
Active Directory 2003

2007 IBM Corporation


A/NZ Intel Pool - 5
13/02/2010

Dominic
Motto of this day
Learn the fundamentals of Active Directory 2K3.
Experience the learning.
Learn from others' questions.

Today's Roadmap
A Little History Before AD
Introduction to Active Directory
Active Directory Components
Installation of AD
DNS
Physical & Logical structure of AD
Active Directory Database
FSMO
FRS
Group
Tools
A Little History Before AD


Microsoft Client and Server History
Introduction to Active Directory
NT - SAM
Novell - NDS
NTDS.dit

Scalability, Extensibility, Security, Policy-based administration, Integration
with the Domain Name System (DNS), Centralized data store
What is Active Directory? Why do we need AD?
The Active Directory is a network-based object store and service that
locates and manages resources, and makes these resources available to
authorized users and groups.
Active Directory is an essential and inseparable part of the Windows 2000
and above network architectures. It improves on the domain architecture of
the Windows NT 4.0 operating system to provide a directory service
designed for distributed networking environments.


Active Directory allows for logical grouping of user and computer accounts.
AD provides a single point of administration across the enterprise.
It forms a security boundary for divisions and groups.
It gives control over other applications (MS mail systems, Citrix, etc.).
It supports package deployment and system controls.


Active Directory Components
Physical components - e.g. DCs, sites
Logical components - e.g. OUs, domains, trees, forests
Basic components - user accounts, computer accounts, printers, groups, files, etc.

Installation of AD
Install Active Directory on an existing Windows 2003 server.
Post-installation checks - ports, Dcdiag, Sysvol, replication, sites and OUs,
connections.
Active Directory files, e.g. Edb.log, Edb.chk, Res1.log, Res2.log
Understand the AD control consoles - Dsa.msc, Dssite.msc, Domain.msc
Experience the components of AD.
AD Integrated DNS
A DNS server resolves DNS names such as www.Westpac.com to IP addresses.

DNS is significant for several reasons, but here's the main one: DNS is now the central name
repository for Active Directory, replacing WINS's role in NT 4.

With Active Directory-based networks, all of that changes. The heart of naming in AD is
DNS.


Active Directory-integrated zones offer two features:
They secure dynamic DNS by keeping unwanted outsiders from registering dynamic DNS
records. Only machines that are members of an associated Active Directory domain can
dynamically register records with an AD-integrated zone.
AD-integrated also means that only domain controllers can act as DNS servers for the zone.
Physical & Logical structure of AD
Physical structure - Domain controllers, Sites
Logical structure - OUs, Domains, Trees, Forests

Physical structure - Domain controllers, Sites
Domain controllers and GCs

DC functions:
Stores the AD database
Load balancing
Authentication
Replication
Etc.
GC functions:
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog
is created automatically on the initial domain controller in the first domain in the forest.

It enables a user to log on to a network by providing universal group membership information to a domain controller
when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.

Sites and concepts:

A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much
network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).

Logical structure of AD
Forest : A forest is a grouping or hierarchical arrangement of one or
more separate, completely independent domain trees.
Tree : A tree is a grouping or hierarchical arrangement of one or more
Windows Server 2003 domains that you create by adding one or more child
domains to an existing parent domain.
Domain : The core unit of logical structure in Active Directory is the
domain, which can store millions of objects.
OUs: An OU is a container used to organize objects within a domain
into a logical administrative group.
Other objects: Groups, USN, GUID
Trusts: tree-root, parent-child, shortcut, external, realm.
Logical structure of AD
Active Directory Database
NTDS.DIT, located in c:\windows\NTDS\
ESE (Extensible Storage Engine)
Tables:
Schema table
Link table
Data table
Configuration table
Partitions:
Schema
Configuration
Domain
Application

Managing NTDS.DIT
NTDSUtil.exe
Metadata cleanup
Tombstone objects, lingering objects
Online and offline defragmentation
FSMO Roles
Forest-wide Operation Master Roles:
Schema master
Domain naming master



Domain-wide Operations Master Roles:

Relative ID master
Primary domain controller (PDC) emulator
Infrastructure master

These roles must be unique in the forest. This means that throughout the entire forest there
can be only one schema master and one domain naming master.

Schema Master Role

The domain controller assigned the schema master role controls all updates and
modifications to the schema. To update the schema of a forest, you must have access to the
schema master. At any time, there can be only one schema master in the entire forest.

Domain Naming Master Role

The domain controller holding the domain naming master role controls the
addition or removal of domains in the forest. There can be only one domain naming master
in the entire forest at any time.


These roles must be unique in each domain. This means that each domain in the forest can have only one
RID master, PDC emulator master, and infrastructure master.

RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the
various domain controllers in its domain. At any time, there can be only one domain controller acting as
the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique
security ID. The security ID consists of a domain security ID (that is the same for all security IDs created
in the domain) and a relative ID that is unique for each security ID created in the domain.
To move an object between domains (using Movetree.exe, the Active Directory Object Manager), you must
initiate the move on the domain controller acting as the RID master of the domain that currently contains
the object.
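To make the SID/RID relationship in the RID master description concrete, here is an added Python example (written for this page, not code from the IBM deck). It splits a SID into the domain part and the RID, decodes the binary objectSid layout that Active Directory stores (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities, as documented by Microsoft), and models the RID master handing out disjoint RID blocks. The SID values are constructed samples; the default block size of 500 and the reservation of RIDs below 1000 for built-in accounts are Microsoft's documented defaults, stated here as assumptions of the example.

```python
"""SID decomposition and RID pool allocation.
Added illustration for the RID master section; not code from the original
slides. All SID values below are constructed samples."""
import struct
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_RID_LIMIT = 1000   # RIDs below 1000 are reserved for built-in accounts (assumption: MS default)
DEFAULT_RID_POOL_SIZE = 500   # block size a DC requests from the RID master (assumption: MS default)


def parse_sid_text(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-<revision>-<authority>-<sub>-...' into its numeric parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_binary(sid: str) -> bytes:
    """Encode a SID in the binary layout used by the objectSid attribute."""
    revision, authority, subs = parse_sid_text(sid)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def sid_from_binary(raw: bytes) -> str:
    """Decode the binary objectSid layout back into 'S-...' text form."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def is_domain_account_sid(sid: str) -> bool:
    """True for SIDs of the form S-1-5-21-<a>-<b>-<c>-<RID> issued by a domain."""
    _, authority, subs = parse_sid_text(sid)
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID). The domain part is identical for every SID the
    domain issues; the RID is the part allocated from the RID master's blocks."""
    if not is_domain_account_sid(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    revision, authority, subs = parse_sid_text(sid)
    domain = f"S-{revision}-{authority}-" + "-".join(str(x) for x in subs[:4])
    return domain, subs[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two account SIDs belong to the same domain iff their domain parts match."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


def is_well_known_rid(rid: int) -> bool:
    """Built-in principals (e.g. the domain Administrator) use RIDs below 1000."""
    return rid < WELL_KNOWN_RID_LIMIT


class RidMaster:
    """Toy model of the RID master: every DC receives a disjoint RID block, so
    two DCs cannot mint the same SID even while replication is lagging."""

    def __init__(self, first_rid: int = WELL_KNOWN_RID_LIMIT,
                 pool_size: int = DEFAULT_RID_POOL_SIZE) -> None:
        self.next_rid = first_rid
        self.pool_size = pool_size
        self.pools: Dict[str, List[Tuple[int, int]]] = {}

    def allocate_pool(self, dc_name: str) -> Tuple[int, int]:
        """Hand the named DC the next unused block of RIDs."""
        low, high = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = high + 1
        self.pools.setdefault(dc_name, []).append((low, high))
        return low, high

    def owner_of(self, rid: int) -> Optional[str]:
        """Which DC was given the block containing this RID (None if unallocated)."""
        for dc, blocks in self.pools.items():
            if any(low <= rid <= high for low, high in blocks):
                return dc
        return None


if __name__ == "__main__":
    sample = "S-1-5-21-1111-2222-3333-1105"   # constructed sample SID
    print(sid_from_binary(sid_to_binary(sample)))
    print(split_domain_rid(sample))
    master = RidMaster()
    print(master.allocate_pool("DC1"), master.allocate_pool("DC2"), master.owner_of(1105))
```

The `owner_of` lookup is the useful part for a defender: given a suspicious account's RID and the RID pool records from the RID master, it tells you which DC created the account, which is a sensible pivot for log review.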

PDC Emulator
If the domain contains computers operating without Windows Server 2003 client software or if it contains
Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role
acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the
BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain
in the forest.

Infrastructure master
It is responsible for updating the group-to-user references whenever the members of groups are
renamed or changed. At any time, there can be only one domain controller acting as the
infrastructure master in each domain.
Manage FSMO Roles
Seizing and transferring the roles
How to find the role holders (GUI and command line)
Regsvr32 Schmmgmt.dll


FRS
Inter-site replication
Intra-site replication
Push and pull replication
Bridgehead servers, topologies
Protocols: RPC over IP and SMTP over IP
Compression: 10 to 20%
Manual scheduling
Managing and troubleshooting
Site links



Groups
Types of Groups

New to Windows 2000/Windows Server 2003 are two types of group objects, each used for a specific

Security Groups: These are used to grant permissions to resources. Computers, users, and
other groups can be members of a security group.

Distribution Groups: These groups are used for non-security functions, such as e-mail.
Distribution groups cannot be assigned permissions or rights.

Scopes of Groups
Windows 2000/Windows Server 2003 provides the ability to limit the area of influence for a group.
A group can have one of the following three scopes:

Domain Local Groups: Limited to a single domain. They can be used to grant permissions to
resources only within that domain, but can have members from any domain. These groups should
be used when the permissions are to be granted specifically within a domain: domain local groups
are not visible outside of their own domain.

Global Groups: Used to grant permissions to objects in multiple domains and are visible to all
trusted domains. Global groups, though, can have as members only users and groups from within
their own domain. If your AD database is configured for native-mode operation, global groups can
be nested; in other words, a global group can contain other global groups.

Universal Groups: Similar to global groups in that they can be used to grant permissions across
multiple domains. The big difference is that universal groups can contain any combination of user
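The scope rules above are exactly the kind of thing that gets violated quietly over years of delegated administration, so here is an added Python example (not code from the IBM deck) that encodes them as a membership and permission checker and runs it over a constructed set of memberships. The nesting matrix it implements is the deck's statements plus Microsoft's documented rules for a native-mode domain (domain local groups may also contain domain local groups from their own domain; universal groups may contain global and universal groups from any domain); treat that completion as the example's assumption. The principal names and domain names are constructed.

```python
"""Group scope nesting and permission checks.
Added illustration for the group scope slides; not code from the original
slides. Rules: deck text plus Microsoft's native-mode nesting rules (assumption)."""
from dataclasses import dataclass
from typing import List, Tuple

GROUP_KINDS = ("global", "domain_local", "universal")
ACCOUNT_KINDS = ("user", "computer")


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # one of ACCOUNT_KINDS or GROUP_KINDS


def can_be_member(group: Principal, member: Principal) -> bool:
    """True if `member` may be added to `group` under the scope rules."""
    if group.kind not in GROUP_KINDS:
        raise ValueError(f"{group.name} is not a group")
    same_domain = group.domain == member.domain
    if group.kind == "global":
        # Global: accounts and (native mode) global groups, own domain only.
        return same_domain and member.kind in ACCOUNT_KINDS + ("global",)
    if group.kind == "universal":
        # Universal: accounts, global and universal groups from any domain.
        return member.kind in ACCOUNT_KINDS + ("global", "universal")
    # Domain local: accounts, global and universal groups from any domain,
    # plus domain local groups from the same domain (assumption, see lead-in).
    if member.kind == "domain_local":
        return same_domain
    return member.kind in ACCOUNT_KINDS + ("global", "universal")


def can_grant_on(group: Principal, resource_domain: str) -> bool:
    """Domain local groups grant permissions only inside their own domain;
    global and universal groups are visible to all trusted domains."""
    if group.kind == "domain_local":
        return group.domain == resource_domain
    return group.kind in GROUP_KINDS


def audit_memberships(memberships: List[Tuple[Principal, Principal]]) -> List[str]:
    """One message per (group, member) pair that violates the scope rules."""
    return [
        f"{m.name}@{m.domain} ({m.kind}) cannot be a member of "
        f"{g.name}@{g.domain} ({g.kind})"
        for g, m in memberships
        if not can_be_member(g, m)
    ]


# Constructed sample directory: two domains in one forest.
SALES = Principal("Sales", "corp", "global")
EU_SALES = Principal("EU-Sales", "eu.corp", "global")
ALL_STAFF = Principal("AllStaff", "corp", "universal")
FILE_READERS = Principal("FileServer-Readers", "corp", "domain_local")
ALICE = Principal("alice", "corp", "user")
BOB = Principal("bob", "eu.corp", "user")

SAMPLE_MEMBERSHIPS = [
    (SALES, ALICE),         # ok: user from own domain in a global group
    (SALES, BOB),           # violation: global group cannot take a foreign user
    (ALL_STAFF, EU_SALES),  # ok: universal group nests a global group from any domain
    (FILE_READERS, SALES),  # ok: domain local group nests a global group
    (SALES, ALL_STAFF),     # violation: global group cannot nest a universal group
]

if __name__ == "__main__":
    for line in audit_memberships(SAMPLE_MEMBERSHIPS):
        print(line)
```

Run against a real export of group memberships, the audit list is a quick way to spot groups that only work because a domain has been left in mixed mode or because the scope was changed after members were added.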

TOOLS & AD Backup

Tools to manage AD
Dsadd, Dsmod, Dsget, Dsquery, Netdom, Dcdiag, Netdiag
AD backup and restore methods
Ntbackup
Authoritative and non-authoritative restore
Things to Know!!!!

1. Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
2. There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
3. Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
4. Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
5. The file system that Windows operating systems use limits file name lengths (including the path to the file name) to 260 characters.
6. The maximum length for the name of an organizational unit (OU) is 64 characters.
7. There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account.
8. For Windows 2000 Server, the recommended maximum number of domains in a forest is 800; for Windows Server 2003 it is 1,200.
