What is Active Directory?

 

What is Active Directory?
What is Active Directory?
What is Active Directory? 1

 

 

 An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000.

 

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

 

An active directory can be defined as a hierarchical structure and this structure is usually broken up into three main categories, the resources which might include hardware such as printers, services for end users such as web email servers and objects which are the main functions of the domain and network.

 

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, end user or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to these objects being able to hold other objects, every object has its own attributes which allows it to be characterized by the information which it contains. Most IT professionals call these setting or characterizations schemas.

 

Depending on the type of schema created for a folder, will ultimately determine how these objects are used. For instance, some objects with certain schemas can not be deleted, they can only be deactivated. Others types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object can not be deleted.

 

When understanding active directories, it is important to know the framework that objects can be viewed at. In fact, an active directory can be viewed at either one of three levels, these levels are called forests, trees or domains. The highest structure is called the forest because you can see all objects included within the active directory.

 

Within the Forest structure are trees, these structures usually hold one or more domains, going further down the structure of an active directory are single domains. To put the forest, trees and domains into perspective, consider the following example.

 

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are now trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects which can then be controlled and categorized.

 

How are Active Directories used?

 

If you are a computer administrator for a large corporation or organization, you can easily update all end users computers with new software, patches, files, etc simply by updating one object in a forest or tree.

 

Because each object fits into a set schema and has specific attributes, a network administrator can easily clear a person on a set tree or instantly give access to some users for certain applications or deny access to certain users for others. The Microsoft servers use trust to determine whether or not access should be allowed. Two types of trust that Microsoft active directories incorporate are transitive trusts and one way non transitive trusts. A transitive trust is when there is a trust that goes further than two domains in a set tree, meaning two entities are able to access each others domains and trees.

 

A one way transitive trust is when a user is allowed accessed to another tree or domain, however, the other domain does not allow access to the other domains. This can be summed up as a network administrator and end user. The network administrator can access most trees in the forest including a specific end user’s domain. However the end user, while able to access his or her own domain, can not access other trees.

 

It is important to note that active directories are a great way to organize a large organization or corporation’s computers data and network. Without an active directory, most end users would have computers that would need to be updated individually and would not have access to a larger network where data can be processed and reports can be created. While active directories can be extremely technical and require lots of expertise to navigate, they are essential to storing information and data on networks.
 
  
 

 How do I install Active Directory on my Windows Server 2003 server?
First make sure you read and understand Active Directory Installation Requirements. If you don’t comply with all the requirements of that article you will not be able to set up your AD (for example: you don’t have a NIC or you’re using a computer that’s not connected to a LAN).
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning – don’t do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.
 
Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active Directory on Windows 2000.
Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the  page BEFORE you go on, otherwise you’ll end up with the following error:
Here is a quick list of what you must have:
  • An NTFS partition with enough free space
  • An Administrator’s username and password
  • The correct operating system version
  • A NIC
  • Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
  • A network connection (to a hub or to another computer via a crossover cable)
  • An operational DNS server (which can be installed on the DC itself)
  • A Domain name that you want to use
  • The Windows Server 2003 CD media (or at least the i386 folder)
  • Brains (recommended, not required…)
This article assumes that all of the above requirements are fulfilled.
Step 1: Configure the computer’s suffix
(Not mandatory, can be done via the Dcpromo process).
  1. Right click My Computer and choose Properties.
  2. Click the Computer Name tab, then Change.
  1. Set the computer’s NetBIOS name. In Windows Server 2003, this CAN be changed after the computer has been promoted to Domain Controller.
  2. Click More.
  1. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it right. No spelling mistakes, no “oh, I thought I did it right…”. Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because on the possible consequences. Read more about it on my Windows 2003 Domain Rename Tool page.
  1. Click Ok.
  2. You’ll get a warning window.
  1. Click Ok.
  2. Check your settings. See if they’re correct.
  1. Click Ok.
  2. You’ll get a warning window.
  1. Click Ok to restart.
Step 2: Configuring the computer’s TCP/IP settings
You must configure the would-be Domain Controller to use it’s own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.
Configure TCP/IP
  1. Click Start, point to Settings and then click Control Panel.
  2. Double-click Network and Dial-up Connections.
  3. Right-click Local Area Connection, and then click Properties.
  1. Click Internet Protocol (TCP/IP), and then click Properties.
  1. Assign this server a static IP address, subnet mask, and gateway address. Enter the server’s IP address in the Preferred DNS server box.
Note: This is true if the server itself will also be it’s own DNS server.
If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page) – enter that server’s IP address instead:
  1. Click Advanced.
  2. Click the DNS Tab.
  3. Select “Append primary and connection specific DNS suffixes”
  4. Check “Append parent suffixes of the primary DNS suffix”
  5. Check “Register this connection’s addresses in DNS”. If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
  1. Click OK to close the Advanced TCP/IP Settings properties.
  2. Click OK to accept the changes to your TCP/IP configuration.
  3. Click OK to close the Local Area Connections properties.
Step 3: Configure the DNS Zone
(Not mandatory, can be done via the Dcpromo process).
This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.
Furthermore, it is assumed that the DC will also be it’s own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you’ll end up with errors and the process will fail.
Creating a Standard Primary Forward Lookup Zone
  1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
  2. Right click Forward Lookup Zones and choose to add a new zone.
  1. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
  1. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named “lab.dpetri.net”, legal zone names are “lab.dpetri.net”, “dpetri.net”, or “net”.
Type the name of the zone, and then click Next.
  1. Accept the default name for the new zone file. Click Next.
  1. To be able to accept dynamic updates to this new zone, click “Allow both nonsecure and secure dynamic updates”. Click Next.
  1. Click Finish.
You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run “ipconfig /registerdns” (no quotes, duh…). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.
If it’s not there try to reboot (although if it’s not there a reboot won’t do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.
Enable DNS Forwarding for Internet connections (Not mandatory)
  1. Start the DNS Management Console.
  2. Right click the DNS Server object for your server in the left pane of the console, and click Properties.
  1. Click the Forwarders tab.
  2. In the IP address box enter the IP address of the DNS servers you want to forward queries to – typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit – the query will be forwarded to the next server in the list.
  1. Click OK.
Creating a Standard Primary Reverse Lookup Zone
You can (but you don’t have to) also create a reverse lookup zone on your DNS server. The zone’s name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone’s name will be 192.168.0 (DNS will append a long name to it, don’t worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can’t you?
Step 4: Running DCPROMO
After completing all the previous steps (remember you didn’t have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.
  1. Click Start, point to Run and type “dcpromo”.
  1. The wizard windows will appear. Click Next.
  1. In the Operating System Compatibility windows read the requirements for the domain’s clients and if you like what you see – press Next.
  1. Choose Domain Controller for a new domain and click Next.
  1. Choose Create a new Domain in a new forest and click Next.
  1. Enter the full DNS name of the new domain, for example – kuku.co.il – this must be the same as the DNS zone you’ve created in step 3, and the same as the computer name suffix you’ve created in step 1. Click Next.
This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
  1. Accept the the down-level NetBIOS domain name, in this case it’s KUKU. Click Next
  1. Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%NTDS, and you should not change it unless you have performance issues in mind. Click Next.
  1. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you’ll create, and will be replicated to all other Domain Controllers. Click Next.
  1. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:
This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address.
To let Dcpromo do the work for you, select “Install and configure the DNS server…”.
Click Next.
Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.
  1. If your DNS settings were right, you’ll get a confirmation window.
Just click Next.
  1. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings, unless you have legacy apps running on Pre-W2K servers.
  1. Enter the Restore Mode administrator’s password. In Windows Server 2003 this password can be later changed via NTDSUTIL. Click Next.
  1. Review your settings and if you like what you see – Click Next.
  1. See the wizard going through the various stages of installing AD. Whatever you do – NEVER click Cancel!!! You’ll wreck your computer if you do. If you see you made a mistake and want to undo it, you’d better let the wizard finish and then run it again to undo the AD.
  1. If all went well you’ll see the final confirmation window. Click Finish.
  1. You must reboot in order for the AD to function properly.
  1. Click Restart now.
Step 5: Checking the AD installation
You should now check to see if the AD installation went well.
  1. First, see that the Administrative Tools folder has all the AD management tools installed.
  1. Run Active Directory Users and Computers (or type “dsa.msc” from the Run command). See that all OUs and Containers are there.
  1. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.
  1. Open the DNS console. See that you have a zone with the same name as your AD domain (the one you’ve just created, remember? Duh…). See that within it you have the 4 SRV record folders. They must exist.
= Good
If they don’t (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The “Preparing Network Connections” windows will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).
= Bad
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
To try and fix the problems first see if the zone is configured to accept dynamic updates.
1.      Right-click the zone you created, and then click Properties.
2.      On the General tab, under Dynamic Update, click to select “Nonsecure and secure” from the drop-down list, and then click OK to accept the change.
You should now restart the NETLOGON service to force the SRV registration.
You can do it from the Services console in Administrative tools:
Or from the command prompt type “net stop netlogon“, and after it finishes, type “net start netlogon“.
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you’ll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer’s suffix (see step 1). You won’t be able to change the computer’s suffix after the AD is installed, but if you have a spelling mistake you’d be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake – re-running DCPROMO.
  1. Check the NTDS folder for the presence of the required files.
  1. Check the SYSVOL folder for the presence of the required subfolders.
  1. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it’s safe to say that your AD is properly installed.

