Microsoft® Official Course
Module 4: Implementing Distributed Active Directory® Domain Services Deployments
Module Overview
• Overview of Distributed AD DS Deployments
• Deploying a Distributed AD DS Environment
• Configuring AD DS Trusts
Lesson 1: Overview of Distributed AD DS
Deployments
• Discussion: AD DS Components Overview
• Overview of Domain and Forest Boundaries in an
AD DS Structure
• Why Implement Multiple Domains?
• Why Implement Multiple Forests?
• Integrating On-Premises AD DS with Cloud
Services
• Implementing Windows Azure AD
• DNS Requirements for Complex AD DS
Environments
Discussion: AD DS Components Overview
• What is an AD DS domain?
• What is an AD DS tree?
• What is an AD DS forest?
• What is a trust relationship?
• What is the global catalog?
Overview of Domain and Forest Boundaries in an AD DS Structure
Domain boundary:
• Domain partition replication
• Administrative permissions
• Group Policy application
• Auditing
• Password and account policies
• Domain DNS zone replication
Forest boundary:
• Security boundary (the domain is an administrative and replication boundary only: administrators of any domain in a forest can gain control of the whole forest, so isolation from an administrator you do not trust requires a separate forest)
• Schema partition replication
• Configuration partition replication
• Global catalog replication
• Forest DNS zone replication
Why Implement Multiple Domains?
Organizations may choose to deploy multiple
domains to meet:
• Domain replication requirements
• DNS namespace requirements
• Distributed administration requirements
• Forest administrative group security requirements
• Resource domain requirements
Why Implement Multiple Forests?
Organizations may choose to deploy multiple
forests to meet:
• Security isolation requirements
• Incompatible schema requirements
• Multinational requirements
• Extranet security requirements
• Business merger or divestiture requirements
Integrating On-Premises AD DS with Cloud Services
• Windows Azure AD:
  • Is a shared, multi-tenant environment
  • Updates and upgrades are handled by Microsoft
  • Can synchronize with on-premises AD DS
  • Does not support AD DS-integrated applications (no LDAP, Kerberos or Group Policy)
• AD in Windows Azure (domain controllers running in Azure virtual machines):
  • Is a private environment
  • Updates and upgrades are the responsibility of the customer
  • Can be part of the on-premises AD DS forest
  • Supports AD DS-aware applications
Implementing Windows Azure AD
DNS Requirements for Complex AD DS
Environments
When implementing DNS in a complex AD DS
environment, you should:
• Verify the DNS client configuration
• Verify and monitor DNS name resolution
• Optimize DNS name resolution between multiple
namespaces
• Use AD DS integrated DNS zones
• Consider deploying a GlobalNames zone
• Design interoperability for DNS in Windows Azure and on-premises
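The first three checks on this slide, as an added PowerShell example (not part of the course): it lists the DNS servers the host actually queries, then resolves the DC locator records for every domain in the forest and for a partner namespace. adatum.com and na.adatum.com are the course's own names; treyresearch.net is an assumed partner forest.

```powershell
# Added example, not from the course: verify the DNS client configuration and
# the DC locator (SRV) records for every namespace a multi-domain forest relies
# on. adatum.com and na.adatum.com are the course's names; treyresearch.net is
# an assumed partner forest. Needs the DnsClient and ActiveDirectory modules
# (Windows Server 2012 or later with RSAT-AD-PowerShell).
Import-Module ActiveDirectory

# 1. Which DNS servers does this host actually query? A DC whose client points
#    at an external resolver, or only at itself, is the classic cause of
#    "domain not found" errors during promotion and trust creation.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. The SRV records a member needs to find a DC, a KDC, the PDC emulator and
#    a global catalog. Returns one row per record with the resolved targets.
function Test-AdDnsNamespace {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $ForestRoot = $DomainName,
        [string] $DnsServer            # optional: ask a specific server instead of the client's list
    )
    $queries = @(
        "_ldap._tcp.dc._msdcs.$DomainName"      # domain controllers
        "_kerberos._tcp.dc._msdcs.$DomainName"  # KDCs
        "_ldap._tcp.pdc._msdcs.$DomainName"     # PDC emulator (password chaining, GPO edits)
        "_gc._tcp.$ForestRoot"                  # global catalogs are registered under the forest root
    )
    foreach ($q in $queries) {
        $query = @{ Name = $q; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $query.Server = $DnsServer }
        try {
            $targets = Resolve-DnsName @query |
                Where-Object Type -eq 'SRV' |
                ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }
            [pscustomobject]@{ Domain = $DomainName; Record = $q; Status = 'OK';   Detail = $targets -join ', ' }
        } catch {
            [pscustomobject]@{ Domain = $DomainName; Record = $q; Status = 'FAIL'; Detail = $_.Exception.Message }
        }
    }
}

# Every domain in our forest, then the partner namespace a forest trust will
# depend on (it only resolves once a conditional forwarder or stub zone exists).
$forest  = Get-ADForest
$results = @(foreach ($d in $forest.Domains) { Test-AdDnsNamespace -DomainName $d -ForestRoot $forest.RootDomain })
$results += Test-AdDnsNamespace -DomainName 'treyresearch.net'   # assumed partner forest
$results | Format-Table Domain, Record, Status, Detail -AutoSize

# 3. Cross-check with the DC locator itself, which is what clients really use.
nltest /dsgetdc:na.adatum.com /force
```

A FAIL row for the partner namespace before the conditional forwarder exists is expected; a FAIL row for one of your own domains is not, and should be fixed before any child domain or trust is added.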
Lesson 2: Deploying a Distributed AD DS
Environment
• Demonstration: Installing a Domain Controller in a
New Domain in an Existing Forest
• AD DS Domain Functional Levels
• AD DS Forest Functional Levels
• Upgrading a Previous Version of AD DS to
Windows Server 2012 R2
• Migrating to Windows Server 2012 R2 AD DS from
a Previous Version
Demonstration: Installing a Domain Controller in
a New Domain in an Existing Forest
In this demonstration, you will see how to:
• Configure an AD DS domain controller
• Access the AD DS domain controller
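The demonstration done from PowerShell, as an added example that is not the course's own demonstration script: a Windows Server 2012 R2 member server becomes the first domain controller of the child domain na.adatum.com (the child domain this module's lab uses). The credential prompts, DSRM password prompt and LON-DC1 as the parent's DNS server are assumptions.

```powershell
# Added example, not the course's own demonstration script: promote a Windows
# Server 2012 R2 member server to the first domain controller of the new child
# domain na.adatum.com. Run it on the server being promoted, with an Enterprise
# Admins credential for adatum.com; the server's DNS client must already point
# at a DC of adatum.com (LON-DC1 in the lab).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompted, never hard-coded: the enterprise credential and the DSRM password.
$entAdmin = Get-Credential -Message 'Enterprise Admins credential for adatum.com (e.g. ADATUM\Administrator)'
$dsrmPass = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$newDomain = @{
    NewDomainName                 = 'na'
    ParentDomainName              = 'adatum.com'
    DomainType                    = 'ChildDomain'
    NewDomainNetbiosName          = 'NA'
    DomainMode                    = 'Win2012R2'   # no pre-2012 R2 DC will ever join this domain, so start at the top
    Credential                    = $entAdmin
    SafeModeAdministratorPassword = $dsrmPass
    InstallDns                    = $true         # DNS role on the new DC with an AD-integrated na.adatum.com zone
    CreateDnsDelegation           = $true         # writes the "na" NS delegation into the adatum.com zone on the parent
}

# Dry run with the same parameters: checks names, permissions, reachability of
# the parent and whether the delegation can be created, without changing anything.
$pre = Test-ADDSDomainInstallation @newDomain
$pre | Format-List
if ($pre.Status -ne 'Success') { throw 'Prerequisite check failed; fix the messages above before promoting.' }

# The real promotion; the server reboots as a DC of na.adatum.com when it finishes.
Install-ADDSDomain @newDomain -Force

# After the reboot, from any adatum.com DC: the child is registered forest-wide
# and the delegation on the parent's DNS resolves the child's DC locator records.
Get-ADDomain -Identity 'na.adatum.com' | Select-Object DNSRoot, DomainMode, ParentDomain, PDCEmulator
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.na.adatum.com' -Type SRV -Server 'LON-DC1.adatum.com'
```

Splatting the same hashtable into Test-ADDSDomainInstallation and Install-ADDSDomain guarantees the prerequisite check exercises exactly the parameters the promotion will use. If you create the delegation by hand on LON-DC1 beforehand (as the lab does), drop CreateDnsDelegation; the promotion then verifies the existing delegation instead of writing one.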
AD DS Domain Functional Levels
New functionality requires that all domain controllers in the domain run a particular version of Windows Server:
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• You cannot raise the functional level while any domain controller still runs an earlier Windows Server version
• You cannot add domain controllers running earlier Windows Server versions after raising the functional level
AD DS Forest Functional Levels
Windows Server 2003:
• Forest trusts
• Domain rename
• Linked-value replication
• Support for RODCs
• Improved KCC
• Conversion of inetOrgPerson objects to user objects
• Deactivation and redefinition of attributes and object classes
Windows Server 2008:
• No new features; sets minimum level for all new domains
Windows Server 2008 R2:
• Active Directory Recycle Bin
Windows Server 2012:
• No new features; sets minimum level for all new domains
Windows Server 2012 R2:
• No new features; sets minimum level for all new domains
Upgrading a Previous Version of AD DS to Windows Server 2012 R2
Options to upgrade AD DS to Windows Server 2012 R2:
• In-place upgrade (from Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012)
  • Only domain controllers running Windows Server 2008 x64, Windows Server 2008 R2, or Windows Server 2012 can be upgraded in place
• Introduce a new Windows Server 2012 R2 server into the domain and promote it to be a domain controller
  • This option is recommended
• Both options require that the schema is at the Windows Server 2012 R2 level
  • The AD DS Configuration Wizard (the replacement for dcpromo since Windows Server 2012) upgrades the schema automatically when run with Schema Admins and Enterprise Admins permissions
  • Adprep.exe is still available on the installation media (\support\adprep) to run the schema upgrade as a separate, controlled step
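A readiness check covering both slides above (functional levels and the upgrade options), as an added PowerShell example that is not part of the course. It reads the schema version, the forest and domain functional levels and each domain controller's operating system, and names the DCs that would still block raising the level. The schema objectVersion values are Microsoft's published ones (56 for Windows Server 2012, 69 for Windows Server 2012 R2); the adprep media path D:\ is an assumption.

```powershell
# Added example, not the course's own: readiness check before introducing the
# first Windows Server 2012 R2 DC. Schema objectVersion 56 = Windows Server
# 2012, 69 = Windows Server 2012 R2 (Microsoft's published values).
Import-Module ActiveDirectory

function Get-AdUpgradeReadiness {
    param(
        [int]    $TargetSchemaVersion = 69,                  # Windows Server 2012 R2 schema
        [string] $TargetOs            = 'Windows Server 2012 R2'
    )
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest

    # Get-ADDomainController only lists the DCs of the domain it is pointed at,
    # so walk every domain of the forest explicitly.
    $dcs = foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            [pscustomobject]@{
                Domain            = $domainName
                DomainMode        = $domain.DomainMode
                DC                = $dc.HostName
                OperatingSystem   = $dc.OperatingSystem
                IsGlobalCatalog   = $dc.IsGlobalCatalog
                IsReadOnly        = $dc.IsReadOnly
                # A level can only be raised once every DC in scope runs the target
                # OS (or newer; extend the pattern for releases after 2012 R2).
                BlocksTargetLevel = $dc.OperatingSystem -notlike "$TargetOs*"
            }
        }
    }

    [pscustomobject]@{
        SchemaVersion       = [int] $schema.objectVersion
        SchemaReady         = [int] $schema.objectVersion -ge $TargetSchemaVersion
        ForestMode          = $forest.ForestMode
        SchemaMaster        = $forest.SchemaMaster
        DomainControllers   = @($dcs)
        LevelRaiseBlockedBy = @($dcs | Where-Object BlocksTargetLevel | ForEach-Object DC)
    }
}

$r = Get-AdUpgradeReadiness
$r | Select-Object SchemaVersion, SchemaReady, ForestMode, SchemaMaster, LevelRaiseBlockedBy
$r.DomainControllers | Format-Table Domain, DomainMode, DC, OperatingSystem, IsGlobalCatalog, IsReadOnly, BlocksTargetLevel -AutoSize

# If SchemaReady is false, either let the promotion extend the schema (it needs
# Schema Admins + Enterprise Admins) or do it as a separate step from the
# Windows Server 2012 R2 media (drive letter assumed), with the same group memberships:
#   D:\support\adprep\adprep.exe /forestprep
#   D:\support\adprep\adprep.exe /domainprep
# Raise levels only once LevelRaiseBlockedBy is empty, every domain first, then the forest:
#   Set-ADDomainMode -Identity na.adatum.com -DomainMode Windows2012R2Domain
#   Set-ADForestMode -Identity adatum.com    -ForestMode Windows2012R2Forest
```

Running the schema step separately is the conservative choice in a large forest: it is replicated from the schema master to every DC, and doing it on its own day keeps a replication problem from being mistaken for a failed promotion.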
Migrating to Windows Server 2012 R2 AD DS from a Previous Version
Inter-forest migration (source forest fabrikam.net, target forest Adatum.com)
Security principals that are migrated:
• User accounts
• Managed service accounts
• Computer accounts
• Groups
Accounts get new SIDs, but resource access is maintained by using SID history.
Example: the user April Reagan before and after migration
Source object in fabrikam.net:
  Department        IT
  distinguishedName CN=April Reagan,OU=IT,DC=fabrikam,DC=net
  givenName         April
  name              April Reagan
  objectSID         S-1-5-21-322346712-1256085132-1900709958-1375
Migrated object in Adatum.com (new):
  Department        IT
  distinguishedName CN=April Reagan,OU=IT,DC=Adatum,DC=com
  givenName         April
  name              April Reagan
  objectSID         S-1-5-21-433457823-2367196243-2011810069-2486
  sIDHistory        S-1-5-21-322346712-1256085132-1900709958-1375
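The post-migration check a practitioner wants, as an added PowerShell example that is not part of the course: it lists every object in the target domain that carries sIDHistory, maps each historical SID back to its source domain, and flags entries from a domain you did not migrate from or with a well-known privileged RID. The source domain SID is the one shown on the slide (fabrikam.net); adatum.com is the target domain; the removal command at the end assumes the slide's user.

```powershell
# Added example, not the course's own: audit sIDHistory in the target domain
# after an inter-forest migration. The expected source-domain SID is the one on
# the slide (fabrikam.net); anything else, or a privileged RID (< 1000, e.g.
# 500 Administrator, 512 Domain Admins, 519 Enterprise Admins), is flagged.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        [string[]] $ExpectedSourceDomainSids = @('S-1-5-21-322346712-1256085132-1900709958'),  # fabrikam.net, from the slide
        [string]   $Server = 'adatum.com'                                                       # target domain
    )
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass, sAMAccountName -Server $Server
    foreach ($obj in $objects) {
        foreach ($hist in $obj.sIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier] $hist
            $rid = [uint32] (($sid.Value -split '-')[-1])
            # AccountDomainSid is $null for SIDs that are not domain SIDs at all
            # (for example S-1-5-32-544, BUILTIN\Administrators), which should
            # never appear in a migrated account's history.
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(not a domain SID)' }
            $known     = $ExpectedSourceDomainSids -contains $domainSid
            [pscustomobject]@{
                Name            = $obj.Name
                Class           = $obj.objectClass
                HistorySid      = $sid.Value
                SourceDomainSid = $domainSid
                KnownSource     = $known
                PrivilegedRid   = $rid -lt 1000
                ReviewNeeded    = (-not $known) -or ($rid -lt 1000)
            }
        }
    }
}

$report = Get-SidHistoryReport
$report | Format-Table Name, Class, HistorySid, KnownSource, PrivilegedRid, ReviewNeeded -AutoSize
$report | Where-Object ReviewNeeded | Export-Csv -NoTypeInformation -Path .\sidhistory-review.csv

# Once resource ACLs have been re-stamped with the new SIDs, remove the history
# so the old SIDs stop being honoured (example for the slide's user):
#   Set-ADUser -Identity 'April Reagan' -Remove @{ sIDHistory = 'S-1-5-21-322346712-1256085132-1900709958-1375' }
```

Two caveats belong with this. SID history only crosses a forest trust while SID filtering on that trust is relaxed for the migration, so re-enabling it afterward is part of finishing the migration. And sIDHistory is a standing grant: every SID in it is added to the user's token at logon, so an entry from an unexpected domain or with a privileged RID is a finding to investigate, not an artefact to ignore.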
Lesson 3: Configuring AD DS Trusts
• Overview of Different AD DS Trust Types
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• Configuring Advanced AD DS Trust Settings
• Demonstration: Configuring a Forest Trust
Overview of Different AD DS Trust Types
Trust type                               Transitive?
P/C  Parent-child                        Yes
R    Tree root                           Yes
E    External (domain or Kerberos realm) No (an external trust to a domain is always non-transitive; a realm trust can be created transitive or non-transitive)
S    Shortcut                            Yes
F    Forest (complete or selective)      Yes, between the two forests only; a forest trust does not extend to a third forest
[Diagram: a forest containing parent-child (P/C), tree-root (R) and shortcut (S) trusts; a forest trust (F) to a separate forest; external trusts (E) to CONTOSO, a Windows NT 4.0 domain, and to the Engineering Kerberos realm]
How Trusts Work Within a Forest
[Diagram: the domains adatum.com, EU.adatum.com, fabrikam.com and ESP.fabrikam.com in one forest, with a shortcut trust between the child domains; client computer CL1 requests a file on file server D in another domain, and steps 1 to 4 show the referrals following the trust path]
Client computer CL1 requests access to a file on File server D
How Trusts Work Between Forests
What Is a Forest Trust?
A forest trust is a one-way or two-way trust relationship between the forest root domains of two forests
[Diagram: forest tailspintoys.com (child domains asia.tailspintoys.com and europe.tailspintoys.com) and forest wideworldimporters.com (child domain sales.wideworldimporters.com), joined by a forest trust between the two root domains]
Configuring Advanced AD DS Trust Settings
Security considerations in forest trusts:
• SID filtering: the trusting forest discards any SID in incoming authorization data that does not belong to the trusted forest (on by default; relaxing it so that sIDHistory passes is a migration-time exception, not a steady state)
• Selective authentication: users from the trusted forest can authenticate only to computers on which they have been granted the Allowed to Authenticate right, instead of to every computer as Authenticated Users
• Name suffix routing: controls which UPN and DNS name suffixes of the trusted forest are routed across the trust; disable suffixes that collide with your own or that the partner does not need
An incorrectly configured trust can allow unauthorized access to resources
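An audit of the settings this slide lists, as an added PowerShell example that is not part of the course: it reads every trust of the current domain and reports SID filtering, selective authentication and TGT delegation from the trustAttributes bits, whose meanings are the TRUST_ATTRIBUTE_* values Microsoft documents in MS-ADTS. The netdom remediation lines at the end use treyresearch.net as an assumed partner forest.

```powershell
# Added example, not the course's own: flag trusts of the current domain whose
# security settings deviate from the defaults this module recommends. Bit
# meanings follow MS-ADTS (trustAttributes, TRUST_ATTRIBUTE_*).
Import-Module ActiveDirectory

$TA = @{
    NonTransitive               = 0x0001
    UplevelOnly                 = 0x0002
    QuarantinedDomain           = 0x0004   # SID filter quarantining (external trusts)
    ForestTransitive            = 0x0008
    CrossOrganization           = 0x0010   # selective authentication
    WithinForest                = 0x0020
    TreatAsExternal             = 0x0040   # forest trust with SID history enabled (SID filtering relaxed)
    UsesRc4Encryption           = 0x0080
    CrossOrgNoTgtDelegation     = 0x0200
    CrossOrgEnableTgtDelegation = 0x0800
}

function Test-Flag([int] $Value, [int] $Flag) { ($Value -band $Flag) -ne 0 }

function Get-TrustSecurityReport {
    foreach ($t in Get-ADTrust -Filter * -Properties *) {
        $attr = [int] $t.TrustAttributes
        $kind = if (Test-Flag $attr $TA.WithinForest)        { 'IntraForest' }
                elseif ($t.TrustType -eq 'MIT')              { 'Realm' }
                elseif (Test-Flag $attr $TA.ForestTransitive) { 'Forest' }
                else                                         { 'External' }

        $findings = @()
        if ($kind -eq 'Forest' -and (Test-Flag $attr $TA.TreatAsExternal)) {
            $findings += 'SID history enabled across forest trust (SID filtering relaxed)'
        }
        if ($kind -eq 'External' -and -not (Test-Flag $attr $TA.QuarantinedDomain)) {
            $findings += 'External trust without the SID filter quarantine flag; confirm with netdom trust /quarantine'
        }
        if ($kind -in 'Forest', 'External' -and -not (Test-Flag $attr $TA.CrossOrganization)) {
            $findings += 'Forest-wide (domain-wide) authentication; consider selective authentication'
        }
        if (Test-Flag $attr $TA.CrossOrgEnableTgtDelegation) {
            $findings += 'TGT delegation enabled across the trust'
        }

        [pscustomobject]@{
            Trust                = $t.Name
            Kind                 = $kind
            Direction            = $t.Direction
            Transitive           = -not (Test-Flag $attr $TA.NonTransitive)
            SelectiveAuth        = Test-Flag $attr $TA.CrossOrganization
            SidFilterQuarantined = Test-Flag $attr $TA.QuarantinedDomain
            SidHistoryAllowed    = Test-Flag $attr $TA.TreatAsExternal
            UsesRc4              = Test-Flag $attr $TA.UsesRc4Encryption
            Findings             = $findings -join '; '
        }
    }
}

Get-TrustSecurityReport | Format-Table -AutoSize

# Remediation with netdom, run on a DC of the trusting domain (partner forest name assumed):
#   netdom trust adatum.com /domain:treyresearch.net /quarantine:Yes         # external trust: enforce SID filtering
#   netdom trust adatum.com /domain:treyresearch.net /enablesidhistory:No    # forest trust: filter sIDHistory again after a migration
#   netdom trust adatum.com /domain:treyresearch.net /selectiveauth:Yes      # then grant Allowed to Authenticate per computer
```

Get-ADTrust only returns the trusts held by the domain it is pointed at, so run the report in every domain of the forest, or pass -Server for each one. Selective authentication is the setting that turns the slide's warning into something enforceable: with it on, a partner user who is not granted Allowed to Authenticate on a server is refused before any ACL on that server is consulted.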
Demonstration: Configuring a Forest Trust
In this demonstration, you will see how to:
• Configure DNS Name Resolution by using a conditional
forwarder
• Configure a two-way selective forest trust
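The two steps of the demonstration, as an added PowerShell example that is not the course's own demonstration script: a conditional forwarder for the partner namespace, then a two-way forest trust with selective authentication. adatum.com is the course's forest; treyresearch.net as the partner forest root and 172.16.10.10 as its DNS server are assumptions, since the page gives neither.

```powershell
# Added example, not the course's own demo script. Run on LON-DC1 as an
# Enterprise Admin of adatum.com; the partner credential must be an Enterprise
# Admin of the other forest. Partner forest name and DNS address are assumed.
$partnerForest = 'treyresearch.net'
$partnerDns    = '172.16.10.10'

# 1. Name resolution: forward queries for the partner namespace to the partner's
#    DNS server, replicated to every DNS server in our forest so that each DC
#    can locate the partner's DCs, not only the one this command runs on.
Add-DnsServerConditionalForwarderZone -Name $partnerForest -MasterServers $partnerDns -ReplicationScope 'Forest' -PassThru

# Do not continue until the partner's DC locator records resolve from here.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerForest" -Type SRV -ErrorAction Stop

# 2. The forest trust. The ActiveDirectory module has no cmdlet that creates a
#    trust, so use the .NET Forest class, which creates both halves of the
#    trust in one call given credentials for the other forest.
$partnerCred  = Get-Credential -Message "Enterprise Admins credential in $partnerForest"
$ctx          = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
                    $partnerForest,
                    $partnerCred.UserName,
                    $partnerCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$localForest.CreateTrustRelationship($remoteForest, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Selective authentication: partner users can only authenticate to computers on
# which they are granted "Allowed to Authenticate". Without it every partner
# user is a member of Authenticated Users on every server in adatum.com.
$localForest.SetSelectiveAuthenticationStatus($partnerForest, $true)

# 3. Verify the result and that SID filtering stayed on (the default for a new forest trust).
Get-ADTrust -Filter "Name -eq '$partnerForest'" -Properties * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringQuarantined, SIDFilteringForestAware, TrustAttributes
Write-Output ("SID filtering enabled: " + $localForest.GetSidFilteringStatus($partnerForest))
```

The trust is only half the job: after this, grant Allowed to Authenticate on the specific computer objects the partner should reach (for example the file server in the lab scenario), and nothing else. Creating the forwarder with forest-wide replication scope, rather than on LON-DC1 alone, is what keeps the trust usable when a client is serviced by another DC.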
Lab: Implementing Distributed AD DS
Deployments
• Exercise 1: Implementing Child Domains in AD DS
• Exercise 2: Implementing Forest Trusts
Logon Information
Virtual Machines: 20412D-LON-DC1, 20412D-TOR-DC1, 20412D-LON-SVR2, 20412D-TREY-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 45 minutes
Lab Scenario
A. Datum Corporation has deployed a single AD DS
domain with all the domain controllers located in its
London datacenter. As the company has grown and added
branch offices with large numbers of users, it is becoming
increasingly apparent that the current AD DS environment
does not meet company requirements. The network team
is concerned about the amount of AD DS–related network
traffic that is crossing WAN links, which are becoming
highly utilized.
The company has also become increasingly integrated with
partner organizations, some of which need access to
shared resources and applications that are located on the
A. Datum internal network. The security department at A.
Datum wants to ensure that the access for these external
users is as secure as possible.
As one of the senior network administrators at A. Datum,
you are responsible for implementing an AD DS
infrastructure that will meet the company requirements. You
are responsible for planning an AD DS domain and forest
deployment that will provide optimal services for both
internal and external users, while addressing the security
requirements at A. Datum.
Lab Review
• Why did you configure a delegated subdomain
record in DNS on LON-DC1 before adding the
child domain na.adatum.com?
• What are the alternatives to creating a delegated
subdomain record in the previous question?
• When you create a forest trust, why would you
create a selective trust instead of a complete trust?
Module Review and Takeaways
• Common Issues and Troubleshooting Tips

  • 5. Overview of Domain and Forest Boundaries in an AD DS Structure. Boundary types by AD DS object: Domain - domain partition replication; administrative permissions; Group Policy application; auditing; password and account policies; domain DNS zone replication. Forest - security boundary; schema partition replication; configuration partition replication; global catalog replication; forest DNS zone replication.
  • 6. Why Implement Multiple Domains? Organizations may choose to deploy multiple domains to meet: • Domain replication requirements • DNS namespace requirements • Distributed administration requirements • Forest administrative group security requirements • Resource domain requirements
  • 7. Why Implement Multiple Forests? Organizations may choose to deploy multiple forests to meet: • Security isolation requirements • Incompatible schema requirements • Multinational requirements • Extranet security requirements • Business merger or divestiture requirements
  • 8. Integrating On-Premises AD DS with Cloud Services • Windows Azure AD: • Is a shared environment • Updating and upgrading is maintained by Microsoft • Can synchronize with on-premises AD DS • Does not support AD DS integrated applications • AD in Windows Azure: • Is a private environment • Updating and upgrading is the responsibility of the customer • Can be part of on-premises AD DS • Supports AD DS-aware applications
  • 10. DNS Requirements for Complex AD DS Environments When implementing DNS in a complex AD DS environment, you should: • Verify the DNS client configuration • Verify and monitor DNS name resolution • Optimize DNS name resolution between multiple namespaces • Use AD DS integrated DNS zones • Consider deploying a GlobalNames zone • Design interoperability for DNS in Windows Azure and on- premise
  • 11. Lesson 2: Deploying a Distributed AD DS Environment • Demonstration: Installing a Domain Controller in a New Domain in an Existing Forest • AD DS Domain Functional Levels • AD DS Forest Functional Levels • Upgrading a Previous Version of AD DS to Windows Server 2012 R2 • Migrating to Windows Server 2012 R2 AD DS from a Previous Version
  • 12. Demonstration: Installing a Domain Controller in a New Domain in an Existing Forest In this demonstration, you will see how to: • Configure an AD DS domain controller • Access the AD DS domain controller
  • 13. AD DS Domain Functional Levels New functionality requires that domain controllers are running a particular version of Windows • Windows Server 2003 • Windows Server 2008 • Windows Server 2008 R2 • Windows Server 2012 • Windows Server 2012 R2 • Cannot raise functional level while domain controllers are running previous Windows Server versions • Cannot add domain controllers running previous Windows Server versions after raising functional level
  • 14. AD DS Forest Functional Levels Windows Server 2003: • Forest trusts • Domain rename • Linked-value replication • Support for RODCs • Improved KCC • Conversion of inetOrgPerson objects to user objects • Deactivation and redefinition of attributes and object classes Windows Server 2008: • No new features; sets minimum level for all new domains Windows Server 2008 R2: • Active Directory Recycle Bin Windows Server 2012: • No new features; sets minimum level for all new domains Windows Server 2012 R2: • No new features; sets minimum level for all new domains
  • 15. Upgrading a Previous Version of AD DS to Windows Server 2012 R2 Options to upgrade AD DS to Windows Server 2012 R2: • In-place upgrade (from Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012) • Only domain controllers running Windows Server 2008 x64, Windows Server 2008 R2, or Windows Server 2012 can be upgraded in place • Introduce a new Windows Server 2012 R2 server into the domain and promote it to be a domain controller • This option is recommended • Both options require that the schema is at the Windows Server 2012 R2 level • The Active Directory Domain Services Installation Wizard upgrades the schema automatically when run with appropriate permissions (Schema Admins and Enterprise Admins) • Adprep.exe is also available for running the forest and domain preparation manually
  • 16. Migrating to Windows Server 2012 R2 AD DS from a Previous Version fabrikam.net Adatum.com Security Principals that are migrated: • User accounts • Managed service accounts • Computer accounts • Groups Accounts get new SIDs, but resource access is maintained by using SID History Inter-forest migration
  • 17. Migrating to Windows Server 2012 R2 AD DS from a Previous Version (inter-forest migration from fabrikam.net to Adatum.com). Security principals that are migrated: • User accounts • Managed service accounts • Computer accounts • Groups. Accounts get new SIDs, but resource access is maintained by using SID History.
  Source object in fabrikam.net: department IT; distinguishedName CN=April Reagan,OU=IT,DC=fabrikam,DC=net; givenName April; name April Reagan; objectSID S-1-5-21-322346712-1256085132-1900709958-1375
  Migrated (NEW) object in Adatum.com: department IT; distinguishedName CN=April Reagan,OU=IT,DC=Adatum,DC=com; givenName April; name April Reagan; objectSID S-1-5-21-433457823-2367196243-2011810069-2486; sIDHistory S-1-5-21-322346712-1256085132-1900709958-1375
  • 18. Lesson 3: Configuring AD DS Trusts • Overview of Different AD DS Trust Types • How Trusts Work Within a Forest • How Trusts Work Between Forests • Configuring Advanced AD DS Trust Settings • Demonstration: Configuring a Forest Trust
  • 19. Overview of Different AD DS Trust Types. Trust type (transitive? / color in the diagram): • P/C - Parent-child (yes / purple) • R - Tree root (yes / black) • E - External, to a domain or Kerberos realm (no / red, dashed) • S - Shortcut (yes / green, dotted) • F - Forest, complete or selective (yes / blue). The diagram shows two forests: parent-child (P/C) and tree-root (R) trusts inside each, a shortcut trust (S) between two domains of the first forest, a forest trust (F) to the separate forest, and external trusts (E) to CONTOSO (a Windows NT 4.0 domain) and to the Engineering Kerberos realm.
  • 20. How Trusts Work Within a Forest. The diagram shows one forest with two trees, adatum.com (child domain EU.adatum.com) and fabrikam.com (child domain ESP.fabrikam.com). Client computer CL1 requests access to a file on file server D; the referrals pass through domain controllers 1, 2, 3, and 4 along the trust path, and a shortcut trust between EU.adatum.com and ESP.fabrikam.com removes that detour.
  • 21. How Trusts Work Between Forests What Is a Forest Trust? A forest trust is a one-way or two-way trust relationship between the forest root domains of two forests asia.tailspintoys.com sales.wideworldimporters.com tailspintoys.com europe.tailspintoys.com wideworldimporters.com
  • 22. Configuring Advanced AD DS Trust Settings Security considerations in forest trusts: • SID filtering • Selective authentication • Name suffix routing An incorrectly configured trust can allow unauthorized access to resources
  • 23. Demonstration: Configuring a Forest Trust In this demonstration, you will see how to: • Configure DNS Name Resolution by using a conditional forwarder • Configure a two-way selective forest trust
  • 24. Lab: Implementing Distributed AD DS Deployments • Exercise 1: Implementing Child Domains in AD DS • Exercise 2: Implementing Forest Trusts Logon Information Virtual Machines 20412D-LON-DC1, 20412D-TOR-DC1, 20412D-LON-SVR2, 20412D-TREY-DC1 User Name: AdatumAdministrator Password: Pa$$w0rd Estimated Time: 45 minutes
  • 25. Lab Scenario A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in its London datacenter. As the company has grown and added branch offices with large numbers of users, it is becoming increasingly apparent that the current AD DS environment does not meet company requirements. The network team is concerned about the amount of AD DS–related network traffic that is crossing WAN links, which are becoming highly utilized. The company has also become increasingly integrated with partner organizations, some of which need access to shared resources and applications that are located on the A. Datum internal network. The security department at A. Datum wants to ensure that the access for these external users is as secure as possible.
  • 26. Lab Scenario As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS infrastructure that will meet the company requirements. You are responsible for planning an AD DS domain and forest deployment that will provide optimal services for both internal and external users, while addressing the security requirements at A. Datum.
  • 27. Lab Review • Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com? • What are the alternatives to creating a delegated subdomain record in the previous question? • When you create a forest trust, why would you create a selective trust instead of a complete trust?
  • 28. Module Review and Takeaways • Common Issues and Troubleshooting Tips

Editor's Notes

  1. Presentation: 60 minutes Lab: 45 minutes After completing this module, the students will be able to: Describe the components of distributed Active Directory® Domain Services (AD DS) deployments. Describe how to deploy a distributed AD DS deployment. Explain how to configure AD DS trusts. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20412D_04.pptx. Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
  2. Provide a brief overview of the module content.
  3. The module begins with a discussion of the components of an AD DS environment. You should use this module overview to assess the students’ understanding of these concepts: domains, trees, forests, and the global catalog.
  4. The main purpose of this topic is to assess the students’ competency level, and to ensure they have sufficient knowledge of AD DS before you embark on more advanced content. Question: What is an AD DS domain? Answer An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security. All of these objects are stored in the AD DS database, and a copy of this data is stored on every domain controller in the AD DS domain. Because of this, the AD DS database is fault-tolerant, and clients can access AD DS domain information at any AD DS domain controller in the AD DS domain. AD DS provides a searchable hierarchical directory, and provides a framework for applying configuration and security settings for objects in the enterprise. You can use AD DS and Group Policy Objects (GPOs) to apply configuration and security settings to user and computer accounts. Question: What is an AD DS domain tree? Answer An AD DS domain tree is a collection of one or more AD DS domains that form a contiguous namespace. For instance, if the first domain in the forest is adatum.com, you could create an additional domain as a child domain in that namespace. An example is atl.adatum.com. Sometimes it is beneficial to have more than one domain in the forest. When you add a domain to an existing forest, you can add it as a child domain to an existing domain. This adds the domain to the domain tree. You can also create the domain as a new domain tree in the forest. An example of this would be if A. Datum Corporation, an established company with an AD DS forest named adatum.com, acquired a company called Fabrikam, Inc. An additional tree called fabrikam.com could be created in the adatum.com forest. Although the new domain is a new domain tree and accompanying new namespace, it still is integrated with the existing forest.
  5. Question: What is an AD DS forest? Answer An AD DS forest is a collection of one or more AD DS trees. Each AD DS tree will contain one or more AD DS domains. The AD DS forest is the outermost boundary for the AD DS security and administration. Question: What are trust relationships? Answer Trust relationships (trusts) are authentication pipelines between different domains. Some trusts are generated automatically as part of the domain installation process, and others are trusts that you create manually for various reasons. Trust relationships form the framework that allows resource sharing between domains, and they also provide the structure that supports authentication between domains. Question: What is the global catalog? Answer The global catalog provides a central directory of every object in the forest, and is unique in each AD DS forest. Unlike the individual domain partitions that store a complete writeable attribute set for all objects in the domain, the global catalog is a read-only list of some attributes for every object in the forest. The global catalog makes it easy to locate objects from different domains in a multidomain forest. For example, Microsoft® Exchange Server uses the global catalog to locate all email recipients in a forest.
  6. In a complex AD DS environment, it is essential that the students understand how the various components—such as organizational units (OUs), domains, and forests—form boundaries for authentication, resource access, and searches. This topic describes the types of boundaries AD DS domains and forests provide. Mention that these boundaries usually form the criteria for why organizations choose to deploy multiple domains or forests. The next two topics cover this in more detail. Emphasize the fact that the forest is the only real security boundary in AD DS. Within an AD DS forest, domains do not provide a complete security boundary, because accounts such as the Enterprise Admins group from the forest root domain have administrative permissions in each domain.
  7. Discuss the different reasons why organizations might decide to deploy multiple domains, but also emphasize that there are rarely good technical reasons to deploy multiple domains. A single domain can contain millions of objects, and you can configure administrative autonomy at an OU level. You can provide multiple user principal names (UPNs) for users within a domain. In most cases, organizations create multiple domains for business reasons, not for technical reasons.
  8. Use this slide to discuss some of the reasons to implement multiple AD DS forests. Explain that in some cases, the business requirements may dictate different choices than technical requirements would dictate. Stress the importance of thorough planning and proper change control procedures, especially where AD DS schema modifications are planned.
  9. Discuss the difference between Windows Azure AD and installing Active Directory in Windows Azure. Discuss the special considerations for deploying Active Directory in Windows Azure.
  10. Discuss how to set up Windows Azure AD.
  11. Ask the students what makes DNS name resolution more complicated in an AD DS environment that includes multiple namespaces. Then ask them how they would resolve these issues. The students should be able to identify the options for optimizing name resolution in this environment. If they cannot do so, refer them to the topic in Module 1 where this was covered.
  12. Provide a brief overview of the lesson content.
  13. Preparation Steps: Start 20412D-LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd. Start 20412D-TOR-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
  Demonstration Steps
  Install the AD DS binaries on TOR-DC1:
  On TOR-DC1, in Server Manager, click Add Roles and Features. In the Add Roles and Features Wizard, click Next. On the Select installation type page, ensure that Role-based or feature-based installation is selected, and then click Next. On the Select destination server page, ensure that Select a server from the pool is selected. In the Server Pool page, verify that TOR-DC1.Adatum.com is highlighted, and then click Next. On the Select server roles page, select the Active Directory Domain Services check box, click Add Features, and then click Next. On the Select features page, click Next. On the Active Directory Domain Services page, review the message, and then click Next. On the Confirm installation selections page, review the message, and then click Install. Installation will take several minutes. On the Results page, click Promote this server to a domain controller. The wizard continues.
  Configure TOR-DC1 as an AD DS domain controller using the AD DS Installation Wizard:
  On the Deployment Configuration page, select the Add a new domain to an existing forest option, and then, next to Select domain type, confirm that Child Domain is selected. In the Parent domain name field, verify that Adatum.com is listed. In the New domain name box, type NA, and then click Next. On the Domain Controller Options page, ensure that Windows Server 2012 R2 is selected as the Domain functional level, that Domain Name System (DNS) server is selected, and that Global Catalog (GC) is selected. In the Type the Directory Services Restore Mode (DSRM) password text boxes, type Pa$$w0rd in both boxes, and then click Next. On the DNS Options page, click Next. On the following three windows (Additional Options, Paths, and Review Options), click Next. In the Prerequisites Check window, click Install. Review the information, and allow TOR-DC1 to reboot as an AD DS domain controller in the new AD DS domain that you created in the AD DS forest. Sign in to TOR-DC1 as NA\Administrator with the password Pa$$w0rd, and review some of the AD DS tools to confirm the installation of the new domain.
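The same TOR-DC1 demonstration can be done without the wizard. The following is an added example, not part of the 20412D courseware: it uses the ADDSDeployment cmdlets that ship with the AD DS role on Windows Server 2012 R2. It assumes TOR-DC1 is already a member server of Adatum.com and that the Adatum\Administrator account is in Enterprise Admins (required to add a domain to the forest); the 172.16.0.10 address is LON-DC1 as stated in the lab notes.

```powershell
# Added example (not from the courseware): promote TOR-DC1 as the first DC of
# the new child domain NA.Adatum.com, mirroring the wizard choices above.

# 1. Install the AD DS role binaries and management tools (no promotion yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prompt for the Enterprise Admins credential and the DSRM password rather
#    than embedding Pa$$w0rd in a script.
$entCred  = Get-Credential -UserName 'Adatum\Administrator' -Message 'Enterprise Admins credential'
$dsrmPass = Read-Host -Prompt 'DSRM password' -AsSecureString

# Parameters shared by the prerequisite check and the actual promotion.
$domainParams = @{
    Credential                    = $entCred
    NewDomainName                 = 'NA'
    ParentDomainName              = 'Adatum.com'
    DomainType                    = 'ChildDomain'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $true   # writes the NA delegation into the Adatum.com zone
    SafeModeAdministratorPassword = $dsrmPass
}

# 3. Run the same prerequisite check the wizard runs, and stop if it fails.
$check = Test-ADDSDomainInstallation @domainParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; not promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompts; the server reboots
#    on completion exactly as the wizard does.
Install-ADDSDomain @domainParams -Force

# 5. After the reboot, sign in as NA\Administrator and confirm the new domain and
#    the delegation now held by the parent zone (run from any host with RSAT).
Get-ADDomain -Identity 'NA.Adatum.com' | Select-Object DNSRoot, DomainMode, PDCEmulator
Resolve-DnsName -Name 'NA.Adatum.com' -Type NS -Server 172.16.0.10
```

The -CreateDnsDelegation switch is what replaces the "delegated subdomain record" the lab review asks about: without it, LON-DC1 has no way to refer queries for na.adatum.com to TOR-DC1 and clients in the parent domain cannot locate the child domain's domain controllers.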
  15. Describe the different AD DS functional levels, and have the students consider the advantages of upgrading to the highest possible level. Point out to the students that many businesses are still running their AD DS domains at a lower functional level than they could. For example, it is not unusual to find that a company is running AD DS domains in Microsoft Windows 2000 Server native mode, when all of the AD DS domain controllers are running Windows Server 2003 or newer. Point out that some options for enabling Kerberos support for clients are enabled as soon as you install Windows Server 2012 domain controllers in a domain, but the features specifically mentioned in the text are only enabled at the Windows Server 2012 domain functional level.
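The slide's two rules (you cannot raise the level while older domain controllers exist, and you cannot add older domain controllers after raising it) make the raise a one-way operation worth checking first. The following is an added example, not from the courseware, that does that check before calling Set-ADDomainMode and Set-ADForestMode. It assumes the Active Directory PowerShell module (RSAT) and Domain Admins or Enterprise Admins rights; the target level, Windows Server 2012 R2, is the one the module is about.

```powershell
# Added example (not from the courseware): raise domain and forest functional
# levels only after confirming every DC can support the target level.

function Get-DCInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # OperatingSystem is read from each DC's computer object.
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly |
        Sort-Object OperatingSystem
}

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0} is at {1}; forest {2} is at {3}" -f $domain.DNSRoot, $domain.DomainMode, $forest.Name, $forest.ForestMode

$dcs = Get-DCInventory -Domain $domain.DNSRoot
$dcs | Format-Table -AutoSize

# Any DC not reporting Windows Server 2012 R2 blocks a raise to Windows2012R2Domain.
$blocking = $dcs | Where-Object { $_.OperatingSystem -notlike '*2012 R2*' }
if ($blocking) {
    "Cannot raise to Windows2012R2Domain until these DCs are upgraded or demoted:"
    $blocking.HostName
}
else {
    # Domain level first. This is irreversible (no Recycle Bin-style undo).
    Set-ADDomainMode -Identity $domain -DomainMode Windows2012R2Domain -Confirm:$false

    # The forest level can only be raised once EVERY domain in the forest is at
    # the target domain level, so check all of them, not just this one.
    $lagging = $forest.Domains |
        ForEach-Object { Get-ADDomain -Identity $_ } |
        Where-Object { $_.DomainMode -ne 'Windows2012R2Domain' }
    if ($lagging) {
        "Forest level left unchanged; these domains are not yet at Windows2012R2Domain:"
        $lagging.DNSRoot
    }
    else {
        Set-ADForestMode -Identity $forest -ForestMode Windows2012R2Forest -Confirm:$false
    }
}
```

Run it in the forest root domain with an Enterprise Admins account when raising the forest level; the domain level can be raised by a Domain Admin of that domain.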
  16. Describe the process of using the Active Directory Migration Tool (ADMT) or a similar utility. Explain the SID-History attribute, and run the ldp.exe tool to demonstrate how to view all the configured attributes for an object. Discuss migration complexity. Mention different aspects that make migrations complex, such as maintaining access to resources in both forests or domains, cleaning up permissions after the migration, and migrating users, clients, or groups in batches, because most companies are not able to migrate them simultaneously.
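SID History is what keeps resource access working during the migration on slides 16 and 17, but the same mechanism is why a migration is not finished until sIDHistory has been cleaned up: any SID in the attribute is added to the user's token, so a stale or injected history SID grants access nobody reviews in the target domain's ACLs. The following is an added example, not from the courseware or from ADMT, that inventories sIDHistory in the target domain and flags the entries a reviewer should question. It assumes the Active Directory module; the source-domain SID is the fabrikam.net domain SID printed on slide 17, and the privileged RID list is a choice made for this example.

```powershell
# Added example (not from the courseware): audit sIDHistory after an inter-forest
# migration (fabrikam.net -> Adatum.com on slides 16/17).

function Get-SidHistoryReport {
    param(
        # Domain SID of the retired source domain. Entries from anywhere else are
        # unexpected. Default is the fabrikam.net SID shown on slide 17.
        [string]$ExpectedSourceDomainSid = 'S-1-5-21-322346712-1256085132-1900709958'
    )

    # RIDs that must never appear in a history SID, from any domain:
    # built-in Administrator (500), Domain Admins (512), Enterprise Admins (519).
    $privilegedRids = @(500, 512, 519)
    $localDomainSid = (Get-ADDomain).DomainSID.Value

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($hist in $obj.sIDHistory) {
                $histString = $hist.Value
                $parts      = $histString -split '-'
                $rid        = [int]$parts[-1]
                $srcDomain  = $parts[0..($parts.Count - 2)] -join '-'

                [pscustomobject]@{
                    Object         = $obj.DistinguishedName
                    Class          = $obj.objectClass
                    HistorySid     = $histString
                    FromExpected   = ($srcDomain -eq $ExpectedSourceDomainSid)
                    FromThisDomain = ($srcDomain -eq $localDomainSid)   # a history SID from the local domain is never legitimate
                    PrivilegedRid  = ($rid -in $privilegedRids)
                }
            }
        }
}

$report = Get-SidHistoryReport
$report | Format-Table -AutoSize

# Entries from an unexpected domain, from this domain, or carrying a privileged
# RID need an explanation before the trust to the source forest is removed.
$suspicious = $report | Where-Object { -not $_.FromExpected -or $_.FromThisDomain -or $_.PrivilegedRid }
if ($suspicious) {
    "Review these before cleanup:"
    $suspicious | Format-List
}

# Once resource ACLs have been re-stamped with the new SIDs, remove a verified
# entry (ADMT also provides a Security Translation wizard for this):
# Set-ADObject -Identity $entry.Object -Remove @{ sIDHistory = $entry.HistorySid }
```

Note that SID filtering on the trust (slide 22) is what protects the target forest from history SIDs presented by the source forest during the migration; ADMT requires it to be relaxed (netdom trust ... /EnableSIDHistory:yes) only for as long as the migration runs.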
  17. You might want to draw a diagram adding domains and trusts, and use it to describe each of the trust types as you proceed. Do not go into detail about shortcut trusts at this stage, because this will be discussed in the next topic. Forest trusts have a separate section as well. The slide is presented in three clicks. The slide begins by showing the default trusts in a forest. The purple lines represent parent-child trusts, while the black line represents a tree-root trust. The double arrowheads represent that these are two-way trusts. The first click shows a forest trust that has been created by an administrator; the trust is represented with a blue line, with a double arrowhead representing a two-way trust. The second click shows the external trusts that have been created by an administrator. The trusts are represented with dashed red lines, with one arrowhead to represent a one-way trust. The trusts depicted have been established between a Kerberos realm and an NT 4.0 domain. The last click shows a shortcut trust has been created by an administrator between two domains in a forest. The trust is represented by a dotted green line, with a double arrowhead representing a two-way trust.
  18. This is a build slide in six clicks. The initial slide shows the AD DS environment, which consists of a single AD DS forest with two domain trees: adatum.com and fabrikam.com. The two child domains, EU.adatum.com and ESP.fabrikam.com, are physically located in the same city in Spain, and there is frequent resource sharing between these two AD DS domains. The parent AD DS domains, Adatum.com and Fabrikam.com, exist in North American cities. Although there are transitive trust relationships between all the AD DS domains in the AD DS forest, there is no direct authentication link between EU.adatum.com and ESP.fabrikam.com. On the first click, the slide shows the authentication process that is required when a user from client computer CL1 wishes to access a file on file server D. On the second click, CL1 contacts the local AD DS domain controller 1 and is referred to AD DS domain controller 2, next in line. On the third click, AD DS domain controller 2 refers CL1 to AD DS domain controller 3, in fabrikam.com. On the fourth click, AD DS domain controller 3 refers CL1 to AD DS domain controller 4 in ESP.fabrikam.com. On the fifth click, CL1 uses the ticket issued by AD DS domain controller 4 to contact file server D, located in ESP.fabrikam.com. On the sixth and last click, a shortcut trust is established between ESP.fabrikam.com and EU.adatum.com. Now, once CL1 has received a referral ticket from the local AD DS domain controller 1, it can contact AD DS domain controller 4 in the ESP.fabrikam.com domain directly and receive a ticket to access file server D. In this scenario, without the shortcut trust in place, several exchanges have to travel to North America and back. That network link may not be fast or 100 percent reliable, or it could be expensive. Therefore, the shortcut trust improves performance in more than one way.
  19. Open Active Directory Domains and Trusts. Show where you can create a new trust relationship, and how you can choose different types: for example, forest and domain.
  20. If the students want more information on this subject, show the following links to illustrate where they can obtain resources. Additional Reading: For more information on configuring SID filter quarantining on external trusts, see http://go.microsoft.com/fwlink/?LinkId=270030 For more information on enabling selective authentication over a forest trust, see http://go.microsoft.com/fwlink/?LinkId=270046 For more information on name-suffix routing, see http://go.microsoft.com/fwlink/?LinkId=270047
  21. Explain to the students that in the lab they will configure a selective forest trust between adatum.com and treyresearch.net. They also will enable users to authenticate to the LON-SVR2 server, and they will test it.
  Preparation Steps: Start 20412D-LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd. LON-DC1 has an IP address of 172.16.0.10, and is configured to use itself as the primary DNS server. Start 20412D-TREY-DC1, and sign in as treyresearch\Administrator with the password Pa$$w0rd. TREY-DC1 has an IP address of 172.16.10.10, and is configured to use itself as the primary DNS server.
  Demonstration Steps
  Configure DNS name resolution by using a conditional forwarder:
  On LON-DC1, in Server Manager, click the Tools menu, and in the drop-down list, click DNS. The DNS Manager opens. In the DNS Manager, expand LON-DC1, click and then right-click Conditional Forwarders, and then click New Conditional Forwarder. In the New Conditional Forwarder window, in the DNS Domain: box, type TreyResearch.net. In the IP addresses of the master servers: text box, type 172.16.10.10. Click in the open space, and then click OK. (If an error displays, ignore it.) Close the DNS Manager. Switch to TREY-DC1, and repeat steps 1 through 5. Use the domain name Adatum.com with the IP address 172.16.0.10.
  Configure a two-way selective forest trust:
  In LON-DC1, from the Tools menu, click Active Directory Domains and Trusts. When the Active Directory Domains and Trusts window opens, right-click Adatum.com, and then click Properties. In the Adatum.com Properties dialog box, on the Trusts tab, click New Trust. In the New Trust Wizard, click Next. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next. In the New Trust Wizard, click Forest trust, and then click Next. In the Direction of Trust page, click Two-way, and then click Next. In the Sides of Trust page, click Both this domain and the specified domain, and then click Next. In the User name: text box, type Administrator. In the Password text box, type Pa$$w0rd, and then click Next. In the Outgoing Trust Authentication Level--Local Forest page, click Selective authentication, and then click Next. In the Outgoing Trust Authentication Level--Specified Forest page, click Selective authentication, and then click Next. In the Trust Selections Complete page, click Next. In the Trust Creation Complete page, click Next. In the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next. In the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next. On the Completing the New Trust Wizard page, click Finish. In the Adatum.com Properties dialog box, click OK.
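Slide 22 warns that an incorrectly configured trust can allow unauthorized access, and the demonstration above creates the trust through a wizard whose choices are easy to misclick. The following is an added example, not part of the courseware, that does the DNS step in PowerShell and then verifies the three security settings from slide 22 (SID filtering, selective authentication, name suffix routing) on the finished trust, granting the per-server access that selective authentication requires. It assumes the lab's names and addresses (LON-DC1 at 172.16.0.10, TREY-DC1 at 172.16.10.10, LON-SVR2 in Adatum.com) and that it runs on LON-DC1 as Adatum\Administrator; netdom and dsacls are the built-in tools with their documented switches.

```powershell
# Added example (not from the courseware): conditional forwarders, then a
# security review of the forest trust created by the New Trust Wizard.

# --- Conditional forwarders (replaces the DNS Manager clicks) -----------------
Add-DnsServerConditionalForwarderZone -Name 'TreyResearch.net' -MasterServers 172.16.10.10
# On TREY-DC1 run the mirror image:
# Add-DnsServerConditionalForwarderZone -Name 'Adatum.com' -MasterServers 172.16.0.10

# The wizard fails if the partner forest's DCs cannot be located, so test first.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.TreyResearch.net' -Type SRV

# --- After the wizard: verify what was actually created -----------------------
$trust = Get-ADTrust -Filter { Target -eq 'treyresearch.net' }
$trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                       SIDFilteringForestAware, SIDFilteringQuarantined, TGTDelegation

# Expected for this demo: Direction BiDirectional, ForestTransitive True,
# SelectiveAuthentication True, SIDFilteringForestAware True (SID filtering is
# on by default for forest trusts), TGTDelegation False.
if (-not $trust.SelectiveAuthentication) {
    # Fix without re-creating the trust: switch from forest-wide to selective.
    netdom trust Adatum.com /Domain:treyresearch.net /SelectiveAUTH:yes
}
if (-not $trust.SIDFilteringForestAware) {
    # Someone relaxed SID filtering (typically for an ADMT migration); re-enable it.
    netdom trust Adatum.com /Domain:treyresearch.net /EnableSIDHistory:no
}

# --- Selective authentication: grant access per resource computer -----------
# With selective authentication, nobody from TreyResearch can authenticate to an
# Adatum computer until they hold the "Allowed to Authenticate" extended right
# on that computer object. Grant it on LON-SVR2 only, as the lab scenario asks.
$svr = Get-ADComputer -Identity 'LON-SVR2'
dsacls $svr.DistinguishedName /G 'TREYRESEARCH\Domain Users:CA;Allowed to Authenticate'

# --- Name suffix routing: list which partner suffixes this forest routes -------
# Disable any suffix you do not recognise from the partner's forest.
netdom trust Adatum.com /NameSuffixes:treyresearch.net
```

For an external (non-forest) trust the equivalent of the SID filtering check is the SIDFilteringQuarantined property, set with netdom trust ... /Quarantine:yes; do not apply /Quarantine to a forest trust, because quarantine mode drops SIDs from every domain in the partner forest except its root.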
  23. Tell the students to ensure that LON-DC1 is running before they start the other machines. Exercise 1: Implementing Child Domains in AD DS A. Datum has decided to deploy a new domain in the adatum.com forest for the North American region. The first domain controller will be deployed in Toronto, and the domain name will be na.adatum.com. You need to configure and install the new domain controller. Exercise 2: Implementing Forest Trusts A. Datum is working on several high-priority projects with a partner organization named Trey Research. To simplify the process of enabling access to resources located in the two organizations, companies have deployed a WAN between London and Munich, where Trey Research is located. You now need to implement and validate a forest trust between the two forests, and configure the trust to allow access to only selected servers in London.
  24. Question: Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com? Answer: The na.adatum.com zone is hosted on the new child domain's DNS server (TOR-DC1), not on LON-DC1. A delegation in the adatum.com zone tells LON-DC1, and every client that uses it, which name servers are authoritative for na.adatum.com, so that names in the child domain, including the SRV records that clients use to locate its domain controllers, can be resolved from the parent domain. Question: What are the alternatives to creating a delegated subdomain record in the previous question? Answer: On LON-DC1, you could create a stub zone for na.adatum.com to provide an up-to-date list of the DNS servers for the na.adatum.com DNS domain. You could also configure a secondary zone for na.adatum.com on LON-DC1, but that would entail more DNS replication traffic. Question: When you create a forest trust, why would you create a selective trust instead of a complete trust? Answer: You would create a selective trust when you do not want every user in the partner forest to be able to authenticate to every computer in your forest, but only to the specific servers on which you grant the Allowed to Authenticate permission, giving you strictly controlled interaction between the two forests.
  25. Common Issues and Troubleshooting Tips Common Issue: You receive error messages such as: DNS lookup failure, RPC server unavailable, domain does not exist, or domain controller could not be found. Troubleshooting Tip: Usually, these errors are caused by a DNS record lookup failure or an incorrectly configured firewall. Ensure that at least two working DNS servers are available on the network. Ensure that every computer has at least two DNS servers configured in its network configuration. Verify that DNS servers are able to successfully resolve queries for DNS records outside of their DNS domain (for instance, Internet addresses). Use troubleshooting tools such as nslookup, dnslint, DCdiag, netdiag, repadmin, replmon, and Event Viewer. Common Issue: A user cannot be authenticated to access resources in another AD DS domain or Kerberos realm. Troubleshooting Tip: Use the Active Directory Domains and Trusts console (domain.msc) or the command-line tool Netdom to validate trust relationships. If necessary, reset the trust password. Check that trust relationships are configured in the right direction (the resource domain must trust the account domain). Verify that all AD DS domain controllers have registered all of the correct SRV records in DNS. (You can restart the Netlogon service on an AD DS domain controller to force it to reregister its SRV records in DNS.)
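The two common issues above share a first-pass triage: confirm DNS client configuration, confirm the DC locator SRV records for both domains, and verify the trust's secure channel before touching anything else. The following is an added example, not from the courseware, that scripts that triage with the built-in cmdlets and tools named in the tip (nltest, netdom, dcdiag, Resolve-DnsName). Domain and partner names default to the lab's; run it from a DC or a management host with RSAT.

```powershell
# Added example (not from the courseware): triage for "domain controller could
# not be found" and "cannot authenticate across the trust".
param(
    [string]$Domain  = 'Adatum.com',
    [string]$Partner = 'TreyResearch.net'
)

# --- Issue 1: locator failures are almost always DNS -------------------------
# a) Every IPv4 interface should list at least two DNS servers.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        if ($_.ServerAddresses.Count -lt 2) {
            "WARN: {0} has a single DNS server ({1})" -f $_.InterfaceAlias, ($_.ServerAddresses -join ',')
        }
    }

# b) DC locator SRV records for the local domain and the trusted partner.
foreach ($d in $Domain, $Partner) {
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        $name = "$svc.$d"
        try {
            $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
            "OK   {0} -> {1}" -f $name, (($rr.NameTarget | Sort-Object -Unique) -join ', ')
        }
        catch {
            "FAIL {0}: {1}" -f $name, $_.Exception.Message
        }
    }
}

# c) Can the locator actually pick a DC in each domain?
nltest /dsgetdc:$Domain
nltest /dsgetdc:$Partner

# d) Does the DNS server resolve names outside its own zones (forwarding works)?
Resolve-DnsName -Name 'www.microsoft.com' -Type A -ErrorAction SilentlyContinue

# --- Issue 2: authentication across the trust ---------------------------------
# Verify the trust's secure channel; reset the trust password only if /Verify fails.
netdom trust $Domain /Domain:$Partner /Verify
# netdom trust $Domain /Domain:$Partner /Reset

# Direction check: the RESOURCE domain must trust the ACCOUNT domain. For a
# one-way trust, "Outbound" from the resource side is what lets its users in.
Get-ADTrust -Filter { Target -eq $Partner } | Select-Object Name, Direction, TrustType, SelectiveAuthentication

# If step (b) showed missing SRV records, run these on the affected DC and
# then repeat step (b):
# Restart-Service Netlogon
# dcdiag /test:dns /v
```

A trust with SelectiveAuthentication set to True is a common cause of the second issue in environments that expect forest-wide authentication: the trust verifies fine, but users are refused until they are granted Allowed to Authenticate on the target computer object.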