In this section, learn about the basics of Active Directory and the benefits of Active Directory implementation. Find information on Active Directory forests, domains, organizational units and sites, as well as the basics of LDAP (Lightweight Directory Access Protocol) and Group Policy. After that, move on to the next section of our Active Directory Learning Guide, which focuses on the Domain Name System (DNS).

The basics of Active Directory

What is Active Directory?

Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security and distributed resources and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.

Active Directory was new to Windows 2000 Server and further enhanced for Windows Server 2003, making it an even more important part of the operating system. Windows Server 2003 Active Directory provides a single reference, called a directory service, to all the objects in a network, including users, groups, computers, printers, policies and permissions. For a user or an administrator, Active Directory provides a single hierarchical view from which to access and manage all of the network's resources.

Why implement Active Directory?

There are many reasons to implement Active Directory. First and foremost, Microsoft Active Directory is generally considered to be a significant improvement over Windows NT Server 4.0 domains or even standalone server networks. Active Directory has a centralized administration mechanism over the entire network. It also provides for redundancy and fault tolerance when two or more domain controllers are deployed within a domain.
Active Directory automatically manages the communications between domain controllers to ensure the network remains viable. Users can access all resources on the network for which they are authorized through a single sign-on. All resources in the network are protected by a robust security mechanism that verifies the identity of users and the authorizations of resources on each access.

Even with Active Directory's improved security and control over the network, most of its features are invisible to end users; therefore, migrating users to an Active Directory network will require little re-training. Active Directory offers a means of easily promoting and demoting domain controllers and member servers. Systems can be managed and secured via Group Policies. It is a flexible hierarchical organizational model that allows for easy management and detailed specific delegation of administrative responsibilities. Perhaps most importantly, however, is that Active Directory is capable of managing millions of objects within a single domain.

Basic divisions of Active Directory

Active Directory networks are organized using four types of divisions or container structures. These four divisions are forests, domains, organizational units and sites.

Forests: The collection of every object, its attributes and attribute syntax in the Active Directory.
Domain: A collection of computers that share a common set of policies, a name and a database of their members.
Organizational units: Containers in which domains can be grouped. They create a hierarchy for the domain and create the structure of the Active Directory's company in geographical or organizational terms.
Sites: Physical groupings independent of the domain and OU structure. Sites distinguish between locations connected by low- and high-speed connections and are defined by one or more IP subnets.

Forests are not limited in geography or network topology. A single forest can contain numerous domains, each sharing a common schema. Domain members of the same forest need not even have a dedicated LAN or WAN connection between them. A single network can also be the home of multiple independent forests. In general, a single forest should be used for each corporate entity. However, additional forests may be desired for testing and research purposes outside of the production forest.

Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide Group Policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authentication is on a domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.

Active Directory requires one or more domains in which to operate. As mentioned before, an Active Directory domain is a collection of computers that share a common set of policies, a name and a database of their members. A domain must have one or more servers that serve as domain controllers (DCs) and store the database, maintain the policies and provide the authentication of domain logons.
With Windows NT Server 4.0, the primary domain controller (PDC) and backup domain controller (BDC) were roles that could be assigned to a server in a network of computers that used a Windows operating system. Windows used the idea of a domain to manage access to a set of network resources (applications, printers and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. One server, known as the primary domain controller, managed the master user database for the domain. One or more other servers were designated as backup domain controllers. The primary domain controller periodically sent copies of the database to the backup domain controllers. A backup domain controller could step in as primary domain controller if the PDC server failed and could also help balance the workload if the network was busy enough.

With Windows 2000 Server, while domain controllers were retained, the PDC and BDC server roles were basically replaced by Active Directory. It is no longer necessary to create separate domains to divide administrative privileges. Within Active Directory, it is possible to delegate administrative privileges based on organizational units. Domains are no longer restricted by a 40,000-user limit. Active Directory domains can manage millions of objects. As there are no longer PDCs and BDCs, Active Directory uses multi-master replication and all domain controllers are peers.

Organizational units are much more flexible and easier overall to manage than domains. OUs grant you nearly infinite flexibility as you can move them, delete them and create new OUs as needed. However, domains are much more rigid in their existence. Domains can be deleted and new ones created, but this process is more disruptive of an environment than is the case with OUs and should be avoided whenever possible.

By definition, sites are collections of IP subnets that have fast and reliable communication links between all hosts. Another way of putting this is that a site contains LAN connections but not WAN connections, with the general understanding that WAN links are significantly slower and less reliable than LAN connections. This can result in more efficient traffic flow for productivity tasks. It can also keep WAN link costs down and reduce the amount of traffic that flows over your slower WAN pay-by-the-bit services.

The Infrastructure Master and Global Catalog
Among the other key components within Active Directory is the Infrastructure Master. The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for an unattended process that "fixes up" stale references, known as phantoms, within the Active Directory database.

Phantoms are created on DCs that require a database cross-reference between an object within their own database and an object from another domain within the forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same forest. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g., when the target object is renamed, moved, migrated between domains or deleted. The Infrastructure Master is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the "fix-up" process must then be replicated to all remaining DCs within the domain.

The Infrastructure Master is sometimes confused with the Global Catalog (GC), which maintains a partial, read-only copy of every domain in a forest and is used for universal group storage and logon processing, among other things. Since GCs store a partial copy of all objects within the forest, they are able to create cross-domain references without the need for phantoms.

Active Directory and LDAP

Microsoft includes LDAP (Lightweight Directory Access Protocol) as part of Active Directory. LDAP is a software protocol for enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for individuals without knowing where they're located (although additional information will help with the search).
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

The root directory (the starting place or the source of the tree), which branches out to
Countries, each of which branches out to
Organizations, which branch out to
Organizational units (divisions, departments and so forth), which branch out to
Individuals (which include people, files and shared resources, such as printers)
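An LDAP directory laid out in these levels is queried with search filters, and the filter syntax is the same whether the server is Active Directory or another LDAP directory. The following Python is an added example, not code from the learning guide: it parses a filter string (the and/or/not, equality, presence and substring forms) and evaluates it against a small in-memory tree of constructed entries shaped like the hierarchy above (country, organization, organizational unit, individual). The entry names, attributes and the search function itself are assumptions made for the illustration; against a real directory the same filter strings would be handed to an LDAP client, and ordering comparisons (>=, <=, ~=) are deliberately left out.

```python
"""Evaluate LDAP search filters against an in-memory directory tree.
Added example with constructed sample entries; not a real LDAP client."""
import re

# Constructed sample directory: DN -> attributes (most specific RDN first).
DIRECTORY = {
    "c=US": {"objectClass": ["country"], "c": ["US"]},
    "o=Example,c=US": {"objectClass": ["organization"], "o": ["Example"]},
    "ou=Sales,o=Example,c=US": {"objectClass": ["organizationalUnit"], "ou": ["Sales"]},
    "ou=IT,o=Example,c=US": {"objectClass": ["organizationalUnit"], "ou": ["IT"]},
    "cn=Alice Smith,ou=Sales,o=Example,c=US": {
        "objectClass": ["person"], "cn": ["Alice Smith"], "sn": ["Smith"],
        "mail": ["alice@example.test"], "title": ["Account Manager"]},
    "cn=Bob Jones,ou=IT,o=Example,c=US": {
        "objectClass": ["person"], "cn": ["Bob Jones"], "sn": ["Jones"],
        "mail": ["bob@example.test"]},
    "cn=Printer-3F,ou=IT,o=Example,c=US": {
        "objectClass": ["device"], "cn": ["Printer-3F"]},
}


def parse_filter(text):
    """Parse a filter such as (&(objectClass=person)(mail=*)) into a tuple tree.
    Supported: (&...), (|...), (!...), attr=value, attr=* (presence) and
    attr=a*b (substring). Ordering/approximate matches raise ValueError."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or (attr and attr[-1] in "><~"):
            raise ValueError("only '=' assertions are supported")
        pos = end + 1
        if value == "*":
            return ("present", attr.lower())
        if "*" in value:
            return ("substr", attr.lower(), value)
        return ("eq", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP.
    return [v for k, vs in entry.items() if k.lower() == attr for v in vs]


def matches(node, entry):
    """True when the entry satisfies the parsed filter node."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    if kind == "eq":  # case-insensitive, as for most directory string attributes
        return any(v.lower() == node[2].lower() for v in vals)
    # substring: a*b becomes the anchored regex ^a.*b$ with the pieces escaped
    pattern = "^" + ".*".join(re.escape(p) for p in node[2].split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in vals)


def search(base_dn, filter_text, scope="subtree", directory=DIRECTORY):
    """Return DNs under base_dn whose entries match filter_text.
    scope is 'base' (only the base entry), 'one' (direct children) or 'subtree'."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    hits = []
    for dn, entry in directory.items():
        low = dn.lower()
        if low == base:
            in_scope = scope in ("base", "subtree")
        elif low.endswith("," + base):
            rest = low[: -len(base) - 1]          # RDNs between the entry and the base
            in_scope = scope == "subtree" or (scope == "one" and "," not in rest)
        else:
            in_scope = False
        if in_scope and matches(node, entry):
            hits.append(dn)
    return hits


if __name__ == "__main__":
    print(search("o=Example,c=US", "(&(objectClass=person)(mail=*))"))
    print(search("ou=IT,o=Example,c=US", "(objectClass=*)", scope="one"))
```

The scope handling is what distinguishes an LDAP search from a plain text match: the same filter returns different results depending on the base DN and whether the search covers only the base entry, its immediate children, or the whole subtree, which is why an Active Directory query that "finds nothing" is often a base or scope problem rather than a filter problem.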
An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. It is important for every administrator to understand what LDAP is when searching for information in Active Directory, and being able to create LDAP queries is especially useful when looking for information stored in your Active Directory database. For this reason, many admins go to great lengths to master the LDAP search filter.

Group Policy management and Active Directory

It's difficult to discuss Active Directory without mentioning Group Policy. Admins can use Group Policies in Microsoft Active Directory to define settings for users and computers throughout a network. These settings are configured and stored in what are called Group Policy Objects (GPOs), which are then associated with Active Directory objects, including domains and sites. Group Policy is the primary mechanism for applying changes to computers and users throughout a Windows environment. Through Group Policy management, administrators can globally configure desktop settings on user computers, restrict/allow access to certain files and folders within a network and more.

It is important to understand how GPOs are used and applied. Group Policy Objects are applied in the following order: local machine policies are applied first, followed by site policies, followed by domain policies, followed by policies applied to individual organizational units. A user or computer object can only belong to a single site and a single domain at any one time, so they will receive only GPOs that are linked to that site or domain.

GPOs are split into two distinct parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). The Group Policy Template is responsible for storing the specific settings created within the GPO and is essential to its success. It stores these settings in a large structure of folders and files. In order for the settings to apply successfully to all user and computer objects, the GPT must be replicated to all domain controllers within the domain.

The Group Policy Container is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO. The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.

For Windows Server 2003, Microsoft released a Group Policy management solution as a means of unifying management of Group Policy in the form of a snap-in known as the Group Policy Management Console (GPMC). The GPMC provides a GPO-focused management interface, thus making the administration, management and location of GPOs much simpler. Through GPMC you can create new GPOs, modify and edit GPOs, cut/copy/paste GPOs, back up GPOs and perform Resultant Set of Policy modeling.
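To make the application order (local, site, domain, OU) concrete, here is an added Python example that is not part of the guide: it first resolves a computer's site from its IP address using the site's subnet definitions (the most specific matching subnet wins), then collects the GPOs linked at each level in that order, walking the OU path from the top-level OU down, and merges the settings so that a GPO applied later overrides an earlier one for the same setting. The site names, subnets, GPO names, link table and settings are all constructed sample data. The example assumes that GPOs linked to a parent OU are processed before those linked to a child OU, which is how Active Directory orders OU links, and it omits the Enforced and Block Inheritance options that a real Resultant Set of Policy calculation also honours.

```python
"""Site lookup by IP subnet plus LSDOU Group Policy precedence.
Added example with constructed sample data; not Microsoft's RSoP engine."""
import ipaddress

# Constructed site definitions: a site is one or more IP subnets.
SITES = {
    "HQ": ["10.1.0.0/16"],
    "Branch-East": ["10.2.0.0/16"],
    "Lab": ["10.2.8.0/22"],        # more specific than Branch-East's /16
}

# Constructed GPOs: name -> settings it configures.
GPOS = {
    "Local": {"ScreenSaverTimeout": 900, "AllowRemovableMedia": True},
    "HQ-Site": {"ProxyServer": "proxy.hq.example.test:8080"},
    "Lab-Site": {"ProxyServer": "proxy.lab.example.test:8080"},
    "Default Domain Policy": {"MinPasswordLength": 14, "ScreenSaverTimeout": 600},
    "Servers Baseline": {"AllowRemovableMedia": False},
    "DB Servers": {"AuditLevel": "verbose"},
}

# Constructed links: which GPOs are linked to which site, domain or OU.
LINKS = {
    "site:HQ": ["HQ-Site"],
    "site:Lab": ["Lab-Site"],
    "domain:corp.example.test": ["Default Domain Policy"],
    "OU=Servers,DC=corp,DC=example,DC=test": ["Servers Baseline"],
    "OU=DB,OU=Servers,DC=corp,DC=example,DC=test": ["DB Servers"],
}


def site_for_ip(ip, sites=SITES):
    """Return the site whose subnet most specifically contains ip, or None
    when no site has a subnet covering the address."""
    addr = ipaddress.ip_address(ip)
    best = None  # (site name, prefix length) of the longest match so far
    for name, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def ou_chain(dn):
    """Parent-to-child list of the OU DNs that contain the object at dn."""
    parts = dn.split(",")
    chain = [",".join(parts[i:]) for i, p in enumerate(parts)
             if p.upper().startswith("OU=")]
    return list(reversed(chain))        # top-level OU first


def resultant_policy(computer_dn, ip, domain, gpos=GPOS, links=LINKS, sites=SITES):
    """Return (ordered GPO names, effective settings) for one computer.
    Order is Local, Site, Domain, then OUs from the top down; the value from
    a later GPO replaces an earlier one for the same setting."""
    order = ["Local"]
    site = site_for_ip(ip, sites)
    if site is not None:                # no site means no site-linked GPOs
        order += links.get("site:" + site, [])
    order += links.get("domain:" + domain, [])
    for ou in ou_chain(computer_dn):
        order += links.get(ou, [])
    effective = {}
    for name in order:
        effective.update(gpos[name])
    return order, effective


if __name__ == "__main__":
    order, settings = resultant_policy(
        "CN=SQL01,OU=DB,OU=Servers,DC=corp,DC=example,DC=test",
        "10.2.8.5", "corp.example.test")
    print(order)
    print(settings)
```

Reading the result for the sample server shows the precedence at work: the local ScreenSaverTimeout of 900 is replaced by the domain policy's 600, and the local AllowRemovableMedia of True is replaced by the Servers Baseline OU link's False, while a workstation in an OU with no links receives only the local, site and domain policies.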