Microsoft Azure AZ-800 — Section 3: Deploy and manage AD DS domain controllers Part 5

25. Deploy Read-Only Domain Controllers (RODCs)

Now I'd like to show you a couple of different ways that we could set up an RODC, a read-only domain controller. The first method I'm going to show you is known as pre-staging an RODC. This is the way you would do things if you have not set up a server yet that's going to be your RODC, but you plan on setting one up in the future.

So perhaps you are located in New York, but you've got an office in Birmingham, Alabama, that's really small. It's only got 10 people, and you're going to be shipping a server down there, and you just want somebody to be able to plug it in and step through configuring it real quick. You wouldn't even have to be present when the promotion occurs if you do what's called pre-staging.

So let me show you how pre-staging works. Here we are on NYC-DC1, our domain controller, and we're going to open up Server Manager. Of course, you can click Start and go to Server Manager if you don't know how to get in there.

From there, we're going to go to the Tools menu and open Active Directory Users and Computers. You'll notice the Domain Controllers OU, the organizational unit (a folder here) that contains the domain controllers, and currently we only have one domain controller.

So, if we wanted to do what's called pre-staging an RODC, we can right-click that container, and you'll see an option that says Pre-create Read-only Domain Controller account. Remember, you can't just right-click anything; it's got to be the Domain Controllers container.

OK, so we're going to click Pre-create Read-only Domain Controller account.

We'll click Next on the welcome screen. The next page asks which credentials you're going to use to do this. I'm going to use my administrator credentials, the ones I'm signed in with, but you could specify alternative credentials if you wanted to.

Click Next, and it asks what you want the computer name to be. This is just a demo, so I'm going to call it RODC-TEST. I'll click Next, and it's going to verify there's not already a computer out there named RODC-TEST. There cannot be an existing computer with this name right now; remember, you're pre-staging this, so you're setting it up before you even have a server configured.

Then it asks which site you want to put it in. I'm not explaining Active Directory sites right now, so we're just going to go with the default site. Technically a site represents the location: if you had a location in Birmingham, Alabama, you might have a Birmingham site, and you would specify that here. Click Next.

It's going to check DNS information. Essentially it's verifying whether there's already a DNS name or IP address out there that goes with this name, and if so, it will pop that up. Sometimes this check can take like five minutes. You can speed it up by disabling your network adapter: go to Ethernet, Change adapter options, disable the NIC real quick, and then re-enable it. That triggers it to finish a little quicker because it skips searching DNS so much. As you can see, it's done now.

Next it asks: do you want to put DNS on the RODC? You can. Do you want it to be a global catalog server? You can. I'm not going to make it a DNS server, but I will allow it to be a global catalog.

I'm going to go ahead and click Next. Now this part right here is very important. It says the user or group that you specify will be able to attach a server to the RODC account that you are creating now and complete the RODC installation. They will also have local administrator privileges on it.

So imagine I'm in New York City, and we have that Birmingham, Alabama office with just 10 people who are all salespeople, not IT-savvy people. I could specify one of their names, say the sales manager, and give them admin privileges just locally on this server so they can help me configure it. What I want to happen is that somebody can basically just plug the server in, and with these delegated privileges they'll be able to install AD DS and it's going to finish everything. They're not going to have to configure anything; all they've got to do is a couple of clicks.

That's what this page does: it gives an account the authority to do that. Because that account ends up as a local administrator on the RODC, delegate to a specific user or a small dedicated group rather than a broad group.

Now, in my case, I'm just going to choose myself. But in the real world, if you had somebody in that office you wanted to delegate to, you could. At that point I'm going to click Next, and Next again, and we've officially created a little pre-staged RODC account.

So at that point, you would be able to set up a server, and as long as you named it RODC-TEST and joined it to the domain, that person in that office could log in with their credentials and finish the setup. All they've got to do is a couple of clicks and it's officially set up. Back in the early 2000s this was considered beneficial, but to be honest with you, almost nobody uses this anymore to set up an RODC. Most everybody, if they're going to set up an RODC, will do it remotely using Remote Desktop, or they'll just install the RODC locally and ship the server down to the office. That's an easy way to deal with it.
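Here is the same pre-staging done from PowerShell on NYC-DC1, as an added example that is not part of the course. It assumes the domain is examlabpractice.com, the delegated branch account is EXAMLABPRACTICE\jsmith, and the site is the default one; change those to match your lab.

```powershell
# Added example, not the course's own steps. Run on a writable DC (NYC-DC1) as a
# domain admin. Assumed: domain examlabpractice.com, delegated admin jsmith,
# site Default-First-Site-Name, RODC name RODC-TEST.
Import-Module ADDSDeployment

$params = @{
    DomainControllerAccountName       = 'RODC-TEST'
    DomainName                        = 'examlabpractice.com'
    SiteName                          = 'Default-First-Site-Name'
    # The wizard's "Delegation of RODC installation" page: this account can attach a
    # server to the account and becomes a local admin on the RODC, so keep it narrow.
    DelegatedAdministratorAccountName = 'EXAMLABPRACTICE\jsmith'
    InstallDns                        = $false   # same choice as the wizard above
    NoGlobalCatalog                   = $false   # keep it a global catalog
    ReplicationSourceDC               = 'NYC-DC1.examlabpractice.com'
}

# Dry run: confirms the name is unused, the site exists and the caller has rights.
Test-ADDSReadOnlyDomainControllerAccountCreation @params

# Create the unoccupied RODC account in OU=Domain Controllers.
Add-ADDSReadOnlyDomainControllerAccount @params

# Verify: primaryGroupID 521 is "Read-only Domain Controllers" and managedBy holds
# the delegated administrator, which is what the wizard sets behind the scenes.
Get-ADComputer -Identity 'RODC-TEST' -Properties primaryGroupID, managedBy |
    Select-Object Name, primaryGroupID, managedBy
```

The Test- cmdlet does the same prerequisite validation the wizard runs before it creates anything, which is the place to catch a name collision or a wrong site before the account exists.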


Now, alternatively, something else I want to show you here: you'll notice the little black arrow pointing down on the object. That's just to indicate that currently no server has occupied this account; you'll notice it says Unoccupied, so no server has taken control of it yet. The other thing I want to show you: if we right-click this object and go to Properties, you're going to see the Password Replication Policy tab.

This is where I can specify which accounts' passwords it's going to cache for authentication in that office. Currently, you'll see that it denies everybody except for one group.

So if I had a salesperson, I could put that salesperson into the Allowed RODC Password Replication Group, and anybody in that group will have their password replicated to the RODC, unless they're an admin, that is, unless there's a deny entry for them, because a deny always wins over an allow.

I don't have any additional users, but I'll create one real quick. We'll call this one John Smith, and the logon name is going to be just John Smith. We put in a password for the user and make the user change the password at next logon. Now we're going to put John Smith in that group.

Let's go right here to John Smith, click Member Of, click Add, and do a quick search for the word "Password" with Find Now. You'll see Allowed RODC Password Replication Group; double-click on that, click OK, and he's now a member of that group.

So John Smith, who is in that Birmingham office, maybe as a sales manager, is in that group, and the RODC is going to cache his credentials.

That is how you configure an RODC so that it will cache some of his credentials.
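As an added example (not from the course), here is the same PRP work from PowerShell, plus the two checks I'd want before trusting an RODC in a branch office: what the allow and deny lists actually contain, and which accounts have actually been cached. Assumed names: RODC-TEST, logon name jsmith for John Smith, domain examlabpractice.com.

```powershell
# Added example, not the course's own steps. Run on NYC-DC1 with the RSAT AD module.
# Assumed names: RODC-TEST, user jsmith (John Smith), domain examlabpractice.com.
Import-Module ActiveDirectory

$rodc = 'RODC-TEST'
$user = 'jsmith'

# 1. The John Smith user from the lesson, forced to change password at next logon.
New-ADUser -Name 'John Smith' -SamAccountName $user `
    -UserPrincipalName "$user@examlabpractice.com" `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $user") `
    -ChangePasswordAtLogon $true -Enabled $true

# 2. Put him in the built-in allowed group, which every RODC's PRP allows by default.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $user

# 3. Read the RODC's own allow/deny lists straight off the computer object. This works
#    for the unoccupied, pre-staged account too.
#    msDS-RevealOnDemandGroup = Allow list, msDS-NeverRevealGroup = Deny list.
$prp = Get-ADComputer -Identity $rodc -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
'Allow:'; $prp.'msDS-RevealOnDemandGroup'
'Deny :'; $prp.'msDS-NeverRevealGroup'

# 4. Deny beats allow. The Denied group must still hold the privileged accounts, or a
#    stolen branch RODC would hand over admin secrets. Warn if any have been removed.
$denied = (Get-ADGroupMember -Identity 'Denied RODC Password Replication Group').Name
foreach ($name in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'krbtgt') {
    if ($denied -notcontains $name) {
        Write-Warning "'$name' is not in the Denied RODC Password Replication Group"
    }
}

# 5. Once a server has occupied the account and users have logged on in Birmingham,
#    list what the RODC has actually cached. Only branch users should appear here.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```

Step 4 is the check that matters most: membership in the Allowed group only helps if the Denied group and the RODC's deny list still cover the accounts whose secrets must never leave a writable DC.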


The other way you could do this is to go straight over to the server.

I have NYC-SVR1 right now, and I could jump over to that server. Here we are on NYC-SVR1; it is not a domain controller. I could go to Manage, Add Roles and Features, Next, Next, Next, and install Active Directory Domain Services just like we would for a normal domain controller.

So Next, Next, Next and Install. We'll give that a moment and let it install.

Once AD DS is done installing, you can click Close. At that point, we're going to go up to the little warning symbol and click Promote this server to a domain controller. It's going to offer Add a domain controller to an existing domain; an RODC, of course, is always joined to an existing domain, so that is definitely the option we go with. From there, we'll click Next.

Now a warning: if you're doing this along with me and you get an error message at this point, it usually means that your server is no longer pointing to the domain controller for DNS.

What you need to do is jump over to the domain controller, open a command prompt, run ipconfig, and find out the address of your domain controller. Jump back over to the server, go to Local Server, click the Ethernet entry (it shows as IPv4 address assigned by DHCP), go to the properties of your adapter, and verify that you've got the domain controller's address in the DNS server field. It's very important: if you don't, you're going to get an error.

From here we could install DNS on this machine and make it a global catalog, and this is where we choose Read only domain controller (RODC).

At that point we specify the Directory Services Restore Mode password, just like we've done before, and click Next. The next page lets us specify the delegated administrator account, and the accounts whose passwords are allowed or denied to be replicated and cached, if we want.

Then it asks whether you want to replicate from any domain controller; that's fine. By the way, if you have a backup copy of Active Directory, you can use Install from media to specify that copy. That's a great way to save time if you're replicating a large database across a slow connection. If you had a copy of Active Directory on a flash drive, even if it's an out-of-date copy, it'll catch up by replicating once it's done.

So I'm going to click Next, and we accept our database and log locations. At that point we're officially ready to pull the trigger: it would do the prerequisite check when you click Install, and we'd have ourselves an RODC. I'm not actually going to do that to this server, because I have other uses for it. But now you've seen exactly how you can set up an RODC server.
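Both RODC paths from this lesson, attaching a server to the pre-staged account and promoting an RODC directly, can be driven from PowerShell on the server itself. This is an added example, not the course's own script; it assumes the domain examlabpractice.com, the source DC NYC-DC1, the delegated account jsmith, and that the server was already named RODC-TEST and domain-joined for the pre-staged path.

```powershell
# Added example, not the course's own steps. Run on the future RODC as administrator.
# Assumed: domain examlabpractice.com, NYC-DC1 as replication source, delegated admin
# jsmith, site Default-First-Site-Name. Set $preStaged to pick the path.
$domain    = 'examlabpractice.com'
$preStaged = $true

# The failure the lesson warns about: DNS must point at a DC, or the DC locator
# record will not resolve and the promotion fails before it starts.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop | Out-Null

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

if ($preStaged) {
    # Path A: the branch user attaches this server to the RODC-TEST account created on
    # NYC-DC1. Only the delegated account is needed, not Domain Admins; site, GC and
    # DNS choices come from the pre-staged account.
    Install-ADDSDomainController `
        -DomainName $domain `
        -UseExistingAccount `
        -Credential (Get-Credential "$domain\jsmith") `
        -SafeModeAdministratorPassword $dsrm `
        -ReplicationSourceDC "NYC-DC1.$domain" `
        -Force
}
else {
    # Path B: no pre-staging; create the RODC in one step and set its PRP at the same
    # time. Explicit deny entries for local admin groups keep their secrets off the box.
    Install-ADDSDomainController `
        -DomainName $domain `
        -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' `
        -InstallDns:$false `
        -NoGlobalCatalog:$false `
        -Credential (Get-Credential "$domain\Administrator") `
        -SafeModeAdministratorPassword $dsrm `
        -AllowPasswordReplicationAccountName @("$domain\jsmith") `
        -DenyPasswordReplicationAccountName @('BUILTIN\Administrators', 'BUILTIN\Server Operators') `
        -ReplicationSourceDC "NYC-DC1.$domain" `
        -Force
}
# The server reboots when promotion completes. Afterwards, from any DC:
#   Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object Name, Site
```

Path A is what the delegated sales manager in the lesson would run; Path B is what you would run yourself before shipping the box. Either way, `Test-ADDSDomainControllerInstallation` accepts the same parameters if you want the prerequisite check without the install.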

26. Deploy an additional domain controller to a domain

I'd now like to convert NYC-SVR1 to a domain controller. Even though I called it NYC-SVR1, I'm going to leave the name the same, but it is now going to be promoted to an additional domain controller in my examlabpractice.com domain.

If I open up Server Manager, you'll see I've actually already installed AD DS. If you don't know how to do that, you just go to Manage, Add Roles and Features, Next, Next, Next, choose Active Directory Domain Services, and it's going to install.

So once you've done that, we're going to promote.

We're going to click Promote this server to a domain controller and choose Add a domain controller to an existing domain. Keep in mind, if I wanted to set up another child domain in the forest, or a whole new forest, I could do that here, but I'm going with the existing-domain option.

From there, we specify the domain controller capabilities and site information. If I want, I could install this as a DNS server. I'm not going to do that; I'm just going to point to NYC-DC1 as my DNS, so I'm going to turn that off. If I want to make this a global catalog server, I can, so I'll leave that selected. I'm not going to make this an RODC.

There's only one site that all of this belongs to. I'm not really explaining sites a whole lot right now; a site represents the geographical location of where this server is, but I'm not getting into that at this moment.

Next, I put in the Directory Services Restore Mode password. This is the password we would use to recover Active Directory if we needed to. Click Next, and it asks whether you're going to replicate from any domain controller or from a specific one. Well, there's only one other domain controller, so it really doesn't matter what option I choose here. I can also do Install from media: if I had a backup copy of Active Directory, like on a USB drive, I could install from that media. Again, the reason that's good is a situation where you have a really slow connection, a very large Active Directory database, and a copy of the directory backed up, and you don't want the whole thing to replicate across that slow connection. It's not an option that's used very often, but it could come in handy in certain circumstances.

From there, we'll click Next. I'm going to leave the database, log files, and SYSVOL folders in the default locations. We'll review the options, and we could look at our PowerShell command here by clicking View script, as you can see. Then I'll click Next; it checks the prerequisites and everything is clear. We'll click Install, and I'll pause the video while it's happening and finish up.

So now Active Directory is officially set up on this machine, which has been promoted to a domain controller. Keep in mind, when the wizard finished, it did a reboot.

So if you do this along with me, you'll notice that you'll have to reboot your domain controller, and then you can log back on and you'll be where I'm at.

At that point, I should be able to click Tools, go into Active Directory Users and Computers, and view Active Directory just like I can on NYC-DC1. There we go: instead of only seeing one domain controller in the domain, you can see that I now have two, NYC-DC1 and NYC-SVR1.

So we officially have our domain controller set up on this other machine, and NYC-SVR1 is now officially a domain controller.

27. Remoting with PowerShell

So our next lesson on PowerShell is what's known as remoting.

The first thing to understand about PowerShell remoting is that there is a service that must be running in order for you to do it, and that service is called WinRM, Windows Remote Management.

If we right-click our Start button, go to Computer Management, expand Services and Applications, click Services, and scroll down, you'll see the Windows Remote Management (WS-Management) service, and you can see it is running.

Of course, if we want to do that in PowerShell, we right-click the Start button, go to Windows PowerShell (Admin), and type Get-Service. From there, you can see that it is running.

You can also say Get-Service -Name WinRM to see just that specific service if you want.

The other thing to understand is that WinRM uses port 5985 for HTTP connections, and there is a way to set up a digital certificate and do encryption, in which case it uses port 5986, which is HTTPS.

I'm not getting into that right now, but you've got to make sure the firewall on your computers is not blocking that port. You can make sure WinRM is listening for connections with a simple command: winrm quickconfig. This needs to be run on the computer you're connecting into, as opposed to the one you're connecting from.

So I'll hit Enter, and you'll see that it's already running.

I'm currently sitting at NYC-DC1, but if I wanted to do this on NYC-SVR1, I could do it there as well. From there, I just right-click Start, go to PowerShell (Admin), and simply type winrm quickconfig, and you can see that everything's running on that machine as well.

And just so you know, it is possible to turn the WinRM service on for all the machines in your environment; you can do that through Group Policy. I'm not going to get into how to do that right now, but if you're interested in turning on WinRM for a lot of computers in your environment, you can. Keep in mind too that in order for a computer to be able to connect into the WinRM service, authentication is going to be required; there is going to be authentication that happens.
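The WinRM checks from this part of the lesson in cmdlet form, plus the HTTPS listener and a way to separate "the port is blocked" from "authentication failed". This is an added example, not from the course; it assumes the two lab machines NYC-DC1 and NYC-SVR1, and the certificate lookup is a placeholder for whatever certificate your CA issued to the server.

```powershell
# Added example, not the course's own steps. Run ON the machine you will connect TO
# (NYC-SVR1) unless a comment says otherwise. Assumed names: NYC-SVR1, NYC-DC1.

# Service state and listeners (what "winrm quickconfig" reports, as objects).
Get-Service -Name WinRM | Select-Object Name, Status, StartType
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys

# Enable-PSRemoting does what winrm quickconfig does and also registers the PowerShell
# session configurations. -SkipNetworkProfileCheck stops it failing on a Public profile.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Firewall: the HTTP listener is 5985, HTTPS is 5986. These rules must be enabled for
# the profile the adapter is actually on, or the client times out.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction

# Optional HTTPS listener on 5986. Kerberos sessions on 5985 are already encrypted at
# the message level; TLS is what you want for workgroup hosts (Basic/NTLM auth) or for
# anything that crosses a network you do not trust. Assumes a server-auth certificate
# issued to this host is already in the machine store.
# $thumb = (Get-ChildItem Cert:\LocalMachine\My |
#           Where-Object Subject -like 'CN=NYC-SVR1*').Thumbprint
# New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
#     -CertificateThumbPrint $thumb -Force

# From the OTHER machine (NYC-DC1). The first call is an anonymous identify request,
# so if it works but the second fails, the listener is fine and the problem is
# authentication (SPN, trust, credentials), not the port.
Test-WSMan -ComputerName 'NYC-SVR1'
Test-WSMan -ComputerName 'NYC-SVR1' -Authentication Kerberos
```

The Group Policy route the lesson mentions lives under Computer Configuration, Administrative Templates, Windows Components, Windows Remote Management (WinRM), WinRM Service, "Allow remote server management through WinRM", together with a policy that starts the WinRM service automatically and enables the firewall rule group above.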


So from there, we've got WinRM running on both machines, so we're good to go. Here I am on NYC-DC1, and I want to remote in and run a command.

Let me show you very simply how I can remote in and see things that are running on another machine. Let's say I want to run Get-Process.

If I just hit Enter right now, it's going to show the processes just for my machine. Instead, I'm going to hit space, type -ComputerName, and then put in the name of that server, NYC-SVR1. I hit Enter, and at that point I can see the processes that are running on that machine.

If I wanted to stop a process, I could use the Stop-Process cmdlet; if you want to know how to do that, just look up the help article and it'll show you. If I wanted to view the services running on that machine, Get-Service -ComputerName NYC-SVR1 is going to show me the services running on that machine after it processes the command. The server doesn't have a lot of memory, so you might notice that it's a little sluggish and takes a bit of time before you actually get a response.

So there it is: all the services that are running on that server. Now, something else you can do that's really neat: you can type Invoke-Command -ComputerName NYC-SVR1 -ScriptBlock followed by a pair of curly braces. Inside the curly braces goes the command you want to run.

So this is another way we can run a command against that machine. If we had a script we wanted to run against that machine, we could specify the name of the script and run it. But here I could say Get-EventLog -LogName Security -Newest 5, close the curly brace, hit Enter, and there you go.

So that's Invoke-Command. And finally, something else I can do: I can type Enter-PSSession -ComputerName NYC-SVR1, and I'm connected directly into it, kind of like you would with Telnet or SSH, and I can run commands that way.

So, for example, I'm going to do cd \ and dir, and I can see the folders listed on the C drive. Then I'll say mkdir JesseWasHere, hit Enter, and I've just created a folder on NYC-SVR1. If I jump over now to NYC-SVR1 and look in File Explorer at the C drive, we should see that folder. And there it is.

So it did work. Let's jump back over now. If I want to exit out of that server, I can type exit and I'm now out of that session. By the way, you can also run commands against multiple servers at a time. I could say Get-Service -ComputerName, or actually, let's do Get-Process, it's a little quicker: Get-Process -ComputerName NYC-DC1, NYC-SVR1. It's going to run the command against both servers at the same time. The downside is that by default it's going to wrap all the servers' processes up into one list and not separate them. I'm not going to get into how to do that here, but it is possible to have the list separated by computer name.

But ultimately, as you can see, it does show the different processes that are running on the machines.
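The multi-server case from the end of this lesson, carried through to the part the lesson skips: keeping each server's results separate. This is an added example, not from the course; it assumes the same two machines, NYC-DC1 and NYC-SVR1, and a folder name and script path that are placeholders. One caveat worth knowing: Get-Process -ComputerName and Get-Service -ComputerName go over RPC/DCOM, not WinRM, and that parameter was removed in PowerShell 7; Invoke-Command and Enter-PSSession are the WinRM path, so they are what the winrm quickconfig work above actually enables.

```powershell
# Added example, not the course's own steps. Run from NYC-DC1 as a domain admin.
# Assumed names: NYC-DC1, NYC-SVR1; folder and script paths are placeholders.
$targets = 'NYC-DC1', 'NYC-SVR1'

# One reusable WinRM session per target: cheaper than a new connection per command,
# and Remove-PSSession at the end closes them cleanly.
$sessions = New-PSSession -ComputerName $targets

# Every object that comes back carries PSComputerName, so separating the lesson's
# "one big list" by server is a single Sort/Group step.
$top = Invoke-Command -Session $sessions -ScriptBlock {
    Get-Process | Sort-Object WorkingSet64 -Descending |
        Select-Object -First 3 Name, Id, WorkingSet64
}
$top | Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, Id, WorkingSet64 -GroupBy PSComputerName

# Newest five successful logons (event 4624) from each host, grouped per server.
# Get-WinEvent with a filter hashtable is the current form of the lesson's
# Get-EventLog -LogName Security -Newest 5; Properties[5] is TargetUserName.
Invoke-Command -Session $sessions -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 |
        Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }
} | Group-Object PSComputerName | ForEach-Object {
    "`n== $($_.Name) =="
    $_.Group | Format-Table TimeCreated, Id, Account -AutoSize | Out-String
}

# The script block runs on the remote host, so local variables must be passed in with
# $using:. This is the lesson's mkdir, done against both servers at once.
$folder = 'C:\JesseWasHere'
Invoke-Command -Session $sessions -ScriptBlock {
    New-Item -Path $using:folder -ItemType Directory -Force | Select-Object FullName
}

# A local .ps1 can be shipped and run remotely without copying it first:
# Invoke-Command -Session $sessions -FilePath .\Get-ServerHealth.ps1

# Interactive, like the Telnet/SSH comparison in the lesson:
#   Enter-PSSession -ComputerName NYC-SVR1   ...   exit

Remove-PSSession -Session $sessions
```

Grouping on PSComputerName is the answer to the "one list for all servers" problem the lesson leaves open; `$using:` is the piece people most often miss when a script block that works locally comes back empty when run through Invoke-Command.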

So, very cool. There's a lot you can do with PowerShell. This course is giving you a foundation in what you need to know in order to proceed, but you can get into a lot of advanced techniques, and there are PowerShell courses out there that go a lot deeper. This is the foundation.

So those are your main fundamentals for remoting into computers using PowerShell, and this is something that will help you with your server administration. I'm not getting into remoting into the cloud in this particular video, but you can obviously remote into the cloud as well and manage services through the cloud.