
Contents

Overview
Lesson: Creating a Forest and Domain Structure
Lesson: Examining and Configuring Active Directory Integrated DNS
Lesson: Raising Forest and Domain Functional Levels
Lesson: Creating Trust Relationships
Lesson: Securing Trusts by Using SID Filtering
Lab A: Implementing Active Directory

Module 2: Implementing an Active Directory Forest and Domain Structure

This course is based on the Release Candidate 2 version of Microsoft® Windows® Server 2003. All labs in the course are to be completed with the Release Candidate 2 version of Windows Server 2003. The components of this course are still in development. Content in the final release of the course may be different from the content included in this prerelease version.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, MSDN, PowerPoint, Visio, and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Overview

This module presents installation requirements for Active Directory® directory service and explains how to create a forest and domain structure by using the Active Directory Installation Wizard. You will learn how to configure Domain Name System (DNS) in an Active Directory environment, raise forest and domain functional levels, create trust relationships, and secure trusts by using SID filtering.

After completing this module, you will be able to:

! Create a forest and domain structure.
! Configure DNS in an Active Directory environment.
! Raise the functional level of a forest and a domain.
! Create trust relationships between domains.
! Secure trusts by using SID filtering.



Lesson: Creating a Forest and Domain Structure

This lesson provides the skills and knowledge necessary for creating a forest and domain structure. You will also learn how to verify that Active Directory was installed successfully, which problems commonly arise during installation, and how to resolve them.

After completing this lesson, you will be able to:

! Identify the requirements for installing Active Directory.
! Describe the Active Directory installation process.
! Create a forest and domain structure.
! Add a replica domain controller to a domain.
! Rename a domain controller.
! Remove a domain controller from Active Directory.
! Verify an Active Directory installation.
! Troubleshoot an installation of Active Directory.


Requirements for Installing Active Directory

Before you install Active Directory, you must ensure that the computer that is to be configured as a domain controller meets certain hardware and operating system requirements. In addition, the domain controller must be able to access a DNS server that meets certain requirements to support integration with Active Directory.

The following list identifies the requirements for Active Directory installation:

! A computer running Microsoft® Windows® Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition. Windows Server 2003, Web Edition, can join a domain but cannot be promoted to a domain controller.

! A minimum of 250 megabytes (MB) of disk space: 200 MB for the Active Directory database and 50 MB for the Active Directory database transaction log files. File size requirements for the Active Directory database and log files depend on the number and type of objects in the domain. Additional disk space is required if the domain controller is also a global catalog server.

! A partition or volume that is formatted with the NTFS file system. This is required for the SYSVOL folder.

! The necessary administrative privileges: membership in the local Administrators group to create a new forest, membership in the Enterprise Admins group to add a domain to an existing forest, and membership in the Domain Admins group of the target domain to add a replica domain controller.

! Transmission Control Protocol/Internet Protocol (TCP/IP) installed and configured to use DNS.


! A DNS server that is authoritative for the DNS domain and supports the following:

• SRV resource records SRV records are DNS records that are used to identify computers that host specific services on a Windows Server 2003 network. For more information about SRV records, see What Are SRV Records in this module. The DNS server used to support Active Directory deployment must support SRV resource records. If your DNS software does not support SRV resource records, you must configure DNS locally during the Active Directory installation process or configure DNS manually after Active Directory is installed.

• Dynamic updates Microsoft highly recommends that DNS servers also support dynamic updates. The dynamic update protocol enables servers and clients in a DNS environment to add and modify records in the DNS database automatically, thereby reducing administrative efforts. If you are using DNS software that supports SRV resource records but does not support the dynamic update protocol, you must enter the SRV resource records manually in the DNS database.

• Incremental zone transfers. Zone transfers copy the changes made to a zone on the primary (master) DNS server to the secondary DNS servers for that zone. Incremental zone transfers are optional but recommended, because they replicate only new or modified resource records instead of the entire zone file and so save network bandwidth. Whether or not incremental transfers are used, restrict zone transfers to the listed secondary servers: a transfer of an Active Directory domain's zone hands out the names and addresses of every domain controller and the services each one hosts.

Note: For more information about SRV resource records, dynamic updates, and incremental zone transfers, see "Windows 2000 DNS" under Additional Reading on the Web page on the Student Materials compact disc.
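The SRV records described above, as an added example that is not part of the course: a Python script that lists the DC locator records a Windows Server 2003 domain controller registers (the owner names follow the layout of the domain controller's netlogon.dns file), parses a zone dump, and reports records that are missing or that advertise the wrong port. The domain nwtraders.msft, the site name, the domain GUID and the zone text are constructed sample values; on a real domain controller you would feed it %systemroot%\system32\config\netlogon.dns or the output of an nslookup query.

```python
"""Added example, not part of the course: enumerate the DC locator SRV records a
Windows Server 2003 domain controller must register and check a zone dump for them.

Owner names follow the layout of the DC's %systemroot%\\system32\\config\\netlogon.dns
file. The domain, site, GUID and zone text below are constructed sample values.
"""

# Port each locator service must advertise; a record with the wrong port is as bad as a missing one.
SERVICE_PORTS = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}


def expected_srv_names(domain, forest, site, domain_guid, is_pdc=False, is_gc=False):
    """SRV owner names every DC registers, plus the PDC-emulator and global catalog ones when applicable."""
    names = {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
    }
    if is_pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{domain}")
    if is_gc:
        names |= {
            f"_ldap._tcp.gc._msdcs.{forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
            f"_gc._tcp.{forest}",
            f"_gc._tcp.{site}._sites.{forest}",
        }
    # DNS names are case-insensitive; normalise once so comparisons are exact.
    return {n.lower() for n in names}


def parse_srv_records(zone_text):
    """Parse 'owner ttl IN SRV priority weight port target' lines into {owner: [(prio, weight, port, target)]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        # Blank lines, comments, and A/CNAME records do not have the eight-field SRV shape.
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue
        owner = fields[0].rstrip(".").lower()
        prio, weight, port = int(fields[4]), int(fields[5]), int(fields[6])
        records.setdefault(owner, []).append((prio, weight, port, fields[7].rstrip(".").lower()))
    return records


def check_srv_registration(expected, records):
    """Return (sorted missing owner names, [(owner, port)] for registered records with a wrong port)."""
    present = set(records)
    missing = sorted(expected - present)
    bad_ports = []
    for owner in sorted(expected & present):
        service = owner.split(".", 1)[0]  # "_ldap", "_kerberos", "_kpasswd" or "_gc"
        for _prio, _weight, port, _target in records[owner]:
            if port != SERVICE_PORTS[service]:
                bad_ports.append((owner, port))
    return missing, bad_ports


# Constructed sample: a zone for nwtraders.msft whose DNS server accepted some records but not others.
SAMPLE_ZONE = """\
_ldap._tcp.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_ldap._tcp.Default-First-Site-Name._sites.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_ldap._tcp.dc._msdcs.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_ldap._tcp.4a6d0a7c-0b9d-4d8e-9f3a-1c2b3d4e5f60.domains._msdcs.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_kerberos._tcp.nwtraders.msft. 600 IN SRV 0 100 88 dc1.nwtraders.msft.
_kerberos._udp.nwtraders.msft. 600 IN SRV 0 100 88 dc1.nwtraders.msft.
_kerberos._tcp.Default-First-Site-Name._sites.nwtraders.msft. 600 IN SRV 0 100 88 dc1.nwtraders.msft.
_kerberos._tcp.dc._msdcs.nwtraders.msft. 600 IN SRV 0 100 88 dc1.nwtraders.msft.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.nwtraders.msft. 600 IN SRV 0 100 88 dc1.nwtraders.msft.
_kpasswd._tcp.nwtraders.msft. 600 IN SRV 0 100 464 dc1.nwtraders.msft.
_gc._tcp.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
dc1.nwtraders.msft. 600 IN A 192.168.1.10
"""


def sample_report():
    """Check the constructed zone for a DC that is both PDC emulator and global catalog."""
    expected = expected_srv_names(
        domain="nwtraders.msft",
        forest="nwtraders.msft",
        site="Default-First-Site-Name",
        domain_guid="4a6d0a7c-0b9d-4d8e-9f3a-1c2b3d4e5f60",  # sample GUID, not a real domain's
        is_pdc=True,
        is_gc=True,
    )
    return check_srv_registration(expected, parse_srv_records(SAMPLE_ZONE))


if __name__ == "__main__":
    missing, bad_ports = sample_report()
    for name in missing:
        print("missing SRV record:", name)
    for name, port in bad_ports:
        print(f"wrong port {port} on:", name)
```

Against the constructed zone the report flags the PDC emulator record, the _kpasswd UDP record and three global catalog records as missing, and the _gc._tcp record as registered on port 389 instead of 3268: exactly the kind of gap that makes clients unable to find a domain controller even though the domain controller itself is healthy.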


The Active Directory Installation Process

The Active Directory installation process is started by running the Active Directory Installation Wizard. The installation process makes a number of changes to the Windows Server 2003 server on which Active Directory is being installed. Understanding these changes will help you troubleshoot problems that may arise post-installation.

The installation process performs the following tasks:

! Starts the Kerberos version 5 authentication protocol, and sets the Local Security Authority (LSA) policy to indicate that this server is a domain controller.

! Creates the Active Directory directory partitions. A directory partition is a portion of the directory namespace; each partition contains a hierarchy (subtree) of directory objects. On the first domain controller in a forest the installation creates the schema, configuration, and domain directory partitions and, if the wizard installs DNS on that domain controller, the ForestDnsZones and DomainDnsZones application directory partitions. Each subsequent domain controller created in the forest receives the partitions it hosts through replication.

! Creates the forest root domain. If the server is the first domain controller on the network, the installation process creates the forest root domain, and all five operations master roles (the schema master, domain naming master, primary domain controller (PDC) emulator, relative identifier (RID) master, and infrastructure master) are assigned to this domain controller.

Note: The operations master roles can be transferred to other domain controllers after replica domain controllers are added to the domain.


! Configures the membership of the domain controller in an appropriate site. If the Internet Protocol (IP) address of the server being promoted to a domain controller is within the range for a given subnet defined in Active Directory, the wizard configures the membership of the domain controller in the site associated with that subnet. If no subnet objects are defined or if the IP address of the server is not within the range of the subnet objects present in Active Directory, the server is placed in the Default-First-Site-Name site. Default-First-Site-Name is the first site that is set up automatically when you create the first domain controller in a forest. The Active Directory Installation Wizard creates a server object for the domain controller in the appropriate site. The server object contains information required for replication. The server object contains a reference to the computer object in the Domain Controllers organizational unit that represents the domain controller being created.

Note: If a server object for this domain controller already exists in the Servers container of the site to which the domain controller is being added, it is deleted and then recreated, because the wizard assumes that you are reinstalling Active Directory.

During the installation of Active Directory, security is enabled on the directory service and the file replication folders to control the access to Active Directory objects.

! Adds two shortcuts to Administrative Tools: Domain Security Policy and Domain Controller Security Policy. They open the Security Settings of the Default Domain Policy and the Default Domain Controllers Policy Group Policy objects, respectively, which the installation also creates and links.

! Creates the shared system volume folder. The shared system volume is a folder structure that is hosted on all Windows Server 2003 domain controllers, and contains the following:

• The SYSVOL shared folder. This shared folder contains Group Policy information.

• The NETLOGON shared folder. This shared folder holds logon scripts, which is how client computers running earlier versions of Windows that cannot process Group Policy receive them.

! Creates the Active Directory database and log files. The default location for the database and log files is systemroot\Ntds.

Note: For best performance, place the database and log files on separate hard disks, so that reads and writes to the database and to the log files do not compete for the same input/output resources.

! Sets the password you provide for the local Administrator account that is used to log on when the domain controller is started in Directory Services Restore Mode. Treat this password as a privileged credential: it is stored locally rather than in Active Directory, it is not affected by later changes to the domain Administrator account, and anyone who knows it can start the domain controller offline with full access to the directory database.


How to Create Forest and Domain Structure

The Active Directory Installation Wizard is used to create a forest and domain structure. When you install Active Directory for the first time in a network, you create the forest root domain. After you have created the forest root domain, use the wizard to create additional trees and child domains.

When you run the Active Directory Installation Wizard, you will be guided through the installation process and prompted for information. The information that you must provide when you install Active Directory varies according to the options that you select.

To create the forest root domain, perform the following steps:

1. Click Start, click Run, type dcpromo, and then click OK. The Active Directory Installation Wizard verifies the following:

• That the user currently logged on is a member of the local Administrators group.

• That the computer is running an operating system that supports Active Directory.

• That a previous installation or removal of Active Directory has not occurred without restarting the computer.

• That an installation or removal of Active Directory is not currently in progress.

If any of these four verifications fails, an error message appears and the wizard exits.

2. On the Welcome page, click Next.


3. On the Operating System Compatibility page, click Next.

Caution: The Operating System Compatibility page warns about compatibility with earlier Windows clients. Windows Server 2003 domain controllers enable stricter default security settings than Windows 2000 domain controllers, including a requirement that SMB traffic be signed. Windows 95, and Microsoft Windows NT® with Service Pack 3 or earlier, cannot meet these requirements and therefore cannot authenticate to a Windows Server 2003 domain controller; installing the Active Directory client on those operating systems enables them to do so. Do not relax the domain controller's signing requirement to accommodate such clients, because unsigned SMB sessions can be tampered with or relayed by an attacker on the network.

4. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

5. On the Create New Domain page, click Domain in a new forest, and then click Next.

6. On the New Domain Name page, type the full DNS name for the new domain, and then click Next.

7. On the NetBIOS Domain Name page, verify the NetBIOS name, and then click Next. The NetBIOS name is used to identify the domain to client computers running earlier versions of Microsoft Windows and Microsoft Windows NT. The NetBIOS domain name is generated from the DNS domain name. The NetBIOS name is formed by taking up to the first 15 characters of the leftmost label in the DNS domain name. The wizard verifies that the NetBIOS domain name is unique and, if it is not, the user is prompted to change the name.

8. On the Database and Log Folders page, specify the location in which you want to install the database and log folders, and then click Next.

9. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse to choose a location, and then click Next.

10. On the DNS Registration Diagnostics page, the wizard tests whether an existing DNS server is authoritative for the new domain and accepts dynamic updates. If the test succeeds, click Next. If it fails and this server is to host DNS, click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server, and then click Next.

11. On the Permissions page, specify whether to assign the default permissions on user and group objects that are compatible with servers running earlier versions of Windows and Windows NT, or only with servers running Windows Server 2003.

Note: If Permissions compatible with pre-Windows 2000 server operating systems is selected, the Everyone group, and on Windows Server 2003 also the Anonymous Logon group, is added to the Pre-Windows 2000 Compatible Access group, which has permission to read user and group information in Active Directory. That lets anonymous (null session) connections enumerate the domain's accounts and group memberships. Select this option only if you must support services running on Windows NT 4.0 that require it (for example Routing and Remote Access servers), and remove Everyone and Anonymous Logon from the group as soon as those systems are gone.


12. When prompted, specify the password for Directory Services Restore Mode. Every Windows Server 2003 domain controller keeps a small local account database, similar to the Windows NT 4.0 Security Accounts Manager (SAM). Its only account is Administrator, and that account is used to log on when the computer is started in Directory Services Restore Mode, because Active Directory is not running in that mode. Choose a strong password that differs from the domain Administrator password, record it securely, and change it if the domain controller is ever suspected of compromise: whoever knows it can start the domain controller offline and read the directory database, including password hashes.

13. Review the Summary page, and then click Next to begin the installation.

14. Restart the computer.

After you finish specifying the installation information, the Active Directory Installation Wizard installs Active Directory and converts the computer to a domain controller.

Creating a child domain

The procedure for creating a child domain by using the Active Directory Installation Wizard is similar to that of creating the forest root domain. The changes to the procedure are as follows:

! On the Create New Domain page, click Child domain in an existing domain tree.

! On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation. The user account must be a member of the Enterprise Admins group.

! On the Child Domain Installation page, verify the parent domain, and then type the new child domain name.

When you use the Active Directory Installation Wizard to create a child domain, it contacts the domain naming master and requests the addition or deletion. The domain naming master is responsible for ensuring that the domain names are unique. If the domain naming master is unavailable, you cannot add or remove domains.

Creating a tree

The procedure for creating a tree by using the Active Directory Installation Wizard is similar to that of creating the forest root domain. The changes to the procedure are as follows:

! On the Create New Domain page, click Domain tree in an existing forest.

! On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next. The user account must be a member of the Enterprise Admins group.

! On the New Domain Tree page, type the full DNS name for the new domain.
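The procedures above, as an added example that is not from the course: a Python script that applies the wizard's name checks (DNS label syntax, the 15-character NetBIOS rule and NetBIOS uniqueness) and then renders the [DCInstall] answer file that dcpromo /answer:<file> uses to perform the forest root promotion unattended. The key names are the ones documented for dcpromo on Windows Server 2003 and are an assumption to verify against the documentation for the build in use; nwtraders.msft, CONTOSO and the paths are sample values.

```python
"""Added example, not part of the course: the name checks dcpromo performs before
creating a forest root domain, and an unattended answer file for the same promotion.

Assumptions: DNS label syntax per RFC 1035 plus the 15-character NetBIOS rule the
lesson describes; the [DCInstall] keys are those documented for
'dcpromo /answer:<file>' on Windows Server 2003 and should be checked against the
documentation for the build in use; nwtraders.msft and the paths are sample values.
"""
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
NETBIOS_MAX = 15


def validate_dns_domain_name(name):
    """Return the problems with a proposed DNS domain name; an empty list means it is usable."""
    problems = []
    bare = name.rstrip(".")
    labels = bare.split(".")
    if len(labels) < 2:
        problems.append("single-label name; use at least two labels (for example corp.nwtraders.msft)")
    if len(bare) > 255:
        problems.append("name is longer than 255 characters")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label '{label}' is not 1-63 letters, digits or hyphens without a leading or trailing hyphen")
    return problems


def derive_netbios_name(dns_name):
    """Default the wizard proposes: the first 15 characters of the leftmost label, upper-cased."""
    return dns_name.split(".")[0][:NETBIOS_MAX].upper()


def netbios_clashes(candidate, existing_netbios_names):
    """NetBIOS domain names must be unique; the comparison is case-insensitive."""
    return [n for n in existing_netbios_names if n.upper() == candidate.upper()]


def build_dcinstall_answer(dns_name, netbios_name, dsrm_password, site="Default-First-Site-Name",
                           database_path=r"C:\WINDOWS\NTDS", log_path=r"D:\NTDSLOGS",
                           sysvol_path=r"C:\WINDOWS\SYSVOL"):
    """Render the [DCInstall] section for 'dcpromo /answer:<file>' creating a new forest root domain."""
    lines = [
        "[DCInstall]",
        "ReplicaOrNewDomain=Domain",
        "TreeOrChild=Tree",
        "CreateOrJoin=Create",
        f"NewDomainDNSName={dns_name}",
        f"DomainNetbiosName={netbios_name}",
        "AutoConfigDNS=Yes",          # install DNS here if no authoritative server accepts updates
        f"SiteName={site}",
        "AllowAnonymousAccess=No",    # keep Everyone/Anonymous Logon out of Pre-Windows 2000 Compatible Access
        f"DatabasePath={database_path}",
        f"LogPath={log_path}",        # separate disk from the database, as the lesson recommends
        f"SYSVOLPath={sysvol_path}",  # must be an NTFS volume
        f"SafeModeAdminPassword={dsrm_password}",  # stored in clear text: protect and delete the file after use
        "RebootOnSuccess=Yes",
    ]
    return "\n".join(lines) + "\n"


def plan_forest_root(dns_name, existing_netbios_names, dsrm_password):
    """Validate the names and return (problems, warnings, answer_file_text); the text is None on any problem."""
    problems = validate_dns_domain_name(dns_name)
    warnings = []
    netbios = derive_netbios_name(dns_name)
    clashes = netbios_clashes(netbios, existing_netbios_names)
    if clashes:
        problems.append(f"NetBIOS name {netbios} clashes with existing domain(s): {', '.join(clashes)}")
    if len(dns_name.split(".")[0]) > NETBIOS_MAX:
        warnings.append(f"leftmost label is longer than {NETBIOS_MAX} characters; NetBIOS name truncated to {netbios}")
    if problems:
        return problems, warnings, None
    return [], warnings, build_dcinstall_answer(dns_name, netbios, dsrm_password)


if __name__ == "__main__":
    problems, warnings, answer = plan_forest_root("nwtraders.msft", ["CONTOSO"], "Use-a-strong-DSRM-passphrase")
    for message in problems + warnings:
        print(message)
    if answer:
        print(answer, end="")
```

The answer file holds the Directory Services Restore Mode password in clear text, so write it with an ACL that only Administrators can read and delete it once the promotion has completed; the same applies to any UserName/Password keys you add for a child domain or replica promotion.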


How to Add a Replica Domain Controller

To enable fault tolerance in the event that a domain controller goes offline unexpectedly, you must have a minimum of two domain controllers in a single domain. Because all domain controllers in a domain replicate their domain-specific data to one another, installing multiple domain controllers in the domain automatically enables fault tolerance for the data stored in Active Directory. If a domain controller fails, the remaining domain controllers will provide authentication services and access to objects in Active Directory, allowing the domain to operate as usual.

Before you begin the installation, you need to determine whether the initial replication of Active Directory will be performed over the network from a nearby domain controller or whether the initial replication will be performed from a media backup.

Choose the network option if the replica domain controller will be installed:

! In a site where another domain controller exists.
! In a new site that is connected to an existing site by a high-speed network.

Choose the install from backup media option when you want to install the first domain controller in a remote site for an existing domain.

To install a replica domain controller, perform the following steps:

1. Run dcpromo. To install an additional domain controller from restored backup files, run dcpromo with the /adv option.

2. On the Domain Controller Type page, select Additional domain controller for an existing domain.


If you have run the Active Directory Installation Wizard with the /adv option, on the Copying Domain Information page, choose one of the following options:

• Over the network.

• From these restored backup files, and specify the location of the restored backup files.

When you choose to copy domain information from restored backup files, you must first back up the system state data of a domain controller running Windows Server 2003 in the domain in which this member server will become an additional domain controller, and then restore that system state backup locally on the server on which you are installing Active Directory. The backup must be more recent than the forest's tombstone lifetime (60 days by default), or the wizard rejects it. Because a system state backup contains the whole directory database, including password hashes, protect the backup media and the restored copy as carefully as a domain controller, and delete the restored copy after the installation completes. For more information about backing up and restoring Active Directory, see Backing Up Active Directory and Restoring Active Directory in Module 10, "Maintaining Active Directory," in Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

If a domain controller that was backed up contains an application directory partition, the application directory partition will not be restored on the new domain controller. If the domain controller from which you restored the system state data was a global catalog server, you will have the option to make this new domain controller a global catalog server.

3. Specify the network credentials, the location for the Active Directory files, and the directory services restore mode administrator password.

a. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation. The user account must be a member of the Domain Admins group for the target domain.

b. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location.

c. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse to choose a location.

d. On the Directory Services Restore Mode Administrator Password page, type and confirm the password you want to assign to this server's administrator account that will be used when the computer is started in directory services restore mode, and then click Next.

e. Review the Summary page, and then click Next to begin the installation.

4. Restart the computer.

When a new domain controller is added to a domain, replication occurs to ensure consistency in Active Directory.


How to Rename a Domain Controller

Windows Server 2003 allows you to rename a domain controller after it has been installed. To rename a domain controller, you must be a member of the Domain Admins group. Renaming adds the new name to, and removes the old name from, both DNS and the Active Directory database. The rename domain controller feature is available only when the domain functional level is Windows Server 2003. For information on how to raise the domain functional level, see Raising Forest and Domain Functional Levels in this module.

To rename a domain controller, perform the following steps:

1. In Control Panel, open System.

2. In the System Properties dialog box, on the Computer Name tab, click Change.

3. Confirm that you want to rename the domain controller when prompted.

4. Enter the full computer name (including the primary DNS suffix), and then click OK.

Note: Renaming a domain controller may make it temporarily unavailable to users and computers until the new name has replicated to the other domain controllers and been registered in DNS.

You can change the primary DNS suffix of a domain controller when renaming it. However, this does not move the domain controller to a new Active Directory domain. For example, if you rename the server dc2.nwtraders.msft to dc1.contoso.msft, the computer is still a domain controller for the nwtraders.msft domain, even though its primary DNS suffix is contoso.msft. To move a domain controller to another domain, you must first demote the domain controller and then promote it to a domain controller in the new domain.


How to Remove a Domain Controller from Active Directory

Windows Server 2003 allows you to remove a domain controller that is no longer required or has been damaged by natural disaster. If the domain controller is the last domain controller in its domain, removing the domain controller will remove this domain from the forest. If this domain is the last domain in the forest, removing the domain controller will delete the forest.

To remove a domain controller that is online and is no longer required, perform the following steps:

1. Run dcpromo to open the Active Directory Installation Wizard, and then click Next.

2. On the Remove Active Directory page, if this is the last domain controller for the domain, select the This server is the last domain controller in the domain check box, and then click Next. The wizard queries Active Directory to determine whether other replica domain controllers exist for this domain. If the check box does not match what Active Directory contains (you selected it but another domain controller server object still exists, or vice versa), the wizard will not let you proceed. If this domain controller is the last replica for one or more application directory partitions, you are prompted to confirm that you want to delete those partitions.

3. On the Administrator Password page, in the New Administrator Password and Confirm password boxes, type the password for the local Administrator account that the server will have after it is demoted to a member server, and then click Next.

4. On the Summary page, review the summary, and then click Next.


Procedure to remove a domain controller that is damaged

To remove a domain controller that has failed and cannot be started, you cannot run the wizard on it. Instead, remove its metadata from Active Directory by running ntdsutil on a working domain controller in the same domain, using the metadata cleanup option. To do so, perform the following steps:

1. At the command prompt, type ntdsutil, press ENTER, and then at the ntdsutil prompt type the following command and press ENTER:

ntdsutil: metadata cleanup

2. At the metadata cleanup prompt, type the following command, and then press ENTER:

metadata cleanup: connections

3. At the server connections prompt, type the following commands to connect to a working domain controller in the domain that contained the failed domain controller (use its fully qualified domain name), and then return to the metadata cleanup prompt:

server connections: connect to server servername
server connections: quit

4. At the metadata cleanup prompt, select the operations target by typing the following command:

metadata cleanup: select operations target

5. At the select operations target prompt, type the following commands to identify and select the failed domain controller, choosing the number shown for the domain, site, and server in each list:

select operations target: list domains
select operations target: select domain number
select operations target: list sites
select operations target: select site number
select operations target: list servers in site
select operations target: select server number
select operations target: quit

6. At the metadata cleanup prompt, type the following commands to remove the failed domain controller from Active Directory, confirming the deletion when prompted:

metadata cleanup: remove selected server
metadata cleanup: quit

After the metadata is removed, check DNS for the failed domain controller's remaining records (its host (A) record, its alias (CNAME) record under _msdcs, and its SRV records), and check Active Directory Sites and Services and the Domain Controllers organizational unit for its server object and computer account; delete anything that remains. Otherwise clients and replication partners keep trying to reach a server that no longer exists.

Important: Before demoting a domain controller that is a global catalog server, ensure that another global catalog server is available to users. If the domain controller holds an operations master role, transfer the role to another domain controller before demoting it. If the domain controller has failed and cannot be demoted, its roles cannot be transferred; seize them on another domain controller instead, and never return the failed domain controller to the network afterwards. For information about transferring and seizing operations master roles, see Module 9, "Managing Operations Masters," in Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.


How to Verify the Active Directory Installation

The Active Directory installation process creates a number of default objects in the Active Directory database. In addition, it creates the shared system folder and the database and log files. You must verify the installation of Active Directory after the wizard completes the installation and the new domain controller restarts.

There are two steps involved in verifying SYSVOL. First, verify that the folder structure was created, and second, verify that the necessary shared folders were created. If the SYSVOL folder is not correctly created, data that is stored in the SYSVOL folder, such as Group Policy and scripts, will not be replicated between domain controllers.

To verify that the folder structure was created, perform the following steps:

1. Click Start, and then click Run.

2. In the Open box, type %systemroot%\sysvol, and then click OK.

Windows Explorer opens and displays the contents of the SYSVOL folder, which should include the subfolders domain, staging, staging areas, and sysvol.


To verify that the necessary shares have been created, perform the following steps:

1. Open a command prompt window.

2. At the command prompt, type net share and then press ENTER.

In the list of shared folders on this computer, you should see the shared folders listed in the following table, where domain is the DNS name of the domain.

Share name   Resource                                   Remark
NETLOGON     systemroot\SYSVOL\sysvol\domain\SCRIPTS    Logon server share
SYSVOL       systemroot\SYSVOL\sysvol                   Logon server share

To verify that the Active Directory database and log files were created, perform the following steps:

1. Click Start, and then click Run.

2. In the Open box, type %systemroot%\ntds and then click OK.

Windows Explorer opens and displays the contents of the Ntds folder, which should include the following files:

! Ntds.dit. The directory database file. It holds every object in the domain, including account password hashes, so the permissions on the Ntds folder must stay restricted to Administrators and SYSTEM, and any copy of the file must be protected like a backup of the domain.
! Edb.*. The transaction log files (Edb*.log) and the checkpoint file (Edb.chk).
! Res*.log. The reserved log files (Res1.log and Res2.log), which hold disk space so that pending transactions can still be written if the volume fills.

Note: If you changed the location of the directory database and log files during the installation, replace %systemroot%\ntds with the location that you specified.
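The verification steps above, as an added example that is not part of the course: a Python script that parses net share output, checks the NETLOGON and SYSVOL share paths, the four SYSVOL subfolders and the NTDS files, and reports anything missing. The net share text and directory listings in the block are constructed for the example (nwtraders.msft, C:\WINDOWS); run_live_checks runs the same checks on a real domain controller.

```python
"""Added example, not part of the course: automate this lesson's SYSVOL-share,
SYSVOL-folder and NTDS-file checks. The 'net share' output and directory listings
embedded below are constructed; run_live_checks() runs the same checks against a
real domain controller (Windows only).
"""
import os
import re
import subprocess


def win_join(*parts):
    """Join Windows path parts with backslashes, independent of the host OS."""
    return "\\".join(p.strip("\\") for p in parts)


def parse_net_share(text):
    """Map share name -> resource path from 'net share' output (None for shares like IPC$ with no path)."""
    shares = {}
    for line in text.splitlines():
        # Skip the header, rule, trailing status line, and wrapped remark lines (which start with spaces).
        if not line or line[0].isspace() or line.startswith(("Share name", "-", "The command")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        path = fields[1] if len(fields) > 1 and re.match(r"^[A-Za-z]:\\", fields[1]) else None
        shares[fields[0]] = path
    return shares


def check_sysvol_shares(shares, systemroot, domain_dns_name):
    """NETLOGON and SYSVOL must exist and point into systemroot\\SYSVOL\\sysvol (paths compared case-insensitively)."""
    expected = {
        "NETLOGON": win_join(systemroot, "SYSVOL", "sysvol", domain_dns_name, "SCRIPTS"),
        "SYSVOL": win_join(systemroot, "SYSVOL", "sysvol"),
    }
    problems = []
    for share, want in expected.items():
        got = shares.get(share)
        if got is None:
            problems.append(f"share {share} is missing")
        elif got.lower() != want.lower():
            problems.append(f"share {share} points to {got}, expected {want}")
    return problems


def check_sysvol_tree(entries):
    """Return which of the four expected SYSVOL subfolders are absent."""
    want = {"domain", "staging", "staging areas", "sysvol"}
    return sorted(want - {e.lower() for e in entries})


def check_ntds_files(entries):
    """ntds.dit, the edb* log/checkpoint files and the res*.log reserved logs must all be present."""
    names = [e.lower() for e in entries]
    problems = []
    if "ntds.dit" not in names:
        problems.append("ntds.dit is missing")
    if not any(n.startswith("edb") for n in names):
        problems.append("no edb* transaction log or checkpoint files")
    if not any(n.startswith("res") and n.endswith(".log") for n in names):
        problems.append("no res*.log reserved log files")
    return problems


# Constructed 'net share' output from a freshly promoted nwtraders.msft domain controller.
NET_SHARE_SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
NETLOGON     C:\WINDOWS\SYSVOL\sysvol\nwtraders.msft\SCRIPTS
                                             Logon server share
SYSVOL       C:\WINDOWS\SYSVOL\sysvol        Logon server share
The command completed successfully.
"""
SYSVOL_LISTING_SAMPLE = ["domain", "staging", "staging areas", "sysvol"]
NTDS_LISTING_SAMPLE = ["edb.chk", "edb.log", "ntds.dit", "res1.log", "res2.log", "temp.edb"]


def sample_report():
    """Run all three checks against the constructed data; an empty list means the installation verified."""
    problems = check_sysvol_shares(parse_net_share(NET_SHARE_SAMPLE), r"C:\WINDOWS", "nwtraders.msft")
    problems += [f"SYSVOL subfolder '{m}' is missing" for m in check_sysvol_tree(SYSVOL_LISTING_SAMPLE)]
    problems += check_ntds_files(NTDS_LISTING_SAMPLE)
    return problems


def run_live_checks(domain_dns_name, systemroot=None, ntds_dir=None):
    """Same checks on a real domain controller; pass ntds_dir if the database folder was relocated."""
    systemroot = systemroot or os.environ.get("SystemRoot", r"C:\WINDOWS")
    ntds_dir = ntds_dir or win_join(systemroot, "NTDS")
    output = subprocess.run(["net", "share"], capture_output=True, text=True, check=True).stdout
    problems = check_sysvol_shares(parse_net_share(output), systemroot, domain_dns_name)
    sysvol_entries = os.listdir(win_join(systemroot, "SYSVOL"))
    problems += [f"SYSVOL subfolder '{m}' is missing" for m in check_sysvol_tree(sysvol_entries)]
    problems += check_ntds_files(os.listdir(ntds_dir))
    return problems


if __name__ == "__main__":
    print(sample_report() or "constructed sample verifies cleanly")
```

The parser has to cope with net share wrapping the remark onto a second line when a resource path is long (as it does for NETLOGON); a script that assumed one share per line would silently drop that share and report a false failure.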


Verifying the creation of the default Active Directory structure

During the installation of Active Directory on the first domain controller in a new domain, several default objects are created. These objects include containers, users, computers, groups, and organizational units.

View these default objects by using the Active Directory Users and Computers administrative tool.

The following list describes the purpose of some of these default objects:

! Builtin (container). This is a container object that is used to hold the default built-in security groups.

! Computers (container). This object is the default location for computer accounts.

! Domain Controllers (organizational unit). This object is the default location for domain controller computer accounts.

! ForeignSecurityPrincipals (container). This object is used to hold security identifiers (SIDs) from external, trusted domains.

! Users (container). This object is the default location for user and group accounts.

! Lost and Found (container). This is the default container for orphaned objects.

! NTDS Quotas. Stores quota specifications. Quota objects determine the number of directory objects that a security principal can own in Active Directory.

! Program Data. The default location for storage of application data.

! System. Stores built-in system settings.

Examining the event logs for errors

After installing Active Directory, you should examine the event logs for any errors that may have been encountered during the installation process. Error messages generated during the installation are recorded in the System, Directory Service, DNS Server, and File Replication service logs.

How to Troubleshoot the Installation of Active Directory

When installing Active Directory, you may encounter problems. These problems could result from improper security credentials, usage of names that are not unique, an unreliable network, or insufficient resources.

The following is a list of some common problems that you may encounter while installing Active Directory, and some strategies for resolving them:

! Access denied while creating or adding domain controllers. The following are the possible solutions to this problem:

• If you receive this message when creating the first domain controller in a new forest, you are not logged on to the server with an account that belongs to the Local Administrators group. Log off and then log on using an account that belongs to the Local Administrators group.

• If you receive this message when you are adding a domain controller to an existing domain, you must supply credentials of a user account that is a member of the Domain Admins group or the Enterprise Admins group.

! DNS or NetBIOS domain names are not unique. When a domain is being created, both the DNS domain name and the NetBIOS domain names must be unique. If you receive an error message indicating that either one of the domain names is not unique, change the domain name.


! Domain cannot be contacted. If you are adding a domain controller to an existing domain, ensure that you have network connectivity between the server being promoted to a domain controller and at least one of the existing domain controllers in the domain. Use the ping command from the command prompt to test connectivity with any of the domain controllers in the domain. The problem can also arise if DNS does not provide name resolution to at least one domain controller in the domain. To verify this, try connecting to a domain controller by using its DNS name. To do so:

a. Open a command prompt.

b. At the command prompt, type <Fully qualified domain name (FQDN) of the domain controller>.

If DNS is not configured correctly, you will not be able to connect to the domain controller. You can also check whether DNS has been configured properly by verifying the A records registered by the domain controllers in the DNS database.

! Insufficient disk space. Available disk space is less than the minimum required to install Active Directory. Increase the partition size, or install the Active Directory database and log files on separate partitions.


Practice: Creating a Child Domain

In this practice, you will install Active Directory and create a child domain within the forest-root domain nwtraders.msft. After installing Active Directory, you will verify the creation of the shared system volume folder, and the database and log files.

Northwind Traders is opening offices at new locations, and new domains will be created for each of these offices, within the nwtraders.msft domain.

To install Active Directory and create the child domain, perform the following steps:

1. Log on to the Nwtraders domain as Administrator with a password of P@ssw0rd.

2. Click Start, then Run, and then type dcpromo to start the Active Directory Installation Wizard.

3. On the Welcome to the Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

6. On the Create New Domain page, click Child domain in an existing domain tree, and then click Next.

7. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next. The user account must be a member of the Enterprise Admins group.

8. On the Child Domain Installation page, verify that the parent domain is nwtraders.msft, type the new child domain name, and then click Next.


9. On the NetBIOS Domain Name page, verify the NetBIOS name, and click Next.

10. On the Database and Log Folders page, accept the default, and then click Next.

11. On the Shared System Volume page, leave the location to install the SYSVOL folder, and then click Next.

12. On the DNS Registration Diagnostics page, verify that the DNS configuration settings are accurate, and then click Next.

13. On the Permissions page, select Permissions compatible only with Windows 2000 or Windows .NET server operating systems, and then click Next.

14. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the Administrator account for this server, and then click Next.

15. Review the Summary page, and then click Next to begin the installation, then click Finish on the Active Directory Installation Wizard.

16. Restart the computer.

To verify that Active Directory has been installed correctly, perform the following steps:

1. Ensure that SYSVOL has been properly created and shared.

2. Verify that the Active Directory database and log files have been created.


Lesson: Examining and Configuring Active Directory Integrated DNS

Windows Server 2003 requires that a DNS infrastructure is in place or is installed when you install Active Directory. Before you create domains, you should understand how DNS and the Active Directory directory service are integrated and how client computers use DNS during logon. You should also be able to locate domain controllers and other services.

This lesson describes the format of SRV (service) resource records, the DNS records that are registered by domain controllers, and how SRV records are used to resolve resource providers. The lesson also covers how to configure the priority and weight of SRV records. Understanding the working of DNS integrated with Active Directory will help you resolve problems related to DNS, such as client logon problems.

After completing this lesson, you will be able to:

! Describe the relationship between DNS and Active Directory.

! Explain the purpose of Active Directory-integrated zones.

! Describe the purpose of SRV records.

! Describe the SRV records that are registered by domain controllers.

! Examine the DNS records registered by a domain controller.

! Describe how client computers use DNS to locate domain controllers and services.

! Configure SRV record priority and weight for a domain controller.


DNS and Active Directory Namespaces

DNS domains and Active Directory domains use identical domain names for different namespaces. Using identical domain names enables computers in a Windows Server 2003 network to use DNS to locate domain controllers and other computers that provide Active Directory-related services.

Domains and computers are represented by resource records in the DNS namespace, and by Active Directory objects in the Active Directory namespace. The DNS host name for a computer is the same name as that used for the computer account that is stored in Active Directory. The DNS domain name, which is called the primary DNS suffix, is also the same as the name of the Active Directory domain to which the computer is joined.

In other words, a computer is represented in the DNS namespace and the Active Directory namespace by the same name. For example, a computer named Computer1 that is joined to the Active Directory domain named training.microsoft.msft has the following fully qualified domain name (FQDN):

computer1.training.microsoft.msft

The integration of DNS and Active Directory is essential because a client computer in a Windows Server 2003 network must be able to locate a domain controller to allow users to log on to a domain or to use the services provided by Active Directory. To locate a domain controller, a computer uses DNS to locate the IP address for a computer that provides the required service within Active Directory.


What Are Active Directory-Integrated Zones?

One of the benefits of integrating DNS and Active Directory is the capability to integrate DNS zones into the Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records allowing zone transfers of these records as a single unit.

Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names, in a database file with the extension .dns, for each zone.

Active Directory integrated zones are primary and stub DNS zones that are stored as objects in the Active Directory database. Zone objects can be stored in an Active Directory application partition or in an Active Directory domain partition. If zone objects are stored in an Active Directory application partition, only domain controllers that subscribe to the application partition will participate in the replication of this partition. However, if zone objects are stored in an Active Directory domain partition, they will be replicated to all domain controllers in the domain.


Active Directory-integrated zones offer the following benefits:

! Multi-master replication. In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

When you configure Active Directory integrated zones, dynamic updates to DNS are conducted based upon a multi-master update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multi-master update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

! Secure dynamic updates. Because DNS zones are Active Directory objects in Active Directory integrated zones, you can set permissions on records within those zones to control which computers can update their records. Therefore, updates that use the dynamic update protocol can come from only authorized computers.

! Standard zone transfers. Active Directory-integrated zones perform standard zone transfers to DNS servers that are not configured as domain controllers and to DNS servers that are in other domains. You must use standard zone transfers to replicate the zones to DNS servers in other domains.

Note: For more information about Active Directory-integrated zones and DNS replication, see the What Are Active Directory-Integrated Zones topic in the Module 2 section on the Appendices page on the Student Materials compact disc.

What Are SRV Resource Records?

For Active Directory to function properly, client computers must be able to locate servers that provide specific services such as authenticating logon requests and searching for information in Active Directory. To achieve this, Active Directory stores information about the location of the computers that provide these services in DNS records known as SRV resource records.

SRV resource records link the name of a service to the DNS computer name for the computer that offers that service. For example, an SRV record can contain information to help clients locate a domain controller in a specific domain or forest.

When a domain controller starts, it registers SRV records, which contain information about the services it provides, and an A resource record that contains its DNS computer name and its IP address. A DNS client later uses this combined information to locate the requested service on the appropriate domain controller.

All SRV records use a standard format, which consists of fields that contain the information used to map a specific service to the computer that provides the service. SRV records use the following format:

_service._protocol.name ttl class SRV priority weight port target


The following table describes each field in an SRV record:

Field      Description
_Service   Specifies the name of the service, such as LDAP or Kerberos, provided by the server that registers this SRV record.
_Protocol  Specifies the transport protocol type, such as TCP or User Datagram Protocol (UDP).
Name       Specifies the domain name referenced by the resource record.
Ttl        Specifies the Time to Live (TTL) value in seconds, which is a standard field in DNS resource records specifying the length of time for which a record may be considered valid.
Class      Specifies the standard DNS resource record class value, which is almost always "IN" for the Internet system. This is the only class supported by Windows Server 2003 DNS.
Priority   Specifies the priority of the server. Clients attempt to contact the host with the lowest priority.
Weight     Denotes a load balancing mechanism that clients use when selecting a target host. When the priority field is the same for two or more records in the same domain, clients randomly choose SRV records with higher weights.
Port       Specifies the port where the server is "listening" for this service.
Target     Specifies the FQDN, which is also called the full computer name, of the computer providing the service.

The following is an example of an SRV record of a computer:

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft

The SRV record indicates that the computer provides the following services:

! Provides the LDAP service

! Provides the LDAP service by using the TCP transport protocol

! Registers the SRV record in the contoso.msft DNS domain

! Has a time to live (TTL) of 600 seconds or 10 minutes

! Has an FQDN of london.contoso.msft
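The record format above, parsed and decomposed in code. This is an added example, not part of the course material; contoso.msft and london.contoso.msft come from the lesson's example, while the other record names, the site names Seattle and Default-First-Site-Name, and the host dc1.nwtraders.msft are constructed.

```python
"""Parser for SRV resource records in the textual form the lesson describes.

Added example, not part of the course material. It splits the eight fields of
the record and decomposes the owner name, including the optional
SiteName._sites and dc/gc._msdcs parts used by domain controllers.
contoso.msft and london.contoso.msft are the lesson's example names; every
other record below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    service: str                   # e.g. "_ldap" or "_kerberos"
    protocol: str                  # e.g. "_tcp" or "_udp"
    name: str                      # DNS domain the record is registered in
    ttl: int                       # seconds the record may be cached
    priority: int                  # lower number is tried first
    weight: int                    # share of clients among equal priorities
    port: int                      # port the service listens on
    target: str                    # FQDN of the host providing the service
    site: Optional[str] = None     # SiteName when the owner has a _sites part
    dc_type: Optional[str] = None  # "dc" or "gc" when the owner has an _msdcs part


def parse_srv_record(line: str) -> SrvRecord:
    """Parse '_service._protocol.name ttl class SRV priority weight port target'."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rr_class, rr_type, priority, weight, port, target = fields
    if rr_class.upper() != "IN" or rr_type.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")

    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner must start with _service._protocol: {owner!r}")
    service, protocol, rest = labels[0], labels[1], labels[2:]

    # Optional SiteName._sites, then optional dc/gc._msdcs, then the domain name:
    # the _Service._Protocol.[SiteName._sites.]DcType._msdcs.DnsDomainName layout.
    site = dc_type = None
    if len(rest) > 2 and rest[1] == "_sites":
        site, rest = rest[0], rest[2:]
    if len(rest) > 2 and rest[1] == "_msdcs" and rest[0] in ("dc", "gc"):
        dc_type, rest = rest[0], rest[2:]
    if not rest:
        raise ValueError(f"owner has no domain part: {owner!r}")

    return SrvRecord(service=service, protocol=protocol, name=".".join(rest),
                     ttl=int(ttl), priority=int(priority), weight=int(weight),
                     port=int(port), target=target.rstrip("."),
                     site=site, dc_type=dc_type)


def describe(rec: SrvRecord) -> List[str]:
    """Restate a record as the bullet list the lesson gives for its example."""
    lines = [
        f"Provides the {rec.service.lstrip('_').upper()} service",
        f"Uses the {rec.protocol.lstrip('_').upper()} transport protocol",
        f"Registered in the {rec.name} DNS domain",
        f"TTL of {rec.ttl} seconds",
        f"Target {rec.target}, port {rec.port}, priority {rec.priority}, weight {rec.weight}",
    ]
    if rec.site:
        lines.append(f"Specific to the site {rec.site}")
    if rec.dc_type:
        lines.append("Names a " + ("global catalog server" if rec.dc_type == "gc"
                                   else "domain controller"))
    return lines


if __name__ == "__main__":
    for line in (
        # the lesson's example record
        "_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft",
        # constructed: site-specific global catalog record of the same host
        "_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.contoso.msft "
        "600 IN SRV 0 100 3268 london.contoso.msft",
    ):
        print("\n".join(describe(parse_srv_record(line))) + "\n")
```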


SRV Records Registered by Domain Controllers

SRV records are registered by computers that provide an Active Directory service. In Windows Server 2003, domain controllers and global catalog servers register services with DNS.

When a domain controller starts, the Net Logon service running on the domain controller uses dynamic updates to register SRV resource records in the DNS database. These SRV records map the name of the service provided by the domain controller to the DNS computer name for that domain controller.

To enable a computer to locate a domain controller, domain controllers running Windows Server 2003 register SRV records in the following format:

_Service._Protocol.DcType._msdcs.DnsDomainName or DnsForestName

The _msdcs component in these SRV records denotes a subdomain in the DNS namespace that is specific to Microsoft, which allows computers to locate domain controllers that have functions in the domain or forest that are specific to Windows Server 2003.

The possible values for the DCType component, which is a prefix to the _msdcs subdomain, specify the following server roles types:

! dc for a domain controller

! gc for a global catalog server


The presence of the _msdcs subdomain means that domain controllers running Windows Server 2003 also register the following SRV records:

_ldap._tcp.dc._msdcs.DnsDomainName

_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName

_ldap._tcp.gc._msdcs.DnsForestName

_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName

_kerberos._tcp.dc._msdcs.DnsDomainName

_kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName

The following table lists some of the SRV records registered by domain controllers and defines the lookup criteria that each record supports.

SRV record | Lookup criteria
_ldap._tcp.DnsDomainName | Allows a computer to find an LDAP server in the domain named by DnsDomainName. All domain controllers register this record.
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName | Allows a computer to find a domain controller in the domain named by DnsDomainName and in the site named by SiteName. Note that SiteName is the relative distinguished name of the site object that is stored in Active Directory. All domain controllers register this record.
_gc._tcp.DnsForestName | Allows a computer to find a global catalog server in the forest named by DnsForestName. Note that DnsForestName is the domain name of the forest root domain. Only domain controllers configured as global catalog servers register this record.
_gc._tcp.SiteName._sites.DnsForestName | Allows a computer to find a global catalog server in the forest named by DnsForestName and in the site named by SiteName. Only domain controllers configured as global catalog servers register this record.
_kerberos._tcp.DnsDomainName | Allows a computer to locate a KDC server for the domain named by DnsDomainName. All domain controllers running the Kerberos version 5 service register this record.
_kerberos._tcp.SiteName._sites.DnsDomainName | Allows a computer to locate a KDC server for the domain named by DnsDomainName and in the site named by SiteName. All domain controllers running the Kerberos V5 service register this record.


How to Examine the Records Registered by a Domain Controller

You can use either the DNS console or the NSLookup utility to view the SRV records registered by domain controllers.

To view the SRV resource records registered by domain controllers by using the DNS snap-in, perform the following steps:

1. Open DNS from the Administrative Tools menu.

2. Double-click Server (where Server is the name of your DNS server), double-click Forward Lookup Zones, and then double-click domain (where domain is the domain name).

3. Open the following folders in the domain folder to view the SRV resource records that are registered:

• _msdcs

• _sites

• _tcp

• _udp


To view the list of SRV resource records that are registered by using the nslookup command, perform the following steps:

1. Open a command prompt window, and run the nslookup utility.

2. Type ls -t SRV domain (where domain is the domain name), and then press ENTER. The SRV resource records that are registered will be listed. To save the results of this list to a file, type ls -t SRV domain > filename (where filename is any name you give to the file).

Note: If you do not have a reverse lookup zone configured, time-outs will be reported when you first run nslookup. This reporting happens because nslookup generates a reverse lookup to determine the host name of the DNS server based on its IP address.

Multimedia: How Client Computers Use DNS to Locate Domain Controllers and Services

This animation shows how client computers use DNS to locate domain controllers and services. The animation will show the complete process starting with net logon and ending with the client contacting a domain controller by using the list of domain controller IP addresses returned by DNS.

To log on to a Windows Server 2003 domain or to search Active Directory, a client computer must contact a domain controller. All domain controllers register both A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides. Therefore, the client computer can query DNS to locate a domain controller.


The following describes the process of how a computer locates a domain controller:

1. A user logs on to the domain, initiates an Active Directory search, or performs other tasks that require a domain controller. The Net Logon service on the client (the computer that is locating the domain controller) starts the DsGetDcName application programming interface (API).

2. Net Logon collects information about the client and the specific service required; this information will be included in the DNS query. This information is specified by the following DsGetDcName parameters:

• ComputerName. The name of the client computer.

• DomainName. The name of the DNS domain that will be queried.

• SiteName. The name of the site in which the domain controller should be located. If the site is not specified, the domain controller that will be located is in the site that is closest to the site in which the client computer is located.

The client also specifies that the domain controller should be an LDAP server in the domain named by DomainName, or a global catalog server or KDC server for the forest in which DomainName is located.

3. The Net Logon service sends a DNS query to a DNS server. This DNS query contains the information it collected from the client and specifies the service that is required.

4. The DNS server queries the DNS zone database for SRV records that match the service required by the client in the domain named by DomainName.

5. The DNS server returns a list of IP addresses of domain controllers that provide the service requested in the domain specified by the client.

6. The Net Logon service sends a datagram (an LDAP UDP message) to one or more of the located domain controllers to determine whether it is running and whether it supports the specified domain.

7. Each available domain controller responds to the datagram to indicate that it is currently operational, and then returns the information to DsGetDcName. The Net Logon service returns the information to the client from the domain controller that responds first.

8. The client computer chooses the first domain controller that responds and meets the criteria, and then sends the request to that domain controller.

The Net Logon service caches the domain controller information so that it is not necessary that the client computer repeat the discovery process for subsequent requests. Caching this information also encourages the consistent use of the same domain controller.
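The eight steps above as an added simulation, not part of the course material: it builds the query name from the DsGetDcName parameters, looks it up in a constructed slice of the nwtraders.msft zone, keeps the first domain controller that answers the simulated LDAP UDP datagram, and caches the result. The host names, the site Seattle and the 192.0.2.x addresses are constructed; falling back to the domain-wide record when no site-specific domain controller answers is an assumption beyond what the lesson states.

```python
"""Simulation of the DsGetDcName discovery sequence the lesson describes.

Added example, not part of the course material. The zone contents, site name,
domain controller names and 192.0.2.x addresses are constructed; the DNS lookup,
the LDAP UDP ping and the cache are stand-ins for the real Net Logon calls.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed slice of the nwtraders.msft zone: SRV owner name -> [(target, port)].
ZONE_SRV: Dict[str, List[Tuple[str, int]]] = {
    "_ldap._tcp.dc._msdcs.nwtraders.msft": [("dc1.nwtraders.msft", 389),
                                            ("dc2.nwtraders.msft", 389)],
    "_ldap._tcp.Seattle._sites.dc._msdcs.nwtraders.msft": [("dc2.nwtraders.msft", 389)],
    "_ldap._tcp.gc._msdcs.nwtraders.msft": [("dc1.nwtraders.msft", 3268)],
    "_kerberos._tcp.dc._msdcs.nwtraders.msft": [("dc1.nwtraders.msft", 88),
                                                ("dc2.nwtraders.msft", 88)],
}
# Constructed A records: host -> IP address.
ZONE_A: Dict[str, str] = {"dc1.nwtraders.msft": "192.0.2.10",
                          "dc2.nwtraders.msft": "192.0.2.20"}

DcInfo = Tuple[str, str, int]  # (FQDN, IP address, port)

# Step 2: which service the client asks for, expressed as the service label and
# the DcType label of the _Service._Protocol.[SiteName._sites.]DcType._msdcs.Name layout.
ROLE_NAMES = {"ldap": ("_ldap", "dc"),          # any domain controller (LDAP server)
              "gc": ("_ldap", "gc"),            # global catalog server (forest name)
              "kerberos": ("_kerberos", "dc")}  # KDC


def query_name(domain_name: str, site_name: Optional[str], role: str) -> str:
    """Owner name Net Logon queries for the given DsGetDcName parameters."""
    service, dc_type = ROLE_NAMES[role]
    site_part = f"{site_name}._sites." if site_name else ""
    return f"{service}._tcp.{site_part}{dc_type}._msdcs.{domain_name}"


def dns_lookup(name: str) -> List[DcInfo]:
    """Steps 4 and 5: SRV targets for the name, joined with their A records."""
    return [(host, ZONE_A[host], port)
            for host, port in ZONE_SRV.get(name, []) if host in ZONE_A]


def find_domain_controller(domain_name: str, site_name: Optional[str], role: str,
                           responders: Set[str],
                           cache: Dict[Tuple[str, Optional[str], str], DcInfo]
                           ) -> Optional[DcInfo]:
    """Steps 1 to 8: first suitable domain controller that answers the ping.

    responders: hosts that would answer the LDAP UDP datagram (steps 6 and 7).
    cache: Net Logon's remembered answers, keyed by the request parameters.
    """
    key = (domain_name, site_name, role)
    if key in cache:                    # earlier discovery reused, no new DNS query
        return cache[key]
    names = [query_name(domain_name, site_name, role)]
    if site_name:
        # Assumption: fall back to the domain-wide record when no domain
        # controller for the requested site answers.
        names.append(query_name(domain_name, None, role))
    for name in names:
        for dc in dns_lookup(name):
            if dc[0] in responders:     # step 8: first responder meeting the criteria
                cache[key] = dc
                return dc
    return None


if __name__ == "__main__":
    cache: Dict[Tuple[str, Optional[str], str], DcInfo] = {}
    up = {"dc1.nwtraders.msft", "dc2.nwtraders.msft"}
    print(query_name("nwtraders.msft", "Seattle", "ldap"))
    print(find_domain_controller("nwtraders.msft", "Seattle", "ldap", up, cache))
    # dc2 stops answering: the cached answer is still returned without a new query
    print(find_domain_controller("nwtraders.msft", "Seattle", "ldap",
                                 {"dc1.nwtraders.msft"}, cache))
```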

Note: For more information about how client computers use DNS to locate domain controllers and services, and site coverage, see the How Client Computers Use DNS to Locate Domain Controllers and Services topic in the Module 2 section on the Appendices page on the Student Materials compact disc.

How to Configure the Priority and Weight Values in SRV Records

In a Windows Server 2003 domain, certain domain controllers perform special roles known as the operations master roles. These roles require a domain controller to perform tasks, such as providing support to Windows NT 4.0 backup domain controllers, in addition to providing domain authentication and authorization services. Such domain controllers may therefore be subject to higher utilization. To reduce the load on such domain controllers, you can make clients less likely to select them by adjusting the priority and weight values in their SRV records.

To reduce the priority and weight of a domain controller, you modify its Windows registry and specify LDAPSRVWEIGHT and LDAPSRVPRIORITY values to be included in its SRV record.


To change the priority and weight of a domain controller, perform the following steps:

1. Run Regedit.exe.

2. Locate the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters key in the registry.

3. Create two new REG_DWORD values, LdapSrvWeight and LdapSrvPriority.

4. Set the appropriate values based on what you are trying to accomplish for each given domain controller. The LdapSrvPriority parameter specifies the priority of the domain controller. A client trying to discover a domain controller in this domain will contact the domain controller with the lowest-numbered priority. Domain controllers with the same priority will be tried in a pseudorandom order. Set the priority value high if you want to reduce the utilization of a domain controller. The LdapSrvWeight parameter specifies the weight of the domain controller. When domain controllers have the same priority, clients select a domain controller based on its weight. A higher weight increases the probability of the domain controller being selected by a client.

5. Restart the domain controller.
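What the two registry values do to client choice, as an added example that is not part of the course material; it also covers the Priority and Weight fields of the SRV record table earlier in the lesson. The domain controller names are constructed; priority 0 and weight 100 are the values in the lesson's example record and serve as the defaults here, and 1/200 are the values set in the practice that follows.

```python
"""How LdapSrvPriority and LdapSrvWeight steer clients among domain controllers.

Added example, not part of the course material. It implements the client rule
the lesson states: only records with the lowest priority number are candidates,
and among those a domain controller is chosen at random in proportion to its
weight. Domain controller names are constructed; priority 0 / weight 100 are
the values of the lesson's example record, used as defaults.
"""
import random
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class SrvEntry(NamedTuple):
    target: str      # FQDN of the domain controller
    priority: int    # LdapSrvPriority value carried in its SRV records
    weight: int      # LdapSrvWeight value carried in its SRV records


def candidates(records: List[SrvEntry]) -> List[SrvEntry]:
    """Records at the lowest priority number; the rest are used only if none answers."""
    if not records:
        return []
    lowest = min(r.priority for r in records)
    return [r for r in records if r.priority == lowest]


def selection_probabilities(records: List[SrvEntry]) -> Dict[str, float]:
    """Exact share of client requests each target receives under the weight rule."""
    pool = candidates(records)
    total = sum(r.weight for r in pool)
    shares = {r.target: 0.0 for r in records}   # higher-priority-number DCs get 0
    for r in pool:
        # all weights zero means equal shares within the priority group
        shares[r.target] = r.weight / total if total else 1.0 / len(pool)
    return shares


def pick_target(records: List[SrvEntry], rng: random.Random) -> Optional[str]:
    """One client decision: weighted random pick within the lowest-priority group."""
    pool = candidates(records)
    if not pool:
        return None
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool).target
    point = rng.random() * total
    running = 0
    for r in pool:
        running += r.weight
        if point < running:
            return r.target
    return pool[-1].target   # guards against floating point rounding at the top end


def simulate(records: List[SrvEntry], trials: int, seed: int = 1) -> Counter:
    """Count how many of `trials` independent clients land on each target."""
    rng = random.Random(seed)
    return Counter(pick_target(records, rng) for _ in range(trials))


if __name__ == "__main__":
    # Constructed domain: two default domain controllers and the PDC emulator of
    # the practice, configured with weight 200 and priority 1.
    dcs = [SrvEntry("dc1.nwtraders.msft", 0, 100),
           SrvEntry("dc2.nwtraders.msft", 0, 100),
           SrvEntry("pdc.nwtraders.msft", 1, 200)]
    print(selection_probabilities(dcs))   # pdc gets 0.0 while dc1 or dc2 answers
    print(simulate(dcs, 1000))
    # Same priority for all three: now the weight of 200 pulls clients to the PDC.
    print(selection_probabilities([r._replace(priority=0) for r in dcs]))
```

A priority of 1 keeps the domain controller out of the selection entirely while any priority-0 domain controller answers, whatever its weight; the weight only redistributes load among domain controllers at the same priority.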


Practice: Verifying and Configuring SRV Records

In this practice you will examine _MS subdomains, and the structure and hierarchy of the records registered by a domain controller by using the DNS console and the NSLookup utility. You will also configure the priority and weight of your domain controller.

You have just created a child domain on your network. You want to verify that your domain controller has registered its SRV records with Active Directory. Because you plan on making this domain controller a PDC emulator, you want to configure the priority and weight of the domain controller.

To view the SRV resource records registered by domain controllers by using the DNS snap-in, perform the following steps:

1. Log on to the Nwtraders domain as Administrator with a password of P@ssw0rd.

2. Open DNS from the Administrative Tools menu.

3. Double-click Server (where Server is the name of your DNS server), double-click Forward Lookup Zones, and then double-click domain (where domain is the domain name).

4. Open the following folders in the domain folder to view the SRV resource records that are registered:

• _msdcs

• _sites

• _tcp

• _udp


To change the priority and weight of your domain controller, perform the following steps:

1. Create two new REG_DWORD values, LdapSrvWeight and LdapSrvPriority, within the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters key in the registry.

2. Set the weight and priority to 200 and 1 respectively.


Lesson: Raising Forest and Domain Functional Levels

Forest and domain functionality determines the Active Directory features that are enabled. This lesson introduces the features that are enabled based on forest and domain functionality, and how to raise the functionality of a forest and a domain.

After completing this lesson, you will be able to:

! Describe forest and domain functionality.

! Describe the requirements for raising the forest and domain functional levels.

! Raise the functional level of a forest and a domain.


What Is Forest and Domain Functionality?

Forest and domain functionality is a Windows Server 2003 feature that provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.

Domain functionality enables features that will affect the entire domain and that domain only. There are four domain functional levels available:

! Windows 2000 mixed. This is the default functional level. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security identifier (SID) history capabilities.

! Windows 2000 native. This functional level can be used if the domain contains only Windows 2000 and Windows Server 2003 domain controllers. Even though domain controllers running Windows 2000 Server are not aware of domain functionality, Active Directory features such as Universal security groups, group nesting, and security identifier (SID) history capabilities are available.

! Windows 2003 Server. This is the highest functional level for a domain, and can be used only if all the domain controllers in the domain are running Windows Server 2003. All Active Directory features for the domain are available for use.

! Windows 2003 interim. This functional level is a special functional level that supports Windows NT 4.0 and the Windows 2003 Server domain controllers. For information about this functional level, see "Upgrading from a Windows NT domain" in Help and Support.

Introduction

What is domain functionality?


The following table describes some of the domain-wide features that are enabled at each domain functional level:

Domain controller rename tool
    Windows 2000 mixed: Disabled
    Windows 2000 native: Disabled
    Windows Server 2003: Enabled

Universal groups
    Windows 2000 mixed: Enabled for distribution groups; disabled for security groups.
    Windows 2000 native: Enabled; allows both security and distribution groups.
    Windows Server 2003: Enabled; allows both security and distribution groups.

Group nesting
    Windows 2000 mixed: Enabled for distribution groups; disabled for security groups, except that domain local security groups can have global groups as members.
    Windows 2000 native: Enabled; allows full group nesting.
    Windows Server 2003: Enabled; allows full group nesting.

SID history
    Windows 2000 mixed: Disabled
    Windows 2000 native: Enabled; allows migration of security principals from one domain to another.
    Windows Server 2003: Enabled; allows migration of security principals from one domain to another.

Converting groups
    Windows 2000 mixed: Disabled; no group conversions allowed.
    Windows 2000 native: Enabled; allows conversion between security groups and distribution groups, and changes of group scope.
    Windows Server 2003: Enabled; allows conversion between security groups and distribution groups, and changes of group scope.

For a complete list of the features that are enabled at each domain functional level, see "Domain and forest functionality" in online Help and Support.

What is forest functionality?

Forest functionality enables features across all the domains in your forest. Two forest functional levels are available for normal operation: Windows 2000 and Windows Server 2003 (a Windows Server 2003 interim level also exists, used only while upgrading from Windows NT 4.0). By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003, which enables features such as forest trusts and improved replication that are not available at the Windows 2000 functional level.

For a complete list of the features that are enabled at each forest functional level, see "Domain and forest functionality" in online Help and Support.

Note: You cannot lower the functional level of a domain or forest once it has been raised, and after the raise, domain controllers running earlier versions of Windows can no longer be added to that domain or forest. Confirm that every domain controller has been upgraded before you raise the level.


Requirements for Enabling New Windows Server 2003 Features

Introduction

In addition to the basic Active Directory features available on individual domain controllers, new domain-wide and forest-wide Active Directory features become available when all domain controllers in a domain or forest are running Windows Server 2003 and the corresponding functional level has been raised.

Requirements for enabling new domain-wide features

To enable the new domain-wide features, all domain controllers in the domain must be running Windows Server 2003, and the domain functional level must be raised to Windows Server 2003. You must be a member of the Domain Admins group of that domain (or of the Enterprise Admins group) to raise the domain functional level.

Requirements for enabling new forest-wide features

To enable the new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the forest functional level must be raised to Windows Server 2003. Every domain in the forest must already be at the Windows 2000 native functional level or higher: domains at Windows 2000 native are raised to Windows Server 2003 automatically when the forest functional level is raised, while a domain still at Windows 2000 mixed blocks the forest raise. You must be a member of the Enterprise Admins group to raise the forest functional level.


How to Raise the Functional Level

Introduction

Raising the forest and domain functional levels to Windows Server 2003 enables certain features, such as forest trusts, that are not available at other functional levels. You raise forest and domain functional levels by using the Active Directory Domains and Trusts console.

Procedure to raise the domain functional level

To raise the domain functional level, perform the following steps:

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the node for the domain whose functional level is to be raised, and then click Raise Domain Functional Level.
3. In the Raise Domain Functional Level dialog box, under Select an available domain functional level, select the functional level, and then click Raise.

Procedure to raise the forest functional level

To raise the forest functional level, perform the following steps:

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the Active Directory Domains and Trusts node, and then click Raise Forest Functional Level.
3. In the Raise Forest Functional Level dialog box, under Select an available forest functional level, select Windows Server 2003, and then click Raise.

Note: All domains in the forest must be at the Windows 2000 native functional level or higher before you can raise the forest functional level; domains at Windows 2000 native are raised to Windows Server 2003 automatically. The operation cannot be reversed, so verify the level of each domain and the operating system of each domain controller first.
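The following PowerShell script is an added example and is not part of the course material. It reads the directory attributes behind the functional levels (msDS-Behavior-Version on the domain naming context head and on CN=Partitions, and ntMixedDomain on the domain head, as defined in the Windows Server 2003 schema) and checks the precondition above, that every domain controller already runs Windows Server 2003, before you click Raise. It assumes a domain-joined Windows machine with PowerShell and uses only ADSI, so no extra tools are needed; the domain controller list at the bottom is constructed so that the check can be exercised without a directory.

```powershell
# Added example, not course material. Decodes the attributes that the Raise
# Domain/Forest Functional Level dialogs read and write, and checks that every
# domain controller already runs Windows Server 2003 before a raise.
# Value meanings (Windows Server 2003 schema):
#   msDS-Behavior-Version on the domain NC head and on CN=Partitions:
#       0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003
#   ntMixedDomain on the domain NC head: 1 = Windows 2000 mixed, 0 = native

function Get-DomainFunctionalLevelName {
    param(
        [Parameter(Mandatory)][int]$BehaviorVersion,
        [Parameter(Mandatory)][int]$NtMixedDomain
    )
    switch ($BehaviorVersion) {
        0 { if ($NtMixedDomain -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Unknown (msDS-Behavior-Version $BehaviorVersion, newer than this course)" }
    }
}

function Get-ForestFunctionalLevelName {
    param([Parameter(Mandatory)][int]$BehaviorVersion)
    switch ($BehaviorVersion) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Unknown (msDS-Behavior-Version $BehaviorVersion, newer than this course)" }
    }
}

# The raise cannot be undone, so refuse it while any DC still runs an older OS.
# $DomainControllers: objects with Name and OperatingSystem properties.
function Test-DomainReadyToRaise {
    param([Parameter(Mandatory)][object[]]$DomainControllers)
    $blocking = @($DomainControllers | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2003*' })
    [pscustomobject]@{
        Ready    = ($blocking.Count -eq 0)
        Blocking = @($blocking | ForEach-Object { '{0} ({1})' -f $_.Name, $_.OperatingSystem })
    }
}

# Live query through ADSI. Not called by default; run it on a domain-joined
# machine as a domain user.
function Get-LiveFunctionalLevels {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $parts   = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"

    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks domain controller
    # accounts; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $props    = [string[]]@('name', 'operatingSystem')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain, $filter, $props
    $dcs = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name            = [string]$r.Properties['name'][0]
            OperatingSystem = [string]$r.Properties['operatingsystem'][0]
        }
    }

    # [int]$null is 0, which is the right answer for a forest whose schema predates the attribute.
    $domainBehavior = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $mixed          = [int]$domain.Properties['ntMixedDomain'].Value
    $forestBehavior = [int]$parts.Properties['msDS-Behavior-Version'].Value

    [pscustomobject]@{
        Domain    = Get-DomainFunctionalLevelName -BehaviorVersion $domainBehavior -NtMixedDomain $mixed
        Forest    = Get-ForestFunctionalLevelName -BehaviorVersion $forestBehavior
        Readiness = Test-DomainReadyToRaise -DomainControllers $dcs
    }
}

# Constructed sample input so the decoding and the readiness check run offline.
$sampleDcs = @(
    [pscustomobject]@{ Name = 'LONDON';    OperatingSystem = 'Windows Server 2003' },
    [pscustomobject]@{ Name = 'VANCOUVER'; OperatingSystem = 'Windows 2000 Server' }
)
Get-DomainFunctionalLevelName -BehaviorVersion 0 -NtMixedDomain 1
Get-ForestFunctionalLevelName -BehaviorVersion 0
Test-DomainReadyToRaise -DomainControllers $sampleDcs
```

With the constructed input the domain decodes as Windows 2000 mixed and the readiness check reports VANCOUVER as blocking, which is exactly the situation in which the Raise button must not be used. Against a live directory, call Get-LiveFunctionalLevels instead of the sample lines.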


Practice: Raising the Domain Functional Level

Introduction

In this practice you will raise the domain functional level from Windows 2000 mixed to Windows 2000 native.

Scenario

You have just created a child domain by installing Active Directory on your Windows Server 2003 server. Your new domain requires nested security groups, which means that you must raise the functional level of your domain.

Practice

To raise the functional level of your domain from Windows 2000 mixed to Windows 2000 native, perform the following steps:

1. Log on to your child domain as Administrator with a password of P@ssw0rd.
2. Examine the forest and domain functional levels in the classroom forest.
3. Create a distribution group and a security group at the current domain functional level (Windows 2000 mixed).
4. Try to create a nested security group, and observe the result.
5. Raise the domain functional level of your domain to Windows 2000 native.
6. Verify the domain functional level.
7. Create a nested security group, and convert the distribution group that you created in step 3 to a security group.


Lesson: Creating Trust Relationships

Introduction

Active Directory provides security across multiple domains and forests through domain and forest trusts. This lesson covers the types of trusts, how trusts work, and how to create, verify, and revoke trust relationships.

Lesson objectives

After completing this lesson, you will be able to:

• Describe the types of trusts that can be established between domains.
• Describe how trusts work within a forest.
• Describe how trusts work across forests.
• Create a trust.
• Verify and revoke a trust.


Types of Trusts

Introduction

Trusts are the mechanism that allows a user who is authenticated in his home domain to access resources in a domain that trusts it. In Windows Server 2003, there are two categories of trusts: transitive trusts and non-transitive trusts.

Transitive vs. non-transitive trusts

A transitive trust is one in which the trust relationship extended to one domain is automatically extended to all other domains that trust that domain. For example, domain C directly trusts domain D, and domain D directly trusts domain E. Because both trusts are transitive, domain C indirectly trusts domain E. The parent/child and tree-root trusts within a forest are created automatically and are transitive. A non-transitive trust is limited to the two domains it joins and must be set up explicitly. An example of a non-transitive trust is an external trust.

Trust direction

In Windows Server 2003 there are three trust directions: one-way incoming, one-way outgoing, and two-way. The direction is always described from the point of view of the domain in which you create the trust. If a one-way incoming trust is created in domain B with domain Q, domain Q trusts domain B, so users in domain B can be authenticated in domain Q and access its resources. If a one-way outgoing trust is created in domain B with domain Q, domain B trusts domain Q, so users in domain Q can be authenticated in domain B. A two-way trust is a pair of trust paths, one in each direction, between the two domains. Note that the direction of trust is the opposite of the direction of access: the trusting domain holds the resources, and the trusted domain holds the accounts.


Types of trusts

Windows Server 2003 supports the following types of trusts, in the transitive and non-transitive categories:

Shortcut
    Transitivity: Transitive
    When to use: To reduce Kerberos authentication hops between two domains in the same forest.

Forest
    Transitivity: Transitive
    When to use: To enable authentication between two forests that are both at the Windows Server 2003 forest functional level.

External
    Transitivity: Non-transitive
    When to use: To set up a trust relationship between a domain in one forest and a domain in another forest, or a Windows NT 4.0 domain.

Realm
    Transitivity: Transitive or non-transitive, at your choice
    When to use: To trust an external Kerberos realm.

Note: A realm is a set of security principals in a non-Windows environment that are subject to Kerberos authentication. For more information about Kerberos realms, see "Interoperability with RFC-1510 Kerberos implementations" in Help and Support.


What Are Trusted Domain Objects?

Introduction

When you set up trusts between domains within the same forest, across forests, or with an external realm, information about these trusts is stored in Active Directory so that it can be retrieved when required.

Trusted domain objects

Each trust relationship in which a domain participates is represented by an object known as a trusted domain object (TDO). The TDO stores information about the trust, such as its transitivity, type, and direction. Whenever a trust is created, a new TDO is created and stored in the System container of the domain.

Forest trust TDOs store additional information that identifies all of the trusted namespaces in the partner forest. When a forest trust is established, each forest collects all of the trusted namespaces in its partner forest and stores them in the TDO. This information includes the domain tree names, service principal name (SPN) suffixes, and security identifier (SID) namespaces. An SPN identifies an instance of a service on a particular host, and is what a client presents to the Key Distribution Center when it requests a service ticket.

When a workstation requests a service and the service cannot be located in the domain or the forest of which the workstation is a member, TDOs are used to locate the service in all trusted forests.
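The following PowerShell script is an added example, not course material, that shows what a TDO actually records. It decodes the trustDirection, trustType and trustAttributes values of trusted domain objects using the flag values published in MS-ADTS (NON_TRANSITIVE 0x01, QUARANTINED_DOMAIN 0x04, FOREST_TRANSITIVE 0x08, TREAT_AS_EXTERNAL 0x40 and so on), and reports the trust's type, direction, transitivity and whether SID filtering is in effect. The live enumeration function assumes a domain-joined Windows machine and uses only ADSI; the three sample TDOs at the bottom are constructed so the decoding can be run offline.

```powershell
# Added example, not course material. Decodes trusted domain objects (TDOs)
# from CN=System. Flag values are from MS-ADTS; the sample TDOs are constructed.

$TrustDirectionNames = @{
    0 = 'Disabled'
    1 = 'Inbound (the partner trusts this domain)'
    2 = 'Outbound (this domain trusts the partner)'
    3 = 'Two-way'
}
$TrustTypeNames = @{
    1 = 'Downlevel (Windows NT 4.0 domain)'
    2 = 'Uplevel (Active Directory domain)'
    3 = 'MIT Kerberos realm'
    4 = 'DCE realm'
}
$TrustAttributeFlags = [ordered]@{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'
    0x08 = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}

function ConvertFrom-TrustedDomainObject {
    # $Tdo: object with Name, TrustDirection, TrustType and TrustAttributes properties
    param([Parameter(Mandatory)][object]$Tdo)

    $attrs = [int]$Tdo.TrustAttributes
    $flags = foreach ($bit in $TrustAttributeFlags.Keys) {
        if ($attrs -band $bit) { $TrustAttributeFlags[$bit] }
    }
    $isForest = [bool]($attrs -band 0x08)

    # SID filtering is recorded differently for the two kinds of trust:
    #   external trust: filtering is on when QUARANTINED_DOMAIN (0x04) is set
    #   forest trust:   filtering is on unless TREAT_AS_EXTERNAL (0x40) has been set
    $sidFiltering = if ($isForest) { -not ($attrs -band 0x40) } else { [bool]($attrs -band 0x04) }

    $kind = 'External'
    if ([int]$Tdo.TrustType -eq 3) { $kind = 'Realm' }
    elseif ($isForest) { $kind = 'Forest' }
    elseif ($attrs -band 0x20) { $kind = 'Within forest (parent/child, tree-root or shortcut)' }

    [pscustomobject]@{
        Partner      = $Tdo.Name
        Kind         = $kind
        Direction    = $TrustDirectionNames[[int]$Tdo.TrustDirection]
        Type         = $TrustTypeNames[[int]$Tdo.TrustType]
        Transitive   = -not ($attrs -band 0x01)
        SidFiltering = $sidFiltering
        Flags        = (@($flags) -join ', ')
    }
}

# Live enumeration of this domain's TDOs through ADSI; not called by default.
function Get-LiveTrustedDomainObjects {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $system   = [ADSI]"LDAP://CN=System,$($rootDse.defaultNamingContext)"
    $props    = [string[]]@('name', 'trustDirection', 'trustType', 'trustAttributes')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $system, '(objectClass=trustedDomain)', $props
    foreach ($r in $searcher.FindAll()) {
        ConvertFrom-TrustedDomainObject ([pscustomobject]@{
            Name            = [string]$r.Properties['name'][0]
            TrustDirection  = [int]$r.Properties['trustdirection'][0]
            TrustType       = [int]$r.Properties['trusttype'][0]
            TrustAttributes = [int]$r.Properties['trustattributes'][0]
        })
    }
}

# Constructed sample TDOs as a Windows Server 2003 domain would hold them.
$sampleTdos = @(
    [pscustomobject]@{ Name = 'contoso.msft';        TrustDirection = 3; TrustType = 2; TrustAttributes = 0x08 },  # two-way forest trust
    [pscustomobject]@{ Name = 'NT4SALES';            TrustDirection = 2; TrustType = 1; TrustAttributes = 0x05 },  # outgoing external trust, quarantined
    [pscustomobject]@{ Name = 'UNIX.NWTRADERS.MSFT'; TrustDirection = 3; TrustType = 3; TrustAttributes = 0x01 }   # non-transitive realm trust
)
$sampleTdos | ForEach-Object { ConvertFrom-TrustedDomainObject $_ } | Format-Table -AutoSize
```

Reading the TDO is the quickest way to audit a trust you did not create yourself: the Flags column tells you whether an external trust is quarantined and whether a forest trust has had SID filtering relaxed, which the console's Trusts tab does not show directly. Run Get-LiveTrustedDomainObjects on a domain controller to list the real objects.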


How Trusts Work Within a Forest

Introduction

Trusts allow users from one domain to access resources in another domain. Trust relationships can be transitive or non-transitive.

How trusts allow users to access resources within a forest

When a user attempts to gain access to a resource in another domain, the Kerberos V5 protocol must determine whether the trusting domain, which is the domain containing the resource, has a trust relationship with the trusted domain, which is the domain to which the user logged on. To determine this, the Kerberos V5 protocol follows the trust path from a domain controller in the trusted domain to a domain controller in the trusting domain.

When a user in the trusted domain attempts to gain access to a resource in another domain, the user's computer first contacts a domain controller in its own domain to request a service ticket for the resource. If the resource is not in the user's domain, the domain controller uses its trust relationship with its parent domain and refers the user's computer to a domain controller in the parent domain. This referral process continues up the trust hierarchy, possibly as far as the forest root domain, and then down the trust hierarchy, until a domain controller in the domain where the resource is located is contacted. The path that is taken from domain to domain is the trust path, and it is the shortest path through the trust hierarchy. A shortcut trust adds a direct path between two domains so that the referrals do not have to pass through the forest root.


How Trusts Work Across Forests

Introduction

Windows Server 2003 supports cross-forest trusts, so that users in one forest can access resources in another forest. When a user attempts to access a resource in a trusted forest, the resource must first be located. Once the resource is located, the user can be authenticated and allowed to access the resource. Understanding how this process works will help you troubleshoot problems that may arise with cross-forest trusts.

How a resource is accessed

The following is a description of how a resource in another forest is located and accessed. The assumption is that the computers involved are running Windows 2000 Professional, Windows XP Professional, Windows 2000 Server, or Windows Server 2003.

1. A user logged on to the domain vancouver.nwtraders.msft attempts to access a shared resource, such as a shared folder, located in the Contoso.msft forest. The user's computer contacts the Key Distribution Center (KDC) on a domain controller in its own domain, vancouver.nwtraders.msft, and requests a service ticket by using the SPN of the computer on which the resource is available. The host part of an SPN can be one of the following: the DNS name of a host, the DNS name of a domain, or the distinguished name of a service connection point object.

2. Because the resource is not located in vancouver.nwtraders.msft, the domain controller for vancouver.nwtraders.msft queries the global catalog to see whether the resource is located in any of the other domains in the forest.

3. Because a global catalog is limited to its own forest, the SPN is not found. The global catalog then checks its database for information about any forest trusts that are established with its forest and, if it finds one, compares the name suffixes listed in the forest trust TDO to the suffix of the target SPN to find a match. Once a match is found, the global catalog returns routing information about how to locate the resource to the domain controller in the Vancouver domain.

4. The Vancouver domain controller sends the user's computer a referral to its parent domain, nwtraders.msft.


5. The user's computer contacts a domain controller in nwtraders.msft for a referral to a domain controller in the forest root domain of the Contoso.msft forest.

6. Using the referral returned by the domain controller in the nwtraders.msft domain, the user's computer contacts a domain controller in the Contoso.msft forest root domain for a service ticket to the requested service.

7. Because the resource is not located in the forest root domain of the Contoso.msft forest, the domain controller contacts its global catalog to find the SPN.

8. The global catalog finds a match for the SPN and returns it to the domain controller.

9. The domain controller sends the user's computer a referral to seattle.contoso.msft.

10. The user's computer contacts the KDC on a domain controller in seattle.contoso.msft and obtains a service ticket for the resource in that domain.

11. The user's computer presents the service ticket to the computer on which the shared resource is located. That computer reads the user's authorization data from the ticket and constructs an access token, which is used to grant or deny the user access to the resource.
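The following PowerShell script is an added example, not course material, that models the name-suffix routing step (step 3 above): the host part of the requested SPN is matched against the namespaces recorded for each forest trust, the longest matching suffix wins, and a name that has been excluded from a trust is not routed to it. In a real directory these namespaces live in the forest trust TDO's msDS-TrustForestTrustInfo attribute; the trust table and the SPNs below are constructed for the nwtraders.msft forest of this lesson.

```powershell
# Added example, not course material. Models the global catalog's name-suffix
# routing of an SPN to a trusted forest. Trust table and SPNs are constructed.

function Resolve-SpnForest {
    param(
        [Parameter(Mandatory)][string]$Spn,            # service/host[:port][/servicename]
        [Parameter(Mandatory)][object[]]$ForestTrusts  # objects with Forest, Suffixes, Excluded
    )
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2 -or [string]::IsNullOrEmpty($parts[1])) {
        throw "Not a valid SPN: '$Spn'"
    }
    # Only the host's DNS suffix is matched; strip a port if present.
    $hostName = ($parts[1] -replace ':\d+$', '').ToLowerInvariant()

    $best = $null
    foreach ($trust in $ForestTrusts) {
        # A name under a routed suffix can be excluded again (for example a child
        # namespace that the partner forest does not own); exclusions win.
        $excluded = @($trust.Excluded) | Where-Object { $_ } | Where-Object {
            $x = $_.ToLowerInvariant()
            $hostName -eq $x -or $hostName.EndsWith(".$x")
        }
        if ($excluded) { continue }

        foreach ($suffix in $trust.Suffixes) {
            $s = ($suffix -replace '^\*\.', '').ToLowerInvariant()
            if ($hostName -eq $s -or $hostName.EndsWith(".$s")) {
                # Longest matching suffix wins, so seattle.contoso.msft would beat contoso.msft.
                if ($null -eq $best -or $s.Length -gt $best.MatchedSuffix.Length) {
                    $best = [pscustomobject]@{ Forest = $trust.Forest; MatchedSuffix = $s }
                }
            }
        }
    }
    $best   # $null means no forest trust routes this name; the KDC would return an error
}

# Constructed forest trust table for the nwtraders.msft forest.
$forestTrusts = @(
    [pscustomobject]@{ Forest = 'contoso.msft';  Suffixes = @('*.contoso.msft', '*.contoso.com'); Excluded = @('lab.contoso.msft') },
    [pscustomobject]@{ Forest = 'fabrikam.msft'; Suffixes = @('*.fabrikam.msft');                  Excluded = @() }
)

# Constructed SPNs: a normal match, an excluded name, a host with a port, and an unknown forest.
$spns = 'cifs/fs01.seattle.contoso.msft', 'HOST/web.lab.contoso.msft', 'ldap/dc1.fabrikam.msft:389', 'cifs/fs02.adatum.msft'
foreach ($spn in $spns) {
    $route = Resolve-SpnForest -Spn $spn -ForestTrusts $forestTrusts
    $target = if ($route) { $route.Forest } else { '(no route)' }
    [pscustomobject]@{ Spn = $spn; RoutedTo = $target }
}
```

With the constructed table, the Seattle file server is routed to contoso.msft, the Fabrikam domain controller to fabrikam.msft, the name under the excluded lab.contoso.msft suffix is not routed anywhere, and the Adatum host has no route at all. When troubleshooting a cross-forest access failure, checking the name suffixes recorded for the trust (and any exclusions) against the SPN the client actually requested is the first thing to do.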


How to Create Trusts

Introduction

You can use Active Directory Domains and Trusts to set up trust relationships between forests or between domains in the same forest. You can also use it to set up shortcut, external, and realm trusts.

Before you create a forest trust, DNS name resolution between the two forests must work in both directions; for example, create a secondary zone on the DNS server in each forest for the other forest's namespace, or configure a conditional forwarder (new in Windows Server 2003 DNS) for it. This ensures that the domain controller in the forest from which you are creating the forest trust can locate a domain controller in the other forest and complete the setup of the trust relationship.

Procedure

To create a trust, perform the following steps:

1. Open Active Directory Domains and Trusts.
2. In the console tree, perform one of the following steps:
   • If you are creating a forest trust, right-click the domain node for the forest root domain, and then click Properties.
   • If you are creating a shortcut trust, right-click the domain node for your domain (the domain in which the trust is to be created), and then click Properties.
   • If you are creating an external trust, right-click the domain node for your domain, and then click Properties.
   • If you are creating a realm trust, right-click the domain node for the domain you want to administer, and then click Properties.
3. On the Trusts tab, click New Trust.
4. The New Trust Wizard starts.
5. On the Welcome page, click Next.


6. On the Trust Name page, perform one of the following steps:
   • If you are creating a forest trust, type the DNS name of the other forest, and then click Next.
   • If you are creating a shortcut trust, type the DNS name of the other domain, and then click Next.
   • If you are creating an external trust, type the DNS name of the domain, and then click Next.
   • If you are creating a realm trust, type the name of the target realm, and then click Next.
7. On the Trust Type page, perform one of the following steps:
   • If you are creating a forest trust, click Forest trust, and then click Next.
   • If you are creating a shortcut trust, this page does not appear; skip to step 8.
   • If you are creating an external trust, click External trust, and then click Next.
   • If you are creating a realm trust, click Realm trust, and then click Next. On the Transitivity of Trust page, do one of the following:
       • To form a trust relationship between the domain and the specified realm only, click Nontransitive, and then click Next.
       • To form a trust relationship between the domain and the specified realm and all realms that it trusts, click Transitive, and then click Next.
8. On the Direction of Trust page, perform one of the following steps:
   • To create a two-way trust, click Two-way, and then follow the wizard instructions.
   • To create a one-way incoming trust, click One-way: incoming, and then follow the wizard instructions.
   • To create a one-way outgoing trust, click One-way: outgoing, and then follow the wizard instructions.


How to Verify and Revoke a Trust

Introduction

After you create a trust, you will sometimes need to verify it, and eventually you may need to revoke it. You verify a trust to make sure that it is working correctly and can validate authentication requests from the other domain. You revoke a trust to prevent that authentication path from being used. You can use Active Directory Domains and Trusts or the netdom command to verify and revoke trusts.

Procedure to verify trusts

To verify a trust by using Active Directory Domains and Trusts, perform the following steps:

1. In Active Directory Domains and Trusts, in the console tree, right-click one of the domains involved in the trust that you want to verify, and then click Properties.
2. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
3. Click Validate.
4. Repeat steps 1 through 3 to verify the trust from the other domain involved in the relationship.

To verify a trust by using netdom, perform the following steps:

1. Open a command prompt window on a domain controller in the trusting domain.
2. Type the following command, and then press ENTER:

netdom trust trusting_domain_name /Domain:trusted_domain_name /Verify

If your current account has no rights in the trusted domain, supply credentials for it with the /UserD and /PasswordD switches.


Procedure to revoke trusts

To revoke a trust by using Active Directory Domains and Trusts, perform the following steps:

1. In Active Directory Domains and Trusts, in the console tree, right-click one of the domains involved in the trust that you want to revoke, and then click Properties.
2. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.
3. Repeat steps 1 and 2 to revoke the trust from the other domain involved in the relationship. Removing the trust from one domain deletes only that domain's trusted domain object; until the other domain removes its half as well, the stale trust remains listed there.

To revoke a trust by using netdom, perform the following steps:

1. Open a command prompt window.
2. Type the following command, and then press ENTER:

netdom trust trusting_domain_name /Domain:trusted_domain_name /Remove


Practice: Creating a Shortcut Trust

Introduction

In this practice you will create a shortcut trust between your domain and another domain in your forest, and validate the trust.

Scenario

You have created a child domain for your location within the forest nwtraders.msft. Sales managers at another location need access to sales resources in your location, and vice versa. You need to set up a two-way shortcut trust between your domain and the domain that represents the other location.

Instructions

You will work with a partner, who will be assigned to you by your instructor. You will create the two-way shortcut trust between your domain and your partner's domain. Your partner will also set up a two-way shortcut trust with your domain.


Procedure to create a shortcut trust

To create a shortcut trust, perform the following steps:

1. Log on to the Nwtraders domain as Administrator with a password of P@ssw0rd.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click the domain node for your domain, and then click Properties.
4. On the Trusts tab, click New Trust, and then click Next.
5. On the Trust Name page, type the DNS name of your partner's domain, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
7. On the Sides of Trust page, click This domain only, and then click Next.
8. On the Trust Password page, type and confirm P@ssw0rd as the trust password, and then click Next. If you do not use P@ssw0rd, ensure that both you and your partner use the same trust password, because the two halves of the trust must share it.
9. On the Trust Selections Complete page, click Next, and then click Next again.
10. On the Confirm Outgoing Trust page, click No, do not confirm the outgoing trust, and then click Next.
11. On the Confirm Incoming Trust page, click No, do not confirm the incoming trust, and then click Next.
12. On the Completing the New Trust Wizard page, click Finish.

Procedure to validate a shortcut trust

To validate the shortcut trust, perform the following steps:

1. On the Trusts tab of your domain's Properties dialog box, click the trust that you want to validate, and then click Properties.
2. On the trust's Properties page, click Validate.
3. Click No, do not validate the incoming trust, and then click OK.

If the trust is valid, a confirmation message appears. If you perform the validation before your partner has set up the matching shortcut trust from the other domain, you will receive an error message, because only one side of the trust exists.


Lesson: Securing Trusts by Using SID Filtering

Introduction

To ensure that only users of trusted domains are allowed access to a domain's resources, Windows Server 2003 provides the SID filtering feature. This lesson discusses SID history and SID filtering, and explains how to increase security by using SID filtering.

Lesson objectives

After completing this lesson, you will be able to:

• Describe the purpose of SID history.
• Describe the purpose of SID filtering.
• Use SID filtering to secure resources.


What Is SID History?

Introduction

Windows uses a data structure known as a security identifier (SID) to identify users, computers, and groups. A SID has two components: the first part uniquely identifies a domain, and the second part (the relative identifier, or RID) uniquely identifies a user account, computer account, or group managed by that domain. Windows uses SIDs to identify users and groups in access control lists (ACLs) and in group memberships.

The purpose of SID history

When a user account is migrated to a different domain, it is assigned a new SID, which results in the loss of group memberships and permissions based on the old account SID. SID history (the sIDHistory attribute) is an attribute on user and group objects in Active Directory that holds the previous SID of a migrated account. If an account is migrated multiple times, SID history stores a list of all the SIDs the account was assigned. SID history gives a migrated user continuity of access to resources until all the necessary groups and ACLs have been updated to use the new account SID.

When a Windows Server 2003 domain controller authenticates a user, it computes group memberships using both the current account SID and any SIDs in SID history, and places all of them in the user's authorization data. If the account has been migrated, access to resources that was granted to the previous account is therefore maintained.


What Is SID Filtering?

Introduction

If someone who controls a trusted domain can add SIDs to a user's SID history, that user account can gain unauthorized access to resources in any domain that trusts the account's domain: for example, by adding the SID of the trusting domain's Domain Admins group. This is an elevation-of-privilege attack. SID history is protected against unauthorized modification in the domain where it is stored, but that protection cannot be relied on across a trust, because the administrators of the trusted domain control its domain controllers. Trusting domains can therefore set up SID filtering to ensure that only SIDs that actually belong to the trusted domain are accepted from it.

How SID filtering works

SID filtering is a mechanism that removes from a user's authorization data any SIDs that do not belong to the domain that is directly trusted. The trusted domain that is targeted for SID filtering is said to be quarantined. Quarantining changes how authentication requests are processed when users from the quarantined domain access the trusting domain.

Any domain controller in the trusting domain can positively determine the correct domain SID for the quarantined domain (it is recorded in the trusted domain object), and so can filter the SIDs in the authorization data and remove any that do not have that domain SID as their prefix. Although a given domain can be quarantined only by another domain that directly trusts it, the effect is inherited by any domain further along the trust path in the trusting direction, because the filtered authorization data is what those domains receive. All domain controllers in the trusting domain are configured to filter SIDs in any authorization data received from the trusted domain.
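The following PowerShell script is an added example, not course material, that models the filtering described above: given the domain SID that the trusting domain controller knows for the quarantined domain, it keeps only the SIDs in the presented authorization data whose domain prefix matches, and drops everything else, including SID-history entries that point at groups of the trusting domain. The domain SIDs and the authorization data are constructed; the real implementation also has rules for well-known and built-in SIDs (S-1-1-0, S-1-5-32-* and so on) that this simplified model leaves out.

```powershell
# Added example, not course material. A simplified model of the SID filter
# quarantining that a trusting domain controller applies to authorization data
# from a quarantined trusted domain. All SIDs below are constructed.

function Get-SidDomainPrefix {
    # A domain SID is S-1-5-21-<three sub-authorities>; an account or group SID
    # appends one relative identifier (RID). Returns $null for anything else.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -match '^(S-1-5-21-\d+-\d+-\d+)-\d+$') { return $Matches[1] }
    return $null
}

function Select-TrustedDomainSid {
    param(
        [Parameter(Mandatory)][string]$TrustedDomainSid,  # domain SID recorded in the TDO for the quarantined domain
        [Parameter(Mandatory)][string[]]$Sids             # user SID, group SIDs and SID-history values presented at logon
    )
    $kept    = New-Object System.Collections.Generic.List[string]
    $dropped = New-Object System.Collections.Generic.List[string]
    foreach ($sid in $Sids) {
        # Only SIDs issued by the quarantined domain itself survive; this is what
        # defeats a forged sIDHistory entry, since it carries another domain's prefix.
        if ((Get-SidDomainPrefix -Sid $sid) -eq $TrustedDomainSid) { $kept.Add($sid) } else { $dropped.Add($sid) }
    }
    [pscustomobject]@{ Kept = $kept.ToArray(); Dropped = $dropped.ToArray() }
}

# RESDOM is the trusting (resource) domain, ACCDOM the quarantined trusted domain.
$resdomSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$accdomSid = 'S-1-5-21-4444444444-5555555555-6666666666'

# Constructed authorization data for an ACCDOM user whose sIDHistory was tampered
# with to carry RESDOM's Domain Admins (RID 512) and Enterprise Admins (RID 519).
$presented = @(
    "$accdomSid-1105",   # the user's own SID
    "$accdomSid-513",    # Domain Users in ACCDOM
    "$accdomSid-1200",   # a legitimate ACCDOM group
    "$resdomSid-512",    # injected: Domain Admins of the trusting domain
    "$resdomSid-519"     # injected: Enterprise Admins of the trusting forest
)

Select-TrustedDomainSid -TrustedDomainSid $accdomSid -Sids $presented
```

With the constructed input, the three ACCDOM SIDs are kept and the two injected RESDOM SIDs are dropped, so the resulting access token in RESDOM contains no privilege that ACCDOM's administrators granted themselves. The same filtering is what makes a migrated account lose access through its SID history once its old domain is quarantined, which is why SID filtering is normally enabled only after a migration has been completed.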


How to Increase Security by Using SID Filtering

Introduction

In Windows Server 2003 domains, SID filtering can be enabled, verified, and disabled by using the Netdom.exe command-line tool. The prerelease build that this course is based on uses the /filtersids switch; in the released Windows Server 2003 tools the same setting for external trusts is named /Quarantine, and for forest trusts the related setting is /EnableSIDHistory.

Procedure to configure SID filtering

You use netdom with the /filtersids switch to configure SID filtering. In the following commands, the RESDOM domain (the trusting domain, which holds the resources) is filtering the ACCDOM domain (the trusted account domain). The /UD and /PD switches supply credentials for the trusted domain, and /UO and /PO supply credentials for the trusting domain; adminpwd is a placeholder. Specifying * instead of a password makes netdom prompt for it, which keeps the password out of process listings and command history.

To configure SID filtering, perform the following steps:

1. Run the following command on a domain controller in the trusting domain:

netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:yes

Active Directory replication propagates the setting to all domain controllers in the domain.

2. Verify the SID filtering setting on the domain by running the following command on one of the domain controllers in the domain:

netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids

To disable SID filtering, run the following command on one of the domain controllers in the domain:

netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:no

Disable SID filtering only while a migration that depends on SID history is in progress, and re-enable it as soon as the migration is complete.


Lab A: Implementing Active Directory

Objectives

After completing this lab, you will be able to:

• Install Active Directory.
• Create a forest root.
• Verify an Active Directory installation.
• Verify the forest and domain functional level.
• Raise the functional level of the forest and the domain.
• Create a child domain in an existing forest.
• Create forest trusts.
• Verify forest trusts.

Note: This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations.

Prerequisites

Before working on this lab, you must have:

• Knowledge about the components that make up the logical and physical structure of Active Directory.
• The knowledge and skills to install Active Directory and create a forest root domain and a child domain.
• Knowledge about how Active Directory integrated DNS works.
• The knowledge and skills to raise the functional level of a forest.
• The knowledge and skills to create a trust relationship between two forests.


Scenario

You are a Systems Engineer for Northwind Traders. In response to a series of mergers with several smaller companies, Northwind Traders has decided to consolidate its Active Directory infrastructure. The individual organizations must maintain their own Active Directory structure yet also be able to communicate with all the other subsidiaries. You will provide the infrastructure necessary to support this goal by using multiple forests, with trusts between them as appropriate.

Estimated time to complete this lab: 60 minutes


Exercise 1: Removing a Child Domain from Active Directory

In this exercise, you will remove Active Directory from your domain controller to prepare for the creation of an Active Directory forest and domain structure.

Scenario

Northwind Traders must implement Active Directory in several locations. The IT management team has asked the engineering group to implement Active Directory by using separate forests. You will work independently as the local administrator of the office to which you have been assigned. You will use the servers at your site to create a new Active Directory forest root and child domain. In preparation for this, you must first demote your domain controller.

Tasks and special instructions

1. Remove Active Directory from your domain controller.

2. Verify that Active Directory has been removed from your server.
   a. Log on to NWTraders as Administrator with a password of P@ssw0rd to perform this task.
   b. Verify that the NETLOGON and SYSVOL shares no longer exist.


Exercise 2: Creating an Active Directory Forest Root Domain

In this exercise, you will work with a partner to create your own Active Directory forest. One of you will create the forest root domain and the other will create a child domain in the newly created forest root.

Scenario

You are creating a new Active Directory forest that will eventually be merged into a comprehensive administrative environment. As one of the regional locations for Northwind Traders, you must coordinate your efforts with a sister location in your country. One of the locations will establish the forest root domain and the other will create a child domain in the newly created forest. The forest root domain must be created before the child domain can join the forest. You must coordinate your effort with your sister location to ensure that the appropriate steps are taken at the correct time.

Tasks and special instructions

1. Create a new forest root domain.

   a. Your instructor will assign the name of your forest root domain.

   b. Log on to your local server as Administrator with a password of P@ssw0rd if you are not already logged on.

   You must install DNS by using the Active Directory Installation Wizard. The root domain controller's DNS resolver must be pointed to London.

2. Verify the creation of the new forest.


Exercise 3: Creating an Active Directory Child Domain

In this exercise, you will complete the creation of the Active Directory forest by creating a child domain within the forest root.

Scenario

As the sister location to the newly created forest root, you will complete the forest by creating the first child domain. Do not complete this step until you have verified with your partner that the forest root domain has been configured and is running.

Tasks and special instructions

1. Create a new child domain.

   - Log on to your local server as Administrator with a password of P@ssw0rd.

   The child domain controller must have its DNS resolver pointed to the partner's forest root domain controller.

2. Verify the installation of the new child domain.


Exercise 4: Raising Domain and Forest Functional Level

In this exercise, you will raise the domain and forest functional levels to Windows Server 2003.

Scenario

Northwind Traders is preparing its environment for cross-forest trusts, which will be implemented at a later stage. To achieve this, the domains and forests must have their functional level raised to support the forest trust feature.

Tasks and special instructions

1. Raise the domain functional level.

   - Log on to your domain as Administrator with a password of P@ssw0rd.

2. Raise the forest functional level.

   - This action must be performed by only one member of the forest.


Exercise 5: Creating a Forest Trust

Important: For this exercise, your instructor will configure the LONDON server as a root hints server and will delegate your domain from this root server. Do not perform this exercise until your instructor asks you to do so. If the root server has not been configured for this exercise, you will be unable to create the forest trusts required.

In this exercise, you will create a trust with the following forests, forming a two-way forest trust. If your domain name ends with an even number, replace the letters in the exercise with an odd number of your choice. If your domain name ends in an odd number, replace the letters in the exercise with an even number of your choice.

- Nwtraders_u.msft
- Nwtraders_v.msft
- Nwtraders_w.msft
- Nwtraders_x.msft
- Nwtraders_y.msft
- Nwtraders_z.msft

Scenario

The Northwind Traders conglomerate is growing quickly. You must support the increase in connectivity requirements between the various organizations. To accomplish this, you will create a series of trusts between forests that require communications and resource access.

Tasks and special instructions

1. Configure DNS forwarding.

   - This task must be performed in the classroom environment on all forest root domain controllers because there is no access to the Internet root hints servers. Your instructor has configured the LONDON server as a root server for this exercise and has delegated your zone to your server.

2. Create trusts between the classroom forest and your assigned forests, and then verify that the trusts have been created.

   - This step must be performed from the domain controller that established the forest root domain.


Exercise 6: Securing Trusts by Using SID Filtering

In this exercise, you will configure SID filtering on your domain.

Scenario

Northwind Traders, like many companies, experiences some employee turnover as well as internal employee movement. The organization wants to ensure that when users move between domains they do not retain access rights to resources from their former position. You have been asked to enable SID filtering to prevent unwanted access.

Tasks and special instructions

1. Configure SID filtering on your domain controller.

   a. Log on to your domain as Administrator with a password of P@ssw0rd if you are not already logged on.

   b. At the command prompt, type netdom <your_domain_name> /domain:<trusted_domain_name> /quarantine:yes, and then press ENTER.


Lab 2A: Implementing Active Directory

Exercise 1: Removing a Child Domain from Active Directory

In this exercise, you will remove Active Directory from your domain controller to prepare for the creation of an Active Directory forest and domain structure.

Task 1: Remove Active Directory from your domain controller

1. Click Start, click Run, in the Open box, type dcpromo and then click OK to start the Active Directory Installation Wizard.

2. On the Welcome to the Active Directory Installation Wizard page, click Next.

3. On the Remove Active Directory page, click the checkbox labeled This server is the last domain controller in the domain, and then click Next.

4. On the Network Credentials page, type Administrator as the username and P@ssw0rd as the password, and then click Next.

5. On the Administrator Password page, type P@ssw0rd in both fields, and then click Next.

6. On the Summary page, click Next.

7. On the Completing the Active Directory Installation Wizard page, click Finish. The Active Directory Installation Wizard removes components from the Active Directory database, and then prompts you to restart Windows.

8. Click Restart Now.

Task 2: Verify that Active Directory has been removed from your server

1. Log on as the local Administrator with a password of P@ssw0rd.

2. Click Start, and then click Run.

3. In the Open box, type %systemroot% and then click OK.

4. Verify that the sysvol and ntds folders are no longer present.

5. Open a command prompt window, type net share and then press ENTER.

6. Verify that the NETLOGON and SYSVOL shares no longer exist.
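The checks in this task can also be scripted so that every demoted server is verified the same way. The following PowerShell is an added example, not part of the course manual: it assumes Windows PowerShell 5.1 or later with the SmbShare module (Windows Server 2012 and later; the lab's net share command lists the same shares) and that the server was the last domain controller in its domain, so it now belongs to a workgroup. It returns one object whose fields mirror the steps above.

```powershell
# Added example (not from the course manual): verify that a demoted server no longer
# carries any domain controller state. Assumes the SmbShare module and a server that
# was the last DC in its domain (it is therefore no longer domain-joined).
function Test-DomainControllerRemoved {
    [CmdletBinding()]
    param()

    $systemRoot = $env:SystemRoot
    $result = [ordered]@{}

    # Step 6: the NETLOGON and SYSVOL shares must be gone ('net share' shows the same list).
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    $result.SysvolShareRemoved   = ($shares -notcontains 'SYSVOL')
    $result.NetlogonShareRemoved = ($shares -notcontains 'NETLOGON')

    # Step 4: the %systemroot%\SYSVOL and %systemroot%\NTDS folders must no longer exist.
    $result.SysvolFolderRemoved = -not (Test-Path (Join-Path $systemRoot 'SYSVOL'))
    $result.NtdsFolderRemoved   = -not (Test-Path (Join-Path $systemRoot 'NTDS'))

    # The directory service (NTDS) must not be running any more.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    $result.NtdsServiceStopped = ($null -eq $ntds -or $ntds.Status -ne 'Running')

    # After removing the last DC of a domain the server is a workgroup member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.NotDomainJoined = -not $cs.PartOfDomain

    # Summarise: every individual check must be $true.
    $result.AllChecksPassed = ($result.Values -notcontains $false)
    [pscustomobject]$result
}

Test-DomainControllerRemoved | Format-List
```

Run it as the local Administrator after the restart; any field that reads False points at the step of the task that still needs attention.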


Exercise 2: Creating an Active Directory Forest Root Domain

In this exercise, you will work with a partner to create your own Active Directory forest. One of you will create the forest root domain and the other will create a child domain in the newly created forest root.

Task 1: Create a new forest root domain

1. Log on as the local Administrator with a password of P@ssw0rd if you are not already logged on.

2. Click Start, click Run, in the Open box, type dcpromo and then click OK.

3. On the Welcome to the Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, click the Domain Controller for a New Domain radio button, and then click Next.

6. On the Create New Domain page, click Domain in a new forest, and then click Next.

7. On the New Domain Name page, type your assigned domain name as given to you by your instructor.

8. On the NetBIOS Domain Name page, click Next to accept the default settings.

9. On the Database and Log Folders page, click Next to accept the default settings.

10. On the Shared System Volume page, click Next to accept the default settings.

11. On the DNS Registration Diagnostics page, ensure that Install and configure the DNS server on this computer and set the computer to use this DNS server as its preferred DNS server is selected, and then click Next.

12. On the Permissions page, click Next to accept the default settings.

13. On the Directory Services Restore Mode Administrator Password page, type P@ssw0rd in both fields, and then click Next.

14. On the Summary page, click Next.

15. On the Completing the Active Directory Installation Wizard page, click Finish.

16. When prompted to restart Windows, click Restart Now.

Task 2: Verify the creation of the new forest

1. Log on as your domain Administrator with a password of P@ssw0rd.

2. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

3. Verify that the only domain listed is the newly created forest root domain.


Exercise 3: Creating an Active Directory Child Domain

In this exercise, you will complete the creation of the Active Directory forest by creating a child domain within the forest root.

Task 1: Create a new child domain

1. Log on as the local Administrator with a password of P@ssw0rd. The child domain controller must have its DNS resolver pointed to the partner's forest root domain controller.

2. Click Start, click Run, in the Open box, type dcpromo and then click OK.

3. On the Welcome to the Active Directory Installation Wizard page, click Next.

4. On the Operating System Compatibility page, click Next.

5. On the Domain Controller Type page, click Domain Controller for a New Domain, and then click Next.

6. On the Create New Domain page, click Child domain in an existing domain tree, and then click Next.

7. On the Network Credentials page, type Administrator as the user name, P@ssw0rd as the password, and your partner's forest root domain name in the domain field, and then click Next.

8. On the Child Domain Installation page, in the Parent domain box, type your partner's newly created domain name, in the Child domain box, type your domain, and then click Next.

9. On the NetBIOS Domain Name page, click Next to accept the default settings.

10. On the Database and Log Folders page, click Next to accept the default settings.

11. On the Shared System Volume page, click Next to accept the default settings.

12. On the DNS Registration Diagnostics page, click Next.

13. On the Permissions page, click Next to accept the default settings.

14. On the Directory Services Restore Mode Administrator Password page, type P@ssw0rd in both fields, and then click Next.

15. On the Summary page, click Next.

16. On the Completing the Active Directory Installation Wizard page, click Finish.

17. When prompted to restart Windows, click Restart Now.

Task 2: Verify the installation of the new child domain

1. Log on as your domain Administrator with a password of P@ssw0rd.

2. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.

3. Verify that the child domain is listed in the newly created forest root domain.
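Exercises 2 and 3 are the two halves of building one forest: the root domain first, then the child domain whose resolver must point at the partner's root domain controller. The PowerShell below is an added example, not the course's own procedure: it performs the same two installs with the ADDSDeployment module (Windows Server 2012 and later) instead of the wizard, checks the DNS prerequisite before the child install, and reads the forest back afterwards with the ActiveDirectory module. The forest name, child name and partner address are placeholders standing in for the values your instructor assigns; the DSRM password is the lab's P@ssw0rd.

```powershell
# Added example (not from the course manual). Placeholders: $ForestRootName and $ChildName
# stand for the names your instructor assigns; $PartnerRootDc is a documentation address
# standing for your partner's forest root DC.
$ForestRootName = 'nwtraders_u.msft'      # assigned by the instructor (placeholder)
$ChildName      = 'branch'                # becomes branch.nwtraders_u.msft (placeholder)
$PartnerRootDc  = '192.0.2.10'            # partner's forest root DC (placeholder address)
$DsrmPassword   = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

# Exercise 2, task 1: the forest root domain. -InstallDns corresponds to the wizard's
# "Install and configure the DNS server on this computer" option.
function New-LabForestRoot {
    Import-Module ADDSDeployment
    Install-ADDSForest `
        -DomainName $ForestRootName `
        -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword `
        -Force            # no confirmation prompt; the server restarts when the install completes
}

# Exercise 3, task 1: the first child domain. The lab's special instruction (resolver
# pointed at the partner's root DC) is enforced and proven before AD DS is touched.
function New-LabChildDomain {
    $adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $PartnerRootDc

    # The wizard locates the parent domain through this SRV record; fail early if it is missing.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestRootName" -Type SRV -ErrorAction Stop
    if (-not $srv) { throw "No DC SRV record for $ForestRootName; fix DNS before continuing." }

    # Parent-domain credentials, as on the wizard's Network Credentials page.
    $cred = Get-Credential -UserName "$ForestRootName\Administrator" -Message 'Parent domain admin'

    Import-Module ADDSDeployment
    Install-ADDSDomain `
        -NewDomainName $ChildName `
        -ParentDomainName $ForestRootName `
        -DomainType ChildDomain `
        -Credential $cred `
        -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword `
        -Force
}

# Task 2 of both exercises: after the restart, list what the forest now contains.
# Only the root is expected after Exercise 2; root and child after Exercise 3.
function Get-LabForestSummary {
    Import-Module ActiveDirectory
    $forest = Get-ADForest
    [pscustomobject]@{
        ForestRoot = $forest.RootDomain
        Domains    = $forest.Domains -join ', '
        ForestMode = $forest.ForestMode
    }
}
```

The partner holding the forest root runs New-LabForestRoot; the sister location runs New-LabChildDomain only after Get-LabForestSummary on the root shows the forest up, which is the coordination point the scenario describes.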


Exercise 4: Raising Domain and Forest Functional Level

In this exercise, you will raise the domain and forest functional levels to Windows Server 2003.

Task 1: Raise the domain functional level

1. Log on as your domain Administrator with a password of P@ssw0rd.

2. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.

3. Right-click your assigned domain name, select the Raise Domain Functional Level option, select the Windows .NET Server 2003 functional level, and then click Raise.

4. On the Raise Domain Functional Level window, click OK in response to the message indicating that this choice cannot be reversed.

5. Click OK to confirm that the functional level was raised successfully.

Task 2: Raise the forest functional level

This action must be performed by only one member of the forest.

1. From Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node, and then click Raise Forest Functional Level.

2. On the Raise Forest Functional Level page, select Windows .NET Server 2003 from the dropdown list, and then click Raise.

3. Click OK to confirm the message that this action will affect the entire forest.
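The warning in step 4 of task 1 is the point of this exercise: a functional level raise cannot be reversed, and it is refused if any domain controller runs an operating system older than the target level. The PowerShell below is an added example, not the course's own procedure. It uses the ActiveDirectory module (Windows Server 2008 R2 and later, which needs the Active Directory Web Services on a reachable DC), lists any blocking domain controllers across the whole forest before changing anything, raises the domain level, and optionally the forest level (which, as the lab notes, only one member of the forest performs). Windows2003Domain and Windows2003Forest are the module's names for the level this lab targets; current Windows Server releases reject levels below their own minimum, so adjust the parameters to your environment.

```powershell
# Added example (not from the course manual): guarded functional level raise.
# Assumes the ActiveDirectory module and Enterprise Admins membership.
Import-Module ActiveDirectory

# Any DC whose OS is older than the target level blocks the raise; list them all
# (every domain in the forest) rather than discovering them one failure at a time.
function Get-UnsupportedDomainController {
    param([string]$MinimumOsVersion = '5.2')   # 5.2 = Windows Server 2003; no Windows 2000 DCs
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]$MinimumOsVersion } |
            Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
    }
}

function Set-LabFunctionalLevel {
    param(
        [string]$DomainMode = 'Windows2003Domain',
        [string]$ForestMode = 'Windows2003Forest',
        [switch]$IncludeForest        # task 2: run with this switch from one DC only
    )
    $blocking = Get-UnsupportedDomainController
    if ($blocking) {
        $blocking | Format-Table -AutoSize | Out-Host
        throw 'Upgrade or demote the domain controllers listed above before raising the level.'
    }

    # Task 1: the raise is irreversible, so skip it when the level is already reached.
    $domain = Get-ADDomain
    if ($domain.DomainMode -ne $DomainMode) {
        Set-ADDomainMode -Identity $domain -DomainMode $DomainMode -Confirm:$false
    }

    # Task 2: forest level, which requires every domain to be at the matching domain level.
    if ($IncludeForest) {
        $forest = Get-ADForest
        if ($forest.ForestMode -ne $ForestMode) {
            Set-ADForestMode -Identity $forest -ForestMode $ForestMode -Confirm:$false
        }
    }

    # Read the levels back from the directory as confirmation.
    [pscustomobject]@{
        Domain     = (Get-ADDomain).DNSRoot
        DomainMode = (Get-ADDomain).DomainMode
        ForestMode = (Get-ADForest).ForestMode
    }
}

Set-LabFunctionalLevel                  # domain level only (every lab partner)
# Set-LabFunctionalLevel -IncludeForest # forest level as well (one partner per forest)
```

The domain raise is written on the PDC emulator and the forest raise on the domain naming master, so a partner querying a different DC may see the old level until replication completes.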


Exercise 5: Creating a Forest Trust

Important: For this exercise, your instructor will configure the LONDON server as a root hints server and will delegate your domain from this root server. Do not perform this exercise until your instructor asks you to do so. If the root server has not been configured for this exercise, you will be unable to create the forest trusts required.

In this exercise, you will create a trust with the following forests, forming a two-way forest trust. If your domain name ends with an even number, replace the letters in the exercise with an odd number of your choice. If your domain name ends in an odd number, replace the letters in the exercise with an even number of your choice.

- Nwtraders_u.msft
- Nwtraders_v.msft
- Nwtraders_w.msft
- Nwtraders_x.msft
- Nwtraders_y.msft
- Nwtraders_z.msft

Task 1: Configure DNS forwarding

This task must be performed in the classroom environment on all forest root domain controllers because there is no access to the Internet root hints servers. Your instructor has configured the LONDON server as a root server for this exercise and has delegated your zone to your server.

1. Click Start, click Administrative Tools, and then click DNS.

2. In the DNS management MMC, expand and right-click your server name, and then click Properties.

3. Click the Forwarders tab.

4. In the Selected domain's forwarder IP address list box, type the LONDON server's IP address, click Add, and then click OK.


Task 2: Create trusts between the classroom forest and your assigned forests, and then verify that the trusts have been created

This step must be performed from the domain controller that established the forest root domain.

1. Log on as Administrator with a password of P@ssw0rd.

2. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.

3. Right-click the forest root domain for your forest, and then click Properties.

4. On the Properties page for the forest, click the Trusts tab.

5. Click the New Trust button.

6. On the Welcome to the New Trust Wizard page, click Next.

7. On the Trust Name page, type the NetBIOS name or DNS name of the classroom forest root domain, nwtraders or nwtraders.msft, and then click Next.

8. On the Direction of Trust page, select Two-way as the trust direction, and then click Next.

9. On the Side of Trust page, click Both this domain and the specified domain, then click Next.

10. On the User Name and Password page, enter Administrator as the user name and P@ssw0rd as the password, and then click Next.

11. On the Trust Selection Complete page, click Next.

12. On the Trust Creation Complete page, click Next.

13. On the Confirm Outgoing Trust page, click Next.

14. On the Completing the New Trust Wizard page, click Finish.

15. Verify the trust by viewing the Domain Properties window and locating the trust that has been established, and then click OK to close the window.
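Task 1 exists because a forest trust can only be built once each forest can locate the other's domain controllers through DNS; the wizard's "Both this domain and the specified domain" option then writes the trust on both sides with one shared trust password. The PowerShell below is an added example, not the course's own procedure, that does the same two things from the forest root domain controller: it sets the forwarder (DnsServer module, Windows Server 2012 and later), proves the classroom forest's DC locator record resolves, and then creates and verifies the two-way forest trust through the System.DirectoryServices.ActiveDirectory classes that ship with the .NET Framework. The LONDON address is a placeholder; nwtraders.msft is the classroom forest root named in step 7.

```powershell
# Added example (not from the course manual). $LondonDnsServer is a placeholder for the
# instructor's LONDON server; run on the forest root DC as an Enterprise Admin.
$LondonDnsServer = '192.0.2.1'          # classroom root hints server (placeholder address)
$ClassroomForest = 'nwtraders.msft'     # forest root domain entered on the Trust Name page

# Task 1: send every query this server cannot answer from its own zones to LONDON,
# because the classroom has no path to the Internet root servers.
function Set-LabDnsForwarder {
    Import-Module DnsServer
    Set-DnsServerForwarder -IPAddress $LondonDnsServer -UseRootHint $false
    # The trust wizard finds a DC of the other forest through this record; check it now.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ClassroomForest" -Type SRV -ErrorAction Stop |
        Select-Object Name, NameTarget, Port
}

# Task 2: create and verify the two-way forest trust. Forest.GetCurrentForest() binds
# to the forest this DC belongs to, which is why the step must run on the root DC.
function New-LabForestTrust {
    Add-Type -AssemblyName System.DirectoryServices
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Bind to the partner forest with its administrator credentials (the wizard's
    # "User Name and Password" page) so that both sides of the trust can be written.
    $partnerCred = Get-Credential -UserName "$ClassroomForest\Administrator" -Message 'Partner forest admin'
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $ClassroomForest,
        $partnerCred.UserName,
        $partnerCred.GetNetworkCredential().Password)
    $remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # Writes the trusted-domain objects in both forests with a matching trust password,
    # the same outcome as "Both this domain and the specified domain" in the wizard.
    $direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    $local.CreateTrustRelationship($remote, $direction)

    # Step 13 ("Confirm Outgoing Trust") and step 15, done by asking the directory:
    # VerifyTrustRelationship throws if either side cannot authenticate across the trust.
    $local.VerifyTrustRelationship($remote, $direction)
    $local.GetTrustRelationship($ClassroomForest) |
        Select-Object SourceName, TargetName, TrustDirection, TrustType
}

Set-LabDnsForwarder
New-LabForestTrust
```

CreateTrustRelationship requires both forests to be at the Windows Server 2003 forest functional level, which is exactly why Exercise 4 precedes this one; if the level was not raised, the call fails in the same way the wizard would.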


Exercise 6: Securing Trusts by Using SID Filtering

In this exercise, you will configure SID filtering on your domain.

Task 1: Configure SID filtering on your domain controller

1. Log on as your domain Administrator with a password of P@ssw0rd if you are not already logged on.

2. Click Start, click Run, type cmd, and then click OK.

3. At the command prompt, type netdom <your_domain_name> /domain:<trusted_domain_name> /quarantine:yes and then press ENTER.
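SID filtering is what stops a SID carried in a user's SIDHistory from a former domain from being honoured across the trust, which is the access-retention problem the scenario describes. Two caveats a practitioner wants before running step 3: netdom's documented syntax for this operation is netdom trust <trusting_domain> /domain:<trusted_domain> /quarantine:yes (the trust verb precedes the domain name), and /quarantine is the switch for external trusts; forest trusts already filter SIDs by default, and on a forest trust /quarantine:yes narrows the accepted SIDs to the trusted forest's root domain alone, while netdom trust ... /enablesidhistory controls the forest-trust relaxation. The PowerShell below is an added example, not the course's own procedure: it reports each trust's filtering state from the trustAttributes bits defined in MS-ADTS (ActiveDirectory module, Windows Server 2008 R2 and later), applies the lab's command through netdom.exe, and reads the result back from the directory. The domain names passed in are the lab's placeholders.

```powershell
# Added example (not from the course manual): audit and apply SID filtering on trusts.
# Assumes the ActiveDirectory module and netdom.exe; domain names are lab placeholders.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS) that decide how SIDs from the other side are treated.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # set by netdom /quarantine:yes (external trusts)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust: SIDs filtered by default
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set by netdom /enablesidhistory:yes; relaxes a forest trust

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr     = [int]$_.TrustAttributes
        $isForest = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $quarantined = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        # A forest trust filters unless TREAT_AS_EXTERNAL was set; an external trust
        # filters only when it is quarantined.
        if ($isForest) { $filtered = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0 }
        else           { $filtered = $quarantined }
        [pscustomobject]@{
            Trust        = $_.Name
            Direction    = $_.Direction
            TrustKind    = if ($isForest) { 'Forest' } else { 'External/other' }
            Quarantined  = $quarantined
            SidsFiltered = $filtered
        }
    }
}

# The lab's step 3, with the result confirmed from the directory rather than netdom's text.
function Enable-TrustQuarantine {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,   # <your_domain_name>
        [Parameter(Mandatory)][string]$TrustedDomain     # <trusted_domain_name>
    )
    & netdom.exe trust $TrustingDomain "/domain:$TrustedDomain" /quarantine:yes
    if ($LASTEXITCODE -ne 0) { throw "netdom returned exit code $LASTEXITCODE" }

    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $local.GetSidFilteringStatus($TrustedDomain)      # $true once quarantine is in force
}

# Trusts on which SIDs from the other side are still accepted unfiltered deserve a ticket.
function Get-UnfilteredTrust {
    Get-TrustSidFilteringReport | Where-Object { -not $_.SidsFiltered }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Run Get-TrustSidFilteringReport before and after Enable-TrustQuarantine so that the change in the Quarantined column, not netdom's console message, is the evidence that step 3 took effect.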
