A/NZ Intel Pool - 5 13/02/2010 Active Directory 2003
Presenter: Dominic
Active Directory 2003 2007 IBM Corporation

Motto of this day: Learn the fundamentals of Active Directory 2K3. Experience the learning. Learn from others. Questions.
Today's Roadmap
- A Little History Before AD
- Introduction to Active Directory
- Active Directory Components
- Installation of AD
- DNS
- Physical & Logical structure of AD
- Active Directory Database
- FSMO
- FRS
- Group
- Tools

A Little History Before AD
Microsoft Client and Server History

Introduction to Active Directory
NT - SAM, Novell - NDS, Active Directory - NTDS.dit
Scalability, extensibility, security, policy-based administration, integration with the Domain Name System (DNS), centralized data store.

What is Active Directory? Why do we need AD?
The Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. Active Directory is an essential and inseparable part of the Windows 2000 and above network architectures. It improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.
- Active Directory allows for logical grouping of user and computer accounts.
- AD provides a single point of administration across the enterprise.
- Forms a security boundary for divisions and groups.
- Control over other applications: MS Mail system, Citrix, etc.
- Package deployments and system controls.
Active Directory Components
- Physical components: DCs, Sites
- Logical components: OUs, Domains, Tree, Forest
- Basic components: user accounts, computer accounts, printers, groups, files, etc.
Installation of AD
- Install Active Directory on an existing Windows 2003 server.
- Post-installation checks: ports, Dcdiag, Sysvol, replication, site and OU, connections.
- Active Directory files, e.g. Edb.log, Edb.chk, Res1.log, Res2.log.
- Understand the AD control consoles: Dsa.msc, Dssite.msc, Domain.msc.
- Experience the components of AD.

AD Integrated DNS
A DNS server converts DNS names like www.Westpac.com to an IP address.
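The Dcdiag post-installation check listed above produces a long report, and on a busy promotion day the failed lines are easy to miss. The following is an added example (not code from this deck or from IBM) that summarises that report: it parses the "......................... SERVER passed/failed test NAME" verdict lines that dcdiag prints and refuses to call a DC healthy unless every required test both ran and passed. The sample output, the server name DC01 and the partition name "example" are constructed for the example; the set of required tests is an assumption you would tune to your own checklist.

```python
import re
from collections import defaultdict

# Constructed sample in the shape dcdiag prints; "DC01" and the partition
# name "example" are placeholders, not output captured from a real domain.
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
      Starting test: NetLogons
         ......................... DC01 passed test NetLogons
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: frssysvol
         ......................... DC01 passed test frssysvol
      Starting test: Services
         ......................... DC01 failed test Services

   Running partition tests on : example
      Starting test: CrossRefValidation
         ......................... example passed test CrossRefValidation
"""

# One verdict line per test: a run of dots, the target, passed/failed, the test name.
VERDICT_RE = re.compile(
    r"^\s*\.+\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)

# Assumed minimum set a freshly promoted DC must pass before clients use it.
REQUIRED_TESTS = ("Connectivity", "Replications", "NetLogons", "Advertising", "frssysvol")


def parse_dcdiag(text):
    """Map each target (server or partition) to {test name: 'passed'|'failed'}."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = VERDICT_RE.match(line)
        if m:
            results[m["target"]][m["test"]] = m["verdict"]
    return dict(results)


def failed_tests(text):
    """Sorted (target, test) pairs that failed; an empty list means nothing failed."""
    return sorted(
        (target, test)
        for target, tests in parse_dcdiag(text).items()
        for test, verdict in tests.items()
        if verdict == "failed"
    )


def is_healthy(text, required=REQUIRED_TESTS):
    """True only if every server ran and passed every required test.

    A required test missing from the output counts as a failure: dcdiag skips
    later tests when Connectivity fails, so silence is not a pass.
    """
    parsed = parse_dcdiag(text)
    servers = [t for t, tests in parsed.items() if "Connectivity" in tests]
    if not servers:
        return False
    return all(parsed[s].get(test) == "passed" for s in servers for test in required)


if __name__ == "__main__":
    for target, test in failed_tests(SAMPLE_DCDIAG):
        print(f"{target}: {test} FAILED")
    print("healthy:", is_healthy(SAMPLE_DCDIAG))
```

Feed it the saved output of dcdiag (for example `dcdiag /v > dcdiag.txt` on the new DC, then read the file) and gate the next step of the rollout on `is_healthy` rather than on the absence of red text.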
DNS is significant for several reasons, but here's the main one: DNS is now the central name repository for Active Directory, replacing WINS's role in NT 4.
With Active Directory-based networks, all of that changes. The heart of naming in AD is DNS.
Active Directory-integrated zones offer two features. They secure dynamic DNS by keeping unwanted outsiders from registering dynamic DNS records: only machines that are members of an associated Active Directory domain can dynamically register records with an AD-integrated zone. AD-integrated also means that only domain controllers can be DNS servers.

Physical & Logical structure of AD
- Physical structure: domain controllers, sites
- Logical structure: OUs, domains, tree, forest
Physical structure: domain controllers and sites

Domain controllers and GCs
DC functions: stores the AD database, load balancing, authentication, replication, etc.
GC functions: the global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest.
It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
It enables finding directory information regardless of which domain in the forest actually contains the data.
Sites and concepts:
A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).
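A site is defined by the IP subnets attached to it, and a client is placed in the site whose subnet most specifically contains its address. The block below is an added example (not from the deck or from IBM) that models that lookup as a longest-prefix match over a subnet-to-site table and, from the defender's side, lists clients that fall in no defined subnet, since those clients are not associated with any site and may end up authenticating against a DC across a slow WAN link. The site names and prefixes are constructed; in a real domain the table is the Subnets container under Sites and Services (Dssite.msc).

```python
import ipaddress

# Constructed subnet-to-site table; the site names and prefixes are hypothetical.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "Hub-Site",
    "10.20.0.0/16": "Branch-Sydney",
    "10.20.5.0/24": "Branch-Sydney-Lab",
    "192.168.1.0/24": "Branch-Auckland",
}


def build_subnet_table(mapping):
    """Parse CIDR strings once and order them most-specific first.

    strict=True rejects entries like 10.20.5.1/24 whose host bits are set,
    a common typo when subnets are keyed in by hand.
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip, table):
    """Return the site whose subnet most specifically contains ip, else None.

    10.20.5.7 lies inside 10.0.0.0/8, 10.20.0.0/16 and 10.20.5.0/24; the /24
    wins because the table is sorted by prefix length, longest first.
    """
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def unmapped_clients(ips, table):
    """Addresses that belong to no defined subnet and therefore to no site."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    for ip in ("10.20.5.7", "10.20.9.1", "10.3.3.3", "172.16.0.1"):
        print(ip, "->", site_for_ip(ip, table))
    print("unmapped:", unmapped_clients(["192.168.1.10", "172.16.0.1"], table))
```

Running `unmapped_clients` over the source addresses seen in a DC's Netlogon log is a quick way to find subnets that were never added to Sites and Services.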
Logical structure of AD
Forest: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.
Tree: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain.
Domain: The core unit of logical structure in Active Directory is the domain, which can store millions of objects.
OUs: An OU is a container used to organize objects within a domain into a logical administrative group.
Other objects: groups, USN, GUID.
Trusts: tree root, parent-child, shortcut, external, realm.

Active Directory Database
NTDS.DIT, located in c:\windows\NTDS\
ESE tables: schema table, link table, data table, configuration table
Partitions: schema, configuration, domain, application
Managing NTDS.DIT
- NTDSUtil.exe
- Metadata cleanup
- Tombstone objects, lingering objects
- Online and offline defragmentation

FSMO Roles
Forest-wide Operations Master Roles: schema master, domain naming master
Domain-wide Operations Master Roles: relative ID master, primary domain controller (PDC) emulator, infrastructure master
The forest-wide roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema Master Role
The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.
Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.
The domain-wide roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
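The two facts in the paragraph above, that a security ID is a domain SID plus a relative ID, and that the RID master is the only place relative IDs are handed out, are easier to hold on to with the structure in front of you. The block below is an added example (not from the deck or from IBM): it splits an account SID into its domain part and RID, decides whether two SIDs come from the same domain, and simulates a RID master issuing non-overlapping blocks to several DCs so that objects created on different DCs never collide. The domain SID and DC names are constructed; the block size of 500 and the starting RID of 1000 are assumptions standing in for the defaults, and the 2^30 ceiling is the source of the "approximately 1 billion SIDs" figure quoted later in this deck.

```python
import re

# A domain account SID is S-1-5-21-<d1>-<d2>-<d3>-<RID>: the first part is the
# domain SID shared by every principal in the domain, the last part is the RID.
DOMAIN_SID_RE = re.compile(r"^(?P<domain>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)$")

MAX_RID = 2**30 - 1          # RIDs are 30-bit values: roughly 1 billion per domain
DEFAULT_POOL_SIZE = 500      # assumed block size handed to a DC by the RID master
FIRST_ALLOCATABLE_RID = 1000 # assumed start; lower RIDs are reserved for built-in accounts


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or raise ValueError.

    Built-in SIDs such as S-1-5-32-544 are rejected: they carry no domain part.
    """
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m["domain"], int(m["rid"])


def same_domain(sid_a, sid_b):
    """True when both SIDs were issued by the same domain."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


class RidMaster:
    """The single per-domain authority that hands out non-overlapping RID blocks."""

    def __init__(self, domain_sid, pool_size=DEFAULT_POOL_SIZE, first_rid=FIRST_ALLOCATABLE_RID):
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_rid = first_rid

    def allocate_pool(self):
        """Give the requesting DC a fresh (start, end) block; a RID is never reissued."""
        start = self.next_rid
        end = start + self.pool_size - 1
        if end > MAX_RID:
            raise RuntimeError("domain has exhausted its RID space")
        self.next_rid = end + 1
        return start, end


class DomainController:
    """Creates objects from its local RID pool and refills from the RID master."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None  # [next_free, last] or None before the first request

    def new_object_sid(self):
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = list(self.rid_master.allocate_pool())
        rid = self.pool[0]
        self.pool[0] += 1
        return f"{self.rid_master.domain_sid}-{rid}"


def simulate(domain_sid, dc_names, objects_per_dc, pool_size=DEFAULT_POOL_SIZE):
    """Round-robin object creation across several DCs; returns every SID issued."""
    master = RidMaster(domain_sid, pool_size=pool_size)
    dcs = [DomainController(name, master) for name in dc_names]
    sids = []
    for _ in range(objects_per_dc):
        for dc in dcs:
            sids.append(dc.new_object_sid())
    return sids


def allocation_is_unique(sids):
    """True if no (domain, RID) pair appears twice, i.e. no two objects share a SID."""
    seen = set()
    for sid in sids:
        key = split_sid(sid)
        if key in seen:
            return False
        seen.add(key)
    return True


if __name__ == "__main__":
    # Constructed domain SID and DC names; a tiny pool makes the refills visible.
    issued = simulate("S-1-5-21-1111111111-2222222222-3333333333", ["DC01", "DC02"], 3, pool_size=2)
    for sid in issued:
        print(sid, "-> RID", split_sid(sid)[1])
    print("unique:", allocation_is_unique(issued))
```

Because each DC draws from its own block, the RIDs issued by two DCs interleave rather than run in sequence, which is why a gap in RID numbers in a domain is normal and not by itself a sign of deleted objects.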
PDC Emulator Role
If the domain contains computers operating without Windows Server 2003 client software or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.
Infrastructure Master Role
It is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

Manage FSMO Roles
- Seizing and transferring the roles
- How to fetch the role holders: GUI and command line
- Regsvr32 Schmmgmt.dll (registers the Schema snap-in)
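One command-line way to fetch the role holders is `netdom query fsmo`, run once per domain. The block below is an added example (not from the deck or from IBM) that parses that output and checks the uniqueness rules stated above: the two forest-wide roles must resolve to the same holder no matter which domain you ask, and each domain must report a holder for all three domain-wide roles. The two captures are constructed in the shape the Windows Server 2003 netdom prints ("Schema owner", "Domain role owner", "PDC role", "RID pool manager", "Infrastructure owner"); the parser matches on keywords so it also accepts the later "Schema master" / "Domain naming master" wording. The domain names and DC names are placeholders, and the last check assumes the usual case where a DC's FQDN ends with its domain's DNS name.

```python
import re

# Constructed output in the shape "netdom query fsmo" prints on Windows Server
# 2003, one capture per domain of a hypothetical two-domain forest.
NETDOM_BY_DOMAIN = {
    "corp.example": """\
Schema owner                dc01.corp.example
Domain role owner           dc01.corp.example
PDC role                    dc01.corp.example
RID pool manager            dc02.corp.example
Infrastructure owner        dc02.corp.example
The command completed successfully.
""",
    "child.corp.example": """\
Schema owner                dc01.corp.example
Domain role owner           dc01.corp.example
PDC role                    dc11.child.corp.example
RID pool manager            dc11.child.corp.example
Infrastructure owner        dc12.child.corp.example
The command completed successfully.
""",
}

FOREST_ROLES = ("schema_master", "domain_naming_master")
DOMAIN_ROLES = ("pdc_emulator", "rid_master", "infrastructure_master")

# Keyword in the label -> role; covers both the 2003 wording ("Schema owner")
# and the later wording ("Schema master", "Domain naming master").
LABEL_KEYWORDS = (
    ("schema", "schema_master"),
    ("domain", "domain_naming_master"),
    ("pdc", "pdc_emulator"),
    ("rid", "rid_master"),
    ("infrastructure", "infrastructure_master"),
)

# A role line is a label, a run of at least two spaces, then the holder's FQDN.
LINE_RE = re.compile(r"^(?P<label>[A-Za-z ]+?)\s{2,}(?P<holder>\S+)$")


def parse_netdom_fsmo(text):
    """Map role -> holder (lower-cased FQDN) from one netdom query fsmo capture."""
    roles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = m["label"].lower()
        for keyword, role in LABEL_KEYWORDS:
            if keyword in label:
                roles[role] = m["holder"].lower()
                break
    return roles


def check_forest(netdom_by_domain):
    """Return a list of problems; an empty list means the role layout is consistent."""
    problems = []
    parsed = {dom: parse_netdom_fsmo(txt) for dom, txt in netdom_by_domain.items()}
    # Every domain must report a holder for all five roles.
    for dom, roles in parsed.items():
        for role in FOREST_ROLES + DOMAIN_ROLES:
            if role not in roles:
                problems.append(f"{dom}: no holder reported for {role}")
    # Forest-wide roles have exactly one holder for the whole forest, so every
    # domain's view must name the same DC; disagreement points at a replication
    # or metadata problem that needs looking at before any seizure.
    for role in FOREST_ROLES:
        holders = {roles[role] for roles in parsed.values() if role in roles}
        if len(holders) > 1:
            problems.append(f"{role}: domains disagree on the holder {sorted(holders)}")
    # Domain-wide roles are held by a DC of that domain (assumes FQDN ends in the domain name).
    for dom, roles in parsed.items():
        for role in DOMAIN_ROLES:
            holder = roles.get(role)
            if holder and not holder.endswith("." + dom.lower()):
                problems.append(f"{dom}: {role} holder {holder} is not in this domain")
    return problems


if __name__ == "__main__":
    for dom, txt in NETDOM_BY_DOMAIN.items():
        print(dom, parse_netdom_fsmo(txt))
    print("problems:", check_forest(NETDOM_BY_DOMAIN) or "none")
```

Keep the captures from a known-good day: diffing today's `check_forest` input against them is the simplest way to notice that a role moved when nobody planned a transfer.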
FRS
- Inter-site replication
- Intra-site replication
- Push and pull replication
- Bridgehead servers, topologies
- Protocols: RPC over IP and SMTP over IP
- Compression: 10 to 20%
- Manual scheduling
- Managing and troubleshooting site links
Groups
Types of Groups
New to Windows 2000/Windows Server 2003 are two types of group objects, each used for a specific
Security groups: These are used to grant permissions to resources. Computers, users, and other groups can be members of a security group.
Distribution groups: These groups are used for non-security functions, such as e-mail. Distribution groups cannot be assigned permissions or rights.
Scopes of Groups
Windows 2000/Windows Server 2003 provides the ability to limit the area of influence for a group. A group can be one of the following three types:
Domain local groups: Limited to a single domain. They can be used to grant permissions to resources only within that domain, but can have members from any domain. These groups should be used when the permissions are to be granted specifically within a domain: domain local groups are not visible outside of their own domain.
Global groups: Used to grant permissions to objects in multiple domains and are visible to all trusted domains. Global groups, though, can have as members only users and groups from within their own domain. If your AD database is configured for native-mode operation, global groups can be nested; in other words, a global group can contain other global groups.
Universal groups: Similar to global groups in that they can be used to grant permissions across multiple domains. The big difference is that universal groups can contain any combination of user
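The three scopes differ in where their members may come from and in which nestings the domain mode allows, and a misapplied rule shows up as a silent failure to add a member or as a group that cannot be used where you expected. The block below is an added example (not from the deck or from IBM) that encodes the membership rules for security groups as a single function and runs a constructed list of proposed memberships through it in both mixed and native mode. The rules are the ones stated in the three paragraphs above plus the standard Windows 2000/2003 nesting rules for what the slide does not spell out (domain local groups accept global groups in any mode, but universal and same-domain domain local groups only in native mode; universal security groups exist only in native mode). The forest, group and user names are placeholders.

```python
from dataclasses import dataclass

GROUP_SCOPES = ("domain_local", "global", "universal")


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", or one of GROUP_SCOPES


def can_be_member(group, member, native_mode):
    """Return (allowed, reason) for adding member to the security group `group`."""
    if group.kind not in GROUP_SCOPES:
        raise ValueError(f"{group.name} is not a group")
    if member.kind not in GROUP_SCOPES + ("user", "computer"):
        raise ValueError(f"unknown principal kind {member.kind}")
    if group.kind == "universal" and not native_mode:
        return False, "universal security groups exist only in native mode"

    if member.kind in ("user", "computer"):
        if group.kind == "global" and member.domain != group.domain:
            return False, "global groups take members only from their own domain"
        return True, "ok"  # domain local and universal accept accounts from any domain

    # From here on the member is itself a group.
    if group.kind == "global":
        if not native_mode:
            return False, "nesting inside a global group requires native mode"
        if member.kind != "global" or member.domain != group.domain:
            return False, "a global group may nest only global groups from its own domain"
        return True, "ok"
    if group.kind == "universal":  # native mode is already established here
        if member.kind == "domain_local":
            return False, "universal groups cannot contain domain local groups"
        return True, "ok"  # global or universal groups from any domain
    # Domain local group.
    if member.kind == "global":
        return True, "ok"  # allowed in mixed and native mode
    if not native_mode:
        return False, "domain local groups nest universal or domain local groups only in native mode"
    if member.kind == "domain_local" and member.domain != group.domain:
        return False, "domain local groups are not visible outside their own domain"
    return True, "ok"


def membership_violations(memberships, native_mode):
    """Check (group, member) pairs and return (group, member, reason) for each that breaks the rules."""
    bad = []
    for group, member in memberships:
        allowed, reason = can_be_member(group, member, native_mode)
        if not allowed:
            bad.append((group.name, member.name, reason))
    return bad


# Constructed proposed memberships in a hypothetical two-domain forest.
SAMPLE_MEMBERSHIPS = [
    (Principal("Sales-GG", "corp.example", "global"), Principal("Alice", "corp.example", "user")),
    (Principal("Sales-GG", "corp.example", "global"), Principal("Bob", "child.corp.example", "user")),
    (Principal("FileShare-DL", "corp.example", "domain_local"), Principal("Sales-GG", "corp.example", "global")),
    (Principal("AllSales-UG", "corp.example", "universal"), Principal("ChildSales-GG", "child.corp.example", "global")),
    (Principal("Sales-GG", "corp.example", "global"), Principal("Sales-Inner-GG", "corp.example", "global")),
]


if __name__ == "__main__":
    for mode_name, native in (("mixed", False), ("native", True)):
        print(f"{mode_name} mode:")
        for group, member, reason in membership_violations(SAMPLE_MEMBERSHIPS, native):
            print(f"  cannot add {member} to {group}: {reason}")
```

The usual way to apply these rules is the AGDLP pattern: accounts into global groups, global groups into domain local groups, permissions on the domain local group. Every step of that chain passes `can_be_member` in either mode, which is one reason it is the recommended layout.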
TOOLS & AD Backup
Tools to manage AD: Dsadd, Dsmod, Dsget, Dsquery, Netdom, Dcdiag, Netdiag
AD backup and restore methods: Ntbackup; authoritative and non-authoritative restore

Things to Know!
1. Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
2. There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
3. Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
4. Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
5. The file system that Windows operating systems use limits file name lengths (including the path to the file name) to 260 characters.
6. The maximum length for the name of an organizational unit (OU) is 64 characters.
7. There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
8. For Windows 2000 Server, the recommended maximum number of domains in a forest is 800; for Windows Server 2003, 1200.