To get the best foundation for the rest of this chapter, much as we did in Chapter 4, let's actually build an AD DS forest, tree, and domain. In this section, I'll walk you through the process of creating a domain, promoting a domain controller, adding another domain controller to the domain, adding a second child domain, and then adding a few users and groups to the mix.
The first domain in an AD DS setup is special for a few reasons. For one, the setup process for a new domain automatically adds the first domain controller to that domain—the machine on which you run the Active Directory Domain Services Installation Wizard becomes the first domain controller for the new domain. Second, this new domain becomes the root of the entire forest, meaning that it has special powers over other domains you create within the forest, even if their names aren't the same. We'll go over that in a bit.
To start the process, from the machine you want to become the first domain controller for the new domain, select Run from the Start menu, type DCPROMO, and click OK. You might also access this screen after adding the AD DS role within Server Manager; there is a link on the final screen to launch wizard.
The Active Directory Domain Services Installation Wizard starts, as shown in Figure 5-2.
Click Next, and you'll see the Choose a Deployment Configuration screen. Here, you can choose whether to install this machine as a domain controller in an existing forest by adding it to an existing domain or creating a new domain inside an existing forest, or to install this machine in a new domain in a new forest. For this example, select the latter option, and click Next.
You then see the Name the Forest Root Domain screen. Here, you type the fully qualified domain name of the forest root's domain. We'll use corp.windowsservernet.com here and click Next. The wizard will check to see whether the forest name is in use; if not, DCPROMO will continue.
The Set Forest Functional Level screen appears. Here, you can choose the compatibility level at which this new forest will function. There are several choices:
- Windows 2000 forest functional level
This mode supports all types of domain controllers (NT, 2000, Windows Server 2003, and Windows Server 2008), supports only 5,000 members to a single, individual group, and only offers improved global catalog replication benefits when all domain controllers in the domain are running Windows Server 2003 or Windows Server 2008.
- Windows Server 2003 forest functional level
In this level, you lose support for Windows NT and Windows 2000 domain controllers, but you gain support for renaming existing domains, more efficient AD DS replication, and transitive forest trusts.
- Windows Server 2008 forest functional level
Curiously, this level doesn't actually provide any additional features over the Windows Server 2003 forest functional level, but it allows new domains in this forest to operate at the Windows Server 2008 domain functional level, which is indeed equipped with new capabilities.
Choose the option you desire; for our purposes, let's create a forest at the Windows Server 2008 level, so select the third option from the drop-down box and click Next.
DCPROMO will trundle for a while and look at the current machine's DNS configuration. If it doesn't detect a DNS service, it will prompt you to install one on the next screen you see, the Additional Domain Controller Options page. You can choose to install the DNS server, a global catalog server (more on this soon), and a read-only domain controller option (see later in the chapter for more on this option). DNS is required, and as this is the first server in a new forest, it is required to be a global catalog server and cannot be a read-only domain controller. Let's install DNS, so make sure the first box is selected and then click Next.
Tip
You may get a couple of warnings after moving to the next phase. First, Windows Server 2008 will alert you if your machine is currently configured to use a dynamic IP address. For best results, DNS servers should use static IP addresses, so it gives you a chance to use a static IP address. Next, you may get a warning about DNS not being able to find an authoritative parent zone. This is only relevant to you if you are installing a domain controller in an environment where DNS is already set up. Since we're installing DNS from scratch in this procedure, we can ignore it (as the message implies).
The Database and Log Folders screen appears, prompting you to choose where you want the AD DS database (recall that this is the NTDS.DIT file on all domain controllers' hard drives) and where you want the transaction log that keeps track of changes to the directory. If possible, place the database on one drive and the logfile on another drive. This ensures the best performance in production environments. You can use the Browse buttons to choose a location on the physical filesystem, or you can simply type a path into the boxes. Once you've finished choosing a location, click Next to continue.
The Directory Services Restore Mode Administrator Password screen appears. On this screen you can choose the password that will be required of anyone attempting to access the AD DS restore mode tools before Windows boots. Set this password to something that is secure and different from all your other administrator passwords, and then lock it away in a safe place. You probably won't need it very often. Once you've set the password, click Next.
Tip
Let me explain a bit about this special password. The AD DS Restore Mode password is actually a password that is stored in the SAM database for a domain controller, accessible only through specific methods, one being AD DS Restore Mode. Even more interesting, Directory Services Restore Mode is in fact a single-user mode of Windows Server 2008. So, the password for a directory services restore is not stored in the directory at all, meaning it is not replicated to other domain controllers.