 

 The basics of Active Directory

What is Active Directory? Active Directory is Microsoft’s trademarked directory service, an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security and distributed resources and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.

Active Directory was new to Windows 2000 Server and further enhanced for Windows Server 2003, making it an even more important part of the operating system. Windows Server 2003 Active Directory provides a single reference, called a directory service, to all the objects in a network, including users, groups, computers, printers, policies and permissions.

For a user or an administrator, Active Directory provides a single hierarchical view from which to access and manage all of the network’s resources.

Why implement Active Directory?

There are many reasons to implement Active Directory. First and foremost, Microsoft Active Directory is generally considered to be a significant improvement over Windows NT Server 4.0 domains or even standalone server networks. Active Directory has a centralized administration mechanism over the entire network. It also provides for redundancy and fault tolerance when two or more domain controllers are deployed within a domain.

Active Directory automatically manages the communications between domain controllers to ensure the network remains viable. Users can access all resources on the network for which they are authorized through a single sign-on. All resources in the network are protected by a robust security mechanism that verifies the identity of users and the authorizations of resources on each access.

Even with Active Directory’s improved security and control over the network, most of its features are invisible to end users; therefore, migrating users to an Active Directory network will require little re-training. Active Directory offers a means of easily promoting and demoting domain controllers and member servers. Systems can be managed and secured via Group Policies. It is a flexible hierarchical organizational model that allows for easy management and detailed specific delegation of administrative responsibilities. Perhaps most importantly, however, is that Active Directory is capable of managing millions of objects within a single domain.

Basic divisions of Active Directory

Active Directory networks are organized using four types of divisions or container structures. These four divisions are forests, domains, organizational units and sites.

·  Forests: The collection of every object, its attributes and attribute syntax in the Active Directory.

 

·  Domain: A collection of computers that share a common set of policies, a name and a database of their members.

 

·  Organizational units: Containers in which domains can be grouped. They create a hierarchy for the domain and create the structure of the Active Directory’s company in geographical or organizational terms.

 

·  Sites: Physical groupings independent of the domain and OU structure. Sites distinguish between locations connected by low- and high-speed connections and are defined by one or more IP subnets.

 

Forests are not limited in geography or network topology. A single forest can contain numerous domains, each sharing a common schema. Domain members of the same forest need not even have a dedicated LAN or WAN connection between them. A single network can also be the home of multiple independent forests. In general, a single forest should be used for each corporate entity. However, additional forests may be desired for testing and research purposes outside of the production forest.

Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide Group Policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authenticationis on a domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.

