Identify the features of Active Directory - PowerPoint PPT Presentation

About This Presentation
Title:

Identify the features of Active Directory

Description:

Identify the features of Active Directory. Understand Active ... Figure 3-7 Disjointed namespaces (multiple trees) (Skill 3) Examining Underlying Active ... – PowerPoint PPT presentation

Slides: 53
Provided by: cnsT8

Transcript and Presenter's Notes

Title: Identify the features of Active Directory


1
Goals
  • Identify the features of Active Directory
  • Understand Active Directory architecture
  • Examine underlying Active Directory concepts
  • Understand the basic elements of Active Directory
  • Plan the implementation of Active Directory
  • Install Active Directory
  • Work with Microsoft Management Console (MMC) and
    snap-ins
  • Create organizational units
  • Manage Active Directory objects

2
(Skill 1)
Identifying the Features of Active Directory
  • Active Directory is the directory service for
    Windows Server 2003
  • Active Directory includes the following features:
      • Centralized management
      • Security
      • Object-oriented storage
      • Hierarchical organization
      • Multi-master replication
      • Integration with DNS
      • Lightweight Directory Access Protocol (LDAP)
      • Standard name formats
      • Scalability

3
(Skill 1)
Identifying the Features of Active Directory
Figure 3-1 Active Directory
4
(Skill 1)
Identifying the Features of Active Directory
Figure 3-2 Replication
All Windows Server 2003 Domain Controllers
contain a writable copy of the Active Directory
Database. If changes are made to the database on
one domain controller, the changes are replicated
to all other domain controllers in the domain.
5
(Skill 2)
Introducing Active Directory Architecture
  • Active Directory is built in a layered
    architecture in which the layers represent
    processes that provide directory services to
    client applications
  • Active Directory includes three service layers,
    several interfaces and protocols, and the
    underlying Data Store.
  • Service layers of Active Directory:
      • Directory System Agent (DSA) Layer: the process
        that provides access to the Data Store
      • Database Layer: provides an object view of
        database information
      • Extensible Storage Engine Layer: has direct
        contact with records in the Data Store
  • The Data Store stores the records that make up
    Active Directory's database.

6
(Skill 2)
Introducing Active Directory Architecture
Figure 3-3 Active Directory Architecture
7
(Skill 3)
Examining Underlying Active Directory Concepts
  • In order to understand Active Directory, you must
    understand the concepts of schema, global catalog,
    and namespaces.
  • Schema
      • The Active Directory schema contains formal
        definitions of every object class that can be
        created in an Active Directory forest.
      • The schema also contains formal definitions of
        every attribute that can exist in an Active
        Directory object.
      • The schema is the database design, which can be
        extended by adding new object classes or new
        attributes.
      • Also called the directory information tree (DIT)

8
(Skill 3)
Examining Underlying Active Directory Concepts
Figure 3-4 Schema
9
(Skill 3)
Examining Underlying Active Directory Concepts
(2)
  • Global catalog
      • The global catalog stores a full read-write
        replica of all object attributes in the directory
        for its host domain, and a partial replica of all
        object attributes contained in the directory for
        every domain in the forest, along with universal
        groups and group members.
      • This gives the global catalog the ability to
        search the entire forest, but also keeps its
        database relatively light, allowing for improved
        replication.

10
(Skill 3)
Examining Underlying Active Directory Concepts
(3)
  • Namespace
      • The resolution of names through the use of Domain
        Name System (DNS) is central to the operation of
        Windows networks.
      • Without proper name resolution, users cannot
        locate resources on the network.
      • Namespaces define the domain structure in Active
        Directory.
      • Domains with contiguous namespaces are members of
        the same tree.
      • A forest is a collection of domains sharing the
        same schema, configuration, and global catalog.

11
(Skill 3)
Examining Underlying Active Directory Concepts
Figure 3-6 Contiguous namespaces (tree)
12
(Skill 3)
Examining Underlying Active Directory Concepts
Figure 3-7 Disjointed namespaces (multiple trees)
13
(Skill 3)
Examining Underlying Active Directory Concepts
(4)
  • Active Directory identifies each object in the
    following ways:
      • Globally Unique Identifier (GUID): a unique
        128-bit number that defines the identity of an
        object
      • Distinguished Name (DN): used to uniquely name
        an object
      • Relative Distinguished Name (RDN): the portion
        of the Distinguished Name that uniquely
        identifies an object within the object's parent
        container
      • User Principal Name (UPN): the name of a system
        user in an e-mail address format
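The following is an added example, not part of the original slides, that shows how the four naming forms above relate to one another in code: a DN is split into its RDNs, the first RDN is the object's own name and the rest is its parent container, the `DC=` components give the DNS domain from which a UPN is built, and a GUID is a random 128-bit value. The sample DN, account name and domain are constructed; the DN splitter honours the backslash escape that LDAP uses for a comma inside a name (RFC 4514), which is the case that a naive `split(",")` gets wrong.

```python
"""Active Directory naming forms worked through in code (added example).

Constructed sample values are used throughout; none of them come from the
slides or from a real directory.
"""
import uuid

# Constructed sample: a user named "Smith, Jane" in the Marketing OU of
# example.com. The comma inside the CN is escaped as "\," per RFC 4514.
SAMPLE_DN = r"CN=Smith\, Jane,OU=Marketing,DC=example,DC=com"
SAMPLE_SAM_ACCOUNT = "jsmith"  # constructed logon name


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDN strings, keeping '\\,' escapes intact."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # copy the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_of(dn: str) -> str:
    """The RDN is the leftmost component: the object's name in its container."""
    return split_rdns(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN is the DN of the parent container."""
    return ",".join(split_rdns(dn)[1:])


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC= components to recover the domain's DNS name."""
    labels = [r.split("=", 1)[1] for r in split_rdns(dn)
              if r.lower().startswith("dc=")]
    return ".".join(labels)


def build_upn(logon_name: str, dns_domain: str) -> str:
    """A UPN is logon-name@dns-domain, i.e. e-mail address format."""
    return f"{logon_name}@{dns_domain}"


def new_guid() -> uuid.UUID:
    """A GUID is a 128-bit identifier; uuid4 generates a random one."""
    return uuid.uuid4()


def guid_bit_length_ok(guid: uuid.UUID) -> bool:
    """Check that the GUID fits in 128 bits."""
    return 0 <= guid.int < (1 << 128)


if __name__ == "__main__":
    print("RDN:       ", rdn_of(SAMPLE_DN))
    print("Parent DN: ", parent_dn(SAMPLE_DN))
    print("DNS domain:", dns_domain_from_dn(SAMPLE_DN))
    print("UPN:       ", build_upn(SAMPLE_SAM_ACCOUNT, dns_domain_from_dn(SAMPLE_DN)))
    print("GUID:      ", new_guid())
```

Running the module prints the RDN `CN=Smith\, Jane`, the parent `OU=Marketing,DC=example,DC=com`, the domain `example.com` and the UPN `jsmith@example.com`; without the escape handling the CN would have been cut at the embedded comma.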

14
(Skill 3)
Examining Underlying Active Directory Concepts
Figure 3-8 Naming conventions
15
(Skill 4)
Introducing the Basic Elements of Active Directory
  • The basic elements of Active Directory include
    objects, domains, organizational units, trees,
    forests, and sites.
  • Object
      • An object is anything, either tangible or
        abstract, about which data is stored.
      • It can be a network resource, such as a user,
        group, or printer, or a virtual object such as a
        forest, tree, domain, or OU.
      • Each object is defined by a set of attributes
        related to its properties.
      • When you create an object, the Active Directory
        is populated with some of the attributes for the
        object.

16
(Skill 4)
Introducing the Basic Elements of Active
Directory (2)
  • The common types of objects that can be created
    in Active Directory are as follows:
      • Computer
      • User
      • Group
      • Shared Folder
      • Printer

17
(Skill 4)
Introducing the Basic Elements of Active
Directory (3)
  • Domain
      • A domain is a group of computers and devices on a
        network that constitute a single security
        boundary within Active Directory, but can span
        more than one physical location.
      • Every domain has its own security policies and
        security relationships with other domains.
      • Domains create a security boundary.
      • Domains co-existing under the same namespace form
        a single tree.
      • When multiple domains are connected by trust
        relationships and share a common schema,
        configuration, and global catalog, they
        constitute a forest.

18
(Skill 4)
Introducing the Basic Elements of Active
Directory (5)
  • A domain includes the following types of
    computers in a Windows Server 2003 network:
      • Domain controller: a computer that stores a
        replica of the directory database.
      • Member server: a Windows NT 4.0, 2000, or Server
        2003 computer that is part of a domain but does
        not store a replica of the directory database.
      • Client computers: computers running operating
        systems that can communicate with the Active
        Directory for user authentication and resource
        access.

19
(Skill 4)
Introducing the Basic Elements of Active Directory
Figure 3-10 Hierarchical structure of Active
Directory
20
(Skill 4)
Introducing the Basic Elements of Active
Directory (7)
  • Organizational unit (OU)
      • An OU is a container object for organizing
        objects within a domain.
      • OUs can contain users, groups, resources, and
        other OUs.
      • An OU enables the delegation of administration to
        distinct segments of the directory, which
        provides more flexibility in managing the objects
        in a business unit, department, or other
        organizational division.
      • Grouping objects into OUs allows for the
        following object administration:
          • Creation and organization of child OUs.
          • Delegation of permissions within specific OUs.
          • Assignment of Group Policy links.

21
(Skill 4)
Introducing the Basic Elements of Active
Directory (9)
  • Tree
      • A tree consists of a set of one or more domains
        in a hierarchical structure.
      • The first domain created in the forest is called
        the forest root, and this is where the forest name
        is specified.
      • All domain trees in a forest share the same
        forest root. If a new tree is created after the
        forest root, the first domain that is added to
        this tree is called the root domain.
      • The domains under the root domain are called
        child domains, and any domain immediately above
        another domain is called the parent domain.

22
(Skill 4)
Introducing the Basic Elements of Active Directory
Figure 3-11 Multiple domains in a tree
23
(Skill 4)
Introducing the Basic Elements of Active
Directory (10)
  • Forest
      • A forest consists of a group of one or more
        Active Directory domains that share a common
        schema, configuration, global catalog, and
        two-way, transitive trusts.
      • All trees in a given forest trust each other
        through transitive two-way trust relationships.
      • A forest exists as a set of cross-referenced
        objects and trust relationships known to the
        member trees.
      • Trees in a forest form a hierarchy for the
        purposes of trust.

24
(Skill 4)
Introducing the Basic Elements of Active Directory
Figure 3-12 Forest
25
(Skill 4)
Introducing the Basic Elements of Active
Directory (11)
  • Sites
      • A site is a location in a network holding Active
        Directory servers.
      • A site is defined as one or more well-connected
        TCP/IP subnets, meaning that network connectivity
        is highly reliable and fast.

26
(Skill 4)
Introducing the Basic Elements of Active Directory
Figure 3-13 Site
27
(Skill 5)
Planning the Implementation of Active Directory
  • Before implementing Active Directory, you need to
    first:
      • Understand the business requirements of your
        organization
      • Plan the namespace
      • Design the site
          • Combine subnets that run over high bandwidth
            network connections so they are economical and
            reliable.
          • Create one or more sites for domains that spread
            over two or more far-reaching geographic
            locations.
      • Plan the domain structure

28
(Skill 6)
Installing Active Directory
  • After you have planned the structure of the
    namespace, sites, and domains, you can install
    Active Directory on the Windows Server 2003 using
    the Active Directory Installation Wizard
    (Dcpromo.exe).
  • When you create a domain, by default, the domain
    is configured to run in Windows 2000 mixed mode.
  • This mode allows the coexistence of Windows NT,
    Windows 2000, and Windows Server 2003 domains.
  • If your domain consists of only Windows 2000
    domain controllers, you can switch to Windows
    2000 native mode. This mode supports Windows 2000
    and Windows Server 2003 domains.

29
(Skill 6)
Installing Active Directory (2)
  • If your domain has only Windows NT 4.0 servers,
    and you upgrade a server to Windows Server 2003,
    you can use Windows Server 2003 interim mode.
  • This level is used when there are no Windows 2000
    servers and you upgrade a Windows NT PDC (primary
    domain controller) to Windows Server 2003.
  • If your domain consists of only Windows Server
    2003 domain controllers, you can switch the
    domain to Windows Server 2003 mode, which
    supports the full Windows Server 2003 Active
    Directory implementation.

30
(Skill 6)
Installing Active Directory
Figure 3-15 Detecting Local Area Network settings
31
(Skill 6)
Installing Active Directory
Figure 3-16 The Server Role screen
32
(Skill 6)
Installing Active Directory
Figure 3-17 The Operating System Compatibility
screen
33
(Skill 6)
Installing Active Directory
Figure 3-18 The Domain Controller Type screen
34
(Skill 6)
Installing Active Directory
Figure 3-19 The Create New Domain screen
35
(Skill 6)
Installing Active Directory
Figure 3-20 Specifying the full DNS domain name
36
(Skill 6)
Installing Active Directory
Figure 3-21 The NetBIOS Domain Name screen
37
(Skill 6)
Installing Active Directory
Figure 3-22 The Permissions screen
38
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
  • Microsoft Management Console (MMC) is an ISV
    (Independent Software Vendor)-extensible, common
    console framework for management applications.
  • MMC provides a common host environment for
    snap-ins, which provide the actual management
    behavior; MMC does not provide any management
    functionality by itself.

39
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins (2)
  • Using MMC snap-ins, administrators can do the
    following:
      • Edit multiple user objects.
      • Save queries.
      • Quickly select objects using the improved object
        picker component.
  • Snap-ins in an MMC are used to perform
    administrative tasks such as managing computers,
    services, and networks.

40
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins (3)
  • There are two types of snap-ins: stand-alone and
    extension.
  • A stand-alone snap-in (often referred to simply
    as a snap-in) provides management functionality
    without requiring support from another snap-in
    and is used to perform administrative tasks even
    if no other snap-in is present in the console.
  • Extension snap-ins (often referred to simply as
    extensions) require a parent snap-in above them
    in the console tree. Extension snap-ins extend
    the functionality provided by other snap-ins.

41
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
Figure 3-23 An empty console window
42
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
Figure 3-25 The Add Standalone Snap-in dialog box
43
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
Figure 3-26 Using a snap-in to manage the local
computer
44
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
Figure 3-27 Removing snap-in extensions
45
(Skill 7)
Working with Microsoft Management Console (MMC)
and Snap-Ins
Figure 3-28 Console Root with selected extensions
46
(Skill 8)
Creating Organizational Units
  • You use the Active Directory Users and Computers
    console to create an organizational unit (OU) and
    to add objects to OUs.
  • You can create an OU in a domain, in a domain
    controller object, or in another OU if you have
    been delegated permission to do so.
  • By default, Windows Server 2003 grants permission
    to members of the Administrators group to create
    an OU.

47
(Skill 8)
Creating Organizational Units
Figure 3-29 Creating an Organizational Unit (OU)
48
(Skill 8)
Creating Organizational Units
Figure 3-30 The Marketing OU added to the domain
49
(Skill 9)
Managing Active Directory Objects
  • Managing objects involves several tasks, including
    the following:
      • Searching for objects in Active Directory
      • Delegating administrative control
      • Modifying objects in Active Directory
      • Moving objects within Active Directory

50
(Skill 9)
Managing Active Directory Objects
Figure 3-33 The Find Users, Contacts, and Groups
dialog box
51
(Skill 9)
Managing Active Directory Objects
Figure 3-34 Finding a user in Active Directory
52
(Skill 9)
Managing Active Directory Objects (2)
  • After you have created domains and OUs and added
    objects to the OUs, you need to secure the
    resources in Active Directory from unauthorized
    access. Active Directory provides:
      • Object security: Active Directory provides a set
        of security descriptors for each object called a
        Discretionary Access Control List (DACL). The
        DACL defines how that object can be accessed.
        Each file or folder on an NTFS drive has a DACL,
        and that DACL contains entries known as Access
        Control Entries (ACEs) that contain the SID of
        the user or group and the permissions associated
        with that user or group.
      • Account logon security: account logon security
        protects a computer and its resources from
        unauthorized access by restricting the ability of
        users to access a computer or a domain.