3- Manage AD DS domain controllers and FSMO roles
First step of the domain controller deployment process
. First, you install the binaries necessary to implement the domain controller role. For this purpose, you can use Windows Admin Center or Server Manager. At the end of the initial installation process, you have installed the AD DS files, but not yet configured AD DS on the server
Install a domain controller on a Server Core installation of Windows Server
. You can use Windows Admin Center, Server Manager, Windows PowerShell, or Remote Server Administration Tools (RSAT) installed on any supported version of Windows Server that has the Desktop Experience feature, or any supported Windows client such as Windows 10.
global catalog
a partial, read-only, searchable copy of all the objects in a forest. The global catalog can help speed up searches for objects that might be stored on domain controllers in a different domain in the forest.
Authoritative restore
allows you to restore a known good copy of AD DS objects, which replaces the current version of these objects in the AD DS database. In an authoritative restore, you start with the same sequence of steps as the nonauthoritative restore. However, before you restart the domain controller, you mark the restored objects that you want to persist as authoritative, so they will replicate from the restored domain controller outbound to its replication partners.
Why are global catalogs needed?
A query within a domain only returns results form within that domain. Not from any other domain in the forest. That is where global catalogs come in
How does recycling bin work
After you enable Active Directory Recycle Bin, the Deleted Objects container displays in Active Directory Administrative Center. Deleted objects persist in this container until their deleted object lifetime expires. For new AD DS deployments, that lifetime is set to 180 days, but you have the option to change it. You can choose to restore the objects either to their original location or to an alternate location within AD DS.
IP addressing
All Azure VMs receive Dynamic Host Configuration Protocol (DHCP) addresses by default, but you can configure static addresses that will persist across restarts and shutdowns.
What questions will you need to answer as part of ADS role config?
Are you installing a new forest, a new tree, or an additional domain controller for an existing domain? What is the Domain Name System (DNS) name for the AD DS domain? Which level will you choose for the forest functional level? Which level will you choose for the domain functional level? Will the domain controller be a DNS server?
Site topology.
As with a physical site, you should define and configure an AD DS site that corresponds to the IP address space of your Azure Virtual Network.
DNS
Azure's built-in DNS does not meet the requirements of AD DS, such as Dynamic DNS and service (SRV) resource records. To provide DNS functionality for an AD DS environment in Azure, you can use the Windows Server DNS server role or other DNS solutions available in Azure, such as Azure private DNS zones.
Object defined by schema process
Each time the directory manages data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data.
Nonauthoritative restore
By default, you restore an AD DS backup as of a known good date. Essentially, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. In other words, the domain controller catches up with the rest of the domain by using standard replication mechanisms.
How does AD DS manage to store and retrieve info from a wide variety of applications and serviceS?
By standardizing how AD DS uses data
Domain Controllers best practice
Domain controllers use a multi-master replication process to copy data from one domain controller to another. As a best practice, an AD DS domain should have at least two domain controllers per AD DS site. This makes the AD DS database more available and spreads the authentication load during peak sign-in times.
A forest has two operation master rpoles
Domain naming master. This is the domain controller that you must contact when you add or remove a domain or make domain name changes. Schema master. This is the domain controller in which you make all schema changes.
How are the operation master roles distributed?
Each forest has one schema master and one domain naming master. Each AD DS domain has one relative ID (RID) master, one infrastructure master, and one primary domain controller (PDC) emulator. You can place all five on a DC or distribute them across several DCs
RID master
Every object has a unique security ID. RID master allocates blocks of RID to each DC within the domain to ensure no two DCs assign the same SID twice
What happens if the PDC emulator is unavailable?
If the PDC emulator master is unavailable, users might have trouble signing in until their password changes have replicated to all the domain controllers.
What are the default settings of the role
The first domain controller installed in a forest holds all five roles by default. You can transfer them after deploying additional domain controllers
Multi-master replication
a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group. AD DS uses this to copy data between domain controllers
Plan for AD DS backup and restore
Maintaining the reliability of the Active Directory data is important. Performing regular backups can play a part in this process but knowing how to restore or recover data after a failure is vital.
Does a global catalgo contain all the attributes for each object?
No, only the attributes that may be useful in cross domain searches like givenname, displayname, etc
What are the options you can use when you deploy a DC in an insecure branch office>
One option is to deploy an RODC. The RODC contains a read-only copy of the AD DS database, and by default, it doesn't cache any user passwords. However, you can configure the RODC to cache the passwords for users in the branch office. If an RODC is compromised, the potential loss of information risk is much lower than with a full read/write domain controller.
Who can manage the AD DS schema
Only members of the Schema Admins group in the root domain of the AD DS forest. Use the Active Directory Schema snap-in. AD DS schema does not support deletions.
A domain has the following operation master roles
RID master Infrastructure master PDC emulator master
Restoring deleted AD DS objects by using Recycle Bin
Restoring Objects using traditional backup metods involves downtime. Active Directory Recyclinh Bin provides a straightforward restoration method with no downtime
What snap ins(app) helps you change the role for each role?
Schema master Active Directory Schema Domain-naming master Active Directory Domains and Trusts Infrastructure master Active Directory Users and Computers RID master Active Directory Users and Computers PDC emulator master Active Directory Users and Computers
What are the five Operation master roles?
