Active Directory Fundamentals
Transcript of the slide deck "Active Directory Fundamentals"
Win Moody, Senior Trainer, QA ([email protected])

What we will cover:
  Domains, Trees, Forests
  Domain Controllers, Sites
  The Domain Naming Service (DNS)
  Replication
  Operations Masters
  Lots of demos...

Prerequisite Knowledge
  Understanding of what a directory service is
  Level 200+

Agenda
  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

Active Directory Logical Concepts: Domains
  Boundary of Security
    Authentication
    Security Policies
  Boundary of Replication
    Domain NC Replication
  Boundary of DNS Namespace
  Boundary of Administration
  [Diagram: a single domain, KAPOHO.NET]

Active Directory Logical Concepts: Trees
  Hierarchy of Domains forming a contiguous namespace
  Transitive Trust Relationships
  All Domains in a Tree share:
    Schema
    Configuration
    Global Catalog
  [Diagram: KAPOHO.NET at the root, with child domains EUROPE.KAPOHO.NET and HAWAII.KAPOHO.NET, and MAUI.HAWAII.KAPOHO.NET below HAWAII.KAPOHO.NET]

Active Directory Logical Concepts: Forests
  Hierarchy of Domains forming a contiguous or disjoint namespace
  Transitive Trust Relationships
  All Domains in a Forest share:
    Schema
    Configuration
    Global Catalog
  [Diagram: two trees in one forest, PSP.CO.UK and KAPOHO.NET, with HAWAII.KAPOHO.NET as a child of KAPOHO.NET]

Active Directory Logical Concepts: Organizational Units
  Containers within Domains
  Distinct Units of Administration
  Unique to Domains

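As an added example (not part of the slide deck), the following PowerShell enumerates the logical structure just described using the RSAT ActiveDirectory module: the forest, each domain tree as a contiguous namespace, the trust relationships (the automatic transitive trusts inside the forest versus explicit trusts that cross the forest boundary), and the OUs that partition administration inside each domain. It assumes a domain-joined session with read access to the directory; the helper name Show-DomainTree is the example's own.

```powershell
# Added example, not from the slide deck. Requires the RSAT ActiveDirectory
# module and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

# The forest: one schema, one configuration partition, one global catalog.
$forest = Get-ADForest
Write-Output "Forest root domain : $($forest.RootDomain)"
Write-Output "Forest mode        : $($forest.ForestMode)"
Write-Output "Domains in forest  : $($forest.Domains -join ', ')"

# Show-DomainTree (the example's own helper) walks a tree from its root.
# Every child domain extends its parent's DNS name, which is what makes a
# tree a contiguous namespace (KAPOHO.NET -> HAWAII.KAPOHO.NET -> ...).
function Show-DomainTree {
    param([string]$DnsRoot, [int]$Depth = 0)
    $d   = Get-ADDomain -Identity $DnsRoot
    $pad = '  ' * $Depth
    Write-Output ("{0}{1}  (NetBIOS: {2}; domain NC: {3})" -f $pad, $d.DNSRoot, $d.NetBIOSName, $d.DistinguishedName)
    foreach ($child in $d.ChildDomains) {
        Show-DomainTree -DnsRoot $child -Depth ($Depth + 1)
    }
}

# A domain with no parent inside the forest is the root of a tree. Two or
# more tree roots mean the forest spans a disjoint namespace (PSP.CO.UK
# beside KAPOHO.NET in the deck's diagram).
$treeRoots = foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    if (-not $d.ParentDomain) { $d.DNSRoot }
}
Write-Output "`nDomain trees ($(@($treeRoots).Count)):"
foreach ($root in $treeRoots) { Show-DomainTree -DnsRoot $root }

# Trusts. Inside the forest the parent/child and tree-root trusts are
# created automatically and are two-way and transitive. Anything with
# IntraForest = False is an explicit trust that crosses the forest
# boundary: it extends authentication beyond the security boundary the
# deck describes, so it is worth reviewing (and SID filtering should be on).
Write-Output "`nTrust relationships:"
$trusts = Get-ADTrust -Filter *
$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive, SIDFilteringQuarantined |
    Format-Table -AutoSize

foreach ($t in ($trusts | Where-Object { -not $_.IntraForest })) {
    Write-Warning "Trust to '$($t.Name)' leaves the forest (direction: $($t.Direction)); confirm it is still required."
}

# Organizational units: administrative boundaries inside a domain, and
# unique to that domain (an OU in KAPOHO.NET says nothing about HAWAII).
foreach ($name in $forest.Domains) {
    $d   = Get-ADDomain -Identity $name
    $ous = Get-ADOrganizationalUnit -Filter * -Server $d.DNSRoot `
               -SearchBase $d.DistinguishedName -SearchScope OneLevel
    Write-Output "`nTop-level OUs in $($d.DNSRoot) ($(@($ous).Count)):"
    $ous | ForEach-Object { "  $($_.DistinguishedName)" }
}
```

Run it from any domain member with RSAT installed; the forest-wide listing needs only read access to the configuration partition, which every authenticated user has by default.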
Agenda
  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

Active Directory Physical Concepts: Domain Controllers
  Primary Domain Controller (PDC)
  Backup Domain Controllers (BDCs)
  Domain Controllers (DCs)

Active Directory Physical Concepts: Sites
  What is a Site?
    A set of well-connected IP subnets
  Site Usage
    Locating Services (e.g. Logon, DFS)
    Replication
    Group Policy Application
  Sites are connected with Site Links
    Connects two or more sites

Active Directory Physical Concepts: Site Topology
  [Diagram: forest root Company.com with child domains america.company.com and europe.company.com, spread across Site A, Site B and Site C; each site holds one or more domain controllers, and some of them are also global catalogs. Legend: DC = Domain Controller, GC = Global Catalog]

Active Directory Physical Concepts: Global Catalog
  Partial Replica of all Objects in the Forest
  Configurable subset of Attributes
  Fast Forest-wide searches
  Required at Logon for Universal Group Membership

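The physical side of the deck (sites, subnets, DCs and the global catalog) can be inspected the same way. The script below is an added example, not the deck's own material: it lists sites with their subnets, every DC in the forest with its site and GC flag, warns about sites that have DCs but no GC (where universal-group logon depends on a GC in another site being reachable), shows which schema attributes make up the GC's partial attribute set, and reports the site this computer maps to. It assumes the RSAT ActiveDirectory module on a domain-joined machine running Windows 8 / Server 2012 or later (for the Get-ADReplication* cmdlets).

```powershell
# Added example, not from the slide deck. Requires the RSAT ActiveDirectory
# module on a domain-joined machine (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

# Sites are sets of well-connected IP subnets; the subnet-to-site mapping is
# what a client uses (together with DNS SRV records) to find a nearby DC.
Write-Output "Sites and their subnets:"
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    $mine = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
    Write-Output ("  {0,-24} {1}" -f $site.Name, (($mine | ForEach-Object Name) -join ', '))
}

# Every DC is a writable replica of its domain partition (no PDC/BDC split);
# IsGlobalCatalog marks the DCs that also hold the forest-wide partial replica.
$forest = Get-ADForest
$dcs = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom
}
Write-Output "`nDomain controllers in the forest:"
$dcs | Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem, IPv4Address |
       Sort-Object Site, Domain |
       Format-Table -AutoSize

# The GC is needed at logon to expand universal group membership. A site whose
# DCs are all non-GC depends on a GC in another site being reachable over the
# site link, so flag such sites.
$dcs | Group-Object Site | ForEach-Object {
    if (-not ($_.Group | Where-Object { $_.IsGlobalCatalog })) {
        Write-Warning "Site '$($_.Name)' has $($_.Count) DC(s) but no global catalog"
    }
}

# The GC holds a configurable subset of attributes: those whose schema
# definition carries isMemberOfPartialAttributeSet = TRUE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC `
           -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' -Properties lDAPDisplayName
Write-Output "`nAttributes replicated to the GC (partial attribute set): $(@($pas).Count)"
$pas | Select-Object -First 10 -ExpandProperty lDAPDisplayName | ForEach-Object { "  $_" }

# The site this computer maps to from its IP address, as the DC locator
# computes it (nltest /dsgetsite gives the same answer from the command line).
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Write-Output "`nThis computer is in site: $mySite"
```

If a machine's address falls in no defined subnet it is not associated with any site and may authenticate against a DC on the far side of a slow link; the subnet listing above is the first thing to check in that case.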
Agenda
  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

DNS: DNS Requirements
  SRV Records to locate services (required)
  DDNS for Dynamic Update (desired)
  Windows 2000 and up, DNS also provides:
    Incremental Zone Transfers
    Integration with Active Directory
      Single replication topology
      Multi-master replication
      Secure Dynamic updates

DNS: DNS Implementations
  No existing DNS infrastructure
    Deploy Microsoft DNS
  Check existing DNS meets requirements
  Existing DNS not adequate:
    Choice 1: Update Server
    Choice 2: Migrate to Microsoft DNS
    Choice 3: Delegate a subdomain to Microsoft DNS

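Whichever of the three choices is taken, the "check existing DNS meets requirements" step comes down to two tests: the SRV records clients use to locate services must resolve, and the AD zone should accept dynamic updates, ideally only secure ones. The script below is an added example (not from the deck) that performs both checks. It uses Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later) and Get-DnsServerZone from the DnsServer RSAT module, and assumes the PDC emulator is also a DNS server hosting the domain zone.

```powershell
# Added example, not from the slide deck. Assumes the DnsClient and DnsServer
# modules are available and that the PDC emulator hosts the domain's DNS zone.
Import-Module ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot
$forestRoot = (Get-ADForest).RootDomain
$site       = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# The SRV records a Windows client queries to find a DC, a Kerberos KDC, the
# PDC emulator and a global catalog. The site-specific form comes first so the
# client prefers a DC in its own site.
$required = @(
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    "_ldap._tcp.dc._msdcs.$domain"
    "_kerberos._tcp.dc._msdcs.$domain"
    "_ldap._tcp.pdc._msdcs.$domain"
    "_gc._tcp.$forestRoot"
)

$missing = @()
foreach ($name in $required) {
    # An SRV query also returns the targets' A records as additional data;
    # keep only the SRV answers.
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No SRV record for $name"
        $missing += $name
        continue
    }
    Write-Output $name
    $srv | Sort-Object Priority, Weight | ForEach-Object {
        Write-Output ("  -> {0}:{1}  (priority {2}, weight {3})" -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight)
    }
}
if ($missing) {
    Write-Warning "$($missing.Count) required record(s) missing; clients cannot locate the service until the DC registers them (net stop netlogon / net start netlogon re-registers)"
}

# Dynamic update lets each DC register its own SRV records. 'Secure' means
# only the authenticated computer that owns a record may change it;
# 'NonsecureAndSecure' lets any host on the network overwrite records, so
# it is flagged here as the weak setting.
$pdc  = (Get-ADDomain).PDCEmulator
$zone = Get-DnsServerZone -ComputerName $pdc -Name $domain
Write-Output ("`nZone {0}: AD-integrated={1}, replication scope={2}, dynamic update={3}" -f `
    $zone.ZoneName, $zone.IsDsIntegrated, $zone.ReplicationScope, $zone.DynamicUpdate)

if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $domain accepts '$($zone.DynamicUpdate)' dynamic updates; an AD-integrated zone should be set to Secure:"
    Write-Warning "  Set-DnsServerPrimaryZone -ComputerName $pdc -Name $domain -DynamicUpdate Secure"
}
```

Secure dynamic update is only available on AD-integrated zones, which is one practical reason the deck's choices 2 and 3 (Microsoft DNS for the AD namespace, even if only a delegated subdomain) are common.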
Agenda
  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

Replication: Replication Details
  Naming Contexts (NCs) that are replicated
    Schema Naming Context
    Configuration Naming Context
    Domain Naming Context
  Multi-master Replication
  Intra-site Bi-directional Ring Topology
  Inter-site Spanning Tree Topology
  Synchronous RPC over TCP/IP
  Asynchronous SMTP

Replication: Naming Contexts
  Schema
    Definitions of object classes and attributes
    Replicated to all DCs in the forest
  Configuration
    AD Structure (domains, sites, and where the DCs are)
    Replicated to all DCs in the forest
  Domain
    Domain specific objects (users, groups, computers, and OUs)
    Replicated to all DCs in a domain

Replication: Replication Topologies
  Intra-site Replication: AD replication between DCs within a Site
  Inter-site Replication: AD replication between Sites

Replication: Intra-site Replication
  RPC replication within a Site
  No compression
  Assumes good network connections
  Uses notification process (5 minutes on Windows 2000; less on Windows Server 2003)
  KCC generates a bi-directional Ring with extra edges
  Tip: Always let KCC generate the intra-site replication topology when possible

Replication: Inter-Site Replication
  Replication between Sites
  DS-RPC (RPC over IP) or SMTP Transports
  SMTP can be used only between
    GCs across Sites
    DCs of different domains and in different sites
  Compression
    10%-20% of original size
  Scheduled

Replication: Site-links, Bridges and Bridgehead Servers
  Site-links link two or more sites
    Costs and schedules can be specified
    Transitive (can be disabled)
  Site-link Bridges
    Bridge two or more site-links
  Bridgehead servers
  KCC generates a minimum cost spanning tree
  Tip: Always let KCC generate the replication topology

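To see the replication machinery of the last few slides on a live forest, the following added example (not from the deck) reads a DC's inbound partners per naming context, flags partners whose last success is stale or whose last result was an error, dumps the recorded failures, lists site links with their cost and interval, and reports connection objects that were created by hand rather than by the KCC, which is the exception the deck's tip warns about. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later); the PDC emulator is used as the DC to query because it always exists, and the three-hour staleness threshold is the example's own choice.

```powershell
# Added example, not from the slide deck. Requires the RSAT ActiveDirectory
# module (Server 2012 or later). The staleness threshold is an assumption;
# tune it to the slowest site-link schedule in the forest.
Import-Module ActiveDirectory

$dc         = (Get-ADDomain).PDCEmulator          # a DC that always exists
$staleAfter = [TimeSpan]::FromHours(3)

# Inbound partners for every partition this DC holds: schema and
# configuration (forest-wide) plus the domain NC. IntersiteTransportType
# tells whether the partner is reached over RPC/IP or SMTP.
$meta = Get-ADReplicationPartnerMetadata -Target $dc -Partition * -PartnerType Inbound
$meta | Select-Object Partition, Partner, IntersiteTransportType, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize

foreach ($m in $meta) {
    $age = (Get-Date) - $m.LastReplicationSuccess
    if ($m.LastReplicationResult -ne 0 -or $age -gt $staleAfter) {
        Write-Warning ("{0} from {1}: last success {2} min ago, result {3}, {4} consecutive failure(s)" -f `
            $m.Partition, $m.Partner, [math]::Round($age.TotalMinutes),
            $m.LastReplicationResult, $m.ConsecutiveReplicationFailures)
    }
}

# Failures the DC has recorded itself. repadmin /showrepl and
# repadmin /replsummary show the same data from the command line.
Write-Output "`nRecorded replication failures on ${dc}:"
Get-ADReplicationFailure -Target $dc |
    Select-Object Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# Inter-site: site links carry a cost and an interval/schedule, and the KCC
# builds a minimum-cost spanning tree over them. Traffic between sites is
# compressed and runs on the schedule rather than on change notification.
Write-Output "Site links:"
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } } |
    Format-Table -AutoSize

# Connection objects: the ring (intra-site) and spanning tree (inter-site)
# the KCC generated. AutoGenerated = False means someone created the
# connection by hand; the KCC will not repair it if the partner disappears.
$manual = Get-ADReplicationConnection -Filter * | Where-Object { -not $_.AutoGenerated }
foreach ($c in $manual) {
    Write-Warning ("Manual connection '{0}' from {1} to {2} is not maintained by the KCC" -f `
        $c.Name, $c.ReplicateFromDirectoryServer, $c.ReplicateToDirectoryServer)
}
```

A partner that keeps failing for longer than the tombstone lifetime will eventually be refused replication altogether, so the stale-partner warning above is worth feeding into routine monitoring rather than checking only when something breaks.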
Agenda
  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

Operations Masters: Schema and Domain
  Schema
    Performs updates to schema
    Sends updates to all DCs
    One per forest
    Default is the first DC installed
  Domain (Domain Naming)
    Performs add/remove of domains and cross-references to external DS
    One per forest
    Default is the first DC installed

Operations Masters: PDC, RID and Infrastructure
  Primary Domain Controller (PDC)
    Acts as a PDC for requests from NT clients
    One per domain
  Relative Identifier (RID)
    Generates pools of security identifiers to be distributed to DCs in the domain
    One per domain
  Infrastructure
    Updates SIDs on objects across domains
    One per domain
    Not required in a single-domain forest

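The following added example (not from the deck) lists all five operations master roles, applies the placement rule behind the slide's "not required in a single-domain forest" note (in a multi-domain forest the Infrastructure Master must not sit on a global catalog unless every DC in the domain is one), and decodes the RID master's rIDAvailablePool attribute to show how much of the domain's RID space has been handed out. It assumes the RSAT ActiveDirectory module; netdom query fsmo gives the same role listing from the command line.

```powershell
# Added example, not from the slide deck. Requires the RSAT ActiveDirectory
# module and read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Output "Forest-wide roles (one per forest):"
Write-Output "  Schema master        : $($forest.SchemaMaster)"
Write-Output "  Domain naming master : $($forest.DomainNamingMaster)"

foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    Write-Output "`nDomain-wide roles for $($d.DNSRoot) (one per domain):"
    Write-Output "  PDC emulator         : $($d.PDCEmulator)"
    Write-Output "  RID master           : $($d.RIDMaster)"
    Write-Output "  Infrastructure master: $($d.InfrastructureMaster)"

    # Placement rule. The Infrastructure Master updates cross-domain
    # references by comparing its own copy with the GC's; if it is itself a
    # GC it never sees a stale reference and silently stops doing the job.
    # In a single-domain forest there are no cross-domain references, so the
    # role has no work to do (the "not required" case on the slide).
    if ($forest.Domains.Count -gt 1) {
        $dcs   = Get-ADDomainController -Filter * -Server $d.DNSRoot
        $im    = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
        $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($im.IsGlobalCatalog -and -not $allGC) {
            Write-Warning ("{0}: Infrastructure Master {1} is a GC while other DCs are not; " +
                           "move the role to a non-GC DC or make every DC a GC") -f $d.DNSRoot, $d.InfrastructureMaster
        }
    }

    # RID master. Each DC receives a pool of RIDs from one 2^30-wide space per
    # domain. rIDAvailablePool packs two 32-bit numbers: the high half is the
    # ceiling of the space, the low half is the next RID that will be issued.
    $ridMgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($d.DistinguishedName)" `
                   -Server $d.DNSRoot -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $ceiling = $pool -shr 32
    $issued  = $pool -band 0xFFFFFFFF
    Write-Output ("  RIDs issued          : {0:N0} of {1:N0} ({2:P1})" -f $issued, $ceiling, ($issued / $ceiling))
}

# Command-line equivalent for the role listing: netdom query fsmo
```

The RID figure matters operationally: every user, group and computer consumes one RID for the life of the domain, and a restore of a DC from an old backup or a scripted bulk create can burn through pools far faster than normal provisioning, so a sudden jump in the issued count is a useful thing to alert on.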
Summary
  There are Logical and Physical concepts in Active Directory
  DNS
  Plenty of Information

For More Information...
  Main TechNet Web site at www.microsoft.com/technet
  Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98

MS Press: Inside information for IT Professionals
  To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books

Third Party Publications: Supplementary Publications for IT Pros
  These books can be found and purchased at all good book stores and on-line retailers

Microsoft Learning: Training Resources for IT Professionals
  Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
    Course Number: 2279
    Availability: Now
    Detailed Syllabus: www.microsoft.com/learning
  To locate a training provider, please access www.microsoft.com/learning
  Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services

Assess your Readiness: Microsoft Skills Assessment
  What is Microsoft Skills Assessment?
    Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
    Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
    Free, online, unproctored, and available to anyone
    Answers, "Am I ready?"
    Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
    Post your High Score to see how you stack up
  Visit http://www.microsoft.com/assessment

Become a Microsoft Certified Systems Administrator (MCSA)
  What is the MCSA certification?
    For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
  How do I become an MCSA on Microsoft Windows 2003?
    Pass 3 core exams
    Pass 1 elective exam or 2 CompTIA certifications
  Where do I get more information?
    For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa

Become a Microsoft Certified Systems Engineer (MCSE)
  What is the MCSE certification?
    Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software.
  How do I become an MCSE on Microsoft Windows 2003?
    Pass 6 core exams
    Pass 1 elective exam from a comprehensive list
  Where do I get more information?
    For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse

Demonstrate Your Security or Messaging Specialization
  What are MCSA/MCSE specializations?
    MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role.
  What specializations are available?
    MCSA: Security
    MCSA: Messaging
    MCSE: Security
    MCSE: Messaging
  Where do I get more information?
    For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse

What is TechNet? Put the right answers at your fingertips
  TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully
  TechNet Subscription
    Monthly updates delivered on DVD or CD
    The definitive resource to help you evaluate, deploy and maintain Microsoft products
  TechNet Web Site
    Accessible at www.microsoft.com/technet
    Online resources and community
    Subscriber-only Online Services
  TechNet Flash
    Bi-weekly e-newsletter
    Security updates, new resources, and special offers
  TechNet Events and Web Casts
    Briefings on the latest Microsoft products and technologies
    Hands-on, "how to" information
  TechNet Communities
    User Groups
    Managed Newsgroups

Where Can I Get TechNet?
  Visit TechNet Online at www.microsoft.com/technet
  Register for the TechNet Flash: www.microsoft.com/technet/subscriptions/flash.asp
  Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
  Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
  Attend More TechNet Events or view on-line: www.microsoft.com/technet/tcevents/itevents