Microsoft Windows Server 2003 Active Directory Infrastructure Prof. Abdul Hameed

Goals Install Active Directory Verify Active Directory installation Introduce operations master roles View the operations master role assignments for a domain Transfer operations master roles Implement an organizational unit structure within a domain Examine application data partitions Prepare for schema modifications

Installing Active Directory (Skill 1) Installing Active Directory To organize objects and implement domain structure Install Active Directory on a Windows Server 2003 computer using the Active Directory Installation Wizard During first time installation Create the root domain, a new domain tree, and a new forest Designate a Windows Server 2003 computer as a domain controller

Installing Active Directory (2) (Skill 1) Installing Active Directory (2) Creating a domain By default, the domain is configured to run in Windows 2000 mixed mode Windows 2000 mixed mode allows various domain controllers to coexist Windows NT 4.0 backup domain controllers (BDCs) Windows 2000 domain controllers (DCs) Windows Server 2003 domain controllers (DCs)

Installing Active Directory (3) (Skill 1) Installing Active Directory (3) If your network consists of only Windows 2000 and Windows Server 2003 domain controllers, switch to Windows 2000 native mode Windows 2000 native mode supports only Windows 2000 domain controllers Windows Server 2003 domain controllers Windows 2000 mixed mode and native mode are identical to those available in Windows 2000

Installing Active Directory (4) (Skill 1) Installing Active Directory (4) Windows Server 2003 provides two new modes Windows Server 2003 mode Only supports Windows Server 2003 domain controllers Gives you the additional ability to rename domain controllers at any time Windows Server 2003 interim mode is used when you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows Server 2003

Installing Active Directory (5) (Skill 1) Installing Active Directory (5) During Active Directory installation, three components are installed Domain Name System (DNS) service Database and database log files Shared system volume

Figure 2-1 Active Directory installation (Skill 1) Figure 2-1 Active Directory installation

Figure 2-2 Internet Protocol (TCP/IP) Properties dialog box (Skill 1) Figure 2-2 Internet Protocol (TCP/IP) Properties dialog box

Figure 2-3 Running Dcpromo (Skill 1) Figure 2-3 Running Dcpromo

Figure 2-4 Detecting network settings (Skill 1) Figure 2-4 Detecting network settings

Figure 2-5 The Server Role screen (Skill 1) Figure 2-5 The Server Role screen

Figure 2-6 The Operating System Compatibility screen (Skill 1) Figure 2-6 The Operating System Compatibility screen

Figure 2-7 The Domain Controller Type screen (Skill 1) Figure 2-7 The Domain Controller Type screen

Figure 2-8 The Create New Domain screen (Skill 1) Figure 2-8 The Create New Domain screen

Figure 2-9 The Permissions screen (Skill 1) Figure 2-9 The Permissions screen

Figure 2-10 Adding a client to a domain (Skill 1) Figure 2-10 Adding a client to a domain

Verifying Active Directory Installation (Skill 2) Verifying Active Directory Installation After you install Active Directory on the first domain controller, you may need to add additional Active Directory domain controllers Before installing additional domain controllers You need installation-critical information from Active Directory You must verify the initial installation to make sure certain components were successfully installed

Verifying Active Directory Installation (2) (Skill 2) Verifying Active Directory Installation (2) Use the Active Directory Users and Computers console to verify an Active Directory installation Use this console, which is an administrative tool, to create and delete objects, set their permissions, and modify their properties Use this console to control primary objects Organizational units (OUs) Windows Server 2003 user accounts, group accounts, computer accounts Published printers

Verifying Active Directory Installation (3) (Skill 2) Verifying Active Directory Installation (3) Verifying an Active Directory installation Verify the presence of the domain that you specified during the Active Directory installation Verify the presence of your new domain controller in the domain controllers OU The presence of certain administrative tools also verifies that Active Directory was successfully installed Active Directory and Trusts console Active Directory Sites and Services console

