Active Directory Infrastructure Domain Services Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Active Directory Domain Services (AD DS) acts as a database that stores directory data (such as users, computers and other resources on a network) and manages communication between users and the domain. A domain controller is a server that hosts Active Directory; a domain typically has more than one domain controller, each hosting a copy of the directory. Active Directory helps administrators centrally manage access to the company's resources (such as users, groups and printers) and control user accounts from one location.

Chapter 1: Configure a forest or a domain

Active Directory planning and design are a critical part of deploying an Active Directory infrastructure in an organization. Poor planning may increase maintenance cost and network traffic, because once the directory is deployed even a small correction is expensive. For instance, renaming the root domain may require the entire Active Directory forest to be rolled back completely.

The forest topology, the domain (or domain tree) topology, the site topology and the organizational unit topology are the four basic topological components that make up the Active Directory structure. Hence, planning an AD infrastructure is done in four stages.

Create a forest plan

This stage requires us to determine the number of forests the organization needs. Multiple forests should only be created if the organization has more than one separate group that do not trust each other and must be managed separately. Multiple forests increase labor cost, because they require multiple administrators, and maintenance cost, because multiple trusts, global catalogs and schemas have to be maintained.

Create a domain plan for the forest

In this stage we need to determine the number of domains in the forest and consider the characteristics of each domain. Since each additional domain increases hardware cost, it is vital to plan the number of domains carefully. Besides, it is difficult to delete a domain once it has been created.

This stage also requires us to determine the number of domain trees and subdomains, as well as the names of the domains in the hierarchy.

After determining the number of domains needed in the new forest, the administrator needs to define the forest root domain. The root domain is the first domain created in the forest. If an existing domain is a critical part of the organization's operation and the organization cannot afford to lose it, then that existing domain must be selected as the forest root domain. Alternatively, a dedicated forest root domain is an additional domain created solely to serve as the root. Implementing a dedicated forest root domain is recommended because it provides better security and scalability.

Planning the Organizational Units

In this stage administrators are required to determine the number of OUs needed. OU planning must satisfy the requirements of delegating administration and administering Group Policy.

Developing the site topology

To optimize network traffic in the organization, we must define the sites and determine the best way to physically group the computers on the network.

Furthermore, the site topology routes query and replication traffic efficiently and also helps us determine where to place domain controllers within our structure.

Before we can install Active Directory Domain Services on our Windows Server 2008 machine, several prerequisites must be considered. For example, the domain name, the DNS configuration method, the location of the database and log files and the location of the shared system folder must be decided carefully. We first make sure that we have read and fully understood the Active Directory installation requirements: we will not be able to set up AD on a computer that does not comply with all of the requirements below.

Windows Server 2008 or Windows Server 2008 R2 is installed on our machine.

We must make sure that a Domain Name System (DNS) infrastructure is in place on our network before we can create a domain or forest through AD DS. When we install AD DS, we can include the DNS server installation, in which case the DNS delegation is created automatically during the installation process. If no DNS infrastructure is in place, the option to install a DNS server is not available when we attempt to install an additional domain controller in a domain.

TCP/IP settings (including IP address, default gateway and subnet mask) and DNS server addresses must be configured properly. It is possible to install Active Directory on a server that has a dynamic IP address, but DNS registration may not work and Active Directory functionality may be lost if we do not use a dedicated IP address. Therefore, it is good practice to configure the server with a manually assigned, dedicated IP address.

To install AD successfully, we must have at least one NTFS formatted partition with enough free space.

The AD DS database, log files and SYSVOL folder must be stored on a local fixed volume formatted with the NTFS (New Technology File System) file system.

It is better that all client computers connect to the Internet through NAT devices, since NAT allows the administrators of an organization to isolate the clients on the local network. To ensure proper DNS connectivity, all client computers are configured to point to the domain's internal DNS server, which in turn lets the clients resolve DNS names on the Internet.

Steps to Install AD DS

Install new forest

To install AD DS on a Windows Server 2008 machine and configure it to act as a domain controller, additional steps need to be performed before running DCPROMO.

Before we can install AD DS, we must log in as the local administrator of the machine. Initially, the local administrator's password might be blank, or the account might not require a password at all. Therefore, before we start installing AD DS, we must run the following command at a command prompt:

net user administrator <password> /passwordreq:yes

Replace <password> with our desired password.

There are three methods to install Active Directory Domain Services on the server.

Method 1: Using the Windows interface to install a new forest

Open Server Manager by clicking Start menu, point to Administrative Tools, and choose Server Manager.

Choose the Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

On the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page. Click Close after the installation process is completed.

Open Server Manager again and select the Active Directory Domain Services link. Since we have not yet run DCPROMO, there is no information linked to it yet.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. To get additional installation options, we choose Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Type the full DNS name for the forest root domain on the Name the Forest Root Domain window, and then click Next.

Type the NetBIOS name of the domain or accept the default name in the Domain NetBIOS Name page. This page only appears when Use advanced mode installation was selected on the Welcome page. Then, click Next.

Select the appropriate forest functional level in the Set Forest Functional Level window and then click Next.

Select the appropriate domain functional level in the Set Domain Functional Level window and then click Next.

The DNS server option is selected by default in the Additional Domain Controller Options window. Click Next if we wish to use Active Directory integrated DNS. If we have an existing DNS infrastructure and do not want our domain controller to be a DNS server, clear the DNS server check box and then click Next.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses, advising us to set static addresses for both protocols before proceeding. If the organization does not have static IPv6 addresses and the network adapter has a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Click Yes to create the DNS delegation manually if the wizard cannot create it.

Browse to the volume and folder locations for the database files, log files and SYSVOL in the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window.

We review our selection on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

We can select Reboot on completion to restart the server automatically, or restart the server when we are prompted to do so.

Method 2: Using the command line to install a new forest

If we want to use a list of unattended options and parameter values to create a new forest, we type them directly at the command line. An answer file can also be combined with command-line options in the same command: the command-line parameters are applied in addition to the parameters listed in the answer file, and when both specify different values for the same option, the value typed at the command line overrides the value in the answer file.

The following procedure installs a new forest by using the command line:

Type the following command at a command prompt and press Enter:

dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> ...

Note: type dcpromo /?:Promotion at a command prompt, or refer to the Promotion Operation table (which lists each option together with the configuration instruction for it), to view the list of unattended installation options.

Example: dcpromo /unattend /installDNS:yes /newDomain:forest

Method 3: Using an answer file to install a new forest

Before we can perform an unattended installation, we must create an answer file containing the configuration values.

The following procedure is used to create an answer file and then perform the unattended installation:

Open any text editor, such as Notepad.

Type [DCINSTALL] and press Enter.

Type the required entries and their configuration values, one entry per line.

Save the answer file to a location such as a folder called Dcpromo, a network shared folder or removable media.

Type the following command at the command line to perform the unattended installation:

dcpromo /unattend:"<path to the answer file>"
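As an added example that is not part of the essay, the following PowerShell script ties Method 2 and Method 3 together: it writes a [DCINSTALL] answer file for a new forest, locks the file down, and then runs dcpromo with the file plus two command-line options that override entries in it. The domain name corp.example.com, the NetBIOS name CORP and the folder C:\Dcpromo are constructed sample values.

```powershell
# Added example: unattended new-forest promotion on Windows Server 2008 / 2008 R2.
# corp.example.com, CORP and C:\Dcpromo are constructed sample values.
$answerDir  = 'C:\Dcpromo'
$answerFile = Join-Path $answerDir 'newforest.txt'
New-Item -ItemType Directory -Path $answerDir -Force | Out-Null

# Each line under [DCINSTALL] is one dcpromo unattend option.
# ForestLevel/DomainLevel: 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = Windows Server 2008 R2.
# SafeModeAdminPassword is deliberately left empty and RebootOnCompletion is No:
# both are supplied on the command line below, and a command-line value overrides
# the answer-file value for the same option.
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=
RebootOnCompletion=No
"@
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# The answer file holds promotion settings (and could hold credentials), so drop inherited
# permissions and grant full control only to Administrators and SYSTEM.
icacls $answerFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# Ask for the Directory Services Restore Mode password at run time instead of storing it on disk.
$dsrm  = Read-Host -Prompt 'Directory Services Restore Mode administrator password' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Run dcpromo: the file supplies most options; /SafeModeAdminPassword fills the empty entry
# and /RebootOnCompletion:Yes overrides the No in the file.
$dcpromoArgs = @(
    "/unattend:`"$answerFile`"",
    "/SafeModeAdminPassword:$plain",
    '/RebootOnCompletion:Yes'
)
$proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                      -ArgumentList $dcpromoArgs -Wait -PassThru
"dcpromo exited with code $($proc.ExitCode); see $env:SystemRoot\debug\dcpromo.log for details."
```

Because the password is passed as a command-line argument, it is visible in the process list while dcpromo runs; putting it in the ACL-restricted answer file instead is the alternative when that is a concern.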

Install a child domain in an existing forest

There are three methods to install a child domain in Active Directory. It is important to keep in mind that only members of the Enterprise Admins group have the privilege to install a new domain.

The procedure below installs a child domain in the forest by using the Windows interface.

Open Server Manager by clicking Start menu, point to Administrative Tools, and choose Server Manager.

Choose the Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

On the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page, then click Close on the Installation Results page.

Open Server Manager again and select the Active Directory Domain Services link. Since we have not yet run DCPROMO, there is no information linked to it yet.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. To get additional installation options, we choose Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Click Existing forest and Create a new domain in an existing forest on the Choose a Deployment Configuration page, then click Next.

Type the name of the existing domain in which we want to install the new domain in the Network Credentials window. Under Specify the account credentials to use to perform the installation, choose either My current logged on credentials or Alternate credentials. Provide the username and password that are allowed to install the new domain in the Windows Security message box and then click Next.

Type the FQDN of the parent domain and the single-label name of the child domain in the Name the New Domain window, then click Next.

Type the NetBIOS name of the domain or accept the default name in the Domain NetBIOS Name page. Then, click Next.

Select the appropriate domain functional level in the Set Domain Functional Level window and then click Next.

Select an appropriate site from the list in the Select a Site window and then click Next.

Select additional options for the domain controller in the Additional Domain Controller Options window and then click Next.

The DNS server option is selected by default so that the domain controller acts as a DNS server. The Global Catalog option is not selected by default, because a global catalog server that hosts the infrastructure master role might cause problems in the child domain.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses, advising us to set static addresses for both protocols before proceeding. If the organization does not have static IPv6 addresses and the network adapter has a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Specify a domain controller that can be used to replicate the configuration and schema directory partitions by selecting This specific domain controller or Any writable domain controller in the Source Domain Controller window. This window only appears if Use advanced mode installation was selected on the Welcome page.

Browse to the volume and folder locations for the database files, log files and SYSVOL in the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window.

We review our selection on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

Click Finish on Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or restart the server when we are prompted to do so.

Install an additional domain controller in an existing domain

Before we can install a new domain controller, we must log in as the local administrator of the machine. Initially, the local administrator's password might be blank, or the account might not require a password at all. Therefore, before we start installing the additional domain controller, we must run the following command at a command prompt:

net user administrator <password> /passwordreq:yes

Replace <password> with our desired password.

The procedure below installs a new domain controller by using the Windows interface:

Open Server Manager by clicking Start menu, point to Administrative Tools, and choose Server Manager.

Choose the Add Roles link in Roles Summary.

Click Next in the Before You Begin window.

On the Select Server Roles page, select Active Directory Domain Services and then click Next.

Read the information in the Active Directory Domain Services window and then click Next.

Click Install on the Confirm Installation Selections page, then click Close on the Installation Results page.

Open Server Manager again and select the Active Directory Domain Services link. Since we have not yet run DCPROMO, there is no information linked to it yet.

Now, we run the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Click Next in the Welcome to the Active Directory Domain Services Installation Wizard window. To get additional installation options, we choose Use advanced mode installation.

Click Next in the Operating System Compatibility page.

Click Existing forest and Add a domain controller to an existing domain on the Choose a Deployment Configuration page, then click Next.

Type the name of the existing domain in the Network Credentials window. Under Specify the account credentials to use to perform the installation, choose either My current logged on credentials or Alternate credentials. Provide the username and password that can be used to perform the installation in the Windows Security message box and then click Next.

Select the domain for the domain controller in the Set a Domain window and then click Next.

Select an appropriate site from the list in the Select a Site window and then click Next.

Select additional options for the domain controller in the Additional Domain Controller Options window and then click Next.

The DNS server option is selected by default so that the domain controller acts as a DNS server; clear it if we do not want the domain controller to act as a DNS server. The Global Catalog option is also selected by default; it adds the global catalog and the read-only directory partitions to the domain controller. The Read-only domain controller option is not selected by default; selecting it makes the new domain controller read-only.

A warning message box might appear if the network adapters do not have static IPv4 and IPv6 addresses, advising us to set static addresses for both protocols before proceeding. If the organization does not have static IPv6 addresses and the network adapter has a static IPv4 address, we can ignore this message and choose Yes, the computer will use a dynamically assigned IP address (not recommended).

Specify the domain controller to replicate from when creating the additional domain controller by selecting Let the wizard choose an appropriate domain controller or Use this specific domain controller in the Source Domain Controller window. This window only appears if Use advanced mode installation was selected on the Welcome page.

Browse to the volume and folder locations for the database files, log files and SYSVOL in the Location for Database, Log Files and SYSVOL window. Then, click Next.

Type the restore mode password in the Directory Services Restore Mode Administrator Password window, then click Next.

We review our selection on the Summary page. If necessary, click Back to change selections. After we are sure that all the installation settings are correct, click Export settings to save all the installation settings to an answer file, and then click Save. Lastly, click Next to install AD DS.

Click Finish on Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or restart the server when we are prompted to do so.

Verify an AD DS installation

After we install AD DS successfully, we need to perform several procedures to verify that all of its functionality works correctly. If the domain controllers are running Windows Server 2008, the Microsoft IT Environment Health Scanner can be used to run diagnostic tests against the entire directory.

Use the following procedures to verify the installation of AD DS:

Procedure to determine whether the child NTDS Settings object is present

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials and click Continue.

In the console tree, expand the Sites container and then the site that contains the server object.

Expand the server object in the Servers container to view its child objects.

Note that membership in Domain Users or equivalent is sufficient to perform the procedure above.

Procedure to verify that the IP address maps to a subnet address

Log in locally or remotely to the server whose IP address we want to determine.

Click View Network Connections in Server Manager, right-click the connection that the server uses to attach to the network, then click Properties.

Click TCP/IPv4 or TCP/IPv6 in the Connection Properties dialog box.

Calculate the subnet address from the values of the IP address and the subnet mask. Then click OK twice.

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials and click Continue.

Click the Subnets container in the Sites container in the console tree.

Find the subnet object in the Name column. The subnet object must match the subnet address of the server.

The Site column shows the site with which the subnet address is associated. If the site shown in the Site column is not the correct site, contact the site administrator or determine whether the server object should be moved to a new site.

Note that membership in Domain Admins or equivalent is required to perform the procedure above.
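As an added example that is not part of the essay, this PowerShell snippet automates the subnet check above: it derives the subnet address from the adapter's IP address and mask exactly as the procedure describes, then looks the subnet object up under the forest's Sites container and reports the site it is associated with. It assumes it runs on a domain-joined machine where the .NET System.DirectoryServices.ActiveDirectory classes are available; the IP address 10.1.2.37 and mask 255.255.255.0 are constructed sample values.

```powershell
# Added example: check that a server's IPv4 address maps to an AD subnet object and report its site.
function Get-SubnetAddress {
    param([string]$IPAddress, [string]$SubnetMask)
    $ipBytes   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    # Network address = IP AND mask, octet by octet.
    $net = 0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }
    # Prefix length = number of 1 bits in the mask; AD subnet objects are named in CIDR form (e.g. 10.1.2.0/24).
    $prefix = 0
    foreach ($b in $maskBytes) {
        $prefix += ([Convert]::ToString([int]$b, 2) -replace '0', '').Length
    }
    "{0}/{1}" -f ($net -join '.'), $prefix
}

function Find-AdSubnet {
    param([string]$SubnetCidr)
    # Walk every site in the current forest and its subnet objects (readable by Domain Users).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($subnet in $site.Subnets) {
            if ($subnet.Name -eq $SubnetCidr) {
                return New-Object PSObject -Property @{ Subnet = $subnet.Name; Site = $site.Name }
            }
        }
    }
    return $null
}

# Constructed sample values; on a real server read them from the adapter's TCP/IPv4 properties
# (or from Get-WmiObject Win32_NetworkAdapterConfiguration).
$ip   = '10.1.2.37'
$mask = '255.255.255.0'
$cidr = Get-SubnetAddress -IPAddress $ip -SubnetMask $mask   # gives 10.1.2.0/24

$match = Find-AdSubnet -SubnetCidr $cidr
if ($match -eq $null) {
    "No subnet object named $cidr exists under Sites; create one and associate it with the correct site."
} else {
    "$ip is in subnet $($match.Subnet), associated with site $($match.Site)."
    "If that is not the site where the server object lives, move the server object to the correct site."
}
```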

Procedure to move a server object to a new site

Click the Start menu, point to Administrative Tools, and open Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials and click Continue.

In the console tree, expand the Sites container and then the site that contains the server object.

Expand the Servers container, right-click the server object to be moved, then click Move.

Click the destination site on the Site Name page, then click OK.

Expand the site object into which we moved the server, expand its Servers container and verify that the moved server exists, then expand the server object and verify that the NTDS Settings child object exists.

Note that only members of Enterprise Admins or equivalent have the privilege to perform the procedure above.

Verify Active Directory Replication

Right-click Command Prompt and click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials and click Continue.

Type following command :

dcdiag /test:replications

Press Enter.

If the test fails, open Event Viewer and check the errors in the Directory Service log. Troubleshoot the problem by using the details in the ActiveDirectory_DomainService replication events.

Note that only members of Domain Admins or equivalent have the privilege to perform the procedure above.

Scenarios for AD DS installation

Install new forest

Before we install AD DS to create the first domain controller in a new forest, several considerations should be taken into account.

Firstly, we need to decide the forest and domain functional levels. We determine whether domain controllers that run Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2 can exist in the forest. Domain controllers running Windows Server 2008 or Windows Server 2008 R2 do not support servers running Windows NT Server 4.0. Besides, the first domain controller in the forest must be configured as a global catalog server, and it cannot be an RODC.

Install a new domain in an existing forest

Before we install a new Windows Server 2008 or Windows Server 2008 R2 domain in a Windows 2000 Server or Windows Server 2003 forest, we must run adprep /forestprep to extend the schema.

Besides, we need to decide the domain functional level. We determine whether domain controllers that run Windows 2000 Server, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2 can exist in the domain.

Install a new domain controller in an existing domain

Before we install the first domain controller running Windows Server 2008 or Windows Server 2008 R2 in the forest, we must run adprep /forestprep on the schema operations master to extend the schema.

We must run adprep /domainprep /gpprep when the first Windows Server 2008 or Windows Server 2008 R2 domain controller is to be installed in a Windows 2000 Server domain.

We must run adprep /domainprep when the first Windows Server 2008 or Windows Server 2008 R2 domain controller is to be installed in a Windows Server 2003 domain.

Only an additional Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain can be configured as an RODC.

Steps for removing a domain controller from a domain

The procedure below removes a Windows Server 2008 domain controller from a domain by using the Windows interface:

Click Start, click Run, type dcpromo and press Enter.

Click Next on the Welcome to the Active Directory Domain Services Installation Wizard window.

A message is displayed if the domain controller is a global catalog server. Click OK.

Make no selection in the Delete the Domain window, then click Next.

Click Next on the Application Directory Partitions page if we do not want to retain the application directory partitions stored on the domain controller.

If we wish to retain an application directory partition, we remove the partition by using the application that created it and then click Refresh to refresh the list.

If the Confirm Deletion page is displayed, choose the option to delete all application directory partitions, then click OK.

Type and confirm the password for the local administrator in the Administrator Password window, then click Next.

We review our selections on the Summary page. If necessary, click Back to change the selections. After we are sure that all the settings are correct, click Export settings to save all the settings to an answer file, and then click Save. Lastly, click Next to proceed.

Click Finish on Completing the Active Directory Domain Services Installation Wizard window.

We can select Reboot on completion to restart the server automatically, or restart the server when we are prompted to do so.

Open Server Manager, click Remove Roles in Roles Summary, then click Next in the Before You Begin window.

Clear the Active Directory Domain Services check box in the Remove Server Roles window, then click Next.

Click Remove on the Confirm Removal Selections window.

Click Close in the Removal Results window, then click Yes to restart the server.

Chapter 2: Configure Trust

2.1 Managing Trust

A trust is a relationship that allows users in one domain to access resources in another domain without requiring a user account in the other domain. All trusts within a Windows Server 2008 forest are two-way and transitive. In other words, users from either domain can be given access to resources in the other domain. If one domain trusts a second domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain.

Unlike legacy NT domain trusts, trusts between Windows Server 2008 domains are automatically transitive. Kerberos version 5 and NTLM are the two trust protocols for domain controllers running Windows Server 2008. Kerberos version 5 is the default protocol for a domain controller; NTLM is used if the machine does not support Kerberos version 5. The ticket-granting service provided by Kerberos creates a distributed security network: Kerberos tickets issued by one domain are accepted as good currency in another domain. The Kerberos ticket is like a passport that allows the bearer to gain access to any territory that accepts it.

The Active Directory Domains and Trusts console allows us to create four types of trust: shortcut trust, external trust, realm trust and forest trust. Only members of the Domain Admins group, the Enterprise Admins group or equivalent are allowed to manage trust relationships. Moreover, it is important to note that the default transitive two-way trusts between domains in a forest cannot be removed. The procedure used to validate a trust is only available for external trusts, shortcut trusts and forest trusts.

Procedure to create a shortcut trust by using the Windows interface

Click Start, click Administrative Tools, then select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish a shortcut trust, then click Properties.

Click New Trust on the Trusts tab, then click Next.

Type the DNS name of the domain in the Trust Name window, then click Next.

On the Direction of Trust page, perform one of the following:

To create a two-way shortcut trust that allows users in this domain and users in the specified domain to use this path to access resources in either domain, click Two-way.

To create a one-way incoming shortcut trust that does not allow users in the specified domain to use this path to access resources in this domain, click One-way: incoming.

To create a one-way outgoing shortcut trust that does not allow users in this domain to use this path to access resources in the specified domain, click One-way: outgoing.

Procedure to create an external trust by using the Windows interface

Click Start, click Administrative Tools, then select Active Directory Domains and Trusts.

Right-click the domain for which we want to establish the trust, then click Properties.

Click New Trust on the Trusts tab, then click Next.

Type the DNS name of the domain in the Trust Name window, then click Next.

Click External trust in the Trust Type window, then click Next.

On the Direction of Trust page, perform one of the following:

To create a two-way external trust that allows users in this domain and users in the specified domain to use this path to access resources in either domain, click Two-way.

To create a one-way incoming external trust that does not allow users in the specified domain to use this path to access resources in this domain, click One-way: incoming.

To create a one-way outgoing external trust that does not allow users in this domain to use this path to access resources in the specified domain, click One-way: outgoing.

Click Both this domain and the specified domain in the Sides of Trust window to create both sides of the external trust at the same time.

If both domains belong to the same organization, select Allow authentication for all resources in the Outgoing Trust Properties window to allow users from the specified domain to access all resources in this domain.

If the domains belong to separate organizations, select Allow authentication only for selected resources in the local domain in the Outgoing Trust Properties window to restrict which resources in this domain users from the specified domain can access.

Procedure to create a realm trust by using the Windows interface

Click Start, click Administrative Tools, then click Active Directory Domains and Trusts.

Right-click the domain for which we want to establish the realm trust, then click Properties.

On the Trusts tab, click New Trust, then click Next.

On the Trust Name page, type the name of the target Kerberos realm, then click Next.

On the Trust Type page, click Realm trust, then click Next.

On the Transitivity of Trust page, do one of the following:

Select Nontransitive to form a trust relationship between this domain and the specified realm only.

Select Transitive to form a trust relationship between this domain and the specified realm and all realms trusted by that realm.

On the Direction of Trust page, do one of the following:

To create a two-way realm trust, click Two-way. Users in this domain and users in the specified realm can use this path to access resources in either the realm or the domain.

To create a one-way incoming realm trust, click One-way: incoming. Users in the specified realm will not be able to use this path to access any resources in this domain.

To create a one-way outgoing realm trust, click One-way: outgoing. Users in this domain will not be able to use this path to access any resources in the specified realm.

On the Trust Password page, type the password for the trust. The same password must be configured for the inter-realm principal on the Kerberos KDC, otherwise the trust will not work.
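Every choice in the external-trust and realm-trust wizards above corresponds to a switch of netdom.exe, and writing the command down makes the direction and the security options explicit instead of leaving them to the defaults. The following PowerShell is an added example, not part of the essay: it maps the wizard pages (direction, sides of trust, transitivity, outgoing trust properties) onto netdom command lines and runs them only when asked. The names corp.example.com (this domain), partner.example.net (the specified domain), KRB.EXAMPLE.ORG (a non-Windows Kerberos realm) and the administrator account in the specified domain are assumptions.

```powershell
# Added example, not part of the original essay. Maps New Trust Wizard choices onto netdom.exe.
# Assumed names: corp.example.com (this domain), partner.example.net (specified domain),
# KRB.EXAMPLE.ORG (non-Windows Kerberos realm). netdom.exe ships with the AD DS role and RSAT;
# run it elevated as a member of Domain Admins or Enterprise Admins.

function New-TrustPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LocalDomain,        # "this domain" in the wizard
        [Parameter(Mandatory)][string]$SpecifiedDomain,    # name typed on the Trust Name page
        [ValidateSet('TwoWay','Outgoing','Incoming')][string]$Direction = 'Outgoing',
        [ValidateSet('External','Realm')][string]$TrustType = 'External',
        [switch]$BothSides,       # Sides of Trust: "Both this domain and the specified domain"
        [switch]$SelectiveAuth,   # Outgoing Trust Properties: "only for selected resources"
        [switch]$Transitive,      # realm trusts: Transitivity of Trust page
        [string]$TrustPassword,   # Trust Password page: needed for realm trusts and one-sided trusts
        [string]$RemoteAdmin = "$SpecifiedDomain\Administrator"   # hypothetical account, assumption
    )
    # netdom trust <TrustingDomain> /d:<TrustedDomain>: the first name holds the resources, the /d:
    # name supplies the users. "One-way: outgoing" therefore puts the local domain first,
    # "One-way: incoming" puts the specified domain first.
    if ($Direction -eq 'Incoming') { $trusting = $SpecifiedDomain; $trusted = $LocalDomain }
    else                           { $trusting = $LocalDomain;     $trusted = $SpecifiedDomain }
    $base = @('trust', $trusting, "/d:$trusted")
    $add  = $base + '/add'
    if ($Direction -eq 'TwoWay') { $add += '/twoway' }
    $plan = @()

    if ($TrustType -eq 'Realm') {
        if ($Direction -eq 'Incoming') { throw 'An incoming-only realm trust is not covered by this example; use the wizard.' }
        if (-not $TrustPassword)       { throw 'A realm trust needs the inter-realm password (/passwordt).' }
        $plan += [pscustomobject]@{ Step = 'create realm trust'; Args = [string[]]($add + '/realm' + "/passwordt:$TrustPassword") }
        $t = if ($Transitive) { '/transitive:yes' } else { '/transitive:no' }
        $plan += [pscustomobject]@{ Step = 'transitivity'; Args = [string[]]($base + $t) }
        return $plan
    }

    # External trust. Without /oneside netdom creates both sides and needs credentials for the
    # specified domain (/pd:* prompts instead of embedding a password). A one-sided trust needs
    # the shared trust password, and the other administrator creates the matching side with it.
    if ($BothSides) {
        $add += "/ud:$RemoteAdmin", '/pd:*'
    } else {
        if (-not $TrustPassword) { throw 'Creating one side only needs the trust password (/passwordt).' }
        $side = if ($Direction -eq 'Incoming') { '/oneside:trusted' } else { '/oneside:trusting' }
        $add += $side, "/passwordt:$TrustPassword"
    }
    $plan += [pscustomobject]@{ Step = 'create external trust'; Args = [string[]]$add }

    # Quarantine (SID filtering) and the authentication level are properties of the trusting side,
    # so they only apply when the local domain is trusting (outgoing or two-way).
    if ($Direction -ne 'Incoming') {
        # SID filtering is already on by default; stating it makes a later /quarantine:no stand out.
        $plan += [pscustomobject]@{ Step = 'SID filtering'; Args = [string[]]($base + '/quarantine:yes') }
        $sel = if ($SelectiveAuth) { '/SelectiveAUTH:yes' } else { '/SelectiveAUTH:no' }
        $plan += [pscustomobject]@{ Step = 'authentication level'; Args = [string[]]($base + $sel) }
    }
    return $plan
}

function Invoke-TrustPlan {
    param([Parameter(Mandatory, ValueFromPipeline)]$Step)
    process {
        Write-Host ('netdom ' + ($Step.Args -join ' '))
        & netdom $Step.Args
        if ($LASTEXITCODE -ne 0) { throw "netdom failed at step '$($Step.Step)' (exit code $LASTEXITCODE)" }
    }
}

$trustPassword = Read-Host 'Trust password (shared with the other side)'

# Partner organisation: one-way outgoing, this side only, selective authentication.
$external = New-TrustPlan -LocalDomain corp.example.com -SpecifiedDomain partner.example.net `
                          -Direction Outgoing -SelectiveAuth -TrustPassword $trustPassword
# Non-Windows KDC: two-way, nontransitive realm trust.
$realm = New-TrustPlan -LocalDomain corp.example.com -SpecifiedDomain KRB.EXAMPLE.ORG `
                       -TrustType Realm -Direction TwoWay -TrustPassword $trustPassword

$external + $realm | ForEach-Object { 'netdom ' + ($_.Args -join ' ') }   # review the plan first
# $external | Invoke-TrustPlan
```

The plan is printed before anything is executed so that the direction can be checked against the intent: for the partner trust the local domain appears first (it is the trusting side that accepts partner users), and the /SelectiveAUTH:yes step is what turns the wizard's "only for selected resources" choice into the CROSS_ORGANIZATION attribute on the trust object.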

Procedure to remove a trust by using the Windows interface

Click Start, click Administrative Tools, then click Active Directory Domains and Trusts.

Right-click the domain that contains the trust to be removed, then click Properties.

On the Trusts tab, select the trust to be removed under Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), then click Remove.

Then do one of the following:

If No, remove the trust from the local domain only is selected, repeat this procedure in the reciprocal domain as well; otherwise that domain keeps a trust object for a trust that no longer exists on this side.

If Yes, remove the trust from both the local domain and the other domain is selected, supply a user account and password with administrative rights in the reciprocal domain.

Procedure to validate a trust by using the Windows interface

Click Start, click Administrative Tools, then click Active Directory Domains and Trusts.

Right-click the domain that contains the trust to be validated, then click Properties.

On the Trusts tab, select the trust to be validated under Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click Properties, then click Validate.

Then do one of the following:

If No, do not validate the incoming trust is selected, only this side of the trust is checked; repeat this procedure in the reciprocal domain.

If Yes, validate the incoming trust is selected, supply a user account and password with administrative rights in the reciprocal domain so that both directions are verified.


2.2 Managing Forest Trust

2.2.1 Install forest trust

When we create a forest trust between two forests, Windows Server 2008 by default creates a transitive trust relationship between every domain in one forest and every domain in the other. The trust itself is created only between the forest root domain of one forest and the forest root domain of the other. Before creating a forest trust, both forests must be at the Windows Server 2003 forest functional level or higher, which in turn requires every domain controller in both forests to run Windows Server 2003 or later, and DNS name resolution between the two forests must be in place (for example, a conditional forwarder or a stub zone for the other forest's DNS name in each forest). Only members of the Domain Admins group in the forest root domain, the Enterprise Admins group, or equivalent can manage trust relationships.

Procedure to create a forest trust by using the Windows interface:

Click Start, click Administrative Tools, then click Active Directory Domains and Trusts.

Right-click the forest root domain from which we want to establish the forest trust, then click Properties.

On the Trusts tab, click New Trust, then click Next.

On the Trust Name page, type the DNS name of the forest root domain of the other forest, then click Next.

On the Trust Type page, click Forest trust, then click Next.

On the Direction of Trust page, do one of the following:

To create a two-way forest trust, click Two-way. Users in this forest and users in the specified forest can use this path to access resources in either forest.

To create a one-way incoming forest trust, click One-way: incoming. Users in this forest can be authenticated in the specified forest, but users in the specified forest will not be able to use this path to access any resources in this forest.

To create a one-way outgoing forest trust, click One-way: outgoing. Users in the specified forest can be authenticated in this forest, but users in this forest will not be able to use this path to access any resources in the specified forest.

On the Sides of Trust page, click Both this domain and the specified domain to create both sides of the forest trust at the same time; the wizard then asks for a user name and password with administrative rights in the specified forest.

If both forests belong to the same organization, select Forest-wide authentication on the Outgoing Trust Properties page so that users from the specified forest are authenticated automatically for all resources in the local forest.

If the forests belong to separate organizations, select Selective authentication so that users from the specified forest can authenticate only to the computers in the local forest on which they have been explicitly granted the Allowed to Authenticate permission.

2.2.2 Change the routing status of a name suffix

Name suffix routing controls how authentication requests are routed across a forest trust. When a user logs on with a name such as user@suffix, the domain controller uses the list of routed suffixes to decide whether to forward the request to the other forest. All unique name suffixes of the other forest (its domain DNS names and its registered UPN suffixes) are routed by default when the forest trust is created; a suffix that also exists in the local forest is marked as a conflict and is not routed. Active Directory Domains and Trusts lets us enable or disable individual suffixes. Only members of the Domain Admins group in the forest root domain, the Enterprise Admins group, or equivalent can modify the routing status of a name suffix.

Procedure to modify the routing status of a name suffix:

Click Start, click Administrative Tools, then click Active Directory Domains and Trusts.

Right-click the forest root domain that contains the forest trust, then click Properties.

On the Trusts tab, select the forest trust to be managed under Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), then click Properties.

On the Name Suffix Routing tab, select the suffix to be modified under Name suffixes in the x.x forest (x.x stands for the name of the other forest), then click Edit.

On the Existing name suffixes in the x.x page, select the suffix, then click Enable or Disable.
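The validate and remove procedures in 2.1, the forest trust settings in 2.2.1 and the Name Suffix Routing tab all have command-line equivalents, and on a domain with several trusts it is quicker to audit them in one pass than to open each Properties dialog. The following PowerShell is an added example, not part of the essay: it decodes the trustAttributes value of every trust of the current domain, flags the settings a reviewer would question (selective authentication off, SID filtering off or relaxed, transitive realm trusts), verifies each outgoing trust the way the Validate button does, lists the routed suffixes of forest trusts and removes a trust from both sides. It assumes the ActiveDirectory module (RSAT, or Windows Server 2012 and later; on the essay's Windows Server 2008 the netdom calls still apply) and netdom.exe; the exact form of the /namesuffixes call is an assumption to be checked against netdom trust /?.

```powershell
# Added example, not part of the original essay. Audits, verifies, lists name suffixes for and
# removes trusts of the current domain. Assumes the ActiveDirectory module (Get-ADTrust,
# Windows Server 2012 or later / RSAT) and netdom.exe in an elevated session.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS, trustAttributes)
$TA = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering on an external trust
    ForestTransitive  = 0x08
    CrossOrganization = 0x10   # selective authentication
    WithinForest      = 0x20
    TreatAsExternal   = 0x40   # forest trust that allows SID history (SID filtering relaxed)
    UsesRC4           = 0x80
}

function Test-TrustLink {
    param([Parameter(Mandatory)][string]$Local, [Parameter(Mandatory)][string]$Target)
    # Same check as the Validate button for an outgoing trust. Verifying the incoming side as
    # well needs credentials for the other domain (/ud:<user> /pd:*), as the wizard asks for.
    $null = & netdom trust $Local "/d:$Target" /verify 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-RoutedNameSuffixes {
    param([Parameter(Mandatory)][string]$Local, [Parameter(Mandatory)][string]$ForestTrust)
    # Equivalent of the Name Suffix Routing tab (assumed form, check netdom trust /?):
    # netdom trust <forest root> /namesuffixes:<trust name>; add /togglesuffix:<n> to flip entry n.
    & netdom trust $Local "/namesuffixes:$ForestTrust" 2>&1
}

function Remove-TrustBothSides {
    param([Parameter(Mandatory)][string]$Local, [Parameter(Mandatory)][string]$Target,
          [Parameter(Mandatory)][string]$RemoteAdmin)
    # "Yes, remove the trust from both the local domain and the other domain": the other
    # domain's administrator credentials are required; /pd:* prompts for the password.
    & netdom trust $Local "/d:$Target" /remove "/ud:$RemoteAdmin" /pd:*
    return ($LASTEXITCODE -eq 0)
}

function Get-TrustFindings {
    $local = (Get-ADDomain).DNSRoot
    foreach ($t in Get-ADTrust -Filter *) {
        $a          = [int]$t.TrustAttributes
        $isForest   = ($a -band $TA.ForestTransitive) -ne 0
        $isInternal = ($a -band $TA.WithinForest) -ne 0
        $isRealm    = $t.TrustType -eq 'MIT'
        $findings   = @()
        # The protective settings live on the trusting (outgoing) side, the side that accepts the
        # other domain's users; an inbound-only trust exposes no local resources.
        if (-not $isInternal -and $t.Direction -ne 'Inbound') {
            if (-not $isRealm -and ($a -band $TA.CrossOrganization) -eq 0) {
                $findings += 'selective authentication off (domain/forest-wide authentication)'
            }
            if (-not $isForest -and -not $isRealm -and ($a -band $TA.QuarantinedDomain) -eq 0) {
                $findings += 'SID filtering (quarantine) disabled on external trust'
            }
            if ($isForest -and ($a -band $TA.TreatAsExternal) -ne 0) {
                $findings += 'SID history allowed across forest trust (filtering relaxed)'
            }
            if ($isRealm -and ($a -band $TA.NonTransitive) -eq 0) {
                $findings += 'transitive realm trust (extends to realms trusted by the KDC)'
            }
        }
        [pscustomobject]@{
            Trust      = $t.Name
            Kind       = $(if ($isInternal) { 'IntraForest' } elseif ($isForest) { 'Forest' } elseif ($isRealm) { 'Realm' } else { 'External' })
            Direction  = [string]$t.Direction
            Attributes = '0x{0:X}' -f $a
            Valid      = $(if ($t.Direction -eq 'Inbound') { $null } else { Test-TrustLink -Local $local -Target $t.Target })
            Findings   = $findings -join '; '
        }
    }
}

$report = Get-TrustFindings
$report | Format-Table Trust, Kind, Direction, Attributes, Valid, Findings -AutoSize
$report | Where-Object { $_.Kind -eq 'Forest' } |
    ForEach-Object { Get-RoutedNameSuffixes -Local (Get-ADDomain).DNSRoot -ForestTrust $_.Trust }
# Remove-TrustBothSides -Local (Get-ADDomain).DNSRoot -Target partner.example.net -RemoteAdmin 'partner\Administrator'
```

A trust whose Findings column is empty has the settings the wizards recommend for a separate organization: selective authentication on, SID filtering on (quarantine for an external trust, no TREAT_AS_EXTERNAL relaxation for a forest trust). Valid is False when netdom cannot verify the secure channel, which is the case the Validate button exists for; reset the trust from the Properties dialog or with netdom trust /reset before users notice failed cross-domain logons.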

Appendix

In Select Server Roles, select Active Directory Domain Services, then click Next.

Install AD DS.

Because the DCPROMO command has not yet been run, the role page shows the message "This server is not yet running as a domain controller. Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)".

Select Create a new domain in a new forest, then click Next.

Select the appropriate forest functional level, then click Next.

Select the appropriate domain functional level, then click Next.

If DNS is not yet installed, select DNS server. The first domain controller in the forest must be a global catalog server, so Global catalog is selected and cannot be cleared. Click Next.

A warning appears if a network adapter has a dynamically assigned IPv4 or IPv6 address; a domain controller should have static addresses.

Choose the folder locations for the database, log files and SYSVOL, then click Next.
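The Appendix steps can also be run unattended, which is how a first domain controller is usually built repeatably. The following PowerShell is an added example, not part of the essay: it checks for the dynamic-address condition the wizard warns about, writes the [DCInstall] answer file that dcpromo /unattend reads (the same choices as the wizard pages: new forest, functional levels, DNS, database, log and SYSVOL paths), runs dcpromo and deletes the file afterwards because it holds the Directory Services Restore Mode password in clear text. The forest name corp.example.com, the NetBIOS name CORP, functional level 3 (Windows Server 2008) and the default paths are assumptions, and the AD DS role is assumed to be installed already as in the Appendix.

```powershell
# Added example, not part of the original essay: the Appendix as an unattended dcpromo run on
# Windows Server 2008. Assumed: forest root corp.example.com, NetBIOS name CORP, functional
# level 3 (Windows Server 2008), default NTDS/SYSVOL paths, AD DS role already installed.

function Test-StaticAddressing {
    # The wizard warns when an adapter has a dynamically assigned address; check it up front.
    $dhcp = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.DHCPEnabled }
    if ($dhcp) {
        $names = ($dhcp | ForEach-Object { $_.Description }) -join ', '
        Write-Warning "DHCP-assigned address on: $names. Assign static IPv4/IPv6 addresses before promotion."
        return $false
    }
    return $true
}

function New-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory)][string]$ForestDnsName,
        [Parameter(Mandatory)][string]$NetbiosName,
        [Parameter(Mandatory)][string]$SafeModePassword,   # DSRM password
        [int]$ForestLevel = 3,      # 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008
        [int]$DomainLevel = 3,
        [string]$DatabasePath = 'C:\Windows\NTDS',
        [string]$LogPath      = 'C:\Windows\NTDS',
        [string]$SysvolPath   = 'C:\Windows\SYSVOL'
    )
    # [DCInstall] keys understood by dcpromo /unattend; each one matches a wizard page above.
    # RebootOnCompletion=No so that the cleanup below runs; reboot by hand afterwards.
    return @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestDnsName
DomainNetBiosName=$NetbiosName
ForestLevel=$ForestLevel
DomainLevel=$DomainLevel
InstallDNS=Yes
DatabasePath="$DatabasePath"
LogPath="$LogPath"
SYSVOLPath="$SysvolPath"
SafeModeAdminPassword=$SafeModePassword
RebootOnCompletion=No
"@
}

function Install-FirstForestDc {
    param([Parameter(Mandatory)][string]$ForestDnsName, [Parameter(Mandatory)][string]$NetbiosName)
    if (-not (Test-StaticAddressing)) { throw 'Fix the network addressing first.' }
    $pw = Read-Host 'Directory Services Restore Mode (DSRM) password'
    $answer = Join-Path $env:TEMP 'dcpromo-unattend.txt'
    try {
        $content = New-DcpromoAnswerFile -ForestDnsName $ForestDnsName -NetbiosName $NetbiosName -SafeModePassword $pw
        Set-Content -Path $answer -Value $content -Encoding ASCII
        # dcpromo reads the answer file and runs the installation wizard without prompting.
        $p = Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$answer" -Wait -PassThru
        return $p.ExitCode
    }
    finally {
        # The answer file holds the DSRM password in clear text; never leave it on disk.
        Remove-Item -Path $answer -Force -ErrorAction SilentlyContinue
    }
}

$code = Install-FirstForestDc -ForestDnsName corp.example.com -NetbiosName CORP
"dcpromo exit code: $code (check %windir%\debug\dcpromo.log, then reboot)"
```

The DSRM password is the one credential that survives a complete loss of the domain (it logs on to the domain controller in restore mode without Active Directory), so it is read at run time rather than stored in the script, and the file that carried it is removed even if dcpromo fails.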
