Module 1: Introduction to Active Directory Infrastructure

Overview

• The Architecture of Active Directory• How Active Directory Works• Examining Active Directory • The Active Directory Design, Planning, and

Implementation Processes

Lesson: The Architecture of Active Directory

• What Does Active Directory Do?• The Logical Structure of Active Directory• The Physical Structure of Active Directory• What Are Operations Masters?

What Is a Directory Service? A directory service is a network service that identifies all resources on anetwork and makes that information available to users and applications.Directory services are important, because they provide a consistent way toname, describe, locate, access, manage, and secure information about theseresources.When a user searches for a shared folder on the network, it is the directoryservice that identifies the resource and provides that information to the user.

What Is a Active Directory?

Active Directory is the directory service in the Windows Server family.It extends the basic functionality of a directory service to provide the followingbenefits:• Domain Name System integration• Scalability• Centralized management• Delegated administration

What Does Active Directory Do?

• Centralizes control of network resources• Centralizes and decentralizes resource

management• Stores objects securely in a logical structure • Optimizes network traffic

The Logical Structure of Active Directory

DomainDomain

Domain

Domain

Domain

DomainOU

OU OU

Domain TreeDomain Tree

DomainDomain

ForestForest

Organizational UnitOrganizational Unit

ObjectsObjects

The logical components of the Active Directory structure

Domain. The core unit of the logical structure in Active Directory is the domain. A domain is a collection of security principals such as user and computer accounts and other objects like printers and shared folders. The domain objects are defined by an administrator and share a common directory database, security policies, and trust relationships with other domains. Domains provide the following three functions:• An administrative boundary for objects• A means of managing security for shared resources• A unit of replication for objects

Forest. A forest is one or more domains that share a common configuration, schema, and global catalog.

Tree. A tree consists of domains in a forest that share a contiguous DNS namespace and have a two-way transitive trust relationship between parent and child domains.

Organizational unit. An organizational unit is a type of container object that you use to organize objects within a domain. An organizational unit might contain objects such as user accounts, groups, computers, printers, and other organizational units.

The Physical Structure of Active Directory

• Sites• Domain controllers• WAN links

SiteSite

Domain ControllersDomain Controllers

WAN LinkWAN Link

SiteSite

Domain controllers. These computers run Microsoft® Windows® Server and Active Directory. Each domain controller performs storage and replication functions. A domain controller can support only one domain. To ensure continuous availability of Active Directory, each domain should have more than one domain controller.

Active Directory sites. These sites are groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.

The physical components of the Active Directory structure

What Are Operations Masters?

First domain controller in the forest root domain

First domain controller in the forest root domain

Forest-wide rolesForest-wide roles

Schema master

Domain naming master

Schema master

Domain naming master

PDC emulator

RID master

Infrastructure master

PDC emulator

RID master

Infrastructure master

Domain-wide rolesDomain-wide roles

PDC emulator

RID master

Infrastructure master

PDC emulator

RID master

Infrastructure master

Domain-wide rolesDomain-wide roles

RID master

PDC emulator

Infrastructure master

RID master

PDC emulator

Infrastructure master

How Active Directory Enables a Single Sign-on

Domain ControllerDomain Controller Server XYZServer XYZ

Windowsxp

Log On to Windows

REDMOND

How to Verify the Active Directory Installation

Your instructor will demonstrate how to:Your instructor will demonstrate how to:

Verify the creation of SYSVOL and its sharesThe directory database and log files The default Active Directory structure

Verify the installation results by examining the event logs

Verify the creation of SYSVOL and its sharesThe directory database and log files The default Active Directory structure

Verify the installation results by examining the event logs

How to Troubleshoot the Installation of Active Directory

Symptom Possible causes

Access denied when creating or adding a domain controller

You are not logged on using an account in the Local Administrators group Your credentials are not from a user account that is a member of the Domain Admins or Enterprise Admins group

DNS or NetBIOS domain names are not unique

Another domain has the same DNS or NetBIOS name

Domain cannot be contacted

Network errorDNS error

Insufficient disk space Available disk space is less than the minimum required to install Active Directory

Types of Trusts

Forest(root)

Tree/RootTrustTree/RootTrust

Forest TrustForest Trust

Shortcut TrustShortcut TrustExternal TrustExternal Trust

Kerberos Realm

Realm TrustRealm Trust

Domain D

Forest 1

Domain BDomain ADomain E

Domain F

Forest(root)

Domain P Domain Q

Parent/ChildTrustParent/ChildTrust

Forest 2

Domain C

How Trusts Work Across Forests

nwtraders.msft contoso.msft

Forest trust

Global catalog

Global catalog

Seattle

vancouver.nwtraders.msft

seattle.contoso.msft

Vancouver

22 44

66

11

3355

77

88

99

Forest 1 Forest 2

What Is an Organizational Unit?