Active Directory requires one or more domains in which to operate. As mentioned before, an Active Directory domain is a collection of computers that share a common set of policies, a name and a database of their members. A domain must have one or more servers that serve as domain controllers (DCs) and store the database, maintain the policies and provide the authentication of domain logons.

With Windows NT, primary domain controller (PDC) and backup domain controller (BDC) were roles that could be assigned to a server in a network of computers that used a Windows operating system. Windows used the idea of a domain to manage access to a set of network resources (applications, printers and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

One server, known as the primary domain controller, managed the master user database for the domain. One or more other servers were designated as backup domain controllers. The primary domain controller periodically sent copies of the database to the backup domain controllers. A backup domain controller could step in as primary domain controller if the PDC server failed and could also help balance the workload if the network was busy enough.

With Windows 2000 Server, while domain controllers were retained, the PDC and BDC server roles were basically replaced by Active Directory. It is no longer necessary to create separate domains to divide administrative privileges. Within Active Directory, it is possible to delegate administrative privileges based on organizational units. Domains are no longer restricted by a 40,000-user limit. Active Directory domains can manage millions of objects. As there are no longer PDCs and BDCs, Active Directory uses multi-master replication and all domain controllers are peers.

Organizational units are much more flexible and easier overall to manage than domains. OUs grant you nearly infinite flexibility as you can move them, delete them and create new OUs as needed. However, domains are much more rigid in their existence. Domains can be deleted and new ones created, but this process is more disruptive of an environment than is the case with OUs and should be avoided whenever possible.

By definition, sites are collections of IP subnets that have fast and reliable communication links between all hosts. Another way of putting this is a site contains LAN connections, but not WAN connections, with the general understanding that WAN connections are significantly slower and less reliable than LAN connections. By using sites, you can control and reduce the amount of traffic that flows over your slower WAN links. This can result in more efficient traffic flow for productivity tasks. It can also keep WAN link costs down for pay-by-the-bit services.

The Infrastructure Master and Global Catalog

Among the other key components within Active Directory is the Infrastructure Master. The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for an unattended process that “fixes-up” stale references, known as phantoms, within the Active Directory database.

Phantoms are created on DCs that require a database cross-referencebetween an object within their own database and an object from another domain within the forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same forest. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g., when the target object is renamed, moved, migrated between domains or deleted. The Infrastructure Master is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the “fix-up” process must then be replicated to all remaining DCs within the domain.

The Infrastructure Master is sometimes confused with the Global Catalog (GC), which maintains a partial, read-only copy of every domain in a forest and is used for universal group storage and logon processing, among other things. Since GCs store a partial copy of all objects within the forest, they are able to create cross-domain references without the need for phantoms.

Active Directory and LDAP

Microsoft includes LDAP(Lightweight Directory Access Protocol) as part of Active Directory. LDAP is a software protocol for enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for individuals without knowing where they’re located (although additional information will help with the search).

An LDAP directory is organized in a simple “tree” hierarchy consisting of the following levels:

·  The root directory (the starting place or the source of the tree), which branches out to

 

·  Countries, each of which branches out to

 

·  Organizations, which branch out to

 

·  Organizational units (divisions, departments and so forth), which branch out to (include an entry for)

 

·  Individuals (which include people, files and shared resources, such as printers)

 

An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically.

It is important for every administrator to have an understanding of what LDAP is when searching for information in Active Directory and to be able to create LDAP queries is especially useful when looking for information stored in your Active Directory database. For this reason, many admins go to great lengths to master the LDAP search filter.

Group Policy management and Active Directory

It’s difficult to discuss Active Directory without mentioning Group Policy. Admins can use Group Policies in Microsoft Active Directory to define settings for users and computers throughout a network. These setting are configured and stored in what are called Group Policy Objects (GPOs), which are then associated with Active Directory objects, including domains and sites. It is the primary mechanism for applying changes to computers and users throughout a Windows environment.

Through Group Policy management, administrators can globally configure desktop settings on user computers, restrict/allow access to certain files and folders within a network and more.

