Contents
1. Introduction to Active Directory ........ page 1
2. Installation of ADS ........ page 5
3. FSMO roles ........ page 6
4. Network support services ........ page 8
5. Benefits of ADS ........ page 22
ADS Schema
The ADS schema contains the definitions of all object types, such as
computer, user and printer.
In Windows 2003 there is only one schema for the entire forest. There are
two types of definition in the schema:
1) Object classes
2) Attributes
An object class describes a kind of directory object that can be created;
each object class is a collection of attributes.
Attributes are defined separately from object classes. Each attribute is
defined once and can be used in multiple object classes.
Site
A site consists of one or more IP subnets. Sites are connected by
high-speed links. Sites control network traffic (on leased lines) and
workstation logon traffic.
Installation of ADS
1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click
Next.
Note: if this is the first time you have installed Active Directory, you
can click Active Directory help to learn more about Active Directory
before clicking next.
3. On the next page of the Active Directory Installation Wizard, click
Next.
4. On the Domain Controller Type page, click Domain Controller for a
new domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and
then click Next.
6. On the New Domain Name page, in the Full DNS name for new
domain box, type corp.contoso.com, and then click Next.
7. On the Database and Log Folders page, accept the defaults in the
Database folder box and the Log folder box, and then click Next.
8. On the Shared System Volume page, accept the default in the Folder
location box, and then click Next.
9. On the DNS Registration Diagnostics page, click Install and configure
the DNS server on this computer and set this computer to use this
DNS server as its preferred DNS Server, and then click Next.
10. On the Permissions page, click Permissions compatible only with
Windows 2000 or Windows Server 2003 operating systems, and
then click Next.
11. On the Directory Services Restore Mode Administrator Password
page, enter a password in the Restore Mode Password box, retype
the password to confirm it in the Confirm password box, and then
click Next.
12. On the Summary page, confirm the information is correct, and then
click Next.
13. When prompted to restart the computer, click Restart now.
14. After the computer restarts, log on to CONT-CA01 as a member of
the Administrators group.
FSMO Roles
There are just five operations where the usual multiple master model
breaks down, and the Active Directory task must only be carried out on
one Domain Controller. FSMO roles:
PDC Emulator: Most famous for backwards compatibility with NT 4.0
BDCs. However, there are two other jobs this role holder performs even in
Windows 2003 Native Domains: synchronizing the W32Time service and
creating group policies. I admit that it is confusing that these two jobs
have little to do with PDCs and BDCs.
Identify the PDC Emulator
1. Open Active Directory Users and Computers.
• Every domain has only one PDC emulator master. To identify the
PDC emulator in a different domain, target the appropriate domain
before clicking Operations Masters.
RID Master: The Relative ID (RID) Master is one of the operations master
roles that exist in each domain in a forest. It controls the sequence
number for the domain controllers within a domain. It provides a unique
sequence of RIDs to each domain controller in a domain. When a domain
controller creates a new object, the object is assigned a unique security ID
consisting of a combination of a domain SID and a RID. The domain SID is
a constant ID, whereas the RID is assigned to each object by the domain
controller. The domain controller receives the RIDs from the RID Master.
When the domain controller has used all the RIDs provided by the RID
Master, it requests the RID Master to issue more RIDs for creating
additional objects in the domain. If a domain controller exhausts its
pool of RIDs while the RID Master is unavailable, that domain controller
cannot create any new objects.
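The SID structure and RID pool behaviour described above, as an added example (it is not part of the original notes): split_sid shows that the domain SID is constant and only the final component, the RID, varies, and the two small classes simulate a RID Master issuing pools to domain controllers and what happens when a pool runs dry while the role holder is unreachable. Pool size, the SID values and the DC names are constructed.

```python
# Added example, not from the original notes: how a domain object's SID splits
# into the constant domain SID plus a RID, and how a DC draws RIDs from a pool
# issued by the RID Master. Pool size, SID values and DC names are constructed.
import re

# S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>: the three sub-authorities identify the domain
DOMAIN_OBJECT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def split_sid(sid: str) -> tuple:
    """Return (domain SID, RID) for a domain-object SID.

    The domain SID is constant for every object in the domain; the final
    component is the RID the issuing domain controller took from its pool.
    """
    if not DOMAIN_OBJECT_SID.match(sid):
        raise ValueError(f"not a domain object SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


class RidMaster:
    """Issues non-overlapping RID pools so no two DCs ever mint the same SID."""

    def __init__(self, pool_size: int = 500, first_rid: int = 1000):
        self.pool_size = pool_size
        self.next_rid = first_rid
        self.available = True  # set False to simulate the role holder being offline

    def allocate_pool(self) -> range:
        if not self.available:
            raise ConnectionError("RID Master unavailable")
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        return pool


class DomainController:
    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.pool = iter(())  # empty until the first pool is requested

    def create_object(self) -> str:
        """Mint the SID for a new object; refill the pool from the RID Master when empty."""
        try:
            rid = next(self.pool)
        except StopIteration:
            # Pool exhausted: creation only succeeds if the RID Master can be reached.
            self.pool = iter(self.rid_master.allocate_pool())
            rid = next(self.pool)
        return f"{self.domain_sid}-{rid}"


if __name__ == "__main__":
    master = RidMaster(pool_size=2)
    dc1 = DomainController("DC1", "S-1-5-21-1111-2222-3333", master)
    dc2 = DomainController("DC2", "S-1-5-21-1111-2222-3333", master)
    print(dc1.create_object(), dc2.create_object())  # RIDs come from different pools
    master.available = False
    dc1.create_object()  # one RID still left in DC1's pool
    try:
        dc1.create_object()  # pool empty and master offline: creation fails
    except ConnectionError as err:
        print("object creation failed:", err)
```

The point of the tiny pool size in the demo is to reach the failure case quickly; a DC with RIDs left in its pool keeps working through a RID Master outage, which is why losing the role holder is rarely noticed until pools run out.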
Infrastructure Master - The Infrastructure Master (IM) is a domain-wide
FSMO (Flexible Single Master of Operations) role responsible for an
unattended process that "fixes-up" stale references, known as phantoms,
within the Active Directory database or DIT (Directory Information Table).
Phantoms are created on Domain Controllers (DCs) that require a
database cross-reference between an object within their own database
and an object from another domain within the forest. This occurs, for
example, when you add a user from one domain to a group within another
domain in the same forest.
Each DC is individually responsible for creating its own phantoms with the
notable exception of Global Catalogs (GCs). Since GCs store a partial copy
of all objects within the forest, they are able to create cross-domain
references without the need for such phantoms. Phantoms are deemed
stale when they no longer contain up-to-date data, which occurs because
of changes that have been made to the foreign object the phantom
represents, e.g., when the target object is renamed, moved, migrated
between domains or deleted. The IM is exclusively responsible for locating
and fixing stale phantoms. Any changes introduced as a result of the
"fix-up" process must then be replicated to all remaining DCs within the
domain.
Domain Naming Master: Ensures that each child domain has a unique
name. How often do child domains get added to the forest? Not very
often I suggest, so the fact that this is a FSMO does not impact on normal
domain activity. My point is it's worth the price to confine joining and
leaving the domain operations to one machine, and save the tiny risk of
getting duplicate names or orphaned domains.
Schema Master: Operations that involve expanding user properties, e.g.
Exchange 2003 forest prep, which adds mailbox properties to users.
Rather like the Domain Naming Master, changing the schema is a rare
event. However, if you have a team of Schema Administrators all
experimenting with object properties, you would not want there to be a
mistake which crippled your forest. So it's a case of Microsoft knows best:
the Schema Master should be a Single Master Operation and thus a FSMO
role.
Jaadulla Ali Page 7
ACTIVE DIRECTORY IN WINDOWS 2003 SERVER
TCP/IP
TCP and IP were developed by a Department of Defense (DOD) research
project to connect a number of different networks designed by different
vendors into a network of networks (the "Internet"). It was initially
successful because it delivered a few basic services that everyone needs
(file transfer, electronic mail, remote logon) across a very large number of
client and server systems. Several computers in a small department can
use TCP/IP (along with other protocols) on a single LAN. The IP component
provides routing from the department to the enterprise network, then to
regional networks, and finally to the global Internet. On the battlefield a
communications network will sustain damage, so the DOD designed TCP/IP
to be robust and automatically recover from any node or phone line
failure. This design allows the construction of very large networks with
less central management. However, because of the automatic recovery,
network problems can go undiagnosed and uncorrected for long periods of
time.
As with all other communications protocols, TCP/IP is composed of layers:
• IP - is responsible for moving packets of data from node to node. IP
forwards each packet based on a four-byte destination address (the
IP number). The Internet authorities assign ranges of numbers to
different organizations. The organizations assign groups of their
numbers to departments. IP operates on gateway machines that
move data from department to organization to region and then
around the world.
• TCP - is responsible for verifying the correct delivery of data from
client to server. Data can be lost in the intermediate network. TCP
adds support to detect errors or lost data and to trigger
retransmission until the data is correctly and completely received.
• Sockets - is the name given to the package of subroutines that
provide access to TCP/IP on most systems.
The Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of
protocols specifically designed to fulfill two goals:
• Allow communication across WAN (wide area network) links
• Allow communication between diverse environments
Understanding the roots of these protocols leads to an understanding of
their importance in today’s networks.
IP Subnetting
Class A addresses begin with a first octet value between 1 and 126. In
other words, there are only 126 class A networks available on the entire
Internet. (Needless to say, there are no more class A addresses available.)
The first octet is the network portion of the IP address, and the last three
octets represent the host portion. Each class A network can support over
16 million hosts. Now you can see why only a few of these addresses are
needed—not many companies have that number of hosts on their
networks.
Finally, class C networks begin with a first octet value between 192 and
223. On a class C network, the first three octets represent the network
and the last octet represents the host portion. This means that there are a
little over 16 million class C network addresses available, but each can
only support a maximum of 254 hosts.
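The classful split of network and host portions described above, as an added example (not from the original notes) using Python's standard ipaddress module. It goes a little beyond the text: it also handles class B (first octet 128 to 191, two network octets), and it derives the number of networks in each class from the bit layout rather than quoting it. The sample addresses are constructed.

```python
# Added example, not from the original notes: classful address handling with the
# standard-library ipaddress module. Covers class B as well, which the notes skip,
# and counts networks per class from the bit layout; sample addresses are constructed.
import ipaddress

# class -> (first-octet values, number of leading bits that form the network portion)
CLASSES = {
    "A": (range(1, 127), 8),
    "B": (range(128, 192), 16),
    "C": (range(192, 224), 24),
}


def address_class(addr: str) -> str:
    """Classify an IPv4 address by its first octet (classes D/E have no host portion)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for cls, (first_octets, _) in CLASSES.items():
        if first_octet in first_octets:
            return cls
    raise ValueError(f"{addr} is not a class A, B or C address")


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """The network the address belongs to under its class's default mask."""
    prefix = CLASSES[address_class(addr)][1]
    # strict=False lets ip_network zero the host bits for us
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host addresses in the network minus the network and broadcast addresses."""
    return net.num_addresses - 2


def network_count(cls: str) -> int:
    """Networks in a class: first-octet values times the remaining network bits."""
    first_octets, prefix = CLASSES[cls]
    return len(first_octets) * 2 ** (prefix - 8)


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.10"):
        cls = address_class(sample)
        net = classful_network(sample)
        print(f"{sample}: class {cls}, network {net}, "
              f"{usable_hosts(net)} usable hosts, "
              f"{network_count(cls)} networks in class {cls}")
```

Running it reproduces the figures in the text for classes A and C (16,777,214 usable hosts per class A network, 254 per class C network) and gives the class B values in between.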
Let’s start our discussion of management tools with the one we’d really
like to get rid of: WINS. WINS is used to resolve user-friendly NetBIOS
names to their associated IP addresses. While this sounds like a fairly
simple process—and a lot like DNS—you’ll see that WINS is really
yesterday’s news.
First, let’s talk about NetBEUI. NetBEUI is an old, non-routable
communication protocol that was actually designed quite some time ago
to support an Application Programming Interface (API) set named NetBIOS.
When Microsoft first entered the network operating system business, they
decided to use NetBEUI as their default communication protocol. After all,
their first networking product was Windows for Workgroups (WFW)—not a
really robust or scalable product. WFW was designed for small,
departmental-sized environments—in other words, environments without
multiple IP networks (and their associated routers). Most of Microsoft’s
first networking endeavors revolved around the use of NetBEUI to support
NetBIOS.
The next window will ask you to define the range of addresses that the
scope will distribute across the network and the subnet mask for the IP
address. Enter the appropriate details and click next.
You are shown a window in which you must add any exclusions to the
range of IP addresses you specified in the previous window. If for example,
the IP address 10.0.0.150 is that of the company router then you won't
want the DHCP server to be able to distribute that address as well. In this
example I have excluded a range of IP addresses, 10.0.0.100 to
10.0.0.110, and a single address, 10.0.0.150. In this case, eleven IP
addresses will be reserved and not distributed amongst the network clients.
It is now time to set the lease duration for how long a client can use an IP
address assigned to it from this scope. It is recommended to add longer
leases for a fixed network (in the office for example) and shorter leases for
remote connections or laptop computers. In this example I have set a
lease duration of twelve hours since the network clients would be a fixed
desktop computer in a local office and the usual working time is eight
hours.
You are given a choice of whether or not you wish to configure the DHCP
options for the scope now or later. If you choose Yes then the upcoming
screenshots will be of use to you. Choosing No will allow you to configure
these options at a later stage.
In the following window, the DNS and domain name settings can be
entered. The DNS server IP address will be distributed by the DHCP server
and given to the client.
If you have WINS setup then here is where to enter the IP Address of the
WINS server. You can just input the server name into the appropriate box
and press "Resolve" to allow it to find the IP address itself.
The last step is to activate the scope - just press next when you see the
window below. The DHCP server will not work unless you do this.
The DHCP server has now been installed with the basic settings in place.
The next stage is to configure it to the needs of your network structure.
Configuring a DHCP server
Hereunder is a simple explanation of how to configure a DHCP server.
The address pool displays a list of IP ranges assigned for distribution and
IP address exclusions. You are able to add an exclusion by right clicking
the address pool text on the left hand side of the mmc window and
selecting "new exclusion range". This will bring up a window (as seen
below) which will allow you to enter an address range to be added.
Entering only the start IP will add a single IP address.
DHCP servers permit you to reserve an IP address for a client. This means
that the specific network client will have the same IP for as long as you
want it to. To do this you will have to know the physical address (MAC)
of each network card. Enter the reservation name, desired IP address,
MAC address and description - choose whether you want to support DHCP
or BOOTP and press add. The new reservation will be added to the list. As
an example, I have reserved an IP address (10.0.0.115) for a client
computer called Andrew.
If you right click scope options and press "configure options" you will be
taken to a window in which you can configure more servers and their
parameters. These settings will be distributed by the DHCP server along
with the IP address. Server options act as a default for all the scopes in
the DHCP server. However, scope options take preference over server
options.
In my opinion, the DHCP server in Windows 2003 is excellent! It has been
improved from the Windows 2000 version and is classified as essential for
large networks. Imagine having to configure each and every client
manually - it would take up a lot of time and require far more
troubleshooting if a problem was to arise. Before touching any settings
related to DHCP, it is best to make a plan of your network and think about
the range of IPs to use for the computers.
Domain Name System (DNS)
DNS is the directory used by traditional TCP/IP environments (like the
Internet) to resolve user-friendly names into IP addresses. DNS is a group
of name servers linked together to create a single namespace.
Installing DNS
Please make sure that all of the Windows updates are done and the latest
drivers and ROM packs have been loaded on the server and applied to the
hardware. This is essential, as you do not want to be applying these
changes at a later stage when the machine goes into production.
Skipping this step will cause unnecessary downtime in future. Please
make sure that a static IP address is assigned to the server before
beginning the installation process.
After the entire preamble we are now ready to start installing DNS on our
newly configured and prepared server.
Ensure that Windows Server 2003 Standard is installed and that a
static IP address has been assigned. Figure 1.1 depicts how DNS should be
configured under the advanced TCP/IP settings. In the DNS settings
you must point the server to itself for DNS resolution. If external internet
names need to be resolved you can configure a forwarder so that the
requests are sent to the DNS server of the ISP or an external DNS server.
Selecting a DNS server that is consistently up is paramount as external
name resolution rests on this resource.
Figure 1.1
Install Microsoft DNS Server
Click on Start, Control Panel, Add or Remove Programs and then on Add or
Remove Windows Components. Then click on Components list, then click
on Networking Services and then click Details, select the Domain Name
System (DNS) check box, and then click OK. Follow the below figure 1.2 for
guidance.
Figure 1.2
After installing DNS you will need to test whether the installation was
successful and whether you are able to resolve names. Nslookup is a
built-in utility that can be used to test if the service has been installed
and configured correctly. Remember to test both internal and external
names before concluding your tests. After you type nslookup, it connects
to the DNS server configured in your TCP/IP properties, or, if you run this
command from a client, to the DNS server handed out by DHCP. You can then
type in the name you want to look up, e.g. www.google.com or
machine.localdomain.net, and it will resolve the name to an IP address.
If this happens, you have installed and configured DNS correctly.
Once the client has accepted an IP address from the DHCP server, it (the
DHCP server) then registers a DNS record on behalf of the client (step
number 2 in Figure 7.27).
This system allows for the creation of host records for those clients that
are unable to register themselves, such as Windows 95, 98, etc. In other
words, your legacy clients can be included in the dynamic registration
process.
Why is this important, you might ask? Well, remember our goal here. The
goal is to remove dependence upon NetBIOS functions. As long as the only
method of resolving those older clients is NetBIOS-based (either through
broadcasts or a WINS server), we are stuck with the NetBIOS traffic on our
networks. For now though, you’ll probably end up with both as you begin
the switch to an Active Directory environment.
Benefits of ADS
Active Directory is a state-wide authentication directory that supports
enterprise systems, provides contact information and scheduling
integration, along with providing mechanisms for centralized desktop
management. There are multiple Active Directory (AD) environments in
use across the University of Tennessee campuses and institutes. The
purpose of the Active Directory Project is to migrate all of these
environments into a single AD forest, which will provide the following
benefits:
• Single user name and password - NetID
• Password synched between AD and LDAP Directory Services
• Reduce overhead through standardization
• Improve services through centralized management capabilities
• Provide foundation for the following AD related services:
○ Exchange
○ SharePoint
• Improve workstation security
• Central storage provided for individuals and departments
• Backup and restoration services for central storage
• Server storage space for user documents
• Backed up data on Home and Departmental drives
• Lower departmental cost because infrastructure is managed and
maintained by OIT