Welcome to St.

Edwards University Professional Education Center

Ed Jacoby MCSE, MCNE, MCNI, MCT

Understanding Active Directory in Windows Server 2003

Overview
Active Directory Directory Services Overview Active Directory Logical Components Functional Levels Active Directory Physical Components Active Directory Partitions Active Directory Objects Administering a Microsoft Windows Server 2003 Network Using Active Directory

Tools

Lesson: Active Directory Directory Services Overview

What Is Active Directory? Benefits of Active Directory DNS Integration Active Directory Naming Conventions

What Is Active Directory?

Active Directory

Directory service functionality

Organize Manage Control Resources

Centralized management
Single point of administration

Benefits of Active Directory

Windows Server 2003 without Active Directory provides significant benefits Scalable and reliable application server Internet Information Server 6.0 Remote access and VPN server Network Services (DNS and DHCP, for example) Windows Server 2003 with Active Directory provides additional benefits Authentication and authorization service Single sign-on across multiple servers and services

Centralized management of servers and client computers

Centralized administration of users and computers Centralized management of network resources

DNS Integration
Name resolution Resolve names of servers and clients to IP addresses and vice versa (possibly) Namespace definition An Active Directory domains name must be represented in DNS
Active Directory requires DNS DNS does not require Active Directory

Locating the physical components of Active Directory

Client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos protocol, LDAP, and so on

Active Directory Naming Conventions

LDAP Distinguished name CN=Jeff Smith, CN=Users, DC=contoso, DC=msft LDAP Relative distinguished name

User principal name (Kerberos)

JeffS@contoso.msft Service principal name

Globally unique identifier (GUID)

Uniqueness of names

Lesson: Active Directory Logical Components

What Are Domains? What Are Trees? What Are Forests? What Are Organizational Units? What Are Trust Relationships? Types of Trusts in Windows Server 2003

What Are Domains?

Logical partition in Active Directory database Collections of users, computers, groups, and so on Units of replication Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain Domain controllers do not replicate domain partition information for other domains
Replication

Windows 2000 or Windows Server 2003 Domain

What Are Trees?

One or more domains that share a contiguous DNS namespace, for example:

nwtraders.msft
childdomain.nwtraders.msft otherdomain.nwtraders.msft Child domains derive their namespace from parent Group policy, administration, and such do not flow across domain boundaries by default

What Are Forests?

One or more domains that share: Common schema

Common configuration
Automatic transitive trust relationships Common global catalog Forests can contain from as few as one domain to many domains and/or many trees Domains are not required to be in a single tree or share a namespace First domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003

What Are Organizational Units?

Container objects within a domain
Organizational structure
Paris Sales Repair

Network administrative model

Sales Users Computers

Used to organize resources to reflect administrative divisions; may not map to organizational structure

Used to delegate administrative authority

Used to apply Group Policy

What Are Trust Relationships?

Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains Some trusts are automatically created Parent-child domains trust each other

Tree root domains trust forest root domain

Other trusts are manually created Forest-to-forest transitive trusts can be created between Windows Server 2003 forests only (ie not between Windows 2000 forests).

Types of Trusts in Windows Server 2003

Default: two-way, transitive Kerberos trusts (intraforest) Shortcut: one- or two-way, transitive Kerberos trusts (intraforest) Reduce authentication requests Forest: one- or two-way, transitive Kerberos trusts Windows Server 2003 forests; Windows 2000 does not support forest trusts Only between forest roots Creates transitive domain trust relationships External: one-way, non-transitive NTLM trusts Used to connect to/from Microsoft Windows NT or external Windows 2000 domains Manually created Realm: one- or two-way, non-transitive Kerberos trusts Connect to/from UNIX MIT Kerberos realms

Lesson: Functional Levels

Forest and Domain Functional Levels Forest Functional Levels Forest Functional Levels: Features Domain Functional Levels Domain Functional Levels: Features

Forest and Domain Functional Levels

Functional levels determine: Supported domain controller operating system Active Directory features available Domain functional levels can be raised independently of one another Raising forest functional level is performed by Enterprise Administrator Requires all domains to be at Windows 2000 native or Windows Server 2003 functional levels

