Active Directory Fundamentals


1 Active Directory Fundamentals
Thomas Lee, Chief Technologist, QA

KEY MESSAGE: Introduce yourself and then the session title.
SLIDE BUILDS: None
SLIDE SCRIPT: Hello and welcome to this TechNet session on Active Directory Fundamentals. My name is {state your name and title}.
SLIDE TRANSITION: What are we going to cover?
ADDITIONAL INFORMATION FOR PRESENTER:

2 What we will cover
Domains, Trees, Forests
Domain Controllers, Sites
The Domain Naming Service
Replication
Operations Masters
Lots of demos….

KEY MESSAGE: What are we going to cover?
SLIDE BUILDS: None
SLIDE SCRIPT: So in today's session, we will be looking at what makes up the Active Directory and covering the terms you will hear when people talk about the service. Some of these components are logical in nature, such as Domains, Domain Trees, and Forests; some are physical in nature, such as Domain Controllers and Sites. We will also cover the Domain Naming Service and how it plays a part in Active Directory operations. We will then look at site communication and how information is replicated around so that everyone has the same view of the directory. Finally, we cover the Operations Masters.
SLIDE TRANSITION:

3 Prerequisite Knowledge
Understanding of what a directory service is
Level 200+

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT: Since this is a fundamentals session, there are no real product-specific requirements. However, an understanding of what a directory service is will come in handy.
SLIDE TRANSITION:

4 Agenda
Active Directory Logical Concepts
Active Directory Physical Concepts
DNS
Replication
Operations Masters

KEY MESSAGE: Today's Agenda
SLIDE BUILDS: None
SLIDE SCRIPT: So, as we mentioned in what we will be covering, the agenda divides into the Logical and Physical parts of the Active Directory, then DNS, then Replication (which will include Sites), and finally the Operations Masters.
SLIDE TRANSITION: So let's start with the Logical Concepts.
ADDITIONAL INFORMATION FOR PRESENTER:

5 Active Directory Logical Concepts: Domains
Boundary of Security: NOT!!!
Boundary of Authentication
Boundary of Replication (Domain NC replication)
Boundary of DNS Namespace
Boundary of Administration

KEY MESSAGE: Define what Domains mean.
SLIDE BUILDS: None
SLIDE SCRIPT: A domain is the core unit of logical structure in Active Directory. Domains represent a logical partition within the Active Directory for both security and directory replication. Each domain stores information only about the objects it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is the supported (tested) limit. Domains function in several capacities: they serve as boundaries of authentication, replication, namespace, and security policies. Domains are manifested as DCs. There is also a one-to-one correspondence between Active Directory Domains and DNS Domains. Since all users in a domain must log on to a domain controller for that domain, domains are also:
Boundaries of authentication. Domain controllers are responsible for authenticating users and groups.
Boundary of security policies. Certain security policies are applied exclusively at the domain level, including Password Length, Account Lockout, and Kerberos Ticket Lifetime. Security policies that are defined in one Domain are not extended to any other Domain. In addition, access to domain objects is controlled by Access Control Lists (ACLs), which are populated with Access Control Entries (ACEs). Security policies and settings, such as administrative rights and ACLs, do not cross from one domain to another. The domain administrator has the right to set policies only within that domain. So, domains are also boundaries of administration, because privileges that are granted in one Domain do not extend to any other Domain.
Boundary of replication. All objects that reside in a Domain are fully replicated to all Domain Controllers for that Domain. The Domain Controllers for a Domain each have a complete writeable replica of that Active Directory partition (i.e., the Domain).
Unique namespace. An Active Directory Domain is identified by a unique DNS domain name, as well as a downlevel NetBIOS name for downlevel client and server access.
Boundary of administration. Administrative privileges that are granted in one Domain do not extend to any other Domain.
Domains are manifested in the form of domain controllers. In Windows 2000, there are no longer PDCs and BDCs. Instead, every DC maintains a writeable copy of the domain database (directory information tree: .dit). There are two modes that a domain can operate in, native or mixed mode:
Mixed Mode. When a Domain is in mixed mode, the Active Directory Domain Controllers in the Domain can coexist and replicate with Domain Controllers in the same Domain that are running previous versions of Windows NT Server (downlevel domain controllers). When a Domain is in mixed mode, it is subject to the restrictions of the downlevel SAM (40MB size, 40,000 users limitation).
Native Mode. When all domain controllers in the domain are running Windows 2000 and there are no downlevel domain controllers in the domain, you can switch the Domain mode from mixed mode to native mode. To take full advantage of Windows 2000, you want to begin operating in native mode as soon as possible.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:
[Slide diagram label: KAPOHO.NET]

6 Active Directory Logical Concepts: Trees
Hierarchy of Domains forming a contiguous namespace
Transitive Trust Relationships
All Domains in a Tree share: Schema, Configuration, Global Catalog

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT: The next two logical concepts we will address are ways to group domains to form different structures. The first topic is trees. A tree is a hierarchical grouping of Domains that form a contiguous namespace. A contiguous namespace links a child container to its parent by adding one and only one more identifier to the beginning of the DNS name. For example, if the parent Domain was named COMPANY and the child Domain was named AMERICA.COMPANY, then these two domains would form a contiguous namespace. In an Active Directory Tree, transitive trust relationships link Domains such that they can be administered as a single logical unit. With bi-directional Kerberos transitive trusts, permissions can be applied to security principals throughout the Active Directory Tree. Every time a new domain is added to the tree, a transitive trust is formed. If domain “A” trusts domain “B”, then domain “A” trusts all domains that “B” trusts. The name of an Active Directory Tree is the name of the Domain that is highest in the hierarchy. In the example shown here, the name of the Tree is COMPANY, and it is referred to as the Root of the Domain Tree. All Domains in an Active Directory Tree share the following:
Schema. The schema is the formal definition of all Active Directory objects, including the object classes and object attributes. The schema also defines things such as whether attributes are required for particular object classes and the relationships between object classes. The schema is stored within the Active Directory and is extensible, meaning that new object classes and attributes can be added to the Active Directory. A single schema container exists and applies to all Domains in the Active Directory Tree. The schema is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to ensure consistency in the object types across the enterprise.
Configuration. A single configuration container exists and applies to all Domains in the Active Directory Tree. The configuration container includes information about the Active Directory as a whole, including what Domains exist, what physical Sites are defined, what Domain Controllers are running in what Domains and in what Sites, what Services are available, and so forth. The configuration container is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to allow Domain Controllers to determine replication partners and develop a replication topology.
Global Catalog. The Global Catalog – or GC – contains a partial replica of all objects in the Active Directory Tree (i.e., every object in every Domain in the Tree is represented in the Global Catalog). All GCs in an Active Directory Tree share exactly the same partial replica.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:
[Slide diagram labels: KAPOHO.NET, HAWAII.KAPOHO.NET, EUROPE.KAPOHO.NET, MAUI.HAWAII.KAPOHO.NET]

7 Active Directory Logical Concepts: Forests
Hierarchy of Domains forming a contiguous or disjoint namespace
Transitive Trust Relationships
All Domains in a Forest share: Schema, Configuration, Global Catalog

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT: A forest is composed of one or more trees. First, let's define what a forest is. A Forest is an extension of the Domain Tree concept; the only difference is that a set of Domains in a Forest may form either a contiguous or a disjoint namespace. An example of a disjoint namespace is DIV1.COM and DIV2.COM (the namespace does not form a contiguous hierarchy). A Forest is named the same as the first Tree that is installed in the Forest. In addition to the transitive trust relationships that exist between parent and child domains, in a Forest there are also bi-directional transitive trust relationships between peer top-level domains. A Domain Tree is a specific example of a Domain Forest (in which all of the Domains in that Tree form a contiguous namespace). An enterprise directory that consists of a single Domain is another example of a Forest. In a Forest, all Domains still share a common Schema, Configuration, and Global Catalog.
Do not present these details now; they are here in case you need them. Why would we want to create multiple forests?
An organization may require multiple Directory Schemas. For example, an organization may have a quasi-official relationship with a joint venture. Although the level of trust between the two organizations is high, thereby warranting some type of relationship between their Windows 2000 deployments, each organization may have unique schema requirements. In this case, multiple Windows 2000 forests can be deployed, each with its own schema, and perhaps with manual trusts established between the forests.
Another reason derives from the fact that the initial release of Windows 2000 does not support forest merge, largely because of the complexity of merging schemas. If a grassroots implementation of Windows 2000 exists within an organization (separate from the officially sanctioned Windows 2000 implementation), then it is not possible to merge these forests. They can, however, be logically linked with NT4-style trusts. Again, since forest merge is not supported in the initial release of Windows 2000, if an organization that has already deployed Windows 2000 acquires another organization that also has Windows 2000 already deployed, these forests must remain separate.
Finally, a reason that is not recommended results from politics. “Enterprise Admins” and “Schema Admins” have special permissions in a forest by default. There are “span of control” political implications to this, which can be mitigated by the implementation of separate forests.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:
[Slide diagram labels: PSP.CO.UK, KAPOHO.NET, HAWAII.KAPOHO.NET]
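The tree and forest structure described on the last two slides, as an added example in Python (not code from the presentation): it groups the diagram's domain names into trees by the one-extra-label rule, classifies the forest's namespace as contiguous or disjoint, and walks the chain of transitive trusts between two domains. The trust graph is a simplified model (parent-child trusts inside each tree, plus a trust between every other tree root and the forest root domain, assumed here to be kapoho.net as the first tree installed); it is not Windows' actual trust-referral logic.

```python
# Added example, not from the presentation: group DNS domain names into
# domain trees (a child adds exactly one label in front of its parent's name),
# classify the forest namespace, and find the transitive trust path between
# two domains. Trust graph = parent<->child inside a tree plus tree root<->
# forest root; this is a simplified model, not Windows' referral logic.

from collections import deque

# Constructed forest from the slide diagrams; the first tree installed
# (kapoho.net) names the forest and is assumed to be the forest root domain.
FOREST = ["kapoho.net", "hawaii.kapoho.net", "europe.kapoho.net",
          "maui.hawaii.kapoho.net", "psp.co.uk"]
FOREST_ROOT = "kapoho.net"


def parent_of(domain, domains):
    """The domain one label up the hierarchy, if it is part of the forest, else None."""
    parent = ".".join(domain.split(".")[1:])
    return parent if parent in domains else None


def build_trees(domain_names):
    """Group domains into trees: {tree root: sorted domains in that tree}."""
    domains = {d.lower() for d in domain_names}
    trees = {}
    for d in domains:
        root = d
        while parent_of(root, domains):
            root = parent_of(root, domains)
        trees.setdefault(root, []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


def namespace_kind(domain_names):
    """'contiguous' when the forest is a single tree, 'disjoint' when it holds several."""
    return "contiguous" if len(build_trees(domain_names)) == 1 else "disjoint"


def trust_edges(domain_names, forest_root):
    """Bi-directional trust links: parent<->child in a tree, other tree roots<->forest root."""
    domains = {d.lower() for d in domain_names}
    edges = {d: set() for d in domains}
    for d in domains:
        p = parent_of(d, domains)
        if p:
            edges[d].add(p)
            edges[p].add(d)
    for root in build_trees(domains):
        if root != forest_root:
            edges[root].add(forest_root)
            edges[forest_root].add(root)
    return edges


def trust_path(src, dst, domain_names, forest_root):
    """Shortest chain of trusts from src to dst (BFS), or None if no path exists."""
    edges = trust_edges(domain_names, forest_root)
    src, dst = src.lower(), dst.lower()
    prev = {src: None}
    queue = deque([src])
    while queue and dst not in prev:
        cur = queue.popleft()
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    print(build_trees(FOREST))
    print(namespace_kind(FOREST))
    print(trust_path("maui.hawaii.kapoho.net", "psp.co.uk", FOREST, FOREST_ROOT))
```

The path printed for maui.hawaii.kapoho.net to psp.co.uk runs up through hawaii.kapoho.net to the tree root kapoho.net and then across the tree-root trust, which is the "A trusts B, B trusts C" transitivity the slide describes and the reason the forest, not the domain, is the boundary that matters.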

8 Active Directory Logical Concepts: Organizational Units
Containers within Domains
Distinct Units of Administration
Unique to Domains

KEY MESSAGE: Describe Organizational Units.
SLIDE BUILDS: None
SLIDE SCRIPT: Organizational Units – or OUs – are containers that are used to organize objects within a Domain. For example, OUs can contain Users, Computers, Groups, Printers, Applications, File Shares, and other OUs. OUs can be logically structured into a hierarchy that models the business. They are distinct logical administrative units that can be used to: 1) delegate administration within a domain; 2) apply policy to objects (such as Users or Computers) as a group. The OU hierarchy within a particular Domain is independent of the OU hierarchy in any other Domain. Each Domain can implement its own OU hierarchy. On the slide, OUs are represented by circles within a Domain.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

9 Agenda
Active Directory Logical Concepts
Active Directory Physical Concepts
DNS
Replication
Operations Masters

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT: So let's move on to the Physical Concepts.
SLIDE TRANSITION: Let's start with the Security Model.

10 Active Directory Physical Concepts: Domain Controllers
Primary Domain Controller (PDC)
Backup Domain Controller (BDC)
Domain Controllers (DC)

KEY MESSAGE: In an Active Directory world, we have moved away from the Primary Domain Controller to the multi-master environment of Domain Controllers.
SLIDE BUILDS: 1
SLIDE SCRIPT: [BUILD 0] No matter what type of domain structure you run, there is a Domain Controller, and more than likely there is more than one of them. These Domain Controllers hold a copy of the directory. In NT 3.51 and 4.0 there are two types, a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs). The copies of the directory database these machines hold, usually referred to as the SAM database, allow users to be authenticated in the domain. This design is a single-master system because only the PDC holds a read/write copy of the directory. What this means is that, if a user wants to change his or her password, that change is performed on the PDC, regardless of which machine authenticated the user. In the case where a user is authenticated by a BDC, that BDC sends the change to the PDC to update the SAM, and the SAM is then replicated back to the BDCs. The BDCs never write to their copy of the SAM outside the replication process. [BUILD 1] In an Active Directory environment there is no single “PDC” and no “BDC”. All machines that participate in the authentication process are simply called Domain Controllers. They all hold copies of the directory, they can all write to that copy, and they all replicate with each other.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

11 Active Directory Physical Concepts: Sites
What is a Site? A set of well-connected IP subnets
Site usage: Locating Services (e.g. Logon, DFS); Replication; Group Policy Application
Sites are connected with Site Links; a Site Link connects two or more sites

KEY MESSAGE: Describe the Site Concept.
SLIDE BUILDS: None
SLIDE SCRIPT: So what is a site? An Active Directory Site is a set of TCP/IP subnets that are considered to be “well-connected”. Well-connected generally implies high-bandwidth LAN (10MB minimum) connectivity, possibly involving several hops through routers. Sites (a physical construct) are not part of the Active Directory namespace (a logical construct). Sites may span multiple Domains; similarly, Domains may span multiple Sites. Sites serve three main purposes.
First, Sites are used to locate services such as logon and DFS. When a client requests a connection to a DC (and to a Global Catalog for Universal Group membership information) at logon, sites are used to preferentially connect the client to a Domain Controller within the same site. If there are no Domain Controllers in a site with clients, then another site that does have Domain Controllers can provide “coverage” for the client site. Site links each have a logical cost assigned to them. If a user is searching for the closest DC to log on, they will first look for a DC (and GC) in their site. If none exists, they will search for a DC in the site with the lowest logical cost assigned to the site link. When a client requests a connection to a service, such as a Dfs replica, sites are used to preferentially allow the client to locate and connect to a replica within the same site.
Second, Sites are used to control replication throughout an enterprise. The Active Directory automatically creates more replication connections between Domain Controllers in the same site than between Domain Controllers in different sites. This results in lower replication latency within a site, and lower replication bandwidth between sites. Replication between Domain Controllers in different sites is compressed 10-15%, resulting in less network bandwidth utilization over the slower links between sites.
Finally, policy objects can be applied to Sites (or, more specifically, to Computer objects that reside in Sites) as a group.
Sites are connected using Site Links. Active Directory Site Links are used to define connections between Sites, and together they represent the physical network. A Site Link represents a set of Sites that can communicate with one another. For example, two Sites that are connected to one another with a point-to-point T1 might be represented by a single Site Link. On the other hand, a set of buildings (each in their own Site) that are connected to each other over an ATM backbone might be represented by a Site Link that contains all of those buildings (i.e. Sites). Similarly, a full-mesh Frame Relay network might be represented with a single Site Link, assuming each of the Sites had equal-cost connectivity to every other Site.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

12 Active Directory Physical Concepts: Site Topology
DC = Domain Controller
GC = Global Catalog DC

KEY MESSAGE: Explain how Sites and Domains interact.
SLIDE BUILDS: None
SLIDE SCRIPT: Because Sites are a physical construct, there can be overlap with domains, which are a logical construct. A Site can therefore contain an entire domain, or only part of a domain, or even multiple domains, as we see here. Site A contains a DC from the root domain company and a DC from the child domain america.company. Site B contains a DC only from america.company. Site C contains DCs from europe.company and the root company. This is one of the main concepts to remember and one people get confused on: Domains are logical structures, Sites are physical structures.
SLIDE TRANSITION: In the example here, we have this box called GC, which stands for Global Catalog. The Global Catalog is an important part of the Active Directory, so let me explain what it is.
ADDITIONAL INFORMATION FOR PRESENTER:
[Slide diagram: Sites A, B and C containing DCs and GCs from company.com, america.company.com and europe.company.com]

13 Active Directory Physical Concepts: Global Catalog
Partial Replica of all Objects in the Forest
Configurable subset of Attributes
Fast Forest-wide searches
Required at Logon for Universal Group Membership

KEY MESSAGE: Explain the Global Catalog.
SLIDE BUILDS: None
SLIDE SCRIPT: You will often hear the term Global Catalog, most likely abbreviated to GC, bandied around. When people talk about Active Directory, you'll hear it in two contexts, either as “the GC” or “a GC”. What's the difference? Well, “a GC” is the server where the catalog is held. “The GC” is the catalog itself. In basic terms, a Global Catalog server is simply a Domain Controller that is also configured to act as a Global Catalog. Global Catalog servers are identified as such in DNS and can be located by clients using DNS. The Global Catalog contains a partial replica (i.e., a subset of attributes) of all objects in the Forest. This means that some attributes of every object in every domain database in the forest are maintained in the Global Catalog. For example, a domain database may contain many attributes for each user object: the user's name, alias, address, office location, position, manager, phone number, etc., while the Global Catalog might only contain a few of these attributes (i.e., name, …, and phone number). The set of attributes for each object class published in the Global Catalog is configurable. The Global Catalog is used for fast forest-wide searches of enterprise objects. The Global Catalog is also used during logon to determine Universal Group membership, since Universal Groups do not reside within any particular Domain.
SLIDE TRANSITION: So let's move on to look at Sites and GCs.
ADDITIONAL INFORMATION FOR PRESENTER:

14 Agenda
Active Directory Logical Concepts
Active Directory Physical Concepts
DNS
Replication
Operations Masters

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT: So we've covered the logical and the physical. Let's move on to the Domain Name Service, more commonly called DNS.
SLIDE TRANSITION: Let's start with the Security Model.

15 DNS
DNS SRV records to locate services (required)
DDNS for Dynamic Update (desired)
Windows 2000 and up, DNS also provides: Incremental Zone Transfer; Active Directory Integrated (single replication topology, multi-master replication, secure dynamic update)

KEY MESSAGE: What is DNS?
SLIDE BUILDS: None
SLIDE SCRIPT: Active Directory requires DNS. This is the way that Active Directory finds services and resources. It does this through the use of Service records, or SRV records. Therefore, the DNS server(s) that manage an Active Directory Domain must support the SRV record (RFC 2052). The SRV record allows specific services to be registered in DNS. For example, Domain Controllers and Global Catalogs are explicitly registered in DNS with those specific roles. So, when a client is looking for a DC or GC (e.g., for logon), it can locate an appropriate server that is providing that service. The DNS server(s) that manage an Active Directory Domain should support the Dynamic Update protocol (RFC 2136). Windows 2000 DNS clients (for A records), as well as DHCP servers (for PTR records), will dynamically update the Microsoft DNS server with mappings. Think of this in the same terms as how WINS has always worked: clients dynamically update their own information in a WINS database. Well, now DNS allows them to register their IP information in the same way. In addition, Windows 2000 servers will register multiple records in DNS based on roles and other criteria. If Dynamic Update were not used, then every time any of the following were modified, DNS would have to be manually updated: DC name, roles, sites, IP addresses, promotion/demotion. If your DNS server does not support dynamic updates, you will have a difficult time maintaining the DNS database. It is like trying to manually maintain your WINS today. Windows 2000 and up also provides:
Incremental Zone Transfers. The Microsoft DNS server also supports Incremental Zone Transfers (RFC 1995). With standard DNS, full zone transfers between Primary and Secondary must be performed whenever there are any changes made to the database.
Management of a single replication topology. Both DNS and AD have databases that are replicated amongst computers. With AD integration of the DNS database, only a single replication topology needs to be managed.
Multi-master update. With standard DNS, changes to the DNS database may only be performed on the Primary master. Secondary masters always get their copies of the DNS database from a Primary master (or another secondary master). With AD integration, changes to the DNS database can be performed on any DNS server that manages that zone.
Secure dynamic update (RFC 2137). Allows authentication of hosts that are dynamically registering their names.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER: Tip: Use the latest version of BIND!
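How a client turns the SRV registrations just described into a DC or GC to talk to, as an added Python example (not code from the presentation or from Windows): it builds the SRV names a site-aware locator queries, tries the site-specific record before the domain-wide one (the site preference from the Sites slide), and orders the answers by priority and weight as RFC 2782 specifies. The record names follow the _msdcs scheme Windows DCs register under; the zone contents, host names and the site names "hilo" and "maui" are constructed for the example.

```python
# Added example, not from the presentation: a model of DC/GC location via
# DNS SRV records. A client queries the site-specific name first and falls
# back to the domain-wide name; answers are ordered by priority, then by
# weighted random choice within a priority (RFC 2782). The zone below,
# its host names and the site names are constructed for this example.

import random

# Constructed zone: SRV name -> list of (priority, weight, port, target).
ZONE = {
    "_ldap._tcp.dc._msdcs.kapoho.net": [
        (0, 100, 389, "dc1.kapoho.net"),
        (0, 100, 389, "dc2.kapoho.net"),
        (0, 100, 389, "dc3.kapoho.net"),
    ],
    # Only dc3 sits in the (constructed) site "hilo", so only it registers there.
    "_ldap._tcp.hilo._sites.dc._msdcs.kapoho.net": [
        (0, 100, 389, "dc3.kapoho.net"),
    ],
    # dc2 is registered at a worse priority: used only if dc1 does not answer.
    "_gc._tcp.kapoho.net": [
        (0, 100, 3268, "dc1.kapoho.net"),
        (10, 100, 3268, "dc2.kapoho.net"),
    ],
}


def srv_names(service, domain, site=None):
    """SRV names a client queries, site-specific first. service is 'dc' or 'gc'."""
    if service == "dc":
        generic = f"_ldap._tcp.dc._msdcs.{domain}"
        site_specific = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    elif service == "gc":
        generic = f"_gc._tcp.{domain}"            # for a GC, domain is the forest root
        site_specific = f"_gc._tcp.{site}._sites.{domain}"
    else:
        raise ValueError(f"unknown service {service!r}")
    return [site_specific, generic] if site else [generic]


def order_srv(records, rng):
    """RFC 2782 ordering: ascending priority; weighted random order within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng.uniform(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def locate(zone, service, domain, site=None, seed=0):
    """Site-aware lookup: (SRV name that answered, targets in preference order)."""
    rng = random.Random(seed)
    for name in srv_names(service, domain, site):
        records = zone.get(name)
        if records:
            return name, [r[3] for r in order_srv(records, rng)]
    return None, []


if __name__ == "__main__":
    print(locate(ZONE, "dc", "kapoho.net", site="hilo"))   # site-local DC wins
    print(locate(ZONE, "dc", "kapoho.net", site="maui"))   # no site record: domain-wide list
    print(locate(ZONE, "gc", "kapoho.net"))                # priority 0 before priority 10
```

The fallback from the site-specific name to the domain-wide name is what the Sites slide calls "coverage": a site with no DC of its own still gets an answer, just not a local one.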

16 DNS: DNS Implementations
No existing DNS infrastructure: Deploy Microsoft DNS
Existing DNS meets requirements
Existing DNS not adequate: Choice 1: Update Server; Choice 2: Migrate to Microsoft DNS; Choice 3: Delegate a subdomain to Microsoft DNS

KEY MESSAGE: So how do you go about implementing this?
SLIDE BUILDS: None
SLIDE SCRIPT: How to go about implementing DNS for AD… As I just mentioned, if there is no pre-existing DNS infrastructure, then the answer is easy: implement Microsoft DNS, for all of the benefits on the previous slide, because it's well-tested with AD and because it's FREE. If there is a pre-existing DNS infrastructure in the organization, it must be BIND or higher. This version of BIND supports SRV (a must) and DDNS (a really important feature to have). The next step is to understand the impact of dynamic updates on the DNS traffic in your infrastructure. If all of this is fine, then use your existing DNS. If your current DNS does not support these features, then you have three choices: 1. Upgrade your existing DNS servers to a version that supports the items outlined above. 2. Migrate to Microsoft DNS (which supports all of this and more). 3. Delegate a sub-domain to Microsoft DNS. For example, if you have company being managed by DNS servers that don't meet the requirements, and you don't want to upgrade or migrate, then create a child domain such as “windows.company” and delegate that zone to Microsoft DNS servers.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

17 Agenda
Active Directory Logical Concepts
Active Directory Physical Concepts
DNS
Replication
Operations Masters

KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

18 Replication: Replication Details
Naming Contexts that are replicated: Schema Naming Context; Configuration Naming Context; Domain Naming Context
Multi-Master Replication
Intra-site: Bi-directional Ring Topology
Inter-site: Spanning Tree Topology; Synchronous RPC over TCP/IP; Asynchronous SMTP

KEY MESSAGE: Describe the Replication Details.
SLIDE BUILDS: None
SLIDE SCRIPT: There are several replication concepts introduced with Active Directory. The first of these is Naming Contexts. A Naming Context is a partition of data within the Active Directory. The Active Directory is partitioned to help reduce what information each Domain Controller holds and therefore what information it has to replicate around. The three predefined naming contexts are:
Schema NC. This is a Forest-wide Naming Context and is replicated among all Domain Controllers in the Forest.
Configuration NC. This is a Forest-wide Naming Context and is therefore replicated among all Domain Controllers in the Forest.
Domain NC. This is a Domain-wide Naming Context (one per Domain) and is therefore fully replicated to all Domain Controllers in the Domain. In addition, each Domain Naming Context is partially replicated to all Global Catalogs in the Forest.
Multi-Master Replication. This occurs within each Domain, where each Domain Controller maintains and replicates a complete writeable copy of the domain database. This is a big change from NT 4, where all changes to the Domain database had to be made on the PDC. Now, any DC can make those changes and the information will work its way around the Domain. The Knowledge Consistency Checker (KCC) automatically generates a replication topology based on the definition of Sites and Site Links.
Intra-site Ring Topology. Within a Site, the KCC automatically generates a bi-directional ring topology for all Domain Controllers in the same Domain. The KCC also ensures that there are no more than three hops from any Domain Controller in a Site to any other Domain Controller in that Site (by adding additional replication partners where necessary). Intra-site replication is RPC-based and not compressed, so good network connectivity is assumed.
Inter-site Spanning Tree Topology. Between Sites, the KCC automatically generates a spanning tree replication topology. For the inter-site replication topology, the KCC takes into account whether a Domain Controller has been identified as a Bridgehead Server as well as the “cost” of each Site Link. Inter-site replication can be scheduled and is compressed significantly. Two transports can be used for inter-site replication:
Synchronous RPC over TCP/IP. This transport can be used to replicate any naming context (Schema, Configuration, full Domain).
Asynchronous SMTP. This transport can be used to replicate the Schema, Configuration and partial Domain (i.e. Global Catalog) information. The SMTP transport cannot be used to replicate a complete Domain database (i.e., it cannot be used for inter-site intra-domain replication).
Inter-site replication is compressed significantly: down to 10-15% of original volume for RPC and 20-30% for SMTP.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

19 Replication: Naming Contexts
Schema: Definitions of attributes; replicated to all DCs in the forest
Configuration: AD structure (domains, sites, and where the DCs are)
Domain: Domain-specific objects (users, groups, computers, and OUs); replicated to all DCs in its domain

KEY MESSAGE: So let's just spend a bit of time and flesh out Naming Contexts.
SLIDE BUILDS: None
SLIDE SCRIPT: We'll start with the Schema Context. The Schema Context contains objects that represent all the classes and attributes that the Active Directory supports. Because the Schema is a forest-wide definition, it is replicated to every Domain Controller in the forest. The Configuration Naming Context contains all the configuration for the forest. This includes all the information about domains, sites, and where Domain Controllers reside. This is also considered forest-wide and is replicated to all Domain Controllers. Finally, the Domain Context. This contains only domain-specific information, such as users, groups, OUs, computers, etc. Each Domain has its own context and replicates it only to domain controllers within that domain.
SLIDE TRANSITION: We've mentioned replication a lot so far; let's talk about replication topologies.
ADDITIONAL INFORMATION FOR PRESENTER: The script for this slide was taken in part from O'Reilly's Active Directory, 2nd Edition.

20 Replication: Replication Topologies
Intra-Site Replication: AD replication between DCs within a Site
Inter-Site Replication: AD replication between Sites

KEY MESSAGE: Introduce the two topologies.
SLIDE BUILDS: None
SLIDE SCRIPT: We have two replication topologies available in AD. The first is Intra-Site Replication: all DCs present in a site, which are therefore well connected, replicate using this method. The second is Inter-Site Replication: DCs in two different sites replicate using this method.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

21 Replication: Intra-Site Replication
RPC replication in a Site
No compression
Assumes good network connections
Uses notification process: 5 minutes on Windows 2000, less on Windows Server 2003
KCC generates a bi-directional ring with extra edges

KEY MESSAGE: Go into more detail about Intra-Site.
SLIDE BUILDS: None
SLIDE SCRIPT: Replication within a site is done using RPC. Since connectivity between DCs in a site is good, no compression of replication data is done. Intra-Site replication also uses notification. However, after being notified, replication starts only after a 5-minute pause. This is done for optimization purposes: gather all changes during this interval since the first change, then replicate. How does each DC know from which DC to replicate? On each DC, it is the job of the Knowledge Consistency Checker, or KCC, to generate the appropriate topology based on many factors. For intra-site, it generates a bi-directional ring, but with extra edges to minimize hops. One may create connection objects manually to construct the topology. However, it is best left to the KCC to generate the topology.
SLIDE TRANSITION: Let's look at Inter-Site.
ADDITIONAL INFORMATION FOR PRESENTER: Tip: Always let the KCC generate the intra-site replication topology when possible.

22 Replication: Inter-Site Replication
Replication between Sites
DS-RPC (RPC over IP) or SMTP transports
SMTP can be used only between GCs across Sites, and between DCs of different domains in different sites
Compression: 10%-20% of original size
Scheduled

KEY MESSAGE: Go into more detail about Inter-Site.
SLIDE BUILDS: None
SLIDE SCRIPT: The DCs between sites use Inter-Site replication. One has two options to use for inter-site replication, either the DS-RPC protocol or the SMTP transport. However, SMTP can only be used for replication between GCs in different sites and between DCs of two different domains in different sites—in other words, only for the Configuration and Schema NCs. The reason is that there are other critical NT services, like FRS, which cannot replicate by mail. Since DCs in two different sites are not well connected, compression is used in inter-site replication. Inter-site replication is also scheduled, unlike the notification process used in intra-site replication.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

23 Replication Site-Links, Bridges and Bridgehead Servers
Site Links link two or more sites Cost and schedules can be specified Transitive (can be disabled) Site-Link Bridges Bridge two or more site links Bridgehead servers KCC generates a minimum cost spanning tree KEY MESSAGE: What connects sites so that replication can take place? SLIDE BUILDS: None SLIDE SCRIPT: Inter-site replication is configured using site links, site-link bridges, and bridgehead servers. In our next demo, we will show you how to configure all of these, but here is a brief description. Site links link two or more sites. You can associate a cost with each site link; the KCC uses these costs to generate the replication topology, preferring the lowest-cost path. Site links are also associated with schedules and a replication interval. A schedule opens one or more windows during which replication is allowed, and within a window replication is attempted at the configured interval. Site links are transitive: if there is a link connecting sites A and B, and another link connecting sites B and C, then replication is possible from site A to site C. This holds as long as the entire network is IP-routed; it is controlled by the 'Bridge all site links' option on the transport, which is on by default. Site-link bridges are not necessary while site links are transitive. They must be used when transitivity has been disabled, which is done in complex scenarios such as networks with firewalls between some sites; a bridge then declares which site links may be chained together, much like a router in a partitioned network. You can designate one or more DCs in a site as preferred bridgehead servers for that site. All inter-site replication traffic for the site is then channeled through those DCs; note that if every preferred bridgehead in a site is down, the KCC does not fall back to another DC, so the site stops replicating with the rest of the forest. Based on all this configuration, the KCC generates a minimum-cost spanning tree for the inter-site replication topology. You can manually add connection objects to construct a topology, but it is always better to let the KCC generate it. SLIDE TRANSITION: Let's have a quick look at replication in action. ADDITIONAL INFORMATION FOR PRESENTER: Tip: Always let KCC generate the replication topology
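The demo referred to above is not part of the transcript, so here is an added example (not the session's own script) that configures the pieces just described and reads back what the KCC will work from: two site links with costs and intervals, a schedule on one of them, a check of whether site links are still transitive, a site-link bridge if they are not, and a preferred bridgehead. It assumes the RSAT ActiveDirectory module, Enterprise Admins rights, and that the sites already exist; the site names London, Paris and Berlin, the link names and the DC LON-DC1 are placeholders.

```powershell
# Added example, not from the original session: set up inter-site replication
# for placeholder sites London, Paris and Berlin and a placeholder DC LON-DC1,
# then read back the settings the KCC will use. Assumes the RSAT
# ActiveDirectory module, Enterprise Admins rights and existing sites.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# 1. Site links with a cost and an interval. The cost is what the KCC's
#    minimum-cost spanning tree is built from; the interval is how often
#    replication is attempted while a schedule window is open.
New-ADReplicationSiteLink -Name 'London-Paris' -SitesIncluded 'London', 'Paris' `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Paris-Berlin' -SitesIncluded 'Paris', 'Berlin' `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 2. Restrict London-Paris to 20:00-06:00 every day. A range cannot cross
#    midnight, so it is entered as two ranges on a fresh (all-closed) schedule.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$hour = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$min  = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$schedule.SetDailySchedule($hour::Twenty, $min::Zero, $hour::TwentyThree, $min::FortyFive)
$schedule.SetDailySchedule($hour::Zero,   $min::Zero, $hour::Six,         $min::Zero)
Set-ADReplicationSiteLink -Identity 'London-Paris' -ReplicationSchedule $schedule

# 3. Transitivity. Site links are bridged (transitive) unless 'Bridge all site
#    links' has been cleared on the transport, which sets bit 0x2 of its
#    'options' attribute. Only in that case does the KCC need explicit bridges.
$options = (Get-ADObject -Identity $ipTransport -Properties options).options
$bridgesRequired = (($options -band 0x2) -ne 0)
if ($bridgesRequired) {
    New-ADReplicationSiteLinkBridge -Name 'London-Paris-Berlin' `
        -SiteLinksIncluded 'London-Paris', 'Paris-Berlin'
}

# 4. A preferred bridgehead pins all of London's inter-site traffic to one DC.
#    If every preferred bridgehead in a site is down the KCC does not pick
#    another DC, so only do this when the site needs it (for example, only
#    one DC is allowed through the firewall).
$serverDn = "CN=LON-DC1,CN=Servers,CN=London,CN=Sites,$configNC"
Set-ADObject -Identity $serverDn -Add @{ bridgeheadTransportList = $ipTransport }

# 5. Read back what the KCC will see.
"Bridge all site links: " + (-not $bridgesRequired)
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } }
```

With the default transitive setting, the bridge in step 3 is skipped and London already reaches Berlin through Paris at a combined cost of 300; with transitivity disabled and no bridge, the KCC would build no London-Berlin path at all, which is the usual cause of a remote site that replicates with its neighbour but never with the rest of the forest.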

24 Agenda Active Directory Logical Concepts
Active Directory Physical Concepts DNS Replication Operations Masters KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: Let's tackle our last topic: Operations Masters. SLIDE TRANSITION: So let's start with the forest-wide roles.

25 Operations Masters Schema and Domain
Perform updates to schema Sends updates to all DCs One per forest Default is the first DC installed Domain Naming Performs add/remove of domains and cross-references to external directories KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: We mentioned earlier that the Active Directory is a multi-master directory service; all domain controllers can write to the database. However, there are still operations where letting any DC write would risk conflicting updates, and the safe way to handle them is in single-master mode. The way this is handled within the Active Directory is via operations masters: for each such operation, one DC is nominated to perform it exclusively. There are five such functions within the Active Directory. They are collectively called Flexible Single Master Operations, or FSMOs (pronounced "fizmo") for short. As with naming contexts, some FSMOs are domain-wide and some forest-wide. The two on this slide are the forest-wide roles. The DC nominated as the Schema Master is the only machine in the forest allowed to make changes to the schema, i.e., to add classes or attributes; the change then replicates to every DC like any other update to the schema partition. If you go from here to work with Exchange 2000 or 2003, you will know the schema master well, because the first part of an Exchange install must be run against the schema master to extend the schema. The default schema master is the first DC installed in the forest. The other forest-wide FSMO role owner is the Domain Naming Master. This DC is the only one allowed to make changes to the forest namespace, in other words adding or removing domains, and to add or remove cross-references to external directories. This, like the Schema Master, is by default the first DC that was installed. SLIDE TRANSITION: What are the domain-wide roles? ADDITIONAL INFORMATION FOR PRESENTER:

26 Operations Masters PDC, RID and Infrastructure
Primary Domain Controller (PDC) Emulator Acts as a PDC for requests from NT clients and BDCs One per domain Relative Identifier (RID) Generates pools of relative identifiers to be distributed to DCs in the domain One per domain Infrastructure Updates references (SIDs and DNs) to objects in other domains when those objects are moved or renamed One per domain KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: The first domain-wide FSMO is the PDC Emulator. This DC acts as the PDC for NT clients. If, for example, you upgrade an NT 4 domain that has a number of BDCs, the PDC emulator is the connection between the BDCs and the Active Directory. Changes such as password changes and account lockouts are replicated to these down-level BDCs, and to a BDC this DC looks and acts like a PDC. Even with no NT 4 systems left, the PDC emulator matters: password changes are forwarded to it immediately, and when a logon fails elsewhere because of a bad password the DC checks with the PDC emulator before rejecting it, so lockouts and recent password changes are seen there first. The Relative Identifier, or RID, Master generates pools of relative identifiers. Whenever a security-enabled object is created in a domain, it needs a SID so it can be uniquely identified, and a SID is the domain SID followed by a RID. Because there can be any number of domain controllers, a system was needed to ensure that only unique RIDs are allocated. The RID Master creates pools of unique identifiers and hands them out to each DC in blocks (500 by default). The DCs then use this pool to assign SIDs to objects. When a DC's pool starts to run low (in Windows 2000, when fewer than about 100 remain; later versions ask earlier), it asks the RID Master for more. If the RID Master is unavailable for long enough that DCs exhaust their pools, they can no longer create users, groups or computers. The final single-master function is the Infrastructure Master. This master maintains references to objects in other domains, for example members of a domain local group who belong to another domain. It is the Infrastructure Master's responsibility to ensure that such cross-domain references are kept up to date when the referenced objects are renamed or moved. One placement rule follows from how it works: the Infrastructure Master finds stale references by comparing its copy with a global catalog, so it must not itself be a GC unless every DC in the domain is a GC (or the forest has a single domain), otherwise it never notices stale references and they are never updated. One final thing about operations masters: if the machine that holds a FSMO role goes offline, another machine is not automatically promoted. Moving a role is a manual operation. While the current holder is online you can transfer roles with Active Directory Users and Computers, Active Directory Domains and Trusts, or the Active Directory Schema snap-in. If the holder is gone for good, the role has to be seized; NTDSUTIL is the tool that can forcibly move a role (on Windows Server 2008 R2 and later, the Active Directory module's Move-ADDirectoryServerOperationMasterRole with -Force does the same). A DC whose role was seized must never be brought back onto the network; rebuild it instead, because two DCs each believing they hold the RID Master or Schema Master role can hand out duplicate SIDs or make conflicting schema changes.
The Active Directory will function for some time if all the roles are offline, but it is not recommended, and you should always be aware of the state of your FSMO role owners. SLIDE TRANSITION: So let's wrap up. ADDITIONAL INFORMATION FOR PRESENTER:
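The script below is an added example, not part of the original session, covering both operations master slides: it locates the two forest-wide and three domain-wide role holders, checks that each one answers, applies the infrastructure master placement rule described above, and reads the RID master's remaining pool so that a RID shortage is noticed before DCs stop creating accounts. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) and a session with read access to the domain; the interpretation of rIDAvailablePool (highest RID in the upper 32 bits, next RID to allocate in the lower 32 bits) is the documented layout of that attribute.

```powershell
# Added example, not from the original session: find the five operations
# master role holders, check each one is reachable, and run two checks the
# slides' guidance implies: the infrastructure master placement rule and how
# many RIDs the RID master has left to hand out. Assumes the RSAT
# ActiveDirectory module and a session with read access to the domain.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain-wide from the domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # 1. Reachability. Roles do not fail over on their own, so an unreachable
    #    holder is a finding in itself. Asking the holder itself (-Server)
    #    tests its directory service, not just whether it answers ping.
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        try {
            $null  = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
            $state = 'reachable'
        } catch {
            $state = 'NOT REACHABLE: role will not move by itself; transfer or seize it'
        }
        [pscustomobject]@{ Check = $role; Value = $holder; Status = $state }
    }

    # 2. Infrastructure master placement. It finds stale cross-domain references
    #    by comparing its copy with a global catalog; hosted on a GC it has no
    #    stale copy to compare, so nothing is ever updated. Harmless only when
    #    every DC in the domain is a GC or the forest has a single domain.
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc = [bool](($dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }).IsGlobalCatalog)
    $imBad  = $imIsGc -and -not $allGc -and ($forest.Domains.Count -gt 1)
    $imState = if ($imBad) { 'WARNING: IM is a GC while other DCs are not' } else { 'OK' }
    [pscustomobject]@{ Check = 'InfrastructureMasterOnGC'; Value = $imIsGc; Status = $imState }

    # 3. RID pool headroom, read from the RID master. rIDAvailablePool packs
    #    the highest usable RID in the upper 32 bits and the next RID to be
    #    allocated in the lower 32 bits of one 64-bit value.
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                           -Properties rIDAvailablePool -Server $dom.RIDMaster
    [int64]$pool = $ridMgr.rIDAvailablePool
    $maxRid  = $pool -shr 32
    $nextRid = $pool -band 0xFFFFFFFF
    [pscustomobject]@{
        Check  = 'RIDsRemaining'
        Value  = $maxRid - $nextRid
        Status = "next RID to allocate is $nextRid of $maxRid"
    }
}

# Usage: Get-OperationsMasterReport | Format-Table -AutoSize
```

To move a role while both DCs are up, use Move-ADDirectoryServerOperationMasterRole -Identity <new holder> -OperationMasterRole <role>; adding -Force seizes it from a holder that no longer answers, which is the cmdlet equivalent of the NTDSUTIL seize described above, and carries the same rule that the old holder is rebuilt rather than reconnected. A RIDsRemaining value that keeps falling across a large bulk provisioning job is worth watching: each DC draws 500 at a time, and accounts can only be created while the RID master can still issue blocks.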

27 Summary There are Logical and Physical concepts DNS
Plenty of Information KEY MESSAGE: So these are the topics we’ve covered in today’s session. SLIDE BUILDS: None SLIDE SCRIPT: That brings us to the end of the session. I’d like to round off with a couple of things for you to remember. The Active Directory has two main concept types: there are logical concepts and there are physical ones, and each in its way is treated separately. Because Active Directory is a directory service, it needs a lookup system. That system is DNS, so if you are unfamiliar with it, it would be good to read up on it. And finally, don’t be scared of it. It may seem daunting now, especially if NT 4 is your only experience with a directory service. But there is a wealth of information out there about Active Directory and lots of people who have been working with it for a long time who can help and pass on information. SLIDE TRANSITION: So, to help with that last point, here are some places to start mining that information.

28 For More Information… www.microsoft.com/technet/tnt1-98
Main TechNet Web site at Additional resources to support this Session page can be found at KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: TechNet has its own Active Directory section under the Products and Technologies section. We’ve also put some of the key links on this session's resource page at the URL at the bottom of the slide. SLIDE TRANSITION: If you want physical material, we have both MS Press books and also publications from other authors and vendors.

29 MS Press Inside information for IT Professionals
Key Message: Talk about MS Press books and introduce the build-your-own-book feature. SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER: To find the latest IT Professional related titles visit

30 Third Party Publications Supplementary Publications for IT Pros
Key Message: Talk about the third Party books to show we do provide a balanced view in areas where our publications are diluted or we do not cover. SLIDE BUILDS: None SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER: These books can be found and purchased at all good book stores and on-line retailers

31 Microsoft Learning Training Resources for IT Professionals
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure Course Number: 2279 Availability: Now Detailed Syllabus: Microsoft Learning (formerly MS Training & Certification and MS Press, the book division) develops the courseware called Microsoft Official Curriculum (MOC), including MSDN Training courses, eLearning, MS Press Books, Workshops, Clinics, and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for both IT professionals and developers who build, support, and implement solutions using Microsoft products and technologies. Please be sure to tell the audience that these training courses are related to the subject that was just covered in the slides, but they do not necessarily provide in-depth coverage of this exact subject as it may include other topics. Anyone interested in more information about the course(s) listed should visit the Microsoft Training & Certification Web site at and review the syllabus. All MOC courses are delivered by Microsoft’s premier training channel, Microsoft Certified Technical Education Centers (CTEC) and classes are taught by Microsoft Certified Trainers (MCT). To locate a training provider, please access Microsoft Certified Technical Education Centers are Microsoft’s premier partners for training services

32 Assess your Readiness Microsoft Skills Assessment
What is Microsoft Skills Assessment? Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification) Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003 Free, online, unproctored, and available to anyone Answers, “Am I ready?” Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources Post your High Score to see how you stack up visit OPENING TRANSITION: And now, for an exciting, new product also from Microsoft Learning… KEY MESSAGE: Microsoft Skills Assessment SLIDE SCRIPT: Microsoft Skills Assessment is a free online learning tool. It’s an easy way for IT professionals, developers, and trainers to check their skills. You can quickly check your skills for implementing or managing Microsoft product or business solutions. Just take a short, 30-question assessment and see how well you know your stuff. Benefits include a Personalized Learning Plan, which includes links to Microsoft Official Curriculum, specific TechNet articles, Press books, and other Microsoft learning content. There’s also a way to measure how well you did compared with others who took the same assessment. Microsoft Skills Assessment is an expanding learning platform. Available now are assessments for Windows Server 2003 including security and patch management, Exchange Server 2003, Windows Storage Server, Office 2003, and Visual Studio .NET. SLIDE TRANSITION: TechNet can also help prepare for exams as well as a lot more, so what is it? ADDITIONAL INFORMATION FOR PRESENTER:

33 Become a Microsoft Certified Systems Administrator (MCSA)
What is the MCSA certification? For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system How do I become an MCSA on Microsoft Windows 2000? Pass 3 core exams Pass 1 elective exam or 2 CompTIA certifications Where do I get more information? For more information about certification requirements, exams, and training, visit KEY MESSAGE: Explain the MCSA program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows® Server. Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems. For more information about the MCSA certification, please visit: TYPICAL JOB TITLES FOR MCSA Network Administrator, Systems Administrator, Information Technology Engineer, Information Systems Administrator, Network Technician UPGRADE PATH FROM MCSA ON WINDOWS 2000 One exam required: Exam : Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 SLIDE TRANSITION: That’s it. Sign off in your own way.

34 Become A Microsoft Certified Systems Engineer (MCSE)
What is the MCSE certification? Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software. How do I become an MCSE on Microsoft Windows 2003? Pass 6 core exams Pass 1 elective exam from a comprehensive list Where do I get more information? For more information about certification requirements, exams, and training options, visit KEY MESSAGE: Explain the MCSE program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft® Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software. Implementation responsibilities include installing, configuring, and troubleshooting network systems. For more information about the MCSE certification, please visit: MCSE candidates should have at least one year of experience planning, implementing, and analyzing business solutions with Microsoft products and technologies UPGRADE FROM MCSE ON WINDOWS 2000 Two exams required These 2 exams satisfy the core networking exams. Exam : Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 Exam : Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 SLIDE TRANSITION: That’s it. Sign off in your own way. ADDITIONAL INFORMATION FOR PRESENTER:

35 Demonstrate Your Security or Messaging Specialization
What are MCSA/MCSE specializations? MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role. What specializations are available? MCSA: Security  MCSA: Messaging MCSE: Security  MCSE: Messaging Where do I get more information? For more information about MCSA and MCSE specialization requirements, exams, and training options, visit or KEY MESSAGE: Explain the MCSE and MCSA Security and Messaging Specialization program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft® Certified Systems Engineer and Systems Administrator specializations allow IT professionals to highlight specific expertise or technical focus within their job role. Which specializations are available? There are two types of specializations available: Security and Messaging for Windows Server 2003. SLIDE TRANSITION: That’s it. Sign off in your own way. ADDITIONAL INFORMATION FOR PRESENTER:

36 What is TechNet? Put the right answers at your fingertips
TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully TechNet Subscription While the monthly subscription software is the most obvious component of TechNet, there’s also much more. The TechNet website gives subscribers access to valuable information as well as threaded discussion pages and online seminars. Many subscribers use the Web as frequently as they use the software. In the subscribers-only section, subscribers can access the Online Concierge Chat Support service—a Microsoft support specialist who can help them locate technical information quickly and easily. TechNet Plus subscribers also get access to our Managed Newsgroup Support Service. You can post questions in over 90 IT-related public newsgroups, and Microsoft will ensure that you get a response within 72 hours TechNet Flash is a bi-weekly newsletter subscribers can register for. It gives them up-to-date information on the latest postings to the website TechNet Events—TechNet subscribers have access to free events that explain how to use Microsoft products and technologies at a technical level TechNet Communities Monthly updates delivered on DVD or CD The definitive resource to help you evaluate, deploy and maintain Microsoft products TechNet Web Site Accessible at Online resources and community Subscriber-only Online Services TechNet Flash Bi-weekly e-newsletter Security updates, new resources, and special offers TechNet Events and Web Casts Briefings on the latest Microsoft products and technologies Hands-on, “how to” information TechNet Communities User Groups Managed Newsgroups

37 Where Can I Get TechNet? Visit TechNet Online at Register for the TechNet Flash Join the TechNet Online forum at Become a TechNet Subscriber at Attend More TechNet Events or view on-line KEY MESSAGE: Purpose of this slide is to educate IT Pros on where to go and how to be a part of TechNet. SLIDE BUILDS: None SLIDE SCRIPT: There is one place you should go to start: WWW.MICROSOFT.COM/TECHNET. There is one communication you should subscribe to: TechNet Flash. Published every other week for the IT Pro community, it focuses on news, information, resources and events. Post questions on the discussion forum. Subscribe online. Look for TechNet branded events. SLIDE TRANSITION: Last slide in the deck. Round off however you like. ADDITIONAL INFORMATION FOR PRESENTER:
