Windows Server 2012 R2 (70-412) Configure Active Directory – Study Guide

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.

  1. Introduction
    1. Not about the basics, this is 412 training so the basics should be in place
    2. Multiple Forests, multiple domains
    3. Configure a Forest or Domain
    4. Configure Trusts
    5. Configure Sites (remember from an era when WAN connectivity and site replication was expensive)
    6. Manage Active Directory and SYSVOL Replication
      1. RODC
  1. Configure a Forest or Domain
    1. implement multi domain and multi forest AD, with interoperability with previous versions of AD.
    2. Upgrading existing domains and forests, including preparation and functional levels
    3. Configure multiple UPN suffixes
    4. A domain tree is a contiguous namespace: contoso.com, denver.contoso.com, paris.contoso.com.
      1. A forest can also hold domains whose names are NOT contiguous. You can have a forest with the following domains:
        1. contoso.com
        2. denver.contoso.com
        3. widget.com
        4. widget.com is a new TREE DOMAIN (a second tree in the same “forest”), as opposed to a CHILD DOMAIN such as denver.contoso.com, which hangs below its parent in the same tree. Both kinds share the forest’s schema, configuration partition and Global Catalog, and are joined to the rest of the forest by automatic two-way transitive trusts.

    5. When would you want a multi-domain structure? (The desired state now is to minimize the number of domains.)
      1. habit, essentially
      2. political or organizational
      3. administrative autonomy (separate admin teams)
      4. data isolation
      5. segregation of replication / authentication / authorization (e.g. a different password policy per domain, which fine-grained password policies now handle inside one domain)
      6. SECURITY is NOT one of the reasons: domains in the same forest are not a security boundary. The forest is the security boundary, because a Domain Admin of any domain in the forest, or anyone who can write to the shared schema or configuration partitions, can take over every other domain in it.
    6. Multi-forest structure
      1. when two forests merge (you purchase a company, etc.)
      2. the two forests are connected by a TRUST of some sort
      3. inter-forest trusts require MANUAL creation (unlike the automatic trusts between domains in one forest)
      4. different requirements for the AD schema can dictate multiple forests (the schema is forest-wide, so one application’s schema extension lands on every domain)
      5. Exchange organizations: only one Exchange organization is allowed per forest, so if your Exchange needs require more than one, you are multi-forest
    7. Permissions required for creation
      1. To build a new forest, Local Admin on first DC (there is no AD yet)
      2. To build a new domain tree or child domain, you must be Enterprise Admin
      3. To add additional DCs, you must be a Domain Admin
    8. Upgrade process for a domain or forest (know this process)
      1. get healthy (make sure everything is working right: replication, DNS, FSMO holders reachable, no lingering objects)
      2. extend the schema (essentially adding columns to the AD database, i.e. new object classes and attributes) with ADPREP
      3. upgrade or replace the DCs with the new OS (ALL DCs must run the new OS before you can raise the functional level). Hopefully you don’t have hundreds of DCs.
      4. relocate FSMO roles if needed (off any DC you are about to retire)
      5. raise the domain functional level, then the forest functional level
    9. DEMO – extend schema
      1. adprep (link above)
      2. adprep.exe lives in \support\adprep on the 2012 R2 media and uses the stack of .ldf files in that same folder. Since 2012, Install-ADDSForest / Install-ADDSDomainController and the AD DS configuration wizard run adprep for you; running it by hand only lets you stage the schema change separately from the first new DC.
      3. remember you can view these attributes in the AD database using ADSI Edit
      4. adprep
        1. first run adprep /forestprep (needs Schema Admins, Enterprise Admins and Domain Admins of the root domain; it targets the schema master)
        2. then adprep /domainprep (Domain Admins, once per domain)
        3. optionally adprep /gpprep (adds the SYSVOL permissions needed for RSoP planning mode) and adprep /rodcprep (required before the first RODC in the forest)
      5. now raise the functional level
        1. AD Domains and Trusts (right-click the domain → Raise Domain Functional Level; right-click the root node → Raise Forest Functional Level), or Set-ADDomainMode / Set-ADForestMode
        2. treat it as a one-way road: since 2008 R2 a level can be lowered again only as far as Windows Server 2008, and only if no feature that depends on the higher level (e.g. the AD Recycle Bin) has been enabled
      6. What’s new in the functional levels
      7. Creating a new UPN suffix
        1. AD Domains and Trusts → right-click the root node → Properties → UPN Suffixes
        2. add the suffixes you want there; the list is forest-wide
        3. then in ADUC you can pick them from the drop-down on the user’s Account tab
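The upgrade checklist above, as an added PowerShell example (mine, not from the course or Greg Shields’ demo). It assumes a forest root domain contoso.com, a user jdoe, a new suffix widget.com and a DC named DC02; the pre-flight checks come first because raising a level with a stale DC or broken replication is the mistake that cannot be undone:

```powershell
# Added example, not from the course. Assumed names: forest/domain contoso.com,
# user jdoe, alternate suffix widget.com, DC02 as the target for forest FSMO roles.
Import-Module ActiveDirectory

# 1. Get healthy: every DC in the forest on the target OS, and no replication failures
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
} | Select-Object Name, Domain, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
$dcs | Format-Table -AutoSize
$tooOld = $dcs | Where-Object { $_.OperatingSystem -notmatch '2012 R2' }
if ($tooOld) { Write-Warning "Upgrade or demote these DCs first: $($tooOld.Name -join ', ')" }
Get-ADReplicationFailure -Scope Forest | Format-Table Server, Partner, FailureCount, LastError

# 2. Schema version (objectVersion 69 = Windows Server 2012 R2; adprep /forestprep raises it)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
(Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

# 3. FSMO role holders; move the forest roles off any DC you are about to retire
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster, ForestMode
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster, DomainMode
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster, DomainNamingMaster

# 4. Raise the levels: domain first, then forest. Both prompt for confirmation; treat them as one-way.
Set-ADDomainMode -Identity contoso.com -DomainMode Windows2012R2Domain
Set-ADForestMode -Identity contoso.com -ForestMode Windows2012R2Forest

# 5. Alternate UPN suffix: a forest-wide setting, then use it on a user account
Set-ADForest -Identity contoso.com -UPNSuffixes @{Add = 'widget.com'}
Set-ADUser -Identity jdoe -UserPrincipalName 'jdoe@widget.com'
(Get-ADForest).UPNSuffixes
```

Run it as an Enterprise Admin from a 2012 R2 DC or a box with RSAT. The OS check is deliberately strict (every DC, every domain) because Set-ADForestMode will refuse, or worse succeed while an RODC you forgot about is still on 2008, only after the schema and domain work is already done.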
  2. Configure Trusts
    1. Configure External, Forest, Shortcut, Realm
    2. Configure trust authentication
      1. Forest-wide (every user in the trusted forest is treated like a member of Authenticated Users on the trusting side) or “selective” (users must be explicitly granted the “Allowed to Authenticate” permission on each computer they may use; the safer choice for an acquisition you do not fully trust yet)
    3. Configure SID filtering
      1. Get-ADUser -Filter * | Select-Object SamAccountName, SID (returns SIDs for users)
      2. SID filtering is on by default. On external trusts it is called “quarantine” (netdom trust … /quarantine:yes); on forest trusts it is the forest-aware filtering that drops any SID in an inbound token that the trusted forest is not authoritative for.
      3. it gets relaxed during object migrations from one domain to another
      4. it has to be turned OFF to migrate with SID history (the only time you would do this), and turned back ON as soon as the migration is finished
      5. SID history has to be ENABLED to migrate objects, which requires turning off SID filtering. Example: move a user to a different domain; if you don’t do this properly the user gets a new SID and loses access to the printers and shares they used before. With SID history ENABLED the user object keeps the old SID in its sIDHistory attribute alongside the new one, and with filtering off the trusting side honours it. The risk while filtering is off: an admin of the trusted domain can write any SID (e.g. your Enterprise Admins SID) into a user’s sIDHistory and gain that access in your domain.
      6. Detailed explanation and example of disabling SID filtering and enabling SID history here.
    4. Configure name suffix routing
      1. determines which UPN / SPN name suffixes get passed / routed to the other side of a forest trust (AD Domains and Trusts → trust Properties → Name Suffix Routing). Suffixes added to a forest after the trust was created only appear after you click Refresh.
    5. Fundamentals
      1. trusts have a direction: trusting vs. trusted
      2. the trust direction is the opposite of the direction of access: the trusting domain holds the resources, the trusted domain holds the accounts
      3. mnemonic: the trust arrow runs from trustING to trustED (“ing” → “ed”)
      4. most are bi-directional (really two one-way trusts)
      5. can be transitive (if A trusts B and B trusts C, then A trusts C); external trusts are always non-transitive
      6. different types
        1. External: from one domain in one forest to a single domain in a different forest (or an NT 4 domain); non-transitive
        2. Shortcut: between two domains in the same forest, to cut the Kerberos referral path that otherwise climbs to the tree roots in a large, deep forest. Not common, since the advice now is to simplify the forest instead.
        3. Forest: between two forest roots; every domain in each forest is trusted. Transitive within the two forests, but not beyond them (A–B and B–C forest trusts do not make A trust C). Most common type today, typically after an acquisition. You choose the authentication rules (forest-wide or selective) when you create it.
          1. Need name resolution between the two forests to set it up. Can be done by consolidating name services; in a larger environment use conditional forwarders (or stub zones) on both sides.
          2. create from AD Domains and Trusts (right-click the forest root domain → Properties → Trusts → New Trust)
          3. can create both halves of the trust from one side (one server) if you have credentials for the other forest
        4. Realm trust: to a non-AD Kerberos realm (MIT or Heimdal Kerberos on Linux, etc.); transitive or not, as you choose
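The trust section above (name resolution, selective authentication, SID filtering and name suffix routing), as an added PowerShell example that is mine rather than the course’s. It assumes our forest is contoso.com, the partner forest is widget.com with a DNS server at 10.0.2.10 and an admin account WIDGET\Administrator, and that the forest trust itself was already created in AD Domains and Trusts (2012 R2 has no New-ADTrust cmdlet). The audit in step 2 reads the TrustAttributes bits from MS-ADTS directly, which is less ambiguous than the SIDFiltering* boolean properties:

```powershell
# Added example, not from the course. Assumed: our forest contoso.com, partner forest widget.com,
# partner DNS 10.0.2.10, partner admin WIDGET\Administrator, forest trust already created in the GUI.
Import-Module ActiveDirectory

# 1. Name resolution the trust wizard needs: a conditional forwarder for the partner, stored in AD
Add-DnsServerConditionalForwarderZone -Name 'widget.com' -MasterServers 10.0.2.10 -ReplicationScope Forest
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.widget.com' -Type SRV | Format-Table Name, NameTarget, Port

# 2. Audit every trust: direction, transitivity and the two security controls that matter
$trusts = Get-ADTrust -Filter *
$trusts | Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication,
    SIDFilteringQuarantined, SIDFilteringForestAware, TrustAttributes | Format-Table -AutoSize

# TrustAttributes bits (MS-ADTS): 0x4 QUARANTINED_DOMAIN = SID filtering on (external trusts),
# 0x8 FOREST_TRANSITIVE, 0x20 WITHIN_FOREST, 0x40 TREAT_AS_EXTERNAL = SID history honoured (forest trusts)
$open = $trusts | Where-Object {
    $attr = [int]$_.TrustAttributes
    if ($attr -band 0x20) { $false }                    # intra-forest trusts are never filtered
    elseif ($attr -band 0x8) { ($attr -band 0x40) -ne 0 }  # forest trust with SID history enabled
    else { ($attr -band 0x4) -eq 0 }                    # external trust with quarantine cleared
}
if ($open) { Write-Warning "SID filtering is relaxed on: $($open.Name -join ', ')" }
$trusts | Where-Object { -not $_.SelectiveAuthentication -and -not $_.IntraForest } |
    ForEach-Object { Write-Warning "Forest-wide authentication on trust $($_.Name)" }

# 3. Change the controls with netdom (run on a DC of the trusting domain as Enterprise Admin)
#    Selective authentication: only principals granted "Allowed to Authenticate" on a resource may use it
netdom trust contoso.com /Domain:widget.com /SelectiveAuth:yes
#    Forest trust: honour sIDHistory from the partner (relaxes SID filtering) ONLY for the migration window,
#    then set it back to no. The * makes netdom prompt for the password instead of putting it on the command line.
netdom trust contoso.com /Domain:widget.com /EnableSIDHistory:yes /UserD:WIDGET\Administrator /PasswordD:*
# netdom trust contoso.com /Domain:widget.com /EnableSIDHistory:no /UserD:WIDGET\Administrator /PasswordD:*
#    External trust equivalent: /Quarantine:no relaxes filtering, /Quarantine:yes restores it
# netdom trust contoso.com /Domain:widget.com /Quarantine:yes

# 4. Name suffix routing: which UPN / SPN suffixes we route to the partner forest
netdom trust contoso.com /Domain:widget.com /NameSuffixes:widget.com
```

Re-run step 2 after any migration; an /EnableSIDHistory:yes that was never reverted is exactly the condition under which a compromised partner forest can mint a token carrying your Enterprise Admins SID.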
  3. Configure Sites
    1. Created to control AD replication (and client DC location) across geographical locations
    2. Associated with subnets (a VyOS router separates them in the lab)
    3. KCC (Knowledge Consistency Checker) builds the replication topology from the sites, subnets and site links you define
    4. Configure Sites and Subnets
      1. rename “Default-First-Site-Name”, use it, and create additional sites as needed
      2. create subnets and associate each with a site; a client whose IP is in no subnet picks a DC at random, and Netlogon on the DC logs event 5807 to tell you about such clients
    5. Create and Configure Site Links
      1. Inter-Site Transports
      2. almost always IP, NOT SMTP (SMTP cannot replicate the domain partition, only schema, configuration and the GC partial attribute set)
      3. every new site is added to DEFAULTIPSITELINK by default; remove it from there once it has a link of its own
      4. the absolute value of the cost is meaningless, only the RELATIVE value (compared to other links) has meaning; the KCC routes over the lowest total cost
      5. a lot of this had more meaning when network connectivity was expensive and low capacity
    6. Manage Site Coverage
      1. you need a DC in each site, otherwise a DC in the closest site “covers” it (automatic site coverage registers that DC’s SRV records for the empty site)
      2. are the DCs Global Catalogs? (in the old days this was limited because of processing power and bandwidth)
      3. now the best practice is simply to make every DC a GC
      4. if there are multiple DCs in a site, you can define a preferred bridgehead server, or leave this alone and let the KCC pick one
      5. best practice is to leave it to the KCC
    7. Manage Registration of SRV Records
      1. site-specific SRV records (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) determine which DC the computers in a site use
      2. the Netlogon service registers a DC’s SRV records; nltest /dsregdns (or restarting Netlogon) forces re-registration. ipconfig /registerdns only re-registers the host’s own A/AAAA records, not the SRV records.
    8. Move DCs Between Sites (AD Sites and Services → drag the server object to the new site, or Move-ADDirectoryServer), then re-register its SRV records
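The site build above, as an added PowerShell example (mine, not from the course). Site names Denver and Paris, the subnets, the cost, DC03 and contoso.com are all assumed; the point is the order of operations, including taking the new site out of DEFAULTIPSITELINK and re-registering the moved DC’s SRV records, which the GUI will not remind you about:

```powershell
# Added example, not from the course. Assumed: domain contoso.com, sites Denver and Paris,
# subnets 10.1.0.0/16 and 10.2.0.0/24, a DC named DC03 that belongs in Paris.
Import-Module ActiveDirectory

# Rename the default site and add a branch site
$default = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $default.DistinguishedName -NewName 'Denver'
New-ADReplicationSite -Name 'Paris'

# Subnets decide which site a client or DC believes it is in
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Denver'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Paris'

# Site link: cost is only meaningful relative to other links; frequency is the schedule (default 180 min)
New-ADReplicationSiteLink -Name 'Denver-Paris' -SitesIncluded Denver, Paris -Cost 100 `
    -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
# Change notification: options bit 1 (USE_NOTIFY) makes inter-site replication fire on change, like intra-site
Set-ADReplicationSiteLink -Identity 'Denver-Paris' -Replace @{ options = 1 }

# Paris was added to DEFAULTIPSITELINK automatically; take it out now that it has its own link
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Paris' }

# Move the DC into its site and make Netlogon re-register the site-specific SRV records
Move-ADDirectoryServer -Identity 'DC03' -Site 'Paris'
nltest /dsregdns /server:DC03

# Verify what clients in Paris will actually get
Resolve-DnsName -Name '_ldap._tcp.Paris._sites.dc._msdcs.contoso.com' -Type SRV | Format-Table Name, NameTarget
nltest /dsgetdc:contoso.com /site:Paris
# Replication topology as the KCC now sees it (run repadmin /kcc first if you do not want to wait 15 min)
Get-ADReplicationConnection -Filter * |
    Format-Table Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer -AutoSize
```

Leaving a site in DEFAULTIPSITELINK as well as its own link is harmless for replication but it makes the cost arithmetic the KCC does meaningless, which is why the removal step is there.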
  4. Manage AD Replication and SYSVOL replication
    1. Upgrade SYSVOL replication to DFS-R (Distributed File System Replication)
      1. If you have an old, upgraded AD (a domain created before 2008), you might not be on DFS-R and still be on the old FRS (File Replication Service). A domain created at the 2008 or higher functional level uses DFS-R from the start.
      2. upgrading to DFS-R (the domain functional level must be at least 2008)
        1. three steps after getting healthy: migrate to the Prepared state, migrate to the Redirected state, migrate to the Eliminated state
        2. dfsrmig /? (dfsrmig.exe, the command-line tool for the SYSVOL migration; it is not a PowerShell cmdlet)
        3. dfsrmig /getglobalstate (the state you have asked for) and dfsrmig /getmigrationstate (whether every DC has reached it yet)
        4. results will be “Start” (still FRS), “Prepared”, “Redirected” or “Eliminated”
        5. only do one step at a time (dfsrmig /setglobalstate 1, then 2, then 3), then WAIT until every DC reports that state before the next one
        6. Some health check commands
          1. gwmi -Class Win32_LogicalDisk -ComputerName <yourcomputername> (shows drive space; during migration SYSVOL exists twice on each DC, so it needs the room)
          2. repadmin /syncall /force /APed (forces a sync of All partitions, Pushing to each partner, across the enterprise, naming servers by DN, and ignoring the replication schedule)
          3. Update-DfsrConfigurationFromAD (tells the DFS-R service to poll AD for its configuration now instead of waiting for the next poll)
    2. Configure replication to RODCs
      1. single use case: a physically insecure branch location. The RODC holds a read-only copy of the directory but no password hashes, except for the accounts its password replication policy allows it to cache, so a stolen RODC gives up only that branch’s secrets.
      2. never log on to an RODC with a privileged account (the Denied list keeps Domain Admins etc. from ever being cached; an RODC forwards such logons to a writable DC, but the credentials still touch a box you do not trust)
      3. delegated RODC administrator: the group you select on the “Managed By” tab of the RODC’s computer object gets local admin on the RODC without being a Domain Admin
    3. Configure password policy replication for RODCs
      1. set the policy for which passwords you want to cache on the RODC (Password Replication Policy tab on the RODC computer object: Allowed and Denied lists, with Denied winning)
      2. you can see which users/computers have actually been revealed to (cached on) the RODC, and which have authenticated through it, behind the “Advanced” button on that tab
    4. Monitor and manage replication
      1. AD Sites and Services: right-click a connection object under a DC’s NTDS Settings and choose “Replicate Now”
      2. repadmin /replicate <destination DC> <source DC> <naming context> (the destination pulls from the source)
      3. repadmin /showrepl (inbound replication status and failures for a DC; repadmin /showrepl * /csv covers every DC as a table)
      4. repadmin /kcc (forces the KCC to recalculate the topology now)
      5. repadmin /prp view <RODC> reveal (lists the accounts whose secrets are cached on that RODC)
      6. in GPMC, select the domain and open the Status tab to see AD and SYSVOL replication status for Group Policy across all DCs
      7. dfsdiag (DFS namespace and replication diagnostics)
      8. nltest (e.g. nltest /dsgetdc:<domain> tests whether you can locate a DC, and shows which one and which site)
      9. AD change notification (inter-site replication fires on change instead of waiting for the site-link schedule)
        1. ADSI Edit, Configuration partition
        2. Sites → Inter-Site Transports → IP → the site link object
        3. set the “options” attribute from <not set> to 1 (USE_NOTIFY); the link now replicates across sites with the same change-driven timing as intra-site replication, at the cost of more WAN traffic
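The SYSVOL, replication-health and RODC checks above, as an added PowerShell example that is mine and not from the course. It assumes an RODC named RODC-PARIS, a branch group Paris-Users, a delegated admin group Paris-RODC-Admins and DCs DC01/DC02 in contoso.com. The last part is the check a practitioner most wants from an RODC: whether any privileged account’s secret has ever been cached on the branch box:

```powershell
# Added example, not from the course. Assumed: RODC 'RODC-PARIS', groups 'Paris-Users' and
# 'Paris-RODC-Admins', writable DCs DC01 and DC02, domain contoso.com.
Import-Module ActiveDirectory

# --- SYSVOL: still FRS, mid-migration, or done? ---
dfsrmig /getglobalstate      # "Eliminated" = migration complete; "Start" = still FRS
dfsrmig /getmigrationstate   # whether every DC has reached the global state; only then advance
# dfsrmig /setglobalstate 1  -> Prepared, 2 -> Redirected, 3 -> Eliminated, one step at a time

# --- AD replication health, turned into objects you can filter ---
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status', 'Number of Failures'
Get-ADReplicationFailure -Scope Domain | Format-Table Server, Partner, FailureCount, FirstFailureTime
# Force one partition now: DC02 (destination) pulls the domain partition from DC01 (source)
repadmin /replicate DC02 DC01 'DC=contoso,DC=com'

# --- RODC password replication policy ---
$rodc = 'RODC-PARIS'
# Allow the branch users' secrets to be cached; the Denied list already holds the privileged groups, keep it so
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Paris-Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# What is actually sitting on the RODC right now: this is what an attacker gets if the box is stolen
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# Alert if any member of a privileged group has ever been cached there (policy says no; reality may differ)
$priv = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive
} | Select-Object -ExpandProperty DistinguishedName -Unique
$bad = $revealed | Where-Object { $priv -contains $_.DistinguishedName }
if ($bad) {
    Write-Warning "Privileged secrets cached on ${rodc}: $($bad.Name -join ', ') -- reset those passwords"
}

# Delegated local admin for the RODC ("Managed By" tab) so branch staff never need Domain Admin
Set-ADComputer -Identity $rodc -ManagedBy 'Paris-RODC-Admins'
```

If the warning ever fires, the fix is not just to remove the account from the Allowed list: the secret already left the data center, so reset that account’s password (which also invalidates the cached copy) and find out who logged on to the branch box with it.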
