Active Directory Study Guide

What is Active Directory?
Active Directory or A.D. is the antithesis of NT 4.0's LanManager. It is essentially a database of network resources (known as objects) and information about each of these objects. This is not a new concept, as Novell and Banyan have used directory services for years. Familiarity with Novell 4.11 will greatly reduce the time it takes to become comfortable with this new network management system, as many of AD's features and terminology are very similar to those of Novell Directory Services (NDS).

Why Active Directory?

While NT 4.0 was a pretty good networking operating system, it wasn't entirely equipped for enterprise networking. The network neighborhood was a great tool until you had a huge network; then browsing problems would begin and finding a particular printer or server could become a nightmare, especially if you didn't know the name of it. Furthermore, in order to even accommodate such a network, you would most likely have to partition it into several domains connected with trust relationships. AD solves many of these problems and offers a new level of scalability and organization for enterprise computing. The directory of each domain can store as many as 10 million objects, which is enough to accommodate millions of users per domain.

Directory Architecture:

First let's introduce the concept of "Sites". Sites are used to define the boundaries of high-speed links on a network containing Active Directory servers. Sites are based on IP subnets and are defined as a "well-connected subnet or subnets". Do not confuse this term with the concept of domains, which are discussed next.

One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still the centerpiece of a Windows 2000 network; however, it is set up differently. Domain controllers are no longer separated into PDCs and BDCs. Now there are simply DCs (Domain Controllers). By default, all Win2K servers are installed as Standalone Member Servers. DCPROMO.EXE is the Active Directory Installation Wizard and is used to promote a non-domain controller to a DC and vice versa. The wizard prompts for all of the required information to install Active Directory under the conditions that you have asked it to run.

Knowledge Consistency Checker (KCC) - This is a service created in order to ensure that the Active Directory service in the Windows 2000 operating system can replicate properly. It runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any point where replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.
1 of 8 16/1/2009 1:43 μμ
MC MCSE: Introduction to Windows 2000 Active Directory Architecture. http://www.mcmcse.com/microsoft/guides/ad.shtml
When a root domain and at least 1 child domain have been created, a "tree" is formed. Remember and understand this term, as you will hear it often when working with a directory service.

You can see that the structure begins to take the shape of a tree with branches and sub-branches. Now what if we are a company like Microsoft or DuPont that owns several other corporations? Typically, each company would have its own tree and these would be aggregated together via trusts to create a "forest". Let's look at an example using our site.
Trusts Overview:
Trusts are much more easily managed in Windows 2000 than in NT 4.0.
There are 2 main reasons that this is the case.
Directory Components:

Now that we have looked at the big picture, it is time to take a look at what happens inside a domain. To get started, the first concept that you will need to understand is what the directory is made of. A common analogy for a directory is a phonebook. Both contain listings of various objects and information and properties about them. Within the directory are several other terms that you must know to gain even an entry level understanding of how it all works.

Now that we know what these concepts mean, let's take a visual look at what is going on inside a domain.
Object Names:

Most of us are used to the 15 character NetBIOS naming conventions of NT 4.0. Things are quite different now, as Windows 2000 uses the Lightweight Directory Access Protocol (LDAP) to supply the naming convention. This is a fairly complicated naming system for those of you without experience with Novell's context concept. The 2 basic concepts that you need to know are distinguished names and common names. Distinguished names are the complete "path" through the hierarchical tree structure to a specific object. This is similar to specifying the complete path to a file from a DOS prompt. This "path" points to the location of an object in the hierarchy. Let's take a look in more detail.

Now let's say that I was a member of the sales.mcmcse.com domain. My new DN would be:

CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM
LDAP URL: LDAP://mcmcse.com/CN=jsprague,OU=sales,O=MCMCSE,C=US
Universal Naming Convention (UNC): \\mcmcse.com\documents\webpages\index.shtml
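As an added example that is not part of the study guide, the Python below splits a distinguished name like the one above into its RDNs, derives the domain's DNS name from the DC= components, and escapes a user-typed name before it goes into an LDAP search filter of the kind a Global Catalog lookup by common name would use; the function names are my own.

```python
# Added example (not from the study guide): split an Active Directory
# distinguished name into its RDN components, derive the domain's DNS name
# from the DC= parts, and escape a name before it is placed in an LDAP
# search filter. In a DN a backslash quotes the next character, so an
# escaped comma inside a value does not split the path.

def parse_dn(dn):
    """Return a list of (attribute_type, value) pairs, leaf first."""
    rdns, attr, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=': %r" % dn)
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is None or escaped:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, "".join(buf)))
    return rdns

def dns_domain(dn):
    """Join the DC components into the domain's DNS name."""
    return ".".join(v.lower() for t, v in parse_dn(dn) if t == "DC")

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so a name typed
    into a directory search cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(common_name):
    """Filter for a Global Catalog style lookup of a user by common name."""
    return "(&(objectClass=user)(cn=%s))" % escape_filter_value(common_name)

if __name__ == "__main__":
    dn = "CN=Jason Sprague,CN=Users,DC=sales,DC=mcmcse,DC=COM"
    print(parse_dn(dn))
    print(dns_domain(dn))          # sales.mcmcse.com
    print(user_search_filter("Doe (Payroll)"))
```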
Global Catalog:

So now that we have seen how complicated the naming conventions can be, let's look at the tool that makes it all manageable. Windows 2000 includes a service called the Global Catalog (GC) that is used to locate any objects on a network to which a particular user has been granted access. The searches that can be performed are far more advanced than those included in NT 4.0, and the GC is capable of locating objects not only by name but by attributes as well. So if I have a 50 page document and I need 1000 copies made, I probably won't want to send it to an HP 5si. I need to find a production printer that can print at least 100ppm and has the capability of binding the document. The Global Catalog allows me to search the network for a printer that has these attributes. I find a Xerox Docutech 6135. I can add the driver and send the print job. But what if I am in Portland and the printer is in Seattle? The GC will provide this information and I can email the owner of the printer and ask them to ship the job to me via our internal mail system. Still a little confused? Let's take a look at another example. Let's say that I get a voice mail from someone named Betty Doe in the payroll department. Her voicemail is garbled and I can't understand her phone number. I can use the GC to search for her by name and then access her phone number (assuming that our network administrator has stored the phone number attribute for users in the schema). What other previously existing application has features similar to this? The answer is Microsoft Exchange. Exchange also has a global catalog that allows you to find users by name. The GC is a scaled up version of this feature in Exchange in that it allows you to find objects based on a variety of customizable attributes.
REPLICATION:
Windows 2000 networks will rely heavily on AD, and thus, it will be very
important that the service is running, fast and accessible at all times. In
order to accomplish this, the AD database must exist on multiple servers so
that if one server fails, a client can contact a server with duplicate services
and information. This not only creates redundancy, but reduces the load on
individual servers. All that needs to be done for a domain controller to
become a replication partner is to add it to the AD domain.
One of the most complex parts of making redundant servers work properly
is replicating the information and ensuring that all servers have the most
up-to-date content. Active Directory uses multimaster replication, which is
another way of stating that updates can occur on any Active Directory
server. This also means that there is not a master domain controller and all
DCs work together in a peer relationship. Each server keeps track of which
updates it has received from which servers, and can intelligently request
only necessary updates in case of a failure. This is accomplished via the use
of unique sequence numbers (USN). Every time an update is made, it is
assigned a unique sequence number from a counter that is incremented
whenever a change is made.
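The USN bookkeeping described above, as an added example that is not part of the study guide: a two-DC Python model in which each DC stamps its own changes with a local counter and keeps a per-partner high-watermark so that a pull after an outage fetches only what it has not seen. The class and method names are mine, and the attribute names and phone numbers are constructed sample data.

```python
# Added example (not from the study guide): a two-DC model of multimaster
# replication driven by update sequence numbers. Each DC stamps every local
# change with its own increasing USN and keeps, per partner, the highest USN
# it has already pulled (its high-watermark), so a sync after an outage
# requests only the changes it has not seen. Class and method names are mine.

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # local counter, incremented on every change
        self.changes = []     # (usn, originating_dc, attribute, value)
        self.watermark = {}   # partner name -> highest USN pulled so far
        self.objects = {}     # attribute -> current value

    def write(self, attribute, value):
        """Originate a change locally and stamp it with the next USN."""
        self.usn += 1
        self.changes.append((self.usn, self.name, attribute, value))
        self.objects[attribute] = value
        return self.usn

    def pull_from(self, partner):
        """Fetch only changes above our watermark; return how many came."""
        seen = self.watermark.get(partner.name, 0)
        new = [c for c in partner.changes if c[0] > seen]
        for usn, origin, attribute, value in new:
            if origin != self.name:   # skip our own change echoed back
                self.objects[attribute] = value
                # Re-stamp locally so other partners can pull it from us.
                self.usn += 1
                self.changes.append((self.usn, origin, attribute, value))
        if new:
            self.watermark[partner.name] = new[-1][0]
        return len(new)

def demo():
    """Constructed scenario: DC2 syncs twice from DC1 and only the second
    write to bdoe's phone number travels on the second pull."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("jsprague/telephoneNumber", "555-0100")
    dc1.write("bdoe/telephoneNumber", "555-0101")
    first = dc2.pull_from(dc1)      # initial sync: 2 changes
    dc1.write("bdoe/telephoneNumber", "555-0199")
    second = dc2.pull_from(dc1)     # incremental: 1 change
    return first, second, dc2.objects["bdoe/telephoneNumber"]

if __name__ == "__main__":
    print(demo())                   # (2, 1, '555-0199')
```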
Flexible Single Master Operation (FSMO) role. There are five FSMO roles as follows:

Schema Master
Remember from earlier that the schema is a list of attributes that define a given object type. The schema master FSMO role is the DC responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

Domain Naming Master
The Domain Naming Master controls the addition of domains in a forest. This DC is the only one that can add or remove a domain from the directory.

RID Master
The RID Master (Relative Identifier Master) works with domain controllers to assign unique SIDs to each object that requires one. Each object gets a domain SID that is common to all objects in a domain. What makes SIDs unique is the RID, which is unique to all objects in the domain. The RID Master is also responsible for removing an object from its domain and putting it in another domain when an object is moved.

PDC emulator
The PDC Emulator acts like a PDC from a Windows NT 4.0 network and is necessary in domains that are not pure Windows 2000 (i.e. have Windows 95/98/NT down-level clients). If the domain is running in Native Mode then this server is the "preferred" replication partner for the other DCs for password changes and also handles account lockouts and authentication failures.
Infrastructure Daemon
Updates user to group memberships when changes are made.
Security:
There are now three types of groups in Windows 2000:
Domain Local (similar to a local group)
Global
Universal groups
The rules remain the same for Local and Global groups, except that you can
now nest groups in Native mode. Universal groups can have membership
from any domain and can be used to assign access to any resource in any
domain. Accounts go into Global Groups which then go into local groups
that are assigned permissions to use a resource.
Each group can have one of two functions in Native mode - distribution or
security. Security groups are the ones we are familiar with in NT4 while
distribution groups will be used primarily with Exchange 2000 or any other
Active Directory mail application.
Group Policy:
Group Policy in Windows 2000 is one of its largest administrative enhancements and is designed to enable administrators to control the environment with minimal effort. Group Policy is administered through the Group Policy Microsoft Management Console (MMC) snap-in. Group policies are not applied to "groups", but we can apply them to OUs. There are five major categories that group policies can be configured for:
When you deploy software, you can choose to assign it or publish it.
Assigned software can be targeted at users or computers. If you assign an
application to a USER, the icons show up on the desktop and/or start menu,
but the program is only installed when the user runs it for the first time. If
it is assigned to a COMPUTER, it's installed the next time the system is
restarted.
You can deploy upgrades using GPOs simply by specifying which program is
to be upgraded and whether or not it is a mandatory upgrade. You can
apply service packs or patches by "re-deploying" an existing Group Policy
with the new information regarding the service pack.
Clients:
As a postscript, we thought that we should include information about older Windows clients such as Windows NT 4.0 and Windows 9x. Microsoft is providing an add-on for Windows 95, Windows 98, and Windows NT 4.0 that allows those clients to take advantage of many of the features provided by the Windows 2000 AD. More information about this can be found here