Active Directory – 2003

© 2007 IBM Corporation
A/NZ – Intel Pool - 5
13/02/2010
Active Directory 2003

Dominic
Motto of this day
• Learn the fundamentals of Active Directory 2K3.
• Experience the learning.
• Learn from others' questions.

Today’s Roadmap
A Little History – Before AD
Introduction to Active Directory
Active Directory Components
Installation of AD
DNS
Physical & Logical structure of AD
Active Directory Database
FSMO
FRS
Group
Tools
A Little History – Before AD


Microsoft Client and Server History
Introduction to Active Directory
• NT – SAM; Novell – NDS; Active Directory – NTDS.dit

Key features: scalability, extensibility, security, policy-based administration, integration
with the Domain Name System (DNS), centralized data store.
What is Active Directory? Why do we need AD?
Active Directory is a network-based object store and service that
locates and manages resources, and makes these resources available to
authorized users and groups.
Active Directory is an essential and inseparable part of the Windows 2000
and above network architectures. It improves on the domain architecture of
the Windows NT® 4.0 operating system to provide a directory service
designed for distributed networking environments.


Active Directory allows for logical grouping of user and computer accounts.
AD provides a single point of administration across the enterprise.
It forms a security boundary for divisions and groups.
It gives control over other applications – MS Mail system, Citrix, etc.
Package deployments and system controls.


Active Directory Components
Physical components – e.g. DCs, Sites
Logical components – e.g. OUs, Domains, Trees, Forests
Basic components – User accounts, Computer accounts, Printers, Groups, Files, etc.




Installation of AD
• Install Active Directory on an existing Windows 2003 server.
• Post-installation checks – Ports, Dcdiag, Sysvol, Replication, Sites and OUs, Connections.
• Active Directory files, e.g. Edb.log, Edb.chk, Res1.log, Res2.log
• Understand the AD control consoles – Dsa.msc, Dssite.msc, Domain.msc
• Experience the components of AD.
AD Integrated DNS
• A DNS server resolves DNS names such as www.Westpac.com to IP addresses.

• DNS is significant for several reasons, but here's the main one: DNS is now the central name
repository for Active Directory, replacing WINS's role in NT 4.

• With Active Directory–based networks, all of that changes. The heart of naming in AD is
DNS.


• Active Directory–integrated zones offer two features:
– They secure dynamic DNS by keeping unwanted outsiders from registering dynamic DNS
records. Only machines that are members of an associated Active Directory domain can
dynamically register records with an AD-integrated zone.
– AD-integrated also means that only domain controllers can be DNS servers.
Physical & Logical structure of AD
Physical structure – Domain controllers, Sites
Logical structure – OUs, Domains, Trees, Forests

Physical structure – Domain controllers, Sites
Domain controllers and GCs

DC functions:
• Stores the AD database
• Load balancing
• Authentication
• Replication
• etc.
GC functions:
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog
is created automatically on the initial domain controller in the first domain in the forest.

It enables a user to log on to a network by providing universal group membership information to a domain controller
when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.

Sites and concepts:

A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize as much
network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).

Logical structure of AD
Forest: A forest is a grouping or hierarchical arrangement of one or
more separate, completely independent domain trees.
Tree: A tree is a grouping or hierarchical arrangement of one or more
Windows Server 2003 domains that you create by adding one or more child
domains to an existing parent domain.
Domain: The core unit of logical structure in Active Directory is the
domain, which can store millions of objects.
OUs: An OU is a container used to organize objects within a domain
into a logical administrative group.
Other objects: Groups, USN, GUID
Trusts: Tree-root, Parent-child, Shortcut, External, Realm.
Logical structure of AD
Active Directory Database
NTDS.DIT – located in c:\windows\NTDS\
Storage engine: ESE
Tables:
• Schema table
• Link table
• Data table
• Configuration table
Partitions:
• Schema
• Configuration
• Domain
• Application

Managing NTDS.DIT
NTDSUtil.exe
Metadata cleanup
Tombstone objects, Lingering objects
Online and offline Defragmentation
FSMO Roles
Forest-wide operations master roles:
• Schema master
• Domain naming master

Domain-wide operations master roles:
• Relative ID master
• Primary domain controller (PDC) emulator
• Infrastructure master

These roles must be unique in the forest. This means that throughout the entire forest there
can be only one schema master and one domain naming master.

Schema Master Role

The domain controller assigned the schema master role controls all updates and
modifications to the schema. To update the schema of a forest, you must have access to the
schema master. At any time, there can be only one schema master in the entire forest.

Domain Naming Master Role

The domain controller holding the domain naming master role controls the
addition or removal of domains in the forest. There can be only one domain naming master
in the entire forest at any time.


These roles must be unique in each domain. This means that each domain in the forest can have only one
RID master, PDC emulator master, and infrastructure master.

RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the
various domain controllers in its domain. At any time, there can be only one domain controller acting as
the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique
security ID. The security ID consists of a domain security ID (that is the same for all security IDs created
in the domain) and a relative ID that is unique for each security ID created in the domain.
To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must
initiate the move on the domain controller acting as the RID master of the domain that currently contains
the object.
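The slide states that a SID is a domain SID plus a RID and that the RID master is the only DC handing out RID sequences in its domain. The Python below is an added illustration, not code from the deck: it splits a SID into those two parts, labels a handful of Microsoft-documented well-known RIDs (useful when reviewing logs, since RIDs below 1000 denote built-in principals), and models two DCs minting SIDs from one RID master versus two independent ones to show why duplicate role holders produce duplicate SIDs. The pool size of 500, the first allocatable RID of 1000 and the domain SID value are assumptions chosen to mirror Windows defaults and constructed sample data, not values from the slides.

```python
"""Added example (not part of the IBM deck): SID decomposition and a model
of RID-master pool allocation.

Assumptions (not stated on the slides): a RID block of 500 per request and a
first allocatable RID of 1000 mirror Windows defaults; the domain SID used in
simulate() is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field

# Microsoft-documented well-known RIDs. RIDs below 1000 belong to built-in
# principals, which is why detection rules often key on them.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 519: "Enterprise Admins"}


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).

    The domain SID (S-1-5-21-a-b-c) is the same for every principal created
    in the domain; only the trailing RID differs."""
    parts = sid.split("-")
    if parts[:3] != ["S", "1", "5"] or len(parts) != 8 or parts[3] != "21":
        raise ValueError(f"not a domain principal SID: {sid!r}")
    rid = int(parts[-1])
    domain_sid = "-".join(parts[:-1])
    return domain_sid, rid


def describe_rid(rid: int) -> str:
    """Name well-known RIDs; otherwise say whether the RID is built-in or pooled."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "built-in (RID < 1000)" if rid < 1000 else "allocated by RID pool"


@dataclass
class RidMaster:
    """Hands out disjoint RID blocks. A domain is supposed to have exactly one."""
    pool_size: int = 500    # assumption: Windows default block size
    next_rid: int = 1000    # assumption: first non-built-in RID

    def allocate_pool(self) -> list[int]:
        lo, hi = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = hi + 1
        return [lo, hi]


@dataclass
class DomainController:
    name: str
    domain_sid: str
    rid_master: RidMaster
    pool: list = field(default_factory=list)   # [next_free, last] of current block

    def create_principal(self) -> str:
        """Mint a SID from the local RID block; refill from the RID master when empty."""
        if not self.pool or self.pool[0] > self.pool[1]:
            self.pool = self.rid_master.allocate_pool()
        rid = self.pool[0]
        self.pool[0] += 1
        return f"{self.domain_sid}-{rid}"


def simulate(objects_per_dc: int, single_rid_master: bool) -> int:
    """Create objects on two DCs and return the number of duplicate SIDs.

    With one RID master (the supported configuration) the result is 0. Two
    independent masters, e.g. a seized role while the old holder is still
    online, hand out overlapping blocks and SIDs collide."""
    domain_sid = "S-1-5-21-1004336348-1177238915-682003330"   # constructed
    master_a = RidMaster()
    master_b = master_a if single_rid_master else RidMaster()
    dc1 = DomainController("DC1", domain_sid, master_a)
    dc2 = DomainController("DC2", domain_sid, master_b)
    sids = [dc.create_principal() for _ in range(objects_per_dc) for dc in (dc1, dc2)]
    return len(sids) - len(set(sids))


if __name__ == "__main__":
    dom, rid = parse_sid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(dom, rid, describe_rid(rid))
    print("duplicates with one RID master:", simulate(600, single_rid_master=True))
    print("duplicates with two RID masters:", simulate(600, single_rid_master=False))
```

The two-master case is the failure mode behind the "seize only when the old holder is gone for good" advice: each master restarts its own counter, so both DCs mint the same SIDs for different objects.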

PDC Emulator
If the domain contains computers operating without Windows Server 2003 client software or if it contains
Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role
acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the
BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain
in the forest.

Infrastructure master
It is responsible for updating the group-to-user references whenever the members of groups are
renamed or changed. At any time, there can be only one domain controller acting as the
infrastructure master in each domain.
Manage FSMO Roles
Seizing and transferring the roles
How to find the role holders – GUI and command line
Regsvr32 Schmmgmt.dll


FRS
Inter-site replication
Intra-site replication
Push and pull replication
Bridgehead servers, topologies
Protocols: RPC over IP and SMTP over IP
Compression – 10 to 20 %
Manual scheduling
Managing and troubleshooting
Site links



Groups
Types of Groups

New to Windows 2000/Windows Server 2003 are two types of group objects, each used for a specific

Security Groups These are used to grant permissions to resources. Computers, users, and
other groups can be members of a security group.


Distribution Groups These groups are used for nonsecurity functions, such as e-mail.
Distribution groups cannot be assigned permissions or rights.

Scopes of Groups
Windows 2000/Windows Server 2003 provides the ability to limit the area of influence for a group.
A group can have one of the following three scopes:

Domain Local Groups Limited to a single domain. They can be used to grant permissions to
resources only within that domain, but can have members from any domain. These groups should
be used when the permissions are to be granted specifically within a domain: domain local groups
are not visible outside of their own domain.

Global Groups Used to grant permissions to objects in multiple domains and are visible to all
trusted domains. Global groups, though, can have as members only users and groups from within
their own domain. If your AD database is configured for native-mode operation, global groups can
be nested; in other words, a global group can contain other global groups.

Universal Groups Similar to global groups in that they can be used to grant permissions across
multiple domains. The big difference is that universal groups can contain any combination of user

TOOLS & AD Backup

Tools to manage AD
Dsadd, Dsmod, Dsget, Dsquery, Netdom, Dcdiag, Netdiag…
AD backup and restore methods
Ntbackup
Authoritative and non-authoritative restore
Things to Know !!!!

1. Each domain controller in an Active Directory forest can create a little bit less than
2.15 billion objects during its lifetime.
2. There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a
domain.
3. Security principals (that is, user, group, and computer accounts) can be members of
a maximum of approximately 1,015 groups.
4. Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64
characters in total length, including hyphens and periods (.).
5. The file system that Windows operating systems use limits file name lengths
(including the path to the file name) to 260 characters.
6. The maximum length for the name of an organizational unit (OU) is 64 characters.
7. There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user
account or computer account.
8. For Windows 2000 Server, the recommended maximum number of domains in a
forest is 800; for Windows Server 2003, 1200.
