
Active Directory Fundamentals

Win Moody
Senior Trainer, QA
win.moody@qa.com

What we will cover:

  Domains, Trees, Forests
  Domain Controllers, Sites
  The Domain Name System (DNS)
  Replication
  Operations Masters
  Lots of demos

Prerequisite Knowledge

  Understanding of what a directory service is
  Level 200+

Agenda

  Active Directory Logical Concepts
  Active Directory Physical Concepts
  DNS
  Replication
  Operations Masters

Active Directory Logical Concepts: Domains

A domain is the:
  Boundary of Security
    Authentication
    Security Policies
  Boundary of Replication
    Domain NC Replication
  Boundary of DNS Namespace
  Boundary of Administration

(Diagram: a single domain, KAPOHO.NET)

Active Directory Logical Concepts: Trees

  Hierarchy of Domains forming a contiguous namespace
  Transitive Trust Relationships
  All Domains in a Tree share:
    Schema
    Configuration
    Global Catalog

(Diagram: a tree rooted at KAPOHO.NET with child domains HAWAII.KAPOHO.NET and EUROPE.KAPOHO.NET, and the grandchild domain MAUI.HAWAII.KAPOHO.NET)

Active Directory Logical Concepts: Forests

  Hierarchy of Domains forming a contiguous or disjoint namespace
  Transitive Trust Relationships
  All Domains in a Forest share:
    Schema
    Configuration
    Global Catalog

(Diagram: one forest containing two trees, PSP.CO.UK and KAPOHO.NET with its child HAWAII.KAPOHO.NET)

Active Directory Logical Concepts: Organizational Units

  Containers within Domains
  Distinct Units of Administration
  Unique to Domains


Active Directory Physical Concepts: Domain Controllers

  Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs): the Windows NT model
  Domain Controllers (DCs): the Active Directory model, where every DC holds a writable replica

Active Directory Physical Concepts: Sites

  What is a Site?
    A set of well-connected IP subnets
  Site Usage
    Locating Services (e.g. Logon, DFS)
    Replication
    Group Policy Application
  Sites are connected with Site Links
    A site link connects two or more sites
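Because a site is defined as a set of IP subnets, the first thing a client's DC locator does is map its own address to a site. The following added example (not part of the slides or of Windows) models that lookup: subnet objects are matched longest prefix first, and an address with no matching subnet yields no site, which in a real deployment is the case to watch for because such clients may be sent to a DC anywhere in the domain. The subnet and site names are constructed for the example.

```python
"""Added example: map a client IP address to an Active Directory site by
matching it against the subnet objects associated with each site.
Subnets and site names below are constructed, not taken from a real forest."""
import ipaddress

# Constructed subnet-to-site associations, the kind an administrator defines
# in Active Directory Sites and Services. Order does not matter: the most
# specific (longest-prefix) matching subnet decides the site.
SUBNETS = {
    "10.1.0.0/16": "Hawaii",
    "10.1.5.0/24": "Maui",        # carved out of the Hawaii range
    "192.168.0.0/16": "Europe",
    "2001:db8:1::/48": "Europe",  # IPv6 subnets are handled the same way
}


def build_table(subnets):
    """Parse and validate the subnet objects once.

    strict=True rejects a subnet whose host bits are set (for example
    10.1.5.7/24), a common typo that would otherwise silently misroute clients.
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnets.items()]
    # Longest prefix first so the first hit is the most specific subnet.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip, table):
    """Return the site covering ip, or None when no subnet object matches."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def unmapped_clients(ips, table):
    """Reduce a list of observed client addresses to those with no site.

    These are the clients that will not get site-aware service location,
    so an empty result here is what a healthy subnet inventory looks like.
    """
    return [ip for ip in ips if site_for_ip(ip, table) is None]


if __name__ == "__main__":
    table = build_table(SUBNETS)
    for ip in ("10.1.5.7", "10.1.9.2", "192.168.3.4", "172.16.1.1"):
        print(ip, "->", site_for_ip(ip, table))
```

The overlap between 10.1.0.0/16 and 10.1.5.0/24 is deliberate: it shows why the table is sorted by prefix length before matching, since a plain first-match scan would place Maui clients in Hawaii.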

Active Directory Physical Concepts: Site Topology

(Diagram: three sites, Site A, Site B and Site C, spanning the domains Company.com, america.company.com and europe.company.com; each site holds one or more DCs, and some DCs are also GCs. DC = Domain Controller, GC = Global Catalog.)

Active Directory Physical Concepts: Global Catalog

  Partial Replica of all Objects in the Forest
  Configurable subset of Attributes
  Fast Forest-wide searches
  Required at Logon for Universal Group Membership


DNS: DNS Requirements

  SRV Records to locate services (required)
  DDNS for Dynamic Update (desired)
  Windows 2000 and up, DNS also provides:
    Incremental Zone Transfers
    Integration with Active Directory
      Single replication topology
      Multi-master replication
      Secure Dynamic updates
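SRV records are listed as the one hard requirement because they are how a client finds a domain controller at all. The added example below (not from the slides, and not Windows' own locator code) builds the SRV owner names Active Directory registers, both the domain-wide form _ldap._tcp.dc._msdcs.<domain> and the site-specific form _ldap._tcp.<site>._sites.dc._msdcs.<domain>, then orders the answers the way RFC 2782 prescribes: lowest priority value first, weighted random choice among equal priorities, with a fall back to the domain-wide records when a site has none. The zone contents are constructed; the domain name is the slides' KAPOHO.NET.

```python
"""Added example: locating a domain controller through the SRV records that
Active Directory publishes in DNS. The zone below is constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name of the record
    priority: int  # lower value is tried first (RFC 2782)
    weight: int    # relative share of load among equal-priority targets
    port: int
    target: str    # host name of the DC offering the service


DOMAIN = "kapoho.net"  # example domain from the slides

# Constructed sample zone: dc1 and dc2 cover the "Maui" site; dc3 is a
# fallback for the whole domain with a worse (higher) priority value.
ZONE = [
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, f"dc1.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, f"dc2.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 10, 0, 389, f"dc3.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.Maui._sites.dc._msdcs.{DOMAIN}", 0, 100, 389, f"dc1.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.Maui._sites.dc._msdcs.{DOMAIN}", 0, 300, 389, f"dc2.{DOMAIN}"),
]


def locator_name(service, domain, site=None):
    """Build the SRV owner name for a service, site-specific when a site is given."""
    if site:
        return f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_{service}._tcp.dc._msdcs.{domain}"


def lookup(zone, name):
    """Stand-in for a DNS query against the constructed zone (names are case-insensitive)."""
    return [r for r in zone if r.name.lower() == name.lower()]


def order_targets(records, seed=0):
    """RFC 2782 ordering: ascending priority, weighted random within a priority.

    A fixed seed keeps the example reproducible; a real resolver uses fresh randomness.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        same_prio = [r for r in records if r.priority == prio]
        # Zero-weight records go first so they are rarely, but possibly, chosen.
        bucket = [r for r in same_prio if r.weight == 0] + [r for r in same_prio if r.weight > 0]
        while bucket:
            total = sum(r.weight for r in bucket)
            point = rng.randint(0, total)
            running = 0
            for r in bucket:
                running += r.weight
                if running >= point:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def find_dcs(zone, domain, site=None, seed=0):
    """Prefer DCs registered for the client's site; fall back to any DC in the domain."""
    records = lookup(zone, locator_name("ldap", domain, site)) if site else []
    if not records:
        records = lookup(zone, locator_name("ldap", domain))
    return order_targets(records, seed)


if __name__ == "__main__":
    for site in ("Maui", "Europe"):
        print(site, [f"{r.target}:{r.port}" for r in find_dcs(ZONE, DOMAIN, site)])
```

The "Europe" lookup in the usage block finds no site-specific records and silently falls back to the domain-wide list, which is normal behaviour but also why the secure dynamic update item on the slide matters: these records are written into the zone by the DCs themselves, and an update policy that accepts unauthenticated registrations lets any host insert itself into the list clients trust to find a logon server.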

DNS: DNS Implementations

  No existing DNS infrastructure: deploy Microsoft DNS
  Existing DNS: check that it meets the requirements
  Existing DNS not adequate:
    Choice 1: Update the server
    Choice 2: Migrate to Microsoft DNS
    Choice 3: Delegate a subdomain to Microsoft DNS


Replication: Replication Details

  Naming Contexts (NCs) that are replicated:
    Schema Naming Context
    Configuration Naming Context
    Domain Naming Context
  Multi-master Replication
  Intra-site: Bi-directional Ring Topology
  Inter-site: Spanning Tree Topology
  Transports:
    Synchronous RPC over TCP/IP
    Asynchronous SMTP

Replication: Naming Contexts

  Schema
    Definitions of object classes and attributes
    Replicated to all DCs in the forest
  Configuration
    AD structure (domains, sites, and where the DCs are)
    Replicated to all DCs in the forest
  Domain
    Domain-specific objects (users, groups, computers, and OUs)
    Replicated only to the DCs of that domain

Replication: Replication Topologies

  Intra-site Replication: AD replication between DCs within a Site
  Inter-site Replication: AD replication between Sites

Replication: Intra-site Replication

  RPC replication within a Site
  No compression
  Uses a notification process
    Notification delay: 5 minutes on Windows 2000, less on Windows Server 2003
  Assumes good network connections
  KCC generates a bi-directional Ring with extra edges

Tip: Always let the KCC generate the intra-site replication topology when possible

Replication: Inter-site Replication

  Replication between Sites
  DS-RPC (RPC over IP) or SMTP Transports
  SMTP can be used only between:
    GCs across Sites
    DCs of different domains and in different sites
  Compression: 10%-20% of original size
  Scheduled

Replication: Site-links, Bridges and Bridgehead Servers

  Site-links link two or more sites
    Costs and schedules can be specified
    Transitive (can be disabled)
  Site-link Bridges bridge two or more site-links
  Bridgehead servers
  KCC generates a minimum cost spanning tree

Tip: Always let the KCC generate the replication topology
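The slide says the KCC builds a minimum cost spanning tree from the site links and their costs, which is the reason the tip to leave topology generation to the KCC is sound: the tree is recomputed from the costs whenever links change. The following added example (not the slides' content and not Microsoft's KCC) reduces that step to its core with Kruskal's algorithm. A site link that joins more than two sites is expanded into every pair of sites it connects at the link's cost, and the cheapest edges that do not form a cycle are kept. Site names, links and costs are constructed.

```python
"""Added example: a minimum-cost spanning tree over constructed site links,
the core of the inter-site topology the KCC generates."""

# A site link joins two or more sites at one cost (lower cost is preferred).
# Constructed topology: two cheap hub links, one expensive direct link, and a
# four-site backup link that is the only path to Branch3.
SITE_LINKS = [
    ("HQ-Branch1", 100, ["HQ", "Branch1"]),
    ("HQ-Branch2", 100, ["HQ", "Branch2"]),
    ("Branch1-Branch2", 500, ["Branch1", "Branch2"]),
    ("Backup-WAN", 300, ["HQ", "Branch1", "Branch2", "Branch3"]),
]


def pairwise_edges(site_links):
    """Expand each multi-site link into the site pairs it connects."""
    edges = []
    for name, cost, sites in site_links:
        for i, a in enumerate(sites):
            for b in sites[i + 1:]:
                edges.append((cost, a, b, name))
    return edges


def all_sites(site_links):
    return {site for _, _, sites in site_links for site in sites}


def minimum_cost_spanning_tree(site_links):
    """Kruskal's algorithm: take edges cheapest first, skipping any that close a cycle.

    Returns a list of (site_a, site_b, cost, link_name) tuples; replication
    connections between bridgehead servers would follow these edges.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    tree = []
    for cost, a, b, name in sorted(pairwise_edges(site_links)):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b
            tree.append((a, b, cost, name))
    return tree


def total_cost(tree):
    return sum(cost for _, _, cost, _ in tree)


def is_connected(site_links):
    """A spanning tree covers n sites with exactly n-1 edges; fewer means an isolated site."""
    return len(minimum_cost_spanning_tree(site_links)) == len(all_sites(site_links)) - 1


if __name__ == "__main__":
    tree = minimum_cost_spanning_tree(SITE_LINKS)
    for a, b, cost, name in tree:
        print(f"{a} <-> {b} via {name} (cost {cost})")
    print("total cost", total_cost(tree), "connected:", is_connected(SITE_LINKS))
```

Running it shows the two cost-100 hub links chosen, the cost-500 direct link ignored, and the backup link used only for the edge that reaches Branch3. Raising or lowering a single cost and re-running is a quick way to see why hand-built connection objects drift out of step with the intended design while KCC-generated ones do not.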


Operations Masters: Schema and Domain Naming

  Schema Master
    Performs updates to the schema
    Sends updates to all DCs
    One per forest
    Default is the first DC installed
  Domain Naming Master
    Performs add/remove of domains and cross-references to external directory services
    One per forest
    Default is the first DC installed

Operations Masters: PDC, RID and Infrastructure

  Primary Domain Controller (PDC) Emulator
    Acts as a PDC for requests from NT clients
    One per domain
  Relative Identifier (RID) Master
    Generates pools of security identifiers to be distributed to DCs in the domain
    One per domain
  Infrastructure Master
    Updates SIDs on objects across domains
    One per domain
    Not required in a single-domain forest
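The RID master's one-per-domain rule exists because every DC can create security principals, yet two principals must never end up with the same SID. The added example below (not from the slides, not Windows code) models the arrangement: the RID master hands each DC a disjoint pool of relative identifiers, a DC stamps new objects from its pool, and only when the pool runs dry does it go back to the master. The domain SID is constructed; the pool size of 500 is the Windows default, while starting the first pool at 1000 is an assumption made here because lower RIDs belong to well-known accounts such as 500 for Administrator.

```python
"""Added example: RID pool allocation by a single RID master, and the SIDs
that DCs mint from their pools. The domain SID below is constructed."""

# Constructed domain SID; real domain SIDs have the form S-1-5-21-<a>-<b>-<c>.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
POOL_SIZE = 500   # Windows default RID pool size handed to a DC
FIRST_RID = 1000  # assumption for this model: RIDs below 1000 are reserved for well-known accounts


class RidMaster:
    """One per domain: the only authority that hands out RID pools."""

    def __init__(self, first_rid=FIRST_RID, pool_size=POOL_SIZE):
        self.next_rid = first_rid
        self.pool_size = pool_size
        self.issued = []  # (dc_name, low, high): an audit trail of every pool given out

    def allocate_pool(self, dc_name):
        low, high = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = high + 1
        self.issued.append((dc_name, low, high))
        return low, high


class DomainController:
    """Creates principals from its own pool; never invents RIDs on its own."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None
        self.next = None

    def create_principal(self, sam_name):
        """Return the SID for a new user, group or computer created on this DC."""
        if self.pool is None or self.next > self.pool[1]:
            # Pool exhausted: ask the RID master for a fresh one. If the master
            # were unreachable, creation would have to fail rather than risk a duplicate.
            self.pool = self.rid_master.allocate_pool(self.name)
            self.next = self.pool[0]
        rid = self.next
        self.next += 1
        return f"{DOMAIN_SID}-{rid}"


def rid_of(sid):
    """The last component of a SID is the RID."""
    return int(sid.rsplit("-", 1)[1])


def no_duplicate_sids(sids):
    """The invariant the RID master exists to guarantee."""
    return len(set(sids)) == len(sids)


if __name__ == "__main__":
    master = RidMaster()
    dc1, dc2 = DomainController("dc1", master), DomainController("dc2", master)
    sids = [dc1.create_principal("alice"), dc2.create_principal("bob")]
    sids += [dc1.create_principal(f"user{i}") for i in range(600)]
    print("pools issued:", master.issued)
    print("duplicates:", not no_duplicate_sids(sids))
```

Seizing the RID master role onto a second DC while the original is still running breaks exactly this invariant, which is why the audit trail in the model is worth keeping in mind: two masters would both believe they own the next pool.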

Summary

  There are Logical and Physical concepts in Active Directory
  DNS
  Plenty of Information

For More Information

  Main TechNet Web site at www.microsoft.com/technet
  Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98

MS Press: Inside information for IT Professionals
  To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books

Third Party Publications: Supplementary Publications for IT Pros
  These books can be found and purchased at all good book stores and on-line retailers

Microsoft Learning: Training Resources for IT Professionals

  Course 2279: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
    Availability: Now
    Detailed Syllabus: www.microsoft.com/learning
  To locate a training provider, please access www.microsoft.com/learning
  Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services

Assess your Readiness: Microsoft Skills Assessment

  What is Microsoft Skills Assessment?
    Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
    Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
    Free, online, unproctored, and available to anyone
  Answers "Am I ready?"
    Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
    Post your High Score to see how you stack up
  Visit http://www.microsoft.com/assessment

Become a Microsoft Certified Systems Administrator (MCSA)

  What is the MCSA certification?
    For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
  How do I become an MCSA on Microsoft Windows 2003?
    Pass 3 core exams
    Pass 1 elective exam or 2 CompTIA certifications
  Where do I get more information?
    For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa

Become a Microsoft Certified Systems Engineer (MCSE)

  What is the MCSE certification?
    Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software
  How do I become an MCSE on Microsoft Windows 2003?
    Pass 6 core exams
    Pass 1 elective exam from a comprehensive list
  Where do I get more information?
    For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse

Demonstrate Your Security or Messaging Specialization

  What are MCSA/MCSE specializations?
    MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role
  What specializations are available?
    MCSA: Security
    MCSE: Security
    MCSA: Messaging
    MCSE: Messaging
  Where do I get more information?
    For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse

What is TechNet? Put the right answers at your fingertips

TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully.

  TechNet Subscription
    Monthly updates delivered on DVD or CD
    The definitive resource to help you evaluate, deploy and maintain Microsoft products
  TechNet Web Site
    Accessible at www.microsoft.com/technet
    Online resources and community
    Subscriber-only Online Services
  TechNet Flash
    Bi-weekly e-newsletter
    Security updates, new resources, and special offers
  TechNet Events and Web Casts
    Briefings on the latest Microsoft products and technologies
    Hands-on, how-to information
  TechNet Communities
    User Groups
    Managed Newsgroups

Where Can I Get TechNet?

  Visit TechNet Online at www.microsoft.com/technet
  Register for the TechNet Flash at www.microsoft.com/technet/subscriptions/flash.asp
  Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
  Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
  Attend more TechNet Events or view on-line at www.microsoft.com/technet/tcevents/itevents
