrations. Mention different aspects that make migrations complex, such as keeping access to resources in both forests or domains, cleaning up permissions after the migration, and migrating users, clients, or groups in batches, because most companies are not able to migrate them simultaneously.
Animation
The animation is presented with 1 mouse click.
When the slide is first presented the slide illustrates objects being migrated from one domain to another.
Clicking the mouse hides the domain abstract and shows some user fields, including objectSID and sIDHistory, and how they migrate.
You may want to draw a diagram adding domains and trusts, and use it to describe each of the trust types as you proceed. Do not go into detail about shortcut trusts at this stage, because this will be discussed in the next topic. Forest trusts have a separate section as well.
The slide is presented in three clicks.
The slide begins by showing the default trusts in a forest. The purple lines represent parent-child trusts, while the black line represents a tree-root trust. The double arrowheads represent that these are two-way trusts.
The first click shows a forest trust has been created by an administrator; the trust is represented with a blue line, with a double arrowhead representing a two-way trust.
The second click shows the external trusts that have been created by an administrator. The trusts are represented with dashed red lines, with one arrowhead to represent a one-way trust. The trusts depicted have been established between a Kerberos realm and an NT 4.0 domain.
The last click shows a shortcut trust has been created by an administrator between two domains in a forest. The trust is represented by a dotted green line, with a double arrowhead representing a two-way trust.
This is a build slide in six clicks.
The initial slide shows the AD DS environment, which consists of a single AD DS forest with two domain trees: adatum.com and fabrikam.com. The two child domains, EU.adatum.com and ESP.fabrikam.com, are physically located in the same city in Spain, EU. There is frequent resource sharing between these two AD DS domains. The parent AD DS domains, Adatum.com and Fabrikam.com, exist in North American cities. Although there are transitive trust relationships between all the AD DS domains in the AD DS forest, there is no direct authentication link between EU.adatum.com and ESP.fabrikam.com.
On the first click, the slide shows the authentication process that is required when a user from client computer CL1 wishes to access a file on file server D.
On the second click, CL1 contacts the local AD DS domain controller 1 and is referred to the next AD DS domain controller in line, domain controller 2.
On the third click, the AD DS domain controller 2 refers CL1 to the AD DS domain controller 3, in fabrikam.com.
On the fourth click, the AD DS domain controller 3 refers CL1 to the AD DS domain controller 4 in ESP.fabrikam.com.
On the fifth click, CL1 uses the ticket issued by the AD DS domain controller 4 to contact the file server D, located in ESP.fabrikam.com.
On the sixth and last click, a shortcut trust is established between ESP.fabrikam.com and EU.adatum.com. Now that CL1 has received a ticket from the local AD DS domain controller 1, it can contact the AD DS domain controller 4 in the ESP.fabrikam.com AD DS domain, and then receive a ticket to access the file server D.
In this scenario, without the shortcut trust in place, several communications will have to travel to North America and back. The network link may not be fast or 100 percent reliable, or it could be expensive. Therefore, the shortcut trust improves performance in more than one way.
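To make the referral chain on the slide concrete, here is an added example (not course material) that models the forest's trust links as a graph and finds the chain of domain controllers a client is referred through. The trust table is built from the slide description; the breadth-first search over transitive trusts is a simplification of the KDC's referral logic, and the function name is my own. With only the default trusts, the search returns the three-referral path shown on the slide; with the shortcut trust added it returns the single referral from EU.adatum.com to ESP.fabrikam.com.

```powershell
# Added example, not course content: model Kerberos referrals over the
# trust graph of the slide's forest (adatum.com and fabrikam.com trees).

function Get-TrustPath {
    param(
        [hashtable]$Trusts,   # domain -> list of directly trusted domains
        [string]$From,        # domain of the client (CL1)
        [string]$To           # domain of the resource (file server D)
    )
    # Breadth-first search: every hop is one referral to another domain's KDC.
    # Inside a forest all trusts are transitive, so any link can be followed.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@($From))
    $seen = @{ $From = $true }
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $last = $path[-1]
        if ($last -eq $To) { return $path }
        foreach ($next in $Trusts[$last]) {
            if (-not $seen[$next]) {
                $seen[$next] = $true
                $queue.Enqueue(@($path + $next))
            }
        }
    }
    return $null   # no trust path at all
}

# Default trusts from the slide: parent-child links plus the tree-root trust
# between adatum.com and fabrikam.com. All are two-way, so both directions are listed.
$defaultTrusts = @{
    'adatum.com'       = @('EU.adatum.com', 'fabrikam.com')
    'EU.adatum.com'    = @('adatum.com')
    'fabrikam.com'     = @('adatum.com', 'ESP.fabrikam.com')
    'ESP.fabrikam.com' = @('fabrikam.com')
}

# Clicks one to five on the slide: the long way round through North America
$longPath = Get-TrustPath -Trusts $defaultTrusts -From 'EU.adatum.com' -To 'ESP.fabrikam.com'
"Without shortcut trust: $($longPath -join ' -> ') ($($longPath.Count - 1) referrals)"

# Click six: a two-way shortcut trust between the two child domains
$withShortcut = $defaultTrusts.Clone()
$withShortcut['EU.adatum.com']    += 'ESP.fabrikam.com'
$withShortcut['ESP.fabrikam.com'] += 'EU.adatum.com'
$shortPath = Get-TrustPath -Trusts $withShortcut -From 'EU.adatum.com' -To 'ESP.fabrikam.com'
"With shortcut trust:    $($shortPath -join ' -> ') ($($shortPath.Count - 1) referrals)"
```

Each referral in the output is a round trip to a domain controller over the WAN in the scenario, which is why the shortcut trust pays off in both latency and reliability.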
Open Active Directory Domains and Trusts. Show where you can create a new trust relationship, and how you can choose different types: for example, forest and domain.
If the students want more information on this subject, show the following links to illustrate where they can obtain resources.
Additional Reading: For more information on configuring SID filter quarantining on external trusts, see http://go.microsoft.com/fwlink/?LinkId=270030.
For more information on enabling selective authentication over a forest trust, see http://go.microsoft.com/fwlink/?LinkId=270046.
For more information on name-suffix routing, see http://go.microsoft.com/fwlink/?LinkId=270047.
Explain to the students that in the lab they will configure a selective forest trust between adatum.com and treyresearch.net. They will also enable users to authenticate to the LON-SVR2 server, and they will test it.
Preparation Steps
Start 20412C-LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd. LON-DC1 has an IP address of 172.16.0.10, and is configured to use itself as the primary DNS server.
Start 20412C-TREY-DC1, and sign in as treyresearch\Administrator with the password Pa$$w0rd. TREY-DC1 has an IP address of 172.16.10.10, and is configured to use itself as the primary DNS server.
Demonstration Steps
Configure DNS name resolution by using a conditional forwarder
1. On LON-DC1, in Server Manager, click the Tools menu, and in the drop-down list, click DNS. The DNS Manager opens.
2. In the DNS Manager, expand LON-DC1, click and then right-click Conditional Forwarders, and then click New Conditional Forwarder.
3. In the New Conditional Forwarder window, in the DNS Domain: box, type treyresearch.net.
4. In the IP addresses of the master servers: text box, type 172.16.10.10. Click in the open space, and then click OK. (If an error is displayed, ignore it.)
5. Close the DNS Manager.
Switch to TREY-DC1, and repeat steps 1 through 5. Use the domain name Adatum.com with the IP address 172.16.0.10.
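The same conditional forwarders can be created and verified from PowerShell. The following is an added example, not the course's own demonstration steps; it uses the DnsServer module cmdlets with the lab names and addresses given above, and the wrapper function name is my own.

```powershell
# Added example, not course content: the conditional forwarders from the
# demonstration, created with the DnsServer module and then verified.
Import-Module DnsServer

function Add-PartnerForwarder {
    param(
        [Parameter(Mandatory)][string]$ZoneName,        # e.g. treyresearch.net
        [Parameter(Mandatory)][string[]]$MasterServers  # DNS servers authoritative for it
    )
    # Re-running the script must not fail on an existing forwarder
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Write-Verbose "Conditional forwarder for $ZoneName already exists"
        return
    }
    # Store the forwarder in AD so every DNS server in the forest receives it;
    # -ReplicationScope Forest requires an AD-integrated DNS server.
    Add-DnsServerConditionalForwarderZone -Name $ZoneName `
        -MasterServers $MasterServers -ReplicationScope 'Forest' -PassThru
}

# On LON-DC1 (adatum.com): forward queries for the partner forest to TREY-DC1
Add-PartnerForwarder -ZoneName 'treyresearch.net' -MasterServers '172.16.10.10'

# On TREY-DC1 (treyresearch.net) run the mirror image:
# Add-PartnerForwarder -ZoneName 'adatum.com' -MasterServers '172.16.0.10'

# Verification: the trust wizard locates the partner's domain controllers
# through this SRV record, so it must resolve before a trust is attempted.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.treyresearch.net' -Type SRV
```

If the SRV lookup fails, fix name resolution first; a trust created against a misconfigured forwarder will validate once and then break as soon as DNS answers change.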
Configure a two-way selective forest trust
1. In LON-DC1, from the Tools menu, click Active Directory Domains and Trusts.
2. When the Active Directory Domains and Trusts window opens, right-click Adatum.com, and then click Properties.
3. In the Adatum.com Properties dialog box, on the Trusts tab, click New Trust.
4. In the New Trust Wizard, click Next.
5. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next.
6. In the New Trust Wizard, click Forest trust, and then click Next.
7. In the Direction of Trust page, click Two-way, and then click Next.
8. In the Sides of Trust page, click Both this domain and the specified domain, and then click Next.
9. In the User name: text box, type Administrator. In the Password text box, type Pa$$w0rd, and then click Next.
10. In the Outgoing Trust Authentication Level-Local Forest page, click Selective authentication, and then click Next.
11. In the Outgoing Trust Authentication Level-Specified Forest page, click Selective authentication, and then click Next.
12. In the Trust Selections Complete page, click Next.
13. In the Trust Creation Complete page, click Next.
14. In the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.
15. In the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.
16. On the Completing the New Trust Wizard page, click Finish.
17. In the Adatum.com Properties dialog box, click OK.
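For instructors who prefer to show the scripted equivalent, here is an added example (not the course's own steps) that creates the same two-way selective forest trust from PowerShell and then reports the settings the Additional Reading links above describe: selective authentication and the SID filtering flags. Trust creation uses the .NET Forest class, because the ActiveDirectory module has no cmdlet for creating trusts; the lab names are the ones from the demonstration, and both function names are my own.

```powershell
# Added example, not course content: scripted two-way selective forest
# trust between adatum.com (local) and treyresearch.net, plus a check.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function New-SelectiveForestTrust {
    param(
        [Parameter(Mandatory)][string]$PartnerForest,
        [Parameter(Mandatory)][pscredential]$PartnerCredential
    )
    $localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Bind to the partner forest with credentials valid there, so both halves of
    # the trust are created at once ("Both this domain and the specified domain")
    $ctxArgs = @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $PartnerForest,
        $PartnerCredential.UserName,
        $PartnerCredential.GetNetworkCredential().Password
    )
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
    $partner = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    $twoWay = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    $localForest.CreateTrustRelationship($partner, $twoWay)

    # Selective authentication on both sides: users from the other forest can
    # only authenticate to computers where "Allowed to Authenticate" was granted
    $localForest.SetSelectiveAuthenticationStatus($partner.Name, $true)
    $partner.SetSelectiveAuthenticationStatus($localForest.Name, $true)

    # Throws if the secure channel is broken in either direction
    $localForest.VerifyTrustRelationship($partner, $twoWay)
}

function Test-ForestTrustSettings {
    # Report every forest trust and flag any without selective authentication.
    # The two SID filtering flags are shown for review: a new forest trust has
    # SID filtering enabled by default, so a value that differs from what was
    # recorded at creation time is worth investigating.
    Get-ADTrust -Filter * | Where-Object { $_.ForestTransitive } | ForEach-Object {
        [pscustomobject]@{
            Partner                  = $_.Target
            Direction                = $_.Direction
            SelectiveAuthentication  = $_.SelectiveAuthentication
            SIDFilteringQuarantined  = $_.SIDFilteringQuarantined
            SIDFilteringForestAware  = $_.SIDFilteringForestAware
            Finding                  = if ($_.SelectiveAuthentication) { 'ok' } else { 'selective authentication is OFF' }
        }
    }
}

$partnerCred = Get-Credential -Message 'Administrator account in treyresearch.net'
New-SelectiveForestTrust -PartnerForest 'treyresearch.net' -PartnerCredential $partnerCred
Test-ForestTrustSettings | Format-Table -AutoSize
```

Test-ForestTrustSettings is also useful on its own as a periodic check: a trust that was created with selective authentication but later switched to forest-wide authentication widens access to every server in the forest, and the report makes that change visible.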
Tell the students to ensure that LON-DC1 is running before they start the other machines.
Exercise 1: Implementing Child Domains in AD DS
A. Datum has decided to deploy a new domain in the adatum.com forest for the North American region. The first domain controller will be deployed in Toronto, and the domain name will be na.adatum.com. You need to configure and install the new domain controller.
Exercise 2: Implementing Forest Trusts
A. Datum is working on several high-priority projects with a partner organization named Trey Research. To simplify the process of enabling access to resources located in the two organizations, they have deployed a WAN between London and Munich, where Trey Research is located. You now need to implement and validate a forest trust between the two forests, and configure the trust to allow access to only selected servers in London.
Question
Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com?
Answer
Question
What are the alternatives to creating a delegated subdomain record in the previous question?
Answer
On LON-DC1, you could create a stub zone for na.adatum.com to provide an up-to-date list of the DNS servers for the na.adatum.com DNS domain. You could also configure a secondary DNS zone for na.adatum.com on LON-DC1, but that would entail more DNS replication traffic.
Question
When you are creating a forest trust, why would you create a selective trust instead of a complete trust?
Answer
You would create a selective trust instead of a complete trust when you do not require full access between the two forests, but want a strictly controlled amount of interaction.