Chapter 3
Introducing Active Directory

After reading this chapter and completing the exercises, you will be able to:
+ Describe the role of a directory service and the physical and logical Active Directory structure
+ Install Active Directory
+ Describe the main Active Directory objects
+ Explain configuring and applying group policies
Windows Server 2008 Active Directory is the core component in a Windows domain environment. The Active Directory Domain Services role provides a single point of user, desktop, and server administration. To understand Active Directory and its role in a network, you need to know what a directory service is and how it's used to manage resources and access to resources on a network. Before administrators can use Active Directory to manage users, desktops, and servers in a network, they need a good understanding of Active Directory's structure and its underlying components and objects, which are covered in this chapter. You also learn about installing Active Directory and using the powerful Group Policy tool to set consistent security, user, and desktop standards throughout your organization.
The Role of a Directory Service
A network directory service, as the name suggests, stores information about a computer network and offers features for retrieving and managing that information. Essentially, it's a database composed of records or objects describing users and available network resources, such as servers, printers, and applications. Like a database for managing a company's inventory, a directory service includes functions to search for, add, modify, and delete information. Unlike an inventory database, a directory service can also manage how its stored resources can be used and by whom. For example, a directory service can be used to specify who has the right to log on to a computer or to restrict what software can be installed on a computer.
A directory service is often thought of as an administrator's tool, but users can use it, too. Users might need the directory service to locate network resources, such as printers or shared folders, by performing a search. They can even use the directory service as a phone book of sorts to look up information about other users, such as phone numbers, office locations, and e-mail addresses.
Whether an organization consists of a single facility or has multiple locations, a directory service provides a centralized management tool for users and resources in all locations. This capability does add a certain amount of complexity, so making sure the directory service is structured and designed correctly before using it is critical.
Windows Active Directory
Windows Active Directory became part of the Windows family of server OSs starting with Windows 2000 Server. Before Windows 2000, Windows NT Server had a directory service that was little more than a user manager; it included centralized logon and grouped users and computers into logical security boundaries called domains. The Windows NT domain system was a flat database of users and computers with no way to organize users or resources by department, function, or location, no matter how many users you had. This single, unstructured list made managing large numbers of users cumbersome.
Active Directory's hierarchical database enables administrators to organize users and network resources to reflect the organization of the environment in which it is used. For example, if a company identifies its users and resources primarily by department or location, Active Directory can be configured to mirror that structure. You can structure Active Directory and organize the objects representing users and resources in a way that makes the most sense. Active Directory offers the following features, among others, that make it a highly flexible directory service:
+ Hierarchical organization—This structure makes management of network resources and administration of security policies easier.
+ Centralized but distributed database—All network data is centrally located, but it can be distributed among many servers for fast, easy access to information from any location. Automatic replication of information also provides load balancing and fault tolerance. Active Directory replication is the transfer of information among domain controllers to make sure all domain controllers have consistent and up-to-date information.
+ Scalability—Advanced indexing technology provides high-performance data access, whether Active Directory consists of a few dozen or a few million objects.
+ Security—Fine-grained access controls enable administrators to control access to each directory object and its properties. Active Directory also supports secure authentication protocols to maximize compatibility with Internet applications and other systems.
+ Flexibility—Active Directory is installed with some predefined objects, such as user accounts and groups, but their properties can be modified, and new objects can be added for a customized solution.
+ Policy-based administration—Administrators can define policies to ensure a secure and consistent environment for users yet maintain the flexibility to apply different sets of rules for departments, locations, or user classes as needed.
Overview of the Active Directory Structure
As with most things, the best way to understand how Active Directory works is to install it and start using it, but first, knowing the terms used to describe its structure is helpful. There are two aspects of Active Directory's structure:
+ Physical structure
+ Logical structure
Active Directory's Physical Structure
The physical structure consists of sites and servers configured as domain controllers. An Active Directory site is nothing more than a physical location in which domain controllers communicate and replicate information regularly. Specifically, Microsoft defines a site as one or more IP subnets connected by high-speed LAN technology. A small business with no branch offices or other locations, for example, consists of a single site. However, a business with a branch office in another part of the city connected to the main office through a slow WAN link usually has two sites. Typically, each physical location with a domain controller operating in a common domain and connected by a WAN constitutes a site. The main reasons for defining multiple sites are to control the frequency of Active Directory replication and to assign policies based on physical location. Chapters 4 and 10 discuss sites in more detail.
Another component of the physical structure is a server configured as a domain controller, which is a computer running Windows Server 2008 with the Active Directory Domain Services role installed. Although an Active Directory domain can consist of many domain controllers, each domain controller can service only one domain. Each writable domain controller contains a full replica of the objects that make up the domain (a read-only domain controller, an option introduced in Windows Server 2008, holds a read-only copy and does not store every account's password) and is responsible for the following functions:
+ Storing a copy of the domain data and replicating changes to that data to all other domain controllers throughout the domain
+ Providing data search and retrieval functions for users attempting to locate objects in the directory
+ Providing authentication and authorization services for users who log on to the domain and attempt to access network resources
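The sites, subnets, site links, and domain controllers described above are all objects you can read back from a running forest. The following PowerShell script is an added example, not code from the chapter: it walks the physical structure of the current forest with the .NET System.DirectoryServices.ActiveDirectory classes (which work on Windows Server 2008 without the Active Directory PowerShell module, because that module only arrived with Windows Server 2008 R2) and flags two misconfigurations a practitioner checks for first: a site with no subnets, which no client can ever be located in, and a site with no domain controller, whose clients will log on across the WAN. It assumes a domain-joined machine, a domain account, and PowerShell 2.0 or later; the names it prints come from your own directory.

```powershell
# Added example, not code from the chapter. Assumes a domain-joined machine,
# a domain account (any authenticated user can read this structure by default)
# and PowerShell 2.0 or later.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "Forest: $($forest.Name)"

# Index every domain controller in the forest by the site it is placed in.
# A DC serves exactly one domain ($dc.Domain) and sits in exactly one site ($dc.SiteName).
$dcsBySite = @{}
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        if (-not $dcsBySite.ContainsKey($dc.SiteName)) { $dcsBySite[$dc.SiteName] = @() }
        $dcsBySite[$dc.SiteName] += $dc
    }
}

$warnings = @()
$links = @{}
foreach ($site in $forest.Sites) {
    Write-Host "`nSite: $($site.Name)"
    # Subnets are how a client's IP address is mapped to a site, and therefore
    # to the domain controllers it should prefer for logon.
    foreach ($subnet in $site.Subnets) {
        Write-Host ("  subnet {0,-20} location: {1}" -f $subnet.Name, $subnet.Location)
    }
    $dcs = $dcsBySite[$site.Name]
    foreach ($dc in $dcs) {
        $gc = if ($dc.IsGlobalCatalog()) { "(GC)" } else { "" }
        Write-Host ("  dc     {0,-30} {1,-15} domain: {2} {3}" -f $dc.Name, $dc.IPAddress, $dc.Domain.Name, $gc)
    }
    if ($site.Subnets.Count -eq 0) {
        $warnings += "site '$($site.Name)' has no subnets, so no client will ever be located in it"
    }
    if (-not $dcs) {
        $warnings += "site '$($site.Name)' has no domain controller; its clients will log on across the WAN"
    }
    # Site links are the replication paths between sites; collect them once each.
    foreach ($link in $site.SiteLinks) { $links[$link.Name] = $link }
}

# The replication interval on a site link is the knob that controls how often
# changes cross the WAN between the sites it joins.
Write-Host "`nSite links:"
foreach ($link in $links.Values) {
    $siteNames = ($link.Sites | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("  {0,-20} cost {1,4}  every {2} min  sites: {3}" -f `
        $link.Name, $link.Cost, $link.ReplicationInterval.TotalMinutes, $siteNames)
}

$warnings | ForEach-Object { Write-Warning $_ }
```

Run it from any domain member as an ordinary domain user; the site and subnet objects live in the forest-wide Configuration partition, so the output is the same no matter which domain controller answers. A new forest has a single site named Default-First-Site-Name with no subnets, which is exactly the first warning the script raises, and the fix is to create a subnet object for each LAN and assign it to the site.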
Active Directory's Logical Structure
The logical structure of Active Directory makes it possible to pattern the directory service's look and feel after the organization in which it runs. There are four organizing components of Active Directory:
+ Organizational units (OUs)
+ Domains
+ Trees
+ Forests
These four components can be thought of as containers and are listed from most specific to broadest in terms of what they contain. To use a geographical analogy, an OU represents a city, a domain is the state, a tree is the country, and a forest is the continent.
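The four containers map directly onto objects you can enumerate. The following PowerShell script is an added example, not code from the chapter: it prints the logical structure of the current forest, from the forest root down through each domain tree (a domain whose Parent is empty is the root of a tree; its Children share its namespace) and then into the organizational units of the root domain, using an ADSI DirectorySearcher for the OU walk. It also marks the built-in Users and Computers containers, which are containers rather than OUs and therefore cannot have a Group Policy linked to them. It assumes a domain-joined machine, a domain account, and PowerShell 2.0 or later; the names it prints come from your own directory.

```powershell
# Added example, not code from the chapter. Assumes a domain-joined machine,
# a domain account and PowerShell 2.0 or later.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "Forest $($forest.Name): root domain $($forest.RootDomain.Name), mode $($forest.ForestMode)"

# Trees: a domain with no parent starts a tree; children share its DNS namespace
# (for example child.corp.example.com under corp.example.com).
function Show-DomainTree([System.DirectoryServices.ActiveDirectory.Domain]$domain, [int]$depth) {
    $dcCount = $domain.DomainControllers.Count
    Write-Host (("  " * $depth) + "domain $($domain.Name) ($dcCount DCs, mode $($domain.DomainMode))")
    foreach ($child in $domain.Children) { Show-DomainTree $child ($depth + 1) }
}
foreach ($domain in $forest.Domains) {
    if ($domain.Parent -eq $null) {
        Write-Host "Tree rooted at $($domain.Name)"
        Show-DomainTree $domain 1
    }
}

# OUs: recurse one level at a time beneath a directory entry. Group Policy can be
# linked only to sites, domains and OUs, so anything tagged 'container' here
# (CN=Users, CN=Computers, CN=System, ...) cannot carry a GPO; objects that must
# receive policy have to be moved into an OU.
function Show-OUs([System.DirectoryServices.DirectoryEntry]$root, [int]$depth) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(|(objectCategory=organizationalUnit)(objectCategory=container))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $entry = $result.GetDirectoryEntry()
            $kind = if ($entry.SchemaClassName -eq "organizationalUnit") { "OU" } else { "container" }
            Write-Host (("  " * $depth) + "$kind $($entry.Name)")
            if ($kind -eq "OU") { Show-OUs $entry ($depth + 1) }   # only OUs nest further OUs worth showing
        }
    } finally {
        $results.Dispose()
    }
}

Write-Host "`nOrganizational units in $($forest.RootDomain.Name):"
Show-OUs $forest.RootDomain.GetDirectoryEntry() 1
```

On a freshly installed domain the OU section shows only the Domain Controllers OU plus the default containers, which is why the chapter's later material on designing OUs matters: until you create OUs that mirror departments or locations, there is nothing below the domain to which a department-specific policy can be applied.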