• Organizes objects in a domain• Allows you to delegate

administrative control• Simplifies the management of

commonly grouped resources

Organizational Unit Hierarchical Models

Function-Based Hierarchy

S

C M

S – SalesC – ConsultantsM - Marketing

Examples of Hybrid-Based Hierarchies

Function Organization

Location Function

Organization Location

Organization-Based Hierarchy

M

E R

M – ManufacturingE – EngineeringR - Research

Location-Based Hierarchy

N

F I

N – Norway F – FranceI – Indonesia

What Is a User Account?

Domain user accounts (stored in Active Directory)Domain user accounts (stored in Active Directory)

Local user accounts (stored on local computer)Local user accounts (stored on local computer)

Windows Server 2008 Domain

User Account Placement in a HierarchyGeopolitical DesignGeopolitical Design

Users

North America

Users

South America

Business DesignBusiness Design

Users

Accounting

Users

Sales

User Account Password Options

Account options Description

User must change password at next logon

Users must change their passwords the next time they log on to the network

User cannot change password

Users do not have the permissions to change their own password

Password never expires

Users’ passwords will not expire and do not need to be changed

Account is disabled

Users cannot log on by using the selected account

Best Practices for Creating User Accounts

Best practices for creating local user accountsBest practices for creating local user accountsLimit the number of people who can log on locallyLimit the number of people who can log on locally

Best practices for creating domain user accountsBest practices for creating domain user accounts

Disable any account that will not be used immediatelyDisable any account that will not be used immediately

Require users to change their passwords the first time that they log onRequire users to change their passwords the first time that they log on

Do not use the Users container for ordinary user accountsDo not use the Users container for ordinary user accounts

Rename the Administrator accountRename the Administrator account

Use strong passwordsUse strong passwords

What Are Groups?

Groups simplify administration by enabling you to assign permissions for resources

Group type Description

SecurityUsed to assign user rights and permissions Can be used as an e-mail distribution list

DistributionCan be used only with e-mail applicationsCannot be used to assign permissions

GroupGroup

Groups are characterized by scope and type

What Are Global Groups?

Global group rules

Membership can include

Mixed functional level: User and computer accounts from same domainNative functional level: User and computer accounts and global groups from same domain

Can be a member of

Mixed functional level: Domain local groupsNative functional level: Universal and domain local groups in any trusting domain and global groups in the same domain

Scope Visible in its own domain and all trusting domains

Permissions All domains in the forest and trusting domains

What Are Universal Groups?Universal group rules

Membership can include

Mixed functional level: Not applicableNative functional level: User accounts, global groups, and universal groups from any domain in the forest

Can be a member of

Mixed functional level: Not applicableNative functional level: Domain local or universal groups in any domain

Scope Visible in all domains in the forest and all trusting domains

Permissions All domains in the forest and all trusting domains

What Are Domain Local Groups?Domain local group rules

Membership can include

Mixed functional level and Windows interim 2003: User and computer accounts and global groups from any trusted domainNative functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain

Can be a member of

Mixed functional level and Windows interim 2003: NoneNative functional level: Domain local groups in the same domain

Scope Visible only in its own domain

Permissions Domain to which the domain local group belongs

What Are Local Groups?Local group rules

Membership can include

Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains

Can be a member of Not applicable

What Is Group Policy?

All computers with Microsoft Windows® 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8 or Windows Server 2008 operating systems are capable of accepting Group Policy settings. The local Group Policy settings can be used to manage the local computer in a standalone or domain environment. The Active directory® directory service can use Group Policy to manage users and computers in a domain. For example, you can define Group Policy settings that affect the entire domain or define settings that affect specific organizational units (OUs) or use local Group Policy settings to affect a single computer.

What Is a GPO Link?

Site

Domain

OUDomain GPO

Organizational Unit GPO

Organizational Unit GPO

Site GPO

OUOU

What Is Remote Desktop for Administration?

Administrator

LAN

Remote computerrunning RemoteDesktop Connection

Remote computerrunning RemoteDesktop Connection

Remote Desktop Service enabled on WindowsServer 2003/2008

Remote Desktop Service enabled on WindowsServer 2003/2008

Terminal Services Remote Desktop Protocol (LAN, WAN, or dial-up connection)

Terminal Services Remote Desktop Protocol (LAN, WAN, or dial-up connection)

Why Use Remote Desktop for Administration?

Provide remote access to most configuration settingsDiagnose a problem and test multiple solutions quickly Allow access to servers from anywhere in the world Perform time-consuming batch administrative jobs, such as tape backupsUpgrade server applications and operating systems remotely

Provide remote access to most configuration settingsDiagnose a problem and test multiple solutions quickly Allow access to servers from anywhere in the world Perform time-consuming batch administrative jobs, such as tape backupsUpgrade server applications and operating systems remotely

What Is Terminal Services Manager?

• Monitors user sessions• Manually forces user logoff or session disconnect• You can oversee all users and sessions on a server from

one location

What Is Event Viewer? • A tool for viewing and configuring

event logs• A way to view the application log• A collection of log files with a 16

MB default size• Filter events based on type,

source, computer, and time

Why Use DHCP?

DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configurationDHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration

Manual TCP/IP ConfigurationManual TCP/IP Configuration

IP addresses are entered manually

IP address could be entered incorrectly

Communication and network issues can result

Frequent computer moves increase administrative effort

IP addresses are entered manually

IP address could be entered incorrectly

Communication and network issues can result

Frequent computer moves increase administrative effort

Automatic TCP/IP ConfigurationAutomatic TCP/IP Configuration

IP addresses are supplied automatically

Correct configuration information is ensured

Client configuration is updated automatically

A common source of network problems is eliminated

IP addresses are supplied automatically

Correct configuration information is ensured

Client configuration is updated automatically

A common source of network problems is eliminated

What Is Automatic Private IP Addressing?

APIPA automatically self-configures addresses when there is no DHCP server availableAPIPA automatically self-configures addresses when there is no DHCP server available

AdvantagesAdvantages

Serves as a DHCP server failover mechanism for small networks

Automatically assigns an IP address in a specific range

Serves as a DHCP server failover mechanism for small networks

Automatically assigns an IP address in a specific range

DisadvantagesDisadvantages

Forces assignment of addresses typically not used

Conceals possible connectivity problems

Does not work outside 169.254.x.x subnet

Is not routable

Forces assignment of addresses typically not used

Conceals possible connectivity problems

Does not work outside 169.254.x.x subnet

Is not routable

How the DHCP Lease Generation Process Works

DHCP client broadcasts a DHCPDISCOVER packetDHCP client broadcasts a DHCPDISCOVER packet11

DHCP servers broadcast a DHCPOFFER packetDHCP servers broadcast a DHCPOFFER packet22

DHCP client broadcasts a DHCPREQUEST packetDHCP client broadcasts a DHCPREQUEST packet33

DHCP Server1 broadcasts a DHCPACK packetDHCP Server1 broadcasts a DHCPACK packet44

DHCP ClientDHCP Client

DHCP Server1DHCP Server1

DHCP Server2DHCP Server2

DHCP client broadcasts a DHCPDISCOVER packetDHCP client broadcasts a DHCPDISCOVER packet11

DHCP servers broadcast a DHCPOFFER packetDHCP servers broadcast a DHCPOFFER packet22

DHCP client broadcasts a DHCPREQUEST packetDHCP client broadcasts a DHCPREQUEST packet33

DHCP Server1 broadcasts a DHCPACK packetDHCP Server1 broadcasts a DHCPACK packet44

DHCP ClientDHCP Client

DHCP Server1DHCP Server1

DHCP Server2DHCP Server2

Host Name Resolution Process

Host name resolution is the process of resolving a host name to an IP addressHost name resolution is the process of resolving a host name to an IP address

What is the IP address for

Salescomputer2?

What is the IP address for

Salescomputer2?

Salescomputer2Salescomputer2

11 22

33

192.168.1.35Salescomputer2

DNS NetBIOS Name Cache

WINS Broadcast Lmhost FileClient Resolver Cache/Hosts File

Overview of Domain Name SystemDomain Name System is a hierarchical distributed databaseDomain Name System is a hierarchical distributed database

DNS is the foundation of the Internet naming scheme DNS supports accessing resources by using alphanumeric names InterNIC is responsible for managing the domain namespace DNS was created to support the Internet’s growing number of hosts

What Is a Domain Namespace?Root Domain

Subdomain

Second-Level Domain

Top-Level Domain

FQDN:SERVER1.sales.south.nwtraders.comFQDN:SERVER1.sales.south.nwtraders.com

southsouth

nwtradersnwtraders

comcom

salessales

westwest easteast

orgorgnetnet

Host: SERVER1Host: SERVER1

What Are Resource Records and Record Types?

Type DescriptionA Resolves a host name to an IP address

PTR Resolves an IP address to a host name

SOA The first record in any zone file SRV Resolves names of servers providing servicesNS Identifies the DNS server for each zone

MX The mail server

CNAME Resolves an alias to a host name

What Are DNS Zone Types?Zones Description

Primary Read/write copy of a DNS database

Secondary Read-only copy of a DNS database

Active Directory integrated

Zone data is stored in Active Directory rather than in zone files

What Are Forward and Reverse Lookup Zones?Namespace: training.nwtraders.msft

DNS Client1DNS Client1DNS Client2DNS Client2

DNS Client3DNS Client3

DNS Server Authorizedfor trainingDNS Server Authorizedfor training

Forward zone Training

DNS Client1 192.168.2.45

DNS Client2 192.168.2.46

DNS Client3 192.168.2.47

Reverse zone

1.168.192.in-addr.arpa

192.168.2.45 DNS Client1

192.168.2.46 DNS Client2

192.168.2.47 DNS Client3DNS Client2 = ?DNS Client2 = ?

192.168.2.46 = ?192.168.2.46 = ?