Verifying Active Directory Installation (4) (Skill 2) Verifying Active Directory Installation (4) Use the Active Directory Domains and Trusts console To manage the trust relationships between two or more domains in the same forest or different forests To provide interoperability with other domains To raise the domain functional level for a domain To transfer the domain naming master role from one domain controller to another To add or remove alternate User Principal Name (UPN) suffixes to/from user logon names

Figure 2-11 The Active Directory Domains and Trusts console (Skill 2) Figure 2-11 The Active Directory Domains and Trusts console

Verifying Active Directory Installation (5) (Skill 2) Verifying Active Directory Installation (5) Use the Active Directory Sites and Services console To create sites and subnets To move domain controllers to the correct sites To configure servers as global catalog servers To create site links This information is used to decide the replication method for directory information and to process service requests

Figure 2-12 The Active Directory Sites and Services console (Skill 2) Figure 2-12 The Active Directory Sites and Services console

Figure 2-13 Verifying the presence of a domain controller (Skill 2) Figure 2-13 Verifying the presence of a domain controller

Figure 2-14 The Sysvol directory (Skill 2) Figure 2-14 The Sysvol directory

Figure 2-15 The Ntds folder (Skill 2) Figure 2-15 The Ntds folder

Verifying Active Directory Installation (6) (Skill 2) Verifying Active Directory Installation (6) In addition to the three default consoles, you can also install an additional tool called the Active Directory Schema snap-in Permits you to view and modify the schema The schema defines the types of objects and the type of information pertaining to those objects that can be stored in Active Directory

Figure 2-16 The Active Directory Schema snap-in installed (Skill 2) Figure 2-16 The Active Directory Schema snap-in installed

Introducing Operations Master Roles (Skill 3) Introducing Operations Master Roles Replication models Multi-master replication model Used to control most functions All domain controllers have the ability to modify Active Directory Single-master model Used when a single domain controller modifies data to control certain types of events in Active Directory

Introducing Operations Master Roles (2) (Skill 3) Introducing Operations Master Roles (2) Each of these special functions is controlled by FSMO (Flexible Single Masters of Operations) servers or, more typically, operations masters Types of special functions Forest-wide operations master roles Domain-wide operations master roles

Introducing Operations Master Roles (3) (Skill 3) Introducing Operations Master Roles (3) Forest-wide operations master roles Two forest-wide FSMO roles Schema master role Domain naming master role Each of these roles can reside on only a single server for the entire forest By default, both roles will be held by the first domain controller created in the root domain of the forest

Introducing Operations Master Roles (4) (Skill 3) Introducing Operations Master Roles (4) Domain-wide operations master roles Three domain-wide roles Primary domain controller (PDC) emulator role Relative ID (RID) master role Infrastructure master role Each of these roles can reside on only a single domain controller in each domain By default, all three roles will be held by the first domain controller created in each domain

Introducing Operations Master Roles (5) (Skill 3) Introducing Operations Master Roles (5) When you create the first domain in a new forest, by default, all five operations master roles are assigned to the first domain controller in that domain Active Directory assigns only the domain-wide operations master roles to the first domain controller of any subsequent child domains that you create in the forest The first domain controller in each of the other domains holds the domain-wide operations master roles

Introducing Operations Master Roles (6) (Skill 3) Introducing Operations Master Roles (6) Guidelines for planning operations master roles for per-forest roles Assign the two forest-wide roles to a high-uptime server; backups of this machine are of special importance Assign the schema master and the domain naming master roles to a single domain controller in one of the domains in the forest

Introducing Operations Master Roles (7) (Skill 3) Introducing Operations Master Roles (7) Guidelines for planning operations master roles for per-domain roles Have at least one additional domain controller act as a standby operations master for other operations masters If a domain controller fails, the standby domain controller can be manually configured to seize the failed domain controller’s roles

Introducing Operations Master Roles (8) (Skill 3) Introducing Operations Master Roles (8) Guidelines for planning operations master roles for per-domain roles Assign both the RID master and the PDC emulator roles to the same domain controller If the domain is large, these roles can be assigned to separate domain controllers to reduce the load on the PDC emulator Make sure these servers are always capable of communicating with each other

