1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 1: Introduction to Active Directory

2. The world before the Active Directory
The overwhelming majority of network today run without any single unified directory service. Many companies store information in various disconnected system. For example:
Companies record data about its employees in a human resource database.
While network account reside on a Windows NT 4 domain controller.
Other information such as security setting for applications- reside within various other systems.
And there’s always the classic: paper-based forms!

3. Windows NT to the rescue!
Windows NT is a NOS (Networking Operating System)
Goal of Windows NT was to bring security, organization, and accessibility to information throughout a company’s network.
GUI interface got rid of cryptic command-line interfaces and it simplified management.
Windows NT offered reliability, scalability, performance, and flexibility and compatibility with a large installed base of current software products.

4. Domain Model in Windows NT 4
1 Domain Controller per network (PDC)
Several Backup Domain Controller (BDC)
All network security accounts are stored within PDC. To improve performance and reliability the database is replicated to BDC.
There can only be one master copy of the account databases. This copy resides in the PDC. All user and security account changes must be recorded by the PDC.
This model only works well for small – to – medium sized organizations.

5. Domain Model in Windows NT 4

6. Limitations of Windows NT 4
Multiple Domain are complicated and management intensive.
Trust relationship can grow out of control!
Flat entities, cannot be organized in hierarchical fashion (using sub domain for admin purposes)
No allowing of nesting of users and groups.
Extremely tedious and error prone when setting permissions. (because above bullet item)

7. Limitations of Windows NT 4 (Cont.)
Security allowed for complete control over the domain controller. Some users had too much permissions. (This poses several potential problems – both business and technical)
Nevertheless, Windows NT 4 provided an excellent solution to many business. But as with almost any technical solution, there were areas which improvements could be made.

8. Active Directory Design
Before setting up a server environment, you must design a suitable Active Directory. Several choices need to be made and many consideration to take into account:
Political Issues
How does current business operate – as single, independent business or centralized environment? Who will be responsible for administering portions of network?
Network Issues
Types of connections between remote offices? How reliable are connections? What are domain name requirements?
Organizational Issues
How are the areas of the business structured? For example, do the department operate individually, with separate networks administrators for each department? Or is the environment much more centralized?

9. Planning and Implementing an Active Directory Infrastructure
Most crucial step
Poor planning may cause poor performance
Must consider pre-existing network, hardware, etc.

10. Managing and Maintaining an Active Directory Infrastructure
Small changes are constantly required
Upgrades involve changes
Regular maintenance ensures good performance
Troubleshooting required when problems occur

11. Planning and Implementing User, Computer, and Group Strategies
Authentication
Identifying user to network
Password is most common method
Authorization
Determines what resources user can access
Users are typically grouped together for authorization

12. Planning and Implementing Group Policy
Used to manage the way workstations, servers, and user environments behave
Examples:
Require all communications between clients and servers to be encrypted
Control how user’s desktop appears
Perform maintenance tasks

13. Planning and Implementing Group Policy (continued)
Examples:
Deploy applications to computers or users throughout the network
Influenced by:
User requirements
Corporate policies
Network design
Who manages policies

14. Managing and Maintaining Group Policy
Changes to policies and troubleshooting result of policies may be required.
Updates can be applied to computers that had applications installed via group.
Example. Older version of antivirus on machines installed can be upgraded via group policy to newer version.

15. Windows Networking Concepts Overview
Network models:
Domain
Workgroup
Windows Server 2003 system roles:
Standalone server
Member server
Domain controller

16. Workgroups Logical group of computers
Characterized by decentralized security and administration model
Every computer holds own security database
Known as Security Accounts Manager (SAM) database
Each computer must authenticate users independently

17. Workgroups (continued)
Benefits
Simple
Does not explicitly require a server
Drawbacks:
Time consuming to manage
Windows 2003 server participates as standalone server

18. Workgroup Security Model

19. Domains Logical group of computers
Characterized by centralized authentication and administration
All domain computers use centralized security database
Domain controllers (DC)
Special server
Responsible for managing security database
Responsible for authenticating users on domain

20. Domains (continued) Active Directory
Stored on one or more computers configured as domain controllers
DC can be:
Windows 2000 Server
Windows Server 2003

21. Domain Security Model

22. Domains Other domain computers:
“domain members"
“member servers”
Can authorize access to a particular resource based on the domain authentication
Highly recommended in environment that consists of more than 10 users or workstations

