Course Project(Active Directory)

Published November 2016

ACTIVE DIRECTORY IN WINDOWS 2003 SERVER

Contents
1. Introduction to Active Directory (page 1)
2. Installation of ADS (page 5)
3. FSMO roles (page 6)
4. Network support services (page 8)
5. Benefits of ADS (page 22)

Jaadulla Ali

Page 1

Introduction to Active Directory
Active Directory is a technology created by Microsoft that provides a variety of network services from a single database, primarily for Windows environments. Using that same database, Active Directory also allows administrators to assign policies, deploy software, and apply critical updates across an organization. Active Directory stores information and settings in a central database. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different domains and large server farms spanning many geographical locations.

Active Directory was previewed in 1999, released first with Windows 2000 Server, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services. Active Directory was called NTDS (NT Directory Service) in older Microsoft documents; this name can still be seen in some Active Directory binaries.

There is a common misconception that Active Directory provides software distribution. Software distribution is run by a separate service that uses additional proprietary schema attributes working in conjunction with the LDAP protocol. Active Directory does not automate software distribution, but provides a mechanism by which other services can do so.

Here I take a brief look at Active Directory in Windows 2003 Server. A central component of the Windows platform, the Active Directory service provides the means to manage the identities and relationships that make up network environments. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment.


Active Directory Objects
Active Directory stores information about network objects. An Active Directory object represents a network resource such as a user, group, computer or printer.

ADS Schema
The ADS Schema contains the definitions of all objects, such as computer, user and printer. In Windows 2003 there is only one schema for the entire forest. There are two types of definition in the schema:
1) Object classes
2) Attributes
An object class describes the possible directory objects that can be created; each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined once and can be used in multiple object classes.

Active Directory Service Logical Structure

Domain
A domain is centralized. A domain is a security boundary. A domain is a unit of replication.

Organizational Units (OUs)
An organizational unit is a container object that you use to organize objects within a domain. An organizational unit may contain objects such as users, groups, computers, printers and other organizational units.

Trees and Forests
Tree: A tree is a hierarchical arrangement of Windows 2003 domains. Domains in a tree share a contiguous namespace.
Forest: A forest is one or more trees. Trees in a forest do not share a contiguous namespace, but trees in a forest share a common schema and


Active Directory Services Physical Structure

Domain Controller
A domain controller is a computer running Windows 2003 Server that stores a replica of the directory. Changes made on one DC are replicated to the other DCs in the same domain.

Site
A site consists of one or more IP subnets. Sites are connected by high-speed links. Sites control network traffic (over leased lines) and workstation logon traffic.

In the diagram, Site1 and Site2 share a common DC, so every time someone logs on from Site2 the logon takes longer. The aim, therefore, is to reduce that logon time and traffic.

Installation of ADS
1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click Next. Note: if this is the first time you have installed Active Directory, you can click Active Directory Help to learn more about Active Directory before clicking Next.
3. On the next page of the Active Directory Installation Wizard, click Next.
4. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and then click Next.
6. On the New Domain Name page, in the Full DNS name for new domain box, type corp.contoso.com, and then click Next.
7. On the Database and Log Folders page, accept the defaults in the Database folder box and the Log folder box, and then click Next.
8. On the Shared System Volume page, accept the default in the Folder location box, and then click Next.
9. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server, and then click Next.
10. On the Permissions page, click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next.
11. On the Directory Services Restore Mode Administrator Password page, enter a password in the Restore Mode Password box, retype the password to confirm it in the Confirm password box, and then click Next.
12. On the Summary page, confirm the information is correct, and then click Next.
13. When prompted to restart the computer, click Restart now.
14. After the computer restarts, log on to CONT-CA01 as a member of the Administrators group.


FSMO Roles
There are just five operations where the usual multiple-master model breaks down and the Active Directory task must be carried out on only one domain controller. The FSMO roles are:

PDC Emulator: Most famous for backwards compatibility with NT 4.0 BDCs. However, there are two other jobs of this FSMO role that operate even in Windows 2003 native-mode domains: synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.

Identify the PDC Emulator
1. Open Active Directory Users and Computers.
2. Right-click the domain node, and then click Operations Masters.
3. On the PDC tab, under Operations masters, view the operations master that will serve as the PDC emulator.

Notes:
• Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
• To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
• Every domain has only one PDC emulator master. To identify the PDC emulator in a different domain, target the appropriate domain before clicking Operations Masters.

RID Master: The Relative ID (RID) Master is one of the operations master roles that exist in each domain in a forest. It controls the sequence numbers for the domain controllers within a domain, providing a unique sequence of RIDs to each domain controller in the domain. When a domain controller creates a new object, the object is assigned a unique security ID (SID) consisting of a combination of the domain SID and a RID. The domain SID is a constant ID, whereas the RID is assigned to each object by the domain controller. The domain controller receives its RIDs from the RID Master. When the domain controller has used all the RIDs provided by the RID Master, it asks the RID Master to issue more RIDs for creating additional objects in the domain. When a domain controller exhausts its pool of RIDs and the RID Master is unavailable, no new object can be created in the domain.

Infrastructure Master: The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for an unattended process that "fixes up" stale references, known as phantoms, within the Active Directory database or DIT (Directory Information Table). Phantoms are created on domain controllers (DCs) that require a database cross-reference between an object within their own database and an object from another domain within the forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same forest. Each DC is individually responsible for creating its own phantoms, with the notable exception of Global Catalogs (GCs). Since GCs store a partial copy of all objects within the forest, they are able to create cross-domain references without the need for such phantoms. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g. when the target object is renamed, moved, migrated between domains or deleted.
The IM is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the fix-up process must then be replicated to all remaining DCs within the domain.

Domain Naming Master: Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often, I suggest, so the fact that this is a FSMO role does not impact normal domain activity. My point is that it is worth the price of confining domain join and leave operations to one machine to avoid the tiny risk of duplicate names or orphaned domains.

Schema Master: Handles operations that involve expanding object properties, e.g. the Exchange 2003 forest prep, which adds mailbox properties to users. Rather like the Domain Naming Master, changing the schema is a rare event. However, if you have a team of schema administrators all experimenting with object properties, you would not want a mistake to cripple your forest. So it is a case of Microsoft knowing best: the Schema Master should be a single-master operation and thus a FSMO role.
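The RID Master section describes a SID as the constant domain SID joined to a RID issued by the creating DC. The following Python is an added example, not part of the original project: it splits a string SID into those two parts, encodes and decodes the binary objectSid layout that Active Directory stores, and labels the well-known RIDs that never come from a RID pool. The domain SID values are constructed for the example.

```python
import struct

# Well-known RIDs that are fixed in every domain (a constructed lookup of
# documented values); they are never drawn from a DC's RID pool.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).

    The domain SID is everything before the last sub-authority; the last
    sub-authority is the RID the issuing DC took from its RID pool.
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_bytes(sid):
    """Encode a string SID in the binary objectSid layout AD stores:
    revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) |
    sub-authorities (4 bytes each, little-endian)."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(data):
    """Decode the binary layout back into 'S-1-5-...' string form."""
    revision, count = struct.unpack_from("BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority,
                           "-".join(str(s) for s in subs))


def same_domain(sid_a, sid_b):
    """True when two SIDs carry the same constant domain SID."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


def describe(sid):
    """Label an account by RID. RID 500 is the built-in Administrator even if
    the account has been renamed, which is why reviews key on the RID rather
    than on the display name."""
    domain_sid, rid = split_sid(sid)
    name = WELL_KNOWN_RIDS.get(rid)
    if name:
        return "%s (well-known RID %d in %s)" % (name, rid, domain_sid)
    return "domain-issued RID %d in %s" % (rid, domain_sid)


if __name__ == "__main__":
    # Constructed domain SID; RID 1105 stands in for an ordinary user account.
    sid = "S-1-5-21-1004336348-1177238915-682003330-1105"
    print(describe(sid))
    print(bytes_to_sid(sid_to_bytes(sid)) == sid)
```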

Network Support Services.
TCP/IP
TCP and IP were developed by a Department of Defense (DOD) research project to connect a number of different networks designed by different vendors into a network of networks (the "Internet"). It was initially successful because it delivered a few basic services that everyone needs (file transfer, electronic mail, remote logon) across a very large number of client and server systems. Several computers in a small department can use TCP/IP (along with other protocols) on a single LAN. The IP component provides routing from the department to the enterprise network, then to regional networks, and finally to the global Internet. On the battlefield a communications network will sustain damage, so the DOD designed TCP/IP to be robust and to recover automatically from any node or phone line failure. This design allows the construction of very large networks with less central management. However, because of the automatic recovery, network problems can go undiagnosed and uncorrected for long periods of time. As with all other communications protocols, TCP/IP is composed of layers:

• IP is responsible for moving packets of data from node to node. IP forwards each packet based on a four-byte destination address (the IP number). The Internet authorities assign ranges of numbers to different organizations; the organizations assign groups of their numbers to departments. IP operates on gateway machines that move data from department to organization to region and then around the world.
• TCP is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received.
• Sockets is the name given to the package of subroutines that provide access to TCP/IP on most systems.

The Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols specifically designed to fulfill two goals:
• Allow communication across WAN (wide area network) links
• Allow communication between diverse environments
Understanding the roots of these protocols leads to an understanding of their importance in today's networks.

IP Subnetting
IP addressing is a little more complex than I just described. When a company receives a network address (either from the Internet authorities or from an Internet Service Provider), the company is given a range of possible addresses. There are three main classes of addresses available: A, B, and C.

The ABCs of IP Addresses
Class A addresses begin with a first octet value between 1 and 126. In other words, there are only 126 class A networks available on the entire Internet. (Needless to say, there are no more class A addresses available.) The first octet is the network portion of the IP address, and the last three octets represent the host portion. Each class A network can support over 16 million hosts. Now you can see why only a few of these addresses are needed; not many companies have that number of hosts on their networks.

Finally, class C networks begin with a first octet value between 192 and 223. On a class C network, the first three octets represent the network and the last octet represents the host portion. This means that there are a little over 16 million class C network addresses available, but each can only support a maximum of 254 hosts.

Windows Internet Name Service (WINS)
Let's start our discussion of management tools with the one we'd really like to get rid of: WINS. WINS is used to resolve user-friendly NetBIOS names to their associated IP addresses. While this sounds like a fairly simple process, and a lot like DNS, you'll see that WINS is really yesterday's news.

First, let's talk about NetBEUI. NetBEUI is an old, non-routable communication protocol that was designed quite some time ago to support an Application Programming Interface (API) set named NetBIOS. When Microsoft first entered the network operating system business, they decided to use NetBEUI as their default communication protocol. After all, their first networking product was Windows for Workgroups (WFW), not a really robust or scalable product. WFW was designed for small, departmental-sized environments, in other words environments without multiple IP networks (and their associated routers). Most of Microsoft's first networking endeavors revolved around the use of NetBEUI to support NetBIOS.

NetBIOS was first designed to act as an API so that applications running on different computers could share information or work together. It includes various processes to facilitate this communication. Rather than rewrite a networking process from scratch, Microsoft incorporated NetBIOS into their own networking scheme. For our discussion, there are a few important NetBIOS functions you should know about:

NetBIOS Names: NetBIOS names are the unique, user-friendly names associated with devices in a NetBIOS-based environment. They are 16 bytes in length; the first 15 bytes are assigned during the installation/setup of the hardware, and the last byte represents a service on the device.

NetBIOS Name Registration: NetBIOS devices use (by default) a broadcast technique to ensure that the name being used by the device is unique on the network. Basically, the device sends out a broadcast packet declaring its name. If no negative response is heard (a negative response would mean that some other device is using the name and protests), the device assumes its name is unique and begins using it.

NetBIOS Name Resolution: While NetBIOS uses the user-friendly computer name, the lower-layer communication protocols use other identifiers. When one device wants to communicate with another, it broadcasts the destination's NetBIOS name. The destination device responds with its IP address. At that time, communication can commence.

NetBIOS Name Release: When a device is properly shut down, it broadcasts a packet notifying other devices on the network that it is going offline. This allows them to update any NetBIOS name tables that they might have built.

Dynamic Host Configuration Protocol (DHCP)
"Dynamic Host Configuration Protocol (DHCP) is an IP standard designed to reduce the complexity of administering IP address configurations." (Microsoft's definition.) A DHCP server would be set up with the appropriate settings for a given network. Such settings would include a set of fundamental parameters such as the gateway, DNS, subnet masks, and a range of IP addresses. Using DHCP on a network means administrators don't need to configure these settings individually for each client on the network; the DHCP server distributes them to the clients automatically.

The DHCP server assigns a client an IP address taken from a predefined scope for a given amount of time. If an IP address is required for longer than the lease has been set for, the client must request an extension before the lease expires. If the client has not requested an extension on the lease time, the IP address will be considered free and can be assigned to another client. If the user wishes to change IP address, they can do so by typing "ipconfig /release", followed by "ipconfig /renew", at the command prompt. This will remove the current IP address and request a new one. Reservations can be defined on the DHCP server to allow certain clients to have their own IP address (this will be discussed a little later on). Addresses can be reserved for a MAC address or a host name so these clients will have a fixed IP address that is configured automatically. Most Internet Service Providers use DHCP to assign new IP addresses to client computers when a customer connects to the Internet; this simplifies things at the user level.

The above diagram displays a simple structure consisting of a DHCP server and a number of client computers on a network. The DHCP server itself contains an IP address database which holds all the IP addresses available for distribution. If the client (a member of the network with a Windows 2000 Professional/XP operating system, for example) has "Obtain an IP address automatically" enabled in its TCP/IP settings, then it is able to receive an IP address from the DHCP server.

Setting up a DHCP server
This will serve as a step-by-step guide on how to set up a DHCP server. Installing the DHCP server is made quite easy in Windows 2003. By using the "Manage your server" wizard, you are able to enter the details you require and have the wizard set the basics for you. Open the "Manage your server" wizard, select the DHCP server option from the list of server roles and press Next. You will be asked to enter the name and description of your scope.

Scope: A scope is a collection of IP addresses for computers on a subnet that use DHCP.

The next window will ask you to define the range of addresses that the scope will distribute across the network and the subnet mask for the IP address. Enter the appropriate details and click next.

You are shown a window in which you must add any exclusions to the range of IP addresses you specified in the previous window. If, for example, the IP address 10.0.0.150 is that of the company router, then you won't want the DHCP server to be able to distribute that address as well. In this example I have excluded a range of IP addresses, 10.0.0.100 to 10.0.0.110, and a single address, 10.0.0.150. In this case, eleven IPs will be reserved and not distributed amongst the network clients.

It is now time to set the lease duration, i.e. how long a client can use an IP address assigned to it from this scope. It is recommended to use longer leases for a fixed network (in the office, for example) and shorter leases for remote connections or laptop computers. In this example I have set a lease duration of twelve hours, since the network clients would be fixed desktop computers in a local office and the usual working time is eight hours.
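The scope walkthrough above (an address range, the exclusions 10.0.0.100 to 10.0.0.110 and 10.0.0.150, and a twelve-hour lease) and the classful addressing from the IP Subnetting section, modelled as an added Python example that is not part of the original project. It goes slightly beyond the text by adding class B, which the section omits, and by including the reservation for the "Andrew" client at 10.0.0.115 that appears later; the MAC addresses are constructed and time is integer seconds so the lease logic stays deterministic.

```python
import ipaddress


def ip_class(address):
    """Classful category of an IPv4 address from its first octet, with the
    prefix length that class implies (class B added to the text's A and C)."""
    first = int(address.split(".")[0])
    if 1 <= first <= 126:
        return "A", 8
    if 128 <= first <= 191:
        return "B", 16
    if 192 <= first <= 223:
        return "C", 24
    return "other", None


class DhcpScope:
    """A single DHCP scope: address range, exclusions, reservations, leases."""

    def __init__(self, name, start, end, lease_hours):
        self.name = name
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        self.lease_seconds = lease_hours * 3600
        self.exclusions = set()
        self.reservations = {}  # mac -> address
        self.leases = {}        # address -> (mac, expiry in seconds)

    def exclude(self, start, end=None):
        """Exclude a range; giving only a start excludes that single address,
        as the MMC 'new exclusion range' dialog does."""
        cur = ipaddress.ip_address(start)
        last = ipaddress.ip_address(end) if end else cur
        while cur <= last:
            self.exclusions.add(cur)
            cur += 1

    def reserve(self, mac, address):
        """Tie an address to a MAC so that client always receives the same IP."""
        self.reservations[mac.lower()] = ipaddress.ip_address(address)

    def distributable(self):
        """Addresses eligible for dynamic assignment: the range minus
        exclusions and reserved addresses."""
        reserved = set(self.reservations.values())
        pool = []
        cur = self.start
        while cur <= self.end:
            if cur not in self.exclusions and cur not in reserved:
                pool.append(cur)
            cur += 1
        return pool

    def _expire(self, now):
        # A lease not renewed before expiry is considered free again.
        for addr, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[addr]

    def offer(self, mac, now):
        """Address offered to `mac` at time `now`, or None if the pool is
        exhausted. A reservation wins; an unexpired lease for this MAC is
        renewed; otherwise the lowest free address is leased."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.reservations:
            return str(self.reservations[mac])
        for addr, (owner, _) in self.leases.items():
            if owner == mac:
                self.leases[addr] = (mac, now + self.lease_seconds)
                return str(addr)
        for addr in self.distributable():
            if addr not in self.leases:
                self.leases[addr] = (mac, now + self.lease_seconds)
                return str(addr)
        return None


def build_example_scope():
    """The walkthrough's scope: 10.0.0.1-10.0.0.254, exclusions 10.0.0.100-110
    and 10.0.0.150, a 12-hour lease, and a reservation for 'Andrew' at
    10.0.0.115 (MAC address constructed for this example)."""
    scope = DhcpScope("Office", "10.0.0.1", "10.0.0.254", lease_hours=12)
    scope.exclude("10.0.0.100", "10.0.0.110")
    scope.exclude("10.0.0.150")
    scope.reserve("00:0c:29:aa:bb:cc", "10.0.0.115")
    return scope


if __name__ == "__main__":
    s = build_example_scope()
    print(ip_class("10.0.0.1"), len(s.distributable()))
    print(s.offer("00:0c:29:aa:bb:cc", 0), s.offer("00:50:56:01:02:03", 0))
```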


You are given a choice of whether or not you wish to configure the DHCP options for the scope now or later. If you choose Yes then the upcoming screenshots will be of use to you. Choosing No will allow you to configure these options at a later stage.


The router, or gateway, IP address may be entered in next. The client computers will then know which router to use.

In the following window, the DNS and domain name settings can be entered. The DNS server IP address will be distributed by the DHCP server and given to the client.


If you have WINS set up, then here is where to enter the IP address of the WINS server. You can simply input the server name into the appropriate box and press "Resolve" to let the wizard find the IP address itself.

The last step is to activate the scope - just press next when you see the window below. The DHCP server will not work unless you do this.


The DHCP server has now been installed with the basic settings in place. The next stage is to configure it to the needs of your network structure.

Configuring a DHCP server
Hereunder is a simple explanation of how to configure a DHCP server. The address pool displays a list of IP ranges assigned for distribution and IP address exclusions. You are able to add an exclusion by right-clicking the Address Pool text on the left-hand side of the MMC window and selecting "New Exclusion Range". This will bring up a window (as seen below) which will allow you to enter an address range to be added. Entering only the start IP will add a single IP address.

DHCP servers permit you to reserve an IP address for a client. This means that the specific network client will have the same IP for as long as you want it to. To do this you will have to know the physical (MAC) address of each network card. Enter the reservation name, desired IP address, MAC address and description, choose whether you want to support DHCP or BOOTP, and press Add. The new reservation will be added to the list. As an example, I have reserved an IP address (10.0.0.115) for a client computer called Andrew.


If you right-click Scope Options and press "Configure Options" you will be taken to a window in which you can configure more servers and their parameters. These settings will be distributed by the DHCP server along with the IP address. Server options act as a default for all the scopes in the DHCP server; however, scope options take precedence over server options. In my opinion, the DHCP server in Windows 2003 is excellent! It has been improved from the Windows 2000 version and is classified as essential for large networks. Imagine having to configure each and every client manually: it would take up a lot of time and require far more troubleshooting if a problem were to arise. Before touching any settings related to DHCP, it is best to make a plan of your network and think about the range of IPs to use for the computers.

Domain Name System (DNS)
DNS is the directory used by traditional TCP/IP environments (like the Internet) to resolve user-friendly names into IP addresses. DNS is a group of name servers linked together to create a single namespace.

Installing DNS
Please make sure that all of the Windows updates are done and the latest drivers and ROM packs have been loaded on the server and applied to the hardware. This is essential, as you do not want to be applying these changes at a later stage when the machine goes into production; skipping this step will cause unnecessary downtime in future. Please make sure that a static IP address is assigned to the server before beginning the installation process. After the entire preamble we are now ready to start installing DNS on our newly configured and prepared server. Ensure that Windows Server 2003 Std is installed and that a static IP address has been assigned. Figure 1.1 depicts how DNS should be configured under the advanced TCP/IP settings. In the DNS settings you must point the server to itself for DNS resolution. If external Internet names need to be resolved you can configure a forwarder so that the requests are sent to the DNS server of the ISP or an external DNS server. Selecting a DNS server that is consistently up is paramount, as external name resolution rests on this resource.

Figure 1.1

Install Microsoft DNS Server
Click Start, Control Panel, Add or Remove Programs, and then Add or Remove Windows Components. In the Components list, click Networking Services and then click Details, select the Domain Name System (DNS) check box, and then click OK. Follow figure 1.2 below for guidance.


Figure 1.2

After installing DNS you will need to test whether the installation was successful and whether you are able to resolve names. Nslookup is a built-in utility that can be used to test whether the service has been installed and configured correctly. Remember to test both internal and external names before concluding your tests. After you type nslookup, it connects to the DNS server configured in your TCP/IP properties or, if you run the command from a client, to the DNS server handed out by DHCP. You will then be able to type in the name you want to look up, e.g. www.google.com or machine.localdomain.net, and it will resolve the name to an IP address. If this happens, you have installed and configured DNS correctly.


Combining DNS and DHCP
While the dynamic registration of host records in the DNS database sounds like a great idea, a few potential problems come to mind. First, how do I, as an administrator, ensure that all of my machines (including my non-Windows 2000/Windows Server 2003 clients) get registered? And second, how do I ensure that the proper information is included (such as the correct domain name)? The secret is to use DHCP. The version of DHCP included in Windows 2000/Windows Server 2003 has the ability to register DNS records on behalf of its clients as they are given their TCP/IP configuration.

Once the client has accepted an IP address from the DHCP server, the DHCP server then registers a DNS record on behalf of the client (step number 2 in Figure 7.27). This system allows for the creation of host records for those clients that are unable to register themselves, such as Windows 95, 98, etc. In other words, your legacy clients can be included in the dynamic registration process. Why is this important, you might ask? Well, remember our goal here. The goal is to remove dependence upon NetBIOS functions. As long as the only method of resolving those older clients is NetBIOS-based (either through broadcasts or a WINS server), we are stuck with NetBIOS traffic on our networks. For now, though, you'll probably end up with both as you begin the switch to an Active Directory environment.


Benefits of ADS
Active Directory is a state-wide authentication directory that supports enterprise systems, provides contact information and scheduling integration, and provides mechanisms for centralized desktop management. There are multiple Active Directory (AD) environments in use across the University of Tennessee campuses and institutes. The purpose of the Active Directory Project is to migrate all of these environments into a single AD forest, which will provide the following benefits:
• Single user name and password (NetID)
• Password synched between AD and LDAP Directory Services
• Reduce overhead through standardization
• Improve services through centralized management capabilities
• Provide foundation for the following AD-related services:
  ○ Exchange
  ○ SharePoint
• Improve workstation security
• Central storage provided for individuals and departments
• Backup and restoration services for central storage
• Server storage space for user documents
• Backed-up data on Home and Departmental drives
• Lower departmental cost because infrastructure is managed and maintained by OIT

