Active directory installation windows 2003 1
- 1. Active Directory Installation Windows 2003
- 2. Contents History Active directory Objectives of AD Framework of AD Logical Structure Forest Domain Tree Domains Domain Controllers
- 3. Contents Organizational Units Trust Relationship Group Policies Naming in AD AD Database Active Directory installation
- 4. HISTORY Active Directory (AD) is a technology created by Microsoft Active Directory was previewed in 1996 First release with Windows 2000 Server edition Revised to extend functionality in Windows Server 2003.
- 5. Active Directory An 'Active Directory' (AD) structure is a hierarchical framework of objects. Object: represents a single entity, has a unique name and a set of attributes — whether a user, a computer, a printer, or a group — and its attributes. All objects have an ID Active Directory stores information and settings in a central database.
- 6. Active Directory Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Administrator can easily update all end users computers with new software, patches, files, etc simply by updating one object A network administrator can easily clear a person on a set tree or instantly give access to some users for certain applications or deny access to certain users for others.
- 7. Logical Structure The forest, tree, and domain are the logical parts in an AD network. Forest: At the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules. Domain Tree: is a collection of one or more domains. A tree structure is formed by adding child domains.
- 8. Domains Computer systems and network resources that share a common logical security boundary. Maintains their own security policies and security relationships with other domains. Sometimes created to define functional boundaries such as an administrative unit (e.g., marketing verses engineering).
- 9. Domains cont.. Domains are identified by their DNS name structure Physically the Active Directory information is held on one or more equal peer domain controllers (DCs)
- 10. Domain controllers (DCs) Each DC has a copy of the AD; changes on one computer being synchronized (converged) between all the DC computers by multi-master replication . Each domain controller has the following information as part of its Active Directory: Data on every object within the particular domain. A listing of all domains in the tree and forest.
- 11. Organizational Units The objects held within a domain can be grouped into containers called Organizational Units (OUs). It is used for ease of administration and to create an AD structure in the company’s geographic or organizational terms
- 12. Trust Relationships To allow users in one domain to access resources in another, AD uses trusts. Within a single forest, implicit trusts are created when a domain is created. By default, domains have an implicit two-way transitive trust created. A user in domain A can access resources permitted to him in domain B while a user in domain B can access resources permitted to her in domain A
- 14. Groups Policies The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs) Applied to domain , organizational units, users. Administrator can control all the users ,computer , and the delivery of applications.
- 15. When Does Group Policy Get Applied? Windows 2003: Applies Computer Settings from Group Policies Windows 2003: Applies User Settings from Group Policies Computer Starts User Logs On
- 16. Where Does My Policy Come From? for user/computer Policy is inherited “ Closer" settings override “ farther” ones Domain OU 1 2 OU 3
- 17. Naming in AD Every object has a Distinguished name (DN) So a printer object called HPLaser3 in the OU Marketing and the domain foo.org, would have the DN: CN(Comon name)=HPLaser3, OU=Marketing, DC=foo, DC=org The object can also have a Canonical name , foo.org/Marketing/HPLaser3. Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD for search and replication.
- 18. FSMO Roles Flexible Single Master Operations ( FSMO , sometimes pronounced "fizz-mo") roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:
- 19. Role Scope Description Schema Master 1 per forest Controls and handles updates/modifications to the Active Directory schema. Domain Naming 1 per forest Controls the addition and removal of domains from the master forest if present in root domain PDC Emulator 1 per domain Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDCs also run domain specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain. RID Master 1 per domain Allocates pools of unique identifier to domain controllers for use when creating objects Infrastructure 1 per domain Synchronizes cross-domain grouup membership Master changes. The infrastructure master cannot run on a global catalog server (GCS) (unless all DCs are aslo GCs)
Editor's Notes
- #16: Key Talking Point: In Windows 2000, policies can be applied to a computer, or they can be applied to a user. The policy will be run at different times for each group. A computer policy will be processed when the system is turned on. Per-computer settings are stored in HKLM, and are common to all users. When a user logs into a computer all of his user policies are processed before he can work on the system. User policies are applied to HKCU in the registry, are will vary depending on the user account.
- #17: Segue: Group Policy Objects are applied to users based on their membership in the Active Directory. Key Talking Points: A user or computer object in Active Directory can have more than one policy apply to it. Group Policy Objects can be created at the site, domain, and OU level, and all of these settings are applied together to the user or computer. Policy settings are inherited from higher level containers to lower level ones. The settings are cumulative, except when two policy settings contradict each other. When settings from two policy objects contradict each other, then the settings from the most specific policy “wins”. For instance, if a domain-level policy says to hide the “Run” command from the start menu, but a policy object created for marketing users says specifically to show it, then the run menu will be shown.