Welcome, fellow system admin!
Continuing with our 70-410 exam series that we started, today we will be moving on to another important feature of Windows Server 2012 R2, which is Active Directory Domain Services.
If you are interested in learning more about the entire series, head over to the dedicated page that I have created here.
In today’s 70-410 Objective 5.1, we will be covering:
- Add or Remove a Domain Controller from Domain.
- Install a DC from Install from Media (IFM).
- Install ADDS on server core.
- Upgrade a Domain Controller.
- Resolve DNS SRV Record Registration Issues.
- Configure a Global Catalog Server.
- Deploy Active Directory IaaS in Microsoft Azure.
We will first look at the basic Active Directory terminology and the components that make up an Active Directory domain, to understand this objective better.
Domain: A domain is a logical group of network objects (computers, users, devices) that share the same Active Directory database.
Forests: An AD forest is the highest level of organization within AD. Each forest shares a single database, a single global address list, and a security boundary. By default, a user or administrator in one forest cannot access another forest.
Sites: A site is a geographical location of high network connectivity that may connect to other locations that are similarly configured.
Domain Controllers: Domain Controllers are the hosts of Active Directory. They contain the AD database. AD DS is a multi-master model, in which every DC replicates its changes to the other DCs.
Global Catalogs: The Global Catalog provides a subset of the total AD forest database. A global catalog is a DC that stores a copy of all AD objects in a forest.
The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all the other domains in the forest.
Organizational Units: An OU is a container within a Microsoft AD domain which can hold users, groups, and computers.
It is the smallest unit to which an administrator can assign Group Policy settings or account permissions.
Flexible Single Master Operations Roles
Active Directory has five special roles which are vital for the smooth running of AD as a multi-master system. There are forest-wide roles and domain-wide roles.
The forest-wide roles must appear once per forest; the domain-wide roles must appear once per domain.
There are five FSMO roles: two per forest and three in every domain. A brief summary of each role is below.
Schema Master
- Performs updates to the AD schema.
- These updates include Adprep /forestprep, MS Exchange and other applications that must modify the AD schema.
- Must be online when schema updates are performed.
- Generally placed on the forest root PDC.
Domain Naming Master
- Adds and removes domains and application partitions to and from the AD forest.
- Must be online when domain and application partitions in a forest are added or removed.
- Generally placed on the forest root PDC.
PDC Emulator
- Manages password changes for computers and user accounts on replica domain controllers.
- Consulted by replica domain controllers when service authentication requests have mismatched passwords.
- Target DC for Group Policy updates.
- Target DC for legacy applications that perform writable operations and for some admin tools.
- Must be online and accessible at all times.
- Generally placed on higher-performance hardware in a reliable site alongside other DCs.
- Timekeeper for the domain and forest.
RID Master
- Allocates active and standby RID pools to replica DCs in the same domain.
- Must be online for newly promoted DCs to obtain a local RID pool, or when existing DCs must update their current or standby RID pool allocation.
- Generally placed on the forest root PDC.
Infrastructure Master
- Updates cross-domain object references, using the Global Catalog.
- A separate infrastructure master is created for each partition, including the default forest-wide and domain-wide application partitions.
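The "two per forest, three per domain" rule is easy to verify from PowerShell. The following is an added example (not code from the original post); it assumes the ActiveDirectory module from RSAT is available and the session runs on a domain-joined machine.

```powershell
# Added example: enumerate FSMO role holders and confirm each role has exactly one holder.
Import-Module ActiveDirectory

# Forest-wide roles (Schema Master, Domain Naming Master): one holder per forest
$forest = Get-ADForest
[pscustomobject]@{
    Forest             = $forest.Name
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

# Domain-wide roles (PDC Emulator, RID Master, Infrastructure Master): one holder per domain
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Cross-check: ask every DC which roles it believes it holds. A role that shows up on
# two DCs (or on none) indicates a replication or seizure problem worth investigating.
Get-ADDomainController -Filter * |
    Select-Object HostName, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } }

# The same answer without the AD module:
netdom query fsmo
```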
There are various ways to convert a member server to a Domain Controller.
From Server Manager > Add Roles and Features > Active Directory Domain Services role, or from PowerShell:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Once the role is installed, you will now have to promote the machine as Domain Controller.
Read More: Install Domain Controller on Server 2008 R2
To remove a Domain Controller from a domain, we have a couple of ways of doing it.
From Server Manager > Remove Roles and Features > Active Directory Domain Services.
But first you will have to demote the Domain Controller.
Kindly find the link to the TechNet article below on how to demote a Domain Controller.
Install from Media is one of the ways of converting a member server to a Domain Controller.
This method comes in handy when the DC needs to be added at a remote location that has no good network connectivity.
On a server which is already a Domain Controller, open the command prompt as an Administrator, start ntdsutil and type the following:
ntdsutil
activate instance ntds
ifm
create full C:\ifm
It creates a folder called ifm on the C drive with the required information.
As we have seen before, installing AD DS on Server Core is only possible from PowerShell and is a very easy process.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
The next step is to promote the machine to a Domain Controller.
Install-ADDSDomainController -DomainName enterprisedaddy.com -Credential (Get-Credential enterprisedaddy\Administrator)
You will also be prompted for the Safe Mode (Directory Services Restore Mode) administrator password.
You will sometimes come across situations where you have to upgrade a Domain Controller to a new operating system such as Windows Server 2012 R2.
It is a fairly straightforward process.
- Make sure that the AD environment is healthy (things like replication).
- Extend the schema.
Let us say that I have the ISO mounted on the D drive. The adprep tool lives in D:\support\adprep:
Adprep /forestprep
Adprep /domainprep
Adprep /rodcprep (if you plan to install any RODCs)
- Upgrade the present Domain Controller to the new OS.
- Relocate FSMO roles if necessary.
- Raise the Domain/Forest functional level.
You can raise the Forest/Domain functional level from AD Domains and Trusts.
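The upgrade checklist above, carried out from the command line. This is an added example and not the original post's code; it assumes the ISO is on D: (as in the post), that DC01 is the DC being upgraded and DC02 another DC in the same domain (placeholder names), and the domain enterprisedaddy.com from the post.

```powershell
# Added example: upgrade steps as commands, with a verification after each one.

# 1. Health check first: replication failures and DC diagnostics must be clean before upgrading
repadmin /replsummary
dcdiag /test:replications /test:dns /test:fsmocheck

# 2. Extend the schema and prepare the domain from the new media
D:\support\adprep\adprep.exe /forestprep     # run with Schema Admins + Enterprise Admins rights
D:\support\adprep\adprep.exe /domainprep
D:\support\adprep\adprep.exe /rodcprep       # only if RODCs are planned
repadmin /syncall /AdeP                      # let the schema change replicate before continuing

# 3. Move any FSMO roles off the DC that is about to be upgraded, so the roles stay
#    available while it reboots through setup. Only the roles DC01 actually holds need moving.
$held = (Get-ADDomainController -Identity 'DC01').OperationMasterRoles
if ($held) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole $held -Confirm:$false
}

# 4. Run the in-place upgrade to Windows Server 2012 R2 on DC01 (D:\setup.exe), then verify it
dcdiag /s:DC01

# 5. Raise functional levels only once every DC runs the new OS. The level cannot be lowered again.
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
Set-ADDomainMode -Identity 'enterprisedaddy.com' -DomainMode Windows2012R2Domain
Set-ADForestMode -Identity 'enterprisedaddy.com' -ForestMode Windows2012R2Forest
```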
DNS is essential for a service like Active Directory. To accommodate directory services such as AD DS, special resource records (SRV records) are created that enable clients to locate DCs and other vital AD DS services.
When a new DC is created, one of the important parts of the process is the registration of the server in DNS.
If the DNS registration fails, then clients cannot locate the DC. Computers will be unable to use that DC to join the domain, existing members may be unable to log on, and other DCs cannot replicate with it.
If dynamic updates are enabled, the DC registers its records in DNS itself.
If dynamic updates are disabled, then the records in the file netlogon.dns need to be added to the DNS server manually.
It can be found in the directory C:\Windows\System32\config.
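Checking and repairing the SRV registration, as an added example (not from the original post). It assumes the domain enterprisedaddy.com from the post, a Windows DNS server named DNS01 (placeholder) that hosts the zone including the _msdcs names, and that it runs on the DC whose records are in question.

```powershell
# Added example: verify the DC locator records, then re-register or import them.
$domain = 'enterprisedaddy.com'

# 1. Do the locator records exist? Domain join, logon and replication all start here.
foreach ($name in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain", "_ldap._tcp.$domain") {
    $r = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    if ($r) { "$name -> " + ($r.NameTarget -join ', ') } else { "MISSING: $name" }
}

# 2. Dynamic updates enabled: ask Netlogon to register the records again
nltest /dsregdns

# 3. Dynamic updates disabled: import the SRV lines from netlogon.dns into the zone.
#    A line looks like:  _ldap._tcp.enterprisedaddy.com. 600 IN SRV 0 100 389 dc01.enterprisedaddy.com.
$pattern = '^(\S+)\.\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$'
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | ForEach-Object {
    if ($_ -match $pattern) {
        $fqdn = $Matches[1]
        # record name relative to the zone, e.g. "_ldap._tcp" or "_ldap._tcp.dc._msdcs"
        $rel = $fqdn.Substring(0, $fqdn.Length - $domain.Length - 1)
        Add-DnsServerResourceRecord -ComputerName 'DNS01' -ZoneName $domain -Srv -Name $rel `
            -Priority $Matches[3] -Weight $Matches[4] -Port $Matches[5] -DomainName $Matches[6] `
            -TimeToLive ([TimeSpan]::FromSeconds([int]$Matches[2]))
    }
}
```

Only SRV lines are imported here; netlogon.dns also contains the DC's A records and the GUID CNAME under _msdcs, which need the same treatment if the zone is fully static.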
The first Domain Controller in a new domain is always a Global Catalog server.
To check whether a server is a Global Catalog, or to make a server a Global Catalog, you need to go to Active Directory Sites and Services.
From Server Manager > AD Sites and Services > Servers > ServerName > NTDS Settings > right-click > Properties, and use the Global Catalog checkbox.
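The same check and change from PowerShell, as an added example (not the original post's code). The GC flag is bit 1 of the options attribute on the DC's NTDS Settings object, which is what the checkbox toggles; DC02 and the domain enterprisedaddy.com (from the post) are the assumed names.

```powershell
# Added example: list Global Catalog servers and enable the GC on one DC.
Import-Module ActiveDirectory

# Which DCs are GCs today? At least one per site is the usual target for fast logons.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# Enable the GC on DC02 by setting bit 1 (NTDSDSA_OPT_IS_GC) on its NTDS Settings object.
# -bor keeps any other option bits (e.g. disabled inbound/outbound replication) untouched.
$ntds = (Get-ADDomainController -Identity 'DC02').NTDSSettingsObjectDN
$opts = [int](Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }

# To remove the GC instead, clear the bit:  ($opts -band (-bnot 1))

# A new GC only advertises after the partial read-only partitions have replicated in.
# Confirm with the locator and with the GC port (3268) rather than trusting the flag alone.
nltest /dsgetdc:enterprisedaddy.com /gc
Test-NetConnection -ComputerName 'DC02' -Port 3268 | Select-Object ComputerName, TcpTestSucceeded
```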
I am not really sure why Microsoft has included this particular objective in the exam.
I believe it is just to make you aware of Microsoft's cloud platform, Azure.
In any case, below is a handy MSDN article that explains how to install Active Directory in Azure.
I hope that this article has been informative and thank you for reading.