3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory

3.1 © 2004 Pearson Education, Inc.

Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment

Lesson 3: Introducing Active Directory

Identifying the Features of Active Directory Active Directory is the directory service for Windows Server 2003

Features

Centralized management

Security

Object-oriented storage

Hierarchical organization

Multi-master replication

Integration with DNS

Lightweight Directory Access Protocol (LDAP) support

Standard name formats

Scalability

(Skill 1)




Figure 3-1 Active Directory

(Skill 1)




Figure 3-2 Replication

(Skill 1)




Figure 3-4 Schema

(Skill 3)




Examining Underlying Active Directory Concepts (2)

Global catalog Stores a full Read-Write replica of all object attributes in

the directory for its host domain Stores a partial replica of all object attributes contained in

the directory for every domain in the forest along with universal groups and group members

Has the ability to search the entire forest, but also keeps the database relatively light, allowing for improved replication

Global catalog server is the name of the domain controller that maintains the global catalog

(Skill 3)




Figure 3-5 Global Catalog in Active Directory

(Skill 3)




Examining Underlying Active Directory Concepts (3)

Namespace Bounded area in which the names used to identify objects are resolved Defines the domain structure in Active Directory

Provides name resolution through the use of the Domain Name System (DNS), which is central to the operation of Windows networks

Without proper name resolution, users cannot locate resources on the network

Domains with contiguous namespaces are members of the same tree A forest is a collection of domains sharing the same schema,

configuration, and global catalog

(Skill 3)




Figure 3-6 Contiguous namespaces (tree)

(Skill 3)




Figure 3-7 Disjointed namespaces (multiple trees)

(Skill 3)




Figure 3-8 Naming conventions

(Skill 3)




Introducing the Basic Elements ofActive Directory

ObjectAny “thing” (tangible or abstract) about which data is

storedCan be a network resource, such as a user, group,

printer, or a virtual object such as a forest, tree, domain, or OU

Each is defined by a set of attributes related to its properties

When you create an object, the Active Directory is populated with some of the attributes for the object

(Skill 4)




Introducing the Basic Elements ofActive Directory (2)

Common types of objects Computer User Group Shared Folder Printer

(Skill 4)





Domain A group of computers and devices on a network that

constitute a single security boundary within Active Directory, but can span more than one physical location

Each has its own security policies and security relationships with other domains

Domains co-existing under the same namespace form a single tree

When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a forest

(Skill 4)





Types of computers in a domain Domain controller

A computer that stores a replica of the directory database Stores security policies and accounts

Member server A Windows NT 4.0, 2000, or Server 2003 computer that is part of

a domain Does not store a replica of the directory database

Client computers Computers running operating systems that can communicate

with the Active Directory for user authentication and resource access

(Skill 4)




Figure 3-10 Hierarchical structure of Active Directory

(Skill 4)





Organizational unit (OU) A container object for organizing objects within a domain Can contain users, groups, resources, and other OUs Enables the delegation of administration to distinct segments of the

directory, which provides more flexibility in managing the objects in a business unit, department, or other organizational division

Administration of grouped OUs Creation and organization of child OUs Delegation of permissions within specific OUs Assignment of Group Policy links

(Skill 4)





Tree A set of one or more domains in a hierarchical structure The first domain created in the forest is called the forest root and this

is where the forest name is specified All domain trees in a forest share the same forest root If a new tree is created after the forest root, the first domain that is

added to this tree is called the root domain Domains under the root domain are called child domains Any domain immediately above another domain is called the parent

domain

(Skill 4)




Figure 3-11 Multiple domains in a tree

(Skill 4)





Forest A group of one or more Active Directory domains sharing a

common schema, configuration, global catalog, and two-way, transitive trusts

All trees in a given forest trust each other through transitive two-way trust relationships

A forest exists as a set of cross-referenced objects and trust relationships known to the member trees

Trees in a forest form a hierarchy for the purposes of trust

(Skill 4)




Figure 3-12 Forest

(Skill 4)




Figure 3-14 A domain/OU structure for an organization

(Skill 5)




Installing Active Directory

After completing the planning phase, install Active Directory on the Windows Server 2003 using the Active Directory Installation Wizard (Dcpromo.exe)

After first-time installationActive Directory forest is createdFirst domain created in the forest is the forest rootForest root comprises the first Active Directory tree and

this first domain is called the root domainDomains created under the root domain are called child

domains

(Skill 6)




Installing Active Directory (2)

Mixed mode When you create a domain, by default the domain is

configured to run in Windows 2000 mixed mode Allows the coexistence of Windows NT, Windows 2000,

and Windows Server 2003 domains

Windows 2000 native mode If your domain consists of only Windows 2000 domain

controllers, you can switch to Windows 2000 native mode

Native mode supports Windows 2000 and Windows Server 2003 domains

(Skill 6)




Installing Active Directory (3)

Windows Server 2003 interim mode If your domain has only Windows NT 4.0 servers, and

you upgrade a server to Windows Server 2003, you can use Windows Server 2003 interim mode

Used when there are no Windows 2000 servers and you upgrade a Windows NT PDC to Windows Server 2003

Windows Server 2003 mode If your domain consists of only Windows Server 2003

domain controllers, you can switch to Windows Server 2003 mode

Supports the full Windows Server 2003 Active Directory implementation

(Skill 6)




Figure 3-18 The Domain Controller Type screen

(Skill 6)




Figure 3-19 The Create New Domain screen

(Skill 6)




Figure 3-20 Specifying the full DNS domain name

(Skill 6)




Figure 3-21 The NetBIOS Domain Name screen

(Skill 6)




Figure 3-22 The Permissions screen

(Skill 6)




Figure 3-23 An empty console window

(Skill 7)




Figure 3-24 Setting the Author mode in the Console Options dialog box

(Skill 7)




Figure 3-25 The Add Standalone Snap-in dialog box

(Skill 7)




Figure 3-26 Using a snap-in to manage the local computer

(Skill 7)




Creating Organizational Units

You use the Active Directory Users and Computers console to create an organizational unit (OU) and to add objects to OUs

You can create an OU in a domain, in a domain controller object, or in another OU if you have been delegated permission to do so

By default, Windows Server 2003 grants permission to members of the Administrators group to create an OU

(Skill 8)




Figure 3-29 Creating an Organizational Unit (OU)

(Skill 8)




Figure 3-30 The Marketing OU added to the domain

(Skill 8)




Figure 3-31 Creating a new user object

(Skill 8)




Figure 3-32 <User object> Properties dialog box

(Skill 8)




Figure 3-33 The Find Users, Contacts, and Groups dialog box

(Skill 9)




Figure 3-34 Finding a user in Active Directory

(Skill 9)




Managing Active Directory Objects (2)

Securing resources Object security

Active Directory provides a set of security descriptors for each object called a Discretionary Access Control List (DACL) defining how the object can be accessed

Each file or folder on an NTFS drive has a DACL, which contains Access Control Entries (ACEs)

ACEs contain the SID of the user or group and the permissions associated with that user or group

Account logon security protects a computer and its resources from unauthorized access

(Skill 9)




Figure 3-35 Finding the Distinguished Name

(Skill 9)




Figure 3-36 Moving a user object

(Skill 9)

Documents

3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory