Module 2
Introduction to Active Directory Domain Services
Contents:
Lesson 1: Overview of Active Directory Domain Services
Lesson 2: Overview of AD DS Logical Components
Lesson 3: Overview of AD DS Physical Components
Lab: Exploring AD DS Components and Tools
Module Overview
Windows Server 2008 Active Directory Domain Services (AD DS) is a Microsoft Windows-based directory service. As a directory service, AD DS stores information about objects on a network and makes this information available to users and network administrators. Additionally, AD DS can be used to ensure that only authorized users have access to network resources.
Lesson 1: Overview of Active Directory Domain Services
AD DS stores information about objects on a network and makes this information available to users and network administrators. It lets users reach resources anywhere on the network with a single logon, and it gives administrators an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Key Points
The primary reasons for deploying AD DS are as follows:
Centralized directory: simplifies network administration by allowing management of all accounts in a single directory.
Single sign-on access: most organizations have multiple servers offering a variety of services to users. Without some type of common directory service, each of these servers would require a separate logon for user authentication and authorization.
Integrated security: AD DS works with Windows Server 2008 to check the security permissions associated with each person. AD DS can accommodate users logging on from workstations running Windows NT, 98, 2000, XP, and Vista.
Scalability: AD DS can easily be extended with additional servers and users in the same building as well as in other buildings and regions. Once they are added, scheduled AD DS replication of user and computer directory information between locations continues to give users consistent access to servers and applications.
Common management interface: the Microsoft Management Console (MMC) provides network administrators and technicians with a consistent user interface for all tasks related to maintenance and deployment of AD DS, as well as all other Windows Server 2008 services.
Additional reading
Active Directory on a Windows Server 2003 Network
What is Authentication?
Key Points
Authentication simply refers to the process of verifying that a user is who they claim to be. Authentication, including single sign-on, is a two-part process: interactive logon and network authentication.
Interactive logon
Interactive logon confirms the user's identity on a specific computer, using either a domain account or a local computer account.
Network authentication
Network authentication confirms the user's identification to any network service that the user is attempting to access.
Additional reading
Logon and Authentication Technologies
What is Authorization?
Key Points
Authorization is the second step in the process of gaining access to network resources. Authorization, which happens after authentication, is based on the security token that is granted to the user account when they log on to the network.
Terminology
Security Identifier (SID): A unique identifier created with the user account (every security principal, including groups and computers, has one).
Security token: A security token (access token) is granted to the user account for a logon session. It carries the user's SID and the SIDs of the groups the user belongs to, and the system uses it to control access to securable objects.
Discretionary Access Control List (DACL): One type of ACL (access control list). Defines which users and groups (identified by their SIDs) have access to the object and the level of access granted or denied to each.
Authorization process
When the user tries to access a network resource, the server hosting the resource uses the user's access token (the user's SID and the SIDs of the user's groups, established during network authentication) to decide whether to grant the request. Each SID in the token is compared with the access control entries in the resource's DACL, which is part of the object's security descriptor. The request is granted when the entries that match SIDs in the token allow every permission that was requested and no matching entry denies any of them; if no entry grants the request, access is denied.
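The comparison described above, as an added example that is not part of the course: a PowerShell function that models the Windows access check (ACEs are evaluated in order, a matching Deny ends the check, Allow entries accumulate granted bits), run first against a constructed token and DACL and then against a real folder's DACL and the current logon session's token. The SIDs and the folder path are assumptions; owner-implied rights, SACLs, inheritance flags and deny-only token groups are ignored.

```powershell
# Added example (not part of the course): a model of the Windows access check,
# run first against a constructed token and DACL, then against a real folder.
# Simplifications: owner-implied rights, SACLs, inheritance flags and
# deny-only token groups are ignored.

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)] [string[]] $TokenSids,  # user SID plus group SIDs from the access token
        [Parameter(Mandatory)] [object[]] $Dacl,       # ordered ACEs: @{ Sid; Type = 'Allow'|'Deny'; Mask }
        [Parameter(Mandatory)] [int]      $Requested   # access mask the caller asked for
    )
    $remaining = $Requested
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }            # ACE is for some other principal
        if ($ace.Type -eq 'Deny') {
            if (($ace.Mask -band $remaining) -ne 0) { return $false }  # a matching Deny ends the check
        } elseif ($ace.Type -eq 'Allow') {
            $remaining = $remaining -band (-bnot $ace.Mask)            # these bits are now granted
            if ($remaining -eq 0) { return $true }                     # everything requested is granted
        }
    }
    return $false   # end of the DACL with bits still outstanding: implicit deny
}

# Constructed token: a user who is a member of Domain Users (RID 513) and a Finance group
$tokenSids = @('S-1-5-21-1000-2000-3000-1105',
               'S-1-5-21-1000-2000-3000-513',
               'S-1-5-21-1000-2000-3000-1200')
$read  = [int][System.Security.AccessControl.FileSystemRights]::Read
$write = [int][System.Security.AccessControl.FileSystemRights]::Write

# Constructed DACL in canonical order (explicit Deny ACEs before Allow ACEs)
$dacl = @(
    @{ Sid = 'S-1-5-21-1000-2000-3000-1200'; Type = 'Deny';  Mask = $write }   # Finance may not write
    @{ Sid = 'S-1-5-21-1000-2000-3000-513';  Type = 'Allow'; Mask = $read  }   # Domain Users may read
    @{ Sid = 'S-1-5-21-1000-2000-3000-1105'; Type = 'Allow'; Mask = $write }   # the user may write
)
Test-DaclAccess -TokenSids $tokenSids -Dacl $dacl -Requested $read
Test-DaclAccess -TokenSids $tokenSids -Dacl $dacl -Requested ($read -bor $write)

# The same check against a real folder's DACL and the current logon session's token.
# Assumption: $path is any folder whose DACL you are allowed to read.
$path   = 'C:\Windows'
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$realDacl = (Get-Acl -Path $path).Access | ForEach-Object {
    @{
        Sid  = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        Type = $_.AccessControlType.ToString()
        Mask = [int]$_.FileSystemRights
    }
}
Test-DaclAccess -TokenSids $mySids -Dacl $realDacl -Requested $read
```

The second constructed call fails even though the user's own Allow ACE grants write: the Finance group's Deny ACE is reached first and it overlaps the requested bits. That is why Windows keeps Deny entries ahead of Allow entries in a canonical DACL and why group membership, not just the user's own entry, decides the outcome.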
Additional reading
Authorization and Access Control Technologies Security Identifiers Tools to Manage Security Principals
Key Points
The largest cost of owning computers is the cost in managing and maintaining them. If systems were maintained individually, the cost would quickly become unacceptably high. AD DS provides a way to automate computer management using centrally applied settings. This allows for the most efficient use of IT administrative resources.
Additional reading
Group Policies
Overview of AD DS Components
Key Points
When an organization implements AD DS, several physical and logical components are created. The logical components (forest, domains, organizational units and the schema) describe how the directory is organized; the physical components (domain controllers, sites and the data store) determine where that information is stored and how it is replicated.
Additional reading
What Are Domains and Forests?
Lesson 2: Overview of AD DS Logical Components
As an AD DS administrator, you will spend most of your time working with the logical components that make up AD DS. During the implementation of AD DS, your organization will have configured various AD DS components such as domains, sites and organizational units. You will be working with these components as you create and manage user accounts or computer accounts.
Key Points
The AD DS schema defines every type of object that can be stored in the directory. Before an object can be created in AD, it must first be defined in the schema. The schema also enforces a number of rules regarding the creation of objects in the database. These rules define the information that can be stored with each object and the data type of that information.
Additional reading
What Is the Active Directory Schema?
What Is a Domain?
Key Points
A domain is a logical grouping of AD DS objects, and the most basic building block in the AD DS model. Each domain must have at least one domain controller installed. In fact, you create a domain by installing the first domain controller in the domain, and you remove a domain by removing the last domain controller in the domain.
Additional reading
What Are Domains and Forests?
Key Points
Domains allow secure access to shared resources outside their own boundaries through trust relationships. Within a forest, every domain is linked to its parent (or, for the root of a tree, to the forest root domain) by a two-way transitive trust that is created automatically; trusts with domains in other forests are created by administrators. Trusts enable users to:
Access resources in domains other than the domain where their user account is configured.
Log on to computers that are members of domains other than the domain where the user account is configured.
Additional reading
Trusts How Domains and Forests Work
Key Points
A domain tree is a hierarchy of domains in AD DS. The first domain created is the root domain. As subsequent domains are added to the domain tree, they are created as child domains under the root domain. Within a domain tree, all domains share a common or contiguous namespace. For example, if the root domain is WoodgroveBank.com, the child domains would use names such as EMEA.WoodgroveBank.com.
Additional reading
What Are Domains and Forests?
What Is a Forest?
Key Points
A forest is a collection of one or more domain trees. All domains and domain trees exist within an Active Directory forest. The domains in a forest share one schema, one configuration partition and one global catalog and are connected by transitive trusts, so the forest, not the domain, is the security boundary of AD DS.
Additional reading
What Are Domains and Forests?
Key Points
Organizational units (OUs) are Active Directory containers into which you can place users, groups, computers, and other OUs. OUs are designed to make AD DS easier to administer: they are the smallest scope at which administrative control can be delegated and Group Policy can be linked, so they are usually designed around how administration and policy are delegated.
Additional reading
Organizational Units
Questions
For each scenario, describe how AD DS logical components (domains, OUs) could be deployed in these organizations.
Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.
Scenario 2: NorthWind Traders has a single office. The organization has two business units which are administered separately, but all AD DS management tasks will be managed by the same administrative team. The organization also needs to assign different policies to managers and to each business unit, as well as to the computers used by each of these groups.
Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. Each office has multiple departments, and all of the departments need different policies applied to them. Each office also has a separate team of administrators that must be able to manage all of the user and computer accounts in their office, but should not be able to manage any objects in the other office. One team of administrators at the head office should be able to manage all user accounts, computer accounts and servers in both offices.
Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. Because of the privacy requirements in the different countries, the offices in each country must be managed by a different group of administrators, and the administrators must not be able to modify any objects in other countries. No group of administrators should be able to access objects in other countries.
Key Points
AD DS objects are entities created on AD DS domain controllers. AD DS objects all fall into one or more categories, such as resources (e.g.: printers), services (e.g. email, shared folders) and users (both individuals and groups). Each category of object has a set of defined attributes which exist in the Active Directory schema. This makes creating and administering new instances of a particular type of object very efficient.
Additional reading
Active Directory Users and Computers Help
Questions
1. What is the basis of the OU organization at Woodgrove Bank?
2. You need to manage an AD DS domain controller from your computer running Windows Vista, but you do not have the administration tools installed on the computer. How could you manage the domain controller?
Lesson 3: Overview of AD DS Physical Components
AD DS information is stored in a single database on each domain controller's hard disk. If a domain or forest has more than one domain controller, the AD DS data is replicated regularly between them. This lesson describes the physical components that make up AD DS and provides an overview of how replication works.
Key Points
A domain controller is a server in an AD DS domain that provides directory services. All domain controllers except read-only domain controllers (RODCs) hold a writable copy of the AD DS database and let administrators manage user accounts and other network resources. Domain controllers authenticate users and authorize access to network resources in the domain, and they take part in replication of the AD DS database: changes made on one domain controller are replicated to the other domain controllers in the domain.
Additional reading
Domain Controller Roles
Key Points
AD DS relies entirely on the Domain Name System (DNS) to locate resources on a network. Every AD DS domain name is therefore a DNS domain name, and domain controllers register service (SRV) records in DNS that clients and other domain controllers use to find them. Without a reliable DNS infrastructure, domain controllers cannot replicate with each other, workstations cannot log on to the domain, and Microsoft Exchange servers cannot send e-mail.
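A check for the DNS dependency described above, as an added example that is not part of the course: a PowerShell function that resolves the SRV records the domain controller locator depends on and reports which are missing. The domain and forest names are assumptions, and Resolve-DnsName requires Windows 8 or Windows Server 2012 or later.

```powershell
# Added example (not part of the course): verify the SRV records that the DC locator
# depends on. Domain and forest names are assumptions; needs Resolve-DnsName
# (Windows 8 / Windows Server 2012 or later).

function Test-AdDnsRecords {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $ForestName = $DomainName   # GC records live in the forest root's _msdcs zone
    )
    $required = @(
        "_ldap._tcp.dc._msdcs.$DomainName",       # any DC in the domain
        "_kerberos._tcp.dc._msdcs.$DomainName",   # any KDC in the domain
        "_ldap._tcp.pdc._msdcs.$DomainName",      # the PDC emulator
        "_ldap._tcp.gc._msdcs.$ForestName",       # any global catalog in the forest
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kpasswd._tcp.$DomainName"
    )
    foreach ($name in $required) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }   # drop the A records returned alongside
            [pscustomobject]@{
                Record  = $name
                Status  = 'OK'
                Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            }
        } catch {
            [pscustomobject]@{ Record = $name; Status = 'MISSING'; Targets = $_.Exception.Message }
        }
    }
}

Test-AdDnsRecords -DomainName 'woodgrovebank.com' | Format-Table -AutoSize
```

A MISSING row for `_ldap._tcp.dc._msdcs` means no client can find a domain controller at all; a missing `_ldap._tcp.gc._msdcs` row breaks forest-wide searches and logons that need universal group membership. On a domain controller, `dcdiag /test:dns` performs the same registration checks from the server's point of view.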
Key Points
A global catalog server is a domain controller that, in addition to the full, writable copy of every object in its own domain, holds a partial, read-only copy of every object in every other domain in the forest. The partial copy contains the attributes most often used in searches (the partial attribute set), so a forest-wide search, for example for a user's phone number, can be answered by a single server without referrals to domain controllers in other domains and without the extra network traffic those referrals would cause.
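The partial copy described above can be seen directly, as an added example that is not part of the course: read one user through a global catalog on port 3268 and through a domain controller of the user's own domain on port 389, then list the attributes the global catalog did not return. It needs the ActiveDirectory module from the RSAT tools and assumes the user `jsmith` lives in a child domain such as EMEA.WoodgroveBank.com while the global catalog is in the forest root, so the GC holds only the partial copy of that object.

```powershell
# Added example (not part of the course): the same user read through a global catalog
# (port 3268) and through a DC of the user's own domain (port 389). Needs the
# ActiveDirectory module (RSAT). Assumptions: 'jsmith' exists in a child domain and
# the GC used is in the forest root, so it holds only the partial copy of the object.
Import-Module ActiveDirectory
$sam = 'jsmith'

$forest = Get-ADForest
$gc = Get-ADDomainController -Discover -Service GlobalCatalog -DomainName $forest.RootDomain
$gcHost = [string]$gc.HostName

# SearchBase '' makes the query start at the forest root instead of the GC's own domain
$gcUser = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -SearchBase '' `
                     -Server "$($gcHost):3268" -Properties *

# Work out the user's own domain from its DN and read the full object there
$userDomain = $gcUser.DistinguishedName -replace '^.*?,DC=', '' -replace ',DC=', '.'
$dcUser = Get-ADUser -Identity $gcUser.DistinguishedName -Server $userDomain -Properties *

"GC copy: $($gcUser.PropertyCount) attributes, DC copy: $($dcUser.PropertyCount) attributes"

# Attributes populated on the DC copy that the GC did not return
Compare-Object -ReferenceObject @($dcUser.PropertyNames) -DifferenceObject @($gcUser.PropertyNames) |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject
```

Attributes listed at the end are the ones an application must fetch from the user's own domain; if an application only ever talks to port 3268, those attributes are invisible to it, which is a common cause of "empty field" reports in multi-domain forests.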
Additional reading
What Is the Global Catalog?
Key Points
All the data in AD DS is stored in a single database file on the domain controller, named Ntds.dit. Its location can be set during the domain controller promotion process; the default location for the database and its transaction log files is %SystemRoot%\Ntds. The AD DS data store consists of these files and the database engine processes that store and manage directory information for users, services, and applications. Because the data store holds every account in the domain, including its password hashes, the file, its log files and any backup or snapshot that contains them must be protected as carefully as the domain controller itself.
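Locating the data store on a running domain controller and reviewing who can reach it, as an added example that is not part of the course. It reads the NTDS service parameters from the registry (the same values set during promotion) and must be run on the domain controller as an administrator.

```powershell
# Added example (not part of the course): find the AD DS data store on this DC and
# review the folder's DACL. Run on the domain controller as an administrator.
function Get-NtdsDataStore {
    $p    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit  = $p.'DSA Database file'          # full path of Ntds.dit
    $logs = $p.'Database log files path'    # folder holding the edb*.log transaction logs

    [pscustomobject]@{
        DatabaseFile   = $dit
        DatabaseSizeMB = [math]::Round((Get-Item $dit).Length / 1MB, 1)
        LogFolder      = $logs
        LogFiles       = (Get-ChildItem -Path $logs -Filter '*.log' | Select-Object -ExpandProperty Name) -join ', '
        # By default only SYSTEM and Administrators should appear here; anything else
        # is a principal that can copy the database and the hashes in it.
        FolderAccess   = (Get-Acl -Path (Split-Path $dit)).Access |
                             ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))" }
    }
}

Get-NtdsDataStore | Format-List
```

The file cannot be copied while the directory service is running, but backups, Volume Shadow Copy snapshots and virtual machine images that contain it can be, so the same review applies to wherever those are stored.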
Additional reading
What is a Data Store?
What Is AD DS Replication?
Key Points
AD DS replication is the process by which directory data is synchronized between the domain controllers in a forest. AD DS uses a multi-master replication model: changes can be made on any writable domain controller, and each domain controller sends its latest changes to its replication partners. Within a site, partners are notified of changes almost immediately; between sites, replication runs on the schedule configured for the site link.
Additional reading
What Is the Active Directory Replication Model?
Key Points
A site is an area of the network in which all domain controllers are connected by a fast, inexpensive, and reliable network connection. A site is defined by the IP subnets assigned to it: a client is placed in the site that contains its IP address and uses that site to find a nearby domain controller, and replication between sites is scheduled and compressed. A site is therefore an AD DS organizational entity used to manage network traffic. You can also use sites to assign Group Policy settings: if all users or computers in a company location require the same configuration, you can link a Group Policy object at the site level.
Additional reading
Active Directory Sites and Services
Questions
For each scenario, describe how AD DS physical components could be deployed in these organizations.
Scenario 1: Contoso Inc. has a single office with 20 employees and a single business unit. The business owner manages all AD DS administrative tasks.
Scenario 2: NorthWind Traders has a head office with about 250 workers. The organization also has a small branch office with 25 users that is connected to the head office through a slow and unreliable network connection. The organization has two business units which are administered separately, but all AD DS management tasks will be managed by the same administrative team.
Scenario 3: Coho Vineyards has two separate business units located in two offices in different countries. Each office has about 10,000 users. The offices are connected by a high-speed and reliable network connection that is not heavily utilized during business hours.
Scenario 4: Woodgrove Bank has multiple locations deployed in different countries around the world. In all countries, the company has a single data center located in a central city. In addition, the company has numerous small branch offices with 5-100 users. The branch offices are connected to the main office through a variety of WAN connections.
Questions
1. You need to determine which site a workstation is located in. How would you do this?
2. You run the Repadmin /showrepls command and notice several errors between domain controllers located in different sites. What would you do to resolve the errors?
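One way to work through both questions from a domain-joined computer, as an added example that is not part of the course. It uses the .NET site lookup, the Netlogon cache, nltest and repadmin, and the ActiveDirectory module's replication cmdlets from the RSAT tools; the site name is an assumption.

```powershell
# Added example (not part of the course): answers to the two questions above, run from
# a domain-joined computer with the RSAT tools installed. The site name is an assumption.

# Question 1: which site is this computer in? The DC locator compares the client's IP
# address with the subnets assigned to each site and caches the answer under Netlogon.
try {
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    "Computer site: $site"
} catch {
    "No site found: this computer's IP address is not covered by any subnet object ($($_.Exception.Message))"
}
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
"Cached site name: $($netlogon.DynamicSiteName)"
nltest /dsgetsite                      # same answer from the command line
nltest "/dsgetdc:$env:USERDNSDOMAIN"   # the DC the locator chose, and the site it is in

# Question 2: replication errors between sites. repadmin gives the raw view; the cmdlets
# let you filter it. Check DNS, RPC connectivity between the sites and the site link
# schedule before changing anything in the directory itself.
Import-Module ActiveDirectory
repadmin /replsummary                  # one line per DC: largest delta, fails/total
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# Per-partner detail for every DC in one site: last success, last result code, streak of failures
$siteName = 'Default-First-Site-Name'
Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $siteName } | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target ([string]$_.HostName) -PartnerType Both |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
```

A workstation that lands in the wrong site, or in no site, will authenticate against a distant domain controller, so the first thing to verify is that its subnet exists and is assigned to the right site. For the replication errors, the LastReplicationResult code and the repadmin output usually point at one of three things: the partner cannot be resolved in DNS, RPC between the sites is blocked, or the site link schedule has not allowed a replication window yet.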
Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank also has strategic partnerships with other organizations, including Fabrikam, Inc and NorthWind Traders. Woodgrove Bank has deployed AD DS. As the new AD DS administrator, you must install the AD DS management tools on your Windows Vista workstation and then examine the AD DS environment at Woodgrove Bank.
Result: At the end of this exercise, you will have installed the Windows Server 2008 administration tools on Windows Vista.
Result: At the end of this exercise, you will have explored the WoodgroveBank.com AD DS environment by using the AD DS management tools.
Task 4: Use Active Directory Sites and Services to examine the domain controllers in the WoodgroveBank.com domain.
1. In the Remote Desktop connection, open Active Directory Sites and Services.
2. How many sites are listed in the forest? What is the site or sites called?
3. Verify that the same domain controllers are listed in Default-First-Site-Name as were listed in Active Directory Users and Computers.
4. Expand NYC-DC1, right-click NTDS Settings, and click Properties. Verify that NYC-DC1 is configured as a global catalog server.
5. On the Connections tab, examine the replication connections on the domain controller.
Task 5: Log off Remote Desktop and shut down all virtual machines.
1. In the Remote Desktop connection, click Start, and then click Log off.
2. Shut down all virtual machines and delete changes.
Result: At the end of this exercise, you will have examined the AD DS physical properties in the WoodgroveBank.com domain.
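The same inspection as Task 4, done from the workstation with the ActiveDirectory module once the RSAT tools are installed, as an added example that is not part of the lab. It lists the sites and global catalogs in the forest, every domain controller with its site and GC flag, the server objects under the Sites container with a check that each one still has an NTDS Settings object, and the replication connections. No names are assumed; everything is read from the forest the workstation is joined to.

```powershell
# Added example (not part of the lab): Task 4 with the ActiveDirectory module.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest $($forest.Name): sites = $($forest.Sites -join ', ')"
"Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# Every DC in the domain with its site and roles (the Domain Controllers OU view)
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem | Format-Table -AutoSize
$dcHosts = $dcs | ForEach-Object { [string]$_.HostName }

# Server objects under CN=Sites (the Sites and Services view). A server object without an
# NTDS Settings child is left over from a demoted or failed DC and should be investigated;
# a DC that is missing from this list has a site membership problem.
$configNC = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase "CN=Sites,$configNC" -Properties dNSHostName
foreach ($srv in $servers) {
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName -SearchScope OneLevel
    [pscustomobject]@{
        Server          = $srv.Name
        DnsHostName     = $srv.dNSHostName
        # DN is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so the third RDN is the site
        Site            = (($srv.DistinguishedName -split ',')[2]) -replace '^CN=', ''
        HasNtdsSettings = [bool]$ntds
        KnownDC         = $dcHosts -contains $srv.dNSHostName
    }
}

# Replication connections (the Connections tab of NTDS Settings): AutoGenerated = $true
# means the KCC created it; $false means an administrator did and the KCC will not adjust it.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Format-Table -AutoSize
```

A row with HasNtdsSettings false or KnownDC false is the discrepancy step 3 of the task asks you to look for: the two consoles read different parts of the directory (the domain partition and the configuration partition), and they only agree when every domain controller is represented in both.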
Review Questions
1. You have just installed a new domain controller in your domain. What two tools could you use to verify that the domain controller has been added to the domain?
2. You want to group all of the users in a branch office together so that you can assign permissions to a shared folder to all of the users in the branch office. What type of AD DS object should you create?
3. What are the differences between a domain, a domain tree and a forest?
4. What feature makes it easy and fast to search a forest for user phone numbers?
5. What is the relationship between a domain and a site?
Summary of Active Directory Domain Services
AD DS provides a directory service that enables organizations to give users secure access to network resources and to administer those resources centrally. AD DS authenticates users and then authorizes their access to network resources based on the identity established by that authentication. AD DS is composed of logical and physical components. Logical components such as domains, forests and OUs group objects together for administrative purposes. Physical components such as domain controllers and sites are deployed to provide a consistent experience for users throughout the AD DS environment.