Introducing Operations Master Roles (9) (Skill 3) Introducing Operations Master Roles (9) Guidelines for planning operations master roles for per-domain roles If there is more than one domain, do not assign the infrastructure master role to a domain controller that is hosting the global catalog service Global catalog Stores information about objects in a tree or a forest When this information changes, the global catalog updates the information through replication and always contains the latest information about objects

Introducing Operations Master Roles (10) (Skill 3) Introducing Operations Master Roles (10) Guidelines for planning operations master roles for per-domain roles If you assign the infrastructure master role to a domain controller that is also a global catalog server, the infrastructure master will not function properly, because there are no “phantom” references for it to update If possible, try to place the domain naming master on a server hosting the global catalog

Viewing the Operations Master Role Assignments for a Domain (Skill 4) Viewing the Operations Master Role Assignments for a Domain To monitor the operations master roles, you must identify and view the domain controllers that hold the roles Regular monitoring of the operations masters roles in a domain or forest Enables you to determine the performance and load on each of the operations masters This enables you to decide which roles must be transferred to other domain controllers

Viewing the Operations Master Role Assignments for a Domain (2) (Skill 4) Viewing the Operations Master Role Assignments for a Domain (2) To view all of the domain-wide operations master role assignments, use the Active Directory Users and Computers console To view the schema master and the domain naming master roles, use the Active Directory Schema snap-in and the Active Directory Domains and Trusts console

(Skill 4) Figure 2-17 Viewing the default domain-wide operations master role assignments

Figure 2-18 The Change Schema Master dialog box (Skill 4) Figure 2-18 The Change Schema Master dialog box

Figure 2-19 The Change Operations Master dialog box (Skill 4) Figure 2-19 The Change Operations Master dialog box

Transferring Operations Master Roles (Skill 5) Transferring Operations Master Roles After you have identified the domain controllers that hold the operations master roles, you can easily transfer roles between domain controllers Conditions requiring that you transfer operations master roles When you want to change the default operations master because the domain controller is unavailable for replication When the performance of the domain controller holding the operations master role is deteriorating due to excess load

Transferring Operations Master Roles (2) (Skill 5) Transferring Operations Master Roles (2) You can transfer operations master roles between domain controllers within a forest, as well as within domains, with the assistance of the original operations master To transfer an operations master role from one domain controller to another, make sure that both domain controllers are available and connected to each other through the network

Transferring Operations Master Roles (3) (Skill 5) Transferring Operations Master Roles (3) Transferring an operations master role is a two-stage process Connect to the new domain controller that will hold the role Transfer the role to the domain controller you have identified

Transferring Operations Master Roles (4) (Skill 5) Transferring Operations Master Roles (4) You use the Active Directory Users and Computers console to transfer the relative ID master, PDC emulator, and infrastructure master roles You use the Active Directory Domains and Trusts console to transfer the domain naming master role

Transferring Operations Master Roles (5) (Skill 5) Transferring Operations Master Roles (5) Failure of an operations master An operations master may be unavailable due to a system failure If there is any chance of recovering it, you should do so If you cannot recover it, you can force the transfer of the operations master role to another Windows Server 2003 domain controller without the cooperation of the existing owner of the roles This process is called seizing the role Use the Ntdsutil.exe utility at the command prompt to seize any operations master role

Implementing an Organizational Unit Structure within a Domain (Skill 6) Implementing an Organizational Unit Structure within a Domain Planning and creating an organizational unit (OU) structure is the last activity you perform to complete the implementation of Active Directory OUs are container objects used to organize objects in a domain into logical groups to centralize and simplify administration of a large number of objects You can manage users easily and efficiently in an OU In a multiple-domain model, each domain implements its own OU hierarchy

Implementing an Organizational Unit Structure within a Domain (2) (Skill 6) Implementing an Organizational Unit Structure within a Domain (2) Advantages of creating OUs You can apply Group Policy to a particular group of users or computers independently of other groups of users and computers in other OUs You can structure a domain According to the departments and locations in your organization Without OUs, all users are maintained in a single list under a domain

