Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 1: Introducing Active Directory Services in Windows Server 2003
Goals
Introduce Active Directory
Identify the functions and features of Active Directory
Introduce Active Directory architecture
Introduce Active Directory objects
Examine the logical and physical structure of Active Directory
Examine more Active Directory concepts
Plan a domain structure
Plan a domain namespace
Examine guidelines for planning a site structure
© 2004 Pearson Education, Inc.
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 1)
Introducing Active Directory
Active Directory database
Stores information about users, groups, domains, and other objects on a network
Allows you to centrally access and administer that information
Provides a unique identity for each security principal (user, group, or computer) called a security identifier (SID); objects that are not security principals have no SID, but every object carries an objectGUID that never changes
Introducing Active Directory (2)
Active Directory database
Allows you to access and administer the directory service globally, unlike decentralized network models
Reduces the effort required to complete day-to-day administrative tasks, such as managing users and resources
Figure 1-1 Active Directory
Introducing Active Directory (3)
Windows NT
Introduced the concept of a directory service based on domains that provide a single point of authentication for all users on a network
Limitations prevent it from being used effectively in large networks:
Has only one writable copy of the database (on the primary domain controller), which makes that server a single point of failure for write operations
Trust relationships between domains must be built manually and are not transitive
Introducing Active Directory (4)
Active Directory's advantages over Windows NT
Most trust relationships within a single forest are created automatically
Every domain controller holds a writable copy of the directory, which removes the single point of failure and makes it possible for Active Directory to scale to large business organizations
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 2)
Identifying the Functions and Features of Active Directory
Active Directory features make it a reliable and secure directory service
Policy-based administration
Active Directory makes network administration easier by using Group Policy
Using this feature, an administrator can make complex modifications to the user's environment, assign rights, configure network security, and install software for collections of users or computers
Identifying the Functions and Features of Active Directory (2)
Active Directory features make it a reliable and secure directory service
Increased security of information
Windows Server 2003 supports protection of both stored data and data in transit on the network (for example, with IPsec)
Stored data can be protected using Encrypting File System (EFS) and permissions
Identifying the Functions and Features of Active Directory (3)
Active Directory features make it a reliable and secure directory service
Integration with Domain Name System (DNS)
DNS is a naming service that translates host names into numeric IP addresses
Active Directory uses standard DNS naming conventions for domains, and clients locate domain controllers through the SRV records that each domain controller registers in DNS, so a domain cannot function without a correct DNS configuration
Identifying the Functions and Features of Active Directory (4)
Active Directory features make it a reliable and secure directory service
Extensibility
Active Directory allows nearly any type of information to be added to the database because it has an extensible schema
The schema contains a list of all possible object types (object classes), their attributes, and the relationships allowed between objects
Schema changes apply to the whole forest and cannot be undone (classes and attributes can only be deactivated), so they should be tested and change-controlled
Identifying the Functions and Features of Active Directory (5)
Active Directory features make it a reliable and secure directory service
Scalability
Active Directory can store anywhere from a small number to millions of objects
Permissions set on a container are inherited by the objects placed in it, so large structures can be administered at the container level rather than object by object
Identifying the Functions and Features of Active Directory (6)
Active Directory features make it a reliable and secure directory service
Information replication
Active Directory automatically replicates the domain's data to every domain controller in the domain; the schema and configuration data are replicated to every domain controller in the forest
Compatibility with other directory services
Active Directory is based on standard protocols, such as LDAP, HTTP, and NSPI (the MAPI Name Service Provider Interface), so it is compatible with other directory services and clients that use these protocols
Identifying the Functions and Features of Active Directory (7)
Active Directory features make it a reliable and secure directory service
Mutual authentication
Active Directory uses Kerberos version 5 as the default authentication protocol
Kerberos is an industry-standard mutual authentication protocol: the client proves its identity to the service and the service proves its identity to the client, and the user's password never crosses the network
NTLM remains available for down-level clients and for cases where Kerberos cannot be used (such as connecting to a server by IP address), so making Kerberos the default does not by itself remove NTLM from the network
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 3)
Introducing Active Directory Architecture
Windows Server 2003 architecture has two
primary layers
User mode
Kernel mode
Introducing Active Directory Architecture (2)
User mode layer
The interface between applications and the kernel mode layer
Accepts requests from an application and forwards them to the kernel for processing
Introducing Active Directory Architecture (3)
Components of the user mode layer
Environment subsystems
Provide interfaces for applications to interact with the kernel and integral subsystems
The environment subsystem components make applications run by providing Application Programming Interfaces (APIs)
Introducing Active Directory Architecture (4)
Components of the user mode layer
Integral subsystems
Perform important operating system functions such as security and session management
The security subsystem (Lsass.exe, which on a domain controller also hosts the directory service itself) receives logon requests and initiates logon authentication
The Workstation Service enables a client computer to access the network
The Server Service allows a Windows Server 2003 computer to share network resources
Figure 1-2 Location of Active Directory within the
Windows Server 2003 architecture
Introducing Active Directory Architecture (5)
Kernel mode layer
Communicates with system data and hardware to process any input/output requests made by a user
Operates in a protected area of memory
Is responsible for executing I/O requests
Prioritizes hardware and software interrupts based on the precedence of the application or service making the request
Introducing Active Directory Architecture (6)
Components of the kernel mode layer
Executive
Performs I/O functions, object management, and security functions
Has a number of subcomponents
Includes the Security Reference Monitor, which performs the access checks that enforce object permissions on behalf of user mode code
Introducing Active Directory Architecture (7)
Components of the kernel mode layer
Microkernel, which manages the computer's processors
Kernel mode drivers, which take requests from applications and translate them into hardware functions
Hardware Abstraction Layer (HAL), which provides the interface between the other software layers and the core hardware
Introducing Active Directory Architecture (8)
Active Directory is made up of three service layers and the underlying Data Store
Directory System Agent (DSA)
Provides the interface for application calls made to the directory
Supports the protocols and interfaces that enable clients to gain access to Active Directory:
LDAP (used directly or through ADSI)
SAM (the Windows NT-style account management API, kept for down-level compatibility)
MAPI (NSPI address book lookups from mail clients)
REPL (replication between domain controllers)
Introducing Active Directory Architecture (9)
Database Layer
Access calls to the database go through the Database Layer
Acts as an abstraction layer between the applications that make the access calls and the database, presenting the flat records as a hierarchy of objects, each identified within its parent container by its relative distinguished name attribute
Extensible Storage Engine (ESE)
Reads and writes the records in the directory data store directly
Introducing Active Directory Architecture (10)
Data Store (Ntds.dit)
Contains the records that make up the Active Directory database
Stored by default in the %systemroot%\NTDS folder on the domain controller
Administered offline, with the domain controller started in Directory Services Restore Mode (DSRM), using Ntdsutil.exe from the %systemroot%\system32 folder
Because Ntds.dit holds the password hashes of every account in the domain, a copy of the file together with the SYSTEM registry hive is enough to recover them offline; protect backups, volume shadow copies, and the DSRM password accordingly
Figure 1-3 Active Directory architecture
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 4)
Introducing Active Directory Objects
Active Directory
Treats each domain resource as an object
Each object is described by distinct characteristics known as attributes
Introducing Active Directory Objects (2)
Types of Active Directory objects
User accounts
Store the logon information for the users in a domain
A domain is an administrative boundary: without a trust to another domain, users can be granted access only to objects within their own domain (inside a forest those trusts exist automatically, and the forest, not the domain, is the real security boundary)
Figure 1-4 Objects and their attributes
Introducing Active Directory Objects (3)
Types of Active Directory objects
Contacts
Used to store information about any person or organization that has business relations with your organization
Contact information includes name, address, telephone number, and e-mail address
A contact is not a security principal: it has no SID, cannot log on, and cannot be granted permissions
Introducing Active Directory Objects (4)
Types of Active Directory objects
Computers
Computer objects store information about computers that are members of a domain
Information includes computer name, description, and other attributes
A computer account is a security principal with its own SID and its own password, which the computer changes automatically
Introducing Active Directory Objects (5)
Types of Active Directory objects
Groups
Used to apply permissions across large numbers of users, computers, and groups
They are not strictly containers, but have membership lists that define which objects are members of the group
Introducing Active Directory Objects (6)
Types of Active Directory objects
Published folders
Shared folders that have been listed in Active Directory
When you publish a folder in Active Directory, you create an object that stores a pointer to the folder; access to the folder's contents is still governed by the share and NTFS permissions, not by the directory object
Introducing Active Directory Objects (7)
Types of Active Directory objects
Printers
A printer is represented by a printer object that contains a pointer to the printer on a computer
A Windows Server 2003 print server automatically detects and publishes printers to Active Directory
Introducing Active Directory Objects (8)
Types of Active Directory objects
Domain controllers
A Windows Server 2003 computer that authenticates user logon attempts and exchanges directory information with other domain controllers
Exchanging directory information is called replication
In Active Directory, domain controllers use multimaster replication to exchange directory information with other domain controllers in a domain
No single domain controller is responsible for replication; all of the domain controllers act as peers
Introducing Active Directory Objects (9)
Types of Active Directory objects
Domain controllers
Each domain controller is represented by a Domain Controller object in Active Directory
You can store the Domain Name System (DNS) name, pre-Windows Server 2003 name, operating system version, location, and name of the administrator in this object
Domain controllers also handle a user's interactions with a domain, such as locating objects and logon requests
Introducing Active Directory Objects (10)
Types of Active Directory objects
Organizational units (OUs)
Container objects that can store groups, users, computers, and other OUs
Used to organize the objects in the domain, to delegate control over a small portion of the domain, and to apply Group Policy to a select group of objects
Only one OU exists by default (Domain Controllers); Users, Computers, and Builtin are plain containers, not OUs, so Group Policy cannot be linked to them
It is recommended that you create additional OUs based on your administrative needs
Figure 1-5 A typical Active Directory hierarchy
Figure 1-6 Active Directory objects
Introducing Active Directory Objects (11)
In Active Directory, you use names to locate objects in a network
Naming conventions that Active Directory supports
Distinguished name (DN)
A unique name for every object in a network
It includes the name of the domain that holds the object and the complete path to the object through the container hierarchy (for example, CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com)
Introducing Active Directory Objects (12)
Naming conventions that Active Directory supports
Relative distinguished name (RDN)
Derived from the DN: the RDN is the leftmost component, simply the object's own name, which must be unique within its container
Globally unique identifier (GUID)
A unique 128-bit number assigned to an object at the time of its creation
The GUID for an object does not change even when you move or rename the object, so it is the reliable way to track an object over time
Introducing Active Directory Objects (13)
Naming conventions that Active Directory supports
User principal name (UPN)
Consists of the user logon name (the UPN prefix) followed by @ and the UPN suffix, which is usually the DNS name of the domain where the user is located (for example, jsmith@corp.example.com)
Additional UPN suffixes can be registered for the forest, so the suffix does not have to match the account's domain; that is why a UPN logon must be resolved through the global catalog
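The naming conventions described above (DN, RDN, GUID and UPN) can be exercised in a few lines. The Python below is added here as an illustration and is not part of the course material: it splits a DN into RDNs while honouring the backslash escaping LDAP uses (so a comma inside a name is not a separator), derives the parent container, converts between a domain's DNS name and its DC= components, builds and parses a UPN, and shows that moving or renaming an object rewrites the DN while the GUID assigned at creation stays fixed. The domain corp.example.com and the sample objects are constructed for the example.

```python
"""Active Directory naming helpers: DN, RDN, GUID and UPN.

Added illustration; not part of the course material. The domain
corp.example.com and the sample objects are constructed.
"""
import uuid
from dataclasses import dataclass, replace


def split_dn(dn):
    """Split an LDAP distinguished name into its RDNs, left to right.

    A backslash escapes the next character (RFC 4514), so an escaped comma
    inside a value stays part of that value instead of ending the RDN.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def rdn_of(dn):
    """The RDN is the leftmost component: the object's own name."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN: the container that holds the object."""
    return ",".join(split_dn(dn)[1:])


def domain_dn_from_dns(fqdn):
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join("DC=" + label for label in fqdn.lower().split("."))


def dns_from_dn(dn):
    """Recover the domain's DNS name from the DC= components of any DN."""
    return ".".join(r[3:] for r in split_dn(dn) if r.upper().startswith("DC="))


def build_upn(logon_name, suffix):
    """UPN = logon name + '@' + UPN suffix (usually the domain's DNS name)."""
    if "@" in logon_name or not suffix:
        raise ValueError("logon name must not contain '@' and a suffix is required")
    return f"{logon_name}@{suffix}"


def parse_upn(upn):
    """Split a UPN into (prefix, suffix); the suffix alone does not name the
    account's domain, which is why UPN logons go through the global catalog."""
    prefix, sep, suffix = upn.rpartition("@")
    if not sep or not prefix or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return prefix, suffix


@dataclass(frozen=True)
class ADObject:
    """Minimal model of a directory object: a stable GUID plus a DN."""
    object_guid: uuid.UUID
    dn: str

    @classmethod
    def create(cls, dn):
        return cls(uuid.uuid4(), dn)   # GUID assigned once, at creation


def move(obj, new_parent):
    """Moving an object rewrites its DN but never its GUID."""
    return replace(obj, dn=f"{rdn_of(obj.dn)},{new_parent}")


def rename(obj, new_rdn):
    """Renaming changes only the RDN; the parent and the GUID stay."""
    return replace(obj, dn=f"{new_rdn},{parent_dn(obj.dn)}")


if __name__ == "__main__":
    user = ADObject.create("CN=Smith\\, Jane,OU=Sales,DC=corp,DC=example,DC=com")
    moved = move(user, "OU=Finance,DC=corp,DC=example,DC=com")
    print(rdn_of(user.dn), "->", moved.dn, "same GUID:", user.object_guid == moved.object_guid)
    print(build_upn("jsmith", dns_from_dn(user.dn)))
```

The escape handling is the part worth keeping: tools that split DNs on every comma silently break on names such as "Smith, Jane", and a lookup keyed on a DN drifts as soon as an object is moved, whereas the GUID survives both.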
Figure 1-7 Examples of naming conventions
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 5)
Examining the Logical and Physical Structure of Active Directory
Objects in Active Directory can be organized logically and physically
Logical structure
Consists of domains, trees, and forests
Besides being Active Directory objects, OUs are also part of the logical structure
Physical structure
Consists of sites
Domain controllers are also part of the physical structure, as well as being Active Directory objects
Examining the Logical and Physical Structure of Active Directory (2)
Components of the logical structure
Domains
In Active Directory, domains represent the core unit of the logical structure
Used to represent the administrative boundaries of your organization
Store information only about the objects they contain
Can span multiple physical locations
Figure 1-8 A domain structure in an organization
Examining the Logical and Physical Structure of Active Directory (3)
Components of the logical structure
Trees
Formed when you add one or more child domains to the top-level domain (also known as the root of the tree)
Follow a contiguous naming scheme in which every child domain (subdomain) in the tree derives its name from the root domain
An implicit two-way transitive trust, established automatically when the child domain is created, links each parent domain to each of its child domains in a domain tree
Figure 1-9 A tree structure in Active Directory
Examining the Logical and Physical Structure of Active Directory (4)
Components of the logical structure
Forests
Collection of one or more domain trees that share a common schema, global catalog, and configuration
The shared schema and global catalog mean that every domain in the forest holds objects of the same classes and can search the whole forest through the catalog
Although domains in a forest are administered independently, they can communicate with each other because all domain trees in the forest share the same schema and configuration
Examining the Logical and Physical Structure of Active Directory (5)
Components of the logical structure
Forests
Forests allow a disjointed naming scheme where the names of the domain trees need not be related to one another
In a forest, an implicit two-way transitive trust (a tree-root trust) exists between the root domain of each domain tree and the forest root domain
Figure 1-10 A forest structure in Active Directory
Examining the Logical and Physical Structure of Active Directory (6)
Components of the physical structure
Sites
Logical representations of a physical location (typically one or more well-connected subnets) within Active Directory
Subnets are associated with sites; a client's IP address is matched against the subnet objects to determine the site to which it belongs
That mapping lets the client use a domain controller located in its own physical site
Examining the Logical and Physical Structure of Active Directory (7)
Components of the physical structure
Sites
Used to control replication traffic between physical locations
The logical structure of Active Directory is independent of the physical structure:
A site can span multiple domains
A domain can span multiple sites
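The subnet-to-site mapping described on the two site slides is what the domain controller locator performs for every client. As an added example, not from the course material, the Python below does the longest-prefix match over subnet objects, picks the domain controllers of the resulting site, and flags addresses that map to no site. The topology (site names, subnet ranges, DC names) is constructed; the fallback when a site has no domain controller is simplified to "any DC in the domain", whereas real domain controllers refine it with automatic site coverage and site-link costs.

```python
"""Client-to-site mapping by subnet, as the DC locator does it.

Added example, not course material. Topology below is constructed.
"""
import ipaddress


def site_for_ip(client_ip, subnet_to_site):
    """Find the subnet objects containing the address and take the most
    specific one. Returns None when no subnet covers the address, which is
    a configuration gap: such a client gets no site-aware DC selection."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for prefix, site in subnet_to_site.items():
        # strict=True rejects a prefix with host bits set (e.g. 10.1.5.1/24),
        # which a sloppy subnet definition would otherwise slip through
        net = ipaddress.ip_network(prefix, strict=True)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, site)
    return None if best is None else best[1]


def locate_dcs(client_ip, subnet_to_site, site_dcs):
    """Return (site, domain controllers) for the client: the DCs in its own
    site if there are any, otherwise every DC in the domain. Real DCs refine
    the fallback with automatic site coverage; that is left out here."""
    site = site_for_ip(client_ip, subnet_to_site)
    local = list(site_dcs.get(site, [])) if site is not None else []
    if local:
        return site, local
    return site, sorted({dc for dcs in site_dcs.values() for dc in dcs})


def find_uncovered(client_ips, subnet_to_site):
    """Operational check: which of these addresses (say, taken from DC logs)
    map to no site at all and therefore need a subnet object?"""
    return [ip for ip in client_ips if site_for_ip(ip, subnet_to_site) is None]


# Constructed topology; names and ranges are assumptions.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "HQ",
    "10.1.5.0/24": "Lab",        # more specific than 10.1.0.0/16, so it wins
    "10.2.0.0/16": "Branch",
    "2001:db8:1::/48": "HQ",
}
SITE_DCS = {"HQ": ["DC01", "DC02"], "Branch": ["DC03"], "Lab": []}


if __name__ == "__main__":
    for ip in ["10.1.5.7", "10.1.9.9", "10.2.3.4", "2001:db8:1::10", "192.168.0.1"]:
        print(ip, "->", locate_dcs(ip, SUBNET_TO_SITE, SITE_DCS))
    print("no site:", find_uncovered(["10.1.1.1", "172.16.0.1"], SUBNET_TO_SITE))
```

Addresses with no site are worth hunting for in practice: those clients authenticate against whatever domain controller DNS hands them, which defeats both the bandwidth and the containment reasons for having sites.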
Figure 1-11 Structure of a site
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 6)
Examining More Active Directory Concepts
Global catalog
Stores information about all objects in a forest
By default, the global catalog is created on the first domain controller in a forest, which becomes a global catalog server
Whenever object information is updated, a global catalog server exchanges this information with the other global catalog servers in the forest
Examining More Active Directory Concepts (2)
Global catalog
In a single domain, the global catalog stores information about all of the objects in that domain
In a multi-domain forest, a global catalog server stores a full replica of the objects in its own domain and a partial replica (a subset of the attributes) of the objects in every other domain
You can make additional domain controllers global catalog servers, both for redundancy and so that each site has a catalog nearby for logons and forest-wide searches
Figure 1-12 The function of the global catalog
Examining More Active Directory Concepts (3)
Global catalog
Global catalog servers also participate in logons in Windows 2000 native mode and later functional levels, because only the catalog lists a user's universal group memberships; if no global catalog can be reached, the domain controller cannot build a complete token and refuses the logon (cached logons aside)
Perform user principal name (UPN) lookups, since a UPN suffix does not identify the user's domain
Provide universal group membership storage
Handle user and program-related queries about objects
Can quickly resolve a query about an object anywhere in the forest
Examining More Active Directory Concepts (4)
Trust relationships
A trust is a connection between domains allowing users from one or both domains to be granted access to resources in the opposing domain
In a multi-domain environment, trusts allow users to access resources in other domains without the need to log on to each domain separately
Trusts allow users to log on to their own domain from computers that are members of a different domain
Examining More Active Directory Concepts (5)
Trusts come in four basic forms
One-way trusts allow a domain to access another domain's resources, but not vice versa: the trusting domain holds the resources, the trusted domain holds the accounts
Two-way trusts allow both domains to access each other's resources
Transitive trusts follow through, meaning that if A trusts B and B trusts C, then A also trusts C
Non-transitive trusts do not follow through, so each domain must explicitly trust the other domains
Figure 1-13 Simple one-way trusts
Figure 1-14 An additional trust from domain A to domain C
Figure 1-15 Trusting and trusted domains
Figure 1-16 Two-way trusts
Examining More Active Directory Concepts (6)
Five basic names describe the type of trust
Default trust
Automatically established between the forest root domain and the root of each tree in the forest, as well as between each child domain and its parent domain
Always two-way and transitive
Inter-forest trust
Established between two Windows Server 2003 forest root domains
Either one-way or two-way, and always transitive
Examining More Active Directory Concepts (7)
Five basic names describe the type of trust
Shortcut trust
Established to reduce the normal Kerberos trust resolution path between domains when a large number of domains are widely dispersed geographically
Can be one-way or two-way, and is always transitive
Can only be established within a single forest
Figure 1-17 Use of shortcut trusts
Examining More Active Directory Concepts (8)
Five basic names describe the type of trust
External trust
Established between different Windows 2000 forests, between Windows Server 2003 and Windows 2000 forests, and between Windows NT domains and Windows 2000 or Windows Server 2003 domains
Always an NT trust; that is, an external trust is always one-way and non-transitive
Used to connect Windows 2000 domains and Unix Kerberos realms
Examining More Active Directory Concepts (9)
Five basic names describe the type of trust
Realm trust
Established between a Windows Server 2003 domain and a Unix Kerberos realm
A Kerberos realm is similar to a domain in Active Directory
Can be either one-way or two-way
Can be transitive or non-transitive
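A small model of how the trust properties above (one-way versus two-way, transitive versus non-transitive, default parent/child trusts, shortcut trusts and external trusts) shape the Kerberos referral path between two domains. This is an illustration added here; it is not code from the course or from Windows. The forest, the domain names and the one-way non-transitive external trust to legacy.local are all constructed for the example. Trusts are stored as directed edges from the trusting domain to the trusted domain, a two-way trust is stored as two edges, and a non-transitive trust can be used only as a single direct hop. The example walks a lookup from nyc.us.corp.example to paris.eu.corp.example through the default trusts, repeats it after a shortcut trust is added, and finally shows that the external trust lets legacy.local principals reach corp.example but not its child domains.

```python
from collections import deque

# Constructed example (not from the course): edge direction is
# trusting -> trusted, i.e. principals from the trusted domain may be
# granted access to resources in the trusting domain.


class TrustGraph:
    def __init__(self):
        self.edges = {}  # trusting domain -> list of (trusted domain, transitive)

    def add_trust(self, trusting, trusted, two_way=True, transitive=True):
        """Record a trust; a two-way trust becomes one edge in each direction."""
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, transitive))

    def add_default_trust(self, parent, child):
        # Parent/child and tree-root trusts are always two-way and transitive
        self.add_trust(parent, child, two_way=True, transitive=True)

    def referral_path(self, user_domain, resource_domain):
        """Domains a client in user_domain is referred through to reach a
        resource in resource_domain, or None when no usable chain exists.

        A non-transitive trust is usable only as a single direct hop; any
        longer chain must consist solely of transitive trusts.
        """
        if user_domain == resource_domain:
            return [user_domain]
        # Direct trust: transitivity does not matter for a single hop
        for trusted, _transitive in self.edges.get(resource_domain, []):
            if trusted == user_domain:
                return [user_domain, resource_domain]
        # Longer chains: breadth-first search over transitive trusts only,
        # starting at the resource domain and walking towards the user domain
        queue = deque([[resource_domain]])
        seen = {resource_domain}
        while queue:
            path = queue.popleft()
            for trusted, transitive in self.edges.get(path[-1], []):
                if not transitive or trusted in seen:
                    continue
                seen.add(trusted)
                if trusted == user_domain:
                    return list(reversed(path + [trusted]))
                queue.append(path + [trusted])
        return None


def hops(path):
    """Number of trust hops in a referral path (None when unreachable)."""
    return None if path is None else len(path) - 1


def build_forest():
    """Constructed forest: one tree with two child domains and two grandchild
    domains, a second tree root, and one external NT-style domain."""
    g = TrustGraph()
    g.add_default_trust("corp.example", "eu.corp.example")
    g.add_default_trust("corp.example", "us.corp.example")
    g.add_default_trust("eu.corp.example", "paris.eu.corp.example")
    g.add_default_trust("us.corp.example", "nyc.us.corp.example")
    g.add_default_trust("corp.example", "subsidiary.example")  # second tree root
    # External trust: corp.example trusts legacy.local, one-way and non-transitive
    g.add_trust("corp.example", "legacy.local", two_way=False, transitive=False)
    return g


if __name__ == "__main__":
    g = build_forest()
    before = g.referral_path("nyc.us.corp.example", "paris.eu.corp.example")
    print("without shortcut:", hops(before), "hops", before)
    # Shortcut trust between the two distant child domains
    g.add_trust("paris.eu.corp.example", "nyc.us.corp.example", two_way=True, transitive=True)
    after = g.referral_path("nyc.us.corp.example", "paris.eu.corp.example")
    print("with shortcut:", hops(after), "hops", after)
    print("legacy -> corp:", g.referral_path("legacy.local", "corp.example"))
    print("legacy -> eu:", g.referral_path("legacy.local", "eu.corp.example"))
    print("corp -> legacy:", g.referral_path("corp.example", "legacy.local"))
```

Without the shortcut the nyc-to-paris lookup is referred through four trusts (up to the forest root and down the other tree); with it the lookup is a single hop. The external trust is the asymmetric case: legacy.local principals can be referred to corp.example, but not to eu.corp.example (non-transitive) and corp.example principals cannot be referred to legacy.local at all (one-way).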
Examining More Active Directory Concepts (10)
Domain Name System (DNS)
Active Directory uses DNS as its name resolution service
The computer running this service is known as a DNS name server
DNS helps computers locate other computers on a network
DNS organizes domains in a hierarchical structure using a naming scheme called the domain namespace
Examining More Active Directory Concepts (11)
Domain Name System (DNS)
Computers in a domain use this service to locate domain controllers in the domain
DNS zones
A DNS server typically holds a copy of the DNS zone for a given domain or collection of contiguous domains
The DNS zone is contained in a file known as the zone database file, typically called the zone file
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 7)
Planning Domain Structure
In Active Directory, domain structure depends primarily on administrative needs
In Windows Server 2003
Domains are simply administrative boundaries
It is best to use a single domain model if at all possible
Domain models are broadly classified into two categories
Single domain model
Multiple domain model
Planning Domain Structure (2)
Single domain model
Easy to manage and administer because the administrative boundary is clearly defined
Suitable for any organization that follows a truly centralized administrative model
Easy to set up because only a single domain must be configured
Planning Domain Structure (3)
Multiple domain model
Typically only appropriate in three specific situations
To separate domain-level administrative privileges
To separate account policies
To control localized traffic
Figure 1-18 Domain models
Figure 1-19 Account Policies
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 8)
Planning a Domain Namespace
Choose a unique domain name for your organization
Register it with an organization that manages Internet DNS namespaces
This organization adds an entry on the top-level name servers on the Internet that points to the authoritative name servers for your domain
Use this domain name to host the Web site for your organization on the Internet
Planning a Domain Namespace (2)
DNS namespace types
Internal
External
Hybrid
Planning a Domain Namespace (3)
Internal namespace
Is not resolvable by hosts that use public (Internet) DNS servers
Is used only for internal clients
Is well suited for hosting Active Directory because of the increased security that comes from not being exposed to the Internet
Planning a Domain Namespace (4)
External namespace
Is resolvable from any client on the Internet
Is required for Internet-accessible resources, such as Web sites
Is typically a poor choice for hosting Active Directory because of the security exposure it creates
Planning a Domain Namespace (5)
Hybrid namespace
Provides the best of both worlds by dividing your namespace into two zones
One for public access
One for private access
The first design method delegates a DNS subdomain as the root of your internal structure
Figure 1-20 Hybrid namespace with DNS sub-domain
Planning a Domain Namespace (6)
Hybrid namespace
Another design method involves creating two disconnected zones for the same name
Create two separate zones for your domain on two separate servers
Place the publicly accessible records on the external server, which is outside the firewall
Place both the public and private records on the internal server, which is behind the firewall
This solution reduces naming confusion for users
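A worked version of the two-disconnected-zones design above (and of the DNS zone and zone file concepts from the DNS slides), added here as an illustration; it is not code from the course or from the Windows DNS server. The two zone files for example.com, the 10.0.0.0/8 internal network, the client addresses and the list of locator record prefixes are constructed for the example. The resolver serves the internal zone to clients on private addresses and the external zone to everyone else, so the domain controller locator SRV records and the private address of dc1 are never visible from the Internet. The audit function is the defender's check that goes with this design: it flags any record in the external zone that would reveal the directory.

```python
import ipaddress

# Constructed sample zones (not from the course): the same name, example.com,
# is served from two disconnected zones on two servers. Only the internal
# copy carries the records that Active Directory clients depend on.
EXTERNAL_ZONE = """\
; served by the DNS server outside the firewall (public records only)
www.example.com.    3600 IN A   203.0.113.10
mail.example.com.   3600 IN A   203.0.113.25
example.com.        3600 IN MX  10 mail.example.com.
"""

INTERNAL_ZONE = """\
; served by the DNS server behind the firewall (public + private records)
www.example.com.                    3600 IN A   203.0.113.10
mail.example.com.                   3600 IN A   203.0.113.25
example.com.                        3600 IN MX  10 mail.example.com.
dc1.example.com.                     600 IN A   10.0.0.5
_ldap._tcp.dc._msdcs.example.com.    600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com.          600 IN SRV 0 100 88 dc1.example.com.
"""

# The mistake the audit below is meant to catch: internal records copied
# into the external zone as well (constructed)
LEAKED_EXTERNAL_ZONE = EXTERNAL_ZONE + """\
dc1.example.com.                     600 IN A   10.0.0.5
_ldap._tcp.dc._msdcs.example.com.    600 IN SRV 0 100 389 dc1.example.com.
"""

# RFC 1918 ranges; the constructed internal network lives in 10.0.0.0/8
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Owner-name prefixes of the locator records domain controllers register
AD_LOCATOR_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")


def parse_zone(text):
    """Parse the simplified 'owner ttl class type rdata' format used above
    into (owner, type, rdata) tuples; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in PRIVATE_NETWORKS)


class SplitResolver:
    """Answers internal clients from the internal zone and all others from
    the external zone, as the two servers on either side of the firewall do."""

    def __init__(self, internal_text, external_text):
        self.internal = parse_zone(internal_text)
        self.external = parse_zone(external_text)

    def resolve(self, client_ip, name, rtype):
        zone = self.internal if is_rfc1918(client_ip) else self.external
        owner = name.lower().rstrip(".") + "."
        return [rdata for o, t, rdata in zone if o == owner and t == rtype.upper()]


def audit_external_zone(text):
    """Defender's check: records in the external zone that reveal the
    directory, either a DC locator SRV name or an RFC 1918 address."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if owner.startswith(AD_LOCATOR_PREFIXES) or "._msdcs." in owner:
            findings.append((owner, "AD locator record exposed"))
        elif rtype == "A" and is_rfc1918(rdata):
            findings.append((owner, "private address exposed"))
    return findings


if __name__ == "__main__":
    r = SplitResolver(INTERNAL_ZONE, EXTERNAL_ZONE)
    print("internal client:", r.resolve("10.1.2.3", "_ldap._tcp.dc._msdcs.example.com", "SRV"))
    print("Internet client:", r.resolve("198.51.100.7", "_ldap._tcp.dc._msdcs.example.com", "SRV"))
    print("clean external zone:", audit_external_zone(EXTERNAL_ZONE))
    print("leaked external zone:", audit_external_zone(LEAKED_EXTERNAL_ZONE))
```

The audit is the check to run against whatever zone the public-facing server actually serves: an _ldap, _kerberos or _msdcs record, or an address from an RFC 1918 range, in that zone means the private half of the hybrid namespace has leaked to the Internet.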
Figure 1-21 Hybrid namespace with two disconnected zones
Planning a Domain Namespace (7)
Naming guidelines
All Active Directory domain names should be static
Keep the name short, simple, and easy to remember
Use standard DNS characters
Limit the name to 63 characters, including the periods
The Fully Qualified Domain Name (FQDN) can be up to 255 characters
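A checker for the naming guidelines above, added here as an illustration rather than taken from the course or from any Microsoft tool. It applies the two length limits the guidelines cite, 63 characters and 255 characters, the way DNS itself enforces them (63 per dot-separated label, 255 for the whole FQDN), and accepts only the standard DNS host-name characters: letters, digits and hyphens, with no label starting or ending in a hyphen. The sample names in the main block are constructed.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters (the inner group allows up to 61 more after the first)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

MAX_LABEL = 63
MAX_FQDN = 255


def check_domain_name(name):
    """Return a list of guideline violations; an empty list means the name passes."""
    problems = []
    fqdn = name.strip().rstrip(".")
    if not fqdn:
        return ["empty name"]
    if len(fqdn) > MAX_FQDN:
        problems.append(f"FQDN longer than {MAX_FQDN} characters")
    for label in fqdn.split("."):
        if len(label) > MAX_LABEL:
            problems.append(f"label '{label}' longer than {MAX_LABEL} characters")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' uses non-standard DNS characters")
    return problems


def is_valid_domain_name(name):
    return not check_domain_name(name)


if __name__ == "__main__":
    # Constructed sample names
    for candidate in ("corp.example.com", "corp_hq.example.com",
                      "-corp.example.com", "a" * 64 + ".example.com"):
        print(candidate[:40], "->", check_domain_name(candidate) or "ok")
```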
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 9)
Guidelines for Planning a Site Structure
Sites
Map to the physical structure of an organization
Participate actively in the user logon and authentication process
Play an important role in the directory replication process
Guidelines for Planning a Site Structure (2)
Directory replication
Can take place within a site or between sites
Within a site, Active Directory automatically generates a replication topology
You can disable Active Directory's automatic creation of connection objects by manually creating connection objects, and thus control intra-site replication
Figure 1-22 Replication within a site using a ring topology
Guidelines for Planning a Site Structure (3)
Site planning guidelines
Decide which domain controller the computers on a given subnet should use
To optimize logon traffic, ensure that at least one domain controller is available in each site
To optimize inter-site replication, schedule replication for times when network traffic is light
Guidelines for Planning a Site Structure (4)
Site planning guidelines
Configure a powerful server as the preferred bridgehead server for inter-site replication
The bridgehead server is the only server in a site that is allowed to replicate to other sites
This reduces the amount of replication traffic between sites, because not every server attempts to replicate with every server in the other sites
Figure 1-23 Using a bridgehead server for inter-site replication
Guidelines for Planning a Site Structure (5)
Site planning guidelines
Place your domain controllers in the correct sites
By default, clients choose the correct site each time they get a new IP address
Domain controllers choose a site only when they are first created, and must be moved manually thereafter
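A model of the site planning guidelines above (subnet-to-site mapping, one domain controller per site, and domain controllers that stay in their original site), added here as an illustration; it is not code from the course and it is a simplification of the Windows DC Locator, which in practice finds domain controllers through site-specific DNS SRV records. The subnets, site names, domain controllers and client addresses are constructed for the example. A client is placed in the site whose subnet matches its address most specifically; the locator returns the domain controllers in that site and falls back to every domain controller in the domain when the site has none, which is exactly the logon traffic the first guideline is meant to avoid. Two planning checks follow: sites that no domain controller serves, and domain controllers whose current address no longer falls in their recorded site.

```python
import ipaddress

# Constructed site topology (not from the course): subnet objects map address
# ranges to sites; each domain controller is recorded in the site it was
# placed in when it was created.
SUBNETS = {
    "10.1.0.0/16": "Paris",
    "10.2.0.0/16": "NewYork",
    "10.2.50.0/24": "NewYork-Lab",  # more specific subnet inside 10.2.0.0/16
    "10.3.0.0/16": "Tokyo",         # a site that no domain controller serves
}

DOMAIN_CONTROLLERS = {
    "DC1": "Paris",
    "DC2": "Paris",
    "DC3": "NewYork",
    "DC4": "NewYork-Lab",
}


def site_for_address(ip, subnets=SUBNETS):
    """Site whose subnet matches the address with the longest prefix, which is
    how a client is placed in a site each time it receives an IP address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else best[1]


def locate_dcs(ip, subnets=SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Return (site, domain controllers) for a client. When the client's site
    has no domain controller, every DC in the domain is a candidate and the
    logon may cross a slow link (simplified model of the DC Locator)."""
    site = site_for_address(ip, subnets)
    local = sorted(dc for dc, dc_site in dcs.items() if dc_site == site)
    return site, (local if local else sorted(dcs))


def sites_without_dc(subnets=SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Planning check: sites that clients map to but no domain controller serves."""
    return sorted(set(subnets.values()) - set(dcs.values()))


def dcs_in_wrong_site(dc_addresses, subnets=SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Planning check: domain controllers keep their original site, so flag any
    whose current address falls in another site's subnet and must be moved by hand.
    Returns (dc, recorded site, site its address now maps to) triples."""
    wrong = []
    for dc, ip in dc_addresses.items():
        actual = site_for_address(ip, subnets)
        if actual != dcs.get(dc):
            wrong.append((dc, dcs.get(dc), actual))
    return wrong


if __name__ == "__main__":
    for client in ("10.1.4.4", "10.2.50.7", "10.3.0.9"):
        print(client, "->", locate_dcs(client))
    print("sites without a DC:", sites_without_dc())
    # Constructed: DC3 was re-addressed into the Tokyo subnet but never moved
    print("DCs to move:", dcs_in_wrong_site({"DC1": "10.1.0.10", "DC3": "10.3.0.10"}))
```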