Active Directory 2008 Implementation & Migration
8/8/2019 Active Directory 2008 Implementation & Migration
1/148
Microsoft Windows Server 2008 Implementation and Migration
At BHARAT HEAVY ELECTRICALS LIMITED
Wipro is submitting this document to BHEL on the understanding that the contents would
not be divulged to any third party without prior written consent from Wipro Infotech. The
contents of this document shall be used for the sole purpose of review & decision making.
No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means, whether electronic, mechanical, photocopying, recording or otherwise, without the written permission of Wipro. All product names referenced herein
are trademarks of their respective companies.
2008
Kamal Singh & Gurpreet Singh
12/22/2008
Wipro Infotech - MSBU Division
BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration
WIPRO BHEL Confidential Page 2
Document Management Information
Document Title: Microsoft Windows Server 2008 Active Directory Implementation and Migration Document.
Document Status: Approved (Wipro)
Document Publication History
(All revisions made to this document must be listed in chronological order, with the most recent revision at the top.)
Version Number | Date | Author(s) | Remark
Draft | 22-12-2008 | Kamal Singh & Gurpreet Singh | Microsoft Windows Server 2008 Active Directory Implementation and Migration.
1.0 | 22-12-2008 | Monojit Bhowmik | Reviewed
Document Distribution List
Ver. No. | Name and Company | Purpose
1.0 | Bharat Heavy Electrical Limited | Microsoft Windows Server 2008 Active Directory Implementation and Migration.
Contents
About this Document .... 5
About the Project .... 5
Overview of Project .... 5
1 Company Profile .... 6
1.1.1 Introduction to Active Directory .... 6
1.1.2 Why Have a Directory Service? .... 6
1.1.3 The Windows Server 2003/2008 Directory Service .... 6
1.1.4 Active Directory Services Features .... 7
1.1.5 Active Directory Components .... 8
1.1.6 Logical Structures .... 8
1.1.7 Physical Structures .... 9
1.1.8 Catalog Services: The Global Catalog .... 10
1.1.9 Global Catalog Functions .... 10
1.1.10 Replication .... 11
1.1.11 What Information Is Replicated .... 11
1.1.12 Trust Relationships .... 11
1.1.13 Group Policies .... 12
1.1.14 DNS .... 12
1.1.15 Operations Master Roles .... 12
1.1.16 Forest-Wide Operations Master Roles .... 12
1.1.17 Schema Master Role .... 13
1.1.18 Domain Naming Master Role .... 13
1.1.19 Domain-Wide Operations Master Roles .... 13
1.1.20 RID Master Role .... 13
1.1.21 PDC Emulator Role .... 14
1.1.22 Infrastructure Master Role .... 14
1.1.23 What Problems Arise When Operations Master Failures Occur .... 14
1.2 What does an RODC do? .... 16
1.3 Who will be interested in this feature? .... 16
1.4 Are there any special considerations? .... 17
1.5 What new functionality does this feature provide? .... 17
1.5.2 TOOLS .... 123
1.5.3 NTDSUTIL Overview .... 123
1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL .... 124
1.5.5 ADSIEDIT Overview .... 124
1.5.6 DCDIAG Overview .... 126
1.5.7 NETDIAG Overview .... 128
1.5.8 REPLMON Overview .... 134
Windows Server 2003/2008 - Replmon Support Tool Utility .... 135
About this Document
This document is intended as a reference guide for the administrators of BHEL who were involved in the
implementation of Active Directory Rights Management Service and DHCP NAP Enforcement, and for the
specialists from Wipro and the customer's end who were involved in the project.
This document will serve as a guideline for the project approach and for the implementation and migration of
Active Directory 2008.
About the Project
The customer's objective for initiating this project is to have an in-house, comprehensive solution for
addressing and resolving change and configuration needs in the IT infrastructure.
The activities involved in this project are as below:
- Installation of Windows Server 2008 with the latest Service Packs and hotfixes at BHEL Kolkata HQ.
- Creation of a Microsoft Windows Server 2008 Additional Domain Controller.
- Raising the Domain Functional Level.
- Transferring the FSMO roles to the new Windows Server 2008 Domain Controller.
- Configuring Sites and Settings across the PSER Region.
- Installing the new Additional Domain Controller.
- Installing Read-Only Domain Controllers for the Budge-Budge and Bakreswar remote locations.
Overview of Project
Project management and installation of the complete project were carried out by the Wipro MSBU Infrastructure
Availability Services team.
The project flow is as follows:
- Configuration Gathering
- Implementation phase
- Documentation and Training
- Sign off for the Project
Team involved in executing the project: Kamal Singh & Gurpreet Singh
Principal(s): Mr. Sudipta Biswas, DGM IT
1 Company Profile
BHEL is the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure
sector today. BHEL was established more than 40 years ago, ushering in the indigenous Heavy Electrical
Equipment industry in India, a dream that has been more than realized with a well-recognized track record
of performance. The company has been earning profits continuously since 1971-72 and paying dividends
since 1976-77.
BHEL manufactures over 180 products under 30 major product groups and caters to core sectors of the
Indian Economy viz., Power Generation & Transmission, Industry, Transportation, Telecommunication,
Renewable Energy, etc. The wide network of BHEL's 14 manufacturing divisions, four Power Sector regional
centers, over 100 project sites, eight service centers and 18 regional offices enables the Company to promptly
serve its customers and provide them with suitable products, systems and services, efficiently and
at competitive prices. The high level of quality & reliability of its products is due to the emphasis on design,
engineering and manufacturing to international standards by acquiring and adapting some of the best
technologies from leading companies in the world, together with technologies developed in its own R&D
Center.
1.1.1 Introduction to Active Directory
Active Directory directory service provides a single point of network resource management, allowing you to
add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory
concepts and administration tasks and walks you through the steps involved in planning an Active Directory
infrastructure.
1.1.2 Why Have a Directory Service?
A directory service provides the means to organize and simplify access to resources of a networked computer
system. Users and administrators might not know the exact name of the objects they need. However, they
might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a
directory service to query the directory for a list of objects that match known characteristics. For example,
"Find all color printers on the third floor" queries the directory for all color printer objects that are associated
with the "third floor" characteristic (or maybe a location characteristic that has been set to "third floor"). A
directory service makes it possible to find an object based on one or more of its characteristics.
1.1.3 The Windows Server 2003/2008 Directory Service
Active Directory is the directory service included in the Windows Server 2003/2008 family. Active Directory
includes the directory, which stores information about network resources, as well as all the services that
make the information available and useful. Active Directory is also the directory service included in Windows
2000.
1.1.4 Active Directory Services Features
Active Directory in the Windows Server 2003/2008 family is a significant enhancement over the flat domain
model provided in Windows NT. Active Directory is integrated within the Windows Server 2003/2008 family
and offers the following features:
Centralized data store: All data in Active Directory resides in a single, distributed data repository, allowing
users easy access to the information from any location. A single distributed data store requires less
administration and duplication and improves the availability and organization of data.
Scalability: Active Directory enables you to scale the directory to meet business and network requirements
through the configuration of domains and trees and the placement of domain controllers. Active Directory
allows millions of objects per domain and uses indexing technology and advanced replication techniques to
speed performance.
Extensibility: The structure of the Active Directory database (the schema) can be expanded to allow
customized types of information.
Manageability: In contrast to the flat domain model used in Windows NT, Active Directory is based on
hierarchical organizational structures. These organizational structures make it easier for you to control
administrative privileges and other security settings, and make it easier for your users to locate network
resources such as files and printers.
Integration with the Domain Name System (DNS): Active Directory uses DNS, an Internet standard
service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although
separate and implemented differently for different purposes, Active Directory and DNS have the same
hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the
Windows Server 2003/2008 DNS service, primary DNS zones can be stored in Active Directory, enabling
replication to other Active Directory domain controllers.
Client configuration management: Active Directory provides new technologies for managing client
configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user
downtime.
Policy-based administration: In Active Directory, policies are used to define the permitted actions and
settings for users and computers across a given site, domain, or organizational unit. Policy-based
management simplifies tasks such as operating system updates, application installation, user profiles, and
desktop-system lockdown.
Replication of information: Active Directory provides multimaster replication technology to ensure
information availability, fault tolerance, load balancing, and other performance benefits. Multimaster
replication enables you to update the directory at any domain controller and replicates directory changes to
any other domain controller. Because multiple domain controllers are employed, replication continues even
if any single domain controller stops working.
Flexible, secure authentication and authorization: Active Directory authentication and authorization
services provide protection for data while minimizing barriers to doing business over the Internet. Active
Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets
Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active
Directory provides security groups that span domains.
Security integration: Active Directory is integrated with Windows Server 2003/2008 security. Access
control can be defined for each object in the directory and on each property of each object. Security policies
can be applied locally, or to a specified site, domain, or organizational unit.
Directory-enabled applications and infrastructure: Features within Active Directory make it easier for
you to configure and manage applications and other directory-enabled network components. In addition,
Active Directory provides a powerful development environment through Active Directory Service Interfaces
(ADSI).
Interoperability with other directory services: Active Directory is based on standard directory access
protocols, including Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider
Interface (NSPI), and can interoperate with other directory services employing these protocols. Because
LDAP is an industry-standard directory service protocol, programs can be developed
using LDAP to share Active Directory information with other directory services that also support LDAP. The
NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory
to provide compatibility with the Exchange directory.
Signed and encrypted LDAP traffic: By default, the Active Directory tools in Windows Server 2003/2008 sign
and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from a
known source and that it has not been tampered with.
1.1.5 Active Directory Components
Various Active Directory components are used to build a directory structure that meets the needs of your
organization. The following Active Directory components represent logical structures in an organization:
domains, organizational units (OUs), trees, and forests. The following Active Directory components represent
physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory
completely separates the logical structure from the physical structure.
1.1.6 Logical Structures
In Active Directory, you organize resources in a logical structure (a structure that mirrors organizational
models) using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a
resource by its name rather than by remembering its physical location. Because you group resources logically,
Active Directory makes the network's physical structure transparent to users.
Domains: The core unit of logical structure in Active Directory is the domain, which can store millions of
objects. Objects stored in a domain are those considered vital to the network. These vital objects are items
the members of the networked community need in order to do their jobs: printers, documents, e-mail
addresses, databases, users, distributed components, and other resources. All network objects exist within a
domain, and each domain stores information only about the objects it contains. Active Directory is made up
of one or more domains. A domain can span more than one physical location.
OU: An OU is a container used to organize objects within a domain into a logical administrative group. OUs
provide a means for handling administrative tasks, such as the administration of users and resources, as they
are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as
user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.
The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains; each
domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide
administrative control in a hierarchical fashion.
Trees: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003/2008 domains
that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a
contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next
lesson.
Forests: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent
domain trees. As such, forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
- Trees in a forest have different naming structures, according to their domains.
- Domains in a forest operate independently, but the forest enables communication across the entire
organization.
1.1.7 Physical Structures
The physical components of Active Directory are sites and domain controllers. As an administrator, you use
these components to develop a directory structure that mirrors the physical structure of your organization.
Sites: A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize
as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).
When you group subnets on your network, you should combine only subnets that have fast, cheap and
reliable network connections with one another. Fast network connections are at least 512 kilobits per
second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after
normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.
Domain Controllers: A domain controller is a computer running Windows Server 2003/2008 that stores a
replica of the domain directory (local domain database). Because a domain can contain one or more domain
controllers, each domain controller in a domain has a complete replica of the domain's portion of the
directory. A domain controller can service only one domain. A domain controller also authenticates user
logon attempts and maintains the security policy for a domain.
1.1.8 Catalog Services: The Global Catalog
The global catalog is the central repository of information about objects in a tree or forest. By default, a
global catalog is created automatically on the initial domain controller in the first domain in the forest. A
domain controller that holds a copy of the global catalog is called a global catalog server. You can designate
any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to
replicate the global catalog information between global catalog servers in other domains. It stores a full
replica of all object attributes in the directory for its host domain and a partial replica of all object attributes
contained in the directory for every domain in the forest. The partial replica stores attributes most frequently
used in search operations (such as a user's first and last names, logon name, and so on). Attributes are
marked or unmarked for replication in the global catalog when they are defined in the Active Directory
schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains,
ensuring that data in the global catalog is secure.
1.1.9 Global Catalog Functions
The global catalog performs the following two key functions:
- It enables a user to log on to a network by providing universal group membership information to a domain
controller when a logon process is initiated.
- It enables finding directory information regardless of which domain in the forest actually contains the data.
1.1.10 Replication
Users and services should be able to access directory information at any time from any computer in the
domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain
controllers within a domain. Directory information is replicated to domain controllers both within and among
sites.
1.1.11 What Information Is Replicated
The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. Each
of these information categories is referred to as a directory partition. A directory partition is also referred to
as a naming context. These directory partitions are the units of replication. The directory contains the
following partitions:
Schema partition: This partition defines the objects that can be created in the directory
and the attributes those objects can have. This data is common to all domains in a forest
and is replicated to all domain controllers in a forest.
Configuration partition: This partition describes the logical structure of the deployment,
including data such as domain structure or replication topology. This data is common to all
domains in a forest and is replicated to all domain controllers in a forest.
Domain partition: This partition describes all of the objects in a domain. This data is
domain-specific and is not replicated to any other domains. However, the data is
replicated to every domain controller in that domain.
Application Directory partition: This partition stores dynamic application-specific data in
Active Directory without significantly affecting network performance by enabling you to
control the scope of replication and the placement of replicas. The application directory
partition can contain any type of object except security principals (users, groups, and
computers). Data can be explicitly rerouted to administrator-specified domain controllers
within a forest in order to prevent unnecessary replication traffic, or it can be set to
replicate everything to all domain controllers in the same fashion as the schema,
configuration, and domain partitions.
1.1.12 Trust Relationships
A trust relationship is a link between two domains in which the trusting domain honors the logon
authentication of the trusted domain, as shown in Figure 1-13. Users and applications are authenticated in
the Windows Server 2003/2008 family using one of two trust protocols: Kerberos version 5 or NT LAN
Manager (NTLM). The Kerberos version 5 protocol is the default protocol for computers running Windows
Server 2003/2008. If any computer involved in a transaction does not support Kerberos version 5, the NTLM
protocol is used. A trust relationship is also permitted with any MIT Kerberos version 5 realm. There are two
domains in a trust relationship: the trusting domain and the trusted domain.
1.1.13 Group Policies
Group policies are collections of user and computer configuration settings that can be linked to computers,
sites, domains, and OUs to specify the behavior of users' desktops. For example, using group policies, you
can set the programs that are available to users, the programs that appear on the user's desktop, and Start
menu options.
1.1.14 DNS
DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the
Internet, to locate computers and services through user-friendly names. DNS provides a method of naming
computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name
in an application, DNS services can resolve the name to other information associated with the name, such as
an IP address. For example, it's easy for most users who want to locate a computer on a network to
remember and learn a friendly name such as example.microsoft.com. However, computers communicate
over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a
computer or service to its numeric address. If you have used a Web browser, you have used DNS.
1.1.15 Operations Master Roles
Active Directory supports multimaster replication of the Active Directory database between all domain
controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one
or more domain controllers can be assigned to perform operations that are single-master (not permitted to
occur at different places in a network at the same time). Operations master roles are assigned to domain
controllers to perform single-master operations.
In any Active Directory forest, five operations master roles must be assigned to one or more domain
controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
You must be aware of operations master roles assigned to a domain controller if problems develop on the
domain controller or if you plan to take it out of service.
1.1.16 Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:
Schema master
Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one
schema master and one domain naming master.
1.1.17 Schema Master Role
The domain controller assigned the schema master role controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master. At any time, there
can be only one schema master in the entire forest.
1.1.18 Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or removal of domains
in the forest. There can be only one domain naming master in the entire forest at any time.
1.1.19 Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles:
Relative identifier (RID), or relative ID, master
Primary domain controller (PDC) emulator
Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID
master, PDC emulator master, and infrastructure master.
1.1.20 RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various
domain controllers in its domain. At any time, there can be only one domain controller acting as the RID
master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique
security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the
domain) and a relative ID that is unique for each security ID created in the domain.
To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must
initiate the move on the domain controller acting as the RID master of the domain that currently contains the
object.
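The SID structure described in this section (a domain security ID shared by every principal created in the domain, followed by a RID that is unique within that domain) and the cross-domain membership references the infrastructure master maintains (section 1.1.22) can be made concrete with a small parser. The Python below is an added example, not part of the Wipro/BHEL document: the SID values are constructed, and the well-known RID table is an abbreviated selection of Microsoft-defined values.

```python
"""Decompose Windows security identifiers (SIDs) into the domain SID and the
relative identifier (RID) that the RID master's pools supply.

Added example; not part of the Wipro/BHEL document. Sample SIDs are
constructed; the well-known RID table is a short selection."""
import re

# Well-known RIDs that are identical in every domain (Microsoft-defined).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",      # meaningful only in the forest root domain
    519: "Enterprise Admins",  # meaningful only in the forest root domain
}

SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")


def parse_sid(sid):
    """Return (domain_sid, rid) for a domain-issued SID S-1-5-21-a-b-c-RID.

    Raises ValueError for malformed strings and for SIDs that are not issued
    by a domain (for example S-1-5-18, the local SYSTEM account)."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")          # ['S', '1', authority, subauth1, ...]
    subauths = [int(p) for p in parts[3:]]
    # Domain SIDs use identifier authority 5 (NT) and first sub-authority 21,
    # then three 32-bit values that identify the domain, then the RID.
    if parts[2] != "5" or len(subauths) != 5 or subauths[0] != 21:
        raise ValueError("not a domain-issued SID: %r" % sid)
    rid = subauths[-1]
    domain_sid = "-".join(parts[:-1])
    return domain_sid, rid


def same_domain(sid_a, sid_b):
    """True when both principals were created in the same domain, i.e. a
    group-to-member reference between them is not cross-domain."""
    return parse_sid(sid_a)[0] == parse_sid(sid_b)[0]


def describe(sid):
    """Classify a SID: well-known RID, reserved (< 1000) or pool-allocated."""
    domain_sid, rid = parse_sid(sid)
    name = WELL_KNOWN_RIDS.get(rid)
    if name is not None:
        kind = "well-known"
    elif rid < 1000:
        kind = "reserved"          # below 1000 is kept for built-in principals
    else:
        kind = "pool-allocated"    # drawn from a RID pool issued by the RID master
    return {"domain": domain_sid, "rid": rid, "well_known": name, "kind": kind}


if __name__ == "__main__":
    # Constructed sample values; the domain sub-authorities are made up.
    for s in ("S-1-5-21-1004336348-1177238915-682003330-512",
              "S-1-5-21-1004336348-1177238915-682003330-1105"):
        print(s, "->", describe(s))
```

For a defender the RID is often more telling than the account name: the built-in Administrator keeps RID 500 even after it is renamed, and RID 512 or 519 in a logon event identifies Domain Admins or Enterprise Admins membership regardless of how the group is displayed.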
1.1.21 PDC Emulator Role
If the domain contains computers operating without Windows Server 2003/2008 client software or if it
contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator
role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the
BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the
forest.
Even after all systems are upgraded to Windows Server 2003/2008, and the Windows Server 2003/2008
domain is operating at the Windows Server 2003/2008 functional level, the PDC emulator receives
preferential replication of password changes performed by other domain controllers in the domain. If a
password was recently changed, that change takes time to replicate to every domain controller in the
domain. If a logon authentication fails at another domain controller due to a bad password, that domain
controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
1.1.22 Infrastructure Master Role
The domain controller assigned the infrastructure master role is responsible for updating the group-to-user
references whenever the members of groups are renamed or changed. At any time, there can be only one
domain controller acting as the infrastructure master in each domain.
When you rename or move a member of a group (and the member resides in a different domain from the
group), the group might temporarily appear not to contain that member. The infrastructure master of the
group's domain is responsible for updating the group so it knows the new name or location of the member.
The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group update.
Only an administrator looking at that particular group membership would notice the temporary
inconsistency.
1.1.23 What Problems Arise When an Operations Master Fails
Schema Master Failure: Temporary loss of the schema operations master is not visible to network users. It is
not visible to network administrators either, unless they are trying to modify the schema or install an
application that modifies the schema during installation. If the schema master will be unavailable for an
unacceptable length of time, you can seize the role to the domain controller you've chosen to act as the
standby schema master. However, seizing this role is a step that you should take only when the failure of the
schema master is permanent.
Domain Naming Master Failure: Temporary loss of the domain naming master is not visible to network
users. It is not visible to network administrators either, unless they are trying to add a domain to the forest or
remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you've chosen to act as the standby domain
naming master. However, seizing this role is a step that you should take only when the failure of the domain
naming master is permanent.
RID Master Failure: Temporary loss of the RID operations master is not visible to network users. It is not
visible to network administrators either, unless they are creating objects and the domain in which they are
creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you've chosen to act as the standby RID
master. However, seizing this role is a step that you should take only when the failure of the RID master is
permanent.
PDC Emulator Failure: The loss of the PDC emulator affects network users. Therefore, when the PDC
emulator is not available, you might need to immediately seize the role. If the current PDC emulator will be
unavailable for an unacceptable length of time and its domain has clients without Windows Server
2003/2008 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator
role to the domain controller you've chosen to act as the standby PDC emulator. When the original PDC
emulator is returned to service, you can return the role to the original domain controller.
Infrastructure Master Failure: Temporary loss of the infrastructure master is not visible to network users. It
is not visible to network administrators either, unless they have recently moved or renamed a large number
of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize
the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any
domain), ideally in the same site as a global catalog server. When the original infrastructure master is
returned to service, you can transfer the role back to the original domain controller.
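The failure descriptions above turn into a routine check: confirm which domain controller holds each role, confirm it answers, and confirm the infrastructure master is placed as the text requires (not on a global catalog unless every DC in the domain is one). The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT) on a domain-joined administrative host.

```powershell
# Added example (not from the Wipro document): list the five operations master role holders and
# apply the availability and placement checks from the failure descriptions. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster          # forest-wide
    'Domain naming master'  = $forest.DomainNamingMaster    # forest-wide
    'PDC emulator'          = $domain.PDCEmulator           # per domain
    'RID master'            = $domain.RIDMaster             # per domain
    'Infrastructure master' = $domain.InfrastructureMaster  # per domain
}

foreach ($r in $roles.GetEnumerator()) {
    # An unreachable holder is the "unavailable" case in the text: for the PDC emulator users
    # notice immediately (password changes, bad-password retries); for the others only admins do.
    $dc        = Get-ADDomainController -Identity $r.Value
    $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    '{0,-22} {1,-40} reachable={2}' -f $r.Key, $dc.HostName, $reachable
}

# Infrastructure master placement: a GC never sees the cross-domain references as stale, so the
# role must sit on a non-GC unless every DC in the domain is a GC.
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a global catalog while other DCs are not; move the role to a non-GC DC that is well connected to a GC."
} else {
    "Infrastructure master placement is consistent (all DCs are GCs: $allGc)."
}
```

A role holder that fails this check is a candidate for a planned transfer; seizing, as the text says, is reserved for a holder that will not return, because a seized holder that later comes back online would hold a duplicate of the role.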
Read-Only Domain Controllers
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008
operating system. With an RODC, organizations can easily deploy a domain controller in locations where
physical security cannot be guaranteed. An RODC hosts read-only partitions of the
Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch
offices often cannot provide the adequate physical security that is required for a writable domain controller.
Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This
can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a
result, users in this situation can receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network
1.2 What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a
way to deploy a domain controller more securely in locations that require fast and reliable authentication
services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For
example, a line-of-business (LOB) application may run successfully only if it is installed on a domain
controller. Or, the domain controller might be the only server in the branch office, and it may have to host
server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use
Terminal Services to configure and manage the application. This situation creates a security risk that may be
unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant
a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the
Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a
primary threat, for example, in an extranet or application-facing role.
1.3 Who will be interested in this feature?
RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically
have the following characteristics:
Relatively few users
Poor physical security
Relatively poor network bandwidth to a hub site
Little knowledge of information technology (IT)
You should review this section, and the additional supporting documentation about RODC, if you are in any of
the following groups:
IT planners and analysts who are technically evaluating the product
Enterprise IT planners and designers for organizations
Those responsible for IT security
AD DS administrators who deal with small branch offices
1.4 Are there any special considerations?
To deploy an RODC, at least one writable domain controller in the domain must be running Windows
Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or
higher.
1.5 What new functionality does this feature provide?
RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security,
network bandwidth, or local expertise to support it. The following RODC functionality mitigates these
problems:
Read-only AD DS database
Unidirectional replication
Credential caching
Administrator role separation
Read-only Domain Name System (DNS)
1.5.1.1 Read-only AD DS database
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable
domain controller holds. However, changes cannot be made to the database that is stored on the RODC.
Changes must be made on a writable domain controller and then replicated back to the RODC.
Local applications that request Read access to the directory can obtain access. Lightweight Directory
Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This
response directs them to a writable domain controller, normally in a hub site.
1.5.1.2 RODC filtered attribute set
Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is
compromised.
For these types of applications, you can dynamically configure a set of attributes in the schema for domain
objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set.
Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the
forest.
A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate
attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes
from a domain controller that is running Windows Server 2008, the replication request is denied. However, if
the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.
Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to
configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC
that is compromised cannot be exploited in this manner because domain controllers that are running
Windows Server 2003 are not allowed in the forest.
You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it
is required for AD DS, the Local Security Authority (LSA), the Security Accounts Manager (SAM), or Microsoft-specific
Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A system-critical attribute
has a schemaFlagsEx attribute value with bit 1 set (schemaFlagsEx attribute value & 0x1 = TRUE).
The RODC filtered attribute set is configured on the server that holds the schema operations master role. If
you try to add a system-critical attribute to the RODC filtered set while the schema master is running
Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-
critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation
appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema
master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set.
This ensures that system-critical attributes are not included in the RODC filtered attribute set.
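The two preconditions above (forest functional level Windows Server 2008, no system-critical attributes) can be verified before touching the schema. The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory module, Schema Admins membership for the write path, and uses the searchFlags bit 0x200, which is the bit that places an attribute in the RODC filtered attribute set. The attribute name passed to the helper is a placeholder.

```powershell
# Added example (not from the Wipro document): enumerate the RODC filtered attribute set and
# enforce the preconditions in the text before adding to it. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$RODC_FILTERED = 0x200                       # searchFlags bit: attribute is RODC filtered
$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filtered = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$RODC_FILTERED))" `
    -Properties lDAPDisplayName, searchFlags, schemaFlagsEx

"Attributes currently in the RODC filtered attribute set:"
foreach ($a in $filtered) {
    $critical = ($a.schemaFlagsEx -band 0x1) -ne 0
    '{0,-40} searchFlags=0x{1:X} systemCritical={2}' -f $a.lDAPDisplayName, $a.searchFlags, $critical
    if ($critical) {
        # This is the case the text warns about: a 2003 schema master accepts the change silently.
        Write-Warning "$($a.lDAPDisplayName) is system-critical; it must not be in the filtered set."
    }
}

# Precondition 1: forest functional level, so no Windows Server 2003 DC can serve the attributes.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest) {
    Write-Warning "Forest mode is $($forest.ForestMode); a 2003 DC could still replicate filtered attributes to a compromised RODC."
}
$schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster
"Schema master: $($schemaMaster.HostName) ($($schemaMaster.OperatingSystem))"

# Precondition 2: refuse system-critical attributes locally, then write on the schema master.
function Add-RodcFilteredAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC -Server $forest.SchemaMaster `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, schemaFlagsEx
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in the schema." }
    if (($attr.schemaFlagsEx -band 0x1) -ne 0) { throw "$LdapDisplayName is system-critical and cannot be RODC filtered." }
    Set-ADObject -Identity $attr -Server $forest.SchemaMaster `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $RODC_FILTERED) }
}
# Add-RodcFilteredAttribute -LdapDisplayName 'myAppSecretAttribute'   # placeholder attribute name
```

Writing with -Server pointed at the schema master is what makes the "unwillingToPerform" protection described above apply; the local schemaFlagsEx test only adds the same refusal on a Windows Server 2003 schema master, where the server would otherwise appear to accept the change.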
1.5.1.3 Unidirectional replication
Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This
means that any changes or corruption that a malicious user might make at branch locations cannot replicate
from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and
the effort required to monitor replication.
RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of
SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.
1.5.1.4 Credential caching
Credential caching is the storage of user or computer credentials. Credentials consist of a small set of
approximately 10 passwords that are associated with security principals. By default, an RODC does not store
user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt
account that each RODC has. You must explicitly allow any other credential caching on an RODC.
The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different
krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts
ticket-granting ticket (TGT) requests.
After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at
the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes
that the request is coming from an RODC and consults the Password Replication Policy in effect for that
RODC.
The Password Replication Policy determines if a user's credentials or a computer's credentials can be
replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the
writable domain controller replicates the credentials to the RODC, and the RODC caches them.
After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until
the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that
it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards
requests to a writable domain controller.)
By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of
credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has
credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials
that are cached can potentially be cracked.
Leaving credential caching disabled might further limit exposure, but it results in all authentication requests
being forwarded to a writable domain controller. An administrator can modify the default Password
Replication Policy to allow users' credentials to be cached at the RODC.
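The exposure that the paragraphs above describe (the credentials actually cached on a stolen RODC) is a list an administrator can read back. The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory module and uses a placeholder RODC name, not a host from the BHEL environment.

```powershell
# Added example (not from the Wipro document): review an RODC's Password Replication Policy and
# the accounts it has already revealed (cached), and flag privileged accounts among them.
# Assumes the ActiveDirectory module. The RODC name is a placeholder.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC01'   # placeholder, not a host from the BHEL environment

"Allowed list (credentials may be cached on $rodc):"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, objectClass | Format-Table -AutoSize
"Denied list (never cached, takes precedence over Allowed):"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, objectClass | Format-Table -AutoSize

# Accounts whose credentials are physically on this RODC: this is the set to reset if the RODC
# is lost, which is what "only those credentials that are cached" means in practice.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
"Revealed accounts on ${rodc}: $($revealed.Count)"

# Privileged accounts should never be cached in a branch office.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
foreach ($acct in $revealed) {
    if ($privMembers -contains $acct.SamAccountName) {
        Write-Warning "Privileged account $($acct.SamAccountName) is cached on $rodc; add it to the Denied list and reset its password."
    }
}
```

The default Denied RODC Password Replication Group already covers the built-in administrative groups; the check is for accounts that acquired privileges after the RODC was deployed, which the default group does not track.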
1.5.1.5 Administrator role separation
You can delegate local administrative permissions for an RODC to any domain user without granting that user
any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user
cannot log on to any other domain controller or perform any other administrative task in the domain. In this
way, the branch user can be delegated the ability to effectively manage the RODC in the branch office
without compromising the security of the rest of the domain.
1.5.1.6 Read-only DNS
You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory
partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they query any other DNS server.
However, the DNS server on an RODC is read-only and therefore does not support client updates directly.
Creation of Root Domain Controller on Windows Server 2008.
TCP/IP configuration of Root Domain Controller in Salt-lake.
GENERAL CONFIGURATION ON SALT-LAKE RDC.
HARD DISK PARTITION INFORMATION OF RDC.
A New Simple volume created for AD Database.
Welcome wizard click next.
Specify the size of volume.
Choose a Drive Letter and then click next.
Format the volume with NTFS file system with appropriate details.
Format completed successfully.
Installation of DNS server role on BHELPSERRDC01.
Welcome wizard, click next.
Check the DNS server and then click next.
Click Next.
Process of adding the DNS server role started.
RDC Creation in salt-lake:
To configure this server as an additional Root Domain Server, we first configure it as an Additional Domain
Controller for the domain bhelpser.co.in.
Welcome wizard.
Check the advanced mode installation check box then Click next.
Click next.
Select Existing forest and Add a DC to an existing domain.
Provide the name of the existing domain name.
Supply the credential of domain admin for creating ADC.
Select the domain bhelpser.co.in and then click next.
Select the default first site and then click next.
Check the Global catalog option and then click next.
Select the first option for replicating the database over the network.
Select the appropriate domain controller.
Specify the path for Active Directory Database.
Supply the credentials. These credentials (Directory Services Restore Mode) will be used in case of any failure to restore the Active Directory.
Summary of the whole wizard.
Click next.
Process of installation of Active Directory Services started.
After the restart we have given the server more than 24 hours to complete the replication of all Active Directory
components.
Once the replication is complete, the size of the AD database file ntds.dit indicates the completion of replication from the Root Domain Controller.
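The size of ntds.dit is only an indirect sign that replication has finished. A direct check reads the new domain controller's inbound replication status and its advertised partitions. The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory module with the Get-ADReplication* cmdlets (Windows Server 2012 RSAT or later), and lists the repadmin and dcdiag equivalents that exist on Windows Server 2008.

```powershell
# Added example (not from the Wipro document): verify that the new DC has completed inbound
# replication for every partition instead of inferring it from the ntds.dit file size.
# Assumes the ActiveDirectory module with Get-ADReplication* cmdlets (2012 RSAT or later).
Import-Module ActiveDirectory
$newDc = 'BHELPSERRDC01'

"Inbound replication partners of ${newDc}:"
Get-ADReplicationPartnerMetadata -Target $newDc -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# A partition whose last success is older than its partner's last attempt, or any recorded
# failure, means the database is not yet a faithful copy regardless of how large ntds.dit is.
$failures = @(Get-ADReplicationFailure -Target $newDc)
if ($failures.Count -gt 0) {
    $failures | Format-Table FirstFailureTime, FailureCount, LastError, Partner -AutoSize
} else {
    "No replication failures recorded on $newDc."
}

# As a GC the new DC must advertise every domain partition plus Configuration and Schema.
$dc = Get-ADDomainController -Identity $newDc
"GlobalCatalog=$($dc.IsGlobalCatalog)"
"Partitions: $($dc.Partitions -join ', ')"

# Windows Server 2008 equivalents without the PowerShell module:
#   repadmin /showrepl BHELPSERRDC01
#   repadmin /replsummary
#   dcdiag /s:BHELPSERRDC01 /test:Replications /test:Advertising
```

LastReplicationResult is 0 for success; anything else is a Win32 error code worth resolving before operations master roles are moved onto this server.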
Name Servers.
Forwarder
Raising the Domain Functional Level.
Before transferring the roles, the functional levels of the existing RDC's domain and forest must be raised.
Open Active Directory Users and Computers. Right click on bhelpser.co.in and then Raise the Domain Functional
level.
Select Windows Server 2008 and then Raise.
Click ok to proceed.
Domain Functional Level successfully raised.
Open Active Directory Domain and Trust. Right click on bhelpser.co.in and then Raise the Forest Functional level.
Select Windows Server 2008 then click Raise.
Click OK to proceed.
Forest Functional Level successfully raised.
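Raising a functional level is irreversible, and it fails or, worse, isolates any older domain controller that still exists. The following is an added example, not part of the Wipro document, that runs the prerequisite check first and then performs the two raises done above through the GUI; it assumes the ActiveDirectory module.

```powershell
# Added example (not from the Wipro document): check every DC's operating system before raising
# the domain and forest functional levels to Windows Server 2008. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$domain = Get-ADDomain

$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
       Select-Object HostName, Site, OperatingSystem, IsReadOnly
$dcs | Format-Table -AutoSize

# The Windows Server 2008 level requires every DC in the domain to run 2008 or later.
$tooOld = $dcs | Where-Object { $_.OperatingSystem -match 'Windows( Server)? (2000|2003)|Windows NT' }
if ($tooOld) {
    throw "Cannot raise: older domain controllers still present: $($tooOld.HostName -join ', ')"
}

"Current domain mode: $($domain.DomainMode)   forest mode: $((Get-ADForest).ForestMode)"

# Domain first, then forest; the forest raise requires every domain in the forest at 2008 level.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -Confirm:$false

"New domain mode:     $((Get-ADDomain).DomainMode)"
"New forest mode:     $((Get-ADForest).ForestMode)"
```

The domain raise is performed on the PDC emulator and the forest raise on the domain naming master; if either is unreachable the cmdlet fails, which ties this step back to the role-holder availability discussed earlier.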
Upgrading the schema
Upgrading the schema for Windows Server 2008 requires the Windows Server 2008 installation files.
After upgrading, our 2003 server is able to recognize the Windows Server 2008 domain controller.
Transferring the five Operations Master Roles to BHELPSERRDC01.
Querying the operations master (FSMO) role holders on our existing Windows Server 2003 RDC.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003/2008 Microsoft Corp.
C:\>netdom query fsmo
Schema owner cal002.bhelpser.co.in
Domain role owner cal002.bhelpser.co.in
PDC role cal002.bhelpser.co.in
RID pool manager cal002.bhelpser.co.in
Infrastructure owner cal002.bhelpser.co.in
The command completed successfully.
To transfer the roles through the command line, the ntdsutil command is used.
Type roles then press enter.
Type connections then press enter.
To connect to the server, type connect to server bhelpserrdc01; ntdsutil then connects to our Windows Server 2008 server.
To transfer Domain Naming Master type transfer domain naming master.
Click yes to confirmation dialog box.
Domain Naming Master transferred to bhelpserrdc01.
To transfer Infrastructure Master type transfer infrastructure master.
Click yes to confirmation dialog box.
Infrastructure Master transferred to bhelpserrdc01.
To transfer PDC type transfer pdc.
Click yes to confirmation dialog box.
PDC transferred to bhelpserrdc01.
To transfer RID master type transfer rid master.
Click yes to confirmation dialog box.
RID master transferred to bhelpserrdc01.
To transfer Schema master type transfer schema master.
Click yes to confirmation dialog box.
Schema master transferred to bhelpserrdc01.
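The five ntdsutil transfers above can be done in one scripted step that records the holders before and after. The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later). It transfers only; the -Force switch of the same cmdlet seizes, which the failure section reserves for a holder that is permanently lost.

```powershell
# Added example (not from the Wipro document): transfer all five operations master roles to
# BHELPSERRDC01 and verify, the scripted equivalent of the ntdsutil sequence above.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory
$target = 'BHELPSERRDC01'

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"
Get-FsmoHolders | Format-List

# Transfer (graceful handover with the current holder); add -Force only to seize from a holder
# that will never return, since a seized holder coming back online would claim the role too.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

"After:"
$after = Get-FsmoHolders
$after | Format-List

# Every holder should now be the target's FQDN.
$notMoved = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$target.*" }
if ($notMoved) {
    Write-Warning "Roles not on ${target}: $($notMoved.Name -join ', ')"
} else {
    "All five roles are held by $target."
}
```

The same confirmation is available from the command prompt with netdom query fsmo, as shown earlier for the Windows Server 2003 RDC.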
Querying the operations master (FSMO) role holders after the transfer.
Creation of separate OUs for Kolkata-Salt lake, Budge-budge and Bakreswar sites.
Provide a name for the OU.
Hierarchical Structure for Kolkata site.
Hierarchical Structure for Bakreswar site.
Group Policy Settings
Account lockout duration set to 15 minutes. Accounts will lock out after 3 invalid logon attempts.
Check both Success and Failure events. Enable the policy "Audit: Shut down system immediately if unable
to log security audits".
Set the maximum system log size to 10 MB. Set the maximum application log size to 10 MB.
Set the security log size to 10 MB. Enables auditing of all user rights in conjunction with Audit
Privilege Use auditing being enabled.
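The settings in the screenshots above can be read back from a domain controller and compared with the documented values. The following is an added example, not part of the Wipro document; it assumes the ActiveDirectory module and is run on (or against) a domain controller. CrashOnAuditFail is the LSA registry value behind the "Shut down system immediately if unable to log security audits" policy.

```powershell
# Added example (not from the Wipro document): verify the account lockout policy, the event log
# sizes and the audit-failure shutdown setting against the values stated in this section
# (3 attempts, 15 minutes, 10 MB logs). Assumes the ActiveDirectory module on a DC.
Import-Module ActiveDirectory

$expected = @{ LockoutThreshold = 3; LockoutMinutes = 15; LogBytes = 10MB }

# Account lockout settings from the Default Domain Policy.
$pol = Get-ADDefaultDomainPasswordPolicy
'{0,-28} {1}' -f 'LockoutThreshold',         $pol.LockoutThreshold
'{0,-28} {1}' -f 'LockoutDuration',          $pol.LockoutDuration
'{0,-28} {1}' -f 'LockoutObservationWindow', $pol.LockoutObservationWindow
if ($pol.LockoutThreshold -ne $expected.LockoutThreshold -or
    $pol.LockoutDuration.TotalMinutes -ne $expected.LockoutMinutes) {
    Write-Warning "Lockout policy differs from the documented values (3 attempts, 15 minutes)."
}

# Event log sizes and retention on this DC (10 MB = 10,485,760 bytes in the GUI).
foreach ($log in 'Security', 'System', 'Application') {
    $l  = Get-WinEvent -ListLog $log
    $ok = $l.MaximumSizeInBytes -ge $expected.LogBytes
    '{0,-12} max={1,12:N0} bytes  mode={2,-10} ok={3}' -f $log, $l.MaximumSizeInBytes, $l.LogMode, $ok
}

# "Audit: Shut down system immediately if unable to log security audits" maps to this LSA value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name CrashOnAuditFail -ErrorAction SilentlyContinue
"CrashOnAuditFail = $($lsa.CrashOnAuditFail) (1 = enabled, 0 or missing = disabled)"
```

Two operational notes follow from these values: with CrashOnAuditFail enabled, a full 10 MB security log that is not set to overwrite will halt the domain controller, so the log mode line matters as much as the size; and a threshold of 3 means the observation window decides how easily accounts lock, so it should be reviewed together with the threshold.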
This feature is provided for system availability reasons, such as the user's machine being disconnected from the
network or domain controllers not being available.
Creation of separate DNS zones for different subnets.
Select the IPv4 addresses.
Provide the network Id for the creation of zone.
Zone created successfully.
Welcome wizard.
Select the primary zone. Click next.
Select the method for the replication.
Select the IPv4 Addresses.
Provide the unique network Id for this zone.
Select both non-secure and secure updates.
Zone created successfully.
Welcome wizard.
Select primary zone.
Select the method for the replication of zone.
Select IPv4 addresses.
Provide the unique network Id for this zone.
Select both non-secure and secure updates.
Zone created successfully.
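The reverse lookup zones created through the wizard above can be created and audited with the DnsServer module. The following is an added example, not part of the Wipro document; it assumes the DnsServer module (Windows Server 2012 or later) and uses placeholder network IDs rather than the BHEL subnets. Where the wizard selected "non-secure and secure" updates, the example uses the Secure setting, so that only authenticated, domain-joined hosts can register or overwrite records, and it reports any zone still accepting unauthenticated updates.

```powershell
# Added example (not from the Wipro document): create AD-integrated reverse lookup zones for the
# site subnets and audit the dynamic update setting. Assumes the DnsServer module (2012 or later).
# Network IDs are placeholders.
Import-Module DnsServer

$networks = @('10.10.1.0/24', '10.10.2.0/24', '10.10.3.0/24')   # placeholders for the three sites

foreach ($net in $networks) {
    # Domain replication scope = DomainDnsZones partition; Secure = authenticated updates only.
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
}

"Reverse lookup zones on this server:"
Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate | Format-Table -AutoSize

# Any zone still set the way the wizard screenshots show lets an unauthenticated host register
# or overwrite records; list them with the command that tightens each one.
Get-DnsServerZone | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } | ForEach-Object {
    Write-Warning "$($_.ZoneName) accepts non-secure dynamic updates; fix with: Set-DnsServerPrimaryZone -Name '$($_.ZoneName)' -DynamicUpdate Secure"
}
```

Secure-only updates are available precisely because these zones are AD-integrated; a standard primary zone stored in a file has no ACL to enforce them.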
Sites and settings for different sites.
Different Sites and settings will be created for the replication between Domain Controllers.
Creation of different Subnets. Right click on Subnet and select New Subnet to create a Subnet.
Provide the IP Subnet and its subnet mask.
Right click on Subnet and select New Subnet to create a Subnet.
Provide the IP Subnet and its Subnet Mask.
Creation of different Sites.
Right click on Sites and select New Site to create a Site.
Provide the name for Bakreswar Site and select the Default Site Link.
Site for Bakreswar successfully created.
Go to the properties of Subnet.
Set the description to recognize easily.
Creation of different site link.
Select New Site Link
Set the name for New Site Link.
Choose the settings for replication between Domain Controllers.
Decrease the replication frequency.
Create a Site for Budge-budge.
Select New Site.
Set the name for new site.
Go to the properties page of subnet.
Different Sites and settings are created for the replication between Domain Controllers.
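A domain controller decides which site a client (or another DC) belongs to by finding the most specific subnet object that contains its address, so a DC promoted into a site whose subnets do not cover its own address ends up serving the wrong site. The following added example (not part of the Wipro document) performs that lookup offline and checks the DCs named in this document against the sites they were placed in; the site names are the document's, but the prefixes and addresses are constructed placeholders, since the document does not print the real BHEL ranges.

```python
import ipaddress

# Constructed sample data: site names come from the document, prefixes and DC
# addresses are placeholders (the document does not show the real ranges).
SITE_SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",   # catch-all supernet
    "10.1.0.0/16": "Salt-Lake",
    "10.2.0.0/16": "Bakreswar",
    "10.3.0.0/16": "Budge-Budge",
}

DC_PLACEMENT = [
    # (DC name from the document, placeholder address, site chosen in dcpromo)
    ("BHELPSERADC01", "10.1.0.10", "Salt-Lake"),
    ("BHELBUDGRODC01", "10.3.0.10", "Budge-Budge"),
    # deliberately inconsistent: the address lies in the Budge-Budge range
    ("BHELBAKRRODC01", "10.3.0.11", "Bakreswar"),
]


def load_subnets(table):
    """Validate each prefix and return a list of (network, site).

    strict=True rejects entries with host bits set (e.g. 10.1.0.5/16), which
    AD Sites and Services would also refuse as a subnet name.
    """
    subnets = []
    for prefix, site in table.items():
        subnets.append((ipaddress.ip_network(prefix, strict=True), site))
    return subnets


def find_site(ip, subnets):
    """Site lookup the way a DC performs it: of all subnets containing the
    address, the most specific (longest prefix) one decides the site.
    Returns None when no subnet matches, i.e. the client would have no site."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in subnets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def check_dc_placement(placements, subnets):
    """Return (dc, expected_site, resolved_site) for every DC whose address
    does not fall into a subnet of the site it was promoted into."""
    mismatches = []
    for dc, ip, expected in placements:
        resolved = find_site(ip, subnets)
        if resolved != expected:
            mismatches.append((dc, expected, resolved))
    return mismatches


if __name__ == "__main__":
    subnets = load_subnets(SITE_SUBNETS)
    for dc, expected, resolved in check_dc_placement(DC_PLACEMENT, subnets):
        print(f"{dc}: promoted into {expected} but its address maps to {resolved}")
```

The catch-all /8 mapped to the default site shows why the longest-prefix rule matters: an address such as 10.9.0.1 still resolves to a site, while an address outside every subnet resolves to none and the affected client will pick a DC without regard to the site topology.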
Creation of Additional Domain Controller on Windows Server 2008.
Basic details of ADC.
TCP/IP configuration of Additional Domain Controller in Salt-lake.
Server name changes to BHELPSERADC01.
Hard disk partition information of BHELPSERRDC01.
A New Simple volume created for AD Database.
Welcome wizard, click next.
Specify the size of volume.
Choose a Drive Letter and then click next.
Format the volume with NTFS file system with appropriate details.
Format completed successfully.
Installation of DNS on BHELPSERADC01.
Click Add Roles.
Welcome wizard, click next.
Check the DNS server and then click next.
Click next.
Process of adding the DNS server role started.
DNS server role service successfully installed.
ADC creation in salt-lake.
Configure this server as an additional Active Directory Domain Server for the domain bhelpser.co.in.
Open cmd and type dcpromo.
Welcome wizard.
Check the advanced mode installation check box, then click next.
Click next.
Select Existing forest and Add a DC to an existing domain.
Provide the name of the existing domain name.
Supply the credential of domain admin for creating ADC.
Select the domain bhelpser.co.in and then click next.
Select the default first site and then click next.
Check the Global catalog option and then click next.
Select the first option for replicating the database over the network.
Select the root domain controller.
Specify the path for Active Directory Database.
Supply the restore-mode credentials. These credentials will be used to restore Active Directory in case of a failure.
Summary of the whole wizard.
Click next.
Process of installation of Active Directory Services started.
Click on Finish button.
Click finish and restart before the changes take effect.
After the restart, the server will require more than 24 hrs to complete the replication of all Active Directory components.
Creation of Read Only Domain Controller on Windows Server 2008 at Budge-budge.
TCP/IP configuration of Read-only Domain Controller at Budge-budge.
Server name changes to BHELBUDGRODC01.
Installation of DNS on BHELBUDGRODC01.
Click Add Roles.
Welcome wizard, click next.
Check the DNS server and then click next.
Click next.
Process of adding the DNS server role started.
DNS server role service successfully installed.
RODC creation in Budge-budge.
Configure this server as a Read-only Active Directory Domain Server for the domain bhelpser.co.in.
Open cmd and type dcpromo.
Welcome wizard.
Check the advanced mode installation check box, then click next.
Provide the name of the existing domain name.
Supply the credential of domain admin for creating ADC.
Select the domain bhelpser.co.in and then click next.
Select the budge-budge site and then click next.
Select Global catalog and RODC, then click next.
Select Allowed RODC Password Replication and click next.
Select Allow password for the account to replicate to this RODC.
Add Domain Users.
Set the domain administrator user account for delegation of RODC Installation and Administration.
Select the first option for replicating the database over the network.
Select the root domain controller.
Specify the path for Active Directory Database.
Supply the restore-mode credentials. These credentials will be used to restore Active Directory in case of a failure.
Summary of the whole wizard.
Click next.
Exported settings of DCPROMO wizard.
Process of installation of Active Directory Services started.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend:C:\Bhel Implementation\rodc-settings.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser.co.in\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="D:\Windows\NTDS"
LogPath="D:\Windows\NTDS"
SYSVOLPath="D:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes
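The exported file above is the record of what the RODC will do when promoted with dcpromo /unattend, so it is worth checking before it is run or archived: whether any secret is stored in it, whether SafeModeAdminPassword has been filled in as the file's own comment demands, and which principals the Password Replication Policy allows the branch RODC to cache. The following added example (not part of the Wipro document) parses this file format and reports those points. Because PasswordReplicationAllowed and PasswordReplicationDenied are repeated keys, a standard INI parser that keeps only the last value would silently drop most of the policy, so the parser below keeps every value. The sample text is a constructed, shortened copy of the exported settings; the list of "broad" groups is an assumption made for the check.

```python
# Constructed sample in the dcpromo unattend format, shortened from the
# exported settings shown in the document (site, domain and account names are
# the document's; the file itself is rebuilt here).
SAMPLE_UNATTEND = """\
; DCPROMO unattend file (automatically generated by dcpromo)
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
PasswordReplicationDenied="BUILTIN\\Administrators"
PasswordReplicationDenied="BHELPSER\\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\\Domain Users"
DelegatedAdmin="BHELPSER\\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
UserName=bhelpser.co.in\\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="D:\\Windows\\NTDS"
SafeModeAdminPassword=
; RebootOnCompletion=Yes
"""

# Assumption for this check: groups whose membership covers most of the domain.
BROAD_PRINCIPALS = {"domain users", "domain computers", "authenticated users", "everyone"}


def parse_unattend(text):
    """Parse the [DCInstall] section into {key: [values]}.

    Lines starting with ';' are comments, values may be double-quoted, and a
    key may repeat (the PRP lists do); every occurrence is kept, in order.
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "DCInstall" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        values.setdefault(key.strip(), []).append(val)
    return values


def review_rodc_unattend(text):
    """Return a list of findings (empty means nothing to flag) for an RODC unattend file."""
    cfg = parse_unattend(text)
    findings = []

    def first(key):
        return cfg.get(key, [""])[0]

    if first("ReplicaOrNewDomain") != "ReadOnlyReplica":
        findings.append("ReplicaOrNewDomain is not ReadOnlyReplica: this is not an RODC promotion")
    # '*' means dcpromo prompts at run time; any other value is a secret kept on disk.
    if first("Password") not in ("", "*"):
        findings.append("Password is stored in the unattend file; use '*' to be prompted at runtime")
    if first("SafeModeAdminPassword") == "":
        findings.append("SafeModeAdminPassword is empty; set it before running dcpromo /unattend")
    for principal in cfg.get("PasswordReplicationAllowed", []):
        if principal.split("\\")[-1].lower() in BROAD_PRINCIPALS:
            findings.append(f"PasswordReplicationAllowed includes {principal}: "
                            "every member's password may be cached on this branch RODC")
    if not cfg.get("PasswordReplicationDenied"):
        findings.append("no PasswordReplicationDenied entries: privileged accounts are not excluded from caching")
    if first("ReplicationSourceDC") == "":
        findings.append("ReplicationSourceDC not set: initial replication source will be chosen automatically")
    return findings


if __name__ == "__main__":
    for finding in review_rodc_unattend(SAMPLE_UNATTEND):
        print("-", finding)
```

Run against the sample, the check reports two points: SafeModeAdminPassword still has to be filled in, and Domain Users is in the allowed list, which means the passwords of all domain users may be cached at the Budge-Budge site rather than only those of the accounts that actually log on there.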
Click on Finish Button.
Click finish and restart before the changes take effect.
After the restart, the server will require enough time to replicate.
On the RODC, the options for creating users and groups are grayed out, since its copy of the directory is read-only.
Creation of Read Only Domain Controller on Windows Server 2008 at Bakreswar.
TCP/IP configuration of Read-only Domain Controller at Bakreswar.
Server name changes to BHELBAKRRODC01.
Installation of DNS on BHELBAKRRODC01.
Click Add Roles.
Welcome wizard, click next.
Check the DNS server and then click next.
Click next.
Process of adding the DNS server role started.
DNS server role service successfully installed.
RODC creation in Bakreswar.
Configure this server as a Read-only Active Directory Domain Server for the domain bhelpser.co.in.
Open cmd and type dcpromo.
Welcome wizard, click on the Next button.
Check the advanced mode installation check box, then click next.
Click on Next.
Select Existing forest and Add a DC to an existing domain.
Provide the name of the existing domain name.
Supply the credential of domain admin for creating ADC.
Select the domain bhelpser.co.in and then click next.
Select the bakreswar site and then click next.
Select Global catalog and RODC, then click next.