Click Next to continue, and finally, the Summary screen appears. Ensure the choices you selected are the ones you wanted, and then click Next to begin the procedure to install AD DS and promote the current machine to a domain controller within your new domain. The installation process will trundle along, until you receive the success notification pictured in Figure 5-3.
Congratulations! You've built a new domain and promoted your machine to a domain controller. You'll need to restart your machine to continue.
Before we go any further, I'd like to discuss the three most common tools you will find yourself using as an AD DS administrator. All of these tools, of course, can be found in Server Manager under the appropriately named role.
The first of these tools is Active Directory Users and Computers, the tool that allows you to create your AD DS structure within a domain, add users and groups, adjust account properties, and generally administer the day-to-day operations of your directory. Figure 5-4 shows the default screen for Active Directory Users and Computers.
Next, there's Active Directory Domains and Trusts, a utility you can use to create trusts between domains and to eventually raise the domain functional level to enable new features for Active Directory. Figure 5-5 shows the default screen for Active Directory Domains and Trusts.
Finally, let's glance at Active Directory Sites and Services, a graphical tool that allows you to design your AD DS structure around how your business is geographically dispersed, making AD DS replication traffic go across links that cost the least and are the fastest. You can also delineate how your organization's computers are addressed via outlining different subnets, thereby increasing the likelihood that clients will log on to domain controllers that are the closest to them. Figure 5-6 shows the default screen for Active Directory Sites and Services.
We'll use each tool in time as we proceed through the remainder of this chapter. For now, let's move on.
Promoting another machine to domain controller status within an existing domain is even easier than promoting the first machine in a new domain. You can use the DCPROMO Wizard to do the job for you in this case, as well.
To begin, start up DCPROMO as before, and on the screen asking you what action you want to perform, select "Additional domain controller for an existing domain," and click Next. The Network Credentials screen will appear, asking you to type in the username and password for a domain administrator account. Do so, and then click Next. Enter the full DNS canonical name of the domain for which you want this machine to become a domain controller, and then click Next. From there, proceed through the wizard starting from the Database and Log Files screen as indicated in the previous section. Once the wizard is finished and your machine has restarted, it is an official domain controller for your domain.
Adding a child domain is equally simple: you use DCPROMO and you tell it to create a new domain, but not a new forest. This will add a subdomain to the existing domain tree. Then the Network Credentials screen will appear, asking for a domain administrator account for any domain located in the forest within which you want to set up the new domain. After that, the Name the New Domain screen will appear, as shown in Figure 5-7.
Here, you need to tell AD DS which domain you want to add on to, and then the name of the child domain to add on to the parent tree. You can use the Browse button to scroll around the directory or simply type the name in. In the second box, enter just the first portion of the new child domain's name. The box at the bottom will adjust automatically to show the full name of the new child domain. Click Next when finished.
Next, you might receive an error depending on the type of forest into which you are trying to install this new domain controller (see Figure 5-8). You may need to run the Active Directory preparation tool, which you can find on the Windows Server 2008 DVD in the \sources\adprep folder. Simply run adprep /forestprep at the command line and the script will automatically take care of any needed forest changes. Once the script completes, you can rerun DCPROMO, re-enter the domain information and new settings, and proceed through the wizard.
Now you can proceed through the wizard, as shown in the previous section. One note of interest, though: if the domain has a lot of information to replicate out to its new domain controller, this promotion process can take a long time. An option is available on the final screen of this wizard that allows you to finish replication later, and you might be tempted to take advantage of it. Although this option does decrease the amount of time it takes to bring a new domain controller in an existing domain online, I prefer to let replication happen immediately. The only instance in which I wouldn't want to do this is if I were bringing up a new domain controller in a branch office with a very slow connection to the home office. In that case, it's OK to wait until off hours and let the replication happen then. In all other cases, I recommend moving ahead with replication and simply waiting it out.
Of course, critical to a multiuser system are user accounts and groups, which you can create within AD DS using the Active Directory Users and Computers tool and which we previewed two sections ago. (In this section, I'll use the acronym ADUC to save me from having to type out Active Directory Users and Computers over and over.) Within ADUC, you can create, change, and delete user accounts; manage groups and their members; and configure Group Policies. The latter is a topic I'll save for Chapter 6.
Let's look at creating users and groups within ADUC. It's a simple process. First, you decide on a username or group name. You can select almost any username or group name for a particular person or group in Windows Server 2008, but you must keep these restrictions in mind:
The name must be unique within a domain (if you are creating a domain user) or on a machine (if you are creating a local user)
The name can be a maximum of 20 characters
The name cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >
The name cannot consist of all spaces or all periods, though individual spaces or periods within a name are acceptable
Tip
Group names have the same restrictions.
Follow these steps to create a user:
Open ADUC.
