active dir of windows server 2000 series

Editor's Notes

• #2: Active Directory’s Logical Structure Domain - The core structural unit of an Active Directory Contains OUs and represents administrative, security, and policy boundaries Small to medium companies usually have one domain; larger companies may have several domains to separate geographical regions or administrative responsibilities
• #3: Active Directory’s Logical Structure A tree is a grouping of domains that share a common naming structure Can consist of a parent domain and possibly one or more child domains Forest - A collection of one or more Active Directory trees that provide a common Active Directory environment All domains in all trees can communicate and share information Can consist of a single tree with a single domain, or it can contain several trees, each with a hierarchy of parent and child domains
• #4: Figure 6-4 An Active Directory forest
• #5: Installing Active Directory The Windows Active Directory service is commonly referred to as Active Directory Domain Services (AD DS) To install AD DS, use Server Manager If DNS is not already present on the network, you must install the DNS Server Role. After role is installed, you must configure Active Directory Click the notifications flag in Server Manager and click “Promote this server to a DC”
• #6: Installing Active Directory In the Deployment Configuration window, select from these options: Add a domain controller to an existing domain Add a new domain to an existing forest Add a new forest (choose this if it is the first DC in the network) Next, you’re prompted for the fully qualified domain name (FQDN) for the new forest root An FQDN is a domain name that includes all parts of the name
• #7: Installing Active Directory In the Domain Controller Options window you will: Choose the forest and domain functional levels Select domain controller capabilities Domain Name System (DNS) server Global Catalog (GC) Read only domain controller (RODC) Enter a password for Directory Services Restore Mode (DSRM) A boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally
• #8: Figure 6-6 Choosing the forest and domain functional levels
• #9: Installing Active Directory In the DNS options window, you must: Create the DNS delegation, which allows Windows to create the necessary records on the DNS server for the new domain In the Path window, you: Specify the location of the Active Directory database, log files, and SYSVOL folder Next, review your selections in the Review Options window Windows then does a prerequisite check before starting the Active Directory installation
• #10: Figure 6-8 The Prerequisites Check window
• #11: Installing Additional Domain Controllers in a Domain Microsoft recommends at least two DCs in every domain For fault tolerance and load balancing Installing additional DC in an existing domain is not unlike installing the first DC Biggest difference is that you select “Add a domain controller to an existing domain” instead of “Add a new forest”
• #12: Installing Additional Domain Controllers in a Domain When a new DC is added, you need to know the answers to the following questions: Should you install DNS? Should the DC be a global catalog (GC) server? Should this be a read only domain controller (RODC)? In which site should the DC be located?
• #13: Installing a New Domain in an Existing Forest Two variations to adding a domain to an existing forest: Add a child domain - you’re adding a domain that shares at least the top-level and second-level domain name structure as an existing domain in the forest Add a new tree - you’re adding a new domain with a separate naming structure from any existing domains in the forest
• #14: Figure 6-9 Adding a new child domain in an existing forest
• #15: What’s Inside Active Directory Explore Active Directory using the Active Directory Administrative Center (ADAC) or Active Directory Users and Computers MMC Use ADAC to perform the following AD tasks: Create and manage users, group, and computer accounts Manage OUs Connect to other domain controllers in the same or a different domain Change the domain’s functional level and enable the AD Recycle Bin
• #16: Figure 6-15 The Active Directory Users and Computers MMC
• #17: The Active Directory Schema An object is a grouping of information that describes a network resource The schema defines the type, organization, and structure of data stored in the AD database Schema classes define the types of objects that can be stored in Active Directory Schema attributes define what type of information is stored in each object The information stored in each attribute is called the attribute value
• #18: Figure 6-16 Schema classes, schema attributes, and Active Directory objects
• #19: Active Directory Container Objects A container object contains other objects Used to organize and manage users and resources on the network Can also act as administrative and security boundaries Three container objects are found in AD: Organizational Units Folder Objects Domain objects
• #20: Organizational Units An OU is a primary container object for organizing and managing resources in a domain OUs can organize multiple objects into logical administrative groups that can be configured with specific policies relevant to that group Authority of an OU can be delegated Nesting OUs can build a hierarchical Active Directory structure that mimics the corporate structure for easier object management
• #21: Folder Objects Five are created by default: Builtin - houses default groups created by Windows Computers - default location for computer accounts created when a new computer or server becomes a domain member Foreign Security Principals - contains user accounts from other domains added as members of the local domain’s groups Managed Service Accounts - created specifically for services to access domain resources Users - Stores two default users (Administrator and Guest) and several default groups
• #22: Domain Objects Core logical structure in AD, contains OU and folder container objects, as well as leaf objects Larger companies may use multiple domains to separate administration, define security boundaries, and define policy boundaries Each domain object has a default GPO linked to it that can affect all objects in the domain
• #23: Active Directory Leaf Objects A leaf object doesn’t contain other objects and usually represents one of the following: Security account Network resource GPO Security account objects include users, groups, and computers Network resource objects include servers, domain controllers, file shares, printers, etc.
• #24: User Accounts User account object contains information such as group memberships, account restrictions, profile path, and dial-in permissions Authentication confirms a user’s identity The account is then assigned permissions and rights Local user account - authorized to access resources only on that computer Domain user account - provides a single logon for users to access all resources in the domain Windows creates two built-in user accounts Administrator and Guest
• #25: Groups A group object represents a collection of users with common permissions or rights Permissions - define which resources users can access and what level of access they have Right - specifies what types of actions a user can perform on a computer or network Groups are used to assign members permissions and rights More efficient than assigning permissions and rights to each user separately
• #26: Computer Accounts A computer account object represents a computer that’s a domain controller or domain member Used to identify, authenticate, and manage computers in the domain Computer accounts are created automatically when AD is installed on a server The computer account object’s name must match the name of the computer that the account represents
• #27: Other Leaf Objects Other leaf objects commonly created in AD: Contact - a person associated with the company but not a network user Printer - represents a shared printer in the domain Shared folder - represents a shared folder on a computer in the network
• #28: Locating Active Directory Objects Active Directory objects can be searched for using the Find Users, Contacts, and Groups dialog box You can search a single domain or an entire directory (all domains) Not all objects are available to all users Depends on the object’s security settings and its container
• #29: Working with Forests, Trees, and Domains Smaller organizations most likely focus on OUs and their child objects Larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests The first domain controller creates more than just a new domain, it also creates a new tree and the root of a new forest May eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure
• #30: Active Directory Replication Replication is the process of maintaining a consistent database of information when the database is distributed among several locations Intrasite replication - replication between domain controllers in the same site Intersite replication- occurs between two or more sites Multimaster replication - used by AD for replacing AD objects Knowledge Consistency Checker (KCC) runs on all DCs to determine the replication topology Defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs
• #31: Directory Partitions Directory partition - each section of an Active Directory database There are five directory partition types in the AD database: Domain directory partition - contains all objects in a domain, including users, groups, computers, OUs, and so forth Schema directory partition - contains information needed to define AD objects and object attributes Global catalog partition - holds the global catalog, which is a partial replica of all objects in the forest Application directory partition - used by applications and services to hold information that benefits from Configuration partition - holds configuration information that can affect the entire forest
• #32: Operations Master Roles Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function The first domain controller in the forest generally takes on the role of the operations master If necessary, responsibility for these roles can be transferred to another domain controller
• #33: Operations Master Roles 5 operations master roles referred to as Flexible Single Master Operation (FSMO) roles: Schema Master Infrastructure master Domain Naming master RID master PDC Emulator master When removing DCs from a forest, be careful that these roles are not removed from the network accidentally