Manage Active Directory Infrastructure - Part 3

Practice Labs Module
Time: 1 hour
Difficulty: Intermediate

Welcome to the "Manage Active Directory Infrastructure - Part 3" Practice Lab. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.


Overview

Introduction

Learning Outcomes

In this module, you will complete the following exercises:

  • Exercise 1 - Install Additional Domain Controller
  • Exercise 2 - Manage Operation Master Roles
  • Exercise 3 - Install Child Domain

After completing this lab, you will be able to:

  • Create an additional domain controller in an existing domain
  • Verify domain controller holding the operation master roles
  • Transfer operation master roles to another domain controller
  • Create a child domain in an existing domain tree

Exam Objectives

The following exam objectives are covered in this lab:

  • Understand Active Directory Infrastructure - Child domains, operation master roles

Lab Duration

It will take approximately 60 minutes to complete this lab.

Exercise 1 - Install Additional Domain Controller

Active Directory Domain Services (AD DS) is one of the server roles that can be added and configured in Windows Server 2016. When the AD DS role is installed and the server is promoted, it becomes a domain controller. The directory service maintains a database of network objects such as users, groups, computers, subnets and sites, organized within an administrative and security boundary called a domain.

You will notice that this exercise repeats the domain controller installation from Module 10, this time adding a second domain controller to the existing domain. A second domain controller is required to illustrate the transfer of Flexible Single Master Operations (FSMO) roles covered in Exercise 2 of this module.
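The promotion described in this exercise, as an added PowerShell example rather than the lab's own step-by-step instructions. It assumes the domain practicelabs.com from the lab and a member server with the hypothetical name PLABDC02 that is already joined to that domain; all other values (paths, site name) are the defaults and are assumptions. Run it in an elevated PowerShell session on the server being promoted.

```powershell
# Added example: promote a domain-joined member server to an additional
# domain controller in the existing domain practicelabs.com.
# Assumed: the server is PLABDC02 (hypothetical name), already joined to the domain.

# 1. Install the AD DS role binaries together with the RSAT management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Credentials allowed to add a domain controller (Domain Admins or Enterprise Admins).
$cred = Get-Credential -Message 'Account authorised to add a domain controller to practicelabs.com'

# 3. The DSRM password is only used to log on in Directory Services Restore Mode.
#    Store it in a vault and do not reuse a domain account password.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'practicelabs.com'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true                    # DNS on every DC keeps name resolution available if one DC is down
    SiteName                      = 'Default-First-Site-Name' # assumed: the lab has a single site
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 4. Run the prerequisite checks first; a failed check here is cheaper than a half-promoted DC.
$check = Test-ADDSDomainControllerInstallation @params
$check.Message | Write-Output
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported problems before promoting.'
}

# 5. Promote. -NoRebootOnCompletion lets you read the log before the reboot.
#    -CriticalReplicationOnly is deliberately not used, so the whole domain partition
#    is replicated before the new DC starts advertising itself to clients.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force
Restart-Computer

# 6. After the reboot (from any DC): confirm the new DC is listed and replication is clean.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
repadmin /replsummary
```

The new domain controller becomes a global catalog by default; keep that in mind for the Infrastructure Master placement rule discussed in Exercise 2.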

Exercise 2 - Manage Operation Master Roles

Active Directory Domain Services (AD DS) in Windows Server follows the multi-master replication model. This means changes to the directory database, such as adding or removing an AD object like a user, computer or group, can be made on any writable domain controller. These changes are replicated to the other domain controllers so that the directory stays consistent: domain data is replicated within the domain, while the schema and configuration partitions are replicated to every domain controller in the forest.

Some updates, however, must be made on exactly one domain controller, in a single-master fashion, because allowing them on several domain controllers at the same time would produce conflicting changes. An example is the installation of an AD-aware application such as Exchange Server, which extends the AD schema with new classes and attributes (for example, mailbox-related attributes on user objects). Windows Server handles these updates through Flexible Single Master Operations, or FSMO (pronounced "fizz-mo"), roles. Schema changes are accepted only by the domain controller that holds the Schema master role. This role is forest-wide and is initially assigned to the first domain controller installed in the AD forest.

Another example is adding or removing a domain in the forest, such as installing a child domain in the domain tree. This requires the Domain Naming Master, which is also a forest-wide role initially assigned to the first domain controller installed in the forest root domain. If that domain controller is unavailable, the new domain cannot be created.

In a multi-domain forest, the Infrastructure Master maintains references to objects that live in other domains, for example members of a group that belong to a different domain, and updates those references when the referenced object is renamed or moved. This is a domain-wide role, initially assigned to the first domain controller installed in each domain, whether root or child. Because a global catalog already holds a partial copy of every object in the forest, the Infrastructure Master should not be placed on a global catalog server unless every domain controller in the domain is also a global catalog; otherwise it never detects stale references.

The Relative ID (RID) master allocates pools of RIDs to the domain controllers in its domain. When a domain controller creates a security principal such as a user, group or computer, it takes a RID from its pool and appends it to the domain SID to form the object's unique security identifier (SID). If the RID master is unavailable for long enough that a domain controller exhausts its pool, that domain controller can no longer create security principals. This role is also domain-wide and is initially assigned to the first domain controller installed in each domain, whether root or child.

The Primary Domain Controller (PDC) emulator is the authoritative time source for its domain, and the PDC emulator of the forest root domain is the time source for the whole forest. Kerberos authentication depends on this synchronization: by default, a client whose clock differs from the domain controller's by more than five minutes cannot authenticate. The PDC emulator also receives urgent replication of password changes and account lockouts. Like the other domain-wide roles, it is initially assigned to the first domain controller installed in each domain, whether root or child.

This exercise will demonstrate how to check which domain controller holds each FSMO role and how to transfer a role to another domain controller in the same domain. A transfer requires the current role holder to be online; seizing a role from a domain controller that is permanently unavailable is a different, last-resort operation, and the old holder must never be brought back online afterwards.
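Querying and transferring the roles described above, as an added PowerShell example (not the lab's own steps). It assumes the domain practicelabs.com from the lab, a first domain controller PLABDC01 that still holds all five roles, and the additional domain controller PLABDC02 from Exercise 1; both server names are hypothetical. The ActiveDirectory module (RSAT) is required, and the account must be a member of Domain Admins for the three domain-wide roles (Enterprise Admins and Schema Admins are needed for the two forest-wide roles).

```powershell
# Added example: list FSMO role holders, transfer the three domain-wide roles
# to PLABDC02 (hypothetical name), and verify the result.
Import-Module ActiveDirectory

# Builds one object that shows all five role holders for a domain. The two
# forest-wide roles come from the forest object, the three domain-wide roles
# from the domain object.
function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $dom.PDCEmulator              # domain-wide
        RIDMaster            = $dom.RIDMaster                # domain-wide
        InfrastructureMaster = $dom.InfrastructureMaster     # domain-wide
    }
}

'Role holders before the transfer:'
Get-FsmoRoleHolder -Domain 'practicelabs.com' | Format-List

$target = Get-ADDomainController -Identity 'PLABDC02'

# Placement check for the Infrastructure Master: it must not sit on a global
# catalog unless every DC in the domain is a global catalog.
$nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($target.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning ("{0} is a global catalog and {1} DC(s) are not; the Infrastructure Master " +
                   "will not update cross-domain references there.") -f $target.HostName, $nonGc.Count
}

# Transfer (not seize): the current holder PLABDC01 must be online and reachable.
# Adding -Force to this cmdlet would seize the roles instead; only do that when
# the old holder is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

'Role holders after the transfer:'
Get-FsmoRoleHolder -Domain 'practicelabs.com' | Format-List

# Second opinion from the classic tool; the two outputs should agree once
# the change has replicated.
netdom query fsmo
```

After moving the PDC emulator, point the new holder at an external time source (w32tm) so the domain keeps an authoritative clock; the role moves, the time configuration does not.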

Exercise 3 - Install Child Domain

A domain tree is a collection of Windows domains that share a contiguous namespace, beginning with a parent (root) domain with child domains created below it. Most companies can get by with a single domain to host the organization's Active Directory objects. However, if the organization expands to include regions or business units that require a distinct domain-level security policy, separate administration, or control over replication traffic, creating a child domain may provide the solution.

A child domain is linked to its parent through a two-way transitive trust known as a parent-child trust, which is created automatically when the child domain is installed, so users in either domain can be granted access to resources in the other. The child domain shares a common namespace with the parent. For example, for a child domain called northamerica.practicelabs.com, northamerica is the child domain name and practicelabs.com is the name of the parent domain.
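Creating the child domain named in the paragraph above, as an added PowerShell example rather than the lab's own instructions. It uses the lab's names northamerica and practicelabs.com and assumes a fresh server with the hypothetical name PLABDC03 that will become the first domain controller of the child domain. The Domain Naming Master in the forest root must be reachable, and the credential must be a member of Enterprise Admins in practicelabs.com.

```powershell
# Added example: install the child domain northamerica.practicelabs.com on
# PLABDC03 (hypothetical name). Run in an elevated session on that server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Enterprise Admins is required: creating a domain is a forest-level change
# that goes through the Domain Naming Master.
$cred = Get-Credential -Message 'Enterprise Admins account in practicelabs.com'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    NewDomainName                 = 'northamerica'          # single label; the parent supplies the rest
    ParentDomainName              = 'practicelabs.com'
    DomainType                    = 'ChildDomain'           # 'TreeDomain' would start a new tree instead
    NewDomainNetbiosName          = 'NORTHAMERICA'          # must be 15 characters or fewer and unique in the forest
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $true                   # adds the delegation for northamerica in the parent zone
    DomainMode                    = 'WinThreshold'          # assumed: Windows Server 2016 functional level
}

# Prerequisite checks, including reachability of the Domain Naming Master.
$check = Test-ADDSDomainInstallation @params
$check.Message | Write-Output
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported problems before installing the domain.'
}

Install-ADDSDomain @params -NoRebootOnCompletion -Force
Restart-Computer

# After the reboot: the parent-child trust is created automatically and is
# two-way and transitive; IntraForest shows it is a trust within the forest.
Get-ADTrust -Filter * -Server 'practicelabs.com' |
    Select-Object Name, Direction, IntraForest, ForestTransitive

# The new domain gets its own three domain-wide FSMO roles, all on PLABDC03.
Get-ADDomain -Identity 'northamerica.practicelabs.com' |
    Select-Object DNSRoot, ParentDomain, PDCEmulator, RIDMaster, InfrastructureMaster

# The two forest-wide roles stay in the forest root domain.
Get-ADForest | Select-Object RootDomain, SchemaMaster, DomainNamingMaster
```

Before promoting, confirm from PLABDC03 that the parent's DNS resolves the SRV records for practicelabs.com (for example with nslookup -type=SRV _ldap._tcp.dc._msdcs.practicelabs.com); a child domain installation that cannot locate the parent's domain controllers fails at the prerequisite stage.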
