Understand Active Directory Infrastructure


1 Understand Active Directory Infrastructure
Lesson 3.2, Windows Server Administration Fundamentals

2 Lesson Overview
In this lesson, you will learn about:
- Domains
- Active Directory® forests
- The five operations masters
- How to determine the operations master role holders
- Trust relationships
Instructor note: the points of what the student will learn must reflect the lesson objective.

3 Anticipatory Set
List the five operations master roles:
- Schema Master
- Domain Naming Master
- RID Master
- PDC Emulator
- Infrastructure Master

4 What Is a Domain?
Domains determine replication boundaries and use hierarchical names. All of the domain controllers within a domain can receive changes and replicate them to the other domain controllers in the domain. Domains provide several benefits:
- Organizing objects
- Publishing resources and information about domain objects
- Applying a Group Policy object to the domain consolidates management
- Delegating authority reduces the number of administrators needed
Security policies and settings do not cross domains. Each domain stores only information about the objects located in that domain.

5 Active Directory Forests
When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. The top-level Active Directory container is called a forest. A forest consists of one or more domains that share a common schema and global catalog. A forest is the security and administrative boundary for all objects that reside within it. An organization can have multiple forests, but that will increase the administrative overhead.

In contrast, a domain is the administrative boundary for managing objects, such as users, groups, and computers. Each domain can have individual security policies and trust relationships with other domains.

Multiple domain trees within a single forest do not form a contiguous namespace; that is, they have noncontiguous DNS domain names. Although trees in a forest do not share a namespace, a forest does have a single root domain, called the forest root domain. The forest root domain is, by definition, the first domain created in the forest. The Enterprise Admins and Schema Admins groups are located in this domain. By default, members of these two groups have forest-wide administrative credentials.

6 Operations Masters
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest; three domain-level roles are assigned to the first domain controller created in a domain.
Forest-wide roles:
- Schema Master
- Domain Naming Master
Domain-wide roles:
- RID Master
- PDC Emulator
- Infrastructure Master

7 Five Operations Masters
- Schema Master: responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema; those updates are replicated from it to all other domain controllers in the forest. Having only one schema master per forest prevents the conflicts that would result if two or more domain controllers attempted to update the schema concurrently.
- Domain Naming Master: manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller holding this role must be available in order to: add new domains or application directory partitions to the forest; remove existing domains or application directory partitions from the forest; add replicas of existing application directory partitions to additional domain controllers; add or remove cross-reference objects to or from external directories; prepare the forest for a domain rename operation.
- RID Master: the relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
- PDC Emulator: receives preferential replication of password changes performed by other domain controllers in the domain.
- Infrastructure Master: responsible for updating object references in its domain that point to objects in another domain. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. An object reference contains the object's globally unique identifier (GUID), distinguished name, and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object, including moves within and between domains and deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.
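
The SID structure described for the RID master can be seen directly in PowerShell. The following is an added example, not part of the lesson: it splits a SID into the domain SID and the RID, and decodes a rIDAvailablePool value of the kind the RID master maintains. The SID strings and the pool value are constructed for illustration; the commented Get-ADObject line assumes the RSAT ActiveDirectory module and a reachable domain controller.

```powershell
# Added example, not part of the lesson: decompose a SID into domain SID + RID,
# and decode the rIDAvailablePool attribute the RID master hands out blocks from.
# All sample values below are constructed.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    # Parses and validates the SID; throws on a malformed string.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # For a domain SID (S-1-5-21-...), AccountDomainSid is the part shared by every
    # security principal in the domain; the final sub-authority is the RID.
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    $rid = [int64](($SidString -split '-')[-1])

    [pscustomobject]@{
        Sid         = $sid.Value
        DomainSid   = $domainSid
        Rid         = $rid
        IsWellKnown = ($rid -lt 1000)   # RIDs below 1000 are reserved (500 = built-in Administrator)
    }
}

function Decode-RidPool {
    param([Parameter(Mandatory)][int64]$RidAvailablePool)

    # rIDAvailablePool packs two 32-bit numbers into one 64-bit value:
    # high half = upper bound of RIDs that may ever be allocated in the domain,
    # low half  = next RID the RID master will hand out in a block.
    $mask    = [int64][uint32]::MaxValue
    $nextRid = $RidAvailablePool -band $mask
    $maxRid  = $RidAvailablePool -shr 32

    [pscustomobject]@{
        NextRid       = $nextRid
        MaxRid        = $maxRid
        RidsRemaining = $maxRid - $nextRid
    }
}

# Constructed sample SIDs: one pool-allocated user RID and the well-known Administrator RID.
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-500'

# Constructed pool value: upper bound 1073741823 (0x3FFFFFFF) in the high half,
# next RID 1600 in the low half.
Decode-RidPool 4611686014132422208

# Against a live domain (requires the ActiveDirectory module), the real value lives on
# the RID Manager$ object:
# $dn = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
# Decode-RidPool (Get-ADObject -Identity $dn -Properties rIDAvailablePool).rIDAvailablePool
```

Watching RidsRemaining shrink over time is the practical reason to know where the RID master sits: once the pool is exhausted, no domain controller can create new security principals.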

8 Operations Master Placement
Follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory:
- Leave the two forest-wide roles on a domain controller in the forest root domain
- Place the two forest-wide roles on a global catalog server
- Place the three domain-wide roles on the same domain controller
- In a forest that contains multiple domains, do not place the domain-wide roles on a global catalog server unless all domain controllers in the domain are also global catalog servers
- Place the domain-wide roles on a higher-performance domain controller
- Adjust the workload of the operations master role holder, if necessary

9 How to Determine Operations Master Roles
RID, PDC, and Infrastructure masters:
1. Click Start → All Programs → Administrative Tools → Active Directory Users and Computers.
2. Right-click your domain and select Operations Masters.
This method displays the holders of the RID, PDC, and Infrastructure roles.

10 How to Determine Operations Master Roles
Domain Naming Master:
1. Click Start → All Programs → Administrative Tools → Active Directory Domains and Trusts.
2. Right-click your domain and select Operations Masters.
This method displays the Domain Naming Master.

11 How to Determine Operations Master Roles
Schema Master:
1. Click Start → Run. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. A message states that the registration was successful.
2. Click Start and type MMC.exe in Search programs and files.
3. Click File → Add/Remove Snap-in…, add the Active Directory Schema snap-in, and click OK.
4. Right-click your domain and select Operations Masters…
Instructor note: the DLL has to be registered before the Active Directory Schema snap-in can be added.
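
The three GUI procedures above, together with the placement guidelines on slide 8, can be carried out in one script. The following is an added example, not part of the lesson: it reads all five role holders through the ActiveDirectory PowerShell module and then checks them against the placement guidelines. It assumes the RSAT ActiveDirectory module is installed and that a domain controller is reachable; the function names Get-FsmoHolders and Test-FsmoPlacement are this example's own.

```powershell
# Added example, not part of the lesson: list the five operations master holders
# and check them against the placement guidelines from slide 8.
# Requires the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    [pscustomobject]@{
        ForestRootDomain     = $forest.RootDomain
        Domain               = $dom.DNSRoot
        # forest-wide roles (Active Directory Domains and Trusts / Schema snap-in)
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # domain-wide roles (Active Directory Users and Computers)
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-FsmoPlacement {
    param([Parameter(Mandatory)]$Holders)

    $findings = @()

    # Guidelines 1 and 2: forest-wide roles in the forest root domain, on a global catalog.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $dc = Get-ADDomainController -Identity $Holders.$role
        if ($dc.Domain -ne $Holders.ForestRootDomain) {
            $findings += "$role is on $($dc.HostName), outside the forest root domain $($Holders.ForestRootDomain)"
        }
        if (-not $dc.IsGlobalCatalog) {
            $findings += "$role is on $($dc.HostName), which is not a global catalog server"
        }
    }

    # Guideline 3: the three domain-wide roles on the same domain controller.
    $domainHolders = @($Holders.RIDMaster, $Holders.PDCEmulator, $Holders.InfrastructureMaster) |
        Sort-Object -Unique
    if ($domainHolders.Count -gt 1) {
        $findings += "Domain-wide roles are split across: $($domainHolders -join ', ')"
    }

    # Guideline 4: in a multi-domain forest, domain-wide roles should not sit on a GC
    # unless every DC in the domain is a GC.
    $forest = Get-ADForest
    if (@($forest.Domains).Count -gt 1) {
        $allDcs   = @(Get-ADDomainController -Filter * -Server $Holders.Domain)
        $allAreGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
        foreach ($hostName in $domainHolders) {
            $dc = Get-ADDomainController -Identity $hostName
            if ($dc.IsGlobalCatalog -and -not $allAreGc) {
                $findings += "$($dc.HostName) holds domain-wide roles and is a GC while other DCs in $($Holders.Domain) are not"
            }
        }
    }

    if ($findings.Count -eq 0) { 'Placement matches the guidelines.' } else { $findings }
}

$holders = Get-FsmoHolders
$holders | Format-List
Test-FsmoPlacement -Holders $holders
```

For a quick look without the module, the built-in command netdom query fsmo prints the same five holders; the script above adds the placement checks so that a deviation is reported rather than left for someone to notice.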

12 Trust Relationships
When there are trust relationships between domains, the authentication mechanism for each domain trusts the authentication mechanism of all other trusted domains. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls applied in the trusting domain.
Instructor note: remind students about trust direction and transitivity.
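
Trust direction and transitivity, which the note above asks students to remember, are reported by Get-ADTrust. The following is an added example, not part of the lesson: it lists each trust with its direction translated into the trusting/trusted vocabulary of the slide, along with the transitivity flags and the two settings that limit what a trusted domain's users can claim or reach. It assumes the RSAT ActiveDirectory module and a reachable domain controller; Get-TrustReport and Get-WideExternalTrust are this example's own names.

```powershell
# Added example, not part of the lesson: report trusts with direction, transitivity,
# and the settings that constrain access from the trusted side.
# Requires the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Server = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        # Direction is from the local domain's perspective:
        #   Outbound      = the local domain trusts the partner; partner users can be
        #                   granted access here (local domain is the trusting side)
        #   Inbound       = the partner trusts the local domain; local users can be
        #                   granted access there (local domain is the trusted side)
        #   BiDirectional = both
        $dir  = "$($_.Direction)"
        $role = switch ($dir) {
            'Outbound'      { 'trusting (accepts partner users)' }
            'Inbound'       { 'trusted (partner accepts our users)' }
            'BiDirectional' { 'trusting and trusted' }
            default         { $dir }
        }

        [pscustomobject]@{
            Partner                 = $_.Target
            Direction               = $_.Direction
            LocalRole               = $role
            TrustType               = $_.TrustType
            Transitive              = -not $_.DisallowTransivity
            ForestTransitive        = $_.ForestTransitive
            IntraForest             = $_.IntraForest
            # SID filtering drops SIDs from the partner that do not belong to it;
            # selective authentication requires explicit "Allowed to Authenticate" grants.
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SelectiveAuthentication = $_.SelectiveAuthentication
        }
    }
}

# Trusts where the local domain accepts users from outside its own forest without
# selective authentication: these are the ones to review first, because every
# authenticated user from the partner can be granted access to local resources.
function Get-WideExternalTrust {
    Get-TrustReport | Where-Object {
        -not $_.IntraForest -and
        $_.Direction -in 'Outbound', 'BiDirectional' -and
        -not $_.SelectiveAuthentication
    }
}

Get-TrustReport | Format-Table -AutoSize
Get-WideExternalTrust | Format-Table Partner, Direction, SIDFilteringQuarantined -AutoSize
```

Reading the report against the slide: a row whose LocalRole says "trusting" is a domain whose resources are reachable by the partner's users, still subject to the access controls applied locally, which is exactly why SIDFilteringQuarantined and SelectiveAuthentication are worth recording next to the direction.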

13 Lesson Review
Q: What domain controller maintains all five operations master roles by default?
A: The first domain controller in the forest maintains all five.
Q: What operations master role is responsible for password management?
A: The PDC Emulator.
Q: What are the two forest-wide roles?
A: Domain Naming Master and Schema Master.