Implementing an Organizational Unit Structure within a Domain (3) (Skill 6) Implementing an Organizational Unit Structure within a Domain (3) Advantages of creating OUs You can delegate administrative control over network resources to users You can easily accommodate any changes that take place in the structure of your organization, for example, reorganizing users between OUs requires less time and effort than reorganizing users between domains

Implementing an Organizational Unit Structure within a Domain (4) (Skill 6) Implementing an Organizational Unit Structure within a Domain (4) Advantages of creating OUs OUs simplify the viewing and administration of directory objects within a domain OUs allow administrators to have easy access to all objects at any level of the hierarchy Plan your OU structure carefully so the organizational units represent your organization in a meaningful and manageable way

Implementing an Organizational Unit Structure within a Domain (5) (Skill 6) Implementing an Organizational Unit Structure within a Domain (5) Three standard models are typically used to design an OU hierarchy Business function-based Geographically-based A combination of both business function and geographically-based

Implementing an Organizational Unit Structure within a Domain (6) (Skill 6) Implementing an Organizational Unit Structure within a Domain (6) Use the business function-based model to create an OU structure that reflects the various business functions within an organization Use the geographically-based model to create an OU structure that represents the location of branches in an organization

Figure 2-20 A business function-based OU structure (Skill 6) Figure 2-20 A business function-based OU structure

Figure 2-21 A geographically-based OU structure (Skill 6) Figure 2-21 A geographically-based OU structure

Implementing an Organizational Unit Structure within a Domain (7) (Skill 6) Implementing an Organizational Unit Structure within a Domain (7) Use a combination of business function and geographically-based models to create an OU structure that reflects the various business functions within the different branches of an organization

Figure 2-22 A business function and geographically-based OU structure (Skill 6) Figure 2-22 A business function and geographically-based OU structure

Figure 2-23 Creating an organizational unit (Skill 6) Figure 2-23 Creating an organizational unit

Implementing an Organizational Unit Structure within a Domain (8) (Skill 6) Implementing an Organizational Unit Structure within a Domain (8) Each OU you create contains a set of default properties Each OU also has additional properties Properties are attributes you use to locate the OU Use the Active Directory Users and Computers console to set the properties

Figure 2-24 MKTG Properties dialog box (Skill 6) Figure 2-24 MKTG Properties dialog box

Understanding Application Data Partitions (Skill 7) Understanding Application Data Partitions Application data partitions Are special database structures within Active Directory They hold information specific to a particular application To fully understand why they are necessary, you must first understand how they function in Active Directory

Understanding Application Data Partitions (2) (Skill 7) Understanding Application Data Partitions (2) A partition in Active Directory is a section of the database With its own root name (using LDAP distinguished names) With its own replication topology The critical principle is replication topology Since all partitions have their own topology, information changes in one partition do not force replication to other partitions

Figure 2-25 Using application data partitions (Skill 7) Figure 2-25 Using application data partitions

Understanding Application Data Partitions (3) (Skill 7) Understanding Application Data Partitions (3) Application data partitions have their own naming convention Applies to DNS names and LDAP distinguished names From the DNS side, an application data partition is typically configured as a child domain of an Active Directory domain From the LDAP side, the partition has its own LDAP distinguished name

Understanding Application Data Partitions (4) (Skill 7) Understanding Application Data Partitions (4) LDAP distinguished name An LDAP naming convention that is used in most, if not all, LDAP compliant databases Think of it as a path name describing the entire path to the object from within the database LDAP names are particularly important because some of the advanced Active Directory utilities (such as Ntdsutil) require them

Understanding Application Data Partitions (5) (Skill 7) Understanding Application Data Partitions (5) Administering application data partitions Typically, you will not need to perform any real administration Your application will usually create the partition for you, and perform all writes and changes Common current applications that make use of application data partitions are DNS and TAPI In certain cases, you may be required to create an application data partition

Understanding Application Data Partitions (6) (Skill 7) Understanding Application Data Partitions (6) To create an application data partition, you can use Ntdsutil.exe, a raw LDAP editor, or Active Directory Services Interface (ADSI) Ntdsutil is the most accessible of these tools It is a powerful and versatile tool for making major modifications to the Active Directory database Since it is a very powerful application, you have the potential for making major mistakes very quickly

