
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure


Lesson 1: Introducing Active Directory Services in Windows Server 2003

Goals
- Introduce Active Directory
- Identify the functions and features of Active Directory
- Introduce Active Directory architecture
- Introduce Active Directory objects
- Examine the logical and physical structure of Active Directory
- Examine more Active Directory concepts
- Plan a domain structure
- Plan a domain namespace
- Examine guidelines for planning a site structure

© 2004 Pearson Education, Inc.



Introducing Active Directory


Active Directory database
- Stores information about users, groups, domains, and objects on a network
- Allows you to centrally access and administer the information
- Provides a unique identity for each object, called a Security ID (SID)


Introducing Active Directory (2)


Active Directory database
- Allows you to access and administer the directory service globally, unlike decentralized network models
- Reduces the effort required to complete day-to-day administrative tasks, such as managing users and resources


Figure 1-1 Active Directory


Introducing Active Directory (3)


Windows NT
- Introduced the concept of a directory service based on domains that provide a single point of authentication for all users on a network
- Limitations prevent it from being used effectively in large networks
  - Has only one writable copy of the database, which leads to a single point of failure for write operations
  - Trust relationships between domains must be built manually


Introducing Active Directory (4)


- Active Directory’s advantages over Windows NT
  - Most trust relationships within a single forest are created automatically
  - Makes it possible for Active Directory to provide scalability in large business organizations


Identifying the Functions and Features of Active Directory
- Active Directory features make it a reliable and secure directory service
  - Policy-based administration
    - Active Directory makes network administration easier by using Group Policies
    - Using this feature, an administrator can make complex modifications to the user’s environment, assign rights, configure network security, and install software to collections of users or computers


Identifying the Functions and Features of Active Directory (2)
- Active Directory features make it a reliable and secure directory service
  - Increased security of information
    - Windows Server 2003 supports protection of both stored data and network data
    - Stored data can be protected using Encrypting File System (EFS) and permissions


Identifying the Functions and Features of Active Directory (3)
- Active Directory features make it a reliable and secure directory service
  - Integration with Domain Name System (DNS)
    - DNS is a naming service that translates host names into numeric IP addresses
    - Active Directory uses standard DNS naming conventions for domains


Identifying the Functions and Features of Active Directory (4)
- Active Directory features make it a reliable and secure directory service
  - Extensibility
    - Active Directory allows nearly any type of information to be added to the database because it has an extensible schema
    - The schema contains a list of all possible object types (object classes), their attributes, and the relationships allowed between objects


Identifying the Functions and Features of Active Directory (5)
- Active Directory features make it a reliable and secure directory service
  - Scalability
    - Active Directory can store anywhere from a small number to millions of objects
    - An object automatically inherits the permissions of the container into which it is placed


Identifying the Functions and Features of Active Directory (6)
- Active Directory features make it a reliable and secure directory service
  - Information replication
    - Active Directory automatically replicates the contents of its database across every domain controller in the domain
  - Compatibility with other directory services
    - Active Directory is based on protocols such as LDAP, HTTP, and NSPI, so it is compatible with other directory services that use these protocols


Identifying the Functions and Features of Active Directory (7)
- Active Directory features make it a reliable and secure directory service
  - Mutual authentication
    - Active Directory utilizes Kerberos as the default authentication mechanism
    - Kerberos is an industry-standard, high-security mutual authentication mechanism that provides increased security for logon information


Introducing Active Directory Architecture
- Windows Server 2003 architecture has two primary layers
  - User mode
  - Kernel mode


Introducing Active Directory Architecture (2)
- User mode layer
  - The interface between applications and the kernel mode layer
  - Accepts requests from an application and forwards them to the kernel for processing


Introducing Active Directory Architecture (3)
- Components of the user mode layer
  - Environment subsystems
    - Provide interfaces for applications to interact with the kernel and integral subsystems
    - The environment subsystem components make applications run by providing Application Programming Interfaces (APIs)


Introducing Active Directory Architecture (4)
- Components of the user mode layer
  - Integral subsystems
    - Perform important operating system functions such as security and session management
    - The Security subsystem receives logon requests and initiates logon authentication
    - The Workstation Service enables a client computer to access the network
    - The Server Service allows a Windows Server 2003 computer to share network resources


Figure 1-2 Location of Active Directory within the Windows Server 2003 architecture

Introducing Active Directory Architecture (5)
- Kernel mode layer
  - Communicates with system data and hardware to process any input/output requests made by a user
  - Operates in a protected area of memory
  - Is responsible for executing I/O requests
  - Prioritizes hardware and software interrupts based on the precedence of the application or service making the request


Introducing Active Directory Architecture (6)
- Components of the kernel mode layer
  - Executive
    - Performs I/O functions, object management, and security functions
    - Has a number of subcomponents
    - Provides security guidelines for the user mode layer


Introducing Active Directory Architecture (7)
- Components of the kernel mode layer
  - Microkernel, which manages the computer’s processors
  - Kernel mode drivers, which take requests from applications and translate them into hardware functions
  - Hardware Abstraction Layer (HAL), which provides the interface between the other software layers and the core hardware


Introducing Active Directory Architecture (8)
- Active Directory is made up of three service layers and the underlying Data Store
  - Directory System Agent (DSA)
    - Provides the interface for application calls made to the directory
    - Supports the protocols that enable clients to gain access to the Active Directory
      - LDAP/ADSI
      - SAM
      - MAPI
      - REPL

Introducing Active Directory Architecture (9)
- Database Layer
  - Access calls to the database go through the Database Layer
  - Acts as an abstraction layer between the applications that make the access calls and the database
- Extensible Storage Engine (ESE)
  - Has direct contact with the records in the directory data store
  - Based on an object’s relative distinguished name attribute


Introducing Active Directory Architecture (10)
- Data Store (Ntds.dit)
  - Contains the records that make up the Active Directory database
  - Stored by default in the %systemroot%\NTDS folder on the domain controller
  - Administered from Active Directory Restore Mode using Ntdsutil.exe, located in the system32 folder in the %systemroot% folder


Figure 1-3 Active Directory architecture


Introducing Active Directory Objects
- Active Directory
  - Treats each domain resource as an object
  - Each object is represented by distinct characteristics known as attributes


Introducing Active Directory Objects (2)
- Types of Active Directory objects
  - User accounts
    - Store the logon information for the users in a domain
    - A domain acts as a security boundary: assuming no trusts are in place, users can only access objects within their own domains


Figure 1-4 Objects and their attributes



Introducing Active Directory Objects (3)
- Types of Active Directory objects
  - Contacts
    - Used to store information about any person or organization that has business relations with your organization
    - Contact information includes name, address, telephone number, and e-mail address


Introducing Active Directory Objects (4)
- Types of Active Directory objects
  - Computers
    - Computer objects store information about computers that are members of a domain
    - Information includes computer name, description, and other attributes


Introducing Active Directory Objects (5)
- Types of Active Directory objects
  - Groups
    - Used to apply permissions across large numbers of users, computers, and groups
    - They are not strictly containers, but have membership lists that define which objects are members of the group


Introducing Active Directory Objects (6)
- Types of Active Directory objects
  - Published folders
    - Shared folders that have been listed in Active Directory
    - When you publish a folder in Active Directory, you create an object that stores a pointer to the folder


Introducing Active Directory Objects (7)
- Types of Active Directory objects
  - Printers
    - A printer is represented by a printer object that contains a pointer to the printer on a computer
    - A Windows Server 2003 print server automatically detects and publishes printers to Active Directory


Introducing Active Directory Objects (8)
- Types of Active Directory objects
  - Domain controllers
    - A Windows Server 2003 computer that authenticates user logon attempts and exchanges directory information with other domain controllers
    - Exchanging directory information is called replication
      - In Active Directory, domain controllers use multimaster replication to exchange directory information with other domain controllers in a domain
      - No single domain controller is responsible for replication, and all of the domain controllers act as peers


Introducing Active Directory Objects (9)
- Types of Active Directory objects
  - Domain controllers
    - Each domain controller is represented by a Domain Controller object in Active Directory
    - You can store the Domain Name System (DNS) name, pre-Windows Server 2003 name, operating system version, location, and name of the administrator in this object
    - Domain controllers also handle a user’s interactions with a domain, such as locating objects and logon requests

Introducing Active Directory Objects (10)
- Types of Active Directory objects
  - Organizational units (OUs)
    - Container objects that can store groups, users, computers, and other OUs
    - Used to organize the objects in the domain, to delegate control over a small portion of the domain, and to apply Group Policy to a select group of objects
    - Only one OU exists by default
    - It is recommended that you create additional OUs based on your administrative needs

Figure 1-5 A typical Active Directory hierarchy



Figure 1-6 Active Directory objects



Introducing Active Directory Objects (11)
- In Active Directory, you use names to locate objects in a network
- Naming conventions that Active Directory supports
  - Distinguished name (DN)
    - A unique name for every object in a network
    - It includes the name of the domain that holds the object and the complete path to the object through the container hierarchy


Introducing Active Directory Objects (12)
- Naming conventions that Active Directory supports
  - Relative distinguished name (RDN)
    - Derived from the DN
    - The RDN of an object is simply the object’s name
  - Globally unique identifier (GUID)
    - A unique 128-bit number assigned to an object at the time of its creation
    - The GUID for an object does not change even when you move or rename the object

Introducing Active Directory Objects (13)
- Naming conventions that Active Directory supports
  - User principal name (UPN)
    - Consists of the first name and last name attributes for a user
    - Followed by the UPN suffix, which is usually the DNS name of the domain where the user is located
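The four naming conventions from the last three slides (DN, RDN, GUID and UPN) can be exercised in code. The Python below is an added example, not material from the slides or from Microsoft: it splits a distinguished name into its RDNs while honouring RFC 4514 backslash escapes (so a comma inside a name such as "Doe, John" is not treated as a separator), derives the RDN, the container path and the holding domain's DNS name from a DN, composes a UPN from an assumed logon name plus the domain DNS name as suffix, and shows that a stand-in object's GUID survives a rename and a move while its DN changes. All object, container and domain names are constructed.

```python
"""Added example: the Active Directory naming conventions in code.
Object names, domain names and logon names are constructed."""
from __future__ import annotations
import uuid
from dataclasses import dataclass, field


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings, honouring RFC 4514 backslash escapes so
    that an escaped comma inside a value (e.g. 'CN=Doe\\, John') is not a separator."""
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """(attribute type, value) pairs, leftmost (most specific) first."""
    pairs = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def rdn_of(dn: str) -> str:
    """The RDN is simply the object's own name: the value of the leftmost component."""
    return parse_dn(dn)[0][1]


def container_path(dn: str) -> str:
    """The DN minus its RDN: the container hierarchy that holds the object."""
    return ",".join(split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC= components to recover the DNS name of the domain holding the object."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def upn_for(logon_name: str, dn: str) -> str:
    """Compose a UPN from an (assumed) logon name and the holding domain's
    DNS name used as the UPN suffix."""
    return f"{logon_name}@{domain_dns_name(dn)}"


@dataclass
class DirectoryObject:
    """Minimal stand-in for an AD object: the GUID is assigned once at creation
    and survives renames and moves, while the DN (and RDN) changes."""
    dn: str
    guid: uuid.UUID = field(default_factory=uuid.uuid4)

    def rename(self, new_name: str) -> None:
        attr = parse_dn(self.dn)[0][0]
        self.dn = f"{attr}={new_name},{container_path(self.dn)}"

    def move(self, new_container_dn: str) -> None:
        self.dn = f"{split_dn(self.dn)[0]},{new_container_dn}"


if __name__ == "__main__":
    user = DirectoryObject("CN=Doe\\, John,OU=Sales,DC=corp,DC=example,DC=com")
    print("RDN:", rdn_of(user.dn))
    print("Domain:", domain_dns_name(user.dn))
    print("UPN:", upn_for("jdoe", user.dn))
    user.move("OU=Marketing,DC=corp,DC=example,DC=com")
    print("After move:", user.dn, "GUID unchanged:", user.guid)
```

The escape handling matters in practice: an LDAP filter or audit rule that splits DNs on a bare comma will mis-parse any object whose name contains one, and the GUID is the only identifier a log correlation should key on across renames and moves.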


Figure 1-7 Examples of naming conventions



Examining the Logical and Physical Structure of Active Directory
- Objects in Active Directory can be organized logically and physically
  - Logical structure
    - Consists of domains, trees, and forests
    - Besides being Active Directory objects, OUs are also part of the logical structure
  - Physical structure
    - Consists of sites
    - Domain controllers are also part of the physical structure, as well as being Active Directory objects

Examining the Logical and Physical Structure of Active Directory (2)
- Components of the logical structure
  - Domains
    - In Active Directory, domains represent the core unit of the logical structure
    - Used to represent the administrative boundaries of your organization
    - Store information only about the objects they contain
    - Can span multiple physical locations


Figure 1-8 A domain structure in an organization


Examining the Logical and Physical Structure of Active Directory (3)
- Components of the logical structure
  - Trees
    - Formed when you add one or more child domains to the top-level domain (also known as the root of the tree)
    - Follow a contiguous naming scheme where every child domain (subdomain) in the tree derives its name from the root domain
    - An implicit two-way transitive trust exists between the parent domains and the child domains in a domain tree; a trust is a type of logical link, automatically established between domains

Figure 1-9 A tree structure in Active Directory



Examining the Logical and Physical Structure of Active Directory (4)
- Components of the logical structure
  - Forests
    - Collection of domains that share a common schema, global catalog, and configuration
    - All domains in a forest share a common schema and a common global catalog, which allows all domains within a forest to contain uniform information
    - Although domains in a forest operate independently, they communicate with each other because all domain trees in a forest share a common schema

Examining the Logical and Physical Structure of Active Directory (5)
- Components of the logical structure
  - Forests
    - All domains in a forest share a common global catalog
    - Forests allow a disjointed naming scheme where the names of domain trees may not be related to one another
    - In a forest, an implicit two-way transitive trust exists between the root domains of domain trees and the root of the forest


Figure 1-10 A forest structure in Active Directory


Examining the Logical and Physical Structure of Active Directory (6)
- Components of the logical structure
  - Sites
    - Logical representations of a physical location within Active Directory
    - Subnets are always associated with sites
      - Allows clients to determine the site to which they belong
      - Allows clients to use a domain controller located in their physical site
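The subnet-to-site association is what lets a client work out its own site and prefer a domain controller there. The Python below is an added example, not code from the slides or from Microsoft: it resolves a client IP address against a constructed subnet table using longest-prefix match (so an overlapping, more specific subnet wins), handles IPv4 and IPv6, and returns the domain controllers of the matched site. A client whose address falls in no defined subnet gets no site, which is the condition an administrator should watch for since such clients cannot pick a nearby DC. The subnets, site names and DC names are all constructed.

```python
"""Added example: subnet-to-site mapping and site-aware DC selection.
All subnets, site names and DC names below are constructed for illustration."""
from __future__ import annotations
import ipaddress
from typing import Optional

# Constructed subnet -> site associations, as an administrator would define
# them in Active Directory Sites and Services. Overlapping prefixes are
# included on purpose to show that the most specific subnet wins.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "London",
    "10.20.5.0/24": "London-Annex",
    "192.0.2.0/24": "Singapore",
    "2001:db8:1::/48": "Singapore",
}

# Constructed domain controllers per site.
DCS_BY_SITE = {
    "HQ": ["dc01.corp.example.com", "dc02.corp.example.com"],
    "London": ["lon-dc01.corp.example.com"],
    "London-Annex": ["lon-dc02.corp.example.com"],
    "Singapore": ["sg-dc01.corp.example.com"],
}


def site_for(ip: str, subnet_map: dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site whose subnet most specifically contains ip, or None
    when no subnet covers it (a client in an undefined subnet has no site)."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        # Longest prefix wins: a /24 inside a /16 inside a /8 is the real site.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def preferred_dcs(ip: str,
                  subnet_map: dict[str, str] = SUBNET_TO_SITE,
                  dcs_by_site: dict[str, list[str]] = DCS_BY_SITE) -> list[str]:
    """Domain controllers in the client's own site. An empty list means the
    client has no site and would have to fall back to any DC in the domain."""
    site = site_for(ip, subnet_map)
    return list(dcs_by_site.get(site, [])) if site else []


if __name__ == "__main__":
    for client in ("10.20.5.77", "10.20.9.1", "10.3.0.1", "2001:db8:1::10", "198.51.100.4"):
        print(client, "->", site_for(client), preferred_dcs(client))
```

Listing clients that resolve to no site (the `None` case) is a cheap health check: every such client authenticates against whichever DC answers first, often across a WAN link, and its traffic is not steered by the site design at all.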


Examining the Logical and Physical Structure of Active Directory (7)
- Components of the logical structure
  - Sites
    - Used to control replication traffic between physical locations
    - The logical structure of Active Directory is different from the physical structure
      - A site can span multiple domains
      - A domain can span multiple sites


Figure 1-11 Structure of a site


Examining More Active Directory Concepts
- Global catalog
  - Stores information about all objects in a forest
  - By default, the global catalog is created on the first domain controller in a forest, known as a global catalog server
  - Whenever object information is updated, a global catalog server exchanges this information with other global catalog servers in a forest


Examining More Active Directory Concepts (2)
- Global catalog
  - In a single domain, the global catalog stores information about all of the objects in that domain
  - In multiple domains, the global catalog stores a full replica of information about objects belonging to its domain and a partial replica of information for objects belonging to other domains
  - You can add global catalog servers to a forest to provide backup for the default global catalog server
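The full-versus-partial replica distinction determines which questions a global catalog server can answer on its own. The Python below is an added example, not code from the slides or from Microsoft: a stand-in global catalog server keeps every attribute of objects from its home domain but only a partial attribute set for objects of other domains, answers a forest-wide UPN lookup from that partial data, and reports when an attribute of a foreign object is outside the partial set and must be read from a domain controller of the owning domain instead. The partial attribute set, domain names and objects are constructed for illustration.

```python
"""Added example: what a global catalog server holds for its own domain versus
other domains in the forest. Domains, attribute names and objects are constructed."""
from __future__ import annotations
from typing import Optional

# Constructed stand-in for the partial attribute set: the attributes replicated
# to every global catalog for objects of every domain in the forest.
PARTIAL_ATTRIBUTE_SET = {"objectGUID", "cn", "sAMAccountName", "userPrincipalName", "mail"}


class GlobalCatalogServer:
    def __init__(self, home_domain: str, pas: set[str] = PARTIAL_ATTRIBUTE_SET) -> None:
        self.home_domain = home_domain
        self.pas = set(pas)
        # (domain, objectGUID) -> attributes held on this server
        self.replica: dict[tuple[str, str], dict[str, str]] = {}

    def replicate(self, domain: str, objects: list[dict[str, str]]) -> None:
        """Full replica for the home domain; only partial-set attributes for others."""
        for obj in objects:
            if domain == self.home_domain:
                stored = dict(obj)
            else:
                stored = {k: v for k, v in obj.items() if k in self.pas}
            self.replica[(domain, obj["objectGUID"])] = stored

    def find_by_upn(self, upn: str) -> Optional[tuple[str, str]]:
        """Forest-wide UPN lookup of the kind done at logon: (domain, objectGUID)."""
        for (domain, guid), attrs in self.replica.items():
            if attrs.get("userPrincipalName") == upn:
                return domain, guid
        return None

    def read(self, domain: str, guid: str, attribute: str) -> tuple[Optional[str], bool]:
        """Return (value, referral_needed). referral_needed is True when this
        server cannot answer from its replica and the caller must ask a DC of
        the owning domain."""
        attrs = self.replica.get((domain, guid))
        if attrs is None:
            return None, True
        if attribute in attrs:
            return attrs[attribute], False
        # Missing here: either the object lacks it (home domain, full replica)
        # or it is outside the partial set (foreign domain, partial replica).
        referral = domain != self.home_domain and attribute not in self.pas
        return None, referral


if __name__ == "__main__":
    gc = GlobalCatalogServer("corp.example.com")
    gc.replicate("corp.example.com", [{"objectGUID": "g-1", "cn": "Alice",
                                       "userPrincipalName": "alice@corp.example.com",
                                       "description": "HQ admin"}])
    gc.replicate("emea.corp.example.com", [{"objectGUID": "g-2", "cn": "Bob",
                                            "userPrincipalName": "bob@emea.corp.example.com",
                                            "description": "EMEA staff"}])
    print(gc.find_by_upn("bob@emea.corp.example.com"))
    print(gc.read("emea.corp.example.com", "g-2", "description"))
```

The referral flag is the practical point: a query against the global catalog port for an attribute that is not in the partial set returns nothing for objects of other domains, which is easy to misread as "the attribute is empty" rather than "ask the owning domain".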


Figure 1-12 The function of the global catalog



Examining More Active Directory Concepts (3)
- Global catalog
  - Global catalog servers also participate in logons in Windows 2000 native mode
    - Perform User Principal Name (UPN) lookups
    - Provide universal group storage
  - Handles user and program-related queries about objects
  - Can quickly resolve a query about an object anywhere in the forest

Examining More Active Directory Concepts (4)
- Trust relationships
  - A trust is a connection between domains allowing users from one or both domains to be granted access to resources in the opposing domain
  - In a multi-domain environment, trusts allow users to access resources in other domains without the need to log on to each domain separately
  - Trusts allow users to log on to their own domain on computers that are members of a different domain


Examining More Active Directory Concepts (5)
- Trusts come in four basic forms
  - One-way trusts allow a domain to access another domain’s resources, but not vice versa
  - Two-way trusts allow both domains to access each other’s resources
  - Transitive trusts follow through, meaning they pass from domain to domain
  - Non-transitive trusts do not follow through, so each domain must explicitly trust the other domains

Figure 1-13 Simple one-way trusts


Figure 1-14 An additional trust from domain A to domain C


Figure 1-15 Trusting and trusted domains

Figure 1-16 Two-way trusts

Examining More Active Directory Concepts (6)


 Five basic names for describing the type of trust
   Default trust
    Automatically established between the forest root domain and the root of each tree in the forest, as well as between each child domain and its parent domain
    Always two-way and transitive
   Inter-forest trust
    Established between two Windows Server 2003 forest root domains
    Either one-way or two-way, and always transitive

Examining More Active Directory Concepts (7)

 Five basic names for describing the type of trust
   Shortcut trust
    Established to reduce the normal Kerberos trust resolution path between domains when there are a large number of domains that are widely geographically dispersed
    Can be one-way or two-way, and is always transitive
    Can only be established within a single forest

Figure 1-17 Use of shortcut trusts

Examining More Active Directory Concepts (8)

 Five basic names for describing the type of trust
   External trust
    Established between different Windows 2000 forests, between Windows Server 2003 and Windows 2000 forests, and between Windows NT and Windows 2000 or Server 2003 domains
    Are always an NT trust; that is, an external trust is always one-way and non-transitive
    Used to connect Windows 2000 domains and Unix Kerberos realms

Examining More Active Directory Concepts (9)

 Five basic names for describing the type of trust
   Realm trust
    Established between a Windows Server 2003 domain and a Unix Kerberos realm
    A Kerberos realm is similar to a domain in Active Directory
    Can be either one-way or two-way
    Can be transitive or non-transitive
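The trust properties listed on the preceding slides (one-way versus two-way, transitive versus non-transitive, and the shortcut trust that shortens the Kerberos referral path between distant domains) can be checked mechanically before a design is committed. The following Python is an added example and is not part of the course deck: it models a constructed forest with hypothetical domain names (corp.example and its children, a LEGACYNT domain) and reports whether accounts in one domain can reach resources in another and how many trusts a referral has to cross. A single direct trust of any kind grants access; a chain of two or more trusts is usable only when every hop is transitive.

```python
from collections import deque
from dataclasses import dataclass


# A trust as the deck describes it: the trusting domain exposes its resources to
# accounts from the trusted domain. Two-way trusts work in both directions; only
# transitive trusts may be chained through intermediate domains.
@dataclass(frozen=True)
class Trust:
    trusting: str
    trusted: str
    two_way: bool
    transitive: bool


def trust_edges(trusts):
    """Directed edges trusting -> (trusted, transitive) derived from the trust list."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return edges


def trust_path(trusts, resource_domain, account_domain):
    """Shortest chain of domains through which accounts in account_domain reach
    resources in resource_domain, or None when no usable trust exists."""
    if resource_domain == account_domain:
        return [resource_domain]
    edges = trust_edges(trusts)
    # A direct trust of any kind (even one-way, non-transitive) is enough.
    for nxt, _transitive in edges.get(resource_domain, []):
        if nxt == account_domain:
            return [resource_domain, account_domain]
    # Longer chains: breadth-first search over transitive trusts only.
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in edges.get(path[-1], []):
            if not transitive or nxt in seen:
                continue
            if nxt == account_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def can_access(trusts, resource_domain, account_domain):
    return trust_path(trusts, resource_domain, account_domain) is not None


def referral_hops(trusts, resource_domain, account_domain):
    """Number of trusts a Kerberos referral must cross; None if unreachable."""
    path = trust_path(trusts, resource_domain, account_domain)
    return None if path is None else len(path) - 1


# Constructed forest (hypothetical names): one tree whose default parent/child
# trusts are, as the deck states, always two-way and transitive.
FOREST = [
    Trust("corp.example", "eu.corp.example", two_way=True, transitive=True),
    Trust("corp.example", "us.corp.example", two_way=True, transitive=True),
    Trust("eu.corp.example", "paris.eu.corp.example", two_way=True, transitive=True),
    Trust("us.corp.example", "boston.us.corp.example", two_way=True, transitive=True),
]
# Shortcut trust between the two deepest domains: two-way, transitive, same forest.
SHORTCUT = Trust("paris.eu.corp.example", "boston.us.corp.example", two_way=True, transitive=True)
# External trust to a legacy NT-style domain, modelled as the deck states it:
# one-way and non-transitive, so it never chains into the rest of the forest.
EXTERNAL = Trust("corp.example", "LEGACYNT", two_way=False, transitive=False)

if __name__ == "__main__":
    print(referral_hops(FOREST, "paris.eu.corp.example", "boston.us.corp.example"))               # 4
    print(referral_hops(FOREST + [SHORTCUT], "paris.eu.corp.example", "boston.us.corp.example"))  # 1
    print(can_access(FOREST + [EXTERNAL], "corp.example", "LEGACYNT"))     # True
    print(can_access(FOREST + [EXTERNAL], "eu.corp.example", "LEGACYNT"))  # False: non-transitive
    print(can_access(FOREST + [EXTERNAL], "LEGACYNT", "corp.example"))     # False: one-way
```

Without the shortcut, a referral from paris.eu.corp.example to boston.us.corp.example walks up to the forest root and back down (four trusts); with it, one. The external trust shows the non-transitive rule: LEGACYNT accounts reach corp.example but nothing beneath it, and no corp.example account reaches LEGACYNT at all.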

Examining More Active Directory Concepts (10)

 Domain Name System (DNS)
   Active Directory uses DNS as its name resolution service
   The computer running this service is known as a DNS name server
   DNS helps computers to locate other computers on a network
   DNS organizes domains in a hierarchical structure using a naming scheme called the domain namespace

Examining More Active Directory Concepts (11)

 Domain Name System (DNS)
   Computers in a domain use this service to locate domain controllers in the domain
   DNS zones
    A DNS server typically holds a copy of the DNS zone for a given domain or collection of contiguous domains
    The DNS zone is contained in a file known as the zone database file, typically called the zone file

Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 7)

Planning Domain Structure

 In Active Directory, domain structure is primarily dependent on administrative needs
 In Windows Server 2003
   Domains are simply administrative boundaries
   It is best to use a single domain model if at all possible
 Domain models are broadly classified into two categories
   Single domain model
   Multiple domain model

Planning Domain Structure (2)

 Single domain model
   Easy to manage and administer because the administrative boundary is clearly defined
   Suitable for any organization that follows a truly centralized administrative model
   Easy to set up because only a single domain must be configured

Planning Domain Structure (3)

 Multiple domain model
   Typically only appropriate in three specific situations
    To separate domain-level administrative privileges
    To separate account policies
    To control localized traffic

Figure 1-18 Domain models

Figure 1-19 Account Policies

Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 8)

Planning a Domain Namespace

 Choose a unique domain name for your organization
   Register it with an organization that manages Internet DNS namespaces
   This organization adds an entry pointing to the authoritative name servers for your domain on the top-level name servers on the Internet
   Use this domain name to host the Web site for your organization on the Internet

Planning a Domain Namespace (2)

 DNS namespace types
   Internal
   External
   Hybrid

Planning a Domain Namespace (3)

 Internal namespace
   Is not resolvable by hosts that are using public (Internet) DNS servers
   Is used only for internal clients
   Is well suited for hosting Active Directory due to its increased security

Planning a Domain Namespace (4)

 External namespace
   Is resolvable from any client on the Internet
   Is required for Internet-accessible resources, such as Web sites
   Is typically a poor choice for hosting Active Directory due to the potential lack of security it provides

Planning a Domain Namespace (5)

 Hybrid namespace
   One design method provides the best of both worlds by dividing your namespace into two zones
    One for public access
    One for private access
   Another design method involves delegating a DNS subdomain as the root of your internal structure

Figure 1-20 Hybrid namespace with DNS sub-domain

Planning a Domain Namespace (6)


 Hybrid namespace
   Another design method involves creating two disconnected zones for the same name
    Create two separate zones for your domain on two separate servers
    Place the publicly accessible records on the external server, which is outside of the firewall
    Place both the public and private records on the internal server, which is behind the firewall
    This solution reduces naming convention confusion for users

Figure 1-21 Hybrid namespace with two disconnected zones

Planning a Domain Namespace (7)

 Naming guidelines
   All Active Directory domain names should be static
   Keep it short, simple, and easy to remember
   Use standard DNS characters
   Limit it to 63 characters, including the periods
   The Fully Qualified Domain Name (FQDN) can be up to 255 characters
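Two of the slides above carry rules that are easy to state and easy to get wrong in practice: the "two disconnected zones for the same name" design (public records on the external server, public plus private records on the internal one) and the naming guidelines (standard DNS characters, 63 characters for the domain name including periods, 255 for a host FQDN). The following Python is an added example and is not part of the course deck. It reads two constructed zone files for a hypothetical corp.example (the 203.0.113.0/24 addresses are the documentation range standing in for public address space), applies the naming guidelines, and audits the public copy for records that belong only behind the firewall: RFC 1918 addresses, the SRV records Active Directory clients use to find domain controllers, and any public record the internal copy is missing.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed zone files for one name served by two servers (hypothetical names).
EXTERNAL_ZONE = """\
$ORIGIN corp.example.
@     IN SOA ns1.corp.example. hostmaster.corp.example. 2004010101 3600 900 604800 86400
@     IN NS  ns1.corp.example.
@     IN MX  10 mail.corp.example.
ns1   IN A   203.0.113.10
www   IN A   203.0.113.20
mail  IN A   203.0.113.25
"""
# Internal server: every public record plus the private ones.
INTERNAL_ZONE = EXTERNAL_ZONE + """\
dc1   IN A   10.0.0.5      ; private records live only on the internal server
files IN A   10.0.0.20
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp       IN SRV 0 100 88  dc1.corp.example.
"""
# A mistaken public copy: two records that should never have left the internal server.
LEAKY_EXTERNAL_ZONE = EXTERNAL_ZONE + """\
dc1   IN A   10.0.0.5
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.corp.example.
"""


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


def parse_zone(text):
    """Minimal zone-file reader: handles $ORIGIN, ';' comments, optional TTL, class IN."""
    origin, records = ".", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, i = fields[0], 1
        if fields[i].isdigit():        # optional TTL
            i += 1
        if fields[i].upper() == "IN":  # class
            i += 1
        rtype, rdata = fields[i].upper(), " ".join(fields[i + 1:])
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append(Record(fqdn.rstrip(".").lower(), rtype, rdata))
    return records


# Standard DNS characters: letters, digits and interior hyphens, at most 63 per label.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_name(name, max_len=63):
    """Naming-guideline problems (empty list = OK). The deck caps an Active Directory
    domain name at 63 characters including periods and a host FQDN at 255."""
    name = name.rstrip(".")
    problems = [f"name exceeds {max_len} characters"] if len(name) > max_len else []
    problems += [f"label '{label}' is too long or uses non-standard DNS characters"
                 for label in name.split(".") if not LABEL_RE.match(label)]
    return problems


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AD_LOCATOR = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")  # SRV owners AD clients query


def audit_split_zone(external_text, internal_text):
    """Findings on the public copy of a split zone: private addresses, Active Directory
    locator records, bad host names, and public records the internal copy lacks."""
    external, internal = parse_zone(external_text), parse_zone(internal_text)
    findings = []
    for r in external:
        if r.rtype == "A":
            if any(ipaddress.ip_address(r.rdata) in n for n in RFC1918):
                findings.append(f"{r.name}: private address {r.rdata} published externally")
            findings += [f"{r.name}: {p}" for p in check_name(r.name, 255)]
        if r.rtype == "SRV" and (r.name.startswith(AD_LOCATOR) or "_msdcs" in r.name):
            findings.append(f"{r.name}: Active Directory locator record published externally")
    # Internal users must still resolve every public name, so the internal copy
    # has to carry each public record (SOA and NS legitimately differ per server).
    public = {r for r in external if r.rtype not in ("SOA", "NS")}
    for r in sorted(public - set(internal), key=lambda r: (r.name, r.rtype)):
        findings.append(f"{r.name} {r.rtype}: public record missing from the internal zone")
    return findings


if __name__ == "__main__":
    print(audit_split_zone(EXTERNAL_ZONE, INTERNAL_ZONE))        # []
    print(audit_split_zone(LEAKY_EXTERNAL_ZONE, INTERNAL_ZONE))  # two findings
    print(check_name("corp_hq.example"))                          # underscore is not a standard character
```

Run against the clean pair the audit returns nothing; against the leaky public copy it reports the 10.0.0.5 address and the _ldap._tcp.dc._msdcs SRV record. The private-address test deliberately uses the RFC 1918 ranges rather than Python's `is_private`, which also classifies the documentation range as private and would flag the constructed public records.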

Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 9)

Guidelines for Planning a Site Structure


 Sites
   Map to the physical structure of an organization
   Participate actively in the user logon and authentication process
   Play an important role in the directory replication process

Guidelines for Planning a Site Structure (2)


 Directory replication
   Can take place within a site or between sites
   Within a site, Active Directory automatically generates a replication topology
   You can disable Active Directory’s automatic creation of connection objects by manually creating connection objects, and thus control intra-site replication

Figure 1-22 Replication within a site using a ring topology

Guidelines for Planning a Site Structure (3)

 Site planning guidelines
   Decide which domain controller the computers on a given subnet should use
   To optimize logon traffic, ensure the availability of at least one domain controller per site
   To optimize inter-site replication, configure replication so that it occurs when network traffic is light

Guidelines for Planning a Site Structure (4)

 Site planning guidelines
   Configure a powerful server as the preferred bridgehead server for inter-site replication
    The bridgehead server is the only server in a site that is allowed to replicate to other sites
    This reduces the amount of replication traffic between sites, because not all servers are attempting to replicate with all other servers

Figure 1-23 Using a bridgehead server for inter-site replication

Guidelines for Planning a Site Structure (5)

 Site planning guidelines
   Place your domain controllers in the correct sites
    By default, clients will choose the correct site each time they get a new IP address
    Domain controllers only choose a site when they are first created, and must be manually moved thereafter
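The site planning guidelines above come down to three questions: which site does a client address fall in, which domain controllers sit in that site, and which sites have none. The following Python is an added example and is not part of the course deck: it holds constructed site, subnet and domain-controller placement data (hypothetical names and ranges) and answers those questions the way a client does, by matching its address to the most specific subnet object and then looking for domain controllers in the resulting site.

```python
import ipaddress

# Constructed site topology (hypothetical names and address ranges).
SITES = ("Boston", "Boston-Lab", "Paris")
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Boston",
    "10.1.50.0/24": "Boston-Lab",   # more specific subnet carved out of the Boston range
    "10.2.0.0/16": "Paris",
}
# Site each domain controller was placed in when it was created.
DC_SITE = {
    "dc1.corp.example": "Boston",
    "dc2.corp.example": "Paris",
}


def site_for_ip(ip, subnet_to_site=SUBNET_TO_SITE):
    """Site a client lands in: the most specific subnet object containing its address,
    or None when no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def domain_controllers_in_site(site, dc_site=DC_SITE):
    return sorted(dc for dc, s in dc_site.items() if s == site)


def preferred_dcs_for_client(ip, subnet_to_site=SUBNET_TO_SITE, dc_site=DC_SITE):
    """(site, domain controllers) a client at this address should use. An empty
    list means its logon traffic must leave the site, the gap the guideline warns about."""
    site = site_for_ip(ip, subnet_to_site)
    return site, domain_controllers_in_site(site, dc_site)


def sites_without_dc(sites=SITES, dc_site=DC_SITE):
    """Sites that break the 'at least one domain controller per site' guideline."""
    covered = set(dc_site.values())
    return [s for s in sites if s not in covered]


if __name__ == "__main__":
    print(preferred_dcs_for_client("10.2.8.8"))   # ('Paris', ['dc2.corp.example'])
    print(preferred_dcs_for_client("10.1.50.7"))  # ('Boston-Lab', [])
    print(sites_without_dc())                     # ['Boston-Lab']
```

The lab subnet is the instructive case: longest-prefix matching puts 10.1.50.7 in Boston-Lab rather than Boston, and because no domain controller was placed there the site check flags it. Fixing that is a placement decision (create a domain controller there or move one in, which the deck notes is a manual step), not a change to the subnet objects.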
