webgurukul-blog
Webgurukul
9 posts
Webgurukul was created primarily as a space to share my thoughts on self-help, management, science and technology. The content published here is free to be distributed; I would be more than happy if it reaches more people through you. Feel free to put your questions through the "Ask me Anything" section.
webgurukul-blog · 13 years ago
Active Directory Domain Services (AD DS) - Installation - Part I
Note: This article has been split into parts because of its length; this is Part 1 of the 3-part series.
Introduction
Active Directory Domain Services (AD DS) is a server role in both Windows Server 2008 and Windows Server 2008 R2.  It provides directory services that can be used for centralization of resources, easier management and enhanced security.  In this post, we will cover the following topics related to AD DS:
1. What's New in AD DS Installation
2. Requirements for Installing AD DS
3. Step-by-step Installation procedure
4. Best Practices
5. Known Issues
1. What's New in AD DS Installation
In the earlier Windows Server 2003, there was no concept of 'Roles' and 'Features'.  To install directory services, we ran dcpromo.exe directly.  From Windows Server 2008 onwards this has changed: first we have to enable the Active Directory Domain Services (AD DS) role from Server Manager.  There are no further changes to the installation options in Windows Server 2008 R2; the only changes are the available functional levels for the domain and forest.
If you already have a Windows Server 2003 based forest and domains, you will need to run adprep.exe before you proceed with the installation, in both Windows Server 2008 and Windows Server 2008 R2 environments.
When you install AD DS through the installation wizard (dcpromo.exe), the following new options are available for the domain controller:
a) Domain Name System (DNS) Server: In Windows Server 2003, installing DNS was optional but recommended.  In Windows Server 2008 and R2, DNS installation and configuration is automatic.  When you install DNS on the first domain controller in a new child domain, a delegation for the new domain is automatically created in DNS.
b) Global Catalog (GC) Server: In Windows Server 2003, installation of a Global catalog was automatic only for the first domain controller of the forest.  All subsequent domain controllers, if required, were supposed to be enabled as GC manually.  In Windows Server 2008 and R2 versions, you can select if you want the domain controller to be configured as GC also, in the installation wizard itself.
c) Read-only DC (RODC): The concept of the read-only domain controller (RODC) was introduced in Windows Server 2008.  A writable domain controller must already be present before you select the RODC installation option, and the first domain controller of the forest cannot be an RODC.
The AD DS Installation Wizard (dcpromo.exe) has a new option to select advanced mode, equivalent to running dcpromo.exe /adv, which lets you configure or select the following:
a) Create a new domain tree
b) Install from Media (IFM)
c) Select the source domain controller for the installation
d) Modify the NetBIOS name generated by the wizard by default
e) Define the Password Replication Policy (PRP) for an RODC
Other options available in the installation wizard are shown in a screenshot in the original post.
Some additional improvements in the Installation Wizard are:
a) By default the logged-on user's credentials are used; you can specify another account if needed
b) At the end of the Installation Wizard, there is an option to export all the selected options as a template or as an answer file for future installations and reference
c) You can specify password=* in the answer file so that the password is prompted for at run time instead of being stored in the file
d) You can now force-remove a domain controller, even from Directory Services Restore Mode (DSRM)
Scenarios for Installing AD DS:
a) Install a new forest
b) Install a new domain in an existing forest
c) Install a new domain controller in an existing forest
d) Perform a staged RODC installation
e) Install AD DS from media
2. Requirements for Installing AD DS
The system requirements given here are estimates only; proper sizing of hardware should be done based on your own requirements and load, and you may need experienced professionals to do that for you.  For design considerations and recommendations, refer to the AD DS Design Guide.
Hardware Requirements: (presented as a table image in the original post)
Software Requirements:
a) A server meeting the hardware requirements above, with Windows Server 2008 or Windows Server 2008 R2 installed
b) DNS infrastructure
c) PowerShell (if the command line is to be used; it ships with the OS)
d) TCP/IP addresses and good, redundant network connectivity
e) An answer file or installation template containing all the information required
Key Points to Remember:
i) There are many changes in Windows Server 2008 and Windows Server 2008 R2 compared with a Windows Server 2003 based Active Directory Domain Services installation
ii) You can now use the Server Core option together with an RODC to install AD DS in remote locations where physical and administrative security is a challenge.
iii) Many new options have been added to the Installation Wizard in Windows Server 2008 and R2
iv) Hardware and software requirements differ, as Windows Server 2008 and R2 are mainly 64-bit operating systems and therefore scale much further
We are at the end of Part 1 of the 3-part series, and it is worth revisiting the important points we covered about AD DS installation in this part. We will cover the "Step-by-Step Installation of AD DS" in the 2nd part of the series.
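As an added example (not from the original post), the following PowerShell script performs the pre-installation checks discussed in this part on the server about to be promoted: it confirms the OS, reads the forest schema version to decide whether adprep.exe is required, checks that a DNS resolver is configured, and then writes a dcpromo answer file that keeps the DSRM password out of the file. The forest name corp.example.test, the NetBIOS name and the paths are constructed sample values; the answer-file keys are the dcpromo /unattend keys.

```powershell
# Added example (not from the original post): pre-installation checks for
# promoting a Windows Server 2008 / 2008 R2 domain controller, followed by
# generating a dcpromo answer file that keeps the DSRM password out of the file.
# Assumptions: run in an elevated PowerShell 2.0 session on the server to be
# promoted; domain/NetBIOS names and paths below are constructed sample values.

# --- 1. OS and architecture: AD DS on 2008 R2 is 64-bit only ---
$os = Get-WmiObject -Class Win32_OperatingSystem
"{0} ({1})" -f $os.Caption, $os.OSArchitecture
if ($os.Caption -notmatch 'Windows Server 2008') {
    throw "Unsupported OS for this procedure: $($os.Caption)"
}

# --- 2. Schema version of an existing forest: decides whether adprep is needed ---
# Schema objectVersion values published by Microsoft:
#   30 = Windows Server 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2
$targetVersion = 47   # promoting a Windows Server 2008 R2 DC; use 44 for 2008
try {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]("LDAP://" + $rootDse.schemaNamingContext)
    $current = [int]$schema.objectVersion.Value
    "Forest schema objectVersion: $current"
    if ($current -lt $targetVersion) {
        "adprep /forestprep and adprep /domainprep are required before dcpromo."
    } else {
        "Schema already at $current; no adprep needed for target $targetVersion."
    }
} catch {
    "No existing forest reachable (new-forest install) or LDAP query failed: $($_.Exception.Message)"
}

# --- 3. DNS: make sure a resolver is configured on an enabled adapter ---
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
if (-not $dnsServers) { throw 'No DNS servers configured on any enabled adapter.' }
"DNS servers: $($dnsServers -join ', ')"

# --- 4. Answer file for an unattended new-forest installation ---
# SafeModeAdminPassword is deliberately left empty so the DSRM password is never
# written to disk; it is supplied on the dcpromo command line when the file is used.
# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level.
$answerFile = Join-Path $env:TEMP 'dcpromo-newforest.txt'
@'
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.test
DomainNetBiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII

# Restrict the file to Administrators and SYSTEM: it holds no secret, but it
# does describe the forest layout, and it should not be world-readable.
icacls $answerFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
"Answer file written to $answerFile"
"Run: dcpromo /unattend:$answerFile /SafeModeAdminPassword:<value supplied at run time>"
```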
Regards,
Phani@Webgurukul
webgurukul-blog · 13 years ago
Concept: Active Directory Domain Services
Now what is this 'Active Directory Domain Services'?  In fact, we already talked about Active Directory Services; was that not the Active Directory we know from Windows Server 2003?
I know this question might be in many of your minds, and there is nothing wrong with that; even at first glance I had similar questions a few years back when Windows Server 2008 was launched.  From Windows Server 2008 onwards, Microsoft introduced the concept of a 'Role', which needs to be enabled/installed before we install that service on the server. This gives us the flexibility of enabling only those roles that are required on that server.  In Windows Server 2003 these were called 'Windows Components' and were installed through 'Add/Remove Programs > Windows Components'. All the roles listed under Active Directory Services were present in Windows Server 2003/R2 as well, but under different names, and a few had to be installed separately.  A small comparison table appears as an image in the original post.
Since we started the 'Concept' section with Active Directory Services, we will continue and complete all the roles we talked about in our first article (Concept: Active Directory Services).  Let's get into the technicalities of this concept.  However, as the series name suggests, we will touch only on the conceptual part here and will dig further into the technical aspects in another series dedicated to AD DS.
Overview of Active Directory Domain Services
Here is the most interesting of all the roles of Active Directory Services.  We have already talked about it, but let us review it to refresh our understanding.
AD DS is nothing but the actual Active Directory service of Windows Server 2003 that you are referring to.  It stores directory data and manages communication between users, computers and domains, including user logon processes, authentication and directory searches.  The server on which the AD DS role is installed and running is called a "Domain Controller".
There are many improvements and new features which are not present in the earlier versions of AD DS.  Following are the few selected and important features which are new in Windows Server 2008:
Auditing 
Multiple fine-grained Password Policies 
Read-Only Domain Controllers 
Restartable Active Directory Domain Services 
Database Mounting Tool (Snapshot Viewer or Snapshot Browser) 
User Interface Improvements
Owner Rights
Basically, AD DS is a database that stores and manages information about network resources and other directory-enabled application data.  IT administrators can use AD DS to organize all the resources in a structured manner, including forests, domains, domain controllers, OUs, users, computers, groups and so on.  Organizing the objects brings the following benefits.
The forest in AD DS acts as a security boundary, ensuring that services are provided only to authenticated objects and resources.  The administrator can change the scope of the security boundary with the help of trusts and other security permissions. By default, when you install AD DS for the first time in your organization, it is a single-forest, single-domain instance.
Depending on the needs of your organization, its geographical presence and business requirements, you may want to create multiple domains.  In the case of mergers and acquisitions, it may be decided to retain both AD forests as they are, with the required trusts and other connectivity in place.  You may also find multiple trees within a forest.
To make the IT administrator's life easier, multiple OUs can be created within a domain, based on geographical locations, departments and so on, to manage more effectively and to apply different policies as required.
Features in ADDS
In this world of viruses, malware, cyber-attacks and code vulnerabilities, the built-in security of any application or service is the first line of defense. Security had long been the prime concern on the Windows platform compared with non-Windows platforms.  However, that is the story of the past; Microsoft has taken this seriously over the past few years and a lot of enhancements have been incorporated into the OS and applications from 2008 onwards.
Read-only domain controller (RODC): An RODC is a new type of domain controller that hosts read-only partitions of the Active Directory database. An RODC is particularly useful in cases in which:
The physical security of a domain controller cannot be ensured or its location does not include administrators with the domain-wide authority that is required to administer a writable domain controller.
Branch office users can benefit from a more efficient logon process that is provided by a local domain controller in the branch office.
Staged installation of an RODC: This feature provides RODC installation in two stages. During the first stage, a member of the Domain Admins group creates an account for the RODC. During the second stage, a delegated user attaches a server to the RODC account. 
RODC filtered attribute set: A set of secret-like attributes that is not replicated to an RODC. This prevents the attribute values from being revealed if an RODC is stolen. The RODC filtered attribute set can be configured dynamically for an application. 
Administrator role separation: This feature allows domain administrators to delegate the installation and administration of an RODC to nonadministrative users.
Improved installation wizard: The Active Directory Domain Services Installation Wizard (dcpromo.exe) has improved support for unattended installations, site selection, staged installation for RODCs, and other advanced options. 
Generate secure installation media: With this feature, you can use Ntdsutil.exe in Windows Server 2008 to create secure installation media for subsequent AD DS and Active Directory Lightweight Directory Services (AD LDS) installations. 
In earlier versions of Windows Server, administrators were encouraged to use Ntbackup.exe to create domain controller installation media. In Windows Server 2008, administrators are encouraged to use Ntdsutil.exe to create installation media. 
You can create media that does not contain cached secrets (such as passwords) to use it for an RODC installation. When you remove cached secrets from the installation media, a malicious user who gains access to the installation media cannot extract any secrets from it. 
Restartable AD DS: You can use this feature to stop and restart AD DS without restarting the domain controller itself. Offline operations, such as offline defragmentation, can be completed more quickly because the domain controller does not have to be restarted in Directory Services Restore Mode.
Auditing AD DS changes: This feature sets up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
Fine-grained password policy: This feature makes it possible for password and account lockout policies to be specified for certain users and global security groups in a domain. It uses new password-setting objects and precedence rules to remove the restriction of a single policy for each domain.
Dynamic MAPI ID Support: This feature makes it possible for Messaging API (MAPI) identifiers (IDs) to be assigned dynamically (that is, generated randomly from a reserved pool of MAPI IDs), in addition to being assigned statically. With dynamic MAPI IDs, you can extend your Active Directory schema and add custom attributes for Exchange Server.
Data mining tool: With this feature you can view AD DS and AD LDS data that is stored in snapshots or backups online. Although this feature does not enable you to restore deleted objects and containers, you can use it to compare data in snapshots or backups that are taken at different points in time to better decide which data to restore, without having to restart the domain controller or the AD LDS server.
(Courtesy: Microsoft Technet - Link)
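As an added example (not from the original post or from the Microsoft text quoted above), the script below exercises the fine-grained password policy feature with the Active Directory PowerShell module that ships with Windows Server 2008 R2, showing how the precedence rules decide which password-setting object (PSO) a user actually gets. It assumes a domain at Windows Server 2008 functional level or higher, a Domain Admin session, and constructed sample group and user names (Tier0-Admins, Service-Accounts, svc-backup-admin).

```powershell
# Added example (not from the original post): fine-grained password policies
# with the Windows Server 2008 R2 Active Directory module.
# Assumptions: domain functional level Windows Server 2008 or higher; session
# runs as a Domain Admin; the group and user names are constructed samples.
Import-Module ActiveDirectory

# Two password-setting objects (PSOs). Precedence: the LOWER number wins when
# several PSOs reach the same user through group membership.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Long, rarely rotated passwords and no lockout for service accounts, so an
# attacker cannot lock them out by spraying bad passwords.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 50 `
    -MinPasswordLength 32 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 0 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Tier0-Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service-Accounts'

# Resultant policy for a user that is a member of BOTH groups: the PSO with the
# lower precedence value (10, the stricter admin policy) is the one in effect.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup-admin' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# A PSO linked directly to the user account overrides any group-linked PSO,
# regardless of precedence value. Re-check the effective policy after each
# change instead of inferring it from the numbers.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'svc-backup-admin'
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup-admin' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review view: every PSO in the domain, ordered by precedence, with its subjects.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Users that no PSO reaches still get the domain's Default Domain Policy settings, so the review view should be read together with that policy.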
The features above are new additions to what Active Directory Services on Windows Server 2003 had.  Now, I hope you are aware of what the AD DS role is all about.  We will dig more into the technical aspects as we progress.  Feel free to write me at [email protected] for any queries and clarifications.
Phani@Webgurukul
webgurukul-blog · 13 years ago
Restructuring AD Domains within a forest - Part I
Practical Challenges
Having multiple domains in a single forest, when the number of users is small, is always difficult to manage and increases the complexity of your architecture.  Since your Active Directory is the central database of all the users in your organization, where all the required information is captured, many office productivity and other internal applications tend to integrate with it, making it more challenging for both IT administrators and the development teams.
When we speak about operational challenges, there are many that are encountered on a daily basis: applying group policies, upgrading the schema whenever required, exporting user dumps, changes in security policies and so on; the list is endless when you deal with a multi-domain Active Directory environment.  In order to reduce the number of domains, a lot of planning has to be done, as you would be making changes in the production environment.  We will see what you should consider and take note of before you actually restructure your Active Directory environment.
Overview of restructuring Active Directory domains
On a very basic note, restructuring Active Directory domains should give you the following benefits apart from reducing the number of domains:
Decrease the administrative overhead
Decrease the replication traffic
Reduce the amount of user and group administration
Simplify the group policy configuration and administration
Let's take a deep dive into the technical aspects of restructuring now!
The most efficient Active Directory design includes the smallest possible number of domains.  You might have to restructure the domains in your forest based on organizational requirements, administrative challenges and security parameters.  We will go an inch deeper into each of these considerations.
Organizational & Security requirements: Certain organizations have different policies and procedures for different geographical regions, especially if they are spread globally.  These policies and procedures are generally based on local laws and compliance requirements.  Since most security policies and other parameters are scoped to your domain security boundary, they cannot differ within the same domain.
Administrative challenges: Many changes are required on a regular basis, especially to group policies and other user settings, driven by business needs and other internal organizational requirements.  If there are more domains, the same exercise has to be repeated multiple times.  Another example, mentioned at the start of the article, is updating the schema, which can be a rare scenario.
As part of the exercise to restructure active directory domains; you may have to consider if there is a need to restructure your network topology on the following aspects as well:
If there is a need to upgrade your network components as well
If there is a need to increase the network bandwidth, as the number of domain controllers might also reduce
The restructuring process is similar to migrating user, group and computer accounts from one domain to another.  The only difference is that at the end of the migration, the source domain is decommissioned.
Restructuring Process
To keep downtime to a minimum and ensure that all the resources are accessible to the end users as they were before the migration, it is recommended to use the Active Directory Migration Tool (ADMT) to migrate all the objects: users, computers and groups.  A diagram in the original post shows the process that Microsoft recommends for restructuring.
We will conclude the first part here; in the next part we will discuss what background information we need and what to take into consideration for the restructuring process to be seamless and successful.  We will also try to include a checklist that can be used to track the end-to-end restructuring process, probably as a last part.
Phani@Webgurukul
webgurukul-blog · 13 years ago
There's a point in life when you get tired of chasing everyone and trying to fix everything, but it's not giving up. It's realizing that you don't need certain people and their crap.
webgurukul-blog · 13 years ago
Concept: Active Directory Services
It is nothing new to you that I have to introduce the term "Active Directory Services", which has been the buzzword in the world of infrastructure services, especially for professionals working on the Microsoft platform.  So, what is great about Active Directory Services (ADS)?
History
Active Directory is the brainchild of Microsoft; it was first previewed in 1999, and its first version was released with Windows 2000 Server.  Active Directory (AD) was based on LDAP directory services and created especially for Windows domain networks.  Even though it was based on LDAP, the three main components for AD to work properly were:
Lightweight Directory Access Protocol (LDAP) - Directory Services
Kerberos - Authentication
DNS - Name Resolution
The first version of AD was revised over time and improved to a very large extent; it has completed its journey through Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and finally the latest version of Windows, i.e. Windows Server 2008 R2.
Active Directory has evolved so much that it is one of the most widely used directory services in the corporate world.  Microsoft, as of January 2012, holds around 92% of the market share on the planet.  That's the competition they face on the Operating System (OS) side.
Active Directory has been an integral part of the Operating System right from its birth.  With the latest version, Windows Server 2008, it has been designated as a role on the server.  Leaving the past behind, if we look at the latest version of the OS, the following are the different roles that are part of Active Directory Services:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
If you are new to Windows or Active Directory and wondering whether these existed in earlier versions of Windows: yes, they did.  Microsoft has just changed the names of the different services.  In the following sections we elaborate on each service, giving the old name and versions.
1.  Active Directory Domain Services (AD DS)
AD DS is nothing but the actual Active Directory service of Windows Server 2003 that you are referring to.  It stores directory data and manages communication between users, computers and domains, including user logon processes, authentication and directory searches.  The server on which the AD DS role is installed and running is called a "Domain Controller".
There are many improvements and new features which are not present in the earlier versions of AD DS.  Following are the few selected and important features which are new in Windows Server 2008:
Auditing 
Multiple fine-grained Password Policies 
Read-Only Domain Controllers 
Restartable Active Directory Domain Services 
Database Mounting Tool (Snapshot Viewer or Snapshot Browser) 
User Interface Improvements
Owner Rights
2.  Active Directory Lightweight Directory Services (AD LDS)
This role was formerly known as Active Directory Application Mode (ADAM) in Windows Server 2003.  With this role, you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirement of a single schema throughout the forest.
3. Active Directory Certificate Services (AD CS)
This specific role was also part of Windows Server 2003, where we were supposed to install it manually if we really needed Certificate Services in our environment.  But what are these Certificate Services in the first place?  AD CS is an identity and access control security technology that provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.
Some of the new features that come along with AD CS role on Windows Server 2008 are as follows:
Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis. 
Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.
4.  Active Directory Federation Services (AD FS)
Federation services were also present in Windows Server 2003.  AD FS is used to provide web single sign-on (SSO) services that authenticate a user to multiple web applications over the life of a single online session.  There have been some improvements from Windows Server 2008 onwards, which are listed below for your instant reference.  They will be detailed in subsequent articles.
Improved installation: AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
Improved application support: AD FS is more tightly integrated with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).
A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.
5.  Active Directory Rights Management Services (AD RMS)
Rights Management Services was also present in Windows Server 2003, but many improvements and new features have been incorporated in Windows Server 2008 based instances.  AD RMS is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.  Content owners can define who can open, modify, print, forward or take other actions with the information.
Further, the following features have been updated in the latest version of AD RMS:
Inclusion of AD RMS in Windows Server 2008 as a server role
Administration through a Microsoft Management Console (MMC)
Integration with Active Directory Federation Services (AD FS)
Self-enrollment of AD RMS servers
Ability to delegate responsibility by means of new AD RMS administrative roles
Active Directory on Windows Server 2008 has a lot in its belly.  It is up to our requirements and understanding how far we can capitalize on its features for our benefit and productivity.  We will look more in depth at Active Directory Domain Services and other related technologies very soon.  Keep watching this website for updates.
Phani@Webgurukul
webgurukul-blog · 13 years ago
Smile.......it will either warm their heart or piss them off! Either way you WIN!
webgurukul-blog · 13 years ago
Mathematics claims that there is no Valentine's Day in 2012. Check yourself out! 14-02-12=0 Surprised!!
webgurukul-blog · 13 years ago
Sometimes I pretend to be NORMAL, But it gets boring so, I go back to BEING ME!
webgurukul-blog · 13 years ago
Webgurukul gets a new Avatar!
One of my articles written some time back, which currently rests in the archives (not available to the public; it will be made available soon), refers to the quotation below from Esther Dyson.
Change means that what was before wasn't perfect. People want things to be better. ~Esther Dyson
I personally did not want Webgurukul to be a boring place to visit, and thus decided to add some spice to it.  I am impressed with the simplicity of Tumblr and thought of giving it a try.  It's worth taking the risk.
I thought of putting in some additional effort to make Webgurukul a more happening place than it is now!  I am planning to add the following sections to bring out the best for you, in addition to the articles I will be sharing with you on a regular basis.
1. Concepts | A quick refresher on a technical concept: simple things that are easy to forget and are not on top of your mind when you really need them.
2. Tips 'N' Tricks | Theoretical concepts do vary from practical scenarios. Here I will try to share tips and tricks from real-time issues and activities.  You are never going to get these in any of the books or other training.
3. Training | Till now I have limited sharing my knowledge to close friends and colleagues.  I want to expand this to the public.  I have not yet decided on how it would be made possible, but it is on my wishlist and I will put in all possible effort to make it happen, at least once a quarter.
I am unsure whether I will be able to deliver, but I will not hesitate to step in and see why I would fail to deliver.
Keep watching this space and I will not disappoint you.  F5 yourself!
Note: Old site can be accessed at http://history.webgurukul.net.
Phani@Webgurukul