
Windows Server 2003 Active Directory

Introduction to Windows Server 2003

Windows Server 2003 is a server operating system produced by Microsoft. It was introduced on April 24, 2003 as the successor to Windows 2000 Server. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005. Unlike Windows 2000 Server, a default installation of Windows Server 2003 has none of the server components enabled, which reduces the attack surface of new machines. Windows Server 2003 includes compatibility modes that allow older applications to run with greater stability. It brought enhanced Active Directory compatibility and better deployment support. The Windows Server 2003 operating systems take the best of Windows 2000 Server technology and make it easier to deploy, manage, and use.

2003 Server Roles

Windows Server 2003 is a multipurpose operating system capable of handling a diverse set of server roles, depending on your needs, in either a centralized or distributed fashion. Some of these server roles include:
- File and print server
- Web server and Web application services
- Mail server
- Terminal server
- Remote access and virtual private network (VPN) server
- Directory services
- Domain Name System (DNS) server
- Dynamic Host Configuration Protocol (DHCP) server
- Windows Internet Naming Service (WINS) server
- Streaming media server

2003 Flavours

Windows Server 2003 R2 Standard Edition
Windows Server 2003, Standard Edition is aimed at small to medium-sized businesses. Flexible yet versatile, Standard Edition supports file and printer sharing, offers secure Internet connectivity, and allows centralized desktop application deployment.

Windows Server 2003 R2 Enterprise Edition
Windows Server 2003, Enterprise Edition is aimed at medium to large businesses. It is a full-function server operating system that supports up to eight processors and provides enterprise-class features such as eight-node clustering and support for up to 32 GB of memory. Enterprise Edition also comes in a 64-bit edition for Intel Itanium-based computers, capable of supporting 8 processors and 64 GB of RAM.

Windows Server 2003 R2, Datacenter Edition
Windows Server 2003, Datacenter Edition is the flagship of the Windows Server line and is designed for immense infrastructures demanding high security and reliability. Datacenter supports up to 32-way SMP and 64 GB of RAM in the 32-bit version, and up to 128-way machines with individual partitions of up to 64 processors and 512 GB of RAM in the 64-bit version. Datacenter provides both eight-node clustering and load balancing as standard features and includes Windows System Resource Manager, which facilitates consolidation and system management.

Windows Server 2003 Web Edition
Windows Server 2003, Web Edition is mainly for building and hosting Web applications, Web pages, and XML Web Services. It is designed to be used primarily as an IIS 6.0 Web server and provides a platform for rapidly developing and deploying XML Web services and applications that use ASP.NET technology, a key part of the .NET Framework.

Introduction to Active Directory Infrastructure

Objectives
- Architecture of Active Directory: introduction
- Function of Active Directory
- Active Directory logical structure
- Active Directory physical structure
- Operations Master Roles
- How Active Directory works
- Active Directory as a directory service
- Purpose of the Global Catalog
- Active Directory schema
- What are distinguished and relative distinguished names
- Construct an LDAP query string

Introduction to Active Directory

Organizations operating a distributed environment need a way to manage network resources and services. As the organization grows, the need for a secure and centralized management system becomes more critical. A directory service provides a centralized location, in a distributed environment, to store information about networked devices and services and the people who use them. A directory service also implements the services that make this information available to users, computers, and applications. A directory service is therefore both a database storage system (the directory store) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store. The Active Directory directory service is the distributed directory service included with the Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

User Accounts
To access a Windows 2003 network, a user needs an account. The account determines three factors:
- when a user may log on
- where within the domain/workgroup the user may log on
- what privilege level the user is assigned
Each account has a SID that serves as its security credential. Any object trying to access a resource must do so through a user account. Windows 2003 has two types of accounts: local accounts and domain accounts.

Local accounts
- Supported on all Windows 2000 and 2003 systems except domain controllers: on member servers participating in domains and on standalone systems participating in workgroups.
- Maintained on the local system and not distributed to other systems.
- A local user account authenticates the user for local machine access only; access to resources on other computers is not supported.
- Built-in local accounts: Guest and Administrator.

Domain accounts
- Permit access throughout a domain and provide centralized user administration through AD.
- Created within a domain container in the AD database and propagated to all other DCs.
- Once authenticated against the AD database using the GC, a user obtains an access token for the logon session, which determines permissions to all resources in the domain.

User Accounts
Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon.

Logon names are not case sensitive, must not contain more than 20 characters, and must not contain any of: + * ? < > / \ [ ] : ;
Passwords are case sensitive and must be secure, not easy to guess.

Renaming an account does not affect any of the user account properties except the name.
Accounts can be moved from one container to another. Disabled accounts cannot be accessed.

When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the Account is disabled option, and user rights and permissions.
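The following is an added example, not part of the original slides, that checks a proposed logon name against the rules above and models uniqueness per naming scope (a domain, or one machine's local account database). The scope names, the account names and the AccountStore class are constructed for the example.

```python
"""Added example, not part of the original slides: a checker for the
logon-name rules listed above, with a constructed per-scope account store
that shows why uniqueness is enforced case-insensitively."""

# Characters the slides list as forbidden in a logon name.
FORBIDDEN_CHARS = frozenset('+*?<>/\\[]:;')
MAX_LOGON_NAME_LENGTH = 20


def check_logon_name(name: str) -> list[str]:
    """Return the rule violations for a proposed logon name (empty list = ok)."""
    problems = []
    if not name.strip():
        problems.append("logon name is empty")
    if len(name) > MAX_LOGON_NAME_LENGTH:
        problems.append(f"{len(name)} characters; the limit is {MAX_LOGON_NAME_LENGTH}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


class AccountStore:
    """Constructed stand-in for one naming scope: a domain, or one machine's
    local account database. Logon names are not case sensitive, so the store
    keys on the case-folded name and 'JSmith' and 'jsmith' collide."""

    def __init__(self, scope: str):
        self.scope = scope
        self._names: dict[str, str] = {}   # casefolded name -> name as entered

    def add(self, name: str) -> bool:
        """Add an account; False if the name breaks a rule or is already taken."""
        if check_logon_name(name):
            return False
        key = name.casefold()
        if key in self._names:
            return False
        self._names[key] = name
        return True

    def exists(self, name: str) -> bool:
        return name.casefold() in self._names


if __name__ == "__main__":
    corp = AccountStore("corp.example")            # constructed domain name
    print(corp.add("JSmith"), corp.add("jsmith"))  # True, then False: same name
    print(check_logon_name("j/smith"))
```

Two separate AccountStore instances stand for two machines' local account databases, which is why the same local logon name can exist on both, while one instance for the domain rejects the second spelling of a name that differs only in case.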

User Accounts
Deleting an account permanently removes it, together with all of its group memberships, permissions and user rights. A new account created with the same name has a different SID and GUID. Disabling an account may therefore be a better option. Administrator is the super account.

Local Profiles
A user's local profile is located in the Documents and Settings directory on the local machine. When a user logs on to a machine for the first time, a subdirectory matching their user name is created under the Documents and Settings directory. In this subdirectory the user's profile is created, named ntuser.dat. The user profile is copied from the Default User directory.

Any changes made to the ntuser.dat file in the Default User directory affect only new users when they log on.
There is also an All Users subdirectory of the Documents and Settings directory. The All Users subdirectory also contains an ntuser.dat file, and changes to this file affect all users logging on to the computer.

Roaming Profiles
If users access more than one machine or move around the network, a roaming profile can be created to ensure that the user receives his or her settings and preferences no matter where they log on. When roaming profiles are used, the ntuser.dat file is stored on a network share and loaded onto the local machine when the user logs on. Changes made to the user's preferences or settings are copied back to the network share when the user logs off.

The local profile remains on the local machine, and should the network share be unavailable the next time the user logs on from that machine, the locally cached profile is loaded instead. Changes to the local profile are not saved back to the network share in this case. Roaming profiles can cause network problems if users save large files to their Desktop or to their My Documents folder.

Mandatory Profiles
Mandatory profiles can be used when the user should be prevented from saving changes to the user settings or preferences. For example, a profile could be created with many shortcuts to file shares and applications; users should not be able to delete these shortcuts and then save the changes back to the network share. By creating the profile as a mandatory profile, users are able to make changes to their settings and preferences, but the changes are lost when the user logs off the machine. A mandatory profile can also be used for a group of people, so that every user gets exactly the same settings and preferences.

Home Folders
Users can use home folders to store their personal files. A home folder is a folder on a computer, usually a file server, that can be assigned to users to save documents and files. Home folders are generally used to consolidate user data in one place for easy backup. Also, many applications use the user's home folder as the default location for the Save As and File Open commands. A home folder can be located on a single computer or on a network share, where it is available to the user anywhere in the network.

Computer Accounts
Every desktop, workstation, laptop, server, and DC in the network must have a valid computer account in Active Directory. Computer accounts are used to identify a computer to the domain: a computer account is an account for a computer, just as a user account is an account for a person. Active Directory requires that all logons not only come from a valid user, but that the logon attempt also comes from a valid computer. When a domain controller receives an authentication request, it first checks that the request is coming from a computer that has a valid computer account in the domain. The domain will not accept the user logon, even if it is valid, if it comes from a computer that does not belong to the domain.

Domain groups
Domain groups allow user accounts within a domain to be collected into a group that can then be used to grant access to resources or to assign user rights. There are two types of domain groups: security groups and distribution groups.

A security group is a security principal and so can be used to assign permissions and rights to a collection of user accounts.
A distribution group is not a security principal and cannot be used to assign permissions. A distribution group is used for e-mail; it can be created when a mailbox is desired for a collection of user accounts but no permissions will be needed.

Group Scope
Within each type of group there is a group scope. There are three possible group scopes: domain local, global, and universal.

Domain local
A domain local group can contain users and global groups from any trusted domain. However, a domain local group cannot contain domain local groups or local machine groups. Domain local groups are primarily used to assign permissions to resources. Use a domain local group when you want to assign access permissions to resources that are located in the same domain in which you create the domain local group. You can add all global groups that must share the same resources to the appropriate domain local group.

Global Group
A global group is a security or distribution group that can contain users, groups, and computers as members from its own domain. Use global groups to organize users by job description or function. You can grant rights and permissions to global security groups for resources in any domain in the forest. Because global groups are visible throughout the forest, do not create them for the purpose of allowing users access to domain-specific resources.

Universal Group
A universal group is a security or distribution group that can contain users, groups, and computers as members from any domain in its forest. Universal security groups can be granted rights and permissions on resources in any domain in the forest. A Windows Server 2003 domain must be in Windows 2000 native mode or Windows Server 2003 mode to use universal security groups. You can use universal distribution groups in a Windows Server 2003 domain that is in Windows 2000 mixed mode or higher.
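The following added example, not from the original slides, models the scope rules above in Python and then flattens nested membership to the accounts that actually receive a permission, which is what an access review needs. Forest, domain, group and account names are constructed. The slides do not spell out which group scopes may nest inside which, so those details (domain local and universal groups nest global and universal groups, global groups nest only global groups from their own domain) are this example's assumptions, repeated in the comments.

```python
"""Added example, not part of the original slides: a small model that
checks group memberships against the scope rules described above and
flattens nested groups to the accounts that actually receive access."""
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"
SECURITY, DISTRIBUTION = "security", "distribution"


@dataclass
class Principal:
    """A user or computer account and the domain it belongs to."""
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    kind: str = SECURITY
    members: list = field(default_factory=list)


@dataclass
class Forest:
    """Constructed forest: every domain in it trusts every other one."""
    domains: set
    native_mode: bool = True   # Windows 2000 native or Windows Server 2003 mode


def create_group(forest: Forest, name: str, domain: str, scope: str,
                 kind: str = SECURITY) -> Group:
    """Create a group, refusing universal security groups in mixed mode."""
    if domain not in forest.domains:
        raise ValueError(f"{domain} is not a domain in this forest")
    if scope == UNIVERSAL and kind == SECURITY and not forest.native_mode:
        raise ValueError("universal security groups need Windows 2000 native "
                         "or Windows Server 2003 mode")
    return Group(name, domain, scope, kind)


def can_add_member(forest: Forest, group: Group, member) -> tuple:
    """Apply the slides' scope rules. Which scopes may nest inside which is
    this example's assumption: domain local and universal groups accept
    global and universal groups, global groups accept only global groups."""
    if member.domain not in forest.domains:
        return False, f"{member.domain} is not a trusted domain"
    nested = isinstance(member, Group)
    if group.scope == DOMAIN_LOCAL:
        if nested and member.scope not in (GLOBAL, UNIVERSAL):
            return False, "domain local groups cannot contain domain local groups"
        return True, "ok"
    if group.scope == GLOBAL:
        if member.domain != group.domain:
            return False, "global groups take members from their own domain only"
        if nested and member.scope != GLOBAL:
            return False, "global groups nest only global groups"
        return True, "ok"
    if group.scope == UNIVERSAL:
        if nested and member.scope == DOMAIN_LOCAL:
            return False, "universal groups cannot contain domain local groups"
        return True, "ok"
    return False, f"unknown scope {group.scope!r}"


def add_member(forest: Forest, group: Group, member) -> None:
    allowed, reason = can_add_member(forest, group, member)
    if not allowed:
        raise ValueError(f"cannot add {member.name} to {group.name}: {reason}")
    group.members.append(member)


def effective_members(group: Group) -> set:
    """Flatten nested groups to 'name@domain' strings: who really gets the
    permissions granted to this group. Guards against membership cycles."""
    result, stack, visited = set(), [group], set()
    while stack:
        current = stack.pop()
        if id(current) in visited:
            continue
        visited.add(id(current))
        for member in current.members:
            if isinstance(member, Group):
                stack.append(member)
            else:
                result.add(f"{member.name}@{member.domain}")
    return result
```

The pattern the slides recommend (users in global groups per job function, global groups in a domain local group that holds the permission) is what the test scenario builds: a global group in the child domain placed into a domain local group in the parent domain, with effective_members showing the accounts from both domains that end up with access.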

DNS
For computers in a Windows 2003 network infrastructure to talk to one another, one of the key ingredients is the DNS service. DNS is the name resolution mechanism used by Windows Server 2003 clients to find other computers and the services running on those computers. A client consults its configured DNS servers for a list of Active Directory domain controllers, to which it then submits its logon credentials. We will start our discussion of DNS with the NetBIOS (Network Basic Input Output System) namespace.

There are important differences between the DNS namespace and the NetBIOS namespace, and identifying some of the advantages and disadvantages of each namespace can help you understand them.
A NetBIOS name is a 16-byte address that identifies a NetBIOS resource on a network.

NETBIOS
The important thing to keep in mind about the NetBIOS namespace, especially when contrasting it with the DNS namespace, is that it is a flat namespace. DNS, conversely, is a hierarchical namespace. Every NetBIOS name must be unique, period: there is no structure of parent and child namespaces that allows the same computer or service name to be reused. In the NetBIOS environment, computers and services register unique NetBIOS names by using a 15-character computer name appended with a 16th hexadecimal character that identifies the service on the network. If the computer name does not contain 15 characters, the NetBIOS protocol dictates that the name is padded with as many spaces as necessary to produce a 15-character name. In Windows, the NetBIOS name server is called the Windows Internet Naming Service, or WINS.
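The following added example, not part of the original slides, packs and unpacks the 16-byte NetBIOS name described above and uses a constructed flat name table to show the uniqueness rule. The computer names and addresses, the FlatNameTable class and the upper-casing of names are this example's own choices; the suffix labels for 0x00, 0x20 and 0x1B are for display only.

```python
"""Added example, not part of the original slides: packing and unpacking the
16-byte NetBIOS names described above, plus a constructed flat name table
that behaves like the registration rule (every name must be unique)."""

NETBIOS_NAME_LENGTH = 15    # the computer-name portion, space padded
NETBIOS_RECORD_LENGTH = 16  # 15 name bytes + 1 suffix byte

# Display labels for a few suffix values; descriptive only.
SUFFIX_LABELS = {
    0x00: "Workstation Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
}


def encode_netbios_name(computer_name: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: upper-cased name, space padded to 15
    bytes, followed by the one-byte service suffix.

    Upper-casing is this example's normalisation choice; it keeps 'fs01'
    and 'FS01' from registering as two different names.
    """
    name = computer_name.upper()
    if not name or len(name) > NETBIOS_NAME_LENGTH:
        raise ValueError(f"computer name must be 1..{NETBIOS_NAME_LENGTH} characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return name.encode("ascii").ljust(NETBIOS_NAME_LENGTH, b" ") + bytes([suffix])


def decode_netbios_name(raw: bytes) -> tuple:
    """Split a 16-byte NetBIOS name back into (computer name, suffix)."""
    if len(raw) != NETBIOS_RECORD_LENGTH:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    name = raw[:NETBIOS_NAME_LENGTH].decode("ascii").rstrip(" ")
    return name, raw[NETBIOS_NAME_LENGTH]


def describe(raw: bytes) -> str:
    """Human-readable form such as 'FS01<20> File Server Service'."""
    name, suffix = decode_netbios_name(raw)
    return f"{name}<{suffix:02X}> {SUFFIX_LABELS.get(suffix, 'unknown service')}"


class FlatNameTable:
    """Constructed stand-in for a NetBIOS name server's table.

    The namespace is flat: the 16-byte name is the whole key, so the same
    computer name with two different suffixes is two names, but the same
    name and suffix registered twice is a conflict no matter which subnet
    or department the second machine sits in.
    """

    def __init__(self):
        self._table: dict = {}

    def register(self, computer_name: str, suffix: int, ip: str) -> bool:
        """Register a name; False when another address already owns it."""
        key = encode_netbios_name(computer_name, suffix)
        if key in self._table and self._table[key] != ip:
            return False
        self._table[key] = ip
        return True

    def lookup(self, computer_name: str, suffix: int):
        return self._table.get(encode_netbios_name(computer_name, suffix))


if __name__ == "__main__":
    table = FlatNameTable()
    print(table.register("FS01", 0x20, "10.0.0.5"))   # constructed address
    print(table.register("fs01", 0x20, "10.0.0.6"))   # conflict: flat namespace
    print(describe(encode_netbios_name("FS01", 0x20)))
```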

DNS Components
Without DNS, you would have to know the IP address of every computer you are communicating with. DNS exists to resolve the names of computers to IP addresses.

There are three main components you will find in the Domain Name System, not just in Microsoft's implementation but in any DNS solution. These three items are:
- domain name servers
- DNS resolvers
- the logical namespace
The domain name servers are servers running the DNS software component, which store the information held in a zone file. These name servers provide address resolution and other information about the computers that you access, both in the Active Directory domain and in the named domains across the entire Internet. DNS resolvers are pieces of code built into the operating system. These pieces of code, also known as DNS clients, request resolution of FQDNs to IP addresses by querying their configured name servers.

The namespace is the logical division of names in which DNS objects are stored. In an Active Directory domain, the namespace can often reflect the organizational chart of a particular company, where the company name starts at the root of the namespace and then breaks into domains that provide a hierarchy for the enterprise.

Fully Qualified Domain Names
The job of a resolver is to request resolution of a fully qualified domain name (FQDN) to an IP address. A fully qualified domain name is a host name appended to the parent namespaces in the hierarchy. The leftmost portion of the FQDN is the host portion of the name; a host name is an alias we give to an IP address. Organizations outside of your control manage the topmost levels of the domain namespace. InterNIC is the organization that manages the top-level namespaces.

DNS Zones
If domains represent the logical division of the DNS namespace, zones represent the physical separation of the DNS namespace.

In other words, information about the records of the resources within your DNS domains is stored in a zone file, and this zone file exists on the hard drive of one of your name servers.
Domain name servers are simply servers that store these zone database files, which in turn provide resolution for the records in the zone files. The DNS servers also manage how those zone files are updated and transferred. Zone files are divided into one of two basic types:
- Forward lookup zone: provides host-name-to-IP-address resolution
- Reverse lookup zone: provides IP-address-to-host-name resolution
When a zone file is first created on a DNS server, that server is said to be authoritative for that zone. Then, for each child DNS domain name included in a zone, the zone becomes the authoritative source for the resource records stored in that child domain as well. This means that the DNS server can provide resolution for multiple domains within a zone file, and all changes to the resource records in both domains are made to the authoritative zone it stores.

Zone Categories
The DNS zones kept on Windows Server 2003 computers can be further broken down into one of three categories. For each forward or reverse lookup zone, the file will be one of these types of zones:
- Primary zone
- Secondary zone
- Stub zone
All of the zones you can create in Windows 2003 can be integrated in Active Directory.

DNS Primary Zones

The primary DNS server for a zone is the location where all updates to the zone's records are made.

All changes to the zone are then replicated to secondary servers. This replication model is called single master replication, where there is a single entity that controls changes to records.
Windows NT 4 used this single master model for directory database replication as well. This also highlights the biggest drawback of the standard primary server model: it includes a single point of failure. Just as when an NT 4 primary domain controller went down, if for any reason the primary server for a zone is unavailable, no updates to the zone can be made. This does not, however, affect resolution of names as long as secondary servers for the zone are available and name-to-IP-address mappings have not changed.

When you create a new zone, it will be a primary zone, and the server storing the zone will be a primary DNS server. You can then use primary zones in one of two ways: as standard primary zones, or as primary zones integrated with Active Directory. With a standard primary zone, only a single DNS server hosts and loads the master copy of the zone. Further, only that server is allowed to accept dynamic updates, and no additional primary servers for the zone are permitted. You typically implement a standard primary zone when you need to replicate zone information with DNS servers running on other platforms such as Unix. If you want to add more primary servers for a zone, you need to configure an Active Directory-integrated zone, which takes advantage of the Active Directory integrated storage and replication features of the DNS Server service.

DNS Secondary Zones

Any time you have a secondary of anything, it is usually for load balancing and fault tolerance.

Secondary servers are called secondary because they store copies of zone files. Changes to the DNS domains are made at the primary zone level and then copied to the secondary zones on secondary zone servers. At the end of the day, both end up storing the same information; it is just that changes to the domain are made at the primary level, not the secondary level. A DNS server can be a primary name server and a secondary name server at the same time: the designation is made by what kind of zone file is stored on the server, and you can store both primary and secondary zones on the same machine.

Resource Records Stored in a Zone File

Each record stored in a zone file has a specific purpose. Some of the records set the behaviour of the name server; others have the job of resolving a host name or service into an IP address.

Updates to Windows Server 2003's DNS

There have been several enhancements to the DNS features available with the Windows 2003 implementation of DNS, especially when compared with Microsoft's earlier deployments of the DNS service. Some of the improvements include the following:
- Conditional forwarders: DNS queries can be sent to specific DNS servers if they meet a defined set of conditions. For example, the 2003 DNS server can be set so that all queries for FQDNs that end in hclcomnet.co.in are forwarded to a specific DNS server.
- Stub zones: stub zones keep a DNS server that hosts a parent zone aware of the authoritative DNS servers for its child zone. This improves the efficiency of DNS name resolution.
- Enhanced DNS zone replication in Active Directory: you now have four replication choices for Active Directory-integrated DNS zone data.
- Enhanced debug logging: the DNS server has been written with enhanced debug logging options to aid in troubleshooting DNS name resolution.

Resolving a Host Name

Now that we have an understanding of the components of the DNS infrastructure, we also need to understand how a DNS client resolves an FQDN to an IP address. There are actually many ways. A client can sometimes answer a query using information cached from a previously successfully resolved name; in fact, this is the first location the DNS resolver checks. If the check of the cache fails to provide IP address resolution, the resolver gets help from its configured DNS server. This request is known as a recursive query. The DNS server in turn can use its own cache of resource record information to answer the query. Barring a quick resolution from the DNS server's cache, the server begins a walk of the DNS tree through a series of iterative queries.

Forward Lookup Resolution of FQDNs

Any time you enter a fully qualified domain name into an application, your operating system uses the resolver piece of code to query its configured DNS server (or servers) to get an IP address for the name you have just entered.

If the locally configured DNS server has a zone file that contains a record for the resource you are trying to browse to (or if the record is in the server's cache), that resource's IP address is returned to your resolver.
In most cases, though, the zone file is not going to hold the IP address for the record you are trying to look up. The computer does not care what the name of the computer is; in order to communicate, it needs the IP address. The first place it looks for resolution is its configured DNS server.

This query to the locally configured DNS server is called a recursive query.

If the local DNS server does not have an A record that maps the name to an IP address, the client's local DNS server, if it is configured to do so, begins looking through the entire DNS hierarchy on behalf of the DNS client.

The DNS server performs the name resolution; the DNS client sits and waits for a response to its recursive query.
The client's local DNS server then talks to other DNS servers throughout the DNS hierarchy using a series of iterative queries. The client asks its local DNS server using a recursive query. A recursive query says, basically, "give me the answer or tell me that you can't find it"; it is a pass/fail type of proposition. The other type of query, where DNS servers talk to each other as the local DNS server walks the domain tree, is called an iterative query. When your DNS server uses an iterative query
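The following added example, not from the original slides, simulates the path described above: the client resolver checks its own cache, sends one recursive query to its configured server, and that server answers from its cache or walks the tree from the root with iterative queries, returning either the address or a pass/fail "not found". The DNS tree, zone names and addresses are constructed (documentation-range addresses and a made-up "example" top-level domain), and the class and function names are this example's own.

```python
"""Added example, not part of the original slides: a simulation of client
cache, recursive query and iterative tree walk. The tree, names and
addresses are constructed for the example."""


class AuthoritativeServer:
    """Holds one zone's A records and the delegations to child zones.

    It only answers iterative queries: an answer, a referral to the child
    zone's server, or a 'no such name' result. It never recurses.
    """

    def __init__(self, zone: str, a_records=None, delegations=None):
        self.zone = zone
        self.a_records = {k.lower(): v for k, v in (a_records or {}).items()}
        self.delegations = {k.lower(): v for k, v in (delegations or {}).items()}

    def iterative_query(self, fqdn: str) -> tuple:
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.a_records:
            return "answer", self.a_records[fqdn]
        # Refer to the most specific delegated child zone the name falls under.
        best = None
        for child, server in self.delegations.items():
            if (fqdn == child or fqdn.endswith("." + child)) and \
                    (best is None or len(child) > len(best[0])):
                best = (child, server)
        if best:
            return "referral", best[1]
        return "nxdomain", None


class RecursiveServer:
    """The client's configured DNS server: answers from its cache or walks
    the tree from the root with iterative queries on the client's behalf."""

    def __init__(self, root: AuthoritativeServer):
        self.root = root
        self.cache: dict = {}

    def recursive_query(self, fqdn: str) -> tuple:
        """Return (ip or None, trace of the servers consulted)."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.cache:
            return self.cache[fqdn], ["server cache"]
        trace, server = [], self.root
        while True:
            kind, payload = server.iterative_query(fqdn)
            trace.append(f"{server.zone} -> {kind}")
            if kind == "answer":
                self.cache[fqdn] = payload
                return payload, trace
            if kind == "referral":
                server = payload
                continue
            return None, trace   # pass/fail: tell the client it was not found


class Resolver:
    """The resolver code built into the client OS: its own cache first,
    then a single recursive query to the configured server."""

    def __init__(self, dns_server: RecursiveServer):
        self.server = dns_server
        self.cache: dict = {}

    def resolve(self, fqdn: str) -> tuple:
        key = fqdn.lower().rstrip(".")
        if key in self.cache:
            return self.cache[key], ["client cache"]
        ip, trace = self.server.recursive_query(key)
        if ip is not None:
            self.cache[key] = ip
        return ip, trace


def build_constructed_tree() -> AuthoritativeServer:
    """Constructed tree: root '.' -> 'example' -> 'corp.example' (the AD domain)."""
    corp = AuthoritativeServer("corp.example", a_records={
        "dc1.corp.example": "192.0.2.10",
        "fs01.corp.example": "192.0.2.20",
    })
    tld = AuthoritativeServer("example", delegations={"corp.example": corp})
    return AuthoritativeServer(".", delegations={"example": tld})


if __name__ == "__main__":
    resolver = Resolver(RecursiveServer(build_constructed_tree()))
    print(resolver.resolve("DC1.corp.example."))   # walk: root, example, corp.example
    print(resolver.resolve("dc1.corp.example"))    # second time: client cache
```

The trace returned alongside the address shows the difference the slides draw: the client issues one recursive query and waits, while the server's trace lists each iterative hop (root, top-level, authoritative zone) it made on the client's behalf.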


Logical Elements of Active Directory

The logical components of Active Directory are important because they define how the computing enterprise will be administered. By designing and determining the logical elements of Active Directory, we become the architects of the network.

There are four logical components of Active Directory:
- Domains
- Trees
- Forests
- Organizational units

Domains
A Windows 2003 Active Directory domain is a logical collection of users and computers. In other words, it is an organizational entity that groups together the objects in your enterprise. With a domain in place, you have several benefits, including the following:
- Domains enable you to organize objects within a single department or single location, and all information about the objects is available.
- Domains act as security boundaries. Domain admins exercise complete control over all domain objects. Further, in Windows 2003 Active Directory, Group Policies, another kind of domain object, can be applied to determine how resources are managed and accessed.
- Domain objects can be made available to other domains.
- Domain names follow established DNS naming conventions, permitting the creation of child domains to best suit your administrative needs.
- Domains allow control over replication. That is, domain objects are fully replicated to other domain controllers within a domain, but not to other domains in an Active Directory enterprise.

Trees
Once you have decided to create domains in your enterprise, you may find that you need more than one domain to best reflect the administrative structure of your company.

Domains have many benefits; thus, you may find compelling reasons to apply these benefits separately to various groups of users and computers in your organization.
Domains exist in a tree, and trees in turn live in a forest. If you want to link your Windows 2003 domains together for purposes of administration and/or sharing of resources, you will need to start building Active Directory trees and forests. The hallmark of an Active Directory tree is that it is a contiguous linking of one or more Active Directory domains that share a common namespace. In other words, the domains are linked together in parent-child relationships as far as the naming conventions go.

Forests
A forest lets you link together multiple domain trees in a hierarchical arrangement. The goal in designing a forest is the same as when designing a tree: to define and maintain an administrative relationship between the domains. All domains in a tree are linked by two-way, transitive trust relationships, and all tree roots in the forest are likewise linked by two-way, transitive trusts. We need to choose our forest root domain with caution: once established, the forest root cannot be changed without decommissioning the entire logical Active Directory infrastructure. In Windows Server 2003 it is now possible to rename the forest root domain, but the domain designated as the forest root cannot be changed once established.

Organizational Units
When properly implemented, an organizational unit (OU) is the administrative lynchpin of a Windows 2003 Active Directory hierarchy. It is a container object within a domain that represents a sub-administrative entity within Active Directory. Organizational units are used to group domain computers, users, and other domain objects into an administrative collection, and these collections are kept as separate logical units. Windows 2003 domains are designed to be self-contained, and through the use of organizational units you have a lot of flexibility in how that domain is administered. OUs are not groups; they are administrative containers. Anything you can put into the domain, anything you can put into an Active Directory database, you can put into an organizational unit.

Understanding the Physical Elements of Active Directory

These logical structures are, however, physically created as software objects. These objects do not live in a vacuum; they have to be created somewhere, they have to be stored somewhere, and the information has to be shared with other computers. An Active Directory structure contains two physical components: SITES and DOMAIN CONTROLLERS.

DOMAIN CONTROLLERS
The job of a domain controller is to store a writable copy of the Active Directory database for the domain of which it is a member.

Sometimes these domain controllers store additional information, such as the Global Catalog. Sometimes the domain controllers play important roles in the functioning of the network, and sometimes they perform many of these tasks at once.

All of the objects in the domain's Active Directory database (the user accounts, the groups, the computer accounts, the organizational units, and so forth) are stored within a domain controller, and all domain controllers within a single domain act as peers. When domain controllers act as peers, they engage in multimaster replication. The multimaster replication model is a carryover from the Windows 2000 Active Directory environment, but it represents a significant departure from the single-master replication model used by Windows NT 4.0 domain controllers. All changes to the Windows NT 4.0 directory database were made at a Primary Domain Controller (PDC) and then replicated out to Backup Domain Controllers (BDCs). This is no longer the case: when Windows Server 2003 domain controllers engage in multimaster replication, a change to the Active Directory database can be made at any of the domain controllers, and these changes are then reflected on the other domain controllers after replication.

Implementing an Active Directory Site Topology

The simple definition of a site is a collection of one or more well-connected IP subnets. More importantly, though, a site is a unit of Active Directory replication. If the domain controller's job is to store and replicate the Active Directory database, then the site's job is to govern how that replication occurs. A site is also used by Active Directory to manage the following:
- Logon traffic, ensuring that a client locates and submits credentials to local domain controllers when possible
- Requests to the Global Catalog, by keeping all such requests local (if there is at least one Global Catalog server per site, as is recommended)
- Optimization of traffic for Active Directory-aware applications, such as the Distributed File System (DFS)

The Role of the Knowledge Consistency Checker

If sites exist to control replication traffic, how does Active Directory build the replication topology between a site's domain controllers? Automatically, using the Knowledge Consistency Checker (KCC).

During the Active Directory installation process, each domain controller is made aware of the other domain controllers within the same domain.
The Knowledge Consistency Checker works to ensure that every one of these domain controllers has at least one replication partner, or peer. The end result of the KCC's work is that all domain controllers are able to get updated Active Directory information from all the others using a fault-tolerant ring topology. The other job of the Knowledge Consistency Checker is to let Active Directory take care of replicating directory database information without administrators having to worry about it too much or configure it manually.

Manual creation of replication links between domain controllers can still be done, but Microsoft does not recommend it. The Knowledge Consistency Checker automates the replication process, ensures the replication topology, minimizes replication latency, and checks all replication links every 15 minutes to ensure that the domain controllers are functioning properly. Further, if one of the domain controllers is taken offline, the KCC automatically regenerates a new replication topology between the remaining domain controllers for the domain. So again, you do not have to do much: you can almost fall backwards into a good working network with Windows Server 2003.

Replication: How and Why


Replication between the domain controllers in an Active Directory domain, no matter which sites those domain controllers live in, works by keeping track of a version number assigned to the Active Directory database.

This version number is called an Update Sequence Number (USN), and it is used to track the changes made to each copy of Active Directory.
Every time a change is made to the database, the domain controller where the change was made updates its database USN. Every domain controller keeps track of its own USN and, more importantly, the USNs of its replication partners. Then, every 5 minutes (the default interval), the domain controller checks for changes from its replication partners in the same site. If a domain controller finds that a replication partner's USN has advanced, it requests that all changes since the last known USN be sent.

Replication: How and Why


Even if a domain controller has been offline for an extended time, it can quickly be sent all updates to the Active Directory database when it comes back online.
There are two types of replication:
Replication within sites (intrasite)
Replication between sites (intersite)
Replication within a site is handled by the Knowledge Consistency Checker. Replication between sites is handled by the intersite topology generator (ISTG). The job of the KCC is to evaluate the domain controllers within a site and automatically establish and maintain a ring-based replication topology. It does this by automatically creating connection objects between pairs of domain controllers within a site. Each domain controller will have at least two replication partners, if applicable (if there are only two domain controllers in a site, those domain controllers will have only one partner each).
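A small model of the USN-based pull replication described above, written as an added example rather than code from the slides. It also includes one mechanism the slides leave out, an up-to-dateness vector (assumed here as origin DC plus originating USN) so that a change does not echo around the ring; the DC names and attribute values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    """One attribute write, tagged with where and at which USN it originated."""
    origin: str       # DC on which the write originated
    origin_usn: int   # that DC's USN for the originating write
    obj: str
    attr: str
    value: str


@dataclass
class DomainController:
    name: str
    online: bool = True
    usn: int = 0                      # local USN, bumped on every write (originating or replicated)
    log: list = field(default_factory=list)            # (local USN, Change) in USN order
    store: dict = field(default_factory=dict)          # obj -> {attr: value}
    high_watermark: dict = field(default_factory=dict)  # partner name -> last USN pulled from it
    up_to_date: dict = field(default_factory=dict)      # origin DC -> highest origin USN applied here

    def _apply(self, change: Change) -> None:
        self.usn += 1
        self.store.setdefault(change.obj, {})[change.attr] = change.value
        self.log.append((self.usn, change))
        self.up_to_date[change.origin] = max(self.up_to_date.get(change.origin, 0),
                                             change.origin_usn)

    def write(self, obj: str, attr: str, value: str) -> int:
        """Originating update: stamped with this DC's next USN."""
        self._apply(Change(self.name, self.usn + 1, obj, attr, value))
        return self.usn

    def changes_since(self, usn: int) -> list:
        return [(u, c) for u, c in self.log if u > usn]

    def pull_from(self, partner: DomainController) -> int:
        """One replication check against one partner (the default 5-minute intrasite
        cycle). Returns the number of changes applied."""
        if not (self.online and partner.online):
            return 0
        known = self.high_watermark.get(partner.name, 0)
        if partner.usn <= known:
            return 0                                   # partner's USN has not advanced
        applied = 0
        for _, change in partner.changes_since(known):  # only changes since the last known USN
            # Propagation dampening: changes from one origin arrive in origin-USN order,
            # so anything at or below the vector entry has already been applied here.
            if change.origin_usn > self.up_to_date.get(change.origin, 0):
                self._apply(change)
                applied += 1
        self.high_watermark[partner.name] = partner.usn
        return applied


def run_scenario() -> dict:
    """Three DCs in a ring; DC3 goes offline, misses two writes, then catches up."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    ring = [(dc1, dc2), (dc2, dc3), (dc3, dc1)]     # each DC has two partners

    def cycle() -> None:
        for a, b in ring:
            a.pull_from(b)
            b.pull_from(a)

    dc1.write("cn=alice", "telephoneNumber", "555-0100")   # constructed sample data
    cycle()
    dc3.online = False
    dc2.write("cn=bob", "title", "Engineer")
    dc1.write("cn=alice", "title", "Manager")
    cycle()
    dc3.online = True          # DC3 now asks each partner for everything past its last known USN
    cycle()
    return {dc.name: dc.store for dc in (dc1, dc2, dc3)}
```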

Replication: How and Why


You can manually create these connection objects between domain controllers, or force replication between two domain controllers, but normally you would never need to do so.

To force replication over a connection object, right-click the connection object and choose Replicate Now from the context menu.
The KCC is a dynamic process. That is, it automatically adjusts the replication topology as network conditions change. As domain controllers or subnets are added to or removed from a site, the KCC constantly checks that each domain controller is able to exchange information with at least two others within the site, keeping the ring topology intact. So even though you need to do virtually nothing to tweak the performance of the KCC in a production network, your job as a test candidate is to make sure you understand the purpose of the KCC.
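An added model (not from the slides) of what the KCC computes inside one site: the ring of connection objects, the two-DC special case, the intact-ring check, and regeneration when a DC drops out. It goes one step beyond the text with a simplified stand-in for the extra connections the KCC adds in larger sites so that no DC is more than three hops from another; that optimizing step is an approximation, not the KCC's real algorithm.

```python
from collections import deque


def build_ring(dcs: list) -> dict:
    """Connection objects the KCC would create inside one site: a ring in which each
    DC has two partners (one partner each when the site has only two DCs)."""
    partners = {dc: set() for dc in dcs}
    n = len(dcs)
    if n < 2:
        return partners
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        partners[dc].add(nxt)
        partners[nxt].add(dc)
    return partners


def hop_distances(partners: dict, start: str) -> dict:
    """Breadth-first replication hop count from `start` to every reachable DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in partners[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def max_hops(partners: dict):
    """Worst-case hops between any two DCs, or None if the topology is split."""
    worst = 0
    for dc in partners:
        dist = hop_distances(partners, dc)
        if len(dist) != len(partners):
            return None
        worst = max(worst, max(dist.values()))
    return worst


def ring_is_intact(partners: dict) -> bool:
    """The KCC's goal: every DC reaches every other, with at least two partners
    (or one, in a two-DC site)."""
    n = len(partners)
    if n < 2:
        return n == 1
    need = 1 if n == 2 else 2
    return all(len(p) >= need for p in partners.values()) and max_hops(partners) is not None


def add_optimizing_connections(partners: dict, limit: int = 3) -> dict:
    """Simplified stand-in (not the KCC's real algorithm) for the extra intrasite
    connections the KCC adds in larger sites: link the two most distant DCs until
    no DC is more than `limit` hops from any other."""
    partners = {dc: set(p) for dc, p in partners.items()}
    while True:
        farthest = None
        for dc in partners:
            for other, d in hop_distances(partners, dc).items():
                if d > limit and (farthest is None or d > farthest[0]):
                    farthest = (d, dc, other)
        if farthest is None:
            return partners
        _, a, b = farthest
        partners[a].add(b)
        partners[b].add(a)


def kcc_pass(dcs: list, online: set) -> dict:
    """Model of the periodic KCC check: rebuild the topology from the DCs that are
    online, so a DC that went offline simply drops out of the ring."""
    live = [dc for dc in dcs if dc in online]
    return add_optimizing_connections(build_ring(live))
```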

Replication: How and Why


Moreover, here's what else you need to know about intrasite replication:
Replication does not use compression. This behaviour reduces the processing load on domain controllers (processing cycles are needed to compress and uncompress information).
Replication occurs based on a notification process. When a domain controller has an update to its Active Directory database, it notifies the other domain controllers in the same site. These domain controllers then contact the notifying domain controller and request that the changes to the database be sent.

Replication: How and Why


Replication between sites happens automatically after you define configurable values, such as a schedule or a replication interval. You can schedule replication for inexpensive or off-peak hours. By default, changes are replicated between sites according to a manually defined schedule and not according to when changes occur. The schedule determines at which times replication is allowed to occur. The interval specifies how often domain controllers check for changes during the time that replication is allowed to occur. Replication traffic between sites is designed to optimize bandwidth by compressing all replication traffic between sites. Replication traffic is compressed to 10 to 15 percent of its original size before it is transmitted. Although compression optimizes the network bandwidth that is required, it imposes an additional processing load on domain controllers for the compression and decompression of replication data.

Replication: How and Why


The intersite topology generator is an Active Directory process that runs on one domain controller in a site. A single domain controller in each site is automatically designated as the intersite topology generator.

The intersite replication topology defines the replication between sites on a network.
The intersite topology generator also selects one or more domain controllers to become bridgehead servers. If a bridgehead server becomes unavailable, it automatically selects another bridgehead server, if possible. It runs the KCC to determine the replication topology and the resulting connection objects used by the bridgehead servers to communicate with the bridgehead servers of other sites. If the domain controller designated as the intersite topology generator becomes unavailable, another domain controller is automatically designated.

The Active Directory database


The Active Directory database is logically separated into directory partitions: a schema partition, a configuration partition, domain partitions, and application partitions. Each partition is a unit of replication, and each partition has its own replication topology. Replication is performed between directory partition replicas. All domain controllers in the same forest have at least two directory partitions in common: the schema and configuration partitions. All domain controllers in the same domain, in addition, share a common domain partition.

Active Directory partitions


Each domain controller contains the following Active Directory partitions:
Schema partition: There is only one schema partition per forest. The schema partition is stored on all domain controllers in a forest. It contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest, so all objects must comply with the schema object and attribute definitions.
Configuration partition: There is only one configuration partition per forest. The configuration partition is stored on all domain controllers in a forest. It contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Active Directory partitions


Domain partitions: There can be many domain partitions per forest. The domain partitions are stored on all of the domain controllers of the given domain. A domain partition holds information about all domain-specific objects created in that domain, including users, groups, computers, and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the Global Catalog, with only a subset of their attribute values.
Application partitions: Store application-specific information in Active Directory. Each application determines how it will store, categorize, and use application-specific information. To prevent unnecessary replication of specific application partitions, Active Directory administrators can designate which domain controllers in a forest will host specific application partitions.

The application partition differs from a domain partition in that it is not allowed to store security principal objects such as user accounts. In addition, the data in an application partition is not stored in the Global Catalog.

What Are Operations Masters?


When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication. During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, you use single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.

What Are Operations Masters?


Operations that use single-master replication are arranged together in specific roles in a forest or domain; these roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role.

Active Directory stores information about which domain controller holds a specific role.
Active Directory defines five operations master roles, each of which has a default location. Operations master roles are either forest-wide or domain-wide.

Operations Master Roles


There are five operations master roles:
Schema master
Domain naming master
PDC emulator
RID master
Infrastructure master

Operations Master Roles


Schema master: Controls all updates to the schema.

The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.
Whenever you extend the schema or install an application that does so, such as Exchange Server, the schema master must be available.
Domain naming master: Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

Operations Master Roles


Primary domain controller (PDC) emulator: Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain. By default, this FSMO server is responsible for synchronizing the time on all domain controllers throughout the domain. The PDC emulator is also the first domain controller notified whenever password changes are performed by other domain controllers in the domain. If a user submits a logon to a domain controller that does not have the updated password, the logon request is forwarded to the PDC emulator before the logon attempt is rejected.

Operations Master Roles


Relative identifier (RID) master: When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID).

This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain.
The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID from its allocated block to each object it creates.

Operations Master Roles


Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain.

The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID.
Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object. Additionally, the infrastructure master is in charge of updating group-to-user references whenever the members of groups are modified.

Planning Flexible Operations Master Role Placement


In every forest, five FSMO roles are assigned to one or more domain controllers.
Two of these operations masters are forest-wide: there is only one such server in the forest.
Schema master
Domain naming master

Three are domain-wide roles: in every forest, these single-master roles are held by only one server per domain.
PDC emulator
RID master
Infrastructure master

Roles performed by the schema master


An Active Directory schema defines the kinds of objects and the types of information about those objects that you can store in Active Directory. The definitions are stored as objects so that Active Directory can manage the schema objects with the same object management operations that it uses to manage other objects in the directory. The schema master performs the following roles:

Controls all originating updates to the schema
Contains the master list of object classes and attributes that are used to create all Active Directory objects
Replicates updates to the Active Directory schema to all domain controllers in the forest by using standard replication of the schema partition
Allows only the members of the Schema Admins group to make modifications to the schema

The effect of the schema master being unavailable


Having only one schema master per forest prevents any conflicts that would result if two or more domain controllers attempted to update the schema simultaneously. Temporary loss of the schema master is not visible to network users or to network administrators unless they are trying to modify the schema or install an application that modifies the schema during installation. If the schema master is unavailable and you need to make a change to the schema, you can seize the role to a standby operations master.

Roles performed by the Domain Naming Master


When you add or remove a domain from a forest, the change is recorded in Active Directory. The domain naming master controls the addition or removal of domains in the forest. There is only one domain naming master per forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain. The domain naming master prevents multiple domains with the same domain name from joining the forest. When you use the Active Directory Installation Wizard to create a child domain, it contacts the domain naming master and requests the addition or deletion.

The effect of the Domain Naming Master being unavailable


Like the schema master, temporary loss of the domain naming master is not visible to network users or to network administrators unless the administrator is trying to add a domain to the forest or remove a domain from the forest

If the domain naming master is unavailable, you cannot add or remove domains
If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master.

To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles

Roles performed by the PDC Emulator


The PDC emulator acts as a Microsoft Windows NT Primary Domain Controller (PDC) to support any backup domain controllers (BDCs) running Windows NT in a mixed-mode domain

When you create a domain, the PDC emulator role is assigned to the first domain controller in the new domain. The PDC emulator:
Acts as the PDC for any existing BDCs.
Manages password changes from computers running Windows NT, Microsoft Windows 95, or Windows 98. Password changes from these clients must be written directly to the PDC.
Minimizes replication latency for password changes.
Synchronizes the time on all domain controllers throughout the domain to its own time.

What Is the RID Master?


Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain.
Creating objects: To allow multimaster operation, in which objects can be created on any domain controller, the RID master allocates a block of RIDs to each domain controller. When a domain controller needs an additional block of RIDs, it contacts the RID master, which allocates a new block of RIDs to the domain controller, which in turn assigns them to the new objects. If a domain controller's RID pool is empty and the RID master is unavailable, you cannot create new security principals on that domain controller.
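An added example (not from the slides) covering the RID master text here together with the SID composition described under the operations master roles: blocks of 500 RIDs handed to each DC, SIDs minted as domain SID plus RID, and the failure when a DC's pool is empty while the RID master is unreachable. The domain SID, the starting RID and the account names are constructed.

```python
RID_BLOCK_SIZE = 500   # block size quoted in the placement guidelines later in the deck
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample domain SID


class RidMasterUnavailable(Exception):
    """The RID master could not be reached, so no new block can be allocated."""


class RidMaster:
    """The one DC per domain that hands out non-overlapping blocks of RIDs."""

    def __init__(self, first_free_rid: int = 1000) -> None:
        self.next_rid = first_free_rid   # constructed; lower RIDs are reserved well-known ones
        self.online = True

    def allocate_block(self, size: int = RID_BLOCK_SIZE) -> tuple:
        if not self.online:
            raise RidMasterUnavailable("RID master is offline")
        start = self.next_rid
        self.next_rid += size             # the next DC gets a disjoint range
        return start, start + size - 1    # inclusive range


class DomainController:
    """Any DC in the domain: creates security principals from its own RID pool."""

    def __init__(self, name: str, rid_master: RidMaster) -> None:
        self.name = name
        self.rid_master = rid_master
        self.pool = []            # unused RIDs left in the current block
        self.principals = {}      # account name -> SID

    def pool_remaining(self) -> int:
        return len(self.pool)

    def create_security_principal(self, account: str) -> str:
        if not self.pool:
            # Pool exhausted: the DC must reach the RID master before it can mint another SID.
            start, end = self.rid_master.allocate_block()
            self.pool = list(range(start, end + 1))
        rid = self.pool.pop(0)
        sid = f"{DOMAIN_SID}-{rid}"   # SID = domain SID + RID
        self.principals[account] = sid
        return sid


def split_sid(sid: str) -> tuple:
    """Separate a SID into its domain SID and its RID (the last sub-authority)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def run_scenario() -> dict:
    """DC1 uses up a whole block, then the RID master goes offline: DC1 is stuck,
    DC2 keeps working from the remainder of its own block."""
    master = RidMaster()
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    sids = [dc1.create_security_principal(f"user{i}") for i in range(RID_BLOCK_SIZE)]
    sids.append(dc2.create_security_principal("svc-backup"))
    master.online = False
    creation_failed = False
    try:
        dc1.create_security_principal("user-late")
    except RidMasterUnavailable:
        creation_failed = True
    late_sid = dc2.create_security_principal("user-late")
    return {"sids": sids, "creation_failed": creation_failed, "late_sid": late_sid,
            "dc1_pool": dc1.pool_remaining(), "dc2_pool": dc2.pool_remaining()}
```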

What Is the Infrastructure Master?


The infrastructure master is the domain controller that is responsible for updating object references in its domain that point to objects in another domain. Active Directory periodically updates the distinguished name and SID to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object. The infrastructure master updates object identification according to the following rules:
If the object moves at all, its distinguished name changes, because the distinguished name represents its exact location in the directory.
If the object is moved within the domain, its SID remains the same.
If the object is moved to another domain, the SID changes to incorporate the new domain SID.

Infrastructure master and the global catalog


The infrastructure master should not be the same domain controller that hosts the global catalog. If the infrastructure master and the global catalog are on the same computer, the infrastructure master does not function, because it does not contain any references to objects that it does not hold. In addition, the domain replica data and the global catalog server data cannot exist on the same domain controller. Periodically, the infrastructure master for a domain examines the references in its replica of the directory data to objects that are not held on that domain controller. It queries a global catalog server for current information about the distinguished name and SID of each referenced object. If this information has changed, the infrastructure master makes the change in its local replica.

Transferring and Seizing Operations Master Roles


When you create a Microsoft Windows Server 2003 domain, Windows Server 2003 automatically configures all of the operations master roles. However, you may need to reassign an operations master role to another domain controller in the forest or the domain. To reassign an operations master role, determine the holder of the operations master role and then either transfer or seize the operations master role.

Transfer of Operations Master Roles


The placement of operations master roles in a forest is done when the forest and domain structure is implemented, and requires change only when making a major change to the domain infrastructure

Such changes include decommissioning a domain controller that holds a role or adding a new domain controller that is better suited to hold a specific role
Transferring an operations master role means moving it from one functioning domain controller to another. To transfer roles, both domain controllers must be up and running and connected to the network. No data loss occurs when you transfer an operations master role, because the transfer uses the normal directory replication mechanism. The process of role transfer involves replicating the current operations master directory to the new domain controller, which ensures that the new operations master has the most current information available.

Transfer of Operations Master Roles


To transfer an operations master role, you must have the appropriate permissions. The following table lists the groups that you must be a member of to transfer an operations master role.

Seizing an operations master role


Seizing an operations master role means forcing an operations master role on another domain controller that cannot contact the failed domain controller and perform a transfer

Seizing an operations master role is a drastic step


Do it only if the current operations master will never be available again and if a role cannot be transferred

Because the previous role holder is unavailable during a seizure, you cannot reconfigure or inform it that another domain controller now hosts the operations master role
To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure.

Seizing an operations master role


If the previous role holder comes back online after you seize an operations master role, it waits until after a full replication cycle before resuming the role of operations master

This way, it can see if another operations master exists before it comes back online
If it detects one, it reconfigures itself to no longer host the roles in question

Active Directory continues to function when the operations master roles are unavailable
If the role holder is only offline for a short time, you may not need to seize the role to a new domain controller

Guidelines for Placing Operations Masters


In a forest that has a large number of domain controllers or multiple sites, you must plan the placement of operations master roles to maximize performance and minimize risk to the operational environment in the event of the loss of a domain controller. In a single domain forest, leave all of the operations master roles on the first domain controller in the forest. Designate each domain controller as a global catalog server, because in that case the global catalog contains only the domain's own data.

In a multiple domain forest, use the following guidelines:


In the forest root domain: If all domain controllers are also global catalog servers, leave all of the roles on the first domain controller in the forest. If not all domain controllers are also global catalog servers, move all of the operations masters to a domain controller that is not a global catalog server.

Guidelines for Placing Operations Masters


In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first server in the domain, and ensure that this server is never designated as a global catalog server

In each domain in the forest, the server that holds the operations master roles should have both high availability and high capacity
A highly available domain controller is one that uses computer hardware that enables the domain controller to remain operational even during a hardware failure. For example, having a redundant array of independent disks (RAID) may enable the domain controller to keep running if a single hard disk fails. A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload from holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth.

Guidelines for Placing Operations Masters


For each server that holds one or more operations master roles, another domain controller in the same domain should be available as a standby operations master. The standby operations master should:
Not be a global catalog server, except in a single domain environment where all domain controllers are also global catalog servers.

Have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site

Guidelines for Placing the Schema Master


The schema master is a forest-wide operations master role. It controls all originating updates to the schema. If the schema master is unavailable, you cannot modify the schema. By default, the first domain controller of a new forest holds the schema master role. Make a highly available domain controller the schema master. Since the schema defines all the objects that Active Directory can store, it is critical to record all changes that are made to the schema. Do not require that the schema master be a high-capacity domain controller. Schema changes are infrequent, the average server load is minimal, and the average replication traffic is not an overall concern.

Guidelines for Placing the Domain Naming Master


The domain naming master is a forest-wide operations master role. It controls the addition or removal of domains in the forest. By default, the first domain controller of a new forest holds the domain naming master role. Use a highly available domain controller as the domain naming master. High availability is necessary when you add or remove a domain to or from the forest. Do not require that the domain naming master be a high-capacity domain controller. Adding and removing domains are infrequent tasks and the average server load is minimal.

Guidelines for Placing the PDC Emulator Master


The PDC emulator master is a domain-wide operations master role. It acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Windows NT within a domain that is set to either the Windows 2000 mixed or Windows interim domain functionality. The first domain controller that you create in a new domain is assigned the PDC emulator role. Use a highly available domain controller as the PDC emulator. All domain controllers frequently access the PDC emulator for password changes, forwarding of mismatched passwords during logon, time synchronization, and support of BDCs and clients running Windows NT and earlier. Use a high-capacity domain controller as the PDC emulator.

Guidelines for Placing the PDC Emulator Master


Because there would be an increased load placed on this domain controller, do one of the following:
Increase the domain controller's processing power.
Do not make the domain controller a global catalog server.
Reduce the priority and weight of its service (SRV) record to give preference for authentication to other domain controllers in the site.
Centrally locate this domain controller to accommodate the majority of the domain users.

Guidelines for Placing the RID Master


Use a highly available domain controller as the RID master. High availability is critical to the continued creation of security principals and helps prevent the need for seizing the role. Do not require that the RID master be a high-capacity domain controller. Creating security principals is typically an ongoing operation without large peaks. Also, because RIDs are distributed in blocks of 500 to each domain controller, the average server load and average replication traffic are minimal. Configure the domain controller that holds the RID master role as a direct replication partner of the domain controller that is the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role, because replication latency is minimized. Centrally locate the RID master in your network if no single site performs most of the user account creation.

Guidelines for Placing the Infrastructure Master


Do not require that the infrastructure master be a highly available domain controller. There is no potential loss of information controlled by this operations master. In addition, the impact of the infrastructure master being offline for a short period of time is negligible, because it does not affect end users. Do not require that the infrastructure master be a high-capacity domain controller. The infrastructure master does not use server resources intensively. Avoid placing the infrastructure master role on a domain controller that hosts a global catalog. If a domain controller that holds the infrastructure master role is also a global catalog server, cross-domain object references in that domain will not be updated.
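An added placement audit (not from the slides) that applies the guidelines above to a description of a forest: one holder per role, the infrastructure master kept off a global catalog server unless every DC is a GC, and a non-GC standby in the same site for each role holder. The forest layouts are constructed, and `DC`, `audit_placement` and the role strings are this example's own names.

```python
from dataclasses import dataclass, field

FOREST_ROLES = ("schema master", "domain naming master")
DOMAIN_ROLES = ("PDC emulator", "RID master", "infrastructure master")


@dataclass
class DC:
    """One domain controller as the audit sees it (constructed model)."""
    name: str
    domain: str
    site: str
    is_gc: bool = False
    roles: set = field(default_factory=set)


def audit_placement(dcs: list) -> list:
    """One finding string per guideline violation; an empty list means the placement
    follows the guidance above as far as this model checks it."""
    findings = []
    domains = sorted({d.domain for d in dcs})
    all_gc = all(d.is_gc for d in dcs)
    single_domain = len(domains) == 1

    # Forest-wide roles: exactly one holder anywhere in the forest.
    for role in FOREST_ROLES:
        holders = [d.name for d in dcs if role in d.roles]
        if len(holders) != 1:
            findings.append(f"{role}: expected one holder in the forest, found {holders}")

    # Domain-wide roles: exactly one holder in each domain.
    for domain in domains:
        for role in DOMAIN_ROLES:
            holders = [d.name for d in dcs if d.domain == domain and role in d.roles]
            if len(holders) != 1:
                findings.append(f"{role}: expected one holder in {domain}, found {holders}")

    # An infrastructure master on a global catalog server stops updating
    # cross-domain references, unless every DC is a GC (the single-domain case).
    for d in dcs:
        if "infrastructure master" in d.roles and d.is_gc and not all_gc:
            findings.append(f"infrastructure master: {d.name} is a global catalog server, "
                            f"so cross-domain references in {d.domain} will not be updated")

    # Each role holder needs a standby in the same domain and site; the standby must
    # not be a GC, except in a single-domain forest where every DC is a GC.
    def eligible_standby(holder: DC, other: DC) -> bool:
        same_place = (other is not holder and other.domain == holder.domain
                      and other.site == holder.site)
        return same_place and (not other.is_gc or (single_domain and all_gc))

    for d in dcs:
        if d.roles and not any(eligible_standby(d, o) for o in dcs):
            findings.append(f"standby: no eligible standby operations master for {d.name} "
                            f"in site {d.site}")
    return findings


def sample_forest() -> list:
    """Constructed two-domain forest that breaks the guidance in two places."""
    return [
        DC("DC1", "corp.example", "HQ", is_gc=True, roles=set(FOREST_ROLES + DOMAIN_ROLES)),
        DC("DC2", "corp.example", "HQ"),
        DC("DC3", "sales.corp.example", "Branch", is_gc=True, roles=set(DOMAIN_ROLES)),
        DC("DC4", "sales.corp.example", "Branch", is_gc=True),
    ]


def remediated_forest() -> list:
    """Constructed layout that follows the guidance: roles on non-GC DCs, with a
    non-GC standby beside each role holder."""
    return [
        DC("DC1", "corp.example", "HQ", is_gc=True),
        DC("DC2", "corp.example", "HQ", roles=set(FOREST_ROLES + DOMAIN_ROLES)),
        DC("DC5", "corp.example", "HQ"),
        DC("DC3", "sales.corp.example", "Branch", is_gc=True),
        DC("DC4", "sales.corp.example", "Branch", roles=set(DOMAIN_ROLES)),
        DC("DC6", "sales.corp.example", "Branch"),
    ]
```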

How Active Directory services enable a single sign-on that allows users to access approved resources

Single Sign On

A single sign-on consists of two parts:
Authentication, which verifies the credentials of the connection attempt.
Authorisation, which verifies that the connection attempt is allowed.
The authorisation process happens only after a successful authentication. In the next slides we will see the authentication and authorisation processes in detail.

Single Sign On Authentication


1. The user enters the credentials at a workstation to log on.
2. The credentials are encrypted by the client and sent to a domain controller for the client's domain.

Single Sign On Authentication


3. The KDC (Key Distribution Center) compares the credentials with the credentials that the KDC stores.

If the credentials match, the process continues.

Single Sign On Authentication


4. The domain controller creates a list of the domain-based groups that the user belongs to

Single Sign On Authentication


5. The domain controller then queries the global catalog to identify the universal groups that the user belongs to

Single Sign On Authentication


6. The KDC issues the client a ticket-granting ticket or TGT, which contains the encrypted SIDs, or security identifiers, for the groups that the user is a member of

The user is now authenticated and can request access to resources

Single Sign On Authorization


7. The client requests access to a resource that resides on a specific server

Single Sign On Authorization


8. The client uses the TGT to access the TGS

Single Sign On Authorization


9. The TGS issues a session ticket to the client for the server that the resource resides on. The session ticket also contains the SIDs for the user's group memberships

Single Sign On Authorization


10. The client presents the session ticket to the server

Single Sign On Authorization


11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource's DACL.

If they match, the user is granted access to the resource
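The eleven steps above, as an added example that is not part of the original slides. Tickets are HMAC-signed rather than Kerberos-encrypted, the KDC compares a stored password instead of a derived key, and the accounts, SIDs, keys and DACLs are all constructed; the DACL check also handles the no-DACL and empty-DACL cases, which the slides do not cover.

```python
import hashlib
import hmac
import json

READ, WRITE = 0x1, 0x2          # simplified access mask bits

# Constructed sample directory data (not from the slides).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
KDC_KEY = b"constructed-krbtgt-long-term-key"             # shared by the KDC and the TGS
SERVER_KEYS = {"FILESRV": b"constructed-filesrv-key"}      # each resource server's own key
ACCOUNTS = {"alice": {"password": "hunter2!", "sid": f"{DOMAIN_SID}-1105"}}
DOMAIN_GROUPS = {"alice": [f"{DOMAIN_SID}-1107"]}          # domain-based groups (step 4)
GLOBAL_CATALOG = {"alice": [f"{DOMAIN_SID}-1120"]}         # universal groups (step 5)


def _seal(claims: dict, key: bytes) -> str:
    """Simplification: a ticket is the JSON claims plus an HMAC tag under `key`
    (real Kerberos tickets are encrypted, not merely signed)."""
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def _open(ticket: str, key: bytes) -> dict:
    body, _, tag = ticket.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket failed integrity check")
    return json.loads(body)


def kdc_authenticate(user: str, password: str):
    """Steps 1-6: check the credentials, collect the user's group SIDs and issue a TGT.
    Returns None when the credentials do not match (step 3)."""
    account = ACCOUNTS.get(user)
    if account is None or not hmac.compare_digest(account["password"], password):
        return None
    sids = [account["sid"]] + DOMAIN_GROUPS.get(user, []) + GLOBAL_CATALOG.get(user, [])
    return _seal({"user": user, "sids": sids}, KDC_KEY)


def tgs_session_ticket(tgt: str, server: str) -> str:
    """Steps 8-9: the TGS validates the TGT and issues a session ticket for `server`,
    carrying the same group SIDs, sealed with that server's key."""
    claims = _open(tgt, KDC_KEY)
    return _seal({"user": claims["user"], "sids": claims["sids"], "server": server},
                 SERVER_KEYS[server])


def access_check(token_sids: set, dacl, desired: int) -> bool:
    """Step 11: the LSA compares the SIDs in the access token with the DACL.
    `dacl` is a list of (ace_type, sid, mask) in canonical order (deny ACEs first).
    No DACL at all (None) grants everyone everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue                  # this ACE does not apply to the token
        if ace_type == "deny" and mask & desired:
            return False              # an applicable deny wins over any later allow
        if ace_type == "allow":
            granted |= mask & desired
            if granted == desired:
                return True
    return False


def server_access(session_ticket: str, server: str, dacl, desired: int) -> bool:
    """Steps 10-11: the server opens the session ticket with its own key, builds the
    access token from the SIDs inside it and runs the DACL check."""
    claims = _open(session_ticket, SERVER_KEYS[server])
    if claims["server"] != server:
        return False                  # ticket was issued for a different server
    return access_check(set(claims["sids"]), dacl, desired)
```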

Single Sign On Conclusion


To conclude, authentication and authorization are complex processes; we will review them now.

Granting Access Between Domains


If an enterprise has multiple domains, in order for a user in one domain to access a resource in another domain, a trust relationship must first be created between the two domains. Once the trust relationship has been created, users from one domain will be able to access resources in the other domain. Trust relationships have evolved significantly since they were introduced back in the NT days. When trusts were first implemented, it was a very simple model with one domain trusting another, and administrators in each domain were responsible for maintaining their part of the trust. Windows 2000 introduced the two-way transitive trust. Windows Server 2003 takes the trust a step further with a forest trust and by enabling a single administrator to configure both sides of the trust.

Granting Access Between Domains


A transitive trust is a trust in which the two domains forming the trust not only trust each other, but other trusted domains as well. If domain A trusts domain B, and domain B trusts domain C, then domain A also trusts domain C. Nontransitive trusts are not automatic and must be set up. An example of a nontransitive trust is an external trust, such as the trust between a domain in one forest and a domain in another forest. Shortcut trusts are only partially transitive because trust transitivity is extended only down the hierarchy from the trusted domain, not up the hierarchy.

Forest trusts are also only partially transitive because forest trusts can only be created between two forests and they cannot be implicitly extended to a third forest. For example, if forest 1 trusts forest 2, and forest 2 trusts forest 3, domains in forest 1 transitively trust domains in forest 2, and domains in forest 2 transitively trust domains in forest 3. However, forest 1 does not transitively trust forest 3.
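The trust rules above (transitive within a forest, external trusts nontransitive, forest trusts never extended to a third forest), as an added example not from the slides. Shortcut trusts are left out because they change the authentication path, not whether access is possible; forests are identified by their root domain, and every domain and trust here is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str        # domain (or forest root) whose resources become reachable
    trusted: str         # domain (or forest root) whose users are accepted
    kind: str            # "external" (nontransitive) or "forest"
    two_way: bool = True


def _direct(trust: Trust, trusting: str, trusted: str) -> bool:
    """Does this single trust object cover `trusting` accepting `trusted`?"""
    if (trust.trusting, trust.trusted) == (trusting, trusted):
        return True
    return trust.two_way and (trust.trusted, trust.trusting) == (trusting, trusted)


def domain_trusts(trusting: str, trusted: str, forest_of: dict, trusts: list) -> bool:
    """Can a user from `trusted` be granted access to a resource in `trusting`?
    `forest_of` maps each domain to its forest root domain."""
    if forest_of[trusting] == forest_of[trusted]:
        return True                   # default intra-forest trusts are two-way and transitive
    for t in trusts:
        if t.kind == "external" and _direct(t, trusting, trusted):
            return True               # an external trust covers exactly the two named domains
        if t.kind == "forest" and _direct(t, forest_of[trusting], forest_of[trusted]):
            return True               # a forest trust spans both forests, but only those two
    return False


def accepted_domains(trusting: str, forest_of: dict, trusts: list) -> list:
    """Every domain whose users `trusting` will accept under the rules above."""
    return sorted(d for d in forest_of if domain_trusts(trusting, d, forest_of, trusts))


def sample_environment():
    """Constructed: forest 1 <-> forest 2 <-> forest 3 by forest trusts, plus a
    one-way external trust from one child domain to a stand-alone legacy domain."""
    forest_of = {
        "corp.example": "corp.example", "eu.corp.example": "corp.example",
        "partner.example": "partner.example", "lab.partner.example": "partner.example",
        "third.example": "third.example",
        "legacy.example": "legacy.example",
    }
    trusts = [
        Trust("corp.example", "partner.example", "forest"),       # forest 1 <-> forest 2
        Trust("partner.example", "third.example", "forest"),      # forest 2 <-> forest 3
        Trust("eu.corp.example", "legacy.example", "external", two_way=False),
    ]
    return forest_of, trusts
```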

Introduction to Maintaining Active Directory


Maintenance of the Active Directory database is an important administrative task that must be regularly scheduled to ensure that, in the case of disaster, you can recover lost or corrupted data and repair the Active Directory database. Active Directory has its own database engine, the Extensible Storage Engine (ESE), which manages the storage of all Active Directory objects in the Active Directory database. An understanding of how the changes that are made to attributes in Active Directory are written to the database will help you understand how data modification affects database performance, database fragmentation, and data integrity.

Active Directory support files and their functions


Ntds.dit: This is the main AD database. NTDS stands for NT Directory Services; DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log: This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10MB.

Edbxxxxx.log: These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again. ESENT (Server Database Storage Engine) uses circular logging; excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.

Edb.chk: This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

Temp.edb: This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.

Schema.ini: This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.

Res1.log and Res2.log: These are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full.

File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems with online database defragmentation (compaction) as you run out of drive space. This can cause Active Directory to stop working if the indexes cannot be rebuilt.

Moving and Defragmenting the Active Directory Database


Over time, fragmentation occurs as records in the Active Directory database are deleted and new records are added. When the records are fragmented, the computer must search the Active Directory database to find all of the records each time the Active Directory database is opened. This search slows response time. Fragmentation also degrades the overall performance of Active Directory database operations. To overcome the problems that are caused by fragmentation, you defragment the Active Directory database. Defragmentation is the process of rewriting records in the Active Directory database to contiguous sectors to increase the speed of access and retrieval. When records are updated, these updates are saved in the largest contiguous space in the Active Directory database.

Why move database and log files? You move a database to a new location when you defragment the database. Moving the database does not delete the original database, so you can use the original database if the defragmented database does not work or becomes corrupted.

Also, if your disk space is limited, you can add another hard disk drive and move the database to the new hard disk drive. Additionally, you move database files for hardware maintenance: if the disk on which the files are stored requires upgrading or maintenance, you can move the files to another location temporarily or permanently.

Backing Up Active Directory


Backing up is essential to maintaining the Active Directory database. You can back up Active Directory by using the graphical user interface (GUI) and command-line tools that are provided in the Windows Server 2003 family. You back up the system state data of domain controllers frequently so that you have the most current data to restore. By establishing a regularly scheduled backup routine, you have a better chance of recovering data when necessary. To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days; any backup older than 60 days is not a good backup.

You should plan to back up at least two domain controllers in each domain, one of which is an operations master role holder. For each domain, you should maintain at least one backup to enable authoritative restores of the data when necessary.

Components of the System State Data


Active Directory (only on domain controllers). System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller.

The SYSVOL shared folder (only on domain controllers). The SYSVOL folder is a shared folder that contains Group Policy templates and logon scripts.

The registry. The registry is a database repository for information about the computer's configuration.

The system start-up files. These files are required during the initial start-up phase of Windows Server 2003. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.

The COM+ Class Registration database. The class registration is a database of information about Component Services applications.

How to Back Up Active Directory


To perform a backup procedure, you must be a member of the Administrators or Backup Operators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

You can only back up the system state data on a local computer. You cannot back up the system state data on a remote computer.

Restoring Active Directory


The Windows Server 2003 family enables you to restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You also must restore the Active Directory database when objects in Active Directory are changed or deleted.

You can restore replicated data on a domain controller in several ways:

You can reinstall the domain controller, and then let the normal replication process repopulate the new domain controller with data from its replicas.

You can use the Backup Utility Wizard to restore replicated data from backup media without reinstalling the operating system or reconfiguring the domain controller.

There are three methods for restoring Active Directory from backup media:

The Primary Restore Method

The Normal (Nonauthoritative) Restore Method

The Authoritative Restore Method

Primary restore: A primary restore rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. A primary restore should only be performed when all the domain controllers in the domain are lost and you are trying to rebuild the domain from the backup.

Normal (nonauthoritative) restore: A nonauthoritative restore reinstates the Active Directory data to the state it was in when the backup was taken, and then updates the data through the normal replication process. A normal restore should only be performed when you want to restore a single domain controller to a previously known good state.

Authoritative restore: An authoritative restore is performed in tandem with a normal restore. An authoritative restore marks specific data as current and prevents that data from being overwritten by replication. The authoritative data is then replicated throughout the domain.

Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, all changes to the restored object that occurred after the backup are lost.

Group Policy
This session introduces this versatile, mammoth administrative technology, explains what it is, and describes how it works. The most important thing is to know how it works. The session will then demonstrate the capabilities of Group Policy, starting with management of the end-user experience. You use Group Policy in the Active Directory directory service to centrally manage users and computers in an enterprise. You can centralize policies by setting Group Policy for an entire organization at the site, domain, or organizational unit level. Or, you can decentralize Group Policy settings by setting Group Policy for each department at an organizational unit level.

What's a Group Policy?


Like files and folders, like users and groups, like domains and organizational units, a Group Policy Object (GPO) is just another software object, typically stored in the Active Directory database. This software object is made up of a collection of settings that can potentially affect almost any aspect of user and computer configuration.

Group Policies can then be linked to the container objects in Active Directory: sites, domains, and organizational units. The linked Group Policies will then configure settings that, by default, affect all objects in the container. They can be used to determine what Start Menu options are available, what the background of the desktop will be, and what programs will be available.

The Local Group Policy Object


Every computer running Windows 2000, Windows XP Professional, or Windows Server 2003 has a local Group Policy Object linked to it. With a local GPO, it's possible to configure the settings of just a single computer without affecting any others. In an Active Directory environment, these local settings have the lowest precedence, because the settings dictated by a local policy can be overwritten by settings configured at the site, domain, or OU level. However, in a non-Active Directory environment, the local GPO is the only means of applying a Group Policy setting.

Components of Group Policy


Computer Configuration: This setting is used to set policies that affect the computer regardless of who logs on. It is applied as the operating system initializes, before the user is presented with the logon screen.

User Configuration: This setting is used to set policies that apply to users regardless of the computer they are using. User settings are applied after a user identifies himself or herself, usually through a user name and a password, and before the desktop is presented.

Each grouping of configuration settings includes collections for Software settings, Windows settings, and Administrative Templates settings. The individual configuration settings for Users and Computers, however, are not necessarily the same.

Software Settings: For both User and Computer configurations, the software settings specify software installation options. These settings help you deploy and maintain installed software for the computers and/or users in your organization. For example, you could use the software settings to ensure that all computers in a site get a service pack update to an application. The software settings can also ensure that a particular user has an accounting program available no matter which computer he or she logs on from.

Windows Settings: The Windows settings contain scripts and security settings. The Scripts node is one place where you can most clearly see the difference between which settings affect the user and which ones affect the computer. Notice here that the scripts assigned to computers are Startup/Shutdown scripts, as computers engage in starting up and shutting down.

In the Scripts node, administrators can attach a script to a Group Policy, with virtually no limitations on the scripting languages used. The script can be written in any ActiveX scripting language, including VBScript, JScript, and Perl, or as a DOS-based script such as a .bat or .cmd file.

The Security Settings node allows for manual configuration of security levels. These settings include collections of Audit policies, Password policies, and User Rights assignments, to name a few.

Additionally, in the Windows Settings node under only the User Configuration settings, you'll find policies used for Internet Explorer Maintenance, Public Key Policies, and Remote Installation Services. If we're creating a Group Policy Object that will apply to an Active Directory container, we'll see a Folder Redirection node, which we will discuss further in this session.

Administrative Templates: The settings configurable with the administrative templates are all registry based. That is, configurations made with the administrative templates are written to the registry at either startup or logon time, depending on whether the setting applies to a computer (startup) or a user (logon).

The Administrative Templates include several collections of settings: Windows Components, System, Desktop, Control Panel, and Network. All can be manipulated in a variety of ways, and configuring these settings will noticeably affect the end user's desktop.

Group Policy Inheritance


Group Policy settings are passed down from parent container to child container. For example, a GPO setting you have configured for a top-level OU also applies to all child OUs within it. This inheritance extends to any user and computer objects stored in the parent and child containers. However, if a GPO has been set for the child container, and that setting conflicts with the parent-level GPO, the child setting will be the effective setting. If a setting is configured for a parent OU, and the setting is not configured for the child OU, the child inherits the setting from the parent.

WMI Filtering Group Policy


WMI filters are used to implement exceptions to normal policy processing. WMI filters are written in a language called the WMI Query Language (WQL).

Group Policy Processing Sequence


Here's how GPOs are processed, by default:

Local: Each Windows Server 2003 computer has exactly one GPO stored locally, which is processed first.

Site: Any GPOs associated with a site to which the computer belongs, or from which a user is logging on, are processed next.

Domain: GPOs linked to the domain container are processed next, according to the order listed on the Group Policy tab.

Organizational unit (OU): GPOs linked to parent OUs are processed next, followed by GPOs linked to child OUs, if applicable.
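The inheritance rules and the Local, Site, Domain, OU processing order described above, worked through in Python for one computer. This is an added example, not code from the original slides; the GPO names, settings and computer facts are constructed, and a plain predicate stands in for a WQL filter.

```python
"""Effective Group Policy settings under the default LSDOU order (added example).

Assumptions (not from the slides): a GPO's settings are a dict of setting
name -> value, where None means Not Configured; the GPO list for each container
is already in processing order, so a GPO processed later overrides an earlier
one for the same setting; a WMI filter is a predicate over a dict of computer
facts, standing in for a WQL query.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NOT_CONFIGURED = None


@dataclass
class GPO:
    name: str
    settings: Dict[str, Optional[str]]
    wmi_filter: Optional[Callable[[dict], bool]] = None  # stand-in for a WQL filter


def processing_order(local: GPO, site: List[GPO], domain: List[GPO],
                     ou_chain: List[List[GPO]]) -> List[GPO]:
    """LSDOU: local, then site, then domain, then parent OU down to child OU."""
    order = [local] + list(site) + list(domain)
    for ou_gpos in ou_chain:          # ou_chain[0] is the top-level OU
        order.extend(ou_gpos)
    return order


def resolve_effective(order: List[GPO],
                      computer: dict) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (effective settings, the GPO that supplied each one).

    Not Configured leaves the inherited value untouched; a configured value in a
    GPO processed later (closer to the object) wins any conflict.
    """
    effective: Dict[str, str] = {}
    source: Dict[str, str] = {}
    for gpo in order:
        if gpo.wmi_filter is not None and not gpo.wmi_filter(computer):
            continue                  # WMI filter excludes this computer
        for setting, value in gpo.settings.items():
            if value is NOT_CONFIGURED:
                continue              # inherit from the parent container
            effective[setting] = value
            source[setting] = gpo.name
    return effective, source


def build_example() -> List[GPO]:
    """Constructed sample GPOs for a computer in OU Finance under OU Corp."""
    local = GPO("Local", {"Wallpaper": "default.bmp", "ScreenSaverTimeout": "600"})
    site = [GPO("NY-Site", {"ProxyServer": "proxy.ny.example:8080"})]
    domain = [
        GPO("Default Domain Policy", {"MinPasswordLength": "8", "LockoutThreshold": "5"}),
        GPO("XP-Only", {"RemoveRunMenu": "Enabled"},
            wmi_filter=lambda c: c.get("os") == "Windows XP Professional"),
    ]
    corp_ou = [GPO("Corp-Desktop", {"ScreenSaverTimeout": "900", "Wallpaper": "corp.bmp"})]
    finance_ou = [GPO("Finance-Desktop", {"Wallpaper": "finance.bmp",
                                          "ScreenSaverTimeout": NOT_CONFIGURED})]
    return processing_order(local, site, domain, [corp_ou, finance_ou])


if __name__ == "__main__":
    order = build_example()
    effective, source = resolve_effective(order, {"os": "Windows XP Professional"})
    for setting in sorted(effective):
        print(f"{setting:20} = {effective[setting]:24} (from {source[setting]})")
```

In the sample, the Finance OU overrides the wallpaper but leaves the screen-saver timeout Not Configured, so the Corp OU value is inherited; the XP-Only GPO drops out entirely for a computer whose facts fail its filter.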

Deploying Software Through Group Policy


There are four stages of the software life cycle, each of which can be addressed through a Group Policy Object.

Preparation: The preparation stage looks at issues surrounding planning for software deployment and laying the groundwork for deployment. These include the creation of a Windows Installer package (an .msi file) if one has not shipped with the software product, and configuration of a network share for storage of the .msi file and the rest of the installation files. Sometimes, applications will not ship with the newer Windows Installer package. You also check for hardware and software compatibility in the software preparation stage.

Deployment: In this stage, the software is actually pushed to the target computer. The software can be configured to be installed no matter which user logs on, or to install upon the presentation of certain user credentials. Software can be deployed to sites, entire domains, organizational units, or even individual computers, at our discretion.

Maintenance: Because the life cycle of a software product is ever-evolving, the GPO can be tailored to accommodate changes as the application matures. A perfect example of an evolving software product is the Windows operating system itself. Service packs are changes and updates to files that address security, stability, performance, and compatibility issues, and are released as improvements are made.

Microsoft Office behaves in the same manner. As improvements are made to the code of a program, these improvements can be sent to computers via a Group Policy.

Removal: The fourth stage in the software product life cycle is the removal of software. Group Policies have the ability to both install and uninstall software. The only real caveat here is that for software to be removed through a Group Policy, it must have been installed with a Group Policy as well.

And if a user does indeed need two versions of the same product, Group Policy can be configured to handle most instances of that situation, too.

Planning and Implementing an Active Directory Infrastructure


Now we will apply the knowledge and skills that we have learned in this course to plan and then implement an Active Directory directory service infrastructure. We will implement Active Directory based on the business requirements of a fictitious company called Tailspin Toys. After completing this module, we will be able to: review the Active Directory design and create an Active Directory implementation plan for Tailspin Toys; implement the Active Directory infrastructure for Tailspin Toys.

Review of the Components of the Implementation Plan

Introduction to Tailspin Toys


Tailspin Toys has headquarters in Manhattan and 3,000 full-time employees throughout the United States. Over the years, the company has expanded its business to include board games, an exclusive line of stuffed animals, building toys, dolls, and riding toys. To keep up with the growth of the company, it opened a production and distribution location in Arkansas. To maintain pace with the competition from the electronic game industry, Tailspin Toys is acquiring two small manufacturers of electronic games, Contoso, Ltd and Wingtip Toys. Tailspin Toys has decided to use an external vendor, Consolidated Messenger, to manage human resources (HR). Consolidated Messenger has headquarters in Chicago, Illinois and a branch office in La Jolla, California.

Exercise 1 - Planning the Forest Structure


In this exercise, we will decide how to implement an Active Directory forest structure for Tailspin Toys and its partner companies. The following table could be used for this purpose.

Exercise 2 - Planning the Organizational Unit Structure


In this exercise, we will need to decide how to implement an organizational unit structure for Tailspin Toys and its partner companies. What type of approach will we use to implement organizational units in the enterprise?

Exercise 3 - Planning User, Group, and Computer Accounts


In this exercise, we will decide how to implement user, group, and computer accounts for Tailspin Toys and its partner companies. We must consider the standards that our decisions will set throughout the enterprise and what types of group accounts we need to create. Document what conventions we will use for creating user, group, and computer accounts.

User accounts: A maximum of eight characters, composed of the first character of the first name followed by up to seven characters of the last name. If the last name is fewer than seven characters, you can use pad characters, such as 001, for a user with a four-character last name.

Group accounts: Named according to the function that the group performs. For example, the accounts Internal Sales and External Sales denote these groups within the Sales department. Similarly, Accounts Payable and Accounts Receivable denote these groups within the Finance department.

Computer accounts: Named according to their location so that the administrative staff can easily identify and track them. For example, the account NYFIN01 denotes that this system is located in the New York office, is part of the Finance group, and is sequentially numbered.

Exercise 4 - Planning Group Policy Requirements


In this exercise, we will decide how to implement Group Policy in the Tailspin Toys environment. Document what elements we will set using Group Policy:

Password settings, such as password length and complexity

Maximum and minimum settings for password expiration

Account lockout settings, which vary depending upon the requirements of each department

Unique settings. For example, the Finance department could require the ability to override inheritance

Exercise 5 - Planning Software Deployment


In this exercise, we will decide what software we will deploy in the enterprise's environment and how to best use the distribution methods. What software will we deploy in Tailspin Toys and its partner companies?

Exercise 6 - Planning Sites and Placement of Domain Controllers


In this exercise, we will determine what sites, if any, we need to create. We will also plan the distribution of domain controllers in the enterprise based on the roles that they perform. Document what sites we will create for all of the companies of Tailspin Toys.

Maintain a Default-First-Site-Name for each forest and create a site for the second location. For example, Tailspin Toys is located in New York and Arkansas. Make the New York office the default site, then create a separate site for the Arkansas location.

Create multiple subnets and associate each subnet with a particular site.

Exercise 6 - Document the placement of domain controllers


Where will we place domain controller roles in all of the companies of Tailspin Toys? Place a global catalog on the first server in each location that does not already have one. Place the Primary Domain Controller (PDC) emulator, Relative Identifier (RID) master, and infrastructure master roles on the second server in each location.

Exercise 7 - Planning Trusts


What types of trusts will we establish for all of the companies of Tailspin Toys? Where will we create these trusts? Create two-way trusts between Tailspin Toys, Contoso, Ltd, and Wingtip Toys. Create a one-way trust from Consolidated Messenger to Tailspin Toys.

Exercise 8 - Planning Disaster Recovery


We will decide on an approach to use for planning disaster recovery. Back up the system state at least twice within the tombstone lifetime, which is 60 days. Back up at least two domain controllers in each domain: system state and system disk contents.

Plan for restore test and verification.

Plan for off-site disaster recovery and testing.
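A check of a backup plan against the rules stated here and in the Backing Up Active Directory section (a backup older than the 60-day tombstone lifetime is not a good backup; at least two domain controllers per domain, one an operations master; at least two backups within the tombstone lifetime). This is an added example, not code from the original slides; the backup records, DC names, domains and the fixed "today" are constructed.

```python
"""Checking a domain's backup plan against the tombstone lifetime (added example).

Assumptions (not from the slides): each backup record names the domain
controller, its domain, whether that DC holds an operations master role, and
when the backup was taken; a backup older than the tombstone lifetime is not a
good backup; each domain needs good backups of at least two DCs, one of them an
operations master; "at least twice within the tombstone lifetime" is read as
each backed-up DC having at least two good backups.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

TOMBSTONE_LIFETIME = timedelta(days=60)   # Windows Server 2003 default


@dataclass(frozen=True)
class Backup:
    dc: str
    domain: str
    operations_master: bool
    taken: datetime


def is_good_backup(backup: Backup, now: datetime,
                   lifetime: timedelta = TOMBSTONE_LIFETIME) -> bool:
    """A backup is usable only if it is no older than the tombstone lifetime."""
    return now - backup.taken <= lifetime


def check_domain(backups: List[Backup], now: datetime,
                 lifetime: timedelta = TOMBSTONE_LIFETIME) -> List[str]:
    """Return the problems found for one domain; an empty list means it passes."""
    problems: List[str] = []
    good = [b for b in backups if is_good_backup(b, now, lifetime)]
    dcs = sorted({b.dc for b in good})
    if len(dcs) < 2:
        problems.append(f"only {len(dcs)} DC(s) with a backup inside the tombstone "
                        f"lifetime; at least 2 are required")
    if not any(b.operations_master for b in good):
        problems.append("no current backup of an operations master role holder")
    for dc in dcs:
        count = sum(1 for b in good if b.dc == dc)
        if count < 2:
            problems.append(f"{dc}: only {count} backup inside the tombstone "
                            f"lifetime; back up at least twice per lifetime")
    for b in backups:
        if not is_good_backup(b, now, lifetime):
            age = (now - b.taken).days
            problems.append(f"{b.dc}: backup from {b.taken:%Y-%m-%d} is {age} days "
                            f"old and cannot be used for a restore")
    return problems


def check_plan(backups: List[Backup], now: datetime) -> Dict[str, List[str]]:
    """Group the records by domain and check each domain separately."""
    by_domain: Dict[str, List[Backup]] = defaultdict(list)
    for b in backups:
        by_domain[b.domain].append(b)
    return {d: check_domain(bs, now) for d, bs in sorted(by_domain.items())}


# Constructed sample data with a fixed "today" so the result is reproducible.
NOW = datetime(2005, 12, 6)
SAMPLE_BACKUPS = [
    Backup("NYDC01", "tailspintoys.example", True,  NOW - timedelta(days=5)),
    Backup("NYDC01", "tailspintoys.example", True,  NOW - timedelta(days=35)),
    Backup("NYDC02", "tailspintoys.example", False, NOW - timedelta(days=10)),
    Backup("NYDC02", "tailspintoys.example", False, NOW - timedelta(days=40)),
    Backup("CHDC01", "contoso.example",      True,  NOW - timedelta(days=70)),
    Backup("CHDC02", "contoso.example",      False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for domain, problems in check_plan(SAMPLE_BACKUPS, NOW).items():
        print(domain, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

In the sample, tailspintoys.example passes, while contoso.example fails on all four counts because its only operations master backup is 70 days old.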

Thank You
