Active Directory Sites & Services in Windows 2000 & Server Video CBT Lab 16


Windows 2000/Server 2003

MEGA LAB SERIES

www.trainsignal.com

Active Directory Sites & Services in

Windows 2000 & Server 2003


Lab Setup (figure): DC1 (static IP 200.200.201.1) and DC2 (static IP 200.200.201.2) are connected to a switch in the Active Directory site; ROUTER has two interfaces, 200.200.201.254 and 200.200.202.254; DC3 (static IP 200.200.202.1) sits on the far side of the router.


Active Directory Sites & Services in

Windows 2000 & Server 2003

Video CBT Lab 16

Part 3 of 3 in the Advanced Active Directory in

Windows 2000 & Server 2003 Series


About the Author

Obaid Chhatriwala (MBA, MCSE, Security+, CNA) is an experienced technology consultant and trainer. He has designed and administered networks for a variety of industries, including healthcare and financial companies. He also has over 9 years’ experience of teaching a variety of computer courses in Windows NT, Windows 2000/2003, Windows XP, Novell Netware, Cisco Routing and Switching, Network Security and Computer Hardware. You will greatly benefit from Obaid’s true passion for education and the amount of detail that he covers whenever he undertakes computer networking training.

Train Signal, Inc. 400 West Dundee Road Suite #106

Buffalo Grove, IL 60089 Phone - (847) 229-8780 Fax – (847) 229-8760 www.trainsignal.com

Copyright and other Intellectual Property Information

© Train Signal, Inc., 2002. All rights are reserved. No part of this publication, including written work, videos, and on-screen demonstrations (together called “the Information” or “THE INFORMATION”), may be reproduced or distributed in any form or by any means without the prior written permission of the copyright holder.

Products and company names, including but not limited to, Microsoft, Novell and Cisco, are the trademarks, registered trademarks, and service marks of their respective owners.


Disclaimer and Limitation of Liability

Although the publishers and authors of the Information have made every effort to ensure that the information within it was correct at the time of publication, the publishers and the authors do not assume and hereby disclaim any liability to any party for any loss or damage caused by errors, omissions, or misleading information.

TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, OR VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.

IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE INFORMATION.

To the extent that this Limitation is inconsistent with the locality where you use the Software, the Limitation shall be deemed to be modified consistent with such local law.

Choice of Law:

You agree that any and all claims, suits, or other disputes arising from your use of the Information shall be determined in accordance with the laws of the State of Illinois, in the event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of the state and federal courts in Cook County, Illinois for all actions, whether in contract or in tort, arising from your use or purchase of the Information.


TABLE OF CONTENTS

INTRODUCTION
LAB SETUP
SETTING UP THE LAB
COMPUTER 1
COMPUTER 2
COMPUTER 3
COMPUTER 4
LAB 1
SCENARIO – PART ONE
ACTIVE DIRECTORY
INSTALLING ACTIVE DIRECTORY
CREATING THE ANSWER FILE FOR ACTIVE DIRECTORY INSTALLATION
INSTALLING ACTIVE DIRECTORY
CREATING AN ADDITIONAL DOMAIN CONTROLLER FOR BENANDBRADY.COM
DOMAIN AND SITE VERIFICATION AND REPLICATION
INSTALLING A ROUTER IN THE BENANDBRADY.COM NETWORK
TESTING ROUTING IN THE BENANDBRADY.COM NETWORK
INSTALLING AN ADDITIONAL DOMAIN CONTROLLER IN THE 200.200.202.0 SUBNET
LAB 2
SCENARIO – PART TWO
WHAT IS A SITE?
CONFIGURING SITES
STEP 4: DESIGNATE A SITE LICENSE SERVER FOR THE NC SITE
TESTING ACTIVE DIRECTORY REPLICATION
LAB 3
SCENARIO – PART THREE
REPLICATION TYPES IN ACTIVE DIRECTORY
CONFIGURING INTERSITE REPLICATION
STEP 1: CREATE SITE LINKS
STEP 2: CONFIGURE SITE LINK ATTRIBUTES
STEP 3: CONFIGURE A BRIDGEHEAD SERVER
STEP 4: CREATE SITE LINK BRIDGES
STEP 5: CREATE AND CONFIGURE CONNECTION OBJECTS
GLOBAL CATALOG SERVERS
UNIVERSAL GROUP CACHING
LAB 4
SCENARIO – PART FOUR
INSTALLING THE ACTIVE DIRECTORY SUPPORT TOOLS
ACTIVE DIRECTORY REPLICATION MONITOR (REPLMON.EXE)
REPLICATION DIAGNOSTICS TOOL (REPADMIN.EXE)
DIRECTORY SERVICES UTILITY (DSASTAT.EXE)
DOMAIN CONTROLLER DIAGNOSTIC TOOL (DCDIAG.EXE)
ACTIVE DIRECTORY SIZER
LAB 5
SCENARIO – PART FIVE
DOMAIN FUNCTIONAL LEVELS
FOREST FUNCTIONAL LEVELS


Introduction

Welcome to Train Signal!

This series of labs on Windows 2003 is designed to give you detailed, hands-on experience working with Windows 2003. Train Signal’s Audio-Visual Lab courses are targeted towards the serious learner, those who want to know more than just the answers to the test questions. We have gone to great lengths to make this series appealing to both those who are seeking Microsoft certification and to those who want an excellent overall knowledge of Windows 2003.

Each of our courses put you in the driver’s seat, working for different fictitious companies, deploying complex configurations and then modifying them as your company grows. They are not designed to be a “cookbook lab,” where you follow the steps of the “recipe” until you have completed the lab and have learned nothing. Instead, we recommend that you perform each step and then analyze the results of your actions in detail.

To complete these labs yourself, you will need three computers equipped as described in the Lab Setup section. You also need to have a foundation in Windows 2003 and TCP/IP concepts. You should be comfortable with installing Windows XP Professional or Windows Server 2003 and getting the basic operating system up and running. Each of the labs in this series will start from a default installation of Windows 2000 and will then run you through the basic configurations and settings that you must use for the labs to be successful. It is very important that you follow these guidelines exactly, in order to get the best results from this course.

The course also includes a CD-ROM that features an audio-visual walk-through of all of the labs in the course. In the walk-through, you will be shown all of the details from start to finish on each step, for every lab in the course. During the instruction, you will also benefit from live training that discusses the current topic in great detail, making you aware of many of the fine points associated with the current topic.

Thanks for choosing Train Signal!

Scott Skinger Owner


Setting up the Lab

1. Computer Equipment Needed

Item             Minimum                                  Recommended
Computers        (4) Pentium I 133 MHz                    (4) Pentium II 300 MHz or greater
Memory           256 MB                                   512 MB
Hard Drive       4 GB                                     10 GB or larger
NIC              1 NIC card for each server (3),          1 NIC card for each server (3),
                 2 NIC cards for Router (1)               2 NIC cards for Router (1)
Switch or Hub    1                                        1
Network Cable    (5) Category 5 cables                    (5) Category 5 cables

You are strongly urged to acquire all of the recommended equipment in the list above. It can all be easily purchased from eBay or another source, for around $500 (less if you already have some of the equipment). This same equipment is used over and over again in all of Train Signal’s labs and will also work great in all sorts of other network configurations that you may want to set up in the future. It will be an excellent investment in your education. You may also want to look into a disk-imaging product such as Norton Ghost. Disk imaging software will save you a tremendous amount of time when it comes to reinstalling Windows 2000/Server 2003 for future labs. Many vendors offer trial versions or personal versions of their products that are very inexpensive.


2. Computer Configuration Overview

Computer Number   Computer Name   IP Address                                OS                    Additional Configurations
1                 DC1             200.200.201.1/24                          Windows Server 2003
2                 DC2             200.200.201.2/24                          Windows Server 2003
3                 DC3             200.200.202.1/24                          Windows Server 2003
4                 ROUTER          200.200.201.254/24, 200.200.202.254/24    Windows Server 2003

***Important Note***


3. Detailed Lab Configuration

Computer 1

Computer 1 will be named DC1 and the operating system on this computer will be Windows Server 2003. If you do not have a copy of Windows Server 2003 you can obtain an evaluation copy within the Microsoft Press series of books or through Microsoft’s website. DC1 will have a static IP address of 200.200.201.1 with a 255.255.255.0 subnet mask. The default gateway will be 200.200.201.254 and you should enter this computer’s own IP address for the Preferred DNS field 200.200.201.1. The alternate DNS Server field can be left blank. See figure 1, next page.

Computer 2

Computer 2 will be named DC2 and Windows Server 2003 will be installed on this computer. DC2 will have a static IP address of 200.200.201.2 with a 255.255.255.0 subnet mask. The default gateway will be 200.200.201.254 and the DNS server will be 200.200.201.1. You can leave the alternate DNS setting blank. See figure 1, next page.

Computer 3

Computer 3 will be named DC3 and Windows Server 2003 will be installed on this computer. DC3 will have a static IP address of 200.200.202.1 with a 255.255.255.0 subnet mask. The default gateway will be 200.200.202.254 and the DNS server will be 200.200.201.1. You can leave the alternate DNS setting blank. See figure 1, next page.

Computer 4

Computer 4 will be named ROUTER and Windows Server 2003 will be installed on this computer. ROUTER will have 2 NIC cards. The first NIC card will be labeled CA and will have a static IP address of 200.200.201.254 with a 255.255.255.0 subnet mask. The second NIC card will be labeled NC and will have an IP address of 200.200.202.254 with a subnet mask of 255.255.255.0. You should configure the preferred DNS server setting to point to DC1, 200.200.201.1, and leave the alternate DNS setting blank. See figure 1, next page.


Figure 1, Lab Setup: DC1 (static IP 200.200.201.1) and DC2 (static IP 200.200.201.2) are connected to a switch in the Active Directory site; ROUTER has two interfaces, 200.200.201.254 and 200.200.202.254; DC3 (static IP 200.200.202.1) sits on the far side of the router.

***Important Note***

This lab should NOT be performed on a live production network. You should only use computer equipment that is not part of a business network AND is not connected to a business network. Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of liability which appears at the beginning of this document and on our Website at:


Lab 1

Unattended Active Directory

Installation of

Benandbrady.com

You will learn how to:

• Perform an unattended installation of Active Directory

• Add additional domain controllers

• Test Active Directory replication between domain controllers

• Install and configure a router for benandbrady.com


Scenario – Part One

Ben & Brady’s Ice Cream Corp., is a manufacturer of gourmet ice cream products that are sold internationally. They are in the process of migrating their network from Novell to Windows Server 2003 as well as replacing all of their current servers with new equipment. Their main headquarters is located in San Francisco and they have a manufacturing facility in Charlotte, North Carolina. The San Francisco office is connected to the Internet with a full T1 (1.544 Mbps) and Microsoft’s ISA Server (firewall) will protect the internal network. The facility in Charlotte is used to manufacture ice cream and to ship to Ben & Brady’s East Coast distributors. The San Francisco office has just purchased five servers and 25 workstations. The servers will be running Windows Server 2003 and the 25 workstations will be running Windows XP Professional. The Charlotte location also has five new servers that were recently purchased, all running Windows Server 2003 and 45 workstations, all running Windows XP Professional. Charlotte is connected to the Internet with a Fractional T1 (768 Kbps) and they also use ISA Server to protect their internal network. The two locations will be connected together through a VPN that will be formed between the two ISA Servers over the Internet.

Ben & Brady’s Ice Cream Co. has hired you on a contract basis, to help with the implementation of a new pristine Windows 2003 domain. You have been given the task of installing the first domain controller on the network at the San Francisco office, which will install Active Directory and create a new domain for Ben & Brady’s Ice Cream Co. You are also in charge of making sure that all of the installed client computers are able to join the new domain. The Operations Manager, Jill, also mentions that there is an opportunity for you to become a full time Administrator with the company, if the project goes well.

In this lab, you will create a new domain for Ben & Brady’s Ice Cream Co., called benandbrady.com, by building the first domain controller on the network using the Active Directory installation program. Once your domain controller is working properly, you will install a second Windows Server 2003 as an additional Domain Controller. These two Domain Controllers will be located in California. At the North Carolina location, you will install a third Domain Controller. A Windows 2003 server configured as a Router will connect the two locations.

Lab 1 network (figure): the CA site on subnet 200.200.201.0 holds Domain Controllers DC1 and DC2; the NC site on subnet 200.200.202.0 holds Domain Controller DC3; the two subnets are joined by Router.

Active Directory

Active Directory is a feature in Windows Server 2003 domains that allows users to log on and access resources from anywhere in the network. It is a central, hierarchical database that allows administrators to manage the network from a single location and makes network security much easier to manage. Resources include users, groups, computers, printers and shared folders, to name just a few. A directory, much like a telephone book, is essentially a store of information. When Active Directory is installed on a Windows 2003 server, that server is then called a domain controller. All of the domain controllers within a domain hold the same copy of the Active Directory database in a file named NTDS.DIT. Windows 2003 domain controllers are multi-master replication partners, all replicating data back and forth to each other.

Installing Active Directory

There are four methods of installing Active Directory in Windows Server 2003:

1. Active Directory Installation Wizard – to follow a step-by-step method, answer questions and complete the installation.

2. Answer file - to perform an unattended installation for automation and remote installation.

3. Backup and restore - to install Active Directory on additional domain controllers in the network using backup media or remote share.

4. Configure Your Server Wizard - an additional way to install the first domain controller in a network only.

We will be using the Answer file method to install Active Directory and to create a domain called benandbrady.com.


Creating the answer file for Active Directory installation

An answer file is a text file that holds the answers to the questions the Active Directory Installation Wizard asks when creating a domain. The answer file must begin with a [DCInstall] section header. This section takes a number of parameters – some are mandatory and others are optional. Which parameters are required also depends on the type of domain controller you are installing – i.e. the first domain controller in a new forest, an additional domain controller in an existing domain and so on.

The following box lists the parameters and the operations to which they apply when creating a new domain in a new forest:

Parameter                                                   Applies to
RebootOnSuccess                                             All operations
DatabasePath, LogPath, SYSVOLPath, UserName, Password,      All installations
UserDomain
ReplicaOrNewDomain = Domain, TreeOrChild = Tree,            Installation of a new Tree in a new Forest
CreateOrJoin = Create, NewDomainDNSName, DNSOnNetwork,
DomainNetbiosName, AutoInstallAndConfigDNS, SiteName

If you would like to learn about additional parameters, please refer to the deploy.chm and ref.chm files in the Support folder of the Windows Server 2003 CD.

To use the answer file you type dcpromo /answer:answerfile – where answerfile is the file name and location of the text file created.


Installing Active Directory

1. Log on as Administrator to DC1. Click Start -> Run and then type notepad to start creating the answer file. Type the following:

    [DCInstall]
    RebootOnSuccess = No
    DatabasePath = %SYSTEMROOT%\NTDS
    LogPath = %SYSTEMROOT%\NTDS
    SysVolPath = %SYSTEMROOT%\Sysvol
    UserName = administrator
    Password = Password1
    ReplicaOrNewDomain = Domain
    TreeOrChild = Tree
    CreateOrJoin = Create
    NewDomainDNSName = benandbrady.com
    DNSOnNetwork = No
    DomainNetBiosName = BENANDBRADY
    AllowAnonymousAccess = No
    AutoConfigDNS = Yes
    SiteName = Default-First-Site-Name
    SafeModeAdminPassword = rainbow

Now, save the file in the C:\ drive as dcinfo.txt.

2. From the desktop click on Start -> Run, then type in dcpromo /answer:C:\dcinfo.txt and click OK.

This command starts the Active Directory installation wizard. The wizard will now look for answers to its questions in the answer file.


3. The following screen will appear informing you about the progress of the Active Directory installation. Ensure that the Windows Server 2003 CD is inserted so that the wizard can copy the necessary files.

4. The parameter DNSOnNetwork = No forces the installation of DNS in our network. Finally, the parameter RebootOnSuccess = No forces you to click on the Restart button. Click Restart Now to finish the setup process.

Next, log in as Administrator to the benandbrady.com domain. You have successfully created a domain in the unattended mode.
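The answer file above is an ordinary INI-style text file, and it carries the administrator password and the Directory Services Restore Mode password in cleartext, so it is worth checking before use and removing from C:\ once dcpromo has finished. The following Python script is an added example, not part of the original lab and not a tool shipped with Windows: it parses a constructed copy of the lab's dcinfo.txt, checks for the keys the parameter table above lists for a new tree in a new forest (which of those dcpromo itself refuses to run without is an assumption made here), and reports the credential keys that sit in the file unencrypted.

```python
"""Parse and sanity-check a dcpromo [DCInstall] answer file (added example)."""
import configparser
from io import StringIO

# Constructed copy of the lab's answer file (same keys as the lab step above).
SAMPLE_ANSWER_FILE = """\
[DCInstall]
RebootOnSuccess = No
DatabasePath = %SYSTEMROOT%\\NTDS
LogPath = %SYSTEMROOT%\\NTDS
SysVolPath = %SYSTEMROOT%\\Sysvol
UserName = administrator
Password = Password1
ReplicaOrNewDomain = Domain
TreeOrChild = Tree
CreateOrJoin = Create
NewDomainDNSName = benandbrady.com
DNSOnNetwork = No
DomainNetBiosName = BENANDBRADY
AllowAnonymousAccess = No
AutoConfigDNS = Yes
SiteName = Default-First-Site-Name
SafeModeAdminPassword = rainbow
"""

# Keys (and fixed values) the lab's table lists for a new tree in a new forest.
# Which of them dcpromo actually enforces is an assumption of this example.
NEW_FOREST_REQUIRED = {
    "ReplicaOrNewDomain": "Domain",
    "TreeOrChild": "Tree",
    "CreateOrJoin": "Create",
    "NewDomainDNSName": None,   # None: any non-empty value is acceptable
    "DomainNetBiosName": None,
    "DNSOnNetwork": None,
    "SiteName": None,
    "DatabasePath": None,
    "LogPath": None,
    "SysVolPath": None,
}

# Credential keys that the file stores in cleartext.
SENSITIVE_KEYS = ("Password", "SafeModeAdminPassword")


def parse_answer_file(text):
    """Return the [DCInstall] section as a dict keyed by the name as written.

    Interpolation is disabled so %SYSTEMROOT% is not read as a format
    directive; key lookups elsewhere are case-insensitive, as for dcpromo.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key spelling used in the file
    cp.read_file(StringIO(text))
    if "DCInstall" not in cp:
        raise ValueError("answer file has no [DCInstall] section")
    return dict(cp["DCInstall"])


def _lookup(params, key):
    """Case-insensitive lookup; returns (name_as_written, value) or (None, None)."""
    for name, value in params.items():
        if name.lower() == key.lower():
            return name, value
    return None, None


def validate_new_forest(params):
    """Return a list of findings for a new-forest install; an empty list means OK."""
    findings = []
    for key, expected in NEW_FOREST_REQUIRED.items():
        name, value = _lookup(params, key)
        if name is None or not value.strip():
            findings.append(f"missing: {key}")
        elif expected is not None and value.strip().lower() != expected.lower():
            findings.append(f"{key} should be {expected}, found {value.strip()}")
    # The lab sets this to No; Yes selects the pre-Windows 2000 compatible
    # permissions, which loosen read access to directory data.
    name, value = _lookup(params, "AllowAnonymousAccess")
    if name is not None and value.strip().lower() == "yes":
        findings.append("AllowAnonymousAccess = Yes weakens directory access control")
    return findings


def cleartext_secrets(params):
    """Names of credential keys present in the file (stored unencrypted)."""
    present = []
    for key in SENSITIVE_KEYS:
        name, _ = _lookup(params, key)
        if name is not None:
            present.append(name)
    return present


if __name__ == "__main__":
    params = parse_answer_file(SAMPLE_ANSWER_FILE)
    print("findings:", validate_new_forest(params) or "none")
    print("cleartext credentials:", cleartext_secrets(params))
```

Run against the lab file the checks pass and both password keys are reported; removing NewDomainDNSName or setting AllowAnonymousAccess = Yes produces findings, which is the kind of review worth doing before the file is handed to dcpromo on a real server.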


Creating an additional Domain Controller for benandbrady.com

1. Log in as Administrator on the computer DC2. Ensure that the IP address is 200.200.201.2 and the DNS address is 200.200.201.1 by typing ipconfig /all in the command prompt. We are now ready to make DC2 an additional Domain Controller. Click Start -> Run -> dcpromo. Click OK.

2. The Active Directory installation wizard will now start. Click Next. Click Next again on the O.S. Compatibility screen. Then, select Additional domain controller for an


3. In the Network Credentials screen, enter administrator, Password1, benandbrady.com (for the User name, Password, and Domain fields respectively). Click Next. In the next screen, click Browse to select the benandbrady.com domain. Click Next.

4. Click Next for the Database and Log folder screen and click Next again for the SYSVOL screen. In the Directory Services Restore Mode screen, enter the password rainbow. Click Next. Finally click Next in the Summary screen. The wizard is now


5. When the process finishes, click Finish and then Restart Now. DC2 is now an additional domain controller in the benandbrady.com domain.

Domain and site verification and replication

1. Log in as Administrator on the computer DC1. Click Start -> Administrative Tools -> Active Directory Users and Computers. Expand benandbrady.com and click on the Domain Controllers object. In the right hand pane, verify that DC1 and DC2 are listed.


2. Click Start -> Administrative Tools -> DNS. Expand DC1 in the left hand pane. Expand Forward Lookup Zones and click on benandbrady.com. Verify that DC1 and DC2 are listed with their IP addresses. Close DNS.

3. Click Start -> Administrative Tools -> Active Directory Sites and Services. In the left hand pane, expand Sites, Default-First-Site-Name and select Servers. Verify that DC1 and DC2 both belong to the same site.


4. We will now change the name of the site to CA. Select Default-First-Site-Name, right click and select Rename, and then type CA. The site is now called CA and has two Domain Controllers, DC1 and DC2.

5. We will now replicate the Active Directory database. Expand CA, Servers, DC1 in the left hand pane. Select NTDS Settings. In the right hand pane, select <automatically generated>, right click and select Replicate Now. Click OK in the Replicate Now box.

You have successfully replicated from DC2 to DC1.


Installing a router in the benandbrady.com network

We will now use the third computer, Router, and make it a router for the benandbrady.com network. This router will connect the CA and NC sites.

1. Log in as Administrator to the computer called Router. This computer has two NIC cards. Right click My Network Places -> Properties -> select first NIC card -> right click -> Rename -> CA. If My Network Places is not displayed by default you will need to right click on the Start Button -> Properties -> Customize -> click the Advanced tab -> check My Network Places radio box -> OK -> Apply -> OK. Now My Network Places will be displayed on the Start menu. To set the IP address right click CA -> Properties -> TCP/IP -> Properties. Set up the IP as 200.200.201.254, mask as 255.255.255.0, DNS as 200.200.201.1. Click OK and close all boxes.


2. Using the above procedure, change the name of the second NIC card to NC. Change the IP configuration to 200.200.202.254/24 and the DNS to 200.200.201.1.

The CA interface is now configured for the CA site, whose Network ID is 200.200.201.0, and the NC interface is now configured for the NC site, whose Network ID is 200.200.202.0. We have just one DNS server, 200.200.201.1, for both locations.

3. Let us now join this computer as a member server to the benandbrady.com domain. Right click My Computer -> Properties -> Computer Name tab -> Change -> Member of Domain -> benandbrady -> OK. Enter administrator as the username and Password1 as the password when prompted. Restart the computer and log on as administrator to the benandbrady domain.


4. We will now configure the Routing and Remote Access Service on the router. Click Start -> Administrative Tools -> Routing and Remote Access. Right click Router -> Configure and Enable Routing and Remote Access. Click Next on the Welcome screen.

5. In the Configuration page, select Secure connection between private networks and click Next. Select No for Demand Dial connection and click Next.


6. In the Summary screen click Finish. You have successfully enabled the routing service on the Router.


Testing routing in the benandbrady.com network

We will now use the fourth computer. We will set up this computer, initially as a member server for the benandbrady.com domain.

1. Log on to DC3 as the Administrator. Ensure that the TCP/IP properties are set as IP: 200.200.202.1, Subnet mask: 255.255.255.0, Default Gateway: 200.200.202.254, DNS: 200.200.201.1.

2. Go to the command prompt. Type ping 200.200.201.1. If you get replies, you have successfully reached DC1. DC3 first contacted the NC interface of Router, which forwarded the packet to the CA interface of Router. This interface then forwarded the packets to DC1. Hence you are able to ping from the 200.200.202.0 network to the 200.200.201.0 network.


3. Type tracert 200.200.201.1 to trace the route taken from DC3 to DC1.

Next, close the command prompt. Join DC3 as a Member Server to the benandbrady.com domain. Right click My Computer -> Properties -> Computer Name tab -> Change -> Member of Domain -> benandbrady.com -> OK. Enter administrator as the username and Password1 as the password when prompted. Restart the computer and log on as administrator to the benandbrady.com domain.

Installing an additional Domain Controller in the 200.200.202.0 subnet

We will now promote DC3 to an additional domain controller in the benandbrady.com domain. The steps will be the same as those used in DC2. However, this time, our Domain Controller is in the second subnet (200.200.202.0). Router is now forwarding all information between DC1/DC2 in the 200.200.201.0 subnet and DC3 in the 200.200.202.0 subnet.

1. Click Start -> Run -> dcpromo. Follow the wizard to create an additional domain controller. Use Password1 as the password for the Directory Services Restore Mode.

2. Click Finish and restart DC3.

Network Infrastructure Summary

Network ID       Computer   Function
200.200.201.0    DC1        First Domain Controller of the Forest
200.200.201.0    DC2        Additional Domain Controller
200.200.202.0    DC3        Additional Domain Controller
200.200.201.0


Lab 2

Creating New Sites and Subnets

for Benandbrady.com

You will learn how to:

• Map the logical domain to a physical network

• Create new site objects

• Create new subnets

• Associate sites with subnets

• Designate a licensing server at each site

• Replicate Active Directory between sites


Scenario – Part Two

The installation of the servers for benandbrady.com has been accomplished. You have installed three Domain Controllers and a Router. The Router is configured to route traffic between the 200.200.201.0 and 200.200.202.0 networks.

Now it is time to associate the physical subnets into Active Directory. You set up a meeting with the Operations Manager and explain the next phase of the project. You will be setting up two sites, CA and NC, in the benandbrady.com domain. You will then associate these sites with the appropriate subnets for each location. You explain to the Operations Manager that setting up the Active Directory in this manner improves the efficiency of network connections and reduces logon time. The Operations Manager immediately gives you the approval.

The next task in this phase is to set up a Licensing Server. You explain to the Operations Manager that the Licensing Server at each site will keep track of the client and server licenses used. This will also help in determining accurately the number of licenses needed at each site. Finally, you will test replication between the domain controllers to ensure that the router is routing packets between CA and NC.


What is a site?

A site is a grouping of one or more TCP/IP subnets that defines the physical structure of a network. A geographical location (branch) of a company is considered a site for practical purposes. All devices in a site are well connected by means of a high-speed network link (10 Mbps or greater). Since all devices in a physical LAN are connected usually by Ethernet cable – 10/100 Mbps – a LAN is considered a site.

The Ben and Brady Ice Cream Corp. has two locations, CA and NC. The two locations are connected by a T1 (1.54 Mbps) line. Hence, we have two sites - the CA site with a subnet of 200.200.201.0 and the NC site with a subnet of 200.200.202.0.

Configuring Sites

To configure a site you must complete the following tasks:

1. Create a site.

2. Create a subnet and associate it with the site.

3. Create or move a domain controller object into the site.

4. Designate a site license server for the site.

All of these tasks can be accomplished by using the Active Directory Sites and Services console in the Administrative Tools section.


Creating sites

When you install Active Directory on the first domain controller in a domain, a site object named Default-First-Site-Name is automatically created in the Sites container on the Active Directory Sites and Services console. All Domain Controller objects are created in this site by default. You must rename the site to better describe your network location.

Sites will be defined for:

• Each LAN or set of LANs that are connected by a high-speed backbone (T3 or better).

• Each location that does not have direct connectivity to the rest of the network and is reachable only by SMTP mail.

• Networks that are separated by links that are heavily used during some parts of the day and idle during other parts of the day.

In benandbrady.com we have 2 sites – CA and NC. DC1 and DC2 are the Domain Controllers in the CA site. DC3 is the Domain Controller in the NC site. Currently, we have only one site, CA, in our domain. Let’s create a 2nd site and associate it with a subnet.

Step 1: Create a new site called NC

1. Log in to DC1 as Administrator. Click Start -> Administrative Tools -> Active Directory Sites and Services. Select Sites then right click and select New Site. In the Name field type NC, select DEFAULTIPSITELINK, and click OK. The next window reminds you about the additional steps you need to perform. Click OK again.


Step 2: Create a subnet and associate it with a site

We will now create the 200.200.202.0 subnet and associate it with the NC site.

1. In Active Directory Sites and Services, select Subnets then right click and select New Subnet. In the Address field type 200.200.202.0 and in the Mask field type 255.255.255.0. In the Select a site object for this subnet box select NC and click OK.

2. We must now create the 200.200.201.0 subnet and associate it with the CA site. In Active Directory Sites and Services, select Subnets then right click and select New Subnet. In the Address field type 200.200.201.0 and in the Mask field type 255.255.255.0. In the Select a site object for this subnet box select CA and click OK.

Sites and subnets for benandbrady.com should now appear as shown in the following figure.


Step 3: Move a Domain Controller object to the NC site

We must now move DC3 from CA to NC. This will optimize performance since all user logon activities will be performed against a local Domain Controller.

1. In the Servers link in Active Directory Sites and Services, select DC3 -> Move, then select NC and click OK.

We have now successfully moved DC3 to the NC site.
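Steps 2 and 3 rely on one rule: a machine belongs to the site whose subnet object contains its IP address, and a domain controller whose server object sits in a different site from its subnet will be chosen by the wrong clients. The following Python script is an added example, not part of the original lab, that applies that rule to the lab's addresses: it maps an IP to a site by the most specific matching subnet (it goes beyond the lab by also handling nested subnets such as a /16 that contains a /24, the longest-prefix rule Active Directory uses), and it lists every server object, using the constructed server-to-site table below, whose site does not match the site its IP address maps to, which is exactly the condition DC3 was in before it was moved.

```python
"""Map IP addresses to Active Directory sites by subnet (added example)."""
import ipaddress

# Constructed subnet-to-site table matching the lab's two subnets.
SUBNETS = {
    "200.200.201.0/24": "CA",
    "200.200.202.0/24": "NC",
}

# Constructed view of Sites and Services before Step 3 moved DC3: all three
# server objects still sit in CA (the renamed Default-First-Site-Name).
SERVER_SITES = {"DC1": "CA", "DC2": "CA", "DC3": "CA"}
SERVER_IPS = {"DC1": "200.200.201.1", "DC2": "200.200.201.2", "DC3": "200.200.202.1"}


def site_for_ip(ip, subnets=SUBNETS):
    """Return the site whose most specific subnet contains ip, or None.

    When subnets nest, the longest prefix wins (a /24 beats a /16 that
    covers the same address). An address in no subnet maps to no site.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net_str, site in subnets.items():
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def misplaced_servers(server_ips, server_sites, subnets=SUBNETS):
    """Servers whose site object differs from the site their IP maps to.

    Returns {server: (current_site, site_by_subnet)} for each mismatch.
    """
    out = {}
    for name, ip in server_ips.items():
        expected = site_for_ip(ip, subnets)
        if expected is not None and server_sites.get(name) != expected:
            out[name] = (server_sites.get(name), expected)
    return out


if __name__ == "__main__":
    for name, ip in SERVER_IPS.items():
        print(f"{name} {ip} -> site {site_for_ip(ip)}")
    print("misplaced:", misplaced_servers(SERVER_IPS, SERVER_SITES))
```

For the lab's addresses the script reports DC3 as misplaced (in CA by object, NC by subnet), and after Step 3 the table would be empty. An address that matches no subnet object maps to no site at all, which is why both subnets in Step 2 must be created, not just the one for the new site.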


Step 4: Designate a site license server for the NC site

A license server is used to ensure legal compliance for the Windows Server 2003 operating system by monitoring license usage and requirements. You must designate a license server at each site for optimal performance.

1. In Active Directory Sites and Services, click the CA site in the left hand pane. In the right hand pane, select Licensing Site Settings, right click and select Properties, click the Change button, type DC1 and click OK to select the licensing server. Click OK to close the box.


Testing Active Directory replication

We’re now going to test Active Directory replication to ensure that both the logical domain, benandbrady.com, and the physical network between the two sites, CA and NC, are working properly.

1. In DC1, use Active Directory Users and Computers to create a new user, Michelle Wong (Logon Name: MWong, Password: Password1), in the Users container.

We will now replicate Active Directory and verify that the user object appears in the Active Directory database of both DC2 and DC3. In Active Directory Sites and Services, select NTDS Settings under DC1. In the right-hand pane, select the <automatically generated> DC3 to NC link, right click and select Replicate Now.

You will see a message informing you about the impending replication across the sites. Click OK.

2. In a similar manner, replicate the <automatically generated> DC2 to CA link. This replication is within the same site since DC2 is in CA. Hence, you will see the message box shown below. Click OK.

Log in to DC2 and DC3 and verify that the user Michelle Wong appears in the Users container in Active Directory Users and Computers. Close all windows.

(43)

Lab 3

Controlling Inter-site Replication Using Site Links and Bridgehead Servers

You will learn how to:

• Create and configure site links

• Create backup replication mechanisms

• Schedule inter-site replication

• Optimize replication using bridgehead servers

• Create site link bridges and connection objects

• Designate a Global Catalog & a Universal Group Caching server

(44)

Scenario – Part Three

Ben & Brady’s Ice Cream Corp’s domain is now fully functional at the two sites. The Operations Manager is very pleased with the network and is eager to move on to the next phase of the project.

In this phase you will optimize the traffic between the two sites. In the next meeting with the Operations Manager you will determine the best time to exchange traffic between the domain controllers of the two sites. You explain to the Operations Manager that different types of network traffic cross the WAN link between CA and NC. Some of these transfers can be scheduled during non-business hours so that maximum bandwidth is available during hours of operations thereby improving network speed.

You will also configure a dial-up connection as a Backup Replication line. This connection will be set up in such a way that it will only be used if the T1 line becomes unavailable. Finally, you will also be setting up Global Catalog and Universal Group Caching servers. The Operations Manager suddenly becomes concerned about the cost of additional servers. You explain that these are features within Server 2003 and will not increase any hardware or licensing costs. Global Catalog will be set up so that directory searches will be local and fast. It is time to convert these plans into action.

(45)

Replication types in Active Directory

1. Intra-site Replication – replication within the same site.

2. Inter-site Replication – replication between sites.

Configuring inter-site replication

To configure inter-site replication you must complete the following tasks:

1. Create site links.

2. Configure site link attributes.

3. Designate a preferred bridgehead server.

4. Create site link bridges (optional).

(46)

Step 1: Create site links

The Active Directory Installation Wizard automatically created an object named DEFAULTIPSITELINK in the IP container for the first default site (CA site). You can rename the DEFAULTIPSITELINK to the name you want to use for the site link. We will call it the CA-NC site link. You can create additional site links and associate sites with them.

1. Click Start → Administrative Tools → Active Directory Sites and Services → Inter-Site Transports → IP → New Site Link.

2. In the Name field, type Backup CA-NC Link, ensure that both the CA and the NC sites are selected and click OK. This is the backup link we created so that if the main link goes down, we can replicate across this link.

Let us now rename the DEFAULTIPSITELINK to CA-NC link. Right click

(47)

Step 2: Configure site link attributes

To ensure efficient replication and fault tolerance, you must configure site link cost, replication frequency and replication availability information for all site links.

Link cost: Active Directory always chooses the connection on a per-cost basis, so the least expensive connection is used as long as it is available. You will configure the T1 connection with a lower cost than Dial-up. If both connections are available, T1 will always be used.

Replication frequency: Configure site link replication frequency for site links by providing an integer value that tells Active Directory how many minutes it should wait before using a connection to check for replication updates. Values range from 15 minutes to 10,080 minutes (1 week).

Configuring site link replication availability: Configure site link replication availability to determine when a site link will be available for replication. This is also known as the replication schedule.

Let us now configure the attributes of the Backup CA-NC Link.

1. In Active Directory Sites and Services, select IP in the Inter-Site Transports. In the right hand pane, right click Backup CA-NC Link and select Properties.

(48)

2. In the Cost box, type 200. The default cost is 100. Since the CA-NC link has a cost of 100 it will always be used first. Leave the replication interval at 180 minutes. Click on Change Schedule.

3. By default, replication occurs 7 days a week, at any time. We would like to ensure that the backup replication occurs during non-business hours. Select All and then click Replication Not Available. This clears the schedule. Now select the columns 12 am to 8 am and 8 pm to 12 am. Click Replication Available. Click OK twice to complete the process.

(49)

Step 3: Configure a bridgehead server

Replication occurs between bridgehead servers in different sites. When two sites are connected by a site link, the Knowledge Consistency Checker (KCC) automatically selects bridgehead servers - one in each site for each domain that has domain controllers in the site. In this manner, replication traffic crosses the WAN link only once. Each bridgehead server will then replicate with other domain controllers within their site.

We will now designate DC1 (the CA site) and DC3 (the NC site) as preferred bridgehead servers.

1. In Active Directory Sites and Services, select DC1 under the CA site, right click and select Properties. Select IP in the Transports column and click on the Add button to move it to the preferred bridgehead server column. Click OK to finish the process.

Using the same procedure, designate DC3 as a preferred bridgehead server in the NC site. DC1 and DC3 will now replicate changes in the Active Directory. DC1 and DC2 will replicate with each other within the same site. DC2 will never replicate with DC3 thereby optimizing how the WAN link is utilized.

(50)

Step 4: Create site link bridges

This is an optional procedure. By default, all site links that use the same transport (IP) are transitive, so if one link is unavailable replication can be routed over another. Let's create a new site link bridge in our network.

1. In Active Directory Sites and Services, select IP under Inter-Site Transports, right click and select New Site Link Bridge.
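Step 2 set a cost and a schedule on the backup link, and this step relies on site link transitivity to route around a failed link. The PowerShell below is an added example, not code from the lab manual: it is a small model of how the KCC picks a path between two sites, the least total site-link cost over the links that are up and inside their replication schedule. 'CA-NC link' (cost 100, always available) and 'Backup CA-NC Link' (cost 200, available 12 am to 8 am and 8 pm to 12 am) are the lab's values. The third site 'TX' with its two links, and the -DownLinks flag standing in for a failed WAN connection, are constructed assumptions added to show transitive routing through a bridged link.

```powershell
# Added example, not part of the lab manual: a model of the KCC's choice of
# replication path between two sites as the least total site-link cost over
# links that are up and inside their schedule. Site 'TX' and -DownLinks are
# constructed assumptions; the two CA-NC links use the lab's values.

function New-SiteLink {
    param([string]$Name, [string[]]$Sites, [int]$Cost, [int[]]$AvailableHours = (0..23))
    [pscustomobject]@{ Name = $Name; Sites = $Sites; Cost = $Cost; AvailableHours = $AvailableHours }
}

function Get-ReplicationPath {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][object[]]$SiteLinks,
        [int]$Hour = (Get-Date).Hour,
        [string[]]$DownLinks = @()          # links known to be unavailable (constructed flag)
    )
    # A link is usable only if it is up and the current hour is in its schedule.
    $usable = @($SiteLinks | Where-Object { $DownLinks -notcontains $_.Name -and $_.AvailableHours -contains $Hour })

    # Dijkstra over sites, edge weight = site link cost. Crossing more than one
    # link on the way is exactly what site link bridging (transitivity) permits.
    $dist = @{ $From = 0 }; $prev = @{}; $via = @{}; $done = @{}
    while ($true) {
        $pending = @($dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] })
        if ($pending.Count -eq 0) { return $null }      # $To is unreachable right now
        $current = $pending[0]
        if ($current -eq $To) { break }
        $done[$current] = $true
        foreach ($link in $usable | Where-Object { $_.Sites -contains $current }) {
            foreach ($site in $link.Sites | Where-Object { $_ -ne $current }) {
                $candidate = $dist[$current] + $link.Cost
                if (-not $dist.ContainsKey($site) -or $candidate -lt $dist[$site]) {
                    $dist[$site] = $candidate; $prev[$site] = $current; $via[$site] = $link.Name
                }
            }
        }
    }
    # Walk back from $To to list the links in order.
    $path = @(); $site = $To
    while ($site -ne $From) { $path = ,$via[$site] + $path; $site = $prev[$site] }
    [pscustomobject]@{ From = $From; To = $To; Hour = $Hour; Links = ($path -join ' -> '); TotalCost = $dist[$To] }
}

$links = @(
    (New-SiteLink -Name 'CA-NC link'        -Sites 'CA','NC' -Cost 100),
    (New-SiteLink -Name 'Backup CA-NC Link' -Sites 'CA','NC' -Cost 200 -AvailableHours ((0..7) + (20..23))),
    (New-SiteLink -Name 'CA-TX link'        -Sites 'CA','TX' -Cost 150),   # constructed
    (New-SiteLink -Name 'TX-NC link'        -Sites 'TX','NC' -Cost 150)    # constructed
)
Get-ReplicationPath -From CA -To NC -SiteLinks $links -Hour 10                            # business hours, all links up
Get-ReplicationPath -From CA -To NC -SiteLinks $links -Hour 10 -DownLinks 'CA-NC link'   # T1 down, dial-up outside its schedule
Get-ReplicationPath -From CA -To NC -SiteLinks $links -Hour 22 -DownLinks 'CA-NC link'   # T1 down, dial-up inside its schedule
```

The three calls walk through the cases the lab configures: with everything up the T1 wins on cost; with the T1 down during business hours the dial-up link is outside its schedule, so the only path is the two-hop one through TX (which is what transitivity buys you); at 10 pm the dial-up link is back in its window and, being cheaper than the two-hop path, is selected. If no usable path exists the function returns $null, which is the condition to alert on, since inter-site replication simply stops until a link comes back.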

(51)

Step 5: Create and configure connection objects

This is also an optional component. KCC automatically creates connection objects between those domain controllers across which replication occurs.

Although you can create or configure connection objects manually to force replication over a particular connection, normally you should allow replication to be automatically optimized by the KCC based on the information you provide in the Active Directory Sites and Services console about your deployment. Create connection objects manually only if the connections that are automatically configured by the KCC do not connect specific domain controllers that you want to connect.

1. Let us observe the connection objects created by selecting the NTDS Settings of DC1.

The KCC created these objects automatically. You can create your own, but in this lab it is not necessary.

(52)

Global Catalog servers

The Global Catalog is the central database of information about objects in a tree or forest. The first domain controller in a forest automatically becomes the global catalog server. A Global catalog server stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. This storage strategy provides efficient searches without unnecessary referrals to other domain controllers.

The global catalog performs three key functions:

1. It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.

2. It enables finding directory information regardless of which domain in the forest actually contains the data.

3. It resolves user principal names (UPNs) when the authenticating domain controller does not have knowledge of the account.

Universal Group caching

If you do not have a Global Catalog at a site, the universal group membership caching feature can optimize the login process. Universal group membership caching allows a domain controller to process user logon requests without contacting a global catalog server. The cache is refreshed periodically as is determined in the replication schedule. This feature eliminates the need to deploy global catalog servers into smaller remote office locations in order to avoid logon failures in the event that the network link connecting the remote site to the rest of the organization is disconnected.

The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system. When a user attempts to log on the first time after a Windows Server 2003 domain controller has been configured to enable the universal group membership caching feature, the domain controller obtains the universal group membership information for the user from a global catalog. The universal group membership information is then cached on the domain controller for the site indefinitely and is periodically refreshed.

The next time the user attempts to log on, the authenticating Windows Server 2003 domain controller obtains the universal group membership information from its local cache without contacting a global catalog. We will first observe that DC1 is already a Global Catalog server, and then make DC3 the Global Catalog server for the NC site.

(53)

1. Click Start → Administrative Tools → Active Directory Sites and Services. Expand Servers and select the NTDS Settings for DC1, right click and select Properties. Observe that the Global Catalog checkbox is already selected. DC1 was the first Domain Controller in the forest, so it automatically became the Global Catalog server.

2. Using this procedure, make DC3 the Global Catalog server in the NC site. Expand Servers and select the NTDS Settings for DC3, right click and select Properties. Select

(54)

3. We will now designate DC3 as the Universal Group caching server. Select the NC site and, in the right hand pane, right click NTDS Site Settings and select Properties.

4. Select the Enable Universal Group Membership Caching checkbox. Click OK. Close all windows to finish this lab.

(55)

Let’s summarize what we have accomplished so far:

• Ben and Brady Ice Cream Corp. has 2 sites, CA and NC.

• CA has two Domain Controllers, DC1 and DC2.

• NC has one Domain Controller, DC3.

• The subnet for CA is 200.200.201.0 and the subnet for NC is 200.200.202.0.

• A Windows Server 2003 server configured as a router connects the two networks.

• DC1 and DC3 are bridgehead servers and inter-site replication will take place between these 2 servers.

• DC1 and DC3 are also Global Catalog servers.

• DC3 is the Universal Group caching server.

(56)
(57)

Lab 4

Monitoring Active Directory Replication

You will learn how to:

• Install Active Directory support tools

• Use Replication Monitor to monitor and troubleshoot

• Use Active Directory command-line tools for generating reports and troubleshooting

• Create a batch file to automate domain wide replication

• Use Active Directory Sizer to plan the number of servers

(58)

Scenario – Part Four

The Operations Manager would now like to move on to the Monitoring and Reporting phase of the project. He inquires if the system set up could monitor the replication traffic and generate weekly reports so that he is assured the system continues to work as designed. Your answer is to set up Replication Monitor and other tools for monitoring, reporting and automating replication between domain controllers. To begin with, you will configure Active Directory support tools to monitor the network and will then train the Operations Manager in how to generate and analyze the reports created by Replication Monitor.

You will then create a script that the Operations Manager can run by simply double clicking on an icon on his desktop that will trigger replication between all domain controllers at all sites. The Operations Manager is very excited about this.

Finally, you will also set up the Active Directory Sizer tool so that the Operations Manager can determine the number of servers required to optimize the network as the company grows.

The Operations Manager is now ecstatic and inquires how soon all this can be delivered. You get to work immediately.

(59)

Installing the Active Directory support tools

We will now install additional tools from the Windows Server 2003 CD. These tools will help us monitor and troubleshoot Active Directory services.

1. Log in to DC1 as Administrator. Insert the Windows Server 2003 CD. When the CD runs, select Perform additional tasks and then select Browse this CD. Double click Support, double click Tools, and then double click the SUPTOOLS.MSI file to start the installation of the support tools.

2. In the Welcome screen click Next, accept the license agreement, enter your name on the next screen and click Install Now to start the installation. Note that a new folder called Support Tools will be created in the Program Files folder. Click Finish.

(60)

Active Directory Replication Monitor (Replmon.exe)

ReplMon is used to view the status of Active Directory replication, to force synchronization between domain controllers, to monitor replication and to view the network topology in a graphical format.

You can use ReplMon for the following important tasks:

• See when a replication partner fails.

• View the history of successful and failed replication changes for troubleshooting purposes.

• View the properties of directory replication partners.

• Find all direct and transitive replication partners on the network.

• Display replication topology.

• Force replication.

• Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.

• Display changes that have not yet replicated from a given replication partner.

• Display a list of the trust relationships maintained by the domain controller being monitored.

(61)

1. On DC1, click Start → Command Prompt, type replmon and press Enter. Right click Monitored Servers and then click Add Monitored Server to start the Wizard.

2. Click Add the server explicitly by name and click Next.

3. Select Enter the name of the server to monitor explicitly and type DC1. Click

(62)

4. Using the same steps, add DC2 and DC3 as monitored servers. Your screen should now look the same as in the following figure. Observe that each Domain Controller is listed in the appropriate site. DC1 and DC3 have the symbol of the globe since they are Global Catalog servers.

5. Expand DC1. Note that each partition (component) of Active Directory is represented by the symbol of a book. Select CA\DC2. The right hand pane shows details of the replication between DC1 and DC2 such as the USN and the last successful date and time of replication. Also note that NC\DC3 has a symbol of a telephone connection. This means that it is a bridgehead server.

(63)

6. Right click DC1 and select Generate Status Report. Type Stat1 for the file name and click Save. Click OK to select all the report options. Click OK in the report status box.

7. To view the report, click File → Open Log → Stat1.log → Open. The report will open in Notepad and can be printed. Navigate to see the major sections of the report. It has every detail about the site, domain, FSMO roles, replication and so on. This report is extremely useful in documentation and troubleshooting.

We will now create and modify objects in the Active Directory. Ensure that DC2 is unavailable by shutting it down. On DC1, use Active Directory Users and Computers to create an Organizational Unit called CA. Also, in the properties for the user Michelle Wong, enter Headquarters in the Office field and 800-555-1212 in the Telephone Number field. Next, log on to DC3. Create an OU called NC. Now log on to DC1. In the Active Directory Replication Monitor console (replmon.exe), right click DC1 and select Synchronize Each Directory Partition with All Servers. Click OK and then Yes for the messages that tell

(64)

8. DC1 and DC3 will now replicate. DC1 will be unable to replicate with DC2.

9. Use Active Directory Users and Computers to verify that CA, NC and the changes to Michelle Wong are available on both Domain Controllers. Create another status report and save it as Stat2. Open the status report.

Restart DC2. Use Active Directory Sites and Services to replicate. Run the status report again and note the success this time. Also, verify the results in Active Directory Users and Computers. Close all programs.

Figure: status report showing DC1/DC2 unsuccessful and DC1/DC3 successful.

(65)

Replication Diagnostics tool (Repadmin.exe)

Repadmin is a command-line tool used to view the replication topology from the perspective of each domain controller. You can also use repadmin to force replication and to find out how up-to-date each domain controller is.

1. On DC1, go to the command prompt and type repadmin /showrepl DC1 and press Enter. This command displays all the replication partners for DC1.

2. At the command prompt type repadmin /showconn DC1 and press Enter. This command displays all the connection objects for DC1.

(66)

3. At the command prompt type repadmin /replicate dc1 dc2 dc=benandbrady,dc=com and press Enter. This command replicates the benandbrady.com domain partition between DC1 and DC2. Note that the replication is from DC2 to DC1: the first server named is the destination and the second is the source.

4. Let us now create a batch file that will replicate all connections. Open Notepad and type the following:

Save this file to the desktop as Domain Replication.bat. Note that we do not replicate between DC2 and DC3. DC1 and DC3 are bridgehead servers that participate in Inter-site Replication.

To synchronize the benandbrady.com domain, you no longer have to use any GUI based tools. Let’s double click on the file Domain Replication.bat. You will see a Command Prompt window pop up in which the batch file will run and synchronize the domain.
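The batch file above is shown only as a figure in the manual. The PowerShell below is an added example, not the lab's Domain Replication.bat: it forces replication over the same connections the batch file covers (DC1 and DC2 inside CA, DC1 and DC3 between the bridgehead servers; DC2 never replicates with DC3) and then parses repadmin /showrepl to list every inbound partner whose last attempt failed, which is the check an operator wants after a forced synchronization. The sample showrepl output inside it is constructed to mirror the lab's result with DC2 shut down, its GUIDs and timestamps are placeholders, and the text layout it parses is assumed to be the Windows Server 2003 one. Run it with -Live on DC1 to use the real repadmin; without the switch it runs offline on the sample.

```powershell
# Added example, not the lab's Domain Replication.bat: force replication over the
# lab's connections (DC1<->DC2 inside CA, DC1<->DC3 between the bridgeheads), then
# parse 'repadmin /showrepl' and report inbound partners whose last attempt failed.
# The sample output below is constructed; GUIDs and timestamps are placeholders.
param([switch]$Live)

$Domain = 'dc=benandbrady,dc=com'
# (destination, source) pairs: repadmin /replicate pulls changes FROM source TO destination.
$Connections = @(
    @('dc1', 'dc2'), @('dc2', 'dc1'),
    @('dc1', 'dc3'), @('dc3', 'dc1')
)

function Invoke-DomainReplication {
    foreach ($pair in $Connections) {
        $dest, $src = $pair
        Write-Host ("{0:u}  replicating {1} <- {2}" -f (Get-Date), $dest, $src)
        repadmin /replicate $dest $src $Domain
        if ($LASTEXITCODE -ne 0) { Write-Warning "replicate $dest <- $src exited with code $LASTEXITCODE" }
    }
}

function Get-FailedReplicationPartners {
    param([Parameter(Mandatory)][string[]]$ShowReplLines)
    # Assumed Windows Server 2003 layout: an inbound partner line 'SITE\DC via RPC', then
    # 'Last attempt @ <date> <time> was successful.' or
    # 'Last attempt @ <date> <time> failed, result <code> (0x...):' a few lines below it.
    $partner = $null
    $failures = @()
    foreach ($line in $ShowReplLines) {
        if ($line -match '^\s+(?<partner>[^\s\\]+\\\S+) via ') { $partner = $Matches.partner; continue }
        if ($line -match 'Last attempt @ (?<when>\S+ \S+) failed, result (?<code>\d+)') {
            $failures += [pscustomobject]@{ Partner = $partner; LastAttempt = $Matches.when; ResultCode = [int]$Matches.code }
        }
    }
    return $failures
}

# Constructed sample of what DC1 reports while DC2 is shut down (placeholder GUIDs/times).
$sampleShowRepl = @'
CA\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationID: 00000000-0000-0000-0000-000000000011

==== INBOUND NEIGHBORS ======================================

DC=benandbrady,DC=com
    CA\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2004-02-11 10:05:12 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2004-02-11 07:05:10.
    NC\DC3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2004-02-11 10:05:14 was successful.
'@ -split "`r?`n"

if ($Live) {
    Invoke-DomainReplication
    $lines = repadmin /showrepl dc1
} else {
    $lines = $sampleShowRepl
}

$failed = @(Get-FailedReplicationPartners -ShowReplLines $lines)
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) inbound partner(s) failed on the last replication attempt:"
    $failed | Format-Table -AutoSize
} else {
    Write-Host 'All inbound partners replicated successfully on the last attempt.'
}
```

Two design points: the connection list is written as ordered (destination, source) pairs because repadmin /replicate is directional, so both directions of each link are issued explicitly, just as the lab's batch file does; and the parser keys on the "Last attempt" line rather than on exit codes, because repadmin /showrepl returns success even when a partner has been failing for days. Scheduling this as a task and forwarding the warning is a simple way to catch the silent replication failure the Operations Manager asked to be assured about.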

(67)

Directory Services utility (Dsastat.exe)

Dsastat.exe can be used to compare two directory trees across replicas within the same domain or, in the case of a global catalog, across different domains. The tool retrieves capacity statistics such as megabytes per server, objects per server and megabytes per object class and also performs comparisons of the attributes of replicated objects.

1. On DC1, go to the command prompt and type dsastat /s:dc1;dc2 /b:"CN=Domain Controllers,DC=benandbrady,DC=com" and press Enter. This command compares the objects in the Domain Controllers container on DC1 and DC2. Check the last section of the report: Server sizes are equal. PASS.

(68)

Domain Controller Diagnostic tool (Dcdiag.exe)

This command-line tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting.

1. On DC1, go to the command prompt and type dcdiag /s:dc1 and press Enter. This command performs a series of tests and gives you a report showing whether the Domain Controller passed or failed each test. To capture the output in a text file type dcdiag /s:dc1 >dc1.txt and press Enter. In the C:\ drive, double click on the file dc1.txt to

(69)

Active Directory Sizer

Active Directory Sizer is a capacity planning tool that helps an organization size its Active Directory deployment. It should be used after the design phase and before the actual deployment of servers.

The Active Directory Sizer estimates the hardware required for deploying Active Directory in your organization depending on your organization's usage profile. Based on your answers to the Active Directory Sizer wizard, the tool will calculate the total workload and estimate the following for you:

• Number of domain controllers (including Global Catalog servers and bridgehead servers).

• Number and type of processor(s) per machine.

• Number of disks needed for the Active Directory database.

• Memory required.

• Network bandwidth utilization.

1. Download the Active Directory Sizer from Microsoft's web site. Locate and run the setup.exe file to begin installation. Follow the prompts to install the application. Next,

(70)

2. In the Active Directory Sizer console, right click Domain Configuration and select Add Domain. Type benandbrady.com in the domain name. Click Next. Type 100 for the Number of Users and click Next.

3. Type 10 for the Average number of groups and the Interactive Logon fields. Click Next. Type 100 for the Windows computers, 10 for Other computers and 10 for other objects. Click Next on the next two screens to accept the default values. In the Administration screen, type 5 for Add, 1 for Delete, 10 for Modify. Select Interval Weekly. Click Finish.

(71)

4. You will see a report for benandbrady.com showing the size of the Active Directory database, including both the Domain Database and the Global Catalog. In our example, the database is 24 MB.

In a large network, with several hundred users and computers, the size of the database will be extremely large. The size increases exponentially with the number of computers, users and groups. Hence, it is extremely important to design the sites and services carefully, such as the placement of domain controllers, Global Catalog servers and DNS servers.

(72)

The following is a sample report showing a large network of 500,000 users and 400,100 workstations and servers. You will need 68 servers – 33 Domain Controllers, 34 Global Catalog servers, and 1 bridgehead server.

As you can see, ADSizer gives you a very accurate estimate of hardware requirements based on the size of your network.

(73)

Lab 5

Upgrading the Domain & Forest Functional Levels and Changing Single Master Operations Roles in Benandbrady.com

You will learn how to:

• Determine the appropriate domain & forest functional level

• Upgrade domain and forest functional levels

• Verify the operations master roles

• Transfer the operations master role

(74)

Scenario – Part Five

In the final phase of this project, you will be upgrading the domain and forest functional level of benandbrady.com so that it can use all the features available in Server 2003.

In your next meeting with the Operations Manager, you explain about the default levels of the domain and forest. The default levels do not permit the use of certain features but do allow backward compatibility with Windows NT Server and Windows 2000 Server.

After determining that only Windows Server 2003 will be running on benandbrady.com, you decide to raise the forest and domain functional levels to Server 2003.

The next phase is to document the flexible single master operations roles so that they can be distributed across your network. You explain to the Operations Manager that even though all Domain Controllers are peers of each other, there are some Domain Controllers that perform specific roles.

The Operations Manager would like to have a one-on-one session with you so that he can document all the steps required to change roles.

The Management of Ben and Brady Ice Cream Corp. has been getting regular reports from the Operations Manager about the progress of the network. They are extremely happy with the professionalism and attention to detail you have demonstrated in setting up the benandbrady.com domain. There was little to no interruption to normal operations. The domain is performing up to the expectations of the users and the Management.

The Management has offered you a monthly retainer to act as a Consultant and Technical Support person for the company. Your hard work has finally been rewarded with a lucrative consulting contract and lots of referrals.

(75)

Domain functional levels

Domain functional levels provide a way to enable domain-wide Active Directory features within the network environment. Windows Server 2003 has a lot of new features, some of which are not compatible with Windows 2000 and Windows NT networks. You must activate the appropriate domain functional level to benefit from the features available in Active Directory.

There are four domain functional levels:

Windows 2000 Mixed (Default): When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the domain controller is set to run in Windows 2000 mixed functionality. The Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Microsoft Windows NT 4, Windows 2000, or Windows Server 2003.

Windows 2000 Native: The Windows 2000 native functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003. You can raise the functional level of a domain to Windows 2000 native if the domain controllers in the domain are all running Windows 2000 Server or later.

Windows Server 2003 Interim: The Windows Server 2003 interim functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. This functional level does not support domain controllers running Windows 2000.

Windows Server 2003: The Windows Server 2003 functional level allows a domain controller running the Windows Server 2003 operating system to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a domain to Windows Server 2003 only if all domain controllers in the domain are running Windows Server 2003.

(76)

Since all the domain controllers in benandbrady.com are Windows Server 2003, we will upgrade to the Windows Server 2003 domain functional level. To do this, we will be using the Active Directory Domains and Trusts console.

1. Log in to DC1 as Administrator. Click Start → Administrative Tools → Active Directory Users and Computers. Right click benandbrady.com and select Properties. Note that the current level is set at Windows 2000 mixed. Click OK.

2. Right click the Users container, select New and then Group. Notice that the Universal Group scope is unavailable. This feature is not compatible with Windows NT. You must upgrade the domain mode to create Universal Groups. Click Cancel and close Active

(77)

3. Click Start → Administrative Tools → Active Directory Domains and Trusts. Right click benandbrady.com and select Raise Domain Functional Level.

4. In Select an available domain functional level, click the drop down box and select Windows Server 2003. Click Raise. Click OK to the warning message that the process is irreversible. Click OK again to complete the process. Close all windows.

Note that you have changed the domain functional level, not the level of the Domain Controller. This process can be done at any domain controller. All domain controllers will now reflect that the domain is in the Windows Server 2003 level. Let us now verify this.

(78)

5. On DC3 log in as Administrator. Click Start → Administrative Tools → Active Directory Users and Computers. Right click benandbrady.com and select Properties. Now the level is set at Windows Server 2003.

6. Right click the Users container, select New and then Group. Notice that the Universal Group scope is now available. It may be grayed out until the servers have replicated. You can force replication by running Domain Replication.bat or through Active Directory Sites and Services.

(79)

Forest functional levels

Forest functional levels provide a way to enable forest-wide Active Directory features within the network environment. The forest functional levels control the type of interaction between domain controllers in a forest.

There are three forest functional levels:

Windows 2000: When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the forest is set to run in the Windows 2000 functional level. The Windows 2000 functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the forest running Windows NT 4, Windows 2000, or Windows Server 2003.

Windows Server 2003 Interim: The Windows Server 2003 interim functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. This functional level does not support domain controllers running Windows 2000.

Windows Server 2003: The Windows Server 2003 functional level allows a domain controller running the Windows Server 2003 operating system to interact only with domain controllers in the domain running Windows Server 2003.

You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003 and all domain functional levels in the forest have been raised to Windows Server 2003.

Some of the significant features available in Windows Server 2003 forest level are improved Active Directory & Global Catalog replication and the flexibility of renaming domains.

(80)

We will be using the Active Directory Domains and Trusts console to upgrade the forest functional level.

1. Click Start → Administrative Tools → Active Directory Domains and Trusts. Right click Active Directory Domains and Trusts and select Raise Forest Functional Level.

2. Windows Server 2003 is already selected. Click Raise. Click OK on the informational message box. Click OK to finish the upgrade.

(81)

3. Start Active Directory Users and Computers, right click benandbrady.com and select Properties. Notice that both the Domain functional level and Forest functional level are

(82)

Operations master roles

Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. All Domain Controllers are considered as peers of each other. Some changes are impractical to perform in multi-master fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time).

In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Two roles are forest wide and three roles are domain wide.

Forest-wide operations master roles

• Schema master

• Domain naming master

These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.

Schema master role

The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master.

Domain naming master role

The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. This is like the Registrar of the forest. You cannot add or remove domains if this role is unavailable.
