20411B-ENU-TrainerHandbook
.pdf
|
Administering Windows Server® 2012 2-33 |
|
Exercise 4: Troubleshooting DNS |
MCT |
|
|
|
|
Scenario |
|
After implementing the new server, you need to test and verify the configuration by using standard DNS |
|
troubleshooting tools. |
USE |
|
|
The main tasks for this exercise are as follows:
1.Test simple and recursive queries.
2.Verify start-of-authority (SOA) resource records with Windows PowerShell.
1.On LON-DC1, in DNS Manager, open the LON-DC1 properties. ONLY
2.On the Monitoring tab, perform a simple query against the DNS server. This is successful.
3.Perform simple and recursive queries against this and other DNS servers. The recursive test fails
because there are no forwarders configured. .
4.Stop the DNS service, and then repeat the previous tests. They fail because no DNS server is available.
5.Restart the DNS service, and then repeat the tests. The simple test is successful. STUDENT
6.Close the LON-DC1 Properties dialog box.
To prepare for the next module USE
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. |
On the host computer, start Hyper-V Manager. |
PROHIBITED |
|
2. |
In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert. |
||
|
|||
3. |
In the Revert Virtual Machine dialog box, click Revert. |
|
|
4. |
Repeat steps 2 and 3 for 20411B-LON-SVR1 and 20411B-LON-CL1. |
|
2-34 Configuring and Troubleshooting Domain Name System
Module Review and Takeaways
Review Questions
Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider while planning the DNS configuration?
Question: What is the difference between recursive and iterative queries?
Question: What must you configure before a DNS zone can be transferred to a secondary DNS server?
Question: You are the administrator of a Windows Server 2012 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone. The acquired company is using Bind 4.9.4 to host their primary DNS zones. You notice a significant amount of traffic between the Windows Server 2012 DNS server and the Bind server. What is one possible reason for this?
Question: You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2012. What DNS tool can you use to do this?
Tools
Tool |
Use for |
Where to find it |
|
|
|
|
|
Dnscmd.exe |
Configure DNS server role |
Command-line |
|
|
|
|
|
Dnslint.exe |
Test DNS server |
Download from the Microsoft website |
|
|
|
and then use from the command-line |
|
|
|
|
|
Nslookup.exe |
Test DNS name resolution |
Command-line |
|
|
|
|
|
Ping.exe |
Simple test of DNS name resolution |
Command-line |
|
|
|
|
|
Ipconfig.exe |
Verify and test IP functionality and view |
Command-line |
|
|
or clear the DNS client resolver cache |
|
|
|
|
|
PROHIBITED USE STUDENT .ONLY USE MCT
|
|
3-1 |
|
|
|
|
|
|
|
Module 3 |
|
MCT |
||
|
USE |
|||
Maintaining Active Directory Domain Services |
|
|||
Contents: |
|
|||
|
.ONLY |
|||
Module Overview |
3-1 |
|||
Lesson 1: Overview of AD DS |
3-2 |
|||
Lesson 2: Implementing Virtualized Domain Controllers |
3-7 |
|||
Lesson 3: Implementing Read-Only Domain Controllers |
3-11 |
|||
Lesson 4: Administering AD DS |
3-15 |
|||
Lesson 5: Managing the AD DS Database |
3-23 |
|||
|
|
|||
Lab: Maintaining AD DS |
3-32 |
|
|
|
Module Review and Takeaways |
3-38 |
|
|
|
Module Overview
Active Directory® Domain Services (AD DS) is the most critical component in a Windows Server® 2012 domain-based network. AD DS contains important information about authentication, authorization, and resources in your environment. This module focuses on explaining why you implement specific AD DS
features, how important components integrate with each other, and how you can ensure that your |
STUDENT |
||
domain-based network functions properly. |
|||
You will learn about new features, such as virtualized domain controller cloning, recent features like read- |
|||
only domain controllers (RODCs), and a host of other features and tools that you can use in the AD DS |
USE |
||
environment. |
|||
Objectives |
|||
After completing this module, you will be able to: |
|||
PROHIBITED |
|||
• Explain the general structure of AD DS. |
|||
• Implement virtualized domain controllers. |
|||
• |
Implement RODCs. |
||
• |
Administer AD DS. |
||
• |
Manage the AD DS database. |
||
|
|||
3-2 Maintaining Active Directory Domain Services
Lesson 1
Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services, and resources. AD DS domain controllers also host the service that authenticates user and computer accounts when
they sign in to the domain. AD DS stores information about all of the domain’s objects, and all users and computers must connect to AD DS domain controllers when signing into the network. Therefore, AD DS is the primary means by which you can configure and manage user and computer accounts on your network.
