Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager

Dec 13, 2015

Charles Wilcox

Transcript
Page 1: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Hands-On Microsoft Windows Server 2008

Chapter 4-Part 1: Introduction to Active Directory and Account Manager

Page 2: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Hands-On Microsoft Windows Server 2008 - Edited by Maysoon Al-Duwais

Objectives

• Understand Active Directory basic concepts

• Install and configure Active Directory

• Implement Active Directory containers

Page 3: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Introduction to Active Directory (AD)

• Just as the nervous system controls everything in the human body, Active Directory coordinates servers, client computers, printers, shared files, and other resources in a Windows Server 2008 network.

• Active Directory also secures network resources.

• Active Directory accomplishes all its tasks by providing a hierarchy of management elements that enable you to organize resources.

Page 4: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Active Directory Basics

• What is Active Directory (AD)?

• A directory service that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information

• Active Directory is also referred to as Active Directory Domain Services or AD DS.

• Responsible for providing a central listing of resources and ways to quickly find and access specific resources, and for providing a way to manage network resources

Page 5: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Active Directory Basics (continued)

• Windows Server 2008 uses Active Directory to manage accounts, groups, and many more network management services

• Domain controllers (DCs)

– Servers that have the AD DS server role installed

– Contain writable copies of information in Active Directory

Page 6: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Domain Controller Replication

• In Windows Server 2008, each DC is equal to every other DC, in that each contains all the information that composes Active Directory.

• If information on one DC changes, it is replicated to all other DCs. This process is called multimaster replication.

• The advantage of this approach is that if one DC fails, Active Directory can still be accessed from the other DCs.

Page 7: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Domain Controller Replication

• Windows Server 2008 allows you to:

1. Set how replication of AD information occurs:

• At a fixed interval

• Or as soon as an update occurs

2. Determine how much of AD is replicated each time it is copied from one DC to another.

• Active Directory is built to make replication efficient so that it transports as little data as possible.

Page 8: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Active Directory Basics (continued)

• Object

– An object is every resource contained in the domain (such as a user, printer, or scanner)

– An object is associated with a particular domain

– Every object has a globally unique identifier (GUID), which is a unique number associated with it.


Page 10: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Schema

– The AD schema defines the objects and the information associated with those objects stored in AD.

– The schema is a small database of information associated with that object, including the object class and its attributes.

• Example: object std from class Student and its attributes (F_Name, L_Name, Address, City)

– Schema information for objects in a domain is replicated on every DC.

Page 11: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.


Global catalog

• The global catalog stores information about every object within a forest.

• The first DC configured in a forest becomes the global catalog server.

• The global catalog server will store a full copy of every object within its own domain and a partial copy of each object within every domain in the forest


Page 12: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Global catalog

• The global catalog serves the following purposes:

– Authenticating users when they log on

– Providing lookup and access to all resources in all domains

– Providing replication of key Active Directory elements

– Keeping a copy of the most used attributes for each object for quick access

Page 13: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Namespace

• Active Directory uses Domain Name System (DNS), which means there must be a DNS server on the network that AD can access

• DNS is a TCP/IP-based name service that converts computer and domain host names to dotted decimal addresses (IP addresses) and vice versa, through a process called name resolution.

• A namespace is a logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution.

• Active Directory depends on one or more DNS servers to resolve names within a designated logical DNS namespace

Page 14: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Namespaces

• A contiguous namespace is one in which every child object contains the name of the parent object.

– Example: object msdn2.microsoft.com and its parent object microsoft.com.

• A disjointed namespace is one in which the child name does not resemble the name of its parent object.

– Example: when the parent for a university is uni.edu, and a child is bio.ethicsresearch.com.


Page 16: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Forest

• At the highest level in an Active Directory design is the forest.

• A forest consists of one or more AD trees that are in a common relationship and that have the following features:

1. The trees can use a disjointed namespace.

2. All trees use the same schema.

3. All trees use the same global catalog.

Page 17: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Forest

4. Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest.

5. Two-way transitive trusts (resources shared equally) are automatically configured between domains within a single forest.

Page 18: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Forest Functional Levels

• The forest functional level refers to the Active Directory functions supported forest-wide.

• Windows Server 2008 Active Directory recognizes three types of forest functional levels:

– Windows 2000 Native forest functional level: Provides AD functions compatible with a network that has a combination of Windows 2000, 2003 and 2008 DCs.

Page 19: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Forest Functional Levels

– Windows Server 2003 forest functional level: Intended for Windows Server 2003 & 2008 DCs only and enables more forest management functions.

– Windows Server 2008 forest functional level: Contains only Windows Server 2008 domain controllers.

• Currently this level has no more functional features than the Windows Server 2003 forest functional level.

• New features could be added later.

Page 20: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Tree

• A tree contains one or more domains that are in a common relationship and that have the following features:

– Domains are represented in a contiguous namespace and can be in a hierarchy.

– Two-way trusts exist between parent & child domains.

– All domains in a single tree use the same schema.

– All domains use the same global catalog.
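The namespace rules on the Namespaces, Forest and Tree slides (domains in one tree share a contiguous namespace; the trees of a forest may use a disjointed namespace) can be checked mechanically. The Python below is an added example written for this transcript, not code from the textbook or its slides: given a list of domain DNS names it decides which names sit under which, attaches each domain to the tree of its nearest ancestor, and reports how many trees the forest has. The function names and the sample list (built from the slide examples) are this example's own assumptions.

```python
"""Group Active Directory domain DNS names into trees by namespace.

Added example for this transcript, not textbook code. A child domain is
"contiguous" with a parent when its DNS name ends with the parent's name
(msdn2.microsoft.com under microsoft.com). A domain with no ancestor in the
set becomes a tree root; a forest with several roots has a disjointed
namespace between its trees (uni.edu beside bio.ethicsresearch.com).
"""
from typing import Dict, Iterable, List, Optional


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.strip().rstrip(".").lower()


def is_contiguous(child: str, parent: str) -> bool:
    """True when `child` sits below `parent` in the same DNS namespace.

    The check requires a full label boundary: 'microsoft.com' is not a
    child of 'soft.com', even though the string happens to end with it.
    """
    child, parent = normalize(child), normalize(parent)
    return child != parent and child.endswith("." + parent)


def nearest_parent(domain: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the longest candidate that is an ancestor of `domain`, if any."""
    ancestors = [c for c in candidates if is_contiguous(domain, c)]
    return max(ancestors, key=len) if ancestors else None


def build_forest(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each tree root to the sorted list of domains in that tree.

    Names are processed from fewest labels to most, so every possible
    ancestor is already assigned to a tree before its children are seen.
    """
    names = sorted({normalize(d) for d in domains}, key=lambda n: n.count("."))
    root_of: Dict[str, str] = {}
    for name in names:
        parent = nearest_parent(name, root_of)
        root_of[name] = root_of[parent] if parent else name
    forest: Dict[str, List[str]] = {}
    for name, root in root_of.items():
        forest.setdefault(root, []).append(name)
    return {root: sorted(members) for root, members in forest.items()}


def namespace_kind(forest: Dict[str, List[str]]) -> str:
    """One tree means a contiguous namespace; several roots mean disjointed."""
    return "contiguous" if len(forest) == 1 else "disjointed"


if __name__ == "__main__":
    # Constructed sample built from the slide examples, not a real forest.
    sample = ["microsoft.com", "msdn2.microsoft.com", "uni.edu",
              "bio.ethicsresearch.com"]
    trees = build_forest(sample)
    for root, members in trees.items():
        print(f"tree rooted at {root}: {members}")
    print("forest namespace:", namespace_kind(trees))
```

Run against the slide's own examples this yields three trees (microsoft.com with msdn2.microsoft.com beneath it, uni.edu, and bio.ethicsresearch.com), which is exactly the "disjointed namespace" case a multi-tree forest permits; feeding it only a parent and its child domains yields one tree and a contiguous namespace.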

Page 21: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Domains

• A domain is a grouping of objects that typically exists as a primary container within Active Directory.

• A domain usually represents how a business, government, or school is organized.

• The basic functions of a domain are as follows:

– To provide an AD ‘‘partition’’ in which to contain objects, such as accounts and groups, that have a common relationship, particularly in terms of management and security

– To facilitate management of a set of objects

Page 22: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

[Figure: Active Directory, showing a domain, its objects, and a domain controller]

Page 23: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Organizational Unit

• Organizational unit (OU)

– An OU is a grouping of related objects within a domain

– OUs allow the grouping of objects so that they can be administered using the same group policies

– OUs are similar to the idea of having subfolders within a folder.

– OUs can be used to reflect the structure of the organization without having to completely restructure the domain(s) when that structure changes.

• OUs can be nested within OUs

Page 24: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Organizational Unit (continued)

• When you plan to create OUs, keep the following concerns in mind:

– Microsoft recommends that you limit OUs to 10 levels or fewer

– Active Directory works more efficiently when OUs are set up horizontally instead of vertically. How?

– The creation of OUs involves more processing time.

Page 25: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Active Directory Guidelines

1. Above all, keep Active Directory as simple as possible

– Plan its structure before you implement it

2. Implement the least number of domains possible

– With one domain being the ideal and building from there

3. Implement only one domain on most small networks

Page 26: Hands-On Microsoft Windows Server 2008 Chapter 4-Part 1 Introduction to Active Directory and Account Manager.

Active Directory Guidelines

6. Use OUs to reflect the organization’s structure

7. Create only the number of OUs that are absolutely necessary

8. Do not build an AD with more than 10 levels of OUs

9. Implement multiple trees and forests only as necessary.
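Guideline 8 and the Organizational Unit slides both cite the recommendation of no more than 10 levels of OUs. The Python below is an added example for this transcript, not code from the textbook: it parses an LDAP distinguished name into its relative distinguished names, counts the OU components between an object and the domain root, and reports objects nested deeper than a chosen limit. It honours backslash-escaped commas inside a value, which a naive split on commas would mis-count as extra levels. The sample DNs are constructed for illustration and the function names are this example's own.

```python
"""Audit OU nesting depth from distinguished names (DNs).

Added example, not textbook code. An AD object's DN such as
'CN=jdoe,OU=Sales,OU=EMEA,DC=example,DC=com' lists its container path from
the object up to the domain; the number of OU= components is the OU depth
the slides ask you to keep at 10 levels or fewer.
"""
from typing import Iterable, List, Tuple

MAX_OU_LEVELS = 10  # recommendation quoted on the slides


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    LDAP separates RDNs with commas; a literal comma inside a value is
    written as '\\,' and must not be treated as a separator. The escape
    is kept in the returned value unchanged.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def ou_depth(dn: str) -> int:
    """Number of OU components between the object and the domain root."""
    return sum(1 for attr, _ in split_rdns(dn) if attr == "OU")


def ou_path(dn: str) -> List[str]:
    """OU names ordered from the domain root down to the object's container."""
    return [value for attr, value in reversed(split_rdns(dn)) if attr == "OU"]


def audit(dns: Iterable[str], max_levels: int = MAX_OU_LEVELS) -> List[Tuple[str, int]]:
    """Return (dn, depth) for every DN nested deeper than max_levels."""
    findings = []
    for dn in dns:
        depth = ou_depth(dn)
        if depth > max_levels:
            findings.append((dn, depth))
    return findings


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    sample = [
        "CN=Doe\\, Jane,OU=Sales,OU=EMEA,DC=example,DC=com",
        "CN=printer01,OU=Printers,DC=example,DC=com",
        "CN=deep," + ",".join(f"OU=Level{i}" for i in range(11)) + ",DC=example,DC=com",
    ]
    for dn in sample:
        print(ou_depth(dn), "/".join(ou_path(dn)))
    for dn, depth in audit(sample):
        print(f"over limit ({depth} OU levels): {dn}")
```

In a real audit the DNs would come from an LDAP query against the domain (for example, Get-ADObject in PowerShell); this script only shows the depth check itself, which is the part worth getting right because a deeply nested OU tree is both slower to process and harder to reason about when assigning group policies.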