Domain and Active Directory

Date post: 03-Jun-2018
Upload: neil-achacoso
  • 8/12/2019 Domain and Active Directory

    1/14  Understanding Active Directory in Windows Server 2003

    2/14  Overview

    Active Directory Directory Services Overview
    Active Directory Logical Components
    Functional Levels
    Active Directory Physical Components
    Active Directory Partitions
    Active Directory Objects
    Administering a Microsoft Windows Server 2003 Network Using Active Directory Tools

    3/14  Lesson: Active Directory Directory Services Overview

    What Is Active Directory?
    Benefits of Active Directory
    DNS Integration
    Active Directory Naming Conventions

    4/14  What Is Active Directory?

    Directory service functionality
        Organize
        Manage
        Control
    Centralized management
    Single point of administration
    (Diagram labels: Active Directory; Resources)

    5/14  Benefits of Active Directory

    Windows Server 2003 without Active Directory provides significant benefits
        Scalable and reliable application server
        Internet Information Server 6.0
        Remote access and VPN server
        Network services (DNS and DHCP, for example)
    Windows Server 2003 with Active Directory provides additional benefits
        Authentication and authorization service
        Single sign-on across multiple servers and services
        Centralized management of servers and client computers
        Centralized administration of users and computers
        Centralized management of network resources

    6/14  DNS Integration

    Name resolution
        Resolve names of servers and clients to IP addresses, and optionally vice versa
    Namespace definition
        An Active Directory domain's name must be represented in DNS
        Active Directory requires DNS
        DNS does not require Active Directory
    Locating the physical components of Active Directory
        Client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos protocol, LDAP, and so on

    7/14  Active Directory Naming Conventions

    LDAP distinguished name
    LDAP relative distinguished name
    User principal name (Kerberos)
    Service principal name
    Globally unique identifier (GUID)
    Uniqueness of names

    Examples:
        [email protected]  (user principal name)
        CN=Jeff Smith, CN=Users, DC=contoso, DC=msft  (distinguished name)
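To tie the naming conventions above to the DNS integration slide, here is an added example (not part of the deck) that parses a distinguished name into its relative distinguished names, derives the DNS domain name spelled out by its DC= components, and builds the DNS SRV owner names a domain member queries to locate domain controllers offering a given service. The SRV names are the standard DC locator records; the example assumes the parsed domain is the forest root, since the _gc._tcp record is registered under the forest root domain.

```python
"""Added example, not from the slide deck: parse an LDAP distinguished name into
its relative distinguished names, derive the DNS domain name encoded by its DC=
components, and build the SRV names a client resolves to locate domain controllers."""
from typing import Dict, List, Tuple

# Standard DC locator SRV records.  _gc._tcp is registered under the forest root
# domain, so this example assumes the parsed domain is the forest root.
SRV_TEMPLATES: Dict[str, str] = {
    "ldap": "_ldap._tcp.dc._msdcs.{domain}",
    "kerberos": "_kerberos._tcp.dc._msdcs.{domain}",
    "gc": "_gc._tcp.{domain}",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 backslash
    escapes such as 'CN=Smith\\, Jeff' and tolerating spaces after commas."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, in_value, i = "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:          # end of the attribute type
            attr, buf, in_value = "".join(buf).strip().upper(), [], True
        elif ch == "," and in_value:            # end of one RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr:                # dangling comma or no '=' at all
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def dns_domain_from_dn(dn: str) -> str:
    """The DC= components, read left to right, spell the domain's DNS name."""
    labels = [value for attr, value in parse_dn(dn) if attr == "DC"]
    if not labels:
        raise ValueError("DN has no DC= components")
    return ".".join(labels)


def dc_locator_srv_names(domain: str) -> Dict[str, str]:
    """SRV owner names a client resolves to find a DC for each service."""
    return {svc: tpl.format(domain=domain) for svc, tpl in SRV_TEMPLATES.items()}
```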

    8/14  Lesson: Active Directory Logical Components

    What Are Domains?
    What Are Trees?
    What Are Forests?
    What Are Organizational Units?
    What Are Trust Relationships?
    Types of Trusts in Windows Server 2003

    9/14  What Are Domains?

    Logical partition in the Active Directory database
    Collections of users, computers, groups, and so on
    Units of replication
        Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
        Domain controllers do not replicate domain partition information for other domains
    (Diagram labels: Windows 2000 or Windows Server 2003 Domain; Replication)

    10/14  What Are Trees?

    One or more domains that share a contiguous DNS namespace, for example:
        nwtraders.msft
        childdomain.nwtraders.msft
        otherdomain.nwtraders.msft
    Child domains derive their namespace from the parent
    Group Policy, administration, and the like do not flow across domain boundaries by default

    11/14  What Are Forests?

    One or more domains that share:
        Common schema
        Common configuration
        Automatic transitive trust relationships
        Common global catalog
    Forests can contain from as few as one domain to many domains and/or many trees
    Domains are not required to be in a single tree or to share a namespace
    The first domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003

    12/14  What Are Organizational Units?

    Container objects within a domain
    Used to organize resources to reflect administrative divisions; may not map to the organizational structure
    Used to delegate administrative authority
    Used to apply Group Policy
    (Diagram comparing an organizational structure with a network administrative model; labels: Sales, Paris, Repair, Users, Sales, Computers)

    13/14  What Are Trust Relationships?

    Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
    Some trusts are automatically created
        Parent-child domains trust each other
        Tree root domains trust the forest root domain
    Other trusts are manually created
        Forest-to-forest transitive trusts can be created between Windows Server 2003 forests only (i.e. not between Windows 2000 forests)

    14/14  Types of Trusts in Windows Server 2003

    Default: two-way, transitive Kerberos trusts (intraforest)
    Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
        Reduce authentication requests
    Forest: one- or two-way, transitive Kerberos trusts
        Windows Server 2003 forests only; Windows 2000 does not support forest trusts
        Only between forest roots
        Creates transitive domain trust relationships
    External: one-way, non-transitive NTLM trusts
        Used to connect to/from Microsoft Windows NT or external Windows 2000 domains
        Manually created
    Realm: one- or two-way, non-transitive Kerberos trusts
        Connect to/from UNIX MIT Kerberos realms
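As an added illustration (not part of the deck) of how these trust types compose, the constructed model below represents the tree from the earlier slide as a forest and computes the authentication referral path between two domains: it shows how a shortcut trust removes the hop through the forest root, and why a one-way, non-transitive external trust to the root does not extend to the child domains. The domain names are those on the tree slide; LEGACY is a placeholder for an external domain, and the rule that a non-transitive trust is usable only as a direct single hop is the model's simplifying assumption.

```python
"""Added example, not from the slide deck: a simplified model of how the trust
types on this slide compose into an authentication path between two domains.
Assumption: referrals may cross any number of transitive trusts, but a
non-transitive trust (external or realm) only works as a direct single hop."""
from collections import deque
from typing import List, Optional, Tuple

# (trusting_domain, trusted_domain, transitive): users from the trusted domain
# can authenticate to resources in the trusting domain.
Trust = Tuple[str, str, bool]


def two_way(a: str, b: str, transitive: bool) -> List[Trust]:
    return [(a, b, transitive), (b, a, transitive)]


def example_forest() -> List[Trust]:
    """Constructed forest using the deck's tree: nwtraders.msft as forest root
    with two child domains, plus a one-way external trust to a constructed
    external domain named LEGACY (placeholder name, not from the deck)."""
    root = "nwtraders.msft"
    trusts = two_way(root, "childdomain.nwtraders.msft", True)   # default parent-child
    trusts += two_way(root, "otherdomain.nwtraders.msft", True)
    trusts.append((root, "LEGACY", False))                      # external: one-way, non-transitive
    return trusts


def auth_path(trusts: List[Trust], resource: str, account: str) -> Optional[List[str]]:
    """Shortest chain of domains from the resource domain to the account's
    domain, or None when no usable trust path exists (breadth-first search)."""
    if resource == account:
        return [resource]
    queue, seen = deque([[resource]]), {resource}
    while queue:
        path = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != path[-1] or trusted in seen:
                continue
            if not transitive and len(path) > 1:   # not reachable via another domain
                continue
            if trusted == account:
                return path + [trusted]
            if transitive:                         # only transitive trusts extend the chain
                seen.add(trusted)
                queue.append(path + [trusted])
    return None
```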

