2. Installing and Administering Active Directory
**********************
Determining the Domain Structure
Transmission Control Protocol/Internet Protocol (TCP/IP)
Berkeley Internet Name Domain (BIND)
Internet Software Consortium (ISC)
**********************
A dedicated forest root domain exists only to serve as the root of the forest; because it contains no ordinary user or resource accounts, ownership of the root can be transferred easily.
The role of a dedicated forest root domain is to define and manage the forest infrastructure: it holds the schema and configuration partitions and, by default, the schema master and domain naming master roles, and its Enterprise Admins and Schema Admins groups control the whole forest.
**********************
Security Accounts Manager (SAM)
Primary Domain Controller (PDC)
**********************
Active Directory Files and Folders
Extensible Storage Engine (ESE)
The directory database is stored in a file named Ntds.dit.
The Shared System Volume (Sysvol) must be located on an NTFS partition or NTFS volume, because the file permissions and junction points Sysvol relies on exist only on NTFS.
**********************
Installing Active Directory
There are four ways to install Active Directory:
Using the Active Directory Installation Wizard (Dcpromo.exe) interactively
Using an answer file to perform an unattended installation (dcpromo /answer:<file>)
Using the network or backup media as the replication source for an additional domain controller
Using the Configure Your Server Wizard
**********************
Dynamic Host Configuration Protocol (DHCP)
Telephony Application Programming Interface (TAPI)
**********************
Installing Active Directory Using the Network or Backup Media
The amount of replication required depends on the age of the backup: only the changes made since the backup was taken are pulled over the network.
The backup cannot be older than the tombstone lifetime of the forest, which is 60 days by default (180 days for forests created with Windows Server 2003 SP1 or later); an older backup would reintroduce objects that the other domain controllers have already purged.
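Both unattended paths listed above (an answer file, and installing an additional domain controller from backup media) drive the same tool, Dcpromo.exe, so one added example covers them. This is an added PowerShell example, not code from the original notes; the domain corp.example.com / CORP, the host dc1, the drive letters and the restored-backup folder D:\IFM are assumed placeholders, and the [DCInstall] keys are the ones documented for Windows Server 2003 unattended setup (check them against Ref.chm on your installation media). The tombstone-lifetime lookup is included because an install-from-media backup older than that limit must not be used.

```powershell
# Added example: unattended Active Directory installation on Windows Server 2003.
# Assumed placeholders: corp.example.com / CORP, dc1, D:\ and E:\ paths, D:\IFM.

# Case 1: first domain controller of a new forest (the forest root domain).
$newForest = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
AutoConfigDNS=Yes
DatabasePath=D:\NTDS
LogPath=E:\NTDSLogs
SYSVOLPath=D:\SYSVOL
SafeModeAdminPassword=ReplaceWithStrongDSRMPassword
RebootOnSuccess=No
"@

# Case 2: additional DC for an existing domain, seeded from a system state backup of
# another DC that was restored to D:\IFM with ntbackup ("restore to alternate location").
# Only the changes made since that backup are then replicated over the network.
$replicaFromMedia = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
ReplicationSourceDC=dc1.corp.example.com
ReplicateFromMedia=Yes
ReplicationSourcePath=D:\IFM
UserName=Administrator
UserDomain=CORP
Password=ReplaceWithDomainAdminPassword
DatabasePath=D:\NTDS
LogPath=E:\NTDSLogs
SYSVOLPath=D:\SYSVOL
SafeModeAdminPassword=ReplaceWithStrongDSRMPassword
RebootOnSuccess=No
"@

function Get-TombstoneLifetimeDays([string]$forestRootDn) {
    # tombstoneLifetime lives on the Directory Service object in the configuration
    # partition. When unset, the default applies: 60 days on the original Windows
    # Server 2003 release, 180 days for forests created with SP1 or later.
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$forestRootDn"
    $value = $ds.Properties["tombstoneLifetime"].Value
    if ($value) { return [int]$value } else { return 60 }
}

function Assert-BackupUsableForIFM([string]$backupFile, [string]$forestRootDn) {
    # A backup older than the tombstone lifetime would reintroduce objects the rest of
    # the forest has already purged (lingering objects), so refuse it.
    $ageDays = ((Get-Date) - (Get-Item $backupFile).LastWriteTime).TotalDays
    $limit   = Get-TombstoneLifetimeDays $forestRootDn
    if ($ageDays -ge $limit) {
        throw "Backup is $([int]$ageDays) days old; tombstone lifetime is $limit days. Take a fresh backup."
    }
}

function Invoke-UnattendedDcpromo([string]$answerText) {
    # The answer file holds plaintext passwords: write it to the local disk only and
    # delete it as soon as dcpromo has consumed it, even if promotion fails.
    $answerFile = Join-Path $env:SystemRoot "Temp\dcinstall.txt"
    Set-Content -Path $answerFile -Value $answerText -Encoding ASCII
    try {
        dcpromo "/answer:$answerFile"
    } finally {
        Remove-Item $answerFile -Force
    }
}

# Example run for the install-from-media case (assumed backup path).
Assert-BackupUsableForIFM "D:\Backups\dc1-systemstate.bkf" "DC=corp,DC=example,DC=com"
Invoke-UnattendedDcpromo $replicaFromMedia
shutdown /r /t 0
```

RebootOnSuccess is set to No on purpose so that the script, not dcpromo, controls the reboot and can remove the answer file first; for the new-forest case call Invoke-UnattendedDcpromo with $newForest instead, without the backup check.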
**********************
Verifying DNS Configuration Settings
If you have difficulty installing Active Directory, verify the DNS settings on both the client and the server, especially if you see a message indicating that the domain or domain controller could not be contacted: the Active Directory Installation Wizard locates a domain controller through the SRV records in DNS, so a server whose DNS client points at a server that does not host (or cannot resolve) the domain's zone fails in exactly this way.
**********************
Troubleshooting the Active Directory Installation and Removal
Common problems encountered when installing and removing Active Directory:
You cannot reach the server from which you are installing, possibly because its DNS name has not been registered yet.
The name of the domain you are authenticating against is wrong, or the domain is not available.
The user name and password you supplied are wrong, or the account lacks the required rights (Enterprise Admins to create a new domain in an existing forest, Domain Admins to add a domain controller to an existing domain).
The DNS server settings are configured incorrectly.
**********************
Windows Server 2003 provides the following tools to diagnose and resolve problems encountered during Active Directory installation and removal:
Directory Service log
Network Connectivity tester
Domain Controller diagnostic tool
Dcpromoui.log
Dcpromos.log
Dcpromo.log
Active Directory diagnostic tool
**********************
Network Connectivity Tester (Netdiag.exe)
Run Netdiag whenever a computer is having network problems.
**********************
Domain Controller Diagnostic tool (Dcdiag.exe)
It analyzes the state of domain controllers in a forest or enterprise and reports any problems.
You can use it to perform a test that diagnoses domain controller connectivity, which is a common Active Directory installation troubleshooting issue.
**********************
The Dcpromoui.log file (in %systemroot%\Debug, alongside Dcpromo.log and Dcpromos.log) contains a detailed progress report of the Active Directory installation and removal processes.
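The DNS verification and the troubleshooting tools above are usually run together when the wizard reports that the domain or a domain controller cannot be contacted. The following is an added PowerShell example, not from the original notes; corp.example.com and dc1.corp.example.com are assumed placeholders, and netdiag, dcdiag and nltest are assumed to be installed from the Windows Server 2003 Support Tools (Support\Tools on the installation CD).

```powershell
# Added example: checks to run when dcpromo cannot contact the domain or a DC.
# Assumed placeholders: corp.example.com, dc1.corp.example.com.
$domain = "corp.example.com"
$dc     = "dc1.corp.example.com"

# 1. Which DNS server does this machine use? It must host or forward the AD zone;
#    pointing at an ISP resolver is the classic cause of "domain cannot be contacted".
ipconfig /all | findstr /c:"DNS Servers"

# 2. Can that server answer the SRV queries the DC locator uses to find a DC and a KDC?
#    No answer, or an answer naming a host that does not resolve, means the DC's
#    records were never registered (or the client is asking the wrong server).
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$domain"

# 3. Ask the locator itself, which is what dcpromo does internally.
nltest "/dsgetdc:$domain"

# 4. Client-side check on the server being promoted: NIC, DNS settings and whether
#    this host's own records are registered.
netdiag /test:DNS /v

# 5. Before promotion: can this server register its records in the target zone? If
#    dynamic updates are refused, the new DC's SRV records never appear and nothing
#    will find it afterwards.
dcdiag /test:RegisterInDNS "/DnsDomain:$domain"

# 6. DC-side check: the Connectivity test resolves the DC's GUID-based CNAME and
#    confirms that LDAP and RPC on the DC are reachable.
dcdiag "/s:$dc" /test:Connectivity

# 7. Still failing? The installation log in %systemroot%\Debug records every step;
#    show the last error lines.
Get-Content (Join-Path $env:SystemRoot "Debug\dcpromoui.log") |
    Select-String -Pattern "error|fail" |
    Select-Object -Last 20
```

Steps 1 to 3 isolate a client-side DNS problem from a registration problem on the domain controller: if nslookup returns the SRV records but nltest still fails, the DC is registered but unreachable (firewall or RPC), which is what step 6 then confirms.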
**********************
Access control entries (ACEs)
**********************
Active Directory Diagnostics tool (Ntdsutil.exe)
You can use Ntdsutil (its metadata cleanup menu) to remove the metadata left behind by a domain controller that was removed from the network without being properly demoted. Until you do, the remaining domain controllers keep trying to replicate with it, and its orphaned server object, computer account and DNS records still advertise it as a valid domain controller.
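The metadata cleanup procedure as an added PowerShell example (not from the original notes). Assumed names: the lost domain controller DC2, the surviving domain controller dc1.corp.example.com, the domain corp.example.com and a single site; the domain, site and server index numbers passed to Remove-DcMetadata are assumptions that must be read off the listing first. ntdsutil, dsquery and dsrm ship with Windows Server 2003; dnscmd and repadmin are Support Tools.

```powershell
# Added example: metadata cleanup for a DC that was lost without being demoted.
# Assumed: dead DC "DC2", surviving DC dc1.corp.example.com, domain corp.example.com.
# Run on the surviving DC as a member of Enterprise Admins.

function Show-NtdsutilTargets([string]$survivingDc) {
    # ntdsutil reads commands from standard input, so the menu walk can be piped in.
    # This run only lists domains, sites and servers with their index numbers.
    @"
metadata cleanup
connections
connect to server $survivingDc
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
quit
quit
quit
"@ | ntdsutil
}

function Remove-DcMetadata([string]$survivingDc, [int]$domainIndex, [int]$siteIndex, [int]$serverIndex) {
    # The indexes come from the listing above. Check them before running: the wrong
    # index removes the NTDS Settings object of a live DC. ntdsutil still shows a
    # confirmation dialog before "remove selected server".
    @"
metadata cleanup
connections
connect to server $survivingDc
quit
select operation target
list domains
select domain $domainIndex
list sites
select site $siteIndex
list servers in site
select server $serverIndex
quit
remove selected server
quit
quit
"@ | ntdsutil
}

# 1. See what the forest still knows about and note the indexes of DC2.
dsquery server -domain corp.example.com
Show-NtdsutilTargets "dc1.corp.example.com"

# 2. Remove DC2's NTDS Settings object (indexes assumed; take them from step 1).
Remove-DcMetadata "dc1.corp.example.com" 0 0 1

# 3. Remove the leftovers. The computer account is still a valid security principal
#    and the DNS records still advertise DC2 as a DC until they are deleted; the
#    original Windows Server 2003 release of ntdsutil does not delete them itself.
dsrm "CN=DC2,OU=Domain Controllers,DC=corp,DC=example,DC=com" -noprompt
dnscmd dc1.corp.example.com /RecordDelete corp.example.com dc2 A /f
# Also delete DC2's SRV records under _msdcs and the site in the DNS console, its
# server object in Active Directory Sites and Services if it remains, and its FRS
# member object under CN=Domain System Volume (SYSVOL share),CN=File Replication
# Service,CN=System. If DC2 held operations master roles, seize them with
# "ntdsutil roles" afterwards.

# 4. Verify that DC2 is gone and that the survivors replicate cleanly.
dsquery server -domain corp.example.com
repadmin /showrepl
```

Run Show-NtdsutilTargets first and only then Remove-DcMetadata: the index numbers are positional, so a forest with several domains or sites will not match the 0 0 1 used in the example.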
**********************
Administering Active Directory
Two main groups of tools are used to administer Active Directory:
Active Directory administrative consoles (Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services)
Active Directory-specific command-line tools (such as Ntdsutil.exe and the Ds* tools: Dsquery, Dsadd, Dsmod)
The administrative consoles can also be installed on other servers running Windows Server 2003 by using the optional Administrative Tools package (Adminpak.msi, found in %systemroot%\system32 on a Windows Server 2003 server and in the i386 folder of the installation CD).
This allows you to administer Active Directory from a computer that is not a domain controller, so administrators do not need to log on interactively to a domain controller.
**********************
Domain Functional Levels
The three domain functional levels are:
Windows 2000 mixed
Windows 2000 native
Windows Server 2003
(A fourth level, Windows Server 2003 interim, exists only for domains upgraded directly from Windows NT 4.0.)
The Windows 2000 mixed domain functional level is the default functional level in Windows Server 2003 domains, because it still allows Windows NT 4.0 backup domain controllers.
Features disabled at this level include universal security groups; nesting of global groups in global groups (and of domain local groups in domain local groups); the use of domain local groups on computers other than domain controllers; the conversion of distribution groups to security groups and vice versa; and the retention of SID history for migrated security principals. Replication between Active Directory domain controllers is still multimaster; only replication to Windows NT 4.0 BDCs remains single-master, through the PDC emulator.
Domain rename and forest trusts, both new in Windows Server 2003, require the Windows Server 2003 forest functional level, which in turn requires every domain in the forest to be at the Windows Server 2003 domain functional level; a domain still at Windows 2000 native therefore blocks them.
You can use the Active Directory Users and Computers console (or Active Directory Domains and Trusts) to raise a domain's functional level. Raising a level is permanent; it cannot be lowered again.
**********************
Forest Functional Level
The default forest functional level in Windows Server 2003 is Windows 2000.
You can use the Active Directory Domains and Trusts console in Administrative Tools to raise a forest's functional level; this requires every domain in the forest to be at the Windows Server 2003 domain functional level and, like raising a domain's level, cannot be undone.
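The consoles read and write the same attributes that any LDAP client can, so the current levels can be checked (and, with the same irreversibility, raised) from a script. The following is an added PowerShell example, not from the original notes; it assumes it runs on a domain controller of corp.example.com with Domain Admins rights for the domain level and Enterprise Admins rights for the forest level. The integer values (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003) are the ones a Windows Server 2003 DC reports in RootDSE.

```powershell
# Added example: read and raise functional levels through ADSI rather than the consoles.
# Assumed: run on a DC of corp.example.com. Raising a level is irreversible.

function Get-ADFunctionalLevels {
    # RootDSE on a Windows Server 2003 DC reports the levels as integers:
    # 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
    # Whether a level-0 domain is mixed or native is kept separately in ntMixedDomain.
    $root     = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$root.Properties["defaultNamingContext"].Value
    $domain   = [ADSI]"LDAP://$domainDn"
    $names    = @{ 1 = "Windows Server 2003 interim"; 2 = "Windows Server 2003" }

    $d     = [int]$root.Properties["domainFunctionality"].Value
    $f     = [int]$root.Properties["forestFunctionality"].Value
    $mixed = [int]$domain.Properties["ntMixedDomain"].Value   # 1 = mixed, 0 = native

    $domainLevel = if ($d -eq 0) {
        if ($mixed -eq 1) { "Windows 2000 mixed" } else { "Windows 2000 native" }
    } else { $names[$d] }
    $forestLevel = if ($f -eq 0) { "Windows 2000" } else { $names[$f] }

    return @{ Domain = $domainDn; DomainLevel = $domainLevel; ForestLevel = $forestLevel }
}

function Set-DomainFunctionalLevel2003([string]$domainDnsName, [string]$domainDn) {
    # Precondition: every DC in the domain runs Windows Server 2003 (NT 5.2). A Windows
    # 2000 DC or NT 4.0 BDC left behind stops replicating once the level is raised.
    foreach ($rdn in (dsquery server -domain $domainDnsName -o rdn)) {
        $name = $rdn.Trim('"')
        $ver  = (Get-WmiObject Win32_OperatingSystem -ComputerName $name).Version
        if (-not $ver -or -not $ver.StartsWith("5.2")) {
            throw "$name runs NT version '$ver'; upgrade or demote it before raising the level."
        }
    }
    # This is what Active Directory Users and Computers writes: level 2 on the domain
    # head, with ntMixedDomain cleared so the domain leaves mixed mode.
    $domain = [ADSI]"LDAP://$domainDn"
    $domain.Put("msDS-Behavior-Version", 2)
    $domain.Put("ntMixedDomain", 0)
    $domain.SetInfo()
}

function Set-ForestFunctionalLevel2003 {
    # Precondition: every domain in the forest is already at the Windows Server 2003
    # domain level. The forest level is stored on the Partitions container of the
    # configuration partition, which is what Domains and Trusts writes.
    $root       = [ADSI]"LDAP://RootDSE"
    $configDn   = [string]$root.Properties["configurationNamingContext"].Value
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"
    $partitions.Put("msDS-Behavior-Version", 2)
    $partitions.SetInfo()
}

# Check before and after; the raise calls are deliberately not invoked here.
Get-ADFunctionalLevels
# Set-DomainFunctionalLevel2003 "corp.example.com" "DC=corp,DC=example,DC=com"
# Set-ForestFunctionalLevel2003
```

Get-ADFunctionalLevels is safe to run anywhere; the two Set- functions change the directory permanently, which is why the example leaves their calls commented out.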
**********************
UPN Suffixes
A UPN suffix is the part of a user principal name (UPN) to the right of the @ character; for jsmith@corp.example.com it is corp.example.com. By default the suffix is the DNS name of the user's domain; alternative suffixes are added in Active Directory Domains and Trusts.
**********************
Distributed File System (DFS)
**********************
Backing Up Active Directory
Hardware Compatibility List (HCL)
When you back up Active Directory, the Backup or Restore Wizard automatically backs up all the system components and all the distributed services that Active Directory requires. Collectively, these components and services are known as system state data.
If the server is a domain controller, Active Directory (the Ntds.dit database and its log files) and the Sysvol directory are also contained in the system state data. Because the backup contains every account's password hashes, protect the backup media as carefully as the domain controller itself.
**********************
Restoring Active Directory
There are two ways to restore Active Directory:
Nonauthoritatively
Authoritatively
In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media, and the restored data is then brought up to date through normal replication from the other domain controllers (so anything deleted since the backup is deleted again).
An authoritative restore brings a domain or a container back to the state it was in at the time of the backup and overwrites all changes made since the backup on every domain controller, because the restored objects are marked so that they win replication.
To authoritatively restore Active Directory data, you must start the domain controller in Directory Services Restore Mode, perform a nonauthoritative restore, run the Ntdsutil utility to mark the restored objects as authoritative, and only then restart the server.
If you authoritatively restore objects that affect trust relationships or computer account passwords, you must reset those passwords, because the restored (older) passwords no longer match the ones held by the trusting domain or by the computer.
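The backup and restore procedures from the two sections above, as an added PowerShell example (not from the original notes). Assumed placeholders: the domain controller DC1, the backup folder D:\Backups, and the organizational unit OU=Sales,DC=corp,DC=example,DC=com that was deleted by mistake. ntbackup and ntdsutil ship with Windows Server 2003; netdom is a Support Tool.

```powershell
# Added example: system state backup and an authoritative restore of one OU.
# Assumed placeholders: DC1, D:\Backups, OU=Sales,DC=corp,DC=example,DC=com.

# --- Back up ---------------------------------------------------------------
# ntbackup's command line can back up but not restore. "systemstate" on a DC includes
# Ntds.dit and its logs, Sysvol, the registry, COM+ registration and the boot files.
function Backup-SystemState([string]$target) {
    $job = "SystemState " + (Get-Date -Format yyyyMMdd)
    ntbackup backup systemstate /J $job /F $target /M normal
    # The .bkf is as sensitive as the directory itself (it holds every password hash):
    # keep it on an access-controlled volume, never on a general-purpose file share.
}

# --- Restore ---------------------------------------------------------------
# Sequence: (1) restart the DC, press F8, choose Directory Services Restore Mode and
# log on with the DSRM administrator password; (2) in ntbackup (GUI) restore System
# State to its original location: that is the nonauthoritative restore; (3) do NOT
# restart yet, run the function below; (4) restart normally.
function Restore-SubtreeAuthoritatively([string]$subtreeDn) {
    # ntdsutil raises the version number of every object under the DN by 100,000 per
    # day elapsed since the backup, so those objects win replication conflicts and the
    # deletion made since the backup is reversed on every other DC.
    # "restore object <dn>" does the same for a single object; "restore database" makes
    # the whole restored directory authoritative, which is rarely what a single
    # accidental deletion calls for.
    ntdsutil "authoritative restore" "restore subtree $subtreeDn" quit quit
}

# --- After the restart ----------------------------------------------------
# Accounts restored authoritatively carry the password they had at backup time, so
# member computers whose machine password rotated since then fail their secure
# channel and restored trusts no longer match the partner domain. Reset them:
#   netdom reset DC-MEMBER01 /d:corp.example.com
#   netdom trust corp.example.com /d:partner.example /reset

# Usage (normal mode):
Backup-SystemState "D:\Backups\dc1-systemstate.bkf"
# Usage (Directory Services Restore Mode only, after the nonauthoritative restore):
# Restore-SubtreeAuthoritatively "OU=Sales,DC=corp,DC=example,DC=com"
```

Restore-SubtreeAuthoritatively is shown commented out in the usage because it must run in Directory Services Restore Mode between the nonauthoritative restore and the reboot; run in normal mode it fails because the database is in use. The same tombstone-lifetime rule that applies to install-from-media backups applies here: never restore a backup older than the tombstone lifetime.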
**********************