Windows Lesson 3 - Installing and Managing Active Directory
In this lesson we're going to learn how to install Active Directory on a server, and how to use the Active Directory Administrative Center.
Installing Active Directory Domain Services
In Windows 2000 Server through Windows Server 2003 R2 Active Directory Domain Services were preinstalled and you could promote a server to a Domain Controller by starting the promotion wizard. Since Windows Server 2008 Active Directory Domain Services were not installed by default. Before we can promote our server we have to install the Active Directory Domain Services role.
You can install Active Directory Domain Services using the Add Roles and Features wizard in Server Manager. Click Manage at the top, and select Add Roles and Features from the drop down wizard.
During the wizard you'll select Active Directory Domain Services role.
When you select the role the wizard will recommend a list of features that will help you manage Active Directory.
Once the install's done Server Manager will provide a shortcut to promote the server to a domain controller.
Promoting a Server to a Domain Controller
Once you have installed the Active Directory Domain Services Role on a server you can promote it to be a Domain Controller. When you promote a server to a Domain Controller you have three options.
1:) Add a domain controller to an existing domain - Builds redundancy in an already existing domain.
2a:) Add a new domain to an existing forest - Allows you to add a child domain. i.e. sales.gotohull.com
2a:) Add a new domain to an existing forest - Allows you to add a new tree domain. i.e. cis232.com
3:) Add a new forest - Allows you to create a new domain where no infrastructure exists.
In lesson 2 we learned the terms forest and tree. We can see the three options above would allow us to create a forest, or make it larger by add domains to existing trees, or build new tree's in your forest.
When installing Active Directory you are asked to supply a password for Directory Services Restore Mode (DSRM). DSRM is a mode that lets you log in and perform maintenance tasks on the Active Directory database. If something happens with your database you can log into DSRM and attempt to repair it. In a live environment make sure you remember your DSRM password.
DNS is required to for Active Directory. If you don't have DNS installed on your server it will automatically install it for you.
When the server is promoted to a Domain Controller we'll see the appropriate tiles have been added to Server Manager.
Active Directory Administrative Center
Once you promote a server to a Domain Controller you'll see some new tools listed in the Tools drop down menu. We will be using Active Directory Administrative Center.
In Active Directory Administrative Center when in tree mode we see something that looks like a folder structure. We see our domain listed at the top with folders underneath. There are two types of folders, we can have containers and organizational units. You can tell the difference by the icon on the folder. An organizational unit has a square in the corner, where a container has no icon on the folder. In a Windows NT domain all your users were in one large list. The Users container is this list carried over. Since Windows 2000 Server we've been able to organize our domain objects into OUs creating a logical structure to our network.
The containers are there for system objects and legacy support and have limited functionality. If we view the properties of a container and compare it to an organizational unit we'll see a lot of missing things. The main difference between a container and an OU is you can not apply a group policy to a container. We are going to learn more about group policies in a later lesson.
Organizing Active Directory
You can create your own OUs in Active Directory to organize your infrastructure. There are many ways to design our OU infrastructure and what you choose will depend on your organization. Below is an example of organizing based on physical location. We see two OUs at the top level for each of our physical locations, Queensbury and Wilton. Under each OU we have OUs for Computers and Users, and under each we break it down even farther. You would put your user and computer objects in the correct OUs.
Another method for organizing your OUs would be by object type. At the top level we would create an OU for computers, and a separate for users. Then we would create sub OUs for the sites.
Creating OUs and Users
You can create OUs and Users using Active Directory Administrative Center. First you select where you want the OU or user to go in the Active Directory tree on the left side which can be accessed by clicking the triangle next to the domain.
Once you're in the correct location you can create a new OU by clicking New in the Tasks list and select Organizational Unit.
You need to provide a name for the OU at the very least. But you can also set other attributes for the OU at the same time.
Creating a user is done using the same method. You can click New in the Tasks section and select User.
You need to provide at least a full name and a username. But you can populate other attributes at this time too. As you fill out the first and last name fields it will generate the full name for you. Same thing with the UPN (User Principal Name) login, when you type that in it will automatically populate the SamAccountName username.
If you scroll down you'll see more attributes you can set during the creation process.
We can see the relationship between objects and attributes when we view the properties of a user in Active Directory. The properties window shows many of the different attributes for the user object. They are sorted into categories separated by tabs at the side. As you scroll on the right side you switch between the different sections.
At the bottom you can see the attributes that haven't made it to the new Administrative Center including a tab that includes a list of all the attributes for this object type.