Module 3

Advanced AD DS infrastructure
management
Module Overview

Overview of advanced AD DS deployments

Deploying a distributed AD DS environment
• Configuring AD DS trusts
Lesson 1: Overview of advanced AD DS deployments

Overview of domain and forest boundaries in an

AD DS structure
Why implement multiple domains?
Why implement multiple forests?
Deploying a domain controller in Azure IaaS
• Managing objects in complex AD DS deployments
Overview of domain and forest boundaries in an
AD DS structure

AD DS object Boundary type

Domain Domain partition replication
  Administrative permissions
  Group Policy application
  Auditing
  Password and account policies
  Domain DNS zone replication
Forest Security
  Schema partition replication
  Configuration partition replication
  Global catalog replication
Forest DNS zone replication
Why implement multiple domains?

Organizations might choose to deploy multiple

domains to meet:
• Domain replication requirements
• DNS namespace requirements
• Distributed administration requirements
• Forest administrative group security requirements
• Resource domain requirements
Why implement multiple forests?

Organizations might choose to deploy multiple forests to

meet:
• Security isolation requirements:
• PAM in Windows Server 2016 AD DS uses a separate
bastion forest to isolate privileged accounts in order to
protect against credential theft techniques
• Incompatible schema requirements
• Multinational requirements
• Extranet security requirements
• Business merger or divestiture requirements
Deploying a domain controller in Azure IaaS

• Scenarios in which you might deploy AD DS on

an Azure virtual machine:
• Disaster recovery
• Geo-distributed domain controllers
• Isolated applications

• Considerations during deployment include:

• Network topology
• Site topology
• Service healing
• IP addressing
• DNS
• Hard disk read/write caching
Managing objects in complex AD DS deployments

• Potential issues include:

• User and group management
• User self-service
• Certificate management
• Identity syncing

• MIM 2016 provides:

• Cloud-ready identities for Azure Active Directory
• Powerful user self-service features with multi-factor
authentication
• PAM
Lesson 2: Deploying a distributed AD DS environment

AD DS domain functional levels

AD DS forest functional levels
Deploying new AD DS domains
Demonstration: Installing a domain controller in a
new domain in an existing forest
Upgrading a previous version of AD DS to Windows
Server 2016
Migrating to Windows Server 2016 AD DS from a
previous version
• Considerations for implementing complex AD DS
environments
AD DS domain functional levels
New functionality requires that domain controllers are
running a particular version of the Windows operating
system:
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016

• You cannot raise the functional level while domain

controllers are running previous Windows Server versions

• You cannot add domain controllers that are running

previous Windows Server versions after raising the
functional level
AD DS forest functional levels
• Windows Server 2003:
• Forest trusts
• Domain rename
• Linked-value replication
• Improved Knowledge Consistency Checker
• Support for RODCs
• Conversion of inetOrgPerson objects to user objects
• Deactivation and redefinition of attributes and object classes
• Windows Server 2008:
• No new features; sets minimum level for all new domains
• Windows Server 2008 R2:
• Active Directory Recycle Bin
• Windows Server 2012 and Windows Server 2012 R2:
• No new features; sets minimum level for all new domains
• Windows Server 2016:
• No new features; sets minimum level for all new domains
Deploying new AD DS domains

• Forest root domain:

• Is automatically created with a new forest
• Is the base of an AD DS infrastructure
• Can be the only domain in an AD DS deployment

• Child domain:
• Is a child of a parent domain
• Shares the same namespace with the parent domain

• Tree domain:
• Creates a new domain tree and a new namespace
• Are commonly used in merger and acquisition scenarios
Demonstration: Installing a domain controller in a new
domain in an existing forest

In this demonstration, you will see how to:

• Install AD DS binaries on TOR-DC1
• Configure TOR-DC1 as an AD DS domain controller
by using the Active Directory Domain Services
Configuration Wizard
Upgrading a previous version of AD DS to Windows
Server 2016

Methods to upgrade AD DS to Windows Server 2016:

• In-place upgrade from Windows Server 2012 R2 or
Windows Server 2012
• Introduce a new Windows Server 2016 server into the
domain, and then promote it to be a domain controller
(recommended method)

• Both methods require that the schema is at the

Windows Server 2016 functional level:
• The Active Directory Domain Services Configuration
Wizard will upgrade the schema automatically when
run with appropriate permissions
• Adprep is available
Migrating to Windows Server 2016 AD DS from a
previous version

