Module 2 - ID College


Microsoft Official Course®
Module 2
Advanced Deployment and
Administration of AD DS
Module Overview
• Deploying AD DS
• Deploying and Cloning Virtual Domain Controllers
• Deploying Domain Controllers in Windows Azure
• Administering AD DS
Lesson 1: Deploying AD DS
• Overview of AD DS Deployment
• Remote Deployment of AD DS
• Demonstration: Remote Deployment of Domain
Controllers
• Upgrading and Migrating to Windows
Server 2012 R2 AD DS
Overview of AD DS Deployment
Information required before deploying an AD DS domain controller:
AD DS and DNS infrastructure:
• AD DS structure
• New domain/forest or existing domain
• DNS infrastructure information
Windows Server installation options:
• Server Core installation
• Server with a GUI
• Server Core with Minimal Server Interface
• Change using Windows PowerShell
• Feature on demand to minimize installation binaries
Physical, virtual, or cloud installation:
• Not many reasons not to go virtual
• Must not have single point of failure
• Some scenarios benefit from cloud deployment
Deployment options:
• Local deployment
• Remote deployment
Remote Deployment of AD DS
• When you install AD DS in Windows Server 2012 R2, you must use:
• The Windows PowerShell cmdlet Install-ADDSDomainController
• Server Manager, which provides a GUI and runs Windows PowerShell in the
background
• Dcpromo.exe is used only for unattended installations to support legacy
processes:
• Role must be added to install binaries, and then AD DS must be configured
• Active Directory Domain Services Configuration Wizard performs:
• Collection of data
• Prerequisite checks
• Preparation of schema and domain if required
• Promotion of domain controller
• Runs the same either locally or remotely
• Consider using RODC when remote locations are unsecure
• Consider using IFM where there is low bandwidth
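The two-step remote deployment above (add the role binaries, then configure AD DS), shown as an added example that is not part of the course material. It promotes LON-SVR1 as an RODC from IFM media; the domain DNS name, site name, IFM path and delegated group are assumptions.

```powershell
# Added example: every name except LON-SVR1 and Adatum is an assumption.
$target  = 'LON-SVR1'                      # server from the course demonstration
$cred    = Get-Credential -Message 'Account allowed to promote DCs in Adatum'
$dsrmPwd = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# Step 1: add the AD DS role binaries on the remote server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName $target

# Step 2: prerequisite checks and promotion, executed on the target itself.
Invoke-Command -ComputerName $target -ArgumentList $cred, $dsrmPwd -ScriptBlock {
    param($Credential, $SafeModePassword)
    Import-Module ADDSDeployment

    $promotion = @{
        DomainName                        = 'Adatum.com'  # assumed DNS name of the lab domain
        Credential                        = $Credential
        SiteName                          = 'Branch1'     # assumed site; must already exist
        ReadOnlyReplica                   = $true         # RODC for a location that is not secure
        InstallDns                        = $true
        InstallationMediaPath             = 'C:\IFM'      # assumed path to RODC IFM media
        DelegatedAdministratorAccountName = 'ADATUM\Branch1-RODC-Admins'  # assumed group
        SafeModeAdministratorPassword     = $SafeModePassword
    }

    # Run the prerequisite checks first and stop on anything other than Success.
    $failed = Test-ADDSDomainControllerInstallation @promotion |
        Where-Object { $_.Status -ne 'Success' }
    if ($failed) {
        throw "Prerequisite check failed: $($failed.Message -join '; ')"
    }

    # Promote; the server restarts when promotion completes.
    Install-ADDSDomainController @promotion -Force
}
```

Delegating local administration of the RODC to a branch group keeps Domain Admins credentials off a server in an unsecure location.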
Demonstration: Remote Deployment of Domain
Controllers
• In this demonstration, you will see how to deploy
an AD DS domain controller remotely when you:
• Add LON-SVR1 to Server Manager on LON-DC1
• Add the AD DS role on a remote server
• Configure AD DS remotely by using Server Manager
Upgrading and Migrating to Windows
Server 2012 R2 AD DS
• Migrations are preferred to in-place upgrades of domain
controllers and are only possible with Windows
Server 2008 SP2 or newer
• When you promote the Server Managers’ domain, you are
performing the forest and domain preparations:
• These can be done separately using Adprep.exe
• Adprep.exe runs on domain member servers and is only available in a 64-bit version
• Test your preparation and migration in a test lab with
production schema
• Verify applications and plan for the first domain controller
• Clean up your infrastructure and consider new features
and functionality after the migration is finished
Lesson 2: Deploying and Cloning Virtual Domain
Controllers
• Virtual Domain Controller Deployment
Considerations
• How Snapshots Affect Domain Controllers
• Domain Controller Virtualization in Windows
Server 2012
• AD DS Domain Controller Cloning
• Demonstration: Domain Controller Cloning
• Domain Controller Virtualization Best Practices
Virtual Domain Controller Deployment
Considerations
• Virtualization benefits for domain controllers:
• Scalable
• Independent of hardware
• Quicker recovery
• Windows Server 2012 is cloud-ready and
virtualization safe
• Considerations for virtualization include:
• Time synchronization
• Domain membership of the virtualization host
• Single point of failure
• Going to the cloud
How Snapshots Affect Domain Controllers
Domain Controller Virtualization in
Windows Server 2012
To support safe virtualization of domain controllers:
• Hypervisor needs to support Virtual Machine Generation Identifier, such as
Hyper-V on Windows Server 2012
• Virtual guest domain controller needs to be on Windows Server 2012 or
newer
Compares stored Virtual Machine Generation Identifier against Virtual Machine
Generation Identifier provided by the Hypervisor
Safeguards are triggered when:
• Snapshot is restored during guest shutdown
• Snapshot is restored while machine is running
Guest employs virtualization safeguards by:
• Invalidating the local RID pool
• Setting a new invocation ID for the domain controller database, effectively
presenting itself as a new domain controller and verifying all objects and
attributes
AD DS Domain Controller Cloning
• Domain controllers can be cloned for:
• Rapid deployment
• Private clouds
• Recovery strategies
• To clone a source domain controller:
• Add the domain controller to the Cloneable Domain
Controllers group
• Verify application and service compatibility
• Create a DCCloneConfig.xml file
• Export once and create as many clones as needed
• Start the clones
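The cloning steps above, written out as an added example that is not part of the course material. LON-DC1 and the VM name 10969A-LON-DC1 come from the lab; the clone name, IP addresses, site name and host paths are assumptions.

```powershell
# Added example: clone name, addresses, site and paths are assumptions.

# --- On the source domain controller (LON-DC1) ---
Import-Module ActiveDirectory
$source = Get-ADComputer -Identity 'LON-DC1'

# 1. Authorize the source for cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $source

# 2. Verify application and service compatibility. Anything returned here has
#    not been declared clone-safe; review each entry before allowing it.
$unverified = Get-ADDCCloningExcludedApplicationList
if ($unverified) {
    $unverified | Format-Table -AutoSize
    throw 'Review the listed items, then allow them with -GenerateXml and re-run.'
}

# 3. Create DCCloneConfig.xml. This file describes a single clone.
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.13' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# 4. Shut down the source so the export captures a consistent disk.
Stop-Computer -Force

# --- On the Hyper-V host ---
$vmName = '10969A-LON-DC1'
$export = 'D:\Export'
Export-VM -Name $vmName -Path $export

# 5. Import a copy with a new VM ID; the changed Virtual Machine Generation
#    Identifier plus DCCloneConfig.xml makes the guest start as a clone.
$config = Get-ChildItem "$export\$vmName\Virtual Machines" -Filter *.xml |
    Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\LON-DC3' -VhdDestinationPath 'D:\VMs\LON-DC3'
Rename-VM -VM $clone -NewName '10969A-LON-DC3'
Start-VM -VM $clone

# --- On a management host with the ActiveDirectory module, after cloning ---
# 6. Remove the standing authorization so the group is empty when no cloning
#    is in progress.
Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity 'LON-DC1') -Confirm:$false
```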
AD DS Domain Controller Cloning
[Flowchart of the domain controller cloning startup process. Decision points: Virtual Machine Generation Identifier exists? Virtual Machine Generation Identifier changed? DCCloneConfig exists? Duplicate IP? Outcomes: Normal Start; Rename DCCloneConfig; Virtualization safeguards triggered; Clone (Succeed: Restart, Fail: Restart in DSRM); Restart in DSRM.]
Demonstration: Domain Controller Cloning
• In this demonstration, you will learn how to:
• Prepare a source domain controller to be cloned
• Export the source virtual machine
• Create and start the cloned domain controller
Domain Controller Virtualization Best Practices
• Avoid single points of failure
• Time service
• Use virtualization technology with the Virtual Machine Generation
Identifier feature
• Use Windows Server 2012 or Windows Server 2012 R2 as
virtualization guests
• Avoid or disable snapshots
• Be aware of security
• Consider taking advantage of cloning in your deployment or recovery
strategy
• Start a maximum number of 10 new clones at the same time
• Consider using virtualization technologies that allow virtual machine
guests to move between sites
• Adjust your naming strategy to allow domain controller clones
Lesson 3: Deploying Domain Controllers in
Windows Azure
• Running AD DS Domain Controllers in Windows
Azure
• Considering Domain Controllers in the Cloud
• Deploying Domain Controllers in the Cloud
Running AD DS Domain Controllers in
Windows Azure
Extending AD DS to the Windows Azure Virtual
Machine clouds provides new scenarios, including:
• Cloud-only deployments, to enable a new forest in the
cloud to:
• Support applications in the cloud that are accessible from the intranet and Internet
• Run applications and AD DS isolated from the corporate directory
• Support extranet applications
• Hybrid deployments, to extend an existing domain to the
cloud to:
• Support corporate applications in the cloud
• Business-to-business authentication by using AD FS out of the cloud
• Support high availability and disaster recovery scenarios
Considering Domain Controllers in the Cloud
Technical considerations:
• Treat domain controllers in Windows Azure as virtual domain controllers
• Put core AD DS data on data disks, not operating system disks
• Optimize your deployment for traffic and costs
• Design your sites and services with the cloud in mind
• Use dynamic TCP/IP settings
• Consider using RODCs
• Design your naming resolution
Deployment considerations:
• Move an existing virtual domain controller to Windows Azure
• Create a new virtual machine, and then connect and promote it to your corporate network
• Use Install from Media to reduce costs
Servicing and maintaining domain controllers in Windows Azure:
• Extend your processes and plan for monitoring and updating
Deploying Domain Controllers in the Cloud
Verify Prerequisites by:
• Creating a virtual network in Windows Azure
• Creating a cloud service in the virtual network
• Deploying a virtual machine in the cloud service, Size L or greater, and attaching a data disk, not an operating system disk
• Verifying the on-premises infrastructure
• Creating subnets and sites for the cloud
• Configuring the cloud-based virtual machine to use on-premises DNS
• Deploying the domain controller
• Installing an additional domain controller in the cloud
• Validating the installation
Lesson 4: Administering AD DS
• Overview of AD DS Management Tools
• What Is Active Directory Administrative Center?
• Demonstration: Using Active Directory
Administrative Center to Administer and Manage
AD DS
• What is the Active Directory Module for Windows
PowerShell?
• Using Windows PowerShell ISE for AD DS
Administration
• Demonstration: Administering AD DS with
Windows PowerShell
Overview of AD DS Management Tools
You typically will perform AD DS management by
using the following tools:
• Active Directory Administrative Center
• Active Directory Users and Computers
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema snap-in
• Active Directory module for Windows PowerShell
What Is Active Directory Administrative Center?
Active Directory Administrative Center is a task-oriented
tool that is based on Windows PowerShell
Demonstration: Using Active Directory Administrative
Center to Administer and Manage AD DS
• In this demonstration, you will learn how to:
• Navigate within Active Directory Administrative Center
• Perform an administrative task within Active Directory Administrative Center
• Create objects
• View all object attributes
• Use the Windows PowerShell History Viewer in Active Directory Administrative Center
What is the Active Directory Module for
Windows PowerShell?
The Active Directory module is the foundation of
management for AD DS:
• GUIs such as Server Manager and Active Directory Administrative Center rely on Windows PowerShell
• Requires ADWS
• Provides 147 cmdlets for management and 10 cmdlets for deployment in Windows Server 2012 R2
Exploring cmdlets for AD DS:
• Get-Command -Module ActiveDirectory
• Get-Command -Module ADDSDeployment
• Get-Help New-ADUser
• Get-Help New-ADUser -Examples
Using Windows PowerShell ISE for AD DS
Administration
Windows PowerShell ISE helps you run commands and write,
edit, run, test, and debug scripts in an environment that
displays syntax coloring and supports Unicode
Demonstration: Administering AD DS with
Windows PowerShell
• In this demonstration, you will see how to
administer AD DS by using Windows PowerShell to:
• Search for all users in the Marketing department
• Change the user properties of all users with a last name beginning with L through Z to the Marketing2 department
• Query OUs not protected from accidental deletion
• Mark all OUs to protect from accidental deletion
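The four demonstration tasks above as Active Directory module commands, in an added example that is not the course's own demonstration script. It assumes the department change applies to users currently in Marketing and previews that bulk change with -WhatIf before anything is written.

```powershell
# Added example: scoping task 2 to Marketing users is an assumption.
Import-Module ActiveDirectory

# 1. Search for all users in the Marketing department.
$marketing = Get-ADUser -Filter 'Department -eq "Marketing"' -Properties Department
$marketing | Select-Object Name, SamAccountName, Department

# 2. Users whose last name begins with L through Z move to Marketing2.
#    -match is case-insensitive, so lower-case surnames are included.
$toMove = $marketing | Where-Object { $_.Surname -match '^[L-Z]' }

# Preview the bulk change first; nothing is written with -WhatIf.
$toMove | Set-ADUser -Department 'Marketing2' -WhatIf

# Apply it once the preview lists only the intended accounts.
$toMove | Set-ADUser -Department 'Marketing2'

# 3. Query OUs not protected from accidental deletion.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object Name, DistinguishedName

# 4. Mark those OUs as protected from accidental deletion.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Verify: this count should now be zero.
(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Measure-Object).Count
```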
Lab: Deploying and Administering AD DS
• Exercise 1: Deploying AD DS
• Exercise 2: Deploying Domain Controllers by
Performing Domain Controller Cloning
• Exercise 3: Administering AD DS
Logon Information:
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 45 minutes
Lab Scenario
You are an IT administrator at A. Datum
Corporation. The company is expanding its
business with several new locations. The AD DS
administration team currently is evaluating the
methods available in Windows Server 2012 for
rapid and remote domain controller deployment.
Also, the team is looking for a way to automate
certain AD DS administrative tasks. The team
wants fast and seamless deployment of new
domain controllers for new locations, and it also
wants to promote servers to domain controllers
from a central location.
Lab Review
• In the lab, you used Active Directory
Administrative Center and the Active Directory
module for Windows PowerShell. Which tool
would you prefer to use for each task?
• In which scenarios can domain controller cloning
be useful?
Module Review and Takeaways
• Review Questions
• Tools
• Best Practice