By Timothy Warner
In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.
Microsoft Exam 70-640 – Configure a forest or a domain / Domain 2, Subobjective 1
For each exam domain, I will give you two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam blueprint. The second blog post presents a representative practice exam question that covers one topic from that content domain.
The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) forest and domains.
Whereas the first objective domain was centered squarely on DNS, the second domain requires us to understand the planning, deployment, maintenance, and troubleshooting of Active Directory Domain Services in Windows Server 2008.
Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies referenced in this subobjective:
- Removing a domain
- Performing an unattended installation of AD DS
- Active Directory Migration Tool (ADMT)
- Changing domain and forest functional levels
- Interoperability with previous versions of Active Directory
- Multiple UPN suffixes
- Forestprep, domainprep
Removing a domain
Removing a domain involves (a) uninstalling AD DS from every domain controller in a given domain, thereby demoting the machines to member servers; (b) “unjoining” each demoted member server from the domain, which renders the boxes as stand-alone servers; and (c) removing the final domain controller in the domain and thereby eradicating the domain itself.
As you know, we use the Active Directory Domain Services Installation Wizard (dcpromo.exe) both to install and to uninstall Active Directory.
TIP: Before you take any of the Windows Server 2008 exams, make sure you are familiar with the most common Active Directory-related PowerShell cmdlets and their syntax.
- Removing a Domain Controller from a Domain
- Remove a Domain
- Active Directory Administration with Windows PowerShell
Performing an unattended AD DS installation
In Microsoft parlance, an unattended installation of AD DS involves crafting a plain text answer file and then feeding that answer file to the Dcpromo utility as an argument. We can use answer files to automate both the installation and the removal of Active Directory.
The following screenshot, taken from the Microsoft TechNet site, shows the basic format of a Dcpromo answer file:
Dcpromo answer file format
To launch an unattended answer file in this context, open an elevated command prompt and use the basic statement dcpromo /unattend:<path to the answer file>.
- How to use unattended mode to install and remove Active Directory Domain Services on Windows Server 2008-based domain controllers
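As an added example (not code from the original post), the following PowerShell builds a Dcpromo answer file for a new forest root domain and launches it with dcpromo /unattend. The domain names, paths and DSRM password are placeholders; the [DCInstall] keys are the documented dcpromo unattend options.

```powershell
# Added example, not from the original post: build a Dcpromo answer file for a new
# forest root domain and run dcpromo /unattend against it. Domain names, paths and the
# DSRM password are placeholders to replace before use.
$answerFile = Join-Path $env:TEMP 'dcpromo-newforest.txt'

# [DCInstall] is the section name dcpromo expects; the keys are its unattend options.
# ForestLevel/DomainLevel 3 = Windows Server 2008 (0 = Windows 2000, 2 = Windows Server 2003).
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ReplaceMe-DSRM-P@ssw0rd
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# The answer file carries the DSRM password in clear text: keep it on the local disk,
# restrict who can read it, and delete it as soon as dcpromo has consumed it.
$acl = Get-Acl $answerFile
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')))
Set-Acl $answerFile $acl

$proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
    -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
Remove-Item $answerFile -Force

"dcpromo exited with code $($proc.ExitCode); details are in $env:SystemRoot\debug\dcpromo.log"
# RebootOnCompletion=No above so the answer file could be removed first; reboot now.
Restart-Computer -Force
```

Run it from an elevated PowerShell prompt; the removal case uses the same [DCInstall] section with the demotion keys instead of the installation ones.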
Active Directory Migration Tool (ADMT)
As a single-domain forest grows into a multi-forest, multi-domain enterprise, the need arises for a method to assist in restructuring domain assets. For instance, we may want to migrate user and group accounts from one domain to another within a forest, or we may want to move an entire domain from one forest to another.
Microsoft thankfully gives us the Active Directory Migration Tool (ADMT) to help us in our forest and domain restructuring needs. Be advised that despite the installer’s small 4MB footprint, you must have a SQL Server database instance installed and online so ADMT has a place to store its data and metadata.
Once installed, you can work with ADMT either with its graphical interface, or by using the Admt command-line utility.
Active Directory Migration Tool (ADMT)
Changing domain and forest functional levels; Interoperability with previous versions of Active Directory
I decided to put both of these subobjectives together because they deal with the same concept, namely the functional level.
In Windows Server, a functional level essentially defines a domain controller compatibility level within a forest or domain. The notion of functional levels is particularly important when our domain includes domain controllers that are running different versions or editions of Windows Server.
Back in “the day,” when Microsoft first gave us Active Directory in Windows 2000 Server, the term “mixed mode” was used to denote a mix of Active Directory and non-Active Directory (read: Windows NT Server 4.0) domain controllers within one domain. The term “native mode” was used to denote a domain in which all domain controllers were “on board” with Active Directory.
The difficult method to raise functional levels is by accessing LDAP directly by using the Adsiedit.msc or Ldp.exe tools. The easier method is to use Active Directory Users and Computers (for domain functional level) or Active Directory Domains and Trusts (for forest functional level).
Recall that we also set a default domain functional level during the AD DS installation process.
NOTE: Microsoft stresses that the raising of a domain or forest functional level is an irreversible process.
- Understanding Active Directory Domain Services (AD DS) Functional Levels
- How to Raise Active Directory Domain and Forest Functional Levels
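Because raising a level cannot be undone, a pre-flight check is worth running first. The following script is an added example (not from the original post): it reads the current levels from the msDS-Behavior-Version attribute and lists every domain controller in the domain with its operating system, using ADSI only so it runs on Windows Server 2008 without the AD PowerShell module.

```powershell
# Added example, not from the original post: pre-flight check before raising a functional level.
# Reads msDS-Behavior-Version from the domain head and the Partitions container, then lists
# every domain controller in this domain with its OS, using only ADSI.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDN = $rootDse.defaultNamingContext.Value
$configDN = $rootDse.configurationNamingContext.Value

# msDS-Behavior-Version values: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
                 3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }

$domainLevel = [int]([ADSI]"LDAP://$domainDN").'msDS-Behavior-Version'.Value
$forestLevel = [int]([ADSI]"LDAP://CN=Partitions,$configDN").'msDS-Behavior-Version'.Value
"Domain functional level: $($levelNames[$domainLevel]) ($domainLevel)"
"Forest functional level: $($levelNames[$forestLevel]) ($forestLevel)"

# Domain controllers carry the SERVER_TRUST_ACCOUNT bit (8192) in userAccountControl.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))
$dcs = foreach ($r in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name = $r.Properties['name'][0]
        OS   = $r.Properties['operatingsystem'][0]
    }
}

# A single DC still on an older OS blocks the raise, so report them explicitly.
$downlevel = @($dcs | Where-Object { $_.OS -notmatch 'Windows Server 2008' })
if ($downlevel.Count -gt 0) {
    "Raising this domain to the Windows Server 2008 level will fail until these DCs are upgraded or demoted:"
    $downlevel | Format-Table Name, OS -AutoSize
} else {
    "All $(@($dcs).Count) DCs in this domain run Windows Server 2008 or later."
}
# The forest level requires every domain to be at the target level; repeat this check in each domain.
```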
Multiple UPN suffixes
First of all, a User Principal Name (UPN) is an alternate way to represent a domain user account. UPNs are often confused with e-mail addresses because they have the same format: email@example.com. In a multidomain environment, you want to ensure that you have UPN suffixes defined for all your domains to give users the ability to log on using those UPN names.
To add UPN suffixes to a forest, we can use the Active Directory Domains and Trusts MMC console.
Adding UPN Suffixes
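The same change can be scripted. The block below is an added example (not from the original post): it appends a suffix to the uPNSuffixes attribute of the Partitions container, which is the attribute the Domains and Trusts console edits. The suffix value is a placeholder, and the write requires Enterprise Admins rights.

```powershell
# Added example, not from the original post: register an additional UPN suffix for the forest
# by appending it to uPNSuffixes on CN=Partitions in the configuration partition.
$newSuffix  = 'example.com'   # placeholder suffix
$configDN   = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configDN"

if (@($partitions.uPNSuffixes) -contains $newSuffix) {
    "UPN suffix $newSuffix is already registered."
} else {
    $partitions.PutEx(3, 'uPNSuffixes', @($newSuffix))   # 3 = ADS_PROPERTY_APPEND
    $partitions.SetInfo()                                 # commit the change to the directory
    "Added UPN suffix $newSuffix."
}

# The attribute lists only the extra suffixes; each domain's own DNS name is always usable.
"Additional forest UPN suffixes: " + (@($partitions.uPNSuffixes) -join ', ')
```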
ForestPrep, DomainPrep
As it happens, forestprep and domainprep are not Windows Server 2008 command-line utilities, but are rather arguments (also called switches) that you pass into the adprep command-line tool. Confusing, huh?
We run adprep /forestprep from an elevated command prompt when we want to prepare a so-called “downlevel” Active Directory forest (namely, a forest whose domains run Windows Server 2003 or Windows 2000 Server) for the addition of one or more Windows Server 2008-based domain controllers.
We run adprep /domainprep within each domain to prepare a downlevel domain for the inclusion of one or more Windows Server 2008 domain controllers.
The adprep utility is a sort of “Swiss Army knife” inasmuch as you can perform many Active Directory-related tasks with it, such as preparing a domain for Read-Only Domain Controllers (RODC), etc.
I hope that you found this approach to 70-640 exam preparation beneficial. Please feel free to leave your questions, comments, and exam experiences (no braindumps, please).
In the next post in this series I will provide a sample practice question for the “Configure a forest or a domain” topic.