2003 Flavours
sized businesses
Windows Server 2003 R2 Enterprise Edition
Windows Server 2003, Enterprise Edition is aimed at medium to large businesses. It is a full-function server operating system that supports up to eight processors and provides enterprise-class features such as eight-node clustering and support for up to 32 GB of memory. Enterprise Edition also comes in a 64-bit edition for Intel Itanium-based computers, supporting 8 processors and 64 GB of RAM.
Windows Server 2003 R2, Datacenter Edition
Windows Server 2003, Datacenter Edition is the flagship of the Windows Server line, designed for immense infrastructures demanding high security and reliability. Datacenter supports up to 32-way SMP and 64 GB of RAM with the 32-bit version, and up to 128-way machines with individual partitions of up to 64 processors and 512 GB of RAM with the 64-bit version. Datacenter provides both eight-node clustering and the load balancing service as standard features, and includes Windows System Resource Manager, which facilitates consolidation and system management.
Windows Server 2003 Web Edition
Windows Server 2003, Web Edition is mainly for building and hosting Web applications, Web pages, and XML Web Services. It is designed to be used primarily as an IIS 6.0 Web server and provides a platform for rapidly developing and deploying XML Web services and applications that use ASP.NET technology, a key part of the .NET Framework.
Objective
Architecture of Active Directory: Introduction
User Accounts
To access a Windows 2003 network, a user needs an account. The account determines three factors:
- when a user may log on
- where within the domain/workgroup
- what privilege level the user is assigned
Each account has a SID that serves as its security credential. Any object trying to access a resource must do so through a user account. Windows 2003 has two types of accounts: local accounts and domain accounts.
Local Account
- Supported on all Windows 2000 and 2003 systems except DCs: on member servers participating in domains and on standalone systems participating in workgroups.
- Maintained on the local system, not distributed to other systems.
- A local user account authenticates the user for local machine access only; access to resources on other computers is not supported.
- Built-in local accounts: Guest; Administrator.
Domain Account
- Permits access throughout a domain and provides centralized user administration through AD.
- Created within a domain container in the AD database and propagated to all other DCs.
- Once authenticated against the AD database using the GC, a user obtains an access token for the logon session, which determines permissions to all resources in the domain.
Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon.
Logon names are not case sensitive, must not contain more than 20 characters, and must not contain any of: + * ? < > / \ [ ] : ;
Passwords are case sensitive and must be secure, not easy to guess.
Renaming an account doesn't affect any of the user account properties except the name.
Accounts can be moved from one container to another. Disabled accounts can't be accessed.
When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the "Account is disabled" option, and user rights and permissions.
Deleting an account permanently removes it, along with all of its group memberships, permissions and user rights. A new account with the same name has a different SID and GUID, so disabling an account may be a better option. Administrator is the super account.
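The logon-name rules and the account-copy behaviour above can be checked mechanically. The following Python is an added example, not code from the slides or from Microsoft: it validates a proposed logon name (length, forbidden characters, case-insensitive uniqueness within the domain) and models which properties survive an account copy. The sample names are constructed.

```python
# Added example (not from the slides): checks a proposed logon name against the
# rules stated above: at most 20 characters, none of + * ? < > / \ [ ] : ; and
# uniqueness within the domain compared without regard to case.

FORBIDDEN_CHARS = set('+*?<>/\\[]:;')
MAX_LOGON_NAME_LEN = 20


def logon_name_problems(name: str) -> list:
    """Return a list of human-readable rule violations (empty means valid)."""
    problems = []
    if not name.strip():
        problems.append("logon name is empty")
    if len(name) > MAX_LOGON_NAME_LEN:
        problems.append(f"longer than {MAX_LOGON_NAME_LEN} characters ({len(name)})")
    bad = sorted(ch for ch in set(name) if ch in FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def is_valid_logon_name(name: str) -> bool:
    return not logon_name_problems(name)


def is_unique_in_domain(name: str, existing_names) -> bool:
    """Domain logon names must be unique within the domain; the comparison is
    case-insensitive because logon names are not case sensitive."""
    return name.casefold() not in {n.casefold() for n in existing_names}


def copy_account(source: dict) -> dict:
    """Model the copy behaviour described above: every property is copied except
    the ones the slide lists, which are left empty or reset on the new account."""
    not_copied = {"username", "full_name", "password", "logon_hours",
                  "address_phone", "organization", "account_disabled",
                  "rights_and_permissions"}
    new = {k: v for k, v in source.items() if k not in not_copied}
    new["account_disabled"] = False          # the option is not carried over
    new["rights_and_permissions"] = []       # must be granted again explicitly
    return new


if __name__ == "__main__":
    existing = ["jsmith", "ADMINISTRATOR"]       # constructed existing accounts
    for candidate in ("mjones", "j?smith", "x" * 21, "JSmith"):
        print(candidate, logon_name_problems(candidate),
              "unique" if is_unique_in_domain(candidate, existing) else "taken")
```

Note that group memberships do survive a copy in this model, which is why copying a template account is a common way to create accounts that need the same group access.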
Local Profiles
A user's local profile is located in the Documents and Settings directory on the local machine. When a user logs on to a machine for the first time, a subdirectory matching their user name is created under the Documents and Settings directory. In this subdirectory, the user's profile is created and named ntuser.dat. The user profile is copied from the Default User directory.
Any changes made to the ntuser.dat file in the Default User directory will only affect new users when they log on
There is also an All Users subdirectory of the Documents and Settings directory
Roaming Profiles
If users access more than one machine or move around the network, a roaming profile can be created to ensure that the user will receive his or her user settings and preferences no matter where they log on. When roaming profiles are used, the ntuser.dat file is stored on a network share and loaded to the local machine when the user logs on. Changes made to the user preferences or settings are copied back to the network share when the user logs off.
The local profile will remain on the local machine, and should the network share be unavailable the next time the user logs on from that machine, the locally cached profile will be loaded instead.
Changes to the local profile will not be saved back to the network share in this case. Roaming profiles can cause network problems if users save large files to their Desktop or to their My Documents folder.
Mandatory Profiles
Mandatory profiles can be used when the user should be prevented from saving changes to the user settings or preferences. For example, a profile could be created with many shortcuts to file shares and applications. Users shouldn't be able to delete these shortcuts and then save the changes back to the network share. By creating the profile as a mandatory profile, users are able to make changes to their settings and preferences, but the changes are lost when the user logs off the machine. A mandatory profile can also be used for a group of people, and then every user would get the exact same settings and preferences.
Home Folders
Users can use home folders to store their personal files. A home folder is a folder on a computer, usually a file server, which can be assigned to users to save documents and files. Home folders are generally used to consolidate user data into one place for easy backup. Also, many applications use the user's home folder as the default location for the Save As and File Open commands. A home folder can be located on a single computer or on a network share, where it is available to the user anywhere in the network.
Computer Accounts
Every desktop, workstation, laptop, server, and DC in the network must have a valid computer account in Active Directory. Computer accounts are used to identify a computer to the domain; a computer account is an account for a computer, just as a user account is an account for a person. Active Directory requires that all logons not only come from a valid user, but that the logon attempt also comes from a valid computer. When a domain controller receives an authentication request, it first checks to make sure the request is coming from a computer that has a valid computer account in the domain. The domain won't accept the user logon, even if it's valid, if it comes from a computer that doesn't belong to the domain.
Domain groups
Domain groups allow user accounts within a domain to be collected into a group that can then be used to grant access to resources or to assign user rights. There are two types of domain groups: security groups and distribution groups.
A security group is a security principal and so can be used to assign permissions and rights to a collection of user accounts.
A distribution group is not a security principal and cannot be used to assign permissions. A distribution group is used for e-mail; it can be created when a mailbox is desired for a collection of user accounts but no permissions will be needed.
Group Scope
Within each type of group there is a group scope. There are three possible group scopes: domain local, global and universal.
Domain local
A domain local group can contain users and global groups from any trusted domain.
However, a domain local group cannot contain domain local groups or local machine groups.
Domain local groups are primarily used to assign permissions to resources.
Use a domain local group when you want to assign access permissions to resources that are located in the same domain in which you create the domain local group. You can add all global groups that must share the same resources to the appropriate domain local group.
Global Group
A global group is a security or distribution group that can contain users, groups, and computers as members from its own domain. Use global groups to organize users by job description or function. You can grant rights and permissions to global security groups for resources in any domain in the forest. Because global groups are visible throughout the forest, do not create them for the purpose of allowing users access to domain-specific resources.
Universal Group
A universal group is a security or distribution group that can contain users, groups, and computers as members from any domain in its forest. Universal security groups can be granted rights and permissions on resources in any domain in the forest. A Windows Server 2003 domain must be in Windows 2000 native mode or Windows Server 2003 mode to use universal security groups. You can use universal distribution groups in a Windows Server 2003 domain that is in Windows 2000 mixed mode or higher.
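The membership rules for the three scopes are easier to keep straight as a decision function. The following Python is an added example, not code from the slides or from Microsoft: it encodes the domain local, global and universal rules stated above, plus the domain-mode requirement for universal security groups. It adds one rule the slides do not state but which holds in Active Directory (a universal group cannot contain domain local groups); the domain names and groups are constructed.

```python
# Added example (not from the slides): a small model of the membership rules
# for the three group scopes described above, plus the domain-mode requirement
# for universal security groups. Domain names are constructed.
from dataclasses import dataclass

LOCAL_MACHINE = "local machine"        # a local (non-domain) group on a member server
NATIVE_MODES = {"Windows 2000 native", "Windows Server 2003"}


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str                 # "domain local", "global", "universal" or LOCAL_MACHINE
    kind: str = "security"     # or "distribution"


def can_be_member(group: Group, member, trusted: set, forest: set):
    """Return (allowed, reason) for adding `member` to `group`.
    `trusted` holds the domains that group.domain trusts; `forest` holds the
    domains of the forest that group.domain belongs to."""
    same_domain = member.domain == group.domain
    is_group = isinstance(member, Group)
    if group.scope == "domain local":
        if is_group and member.scope in ("domain local", LOCAL_MACHINE):
            return False, "a domain local group cannot contain domain local or local machine groups"
        if not (same_domain or member.domain in trusted):
            return False, "members must come from the same or a trusted domain"
        return True, "users and global groups from any trusted domain are accepted"
    if group.scope == "global":
        if not same_domain:
            return False, "a global group takes members only from its own domain"
        return True, "same-domain user, group or computer accepted"
    if group.scope == "universal":
        if is_group and member.scope in ("domain local", LOCAL_MACHINE):
            # not stated on the slide, but a universal group cannot hold domain local groups
            return False, "a universal group cannot contain domain local or local machine groups"
        if not (same_domain or member.domain in forest):
            return False, "members must come from a domain in the same forest"
        return True, "member from anywhere in the forest accepted"
    return False, f"unknown scope {group.scope!r}"


def can_create_universal(kind: str, domain_mode: str) -> bool:
    """Universal security groups need Windows 2000 native or Windows Server 2003
    mode; universal distribution groups work in Windows 2000 mixed mode or higher."""
    return kind != "security" or domain_mode in NATIVE_MODES


def explain(group: Group, member, trusted: set, forest: set) -> str:
    ok, reason = can_be_member(group, member, trusted, forest)
    who = member.name if isinstance(member, User) else f"{member.scope} group {member.name}"
    return f"{'ALLOW' if ok else 'DENY'} {who} -> {group.name}: {reason}"


if __name__ == "__main__":
    forest = {"corp.example", "sales.corp.example"}            # constructed forest
    trusted = forest | {"partner.example"}                       # plus an external trust
    readers = Group("ShareReaders", "corp.example", "domain local")
    sales = Group("SalesStaff", "sales.corp.example", "global")
    print(explain(readers, sales, trusted, forest))
    print(explain(sales, User("bob", "corp.example"), trusted, forest))
```

The usual pattern the slides describe falls out of these rules: put users into global groups in their own domain, nest those global groups into a domain local group in the domain that owns the resource, and grant the permission to the domain local group.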
DNS
For computers in a Windows 2003 network infrastructure to talk to one another, one of the key ingredients is the DNS service. DNS is the name resolution mechanism used by Windows Server 2003 clients to find other computers and the services running on those computers. A client consults its configured DNS servers for a list of Active Directory domain controllers, to which it will then submit its logon credentials. We will start our discussion of DNS with the NetBIOS (Network Basic Input Output System) namespace.
There are important differences between the DNS namespace and the NetBIOS namespace, and identifying some of the advantages and disadvantages of each namespace can help you understand them
A NetBIOS name is a 16-byte address that identifies a NetBIOS resource on a network
NETBIOS
The important thing to keep in mind about the NetBIOS namespace, especially when contrasting it to the DNS namespace, is that it's a flat namespace.
DNS, conversely, is a hierarchical namespace. Every NetBIOS name must be unique, period.
There is no structure of parent and child namespaces that allows computer or service names to be used more than once. In the NetBIOS environment, computers and services register unique NetBIOS names by using a 15-character computer name appended with a 16th hexadecimal character that identifies the service on the network. If the computer name does not contain 15 characters, the NetBIOS protocol dictates that the name is padded with as many spaces as necessary to generate a 15-character name. In Windows, the NetBIOS name server is called the Windows Internet Naming Service, or WINS.
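The 16-byte name format and the flatness of the namespace can be shown directly. The following Python is an added example, not code from the slides or from Microsoft: it builds and decodes NetBIOS names as described above (15 characters, upper-cased and space-padded, plus one suffix byte) and models a WINS-like registry in which a second registrant for an already-registered name is refused. The three suffix constants are well-known NetBIOS service suffixes; the computer names and addresses are constructed.

```python
# Added example (not from the slides): builds and decodes the 16-byte NetBIOS
# names described above, and shows why a flat namespace forces every name to be
# unique. The suffix values are well-known NetBIOS service suffixes; the
# computer names and addresses are constructed.

NETBIOS_BASE_LEN = 15
SUFFIX_WORKSTATION = 0x00          # Workstation service, registered with the computer name
SUFFIX_SERVER = 0x20               # Server (file sharing) service, registered with the computer name
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # registered with the domain name, lists the domain controllers


def netbios_name(computer_name: str, suffix: int) -> bytes:
    """15-character name (upper-cased, space-padded) plus one suffix byte."""
    base = computer_name.upper()
    if not 1 <= len(base) <= NETBIOS_BASE_LEN:
        raise ValueError("a NetBIOS computer name is 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the suffix is a single byte")
    return base.ljust(NETBIOS_BASE_LEN).encode("ascii") + bytes([suffix])


def split_netbios_name(raw: bytes):
    """Inverse of netbios_name: strips the padding, returns (name, suffix)."""
    if len(raw) != NETBIOS_BASE_LEN + 1:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return raw[:NETBIOS_BASE_LEN].decode("ascii").rstrip(" "), raw[NETBIOS_BASE_LEN]


class FlatNameRegistry:
    """A WINS-like table: the namespace has no hierarchy, so each full 16-byte
    name maps to at most one owner and a second registrant is refused."""

    def __init__(self):
        self.names = {}

    def register(self, raw: bytes, ip: str) -> bool:
        owner = self.names.get(raw)
        if owner is not None and owner != ip:
            return False          # name conflict: another host already holds this name
        self.names[raw] = ip
        return True

    def lookup(self, computer_name: str, suffix: int):
        return self.names.get(netbios_name(computer_name, suffix))


if __name__ == "__main__":
    wins = FlatNameRegistry()                       # constructed registry
    fs = netbios_name("fs01", SUFFIX_SERVER)
    print(fs, split_netbios_name(fs))
    print(wins.register(fs, "192.0.2.5"), wins.register(fs, "192.0.2.99"))
```

The same computer name with two different suffix bytes is two different names (a host registers one per service), which is why the uniqueness rule applies to the full 16 bytes rather than to the 15-character base alone.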
DNS Components
Without DNS, you would have to know the IP address of every computer you are communicating with. DNS exists to resolve the names of computers to IP addresses.
There are three main components you'll find in the Domain Name System, not just in Microsoft's implementation but in any DNS solution: domain name servers, DNS resolvers, and the logical namespace.
The domain name servers are servers running the DNS software component, which store information about a zone file. These name servers provide address resolution and other information about the computers that you access, both in the Active Directory domain and in the named domains across the entire Internet. DNS resolvers are pieces of code that are built into the operating system. These pieces of code, also known as DNS clients, request resolution of FQDNs to IP addresses by querying their configured name servers.
The namespace is the logical division of names where DNS objects are stored. In an Active Directory domain, the namespace can often reflect the organizational chart of a particular company, where the company name starts at the root of the namespace and then breaks into domains that provide a hierarchy for your domain enterprise.
Fully Qualified Domain Names
The job of a resolver is to request resolution of a fully qualified domain name (FQDN) to an IP address. A fully qualified domain name represents a host name appended to the parent namespaces in a hierarchy. The leftmost portion of the FQDN is the host portion of the name. A host name is an alias we give to an IP address. There are organizations outside of your control that manage the topmost levels of the domain namespace; InterNIC is the organization that manages the top-level namespaces.
DNS Zones
If domains represent logical division of the DNS namespace, zones represent the physical separations of the DNS namespace
In other words, information about records of the resources within your DNS domains is stored in a zone file, and this zone file exists on the hard drive of one of your name servers
Domain name servers are simply servers that store these zone database files, which in turn provide resolution for records in the zone files. The DNS servers also manage how those zone files are updated and transferred. Zone files are divided into one of two basic types:
- Forward lookup zone: provides host-name-to-IP-address resolution.
- Reverse lookup zone: provides IP-address-to-host-name resolution.
When a zone file is first created on a DNS server, that server is said to be authoritative for that zone.
Then, for each child DNS domain name included in a zone, the zone becomes the authoritative source for the resource records stored in that child domain as well
This means that the DNS server can provide resolution for multiple domains within a zone file, and all changes to the resource records in both domains are made to the authoritative zone it stores
Zone Categories
The DNS zones kept on Windows Server 2003 computers can be further broken down into one of three categories. For each forward or reverse lookup zone, the file will be one of these types of zones: primary zone, secondary zone, or stub zone. All of the zones you can create in Windows 2003 can be integrated in Active Directory.
All changes to the zone are then replicated to secondary servers. This replication model is called single master replication, where there is a single entity that controls changes to records
Windows NT 4 used this single master model for directory database replication as well. This also highlights the biggest drawback of the standard primary server model: it includes a single point of failure. Just as when an NT 4 primary domain controller went down, if for any reason the primary server for a zone is unavailable, no updates to the zone can be made. This does not, however, affect resolution of names as long as secondary servers for the zone are available and name-to-IP-address mappings have not changed.
The secondary servers are secondary servers because they store copies of zone files
Changes to the DNS domains are made at the primary zone level and then are copied to secondary zones on secondary zone servers. At the end of the day, they'll both end up storing the same information; it's just that changes to the domain are made at the primary level, not the secondary level. A DNS server can be a primary name server and a secondary name server at the same time. The designation is made by what kind of zone file is stored on the server, and you can store both primary and secondary zones on the same machine.
If the locally configured DNS server has a zone file that contains a record for the resource you're trying to browse to (or if it's contained in the server's cache), that resource's IP address is returned to your resolver.
In most cases, the zone file is not going to hold the IP address for the record that you're trying to look up. The computer doesn't care what the name of the computer is; in order to communicate, it needs the IP address. The first place it looks for resolution is its configured DNS server.
This query to the locally configured DNS server is called a recursive query.
The DNS server performs the name resolution; the DNS client sits there and waits for a response to its recursive query.
The client's local DNS server then talks to other DNS servers throughout the DNS hierarchy using a series of iterative queries. The client asks its local DNS server using a recursive query. A recursive query says, basically, "give me the answer or tell me that you can't find it." It's a pass/fail type of proposition. The other type of query, where other DNS servers are talking to each other as the local DNS server is walking the domain tree, is called an iterative query. When your DNS server uses an iterative query
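The recursive-versus-iterative distinction, the authoritative answer, and the forward and reverse zones described above can all be seen in one small simulation. The following Python is an added example, not code from the slides or from Microsoft: a toy DNS tree in which the client sends one recursive query to its local server, and that server walks the hierarchy with iterative queries, receiving a referral at each hop until an authoritative server answers (or reports that the name does not exist). Server names, zones and addresses are constructed; 192.0.2.0/24 is a documentation range.

```python
# Added example (not from the slides): a toy DNS hierarchy that shows the client's
# single recursive query, the local server's chain of iterative queries (answer or
# referral at each hop), caching, and a forward versus a reverse lookup zone.
# Server names, zones and addresses are constructed.

# Each toy server is authoritative for its zones (name -> record data) and hands out
# referrals for the child zones it has delegated.
SERVERS = {
    "root-ns": {"zones": {".": {}},
                "delegations": {"com.": "com-ns", "in-addr.arpa.": "arpa-ns"}},
    "com-ns": {"zones": {"com.": {}},
               "delegations": {"example.com.": "example-ns"}},
    "example-ns": {"zones": {"example.com.": {            # forward lookup zone
                       "www.example.com.": "192.0.2.10",
                       "dc1.example.com.": "192.0.2.1"}},
                   "delegations": {}},
    "arpa-ns": {"zones": {"2.0.192.in-addr.arpa.": {      # reverse lookup zone
                    "10.2.0.192.in-addr.arpa.": "www.example.com."}},
                "delegations": {}},
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def iterative_query(server: str, name: str):
    """One iterative query: the server answers from its own zones, refers the
    asker to a delegated child zone, or says the name does not exist."""
    s = SERVERS[server]
    for zone, records in s["zones"].items():
        if not in_zone(name, zone):
            continue
        child = max((z for z in s["delegations"] if in_zone(name, z)), key=len, default=None)
        if child is not None:
            return "referral", s["delegations"][child]
        if name in records:
            return "answer", records[name]
        return "nxdomain", None
    return "refused", None          # not authoritative and nothing delegated here


class LocalDnsServer:
    """The client's configured DNS server: takes recursive queries and walks the
    tree with iterative queries on the client's behalf."""

    def __init__(self):
        self.cache = {}
        self.trace = []             # (server asked, kind of reply) for the last query

    def recursive_query(self, name: str):
        """Pass/fail from the client's point of view: the record data, or None."""
        self.trace = []
        if name in self.cache:
            self.trace.append(("cache", "answer"))
            return self.cache[name]
        server = "root-ns"
        for _ in range(8):          # bound the walk; a real resolver also limits hops
            kind, data = iterative_query(server, name)
            self.trace.append((server, kind))
            if kind == "referral":
                server = data
                continue
            result = data if kind == "answer" else None
            self.cache[name] = result       # positive and negative answers are cached
            return result
        return None


if __name__ == "__main__":
    resolver = LocalDnsServer()
    print(resolver.recursive_query("www.example.com."), resolver.trace)
    print(resolver.recursive_query("10.2.0.192.in-addr.arpa."), resolver.trace)
```

The trace makes the division of labour visible: the client issued one query and got one answer, while the local server issued three (root, com, example) for the forward lookup and two for the reverse lookup, and a repeat of either query is served from the cache with no iterative queries at all.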
Domains
A Windows 2003 Active Directory domain is a logical collection of users and computers. In other words, it's an organizational entity that groups together the objects in your enterprise. With a domain in place, you have several benefits, including the following:
- They enable you to organize objects within a single department or single location, and all information about the objects is available.
- They act as security boundaries. Domain admins exercise complete control over all domain objects. Further, in Windows 2003 Active Directory, Group Policies, another kind of domain object, can be applied to determine how resources can be managed and accessed.
Domains allow control over replication. That is, domain objects are fully replicated to other domain controllers within a domain, but not to other domains in an Active Directory enterprise
Trees
Once youve decided to create domains in your enterprise, you may find that you need more than one domain to best reflect the administrative structure of your company
Domains have many benefits; thus, you may find compelling reasons to apply these benefits separately to various groups of users and computers in your organization
The domains exist in a tree, and trees subsequently live in a forest. If you want to link your Windows 2003 domains together for purposes of administration and/or sharing of resources, you'll need to start building Active Directory trees and forests. The hallmark of an Active Directory tree is that it is a contiguous linking of one or more Active Directory domains that share a common namespace.
In other words, the domains are linked together in parent-child relationships as far as the naming conventions go
Forests
A forest lets you link together multiple domain trees in a hierarchical arrangement. The goal in designing a forest is the same as when designing a tree: to define and maintain an administrative relationship between the domains. All domains in a tree are linked by two-way, transitive trust relationships, and all tree roots in the forest are likewise linked by two-way, transitive trusts. We need to choose our forest root domain with caution: once established, the forest root cannot be changed without decommissioning the entire logical Active Directory infrastructure. In Windows Server 2003 it is now possible to rename the forest root domain, but the domain designated as the forest root cannot be changed once established.
Organizational Units
When properly implemented, an organizational unit (OU) is the administrative linchpin of a Windows 2003 Active Directory hierarchy. It is a container object within a domain that represents sub-administrative entities within an Active Directory. Organizational units are used to group together domain computers, users, and other domain objects into an administrative collection. These collections are kept as separate logical units. Windows 2003 domains are designed to be self-contained, and through the use of organizational units you have a lot of flexibility about how that domain is administered. OUs are not groups; they are administrative containers. Anything you can put into the domain, anything you can put into an Active Directory database, you can put into an organizational unit.
DOMAIN CONTROLLERS
The job of a domain controller is to store a writable copy of the Active Directory database for the domain of which it is a member
Sometimes, these domain controllers will store additional information like the Global Catalog. Sometimes, the domain controllers play important roles in the functioning of the network and sometimes, they perform many of these tasks at once
During the Active Directory installation process, each domain controller is made aware of other domain controllers within the same domain
The Knowledge Consistency Checker works to ensure that every one of these domain controllers has at least one replication partner, or peer. The end result of the KCC's hard work is that all domain controllers are able to get updated Active Directory information from all others using a fault-tolerant ring topology. The other job of the Knowledge Consistency Checker is to allow Active Directory to take care of the replication of directory database information without administrators having to worry about it too much or configure it manually.
This version number is called an Update Sequence Number (USN), and it is used to track the changes made to each copy of Active Directory
Every time a change is made to the database, the domain controller where the change was made updates its database USN. Every domain controller keeps track of its USN and, more importantly, the USNs of its replication partners. Then, every 5 minutes (this is the default interval), the domain controller checks for changes from its replication partners in the same site. If a domain controller finds that its replication partner has an update to its USN, it then requests that all changes since the last known USN be sent.
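The USN mechanism described above is small enough to model end to end. The following Python is an added example, not code from the slides or from Microsoft: each toy domain controller numbers its own writes with an increasing USN, remembers the highest USN it has already pulled from each partner, and on each scheduled check requests only the changes above that number. A three-node ring stands in for the KCC's ring topology. Real Active Directory tracks originating writes with an up-to-dateness vector; here a set of already-applied (origin, USN) pairs plays that role so a change is never applied twice or echoed back to its origin. Names and objects are constructed.

```python
# Added example (not from the slides): a toy model of USN-based replication between
# domain controllers. Each DC numbers its own writes with an increasing USN, remembers
# the highest USN it has already pulled from each replication partner, and requests
# only the changes above that number. Names and objects are constructed.


class ReplicaDc:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                 # highest USN assigned on this DC
        self.objects = {}            # distinguished name -> attributes
        self.change_log = []         # (local usn, origin dc, origin usn, dn, attrs)
        self.partner_usn = {}        # partner name -> highest partner USN already pulled
        self.applied = set()         # (origin dc, origin usn) pairs already applied here

    def write(self, dn: str, **attrs) -> int:
        """An originating write on this DC: it gets a fresh local USN."""
        return self._apply(self.name, None, dn, attrs)

    def _apply(self, origin: str, origin_usn, dn: str, attrs: dict) -> int:
        self.usn += 1                # replicated writes advance the local USN too
        if origin_usn is None:
            origin_usn = self.usn
        self.applied.add((origin, origin_usn))
        self.objects.setdefault(dn, {}).update(attrs)
        self.change_log.append((self.usn, origin, origin_usn, dn, dict(attrs)))
        return self.usn

    def changes_since(self, usn: int):
        return [c for c in self.change_log if c[0] > usn]

    def pull_from(self, partner: "ReplicaDc") -> int:
        """One scheduled check against a partner: if its USN has not moved past what
        we last saw, nothing is requested; otherwise fetch the newer changes, skipping
        any we already received along another path. Returns the number applied."""
        last_seen = self.partner_usn.get(partner.name, 0)
        if partner.usn <= last_seen:
            return 0
        applied = 0
        for _local, origin, origin_usn, dn, attrs in partner.changes_since(last_seen):
            if (origin, origin_usn) in self.applied:
                continue
            self._apply(origin, origin_usn, dn, attrs)
            applied += 1
        self.partner_usn[partner.name] = partner.usn
        return applied


def replication_cycle(ring: list) -> int:
    """One pass (every 5 minutes by default within a site): every DC pulls from
    both of its ring neighbours. Returns the total number of changes applied."""
    n = len(ring)
    total = 0
    for i, dc in enumerate(ring):
        for partner in (ring[(i - 1) % n], ring[(i + 1) % n]):
            if partner is not dc:
                total += dc.pull_from(partner)
    return total


if __name__ == "__main__":
    ring = [ReplicaDc(n) for n in ("DC1", "DC2", "DC3")]
    ring[0].write("CN=Alice,OU=Sales,DC=corp,DC=example", department="Sales")
    print(replication_cycle(ring))     # the change reaches both other DCs
    print(replication_cycle(ring))     # nothing new: no partner USN has moved
```

The second cycle applies nothing because every DC's recorded partner USN already equals the partner's current USN, which is exactly the check the slide describes: no USN movement, no request for changes.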
To force replication over a connection object, right-click the connection object and choose Replicate Now from the context menu
The KCC is a dynamic process. That is, it automatically adjusts the replication topology as network conditions change. As domain controllers or subnets are added to or removed from a site, the KCC constantly checks to make sure each domain controller is able to exchange information with at least two others within the site, thus keeping the ring topology intact. So even though you need to do virtually nothing to tweak the performance of the KCC in a production network, your job as a test candidate is to make sure you understand the purpose of the KCC.
The intersite replication topology defines the replication between sites on a network
It also selects one or more domain controllers to become bridgehead servers. If a bridgehead server becomes unavailable, it will automatically select another bridgehead server, if possible. It runs the KCC to determine the replication topology and the resultant connection objects to be used by the bridgehead servers to communicate with the bridgehead servers of other sites. If the domain controller designated as the intersite topology generator becomes unavailable, another domain controller will be automatically designated.
The application partition is different than a domain partition in that it is not allowed to store security principal objects such as user accounts. In addition, the data in an application partition is not stored in the Global Catalog.
Active Directory stores information about which domain controller holds a specific role
Active Directory defines five operations master roles, each of which has a default location. Operations master roles are either forest-wide or domain-wide.
RID Master
Infrastructure Master
The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers
Whenever you are extending the schema or are installing an application that does so, such as Exchange Server, the schema master must be available.
Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.
This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain
The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.
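The SID structure and the RID allocation scheme above, together with the earlier point that a deleted and re-created account gets a different SID, can be modelled in a few lines. The following Python is an added example, not code from the slides or from Microsoft: a RID master hands each domain controller a non-overlapping block of RIDs, each DC numbers the security principals it creates from its own block and never reuses a RID, and creation fails when the block is exhausted while the RID master is unreachable. The domain SID, the block size and the starting RID are constructed for the example (built-in principals occupy the low RIDs, so ordinary allocation starts above them).

```python
# Added example (not from the slides): models how a SID is built from the domain SID
# plus a RID, how the RID master hands each DC a block of RIDs from which it numbers
# the security principals it creates, and why a deleted and re-created account never
# gets its old SID back. The domain SID, block size and first RID are constructed.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
RID_BLOCK_SIZE = 500                                          # constructed block size
FIRST_ALLOCATABLE_RID = 1000     # constructed; lower RIDs are used by built-in principals


class RidMaster:
    """Holds the single domain-wide RID pool and hands out non-overlapping blocks."""

    def __init__(self, block_size: int = RID_BLOCK_SIZE):
        self.block_size = block_size
        self.next_free = FIRST_ALLOCATABLE_RID

    def allocate_block(self):
        first = self.next_free
        self.next_free += self.block_size
        return first, self.next_free - 1


class DomainController:
    def __init__(self, name: str, rid_master):
        self.name = name
        self.rid_master = rid_master       # set to None to model the master being offline
        self.block = None                  # (first, last) of the current local RID block
        self.next_rid = None
        self.issued = set()

    def create_security_principal(self) -> str:
        """Return the SID of a newly created user, group or computer account."""
        if self.block is None or self.next_rid > self.block[1]:
            if self.rid_master is None:
                raise RuntimeError(f"{self.name}: RID block exhausted and the RID master is unavailable")
            self.block = self.rid_master.allocate_block()
            self.next_rid = self.block[0]
        rid = self.next_rid
        self.next_rid += 1                 # a RID is never reused, even after a deletion
        self.issued.add(rid)
        return f"{DOMAIN_SID}-{rid}"


def split_sid(sid: str):
    """Split a SID into the domain part (shared by every principal in the domain)
    and the relative identifier that is unique within the domain."""
    domain_part, rid = sid.rsplit("-", 1)
    return domain_part, int(rid)


if __name__ == "__main__":
    master = RidMaster()
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    alice = dc1.create_security_principal()
    bob = dc2.create_security_principal()
    print(alice, bob, split_sid(alice))
```

Because each DC draws from its own block, two DCs can create accounts at the same moment without ever producing the same SID, which is the whole reason the RID master exists; its temporary absence only matters once a DC has used up the block it already holds.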
The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID.
Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object. Additionally, the infrastructure master is in charge of updating group-to-user references whenever members of groups are modified.
Three are domain-wide roles: in every forest, these single-master roles will be held on only one server per domain:
- PDC Emulator
- RID Master
- Infrastructure Master
If the domain naming master is unavailable, you cannot add or remove domains
If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role from the standby operations master
To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles
When you create a domain, the PDC emulator role is assigned to the first domain controller in the new domain
- Acts as the PDC for any existing BDCs.
- Manages password changes from computers running Windows NT, Microsoft Windows 95 or Windows 98. You must write password changes directly to the PDC.
- Minimizes replication latency for password changes.
- Synchronizes the time on all domain controllers throughout the domain to its time.
Such changes include decommissioning a domain controller that holds a role or adding a new domain controller that is better suited to hold a specific role
Transferring an operations master role means moving it from one functioning domain controller to another. To transfer roles, both domain controllers must be up and running and connected to the network. No data loss occurs when you transfer an operations master role, as the transfer uses the normal directory replication mechanism. The process of role transfer involves replicating the current operations master directory to the new domain controller, which ensures that the new operations master has the most current information available.
Because the previous role holder is unavailable during a seizure, you cannot reconfigure or inform it that another domain controller now hosts the operations master role
To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure.
This way, it can see if another operations master exists before it comes back online
If it detects one, it reconfigures itself to no longer host the roles in question
Active Directory continues to function when the operations master roles are unavailable
If the role holder is only offline for a short time, you may not need to seize the role to a new domain controller
In each domain in the forest, the server that holds the operations master roles should have both high availability and high capacity
A highly available domain controller is one that uses computer hardware that enables the domain controller to remain operational even during a hardware failure. For example, having a redundant array of independent disks (RAID) may enable the domain controller to keep running if a single hard disk fails. A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload from holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth.
Have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site
How the Active Directory service enables single sign-on that allows users to access the approved resources
Single Sign On
A single sign-on consists of two parts:
- Authentication, which verifies the credentials of the connection attempt.
- Authorisation, which verifies that the connection attempt is allowed.
The authorisation process happens only after a successful authentication. In the next slides we will see the authentication and authorisation processes in detail.
Forest trusts are also only partially transitive, because forest trusts can only be created between two forests and they cannot be implicitly extended to a third forest. For example, if forest 1 trusts forest 2, and forest 2 trusts forest 3, domains in forest 1 transitively trust domains in forest 2, and domains in forest 2 transitively trust domains in forest 3. However, forest 1 does not transitively trust forest 3.
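The difference between the fully transitive trusts inside a forest and the forest trust that stops at the second forest is worth checking against a concrete topology. The following Python is an added example, not code from the slides or from Microsoft: it records which forest each domain belongs to and which forests trust each other, and answers whether one domain accepts principals from another without ever chaining through an intermediate forest. The forest and domain names are constructed.

```python
# Added example (not from the slides): a small trust model. Domains in one forest are
# joined by two-way transitive trusts; a forest trust links exactly two forests and is
# never extended to a third forest. Forest and domain names are constructed.


class TrustTopology:
    def __init__(self):
        self.forest_of = {}          # domain -> forest it belongs to
        self.forest_trusts = set()   # directed (trusting forest, trusted forest) pairs

    def add_domain(self, domain: str, forest: str):
        self.forest_of[domain] = forest

    def add_forest_trust(self, forest_a: str, forest_b: str, two_way: bool = True):
        self.forest_trusts.add((forest_a, forest_b))
        if two_way:
            self.forest_trusts.add((forest_b, forest_a))

    def trusts(self, trusting_domain: str, trusted_domain: str) -> bool:
        """Does trusting_domain accept security principals from trusted_domain?"""
        fa = self.forest_of[trusting_domain]
        fb = self.forest_of[trusted_domain]
        if fa == fb:
            return True          # same forest: two-way transitive trusts link every domain
        # Different forests: only a direct forest trust counts. A path through a third
        # forest is deliberately not followed, which is the partial transitivity above.
        return (fa, fb) in self.forest_trusts

    def trusted_domains(self, domain: str) -> list:
        return sorted(d for d in self.forest_of if d != domain and self.trusts(domain, d))


if __name__ == "__main__":
    topo = TrustTopology()
    for dom, forest in (("a.example", "forest1"), ("x.a.example", "forest1"),
                        ("b.example", "forest2"), ("c.example", "forest3")):
        topo.add_domain(dom, forest)
    topo.add_forest_trust("forest1", "forest2")
    topo.add_forest_trust("forest2", "forest3")
    print(topo.trusts("a.example", "b.example"), topo.trusts("a.example", "c.example"))
```

Running it reproduces the slide's example: a.example trusts b.example through the forest1/forest2 trust, b.example trusts c.example through the forest2/forest3 trust, but a.example does not trust c.example.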
File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes
Also, you may run into problems with online database defragmentation (compaction) as you run out of drive space. This can cause Active Directory to stop working if the indexes cannot be rebuilt.
Moving the database does not delete the original database, so you can use the original database if the defragmented database does not work or becomes corrupted
Also, if your disk space is limited, you can add another hard disk drive and move the database to it. Additionally, you may move database files for hardware maintenance: if the disk on which the files are stored requires upgrading or maintenance, you can move the files to another location temporarily or permanently.
The SYSVOL shared folder (only on domain controllers). The SYSVOL folder is a shared folder that contains Group Policy templates and logon scripts
The registry is a database repository for information about the computer's configuration. The system start-up files are required during the initial start-up phase of Windows Server 2003; these files include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system. The COM+ Class Registration database: the class registration is a database of information about Component Services applications.
If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure
You can only back up the system state data on a local computer
You also must restore the Active Directory database when objects in Active Directory are changed or deleted
You can restore replicated data on a domain controller in several ways
You can reinstall the domain controller, and then let the normal replication process repopulate the new domain controller with data from its replicas
You can use the Backup Utility Wizard to restore replicated data from backup media without reinstalling the operating system or reconfiguring the domain controller
An authoritative restore marks specific data as current and prevents that data from being overwritten by replication
The authoritative data is then replicated throughout the domain
Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers
When you perform an authoritative restore, all changes to the restore object that occurred after the backup are lost
Group Policy
This session will introduce you to this versatile, mammoth administrative technology, explain what it is, and describe how it works. The most important thing is to know how it works. The session will then start to demonstrate the capabilities of Group Policy, starting with management of the end-user experience. You use Group Policy in the Active Directory directory service to centrally manage users and computers in an enterprise. You can centralize policies by setting Group Policy for an entire organization at the site, domain or organizational unit level, or you can decentralize Group Policy settings by setting Group Policy for each department at an organizational unit level.
This software object is made up of a collection of settings that can potentially affect almost any aspect of user and computer configuration
Group Policies can then be linked to the container objects in Active Directory: sites, domains, and organizational units. The Group Policies linked will then configure settings that, by default, affect all objects in the container. They can be used to determine what Start Menu options are available, what the background of the desktop will be, and what programs will be available.
The individual configuration settings for Users and Computers, however, are not necessarily the same
In the Scripts node, administrators can attach a script to a Group Policy, with virtually no limitations to the scripting languages used
The script can be written in any ActiveX language, including VBScript, JScript, Perl, and DOS-based scripts such as .bat and .cmd
Additionally, in the Windows Settings node under only the User Configuration settings, you'll find policies used for Internet Explorer Maintenance, Public Key Policies, and Remote Installation Services.
If we're creating a Group Policy Object that will apply to an Active Directory container, we'll see a Folder Redirection node, which we will discuss further in this session.
That is, configurations made with the administrative templates are written to the registry at either startup or logon time, depending on whether the setting applies to a computer (startup) or user (logon)
The Administrative Templates include several collections of settings: Windows Components, System, Desktop, Control Panel, and Network. All can be manipulated in a variety of ways. Configuring these settings will noticeably affect the end user's desktop.
Microsoft Office behaves in the same manner. As improvements are made to the code of a program, these improvements can be sent to computers via a Group Policy
And if a user does indeed need two versions of the same product, Group Policy can be configured to handle most instances of that situation, too
Unique settings. For example, the Finance department could require the ability to override inheritance
Create multiple subnets and associate each subnet with a particular site
Thank You