ad-2k3 training
TRANSCRIPT
Active Directory – 2003
A/NZ – Intel Pool - 5 13/02/2010 © 2007 IBM Corporation
Active Directory 2003
Dominic
Motto of this day
Learn the fundamentals of Active Directory 2K3. Experience the learning. Learn from others' questions.
Today’s Roadmap
• A Little History – Before AD
• Introduction to Active Directory
• Active Directory Components
• Installation of AD
• DNS
• Physical & Logical structure of AD
• Active Directory Database
• FSMO
• FRS
• Group
• Tools
A Little History – Before AD
Microsoft Client and Server History
Introduction to Active Directory
• NT – SAM
• Novell – NDS
• NTDS.dit
• Scalability
• Extensibility
• Security
• Policy-based administration
• Integration with the Domain Name System (DNS)
• Centralized data store
What is Active Directory? Why do we need AD?
The Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups.
Active Directory is an essential and inseparable part of the Windows 2000 and above network architectures. It improves on the domain architecture of the Windows NT® 4.0 operating system to provide a directory service designed for distributed networking environments.
• Active Directory allows for logical grouping of user and computer accounts
• AD provides a single point of administration across the enterprise
• Forms a security boundary for divisions and groups
• Control over other applications – MS Mail system, Citrix etc.
• Package deployments and system controls
Active Directory Components
• Physical components – DCs, Sites
• Logical components – OUs, Domains, Tree, Forest
• Basic components – User accounts, Computer accounts, Printers, Groups, Files etc.
Installation of AD
• Install Active Directory in an existing Windows 2003 server.
• Post-installation checks – Ports, Dcdiag, Sysvol, Replication, Site and OU, Connections, Active Directory files (e.g. Edb.log, Edb.chk, Res1.log, Res2.log)
• Understand the AD control consoles – Dsa.msc, Dssite.msc, Domain.msc
• Experience the components of AD.
AD Integrated DNS
A DNS server converts DNS names like www.Westpac.com to an IP address.
DNS is significant for several reasons, but here's the main one: DNS is now the central name repository for Active Directory, replacing WINS's role in NT 4.
With Active Directory–based networks, all of that changes. The heart of naming in AD is DNS.
Active Directory–integrated zones offer two features:
– They secure dynamic DNS by keeping unwanted outsiders from registering dynamic DNS records. Only machines that are members of an associated Active Directory domain can dynamically register records with an AD-integrated zone.
– AD-integrated also means that only domain controllers can act as DNS servers for the zone.
Physical & Logical structure of AD
Physical structure – Domain controllers, Sites
Logical structure – OUs, Domains, Tree, Forest
Physical structure - Domain controllers , Sites
Domain controllers and GCs
DC functions: stores the AD database, load balancing, authentication, replication, etc.
GC functions: The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest.
It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
It enables finding directory information regardless of which domain in the forest actually contains the data.
Sites and concepts:
A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).
Logical structure of AD
Forest : A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.
Tree : A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain.
Domain : The core unit of logical structure in Active Directory is the domain, which can store millions of objects.
OUs: An OU is a container used to organize objects within a domain into a logical administrative group.
Other objects : Groups, USN , GUID
Trusts: Tree-root, Parent-child, Shortcut, External, Realm.
Logical structure of AD
Active Directory Database
NTDS.DIT – located in c:\windows\NTDS\, stored using the ESE (Extensible Storage Engine) database engine
Tables: Schema table, Link table, Data table, Configuration table
Partitions: Schema, Configuration, Domain, Application
Managing NTDS.DIT
• NTDSUtil.exe
• Metadata cleanup
• Tombstone objects, lingering objects
• Online and offline defragmentation
FSMO Roles
Forest-wide Operations Master Roles:
• Schema master
• Domain naming master
Domain-wide Operations Master Roles:
• Relative ID master
• Primary domain controller (PDC) emulator
• Infrastructure master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema Master Role
The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.
Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
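The domain SID plus RID structure described above, as an added worked example that is not part of the original training deck: a small Python parser that splits a SID into its domain part and its RID, round-trips the binary SID layout found in objectSid and security descriptors, and labels the well-known RIDs a defender typically watches for in log review (500 Administrator, 502 krbtgt, 512 Domain Admins). The sample domain SID values are constructed, not taken from any real domain.

```python
"""Added example: split a Windows SID into domain SID + relative ID (RID).

A domain account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>: the first
four sub-authorities identify the domain, the last one is the RID handed
out from the pool that the RID master allocates to each DC.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RIDs below 1000 are reserved for well-known (built-in) accounts and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
FIRST_ALLOCATED_RID = 1000


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the textual form S-<rev>-<authority>-<sub>-<sub>..."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Parse the binary layout: revision (1 byte), sub-authority count (1),
        identifier authority (6 bytes, big-endian), then each sub-authority
        as a 32-bit little-endian integer."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        count = len(self.sub_authorities)
        return (bytes([self.revision, count])
                + self.authority.to_bytes(6, "big")
                + struct.pack(f"<{count}I", *self.sub_authorities))

    def __str__(self) -> str:
        return "S-%d-%d%s" % (self.revision, self.authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    def is_domain_account(self) -> bool:
        # NT authority (5), "domain" sub-authority 21, three domain words, one RID
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    def split(self) -> Tuple["Sid", int]:
        """Return (domain SID, RID) for a domain account SID."""
        if not self.is_domain_account():
            raise ValueError(f"{self} is not a domain account SID")
        return (Sid(self.revision, self.authority, self.sub_authorities[:-1]),
                self.sub_authorities[-1])


def describe(sid_text: str) -> Dict[str, Optional[object]]:
    """Summarise a SID the way an analyst wants to see it during log review."""
    sid = Sid.from_string(sid_text)
    if not sid.is_domain_account():
        return {"sid": str(sid), "domain_sid": None, "rid": None,
                "well_known": None, "allocated": False}
    domain, rid = sid.split()
    return {
        "sid": str(sid),
        "domain_sid": str(domain),
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        # RIDs >= 1000 come from the pool the RID master allocated to a DC
        "allocated": rid >= FIRST_ALLOCATED_RID,
    }


if __name__ == "__main__":
    # constructed sample domain SID, not a real one
    for text in ("S-1-5-21-1004336348-1177238915-682003330-500",
                 "S-1-5-21-1004336348-1177238915-682003330-1105",
                 "S-1-5-32-544"):
        print(describe(text))
```

The `is_domain_account` check is deliberately strict (authority 5, sub-authority 21, exactly four more words): SIDs such as S-1-5-32-544 (the BUILTIN\Administrators alias) have no domain part and no RID allocated by the RID master, so `describe` reports them without a split rather than guessing.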
PDC Emulator Role
If the domain contains computers operating without Windows Server 2003 client software or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.
Infrastructure Master Role
It is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.
Manage FSMO Roles
Seizing and transferring the roles
How to fetch the role holders – GUI and command line
Regsvr32 Schmmgmt.dll (registers the Active Directory Schema snap-in)
FRS
• Inter-site replication
• Intra-site replication
• Push and pull replication
• Bridgehead servers, topologies
• Protocols: RPC over IP and SMTP over IP
• Compression – 10 to 20 %
• Manual scheduling
• Managing and troubleshooting site links
Groups
Types of Groups
New to Windows 2000/Windows Server 2003 are two types of group objects, each used for a specific
Security Groups These are used to grant permissions to resources. Computers, users, and other groups can be members of a security group.
Distribution Groups These groups are used for nonsecurity functions, such as e-mail. Distribution groups cannot be assigned permissions or rights.
Scopes of Groups
Windows 2000/Windows Server 2003 provides the ability to limit the area of influence for a group. A group can have one of the following three scopes:
Domain Local Groups Limited to a single domain. They can be used to grant permissions to resources only within that domain, but can have members from any domain. These groups should be used when the permissions are to be granted specifically within a domain: domain local groups are not visible outside of their own domain.
Global Groups Used to grant permissions to objects in multiple domains and are visible to all trusted domains. Global groups, though, can have as members only users and groups from within their own domain. If your AD database is configured for native-mode operation, global groups can be nested; in other words, a global group can contain other global groups.
Universal Groups Similar to global groups in that they can be used to grant permissions across multiple domains. The big difference is that universal groups can contain any combination of user
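The three scope rules above, as an added example that is not part of the original deck: a small Python model that checks whether a proposed group membership and a proposed ACL entry obey the domain local / global / universal rules, so an administrator can reason about why a nesting or a permission grant is refused before touching the directory. It goes a little beyond the slide text with rules I am confident hold for Windows Server 2003: a domain local group may nest other domain local groups only from its own domain, a universal group may not contain domain local groups, and universal security groups (like global group nesting) require native mode. The domain names corp.example and eu.corp.example are constructed.

```python
"""Added example: model of Active Directory group scope rules (Windows Server 2003)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Scope(Enum):
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Principal:
    """A user, computer or group. `domain` is the DNS name of the domain holding it."""
    name: str
    domain: str
    scope: Optional[Scope] = None  # None for users/computers, set for groups

    @property
    def is_group(self) -> bool:
        return self.scope is not None


def can_be_member(group: Principal, member: Principal,
                  native_mode: bool = True) -> Tuple[bool, str]:
    """Decide whether `member` may be added to `group`; returns (ok, reason)."""
    if not group.is_group:
        return False, f"{group.name} is not a group"
    if group.scope is Scope.UNIVERSAL and not native_mode:
        return False, "universal security groups need native mode"
    if group.scope is Scope.GLOBAL:
        # global groups: members only from their own domain
        if member.domain != group.domain:
            return False, "global groups accept members only from their own domain"
        if member.is_group:
            if not native_mode:
                return False, "nesting global groups needs native mode"
            if member.scope is not Scope.GLOBAL:
                return False, "global groups may nest only other global groups"
        return True, "ok"
    if group.scope is Scope.UNIVERSAL:
        # universal groups: users, global and universal groups from any domain
        if member.scope is Scope.DOMAIN_LOCAL:
            return False, "universal groups cannot contain domain local groups"
        return True, "ok"
    # domain local: members from any domain, except other domain local groups
    # which must come from the same domain
    if member.scope is Scope.DOMAIN_LOCAL and member.domain != group.domain:
        return False, "domain local groups nest domain local groups only from their own domain"
    return True, "ok"


def can_grant_on(group: Principal, resource_domain: str) -> bool:
    """May `group` appear in an ACL on a resource that lives in `resource_domain`?"""
    if group.scope is Scope.DOMAIN_LOCAL:
        # not visible outside its own domain
        return resource_domain == group.domain
    # global and universal groups are visible to trusted domains
    return True


if __name__ == "__main__":
    # constructed principals in two hypothetical domains
    sales_g = Principal("Sales-G", "corp.example", Scope.GLOBAL)
    share_dl = Principal("EU-Share-DL", "eu.corp.example", Scope.DOMAIN_LOCAL)
    bob = Principal("bob", "eu.corp.example")
    print(can_be_member(sales_g, bob))          # refused: wrong domain
    print(can_be_member(share_dl, sales_g))     # ok: AGDLP pattern
    print(can_grant_on(share_dl, "corp.example"))  # False: domain local stays home
```

The `share_dl` contains `sales_g` case is the classic AGDLP layering the slide implies: accounts go into global groups, global groups into a domain local group, and the domain local group is what receives the permission on the resource in its own domain.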
TOOLS & AD Backup
Tools to manage AD: Dsadd, Dsmod, Dsget, Dsquery, Netdom, Dcdiag, Netdiag…
AD backup and restore methods: Ntbackup; authoritative and non-authoritative restore
Things to Know !!!!
1. Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
2. There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
3. Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
4. Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
5. The file system that Windows operating systems use limits file name lengths (including the path to the file name) to 260 characters.
6. The maximum length for the name of an organizational unit (OU) is 64 characters.
7. There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
8. For Windows 2000 Server, the recommended maximum number of domains in a forest is 800; for Windows Server 2003, 1200.