Introduction to Active Directory Domain Services

2-1

Module 2
Introduction to Active Directory Domain Services
Contents:
Lesson 1: Overview of Active Directory Domain Services  2-3
Lesson 2: Overview of AD DS Logical Components  2-11
Lesson 3: Overview of AD DS Physical Components  2-22
Lab: Exploring AD DS Components and Tools  2-32

BETA COURSEWARE. EXPIRES 4/30/2008

Fundamentals of Windows Server 2008 Active Directory

Module Overview

Windows Server 2008 Active Directory Domain Services (AD DS) is a Microsoft Windows-based directory service. As a directory service, AD DS stores information about objects on a network and makes this information available to users and network administrators. Additionally, AD DS can be used to ensure that only authorized users have access to network resources.


Lesson 1

Overview of Active Directory Domain Services

AD DS stores information about objects on a network and makes this information available to users and network administrators. AD DS also enables network users to access resources anywhere on the network using a single logon process. AD DS also provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.


Why Deploy Active Directory Domain Services?

Key Points
The primary reasons for deploying AD DS are as follows:

Centralized directory: simplifies network administration by allowing management of all accounts in a single directory.

Single sign-on access: most organizations have multiple servers offering a variety of services to users. Without some type of common directory service, each of these servers would require a separate logon for user authentication and authorization.

Integrated security: AD DS works with Windows Server 2008 to check the security permissions associated with each person. AD DS can accommodate users logging on from workstations using Windows NT, 98, 2000, XP, and Vista.


Scalability: AD DS can be easily configured to add additional servers and users within the same building, as well as servers and users in other buildings and regions. Once added, scheduled AD DS replication of user and computer directory information between the various locations continues to give users consistent access to servers and applications.

Common management interface: the Microsoft Management Console (MMC) provides network administrators and technicians with a consistent user interface for all tasks related to the maintenance and deployment of AD DS, as well as all other Microsoft Windows Server 2008 services.

Additional reading
Active Directory on a Windows Server 2003 Network


What is Authentication?

Key Points
Authentication simply refers to the process of verifying that a user is who they claim to be. Authentication, including single sign-on, is a two-part process: interactive logon and network authentication.

Interactive logon
Interactive logon confirms the user's identity on a specific computer by using either a domain account or a local computer account.

Network authentication
Network authentication confirms the user's identification to any network service that the user is attempting to access.

Additional reading
Logon and Authentication Technologies


What is Authorization?

Key Points
Authorization is the second step in the process of gaining access to network resources. Authorization, which happens after authentication, is based on the security token that is granted to the user account when they log on to the network.

Terminology

Security Identifier (SID): A unique security identifier created with the user account.

Security Token: A security token is granted to the user account for a logon session. The system uses the token to control access to securable objects.

Discretionary access control list (DACL): One type of ACL (Access Control List). Defines which users and groups (based on the user or group SID) have access to the object and defines the level of access granted to the user or group.


Authorization process
When the user tries to access a network resource, the client computer presents the security token to the server hosting the resource. The SIDs stored in the security token are compared to the entries in the resource's DACL, which is part of the resource's security descriptor. The user's request to access the resource is granted if a match is found between the DACL on the resource and the SIDs in the security token.
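As an added example (not from the courseware), the following PowerShell function replays the check just described for the current logon token against a file or folder DACL: it collects the token's user and group SIDs, walks the DACL's access rules in stored order, and reports which ACE decides the outcome. It assumes a Windows host; owner implicit rights, privileges and the mapping of generic rights to specific rights are deliberately left out.

```powershell
# Added example: evaluate the current logon token against a resource DACL, the way the
# authorization step above describes it. Simplifications (assumptions): owner implicit
# rights, privileges such as SeBackupPrivilege, token filtering under UAC, and mapping of
# generic rights (GENERIC_READ etc.) to specific rights are not modelled.
function Test-TokenAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Requested = 'ReadAndExecute'
    )

    # 1. The "security token": the user SID plus every group SID in this logon session.
    #    (An elevated and a non-elevated session hold different tokens; run from the one
    #    whose access you want to predict.)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # 2. The resource's DACL in stored (canonical) order:
    #    explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $dacl = (Get-Acl -Path $Path).Access

    $remaining = [int]$Requested   # requested rights not yet covered by an Allow ACE
    $matched   = New-Object System.Collections.Generic.List[string]

    foreach ($ace in $dacl) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                          [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                   # unresolvable account: cannot match
        if ($tokenSids -notcontains $aceSid) { continue }      # ACE is for another principal

        $aceRights = [int]$ace.FileSystemRights
        $desc = '{0} {1} ({2})' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights
        $matched.Add($desc)

        if ($ace.AccessControlType -eq 'Deny') {
            # A Deny ACE covering any still-outstanding right ends the walk: access denied.
            if (($aceRights -band $remaining) -ne 0) {
                return New-AccessResult $Path $Requested $false $desc $matched
            }
        } else {
            # Allow ACEs accumulate; once every requested right is covered, access is granted.
            $remaining = $remaining -band (-bnot $aceRights)
            if ($remaining -eq 0) {
                return New-AccessResult $Path $Requested $true $desc $matched
            }
        }
    }
    # Walked the whole DACL without covering every requested right: implicit deny.
    New-AccessResult $Path $Requested $false '(no matching ACE: implicit deny)' $matched
}

function New-AccessResult($Path, $Requested, $Granted, $DecidingAce, $Matched) {
    [pscustomobject]@{
        Path        = $Path
        Requested   = $Requested
        Granted     = $Granted
        DecidingAce = $DecidingAce
        MatchedAces = @($Matched)
    }
}

# Usage: compare the result with what the Effective Access tab in Explorer reports.
Test-TokenAccess -Path $env:SystemRoot -Requested 'ReadAndExecute' | Format-List
```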

Additional reading
Authorization and Access Control Technologies
Security Identifiers
Tools to Manage Security Principals


Using AD DS to Centralize Network Management

Key Points
The largest cost of owning computers is the cost in managing and maintaining them. If systems were maintained individually, the cost would quickly become unacceptably high. AD DS provides a way to automate computer management using centrally applied settings. This allows for the most efficient use of IT administrative resources.

Additional reading
Group Policies


Overview of AD DS Components

Key Points
When an organization implements AD DS, several physical and logical components are created. AD DS is composed of both physical and logical components.

Additional reading
What Are Domains and Forests?


Lesson 2

Overview of AD DS Logical Components

As an AD DS administrator, you will spend most of your time working with the logical components that make up AD DS. During the implementation of AD DS, your organization will have configured various AD DS components such as domains, sites and organizational units. You will be working with these components as you create and manage user accounts or computer accounts.


What Is the AD DS Schema?

Key Points
The AD DS schema defines every type of object that can be stored in the directory. Before an object can be created in AD, it must first be defined in the schema. The schema also enforces a number of rules regarding the creation of objects in the database. These rules define the information that can be stored with each object and the data type of that information.

Additional reading
What Is the Active Directory Schema?


What Is a Domain?

Key Points
A domain is a logical grouping of AD DS objects, and the most basic building block in the AD DS model. Each domain must have at least one domain controller installed. In fact, you create a domain by installing the first domain controller in the domain, and you remove a domain by removing the last domain controller in the domain.

Additional reading
What Are Domains and Forests?


What Are AD DS Trusts?

Key Points
Domains can allow secure access to shared resources outside of their boundaries using authenticated connections called trusts. Trusts enable users to:

Access resources in domains other than the domain where their user account is configured.

Log on to computers that are members of domains other than the domain where the user account is configured.

Additional reading
Trusts
How Domains and Forests Work


What Is a Domain Tree?

Key Points
A domain tree is a hierarchy of domains in AD DS. The first domain created is the root domain. As subsequent domains are added to the domain tree, they are created as child domains under the root domain. Within a domain tree, all domains share a common or contiguous namespace. For example, if the root domain is WoodgroveBank.com, the child domains would use names such as EMEA.WoodgroveBank.com.

Additional reading
What Are Domains and Forests?


What Is a Forest?

Key Points
A forest is a collection of one or more domain trees. All domains and domain trees exist within an Active Directory forest.

Additional reading
What Are Domains and Forests?


What Is an Organizational Unit?

Key Points
Organizational units (OUs) are Active Directory containers into which you can place users, groups, computers, and other OUs. OUs are designed to make AD DS easier to administer.

Additional reading
Organizational Units


Discussion: Scenarios for Implementing AD DS Logical Components

Questions

For each scenario, describe how AD DS logical components (Domain, OUs) could be deployed in these organizations.

Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.

Scenario 2: NorthWind Traders has a single office. The organization has two business units which are administered separately, but all AD DS management tasks will be managed by the same administrative team. The organization also needs to assign different policies to managers and to each business unit, as well as to the computers used by each of these groups.


Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. Each office has multiple departments, and all of the departments need different policies applied to them. Each office also has a separate team of administrators that must be able to manage all of the user and computer accounts in their office, but should not be able to manage any objects in the other office. One team of administrators at the head office should be able to manage all user accounts, computer accounts and servers in both offices.

Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. Because of the privacy requirements in the different countries, the offices in each country must be managed by a different group of administrators, and the administrators must not be able to modify any objects in other countries. No group of administrators should be able to access objects in other countries.


What Are AD DS Objects?

Key Points
AD DS objects are entities created on AD DS domain controllers. AD DS objects all fall into one or more categories, such as resources (e.g., printers), services (e.g., e-mail, shared folders) and users (both individuals and groups). Each category of object has a set of defined attributes which exist in the Active Directory schema. This makes creating and administering new instances of a particular type of object very efficient.

Additional reading
Active Directory Users and Computers Help


Demonstration: Tools for Managing the AD DS Logical Component

Questions

1. What is the basis of the OU organization at Woodgrove Bank?

2. You need to manage an AD DS domain controller from your computer running Windows Vista, but you do not have the administration tools installed on the computer. How could you manage the domain controller?


Lesson 3

Overview of AD DS Physical Components

AD DS information is stored in a single database on the domain controller's hard disk. If a domain or forest has more than one domain controller, the AD DS data is replicated regularly to each domain controller. This lesson describes the physical components that make up AD DS and provides an overview of how replication works.


What Are AD DS Domain Controllers?

Key Points
A domain controller is a server in an AD DS domain that provides directory services. All domain controllers (except Read Only Domain Controllers) contain a writable copy of the AD DS database and allow administrators access to manage user accounts and other network resources. Domain controllers are also involved in authenticating users and authorizing access to network resources in the domain. Domain controllers also participate in the replication of the AD DS database where changes made on the domain controller are replicated to other domain controllers within their domain.

Additional reading
Domain Controller Roles


Overview of DNS and AD DS

Key Points
AD DS relies entirely on the Domain Name System (DNS) to locate resources on a network. Therefore, all AD DS domains must be DNS domain names. Without a reliable DNS infrastructure, domain controllers on your network will not be able to replicate with each other, workstations will not be able to log on to the network, and Microsoft Exchange Servers will not be able to send e-mail.
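The dependency described above can be checked directly: domain members and domain controllers find each other through SRV records under _msdcs in DNS. The following PowerShell function is an added example (not from the courseware) that queries those DC locator records and confirms that each advertised host also resolves to an address. It assumes the DnsClient module (Resolve-DnsName) and reachability of the DNS servers hosting the zone; the domain name in the usage line is a placeholder.

```powershell
# Added example: verify the DNS records AD DS uses to locate domain controllers.
# Record names are the standard DC locator records; domain/forest names are placeholders.
function Test-AdDnsLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $DomainName,          # e.g. 'woodgrovebank.example'
        [string] $ForestName = $DomainName,                    # GC records live under the forest root
        [string] $SiteName                                     # optional: site-specific records too
    )
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",       # any DC in the domain (LDAP)
        "_kerberos._tcp.dc._msdcs.$DomainName",   # any DC in the domain (Kerberos KDC)
        "_ldap._tcp.pdc._msdcs.$DomainName",      # the PDC emulator
        "_ldap._tcp.gc._msdcs.$ForestName",       # global catalog servers (LDAP 3268)
        "_gc._tcp.$ForestName"
    )
    if ($SiteName) {
        $names += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"
        $names += "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainName"
    }

    foreach ($name in $names) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch { $srv = @() }

        if (-not $srv) {
            # A missing locator record means clients cannot find a DC for this service.
            [pscustomobject]@{ Record = $name; Status = 'MISSING'; Target = $null
                               Port = $null; TargetResolves = $null }
            continue
        }
        foreach ($r in $srv) {
            # An SRV record is only useful if its target host also resolves to an address.
            $resolves = $true
            try { [void][System.Net.Dns]::GetHostAddresses($r.NameTarget) } catch { $resolves = $false }
            [pscustomobject]@{ Record = $name; Status = 'OK'; Target = $r.NameTarget
                               Port = $r.Port; TargetResolves = $resolves }
        }
    }
}

# Usage (placeholder domain): rows marked MISSING or TargetResolves=False are the ones
# that break logon, replication and mail flow as described above.
Test-AdDnsLocatorRecords -DomainName 'woodgrovebank.example' | Format-Table -AutoSize
```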


What Are Global Catalog Servers?

Key Points
The global catalog server is a domain controller; as such, it stores a full copy of all objects in the directory for its host domain, but additionally it stores a partial copy of all objects for all other domains in the forest. That partial catalog of objects from other domains is commonly used in search operations. Storing information about objects in other domains provides users with efficient searches without affecting network performance or causing unnecessary referrals to other domain controllers.

Additional reading
What Is the Global Catalog?


What Is the AD DS Data Store?

Key Points
All the data in AD DS is stored in a single file on the domain controller. The location for this file, named Ntds.dit, can be set during the domain controller promotion process. The default location for the database and database log files is %SystemRoot%\Ntds. The AD DS data store contains database files and file processes that store and manage directory information for users, services, and applications.
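Where a given domain controller actually keeps Ntds.dit and its logs is recorded in the NTDS service parameters. The following PowerShell function is an added example (not from the courseware) that reads those values, reports the database size and log files, and lists every identity with access to the data store folder; it assumes an elevated session on a domain controller, and the expected access list (SYSTEM and Administrators only) is an assumption to confirm against your own baseline.

```powershell
# Added example: locate and inspect the AD DS data store on this domain controller.
# Registry value names are the NTDS service's own parameters; run elevated on a DC.
function Get-NtdsDataStoreInfo {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path -Path $key)) {
        throw 'NTDS parameters not present; this computer is not a domain controller.'
    }
    $p       = Get-ItemProperty -Path $key
    $dbFile  = $p.'DSA Database file'          # default: %SystemRoot%\NTDS\ntds.dit
    $logPath = $p.'Database log files path'    # default: %SystemRoot%\NTDS
    $workDir = $p.'DSA Working Directory'

    $db     = Get-Item -Path $dbFile -ErrorAction SilentlyContinue
    $sizeMB = if ($db) { [math]::Round($db.Length / 1MB, 1) } else { $null }

    # Anyone who can read this folder can copy the directory database, so the DACL on it
    # should be as small as the baseline allows (by default SYSTEM and Administrators).
    $folderAcl = (Get-Acl -Path (Split-Path -Path $dbFile -Parent)).Access |
                 ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DatabaseFile   = $dbFile
        DatabaseSizeMB = $sizeMB
        LogFolder      = $logPath
        LogFiles       = @(Get-ChildItem -Path $logPath -Filter '*.log' -ErrorAction SilentlyContinue |
                           Select-Object -ExpandProperty Name)
        WorkingDir     = $workDir
        OnSystemVolume = ($dbFile -like "$($env:SystemDrive)*")
        FolderAccess   = @($folderAcl)
    }
}

Get-NtdsDataStoreInfo | Format-List
```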

Additional reading
What is a Data Store?


What Is AD DS Replication?

Key Points
AD DS replication refers to the process by which the directory data is synchronized between domain controllers in a forest. AD DS uses a multi-master replication model. This means that the AD DS information can be modified on any domain controller, which then sends its most current directory information to other domain controllers according to the replication schedule.

Additional reading
What Is the Active Directory Replication Model?


What Are Sites?

Key Points
A site is defined as an area of the network where all domain controllers are connected by a fast, inexpensive, and reliable network connection. A site is a specific AD DS organizational entity used to manage network traffic. You can also use sites to assign Group Policy settings. If all users or computers in a company location require the same configuration, you can assign a Group Policy object at the site level.

Additional reading
Active Directory Sites and Services


Discussion: Scenarios for Implementing AD DS Physical Components

Questions

Question: For each scenario, describe how AD DS physical components could be deployed in these organizations.

Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.

Scenario 2: NorthWind Traders has a head office with about 250 workers. The organization also has a small branch office with 25 users that is connected to the head office through a slow and unreliable network connection. The organization has two business units which are administered separately, but all AD DS management tasks will be managed by the same administrative team.


Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. The offices are connected by a high-speed and reliable network connection that is not heavily utilized during business hours.

Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. In all countries, the company has a single data center located in a central city. In addition, the company has numerous small branch offices with 5-100 users. The branch offices are connected to the main office through a variety of WAN connections.


Demonstration: Tools for Managing the AD DS Physical Components

Questions

1. You need to determine which site a workstation is located in. How would you do this?

2. You run the Repadmin /showrepls command and notice several errors between domain controllers located in different sites. What would you do to resolve the errors?
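The two questions above, and the sites and replication topics in this lesson, come down to two checks that can be scripted. The following PowerShell is an added example (not from the courseware): Get-ComputerSite answers "which site is this workstation in" through the .NET DC locator API (no RSAT needed; nltest /dsgetsite is the command-line equivalent), and Get-ReplicationFailure parses repadmin /showrepl * /csv and returns only the partner links that report failures, flagging cross-site ones. It assumes repadmin is present (AD DS role or RSAT) and, for remote computers, WinRM.

```powershell
# Added example: the site lookup and replication check behind the demonstration questions.
function Get-ComputerSite {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # The DC locator assigns a computer to a site from its IP subnet; this asks for that result.
    $lookup = {
        try { [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name }
        catch { $null }   # not domain-joined, no DC reachable, or subnet not mapped to a site
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { return & $lookup }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $lookup   # requires WinRM (assumption)
}

function Get-ReplicationFailure {
    # One CSV row per (destination DC, naming context, source DC) replication link.
    param([string[]] $CsvLines = (repadmin /showrepl * /csv))
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt 0 -or $row.'Last Failure Status' -ne '0') {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                DestSite    = $row.'Destination DSA Site'
                Source      = $row.'Source DSA'
                SourceSite  = $row.'Source DSA Site'
                Context     = $row.'Naming Context'
                Failures    = $failures
                LastFailure = $row.'Last Failure Time'
                LastSuccess = $row.'Last Success Time'
                Status      = $row.'Last Failure Status'
                # Failures confined to cross-site links point at the WAN, DNS or site-link
                # configuration between sites rather than at a single domain controller.
                CrossSite   = ($row.'Destination DSA Site' -ne $row.'Source DSA Site')
            }
        }
    }
}

# Usage
"This computer is in site: $(Get-ComputerSite)"
Get-ReplicationFailure | Sort-Object CrossSite, Failures -Descending | Format-Table -AutoSize
```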


Lab: Exploring AD DS Components and Tools

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank also has strategic partnerships with other organizations, including Fabrikam, Inc. and NorthWind Traders. Woodgrove Bank has deployed AD DS. As the new AD DS administrator, you must install the AD DS management tools on your Windows Vista workstation and then examine the AD DS environment at Woodgrove Bank.


Exercise 1: Installing the AD DS Management Tools


In this exercise you will install the AD DS management tools on a Windows Vista computer. The main tasks are as follows:

1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6424A-NYC-CL1 virtual machine and log on as Claudia.
3. Start the 6424A-LON-DC1 virtual machine and log on as Administrator.
4. Install the Windows Server 2008 administration tools on Windows Vista.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator

Start 6424A-NYC-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Start the 6424A-NYC-CL1 virtual machine and log on as Claudia

Start 6424A-NYC-CL1 and log on as Claudia using the password Pa$$w0rd.

Task 3: Start the 6424A-LON-DC1 virtual machine and log on as Administrator

Start 6424A-LON-DC1 and log on as Administrator using the password Pa$$w0rd.

Task 4: Install the Windows Server 2008 administration tools on Windows Vista

Result: At the end of this exercise, you will have installed the Windows Server 2008 administration tools on Windows Vista.


Exercise 2: Examining the AD DS Logical Components


In this exercise you will use the AD DS management tools to examine the AD DS logical components. The main tasks are as follows:

1. Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS.
2. Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS.
3. In Active Directory Users and Computers, change the domain that you are administering.

Task 1: Open Active Directory Users and Computers to examine the logical components of Woodgrove Bank AD DS

1. On NYC-CL1, open Active Directory Users and Computers as an administrator.
2. What domain are you administering?
3. What are the three types of objects listed under the domain? How can you tell the difference?
4. Expand the NYC OU, and then click BranchManagers. What design was used to create the OU structure at WoodgroveBank.com?
5. Examine the BranchManagers OU properties. Review the configuration options that can be configured for an OU.
6. Examine the properties for the NYC_BranchManagersGG group. What is the group type and scope? Click the Members and Member of tabs and review the information.
7. Double-click Doris Krieger and review the configuration options for a user account.
8. In the console tree pane, click Computers.
9. In the details pane, double-click NYC-CL1 and review the configuration options for a computer account.
10. Leave Active Directory Users and Computers open.


Task 2: Open Active Directory Domains and Trusts to examine the logical components of Woodgrove Bank AD DS

1. On NYC-CL1, open Active Directory Domains and Trusts as an administrator.
2. What domains are listed as child domains in the WoodgroveBank.com forest?
3. Access the Trusts tab on the WoodgroveBank.com Properties. What type of trust is created between WoodgroveBank.com and EMEA.WoodgroveBank.com?
4. What type of trust is created between EMEA.WoodgroveBank.com and WoodgroveBank.com?
5. Close Active Directory Domains and Trusts.

Task 3: In Active Directory Users and Computers, change the domain that you are administering

1. In Active Directory Users and Computers, change the domain to administer EMEA.WoodgroveBank.com.
2. Verify that you can connect to the EMEA.WoodgroveBank.com domain. Why can you connect to the domain without providing authentication credentials?
3. Change the domain controller so that you are administering LON-DC1.EMEA.WoodgroveBank.com and click OK.
4. Verify that you can connect to the LON-DC1.WoodgroveBank.com domain controller. What domain is displayed in Active Directory Users and Computers?
5. Close Active Directory Users and Computers.

Result: At the end of this exercise, you will have explored the WoodgroveBank.com AD DS environment by using the AD DS management tools.


Exercise 3: Examining the AD DS Physical Components


In this exercise you will use the AD DS management tools to examine the AD DS physical components. The main tasks are as follows:

1. Enable Remote Desktop connections on NYC-DC1.
2. Connect to NYC-DC1 using Remote Desktop.
3. Use Active Directory Users and Computers to examine the Domain Controllers in the WoodgroveBank.com domain.
4. Log off from Remote Desktop and shut down all virtual machines.

Task 1: Enable Remote Desktop connections on NYC-DC1

1. On NYC-DC1, click Start, and then open Server Manager.
2. In Server Manager, configure Remote Desktop to allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
3. What limitation does this selection place on the Remote Desktop connections? Which users have Remote Desktop access by default?
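The setting chosen in step 2 can be verified after the fact rather than trusted from the dialog. The following PowerShell function is an added example (not from the courseware) that reads the Remote Desktop configuration from the Terminal Server registry keys and lists the members of the local Remote Desktop Users group, so the "NLA required" choice can be confirmed on NYC-DC1 or any other server; it assumes a local or remoted (Invoke-Command) session with rights to read HKLM.

```powershell
# Added example: report the Remote Desktop security settings Task 1 configures.
# Registry paths and value meanings are the documented Terminal Server settings.
function Get-RemoteDesktopSecurity {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $layer = switch ($tcp.SecurityLayer) {
        0       { 'RDP (legacy encryption)' }
        1       { 'Negotiate' }
        2       { 'TLS' }
        default { "unknown ($($tcp.SecurityLayer))" }
    }

    # Members of the local Remote Desktop Users group; Administrators can connect regardless.
    $members = (net localgroup 'Remote Desktop Users') -notmatch '^(Alias|Comment|Members|-+|The command|\s*$)'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        # UserAuthentication = 1 is the "only from computers running Remote Desktop with
        # Network Level Authentication (more secure)" option: the client must authenticate
        # before a session is created, so anonymous connections never reach the logon screen.
        NlaRequired          = ($tcp.UserAuthentication -eq 1)
        SecurityLayer        = $layer
        RemoteDesktopUsers   = @($members)
    }
}

Get-RemoteDesktopSecurity | Format-List
```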

Task 2: Connect to NYC-DC1 using Remote Desktop

1. On NYC-CL1, start a Remote Desktop Connection.
2. Connect to NYC-DC1 using Administrator as the User name and Pa$$w0rd as the password. Click OK.

Task 3: Use Active Directory Users and Computers to examine the Domain Controllers in the WoodgroveBank.com domain

1. In the Remote Desktop connection, open Active Directory Users and Computers.
2. How many domain controllers are deployed in the domain? What is different about each domain controller?
3. Close Active Directory Users and Computers.


Task 4: Use Active Directory Sites and Services to examine the Domain Controllers in the WoodgroveBank.com domain

1. In the Remote Desktop connection, open Active Directory Sites and Services.
2. How many sites are listed in the forest? What is the site or sites called?
3. Verify that the same domain controllers are listed in Default-First-Site-Name as were listed in Active Directory Users and Computers.
4. Expand NYC-DC1, right-click NTDS Settings, and click Properties. Verify that NYC-DC1 is configured as a global catalog server.
5. On the Connections tab, examine the replication connections on the domain controller.

Task 5: Log off Remote Desktop and shut down all virtual machines

1. In the Remote Desktop connection, click Start, and then click Log off.
2. Shut down all virtual machines and delete changes.

Result: At the end of this exercise, you will have examined the AD DS physical properties in the WoodgroveBank.com domain.


Module Review and Takeaways

Review Questions
1. You have just installed a new domain controller in your domain. What two tools could you use to verify that the domain controller has been added to the domain?

2. You want to group all of the users in a branch office together so that you can assign permissions to a shared folder to all of the users in the branch office. What type of AD DS object should you create?

3. What are the differences between a domain, a domain tree and a forest?

4. What feature makes it easy and fast to search a forest for user phone numbers?

5. What is the relationship between a domain and a site?


Summary of Active Directory Domain Services

AD DS provides a directory service for organizations that enables them to provide secure access to network resources and centralized administration. AD DS enables users to be authenticated, and then authorizes the user to access network resources based on that network authentication. AD DS is composed of logical and physical components. Logical components such as domains, forests and OUs are used to group objects together for administrative purposes. Physical components such as domain controllers and sites are deployed to provide a consistent experience for users throughout the AD DS environment.
