Windows Lesson 03 - Installing and Managing Active Directory


In this lesson we're going to learn how to install Active Directory on a server, and how to use the Active Directory Users and Computers tool.

Installing Active Directory Domain Services

Windows 2000 Server through Windows Server 2003 R2 shipped with the Active Directory binaries in place, so you promoted a server to a Domain Controller simply by running the promotion wizard (dcpromo).  Since Windows Server 2008 the Active Directory Domain Services role is not installed by default, so the role has to be added before the server can be promoted.  (Since Windows Server 2012 dcpromo itself is deprecated; promotion is done from Server Manager or with the Install-ADDS* PowerShell cmdlets.)

You can install Active Directory Domain Services using the Add Roles and Features wizard.  You start the wizard from Server Manager: click Manage at the top and select Add Roles and Features from the drop-down menu.
Installing Active Directory Domain Services

Promoting a Server to a Domain Controller

Once you have installed the Active Directory Domain Services Role on a server you can promote it to be a Domain Controller.  When you promote a server to a Domain Controller you have three options.

Add a domain controller to an existing domain - Builds redundancy in an already existing domain.

Add a new domain to an existing forest - Allows you to add either a child domain or a new tree.

Add a new forest - Allows you to create a new domain where no infrastructure exists.

In lesson 2 we learned the terms forest and tree.  The three options above let us create a forest, or make an existing forest larger by adding domains to existing trees or building new trees in it.  The video below shows the process of creating a new forest.
Promoting a Server to a Domain Controller

When promoting the server you are asked to supply a password for Directory Services Restore Mode (DSRM).  DSRM is a boot mode in which the directory database is offline and you log on with a local Administrator account to perform maintenance on it.  If something happens to your database you can boot into DSRM and attempt to repair or restore it.  In a live environment make sure you record your DSRM password: it is a local administrator credential for the Domain Controller, so store it as you would any privileged password.  It can be changed later with ntdsutil (set dsrm password), but only by someone who already has administrative access.

When the server is promoted to a Domain Controller we'll see the appropriate tiles have been added to Server Manager.
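The same role install and "Add a new forest" promotion from PowerShell, as an added example that is not part of the lesson.  The domain name corp.example.com, the NetBIOS name CORP, the paths and the WinThreshold (Windows Server 2016) functional level are assumptions for the example; the other two wizard options are shown as comments with the cmdlets that perform them.

```powershell
# Added example (not from the lesson): AD DS role install and "Add a new forest"
# promotion from PowerShell. Domain name, NetBIOS name, paths and functional level
# are assumptions for this example.

# 1. Install the role. Nothing is promoted yet; this only adds the binaries and tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Take the DSRM password interactively so it never lands in a script file or the
#    PowerShell history. It becomes the local Administrator password of this DC in DSRM.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

$params = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# 3. Dry run: the same prerequisite checks the wizard performs, without changing anything.
Test-ADDSForestInstallation @params

# 4. Promote ("Add a new forest"). The server reboots when this completes.
Install-ADDSForest @params -Force

# The other two wizard options, for reference:
#   Add a domain controller to an existing domain:
#   Install-ADDSDomainController -DomainName 'corp.example.com' -InstallDns `
#       -Credential (Get-Credential) -SafeModeAdministratorPassword $dsrmPassword
#   Add a new domain to an existing forest (child domain; use -DomainType TreeDomain
#   with a full DNS name for a new tree):
#   Install-ADDSDomain -NewDomainName 'sales' -ParentDomainName 'corp.example.com' `
#       -DomainType ChildDomain -Credential (Get-Credential) -SafeModeAdministratorPassword $dsrmPassword

# After the reboot, confirm the DC and the FSMO roles it holds:
# Get-ADDomainController | Select-Object Name, Domain, Forest, OperationMasterRoles
```

Run the Test-ADDSForestInstallation step first on its own; it reports the same warnings the wizard shows (DNS delegation, functional level) before anything is written to disk.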

Active Directory Users and Computers

Once you promote a server to a Domain Controller you'll see some new tools listed in the Tools drop down menu.  We will be using Active Directory Users and Computers.

In Active Directory Users and Computers we see something that looks like a folder structure.  Our domain is listed at the top with folders underneath.  There are two types of folders: containers and organizational units.  You can tell the difference by the icon on the folder.  An organizational unit has a small icon on the folder that looks like a book, whereas a container has a plain folder.  In a Windows NT domain all your users were in one flat list.  The Users container is that list carried over.  Since Windows 2000 Server we have been able to organize our domain objects into OUs, giving a logical structure to our network.

The containers are there for system objects and legacy support and have limited functionality.  If we view the properties of a container and compare them to those of an organizational unit we see a lot of things missing.  The main difference between a container and an OU is that a Group Policy Object can be linked to an OU (and to the domain and to sites) but not to a container.  This matters in practice: new user and computer accounts are created in the Users and Computers containers by default, where no OU-linked policy reaches them, until they are moved into an OU or the defaults are redirected with the redirusr and redircmp tools.  We are going to learn more about group policies in a later lesson.
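Telling containers from OUs by their objectClass rather than by icon, and checking where new accounts land by default, as an added example that is not part of the lesson.  It uses the ActiveDirectory module on a promoted DC; the Staging OUs named in the commented redirusr/redircmp lines are an assumption and would have to exist first.

```powershell
# Added example (not from the lesson): containers vs OUs by objectClass, and the
# default location of new accounts. The Staging OUs are an assumption.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Top-level children of the domain. Containers are named CN=..., OUs are OU=...
# gPLink holds the GPOs linked to an object; only OUs (and the domain) can carry it.
Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "container" -or objectClass -eq "organizationalUnit"' `
    -Properties gPLink |
    Select-Object Name, ObjectClass,
        @{ Name = 'CanLinkGpo'; Expression = { $_.ObjectClass -eq 'organizationalUnit' } },
        @{ Name = 'LinkedGpos'; Expression = {
            ([regex]::Matches([string]$_.gPLink, '\{[0-9A-Fa-f-]+\}') | ForEach-Object { $_.Value }) -join ','
        } }

# New users and computers are created here unless a path is given explicitly.
# Both are plain containers, so no OU-linked policy ever applies to them.
$domain | Select-Object UsersContainer, ComputersContainer

# Redirect the defaults into OUs you control (run once, as a Domain Admin,
# after the target OUs exist). Both tools ship with Windows Server.
# redirusr "OU=Staging,OU=Users,$($domain.DistinguishedName)"
# redircmp "OU=Staging,OU=Computers,$($domain.DistinguishedName)"
```

On a fresh domain the listing shows the Domain Controllers OU with the Default Domain Controllers Policy GUID in LinkedGpos, and the Users and Computers containers with CanLinkGpo false.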

Organizing Active Directory

You can create your own OUs in Active Directory to organize your infrastructure.  There are many ways to design an OU structure and what you choose will depend on your organization.  Below is an example of organizing based on physical location.  We see two OUs at the top level, one for each of our physical locations, Queensbury and Wilton.  Under each location OU we have OUs for Computers and Users, and under each of those we break it down even further.  You would put your user and computer objects in the appropriate OUs.

Another method for organizing your OUs would be by object type.  At the top level we would create an OU for computers and a separate one for users.

Creating OUs and Users

You can create OUs and users using Active Directory Users and Computers.  First you select where you want the OU or user to be created in the Active Directory tree on the left side, then you start the New Organizational Unit or New User wizard to create it.  You can see each object type being created in the video below.
Create an OU and a User
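The location-based layout from the previous section and a user inside it, created from PowerShell rather than the ADUC wizards, as an added example that is not part of the lesson.  The sub-OU names (Staff, Admins, Workstations, Servers) and the user jsmith are assumptions.

```powershell
# Added example (not from the lesson): build the Queensbury/Wilton OU layout and
# create one user in it. Leaf OU names and the user are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName           # e.g. DC=corp,DC=example,DC=com

# Site -> object type -> finer split, as in the lesson's location-based design
$layout = @{
    'Queensbury' = @{ 'Users' = @('Staff', 'Admins'); 'Computers' = @('Workstations', 'Servers') }
    'Wilton'     = @{ 'Users' = @('Staff', 'Admins'); 'Computers' = @('Workstations', 'Servers') }
}

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try {
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null   # already there
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # ADUC sets "Protect object from accidental deletion" by default; do the same here
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

foreach ($site in $layout.Keys) {
    $siteDN = New-OuIfMissing -Name $site -ParentDN $domainDN
    foreach ($type in $layout[$site].Keys) {
        $typeDN = New-OuIfMissing -Name $type -ParentDN $siteDN
        foreach ($leaf in $layout[$site][$type]) {
            New-OuIfMissing -Name $leaf -ParentDN $typeDN | Out-Null
        }
    }
}

# Create the user directly in the correct OU instead of in the Users container.
# New-ADUser creates a disabled account unless -Enabled $true and a password are given.
$userOU = "OU=Staff,OU=Users,OU=Queensbury,$domainDN"
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for jsmith'
New-ADUser -Name 'John Smith' -GivenName 'John' -Surname 'Smith' `
    -SamAccountName 'jsmith' -UserPrincipalName "jsmith@$($domain.DNSRoot)" `
    -Path $userOU -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Show the resulting tree under Queensbury
Get-ADOrganizationalUnit -SearchBase "OU=Queensbury,$domainDN" -Filter * | Select-Object DistinguishedName
```

The script is safe to re-run: existing OUs are found by DN and left alone, so only missing pieces of the layout are created.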

User Properties

We can see the relationship between objects and attributes when we view the properties of a user in Active Directory.  The properties window shows many of the different attributes of the user object, sorted into categories separated by tabs at the top.  Below are some screenshots of a few of the tabs.
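Reading the attributes behind the ADUC property tabs with Get-ADUser, and decoding the userAccountControl bit field that the Account tab's checkboxes are drawn from, as an added example that is not part of the lesson.  The account name jsmith is an assumption.

```powershell
# Added example (not from the lesson): the attributes behind the ADUC tabs, and
# the userAccountControl bits that matter for security. The account is an assumption.
Import-Module ActiveDirectory

# Get-ADUser returns about ten attributes by default; -Properties * fetches all of them
$u = Get-ADUser -Identity 'jsmith' -Properties *

# A few tabs and the attributes they display
[pscustomobject]@{
    'General'   = "$($u.GivenName) $($u.Surname) <$($u.mail)> - $($u.Description)"
    'Account'   = "$($u.UserPrincipalName); password last set $([DateTime]::FromFileTime($u.pwdLastSet))"
    'Member Of' = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join '; '  # assumes no escaped commas in group names
    'Object'    = "$($u.DistinguishedName) created $($u.whenCreated)"
}

# The Account tab's checkboxes are bits of the userAccountControl attribute
function Get-UacFlags {
    param([int]$Uac)
    $bits = [ordered]@{
        ACCOUNTDISABLE         = 0x0002
        PASSWD_NOTREQD         = 0x0020     # password may be blank
        DONT_EXPIRE_PASSWORD   = 0x10000
        TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
        DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication disabled
    }
    $bits.GetEnumerator() | Where-Object { $Uac -band $_.Value } | ForEach-Object { $_.Key }
}
Get-UacFlags -Uac $u.userAccountControl

# The same check across the whole domain: accounts with no password required (0x20)
# or pre-authentication disabled (0x400000). 4194336 is 0x400020 in decimal.
Get-ADUser -Filter 'userAccountControl -band 4194336' -Properties userAccountControl |
    Select-Object SamAccountName,
        @{ Name = 'Flags'; Expression = { (Get-UacFlags -Uac $_.userAccountControl) -join ',' } }
```

Ticking "Do not require Kerberos preauthentication" or "Password never expires" in ADUC changes nothing but these bits, which is why the domain-wide query at the end is the quickest way to audit what the tabs would show one account at a time.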

