Essential Active Directory Design

Page 1

v1.2.1 | January 2013

Essential Active Directory Design Self-paced Technical Training

Student Guide and Lab Exercises

Level 2


Essential Active Directory Skills for Polycom Solutions (Design)

Disclaimer © 2013 Polycom, Inc. All rights reserved. Polycom, Inc. 4750 Willow Road Pleasanton, CA 94588-2708 USA No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc. Under the law, reproducing includes translating into another language or format. As between the parties, Polycom, Inc., retains title to and ownership of all proprietary rights with respect to the software contained within its products. The software is protected by United States copyright laws and international treaty provision. Therefore, you must treat the software like any other copyrighted material (e.g., a book or sound recording). Every effort has been made to ensure that the information in this manual is accurate. Polycom, Inc., is not responsible for printing or clerical errors. Information in this document is subject to change without notice.


Contents

Course Objectives ... 5
Course Flow ... 6
Active Directory Overview ... 9
Why is this important for Polycom Solutions? ... 10
Schema ... 11
Lab 1: AD Schema ... 12
  Lab Architecture ... 13
  Exercise 1.1: AD Schema ... 14
Global Catalog (GC) ... 18
  Overview ... 18
  Advantages ... 19
  Activating the Global Catalog Service ... 20
  Global Catalog Server Placement ... 20
Operations Masters ... 22
  Overview ... 22
  Schema Master ... 22
  Domain Naming Master ... 22
  RID Master ... 23
  Infrastructure Master ... 23
  PDC Emulator ... 23
Functional-Levels ... 24
Lab 2: Add a Second Domain Controller in to a Domain ... 26
  Lab Architecture ... 27
  Exercise 2.1: Adding a second Domain Controller ... 29
  Exercise 2.2: Review the Active Directory Domain components and applications ... 32
  Exercise 2.3: Demonstrate resilience using multiple Domain Controllers ... 34
  Exercise 2.4: Add the Global Catalog service to a Domain Controller ... 38
Sites ... 40
  Overview ... 40
  Advantages ... 40
  Joining a Site ... 41
Lab 3: Configuring Sites in AD ... 42
  Lab Architecture ... 43
  Exercise 3.1: Configuring Active Directory Sites ... 45
  Exercise 3.2: Demonstrate Site-Affinity for Computers in a Domain ... 47
Directory Partitions ... 49
  Overview ... 49
  Domain Directory Partition ... 50
  Configuration Directory Partition ... 50
  Schema Directory Partition ... 50
  Global Catalog Partition ... 51
  Application Directory Partitions ... 51
Lab 4: Investigate Directory Partitions using the ADSI Edit Tool ... 52
  Lab Architecture ... 53
  Exercise 4.1: Using the ADSI Edit utility ... 54
Trust Relationships ... 56
  Overview ... 56
  Resource Forest Model ... 57
Lab 5: Configuring Active Directory Forests ... 58
  Lab Architecture ... 59
  Exercise 5.1: Configuring Active Directory Forest Trusts ... 61
Types of Trust Relationships ... 71
  Types ... 71
Lab 6: Configuring Active Directory Sub-Domains ... 74
  Lab Architecture ... 75
  Exercise 6.1: Configuring Active Directory Child domain ... 77
  Exercise 6.2: Using trusts to configure permissions for a user in the na.a.com domain to access a resource in the a.com domain ... 82
Course Summary ... 86
What's Next ... 87


Course Objectives

• On completion of the training students will be able to:
  − Explain the key elements of Microsoft Active Directory design
  − Explain how Active Directory design impacts upon integration with Polycom solutions

© Polycom, Inc. All rights reserved.

In the first course in this series, Essential Active Directory Skills for Polycom Solutions – Overview and Management, students learned how to:

• Explain Microsoft Active Directory concepts, functions and features
• Understand key Active Directory components and services
• Understand the nature of the Active Directory user, group and computer objects which can be integrated with Polycom solutions

This course builds on the skills learned in the first part. On completion of the training students will be able to understand how the design of a customer's Active Directory environment can affect the deployment of a Polycom solution.


Course Flow

• Active Directory Overview
• Active Directory Schema
• Global Catalog (GC)
• Operations Masters
• Functional Levels
• Active Directory Sites
• Directory Partitions
• Trust Relationships


Question #1

• What terms have you heard about that relate to Microsoft Windows Active Directory?


Write a list of terms which you have heard of that relate to Microsoft Windows Active Directory. Note: These may include components of an Active Directory environment as well as the services it provides.


Answer #1

• What terms have you heard about that relate to Microsoft Windows Active Directory?


This course will cover many of the Active Directory terms with which you may be familiar including:

• Domain Controllers
• Domain Name Service (DNS)
• Domains
• Forests
• Schema
• Organisational Units and Containers
• Active Directory Users, Computers and Groups
• Sites
• Directory Partitions
• Trust Relationships
• Types of Trust Relationships
• Lightweight Directory Access Protocol (LDAP)


Active Directory Overview

• Active Directory (AD) is Microsoft's Directory Service
• AD capabilities:
  − Centralized system administration
  − Storage of network objects such as users, groups and computers
  − Management of permissions on resources
• Active Directory relies on several services which are provided by standards-based protocols:
  − Location services (DNS)
  − Directory services (LDAP)
  − Authentication and Authorization (Kerberos)


Active Directory (AD) is a Directory Service (DS) created by Microsoft for Windows domain-based networks. It provides centralized system administration for user/computer/group management, security configuration and resource access. AD utilizes a number of standards-based services:

• Domain Name Service (DNS) – to provide a location mechanism for the various AD roles
• Lightweight Directory Access Protocol (LDAP) – to provide object management and directory services
• Kerberos – authentication and authorization services for users and computers in a domain-based network


Why is this important for Polycom Solutions?

Polycom products can use information (such as users and groups) that already exists in Active Directory instead of requiring objects to be created. As a result Polycom software integrates with the client's existing network directory service. This means that an engineer designing, deploying or supporting a Polycom solution needs to understand how Active Directory works. The information that Polycom uses from Active Directory includes:

• Administrator credentials
• User Authentication for endpoints
• AD Search capabilities
• Utilization of existing users and groups

For example, the CMA Desktop application can take advantage of the user authentication facility. A user who is logged on to the domain and has been assigned privileges to use the CMA server can automatically sign into the application. CMA Desktop even prompts the user the first time they open the application to offer this option (see figure below):

Other examples of Polycom solutions that take advantage of AD integration include:

• Polycom Distributed Media Application (DMA) – for the generation of Virtual Meeting Rooms
• Polycom RSS 4000 – for specifying permissions to archived recordings based on AD User or Group
• Polycom RealPresence Media Manager (PRMM) – the Media Manager does not allow users to see items unless they have been given appropriate privileges


Schema

• One schema per forest
• Defines every class and attribute that can be stored in AD DS (e.g. user class)
• Classes define groups of attributes that have something in common (e.g. user class includes the logon name, first name and last name attributes)
• Some attributes are defined as mandatory, others may be optional
• Hierarchy rules determine possible parents


The Schema is a set of rules that describe the types of objects and attributes which can be created in AD DS. It specifies the rules about each type of object (e.g. an attribute is mandatory and has a generalized time data type). In addition, the schema has hierarchy rules that determine the possible parents in the directory tree of an object. For example, a computer object may only be created in a container such as Computers, a DNS zone or an Organisational Unit (OU). In order to support applications that need to store information in AD DS, the schema was designed to be extensible (i.e. it may be modified or extended to support new classes and attributes that are required by an enterprise). One of the most common reasons for extending the schema is to support the needs of an AD enabled application such as Microsoft Exchange Server or Lync Server. All changes to the schema must be made on the schema master by a member of the schema admins group. These changes are then replicated to all other Domain Controllers.


Lab 1: AD Schema

• Exercise 1.1: AD Schema


Objective

During this lab, you will use the AD Schema (ADS) snap-in to investigate and modify the AD schema for the a.com forest.

Duration

Estimated time to complete this lab: 20 minutes

What You Will Learn

After completing the exercises you will be able to:

• Discuss the structure of the AD Schema including Classes and Attributes
• Install and use the AD Schema snap-in to view and modify the AD schema for the a.com forest


Lab Architecture


Exercise 1.1: AD Schema

Task 1.1.1 – Install the Active Directory Schema (ADS) snap-in

1. Connect to LON-SRV01 using the A.COM credentials
2. On LON-SRV01, click Start, Command Prompt
3. Enter the command: regsvr32 schmmgmt.dll

Note: This command will register Schmmgmt.dll on your computer. Until registration has completed, the Schema snap-in will not be available in the MMC.

4. Click OK to confirm that the registration succeeded
5. Close the Command Prompt
6. Click Start, Run...
7. Enter the command: mmc
8. Click OK
9. From the File menu, choose the Add/Remove Snap-in option
10. Under Available Snap-ins, double-click Active Directory Schema
11. Click OK
12. From the File menu, select the Save option
13. Enter a File Name as follows: Active Directory Schema
14. Click Save
15. Close the Active Directory Schema MMC


Task 1.1.2 – Review Active Directory Schema (ADS) snap-in

1. On LON-SRV01, click Start, All Programs, Administrative Tools, Active Directory Schema
2. In the left hand pane, expand the Active Directory Schema container
3. Expand the Classes container
4. In the left hand pane, scroll down and highlight the User entry
5. In the right hand pane, review the Attributes list associated with the User entry
6. Specify below the number of Mandatory Attributes for the User class:

_____ Hint: Order the list by the Attribute Type column.

7. Minimize ADS

Task 1.1.3 – Modify the Active Directory Schema for the a.com Forest

Note: In this task you will add a new attribute to the schema and associate it with the User class object. The new attribute will be called EmployeeStartDate.

Important: During this lab you may see errors relating to the MMC not working properly. If you experience this problem, please ignore these errors and continue to use the MMC.

1. On LON-SRV01, restore Active Directory Schema
2. In the left hand pane, expand the Active Directory Schema container
3. Right-click on the Attributes container and select the Create Attribute... option
4. Click Continue to the warning regarding permanent schema modification
5. Complete the Create New Attribute dialog using the values shown below:

Parameter                Value
Common Name              employeeStartDate
Unique X500 Object ID    1.2.840.5555.12
Description              Employee Start Date
Syntax                   Generalized Time


Note: For publicly available applications, it is necessary to apply to the International Standards Organization (ISO) or Microsoft to obtain a unique X.500 Object ID or OID. In this environment a dummy value will be used for demonstration purposes.

6. Leave the other parameters blank
7. Click OK
8. In the left hand pane, expand the Classes container
9. Right-click on the User entry and choose the Properties option
10. Click on the Attributes tab
11. Click the Add button
12. Highlight the employeeStartDate entry in the Select schema object list
13. Click OK
14. Specify why only Optional Attributes can be added:

_____________________________________________________

15. Click OK
16. Close ADS
17. If prompted to save the console, choose No


Task 1.1.4 – Use the Active Directory Users and Computers (ADUC) snap-in to specify an EmployeeStartDate for the Administrator

1. On LON-SRV01, click Start, Administrative Tools, Active Directory Users and Computers
2. In the View menu, select the Advanced Features option

Note: This provides access to the Attribute Editor tab for Objects in ADUC

3. In the left hand pane, expand the a.com container
4. Highlight the Users container
5. In the right hand pane, double-click the Administrator entry
6. Select the Attribute Editor tab
7. In the Attributes list, double-click the employeeStartDate entry
8. In the Date section, click the drop-down arrow and specify a start date of 01/01/2012
9. Click OK
10. Click OK
11. Close ADUC

Summary

In this lab you have installed and used the AD Schema snap-in to view and modify the schema of the a.com forest.


Global Catalog (GC)

• Additional domain controller service
• A partial, read-only replica of all other domain directory partitions in the forest
• Only a limited set of attributes is included for each object
  − Typically those attributes most used for searching
• Every object in every domain in the forest is represented in the Global Catalog database


Overview

The Global Catalog service may be added to Domain Controllers and provides the ability to efficiently locate objects from any domain even if the forest contains multiple domains and domain trees. Every domain must have at least one Domain Controller running the Global Catalog service. As a consequence, the first Domain Controller installed in a domain is automatically configured with the service activated. Domain Controllers configured as Global Catalog servers not only have a full replica of the domain directory partition for their own domain but, in addition, they have a partial replica of the domain directory partition for every other domain in the forest. As a result GCs provide the ability to view and search for resources across an entire forest of domains. This ability to provide forest-wide information makes the Global Catalog service essential to many applications. As well as Polycom examples such as CMA, DMA, RSS and PRMM, the GC is also an essential service for applications such as Microsoft Exchange and Lync server. For example, a feature such as the Global Address Book in Outlook would be provided by a Global Catalog Server.


Partial Attribute Set (PAS)

For practical reasons Global Catalog servers cannot store the full set of attributes contained in the domain directory partition for every domain in a forest. For example, the user object attribute Display Name is included in the GC data set by default whilst the Department attribute is not. The attributes that are included in the Global Catalog partition are identified in the schema as the Partial Attribute Set. The PAS is identified by the isMemberOfPartialAttributeSet property; if this property for the attribute is set to true then that attribute will be included in the Global Catalog.

Advantages

More Efficient AD DS Searches

Any search query for an object in a different domain which is received by a Domain Controller must be referred to a Domain Controller in the same domain as the object for an answer. By performing the search using a Global Catalog server, the search will be much faster since it does not involve referrals to other Domain Controllers, assuming that the attributes required by the search request are replicated in the Global Catalog.

Determine Universal Group Membership

As we will examine later in the course, Universal groups can contain user and group accounts from any domain in a particular forest. As a consequence, whenever a user logs on to a domain, a Global Catalog server is contacted to determine the universal group memberships for that user.

User Principal Name (UPN) Logon

A Global Catalog server is also required to process a user login with the credentials supplied in a UPN (e.g. administrator@a.com) format. The UPN must be resolved by the Global Catalog service in order to identify the domain of the user.


Activating the Global Catalog Service

It is possible to add the service to any Domain Controller by using the Active Directory Sites and Services application (see figure below).

Global Catalog Server Placement

In a multi-domain environment Global Catalog servers are a critical part of the environment so careful planning is required to ensure that they are positioned to provide redundancy and minimize network traffic. The main limitation on the number of Global Catalog Servers that should be deployed is the replication traffic that it will generate. For a large Active Directory environment with frequent changes to users and computers the volume of traffic required to update forest-wide information will be significant. In a single-domain forest, all Domain Controllers should be configured as Global Catalog servers. Every Domain Controller will already have the single domain directory partition so configuring it as a Global Catalog server does not significantly increase the load on the server.


In multiple-domain forests, Global Catalog servers provide significant advantages (e.g. facilitating forest-wide searches) which must be balanced against the issue of increased replication traffic. Typical reasons for deciding whether or not to place a Global Catalog server in a particular location are as follows:

• An application running in the location requires access to a Global Catalog Server (e.g. Polycom CMA, DMA and RSS)
• The location contains 100+ users. Under these circumstances the requirement for a GC to provide Universal Group lookups and UPN resolution becomes significant
• Bandwidth issues to the remote site mean that replication traffic would be an issue, so lookups passed to a remote Global Catalog are preferred
• A Global Catalog service should not be activated on a Domain Controller that hosts the infrastructure operations master role in the domain unless all Domain Controllers in the domain are Global Catalog servers or the forest has only one domain. The Infrastructure Master role works on the principle of updating when it discovers new information. As a GC the Domain Controller will already have knowledge of all objects in the forest so it will not consider an update necessary. If all Domain Controllers in a domain are GCs then all have current data and it is not important which of them holds the infrastructure master role
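The placement rules above, turned into a design check as an added example (this is not course material or any Polycom tool): a constructed forest inventory is tested for the rules the text states, namely a domain without any GC, a single-domain forest with DCs that are not GCs, an infrastructure master that is also a GC while other DCs in its domain are not, and a site with 100+ users or a GC-dependent application but no local GC. The server, site and user-count values are constructed; the na.a.com child domain and the London/New York sites follow the lab naming.

```python
"""Design check for Global Catalog placement (added example, not course material)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    site: str
    is_gc: bool = False
    # Operations master roles held by this DC, e.g. "InfrastructureMaster"
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Site:
    name: str
    users: int = 0
    # Applications in the site that need a GC, e.g. CMA, DMA, RSS
    gc_dependent_apps: FrozenSet[str] = frozenset()


Finding = Tuple[str, str]  # (rule code, subject the rule applies to)


def check_gc_placement(dcs: List[DomainController], sites: List[Site]) -> List[Finding]:
    """Apply the placement rules from the text and return every violation found."""
    findings: List[Finding] = []
    domains = sorted({dc.domain for dc in dcs})
    single_domain_forest = len(domains) == 1

    for domain in domains:
        members = [dc for dc in dcs if dc.domain == domain]
        gcs = [dc for dc in members if dc.is_gc]
        # Every domain must have at least one Global Catalog server.
        if not gcs:
            findings.append(("DOMAIN_WITHOUT_GC", domain))
        # In a single-domain forest every DC should be a GC (little extra load).
        if single_domain_forest:
            for dc in members:
                if not dc.is_gc:
                    findings.append(("SINGLE_DOMAIN_DC_NOT_GC", dc.name))
        # The infrastructure master must not be a GC unless every DC in the
        # domain is a GC or the forest has only one domain.
        all_gc = len(gcs) == len(members)
        for dc in members:
            if "InfrastructureMaster" in dc.roles and dc.is_gc and not (all_gc or single_domain_forest):
                findings.append(("INFRA_MASTER_ON_GC", dc.name))

    # A site with 100+ users or a GC-dependent application wants a local GC.
    for site in sites:
        local_gc = any(dc.is_gc and dc.site == site.name for dc in dcs)
        if not local_gc and (site.users >= 100 or site.gc_dependent_apps):
            findings.append(("SITE_NEEDS_LOCAL_GC", site.name))
    return findings


# Constructed inventory: the lab's a.com forest with a na.a.com child domain.
LAB_DCS = [
    DomainController("LON-SRV01", "a.com", "London", is_gc=True,
                     roles=frozenset({"SchemaMaster", "DomainNamingMaster", "PDCEmulator"})),
    DomainController("PAR-SRV01", "a.com", "Paris"),
    DomainController("NA-SRV01", "na.a.com", "NewYork", is_gc=True,
                     roles=frozenset({"InfrastructureMaster"})),
    DomainController("NA-SRV02", "na.a.com", "NewYork"),
]
LAB_SITES = [
    Site("London", users=40),
    Site("NewYork", users=250),
    Site("Paris", users=120, gc_dependent_apps=frozenset({"DMA"})),
]

if __name__ == "__main__":
    for code, subject in check_gc_placement(LAB_DCS, LAB_SITES):
        print(f"{code}: {subject}")
```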

Polycom Note: When integrating CMA and DMA servers with Active Directory, there are two configuration options:

• Specify a Global Catalog server by host name or IP address – this option is not recommended because of the lack of redundancy
• Auto-discover the server by querying the DNS for the closest Global Catalog server – this option requires the user to specify the Active Directory domain in which the GC should be located. This can be any domain in the Active Directory forest but it is recommended that you enter the forest root DNS domain name

In addition, when configured to auto-discover the GC, the server will typically determine the Active Directory site in which it is located and then query the DNS to locate a SRV record for a Global Catalog server within the same site to optimize network bandwidth. It is recommended in the Admin guides that these systems be pointed to a GC server. This allows the systems to gain visibility of all the objects (e.g. users) in the AD forest.
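The auto-discovery behaviour above, modelled as an added example (not Polycom's CMA or DMA code): a site-aware locator first asks DNS for `_gc._tcp.<site>._sites.<forest root>`, falls back to the forest-wide `_gc._tcp.<forest root>` name, and orders the SRV answers by priority and weight as RFC 2782 describes. The DNS zone data is constructed in-line for the lab forest a.com; the London site name and the Paris site without a local GC are assumptions.

```python
"""Site-aware Global Catalog locator over DNS SRV records (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GC_PORT = 3268  # Global Catalog LDAP port (3269 for LDAP over SSL)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def gc_srv_names(forest_root: str, site: Optional[str]) -> List[str]:
    """SRV names to query, most specific first: GCs in the caller's site, then any GC in the forest."""
    names = []
    if site:
        names.append(f"_gc._tcp.{site}._sites.{forest_root}")
    names.append(f"_gc._tcp.{forest_root}")
    return names


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; equal priorities are ordered by weighted random choice."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            weights = [r.weight for r in group]
            # random.choices rejects an all-zero weight list, so fall back to a plain choice
            pick = rng.choices(group, weights=weights)[0] if sum(weights) else rng.choice(group)
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate_gc(dns: Dict[str, List[SrvRecord]], forest_root: str, site: Optional[str],
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[SrvRecord]]:
    """Return (SRV name that answered, candidate GCs in preference order), or (None, []) if none is published."""
    for name in gc_srv_names(forest_root, site):
        answers = dns.get(name, [])
        if answers:
            return name, order_srv(answers, rng)
    return None, []


# Constructed zone data for the lab forest a.com (not a real DNS dump):
# only LON-SRV01 is a GC in the London site; both lab DCs are GCs forest-wide.
LAB_DNS = {
    "_gc._tcp.London._sites.a.com": [SrvRecord(0, 100, GC_PORT, "lon-srv01.a.com")],
    "_gc._tcp.a.com": [
        SrvRecord(0, 100, GC_PORT, "lon-srv01.a.com"),
        SrvRecord(0, 100, GC_PORT, "nyc-srv01.a.com"),
    ],
}

if __name__ == "__main__":
    for site in ("London", "Paris", None):
        name, candidates = locate_gc(LAB_DNS, "a.com", site)
        print(site, "->", name, [f"{c.target}:{c.port}" for c in candidates])
```

A server in a site with no GC record (Paris here) silently ends up on the forest-wide list, which is the bandwidth case the placement bullets above describe.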


Operations Masters

• Some DS operations require a single authoritative server
• Ensures consistency and eliminates the possibility of conflicting entries in the AD database
• Domain controllers that perform specific roles are known as operations masters
• Five key roles:
  − Schema master
  − Domain naming master
  − RID master
  − Infrastructure master
  − PDC emulator

Overview

There are certain directory operations which require a single authoritative server rather than the multi-master mechanism used in most AD operations. This approach is necessary to ensure consistency and to eliminate the potential for conflicting entries in the AD DS database. Domain controllers which perform any of the five specific roles are known as operations masters. The roles are as follows:

Schema Master

The Domain Controller with this per-forest role is the only DC with write permissions to the AD schema. An administrator who wishes to make any change to the schema must be connected to the schema master and must also be a member of the Schema Admins universal security group. Any changes to the schema are subsequently replicated to all the other Domain Controllers in the forest. By default, the first Domain Controller installed in a forest assumes the schema master role.

Domain Naming Master

The Domain Controller with this per-forest role manages the addition and removal of all directory partitions in the forest hierarchy. Examples of when this role is required include:

• Domain addition or removal
• Application directory partition addition or removal
• Domain rename validation


RID Master

The Domain Controller with this per-domain role is used to manage the creation of new security principals (e.g. users, groups and computers) throughout the domain. Each security principal is uniquely identified by a security identifier (SID). The SID is formed of two parts:

• A domain identifier – this is the same for all objects in the domain
• A relative identifier (RID) – this is unique for each security principal in the domain

Since security principals may be created on any Domain Controller, the RID master is used to ensure the same RID is not issued by two different Domain Controllers.

Infrastructure Master

The Domain Controller with this per-domain role is responsible for updating and maintaining the list of all cross-domain group-to-user references. This is necessary because users and groups from one domain may be added to groups in another domain. It replicates this information to all other Domain Controllers in the domain.

PDC Emulator

The Domain Controller with this per-domain role operates as a primary Domain Controller (PDC) for pre-Windows 2000 operating systems. Older NT systems require communication with a PDC to process password changes.

Password Updates

Even for domains without older NT systems this role still provides a service by maintaining a list of password updates. All password changes on other Domain Controllers in the domain are sent by urgent replication to the PDC emulator. Whenever a user authentication is unsuccessful on a Domain Controller, the authentication is retried on the PDC emulator in case it has a record of a recent password change.
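The SID structure described under RID Master, as an added example (not part of the course): it decodes the binary objectSid form that AD stores into the familiar S-1-5-21-... text, splits a domain SID into its domain identifier and RID, and scans a constructed set of principals for the duplicate-RID condition the RID master exists to prevent. The domain identifier value and the account names are constructed; the well-known RIDs listed are fixed by Windows.

```python
"""Security identifier (SID) handling for the RID master discussion (added example)."""
import re
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# A few well-known RIDs; Windows reserves these in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def _parse(sid: str) -> Tuple[int, List[int]]:
    """Return (identifier authority, sub-authorities) from S-1-<auth>-<sub>... text."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: " + sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary objectSid as stored in AD: revision, count, 48-bit authority, 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")          # identifier authority is big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)    # sub-authorities are little-endian
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes, useful for building LDAP filters on objectSid."""
    authority, subs = _parse(sid)
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Split S-1-5-21-<domain identifier>-<rid> into (domain identifier, RID)."""
    authority, subs = _parse(sid)
    # Well-known SIDs such as S-1-5-18 (LocalSystem) carry no domain identifier.
    if authority != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not a domain security principal SID: " + sid)
    return "S-1-5-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def rid_conflicts(principals: Dict[str, str]) -> List[Tuple[str, int, List[str]]]:
    """Given {sAMAccountName: SID}, report each (domain, rid) issued to more than one principal."""
    seen = defaultdict(list)
    for name, sid in principals.items():
        domain, rid = split_domain_sid(sid)
        seen[(domain, rid)].append(name)
    return [(d, r, sorted(n)) for (d, r), n in seen.items() if len(n) > 1]


# Constructed data: a made-up domain identifier and four principals, two of which
# share RID 1105 to show what the check reports when the RID pool has been misused.
LAB_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
LAB_PRINCIPALS = {
    "Administrator": LAB_DOMAIN_SID + "-500",
    "Guest": LAB_DOMAIN_SID + "-501",
    "jsmith": LAB_DOMAIN_SID + "-1105",
    "jdoe": LAB_DOMAIN_SID + "-1105",
}

if __name__ == "__main__":
    for name, sid in LAB_PRINCIPALS.items():
        domain, rid = split_domain_sid(sid)
        print(f"{name:14} rid={rid:<5} {WELL_KNOWN_RIDS.get(rid, '')}")
    print("conflicts:", rid_conflicts(LAB_PRINCIPALS))
```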


Functional-Levels

• Determines features available in an AD environment
• Level is specified using the operating system of a supporting domain controller
• Configurable at both forest and domain levels


The selection of a Functional-Level determines the features which are available in the Active Directory environment. The levels are defined for both the AD Forest and AD Domain by specifying the operating system versions. In most cases, the highest domain and forest functional level should be implemented based on the Domain Controller operating systems that you have deployed or plan to deploy. For example, in a situation where a new Windows Server 2008 forest has been deployed and there are no plans to ever deploy Windows Server 2003 Domain Controllers in the forest, the domain and forest functional levels should be set to Windows Server 2008. The Functional-Levels are designed to provide backward compatibility. For example, in a situation where an existing domain is being upgraded to Windows 2008, the domain level may be raised once the last Domain Controller running an older Windows operating system has been removed. Also, once all domains in the forest have been upgraded to the Windows Server 2008 functional level, it is possible to raise the forest functional level to the same level.


The table below shows some examples of features which have been introduced in later operating systems:

Feature                                                Functional-Level                   Notes
Domain rename                                          Domain at Windows Server 2003      This requires the forest functional-level to be at this level as well
Forest trust                                           Forest at Windows Server 2008
AES 128 and 256 support for the Kerberos protocol      Domain at Windows Server 2008
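As an added illustration (not part of the course material), the following Python script applies the rules stated in the text and the table above to a constructed two-domain forest: the level a domain can be raised to is bounded by its oldest Domain Controller operating system, the forest level is bounded by its lowest domain level, and the feature list is the page's own table. The domain names, host names and the child domain are assumptions used only as sample data.

```python
"""Functional-level planning for a forest, using the rules from the text.

Added example, not part of the course. Sample forest layout is constructed.
"""

# Functional levels in ascending order; a DC's operating system is also the
# highest level that DC can support.
LEVELS = ["Windows 2000", "Windows Server 2003", "Windows Server 2008"]


def rank(level):
    """Position of a level in LEVELS, so levels can be compared with min()."""
    return LEVELS.index(level)


# (feature, minimum domain level or None, minimum forest level or None),
# as listed in the table on the page. Domain rename needs both levels.
FEATURES = [
    ("Domain rename", "Windows Server 2003", "Windows Server 2003"),
    ("Forest trust", None, "Windows Server 2008"),
    ("AES 128 and 256 support for the Kerberos protocol", "Windows Server 2008", None),
]


def highest_domain_level(dc_operating_systems):
    """A domain cannot be raised above the oldest DC it still contains."""
    return min(dc_operating_systems, key=rank)


def highest_forest_level(domain_levels):
    """A forest cannot be raised above its lowest domain functional level."""
    return min(domain_levels.values(), key=rank)


def available_features(domain_level, forest_level):
    """Features from the table satisfied by the given pair of levels."""
    out = []
    for name, min_domain, min_forest in FEATURES:
        if min_domain is not None and rank(domain_level) < rank(min_domain):
            continue
        if min_forest is not None and rank(forest_level) < rank(min_forest):
            continue
        out.append(name)
    return out


def plan(forest):
    """forest: {domain: {dc hostname: OS level}}.

    Returns (highest level per domain, highest forest level, features per domain)."""
    domain_levels = {
        domain: highest_domain_level(dcs.values()) for domain, dcs in forest.items()
    }
    forest_level = highest_forest_level(domain_levels)
    features = {
        domain: available_features(level, forest_level)
        for domain, level in domain_levels.items()
    }
    return domain_levels, forest_level, features


# Constructed sample (assumption, not the lab environment): the root domain is
# fully on Windows Server 2008, the child domain still has one 2003 DC.
SAMPLE_FOREST = {
    "a.com": {"dc1": "Windows Server 2008", "dc2": "Windows Server 2008"},
    "child.a.com": {"dc3": "Windows Server 2008", "dc4": "Windows Server 2003"},
}

if __name__ == "__main__":
    levels, forest_level, feats = plan(SAMPLE_FOREST)
    for domain, level in levels.items():
        print(f"{domain}: raise domain level to {level}; unlocks {feats[domain]}")
    print(f"forest level can be raised to: {forest_level}")
```

Running `plan` on the sample shows the point made in the text: the single Windows Server 2003 DC in the child domain holds the whole forest at the 2003 level, and only after it is removed can both levels be raised to 2008.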


Lab 2: Add a Second Domain Controller into a Domain

Lab 2
• Add a Second Domain Controller into a Domain
• Lab Architecture
• Exercise 2.1: Adding a second Domain Controller
• Exercise 2.2: Review the Active Directory Domain components and applications
• Exercise 2.3: Demonstrate resilience using multiple Domain Controllers
• Exercise 2.4: Add the Global Catalog service to a Domain Controller

Objective

During this lab, you will promote the NYC-SRV01 server to become a second Domain Controller for the a.com domain. Subsequently, you will investigate the advantages of multiple Domain Controllers in a domain, including resilience and load balancing.

Duration

Estimated time to complete this lab: 60 minutes

What You Will Learn

After completing the exercises you will be able to:
• Add a Domain Controller to an existing domain
• Show the advantages of multiple Domain Controllers for a domain, including resilience and load-balancing


Lab Architecture Before


After


Exercise 2.1: Adding a second Domain Controller

In this exercise, you will add a second Domain Controller for the a.com domain to show the advantages of this topology.

Challenge 2.1.1: Add a second Domain Controller to the a.com domain

Using similar procedures to those described in Active Directory Essentials – Overview and Management, attempt to promote NYC-SRV01 to become a Domain Controller for the a.com domain. If you would prefer to follow instructions, turn to the next page for the Challenge 2.1.1 Solution. During this challenge a number of questions must be answered; use the table below to determine the required configuration settings:

Parameter                                                                  Value
Forest                                                                     Using existing
Domain                                                                     Using existing root domain (i.e. a.com)
User with privileges to add Active Directory Domain Services and Password  <A.COM credentials>
Site                                                                       Default-First-Site-Name
DNS                                                                        Add DNS Service
Global Catalog                                                             Do not add a GC Service
Read-Only Domain Controller (RODC)                                         Do not add a RODC
Infrastructure Master Role                                                 Move to this Domain Controller
Directory Services Restore Mode password                                   Password123
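The same settings can be supplied to dcpromo as an unattended-installation answer file instead of answering the wizard. The file below is an added example, not part of the lab: the keys are the documented dcpromo unattend parameters, the values are taken from the table above, and the account name placeholder and the NTDS/SYSVOL paths are assumptions.

```ini
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=a.com
SiteName=Default-First-Site-Name
UserDomain=a.com
UserName=<A.COM administrator account>
Password=*
InstallDNS=Yes
ConfirmGc=No
CreateDNSDelegation=No
TransferIMRoleIfNecessary=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=Password123
RebootOnCompletion=Yes
```

`ReplicaOrNewDomain=Replica` adds a writable Domain Controller to the existing a.com domain (a read-only DC would use `ReadOnlyReplica`), `InstallDNS=Yes`/`ConfirmGc=No` match the DNS and Global Catalog rows of the table, and `TransferIMRoleIfNecessary=Yes` moves the Infrastructure Master role to the new DC. `Password=*` makes dcpromo prompt for the A.COM password rather than storing it in the file; the DSRM password is the lab value and is stored in clear text, so the answer file should be deleted once the promotion has completed. The file is used with `dcpromo /unattend:<path to file>`.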


Solution 2.1.1 – Add a second Domain Controller to the a.com domain

Task 2.1.1.1 – Configure DNS Server settings for NYC-SRV01
1. Connect to the NYC-SRV01 using the NYC-SRV01 credentials
2. On NYC-SRV01, click Start, Control Panel, Network and Sharing Center, Change adapter settings
3. Right-click on Local Area Connection and choose the Properties option
4. Highlight the Internet Protocol Version 4 entry and click the Properties button
5. In the Use the following DNS Server addresses section, specify a Preferred DNS Server address of 172.16.1.12

Note: This address allows SRV01 to use the DNS installed on LON-SRV01.

6. Click OK
7. Click Close
8. Close the Network Connections dialog
9. Minimize the connection to NYC-SRV01

Task 2.1.1.2 – Install the Active Directory Domain Services role
1. Restore the connection to NYC-SRV01
2. On NYC-SRV01, click Start, Administrative Tools, Server Manager
3. In the left hand pane, highlight the Roles container
4. In the right hand pane, click the Add Roles link
5. Click Next at the Before You Begin dialog
6. Tick the entry for Active Directory Domain Services
7. Click the Add Required Features button to specify that the .NET Framework 3.5.1 Features should be installed to support the AD Domain Services role
8. Click Next
9. Click Next at the Active Directory Domain Services dialog
10. Click Install

Note: If a prompt is displayed regarding enabling Windows Automatic Update then please ensure that this feature remains disabled.

11. Confirm that both installations completed successfully and click the Close button
12. Close Server Manager
13. Minimize the connection to NYC-SRV01

Task 2.1.1.3 – Configure the Active Directory Domain Services role and Install a DNS Service
1. Restore the connection to NYC-SRV01
2. On the NYC-SRV01, click Start, Run
3. Enter the command: dcpromo
4. Click OK
5. When the wizard activates, click Next at the Welcome screen
6. Click Next at the Operating System Compatibility message
7. Specify Existing forest
8. Specify Add a Domain Controller to an Existing Domain and click Next
9. Enter a.com as the forest root domain
10. Click the Set... button
11. Specify the A.COM Credentials and click OK
12. Click Next
13. Verify the domain entry for a.com (forest root domain) and click Next
14. Verify the site entry for Default-First-Site-Name and click Next
15. In the Additional Domain Controller Options dialog, specify the following selection:

Parameter                               Value
DNS server                              <checked>
Global Catalog (GC)                     <unchecked>
Read-only Domain Controller (RODC)      <unchecked>

Note: The Global Catalog has been de-selected to allow for a subsequent exercise. Under normal circumstances it would be good practice to keep the GC option selected.

16. Click Next
17. Choose the Transfer the Infrastructure master role to this domain controller option
18. Click Yes to confirm that a delegation for this DNS Server cannot be created because there is no authoritative parent domain
19. Review the paths to the Database, Log and SYSVOL folders and click Next
20. Specify a Directory Services Restore Mode password of Password123 and click Next
21. Click Next at the Summary dialog

Note: The installation could take several minutes to perform

22. When the installation completes, click Finish
23. Click the Restart Now button

Note: The VM will take several minutes to restart.

Exercise 2.2: Review the Active Directory Domain components and applications
1. Connect to the NYC-SRV01 using the A.COM credentials
2. If the Server Manager starts, select the Do not show me this console at logon option and close the Manager

Task 2.2.1 – Review Active Directory Users and Computers (ADUC) snap-in
3. On NYC-SRV01, click Start, Administrative Tools, Active Directory Users and Computers
4. In the left hand pane, expand the a.com container
5. Highlight the Domain Controllers sub-container to verify that both LON-SRV01 and NYC-SRV01 are shown and determine the following information:

Computer       Parameter      Value
LON-SRV01      DC Type        __________________
               Site           __________________
NYC-SRV01      DC Type        __________________
               Site           __________________

6. Close ADUC

Task 2.2.2 – Review DNS Records created to support the AD Domain
1. On NYC-SRV01, click Start, Administrative Tools, DNS
2. In the left hand pane, expand NYC-SRV01, Forward Lookup Zones
3. Highlight the _msdcs.a.com zone, right-click the highlighted entry and choose Properties
4. Select the General tab and complete the following table using information displayed in this dialog:

Parameter      Value
Type           __________________
Replication    __________________

5. Select the Name Servers tab and record the FQDNs of any Name Servers listed:

________________________________________________

6. Click Cancel
7. Expand the _msdcs.a.com zone
8. Expand the dc container
9. Highlight the _tcp entry
10. From the right hand pane, record the details of any _ldap SRV records in the table below:

Host Offering Service      Priority      Weight      Timestamp
___________________        ________      ______      _________

Note: It may be necessary to double-click on the SRV records to determine some of the required information.

11. If necessary, in the left hand pane, expand the _msdcs.a.com zone
12. Expand the gc container
13. Highlight the _tcp entry
14. From the right hand pane, record the details of any _ldap SRV records in the table below:

Host Offering Service      Priority      Weight      Timestamp
___________________        ________      ______      _________

Note: It may be necessary to double-click on the SRV records to determine some of the required information.

15. Close DNS Manager
16. Minimize the connection for NYC-SRV01

Exercise 2.3: Demonstrate resilience using multiple Domain Controllers

In this task, you will demonstrate the additional resilience for authentication provided by multiple Domain Controllers in a domain.

Task 2.3.1 – Determine the Logon Server used by CLI01
1. If connected to CLI01, click Start, Log off
2. Connect to CLI01 using the A.COM credentials
3. Click Start, Command Prompt
4. Enter the following command: set logonserver
5. Record the current Logon Server shown in the output from the above command:

<First Logon Server> = __________________________

Note: The <First Logon Server> value will be used later in this lab.

6. Enter the following command: nltest /dsgetdc:a.com


7. From the output returned, record the following:

Parameter          Value
DC                 __________________
DC Site Name       __________________
Our Site Name      __________________

8. Close the Command Prompt

Task 2.3.2 – Re-configure CLI01 to use an Alternate DNS Server
1. On CLI01, click Start, Control Panel
2. From the Category drop-down list, choose the Large icons option
3. Click the Network and Sharing Center
4. Click the Change adapter settings link
5. Right-click on the Local Area Connection icon and choose the Properties option
6. Highlight the Internet Protocol Version 4 entry and click the Properties button
7. Enter an Alternate DNS Server entry of 172.16.2.11
8. Click OK
9. Click Close
10. Close the Network Connections dialog
11. Click Start, Log off

Task 2.3.3 – Disable the current Logon Server
1. Connect to the <First Logon Server> (as determined above in Task 2.3.1) using the A.COM credentials
2. Click Start, Control Panel
3. From the Category drop-down list, choose the Large icons option
4. Click the Network and Sharing Center
5. Click the Change adapter settings link
6. Right-click on the Local Area Connection icon and choose the Disable option

Note: The Remote Desktop Connection will immediately freeze since it can no longer connect to the VM, and a message may be displayed indicating that the connection has been lost.

7. Close the Remote Desktop connection using the Close button (i.e. the cross icon) located top-right of the dialog

Task 2.3.4 – Logon to CLI01 and determine the Logon Server used
1. If connected to CLI01, click Start, Log off
2. Connect to CLI01 using the A.COM credentials

Note: The logon may take a few minutes whilst the client attempts to locate a working authentication server.

3. Click Start, Command Prompt
4. Enter the following command: set logonserver
5. Record the current Logon Server shown in the output from the above command:

<Second Logon Server> = __________________________

6. Enter the following command: nltest /dsgetdc:a.com
7. From the output returned, record the following:

Parameter          Value
DC                 __________________
DC Site Name       __________________
Our Site Name      __________________

8. Close the Command Prompt


Task 2.3.5 – Start-up the Logon Server

In this task, you will re-enable the network connection for the <First Logon Server>.
1. Switch to the CloudShare landing page (see figure below) using the web browser
2. Choose the tab for the <First Logon Server>
3. Logon by pressing the Send Ctrl-Alt-Del button (see figure below) and specifying the A.COM credentials
4. The Network Connections dialog should be displayed immediately; if it is not, perform the following steps:
5. Click Start, Control Panel
6. From the Category drop-down list, choose the Large icons option
7. Click the Network and Sharing Center
8. Click the Change adapter settings link
9. Right-click on the Local Area Connection icon and choose the Enable option


10. Verify connectivity has been re-established by clicking Start, Command Prompt and entering the command: ping 172.16.1.13
11. When the ping command generates a reply from the SRV01, minimize the browser window

Exercise 2.4: Add the Global Catalog service to a Domain Controller

In this task, you will add the Global Catalog component to the new a.com Domain Controller.

Task 2.4.1 – Check the LON-SRV01 Domain Controller is reachable
1. Connect to NYC-SRV01 using the A.COM credentials
2. On NYC-SRV01, click Start, Command Prompt
3. Enter the following command: ping 172.16.1.12
4. Verify that LON-SRV01 responds successfully before continuing to the next task
5. Close the Command Prompt

Task 2.4.2 – Activate the Global Catalog service on the NYC-SRV01 Domain Controller

Note: It is possible to add or remove the Global Catalog service using this same procedure. Also, it is important to note that the Domain Controller does not advertise itself in the Domain Name System (DNS) as a Global Catalog server until all partial domain directory partitions have been received.

1. On NYC-SRV01, click Start, Administrative Tools, Active Directory Sites and Services (ADSS)
2. In the left hand pane, expand Sites
3. Expand Default-First-Site-Name, Servers, NYC-SRV01
4. Right-click on the NTDS Settings entry and select the Properties option
5. Select the Global Catalog check box to add the Global Catalog
6. Click OK
7. Review the message regarding the Infrastructure Master and click Yes

Note: All Domain Controllers in the a.com domain will now have the Global Catalog service.

8. Close ADSS

Task 2.4.3 – Verify that the Global Catalog service is activated on the NYC-SRV01 Domain Controller
1. On NYC-SRV01, click Start, Command Prompt
2. Enter the following command: nltest /dsgetdc:a.com
   Verify that the results for NYC-SRV01 indicate GC in the Flags section

Note: It can take approximately 10 minutes before the flag is updated.

3. Close the Command Prompt
4. Minimize the connection to NYC-SRV01

Summary

The addition of a second Domain Controller for an AD domain provides additional redundancy and resilience. In addition, the authentication workload can be spread across the multiple Domain Controllers.
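The checks made by hand in Tasks 2.3.1, 2.3.4 and 2.4.3 (which DC answered, which site it and the client are in, whether the GC flag is present) can be scripted against the output of `nltest /dsgetdc`. The Python below is an added example, not part of the lab: the sample output is constructed to resemble what NYC-SRV01 would show after Exercise 2.4 (the domain GUID is a zero placeholder), and the address 172.16.2.11 is the one the lab assigns to NYC-SRV01.

```python
import re

# Constructed sample of `nltest /dsgetdc:a.com` output (not captured from the
# lab; the GUID is a placeholder). Backslashes are doubled for Python.
SAMPLE_OUTPUT = """\
           DC: \\\\NYC-SRV01.a.com
      Address: \\\\172.16.2.11
     Dom Guid: 00000000-0000-0000-0000-000000000000
     Dom Name: a.com
  Forest Name: a.com
 Dc Site Name: NA
Our Site Name: NA
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
The command completed successfully
"""

# One "Key: value" line; keys may contain spaces ("Dc Site Name").
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_dsgetdc(text):
    """Turn nltest's key/value lines into a dict; Flags become a set of tokens
    and the leading \\\\ is removed from the DC name and address."""
    info = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    info["DC"] = info.get("DC", "").lstrip("\\")
    info["Address"] = info.get("Address", "").lstrip("\\")
    info["Flags"] = set(info.get("Flags", "").split())
    return info


def locator_findings(info):
    """The conditions the lab asks you to verify, expressed as findings.
    An empty list means the locator result is what Lab 2 expects."""
    findings = []
    flags = info["Flags"]
    if "GC" not in flags:
        findings.append("DC is not advertising the Global Catalog (no GC flag)")
    if "WRITABLE" not in flags:
        findings.append("DC is not writable (no WRITABLE flag)")
    if info.get("Dc Site Name") != info.get("Our Site Name"):
        findings.append(
            f"DC is in site {info.get('Dc Site Name')!r} but the client is in "
            f"site {info.get('Our Site Name')!r}: authentication is leaving the site"
        )
    return findings


if __name__ == "__main__":
    result = parse_dsgetdc(SAMPLE_OUTPUT)
    print("logon DC:", result["DC"], "site:", result["Dc Site Name"])
    for finding in locator_findings(result) or ["all checks passed"]:
        print(" -", finding)
```

On a real host the text would come from `subprocess.run(["nltest", "/dsgetdc:a.com"], capture_output=True, text=True).stdout`; the parser is kept separate from that call so it can be exercised offline. The site comparison is the same check that Exercise 3.2 makes after sites have been configured.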


Sites

• Provide a mapping between logical AD components and the physical network infrastructure
• Defined as an area of the network where all domain controllers are connected by a fast and reliable network connection
• Based on IP subnets
• Default site called Default-First-Site-Name
• Advantages of using sites:
  − Manage Replication and Authentication traffic (i.e. limit WAN utilization)
  − “Site-Aware” Network Applications

Overview

The AD DS logical components covered so far are almost completely independent of the physical infrastructure of the network. Sites provide a connection between the logical AD DS components and the physical network infrastructure. A site can be defined as an area of the network where all Domain Controllers are connected by a fast and reliable network connection. Sites are based on one or more Internet Protocol (IP) subnets. The default site is called Default-First-Site-Name and all computers in the forest will be assigned to that site unless additional sites are created.

Advantages

There are a number of advantages to using sites in AD:

Replication

The main reason for creating sites is to be able to control the network traffic that must use slow network connections (e.g. wide area network links). A replication schedule between sites can be used to manage the replication traffic so that it will either occur less frequently or during non-working hours. In addition, by default, replication traffic traversing sites is compressed to conserve bandwidth.


Authentication

Whenever a user logs on to a client computer, the workstation will always try to connect to a Domain Controller in the same site as itself in order to conserve bandwidth and speed up the process. Every Domain Controller registers site-specific service locator (SRV) records with DNS so that the client, where possible, can keep authentication traffic within the same site.

“Site-aware” Network Applications

It is possible for site-aware applications to use knowledge of the site topology to improve the service provided. Examples of site-aware applications include:

Microsoft Exchange Server

Messages sent between Exchange Servers in the same site will always be sent directly from the source Exchange Server to the destination Exchange Server, even if several copies of the same message need to be sent to different servers in the same site. Only single copies of messages are sent between Exchange Servers in different sites, even if the messages are intended for users on several different Exchange Servers in the destination site.

Polycom Notes: The Polycom RealPresence Media Manager (RPMM) application can utilize site-awareness so that client connections receive the best possible bandwidth. Polycom CMA and DMA use site topologies (i.e. sites and site links) to control the maximum bit rate for calls and bandwidth. Sites also help to determine which video resources should be used. The AD sites used by a customer may give a good starting point for defining the Polycom topology.

Joining a Site

AD uses different mechanisms to determine the site for a Domain Controller compared with a member server or workstation.

Domain Controller

When a server is promoted to become a Domain Controller, it is automatically assigned to a site that corresponds with the server's IP address (i.e. IP subnet).

Member Servers and Workstations

These computers are allocated to a site when they first start up and log on to the domain. As part of the initial logon process, the Domain Controller will inform the computer in which site it is located and the client will cache that information for subsequent logons.

Polycom Note: The Polycom RealPresence Media Manager (RPMM) can take advantage of site-awareness so that streamed video can be accessed from the local site where possible.


Lab 3: Configuring Sites in AD

Lab 3
• Exercise 3.1: Configuring Sites in Active Directory

Objective

During this lab, you will configure sites on the a.com domain and demonstrate the Site-Affinity mechanism.

Duration

Estimated time to complete this lab: 35 minutes

What You Will Learn

After completing the exercises you will be able to:
• Configure Sites
• Show Site-Affinity


Lab Architecture Before


After


Exercise 3.1: Configuring Active Directory Sites

In this exercise, you will configure two sites for the a.com domain to demonstrate site affinity.

Task 3.1.1 – Rename the Default Site to EMEA
1. If required, connect to LON-SRV01 using A.COM credentials
2. On LON-SRV01, click Start, Administrative Tools, Active Directory Sites and Services (ADSS)
3. In the left hand pane, expand Sites
4. Right-click the Default-First-Site-Name container and choose the Rename option
5. Change the name to EMEA and press the <Enter> key on the keyboard
6. Right-click on the EMEA entry and choose Properties
7. In the Description field, enter the following text: EMEA Site for A Corp.
8. Click OK

Task 3.1.2 – Create a second site called NA
1. Using the ADSS application on the LON-SRV01
2. Right-click the Sites container and choose the New Site... option
3. Enter a Name of NA
4. Highlight the DEFAULTIPSITELINK listed as a Site Link and click OK
5. Review the Finish Configuration message and click OK
6. Right-click on the NA entry and choose Properties
7. In the Description field, enter the following text: NA Site for A Corp
8. Click OK


Task 3.1.3 – Create subnets for the different sites
1. Using the ADSS application on the LON-SRV01
2. Expand the Sites container, right-click on the Subnets container and choose the New Subnet... option
3. Enter a Prefix of 172.16.2.0/24, highlight NA in the Site Name list and click OK
4. Repeat this procedure to specify a Prefix of 172.16.1.0/24 for EMEA

Task 3.1.4 – Move the NYC-SRV01 Domain Controller from the EMEA site to the NA Site
1. Using the ADSS application on the LON-SRV01
2. Expand the Sites container, expand the EMEA container, expand the Servers container
3. Right-click on the NYC-SRV01 entry and choose the Move... option
4. Highlight NA as the Site Name and click OK

Task 3.1.5 – Verify the configuration of the Site Link between the EMEA and NA Sites
1. Using the ADSS application on the LON-SRV01
2. Expand the Sites container, expand the Inter-Site Transports container, highlight the IP container
3. In the right hand pane, double-click on the DEFAULTIPSITELINK entry
4. Determine the following information from the dialog:

Parameter                     Value
Sites in the Site Link        __________________
Replicate Every (mins)        __________________

5. Leave the DEFAULTIPSITELINK dialog open for the next task


Exercise 3.2: Demonstrate Site-Affinity for Computers in a Domain

Task 3.2.1 – Determine the current Site for CLI02
1. Connect to CLI02 using the CLI02 credentials
2. Click Start, Command Prompt
3. Enter the following command: nltest /dsgetsite
4. Verify that the site is NA

Task 3.2.2 – Review Site-specific DNS records using the Nslookup utility
1. On CLI02, restore Command Prompt
2. Enter the command: nslookup
3. Specify which type of record to request by entering the command: set q=SRV
4. Enter the DNS record names specified in the table below and complete the blanks in the table:

DNS Record Name                               SRV Hostname(s)
_ldap._tcp.dc._msdcs.a.com                    __________________
_ldap._tcp.emea._sites.dc._msdcs.a.com        __________________
_ldap._tcp.na._sites.dc._msdcs.a.com          __________________

5. Leave the nslookup session by entering the command: exit
6. Enter the command: nltest /dsgetdc:a.com


7. From the output returned, record the following:

Parameter          Value
DC                 __________________
DC Site Name       __________________
Our Site Name      __________________

8. Close the Command Prompt
9. Minimize the CLI02 connection

Summary

In this lab you have used the AD Sites and Services application to view the default Site configuration and modified the configuration to create two sites called EMEA and NA with associated IP subnets. In addition, you have placed the CLI01 machine in the NA subnet and demonstrated site-affinity working (i.e. the CLI01 machine tries to use the NYC-SRV01 Domain Controller for authentication).
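The site-affinity mechanism described in the Authentication section and observed with nslookup in Exercise 3.2 rests on two things: the client asks for the site-specific SRV record first and uses the domain-wide record only as a fallback, and the records returned are ordered by priority and weight. The Python below is an added example, not the course's or Microsoft's code: it models that selection against a constructed zone that contains the record names from the lab tables (plus their Global Catalog equivalents from Exercise 2.2), with priorities, weights and lower-case host names chosen as sample data.

```python
import random

# Constructed zone content (not captured from the lab). Each record is
# (priority, weight, port, target host).
ZONE = {
    "_ldap._tcp.dc._msdcs.a.com": [
        (0, 100, 389, "lon-srv01.a.com"),
        (0, 100, 389, "nyc-srv01.a.com"),
    ],
    "_ldap._tcp.emea._sites.dc._msdcs.a.com": [(0, 100, 389, "lon-srv01.a.com")],
    "_ldap._tcp.na._sites.dc._msdcs.a.com": [(0, 100, 389, "nyc-srv01.a.com")],
    "_ldap._tcp.gc._msdcs.a.com": [
        (0, 100, 3268, "lon-srv01.a.com"),
        (0, 100, 3268, "nyc-srv01.a.com"),
    ],
    "_ldap._tcp.emea._sites.gc._msdcs.a.com": [(0, 100, 3268, "lon-srv01.a.com")],
    "_ldap._tcp.na._sites.gc._msdcs.a.com": [(0, 100, 3268, "nyc-srv01.a.com")],
}


def srv_name(domain, site=None, scope="dc"):
    """LDAP SRV record name for Domain Controllers (scope "dc") or Global
    Catalog servers (scope "gc"), optionally restricted to one site."""
    if site:
        return f"_ldap._tcp.{site.lower()}._sites.{scope}._msdcs.{domain}"
    return f"_ldap._tcp.{scope}._msdcs.{domain}"


def order_records(records, rng):
    """RFC 2782 ordering: lowest priority first; within one priority a
    weighted random order, with weight-0 records only used when nothing
    with a positive weight is left."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            if total == 0:
                chosen = rng.choice(group)
            else:
                threshold = rng.uniform(0, total)
                running, chosen = 0, group[-1]
                for r in group:
                    running += r[1]
                    if r[1] > 0 and threshold <= running:
                        chosen = r
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dcs(zone, domain, client_site, scope="dc", seed=None):
    """Mimic the DC locator: query the client's site-specific record first and
    fall back to the domain-wide record only when the site has no DC.
    Returns the record name that answered and the ordered hosts to try."""
    rng = random.Random(seed)
    for name in (srv_name(domain, client_site, scope), srv_name(domain, None, scope)):
        records = zone.get(name, [])
        if records:
            return name, [r[3] for r in order_records(records, rng)]
    return None, []


if __name__ == "__main__":
    for site in ("NA", "EMEA", "APAC"):
        print(site, "->", locate_dcs(ZONE, "a.com", site, seed=1))
```

A client in NA is steered to NYC-SRV01 and one in EMEA to LON-SRV01, which is the affinity the lab demonstrates; a client whose site has no DC (APAC in the sample) falls back to the domain-wide record and may authenticate across the WAN, which is what the site-specific records exist to avoid.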


Directory Partitions

• Physical structure of Active Directory
• Information stored in database divided into logical partitions:
  − Domain Directory Partition
  − Configuration Directory Partition
  − Schema Directory Partition
  − Global Catalog Partition
  − Application Directory Partitions

Overview An earlier section described the logical structure of AD; this topic considers the physical structure. The information stored in the Active Directory database is divided into several logical segments called partitions. Each partition is responsible for storing different types of information. The partitions are also known as naming contexts.


Domain Directory Partition

This partition, also known as the Default Naming Context, contains all of the domain object information including users, contacts, groups and computers. It essentially holds the objects which are accessible through the Active Directory Users and Computers administrative tool. The figure above shows the use of the ADSI Edit tool to display the contents of the Default Naming Context for the a.com domain. Each domain has a separate domain directory partition and it is automatically replicated to all Domain Controllers in the domain. Consequently, all Domain Controllers in the same domain share a full writeable copy of this partition whilst Domain Controllers in any other domain do not hold a copy of this information.

Configuration Directory Partition

This partition contains details of the configuration for the entire forest, for example all of the topology information about domains, sites, site links and replication. It is possible for other applications to also use the configuration partition to store information (e.g. Microsoft Exchange Server). This partition is replicated forest-wide (i.e. to every Domain Controller for any domain in the forest).

Schema Directory Partition

This partition contains the schema for the entire forest. The schema holds the definitions for all objects and attributes that can be configured forest-wide. This partition is also replicated to all Domain Controllers in the entire forest. However, unlike the Configuration Directory Partition, schema updates are only allowed on a single Domain Controller, which is known as the schema operations master.


Global Catalog Partition

This partition is a read-only partition which is constructed from the contents of all domain databases in the forest. It holds a representation of every object in every domain in the forest, but with only a partial attribute set. A copy of the partition is held on all Domain Controllers in the forest with the Global Catalog service enabled.

Application Directory Partitions

These partitions are used to store application-specific information. The advantage of storing information here rather than in one of the other partitions is that the replication scope can be controlled more finely (i.e. it is possible to choose the particular Domain Controllers that should receive a replica of this partition, and they can be located in any domain or site in the forest) and consequently the amount of replication traffic limited. By default, there are no application directory partitions created. An example of the use of this type of partition would be choosing to install a Domain Name Server (DNS) on the first Domain Controller in the forest when you install AD DS. The DNS service uses two application directory partitions named ForestDnsZones and DomainDnsZones to allow storage and replication of DNS records.
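Each partition is a subtree rooted at a naming context, so the partition an object lives in (and therefore which Domain Controllers hold a replica of it) can be worked out from its distinguished name alone. The Python below is an added example, not part of the course: it matches a DN against the partition roots of the lab forest using the longest matching suffix (the schema root is itself inside the configuration root, which is inside the domain root), and then lists which DCs replicate that partition according to the scopes described in the text. The DNs of the two DNS application partitions are the standard ones AD-integrated DNS creates; the child domain, the third DC and the per-DC DNS/GC attributes are constructed sample data. The Global Catalog is not a separate root: it is a partial copy of every domain partition, which is why it is not in the table.

```python
def parse_dn(dn):
    """Split a DN into RDNs (right-most is the root). Escaped commas such as
    "Smith\\, John" stay inside one RDN, and case is normalised because DN
    comparison in AD is case-insensitive."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip().lower())
    return rdns


# Partition roots (naming contexts). The first three are the ones opened in
# Lab 4; the child domain is a constructed addition used for the replica table.
NAMING_CONTEXTS = {
    "DC=a,DC=com": "domain",
    "DC=child,DC=a,DC=com": "domain",
    "CN=Configuration,DC=a,DC=com": "configuration",
    "CN=Schema,CN=Configuration,DC=a,DC=com": "schema",
    "DC=DomainDnsZones,DC=a,DC=com": "application",
    "DC=ForestDnsZones,DC=a,DC=com": "application",
}


def naming_context_of(dn, contexts=NAMING_CONTEXTS):
    """Return (partition root, partition type) for an object DN, or
    (None, None) when the DN is outside every known partition."""
    rdns = parse_dn(dn)
    best, best_len = None, 0
    for root, kind in contexts.items():
        root_rdns = parse_dn(root)
        n = len(root_rdns)
        if n <= len(rdns) and rdns[-n:] == root_rdns and n > best_len:
            best, best_len = (root, kind), n
    return best if best else (None, None)


# Constructed DC inventory (assumption, not the lab): domain, GC and DNS roles.
DCS = {
    "LON-SRV01": {"domain": "a.com", "gc": True, "dns": True},
    "NYC-SRV01": {"domain": "a.com", "gc": True, "dns": True},
    "CHILD-DC1": {"domain": "child.a.com", "gc": False, "dns": False},
}


def domain_of_root(root, skip=0):
    """DC=a,DC=com -> "a.com"; skip leading components for DNS partitions."""
    return ".".join(p.split("=", 1)[1] for p in parse_dn(root)[skip:])


def replica_holders(root, kind, dcs=DCS):
    """DCs holding a full replica, per the replication scope in the text."""
    if kind in ("configuration", "schema"):          # forest-wide
        return sorted(dcs)
    if kind == "domain":                              # every DC of that domain
        domain = domain_of_root(root)
        return sorted(h for h, d in dcs.items() if d["domain"] == domain)
    if root.startswith("DC=ForestDnsZones"):          # every DNS server in the forest
        return sorted(h for h, d in dcs.items() if d["dns"])
    if root.startswith("DC=DomainDnsZones"):          # DNS servers of that domain
        domain = domain_of_root(root, skip=1)
        return sorted(h for h, d in dcs.items() if d["dns"] and d["domain"] == domain)
    return []


if __name__ == "__main__":
    for dn in ("CN=SRV01,CN=Computers,DC=a,DC=com",
               "CN=EMEA,CN=Sites,CN=Configuration,DC=a,DC=com",
               "CN=EmployeeStartDate,CN=Schema,CN=Configuration,DC=a,DC=com"):
        root, kind = naming_context_of(dn)
        print(f"{dn}\n  -> {kind} partition {root}, replicas on {replica_holders(root, kind)}")
```

The three DNs in the `__main__` block are the objects inspected in Lab 4; the same function placed on a configuration or schema object reports every DC in the forest as a replica holder, which is the forest-wide replication the text describes.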


Lab 4: Investigate Directory Partitions using the ADSI Edit Tool

Lab 4
• Exercise 4.1: Investigate Directory Partitions using the ADSI Edit Tool

Objective

During this lab, you will investigate the various Directory Partitions in the AD Directory Service (DS) database using the ADSI Edit utility.

Duration

Estimated time to complete this lab: 15 minutes

What You Will Learn

After completing the exercises you will be able to:
• Use the ADSI Edit tool
• Utilize this tool to determine the contents of the various Directory Partitions in the AD DS database


Lab Architecture


Exercise 4.1: Using the ADSI Edit utility

In this exercise, you will investigate the various Directory Partitions in the AD Directory Service (DS) database using the ADSI Edit utility.

Task 4.1.1 – Use the ADSI Edit utility to investigate the Domain Directory Partition
1. If required, connect to the LON-SRV01 using the A.COM credentials
2. On LON-SRV01, click Start, Administrative Tools, ADSI Edit
3. Highlight ADSI Edit in the left-hand pane
4. From the Action menu, select the Connect To... option
5. Ensure that the Default naming context entry from the Select a well-known Naming Context drop-down list is selected
6. Click OK
7. In the left-hand pane, expand the Default naming context container
8. Expand the DC=a,DC=com container
9. In the left-hand pane, highlight the CN=Computers container
10. Right-click the CN=SRV01 entry in the right-hand pane and choose the Properties option
11. Scroll down through the Attributes list to Description
12. Verify this is the same description (i.e. Main File Server for a.com) as entered using ADUC in an earlier exercise
13. Click the Cancel button
14. Minimize ADSI Edit

Task 4.1.2 – Use the ADSI Edit utility to investigate the Configuration Partition
1. Restore ADSI Edit
2. In the left-hand pane, right-click on the Default Naming Context container and select the Settings... option
3. Choose the Configuration entry in the Select a well-known naming context drop-down list
4. Click OK
5. In the left-hand pane, expand the Configuration container


6. Expand the CN=Configuration,DC=a,DC=com container
7. Expand the CN=Sites container
8. Highlight the CN=EMEA container
9. Right-click the entry and choose the Properties option
10. Scroll down through the Attributes list to Description
11. Verify this is the same description (i.e. EMEA Site for A Corp.) entered using ADSS in a previous exercise
12. Click the Cancel button
13. Minimize ADSI Edit

Task 4.1.3 – Use the ADSI Edit utility to investigate the Schema Partition
1. Restore ADSI Edit
2. In the left-hand pane, right-click on the Configuration container and select the Settings option
3. From the Select a well-known naming context drop-down list, choose the Schema entry
4. Click OK
5. In the left-hand pane, expand the Schema container
6. Expand the CN=Schema,CN=Configuration,DC=a,DC=com container
7. In the right-hand pane, scroll down to the CN=EmployeeStartDate entry
8. Right-click the entry and choose the Properties option
9. Scroll down through the Attributes list to whenCreated
10. Verify this is the same Attribute created using ADS in a previous exercise
11. Click the Cancel button
12. Close ADSI Edit

Summary

In this lab you have utilized the ADSI Edit tool to investigate the Directory Partitions which partition the AD DS database.


Trust Relationships

• Authentication connection between domains
• Automatically configured between all domains in a forest
• Two-way, incoming and outgoing trusts

Overview

A Trust can be defined as an authentication connection between two domains. If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain.

As discussed earlier in the course, the domain is the boundary of resource access in an enterprise. If they have sufficient permissions, a user can access any shared resource in the same domain. In order for the same user to access shared resources in another domain, an AD DS trust relationship must be utilized. Within a forest, this is handled by default with the automatic creation of transitive two-way trusts between all the domains.

Note: Automatically configured trusts cannot be removed or re-configured.

Forest Trusts

By default there is no trust relationship between two separate forests. However, a forest trust can be used to provide security principals (e.g. users) in one forest with access to resources in a domain in a different forest. In addition, this type of trust allows users to provide the same UPN in order to log on to any domain in either forest.

Note: A forest functional level of Windows Server 2003 or higher is required to support forest trusts.

Limitations

There are some limitations with the use of a forest trust:
• No transitivity (i.e. credentials cannot be forwarded on to another forest)
• No replication between the two forests



This lack of replication means that the Global Catalog only includes records for the single forest unless another application is configured to provide replication (e.g. Microsoft Metadirectory Services and Microsoft Identity Integration Server).

Polycom Note: In a multi-forest environment Polycom servers will only be able to search for users and groups in a single forest.

External

An external trust relationship is typically created between an AD DS domain and a Windows NT 4.0 or earlier domain.

Resource Forest Model

It is common for service providers to utilize a resource forest model when providing services to customers. In this model, a separate forest is used to manage resources, with only a few user accounts required for service administration. Forest trusts are established so that users from other forests can access these resources. This model provides service isolation to protect areas of the network that need to maintain a high state of availability.


Lab 5: Configuring Active Directory Forests

Lab 5
• Configuring a New Active Directory Forest
• Create a Forest Trust Relationship


Objective

During this lab, you will re-configure the environment to show a multi-forest situation and subsequently you will configure and investigate Forest Trusts.

Duration

Estimated time to complete this lab: 60 minutes

What You Will Learn

After completing the exercises you will be able to:
• Configure a multi-forest environment
• Configure and investigate Forest Trusts


Lab Architecture

Before


After


Exercise 5.1: Configuring Active Directory Forest Trusts

In this exercise, you will configure trusts between two Active Directory Forests to investigate the advantages and disadvantages of this arrangement.

Note: This is a common initial scenario when two enterprises merge operations.

Task 5.1.1 – Demote the NYC-SRV01 from the a.com domain

Note: This task demotes the NYC-SRV01 Domain Controller for a.com to make it available to become a Domain Controller for the b.com domain. This step is necessary in the training environment because of limited server resources.

1. If required, connect to the NYC-SRV01 using the A.COM credentials
2. On NYC-SRV01, click Start, Run...
3. Enter the command: dcpromo
4. Click OK
5. When the wizard activates, click Next at the Welcome screen
6. Click OK to acknowledge the message regarding the requirement for Global Catalog services
7. Leave the Delete Domain option unchecked and click Next

Note: This is not the last Domain Controller in the domain.

8. Initially the dialog does not appear to update; however, wait ~30s and then specify a password of Polycom!24 for the new Administrator account and click Next
9. Review the Summary and click Next
10. When the process completes after a few minutes, click Finish

Note: The AD DS binaries can remain on the system.

11. Click the Restart Now button 

Note: It may take a few minutes for the VM to restart.


Task 5.1.2 – Promote the NYC-SRV01 to be the Domain Controller for the b.com domain

1. Connect to the NYC-SRV01 using the NYC-SRV01b credentials
2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On NYC-SRV01, click Start, Run...
4. Enter the command: dcpromo
5. Click OK
6. When the wizard activates, click Next at the Welcome screen
7. Click Next at the Operating System Compatibility message
8. Choose to Create a new domain in a new forest and click Next
9. Enter b.com as the forest root domain
10. Click Next

Note: The wizard checks whether the FQDN is already in use and also whether the NetBIOS alternative is in use before proceeding.

11. Keep the Forest Functional Level at Windows Server 2003 and click Next
12. Keep the Domain Functional Level at Windows Server 2003 and click Next
13. In the Additional Domain Controller Options dialog, review the suggested selection (i.e. existing DNS Server and add Global Catalog component) and click Next
14. Click Yes to confirm that a delegation for this DNS Server cannot be created because there is no authoritative parent domain
15. Review the paths to the Database, Log and SYSVOL folders. Click Next

Note: These database and log files are discussed further on in the Student Guide.

16. Specify a Directory Services Restore Mode password of Password123 and click Next
17. Click Next at the Summary dialog – the promotion now commences
18. Click OK to acknowledge that the computer has been removed from the domain but its Computer Account still exists
19. When the process has completed, click Finish



20. Click the Restart Now button 

Note: The VM will take a couple of minutes to restart.

Challenge 5.1.3 – Use the ADSI Edit tool to verify whether the employeeStartDate attribute exists in the Schema of the b.com Domain

Note: Using similar procedures to those described in previous tasks, attempt to verify whether the EmployeeStartDate attribute is present in the b.com domain schema. If the attribute is not present in the schema, describe below why this is to be expected.

______________________________________________________________________


Solution 5.1.3 – Use the ADSI Edit tool to verify whether the employeeStartDate attribute exists in the Schema of the b.com Domain

1. Connect to the NYC-SRV01 using the B.COM credentials
2. On NYC-SRV01, click Start, Administrative Tools, ADSI Edit
3. Highlight ADSI Edit in the left-hand pane
4. From the Action menu, select the Connect To... option
5. Ensure that the Schema entry from the Select a well-known naming context drop-down list is selected
6. Click OK
7. In the left-hand pane, expand the Schema container
8. Expand the CN=Schema,CN=Configuration,DC=b,DC=com container
9. In the right-hand pane, scroll down the list and verify that the CN=EmployeeStartDate entry is not present
10. Close ADSI Edit

Challenge 5.1.4 – Join the CLI01 into the b.com domain

Note: Using similar procedures to those described in previous tasks, attempt to make CLI01 a member of the b.com domain. If you would prefer to follow instructions then turn to the next page for the Challenge 5.1.4 Solution.


Solution 5.1.4 – Join the CLI01 into the b.com domain

Sub-Task 5.1.4.1 – Modify the DNS settings to use the correct DNS

1. Connect to CLI01 using the A.COM credentials
2. On CLI01, click Start, Control Panel
3. Choose Large icons from the Category drop-down list
4. Click the Network and Sharing Center applet
5. Click the Change adapter settings link in the left-hand pane
6. Right-click on the Local Area Connection and select Properties
7. Highlight Internet Protocol Version 4 and click the Properties button
8. Specify a Preferred DNS Server of 172.16.2.11 and ensure that the Alternate entry is left blank
9. Click OK
10. Click Close
11. Close the Network Connections dialog

Sub-Task 5.1.4.2 – Join the CLI01 into the b.com domain

1. If required, connect to the CLI01 using the A.COM credentials
2. On CLI01, click Start, Control Panel, System
3. Click on the Change settings link
4. Click the Change... button
5. Modify the Domain from a.com to b.com and click OK
6. If prompted, click OK to acknowledge the error
7. In the Windows Security dialog, specify B.COM credentials
8. Click OK
9. Click OK to acknowledge successfully joining the b.com domain
10. Click OK to acknowledge a restart is required
11. Click Close
12. Click Restart Now



Note: The restart may take approximately 5-10 minutes.

Task 5.1.5 – Verify an Unsuccessful Attempt to access the Files share on SRV01 from CLI01

1. Connect to the CLI01 short-cut using the B.COM credentials
2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On CLI01, click Start, Run...
4. Enter the following command: \\172.16.1.13\files
5. Click OK
6. When prompted with the Windows Security dialog, click the Cancel button

Note: This connection attempt was unsuccessful.

Task 5.1.6 – Configure an incoming Forest Trust for a.com on the Domain Controller for b.com

1. Connect to the NYC-SRV01 short-cut using the B.COM credentials
2. On NYC-SRV01, click Start, Administrative Tools, Active Directory Domains and Trusts (ADDT)
3. In the left-hand pane, right-click b.com and choose the Properties option
4. Click the Trusts tab
5. Click the New Trust... button
6. When the wizard launches, click Next at the New Trust Welcome screen
7. Enter a.com for the name of the forest and click Next
8. Choose a Forest trust and click Next
9. Specify One-way: incoming and click Next
10. Choose This domain only and click Next
11. Specify a trust password of Secret1, confirm the password and click Next
12. Click Next to create the trust
13. Click Next to verify the trust was created successfully



14. Select No, do not confirm the incoming trust and click Next

Note: The trust has not been configured on the a.com domain and consequently cannot yet be verified.

15. Click Finish
16. Review the configured trust settings and click OK
17. Close ADDT
18. Minimize the NYC-SRV01 connection

Task 5.1.7 – Verify an Unsuccessful Configuration of an outgoing Forest Trust for b.com on the Domain Controller for a.com

1. If required, connect to the LON-SRV01 short-cut using the A.COM credentials
2. On LON-SRV01, click Start, Administrative Tools, Active Directory Domains and Trusts (ADDT)
3. In the left-hand pane, right-click a.com and choose the Properties option
4. Click the Trusts tab
5. Click the New Trust... button
6. When the wizard launches, click Next at the New Trust Welcome screen
7. Enter b.com for the name of the forest and click Next
8. After a period, a dialog is displayed indicating that the name specified is not a valid Windows domain name
9. Record below why this error is displayed:
   _________________________________________________________________
10. Click Cancel
11. Click Cancel
12. Minimize ADDT


Task 5.1.8 – Add DNS Forwarder record to the DNS on LON-SRV01

Note: An error was displayed in the previous task because the DNS server on LON-SRV01, which was used to resolve the b.com domain, has no records for that AD entity, since it is in a different forest. This problem can be resolved by adding a DNS Forwarder record to the DNS on LON-SRV01, which passes requests that cannot be resolved locally on to another DNS server. In this case, the Forwarder will point to the DNS on NYC-SRV01, which should be able to resolve the query for b.com.

1. On LON-SRV01, click Start, Administrative Tools, DNS
2. In the left-hand pane, right-click on the LON-SRV01 container and choose the Properties option
3. Select the Forwarders tab
4. Click the Edit... button
5. Type 172.16.2.11 (i.e. the IP address of the NYC-SRV01) and press the <Enter> key on the keyboard
6. After about 30s the record should be successfully validated
7. Click OK
8. Click OK
9. Close DNS Manager

Task 5.1.9 – Verify Successful Configuration of an outgoing Forest Trust for b.com on the Domain Controller for a.com

1. If required, connect to the LON-SRV01 short-cut using the A.COM credentials
2. Restore ADDT
3. In the left-hand pane, right-click a.com and choose the Properties option
4. Click the Trusts tab
5. Click the New Trust... button
6. When the wizard launches, click Next at the New Trust Welcome screen
7. Enter b.com for the name of the forest and click Next
8. Choose a Forest trust and click Next
9. Specify One-way: outgoing and click Next
10. Choose This domain only and click Next



11. Choose Forest-wide and click Next
12. Specify a trust password of Secret1, confirm the password and click Next
13. Click Next to create the trust
14. Click Next to verify the trust was created successfully
15. Select Yes, confirm the outgoing trust and click Next

Note: The trust has been configured on the b.com domain and consequently can be verified.

16. Click Finish
17. Review the configured trust settings and click OK
18. Minimize ADDT
19. Minimize the LON-SRV01 connection

Task 5.1.10 – Verify Successful access to the Files share on SRV01 from CLI01

1. If required, connect to the CLI01 short-cut using the B.COM credentials
2. On CLI01, click Start, Run...
3. Enter the following command: \\SRV01\files
4. Click OK
5. Verify the files can be viewed in the files share on SRV01
6. Close the Files Share window
7. Minimize the CLI01 connection


Task 5.1.11 – Delete the forest trust

Note: In this task you will remove the Forest Trust in preparation for a future exercise.

1. If required, connect to the LON-SRV01 short-cut using the A.COM credentials
2. On LON-SRV01, restore ADDT
3. In the left-hand pane, right-click a.com and choose the Properties option
4. Click the Trusts tab
5. In the Domains Trusted by this Domain (Outgoing Trusts) section, highlight the entry for b.com and click the Remove button
6. Specify the No, remove the trust from the local domain only option and click OK
7. Click Yes to confirm the action
8. Click OK
9. Close ADDT
10. Minimize the LON-SRV01 connection

Summary

In this exercise, you have configured a trust relationship between the a.com and b.com Active Directory Forests. The advantage of this arrangement is that users in a.com can gain access to resources in the b.com forest and vice-versa. The main disadvantage of this arrangement is that the schema changes in a.com are not reflected in the b.com forest. The isolated schema means that applications such as Microsoft Exchange Server, which utilize the schema for storing configuration data, cannot operate under these conditions (i.e. spanning multiple forests).


Types of Trust Relationships

Types of Trust Relationship
• Inter-domain trusts
  − Parent/Child
  − Tree Root
  − Transitive
• Forest and external trusts
• Resource forest model


Types

There are many different types of trust relationships, including the following:

Parent-Child and Tree Root Trusts

The figure below shows several examples of parent-child trusts, for example the relationship between the a.com domain and the na.a.com domain.


The figure also shows an example of a tree root trust between the a.com and the c.com domains.

Outgoing/Incoming/Two-Way Trusts

When a domain is added to a forest, it is automatically configured with a transitive two-way trust between itself and any child, parent or peer domains. This means that this domain trusts the other domains and also the other domains trust this domain. However, when a trust is explicitly defined it may be configured as a one-way trust:

Outgoing Trust: Another domain is trusted by this domain.

Incoming Trust: Another domain trusts this domain.

Note: It is necessary to configure both sides of these one-way trusts (i.e. incoming for one domain and outgoing for the other domain).

Transitive

This concept is best explained with an example based on the figure above. If the a.com domain trusts the na.a.com domain, and the emea.a.com domain trusts the a.com domain, then transitivity means that the emea.a.com domain also trusts the na.a.com domain. Consequently, assuming it is a two-way trust, users in the na.a.com domain can access resources in the emea.a.com domain and vice versa. The transitive trusts concept also applies to the tree root trusts.
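As an added illustration of the direction and transitivity rules in this section and in the Trust Relationships overview above (example code written for this guide, not Polycom's or Microsoft's), the following Python model takes the a.com forest from the figure (na.a.com, emea.a.com, c.com), the one-way forest trust from Lab 5 and two constructed entries (a third forest x.com and an external trust to an NT 4.0-style domain nt4dom), and answers whether a user from one domain can be authenticated for a resource in another. Selective authentication and SID filtering are not modelled.

```python
"""Model of Active Directory trust direction and transitivity.

Added illustration for this guide (not Polycom's or Microsoft's code). Rules
follow the guide's definitions: an outgoing trust from X to Y means X trusts
Y, so principals from Y are accepted for resources in X; intra-forest trusts
are transitive; a forest trust reaches every domain in the other forest but
is never chained on into a third forest; an external trust is not transitive.
Selective authentication and SID filtering are not modelled.
"""
from collections import deque
from dataclasses import dataclass

INTRA_FOREST = "intra-forest"  # parent-child or tree-root: transitive, two-way
FOREST = "forest"              # explicit forest trust: transitive only between the two forests
EXTERNAL = "external"          # explicit external trust: never transitive


@dataclass(frozen=True)
class Trust:
    trusting: str          # domain whose resources become reachable
    trusted: str           # domain whose users are accepted
    kind: str
    two_way: bool = False

    def edges(self):
        """Directed 'src trusts dst' pairs represented by this trust."""
        yield (self.trusting, self.trusted)
        if self.two_way:
            yield (self.trusted, self.trusting)


def can_authenticate(user_domain, resource_domain, trusts):
    """True if resource_domain trusts user_domain directly or transitively.

    Breadth-first search from the resource domain along 'trusts' edges; the
    search state records whether a forest trust has already been crossed.
    """
    if user_domain == resource_domain:
        return True
    adjacency = {}
    for trust in trusts:
        for src, dst in trust.edges():
            adjacency.setdefault(src, []).append((dst, trust.kind))
    start = (resource_domain, False)
    seen = {start}
    queue = deque([start])
    while queue:
        domain, crossed_forest = queue.popleft()
        for nxt, kind in adjacency.get(domain, []):
            if kind == EXTERNAL:
                # Only the two domains on the external trust itself are covered.
                if domain == resource_domain and nxt == user_domain:
                    return True
                continue
            if kind == FOREST:
                if crossed_forest:
                    continue  # credentials are not forwarded on to another forest
                state = (nxt, True)
            else:
                state = (nxt, crossed_forest)
            if nxt == user_domain:
                return True
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


def trusts_tab(domain, trusts):
    """Direct trusts as the ADDT Trusts tab lists them for one domain."""
    outgoing, incoming = [], []
    for trust in trusts:
        for src, dst in trust.edges():
            if src == domain:
                outgoing.append(dst)
            elif dst == domain:
                incoming.append(src)
    return {"trusted_by_this_domain": sorted(outgoing),
            "trust_this_domain": sorted(incoming)}


# Constructed sample: the guide's a.com forest and Lab 5 forest trust, plus a
# third forest (x.com) and an NT 4.0-style external trust (nt4dom) to show the
# non-transitive cases.
LAB_TRUSTS = [
    Trust("a.com", "na.a.com", INTRA_FOREST, two_way=True),    # parent-child
    Trust("a.com", "emea.a.com", INTRA_FOREST, two_way=True),  # parent-child
    Trust("a.com", "c.com", INTRA_FOREST, two_way=True),       # tree root
    Trust("a.com", "b.com", FOREST),        # Lab 5: outgoing on a.com, incoming on b.com
    Trust("x.com", "a.com", FOREST),        # constructed: x.com trusts the a.com forest
    Trust("emea.a.com", "nt4dom", EXTERNAL),  # constructed external trust
]

if __name__ == "__main__":
    for user, resource in [("na.a.com", "emea.a.com"), ("b.com", "a.com"),
                           ("a.com", "b.com"), ("b.com", "x.com")]:
        print(f"{user} user -> {resource} resource: {can_authenticate(user, resource, LAB_TRUSTS)}")
    print(trusts_tab("a.com", LAB_TRUSTS))
```

The b.com to x.com case returns False because the path would have to cross two forest trusts, which is the "no transitivity" limitation listed in the overview.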


Lab 6: Configuring Active Directory Sub-Domains

Lab 6
• Exercise 6.1: Configuring Active Directory Sub-Domains


Objective

During this lab, you will re-configure the environment to show a multi-domain scenario and subsequently you will configure and investigate Parent-Child Trusts.

Duration

Estimated time to complete this lab: 45 minutes

What You Will Learn

After completing the exercises you will be able to:
• Configure a multi-domain environment
• Configure and investigate Parent-Child trusts


Lab Architecture

Before


After


Exercise 6.1: Configuring Active Directory Child domain

Objective

In this exercise, you will configure a multi-domain Active Directory environment to investigate the advantages of the Parent-Child trusts which are configured automatically.

Note: This is a common scenario when two enterprises have initially merged operations and now would like to integrate more closely.

Task 6.1.1 – Demote the NYC-SRV01 from the b.com domain

Note: This task provides a server which can be used as the Domain Controller for the na.a.com child domain. It is required only in the training environment due to limited server resources.

1. If required, connect to the NYC-SRV01 using the B.COM credentials
2. On NYC-SRV01, click Start, Run...
3. Enter the command: dcpromo
4. Click OK
5. When the wizard launches, click Next at the Welcome screen
6. Click OK to acknowledge that a Global Catalog server is required to process logon attempts
7. Tick the Delete Domain option and click Next

Note: This option is required because this is the last Domain Controller in the domain.

8. After about 30s, click Next to remove all the directory partitions
9. Tick the Delete all Application Directory partitions option and click Next
10. Specify a password of Polycom!24 for the new Administrator account and click Next
11. Review the Summary and click Next
12. When the process completes after a few minutes, click Finish
13. Click the Restart Now button


Task 6.1.2 – Promote the NYC-SRV01 to be the Domain Controller for the na.a.com Child Domain in the a.com Root Domain/Forest

1. Connect to the NYC-SRV01 using the NYC-SRV01b credentials

Note: If you cannot connect then complete the following steps to see whether the NYC-SRV01 machine has restarted:
• Select the Machines tab in the CloudShare web interface
• Scroll down to NYC-SRV01
• Click the View Machine button. This will display the console connection to the server.
• Once it displays the message "Press CTRL + ALT + DEL to log on" you should return to the Entry Machine and use the Remote Desktop connection to NYC-SRV01

2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On NYC-SRV01, click Start, Run...
4. Enter the command: dcpromo
5. Click OK
6. When the wizard activates, click Next at the Welcome screen
7. Click Next at the Operating System Compatibility message
8. Choose the Existing forest option
9. Specify Create a new domain in an existing forest and click Next
10. Enter a FQDN for the forest root domain of: a.com
11. Click the Set button and specify the A.COM credentials
12. Click OK
13. Click Next
14. In the FQDN of the parent domain field enter the following: a.com



15. In the Single label DNS name of child domain field enter: na
16. Click Next

Note: The wizard checks whether the FQDN is already in use and also whether the NetBIOS alternative is in use before proceeding.

17. Keep the Domain Functional Level at Windows Server 2003 and click Next
18. Specify below why the Wizard does not ask about the Forest Functional Level:
    _________________________________________________________________
19. Verify that the selected site corresponds to the IP address and is NA based
20. Click Next
21. In the Additional Domain Controller Options dialog, modify the suggested selection to include a Global Catalog component and click Next
22. Review the paths to the Database, Log and SYSVOL folders. Click Next
23. Specify a Directory Services Restore Mode password of Password123 and click Next
24. Click Next at the Summary dialog – the promotion now commences
25. When the process has completed, click Finish

Note: This process may take several minutes to complete.

26. Click the Restart Now button 

Note: The VM will take a couple of minutes to restart.

Challenge 6.1.3 – Join the CLI01 into the na.a.com domain

Note: Using similar procedures to those described in previous tasks, attempt to join the CLI01 into the na.a.com domain. If you would like to follow instructions for this challenge then see the next page.


Solution 6.1.3 – Join the CLI01 into the na.a.com domain

1. If required, connect to the CLI01-NA short-cut using the CLI01 credentials

Sub-Task 6.1.3.1 – Verify the DNS settings are valid

1. On CLI01, click Start, Command Prompt
2. Enter the command: ping 172.16.2.11
3. Verify a response is received from NYC-SRV01 before proceeding with the next step
4. Close Command Prompt
5. Click Start, Control Panel
6. Choose Large icons from the Category drop-down list
7. Click the Network and Sharing Center applet
8. Click the Change adapter settings link in the left-hand pane
9. Right-click on the Local Area Connection and select Properties
10. Highlight Internet Protocol Version 4 and click the Properties button
11. Verify a Preferred DNS Server entry of 172.16.2.11 and ensure that the Alternate entry is left blank
12. Click Cancel
13. Click Close
14. Close the Network Connections dialog

Sub-Task 6.1.3.2 – Join the na.a.com domain

1. On CLI01, click Start, Control Panel, System applet
2. Click on the Change settings link
3. Click the Change... button
4. Modify the Domain from b.com to na.a.com and click OK
5. In the Windows Security dialog, specify the NA.A.COM credentials
6. Click OK
7. Click OK to acknowledge successfully joining the na.a.com domain



8. Click OK to acknowledge a restart is required
9. Click Close
10. Click Restart Now

Note: If prompted, ignore any message stating that other users may be logged on.

Task 6.1.4 – Verify a Successful Attempt to access the Files share on SRV01 from CLI01

1. Connect to the CLI01 short-cut using the NA.A.COM credentials
2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On CLI01, click Start, Run...
4. Enter the following command: \\172.16.1.13\files
5. Click OK
6. Verify that the files can be viewed in the SRV01 share
7. Close the Files share window
8. Minimize the CLI01 connection

Task 6.1.5 – Verify that trusts have automatically been created between a.com and na.a.com

1. If required, connect to the NYC-SRV01 short-cut using the NA.A.COM credentials
2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On NYC-SRV01, click Start, Administrative Tools, Active Directory Domains and Trusts (ADDT)
4. In the left-hand pane, right-click on a.com and select Properties
5. Select the Trusts tab and complete the following table:

Section                        | Domain Name | Trust Type | Transitive
Domains Trusted by this Domain |             |            |
Domains that Trust this Domain |             |            |



6. Click Cancel
7. In the left-hand pane, right-click on na.a.com and select Properties
8. Select the Trusts tab and complete the following table:

Section                        | Domain Name | Trust Type | Transitive
Domains Trusted by this Domain |             |            |
Domains that Trust this Domain |             |            |

9. Click Cancel
10. Close ADDT
11. Minimize the NYC-SRV01 connection

Exercise 6.2: Using trusts to configure permissions for a user in the na.a.com domain to access a resource in the a.com domain

In this exercise, you will demonstrate that it is possible to configure permissions for a user in a child domain to access a resource located in the parent domain.

Task 6.2.1 – Re-configure Share on SRV01

1. If required, connect to the SRV01 using the A.COM credentials
2. If Server Manager starts, tick the Do not show me this console at logon option and close the application
3. On SRV01, click Start, Computer and double-click the Local Disk (C:) icon
4. Right-click on the Files folder and select Properties
5. Choose the Sharing tab
6. Click the Advanced Sharing... button
7. Click the Permissions button
8. Click the Add button
9. In the Enter the Object Name to Select field, enter the name: Administrator@a.com
10. Click the Check Names button
11. When the entry is validated (i.e. underlined) click OK



12. In the Group or username field, highlight the Authenticated Users entry and click the Remove button
13. In the Group or username field, highlight the Administrator entry and tick the Full Control option in the Allow column of the permissions section
14. Click OK
15. Click OK
16. Click Close
17. Close the Local Disk (C:) dialog
18. Minimize the connection window for SRV01

Task 6.2.2 – Verify unsuccessful share access to the Files share on SRV01 using CLI01

1. Connect to the CLI01-NA, using the NA.A.COM credentials
2. Before proceeding further, verify the desktop shows:

Logged on user: na\administrator

If the correct user is not displayed then log out and re-connect to CLI01-NA as specified above

3. On CLI01, click Start, Run
4. Enter the following command and click OK: \\SRV01\Files
5. Verify the share is not accessible and record the title of the prompt displayed:

________________________________________________

6. Explanation: The logon credentials supplied (i.e. administrator@na.a.com) do not match any entry in the access control list for the Files share on SRV01 and so access to the share is denied
7. Click Close

Task 6.2.3 – Re-configure Share on SRV01 to include the administrator@na.a.com

1. If required, connect to the SRV01 using the A.COM credentials
2. On SRV01, click Start, Computer and double-click the Local Disk (C:) icon
3. Right-click on the Files folder and select Properties



4. Choose the Sharing tab
5. Click the Advanced Sharing... button
6. Click the Permissions button
7. In the Group or Usernames field, highlight the Administrator (A\Administrator) entry and click the Remove button
8. Click the Add button
9. Click the Advanced... button
10. Click the Locations... button
11. Expand the entry for a.com
12. Highlight the entry for na.a.com and click the OK button

Note: The search should now be limited to objects in the na.a.com domain. Also, the object types are now limited to User and Groups only.

13. In the Name field, enter the name: Administrator
14. Click the Find Now button
15. In the Search results section, highlight the entry for Administrator, verify the In Folder column indicates na.a.com/Users/ and click OK
16. Click OK
17. In the Group or Usernames field, highlight the Administrator (NA\Administrator) entry and tick the Full Control option in the Allow column of the permissions section
18. Click OK
19. Click OK
20. Click Close
21. Close the Local Disk (C:) dialog
22. Minimize the connection window for SRV01


Task 6.2.4 – Verify successful share access to the Files share on SRV01 using CLI01

1. If required, connect to the CLI01-NA, using the NA.A.COM credentials
2. On CLI01, click Start, Run
3. Enter the following command and click OK: \\SRV01\Files
4. Verify the share is now accessible
5. Click Close

Summary

During this lab, you have re-configured the environment to show a multi-domain scenario. You have investigated the Parent-Child trusts which are configured automatically for domains in the same forest and determined that users in na.a.com have access to resources in a.com and vice-versa.


Course Summary

Course Summary
• This course has covered:
  − The key elements of Microsoft Active Directory design
  − How Active Directory design impacts upon integration with Polycom solutions




What's Next

What's Next
• There are other courses available in the Essentials series including:
  − Essential Communication Security Skills for Polycom Solutions
  − Essential Network Infrastructure Security Skills for Polycom Solutions
• Our RealPresence Platform Series currently includes:
  − RealPresence Resource Manager Overview
