Microsoft Windows Server 2012

Chapter 2 - Active Directory, configuring a domain controller and domain clients
Outline:

• Logical Topologies
• AD DS
• Creating Users
• Installing Active Directory
• Promoting Active Directory as DC
• Adding Client to Active Directory Domain
Logical Topologies

Workgroup Model vs. Domain Model
Workgroup Model vs. Domain Model

Workgroup Model: A workgroup is a peer-to-peer Windows computer network, where a user can use his login credentials only on his own system and not on others. Administration is distributed, with each user managing his machine independently. Most storage is also distributed: each device has its own dedicated storage.
Logical Topologies

Domain Model: This is a client/server network where users can log in from any device in the office (also known as remote login). Administration is centralized, so all devices can be managed from a central device. It favors centralized storage: all user data is stored on a central storage device, which can be a NAS or a SAN.
What is Active Directory / AD DS?
Active Directory Domain Services (AD DS)

Active Directory (AD) is a proprietary directory service developed by Microsoft to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory was first released in 2000 and runs on Windows Server.

Active Directory stores data as objects. An object is a single element, such as a user, group, application or device, such as a printer. Objects are normally defined as either resources (such as printers or computers) or security principals (such as users or groups).

Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.
Active Directory Domain Services (AD DS)
Active Directory categorizes objects by name and attributes. For example, the
name of a user might include the name string, along with information
associated with the user, such as passwords and Secure Shell (SSH) keys.

The Active Directory structure includes three main tiers: 1) domains, 2) trees,
and 3) forests. Several objects (users or devices) that all use the
same database may be grouped into a single domain. Multiple domains can be
combined into a single group called a tree. Multiple trees may be grouped into a
collection called a forest. Each one of these levels can be assigned specific
access rights and communication privileges.

Active Directory Domain Services (AD DS)

Active Directory provides several different services, which fall under the umbrella of "Active Directory Domain Services," or AD DS. These services include:

• Domain Services – stores centralized data and manages communication between users and domains; includes login authentication and search functionality
• Certificate Services – creates, distributes, and manages secure certificates
• Lightweight Directory Access Protocol (LDAP) – provides a common language for clients and servers to speak to one another
• Directory Federation Services – provides single sign-on (SSO) to authenticate a user in multiple web applications in a single session
• Rights Management – protects copyrighted information by preventing unauthorized use and distribution of digital content
Structures of Active Directory

Domain
• A logical grouping of user, computer and group objects for the purpose of management and security
• A domain should have at least one domain controller.

Tree
• Made of one or more domains with a contiguous namespace.

Forest
• Made of one or more trees. A forest differs from a tree because it uses disjoint namespaces between the trees.
For example, in a forest, you could have microsoft.com as the root of one tree. Say that Microsoft then purchases another company called Acme (acme.com), and acme.com then becomes the root of another tree. Both trees could be combined into a forest, yet each tree’s identity could be kept separate.
Domain Controller

What is a Domain Controller?

• A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain.
• It is a server on a Microsoft Windows network that is responsible for allowing hosts access to Windows domain resources.
• A DC is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.
• It allows hierarchical organization and protection of users and computers operating on the same network.
• In simpler terms, when a user logs into their domain, the DC authenticates and validates their credentials (usually in the form of username, password and/or IP location) and then allows or denies access.
Domain Controller

Why is a Domain Controller Important?

• Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.

Domain Controller vs. Active Directory

• ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine
• Active Directory is a type of domain, and a domain controller is an important server on that domain. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.
AD DS Installation
Installation Prerequisites

This step-by-step tutorial will guide you through setting up Active Directory on your Windows Server 2012 R2 machine. The article is divided into the following two parts:

1. Installing Active Directory on a machine
2. Promoting that machine to act as a domain controller

Prerequisites

• The Administrator account must have a strong password
• A static IP is configured
• The latest Windows updates are installed
• The firewall is turned off
• Administrator logon is required
AD DS Installation

In Windows Server 2012, you can use Server Manager to install the AD DS role. To install the role, click the Manage menu and then click Add Roles and Features.

Server Manager Dashboard
AD DS Installation

Before you continue, make sure you have a strong administrator password, a static IP is configured and security updates are installed on your machine. Click Next.
AD DS Installation

Leave the default selection in place when installing AD DS: Role-based or feature-based installation. Click Next.

Installation Type
AD DS Installation

The Server Selection dialog enables you to choose one of the servers previously added to the pool, as long as it is accessible. The local server running Server Manager is automatically available. Click Next.

Server Selection
AD DS Installation

Select the Active Directory Domain Services role if you intend to promote a domain controller. All Active Directory administration features and required services install automatically, even if they are ostensibly part of another role or do not appear selected in the Server Manager interface.

Server Roles and Features
AD DS Installation

Click Add Features and then click Next.

Add Features
AD DS Installation

The Active Directory Domain Services dialog provides limited information on requirements and best practices. It mainly acts as a confirmation that you chose the AD DS role: if this screen does not appear, you did not select AD DS.

Active Directory Domain Services
AD DS Installation

The Confirmation dialog is the final checkpoint before role installation starts. It offers an option to restart the computer as needed after role installation, but AD DS installation does not require a reboot.

By clicking Install, you confirm you are ready to begin role installation. You cannot cancel a role installation once it begins.

Confirmation
AD DS Installation

The Results dialog shows the current installation progress and status. Role installation continues regardless of whether Server Manager is closed. When the installation completes, click Close.

Results
AD DS Installation

Task Notification

Verifying the installation results is still a best practice. If you close the Results dialog before installation completes, you can check the results using the Server Manager notification flag. Server Manager also shows a warning message for any servers that have installed the AD DS role but have not yet been configured as domain controllers.
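The same role installation done from PowerShell instead of the Server Manager wizard, added here as an example (it is not code from the slides). It assumes an elevated PowerShell session on Windows Server 2012 R2; the static-IP check and the closing feature listing correspond to the prerequisites and the task-notification verification above.

```powershell
# Added example: PowerShell equivalent of the Server Manager role installation.
# Assumes an elevated session on Windows Server 2012 R2 (not code from the slides).

# Prerequisite from the slides: the future DC needs a static IPv4 address.
# Get-NetIPAddress reports PrefixOrigin 'Dhcp' for leased addresses and 'Manual'
# for statically assigned ones, so any DHCP address on a real adapter fails the check.
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
if ($ipv4.PrefixOrigin -contains 'Dhcp') {
    throw 'Assign a static IPv4 address before installing AD DS.'
}

# Install the AD DS role together with its management tools
# (the "Add Features" step of the wizard).
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Verify the outcome instead of assuming success, as the task-notification slide
# recommends. The result object carries Success, ExitCode and RestartNeeded.
if (-not $result.Success) {
    throw "AD DS role installation failed (exit code: $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart was requested before the role is fully usable.'
}

# Confirm what is installed. At this point the role is present but the server is
# not yet a domain controller; that is the state Server Manager flags with a warning.
Get-WindowsFeature -Name AD-Domain-Services, RSAT-ADDS |
    Select-Object Name, InstallState
```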
How to Promote a Server to a Domain Controller
DC Promotion

After installing the Active Directory Domain Services feature on your server, you can promote the server to a domain controller. If you have just finished the feature installation, the AD DS Configuration Wizard begins automatically.

However, if the feature installation window has already been closed, you can start the Active Directory Domain Services Configuration Wizard by clicking the Tasks icon along the top of Server Manager.
DC Promotion

In Server Manager, you can see the post-deployment actions needed to promote this server to a domain controller. Click the option: Promote this server to a domain controller.
DC Promotion

To create a new Active Directory forest, click Add a new forest. You must provide a valid root domain name; the name cannot be single-labeled (for example, the name must be contoso.com or similar and not just contoso) and must follow the allowed DNS domain naming requirements.

When selecting the root domain, don’t forget to give it an extension!
DC Promotion

Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover an Active Directory database.

When Active Directory is installed, the install wizard prompts the administrator to choose a DSRM password. This password provides the administrator with a back door to the database in case something goes wrong later on, but it does not provide access to the domain or to any services. In the event a DSRM password is forgotten, it can be changed by using the command-line tool NTDSUtil.
DC Promotion

Ignore the warnings in the DNS Options window and click Next.
DC Promotion

In the Additional Options window, verify the NetBIOS name of the domain and click Next.
DC Promotion

Note down the Database, Log files and SYSVOL folder paths and click Next.
DC Promotion

In the Review Options window, review your choices, including the domain name, NetBIOS name and Global Catalog. Click Next.
DC Promotion

Click Install once all prerequisite checks have passed successfully.
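The promotion steps above (root domain name, DSRM password, DNS, NetBIOS name, folder paths, prerequisite check, Install) as one PowerShell run with the ADDSDeployment module, added here as an example; it is not code from the slides. The domain name contoso.com, the NetBIOS name CONTOSO and the default folder paths are assumed values.

```powershell
# Added example: promote the server to the first DC of a new forest using the
# ADDSDeployment module. Domain name, NetBIOS name and paths are assumed values.
Import-Module ADDSDeployment

# The DSRM password is requested as a SecureString, as the wizard does.
$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString

$forest = @{
    DomainName                    = 'contoso.com'      # multi-label, never just 'contoso'
    DomainNetbiosName             = 'CONTOSO'          # what the Additional Options page shows
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true              # also installs the DNS Server role
    DatabasePath                  = 'C:\Windows\NTDS'  # Database path from the paths page
    LogPath                       = 'C:\Windows\NTDS'  # Log files path
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true              # suppress the interactive confirmation
}

# The wizard's prerequisite check, run on its own first: it makes no changes and
# returns a result whose Status is Success only when promotion can proceed.
$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message)"
}

# Equivalent of clicking Install. The server reboots automatically when the
# promotion completes, so the line after this normally runs only on failure.
$promotion = Install-ADDSForest @forest
if ($promotion.Status -ne 'Success') {
    throw "Promotion failed: $($promotion.Message)"
}

# If the DSRM password is later forgotten, the DSRM slide points at ntdsutil;
# the interactive sequence is:  ntdsutil -> "set dsrm password"
#   -> "reset password on server null" -> (enter new password) -> q -> q
```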
STEP-BY-STEP: ADD CLIENT TO ACTIVE DIRECTORY DOMAIN

• Connect Client To Domain
Open Network and Sharing Center. Click Change adapter settings on the left.
Right-click on Local Area Connection and select Properties. In the Local Area Connection Properties window, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Under the General tab, make sure that Obtain an IP address automatically is checked.
Check Use the following DNS server addresses and key in the server’s IP address. Click OK when done.
• Right-click My Computer and select Properties.
• Under Computer name, domain, and workgroup settings, click Change settings; the System Properties window will pop up.
• Under the Computer Name tab, click Change; the Computer Name/Domain Changes window will pop up. Give the PC a recognizable name.
• Check Domain, key in the domain created earlier and click OK.
• The user will be prompted to key in a username and password to join the domain. Key in a user account that is registered in the Active Directory domain.
• After successfully joining the domain, the user will be prompted to restart the PC.
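The client-side steps above (DNS pointed at the server, computer renamed, domain joined, restart) as one PowerShell script run on the client, added here as an example that is not part of the original slides. The DC address 192.0.2.10, the domain contoso.com, the adapter alias Ethernet and the client name CLIENT01 are assumed values; the name-resolution and reachability check before the join is the test the conclusion recommends.

```powershell
# Added example: join a client to the domain with the same steps as the GUI
# walkthrough. DC address, domain, adapter alias and client name are assumed values.
$dcAddress = '192.0.2.10'      # the server's IP keyed into the DNS server field
$domain    = 'contoso.com'     # the domain created during promotion
$adapter   = 'Ethernet'        # 'Local Area Connection' on older clients
$newName   = 'CLIENT01'        # the recognizable PC name

# Step 1: keep DHCP for the address itself, but point DNS at the domain controller.
# The join locates a DC through DNS (SRV records), so a wrong DNS server is the
# most common reason the join fails.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dcAddress

# Pre-flight check: the domain name must resolve to the DC, and the DC must answer.
$resolved = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop
if ($resolved.IPAddress -notcontains $dcAddress) {
    throw "$domain does not resolve to $dcAddress; check the DNS server setting."
}
if (-not (Test-Connection -ComputerName $dcAddress -Count 2 -Quiet)) {
    throw "No reply from the domain controller at $dcAddress."
}

# Steps 2-3: rename the computer and join the domain in one call. The credential
# is a domain account allowed to join computers; -Restart performs the final reboot
# the slides describe.
$cred = Get-Credential -Message "Account authorized to join $domain"
Add-Computer -DomainName $domain -NewName $newName -Credential $cred -Restart -Force
```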
Conclusion

• Congratulations on setting up Active Directory on your Windows Server 2012 R2 machine. Before you join your client machine to this new domain, you should be able to ping the domain from the server command prompt.

Any Questions?

LAB