2004.07.13
TRANSCRIPT
-
7/30/2019 2004.07.13
1/44
Welcome to St. Edward's University Professional Education Center
Ed Jacoby
MCSE, MCNE, MCNI, MCT
-
Understanding Active Directory in Windows Server 2003
-
Overview
Active Directory Directory Services Overview
Active Directory Logical Components
Functional Levels
Active Directory Physical Components
Active Directory Partitions
Active Directory Objects
Administering a Microsoft Windows Server 2003 Network Using Active Directory Tools
-
Lesson: Active Directory Directory Services Overview
What Is Active Directory?
Benefits of Active Directory
DNS Integration
Active Directory Naming Conventions
-
What Is Active Directory?
Directory service functionality:
Organize
Manage
Control
Centralized management
Single point of administration
[Diagram: Active Directory as the single point of administration for network resources]
-
Benefits of Active Directory
Windows Server 2003 without Active Directory provides significant benefits:
Scalable and reliable application server
Internet Information Server 6.0
Remote access and VPN server
Network Services (DNS and DHCP, for example)
Windows Server 2003 with Active Directory provides additional benefits:
Authentication and authorization service
Single sign-on across multiple servers and services
Centralized management of servers and client computers
Centralized administration of users and computers
Centralized management of network resources
-
DNS Integration
Name resolution
Resolve names of servers and clients to IP addresses, and vice versa (possibly)
Namespace definition
An Active Directory domain's name must be represented in DNS
Active Directory requires DNS
DNS does not require Active Directory
Locating the physical components of Active Directory
Client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos protocol, LDAP, and so on
-
Active Directory Naming Conventions
LDAP Distinguished name
LDAP Relative distinguished name
User principal name (Kerberos)
Service principal name
Globally unique identifier (GUID)
Uniqueness of names
CN=Jeff Smith, CN=Users, DC=contoso, DC=msft
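The naming conventions on this slide, worked through as an added example that is not part of the original deck: a small parser that splits a distinguished name into its relative distinguished names, derives the domain's DNS name from the DC components (the DNS representation the previous slide requires), builds a Kerberos-style UPN, and checks the container in which the RDN must be unique. It assumes RFC 2253 DN syntax (comma-separated RDNs with backslash escapes) and a UPN suffix equal to the domain's DNS name; apart from the slide's own DN, the names are constructed.

```python
# Added example, not from the slides: parse an LDAP distinguished name (DN)
# and derive the related names the slide lists. Assumes RFC 2253 syntax
# (RDNs separated by commas, special characters escaped with a backslash)
# and a UPN suffix equal to the domain's DNS name (an assumption).

def split_rdns(dn):
    """Split a DN on unescaped commas; whitespace around the commas is ignored."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)      # keep the escape for unescape() below
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def unescape(value):
    """Drop the backslash in front of an escaped character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_dn(dn):
    """Return (attribute, value) pairs, most specific component first."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        pairs.append((attr.strip().upper(), unescape(value.strip())))
    return pairs

def relative_dn(dn):
    """The RDN is the first component; it must be unique within its container."""
    attr, value = parse_dn(dn)[0]
    return "%s=%s" % (attr, value)

def dns_domain(dn):
    """The DC components, joined in order, give the domain's DNS name."""
    labels = [v for a, v in parse_dn(dn) if a == "DC"]
    if not labels:
        raise ValueError("DN has no DC components: %r" % dn)
    return ".".join(labels)

def user_principal_name(logon_name, dn):
    """Kerberos-style UPN: logon name @ DNS domain (suffix is an assumption)."""
    return "%s@%s" % (logon_name, dns_domain(dn))

def same_container(dn_a, dn_b):
    """Two DNs share a container when everything after the RDN is identical,
    which is exactly the scope in which the RDN uniqueness rule applies."""
    return parse_dn(dn_a)[1:] == parse_dn(dn_b)[1:]

if __name__ == "__main__":
    dn = "CN=Jeff Smith, CN=Users, DC=contoso, DC=msft"   # the DN on the slide
    print(parse_dn(dn))
    print(relative_dn(dn), dns_domain(dn), user_principal_name("jsmith", dn))
```

The escape handling matters in practice: a common name such as "Smith, Jeff" is written as CN=Smith\, Jeff in a DN, and a splitter that cuts on every comma would mis-parse it into two RDNs.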
-
Lesson: Active Directory Logical Components
What Are Domains?
What Are Trees?
What Are Forests?
What Are Organizational Units?
What Are Trust Relationships?
Types of Trusts in Windows Server 2003
-
What Are Domains?
Logical partition in the Active Directory database
Collections of users, computers, groups, and so on
Units of replication
Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
Domain controllers do not replicate domain partition information for other domains
[Diagram: replication among the domain controllers of a Windows 2000 or Windows Server 2003 domain]
-
What Are Trees?
One or more domains that share a contiguous DNS namespace, for example:
nwtraders.msft
childdomain.nwtraders.msft
otherdomain.nwtraders.msft
Child domains derive their namespace from parent
Group policy, administration, and such do not flow
across domain boundaries by default
-
What Are Forests?
One or more domains that share:
Common schema
Common configuration
Automatic transitive trust relationships
Common global catalog
Forests can contain from as few as one domain to many domains and/or many trees
Domains are not required to be in a single tree or share a namespace
First domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003
-
What Are Organizational Units?
Container objects within a domain
Used to organize resources to reflect administrative divisions; may not map to organizational structure
Used to delegate administrative authority
Used to apply Group Policy
[Diagram: organizational structure (Sales, Paris, Repair) compared with the network administrative model (Users, Sales, Computers)]
-
What Are Trust Relationships?
Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
Some trusts are automatically created
Parent-child domains trust each other
Tree root domains trust forest root domain
Other trusts are manually created
Forest-to-forest transitive trusts can be created between Windows Server 2003 forests only (i.e. not between Windows 2000 forests)
-
Types of Trusts in Windows Server 2003
Default: two-way, transitive Kerberos trusts (intraforest)
Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
Reduce authentication requests
Forest: one- or two-way, transitive Kerberos trusts
Windows Server 2003 forests only; Windows 2000 does not support forest trusts
Only between forest roots
Creates transitive domain trust relationships
External: one-way, non-transitive NTLM trusts
Used to connect to/from Microsoft Windows NT or external Windows 2000 domains
Manually created
Realm: one- or two-way, non-transitive Kerberos trusts
Connect to/from UNIX MIT Kerberos realms
-
Lesson: Functional Levels
Forest and Domain Functional Levels
Forest Functional Levels
Forest Functional Levels: Features
Domain Functional Levels
Domain Functional Levels: Features
-
Forest and Domain Functional Levels
Functional levels determine:
Supported domain controller operating system
Active Directory features available
Domain functional levels can be raised independently of one another
Raising the forest functional level is performed by an Enterprise Administrator
Requires all domains to be at Windows 2000 native or Windows Server 2003 functional levels
-
Forest Functional Levels: Features
Forest functional level: Windows 2000
Features supported:
Install replica DC from media
Universal group caching
Forest functional level: Windows Server 2003 Interim
Features supported: same as Windows 2000, plus:
LVR replication (Linked Value Replication: new group structuring)
Improved ISTG (Inter-Site Topology Generator, which generates replication connections)
Forest functional level: Windows Server 2003
Features supported: same as Windows Server 2003 Interim, plus:
Dynamic auxiliary classes
User to INetOrgPerson change
Schema deactivation or reactivation
Domain rename
Forest trust
-
Domain Functional Levels: Features
Domain functional level: Windows 2000 mixed
Features supported:
Install replica DC from media
Universal group caching
Application directory partitions
UI enhancements: saved queries, drag-and-drop
Domain functional level: Windows 2000 native / Windows Server 2003 Interim
Features supported: same as Windows 2000 mixed, plus:
Group nesting and converting
Universal security and distribution groups
Universal group membership caching
SID history
Domain functional level: Windows Server 2003
Features supported: same as Windows 2000 native, plus:
Update logon timestamp attribute
Kerberos KDC version numbers
User password on INetOrgPerson
Domain rename
-
Lesson: Active Directory Physical Components
What Are Sites?
Why Use Sites?
Domain Controllers
What Is a Global Catalog?
Global Catalog Servers
Single Master Operations
Schema Master
Domain Naming Master
PDC Emulator
RID Master
Infrastructure Master
-
What Are Sites?
Areas of fast network connectivity
Single site may contain many domains
Single domain may span many sites
Domain controllers are associated with a given site
[Diagram: domain and site]
-
Why Use Sites?
Each site should have one or more subnets associated with it
Used by domain controllers to determine replication behavior
Used by computers to locate the closest domain controllers for authentication and searches of the directory
Used by site-aware applications like DFS to locate network resources closest to client computers
[Diagram: sites Chicago, Seattle, New York and Los Angeles, each associated with IP subnets]
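How a client turns "query DNS for a domain controller" (the DNS Integration slide) and "use the site to find the closest one" (this slide) into concrete lookups, as an added example that is not part of the original deck: it builds the SRV names Active Directory registers for LDAP, Kerberos and the global catalog, tries the site-scoped name before the domain-wide one, and ranks the answers. The SRV naming follows the _msdcs layout Active Directory publishes; the zone contents and the site name are constructed sample data, and the ranking is a deterministic stand-in for the weighted random selection RFC 2782 describes.

```python
# Added example, not from the slides: DNS SRV lookups a Windows client makes
# to locate domain controllers, site-scoped first. The SRV label layout is
# the one Active Directory registers; the zone below is constructed data.

SERVICE_SRV = {
    # service -> (SRV label, zone suffix below the domain or forest DNS name)
    "ldap":     ("_ldap._tcp",     "dc._msdcs"),
    "kerberos": ("_kerberos._tcp", "dc._msdcs"),
    "gc":       ("_gc._tcp",       ""),        # GC records sit under the forest name
}

def srv_names(service, dns_name, site=None):
    """Names to query: the site-scoped record first (if a site is known),
    then the domain- or forest-wide record as a fallback."""
    label, suffix = SERVICE_SRV[service]
    names = []
    if site:
        tail = ".".join(p for p in (site, "_sites", suffix, dns_name) if p)
        names.append("%s.%s" % (label, tail))
    tail = ".".join(p for p in (suffix, dns_name) if p)
    names.append("%s.%s" % (label, tail))
    return names

# Constructed sample zone: SRV name -> list of (priority, weight, port, target)
SAMPLE_ZONE = {
    "_ldap._tcp.Chicago._sites.dc._msdcs.nwtraders.msft": [
        (0, 100, 389, "dc1.nwtraders.msft"),
    ],
    "_ldap._tcp.dc._msdcs.nwtraders.msft": [
        (0, 100, 389, "dc1.nwtraders.msft"),
        (0, 100, 389, "dc2.nwtraders.msft"),
        (10, 100, 389, "dc3.nwtraders.msft"),   # higher priority number = fallback
    ],
    "_gc._tcp.nwtraders.msft": [
        (0, 100, 3268, "dc1.nwtraders.msft"),
    ],
}

def rank(records):
    """Lowest priority first; within one priority, highest weight first
    (deterministic stand-in for RFC 2782 weighted random selection)."""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))

def locate(service, dns_name, site=None, zone=SAMPLE_ZONE):
    """Return (SRV name that answered, [(target host, port), ...]) using the
    first name in srv_names() that has records; (None, []) when nothing does."""
    for name in srv_names(service, dns_name, site):
        if name in zone:
            return name, [(target, port) for _, _, port, target in rank(zone[name])]
    return None, []

if __name__ == "__main__":
    print(locate("ldap", "nwtraders.msft", site="Chicago"))
    print(locate("ldap", "nwtraders.msft", site="Seattle"))   # no site record: domain-wide
    print(locate("gc", "nwtraders.msft"))
```

For a defender the useful observation is the fallback path: a client in a site with no DC of its own (Seattle in the sample) silently authenticates against whichever domain-wide record ranks first, so site and subnet definitions directly shape which DCs see a site's logon traffic.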
-
Domain Controllers
Domain controllers provide authentication and authorization services
Domain controllers replicate directory partitions
Every domain controller in the forest has a replica of the schema and configuration partitions
Every domain controller in a domain has a replica of that domain's domain partition
Domain controllers may contain replicas of application partitions
-
What Is a Global Catalog?
Just as a telephone book contains limited information about all people and businesses within a city, the global catalog (GC) contains limited information about every object in a forest
Within the schema, certain attributes are marked for inclusion in the GC, and:
Searches are commonly performed against these attributes
By searching against the GC, individual domains do not have to be queried in most cases: the GC can resolve the query
Servers that hold a copy of the global catalog are called global catalog servers
GCs are always domain controllers for some domain in the forest
By default, only the first domain controller in a forest is configured as a GC
In most cases, at least one domain controller in each site should be configured as a GC
-
Single Master Operations
Most operations in Active Directory are multi-master, meaning that any domain controller can write to the Active Directory database
Some functionality must not be performed in multi-master fashion, so five single master operations roles are defined in Active Directory:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
-
PDC Emulator
One per Active Directory domain
Emulates PDC functionality for Windows NT BDCs
Even in domains without Windows NT BDCs, the PDC emulator role is still required
Urgent replication events are sent to the PDC emulator; for example:
Account lockouts
Changing of LSA secrets (trust passwords)
Numerous other functions rely on PDC emulator
Default placement is first domain controller in domain
-
Lesson: Active Directory Objects
Security Principals
What Is a SID?
What Is a RID?
What Is a GUID?
Groups in Active Directory
What Are Global Groups?
What Are Universal Groups?
What Are Domain Local Groups?
Other Active Directory Objects
-
Security Principals
Entities that can initiate an action or be granted or denied access to resources
Users
InetOrgPerson
Computers that are running:
Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003
Groups
Service accounts
If it can be placed into an access control list (ACL), it is a security principal
-
What Is a SID?
Security IDentifier
Variable-length number that is used to identify security principals
Used in ACLs to identify security principals that are granted or denied access to objects in Active Directory and file system resources
When a security principal is moved from one domain to another in Windows Server 2003, the object's SID changes
When a security principal is moved within a domain, its SID does not change
-
What Is a RID?
Relative IDentifier
When a security principal is created in a Windows Server 2003 domain, the principal's SID is comprised of two concatenated values:
The SID of the domain in which the principal is being created
A relative identifier that is unique within that domain
When a security principal is moved to another domain, it receives a new SID, which is comprised of the SID of the destination domain and a RID that is unique within that domain
Moves within a domain do not change SIDs or RIDs
-
What Is a GUID?
Globally Unique IDentifier
128-bit number generated at the time an object is created in the directory
Never changes
Travels with an object
When an object is moved, even between domains in a forest, its GUID does not change
Used by domain controllers to identify objects in Active Directory for purposes of replication
Not used to identify security principals in ACLs
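The SID, RID and GUID slides together, as an added example that is not part of the original deck: a SID in its S-1-5-21-... string form ends in the RID and the part in front of it is the domain SID, and the small model below shows what a move within a domain and a move to another domain do to the SID, the RID and the objectGUID, and why ACL checks are made against SIDs (current or historical) rather than the GUID. The domain SIDs are constructed, the in-process RID counter stands in for the RID master, and keeping the old SID in sIDHistory on a cross-domain move is a simplifying assumption about migration tooling rather than a description of any specific tool.

```python
# Added example, not from the slides: take a SID apart into domain SID + RID
# and model what moves do to SID and objectGUID. Domain SIDs are constructed;
# the RID counter and the sIDHistory handling are simplifying assumptions.
import uuid

def split_sid(sid):
    """Return (domain SID, RID) for a principal's SID string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a principal SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

class Domain:
    def __init__(self, sid, first_rid=1000):
        self.sid = sid
        self.next_rid = first_rid     # real DCs draw from pools issued by the RID master

    def allocate_rid(self):
        rid = self.next_rid           # unique within this domain
        self.next_rid += 1
        return rid

class SecurityPrincipal:
    def __init__(self, name, domain, container):
        self.name = name
        self.guid = uuid.uuid4()      # objectGUID: set at creation, never changes
        self.domain = domain
        self.container = container
        self.sid = "%s-%d" % (domain.sid, domain.allocate_rid())
        self.sid_history = []         # sIDHistory: earlier SIDs kept so old ACLs resolve

    def move_within_domain(self, container):
        """Intra-domain move: the DN changes, SID, RID and GUID stay the same."""
        self.container = container

    def move_to_domain(self, dest):
        """Inter-domain move: new SID = destination domain SID + a RID unique
        there; the old SID is kept in sIDHistory; the GUID does not change."""
        if dest is self.domain:
            return
        self.sid_history.append(self.sid)
        self.domain = dest
        self.sid = "%s-%d" % (dest.sid, dest.allocate_rid())

def acl_entry_matches(ace_sid, principal):
    """ACL entries name SIDs (current or historical), never the GUID."""
    return ace_sid == principal.sid or ace_sid in principal.sid_history

if __name__ == "__main__":
    corp = Domain("S-1-5-21-1111111111-2222222222-3333333333")        # constructed
    emea = Domain("S-1-5-21-4444444444-5555555555-6666666666", 5000)  # constructed
    p = SecurityPrincipal("jsmith", corp, "CN=Users")
    print(p.sid, split_sid(p.sid), p.guid)
    p.move_to_domain(emea)
    print(p.sid, split_sid(p.sid), p.guid, p.sid_history)
```

The replication-versus-ACL split on the slide falls straight out of this model: replication needs an identifier that survives every move (the GUID), while access control needs the domain-qualified identifier that changes when the object changes domains (the SID).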
-
Groups in Active Directory
Group types
Distribution groups
Not a security principal
Used primarily as an e-mail distribution list
Security groups
Security principals
Used to manage access to network resources
Group scopes
Global groups
Universal groups
Domain local groups
-
What Are Global Groups?
Global group rules
Members:
Mixed mode: User accounts from the same domain
Native mode: User accounts and global groups from the same domain
Can be a member of:
Mixed mode: Domain local groups
Native mode: Universal and domain local groups in any domain, and global groups in the same domain
Scope: Visible in its own domain and all trusted domains
Permissions: All domains in the forest
-
What Are Universal Groups?
Universal group rules
Members:
Mixed mode: Not applicable
Native mode: User accounts, global groups, and other universal groups from any domain in the forest
Can be a member of:
Mixed mode: Not applicable
Native mode: Domain local and universal groups in any domain
Scope: Visible in all domains in a forest
Permissions: All domains in a forest
-
What Are Domain Local Groups?
Domain local group rules
Members:
Mixed mode: User accounts and global groups from any domain
Native mode: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain
Can be a member of:
Mixed mode: None
Native mode: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
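The three group-rule slides (global, universal and domain local) encoded as data, as an added example that is not part of the original deck: the "Members" rows become a table keyed by mode and group scope, and a checker walks a set of memberships and reports every one the rules forbid, which is the check a reviewer wants when auditing nesting after a domain is switched to native mode. Member kinds are user, global, universal and domain_local; the two domains, objects and memberships are constructed.

```python
# Added example, not from the slides: the group-rule tables as data, plus a
# checker that flags memberships the rules forbid. Member kinds are user,
# global, universal and domain_local; sample objects are constructed.

SAME, ANY = "same domain", "any domain"

# mode -> group scope -> { member kind: where the member may come from }
ALLOWED_MEMBERS = {
    "mixed": {
        "global":       {"user": SAME},
        "universal":    {},                        # universal groups: not applicable
        "domain_local": {"user": ANY, "global": ANY},
    },
    "native": {
        "global":       {"user": SAME, "global": SAME},
        "universal":    {"user": ANY, "global": ANY, "universal": ANY},
        "domain_local": {"user": ANY, "global": ANY, "universal": ANY,
                         "domain_local": SAME},
    },
}

def can_contain(mode, group_scope, member_kind, same_domain):
    """May a group of this scope hold this kind of member in this mode?"""
    rule = ALLOWED_MEMBERS[mode][group_scope].get(member_kind)
    if rule is None:
        return False
    return rule == ANY or same_domain

def check_memberships(mode, objects, memberships):
    """objects: name -> (kind, domain); memberships: (member, group) pairs.
    Returns the list of violations (empty when every membership is legal)."""
    violations = []
    for member, group in memberships:
        m_kind, m_dom = objects[member]
        g_kind, g_dom = objects[group]
        if g_kind == "user":
            violations.append("%s is a user and cannot have members" % group)
        elif not can_contain(mode, g_kind, m_kind, m_dom == g_dom):
            violations.append("%s mode: %s (%s, %s) may not contain %s (%s, %s)"
                              % (mode, group, g_kind, g_dom, member, m_kind, m_dom))
    return violations

# Constructed sample: two domains (corp, emea) in one forest
SAMPLE_OBJECTS = {
    "jsmith":      ("user", "corp"),
    "bjones":      ("user", "emea"),
    "sales_users": ("global", "corp"),
    "emea_sales":  ("global", "emea"),
    "all_sales":   ("universal", "corp"),
    "file_access": ("domain_local", "corp"),
}
SAMPLE_MEMBERSHIPS = [
    ("jsmith", "sales_users"),      # user -> global, same domain: always fine
    ("bjones", "sales_users"),      # user from another domain -> global: never allowed
    ("sales_users", "all_sales"),   # global -> universal: native mode only
    ("emea_sales", "all_sales"),    # global from another domain -> universal: native only
    ("all_sales", "file_access"),   # universal -> domain local: native mode only
]

if __name__ == "__main__":
    for mode in ("mixed", "native"):
        for v in check_memberships(mode, SAMPLE_OBJECTS, SAMPLE_MEMBERSHIPS):
            print(v)
```

Run against the sample, native mode reports the single cross-domain user in a global group, while mixed mode additionally rejects every membership that involves the universal group, matching the "Not applicable" rows on the universal group slide.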
-
Other Active Directory Objects
Printer objects
Used by clients to locate printers on the network
Printer objects can be configured with multiple attributes (printing speed, color, location) to simplify searching for printers
Shared folder objects
Used by clients to locate shared folders on the network
Shared folders can be configured with descriptions and key words to simplify searching
Contact
Used to store information about a person without creating a security principal
-
Lesson: Administering a Microsoft Windows Server 2003 Network Using Active Directory
Using Active Directory for Centralized Management
Managing the User Environment
Delegating Administrative Control
-
Using Active Directory for Centralized Management
Active Directory:
Enables a single administrator to centrally manage resources
Enables administrators to easily locate information
Enables administrators to group objects into organizational units
Uses Group Policy to specify policy-based settings
[Diagram: a domain containing OU1 (Computers, Users) and OU2 (Users, Printers) with Computer1, User1, User2 and Printer1, and a search across the domain, OU1 and OU2]
-
Managing the User Environment
[Diagram: Group Policy applied once to OU1, OU2 and OU3 in a domain; Windows Server enforces it continually]
Use Group Policy to:
Control and lock down what users can do
Centrally manage software installation, repairs, updates, and removal
Configure user data to follow users whether they are online or offline
-
Delegating Administrative Control
Grant permissions:
To delegate control to other administrators for specific organizational units
To modify specific attributes of an object in a single organizational unit
To perform the same task in all organizational units
Customize administrative tools to:
Map to delegated administrative tasks
Simplify interface design
[Diagram: Admin1, Admin2 and Admin3 delegated control of OU1, OU2 and OU3 within the domain]
-
Group Policy Tools
Tool: Description
GPResult.exe: Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer; uses the new WMI-based RSoP provider to show policy status
GPUpdate.exe: Refreshes local and Active Directory Group Policy settings, including security settings; supersedes the now obsolete /refreshpolicy option of the secedit command
-
New Tools for Windows Server 2003
Tool: Description
PowerCfg.exe: Configures ACPI/hibernate state
WhoAmI.exe: Classic logon script tool
Where.exe: Powerful command-line search tool
ForFiles.exe: Enhances batch file control
FreeDisk.exe: Checks space before launching scripts
GetType.exe: Determines SKU type in Windows
Inuse.exe: Replaces files on next reboot
SetX.exe: Sets environment variables
TimeOut.exe: Classic sleep tool with /Nobreak
Choice.exe: Enhances batch file control and select state
Clip.exe: Redirects output to clipboard and cut/paste
WaitFor.exe: Synchronizes start of batch files
TakeOwn.exe: Sets ownership ACL on files
VBS tools: Now digitally signed to work with SAFER
-
Key Support Tools
Tool: Description
Activate.exe: Bulk product licensing and rollout tool
ADdiag.exe: Active Directory diagnostics
DNScmd.exe: DNS server management
Filever.exe: Displays file version information
LDP.exe: LDAP query tool, any Active Directory object
NetDiag.exe: Network and security diagnostics
Netdom.exe: Domain management tool
Nltest.exe: Network Logon diagnostics
Pviewer.exe: GUI-based process inspection tool
RepAdmin.exe: Replication diagnostics
Replmon.exe: Replication monitoring tool
Xcacls.exe: Extended ACL management
-
DISCUSSION AND QUESTIONS