Hands-On Microsoft Windows Server 2008
Chapter 4, Part 1: Introduction to Active Directory and Account Manager
Hands-On Microsoft Windows Server 2008 - Edited by Maysoon Al-Duwais 2
Objectives
• Understand Active Directory basic concepts
• Install and configure Active Directory
• Implement Active Directory containers
Introduction to Active Directory (AD)
• Just as the nervous system controls everything in the human body, Active Directory coordinates servers, client computers, printers, shared files, and other resources in a Windows Server 2008 network.
• Active Directory also secures network resources.
• Active Directory accomplishes all its tasks by providing a hierarchy of management elements that enable you to organize resources.
Active Directory Basics
• What is Active Directory (AD)?
– A directory service that houses information about all network resources, such as servers, printers, user accounts, groups of user accounts, security policies, and other information
• Active Directory is also referred to as Active Directory Domain Services (AD DS).
• It is responsible for providing a central listing of resources, ways to quickly find and access specific resources, and a way to manage network resources
Active Directory Basics (continued)
• Windows Server 2008 uses Active Directory to manage accounts, groups, and many more network management services
• Domain controllers (DCs)
– Servers that have the AD DS server role installed
– Contain writable copies of the information in Active Directory
Domain Controller Replication
• In Windows Server 2008, every DC is equal to every other DC, in that each one contains all of the information that makes up Active Directory.
• If information on one DC changes, the change is replicated to all other DCs. This process is called multimaster replication.
• The advantage of this approach is that if one DC fails, Active Directory can still be accessed from the other DCs.
Domain Controller Replication
• Windows Server 2008 allows you to:
1. Set how replication of AD information occurs:
• At a fixed interval
• Or as soon as an update occurs
2. Determine how much of AD is replicated each time it is copied from one DC to another.
• Active Directory is built to make replication efficient, so that it transports as little data as possible.
Active Directory Basics (continued)
• Object
– An object is any resource contained in the domain (such as a user, printer, or scanner)
– An object is associated with a particular domain
– Every object has a globally unique identifier (GUID), which is a unique number associated with it.
Schema
– The AD schema defines the objects, and the information associated with those objects, that are stored in AD.
– For a given object, the schema is a small database of information associated with that object, including the object class and its attributes.
• Example: object std from class Student and its attributes (F_Name, L_Name, Address, City)
– Schema information for objects in a domain is replicated on every DC.
Global catalog
• The global catalog stores information about every object within a forest.
• The first DC configured in a forest becomes the global catalog server.
• The global catalog server will store a full copy of every object within its own domain and a partial copy of each object within every domain in the forest.
Global catalog
• The global catalog serves the following purposes:
– Authenticating users when they log on
– Providing lookup and access to all resources in all domains
– Providing replication of key Active Directory elements
– Keeping a copy of the most used attributes for each object for quick access
Namespace
• Active Directory uses the Domain Name System (DNS), which means there must be a DNS server on the network that AD can access.
• DNS is a TCP/IP-based name service that converts computer and domain host names to dotted decimal addresses (IP addresses) and vice versa, through a process called name resolution.
• A namespace is a logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution.
• Active Directory depends on one or more DNS servers to resolve names within a designated logical DNS namespace.
Namespaces
• A contiguous namespace is one in which every child object contains the name of the parent object.
– Example: the object msdn2.microsoft.com and its parent object microsoft.com.
• A disjointed namespace is one in which the child name does not resemble the name of its parent object.
– Example: when the parent for a university is uni.edu and a child is bio.ethicsresearch.com.
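The contiguous/disjointed distinction above, as an added example that is not part of the slides: a small Python checker that compares DNS names label by label (so a name that merely ends in the same characters is not mistaken for a child) and, going beyond the two slide examples, sorts a forest's domains under the tree root each belongs to. All names other than the slides' own are constructed.

```python
# Added example, not from the slides: decide whether a child DNS name is
# contiguous with (falls under) a parent name, and sort a forest's domains
# into trees. Labels are compared whole, so "notmicrosoft.com" is NOT a
# child of "microsoft.com" even though it ends with the same characters.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [lab for lab in name.strip().lower().rstrip(".").split(".") if lab]

def is_contiguous(child, parent):
    """True when the child's name is the parent's name with extra labels in front."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[-len(p):] == p

def namespace_relation(child, parent):
    """Classify the pair using the slide's terms."""
    return "contiguous" if is_contiguous(child, parent) else "disjointed"

def classify_forest(tree_roots, domains):
    """Map each domain to the tree root it sits under. A domain that is
    disjointed from every root maps to None: it would need its own tree."""
    placement = {}
    for domain in domains:
        placement[domain] = next(
            (root for root in tree_roots
             if labels(domain) == labels(root) or is_contiguous(domain, root)),
            None,
        )
    return placement

if __name__ == "__main__":
    # Constructed sample: the two pairs from the slides plus a look-alike name.
    for child, parent in [("msdn2.microsoft.com", "microsoft.com"),
                          ("bio.ethicsresearch.com", "uni.edu"),
                          ("notmicrosoft.com", "microsoft.com")]:
        print(f"{child:28} vs {parent:16} -> {namespace_relation(child, parent)}")
    print(classify_forest(["uni.edu", "ethicsresearch.com"],
                          ["bio.uni.edu", "bio.ethicsresearch.com", "partner.org"]))
```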
Forest
• At the highest level in an Active Directory design is the forest.
• A forest consists of one or more AD trees that are in a common relationship and that have the following features:
1. The trees can use a disjointed namespace.
2. All trees use the same schema.
3. All trees use the same global catalog.
Forest
4. Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest.
5. Two-way transitive trusts (resources shared equally) are automatically configured between domains within a single forest.
Forest Functional Levels
• The forest functional level refers to the Active Directory functions supported forest-wide.
• Windows Server 2008 Active Directory recognizes three types of forest functional levels:
– Windows 2000 Native forest functional level: Provides AD functions compatible with a network that has a combination of Windows 2000, 2003, and 2008 DCs.
Forest Functional Levels
– Windows Server 2003 forest functional level: Intended for Windows Server 2003 and 2008 DCs only, and enables more forest management functions.
– Windows Server 2008 forest functional level: Contains only Windows Server 2008 domain controllers.
• Currently this level has no more functional features than the Windows Server 2003 forest functional level.
• New features could be added later.
Tree
• A tree contains one or more domains that are in a common relationship, and it has the following features:
– Domains are represented in a contiguous namespace and can be in a hierarchy.
– Two-way trusts exist between parent and child domains.
– All domains in a single tree use the same schema.
– All domains use the same global catalog.
Domains
• A domain is a grouping of objects that typically exists as a primary container within Active Directory.
• A domain usually represents how a business, government, or school is organized.
• The basic functions of a domain are as follows:
– To provide an AD "partition" in which to contain objects, such as accounts and groups, that have a common relationship, particularly in terms of management and security
– To facilitate management of a set of objects
[Figure: Active Directory containing a domain, its objects, and a domain controller]
Organizational Unit
• Organizational unit (OU)
– An OU is a grouping of related objects within a domain
– OUs allow the grouping of objects so that they can be administered using the same group policies
– OUs are similar to the idea of having subfolders within a folder.
– OUs can be used to reflect the structure of the organization without having to completely restructure the domain(s) when that structure changes.
• OUs can be nested within OUs
Organizational Unit (continued)
• When you plan to create OUs, keep the following concerns in mind:
– Microsoft recommends that you limit OUs to 10 levels or fewer
– Active Directory works more efficiently when OUs are set up horizontally instead of vertically. How?
– The creation of OUs involves more processing time.
Active Directory Guidelines
1. Above all, keep Active Directory as simple as possible
– Plan its structure before you implement it
2. Implement the least number of domains possible
– With one domain being the ideal and building from there
3. Implement only one domain on most small networks
Active Directory Guidelines
6. Use OUs to reflect the organization's structure
7. Create only the number of OUs that are absolutely necessary
8. Do not build an AD with more than 10 levels of OUs
9. Implement multiple trees and forests only as necessary.
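The 10-level OU limit from the Organizational Unit slide and from guideline 8 above, as an added example that is not from the slides or the textbook: a Python function that parses an LDAP-style distinguished name (DN), counts how many OU levels the object sits under, and flags objects that exceed the limit. The DNs, OU names and the MAX_OU_LEVELS constant are constructed for this example.

```python
# Added example, not from the slides: measure how deeply an object is
# nested in OUs by parsing its distinguished name (DN), and flag objects
# beyond Microsoft's recommended 10 levels. DNs and names are constructed.

MAX_OU_LEVELS = 10  # limit quoted on the slides (constant name chosen here)

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def rdn_parts(dn):
    """Yield (ATTRIBUTE, value) pairs with the attribute type upper-cased."""
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        yield attr.strip().upper(), value.strip()

def ou_path(dn):
    """OU chain from the domain root down to the object (a DN lists the leaf first)."""
    return [v for a, v in rdn_parts(dn) if a == "OU"][::-1]

def domain_of(dn):
    """Dotted DNS domain name rebuilt from the DC components."""
    return ".".join(v for a, v in rdn_parts(dn) if a == "DC")

def check_ou_depth(dn, limit=MAX_OU_LEVELS):
    path = ou_path(dn)
    return {"domain": domain_of(dn), "ou_levels": len(path), "path": path,
            "within_guideline": len(path) <= limit}

if __name__ == "__main__":
    # Constructed sample DNs: a shallow object and one nested 11 levels deep.
    shallow = "CN=std,OU=Students,OU=Biology,DC=uni,DC=edu"
    deep = "CN=std," + ",".join(f"OU=Level{i}" for i in range(11)) + ",DC=uni,DC=edu"
    for dn in (shallow, deep):
        print(check_ou_depth(dn))
```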