Module 1: Introduction to Active Directory
Overview
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network
Introduction to Active Directory
- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)
What Is Active Directory?
Directory service functionality:
- Organize, manage, and control network resources
Centralized management:
- Single point of administration
- Full user access to directory resources by a single logon
Diagram: Active Directory sitting between the administrator and the resources it organizes, manages, and controls
Active Directory Objects
- Objects represent network resources
- Attributes store information about an object
Diagram: user objects (Suzan Fine, Don Hall) with the attributes First Name, Last Name, and Logon Name; printer objects (Printer1, Printer2, Printer3) with the attributes Printer Name and Printer Location; each attribute holds a value
Active Directory Schema
The Active Directory schema is:
- Dynamically available
- Dynamically updateable
- Protected by DACLs
Class examples: Users, Computers, Printers
Attribute examples: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, ...
Attributes of Users might contain: accountExpires, department, distinguishedName, middleName
DNS and Active Directory Namespaces
Diagram: the DNS namespace descends from the Internet root domain "." through com. to microsoft.com, then to training.microsoft.com and sales.microsoft.com, and to the host computer1; the DNS nodes that are also Active Directory domains (microsoft.com, training.microsoft.com, sales.microsoft.com) appear in the Active Directory namespace under the same names, so the two namespaces share one hierarchy
Lightweight Directory Access Protocol (LDAP)
- LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
LDAP naming paths include:
- Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
- Relative distinguished names, for example the Suzan Fine portion of that distinguished name
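The naming path above can be taken apart mechanically. The following is an added example written for this page, not code from the course module: it splits a distinguished name into its relative distinguished names, recovers the parent container and the DNS name of the domain from the DC= components, and builds the canonical (path-style) name. The backslash handling follows the RFC 4514 escape rules, which the slide does not cover, so a value that itself contains a comma is parsed correctly.

```python
# Added example, not from the course module: taking apart an LDAP
# distinguished name (DN) such as CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
# into its relative distinguished names (RDNs), the parent container,
# the DNS name of the domain, and the canonical (path-style) name.
# Backslash escapes follow RFC 4514, so a value may itself contain a comma.

def split_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leftmost RDN first."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))  # an unescaped comma ends the current RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def join_dn(pairs):
    """Rebuild a DN string, re-escaping commas inside values."""
    return ",".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in pairs)

def rdn(dn):
    """The relative distinguished name: the leftmost component only."""
    return join_dn(split_dn(dn)[:1])

def parent_dn(dn):
    """The DN of the container that holds the object."""
    return join_dn(split_dn(dn)[1:])

def dns_domain(dn):
    """The DNS name of the domain, built from the DC= components in order."""
    return ".".join(value for attr, value in split_dn(dn) if attr.upper() == "DC")

def canonical_name(dn):
    """Canonical name: the domain first, then the path from the domain down to the object."""
    parts = split_dn(dn)
    path = [value for attr, value in reversed(parts) if attr.upper() != "DC"]
    return "/".join([dns_domain(dn)] + path)

if __name__ == "__main__":
    sample = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"
    print(rdn(sample), "|", parent_dn(sample), "|", dns_domain(sample), "|", canonical_name(sample))
```

The parser keeps the RDN as `CN=Suzan Fine`, which is the attribute-and-value form the directory itself uses; the slide's "Suzan Fine" is the value part of that RDN.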
Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests
- Global Catalog
Domains
A domain is a security boundary:
- A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A domain is a unit of replication:
- Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
Diagram: Windows 2000 domain replication, with User1 and User2 replicated between the domain controllers of one domain
Organizational Units
- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups
Diagram: one OU hierarchy that follows the network administrative model (Users, Computers) and one that follows the organizational structure (Sales, Repair, Vancouver)
Trees and Forests
Diagram: a forest containing two trees; the tree rooted at contoso.msft (root) has the child domains au.contoso.msft and asia.contoso.msft, and the tree rooted at nwtraders.msft has the child domains au.nwtraders.msft and asia.nwtraders.msft; parent and child domains, and the two tree roots, are joined by two-way transitive trusts
Global Catalog
- The global catalog server holds a subset of the attributes of all objects
- Global catalog queries resolve group membership when a user logs on
Diagram: a global catalog server receiving a subset of the attributes of all objects from each domain
Introduction to the Role of DNS in Active Directory
Name resolution:
- DNS translates computer names to IP addresses
- Computers use DNS to locate each other on the network
Naming convention for Windows 2000 domains:
- Windows 2000 uses DNS naming standards for domain names
- DNS domains and Active Directory domains share a common hierarchical naming structure
Locating the physical components of Active Directory:
- DNS identifies domain controllers by the services they provide
- Computers use DNS to locate domain controllers and global catalog servers
DNS Host Names and Windows 2000 Computer Names
- The DNS host record and the Active Directory computer object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory
Diagram: in DNS, "." > com. > microsoft > training > computer1 gives the FQDN computer1.training.microsoft.com; in Active Directory, the domain training.microsoft.com holds the Builtin and Computers containers, and Computers holds Computer1 and Computer2; the Windows 2000 computer name is Computer1
DNS Requirements for Active Directory
DNS requirements to support Active Directory:
- Support for SRV records (mandatory)
- Support for the dynamic update protocol (recommended)
- Support for incremental zone transfers (recommended)
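SRV records are mandatory because they are how a client finds a domain controller or global catalog server by the service it provides. The following added example, written for this page and not part of the course module, shows the SRV names the Windows 2000 domain controller locator queries (the `_ldap._tcp.dc._msdcs.<domain>`, `_kerberos._tcp.dc._msdcs.<domain>`, `_gc._tcp.<forest>` and site-specific `_sites` names that Net Logon registers), parses SRV records written in zone-file form, and applies the priority and weight selection that RFC 2782 defines for choosing among several answers. The zone data and host names are constructed for the example.

```python
# Added example, not from the course module: the SRV record names that the
# Windows 2000 domain controller locator queries, a parser for SRV records in
# zone-file form, and the priority/weight selection that RFC 2782 defines for
# choosing among several answers. The record set below is constructed for
# this example and is not real DNS data.
import random

def dc_locator_names(domain, forest_root, site=None):
    """SRV names registered by Net Logon that clients query to find DCs and GCs."""
    names = {
        "dc":  f"_ldap._tcp.dc._msdcs.{domain}",       # any DC for the domain
        "kdc": f"_kerberos._tcp.dc._msdcs.{domain}",   # any Kerberos KDC for the domain
        "gc":  f"_gc._tcp.{forest_root}",              # any global catalog in the forest
    }
    if site:   # site-specific names let a client prefer a DC on its own fast link
        names["dc_in_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["gc_in_site"] = f"_gc._tcp.{site}._sites.{forest_root}"
    return names

def parse_srv(line):
    """Parse one zone-file SRV record: owner TTL class SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return {
        "owner": fields[0].rstrip("."),
        "ttl": int(fields[1]),
        "priority": int(fields[4]),
        "weight": int(fields[5]),
        "port": int(fields[6]),
        "target": fields[7].rstrip("."),
    }

def select_srv(records, rng=random.random):
    """RFC 2782: consider only the records with the lowest priority value, then
    pick one at random in proportion to weight. rng is injectable for testing."""
    best = min(r["priority"] for r in records)
    candidates = [r for r in records if r["priority"] == best]
    total = sum(r["weight"] for r in candidates)
    if total == 0:                       # all weights zero: any candidate will do
        return candidates[0]
    point = rng() * total
    running = 0
    for r in candidates:
        running += r["weight"]
        if point < running:
            return r
    return candidates[-1]

# constructed sample: two equally weighted DCs, plus one at a worse priority
# that is used only when no priority-0 DC answers
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 dc1.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 dc2.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 10 100 389 dc3.contoso.msft.
"""
SAMPLE_RECORDS = [parse_srv(line) for line in SAMPLE_ZONE.strip().splitlines()]

if __name__ == "__main__":
    print(dc_locator_names("sales.contoso.msft", "contoso.msft", "Seattle"))
    print(select_srv(SAMPLE_RECORDS)["target"])
```

A DNS server that cannot hold SRV records cannot answer any of these names, which is why the slide marks SRV support as mandatory; dynamic update only matters for letting domain controllers register the records themselves.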
What Is a Tree?
Diagram: the tree root domain contoso.msft is the parent domain of the child domain sales.contoso.msft; a new domain added to the tree shares its contiguous namespace
What Is a Forest?
- A forest is one or more trees
- Trees in a forest do not share a contiguous namespace
- All of the domains in a forest share a common configuration, schema, and global catalog
Diagram: a forest containing the tree contoso.msft (with sales.contoso.msft) and the tree nwtraders.msft (with marketing.nwtraders.msft and sales.nwtraders.msft)
What Is the Forest Root Domain?
- The forest root domain is the first domain created in a forest
Diagram: the forest root domain contoso.msft (with sales.contoso.msft) and the tree root domain nwtraders.msft (with marketing.nwtraders.msft); the forest root domain holds the global catalog, the configuration and schema, and the Enterprise Admins and Schema Admins groups
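The tree, forest, and trust slides above can be worked through on the domain names they show. The following is an added example for this page, not code from the course module: it groups a forest's domains into trees by contiguous DNS namespace (a domain is a child of the nearest existing domain whose name is its suffix) and traces the chain of two-way transitive trusts that authentication crosses between any two domains, parent-child within a tree and tree-root to tree-root between trees. The forest root domain is whichever domain was created first, which cannot be derived from names, so the example does not try to.

```python
# Added example, not from the course module: grouping the domains of a forest
# into trees by contiguous DNS namespace, and tracing the chain of two-way
# transitive trusts (parent-child within a tree, tree root to tree root
# between trees) that connects any two domains of the forest.
# The domain names are the ones on the slides.

def parent_of(domain, domains):
    """Nearest ancestor domain that exists in the forest, or None for a tree root."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def chain_to_root(domain, domains):
    """[domain, parent, grandparent, ..., tree root]."""
    chain = [domain]
    while (parent := parent_of(chain[-1], domains)) is not None:
        chain.append(parent)
    return chain

def build_trees(domains):
    """Map each tree root to the sorted list of domains in its tree."""
    domains = set(domains)
    trees = {}
    for d in domains:
        trees.setdefault(chain_to_root(d, domains)[-1], []).append(d)
    return {root: sorted(members) for root, members in trees.items()}

def trust_path(src, dst, domains):
    """Domains crossed when an account in src is authenticated to dst."""
    domains = set(domains)
    up = chain_to_root(src, domains)
    down = chain_to_root(dst, domains)
    # same tree: drop every shared ancestor above the lowest common one
    while len(up) > 1 and len(down) > 1 and up[-1] == down[-1] and up[-2] == down[-2]:
        up.pop()
        down.pop()
    if up[-1] == down[-1]:      # lowest common ancestor: list it only once
        down.pop()
    # different trees: up ends at one tree root and down at the other; inside a
    # forest the two tree roots trust each other directly
    return up + down[::-1]

FOREST = ["contoso.msft", "sales.contoso.msft",
          "nwtraders.msft", "marketing.nwtraders.msft", "sales.nwtraders.msft"]

if __name__ == "__main__":
    print(build_trees(FOREST))
    print(" -> ".join(trust_path("sales.contoso.msft", "marketing.nwtraders.msft", FOREST)))
```

Because every trust on the path is two-way and transitive, the same chain works in both directions; a single missing parent domain (a gap in the namespace) would instead start a new tree, which is exactly what distinguishes nwtraders.msft from a child of contoso.msft.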
Characteristics of Multiple Domains
- Reduce replication traffic
- Maintain separate and distinct security policies between domains
- Preserve the domain structure of earlier versions of Windows NT
- Separate administrative control
Active Directory Physical Structure
- Domain Controllers
- Sites
Domain Controllers
Domain controllers:
- Participate in Active Directory replication
- Perform single master operations roles in a domain
Diagram: domain controllers replicating User1 and User2 within a domain; each domain controller holds a writeable copy of the Active Directory database
Sites
Sites:
- Optimize replication traffic
- Enable users to log on to a domain controller by using a reliable, high-speed connection
Diagram: sites in Los Angeles, Seattle, Chicago, and New York, each site associated with an IP subnet
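The link between a site and its IP subnet is what lets a client be steered to a nearby domain controller. The following added example, written for this page and not taken from the course module, maps a client address to a site by finding the most specific matching subnet (the behaviour of the subnet objects that sites are associated with) and then orders domain controllers so that those in the client's own site come first. The site names are the ones on the slide; the subnets and domain controller names are constructed.

```python
# Added example, not from the course module: mapping a client's IP address to
# a site through the subnets associated with sites, and preferring domain
# controllers in the client's own site for logon. Site names are from the
# slide; the subnets and DC names are constructed.
import ipaddress

# constructed subnet-to-site associations
SITE_SUBNETS = {
    "10.1.0.0/16":   "Los Angeles",
    "10.2.0.0/16":   "Seattle",
    "10.3.0.0/16":   "Chicago",
    "10.3.128.0/17": "New York",   # overlaps Chicago's range; the longer prefix wins
}

def site_for_address(address, subnets=SITE_SUBNETS):
    """Return the site whose most specific subnet contains the address, or None."""
    ip = ipaddress.ip_address(address)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net and (
                best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site

def order_dcs_for_client(address, dcs, subnets=SITE_SUBNETS):
    """Domain controllers with those in the client's site first, so logon uses
    the reliable, high-speed connection inside the site when one exists."""
    site = site_for_address(address, subnets)
    in_site = sorted(name for name, dc_site in dcs.items() if dc_site == site)
    elsewhere = sorted(name for name, dc_site in dcs.items() if dc_site != site)
    return in_site + elsewhere

SAMPLE_DCS = {   # constructed: domain controller name -> site
    "dc-la1": "Los Angeles",
    "dc-sea1": "Seattle",
    "dc-chi1": "Chicago",
    "dc-ny1": "New York",
}

if __name__ == "__main__":
    for client in ("10.3.200.5", "10.3.5.5", "192.168.1.1"):
        print(client, "->", site_for_address(client), order_dcs_for_client(client, SAMPLE_DCS))
```

A client whose address falls in no defined subnet has no site, so it gets no preference and may end up authenticating across a slow link; keeping the subnet-to-site associations complete is what makes the "reliable, high-speed connection" on the slide happen in practice.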
Introduction to Active Directory Replication
- Multimaster replication with loose convergence
Diagram: Domain Controller A, Domain Controller B, and Domain Controller C replicating with one another
Replication Components and Processes
- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication
How Replication Works
Diagram: an Active Directory update (Add, Modify, Move, Delete) is an originating update on Domain Controller A; replication carries it to Domain Controller B and Domain Controller C, where it is a replicated update
Replication Latency
- Default replication latency (change notification) = 5 minutes
- When there are no changes, scheduled replication = one hour
- Urgent replication = immediate change notification
Diagram: an originating update on Domain Controller A triggers a change notification to Domain Controller B and Domain Controller C, which then replicate the update
Resolving Replication Conflicts
Each originating update carries a stamp made up of:
- Version number
- Timestamp
- Server GUID
Conflicts can be due to:
- Attribute value
- Adding/moving under a deleted container object, or the deletion of a container object
- Sibling name
Diagram: Domain Controller A and Domain Controller B each make an originating update to the same object, each with its own stamp; the stamps are compared to resolve the conflict
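The stamp comparison that resolves an attribute-value conflict is deterministic, so every domain controller reaches the same answer without coordination. The following is an added example for this page, not code from the course module: it models the stamp (version number, timestamp, originating server GUID) and the comparison order that Active Directory applies (highest version wins, ties go to the later timestamp, remaining ties to the numerically higher GUID), and shows the outcomes for the two structural conflicts on the slide, where the orphaned object is placed in the domain's LostAndFound container and the losing sibling is renamed with a CNF: suffix. The GUIDs and timestamps are constructed.

```python
# Added example, not from the course module: comparing the stamps that
# Active Directory attaches to originating updates (version number,
# timestamp, originating server GUID) to decide which of two conflicting
# attribute writes wins, plus the outcomes of the two structural conflicts
# named on the slide. GUIDs and timestamps below are constructed.
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class Stamp:
    version: int        # incremented by 1 on every originating write
    timestamp: int      # time of the originating write, in seconds
    server_guid: str    # GUID of the domain controller where the write originated

    def key(self):
        # comparison order: version, then timestamp, then the GUID as a number
        return (self.version, self.timestamp, uuid.UUID(self.server_guid).int)

def winning_stamp(a, b):
    """Highest version wins; ties go to the later timestamp; equal timestamps go
    to the numerically higher originating server GUID, so two DCs that compare
    the same pair of stamps always pick the same winner."""
    return a if a.key() >= b.key() else b

def originating_write(current, server_guid, now):
    """Stamp produced when a DC writes an attribute that currently carries `current`."""
    return Stamp(current.version + 1, now, server_guid)

def resolve_deleted_parent(child_rdn, domain_dn):
    r"""Object added or moved under a container that was deleted elsewhere: the
    object survives and is placed in the domain's LostAndFound container."""
    return f"{child_rdn},CN=LostAndFound,{domain_dn}"

def resolve_sibling_name(loser_rdn, loser_object_guid):
    r"""Two objects created with the same name under one container: the losing
    object is renamed to <name>\0ACNF:<objectGUID> (a line feed, then CNF:) so
    both objects are kept and an administrator can sort them out."""
    return f"{loser_rdn}\nCNF:{loser_object_guid}"

def demo_conflict():
    """Both DCs change the same attribute before either replicates: same version,
    so the later timestamp (DC B's write) wins."""
    a_guid = "11111111-1111-1111-1111-111111111111"
    b_guid = "22222222-2222-2222-2222-222222222222"
    replicated = Stamp(1, 1000, a_guid)                  # value as last replicated everywhere
    on_a = originating_write(replicated, a_guid, 1005)   # Domain Controller A writes
    on_b = originating_write(replicated, b_guid, 1007)   # Domain Controller B writes too
    return winning_stamp(on_a, on_b)

if __name__ == "__main__":
    print(demo_conflict())
    print(resolve_sibling_name("CN=Suzan Fine", "33333333-3333-3333-3333-333333333333"))
```

Note what the rule does not do: it never merges the two values, and it does not prefer the "local" write. The loser's change is simply overwritten once the winner replicates in, which is why multimaster replication is described as converging loosely rather than serialising writes.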
Optimizing Replication
Diagram: each domain controller (A, B, C) tracks updates by the originating server's GUID and USN; an originating update on Domain Controller A reaches B and C as a replicated update, and each domain controller's up-to-dateness vector records, per originating server GUID, the highest originating USN it has received
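The GUID/USN pairs in the up-to-dateness vector are what stop a change that has already arrived by one path from being sent again by another. The following added example, written for this page and not taken from the course module, simulates three domain controllers: each originating update gets the originating server's GUID (here, its name) and USN, each domain controller keeps a vector of the highest originating USN it has seen from each server, and a source sends a partner only the updates whose originating USN exceeds the partner's vector entry. Conflicting writes are not resolved in this simulation; a replicated value simply overwrites, which is sufficient for the scenario shown.

```python
# Added example, not from the course module: a small simulation of how the
# up-to-dateness vector and originating USNs let a domain controller send a
# partner only the updates the partner has not already received by any
# path (propagation dampening). Names follow the slide; object names and
# values are constructed. Conflicting writes are not resolved here:
# a replicated value simply overwrites.

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0        # local update sequence number, advanced by every change applied here
        self.objects = {}   # object -> (value, originating DC, originating USN)
        self.utd = {}       # up-to-dateness vector: originating DC -> highest originating USN seen

    def originate(self, obj, value):
        """An originating update: the change is made first on this domain controller."""
        self.usn += 1
        self.objects[obj] = (value, self.name, self.usn)
        self.utd[self.name] = self.usn
        return self.usn

    def changes_missing_from(self, partner_utd):
        """Updates whose originating USN exceeds what the partner's vector says it already has."""
        return [(obj, value, origin, o_usn)
                for obj, (value, origin, o_usn) in self.objects.items()
                if o_usn > partner_utd.get(origin, 0)]

    def replicate_from(self, source):
        """Pull changes from source; returns how many updates were actually sent."""
        sent = source.changes_missing_from(self.utd)
        for obj, value, origin, o_usn in sent:
            self.usn += 1                       # a replicated update still consumes a local USN
            self.objects[obj] = (value, origin, o_usn)
            self.utd[origin] = max(self.utd.get(origin, 0), o_usn)
        # after a complete cycle the destination knows at least what the source knew
        for origin, o_usn in source.utd.items():
            self.utd[origin] = max(self.utd.get(origin, 0), o_usn)
        return len(sent)

def run_scenario():
    """A originates a change; B pulls from A, C pulls from B, then C pulls from A
    (nothing to send). B then originates a change; A pulls from B, C pulls from A,
    then C pulls from B (again nothing to send). Returns the per-step counts."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.originate("CN=Suzan Fine", "telephoneNumber=555-0100")
    counts = [b.replicate_from(a), c.replicate_from(b), c.replicate_from(a)]
    b.originate("CN=Don Hall", "department=Sales")
    counts += [a.replicate_from(b), c.replicate_from(a), c.replicate_from(b)]
    return counts, c.objects, c.utd

if __name__ == "__main__":
    counts, objects, utd = run_scenario()
    print("updates sent per step:", counts)
    print("C holds:", objects)
    print("C's up-to-dateness vector:", utd)
```

The third and sixth steps send nothing even though the source does hold data the destination needs in general: the vector proves the destination already has everything that originated on A up to USN 1 and on B up to USN 2, regardless of which partner delivered it.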
Replication Topology
- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of Partitions
Directory Partitions
The Active Directory database is divided into directory partitions:
- Schema (forest-wide): contains definitions and rules for creating and manipulating all objects and attributes
- Configuration (forest-wide): contains information about the Active Directory structure
- Domain (for example, contoso.msft): holds information about all domain-specific objects created in Active Directory
What Is Replication Topology?
Diagram: domain controllers from the same domain (A1, A2, A3, A4) form the Domain A topology; domain controllers from a different domain (B1, B2, B3) form the Domain B topology; domain controllers from both domains take part in the shared schema/configuration topology
Global Catalog and Replication of Partitions
- A global catalog server holds a read-only copy of all domain directory partitions (a partial directory partition replica)
Diagram: a global catalog server in contoso.msft holding the schema and configuration partitions, its own contoso.msft domain partition, and a partial replica of the namerica.contoso.msft domain partition; it therefore takes part in the Domain A topology, the Domain B topology, and the schema/configuration topology
Automatic Replication Topology Generation
- The Knowledge Consistency Checker (KCC) on each domain controller generates the replication topology automatically
Diagram: the KCC building the domain topology and the schema/configuration topology among domain controllers A1 through A8
Methods for Administering a Windows 2000 Network
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control
Using Active Directory for Centralized Management
Active Directory:
- Enables a single administrator to centrally manage resources
- Allows administrators to easily locate information
- Allows administrators to group objects into OUs
- Uses Group Policy to specify policy-based settings
Diagram: a domain with OU1 and OU2 holding Computers (Computer1), Users (User1, User2), and Printers (Printer1); Search Active Directory locates objects across the domain
Managing the User Environment
Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline
Diagram: Group Policy applied in order (1, 2, 3) from the domain to OU1, OU2, and OU3; Windows 2000 enforces Group Policy continually rather than applying it once
Delegating Administrative Control
Assign permissions:
- For specific OUs to other administrators
- To modify specific attributes of an object in a single OU
- To perform the same task in all OUs
Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design
Diagram: Admin1, Admin2, and Admin3 delegated control over OU1, OU2, and OU3 within the domain
Review
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network