Administer Windows Server LU2


LEARNING UNIT 2 - PROMOTE THE SERVER TO A DOMAIN CONTROLLER

Learning Outcomes:
2.1. Describe active directory services
2.2. Install active directory
2.3. Manage user, group, and organization unit

Learning hours: 15 Hours

Learning Outcome 2.1: Describe active directory services

2.1.1 Describe active directory

2.1.1.1 Define an Active Directory.

The Active Directory service is a distributed database that stores and manages information
about network resources, as well as application-specific data from directory-enabled
applications. Active Directory allows administrators to organize objects of a network (such as
users, computers, and devices) into a hierarchical collection of containers known as the logical
structure. The top-level logical container in this hierarchy is the forest. Within a forest are
domain containers, and within domains are organizational units.

Active Directory (AD) is a distributed database that stores objects in a hierarchical, structured,
and secure format. AD's objects typically represent users, computers, peripheral devices, and
network services. Each object is uniquely identified by its name and attributes. The domain,
the forest, and the tree represent logical divisions of an AD infrastructure.

Active Directory is a technology that holds information about all the objects in an organization's
network.

It is software that arranges and stores that information and grants access and permissions based
on it.

Active Directory information is used to authenticate and authorize the users, computers and
resources that are part of a network.

In Windows 2000 Server and Windows Server 2003, the directory service is named Active
Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is
named Active Directory Domain Services (AD DS). The rest of this topic refers to Active
Directory, but the information is also applicable to Active Directory Domain Services.

1|Page Year 2 A&B, IPRC Tumba By Delphine B.

2.1.1.2 What is an object?

An object is a physical entity on the network, such as a user, a computer, or a resource like a
printer, a shared folder or a file.

An AD DS object is described by a set of attributes. Objects are characterised by attributes
such as Name, Location, Department, etc.

2.1.1.3 Advantages of an active directory

Highly secure: with Active Directory it is possible to have layered security, that is, security
policies and permissions applied at different levels.

Centralized auditing makes it easier to track important security events.

Easy to deploy: objects can be located anywhere physically and still securely access domain
and network resources.

Effective and efficient: an easy and efficient search mechanism locates objects. With centralized
storage of user information, backup and restore become a lot more efficient.

Scalable: millions of users can be added to a single domain, which makes AD DS highly scalable
and readily extensible.

Flexible: ability to create trust relationships with external networks running previous versions
of Active Directory and even UNIX.

2.1.2 Active directory Roles

Active Directory is the central repository in which all objects in an enterprise and their
respective attributes are stored. It's a hierarchical, multi-master enabled database that can store
millions of objects. Changes to the database can be processed at any given domain controller
(DC) in the enterprise, regardless of whether the DC is connected or disconnected from the
network.



Multi-master model

Active Directory is flexible in that a change can be made at any domain controller in the
organization, but this can create a problem when the data is replicated. Windows provides a
conflict-resolution algorithm that checks which change was written last: the last writer wins and
the other conflicting changes are discarded.

This method is not suitable for every kind of change. That is why the single-master model was
introduced.

For certain types of changes, Windows incorporates methods to prevent conflicting Active
Directory updates from occurring.

Single-master model

To prevent conflicting updates in Windows, the Active Directory performs updates to certain
objects in a single-master fashion. In a single-master model, only one DC in the entire directory
is allowed to process updates. It's similar to the role given to a primary domain controller (PDC)
in earlier versions of Windows, such as Microsoft Windows NT 3.51 and 4.0. In earlier versions
of Windows, the PDC is responsible for processing all updates in a given domain.

Active Directory extends the single-master model found in earlier versions of Windows to
include multiple roles, and the ability to transfer roles to any DC in the enterprise. Because an
Active Directory role isn't bound to a single DC, it's referred to as a Flexible Single Master
Operation (FSMO) role. Currently in Windows there are five FSMO roles:

• Schema Master – one per forest
• Domain Naming Master – one per forest
• Relative ID (RID) Master – one per domain
• Primary Domain Controller (PDC) Emulator – one per domain
• Infrastructure Master – one per domain



The Schema Master role manages the read-write copy of your Active Directory schema. The
AD Schema defines all the attributes – things like employee ID, phone number, email address,
and login name – that you can apply to an object in your AD database.

The schema master FSMO role holder is the DC responsible for performing updates to the
directory schema, that is, the schema naming context or
LDAP://cn=schema,cn=configuration,dc=<domain>. This DC is the only one that can process
updates to the directory schema. Once the Schema update is complete, it's replicated from the
schema master to all other DCs in the directory. There's only one schema master per forest.

Initial replication and connectivity requirements

This FSMO role holder is only active when the role owner has inbound replicated the
schema NC successfully since the Directory Service started.

DCs and members of the forest only contact the FSMO role when they update the schema.

Domain Naming Master: The Domain Naming Master makes sure that you don’t create a
second domain in the same forest with the same name as another. It is the master of your domain
names. Creating new domains isn’t something that happens often, so of all the roles, this one
is most likely to live on the same DC with another role.

The domain naming master FSMO role holder is the DC responsible for making changes
to the forest-wide domain name space of the directory, that is, the
Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration,
DC=<domain>. This DC is the only one that can add or remove a domain from the
directory. It can also add or remove cross references to domains in external directories.

Initial replication and connectivity requirements

This FSMO role holder is only active when the role owner has inbound replicated the
configuration NC successfully since the Directory Service started.

Domain members of the forest only contact the FSMO role holder when they update the
cross-references. DCs contact the FSMO role holder when:

• Domains are added or removed in the forest.
• New instances of application directory partitions on DCs are added. For example, a DNS
server has been enlisted for the default DNS application directory partitions.

RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different
DCs they can use for newly created objects. Each object in AD has an SID, and the last few
digits of the SID are the Relative portion. In order to keep multiple objects from having the
same SID, the RID Master grants each DC the privilege of assigning certain SIDs.

The RID master FSMO role holder is the single DC responsible for processing RID Pool
requests from all DCs within a given domain. It's also responsible for removing an object from
its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user or group, it attaches a unique
Security ID (SID) to the object. This SID consists of:

• A domain SID that's the same for all SIDs created in a domain.
• A relative ID (RID) that's unique for each security principal SID created in a domain.

Each Windows DC in a domain is allocated a pool of RIDs that it's allowed to assign to the
security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool, and assigns
them to the pool of the requesting DC. There's one RID master per domain in a directory.

Initial replication and connectivity requirements

This FSMO role holder is active only when the role owner has inbound replicated the
domain NC successfully since the Directory Service started.

DCs contact the FSMO role holder when they retrieve a new RID pool. The new RID
pool is delivered to DCs through AD replication.

PDC (Primary Domain Controller) emulator FSMO role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.
All Windows-based computers within an enterprise use a common time. The purpose of the time
service is to ensure that the Windows Time service uses a hierarchical relationship that controls
authority. It doesn't permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root
of the forest becomes authoritative for the enterprise, and should be configured to gather the
time from an external source. All PDC FSMO role holders follow the hierarchy of domains in
the selection of their in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

• Password changes done by other DCs in the domain are replicated preferentially to the
PDC emulator. When authentication failures occur at a given DC because of an incorrect
password, the failures are forwarded to the PDC emulator before a bad password failure
message is reported to the user.
• Account lockout is processed on the PDC emulator.
• The PDC emulator performs all of the functionality that a Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary under the following situation:
All workstations, member servers, and domain controllers (DCs) that are running Windows NT
4.0 or earlier are all upgraded to Windows 2000.

The PDC emulator still does the other functions as described in a Windows 2000 environment.

Initial replication and connectivity requirements

This FSMO role holder is always active when the PDC emulator finds the
fSMORoleOwner attribute of the domain NC head points to itself. There is no inbound
replication requirement.

DCs contact the FSMO role holder when they have a new password, or the local password
verification fails. No error occurs when the PDC emulator can't be reached or the
AvoidPdcOnWan registry value is set to 1.



Infrastructure Master: When an object in one domain is referenced by another object in
another domain, it represents the reference as a dsname. There is one Infrastructure FSMO role
per domain and application NC in a directory.

When the Recycle Bin optional feature is not enabled, the Infrastructure FSMO role owner is
the DC responsible for updating a cross-domain object reference in the event that the referenced
object is moved, renamed, or deleted. In this case, the Infrastructure Master role must be held
by a domain controller that is not a GC server. If the Infrastructure Master runs on a GC server,
it will not update object information, because it does not contain any references to objects that
it does not hold. This is because a GC server holds a partial replica of every object in the forest.

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its
cross-domain object references in the event that the referenced object is moved, renamed, or
deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is
not important which domain controller owns the Infrastructure Master role.

When an object in one domain is referenced by another object in another domain, it represents
the reference by:

• The GUID
• The SID (for references to security principals)
• The DN of the object being referenced

The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.

If all the domain controllers in a domain also host the GC, then all the domain controllers have
the current data, and it is not important which domain controller owns the Infrastructure Master
(IM) role.
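The five role holders and the placement rules above can be checked from any domain-joined machine. The following PowerShell is an added example written for these notes, not part of the original material: it assumes the ActiveDirectory RSAT module is installed and that the session has ordinary domain read rights. All names come from the live forest; nothing is hard-coded.

```powershell
# Added example (not from the course notes): inventory the five FSMO role holders,
# check the Infrastructure Master placement rule, and ask the PDC emulator for its
# time source. Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one holder per forest) and domain-wide roles (one per domain)
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } } |
    Format-Table -AutoSize

# Infrastructure Master rule from the text: it must not run on a global catalog (GC)
# server unless the Recycle Bin optional feature is enabled or every DC is a GC.
$recycleBin        = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
$recycleBinEnabled = $recycleBin.EnabledScopes.Count -gt 0

$dcs         = Get-ADDomainController -Filter *
$allDcsAreGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imDc        = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }

if ($imDc.IsGlobalCatalog -and -not $recycleBinEnabled -and -not $allDcsAreGc) {
    Write-Warning ("Infrastructure Master {0} is a GC: cross-domain references will not be updated." `
        -f $domain.InfrastructureMaster)
} else {
    Write-Output "Infrastructure Master placement is acceptable (RecycleBin=$recycleBinEnabled, AllDCsGC=$allDcsAreGc)."
}

# PDC emulator: the top of the time hierarchy for the domain. Its time source should be
# an external source at the forest root, or the parent domain's PDC in a child domain.
w32tm /query "/computer:$($domain.PDCEmulator)" /source
```

Run this after any DC is demoted or a role is transferred: a role holder that points at a decommissioned server is the usual cause of "schema master unavailable" or RID pool exhaustion errors later on.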

2.1.3 Active Directory components

There are two main kinds of component: logical components and physical components.



Logical components are structures that you use to implement an AD DS design that is
appropriate for an organization.

Below are logical components

✓ A partition, or naming context, is a portion of the AD DS database. Although the
database consists of one file named Ntds.dit, different partitions contain different data.
For example, the schema partition contains a copy of the Active Directory schema. The
configuration partition contains the configuration objects for the forest, and the domain
partition contains the users, computers, groups, and other objects specific to the domain.
Active Directory stores copies of partitions on multiple domain controllers and updates
them through directory replication.

✓ A schema is the set of definitions of the object types and attributes that you use to
define the objects created in AD DS.
✓ A domain is a logical administrative container for objects such as users and computers.
A domain maps to a specific partition and you can organize the domain with parent-
child relationships to other domains. There is no limit on the number of objects that can be
contained in a domain, and objects need not be in the same physical location. The
domain controller is the domain's supreme authority; it is responsible for all the
authentication, authorization, additions, deletions, edits and modifications inside a domain.



✓ A domain tree is a hierarchical collection of domains that share a common root domain
and a contiguous Domain Name System (DNS) namespace.
✓ Forest: the top level and the highest security boundary; a forest is a complete AD
instance. A forest contains objects such as domains, users, computers, printers and other
network resources. A forest can contain one or more domains, or a combination of domains
and domain trees. The schema, or design, of AD is consistent throughout the forest.
✓ An Organization Unit (OU) is a container object for users, groups, and computers that
provides a framework for delegating administrative rights and administration by linking
Group Policy Objects (GPOs).
✓ A container is an object that provides an organizational framework for use in AD DS.
You can use the default containers, or you can create custom containers. You can't link
GPOs to containers.

Physical components:

Physical components in AD DS are those objects that are tangible, or that describe
tangible components in the real world.

✓ A domain controller contains a copy of the AD DS database. For most operations,
each domain controller can process changes and replicate the changes to all the other
domain controllers in the domain.
✓ Data store: A copy of the data store exists on each domain controller. The AD DS
database uses Microsoft Jet database technology and stores the directory information in
the Ntds.dit file and associated log files. The C:\Windows\NTDS folder stores these
files by default.
✓ A global catalog server is a domain controller that hosts the global catalog, which is a
partial, read-only copy of all the objects in a multiple-domain forest. A global catalog
speeds up searches for objects that might be stored on domain controllers in a different
domain in the forest.
✓ Read-only domain controller (RODC): An RODC is a special, read only installation
of AD DS. RODCs are common in branch offices where physical security is not
optimal, IT support is less advanced than in the main corporate centers, or line-of-
business applications need to run on a domain controller.



✓ A site is a container for AD DS objects, such as computers and services that are specific
to a physical location. This is in comparison to a domain, which represents the logical
structure of objects, such as users and groups, in addition to computers.
✓ A subnet is a portion of the network IP addresses of an organization assigned to
computers in a site. A site can have more than one subnet.
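The physical components listed above can be enumerated from the directory itself. The following PowerShell is an added example for these notes, not part of the original material; it assumes the ActiveDirectory RSAT module is installed, and the registry part only returns a result when run on a domain controller, where the NTDS service parameters exist.

```powershell
# Added example (not from the course notes): list the physical components of the
# current domain: domain controllers (with GC and RODC status), sites with their
# subnets, the data store location, and the partitions held in it.
Import-Module ActiveDirectory

# Domain controllers: which site each belongs to, whether it is a GC, whether it is an RODC
Get-ADDomainController -Filter * |
    Select-Object Name, HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Sort-Object Site, Name |
    Format-Table -AutoSize

# Sites and the subnets mapped to each site (a site can have more than one subnet)
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
    [pscustomobject]@{
        Site    = $site.Name
        Subnets = if ($siteSubnets) { $siteSubnets.Name -join ', ' } else { '(none mapped)' }
    }
}

# Data store: the NTDS service records where Ntds.dit and its log files live
# (C:\Windows\NTDS by default). Only present on a domain controller.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsParams) {
    Get-ItemProperty -Path $ntdsParams |
        Select-Object 'DSA Database file', 'Database log files path'
} else {
    Write-Output 'Not a domain controller: no local Ntds.dit.'
}

# Partitions (naming contexts) in that database: domain, configuration, schema and any
# application partitions such as DomainDnsZones / ForestDnsZones
(Get-ADRootDSE).namingContexts
```

A subnet that appears under "(none mapped)" or a client address that matches no subnet is worth fixing: such clients fall back to any DC in the forest instead of one in their own site.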

Other components

✓ User component
Contains information about users, such as their first, middle and last names and their login
credentials. For example, say Aroma, Paul and Alex are employees of an organization;
a user object can then be created for each of them. This object stores various properties
of the user, such as their name, the manager they report to and their subordinates.
✓ Contact component
Contains contact information about any person associated with the organization, such as a
supplier's telephone number or mail address. For example, an organization might want
to store details of people who are not directly associated with the organization, such as
people who help in network maintenance or suppliers. These people usually do not
need to be given access to AD; only their details need to be stored, in this case their name
and contact information, and this can be done with a contact object.
✓ Group component: a collection of Active Directory objects. The group can include
users, computers, other groups and other AD objects. Administrators can manage the
group as a single object, which helps to simplify network maintenance and administration.

2.1.4 Active directory structure

What Are Domains and Forests? Define AD DS forests and domains - Learn | Microsoft Docs

Understanding domains and forests requires understanding the possible relationships
they might have in Active Directory. The relationships between these logical containers
might be based on administrative requirements, such as delegation of authority, or they
might be defined by operational requirements, such as the need to provide for data
isolation. Service administrators can use domain and forest containers to meet a
number of specific requirements, including:

• Implementing an authentication and authorization strategy for sharing resources
across a network
• Providing a mechanism for centralizing management of multiple domains and
forests
• Providing an information repository and services to make information available
to users and applications
• Organizing objects of a network (such as users, computers, devices,
resources, and application specific data from directory-enabled
applications) into a non-physical hierarchical structure

To learn more about domains and forests, you must first understand the logical and
physical structures of Active Directory. This section describes how those structures
differ, and defines domains and forests in terms of the logical structure.

The Logical Structure of Active Directory

Active Directory stores network object information and implements the services that
make this information available and usable to users. Active Directory presents this
information through a standardized, logical structure that helps you establish and
understand the organization of domains and domain resources in a useful way. This
presentation of object information is referred to as the logical structure because it is
independent of the physical aspects of the Active Directory infrastructure, such as
the domain controllers required for each domain in the network.

Benefits of the Logical Structure

The logical structure provides a number of benefits for deploying, managing, and
securing network services and resources. These benefits include:

• Increased network security. The logical structure can provide security
measures such as autonomy for individual groups or complete isolation of
specific resources.
• Simplified network management. The hierarchical nature of the logical
structure simplifies configuration, control, and administration of the network,
including managing user and group accounts and all network resources.
• Simplified resource sharing. The logical structure of domains and
forests and the relationships established between them can
simplify the sharing of resources across an organization.
• Low total cost of ownership. The reduced administration costs for network
management and the reduced load on network resources that can be achieved
with the Active Directory logical structure can significantly lower the total
cost of ownership.

An efficient Active Directory logical structure also facilitates the system integration
of features such as Group Policy, enabling desktop lockdown, software distribution,
and administration of users, groups, workstations, and servers. In addition, the
logical structure can facilitate the integration of services such as Exchange 2000,
public key infrastructure (PKI), and domain-based distributed file system (DFS).

Components of the Logical Structure

The logical structure consists of leaf object and container object components that
must conform to the hierarchical structure of an Active Directory forest. Leaf
objects are objects that have no child objects, and are the most basic component of
the logical structure. Container objects store other objects and occupy a specific
level within the forest hierarchy.

The relationships among the components of the logical structure control access to
stored data and determine how that data is managed across one or more domains
within a single forest.

The components that make up the Active Directory logical structure are described
in the following table.

Components of the Active Directory Logical Structure


The logical structure of Active Directory is flexible and provides a method for designing a
directory hierarchy that makes sense to both its users and those who manage it.

The logical structure of your organization is represented by the following Active Directory
components:

1. Organizational units

2. Domains

3. Trees

4. Forests

5. Objects

Component: Organizational Units
Description: Organizational units are container objects. You use these container objects to arrange
other objects in a manner that supports your administrative purposes. By arranging objects in
organizational units, you make it easier to locate and manage them. You can also delegate
the authority to manage an organizational unit. Organizational units can be nested in other
organizational units.
You can arrange objects that have similar administrative and security requirements into
organizational units. Organizational units provide multiple levels of administrative authority,
so that you can apply Group Policy settings and delegate administrative control.
This delegation simplifies the task of managing these objects and enables you to structure
Active Directory to fit your organization's requirements.

Component: Domains
Description: Domains are container objects. Domains are a collection of administratively defined objects
that share a common directory database, security policies, and trust relationships with other
domains. In this way, each domain is an administrative boundary for objects. A single domain
can span multiple physical locations or sites and can contain millions of objects.
A domain is a collection of computers and servers that are part of the same centralized
database.
Several kinds of domain exist: single domain, parent domain, child domain, domain tree, and
forest domain.

(Figure: Single domain, two sites)

• Parent domain - One domain above another in a domain tree.
• Child domain - One domain below another in a domain tree. The child inherits the
domain name of its parent in a DNS hierarchical naming convention. Example:
"iprctumba.rp.ac.rw"

(Figure: Current forest)



Component: Domain Trees
Description: Domain trees are collections of domains that are grouped together in hierarchical structures.
When you add a domain to a tree, it becomes a child of the tree root domain. The domain to
which a child domain is attached is called the parent domain.
A child domain might in turn have its own child domain. The name of a child domain is
combined with the name of its parent domain to form its own unique Domain Name System
(DNS) name such as Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.

In Windows, a domain can be a child of another domain (e.g., iprctumba.rp.ac.rw is a child
of rp.ac.rw). A child domain name always includes the complete parent domain name. A child
domain and its parent share a two-way transitive trust. A domain tree exists when one domain
is the child of another domain. A domain tree must have a contiguous namespace.

Component: Forests
Description: A forest is a complete instance of Active Directory. Each forest acts as a top-level container
in that it houses all domain containers for that particular Active Directory instance. A forest
can contain one or more domain container objects, all of which share a common logical
structure, global catalog, directory schema, and directory configuration, as well as automatic
two-way transitive trust relationships. The first domain in the forest is called the forest root
domain. The name of that domain refers to the forest, such as Nwtraders.msft.
By default, information in Active Directory is shared only within the forest. In this way, the
forest is a security boundary for the information that is contained in that instance of Active
Directory.



You might have several domain trees in your organization that need to share resources.
To solve this problem, you can join the trees to form a forest.

A forest is a collection of trees that do not necessarily form a contiguous namespace
(although each tree must be contiguous).

Component: Site Objects
Description: Sites are leaf and container objects. The sites container is the topmost object in the hierarchy
of objects that are used to manage and implement Active Directory replication. The sites
container stores the hierarchy of objects that are used by the Knowledge Consistency Checker
(KCC) to effect the replication topology. Some of the objects located in the sites container
include NTDS Site Settings objects, subnet objects, connection objects, server objects, and
site objects (one site object for each site in the forest). The hierarchy is displayed as the
contents of the Sites container, which is a child of the Configuration container.



By understanding the purpose and hierarchical structure of these components, you can
complete a variety of tasks, including installing, configuring, managing, and troubleshooting
Active Directory. Although the logical structure of Active Directory is a hierarchical
organization of all users, computers, and other physical resources, the forest and domain form
the basis of the logical structure.

Forests, which are the security boundaries of the logical structure, can be structured to
provide data and service autonomy and isolation in an organization in ways that can
both reflect site and group identities and remove dependencies on the physical
topology. Domains can be structured within a forest to provide data and service
autonomy (but not isolation) and to optimize replication with a given region.

This separation of logical and physical structures improves manageability and reduces
administrative costs because the logical structure is not impacted by changes in the
physical structure, such as the addition, removal, or reorganization of users and groups.

Note

• You can view and manage components of the logical structure by using the
Active Directory Users and Computers, Active Directory Domains and Trusts,
and Active Directory Schema Microsoft ManagementConsole (MMC) snap-ins,
and other tools.



Learning Outcome 2.2: Install active directory

2.2.1. Proper installation of active directory Domain Service based on windows server
version.

2.2.1.1 Using Windows PowerShell.

2.2.1.1.2. Installing Active Directory Domain Services and promoting the server to a domain
controller

Note: Before installing Active Directory, first rename the server and configure a static IP address.

Step 1. Install the role

Run command prompt (cmd) as an administrator. If you are on Server Core this is likely already
open. If it is not, hold Ctrl+Alt+Del and select Task Manager. Then choose File -> Run new
task, type cmd, select Run with administrative privileges and click OK or hit Enter.

Step 2. Enter PowerShell: type the word PowerShell and hit Enter

Step 3. Install the Active Directory Domain Services feature:

Type Install-WindowsFeature AD-Domain-Services -IncludeManagementTools and hit Enter

Step 4. You will see a progress bar as pictured below



Step 5. You should see the following output when the install is complete

Configuring Active Directory

Step 1. Install an Active Directory forest

Type Install-ADDSForest -DomainName YOURDOMAINHERE -InstallDNS and hit Enter



Step 2. Enter a password you would like to use for Directory Services Restore Mode (DSRM)
and hit Enter

Step 3. Type y and hit Enter (assuming the server can be rebooted at this time)



Step 4. The forest will be installed with the domain you specified; when this is complete the server
will reboot

Step 5. Confirm the new domain was created successfully



After the server reboots, log in and enter PowerShell again by typing PowerShell into Command
Prompt and hitting Enter.

Then type Get-ADDomain and hit Enter. This will show you information about your new
domain.

Step 6. You can also open Active Directory Users and Computers and you will see your new
domain listed.
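The same procedure, including the rename and static IP prerequisite from the note above, as one script. This is an added example written for these notes, not part of the original material; it performs through PowerShell the steps that section 2.2.2 performs through Server Manager. Every value marked PLACEHOLDER is constructed for illustration and must be replaced; the dry-run cmdlet Test-ADDSForestInstallation is added here to surface the wizard's warnings before anything is changed.

```powershell
# Added example (not from the course notes): promote a fresh Windows Server to the
# first domain controller of a new forest. Save as Promote-FirstDc.ps1 and run it
# from an elevated PowerShell until it prints the new domain: once before the
# rename reboot, once to promote, once after the promotion reboot to verify.

$NewName     = 'DC01'               # PLACEHOLDER: server name
$Interface   = 'Ethernet'           # PLACEHOLDER: adapter alias, see Get-NetAdapter
$StaticIP    = '192.0.2.10'         # PLACEHOLDER: RFC 5737 documentation address
$Gateway     = '192.0.2.1'          # PLACEHOLDER
$DomainName  = 'corp.example.test'  # PLACEHOLDER: forest root domain (FQDN)
$NetbiosName = 'CORP'               # PLACEHOLDER: NetBIOS domain name

# --- Stage 3 (after the promotion reboot): confirm the domain, as in Step 5 above ---
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
    Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, IsGlobalCatalog, Site
    return
}

# --- Stage 1: prerequisites from the note (static IP, then rename and reboot) ---
if ($env:COMPUTERNAME -ne $NewName) {
    Set-NetIPInterface -InterfaceAlias $Interface -Dhcp Disabled
    New-NetIPAddress -InterfaceAlias $Interface -IPAddress $StaticIP -PrefixLength 24 -DefaultGateway $Gateway
    # A DC resolves names against its own DNS service, which -InstallDns adds in stage 2
    Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $StaticIP
    Rename-Computer -NewName $NewName -Restart
    return   # run the script again after the reboot
}

# --- Stage 2, Step 3 above: install the role and the management tools ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# --- Stage 2, Configuring Active Directory Steps 1-3: new forest with DNS ---
# The DSRM password is prompted for once and never written to disk by this script.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

Import-Module ADDSDeployment
# Dry run: shows the warnings the wizard would show (for example the DNS delegation
# message the notes say can be ignored) without changing the server.
Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword

# -Force answers the reboot confirmation (the "y" of Step 3); the server restarts when done.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force
```

The DSRM password protects offline access to the whole directory database, so it is requested interactively rather than placed in the script, and the script is written so that it can be re-run safely at each stage instead of relying on the operator to pick up at the right step after a reboot.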



2.2.2 Install AD DS on Windows Server 2016 using Server Manager

Prerequisites

Before installing, there are a few prerequisites that our server must meet:

Rename your server.

Set a static IP address.

Have a DNS server installed on your network (or, while setting up your AD Forest, the setup
wizard will ask you to add the role to the same server where you are installing ADDS)

Step 1. Install ADDS (Active Directory Domain Services)

a) Open “Server Manager”.


b) Click on Start and then “Server Manager”, as shown below:



c) Click on “Add roles and features”.

d) Press “Next”.

e) Select “Role-based or feature-based installation” and press “Next”.

f) Leave the selection as default and press “Next”.

g) Check “Active Directory Domain Services”.
The wizard will let you know that some additional features are required for Active
Directory.
Check the “Include management tools (if applicable)” checkbox and press “Add
Features”.
Press “Next”.

h) At the next screen press “Next”.

i) Press “Next”.

j) Finally, press “Install”.

Promote to Domain Controller



Wait for the installation to finish.
Now it's time to promote the server to a domain controller and set up our AD forest.
From "Server Manager" (the notification flag at the top) select "Promote this server to a domain controller".

Choose "Add a new forest" and enter your "Root domain name".

Set the "Directory Services Restore Mode" password and press "Next".

Press "Next". You can safely ignore the DNS server message: a delegation cannot be created because
there is no parent zone yet, which is expected for a new forest.

Choose the NetBIOS domain name and press "Next".

Press "Next" at the following screen (the default database, log and SYSVOL paths).

Review your options and press "Next".

The warning messages shown by the prerequisites check can be safely ignored for a new forest. Press "Install".



Verifying

After the installation completes and the server reboots, you can log on as the domain Administrator of
the newly created AD forest (the server's local Administrator account, with its existing password, has
become DOMAIN\Administrator).

And, as you can see, we have a few newly installed consoles:



Learning Outcome 2.3: Manage user, group, and organization unit

2.3.1 Create user

Add User Accounts on Active Directory

1. Server Manager > Tools > Active Directory Users and Computers.

2. Right-click Users in the left tree and select New > User.

3. Input the full name and logon name for the new user.

4. Set an initial password for the new user (leave "User must change password at next logon"
ticked unless this is a service account, so the password known to the administrator is rotated on first use).

5. Check the contents you set and click the Finish button.

6. The new user is added.

36 | P a g e Year 2 A&B, IPRC Tumba By Delphine B.


Enabling or disabling a user account

In the left pane of ADUC, expand the folder containing the user account to be enabled/disabled.

Right-click the user account and click Enable Account or Disable Account.

Resetting a user account password

In the left pane of ADUC, expand the folder containing the user account whose password is to be
reset.

Right-click the user account and click Reset Password.

Type and confirm the password in the appropriate fields. Select other password-related options if
needed (for example "User must change password at next logon" and "Unlock the user's account").
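The same user lifecycle (create, disable/enable, reset the password) from the Active Directory module, so it can be scripted and audited. This is an added example and not part of the original handout; the OU Staff, the domain corp.example.local and the user jdoe are assumed names.

```powershell
# Added example, not from the original handout. Assumed: OU=Staff exists in corp.example.local.
Import-Module ActiveDirectory

$ou = 'OU=Staff,DC=corp,DC=example,DC=local'   # assumed target OU

# Initial password typed at the console so it never lands in a script or the shell history
$initial = Read-Host -AsSecureString 'Initial password for jdoe'

$user = @{
    Name                  = 'Jane Doe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = 'jdoe'                      # pre-Windows 2000 logon name
    UserPrincipalName     = 'jdoe@corp.example.local'   # user logon name shown in ADUC
    Path                  = $ou
    AccountPassword       = $initial
    ChangePasswordAtLogon = $true   # the admin knows the initial password, so force a rotation
    Enabled               = $true
}
New-ADUser @user

# Disable / enable (offboarding: disable first, delete later, so the SID and audit trail survive)
Disable-ADAccount -Identity 'jdoe'
Enable-ADAccount  -Identity 'jdoe'

# Helpdesk-style reset: -Reset does not require the old password
$new = Read-Host -AsSecureString 'New password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $new
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true   # "User must change password at next logon"
Unlock-ADAccount -Identity 'jdoe'                           # "Unlock the user's account"

# Verify: state and when the password was last set ($null = must change at next logon)
Get-ADUser -Identity 'jdoe' -Properties Enabled, LockedOut, PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet, PasswordExpired
```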



2.3.2 Creating a new group account

In the left pane of ADUC, right-click the folder where the group account is to be created.

Click New and then click Group.

Type in a suitable name for the group. For group scope, select one among domain local, global,
and universal. For group type, select either security (can be granted permissions) or distribution
(e-mail lists only, has no usable SID for permissions).

Click OK.

2.3.2.1 Adding a member to a group

In the left pane of ADUC, right click the folder containing the group account to which you want
to add a member.

Right click the group and click Properties.

Click the Members tab and then click Add.

Type in the name of the objects you want to add to the group.

Click OK.

2.3.2.2 Changing the group type or group scope

In the left pane of ADUC, right click the folder containing the group whose type or scope is to be
modified.

Right click the group and click Properties.

Select the required scope or type for the group.

Click Apply and OK.
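The three group procedures above (create, add members, change scope or type) in the Active Directory module, laid out as the usual role-group / resource-group nesting so the scope rules become visible. This is an added example and not part of the original handout; the OU, group names, share path and user jdoe are assumed.

```powershell
# Added example, not from the original handout. Assumed OU, group names and share are made up.
Import-Module ActiveDirectory
$ou = 'OU=Staff,DC=corp,DC=example,DC=local'

# Role group (global, security) holds people; resource group (domain local, security) holds the permission
New-ADGroup -Name 'Role-HR-Staff' -SamAccountName 'Role-HR-Staff' `
            -GroupScope Global -GroupCategory Security -Path $ou `
            -Description 'All HR employees'
New-ADGroup -Name 'ACL-HRShare-Modify' -SamAccountName 'ACL-HRShare-Modify' `
            -GroupScope DomainLocal -GroupCategory Security -Path $ou `
            -Description 'Modify on \\fs01\HR (assumed share)'

# Members: users into the role group, the role group into the resource group (AGDLP)
Add-ADGroupMember -Identity 'Role-HR-Staff'      -Members 'jdoe'
Add-ADGroupMember -Identity 'ACL-HRShare-Modify' -Members 'Role-HR-Staff'

# Who actually ends up with the permission, expanded through the nesting
Get-ADGroupMember -Identity 'ACL-HRShare-Modify' -Recursive | Select-Object SamAccountName, objectClass

# Changing scope: Global <-> Universal and Universal <-> DomainLocal are allowed; Global -> DomainLocal
# is not a direct conversion, so go through Universal. Universal groups replicate to every global catalog.
Set-ADGroup -Identity 'Role-HR-Staff' -GroupScope Universal
Set-ADGroup -Identity 'Role-HR-Staff' -GroupScope Global

# Changing type: a distribution group cannot be used in ACLs, so converting a security group to
# distribution silently stops every permission granted to it from applying. Check ACL use first.
Set-ADGroup -Identity 'Role-HR-Staff' -GroupCategory Distribution
Set-ADGroup -Identity 'Role-HR-Staff' -GroupCategory Security
```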



2.3.2.3 Creating a new computer account

In the left pane of ADUC, right-click the folder where the computer account is to be created.

Click New and then click Computer.

Type in a suitable name for the computer.

2.3.2.4 Resetting a computer account

In the left pane of ADUC, expand the folder containing the computer account to be reset.

Right-click the computer account, click Reset Account, and then click Yes to confirm.

Resetting discards the machine-account password, so the computer will no longer be able to
authenticate to the domain until it is rejoined (or its secure channel is repaired, for example with
Test-ComputerSecureChannel -Repair run on the computer itself).

2.3.3 Creating a new organizational unit (OU)

In the left pane of ADUC, right-click the domain name (or an existing OU, to nest the new one).

Click New and then click Organizational Unit.

Type in a suitable name for the OU. Leave "Protect container from accidental deletion" checked.

2.3.3.1 Deleting, copying and moving users, computers and OUs

In the left pane of ADUC, expand the folder where the object is located.

Right-click the object and select Delete, Copy or Move (Copy is offered for user objects only). An
OU that is protected from accidental deletion must first have that protection cleared on its Object
tab (shown when View > Advanced Features is enabled) before it can be deleted.
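The OU procedures above in the Active Directory module, including what happens when a protected OU is deleted. This is an added example and not part of the original handout; the domain corp.example.local, the OU names and the objects jdoe and WS01 are assumed.

```powershell
# Added example, not from the original handout. Assumed: corp.example.local, user jdoe, computer WS01.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Create OUs; protection from accidental deletion is the default, shown explicitly on the first
New-ADOrganizationalUnit -Name 'Staff' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path "OU=Staff,$domainDN"

# Move objects out of the default containers: Group Policy links to OUs, not to CN=Users / CN=Computers
Move-ADObject -Identity (Get-ADUser 'jdoe').DistinguishedName     -TargetPath "OU=Staff,$domainDN"
Move-ADObject -Identity (Get-ADComputer 'WS01').DistinguishedName -TargetPath "OU=Workstations,OU=Staff,$domainDN"

# Deleting a protected OU fails with "Access is denied": clear the flag, then delete recursively
$target = "OU=Workstations,OU=Staff,$domainDN"
try {
    Remove-ADOrganizationalUnit -Identity $target -Recursive -Confirm:$false
} catch {
    Write-Warning "Delete refused ($($_.Exception.Message)); clearing the protection flag"
    Set-ADOrganizationalUnit -Identity $target -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $target -Recursive -Confirm:$false
}

# With the AD Recycle Bin enabled (forest-wide and irreversible), deleted objects can be restored intact:
# Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties LastKnownParent |
    Select-Object Name, LastKnownParent
# Restore-ADObject -Identity <objectGUID of the entry to bring back>
```

The try/catch mirrors what the GUI makes you do by hand: the protection flag exists precisely so that a recursive delete of a populated OU is a two-step, deliberate action.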

2.3.4. Permission and Right


2.3.4.1 Assigning logon hours permission
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-
click Administrative Tools, and then double-click Active Directory Users and
Computers.

2. In the console tree, click Users.



Active Directory Users and Computers\domain node\Users

3. Right-click the user account, and then click Properties.

4. On the Account tab, click Logon Hours, and then set the permitted or denied logon
hours for the user.

Additional considerations

To perform this procedure, you must be a member of the Account Operators group, Domain
Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you
must have been delegated the appropriate authority. As a security best practice, consider using Run
as to perform this procedure.

Another way to open Active Directory Users and Computers is to click Start, click Run, and then
type dsa.msc.

To modify the logon hours for multiple users, press and hold down CTRL, and then click each
user. Right-click the selected users, and then click Properties. On the Account tab, click Logon
Hours, and then set the permitted or denied logon hours for the user.
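The Logon Hours grid in ADUC edits the logonHours attribute, a 21-byte bitmap of 168 bits (7 days x 24 hours, Sunday 00:00 first). Setting it from PowerShell is useful for bulk changes and makes the encoding visible. This is an added example and not part of the original handout; the functions New-LogonHoursMask and ConvertFrom-LogonHoursMask are written here for the demo, and the user jdoe is assumed.

```powershell
# Added example, not from the original handout. Helper functions are made up for this demo.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Build the 21-byte logonHours bitmap: bit index = day*24 + hour, day 0 = Sunday.
    param(
        [int[]]$Days,       # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,    # inclusive, 0-23
        [int]$EndHour       # exclusive, 1-24
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $mask[$bit -shr 3] = [byte]($mask[$bit -shr 3] -bor (1 -shl ($bit -band 7)))
        }
    }
    return ,$mask   # the comma keeps the array intact through the pipeline
}

function ConvertFrom-LogonHoursMask {
    # Human-readable view of a logonHours bitmap, one line per day.
    param([byte[]]$Mask)
    $names = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $hours = @(0..23 | Where-Object {
            $bit = $d * 24 + $_
            ($Mask[$bit -shr 3] -band (1 -shl ($bit -band 7))) -ne 0
        })
        $range = if ($hours.Count) { '{0:00}:00-{1:00}:00' -f $hours[0], ($hours[-1] + 1) } else { 'no logon' }
        '{0} {1}' -f $names[$d], $range
    }
}

# Monday to Friday, 08:00 to 17:59; everything else is denied
$mask = New-LogonHoursMask -Days (1..5) -StartHour 8 -EndHour 18
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $mask }

# Read it back and decode
$stored = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
ConvertFrom-LogonHoursMask -Mask $stored
```

Two caveats a practitioner should know: the attribute is documented as UTC-based and ADUC translates it into the local time zone of the workstation running the console, so a mask written raw from a non-UTC zone will appear shifted in the GUI unless you apply the offset yourself; and logon hours only stop new logons (the KDC refuses tickets), an existing session is only cut at the boundary if the policy "Network security: Force logoff when logon hours expire" is enabled.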

2.3.4.2. Deny a user to change password

1. Open the Active Directory Users and Computers snap-in.


2. In the left pane, right-click on the domain and select Find.
3. Select the appropriate domain beside In.
4. Beside Name, type the name of the user you want to modify and click Find Now.
5. In the Search Results, double-click on the user.
6. Click the Account tab.
7. Under Account options, check the box beside User cannot change password.
8. Click OK.



Using a command-line interface

> dsmod user <UserDN> -canchpwd no

2.3.4.3. Set a password to never expire

By default, domain users are required to change their passwords every 42 days, as defined by the
domain password policy (Default Domain Policy, "Maximum password age").

You can set the password to never expire for individual domain accounts in Windows Server 2016,
2012, 2008 and 2003. Do this only for accounts that genuinely cannot rotate, such as legacy service
accounts: the setting exempts the account from the domain policy, so the password stays valid until
someone changes it, and such accounts should be listed and reviewed regularly.

Before getting started, you can check when your domain account password is going to expire.

Just open the Command Prompt as administrator, type the following command and press Enter.

net user domain_account_name /domain

This will display your account information, including when you last changed your password, and
when it expires.

Method 1: Set Domain Account Password to Never Expire via GUI



Press the Windows logo key + R, type dsa.msc and press Enter to open Active Directory Users
and Computers Snap-in. Expand your domain and click Users in the left pane, you’ll see a list of
domain accounts on your server. Double-click on the user you would like to update.

In the Properties dialog, click the Account tab and check “Password never expires” under the
Account options section.

Click Apply and then OK.

Method 2: Set Domain Account Password to Never Expire via PowerShell. Click Start, click
Administrative Tools, and then click Active Directory Module for Windows PowerShell. After
importing the Active Directory module in PowerShell, you can type the following command to set
the domain account's password to never expire.

Replace pcunlocker with the name of your domain account:

Set-ADUser -Identity "pcunlocker" -PasswordNeverExpires $true

(Set-LocalUser only manages local accounts in one machine's SAM, not domain accounts; for a
domain account the cmdlet is Set-ADUser.)
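One script covering 2.3.4.2 and 2.3.4.3 together: check when a password expires, set the two account options from PowerShell, and list every account that has been exempted from expiry. This is an added example and not part of the original handout; the accounts jdoe and svc-backup are assumed.

```powershell
# Added example, not from the original handout. Assumed accounts: jdoe (user), svc-backup (service).
Import-Module ActiveDirectory

# When does the password expire? msDS-UserPasswordExpiryTimeComputed also honours fine-grained policies.
function Get-PasswordExpiry {
    param([string]$Identity)
    Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordNeverExpires,
        CannotChangePassword, 'msDS-UserPasswordExpiryTimeComputed' |
      Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, CannotChangePassword,
        @{ n = 'Expires'; e = {
            if ($_.PasswordNeverExpires) { 'never' }                      # value would be Int64.MaxValue
            else { [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') } } }
}
Get-PasswordExpiry -Identity 'jdoe'

# 2.3.4.2: prevent the user from changing their own password (same effect as dsmod user ... -canchpwd no)
Set-ADUser -Identity 'jdoe' -CannotChangePassword $true

# 2.3.4.3: exempt a service account from expiry. Set-ADUser, not Set-LocalUser, for domain accounts.
Set-ADUser -Identity 'svc-backup' -PasswordNeverExpires $true

# Audit: every enabled user exempt from expiry, oldest passwords first. Review this list regularly.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

For service accounts on Windows Server 2012 and later, a group managed service account (New-ADServiceAccount) removes the reason for this setting altogether, because the domain rotates its password automatically.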

2.3.4.5. Store a password using reversible encryption

The "Store password using reversible encryption" policy setting provides support for applications
that use protocols that require the user's password for authentication. Storing encrypted passwords
in a way that is reversible means that the encrypted passwords can be decrypted: anyone who can
read the directory database (a domain controller backup, a copy of ntds.dit, or replication rights)
recovers the plaintext password and can then log on to network resources by using the
compromised account. For this reason, never enable "Store password using reversible encryption"
for all users in the domain unless application requirements outweigh the need to protect password
information.

Best practices

Set the value for "Store password using reversible encryption" to Disabled. If you use CHAP
through remote access or IAS, or Digest Authentication in IIS, the affected accounts need this
setting Enabled. Rather than enabling it domain-wide through Group Policy, enable it only on the
individual accounts that need it, by opening the user account object in Active Directory Users
and Computers (Account tab, "Store password using reversible encryption"), and audit those
accounts regularly.

Policy location:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
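How to find where reversible encryption is actually in effect, at the three places it can be turned on (the domain policy, fine-grained password policies, and the per-account flag), and how to clear it per account. This is an added example and not part of the original handout; it assumes the Active Directory module is available and that no account in the lab has a real CHAP or Digest dependency.

```powershell
# Added example, not from the original handout.
Import-Module ActiveDirectory

# 1. Domain-wide setting (Default Domain Policy > Password Policy). Expected: False.
(Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled

# 2. Fine-grained password policies can enable it for specific groups or users
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, ReversibleEncryptionEnabled, Precedence, AppliesTo

# 3. Per-account flag: ENCRYPTED_TEXT_PWD_ALLOWED (0x80) in userAccountControl, which is what the
#    ADUC checkbox on the Account tab sets. The bitwise-AND matching rule finds it regardless of other bits.
$exposed = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                      -Properties AllowReversiblePasswordEncryption, PasswordLastSet
$exposed | Select-Object SamAccountName, AllowReversiblePasswordEncryption, PasswordLastSet

# Clear it where no CHAP / Digest dependency exists, then force a password change: the
# reversibly stored copy is only replaced when a new password is set with the flag off.
foreach ($u in $exposed) {
    Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
}
```

The LDAP filter is the same query an attacker with ordinary domain user rights can run, which is the point: any account still flagged is a plaintext password waiting in ntds.dit for whoever next obtains a copy of it.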