Understanding Application Data Partitions (7) (Skill 7) Understanding Application Data Partitions (7) Ntdsutil command line utility Must be run in Directory Services Restore Mode on the domain controller on which you wish to make a change Application data partitions can only be created by Enterprise Administrators By default, the only Enterprise Administrator is the Administrator account in the forest root domain

Preparing for Schema Modifications (Skill 8) Preparing for Schema Modifications Schema Considered the blueprint or rulebook for Active Directory Defines the structure and rules for the Active Directory database To understand more specifically what the schema does, you need to understand more about the structure of Active Directory

Preparing for Schema Modifications (2) (Skill 8) Preparing for Schema Modifications (2) Active Directory is composed of various types of objects Each object is defined by its type, which is referred to as the object class Each object class is defined by the attributes included in the class Attributes are specific fields for the object that store a particular type of information Different object classes can have different attributes, which are suited to the needs of the object

Figure 2-26 Object classes and attributes (Skill 8) Figure 2-26 Object classes and attributes

Preparing for Schema Modifications (3) (Skill 8) Preparing for Schema Modifications (3) You can examine and change most of the attributes for an object class by opening the object class in the Active Directory Schema snap-in You can add attributes to an existing class You can create a new class using new or existing attributes to drastically change the functionality of Active Directory This allows Active Directory to support your own customized applications and data

Preparing for Schema Modifications (4) (Skill 8) Preparing for Schema Modifications (4) A mistake made in the schema can have very severe consequences Microsoft has put several safeguards in place to reduce the chance that mistakes may occur when you are viewing or editing the schema

Preparing for Schema Modifications (5) (Skill 8) Preparing for Schema Modifications (5) Some of Microsoft’s safeguards Object classes and attributes can be deactivated, but they cannot be deleted Deactivating a class results in the inability to create new objects in that class. Deactivating an attribute results in the inability to add the attribute to other classes Mandatory attributes of an existing class cannot be deactivated

Preparing for Schema Modifications (6) (Skill 8) Preparing for Schema Modifications (6) Some of Microsoft’s safeguards Default attributes, which are required for Active Directory to function properly, cannot be deactivated The schema can only be modified on the schema master Only members of the Schema Admins group have permission to modify the schema, by default The Active Directory Schema snap-in is not installed by default

Preparing for Schema Modifications (7) (Skill 8) Preparing for Schema Modifications (7) Precautions exist because of the scope of schema modifications However, there are a few instances in which a schema modification is warranted

Preparing for Schema Modifications (8) (Skill 8) Preparing for Schema Modifications (8) Most commonly, schema modifications are performed for one of two reasons To support business requirements, you may need to add a new attribute or class to the schema To support new Active Directory-integrated applications that store a portion of their data in the Active Directory database, you may need to supply new attributes or classes

Preparing for Schema Modifications (9) (Skill 8) Preparing for Schema Modifications (9) If you choose to modify the schema in the Active Directory Schema snap-in, follow these precautions Thoroughly evaluate the need for the schema modification and make sure that modifying the schema is the best solution Specifically define the modification to be performed Create a script or use another programmatic method to apply the modification and test it thoroughly in an offline environment

Preparing for Schema Modifications (10) (Skill 8) Preparing for Schema Modifications (10) Steps to modify the schema Connect to the schema operations master, preferably using an account that is not a member of the Schema Admins group Use the Run as facility to launch the application you are using to modify the schema as a member of the Schema Admins group

Preparing for Schema Modifications (11) (Skill 8) Preparing for Schema Modifications (11) Steps to modify the schema If the operations master is a Windows 2000 domain controller, enable writes on the schema Modify the schema If the operations master is a Windows 2000 domain controller, disable writes on the schema Disconnect from the schema operations master

Figure 2-27 Viewing an object class in the Schema console (Skill 8) Figure 2-27 Viewing an object class in the Schema console