
Active Directory
Introduction & Installation

Introduction

What is Active Directory?
Active Directory or A.D. is the antithesis of NT 4.0's LanManager. It is essentially a
database of network resources (known as objects) and information about each of
these objects. This is not a new concept as Novell and Banyan have used directory
services for years. Familiarity with Novell 4.11 will greatly improve the time it takes to
become comfortable with this new network management system as many of AD's
features and terminology are very similar to that of Novell Directory Services (NDS).

Directory Architecture
First let's introduce the concept of "Sites". Sites are used to define the boundaries of
high-speed links on a network containing Active Directory Servers. Sites are based on
IP subnets and are defined as a "well-connected subnet or subnets". Do not confuse
this term with the concept of domains which are discussed next.

One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still the
centerpiece of a Windows 2000 network; however, it is set up differently. Domain
controllers are no longer separated into PDCs and BDCs. Now there are simply
DCs (Domain Controllers). By default, all Win2K servers are installed as Standalone
Member Servers. DCPROMO.EXE is the Active Directory Installation Wizard and is
used to promote a non-domain controller to a DC and vice versa. The wizard prompts
for all of the information required to install Active Directory under the conditions that
you have asked it to run.

Knowledge Consistency Checker (KCC) - This is a service created to ensure that the
Active Directory service in the Windows 2000 operating system can replicate properly.
It runs on all DCs and automatically establishes connections between individual
computers in the same site. These are known as Active Directory connection objects.
An administrator can establish additional connection objects or remove connection
objects, but at any point where replication within a site becomes impossible or has a
single point of failure, the KCC steps in and establishes as many new connection
objects as necessary to resume Active Directory replication.

Each domain controller in a domain is capable of accepting requests for changes to
the domain database and replicating that information with the other DCs in the
domain. The first domain that is created is referred to as the "root domain" and is at
the top of the directory tree. All subsequent domains will live beneath the root domain
and are referred to as child domains. The child domain names must be unique. As you
are viewing the items below, pay attention to how Windows 2000 now supports
internet naming conventions.

When a root domain and at least 1 child domain have been created, a "tree" is
formed. Remember and understand this term as you will hear it often when working
with a directory service.

You can see that the structure begins to take the shape of a tree with branches and
sub-branches. Now what if we are a company like Microsoft or DuPont that owns several
other corporations. Typically, each company would have its own tree and these would be
aggregated together via trusts to create a "forest".

Trusts Overview:
Trusts are much more easily managed in Windows 2000 than in NT 4.0. There are 2 main
reasons that this is the case.
1. When a new domain is added, trust relationships are automatically configured.
2. Trusts are now commutative 2-way trusts. This means that if domain A trusts domain
B then the reverse is automatically true. In Windows NT 4.0 trusts had to be
administered as a series of 1 way trusts and could be quite cumbersome.
3. Trusts are automatically transitive which means that if domain A trusts domain B and
domain B trusts domain C, then domain A trusts domain C and vice versa.

These changes save an administrator some of the time-consuming administration
efforts spent creating and maintaining trusts that were required in NT 4.0. 1-way
trusts can still be created when necessary.

Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens inside a
domain. To get started, the first concept that you will need to understand is what the directory is
made of. A common analogy for a directory is a phonebook. Both contain listings of various
objects and information and properties about them. Within the directory are several other
terms that you must know to gain even an entry level understanding as to how it all works.
• Objects - Objects in the database can include printers, users, servers, clients, shares,
services, etc. and are the most basic component of the directory.
• Attributes - An attribute describes an object. For example, passwords and names are
attributes of user objects. Different objects will have a different set of attributes that
define them; however, different objects may also share attributes. For example, a
printer and a Windows 2000 Professional workstation may both have an IP address as
an attribute.
• Schema - A schema defines the list of attributes that describe a given type of object.
For example, let's say that all printer objects are defined by name, PDL type and
speed attributes. This list of attributes comprises the schema for the object class
"printers". The schema is customizable, meaning that the attributes that define an
object class can be modified.
• Containers - A container is very similar to the folder concept in Windows. A folder
contains files and other folders. In Active Directory, a container holds objects and
other containers. Containers have attributes just like objects even though they do not
represent a real entity like an object. The 3 types of containers are Domains, Sites and
Organizational Units and are explained in more detail below.
  o Domains - We have already discussed this concept in the preceding paragraphs.
  o Sites - A site is a location. Specifically, sites are used to distinguish between
  local and remote locations. For example, company XYZ has its headquarters in
  San Francisco, a branch office in Denver and an office that uses DUN to
  connect to the main network from Portland. These are 3 different sites.
  o Organizational Units - Organizational units are containers into which you can
  place users, groups, computers, and other organizational units. An
  organizational unit cannot contain objects from other domains. Because
  organizational units can contain other OUs, a hierarchy of containers can be
  created to model your organization's structure and hierarchy within a domain.
  Organizational units should be used to help minimize the number of domains
  required for a network.

Now that we know what these concepts mean, let's take a visual look at what is going on
inside a domain.
The folder symbols represent Organizational Unit (OU) containers and within each of
these we find objects such as printers, servers, computers, users, etc. Instead of
objects directly located inside these OUs, there could be more OU containers.

Security:
There are now three types of groups in Windows 2000:
• Domain Local (similar to a local group)
• Global
• Universal groups

The rules remain the same for Local and Global groups, except that you can now nest
groups in Native mode. Universal groups can have membership from any domain and
can be used to assign access to any resource in any domain. Accounts go into Global
Groups which then go into local groups that are assigned permissions to use a
resource.

Each group can have one of two functions in Native mode - distribution or security.
Security groups are the ones we are familiar with in NT4 while distribution groups will
be used primarily with Exchange 2000 or any other Active Directory mail application.
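To make the group-scope rules above concrete, here is a small Python model, added to these notes and not part of the original material. It encodes the Accounts -> Global groups -> Domain Local groups -> permission pattern and the native-mode nesting rules for each scope. The rules that go beyond what the notes state (for example that a Domain Local group can only be granted access to resources in its own domain, and that Universal groups may nest Global and Universal groups from any domain) are assumed from the Windows 2000 documentation; the domain, group and account names are constructed.

```python
# Added example (not from the original course notes): a model of Windows 2000 group
# scopes and the Accounts -> Global -> Domain Local -> permission pattern. Nesting
# rules beyond what the notes state are assumed from the product documentation.
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "Global", "Domain Local", "Universal"


@dataclass
class Account:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


def can_add_member(group, member):
    """Return (ok, reason) for adding an Account or Group to `group`.

    Rules modelled (native mode; assumed from Windows 2000 documentation):
      Global:       accounts and Global groups from the SAME domain only
      Domain Local: accounts, Global and Universal groups from ANY domain,
                    plus Domain Local groups from the same domain
      Universal:    accounts, Global and Universal groups from ANY domain
    """
    same_domain = member.domain == group.domain
    mscope = getattr(member, "scope", None)  # None means the member is an Account
    if group.scope == GLOBAL:
        if mscope in (None, GLOBAL) and same_domain:
            return True, "ok"
        return False, "Global groups take only same-domain accounts or Global groups"
    if group.scope == DOMAIN_LOCAL:
        if mscope in (None, GLOBAL, UNIVERSAL):
            return True, "ok"
        if mscope == DOMAIN_LOCAL and same_domain:
            return True, "ok"
        return False, "Domain Local groups cannot nest Domain Local groups from another domain"
    if group.scope == UNIVERSAL:
        if mscope in (None, GLOBAL, UNIVERSAL):
            return True, "ok"
        return False, "Universal groups cannot contain Domain Local groups"
    return False, "unknown scope"


def add_member(group, member):
    ok, reason = can_add_member(group, member)
    if not ok:
        raise ValueError(f"{member.name} -> {group.name}: {reason}")
    group.members.append(member)


def can_assign_permission(group, resource_domain):
    """Domain Local groups may only be granted access inside their own domain;
    Global and Universal groups may be used in any domain (assumed rule)."""
    if group.scope == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return True


def effective_accounts(group, seen=None):
    """Flatten nested membership to the set of account names that end up with access."""
    seen = seen if seen is not None else set()
    names = set()
    for m in group.members:
        if isinstance(m, Account):
            names.add(m.name)
        elif id(m) not in seen:
            seen.add(id(m))
            names |= effective_accounts(m, seen)
    return names


def build_example():
    """Constructed sample: sales staff from two domains get access to a share in corp.local."""
    alice = Account("alice", "corp.local")
    bob = Account("bob", "europe.corp.local")
    g_sales_corp = Group("Sales-Corp", "corp.local", GLOBAL)
    g_sales_eu = Group("Sales-EU", "europe.corp.local", GLOBAL)
    dl_share = Group("SalesShare-Modify", "corp.local", DOMAIN_LOCAL)
    add_member(g_sales_corp, alice)
    add_member(g_sales_eu, bob)
    add_member(dl_share, g_sales_corp)  # Global group from the same domain
    add_member(dl_share, g_sales_eu)    # Global group from another domain is allowed
    return dl_share


if __name__ == "__main__":
    dl = build_example()
    print(sorted(effective_accounts(dl)))
    print(can_assign_permission(dl, "corp.local"),
          can_assign_permission(dl, "europe.corp.local"))
```

The Domain Local group is the only object that ever appears in a resource's permissions, which is why the notes say accounts go into Global groups and Global groups into local groups: membership changes happen in the Global groups, and the ACL on the share never needs to be touched.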

Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and
is designed to enable administrators to control the environment with minimal effort.
Group Policy is administered through the Group Policy Microsoft Management
Console (MMC) snap-in. Group policies are not applied to "groups", but we can apply
them to OUs. There are five major categories that group policies can be configured
for:

• Folder redirection: Store users' folders (My Documents, My Pictures) on the
network.
• Security: Similar to account policies under User Manager in NT4 - includes
settings for the local computer, the domain, and network security.
• Administrative Templates - NT4 administrators will recognize this section as
system policies - in a much more convenient and flexible configuration.
Included are desktop, application, and system settings.
• Software Installation - Completely new - enables an administrator to have
software installed automatically at the client machine - or removed
automatically.
• Scripts - similar to logon scripts in NT4, but we can now specify a startup and a
shutdown script for the computer as well as a logon and a logoff script for the user.

An administrator can create several Group Policy Objects (GPO) in a given Group
Policy Container (GPC) and assign the appropriate GPO to the computers or users that
need the settings contained in that GPO. If you want to exclude certain users or
computers from processing the GPO assigned to the Site/Domain/OU that they belong
to, you can simply remove the users' or groups' "apply group policy" permissions. This
effectively creates a filter. You can also delegate control over GPOs so that a manager
can change what a GPO does for his or her department, but can't create any new
GPOs or change the scope of a GPO.

It is also possible to disable group policy objects without deleting them. If you do this
(from Group Policy - Options) it will only disable it for that container and any
sub-containers that inherit the settings. If another administrator "linked" to that GPO from
another container, then the GPO is still active in that container.
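The two behaviours just described (filtering by removing the "Apply Group Policy" permission, and disabling a GPO for one container while a link from another container keeps it active) are easy to get wrong when reasoning about which settings a user actually receives. The following Python model is an added example, not part of the original notes; the container, GPO and group names are constructed, and the ACL is simplified to a set of principals whose apply permission was removed.

```python
# Added example (not from the original course notes): a model of how GPOs linked to
# Site, Domain and OU containers reach a user, with security filtering and per-
# container disabling. Names are constructed; the ACL is a simplified deny set.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    # Users or groups whose "Apply Group Policy" permission was removed; a user
    # matching any of them skips this GPO wherever it is linked.
    apply_denied_to: set = field(default_factory=set)


@dataclass
class Container:
    """A Site, Domain or OU. Each link is a (gpo, enabled) pair."""
    name: str
    parent: "Container | None" = None
    links: list = field(default_factory=list)


def link_gpo(container, gpo, enabled=True):
    container.links.append((gpo, enabled))


def disable_link(container, gpo):
    """Disable the GPO for this container only (Group Policy - Options).
    Links to the same GPO from other containers are untouched."""
    container.links = [(g, e and g is not gpo) for g, e in container.links]


def effective_gpos(container, principal_tokens):
    """GPO names applied to a user whose account sits in `container`.

    principal_tokens: the user's own name plus the groups it belongs to.
    Processing order is Site, Domain, OU, child OU (local policy is not
    modelled); later entries are processed last, so on conflicting settings
    the GPO linked nearest the user wins.
    """
    chain = []
    c = container
    while c is not None:
        chain.append(c)
        c = c.parent
    chain.reverse()

    applied = []
    for c in chain:
        for gpo, enabled in c.links:
            if not enabled:
                continue  # disabled here, so also absent for child containers
            if principal_tokens & gpo.apply_denied_to:
                continue  # security filtering: permission removed for this user/group
            applied.append(gpo.name)
    return applied


def build_example():
    """Constructed directory: corp.local with Sales (and Sales\\West) and Support OUs."""
    site = Container("Default-First-Site-Name")
    domain = Container("corp.local", parent=site)
    sales = Container("OU=Sales", parent=domain)
    west = Container("OU=West,OU=Sales", parent=sales)
    support = Container("OU=Support", parent=domain)

    default_domain = GPO("Default Domain Policy")
    desktop = GPO("Standard Desktop")
    lockdown = GPO("Kiosk Lockdown", apply_denied_to={"Managers"})

    link_gpo(domain, default_domain)
    link_gpo(sales, desktop)
    link_gpo(support, desktop)    # another administrator linked the same GPO here
    link_gpo(west, lockdown)
    disable_link(sales, desktop)  # gone for Sales and Sales\West, still live in Support
    return {"west": west, "support": support}


if __name__ == "__main__":
    ous = build_example()
    print(effective_gpos(ous["west"], {"alice", "Sales Staff"}))
    print(effective_gpos(ous["west"], {"carol", "Managers"}))
    print(effective_gpos(ous["support"], {"dave"}))
```

Note that disabling the link under Sales removes "Standard Desktop" for everyone in Sales\West, while users in Support still receive it through the second link, and that the filter on "Kiosk Lockdown" excludes managers no matter which OU they sit in.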

Software can be efficiently deployed, updated and removed using Group Policies.

Requirements:
• The computer must be Windows 2000 Server, Advanced Server or Datacenter Server.
• At least one volume on the computer must be formatted with NTFS.
• DNS must be active on the network prior to AD installation or be installed during AD
installation. DNS must support SRV records and be dynamic.
• The computer must have the IP protocol installed and have a static IP address.
• The Kerberos v5 authentication protocol must be installed.
• Time and zone information must be correct. Simple Network Time Protocol (SNTP)
(RFC 1769) synchronizes time on network computers (nodes).
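The DNS requirement is the one most often checked after the fact: if the SRV records the new DC registers through dynamic update are not resolvable, clients cannot find LDAP or Kerberos on it. The Python check below is an added example, not part of the original notes. The record names are the standard ones a Windows 2000 DC registers (an assumption taken from the product's DNS documentation, not something the notes list), the resolver is injected so the sample runs offline against a constructed answer set, and Domain-Controller.Net is the domain name the notes use in the DCPROMO walkthrough.

```python
# Added example (not from the original course notes): verify the SRV records a
# Windows 2000 DC registers in dynamic DNS. Record names are assumed from the
# product's DNS documentation; SAMPLE_ZONE is a constructed answer set.
DEFAULT_SITE = "Default-First-Site-Name"


def required_srv_names(dns_domain, site=DEFAULT_SITE):
    """SRV names clients use to locate LDAP and Kerberos on a DC of `dns_domain`."""
    d = dns_domain.rstrip(".").lower()
    return [
        f"_ldap._tcp.{d}",                # any DC in the domain
        f"_ldap._tcp.dc._msdcs.{d}",      # DC-specific record under _msdcs
        f"_kerberos._tcp.{d}",            # KDC over TCP
        f"_kerberos._udp.{d}",            # KDC over UDP
        f"_kpasswd._tcp.{d}",             # Kerberos password change
        f"_ldap._tcp.{site}._sites.{d}",  # site-specific record for this site
    ]


def check_srv_records(dns_domain, resolve_srv, expect_target=None, site=DEFAULT_SITE):
    """Query every required record and classify it.

    resolve_srv(name) -> list of (priority, weight, port, target) tuples, or []
    when the name does not exist. Each record is reported as "ok", "missing" or,
    when expect_target (normally the DC's own host name) is given and no answer
    points at it, "wrong target".
    """
    report = {}
    want = expect_target.rstrip(".").lower() if expect_target else None
    for name in required_srv_names(dns_domain, site):
        answers = resolve_srv(name)
        if not answers:
            report[name] = "missing"
        elif want and not any(t.rstrip(".").lower() == want for _, _, _, t in answers):
            report[name] = "wrong target"
        else:
            report[name] = "ok"
    return report


def dc_registered(report):
    """True only when every required record resolves to the expected DC."""
    return all(status == "ok" for status in report.values())


# Constructed sample: what the DC's own DNS server might answer after promotion.
# The site-specific record is deliberately absent, which is how a failed dynamic
# update of that one record looks to a client.
SAMPLE_ZONE = {
    "_ldap._tcp.domain-controller.net": [(0, 100, 389, "dc1.domain-controller.net.")],
    "_ldap._tcp.dc._msdcs.domain-controller.net": [(0, 100, 389, "dc1.domain-controller.net.")],
    "_kerberos._tcp.domain-controller.net": [(0, 100, 88, "dc1.domain-controller.net.")],
    "_kerberos._udp.domain-controller.net": [(0, 100, 88, "dc1.domain-controller.net.")],
    "_kpasswd._tcp.domain-controller.net": [(0, 100, 464, "dc1.domain-controller.net.")],
}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    rep = check_srv_records("Domain-Controller.Net", sample_resolver,
                            expect_target="dc1.domain-controller.net")
    for name, status in rep.items():
        print(f"{status:13} {name}")
    print("all records present:", dc_registered(rep))
```

On a real server, resolve_srv would wrap an SRV lookup against the DNS server configured on the DC (which, per the TCP/IP configuration steps below, should be the DC itself); a "missing" result after promotion usually means the zone does not accept dynamic updates or the server is pointing at a DNS server that does not hold the zone.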
Step By Step Installation Of Active Directory

First, configure the computer's suffix
(Not mandatory, can be done via the Dcpromo process).
1. Right click My Computer and choose Properties.
2. Click the Network Identification tab, then Properties.

Configuring the computer's TCP/IP settings


You must configure the would-be Domain Controller to use its own IP address as the
address of the DNS server, so it will point to itself when registering SRV records and
when querying the DNS database.
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address. Enter
the server's IP address in the Preferred DNS server box.
6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix".

Running DCPROMO

1. Click Start, point to Run and type "Dcpromo".
2. The wizard window will appear. Click Next.
3. Choose Domain Controller for a new domain and click Next.
4. Choose Create a new domain tree and click Next.
5. Choose Create a new forest of domain trees and click Next.
6. Choose the full DNS name; here we have used Domain-Controller.Net.
This step might take some time because the computer is searching for the
DNS server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, and click Next.
8. Accept the Pre-Windows 2000 compatible permissions.
9. Enter the Restore Mode administrator's password. You can leave it blank
but whatever you do - remember it! Without it you'll have a hard time
restoring the AD if you ever need to do so. Click Next.
10. Review your settings and if you like what you see - Click Next.
11. See the wizard going through the various stages of installing AD.
Whatever you do - NEVER click Cancel!!! You'll wreck your computer if
you do. If you see you made a mistake and want to undo it, you'd better
let the wizard finish and then run it again to undo the AD.
12. If all went well you'll see the final confirmation window. Click Finish.
13. You must reboot in order for the AD to function properly. Click Restart
now.
