Lesson 5
Essential Services
Learning Objectives
Students will learn about:
Objects
Groups
Domains, Trees, and Forests
Organizational Units
Directory Services with Active Directory
Group Policies

ODN Skills

Understand accounts and groups                          3.1
Understand organizational units (OUs) and containers    3.2
Understand Active Directory infrastructure              3.3
Understand group policy                                 3.4

Lesson Summary
Lecture Notes


This lesson discusses the essential services that other services rely on in order to function
and to provide security: name resolution (DNS), DHCP, and Active Directory, which itself
depends on DNS to locate its resources.
The first part of the lecture discusses name resolution. The main emphasis is the Domain
Name System (DNS). You should also discuss how name resolution began with HOSTS and
LMHOSTS files and how it progressed to the DNS we use today. Emphasize that although
HOSTS and LMHOSTS files are not recommended for name resolution in a corporation, an
administrator can still use them effectively to test a system before its name is published
in DNS.
When discussing DNS, explain what a fully qualified domain name (FQDN) is, how it is used,
and how it maps onto the DNS hierarchy. Then review the resource records that make up a
DNS zone, including the standard record types: SOA, NS, A, PTR, MX, and SRV.
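As an added example that is not part of the lesson text, the following PowerShell queries each record type listed above with Resolve-DnsName and then shows the SRV lookup a domain member performs to find a domain controller, which is why Active Directory depends on DNS. The domain name contoso.local and the domain controller name dc01 are assumptions for a lab; substitute your own.

```powershell
# Added example: not part of the lesson. Queries the DNS record types the lecture lists
# and shows how a domain member locates a domain controller through SRV records.
# Assumptions: lab domain contoso.local and a DC named dc01; substitute your own names.
$domain = 'contoso.local'        # assumption
$dc     = "dc01.$domain"         # assumption

# SOA and NS records describe the zone itself (serial, primary server, name servers).
Resolve-DnsName -Name $domain -Type SOA
Resolve-DnsName -Name $domain -Type NS

# A record: hostname -> IPv4 address.
$a = Resolve-DnsName -Name $dc -Type A | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
$a | Select-Object Name, IPAddress

# PTR record: IP address -> hostname. Resolve-DnsName builds the in-addr.arpa name itself
# when given an IP address. A host whose PTR does not match its A record is a common
# finding when auditing a zone.
Resolve-DnsName -Name $a.IPAddress -Type PTR

# MX record: the hosts that accept mail for the domain.
Resolve-DnsName -Name $domain -Type MX

# SRV records are why Active Directory is "closely tied to DNS": the DC Locator asks for
# _ldap._tcp.dc._msdcs.<domain> and picks a target by priority and weight.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight

# Kerberos KDCs are published the same way (TCP/UDP 88).
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV

# The hosts file the lecture mentions is consulted before DNS, which makes it handy for
# testing a server before its record goes live and a tampering target worth auditing.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }

# nltest reports which DC the locator actually chose from those SRV records.
nltest /dsgetdc:$domain
```

If the SRV query returns nothing, domain members cannot find a domain controller no matter how healthy the DC is; that is the first thing to check when logons fail after a DNS change.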
Before going into Active Directory, discuss Windows Internet Name Service (WINS).
Emphasize that WINS is being phased out. This provides a good transition to DNS
GlobalNames zones, which resolve single-label names without WINS.
After name resolution, the next essential service to discuss is DHCP. Besides being
essential for configuring IP addresses for clients, it also hands out the DNS and WINS
server addresses that clients use.

The rest of the lesson deals with Active Directory. Since most companies use Active
Directory, server administrators deal with it constantly. Therefore, you should tell the
students what Active Directory is and what it can do for a company.
Next, introduce its structure, starting with a domain, then linking domains into trees, and
then linking trees into forests. When describing its structure, explain that Active
Directory has a logical structure and a physical structure. The logical structure is used to
organize your resources; the physical structure is how they actually exist on the network.
The logical structure is the domain, tree, and forest; the physical structure is in the form
of domain controllers and sites.
To understand how Active Directory works, students need to understand FSMO roles and
the global catalog. Then discuss the domain and forest functional levels.
The next part of the lesson discusses organizing your resources. Introduce organizational
units and the common leaf objects, including users, computers, and groups. You should also
differentiate between local and domain user accounts, and between domain local, global,
and universal groups.
Lastly, the lesson ends with Group Policy. Students should understand that one of the most
powerful features of Active Directory is Group Policy.
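The two Group Policy facts students most often get wrong (the account-lockout threshold is a domain-level policy setting, and a GPO links to sites, domains, and OUs but never directly to a group) can be shown from PowerShell. The following is an added example and not part of the lesson; it assumes the domain contoso.local, an existing OU named Engineering and a security group named Engineers, and requires the ActiveDirectory and GroupPolicy modules from RSAT.

```powershell
# Added example: not part of the lesson. Sets the domain account-lockout threshold, links a
# GPO to an OU, and filters it to a group (the closest you can get to "applying" a GPO to a group).
# Assumptions: domain contoso.local, an OU named Engineering and a security group named
# Engineers already exist; the ActiveDirectory and GroupPolicy modules (RSAT) are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = 'contoso.local'   # assumption

# Lock the account after 5 bad passwords for 30 minutes; reset the bad-password counter
# after 30 minutes. This is the Default Domain Policy setting the assessment asks about.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# A GPO links to a site, a domain, or an OU. Create one and link it to the Engineering OU.
$ou  = Get-ADOrganizationalUnit -Filter "Name -eq 'Engineering'"
$gpo = New-GPO -Name 'Engineering Workstation Settings'
New-GPLink -Name $gpo.DisplayName -Target $ou.DistinguishedName -LinkEnabled Yes

# A GPO cannot be linked to a group, but its scope can be narrowed with security filtering:
# only principals with "Apply group policy" receive it. Authenticated Users keeps Read
# (computers must still be able to read the GPO since MS16-072), Engineers gets Apply.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Engineers' -TargetType Group `
    -PermissionLevel GpoApply

# Verify where the GPO is linked and who it applies to.
Get-GPInheritance -Target $ou.DistinguishedName | Select-Object -ExpandProperty GpoLinks
Get-GPPermission -Name $gpo.DisplayName -All | Select-Object Trustee, Permission
```

A lockout threshold of zero (the default in a new domain) means accounts never lock and password spraying is free; a very low threshold instead lets an attacker lock out users at will, so the observation window and duration need to be chosen together with the threshold.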

Key Terms
Active Directory A technology created by Microsoft that provides a variety of network services,
including LDAP, Kerberos, DNS-based naming, and a central location for network administration
and delegation of authority.
built-in group A default group that has been granted specific rights and permissions to get you
started.
computer account An identity found in a domain that represents a computer.
directory service An application that stores, organizes, and provides access to information in a
directory.
distribution group A group used only for non-security functions, such as distributing email; it
cannot be placed on an access control list.
domain controller A Windows server that stores a replica of the account and security information
for the domain and defines the domain boundary.
domain local group A group that typically contains global groups and universal groups, although
it can also contain user accounts and other domain local groups. It is usually created in the
domain that holds the resource to which you want to assign permissions or rights.
Domain Name System (DNS) The name resolution system used on the Internet and on most
networks, which translates host names to IP addresses.
Dynamic Host Configuration Protocol (DHCP) A service that automatically assigns IP
addresses and related parameters so that a host can immediately communicate on an IP network
when it starts.
Flexible Single Master Operations (FSMO) roles Also known as operations master roles,
these are functions that can be handled by only one domain controller at a time: the schema
master, domain naming master, PDC emulator, RID master, and infrastructure master.
forest One or more trees in Active Directory that share a common schema and global catalog
but have disjoint namespaces between trees.
fully qualified domain name (FQDN) The exact position of a host within the DNS hierarchy.
functional level A level defined for a forest or domain that determines which features are
available; it is limited by the oldest Windows Server version running as a domain controller.
global catalog A partial, read-only replica of every object in every domain of the forest, held
on designated domain controllers so that objects can be found and accessed from any domain.
global group A group that can contain user accounts and other global groups from its own
domain. After you place user accounts into global groups, the global groups are typically placed
into domain local groups or local groups.
group A collection or list of user accounts or computer accounts.
group policy One of the most powerful features of Active Directory, which controls the working
environment for user accounts and computer accounts. Group Policy provides centralized
management and configuration of operating systems, applications, and user settings in an Active
Directory environment.
hosts file A text file used to translate host names to IP addresses.
Lightweight Directory Access Protocol (LDAP) An application protocol for querying and
modifying data in directory services over TCP/IP. Within the directory, objects are organized in
a logical hierarchy so that you can easily find and manage them.
member server A server that is joined to a domain but is not running as a domain controller.
object A distinct, named set of attributes or characteristics that represents a network resource.
organizational unit A container found within a domain that is used to organize objects such as
groups, users, and computers, and to which Group Policy can be linked and administration
delegated.
permission A mechanism that defines the type of access granted to an object (identified by its
security identifier) or to an object attribute.
right A mechanism that authorizes a user to perform certain actions on a computer, such as
logging on interactively or backing up files and directories.
security group A group used to assign rights and permissions and to gain access to network
resources.
site One or more IP subnets connected by a high-speed link, typically corresponding to a
geographical location.
tree One or more domains in Active Directory with a contiguous namespace.
trust relationship A link that allows users in one domain to access resources in another
domain.
universal group A group scope designed to contain global groups from multiple domains.
Universal groups can contain global groups, other universal groups, and user accounts, and
their membership is stored in the global catalog.
user account An identity in Active Directory that represents a user.
Windows Internet Name Service (WINS) A legacy naming service that translates NetBIOS
computer names to IP addresses.

Lesson 5
Essential Services
Knowledge Assessment
Fill in the Blank
Complete the following sentences by writing the correct word or words in
the blanks provided.
1. The file that is used to resolve hostnames to IP addresses is hosts.
2. The resource record used in DNS to resolve IP addresses to hostnames is PTR.
3. DHCP automatically assigns IP addresses and other IP configuration to a host.
4. LDAP is a popular directory service protocol with objects arranged in a logical
   hierarchical manner.
5. FSMO roles are roles that provide certain functions that can only be handled by one
   domain controller.
6. A(n) OU is used to organize the objects within a domain.
7. Printers, users, and computers are examples of objects in Active Directory.
8. The local security database found on a member server is known as the SAM.
9. A collection or list of users is known as a group.
10. The Account Operators built-in group is used to create, delete, and modify
    user accounts and groups.

Multiple Choice
Circle the letter that corresponds to the best answer.
1. The primary naming service used in Windows is ____________.
   a. AD
   b. WINS
   c. DNS
   d. DHCP
   (Answer: c)
2. What is the resource record that translates from hostname to IP address in DNS?
   a. PTR
   b.
   c. IP
   d. A
   (Answer: d)
3. _______ is a legacy naming system used to translate computer names/NetBIOS names
   to IP addresses.
   a. AD
   b. WINS
   c. DNS
   d. DHCP
   (Answer: b)
4. What is the master time server?
   a. Schema Master
   b. Domain Naming Master
   c. PDC Emulator
   d. RID Master
   (Answer: c)
5. What holds replica information of every object in a tree and forest?
   a. Infrastructure Master
   b. Schema Master
   c. Global Catalog
   d. PDC Emulator
   (Answer: c)
6. Which group scope is meant to be used to assign permissions to a local resource?
   a. Distribution group
   b. Domain local
   c. Global
   d. Captured
   (Answer: b)
7. Which group scope can contain global groups from multiple domains?
   a. Emulation
   b. Domain local
   c. Global
   d. Universal
   (Answer: d)
8. What can be used to specify how many times a user can enter an incorrect password
   before the account is locked out?
   a. User profile
   b. Group policy
   c. Software policy
   d. User account collection
   (Answer: b)
9. To which of the following can a group policy not be directly applied?
   a. Group
   b. Site
   c. Domain
   d. OU
   (Answer: a)
10. What authorizes a user to perform certain actions on a computer?
   a. Permission
   b. UNC
   c. Right
   d. Task
   (Answer: c)

True / False
Circle T if the statement is true or F if the statement is false.
1. A collection is two or more trees. (Answer: F; one or more trees with disjoint
   namespaces form a forest)
2. Sites and domain controllers are the physical aspects of the network. (Answer: T)
3. A member server is running Active Directory Domain Services. (Answer: F; a member
   server is joined to the domain but is not a domain controller)
4. Higher domain and forest functional levels will enhance the functionality of
   Active Directory. (Answer: T)
5. Active Directory is closely tied to DNS. (Answer: T)

Competency Assessment
Scenario 5-1: Designing Active Directory
You have ten sites throughout the country and five major departments. How would you
design your Active Directory structure?
You can use a single domain with one of two OU designs, depending on how you
delegate administration. One approach is a top-level OU for each of the ten sites with
an OU for each department inside it; the other is a top-level OU for each of the five
departments with an OU for each site inside it. Choose the top level that matches who
administers the objects, because that is where you delegate control and link Group
Policy. Either way, try not to nest OUs more than two or three levels deep, since deep
nesting makes delegation and Group Policy inheritance hard to reason about.
Scenario 5-2: Designing AD Physical Structure
How do you define how the domain controllers will replicate data to the other domain
controllers?
First define sites based on your IP subnets, and place two or more domain controllers
in each site so that authentication does not cross a WAN link and a single domain
controller failure does not take the site offline. Replication within a site happens
automatically between that site's domain controllers; replication between sites
follows the site links you define, with their cost, schedule, and interval. For larger
sites with several domain controllers, designate bridgehead servers to act as the
central point of replication with the other sites.

Proficiency Assessment
Scenario 5-3: Installing Active Directory
Install Active Directory services and promote your computer to a domain controller with
the domain name of domainxx where xx is your student number. If you do not have a
student number, use 01.
No answer is needed. However, this is something that can be demonstrated in class.

Remember that students first need to install the Active Directory Domain Services role.
Then, on Windows Server 2008 and 2008 R2, students run the dcpromo command to start the
Active Directory Domain Services Installation Wizard. On Windows Server 2012 and later,
dcpromo.exe is deprecated and the promotion is done from Server Manager or with the
ADDSDeployment PowerShell module. You can also direct the students to the following website:
http://technet.microsoft.com/en-us/library/cc755258(WS.10).aspx
To install a new forest by using the Windows interface:
1. Open Server Manager. Click Start, point to Administrative Tools, and then
click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page and then
click Next.
4. On the Select Server Roles page, click the Active Directory Domain Services
check box, and then click Next. Note: On a server that runs Windows Server
2008 R2, you might have to click Add Required Features to install .NET
Framework 3.5.1 features before you can click Next.
5. If necessary, review the information on the Active Directory Domain Services
page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the
Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard
page, click Next.
9. On the Operating System Compatibility page, review the warning about the
default security settings for Windows Server 2008 and Windows Server 2008
R2 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Create a new domain
in a new forest, and then click Next.
11. On the Name the Forest Root Domain page, type the full Domain Name
System (DNS) name for the forest root domain, and then click Next.
12. If you selected Use advanced mode installation on the Welcome page, the
Domain NetBIOS Name page appears. On this page, type the NetBIOS name
of the domain if necessary or accept the default name, and then click Next.
13. On the Set Forest Functional Level page, select the forest functional level that
accommodates the domain controllers that you plan to install anywhere in
the forest, and then click Next.
14. On the Set Domain Functional Level page, select the domain functional level
that accommodates the domain controllers that you plan to install anywhere
in the domain, and then click Next.
15. On the Additional Domain Controller Options page, DNS server is selected
by default so that your forest DNS infrastructure can be created during AD
DS installation. If you plan to use Active Directory-integrated DNS, click
Next. If you have an existing DNS infrastructure and you do not want this
domain controller to be a DNS server, clear the DNS server check box, and
then click Next.
16. On the Location for Database, Log Files, and SYSVOL page, type or browse
to the volume and folder locations for the database file, the directory service
log files, and the SYSVOL files, and then click Next.
17. On the Directory Services Restore Mode Administrator Password page, type
and confirm the restore mode password, and then click Next. This password
must be used to start AD DS in Directory Service Restore Mode for tasks that
must be performed offline.
18. On the Summary page, review your selections. Click Back to change any
selections, if necessary. When you are sure that your selections are accurate,
click Next to install AD DS.
You can either select the Reboot on completion check box to have the server restart
automatically or you can restart the server to complete the AD DS installation when
you are prompted to do so.
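On Windows Server 2012 and later the same promotion is done with the ADDSDeployment module. The following is an added example, not from the lesson or the linked TechNet article; it maps the wizard steps above onto Install-ADDSForest and then checks the result in the terms the lecture uses (FSMO roles, global catalog, DNS). The domain name domain01.local, the NetBIOS name DOMAIN01 and the functional level are assumptions; run it in an elevated PowerShell on a freshly installed server.

```powershell
# Added example: not from the lesson or the TechNet article. Performs the wizard's steps
# with the ADDSDeployment module (Windows Server 2012 and later), then verifies the forest.
# Assumptions: forest root domain01.local, NetBIOS name DOMAIN01, functional level
# WinThreshold (Windows Server 2016). Run in an elevated PowerShell on the new server.
$fqdn    = 'domain01.local'   # assumption: replace 01 with your student number
$netbios = 'DOMAIN01'         # assumption
$level   = 'WinThreshold'     # assumption: pick the lowest level your planned DCs all support

# Wizard steps 1-6: install the AD DS role (and the RSAT tools used below).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Wizard step 17: the DSRM password is an offline administrator credential for this DC.
# Prompting keeps it out of the script and the command history.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Wizard steps 10-18 in one call: new forest, functional levels, DNS server role,
# database/log/SYSVOL locations. -Force suppresses the confirmation; the server reboots
# automatically when promotion completes.
Install-ADDSForest `
    -DomainName $fqdn `
    -DomainNetbiosName $netbios `
    -ForestMode $level `
    -DomainMode $level `
    -InstallDns:$true `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true

# After the reboot, check the result in the lecture's terms.
# All five FSMO roles sit on the first DC of a new forest:
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
# The first DC is also the global catalog and sits in the Default-First-Site-Name site:
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, Site
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
# dcdiag exercises DNS registration and the SRV records clients depend on:
dcdiag /test:dns /v | Select-String -Pattern 'passed|failed'
```

The DSRM password deserves the same handling as a Domain Admin password: anyone who can boot the DC into Directory Services Restore Mode with it has offline access to the directory database.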
Scenario 5-4: Managing a Domain
Next, create three users in each OU. Then create a group in each OU that contains the
members of the OU. Create a user called JSmith in the Engineering OU. Add JSmith to
the Engineers group.
No answer is needed. However, this is something that can be demonstrated in class.
To create an organizational unit, right-click where you want to place the
organizational unit, select New, and then select Organizational Unit. Type the name of
the organizational unit and click OK.
To create a group, right-click the organizational unit where you want the group to
be, select New, and then select Group. Type the name of the group, select the group
scope and group type, and then click OK.
To create a user:
1. Right-click the organizational unit where you want the user account to be,
select New, and then select User. Type a first name, last name, and a user
logon name. Then click Next.
2. Type a password in both boxes and click Next.
3. Click Finish.
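The following added example (not from the lesson) scripts Scenario 5-4 with the ActiveDirectory module and then applies the group-scope guidance from the lecture notes: users go into a global group, the global group into a domain local group, and the permission onto the domain local group (the AGDLP pattern). The OU names Engineering, Sales, and Support, the folder C:\Shares\EngData, the helper New-LabUser, and the group name EngData-Modify are assumptions for this lab.

```powershell
# Added example: not part of the lesson. Scripts Scenario 5-4 with the ActiveDirectory
# module, then nests the groups the way the lecture notes describe:
# users -> global group -> domain local group -> permission on the resource (AGDLP).
# Assumptions: the OUs Engineering, Sales and Support, the folder C:\Shares\EngData and
# the group name EngData-Modify are invented for this lab. Run on a DC as a domain admin.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$netbios  = (Get-ADDomain).NetBIOSName
$dnsRoot  = (Get-ADDomain).DNSRoot
$ous      = 'Engineering', 'Sales', 'Support'   # assumption

function New-LabUser {
    # Helper (assumption): creates an enabled user whose initial password is prompted for
    # (never stored in the script or shell history) and must be changed at first logon.
    param([string]$Sam, [string]$Path, [string]$Given = $Sam, [string]$Surname = 'Lab')
    New-ADUser -Name $Sam -SamAccountName $Sam -GivenName $Given -Surname $Surname -Path $Path `
        -UserPrincipalName "${Sam}@${dnsRoot}" `
        -AccountPassword (Read-Host "Initial password for $Sam" -AsSecureString) `
        -ChangePasswordAtLogon $true -Enabled $true
}

foreach ($ou in $ous) {
    # Create the OU if it does not exist (new OUs are protected from accidental deletion by default).
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
    $ouDn = "OU=$ou,$domainDn"

    # Three users per OU, e.g. enguser1..3, saluser1..3, supuser1..3.
    1..3 | ForEach-Object { New-LabUser -Sam "$($ou.Substring(0,3).ToLower())user$_" -Path $ouDn }

    # One global security group per OU holding that OU's users ("Engineers" for Engineering).
    $groupName = if ($ou -eq 'Engineering') { 'Engineers' } else { "$ou-Users" }
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
    Add-ADGroupMember -Identity $groupName -Members (Get-ADUser -Filter * -SearchBase $ouDn)
}

# JSmith in the Engineering OU, added to Engineers.
$engDn = "OU=Engineering,$domainDn"
New-LabUser -Sam 'JSmith' -Path $engDn -Given 'John' -Surname 'Smith'
Add-ADGroupMember -Identity 'Engineers' -Members 'JSmith'

# AGDLP: the permission goes on a domain local group kept with the resource; the global
# group is nested into it. Users never appear on the ACL, so access changes are group edits
# that show up in the directory audit trail rather than in scattered file-system ACLs.
New-ADGroup -Name 'EngData-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $engDn
Add-ADGroupMember -Identity 'EngData-Modify' -Members 'Engineers'
New-Item -ItemType Directory -Path 'C:\Shares\EngData' -Force | Out-Null
icacls 'C:\Shares\EngData' /grant "${netbios}\EngData-Modify:(OI)(CI)M"

# Verify. Get-ADPrincipalGroupMembership lists direct memberships only (Engineers);
# the recursive query shows JSmith reaching EngData-Modify through that nesting.
Get-ADPrincipalGroupMembership -Identity 'JSmith' | Select-Object Name, GroupScope
Get-ADGroupMember -Identity 'EngData-Modify' -Recursive | Select-Object SamAccountName
```

Because the domain local group is the only principal on the folder's ACL, moving JSmith out of Engineering later means removing one group membership; nothing on the file system has to be touched, and the change is visible in the directory's audit log.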
