Active Directory Fundamentals
Thomas Lee, Chief Technologist, QA


What we will cover:
- Domain, Trees, Forests
- Domain Controllers, Sites
- The Domain Naming Service
- Replication
- Operations Masters
- Lots of demos…

Prerequisite Knowledge
- Understanding of what a directory service is
- Networking skills!
Level 200+

Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters

Active Directory Logical Concepts: Domains
- Boundary of Security
  - NOT!!!
- Boundary of Authentication
- Boundary of Replication
  - Domain NC Replication
- Boundary of DNS Namespace
- Boundary of Administration
[Diagram: KAPOHO.NET]

Active Directory Logical Concepts: Trees
- Hierarchy of Domains forming a contiguous DNS namespace
- Transitive Trust Relationships between domains
- All domains in a Tree share:
  - Schema
  - Configuration
  - Global Catalog
[Diagram: KAPOHO.NET, EUROPE.KAPOHO.NET, HAWAII.KAPOHO.NET, MAUI.HAWAII.KAPOHO.NET]

Active Directory Logical Concepts: Forests
- Hierarchy of Domains forming a contiguous or disjoint namespace
- Transitive Trust Relationships
- All Domains in a Forest share:
  - Schema
  - Configuration
  - Global Catalog
[Diagram: PSP.CO.UK, KAPOHO.NET, HAWAII.KAPOHO.NET]

Active Directory Logical Concepts: Organizational Units
- Containers within Domains
- Distinct Units of Administration
- Unique to Domains
- Two main uses:
  - Delegation
  - Policies


Active Directory Physical Concepts: Domain Controllers
[Diagram labels: Primary Domain Controller (PDC), Backup Domain Controller (BDC), Domain Controllers (DC)]

Active Directory Physical Concepts: Sites
- What is a Site?
  - A set of well-connected IP subnets
- Site Usage
  - Locating Services (e.g. Logon, DFS)
  - Replication
  - Group Policy Application
- Sites are connected with Site Links
  - Connects two or more sites

Active Directory Physical Concepts: Site Topology
[Diagram: the domains Company.com, america.company.com and europe.company.com, with domain controllers placed across Site A, Site B and Site C. Legend: DC = Domain Controller, GC = Global Catalog]

Active Directory Physical Concepts: Global Catalog
- Partial Replica of all Objects in the Forest
- Configurable subset of Attributes
- Fast Forest-wide searches
- Required at Logon for Universal Group Membership
- Win2k3 – Universal Group Caching


DNS
- DNS is fundamental to AD
  - No DNS == No AD
  - Even on a single server!
- You have options over:
  - DNS Topology
  - DNS Namespace
  - DNS Server

DNS
- SRV Records to locate services (req’d.)
- DDNS for Dynamic Update (desired)
- Windows 2000 and up, DNS also provides:
  - Incremental Zone Transfer
  - Active Directory Integrated
    - Single replication topology
    - Multi-master replication
  - Secure Dynamic update
Tip: Use the latest version of BIND!

DNS: DNS Implementations
- No existing DNS infrastructure
  - Deploy Microsoft DNS
- Existing DNS meets requirements
- Existing DNS not adequate:
  - Choice 1: Update Server
  - Choice 2: Migrate to Microsoft DNS
  - Choice 3: Delegate a subdomain to Microsoft DNS
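The DNS slides make SRV records a hard requirement for locating AD services. The following is an added example, not part of the original deck: a Python check that parses a zone export and reports locator records that are missing, advertise the wrong port, or point at a host outside the DC inventory. It assumes standard master-file lines with an explicit IN class and a single-domain forest; the zone contents, `dc1`/`dc2`/`build7` host names and the `KNOWN_DCS` inventory are constructed.

```python
import re

# Locator SRV names a DC registers and the port each must advertise.
# {d} = AD DNS domain; the GC names assume {d} is also the forest root.
REQUIRED = {
    "_ldap._tcp.{d}": 389, "_ldap._tcp.dc._msdcs.{d}": 389,
    "_ldap._tcp.pdc._msdcs.{d}": 389, "_kpasswd._tcp.{d}": 464,
    "_kerberos._tcp.{d}": 88, "_kerberos._tcp.dc._msdcs.{d}": 88,
    "_ldap._tcp.gc._msdcs.{d}": 3268, "_gc._tcp.{d}": 3268,
}
SRV_LINE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+"
                      r"(?P<port>\d+)\s+(?P<target>\S+)$", re.IGNORECASE)

def parse_srv(zone_text):
    """Return {owner name: [(port, target), ...]} for each SRV line."""
    records = {}
    for raw in zone_text.splitlines():
        m = SRV_LINE.match(raw.split(";", 1)[0].strip())  # drop comments
        if m:
            records.setdefault(m["name"].rstrip(".").lower(), []).append(
                (int(m["port"]), m["target"].rstrip(".").lower()))
    return records

def audit_locator_records(zone_text, domain, known_dcs):
    """Return sorted (record, problem) pairs for one AD domain."""
    found, problems = parse_srv(zone_text), set()
    for template, port in REQUIRED.items():
        name = template.format(d=domain.lower())
        if name not in found:
            problems.add((name, "missing"))
        for got_port, target in found.get(name, []):
            if got_port != port:
                problems.add((name, "unexpected port"))
            if target not in known_dcs:
                problems.add((name, "target is not a known DC"))
    return sorted(problems)

# Constructed zone export for the slides' example domain (not real data).
SAMPLE_ZONE = """
_ldap._tcp.kapoho.net.            600 IN SRV 0 100 389  dc1.kapoho.net.
_ldap._tcp.dc._msdcs.kapoho.net.  600 IN SRV 0 100 389  dc1.kapoho.net.
_ldap._tcp.dc._msdcs.kapoho.net.  600 IN SRV 0 100 389  build7.kapoho.net. ; not a DC
_ldap._tcp.pdc._msdcs.kapoho.net. 600 IN SRV 0 100 389  dc1.kapoho.net.
_kerberos._tcp.kapoho.net.        600 IN SRV 0 100 88   dc1.kapoho.net.
_kpasswd._tcp.kapoho.net.         600 IN SRV 0 100 464  dc1.kapoho.net.
_ldap._tcp.gc._msdcs.kapoho.net.  600 IN SRV 0 100 3268 dc1.kapoho.net.
_gc._tcp.kapoho.net.              600 IN SRV 0 100 389  dc1.kapoho.net. ; wrong port
"""
KNOWN_DCS = {"dc1.kapoho.net", "dc2.kapoho.net"}  # constructed DC inventory
```

Calling `audit_locator_records(SAMPLE_ZONE, "kapoho.net", KNOWN_DCS)` returns the three findings planted in the sample: the absent Kerberos DC record, the GC record on port 389, and the LDAP record that targets `build7`.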


Replication: Replication Details
- Naming Contexts that are replicated
  - Schema Naming Context
  - Configuration Naming Context
  - Domain Naming Context
- Multi-Master Replication
- Intra-site Bi-directional Ring Topology
- Inter-site Spanning Tree Topology
- Synchronous RPC over TCP/IP
- Asynchronous SMTP

Replication: Naming Contexts
- Schema
  - Definitions of attributes
  - Replicated to all DCs in the forest
- Configuration
  - AD Structure (domains, sites, and where the DCs are)
  - Replicated to all DCs in the forest
- Domain
  - Domain specific objects (users, groups, computers, and OUs)
  - Replicated to all DCs in its domain

Replication: Replication Topologies
- Intra-Site Replication: AD replication between DCs within a Site
- Inter-site Replication: AD replication between Sites

Replication: Intra-Site Replication
- RPC Replication in a Site
- No compression
- Assumes good network connections
- Uses notification process
  - 5 minutes-2k
  - Less – 2k3
- KCC Generates a bi-directional Ring with extra edges
Tip: Always let KCC generate the intra-site replication topology when possible

Replication: Inter-Site Replication
- Replication between Sites
- DS-RPC (RPC over IP) or SMTP Transports
- SMTP can be used only between
  - GCs across Sites
  - DCs of different domains and in different sites
- Compression
  - 10%-20% of original size
- Scheduled

Replication: Site-Links, Bridges and Bridgehead Servers
- Site Links link two or more sites
  - Cost and schedules can be specified
  - Transitive (can be disabled)
- Site-Link Bridges
  - Bridge two or more site links
- Bridgehead servers
- KCC generates a minimum cost spanning tree
Tip: Always let KCC generate the replication topology
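A simplified model of the least-cost selection named on this slide, as an added example that is not from the original deck and is not the KCC's actual algorithm: Kruskal's minimum spanning tree over site links, where a link joining more than two sites connects every pair at the link's cost. It assumes all links are transitive (the default the slide mentions) and ignores schedules, transports and bridgehead servers; the site names, link names and costs are constructed. It also reports groups of sites with no link path between them, since such a group never receives changes made elsewhere.

```python
from itertools import combinations

def least_cost_topology(site_links):
    """Kruskal's algorithm over site links.

    site_links: {link name: (cost, [site, ...])}
    Returns (chosen connections, total cost, connected site groups).
    More than one group means some sites cannot replicate with others.
    """
    parent = {}

    def find(site):
        parent.setdefault(site, site)
        while parent[site] != site:
            parent[site] = parent[parent[site]]   # path halving
            site = parent[site]
        return site

    # A link with N sites contributes one candidate edge per site pair.
    edges = sorted(
        (cost, a, b, link)
        for link, (cost, sites) in site_links.items()
        for a, b in combinations(sorted(sites), 2))

    chosen, total = [], 0
    for cost, a, b, link in edges:
        root_a, root_b = find(a), find(b)
        if root_a != root_b:          # joins two components: keep it
            parent[root_a] = root_b
            chosen.append((a, b, link, cost))
            total += cost

    groups = {}
    for site in list(parent):
        groups.setdefault(find(site), []).append(site)
    return chosen, total, sorted(sorted(g) for g in groups.values())

# Constructed site links: name -> (cost, member sites).
SAMPLE_LINKS = {
    "A-B": (100, ["SiteA", "SiteB"]),
    "B-C": (200, ["SiteB", "SiteC"]),
    "A-C-backup": (500, ["SiteA", "SiteC"]),
    "Hub": (300, ["SiteA", "SiteC", "SiteD"]),   # one link, three sites
}
```

For `SAMPLE_LINKS` the expensive `A-C-backup` link is never selected, and the total cost of the chosen connections is 600.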


Operations Masters: Schema and Domain
- Schema
  - Perform updates to schema
  - Sends updates to all DCs
  - One per forest
  - Default is the first DC installed
- Domain
  - Performs add/remove of domains and cross-references to external DS
  - One per forest
  - Default is the first DC installed

Operations Masters: PDC, RID and Infrastructure
- Primary Domain Controller (PDC)
  - Acts as a PDC for requests from NT clients
  - One per domain
- Relative Identifier (RID)
  - Generates pools of security identifiers to be distributed to DCs in the domain
  - One per domain
- Infrastructure
  - Updates SIDs and domains that are moved in and out of the domain

Summary
- There are Logical and Physical concepts
- DNS
- Plenty of Information
