Active Directory Installation
Windows 2003
Contents
History
Active Directory
Objectives of AD
Framework of AD
Logical Structure
Forest
Domain Tree
Domains
Domain Controllers
Organizational Units
Trust Relationship
Group Policies
Naming in AD
AD Database
Active Directory installation
HISTORY
Active Directory (AD) is a directory technology created by Microsoft.
Active Directory was previewed in 1996.
First released with the Windows 2000 Server edition.
Revised to extend its functionality in Windows Server 2003.
Active Directory
An 'Active Directory' (AD) structure is a hierarchical framework of objects.
Object: represents a single entity (a user, a computer, a printer, or a group), has a unique name, and carries a set of attributes.
All objects have an ID.
Active Directory stores information and settings in a central database.
Active Directory
Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.
The administrator can easily update all end users' computers with new software, patches, files, etc. simply by updating one object.
A network administrator can easily clear a person from a given tree, or instantly grant some users access to certain applications while denying it to others.
Logical Structure
The forest, tree, and domain are the logical parts of an AD network.
Forest: at the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules.
Domain Tree: a collection of one or more domains. A tree structure is formed by adding child domains.
Domains
Computer systems and network resources that share a common logical security boundary.
Domains maintain their own security policies and security relationships with other domains.
Sometimes created to define functional boundaries such as an administrative unit (e.g., marketing versus engineering).
Domains cont.
Domains are identified by their DNS name structure.
Physically, the Active Directory information is held on one or more equal peer domain controllers (DCs).
Domain controllers (DCs)
Each DC has a copy of the AD; changes on one computer are synchronized (converged) between all the DC computers by multi-master replication.
Each domain controller has the following information as part of its Active Directory:
Data on every object within the particular domain.
A listing of all domains in the tree and forest.
Organizational Units
The objects held within a domain can be grouped into containers called Organizational Units (OUs).
OUs are used for ease of administration and to build an AD structure that mirrors the company's geographic or organizational terms.
Trust Relationships
To allow users in one domain to access resources in another, AD uses trusts.
Within a single forest, implicit trusts are created when a domain is created. By default, domains have an implicit two-way transitive trust. A user in domain A can access resources permitted to him in domain B, while a user in domain B can access resources permitted to her in domain A.
Group Policies
The OU is the common level at which to apply group policies, which are AD objects themselves, called Group Policy Objects (GPOs).
Applied to domains, organizational units, and users.
The administrator can control all the users, computers, and the delivery of applications.
When Does Group Policy Get Applied?
[Diagram: Computer starts -> Windows 2003 applies computer settings from Group Policies. User logs on -> Windows 2003 applies user settings from Group Policies.]
Where Does My Policy Come From?
[Diagram: Domain (1) -> OU (2) -> OU (3). Policy for the user/computer is inherited down this chain; "closer" settings override "farther" ones.]
Naming in AD
Every object has a Distinguished name (DN)
So a printer object called HPLaser3 in the OU Marketing and the domain foo.org would have the DN:
CN (Common name)=HPLaser3, OU=Marketing, DC=foo, DC=org
The object can also have a Canonical name, foo.org/Marketing/HPLaser3.
Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD for search and replication.
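The DN, canonical name and Group Policy inheritance described above (the naming rules here and the Domain -> OU -> OU chain in the Group Policies section), as an added example that is not part of the original slides. It parses a DN while honouring backslash escapes (a common name such as "Smith, John" contains a comma, and a naive split on commas would invent a phantom container), converts between DN and canonical form, and then walks the object's container chain so that a setting linked at a closer OU overrides the same setting linked farther up. The `SAMPLE_LINKS` table, the setting names in it, and the assumption that every intermediate container in a canonical name is an OU are constructed for this example; Local and Site GPOs, link order within a container, Block Inheritance and Enforced are not modelled.

```python
"""Added example (not from the slides): parsing AD distinguished names with
RFC 2253 escapes, converting them to canonical names, and resolving which
Group Policy settings win along the domain -> OU -> OU chain."""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "Marketing")

# Characters that must be backslash-escaped inside an RDN value (RFC 2253).
_SPECIAL = ',+"\\<>;'


def _split_escaped(text: str, sep: str) -> List[str]:
    """Split text on sep, treating a backslash as an escape for the next char.
    str.split(sep) would break 'CN=Smith\\, John' into two pieces and invent a
    phantom container, which misroutes policy and delegation decisions."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of a DN, leaf first: CN=HPLaser3 ... DC=org."""
    rdns: List[RDN] = []
    for rdn in _split_escaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def dn_to_canonical(dn: str) -> str:
    """CN=HPLaser3,OU=Marketing,DC=foo,DC=org -> foo.org/Marketing/HPLaser3"""
    rdns = parse_dn(dn)
    domain = ".".join(v for a, v in rdns if a == "DC")
    # Canonical names run root-to-leaf; a '/' inside a name is escaped as '\/'.
    path = [v.replace("/", "\\/") for a, v in reversed(rdns) if a != "DC"]
    return "/".join([domain] + path)


def canonical_to_dn(canonical: str, leaf_attr: str = "CN") -> str:
    """Inverse of dn_to_canonical. Assumption: every intermediate container is
    an OU and the leaf uses leaf_attr (the canonical form does not record this)."""
    domain, *path = _split_escaped(canonical, "/")
    rdns: List[RDN] = [(leaf_attr, path[-1])] if path else []
    rdns += [("OU", p) for p in reversed(path[:-1])]
    rdns += [("DC", label) for label in domain.split(".")]
    return ",".join(f"{a}={_escape(v)}" for a, v in rdns)


def policy_chain(dn: str) -> List[str]:
    """Containers from the domain down to the object's parent OU, i.e. the
    order in which linked GPOs are applied (domain first, innermost OU last)."""
    rdns = parse_dn(dn)
    chain = [".".join(v for a, v in rdns if a == "DC")]
    for ou in [v for a, v in reversed(rdns[1:]) if a == "OU"]:
        chain.append(chain[-1] + "/" + ou)
    return chain


def effective_policy(dn: str, links: Dict[str, List[Dict[str, str]]]) -> Dict[str, str]:
    """Merge the settings of the GPOs linked at each container on the chain.
    Later (closer) containers overwrite earlier (farther) ones, so a setting
    on the object's own OU beats the same setting at the domain.
    Assumption: each container's GPO list is already in application order."""
    result: Dict[str, str] = {}
    for container in policy_chain(dn):
        for gpo in links.get(container, []):
            result.update(gpo)
    return result


# Constructed sample: GPO settings linked at the domain and two nested OUs.
SAMPLE_LINKS: Dict[str, List[Dict[str, str]]] = {
    "foo.org": [{"MinPasswordLength": "8", "ScreenSaverTimeout": "900"}],
    "foo.org/EMEA": [{"ScreenSaverTimeout": "600"}],
    "foo.org/EMEA/Sales": [{"ScreenSaverTimeout": "300", "DisableCMD": "1"}],
}

if __name__ == "__main__":
    print(dn_to_canonical("CN=HPLaser3,OU=Marketing,DC=foo,DC=org"))
    user = "CN=Smith\\, John,OU=Sales,OU=EMEA,DC=foo,DC=org"
    print(dn_to_canonical(user), policy_chain(user))
    print(effective_policy(user, SAMPLE_LINKS))
```

For the user in OU Sales under OU EMEA, the chain is foo.org, then foo.org/EMEA, then foo.org/EMEA/Sales, and the screen-saver timeout linked at Sales (300) wins over the EMEA (600) and domain (900) values, while the domain-only password setting survives untouched. The escaping matters for security as much as for correctness: which OUs an object sits in decides which GPOs and which delegated administrators govern it, so a parser that mis-splits a name can place an account under the wrong policy.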
FSMO Roles
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:
Role | Scope | Description
Schema Master | 1 per forest | Controls and handles updates/modifications to the Active Directory schema.
Domain Naming Master | 1 per forest | Controls the addition and removal of domains from the forest, if present in the root domain.
PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC emulator also runs domain-specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain.
RID Master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects.
Infrastructure Master | 1 per domain | Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS) (unless all DCs are also GCs).