ad-2k3 training


Page 1: AD-2k3 Training

Active Directory – 2003

A/NZ – Intel Pool - 5 13/02/2010 © 2007 IBM Corporation

Active Directory 2003

Dominic

Page 2: AD-2k3 Training

Motto of this day

Learn the fundamentals of Active Directory 2K3. Experience the learning. Learn from others' questions.

Page 3: AD-2k3 Training

Today’s Roadmap

• A Little History – Before AD
• Introduction to Active Directory
• Active Directory Components
• Installation of AD
• DNS
• Physical & Logical Structure of AD
• Active Directory Database
• FSMO
• FRS
• Groups
• Tools

Page 4: AD-2k3 Training

A Little History – Before AD

Microsoft Client and Server History

Page 5: AD-2k3 Training

Introduction to Active Directory

Directory stores: Windows NT – SAM; Novell – NDS; Active Directory – NTDS.dit

Key features of Active Directory:
• Scalability
• Extensibility
• Security
• Policy-based administration
• Integration with the Domain Name System (DNS)
• Centralized data store

Page 6: AD-2k3 Training

What is Active Directory? Why do we need AD?

The Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups.

Active Directory is an essential and inseparable part of the Windows 2000 and above network architectures. It improves on the domain architecture of the Windows NT® 4.0 operating system to provide a directory service designed for distributed networking environments.

• Active Directory allows for logical grouping of user and computer accounts
• AD provides a single point of administration across the enterprise
• Forms a security boundary for divisions and groups
• Control over other applications – MS Mail system, Citrix etc.
• Package deployments and system controls

Page 7: AD-2k3 Training

Active Directory Components

• Physical components – DCs, Sites
• Logical components – OUs, Domains, Trees, Forests
• Basic components – User accounts, Computer accounts, Printers, Groups, Files etc.

Page 8: AD-2k3 Training

Installation of AD

• Install Active Directory on an existing Windows 2003 server.
• Post-installation checks – ports, Dcdiag, Sysvol, replication, site and OU, connections, Active Directory files (e.g. Edb.log, Edb.chk, Res1.log, Res2.log).
• Understand the AD control consoles – Dsa.msc, Dssite.msc, Domain.msc.
• Experience the components of AD.

Page 10: AD-2k3 Training

AD Integrated DNS

A DNS server converts DNS names like www.Westpac.com to an IP address.

DNS is significant for several reasons, but here is the main one: DNS is now the central name repository for Active Directory, replacing WINS's role in NT 4.

With Active Directory–based networks, all of that changes. The heart of naming in AD is DNS.

Active Directory–integrated zones offer two features:
• They secure dynamic DNS by keeping unwanted outsiders from registering dynamic DNS records. Only machines that are members of an associated Active Directory domain can dynamically register records with an AD-integrated zone.
• AD-integrated also means that only domain controllers can be DNS servers.

Page 11: AD-2k3 Training

Physical & Logical structure of AD

• Physical structure – Domain controllers, Sites
• Logical structure – OUs, Domains, Trees, Forests

Page 12: AD-2k3 Training

Physical structure – Domain controllers, Sites

Domain controllers and GCs

DC functions: stores the AD database, load balancing, authentication, replication, etc.

GC functions: The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest.

It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.

Sites and concepts:

A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).

Page 13: AD-2k3 Training

Logical structure of AD

Forest : A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.

Tree : A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain.

Domain : The core unit of logical structure in Active Directory is the domain, which can store millions of objects.

OUs: An OU is a container used to organize objects within a domain into a logical administrative group.

Other objects: Groups, USN, GUID

Trusts: Tree-root, Parent-child, Shortcut, External, Realm.

Page 14: AD-2k3 Training

Logical structure of AD

Page 16: AD-2k3 Training

Active Directory Database

NTDS.DIT – located in c:\windows\NTDS\; an ESE (Extensible Storage Engine) database

Tables: Schema table, Link table, Data table, Configuration table

Partitions: Schema, Configuration, Domain, Application

Page 17: AD-2k3 Training

Managing NTDS.DIT

• NTDSUtil.exe
• Metadata cleanup
• Tombstone objects, lingering objects
• Online and offline defragmentation

Page 18: AD-2k3 Training

FSMO Roles

Forest-wide Operations Master Roles:
• Schema master
• Domain naming master

Domain-wide Operations Master Roles:
• Relative ID (RID) master
• Primary domain controller (PDC) emulator
• Infrastructure master

Page 19: AD-2k3 Training

These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.

Schema Master Role

The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.

Domain Naming Master Role

The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.

Page 20: AD-2k3 Training

These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

RID Master Role

The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

PDC Emulator Role

If the domain contains computers operating without Windows Server 2003 client software or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Infrastructure Master Role

It is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.
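The SID structure described under the RID master role (a domain SID shared by the whole domain plus a RID unique within it), as an added Python example that is not part of the original deck: it decodes a binary objectSid as LDAP returns it, splits off the RID, and tells well-known RIDs apart from ones allocated out of the RID pool. The sample SID bytes and RID values are constructed for the example.

```python
import struct

# Well-known RIDs are fixed in every domain; anything from 1000 upward is
# handed out of the RID pool that the RID master allocates to each DC.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}

# Constructed sample: the binary objectSid of one account, as LDAP returns it.
SAMPLE_SID_BYTES = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 111, 222, 333, 1105))

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), then count 4-byte LE values."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def split_domain_sid(sid: str):
    """Split an account SID into (domain SID, RID): the domain part is shared by
    every principal in the domain, the RID is what makes the SID unique."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: " + sid)
    return "-".join(parts[:-1]), int(parts[-1])

def describe_rid(rid: int) -> str:
    """Say where a RID came from: a built-in well-known value or the RID pool."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known (%s)" % WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "reserved"
    return "allocated from the RID pool by the RID master"

def group_by_domain(sids):
    """Map domain SID -> sorted RIDs; the same RID can recur only across domains."""
    out = {}
    for sid in sids:
        dom, rid = split_domain_sid(sid)
        out.setdefault(dom, []).append(rid)
    return {d: sorted(r) for d, r in out.items()}

if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_SID_BYTES)
    dom, rid = split_domain_sid(text)
    print(text, "->", dom, rid, describe_rid(rid))
```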

Page 21: AD-2k3 Training

Manage FSMO Roles

• Seizing and transferring the roles
• How to fetch the role holders – GUI and command line
• regsvr32 schmmgmt.dll (registers the Active Directory Schema snap-in)
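Fetching the role holders from the directory itself, as an added Python example that is not from the original deck: each of the five roles is recorded in the fSMORoleOwner attribute of a standard object (listed in ROLE_OBJECTS), and the value is the DN of the holder's NTDS Settings object. A holder whose NTDS Settings object no longer exists is exactly the case where a transfer is impossible and the role has to be seized. The forest DN, DC names and LDAP snapshot are constructed for the example.

```python
# Standard objects that carry the fSMORoleOwner attribute; its value is the DN
# of the role holder's NTDS Settings object.
ROLE_OBJECTS = {
    "Schema master": "CN=Schema,CN=Configuration,{forest}",
    "Domain naming master": "CN=Partitions,CN=Configuration,{forest}",
    "RID master": "CN=RID Manager$,CN=System,{domain}",
    "PDC emulator": "{domain}",
    "Infrastructure master": "CN=Infrastructure,{domain}",
}

FOREST = "DC=corp,DC=example"   # constructed forest root domain (hypothetical)
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + FOREST

def ntds_dn(dc: str) -> str:
    return "CN=NTDS Settings,CN=%s,%s" % (dc, SITE)

# Constructed LDAP snapshot (DN -> attributes). DC2 was removed without
# transferring its role: no NTDS Settings object, but still named as PDC emulator.
SAMPLE_ENTRIES = {
    ntds_dn("DC1"): {},
    ntds_dn("DC3"): {},
    "CN=Schema,CN=Configuration," + FOREST: {"fSMORoleOwner": ntds_dn("DC1")},
    "CN=Partitions,CN=Configuration," + FOREST: {"fSMORoleOwner": ntds_dn("DC1")},
    "CN=RID Manager$,CN=System," + FOREST: {"fSMORoleOwner": ntds_dn("DC1")},
    FOREST: {"fSMORoleOwner": ntds_dn("DC2")},
    "CN=Infrastructure," + FOREST: {"fSMORoleOwner": ntds_dn("DC3")},
}

def dc_name(ntds_settings_dn: str) -> str:
    """'CN=NTDS Settings,CN=DC1,CN=Servers,...' -> 'DC1'."""
    rdns = ntds_settings_dn.split(",")
    if rdns[0] != "CN=NTDS Settings" or not rdns[1].startswith("CN="):
        raise ValueError("unexpected fSMORoleOwner value: " + ntds_settings_dn)
    return rdns[1][3:]

def fsmo_report(entries, forest_dn, domain_dn):
    """Return ({role: holder DC name or None}, [roles whose holder is gone]).
    A role whose holder's NTDS Settings object no longer exists cannot be
    transferred (that needs the old holder online); it must be seized."""
    holders, orphans = {}, []
    for role, template in ROLE_OBJECTS.items():
        dn = template.format(forest=forest_dn, domain=domain_dn)
        owner = entries.get(dn, {}).get("fSMORoleOwner")
        holders[role] = dc_name(owner) if owner else None
        if owner and owner not in entries:
            orphans.append(role)
    return holders, orphans

if __name__ == "__main__":
    print(fsmo_report(SAMPLE_ENTRIES, FOREST, FOREST))
```

In a real forest the same lookup is what `netdom query fsmo` reports; the snapshot here only stands in for the LDAP reads.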

Page 22: AD-2k3 Training

FRS

• Inter-site replication
• Intra-site replication
• Push and pull replication
• Bridgehead servers, topologies
• Protocols: RPC over IP and SMTP over IP
• Compression – 10 to 20 %
• Manual scheduling
• Managing and troubleshooting site links

Page 24: AD-2k3 Training

Groups

Types of Groups

New to Windows 2000/Windows Server 2003 are two types of group objects, each used for a specific

Security Groups These are used to grant permissions to resources. Computers, users, and other groups can be members of a security group.

Distribution Groups These groups are used for nonsecurity functions, such as e-mail. Distribution groups cannot be assigned permissions or rights.

Page 25: AD-2k3 Training

Scopes of Groups

Windows 2000/Windows Server 2003 provides the ability to limit the area of influence for a group. A group can be one of the following three types:

Domain Local Groups Limited to a single domain. They can be used to grant permissions to resources only within that domain, but can have members from any domain. These groups should be used when the permissions are to be granted specifically within a domain: domain local groups are not visible outside of their own domain.

Global Groups Used to grant permissions to objects in multiple domains and are visible to all trusted domains. Global groups, though, can have as members only users and groups from within their own domain. If your AD database is configured for native-mode operation, global groups can be nested; in other words, a global group can contain other global groups.

Universal Groups Similar to global groups in that they can be used to grant permissions across multiple domains. The big difference is that universal groups can contain any combination of user
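The three scope rules above, as an added Python example that is not from the original deck: can_add_member applies the membership rules for each scope, including the native-mode condition on nesting, and visible_for_permissions applies the rule that domain local groups are usable only inside their own domain. The Principal type, the group and domain names are assumptions made for the example.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    name: str
    kind: str          # "user", "computer" or "group"
    domain: str
    scope: str = ""    # groups only: "domain local", "global" or "universal"

# Native-mode nesting rules: for each group scope, which member kinds/scopes it
# may contain, and whether that member may come from another domain.
NESTING_RULES = {
    "global":       {"user": False, "computer": False, "global": False},
    "domain local": {"user": True, "computer": True, "global": True,
                     "universal": True, "domain local": False},
    "universal":    {"user": True, "computer": True, "global": True,
                     "universal": True},
}

def can_add_member(group, member, native_mode=True):
    """Return (allowed, reason) for adding member to group."""
    key = member.scope if member.kind == "group" else member.kind
    rules = NESTING_RULES[group.scope]
    if key not in rules:
        return False, "%s groups cannot contain %s groups" % (group.scope, key)
    if not native_mode and member.kind == "group" and key == group.scope:
        # Mixed mode: no global-in-global or domain-local-in-domain-local nesting
        return False, "nesting %s groups in %s groups requires native mode" % (key, key)
    if not rules[key] and member.domain != group.domain:
        return False, "%s groups take %s members only from their own domain" % (group.scope, key)
    return True, "ok"

def visible_for_permissions(group, resource_domain):
    """Domain local groups can be placed on ACLs only within their own domain;
    global and universal groups are visible to all trusted domains."""
    return group.scope != "domain local" or group.domain == resource_domain

if __name__ == "__main__":
    sales = Principal("Sales", "group", "corp", "global")
    share = Principal("FileShare-RW", "group", "corp", "domain local")
    print(can_add_member(share, sales), can_add_member(sales, Principal("bob", "user", "partner")))
```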

Page 26: AD-2k3 Training

TOOLS & AD Backup

Tools to manage AD: Dsadd, Dsmod, Dsget, Dsquery, Netdom, Dcdiag, Netdiag…

AD backup and restore methods: Ntbackup; authoritative and non-authoritative restore

Page 27: AD-2k3 Training

Things to Know!

1. Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
2. There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
3. Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
4. Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
5. The file system that Windows operating systems use limits file name lengths (including the path to the file name) to 260 characters.
6. The maximum length for the name of an organizational unit (OU) is 64 characters.
7. There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
8. For Windows 2000 Server, the recommended maximum number of domains in a forest is 800; for Windows Server 2003, 1200.
