Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 1: Introducing Active Directory Services in Windows Server 2003
Goals
- Introduce Active Directory
- Identify the functions and features of Active Directory
- Introduce Active Directory architecture
- Introduce Active Directory objects
- Examine the logical and physical structure of Active Directory
- Examine more Active Directory concepts
- Plan a domain structure
- Plan a domain namespace
- Examine guidelines for planning a site structure
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 1)
Introducing Active Directory
Active Directory database
- Stores information about users, groups, computers, domains, and other objects on a network
- Allows you to centrally access and administer that information
- Gives every object a unique identifier (the objectGUID) and gives each security principal (user, group, or computer) a security identifier (SID); the SID, not the name, is what access control lists and access tokens reference, so renaming an account does not change what it can access
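As an added example (not part of the original slides), the following Python decodes the binary objectSid value that a domain controller returns over LDAP into the familiar S-1-5-21-... string, encodes it back, and splits a domain account SID into the domain SID and the relative identifier (RID). The sample byte strings and the domain SID S-1-5-21-1004336348-1177238915-682003330 are constructed for illustration; the well-known RID values are Microsoft's standard ones.

```python
import struct

# Well-known relative identifiers (RIDs) that are the same in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",      # only meaningful in the forest root domain
    519: "Enterprise Admins",  # only meaningful in the forest root domain
}


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (the LDAP objectSid value) into S-R-I-S-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID is shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string into the binary form stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_sid(sid: str):
    """Split a domain account SID into (domain SID, RID).

    Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>; an account in that
    domain appends one more sub-authority, the RID.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def describe(sid: str) -> str:
    """Name well-known accounts by RID so a reviewer can spot them in a dump."""
    try:
        domain, rid = split_domain_sid(sid)
    except ValueError:
        return "not a domain account SID"
    return WELL_KNOWN_RIDS.get(rid, "ordinary account, RID %d" % rid)


# Constructed sample values (not real directory data).
LOCAL_SYSTEM = bytes.fromhex("010100000000000512000000")                   # S-1-5-18
BUILTIN_ADMINISTRATORS = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"                   # assumed domain

if __name__ == "__main__":
    for raw in (LOCAL_SYSTEM, BUILTIN_ADMINISTRATORS):
        print(sid_bytes_to_string(raw))
    admin = DOMAIN_SID + "-500"
    print(admin, "->", describe(admin))
```

The RID split is the check worth remembering: an account whose SID ends in 500 is the built-in Administrator no matter what it has been renamed to, and a SID ending in 519 in the forest root domain is Enterprise Admins.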
Introducing Active Directory (2)
Active Directory database
- Allows you to access and administer the directory service globally, unlike decentralized network models
- Reduces the effort required to complete day-to-day administrative tasks, such as managing users and resources
Figure 1-1 Active Directory
Introducing Active Directory (3)
Windows NT
- Introduced the concept of a directory service based on domains that provide a single point of authentication for all users on a network
- Limitations prevent it from being used effectively in large networks
  - Has only one writable copy of the database (on the primary domain controller), which makes that server a single point of failure for write operations
  - Trust relationships between domains must be built manually, and each one is one-way and non-transitive
Introducing Active Directory (4)
- Active Directory's advantages over Windows NT
  - Every domain controller holds a writable copy of the directory (multimaster replication), so there is no single point of failure for write operations
  - Trust relationships between parent and child domains, and between tree roots, within a single forest are created automatically and are two-way and transitive
  - These properties make it possible for Active Directory to scale to large business organizations
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 2)
Identifying the Functions and Features of Active Directory
- Active Directory features make it a reliable and secure directory service
  - Policy-based administration
    Active Directory makes network administration easier by using Group Policy
    Using this feature, an administrator can make complex modifications to the user's environment, assign rights, configure network security, and install software for collections of users or computers
Identifying the Functions and Features of Active Directory (2)
- Active Directory features make it a reliable and secure directory service
  - Increased security of information
    Windows Server 2003 supports protection of both stored data and data in transit on the network (for example with IPsec)
    Stored data can be protected using the Encrypting File System (EFS) and NTFS permissions; directory objects themselves carry access control lists, so the same permission model applies inside Active Directory
Identifying the Functions and Features of Active Directory (3)
- Active Directory features make it a reliable and secure directory service
  - Integration with Domain Name System (DNS)
    DNS is a naming service that translates host names into numeric IP addresses
    Active Directory uses standard DNS naming conventions for domains, and domain controllers register service (SRV) records in DNS so that clients can locate them; a working DNS infrastructure is therefore a prerequisite for Active Directory
Identifying the Functions and Features of Active Directory (4)
- Active Directory features make it a reliable and secure directory service
  - Extensibility
    Active Directory allows nearly any type of information to be added to the database because it has an extensible schema
    The schema contains a list of all possible object types (object classes), their attributes, and the relationships allowed between objects
Identifying the Functions and Features of Active Directory (5)
- Active Directory features make it a reliable and secure directory service
  - Scalability
    Active Directory can store anywhere from a small number to millions of objects
    By default, an object inherits the inheritable permissions of the container into which it is placed, so access control can be administered at the container level rather than object by object
Identifying the Functions and Features of Active Directory (6)
- Active Directory features make it a reliable and secure directory service
  - Information replication
    Active Directory automatically replicates the contents of the domain partition to every domain controller in the domain (the schema and configuration partitions replicate to every domain controller in the forest)
  - Compatibility with other directory services
    Active Directory is based on standard protocols such as LDAP, HTTP, and NSPI, so it can interoperate with other directory services and clients that use these protocols
Identifying the Functions and Features of Active Directory (7)
- Active Directory features make it a reliable and secure directory service
  - Mutual authentication
    Active Directory uses Kerberos version 5 as the default authentication protocol
    Kerberos is an industry-standard protocol in which the client and the service each prove their identity to the other (mutual authentication); the user's password is never sent across the network, which protects logon information
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 3)
Introducing Active Directory Architecture
- Windows Server 2003 architecture has two primary layers
  - User mode
  - Kernel mode
Introducing Active Directory Architecture (2)
- User mode layer
  - The interface between applications and the kernel mode layer
  - Accepts requests from an application and forwards them to the kernel for processing
Introducing Active Directory Architecture (3)
- Components of the user mode layer
  - Environment subsystems
    Provide interfaces for applications to interact with the kernel and the integral subsystems
    The environment subsystem components make applications run by providing Application Programming Interfaces (APIs)
Introducing Active Directory Architecture (4)
- Components of the user mode layer
  - Integral subsystems
    Perform important operating system functions such as security and session management
    The security subsystem (the Local Security Authority process, Lsass.exe, which on a domain controller also hosts the Active Directory service itself) receives logon requests and initiates logon authentication
    The Workstation service enables a client computer to access the network
    The Server service allows a Windows Server 2003 computer to share network resources
Figure 1-2 Location of Active Directory within the
Windows Server 2003 architecture
Introducing Active Directory Architecture (5)
- Kernel mode layer
  - Communicates with system data and hardware to process any input/output requests made by a user
  - Operates in a protected area of memory
  - Is responsible for executing I/O requests
  - Prioritizes hardware and software interrupts based on the precedence of the application or service making the request
Introducing Active Directory Architecture (6)
- Components of the kernel mode layer
  - Executive
    Performs I/O functions, object management, and security functions
    Has a number of subcomponents
    Its Security Reference Monitor enforces the access checks and audit policy that the user mode security subsystem relies on
Introducing Active Directory Architecture (7)
- Components of the kernel mode layer
  - Microkernel, which manages the computer's processors
  - Kernel mode drivers, which take requests from applications and translate them into hardware functions
  - Hardware Abstraction Layer (HAL), which provides the interface between the other software layers and the core hardware
Introducing Active Directory Architecture (8)
- Active Directory is made up of three service layers and the underlying data store
  - Directory System Agent (DSA)
    Provides the interface for application calls made to the directory
    Supports the interfaces and protocols that enable clients to gain access to Active Directory
    - LDAP (and the ADSI programming interface layered on it)
    - SAM (the Security Accounts Manager interface used by Windows NT-style clients)
    - MAPI (used by messaging clients such as Microsoft Outlook)
    - REPL (replication between domain controllers)
Introducing Active Directory Architecture (9)
- Database layer
  Access calls to the database go through the database layer
  Acts as an abstraction layer between the applications that make the access calls and the database, presenting the flat database records as a hierarchy of objects in which each object is named within its container by its relative distinguished name (RDN) attribute
- Extensible Storage Engine (ESE)
  Has direct contact with the records in the directory data store
Introducing Active Directory Architecture (10)
- Data store (Ntds.dit)
  - Contains the records that make up the Active Directory database
  - Stored by default in the %systemroot%\NTDS folder on the domain controller
  - Administered offline from Directory Services Restore Mode (DSRM) using Ntdsutil.exe, located in %systemroot%\system32
  - Because Ntds.dit holds the password hashes of every account in the domain, a copy of the file (from a backup, a virtual machine snapshot, or DSRM access) is as sensitive as the domain itself: protect backups accordingly and treat the DSRM administrator password as a privileged credential
Figure 1-3 Active Directory architecture
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 4)
Introducing Active Directory Objects
- Active Directory
  - Treats each domain resource as an object
  - Each object is described by a set of distinct characteristics known as attributes
Introducing Active Directory Objects (2)
- Types of Active Directory objects
  - User accounts
    Store the logon information for the users in a domain
    A domain acts as a security boundary in the sense that, assuming no trusts are in place, users can only access objects within their own domain; strictly, though, the forest is the security boundary, because all domains in a forest share the schema and configuration and trust each other automatically and transitively, so a compromise of any domain should be treated as a compromise of the forest
Figure 1-4 Objects and their attributes
Introducing Active Directory Objects (3)
- Types of Active Directory objects
  - Contacts
    Used to store information about any person or organization that has business relations with your organization
    Contact information includes name, address, telephone number, and e-mail address; a contact is not a security principal, has no SID, and cannot log on
Introducing Active Directory Objects (4)
- Types of Active Directory objects
  - Computers
    Computer objects store information about computers that are members of a domain
    Information includes the computer name, description, and other attributes
Introducing Active Directory Objects (5)
- Types of Active Directory objects
  - Groups
    Used to apply permissions across large numbers of users, computers, and groups
    They are not strictly containers, but have membership lists that define which objects are members of the group
Introducing Active Directory Objects (6)
- Types of Active Directory objects
  - Published folders
    Shared folders that have been listed in Active Directory
    When you publish a folder in Active Directory, you create an object that stores a pointer to the folder; publishing does not change the share or NTFS permissions on the folder itself
Introducing Active Directory Objects (7)
- Types of Active Directory objects
  - Printers
    A printer is represented by a printer object that contains a pointer to the printer on a computer
    A Windows Server 2003 print server automatically detects and publishes its shared printers to Active Directory
Introducing Active Directory Objects (8)
- Types of Active Directory objects
  - Domain controllers
    A Windows Server 2003 computer that authenticates user logon attempts and exchanges directory information with other domain controllers
    Exchanging directory information is called replication
    - In Active Directory, domain controllers use multimaster replication to exchange directory information with the other domain controllers in a domain
    - No single domain controller is responsible for replication; all of the domain controllers act as peers
Introducing Active Directory Objects (9)
- Types of Active Directory objects
  - Domain controllers
    Each domain controller is represented by a Domain Controller object in Active Directory
    You can store the Domain Name System (DNS) name, pre-Windows 2000 (NetBIOS) name, operating system version, location, and name of the administrator in this object
    Domain controllers also handle a user's interactions with a domain, such as locating objects and logon requests
Introducing Active Directory Objects (10)
- Types of Active Directory objects
  - Organizational units (OUs)
    Container objects that can store groups, users, computers, and other OUs
    Used to organize the objects in the domain, to delegate control over a small portion of the domain, and to apply Group Policy to a select group of objects
    Only one OU (Domain Controllers) exists by default; the default Users, Computers, and Builtin locations are plain containers, not OUs, so Group Policy cannot be linked to them
    It is recommended that you create additional OUs based on your administrative needs
Figure 1-5 A typical Active Directory hierarchy
Figure 1-6 Active Directory objects
Introducing Active Directory Objects (11)
- In Active Directory, you use names to locate objects in a network
- Naming conventions that Active Directory supports
  - Distinguished name (DN)
    A unique name for every object in a network
    It includes the name of the domain that holds the object and the complete path to the object through the container hierarchy, for example CN=Jane Doe,OU=Sales,DC=example,DC=com
Introducing Active Directory Objects (12)
- Naming conventions that Active Directory supports
  - Relative distinguished name (RDN)
    Derived from the DN
    The RDN of an object is simply the object's own name within its container (for example CN=Jane Doe); it must be unique among the objects in that container, but not across the domain
  - Globally unique identifier (GUID)
    A unique 128-bit number assigned to an object at the time of its creation
    The GUID for an object does not change even when you move or rename the object, so it is the right key to use when tracking an object over time
Introducing Active Directory Objects (13)
- Naming conventions that Active Directory supports
  - User principal name (UPN)
    Consists of the user's logon name (the UPN prefix), the @ sign, and a UPN suffix, for example jdoe@example.com
    The UPN suffix is usually the DNS name of the domain where the user is located, although additional suffixes can be defined for the forest
    The UPN is the recommended logon name format because the user does not need to know which domain holds the account
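As an added example (not code from the original slides), the following Python works through the naming conventions on this and the previous two slides: it splits a distinguished name into its RDNs while honouring RFC 4514 backslash escapes (a naive split on commas breaks on names like "Doe, Jane"), extracts the RDN and the parent container, rebuilds the DNS domain name from the DC= components, and forms a UPN from a logon name and suffix. The sample DN and the names in it are constructed for illustration.

```python
# Constructed sample name (not from the slides). The backslash escapes the
# comma inside the common name, as RFC 4514 requires.
SAMPLE_DN = "CN=Doe\\, Jane,OU=Sales,OU=Staff,DC=example,DC=com"


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, from the object outwards.

    A plain split on ',' is wrong because a comma may appear inside a value
    when escaped with a backslash (or as a hex escape such as \\2C).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def rdn_of(dn: str) -> str:
    """The relative distinguished name is just the leading component."""
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    """The DN of the container that holds the object."""
    return ",".join(split_dn(dn)[1:])


def unescape_value(value: str) -> str:
    """Turn an escaped RDN value back into the displayed name.

    Handles both single-character escapes (\\,) and hex byte escapes (\\2C);
    hex escapes are collected as bytes so multi-byte UTF-8 sequences decode.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out += bytes.fromhex(pair)
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += ch.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def rdn_parts(rdn: str):
    """Split 'CN=Doe\\, Jane' into ('CN', 'Doe, Jane')."""
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), unescape_value(value.strip())


def dns_domain_of(dn: str) -> str:
    """Rebuild the DNS name of the domain from the DC= components."""
    return ".".join(rdn_parts(r)[1] for r in split_dn(dn) if rdn_parts(r)[0] == "DC")


def user_principal_name(logon_name: str, suffix: str) -> str:
    """A UPN is <logon name>@<UPN suffix>; the suffix is normally the domain's DNS name."""
    if "@" in logon_name or not suffix:
        raise ValueError("logon name must not contain '@' and a suffix is required")
    return "%s@%s" % (logon_name, suffix)


if __name__ == "__main__":
    print(split_dn(SAMPLE_DN))
    print(rdn_parts(rdn_of(SAMPLE_DN)), parent_of(SAMPLE_DN))
    print(user_principal_name("jdoe", dns_domain_of(SAMPLE_DN)))
```

Note that the UPN is built from a logon name the administrator chooses, not from the user's first and last name attributes; the DN, by contrast, is entirely determined by where the object sits in the container hierarchy.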
Figure 1-7 Examples of naming conventions
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 5)
Examining the Logical and Physical Structure of Active Directory
- Objects in Active Directory can be organized logically and physically
  - Logical structure
    Consists of domains, trees, and forests
    Besides being Active Directory objects, OUs are also part of the logical structure
  - Physical structure
    Consists of sites
    Domain controllers are also part of the physical structure, as well as being Active Directory objects
Examining the Logical and Physical Structure of Active Directory (2)
- Components of the logical structure
  - Domains
    In Active Directory, domains represent the core unit of the logical structure
    Used to represent the administrative boundaries of your organization; a domain is also the replication boundary for the domain partition and carries its own account and password policy
    Store information only about the objects they contain
    Can span multiple physical locations
Figure 1-8 A domain structure in an organization
Examining the Logical and Physical Structure of Active Directory (3)
- Components of the logical structure
  - Trees
    Formed when you add one or more child domains to the top-level domain (also known as the root of the tree)
    Follow a contiguous naming scheme in which every child domain (subdomain) in the tree derives its name from the root domain (for example eu.corp.example.com under corp.example.com)
    An implicit two-way transitive trust exists between each parent domain and its child domains in a domain tree; this trust is a logical link that is established automatically between the domains
Figure 1-9 A tree structure in Active Directory
Examining the Logical and Physical Structure of Active Directory (4)
- Components of the logical structure
  - Forests
    A collection of one or more domain trees that share a common schema, configuration, and global catalog
    Because every domain in the forest shares the same schema and global catalog, all domains contain uniformly structured information and the forest can be searched as a whole
    Although domains in a forest are administered independently, they interoperate because all domain trees in the forest share the common schema and configuration and trust each other transitively
    The forest, not the domain, is the security boundary in Active Directory: whoever controls one domain in a forest can affect the others
Examining the Logical and Physical Structure of Active Directory (5)
- Components of the logical structure
  - Forests
    All domains in a forest share a common global catalog
    Forests allow a disjointed naming scheme in which the names of the domain trees need not be related to one another (for example corp.example.com and fabrikam.com in the same forest)
    In a forest, an implicit two-way transitive trust exists between the root domain of each domain tree and the forest root domain (the first domain created in the forest)
Figure 1-10 A forest structure in Active Directory
Examining the Logical and Physical Structure of Active Directory (6)
- Components of the physical structure
  - Sites
    Logical representations of a physical location (a set of well-connected IP subnets) within Active Directory
    Subnets are always associated with sites
    - Allows a client to determine the site to which it belongs from its IP address
    - Allows a client to use a domain controller located in its own physical site
Examining the Logical and Physical Structure of Active Directory (7)
- Components of the physical structure
  - Sites
    Used to control replication traffic between physical locations
    The logical structure of Active Directory is independent of the physical structure
    - A site can span multiple domains
    - A domain can span multiple sites
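As an added example (not part of the original slides), the following Python models the subnet-to-site mapping described on these two slides: subnet objects are matched against a client's IP address by longest prefix, the client is assigned to the site of the most specific matching subnet, and the domain controllers in that site are returned. The subnets, site names and domain controller names are constructed for illustration; in a real domain this lookup is performed by the domain controller on behalf of the Netlogon DC Locator, which finds candidate domain controllers through DNS SRV records.

```python
import ipaddress

# Constructed sample data (assumed, not from the slides): the subnet objects
# defined under Sites and Services, each linked to a site, plus the domain
# controllers that live in each site.
SUBNETS = {
    "10.1.0.0/16": "Chicago",
    "10.1.50.0/24": "Chicago-Lab",   # more specific than the /16 and wins for 10.1.50.x
    "10.2.0.0/16": "London",
    "2001:db8:1::/48": "London",
}
DCS_BY_SITE = {
    "Chicago": ["DC1.corp.example.com", "DC2.corp.example.com"],
    "Chicago-Lab": ["DC3.corp.example.com"],
    "London": ["DC4.corp.example.com"],
}


def site_for_ip(ip: str, subnets=SUBNETS):
    """Map a client address to a site by longest-prefix match over the subnet objects.

    Returns None when no subnet covers the address; such a client has no site
    and may end up authenticating against a domain controller across a slow link.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def dcs_for_client(ip: str, subnets=SUBNETS, dcs_by_site=DCS_BY_SITE):
    """Return (site, domain controllers in that site) for a client, or (None, [])."""
    site = site_for_ip(ip, subnets)
    if site is None:
        return None, []
    return site, list(dcs_by_site.get(site, []))


def unmapped_clients(client_ips, subnets=SUBNETS):
    """List addresses that match no subnet object: the gap an administrator should close."""
    return [ip for ip in client_ips if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.1.3.4", "10.1.50.7", "2001:db8:1::10", "192.168.1.1"):
        print(ip, "->", dcs_for_client(ip))
```

The longest-prefix rule matters when a small subnet is carved out of a larger one, as with the lab /24 inside the Chicago /16 above; clients on the /24 must be steered to the lab site's domain controller, not the campus one.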
Figure 1-11 Structure of a site
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 6)
Examining More Active Directory Concepts
- Global catalog
  - Stores information about all objects in a forest
  - By default, the global catalog is created on the first domain controller in a forest, which is known as a global catalog server
  - Whenever object information is updated, a global catalog server exchanges this information with the other global catalog servers in the forest through normal replication
Examining More Active Directory Concepts (2)
- Global catalog
  - In a single-domain forest, the global catalog stores information about all of the objects in that domain
  - In a multiple-domain forest, a global catalog server stores a full replica of the objects in its own domain and a partial replica (a defined subset of attributes, the partial attribute set) of the objects in every other domain
  - You can add global catalog servers to a forest to provide redundancy for the default global catalog server and to place one close to the clients that query it
Figure 1-12 The function of the global catalog
Examining More Active Directory Concepts (3)
- Global catalog
  - Global catalog servers also participate in logons in Windows 2000 native mode
    Perform user principal name (UPN) lookups to find the domain that holds the account
    Provide universal group membership, which must be known before a logon can complete
  - Handles user and program-related queries about objects
  - Can quickly resolve a query about an object anywhere in the forest
Examining More Active Directory Concepts (4)
- Trust relationships
  - A trust is a connection between domains that allows users from one or both domains to be granted access to resources in the other domain
  - In a multi-domain environment, trusts allow users to access resources in other domains without the need to log on to each domain separately
  - Trusts allow users to log on to their own domain from computers that are members of a different domain
Examining More Active Directory Concepts (5)
- Trusts come in four basic forms
  - One-way trusts allow users in one domain (the trusted domain) to be granted access to resources in the other (the trusting domain), but not vice versa
  - Two-way trusts allow users in both domains to be granted access to each other's resources
  - Transitive trusts follow through, meaning they pass from domain to domain: if A trusts B and B trusts C transitively, then A trusts C
  - Non-transitive trusts do not follow through, so each domain must explicitly trust every other domain it needs to
Figure 1-13 Simple one-way trusts
Figure 1-14 An additional trust from domain A to domain C
Figure 1-15 Trusting and trusted domains
Figure 1-16 Two-way trusts
1.63
© 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 6)
Examining More Active Directory Concepts (6)
• Five basic names for describing the type of trust
  - Default trust
    - Automatically established between the forest root domain and the root of each tree in the forest, as well as between each child domain and its parent domain
    - Always two-way and transitive
  - Inter-forest trust
    - Established between two Windows Server 2003 forest root domains
    - Either one-way or two-way, and always transitive

Examining More Active Directory Concepts (7)
• Five basic names for describing the type of trust
  - Shortcut trust
    - Established to reduce the normal Kerberos trust resolution path between domains when there is a large number of domains that are widely dispersed geographically
    - Can be one-way or two-way, and is always transitive
    - Can only be established within a single forest

Figure 1-17 Use of shortcut trusts

Examining More Active Directory Concepts (8)
• Five basic names for describing the type of trust
  - External trust
    - Established between different Windows 2000 forests, between Windows Server 2003 and Windows 2000 forests, and between Windows NT and Windows 2000 or Windows Server 2003 domains
    - Always an NT-style trust; that is, an external trust is always one-way and non-transitive
    - Used to connect Windows 2000 domains and Unix Kerberos realms

Examining More Active Directory Concepts (9)
• Five basic names for describing the type of trust
  - Realm trust
    - Established between a Windows Server 2003 domain and a Unix Kerberos realm
    - A Kerberos realm is similar to a domain in Active Directory
    - Can be either one-way or two-way
    - Can be transitive or non-transitive

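The trust properties described on the slides above (direction, transitivity, default parent-child trusts, shortcut trusts, and one-way non-transitive external trusts) can be checked mechanically. The following is an added example, not code from the book or from Microsoft; it models a hypothetical forest named corp.example and an external NT-style domain named legacy.partner. A trust edge runs from the trusting (resource) domain to the trusted (account) domain, and the modeling rule for transitivity is that a non-transitive trust can only be used as a direct, single-hop trust. The hop count of the shortest valid chain is the number of domains a Kerberos referral has to cross, which is exactly what a shortcut trust is meant to reduce.

```python
"""Trust-path model for an Active Directory forest (added example).

Answers two planning questions: can users of an account domain be granted
access in a resource domain at all, and across how many trusts does the
Kerberos referral chain have to travel. Domain names are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str      # resource domain: the one that trusts
    trusted: str       # account domain: the one whose users are trusted
    transitive: bool
    kind: str          # "default", "shortcut", "external", ...


class TrustMap:
    def __init__(self) -> None:
        self.trusts: List[Trust] = []

    def add(self, trusting: str, trusted: str, *, two_way: bool,
            transitive: bool, kind: str) -> None:
        self.trusts.append(Trust(trusting, trusted, transitive, kind))
        if two_way:   # a two-way trust is simply a trust in each direction
            self.trusts.append(Trust(trusted, trusting, transitive, kind))

    def add_default(self, parent: str, child: str) -> None:
        # Parent-child (and tree-root) trusts are always two-way and transitive.
        self.add(parent, child, two_way=True, transitive=True, kind="default")

    def trust_path(self, resource_domain: str,
                   account_domain: str) -> Optional[List[Trust]]:
        """Shortest chain of trusts that lets users of account_domain be
        granted access in resource_domain, or None if there is no such chain.

        Modeling rule: a non-transitive trust is usable only as a direct
        (single-hop) trust; it is never chained through, in either position.
        """
        if resource_domain == account_domain:
            return []
        seen = {resource_domain}
        queue = deque([(resource_domain, [])])   # breadth-first: shortest chain first
        while queue:
            domain, path = queue.popleft()
            for t in [t for t in self.trusts if t.trusting == domain]:
                if t.trusted in seen:
                    continue
                hop = path + [t]
                if t.trusted == account_domain and (len(hop) == 1 or t.transitive):
                    return hop
                if t.transitive:      # only transitive trusts extend the chain
                    seen.add(t.trusted)
                    queue.append((t.trusted, hop))
        return None

    def can_access(self, account_domain: str, resource_domain: str) -> bool:
        return self.trust_path(resource_domain, account_domain) is not None


def build_sample_forest(with_shortcut: bool = False) -> TrustMap:
    """Hypothetical forest corp.example: two branches of child domains plus a
    one-way, non-transitive external trust to the NT domain legacy.partner."""
    tm = TrustMap()
    tm.add_default("corp.example", "emea.corp.example")
    tm.add_default("emea.corp.example", "de.emea.corp.example")
    tm.add_default("corp.example", "apac.corp.example")
    tm.add_default("apac.corp.example", "jp.apac.corp.example")
    # corp.example trusts legacy.partner; legacy.partner does not trust corp.example
    tm.add("corp.example", "legacy.partner", two_way=False,
           transitive=False, kind="external")
    if with_shortcut:   # shortcut trust between the two deepest domains
        tm.add("jp.apac.corp.example", "de.emea.corp.example",
               two_way=True, transitive=True, kind="shortcut")
    return tm


def hops(tm: TrustMap, resource_domain: str, account_domain: str) -> Optional[int]:
    path = tm.trust_path(resource_domain, account_domain)
    return None if path is None else len(path)


if __name__ == "__main__":
    plain = build_sample_forest()
    short = build_sample_forest(with_shortcut=True)
    de, jp = "de.emea.corp.example", "jp.apac.corp.example"
    print("de users -> jp resources, default trusts only:", hops(plain, jp, de), "hops")
    print("de users -> jp resources, with shortcut trust:", hops(short, jp, de), "hop")
    print("legacy users into corp.example :", plain.can_access("legacy.partner", "corp.example"))
    print("legacy users into emea (chained):", plain.can_access("legacy.partner", "emea.corp.example"))
    print("corp users into legacy (no trust):", plain.can_access("corp.example", "legacy.partner"))
```

Two outcomes are worth noting from a security standpoint: the external trust lets legacy.partner accounts into corp.example only, not into the child domains, because it is non-transitive; and a forest user cannot be granted access in legacy.partner at all, because the trust is one-way. The shortcut trust cuts the referral chain between the two grandchild domains from four trusts to one.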
Examining More Active Directory Concepts (10)
• Domain Name System (DNS)
  - Active Directory uses DNS as its name resolution service
  - The computer running this service is known as a DNS name server
  - DNS helps computers locate other computers on a network
  - DNS organizes domains in a hierarchical structure using a naming scheme called the domain namespace

Examining More Active Directory Concepts (11)
• Domain Name System (DNS)
  - Computers in a domain use this service to locate domain controllers in the domain
  - DNS zones
    - A DNS server typically holds a copy of the DNS zone for a given domain or collection of contiguous domains
    - The DNS zone is contained in a file known as the zone database file, typically called the zone file

Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 7)
Planning Domain Structure
• In Active Directory, domain structure depends primarily on administrative needs
• In Windows Server 2003
  - Domains are simply administrative boundaries
  - It is best to use a single domain model if at all possible
• Domain models are broadly classified into two categories
  - Single domain model
  - Multiple domain model

Planning Domain Structure (2)
• Single domain model
  - Easy to manage and administer because the administrative boundary is clearly defined
  - Suitable for any organization that follows a truly centralized administrative model
  - Easy to set up because only a single domain must be configured

Planning Domain Structure (3)
• Multiple domain model
  - Typically only appropriate in three specific situations
    - To separate domain-level administrative privileges
    - To separate account policies
    - To control localized traffic

Figure 1-18 Domain models
Figure 1-19 Account Policies

Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 8)
Planning a Domain Namespace
• Choose a unique domain name for your organization
• Register it with an organization that manages Internet DNS namespaces
  - This organization adds an entry on the top-level name servers on the Internet pointing to the authoritative name servers for your domain
• Use this domain name to host the Web site for your organization on the Internet

Planning a Domain Namespace (2)
• DNS namespace types
  - Internal
  - External
  - Hybrid

Planning a Domain Namespace (3)
• Internal namespace
  - Is not resolvable by hosts that use public (Internet) DNS servers
  - Is only used for internal clients
  - Is well suited for hosting Active Directory because of the increased security this gives (its names are not exposed to the Internet)

Planning a Domain Namespace (4)
• External namespace
  - Is resolvable from any client on the Internet
  - Is required for Internet-accessible resources, such as Web sites
  - Is typically a poor choice for hosting Active Directory because of the potential lack of security it provides

Planning a Domain Namespace (5)
• Hybrid namespace
  - Provides the best of both worlds by dividing your namespace into two zones
    - One for public access
    - One for private access
  - One design method involves delegating a DNS subdomain as the root of your internal structure

Figure 1-20 Hybrid namespace with DNS sub-domain

Planning a Domain Namespace (6)
• Hybrid namespace
  - Another design method involves creating two disconnected zones for the same name
    - Create two separate zones for your domain on two separate servers
    - Place the publicly accessible records on the external server, which is outside the firewall
    - Place both the public and private records on the internal server, which is behind the firewall
    - This solution reduces naming-convention confusion for users

Figure 1-21 Hybrid namespace with two disconnected zones

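The two-disconnected-zones design above stands or falls on one rule: nothing private may ever be published on the external server. The following is an added example, not code from the book; it models the two zone copies for a hypothetical zone named example.com (a reserved documentation name), with constructed records whose public hosts use the 203.0.113.0/24 documentation range and whose private hosts sit in 10.0.0.0/8. The audit function implements the check a defender would run against the external copy: any record pointing at RFC 1918, loopback or link-local space has leaked internal topology.

```python
"""Split-brain DNS for a hybrid namespace (added example).

Builds the external and internal copies of one zone from a single tagged
record set, resolves names against either copy, and audits the external copy
for private addresses. The zone and hosts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Record:
    name: str       # relative owner name, e.g. "www"
    address: str    # IPv4 address
    public: bool    # True if Internet clients are meant to resolve it


ZONE_NAME = "example.com"

# Constructed record set. The private records are the ones that would reveal
# internal topology (domain controllers, intranet hosts) if published.
RECORDS: Sequence[Record] = (
    Record("www", "203.0.113.10", public=True),
    Record("mail", "203.0.113.25", public=True),
    Record("dc1", "10.0.0.10", public=False),
    Record("intranet", "10.0.0.20", public=False),
)

# Python's IPv4Address.is_private also covers documentation ranges, so the
# RFC 1918 blocks are listed explicitly to keep the audit precise.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def build_split_zones(records: Sequence[Record]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """External server gets the public records only; internal server gets all."""
    external = {r.name: r.address for r in records if r.public}
    internal = {r.name: r.address for r in records}
    return external, internal


def resolve(zone: Dict[str, str], name: str, zone_name: str = ZONE_NAME) -> Optional[str]:
    """Resolve a relative or fully qualified name against one zone copy."""
    suffix = "." + zone_name
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return zone.get(name)


def audit_external_zone(external: Dict[str, str]) -> List[str]:
    """Names in the external copy that point at RFC 1918, loopback or
    link-local space; such records must never be published."""
    leaked = []
    for name, address in external.items():
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918):
            leaked.append(name)
    return sorted(leaked)


if __name__ == "__main__":
    ext, internal = build_split_zones(RECORDS)
    print("Internet client resolves www.example.com:", resolve(ext, "www.example.com"))
    print("Internet client resolves dc1.example.com:", resolve(ext, "dc1.example.com"))
    print("LAN client resolves dc1                 :", resolve(internal, "dc1"))
    print("leaks in external copy                  :", audit_external_zone(ext))
    # A private record copied to the external server by mistake is caught:
    print("leaks after a bad copy                  :",
          audit_external_zone({**ext, "dc1": "10.0.0.10"}))
```

Because both copies are generated from one tagged record set, the "public" flag on each record is the single place where the publication decision is made; the audit then catches the failure mode this design is prone to, an internal record being copied to the external server during maintenance.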
Planning a Domain Namespace (7)
• Naming guidelines
  - All Active Directory domain names should be static
  - Keep the name short, simple, and easy to remember
  - Use standard DNS characters
  - Limit the name to 63 characters, including the periods
  - The Fully Qualified Domain Name (FQDN) can be up to 255 characters

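The guidelines above can be turned into a pre-flight check that runs before a domain is ever promoted, when renaming is still cheap. The following is an added example, not code from the book; it applies the limits exactly as the slide states them (63 characters for the domain name including periods, 255 for the FQDN) and takes "standard DNS characters" to mean letters, digits and hyphens, with no label starting or ending in a hyphen. The domain names in the usage block are constructed.

```python
"""Pre-flight validation of a proposed Active Directory domain name against
the naming guidelines (added example). Returns a list of violations so that
every problem is reported at once rather than one per run."""
import re
from typing import List

# Standard DNS characters: letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_DOMAIN_NAME = 63    # guideline from the slide, periods included
MAX_FQDN = 255          # guideline from the slide


def check_labels(name: str) -> List[str]:
    """Character-set and empty-label checks shared by the two entry points."""
    problems = []
    for label in name.split("."):
        if not label:
            problems.append(f"'{name}': empty label (leading, trailing or doubled period)")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label '{label}': non-standard DNS character or hyphen at start/end")
    return problems


def check_domain_name(name: str) -> List[str]:
    """Violations of the domain-name guidelines; an empty list means it passes."""
    if not name:
        return ["empty domain name"]
    problems = []
    if len(name) > MAX_DOMAIN_NAME:
        problems.append(f"'{name}' is {len(name)} characters; limit is {MAX_DOMAIN_NAME} including periods")
    problems.extend(check_labels(name))
    return problems


def check_fqdn(host: str, domain: str) -> List[str]:
    """Violations for a host's fully qualified name host.domain."""
    problems = check_domain_name(domain)
    problems.extend(check_labels(host))
    fqdn = f"{host}.{domain}"
    if len(fqdn) > MAX_FQDN:
        problems.append(f"FQDN is {len(fqdn)} characters; limit is {MAX_FQDN}")
    return problems


if __name__ == "__main__":
    for candidate in ("corp.example", "corp_hq.example", "-corp.example",
                      "a" * 60 + ".example", "corp..example"):
        print(f"{candidate!r}: {check_domain_name(candidate) or 'OK'}")
    print("dc1.corp.example:", check_fqdn("dc1", "corp.example") or "OK")
```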
Lesson 1: Introducing Active Directory Services in Windows Server 2003 (Skill 9)
Guidelines for Planning a Site Structure
• Sites
  - Map to the physical structure of an organization
  - Participate actively in the user logon and authentication process
  - Play an important role in the directory replication process

Guidelines for Planning a Site Structure (2)
• Directory replication
  - Can take place within a site or between sites
  - Within a site, Active Directory automatically generates a replication topology
  - You can disable Active Directory's automatic creation of connection objects by manually creating connection objects, and thus control intra-site replication

Figure 1-22 Replication within a site using a ring topology

Guidelines for Planning a Site Structure (3)
• Site planning guidelines
  - Decide which domain controller the computers on a given subnet should use
  - To optimize logon traffic, ensure the availability of at least one domain controller per site
  - To optimize inter-site replication, configure replication so that it occurs when network traffic is light

Guidelines for Planning a Site Structure (4)
• Site planning guidelines
  - Configure a powerful server as the preferred bridgehead server for inter-site replication
    - The bridgehead server is the only server in a site that is allowed to replicate to other sites
    - This reduces the amount of replication traffic between sites, because not every server attempts to replicate with every other server

Figure 1-23 Using a bridgehead server for inter-site replication

Guidelines for Planning a Site Structure (5)
• Site planning guidelines
  - Place your domain controllers in the correct sites
    - By default, clients choose the correct site each time they get a new IP address
    - Domain controllers only choose a site when they are first created, and must be moved manually thereafter
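The three site guidelines that concern placement (decide which domain controller a subnet's computers use, keep at least one domain controller per site, and put domain controllers in the correct site) come together in the client's site lookup. The following is an added example, not code from the book; it uses a constructed topology of four sites with hypothetical subnets and domain controller names. A client is assigned to the site whose subnet object matches its address with the longest prefix, then looks for a domain controller in that site. The fallback for a site with no domain controller is simplified here to "any domain controller in the domain"; the real DC locator picks the nearest covering site by site-link cost, but the planning lesson is the same: the site is flagged and its logon traffic crosses a site link.

```python
"""Client-to-site mapping and domain-controller selection (added example).

Models the planning checks behind the site guidelines: longest-prefix subnet
lookup, in-site DC selection, and detection of sites with no DC. The
topology below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet objects: CIDR -> site. The /24 inside Paris's /16 shows
# that the most specific matching subnet decides the site.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "London",
    "10.2.0.0/16": "Paris",
    "10.2.10.0/24": "Paris-Lab",
    "10.3.0.0/16": "Tokyo",
}

# Constructed domain controllers and the site each was placed in.
# Tokyo has a subnet but no DC, which violates the one-DC-per-site guideline.
DOMAIN_CONTROLLERS: Dict[str, str] = {
    "DC01": "London",
    "DC02": "London",
    "DC03": "Paris",
    "DC04": "Paris-Lab",
}


def site_for_address(ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Site of the longest-prefix subnet containing ip, or None if no subnet
    object covers the address (a client whose subnet nobody registered)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def domain_controllers_in(site: Optional[str],
                          dcs: Dict[str, str] = DOMAIN_CONTROLLERS) -> List[str]:
    return sorted(name for name, s in dcs.items() if s == site)


def locate_dc(ip: str, subnets: Dict[str, str] = SUBNETS,
              dcs: Dict[str, str] = DOMAIN_CONTROLLERS) -> Tuple[str, bool]:
    """(domain controller name, True if it is in the client's own site).

    Simplified fallback: when the client's site has no DC, the first DC in the
    domain is used; logon traffic then crosses a site link.
    """
    local = domain_controllers_in(site_for_address(ip, subnets), dcs)
    if local:
        return local[0], True
    return sorted(dcs)[0], False


def sites_without_dc(subnets: Dict[str, str] = SUBNETS,
                     dcs: Dict[str, str] = DOMAIN_CONTROLLERS) -> List[str]:
    """Sites that have subnets assigned but no domain controller placed in them."""
    return sorted(set(subnets.values()) - set(dcs.values()))


if __name__ == "__main__":
    for client in ("10.1.5.5", "10.2.3.4", "10.2.10.7", "10.3.0.9", "192.168.1.1"):
        site = site_for_address(client)
        dc, in_site = locate_dc(client)
        print(f"{client:<14} site={site!s:<10} dc={dc} {'(in site)' if in_site else '(REMOTE: crosses a site link)'}")
    print("sites with no domain controller:", sites_without_dc())
```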