Chapter 6, Active Directory Services
Lesson 1: Overview of Active Directory Services
1. Introduction to Active Directory Services
A. Completely integrated with Microsoft
Windows 2000 Server
1. Allows administrators, developers, and
users to gain access to a directory service that is seamlessly integrated with
intranet and Internet environments
2. Offers the hierarchical view,
extensibility, scalability, and distributed security required by all business
customers
B. Integrates the Internet concept of
namespace with the operating system’s directory service
1. Allows enterprises to unify and manage
the multiple namespaces that now exist in the heterogeneous environments of
corporate networks
2. Uses Lightweight Directory Access
Protocol (LDAP) as its core protocol
3. Supports the X.500 information model
without requiring the system to host the entire X.500 overhead
4. Can work across operating system
boundaries to integrate multiple namespaces
5. Can manage application-specific directories
as well as other NOS-based directories
C. Allows a single point of administration
for all published resources
1. Uses the Domain Name System (DNS) as its
locator service; clients find domain controllers through the service (SRV)
resource records that domain controllers register in DNS
2. Organizes objects in domains into a
hierarchy of organizational units (OUs)
3. Allows multiple domains to be connected
to a tree structure
4. Uses domain controllers only, with no primary/backup distinction; every
domain controller holds a writable replica of its domain, and all domain
controllers are peers
2. Understanding Active Directory Concepts
A. Extensible schema
1. Introduction to the extensible schema
a. Contains a formal definition of the
contents and structure of the Active Directory store
b. For each object class, defines which attributes an instance must have
(mandatory attributes), which additional attributes it can have (optional
attributes), and which object classes can be the parent of an instance of
that class
c. Created when Active Directory services is installed on the first domain
controller in a forest; there is one schema for the whole forest, and it is
replicated to every domain controller
d. Can define new directory object types and
attributes and new attributes for existing objects
2. Extending the schema is an advanced
operation, intended to be performed by experienced programmers and system
administrators
Note
Extending the schema is a highly sensitive operation, with implications
potentially throughout your network: schema changes are forest-wide, replicate
to every domain controller, and cannot be undone (a class or attribute can be
deactivated but not deleted). Schema extension is best handled
programmatically and only when absolutely necessary. Only members of the
Schema Admins group can modify the schema, and modifications are accepted only
on the domain controller that holds the schema operations master role.
Improper schema modifications can impair or disable Windows 2000 Server and
possibly your entire network.
B. Global catalog
1. The global catalog is the central
repository of information about objects in a domain tree or forest.
2. The global catalog is a service as well
as a physical storage location that contains a replica of selected attributes
of every object in the Active Directory store.
3. By default, the first domain controller installed in the forest is a
global catalog server.
4. Additional domain controllers can also be
designated as global catalog servers by using the Active Directory Sites And
Services snap-in.
C. Namespace
1. Active Directory services is primarily a
namespace, which is any bounded area in which a name can be resolved.
2. The Active Directory namespace is based
on the DNS naming scheme.
3. Using a common namespace allows you to
unify and manage multiple hardware and software environments in your network.
4. There are two types of namespaces: contiguous and disjoint. A domain tree
is a contiguous namespace, because each child domain's DNS name extends its
parent's name (sales.contoso.msft under contoso.msft); separate trees in the
same forest form a disjoint namespace.
D. Naming conventions
1. Introduction to naming conventions
a. Every object in the Active Directory store
is identified with a name.
b. All access to directory objects occurs
through LDAP.
2. Distinguished names (DNs)
a. Objects are located within Active Directory
domains according to a hierarchical path.
b. Every object in the Active Directory store
has a DN, which uniquely identifies the object.
c. The DN includes the name of the domain
that holds the object as well as the complete path through the container
hierarchy to the object.
d. Example of a DN in LDAP string form (RFC 2253: the object's own RDN
first, then each container up to the domain components):
CN=John Smith,CN=Users,DC=contoso,DC=msft
Note
The Active Directory snap-ins do not display the LDAP abbreviations (DC= and
CN=). These abbreviations are shown only to illustrate how LDAP recognizes the
portions of the distinguished names.
3. Relative distinguished names (RDNs)
a. The RDN is the part of the DN that names the object within its parent
container; its value is stored in one of the object's attributes (cn for
users, groups, and computers; ou for organizational units; dc for domain
components).
b. The RDN is the leftmost component of the full DN.
c. Example: CN=John Smith
d. Active Directory services allows the same RDN to be used by objects in
different containers, but no two objects in the same container (OU, domain,
or other container) can have the same RDN, because the DN must be unique. The
comparison is case-insensitive, so CN=John Smith and CN=john smith collide.
4. Globally unique identifiers (GUIDs)
a. Every object in the Active Directory store
has a unique identity (the GUID) that never changes, even if you move or rename
the object.
b. A GUID is a 128-bit value that is unique across all domains and forests,
which makes it the reliable identifier for tracking an object: DNs and UPNs
can change when an object is moved or renamed, but the GUID cannot.
c. The GUID is stored in the objectGUID
attribute, which cannot be altered or removed.
5. User principal names (UPNs)
a. The UPN is a friendly name that is shorter
than the DN and easier to remember.
b. The UPN consists of a user logon name, the @ character, and a UPN suffix;
the suffix is usually the DNS name of the domain where the user account
resides, although alternative suffixes can be registered for the forest. A UPN
must be unique across the forest.
c. Example: johns@contoso.msft
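The naming rules above are easy to get wrong in scripts that build or compare names. The following Python is an added example, not code from the course or from Microsoft: it parses LDAP string-form DNs (RFC 2253/4514), escapes values that contain special characters such as commas, derives the parent container and the DNS domain name from the DC components, and applies the rule that an RDN must be unique within its container. The sample names are constructed for illustration.

```python
"""Active Directory names in LDAP string form (added example, not course code).

Parses and builds DNs per RFC 2253/4514, derives the parent container and
DNS domain name, and checks the RDN-uniqueness rule. The sample names at the
bottom are constructed for illustration.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf (most specific) first.

    Backslash escapes are honoured, so 'CN=Smith\\, John,OU=Sales,...' yields
    one CN value 'Smith, John'. Multi-valued RDNs ('+') are not used for AD
    objects and are rejected.
    """
    rdns: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        buf = value if in_value else attr
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError(f"dangling escape in DN: {dn!r}")
            nxt = dn[i + 1 : i + 3]
            if len(nxt) == 2 and set(nxt) <= _HEX:   # '\2C' hex-pair form
                buf.append(chr(int(nxt, 16)))
                i += 3
            else:                                    # '\,' literal form
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True
        elif ch == "," and in_value:
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
        elif ch == "+" and in_value:
            raise ValueError("multi-valued RDNs are not supported")
        elif ch == " " and not buf:
            pass                                     # optional space after ',' or '='
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns


def build_dn(rdns: list[tuple[str, str]]) -> str:
    """Inverse of parse_dn: re-escapes each value."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> str:
    """The container that holds the object: drop the leaf RDN."""
    return build_dn(parse_dn(dn)[1:])


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC components: '...,DC=contoso,DC=msft' -> 'contoso.msft'."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.upper() == "DC")


def _key(dn: str) -> tuple[str, str, str]:
    """Case-insensitive (attribute, RDN value, parent) triple used for comparison."""
    leaf, *parents = parse_dn(dn)
    return leaf[0].lower(), leaf[1].lower(), build_dn(parents).lower()


def would_collide(existing_dns: list[str], new_dn: str) -> bool:
    """True if new_dn's RDN is already taken in the same container.

    The same RDN in a different container is allowed; AD compares RDNs
    case-insensitively.
    """
    new_key = _key(new_dn)
    return any(_key(dn) == new_key for dn in existing_dns)


# Constructed sample directory (not real objects).
SAMPLE_DNS = [
    "CN=John Smith,CN=Users,DC=contoso,DC=msft",
    "CN=Smith\\, Jane,OU=Sales,DC=contoso,DC=msft",
]
```

The escaping matters in practice: a display name such as "Smith, Jane" contains the RDN separator, and code that concatenates strings without `escape_rdn_value` produces a DN that refers to a different (non-existent) container.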
3. Active Directory Architecture
A. Structure of Active Directory architecture
1. Data model
a. The data model is derived from the X.500
data model.
b. The directory holds objects that represent
various components of the network, and each object is described by its
attributes.
2. Schema
a. The schema is implemented as a set of
object class instances stored in the directory.
b. Schema objects are protected by access
control lists (ACLs), so only authorized users can alter the schema.
3. Security model
a. The directory is part of the Windows 2000
Trusted Computing Base and is a full participant in the Windows 2000 security
infrastructure.
b. ACLs protect all objects in the Active
Directory store.
4. Administration model
a. Authorized users perform administration in
Active Directory services.
b. Delegated administration allows granular
control over who can do what and enables delegation of authority without
granting elevated privileges.
c. The Directory System Agent (DSA) process
manages the directory’s physical storage and provides client isolation from the
physical storage format of the directory data.
B. Access to Active Directory services
1. Protocol support
a. LDAP is the Active Directory core
protocol.
b. Active Directory services also exposes remote procedure call (RPC)
interfaces, including the Messaging Application Programming Interface (MAPI)
address book interface used by legacy mail clients.
c. The Active Directory information model is
derived from the X.500 information model.
2. Application programming interfaces
a. Active Directory Service Interfaces (ADSI)
(1) ADSI is a set of extensible, easy-to-use
programming interfaces that can be used to write applications to access and
manage Active Directory services, any LDAP-based directory, and other directory
services.
(2) ADSI is part of the Open Directory Service Interfaces (ODSI) and the
Windows Open Services Architecture (WOSA).
(3) ADSI abstracts the capabilities of directory services from different
network providers behind a single set of directory service interfaces,
implemented as Component Object Model (COM) objects.
(4) ADSI objects are designed to meet the needs
of three main audiences: developers, system administrators, and users.
b. LDAP C API
(1) The LDAP C API (RFC 1823) provides a lowest-common-denominator interface
for applications that must work against any LDAP directory.
(2) Existing LDAP applications will run against
Active Directory services with little or no modification.
c. Windows MAPI
(1) Active Directory services provides support
for MAPI so that legacy MAPI applications will continue to work with Active
Directory services.
(2) Developers of new applications are
encouraged to use ADSI.
3. Virtual containers
a. Active Directory services supports virtual
containers, which allow any LDAP-compliant directory to be accessed
transparently through Active Directory services.
b. The virtual container is implemented via
location information in the Active Directory store.
C. Directory service architecture
1. Active Directory key service components
a. The DSA builds a hierarchy from the
parent-child relationship stored in the directory.
b. The Database Layer provides an abstraction
layer between applications and the database.
c. The Extensible Storage Engine (ESE)
communicates directly with individual records in the directory data store on
the basis of an object’s RDN attribute.
d. The data store (the Ntds.dit database
file) is manipulated only by the ESE database engine.
Note
Ntdsutil.exe, the command-line tool for offline maintenance of the data
store (integrity checks, compaction, and authoritative restore), is installed
in %systemroot%\System32 when Windows 2000 Server is installed.
2. Interfaces
a. The LDAP interface serves LDAP clients directly; ADSI is layered on top
of it, so additional applications can be written that talk to Active
Directory services without using the LDAP API themselves.
b. REPL is used by the replication service to
facilitate Active Directory replication via RPC over Internet Protocol (IP) or
Simple Mail Transfer Protocol (SMTP).
c. Security Account Manager (SAM) provides
down-level compatibility to facilitate communication between Windows 2000 and
Microsoft Windows NT 4.0 domains.
d. MAPI supports legacy MAPI clients.
3. Directory System Agent (DSA)
a. The DSA is the Active Directory process
that runs on each domain controller and manages all directory service
functions.
b. The DSA provides access to the store.
c. The DSA layer exposes interfaces to support
a set of core operations.
(1) Object identification
(2) Transaction processing
(3) Schema enforcement of updates
(4) Access control enforcement
(5) Support for replication
(6) Referrals
4. Database layer
a. Provides an object view of database
information by applying schema semantics to database records
b. Is an internal interface that is not
exposed to the public
c. Follows the parent references in the
database and concatenates the successive RDNs to form DNs
d. Translates each DN into an integer
structure called the DN tag, which is used for internal access
e. Is responsible for the creation,
retrieval, and deletion of individual records, attributes, and values
5. Extensible Storage Engine (ESE)
a. An improved version of the Joint Engine Technology (JET) database engine
(the "JET Blue" engine, also used by Microsoft Exchange Server)
b. Implements a transacted database system
that uses log files to ensure that committed transactions are safe
c. Stores all Active Directory objects
d. Comes with a predefined schema that
defines all the attributes required and allowed for a given object
e. Stores attributes that can have multiple
values
Lesson 2: Planning Active Directory Implementation
1. Planning a Namespace
A. Introduction to namespace planning
1. The Active Directory namespace is rooted at the fully qualified DNS
domain name of the company's forest root domain (for example, contoso.msft).
2. You must determine whether the internal
and external namespaces will be the same or separate.
B. Internal and external namespaces
1. Same internal and external namespaces: the forest root domain uses the
company's registered Internet domain name. Internal host records and domain
controller service records must then be kept out of the externally visible
DNS zone (a split DNS configuration), so that the Internet sees only the
public hosts.
2. Separate internal and external namespaces: the forest root domain uses a
name different from the public one, either a second registered name or a
subdomain of the registered name. The internal zone is then private by
construction, at the cost of managing two names.
C. Defining a namespace architecture
1. Introduction
a. You should consider the impact that
replication traffic will have over WANs.
b. You must be able to change the namespace
structure without great expense and by being as unobtrusive as possible.
c. The namespace architecture should be
scalable, able to adapt to change, able to distinguish between internal and
external resources, and able to protect company data.
d. The namespace architecture should
represent the structure of the organization.
2. Root domain
a. A root domain is the first domain in the
namespace, such as contoso.msft.
b. The root domain in Active Directory
services maps to the company namespace.
c. All internal domains are part of the root
domain.
3. First-layer domains
a. Ideally, domain names at this level should
not have to change.
b. The trust relationships between the root
and all first-layer domains make resources available to all branches of the
domain tree.
c. Domain names at this level should be at
least three characters long.
d. Suggested naming conventions
4. Second-layer domains
a. Domains at this layer should be countries
only and branch off their corresponding first-layer domains.
b. Use the same naming convention when
creating OUs within a domain, which allows an OU to be promoted to a domain.
c. When naming sites internal to the United States,
use the two-letter postal codes.
2. Planning OUs
A. Introduction
1. OUs should reflect the details of the
organization’s business structure.
2. Create OUs to delegate administrative
control over smaller groups of users, groups, and resources.
3. OUs eliminate the need to provide users
with administrative access at the domain level.
4. OUs inherit Group Policy settings and permissions from the parent domain
and parent OU unless inheritance is specifically blocked.
B. Creating the OU structure
1. You should begin your OU design by
creating an OU structure for the first domain in the namespace.
2. When you create an OU, you should
determine who will be able to view and control certain objects and what level
of administration each administrator will have over the objects.
C. OU design guidelines
1. Guidelines
a. Create OUs to delegate administration.
b. Create a logical and meaningful OU
structure that allows OU administrators to complete their tasks efficiently.
c. Create OUs to apply security policies.
d. Create OUs to manage the visibility of
published resources.
e. Create OU structures that are relatively
static. OUs also give the namespace flexibility to adapt to changing needs of
the enterprise.
f. Avoid allocating too many child objects
to any OU.
2. Create OU and object names that are
hierarchical, uniform, static, and general enough to use in any domain in the
enterprise.
3. The OU design should be able to be used
across all domains in the enterprise.
D. Structure the OU hierarchy
1. Administration-based or object-based OUs
a. When the OU structure is based on the
administrative model, all administrators who own OUs will benefit.
b. Under most circumstances, this is the best
way to organize OUs.
2. Geographical-based OUs
a. You can create OUs that contain all
business functions in each geographical category.
b. If you envision major changes in the
company’s organizational structure, consider a different OU design.
3. Business function–based OUs
a. OUs can be based on various business
functions within the organization.
b. These functions are likely to be stable,
even if the organizations that perform them are not.
4. Department-based OUs
a. You can create OUs that mirror a
department’s cost center association.
b. This method can be unstable if an
organization undergoes reorganization.
5. Project-based OUs
a. Use this type of OU to align a cost center
with a project rather than a department.
b. This is not typically a recommended OU
structure because it is not considered static.
3. Planning a Site
A. Introduction to site planning
1. The physical design of a Windows 2000 network is described by sites. A
site is a set of IP subnets connected by fast, reliable links; site
boundaries are independent of domain boundaries.
2. The Active Directory replication engine
allows you to differentiate between replication over a LAN and replication over
a WAN.
3. How you set up your sites affects Windows
2000 in two key ways.
a. When a user logs on, Active
Directory–enabled clients will try to find a domain controller in the same site
as the user’s computer.
b. The schedule and the path for replication
of a domain’s directory can be configured differently for inter-site
replication, as opposed to replication within a site.
4. In Active Directory services, sites are
not part of the namespace.
5. Properly planned sites ensure that
network links are not saturated by replication traffic, that Active Directory
services stay current, and that client computers access resources that are
closest to them.
6. When planning how to group subnets into
sites, consider the connection speed between the subnets.
a. Combine only those subnets that share
fast, inexpensive, and reliable network connections.
b. Configure your sites so that replication
occurs at times that will not interfere with network performance.
B. Optimizing workstation logon traffic
1. When planning sites, consider which
domain controllers workstations should use.
2. To have a particular workstation log on
to a specific set of domain controllers, define the sites so that only those
domain controllers are on the same site as the workstation.
C. Optimizing directory replication
1. When planning sites, consider where the
domain controllers will be located.
2. Configure sites so that replication
occurs at times or intervals that will not interfere with network performance.
3. When implementing sites in branch
offices, base your planning on the size of the branch office.
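The site behaviour described in this section (clients map to a site by subnet, prefer a domain controller in that site, and otherwise cross the WAN) can be checked against a plan before it is built. The following Python is an added example, not code from the course or from the Windows DC locator itself: it models the locator's subnet-to-site lookup by longest-prefix match, the same-site-first choice of domain controller, and two planning checks a practitioner wants (clients that fall outside every subnet object, and sites that have no global catalog server). The sites, subnets and domain controller names are constructed sample data, not a real topology.

```python
"""Site lookup and domain controller selection (added example, not course code).

Models what the Windows 2000 DC locator does with the site and subnet
objects. Sites, subnets and DC names below are constructed sample data.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    site: str
    global_catalog: bool = False


# Constructed sample: a head office and a branch joined by a WAN link.
# The lab subnet is a more specific prefix carved out of the Seattle range.
SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.1.200.0/24": "Seattle-Lab",
    "10.2.0.0/16": "Denver",
}
DCS = [
    DomainController("SEA-DC1", "contoso.msft", "Seattle", global_catalog=True),
    DomainController("SEA-DC2", "contoso.msft", "Seattle"),
    DomainController("DEN-DC1", "contoso.msft", "Denver"),
]


def site_for_ip(ip: str, subnets: dict[str, str] = SUBNETS) -> str | None:
    """Map a client address to a site by longest-prefix match over the subnet
    objects; None means the address is in no defined subnet."""
    addr = ipaddress.ip_address(ip)
    best: tuple[int, str] | None = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def locate_dc(client_ip: str, domain: str, need_gc: bool = False,
              dcs: list[DomainController] = DCS,
              subnets: dict[str, str] = SUBNETS) -> tuple[str, bool]:
    """Pick a DC for a client: same-site first, otherwise any DC of the domain.

    Returns (dc_name, in_site). in_site=False means logon or global catalog
    traffic will cross a site link, which is what the site plan is meant to
    avoid.
    """
    site = site_for_ip(client_ip, subnets)
    candidates = [dc for dc in dcs
                  if dc.domain.lower() == domain.lower() and (dc.global_catalog or not need_gc)]
    if not candidates:
        raise LookupError(f"no {'global catalog ' if need_gc else ''}domain controller for {domain}")
    local = [dc for dc in candidates if dc.site == site]
    chosen = local[0] if local else candidates[0]
    return chosen.name, bool(local)


def clients_without_site(client_ips: list[str], subnets: dict[str, str] = SUBNETS) -> list[str]:
    """Planning check: addresses that no subnet object covers. Such clients
    are treated as siteless and may be sent to a DC across the WAN."""
    return [ip for ip in client_ips if site_for_ip(ip, subnets) is None]


def sites_without_gc(dcs: list[DomainController] = DCS,
                     subnets: dict[str, str] = SUBNETS) -> list[str]:
    """Planning check: sites with no global catalog server. In a native-mode
    domain a logon needs a global catalog to expand universal group membership,
    so these sites depend on a WAN link for every logon."""
    gc_sites = {dc.site for dc in dcs if dc.global_catalog}
    return sorted(set(subnets.values()) - gc_sites)
```

With the sample data, a Denver client is served locally for ordinary logon but must reach Seattle for a global catalog, and the lab subnet becomes a site of its own with no domain controller at all; both are the kind of finding the planning checks are meant to surface before the links are saturated.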
Lesson 3: Implementing Active Directory Services
1. The Active Directory Installation Wizard
A. Introduction to the Active Directory Installation Wizard
1. The Active Directory Installation Wizard
is used to perform several tasks.
a. Adding a domain controller
b. Creating the first domain controller of a
new domain
c. Creating a new child domain
d. Creating a new domain tree
2. Launching the Active Directory
Installation Wizard
a. Use the Configure Your Server tool, which
is located in the Administrative Tools program group.
b. Use the Dcpromo.exe utility.
B. Adding or creating a domain controller
1. If you add a domain controller to an existing domain, you create an
additional (peer) domain controller that holds a full writable replica of the
domain.
2. If you create the first domain controller for a new domain, you are
creating not only the domain controller but also a new domain.
a. Domains should be created to partition
information.
b. When you create a new domain, you can
choose whether to create a new child domain or a new domain tree.
c. When you create a child domain, the new
domain is added as a child domain to an existing domain.
d. When you create a new domain tree, the new
domain is not part of an existing domain.
Note
Running the Dcpromo.exe utility on an existing domain controller removes
Active Directory services and demotes it to a member server of the domain, or
to a stand-alone server if it was the last domain controller in the domain (in
which case the domain itself is removed).
2. The Database and Shared System Volume
A. The Active Directory database
1. The database is a file named Ntds.dit,
which is the directory for the new domain.
2. The default location for the database and
database log files is %systemroot%\Ntds, although you can specify a different
location.
3. The database contains all the information held in the Active Directory
store on that domain controller.
4. The Ntds.dit file is an ESE database that contains the schema and
configuration partitions (replicated to every domain controller in the
forest), the domain partition for the domain controller's own domain, and, if
the domain controller is a global catalog server, the partial replica of every
other domain in the forest.
B. The shared system volume
1. The shared system volume (Sysvol) is a folder structure that exists on
all Windows 2000 domain controllers; its default location is
%systemroot%\Sysvol, and it is shared as SYSVOL.
2. The shared system volume stores logon scripts and the file-based portion
of the Group Policy objects (the Group Policy templates) for the current
domain as well as the enterprise.
3. The shared system volume is replicated by the File Replication Service
(FRS) rather than by directory replication, but it follows the same site
topology and schedule as Active Directory replication.
3. Domain Modes
A. Mixed mode
1. When you first install or upgrade a
domain controller to Windows 2000 Server, the domain controller runs in mixed
mode.
2. Mixed mode allows the domain controller to coexist with backup domain
controllers (BDCs) in the domain that are running Microsoft Windows NT 3.51
or 4.0; the Windows 2000 domain controller that holds the PDC emulator
operations master role replicates the directory to them as a Windows NT
primary domain controller would.
3. Mixed mode is required only for down-level domain controllers. Down-level
clients and member servers that authenticate with NT LAN Manager (NTLM)
continue to work in either mode.
B. Native mode
1. When all domain controllers in the domain run Windows 2000 Server and you
do not plan to add any more down-level domain controllers to the domain, you
can switch from mixed mode to native mode. The switch is one-way: a
native-mode domain cannot be returned to mixed mode.
2. Several events occur during the conversion from mixed mode to native mode.
a. Support for down-level replication ceases, and you can no longer have any
domain controllers in your domain that are not running Windows 2000 Server.
b. You can no longer add new down-level domain controllers to the domain.
c. The server that served as the primary domain controller during migration
no longer acts as the single master for the domain; all domain controllers
act as peers. (It keeps the PDC emulator operations master role, which still
receives forwarded password changes, serves as the domain's time source, and
answers down-level clients.)
d. Universal groups, nesting of global groups, and conversion between group
types become available.
Lesson 4: Administering Active Directory Services
1. Creating OUs and Their Objects
A. Introduction to OUs and their objects
1. Each Active Directory object is a
distinct named set of attributes that represents a specific network resource.
2. Before objects are added to Active
Directory services, you should create the OUs that will contain those objects.
B. Creating OUs
1. You can create an OU under a domain or under another OU (the Domain
Controllers container is itself an OU).
2. You must have the required permissions to
create an OU.
3. You cannot create OUs within most default
containers, such as Computers or Users.
4. The OU structure should be based on
administrative needs.
5. You should create an OU for several
reasons.
a. To delegate administrative control to other
users or administrators
b. To group objects that require similar
administrative tasks
c. To restrict visibility of network
resources in the Active Directory store
6. You can create an OU by using the Active
Directory Users And Computers snap-in.
C. Adding objects to OUs
1. Overview
a. To add objects to an OU, you must have the
required permissions.
b. The objects available to create are
dictated by the rules of the schema, wizard, or snap-in you use.
c. Often, to completely define object attributes,
you must modify the object after you create it.
Note
Object attributes (also referred to as properties) in the schema are
categories of information that define the characteristics for all instances of
a defined object type. All instances of a certain object type have the same
attributes. The attribute values of any object instance make it unique. For
example, all instances of a user object have a First Name attribute; however,
the value for the First Name attribute can be any name, such as Kisha or Willie.
d. You can create an object by using the
Active Directory Users And Computers snap-in.
2. Description of Active Directory objects
a. Computer
b. Contact
c. Group
d. Printer
e. User
f. Shared folder
2. Managing Active Directory Objects
A. Locating objects
1. The global catalog contains a partial
replica of the entire directory.
2. The global catalog stores information
about every object in a domain tree or forest, so users can find information
regardless of which domain in the tree or forest contains the data.
3. You can access the Find Users, Contacts,
And Groups dialog box through the Active Directory Users And Computers snap-in.
4. Find Users, Contacts, And Groups dialog
box
a. The Main window
b. Users, Contacts, And Groups tab
c. Advanced tab
d. Results window
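The Find dialog is a front end for an LDAP search, and the same search is what a script or an attacker issues directly. The following Python is an added example, not code from the course or from the snap-in: it shows the kind of filter the dialog's Name and Description fields amount to (which attributes the real dialog searches is an assumption here; the filter shape is what matters), applies RFC 4515 escaping to the user-supplied text so that a search term containing * or ) cannot change the filter's structure, contrasts that with naive string formatting, and maps the dialog's scope choice to the port and base DN that would be queried.

```python
"""The LDAP search behind the Find dialog (added example, not course code).

Builds the filter a "Name starts with / Description starts with" search
amounts to, with RFC 4515 escaping of the user-supplied text, and the port
and base DN for the dialog's scope choice. The attribute set searched is an
assumption; the real dialog's query is not documented on this page.
"""
from __future__ import annotations

GC_PORT = 3268      # global catalog: partial replica of every domain in the forest
LDAP_PORT = 389     # a single domain's full replica

# Filter metacharacters (RFC 4515 section 3); NUL is included for safety.
_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Users and contacts carry objectCategory=person; groups carry objectCategory=group.
_OBJECT_TYPES = "(|(objectCategory=person)(objectCategory=group))"


def find_filter(name: str = "", description: str = "") -> str:
    """Filter for 'Users, Contacts, And Groups' whose name/description start
    with the given text. Empty fields place no constraint, as in the dialog."""
    clauses = []
    if name:
        clauses.append(f"(cn={escape_filter_value(name)}*)")
    if description:
        clauses.append(f"(description={escape_filter_value(description)}*)")
    if not clauses:
        return _OBJECT_TYPES
    return "(&" + _OBJECT_TYPES + "".join(clauses) + ")"


def find_filter_unescaped(name: str) -> str:
    """The same filter built by plain string formatting (what NOT to do):
    a name of '*' matches everything, and 'x)(objectClass=*' adds a clause
    of the caller's choosing."""
    return "(&" + _OBJECT_TYPES + f"(cn={name}*))"


def search_target(scope: str) -> tuple[int, str]:
    """Map the dialog's 'In:' choice to (port, base DN).

    'Entire Directory' queries the global catalog with an empty base, which
    searches every domain but returns only the attributes replicated to the
    catalog; a domain name queries that domain's full replica.
    """
    if scope.lower() == "entire directory":
        return GC_PORT, ""
    base = ",".join(f"DC={label}" for label in scope.split("."))
    return LDAP_PORT, base
```

The escaped form is the one to use anywhere a search term comes from a user or an external system; the unescaped form is shown only so the two outputs can be compared for the same input.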
B. Modifying attributes and deleting objects
1. You can modify the attributes of an
object to change or add information.
2. You can modify an object’s attribute by
opening the properties for that object in the Active Directory Users And
Computers snap-in.
3. To maintain security, delete objects when
they are no longer needed.
C. Moving objects
1. You can move objects from one location in
the Active Directory store to another location.
2. You should move objects when organization
or administrative functions change.
3. Controlling Access to Active Directory
Objects
A. Managing Active Directory permissions
1. Overview of managing Active Directory
permissions
a. Active Directory security
(1) Use Active Directory permissions to
determine who has the permissions to gain access to the object and what type of
access is allowed.
(2) An ACL is stored for every Active Directory
object.
(3) You can use permissions to assign
administrative privileges to a specific user or group for an OU, a hierarchy of
OUs, or a single object.
b. Object permissions
(1) The object type determines which
permissions you can select.
(2) A user can be a member of multiple groups, each with different
permissions that provide different levels of access to objects.
(3) The user's effective permissions are the union of the permissions allowed
to the user and to all of the user's groups, minus anything denied. A Deny
entry takes precedence over an Allow entry at the same level: explicit entries
on the object are evaluated before inherited ones, and within each level Deny
is evaluated before Allow, so an explicit Allow on the object can override a
Deny inherited from the parent.
(4) You can allow or deny permissions, although you should deny permissions
only when it is necessary to exclude a specific user who is a member of a
group that has been allowed access.
c. Assigning Active Directory permissions
(1) You can use the Active Directory Users And
Computers snap-in to set permissions for objects and attributes of objects.
(2) Standard permissions are sufficient for
most administrative tasks, although you might need to view special permissions.
2. Permissions inheritance
a. Permissions inheritance in Active
Directory services minimizes the number of times you need to assign permissions
for objects.
b. When you assign permissions, you can apply
permissions to the child objects.
c. You can prevent permissions inheritance
so that a child object does not inherit permissions from the parent object.
d. When you prevent permissions inheritance,
you can copy previously inherited permissions to the object and remove
previously inherited permissions from the object.
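How the access check resolves allow and deny entries, inherited and explicit, is what makes the "deny sparingly" advice matter. The following Python is an added example, not code from the course or from Windows itself: it models the evaluation order of a Windows DACL (explicit entries before inherited, Deny before Allow within each) on constructed sample data, and shows what clearing the inheritance check box does to the list under each of its two options. The rights, trustee names and group memberships are simplified stand-ins for the real access mask and SIDs.

```python
"""Effective permissions on an Active Directory object (added example).

Models the evaluation order of a Windows DACL on constructed sample data:
explicit entries before inherited ones, Deny before Allow within each.
Names stand in for SIDs and the Right flags for the real access mask.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from enum import IntFlag


class Right(IntFlag):
    READ = 1
    WRITE = 2
    CREATE_CHILD = 4
    DELETE = 8
    WRITE_DACL = 16          # change permissions on the object
    FULL = 31


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group (a SID in a real ACL)
    allow: bool              # True = access-allowed ACE, False = access-denied ACE
    rights: Right
    inherited: bool = False  # True if propagated from the parent container


def canonical_order(dacl: list[Ace]) -> list[Ace]:
    """Order in which Windows evaluates ACEs: explicit deny, explicit allow,
    inherited deny, inherited allow. sorted() here stands in for the
    canonical ordering the ACL editor writes."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def effective_access(principal: str, groups: dict[str, list[str]],
                     dacl: list[Ace], requested: Right) -> tuple[bool, str]:
    """Return (granted, reason) for a principal requesting `requested` rights.

    Walks the ACEs in canonical order. A deny that covers any requested right
    not yet granted ends the check with a denial; allows remove bits from the
    outstanding set until nothing is left, at which point access is granted.
    If the list is exhausted with bits outstanding, access is denied.
    """
    token = {principal, *groups.get(principal, [])}
    remaining = int(requested)
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        scope = "inherited" if ace.inherited else "explicit"
        if not ace.allow:
            if int(ace.rights) & remaining:
                return False, f"{scope} deny for {ace.trustee}"
        else:
            remaining &= ~int(ace.rights)
            if remaining == 0:
                return True, f"granted by {scope} allow for {ace.trustee} (and earlier allows)"
    return False, f"no ACE grants {Right(remaining)!s}"


def block_inheritance(dacl: list[Ace], copy_inherited: bool) -> list[Ace]:
    """What clearing 'Allow inheritable permissions from parent to propagate'
    does: either Copy (inherited ACEs become explicit) or Remove them."""
    if copy_inherited:
        return [replace(a, inherited=False) for a in dacl]
    return [a for a in dacl if not a.inherited]


# Constructed sample: an OU whose ACL was inherited from the domain, plus one
# explicit deny added to keep a single Sales admin from writing.
GROUPS = {
    "jsmith": ["Sales Admins", "Domain Users"],
    "bjones": ["Domain Users"],
}
SAMPLE_DACL = [
    Ace("Domain Admins", True, Right.FULL, inherited=True),
    Ace("Sales Admins", True, Right.READ | Right.WRITE, inherited=True),
    Ace("Domain Users", True, Right.READ, inherited=True),
    Ace("jsmith", False, Right.WRITE),                   # explicit deny
]
# An explicit allow on the object beats a deny inherited from the parent,
# regardless of the order the entries appear in the list.
EXPLICIT_BEATS_INHERITED = [
    Ace("Domain Users", False, Right.WRITE, inherited=True),
    Ace("bjones", True, Right.WRITE),
]
```

The second sample is the case that surprises people: a Deny placed on a parent OU to lock a group out does not hold against an explicit Allow granted lower down, which is why delegated administrators who can write the DACL of an OU can undo a deny inherited from above.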
B. Delegating administrative control of objects
1. You can delegate administrative control
of objects to individuals.
2. Use the Delegation Of Control wizard to
delegate control of objects.
3. An administrator can delegate specific
types of control.
a. Assign permissions to a user or group to
create or modify objects in a specific OU.
b. Assign permissions to a user or group to
modify specific permissions for an object’s attributes.
4. The most common method of delegating
control is to assign permissions at the OU level.
5. To delegate administrative control, you
should try to follow specific guidelines.
a. Assign control at the OU level whenever
possible.
b. Use the Delegation Of Control wizard.
c. Track the delegation of permission
assignments.
d. Follow business requirements.
6. You can access the Delegation Of Control
wizard through the Active Directory Users And Computers snap-in.
4. Guidelines for Administering Active Directory Services
A. Coordinate Active Directory structure with
other administrators.
B. Complete all attributes when creating
objects.
C. Use deny permissions sparingly.
D. Ensure that at least one user has Full
Control permission for each object.
E. Ensure that delegated users take
responsibility and can be held accountable.
F. Provide training for users who control
objects.