
Active Directory Fundamentals

Thomas Lee
Chief Technologist, QA
thomas.lee@qa.com

What we will cover:

- Domains, Trees, Forests
- Domain Controllers, Sites
- The Domain Naming Service
- Replication
- Operations Masters
- Lots of demos.

Prerequisite Knowledge

- Understanding of what a directory service is
- Networking skills!

Level 200+

Agenda

- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters

Active Directory Logical Concepts: Domains

- Boundary of Security
- Boundary of Authentication
- Boundary of Replication: NOT!!! (only of Domain NC replication)
- Boundary of DNS Namespace
- Boundary of Administration

Figure: a single domain, KAPOHO.NET.

Active Directory Logical Concepts: Trees

- Hierarchy of Domains forming a contiguous DNS namespace
- Transitive Trust Relationships between domains
- All domains in a Tree share:
  - Schema
  - Configuration
  - Global Catalog

Figure: a tree rooted at KAPOHO.NET with child domains HAWAII.KAPOHO.NET (and its own child MAUI.HAWAII.KAPOHO.NET) and EUROPE.KAPOHO.NET.

Active Directory Logical Concepts: Forests

- Hierarchy of Domains forming a contiguous or disjoint namespace
- Transitive Trust Relationships
- All Domains in a Forest share:
  - Schema
  - Configuration
  - Global Catalog

Figure: a forest containing two trees, PSP.CO.UK and KAPOHO.NET (with its child domain HAWAII.KAPOHO.NET).

Active Directory Logical Concepts: Organizational Units

- Containers within Domains
- Distinct Units of Administration
- Unique to Domains
- Two main uses:
  - Delegation
  - Policies


Active Directory Physical Concepts: Domain Controllers

- Primary Domain Controller (PDC)
- Backup Domain Controller (BDC)
- Domain Controllers (DC)

Active Directory Physical Concepts: Sites

What is a Site?
- A set of well-connected IP subnets

Site Usage
- Locating Services (e.g. Logon, DFS)
- Replication
- Group Policy Application

Sites are connected with Site Links
- A Site Link connects two or more sites

Active Directory Physical Concepts: Site Topology

Figure: three sites (Site A, Site B, Site C) holding the DCs and GCs of the domains Company.com, america.company.com and europe.company.com. Legend: DC = Domain Controller, GC = Global Catalog.

Active Directory Physical Concepts: Global Catalog

- Partial Replica of all Objects in the Forest
- Configurable subset of Attributes
- Fast Forest-wide searches
- Required at Logon for Universal Group Membership
  - Win2k3 Universal Group Caching


DNS

- DNS is fundamental to AD
  - No DNS == No AD
  - Even on a single server!
- You have options over:
  - DNS Topology
  - DNS Namespace
  - DNS Server

DNS

- SRV Records to locate services (required)
- DDNS for Dynamic Update (desired)
- With Windows 2000 and up, DNS also provides:
  - Incremental Zone Transfer
  - Active Directory Integrated zones
    - Single replication topology
    - Multi-master replication
    - Secure Dynamic update

Tip: Use the latest version of BIND!
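As an added example (not part of Thomas Lee's deck), here is the site-aware lookup a client performs with the SRV records above, in Python: it finds its site by longest-prefix match against the site subnets, asks for the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` record first with the domain-wide `_ldap._tcp.dc._msdcs.<domain>` record as fallback, and tries the returned DCs in RFC 2782 priority/weight order. The subnets, site names, domain and SRV answers are constructed sample data, not live DNS.

```python
"""Added example (not from the original deck): site-aware DC lookup via DNS SRV
records. Subnet table and SRV answers are constructed sample data, not live DNS."""
import ipaddress, random

# Constructed site definitions: IP subnets mapped to the site they belong to.
SUBNETS = {"10.1.0.0/16": "SiteA", "10.1.50.0/24": "SiteC", "192.168.0.0/16": "SiteB"}

# Constructed SRV answers: owner name -> [(priority, weight, target)].
SRV = {
    "_ldap._tcp.SiteA._sites.dc._msdcs.kapoho.net": [
        (0, 100, "dc1.kapoho.net"), (0, 50, "dc2.kapoho.net"), (10, 100, "dc3.kapoho.net")],
    "_ldap._tcp.dc._msdcs.kapoho.net": [
        (0, 100, "dc1.kapoho.net"), (0, 100, "dc3.kapoho.net"), (0, 100, "dc4.kapoho.net")],
}

def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the site subnets."""
    addr, best = ipaddress.ip_address(ip), None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def srv_names(domain, site):
    """Site-specific SRV name first, then the domain-wide name as fallback."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return names + [f"_ldap._tcp.dc._msdcs.{domain}"]

def order_srv(records, rng):
    """RFC 2782 ordering: lowest priority first, weighted random within it."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:  # pick one record at a time, proportional to its weight
            point, acc = rng.uniform(0, sum(r[1] for r in pool)), 0
            for r in pool:
                acc += r[1]
                if point < acc or r is pool[-1]:
                    break
            ordered.append(pool.pop(pool.index(r)))
    return ordered

def locate_dc(ip, domain, srv=SRV, rng=None):
    """Return the SRV name that answered and the DC targets in try order."""
    rng = rng or random.Random(0)
    for name in srv_names(domain, site_for_ip(ip)):
        if srv.get(name):
            return name, [r[2] for r in order_srv(srv[name], rng)]
    return None, []
```

A client in a site with no DC of its own (SiteC here) falls through to the domain-wide record, which is why a missing site-specific SRV record shows up as logons served by a distant DC rather than as an outright failure.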

DNS Implementations

- No existing DNS infrastructure:
  - Deploy Microsoft DNS
- Existing DNS meets requirements
- Existing DNS not adequate:
  - Choice 1: Update Server
  - Choice 2: Migrate to Microsoft DNS
  - Choice 3: Delegate a subdomain to Microsoft DNS


Replication: Replication Details

- Naming Contexts that are replicated:
  - Schema Naming Context
  - Configuration Naming Context
  - Domain Naming Context
- Multi-Master Replication
- Intra-site: Bi-directional Ring Topology
- Inter-site: Spanning Tree Topology
- Transports:
  - Synchronous RPC over TCP/IP
  - Asynchronous SMTP

Replication: Naming Contexts

Schema
- Definitions of attributes
- Replicated to all DCs in the forest

Configuration
- AD Structure (domains, sites, and where the DCs are)
- Replicated to all DCs in the forest

Domain
- Domain specific objects (users, groups, computers, and OUs)
- Replicated to all DCs in its domain

Replication: Replication Topologies

- Intra-Site Replication: AD replication between DCs within a Site
- Inter-Site Replication: AD replication between Sites

Replication: Intra-Site Replication

- RPC Replication in a Site
- No compression
- Uses notification process
  - 5 minutes in Windows 2000
  - Less in Windows Server 2003
- Assumes good network connections
- KCC generates a bi-directional Ring with extra edges

Tip: Always let KCC generate the intra-site replication topology when possible

Replication: Inter-Site Replication

- Replication between Sites
- DS-RPC (RPC over IP) or SMTP Transports
  - SMTP can be used only between GCs across Sites
  - or between DCs of different domains in different sites
- Compression: 10%-20% of original size
- Scheduled

Replication: Site-Links, Bridges and Bridgehead Servers

- Site Links link two or more sites
  - Cost and schedules can be specified
  - Transitive (can be disabled)
- Site-Link Bridges
  - Bridge two or more site links
- Bridgehead servers
- KCC generates a minimum cost spanning tree

Tip: Always let KCC generate the replication topology
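As an added example (not part of Thomas Lee's deck), the spanning tree the KCC derives from site-link costs, worked in Python: each site link is expanded into edges between its member sites at that link's cost, and Kruskal's algorithm then keeps the cheapest edges that join not-yet-connected sites. The site names, link names and costs are constructed; the tie-break on link name is this example's choice, not the KCC's.

```python
"""Added example (not from the original deck): deriving the inter-site
replication tree from site-link costs, the way the KCC does. Site links are
constructed sample data; Kruskal's algorithm stands in for the KCC/ISTG."""

# Constructed site links: name -> (cost, member sites). A link with more than
# two members connects every pair of its members at the link's cost.
SITE_LINKS = {
    "London-Paris": (100, {"London", "Paris"}),
    "London-NewYork": (300, {"London", "NewYork"}),
    "Paris-NewYork": (350, {"Paris", "NewYork"}),
    "US-Backbone": (50, {"NewYork", "Chicago", "Dallas"}),
    "Dallas-Honolulu": (500, {"Dallas", "Honolulu"}),
}

def site_link_edges(site_links):
    """Expand each site link into site-pair edges; cost ties sort by link name."""
    edges = []
    for name, (cost, members) in site_links.items():
        sites = sorted(members)
        for i, a in enumerate(sites):
            for b in sites[i + 1:]:
                edges.append((cost, name, a, b))
    return sorted(edges)

def spanning_tree(site_links):
    """Kruskal: keep the cheapest edge that joins two not-yet-connected sites.
    Returns (chosen edges, total cost, number of disconnected islands)."""
    parent = {}
    def find(s):  # union-find with path halving
        parent.setdefault(s, s)
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s
    chosen, total = [], 0
    for cost, name, a, b in site_link_edges(site_links):
        ra, rb = find(a), find(b)
        if ra != rb:  # a cycle would only add a redundant replication path
            parent[ra] = rb
            chosen.append((name, a, b, cost))
            total += cost
    islands = len({find(s) for s in list(parent)})
    return chosen, total, islands

def links_in_use(site_links):
    """Site links the KCC would actually build connection objects over."""
    return sorted({e[0] for e in spanning_tree(site_links)[0]})
```

An island count above 1 means some sites have no site-link path to the rest and will not replicate inter-site at all, which is the first thing to check when a remote site's DC is stale.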


Operations Masters: Schema and Domain Naming

Schema Master
- Performs updates to the schema
- Sends updates to all DCs
- One per forest
- Default is the first DC installed

Domain Naming Master
- Performs add/remove of domains and cross-references to external directory services
- One per forest
- Default is the first DC installed

Operations Masters: PDC, RID and Infrastructure

Primary Domain Controller (PDC)
- Acts as a PDC for requests from NT clients
- One per domain

Relative Identifier (RID)
- Generates pools of security identifiers to be distributed to DCs in the domain
- One per domain

Infrastructure
- Updates SIDs and domains for objects that are moved in and out of the domain

Summary

- There are Logical and Physical concepts
- DNS
- Plenty of Information

For More Information

Main TechNet Web site at www.microsoft.com/technet

Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98

MS Press

Inside information for IT Professionals

To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books

Third Party Publications

Supplementary Publications for IT Pros

These books can be found and purchased at all good book stores and on-line retailers

Microsoft Learning

Training Resources for IT Professionals

Course: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Course Number: 2279
Availability: Now
Detailed Syllabus: www.microsoft.com/learning

QA Special Offer on ALL IT Professional Training
- 50% off all QA courses running 1st Week in January 2005
- 40% off all other courses running in January 2005
- www.qa.com/course/specialofferdetails.aspx?code=xmasbonus

To locate a training provider, please access www.microsoft.com/learning
Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services

Assess your Readiness: Microsoft Skills Assessment

What is Microsoft Skills Assessment?
- Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
- Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
- Free, online, unproctored, and available to anyone

Answers "Am I ready?"
- Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
- Post your High Score to see how you stack up

Visit http://www.microsoft.com/assessment

Become a Microsoft Certified Systems Administrator (MCSA)

What is the MCSA certification?
- For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system

How do I become an MCSA on Microsoft Windows 2000?
- Pass 3 core exams
- Pass 1 elective exam or 2 CompTIA certifications

Where do I get more information?
- For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa

Become a Microsoft Certified Systems Engineer (MCSE)

What is the MCSE certification?
- Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software.

How do I become an MCSE on Microsoft Windows 2003?
- Pass 6 core exams
- Pass 1 elective exam from a comprehensive list

Where do I get more information?
- For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse

Demonstrate Your Security or Messaging Specialization

What are MCSA/MCSE specializations?
- MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role.

What specializations are available?
- MCSA: Security
- MCSE: Security
- MCSA: Messaging
- MCSE: Messaging

Where do I get more information?
- For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse

What is TechNet?

Put the right answers at your fingertips

TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully

TechNet Subscription
- Monthly updates delivered on DVD or CD
- The definitive resource to help you evaluate, deploy and maintain Microsoft products

TechNet Web Site
- Accessible at www.microsoft.com/technet
- Online resources and community
- Subscriber-only Online Services

TechNet Flash
- Bi-weekly e-newsletter
- Security updates, new resources, and special offers

TechNet Events and Web Casts
- Briefings on the latest Microsoft products and technologies
- Hands-on, how to information

TechNet Communities
- User Groups
- Managed Newsgroups

Where Can I Get TechNet?

- Visit TechNet Online at www.microsoft.com/technet
- Register for the TechNet Flash at www.microsoft.com/technet/subscriptions/flash.asp
- Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
- Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
- Attend more TechNet Events or view on-line at www.microsoft.com/technet/tcevents/itevents
