Active Directory is the information hub of the Windows Server 2003 operating system. The
following figure shows Active Directory as the focal point of the Windows Server 2003 network
used to manage identities and broker relationships between distributed resources so they can
work together.
Active Directory is built around Domain Name System (DNS) and lightweight directory access
protocol (LDAP) — DNS because it is the standard on the Internet and is familiar, LDAP
because most vendors support it. Active Directory clients use DNS and LDAP to locate and
access any type of resource on the network. Because these are platform-independent
protocols, Unix, Macintosh, and other clients can access resources in the same fashion as
Windows clients.
DIRECTORY ARCHITECTURE:
First let's introduce the concept of "Sites". Sites are used to define the boundaries
of high-speed links on a network containing Active Directory Servers. Sites are
based on IP subnets and are defined as a "well-connected subnet or subnets". Do
not confuse this term with the concept of domains which are discussed next.
One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still
the centerpiece of a Windows 2000 network, however, it is set up differently.
Domain controllers are no longer separated into PDCs and BDCs. Now there are
simply DCs (Domain Controllers). By default, all Win2K servers are installed as
Standalone Member Servers. DCPROMO.EXE is the Active Directory Installation
Wizard and is used to promote a non-domain controller to a DC and vice versa.
The wizard prompts for all of the required information to install Active Directory
under the conditions that you have asked it to run.
Knowledge Consistency Checker (KCC) - This is a service created to ensure that the
Active Directory service in the Windows 2000 operating system can replicate properly.
It runs on all DCs and automatically establishes connections between individual
computers in the same site. These are known as Active Directory connection
objects. An administrator can establish additional connection objects or remove
connection objects, but at any point where replication within a site becomes
impossible or has a single point of failure, the KCC steps in and establishes as
many new connection objects as necessary to resume Active Directory replication.
When a root domain and at least 1 child domain have been created, a "tree" is
formed. Remember and understand this term as you will hear it often when
working with a directory service.
You can see that the structure begins to take the shape of a tree with branches
and sub-branches. Now what if we are a company like Microsoft or DuPont that
owns several other corporations. Typically, each company would have its own
tree and these would be aggregated together via trusts to create a "forest". Let's
look at an example using our site.
So let's say that our company owns techtutorials.net (actually that is true) and
xyzabc. You can see that the individual trees are organized just like the root
domain (mcmcse).
TRUSTS OVERVIEW:
Trusts are much more easily managed in Windows 2000 than in NT 4.0. There are
2 main reasons that this is the case.
DIRECTORY COMPONENTS:
Now that we have looked at the big picture, it is time to take a look at what
happens inside a domain. To get started, the first concept that you will need to
understand is what the directory is made of. A common analogy for a directory is a
phonebook. Both contain listings of various objects and information and
properties about them. Within the directory are several other terms that you
must know to gain even an entry level understanding as to how it all works.
Now that we know what these concepts mean, let's take a visual look at what is
going on inside a domain.
The folder symbols represent Organizational Unit (OU) containers and within each
of these we find objects such as printers, servers, computers, users, etc. Instead
of objects directly located inside these OUs, there could be more OU containers.
OBJECT NAMES:
Most of us are used to the 15 character NetBIOS naming conventions of NT 4.0.
Things are quite different now as Windows 2000 uses Lightweight Directory
Access Protocol (LDAP) to supply the naming convention. This is a fairly
complicated naming system for those of you without experience with Novell's
context concept. The 2 basic concepts that you need to know are distinguished
names and common names. Distinguished names are the complete "path"
through the hierarchical tree structure to a specific object. This is similar to
specifying the complete path to a file from a DOS prompt. This "path" points to
the location of an object in the hierarchy. Let's take a look in more detail.
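To make the "path" idea concrete, here is an added example (not code from the original tutorial) that splits a distinguished name into its components the way a DOS path is split into directories, derives the DNS domain from the DC= parts, and finds the parent container. The sample names, including the techtutorials.net-style domain, are constructed for illustration; the escaping rules follow RFC 4514, so a comma inside a value does not break the split.

```python
"""Added example, not part of the original tutorial: splitting an LDAP
distinguished name into its components, the way a DOS path is split into
directories, and deriving the DNS domain from its DC= parts. The sample
names used below are constructed for illustration."""

from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def _parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split one relative distinguished name, e.g. 'OU=Sales', into (type, value)."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), value.strip()


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, most specific (leaf) component first.

    A backslash escapes the next character, so a comma inside a value
    ('CN=Smith\\, John') stays part of the value instead of ending the RDN.
    """
    rdns: List[Tuple[str, str]] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append(_parse_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append(_parse_rdn("".join(current)))
    return rdns


def _escape(value: str) -> str:
    """Re-escape a value so a DN can be reassembled without ambiguity."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def dns_domain(dn: str) -> str:
    """The DNS name encoded by the DC= components, in the order they appear."""
    labels = [value for attr, value in split_dn(dn) if attr == "DC"]
    if not labels:
        raise ValueError("DN has no DC components, so it names no DNS domain")
    return ".".join(labels)


def parent_dn(dn: str) -> str:
    """DN of the container one level up, like dropping the last element of a path."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError("a single-RDN name has no parent container")
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns[1:])


def tree_path(dn: str) -> str:
    """Render the DN as a path from the domain root down to the object."""
    containers = [value for attr, value in reversed(split_dn(dn)) if attr != "DC"]
    return "/".join([dns_domain(dn)] + containers)


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Sales,DC=techtutorials,DC=net"   # constructed name
    print(split_dn(sample))
    print(dns_domain(sample), "|", parent_dn(sample), "|", tree_path(sample))
```

Note that the DN lists the leaf first and the domain components last, the reverse of a file path; `tree_path` turns it around so the hierarchy reads root to leaf.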
REPLICATION:
Windows 2000 networks will rely heavily on AD, and thus, it will be very
important that the service is running, fast and accessible at all times. In order to
accomplish this, the AD database must exist on multiple servers so that if one
server fails, a client can contact a server with duplicate services and information.
This not only creates redundancy, but reduces the load on individual servers. All
that needs to be done for a domain controller to become a replication partner is
to add it to the AD domain.
One of the most complex parts of making redundant servers work properly is
replicating the information and ensuring that all servers have the most up-to-date
content. Active Directory uses multimaster replication, which is another way of
stating that updates can occur on any Active Directory server. This also means
that there is not a master domain controller and all DCs work together in a peer
relationship. Each server keeps track of which updates it has received from which
servers, and can intelligently request only necessary updates in case of a failure.
This is accomplished via the use of unique sequence numbers (USN). Every time
an update is made, it is assigned a unique sequence number from a counter that
is incremented whenever a change is made.
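The paragraph above describes the mechanism in words; the following added example (not code from the original tutorial) simulates it. Each DC numbers every change it stores with its own counter, a partner remembers the highest counter value it has already received from each source and requests only entries above it, and a change that has already arrived through another DC is recognised and not applied twice. DC names, object names and attribute values are constructed; resolving conflicting concurrent writes to the same attribute is not modelled.

```python
"""Added example, not part of the original tutorial: a toy simulation of
multimaster replication driven by update sequence numbers (USNs). Each DC
numbers every change it stores, whether it originated locally or arrived
from a partner, with its own counter. A partner remembers the highest
counter value it has already received from each source (its watermark)
and asks only for entries above it, so after an outage it requests just
what it missed. Names and values are constructed; conflict resolution
between concurrent writes to the same attribute is left out."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Change:
    originating_dc: str       # DC where the write was made
    originating_usn: int      # USN that DC assigned when the write was made
    obj: str
    attr: str
    value: str

    def key(self) -> Tuple[str, int]:
        """Identity of a change, the same no matter which DC forwarded it."""
        return (self.originating_dc, self.originating_usn)


@dataclass
class DomainController:
    name: str
    usn: int = 0
    log: List[Tuple[int, Change]] = field(default_factory=list)   # (local USN, change)
    watermark: Dict[str, int] = field(default_factory=dict)       # partner -> highest USN received
    seen: Set[Tuple[str, int]] = field(default_factory=set)       # change keys already applied
    data: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (object, attribute) -> value

    def _store(self, change: Change) -> None:
        """Assign the next local USN and apply the change to this replica."""
        self.usn += 1
        self.log.append((self.usn, change))
        self.seen.add(change.key())
        self.data[(change.obj, change.attr)] = change.value

    def write(self, obj: str, attr: str, value: str) -> Change:
        """A local update: the change originates here with the USN assigned now."""
        change = Change(self.name, self.usn + 1, obj, attr, value)
        self._store(change)
        return change

    def changes_after(self, usn: int) -> List[Tuple[int, Change]]:
        """Everything stored with a local USN above the requester's watermark."""
        return [(u, c) for u, c in self.log if u > usn]

    def pull_from(self, partner: "DomainController") -> Tuple[int, int]:
        """Replicate from a partner. Returns (entries requested, entries actually applied)."""
        requested = partner.changes_after(self.watermark.get(partner.name, 0))
        applied = 0
        for partner_usn, change in requested:
            if change.key() not in self.seen:   # already arrived via another DC: skip it
                self._store(change)
                applied += 1
            self.watermark[partner.name] = partner_usn
        return len(requested), applied


def demo() -> dict:
    """Three DCs in one site: a chain of pulls, a duplicate delivery, then catch-up after an outage."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    rounds = []
    dc1.write("CN=jsmith", "telephone", "555-0100")
    dc2.write("CN=jsmith", "title", "Engineer")
    rounds.append(dc2.pull_from(dc1))   # DC2 fetches DC1's single change
    rounds.append(dc3.pull_from(dc2))   # DC3 receives both changes through DC2
    rounds.append(dc3.pull_from(dc1))   # DC1's change is requested but already seen, so not re-applied
    rounds.append(dc2.pull_from(dc1))   # nothing above the watermark: no transfer at all
    # DC2 is unreachable while DC1 takes two more writes, then catches up with exactly those two.
    dc1.write("CN=jsmith", "telephone", "555-0199")
    dc1.write("CN=printer1", "location", "Floor 2")
    rounds.append(dc2.pull_from(dc1))
    rounds.append(dc1.pull_from(dc2))   # DC1 learns DC2's title change; its own three entries are skipped
    return {"rounds": rounds, "dc1": dict(dc1.data), "dc2": dict(dc2.data), "dc3": dict(dc3.data)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The watermark is what lets a recovering DC ask for "only necessary updates": it never re-requests entries it has already numbered, and the `seen` set stops the same originating change from being applied twice when it reaches a DC by two different routes.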
SECURITY:
There are now three types of groups in Windows 2000:
• Domain Local (similar to a local group)
• Global
• Universal groups
The rules remain the same for Local and Global groups, except that you can now
nest groups in Native mode. Universal groups can have membership from any
domain and can be used to assign access to any resource in any domain.
Accounts go into Global Groups which then go into local groups that are assigned
permissions to use a resource.
Each group can have one of two functions in Native mode - distribution or
security. Security groups are the ones we are familiar with in NT4 while
distribution groups will be used primarily with Exchange 2000 or any other Active
Directory mail application.
GROUP POLICY:
Group Policy in Windows 2000 is one of its largest administrative enhancements
and is designed to enable administrators to control the environment with minimal
effort. Group Policy is administered through the Group Policy Microsoft
Management Console (MMC) snap-in. Group policies are not applied to "groups",
but we can apply them to OUs. There are five major categories that group policies
can be configured for:
You want to create a new domain that may be part of an existing domain tree or the
root of a new domain tree.
2.3.2 Solution
On a Windows 2000 domain controller, select "Domain controller for a new domain"
and then you can select one of the following:
• Create a new domain tree, and then place this new domain tree in an existing forest
• Create a new child domain in an existing domain tree
On a Windows Server 2003 domain controller, select "Domain controller for a new
domain" and then you can select one of the following:
dcpromo can also be run in unattended mode. See Recipe 3.4 for more details.
2.3.3 Discussion
The two options dcpromo offers to create a new domain are adding the domain to an
existing domain tree or starting a new domain tree. If you want to create a new
domain that is a subdomain (contained within the same namespace) of a parent
domain, you are creating a domain in an existing domain tree. If you are creating the
first domain in a forest or a domain outside the namespace of the forest root, you are
creating a domain in a new domain tree.
Each domain increases the support costs of Active Directory due to the need for
maintaining additional domain controllers and time spent configuring and maintaining
the domain. When designing an Active Directory forest, your goal should be to keep
the number of domains that are necessary to a minimum.
Creating a Trust Between a Windows NT Domain and an AD Domain
2.15.1 Problem
2.15.2 Solution
3.1.1 Problem
You want to promote a server to a domain controller. You may need to promote a
domain controller to either initially create a domain in an Active Directory forest or
add additional domain controllers to the domain for load balancing and failover.
3.1.2 Solution
Run dcpromo.exe from a command line or via Start → Run and answer the
questions according to the forest and domain you want to promote the server into.
3.1.3 Discussion
Promoting a server to a domain controller is the process where the server becomes
authoritative for an Active Directory domain. When you run the dcpromo program, a
wizard interface walks you through a series of screens that collects information about
the forest and domain to promote the server into. There are several options for
promoting a server:
Organisational Units
Introduction
Creating an OU
5.1.1 Problem
5.1.2 Solution
Moving an OU
5.7.1 Problem
You want to move an OU and all its child objects to a different location in the
directory tree.
5.7.2 Solution
User Accounts
Introduction
User accounts are one of the most frequently used types of objects in Active
Directory. Because Windows 2000 and Windows 2003 systems manage users through
Active Directory, many key issues that system administrators have to deal with are
covered in this chapter. In particular, Active Directory manages all the information
regarding passwords, group membership, the disabling or expiration of accounts, and
when users have logged in.
Creating a User
6.1.1 Problem
6.1.2 Solution
6.5.1 Problem
6.5.2 Solution
6.27.1 Problem
You want to determine the last time a user logged into a domain.
6.27.2 Solution
If you install the AcctInfo.dll extension to Active Directory Users and Computers,
you can view the last logon timestamp.
6.28.2 Solution
Groups
Introduction
A group is a simple concept that has been used in many different types of systems
over the years. In generic terms, a group is just a collection of things. Groups are used
most frequently in a security context whereby you set up a group of users and apply
certain permissions or rights to that group. Using a group is much easier when
applying security than using individual users because you have to apply the security
only once instead of once per user.
In Active Directory, groups are flexible objects that can contain virtually any other
type of object as a member. Active Directory groups can be used for many different
purposes including controlling access to resources, defining a filter for the application
of group policies, and as an email distribution list.
The scope and type of a group defines how the group can be used in a forest. The type
of a group can be either security or distribution. Security groups can be used to restrict
access to resources whereas distribution groups can be used only as a simple grouping
mechanism. Both group types can be used as email lists. The scope of a group
determines where members of the group can be located in the forest and where in the
forest you can use the group in ACLs. The supported group scopes include universal,
global, and domain local. Universal groups and domain local groups can have
members that are part of any domain in the forest. Global groups can only have
members that are part of the same domain the group is in.
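Both the SECURITY section earlier (accounts go into global groups, which go into domain local groups that carry the permissions) and the paragraph above describe what group scope permits. The following added example, not code from the original document, turns those rules into a checker. The domain constraint it enforces is the one the text states: global groups take members only from their own domain, universal and domain local groups from any domain in the forest. The per-scope nesting rules and the rule for where a group may appear in an ACL are the native-mode rules of Windows 2000/2003 and go beyond the text's summary. Domain, group and account names are constructed.

```python
"""Added example, not part of the original document: a checker for Active
Directory group-scope rules. The domain constraint (global groups take
members only from their own domain; universal and domain local groups
from any domain in the forest) is the summary given in the text. The
nesting rules per scope and the ACL placement rule are the native-mode
rules of Windows 2000/2003 and go beyond that summary. All domain,
group and account names are constructed."""

from dataclasses import dataclass
from typing import List, Optional

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: Optional[str] = None   # None for a user or computer account, else the group scope

    @property
    def is_group(self) -> bool:
        return self.scope is not None


def membership_error(group: Principal, member: Principal) -> Optional[str]:
    """None if `member` may be added to `group`; otherwise the rule that forbids it."""
    if not group.is_group:
        return f"{group.name} is not a group"
    same_domain = group.domain == member.domain
    if group.scope == GLOBAL:
        # Global: accounts and global groups, all from the group's own domain.
        if not same_domain:
            return f"global group {group.name} takes members only from {group.domain}"
        if member.is_group and member.scope != GLOBAL:
            return f"global groups nest only global groups, not {member.scope} groups"
        return None
    if group.scope == UNIVERSAL:
        # Universal: accounts, global and universal groups from any domain in the forest.
        if member.is_group and member.scope == DOMAIN_LOCAL:
            return "universal groups cannot contain domain local groups"
        return None
    if group.scope == DOMAIN_LOCAL:
        # Domain local: members from any domain, except domain local groups from other domains.
        if member.is_group and member.scope == DOMAIN_LOCAL and not same_domain:
            return "domain local groups nest domain local groups only from their own domain"
        return None
    return f"unknown group scope {group.scope!r}"


def usable_in_acl(group: Principal, resource_domain: str) -> bool:
    """Domain local groups go only on resources in their own domain; global and universal anywhere."""
    if group.scope == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.scope in (GLOBAL, UNIVERSAL)


def agdlp_errors(account: Principal, global_group: Principal,
                 local_group: Principal, resource_domain: str) -> List[str]:
    """Check the account -> global -> domain local -> permission chain the text describes."""
    errors: List[str] = []
    if global_group.scope != GLOBAL:
        errors.append(f"{global_group.name} is not a global group")
    if local_group.scope != DOMAIN_LOCAL:
        errors.append(f"{local_group.name} is not a domain local group")
    for group, member in ((global_group, account), (local_group, global_group)):
        problem = membership_error(group, member)
        if problem:
            errors.append(problem)
    if not usable_in_acl(local_group, resource_domain):
        errors.append(f"{local_group.name} cannot be used in ACLs in {resource_domain}")
    return errors


if __name__ == "__main__":
    # Constructed forest: corp.example is the root, sales.corp.example a child domain.
    alice = Principal("alice", "sales.corp.example")
    sales_staff = Principal("Sales Staff", "sales.corp.example", GLOBAL)
    print_users = Principal("Print Users", "corp.example", DOMAIN_LOCAL)
    print(agdlp_errors(alice, sales_staff, print_users, "corp.example"))          # []
    print(agdlp_errors(alice, sales_staff, print_users, "sales.corp.example"))    # ACL placement error
```

Running the chain check before handing out permissions catches the two mistakes this design is meant to prevent: putting an account from another domain straight into a global group, and referencing a domain local group on a resource outside the domain that owns it.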
Creating a Group
7.1.1 Problem
7.1.2 Solution
Introduction
As far as Active Directory is concerned, computers are very similar to users. In fact,
computer objects inherit directly from the user object class, which is used to
represent user accounts. That means computer objects have all of the attributes of
user objects and then some. Computers need to be represented in Active Directory
for many of the same reasons users do, including the need to access resources
securely, utilize GPOs, and have permissions granted or restricted on them.
Creating a Computer
8.1.1 Problem
8.1.2 Solution
8.3.1 Problem
You want to join a computer to a domain after the computer object has already been
created in Active Directory.
8.3.2 Solution
1. Log onto the computer you want to join and open the Control Panel.
2. Open the System applet.
3. Click the Computer Name tab.
4. Click the Change button.
5. Under Member of, select Domain.
6. Enter the domain you want to join and click OK.
7. You may be prompted to enter credentials that have permission to join the
computer.
8. Reboot the computer.
9. Note that the tabs in the System applet vary between Windows 2000,
Windows XP, and Windows Server 2003.
Group Policy
Introduction
Active Directory group policy objects (GPOs) can customize virtually any aspect of a
computer or user's desktop. They can also install applications, secure a computer, run
logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a
specific security group, Organizational units (OU), site, or domain. This is called
scope of management (SOM for short) because only the users or computers that fall
under the scope of the group, OU, site, or domain will process the GPO. Assigning a
GPO to a SOM is referred to as linking the GPO.
With Windows Server 2003, you can also use a WMI filter to restrict the application
of a GPO. A WMI filter is simply a WMI query that can search against any
information on a client's computer. If the WMI filter returns a true value (i.e.,
something is returned from the query), the GPO will be processed; otherwise, it will
not. So not only do you have all of the SOM options for applying GPOs, you can now
use any WMI information available on the client's computer to determine whether
GPOs should be applied. For more on the capabilities of GPOs, I recommend reading
Chapter 7 of Active Directory, Second Edition (O'Reilly).
So why are there two storage points for GPOs? The need for the Active Directory
object is obvious: to be able to link GPOs to other types of objects, the GPOs need to
be represented in Active Directory. It is necessary to store GPOs on the file system
because clients currently use a file-based mechanism to process and store GPOs, and
to provide legacy support for the NETLOGON share.
Creating a GPO
9.2.1 Problem
You want to create a GPO to force users to have a particular desktop configuration or
provision configuration settings on workstations or servers.
9.2.2 Solution