MC MCSE: Introduction to Windows 2000 Active Directory Architecture. http://www.mcmcse.com/microsoft/guides/ad.shtml

Active Directory Study Guide

What is Active Directory?
Active Directory or A.D. is the antithesis of NT 4.0's LanManager. It is essentially a database of network resources (known as objects) and information about each of these objects. This is not a new concept as Novell and Banyan have used directory services for years. Familiarity with Novell 4.11 will greatly improve the time it takes to become comfortable with this new network management system as many of AD's features and terminology are very similar to that of Novell Directory Services (NDS).

Why Active Directory?

While NT 4.0 was a pretty good networking operating system, it wasn't entirely equipped for enterprise networking. The network neighborhood was a great tool until you had a huge network; then browsing problems would begin and finding a particular printer or server could become a nightmare, especially if you didn't know the name of it. Furthermore, in order to even accommodate such a network, you would most likely have to partition it into several domains connected with trust relationships. AD solves many of these problems and offers a new level of scalability and organization for enterprise computing. The directory of each domain can store as many as 10 million objects, which is enough to accommodate millions of users per domain.
Directory Architecture:

First let's introduce the concept of "Sites". Sites are used to define the boundaries of high-speed links on a network containing Active Directory servers. Sites are based on IP subnets and are defined as a "well-connected subnet or subnets". Do not confuse this term with the concept of domains, which are discussed next.

One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still the centerpiece of a Windows 2000 network; however, it is set up differently. Domain controllers are no longer separated into PDCs and BDCs. Now there are simply DCs (Domain Controllers). By default, all Win2K servers are installed as Standalone Member Servers. DCPROMO.EXE is the Active Directory Installation Wizard and is used to promote a non-domain controller to a DC and vice versa. The wizard prompts for all of the required information to install Active Directory under the conditions that you have asked it to run.

Knowledge Consistency Checker (KCC) - This is a service created in order to ensure that the Active Directory service in the Windows 2000 operating system can replicate properly. It runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any point where replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Each domain controller in a domain is capable of accepting requests for changes to the domain database and replicating that information with the other DCs in the domain. The first domain that is created is referred to as the "root domain" and is at the top of the directory tree. All subsequent domains will live beneath the root domain and are referred to as child domains. The child domain names must be unique. As you are viewing the items below, pay attention to how Windows 2000 now supports internet naming conventions.

When a root domain and at least 1 child domain have been created, a "tree"
is formed. Remember and understand this term as you will hear it often
when working with a directory service.

You can see that the structure begins to take the shape of a tree with
branches and sub-branches. Now what if we are a company like Microsoft or
DuPont that owns several other corporations. Typically, each company
would have its own tree and these would be aggregated together via trusts
to create a "forest". Let's look at an example using our site.

So let's say that our company owns techtutorials.com (actually that is true) and xyzabc. You can see that the individual trees are organized just like the root domain (mcmcse).

Trusts Overview:
Trusts are much more easily managed in Windows 2000 than in NT 4.0.
There are 2 main reasons that this is the case.

1. When a new domain is added, trust relationships are automatically configured.
2. Trusts are now commutative 2-way trusts. This means that if domain A trusts domain B then the reverse is automatically true. In Windows NT 4.0 trusts had to be administered as a series of 1-way trusts and could be quite cumbersome.
3. Trusts are automatically transitive, which means that if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C and vice versa.

These changes save an administrator some of the time-consuming administration efforts spent creating and maintaining trusts that were required in NT 4.0. 1-way trusts can still be created when necessary.

Directory Components:
Now that we have looked at the big picture, it is time to take a look at what happens inside a domain. To get started, the first concept that you will need to understand is what the directory is made of. A common analogy for a directory is a phonebook. Both contain listings of various objects and information and properties about them. Within the directory are several other terms that you must know to gain even an entry-level understanding as to how it all works.

Objects - Objects in the database can include printers, users, servers, clients, shares, services, etc. and are the most basic component of the directory.

Attributes - An attribute describes an object. For example, passwords and names are attributes of user objects. Different objects will have a different set of attributes that define them; however, different objects may also share attributes. For example, a printer and a Windows 2000 Professional Workstation may both have an IP address as an attribute.

Schema - A schema defines the list of attributes that describe a given type of object. For example, let's say that all printer objects are defined by name, PDL type and speed attributes. This list of attributes comprises the schema for the object class "printers". The schema is customizable, meaning that the attributes that define an object class can be modified.

Containers - A container is very similar to the folder concept in Windows. A folder contains files and other folders. In Active Directory, a container holds objects and other containers. Containers have attributes just like objects even though they do not represent a real entity like an object. The 3 types of containers are Domains, Sites and Organizational Units and are explained in more detail below.

    Domains - We have already discussed this concept in the preceding paragraphs.

    Sites - A site is a location. Specifically, sites are used to distinguish between local and remote locations. For example, company XYZ has its headquarters in San Francisco, a branch office in Denver and an office that uses DUN to connect to the main network from Portland. These are 3 different sites.

    Organizational Units - Organizational units are containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. Because organizational units can contain other OUs, a hierarchy of containers can be created to model your organization's structure and hierarchy within a domain. Organizational units should be used to help minimize the number of domains required for a network.

Now that we know what these concepts mean, let's take a visual look at
what is going on inside a domain.

The folder symbols represent Organizational Unit (OU) containers and within each of these we find objects such as printers, servers, computers, users, etc. Instead of objects directly located inside these OUs, there could be more OU containers.

Object Names:
Most of us are used to the 15 character NetBIOS naming conventions of NT 4.0. Things are quite different now as Windows 2000 uses Lightweight Directory Access Protocol (LDAP) to supply the naming convention. This is a fairly complicated naming system for those of you without experience with Novell's context concept. The 2 basic concepts that you need to know are distinguished names and common names. Distinguished names are the complete "path" through the hierarchical tree structure to a specific object. This is similar to specifying the complete path to a file from a DOS prompt. This "path" points to the location of an object in the hierarchy. Let's take a look in more detail.

The following are the components that make up a distinguished name:

OU - Organizational Unit. This attribute is used to divide a namespace based on organizational structure as previously discussed. An OU usually is associated with an Active Directory container or folder.

DC - Domain Component. A distinguished name that uses DC attributes will have one DC for every domain level below root. Another way of thinking of this would be that there would be a DC attribute for every item separated by a dot in the domain name.

CN - Common Name. This attribute represents the object itself within the directory service.

NOTE: Contrary to information that is currently posted online (even on Microsoft's site), AD doesn't support C= and O= objects as Novell has. The information that you may see posted refers to NT 5 development.

Here is an example of a distinguished name:

CN=Jason Sprague,CN=Users,DC=mcmcse,DC=COM

Now let's say that I was a member of the sales.mcmcse.com domain. My new DN would be:

CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM

And what about my computer called WOPR? It would be:

CN=WOPR,CN=Computers,DC=mcmcse,DC=COM
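As an added example (not code from the guide), the following Python builds a DN from a domain name and container path exactly as above, one DC= component per dot-separated label, and parses one back into its components. The name "Sprague, Jason" and the Sales OU are assumed for illustration; escaped commas are handled so that a comma inside a name cannot split the DN.

```python
# Added example, not code from the MC MCSE guide: build and parse LDAP
# distinguished names the way the guide describes them. Every dot-separated
# label of the DNS domain name becomes one DC= component, and the container
# path (CN=Users, OU=Sales, ...) sits between the object's CN and the DC
# components. All names used here are constructed for illustration.
from __future__ import annotations
import re


def dn_from_domain(domain: str) -> str:
    """'sales.mcmcse.com' -> 'DC=sales,DC=mcmcse,DC=com' (one DC per label)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def escape_value(value: str) -> str:
    """Escape characters that would otherwise be read as DN syntax.
    A comma inside a value (e.g. 'Sprague, Jason') must not split the DN."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def unescape_value(value: str) -> str:
    """Undo escape_value: '\\,' -> ',' and '\\\\' -> '\\'."""
    return re.sub(r"\\(.)", r"\1", value)


def build_dn(common_name: str, containers: list[tuple[str, str]], domain: str) -> str:
    """Assemble a DN from the object's CN outward through its containers
    (innermost first, as (attribute, name) pairs) to the domain components."""
    rdns = [f"CN={escape_value(common_name)}"]
    rdns += [f"{attr.upper()}={escape_value(name)}" for attr, name in containers]
    return ",".join(rdns) + "," + dn_from_domain(domain)


def split_rdns(dn: str) -> list[str]:
    """Split on commas that are not escaped with a backslash."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute, value), ...] in path order; rejects malformed RDNs."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), unescape_value(value)))
    return pairs


def domain_of(dn: str) -> str:
    """Recover the DNS domain name by joining the DC components with dots."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")
```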

Windows 2000 also supports several other naming conventions in addition to distinguished names, as listed in the table below.

Naming Convention                   Example
Friendly name/RFC 822               jsprague@mcmcse.com
LDAP URL                            LDAP://mcmcse.com/CN=jsprague,OU=sales,O=MCMCSE,C=US
Universal Naming Convention (UNC)   \\mcmcse.com\documents\webpages\index.shtml

Global Catalog:
So now that we have seen how complicated the naming conventions can be, let's look at the tool that makes it all manageable. Windows 2000 includes a service called the Global Catalog (GC) that is used to locate any objects on a network to which a particular user has been granted access. The searches that can be performed are far more advanced than those included in NT 4.0, and the GC is capable of locating objects not only by name, but by attributes as well. So if I have a 50 page document and I need 1000 copies made, I probably won't want to send it to an HP 5si. I need to find a production printer that can print at least 100ppm and has the capability of binding the document. The Global Catalog allows me to search the network for a printer that has these attributes. I find a Xerox Docutech 6135. I can add the driver and send the print job. But what if I am in Portland and the printer is in Seattle? The GC will provide this information and I can email the owner of the printer and ask them to ship the job to me via our internal mail system. Still a little confused? Let's take a look at another example. Let's say that I get a voice mail from someone named Betty Doe in the payroll department. Her voicemail is garbled and I can't understand her phone number. I can use the GC to search for her by name and then access her phone number (assuming that our network administrator has stored the phone number attribute for users in the schema). What other previously existing application has features similar to this? The answer is Microsoft Exchange. Exchange also has a global catalog that allows you to find users by name. GC is a scaled-up version of this feature in Exchange in that it allows you to find objects based on a variety of customizable attributes.

When a new object is created in AD, it is assigned a unique number called a GUID (globally unique identifier). The GUID is useful because it stays the same for any given object even if the object is moved. The GUID is a 128-bit identifier, which means that applications that reference objects in Active Directory can record the GUIDs for objects and use the GC to find them even if they have been moved.

REPLICATION:
Windows 2000 networks will rely heavily on AD, and thus, it will be very
important that the service is running, fast and accessible at all times. In
order to accomplish this, the AD database must exist on multiple servers so
that if one server fails, a client can contact a server with duplicate services
and information. This not only creates redundancy, but reduces the load on
individual servers. All that needs to be done for a domain controller to
become a replication partner is to add it to the AD domain.

One of the most complex parts of making redundant servers work properly
is replicating the information and ensuring that all servers have the most
up-to-date content. Active Directory uses multimaster replication, which is
another way of stating that updates can occur on any Active Directory
server. This also means that there is not a master domain controller and all
DCs work together in a peer relationship. Each server keeps track of which
updates it has received from which servers, and can intelligently request
only necessary updates in case of a failure. This is accomplished via the use
of unique sequence numbers (USN). Every time an update is made, it is
assigned a unique sequence number from a counter that is incremented
whenever a change is made.
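As an added example, not code from the guide, this Python models the USN bookkeeping described above with three constructed DCs: each DC numbers its own updates from a local counter, remembers the highest USN it holds from every originating DC, and asks a partner only for what is newer, so a DC that was down simply resumes from its marks. The per-originator table is a simplification of what AD actually tracks, and the DC names, DNs and attribute values are made up.

```python
# Added example, not code from the MC MCSE guide: a toy model of the
# multimaster replication the guide describes. Each DC numbers its own
# originating updates with a USN counter, remembers the highest USN it has
# seen from every originating DC, and asks a partner only for changes above
# those marks. DC names, DNs and attribute values are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    originating_dc: str   # DC where the update was originally written
    usn: int              # that DC's counter value when it was written
    dn: str
    attribute: str
    value: str


@dataclass
class DomainController:
    name: str
    usn_counter: int = 0
    log: list = field(default_factory=list)       # changes held, in receipt order
    seen: dict = field(default_factory=dict)      # originating DC -> highest USN held
    objects: dict = field(default_factory=dict)   # dn -> {attribute: value}

    def write(self, dn: str, attribute: str, value: str) -> int:
        """An originating update: bump the local counter and stamp the change."""
        self.usn_counter += 1
        self._apply(Change(self.name, self.usn_counter, dn, attribute, value))
        return self.usn_counter

    def _apply(self, change: Change) -> None:
        self.log.append(change)
        self.objects.setdefault(change.dn, {})[change.attribute] = change.value
        self.seen[change.originating_dc] = max(
            self.seen.get(change.originating_dc, 0), change.usn)

    def changes_since(self, seen: dict) -> list[Change]:
        """Serve a partner only what is newer than its marks, per originator."""
        return [c for c in self.log if c.usn > seen.get(c.originating_dc, 0)]

    def pull_from(self, partner: DomainController) -> int:
        """Request and apply the changes we lack; returns how many arrived.
        The request carries our own marks, so after an outage we resume
        from exactly where we left off instead of refetching everything."""
        new = partner.changes_since(self.seen)
        for change in new:
            self._apply(change)
        return len(new)


def demo() -> tuple:
    """Three DCs in one domain; returns the change counts of each pull."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    user = "CN=Jason Sprague,CN=Users,DC=mcmcse,DC=com"
    a.write(user, "telephoneNumber", "555-0100")                          # DC-A USN 1
    b.write("CN=WOPR,CN=Computers,DC=mcmcse,DC=com", "description", "print server")
    first = c.pull_from(a)    # 1: DC-C holds nothing from DC-A yet
    second = c.pull_from(a)   # 0: nothing newer than DC-C's mark for DC-A
    a.write(user, "title", "Author")                                      # DC-A USN 2
    third = c.pull_from(a)    # 1: only USN 2 crosses the wire
    fourth = c.pull_from(b)   # 1: DC-B's change reaches DC-C
    fifth = a.pull_from(c)    # 1: DC-A gets DC-B's change via DC-C, not its own back
    return first, second, third, fourth, fifth, a.objects == c.objects
```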

Flexible Single Master Operation:
To prevent update conflicts in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master network model, only one domain controller in an Active Directory handles updates. Windows 2000 Active Directory extends the single-master model to include multiple roles and the ability to transfer roles to any DC. Since an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation role. There are five FSMO roles as follows:

Schema Master
Remember from earlier that the schema is a list of attributes that define a given object type. The schema master FSMO role is the DC responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

Domain Naming Master
The Domain Naming Master controls the addition of domains in a forest. This DC is the only one that can add or remove a domain from the directory.

RID Master
The RID Master (Relative Identifier Master) works with domain controllers to assign unique SIDs to each object that requires one. Each object gets a domain SID that is common to all objects in a domain. What makes SIDs unique is the RID, which is unique to all objects in the domain. The RID Master is also responsible for removing an object from its domain and putting it in another domain when an object is moved.

PDC Emulator
The PDC Emulator acts like a PDC from a Windows NT 4.0 network and is necessary in domains that are not pure Windows 2000 (i.e. have Windows 95/98/NT down-level clients). If the domain is running in Native Mode then this server is the "preferred" replication partner for the other DCs for password changes and also handles account lockouts and authentication failures.

Infrastructure Daemon
Updates user to group memberships when changes are made.
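As an added example, not code from the guide, the Python below splits a constructed domain account SID into the domain SID that all objects share and the per-object RID, and models a RID Master issuing non-overlapping RID pools to DCs (500 RIDs per pool by default) so that objects created on different DCs at the same time never collide. The domain SID and DC names are made-up values.

```python
# Added example, not code from the MC MCSE guide: how a domain SID and a
# RID combine into an object SID, and how a RID Master that hands out
# non-overlapping RID pools keeps SIDs minted on different DCs unique.
# The domain SID and DC names below are constructed values.
from __future__ import annotations
import re

# Domain account SIDs look like S-1-5-21-<sub>-<sub>-<sub>-<RID>.
_DOMAIN_ACCOUNT_SID = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain_sid, rid). The domain SID is common to every object in
    the domain; only the trailing RID differs between them."""
    m = _DOMAIN_ACCOUNT_SID.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def same_domain(sid_a: str, sid_b: str) -> bool:
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


class RidMaster:
    """The single DC holding the RID Master role: the only source of RID pools."""

    def __init__(self, first_rid: int = 1000, pool_size: int = 500) -> None:
        self.next_rid = first_rid
        self.pool_size = pool_size
        self.pools_issued = 0

    def allocate_pool(self) -> tuple[int, int]:
        low = self.next_rid
        self.next_rid += self.pool_size
        self.pools_issued += 1
        return low, self.next_rid - 1      # inclusive range, never reissued


class DomainController:
    """Any DC: mints object SIDs from its own pool, asking the master for more."""

    def __init__(self, name: str, domain_sid: str, master: RidMaster) -> None:
        self.name = name
        self.domain_sid = domain_sid
        self.master = master
        self.pool_end = -1
        self.next_rid = 0

    def new_object_sid(self) -> str:
        if self.next_rid > self.pool_end:      # pool exhausted (or never had one)
            self.next_rid, self.pool_end = self.master.allocate_pool()
        rid = self.next_rid
        self.next_rid += 1
        return f"{self.domain_sid}-{rid}"


def demo(objects_per_dc: int = 5, pool_size: int = 3) -> tuple:
    """Two DCs create objects in parallel; tiny pools force several refills."""
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    master = RidMaster(first_rid=1000, pool_size=pool_size)
    dcs = [DomainController(n, domain_sid, master) for n in ("DC-A", "DC-B")]
    # Objects are created alternately on both DCs without them coordinating.
    sids = [dc.new_object_sid() for _ in range(objects_per_dc) for dc in dcs]
    all_unique = len(sids) == len(set(sids))
    all_same_domain = all(same_domain(sids[0], s) for s in sids)
    return all_unique, all_same_domain, master.pools_issued, split_sid(sids[0])[1]
```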

Security:
There are now three types of groups in Windows 2000:
Domain Local (similar to a local group)
Global
Universal groups

The rules remain the same for Local and Global groups, except that you can
now nest groups in Native mode. Universal groups can have membership
from any domain and can be used to assign access to any resource in any
domain. Accounts go into Global Groups which then go into local groups
that are assigned permissions to use a resource.

Each group can have one of two functions in Native mode - distribution or
security. Security groups are the ones we are familiar with in NT4 while
distribution groups will be used primarily with Exchange 2000 or any other
Active Directory mail application.

Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and is designed to enable administrators to control the environment with minimal effort. Group Policy is administered through the Group Policy Microsoft Management Console (MMC) snap-in. Group policies are not applied to "groups", but we can apply them to OUs. There are five major categories that group policies can be configured for:

Folder redirection - Store users' folders (my documents, my pictures) on the network.
Security - Similar to account policies under user manager in NT4 - includes settings for the local computer, the domain, and network security.
Administrative Templates - NT4 administrators will recognize this section as system policies - in a much more convenient and flexible configuration. Included are desktop, application, and system settings.
Software Installation - Completely new - enables an administrator to have software installed automatically at the client machine - or removed automatically.
Scripts - Similar to logon scripts in NT4, but we can now specify a startup and a shutdown script for the computer as well as a logon and a logoff script for the user.

An administrator can create several Group Policy Objects (GPO) in a given Group Policy Container (GPC) and assign the appropriate GPO to the computers or users that need the settings contained in that GPO. If you want to exclude certain users or computers from processing the GPO assigned to the Site/Domain/OU that they belong to, you can simply remove the users' or groups' "apply group policy" permissions. This effectively creates a filter. You can also delegate control over GPOs so that a manager can change what a GPO does for his or her department, but can't create any new GPOs or change the scope of a GPO.

It is also possible to disable group policy objects without deleting them. If you do this (from Group Policy - Options) it will only disable it for that container and any sub-containers that inherit the settings. If another administrator "linked" to that GPO from another container, then the GPO is still active in that container.

Software can be efficiently deployed, updated and removed using Group Policies and two technologies built into Windows 2000 - Windows Installer and Software Installation and Maintenance.

Windows Installer will replace Setup.exe for many applications. Its advantages include the ability to build custom installations, enable programs to "repair" themselves if a critical file is missing or corrupt and to remove themselves very cleanly when necessary.

Software Installation and Maintenance combines Group Policies and Active Directory technologies to enable an administrator to install, manage and remove software across the network. This is only available for Windows 2000 clients.

When you deploy software, you can choose to assign it or publish it.
Assigned software can be targeted at users or computers. If you assign an
application to a USER, the icons show up on the desktop and/or start menu,
but the program is only installed when the user runs it for the first time. If
it is assigned to a COMPUTER, it's installed the next time the system is
restarted.

If you publish an application, the user can install it through Add/Remove Programs or through opening a file that requires that particular program (a file association). Published programs cannot self-repair, cannot be published to computers and are not advertised on the users' desktop or start menu - only through Add/Remove Programs.

Assigned applications require a Windows Installer file (.msi) while published applications can use Windows Installer files or ZAP files. A .ZAP file is an administrator-created text file that specifies the parameters of the program to be installed and the file extensions associated with it. Installations that utilize .ZAP files cannot self-repair or install with higher privileges and will typically require user intervention to completely install.

You can deploy upgrades using GPOs simply by specifying which program is to be upgraded and whether or not it is a mandatory upgrade. You can apply service packs or patches by "re-deploying" an existing Group Policy with the new information regarding the service pack.

Active Directory Utilities:

Utility        Purpose
SIDwalker      Security Administration Tools. Consists of 3 programs: showaccs.exe, sidwalk.exe and Security Migration Editor (MMC snap-in). The first two are used to examine and change ACL entries. Security Migration Editor edits mappings between old and new security IDs (SIDs).
repadmin.exe   Replication Diagnostics Tool. Check replication consistency between partners, status, force replication events and knowledge consistency checker recalculation.
acldiag.exe    ACL Diagnostics. Used to determine whether users have been granted/denied access to AD objects. Can be used to reset Access Control Lists to their default values.
ADSI Edit      Low-level editor for Active Directory which enables adding, moving, and deleting objects within Active Directory.
dfsutil.exe    Distributed File System Utility. Manages all aspects of the distributed file system.
dnscmd.exe     DNS Server Troubleshooting Tool. Check dynamic registration of DNS resource records including secure DNS update and unregister resource records.
dsacls.exe     View or modify ACLs of objects in AD.
nltest.exe     Create a list of PDCs, force a shutdown, provide info about trusts and replication.
dsastat.exe    Active Directory Diagnostic Tool. Compare naming contexts on Domain Controllers and detect differences.
ldp.exe        Allows LDAP operations to be performed against Active Directory.
movetree.exe   AD Object Manager. Move AD objects like OUs and users between domains in a single forest.
netdom.exe     Windows 2000 Domain Manager. Used to manage Windows 2000 domains and trust relationships.
replmon.exe    Active Directory Replication Monitor. Graphically displays replication topology, monitor status, force replication and knowledge consistency checker recalculation.
sdcheck.exe    Security Descriptor Check Utility. Verify ACL propagation and replication for specified objects in a directory.

Clients:
As a postscript, we thought that we should include information about older Windows clients such as Windows NT 4.0 and Windows 9x. Microsoft is providing an add-on for Windows 95, Windows 98, and Windows NT 4.0 that allows those clients to take advantage of many of the features provided by the Windows 2000 AD. More information about this can be found here.
