
Overview of Active Directory Domain Services
Lesson 1

Chapter Objectives
Identify Active Directory functions and benefits.
Identify the major components that make up an Active Directory structure.
Identify how DNS relates to Active Directory.
Identify forest and domain functional levels.

Directory Service
A network service that identifies all resources on a network and makes those resources accessible to users and applications.
The most common directory service standards are:
X.500
Lightweight Directory Access Protocol (LDAP)

X.500
Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive.

Lightweight Directory Access Protocol (LDAP)
Industry standard.
A slimmed-down version of X.500, modified to run over TCP/IP networks.

Active Directory
A directory service that uses the tree concept for managing resources on a Windows network.
Stores information about network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies.
Identifies all resources on a network and makes them accessible to users and applications.

Active Directory
Used in:
Windows 2000
Windows Server 2003
Windows Server 2008
Subsequent versions of Active Directory have introduced new functionality and security features.

Active Directory
Windows Server 2008 provides two directory services:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)

Active Directory Domain Services (AD DS)
Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server.

Active Directory Lightweight Directory Services (AD LDS)
Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.

Domain Controller (DC)
Server that stores the Active Directory database and authenticates users with the network during logon.
Stores database information in a file called ntds.dit.
Active Directory is a multimaster database.
Information is automatically replicated between multiple domain controllers.

Active Directory Functions and Benefits
Centralized resource and security administration.
Single logon for access to global resources.
Fault tolerance and redundancy.
Simplified resource location.

Centralizing Resources and Security Administration
Active Directory provides a single point from which administrators can manage network resources and their associated security objects.
MMC consoles found in Administrative Tools:
Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Domains and Trusts
ADSI Edit

Fault Tolerance and Redundancy
Active Directory uses a multimaster domain controller design.
Changes made on one domain controller are replicated to all other domain controllers in the environment.
It is recommended to have two or more domain controllers for each domain.

Read-Only Domain Controller (RODC)
Introduced with Windows Server 2008.
A domain controller that holds a copy of the ntds.dit file that cannot be modified and that does not replicate changes to other Active Directory domain controllers.

Simplifying Resource Location
Allows file and print resources to be published within Active Directory.
Examples include:
Shared folders
Printers

Active Directory Components
Forests: One or more domain trees, with each tree having its own unique namespace.
Domain trees: One or more domains with a contiguous namespace.
Domains: A logical unit of computers and network resources that defines a security boundary.

Active Directory Components
All Active Directory objects share a set of common attributes; some of these are as follows:
Unique name
Globally unique identifier (GUID)
Required object attributes
Optional object attributes

Understanding the Schema
Defines the objects stored within Active Directory and the properties (attributes) associated with each object.
A user has different properties than a group, which in turn has different properties than a computer.

Active Directory Naming Standard
Example:
cn=JSmith, ou=sales, dc=lucernepublishing, dc=com

Domain Name System (DNS)
Provides name resolution for a TCP/IP network.
Active Directory requires DNS as the default name resolution method.
Example resource records (RR):
Host (A): host name to IP address.
Pointer (PTR): IP address to host name.
Service (SRV): locator service for LDAP/domain controller services.
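
The naming standard and the DNS slides above fit together: the dc= components of an object's distinguished name are the DNS labels of its domain, and that domain name is where the SRV locator records live. The following is an added example, not code from the original slides: it parses the slide's example DN into its RDNs, derives the DNS domain from the dc= parts, and builds the _msdcs SRV names a Windows client queries to find a domain controller (the escaped-comma input and the error cases are constructed here).

```python
# Added example, not from the original slides: split an AD distinguished name
# into its RDNs, derive the domain's DNS name from the dc= components, and
# build the SRV names a Windows client resolves to locate a domain controller.
# The DN from the slides is used in the test; the rest is constructed here.
from dataclasses import dataclass

@dataclass
class Rdn:
    attr: str   # attribute type, e.g. "cn", "ou", "dc"
    value: str  # value with backslash escapes removed

def parse_dn(dn: str) -> list:
    """Split an LDAP DN into RDNs, most specific first.
    A backslash escapes the next character (e.g. "Smith\\, John"), so an
    escaped comma stays inside the value; spaces after separators are ignored."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append(Rdn(attr.strip().lower(), value.strip()))
    return rdns

def dns_domain(rdns) -> str:
    """dc=lucernepublishing,dc=com -> lucernepublishing.com (dc= maps to DNS labels)."""
    labels = [r.value for r in rdns if r.attr == "dc"]
    if not labels:
        raise ValueError("DN has no dc= components, so it names no AD domain")
    return ".".join(labels)

def dc_locator_srv_names(domain: str) -> dict:
    """SRV names the DC locator queries; AD registers them under _msdcs.<domain>."""
    base = "._msdcs." + domain
    return {"ldap": "_ldap._tcp.dc" + base,          # any DC offering LDAP
            "kerberos": "_kerberos._tcp.dc" + base,  # any DC acting as a KDC
            "pdc": "_ldap._tcp.pdc" + base}          # the PDC emulator only
```

A DN with no dc= components (for example a bare cn=...,ou=... path) names no domain, so dns_domain raises rather than guessing one.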

Functional Levels
Allow interoperability with prior versions of Microsoft Windows.
Higher functional levels will not allow older versions of Windows to function, but add additional functionality or features.
Raising a functional level is a one-way process.

Domain Functional Levels

Forest Functional Levels

Using Forest Functional Levels
To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.
The functional level of a forest can be raised only on a server that holds the Schema Master role.

Trust Relationships
Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks.
A trust relationship allows administrators from a particular domain to grant access to their domain's resources to users in other domains.

Trust Relationships
When a child domain is created, it automatically receives a two-way transitive trust with its parent domain.
Trusts are transitive:
If domain A trusts domain B,
and domain B trusts domain C,
then domain A trusts domain C.
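
The transitivity rule above means the set of domains a user can reach is a graph question: follow the automatic parent/child trusts (and any manually created forest trust) until the target domain is found. The following is an added example, not code from the original slides: it models a small constructed forest, adds a hand-made two-way trust to another forest root, and returns the chain of trusts between any two domains, or None when no chain exists (all domain names are constructed for illustration).

```python
# Added example, not from the original slides: model the two-way transitive
# trusts that parent and child domains receive automatically, plus a manually
# created forest trust, and find the trust path between two domains.
# All domain names below are constructed for illustration.
from collections import deque

def build_forest_trusts(parent_of: dict) -> dict:
    """parent_of maps each child domain to its parent. Every parent/child
    pair gets a two-way transitive trust, kept as an undirected adjacency set."""
    trusts = {}
    for child, parent in parent_of.items():
        trusts.setdefault(child, set()).add(parent)
        trusts.setdefault(parent, set()).add(child)
    return trusts

def add_two_way_trust(trusts: dict, a: str, b: str) -> None:
    """A trust an administrator creates by hand, e.g. a forest trust between
    two forest root domains (transitive, like the parent/child trusts)."""
    trusts.setdefault(a, set()).add(b)
    trusts.setdefault(b, set()).add(a)

def trust_path(trusts: dict, src: str, dst: str):
    """Shortest chain of trusts from src to dst (breadth-first search), or
    None when no chain exists, i.e. src does not trust dst at all."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in trusts.get(cur, ()):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == dst:            # walk the predecessor chain back to src
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

# Constructed forest: root domain with two children and one grandchild.
FOREST = build_forest_trusts({
    "sales.lucernepublishing.com": "lucernepublishing.com",
    "eu.lucernepublishing.com": "lucernepublishing.com",
    "west.sales.lucernepublishing.com": "sales.lucernepublishing.com",
})
```

In this model the path between two child domains always runs through their common ancestor, which is exactly the parent/child trust path described in the chapter summary.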

Chapter Summary
Active Directory is a database of objects that are used to organize resources according to a logical plan.
These objects include containers such as domains and OUs in addition to resources such as users, computers, and printers.

The Active Directory schema includes definitions of all objects and attributes within a single forest.
Each forest maintains its own Active Directory schema.

Chapter Summary
Active Directory requires DNS to support SRV records.
Microsoft recommends that DNS support dynamic updates.

Chapter Summary
Domain and forest functional levels are new features of Windows Server 2008.
The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design.
The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features.

Chapter Summary
Two-way transitive trusts are automatically generated within the Active Directory domain structure.
Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources.
The ISTG is responsible for this process.

Chapter Summary
Cross-forest trusts are new to Windows Server 2003, and they are only available when the forest functionality is set to Windows Server 2003.
They must be manually created and maintained.
