
ACTIVE DIRECTORY IN WINDOWS 2003 SERVER

Contents
1. Introduction to Active Directory ............ page 1
2. Installation of ADS ......................... page 5
3. FSMO roles .................................. page 6
4. Network support services .................... page 8
5. Benefits of ADS ............................. page 22

Jaadulla Ali Page 1


Introduction to Active Directory


Active Directory is a technology created by Microsoft that provides a
variety of network services. Using a single central database, primarily in
Windows environments, Active Directory also allows administrators to
assign policies, deploy software, and apply critical updates across an
organization. Active Directory stores information and settings in that
central database. Active Directory networks can vary from a small
installation with a few computers, users and printers to tens of thousands
of users, many different domains and large server farms spanning many
geographical locations.
Active Directory was previewed in 1999, released first with Windows 2000
Server edition, and revised to extend functionality and improve
administration in Windows Server 2003. Additional improvements were
made in Windows Server 2003 R2. Active Directory was refined further in
Windows Server 2008 and Windows Server 2008 R2 and was renamed
Active Directory Domain Services.
Active Directory was called NTDS (NT Directory Service) in older Microsoft
documents. This name can still be seen in some Active Directory binaries.
There is a common misconception that Active Directory provides software
distribution. Software distribution is run by a separate service that uses
additional proprietary schema attributes that work in conjunction with the
LDAP protocol. Active Directory does not automate software distribution,
but provides a mechanism by which other services can provide software
distribution.
This document takes a brief look at Active Directory in Windows 2003
Server. A central component of the Windows platform, the Active Directory
service provides the means to manage the identities and relationships that
make up network environments. Windows Server 2003 makes Active
Directory simpler to manage, easing migration and deployment.


Active Directory Objects


Active Directory stores information about network objects. Active Directory
objects represent network resources such as users, groups, computers and
printers.

ADS Schema

The ADS schema contains the definitions of all objects, such as computers,
users and printers. In Windows 2003 there is only one schema for the
entire forest. There are two types of definition in the schema:
1) Object classes
2) Attributes
An object class describes the possible directory objects that can be
created; each object class is a collection of attributes. Attributes are
defined separately from object classes. Each attribute is defined once and
can be used in multiple object classes.

Active Directory Service Logical Structure

A domain is centralized. A domain is a security boundary. A domain is a
unit of replication.

Organizational Units (OUs)


An organizational unit is a container object that you use to organize
objects within a domain. An organizational unit may contain objects such
as users, groups, computers, printers and other organizational units.

Trees and Forest.


Tree: A tree is a hierarchical arrangement of Windows 2003 domains.
Domains in a tree share a contiguous namespace.
Forest: A forest is one or more trees. Trees in a forest do not share a
contiguous namespace, but trees in a forest share a common schema and


Active Directory Services Physical Structure

A domain controller is a computer running Windows 2003 Server which
stores a replica of the directory. Changes made on one DC are replicated
to the other DCs in the same domain.

Site

A site consists of one or more IP subnets. Sites are connected by
high-speed links. Sites control network traffic (over leased lines) and
workstation logon traffic.

If site 1 and site 2 share a single DC, every logon from site 2 has to
cross the site link and takes longer. Sites exist so that this logon time
and traffic can be reduced.


Installation of ADS
1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click
Next.
Note: if this is the first time you have installed Active Directory, you
can click Active Directory help to learn more about Active Directory
before clicking next.
3. On the next page of the Active Directory Installation Wizard, click
Next.
4. On the Domain Controller Type page, click Domain Controller for a
new domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and
then click Next.
6. On the New Domain Name page, in the Full DNS name for new
domain box, type corp.contoso.com, and then click Next.
7. On the Database and Log Folders page, accept the defaults in the
Database folder box and the Log folder box, and then click Next.
8. On the Shared System Volume page, accept the default in the Folder
location box, and then click Next.
9. On the DNS Registration Diagnostics page, click Install and configure
the DNS server on this computer and set this computer to use this
DNS server as its preferred DNS Server, and then click Next.
10. On the Permissions page, click Permissions compatible only with
Windows 2000 or Windows Server 2003 operating systems, and
then click Next.
11. On the Directory Services Restore Mode Administrator Password
page, enter a password in the Restore Mode Password box, retype
the password to confirm it in the Confirm password box, and then
click Next.
12. On the Summary page, confirm the information is correct, and then
click Next.
13. When prompted to restart the computer, click Restart now.
14. After the computer restarts, log on to CONT-CA01 as a member of
the Administrators group.


FSMO Roles
There are just five operations where the usual multiple-master model
breaks down and the Active Directory task must be carried out on only
one domain controller. The FSMO roles are:
PDC Emulator: Most famous for backwards compatibility with NT 4.0
BDCs. However, there are two other jobs of this role which operate even in
Windows 2003 native-mode domains: synchronizing the W32Time service
and creating group policies. I admit that it is confusing that these two
jobs have little to do with PDCs and BDCs.
Identify the PDC Emulator
1. Open Active Directory Users and Computers.
2. Right-click the domain node, and then click Operations Masters.
3. On the PDC tab, under Operations masters, view the operations master
that will serve as the PDC emulator.

• Performing this task does not require you to have administrative
credentials. Therefore, as a security best practice, consider performing
this task as a user without administrative credentials.
• To open Active Directory Users and Computers, click Start, click Control
Panel, double-click Administrative Tools, and then double-click Active
Directory Users and Computers.
• Every domain has only one PDC emulator master. To identify the PDC
emulator in a different domain, target the appropriate domain before
clicking Operations Masters.


RID Master: The Relative ID (RID) Master is one of the operations master
roles that exist in each domain in a forest. It controls the sequence
number for the domain controllers within a domain. It provides a unique
sequence of RIDs to each domain controller in a domain. When a domain
controller creates a new object, the object is assigned a unique security ID
consisting of a combination of a domain SID and a RID. The domain SID is
a constant ID, whereas the RID is assigned to each object by the domain
controller. The domain controller receives the RIDs from the RID Master.
When the domain controller has used all the RIDs provided by the RID
Master, it requests the RID Master to issue more RIDs for creating
additional objects in the domain. When a domain controller exhausts its
pool of RIDs and the RID Master is unavailable, that domain controller
cannot create any new objects in the domain.
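The following simulation is an added example, not code from the original document or from Microsoft: it models the RID Master handing out non-overlapping RID blocks to domain controllers, each DC composing SIDs as domain SID plus RID, and the failure when a DC's pool runs dry while the RID Master is unreachable. The domain SID, the starting RID and the pool size are constructed values (the real Windows pool is much larger).

```python
# Added example (not from the original document): RID Master pool
# allocation and SID construction. Domain SID, starting RID and pool size
# are constructed values.


class RidMaster:
    """The single DC in the domain that issues non-overlapping RID blocks."""

    def __init__(self, domain_sid, pool_size=3):
        self.domain_sid = domain_sid        # constant part of every SID in the domain
        self.pool_size = pool_size          # assumption: real pools are larger
        self.next_rid = 1000                # assumption: start above well-known RIDs
        self.reachable = True               # set False to simulate an outage

    def allocate_pool(self):
        """Return the next block of RIDs; fails if the master is unreachable."""
        if not self.reachable:
            raise ConnectionError("RID Master is unavailable")
        block = list(range(self.next_rid, self.next_rid + self.pool_size))
        self.next_rid += self.pool_size
        return block


class DomainController:
    """A DC creates objects locally, consuming RIDs from its private pool."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = []          # RIDs this DC may still assign
        self.objects = {}       # sAMAccountName -> SID

    def create_object(self, sam_name):
        if not self.pool:
            # Pool used up: ask the RID Master for more before creating anything.
            self.pool = self.rid_master.allocate_pool()
        rid = self.pool.pop(0)
        sid = f"{self.rid_master.domain_sid}-{rid}"
        self.objects[sam_name] = sid
        return sid


def try_create(dc, sam_name):
    """Return the new SID, or None when the RID Master cannot refill the pool."""
    try:
        return dc.create_object(sam_name)
    except ConnectionError:
        return None


def all_sids_unique(*dcs):
    """True when no two objects across the given DCs share a SID."""
    sids = [sid for dc in dcs for sid in dc.objects.values()]
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    master = RidMaster("S-1-5-21-111-222-333", pool_size=2)   # constructed domain SID
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    print(dc1.create_object("alice"), dc2.create_object("bob"))
    master.reachable = False
    print(dc1.create_object("carol"))       # still works: dc1 has one RID left
    print(try_create(dc1, "dave"))          # pool empty, master down -> None
```

Two DCs drawing from the same master never collide because the master is the only place RID blocks are handed out; that single point of allocation is exactly why the role must not be multi-master.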
Infrastructure Master - The Infrastructure Master (IM) is a domain-wide
FSMO (Flexible Single Master of Operations) role responsible for an
unattended process that "fixes-up" stale references, known as phantoms,
within the Active Directory database or DIT (Directory Information Table).
Phantoms are created on Domain Controllers (DCs) that require a
database cross-reference between an object within their own database
and an object from another domain within the forest. This occurs, for
example, when you add a user from one domain to a group within another
domain in the same forest.
Each DC is individually responsible for creating its own phantoms with the
notable exception of Global Catalogs (GCs). Since GCs store a partial copy
of all objects within the forest, they are able to create cross-domain
references without the need for such phantoms. Phantoms are deemed
stale when they no longer contain up-to-date data, which occurs because
of changes that have been made to the foreign object the phantom
represents, e.g., when the target object is renamed, moved, migrated
between domains or deleted. The IM is exclusively responsible for locating
and fixing stale phantoms. Any changes introduced as a result of the
"fix-up" process must then be replicated to all remaining DCs within the
domain.
Domain Naming Master: Ensures that each child domain has a unique
name. How often do child domains get added to the forest? Not very
often I suggest, so the fact that this is a FSMO does not impact on normal
domain activity. My point is it's worth the price to confine joining and
leaving the domain operations to one machine, and save the tiny risk of
getting duplicate names or orphaned domains.
Schema Master: Operations that involve expanding user properties, e.g.
Exchange 2003 forest prep, which adds mailbox properties to users.
Rather like the Domain Naming Master, changing the schema is a rare
event. However, if you have a team of schema administrators all
experimenting with object properties, you would not want there to be a
mistake which crippled your forest. So it's a case of Microsoft knows best:
the Schema Master should be a single-master operation and thus a FSMO
role.

Network Support Services.

TCP/IP
TCP and IP were developed by a Department of Defense (DOD) research
project to connect a number of different networks designed by different
vendors into a network of networks (the "Internet"). It was initially
successful because it delivered a few basic services that everyone needs
(file transfer, electronic mail, remote logon) across a very large number of
client and server systems. Several computers in a small department can
use TCP/IP (along with other protocols) on a single LAN. The IP component
provides routing from the department to the enterprise network, then to
regional networks, and finally to the global Internet. On the battlefield a
communications network will sustain damage, so the DOD designed TCP/IP
to be robust and to automatically recover from any node or phone-line
failure. This design allows the construction of very large networks with
less central management. However, because of the automatic recovery,
network problems can go undiagnosed and uncorrected for long periods of
time.
As with all other communications protocols, TCP/IP is composed of layers:
• IP - is responsible for moving packets of data from node to node. IP
forwards each packet based on a four-byte destination address (the
IP number). The Internet authorities assign ranges of numbers to
different organizations. The organizations assign groups of their
numbers to departments. IP operates on gateway machines that
move data from department to organization to region and then
around the world.
• TCP - is responsible for verifying the correct delivery of data from
client to server. Data can be lost in the intermediate network. TCP
adds support to detect errors or lost data and to trigger
retransmission until the data is correctly and completely received.
• Sockets - is the name given to the package of subroutines that
provide access to TCP/IP on most systems.
The Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of
protocols specifically designed to fulfill two goals:
• Allow communication across WAN (wide area network) links
• Allow communication between diverse environments
Understanding the roots of these protocols leads to an understanding of
their importance in today's networks.

IP Subnetting

IP addressing is a little more complex than I just described. When a
company receives a network address (either from the Internet authorities
or from an Internet Service Provider), the company is given a range of
possible addresses. There are three main classes of addresses available:
A, B, and C.
The ABCs of IP Addresses

Class A addresses begin with a first octet value between 1 and 126. In
other words, there are only 126 class A networks available on the entire
Internet. (Needless to say, there are no more class A addresses available.)
The first octet is the network portion of the IP address, and the last three
octets represent the host portion. Each class A network can support over
16 million hosts. Now you can see why only a few of these addresses are
needed; not many companies have that number of hosts on their
networks.
Finally, class C networks begin with a first octet value between 192 and
223. On a class C network, the first three octets represent the network
and the last octet represents the host portion. This means that there are a
little over 16 million class C network addresses available, but each can
only support a maximum of 254 hosts.
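As an added example (not part of the original document), the script below classifies an address by its first octet, splits it into the classful network and host portions described above, computes the usable host count, and carves a classful network into subnets. It goes beyond the text in one respect: class B (first octet 128 to 191, sixteen network bits), which the text does not cover, is included so that all three classes are handled. The sample addresses are constructed.

```python
# Added example (not from the original document): classful address
# classification and a simple subnet calculator. Class B is included even
# though the text above does not describe it. Sample addresses are constructed.
import ipaddress

# class -> (lowest first octet, highest first octet, default prefix length)
CLASSES = {"A": (1, 126, 8), "B": (128, 191, 16), "C": (192, 223, 24)}


def address_class(ip):
    """Return 'A', 'B' or 'C'; None for 0.x, loopback (127.x) and classes D/E."""
    first = int(ip.split(".")[0])
    for cls, (low, high, _) in CLASSES.items():
        if low <= first <= high:
            return cls
    return None


def usable_hosts(prefix_len):
    """Host addresses in a network of this size, minus network and broadcast."""
    return 2 ** (32 - prefix_len) - 2


def classful_split(ip):
    """Split an address into its classful network and host portions."""
    cls = address_class(ip)
    if cls is None:
        raise ValueError(f"{ip} is not a class A, B or C address")
    prefix = CLASSES[cls][2]
    octets = ip.split(".")
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    return {
        "class": cls,
        "network": str(net.network_address),
        "network_portion": ".".join(octets[: prefix // 8]),
        "host_portion": ".".join(octets[prefix // 8 :]),
        "max_hosts": usable_hosts(prefix),
    }


def subnets(network, new_prefix):
    """Carve a classful network into equal subnets of the given prefix length."""
    cls = address_class(network)
    if cls is None:
        raise ValueError(f"{network} is not a class A, B or C address")
    base = ipaddress.IPv4Network(f"{network}/{CLASSES[cls][2]}", strict=False)
    return [str(s) for s in base.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.16.5.9", "192.168.1.77"):   # constructed samples
        print(addr, classful_split(addr))
    print(subnets("192.168.1.0", 26), "each with", usable_hosts(26), "hosts")
```

The host count subtracts two because the all-zeros host part names the network and the all-ones host part is the broadcast address; that is where the 254-host limit of a class C network comes from.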

Windows Internet Name Service (WINS)

Let’s start our discussion of management tools with the one we’d really
like to get rid of: WINS. WINS is used to resolve user-friendly NetBIOS
names to their associated IP addresses. While this sounds like a fairly
simple process—and a lot like DNS—you’ll see that WINS is really
yesterday’s news.
First, let's talk about NetBEUI. NetBEUI is an old, non-routable
communication protocol that was designed quite some time ago to support
an Application Programming Interface (API) set named NetBIOS. When
Microsoft first entered the network operating system business, they
decided to use NetBEUI as their default communication protocol. After all,
their first networking product was Windows for Workgroups (WFW), not a
really robust or scalable product. WFW was designed for small,
departmental-sized environments, in other words environments without
multiple IP networks (and their associated routers). Most of Microsoft's
first networking endeavors revolved around the use of NetBEUI to support
NetBIOS.

NetBIOS was first designed to act as an API so that applications running on
different computers could share information or work together. It includes
various processes to facilitate this communication.
Rather than rewrite a networking process from scratch, Microsoft
incorporated NetBIOS into their own networking scheme.
For our discussion, there are a few important NetBIOS functions you
should know about:

NetBIOS Names
NetBIOS names are the unique, user-friendly names associated with
devices in a NetBIOS-based environment. They are 16 bytes in length; the
first 15 bytes are assigned during the installation/setup of the hardware,
and the last byte represents services on the device.

NetBIOS Name Registration
NetBIOS devices use (by default) a broadcast technique to ensure that the
name being used by the device is unique on the network. Basically, the
device sends out a broadcast packet declaring its name. If no negative
response is heard (a negative response meaning that some other device is
using the name and protests), then the device assumes its name is unique
and begins using it.

NetBIOS Name Resolution
While NetBIOS uses the user-friendly computer name, the lower-layer
communication protocols use other identifiers. When one device wants to
communicate with another, it will broadcast the destination's NetBIOS
name. The destination device will respond with its IP address. At that
time, communication can commence.

NetBIOS Name Release
When a device is properly shut down, it will broadcast a packet notifying
other devices on the network that it is going offline. This allows them to
update any NetBIOS name tables that they might have built.
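The four NetBIOS functions above, worked through as an added example that is not part of the original document: the 16-byte name (15 characters padded with spaces plus a service suffix byte), the RFC 1001 first-level encoding that turns it into the 32-letter form seen on the wire, and a single-segment simulation of broadcast registration, resolution and release. The device names and IP addresses are constructed, and the simulation collapses the broadcast exchange into one shared name table.

```python
# Added example (not from the original document): 16-byte NetBIOS names,
# their RFC 1001 first-level encoding, and a one-segment simulation of
# broadcast registration / resolution / release. Names and IPs are constructed.

WORKSTATION_SERVICE = 0x00   # suffix byte of the workstation service name
SERVER_SERVICE = 0x20        # suffix byte of the file server service name


def netbios_name(name, suffix=WORKSTATION_SERVICE):
    """15 bytes of name padded with spaces, plus one service suffix byte."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names hold at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16):
    """RFC 1001 encoding: each nibble becomes a letter A-P, 32 letters in all."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


class LanSegment:
    """The name table that every node on one broadcast domain ends up with."""

    def __init__(self):
        self.table = {}   # 16-byte name -> IP address of its owner

    def register(self, name, ip, suffix=WORKSTATION_SERVICE):
        """Broadcast registration: fails if another device already owns the name."""
        key = netbios_name(name, suffix)
        owner = self.table.get(key)
        if owner is not None and owner != ip:
            return False      # the owner answered with a negative registration response
        self.table[key] = ip
        return True

    def resolve(self, name, suffix=WORKSTATION_SERVICE):
        """Broadcast name query: the owner answers with its IP, or nobody does."""
        return self.table.get(netbios_name(name, suffix))

    def release(self, name, ip, suffix=WORKSTATION_SERVICE):
        """Name release on shutdown; only the current owner may release it."""
        key = netbios_name(name, suffix)
        if self.table.get(key) != ip:
            return False
        del self.table[key]
        return True


if __name__ == "__main__":
    seg = LanSegment()
    print(seg.register("WS1", "10.0.0.5"), seg.register("WS1", "10.0.0.6"))  # True False
    print(seg.resolve("ws1"))                                                # 10.0.0.5
    print(first_level_encode(netbios_name("WS1", SERVER_SERVICE)))
```

Because the suffix byte is part of the name, the same computer can own several names at once (workstation service, server service and so on), and a conflict is only reported when both the 15-character name and the suffix match.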

Dynamic Host Configuration Protocol (DHCP)

"Dynamic Host Configuration Protocol (DHCP) is an IP standard designed to
reduce the complexity of administering IP address configurations." -
Microsoft's definition. A DHCP server would be set up with the appropriate
settings for a given network. Such settings would include a set of
fundamental parameters such as the gateway, DNS, subnet masks, and a
range of IP addresses. Using DHCP on a network means administrators
don't need to configure these settings individually for each client on the
network. The DHCP server distributes them to the clients automatically.
The DHCP server assigns a client an IP address taken from a predefined
scope for a given amount of time. If an IP address is required for longer
than the lease has been set for, the client must request an extension
before the lease expires. If the client has not requested an extension on
the lease time, the IP address will be considered free and can be assigned
to another client. If the user wishes to change IP address then they can do
so by typing "ipconfig /release", followed by "ipconfig /renew" in the
command prompt. This will remove the current IP address and request a
new one. Reservations can be defined on the DHCP server to allow certain
clients to have their own IP address (this will be discussed a little later on).
Addresses can be reserved for a MAC address or a host name so these
clients will have a fixed IP address that is configured automatically. Most
Internet Service Providers use DHCP to assign new IP addresses to client
computers when a customer connects to the internet - this simplifies
things at user level.

The above diagram displays a simple structure consisting of a DHCP server
and a number of client computers on a network.
The DHCP server itself contains an IP address database which holds all
the IP addresses available for distribution. If the client (a member of the
network with a Windows 2000 Professional/XP operating system, for
example) has "Obtain an IP address automatically" enabled in its TCP/IP
settings, then it is able to receive an IP address from the DHCP server.

Setting up a DHCP server

This will serve as a step-by-step guide on how to set up a DHCP server.
Installing the DHCP server is made quite easy in Windows 2003. By using
the "Manage your server" wizard, you are able to enter the details you
require and have the wizard set the basics for you. Open the "Manage your
server" wizard, select the DHCP server option from the list of server roles
and press Next.
You will be asked to enter the name and description of your scope.

Scope: A scope is a collection of IP addresses for computers on a subnet
that use DHCP.

The next window will ask you to define the range of addresses that the
scope will distribute across the network and the subnet mask for the IP
address. Enter the appropriate details and click next.

You are shown a window in which you must add any exclusions to the
range of IP addresses you specified in the previous window. If, for
example, the IP address 10.0.0.150 is that of the company router, then you
won't want the DHCP server to be able to distribute that address as well.
In this example I have excluded a range of IP addresses, 10.0.0.100 to
10.0.0.110, and a single address, 10.0.0.150. In this case, eleven IP
addresses will be reserved and not distributed amongst the network
clients.

It is now time to set the lease duration for how long a client can use an IP
address assigned to it from this scope. It is recommended to add longer
leases for a fixed network (in the office for example) and shorter leases for
remote connections or laptop computers. In this example I have set a
lease duration of twelve hours since the network clients would be a fixed
desktop computer in a local office and the usual working time is eight
hours.


You are given a choice of whether or not you wish to configure the DHCP
options for the scope now or later. If you choose Yes then the upcoming
screenshots will be of use to you. Choosing No will allow you to configure
these options at a later stage.


The router, or gateway, IP address may be entered next. The client
computers will then know which router to use.

In the following window, the DNS and domain name settings can be
entered. The DNS server IP address will be distributed by the DHCP server
and given to the client.


If you have WINS set up then here is where to enter the IP address of the
WINS server. You can just input the server name into the appropriate box
and press "Resolve" to allow it to find the IP address itself.

The last step is to activate the scope - just press next when you see the
window below. The DHCP server will not work unless you do this.


The DHCP server has now been installed with the basic settings in place.
The next stage is to configure it to the needs of your network structure.

Configuring a DHCP server

Below is a simple explanation of how to configure a DHCP server.
The address pool displays a list of IP ranges assigned for distribution and
IP address exclusions. You are able to add an exclusion by right-clicking
the address pool text on the left-hand side of the MMC window and
selecting "New exclusion range". This will bring up a window (as seen
below) which will allow you to enter an address range to be added.
Entering only the start IP will add a single IP address.

DHCP servers permit you to reserve an IP address for a client. This means
that the specific network client will have the same IP for as long as you
want it to. To do this you will have to know the physical (MAC) address of
each network card. Enter the reservation name, desired IP address, MAC
address and description, choose whether you want to support DHCP or
BOOTP, and press Add. The new reservation will be added to the list. As
an example, I have reserved an IP address (10.0.0.115) for a client
computer called Andrew.


If you right click scope options and press "configure options" you will be
taken to a window in which you can configure more servers and their
parameters. These settings will be distributed by the DHCP server along
with the IP address. Server options act as a default for all the scopes in
the DHCP server. However, scope options take preference over server
options.
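The scope behaviour described across this DHCP section, as one added example that is not part of the original document: a scope with an address range, an exclusion range plus a single excluded address, a reservation keyed by MAC address, leases that expire unless renewed, release of an address, and scope options overriding server options. The address ranges and the reservation reuse the values from the text (10.0.0.100 to 10.0.0.110, 10.0.0.150, 10.0.0.115, a twelve-hour lease); the MAC addresses and the option values are constructed, and time is a plain seconds counter rather than the wall clock.

```python
# Added example (not from the original document): a DHCP scope with
# exclusions, reservations, lease expiry/renewal and scope-over-server
# option precedence. MAC addresses, option values and times are constructed.
import ipaddress


def _ip_range(start, end):
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class DhcpScope:
    def __init__(self, start, end, lease_seconds, server_options=None, scope_options=None):
        self.pool = _ip_range(start, end)    # addresses the scope may hand out
        self.lease_seconds = lease_seconds
        self.excluded = set()                # never distributed (e.g. the router)
        self.reservations = {}               # MAC -> fixed IP for that client
        self.leases = {}                     # MAC -> (IP, expiry time)
        self.server_options = dict(server_options or {})
        self.scope_options = dict(scope_options or {})

    def exclude(self, start, end=None):
        """Exclude a range; giving only a start address excludes that one IP."""
        self.excluded.update(_ip_range(start, end or start))

    def reserve(self, mac, ip):
        self.reservations[mac.upper()] = ip

    def expire(self, now):
        """Drop leases whose time has run out; their addresses become free."""
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}

    def request(self, mac, now):
        """Initial request or renewal: returns the IP assigned to the client."""
        mac = mac.upper()
        self.expire(now)
        if mac in self.leases:                       # renewal keeps the address
            ip = self.leases[mac][0]
        elif mac in self.reservations:               # reserved clients get their IP
            ip = self.reservations[mac]
        else:
            taken = ({ip for ip, _ in self.leases.values()}
                     | set(self.reservations.values()) | self.excluded)
            free = [ip for ip in self.pool if ip not in taken]
            if not free:
                raise RuntimeError("scope exhausted: no free addresses")
            ip = free[0]
        self.leases[mac] = (ip, now + self.lease_seconds)
        return ip

    def release(self, mac):
        """Equivalent of ipconfig /release: the address is free for any client."""
        self.leases.pop(mac.upper(), None)

    def option(self, name):
        """Scope options take precedence over server-wide options."""
        return self.scope_options.get(name, self.server_options.get(name))


def try_request(scope, mac, now):
    """Return the assigned IP, or None when the scope has nothing left."""
    try:
        return scope.request(mac, now)
    except RuntimeError:
        return None


if __name__ == "__main__":
    scope = DhcpScope("10.0.0.1", "10.0.0.254", 12 * 3600,
                      server_options={"router": "10.0.0.150", "dns": "10.0.0.2"},
                      scope_options={"dns": "10.0.0.3"})
    scope.exclude("10.0.0.100", "10.0.0.110")
    scope.exclude("10.0.0.150")
    scope.reserve("00-11-22-33-44-55", "10.0.0.115")     # constructed MAC for "Andrew"
    print(scope.request("00-11-22-33-44-55", 0))         # 10.0.0.115 (reservation)
    print(scope.request("aa-bb-cc-dd-ee-01", 0))         # 10.0.0.1 (first free)
    print(scope.option("dns"), scope.option("router"))   # 10.0.0.3 10.0.0.150
```

A reserved address is withheld from the free pool even while its client is offline, which is why a reservation is safer than an exclusion for a device that must always get the same address: the exclusion only stops distribution, the reservation also guarantees delivery.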
In my opinion, the DHCP server in Windows 2003 is excellent! It has been
improved from the Windows 2000 version and is classified as essential for
large networks. Imagine having to configure each and every client
manually - it would take up a lot of time and require far more
troubleshooting if a problem was to arise. Before touching any settings
related to DHCP, it is best to make a plan of your network and think about
the range of IPs to use for the computers.
Domain Name System (DNS)

DNS is the directory used by traditional TCP/IP environments (like the
Internet) to resolve user-friendly names into IP addresses. DNS is a group
of name servers linked together to create a single namespace.

Installing DNS

Please make sure that all of the Windows updates are done and that the
latest drivers and ROM packs have been loaded on the server and applied
to the hardware. This is essential, as you do not want to be applying these
changes at a later stage when the machine goes into production. Skipping
this step will cause unnecessary downtime in future. Please make sure
that a static IP address is assigned to the server before beginning the
installation process.
After all the preamble we are now ready to start installing DNS on our
newly configured and prepared server.
Ensure that Windows Server 2003 Standard is installed and that a static IP
address has been assigned. Figure 1.1 depicts how DNS should be
configured under the advanced TCP/IP settings. In the DNS settings you
must point the server to itself for DNS resolution. If external Internet
names need to be resolved, you can configure a forwarder so that the
requests are sent to the DNS server of the ISP or to an external DNS
server. Selecting a DNS server that is consistently up is paramount, as
external name resolution rests on this resource.

Figure 1.1
Install Microsoft DNS Server
Click on Start, Control Panel, Add or Remove Programs and then on Add or
Remove Windows Components. Then click on Components list, then click
on Networking Services and then click Details, select the Domain Name
System (DNS) check box, and then click OK. Follow the below figure 1.2 for
guidance.


Figure 1.2
After installing DNS you will need to test whether the installation was
successful and whether you are able to resolve names. Nslookup is a
built-in utility that can be used to test whether the service has been
installed and configured correctly. Remember to test both internal and
external names before concluding your tests. When you type nslookup, it
connects to the DNS server configured in your TCP/IP properties or, if you
run the command from a client, to the DNS server handed out by DHCP.
You can then type in the name you want to look up, e.g. www.google.com
or machine.localdomain.net, and it will resolve the name to an IP address;
if this happens you have installed and configured DNS correctly.


Combining DNS and DHCP

While the dynamic registration of host records in the DNS database
sounds like a great idea, a few potential problems come to mind. First,
how do I, as an administrator, ensure that all of my machines (including
my non-Windows 2000/Windows Server 2003 clients) get registered? And
second, how do I ensure that the proper information is included (such as
the correct domain name)?
The secret is to use DHCP. The version of DHCP included in Windows
2000/Windows Server 2003 has the ability to register DNS records on
behalf of its clients as they are given their TCP/IP configuration.

Once the client has accepted an IP address from the DHCP server, it (the
DHCP server) then registers a DNS record on behalf of the client (step
number 2 in Figure 7.27).
This system allows for the creation of host records for those clients that
are unable to register themselves, such as Windows 95, 98, etc. In other
words, your legacy clients can be included in the dynamic registration
process.
Why is this important, you might ask? Well, remember our goal here. The
goal is to remove dependence upon NetBIOS functions. As long as the only
method of resolving those older clients is NetBIOS-based (either through
broadcasts or a WINS server), we are stuck with the NetBIOS traffic on our
networks. For now though, you’ll probably end up with both as you begin
the switch to an Active Directory environment.
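The DHCP-driven registration described in this section, as an added example that is not code from the original document: a dynamically updated zone, and a DHCP server that registers records for the clients it leases addresses to, so that legacy clients unable to send dynamic updates still get a host record with the correct domain suffix, and the records are removed again when the lease ends. The zone name reuses corp.contoso.com from the installation section; host names, MAC addresses and IP addresses are constructed. It also goes one step beyond the text: for clients that register their own A record (Windows 2000/XP), the server still registers the reverse (PTR) record, which is what the Windows 2000/2003 DHCP server does by default.

```python
# Added example (not from the original document): DHCP registering DNS
# records on behalf of its clients. Host names, MACs and IPs are constructed;
# corp.contoso.com is the domain name used earlier in the document.


def reverse_name(ip):
    """10.0.0.20 -> 20.0.0.10.in-addr.arpa (owner name of the PTR record)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class DnsZone:
    """A dynamically updated forward zone plus its reverse-lookup records."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.a_records = {}     # fqdn -> IP
        self.ptr_records = {}   # reverse name -> fqdn

    def fqdn(self, host):
        # The DHCP server supplies the domain name, so every record gets the
        # correct suffix regardless of what the client believes its domain is.
        return f"{host.lower()}.{self.domain}"

    def update_a(self, host, ip):
        self.a_records[self.fqdn(host)] = ip

    def update_ptr(self, host, ip):
        self.ptr_records[reverse_name(ip)] = self.fqdn(host)

    def remove(self, host, ip):
        self.a_records.pop(self.fqdn(host), None)
        self.ptr_records.pop(reverse_name(ip), None)

    def lookup(self, name):
        return self.a_records.get(name.lower())

    def reverse_lookup(self, ip):
        return self.ptr_records.get(reverse_name(ip))


class RegisteringDhcpServer:
    """Hands out leases and keeps the DNS zone in step with them."""

    def __init__(self, zone):
        self.zone = zone
        self.leases = {}    # MAC -> (host, ip)

    def grant(self, mac, host, ip, legacy_client):
        """Record the lease and register DNS records for the client."""
        self.leases[mac] = (host, ip)
        if legacy_client:
            # Windows 95/98-style clients cannot send dynamic updates, so the
            # server registers the host (A) record on their behalf.
            self.zone.update_a(host, ip)
        # The server registers the PTR record for every client (assumption
        # matching the Windows 2000/2003 default; Windows 2000/XP clients
        # register their own A record).
        self.zone.update_ptr(host, ip)
        return self.zone.fqdn(host)

    def expire(self, mac):
        """When the lease ends, the records created for it are removed again."""
        host, ip = self.leases.pop(mac)
        self.zone.remove(host, ip)


if __name__ == "__main__":
    zone = DnsZone("corp.contoso.com")
    dhcp = RegisteringDhcpServer(zone)
    print(dhcp.grant("00-00-00-00-00-01", "WIN98BOX", "10.0.0.20", legacy_client=True))
    print(zone.lookup("win98box.corp.contoso.com"), zone.reverse_lookup("10.0.0.20"))
    dhcp.expire("00-00-00-00-00-01")
    print(zone.lookup("win98box.corp.contoso.com"))   # None after the lease ends
```

Tying record lifetime to the lease is the part that matters operationally: a host record that outlives its lease will point at whichever client next receives that address.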


Benefits of ADS
Active Directory is a state-wide authentication directory that supports
enterprise systems, provides contact information and scheduling
integration, along with providing mechanisms for centralized desktop
management. There are multiple Active Directory (AD) environments in
use across the University of Tennessee campuses and institutes. The
purpose of the Active Directory Project is to migrate all of these
environments into a single AD forest, which will provide the following
benefits:
• Single user name and password - NetID
• Password synched between AD and LDAP Directory Services
• Reduce overhead through standardization
• Improve services through centralized management capabilities
• Provide foundation for the following AD related services:
○ Exchange
○ SharePoint
• Improve workstation security
• Central storage provided for individuals and departments
• Backup and restoration services for central storage
• Server storage space for user documents
• Backed up data on Home and Departmental drives
• Lower departmental cost because infrastructure is managed and
maintained by OIT

