
Introduction to Active Directory (70-294)
Revision no.: PPT/2K403/02

Lesson 1: Active Directory Overview

• Understanding Directory Services

• Why Have a Directory Service?

• The Windows Server 2003 Directory Service

• Active Directory Objects

• Active Directory Schema

• Active Directory Components

• Global Catalog Server

© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute

Understanding Directory Services

• A directory is a stored collection of information about objects that are related to one another in some way
• A directory service stores all the information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources
• A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to users
• It is the central authority that manages identities and the relationships between distributed resources, enabling them to work together


Why Have a Directory Service?

• A directory service provides the means to organize and simplify access to the resources of a networked computer system
• Users and administrators might not know the exact name of the objects they need, but they usually know one or more characteristics of those objects
• A directory service makes it possible to find an object based on one or more of its characteristics
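The lookup-by-characteristics idea above is what an LDAP search filter expresses. The following is an added example, not part of the course material: a small RFC 4515 filter parser and evaluator run over an in-memory directory constructed from the slide's sample objects (two file servers and a printer). The attribute names used for those objects (serverRole, printerModel, duplex, location) are assumptions for the example, not Active Directory's real schema names. Python is used because the page has no code of its own and the example must run offline.

```python
"""Evaluate LDAP-style search filters against an in-memory directory.

Added example, not part of the original course material. The three objects
below are constructed from the slide's sample (two file servers, one printer);
the attribute names used for them are assumptions, not Active Directory's
actual schema names.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample directory. Values are lists because LDAP attributes are multi-valued.
DIRECTORY = [
    {"dn": "CN=Server 1,OU=Servers,DC=example,DC=com", "objectClass": ["server"],
     "cn": ["Server 1"], "operatingSystem": ["Windows 2000"],
     "serverRole": ["File Server"], "location": ["1st Floor"]},
    {"dn": "CN=Server 2,OU=Servers,DC=example,DC=com", "objectClass": ["server"],
     "cn": ["Server 2"], "operatingSystem": ["Novell NetWare 4.0"],
     "serverRole": ["File Server"], "location": ["2nd Floor"]},
    {"dn": "CN=Printer 1,OU=Printers,DC=example,DC=com", "objectClass": ["printQueue"],
     "cn": ["Printer 1"], "printerModel": ["HP-4Si"], "color": ["FALSE"],
     "duplex": ["TRUE"], "location": ["3rd Floor"]},
]

ITEM_RE = re.compile(r"([A-Za-z][\w\-]*)(<=|>=|=)(.*)", re.DOTALL)

def parse_filter(text):
    """Parse an RFC 4515 filter such as (&(objectClass=printQueue)(duplex=TRUE)).

    Supports &, |, ! and the =, >=, <= items with * wildcards. Values that
    themselves contain ')' would need the \\29 escape, which is not handled here.
    """
    text = text.strip()
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! expression")
        return ("!", child), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    m = ITEM_RE.fullmatch(s[i:end])
    if not m:
        raise ValueError("malformed filter item %r" % s[i:end])
    return ("item", m.group(1), m.group(2), m.group(3)), end + 1

def matches(node, obj):
    """Evaluate a parsed filter against one object (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, obj) for c in node[1])
    if kind == "|":
        return any(matches(c, obj) for c in node[1])
    if kind == "!":
        return not matches(node[1], obj)
    _, attr, op, value = node
    values = next((v for k, v in obj.items() if k.lower() == attr.lower()), None)
    if values is None:                     # an absent attribute never matches
        return False
    if isinstance(values, str):            # single-valued entries such as dn
        values = [values]
    if op == "=":
        if value == "*":                   # presence test, e.g. (location=*)
            return True
        return any(fnmatchcase(v.lower(), value.lower()) for v in values)
    # >= and <= as case-insensitive string ordering (no schema matching rules here)
    return any((v.lower() >= value.lower()) if op == ">=" else (v.lower() <= value.lower())
               for v in values)

def search(filter_text, directory=DIRECTORY):
    """Return the DNs of the objects that match, in directory order."""
    tree = parse_filter(filter_text)
    return [o["dn"] for o in directory if matches(tree, o)]
```

A query such as `(&(serverRole=File Server)(!(operatingSystem=Windows*)))` finds the NetWare server without anyone knowing its name, which is the point of the slide. The parser rejects malformed input rather than guessing, the habit that matters most when filter text is built from user-supplied strings.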


Contd…

[Figure: a user queries the directory server, which holds entries for Server 1 (OS: Windows 2000; Type: File Server; Location: 1st Floor), Server 2 (OS: Novell NetWare 4.0; Type: File Server; Location: 2nd Floor) and Printer 1 (Type: HP-4Si; Color: No; Duplex: Yes; Location: 3rd Floor)]


The Windows Server 2003 Directory Service

• Centralized Data Store
• Scalability
• Extensibility
• Manageability
• Integration with DNS
• Client Configuration Management
• Policy-Based Administration
• Replication of Information
• Flexible, secure authentication and authorization
• Security Integration
• Directory-enabled applications and infrastructure
• Interoperability with other directory services
• Signed and encrypted LDAP traffic (supported, but not required of clients by default; a domain controller only rejects unsigned binds when the signing requirement is enforced by policy)


Active Directory Objects

[Figure: Active Directory objects and their attributes. Printers (Printer1, Printer2, Printer3) carry attributes such as Printer Name and Printer Location; Users carry First Name, Last Name and Logon Name, with attribute values such as Jane Doe and John Doe]

• Objects Represent Network Resources


• Attributes Store Information About an Object


Active Directory Schema

The Active Directory Schema is:
• Dynamically Available
• Dynamically Updateable
• Protected by DACLs (only members of Schema Admins can modify it, changes are made on the single schema master and replicate forest-wide, and a class or attribute can be deactivated but never deleted, so a schema change should be treated as irreversible)

[Figure: schema object classes and examples of the attributes each class might contain. Class examples: Users, Computers, Printers. Attribute examples for a user or computer object: accountExpires, department, distinguishedName, directReports, middleName, dNSHostName, operatingSystem, repsFrom, repsTo, …]


Active Directory Components

• Logical Structures

• Physical Structures


Logical Structures

• Domains

• OUs

• Trees

• Forests


Domains

• A Domain Is an Administrative Boundary
  – A domain administrator can administer only within the domain unless explicitly granted administration rights in other domains
  – The domain is not a security boundary: all domains in a forest share the schema and configuration partitions and trust each other transitively, so an administrator of any domain, or anyone who controls one of its domain controllers, can affect every other domain. The forest is the security boundary
• A Domain Is a Unit of Replication
  – Domain controllers in a domain participate in replication and each hold a complete copy of the directory information for their domain

[Figure: a Windows Server 2003 domain with two domain controllers replicating user objects (User1, User2) between them]

Organizational Units

• Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
• Delegate administrative control over the objects within an OU by assigning specific permissions on the OU to users and groups
  – An OU is a container for delegation and Group Policy scope, not a security principal: permissions are granted on it, never to it

[Figure: OU hierarchy under microsoft.com: Admin, US, Computers, Users and Printers OUs, with an Orders OU containing ORDERS and DISP]


Trees

• A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain
• Domains in a tree share a contiguous namespace and a hierarchical naming structure

[Figure: tree rooted at microsoft.com with child domains uk.microsoft.com and us.microsoft.com, and the grandchild domain sls.uk.microsoft.com]


Forests

• A forest is a grouping of one or more domain trees with separate, non-contiguous namespaces. The trees are independent in naming and day-to-day administration, but they share a common schema, configuration and global catalog, and every domain in the forest trusts every other

[Figure: forest of two trees, microsoft.com (uk.microsoft.com, us.microsoft.com, sls.uk.microsoft.com) and msn.com (uk.msn.com, us.msn.com, sls.uk.msn.com)]


Characteristics of a Forest

• All domains in a forest share a common schema
• All domains in a forest share a common global catalog
• All domains in a forest are linked by implicit two-way transitive trusts
• Trees in a forest have different naming structures, according to their domains
• Domains in a forest operate independently, but the forest enables communication across the entire organization
• Because of the shared schema and configuration and the transitive trusts, the forest is the security boundary: organizations that must be isolated from each other's administrators need separate forests, not separate domains


Physical Structures

• Sites

• Domain Controllers


Sites

[Figure: four sites, Seattle, New York, Chicago and Los Angeles, each made up of one or more IP subnets]

• A site is one or more well-connected IP subnets, associated with the site through subnet objects
  – Optimize replication traffic
  – Enable users to log on to a domain controller by using a reliable, high-speed connection: the domain controller locator matches the client's IP address to a subnet object to find the client's site. A client on a subnet that is mapped to no site belongs to no site and may be served by a domain controller anywhere in the forest
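The subnet-to-site lookup described above, as an added example that is not part of the course material: a longest-prefix match of a client address against a constructed subnet table (the four site names are the slide's, the prefixes are invented), plus an audit helper that lists clients mapped to no site at all. Such clients are the ones a domain controller records in netlogon.log with NO_CLIENT_SITE, and they are worth finding because they authenticate wherever DNS happens to send them.

```python
"""Map a client IP address to its Active Directory site by longest-prefix match.

Added example, not part of the course material. The subnet-to-site table is
constructed to match the slide's four sites; the lookup rule itself (most
specific subnet wins, unmapped clients belong to no site) is how the domain
controller locator assigns a client to a site.
"""
import ipaddress

# Constructed table, as an administrator would define it in Active Directory Sites and Services.
SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.2.0.0/16": "New-York",
    "10.2.200.0/24": "Chicago",       # more specific than the New-York /16, so it wins
    "10.3.0.0/16": "Los-Angeles",
    "2001:db8:1::/48": "Seattle",
}

def build_table(subnets=SUBNETS):
    """Validate every prefix once (strict=True rejects host bits) and order most-specific first."""
    table = [(ipaddress.ip_network(prefix, strict=True), site) for prefix, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def site_for(ip, table=None):
    """Return the site of ip, or None if no subnet object covers it."""
    table = table if table is not None else build_table()
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None

def unmapped(ips, table=None):
    """Audit helper: the addresses that belong to no site. Such clients are served by a
    domain controller from an arbitrary site, often across a slow link."""
    table = table if table is not None else build_table()
    return [ip for ip in ips if site_for(ip, table) is None]
```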


Domain Controllers

• Each domain controller stores a complete copy of all Active Directory information for its domain, manages changes to that information, and replicates those changes to the other domain controllers in the same domain
• Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other
• A few security-critical updates are replicated urgently instead of waiting for the next replication cycle: an account lockout is an example, and password changes are pushed immediately to the PDC emulator. An ordinary change such as disabling an account follows the normal schedule, so a disabled account may still be accepted by a distant domain controller until replication completes
• Each domain controller in a domain has a writeable copy of the directory database (multimaster replication), so whoever controls any one domain controller controls the domain


Global Catalog Server

• Finding objects outside the domain and across the enterprise requires a mechanism that allows the domains to act as one entity
• The global catalog is the central repository of information about objects in a tree or forest
• Any domain controller in a forest can be made a global catalog server; it answers global catalog queries on TCP port 3268 (LDAP) and 3269 (LDAP over SSL) in addition to the domain ports 389 and 636
• The global catalog enables a user to log on to the network by providing universal group membership information to a domain controller when the logon process is initiated
• The global catalog enables finding directory information regardless of which domain in the forest actually contains the data


Global Catalog Query Process

[Figure: a query for an object in Domain B, issued in Domain A, shown as steps 1 to 4: the client's domain controller (DC1 to DC3 in each domain, replicating multimaster) refers the request to a global catalog server (GC), which answers from its partial replica of the whole forest]


Lesson 2: Understanding Active Directory Concepts and Administration Tasks

• Replication

• Trust Relationships

• Change and Configuration Management

• Group Policies

• DNS

• Object Naming

• Active Directory Administrative Tasks


Replication

• What Information Is Replicated

• How Information Is Replicated


What Information Is Replicated

The Active Directory database is divided into partitions (naming contexts), each with its own replication scope:

• Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
• Configuration (forest-wide): information about the Active Directory structure
• Domain (<Domain>): information about domain-specific objects
• Application (<Application>, configurable replication scope): information about applications

Contd…

• A domain controller stores and replicates:


– The schema partition data for a forest.
– The configuration partition data for all domains in a forest.
– The domain partition data (all directory objects and properties) for its
domain.

• A global catalog stores and replicates:


– The schema partition data for a forest
– The configuration partition data for all domains in a forest
– A partial replica containing commonly used attributes for all directory
objects in the forest (replicated between global catalog servers only)
– A full replica containing all attributes for all directory objects in the
domain in which the global catalog is located


How Information Is Replicated

• Intra-site Replication
• Inter-site Replication


Intra-Site Replication

• Within a site, a Windows Server 2003 service known as the knowledge consistency checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure
• The KCC is a built-in process that runs on all domain controllers
• The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates


Contd…

• The KCC determines which servers are best suited to replicate with each other, and designates certain domain controllers as replication partners on the basis of connectivity, history of successful replication, and the matching of full and partial replicas
• Domain controllers can have more than one replication partner
• The KCC then builds connection objects that represent replication connections between the replication partners
• The ring structure ensures that there are at least two replication paths from one domain controller to another; if one domain controller is down temporarily, replication still continues to all other domain controllers


Automatic Generation of Replication Topology

[Figure: eight domain controllers A1 to A8 in one site, each running the KCC, connected in a bidirectional replication ring]
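The ring and its fault tolerance, as an added example that is not part of the course material. The domain controller names A1 to A8 are taken from the figure; the code builds the ring of connection objects, verifies the two-paths claim by taking each domain controller down in turn, and then adds shortcut connections until no pair is more than three hops apart, which approximates the optimisation the real KCC performs on top of the ring (an assumption of this model: the real KCC also weighs replication history and full/partial replica matching, which are not represented here).

```python
"""Model the KCC's intra-site ring topology and check its fault tolerance.

Added example, not part of the course material. The domain controller names
are constructed. The ring is the structure the slides describe; the extra
"no more than three hops" connections approximate the KCC's optimisation
(an assumption of this model; the real KCC also considers replication history
and the matching of full and partial replicas, which are not modelled).
"""
from collections import deque

def build_ring(dcs):
    """Bidirectional ring of connection objects over dcs, in the given order."""
    n = len(dcs)
    if n < 2:
        return set()
    return {frozenset((dcs[i], dcs[(i + 1) % n])) for i in range(n)}

def hops(connections, src, dst, down=()):
    """Shortest replication path from src to dst, skipping DCs listed in down; None if unreachable."""
    if src == dst:
        return 0
    adj = {}
    for conn in connections:
        a, b = tuple(conn)
        if a in down or b in down:
            continue                                  # a down DC forwards nothing
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def add_shortcuts(dcs, connections, max_hops=3):
    """Greedily add connections until every pair of DCs is within max_hops."""
    conns = set(connections)
    changed = True
    while changed:
        changed = False
        for i, a in enumerate(dcs):
            for b in dcs[i + 1:]:
                h = hops(conns, a, b)
                if h is None or h > max_hops:
                    conns.add(frozenset((a, b)))
                    changed = True
    return conns

def survives_single_failure(dcs, connections):
    """True if, with any one DC down, every remaining DC still reaches every other."""
    for down in dcs:
        alive = [d for d in dcs if d != down]
        for a in alive:
            for b in alive:
                if hops(connections, a, b, down=(down,)) is None:
                    return False
    return True

def convergence_hops(dcs, connections):
    """Worst-case number of replication hops between any two DCs (how far an update travels)."""
    return max(hops(connections, a, b) for a in dcs for b in dcs)
```

A ring alone tolerates one failure but lets an update take up to n/2 hops to reach the far side; the shortcuts bring that down to three, which is why a site of many domain controllers converges in a bounded number of replication intervals. Removing a single ring edge (a manually deleted connection object, say) turns the ring into a chain and silently loses the fault tolerance, which `survives_single_failure` catches.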


Inter-Site Replication

• To ensure replication between sites, you must connect them manually by creating site links
• Site links represent network connections and allow replication to occur
• In each site, one domain controller, the intersite topology generator (ISTG), runs the KCC logic that generates all connections between sites
• Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance


Inter-Site Topology

• The intersite topology generator defines the replication between sites on a network

[Figure: two sites, each spanning several IP subnets, with domain controllers A1 and A2 in the first site and B1 and B2 in the second; replication within a site flows between all domain controllers, while replication between the sites flows only through one bridgehead server in each site]

Trust Relationships

[Figure: trust types. Within Forest 1 (root Domain D; Domains E, A, B; Domains F and C below them) the domains are joined by tree/root trusts and parent/child trusts, with a shortcut trust drawn directly between two non-adjacent domains. A forest trust joins the root of Forest 1 to the root of Forest 2 (Domains P and Q). An external trust joins a single domain to a domain outside the forest, and a realm trust joins a domain to a Kerberos realm]

A trust is an authentication path, not a grant of access: principals from a trusted domain can be authenticated by the trusting domain, but they still receive only the permissions explicitly granted to them on its resources. A shortcut trust changes nothing about who is trusted; it only shortens the referral path that already exists through the forest's transitive trusts.


Change and Configuration Management

• Change and configuration management is a set of Windows Server 2003 features that simplify computer management tasks such as
  – Managing the configuration of each user's desktop
  – Managing how software is deployed and installed on personal computers
  – Installing an initial operating system on a new computer
  – Replacing computers


Change and Configuration Management Features

• The IntelliMirror management technologies can be described as follows:
  – User Data Management
  – Software Installation and Maintenance
  – User Settings Management
  – Remote Installation Services
• IntelliMirror is a set of features, introduced in Windows 2000 and carried into Windows Server 2003, that assist with managing user and computer information, settings, and applications
• IntelliMirror uses Active Directory and Group Policy to manage users' desktops based on users' business roles, group memberships, and locations


Group Policies

• Group policies are collections of user and computer configuration settings, stored on the local computer or linked to sites, domains, and OUs, that specify the behavior of users' desktops
• How GPOs Are Applied (in this order; where settings conflict, the GPO applied later wins)
  – Local GPO
  – GPOs linked to sites
  – GPOs linked to domains
  – GPOs linked to OUs, from the top-level OU down to the OU that contains the user or computer
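The processing order above, as an added example that is not part of the course material. It resolves the effective settings for a constructed workstation (WS01 in Sales\Desktops at the Seattle site; every GPO name and setting is invented) by applying Local, Site, Domain and OU GPOs in sequence, recording which GPO supplied each winning value. Only the order on the slide is modelled; Enforced links, Block Inheritance and WMI filters are left out because the slide does not cover them. The example deliberately includes a USB "exception" GPO linked above a hardening GPO on the same OU to show how a later-applied link silently undoes a control.

```python
"""Resolve effective Group Policy settings in LSDOU order.

Added example, not part of the course material. The GPO names, settings and
the object's OU path are constructed. It models only the processing order on
the slide: Local, Site, Domain, then OUs from the domain root down to the
object's own OU, with a later setting overriding an earlier one. Enforced
links, Block Inheritance and WMI filters are deliberately not modelled.
"""

def ou_chain(dn):
    """Container DNs for an object, domain first, nearest OU last.

    Plain comma split; escaped commas inside an RDN are out of scope for this model.
    """
    parts = dn.split(",")[1:]                                   # drop the object's own RDN
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [",".join(parts[i:]) for i, p in enumerate(parts) if p.upper().startswith("OU=")]
    return [domain] + list(reversed(ous))

def resolve(object_dn, site, gpo_links, local_gpo=None):
    """Return {setting: (value, winning_gpo)} after applying every GPO in LSDOU order.

    gpo_links maps a scope ('site:<name>' or a container DN) to the GPOs linked
    there as (name, settings) pairs, listed in link order with the highest
    precedence first, as the GPMC displays them. Within one scope the list is
    therefore applied bottom-up so that the top link wins.
    """
    applied = []
    if local_gpo:
        applied.append(("Local GPO", local_gpo))
    for scope in ["site:" + site] + ou_chain(object_dn):
        applied.extend(reversed(gpo_links.get(scope, [])))
    effective = {}
    for name, settings in applied:
        for key, value in settings.items():
            effective[key] = (value, name)                      # later scope wins
    return effective

# Constructed example: a workstation in Sales\Desktops at the Seattle site.
LINKS = {
    "site:Seattle": [("Seattle-Proxy", {"ProxyServer": "proxy.seattle.corp.example:8080"})],
    "DC=corp,DC=example": [("Default Domain Policy",
                            {"ProxyServer": "proxy.corp.example:8080", "ScreenSaverTimeout": 900})],
    "OU=Sales,DC=corp,DC=example": [("Sales-Baseline",
                                     {"ScreenSaverTimeout": 600, "AllowUSBStorage": False})],
    "OU=Desktops,OU=Sales,DC=corp,DC=example": [
        ("Desktops-KioskException", {"AllowUSBStorage": True}),    # link order 1: highest precedence
        ("Desktops-Hardening", {"AllowUSBStorage": False, "ScreenSaverTimeout": 300}),
    ],
}
LOCAL = {"ScreenSaverTimeout": 1200, "LegalNoticeText": "Authorised use only"}

def demo():
    """Effective settings for the constructed workstation WS01."""
    return resolve("CN=WS01,OU=Desktops,OU=Sales,DC=corp,DC=example", "Seattle", LINKS, LOCAL)
```

In the constructed data the Desktops OU's hardening GPO blocks USB storage, but the "kiosk exception" GPO linked above it on the same OU is applied last and re-enables it for every computer in the OU. On a real client the same question is answered by `gpresult /r` (Windows XP and later), which lists the applied GPOs in their winning order.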


DNS

• DNS is a service used in TCP/IP networks to locate computers and services through user-friendly names
• DNS provides a method of naming computers and network services using a hierarchy of domains
• When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address


DNS Name Space

[Figure: the DNS namespace as a tree. Root domain; top-level domains org, com, net, gov; second-level domains microsoft, headrest, yahoo, cnn; third-level domains sales and research under microsoft; host names server1 and server2]

Types of Zones

• Active Directory Integrated (zone data stored in the directory and replicated with it; the only zone type that supports secure dynamic updates, in which only the computer that registered a record may change it)

• Standard Primary (zone data held in a text file on one server, the only writable copy)

• Standard Secondary (a read-only copy obtained from a primary by zone transfer)


Active Directory and DNS

• Active Directory uses DNS as its domain naming and location service
• DNS provides the following benefits:
  – DNS names are user-friendly, which means they are easier to remember than IP addresses
  – DNS names remain more constant than IP addresses. An IP address for a server can change, but the server name remains the same
  – DNS allows users to connect to local servers using the same naming convention as the Internet


Object Naming

• Distinguished Name (DN): the full path of the object from the root of the directory

• Relative Distinguished Name (RDN): the part of the DN that names the object within its container

• Globally Unique Identifier (GUID): a 128-bit value assigned at creation that never changes, even when the object is moved or renamed

• User Principal Name (UPN): a logon name of the form user@dnsdomain
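The four name forms, as an added example that is not part of the course material. The code splits a distinguished name on unescaped commas only, which a plain string split gets wrong as soon as a common name contains a comma (CN=Doe\, Jane), extracts the RDN and parent container, builds the DNS domain from the DC= components, assembles a UPN from it, and checks that a GUID string is well-formed. The names used are constructed.

```python
r"""Parse distinguished names and derive the other Active Directory name forms.

Added example, not part of the course material. The names are constructed.
A DN must be split on unescaped commas only (a CN such as "Doe, Jane" is
stored as CN=Doe\, Jane), the RDN is its first component, the DNS domain
comes from the DC= components, and the GUID is the one name that survives a
move or rename.
"""
import re
import uuid

def split_dn(dn):
    r"""Split a DN into RDN strings, keeping backslash escapes intact.

    'CN=Doe\, Jane,OU=Users,DC=corp,DC=example'
      -> ['CN=Doe\, Jane', 'OU=Users', 'DC=corp', 'DC=example']
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])           # escaped pair, never a separator
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    if any("=" not in r for r in rdns):
        raise ValueError("malformed RDN in %r" % dn)
    return rdns

def unescape(value):
    """Decode RFC 4514 escapes: backslash + two hex digits, or backslash + one character."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def rdn(dn):
    """Relative distinguished name: the first component, still escaped."""
    return split_dn(dn)[0]

def rdn_value(dn):
    """The RDN's decoded value, e.g. 'Doe, Jane'."""
    return unescape(rdn(dn).split("=", 1)[1])

def parent_dn(dn):
    """DN of the container that holds the object ('' for a naming-context root)."""
    return ",".join(split_dn(dn)[1:])

def domain_fqdn(dn):
    """DNS name of the domain, built from the DC= components in order."""
    return ".".join(unescape(r.split("=", 1)[1]) for r in split_dn(dn) if r.upper().startswith("DC="))

UPN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")

def build_upn(logon_name, dn):
    """Assemble logon_name@dnsdomain, the user principal name, from the object's DN."""
    upn = "%s@%s" % (logon_name, domain_fqdn(dn))
    if not UPN_RE.match(upn):
        raise ValueError("invalid UPN %r" % upn)
    return upn

def is_guid(text):
    """True if text is a well-formed objectGUID string."""
    try:
        uuid.UUID(str(text))
        return True
    except ValueError:
        return False
```

The practical consequence for anything that keys on identity: a DN changes when an object is moved between OUs or renamed, so audit records, delegation rules and scripts that store a DN can silently point at nothing (or at a newly created object with the same name) after a move, while the GUID keeps identifying the original object.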


Active Directory Administration Tasks

• Planning the Active Directory infrastructure design


• Installing and configuring Active Directory
• Administering Active Directory
• Installing and Managing domains, trees and forests
• Configuring Sites and Managing Replication
• Implementing an OU Structure
• Administering User Accounts
• Administering Group Accounts
• Administering Active Directory Objects
• Implementing Group Policy
• Administering Group Policy
• Deploying Software with Group Policy
• Administering Active Directory Security
• Managing Active Directory Performance


Lesson 3: Planning the Active Directory Infrastructure Design

• What Is an Active Directory Infrastructure Design?

• Design Tools

• The Design Process


What Is an Active Directory Infrastructure Design?

• Active Directory Design: based on the organization's business requirements
• Active Directory Implementation Plan: based on the technical aspects of the design; results in implementation guidelines
• Active Directory Implementation: creates the forest and domain structure


Design Tools

• Design Team

– Infrastructure Designers

– Staff Representatives

– Management Representatives

• Business and Technical Analyses

• Test Environment


The Active Directory Design Process

Design tasks include:
• Collecting organizational information
• Analyzing organizational information
• Analyzing design options
• Selecting a design
• Refining the design

Output of the design process includes:
• Forest and domain design
• Organizational unit design
• Site design


The Active Directory Planning Process

[Figure: the plans that feed the Active Directory implementation plan: account strategy, audit strategy, organizational unit plan, group policy plan, site implementation plan, software deployment plan and server placement plan]


The Active Directory Implementation Process

• To implement the Active Directory plan:


– Implement the forest, domain, and DNS structures

– Create:
• Organizational units and security groups

• User and computer accounts

• Group Policies

– Implement sites



Design & Published by:


CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7,
MIDC, Marol, Andheri (E), Mumbai –400093, Tel: 91-22-28216511, 28329198
Email: courseware.inst@cmail.cms.co.in
www.cmsinstitute.co.in

