Chapter 4, Implementing Active Directory
Chapter 4, Lesson 1
Planning Active Directory Implementation
1. Planning a Domain Structure
A. Assessing the logical environment
1. Consider how the company conducts daily operations to determine the logical structure of the organization.
2. Consider how the company operates functionally and geographically.
B. Assessing the physical environment
1. The physical environment dictates the technical requirements for implementing Active Directory.
2. Consider the company’s user and network requirements to determine the logical requirements for implementing Active Directory.
3. To assess user requirements for each functional and geographical division, determine
a. Number of employees
b. Growth rate
c. Plans for expansion
4. To assess network requirements for each geographical division, determine
a. Organization of network connections
b. Network connection speed
c. Utilization of network connections
d. TCP/IP subnets
C. Assessing administrative requirements
1. Centralized administration
a. A single administrative team manages the
network, users, and security.
b. This method is often used by smaller
companies with fewer locations or business functions.
2. Decentralized administration
a. A number of administrators or
administrative teams manage the network, users, and security.
b. Teams are divided by location or business
function.
3. Customized administration
a. Administration is centralized for some
resources and decentralized for others.
b. The method of administration is dependent
upon business needs.
D. Domain requirements
1. Start with a single domain that is the
easiest domain structure to administer.
2. Add domains only when the single domain
model no longer meets the needs of the company.
3. One domain can span multiple sites and
contain millions of objects.
4. Site and domain structures are separate
and flexible.
5. A single domain can span multiple
geographical sites; a single site can include users and computers belonging to
multiple domains.
6. No need exists to create separate domains
merely to reflect the company’s organization of divisions and departments.
7. Use OUs to model the organization’s
management hierarchy for delegation or administration.
8. Reasons to create more than one domain:
a. Decentralized network administration
b. Replication control
c. Different password requirements between
organizations
d. Massive number of objects
e. Different Internet domain names
f. International requirements
g. Internal political requirements
E. Assessing domain organization needs
1. Organize the domains into a tree or a
forest hierarchy that fits the organization’s needs.
2. Domains in trees and forests share the
same configuration, schema, and global catalog.
3. The two-way transitive trust relationship
allows the domains to share resources.
4. DNS name structure is the primary
difference between domain trees and forests.
5. Unless the organization operates as a
group of several entities, the network probably lends itself to a contiguous
DNS namespace; multiple domains should be set up in a single domain tree.
6. Create a forest to combine organizations
with unique domain names and to separate DNS zones.
7. Each tree in the forest has its own
unique namespace.
2. Planning a Domain Namespace
A. Overview
1. Domains are named with DNS names.
2. Plan the DNS namespace before using DNS
on the network.
3. Decisions must be made about how DNS is
to be used and what goals will be accomplished using DNS.
a. Has a DNS domain name been previously
chosen and registered for the Internet?
b. Will the company’s internal Active
Directory namespace be the same or different from its external Internet
namespace?
c. What naming requirements and guidelines
must be followed when choosing DNS domain names?
B. Choosing a DNS domain name
1. First choose and register a unique parent
DNS name that can be used for hosting the organization on the Internet.
2. Before deciding on a parent DNS name for the
organization, perform a search to see if the name is already registered to
another entity.
3. The Internet DNS namespace is currently
managed by Network Solutions, Inc., though other domain name registrars are
also available.
4. Combine the parent DNS name with a
location or organizational name used within your organization to form other subdomain names.
C. Same internal and external namespaces
1. Overview
a. A company uses the same name for the
internal and external namespaces.
b. Users on the company’s internal, private
network must be able to access both internal and external servers.
c. Clients accessing resources from the
outside must not be able to access internal company resources or resolve names
to protect company data.
d. Two separate DNS zones must exist.
e. One zone is outside the firewall and
provides name resolution for public resources; it is not configured to resolve
internal resources, thereby making internal company resources inaccessible to
external clients.
f. Make publicly available resources
accessible to internal clients by duplicating the external zone on an internal
DNS for internal clients to resolve resources.
g. If a proxy server is being used, the proxy
client should be configured to treat the namespace (such as microsoft.com) as
an internal resource.
2. Advantages to using the same internal and external namespaces
a. The tree name is consistent on both the
internal private network and the external public Internet.
b. The idea of a single logon name is extended
to the public Internet, allowing users to use the same logon name both
internally and externally.
3. Disadvantages to using the same internal and external namespaces
a. The result is a more complex proxy
configuration.
b. Proxy clients must be configured to know
the difference between internal and external resources.
c. Care must be taken not to publish
internal resources on the external public Internet.
d. Duplication of efforts in managing
resources could occur.
e. Users will get a different view of
internal and external resources even though the namespace is the same.
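The two-zone design in C above has one failure mode worth checking for: an internal resource accidentally published in the external zone (disadvantage c), or a public resource that was never duplicated into the internal zone (overview item f). The following script is an added example, not part of the course outline, that audits a pair of zones for both problems. The zone contents, host names and addresses are constructed; only RFC 1918 ranges are treated as internal, which is an assumption made for the sample.

```python
"""Split-namespace audit: added example, not part of the course outline.
Zone data below is constructed; the example.com hosts and addresses are made up."""
import ipaddress

# Only RFC 1918 ranges count as internal here (assumption for the sample; the
# ipaddress module's is_private also flags documentation ranges such as
# 203.0.113.0/24, which this sample uses for its "public" addresses).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zones: the company uses example.com on both sides of the firewall.
EXTERNAL_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "dc01.example.com": "10.1.2.3",        # mistake: an internal host published outside
}
INTERNAL_ZONE = {
    "www.example.com": "203.0.113.10",     # public resource duplicated for internal clients
    "dc01.example.com": "10.1.2.3",
    "fileserver.example.com": "10.1.2.40",
}

def is_internal_address(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)

def leaked_internal_records(external: dict, internal: dict) -> list:
    """External-zone names that expose internal resources: the published
    address is private, or the same name is an internal-only host inside."""
    leaks = set()
    for name, addr in external.items():
        if is_internal_address(addr) or (name in internal and is_internal_address(internal[name])):
            leaks.add(name)
    return sorted(leaks)

def missing_public_duplicates(external: dict, internal: dict) -> list:
    """Public names internal clients cannot resolve because the external
    zone was not duplicated on the internal DNS (overview item f)."""
    return sorted(name for name, addr in external.items()
                  if not is_internal_address(addr) and name not in internal)

def audit(external: dict, internal: dict) -> dict:
    return {"leaked": leaked_internal_records(external, internal),
            "missing_internally": missing_public_duplicates(external, internal)}

if __name__ == "__main__":
    for finding, names in audit(EXTERNAL_ZONE, INTERNAL_ZONE).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the sample zones, the audit reports dc01.example.com as leaked (a private address in the public zone) and mail.example.com as missing internally; feeding it exported copies of both zones gives the same two lists for a real split namespace.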
D. Separate internal and external namespaces
1. Overview
a. A company uses separate internal and
external namespaces.
b. Names will be different on either side of
the firewall.
c. Two namespaces must be registered with
the Internet DNS.
d. The purpose of registering both names is
to prevent duplication of the internal name by another public network.
e. If the name were not reserved, internal
clients would not be able to distinguish between the internal name and the
publicly registered DNS namespace.
f. Two zones will be established.
g. Users can clearly distinguish between
internal and external resources.
2. Advantages to using separate internal and external namespaces
a. Because they are based on different domain
names, the difference between internal and external resources is clear.
b. The environment is more easily managed
because no overlap or duplication of effort occurs.
c. Configuration of proxy clients is simpler
because exclusion lists need to contain only a tree name when identifying
external resources.
3. Disadvantages to using separate internal and external namespaces
a. Logon names are different from e-mail names.
b. Multiple names must be registered with an Internet DNS.
Note An administrator can use the MMC to change the user principal name (UPN) suffix properties of users so that the user logon will match the user e-mail address.
E. Domain naming requirements and guidelines
1. Select a root domain name that will remain static.
2. Use simple and precise domain names that are easy for users to remember and enable users to search intuitively for resources.
3. Use standard DNS characters and Unicode characters.
4. Windows 2000 supports the following standard DNS characters: A–Z, a–z, 0–9, and the hyphen (-), as defined in RFC 1035.
Note The Unicode character set, which includes additional characters not found in the ASCII character set, is used for languages other than English. Use Unicode characters only if all servers running the DNS service in your environment support Unicode. For more information on the Unicode character set, read RFC 2044.
5. Limit the number of domain levels.
6. Use unique names.
7. Avoid lengthy domain names; a domain name can be up to 63 characters, including the periods, and the total length cannot exceed 255 characters.
8. Case-sensitive naming is not supported.
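The guidelines in E can be applied mechanically to a proposed namespace before any domain is created. The checker below is an added example, not part of the course outline: it enforces the RFC 1035 character set, the 63-character limit (applied per label, as RFC 1035 defines it), the 255-character total, case-insensitive uniqueness, and a level limit. The level limit of four is an assumption, since the outline only says to keep the number of levels small; the sample names are constructed.

```python
"""DNS domain-name checks for the naming guidelines above.  Added example,
not part of the course outline; the sample names are constructed."""
import re

# RFC 1035 label: letters, digits and hyphen, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LABEL = 63      # per label, as RFC 1035 defines it
MAX_NAME = 255      # whole name, periods included

def check_domain_name(name: str, max_levels: int = 4) -> list:
    """Return the guideline violations for one name (empty list = passes).
    max_levels is an assumed limit; the outline only says to keep levels few."""
    problems = []
    if len(name) > MAX_NAME:
        problems.append(f"total length {len(name)} exceeds {MAX_NAME} characters")
    labels = name.rstrip(".").split(".")
    if len(labels) > max_levels:
        problems.append(f"{len(labels)} levels exceeds the limit of {max_levels}")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive or leading period)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label '{label[:10]}...' exceeds {MAX_LABEL} characters")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' uses characters outside A-Z, a-z, 0-9 and hyphen")
    return problems

def canonical(name: str) -> str:
    """DNS names are not case-sensitive, so compare them in one case."""
    return name.rstrip(".").lower()

def duplicate_names(names) -> list:
    """Names that collide once case is ignored (violates 'use unique names')."""
    seen, dups = set(), set()
    for n in names:
        c = canonical(n)
        if c in seen:
            dups.add(c)
        seen.add(c)
    return sorted(dups)

if __name__ == "__main__":
    proposed = ["sales.example.com", "Sales.EXAMPLE.com", "sales_east.example.com"]
    for n in proposed:
        print(n, check_domain_name(n) or "ok")
    print("duplicates:", duplicate_names(proposed))
```

Underscores are the usual surprise: NetBIOS-era names such as sales_east pass a Windows name check but fail the RFC 1035 rule that non-Microsoft DNS servers enforce.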
3. Planning an OU Structure
A. Overview
1. Plan the OU structure after the company’s
domain structure and namespace have been determined.
2. Organize users and resources by using a
hierarchy of OUs to reflect the structure of the company.
3. OUs allow the organization to be modeled
in a meaningful and manageable way.
4. OUs allow assignment of an appropriate
local authority as administrator at any hierarchical level.
5. Consider creating an OU if you want to do
the following:
a. Reflect the company’s structure and
organization within a domain
b. Delegate administrative control over
network resources, but maintain the ability to manage them
c. Accommodate potential changes in your
company’s organizational structure
d. Group objects to allow administrators to
locate similar network resources easily, to simplify security, and to perform
any administrative tasks
e. Restrict the visibility of network
resources in Active Directory
B. Planning an OU hierarchy
1. Guidelines
a. A shallow hierarchy performs better than a
deep one.
b. OUs should represent business structures not subject to change.
Note There are no restrictions on the depth of the OU hierarchy.
2. Consider the following models for
classifying OUs in the OU hierarchy:
a. Business function–based OUs
(1) Can be created based on various business
functions within the organization
(2) Top-level OUs correspond to the company’s
business divisions.
(3) Second-level OUs represent the functional
divisions within the business divisions.
b. Geographical-based OUs
(1) Can be created based on the location of
company offices
(2) Top-level OUs correspond to the regions set
up for the organization.
(3) Second-level OUs represent the physical
locations of the company’s offices.
c. Business function– and geographical-based OUs
(1) Can be created based on both business
function and the location of company offices
(2) The top-level OUs correspond to the
continents on which the company has offices.
(3) The second-level OUs represent the
functional divisions within the company.
4. Planning a Site Structure
A. Overview
1. A site is part of the Active Directory
physical structure; a combination of one or more IP subnets connected by a
highly reliable and fast network connection.
2. Site structure is concerned with the
physical environment; maintained separately from the logical environment, the
domain structure.
3. A single domain can include multiple
sites; a single site can include multiple domains or parts of multiple domains.
4. The main role of a site is to provide
good network connectivity.
5. The manner in which sites are set up affects Windows 2000 in two ways:
a. Workstation logon and authentication: When a user logs on, Windows 2000 will try to find a domain controller in the same site as the user’s computer to service the user’s logon request and subsequent requests for network information.
b. Directory replication: You can configure the schedule and path for replication of a domain’s directory differently for intersite replication, as opposed to replication within a site.
Note Generally, replication between sites should be set to occur less frequently than replication within a site.
B. Optimizing workstation logon traffic
1. Consider which domain controller(s) the workstations on a given subnet should use.
2. To have a particular workstation log on only to a specific set of domain controllers, define sites so that only those domain controllers are in the same subnet as that workstation.
C. Optimizing directory replication
1. Consider where the domain controllers and
the network connections between the domain controllers will be located.
2. Each domain controller must participate
in directory replication with the other domain controllers in its domain.
3. Configure sites so that replication
occurs at times and intervals that will not interfere with network performance.
4. Consider establishing a bridgehead server
to provide criteria for choosing which domain controller should be preferred as
the recipient for intersite replication.
D. Designing a site structure
1. A simple LAN can be a single site,
because connections typically are fast.
2. Establish a separate site with its own
domain controllers when domain controllers are not responding fast enough to
meet the needs of the users.
3. Determining what is fast enough depends
on the criteria for network performance.
4. Inadequate performance is more common
when deployments span a wide geographic range.
5. Other inadequacies may be attributed to
poor network design and implementation.
6. Follow these steps to design a site structure for an organization with multiple physical locations:
a. Assess the physical environment: Review the domain structure, including site locations, how network connections are organized, network connection speed, how network connections are utilized, and TCP/IP subnets
b. Determine the physical locations that form domains: Determine which physical locations are involved in each domain
c. Determine which areas of the network should be sites: If a network area requires workstation logon controls or directory replication, the area should be set up as a site
d. Identify the physical links connecting sites: Identify the link types, speeds, and utilization that exist so the links can be defined as site link objects
Note A site link object contains the schedule that determines when replication can occur between the sites that it connects.
e. For each site link object, determine the cost and schedule: The lowest-cost site link performs replication; determine the priority of each link by setting the cost.
Note Site replication occurs every three hours by default; set the schedule according to the needs.
f. Provide redundancy by configuring a site link bridge: A site link bridge provides fault tolerance for replication.
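Steps d through f above reduce to a shortest-path question: which site links carry replication between two sites, and what happens when one link fails. The script below is an added example, not part of the course outline, that models site links with costs and answers that question with and without a site link bridge (treated here as making the links transitive, so a chain of links can be used). The sites, link names and costs are constructed.

```python
"""Site link cost and bridging: added example, not part of the course outline.
The sites, links and costs below are constructed."""
import heapq

# Constructed site links: each connects the listed sites at the given cost.
SITE_LINKS = {
    "HQ-Branch1":      {"sites": {"HQ", "Branch1"}, "cost": 100},
    "HQ-Branch2":      {"sites": {"HQ", "Branch2"}, "cost": 100},
    "Branch1-Branch2": {"sites": {"Branch1", "Branch2"}, "cost": 500},
}

def _adjacency(links, failed):
    """site -> [(neighbour site, cost, link name)] for links that are up."""
    adj = {}
    for name, link in links.items():
        if name in failed:
            continue
        for a in link["sites"]:
            for b in link["sites"]:
                if a != b:
                    adj.setdefault(a, []).append((b, link["cost"], name))
    return adj

def replication_route(links, src, dst, bridged=True, failed=()):
    """Lowest-cost route between two sites.  Without a site link bridge only a
    direct link between src and dst can carry replication; with one, links are
    transitive and the cheapest chain of links wins (Dijkstra over costs)."""
    adj = _adjacency(links, set(failed))
    if not bridged:
        direct = [(cost, name) for nxt, cost, name in adj.get(src, []) if nxt == dst]
        if not direct:
            return None
        cost, name = min(direct)
        return {"cost": cost, "links": [name]}
    heap = [(0, src, [])]
    done = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            return {"cost": cost, "links": path}
        for nxt, link_cost, name in adj.get(site, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + link_cost, nxt, path + [name]))
    return None

if __name__ == "__main__":
    print("bridged:   ", replication_route(SITE_LINKS, "Branch1", "Branch2"))
    print("unbridged: ", replication_route(SITE_LINKS, "Branch1", "Branch2", bridged=False))
    print("HQ link down:", replication_route(SITE_LINKS, "Branch1", "Branch2", failed=["HQ-Branch1"]))
```

With the bridge, Branch1 to Branch2 replicates through HQ at a total cost of 200 rather than over the expensive 500-cost direct link; when the HQ-Branch1 link is down the direct link takes over, which is the fault tolerance step f describes.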
Chapter 4, Lesson 2
Installing Active Directory
1. The Active Directory Installation Wizard
A. Overview
1. Run DCPROMO from the command prompt or
run Configure Your Server on the Administrative Tools menu of the Start menu to
launch the wizard.
2. The wizard runs on a stand-alone server
and aids in the process of installing Active Directory and creating a new
domain controller.
3. During the installation process, the
choice must be made to add the new domain controller to an existing domain or
create the first domain controller for a new domain.
4. The wizard can perform the following tasks:
a. Add a domain controller to an existing
domain
b. Create the first domain controller of a
new domain
c. Create a new child domain
d. Create a new domain tree
e. Install a DNS server
f. Create the database and database log
files
g. Create the shared system volume
h. Remove Active
Directory services from a domain controller
B. Adding a domain controller to an existing
domain
1. Creates a peer domain controller
2. Peer domain controllers provide
redundancy and reduce the load on the existing domain controller.
C. Creating the first domain controller for a
new domain
1. Creates a new domain
2. New domains are used to partition the
organization’s information.
3. A new child domain or a new tree can be
created.
a. New child domain: New domain is a child
domain of an existing domain
b. New domain tree: New domain is not part of
an existing domain; create a new tree in an existing forest or create a new
forest
2. Configuring DNS for Active Directory
A. Active Directory uses DNS as its location
service to find domain controllers.
B. A client queries DNS for resource records
that provide the names and IP addresses for the LDAP servers for the domain.
C. LDAP is the protocol used to query and
update Active Directory; all domain controllers run the LDAP service.
D. Active Directory cannot be installed without DNS on the network.
Note The DNS server does not have to be a Microsoft DNS server, but the DNS server must support IXFR and dynamic updates Version 8.1.
E. DNS can be installed without Active Directory.
F. Configure a Windows 2000 DNS server
automatically using the Active Directory Installation Wizard.
G. Manual configuration of DNS to support
Active Directory is not needed unless using a DNS server other than Windows
2000 or using a special configuration.
H. Manually configure DNS using the DNS console.
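Points A through C describe the DNS locator: a client asks DNS which LDAP servers serve the domain, and (as Lesson 1 noted for logon) prefers one in its own site. The script below is an added example, not part of the course outline, that implements that lookup over constructed SRV records. Active Directory publishes such records under _ldap._tcp.<domain> and _ldap._tcp.<site>._sites.<domain>; the priority-then-weight selection rule is the one RFC 2782 specifies. Record contents, host names and the site name are constructed.

```python
"""Domain controller location through DNS SRV records: added example, not
part of the course outline.  Record text and host names are constructed."""
import random

# Constructed zone-file SRV records for a domain with three DCs; dc03 is the
# only DC registered for the Paris site and is a low-weight fallback elsewhere.
SRV_RECORDS = """
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc01.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc02.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 0 389 dc03.example.com.
_ldap._tcp.Paris._sites.example.com. 600 IN SRV 0 100 389 dc03.example.com.
"""

def parse_srv(text: str) -> list:
    """Parse zone-file SRV lines into dicts (owner names lower-cased)."""
    records = []
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, prio, weight, port, target = line.split()
        if rtype != "SRV":
            continue
        records.append({"owner": owner.lower().rstrip("."), "priority": int(prio),
                        "weight": int(weight), "port": int(port),
                        "target": target.rstrip(".")})
    return records

def select_target(candidates: list, rng) -> str:
    """RFC 2782: use the lowest-priority group; within it choose by weight."""
    lowest = min(r["priority"] for r in candidates)
    group = [r for r in candidates if r["priority"] == lowest]
    total = sum(r["weight"] for r in group)
    if total == 0:
        return rng.choice(group)["target"]
    pick = rng.randrange(total)
    for r in group:
        if pick < r["weight"]:
            return r["target"]
        pick -= r["weight"]

def locate_dc(records: list, domain: str, site: str = None, rng=random):
    """Prefer a DC registered for the client's site, then any DC in the domain."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}".lower())
    names.append(f"_ldap._tcp.{domain}".lower())
    for name in names:
        matches = [r for r in records if r["owner"] == name]
        if matches:
            return select_target(matches, rng)
    return None

def sample_targets(records, domain, site=None, trials=50, seed=7) -> set:
    """Set of DCs a client would be steered to over several lookups."""
    rng = random.Random(seed)
    return {locate_dc(records, domain, site, rng) for _ in range(trials)}

if __name__ == "__main__":
    recs = parse_srv(SRV_RECORDS)
    print("Paris client:", locate_dc(recs, "example.com", site="Paris"))
    print("site-less client sees:", sample_targets(recs, "example.com"))
```

Because locator behaviour is driven entirely by these records, the SRV zone content is worth reviewing: a stale or unauthorised SRV entry redirects logon traffic, which is why dynamic update support (note under D) should be paired with secure update settings where the DNS server offers them.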
3. The Database and Shared System Volume
A. Overview
1. Installing Active Directory creates the
database and database log files, as well as the shared system volume.
2. Replication of the shared system volume
occurs on the same schedule as replication of the Active Directory.
3. File replication to or from the newly
created system volume may not be noticed until two replication periods have
elapsed, typically 10 minutes.
4. The first file replication period updates
the configuration of other system volumes so that they are aware of the newly
created system volume.
B. Types of files created by installing
Active Directory
1. Database and database log files
a. The database is the directory for the new
domain.
b. The default location is systemroot\NTDS.
c. Place the database and log file on
separate hard disks.
2. Shared system volume
a. A folder structure that exists on all
Windows 2000 domain controllers
b. Stores scripts and some of the group
policy objects for both the current domain and the enterprise
c. Default location is systemroot\SYSVOL.
d. Must be located on a partition or volume
formatted with NTFS 5.0
4. Domain Modes
A. Mixed mode
1. The domain controller is set to run in
mixed mode when it is first installed or upgraded.
2. Allows the
domain controller to interact with any domain controllers in the domain that
are running previous versions of Windows NT
B. Native mode
1. Switch to native mode
a. When all domain controllers in the domain
run Windows 2000 Server
b. When no more pre–Windows 2000 domain
controllers are planned to be added to the domain
2. During the
conversion
a. Support for pre–Windows 2000 replication
ceases
b. No new pre–Windows 2000 domain controllers
can be added to the domain
c. The server that served as the primary
domain controller during migration is no longer the domain master
d. All domain controllers begin acting as peers
Note The change from mixed mode to native mode is one-way only; you cannot change from native mode to mixed mode.
3. To change the
domain mode to native mode
a. Click Start, point to Programs, point to
Administrative Tools, then click Active Directory Users And
Computers
b. Right-click the domain, then click
Properties
c. On the General tab, click Change Mode
d. In the Active Directory message box, click Yes, then click OK
e. Restart the computer
5. Removing Active Directory Services from a Domain Controller
A. Overview
1. Remove Active Directory by running
DCPROMO from the Run dialog box.
2. If the domain controller is the last
domain controller in the domain, it will become a stand-alone server.
3. Removing Active Directory from all domain
controllers in the domain also deletes the directory database for the domain;
the domain no longer exists.
4. Computers joined to this domain can no
longer log on to the domain or use domain services.
B. To remove Active Directory from a domain
controller
1. Log on as Administrator
2. Click Start, click Run, and then type “dcpromo” in the Open box and click OK
3. Click Next on
the Welcome To The Active Directory Installation Wizard page
4. If the server is the last domain
controller in the domain, select the check box, then click Next
5. Enter a user name and password with
Enterprise Administrator privileges for the domain, then click Next
6. Enter and confirm the password to be
assigned to the server Administrator account, then click Next
7. Click Next on the Summary Page
8. Click Finish to complete the removal of
Active Directory from the computer
Chapter 4, Lesson 3
Operations Master Roles
1. Overview of Operations Master Roles
A. Active Directory supports multimaster replication of the Active Directory database
between all domain controllers in the domain.
B. Some changes are impractical to perform in
multimaster fashion; one or more domain controllers
can be assigned to perform operations that are single-master operations.
C. Single-master operations are not permitted
to occur at different places in a network at the same time.
2. Forest-Wide Operations Master Roles
A. Schema master role
1. Controls all updates and modifications to
the schema
2. Must be accessed to update the schema of
the forest
3. Can be only one in the entire forest
B. Domain naming master role
1. Controls the addition or removal of
domains in the forest
2. Can be only one in the entire forest
3. Domain-Wide Operations Master Roles
A. Relative ID master role
1. Allocates sequences of relative IDs to
each of the various domain controllers in its domain
2. Only one domain controller acts as the
relative ID master in each domain in the forest.
3. Whenever a domain controller creates a
user, group, or computer object, it assigns the object a unique security ID
(SID).
4. SID consists of a domain SID, plus a
relative ID that is unique for each SID created within the domain.
5. To move an object between domains, you must initiate the move on the domain controller acting as the relative ID master of the domain that currently contains the object.
Note Use the Windows 2000 command-line utility MOVETREE.EXE (Active Directory Object Manager) to move objects between domains.
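Items 1 through 4 describe why SIDs stay unique across many domain controllers: the relative ID master hands each DC a disjoint block of RIDs, and a DC builds each new SID from the domain SID plus the next RID in its block. The model below is an added example, not part of the course outline or Microsoft's code. It shows two DCs creating objects from separate pools, the SID split back into domain SID and RID, and how long a DC keeps working after the RID master becomes unreachable (the reason a temporary RID master outage is invisible to users, as Lesson 3 later notes). The domain SID, DC names, first RID and pool size are constructed.

```python
"""Relative ID allocation and SID construction: a model of what the outline
describes, added here as an example (not the course's or Microsoft's code).
The domain SID, DC names, starting RID and pool size are constructed."""
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

class RidMaster:
    """The relative ID master hands each DC a disjoint block of RIDs."""
    def __init__(self, first_rid=1000, pool_size=500):
        self.next_rid, self.pool_size, self.available = first_rid, pool_size, True

    def allocate_pool(self, dc_name):
        if not self.available:
            raise RuntimeError(f"RID master unreachable; no new pool for {dc_name}")
        start = self.next_rid
        self.next_rid += self.pool_size
        return [start, self.next_rid - 1]     # [next free RID, last RID], inclusive

class DomainController:
    """Creates objects from its local pool; contacts the RID master only when empty."""
    def __init__(self, name, domain_sid, rid_master):
        self.name, self.domain_sid, self.rid_master, self.pool = name, domain_sid, rid_master, None

    def remaining_rids(self):
        return 0 if self.pool is None else self.pool[1] - self.pool[0] + 1

    def new_object_sid(self):
        if self.remaining_rids() == 0:
            self.pool = self.rid_master.allocate_pool(self.name)
        rid = self.pool[0]
        self.pool[0] += 1
        return f"{self.domain_sid}-{rid}"

def split_sid(sid):
    """A SID is the domain SID plus the object's RID after the last hyphen."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def simulate(objects_per_dc=750, pool_size=500):
    """Two DCs creating objects in turn; returns all SIDs, the DCs and the master."""
    master = RidMaster(pool_size=pool_size)
    dcs = [DomainController(n, DOMAIN_SID, master) for n in ("dc01", "dc02")]
    sids = [dc.new_object_sid() for _ in range(objects_per_dc) for dc in dcs]
    return sids, dcs, master

def outage_tolerance(dc):
    """How many more objects dc can create once its RID master is unreachable."""
    dc.rid_master.available = False
    created = 0
    try:
        while True:
            dc.new_object_sid()
            created += 1
    except RuntimeError:
        return created

if __name__ == "__main__":
    sids, dcs, master = simulate()
    print(f"{len(sids)} objects, {len(set(sids))} distinct SIDs")
    print("dc01 can still create", outage_tolerance(dcs[0]), "objects without the RID master")
```

Every SID across both DCs is distinct because the pools never overlap, which is exactly what breaks if a seized RID master's old holder is brought back online (the note under section 7 in this lesson): two masters would hand out overlapping blocks.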
B. Primary domain controller (PDC) emulator role
1. Acts as a Windows NT PDC, if the domain
contains computers operating without Windows 2000 client software or if it
contains BDCs
2. Processes password changes from clients
and replicates updates to the BDCs
3. Receives preferential replication of
password changes performed by other domain controllers in the domain once all
systems are upgraded to Windows 2000 and the Windows 2000 domain is operating
in native mode
4. If a logon authentication fails at
another domain controller due to a bad password, that domain controller will
forward the authentication request to the PDC emulator before rejecting the
logon attempt.
5. Only one domain controller acts as the
PDC emulator in each domain in the forest.
C. Infrastructure master role
1. Responsible for updating the
group-to-user references whenever the members of groups are renamed or changed
2. When renaming or moving a member of a
group and that member resides in a different domain from the group, the group
may temporarily appear not to contain that member.
3. Responsible for updating the group so
that it knows the new name or location of the member
4. Distributes the update via multimaster replication
5. No compromise to security during the time
between the member rename and the group update
6. Only one domain controller acts as the
infrastructure master in each domain.
4. Planning Operations Master Locations
A. Overview
1. In a small Active Directory forest with
only one domain and one domain controller, the domain controller is assigned
all the operations master roles.
2. When the first domain in a new forest is
created, all of the operations master roles are automatically assigned to the
first domain controller in that domain.
3. When a child domain or root domain of a
new domain tree in an existing forest is created, the first domain controller
in the new domain is automatically assigned the following roles:
a. Relative identifier master
b. PDC emulator
c. Infrastructure master
4. The schema master and domain naming
master remain in the first domain created in the forest.
5. The default operations master locations
work well for a forest deployed on a few domain controllers in a single site.
6. In a forest with more domain controllers, or in a forest that spans multiple sites, consider transferring the default operations master role assignments to other domain controllers in the domain or forest.
Note The first domain created in the forest is also called the forest root domain.
B. Planning the operations master role
assignments by domain
1. Overview
a. If a domain has only one domain
controller, that domain controller will hold all of the domain roles.
b. If two well-connected domain controllers
that are direct replication partners exist
(1) Make one of the domain controllers the
operations master domain controller
(2) Make the other the standby operations master domain controller
Note The standby operations master domain controller is used in case of failure of the operations master domain controller.
2. Relative identifier master and PDC emulator
a. In typical domains, assign both the
relative identifier master and PDC emulator roles to the operations master
domain controller.
b. In very large domains, reduce the peak
load on the PDC emulator by placing these roles on separate domain controllers,
both of which are direct replication partners of the standby operations master
domain controller.
c. Keep the two roles together unless the
load on the operations master domain controller justifies separating the roles.
3. Infrastructure master and global catalog
a. The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog unless there is only one domain controller in the domain.
b. Assign the infrastructure master role to
any domain controller that is well connected to a global catalog in the same
site.
c. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function.
d. Because the global catalog on that server already holds current references, the infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
e. If all the domain controllers in a domain
are also hosting the global catalog, all the domain controllers will have the
current data, and it does not matter which domain controller holds the
infrastructure master role.
C. Planning the operations master roles for the forest
1. After all the domain roles have been
planned for each domain, consider the forest roles.
2. Schema master and domain naming master
roles should always be assigned to the same domain controller.
3. For best performance, assign them to a
domain controller that is well connected to the computers used by the
administrator or group responsible for schema updates and the creation of new
domains.
4. The load of these operations master roles
is very light.
5. Place these roles on the operations
master domain controller of one of the domains in the forest.
D. Planning for growth
1. Normally, it is not necessary to change
the locations of the various operations master roles as the forest grows.
2. Review the plan and revise the operations
master role assignments when planning to decommission a domain controller,
change the global catalog status of a domain controller, or reduce the
connectivity of parts of your network.
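The placement rules in B and C above are easy to violate silently, particularly rule 3 (an infrastructure master on a global catalog stops working without any error being raised). The checker below is an added example, not part of the course outline, that evaluates a role inventory against those rules: schema master and domain naming master on one DC, infrastructure master not on a GC unless every DC in the domain is a GC, and RID master and PDC emulator kept together. The inventory format, DC names and domain names are constructed; a real inventory would be filled from the Operations Master dialog boxes described in section 5 below.

```python
"""Operations master placement check against the planning rules above.
Added example, not part of the course outline; the inventory is constructed
and the host and domain names are made up."""

FOREST = {
    "forest_roles": {"schema_master": "dc01.example.com",
                     "domain_naming_master": "dc02.example.com"},   # split, against rule C.2
    "domains": {
        "example.com": {
            "dcs": {"dc01.example.com": {"gc": True}, "dc02.example.com": {"gc": True}},
            "roles": {"rid_master": "dc01.example.com", "pdc_emulator": "dc01.example.com",
                      "infrastructure_master": "dc02.example.com"},   # fine: all DCs are GCs
        },
        "child.example.com": {
            "dcs": {"dc10.child.example.com": {"gc": True}, "dc11.child.example.com": {"gc": False}},
            "roles": {"rid_master": "dc10.child.example.com", "pdc_emulator": "dc11.child.example.com",
                      "infrastructure_master": "dc10.child.example.com"},   # IM on a GC, dc11 is not
        },
    },
}

def check_placement(forest: dict) -> list:
    """Return findings as dicts with scope, code and a human-readable detail."""
    findings = []
    fr = forest["forest_roles"]
    if fr["schema_master"] != fr["domain_naming_master"]:
        findings.append({"scope": "forest", "code": "SCHEMA_DNM_SPLIT",
                         "detail": "schema master and domain naming master should share one domain controller"})
    for domain, info in forest["domains"].items():
        dcs, roles = info["dcs"], info["roles"]
        for role, holder in roles.items():
            if holder not in dcs:
                findings.append({"scope": domain, "code": "UNKNOWN_HOLDER",
                                 "detail": f"{role} holder {holder} is not a domain controller of {domain}"})
        im = roles["infrastructure_master"]
        non_gc = [dc for dc, attrs in dcs.items() if not attrs["gc"]]
        # Rule 3: an infrastructure master on a GC only works when every DC is a GC.
        if im in dcs and dcs[im]["gc"] and non_gc:
            findings.append({"scope": domain, "code": "IM_ON_GC",
                             "detail": f"infrastructure master {im} is a global catalog while "
                                       f"{', '.join(non_gc)} are not; the role will not function"})
        if roles["rid_master"] != roles["pdc_emulator"]:
            findings.append({"scope": domain, "code": "RID_PDC_SPLIT",
                             "detail": "RID master and PDC emulator are on different domain controllers; "
                                       "keep them together unless load justifies separating them"})
    return findings

def finding_codes(forest: dict) -> set:
    return {(f["scope"], f["code"]) for f in check_placement(forest)}

if __name__ == "__main__":
    for f in check_placement(FOREST):
        print(f"[{f['scope']}] {f['code']}: {f['detail']}")
```

RID_PDC_SPLIT is advisory (rule 2b allows the split in very large domains), while IM_ON_GC describes a configuration that fails outright; re-running the check after each transfer in section 6 keeps the plan honest as the forest grows (section D).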
5. Identifying Operations Master Role
Assignments
A. To identify the relative ID master, PDC
emulator, or infrastructure master role assignment
1. Open the Active Directory Users and
Computers console
2. Right-click the Active Directory Users And Computers node, and then click Operations Masters
3. Select one of the following:
a. RID tab
b. PDC tab
c. Infrastructure tab
4. Click Cancel to close the Operations
Master dialog box
B. To identify the domain naming master role
assignment
1. Open the Active Directory Domains and
Trusts console
2. Right-click the Active Directory Domains And Trusts node, and then click Operations Master
3. Click Close to close the Change Operations
Master dialog box
C. To identify the schema master role
assignment
1. Open the Active Directory Schema snap-in
Note The Active Directory Schema snap-in must be installed with the Windows 2000 Administration Tools using Add/Remove Programs in the Control Panel.
2. Right-click Active Directory Schema, and
then click Operations Master
3. Click Close to close the Change
Operations Master dialog box
6. Transferring Operations Master Role
Assignments
A. To transfer the relative ID master, PDC
emulator, or infrastructure master role assignment
1. Open the Active Directory Users and
Computers console
2. Right-click the domain node that will
become the new relative ID master, PDC emulator, or infrastructure master, and
then click Connect To Domain
3. Type the domain name or click Browse to
select the domain from the list, and then click OK
4. Right-click the Active Directory Users And Computers node, and then click Operations Masters
5. In the Operations Master dialog box,
select one of the following and then click Change:
a. RID tab
b. PDC tab
c. Infrastructure tab
6. Click OK to close the Operations Master
dialog box
B. To transfer the domain naming master role
assignment
1. Open the Active Directory Domains and
Trusts console
2. Right-click the domain controller node
that will become the new domain naming master, and then click Connect To Domain
3. Type the domain name or click Browse to
select the domain from the list, and then click OK
4. Right-click the Active Directory Domains And Trusts node, and then click Operations Master
5. In the Change Operations Master dialog
box, click Change
6. Click OK to close the Change Operations
Master dialog box
C. To transfer the schema master role
assignment
1. Open the Active Directory Schema snap-in
2. Right-click Active Directory Schema, and
then click Change Domain Controller
3. In the Change Domain Controller dialog
box, click one of the following:
a. Any DC to let Active Directory select the
new schema operations master
b. Specify Name and type the name of the new
schema master to specify the new schema operations master
4. Click OK
5. Right-click Active Directory Schema, and
then click Operations Master
6. In the Change Schema Master dialog box, click Change
7. Click OK to close the Change Schema
Master dialog box
7. Responding to Operations Master Failures
A. Overview
1. Some of the operations master roles are
crucial to the operation of the network.
2. Others can be unavailable for some time
before their absence becomes a problem.
3. If an operations master is not available
due to computer failure or network problems, seize the operations master role,
also known as forcing a transfer.
4. Before forcing the transfer, first
determine the cause and expected duration of the computer or network failure.
5. If the cause is a networking problem or a
server failure that will be resolved soon, wait for the role holder to become
available again.
6. Seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.
Note A domain controller whose schema, domain naming, or relative identifier master role has been seized must never be brought back online without first reformatting the drives and reloading Windows 2000.
B. Schema master failure
1. Temporary loss of the schema operations
master is not visible to network users.
2. If unavailable for an unacceptable length
of time, you can seize the role to the standby operations master.
3. Seizing this role is a step that should
be taken only when the failure is permanent.
C. Domain naming master failure
1. Temporary loss of the domain naming
master is not visible to network users.
2. If unavailable for an unacceptable length
of time, seize the role to the standby operations master.
3. Seizing this role is a step that should
be taken only when the failure is permanent.
D. Relative ID master failure
1. Temporary loss of the relative identifier
operations master is not visible to network users.
2. If unavailable for an unacceptable length
of time, seize the role to the standby operations master.
3. Seizing this role is a step that should
be taken only when the failure is permanent.
E. PDC emulator failure
1. This loss affects network users.
2. You may need to immediately seize the
role.
3. Seize the PDC emulator master role to the
standby operations master if it is unavailable for an unacceptable length of
time and its domain has clients without Windows 2000 client software, or if it
contains Windows NT BDCs.
4. When the original PDC emulator master is
returned to service, return the role to the original domain controller.
F. Infrastructure master failure
1. Temporary loss of the infrastructure
master is not visible to network users.
2. If unavailable for an unacceptable length
of time, seize the role to a domain controller that is not a global catalog but
is well connected to a global catalog, ideally in the same site as the current
global catalog.
3. When the original infrastructure master
is returned to service, transfer the role back to the original domain
controller.
Chapter 4, Lesson 4
Implementing an Organizational Unit Structure
1. Overview of OU Structures
A. Create OUs that mirror the organization’s
functional or business structure.
B. Each domain can implement its own OU
hierarchy.
C. If the enterprise contains several
domains, create OU structures within each domain independent of the structures
in the other domains.
2. Creating OUs
A. Overview
1. Use Active Directory Users and Computers
console to create OUs.
2. An OU is always created on the first
available domain controller that is contacted by MMC, and then the OU is
replicated to all domain controllers.
B. To create OUs
1. Log on as Administrator
2. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users And
Computers
3. Click the location where the new OU is to
be created, either a domain or another OU
4. On the Action menu, point to New, and
then click Organizational Unit
5. In the New Object-Organizational Unit
dialog box, in the Name box, type the name of the new OU, and then click OK
3. Setting OU Properties
A. Overview
1. A set of default properties is associated
with each OU that is created.
2. These properties equate to the object
attributes.
3. Use the properties that are defined for
an OU to search for OUs in the directory.
4. Provide detailed property definitions for
each OU that is created.
5. The tabs in the OU Properties dialog box
contain information about each OU.
B. Tabs of the Organizational Unit Properties
dialog box
1. General: Documents the OU’s description, street address, city, state or province,
ZIP or postal code, and country or region
2. Managed By: Documents the OU manager’s
name, office location, street address, city, state or province, country or
region, telephone number, and fax number
3. Group Policy: Documents the OU’s group policy
C. To set OU properties
1. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users And
Computers
2. Expand the domain
3. Right-click the appropriate OU, and then click Properties
4. Click the appropriate tab for the OU
properties that are to be entered or changed
5. Enter values for each property