
Chapter 1

OVERVIEW OF ACTIVE DIRECTORY
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 2

ACTIVE DIRECTORY FUNCTIONS

Directory Services
Used to define, manage, access, and secure network resources.
Resources include: files, printers, groups, people, and applications.
Active Directory
Stored as NTDS.dit on a domain controller.
Used by domain controllers to authenticate users.
Domain controllers store, maintain, and replicate the directory database.

ACTIVE DIRECTORY BENEFITS

Centralized administration
Single point of access
Fault tolerance and redundancy
Multiple domain controllers are used
Multi-master replication
Simplified resource location

CENTRALIZED ADMINISTRATION

Hierarchical organization for ease of administration
Common Microsoft Management Console (MMC) tool set
Active Directory Users And Computers (DSA.MSC)
Active Directory Domains And Trusts (DOMAIN.MSC)
Active Directory Sites And Services (DSSITE.MSC)

SINGLE POINT OF AUTHENTICATION

(Diagram) Before directory services: separate authentication to Server1, Server2, and Server3. After directory services: single sign-on to Active Directory.

MULTI-MASTER REPLICATION

(Diagram) An Active Directory domain with three domain controllers: DC1, DC2, and DC3.

Replication Process
1. A change occurs on DC2.
2. DC2 notifies DC1 and DC3 that there is a change to Active Directory.
3. At the next replication interval, DC1 and DC3 request the new database information.
4. DC2 replicates the changes to DC1 and DC3.
5. DC1 and DC3 update their Active Directory database.
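
The five-step process above, as an added example that is not part of the original course material: a simplified Python model in which each domain controller stamps its own changes with an update sequence number (USN) and keeps a high-watermark per partner, so a partner pulls only what it has not yet seen. The DC names and the attribute change are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class DomainController:
    name: str
    directory: dict = field(default_factory=dict)        # attribute -> current value
    usn: int = 0                                         # local update sequence number
    changes: list = field(default_factory=list)          # (usn, attribute, value) originated here
    high_watermark: dict = field(default_factory=dict)   # partner name -> last USN pulled from it
    pending: set = field(default_factory=set)            # partners that have sent a change notice

    def originate_change(self, attribute, value):
        """Step 1: a change is made locally and stamped with the next USN."""
        self.usn += 1
        self.directory[attribute] = value
        self.changes.append((self.usn, attribute, value))

    def notify(self, partners):
        """Step 2: tell the replication partners that Active Directory has changed."""
        for partner in partners:
            partner.pending.add(self.name)

    def changes_since(self, usn):
        """Step 4 (source side): hand out only the changes the partner has not pulled yet."""
        return [c for c in self.changes if c[0] > usn]

    def replication_interval(self, partners):
        """Steps 3 and 5: at the interval, pull from each notifying partner and apply locally.
        Returns the number of changes applied; a repeat call applies nothing new."""
        applied = 0
        for partner in partners:
            if partner.name not in self.pending:
                continue
            last_seen = self.high_watermark.get(partner.name, 0)
            for usn, attribute, value in partner.changes_since(last_seen):
                self.directory[attribute] = value
                self.high_watermark[partner.name] = usn
                applied += 1
            self.pending.discard(partner.name)
        return applied

def run_slide_scenario():
    """The slide's five steps with a constructed attribute change originating on DC2."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc2.originate_change("cn=jsmith/telephoneNumber", "555-0100")         # step 1
    dc2.notify([dc1, dc3])                                                # step 2
    applied = [dc.replication_interval([dc2]) for dc in (dc1, dc3)]       # steps 3-5
    return dc1.directory, dc3.directory, applied
```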

SIMPLIFIED RESOURCE LOCATION

Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.
Search Active Directory to find:
Shared folders
Printers
People (user accounts)

ACTIVE DIRECTORY SCHEMA

Object classes
User accounts
Computer accounts
Printers
Groups
Object Attributes
Name
Globally unique identifier (GUID)
Location (for printer)
E-mail address (for users)

ACTIVE DIRECTORY COMPONENTS

(Diagram) Forest root domain cohowinery.com and child domain north.cohowinery.com, each located in its own IP site.

ORGANIZATIONAL UNITS

Container objects
Look like a folder with a book icon in Active Directory Users And Computers
Security is applied to OUs
Inherited by child OUs
Used to control access to that OU or hide subordinate OUs
Allows for the delegation of administrative rights

DOMAINS

Logical grouping of resources.
Form security and replication boundaries.
Individual access control lists (ACLs) for each domain.
Group Policies are typically assigned and inherited within a domain only, not from the forest.
Domain replication is independent of global catalog and schema replication.
Multiple domains may be used by a single organization.

DOMAINS, TREES, AND A FOREST

(Diagram) A forest containing two domain trees. contoso.com is the forest root and the root of the first tree; its child domains are west.contoso.com and east.contoso.com, each containing organizational units (OUs). tailspintoys.com is the root of the second domain tree.

SITES

Used to reflect the physical network structure
Usually local area network (LAN) versus wide area network (WAN)
Optimize replication
Knowledge Consistency Checker (KCC) creates and maintains this structure

NAMING STANDARDS

Lightweight Directory Access Protocol (LDAP)
Standard naming structure and hierarchy
Established by the Internet Engineering Task Force (IETF)
Domain Name System (DNS)
Uniform Resource Locator (URL)

LDAP NAMES

(Diagram) The domain cohowinery.com contains the organizational units Sales and Accounting, holding objects such as the users Jeffrey Smith and Guy Gilbert and a Color Printer. The user jsmith (Jeffrey Smith) in the Sales OU has the LDAP distinguished name
Cn=jsmith,ou=sales,dc=cohowinery,dc=com
and the logon name
jsmith@cohowinery.com
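
An added example (not part of the original course material) that builds and parses the distinguished name shown above, escaping RDN values per RFC 4514 so a common name containing a comma is not read as an extra RDN. The user@domain derivation assumes, as the diagram does, that the cn equals the logon name.

```python
SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires to be escaped anywhere in a value

def escape_value(value):
    """Escape characters with structural meaning in an RDN value (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        leading_or_trailing_space = ch == " " and i in (0, len(value) - 1)
        if ch in SPECIAL or (ch == "#" and i == 0) or leading_or_trailing_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_dn(dns_domain, ous, cn):
    """Most-specific RDN first: cn, then OUs innermost first, then one dc= per DNS label."""
    rdns = ["cn=" + escape_value(cn)]
    rdns += ["ou=" + escape_value(ou) for ou in ous]
    rdns += ["dc=" + label for label in dns_domain.split(".")]
    return ",".join(rdns)

def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes and unescaping values."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                              # an unescaped comma ends the RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [tuple(rdn.split("=", 1)) for rdn in rdns]

def upn_from_dn(dn):
    """user@domain form as on the slide, where the cn equals the logon name (in a real
    directory the userPrincipalName attribute is set separately)."""
    parts = split_dn(dn)
    cn = next(value for attr_type, value in parts if attr_type.lower() == "cn")
    domain = ".".join(value for attr_type, value in parts if attr_type.lower() == "dc")
    return f"{cn}@{domain}"
```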

PLANNING FOR ACTIVE DIRECTORY

Logical and physical structure
DNS and Active Directory integration and naming
Functional levels of domains and forests
Trust relationships and models

STRUCTURING ACTIVE DIRECTORY

Security and administrative goals are important when defining the logical structure.
Group Policy application and inheritance
Delegating administrative control
Permission inheritance
Logical structure often reflects the business or administrative model.
Sites are used to reflect the physical structure of the network.

ROLE OF DNS

Resolves friendly names to Internet Protocol (IP) addresses.
Required by Active Directory.
Domain members use service locator (SRV) records to find domain controllers.
Dynamic DNS (DDNS) is supported and recommended.
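
An added example (not part of the original course material) of how a domain member uses SRV records to find a domain controller: it forms the _ldap._tcp.dc._msdcs record names, parses constructed SRV answers, and applies RFC 2782 priority-then-weight selection. The host names, priorities and weights are constructed sample data.

```python
import random

def dc_locator_names(dns_domain, site=None):
    """SRV names a domain member queries to find an LDAP-capable DC: the site-specific
    record first (so a nearby DC is preferred), then the domain-wide record."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{dns_domain}")
    return names

def parse_srv(zone_lines):
    """Parse zone-file style lines: 'name ttl IN SRV priority weight port target'."""
    records = []
    for line in zone_lines:
        name, _ttl, _cls, _rtype, prio, weight, port, target = line.split()
        records.append((name, int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def select_target(records, rng=random.random):
    """RFC 2782 selection: the lowest priority value wins; ties are broken by a weighted
    random choice so load spreads across equally preferred domain controllers."""
    if not records:
        return None
    best = min(r[1] for r in records)
    candidates = [r for r in records if r[1] == best]
    total = sum(r[2] for r in candidates)
    if total == 0:                      # all weights zero: any candidate is acceptable
        return candidates[0][4], candidates[0][3]
    remaining = rng() * total           # rng() is in [0, 1)
    for _name, _prio, weight, port, target in candidates:
        remaining -= weight
        if remaining < 0:
            return target, port
    return candidates[-1][4], candidates[-1][3]

# Constructed SRV answers for the cohowinery.com domain used on the slides.
SAMPLE_ZONE = [
    "_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 100 389 dc1.cohowinery.com.",
    "_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 100 389 dc2.cohowinery.com.",
    "_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 10 100 389 dc3.cohowinery.com.",
]
```

dc3 is only ever chosen when both priority-0 controllers are absent from the answer, which is what a backup-site DC record is for.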

FUNCTIONAL LEVELS

Designed to support downlevel compatibility
Increasing functional level allows for use of new features
Two types of functional level
Domain functional level
Forest functional level

DOMAIN FUNCTIONAL LEVELS

Windows 2000 mixed
Windows 2000 native
Windows Server 2003 interim
Windows Server 2003

WINDOWS 2000 MIXED FUNCTIONAL LEVEL

Domain controllers can run on the following operating systems:
Windows NT Server 4.0
Windows 2000 Server
Windows Server 2003
Features at this functional level include:
Install from media
Application directory partitions
Enhanced user interface (UI)

WINDOWS 2000 NATIVE FUNCTIONAL LEVEL

Domain controllers can run on the following operating systems:
Windows 2000 Server
Windows Server 2003
Features at this functional level include:
Group nesting
Universal groups
Security Identifier History (sIDHistory)

WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL

Designed for organizations that have not upgraded to Windows 2000 Active Directory.
Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
Windows 2000 Server domain controllers are NOT allowed.
No extra features over any other functional level.

WINDOWS SERVER 2003 FUNCTIONAL LEVEL

Only Windows Server 2003 domain controllers are supported.
Features at this functional level include:
Replicated last logon timestamp
Key Distribution Center (KDC) version numbers
User password on inetOrgPerson objects
Domain renaming

RAISING THE DOMAIN FUNCTIONAL LEVEL

Must be logged on as a member of the Domain Admins group.
Performed using the Primary Domain Controller (PDC) emulator.
All domain controllers must support the new level.
Irreversible.

FOREST FUNCTIONAL LEVELS

Windows 2000
Windows Server 2003 interim
Windows Server 2003

WINDOWS 2000 FOREST FUNCTIONAL LEVEL

All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.
Features supported at this functional level include:
Install from media
Universal group caching
Application directory partitions

WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL

Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
Windows 2000 Server domain controllers are NOT allowed.
Features at this level include:
Improved inter-site topology generator (ISTG)
Improved linked value replication

WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL

Only Windows Server 2003 domain controllers are supported.
Features at this level include:
Dynamic auxiliary class objects
User objects can be converted to inetOrgPerson objects
Schema redefinitions permitted
Domain renames permitted
Cross-forest trusts permitted

RAISING THE FOREST FUNCTIONAL LEVEL

Must be logged on as a member of the Enterprise Administrators group.
Must be connected to the Schema Operations Master.
All domain controllers must support the new functional level.
Irreversible.

ACTIVE DIRECTORY TRUST MODELS

Transitivity: If A trusts B and B trusts C, then A trusts C.
(Diagram) A forest root domain with child domains A and C beneath it and child domains B and D beneath those, linked by transitive trusts.



SHORTCUT TRUST

(Diagram) The same forest root domain with child domains A, B, C, and D, plus a shortcut trust created directly between two of the child domains.
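
An added example (not part of the original course material) covering both the transitivity rule and the shortcut trust: a small trust graph over the forest on the slides that finds the chain of trusts between two domains, shows a shortcut trust collapsing a four-hop path through the forest root to one hop, and models a one-way non-transitive Windows NT 4.0 trust. The 'nt4' domain and the B-to-D shortcut are constructed.

```python
from collections import deque

class TrustGraph:
    """Directed trust edges: trusting domain -> (trusted domain, transitive?)."""

    def __init__(self):
        self.edges = {}

    def add_trust(self, trusting, trusted, two_way=True, transitive=True):
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, transitive))

    def trust_path(self, resource_domain, account_domain):
        """Shortest chain of trusts that lets resource_domain accept users from
        account_domain, or None. A non-transitive trust can only be used directly
        by the domain that holds it, never as part of a longer chain."""
        queue = deque([(resource_domain, [resource_domain])])
        seen = {resource_domain}
        while queue:
            node, path = queue.popleft()
            for nxt, transitive in self.edges.get(node, []):
                if not transitive and node != resource_domain:
                    continue
                if nxt == account_domain:
                    return path + [nxt]
                if transitive and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
        return None

def build_forest(shortcut=False):
    """The forest from the slides: root with children A and C, B under A, D under C.
    Parent-child trusts are two-way and transitive; the optional shortcut trust between
    B and D is constructed here; 'nt4' is a constructed Windows NT 4.0 domain that B
    trusts one-way and non-transitively."""
    g = TrustGraph()
    for parent, child in [("root", "A"), ("root", "C"), ("A", "B"), ("C", "D")]:
        g.add_trust(parent, child)
    if shortcut:
        g.add_trust("B", "D")
    g.add_trust("B", "nt4", two_way=False, transitive=False)
    return g
```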



WINDOWS NT SERVER 4.0 TRUST MODEL

(Diagram) Windows NT Server 4.0 domains A, B, C, and D linked by individual trusts.

CROSS-FOREST TRUST

New in Windows Server 2003
Trusts between two forests
Requires Windows Server 2003 forest functional level
Uses Kerberos as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships

SUMMARY
Active Directory is a database (NTDS.dit).
DNS is required by Active Directory.
Schema defines object types and attributes.
Domain and forest functional levels provide a balance between backward compatibility and new functionality.
Active Directory allows for two-way transitive (Kerberos) trusts.
Trusts allow domain hierarchies to be created.
Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.
