
Active Directory Fundamentals


Presentation on theme: "Active Directory Fundamentals"— Presentation transcript:

1 Active Directory Fundamentals
Network Administration Set 3, Tatiana Balikhina
KEY MESSAGE: Introduce yourself and then the session title
SLIDE BUILDS: None
SLIDE SCRIPT: Hello and welcome to this TechNet session on Active Directory Fundamentals. My name is {state your name and title}.
SLIDE TRANSITION: What are we going to cover

2 What we will cover: Domains, Trees, Forests Domain Controllers, Sites
KEY MESSAGE: What are we going to cover?
SLIDE BUILDS: None
SLIDE SCRIPT: So in today's session we will look at what makes up the Active Directory directory service and cover the terms you will hear when people talk about the service. Some of these components are logical in nature, such as Domains, Domain Trees and Forests; some are physical in nature, such as Domain Controllers and Sites. We will also cover the Domain Name System (DNS) and the part it plays in Active Directory operations. We will then look at site communication and how directory information is replicated so that every domain controller has the same view of the directory. Finally, we cover the Operations Masters.

3 Agenda Active Directory Logical Concepts
Active Directory Physical Concepts
KEY MESSAGE: Today's Agenda
SLIDE BUILDS: None
SLIDE SCRIPT: As mentioned in what we will be covering, the agenda divides into the Logical and Physical components of Active Directory, then the Domain Name System (DNS), Replication (which includes Sites) and finally the Operations Masters.
SLIDE TRANSITION: So let's start with the Logical Concepts.

4 Active Directory Active Directory (AD) is a directory database designed for a large number of read and search operations and a much smaller number of changes and updates. Data in AD is hierarchical, replicated and extensible. Examples of the data it holds are user accounts, computers, printers and other security principals. The directory is hosted on one or more servers known as domain controllers. A domain controller is a Windows server that manages the security relationship between users (and computers) and the domain: it authenticates them and issues the authorization data they use to access domain resources.

5 Active Directory When a user logs on to a computer that is a member of a Windows domain, AD verifies the submitted credentials and determines which groups the user belongs to, which in turn decides, for example, whether the user is an administrator or a standard user. An AD structure is an arrangement of information about objects. Objects fall into two categories: resources (e.g. printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). An object is uniquely identified by its name and has a set of attributes. The database schema is the structure of the directory described in a formal language.

6 Active Directory AD framework can be viewed at a number of levels.
The forest, tree and domain are the logical divisions in an AD network. Objects are grouped into domains. The objects for a single domain are stored in a single database. Domains are identified by their DNS name structure. A domain is defined as a logical group of network objects (users, computers, devices) that share the same Active Directory database.

7 Active Directory Logical Concepts Domains
A domain is the core unit of logical structure in Active Directory. Domains represent a logical partition within the Active Directory for both security and directory replication. Each domain stores information only about the objects it contains.
KEY MESSAGE: Define what a Domain is.
SLIDE BUILDS: None
SLIDE SCRIPT: A domain is the core unit of logical structure in Active Directory. Domains represent a logical partition within the Active Directory for both security and directory replication. Each domain stores information only about the objects it contains. Theoretically, a domain directory can contain up to 10 million objects; 1 million objects per domain was the supported (tested) limit in the Windows 2000/2003-era guidance this deck follows, and later releases test far larger domains. Domains function in several capacities. They serve as boundaries of authentication, replication, namespace, and security policies. Domains are manifested in the form of domain controllers. There is a one-to-one correspondence between Active Directory Domains and DNS Domains. Since all users in a domain must log on to a domain controller for that domain, a domain is also:
A boundary of authentication. Domain controllers are responsible for authenticating users and groups.
A boundary of security policies. Certain security policies are applied exclusively at the domain level, including Password Length, Account Lockout, and Kerberos Ticket Lifetime. Security policies that are defined in one Domain are not extended to any other Domain. In addition, access to domain objects is controlled by Discretionary Access Control Lists (DACLs), which are populated with Access Control Entries (ACEs). Security policies and settings, such as administrative rights and DACLs, do not cross from one domain to another. The domain administrator has the right to set policies only within that domain. So domains are also boundaries of administration, because privileges that are granted in one Domain do not extend to any other Domain. One caveat a practitioner should keep in mind: Microsoft has since clarified that the forest, not the domain, is the security boundary. Domains in the same forest share the schema and configuration partitions and trust each other without SID filtering, so a domain administrator in any domain of the forest can escalate to forest-wide control (for example by injecting SID history, which is not filtered inside a forest). Domains separate administration against mistakes, not against a hostile administrator.
A boundary of replication. All objects that reside in a Domain are fully replicated to all Domain Controllers for that Domain. The Domain Controllers for a Domain each have a complete writeable replica of that Active Directory Partition (i.e. the Domain).
A unique namespace. An Active Directory Domain is identified by a unique DNS domain name, as well as a downlevel NetBIOS name for downlevel client and server access.
A boundary of administration. Administrative privileges that are granted in one Domain do not extend to any other Domain.
Domains are manifested in the form of domain controllers. Since Windows 2000 there are no longer PDCs and BDCs. Instead, every Domain Controller maintains a writeable copy of the domain database (the directory information tree, ntds.dit). There are various functional levels a Domain can operate in; in Windows Server 2003 these are Windows 2000 mixed (the default), Windows 2000 native, Windows Server 2003 interim and Windows Server 2003. Mixed: when a Domain is in mixed mode, the Active Directory Domain Controllers in the Domain can coexist and replicate with Domain Controllers in the same Domain that are running previous versions of Windows NT Server (downlevel domain controllers). A Domain in mixed mode is subject to the restrictions of the downlevel SAM (Security Accounts Manager) database (40 MB, about 40,000 account objects), so you want to move to native mode or Windows Server 2003 mode as soon as the downlevel Domain Controllers are retired.
ADDITIONAL INFORMATION FOR PRESENTER: Domains serve as: Boundary of Security (Authentication, Security Policies); Boundary of Replication (Domain Replication); Boundary of DNS Namespace; Boundary of Administration. Diagram label: KAPOHO.NET

8 Boundary of Security (Authentication)
A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is the server on a Microsoft Windows network that is responsible for granting hosts access to Windows domain resources. Domains are manifested in the form of domain controllers. Since all users in a domain must log on to a domain controller for that domain, a domain is a boundary of authentication: domain controllers are responsible for authenticating users and groups.

9 Boundary of Security (security policies)
Certain security policies are applied exclusively at the domain level, including Password Length, Account Lockout, and Kerberos Ticket Lifetime. Security policies that are defined in one Domain are not extended to any other Domain. In addition, access to domain objects is controlled by Access Control Lists (ACLs), which are populated with Access Control Entries (ACEs). ACEs are evaluated in the order they appear in the list, so the order of allow and deny entries in a DACL decides the outcome of an access check. Security policies and settings, such as administrative rights and Access Control Lists (ACLs), do not cross from one domain to another.
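
Added example (not code from the presentation): a model of how Windows walks a DACL in ACE order when a user asks for a set of rights on a directory object, covering the cases that trip people up: a deny ACE that is reached before the allow that would have granted the right, an empty DACL (nobody gets access), a missing DACL (everyone gets access), and the same ACEs in non-canonical order. The access bits, the domain SID S-1-5-21-1-2-3 and the token are constructed; the well-known RIDs 500 (Administrator) and 513 (Domain Users) and the Everyone SID S-1-1-0 are real.

```python
# Model of Windows DACL evaluation. Added example, not code from the presentation;
# SIDs, access bits and the DACLs below are constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional, Set

# Generic access bits used in this model (constructed subset)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000


@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # SID of the user or group the ACE applies to
    mask: int            # access rights the ACE allows or denies
    inherited: bool = False


def access_check(token_sids: Set[str], dacl: Optional[List[Ace]], requested: int) -> bool:
    """Return True if every bit in `requested` is granted to the caller.

    token_sids: SIDs in the caller's access token (user SID plus group SIDs).
    dacl: None means the object has no DACL at all and is unprotected (everyone
          gets everything); [] is an empty DACL, which grants nothing to anyone.
    ACEs are walked in order: a matching deny ACE that covers any right not yet
    granted ends the check with denial; allow ACEs accumulate rights until every
    requested right is granted.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


def canonicalize(dacl: List[Ace]) -> List[Ace]:
    """Reorder ACEs into the canonical order the Windows tools write: explicit
    deny, explicit allow, inherited deny, inherited allow (stable within groups)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


# Constructed domain SID with well-known RIDs appended
DOMAIN_SID = "S-1-5-21-1-2-3"
ADMINISTRATOR = f"{DOMAIN_SID}-500"
DOMAIN_USERS = f"{DOMAIN_SID}-513"
EVERYONE = "S-1-1-0"


def demo() -> dict:
    """Evaluate a constructed token against a few DACLs; returns the outcomes."""
    token = {ADMINISTRATOR, DOMAIN_USERS, EVERYONE}
    # Canonical order: the deny for Domain Users precedes the allow for Everyone
    canonical = [Ace("deny", DOMAIN_USERS, WRITE), Ace("allow", EVERYONE, READ | WRITE)]
    # Same ACEs, wrong order: the allow is reached first and the deny never matters
    noncanonical = [Ace("allow", EVERYONE, WRITE), Ace("deny", DOMAIN_USERS, WRITE)]
    return {
        "read_ok": access_check(token, canonical, READ),
        "write_denied": access_check(token, canonical, WRITE),
        "read_write_denied": access_check(token, canonical, READ | WRITE),
        "empty_dacl_denies": access_check(token, [], READ),
        "null_dacl_allows": access_check(token, None, READ | WRITE | DELETE),
        "noncanonical_write": access_check(token, noncanonical, WRITE),
        "canonicalized_write": access_check(token, canonicalize(noncanonical), WRITE),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two outcomes are the point: the same ACEs grant WRITE in one order and refuse it in the other, which is why tools that write ACLs put explicit deny entries first and why a hand-built ACL should be checked for canonical order before it is applied.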

10 Boundary of Administration, Replication, DNS Namespace
The domain administrator has the right to set policies only within that domain. So, domains are also boundaries of administration because privileges that are granted in one Domain do not extend to any other Domain. A boundary of replication. All objects that reside in a Domain are fully replicated to all Domain Controllers for that Domain. The Domain Controllers for a Domain each have a complete writeable replica of that Active Directory Partition (i.e. the Domain). A unique namespace. An Active Directory Domain is identified by a unique DNS domain name.

11 Active Directory Logical Concepts
Trees A Tree is a hierarchy of Domains forming a contiguous namespace. A contiguous namespace links a child container to its parent by adding one and only one more identifier (DNS label) to the beginning of the parent's DNS name.
SLIDE BUILDS: None
SLIDE SCRIPT: The next two logical concepts we will address are ways to group domains to form different structures. The first topic is trees. A tree is a hierarchical grouping of Domains that form a contiguous namespace. A contiguous namespace links a child container to its parent by adding one and only one more identifier to the beginning of the DNS name. For example, if the parent Domain was named COMPANY and the child Domain was named AMERICA.COMPANY, then these two domains would form a contiguous namespace. In an Active Directory Tree, transitive trust relationships link Domains such that they can be administered as a single logical unit. With bi-directional Kerberos transitive trusts, permissions can be applied to security principals throughout the Active Directory Tree. Every time a new domain is added to the tree, a transitive trust is formed between it and its parent. If domain "A" trusts domain "B", then domain "A" trusts all domains that "B" trusts. The name of an Active Directory Tree is the name of the Domain that is highest in the hierarchy. In the example shown here, the name of the Tree is COMPANY, and that Domain is referred to as the Root of the Domain Tree. All Domains in an Active Directory Tree (in fact all Domains in the Forest that contains the Tree) share the following:
Configuration. A single configuration container exists and applies to all Domains in the Active Directory Tree. The configuration container includes information about the Active Directory as a whole, including what Domains exist, what physical Sites are defined, which Domain Controllers are running in which Domains and Sites, what Services are available, and so forth. The configuration container is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to allow Domain Controllers to determine replication partners and develop a replication topology.
Global Catalog. The Global Catalog (GC) contains a partial replica of all objects in the Active Directory Tree (i.e. every object in every Domain in the Tree is represented in the Global Catalog). All GCs in an Active Directory Tree share exactly the same partial replica.
Schema. The schema is the formal definition for all Active Directory objects, including the object classes and object attributes. The schema also defines things such as whether attributes are required for particular object classes and the relationship between object classes. The schema is stored within the Active Directory and is extensible, meaning that new object classes and attributes can be added to the Active Directory. A single schema container exists and applies to all Domains in the Active Directory Tree. The schema is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to ensure consistency in the object types across the enterprise.
ADDITIONAL INFORMATION FOR PRESENTER: The name of an Active Directory Tree is the name of the Domain that is highest in the hierarchy. In the example shown here, the name of the Tree is KAPOHO.NET, and it is referred to as the Root of the Domain Tree. Diagram: KAPOHO.NET, HAWAII.KAPOHO.NET, EUROPE.KAPOHO.NET, MAUI.HAWAII.KAPOHO.NET

12 Trusts Trusts make it possible for users in one domain to be authenticated by domain controllers in a separate domain. For example, if there is a bidirectional trust relationship between the domains contoso.local and adatum.remote, users with accounts in the contoso.local domain are able to authenticate in the adatum.remote domain. By configuring a trust relationship, it’s possible to allow users in one domain to access resources in another, such as being able to use shared folders and printers or being able to sign on locally to machines that are members of a different domain than the one that holds the user’s account.

13 Windows Server 2012 R2 trust creation
Some trusts are created automatically. For example, domains in the same forest automatically trust each other. Other trusts, such as external trusts, realm trusts, shortcut trusts, and forest trusts, must be created manually. Trusts use the Kerberos V5 authentication protocol by default, and they fall back to NTLM if Kerberos V5 is not supported. You configure and manage trusts using the Active Directory Domains And Trusts console or the netdom.exe command-line utility (the netdom trust command). Forest and external trusts created this way have SID filtering enabled by default; leave it on, because disabling it allows a compromised trusted domain to present SID history entries for privileged groups of the trusting domain.

14 Transitive Trust Relationships
In an Active Directory Tree, transitive trust relationships link Domains such that they can be administered as a single logical unit. With bi-directional Kerberos transitive trusts, permissions can be applied to security principals throughout the Active Directory Tree. Every time a new domain is added to the tree, a transitive trust is formed between it and its parent. If domain "A" trusts domain "B", then domain "A" trusts all domains that "B" trusts. Diagram: A trusts B, B trusts C, therefore A trusts C.

15 Configuration. Global Catalog. Schema
All Domains in an Active Directory Tree share these three features: Configuration. A single configuration container exists and applies to all Domains in the Active Directory Tree. The configuration container includes information about the Active Directory as a whole, including what Domains exist, what physical Sites are defined, what Domain Controllers are running in what Domains and in what Sites, what Services are available, and so forth. The configuration container is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to allow Domain Controllers to determine replication partners and develop a replication topology.

16 In a multidomain Active Directory Domain Services (AD DS) forest, the global catalog provides a central repository of domain information for the forest by storing partial replicas of all domain directory partitions. These partial replicas are distributed by multimaster replication to all global catalog servers in a forest. The global catalog makes the directory structure within a forest transparent to users who perform a search. For example, if you search for all printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest. During an interactive domain logon, the domain controller authenticates the user by verifying the user's identity, and also provides authorization data for the user's access token by determining all groups of which the user is a member. Because the global catalog is the forest-wide location of the membership of all universal groups, access to a global catalog server is a requirement for authentication in a multidomain forest (Windows Server 2003 and later can instead enable universal group membership caching for a site, so that domain controllers in a site without a global catalog server can log users on from cached membership).

17 The schema is the formal definition for all AD objects, including the object classes and object attributes. The schema also defines things such as whether attributes are required for particular object classes and the relationship between object classes. The schema is stored within the AD and is extensible, meaning that new object classes and attributes can be added to the AD. A single schema container exists and applies to all Domains in the AD Tree. The schema is replicated to all Domain Controllers in all Domains in the AD Tree in order to ensure consistency in the object types across the enterprise.

18 Active Directory stores and retrieves information from a wide variety of applications and services. So that it can store and replicate data from a potentially infinite variety of sources, Active Directory standardizes how data is stored in the directory. By standardizing how data is stored, the directory service can retrieve, update, and replicate data while ensuring that the integrity of the data is maintained. The directory service uses objects as units of storage. All objects are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data. Object definitions control the types of data that the objects can store, as well as the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, Active Directory can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.
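
Added example (not code from the presentation): a small model of the schema check described on slides 17 and 18, in which the directory looks up the object definition for the class being written, applies the mustContain/mayContain rules inherited along the subclass chain, checks each value against its attribute syntax, and refuses anything that has no definition. The classes, attributes and syntax rules are a constructed subset loosely modelled on real AD names (person/user, cn, sAMAccountName, objectSid, userAccountControl, memberOf); the real schema partition is far larger and its syntaxes are OID-based.

```python
# Schema-enforcement model. Added example, not code from the presentation; the
# schema content below is a constructed subset, not the real AD schema.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Syntax checks for the handful of attribute syntaxes this model knows
SYNTAX_CHECKS = {
    "unicode": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "sid": lambda v: isinstance(v, str) and re.fullmatch(r"S-1-\d+(-\d+)+", v) is not None,
    "dn": lambda v: isinstance(v, str)
    and re.fullmatch(r"(CN|OU|DC)=[^,]+(,(CN|OU|DC)=[^,]+)*", v) is not None,
}


@dataclass
class AttributeSchema:
    name: str
    syntax: str
    single_valued: bool = True


@dataclass
class ClassSchema:
    name: str
    must_contain: Set[str] = field(default_factory=set)
    may_contain: Set[str] = field(default_factory=set)
    subclass_of: Optional[str] = None


class Schema:
    def __init__(self) -> None:
        self.attributes: Dict[str, AttributeSchema] = {}
        self.classes: Dict[str, ClassSchema] = {}

    def add_attribute(self, attr: AttributeSchema) -> None:
        if attr.syntax not in SYNTAX_CHECKS:
            raise ValueError(f"unknown syntax {attr.syntax}")
        self.attributes[attr.name] = attr

    def add_class(self, cls: ClassSchema) -> None:
        # Extending the schema: every attribute a class references must exist first
        for name in cls.must_contain | cls.may_contain:
            if name not in self.attributes:
                raise ValueError(f"class {cls.name} references undefined attribute {name}")
        if cls.subclass_of is not None and cls.subclass_of not in self.classes:
            raise ValueError(f"class {cls.name} derives from unknown class {cls.subclass_of}")
        self.classes[cls.name] = cls

    def effective(self, class_name: str) -> Tuple[Set[str], Set[str]]:
        """Union of must/may attributes along the subclass chain."""
        must: Set[str] = set()
        may: Set[str] = set()
        cls: Optional[ClassSchema] = self.classes[class_name]
        while cls is not None:
            must |= cls.must_contain
            may |= cls.may_contain
            cls = self.classes[cls.subclass_of] if cls.subclass_of else None
        return must, may

    def validate(self, obj: Dict[str, object]) -> List[str]:
        """Return the reasons the directory would reject `obj` (empty list = accepted)."""
        errors: List[str] = []
        class_name = obj.get("objectClass")
        if class_name not in self.classes:
            return [f"objectClass {class_name!r} is not defined in the schema"]
        must, may = self.effective(class_name)
        for name in must - set(obj):
            errors.append(f"missing mandatory attribute {name}")
        for name, value in obj.items():
            if name == "objectClass":
                continue
            if name not in self.attributes:
                errors.append(f"attribute {name} is not defined in the schema")
                continue
            if name not in must | may:
                errors.append(f"attribute {name} is not allowed on class {class_name}")
                continue
            attr = self.attributes[name]
            values = value if isinstance(value, list) else [value]
            if attr.single_valued and len(values) > 1:
                errors.append(f"attribute {name} is single-valued")
            for v in values:
                if not SYNTAX_CHECKS[attr.syntax](v):
                    errors.append(f"attribute {name}: {v!r} does not match syntax {attr.syntax}")
        return errors


def example_schema() -> Schema:
    """Constructed schema: a 'person' class and a 'user' subclass of it."""
    s = Schema()
    for a in (AttributeSchema("cn", "unicode"), AttributeSchema("sAMAccountName", "unicode"),
              AttributeSchema("objectSid", "sid"), AttributeSchema("userAccountControl", "integer"),
              AttributeSchema("description", "unicode"),
              AttributeSchema("memberOf", "dn", single_valued=False)):
        s.add_attribute(a)
    s.add_class(ClassSchema("person", must_contain={"cn"}, may_contain={"description"}))
    s.add_class(ClassSchema("user", must_contain={"sAMAccountName", "objectSid"},
                            may_contain={"userAccountControl", "memberOf"}, subclass_of="person"))
    return s
```

Storing a new kind of data follows the order the slide gives: define the attribute, then add it to a class's mayContain, and only then does validate() accept an object carrying it.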

19 Active Directory Logical Concepts Forests
A forest is composed of one or more trees. A set of Domains in a Forest may form either a contiguous or disjoint namespace. Transitive trust relationships exist between peer top-level domains. All Domains in a Forest share: Schema, Configuration, Global Catalog.
SLIDE BUILDS: None
SLIDE SCRIPT: A forest is composed of one or more trees. First, let's define what a forest is. A Forest is an extension of the Domain Tree concept; the only difference is that a set of Domains in a Forest may form either a contiguous or disjoint namespace. An example of a disjoint namespace is DIV1.COM and DIV2.COM (the namespace does not form a contiguous hierarchy). A Forest is named after the first Domain installed in the Forest (the Forest Root Domain). In addition to the transitive trust relationships that exist between parent and child domains, in a Forest there are also bi-directional transitive trust relationships between peer top-level domains (tree-root trusts). A Domain Tree is a specific example of a Domain Forest (in which all of the Domains in that Tree form a contiguous namespace). An enterprise directory that consists of a single Domain is another example of a Forest. In a Forest, all Domains still share a common Schema, Configuration, and Global Catalog. If the forest functional level is Windows Server 2003 or higher, forest trusts can be established to facilitate administration or resource access between domains in different forests. Unlike the trusts inside a forest, a forest trust does not extend to a third forest, and it applies SID filtering by default.
ADDITIONAL INFORMATION FOR PRESENTER: Diagram: PSP.CO.UK, KAPOHO.NET, HAWAII.KAPOHO.NET
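
Added example (not code from the presentation): a model of which account domains a given resource domain will accept logons from, applying the trust rules from slides 12 to 14 and 19 together: parent-child, tree-root and shortcut trusts chain transitively, an external trust is usable only as a single direct hop, and a forest trust joins two forests but does not extend to a third. The topology is constructed (domain names borrowed from the slides' diagrams plus invented ones); it is not any real environment.

```python
# Trust-path model. Added example, not code from the presentation; the trust
# topology in example_topology() is constructed for the demonstration.
from collections import deque
from typing import Dict, List, Tuple

# Trust kinds that Windows treats as transitive
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}

Trusts = Dict[str, List[Tuple[str, str]]]   # trusting domain -> [(trusted domain, kind)]


def add_trust(trusts: Trusts, trusting: str, trusted: str, kind: str,
              bidirectional: bool = True) -> None:
    """Record that `trusting` (resource side) trusts `trusted` (account side)."""
    trusts.setdefault(trusting, []).append((trusted, kind))
    if bidirectional:
        trusts.setdefault(trusted, []).append((trusting, kind))


def trusted_domains(trusts: Trusts, resource_domain: str) -> Dict[str, List[str]]:
    """Map each domain whose principals `resource_domain` accepts to the trust path used.

    A path may chain only transitive trusts, may cross at most one forest trust,
    and a non-transitive (external/realm) trust is usable only as the single,
    direct hop from the resource domain itself.
    """
    reachable: Dict[str, List[str]] = {}
    queue = deque([(resource_domain, 0, [resource_domain])])
    seen = {(resource_domain, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        for nxt, kind in trusts.get(domain, []):
            if nxt == resource_domain:
                continue
            if kind not in TRANSITIVE and domain != resource_domain:
                continue                   # cannot chain through a non-transitive trust
            hops = forest_hops + (1 if kind == "forest" else 0)
            if hops > 1:
                continue                   # a forest trust does not reach a third forest
            reachable.setdefault(nxt, path + [nxt])
            if kind in TRANSITIVE and (nxt, hops) not in seen:
                seen.add((nxt, hops))
                queue.append((nxt, hops, path + [nxt]))
    return reachable


def example_topology() -> Trusts:
    """Constructed topology: forest 1 (kapoho.net tree plus the psp.co.uk tree),
    forest 2 (contoso.local), forest 3 (fabrikam.com) and a standalone legacy domain."""
    t: Trusts = {}
    add_trust(t, "kapoho.net", "hawaii.kapoho.net", "parent-child")
    add_trust(t, "hawaii.kapoho.net", "maui.hawaii.kapoho.net", "parent-child")
    add_trust(t, "kapoho.net", "psp.co.uk", "tree-root")
    add_trust(t, "contoso.local", "sales.contoso.local", "parent-child")
    add_trust(t, "kapoho.net", "contoso.local", "forest")        # forest 1 <-> forest 2
    add_trust(t, "contoso.local", "fabrikam.com", "forest")      # forest 2 <-> forest 3
    add_trust(t, "maui.hawaii.kapoho.net", "legacy.nt", "external", bidirectional=False)
    return t


if __name__ == "__main__":
    paths = trusted_domains(example_topology(), "maui.hawaii.kapoho.net")
    for account, path in sorted(paths.items()):
        print(f"{account:26s} via {' -> '.join(path)}")
```

Running it for maui.hawaii.kapoho.net lists every domain of its own forest, contoso.local and sales.contoso.local through the forest trust, and legacy.nt through the direct external trust, but not fabrikam.com; run it for hawaii.kapoho.net and legacy.nt disappears, because the external trust does not chain.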

20 Active Directory Logical Concepts Organizational Units
Organizational Units – or OUs – are containers that are used to organize objects within a Domain. For example, OUs can contain Users, Computers, Groups, Printers, File Shares and other OUs. OUs can be logically structured into a hierarchy that models the business. They are distinct logical administrative units that can be used to: 1.) delegate administration within a domain; 2.) apply policies to objects (such as Users or Computers) as a group. The OU hierarchy within a particular Domain is independent of the OU hierarchy in any other Domain (it is unique to the domain). Each Domain can implement its own OU hierarchy. OUs are represented by circles within a Domain. Note that an OU is not a security principal: you cannot grant permissions to an OU, and delegating control over an OU grants rights over every object beneath it, so anyone who can write to an OU (or to a GPO linked to it) effectively controls the users and computers it contains.
KEY MESSAGE: Describe Organizational Units
SLIDE BUILDS: None
SLIDE SCRIPT: As on the slide: Organizational Units are containers used to organize objects within a Domain, can be structured into a hierarchy that models the business, and are used to delegate administration within a domain and to apply policies to objects as a group. The OU hierarchy within a particular Domain is independent of the OU hierarchy in any other Domain; each Domain can implement its own OU hierarchy.

21 Agenda Active Directory Logical Concepts
Active Directory Physical Concepts
SLIDE BUILDS: None
SLIDE SCRIPT: So let's move on to the Physical concepts.
SLIDE TRANSITION: Let's start with the Security Model.

22 Active Directory Physical Concepts Domain Controllers
(a) Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs); (b) Domain Controllers (DCs)
KEY MESSAGE: In an Active Directory world, we have moved away from the Primary Domain Controller into the multi-master environment of Domain Controllers
SLIDE BUILDS: 1
SLIDE SCRIPT: [BUILD 0] No matter what type of domain structure you run, there is a Domain Controller, and more than likely there is more than one of them. These Domain Controllers hold a copy of the directory. In NT 3.51 and 4.0 there are two types, a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs). The copies of the directory database these machines hold, usually referred to as the SAM (Security Accounts Manager) database, allow users to be authenticated in the domain. This design is a single-master system because only the PDC holds a read/write copy of the directory. What this means is that, if a user wants to change his or her password, that change is performed on the PDC, regardless of which machine authenticated the user. In the case where a user is authenticated by a BDC, that BDC sends the change to the PDC to update the SAM, and the SAM is then replicated back to the BDCs. The BDCs never write to their copy of the SAM outside the replication process. [BUILD 1] In an Active Directory environment there is no single "PDC" and no "BDC". All machines that participate in the authentication process are simply called Domain Controllers. They all hold copies of the Directory, they can all write to that copy, and they all replicate with each other.
ADDITIONAL INFORMATION FOR PRESENTER: Backup Domain Controllers (BDCs); Read-Only Domain Controllers (RODCs) in Windows Server 2008

23 No matter what type of domain structure you run, there is a Domain Controller, and more than likely there is more than one of them. These Domain Controllers hold a copy of the directory. In Windows NT 3.51 and 4.0 (approach (a)) there were two types, a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs). The copies of the directory database these machines hold allow users to be authenticated in the domain. This design is a single-master system because only the PDC holds a read/write copy of the directory. What this means is that, if a user wants to change his or her password, that change is performed on the PDC, regardless of which machine authenticated the user. In the case where a user is authenticated by a BDC, that BDC sends the change to the PDC, which then replicates it back to the BDCs. From Windows 2000 onward (approach (b)) every Domain Controller holds a writeable copy and replicates with its peers (multi-master). Read-Only Domain Controllers (RODCs), introduced in Windows Server 2008, resemble BDCs in that they hold a read-only replica and cannot originate changes (writes are referred to a writeable DC), but they are not simply a new name for BDCs: an RODC takes inbound replication only, by default caches no account passwords at all, and caches only the credentials its Password Replication Policy allows, so a compromised RODC in a branch office exposes far fewer credentials than a stolen BDC, which held the whole SAM.

24 Domain Controller Roles
A domain controller is a server that is running a version of the Windows Server® operating system and has Active Directory® Domain Services installed. When you install Windows Server on a computer, you can choose to configure a specific server role for that computer. When you want to create a new forest, a new domain, or an additional domain controller in an existing domain, you configure the server with the role of domain controller by installing AD DS. By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest.  There are also specialized domain controller roles that perform specific functions in an AD DS environment. These specialized roles include global catalog servers and operations masters.

25 1) The global catalog makes it possible for clients to search AD DS without having to be referred from server to server until a domain controller that has the domain directory partition storing the requested object is found. By default, AD DS searches are directed to global catalog servers. The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other domain controllers to be global catalog servers if they are needed. 2) Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. AD DS defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master.

26 Active Directory Physical Concepts Sites
What is a Site? A set of well-connected IP subnets. Site usage: locating services (e.g. logon), replication, Group Policy application. Sites are connected with Site Links; a Site Link connects two or more sites.
KEY MESSAGE: Describe the Site Concept.
SLIDE BUILDS: None
SLIDE SCRIPT: So what is a site? An Active Directory Site is a set of TCP/IP subnets that are considered to be "well-connected". Well-connected generally implies high-bandwidth LAN connectivity (10 Mbps minimum in the original guidance), possibly involving several hops through routers. Sites are used in the Active Directory as follows. Sites (a physical construct) are not part of the Active Directory namespace (a logical construct). Sites may span multiple Domains. Similarly, Domains may span multiple Sites. Sites serve three main purposes.
First, sites are used to locate services such as logon and DFS. When a client requests a connection to a DC at logon (and to a Global Catalog for universal group membership information), sites are used to preferentially connect the client to a Domain Controller within the same site. If there are no Domain Controllers in a site with clients, then another site that does have Domain Controllers can provide "coverage" for the client site. Site links each have a logical cost assigned to them. A client searching for the closest DC to log on to will first look for a DC (and GC) in its own site. If none exists, it will look for a DC in the site reachable over the lowest-cost site link. When a client requests a connection to a service such as a DFS replica, sites are likewise used to locate and connect to a replica within the same site.
Second, sites are used to control replication throughout an enterprise. The Active Directory automatically creates more replication connections between Domain Controllers in the same site than between Domain Controllers in different sites. This results in lower replication latency within a site and lower replication bandwidth between sites. Replication traffic between Domain Controllers in different sites is compressed to roughly 10-15% of its original size, resulting in less network bandwidth utilization over the slower links between sites.
Finally, Group Policy objects can be linked to Sites (or, more specifically, to Computer objects that reside in Sites) as a group. Because Sites are forest-wide objects, a Site-linked GPO applies to computers from every Domain present in that Site.
Sites are connected using Site Links. Active Directory Site Links are used to define connections between Sites, and together they represent the physical network. A Site Link represents a set of Sites that can communicate with one another. For example, two Sites that are connected with a point-to-point T1 might be represented by a single Site Link. On the other hand, a set of buildings (each in its own Site) that are connected to each other over an ATM backbone might be represented by a Site Link that contains all of those buildings (i.e. Sites). Similarly, a full mesh Frame Relay network might be represented with a single Site Link, assuming each of the Sites had equal-cost connectivity to every other Site.

27 Active Directory Physical Concepts Site Topology
DC = Domain Controller; GC = Global Catalog DC
KEY MESSAGE: Explain how Sites and Domains interact
SLIDE BUILDS: None
SLIDE SCRIPT: Because a Site is a physical construct, there can be overlap with domains, which are a logical construct. A Site can therefore contain an entire domain, or only part of a domain, or even multiple domains. As we see here: Site A contains a DC from the root domain company.com and a DC from the child domain america.company.com. Site B contains a DC only from america.company.com. Site C contains DCs from europe.company.com and the root company.com. This is one of the main concepts to remember and one people get confused on: Domains are logical structures, sites are physical structures.
SLIDE TRANSITION: In the example here we have this box called GC, which stands for Global Catalog. The Global Catalog is an important part of the Active Directory, so let me explain what it is.
ADDITIONAL INFORMATION FOR PRESENTER: Diagram labels: GC, DC, Site A, Site B, Site C, company.com, america.company.com, europe.company.com

28 Understanding Sites, Subnets, and Site Links
So what is a site? An Active Directory Site is a set of TCP/IP subnets that are considered to be "well-connected". Well-connected generally implies high-bandwidth LAN connectivity, possibly involving several hops through routers. Sites are used in the Active Directory as follows: Sites (a physical construct) are not part of the Active Directory namespace (a logical construct). Sites may span multiple Domains. Similarly, Domains may span multiple Sites. Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object.

29 Sites help facilitate several activities, including:
Replication. AD DS balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a site whenever data is updated and between sites according to a configurable schedule.
Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.
Service location. Other services, such as Active Directory Certificate Services (AD CS), Exchange Server, and Message Queuing, use AD DS to store objects that can use site and subnet information, which makes it possible for clients to locate the nearest service providers more easily.
Group Policy. Group Policy objects can be linked to Sites (or, more specifically, to Computer objects that reside in Sites) as a group.

30 Associating sites and subnets
A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.

31 Assigning computers to sites
Server objects are created in AD DS by applications or services, and they are placed into a site based on their IP address. When you add the Active Directory Domain Services server role to a server, a server object is created in the AD DS site that contains the subnet to which the server's IP address maps. If the domain controller's IP address does not map to any site in the forest, the domain controller's server object is created in the site of the domain controller that provides the replication source for AD DS. A client is not assigned to a site statically: at logon the domain controller matches the client's IP address against the subnet objects in the directory and returns the client's site name, which the client caches and uses to find nearby domain controllers. If the client's address matches no subnet, the domain controller cannot return a site name, the client falls back to the non-site-specific records, and the domain controller logs such clients so that the missing subnets can be added.

32 Locating domain controllers by site
Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names (the site-specific records live under _sites.dc._msdcs.<domain>), and host (A) resource records that identify their IP addresses. When a client needs a domain controller, it queries the SRV record for the site it was last told it belongs to. DNS returns the domain controllers registered for that site, or, where the client's site has no domain controller, the domain controllers of the closest site, which register records for the uncovered site through automatic site coverage. The client then resolves the returned host name to an IP address and connects to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.

33 Connecting sites with site links
Active Directory Site Links are used to define connections between Sites, and together they represent the physical network. Networks usually consist of a set of local area networks (LANs) that are connected by WANs. In AD DS, site link objects represent the WAN connections between sites. Whereas replication within a site is triggered automatically when a directory update occurs, replication between sites (over slower, more expensive WAN links) is scheduled: by default a site link is available around the clock and replication occurs every 180 minutes (3 hours). You can change the schedule so that replication is allowed only during the periods you specify, and at the intervals you specify, to control WAN link traffic. Each site link also carries a cost, and the lowest-cost path between sites determines both the replication topology and which site covers clients whose own site has no domain controller.
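
Added example (not code from the presentation): a model of the site logic from slides 26 and 30 to 33, in one place: a client's IP address is matched to a site by longest-prefix match over the subnet objects; if that site has no domain controller, the cheapest connected site that has one is chosen by site-link cost (the rule automatic site coverage uses); and the SRV record name the client would then query is built, falling back to the non-site-specific record when the address matches no subnet. The subnets, site names, site-link costs and the domain name kapoho.net are constructed. In a real network the client does not compute this itself: a domain controller tells it its site name, and the covering site's domain controllers publish the site-specific records for it.

```python
# Site assignment and DC-locator model. Added example, not code from the presentation;
# the subnets, sites, site links and domain name below are constructed.
import heapq
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

SiteLink = Tuple[str, int, Set[str]]   # (link name, cost, member sites)


def site_for_ip(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of `ip` against subnet -> site; None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def adjacency(site_links: Iterable[SiteLink]) -> Dict[str, List[Tuple[str, int]]]:
    """Every pair of sites on the same site link can reach each other at that link's cost."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for _, cost, members in site_links:
        for a in members:
            for b in members:
                if a != b:
                    adj.setdefault(a, []).append((b, cost))
    return adj


def nearest_site_with_dc(start: str, site_links: Iterable[SiteLink],
                         sites_with_dcs: Set[str]) -> Optional[Tuple[str, int]]:
    """Dijkstra over site-link costs: the cheapest reachable site that has a DC, or None."""
    adj = adjacency(site_links)
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue
        if site in sites_with_dcs:
            return site, d
        for nxt, cost in adj.get(site, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None


def dc_srv_name(domain: str, site: Optional[str] = None) -> str:
    """Name of the LDAP SRV record a client queries; site-specific when a site is known."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def locate_dc_query(ip: str, domain: str, subnets: Dict[str, str],
                    site_links: Iterable[SiteLink], sites_with_dcs: Set[str]) -> str:
    """The SRV name a client at `ip` ends up querying for a DC of `domain`."""
    site = site_for_ip(ip, subnets)
    if site is None:
        return dc_srv_name(domain)          # unknown subnet: any DC in the domain may answer
    covered = nearest_site_with_dc(site, site_links, sites_with_dcs)
    return dc_srv_name(domain, covered[0] if covered else None)


# Constructed topology: Lab is a /24 carved out of HQ's /16; Branch and Lab have no DCs
SUBNETS = {"10.1.0.0/16": "HQ", "10.1.200.0/24": "Lab", "10.2.0.0/16": "Branch", "10.3.0.0/16": "DR"}
SITE_LINKS: List[SiteLink] = [("HQ-Branch", 100, {"HQ", "Branch"}), ("Branch-DR", 40, {"Branch", "DR"}),
                              ("HQ-DR", 50, {"HQ", "DR"}), ("HQ-Lab", 10, {"HQ", "Lab"})]
SITES_WITH_DCS = {"HQ", "DR"}
DOMAIN = "kapoho.net"

if __name__ == "__main__":
    for client in ("10.1.5.5", "10.1.200.7", "10.2.3.4", "192.168.1.1"):
        print(client, "->", locate_dc_query(client, DOMAIN, SUBNETS, SITE_LINKS, SITES_WITH_DCS))
```

The Branch client is the interesting case: its own site has no domain controller, and the cheaper Branch-DR link (cost 40) sends it to DR rather than to HQ (cost 100), which is exactly the outcome you steer by editing site-link costs. The 192.168.1.1 client lands on the generic record, which is the symptom that a missing subnet object produces.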