This lesson covers the core logical components of an AD DS deployment.
Lesson Objectives
After completing this lesson, you will be able to:
•Describe AD DS components.
•Explain AD DS forest and schema structure.
•Explain AD DS domain structure.
Overview of AD DS Components
AD DS is composed of both physical and logical components. You need to understand the way the components of AD DS work together so that you can maintain your AD DS environment effectively.
Physical Components
AD DS information is stored in a single file on each domain controller’s hard disk. The following table lists some physical components and their storage locations.
Physical component |
Description |
|
|
Domain controllers |
Contain copies of the AD DS database. |
Data store |
The file on each domain controller that stores the AD DS information. |
Global catalog servers |
Host the global catalog, which is a partial, read-only copy of all the objects in |
|
the forest. A global catalog speeds up searches for objects that might be |
|
stored on domain controllers in a different domain in the forest. |
Read-only domain |
A special AD DS install in read-only format. You typically use these in branch |
controllers (RODC) |
offices where security and IT support may be less advanced than in an |
|
enterprise’s main corporate centers. |
|
|
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012 |
MCT |
|
3-3 |
|
|
Logical Components
AD DS logical components are structures that you use to implement an Active Directory design that is appropriate for an organization. The following table describes some of the types of logical structures that an Active Directory database might contain.
Logical component |
Description |
|
|
||
|
|
||||
|
|
|
|
|
|
Partition |
A section of the AD DS database. Although the database actually is just one |
USE |
|||
|
file named NTDS.DIT, users view, manage, and replicate it as if it consists of |
||||
|
|
|
|||
|
distinct sections or instances. These are partitions, or naming contexts. |
|
|
||
|
|
|
|||
Schema |
Defines the list of object types and attributes that all AD DS objects can have. |
||||
|
|
|
|
||
Domain |
A logical, administrative boundary for users and computers. |
|
|
||
|
|
|
|
||
Domain tree |
A collection of domains that share a common root domain and a Domain |
ONLY. |
|||
|
Name System (DNS) namespace. |
||||
Forest |
A collection of domains that share a common AD DS. |
||||
|
|
||||
|
|
|
|
||
Site |
A collection of users, groups, and computers, which are defined by their |
|
|
||
|
physical locations. Sites are useful in planning administrative tasks such as |
|
|
||
|
replication of changes to the AD DS database. |
|
|
||
|
|
|
|||
OU |
Organizational units (OUs) are containers in AD DS that provide a framework |
||||
|
for delegating administrative rights and for linking Group Policy Objects |
|
|
||
|
(GPOs). |
|
|
||
|
|
|
|
||
Understanding AD DS Forest and Schema Structure |
STUDENT |
||||
In AD DS forest and schema structure are |
|
||||
|
|
|
|||
|
USE |
||||
important for the defining the functionality and |
|
||||
scope of your environment. |
|
||||
AD DS Forest Structure |
|
||||
A forest is a collection of one or more domain |
|
||||
trees. A tree is a collection of one or more |
|
||||
|
|
|
|||
domains. The first domain that is created in the |
|
|
|
||
forest is called the forest root domain. The forest |
|
|
|
||
root domain contains a few objects that do not |
|
|
|
||
exist in other domains in the forest. For example, |
|
|
|
||
the forest root domain contains two special roles, |
|
|
|
||
|
PROHIBITED |
||||
the schema master and the domain naming |
|||||
master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest |
|||||
root domain. The Enterprise Admins group has full control over every domain within the forest. |
|||||
|
|
|
|||
The AD DS forest is a security boundary. This means that, by default, no users from outside the forest can access any resources inside the forest. It also means that administrators from outside the forest have no administrative access within the forest. One of the primary reasons why organizations deploy multiple forests is because they need to isolate administrative permissions between different parts of the organization.
