Working with domains and Active Directory Ch 8-1 Working with domains and Active Directory
Objectives Introduction to domains and domain controllers Pros and cons of using domains Factors to choose between domains and workgroup Domains, subdomains, trees and forests
Introduction to domains The main reason to choose building a network , either workgroup or domain, is to have control over what users can and cannot do on the network Using a workgroup , the administrator have to configure the settings(security and file sharing permissions ) on each machine individually Using a domain one machine called a Domain Controller is responsible for security and permissions
Introduction to domains Windows Server 2008 supports two kinds of network using two different server configurations: for smaller numbers of users,it relies on the workgroup for larger numbers of users,it relies on the domain The same machine can act as either a workgroup server or a domain server Having a domain server means that this server is responsible for dealing with security and permissions on the network
Advantages of using a Domain Better security Centralization of control over users, machines, and resources Improved organizational capability Enhanced performance through efficient resource usage better reliability on large networks
Cost of using domains Increased complexity, which can increase administration time and result in more errors Loss of certain Windows Server 2008 features, such as Internet Connection Sharing (ICS) Required use of some features, such as Active Directory Significantly increased training costs
Factors to choose between a domain or workgroup The number of users Application types, such as databases, require better security and control, which means that you may need a domain with fewer users. High-security applications normally require a domain no matter how few or many users Shared resource applications, such as word processing, don’t require a domain in most cases unless you have a large number of users that must collaborate on content.
Factors to choose between a domain or workgroup Services such as file sharing and printing don’t usually require a domain. Power users generally work better in a workgroup setup. Novice users may not require a domain, but the domain environment can sometimes prevent them from making as many mistakes. Networks with high growth rates may not require a domain today, but will likely need one tomorrow
Domain controller The decision to create a domain means promoting the server to a domain controller Domain controllers (DCs): Servers that have the Active Directory Directory Services (AD DS) server role installed and the same Active Directory information is replicated to every DC. Multimaster replication Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory If information on one DC changes, such as the creation of an account, it is replicated to all other DCs in a process called multimaster replication. In case of DC failure, users can still access resources
Active Directory Basics Directory service that contains information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information Directory service Responsible for providing: a central listing of resources and ways to quickly find and access specific resources and for providing a way to manage network resources AD DS is like a central management center for a Windows Server network.
Schema Active Directory schema User account Part of AD DS , It is simply a database of how data is stored in the domain controller and what information is stored in the domain controller about users and computers and other objects in the network. User account One class of object in Active Directory that is defined through schema elements unique to that class Foe example for the user accounts schema there will be user names and password and email address Schemas are expandable , you can add more data when needed
Hands-On Microsoft Windows Server 2008
Groups and permissions Security is the main issue when managing user accounts in the active directory Instead of giving certain permissions to each account individually it is better to create Groups to deal with security With groups the administrator can add the permissions to different resources on the network one time and then assign users to be a member of the groups
Organizational Unit Organizational unit (OU) Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division Than is possible through domain administration alone An OU is a grouping of related objects within a domain similar to the idea of having subfolders within a folder OUs allow the grouping of objects so that they can be administered using the same group policies OUs can be nested within Ous Groups are made of users OUs are made of groups , users and other resources such as printers
Organizational Unit (continued) When you plan to create OUs, keep three concerns in mind: Microsoft recommends that you limit OUs to 10 levels or fewer Active Directory works more efficiently when OUs are set up horizontally instead of vertically The creation of OUs involves more processing resources because each request through an OU requires CPU time
The Domain The Domain is basically all the computers and users and objects that are tied to the domain controller AD DS On a local area network (LAN), a domain is a sub-network made up of a group of clients and servers under the control of one central security database On the Internet, a domain is part of every network address, including web site addresses, email addresses
Sub domain A sub domain is a domain that is part of a larger domain; the only domain that is not also a sub domain is the root domain Example: googel.com, europe.google.com When you create sub domains from the original domain we will have what is called “a Tree”
Namespace Namespace A logical area on a network that contains directory services and named objects Active Directory employs two kinds of namespaces: contiguous and disjointed A contiguous namespace is one in which every child object contains the name of the parent object, such as in the example of the child object msdn2.microsoft.com and its parent object microsoft.com When the child name does not resemble the name of its parent object, this is called a disjointed name space, such as when the parent for a university is uni.edu, and a child is bio.ethicsresearch.com.
Tree Tree Tree has the following characteristics: Contains one or more domains that are in a common relationship Tree has the following characteristics: Domains are represented in a contiguous namespace and can be in a hierarchy Two-way trust relationships exist between parent domains and child domains All domains use the same global catalog
Forest Forest Forests have the following characteristics: Consists of one or more Active Directory trees that are in a common relationship Forests have the following characteristics: The trees can use a disjointed namespace Two-way transitive trusts are automatically configured between domains within a single forest
Hands-On Microsoft Windows Server 2008
Forest (continued) Forest provides a means to relate trees that use a contiguous namespace in domains within each tree But that have disjointed namespaces in relationship to each other The advantage of joining trees into a forest is that all domains share the same schema and global catalog
Forest (continued) Hands-On Microsoft Windows Server 2008
Global Catalog Global catalog Stores information about every object within a forest Store a full replica of every object within its own domain and a partial replica of each object within every domain in the forest The first DC configured in a forest becomes the global catalog server The global catalog server enables forest-wide searches of data Hands-On Microsoft Windows Server 2008 - edited by Nada Almohaimeed
Homework Download homework 8-1 from the site , solve it, PRINT IT and submit it on the due date