Overview
Active Directory Directory Services Overview
- Active Directory Logical Components
- Functional Levels
- Active Directory Physical Components
- Active Directory Partitions
- Active Directory Objects
Administering a Microsoft Windows Server 2003 Network Using Active Directory
Tools
What Is Active Directory?
- Benefits of Active Directory
- DNS Integration
- Active Directory Naming Conventions
Active Directory
Centralized management
Single point of administration
DNS Integration
- Name resolution: resolve names of servers and clients to IP addresses and (where reverse zones exist) vice versa
- Namespace definition: an Active Directory domain's name must be represented in DNS
- Active Directory requires DNS; DNS does not require Active Directory
- Client computers query DNS to locate domain controllers running specific services, such as the global catalog (GC), the Kerberos protocol, LDAP, and so on
nwtraders.msft
  childdomain.nwtraders.msft
  otherdomain.nwtraders.msft
- Child domains derive their namespace from the parent
- Group Policy, administration, and the like do not flow across domain boundaries by default
Common configuration
- Automatic transitive trust relationships
- Common global catalog
- Forests can contain from as few as one domain to many domains and/or many trees
- Domains are not required to be in a single tree or share a namespace
- The first domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003
Used to organize resources to reflect administrative divisions; may not map to organizational structure
(Diagram: a domain spanning two sites)
Domain Controllers
Domain controllers provide authentication and authorization services
Every domain controller in a domain has a replica of that domain's domain partition
Domain controllers may contain replicas of application partitions
Within the schema, certain attributes are marked for inclusion in the GC, and:
- Searches are commonly performed against these attributes
- By searching against the GC, individual domains do not have to be queried in most cases: the GC can resolve the query
- Servers that hold a copy of the global catalog are called global catalog servers
- GCs are always domain controllers for some domain in the forest
Operations master roles:
- Schema master
- Domain naming master
- RID master
- PDC emulator
- Infrastructure master
PDC Emulator
- One per Active Directory domain
- Emulates PDC functionality for Windows NT BDCs
- Even in domains without Windows NT BDCs, the PDC emulator role is still required
- Urgent replication events are sent to the PDC emulator; for example:
  - Account lockouts
  - Changing of LSA secrets (trust passwords)
- Numerous other functions rely on the PDC emulator
- Default placement is the first domain controller in the domain
Security Principals
Entities that can initiate an action or be granted or denied access to resources:
- Users
- InetOrgPerson
- Computers that are running Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003
- Groups
- Service accounts
If it can be placed into an access control list (ACL), it is a security principal
What Is a SID?
Security IDentifier
- Variable-length number that is used to identify security principals
- Used in ACLs to identify security principals that are granted or denied access to objects in Active Directory and file system resources
- When a security principal is moved from one domain to another in Windows Server 2003, the object's SID changes
- When a security principal is moved within a domain, its SID does not change
What Is a RID?
Relative IDentifier
- When a security principal is created in a Windows Server 2003 domain, the principal's SID is comprised of two concatenated values:
  - The SID of the domain in which the principal is being created
  - A relative identifier that is unique within that domain
- When a security principal is moved to another domain, it receives a new SID, which is comprised of the SID of the destination domain and a RID that is unique within that domain
- Moves within a domain do not change SIDs or RIDs
What Is a GUID?
Globally Unique IDentifier
- 128-bit number generated at the time an object is created in the directory
- Never changes; travels with an object
- When an object is moved, even between domains in a forest, its GUID does not change
- Used by domain controllers to identify objects in Active Directory for purposes of replication
- Not used to identify security principals in ACLs
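The SID, RID and GUID behaviour described above, worked through in code. This is an added example and not part of the original slides: it takes a SID string apart into its domain SID and RID, names well-known RIDs so an ACL audit can spot privileged principals, and shows which identifiers change on a cross-domain move versus a move within a domain. All SIDs, distinguished names and the GUID are constructed values; the `Principal` class and its move helpers are illustrative, not an Active Directory API.

```python
"""Added example (not from the original slides): take a SID string apart into
its domain SID and RID, flag well-known RIDs, and show which identifiers
change when a principal moves between domains versus within one.
All SIDs, names and GUIDs below are constructed for the example."""
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass, replace

# Documented well-known RIDs (the last sub-authority of a domain SID).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Any SID: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# A domain SID: S-1-5-21 followed by three sub-authorities (no RID yet).
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain principal's SID.
    Rejects malformed strings and non-domain SIDs such as BUILTIN ones."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain principal SID: {sid!r}")
    return domain_sid, int(rid)


def well_known_name(sid: str) -> str | None:
    """Name of the well-known principal this SID's RID denotes, if any."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid)


def privileged_entries(acl_sids: list[str]) -> dict[str, str]:
    """Map each SID in an ACL whose RID is a well-known privileged one to its
    name; handy when auditing who has been granted access to a resource."""
    found = {}
    for sid in acl_sids:
        name = well_known_name(sid)
        if name in ("Administrator", "Domain Admins", "Enterprise Admins"):
            found[sid] = name
    return found


@dataclass(frozen=True)
class Principal:
    dn: str    # distinguished name: changes on any move
    sid: str   # domain SID + RID: changes only on a cross-domain move
    guid: str  # objectGUID: never changes


def move_within_domain(p: Principal, new_dn: str) -> Principal:
    """Move between OUs of one domain: the DN changes, SID and GUID do not."""
    return replace(p, dn=new_dn)


def move_to_domain(p: Principal, target_domain_sid: str, new_rid: int,
                   new_dn: str) -> Principal:
    """Cross-domain move: a new SID is formed from the target domain's SID and
    a RID unique there; the GUID travels with the object unchanged."""
    if not DOMAIN_SID_RE.match(target_domain_sid):
        raise ValueError("target must be a domain SID")
    return replace(p, dn=new_dn, sid=f"{target_domain_sid}-{new_rid}")


if __name__ == "__main__":
    alice = Principal(                                     # constructed object
        dn="CN=alice,OU=Sales,DC=nwtraders,DC=msft",
        sid="S-1-5-21-1111-2222-3333-1105",
        guid=str(uuid.UUID("12345678-1234-5678-1234-567812345678")),
    )
    print(split_sid(alice.sid))
    moved = move_to_domain(alice, "S-1-5-21-4444-5555-6666", 1201,
                           "CN=alice,OU=Sales,DC=childdomain,DC=nwtraders,DC=msft")
    print(moved.sid, "GUID unchanged:", moved.guid == alice.guid)
    print(privileged_entries(["S-1-5-21-1111-2222-3333-512",
                              "S-1-5-21-1111-2222-3333-1105"]))
```

Because the RID is only unique within its domain, `privileged_entries` keys its result by the full SID rather than the bare RID; two domains both have a RID 512 group, and only the domain SID tells them apart.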
Security groups
Security principals Used to manage access to network resources
Group scopes
Global groups
  Members (mixed mode): User accounts from the same domain
  Members (native mode): User accounts and global groups from the same domain
  Can be a member of (mixed mode): Domain local groups
  Can be a member of (native mode): Universal and domain local groups in any domain, and global groups in the same domain
  Visibility: Visible in its own domain and all trusted domains
  Can be granted permissions in: All domains in the forest
Universal groups
  Members (mixed mode): Not applicable
  Members (native mode): User accounts, global groups, and other universal groups from any domain in the forest
  Can be a member of (mixed mode): Not applicable
  Can be a member of (native mode): Domain local and universal groups in any domain
  Visibility: Visible in all domains in the forest
  Can be granted permissions in: All domains in the forest
Domain local groups
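The membership and nesting rules in the group-scope table above, encoded as a checker. This is an added example, not part of the original slides: it covers global and universal groups as the slide states them, plus the two facts about domain local groups that the "can be a member of" rows imply (global groups may be nested in them in either mode, universal groups in native mode), and refuses to answer anything the slide does not cover. Domain and group names are constructed; `DirObject`, `can_be_member` and `audit` are illustrative names, not Active Directory APIs.

```python
"""Added example (not from the original slides): the group-scope rules from
the table above, for global and universal groups as the slide gives them,
encoded as a checker for proposed group memberships. Domain and group
names are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DirObject:
    name: str
    kind: str    # "user", "global", "universal" or "domainlocal"
    domain: str  # DNS name of the domain the object lives in


def can_be_member(member: DirObject, group: DirObject, mode: str) -> bool:
    """True if `member` may be added to `group` under the given domain mode.
    Rules come from the slide's members / can-be-a-member-of rows."""
    if mode not in ("mixed", "native"):
        raise ValueError(f"unknown mode: {mode}")
    same_domain = member.domain == group.domain

    if group.kind == "global":
        # Mixed mode: user accounts from the same domain.
        # Native mode: user accounts and global groups from the same domain.
        allowed = ("user",) if mode == "mixed" else ("user", "global")
        return member.kind in allowed and same_domain

    if group.kind == "universal":
        # Mixed mode: not applicable (universal security groups unavailable).
        # Native mode: users, global groups and other universal groups from
        # any domain in the forest.
        if mode == "mixed":
            return False
        return member.kind in ("user", "global", "universal")

    if group.kind == "domainlocal":
        # Only what the slide's "can be a member of" rows imply: global groups
        # nest here in either mode, universal groups in native mode.
        if member.kind == "global":
            return True
        if member.kind == "universal":
            return mode == "native"
        raise ValueError("domain local membership for this object kind is not covered here")

    raise ValueError(f"unknown group kind: {group.kind}")


def audit(proposed: list[tuple[DirObject, DirObject]], mode: str) -> list[str]:
    """Return one message per proposed (member, group) pair the rules reject."""
    problems = []
    for member, group in proposed:
        if not can_be_member(member, group, mode):
            problems.append(
                f"{member.name} ({member.kind}, {member.domain}) cannot be a "
                f"member of {group.name} ({group.kind}, {group.domain}) in {mode} mode")
    return problems


if __name__ == "__main__":
    # Constructed objects in the slide's nwtraders.msft namespace.
    sales = DirObject("Sales", "global", "nwtraders.msft")
    all_sales = DirObject("AllSales", "universal", "nwtraders.msft")
    bob = DirObject("bob", "user", "childdomain.nwtraders.msft")
    for line in audit([(bob, sales), (sales, all_sales), (all_sales, sales)], "native"):
        print(line)
```

Running the block reports two rejected pairs: a user from the child domain cannot join a global group in the parent domain, and a universal group cannot be nested in a global group, while a global group nested in a universal group passes.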
Lesson: Administering a Microsoft Windows Server 2003 Network Using Active Directory
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control
(Diagram: searching a domain containing OU1 and OU2)
Active Directory:
- Enables a single administrator to centrally manage resources
- Enables administrators to easily locate information
- Enables administrators to group objects into organizational units
- Uses Group Policy to specify policy-based settings
(Diagram: a domain containing OU1, OU2 and OU3, with a printer object Printer1)
Use Group Policy to control and lock down what users can do
Grant permissions:
- To delegate control of specific organizational units to other administrators
- To modify specific attributes of an object in a single organizational unit
- To perform the same task in all organizational units
Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design
(Diagram: control of OU2 delegated to Admin2 and Admin3)
Tool: Description
GPResult.exe: Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer; uses the new WMI-based RSoP provider to show policy status
GPUpdate.exe: Refreshes local and Active Directory Group Policy settings, including security settings; supersedes the now obsolete /refreshpolicy option of the secedit command
Description
- Configures ACPI/hibernate state
- Classic logon script tool
- Powerful command-line search tool
- Enhances batch file control
- Checks space before launching scripts
- Determines SKU type in Windows
- Replaces files on next reboot
Tool: Description
SetX.exe: Sets environment variables
TimeOut.exe: Classic sleep tool with /Nobreak
Choice.exe: Enhances batch file control and select state
Clip.exe: Redirects output to the clipboard for cut and paste
WaitFor.exe: Synchronizes the start of batch files
TakeOwn.exe: Sets the ownership ACL on files
VBS tools: Now digitally signed to work with SAFER
Tool: Description
Bulk product licensing and rollout tool
ADdiag.exe: Active Directory diagnostics
DNScmd.exe: DNS server management
Filever.exe: Displays file version information
LDP.exe: LDAP query tool for any Active Directory object
NetDiag.exe: Network and security diagnostics
Netdom.exe: Domain management tool
Nltest.exe: Network logon diagnostics
Pviewer.exe: GUI-based process inspection tool
RepAdmin.exe: Replication diagnostics
Replmon.exe: Replication monitoring tool
Xcalcs.exe: Extended ACL management