
AD DS Configuration Chapter 1

- Directory Service: Allows businesses to define, manage, access, and secure network resources, including files, printers, people, and applications.
- Active Directory Domain Services (AD DS): Provides the full-fledged directory service that was referred to as Active Directory in Windows Server 2003 and Windows 2000.
- Active Directory Lightweight Directory Services (AD LDS): Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.
- Domain Controller (DC): A server that stores the AD database and authenticates users with the network during logon. Each domain controller actively participates in storing, modifying, and maintaining the AD database information, which is stored on each domain controller in a file called NTDS.DIT.
- Multimaster Database: Administrators can update the NTDS.DIT from any domain controller.
- Replication: The process of keeping each domain controller synced.
- Outbound Replication: When a domain controller transmits replication information to other domain controllers on the network.
- Inbound Replication: Conversely, when a domain controller receives updates to the AD database from other domain controllers on the network.
- Functional Levels: Determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
- Read-Only Domain Controller (RODC): A domain controller that contains a copy of the NTDS.DIT file that cannot be modified and that does not replicate its changes to other domain controllers within AD.
- Publishing: Publishing an object allows users to access network resources by searching the AD database for the desired resource.
- Container and Leaf Objects: A leaf object is an object that has no child objects. The term "container" refers to one of two things: an object of the container structural class, or an object that has child objects. Container is a structural class of object, which means that container objects can be created in Active Directory. In the schema, structural classes define objects that can be created as instances of the class in Active Directory. Other objects can be "container" objects in the general sense of the word (that is, they can have child objects), but they do not belong to the container class. For example, an organizational unit is a container object, although its class is organizationalUnit, not container. An organizational unit object has many attributes that provide functionality that an ordinary container does not have.

- Forest: The largest container object in AD. The forest container defines the fundamental security boundary within AD, which means a user can access resources across an entire AD forest using a single logon/password combination.
- Naming Contexts: The directory is divided into multiple partitions.
  - Schema Partition: Contains the classSchema and attributeSchema objects that define the types of objects that can exist in the forest. Every domain controller in the forest has a replica of the same schema partition.
  - Configuration Partition: Contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller in the forest has a replica of the same configuration partition.
  - Domain Partition: Contains the directory objects, such as users and computers, associated with the local domain. A domain can have multiple domain controllers and a forest can have multiple domains. Each domain controller stores a full replica of the domain partition for its local domain, but does not store replicas of the domain partitions for other domains.
- Domain Tree: A logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship.
- Organizational Units: Contain Users, Groups, Contacts, Printers, Shared Folders, Computers, OUs, and InetOrgPerson objects.
- Delegation: Helps you optimize the productivity of the IT department by letting non-administrative users (e.g. department managers or Help Desk operators) perform certain administrative activities in Active Directory.
- Application Partition: Provides fine control. Administrators can direct where information is replicated within a domain or forest. This results in greater flexibility and better control over replication performance.
- Object: Every resource in AD is represented as an object, and each object has a set of ATTRIBUTES that are associated with it.
- Schema: A master database that contains definitions of all objects in the AD. In a way it defines what AD is.
- Unique Name: This name identifies the object in the database. A unique name is given to the object upon its creation and includes references to its location within the directory database.
- Globally Unique Identifier (GUID): A 128-bit hexadecimal number that is assigned to every object in the AD forest upon its creation. This number does not change, even when the object itself is renamed.
- Required Object Attributes: These attributes are required for the object to function. In particular, the user account must have a unique name and a password entered upon creation.

- Optional Object Attributes: These attributes add information that is not critical to the object in terms of functionality. This type of information is nice to know as opposed to need to know; an example would be a phone number or street address.
- Knowledge Consistency Checker (KCC): Automatically creates and maintains the replication topology. It operates based on the information provided by an administrator in the AD Sites and Services snap-in, which is located in the Administrative Tools folder on a domain controller or on an administrative workstation that has had the administrative tools installed.
- Distinguished Name (DN): References an object in the AD directory structure using its entire hierarchical path, starting with the object itself and including all parent objects up to the root of the domain.
- Locator Services: The locator service provides direction for clients that need to know which server performs what function.
- SRV Records: The locator records within DNS that allow clients to locate an AD domain controller or global catalog. Without the ability to resolve SRV records, clients will be unable to authenticate against AD.
- Rolling Upgrades: An upgrade strategy based on functional levels that allows enterprises to migrate their Active Directory domain controllers gradually, based on the need and desire for the new functionality. Once you upgrade, you cannot reverse it.
  - Windows 2000 Native: This level allows backward compatibility with Microsoft Windows 2000. It allows Windows 2000, Windows Server 2003, and Windows Server 2008 domain controllers.
  - Windows Server 2003: This functional level allows Windows Server 2003 and Windows Server 2008 domain controllers only. It does not allow the presence of Windows 2000 domain controllers.
  - Windows Server 2008: This functional level allows no backward compatibility. Only Windows Server 2008 domain controllers are supported.
- Install from Media: Introduced in Windows Server 2003, allows you to promote a server to domain controller status from a backup of an existing DC.
- Application Partitions: As you already learned, application partitions allow you to exert greater control over how application information is replicated throughout AD.
- Drag and Drop User Interface: Allows you to drag and drop objects from one container to another within tools such as AD Users and Computers and AD Sites and Services. Not available in Windows 2000.
- Global Group Nesting and Universal Security Groups: Allows greater flexibility in creating AD group objects.
- SIDHistory: Each AD user, group, and computer possesses a Security Identifier (SID) that is used to grant or deny access to resources within AD, file servers, and AD-aware applications. SIDHistory allows a user to retain access to these SIDs when an object is migrated from one domain to another.
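The Distinguished Name entry above, together with the earlier Unique Name and GUID entries, describes a hierarchical path that changes on rename or move while the objectGUID stays fixed. The following is an added example, not code from the course notes, that parses DN strings the way RFC 4514 defines them (unescaped commas separate RDNs, backslashes escape special characters inside values), derives the parent container and the DNS domain from the DC= components, and models the GUID-versus-name distinction. All DNs, the domain corp.example.com, and the class name DirectoryObject are constructed for illustration.

```python
"""Distinguished names, parent chains and the GUID-vs-name distinction.

Added example, not code from the course notes. Parses DN strings per
RFC 4514: RDNs separated by unescaped commas, leftmost RDN is the object
itself, the DC= components name the domain root. Backslash escapes protect
special characters inside values (e.g. "Smith\\, John"), and "\\2C"-style hex
escapes are decoded byte-wise (sufficient for the ASCII escapes AD emits).
All DNs below are constructed sample data.
"""
import uuid
from typing import List, Tuple

SPECIAL = set(',+"\\<>;=')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into [(type, value), ...] ordered from object to root."""
    rdns = []
    attr_type = None
    buf = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            nxt = dn[i + 1:i + 2]
            if nxt in SPECIAL or nxt in (' ', '#'):
                buf.append(nxt)                              # escaped literal
                i += 2
            else:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))    # \XX hex escape
                i += 3
            continue
        if ch == '=' and attr_type is None:
            attr_type = ''.join(buf).strip()   # strip the space after a ','
            buf = []
        elif ch == ',':
            if attr_type is None:
                raise ValueError('malformed DN: RDN without "="')
            rdns.append((attr_type, ''.join(buf)))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr_type is None:
        raise ValueError('malformed DN: RDN without "="')
    rdns.append((attr_type, ''.join(buf)))
    return rdns


def escape_value(value: str) -> str:
    """Escape a value for embedding in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        needs = (ch in SPECIAL or (ch == ' ' and idx in (0, last))
                 or (ch == '#' and idx == 0))
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def format_dn(rdns: List[Tuple[str, str]]) -> str:
    return ','.join(f'{t}={escape_value(v)}' for t, v in rdns)


def parent_dn(dn: str) -> str:
    """Everything after the object's own RDN: the DN of its container."""
    return format_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Derive the DNS domain name from the DC= components."""
    return '.'.join(v for t, v in parse_dn(dn) if t.upper() == 'DC')


class DirectoryObject:
    """Hypothetical model of the notes' point: the GUID is assigned at
    creation and never changes, while the DN changes on rename or move."""

    def __init__(self, dn: str):
        self.object_guid = uuid.uuid4()   # fixed for the object's lifetime
        self.dn = dn

    def rename(self, new_value: str) -> None:
        rdns = parse_dn(self.dn)
        rdns[0] = (rdns[0][0], new_value)
        self.dn = format_dn(rdns)

    def move(self, new_parent: str) -> None:
        rdns = parse_dn(self.dn)
        self.dn = format_dn([rdns[0]] + parse_dn(new_parent))


if __name__ == '__main__':
    user = DirectoryObject(r'CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=com')
    guid_at_creation = user.object_guid
    user.move('OU=Marketing,DC=corp,DC=example,DC=com')
    user.rename('Smith, Jonathan')
    print(user.dn, user.object_guid == guid_at_creation)
```

The escaped comma in the CN is the case that trips up naive `split(',')` code; any tooling that keys on DNs (audit scripts, delegation checks, group membership reports) should key on objectGUID instead, for exactly the reason the notes give.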

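The Locator Services and SRV Records entries above say that clients find a domain controller or global catalog through DNS and cannot authenticate without those records. The following is an added example, not code from the course notes, that shows that lookup in working form: it builds the standard locator names a client queries for a domain, parses SRV answers in dig-style text form, and chooses a target the way RFC 2782 specifies (lowest priority wins, ties broken by weight). The answer lines, the domain corp.example.com and its host names are constructed sample data, not a live DNS lookup.

```python
"""DC location through DNS SRV records and RFC 2782 target selection.

Added example, not code from the course notes. It builds the standard
locator names a client queries for a domain (the _ldap/_kerberos/_gc names
under _tcp and _msdcs), parses SRV answers in dig-style text form, and picks
a target the way RFC 2782 specifies: lowest priority wins, ties are broken by
weight. The answer lines are constructed sample data, not a live DNS lookup;
the domain corp.example.com and its hosts are assumed.
"""
import random
from collections import namedtuple
from typing import Callable, List, Optional

SrvRecord = namedtuple('SrvRecord', 'priority weight port target')


def dc_locator_names(domain: str, site: Optional[str] = None) -> dict:
    """SRV names a client resolves to find DCs, Kerberos KDCs and GCs."""
    names = {
        'ldap_dc': f'_ldap._tcp.dc._msdcs.{domain}',
        'kerberos': f'_kerberos._tcp.{domain}',
        'global_catalog': f'_gc._tcp.{domain}',
    }
    if site:   # site-specific name, so clients prefer a nearby DC
        names['ldap_dc_site'] = f'_ldap._tcp.{site}._sites.dc._msdcs.{domain}'
    return names


def parse_srv_answer(line: str) -> SrvRecord:
    """Parse '<name> <ttl> IN SRV <prio> <weight> <port> <target>.'"""
    fields = line.split()
    if len(fields) != 8 or fields[2] != 'IN' or fields[3] != 'SRV':
        raise ValueError(f'not an SRV answer: {line!r}')
    return SrvRecord(int(fields[4]), int(fields[5]), int(fields[6]),
                     fields[7].rstrip('.'))


def select_target(records: List[SrvRecord],
                  rng: Callable[[], float] = random.random) -> Optional[str]:
    """RFC 2782: take the lowest-priority group, then a weighted-random pick.

    Returns None when there are no records, which is the notes' failure
    case: a client that cannot resolve SRV records has no DC to
    authenticate against.
    """
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:                       # all zero weights: uniform choice
        return group[int(rng() * len(group))].target
    threshold = rng() * total
    running = 0
    for r in group:
        running += r.weight
        if running >= threshold:
            return r.target
    return group[-1].target


# Constructed sample answers for the hypothetical corp.example.com domain:
# two DCs at priority 0 (weighted 2:1) and a backup DC at priority 10.
SAMPLE_ANSWERS = [
    '_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.',
    '_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 50 389 dc2.corp.example.com.',
    '_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 100 389 dc-backup.corp.example.com.',
]


def locate_dc(answer_lines: List[str],
              rng: Callable[[], float] = random.random) -> Optional[str]:
    """End-to-end: parse the answers and choose the DC a client would use."""
    return select_target([parse_srv_answer(l) for l in answer_lines], rng)


if __name__ == '__main__':
    print(dc_locator_names('corp.example.com', site='Default-First-Site-Name'))
    print(locate_dc(SAMPLE_ANSWERS))
```

The injectable `rng` exists so the weighted choice can be checked deterministically; in a health check you would resolve the `ldap_dc` name for each domain and treat an empty answer as the authentication outage the notes warn about.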
- LastLogonTimestamp Attribute: An attribute of the user class that allows admins to keep track of logon times for computers and users within the domain.
- Passwords for inetOrgPerson Objects: Windows Server 2003 introduced support for this, which can be used for interoperability with other directory services, such as OpenLDAP.
- Domain Rename: Allows you to rename a domain.
- SYSVOL Replication Using DFSR Instead of NTFRS: SYSVOL is a file share that is created on every AD DC, the contents of which are replicated to every DC in the domain.
- Additional Encryption Mechanisms for AD Authentication: This includes support for 256-bit Advanced Encryption Standard (AES) encryption for the Kerberos authentication protocol.
- Improved Auditing of User Logon Information: This includes recording a user's last successful logon and which computer they logged into, as well as recording the number of failed logon attempts for a user and the time of the last failed logon attempt.
- Multiple Password Policies per Domain: Allows you to configure multiple password policies within a single domain.
- Read-Only Domain Controller (RODC): Windows Server 2008 introduces the concept of the RODC, a special type of domain controller that maintains a read-only copy of the AD database and does not perform any outbound replication of its own.