It is important to understand how GPOs are used and applied. Group Policy Objects are applied in the following order: Local machine policies are applied first, followed by site policies, followed by domain policies, followed by policies applied to individual organizational units. A user or computer object can only belong to a single site and a single domain at any one time, so they will receive only GPOs that are linked to that site or domain.

GPOs are split into two distinct parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). The Group Policy Template is responsible for storing the specific settings created within the GPO and is essential to its success. It stores these settings in a large structure of folders and files. In order for the settings to apply successfully to all user and computer objects, the GPT must be replicated to all domain controllers within the domain.

The Group Policy Container is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO. The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.

For Windows Server 2003, Microsoft released a Group Policy management solution as a means of unifying management of Group Policy in the form of a snap-inknown as the Group Policy Management Console (GPMC). The GPMC provides a GPO-focused management interface, thus making the administration, management and location of GPOs much simpler. Through GPMC you can create new GPOs, modify and edit GPOs, cut/copy/paste GPOs, back up GPOs and perform Resultant Set of Policy modeling.

Introduction The Microsoft Active Directory service is a central component of the Windows platform, providing the means to manage the identities and relationships that make up network environments.
Expanding on the foundation of the Windows 2000 operating system, the Windows Server 2003 family improves the manageability of Active Directory as well as eases migration and deployment of directory-enabled applications.

Active Directory has been enhanced to reduce total cost of ownership (TCO) and operation within your business. New features and enhancements have been provided at all levels of the product to extend versatility, simplify management, and increase dependability. With Windows Server 2003, organizations can benefit from further reductions in cost while increasing the efficiency in which they share and manage the various elements of their business.

New features and improvements for Active Directory in the Windows Server 2003 family: • Integration and productivity.
• Performance and scalability.
• Administration and configuration management.
• Group Policy features.
• Security enhancements.

Active Directory BasicsActive Directory is the directory service for Windows .NET Standard Server, Windows .NET Enterprise Server, and Windows .NET Datacenter Server. (Active Directory cannot be run on Windows .NET Web Server but it can manage any computer running Windows .NET Web Server.) Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

Directory Data StoreThis data store is often simply referred to as the directory. The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies. This information can be published for use by users and administrators.

The directory is stored on servers known as domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller has a writeable copy of the directory for the domain in which it is located. Changes made to the directory are replicated from the originating domain controller to other domain controllers in the domain, domain tree, or forest. Because the directory is replicated, and because each domain controller has a writeable copy of the directory, the directory is highly available to users and administrators throughout the domain.

Directory data is stored in the Ntds.dit file on the domain controller. It is recommended that this file is stored on an NTFS partition. Some data is stored in the directory database file, and some data is stored in a replicated file system, like logon scripts and Group Policies.

There are three categories of directory data replicated between domain controllers:

Domain data. The domain data contains information about objects within a domain. This is the information typically thought of as directory information such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users.
For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization’s directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.

Configuration data. The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.

Schema data.The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes, or by adding new attributes for existing objects. Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema.

Active Directory and SecuritySecurity is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

Active Directory provides protected storage of user account and group information by using access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. Then, when the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.

Because Active Directory allows administrators to create group accounts, administrators can manage system security more efficiently. For example, by adjusting a file’s properties, an administrator can permit all users in a group to read that file. In this way, access to objects in Active Directory is based on group membership.

Active Directory SchemaThe Active Directory Schema is the set of definitions that defines the kinds of objects—and the types of information about those objects—that can be stored in Active Directory. Because the definitions are themselves stored as objects, Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

ClassesClasses, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

The Role of the Global CatalogA global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. In addition, the global catalog stores each object’s most common searchable attributes. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, which provides efficient searches without unnecessary referrals to domain controllers.

A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.

A global catalog performs the following directory roles:

Finds objects. A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.

When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you enter your search request, it is routed to the default global catalog port 3268 and sent to a global catalog for resolution.

Supplies user principal name authentication.A global catalog resolves user principal names when the authenticating domain controller does not have knowledge of the account. For example, if a user’s account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user’s account and will then contact a global catalog server to complete the logon process.

