Planning Implementing Maintaining AD Infrastructure

BACK

Planning Implementing Maintaining AD Infrastructure (an AD planning 70-294 intro)

NOS – Network Operating System

Definitions:
- A server-based network operating system, or NOS, provides networking support for multiple simultaneous users as well as administrative, security, and management functions.
- Typically used to run computers that act as servers
- Software that connects all devices on a network so that resources can be shared efficiently
- Allows multiple computers to communicate, share files and hardware devices with one another
- define:"network operating system"
- wikipedia
Services:
- File and print sharing
- Account administration for users
- Security
- Data backup

DS – Directory Service

A collection of software, hardware, processes, policies and administrative procedures involved in organizing the information in a directory and making it available to users
A network database used to locate objects such as printers, machines, and users. The DS helps applications resolve names to network locations.
define:"Directory Service"
wikipedia

NOS Examples: (in not particular order, some obsolete, not all fit the NOS definition purely)

E-Directory
IBM OS/2 and AIX
LDAP (*NIX)
Macintosh
Microsoft AD 2003 / AD 2000
NIS (*NIX)
Novell Netware
NTDS (Microsoft Windows NT)
SUN Solaris

Active Directory (AD) overview

Some of the major things AD does:
- Authentication of AD user --> authorization to AD resource
- Centralized storage and search of resources and (directory) information
- Where resources and information is files, printers, email addresses, etc.
Server 2003 "flavors”
- Isolated non-networked (workgroup)
- Stand alone (workgroup)
- Member server (AD)
- Domain Controller - DC (AD)

AD vs Workgroup
AD	Workgroup
KRB - Kerberos	SAM – Security Accounts Manager
SSO – Single Sign-On	small
DDNS – Dynamic Domain Name System	Decentralized administration
LDAP – Lightwieght Directory Access Protocol	Decentralized security
Requires >= 2 DCs	-

Active Directory (AD) components

AD definition: Microsoft's directory service included with Windows 2003/2000 that provides a single point of administration, storage for users, groups, and computer objects.
Central storage
Central administration
Central user authentication
Delegation of administration
DC
- Holds a copy of the AD database
- Performs user authentication
- Services requests and queries
Multi-master replication
- Changes within a site replicated to other DCs in 15 sec
- Plus 3 sec for each additional DC
- One hour replication default
- Between sites replication default is 3 hours
Built on DNS
- Naming
- Locating of resources
- Name resolution and service location
Contains objects
- Users
- Computers
- groups
- Etc.
Schema
- Unique per forest
- Object classes
- Attributes
- The schema partition of the AD database exists on all DCs
Domains
- Password policy – unique per domain
- Administrative boundary
- Replication boundary
OU – Organizational Unit
- Logical container
- Used to delegate
- Used to link GPOs
- Designing an OU Structure that Supports Group Policy http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dmebb_gpu_pxyo.asp
Group Policy Object (GPO)
- A group or policies
- Nothing to do with user groups
- Introduction to Group Policy in Windows Server 2003 http://www.microsoft.com/windowsserver2003/techinfo/overview/gpintro.mspx
- Troubleshooting Group Policy in Windows Server 2003 http://microsoft.com/downloads/details.aspx?FamilyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displaylang=en
Tree
- One or more namespace-wise contiguous domains
Forest
- Single AD instance
- One schema
- One or more trees
- Forest root domain
Trust
- Allows access to resources in another domain
- implicit, two-way, transitive trusts
- Explicit domain trusts
- Forest trust
- multiple-forest trust relationships http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfstwp.asp?frame=true
Site
- >= 1 network with higher speed connectivity (>=10 MB)
- >= 1 GC per site
- Physical AD != logical AD
Site link
- Connects site objects
GC – Global Catalog
- Supports Exchange 2000/2003
- Performs Universal group lookups
- Forest-wide index
- Partial replica of objects and attributes frequently used throughout AD
LDAP
- Used to query or update AD
Universal Groups (UG)
- special considerations re UGs and GCs and WAN use and security

FSMO - Flexible Single Master Operations roles/services

Schema Master - Forest level - oversees all schema operations
Domain Naming Master - Forest level - oversees all domain instantiation
RID (Relative ID) Master - Domain level - Grants pools of ID numbers to be used by DCs (for object creation by DCs)
PDC (Primary DC ("old" NT term)) Emulator - Domain level - used for backward compatibility AND many other AD critical functions: authoritative password source, forest and domain time masters, more
Infrastructure Master - Domain level - handles updates and name changes involving cross domain relationships
Must know
- what will break with a FSMO down or inaccessible
- Where to place FSMOs site-wise
- Where to place FSMOs forest-wise
- how to transfer
- how to seize
- when to seize
- when not to return the seize to production
Note that most everything else in AD is handled by Multi-Master replication, where, for example, all DCs are read write, changes can be made anywhere and replicate around. These five FSMOs are the exceptions. They are flexible roles because they can be moved to different DCs by NTDSUTIL or some GUIs
FSMO placement and optimization on Active Directory domain controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;223346

NEW to 2003

Tools to know - relevant to the 70-294 AD Planning subject area

ADUC - Active Directory Users and Computers
GPMC - Group Policy Management Console - Administering Group Policy with the GPMC http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
RSOP - Resultant Set Of Policy http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/RSPintro.asp
ADSS - Active Directory Sites and Services
ADDT - Active Directory Domains and Trusts
replmon - AD Replication Monitor. Installed from the Support\Tools. Offers many AD replication statistics and logs. It allows you to show replication topologies, available GCs and FSMOs, BridgeHead servers and trust relationships, etc..
Event Viewer - duh
ADSI - Active Directory Services Interface Editor, a low-level AD editor and search tool
DCdiag - query the state of a domain controller, report any problems and assist in troubleshooting.
Directory Services Restore Mode - reboot a DC into this mode to do AD restores and off-line AD NTDS.dit maintenancehttp://support.microsoft.com/default.aspx?scid=kb;en-us;241594
NTDSutil.exe
ADprep.exe - Windows 2000 forests and domains are readied for Windows 2003 DCs with this utility; makes sure that a Windows 2000 forest and domain contain the additional objects, attributes and permissions to support the Windows 2003 AD environment. Know sequence and permissions to run
domain rename tools http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
GPresult [/u or /c]

Windows Server 2003 Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en

Windows Server 2003 Deployment Kit: Designing a Managed Environment:

http://www.microsoft.com/downloads/details.aspx?FamilyID=b671967b-ef65-4ccf-9d00-89d6ae428edc&DisplayLang=en
Planning and Implementing User, Computer, and Group Strategies: Review chapters two, three and four
maintaining software using GPOs: chapters eight and nine

REDMOND MAG 70-294 Active Directory Planner http://redmondmag.com/reviews/exams/article.asp?EditorialsID=104

BACK