Title: Active Directory Fundamentals
Slide 1: Active Directory Fundamentals
Thomas Lee, Chief Technologist, QA (thomas.lee_at_qa.com)
Slide 2: What we will cover
- Domain, Trees, Forests
- Domain Controllers, Sites
- The Domain Naming Service
- Replication
- Operations Masters
- Lots of demos.
Slide 3: Prerequisite Knowledge
- Understanding of what a directory service is
Level 200
Slide 4: Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Slide 5: Active Directory Logical Concepts - Domains
- Boundary of Security
  - NOT!!!
- Boundary of Authentication
- Boundary of Replication
  - Domain NC Replication
- Boundary of DNS Namespace
- Boundary of Administration
(Diagram: the domain KAPOHO.NET)
Slide 6: Active Directory Logical Concepts - Trees
- Hierarchy of Domains forming a contiguous namespace
- Transitive Trust Relationships
- All Domains in a Tree share
  - Schema
  - Configuration
  - Global Catalog
(Diagram: the tree KAPOHO.NET with child domains HAWAII.KAPOHO.NET and EUROPE.KAPOHO.NET, and grandchild domain MAUI.HAWAII.KAPOHO.NET)
Slide 7: Active Directory Logical Concepts - Forests
- Hierarchy of Domains forming a contiguous or disjoint namespace
- Transitive Trust Relationships
- All Domains in a Forest share
  - Schema
  - Configuration
  - Global Catalog
(Diagram: a forest holding the tree KAPOHO.NET with child domain HAWAII.KAPOHO.NET, plus the separate tree PSP.CO.UK)
Slide 8: Active Directory Logical Concepts - Organizational Units
- Containers within Domains
- Distinct Units of Administration
- Unique to Domains
Slide 9: Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Slide 10: Active Directory Physical Concepts - Domain Controllers
(Diagram: Primary Domain Controller (PDC), Domain Controllers (DC), Backup Domain Controller (BDC))
Slide 11: Active Directory Physical Concepts - Sites
- What is a Site?
  - A set of well-connected IP subnets
- Site Usage
  - Locating Services (e.g. Logon, DFS)
  - Replication
  - Group Policy Application
- Sites are connected with Site Links
  - A Site Link connects two or more sites
Slide 12: Active Directory Physical Concepts - Site Topology
(Diagram: three sites, Site A, Site B and Site C, hosting DCs and GCs for Company.com, europe.company.com and america.company.com; legend: DC = Domain Controller, GC = Global Catalog)
Slide 13: Active Directory Physical Concepts - Global Catalog
- Partial Replica of all Objects in the Forest
- Configurable subset of Attributes
- Fast Forest-wide searches
- Required at Logon for Universal Group Membership
Slide 14: Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Slide 15: DNS
- SRV Records to locate services (required)
- DDNS for Dynamic Update (desired)
- Windows 2000 and later DNS also provides
  - Incremental Zone Transfer
  - Active Directory Integrated zones
    - Single replication topology
    - Multi-master replication
    - Secure Dynamic update
Tip: Use the latest version of BIND!
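Added example (not part of the slides): a PowerShell check of the SRV locator records that AD clients depend on (any DC, Kerberos KDC, the PDC emulator, any GC), compared against the DCs the directory itself lists, so that stale and missing registrations show up. It assumes the RSAT ActiveDirectory module, a domain-joined session, and the made-up function names Test-AdSrvRecords and ConvertTo-DnsHost.

```powershell
Import-Module ActiveDirectory   # RSAT; Resolve-DnsName (DnsClient module) ships with Windows 8/2012 and later

function ConvertTo-DnsHost([string]$h) { $h.ToLower().TrimEnd('.') }   # normalise names for comparison

function Test-AdSrvRecords {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)   # assumption: run from a domain-joined session

    $forest = (Get-ADForest).RootDomain
    # Locator records every AD client depends on (the "required" SRV records of slide 15).
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$DomainName",      # LDAP on any DC of the domain
        "_kerberos._tcp.dc._msdcs.$DomainName",  # Kerberos KDC on any DC of the domain
        "_ldap._tcp.pdc._msdcs.$DomainName",     # the PDC emulator
        "_gc._tcp.$forest"                       # any global catalog in the forest
    )

    # Hosts the directory itself lists as DCs, forest-wide because GC records span domains.
    $knownDCs = foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomainController -Filter * -Server $d).HostName | ForEach-Object { ConvertTo-DnsHost $_ }
    }
    $domainDCs = (Get-ADDomainController -Filter * -Server $DomainName).HostName |
        ForEach-Object { ConvertTo-DnsHost $_ }

    $advertised = @()
    foreach ($name in $srvNames) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            Write-Warning "No SRV records for $name - clients cannot locate this service"
            continue
        }
        foreach ($r in $records) {
            $target = ConvertTo-DnsHost $r.NameTarget
            if ($name -eq $srvNames[0]) { $advertised += $target }
            # STALE: DNS still advertises a host that is no longer a DC (decommissioned without cleanup)
            $status = if ($knownDCs -contains $target) { 'OK' } else { 'STALE' }
            [pscustomobject]@{ Record = $name; Target = $target; Port = $r.Port
                               Priority = $r.Priority; Weight = $r.Weight; Status = $status }
        }
    }
    # DCs that exist but never registered the generic locator record (dynamic update failing?).
    foreach ($dc in $domainDCs | Where-Object { $advertised -notcontains $_ }) {
        Write-Warning "$dc is a DC of $DomainName but has no $($srvNames[0]) record"
    }
}

Test-AdSrvRecords | Format-Table -AutoSize
```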
Slide 16: DNS - DNS Implementations
- No existing DNS infrastructure
  - Deploy Microsoft DNS
- Existing DNS meets requirements
- Existing DNS not adequate
  - Choice 1: Update Server
  - Choice 2: Migrate to Microsoft DNS
  - Choice 3: Delegate a subdomain to Microsoft DNS
Slide 17: Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Slide 18: Replication - Replication Details
- Naming Contexts that are replicated
  - Schema Naming Context
  - Configuration Naming Context
  - Domain Naming Context
- Multi-Master Replication
- Intra-site: Bi-directional Ring Topology
- Inter-site: Spanning Tree Topology
- Synchronous RPC over TCP/IP
- Asynchronous SMTP
Slide 19: Replication - Naming Contexts
- Schema
  - Definitions of attributes
  - Replicated to all DCs in the forest
- Configuration
  - AD Structure (domains, sites, and where the DCs are)
  - Replicated to all DCs in the forest
- Domain
  - Domain specific objects (users, groups, computers, and OUs)
  - Replicated to all DCs in its domain
Slide 20: Replication - Replication Topologies
- Intra-Site Replication: AD replication between DCs within a Site
- Inter-Site Replication: AD replication between Sites
Slide 21: Replication - Intra-Site Replication
- RPC Replication in a Site
  - No compression
  - Assumes good network connections
- Uses a notification process
  - 5 minutes in Windows 2000
  - Less in Windows Server 2003
- KCC generates a bi-directional ring with extra edges
Tip: Always let the KCC generate the intra-site replication topology when possible
Slide 22: Replication - Inter-Site Replication
- Replication between Sites
- DS-RPC (RPC over IP) or SMTP transports
- SMTP can be used only between
  - GCs across Sites
  - DCs of different domains and in different sites
- Compression
  - 10-20% of original size
- Scheduled
Slide 23: Replication - Site Links, Bridges and Bridgehead Servers
- Site Links link two or more sites
  - Cost and schedules can be specified
  - Transitive (can be disabled)
- Site-Link Bridges
  - Bridge two or more site links
- Bridgehead servers
- KCC generates a minimum cost spanning tree
Tip: Always let the KCC generate the replication topology
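Added example (not part of the slides): a PowerShell report of the inbound replication state of every DC for each naming context (failed or stale partners stand out), plus the site-link cost and interval values the KCC feeds into its inter-site spanning tree. It assumes the RSAT ActiveDirectory module, rights to read replication metadata, and the made-up function names Get-AdReplicationReport, Get-AdSiteLinkSummary and Get-DnLeaf.

```powershell
Import-Module ActiveDirectory   # RSAT; reading replication metadata needs admin or delegated rights

# First/nth leaf of a Configuration-NC DN, e.g. "CN=NTDS Settings,CN=DC02,CN=Servers,..." index 1 -> "DC02".
function Get-DnLeaf([string]$dn, [int]$Index = 0) { ($dn -split ',')[$Index] -replace '^CN=', '' }

function Get-AdReplicationReport {
    param([int]$StaleHours = 24)   # partners with no successful inbound replication in this window are flagged

    $cutoff = (Get-Date).AddHours(-$StaleHours)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and naming context (schema, configuration, domain, application).
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $meta) { Write-Warning "$($dc.HostName): no metadata (DC unreachable or access denied)"; continue }
        foreach ($m in $meta) {
            $status = if ($m.LastReplicationResult -ne 0) { "FAILED($($m.LastReplicationResult))" }
                      elseif ($m.LastReplicationSuccess -lt $cutoff) { 'STALE' }
                      else { 'OK' }
            [pscustomobject]@{
                Server    = $dc.HostName
                Site      = $dc.Site
                Partner   = Get-DnLeaf $m.Partner 1   # $m.Partner is the partner's NTDS Settings DN
                Partition = $m.Partition              # the naming context this row is about
                LastOK    = $m.LastReplicationSuccess
                Failures  = $m.ConsecutiveReplicationFailures
                Status    = $status
            }
        }
    }
}

function Get-AdSiteLinkSummary {
    # Cost and interval are the inputs to the KCC's inter-site minimum-cost spanning tree (slide 23).
    Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        [pscustomobject]@{
            SiteLink = $_.Name
            Cost     = $_.Cost
            Interval = $_.ReplicationFrequencyInMinutes
            Sites    = ($_.SitesIncluded | ForEach-Object { Get-DnLeaf $_ }) -join ', '
        }
    }
}

Get-AdReplicationReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize   # only the problems
Get-AdSiteLinkSummary | Format-Table -AutoSize
```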
Slide 24: Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Slide 25: Operations Masters - Schema and Domain
- Schema
  - Performs updates to the schema
  - Sends updates to all DCs
  - One per forest
  - Default is the first DC installed
- Domain
  - Performs add/remove of domains and cross-references to external directory services
  - One per forest
  - Default is the first DC installed
Slide 26: Operations Masters - PDC, RID and Infrastructure
- Primary Domain Controller (PDC)
  - Acts as a PDC for requests from NT clients
  - One per domain
- Relative Identifier (RID)
  - Generates pools of security identifiers to be distributed to DCs in the domain
  - One per domain
- Infrastructure
  - Updates SIDs and domains that are moved in and out of the domain
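Added example (not part of the slides): a PowerShell inventory of the five operations master roles across the forest that checks each holder answers on the LDAP port and notes the well-known infrastructure master caveat, which goes beyond the slides: in a multi-domain forest the role should not sit on a GC unless every DC in that domain is a GC. It assumes the RSAT ActiveDirectory module and the made-up function name Get-AdOperationsMasterReport.

```powershell
Import-Module ActiveDirectory   # RSAT; Test-NetConnection (NetTCPIP module) ships with Windows 8/2012 and later

function Get-AdOperationsMasterReport {
    $forest  = Get-ADForest
    $domains = @($forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ })
    $gcs     = @($forest.GlobalCatalogs | ForEach-Object { $_.ToLower() })

    # Forest-wide roles (one per forest) then per-domain roles (one per domain), as slides 25-26 list them.
    $roles = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($d in $domains) {
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = $role; Holder = $d.$role }
        }
    }

    foreach ($r in $roles) {
        $holder = $r.Holder.ToLower()
        # A holder that does not answer LDAP blocks schema changes, domain adds, RID pool issue, etc.
        $ldapUp = (Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        $note = ''
        if ($r.Role -eq 'InfrastructureMaster' -and $domains.Count -gt 1 -and $gcs -contains $holder) {
            # Well-known caveat (not on the slides): the infrastructure master finds stale cross-domain
            # references by comparing its own replica with a GC. Hosted on a GC it never sees a
            # difference, so the check only works if every DC in the domain is also a GC.
            $domainDCs = (Get-ADDomainController -Filter * -Server $r.Scope).HostName | ForEach-Object { $_.ToLower() }
            if ($domainDCs | Where-Object { $gcs -notcontains $_ }) { $note = 'on a GC while some DCs are not GCs' }
        }
        [pscustomobject]@{ Scope = $r.Scope; Role = $r.Role; Holder = $holder
                           LdapReachable = $ldapUp; IsGC = ($gcs -contains $holder); Note = $note }
    }
}

Get-AdOperationsMasterReport | Format-Table -AutoSize
```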
Slide 27: Summary
- There are Logical and Physical concepts
- DNS
- Plenty of Information
Slide 28: For More Information
- Main TechNet Web site at www.microsoft.com/technet
- Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98
Slide 29: MS Press - Inside information for IT Professionals
To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books
Slide 30: Third Party Publications - Supplementary Publications for IT Pros
These books can be found and purchased at all good book stores and on-line retailers.
Slide 31: Microsoft Learning - Training Resources for IT Professionals
- Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  - Course Number 2279
  - Availability: Now
  - Detailed Syllabus: www.microsoft.com/learning
To locate a training provider, please access www.microsoft.com/learning. Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services.
Slide 32: Assess your Readiness - Microsoft Skills Assessment
- What is Microsoft Skills Assessment?
  - Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
  - Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
  - Free, online, unproctored, and available to anyone
- Answers "Am I ready?"
  - Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
- Post your High Score to see how you stack up
- Visit http://www.microsoft.com/assessment
Slide 33: Become a Microsoft Certified Systems Administrator (MCSA)
- What is the MCSA certification?
  - For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
- How do I become an MCSA on Microsoft Windows 2000?
  - Pass 3 core exams
  - Pass 1 elective exam or 2 CompTIA certifications
- Where do I get more information?
  - For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa
Slide 34: Become a Microsoft Certified Systems Engineer (MCSE)
- What is the MCSE certification?
  - Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software.
- How do I become an MCSE on Microsoft Windows 2003?
  - Pass 6 core exams
  - Pass 1 elective exam from a comprehensive list
- Where do I get more information?
  - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse
Slide 35: Demonstrate Your Security or Messaging Specialization
- What are MCSA/MCSE specializations?
  - MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role.
- What specializations are available?
  - MCSA: Security
  - MCSA: Messaging
  - MCSE: Security
  - MCSE: Messaging
- Where do I get more information?
  - For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse
Slide 36: What is TechNet?
- Put the right answers at your fingertips
- TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully
TechNet Subscription
- Monthly updates delivered on DVD or CD
- The definitive resource to help you evaluate, deploy and maintain Microsoft products
TechNet Web Site
- Accessible at www.microsoft.com/technet
- Online resources and community
- Subscriber-only Online Services
TechNet Flash
- Bi-weekly e-newsletter
- Security updates, new resources, and special offers
TechNet Events and Web Casts
- Briefings on the latest Microsoft products and technologies
- Hands-on, how-to information
TechNet Communities
- User Groups
- Managed Newsgroups
Slide 37: Where Can I Get TechNet?
- Visit TechNet Online at www.microsoft.com/technet
- Register for the TechNet Flash at www.microsoft.com/technet/subscriptions/flash.asp
- Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
- Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
- Attend more TechNet Events or view on-line at www.microsoft.com/technet/tcevents/itevents