Supplies universal group membership information in a multiple domain environment. Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in a global catalog. For example, when a user who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides universal group membership information for the user’s account.

If a global catalog is not available when a user logs on to a domain running in Windows 2000 native or higher, the computer will use cached credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can only log on to the local computer.

Efficient Search ToolsAdministrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory. In addition, administrators can add objects to groups quickly and with minimal network impact by utilizing browse-less queries to help find likely members.

Active Directory Replication Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory. Active Directory uses multimaster replication, enabling you to update the directory at any domain controller, rather than at a single, primary domain controller. The multimaster model has the benefit of greater fault tolerance, since, with multiple domain controllers, replication continues, even if any single domain controller stops working.

A domain controller stores and replicates:• Schema information. This defines the objects that can be created in the directory and what attributes those objects can have. This information is common to all domains in the forest. Schema data is replicated to all domain controllers in the forest.

• Configuration information.This describes the logical structure of your deployment, containing information such as domain structure or replication topology. This information is common to all domains in the forest. Configuration data is replicated to all domain controllers in the forest.

• Domain information. This describes all of the objects in a domain. This data is domain-specific and is not distributed to any other domains. For the purpose of finding information throughout the domain tree or forest, a subset of the properties for all objects in all domains is stored in the global catalog. Domain data is replicated to all domain controllers in the domain.

• Application information.Information stored in the application directory partition is intended to satisfy cases where information needs to be replicated, but not necessarily on a global scale. Application data can be explicitly rerouted to administrator-specified domain controllers within a forest to prevent unnecessary replication traffic, or it can be set to replicate to all domain controllers in the domain.

The Role of Sites in ReplicationSites streamline replication of directory information. Directory schema and configuration information is replicated throughout the forest and domain data is replicated among all domain controllers in the domain and partially replicated to global catalogs. By strategically reducing replication, the strain on your network can be similarly reduced.

Domain controllers use sites and replication change control to optimize replication in the following ways:
• By occasionally re-evaluating which connections are used, Active Directory uses the most efficient network connections.

• Active Directory uses multiple routes to replicate changes, providing fault tolerance.

• Replication costs are minimized by only replicating changed information.

SummaryBuilding on the foundation established in Windows 2000, Active Directory in Windows Server 2003 emphasizes simplified management, versatility, and unmatched dependability. More than ever, Active Directory has become a solid foundation for building enterprise networks unsurpassed in its ability to:

• Take advantage of existing investments and consolidation management of directories.
• Extend administrative control and reduce redundant management tasks.
• Simplify remote integration and use network resources more efficiently.
• Provide a robust development and deployment environment for directory-enabled applications.
• Reduce TCO and improve the leverage of IT resources.

 

  Re: What are FSMO Roles? List them
Answer
#
1
Flexible Single-Master Operation (FSMO) roles,manage an
aspect of the domain or forest, to prevent conflicts
 
1.Domain Naming Master, If you want to add a domain to a
forest, the domain?s name must be verifiably unique. The
forest?s Domain Naming Master FSMOs authorize the domain
name operation. 
 
2.Infrastructure Master, When a user and group are in
different domains, a lag can exist between changes to the
user (e.g., a name change) and the user?s display in the
group. The Infrastructure Master of the group?s domain fixes
the group-to-user reference to reflect the change. The
Infrastructure Master performs its fixes locally and relies
on replication to bring all other replicas of the domain up
to date.
 
3.PDC Emulator,For backward compatibility, one DC in each
Win2K domain must emulate a PDC for the benefit of Windows
NT 4.0 and NT 3.5 DCs and clients.
 
4.RID Master,The RID Master must be available for you to use
the Microsoft Windows 2000 Resource Kit?s Movetree utility
to move objects between domains.
 
5.Schema Master,At the heart of Active Directory (AD) is the
schema, which is like a blueprint of all objects and
containers. Because the schema must be the same throughout
the forest, only one machine can authorize schema modifications

 

 
Spread iiQ8

January 21, 2015 3:59 PM

58 total views, 0 today