Forest Functional Levels: Features

Forest Functional Level Windows 2000 Features Supported
Install replica DC from media Universal group caching Same as Windows 2000, plus: LVR replication (Linked Value Replication new group structuring) Improved ISTG (Inter-Site Topology Generatorgenerates replication connections) Same as Windows Server 2003 Interim, plus: Dynamic auxiliary classes User to INetOrgPerson change Schema deactivation or reactivation Domain rename Forest trust

Windows Server 2003 Interim

Windows Server 2003

Domain Functional Levels: Features

Functional Level Features Supported
Install replica DC from media Universal group caching Application directory partitions UI enhancementssaved queries, dragand-drop
Same as Windows 2000 mixed, plus: Group nesting and converting Universal security and distribution groups Universal group membership caching SID history Same as Windows 2000 native, plus: Update logon timestamp attribute Kerberos KDC version numbers User password on INetOrgPerson Domain Rename

Windows 2000 mixed

Windows 2000 native/ Windows Server 2003 Interim

Windows Server 2003

Lesson: Active Directory Physical Components

What Are Sites? Why Use Sites? Domain Controllers What Is a Global Catalog? Global Catalog Servers Single Master Operations Schema Master Domain Naming Master PDC Emulator RID Master Infrastructure Master

What Are Sites?

Areas of fast network connectivity Single site may contain many domains Single domain may span many sites

Domain controllers are associated with a given site

Domain

Site

Why Use Sites?

Each site should have one or more subnets associated with it
Used by domain controllers to determine replication behavior Used by computers to locate closest domain controllers for authentication and searches of the directory Used by site-aware applications like DFS to locate network resources closest to client computers
Seattle New York Chicago Los Angeles IP Subnet IP Subnet

Site

Domain Controllers
Domain controllers provide authentication and authorization services

Domain controllers replicate directory partitions

Every domain controller in the forest has a replica of schema and configuration partitions

Every domain controller in a domain has a replica of that domains domain partition
Domain controllers may contain replicas of application partitions

What Is a Global Catalog?

Just as a telephone book contains limited information about all people and businesses within a city, the global catalog (GC) contains limited information about every object in a forest

Within the schema, certain attributes are marked for inclusion in the GC, and:
Searches are commonly performed against these attributes By searching against the GC, individual domains do not have to be queried in most cases: the GC can resolve Servers that hold a copy of the global catalog are called global catalog servers GCs are always domain controllers for some domain in the forest

By default, only the first domain controller in a forest is configured as a GC

In most cases, at least one domain controller in each site should be configured as a GC

Single Master Operations

Most operations in Active Directory are multi-master, meaning that any domain controller can write to the Active Directory database Some functionality must not be performed in multimaster fashion, so five single master operations roles are defined in Active Directory:

Schema master
Domain naming master RID master PDC emulator Infrastructure master

PDC Emulator
One per Active Directory domain Emulates PDC functionality for Windows NT BDCs Even in domains without Windows NT BDCs, PDC emulator role is still required Urgent replication events are sent to the PDC emulator; for example:
Account lockouts Changing of LSA secrets (trust passwords)

Numerous other functions rely on PDC emulator Default placement is first domain controller in domain

Lesson: Active Directory Objects

Security Principals What Is a SID? What Is a RID? What Is a GUID? Groups in Active Directory What Are Global Groups? What Are Universal Groups? What Are Domain Local Groups? Other Active Directory Objects

Security Principals
Entities that can initiate an action or be granted or denied access to resources

Users
InetOrgPerson Computers that are running:
Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003

Groups

Service accounts
If it can be placed into an access control list (ACL), it is a security principal

What Is a SID?
Security IDentifier Variable-length number that is used to identify security principals Used in ACLs to identify security principals that are granted or denied access to objects in Active Directory and file system resources When a security principal is moved from one domain to another in Windows Server 2003, the objects SID changes

When a security principal is moved within a domain, its SID does not change

What Is a RID?
Relative IDentifier When a security principal is created in a Windows Server 2003 domain, the principals SID is comprised of two concatenated values: The SID of the domain in which the principal is being created

A relative identifier that is unique within that domain When a security principal is moved to another domain, it receives a new SID, which is comprised of the SID of the destination domain and a RID that is unique within the that domain
Moves within a domain do not change SIDs or RIDs

What Is a GUID?
Globally Unique IDentifier 128-bit number generated at the time an object is created in the directory Never changes Travels with an object

When an object is moved, even between domains in a forest, its GUID does not change
Used by domain controllers to identify objects in Active Directory for purposes of replication Not used to identify security principals in ACLs

Groups in Active Directory

Group types Distribution groups
Not a security principal Used primarily as an e-mail distribution list

Security groups
Security principals Used to manage access to network resources

Group scopes Global groups

Universal groups
Domain local groups

What Are Global Groups?