23. Domains (continued)
Requires at least one server configured as domain controller
Additional expense
Minimum of two domain controllers preferred
Provides fault tolerance
Load balancing

24. Logging on to a Domain

25. Domains Member servers:
Windows Server 2003 system that has computer account in a domain
Not configured as a domain controller
Used for wide variety of functions including:
File server
Print server
Application server

26. Domains (continued) Member servers: Domain controller:
Commonly host network services such as:
Domain Name Service (DNS)
Dynamic Host Configuration Protocol (DHCP)
Domain controller:
Windows Server 2003 system
Explicitly configured to store copy of Active Directory database
Responsible for servicing user authentication requests and queries about domain objects

27. Introduction to Windows Server 2003 Active Directory
Native directory service included with Windows Server 2003 operating systems
Provides:
Central point for:
Storing
Organizing
Managing
Controlling network objects
Single point of administration of objects

28. Introduction to Windows Server 2003 Active Directory (continued)
Provides:
Logon and authentication services for users
Delegation of administration
Each domain controller has writeable copy of directory database
Make Active Directory changes to any domain controller
Changes are replicated to all other domain controllers

29. Introduction to Windows Server 2003 Active Directory (continued)
Multi-master replication
Provides form of fault tolerance
DNS:
Used maintain domain-naming structures
Locate network resources

30. Active Directory Objects
Represents network resources such as:
Users
Groups
Computers
Printers
Various attributes are assigned to objects
Examples: 1st name, last name, user logon, etc.

31. User Object

32. Active Directory Schema
Defines all of objects and attributes available in Active Directory
Only one schema for each Active Directory implementation
Consists of two main definitions:
Object classes
example: users, printers
Attributes
example: description to maintain consistency.

33. Active Directory Logical Structure and Components
Logical components:
Domains and Organizational Units
Trees and Forests
Trusts

34. Domains and Organizational Units
Logically structured organization of objects
Part of a network
Share common directory database
Has unique name
Organized in levels
Administered as a unit with common rules and procedures
Provides administrative benefits

35. Domains and Organizational Units (continued)
Organizational unit (OU)
Logical container
Used to organize objects within a single domain
Stores objects such as:
Users
Groups
Computers
Other organizational units
Ability to delegate administrative control over OU
Example: Organize users based on department in which they work! Delegate admin rights / permissions to add and remove users within OU

36. Domains and Organizational Units (continued)

37. Trees and Forests Reasons for multiple domains: Forest root domain
Geographic separation
Different password policies.
Large number of objects
Replication performance
Forest root domain
First domain defined in deployment

38. Trees and Forests (continued)
Hierarchical collection of domains
Share contiguous DNS namespace
Forest
Collection of trees
Do not share contiguous DNS naming structure

39. Trees

40. Forests

41. Trusts Two-way, transitive trust relationship
Automatically created for child domain
Transitive trust
All other trusted domains implicitly trust one another

42. Activity 1-4: Creating a Child Domain in an Existing Domain Tree
Objective: Promote a member server to a domain controller for a new child domain in an existing domain tree
Use the Active Directory Installation Wizard or the Configure Your Server Wizard to create a domain

43. Child Domain Installation Window

44. Active Directory Communications Standards
DNS naming standard
Hostname resolution
Provides information on location of network services and resources
Lightweight Directory Access Protocol (LDAP)
Used to query or update Active Directory database
Naming paths:
Distinguished name
Relative distinguished name

45. Active Directory Physical Structure
Make sure any modification to database is replicated as quickly as possible
Design topology so that replication does not saturate available network bandwidth
Control logon traffic
See page 25: Logical vs. Physical Structure.

46. Active Directory Physical Structure (continued)
Site
Combination of one or more Internet Protocol (IP) subnets
Connected by high-speed connection
Site link
Configurable object
Represents connection between sites

47. Site Structure

48. Global Catalog Used primarily for:
Finding Active Directory information from anywhere in forest
Universal group membership information
Authentication services
Directory lookup requests from Exchange 2000/2003
First domain controller in Active Directory automatically becomes Global Catalog server

49. New Active Directory Features in Windows Server 2003
Windows Server 2003 brings new features and capabilities
Primary benefits:
Flexibility
Lower the total cost of ownership (TCO)

50. Deployment and Management
Active Directory Migration Tool (ADMT) 2.0
Domain Rename
Schema Redefine

51. Security Cross-forest Trust Credential Manager
Software Restriction Policies

52. Performance and Dependability
Universal Group Caching
Application Directory Partitions
Install Replica from Media