In the left pane, select the container in which you want the new user to reside. Right-click it and select User from the New menu.
The New Object - User screen appears, as shown in Figure 5-9. Enter the user's first name, middle name, and last name in the appropriate boxes, and the Full name field will populate automatically. Enter the user's preferred logon name in the "User logon name" box, and then click Next.
The next screen is where you enter the user's initial password and a few properties for his account. This is shown in Figure 5-10. Enter and confirm the password, and then decide whether the new user will be prompted to change this password when he logs on, whether he can change his password at all, whether the password will follow the domain's expiration policy, and finally, whether the account is disabled. (Disabled accounts cannot log in.) Click Next.
Confirm the information you have just entered, and click OK to create the user.
To create a new group, follow these steps:
Open ADUC.
In the left pane, select the container in which you want the new user to reside. Right-click it and select Group from the New menu.
The New Object - Group screen appears, as shown in Figure 5-11. Enter a name from the group, its scope as a domain local, global, or universal group, and the type of group (either security or distribution). Click OK.
That's it! You've created a new group.
If you are creating a user, your work is not done yet. You need to configure several additional properties before the user account is ready for use. Right-click the new user within ADUC and select Properties from the context menu. Here's a rundown of each option on the Properties sheet's various tabs.
- General
On the General tab, you can input information such as the user's first, middle, and last name; a description of the user; and her office location, main telephone number, email address, and home page. The General tab is shown in Figure 5-12.
- Address
The Address tab allows you to enter the user's postal service address information and his geographic location. Figure 5-13 shows the Address tab.
- Account
On the Account tab, you can modify the user's logon name, the suffix for her principal name (a concept which I'll explain in a bit), logon hours, and the workstations she is permitted to use. To set logon hours, click the Logon Hours button and then select the block of time you want to either permit or deny. To set permitted workstations, click the Logon To button—but note that you need to have the NetBIOS protocol on your network for that restriction to be enforced.
You also see several options. You can specify that a user must change her password the next time she logs in, that she cannot change her password, that her password never expires, that Windows should store her password using a weaker, reversible encryption scheme, that her account is disabled, that a smart card must be used in conjunction with her password to log on, that the account is to be used for a software service such as Exchange and ought to be able to access other system resources, that the account is not trusted, that DES encryption should be used for the account, or that an alternate implementation of the Kerberos protocol can be used.
The Account tab is shown in Figure 5-14.
- Profile
On the Profile tab, you can specify the path to the user's profile. A user's profile contains the contents of his Desktop and Start menu and other customizations (such as wallpaper and color scheme). You can specify where that profile is stored with the Profile Path option. You also can designate the path to the user's home folder, which is the default location within most Windows applications for a particular user's data to be stored. Plus, you can choose to automatically map a specific drive letter to the user's home folder that you have set up. Figure 5-15 shows the Profile tab.
- Telephones
On the Telephones tab, you can enter different numbers corresponding to this particular user's home, pager, mobile, fax, and IP telephones. The Telephones tab is shown in Figure 5-16.
- Organization
The Organization tab gives you a place to specify the user's official title, the department in which he works, the name of the company where he works, his direct reports, and his manager's name. The Organization tab is shown in Figure 5-17.
- Remote control
This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The "Remote control" tab is shown in Figure 5-18.
- Terminal Services Profile
This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Terminal Services Profile tab is shown in Figure 5-19.
- COM+
On the COM+ tab, you can assign users to applications on COM+ partitions that you have set up on different servers. The COM+ tab is shown in Figure 5-20.
- Member Of
The Member Of tab shows a user's group memberships. By default, all users are members of the Domain Users group. You can click the Add button to add groups to which a user is a member. To remove a user from a current group membership, click Remove. The Member Of tab is shown in Figure 5-21.
- Dial-in
The Dial-in tab is where you configure several remote access options and properties for the user. Routing and remote access are covered in detail in Chapter 11. The Dial-in tab is shown in Figure 5-22.
- Environment
This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Environment tab is shown in Figure 5-23.
- Sessions
This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Sessions tab is shown in Figure 5-24.
You have fewer properties to configure when you create a new group. Those group-specific properties are profiled in the next section.
- General
On the General tab, you can specify the name of the group, a friendly description of it, its email address, its scope and type, and any notes you want to write to yourself or to other administrators. Figure 5-25 shows the General tab.
- Members
The Members tab shows the current members of the group. Click the Add and Remove buttons to add and remove members from the group, respectively. Figure 5-26 shows the Members tab.
