William Stanek’s Windows Server 2008 Administrator’s Pocket Consultant, Second Edition (ISBN: 9780735627116, 720 pages), updated for R2, is now available.
Get fast facts to:
In this post we’d like to share some excerpts from the book. First, from its Introduction (and then from Chapter 7, “Using Active Directory”):
Welcome to Windows Server 2008 Administrator’s Pocket Consultant, Second Edition. Over the years, I’ve written about many different server technologies and products, but the one product I like writing about the most is Windows Server. From top to bottom, Windows Server 2008 Release 2 (R2) is substantially different from earlier releases of Windows Server. For starters, many of the core components of Windows Server 2008 R2 are built off the same code base as Windows 7 rather than Windows Vista. This means that you can apply much of what you know about Windows 7 to Windows Server 2008 R2. That’s good news, but you still need to learn how Windows Server 2008 R2 is different from previous releases of Windows Server, and while some of these differences are small, others are very important.
Because I’ve written many top-selling Windows Server books, I was able to bring a unique perspective to this book—the kind of perspective you gain only after working with technologies for many years. Long before there was a product called Windows Server 2008 Release 2, I was working with the beta product. From these early beginnings, the final version of Windows Server 2008 R2 evolved until it became the finished product that is available today.
As you’ve probably noticed, a great deal of information about Windows Server 2008 R2 is available on the Web and in other printed books. You can find tutorials, reference sites, discussion groups, and more to make using Windows Server 2008 R2 easier. However, the advantage of reading this book is that much of the information you need to learn about Windows Server 2008 R2 is organized in one place and presented in a straightforward and orderly fashion. This book has everything you need to customize Windows Server 2008 R2 installations, master Windows Server 2008 R2 configurations, and maintain Windows Server 2008 R2 servers.
In this book, I teach you how features work, why they work the way they do, and how to customize them to meet your needs. I also offer specific examples of how certain features can meet your needs, and how you can use other features to troubleshoot and resolve issues you might have. In addition, this book provides tips, best practices, and examples of how to optimize Windows Server 2008 R2. This book won’t just teach you how to configure Windows Server 2008 R2, it will teach you how to squeeze every last bit of power out of it and make the most from the features and options it includes.
Unlike many other books about administering Windows Server 2008 R2, this book doesn’t focus on a specific user level. This isn’t a lightweight beginner book. Regardless of whether you are a beginning administrator or a seasoned professional, many of the concepts in this book will be valuable to you, and you can apply them to your Windows Server 2008 R2 installations.
Who Is This Book For?
Windows Server 2008 Administrator’s Pocket Consultant, Second Edition covers the Foundation, Standard, Enterprise, Web, Datacenter, and Itanium-based editions of Windows Server 2008 R2. The book is designed for the following readers:
- Current Windows system administrators
- Accomplished users who have some administrator responsibilities
- Administrators upgrading to Windows Server 2008 R2 from previous versions
- Administrators transferring from other platforms
To pack in as much information as possible, I had to assume that you have basic networking skills and a basic understanding of Windows Server. With this in mind, I don’t devote entire chapters to explaining Windows Server architecture, Windows Server startup and shutdown, or why you want to use Windows Server. I do, however, cover Windows server configuration, Group Policy, security, auditing, data backup, system recovery, and much more.
I also assume that you are fairly familiar with Windows commands and procedures as well as the Windows user interface. If you need help learning Windows basics, you should read other resources (many of which are available from Microsoft Press).
Note This book has been completely updated for Windows Server 2008 R2. If you are using Windows Server 2008 RTM, features and procedures will vary slightly. However, you can still use this book to help you with Windows Server 2008 RTM.
How This Book Is Organized
Rome wasn’t built in a day, and this book wasn’t intended to be read in a day, in a week, or even in a month. Ideally, you’ll read this book at your own pace, a little each day as you work your way through all the features Windows Server 2008 R2 has to offer. This book is organized into 20 chapters. The chapters are arranged in a logical order, taking you from planning and deployment tasks to configuration and
Speed and ease of reference are essential parts of this hands-on guide. This book has an expanded table of contents and an extensive index for finding answers to problems quickly. Many other quick reference features have been added to the book as well, including quick step-by-step procedures, lists, tables with fast facts, and extensive cross references.
As with all Pocket Consultants, Windows Server 2008 Administrator’s Pocket Consultant, Second Edition is designed to be a concise and easy-to-use resource for managing Windows servers. This is the readable resource guide that you’ll want on your desktop at all times. The book covers everything you need to perform the core administrative tasks for Windows servers. Because the focus is on giving you maximum value in a pocket-size guide, you don’t have to wade through hundreds of pages of extraneous information to find what you’re looking for. Instead, you’ll find exactly what you need to get the job done, and you’ll find it quickly.
In short, the book is designed to be the one resource you turn to whenever you have questions regarding Windows Server administration. To this end, the book zeroes in on daily administration procedures, frequently performed tasks, documented examples, and options that are representative while not necessarily inclusive. One of my goals is to keep the content so concise that the book remains compact and easy to navigate while at the same time ensuring that it is packed with as much information as possible. This means you get a valuable resource guide that can help you quickly and easily perform common tasks, solve problems, and implement advanced Windows technologies.
And here’s the excerpt from Chapter 7:
Using Active Directory
- Introducing Active Directory
- Working with Domain Structures
- Working with Active Directory Domains
- Understanding the Directory Structure
- Using the Active Directory Recycle Bin
Active Directory Domain Services (AD DS) is an extensible and scalable directory service that you can use to efficiently manage network resources. As an administrator, you need to be deeply familiar with how Active Directory technology works, and that’s exactly what this chapter is about. If you haven’t worked with Active Directory technology before, you’ll notice immediately that the technology is fairly advanced and has many features. To help manage this complex technology, I’ll start with an overview of Active Directory and then explore its
Introducing Active Directory
Since Windows 2000, Active Directory has been the heart of Windows-based domains. Just about every administrative task you perform affects Active Directory in some way. Active Directory technology is based on standard Internet protocols and is designed to help you clearly define your network’s structure.
Active Directory and DNS
Active Directory uses Domain Name System (DNS). DNS is a standard Internet service that organizes groups of computers into domains. DNS domains are organized into a hierarchical structure. The DNS domain hierarchy is defined on an Internet-wide basis, and the different levels within the hierarchy identify computers, organizational domains, and top-level domains. DNS is also used to map host names, such as zeta.microsoft.com, to numeric TCP/IP addresses, such as 192.168.19.2. Through DNS, an Active Directory domain hierarchy can also be defined on an Internet-wide basis, or the domain hierarchy can be separate from the Internet and private.
When you refer to computer resources in a DNS domain, you use a fully qualified domain name (FQDN), such as zeta.microsoft.com. Here, zeta represents the name of an individual computer, microsoft represents the organizational domain, and com is the top-level domain. Top-level domains (TLDs) sit at the top of the DNS hierarchy, directly below the root. TLDs are organized geographically by using two-letter country codes, such as ca for Canada; by organization type, such as com for commercial organizations; and by function, such as mil for U.S. military installations.
Normal domains, such as microsoft.com, are also referred to as parent domains because they’re the parents of an organizational structure. You can divide parent domains into subdomains, which you can then use for different offices, divisions, or geographic locations. For example, the FQDN for a computer at Microsoft’s Seattle office could be designated as jacob.seattle.microsoft.com. Here, jacob is the computer name, seattle is the subdomain, and microsoft.com is the parent domain. Another term for a subdomain is a child domain.
DNS is an integral part of Active Directory technology—so much so that you must configure DNS on the network before you can install Active Directory. Working with DNS is covered in Chapter 20, “Optimizing DNS.”
With Windows Server 2008 R2, you install Active Directory in a two-part process. First you use the Add Roles Wizard to add the Active Directory Domain Services role to the server. Then you run the Active Directory Installation Wizard (click Start, type dcpromo in the Search field, and then press Enter). If DNS isn’t already installed, you are prompted to install it. If no domain exists, the wizard helps you create a domain and configure Active Directory in the new domain. The wizard can also help you add child domains to existing domain structures. To verify that a domain controller is installed correctly, you can:
- Check the Directory Service event log for errors.
- Ensure that the SYSVOL folder is accessible to clients.
- Verify that name resolution is working through DNS.
- Verify the replication of changes to Active Directory.
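The four checks above, scripted as one post-promotion test. This is an added example and not code from the book; it assumes PowerShell 2.0 on the new Windows Server 2008 R2 domain controller with the built-in nslookup and dcdiag tools, and the parameter defaults are placeholders for your own DC and domain name.

```powershell
# Added example (not from the book): post-promotion checks for a new domain controller.
# Assumes PowerShell 2.0 on Windows Server 2008 R2 plus the built-in nslookup and dcdiag.
function Test-NewDomainController {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # placeholder: your new DC
        [string]$DomainName       = $env:USERDNSDOMAIN   # placeholder: its DNS domain
    )
    $result = @{}

    # 1. Directory Service event log: Critical (1) or Error (2) events since the last boot
    #    point at a promotion that did not finish cleanly.
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $DomainController
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)
    $dsErrors = @(Get-WinEvent -ComputerName $DomainController `
        -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $boot } `
        -ErrorAction SilentlyContinue)
    $result['DirectoryServiceLogClean'] = ($dsErrors.Count -eq 0)

    # 2. SYSVOL must be shared and reachable over the network; clients read Group Policy from it.
    $result['SysvolReachable'] = Test-Path "\\$DomainController\SYSVOL\$DomainName\Policies"

    # 3. DNS: the DC has to register its LDAP SRV record, otherwise clients cannot locate it.
    $srv     = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" 2>$null
    $pattern = 'svr hostname\s*=\s*' + [regex]::Escape($DomainController)
    $result['SrvRecordRegistered'] = [bool](($srv -join "`n") -match $pattern)

    # 4. Replication and advertising: dcdiag /q prints only failures, so no output is a pass.
    $diag = dcdiag /s:$DomainController /test:Advertising /test:Replications /test:SysVolCheck /q
    $result['DcdiagClean'] = (@($diag | Where-Object { $_ -match '\S' }).Count -eq 0)

    return $result
}

$checks = Test-NewDomainController
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-26} {1}' -f $_.Name, $_.Value }
if ($checks.Values -contains $false) {
    Write-Warning 'One or more checks failed; do not put this DC into service yet.'
}
```

Run it from an elevated prompt on the new DC shortly after the post-promotion reboot. A failed SRV check on a DC that otherwise looks healthy usually means the DNS zone is not accepting dynamic updates or the DC is pointing at the wrong DNS server; fix that before chasing replication errors, because the replication partners locate each other through the same records.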
Note In the rest of this chapter, I’ll use the terms directory and domains to refer to Active Directory and Active Directory domains, respectively, except when I need to distinguish Active Directory structures from DNS or other types of directories.
Read-Only Domain Controller Deployment
As discussed in Chapter 1, “Windows Server 2008 R2 Administration Overview,” domain controllers running Windows Server 2008 R2 can be configured as read-only domain controllers (RODCs). When you install the DNS Server service on an RODC, the RODC can act as a read-only DNS (RODNS) server. In this configuration, the following conditions are true:
- The RODC replicates the application directory partitions that DNS uses, including the ForestDNSZones and DomainDNSZones partitions. Clients can query an RODNS server for name resolution. However, the RODNS server does not support client updates directly because the RODNS server does not register resource records for any Active Directory–integrated zone that it
- When a client attempts to update its DNS records, the server returns a referral. The client can then attempt to update against the DNS server that is provided in the referral. Through replication in the background, the RODNS server then attempts to retrieve the updated record from the DNS server that made the update. This replication request is only for the changed DNS record. The entire list of data changed in the zone or domain is not replicated during this special request.
The first Windows Server 2008 R2 domain controller installed in a forest or domain cannot be an RODC. However, you can configure subsequent domain controllers as read-only. For planning purposes, keep the following in mind:
- Prior to adding AD DS to a server that is running Windows Server 2008 R2 in a Windows Server 2003 or Windows 2000 Server forest, you must update the schema on the schema operations master in the forest by running adprep
- Prior to adding AD DS to a server that is running Windows Server 2008 R2 in a Windows Server 2003 or Windows 2000 Server domain, you must update the infrastructure master in the domain by running adprep /domainprep
- Prior to installing AD DS to create your first RODC in a forest, you must prepare the forest by running adprep /rodcprep.
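Before promoting a Windows Server 2008 R2 DC (or the first RODC) into an older forest, it helps to read the markers adprep leaves behind rather than guess which of the three steps already ran. The script below is an added example, not code from the book; it uses the [ADSI] accelerator so it works from PowerShell 2.0 without the Active Directory module. Schema objectVersion 47 is the documented Windows Server 2008 R2 value; the revision numbers are the values I expect adprep for 2008 R2 to write into the ForestUpdates and DomainUpdates containers and should be confirmed against Microsoft’s adprep documentation before you rely on them.

```powershell
# Added example (not from the book): report whether adprep /forestprep, /domainprep and
# /rodcprep have run, by reading the objects those commands update. Works with [ADSI]
# alone, so it runs on PowerShell 2.0 without the Active Directory module.
function Get-ADPrepState {
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = $root.schemaNamingContext.Value
    $config = $root.configurationNamingContext.Value
    $domain = $root.defaultNamingContext.Value

    # Read an integer attribute, or return $null when the object does not exist yet
    # (the [ADSI] bind is lazy; the failure surfaces on the first Get()).
    function Read-IntAttribute([string]$Path, [string]$Attribute) {
        try   { [int]([ADSI]$Path).Get($Attribute) }
        catch { $null }
    }

    $state = New-Object PSObject -Property @{
        SchemaVersion      = Read-IntAttribute "LDAP://$schema" 'objectVersion'
        ForestPrepRevision = Read-IntAttribute "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$config" 'revision'
        DomainPrepRevision = Read-IntAttribute "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domain" 'revision'
        RodcPrepRevision   = Read-IntAttribute "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$config" 'revision'
    }

    # Expected markers for Windows Server 2008 R2. objectVersion 47 is documented; the
    # revision values are assumed and should be verified against Microsoft's adprep notes.
    $expected = @{ SchemaVersion = 47; ForestPrepRevision = 5; DomainPrepRevision = 5; RodcPrepRevision = 2 }
    foreach ($name in $expected.Keys) {
        # -ge rather than -eq: a forest already prepared for a later release is also ready.
        $ready = ($state.$name -ne $null) -and ($state.$name -ge $expected[$name])
        $state | Add-Member NoteProperty "${name}Ready" $ready
    }
    return $state
}

Get-ADPrepState | Format-List
```

Run it as a domain user against any writable DC; nothing here needs Schema Admins rights because it only reads. If SchemaVersionReady is true but ForestPrepReady is false, the schema extension finished but the forest-wide updates did not, which is exactly the half-done state that makes dcpromo fail with a confusing error, so rerun adprep /forestprep on the schema master before retrying.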
New Active Directory Features
Active Directory Domain Services in Windows Server 2008 R2 has many new features that give administrators additional options for implementing and managing Active Directory. When you are using Windows Server 2008 R2 and have deployed the operating system on all domain controllers throughout the domains in your Active Directory forest, your domains can operate at the Windows Server 2008 R2 domain functional level, and the forest can operate at the Windows Server 2008 R2 forest functional level. These operating levels allow you to take advantage of Active Directory enhancements that improve manageability, performance, and supportability, including the following:
- Active Directory Recycle Bin Allows administrators to undo the accidental deletion of Active Directory objects in much the same way as they can recover deleted files from the Windows Recycle Bin. For more information, see “Using the Active Directory Recycle Bin” later in this chapter.
- Managed service accounts Introduces a special type of domain user account for managed services that reduces service outages and other issues by having Windows manage the account password and related Service Principal Names (SPNs) automatically. For more information, see “Implementing Managed Accounts” in Chapter 10.
- Managed virtual accounts Introduces a special type of local computer account for managed services that provides the ability to access the network with a computer identity in a domain environment. For more information, see “Using Virtual Accounts” in Chapter 10.
Real World Technically, you can use managed service accounts and managed virtual accounts in a mixed-mode domain environment. However, you must update the Active Directory schema for Windows Server 2008 R2 and you have to manually manage SPNs for managed service accounts.
- Authentication Mechanism Assurance Improves the authentication process by allowing administrators to control resource access based on whether a user logs on using a certificate-based logon method. Thus, an administrator can specify that a user has one set of access permissions when logged on using a smart card and a different set of access permissions when not logged on using a smart card.
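The managed service account bullet and the Real World note that follows it describe a two-stage procedure (create and bind the account in the directory, then install it on the host) with one caveat: below the Windows Server 2008 R2 domain functional level the SPNs are your problem. The script below is an added example and not code from the book; it assumes the Active Directory module on Windows Server 2008 R2 and uses hypothetical names (the account svc-web, the host WEB01 and the W3SVC service).

```powershell
# Added example (not from the book): create a managed service account, bind it to one
# host, and flag the mixed-mode caveat where SPN upkeep is manual. Names are hypothetical.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$msaName  = 'svc-web'                          # hypothetical MSA name
$hostName = 'WEB01'                            # hypothetical web server
$spn      = "HTTP/web01.$($domain.DNSRoot)"    # SPN the service presents to clients

# Stage 1 (any machine with the AD module): create the MSA in its default container.
# Windows generates the password and rotates it every 30 days; no administrator ever sees it.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Path "CN=Managed Service Accounts,$($domain.DistinguishedName)" `
    -ServicePrincipalNames $spn

# Only this computer may retrieve the MSA password from the directory; an attacker who
# owns a different host cannot pull it, which is the point of binding to a single host.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Mixed-mode caveat from the text: automatic SPN upkeep (after a host rename or DNS host
# name change) needs the Windows Server 2008 R2 domain functional level. Below that, you
# maintain the SPNs yourself, so record what is registered now and revisit it on changes.
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    Write-Warning "Domain is at $($domain.DomainMode): SPNs for $msaName are maintained by hand."
    setspn -L "$($domain.NetBIOSName)\$msaName`$"
}

# Stage 2 (on WEB01 itself, with the AD module installed there):
#   Install-ADServiceAccount -Identity svc-web
#   Test-ADServiceAccount    -Identity svc-web      # True once the host can fetch the password
#   sc.exe config W3SVC obj= "CONTOSO\svc-web$" password= ""
# The blank password is correct: the host retrieves the real one from the directory itself.

# Verify from the directory side: enabled, bound to exactly the intended host, SPN present.
Get-ADServiceAccount -Identity $msaName -Properties ServicePrincipalNames, HostComputers |
    Select-Object Name, Enabled, ServicePrincipalNames, HostComputers
```

The security win over a conventional service account is not just the rotation: because only WEB01 can read the password, a credential dumped from any other box is useless, and the account cannot be used for an interactive logon at all. The thing to watch is the SPN in mixed mode; a stale SPN silently pushes clients from Kerberos down to NTLM.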
Other improvements don’t require that you raise domain or forest functional levels, but they do require that you use Windows Server 2008 R2. These include:
- Offline domain join Allows administrators to preprovision computer accounts in the domain to prepare operating systems for deployment. This allows computers to join a domain without having to contact a domain
- Active Directory module for Windows PowerShell Provides cmdlets for managing Active Directory when you are working with Windows PowerShell. A related option is on the Administrative Tools menu.
- Active Directory Administrative Center Provides a task-oriented interface for managing Active Directory. A related option is on the Administrative
- Active Directory Web Services Introduces a Web service interface for Active Directory domains.
These features are discussed in more detail in Chapter 8, “Core Active Directory Administration.” Also keep in mind that you must prepare Active Directory schema for the Active Directory Recycle Bin. The preparation procedures are the same as those discussed for RODCs in the previous section.
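The Recycle Bin is the one feature in the list above that you can only switch on once, so the preconditions (schema prepared, forest at the 2008 R2 level) are worth checking in code before you commit. The script below is an added example and not code from the book; it assumes the Active Directory module on Windows Server 2008 R2 and a hypothetical deleted user, jsmith, and it goes one step past the chapter’s overview by handling the case where the object’s original OU was deleted too.

```powershell
# Added example (not from the book): enable the Active Directory Recycle Bin (irreversible),
# then restore a deleted user, including the case where its parent OU is gone as well.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$config = (Get-ADRootDSE).configurationNamingContext

# Precondition: every DC must already run 2008 R2 and the forest must be at that level.
# Get-ADForest reads the level that the prepared schema and raised forest mode expose.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest is at $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Enable only if it is not already on; there is no way to turn it off again.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# How long a deleted object stays fully restorable (msDS-DeletedObjectLifetime; 180 days
# by default). After that it becomes a recycled object and only the GUID survives.
$dsSettings = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
    -Properties 'msDS-DeletedObjectLifetime'
"Deleted objects are restorable for $($dsSettings.'msDS-DeletedObjectLifetime') days."

# Locate the deleted user. Deleted objects are only returned with -IncludeDeletedObjects,
# and lastKnownParent tells us where Restore-ADObject will try to put it back.
$sam = 'jsmith'    # hypothetical
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $sam } `
    -IncludeDeletedObjects -Properties lastKnownParent
if ($deleted -eq $null) { throw "No deleted object with sAMAccountName $sam was found." }

# If the original OU was deleted too, lastKnownParent points into Deleted Objects and a
# plain restore fails. Either restore the OU first or restore the user somewhere else.
$parentDn = $deleted.lastKnownParent
try   { Get-ADObject -Identity $parentDn | Out-Null; $parentExists = $true }
catch { $parentExists = $false }

if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
} else {
    Write-Warning "Original container $parentDn is gone; restoring into the Users container."
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath "CN=Users,$($domain.DistinguishedName)"
}

# The restored object comes back with its SID, group memberships and attributes intact,
# which is what distinguishes this from a tombstone reanimation.
Get-ADUser -Identity $sam -Properties MemberOf | Select-Object DistinguishedName, Enabled, MemberOf
```

Two points a practitioner should keep in mind: enabling the feature raises the size of the directory because deleted objects keep all their attributes for the whole deleted-object lifetime, and the ability to restore is itself a privilege, since whoever can run Restore-ADObject can bring back an account, SID history and group memberships included, so audit that right as you would a password reset.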
We hope you find this book very useful!