
Active Directory was previewed in 1999, released first with Windows 2000 Server, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services. Active Directory is a technology created by Microsoft that provides a variety of network services, including:

- Lightweight Directory Access Protocol (LDAP)
- Kerberos-based authentication
- DNS-based naming and other network information
- A central location for network administration and delegation of authority
- Information security and single sign-on for user access to network-based resources
- The ability to scale up or down easily
- A central storage location for application data
- Synchronization of directory updates among several servers

Active Directory also allows administrators to assign policies, deploy software, and apply critical updates across an organization, all driven from the same replicated database. It is used primarily in Windows environments.

Structure

Objects

Everything that Active Directory tracks is considered an object. An object is any user, system, computer, resource, or service tracked within Active Directory. The generic term object is used because Active Directory is capable of tracking a variety of items, and many objects can share common attributes. An Active Directory structure is a hierarchical framework of objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are Active Directory objects that are assigned unique security identifiers (SIDs); it is the SID, not the name, that access control lists and access tokens reference when access is granted or denied.

Sites

A Site object in Active Directory represents a geographic location that hosts networks. Sites contain objects called subnets.[2] Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical link. Site links may also be assigned a schedule.

Forests, trees, and domains

The set of objects held in a common directory database is known as a domain. Each domain stores information only about the objects that belong to that domain. A tree consists of a single domain or multiple domains in a contiguous namespace. A forest is a collection of trees and represents the outermost boundary within which users, computers, groups, and other objects exist. The forest, not the domain, is the security boundary for Active Directory: all domains in a forest trust each other implicitly and share one schema and configuration, so compromise of any domain controller in the forest puts every domain in it at risk.

The Active Directory framework that holds the objects can be viewed at a number of levels. At the top of the structure is the forest: a collection of one or more trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest, tree, and domain are the logical parts of an Active Directory network. A forest contains one or more transitive, trust-linked trees. A tree is a collection of one or more domains in a contiguous namespace, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace.

Flat-file, simulated hierarchy

The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can resemble the structure of the organization in organizational or geographical terms. OUs can contain OUs; indeed, domains are containers in this sense and can hold multiple nested OUs. Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are Active Directory objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below).
The OU is the level at which administrative powers are commonly

FSMO Roles

Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Although AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance (the operations master roles).

Trust

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are created automatically when domains are created. The forest sets the default boundary of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trusts, AD trusts can be a shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or non-transitive, one- or two-way), or external (non-transitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)


One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; its users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the tree.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust: An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

- Two-way transitive trusts
- One-way intransitive trusts

Additional trusts can be created by administrators. These trusts can be:

- Shortcut (and the realm, external and forest trust types described above)

Windows Server 2003 introduced a new trust type, the forest trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the Windows Server 2003 forest functional level. Authentication across a forest trust can use Kerberos (external trusts are limited to NTLM). A forest trust is transitive within the two forests it joins: every domain in one forest trusts every domain in the other. It is not transitive beyond them: if forest A trusts forest B and B trusts forest C, A does not thereby trust C. Because a forest trust exposes every domain of the partner forest, leave SID filtering enabled on it and use selective authentication where only a few resources need to be reachable from the other side.
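The operations master roles and the trust types just described can be read back from a running forest. The script below is an added example, not from the original page; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with read access to the forest, and the five role names are the property names that Get-ADForest and Get-ADDomain expose. The "Kind" column maps each trust onto the page's vocabulary (intra-forest, forest, realm, external), and the SID filtering and selective authentication columns are the settings a reviewer checks on every external and forest trust.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module is available and the caller can read forest/domain/trust objects.
Import-Module ActiveDirectory

# Forest-wide and domain-wide operations master (FSMO) roles.
$forest = Get-ADForest
$domain = Get-ADDomain
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every trust the local domain participates in, with the flags that matter
# for the security boundary. SID filtering (quarantine) blocks SID-history
# injection from the other side; selective authentication limits which
# resources trusted accounts may even authenticate to.
Get-ADTrust -Filter * | ForEach-Object {
    $t = $_
    $kind = if ($t.IntraForest)          { 'intra-forest (parent/child or tree-root, transitive)' }
            elseif ($t.ForestTransitive) { 'forest trust (transitive across the two forests only)' }
            elseif ($t.TrustType -eq 'MIT') { 'realm trust (non-Windows Kerberos realm)' }
            else                         { 'external trust (non-transitive)' }
    [PSCustomObject]@{
        Target        = $t.Target
        Direction     = $t.Direction          # Inbound, Outbound or BiDirectional
        Kind          = $kind
        SIDFiltering  = [bool]($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
        SelectiveAuth = $t.SelectiveAuthentication
        TGTDelegation = $t.TGTDelegation      # should be $false on trusts to other forests
    }
} | Sort-Object Target | Format-Table -AutoSize
```

A row whose Kind is "external" or "forest trust" with SIDFiltering = False, or with TGTDelegation = True, is the thing to follow up on: either setting lets the other side reach further into this forest than the trust type alone suggests.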

ADAM/AD LDS

Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM is capable of running as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. Like Active Directory, ADAM provides a Data Store, which is a hierarchical datastore for storage of directory data, and a Directory Service with an LDAP interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, each instance having its own schema, as required by the applications making use of the ADAM directory service.

In Windows Server 2008, ADAM was renamed AD LDS (Active Directory Lightweight Directory Services).[17]

Understanding Active Directory

Active Directory can be viewed at any of three levels: forests, trees and domains. The highest structure is the forest, within which every object in the directory can be seen. Within the forest are trees, each holding one or more domains. Further down the structure are the individual domains. To put forests, trees and domains into perspective, consider the following example. A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within the forest are trees that hold information on specific objects such as domain controllers, program data and systems, among others. Within these objects are further objects which can then be controlled and categorized.

How is Active Directory used?

If you are a computer administrator for a large corporation or organization, you can update all end users' computers with new software, patches and files by changing one object, a Group Policy Object linked to a site, domain or OU, rather than touching each machine. Because each object fits a set schema and has specific attributes, a network administrator can disable a person's account across a whole tree, or grant or deny select users access to certain applications. Domain controllers use trusts to decide whether an account from another domain can be authenticated at all; whether that account then gets access is decided by the permissions on each resource. Two types of trust Active Directory incorporates are transitive trusts and one-way non-transitive trusts. A transitive trust reaches further than two domains in a tree, so entities in each domain are able to reach the others' domains and trees. A one-way non-transitive trust allows users of one domain access to another domain, but the other domain's users are not allowed access in return, and the trust does not extend to any further domains.

This can be summed up, loosely, as a network administrator and an end user. The network administrator can access most trees in the forest including a specific end user's domain. The end user, while able to access his or her own domain, cannot access other trees. In practice this is a matter of group membership and permissions as much as of trust: the trust only makes the other domain's accounts recognizable. Active Directory is a good way to organize a large organization's computers, data and network. Without it, most end users would have computers that needed to be updated individually and would not have access to a larger network where data can be processed and reports created. While Active Directory can be highly technical and requires considerable expertise to navigate, it is essential to storing information and data on networks.

What do we need in order to successfully install Active Directory on a Windows 2000 or Windows Server 2003 server? Here is a quick list of what you must have:

- An NTFS partition with enough free space
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

After you have all the above, go ahead and read How to Install Active Directory on Windows 2000 and How to Install Active Directory on Windows 2003.

An NTFS partition

The NTFS partition is required for the SYSVOL folder. SYSVOL holds the Group Policy templates and logon scripts that every domain member reads, and only NTFS can carry the ACLs that keep them writable by administrators alone.

Free space on your disk

You need at least 250 MB of free space on the partition you plan to install AD on. You will need more than that if you plan to create many users, groups and other AD objects.

Local Administrator's username and password

Only a local Administrator (or equivalent) can install the first domain and thus create the new forest. If you plan to create another domain controller for an existing domain, you must have Domain Admin rights in the domain you are planning to join. If you want to create a child domain under an existing domain, or another tree in an existing forest, you must have Enterprise Admin rights.

IP configuration

You need a dedicated (static) IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is multi-homed, the network adapter that is not connected to the Internet should host the dedicated IP address.
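The prerequisites above (NTFS volume, free space, local Administrator, static address, a usable domain name) can be checked mechanically before promotion. The following script is an added example, not from the original page: it runs on Windows Server 2012 or later, where Install-ADDSForest replaces Dcpromo, and finishes with the ADDSDeployment pre-flight test rather than the real promotion. The domain name, paths and the 250 MB minimum are assumptions taken from this page; the single-label check anticipates the naming rule at the end of the page.

```powershell
# Added example (not from the original page). Requires an elevated shell on
# Windows Server 2012+ with the ServerManager module (present by default).
$DomainName  = 'corp.example.com'      # assumption: a registered, multi-label name
$NetbiosName = 'CORP'
$DbPath      = 'C:\Windows\NTDS'       # default paths; SYSVOL must live on NTFS
$SysvolPath  = 'C:\Windows\SYSVOL'
$MinFreeMB   = 250                     # the page's stated minimum

$problems = @()

# 1. First DC of a new forest: must be a local Administrator, elevated.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Shell is not elevated / caller is not a local Administrator.'
}

# 2. The SYSVOL volume must be NTFS with enough free space.
$vol = Get-Volume -DriveLetter $SysvolPath.Substring(0, 1)
if ($vol.FileSystem -ne 'NTFS') {
    $problems += "Volume $($vol.DriveLetter): is $($vol.FileSystem), not NTFS."
}
if (($vol.SizeRemaining / 1MB) -lt $MinFreeMB) {
    $problems += "Less than $MinFreeMB MB free on $($vol.DriveLetter):."
}

# 3. Reject single-label names: at least one dot, label characters only.
if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    $problems += "'$DomainName' is not a multi-label DNS name."
}

# 4. Every connected IPv4 interface must have a static (non-DHCP) address.
$dhcp = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Dhcp -eq 'Enabled' }
if ($dhcp) { $problems += "DHCP is still enabled on: $($dhcp.InterfaceAlias -join ', ')." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# 5. The AD DS binaries must be present before the deployment cmdlets exist.
if ((Get-WindowsFeature AD-Domain-Services).InstallState -ne 'Installed') {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
}

# 6. Dry run: validates name, DNS, paths and credentials without changing anything.
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -DatabasePath $DbPath -LogPath $DbPath -SysvolPath $SysvolPath `
    -SafeModeAdministratorPassword $dsrm

# When the test reports Success, promote for real (the server reboots when done):
# Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName -InstallDns `
#     -DatabasePath $DbPath -LogPath $DbPath -SysvolPath $SysvolPath `
#     -SafeModeAdministratorPassword $dsrm -Force
```

The DSRM password is the one credential that works when the directory itself is offline; treat it like a domain administrator's and store it accordingly.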

The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues. This applies to the first domain controller, which hosts DNS itself; additional domain controllers should list an existing DC first and themselves second. To configure your IP configuration, use the following steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Make sure you have a static and dedicated IP address. If you don't need Internet connectivity through this specific NIC you can use a private IP range such as 192.168.0.0/24 (subnet mask 255.255.255.0).
5. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
   - Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
   - If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
   - Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
   - Make sure that the Register this connection's addresses in DNS check box is selected.
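The same TCP/IP and DNS client settings, applied from a script instead of the Windows 2000 dialogs. This is an added example, not from the original page; it uses the NetTCPIP and DnsClient cmdlets of Windows Server 2012 and later, and the interface alias, addresses and domain name are assumptions to replace with your own. The closing lookup of the DC locator SRV record is the quickest test that the resolver settings, the suffix and the registration actually line up.

```powershell
# Added example (not from the original page). Run elevated on the future DC.
$Nic       = 'Ethernet'          # assumption: alias of the internal NIC
$DcAddress = '192.168.0.10'      # static, dedicated address for the DC
$Prefix    = 24                  # 255.255.255.0
$Gateway   = '192.168.0.1'       # optional: drop -DefaultGateway below if none
$AdDomain  = 'corp.example.com'

# 1. Replace any DHCP lease with the static address.
Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcAddress -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

# 2. First DC: point the resolver at itself. Additional DCs should list an
#    existing DC first and themselves second.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcAddress

# 3. Connection-specific suffix = AD domain; register this address in DNS.
Set-DnsClient -InterfaceAlias $Nic -ConnectionSpecificSuffix $AdDomain `
    -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true

# 4. If a suffix search list is used, the AD domain goes first.
Set-DnsClientGlobalSetting -SuffixSearchList @($AdDomain)

# 5. Verify what was applied.
Get-DnsClient -InterfaceAlias $Nic | Format-List ConnectionSpecificSuffix, RegisterThisConnectionsAddress
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4

# 6. Live check of the DC locator record (resolves once the zone exists and
#    Netlogon has registered the DC; empty output before promotion is normal).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Format-Table Name, NameTarget, Port -AutoSize
```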

Active Network Connection Required During Installation

The installation of Active Directory requires an active network connection. When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:

Active Directory Installation Failed. The operation failed with the following error: The network location cannot be reached. For further information about network troubleshooting, see Windows Help.

This problem can occur if the network cable is not plugged into a hub or other network device.


To resolve this problem, plug the network cable into a hub or other network device. If network connectivity is not available and this is the first domain controller in a new forest, you can finish Dcpromo.exe by installing the Microsoft Loopback Adapter. The Microsoft Loopback Adapter is a tool for testing in a virtual network environment where access to a network is not feasible. It is also useful if there are conflicts with a network adapter or its driver: network clients, protocols and so on can be bound to the Loopback Adapter, and the physical adapter or its driver can be installed later while retaining the network configuration. The Loopback Adapter can also be installed during an unattended installation. To install it manually:

1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.
2. Click Add/Troubleshoot a device, and then click Next.
3. Click Add a new device, and then click Next.
4. Click No, I want to select the hardware from a list, and then click Next.
5. Click Network adapters, and then click Next.
6. In the Manufacturers box, click Microsoft.
7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8. Click Finish.

After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are left at DHCP (the default), the adapter will eventually fall back to an APIPA address (169.254.x.x/16) because it is not connected to any physical medium; give it the static, dedicated address described above before running Dcpromo.

"Always On" Internet Connection (recommended)

An "always on" connection (for example, a cable modem or DSL line) is recommended (but not required) to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet. This is not a requirement for AD, but if you later want to install and configure Exchange 2000 or other Internet-aware applications or services you will need an Internet connection.

DNS Configuration

A DNS server that supports the records Active Directory depends on (SRV records, registered dynamically by the domain controllers) must be present for Active Directory to function properly. Read Create a New DNS Server for AD for more info. Keep the following two DNS configuration issues in mind when you install Active Directory on a home network: root zone entries and DNS forwarders.

Root zone entries

External DNS queries to the Internet do not work if a root zone entry exists on the DNS server, because the server then considers itself authoritative for the whole namespace and never recurses or forwards. To resolve this issue, remove the root zone entry. This entry is identified by a dot (.) in the DNS Manager forward lookup zones. To check for it, open the forward lookup zones in the DNS Management console: you should see the entry for your domain, and if a "." zone exists alongside it, delete it. For additional information about the root zone entry, see Microsoft Knowledge Base article 260371. You can also read my No Forwarding or Root Hints on DNS server? tip.

DNS forwarders (recommended)

If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that queries your server cannot answer itself are sent to your Internet service provider's DNS server and that computers on your network will be able to resolve Internet addresses correctly. You can only configure DNS forwarders if no root zone entry is present. To configure forwarders on the DNS server:

1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. On the Forwarders tab, click to select the Enable Forwarders check box.
4. Type the IP addresses of the DNS servers that will accept forwarded requests from this DNS server. The list is read top-down in order, so place the preferred DNS server at the top.
5. It is recommended that you have all the root hints (top-level DNS servers) listed in the Root Hints tab. If they are missing, copy the Cache.dns file from the %systemroot%\system32\dns\samples folder to the %systemroot%\system32\dns\ folder and restart the DNS service.
6. Click OK to accept the changes.

You can also read Configure DNS Forwarding on Windows 2000. For additional information about DNS issues, see Microsoft Knowledge Base article 237675.
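The root-zone, forwarder and root-hint checks above, plus a test that the zone really carries the SRV records the DNS Configuration section calls for, as an added example that is not part of the original page. It uses the DnsServer module on a Windows Server 2012 or later DNS server; the forwarder addresses are TEST-NET placeholders (an assumption) to replace with your ISP's or internal resolvers, and the domain name is likewise assumed.

```powershell
# Added example (not from the original page). Run elevated on the DNS server.
$Forwarders = @('203.0.113.53', '203.0.113.54')   # assumption: replace with real resolvers
$AdDomain   = 'corp.example.com'                  # assumption

# 1. A forward lookup zone named "." makes this server believe it is a root
#    server: external queries fail and forwarders cannot be used. Remove it.
$root = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
if ($root) {
    Write-Warning 'Root zone "." found; removing it so recursion and forwarding can work.'
    Remove-DnsServerZone -Name '.' -Force
}

# 2. Forwarders in preference order (consulted top-down), falling back to
#    root hints if none of them answers.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 3. Root hints should be populated (the page's Cache.dns step). If the list is
#    empty, pull a fresh copy from a root server instead of the sample file.
if (-not (Get-DnsServerRootHint)) {
    Import-DnsServerRootHint -NameServer 'a.root-servers.net' -ErrorAction SilentlyContinue
}
"Root hints loaded: $((Get-DnsServerRootHint | Measure-Object).Count)"

# 4. Prove the AD zone carries the locator records domain controllers register.
#    Without them clients cannot find a DC even though LDAP is listening.
foreach ($name in @("_ldap._tcp.dc._msdcs.$AdDomain", "_kerberos._tcp.dc._msdcs.$AdDomain")) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { '{0,-50} -> {1}:{2}' -f $name, $srv[0].NameTarget, $srv[0].Port }
    else      { Write-Warning "Missing SRV record $name (restart the Netlogon service on the DC to re-register)." }
}

# 5. External resolution through the forwarder, the exact thing a root zone breaks.
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -DnsOnly |
    Select-Object -First 1 Name, Type, IPAddress
```

Step 4 is worth keeping as a routine check after any DNS change: the SRV records are re-registered by Netlogon, not by the DNS client, so a DC whose A record looks fine can still be invisible to the domain.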

Client Connections

When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller over an internal network on a second network adapter. This prevents the issues that arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity; the DNS server's forwarder will then resolve Internet names on the clients' behalf.

Do not use ICS (recommended)

Use NAT instead. ICS (Internet Connection Sharing) will break the DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This is not a good security decision, because you will expose your Domain Controller to Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate LAN and use NAT instead.

NetBIOS Over TCP/IP

A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter and prevent attempts at unauthorized NetBIOS access from outside sources (the NetBIOS name, datagram and session services on ports 137, 138 and 139; direct-hosted SMB on TCP 445 is a separate listener and should be blocked at the firewall as well). To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click the icon of the NIC that is connected to the Internet, and then click Properties.
3. Un-check the File and Printer Sharing for Microsoft Networks check box.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Click Advanced and go to the WINS tab.
6. Select the Disable NetBIOS over TCP/IP radio button.
7. Click OK all the way out.

Do not use Single-Label domain names

As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization; for example, "corp.example.com" is a sub-domain of "example.com". Registering DNS names with Internet authorities prevents name collisions should registration for the same DNS domain be requested by another organization, or should your organization merge with, acquire or be acquired by another organization that uses the same DNS names. DNS names that do not include a period (".") are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.
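The external-NIC hardening from the NetBIOS Over TCP/IP steps above, done from PowerShell and followed by a verification that nothing is still listening on the NetBIOS ports on the external address. This is an added example, not from the original page. "External" is an assumed interface alias; Win32_NetworkAdapterConfiguration.SetTcpipNetbios with option 2 is the documented setting behind the "Disable NetBIOS over TCP/IP" radio button, and ms_server / ms_msclient are the binding component IDs for File and Printer Sharing and Client for Microsoft Networks.

```powershell
# Added example (not from the original page). Run elevated on Windows Server 2012+.
$ExternalNic = 'External'    # assumption: alias of the Internet-facing NIC

# 1. Unbind File and Printer Sharing (ms_server) and, since nothing on the
#    Internet side should be a file server for us either, Client for
#    Microsoft Networks (ms_msclient).
foreach ($component in 'ms_server', 'ms_msclient') {
    Disable-NetAdapterBinding -Name $ExternalNic -ComponentID $component
}

# 2. Disable NetBIOS over TCP/IP on that adapter only.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
$idx = (Get-NetAdapter -Name $ExternalNic).InterfaceIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx"
$r   = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
           -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
if ($r.ReturnValue -notin @(0, 1)) {        # 0 = done, 1 = done but reboot required
    throw "SetTcpipNetbios failed with code $($r.ReturnValue)"
}

# 3. Verify the bindings and the NetBIOS option as stored.
Get-NetAdapterBinding -Name $ExternalNic -ComponentID ms_server, ms_msclient |
    Format-Table Name, DisplayName, Enabled -AutoSize
"TcpipNetbiosOptions now: " +
    (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx").TcpipNetbiosOptions

# 4. Nothing should remain bound to the NetBIOS ports on the external address
#    (UDP 137/138 name and datagram services, TCP 139 session service).
$extIps = @((Get-NetIPAddress -InterfaceAlias $ExternalNic -AddressFamily IPv4).IPAddress)
$udp = Get-NetUDPEndpoint | Where-Object { $extIps -contains $_.LocalAddress -and $_.LocalPort -in @(137, 138) }
$tcp = Get-NetTCPConnection -State Listen | Where-Object { $extIps -contains $_.LocalAddress -and $_.LocalPort -eq 139 }
if ($udp -or $tcp) { Write-Warning 'NetBIOS services still bound to the external address; a reboot may be pending.' }
else               { 'No NetBIOS listeners on the external address.' }
```

The listener check deliberately looks at the external address only: the internal NIC keeps NetBIOS and File and Printer Sharing, because domain members still need them for SYSVOL and NETLOGON shares.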
