Monday, February 13, 2012

Chapter 2

Chapter 2 covered implementing AD on a network. First, the chapter went through Server Manager again, and how to do the initial config tasks (change the time and date). The next portion went through the minimum requirements for installing AD on the server. The forest root domain is the first of the domains installed on an AD server. According to the chapter, the root domain (unlike in a Linux machine) cannot be deleted, though any child domain within it can be once it is installed. The first domain controller installed will contain all the FSMO, or flexible single master operations roles which all function as a unit to allow the server to function in a multimaster capacity required by AD. Once AD is installed, the book advises you to a check on some systems to verify it installed and was configured correctly. These include application partition directory partition creation, aging & scavenging for zones, Forward lookup zones and SRV records and reverse lookup zones. The book described that the functional level of the AD domain is able to be raised to incorporate acquisitions as the structure of an organization changes, though the transition is one-way and can't be lowered again without reinstalling an entire domain. The book mentioned that the admin should install a second domain controller for fault tolerance, and to lessen the workload on the first controller. Read-only domain controllers (RODC's) can be hosted in an AD server in order to enhance network security where there is minimal security on a server. It also allows the server to be configured with a password replication policy, which keeps the passwords for that site's accounts and no others. If that specific server is stolen or hacked, it will not have passwords cashed from other sites in it. RODC's can be partially installed by an administrator, then installed the rest of the way by site admins. If a RODC server is taken or hacked, the admin can set the users' accounts on the affected server to reset, allowing the admin to then reset the passwords for those whose accounts were on the RODC. Modifying an AD schema is considered to be a potentially disruptive task on a server, and should be done on an outside network before implementing it network-wide. Trust relationships were covered next. These allow cross or out-of-network access to others while maintaining security in a system.

No comments:

Post a Comment