Fabrikam.net Adatum.com

Interforest migration

Security principals that Accounts get new SIDs,

migrate: but resource access is
• User accounts maintained by using
• Managed service accounts SID-History
• Computer accounts
• Groups
 Migrating to Windows Server 2016 AD DS from a
previous version

Department IT
CN=April
distinguishedName Reagan,OU=IT,DC=fabrikam,DC=net
givenName April
name April Reagan
Fabrikam.net
S-1-5-21-322346712-1256085132-
objectSID 1900709958-1375

Department IT
CN=April
distinguishedName Reagan,OU=IT,DC=fabrikam,DC=net
givenName April
Adatum.com name April Reagan
S-1-5-21-433467823-2367196243-
objectSID NEW 2011810069-2486
SID-History S-1-5-21-322346712-1256085132-
1900709958-1375
Considerations for implementing complex AD DS
environments
• DNS considerations:
• Centralized versus decentralized
• Verify the DNS client configuration and name resolution
• Optimize DNS name resolution:
• Conditional forwarders and stub zones
• DNS name devolution and DNS suffix search order
• Deploy a GlobalNames zone
• Use Active Directory-integrated zones
• Extending AD DS to Azure

• UPN considerations:
• UPN suffixes
• Global catalog
• Federated authentication scenarios
Lesson 3: Configuring AD DS trusts

Overview of different AD DS trust types

How trusts work in a forest
How trusts work between forests
Configuring advanced AD DS trust settings
• Demonstration: Configuring a forest trust
Overview of different AD DS trust types
Engineering (Kerberos realm)
E
F
R

P/C P/C
P/C
P/C Contoso
(Windows NT 4.0 domain)
S E
Separate forest

Trust type Transitive? Color

P/C - Parent-child Yes Purple
R - Tree root Yes Black
E - External (domain or Kerberos realm) No Red/Dashed
S - Shortcut Yes Green/Dotted
F - Forest (complete or selective) Yes Blue
How trusts work in a forest

adatum.com fabrikam.com

3
2

Shortcut trust

1 4
CL1 D
EU.adatum.com ESP.fabrikam.com
Client computer CL1 requests access to a file on file server D
 How trusts work between forests

A forest trust is a one-way or two-way trust relationship

between the forest root domains of two forests

Tailspintoys.com Wideworldimporters.com

Asia.tailspintoys.com Europe.tailspintoys.com Sales.wideworldimporters.com

Configuring advanced AD DS trust settings

• Security considerations in forest trusts include:

• SID filtering
• Selective authentication
• Name suffix routing

• An incorrectly configured trust can allow

unauthorized access to resources
Demonstration: Configuring a forest trust

In this demonstration, you will see how to:

• Configure DNS name resolution by using a
conditional forwarder
• Configure a two-way selective forest trust
Lab: Domain and trust management in AD DS

Exercise 1: Implementing forest trusts

• Exercise 2: Implementing child domains in AD DS

Logon Information
Virtual machines: 20742B-LON-DC1
20742B-TOR-DC1
20742B-LON-SVR2
20742B-TREY-DC1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 45 minutes

Lab Scenario

A. Datum has deployed a single AD DS domain with all the domain

controllers located in its London datacenter. As the company has
grown and added branch offices with a large numbers of users, it has
become increasingly apparent that the current AD DS environment
does not meet company requirements. The network team is concerned
about the amount of AD DS–related network traffic that is crossing
WAN links, which are becoming highly utilized.
The company has also become increasingly integrated with partner
organizations, some of which need access to shared resources and
applications that are located on the A. Datum internal network. The
Security department at A. Datum wants to ensure that access for these
external users is as secure as possible.
As one of the senior network administrators at A. Datum, you are
responsible for implementing an AD DS infrastructure that meets
company requirements. You are responsible for planning an AD DS
domain and forest deployment that provides optimal services for
internal and external users while addressing the security requirements
at A. Datum.
Lab Review

When creating the forest trust between

Adatum.com and TreyResearch.net, DNS stub zones
were created to enable name resolution between
the two forests. What alternative could you have
used in place of a DNS stub zone?
• When you are creating a forest trust, why would
you create a selective trust instead of a complete
trust?
Module Review and Takeaways

Review Question
• Common Issues and Troubleshooting Tips