3-4 Maintaining Active Directory Domain Services
The AD DS forest is also the replication boundary for the configuration and schema partitions in the |
MCT |
|
AD DS database. This means that all domain controllers in the forest must share the same schema. A |
||
second reason why organizations deploy multiple forests is because they must deploy incompatible |
||
|
||
schemas in two parts of the organization. |
|
The AD DS forest is also the replication boundary for the global catalog. This makes most forms of collaboration between users in different domains easier. For example, all Microsoft® Exchange Server 2010
recipients are listed in the global catalog, making it easy to send mail to any of the users in the forest, |
USE |
|
even those users in different domains. |
||
|
||
By default, all the domains in a forest automatically trust the other domains in the forest. This makes it |
|
|
easy to enable access to resources such as file shares and websites for all users in a forest, regardless of |
|
|
the domain in which the user account is located. |
|
AD DS Schema Structure
The AD DS schema is the AD DS component that defines all object types and attributes that AD DS uses to
store data. It is sometimes referred to as the blueprint for AD DS. |
ONLY. |
|
AD DS stores and retrieves information from a wide variety of applications and services. AD DS |
||
|
||
standardizes how data is stored so that it can store and replicate data from these various sources. By |
|
|
standardizing how data is stored, AD DS can retrieve, update, and replicate data, while ensuring that the |
|
|
integrity of the data is maintained. |
|
|
AD DS uses objects as units of storage. All object types are defined in the schema. Each time that the |
|
|
directory handles data, the directory queries the schema for an appropriate object definition. Based on |
|
|
the object definition in the schema, the directory creates the object and stores the data. |
|
|
Object definitions control both the types of data that the objects can store, and the syntax of the data. |
|
|
Using this information, the schema ensures that all objects conform to their standard definitions. As a |
|
|
result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that |
|
|
is the original source of the data. Only data that has an existing object definition in the schema can be |
|
|
stored in the directory. If a new type of data needs to be stored, a new object definition for the data must |
||
first be created in the schema. |
STUDENT |
|
|
||
In AD DS, the schema defines the following: |
USE |
|
• Objects that are used to store data in the directory |
||
• Rules that define what types of objects you can create, what attributes must be defined (mandatory) |
||
when you create the object, and what attributes are optional |
||
• Structure and content of the directory itself |
PROHIBITED |
|
You can use an account that is a member of the Schema Administrators to modify the schema |
||
|
||
components in a graphical form. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many attributes are location, accountExpires, buildingName, company, manager, and displayName.
The schema master is one of the single master operations domain controllers in AD DS. Because it is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master operations role.
The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest.
Administering Windows Server® 2012 |
MCT |
|
3-5 |
|
|
Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary.
Before making any changes, you should review the changes through a tightly-controlled process, and |
|
then implement them only after you have performed testing to ensure that the changes will not adversely |
|
affect the rest of the forest and any applications that use AD DS. |
USE |
|
|
Although you might not make any change to the schema directly, some applications make changes to the schema to support additional features. For example, when you install Exchange Server 2010 into your AD DS forest, the installation program extends the schema to support new object types and attributes.
accounts. User accounts provide a mechanism that you can use to authenticate and then authorize users to access resources on the network. Each domain-joined computer must
have an account in AD DS. This enables domain administrators to use policies that are defined in the
domain to manage the computers. The domain also stores groups, which are the mechanism for grouping together objects for administrative or security reasons; for instance, user accounts and computer accounts.
The AD DS domain is also a replication boundary. When changes are made to any object in the domain,
There are several types of objects that can be ONLY.STUDENT stored in the AD DS database, including user
that change is replicated automatically to all other domain controllers in the domain. |
USE |
|
An AD DS domain is an administrative center. It contains an Administrator account and a Domain |
||
|
||
Admins group, which both have full control over every object in the domain. Unless they are in the forest |
||
root domain, however, their range of control is limited to the domain. Password and account rules are |
|
|
managed at the domain level by default. The AD DS domain also provides an authentication center. All |
|
|
user accounts and computer accounts in the domain are stored in the domain database, and users and |
PROHIBITED |
|
computers must connect to a domain controller to authenticate. |
||
|
||
A single domain can contain more than 1 million objects, so most organizations need to deploy only a single domain. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.
A domain controller is a server that you can configure to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the System Volume (SYSVOL) folder. All domain controllers except RODCs store a read/write copy of both NTDS.DIT and the SYSVOL folder. NTDS.DIT is the database itself, and the SYSVOL folder contains all the template settings for GPOs.
Changes to the AD DS database can be initiated on any domain controller in a domain except for RODCs. The AD DS replication service then synchronizes the changes and updates to the AD DS database to all other domain controllers in the domain. Additionally, either the file replication service (FRS), or the newer Distributed File System Replication (DFS-R), replicates the SYSVOL folders.
3-6 Maintaining Active Directory Domain Services
An AD DS domain should always have a minimum of two domain controllers. This way, if one of the domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When you decide to add more than two domain controllers, consider the size of your organization and the performance requirements.
Organization Units
An OU is a container object within a domain that you can use to consolidate users, groups, computers, and other objects. There are two reasons to create OUs:
USE MCT
• To configure objects contained within the OU. You can assign GPOs to the OU, and the settings apply
to all objects within the OU. GPOs are policies that administrators create to manage and configure ONLY computer and user accounts. The most common way to deploy these policies is to link them to OUs.
• To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to a user or group within AD DS other than the administrator.
.
•Domain container. Serves as the root container to the hierarchy.
•Users container. The default location for new user accounts and groups that you create in the domain. The users container also holds the administrator and guest accounts for the domain, and some default groups.
•Computers container. The default location for new computer accounts that you create in the domain.
•Domain Controllers OU. The default location for the computer accounts for domain controller computer accounts. This is the only OU that is present in a new installation of AD DS.
Note: None of the default containers in the AD DS domain can have GPOs linked to them, except for the default Domain Controllers OU and the domain itself. All the other containers are just folders. To link GPOs to apply configurations and restrictions, create a hierarchy of OUs, and then link GPOs to them.
PROHIBITED USE STUDENT
|
Administering Windows Server® 2012 |
|
MCT |
||
|
3-7 |
|
|||
Lesson 2 |
|
|
|
||
Implementing Virtualized Domain Controllers |
|
USE |
|||
Virtualization is a common practice in IT departments. The consolidation and performance benefits that |
|||||
|
|
||||
virtualization provides are great assets to any organization. Windows Server 2012 AD DS and domain |
|
|
|
||
controllers are now more aware of virtualization. In this lesson, you will learn the considerations for |
|
|
|
||
implementing virtualized domain controllers in Windows Server 2012, and how you can deploy and |
|
|
|
||
manage these domain controllers in the AD DS environment. |
|
.ONLY |
|||
Lesson Objectives |
|
||||
|
|
|
|||
After completing this lesson, you will be able to: |
|
|
|
||
• Identify considerations for implementing cloned virtualized domain controllers. |
|
|
|
||
• Explain how to deploy a cloned virtualized domain controller. |
|
|
|
||
• Describe how to manage virtualized domain controller snapshots. |
|
STUDENT |
|||
Understanding Cloned Virtualized Domain Controllers |
|
||||
|
|
|
|||
Windows Server 2012 introduces virtualized |
|
|
|
|
|
|
|
|
|
||
domain-controller cloning. In previous Windows |
|
|
|
||
Server versions, domain controllers that were |
|
|
|
||
running within a virtual machine were unaware of |
|
|
|
||
their virtual state. This made performing processes |
|
|
|
||
like cloning and restoring virtual machine |
|
|
|
||
snapshots potentially dangerous, because changes |
|
|
|
||
could occur to the operating-system environment |
|
|
|
||
that the domain controller did not expect. For |
|
|
|
||
example, two domain controllers cannot coexist in |
|
USE |
|||
the same forest with the same name, invocation |
|
||||
|
|
|
|||
ID, and directory system agent (DSA) globally
unique identifier (GUID). In earlier Windows versions prior to Windows Server 2012, you created virtualized domain controllers by deploying a Sysprepped base server image, and then promoting it manually to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs provide two significant benefits:
•You can clone domain controllers safely to deploy additional capacity and save configuration time.
•Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.
Cloning VDCs in Windows Server 2012
In Windows Server 2012, cloning virtual machines that act as domain controllers provides the ability
to deploy domain controllers rapidly in your environment. For example, you may need to increase your environment’s domain controllers to support increased AD DS usage. You can deploy additional domain controllers quickly with the following process:
PROHIBITED
1.Run the cloning operation on an existing VDC.
2.Shut down the existing VDC, and then use Hyper-V to export the virtual machine files.
3-8 Maintaining Active Directory Domain Services |
MCT |
|
|
|
|
|
|
|
3.Start the existing VDC (if it’s intended to continue in production usage).
4.Use Hyper-V to import the virtual machine files as a new virtual machine, and then start the virtual machine, which now contains the new domain controller.
Virtual domain controller cloning provides the following benefits in Windows Server 2012: |
USE |
||
• Rapid domain-controller deployment in a new forest or domain. |
|||
• Scalable provisioning of domain controllers to handle increased load. |
|||
|
|
||
• Quick replacement or recovery of domain controllers for business continuity. |
|
|
|
• Fast provisioning of test environments. |
.ONLY |
||
Safe Cloning |
|||
Domain controllers have unique characteristics that make unmanaged cloning detrimental to the AD DS |
|||
database-replication process. Domain controllers that are simply cloned end up with the same name, |
|||
which is unsupported within the same domain or forest. In previous Windows Server versions, you had |
|||
to prepare a domain controller for cloning by using sysprep. After the cloning process, you then had to |
|||
promote the new server to a domain controller manually. |
USESTUDENT |
||
With Safe Cloning in Windows Server 2012, a cloned domain controller automatically runs a subset of the |
|||
sysprep process, and promotes with the existing local AD DS data as installation media. |
|||
Safe Backup and Restore |
|||
Rolling back to a previous snapshot of a VDC is problematic because AD DS uses multimaster replication |
|||
that relies on transactions being assigned numeric values called Update Sequence Numbers (USNs). The |
|||
VDC tries to assign USNs to prior transactions that have already been assigned to valid transactions. This |
|||
|
|
||
causes inconsistencies in the AD DS database. Windows Server 2003 and newer implements a process that |
|||
is known as USN rollback protection. With this in place, the VDC does not replicate, and you must demote |
|||
it forcibly or manually restore it. |
|
|
|
Windows Server 2012 now detects the snapshot state of a domain controller, and synchronizes or |
|
|
|
replicates the delta of changes, between a domain controller and its partners for AD DS and the SYSVOL. |
|
|
|
You now can use snapshots without risk of permanently disabling domain controllers and requiring |
|
|
|
manually forced demotion, metadata cleanup, and repromotion. |
|
|
|
Deploying a Cloned Virtualized Domain Controller |
|
|
|
When deploying a VDC, consider the following |
|
|
|
|
|
|
|
regarding installation: |
|
|
PROHIBITED |
• All Windows Server 2012 computers support |
|
|
|
|
|
|
|
VDC cloning automatically. |
|
|
|
• The following requirements must be met to |
|
|
|
support VDC cloning: |
|
|
|
o The primary domain controller (PDC) |
|
|
|
Emulator FSMO role must be located on |
|
|
|
a Windows Server 2012 domain |
|
|
|
controller. |
|
|
|
|
|
|
|