Chapter 6 Introducing Active Directory


Chapter 6: Introducing Active Directory
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410

Objectives
- Describe the role of a directory service
- Install Active Directory
- Describe objects found in Active Directory
- Work with forests, trees, and domains
- Configure group policies

The Role of a Directory Service
- A network directory service stores information about a computer network and offers features for retrieving and managing that information.
- Generally considered an administrative tool, but users also rely on directory services to find resources.
- Directory services provide a centralized management tool, but because of their complexity they require careful planning before setup.

Windows Active Directory
- X.500 is the basis for its hierarchical structure.
- Lightweight Directory Access Protocol (LDAP) is based on the X.500 Directory Access Protocol but uses the more efficient TCP/IP protocol.
- Integrating other OSs, such as Linux and UNIX, into an Active Directory network requires using LDAP.
- Windows Active Directory was first used in Windows 2000 Server.

Windows Active Directory
Active Directory offers the following features:
- Hierarchical organization
- Centralized but distributed database
- Scalability
- Security
- Flexibility
- Policy-based administration

Overview of the Active Directory Structure
- Physical structure: consists of sites and servers configured as domain controllers.
- Logical structure: makes it possible to pattern the directory service’s look and feel after the organization in which it runs.

Active Directory’s Physical Structure
- An Active Directory site is simply a physical location in which domain controllers communicate and replicate information regularly.
- Each domain controller contains a full replica of the objects that make up the domain and is responsible for:
  - Storing a copy of the domain data and replicating changes to that data to all other domain controllers in the domain
  - Providing data search and retrieval functions for users attempting to locate objects in the directory
  - Providing authentication and authorization services for users who log on to the domain and attempt to access network resources

Active Directory’s Logical Structure
- Four organizing components of Active Directory:
  - Organizational Units (OUs)
  - Domains
  - Trees
  - Forests
- The organizational unit (OU) is an Active Directory container used to organize a network’s users and resources into logical administrative units.

Active Directory’s Logical Structure
An OU contains Active Directory objects, such as:
- User accounts
- Groups
- Computer accounts
- Printers
- Shared folders
- Applications
- Servers
- Domain controllers

Active Directory’s Logical Structure
- Domain: the core structural unit of an Active Directory.
  - Contains OUs and represents administrative, security, and policy boundaries.
  - Small to medium companies usually have one domain; larger companies may have several domains to separate geographical regions or administrative responsibilities.

Active Directory’s Logical Structure
- Tree: a grouping of domains that share a common naming structure.
  - Can consist of a parent domain and possibly one or more child domains.
- Forest: a collection of one or more Active Directory trees that provide a common Active Directory environment.
  - All domains in all trees can communicate and share information.
  - Can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains.
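The following PowerShell walks the forest, tree, domain and OU hierarchy described above and shows how the LDAP distinguished name encodes the same X.500-style structure. It is an added example, not code from the textbook; it assumes the RSAT ActiveDirectory module on a domain-joined machine and uses whatever forest that machine belongs to.

```powershell
# Added example (not from the textbook): enumerate the logical structure of the
# forest this machine belongs to, from forest root down to OUs, and show how
# the LDAP distinguished name (DN) encodes the X.500-style hierarchy.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Forest: the top of the hierarchy. Every domain in every tree is listed here.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Forest mode        : $($forest.ForestMode)"
"Domains in forest  : $($forest.Domains -join ', ')"

# Domains: a tree is recognisable by its shared naming structure. Each domain
# reports its parent (empty for the root of a tree) and its child domains.
foreach ($dnsName in $forest.Domains) {
    $d = Get-ADDomain -Identity $dnsName
    $parent = if ($d.ParentDomain) { $d.ParentDomain } else { '(tree root)' }
    "{0,-30} parent={1,-25} children={2}" -f $d.DNSRoot, $parent, ($d.ChildDomains -join ',')
    "   DN: $($d.DistinguishedName)"
}

# OUs inside the current domain. Read the DN right to left: the DC= components
# name the domain, and each OU= component is one level of the container tree.
Get-ADOrganizationalUnit -Filter * -Properties Description |
    Sort-Object DistinguishedName |
    Format-Table Name, DistinguishedName -AutoSize

# The same OU query over plain LDAP (System.DirectoryServices), which is the
# path a non-Windows client takes. The search base is the domain's DN; the
# LDAP:// provider talks to port 389 (636 for LDAPS). No AD module needed.
$domainDn = (Get-ADDomain).DistinguishedName
$searcher = [ADSISearcher]'(objectClass=organizationalUnit)'
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
```

The last section is the useful one for mixed environments: anything that can issue an LDAP search against the domain's DN sees the same hierarchy, which is why Linux and UNIX integration goes through LDAP rather than through the Windows tools.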

Figure 6-4 An Active Directory forest

Installing Active Directory
- The Windows Active Directory service is commonly referred to as Active Directory Domain Services (AD DS).
- To install AD DS, use Server Manager.
- If DNS is not already present on the network, you must install the DNS Server role.
- After the role is installed, you must configure Active Directory: click the notifications flag in Server Manager and click “Promote this server to a DC”.

Installing Active Directory
- In the Deployment Configuration window, select from these options:
  - Add a domain controller to an existing domain
  - Add a new domain to an existing forest
  - Add a new forest (choose this if it is the first DC in the network)
- Next, you’re prompted for the fully qualified domain name (FQDN) for the new forest root.
  - An FQDN is a domain name that includes all parts of the name.

Installing Active Directory
In the Domain Controller Options window you will:
- Choose the forest and domain functional levels
- Select domain controller capabilities:
  - Domain Name System (DNS) server
  - Global Catalog (GC)
  - Read only domain controller (RODC)
- Enter a password for Directory Services Restore Mode (DSRM)
  - A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally

Figure 6-6 Choosing the forest and domain functional levels

Installing Active Directory
- In the DNS Options window, you must create the DNS delegation, which allows Windows to create the necessary records on the DNS server for the new domain.
- In the Paths window, you specify the location of the Active Directory database, log files, and SYSVOL folder.
- Next, review your selections in the Review Options window.
- Windows then does a prerequisites check before starting the Active Directory installation.
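The wizard pages from the slides above (role installation, deployment configuration, FQDN, functional levels, DC capabilities, DSRM password, DNS delegation, paths, prerequisites check) correspond one-to-one to parameters of the ADDSDeployment module. The script below is an added example, not from the textbook; the domain name, NetBIOS name and paths are placeholders to adapt, and it assumes an elevated session on the server that is to become the first DC.

```powershell
# Added example (not from the textbook): the forest-root promotion the Server
# Manager wizard performs, done from PowerShell. 'corp.example.com', 'CORP'
# and the paths are placeholders. Run elevated on the future domain controller.

# 1. Install the AD DS binaries and management tools (the "Add Roles and
#    Features" step). The DNS Server role is added by the promotion below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# 2. DSRM password. Read it interactively rather than embedding it in a script:
#    it is the only credential that can log on to the DC in restore mode, so
#    it deserves the same handling as a Domain Admin password.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 3. The wizard pages as parameters.
$forestParams = @{
    DomainName                    = 'corp.example.com'   # FQDN of the new forest root
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012R2'          # forest functional level
    DomainMode                    = 'Win2012R2'          # domain functional level
    InstallDns                    = $true                # DC capability: DNS server
    CreateDnsDelegation           = $false               # no parent DNS zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'    # Paths window: database
    LogPath                       = 'C:\Windows\NTDS'    # Paths window: log files
    SysvolPath                    = 'C:\Windows\SYSVOL'  # Paths window: SYSVOL
    SafeModeAdministratorPassword = $dsrmPassword
}

# 4. Prerequisites check only (the "Prerequisites Check" window). Read the
#    messages before committing; warnings about DNS delegation are common.
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message, Context
if ($check.Status -ne 'Success') {
    throw 'Prerequisites check failed; fix the reported items before promoting.'
}

# 5. Promote. -Force only suppresses the confirmation prompt; the server
#    reboots when promotion completes. The first DC in a forest is
#    automatically a global catalog server and holds every operations master role.
Install-ADDSForest @forestParams -Force
```

Keeping the parameters in one hashtable means the prerequisites test and the real promotion are guaranteed to see identical settings, which is the point of running the check at all.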

Figure 6-8 The Prerequisites Check window

Installing Additional Domain Controllers in a Domain
- Microsoft recommends at least two DCs in every domain, for fault tolerance and load balancing.
- Installing an additional DC in an existing domain is not unlike installing the first DC.
  - The biggest difference is that you select “Add a domain controller to an existing domain” instead of “Add a new forest”.

Installing Additional Domain Controllers in a Domain
When a new DC is added, you need to know the answers to the following questions:
- Should you install DNS?
- Should the DC be a global catalog (GC) server?
- Should this be a read only domain controller (RODC)?
- In which site should the DC be located?

Installing a New Domain in an Existing Forest
Two variations to adding a domain to an existing forest:
- Add a child domain: you’re adding a domain that shares at least the top-level and second-level domain name structure with an existing domain in the forest.
- Add a new tree: you’re adding a new domain with a separate naming structure from any existing domains in the forest.
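The remaining two Deployment Configuration choices, adding a DC to an existing domain (with the four questions from the previous slide answered as parameters) and adding a child domain or a new tree, look like this from PowerShell. This is an added example, not from the textbook; domain names, the site name and the credential prompt are placeholders, and it assumes the ADDSDeployment module on the server being promoted plus an account with rights in the existing forest.

```powershell
# Added example (not from the textbook): the other Deployment Configuration
# options from PowerShell. Names, site and credentials are placeholders.
# Only one branch applies to a given server; each promotion reboots it.
Import-Module ADDSDeployment

$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
# Account with rights in the existing forest (Domain Admins for an extra DC,
# Enterprise Admins for a new domain or tree).
$cred = Get-Credential -Message 'Account in the existing forest'

$deploymentChoice = 'ExistingDomain'   # 'ExistingDomain' | 'ChildDomain' | 'TreeDomain'

switch ($deploymentChoice) {

    'ExistingDomain' {
        # "Add a domain controller to an existing domain". The slide's four
        # questions map onto four parameters.
        $dcParams = @{
            DomainName                    = 'corp.example.com'
            Credential                    = $cred
            InstallDns                    = $true            # Should you install DNS?
            NoGlobalCatalog               = $false           # Should the DC be a GC? ($false = yes)
            SiteName                      = 'Branch-Office'  # In which site should the DC be?
            SafeModeAdministratorPassword = $dsrmPassword
        }
        # Should this be an RODC? Set for a location where the DC cannot be
        # kept physically secure: an RODC holds a read-only copy and caches
        # only the passwords you explicitly allow.
        $readOnly = $false
        if ($readOnly) { $dcParams['ReadOnlyReplica'] = $true }

        $check = Test-ADDSDomainControllerInstallation @dcParams
        $check | Format-List Status, Message
        if ($check.Status -ne 'Success') { throw 'Prerequisites check failed.' }
        Install-ADDSDomainController @dcParams -Force
    }

    'ChildDomain' {
        # "Add a new domain to an existing forest", child variant: the new
        # domain shares its parent's name. NewDomainName is only the leftmost
        # label; ParentDomainName is the parent's FQDN. Result: emea.corp.example.com
        Install-ADDSDomain -DomainType ChildDomain `
            -NewDomainName 'emea' -ParentDomainName 'corp.example.com' `
            -NewDomainNetbiosName 'EMEA' -Credential $cred -InstallDns `
            -SafeModeAdministratorPassword $dsrmPassword -Force
    }

    'TreeDomain' {
        # New tree variant: a separate namespace in the same forest.
        # NewDomainName is the full FQDN; ParentDomainName is the forest root.
        Install-ADDSDomain -DomainType TreeDomain `
            -NewDomainName 'subsidiary.example.net' -ParentDomainName 'corp.example.com' `
            -NewDomainNetbiosName 'SUBSIDIARY' -Credential $cred -InstallDns `
            -SafeModeAdministratorPassword $dsrmPassword -Force
    }
}
```

The difference between the child and tree branches is exactly the difference the slide draws: a child domain is named relative to its parent, while a tree domain carries its own full name and is attached to the forest root only by the forest trust structure.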

Figure 6-9 Adding a new child domain in an existing forest

What’s Inside Active Directory
- Explore Active Directory using the Active Directory Administrative Center (ADAC) or the Active Directory Users and Computers MMC.
- Use ADAC to perform the following AD tasks:
  - Create and manage user, group, and computer accounts
  - Manage OUs
  - Connect to other domain controllers in the same or a different domain
  - Change the domain’s functional level and enable the AD Recycle Bin

Figure 6-15 The Active Directory Users and Computers MMC

The Active Directory Schema
- An object is a grouping of information that describes a network resource.
- The schema defines the type, organization, and structure of data stored in the AD database.
- Schema classes define the types of objects that can be stored in Active Directory.
- Schema attributes define what type of information is stored in each object.
- The information stored in each attribute is called the attribute value.

Figure 6-16 Schema classes, schema attributes, and Active Directory objects
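The class / attribute / value relationship in Figure 6-16 can be read straight out of the schema partition. The script below is an added example, not from the textbook; it assumes the ActiveDirectory module on a domain-joined machine, and `jdoe` is a placeholder account name.

```powershell
# Added example (not from the textbook): read the schema to see how classes,
# attributes and attribute values relate. Assumes the ActiveDirectory module
# and a domain-joined session; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

# The schema has its own naming context, replicated to every DC in the forest.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
"Schema partition: $schemaNc"

# A schema class: what it inherits from and which attributes its objects may
# carry. 'user' inherits from 'organizationalPerson'; most of its attributes
# arrive through that inheritance chain rather than being declared directly.
$userClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties subClassOf, mayContain, systemMayContain, mustContain, systemMustContain
"Class 'user' inherits from : $($userClass.subClassOf)"
"Optional attributes declared directly on 'user': $($userClass.mayContain.Count + $userClass.systemMayContain.Count)"

# A schema attribute: its syntax, whether it holds one value or many, whether
# it is indexed (searchFlags) and whether a global catalog carries it.
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=sAMAccountName))' `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags, isMemberOfPartialAttributeSet
$attr | Format-List lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags, isMemberOfPartialAttributeSet

# Every attribute replicated to the global catalog (the partial attribute set).
# This is the list of data a GC server exposes forest-wide, which matters when
# deciding what may be stored in custom attributes.
function Get-GlobalCatalogAttribute {
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}
"Attributes in the global catalog: $((Get-GlobalCatalogAttribute).Count)"

# Attribute values: the actual data held by one object of class 'user'.
$u = Get-ADUser -Identity 'jdoe' -Properties sAMAccountName, userAccountControl, memberOf, whenCreated
$u | Format-List Name, ObjectClass, sAMAccountName, userAccountControl, whenCreated, memberOf
```

Three levels appear in the output: the class (`user`), the attribute definitions (`sAMAccountName` and its syntax), and the values on a particular object, which is the same decomposition the figure draws.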

Active Directory Container Objects
- A container object contains other objects.
  - Used to organize and manage users and resources on the network
  - Can also act as administrative and security boundaries
- Three container objects are found in AD:
  - Organizational units
  - Folder objects
  - Domain objects

Organizational Units
- An OU is the primary container object for organizing and managing resources in a domain.
- OUs can organize multiple objects into logical administrative groups that can be configured with specific policies relevant to that group.
- Authority over an OU can be delegated.
- Nesting OUs can build a hierarchical Active Directory structure that mimics the corporate structure for easier object management.

Folder Objects
Five are created by default:
- Builtin: houses default groups created by Windows
- Computers: default location for computer accounts created when a new computer or server becomes a domain member
- Foreign Security Principals: contains user accounts from other domains added as members of the local domain’s groups
- Managed Service Accounts: created specifically for services to access domain resources
- Users: stores two default users (Administrator and Guest) and several default groups

Domain Objects
- The core logical structure in AD; contains OU and folder container objects, as well as leaf objects.
- Larger companies may use multiple domains to separate administration, define security boundaries, and define policy boundaries.
- Each domain object has a default GPO linked to it that can affect all objects in the domain.
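The three container types from the last four slides (folder objects, OUs with nesting and delegation, and the domain object with its default GPO link) can be seen and built from PowerShell. This is an added example, not from the textbook; it assumes the ActiveDirectory and GroupPolicy RSAT modules, rights to create OUs in the domain, and uses placeholder OU and group names. The `dsacls` invocation is my assumption of the syntax for granting a single extended right.

```powershell
# Added example (not from the textbook): the three container types in practice.
# Assumes the ActiveDirectory and GroupPolicy (RSAT) modules and rights to
# create OUs. OU names and the 'CORP\Helpdesk' group are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# 1. Folder objects: the default containers directly under the domain object.
#    Builtin has class builtinDomain; Users, Computers, ForeignSecurityPrincipals
#    and Managed Service Accounts are plain containers. None of them is an OU,
#    so no GPO can be linked to them: accounts left in Users or Computers only
#    ever receive the domain-linked policy.
Get-ADObject -SearchBase $domainDn -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=container)(objectClass=builtinDomain))' |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# 2. OUs: a small nested hierarchy that mirrors an org chart. Creating an OU
#    with ProtectedFromAccidentalDeletion mirrors the ADAC/ADUC default.
function New-CompanyOu {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$dn)")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}
$corp  = New-CompanyOu -Name 'Corp'         -ParentDn $domainDn
$sales = New-CompanyOu -Name 'Sales'        -ParentDn $corp
$users = New-CompanyOu -Name 'Users'        -ParentDn $sales
$null  = New-CompanyOu -Name 'Workstations' -ParentDn $sales

# Delegation: let a helpdesk group reset passwords on user objects in one OU
# (inherited to sub-OUs) instead of making them domain administrators.
# Assumed dsacls syntax: /G "principal:CA;<extended right>;<object type>".
dsacls $users /I:S /G 'CORP\Helpdesk:CA;Reset Password;user'

# 3. The domain object and its default GPO link. Every object in the domain,
#    the folder objects included, inherits this unless inheritance is blocked.
$inheritance = Get-GPInheritance -Target $domainDn
$inheritance.GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

The practical takeaway from step 1 is the reason OUs matter: computers that join the domain land in the Computers folder object, and until they are moved into an OU the only policy they receive is whatever is linked at the domain level.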

Active Directory Leaf Objects
- A leaf object doesn’t contain other objects and usually represents one of the following:
  - Security account
  - Network resource
  - GPO
- Security account objects include users, groups, and computers.
- Network resource objects include servers, domain controllers, file shares, printers, etc.

User Accounts
- A user account object contains information such as group memberships, account restrictions, profile path, and dial-in permissions.
- Authentication confirms a user’s identity; the account is then assigned permissions and rights.
- Local user account: authorized to access resources only on that computer.
- Domain user account: provides a single logon for users to access all resources in the domain.
- Windows creates two built-in user accounts: Administrator and Guest.

Groups
- A group object represents a collection of users with common permissions or rights.
  - Permissions: define which resources users can access and what level of access they have.
  - Rights: specify what types of actions a user can perform on a computer or network.
- Groups are used to assign members permissions and rights.
  - More efficient than assigning permissions and rights to each user separately.

Computer Accounts
- A computer account object represents a computer that’s a domain controller or domain member.
- Used to identify, authenticate, and manage computers in the domain.
- Computer accounts are created automatically when AD is installed on a server.
- The computer account object’s name must match the name of the computer that the account represents.

Other Leaf Objects
Other leaf objects commonly created in AD:
- Contact: a person associated with the company but not a network user
- Printer: represents a shared printer in the domain
- Shared folder: represents a shared folder on a computer in the network

Locating Active Directory Objects
- Active Directory objects can be searched for using the Find Users, Contacts, and Groups dialog box.
- You can search a single domain or an entire directory (all domains).
- Not all objects are available to all users; it depends on the object’s security settings and its container.
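The leaf objects from the preceding slides (user, group, computer, contact), the "grant through a group, not per user" rule, and the single-domain versus entire-directory search can be exercised together. This is an added example, not from the textbook; it assumes the ActiveDirectory module and rights to create objects, and every name, the OU path and the share path are placeholders.

```powershell
# Added example (not from the textbook): create the common leaf objects, grant
# access through a group rather than per user, and locate objects in one
# domain versus the whole forest. All names and paths are placeholders.
Import-Module ActiveDirectory

$ouPath = 'OU=Users,OU=Sales,OU=Corp,DC=corp,DC=example,DC=com'

# User account: one domain logon for every resource in the domain. The initial
# password is read interactively and must be changed at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example.com' `
    -Path $ouPath -AccountPassword $initialPassword `
    -Enabled $true -ChangePasswordAtLogon $true

# Group: permissions and rights are granted to the group, never to the user.
# Domain local scope is the usual choice for a group that appears in an ACL.
New-ADGroup -Name 'FS-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ouPath -Description 'Modify access to \\fs01\Sales'
Add-ADGroupMember -Identity 'FS-Sales-Modify' -Members 'jdoe'

# Computer account: the object name must equal the computer's own name; its
# sAMAccountName is that name with a trailing $ and is set automatically.
New-ADComputer -Name 'SALES-WS01' -Path $ouPath -Description 'Sales workstation'

# Contact: a person with no logon. It has no sAMAccountName and cannot
# authenticate, so it can sit in an address list without being a security risk.
New-ADObject -Name 'Vendor Contact' -Type contact -Path $ouPath `
    -OtherAttributes @{ mail = 'support@vendor.example' }

# Locating objects. A single-domain search goes to a DC on LDAP port 389.
# An entire-directory search goes to a global catalog on port 3268 and only
# returns attributes in the GC partial attribute set.
function Find-Person {
    param([string]$Surname, [switch]$EntireForest)
    if ($EntireForest) {
        $gc = Get-ADDomainController -Discover -Service GlobalCatalog
        $server = "$($gc.HostName):3268"
    } else {
        $server = (Get-ADDomain).DNSRoot
    }
    Get-ADUser -Filter "Surname -eq '$Surname'" -Server $server |
        Select-Object Name, SamAccountName, DistinguishedName
}
Find-Person -Surname 'Doe'
Find-Person -Surname 'Doe' -EntireForest

# What a user was granted through groups is the quickest picture of effective access.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
```

Running the two `Find-Person` calls against a multi-domain forest shows the difference the slide describes: the first returns only matches in the current domain, the second returns matches from every domain, because the global catalog holds a partial replica of all of them.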

Working with Forests, Trees, and Domains
- Smaller organizations most likely focus on OUs and their child objects.
- Larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests.
- The first domain controller creates more than just a new domain; it also creates a new tree and the root of a new forest.
- It may eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure.

Active Directory Replication
- Replication is the process of maintaining a consistent database of information when the database is distributed among several locations.
- Intrasite replication: replication between domain controllers in the same site.
- Intersite replication: occurs between two or more sites.
- Multimaster replication: used by AD for replicating AD objects.
- Knowledge Consistency Checker (KCC): runs on all DCs to determine the replication topology.
  - Defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs.

Directory Partitions
- Directory partition - each section of an Active Directory database
- There are five directory partition types in the AD database:
  - Domain directory partition - contains all objects in a domain, including users, groups, computers, OUs, and so forth
  - Schema directory partition - contains information needed to define AD objects and object attributes
  - Global catalog partition - holds the global catalog, which is a partial replica of all objects in the forest
  - Application directory partition - used by applications and services to hold information that benefits from
  - Configuration partition - holds configuration information that can affect the entire forest
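The partitions a given DC actually holds can be read from its rootDSE, which lists every naming context the DC replicates. The following is an added example (not code from the textbook) that classifies each naming context of the DC answering our queries as schema, configuration, domain or application partition, and records whether that DC also serves the global catalog. It assumes the RSAT ActiveDirectory module and that domain DNs follow the domain's DNS name (which is how AD forms them).

```powershell
# Added example (not from the textbook slides): inventory of the directory
# partitions held by one DC. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Replication scope of each partition type, as described on the slide
$scopeByType = @{
    Schema        = 'Every DC in the forest'
    Configuration = 'Every DC in the forest'
    Domain        = 'DCs of that domain only'
    Application   = 'DCs enrolled on the partition'
    Unknown       = 'n/a'
}

function Get-PartitionInventory {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $dc      = Get-ADDomainController -Identity $rootDse.dnsHostName

    # A domain's DN follows its DNS name: example.com -> DC=example,DC=com
    $domainDns = foreach ($d in $forest.Domains) { 'DC=' + ($d -replace '\.', ',DC=') }

    foreach ($nc in $rootDse.namingContexts) {
        $type = 'Unknown'
        if     ($nc -eq $rootDse.schemaNamingContext)        { $type = 'Schema' }
        elseif ($nc -eq $rootDse.configurationNamingContext) { $type = 'Configuration' }
        elseif ($domainDns -contains $nc)                    { $type = 'Domain' }
        elseif ($forest.ApplicationPartitions -contains $nc) { $type = 'Application' }

        [PSCustomObject]@{
            Server    = $dc.HostName
            Partition = $nc
            Type      = $type
            Scope     = $scopeByType[$type]
            # The global catalog (partial replica of every domain) is not a
            # separate naming context here; it is a role the DC does or does not hold
            ServesGC  = $dc.IsGlobalCatalog
        }
    }
}

Get-PartitionInventory | Format-Table -AutoSize
```

On a default single-domain forest the output shows five naming contexts: the domain, Configuration, Schema, and the two DNS application partitions (DomainDnsZones and ForestDnsZones) that AD-integrated DNS creates.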

Operations Master Roles
- Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function
- The first domain controller in the forest generally takes on the role of the operations master
- If necessary, responsibility for these roles can be transferred to another domain controller

Operations Master Roles
- Five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles:
  - Schema master
  - Infrastructure master
  - Domain Naming master
  - RID master
  - PDC Emulator master
- When removing DCs from a forest, be careful that these roles are not removed from the network accidentally
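The warning on the slide, not to lose a role when a DC is removed, is easy to enforce with a check before demotion. The following is an added example (not code from the textbook) that reads the five role holders (the two forest-wide roles from Get-ADForest, the three domain-wide roles from Get-ADDomain) and refuses a demotion of a DC that still holds any of them. It assumes the RSAT ActiveDirectory module; the DC name in $dcToRemove is a placeholder.

```powershell
# Added example (not from the textbook slides): FSMO holder inventory and a
# pre-demotion safety check. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Schema and Domain Naming masters are one per forest; the other three are one per domain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$DomainController)
    # Role holders are reported as FQDNs; accept either a short name or an FQDN
    $held = Get-FsmoRoleHolders | ForEach-Object { $_.GetEnumerator() } | Where-Object {
        $_.Value -eq $DomainController -or $_.Value -like "$DomainController.*"
    }
    foreach ($role in $held) {
        Write-Warning "$DomainController still holds the $($role.Key) role ($($role.Value)); transfer it before demoting"
    }
    return ($held.Count -eq 0)
}

Get-FsmoRoleHolders | Format-Table -AutoSize

$dcToRemove = 'DC1.example.com'   # placeholder
if (Test-SafeToDemote -DomainController $dcToRemove) {
    Write-Output "$dcToRemove holds no operations master role; safe to demote"
} else {
    # Transfer the roles to a surviving DC first, for example:
    # Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster, DomainNamingMaster
    Write-Output "Transfer the roles listed above, then re-run this check"
}
```

Transferring with Move-ADDirectoryServerOperationMasterRole is the orderly path while the old holder is still online; seizing a role (the -Force switch of the same cmdlet) is only for a holder that is permanently gone, since a seized role that later comes back online creates two masters for the same function.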

Trust Relationships
- In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain
- Trust relationships are established automatically between all domains in the forest
- Trusts do not equal permissions
  - Permissions are still required to access resources, even if a trust relationship exists
  - When there is no trust between domains, no access across domains is possible
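Both halves of the slide, what a trust permits and that it grants no permissions by itself, can be checked from the domain. The following is an added example (not code from the textbook) that lists every trust of the current domain with the attributes a security review looks at (direction, transitivity, selective authentication, SID filtering flags, TGT delegation), and then shows for one folder which ACEs actually name principals from other domains, since a trusted user without such an ACE still gets nothing. It assumes the RSAT ActiveDirectory module; the folder path is a placeholder.

```powershell
# Added example (not from the textbook slides): trust review plus a
# cross-domain ACE listing. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReview {
    foreach ($t in Get-ADTrust -Filter *) {
        $notes = @()
        # Intra-forest trusts are automatic and transitive; the settings below
        # are the ones to review on external and forest trusts
        if (-not $t.IntraForest) {
            if (-not $t.SelectiveAuthentication) { $notes += 'no selective authentication: every trusted user may authenticate here' }
            if ($t.TGTDelegation)                 { $notes += 'TGT delegation enabled across the trust' }
        }
        if ($t.UsesRC4Encryption) { $notes += 'RC4 enabled for trust keys' }

        [PSCustomObject]@{
            Target        = $t.Target
            Direction     = $t.Direction          # Inbound, Outbound or BiDirectional
            TrustType     = $t.TrustType
            IntraForest   = $t.IntraForest
            Transitive    = -not $t.DisallowTransivity
            SIDFiltering  = "Quarantined=$($t.SIDFilteringQuarantined) ForestAware=$($t.SIDFilteringForestAware)"
            Notes         = $notes -join '; '
        }
    }
}

function Get-CrossDomainAces {
    param([Parameter(Mandatory)][string]$Path)
    $localDomain = (Get-ADDomain).NetBIOSName
    # Identities that are not domain principals and should not be reported
    $wellKnown   = 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $env:COMPUTERNAME
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # IdentityReference is DOMAIN\name (or a bare SID when it cannot be resolved)
        $id = $ace.IdentityReference.Value
        if ($id -match '^([^\\]+)\\' -and $Matches[1] -ne $localDomain -and $wellKnown -notcontains $Matches[1]) {
            [PSCustomObject]@{
                Path     = $Path
                Identity = $id
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
        }
    }
}

Get-TrustReview | Format-Table -AutoSize

# A trust only lets these principals be named here; without an ACE they have no access
Get-CrossDomainAces -Path 'D:\Shares\Finance'   # placeholder path
```

An empty result from Get-CrossDomainAces on a folder that a trusted domain's users are expected to reach is the practical meaning of "trusts do not equal permissions": the trust exists, but nobody has granted anything through it yet.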

The Role of Forests
- All domains in a forest share some common characteristics:
  - A single schema
  - Forest-wide administrative accounts
  - Operations masters
  - Global Catalog
  - Trusts between domains
  - Replication between domains

The Importance of the Global Catalog Server
- The first DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured
- Global Catalog servers perform the following vital functions:
  - Facilitate domain- and forest-wide searches
  - Facilitate logon across domains - users can log on to computers in any domain by using their user principal name (UPN)
  - Hold universal group membership information
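Whether a site has a GC is a design question the slide raises but does not show how to verify. The following is an added example (not code from the textbook) that gathers the DCs of every domain in the forest, reports per site how many are GCs, and then performs the forest-wide UPN lookup the slide describes by querying the GC's LDAP port (3268) instead of a single domain. It assumes the RSAT ActiveDirectory module; the UPN is a placeholder.

```powershell
# Added example (not from the textbook slides): GC coverage per site and a
# forest-wide UPN lookup. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GlobalCatalogCoverage {
    $forest = Get-ADForest
    # Get-ADDomainController sees one domain at a time, so query each domain in the forest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    foreach ($site in (Get-ADReplicationSite -Filter *)) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs     = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
        # A site with DCs but no GC sends UPN logons and universal-group lookups over the WAN
        $warning = if ($siteDcs.Count -gt 0 -and $gcs.Count -eq 0) { 'No GC in site' } else { '' }
        [PSCustomObject]@{
            Site      = $site.Name
            DCs       = $siteDcs.Count
            GCs       = $gcs.Count
            GCServers = ($gcs | ForEach-Object { $_.HostName }) -join ', '
            Warning   = $warning
        }
    }
}

function Find-UserByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # Port 3268 is the GC's LDAP port: it answers for the whole forest from its partial replica,
    # which is what makes a UPN logon resolvable without knowing the user's domain
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Server "${gc}:3268" -Properties UserPrincipalName, CanonicalName
}

Get-GlobalCatalogCoverage | Format-Table -AutoSize

Find-UserByUpn -Upn 'jdoe@example.com'   # placeholder UPN; CanonicalName shows which domain holds the account
```

Making an additional DC a GC is done on its NTDS Settings object (the Global Catalog check box in Active Directory Sites and Services); after the change, the partial replicas of the other domains have to replicate in before the new GC advertises itself, so the coverage report lags the configuration change.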

Forest Root Domain
- The first domain is the forest root and is referred to as the forest root domain
- Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate
- Functions the forest root domain usually handles:
  - DNS server
  - Global catalog server
  - Forest-wide administrative accounts
  - Operations masters

Figure 6-30 The forest root domain

Understanding Domains and Trees
- Organizations operating under a single name internally
  - An AD forest with only one tree is best
- When two companies merge or a large company splits into separate business units
  - A multiple-tree structure makes sense

Designing the Domain Structure
- Most small and medium businesses choose a single domain for the following reasons:
  - Simplicity
  - Lower costs
  - Easier management
  - Easier access to resources
- A single-domain structure is usually easier and less expensive than a multidomain structure
  - It may not always be the better solution

Designing the Domain Structure
- Using more than one domain makes sense, or is even a necessity, in the following circumstances:
  - Need for differing account policies
  - Need for different name identities
  - Replication control
  - Need for internal versus external domains
  - Need for tight security

Summary
- A directory service is a database that stores network resource information and can be used to manage users, computers, and resources throughout the network
- Active Directory is based on the X.500 standard and LDAP
- Use Server Manager to install the Active Directory Domain Services role
- Installing the first DC in a network creates a new forest, and the domain is called the forest root domain
- The data in Active Directory is organized as objects

Summary
- There are two types of objects in Active Directory: container objects and leaf objects
- Leaf objects generally represent security accounts, network resources, and GPOs
- The AD Recycle Bin can be enabled in ADAC, but after it's enabled, it can't be disabled
- Active Directory objects can be located easily with search functions in Active Directory Users and Computers and Windows Explorer
- Large organizations might require multiple domains, trees, and forests

Summary
- Directory partitions are sections of the Active Directory database that hold varied types of data and are managed by different processes
- The forest is the broadest logical Active Directory component
- A domain is the primary identifying and administrative unit of Active Directory
- GPOs are lists of settings that enable administrators to configure user and computer environments remotely
- Policies defined in the Computer Configuration node affect all computers in the Active Directory container to which the GPO is linked