Active Directory Installation Windows 2003


Page 1: Active directory installation windows 2003 1

Active Directory Installation

Windows 2003

Page 2

Contents
History
Active directory
Objectives of AD
Framework of AD
Logical Structure
Forest
Domain Tree
Domains
Domain Controllers

Page 3

Contents
Organizational Units
Trust Relationship
Group Policies
Naming in AD
AD Database
Active Directory installation

Page 4

HISTORY

Active Directory (AD) is a technology created by Microsoft

Active Directory was previewed in 1996

First release with Windows 2000 Server edition

Revised to extend functionality in Windows Server 2003.

Page 5

Active Directory

An 'Active Directory' (AD) structure is a hierarchical framework of objects.

Object: represents a single entity (a user, a computer, a printer, or a group) and has a unique name and a set of attributes.

All objects have an ID

Active Directory stores information and settings in a central database.

Page 6

Active Directory

Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.

An administrator can easily update all end users' computers with new software, patches, files, etc. simply by updating one object.

A network administrator can easily clear a person on a given tree, instantly give some users access to certain applications, or deny certain users access to others.

Page 7

Logical Structure

The forest, tree, and domain are the logical parts of an AD network.

Forest: At the top of the structure is the forest. The forest is a collection of every object, its attributes, and rules.

Domain Tree: a collection of one or more domains. A tree structure is formed by adding child domains.

Page 8

Domains

Computer systems and network resources that share a common logical security boundary.

Domains maintain their own security policies and security relationships with other domains.

Sometimes created to define functional boundaries such as an administrative unit (e.g., marketing versus engineering).

Page 9

Domains (cont.)

Domains are identified by their DNS name structure.

Physically, the Active Directory information is held on one or more equal peer domain controllers (DCs).

Page 10

Domain controllers (DCs)

Each DC has a copy of the AD; changes made on one computer are synchronized (converged) between all the DC computers by multi-master replication.

Each domain controller has the following information as part of its Active Directory:
Data on every object within the particular domain.
A listing of all domains in the tree and forest.

Page 11

Organizational Units

The objects held within a domain can be grouped into containers called Organizational Units (OUs).

OUs are used for ease of administration and to create an AD structure in the company's geographic or organizational terms.

Page 12

Trust Relationships

To allow users in one domain to access resources in another, AD uses trusts.

Within a single forest, implicit trusts are created when a domain is created. By default, domains have an implicit two-way transitive trust created: a user in domain A can access resources permitted to him in domain B, while a user in domain B can access resources permitted to her in domain A.

Page 14

Group Policies

The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs).

Applied to domains, organizational units, and users.

The administrator can control all the users, computers, and the delivery of applications.

Page 15

When Does Group Policy Get Applied? (diagram)

Computer starts: Windows 2003 applies computer settings from Group Policies.

User logs on: Windows 2003 applies user settings from Group Policies.

Page 16

Where Does My Policy Come From? (diagram: Domain (1) -> OU (2) -> OU (3) -> user/computer)

Policy is inherited for the user/computer; "closer" settings override "farther" ones.

Page 17

Naming in AD

Every object has a Distinguished Name (DN).

So a printer object called HPLaser3 in the OU Marketing and the domain foo.org would have the DN:

CN=HPLaser3, OU=Marketing, DC=foo, DC=org (CN = Common name)

The object can also have a Canonical name: foo.org/Marketing/HPLaser3.

Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit string which is used by AD for search and replication.
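A worked example, added here and not part of the original slides, that ties the naming rules on this page to the inheritance rule on the "Where Does My Policy Come From?" slide: it parses a distinguished name into its components, derives the canonical name (foo.org/Marketing/HPLaser3 from the slide's printer DN), lists the object's container chain from the domain down to its parent OU, and merges Group Policy settings along that chain so that a setting linked closer to the object overrides one linked farther away. The GPO links and setting names are constructed sample data, and the user DN CN=jdoe,OU=Sales,OU=Marketing,DC=foo,DC=org is an assumed example object, not anything from the slides.

```python
from __future__ import annotations

# Added example (not from the original slides): DN parsing, canonical names,
# and Group Policy inheritance along the container chain.  All directory
# data below (DNs, GPO links, setting names) is constructed sample data.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN such as 'CN=HPLaser3,OU=Marketing,DC=foo,DC=org' into
    (type, value) pairs, most specific (leftmost) component first.
    A backslash escapes the following character, so 'CN=Smith\\, John'
    keeps its comma inside the value instead of starting a new component."""
    rdns: list[str] = []
    buf = ""
    escaped = False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parts = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def canonical_name(dn: str) -> str:
    """DNS-style name: domain components joined by '.', then the container
    path from the root inward, e.g. 'foo.org/Marketing/HPLaser3'."""
    parts = parse_dn(dn)
    domain = ".".join(v for t, v in parts if t == "DC")
    path = [v for t, v in parts if t != "DC"]  # leaf first, so reverse below
    return "/".join([domain] + path[::-1])


def container_chain(dn: str) -> list[str]:
    """Containers that hold the object, farthest (the domain) first and the
    object's parent last; the object's own RDN is not a container."""
    parts = parse_dn(dn)
    n_dc = sum(1 for t, _ in parts if t == "DC")
    domain_start = len(parts) - n_dc        # index where the DC suffix begins
    chain = []
    for i in range(domain_start, 0, -1):    # the domain, then each OU inward
        if i == domain_start or parts[i][0] != "DC":
            chain.append(",".join(f"{t}={v}" for t, v in parts[i:]))
    return chain


def resolve_policy(dn: str, gpo_links: dict[str, dict[str, str]]) -> dict[str, tuple[str, str]]:
    """Merge settings from the GPOs linked along the container chain.
    Walking domain -> OU -> sub-OU means a later (closer) link overwrites
    an earlier (farther) one, which is the inheritance rule on the slide.
    Returns setting -> (winning value, container whose link supplied it)."""
    effective: dict[str, tuple[str, str]] = {}
    for container in container_chain(dn):
        for setting, value in gpo_links.get(container, {}).items():
            effective[setting] = (value, container)
    return effective


# Constructed sample GPO links: container DN -> settings of the GPO linked there.
SAMPLE_GPO_LINKS = {
    "DC=foo,DC=org": {
        "ScreenSaverTimeout": "900",
        "DisableRegistryTools": "1",
    },
    "OU=Marketing,DC=foo,DC=org": {
        "ScreenSaverTimeout": "600",
        "WallpaperPath": r"\\files\marketing.bmp",
    },
    "OU=Sales,OU=Marketing,DC=foo,DC=org": {
        "WallpaperPath": r"\\files\sales.bmp",
    },
}

if __name__ == "__main__":
    printer = "CN=HPLaser3,OU=Marketing,DC=foo,DC=org"    # the slide's printer object
    print(parse_dn(printer))
    print(canonical_name(printer))
    user = "CN=jdoe,OU=Sales,OU=Marketing,DC=foo,DC=org"  # assumed sample user
    for setting, (value, source) in resolve_policy(user, SAMPLE_GPO_LINKS).items():
        print(f"{setting} = {value}  (from {source})")
```

For the sample user, ScreenSaverTimeout comes from the Marketing OU (600 beats the domain's 900) and WallpaperPath from the Sales OU, while DisableRegistryTools is inherited unchanged from the domain. Real Group Policy processing also involves site links, link order when several GPOs are linked to one container, and the Block Inheritance and Enforced options, none of which the slides cover; this block implements only the inheritance rule the slide states.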

Page 18

FSMO Roles

Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:

Page 19

Role (Scope): Description

Schema Master (1 per forest): Controls and handles updates/modifications to the Active Directory schema.

Domain Naming Master (1 per forest): Controls the addition and removal of domains from the forest if present in root domain.

PDC Emulator (1 per domain): Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC emulator also runs domain-specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain.

RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.

Infrastructure Master (1 per domain): Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS) (unless all DCs are also GCs).