11.1. Planning an Active Directory Forest and Domain Structure

Active Directory directory service is used when computers are organized into domains. The configuration of an organization's Active Directory infrastructure is critically important to ensure proper domain operations. Active Directory has physical and logical components.

11.1.1. Understanding Active Directory Infrastructure and Partitions

Active Directory infrastructure is built around three key structures:
Domains
    Logical groupings of objects that allow centralized management and control. Every organization has at least one domain, which is implemented when Active Directory is installed on the first domain controller in that domain.

Domain trees
    Groups of domains that share the same namespace. Every domain tree has a root domain, which is at the top of the domain tree. Domains in a domain tree have two-way transitive trusts between them.

Forests
    Groups of domain trees that are grouped together to share resources. Every forest has a forest root domain, which is the first domain created in the forest. Domain trees in a forest have two-way transitive trusts between them.

Forests and domains are considered to be the logical components of Active Directory. Use logical components to organize accounts and resources. Establish Active Directory infrastructure by creating the forest root domain, and then adding other domains as needed.

Active Directory represents data stored in the database as objects. Objects have several types of names associated with them:
Common name (CN)
    The name assigned when the object is created, with the CN= designator. For example, the user account for William R. Stanek is created as a user object and has the common name CN=William R. Stanek.

Distinguished name (DN)
    Describes the object's place in the directory according to the series of containers in which it is stored. No two objects in the directory have the same distinguished name. Most objects are contained within Organizational Unit (OU) containers or within a default container (CN). As an example, the Engineering OU in the WilliamStanek.com domain would have the distinguished name OU=engineering,DC=williamstanek,DC=com.

All objects in the directory have parents except for the root of the directory tree, which is referred to as the rootDSE. The rootDSE represents the top of the logical namespace for a directory. Below the rootDSE is the root domain, which is established when you create the first domain in an Active Directory forest. Once established, the forest root domain never changes.

When you install Active Directory on the first domain controller in a new forest, three containers are created below the rootDSE. These containers are as follows:
Forest Root Domain container
    The container for objects in the forest root domain.

Configuration container
    The container for the default configuration and all policy information.

Schema container
    The container for all object classes, attributes, and syntaxes.

The forest root domain, configuration, and schema containers are defined within like-named partitions:
Forest Root Domain partition
    Stores the Forest Root Domain container.

Configuration partition
    Stores the Configuration container.

Schema partition
    Stores the Schema container.

Active Directory uses partitions to logically divide up the directory. Partitions are the largest logical category of objects in the directory. All directory partitions are created as instances of the domainDNS object class. Active Directory sees domains as another type of container object. When you create a new domain, you create a new container object in the directory tree, which is stored in a domain directory partition for the purposes of management and replication.

Active Directory partitions are used to distribute three general types of data:
Domain-wide data
    Domain-wide data is replicated to every domain controller in a domain. Data in a domain directory partition is replicated to every domain controller in the domain as a writeable replica.

Forest-wide data
    Forest-wide data is replicated to every domain controller in a forest. The configuration partition is replicated as a writeable replica. The schema partition is replicated as a read-only replica; the only writeable replica is stored on the domain controller that holds the schema operations master role.

Application data
    Application partition data is replicated on a forest-wide, domain-wide, or other basis to domain controllers that have a particular application partition. Domain controllers running Windows 2000 or earlier versions of Windows do not recognize user-defined application partitions. If a domain controller doesn't have an application partition, it doesn't receive a replica of the application partition. Another name for an application data partition is an application directory partition.

Tip: All domain controllers store at least one domain directory partition and two forest-wide data partitions. If a domain controller is also a DNS server that uses Active Directory-integrated zones, the DNS data is stored in application data partitions. These application data partitions are ForestDnsZones and DomainDnsZones.

In addition to the full replicas that are distributed within domains, Active Directory distributes partial replicas of every domain in the forest to special domain controllers designated as global catalog servers. These partial replicas contain information on every object in the forest and are used to facilitate searches and queries. Because only a subset of each object's attributes is stored, the partial replica is significantly smaller than the total size of all object data stored in all domains in the forest. Every domain must have at least one global catalog server. By default, the first domain controller installed in a domain is configured as a global catalog server. The global catalog can be changed, and additional servers can be designated for hosting global catalogs as necessary.

11.1.2. Creating the Forest Root Domain

You create a forest root domain when you install Active Directory on the first domain controller in a new forest. Once you've established the forest root domain, you can add new domains to the forest. Any domains that are part of a different namespace than the forest root domain establish a root domain for a new domain tree.
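The naming and partition rules from 11.1.1 are easy to get wrong when writing scripts or reviewing audit output, so here is a small Python module, added for this chapter and not code from the book, that parses distinguished names the way the chapter describes them (comma-separated type=value RDNs, a parent chain ending at the rootDSE, DC= components spelling out a DNS name, and the Configuration and Schema containers under the forest root) and works out which partition an object belongs to. It also applies the DNS domain-name rules the installation wizard enforces later in this section. Backslash escaping of commas inside values follows the LDAP DN convention; the sample DNs are constructed, and the list of known application partitions is something the caller must supply, since an application partition looks exactly like a domain partition in a DN.

```python
"""Parse Active Directory distinguished names and locate their partition.

Added example for this chapter, not code from the book. It follows the
naming rules described above: comma-separated type=value RDNs, a parent
chain that ends at the rootDSE, DC= components that spell out a DNS name,
and Configuration and Schema containers under the forest root domain.
Backslash escaping of commas inside values follows the LDAP DN convention.
All sample DNs are constructed for illustration.
"""
from __future__ import annotations

import re

# Wizard rule for each dot-separated label: letters, digits, hyphen, max 63.
DNS_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, most specific component first."""
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def join_dn(pairs: list[tuple[str, str]]) -> str:
    """Inverse of split_dn; re-escapes backslashes and commas in values."""
    parts = []
    for attr_type, value in pairs:
        value = value.replace("\\", "\\\\").replace(",", "\\,")
        parts.append(f"{attr_type}={value}")
    return ",".join(parts)


def parent_dn(dn: str) -> str:
    """DN of the container holding the object; '' stands for the rootDSE."""
    pairs = split_dn(dn)
    return join_dn(pairs[1:]) if len(pairs) > 1 else ""


def _split_containers(dn: str) -> tuple[list[tuple[str, str]], str]:
    """Separate the container path from the trailing DC= naming context."""
    pairs = split_dn(dn)
    cut = len(pairs)
    while cut > 0 and pairs[cut - 1][0] == "DC":
        cut -= 1
    containers = [(t, v.lower()) for t, v in pairs[:cut]]
    naming_context = ".".join(v for _, v in pairs[cut:])
    return containers, naming_context


def dns_name_from_dn(dn: str) -> str:
    """Naming context as a DNS name: DC=williamstanek,DC=com -> williamstanek.com."""
    return _split_containers(dn)[1]


def valid_dns_domain_name(name: str) -> bool:
    """Letters, digits and hyphens only, dot-separated labels of at most 63 chars."""
    return all(DNS_LABEL.match(label) for label in name.split("."))


def classify_partition(dn: str, app_partitions: tuple[str, ...] = ()) -> str:
    """Return 'schema', 'configuration', 'application' or 'domain'.

    app_partitions holds the DNs of the application directory partitions the
    caller knows about (for example DC=DomainDnsZones,DC=domain,DC=local);
    anything else with a plain DC= naming context is a domain partition.
    """
    containers, naming_context = _split_containers(dn)
    if containers and containers[-1] == ("CN", "configuration"):
        if len(containers) >= 2 and containers[-2] == ("CN", "schema"):
            return "schema"
        return "configuration"
    known_apps = {dns_name_from_dn(p).lower() for p in app_partitions}
    return "application" if naming_context.lower() in known_apps else "domain"
```

Because partition membership decides where a change replicates (domain-wide, forest-wide, or only to the domain controllers holding an application partition), classifying the DN first tells you how far an edit to that object will travel before you make it.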
A forest root domain can be:

A dedicated root
    Used as a placeholder to start the directory. It has no accounts associated with it other than those created when the forest root is installed and those that are needed to manage the forest. It is not used to assign access to resources.
A nondedicated root
    Used as a normal part of the directory and has accounts associated with it. It is used to assign access to resources.

When working with forests, keep the following in mind:

- All domain controllers share the same configuration container, which is used to store the default configuration and policy information.
- All domains in a forest trust all the other domains in that forest. There are two-way transitive trusts between all domains in a forest.
- All domains in a forest have the same global catalog. The global catalog stores a partial replica of all objects in the forest.
- All domain controllers in a forest have the same schema. A single schema master is designated for the forest.
- All domains in the forest have the same top-level administrators. These are the members of the Enterprise Admins and Schema Admins groups.

11.1.3. Creating a Child Domain

Use domains to logically group objects for central management and control. After you create the forest root domain, you can create additional domains to divide a forest into smaller components. Domains set the replication boundary for the domain directory partition and for domain policy information. When you make changes to the domain directory partition or to domain policy information on a domain controller in a domain, the changes are replicated automatically to the other domain controllers in the domain. In contrast, forest directory partitions, such as the schema and configuration partitions, are replicated throughout a forest.

Domain boundaries are also boundaries for resource access and administration. Users must be granted permission to access resources in another domain. By default, administrators of a domain can manage only resources in that domain. Group Policy settings that apply to one domain are independent from those applied to other domains. This allows you to configure policies in different ways for different domains.

11.1.4. Creating Application Data Partitions

While some third-party vendors provide tools for creating the application partitions their software requires, you can also create application partitions yourself using Active Directory Service Interfaces (ADSI), Ldp.exe, or Ntdsutil.exe. To manually create an application partition using Ntdsutil.exe, follow these steps:

1. Type ntdsutil at a command prompt.
2. At the ntdsutil: prompt, type domain management.
3. Type create nc AppPartitionName DomainController, where AppPartitionName is the distinguished name of the application partition to create and DomainController is the fully qualified domain name of the domain controller on which to create the partition, such as:

   create nc dc=appdata1,dc=domain,dc=local engsvr52.domain.local

Ntdsutil then creates the application partition. If you need to delete an application partition, you use delete nc. The syntax for delete nc is the same as for create nc. When you remove an application partition, any data contained in the partition is lost.

You may also need to create and remove an application directory partition replica. This is an instance of a partition on another domain controller, which is created for data access or redundancy. To manually create an application partition replica using Ntdsutil.exe, follow these steps:

1. Type ntdsutil at a command prompt.
2. At the ntdsutil: prompt, type domain management.
3. Type add nc replica AppPartitionName DomainController, where AppPartitionName is the distinguished name of the application partition for which you want to create a replica and DomainController is the fully qualified domain name of the domain controller on which to create the partition replica, such as:

   add nc replica dc=appdata1,dc=domain,dc=local engsvr84.domain.local

Ntdsutil then creates the application partition replica. If you need to delete an application partition replica, you use remove nc replica. The syntax for remove nc replica is the same as for add nc replica.
When you remove an application partition replica, any data contained in the replica is lost.

11.1.5. Installing and Configuring an Active Directory Domain Controller

Active Directory works in concert with DNS. DNS servers must be installed on the network prior to installing Active Directory and promoting servers to be domain controllers. To designate a server as a domain controller, use the Active Directory Installation Wizard (DCPROMO.EXE) to install the Active Directory directory service. During installation, you have the option of configuring the domain controller in a new domain or as an additional domain controller in an existing domain. To extend Active Directory infrastructure from the first domain in a new forest to include additional domains and domain trees, you must configure the domain controller in a new domain. This allows you to create:

- A new domain in a new forest
- A child domain in an existing domain tree
- A domain tree in an existing forest

Keep the following in mind when working with the Active Directory Installation Wizard:

- When you install a domain controller, DCPROMO deletes all local accounts, certificates, and cryptographic keys. This occurs because domain controllers do not have local accounts or separate cryptographic keys. Thus, before installing Active Directory, you should determine whether the server has important local accounts or encrypted files and folders.
- When you are extending infrastructure to include new domain trees and domains, you should log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation.
- When you are creating an additional domain controller in an existing domain, you should log on to the server using a domain account that is a member of the Domain Admins group in the domain of which the domain controller will be a part, and then start the installation.
You can start an Active Directory installation using the Configure Your Server Wizard or by typing dcpromo at a command prompt. If you want to use the Configure Your Server wizard, click Configure Your Server Wizard on the Administrative Tools menu. When the wizard starts, click Next twice. On the Server Role page, select Domain Controller (Active Directory), and then click Next twice. Configure Your Server then starts the Active Directory Installation Wizard. You can perform an advanced installation of Active Directory in two ways:
Active Directory Installation Wizard with an answer file
    DCPROMO /ANSWER:answerfile, where answerfile is the name of an answer file that contains answers to the questions that should be automated during installation. Use this technique to automate the installation. The answer file that is used to install Windows Server 2003 can also be used to install Active Directory.

Active Directory Installation Wizard with backup media
    DCPROMO /ADV, where the /ADV option starts the wizard in advanced mode. Use this technique to restore Active Directory from backup media or a network share so that the database for the new domain controller doesn't have to be replicated across the network in its entirety.

Tip: Before you install Active Directory, you should configure the server to use a static IP address and designate a preferred DNS server. If you are installing the first domain controller in a domain, you can allow DNS to be configured automatically during Active Directory installation by making the server a DNS server and configuring DNS for use with Active Directory.

To install an Active Directory domain controller, follow these steps:

1. Start the Active Directory Installation Wizard.
2. Click Next twice.
3. On the Domain Controller Type page, specify the role of the server as shown in Figure 11-1. You must choose to either create a domain controller in a new domain or an additional domain controller for an existing domain. Click Next.

   Figure 11-1. Specify the domain controller type.

4. If you choose to create an additional domain controller for an existing domain, you see the Network Credentials page. On this page, type the username, password, and user domain of an account with Domain Admins privileges. When you click Next, you see the Database And Log Folders page as discussed in Step 7. Skip ahead to Step 7.
5. If you choose to create a domain controller for a new domain, you next need to choose one of the following:

   Create a root domain in a new forest
       Choose Domain In A New Forest to establish the first domain controller in the organization or if you want to install a new forest that is completely separate from any existing forests. This establishes the forest root domain and means the domain controller will have the forest-wide operations master roles as well as the domain-wide operations master roles. Click Next to go directly to the New Domain Name page, skipping the Network Credentials page; you don't need specific credentials because you are establishing a new forest with its own set of security groups. Type the full DNS name for the new domain. Domain names are not case sensitive and can use the letters A to Z, the numerals 0 to 9, and the hyphen (-) character. Each component of the domain name must be separated by a dot (.) and cannot be longer than 63 characters. Click Next.

   Create a child domain in an existing domain tree
       Choose Child Domain In An Existing Domain Tree to establish the first domain controller in a domain that is a child domain of an existing domain. The parent domain must already exist. Click Next to display the Network Credentials page. Type the username, password, and user domain of an account with Enterprise Admins privileges. Click Next to display the Child Domain Installation page. In the Parent Domain field, type the full DNS name for the parent domain or click Browse to search for an existing domain. In the Child Domain field, type the name component of the child domain. Click Next.

   Create a domain tree in an existing forest
       Choose Domain Tree In An Existing Forest to establish a new domain tree that is separate from any existing trees in the Active Directory forest. The domain name you use should not be a subdomain of an existing parent domain in any tree of the forest. Click Next to display the Network Credentials page. Type the username, password, and user domain of an account with Enterprise Admins privileges. Click Next to display the New Domain Tree page. Type the full DNS name for the new domain. Click Next.

6. The Active Directory Installation Wizard uses the domain name you specified to set a default NetBIOS domain name. You can accept the default or type a new NetBIOS name of up to 14 characters. If there are any problems creating the default name, the wizard displays a warning prompt similar to the one shown in the following screen. The wizard displays this prompt when there is a name collision on the default name originally selected and an alternate name has to be used.
7. On the Database And Log Folders page, shown in Figure 11-2, specify the location for the Active Directory database folder and log folder. The default location for both is %SystemRoot%\NTDS. Click Next.

   Figure 11-2. Specify the location for database files and logs.

8. On the Shared System Volume page, shown in Figure 11-3, specify the location for the Sysvol folder. The default location is %SystemRoot%\Sysvol. In most cases, you'll want to accept the default. Click Next.

   Figure 11-3. Specify the location for the Sysvol.

9. The wizard examines the network environment and attempts to register the domain and the domain controller in DNS. If it has any problems with registration, the wizard displays a diagnostics page and allows you to correct the problems. Click Next.
10. On the Permissions page, specify the default permissions for users and groups. As shown in Figure 11-4, the available options are:

    Figure 11-4. Specify the permissions type.

    Permissions Compatible With Pre-Windows 2000 Server Operating Systems
        Reduces default security and allows anonymous user logons. Select this option only if the domain will have Windows NT servers running Windows NT applications or services that require anonymous user logons. When you choose this option, the wizard adds the special groups Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access domain local group on the server, which allows anonymous logon and anonymous access to Active Directory data.

    Permissions Compatible Only With Windows 2000 or Windows Server 2003 Operating Systems
        Enforces default security and prevents anonymous user logons. If the domain will have Windows 2000 or later computers running Windows 2000 or later services and applications, choose this option so that only authorized users can log on to the domain and access Active Directory data.

    Click Next.
11. As shown in Figure 11-5, type and then confirm the password that should be used when starting the computer in Directory Services Restore Mode. This special password is used only for restore mode and is separate from the Administrator account password.

    Figure 11-5. Specify the restore mode password.

    Click Next.
12. On the Summary page, review the installation options. Click Next to begin the installation and configuration of Active Directory. Click Finish. When prompted to restart the domain controller, click Restart Now.

After installing Active Directory, you should verify the installation. Start by reviewing the installation logs, which are stored in the %SystemRoot%\Debug folder. The Dcpromo.log file is the primary log file for recording the details of the installation or removal of Active Directory. The Dcpromoui.log file logs details of the installation or removal of Active Directory related to the graphical user interface. After reviewing the installation logs, examine your organization's DNS servers to ensure that SRV records were created for the domain controller. The domain controller should also have NTDS and Sysvol folders. The Windows Support Tools contain two tools you can use to troubleshoot an Active Directory installation. These tools are:
Netdiag
    Netdiag is used for network connectivity testing. Use Netdiag whenever a computer is having network problems. Type netdiag /q to perform network tests and return only errors. Type netdiag /v to display verbose output. Type netdiag /debug to list debugging details with reasons for success or failure.

Dcdiag
    Dcdiag is used for performing domain controller diagnostics. Type dcdiag /s:DomainController, where DomainController is the hostname or DNS name of the server on which to perform diagnostics. Use the /v option to display verbose output. Use the /? option to display help.

Tip: In the %SystemRoot%\System32 folder, you'll find the Ntdsutil utility. This utility is used for performing Active Directory diagnostics and restores. Only experienced administrators should use Ntdsutil.

11.1.6. Uninstalling Active Directory and Demoting Domain Controllers

To demote a domain controller and have it act as a standalone or member server, uninstall Active Directory by running the Active Directory Installation Wizard (DCPROMO.EXE) on the domain controller. You can also use the Configure Your Server wizard to demote a domain controller: run the Configure Your Server wizard and remove the Domain Controller (Active Directory) role. Before demoting domain controllers, consider the following:

- If you remove Active Directory and there are other domain controllers in the domain, the computer becomes a member server of the domain.
- If you remove Active Directory from the last domain controller in a domain, the computer becomes a standalone server in a workgroup. However, you cannot demote the last domain controller in a domain if there are child domains. If child domains exist, removal of Active Directory fails.
- If the domain controller is also a DNS server, the DNS data in the ForestDnsZones and DomainDnsZones partitions is removed. If the domain controller is the last DNS server in the domain, this means the last replica of the DNS information is removed from the domain and all domain DNS records will be lost.
- If the domain controller has a TAPI application directory partition, you may need to use the Tapicfg.exe utility to remove the partition prior to demoting the domain controller. You can determine the location of any TAPI application directory partitions in the domain by typing tapicfg show at a command prompt.
- If you try to demote a domain controller that is also a global catalog, you will see a warning prompt. Don't remove the last global catalog from a domain. If you do this, users won't be able to log on to the domain. To determine the global catalog servers in a domain, type the following at a command prompt:

  dsquery server -domain DomainName | dsget server -isgc -dnsname

  where DomainName is the name of the domain.

Tip: You must be a member of the Domain Admins group to remove an additional domain controller in a domain, and a member of the Enterprise Admins group to remove the last domain controller from a domain.
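The considerations above are the kind of thing that gets skipped under time pressure, so here is a Python pre-demotion checklist, added for this chapter and not code from the book, that turns them into checks over an inventory of the domain: the last domain controller with child domains (DCPROMO fails), the last DNS server (all domain DNS records lost), the last global catalog (users can't log on), TAPI application partitions (remove with tapicfg.exe first), and the group membership the Tip requires. The inventory is constructed inline so the checks run offline; in practice you would fill it from the dsquery/dsget pipeline and the tapicfg show command given above. Host names and the TAPI partition DN are invented samples.

```python
"""Pre-demotion checklist for a domain controller.

Added example for this chapter, not code from the book. It encodes the
considerations listed above as checks over a constructed inventory of a
domain. In practice the inventory would come from the dsquery/dsget
pipeline and tapicfg show; here it is built inline so the checks run offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str                                   # fully qualified host name
    is_global_catalog: bool = False             # from dsget server -isgc
    hosts_ad_integrated_dns: bool = False       # DNS with AD-integrated zones
    tapi_partitions: tuple[str, ...] = ()       # DNs reported by tapicfg show


@dataclass
class Domain:
    name: str
    controllers: list[DomainController]
    has_child_domains: bool = False


@dataclass
class DemotionReport:
    blocking: list[str] = field(default_factory=list)   # DCPROMO will fail
    warnings: list[str] = field(default_factory=list)   # data or logon loss
    notes: list[str] = field(default_factory=list)      # expected side effects
    required_group: str = "Domain Admins"
    resulting_role: str = "member server of the domain"

    @property
    def safe(self) -> bool:
        return not self.blocking and not self.warnings


def precheck_demotion(domain: Domain, dc_name: str) -> DemotionReport:
    """Report what demoting dc_name with DCPROMO would do to the domain."""
    report = DemotionReport()
    dc = next((c for c in domain.controllers if c.name.lower() == dc_name.lower()), None)
    if dc is None:
        report.blocking.append(f"{dc_name} is not a domain controller in {domain.name}")
        return report
    others = [c for c in domain.controllers if c is not dc]

    if not others:
        # Last DC: the server ends up standalone in a workgroup, Enterprise
        # Admins membership is required, and child domains make DCPROMO fail.
        report.required_group = "Enterprise Admins"
        report.resulting_role = "standalone server in a workgroup"
        if domain.has_child_domains:
            report.blocking.append(
                f"{domain.name} has child domains; removing Active Directory from its last domain controller fails")

    if dc.is_global_catalog and not any(c.is_global_catalog for c in others):
        report.warnings.append(
            "last global catalog in the domain; users will not be able to log on after demotion")

    if dc.hosts_ad_integrated_dns:
        if any(c.hosts_ad_integrated_dns for c in others):
            report.notes.append(
                "ForestDnsZones and DomainDnsZones replicas are removed from this server; other DNS servers keep theirs")
        else:
            report.warnings.append(
                "last DNS server in the domain; the last replica of the zones goes with it and all domain DNS records are lost")

    for partition in dc.tapi_partitions:
        report.warnings.append(
            f"TAPI application directory partition {partition} should be removed with tapicfg.exe before demotion")
    return report


# Constructed inventory: two domain controllers, both DNS servers, one global catalog.
SAMPLE_DOMAIN = Domain(
    name="domain.local",
    controllers=[
        DomainController("engsvr52.domain.local", is_global_catalog=True, hosts_ad_integrated_dns=True),
        DomainController("engsvr84.domain.local", hosts_ad_integrated_dns=True),
    ],
)

if __name__ == "__main__":
    for host in ("engsvr52.domain.local", "engsvr84.domain.local"):
        r = precheck_demotion(SAMPLE_DOMAIN, host)
        print(f"{host}: becomes {r.resulting_role}; requires {r.required_group}")
        for line in r.blocking:
            print("  BLOCK:", line)
        for line in r.warnings:
            print("  WARN :", line)
        for line in r.notes:
            print("  note :", line)
```

In the constructed domain, demoting engsvr52 is not blocked but removes the only global catalog, which is exactly the warning prompt the wizard would show; demoting engsvr84 first is the safe order, since the other server keeps a DNS replica.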
To demote a domain controller, follow these steps:

1. Log on to the domain controller using an account with the appropriate administrator privileges.
2. Start the Active Directory Installation Wizard by typing dcpromo at a command prompt.
3. Click Next, and then follow the prompts. You will be prompted to type and confirm the password for the local Administrator account on the server. This is required because domain controllers don't have local accounts, but member and standalone servers do.

The Active Directory Installation Wizard demotes domain controllers by:

- Removing Active Directory and related services.
- Removing domain controller SRV records from DNS.
- Removing Group Policy security settings for domain controllers and reenabling local security settings.
- Changing the computer account type and moving the computer account from the Domain Controllers container to the Computers container.
- Transferring any operations master roles from the server to another domain controller in the domain.
- Creating a local SAM account database and a local Administrator account.

11.1.7. Setting Active Directory Forest and Domain Functional Levels

With Active Directory, each forest and each domain within a forest operates at a specific functional level. The functional levels of forests and of domains within forests are separate. The functional level for a forest is referred to as the forest functional level. The functional level for a domain within a forest is referred to as the domain functional level. While all domains in a forest have the same forest functional level, each domain in a forest can have a different domain functional level.

The functional level determines how Active Directory can be used and what features are enabled. By default, Active Directory is configured to be compatible with Windows NT domains and clients. When a domain is operating in the default mode, a domain controller running Windows 2000 or later is designated as a PDC emulator.
A PDC emulator is a special operations master role that allows the domain controller to act as the primary domain controller for Windows NT clients in the domain. Windows NT domains have a primary domain controller and one or more backup domain controllers rather than multiple domain controllers that are all equally accountable. The domain functional levels follow:
Windows 2000 mixed mode
    The default mode, unless you're upgrading from Windows NT 4.0. This mode supports Windows Server 2003, Windows 2000, and Windows NT domains. Domains operating in this mode can't use many Active Directory features, including group nesting, group type conversion, universal groups, easy domain controller renaming, update logon timestamps, migration of security principals, and Kerberos key distribution center (KDC) key version numbers.

Windows 2000 native mode
    This mode supports Windows Server 2003 and Windows 2000 domains only. Windows NT domains are not supported. Domains operating in this mode can use group nesting, group type conversion, universal groups, and migration of security principals. Domains operating in this mode aren't able to use easy domain controller renaming, update logon timestamps, and Kerberos KDC key version numbers.

Windows Server 2003 interim mode
    This mode supports Windows Server 2003 and Windows NT domains only. Windows 2000 domains aren't supported. If you upgrade from a Windows NT domain to a Windows Server 2003 domain, this is the default mode. Only servers running Windows NT and Windows Server 2003 can be used.

Windows Server 2003 mode
    This mode supports Windows Server 2003 domains only. Windows NT and Windows 2000 domains are not supported. Domains in this mode can use all Active Directory features, including group nesting, group type conversion, universal groups, easy domain controller renaming, updating logon timestamps, migration of security principals, and Kerberos KDC key version numbers.

Domain functional level can be raised, but not lowered. You can:

- Raise the domain functional level from Windows 2000 mixed mode to Windows 2000 native mode.
- Raise the domain functional level from Windows 2000 native mode or Windows Server 2003 interim mode to Windows Server 2003 mode.

To raise the domain functional level, follow these steps:

1. Start Active Directory Domains And Trusts from the Administrative Tools menu.
2. Right-click the domain, click All Tasks, and then click Raise Domain Functional Level. The current domain name and functional level are displayed in the Raise Domain Functional Level dialog box.
3. When you click OK, the new domain functional level is replicated to each domain controller in the domain. You can't reverse this action.

The forest functional levels follow:
Windows 2000
    The default mode, unless you're upgrading from Windows NT 4.0. This mode supports domain controllers running Windows Server 2003, Windows 2000, and Windows NT. Forests operating in this mode can't use many Active Directory features, including extended two-way trusts between forests, domain rename, domain restructure using renaming, and global catalog replication enhancements.

Windows Server 2003 interim mode
    This mode supports Windows Server 2003 and Windows NT domain controllers only. Windows 2000 domain controllers aren't supported. If you upgrade from Windows NT to Windows Server 2003, this is the default mode for the forest.

Windows Server 2003 mode
    This mode supports Windows Server 2003 domain controllers only. Windows NT and Windows 2000 domain controllers are not supported. Forests operating in this mode can use many Active Directory features, including extended two-way trusts between forests, domain rename, domain restructure using renaming, and global catalog replication enhancements.

Forest functional level can be raised, but not lowered. To raise the forest functional level, follow these steps:

1. Start Active Directory Domains And Trusts from the Administrative Tools menu.
2. Right-click the domain, and then click Raise Forest Functional Level. The current forest name and functional level are displayed in the Raise Forest Functional Level dialog box.
3. To change the forest functionality, use the selection list provided to choose the new forest functional level, and then click Raise.
4. When you click OK, the new forest functional level is replicated to each domain controller in the forest. You can't reverse this action.

11.1.8. Using UPN Suffixes

Every user account has a User Principal Name (UPN) that consists of the user logon name combined with the at symbol (@) and a UPN suffix. The names of the current domain and the root domain are set as the default UPN suffixes. You can specify an alternate UPN suffix to simplify logon or provide additional logon security. This name is used only within the forest and does not have to be a valid DNS name. For example, if the UPN suffix for a domain is tech.domain.local, you could use an alternate UPN suffix to simplify logon for this domain. This would allow the user williams to log on using williams@domain rather than williams@tech.domain.local.

You can add or remove UPN suffixes for an Active Directory forest and all domains within that forest by completing the following steps:

1. Start Active Directory Domains And Trusts from the Administrative Tools menu.
2. Right-click the Active Directory Domains And Trusts node, and then click Properties.
3. To add a UPN suffix, type the alternate suffix in the box provided, and then click Add. To remove a UPN suffix, click the suffix to remove in the list provided, and then click Remove.
4. Click OK.
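Because a functional level raise in 11.1.7 cannot be reversed, it is worth checking the inventory before clicking Raise. The following Python pre-flight check is added for this chapter and is not code from the book. It encodes the level descriptions above (which domain controller operating systems each domain and forest level supports, and that levels can only go up) and reports every reason a raise would be refused. Two points go beyond what the chapter states and are assumptions here: a Windows 2000 mixed domain may be raised straight to Windows Server 2003 (the chapter lists only the two-step path), and a forest can be raised to Windows Server 2003 only once every domain in it is already at that domain level. The host and domain names in the tests are constructed.

```python
"""Pre-flight check for raising domain and forest functional levels.

Added example for this chapter, not code from the book. The OS-support tables
come from the level descriptions in 11.1.7; the direct mixed-to-2003 raise and
the rule that every domain must reach a level before the forest can are
assumptions noted in the lead-in.
"""
from __future__ import annotations

NT, W2K, WS03 = "Windows NT", "Windows 2000", "Windows Server 2003"

# Domain controller operating systems each level supports (from 11.1.7).
DOMAIN_LEVELS = {
    "Windows 2000 mixed":          {NT, W2K, WS03},
    "Windows 2000 native":         {W2K, WS03},
    "Windows Server 2003 interim": {NT, WS03},
    "Windows Server 2003":         {WS03},
}
FOREST_LEVELS = {
    "Windows 2000":                {NT, W2K, WS03},
    "Windows Server 2003 interim": {NT, WS03},
    "Windows Server 2003":         {WS03},
}

# Permitted raises. Interim is never a target: it is set only by an upgrade
# from Windows NT, so the only way out of it is up to Windows Server 2003.
DOMAIN_RAISES = {
    "Windows 2000 mixed":          {"Windows 2000 native", "Windows Server 2003"},
    "Windows 2000 native":         {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003":         set(),
}
FOREST_RAISES = {
    "Windows 2000":                {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003":         set(),
}

# Domain level every domain must already be at before the forest can go there
# (assumption, not stated in the chapter).
FOREST_REQUIRES_DOMAIN = {"Windows Server 2003": "Windows Server 2003"}


def _unsupported_dcs(level_table: dict, target: str, dc_os: dict[str, str]) -> list[str]:
    """Domain controllers whose operating system the target level does not support."""
    allowed = level_table[target]
    return sorted(name for name, os_name in dc_os.items() if os_name not in allowed)


def check_domain_raise(current: str, target: str, dc_os: dict[str, str]) -> list[str]:
    """Reasons a domain-level raise would be refused; [] means it can proceed.

    dc_os maps each domain controller in the domain to its operating system.
    """
    if current not in DOMAIN_LEVELS or target not in DOMAIN_LEVELS:
        return [f"unknown level: {current!r} -> {target!r}"]
    problems = []
    if target == current:
        problems.append("domain is already at that level")
    elif target not in DOMAIN_RAISES[current]:
        problems.append(f"{target} is not a permitted raise from {current}; levels are never lowered")
    for name in _unsupported_dcs(DOMAIN_LEVELS, target, dc_os):
        problems.append(f"{name} runs {dc_os[name]}, which {target} does not support")
    return problems


def check_forest_raise(current: str, target: str, domain_levels: dict[str, str],
                       dc_os: dict[str, str]) -> list[str]:
    """Same for the forest level; domain_levels maps each domain to its domain level."""
    if current not in FOREST_LEVELS or target not in FOREST_LEVELS:
        return [f"unknown level: {current!r} -> {target!r}"]
    problems = []
    if target == current:
        problems.append("forest is already at that level")
    elif target not in FOREST_RAISES[current]:
        problems.append(f"{target} is not a permitted raise from {current}; levels are never lowered")
    needed = FOREST_REQUIRES_DOMAIN.get(target)
    if needed:
        for domain, level in sorted(domain_levels.items()):
            if level != needed:
                problems.append(f"domain {domain} is at {level}; raise it to {needed} first")
    for name in _unsupported_dcs(FOREST_LEVELS, target, dc_os):
        problems.append(f"{name} runs {dc_os[name]}, which {target} does not support")
    return problems
```

Run the domain check for every domain first and the forest check last; an empty list from both is the signal that the Raise button in Active Directory Domains And Trusts will not leave a domain controller behind.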