
1.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 1: Introducing Active Directory Services in Windows Server 2003

Goals

Introduce Active Directory

Identify the functions and features of Active Directory

Introduce Active Directory architecture

Introduce Active Directory objects

Examine the logical and physical structure of Active Directory

Examine more Active Directory concepts

Plan a domain structure

Plan a domain namespace

Examine guidelines for planning a site structure


Introducing Active Directory

Active Directory database

Stores information about users, groups, domains, and objects on a network

Allows you to centrally access and administer the information

Provides a unique identity for each object, called a Security ID (SID)

(Skill 1)


Introducing Active Directory (2)

Active Directory database

Allows you to access and administer the directory service globally, unlike decentralized network models

Reduces the effort required to complete day-to-day administrative tasks, such as managing users and resources

(Skill 1)


Figure 1-1 Active Directory

(Skill 1)


Introducing Active Directory (3)

Windows NT

Introduced the concept of a directory service based on domains that provide a single point of authentication for all users on a network

Limitations prevent it from being used effectively in large networks

Has only one writable copy of the database, which leads to a single point of failure for Write operations

Trust relationships between domains must be built manually

(Skill 1)


Introducing Active Directory (4)

Active Directory’s advantages over Windows NT

Most trust relationships within a single forest are created automatically

Makes it possible for Active Directory to provide scalability in large business organizations

(Skill 1)


Identifying the Functions and Features of Active Directory

Active Directory features make it a reliable and secure directory service

Policy-based administration

Active Directory makes network administration easier by using Group Policies

Using this feature, an administrator can make complex modifications to the user’s environment, assign rights, configure network security, and install software to collections of users or computers

(Skill 2)


Identifying the Functions and Features of Active Directory (2)

Active Directory features make it a reliable and secure directory service

Increased security of information

Windows Server 2003 supports protection of both stored data and network data

Stored data can be protected using Encrypting File System (EFS) and permissions

(Skill 2)


Identifying the Functions and Features of Active Directory (3)

Active Directory features make it a reliable and secure directory service

Integration with Domain Name System (DNS)

DNS is a naming service that translates host names into numeric IP addresses

Active Directory uses standard DNS naming conventions for domains

(Skill 2)


Identifying the Functions and Features of Active Directory (4)

Active Directory features make it a reliable and secure directory service

Extensibility

Active Directory allows nearly any type of information to be added to the database because it has an extensible schema

Schema contains a list of all possible object types (object classes), their attributes, and relationships allowed between objects

(Skill 2)


Identifying the Functions and Features of Active Directory (5)

Active Directory features make it a reliable and secure directory service

Scalability

Active Directory can store anywhere from a small number to millions of objects

An object automatically inherits the permissions of the container into which it is placed

(Skill 2)


Identifying the Functions and Features of Active Directory (6)

Active Directory features make it a reliable and secure directory service

Information replication

Active Directory automatically replicates the contents of its database across every domain controller in the domain

Compatibility with other directory services

Active Directory is based on protocols, such as LDAP, HTTP, and NSPI, so it is compatible with other directory services that use these protocols

(Skill 2)


Identifying the Functions and Features of Active Directory (7)

Active Directory features make it a reliable and secure directory service

Mutual authentication

Active Directory utilizes Kerberos as the default authentication mechanism

Kerberos is an industry-standard, high-security mutual authentication mechanism that provides increased security for logon information

(Skill 2)


Introducing Active Directory Architecture

Windows Server 2003 architecture has two primary layers

User mode

Kernel mode

(Skill 3)


Introducing Active Directory Architecture (2)

User mode layer

The interface between applications and the kernel mode layer

Accepts requests from an application and forwards them to the kernel for processing

(Skill 3)


Introducing Active Directory Architecture (3)

Components of the user mode layer

Environment subsystems

Provide interfaces for applications to interact with the kernel and integral subsystems

The environment subsystem components make applications run by providing Application Programming Interfaces (APIs)

(Skill 3)


Introducing Active Directory Architecture (4)

Components of the user mode layer

Integral subsystems

Perform important operating system functions such as security and session management

Security subsystem receives logon requests and initiates logon authentication

Workstation Service enables a client computer to access the network

Server Service allows a Windows Server 2003 computer to share network resources

(Skill 3)


Figure 1-2 Location of Active Directory within the Windows Server 2003 architecture

(Skill 3)


Introducing Active Directory Architecture (5)

Kernel mode layer

Communicates with system data and hardware to process any input/output requests made by a user

Operates in a protected area of memory

Is responsible for executing I/O requests

Prioritizes hardware and software interrupts based on the precedence of the application or service making the request

(Skill 3)


Introducing Active Directory Architecture (6)

Components of the kernel mode layer

Executive

Performs I/O functions, object management, and security functions

Has a number of subcomponents

Provides security guidelines for the user mode layer

(Skill 3)


Introducing Active Directory Architecture (7)

Components of the kernel mode layer

Microkernel, which manages the computer’s processors

Kernel mode drivers, which take requests from applications and translate them into hardware functions

Hardware Abstraction Layer (HAL), which provides the interface between the other software layers and the core hardware

(Skill 3)


Introducing Active Directory Architecture (8)

Active Directory is made up of three service layers and the underlying Data Store

Directory System Agent (DSA)

Provides the interface for application calls made to the directory

Supports the protocols that enable clients to gain access to Active Directory:

LDAP/ADSI

SAM

MAPI

REPL

(Skill 3)


Introducing Active Directory Architecture (9)

Database Layer

Access calls to the database go through the Database Layer

Acts as an abstraction layer between the applications that make the access calls and the database

Extensible Storage Engine (ESE)

Has direct contact with the records in the directory data store

Based on an object’s relative distinguished name attribute

(Skill 3)


Introducing Active Directory Architecture (10)

Data Store (Ntds.dit)

Contains the records that make up the Active Directory database

Stored by default in the %systemroot%\NTDS folder on the domain controller

Administered from Active Directory Restore Mode using Ntdsutil.exe, located in the system32 folder under %systemroot%

(Skill 3)


Figure 1-3 Active Directory architecture

(Skill 3)


Introducing Active Directory Objects

Active Directory

Treats each domain resource as an object

Each object is represented by distinct characteristics known as attributes

(Skill 4)


Introducing Active Directory Objects (2)

Types of Active Directory objects

User accounts

Store the logon information for the users in a domain

A domain acts as a security boundary: assuming no trusts are in place, users can only access objects within their own domains

(Skill 4)


Figure 1-4 Objects and their attributes

(Skill 4)


Introducing Active Directory Objects (3)

Types of Active Directory objects

Contacts

Used to store information about any person or organization that has business relations with your organization

Contact information includes name, address, telephone number, and e-mail address

(Skill 4)


Introducing Active Directory Objects (4)

Types of Active Directory objects

Computers

Computer objects store information about computers that are members of a domain

Information includes computer name, description, and other attributes

(Skill 4)


Introducing Active Directory Objects (5)

Types of Active Directory objects

Groups

Used to apply permissions across large numbers of users, computers, and groups

They are not strictly containers, but have membership lists that define which objects are members of the group

(Skill 4)


Introducing Active Directory Objects (6)

Types of Active Directory objects

Published folders

Shared folders that have been listed in Active Directory

When you publish a folder in Active Directory, you create an object that stores a pointer to the folder

(Skill 4)


Introducing Active Directory Objects (7)

Types of Active Directory objects

Printers

A printer is represented by a printer object that contains a pointer to the printer on a computer

A Windows Server 2003 print server automatically detects and publishes printers to Active Directory

(Skill 4)


Introducing Active Directory Objects (8)

Types of Active Directory objects

Domain controllers

A Windows Server 2003 computer that authenticates user logon attempts and exchanges the directory information with other domain controllers

Exchanging directory information is called replication

In Active Directory, domain controllers use multimaster replication to exchange directory information with other domain controllers in a domain

No single domain controller is responsible for replication and all of the domain controllers act as peers

(Skill 4)


Introducing Active Directory Objects (9)

Types of Active Directory objects

Domain controllers

Each domain controller is represented by a Domain Controller object in Active Directory

You can store the Domain Name System (DNS) name, pre-Windows Server 2003 name, operating system version, location, and name of the administrator in this object

Domain controllers also handle a user’s interactions with a domain such as locating objects and logon requests

(Skill 4)


Introducing Active Directory Objects (10)

Types of Active Directory objects

Organizational units (OUs)

Container objects that can store groups, users, computers, and other OUs

Used to organize the objects in the domain, to delegate control over a small portion of the domain, and to apply Group Policy to a select group of objects

Only one OU exists by default

It is recommended that you create additional OUs based on your administrative needs

(Skill 4)


Figure 1-5 A typical Active Directory hierarchy

(Skill 4)


Figure 1-6 Active Directory objects

(Skill 4)


Introducing Active Directory Objects (11)

In Active Directory, you use names to locate objects in a network

Naming conventions that Active Directory supports

Distinguished name (DN)

A unique name for every object in a network

It includes the name of the domain that holds the object and the complete path to the object through the container hierarchy

(Skill 4)


Introducing Active Directory Objects (12)

Naming conventions that Active Directory supports

Relative distinguished name (RDN)

Derived from the DN

The RDN of an object is simply the object’s name

Globally unique identifier (GUID)

A unique 128-bit number assigned to an object at the time of its creation

The GUID for an object does not change even when you move or rename the object

(Skill 4)


Introducing Active Directory Objects (13)

Naming conventions that Active Directory supports

User principal name (UPN)

Consists of a prefix based on the user’s first name and last name attributes, plus a UPN suffix

The UPN suffix is usually the DNS name of the domain where the user is located

(Skill 4)
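Added example, not code from the Pearson slides: the naming conventions above worked through in Python. A DN is parsed into its components, the RDN and the domain DNS name are derived from it, a UPN is built from a prefix plus the domain DNS name as suffix, and moving an object between OUs shows that the DN changes while the GUID does not. All DNs, names and GUIDs are constructed samples; passing the UPN prefix in as a parameter (rather than deriving it from name attributes as the slide describes) is an assumption of this example.

```python
"""Active Directory naming conventions (DN, RDN, GUID, UPN) as code.
Added example; the sample DNs, names and GUIDs are constructed."""
import uuid
from dataclasses import dataclass
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as 'CN=Alice Lee,OU=Sales,DC=example,DC=com' into
    (attribute, value) pairs, most specific component first. A backslash
    escapes the next character, so 'CN=Lee\\, Alice' keeps its comma
    instead of being split (RFC 4514 escaping)."""
    parts: List[Tuple[str, str]] = []
    attr, buf, escaped, in_value = "", [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:
            parts.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if escaped or not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    parts.append((attr, "".join(buf).strip()))
    return parts


def rdn(dn: str) -> str:
    """The RDN is simply the object's own name: the first DN component."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def domain_dns_name(dn: str) -> str:
    """The DC= components, joined in order, give the DNS name of the domain
    that holds the object (Active Directory uses DNS naming for domains)."""
    labels = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels)


def container_path(dn: str) -> List[str]:
    """Containers from the domain down to the object's parent: the path
    through the OU hierarchy that the DN encodes."""
    parts = [f"{a}={v}" for a, v in parse_dn(dn) if a.upper() != "DC"]
    return list(reversed(parts[1:]))


def upn(logon_prefix: str, dn: str) -> str:
    """UPN = prefix@suffix, the suffix normally being the DNS name of the
    domain where the user is located. The prefix is an input here."""
    return f"{logon_prefix}@{domain_dns_name(dn)}"


@dataclass
class ADObject:
    """Minimal stand-in for a directory object: its DN plus its objectGUID,
    the 128-bit identifier assigned once, at creation."""
    dn: str
    guid: uuid.UUID


def create_object(dn: str) -> ADObject:
    return ADObject(dn=dn, guid=uuid.uuid4())


def move_object(obj: ADObject, new_parent_dn: str) -> ADObject:
    """Moving an object to another container rewrites its DN (same RDN,
    new parent path) but leaves the GUID untouched."""
    return ADObject(dn=f"{rdn(obj.dn)},{new_parent_dn}", guid=obj.guid)


if __name__ == "__main__":
    alice = create_object("CN=Alice Lee,OU=Sales,DC=example,DC=com")
    print(rdn(alice.dn), domain_dns_name(alice.dn), container_path(alice.dn))
    print(upn("alice", alice.dn))
    moved = move_object(alice, "OU=Marketing,DC=example,DC=com")
    print(moved.dn, moved.guid == alice.guid)
```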


Figure 1-7 Examples of naming conventions

(Skill 4)


Examining the Logical and Physical Structure of Active Directory

Objects in Active Directory can be organized logically and physically

Logical structure

Consists of domains, trees, and forests

Besides being Active Directory objects, OUs are also part of the logical structure

Physical structure

Consists of sites

Domain controllers are also part of the physical structure, as well as being Active Directory objects

(Skill 5)


Examining the Logical and Physical Structure of Active Directory (2)

Components of the logical structure

Domains

In Active Directory, domains represent the core unit of the logical structure

Used to represent the administrative boundaries of your organization

Store information only about the objects they contain

Can span multiple physical locations

(Skill 5)


Figure 1-8 A domain structure in an organization

(Skill 5)


Examining the Logical and Physical Structure of Active Directory (3)

Components of the logical structure

Trees

Formed when you add one or more child domains to the top-level domain (also known as the root of the tree)

Follows a contiguous naming scheme where every child domain (subdomain) in the tree derives its name from the root domain

An implicit two-way transitive trust, a type of logical link that is established automatically between domains, exists between each parent domain and its child domains in a domain tree

(Skill 5)


Figure 1-9 A tree structure in Active Directory

(Skill 5)


Examining the Logical and Physical Structure of Active Directory (4)

Components of the logical structure

Forests

Collection of domains that share a common schema, global catalog, and configuration

All domains in a forest share a common schema and a common global catalog, which allows all domains within a forest to contain uniform information

Although domains in a forest operate independently, they communicate with each other because all domain trees in a forest share a common schema

(Skill 5)


Examining the Logical and Physical Structure of Active Directory (5)

Components of the logical structure

Forests

All domains in a forest share a common global catalog

Forests allow a disjoint (noncontiguous) naming scheme, where the names of the domain trees need not be related to one another

In a forest, an implicit two-way transitive trust exists between the root domains of domain trees and the root of the forest

(Skill 5)


Figure 1-10 A forest structure in Active Directory

(Skill 5)


Examining the Logical and Physical Structure of Active Directory (6)

Components of the physical structure

Sites

Logical representations of a physical location within Active Directory

Subnets are always associated with sites

Allow clients to determine the site to which they belong

Allow clients to use a domain controller located in their own physical site

(Skill 5)
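Added example, not code from the Pearson slides: the subnet-to-site lookup the slides describe, so a client address resolves to a site and to the domain controllers in that site. Sites, subnets, DC names and client addresses are constructed sample data; the example models only the subnet match, not the DNS SRV lookup the real locator also performs, and the helper names are this example's own.

```python
"""Subnet objects -> site -> local domain controllers.
Added example; all sites, subnets and addresses are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample: subnet object -> site it is associated with.
SUBNETS: Dict[str, str] = {
    "10.0.0.0/8": "Default-First-Site-Name",   # broad catch-all subnet
    "10.1.0.0/16": "London",
    "10.1.5.0/24": "London-Lab",               # more specific, nested in 10.1.0.0/16
    "10.2.0.0/16": "Berlin",
    "2001:db8:1::/48": "Berlin",
}

# Constructed sample: site -> domain controllers located in that site.
SITE_DCS: Dict[str, List[str]] = {
    "Default-First-Site-Name": ["dc1.example.com"],
    "London": ["ldn-dc1.example.com", "ldn-dc2.example.com"],
    "London-Lab": [],                          # a site with no DC of its own
    "Berlin": ["ber-dc1.example.com"],
}


def site_for_address(addr: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Longest-prefix match: of all subnets containing the address, the most
    specific one decides the site. None means no subnet object covers the
    address, which is the case an administrator wants to know about."""
    ip = ipaddress.ip_address(addr)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip.version != net.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def domain_controllers_for_address(addr: str,
                                   subnets: Dict[str, str] = SUBNETS,
                                   site_dcs: Dict[str, List[str]] = SITE_DCS) -> List[str]:
    """Domain controllers the client should prefer: the ones in its own site.
    An empty list means there is no local DC (unknown subnet, or a site
    without a DC), so the client ends up using a DC in another site."""
    site = site_for_address(addr, subnets)
    if site is None:
        return []
    return list(site_dcs.get(site, []))


def addresses_without_site(addrs: Iterable[str],
                           subnets: Dict[str, str] = SUBNETS) -> List[str]:
    """Planning check: clients whose subnet no site claims. They will pick a
    DC from anywhere, so a subnet object should be created for them."""
    return [a for a in addrs if site_for_address(a, subnets) is None]


if __name__ == "__main__":
    for client in ("10.1.5.77", "10.1.9.1", "2001:db8:1::10", "192.168.1.1"):
        print(client, site_for_address(client), domain_controllers_for_address(client))
    print(addresses_without_site(["10.1.9.1", "192.168.1.1", "172.16.0.5"]))
```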


Examining the Logical and Physical Structure of Active Directory (7)

Components of the physical structure

Sites

Used to control replication traffic between physical locations

Logical structure of Active Directory is different from the physical structure

A site can span multiple domains

A domain can span multiple sites

(Skill 5)


Figure 1-11 Structure of a site

(Skill 5)


Examining More Active Directory Concepts

Global catalog

Stores information about all objects in a forest

By default, the global catalog is created on the first domain controller in a forest, known as a global catalog server

Whenever object information is updated, a global catalog server exchanges this information with other global catalog servers in a forest

(Skill 6)


Examining More Active Directory Concepts (2)

Global catalog

In a single domain, the global catalog stores information about all of the objects in that domain

In multiple domains, the global catalog stores a full replica of information about objects belonging to its domain and a partial replica of information for objects belonging to other domains

You can add global catalog servers to a forest to provide backup for the default global catalog server

(Skill 6)


Figure 1-12 The function of the global catalog

(Skill 6)


Examining More Active Directory Concepts (3)

Global catalog

Global catalog servers also participate in logons in Windows 2000 native mode

Perform user principal name (UPN) lookups

Provide universal group storage

Handle user and program-related queries about objects

Can quickly resolve a query about an object anywhere in the forest

(Skill 6)


Examining More Active Directory Concepts (4)

Trust relationships

A trust is a connection between domains that allows users from one or both domains to be granted access to resources in the other domain

In a multi-domain environment, trusts allow users to access resources in other domains without the need to log on to each domain separately

Trusts allow users to log on to their own domain on computers that are members of a different domain

(Skill 6)


Examining More Active Directory Concepts (5)

Trusts come in four basic forms

One-way trusts allow a domain to access another domain’s resources, but not vice-versa

Two-way trusts allow both domains to access each other’s resources

Transitive trusts follow through, meaning they pass from domain to domain

Non-transitive trusts do not follow through, so each domain must explicitly trust the other domains

(Skill 6)
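Added example, not code from the Pearson slides: the four trust forms above (one-way and two-way, transitive and non-transitive) evaluated as a small trust graph to answer "users from which domains can be granted access to resources in domain X?". Domain names are constructed samples; the A, B, C trusts mirror Figures 1-13 and 1-14, and the trusting/trusted terminology follows Figure 1-15. The functions are this example's own.

```python
"""Trust forms (one-way/two-way, transitive/non-transitive) as a graph.
Added example; domain names and trusts are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Trust:
    """One direction of trust: the trusting domain opens its resources to
    users from the trusted domain."""
    trusting: str
    trusted: str
    transitive: bool = True


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    """A two-way trust is a one-way trust in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def default_forest_trusts(parent: str, children: Iterable[str]) -> List[Trust]:
    """Default parent/child and tree-root/forest-root trusts are always
    two-way and transitive."""
    trusts: List[Trust] = []
    for child in children:
        trusts += two_way(parent, child, transitive=True)
    return trusts


def domains_whose_users_can_access(resource_domain: str,
                                   trusts: Iterable[Trust]) -> Set[str]:
    """Walk the trust graph outward from the domain holding the resource.
    The first hop may use any trust; further hops are possible only while
    every trust along the chain is transitive. Non-transitive trusts do not
    follow through, so such domains must be trusted explicitly."""
    by_trusting: Dict[str, List[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    reachable: Set[str] = set()
    # State: (domain, reached over a chain that may be extended further)
    stack = [(resource_domain, True)]
    seen = set(stack)
    while stack:
        dom, chain_transitive = stack.pop()
        if dom != resource_domain and not chain_transitive:
            continue
        for t in by_trusting.get(dom, []):
            if dom != resource_domain and not t.transitive:
                continue
            if t.trusted != resource_domain:
                reachable.add(t.trusted)
            state = (t.trusted, t.transitive)
            if state not in seen:
                seen.add(state)
                stack.append(state)
    return reachable


def can_access(user_domain: str, resource_domain: str,
               trusts: Iterable[Trust]) -> bool:
    """Trust is a precondition, not a grant: permissions still have to be
    assigned in resource_domain. A domain's own users need no trust."""
    return (user_domain == resource_domain
            or user_domain in domains_whose_users_can_access(resource_domain, trusts))


if __name__ == "__main__":
    # Figure 1-13: A trusts B, B trusts C (one-way, non-transitive).
    fig13 = [Trust("A", "B", transitive=False), Trust("B", "C", transitive=False)]
    print("C -> A without A->C trust:", can_access("C", "A", fig13))
    # Figure 1-14: an additional trust from A to C closes the gap.
    fig14 = fig13 + [Trust("A", "C", transitive=False)]
    print("C -> A with A->C trust:", can_access("C", "A", fig14))
    forest = (default_forest_trusts("example.com", ["eu.example.com", "us.example.com"])
              + default_forest_trusts("eu.example.com", ["de.eu.example.com"]))
    print("forest, resources in us:", domains_whose_users_can_access("us.example.com", forest))
```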


Figure 1-13 Simple one-way trusts

(Skill 6)

Figure 1-14 An additional trust from domain A to domain C

(Skill 6)

Figure 1-15 Trusting and trusted domains

(Skill 6)

Figure 1-16 Two-way trusts

(Skill 6)

Examining More Active Directory Concepts (6)

Five basic names describe the type of trust

Default trust

Created automatically between the forest root domain and the root domain of each additional tree in the forest (a tree-root trust), and between each child domain and its parent domain (a parent-child trust)

Always two-way and transitive, which is why every domain in a forest trusts every other domain in the forest

Inter-forest (forest) trust

Established between the forest root domains of two forests, both of which must be at the Windows Server 2003 forest functional level

Either one-way or two-way, and transitive between the two forests (every domain in one forest trusts every domain in the other); it does not extend to a third forest, so forest trusts from A to B and from B to C do not make A trust C

(Skill 6)

Examining More Active Directory Concepts (7)

Five basic names describe the type of trust

Shortcut trust

Established to shorten the Kerberos referral path between two domains in the same forest: without it, a referral between domains in different trees walks up to the forest root and down again, which is slow when there are many domains that are widely dispersed geographically

Can be one-way or two-way; always transitive

Can only be established within a single forest

(Skill 6)

Figure 1-17 Use of shortcut trusts

(Skill 6)

Examining More Active Directory Concepts (8)

Five basic names describe the type of trust

External trust

Established between domains in different forests that are not joined by a forest trust (two Windows 2000 forests, or a Windows Server 2003 forest and a Windows 2000 forest), and between a Windows NT domain and a Windows 2000 or Windows Server 2003 domain

Behave like Windows NT trusts: always non-transitive, and either one-way or two-way

Domain controllers running Windows Server 2003 enable SID filtering on new external trusts by default, so a SID history presented by an account from the trusted domain cannot be used to claim access in the trusting domain

In Windows 2000, a trust to a Unix Kerberos realm was also created as an external trust; Windows Server 2003 provides the separate realm trust type for that purpose

(Skill 6)

Examining More Active Directory Concepts (9)

Five basic names describe the type of trust

Realm trust

Established between a Windows Server 2003 domain and a non-Windows (for example Unix MIT) Kerberos realm

A Kerberos realm is the Kerberos counterpart of an Active Directory domain: the set of principals served by one Key Distribution Center database

Can be either one-way or two-way

Can be transitive or non-transitive, as chosen when the trust is created

(Skill 6)
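The four trust forms and the five trust types above can be checked against a small model. The following Python is an added example, not code from this course or from Microsoft; the domain names, the trust layout and the record format are constructed for illustration. It stores each trust as a directed edge from the trusting (resource) domain to the trusted (account) domain and searches for the referral path a Kerberos authentication would have to walk, applying the rules stated on these slides: a direct trust of any kind is enough, a multi-hop path may use only transitive trusts, and a forest trust does not chain on to a third forest. It also shows how a shortcut trust collapses the path between two deep domains in different trees.

```python
from collections import deque

# Trust types from the slides and whether each one chains with other trusts
# (is transitive).  A forest trust is transitive only between the two forests
# it joins; that limit is enforced separately in trust_path().
TRANSITIVE = {
    "parent_child": True,   # default trust, created automatically
    "tree_root": True,      # default trust, created automatically
    "shortcut": True,       # only within one forest
    "forest": True,         # between two forest root domains
    "external": False,      # NT-style trust to a domain in another forest
    "realm_transitive": True,
    "realm_nontransitive": False,
}


def add_trust(trusts, trusting, trusted, kind, two_way=False):
    """Record that `trusting` accepts authentication from `trusted`.

    Edges run from the trusting (resource) domain to the trusted (account)
    domain; a two-way trust is simply a pair of one-way trusts.
    """
    trusts.setdefault(trusting, []).append((trusted, kind))
    if two_way:
        trusts.setdefault(trusted, []).append((trusting, kind))


def trust_path(trusts, resource_domain, account_domain):
    """Return the chain of domains a Kerberos referral walks from the domain
    holding the resource to the domain holding the account, or None when no
    valid trust path exists."""
    if resource_domain == account_domain:
        return [resource_domain]
    # A direct trust of any type is enough, transitive or not.
    for nxt, _kind in trusts.get(resource_domain, []):
        if nxt == account_domain:
            return [resource_domain, account_domain]
    # A longer path may only use transitive trusts and may cross at most one
    # forest trust.  Breadth-first search over (domain, forest trust used).
    start = (resource_domain, False)
    parent = {start: None}
    queue = deque([start])
    while queue:
        domain, forest_used = queue.popleft()
        for nxt, kind in trusts.get(domain, []):
            if not TRANSITIVE[kind]:
                continue
            if kind == "forest" and forest_used:
                continue
            state = (nxt, forest_used or kind == "forest")
            if state in parent:
                continue
            parent[state] = (domain, forest_used)
            if nxt == account_domain:
                path, cur = [nxt], (domain, forest_used)
                while cur is not None:
                    path.append(cur[0])
                    cur = parent[cur]
                return path[::-1]
            queue.append(state)
    return None


def hops(path):
    """Number of trusts crossed by a path (None when there is no path)."""
    return None if path is None else len(path) - 1


def sample_trusts(with_shortcut=False):
    """Constructed example, not a real deployment: two trees under the forest
    root corp.com, a one-way external trust to an NT 4.0 domain, and forest
    trusts corp.com <-> partner.com <-> other.org."""
    t = {}
    add_trust(t, "corp.com", "east.corp.com", "parent_child", two_way=True)
    add_trust(t, "east.corp.com", "sales.east.corp.com", "parent_child", two_way=True)
    add_trust(t, "corp.com", "fabrikam.net", "tree_root", two_way=True)
    add_trust(t, "fabrikam.net", "hr.fabrikam.net", "parent_child", two_way=True)
    if with_shortcut:
        add_trust(t, "sales.east.corp.com", "hr.fabrikam.net", "shortcut", two_way=True)
    add_trust(t, "corp.com", "NT4DOM", "external")            # one-way only
    add_trust(t, "corp.com", "partner.com", "forest", two_way=True)
    add_trust(t, "partner.com", "eu.partner.com", "parent_child", two_way=True)
    add_trust(t, "partner.com", "other.org", "forest", two_way=True)
    return t


if __name__ == "__main__":
    for shortcut in (False, True):
        t = sample_trusts(with_shortcut=shortcut)
        p = trust_path(t, "sales.east.corp.com", "hr.fabrikam.net")
        print("shortcut" if shortcut else "default ", hops(p), "hops:", " -> ".join(p))
    t = sample_trusts()
    print("east.corp.com accepts NT4DOM users?", trust_path(t, "east.corp.com", "NT4DOM") is not None)
    print("corp.com accepts other.org users?  ", trust_path(t, "corp.com", "other.org") is not None)
```

Running the script shows the sales-to-hr referral dropping from four hops to one once the shortcut trust exists, east.corp.com being unable to accept NT4DOM accounts because the external trust is non-transitive, and corp.com not trusting other.org even though two forest trusts connect them.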

Examining More Active Directory Concepts (10)

Domain Name System (DNS)

Active Directory uses DNS as its name resolution service and as its service locator

The computer running this service is known as a DNS name server

DNS maps host names to IP addresses and so helps computers locate other computers on a network

DNS organizes domains in a hierarchical structure using a naming scheme called the domain namespace

(Skill 6)

Examining More Active Directory Concepts (11)

Domain Name System (DNS)

Computers in a domain use this service to locate domain controllers in the domain: each domain controller registers service location (SRV) resource records such as _ldap._tcp.dc._msdcs.<domain name>, and clients query those records to find a domain controller

DNS zones

A DNS server typically holds a copy of the DNS zone for a given domain or for a collection of contiguous domains

The DNS zone is contained in a file known as the zone database file, typically called the zone file (an Active Directory-integrated zone is instead stored in the directory and replicated with it)

(Skill 6)

Planning Domain Structure

In Active Directory, domain structure depends primarily on administrative needs

In Windows Server 2003, domains are simply administrative boundaries; the forest, not the domain, is the security boundary

Best to use a single domain model if at all possible

Domain models are broadly classified into two categories

Single domain model

Multiple domain model

(Skill 7)

Planning Domain Structure (2)

Single domain model

Easy to manage and administer because the administrative boundary is clearly defined

Suitable for any organization that follows a truly centralized administrative model

Easy to set up because only a single domain must be configured

(Skill 7)

Planning Domain Structure (3)

Multiple domain model

Typically appropriate only in three specific situations

To separate domain-level administrative privileges (each domain has its own Domain Admins group, although Enterprise Admins in the forest root still has authority in every domain)

To separate account policies (password, account lockout and Kerberos policy are set once per domain)

To control localized traffic (replication of the domain partition stays within the domain)

(Skill 7)

Figure 1-18 Domain models

(Skill 7)

Figure 1-19 Account Policies

(Skill 7)

Planning a Domain Namespace

Choose a unique domain name for your organization

Register it with a registrar that manages the Internet DNS namespace for that top-level domain

The registrar adds delegation entries on the top-level name servers that point to the authoritative name servers for your domain

Use this domain name to host your organization's Web site on the Internet

(Skill 8)

Planning a Domain Namespace (2)

DNS namespace types

Internal

External

Hybrid

(Skill 8)

Planning a Domain Namespace (3)

Internal namespace

Is not resolvable by hosts that use public (Internet) DNS servers

Used only by internal clients

Is well suited to hosting Active Directory because domain controller names and service records are never published to the Internet; choose a name your organization controls (or a subdomain of one), since an Active Directory domain name is difficult to change once the forest exists

(Skill 8)

Planning a Domain Namespace (4)

External namespace

Is resolvable from any client on the Internet

Is required for Internet-accessible resources, such as Web sites

Is typically a poor choice for hosting Active Directory, because the zone that has to be public would then also carry the domain controllers' host records and service location records

(Skill 8)

Planning a Domain Namespace (5)

Hybrid namespace

Hybrid designs provide the best of both worlds by dividing your namespace into two parts

One for public access

One for private access

One design method delegates a DNS subdomain of your registered name (for example ad.example.com under example.com) as the root of your internal Active Directory structure, so internal and public names never overlap

(Skill 8)

Figure 1-20 Hybrid namespace with DNS sub-domain

(Skill 8)

Planning a Domain Namespace (6)

Hybrid namespace

Another design method involves creating two disconnected zones for the same name (split DNS)

Create two separate zones for your domain on two separate servers

Place only the publicly accessible records on the external server, which is outside the firewall

Place both the public and private records on the internal server, which is behind the firewall, and point internal clients at that server

This solution reduces naming confusion for users, because the same name works inside and outside the network; the cost is that public records must be maintained in both zones, and the external server must never receive the internal records (domain controller hosts, _msdcs service records) or accept zone transfers from the internal one

(Skill 8)
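A split-DNS design only holds up if the external zone stays free of the internal records. The following Python is an added example, not part of the course material; it parses a small BIND-style zone text (constructed inline, with invented host names and addresses) and reports the records that should never appear in the copy published outside the firewall: service location (SRV) records, names under the Active Directory locator labels (_msdcs, _sites, _tcp, _udp), and A or AAAA records pointing at RFC 1918 private addresses.

```python
import ipaddress

# Labels that only the internal zone should carry: anything at or below them
# tells a client where the domain controllers are.
LOCATOR_LABELS = ("_msdcs", "_sites", "_tcp", "_udp")

# RFC 1918 ranges, checked explicitly rather than via ip_address.is_private,
# which also flags documentation ranges such as 203.0.113.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text, origin):
    """Minimal parser for single-line BIND-style records.

    Returns a list of (owner FQDN, type, rdata tokens).  $TTL/$ORIGIN lines,
    comments and the SOA record are skipped and multi-line records are not
    supported, which is enough for the constructed samples below.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner = tokens[0] if i > 0 else "@"
        if owner.isdigit():            # "3600 IN A ..." inherits the owner
            owner = "@"
        rtype, rdata = tokens[i + 1], tokens[i + 2:]
        if rtype == "SOA":
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn.rstrip("."), rtype, rdata))
    return records


def zone_leaks(text, origin):
    """Return (name, type, reason) for every record that must not be in the
    public copy of a split zone."""
    leaks = []
    for name, rtype, rdata in parse_zone(text, origin):
        labels = name.split(".")
        if rtype == "SRV":
            leaks.append((name, rtype, "service location record reveals server roles"))
        elif any(label in LOCATOR_LABELS for label in labels):
            leaks.append((name, rtype, "Active Directory locator name"))
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata[0])
            except (ValueError, IndexError):
                continue
            if any(addr in net for net in PRIVATE_NETS):
                leaks.append((name, rtype, f"private address {addr} exposed"))
    return leaks


# Constructed external zone: the public web and mail records are fine, but
# three internal records have been copied into it by mistake.
EXTERNAL_ZONE = """
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. ( 2004010101 3600 900 604800 300 )
@        IN NS   ns1.example.com.
@        IN A    203.0.113.10
www      IN A    203.0.113.10
mail     IN MX   10 mx.example.com.
dc1      IN A    10.0.0.5                                   ; leak: domain controller
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.example.com.      ; leak: locator record
gc._msdcs IN A   10.0.0.5                                   ; leak: global catalog alias
"""

if __name__ == "__main__":
    for name, rtype, reason in zone_leaks(EXTERNAL_ZONE, "example.com"):
        print(f"{name:40} {rtype:4} {reason}")
```

Run it against an export of the external zone before each change; an empty result is the expected state. The same check applied to the internal zone would report every domain controller record, which is exactly what the internal zone is supposed to contain.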

Figure 1-21 Hybrid namespace with two disconnected zones

(Skill 8)

Planning a Domain Namespace (7)

Naming guidelines

All Active Directory domain names should be static: renaming a domain after deployment is difficult

Keep it short, simple, and easy to remember

Use standard DNS characters (letters a to z, digits 0 to 9, and the hyphen; a label may not begin or end with a hyphen)

Limit the domain name to 63 characters including the periods; no single label may exceed 63 characters either

The Fully Qualified Domain Name (FQDN) of a host, including its domain name, can be up to 255 characters

(Skill 8)
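The naming guidelines above are mechanical enough to check before a forest is created. The following Python is an added example rather than a tool from the course; it applies the character, label-length, name-length and FQDN-length rules from this slide to a proposed name and returns every violation it finds. The single-label check goes beyond the slide and reflects Microsoft's general advice against single-label DNS domain names; the limits and message wording are this example's own choices.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
MAX_LABEL = 63          # DNS limit per label
MAX_DOMAIN_NAME = 63    # the slide's limit for the domain name, periods included
MAX_FQDN = 255          # DNS limit for a host's fully qualified name


def check_domain_name(name, host=None):
    """Return a list of problems with a proposed Active Directory DNS domain
    name; an empty list means it passes every check.

    `host` is an optional host name that is prepended to form a FQDN so the
    255-character limit can be checked for the longest host name planned.
    """
    problems = []
    name = name.strip().rstrip(".").lower()    # DNS names are case-insensitive
    if not name:
        return ["domain name is empty"]
    if len(name) > MAX_DOMAIN_NAME:
        problems.append(f"domain name is {len(name)} characters; limit is {MAX_DOMAIN_NAME} including periods")
    labels = name.split(".")
    if len(labels) < 2:
        # Not on the slide: single-label names cause DNS and locator trouble.
        problems.append("single-label name; use at least two labels, for example corp.example")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive or leading periods)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label '{label[:10]}...' is {len(label)} characters; limit is {MAX_LABEL}")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' uses characters outside a-z, 0-9 and hyphen, or begins/ends with a hyphen")
    if host is not None:
        fqdn = f"{host.lower()}.{name}"
        if len(fqdn) > MAX_FQDN:
            problems.append(f"FQDN is {len(fqdn)} characters; limit is {MAX_FQDN}")
    return problems


if __name__ == "__main__":
    for candidate in ("corp.example.com", "corp_example.com", "-corp.example.com", "corp"):
        print(candidate, "->", check_domain_name(candidate, host="dc1") or "ok")
```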

Guidelines for Planning a Site Structure

Sites

Map to the physical structure of an organization: a site is a set of well-connected IP subnets

Participate actively in the user logon and authentication process, because a client looks for a domain controller in its own site first

Play an important role in the directory replication process, because replication within a site and replication between sites are handled differently

(Skill 9)

Guidelines for Planning a Site Structure (2)

Directory replication

Can take place within a site or between sites

Within a site, Active Directory's Knowledge Consistency Checker (KCC) automatically generates a replication topology of connection objects

You can also create connection objects manually to control intra-site replication; the KCC does not alter or delete manually created connection objects, although it keeps generating its own alongside them unless automatic topology generation is turned off for the site

(Skill 9)

Figure 1-22 Replication within a site using a ring topology

(Skill 9)

Guidelines for Planning a Site Structure (3)

Site planning guidelines

Decide which domain controller the computers on a given subnet should use, by assigning the subnet to the site that holds that domain controller

To optimize logon traffic, ensure the availability of at least one domain controller per site

To optimize inter-site replication, schedule it on the site link so that it occurs when network traffic is light

(Skill 9)

Guidelines for Planning a Site Structure (4)

Site planning guidelines

Configure a powerful server as the preferred bridgehead server for inter-site replication; designate more than one, or leave the choice to the KCC, because if every preferred bridgehead in a site is unavailable, inter-site replication for that site stops

The bridgehead server is the domain controller in a site that replicates a directory partition with bridgehead servers in other sites; the other domain controllers in the site receive those changes through intra-site replication

Reduces the amount of replication traffic between sites, because each change crosses the inter-site link once instead of once per domain controller

(Skill 9)

Figure 1-23 Using a bridgehead server for inter-site replication

(Skill 9)

Guidelines for Planning a Site Structure (5)

Site planning guidelines

Place your domain controllers in the correct sites

By default, clients choose the correct site each time they get a new IP address, because the address is matched against the subnet objects assigned to each site

Domain controllers choose a site only when they are first promoted, and must be moved manually thereafter

(Skill 9)
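The DNS and site slides above describe one mechanism from two sides: a domain controller publishes SRV records, and a client uses its subnet-to-site mapping to ask for a domain controller in its own site before falling back to any domain controller in the domain. The following Python is an added example, not code from the course or from Windows; it models that lookup offline. The SRV record names are the ones Windows registers (_ldap._tcp.<site>._sites.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain>), the target selection follows RFC 2782 priority and weight, while the site names, subnet objects, domain controller names and the `locate_dc` function are constructed for illustration; the real DC locator additionally confirms its choice with an LDAP ping and caches the site name.

```python
import ipaddress
import random


def locator_names(domain, site=None, service="ldap"):
    """SRV names the DC locator queries, most specific first: the site-specific
    record under _sites, then the domain-wide record."""
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_{service}._tcp.dc._msdcs.{domain}")
    return names


def site_for_address(ip, subnet_sites):
    """Map a client address to a site using the most specific matching subnet
    object, as Active Directory does; None if no subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_sites.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else best[1]


def select_srv(records, rnd=random.random):
    """Pick one (priority, weight, port, target) record per RFC 2782: lowest
    priority wins, and within that priority the chance of being chosen is
    proportional to weight (weight-0 records are chosen only when nothing
    else is available)."""
    if not records:
        return None
    lowest = min(r[0] for r in records)
    group = [r for r in records if r[0] == lowest]
    group.sort(key=lambda r: r[1] != 0)          # weight-0 entries first
    total = sum(r[1] for r in group)
    if total == 0:
        return group[0]
    threshold = rnd() * total
    running = 0
    for rec in group:
        running += rec[1]
        if running >= threshold:
            return rec
    return group[-1]


def locate_dc(zone, domain, client_ip, subnet_sites, rnd=random.random):
    """Simplified DC locator: derive the client's site, try the site-specific
    SRV name, fall back to the domain-wide name, return (name, target, port)."""
    site = site_for_address(client_ip, subnet_sites)
    for name in locator_names(domain, site):
        rec = select_srv(zone.get(name, []), rnd)
        if rec:
            return name, rec[3], rec[2]
    return None


SUBNET_SITES = {               # constructed subnet objects
    "10.1.0.0/16": "Boston",
    "10.1.5.0/24": "Boston-Lab",   # more specific: wins over 10.1.0.0/16
    "10.2.0.0/16": "Seattle",
}
SAMPLE_ZONE = {                # constructed SRV data for corp.com
    "_ldap._tcp.Boston._sites.dc._msdcs.corp.com": [(0, 100, 389, "dc1.corp.com")],
    "_ldap._tcp.Seattle._sites.dc._msdcs.corp.com": [(0, 100, 389, "dc3.corp.com")],
    "_ldap._tcp.dc._msdcs.corp.com": [
        (0, 100, 389, "dc1.corp.com"),
        (0, 100, 389, "dc2.corp.com"),
        (10, 100, 389, "dc3.corp.com"),   # used only if the priority-0 DCs are gone
    ],
}

if __name__ == "__main__":
    for ip in ("10.1.9.9", "10.1.5.7", "10.2.0.4", "192.168.1.1"):
        print(ip, site_for_address(ip, SUBNET_SITES), locate_dc(SAMPLE_ZONE, "corp.com", ip, SUBNET_SITES))
```

The Boston-Lab case is the one worth noticing: the subnet is assigned to a site with no domain controller of its own, so the client silently falls back to the domain-wide record and may authenticate across the WAN, which is the situation the "at least one domain controller per site" guideline exists to prevent.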