7/31/2019 AD Fundamentals
http://slidepdf.com/reader/full/ad-fundamentals 1/38
Active Directory Fundamentals
Win Moody
Senior Trainer, QA
[email protected]
What we will cover:
- Domains, Trees, Forests
- Domain Controllers, Sites
- The Domain Name System (DNS)
- Replication
- Operations Masters
- Lots of demos…
Prerequisite Knowledge
- Understanding of what a directory service is
- Level 200+
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Active Directory Logical Concepts: Domains
- Boundary of security
  - Authentication
  - Security policies (account, lockout and Kerberos policy are set per domain)
- Boundary of replication
  - The domain naming context (NC) replicates only among the DCs of that domain
- Boundary of DNS namespace
- Boundary of administration
Example: KAPOHO.NET

Caveat: treat the domain as an administrative and replication boundary, not as a hard security boundary. Every DC in a forest holds writable copies of the schema and configuration partitions, and a Domain Admin in any domain of the forest can use them (or sIDHistory, or the transitive trusts) to take control of every other domain. The forest is the real security boundary, which is why high-value domains are isolated in their own forest rather than as a child domain.
Active Directory Logical Concepts: Trees
- Hierarchy of domains forming a contiguous namespace
- Transitive trust relationships (two-way parent-child trusts created automatically)
- All domains in a tree share:
  - Schema
  - Configuration
  - Global Catalog
Example: KAPOHO.NET with child domains EUROPE.KAPOHO.NET and HAWAII.KAPOHO.NET, and grandchild domain MAUI.HAWAII.KAPOHO.NET
Active Directory Logical Concepts: Forests
- One or more trees: a hierarchy of domains forming a contiguous or disjoint namespace
- Transitive trust relationships (two-way tree-root trusts between the root domains of each tree)
- All domains in a forest share:
  - Schema
  - Configuration
  - Global Catalog
Example: a forest with two trees, PSP.CO.UK and KAPOHO.NET (with child domain HAWAII.KAPOHO.NET)
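The Domains, Trees and Forests slides above describe the logical structure and the trusts that tie it together. The following is an added example (not from the original slides) that enumerates that structure with the ActiveDirectory RSAT module and reviews every trust, flagging trusts that leave the forest without SID filtering, which is where the "domain is a security boundary" claim breaks down. The forest name kapoho.net is taken from the slides; everything else comes from whatever forest you run it against.

```powershell
# Added example: map a forest's logical layout and review its trusts.
# Requires the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-ForestLayout {
    param([string]$Forest = 'kapoho.net')   # assumed: the slides' example forest
    $f = Get-ADForest -Identity $Forest
    [pscustomobject]@{
        Forest         = $f.Name
        RootDomain     = $f.RootDomain
        Domains        = @($f.Domains)        # every domain in every tree
        ForestMode     = $f.ForestMode
        GlobalCatalogs = @($f.GlobalCatalogs)
    }
}

function Get-TrustReview {
    # One row per trust object in every domain of the forest.
    # Intra-forest trusts (parent-child, tree-root) are transitive and cannot be
    # SID-filtered: that is why the forest, not the domain, is the security boundary.
    # Trusts to other forests/domains should be SID-filtered (quarantined or
    # forest-aware) so an admin on the far side cannot inject SIDs via sIDHistory.
    param([string]$Forest = 'kapoho.net')
    foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADTrust -Filter * -Server $d | ForEach-Object {
            $sidFiltered = [bool]($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
            [pscustomobject]@{
                Domain           = $d
                Partner          = $_.Target
                TrustType        = $_.TrustType            # e.g. Uplevel, External, Forest
                Direction        = $_.Direction            # Inbound / Outbound / BiDirectional
                IntraForest      = $_.IntraForest
                ForestTransitive = $_.ForestTransitive
                SidFiltered      = $sidFiltered
                SelectiveAuth    = $_.SelectiveAuthentication
                Finding          = $(if (-not $_.IntraForest -and -not $sidFiltered) {
                                        'trust leaves the forest without SID filtering'
                                    } else { '' })
            }
        }
    }
}

Get-ForestLayout | Format-List
Get-TrustReview  | Format-Table -AutoSize
```

Run it as a user who can read the System container of each domain (any authenticated user can, by default). Anything in the Finding column is worth a follow-up: an inbound trust without SID filtering means the partner's administrators can assert SIDs from your forest.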
Active Directory Logical Concepts: Organizational Units
- Containers within domains
- Distinct units of administration: the object on which control is delegated (via its ACL) and to which Group Policy is linked
- Unique to domains: an OU exists inside one domain and cannot span domains
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Active Directory Physical Concepts: Domain Controllers
- Windows NT 4.0 model: one Primary Domain Controller (PDC) holds the only writable copy of the account database
- Backup Domain Controllers (BDCs) hold read-only copies and service logons
- Active Directory model: Domain Controllers (DCs) are peers; every DC holds a writable replica of its domain and replicates multi-master
Active Directory Physical Concepts: Sites
What is a Site?
- A set of well-connected IP subnets
Site usage
- Locating services (e.g. logon, DFS): clients prefer DCs and servers in their own site
- Replication: intra-site and inter-site replication behave differently (see the Replication section)
- Group Policy application: GPOs can be linked to a site
Sites are connected with site links
- A site link connects two or more sites
Active Directory Physical Concepts: Site Topology (diagram)
Forest Company.com with child domains america.company.com and europe.company.com; five DCs spread across Site A, Site B and Site C, two of which are also Global Catalog servers.
DC = Domain Controller, GC = Global Catalog
Active Directory Physical Concepts: Global Catalog
- Partial replica of all objects in the forest (every object, but only a subset of each object's attributes)
- Configurable subset of attributes: the partial attribute set, flagged per attribute in the schema
- Fast forest-wide searches (LDAP on port 3268, or 3269 over SSL/TLS)
- Required at logon for universal group membership: universal groups are forest-wide, so the authenticating DC needs a GC to expand them into the user's token in a multi-domain forest
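The Global Catalog slide says the GC is a partial replica used for forest-wide searches. The following added example (not from the original slides) shows what that means in practice: one query against GC:// (port 3268) finds an account anywhere in the forest, but an attribute outside the partial attribute set comes back empty and has to be re-read from a DC in the object's own domain. It uses only .NET System.DirectoryServices, so no RSAT is needed. The forest root DN DC=kapoho,DC=net comes from the slides; the account name jsmith and the use of employeeID as the "not in the GC" attribute are assumptions for the demonstration.

```powershell
# Added example: forest-wide lookup via the Global Catalog, then a full read
# from the object's own domain for attributes the GC does not carry.
function Get-FirstValue($result, [string]$name) {
    # ResultPropertyValueCollection is empty (not $null) for missing attributes;
    # piping through Select-Object avoids an out-of-range index.
    [string]($result.Properties[$name] | Select-Object -First 1)
}

function Find-InForest {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ForestRootDN = 'DC=kapoho,DC=net'   # assumed: the slides' forest
    )
    # GC:// binds to port 3268 and searches the partial replica of every domain
    # in the forest with a single query; LDAP:// would search one domain only.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.SearchRoot  = [adsi]"GC://$ForestRootDN"
    $searcher.SearchScope = 'Subtree'
    # mail is in the default partial attribute set; employeeID is not (assumption:
    # your schema has not added it), so the GC returns it empty.
    foreach ($a in 'distinguishedName', 'mail', 'employeeID') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }

    foreach ($r in $searcher.FindAll()) {
        $dn = Get-FirstValue $r 'distinguishedName'
        [pscustomobject]@{
            DistinguishedName = $dn
            # The owning domain is recoverable from the DC= components of the DN.
            Domain            = (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
            MailFromGC        = Get-FirstValue $r 'mail'
            EmployeeIdFromGC  = Get-FirstValue $r 'employeeID'   # expected empty: not in the PAS
        }
    }
}

function Get-FullObject {
    # Re-read from a DC of the object's own domain: the full replica has every attribute.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = [adsi]"LDAP://$DistinguishedName"
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        EmployeeId        = [string]$obj.employeeID
        MemberOf          = @($obj.memberOf)     # domain-local groups only appear here, never via the GC
    }
}

# Usage:
$hits = Find-InForest -SamAccountName 'jsmith'
$hits | Format-Table -AutoSize
$hits | ForEach-Object { Get-FullObject -DistinguishedName $_.DistinguishedName }
```

If the second function returns a value that the first left blank, you have just seen the partial attribute set at work. The DN splitting assumes no escaped commas in the DN, which is fine for this illustration.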
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
DNS: DNS Requirements
- SRV records to locate services (required): clients and DCs find DCs, Global Catalogs, the PDC emulator and Kerberos through _ldap._tcp, _kerberos._tcp and the _msdcs subdomain
- DDNS for dynamic update (desired): DCs register and refresh their own records
Windows 2000 and up, DNS also provides:
- Incremental zone transfers
- Integration with Active Directory
  - Single replication topology (zone data replicates with the directory)
  - Multi-master replication (any DC running DNS can update the zone)
  - Secure dynamic updates (only authenticated computers can register, and only records they own)
DNS: DNS Implementations
- No existing DNS infrastructure: deploy Microsoft DNS
- Existing DNS: check that it meets the requirements
- Existing DNS not adequate:
  - Choice 1: update the server
  - Choice 2: migrate to Microsoft DNS
  - Choice 3: delegate a subdomain to Microsoft DNS
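The two DNS slides above list what AD needs from DNS (SRV records, dynamic update) and how to check an existing server. The following added example (not from the original slides) turns that into a check: it resolves the SRV records the DC locator depends on and then reads each zone's dynamic-update setting, because a zone left at NonsecureAndSecure lets any host on the network overwrite records, including the DC and GC entries. Resolve-DnsName is in the built-in DnsClient module; Get-DnsServerZone needs the DnsServer RSAT module and read rights on the DNS server. kapoho.net and dc01.kapoho.net are the slides' example names and are assumptions here.

```powershell
# Added example: check the DNS requirements for an AD domain.
function Test-AdSrvRecords {
    param(
        [string]$Domain = 'kapoho.net',   # assumed forest root domain from the slides
        [string]$Server                   # optional: query a specific DNS server
    )
    # Records clients and other DCs need to find a DC, the PDC emulator,
    # Kerberos and a Global Catalog. _gc._tcp is registered under the forest
    # root name, so $Domain is assumed to be the forest root here.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )
    foreach ($n in $names) {
        $p = @{ Name = $n; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $p.Server = $Server }
        $srv = Resolve-DnsName @p | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $n
            Found   = [bool]$srv
            Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

function Test-DynamicUpdateSetting {
    param([string]$DnsServer = 'dc01.kapoho.net')   # assumed: a DC running DNS
    # DynamicUpdate is None, NonsecureAndSecure or Secure. Secure is only
    # available on AD-integrated zones; NonsecureAndSecure is the dangerous
    # setting because unauthenticated hosts can create or overwrite records.
    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            [pscustomobject]@{
                Zone          = $_.ZoneName
                AdIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                Finding       = $(if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
                                      'unauthenticated hosts can update this zone'
                                  } elseif ($_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure') {
                                      'AD-integrated zone should use Secure dynamic update'
                                  } else { '' })
            }
        }
}

Test-AdSrvRecords        | Format-Table -AutoSize
Test-DynamicUpdateSetting | Format-Table -AutoSize
```

A missing SRV record in the first table explains "no domain controller could be contacted" errors; a Finding in the second table is a misconfiguration to fix on the DNS server, not on the clients.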
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Replication: Details
Naming contexts (NCs) that are replicated:
- Schema naming context
- Configuration naming context
- Domain naming context
Multi-master replication
- Intra-site: bi-directional ring topology
- Inter-site: spanning tree topology
Transports
- Synchronous RPC over TCP/IP
- Asynchronous SMTP
Replication: Naming Contexts
Schema
- Definitions of object classes and attributes
- Replicated to all DCs in the forest
Configuration
- AD structure (domains, sites, site links and where the DCs are)
- Replicated to all DCs in the forest
Domain
- Domain-specific objects (users, groups, computers and OUs)
- Replicated to all DCs in that domain; a partial, read-only copy of every domain NC also goes to each Global Catalog
Windows Server 2003 added application partitions (for example ForestDnsZones and DomainDnsZones for AD-integrated DNS) whose replication scope is chosen by the administrator rather than fixed to a domain or the forest.
Replication: Topologies
- Intra-site replication: AD replication between DCs within a site
- Inter-site replication: AD replication between sites
Replication: Intra-site Replication
- RPC replication within a site
- No compression
- Assumes good network connections
- Uses a notification process: a DC that receives a change notifies its partners, which then pull the change
  - Windows 2000: notification 5 minutes after the change
  - Windows Server 2003 (at Windows Server 2003 forest functional level): 15 seconds
- The KCC generates a bi-directional ring with extra edges so that no DC is more than three hops from any other
- Tip: always let the KCC generate the intra-site replication topology when possible
Replication: Inter-Site Replication
- Replication between sites
- Transports: DS-RPC (RPC over IP) or SMTP
  - SMTP cannot carry the domain naming context, so it can only be used between DCs of different domains in different sites, carrying the schema, configuration and Global Catalog (partial) partitions
- Compression: changes are compressed to roughly 10%-20% of their original size
- Scheduled: runs at the interval and within the window set on the site link, instead of on notification
Replication: Site-links, Bridges and Bridgehead Servers
Site links
- Link two or more sites
- Costs and schedules can be specified
- Transitive by default (can be disabled per transport)
Site-link bridges
- Bridge two or more site links; needed to model reachable paths once transitivity is disabled
Bridgehead servers
- The DC in each site that replicates a given naming context across the site link on behalf of the other DCs in that site
The KCC generates a minimum-cost spanning tree across the site links
Tip: always let the KCC generate the replication topology
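The Intra-site, Inter-site and Site-link slides describe the topology the KCC builds and advise letting it do so. The following added example (not from the original slides) reads that topology back out with the ActiveDirectory module's replication cmdlets (Windows Server 2012 or later DCs): site links with their cost and interval, connection objects that were created by hand rather than by the KCC, and per-partner replication health. kapoho.net is the slides' example domain and is an assumption here.

```powershell
# Added example: inspect the replication topology and its health.
Import-Module ActiveDirectory

function Get-SiteLinkReport {
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, InterSiteTransportProtocol |
        ForEach-Object {
            [pscustomobject]@{
                SiteLink  = $_.Name
                Transport = $_.InterSiteTransportProtocol    # IP (RPC) or SMTP
                Cost      = $_.Cost                          # default 100
                Interval  = $_.ReplicationFrequencyInMinutes # default 180
                Sites     = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
            }
        }
}

function Get-ConnectionReport {
    # Connection objects are what the KCC actually produces. AutoGenerated = $false
    # means someone created or edited it by hand, so the KCC will not repair it
    # when a partner disappears, which is why the slides say to leave it to the KCC.
    Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
        ForEach-Object {
            [pscustomobject]@{
                From          = ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN='
                To            = ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN='
                AutoGenerated = $_.AutoGenerated
                Note          = $(if (-not $_.AutoGenerated) { 'manual connection: review, or delete and let the KCC rebuild' } else { '' })
            }
        }
}

function Get-ReplicationHealth {
    param([string]$Domain = 'kapoho.net')   # assumed: the slides' example domain
    # One row per (DC, partner, partition). ConsecutiveReplicationFailures > 0 or a
    # non-zero LastReplicationResult is the first thing to chase after a change
    # fails to appear on another DC.
    Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain |
        ForEach-Object {
            [pscustomobject]@{
                Server      = ($_.Server -split '\.')[0]
                Partner     = ($_.Partner -split ',')[1] -replace '^CN='
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult    # 0 = success
            }
        } | Sort-Object Failures -Descending
}

Get-SiteLinkReport    | Format-Table -AutoSize
Get-ConnectionReport  | Format-Table -AutoSize
Get-ReplicationHealth | Format-Table -AutoSize
```

The same data is available from the command line with repadmin /showrepl and repadmin /replsummary; the cmdlet output is easier to filter and keep as a baseline, so a new manual connection object or a new site link shows up as a diff.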
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Operations Masters: Schema and Domain Naming
Schema master
- Performs updates to the schema (the only DC that accepts schema writes); the changes then replicate to all DCs in the forest
- One per forest
- Default is the first DC installed in the forest
Domain naming master
- Performs add/remove of domains and of cross-references to external directories
- One per forest
- Default is the first DC installed in the forest
Both roles are forest-wide, and a schema change is irreversible, so keep the Schema Admins group empty except for the duration of a planned change.
Operations Masters: PDC, RID and Infrastructure
PDC emulator
- Acts as the PDC for requests from NT 4.0 BDCs and down-level clients
- Also the preferred target for password changes (other DCs retry a failed logon against it to catch a recent change), the default target for Group Policy edits, and the authoritative time source for the domain
- One per domain
RID master
- Generates pools of relative identifiers (RIDs) and hands them out to the DCs in the domain; each new security principal's SID is the domain SID plus one RID from the issuing DC's pool
- One per domain
Infrastructure master
- Updates cross-domain object references (the SID and distinguished name stored for members from other domains, e.g. in group memberships) when those objects are renamed or moved
- One per domain
- Not required in a single-domain forest (there are no cross-domain references)
- Must not be hosted on a Global Catalog unless every DC in the domain is a GC; otherwise it never notices a stale reference and does nothing
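The two Operations Masters slides list the five roles, their scope, and the infrastructure-master placement rule. The following added example (not from the original slides) reports who holds each role, confirms that each holder still answers LDAP, and checks the infrastructure master against the Global Catalog rule for every domain in the forest. It requires the ActiveDirectory module; kapoho.net is the slides' example forest and is an assumption here.

```powershell
# Added example: operations master (FSMO) inventory and placement check.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Forest = 'kapoho.net')   # assumed: the slides' example forest
    $f = Get-ADForest -Identity $Forest
    $rows = @(
        [pscustomobject]@{ Scope = 'forest'; Domain = $f.RootDomain; Role = 'SchemaMaster';       Holder = $f.SchemaMaster }
        [pscustomobject]@{ Scope = 'forest'; Domain = $f.RootDomain; Role = 'DomainNamingMaster'; Holder = $f.DomainNamingMaster }
    )
    foreach ($dn in $f.Domains) {
        $d = Get-ADDomain -Identity $dn
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = 'domain'; Domain = $dn; Role = $role; Holder = $d.$role }
        }
    }
    foreach ($r in $rows) {
        # A role holder that does not answer LDAP blocks the operations that role
        # serialises: schema changes, new domains, RID pool issuance, NT-style logons.
        $alive = $false
        try { $null = Get-ADRootDSE -Server $r.Holder -ErrorAction Stop; $alive = $true } catch { }
        $r | Add-Member -NotePropertyName Responding -NotePropertyValue $alive -PassThru
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master finds stale cross-domain references by comparing
    # its own copy with a GC. If it is itself a GC it always matches and does
    # nothing, unless every DC in the domain is a GC (nothing left to fix up).
    # A single-domain forest has no cross-domain references, so the rule is moot.
    param([string]$Forest = 'kapoho.net')
    $f = Get-ADForest -Identity $Forest
    $multiDomain = @($f.Domains).Count -gt 1
    foreach ($dn in $f.Domains) {
        $d     = Get-ADDomain -Identity $dn
        $dcs   = @(Get-ADDomainController -Filter * -Server $dn)
        $im    = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        [pscustomobject]@{
            Domain               = $dn
            InfrastructureMaster = $d.InfrastructureMaster
            HolderIsGC           = [bool]$im.IsGlobalCatalog
            AllDCsAreGC          = $allGc
            MultiDomainForest    = $multiDomain
            Ok                   = (-not $multiDomain) -or (-not $im.IsGlobalCatalog) -or $allGc
        }
    }
}

Get-FsmoReport                    | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

The role holders can also be listed with netdom query fsmo; the value of doing it in PowerShell is the Responding and Ok columns, which catch a decommissioned DC that still holds a role and an infrastructure master that is quietly doing nothing.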
Summary
- There are logical and physical concepts in Active Directory
- DNS is the locator service Active Directory depends on
- Plenty of information is available (see the following slides)
For More Information…
- Main TechNet Web site at www.microsoft.com/technet
- Additional resources to support this session can be found at www.microsoft.com/technet/tnt1-98
MS Press: Inside information for IT Professionals
To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books
Third Party Publications: Supplementary Publications for IT Pros
These books can be found and purchased at all good book stores and on-line retailers.
Microsoft Learning: Training Resources for IT Professionals
- Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  - Course Number: 2279
  - Availability: Now
  - Detailed Syllabus: www.microsoft.com/learning
- To locate a training provider, please access www.microsoft.com/learning
- Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services
Assess your Readiness: Microsoft Skills Assessment
What is Microsoft Skills Assessment?
- Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
- Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
- Free, online, unproctored, and available to anyone
- Answers, "Am I ready?"
- Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
- Post your High Score to see how you stack up
Visit http://www.microsoft.com/assessment
Become a Microsoft Certified Systems Administrator (MCSA)
What is the MCSA certification?
- For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
How do I become an MCSA on Microsoft Windows 2003?
- Pass 3 core exams
- Pass 1 elective exam or 2 CompTIA certifications
Where do I get more information?
- For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa
Become a Microsoft Certified Systems Engineer (MCSE)
What is the MCSE certification?
- Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software.
How do I become an MCSE on Microsoft Windows 2003?
- Pass 6 core exams
- Pass 1 elective exam from a comprehensive list
Where do I get more information?
- For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse
Demonstrate Your Security or Messaging Specialization
What are MCSA/MCSE specializations?
- MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role.
What specializations are available?
- MCSA: Security
- MCSA: Messaging
- MCSE: Security
- MCSE: Messaging
Where do I get more information?
- For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse
What is TechNet? Put the right answers at your fingertips
TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully.
TechNet Subscription
- Monthly updates delivered on DVD or CD
- The definitive resource to help you evaluate, deploy and maintain Microsoft products
TechNet Web Site
- Accessible at www.microsoft.com/technet
- Online resources and community
- Subscriber-only online services
TechNet Flash
- Bi-weekly e-newsletter
- Security updates, new resources, and special offers
TechNet Events and Web Casts
- Briefings on the latest Microsoft products and technologies
- Hands-on, "how to" information
TechNet Communities
- User groups
- Managed newsgroups
Where Can I Get TechNet?
- Visit TechNet Online at www.microsoft.com/technet
- Register for the TechNet Flash: www.microsoft.com/technet/subscriptions/flash.asp
- Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
- Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
- Attend more TechNet Events or view on-line: www.microsoft.com/technet/tcevents/itevents