Schema master Domain-naming master Infrastructure master RID master PDC emulator master
Relationships among objects, rules, attributes, and classes
Schema objects consists of attributes that are grouped together into classes. ach class has rules that define which attributes are mandatory and which are optional.
Infrastructure master wartning
The infrastructure master role should not reside on the domain controller that's hosting the global catalog role unless every domain controller in the forest is configured to serve as a global catalog. In this case, the infrastructure master role is not necessary because every domain controller knows about every object in the forest.
Philosophy of maintaining Domain Controllers
There are operational aspects applicable to every AD DS environment that focus on maintaining business continuity of the authentication services. This includes backup and recovery of domain controllers, and the AD DS objects they host.
When is a nonauthoritative restore useful
This type of restore is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. However, in some scenarios, this approach is not suitable. For example, this will not enable you to recover an object you deleted after the backup took place, if that deletion has replicated to other domain controllers. If you restore a known good version of AD DS and restart the domain controller, the deletion that happened after the backup took place will simply replicate back to the domain controller.
Considerations when implementing AD DS in Azure
To meet AD DS requirements, you must create an Azure Virtual Network and attach your VMs to it. If you intend to join an existing on-premises AD DS infrastructure, you can extend network connectivity to your on-premises environment. You can achieve this through hybrid connectivity methods such as a virtual private network (VPN) connection or an Azure ExpressRoute circuit, depending on the speed, reliability, and security that your organization requires.
AD DS backup and restore
To restore AD DS, a backup must explicitly include system state data. System state is a collection of critical OS and server role files that include the AD DS database and the registry. To perform an AD DS restore, you must have full access to the files on the domain controller. This requires restarting the domain controller in DSRM. If you're restarting a domain controller locally, open the advanced startup options and choose the DSRM from the menu. When you start a domain controller in DSRM, you will sign in as Administrator with the DSRM password. You then can use Windows Server Backup to restore the directory database. After completing the restore process, you must restart the server you are recovering. The domain controller will ensure that its database is consistent with the rest of the domain by pulling from its replication partners the changes to the directory that have occurred since the date of the backup.
Objects
Units of storage. All defined by the schema
Upgrade DC rom previous version
Upgrade the OS on existing domain controllers that are running Windows Server 2012 R2 or later. Add servers running Windows Server 2022 as domain controllers in a domain that already has domain controllers running earlier Windows Server versions. Latter method recommended
seizing the role
When the role is swapped during an emergency when one of the holders ins unavbailable
transferring the role.
When you swap roles between domain controllers.
Whata re the other questions you will need to answeR?
Will the domain controller host the global catalog? Will the domain controller be a read-only domain controller (RODC)? What will be the Directory Services Restore Mode (DSRM) password? What is the NetBIOS name for the AD DS domain? Where will the database, log files and SYSVOL folders be created?
Install a domain controller from media
YOu can install from a USB
How do you seize a role?
You cannot use AD DS snap ins to do it. You must use either ntdsutil.exe sommand line tool or powershell
Disks
You have control of caching Azure VM disk configurations. When you install AD DS to an Azure VM, you should place the NTDS.DIT and SYSVOL files on one of its data disks, and set the Host Cache Preference setting of that disk to NONE.
When should you change the schema
You should change the schema only when necessary because the schema controls the storage of information. Additionally, any changes made to the schema affect every domain controller. Before you change the schema, you should review the changes and implement them only after you've performed testing. This will help ensure that the changes Won't adversely affect the rest of the forest or any applications that use AD DS.
How many global catalogs should you have in a single domain
You should configure all domain controllers to have a copy of the global catalgo
What do object definitions specify
both the types of data that the objects can store and the data syntax. You can only create objects that the schema defines. Because objects store data in a rigidly defined format, AD DS can store, retrieve, and validate the data that it manages, regardless of which application supplies it.
Second step
configure AD DS role. The simplest way to perform this configuration is by using the Active Directory Domain Services Configuration Wizard. You start the wizard by selecting the AD DS link in Server Manager.
Infrastructure master
maintains interdomain object references, such as when a group in one domain has a member from another domain. In this situation, the infrastructure master manages maintaining the integrity of this reference. If the infrastructure master is unavailable, domain controllers that are not global catalogs will not be able to perform translation of SIDs security principal names.
AD DS operation master roles
responsible for performing operations that are not suitable for a multiple-master model. A domain controller that has one of these roles is an operations master. An operations master role is also known as a Flexible Single Master Operation (FSMO) role.
PDC emulator master
serves as the time source for the domain. The PDC emulator master in each domain in a forest synchronizes their time with the PDC emulator master in the forest root domain. You set the PDC emulator master in the forest root domain to synchronize with a reliable external time source. Additionally, by default, changes to Group Policy Objects (GPOs) are by default written to the PDC Emulator master. The PDC emulator master is also the domain controller that receives urgent password changes.
Schema
the component that defines all the object classes and attributes that AD DS uses to store data. All domains in a forest contain a copy of the schema that applies to that forest. Any change in the schema replicates to every domain controller in the forest via their replication partners. However, changes originate at the schema master.
Structural class
the only type of class that can have objects in an AD DS database. To modify the schema, you can create an auxiliary class with its own attributes, and then reference it in the definition of a structural class.
Examples of this relationship
the user class consists of more than 400 possible attributes, including cn (the common name attribute), givenName, displayName, objectSID, and manager. Of these attributes, the cn and objectSID attributes are mandatory.