Global group rules

Members

Can be a member of Scope Permissions

Mixed mode: User accounts from same domain Native mode: User accounts and global groups from same domain Mixed mode: Domain local groups Native mode: Universal and domain local groups in any domain, and global groups in the same domain Visible in its own domain and all trusted domains All domains in the forest

What Are Universal Groups?

Universal group rules

Members

Can be a member of Scope Permissions

Mixed mode: Not applicable Native mode: User accounts, global groups, and other universal groups from any domain in the forest Mixed mode: Not applicable Native mode: Domain local and universal groups in any domain Visible in all domains in a forest All domains in a forest

What Are Domain Local Groups?

Domain local group rules Mixed mode: User accounts and global groups from any domain Native mode: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain Mixed mode: None Native mode: Domain local groups in the same domain Visible only in its own domain Domain to which the domain local group belongs

Members

Can be a member of Scope Permissions

Other Active Directory Objects

Printer objects Used by clients to locate printers on the network Printer objects can be configured with multiple attributes (printing speed, color, location) to simplify searching for printers Shared folder objects Used by clients to locate shared folders on the network Shared folders can be configured with descriptions and key words to simplify searching Contact Used to store information about a person without creating a security principal

Lesson: Administering a Microsoft Windows Server 2003 Network Using Active Directory
Using Active Directory for Centralized Management Managing the User Environment Delegating Administrative Control

Using Active Directory for Centralized Management

Domain

Domain

OU1 Computers Computer1 Users User1 OU2 Users User2

Searc h

OU1

OU2

User1 Computer1 User2 Printer1

Active Directory: Enables a single administrator to centrally manage resources Enables administrators to easily locate information Enables administrators to group objects into organizational units Uses Group Policy to specify policy-based settings

Printers Printer1

Managing the User Environment

Domain
TM

OU1

OU2

OU3

Apply Group Policy Once

Windows Server Enforces Continually

1 2 3

Use Group Policy to: Control and lock down what users can do

Centrally manage software installation, repairs, updates, and removal

Configure user data to follow users whether they are online or offline

Delegating Administrative Control

Domain OU1 Admin1

Grant permissions: To delegate control to other administrators for specific OU3 organizational units To modify specific attributes of an object in a single organizational unit To perform the same task in all organizational units Customize administrative tools to: Map to delegated administrative tasks Simplify interface design

OU2

Admin2

Admin3

Group Policy Tools

Tool
GPResult.exe

Description
Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer Uses new WMI-based RSoP provider to show policy status Refreshes local and Active Directory Group Policy settings, including security settings Supersedes now obsolete /refreshpolicy option for secedit command

GPUpdate.exe

New Tools for Windows Server 2003

Tool
PowerCfg.exe WhoAmI.exe Where.exe ForFiles.exe FreeDisk.exe GettyPE.exe Inuse.exe

Description
Configures ACPI/hibernate state Classic logon script tool Powerful commandline search tool Enhances batch file control Checks space before launching scripts Determines SKU type in Windows Replaces files on next reboot

Tool
SetX.exe TimeOut.exe Choice.exe Clip.exe WaitFor.exe TakeOwn.exe VBS tools

Description
Sets environment variables Classic sleep tool with /Nobreak Enhances batch file control and select state Redirects output to clipboard and cut/paste Synchronizes start of batch files Sets ownership ACL on files Now digitally signed to work with SAFER

Key Support Tools

Tool
Activate.exe

Description
Bulk product licensing and rollout tool Active Directory diagnostics DNS server management Displays file version information LDAP query tool, any Active Directory object Network and security diagnostics

Tool
Netdom.exe

Description
Domain management tool Network Logon diagnostics GUI-based process inspection tool Replication diagnostics Replication monitoring tool Extended ACL management

ADdiag.exe
DNScmd.exe Filever.exe LDP.exe NetDiag.exe

Nltest.exe
Pviewer.exe RepAdmin.exe Replmon.exe Xcalcs.exe

DISCUSSION AND QUESTIONS