You can accomplish a couple of neat tricks using ADUC on multiple accounts at once, reducing some of the tedium involved in making repetitive changes. For one, you can select multiple accounts within ADUC by clicking one account and either:
Holding down the Shift key and selecting another account to completely select the range of accounts within your two initial selections
Holding down the Ctrl key and clicking individual accounts to select them independently
Then you can right-click the group of accounts and perform actions such as changing common properties or sending email. When you right-click multiple accounts and select Properties, the screen in Figure 5-27 appears.
On this screen, you can make changes to multiple accounts at the same time. A subset of the options available on individual accounts is accessible, but such common tasks as changing the UPN suffix of an account, specifying that a user must change her password, or requiring a smart card for logon are easy to accomplish with this screen.
LDAP is the foundation protocol for accessing and modifying the contents of AD DS. You can use LDAP-style strings in conjunction with a couple of command-line tools to automate the creation of users and groups.
First let's look at what makes an LDAP identifier. For instance, let's say my full name is Jonathan Hassell, and I'm in the container SBSUsers within the hasselltech.local domain. My LDAP name, therefore, is:
Cn="Jonathan Hassell",cn=SBSUsers,dc=hasselltech,dc=local
The abbreviation CN refers to the container, and DC refers to the components of a domain name. Likewise, Lisa Johnson in the Marketing container within the Charlotte container of enterprise.com would have an LDAP name of:
Cn="Lisa Johnson",cn=Marketing,cn=Charlotte,dc=enterprise,dc=com
Usernames in the directory are represented by a user principal name, or UPN. UPNs look like email addresses, and in some cases actually can be email addresses, but within the context of LDAP they serve to identify and select a specific user in the directory. So, if my username were jhassell, my UPN would be:
jhassell@hasselltech.local
And if Lisa Johnson's username were ljohnson, her UPN would be:
ljohnson@hasselltech.local
Now that we know how to specify some properties in LDAP, we can use the DSADD utility to create users from the command line. The advantage to using DSADD is that you can script these commands to automate the creation and provision of user accounts.
DSADD adds a user to AD DS. For example, to add a computer named JH-WXP-DSK to the Admin OU while authenticating as the domain administrator account, enter the following:
dsadd computer CN=JH-WXP-DSK,OU=Admin,DC=hasselltech,dc=local -u administrator -p
You will be prompted for a password.
Here's another example: to add user sjohnson (for Scott Johnson, email address sjohnson@hasselltech.local with initial password "changeme") to the Sales OU and make him a member of the Presales group, use the following command:
dsadd user cn=sjohnson,ou=sales,dc=hasselltech,dc=local -upnsjohnson@hasselltech.local-fn Scott -ln Johnson -display "Scott Johnson" -password changeme -emailsjohnson@hasselltech.local-memberof cn=presales,ou=sales,dc=hasselltech,dc=local
Again you will be prompted for a password.
You're getting the picture now. You can also add OUs with DSADD. To add an OU called "support," use this command:
dsadd ou cn=support,dc=hasselltech,dc=local
One of the absolute best features within AD DS is the ability to allow other users to take partial administrative control over a subset of your directory—a process known as delegation. By delegating administrative authority, you can take some of the IT person's burden and place it elsewhere. For example, you might want to give one person in your department the power to reset passwords for other employees in a department. Or you might want to employ some part-time college students to staff a helpdesk and you want to give them the ability to create new users and to help other employees with lost passwords. You can accomplish this easily through AD DS delegation.
There's even a wizard to help you do it. The entire process works something like this:
Let's get started. Within ADUC, select the organizational unit over which you want to delegate powers to others. Right-click it, and select Delegate Control from the pop-up context menu. The Delegation of Control Wizard appears. Click Next off the introductory screen, and the Users or Groups screen appears, as shown in Figure 5-28.
On this screen, click Add, and identify the users or groups to which you want to have the powers assigned. Click Next when you've added the users, and the Tasks to Delegate screen appears, as shown in Figure 5-29.
This screen lists the most common tasks you want to delegate, including such options as managing user accounts, resetting passwords, managing groups, and administering GP. For our example, let's select the second option (to reset user passwords), and click Next.
On the final screen of the wizard, you're asked to confirm your choices. Click Finish to do so, and the delegation is complete.
Warning
Unfortunately, there is no mechanism to log what delegations have been configured. Be sure to keep a very detailed and accurate journal of the delegations you create, as there is no way to track this within the user interface.
However, the new DSREVOKE tool can offer a bit of assistance. This tool can report all permissions for a particular user or group on a set of OUs and, optionally, remove all permissions for that user or group from the ACLs on those OUs. This effectively provides the ability to revoke delegated administrative authority, although it's not as intuitive as a graphical utility might be. You can find more information at http://download.microsoft.com/download/b/1/f/b1f527a9-5980-41b0-b38e-6d1a52a93da5/Dsrevoke.doc.