MC MCSE: Introduction to Windows 2000 Active Directory Architecture.

http://www.mcmcse.com/microsoft/guides/ad.shtml


Active Directory Study Guide

What is Active Directory?
Active Directory, or AD, is the replacement for the NT 4.0 LAN Manager-style domain model. It is essentially a database of network resources (known as objects) and information about each of these objects. This is not a new concept, as Novell and Banyan have used directory services for years. Familiarity with Novell 4.11 will greatly reduce the time it takes to become comfortable with this new network management system, as many of AD's features and terminology are very similar to those of Novell Directory Services (NDS).


Why Active Directory?
While NT 4.0 was a pretty good network operating system, it wasn't entirely equipped for enterprise networking. Network Neighborhood was a great tool until you had a huge network; then browsing problems would begin, and finding a particular printer or server could become a nightmare, especially if you didn't know its name. Furthermore, in order to even accommodate such a network, you would most likely have to partition it into several domains connected with trust relationships. AD solves many of these problems and offers a new level of scalability and organization for enterprise computing. The directory of each domain can store as many as 10 million objects, which is enough to accommodate millions of users per domain.


Directory Architecture:
First let's introduce the concept of "Sites". Sites are used to define the boundaries of high-speed links on a network containing Active Directory servers. Sites are based on IP subnets and are defined as a "well-connected subnet or subnets". Do not confuse this term with the concept of domains, which are discussed next.

One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still the centerpiece of a Windows 2000 network; however, it is set up differently. Domain controllers are no longer separated into PDCs and BDCs. Now there are simply DCs (Domain Controllers). By default, all Win2K servers are installed as standalone or member servers. DCPROMO.EXE is the Active Directory Installation Wizard and is used to promote a non-domain controller to a DC and vice versa. The wizard prompts for all of the required information to install Active Directory under the conditions that you have asked it to run.

Knowledge Consistency Checker (KCC) - This is a service created in order to ensure that the Active Directory service in the Windows 2000 operating system can replicate properly. It runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any point where replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Each domain controller in a domain is capable of accepting requests for changes to the domain database and replicating that information with the other DCs in the domain. The first domain that is created is referred to as the "root domain" and is at the top of the directory tree. All subsequent domains will live beneath the root domain and are referred to as child domains. The child domain names must be unique. As you are viewing the items below, pay attention to how Windows 2000 now supports Internet naming conventions.


When a root domain and at least 1 child domain have been created, a "tree" is formed. Remember and understand this term, as you will hear it often when working with a directory service. Let's look at an example using our site. You can see that the structure begins to take the shape of a tree with branches and sub-branches. Now what if we are a company like Microsoft or DuPont that owns several other corporations? So let's say that our company owns techtutorials.com (actually that is true) and xyzabc.com. Typically, each company would have its own tree, and these would be aggregated together via trusts to create a "forest". You can see that the individual trees are organized just like the root domain (mcmcse).

Trusts Overview:
Trusts are much more easily managed in Windows 2000 than in NT 4.0. There are three main reasons that this is the case.
1. When a new domain is added, trust relationships are automatically configured. In Windows NT 4.0 trusts had to be administered as a series of 1-way trusts and could be quite cumbersome.
2. Trusts are now commutative 2-way trusts. This means that if domain A trusts domain B then the reverse is automatically true. 1-way trusts can still be created when necessary.
3. Trusts within a forest are automatically transitive, which means that if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C and vice versa.
These changes save an administrator some of the time-consuming administration effort spent creating and maintaining trusts that was required in NT 4.0.

Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens inside a domain. To get started, the first concept that you will need to understand is what the directory is made of. A common analogy for a directory is a phonebook. Both contain listings of various objects and information and properties about them. Within the directory are several other terms that you must know to gain even an entry-level understanding of how it all works.

Objects - Objects in the database can include printers, services, users, computers, shares, etc., and are the most basic component of the directory.
Attributes - An attribute describes an object. For example, passwords and names are attributes of user objects. Different objects will have a different set of attributes that define them; however, different objects may also share attributes. For example, a printer and a Windows 2000 Professional workstation may both have an IP address as an attribute.
Schema - A schema defines the list of attributes that describe a given type of object. For example, let's say that all printer objects are defined by name, PDL type and speed attributes. This list of attributes comprises the schema for the object class "printers". The schema is customizable, meaning that the attributes that define an object class can be modified.
Containers - A container is very similar to the folder concept in Windows. A folder contains files and other folders. In Active Directory, a container holds objects and other containers. Containers have attributes just like objects, even though they do not represent a real entity like an object does. The 3 types of containers are Domains, Sites and Organizational Units, and they are explained in more detail below.
Domains - We have already discussed this concept in the preceding paragraphs.
Sites - A site is a location. Specifically, sites are used to distinguish between local and remote locations. For example, company XYZ has its headquarters in San Francisco, a branch office in Denver and an office that uses DUN to connect to the main network from Portland. These are 3 different sites.
Organizational Units - Organizational units are containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. Because organizational units can contain other OUs, a hierarchy of containers can be created to model your organization's structure and hierarchy within a domain. Organizational units should be used to help minimize the number of domains required for a network.

Now that we know what these concepts mean, let's take a visual look at what is going on inside a domain.

The folder symbols represent Organizational Unit (OU) containers, and within each of these we find objects such as printers, users, computers, servers, etc. Instead of objects directly located inside these OUs, there could be more OU containers.

Object Names:
Most of us are used to the 15 character NetBIOS naming conventions of NT 4.0. Things are quite different now, as Windows 2000 uses the Lightweight Directory Access Protocol (LDAP) to supply the naming convention. This is a fairly complicated naming system for those of you without experience with Novell's context concept. The 2 basic concepts that you need to know are distinguished names and common names. Distinguished names are the complete "path" through the hierarchical tree structure to a specific object. This "path" points to the location of an object in the hierarchy. This is similar to specifying the complete path to a file from a DOS prompt. The following are the components that make up a distinguished name:

CN - Common Name. This attribute represents the object itself within the directory service.
OU - Organizational Unit. This attribute is used to divide a namespace based on organizational structure, as previously discussed. An OU is usually associated with an Active Directory container or folder.
DC - Domain Component. A distinguished name that uses DC attributes will have one DC for every domain level below the root. Another way of thinking of this would be that there is a DC attribute for every item separated by a dot in the domain name.

NOTE: Contrary to information that is currently posted online (even on Microsoft's site), AD doesn't support C= and O= objects as Novell does. The information that you may see posted refers to NT 5 development.

Let's take a look in more detail. Here is an example of a distinguished name:

CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM

Now let's say that I was a member of the sales.mcmcse.com domain. My new DN would be:

CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM

And what about my computer called WOPR? It would be:

CN=WOPR,CN=Computers,DC=mcmcse,DC=COM
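The following Python program, added here as an example and not part of the original guide, builds distinguished names the way the examples above are laid out (one DC component per dot-separated label of the domain name, containers written leaf-first) and parses them back. It also shows why the naming matters for security: an object name containing an unescaped comma would be read as extra RDNs, so values are escaped per RFC 4514 before being joined. The DNs and names are the guide's own; the escaping and parsing functions are assumptions of this example, not a Windows API.

```python
"""Build and parse LDAP distinguished names (DNs) as Active Directory lays
them out: CN=<object>,<containers leaf-first>,DC=<label>,... with one DC
component per dot-separated label of the DNS domain name.

Added example for this study guide, not code from the original page.
Escaping follows RFC 4514. Multi-valued RDNs ('+') are not handled.
"""
from typing import List, Sequence, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot be read as extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' would mean a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space must be escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(dns_name: str) -> str:
    """sales.mcmcse.com -> DC=sales,DC=mcmcse,DC=com (one DC per label)."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def build_dn(cn: str, dns_domain: str,
             parents: Sequence[Tuple[str, str]] = ()) -> str:
    """DN for object `cn`; `parents` lists its containers root-first, e.g.
    [("OU", "Sales"), ("OU", "West")] or [("CN", "Users")]."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    for attr, val in reversed(parents):         # a DN is written leaf-first
        rdns.append(f"{attr}={escape_rdn_value(val)}")
    rdns.append(domain_to_dc(dns_domain))
    return ",".join(rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf-first, honouring escapes."""
    hexdigits = "0123456789abcdefABCDEF"
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #=":
                cur.append(nxt)                 # escaped special character
                i += 2
                continue
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                cur.append(chr(int(pair, 16)))  # \XX hex escape (single byte)
                i += 3
                continue
        if ch == ",":                           # unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().upper(), val))
    return out


def dn_to_domain(dn: str) -> str:
    """Recover the DNS domain name from the DC components of a DN."""
    return ".".join(v.lower() for a, v in parse_dn(dn) if a == "DC")


if __name__ == "__main__":
    print(build_dn("Jason Sprague", "sales.mcmcse.com", [("CN", "Users")]))
    print(parse_dn(build_dn("Jason,OU=Admins", "mcmcse.com", [("CN", "Users")])))
```

The last call in the usage block is the point of the example: a user named "Jason,OU=Admins" is escaped to CN=Jason\,OU=Admins,... and parses back as one four-component DN, whereas naive string concatenation would produce a five-component DN that appears to live under an Admins OU.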

Windows 2000 also supports several other naming conventions in addition to distinguished names, as listed in the table below.

Naming Convention                  Example
Friendly name / RFC 822            jsprague@mcmcse.com
LDAP URL                           LDAP://mcmcse.com/CN=jsprague,OU=sales,O=MCMCSE,C=US
Universal Naming Convention (UNC)  \\mcmcse.com\documents\webpages\index.shtml

(The LDAP URL example above uses O= and C= components; in a Windows 2000 domain the path would use DC= components as described under Object Names.)

Global Catalog:
So now that we have seen how complicated the naming conventions can be, let's look at the tool that makes it all manageable. Windows 2000 includes a service called the Global Catalog (GC) that is used to locate any objects on a network to which a particular user has been granted access. The searches that can be performed are far more advanced than those included in NT 4.0: the GC is not only capable of locating objects by name, but by attributes as well. What other previously existing application has features similar to this? The answer is Microsoft Exchange. Exchange also has a global catalog that allows you to find users by name. The GC is a scaled-up version of this feature in Exchange in that it allows you to find objects based on a variety of customizable attributes.

Let's say that I get a voice mail from someone named Betty Doe in the payroll department. Her voicemail is garbled and I can't understand her phone number. I can use the GC to search for her by name and then access her phone number (assuming that our network administrator has populated the phone number attribute on her user object). Still a little confused? Let's take a look at another example. If I have a 50 page document and I need 1000 copies made, I probably won't want to send it to an HP 5si. I need to find a production printer that can print at least 100 ppm and has the capability of binding the document. The Global Catalog allows me to search the network for a printer that has these attributes. I find a Xerox DocuTech 6135. I can add the driver and send the print job. But what if I am in Portland and the printer is in Seattle? The GC will provide this information, and I can email the owner of the printer and ask them to ship the job to me via our internal mail system.

REPLICATION:
Windows 2000 networks will rely heavily on AD, and thus it will be very important that the service is running, fast and accessible at all times. In order to accomplish this, the AD database must exist on multiple servers so that if one server fails, a client can contact a server with duplicate services and information. This not only creates redundancy, but reduces the load on individual servers. One of the most complex parts of making redundant servers work properly is replicating the information and ensuring that all servers have the most up-to-date content.

Active Directory uses multimaster replication, which is another way of stating that updates can occur on any Active Directory server. This also means that there is not a master domain controller and all DCs work together in a peer relationship. All that needs to be done for a domain controller to become a replication partner is to add it to the AD domain. When a new object is created in AD, it is assigned a unique number called a GUID (globally unique identifier). The GUID is a 128-bit identifier. The GUID is useful because it stays the same for any given object even if the object is moved, which means that applications that reference objects in Active Directory can record the GUIDs for objects and use the GC to find them even if they have been moved. Every time an update is made, it is assigned an update sequence number (USN) from a counter that is incremented whenever a change is made. Each server keeps track of which updates it has received from which servers, and after a failure can request only the updates it is missing.

Flexible Single Master Operation:
To prevent update conflicts in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master network model, only one domain controller in an Active Directory handles updates. Windows 2000 Active Directory extends the single-master model to include multiple roles and the ability to transfer roles to any DC. Since an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation role.
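The replication behaviour described above (every DC accepts writes, each write gets a USN, partners pull only what they have not seen) and the single-master rule that the FSMO roles add can be shown in a small simulation. This Python model is an added example, not code from the guide or from Windows; it keeps a per-partner high-watermark and a per-originating-DC up-to-dateness vector, which is the mechanism AD uses to avoid re-applying a change that already arrived via another partner. The DC names, DNs and attributes are constructed sample data, and the model omits conflict resolution (real AD also compares version numbers and timestamps).

```python
"""Toy model of Active Directory multimaster replication with update
sequence numbers (USNs), plus the single-master gate of one FSMO role.

Added example for this study guide, not code from the original page or
from Windows. Assumptions: one naming context, attribute-level changes
only, no conflict resolution, and only the schema master role modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Change:
    originating_dc: str    # DC where the write was first made
    originating_usn: int   # that DC's USN at the time of the write
    dn: str
    attribute: str
    value: str


class DomainController:
    def __init__(self, name: str, schema_master: bool = False) -> None:
        self.name = name
        self.schema_master = schema_master
        self.usn = 0                               # +1 per write, local or replicated
        self.log: List[Tuple[int, Change]] = []    # (local USN, change) in USN order
        self.directory: Dict[str, Dict[str, str]] = {}
        self.high_watermark: Dict[str, int] = {}   # partner -> last partner USN pulled
        self.utd_vector: Dict[str, int] = {}       # originating DC -> highest originating USN seen

    def write(self, dn: str, attribute: str, value: str) -> int:
        """Originating write. Any DC accepts ordinary writes (multimaster);
        schema changes are accepted only on the schema master (single master)."""
        if dn.upper().startswith("CN=SCHEMA,") and not self.schema_master:
            raise PermissionError(f"{self.name} is not the schema master")
        self._apply(Change(self.name, self.usn + 1, dn, attribute, value))
        return self.usn

    def _apply(self, change: Change) -> None:
        self.usn += 1
        self.log.append((self.usn, change))
        self.directory.setdefault(change.dn, {})[change.attribute] = change.value
        prev = self.utd_vector.get(change.originating_dc, 0)
        self.utd_vector[change.originating_dc] = max(prev, change.originating_usn)

    def changes_since(self, usn: int) -> List[Tuple[int, Change]]:
        """What a partner asks us for: only entries above its watermark for us."""
        return [(u, c) for u, c in self.log if u > usn]

    def replicate_from(self, partner: "DomainController") -> int:
        """Pull new changes from one partner; return the number applied."""
        watermark = self.high_watermark.get(partner.name, 0)
        applied = 0
        for local_usn, change in partner.changes_since(watermark):
            # Up-to-dateness vector: skip what already arrived via another path.
            if change.originating_usn > self.utd_vector.get(change.originating_dc, 0):
                self._apply(change)
                applied += 1
            watermark = local_usn
        self.high_watermark[partner.name] = watermark
        return applied


def demo() -> Dict[str, int]:
    """Three DCs; DC1 holds the schema master role. Constructed sample data."""
    dc1 = DomainController("DC1", schema_master=True)
    dc2 = DomainController("DC2")
    dc3 = DomainController("DC3")
    dc1.write("CN=Jason Sprague,CN=Users,DC=mcmcse,DC=com", "telephoneNumber", "555-0100")
    dc2.write("CN=WOPR,CN=Computers,DC=mcmcse,DC=com", "operatingSystem", "Windows 2000 Professional")
    results = {
        "dc2_from_dc1": dc2.replicate_from(dc1),        # the phone number
        "dc3_from_dc2": dc3.replicate_from(dc2),        # WOPR plus the phone number relayed by DC2
        "dc3_from_dc1": dc3.replicate_from(dc1),        # nothing: already known via DC2
        "dc2_from_dc1_again": dc2.replicate_from(dc1),  # nothing above the watermark
    }
    try:
        dc2.write("CN=Schema,CN=Configuration,DC=mcmcse,DC=com", "schemaUpdateNow", "1")
        results["schema_write_on_dc2"] = 1
    except PermissionError:
        results["schema_write_on_dc2"] = 0
    results["dc3_usn"] = dc3.usn
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible that the prose does not: a change relayed through DC2 is not applied a second time when DC3 later talks to DC1 directly (the up-to-dateness vector, not the watermark, catches that), and a DC that does not hold the schema master role refuses a schema write locally rather than replicating a conflicting schema.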

There are five FSMO roles, as follows:

Schema Master - Remember from earlier that the schema is a list of attributes that define a given object type. The schema master FSMO role is the DC responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
Domain Naming Master - Controls the addition of domains in a forest. This DC is the only one that can add or remove a domain from the directory.
RID Master - The RID Master (Relative Identifier Master) works with domain controllers to assign unique SIDs to each object that requires one. Every security principal's SID is made up of the domain SID, which is common to all objects in a domain, followed by a RID that is unique within the domain. The RID Master is also responsible for removing an object from its domain and putting it in another domain when an object is moved.
PDC Emulator - The PDC Emulator acts like a PDC from a Windows NT 4.0 network and is necessary in domains that are not pure Windows 2000 (i.e. have Windows 95/98/NT down-level clients). If the domain is running in Native Mode, then this server is the "preferred" replication partner for the other DCs for password changes and also handles account lockouts and authentication failures.
Infrastructure Master - Updates references to objects in other domains (such as group memberships that include users from another domain) when those objects are renamed or moved.

Security:
There are now three types of groups in Windows 2000: Domain Local (similar to a local group), Global, and Universal groups. The rules remain the same for Local and Global groups, except that you can now nest groups in Native mode. Accounts go into Global Groups, which then go into local groups that are assigned permissions to use a resource. Universal groups can have members from any domain and can be used to assign access to any resource in any domain. Each group can have one of two functions in Native mode: distribution or security. Security groups are the ones we are familiar with in NT4, while distribution groups will be used primarily with Exchange 2000 or any other Active Directory mail application.

Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and is designed to enable administrators to control the environment with minimal effort. Group Policy is administered through the Group Policy Microsoft Management Console (MMC) snap-in. Group policies are not applied to "groups", but we can apply them to OUs. There are five major categories that group policies can be configured for:

Folder redirection - Store users' folders (My Documents, My Pictures) on the network.
Software Installation - Completely new. Enables an administrator to have software installed automatically at the client machine, or removed automatically.
Administrative Templates - NT4 administrators will recognize this section as system policies, in a much more convenient and flexible configuration. Included are desktop, application, and system settings.
Security - Similar to account policies under User Manager in NT4; includes settings for the local computer, the domain, and network security.
Scripts - Similar to logon scripts in NT4, but we can now specify a startup and a shutdown script for the computer as well as a logon and a logoff script for the user.
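The RID Master role listed above is easiest to understand by modelling it. The following Python program is an added example, not code from the guide or from Windows: one RID master hands out non-overlapping blocks of relative identifiers, each DC stamps the objects it creates with the domain SID plus a RID from its own block, and a check at the end shows that principals created on different DCs never collide, and what would happen if a DC reused a block it had already been issued. The domain SID is a constructed sample value and the pool size is a parameter (Windows 2000 issues blocks of 500 by default); a real DC requests its next block before the current one runs out, which this model simplifies.

```python
"""Toy model of the RID Master FSMO role: one DC hands out blocks (pools) of
relative identifiers; every DC builds SIDs as <domain SID>-<RID> from its own
block, so principals created on different DCs can never collide.

Added example for this study guide, not code from the original page or from
Windows. The domain SID below is a constructed sample value.
"""
from typing import Dict, List, Tuple

# RIDs below 1000 are well-known (500 Administrator, 501 Guest, 512 Domain Admins, ...).
FIRST_ALLOCATABLE_RID = 1000


class RidMaster:
    def __init__(self, domain_sid: str, pool_size: int = 500) -> None:
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_rid = FIRST_ALLOCATABLE_RID
        self.issued: Dict[str, List[Tuple[int, int]]] = {}   # dc -> [(first, last), ...]

    def allocate_pool(self, dc_name: str) -> Tuple[int, int]:
        """Hand `dc_name` the next unused block. Only one DC may do this,
        which is why the role is single-master: two masters could hand out
        overlapping blocks."""
        first = self.next_rid
        last = first + self.pool_size - 1
        self.next_rid = last + 1
        self.issued.setdefault(dc_name, []).append((first, last))
        return first, last


class DomainController:
    def __init__(self, name: str, rid_master: RidMaster) -> None:
        self.name = name
        self.rid_master = rid_master
        self.pool: Tuple[int, int] = (0, -1)     # empty until the first request
        self.next_rid = 0
        self.created: Dict[str, str] = {}        # SID -> sAMAccountName

    def create_principal(self, sam_account_name: str) -> str:
        """Create a user/computer/group locally (multimaster) and stamp it
        with a SID drawn from this DC's own RID block."""
        if self.next_rid > self.pool[1]:         # block exhausted: ask the RID master
            self.pool = self.rid_master.allocate_pool(self.name)
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        sid = f"{self.rid_master.domain_sid}-{rid}"
        self.created[sid] = sam_account_name
        return sid


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-1103' -> ('S-1-5-21-a-b-c', 1103): domain SID and RID."""
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def check_unique(dcs: List[DomainController]) -> List[str]:
    """SIDs stamped on more than one object across all DCs (should be empty)."""
    seen: Dict[str, int] = {}
    for dc in dcs:
        for sid in dc.created:
            seen[sid] = seen.get(sid, 0) + 1
    return sorted(s for s, n in seen.items() if n > 1)


def demo(pool_size: int = 3) -> Dict[str, object]:
    master = RidMaster("S-1-5-21-1004336348-1177238915-682003330", pool_size)  # constructed
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    sids = [dc1.create_principal(f"user{i}") for i in range(4)]   # uses up one block, starts a second
    sids.append(dc2.create_principal("WOPR$"))                     # DC2 gets its own block
    # Failure mode: a DC that reuses a block it was already issued (for example
    # one restored from an old backup with its stale pool) re-issues old RIDs.
    restored = DomainController("DC1-restored", master)
    restored.pool = master.issued["DC1"][0]
    restored.next_rid = restored.pool[0]
    restored.create_principal("intruder")
    return {
        "sids": sids,
        "rids": [split_sid(s)[1] for s in sids],
        "issued": master.issued,
        "collisions_normal": check_unique([dc1, dc2]),
        "collisions_restored": check_unique([dc1, dc2, restored]),
    }


if __name__ == "__main__":
    print(demo())
```

With a block size of 3, DC1 is issued 1000-1002 and then 1003-1005, DC2 is issued 1006-1008, and the five SIDs are all distinct; only the "restored" DC that replays its first block produces a duplicate SID, which is the condition the single RID master exists to prevent.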

An administrator can create several Group Policy Objects (GPOs) in a given Group Policy Container (GPC) and assign the appropriate GPO to the computers or users that need the settings contained in that GPO. If you want to exclude certain users or computers from processing the GPO assigned to the site, domain or OU that they belong to, you can simply remove the users' or groups' "Apply Group Policy" permission. This effectively creates a filter. You can also delegate control over GPOs so that a manager can change what a GPO does for his or her department, but can't create any new GPOs or change the scope of a GPO. It is also possible to disable group policy objects without deleting them. If you do this (from Group Policy - Options) it will only disable the GPO for that container and any sub-containers that inherit the settings. If another administrator "linked" to that GPO from another container, then the GPO is still active in that container.

Software Installation and Maintenance combines Group Policy and Active Directory technologies to enable an administrator to install, manage and remove software across the network. Software can be efficiently deployed, updated and removed using Group Policy and two technologies built into Windows 2000: Windows Installer and Software Installation and Maintenance. Windows Installer will replace Setup.exe for many applications. Its advantages include the ability to build custom installations, enable programs to "repair" themselves if a critical file is missing or corrupt, and to remove themselves very cleanly when necessary. This is only available for Windows 2000 clients.

When you deploy software, you can choose to assign it or publish it. Assigned software can be targeted at users or computers. If you assign an application to a USER, the icons show up on the desktop and/or Start menu, but the program is only installed when the user runs it for the first time. If it is assigned to a COMPUTER, it's installed the next time the system is restarted. If you publish an application, the user can install it through Add/Remove Programs or by opening a file that requires that particular program (a file association). Published programs cannot self-repair, cannot be published to computers and are not advertised on the users' desktop or Start menu, only through Add/Remove Programs. Assigned applications require a Windows Installer file (.msi), while published applications can use Windows Installer files or ZAP files. A .ZAP file is an administrator-created text file that specifies the parameters of the program to be installed and the file extensions associated with it. Installations that utilize .ZAP files cannot self-repair or install with higher privileges and will typically require user intervention to completely install. You can deploy upgrades using GPOs simply by specifying which program is to be upgraded and whether or not it is a mandatory upgrade. You can apply service packs or patches by "re-deploying" an existing Group Policy with the new information regarding the service pack.

Active Directory Utilities:
Utility - Purpose
SIDwalker - Security Administration Tools. Consists of 3 programs: showaccs.exe, sidwalk.exe and Security Migration Editor (MMC snap-in). The first two are used to examine and change ACL entries. Security Migration Editor edits mappings between old and new security IDs (SIDs).

acldiag.exe - ACL Diagnostics. Used to determine whether users have been granted/denied access to AD objects. Can be used to reset Access Control Lists to their default values.
ADSI Edit - Low-level editor for Active Directory which enables adding, moving, and deleting objects within Active Directory.
dfsutil.exe - Distributed File System Utility. Manages all aspects of the distributed file system.
dnscmd.exe - DNS Server Troubleshooting Tool. Checks dynamic registration of DNS resource records, including secure DNS update, and unregisters resource records.
dsacls.exe - View or modify ACLs of objects in AD.
dsastat.exe - Active Directory Diagnostic Tool. Compares naming contexts on Domain Controllers and detects differences.
ldp.exe - Allows LDAP operations to be performed against Active Directory.
movetree.exe - AD Object Manager. Moves AD objects like OUs and users between domains in a single forest.
netdom.exe - Windows 2000 Domain Manager. Used to manage Windows 2000 domains and trust relationships.
nltest.exe - Creates a list of PDCs, forces a shutdown, and provides info about trusts and replication.
repadmin.exe - Replication Diagnostics Tool. Checks replication consistency between partners, monitors status, and forces replication and knowledge consistency checker recalculation.
replmon.exe - Active Directory Replication Monitor. Graphically displays replication topology, monitors status, and forces replication events and knowledge consistency checker recalculation.
sdcheck.exe - Security Descriptor Check Utility. Verifies ACL propagation and replication for specified objects in a directory.

Clients:
As a postscript, we thought that we should include information about older Windows clients such as Windows NT 4.0 and Windows 9x. Microsoft is providing an add-on for Windows 95, Windows 98, and Windows NT 4.0 that allows those clients to take advantage of many of the features provided by the Windows 2000 AD.