
Module 1: Introduction to Active Directory

Overview
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network

Introduction to Active Directory
- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)

What Is Active Directory?
- Directory service functionality: organize, manage, and control network resources
- Centralized management: a single point of administration
- Full user access to directory resources by a single logon

Active Directory Objects
- Objects represent network resources
- Attributes store information about an object
Diagram: objects and their attribute values. Users (Don Hall, Suzan Fine) carry attributes such as First Name, Last Name, and Logon Name; Printers (Printer1, Printer2, Printer3) carry attributes such as Printer Name and Printer Location.

Active Directory Schema
- The Active Directory schema is dynamically available, dynamically updateable, and protected by DACLs
- Object class examples: Users, Computers, Printers
- Attribute examples: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName
- Attributes of Users might contain: accountExpires, department, distinguishedName, middleName

DNS and Active Directory Namespaces
Diagram: the DNS namespace and the Active Directory namespace side by side. DNS namespace: "." (the DNS root domain), com., microsoft.com, and beneath it sales.microsoft.com, training.microsoft.com, and the host computer1. Active Directory namespace: the domains microsoft.com, sales.microsoft.com, and training.microsoft.com. Legend: DNS node (domain or computer); Active Directory domain.

Lightweight Directory Access Protocol (LDAP)
- LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
- LDAP naming paths include:
  - Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
  - Relative distinguished names, for example CN=Suzan Fine
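An added example, not part of the course slides, of how an LDAP naming path is taken apart: it splits a distinguished name into its relative distinguished names, honours RFC 4514 backslash escapes so a comma inside a value does not split the name, and derives the parent container and the DNS-style domain name from the DC= components. The DN is the slide's own example; the escaped value "Fine\, Suzan" is constructed.

```python
# Added example, not from the course slides: take an LDAP naming path apart.
# Splitting on "," is only safe when RFC 4514 backslash escapes are honoured,
# otherwise a value such as "Fine\, Suzan" (constructed) would be cut in two.
def split_dn(dn):
    """Return the list of relative distinguished names, leftmost first."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape and the escaped character together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns

def rdn(dn):
    """The relative distinguished name is the leftmost component of the DN."""
    return split_dn(dn)[0]

def rdn_parts(single_rdn):
    """Split one RDN into its attribute type and value, e.g. ("CN", "Suzan Fine")."""
    attr_type, _, value = single_rdn.partition("=")
    return attr_type.strip(), value.strip()

def parent_dn(dn):
    """Everything after the first RDN names the container the object sits in."""
    return ",".join(split_dn(dn)[1:])

def domain_from_dn(dn):
    """Join the DC= components into the DNS-style name the slides pair with each AD domain."""
    return ".".join(rdn_parts(p)[1] for p in split_dn(dn) if rdn_parts(p)[0].upper() == "DC")

if __name__ == "__main__":
    dn = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"   # the slide's own example DN
    print(rdn(dn), "|", parent_dn(dn), "|", domain_from_dn(dn))
```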

Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests
- Global Catalog

Domains
- A domain is a security boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- A domain is a unit of replication: domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
Diagram: a Windows 2000 domain whose domain controllers replicate directory information among themselves.

Organizational Units
- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups
Diagram: two ways of building an OU hierarchy. Network administrative model: a Sales OU containing Users and Computers OUs. Organizational structure: a Vancouver OU containing Sales and Repair OUs.

Trees and Forests
Diagram: a forest containing two trees joined by a two-way transitive trust. Tree 1: contoso.msft with child domains asia.contoso.msft and au.contoso.msft. Tree 2: nwtraders.msft with child domains asia.nwtraders.msft and au.nwtraders.msft. Parent and child domains are linked by two-way transitive trusts.

Global Catalog
- Holds a subset of the attributes of all objects
- Answers queries
- Supplies group membership when a user logs on
Diagram: several domains feeding a global catalog server.

Introduction to the Role of DNS in Active Directory
- Name resolution: DNS translates computer names to IP addresses; computers use DNS to locate each other on the network
- Naming convention for Windows 2000 domains: Windows 2000 uses DNS naming standards for domain names; DNS domains and Active Directory domains share a common hierarchical naming structure
- Locating the physical components of Active Directory: DNS identifies domain controllers by the services they provide; computers use DNS to locate domain controllers and global catalog servers

DNS Host Names and Windows 2000 Computer Names
- The DNS host record and the Active Directory object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory
- FQDN = computer1.training.microsoft.com; Windows 2000 computer name = Computer1
Diagram: the DNS tree "." > com. > microsoft > sales, training > computer1 beside the Active Directory domain training.microsoft.com, whose Computers container holds Computer1 and Computer2 (the Builtin container is shown alongside).

DNS Requirements for Active Directory
DNS requirements to support Active Directory:
- Support for SRV records (mandatory)
- Support for the dynamic update protocol (recommended)
- Support for incremental zone transfers (recommended)
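An added example, not from the course slides, of the SRV lookup behind "computers use DNS to locate domain controllers": it builds the locator record names that Windows 2000 domain controllers register (the _ldap._tcp.dc._msdcs.<domain>, _ldap._tcp.<site>._sites.dc._msdcs.<domain> and _gc._tcp.<forest root> forms are real names the slides do not spell out) and orders a constructed set of SRV answers by priority and weight as RFC 2782 prescribes, which is what makes a backup domain controller the last one tried. The records, host names and the Seattle site are constructed sample data.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def locator_name(domain, service="_ldap", site=None):
    """Record a client queries for domain controllers; these name forms are real,
    the domain and site are the slides' examples."""
    if site:
        return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"{service}._tcp.dc._msdcs.{domain}"

def gc_locator_name(forest_root):
    """Global catalog servers register under the forest root domain."""
    return f"_gc._tcp.{forest_root}"

# Constructed SRV answer for the contoso.msft locator record (not real data).
SAMPLE_ANSWER = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.contoso.msft"),
    SrvRecord(priority=0, weight=50, port=389, target="dc2.contoso.msft"),
    SrvRecord(priority=10, weight=0, port=389, target="dc3.contoso.msft"),  # backup
]

def order_targets(records, rng=None):
    """RFC 2782 client ordering: lowest priority value first; within one priority,
    weighted random selection without replacement, weight-0 records placed first
    so they keep only a very small chance of being picked early."""
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == priority),
                       key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec.target)
                    group.remove(rec)
                    break
    return ordered

def ordered_sample(seed):
    """Deterministic ordering of the constructed answer, for repeatable checks."""
    return order_targets(SAMPLE_ANSWER, random.Random(seed))
```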

What Is a Tree?
Diagram: the tree root domain, contoso.msft, is the parent domain; a new domain, sales.contoso.msft, is added as its child domain. Parent and child form a contiguous namespace: sales.contoso.msft.

What Is a Forest?
- A forest is one or more trees
- Trees in a forest do not share a contiguous namespace
- All of the domains in a forest share a common configuration, schema, and global catalog
Diagram: a forest containing two trees: contoso.msft with child sales.contoso.msft, and nwtraders.msft with children marketing.nwtraders.msft and sales.nwtraders.msft.

What Is the Forest Root Domain?
- The forest root domain is the first domain created in a forest
Diagram: a forest with two trees, nwtraders.msft (child marketing.nwtraders.msft) and contoso.msft (child sales.contoso.msft); one tree root is the forest root domain. Attached to the forest root domain: the Global Catalog, the Configuration and Schema, and the Enterprise Admins and Schema Admins groups.

Characteristics of Multiple Domains
- Reduce replication traffic
- Maintain separate and distinct security policies between domains
- Preserve the domain structure of earlier versions of Windows NT
- Separate administrative control

Active Directory Physical Structure
- Domain Controllers
- Sites

Domain Controllers
Domain controllers:
- Participate in Active Directory replication
- Perform single master operations roles in a domain
Diagram: two domain controllers in a domain replicating with each other; each domain controller = a writeable copy of the Active Directory database.

Sites
Sites:
- Optimize replication traffic
- Enable users to log on to a domain controller by using a reliable, high-speed connection
Diagram: the sites Seattle, Chicago, Los Angeles, and New York, each site made up of one or more IP subnets.

Introduction to Active Directory Replication
- Multimaster replication with a loose convergence
Diagram: Domain Controller A, Domain Controller B, and Domain Controller C replicating with one another.

Replication Components and Processes
- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication

How Replication Works
- An Active Directory update (add, modify, move, delete) is an originating update on the domain controller where it is made (Domain Controller A)
- Replication carries it to the other domain controllers (Domain Controller B and Domain Controller C), where it is applied as a replicated update

Replication Latency
- Default replication latency (change notification) = 5 minutes
- When there are no changes, scheduled replication = one hour
- Urgent replication = immediate change notification
Diagram: an originating update on Domain Controller A triggers change notifications to Domain Controller B and Domain Controller C, which then receive the replicated update.

Resolving Replication Conflicts
- Each originating update carries a stamp made up of a version number, a timestamp, and a server GUID
- Conflicts can be due to: an attribute value; adding or moving an object under a deleted container object, or the deletion of a container object; a sibling name
Diagram: Domain Controller A and Domain Controller B each make an originating update with its own stamp, producing a conflict.
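An added example, not from the course slides, that works the stamp comparison through for an attribute-value conflict: two domain controllers change the same attribute from the same replicated state before either replicates, and the version number, then the timestamp, then the server GUID decide which originating update every controller converges on. The GUIDs, times and values are constructed.

```python
from dataclasses import dataclass
import uuid

# Added example, not from the course slides: the stamp the slide lists
# (version number, timestamp, server GUID) decides an attribute-value conflict.
@dataclass(frozen=True)
class Stamp:
    version: int           # incremented on every originating write to the attribute
    timestamp: int         # originating write time (constructed: seconds since an epoch)
    server_guid: uuid.UUID # GUID of the domain controller that made the write

@dataclass(frozen=True)
class AttributeUpdate:
    value: str
    stamp: Stamp

def stamp_key(stamp):
    """Higher key wins: version first, then timestamp, then the GUID as the final tiebreaker."""
    return (stamp.version, stamp.timestamp, stamp.server_guid.int)

def resolve(local, incoming):
    """Return the update every domain controller converges on for this attribute."""
    return incoming if stamp_key(incoming.stamp) > stamp_key(local.stamp) else local

def originate_write(current, new_value, now, server_guid):
    """Model an originating update on one DC: the version climbs past the last value it saw."""
    return AttributeUpdate(new_value, Stamp(current.stamp.version + 1, now, server_guid))

# Constructed scenario: DC A and DC B both edit the same attribute from identical replicated state.
DC_A = uuid.UUID("11111111-1111-1111-1111-111111111111")
DC_B = uuid.UUID("22222222-2222-2222-2222-222222222222")
BASE = AttributeUpdate("Sales", Stamp(3, 1000, DC_A))

def demo():
    """Same version and same timestamp on both writes, so only the server GUID can decide."""
    write_a = originate_write(BASE, "Marketing", now=1100, server_guid=DC_A)
    write_b = originate_write(BASE, "Repair", now=1100, server_guid=DC_B)
    winner_on_b = resolve(write_b, write_a)  # B receives A's replicated update
    winner_on_a = resolve(write_a, write_b)  # A receives B's replicated update
    return winner_on_a.value, winner_on_b.value  # both controllers end with the same value

if __name__ == "__main__":
    print(demo())
```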

Replication Topology
- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of Partitions

Directory Partitions
- Schema partition (forest-wide): contains definitions and rules for creating and manipulating all objects and attributes
- Configuration partition (forest-wide): contains information about Active Directory structure
- Domain partition: holds information about all domain-specific objects created in Active Directory
Diagram: the Active Directory database on a contoso.msft domain controller, holding the forest-wide schema and configuration partitions and the contoso.msft domain partition.

What Is Replication Topology?
Diagram: domain controllers A1, A2, A3, and A4 (domain A) and B1, B2, and B3 (domain B). Domain controllers from the same domain form the Domain A topology and the Domain B topology; domain controllers from different domains share the Schema/Configuration topology.


Global Catalog and Replication of Partitions
- A global catalog server holds a read-only copy of all domain directory partitions (a partial directory partition replica) alongside the schema and configuration partitions
Diagram: a global catalog server holding the schema and configuration partitions and a partial directory partition replica covering contoso.msft and namerica.contoso.msft; in the topology of domain controllers A1 to A4 and B1 to B3, the global catalog's replication links span the Domain A topology, the Domain B topology, and the Schema/Configuration topology.

Methods for Administering a Windows 2000 Network
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control

Using Active Directory for Centralized Management
Active Directory:
- Enables a single administrator to centrally manage resources
- Allows administrators to easily locate information
- Allows administrators to group objects into OUs
- Uses Group Policy to specify policy-based settings
Diagram: a search across a domain containing OU1 (Computers: Computer1; Users: User1) and OU2 (Users: User2; Printers: Printer1) returns User1, Computer1, User2, and Printer1.

Managing the User Environment
Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline
Diagram: Group Policy is applied once to the Domain, OU1, OU2, and OU3 (steps 1, 2, 3); Windows 2000 enforces it continually.

Delegating Administrative Control
Assign permissions:
- For specific OUs to other administrators
- To modify specific attributes of an object in a single OU
- To perform the same task in all OUs
Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design
Diagram: a domain in which Admin1 administers OU1, Admin2 administers OU2, and Admin3 administers OU3.

Review
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network
