Chapter 2, Introduction to Active Directory
Chapter 2, Lesson 1
Active Directory Overview
1. Active Directory Objects
A. Definitions
1. Objects are resources stored in the
directory, such as user data, printers, servers, databases, groups, computers,
and security policies.
2. An object is a distinct named set of
attributes that represents a network resource.
3. Attributes are characteristics of objects
in the directory.
4. Classes are logical groupings of objects.
5. Containers are objects that can contain
other objects.
B. Active Directory schema
1. Basic concepts
a. The Active Directory schema is the list of
definitions that define the kinds of objects and the types of information about
the objects stored.
b. Definitions are stored as objects.
c. Active Directory can manage the schema
objects with the same object management operations used for managing the rest
of the objects in Active Directory.
d. Two types of definitions are in the
schema: attributes and classes.
e. Attributes and classes are also referred
to as schema objects, or metadata.
2. Attributes
a. Defined separately from classes
b. Defined only once and can be used in
multiple classes
c. Store the information that describes the
object
3. Classes
a. Are collections of attributes
b. Describe the possible objects that can be
created
c. Are also referred to as object classes
d. Every object is an instance of an object
class
4. Advanced concepts
a. A set of basic classes and attributes is
shipped with Microsoft Windows 2000 Server.
b. The schema can be extended by defining new
classes and attributes for existing classes.
c. The schema cannot be deleted, but only
deactivated, and is automatically replicated.
2. Active Directory Components
A. Logical structure of the organization
1. Domains
2. Organizational units
3. Trees
4. Forests
B. Physical structure of the organization
1. Sites (physical subnets)
2. Domain controllers
3. Logical Structures
A. Overview
1. Resources should be organized in a
logical structure that mirrors the logical structure of the organization.
2. Grouping resources logically enables
users and administrators to find resources by name rather than by physical
location.
3. The network’s physical structure is
transparent to users.
B. Domains
1. Overview
a. The core unit of logical structure in
Active Directory is the domain.
b. Active Directory is made up of one or more
domains.
c. A domain is able to store up to 10
million objects, although 1 million objects per domain is more realistic.
d. Objects stored in a domain are those
considered “interesting” to the network: items the networked community members
need to function.
e. All network objects exist within a domain.
f. Each domain stores information only about
the objects it contains.
g. Grouping objects into one or more domains
allows a network to reflect the company’s organization.
2. Security
a. A domain is a security boundary.
b. Access control lists (ACLs) control access
to domain objects.
c. ACLs contain the permissions associated
with objects that control which users can gain access to an object and what
type of access users can gain to the objects.
d. Objects include files, folders, shares,
printers, and other Active Directory objects.
e. Not all security policies and settings
cross from one domain to another.
f. The domain administrator has absolute
rights to set policies only within that domain.
C. Organizational units (OUs)
1. Containers used to organize objects
within a domain into logical administrative groups that mirror an
organization’s functional or business structure
2. Contain objects such as user accounts,
groups, computers, printers, applications, file shares, and other OUs from the
same domain
3. Hierarchy within a domain is independent
of the hierarchy structure of other domains
4. Provide a means for handling
administrative tasks
5. The smallest scope to which you can
delegate administrative authority over users and resources
6. Permissions can be granted separately
within each OU.
7. By default, all child objects within the Active Directory inherit permissions from their parents.
Note: Granting permissions at a higher level and using inheritance capabilities can reduce administrative tasks.
D. Trees
1. Overview
a. A tree is a grouping or hierarchical
arrangement of one or more Windows 2000 domains created by adding one or more
child domains to an existing parent domain.
b. Domains in a tree share a contiguous
namespace and a hierarchical naming structure.
c. Creating a hierarchy of domains in a tree
allows retention of security and allows for administration within an OU or
within a single domain of a tree.
d. Permissions can flow down the tree by
granting permissions to the user on an OU basis.
e. Structure easily accommodates
organizational changes.
2. Characteristics
a. Follow DNS standards
b. All domains within a single tree share a
common schema and a common global catalog.
E. Forests
1. The grouping or hierarchical arrangement
of one or more separate, completely independent domain trees
2. Characteristics
a. All trees in a forest share a common
schema.
b. Trees in a forest have different naming
structures, according to their domains.
c. All domains in a forest share a common
global catalog.
d. Domains in a forest operate independently,
but the forest enables communication across the entire organization.
e. Implicit two-way transitive trusts exist
between domains and domain trees.
f. Namespace is contiguous only within each
tree.
4. Physical Structure
A. Sites
1. The combination of one or more IP subnets
connected by a highly reliable and fast link to localize as much network
traffic as possible
2. Typically, has the same boundaries as a
LAN
3. When grouping subnets on the network,
combine only those subnets that have fast, inexpensive, and reliable network
connections with one another.
4. Available bandwidth of 128 Kbps or
greater is sufficient.
5. Not a part of the namespace
6. Contain only computer objects and connection objects used to configure replication between sites
Note: A single domain can span multiple geographical sites, and a single site can include user accounts and computers belonging to multiple domains.
B. Domain controllers
1. Overview
a. A domain controller is a computer running
a Windows 2000 Server that stores a replica of the domain directory (local
domain database).
b. A domain can contain one or more domain
controllers.
2. Functions
a. Each domain controller stores a complete
copy of all Active Directory information for that domain.
b. Domain controllers automatically replicate
all objects in the domain to one another.
c. Replication can be controlled by
specifying how often replication occurs and the amount of data that Windows
2000 replicates at one time.
d. Domain controllers immediately replicate
certain important updates, such as the disabling of a user account.
e. Active Directory uses multimaster
replication, in which no one domain controller is the master domain controller.
f. Having more than one domain controller in
a domain provides fault tolerance.
g. Domain controllers manage all aspects of
users’ domain interaction, such as locating Active Directory objects and
validating user logon attempts.
Chapter 2, Lesson 2
Understanding Active Directory Concepts
1. Global Catalog
A. General information
1. A central repository of information about
objects in a tree or forest
2. A global catalog is automatically created
on the initial domain controller in the forest and is known as the global catalog
server.
3. A global catalog server stores a full
replica of all object attributes in the directory for its host domain and a
partial replica for all object attributes contained in the directory of every
domain in the forest.
4. A partial replica stores attributes most
frequently used in search operations.
5. Object attributes replicated to the
global catalog inherit the same permissions as in source domains, ensuring that
data in the global catalog is secure.
B. Two key directory roles
1. Enable network logon by providing
universal group membership information to a domain controller when a logon
process is initiated
2. Enable finding directory information
regardless of which domain in the forest actually contains the data
C. Universal group membership information
1. If only one domain controller exists in
the domain, the domain controller and the global catalog are the same server.
2. If multiple domain controllers exist on
the network, the global catalog is the domain controller configured as such.
3. If a global catalog is not available when
a user initiates a network logon process, the user is able to log on to the
local computer only.
D. Queries
1. The global catalog is designed to respond
to user and programmatic queries about objects anywhere in the domain tree or
forest with maximum speed and minimum network traffic.
2. Finding information in the directory does
not produce unnecessary query traffic across domain boundaries.
E. Global catalog servers
1. The administrator can optionally
configure any domain controller or designate additional domain controllers as
global catalog servers.
2. When considering which domain controllers
to designate as global catalog servers, base the decision on the ability of the
network structure to handle replication and query traffic.
3. Additional servers can provide quicker
responses to user inquiries, as well as redundancy.
4. Every major site in the enterprise should
have at least one global catalog server.
2. Replication
A. Overview
1. Replication ensures that changes to a
domain controller are reflected in all domain controllers within a domain.
2. Directory information is replicated to
domain controllers both within and among sites.
B. What information is replicated
1. Information is partitioned into three
categories, each referred to as a directory partition. These directory
partitions are the units of replication.
2. The following information is contained in
each directory:
a. Schema information: Defines objects that
can be created in the directory and the attributes associated with those
objects
b. Configuration information: Describes the
logical structure of the deployment, containing information such as domain
structure or replication topology; common to all domains in the domain tree or
forest
c. Domain data: Describes all of the objects
in a domain; domain-specific and not distributed to any other domains; a subset
of the properties for all objects in all domains is stored in the global
catalog
3. Schema and configuration information is
replicated to all domain controllers in the domain tree or forest.
4. Domain data for a particular domain is
replicated to every domain controller in that domain.
5. All of the objects in every domain, and a
subset of the properties of all objects in a forest, are replicated to the
global catalog.
6. A domain controller stores and replicates:
a. Schema information for the domain tree or
forest
b. Configuration information for all domains
in the domain tree or forest
c. All directory objects and properties for
its domain
d. A subset of the properties of all objects
in the domain (replicated to the global catalog)
7. A global catalog stores and replicates:
a. Schema information for a forest
b. Configuration information for all domains
in a forest
c. A subset of the properties for all
directory objects in the forest (replicated between global catalog servers
only)
d. All directory objects and all their properties for the domain in which the global catalog is located
Note: Extensions to schema can have disastrous effects on large networks due to the full synchronization of all the domain data.
C. How replication works
1. Overview
a. Active Directory replicates information
within a site more frequently than across sites.
b. The need for up-to-date directory
information is balanced with the limitations imposed by available network
bandwidth.
2. Replication within a site
a. Active Directory automatically generates a topology for replication among domain controllers in the same domain using a ring structure.
b. Topology defines the path for directory
updates to flow from one domain controller to another until all domain
controllers receive the directory updates.
c. Ring structure ensures that at least two
replication paths exist from one domain controller to another.
d. Active Directory periodically analyzes the
replication topology within a site to ensure that it is still efficient.
e. If a domain controller is added or removed
from the network or a site, Active Directory reconfigures the topology to
reflect the change.
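The ring topology described in items a through e, modelled as an added example (not code from the lesson): it builds the connection objects for a site's domain controllers, enumerates the replication paths between any two of them to show that an intact ring always offers two, and rebuilds the ring when a controller is added or removed. The controller names are constructed.

```python
def ring_topology(dcs):
    """Build the connection objects for an intra-site ring: each domain controller
    replicates with the next one, and the last closes the ring back to the first.
    Returns (dc_a, dc_b) pairs; each pair is a two-way replication link."""
    n = len(dcs)
    if n < 2:
        return []
    if n == 2:
        return [(dcs[0], dcs[1])]          # a ring of two collapses to a single link
    return [(dcs[i], dcs[(i + 1) % n]) for i in range(n)]


def neighbors(connections, dc):
    """Domain controllers directly linked to dc by a connection object."""
    peers = set()
    for a, b in connections:
        if a == dc:
            peers.add(b)
        elif b == dc:
            peers.add(a)
    return peers


def replication_paths(connections, src, dst):
    """Enumerate every loop-free path an update can take from src to dst.
    On an intact ring of three or more DCs there are always two of them,
    so the loss of one link or one DC still leaves a route."""
    found = []

    def walk(current, path):
        if current == dst:
            found.append(path)
            return
        for nxt in sorted(neighbors(connections, current)):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def reconfigure(dcs, removed=None, added=None):
    """Rebuild the ring after a DC leaves or joins the site, as Active Directory
    does when it re-analyzes the topology. Returns (new_dc_list, new_connections)."""
    remaining = [d for d in dcs if d != removed]
    if added is not None and added not in remaining:
        remaining.append(added)
    return remaining, ring_topology(remaining)


if __name__ == "__main__":
    # Constructed site with four domain controllers.
    site = ["DC1", "DC2", "DC3", "DC4"]
    ring = ring_topology(site)
    print("connections:", ring)
    print("paths DC1 -> DC3:", replication_paths(ring, "DC1", "DC3"))
    rest, ring3 = reconfigure(site, removed="DC2")
    print("after removing DC2:", ring3, replication_paths(ring3, "DC1", "DC3"))
```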
3. Replication between sites
a. To ensure replication between sites,
Active Directory must be customized to replicate information using site links
to represent network connections.
b. Active Directory uses the network
connection information to generate connection objects that provide efficient
replication and fault tolerance.
c. Information is provided about the
replication protocol used, cost of a site link, times when the link is available
for use, and how often the link should be used.
d. Active Directory uses this information to determine which site link will be used to replicate information.
Note: When operating in native mode, Windows 2000 domain controllers do not replicate with pre–Windows 2000 domain controllers.
3. Trust Relationships
A. Overview
1. A trust relationship is a link between
two domains in which the trusting domain honors the logon authentication of the
trusted domain.
2. Active Directory supports two forms of trust relationships: implicit two-way transitive trusts and explicit one-way nontransitive trusts.
B. Implicit two-way transitive trust
1. The trust relationship between parent and
child domains within a tree and between the top-level domains in a forest
2. Trust relationships among domains in a
tree are established and automatically maintained.
3. Transitive trust is a feature of the
Kerberos authentication protocol.
4. If Domain A trusts Domain B, and Domain B
trusts Domain C, then Domain A trusts Domain C.
5. Domains joining a tree immediately have
trust relationships established with every domain in the tree; these trust
relationships make all objects in the domains of the tree available to all
other domains in the tree.
6. Transitive trust between domains
eliminates the management of interdomain trust accounts.
7. Domains that are members of the same tree
automatically participate in a transitive, bidirectional trust relationship
with the parent domain.
8. Users in one domain can access resources
to which they have been granted permission in all other domains in a tree.
C. Explicit one-way nontransitive trust
1. The trust relationship between domains
that are not part of the same tree
2. Nontransitive trust is bounded by the two
domains in the trust relationship and does not flow to any other domains in the
forest.
3. Nontransitive trust must be manually
created in most cases.
4. This is the only form of trust possible
with
a. A Windows 2000 domain and a Windows NT
domain
b. A Windows 2000 domain in one forest and a
Windows 2000 domain in another forest
c. A Windows 2000 domain and an MIT Kerberos
V5 realm, allowing a client in a Kerberos realm to authenticate to an Active
Directory domain in order to access network resources in that domain
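The two trust forms in sections B and C, as an added example that is not part of the lesson: a small model in which implicit trusts are two-way and followed across any number of hops (A trusts B, B trusts C, so A trusts C) while an explicit trust counts only as a direct one-way link and never extends to other domains in the forest. The domain, NT domain and realm names are constructed.

```python
from collections import deque


class TrustModel:
    """Domains and the trust links among them, using the lesson's two forms:
    implicit two-way transitive trusts (parent/child domains in a tree, and
    tree roots in a forest) and explicit one-way nontransitive trusts (to a
    Windows NT domain, a domain in another forest, or an MIT Kerberos realm)."""

    def __init__(self):
        self.transitive = {}     # domain -> domains linked by two-way transitive trust
        self.nontransitive = {}  # trusting domain -> domains it trusts one-way, nontransitively

    def _know(self, *names):
        for n in names:
            self.transitive.setdefault(n, set())
            self.nontransitive.setdefault(n, set())

    def add_transitive_trust(self, a, b):
        """Implicit two-way transitive trust, e.g. parent/child in a tree or two tree roots."""
        self._know(a, b)
        self.transitive[a].add(b)
        self.transitive[b].add(a)

    def add_external_trust(self, trusting, trusted):
        """Explicit one-way nontransitive trust: 'trusting' honors logons from 'trusted' only."""
        self._know(trusting, trusted)
        self.nontransitive[trusting].add(trusted)

    def trusts(self, trusting, trusted):
        """True if 'trusting' honors authentication performed by 'trusted'.
        A nontransitive trust counts only as a direct link; transitive trusts are
        followed across any number of hops (A trusts B, B trusts C => A trusts C)."""
        if trusting == trusted:
            return True
        if trusted in self.nontransitive.get(trusting, ()):
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            here = queue.popleft()
            for nxt in self.transitive.get(here, ()):
                if nxt == trusted:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def build_example():
    """Constructed forest (hypothetical names): tree corp.example with two child
    domains, a second tree rooted at partner.example, plus an NT domain and an
    MIT Kerberos realm reached through explicit one-way trusts."""
    m = TrustModel()
    m.add_transitive_trust("corp.example", "sales.corp.example")
    m.add_transitive_trust("corp.example", "eng.corp.example")
    m.add_transitive_trust("corp.example", "partner.example")   # forest root trust
    m.add_external_trust("eng.corp.example", "LEGACYNT")        # Windows NT domain
    m.add_external_trust("corp.example", "KRB.EXAMPLE")         # MIT Kerberos V5 realm
    return m
```

Because the model distinguishes the two forms, it reproduces the boundary the lesson describes: sales.corp.example trusts partner.example through the forest, but neither sales.corp.example nor corp.example trusts LEGACYNT, which only eng.corp.example trusts directly.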
4. DNS Namespace
A. Overview
1. Active Directory is primarily a
namespace, a bounded area in which a name can be resolved.
2. Name resolution is the process of
translating a name into some object or information that the name represents.
3. The Active Directory namespace is based
on the DNS naming scheme.
4. Private networks use DNS extensively to
resolve computer names and to locate computers within their local networks and
the Internet.
5. Benefits of DNS
a. User-friendly names that are easier to
remember than IP addresses
b. DNS names remain more constant than IP
addresses.
c. Allows users to connect to local servers using the same naming convention as the Internet
Note: For more information on DNS, see RFCs 1034 and 1035. To read the text of these RFCs, use your Web browser to search for RFC 1034 and RFC 1035.
B. Dynamic DNS (DDNS)
1. Windows 2000 domain names are also DNS
names.
2. Enables clients with dynamically assigned
addresses to register directly with a server running the DNS service and update
the DNS table dynamically
3. Eliminates the need for other Internet naming services, such as WINS
Note: For Active Directory and associated client software to function correctly, you must have installed and configured the DNS service.
C. Domain namespace
1. The naming scheme that provides the
hierarchical structure for the DNS database
2. Each node represents a partition of the
DNS database; these nodes are referred to as domains.
3. A DNS database is indexed by name;
therefore, each domain must have a name.
4. As names are added to the hierarchy, the
name of the parent domain is appended to its child domain—a subdomain.
5. The domain’s name identifies its position
in the hierarchy.
6. Hierarchical structure of the domain namespace
typically consists of a root domain, top-level domains, and host names.
7. Two types of namespaces
a. Contiguous namespace
(1) The name of the child object in an object
hierarchy always contains the name of the parent domain.
(2) A tree is a contiguous namespace.
b. Disjointed namespace
(1) Names of a parent object and a child of the
same parent object are not directly related to one another.
(2) A forest is a disjointed namespace.
Note: The term domain, in the context of DNS, is not related to domain as used in Windows 2000 directory services. A Windows 2000 domain is a group of computers and devices that are administered as a unit.
8. Root domain
a. Top of the hierarchy and is represented as
a period (.)
b. The Internet root domain is managed by
several organizations, including Network Solutions, Inc.
9. Top-level domains
a. Organized by organization type or
geographic location
b. Contain second-level domains and host names
Note: See Table 2.1 on page 51 for examples of top-level domains. Individual country names may also be a part of top-level domains. Examples of country domain names are “au” for Australia and “fr” for France. Also see http://www.wowworx.com/tips/countrycodes.htm
10. Second-level domains
a. Organizations assign and register second-level domains to individuals and organizations for the Internet.
Note: Currently, Network Solutions, Inc. (www.networksolutions.com) is the organization responsible for assigning second-level domains.
b. Two name parts: a top-level name and a unique second-level name
Note: See Table 2.2, page 52, for examples of second-level domains. In the case of country names, “gov.au”, “edu.au”, and “com.au” are top-level domains. If the name is structured as “company.au”, however (and in this case only), “.au” is top level.
11. Host names
a. Refer to specific computers on the
Internet or a private network
b. Leftmost portion of a fully qualified domain name (FQDN), which describes the exact position of a host within the domain hierarchy
Note: The host name does not have to be the same as the computer name, the NetBIOS name, or a name from any other naming protocol.
12. Zones
a. Each zone represents a discrete portion of
the domain namespace.
b. Provide a way to partition the domain
namespace into manageable sections
c. Multiple zones in a domain namespace are
used to distribute administrative tasks to different groups.
d. Must encompass a contiguous domain
namespace
e. Name-to-IP-address mappings for a zone are
stored in the zone database file.
f. Anchored to a specific domain—the zone’s
root domain
g. The zone database file does not
necessarily contain information for all subdomains of the zone’s root domain,
only those subdomains within the zone.
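The namespace rules from items 6 through 12 (host name as the leftmost FQDN label, contiguous versus disjointed namespaces, and the requirement that a zone encompass a contiguous namespace), worked as an added example rather than code from the lesson. The domain names are constructed; the country-code case from the note ("gov.au" as a top-level domain) is deliberately not special-cased.

```python
def split_labels(name):
    """DNS labels of a name, leftmost first. The trailing '.' stands for the root
    domain and is dropped; comparison is case-insensitive, as in DNS."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def fqdn_parts(fqdn):
    """Decompose an FQDN: the host name is the leftmost label, the top-level domain
    the rightmost, and 'parents' lists every domain the host sits under, nearest
    first. Country cases such as 'gov.au' are not special-cased here."""
    labels = split_labels(fqdn)
    if len(labels) < 2:
        raise ValueError("an FQDN needs at least a host name and a top-level domain")
    return {
        "host": labels[0],
        "tld": labels[-1],
        "second_level": ".".join(labels[-2:]),
        "parents": [".".join(labels[i:]) for i in range(1, len(labels))],
    }


def is_child_domain(parent, child):
    """Contiguous-namespace rule: a child's name always contains its parent's name
    as its rightmost labels (sales.corp.example is a child of corp.example)."""
    p, c = split_labels(parent), split_labels(child)
    return len(c) > len(p) and c[-len(p):] == p


def namespace_kind(domains):
    """'contiguous' when the domains form one tree (a single root that every other
    domain descends from); 'disjointed' when there are several roots, as in a forest."""
    roots = [d for d in domains
             if not any(is_child_domain(other, d) for other in domains if other != d)]
    return "contiguous" if len(roots) == 1 else "disjointed"


def zone_is_contiguous(zone_root, members):
    """A zone must encompass a contiguous namespace: every domain in the zone is the
    zone's root domain or lies beneath it."""
    return all(split_labels(m) == split_labels(zone_root) or is_child_domain(zone_root, m)
               for m in members)


if __name__ == "__main__":
    # Constructed names: one tree under corp.example and a second tree root.
    print(fqdn_parts("www.sales.corp.example."))
    tree = ["corp.example", "sales.corp.example", "eng.corp.example"]
    print(namespace_kind(tree), namespace_kind(tree + ["partner.example"]))
    print(zone_is_contiguous("corp.example", ["corp.example", "partner.example"]))
```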
5. Name Servers
A. Overview
1. A DNS name server stores the zone
database file.
2. Name servers can store data for one zone
or multiple zones.
3. A name server has authority for the
domain namespace that the zone encompasses.
4. At least one name server must exist for a
zone.
5. Changes to a zone, such as adding domains
or hosts, are performed on the server that contains the primary zone database
file.
B. Multiple name servers
1. Perform zone transfers
2. A zone transfer occurs when additional
name servers obtain a copy of the zone database file from the name server that
contains the primary zone database file.
3. Provide redundancy
4. Improve access speed for remote locations
5. Reduce the load on the name server
containing the primary zone database file
6. Naming Conventions
A. Distinguished name (DN)
Note: See Table 2.3 on page 54 for an example of a distinguished name.
1. Uniquely identifies an object and
contains sufficient information for a client to retrieve the object from the
directory
2. Includes the name of the domain that
holds the object, as well as the complete path through the container hierarchy
to the object
3. Must be unique
Note: For more information about distinguished names, see RFC 1779. To read the text of the Request for Comment, use your Web browser to search for RFC 1779.
B. Relative distinguished name (RDN)
1. The part of the name that is an attribute
of the object itself
2. Duplicate RDNs are allowed for Active
Directory objects, but two objects with the same RDN cannot exist in the same
OU.
3. Objects with duplicate RDNs can exist in
separate OUs because they have different DNs.
C. Globally unique identifier (GUID)
1. A 128-bit number that is guaranteed to be
unique across all domains
2. Assigned to an object when the object is
created
3. Never changes, even if the object is
moved or renamed
4. Applications can store the GUID of an
object and use the GUID to retrieve that object regardless of its current DN.
5. Objects can be moved from domain to
domain, and they will still have a unique identifier.
D. User principal name (UPN)
1. Friendly name
2. Composed of a “shorthand” name for the
user account and the DNS name of the tree where the user account object resides
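The four naming conventions in sections A through D, as an added example that is not code from the lesson: a minimal directory store that splits a DN into its RDNs (honoring the backslash-escaped comma of RFC 1779), rejects a duplicate RDN inside one container while allowing it in another OU, keeps an object's GUID fixed across a move, and composes a UPN. The DNs, account name and tree name are constructed.

```python
import uuid


def split_dn(dn):
    """Split a distinguished name into its RDNs, leftmost (the object's own RDN) first.
    A backslash-escaped comma (RFC 1779 style) stays inside its RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def rdn_of(dn):
    return split_dn(dn)[0]


def parent_of(dn):
    """The container (OU, domain) that holds the object: the DN minus its first RDN."""
    return ",".join(split_dn(dn)[1:])


class Directory:
    """Minimal store enforcing the naming rules in the lesson: a DN is unique,
    two objects with the same RDN cannot share a container, and the GUID
    assigned at creation survives moves and renames."""

    def __init__(self):
        self.dn_by_guid = {}

    def _taken(self, parent, rdn):
        parent = ",".join(split_dn(parent)).lower()   # normalize spacing and case
        return any(parent_of(d).lower() == parent and rdn_of(d).lower() == rdn.lower()
                   for d in self.dn_by_guid.values())

    def create(self, dn):
        if self._taken(parent_of(dn), rdn_of(dn)):
            raise ValueError(f"{rdn_of(dn)} already exists in {parent_of(dn)}")
        guid = uuid.uuid4()          # 128-bit identifier, assigned once, never changes
        self.dn_by_guid[guid] = dn
        return guid

    def move(self, guid, new_parent):
        """Move an object to another container; its DN changes, its GUID does not."""
        rdn = rdn_of(self.dn_by_guid[guid])
        if self._taken(new_parent, rdn):
            raise ValueError(f"{rdn} already exists in {new_parent}")
        self.dn_by_guid[guid] = f"{rdn},{new_parent}"
        return self.dn_by_guid[guid]

    def lookup(self, guid):
        """Applications retrieve by GUID regardless of the object's current DN."""
        return self.dn_by_guid[guid]


def upn(shorthand, tree_dns_name):
    """User principal name: shorthand account name plus the DNS name of the tree."""
    return f"{shorthand}@{tree_dns_name}"
```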