Showing posts with label Windows Server Fundamentals. Show all posts

Saturday, January 21, 2017

Microsoft INF200.1x, Windows Server 2012 Fundamentals: Infrastructure - Domain and Domain Tree


What is a domain?

A domain is a logical grouping
An AD DS domain is a logical grouping of user, computer, and group objects for the purposes of management and security. All of these objects are stored in an AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain. A domain is created when you promote a server to a domain controller.
There is always at least one domain, but you could have more
Most organizations could deploy only a single domain and ensure that all domain controllers contain all the domain information. However, organizations that have decentralized administrative structures, or that are distributed across multiple locations, might consider implementing multiple domains in the same forest to accommodate the administrative needs of their environment.
Tip
A single domain can contain approximately 2 billion objects, so most organizations do not need to deploy multiple domains due to object limitations. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.

A domain is a replication, administrative, and authentication boundary

Visual representation of the three boundaries: replication, administrative, and authentication.
A domain is a replication boundary
When changes are made to any object in the domain, the domain controller where the change was made replicates that information to other domain controllers in the domain. This is referred to as a multi-master replication model and allows every domain controller in the domain to make changes to objects in the domain.
The domain is an administrative boundary
The domain contains an Administrator account and a Domain Admins group. By default, the Administrator account is a member of the Domain Admins group, and the Domain Admins group is a member of every local Administrators group of domain-joined computers. Also, by default, the Domain Admins group members have full control over every object in the domain.
The domain is an authentication boundary
An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins group, which both have full control over every object in the domain. Unless they are in the forest root domain, however, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. The AD DS domain also provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must connect to a domain controller to authenticate.
Tip
Domains do not provide security boundaries, because all domains in the forest trust each other.

What is a domain tree?

A domain tree is contiguous
A domain tree is a collection of one or more domains that share a contiguous namespace and have a parent/child relationship. A forest can consist of a single tree or of multiple trees. The idea is that a tree is the fully qualified domain name (FQDN) of the domain and all its children. A tree serves no administrative purpose; in other words, there is no tree administrator as there is for a forest or domain.
Visual representation of a domain tree showing adatum.com with two domain trees.
What are the flexible single master operation (FSMO) roles for the domain?
Visual representation of the three FSMO roles: RID, Infrastructure, and PDC Emulator.
Only one domain controller in the domain performs each role. By default, the first domain controller in a domain fulfills all of these roles. Optionally, you can change the role holder to another domain controller within the same domain.
Relative ID (RID) Master role
The RID master plays an integral part in the generation of SIDs for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs that it generates are unique.
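Added example, not course material: it shows how a SID decomposes into the domain SID plus a RID, and checks that no two accounts in one domain share a RID, which is exactly the property the RID master's pool allocation guarantees. The SIDs are constructed sample values and the function names are my own.

```powershell
# Added example (not from the course): a SID is the domain SID with a RID appended.
# Split-Sid separates the two; Test-RidUniqueness flags a RID issued twice in one domain.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # Well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) carry no domain SID,
    # so AccountDomainSid is $null for them.
    $domain = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
    $rid = [int]($Sid.Substring($Sid.LastIndexOf('-') + 1))
    [pscustomobject]@{ Sid = $Sid; DomainSid = $domain; Rid = $rid }
}

function Test-RidUniqueness {
    param([Parameter(Mandatory)][string[]]$Sids)
    # Only domain SIDs take part: a SID is unique only if (domain SID, RID) is unique.
    $parsed = $Sids | ForEach-Object { Split-Sid $_ } | Where-Object DomainSid
    $dupes  = $parsed | Group-Object DomainSid, Rid | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        Write-Warning ("SID {0} issued {1} times" -f $d.Group[0].Sid, $d.Count)
    }
    return (@($dupes).Count -eq 0)
}

# Constructed sample: one domain SID, the built-in RIDs 500 (Administrator) and
# 512 (Domain Admins), two user RIDs, and a deliberately repeated RID 1105.
$sample = @(
    'S-1-5-21-1004336348-1177238915-682003330-500',
    'S-1-5-21-1004336348-1177238915-682003330-512',
    'S-1-5-21-1004336348-1177238915-682003330-1105',
    'S-1-5-21-1004336348-1177238915-682003330-1106',
    'S-1-5-21-1004336348-1177238915-682003330-1105',
    'S-1-5-32-544'   # BUILTIN\Administrators: no domain SID, skipped by the check
)
$sample | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
Test-RidUniqueness -Sids $sample     # $false: RID 1105 appears twice in the same domain
```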
Infrastructure Master role
In a multiple domain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the references.
PDC Emulator role
The PDC Emulator role performs the following crucial functions for a domain:
  • Participates in special password update handling for the domain. When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC Emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.
  • Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC Emulator acts as the default focal point for all Group Policy changes.
  • Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. By default, the PDC Emulator in the forest root domain is the time master for the entire forest. The PDC Emulator in each domain synchronizes its time with the forest root PDC Emulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC Emulator. All other domain members synchronize their time with their preferred domain controller.
  • Acts as the domain master browser. When you open the network node in File Explorer, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. The browser service creates these two lists, called browse lists. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.
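Added here as an example and not part of the course: a PowerShell check (assumes the RSAT ActiveDirectory module and a domain-joined session) that reports the three domain role holders described above plus the two forest roles, verifies the time chain anchored on the forest-root PDC Emulator, and decodes the RID pool the RID master hands out from. The function names are my own.

```powershell
# Added example (not from the course): report FSMO role holders and check two of the
# things the roles are responsible for: the PDC time source and the RID pool.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # The three domain-level roles are exposed by Get-ADDomain; the two forest-level
    # roles (Schema Master, Domain Naming Master) by Get-ADForest.
    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator          = $domain.PDCEmulator
        ForestRootDomain     = $forest.RootDomain
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Test-PdcTimeSource {
    # The forest-root PDC Emulator is the top of the time hierarchy, so it should sync
    # from a reliable external source, not from its own hardware clock.
    $forest = Get-ADForest
    $root   = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    $source = ((w32tm /query /source "/computer:$root") -join ' ').Trim()
    [pscustomobject]@{
        RootPdc    = $root
        TimeSource = $source
        Healthy    = ($source -notmatch 'Local CMOS Clock|Free-running')
    }
}

function Get-RidPoolStatus {
    # rIDAvailablePool on the RID Manager object packs two 32-bit values into one
    # 64-bit integer: high dword = highest RID the domain may issue, low dword = next RID.
    $dn   = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
    $pool = [int64](Get-ADObject -Identity $dn -Properties rIDAvailablePool).rIDAvailablePool
    $next = $pool -band [uint32]::MaxValue
    $max  = $pool -shr 32
    [pscustomobject]@{ NextRid = $next; MaxRid = $max; Remaining = $max - $next }
}

Get-FsmoRoleHolder | Format-List
Test-PdcTimeSource
Get-RidPoolStatus
```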

Microsoft: INF200.1x Microsoft Windows Server 2012 Fundamentals: Windows Server Basics


What is Server Manager?
Server Manager is the primary graphical tool used to manage both local and remote servers. With Server Manager you can create groups of servers. This enables you to perform administrative tasks quickly across multiple servers that perform the same role, or are members of the same group. Additionally, Server Manager provides access to many administrative tools.

Screenshot of the Server Manager Tools menu
What are Windows Server Roles?
Windows Server 2012 roles describe a server's primary function. For example, a server role might be serving files, hosting web content, or providing centralized printing. You can choose to install one or more roles on a Windows Server 2012 server.
The Add Roles and Features Wizard and the Remove Roles and Features Wizard in Server Manager modify the roles that are installed.
Screenshot of the Add Roles and Features Wizard. The feature installation page is shown and the AD DS role is highlighted.
Note: When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s configuration, such as firewall settings, to support the role. Windows Server 2012 also automatically and simultaneously deploys role dependencies. For example, when you install the Windows Server Update Services (WSUS) role, the Web Server (IIS) role components that are required to support the WSUS role are automatically installed.
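Added example, not course material: the PowerShell equivalent of the wizard, which previews the dependency chain a role pulls in (the WSUS and IIS case from the note above) before anything changes, and, when the role is actually installed, records which firewall rules the installation enabled so they can be reviewed. The function names are my own; it assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example (not from the course): preview what a role install pulls in, then
# install it and record which firewall rules became enabled as a side effect.
Import-Module ServerManager

function Get-RoleInstallPreview {
    param([Parameter(Mandatory)][string]$Name)
    # -WhatIf resolves the dependency chain (for UpdateServices that includes the
    # Web Server (IIS) components) and lists it without changing the server.
    Install-WindowsFeature -Name $Name -IncludeManagementTools -WhatIf
}

function Install-RoleWithFirewallAudit {
    param([Parameter(Mandatory)][string]$Name)
    # Snapshot the enabled firewall rules so the ones the role turns on can be reviewed.
    $before = Get-NetFirewallRule -Enabled True | Select-Object -ExpandProperty Name
    $result = Install-WindowsFeature -Name $Name -IncludeManagementTools
    if (-not $result.Success) { throw "Installation of $Name failed (exit code $($result.ExitCode))" }
    $after = Get-NetFirewallRule -Enabled True | Select-Object -ExpandProperty Name
    $newNames = Compare-Object $before $after |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
    $newRules = if ($newNames) {
        Get-NetFirewallRule -Name $newNames | Select-Object DisplayName, Direction, Profile
    } else { @() }
    [pscustomobject]@{
        Feature           = $Name
        InstalledFeatures = @($result.FeatureResult | Select-Object -ExpandProperty DisplayName)
        RestartNeeded     = $result.RestartNeeded
        NewFirewallRules  = $newRules
    }
}

# What is on the server now, then a no-change preview of the WSUS role and its dependencies.
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName
Get-RoleInstallPreview -Name UpdateServices
# Install-RoleWithFirewallAudit -Name UpdateServices | Format-List   # uncomment to install
```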
General Questions:
  • Which server role enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers?
    Answer: Dynamic Host Configuration Protocol (DHCP) Server. The DHCP server enables you to centrally configure, manage, and provide temporary IP addresses and related information for client computers. IP addresses are used to uniquely identify the client computers on your network.
  • Which server role provides the services that you can use to create and manage virtual machines and their resources?
    Answer: Hyper-V Server. The Hyper-V Server provides services to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
  • Which server role provides a reliable, manageable, and scalable Web application infrastructure?
    Answer: Web Server (IIS). The Web Server provides a reliable, manageable, and scalable Web application infrastructure. IIS supports hosting of Web content in production environments.
  • Which server role stores information about objects on the network and makes this information available to users and network administrators?
    Answer: Active Directory Domain Services (AD DS) Server. The AD DS server stores information about objects on the network and makes this information available to users and network administrators. Servers that run the AD DS Server role are called Domain Controllers. These servers provide network users access to resources through a single logon process.
  • Which server role allows network administrators to specify the Microsoft updates that should be installed on different computers?
    Answer: Windows Server Update Services (WSUS) Server. The WSUS server allows network administrators to specify the Microsoft updates that should be installed on different computers. Keeping your computers updated with the latest updates is an important part of securing the network. With WSUS you can automate this process and create different update schedules for your computers.
  • Which server feature allows multiple servers to work together to provide high availability of server roles?
    Answer: Failover Clustering. Failover clustering is often used for File Services, virtual machines, database applications, and mail applications.
  • Which server feature includes snap-ins and command line tools for remotely managing roles and features?
    Answer: Remote Server Administration Tools (RSAT). RSAT Tools are divided into Feature Administration Tools and Role Administration Tools. Feature Administration Tools include Failover Clustering Tools, IPAM Client, and Network Load Balancing Tools. Role Administration Tools include Hyper-V Management Tools, DHCP Server Tools, and Remote Access Management Tools.
  • Which server feature distributes network traffic across several servers, using the TCP/IP protocol?
    Answer: Network Load Balancing (NLB). NLB is particularly useful for ensuring stateless applications, such as Web Servers running IIS, are scalable by adding additional servers as the load increases.
  • Which server feature includes Windows PowerShell cmdlets that facilitate migration of server roles, operating system settings, files, and shares from computers that are running earlier versions of Windows Server?
    Answer: Windows Server Migration Tools. Windows Server Migration Tools can also facilitate migration from one computer that is running Windows Server 2012 to another server that is running Windows Server 2012, for example, when you are creating a backup server.
  • Which server feature provides a central framework for managing your IP address space and DHCP and DNS servers?
    Answer: IP Address Management Server (IPAM). IPAM supports automated discovery of DHCP and DNS servers in the Active Directory forest. IPAM can also track and monitor IPv4 and IPv6 addresses, as well as providing utilization tools.

Microsoft: INF200.1x Microsoft Windows Server 2012 Fundamentals: Infrastructure


What you will learn in this course:
  • How to install Windows Server 2012 including upgrades, editions, roles, features, and server core.
  • How to identify and use the physical and logical components of AD DS, such as forests, domains, and domain controllers.
  • How to perform day to day system administrator tasks such as backup and restore, and implementing the Recycle Bin.
  • How to create and configure user, group, and computer accounts.
  • How to implement Group Policy Objects to enforce standard processes in your organization.

Course Prerequisites:
  • Learners should have some general understanding of Windows Server and how it is used.
  • Windows PowerShell will be the tool of choice when implementing the features in this course. Learners should have a good foundation in accessing and using simple Windows PowerShell commands. To help in this area, the course includes an Appendix on Windows PowerShell Basics.
There are many resources available for learning the skills necessary to be successful in this course, for example, Microsoft Virtual Academy.

Module 1 – Windows Server Basics
Module 2 – AD DS Logical Components
Module 3 – AD DS Physical Components
Module 4 – Administering AD DS
Module 5 – User Accounts
Module 6 – Group Accounts
Module 7 – Computer Accounts
Module 8 – Group Policy


Where can you take this course?
Follow this link


Is this course for you?
This course is designed to help you understand Active Directory Domain Services in Windows Server 2012 and Windows Server 2012 R2.

You may already have some familiarity and real world experience with this technology. What follows are some sample questions that you would be expected to answer after completing this course. You can use these questions to decide if the course content will be appropriate for you.
  • If you answer all of these questions correctly, you may already know the course material.
  • If you miss a few questions, this course will fill in the gaps in your knowledge.
  • If you struggle to answer the questions, this course will definitely help you gain a better understanding of how to use these concepts and technologies.
  • If you don't understand the questions at all, you probably are not ready for this course. We suggest you review the recommended prerequisite knowledge and return to the course after additional self-study.

After completing the course, you should return to this topic and ensure you can easily answer the questions. Real world practice will be needed to master these skills, but this course will provide a step in the right direction.

  1. What is an Organizational Unit (OU) and why would you create additional OUs?
  2. What are the five flexible single master operations (FSMO) roles and where do they exist?
  3. What is a trust relationship and which type of trust relationship is used to improve user logon times between two domains in a forest?
  4. Which optional AD DS feature enables you to quickly restore objects that have been deleted?
  5. What is Server Core and what are some advantages of using it?
  6. Which feature can you use to define different password policies and account lockout settings in a domain?
  7. Aziz has reported he is unable to sign in to the domain. The error message is, "The trust relationship between this workstation and the primary domain failed." What is likely the problem and how should you fix it?
  8. What is the global catalog and when is it used?
  9. What is an AD DS site and when should you consider creating a site?
  10. When should you use an authoritative restore?
  11. How are Group Policy settings and Group Policy preferences different?

Answers:

  1. An OU is an object in a domain that you can use to store user objects, computer objects, group objects, and other AD DS objects. You typically create additional OUs when you want to delegate control to a specific group or link a Group Policy Object to the OU.
  2. FSMO roles are special roles within a forest and domain. There are two FSMO roles at the forest level: Schema Master and Domain Naming Master. There are three FSMO roles at the domain level: RID Master, Infrastructure Master, and PDC Emulator.
  3. Trust relationships are authentication pipelines between different domains. Shortcut trusts can be used to improve user logon times between two domains in an Active Directory forest.
  4. The Active Directory Recycle Bin, an optional feature of AD DS, provides a simplified process for restoring deleted objects.
  5. Server Core is the default Windows Server installation option. Server Core does not have a graphical user interface. Server Core installs fewer components, so fewer updates are required. Server Core removes unneeded files, so disk space and memory requirements are lower. Lastly, fewer files and components mean less opportunity for security threats.
  6. Fine-grained password policies let you specify different password policies and account lockout policies for different groups of users, for example, executives, administrators, service accounts, or regular users.
  7. Most likely the problem is a broken secure channel. You can use Active Directory Users and Computers or PowerShell to reset the computer account and rejoin the computer to the domain.
  8. The global catalog is a central directory of every object in the forest. The global catalog is commonly used to provide Exchange email account information and a user's Universal group memberships.
  9. An AD DS site represents the physical structure, or topology, of your network. There are several reasons to consider creating additional sites, such as: number of users at a location, slow links between locations, service localization, and AD DS database replication.
  10. An authoritative restore is necessary when a known good copy of AD DS has been restored that contains objects that must override the existing state of other objects in the AD DS database.
  11. Group Policy preferences differ from Group Policy settings: preferences are not enforced, can reapply automatically, and can use item-level targeting.
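Added example for the broken secure channel in question 7, not course material: instead of rejoining the computer, it uses Test-ComputerSecureChannel -Repair (with Reset-ComputerMachinePassword as a fallback) to reset the computer account password in place. The function name and the credential variable are my own; it assumes an elevated session on the affected workstation.

```powershell
# Added example (not from the course): diagnose and repair the broken secure channel
# behind "The trust relationship between this workstation and the primary domain failed."
# Run locally on the affected workstation, in an elevated session, with a domain account
# that is allowed to reset this computer object.
function Repair-DomainSecureChannel {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server                      # optional: pin the repair to one domain controller
    )
    # Test-ComputerSecureChannel returns $true while the machine account password still
    # matches what the domain controllers hold; in that case nothing needs resetting.
    if (Test-ComputerSecureChannel) {
        return [pscustomobject]@{ Healthy = $true; Repaired = $false; Note = 'Secure channel already valid' }
    }
    # -Repair resets the computer account password on the workstation and in AD DS without
    # leaving the domain, so the computer's SID, group memberships and GPO links survive.
    $repair = @{ Repair = $true; Credential = $Credential }
    if ($Server) { $repair['Server'] = $Server }
    $ok = Test-ComputerSecureChannel @repair
    if (-not $ok) {
        # Fallback: force a new machine password if the repair path is refused.
        $reset = @{ Credential = $Credential }
        if ($Server) { $reset['Server'] = $Server }
        Reset-ComputerMachinePassword @reset
        $ok = Test-ComputerSecureChannel
    }
    [pscustomobject]@{ Healthy = $ok; Repaired = $true; Note = 'Have the user sign in again, then retest' }
}

$DomainCred = Get-Credential -Message 'Domain account permitted to reset this computer object'
Repair-DomainSecureChannel -Credential $DomainCred | Format-List
```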