ACTIVE DIRECTORY SERVICES

Published on December 2016

Modules :
1. Introduction to Active Directory in Windows 2003 Server.
2. Implementing DNS to support ADS.
3. Creating a Windows 2003 Server as domain.
4. Setting up and administering users and groups.
5. Publishing resources in ADS.
6. Delegating administrative control.
7. Implementing Group Policy.
8. Use group policy to manage environment.
9. Use group policy to manage Software.
10. Creating and managing Trees and Forest.
11. Managing Active Directory Replication.
12. Managing Operation Master Roles.
13. Maintaining Active Directory Services.


MODULE 1 : INTRODUCTION TO ACTIVE DIRECTORY SERVICES
 Workgroup
A workgroup is decentralized. It is used for 5-10 machines in a small network. There is no domain controller; every PC works individually.
[Diagram: workgroup of Win2000 Professional, Win98, XP and Win2003 Server machines, all peers]

 NT 4.0 Domain Standard
[Diagram: one NT Server PDC replicating to NT Server BDCs; clients are Win98, NT workstation and 95/DOS machines; a stand-alone NT Server also acts as a client]


PDC (Primary Domain Controller) : There can be only one Primary Domain Controller.

BDC (Backup Domain Controller) : A Backup Domain Controller is a backup of the Primary Domain Controller. It can be converted to a Primary Domain Controller.

Stand-alone : Stand-alone machines are clients. If the machine is an NT server and you want it as a client, then during installation of NT server we select stand-alone. An NT client cannot be converted into a Domain Controller; we have to re-install NT server again. In NT 4.0 server 40,000 accounts can be made (ie user/group/computer) in one Domain Controller. At a time 4,000 users can log on to an NT server. So we use a Backup Domain Controller: with each BDC another 40,000 accounts are added.

 What is Active Directory?
ADS is the directory service in a win 2003 network. A directory service is a network service that stores information about network resources and makes that information available for use. It organizes, manages and controls resources. ADS provides centralized management, ie a single point of administration, and full user access to directory resources with a single log-on.

 Active Directory Objects
Active Directory stores information about network objects. An Active Directory object represents a network resource such as a user, group, computer or printer.

 ADS Schema
The ADS Schema contains the definition of all objects such as computer, user and printer. In win 2003 there is only one schema for the entire forest. There are 2 types of definition in the schema:
1) Object class
2) Attributes
An object class describes the possible directory objects that can be created; each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined once and can be used in multiple object classes.


Note:- An example of an object class is user, and the attributes are the details of the user.

SCHEMA
Object classes : User, Group, Printer, Shared folder, OU
Attributes : First name, Last name, Full name, Display name, Description, Email id, Group name, Printer name

Note: A few attributes are used by all object classes, like description, and a few attributes are used by a specific object only, like first name and full name, which are used by users.

 LDAP (Lightweight Directory Access Protocol)
LDAP provides a way to communicate with ADS by specifying a unique name and path for each object in the directory. Example for the domain MCSE.com:

Sales OU, User 1 : CN = user 1, OU = sales, DC = MCSE, DC = com.
Note:- MCSE.com is divided into 2 domain components, MCSE and com.
CN = Common Name
OU = Organizational Unit
DC = Domain Component
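Parsing the distinguished name above in code, as an added example for these notes (not from the original course material): the parser splits the DN into its RDNs, honours the backslash LDAP uses to escape a comma inside a value, and derives the DNS domain name and the canonical MCSE.com/sales/user 1 path. The escaped name "Gates\, Bill" is a constructed sample.

```python
r"""Parse an LDAP distinguished name (DN) like the one in the notes and
derive the DNS domain and the canonical path from it.

Added example for these notes, not part of the original course material.
A comma inside a value is escaped with a backslash (RFC 4514), e.g. the
constructed sample  CN=Gates\, Bill,OU=sales,DC=MCSE,DC=com
"""

KNOWN_RDN_TYPES = {"CN", "OU", "DC", "O", "C", "L", "ST"}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character: keep it literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return a list of (type, value) tuples, most specific RDN first.
    Raises ValueError for an RDN without '=', an empty value or an unknown type."""
    rdns = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        typ, val = rdn.split("=", 1)
        typ, val = typ.strip().upper(), val.strip()
        if typ not in KNOWN_RDN_TYPES:
            raise ValueError("unknown RDN type %r" % typ)
        if not val:
            raise ValueError("empty value in RDN %r" % rdn)
        rdns.append((typ, val))
    return rdns


def is_valid_dn(dn):
    """True when parse_dn accepts the DN, False otherwise."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def dns_domain(rdns):
    """Join the DC components in order: DC=MCSE,DC=com -> MCSE.com."""
    dcs = [v for t, v in rdns if t == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components")
    return ".".join(dcs)


def canonical_path(rdns):
    """Canonical name as AD tools show it: MCSE.com/sales/user 1."""
    containers = [v for t, v in rdns if t != "DC"]
    return "/".join([dns_domain(rdns)] + list(reversed(containers)))


def describe(dn):
    """Expand each RDN type to the full name used in the notes."""
    names = {"CN": "Common Name", "OU": "Organizational Unit", "DC": "Domain Component"}
    return [(names.get(t, t), v) for t, v in parse_dn(dn)]
```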


 Active Directory Service Logical Structure
 Domain
[Diagram: domain Cisco.com with a master DC, an additional DC and a member server (win 2000/03 server) running ADS, and XP and 2000 clients]

A Domain is centralized. A domain is security boundary. A domain is a unit of replication.

 Organizational Units (OUs)
An organizational unit is a container object that you use to organize objects within a domain. An organizational unit may contain objects such as users, groups, computers, printers and other organizational units.

[Diagram: domain MCSE containing the OUs Sales, HR and Mkt]

 Trees and Forest
Tree:- A Tree is a hierarchical arrangement of win 2003 domains. Domains in a tree share a contiguous name space.
Forest:- A Forest is one or more trees. Trees in a forest do not share a contiguous name space, but trees in a forest share a common Schema and Global Catalogue. Domains in a 2003 forest have a two-way transitive trust relationship.

[Diagram: forest rooted at MCSE.com (its DC holds the Schema and Global Catalog) with child domains HR.MCSE.com and Sales.MCSE.com, each with its own DC, joined by two-way transitive trusts; MCP.com is a new tree joined to the forest, with Admin.MCP.com as its child domain]

MCSE.com is the Master DC. It is the forest root, as it is the 1st tree under it. We have HR and Sales, which are child domains of MCSE.com and not a new tree. MCP.com is a new tree joined to the forest MCSE.com, under which Admin is a child domain of MCP.com. The forest for it is MCSE.com. If you change MCSE.com, changes have to be made everywhere. Users under each domain or child domain are stored within that domain. The Schema / Global catalog solve the queries of the domains and users (it is the master DC).

 Global Catalogs
A global catalogue is a repository of information that contains a subset of the attributes of all objects in the Active Directory. The global catalog performs important functions like:
1) Finding ADS information in the entire forest.
2) Using universal group membership to log on to the network.
The root domain has the Global catalog. When any information request is sent to the Global catalogue, the Global catalog will send that request everywhere. After receiving the response, it will send that information back to the domain from where the request had been sent. The first time it will search for the information; from the next time onwards it will not search if the information is already there, otherwise it will search.


 Active Directory Services Physical Structure
 Domain controller
[Diagram: a DC and an Additional DC replicating with each other]

A Domain controller is a computer running win 2003 server that stores a replica of the directory. Changes made on one DC are replicated to the other DCs in the same Domain.

 Site
A site consists of IP sub-nets. Sites are connected by high speed links. Sites control network traffic (on the lease line) and workstation log-on traffic.

[Diagram: Site 1 and Site 2, each with a DC and client machines, connected by a lease line]

Site 1 and site 2 share a common DC, so every time someone logs in from site 2 it takes time to log in. So to reduce time and traffic.

MODULE 2 : IMPLEMENTING DNS TO SUPPORT ADS
 Role of DNS
1) DNS translates computer names to IP addresses. Computers use DNS to locate each other on the network.
2) Win 2003 uses the DNS naming standard for Domain names.
3) DNS domains and ADS domains share a common naming structure.

 DNS and ADS name space

[Diagram: the DNS tree Microsoft > Sales / Training > Comp1 beside the ADS tree Microsoft.com > child domains Sales.Microsoft.com / Training.Microsoft.com > Comp1]

FQDN = Fully Qualified Domain Name, eg Comp1.Training.Microsoft.com. It is the same for DNS and ADS. The DNS host record and the ADS object represent the same physical computer.

 Service Records (SRV)
SRV Records allow computers to locate the DC. Win 2003 uses SRV records to locate:
1) A DC in a domain or forest
2) A DC in the same site as the client computer
3) A DC configured as a global catalogue server


[Diagram: a DNS zone holding host records (name to IP) for DC1, DC2, MailSrv, WebSrv, Comp1 and Comp2, plus a separate SRV record folder listing only the servers: DC - Ldap, DC - Ldap, Web - HTTP, Mail - MX]

Note: SRV Records are special records made to store the information of the server computers only. We add the computer name and IP address again in a different folder, but this time with more details like protocol, DC, etc. SRV Records are created so that it is easy for the DNS to provide the IP of the server faster, without checking all the other records where the clients also are.

 Creating SRV Records
In the DNS server, right click -> Other New Records -> select the service (SRV) record type -> Create a new record. The new record is created in the folder where all SRV records are stored, in DNS.
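The DC locator behaviour described above, worked through as an added example for these notes (not from the original material): it builds the SRV owner names a DC registers (_ldap._tcp.dc._msdcs.<domain>, the per-site _sites names and _gc._tcp.<forest>), tries the client's own site first and the domain-wide record second, and lists which expected records are missing from a zone. The zone, the dc1/dc2 hosts and the Mumbai site are constructed sample data.

```python
"""Simulate how a client uses the DNS SRV records the notes describe to find
a domain controller: its own site's records first, the domain-wide records as
fallback, and the _gc records for a global catalog server.

Added example for these notes, not original course material. ZONE is a
constructed sample, not a real DNS zone; hostnames and the site are made up.
"""
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample zone for the MCSE.com domain used throughout the notes.
ZONE = {
    "_ldap._tcp.dc._msdcs.MCSE.com": [SRV(0, 100, 389, "dc1.MCSE.com"),
                                      SRV(0, 100, 389, "dc2.MCSE.com")],
    "_ldap._tcp.Mumbai._sites.dc._msdcs.MCSE.com": [SRV(0, 100, 389, "dc2.MCSE.com")],
    "_kerberos._tcp.dc._msdcs.MCSE.com": [SRV(0, 100, 88, "dc1.MCSE.com"),
                                          SRV(10, 100, 88, "dc2.MCSE.com")],
    "_gc._tcp.MCSE.com": [SRV(0, 100, 3268, "dc1.MCSE.com")],
}


def srv_name(service, domain, site=None, msdcs=True):
    """Build an SRV owner name, e.g. _ldap._tcp.Mumbai._sites.dc._msdcs.MCSE.com."""
    parts = ["_" + service, "_tcp"]
    if site:
        parts += [site, "_sites"]
    if msdcs:
        parts += ["dc", "_msdcs"]
    parts.append(domain)
    return ".".join(parts)


def choose_target(records):
    """Pick one record per RFC 2782: lowest priority, then highest weight.
    A real client picks randomly among equal priorities in proportion to weight;
    here the choice is deterministic (first listed wins a tie) so it is testable."""
    if not records:
        return None
    best = sorted(records, key=lambda r: (r.priority, -r.weight))[0]
    return best.target, best.port


def locate_dc(zone, domain, site=None, service="ldap"):
    """Site-specific record first, domain-wide record as fallback.
    Returns (target, port, record name used) or None if no DC is registered."""
    names = []
    if site:
        names.append(srv_name(service, domain, site=site))
    names.append(srv_name(service, domain))
    for name in names:
        chosen = choose_target(zone.get(name, []))
        if chosen:
            return chosen[0], chosen[1], name
    return None


def locate_gc(zone, forest):
    """Global catalog server lookup on _gc._tcp.<forest> (LDAP port 3268)."""
    return choose_target(zone.get(srv_name("gc", forest, msdcs=False), []))


def expected_dc_records(domain, site):
    """Names a DC for `domain` in `site` should have registered (the subset the
    notes mention under 'Verify DNS Srv records': _msdcs, _tcp and _sites)."""
    return {srv_name("ldap", domain), srv_name("ldap", domain, site=site),
            srv_name("kerberos", domain), srv_name("kerberos", domain, site=site)}


def missing_records(zone, domain, site):
    """Sorted list of expected SRV names absent from the zone (empty = all present)."""
    return sorted(n for n in expected_dc_records(domain, site) if n not in zone)
```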


MODULE 3 : CREATING A WIN 2003 DOMAIN
Domains are the core administrative units. The 1st domain created is the root domain for the entire forest. Use DCPROMO to create and remove domains and domain controllers.

 Preparing ADS Installation (Requirements)
1) Win 2003 srv (except Web edition)
2) TCP/IP (static IP address)
3) DNS installed and configured
4) 300 MB disk space for the ADS database and 50 MB for log files
5) NTFS volume
6) Administrative Rights

 Verifying ADS Installation
 Verify DNS Srv records
DNS zone
  - _msdcs
  - _tcp
  - _udp
  - _sites
  - domain DNS name
  - forest DNS name
Use the Nslookup cmd to query the registered Srv records. Give the cmd Nslookup (you get a reply), then: ls -t srv <domain name>. The domain name will be the same name given during installation of DNS, eg MCSE. If the records are listed, DNS is properly installed.

 Verify SYSVOL Folder
\windows\Sysvol
  - domain
  - staging
  - staging areas
  - sysvol

 Verify NTDS Folder
\windows\NTDS
  - ntds.dit
  - edb*.log
  - edb.chk
  - res*.log


The Ntds.dit file is where all the user information is stored. It is an important file.

 Verify Shared Folders
- Netlogon
- Sysvol
These 2 folders are shared by default after installing ADS. PATH:- Computer Management - shared folders - shares. In DNS you get the option Active Directory Integrated Zone after installing ADS.

 Default Password Policy
Once a PC is made a DC by installing ADS, password policies get enabled. We have to disable them from 2 places on the DC:
1st: Programs - administrative tools - AD users and computers - right click MCSE.com - properties - group policy - select and edit - computer configuration - windows settings - security settings - account policies - password policy - change each password policy to not defined.
2nd: Run - gpedit.msc - computer configuration - windows settings - security settings - account policies - password policy - not defined.

 Log in a normal user on the Domain
Once ADS is installed, no one can log in on the DC except the administrator, by the Default Domain Policy. Therefore, for others to log on to the DC, changes have to be made in 2 places:
1st: On the DC - administrative tools - AD users and computers - right click MCSE.com - properties - group policy - default domain policy - edit - computer configuration - windows settings - security settings - local policies - user rights assignment - log on locally - add user or group - advanced - find now - select administrators, everyone - ok.
2nd: Administrative tools - domain controller security policy - local policies - user rights assignment - allow log on locally - add everyone - apply - ok.

 Domain Mode in win 2003
 Mixed Mode
[Diagram: a Win2000 Server DC running ADS alongside NT 4.0 BDCs; clients include NT, 2000srv, XP, win98 and 2000prof]

 Native mode
[Diagram: a Win2000 Server DC running ADS with Additional DCs only, no NT 4.0 BDCs; clients include NT, 2000srv, XP, win98 and 2000prof]

 Functional level in win 2003
 Win 2000 Mixed
[Diagram: a Win2003 Server DC running ADS with Additional DCs and NT 4.0 BDCs; clients include NT, 2003srv, XP, win98 and 2000prof]

 Win 2000 Native
[Diagram: a Win2003 Server DC running ADS with Additional DCs and 2000srv/2003srv member servers, no NT 4.0 BDCs; clients include NT, XP, win98 and 2000prof]

 Win 2003 SRV
[Diagram: a Win2003 Server DC running ADS with Additional DCs and 2003srv member servers only; clients include NT, XP, win98 and 2000prof]

Once you raise the functional level from a lower to a higher level, you cannot revert the higher functional level to a lower one. Raise order: 1 win 2000 mixed -> 2 win 2000 native -> 3 win 2003 srv.

Use Active Directory Domains and Trusts to view and raise the functional level. The default functional level in win 2003 is win 2000 Mixed (level 1).

 Active Dir Users and Computers
It is the most important tool for managing users and groups on the domain. This tool contains the following options by default:
1) Built in : It is a container. It contains the default built-in security groups.
2) Computers : It is a container. It is the default location for the computer accounts of the domain (ie the client computers are added here by default).
3) Domain Controllers : It is an OU. It is the default location of the domain controller computer accounts.
4) Foreign Security Principals : It is a container. It stores the SIDs (security identifiers) of external trusted domains.
5) Users : It is a container. It is the default location of user accounts.

[Diagram: MCSE.com with the 5 default folders Built in, Computers, Domain Controllers, Foreign Security Principals and Users]

Note:- You can assign group policies only to OUs and not to containers. You can create OUs but not containers.


MODULE 4 : SETTING UP AND ADMINISTERING USERS AND GROUPS
 Introduction
- Create a user account for each person who regularly uses the network.
- Create multiple user accounts in a single batch process.
- Group user accounts to manage user access to shared resources.
- Nest groups within other groups to reduce administration.

 User Logon Name
1. User Principal Name, eg Abc@mcse.com (prefix @ suffix)

The suffix defaults to the name of the root domain, but it can be changed and others can be added. Additional suffixes are created from Active Directory Domains and Trusts. The 1st name is the user principal name.
2. User logon name (pre-Windows 2000). It is mainly used for pre win 2000 computers; a user selects the domain when logging on from a pre 2000 computer.

 Creating Multiple user accounts in a single batch process

[Diagram: a text file holding the user info is imported into ADS]

For each object the file:
1) Must include the path to the user account's OU, the object type and the user logon name.
2) Should include the user principal name and whether the user account is enabled or disabled.
3) Can include personal user information, eg telephone no, email id, dept....
4) Cannot include the passwords of users.


Format of the text file for multiple users in a single batch process (CSVDE file - Comma Separated Value Directory Exchange): the 1st line is the syntax (heading); from the 2nd line on, each line holds one user's information.

Heading line: DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
2nd line: "CN=user1,OU=sales,DC=MCSE,DC=COM",User,user1,user1@mcse.com,bill gates,512
512 - enabled user
514 - disabled user
Cmd to transfer this text file to ADS (run from the drive where the file is created):
E:\> CSVDE -i -f new.text
-i = import, -f = file name
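Producing and checking such a file in code, as an added example for these notes (not from the original material): the builder quotes the DN because it contains commas, derives the UPN from the logon name and domain, and sets userAccountControl to 512 or 514; the checker rejects a file with a password column (which CSVDE cannot import) or a wrong control value before it is handed to csvde. The user records and the sales OU are constructed sample data.

```python
"""Build and validate a CSVDE import file in the layout the notes describe.

Added example for these notes, not original course material. The user list
and the OU are constructed sample data.
"""
import csv
import io

HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
          "displayName", "userAccountControl"]
UAC_ENABLED, UAC_DISABLED = 512, 514        # values given in the notes


def user_dn(sam, ou, domain):
    """CN=user1,OU=sales,DC=MCSE,DC=com for sam='user1', ou='sales', domain='MCSE.com'."""
    dcs = ",".join("DC=" + label for label in domain.split("."))
    return "CN=%s,OU=%s,%s" % (sam, ou, dcs)


def build_csvde(users, ou, domain):
    """users: dicts with keys sam, display, enabled. Returns the file text.
    csv quotes the DN automatically because it contains commas."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for u in users:
        writer.writerow([user_dn(u["sam"], ou, domain), "user", u["sam"],
                         "%s@%s" % (u["sam"], domain.lower()), u["display"],
                         UAC_ENABLED if u["enabled"] else UAC_DISABLED])
    return out.getvalue()


def check_csvde(text):
    """Validate a CSVDE file before import; returns a list of problems (empty = ok)."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["empty file"]
    header = [h.lower() for h in rows[0]]
    problems = []
    for required in ("dn", "objectclass", "samaccountname"):
        if required not in header:
            problems.append("header lacks %s" % required)
    for banned in ("userpassword", "unicodepwd"):
        if banned in header:              # passwords cannot be imported this way
            problems.append("password column %s is not importable" % banned)
    if problems:
        return problems
    dn_i = header.index("dn")
    uac_i = header.index("useraccountcontrol") if "useraccountcontrol" in header else None
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append("line %d: %d fields, expected %d" % (n, len(row), len(header)))
            continue
        if not row[dn_i].upper().startswith("CN="):
            problems.append("line %d: DN does not start with CN=" % n)
        if uac_i is not None and row[uac_i] not in (str(UAC_ENABLED), str(UAC_DISABLED)):
            problems.append("line %d: userAccountControl %r is neither 512 nor 514"
                            % (n, row[uac_i]))
    return problems


# Constructed sample users for the sales OU of the notes' MCSE.com domain.
SAMPLE_USERS = [
    {"sam": "user1", "display": "bill gates", "enabled": True},
    {"sam": "user2", "display": "sample user two", "enabled": False},
]
```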

 Using LDIFDE
DN = distinguished name
objectClass = it is a user or a group
sAMAccountName = logon name
userPrincipalName = user principal name (eg user1@mcse.com)
displayName = full name
userAccountControl = enable or disable user

 Managing Administrative Tasks
(Active Directory Users and Computers)
- Creating user accounts
- Resetting user passwords
- Enabling / disabling user accounts
- Unlocking user accounts
- Renaming user accounts
- Moving users between OUs
- Deleting user accounts
2 new options introduced in win 2003:
- Drag and drop users and objects between different organizational units
- Editing the common properties of multiple users at once

 Introduction to Groups in Active Directory

A group is a collection of users. Groups simplify assigning permissions to resources. Users can be members of multiple groups. Groups can be nested inside other groups. There are 3 types of groups in a domain:

1. Global Group
Membership
- Mixed mode: user accounts from the same domain
- Native mode: user accounts and global groups from the same domain
Can be a member of
- Mixed mode: domain local groups (anywhere there is a local group, this group can go under it)
- Native mode: universal and domain local groups in any domain, and global groups in the same domain
Scope: visible in its own domain and all trusted domains
Permissions: all domains in the forest

2. Domain Local Group
Membership
- Mixed mode: user accounts and global groups from any domain
- Native mode: user accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain
Can be a member of
- Mixed mode: not a member of any group
- Native mode: domain local groups of the same domain
Scope: only visible in its own domain
Permissions: the domain in which the domain local group exists (ie only the same domain's members can see it)

3. Universal Group
Membership
- Mixed mode: not applicable (ie there is no universal group)
- Native mode: user accounts, global groups and other universal groups from any domain in the forest
Can be a member of
- Mixed mode: not applicable
- Native mode: domain local and universal groups in any domain
Scope: visible in all domains in the forest
Permissions: all domains in the forest

[Diagram: the global groups Sales, Marketing and HR (HR holds the user Hr5) are members of a domain local group, which holds the permission]

Local Group: By giving the permission to the local group we indirectly give the permission to the Sales and HR users also.

After adding the HR group, the user Hr5 can still be denied individually.

Rules
1. Add domain user accounts to a global group.
2. Add the global group to the domain local group.
3. Assign resource permissions to the domain local group.
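The membership rules and the three nesting rules above, checked in code as an added example for these notes (not from the original material): can_add() applies the mixed/native membership table to a proposed nesting, and check_agdlp() flags designs that grant permissions to anything other than a domain local group or put users straight into one. The groups, users and the HR.MCSE.com child domain are constructed sample data.

```python
"""Check group nesting against the membership rules in the notes (mixed vs
native mode) and against the AGDLP rule: Accounts into Global groups, Global
groups into Domain Local groups, Permissions on the Domain Local group.

Added example for these notes, not original course material. The principals
below are constructed sample data.
"""
from collections import namedtuple

# kind is one of: user, global, local (domain local), universal
Principal = namedtuple("Principal", "name kind domain")

# Per (group kind, mode): allowed member kinds -> True if the member must be
# from the same domain as the group. Taken from the membership table in the notes.
RULES = {
    ("global", "mixed"):     {"user": True},
    ("global", "native"):    {"user": True, "global": True},
    ("local", "mixed"):      {"user": False, "global": False},
    ("local", "native"):     {"user": False, "global": False, "universal": False,
                              "local": True},
    ("universal", "native"): {"user": False, "global": False, "universal": False},
    # ("universal", "mixed") is deliberately absent: no universal groups in mixed mode
}


def can_add(member, group, mode):
    """Return (ok, reason) for adding `member` to `group` in the given domain mode."""
    allowed = RULES.get((group.kind, mode))
    if allowed is None:
        return False, "%s groups do not exist in %s mode" % (group.kind, mode)
    if member.kind not in allowed:
        return False, "a %s cannot be a member of a %s group in %s mode" % (
            member.kind, group.kind, mode)
    if allowed[member.kind] and member.domain != group.domain:
        return False, "%s must be from the same domain as %s" % (member.name, group.name)
    return True, "ok"


def check_agdlp(memberships, permission_holder):
    """memberships: list of (member, group) pairs; permission_holder: the group
    given the resource permission. Returns a list of violations (empty = AGDLP)."""
    problems = []
    if permission_holder.kind != "local":
        problems.append("permissions should go to a domain local group, not %s"
                        % permission_holder.name)
    for member, group in memberships:
        if member.kind == "user" and group.kind == "local":
            problems.append("user %s added directly to domain local group %s"
                            % (member.name, group.name))
    return problems


# Constructed sample: root domain MCSE.com and child domain HR.MCSE.com.
U1 = Principal("s1", "user", "MCSE.com")
H1 = Principal("h1", "user", "HR.MCSE.com")
SALES_GLOBAL = Principal("SalesUsers", "global", "MCSE.com")
HR_GLOBAL = Principal("HRUsers", "global", "HR.MCSE.com")
DATA_LOCAL = Principal("DataReaders", "local", "MCSE.com")
ALL_STAFF = Principal("AllStaff", "universal", "MCSE.com")
```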


MODULE 5 : PUBLISHING RESOURCES IN ADS
 Introduction
We publish resources:
1. To create objects in ADS that contain the required information or provide a reference to the required information.
2. For resources that do not exist in Active Directory.
3. For resources that are static (fixed) and change infrequently.
[Diagram: shared data, shared printers and shared software are published into ADS; XP clients use Find Printer to locate Shared Printer and Shared Printer2]

1) Any printer shared by a win 2000/03 based print server is published in ADS itself.
2) Any printer is automatically removed from Active Directory when its print server is removed from the network.
3) Each print server is responsible for its printers being published in ADS.

[Diagram: Win2000/03 print servers publish to ADS automatically; NT4.0/98 print servers have to be published manually]

In Win 2000/03 the print server's printers are automatically published, while the remaining ones, like NT 4.0/98, have to be published manually.


 MANAGING PUBLISHED PRINTERS
On a 2000/03 computer a shared printer is published by default. To stop publishing a shared printer, PATH: Printers -> properties -> clear the option "List in the directory". To view published printers: Active Directory Users & Computers -> View -> Users, Groups and Computers as containers. This will show all shared printers which are published.

 PUBLISHING PRINTERS FROM PRE-WINDOWS 2000 COMPUTERS
1) Install and share the printers on the pre win 2000 computer.
2) On the domain go to Active Directory Users & Computers and specify the UNC path, i.e. \\computer name\printer name.
A printer published from pre win 2000 has to be removed from publishing manually.

 PUBLISHING SHARED FOLDERS
Publishing shared folders in ADS has to be done manually for any operating system.
1) Create and share the folder on the client.
2) On the domain, Path: Active Directory Users & Computers -> right click -> container -> New -> Shared Folder -> specify the UNC path, i.e. \\computer name\share folder name.
NOTE:- The container can be anything, the computer name or an OU like Sales.


MODULE 6 : DELEGATING ADMINISTRATIVE CONTROL

 Active Directory security components
1) Security principal:- It is an account holder to which you can assign permissions, eg user, group and computer.
2) Security identifier (SID):- The SID identifies the security principal. SIDs are never reused.
3) Security Descriptor:- It is the security information associated with an object; it contains the DACL and the SACL.
DACL:- Discretionary Access Control List. It identifies the security permissions that allow or deny access and the level of access being allowed or denied.
SACL:- System Access Control List. It controls how object access is audited.

 LOG ON PROCESS (STEPS WHEN A USER LOGS IN)
1) The user logs on.
2) The LSS (local security sub system) service obtains a ticket for the user.
3) The LSS requests a workstation ticket.
4) The Kerberos service sends the workstation ticket.
5) The LSS service creates an access token.
6) The access token is attached to the user's process.
Eg. Access token: Security ID of user : 5-2-00-68; Group IDs - sales, hr, mkts; Rights - FC.

 ADS PERMISSIONS FOR FOLDERS
There are two types of permission:
1) Implicit: When permission to perform an operation is not explicitly assigned, it is implicitly denied. Eg. Sales has allow read permission on a folder; Mkts is not added, so it is not allowed.
2) Explicit: Permission can also be explicitly denied.
Sales ------- allow read ----------- \Data
Mkts -------- deny read ------------ \Data
i.e. Mkts is added and then denied read permission.
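The access check behind the two cases above, as an added example for these notes (not from the original material): the user's access token (user SID plus group SIDs, as sketched in the log-on process) is evaluated against the \Data folder's DACL; a matching deny ACE wins outright, and a principal with no allow ACE covering the requested right is implicitly denied. The SIDs and ACEs are constructed sample values, not real identifiers.

```python
"""Evaluate access to a folder the way the notes describe: explicit deny
first, then implicit deny when no ACE grants the requested right.

Added example for these notes, not original course material. SIDs and the
\\Data folder's ACEs are constructed sample data.
"""
from collections import namedtuple

ACE = namedtuple("ACE", "kind sid rights")   # kind: 'allow' | 'deny'; rights: set


class Token:
    """Access token in the shape the notes sketch: user SID plus group SIDs."""
    def __init__(self, user_sid, group_sids):
        self.sids = {user_sid} | set(group_sids)


def access_check(dacl, token, wanted):
    """Return (granted, reason) for the set of rights `wanted`.
    All deny ACEs are evaluated before any allow ACE (the effect of the
    canonical ACE order Windows tools keep), then allows are accumulated
    until every wanted right is covered; anything left over is implicitly denied."""
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in token.sids and ace.rights & wanted:
            return False, "explicitly denied %s via %s" % (
                sorted(ace.rights & wanted), ace.sid)
    granted = set()
    for ace in dacl:
        if ace.kind == "allow" and ace.sid in token.sids:
            granted |= ace.rights
    missing = wanted - granted
    if missing:
        return False, "implicitly denied: no ACE grants %s" % sorted(missing)
    return True, "allowed"


# Constructed group SIDs for the Sales, Mkts and HR groups of the notes.
S_SALES = "S-1-5-21-0-0-0-1101"
S_MKTS = "S-1-5-21-0-0-0-1102"
S_HR = "S-1-5-21-0-0-0-1103"

# The \Data folder from the notes: Sales allowed read, Mkts explicitly denied
# read, HR not listed at all (implicit deny).
DATA_DACL = [
    ACE("deny", S_MKTS, {"read"}),
    ACE("allow", S_SALES, {"read"}),
]
```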

 INTRODUCTION TO DELEGATION
[Diagram: the Administrator over the domain MCSE; OU Sales delegated to admin1, OU Hr to admin2, OU Mkts to admin3]

NOTE:- The Administrator has full control over all OUs (sales, hr, mkts); admin1 has control only on sales, and in parallel admin2 on hr and admin3 on mkts.
Delegation allows you to:
1. Change properties on a particular container.
2. Create and delete objects of a specific type under an OU.
3. Update specific properties of an object under an OU.
To delegate, steps: Right click OU -> Delegate control -> add user or group -> select the permissions to delegate.
Removing delegation, steps: Go to Active Directory Users & Computers -> View -> select Advanced Features -> right click on OU -> Properties -> Security -> select the user and remove.


MODULE 7 : IMPLEMENTING GROUP POLICY
 Introduction
Group policy enables you to:
1. Set centralised and decentralised policy, i.e. for every group or specifically.
2. Ensure that users have their required environment.
3. Enforce corporate policies.

 GROUP POLICY STRUCTURE
Types of GP settings:
1. Administrative templates : registry based GP settings.
2. Security settings : for local, domain and network security.
3. Software Installation : settings for central management of software installation.
4. Scripts : start up, shut down, log on, log off.
5. RIS : settings that control the options available to users when running the client installation used by RIS.
6. IE maintenance : settings to administer Microsoft IE (Internet Explorer).
7. Folder redirection : settings for storing user folders on a network server.

 Group Policy Object (GPO)
The content of a GPO is stored in 2 different locations:
1. GPC :- (Group Policy Container) It is located in ADS. It provides version information used by the DCs.
2. GPT :- (Group Policy Template) It is located in the shared Sysvol folder. It provides the policy settings for 2000/2003 computers.

Group Policy contains two kinds of settings:
• GP settings for computers : specify OS behaviour, desktop behaviour, security settings, computer start up and shut down scripts, computer-assigned application objects and application settings.
• GP settings for users : specify OS behaviour, desktop behaviour, security settings, assigned and published application objects, user log on and log off scripts, and folder redirection.
GP settings for the computer apply when the machine starts and during the periodic refresh cycle (90 min). GP settings for the user apply when the user logs on to the computer.

Linking GPOs: a GPO can be linked to
• Sites
• Domains
• OUs

[Diagram: domain Mcse.com with the Default Policy and a "No Run" GPO stored in \Sysvol; OU Sales (S1, S2, S3) linked to No Control; OU Mkt (M1, M2, M3) linked to No Display; OU HR (H1, H2, H3) linked to No Cmd]

No Run is given to MCSE.com, ie the domain, so it is centralized and No Run applies to all:
Sales :- No run, no control
Mkts :- No run, no display
Hr :- No run, no cmd
Later, if you want to give No Control to HR also, you don't have to create a new policy again for No Control; instead we add (link) the existing No Control policy to HR as well.

 Applying Group Policy
(1) The Sales department people don't have rights to the control panel:
• Start
• Administrative tools
• Active Directory Users & Computers
• Click plus sign (Domain name)
• Sales (properties)
• Group policy
• New (give any name) (NO control)
• Double click that given name
• User configuration
• Administrative templates
• Control panel
• Prohibit access to control panel
• Enable
• Ok
• Close
• Close

There are two rules of policy:
1. You can link 1 group policy to multiple sites, domains and organizational units.
2. You can link multiple GPOs to one site, domain or organizational unit.
Creating a new Group Policy: Right click Domain / OU - Properties - Group Policy - New
Adding an existing Group Policy: Right click Domain / OU - Properties - Group Policy - Add
Group Policy is stored in the SYSVOL folder on the domain controller.
Group Policy Inheritance: The domain policy is applied to all the domain users and child OUs.

 BLOCK INHERITANCE
Use this if an OU requires some settings but those settings are disabled by the inherited parent Group Policy. Eg. No Run is applied on the whole domain, but Sales wants access to Run, so we block Policy Inheritance on Sales, i.e. no policy from the parent comes to the child.
Right click Domain / OU - Properties - Group Policy - Click Block Policy Inheritance

Applying a Policy to the whole domain:
- Start
- Programs
- Administrative Tools
- Active Directory Users & Computers
- Microsoft.com (Domain name)
- Right click Properties
- Group Policy
- New - Name
- Double click name
- User configuration
- Administrative Templates
- Start Menu & Task bar
- Remove Run from Start Menu
- Properties
- Enable, OK, close window
- OK (in Group Policy)

 Using No Override (forced)
This option is mainly used on the parent (Domain / OU) so that the GPO is forced on the child OU even if the child OU has Block Policy Inheritance enabled.

 Filter Group Policy
You can filter the GPO in case you do not want the policies to be applied to a particular user under an OU.
PATH:- Right click Domain / OU - Properties - Group Policy - Select the GP - Properties - Security - Add the user and give Apply Group Policy - Deny permission.
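The inheritance, Block Policy Inheritance, No Override and filtering rules above, combined into one resolver as an added example for these notes (not from the original material). It follows the notes' own scenario: No Run linked at MCSE.com, No Control linked at the Sales OU, and a user denied Apply Group Policy on a GPO. The user names s1/s2 are constructed; the processing order (domain first, OU last, enforced parent links applied after everything else) is the rule the notes describe.

```python
"""Work out the group policy settings a user in an OU ends up with, using the
rules in the notes: the domain GPO is inherited by every OU, Block Policy
Inheritance stops inherited GPOs, No Override (enforced) on a parent link beats
the block, and Deny on Apply Group Policy filters a GPO off a principal.

Added example for these notes, not original course material. The GPOs and
containers follow the notes' MCSE.com / Sales example; user names are made up.
"""
from collections import namedtuple

GPO = namedtuple("GPO", "name settings enforced deny_apply")   # deny_apply: set of principals
Container = namedtuple("Container", "name links block_inheritance")  # links: GPOs, last listed wins


def resulting_policy(path, principal, groups=()):
    """path: containers from the domain down to the user's OU.
    Returns {setting: (value, gpo name)} after inheritance, blocking,
    enforcement and security filtering."""
    who = {principal} | set(groups)
    to_apply = []            # (level, gpo); level 0 is the domain
    blocked = False
    # Walk from the OU upward: once a block is seen, only enforced GPOs
    # linked above that container survive.
    for level in range(len(path) - 1, -1, -1):
        container = path[level]
        for gpo in container.links:
            if blocked and not gpo.enforced:
                continue
            if gpo.deny_apply & who:
                continue     # Apply Group Policy denied for this user or group
            to_apply.append((level, gpo))
        if container.block_inheritance:
            blocked = True
    # Non-enforced GPOs: domain first, OU last, so the closer GPO wins a conflict.
    # Enforced GPOs come after all of them, deepest first, so an enforced
    # parent link is applied last and cannot be overridden.
    ordered = sorted(to_apply, key=lambda lg: (lg[1].enforced,
                                               -lg[0] if lg[1].enforced else lg[0]))
    result = {}
    for _, gpo in ordered:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


# The notes' scenario: No Run on the domain, No Control on Sales, No Display on Mkts.
NO_RUN = GPO("No Run", {"run": "removed"}, False, frozenset())
NO_CONTROL = GPO("No Control", {"control_panel": "prohibited"}, False, frozenset())
NO_DISPLAY = GPO("No Display", {"display": "prohibited"}, False, frozenset())
DOMAIN = Container("MCSE.com", [NO_RUN], False)
SALES = Container("Sales", [NO_CONTROL], False)
MKTS = Container("Mkts", [NO_DISPLAY], False)
```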

 Folder Redirection
In Folder Redirection, a user saves his data in My Documents on comp2. Later, if he logs in on any other PC, he finds the same data in My Documents of that PC (it is like a personal My Documents).

In Folder Redirection we create a shared folder on any PC, eg COMP10. Whenever a user sitting on any PC saves his data in My Documents, it gets saved in the shared folder on COMP10, and the user can access this data from My Documents on any PC.
Group Policy supports different types of folders to redirect:
- My Documents
- Start Menu
- Desktop
- Application Data
Advantages:
1. Data is always available to the user irrespective of the computer logged in to.
2. Data is centrally stored for ease of management (on some other PC).
3. Network traffic is generated only when the user gains access to the files.
4. Files are not saved on the client computer.
PATH:- GPO - User Configuration - Windows Settings - Folder Redirection - My Documents
PATH on the DC: Create a new folder XYZ - Share the folder and give full permission - Active Directory Users & Computers - Right click on domain (Microsoft.com) - Properties - Group Policy - Edit - User Configuration - Windows Settings - Folder Redirection - Right click on My Documents - Properties


Folder Redirection provides 2 options:
1. Basic - Redirect all users' data to one location (ie save the data of all users in 1 folder).
2. Advanced - Redirect various groups' data to different locations (ie save data group-wise in different folders).

MODULE 9 : USING GROUP POLICY TO MANAGE SOFTWARE
 Introduction
In Windows 2003 you can use group policy to manage software deployment centrally. The tasks used for software deployment, installation and maintenance are:
1) Preparation : Prepare the files that enable the applications to be deployed through Group Policy; copy the Windows Installer package files to a distribution point.
2) Deployment : Create a GPO that installs the software on the client computers and link that GPO to the proper ADS container (OU).
3) Maintenance : Deployed software is upgraded with a new version or redeployed with service packs and patch files.
4) Removal : To remove software that is no longer required, remove the software package from the GPO.

 Benefits of Windows Installer
a) Resilient Applications : If a critical file is deleted or becomes corrupt, the application will return to the installation source and get a new copy of the file.
b) Clean Removal : Applications are uninstalled without leaving orphaned files.


Assigning Software : You assign software to make sure that users have all the applications that they need installed on their computers. The next time the user logs on, the newly installed software is advertised on their desktop.
Note : Assigned software is installed from Start -> Programs.
Publishing Software : When you publish software it becomes available for users to install on their computers. Published software is not advertised on the desktop; published software is available in Control Panel -> Add/Remove Programs -> Add New Programs.
Assigning software supports software resilience and publishing software supports document activation.
Removing Software : When you remove assigned or published software, you can remove it completely from all computers, or not allow new installations for new users.
Path : Group Policy - Computer configuration - Software settings - Software installation - New - Package.


MODULE 10 : CREATING AND MANAGING TREES AND FORESTS
 Introduction
Tree : Trees are a hierarchical arrangement of windows 2003 domains that share a contiguous name space.

[Diagram: MCSE.com created with the DCPROMO choice "New Domain - New Tree - New Forest"; HR.MCSE.com and Sales.MCSE.com created with "New Domain - Child Domain in a Tree"]

FOREST : A forest is one or more trees. Trees in a forest do not share a contiguous name space. Trees in a forest share a common schema, configuration and global catalog.
Forest root domain : The first domain created in the forest is called the forest root. The name of the forest root domain is used to refer to the entire forest. The forest root domain contains 2 predefined groups:
* Schema Admins
* Enterprise Admins

CREATING THE FIRST DOMAIN (ROOT) - DCPROMO
* Domain controller type : DC for a new domain
* Create a new DC : Domain in a new forest

CREATING A NEW CHILD DOMAIN - DCPROMO
* Domain controller type : DC for a new domain
* Create a new DC : Child domain in an existing domain tree
* Network credentials : specify domain user name and password

CREATING A NEW TREE IN A FOREST - DCPROMO
* Domain controller type : DC for a new domain
* Create a new DC : Domain tree in an existing forest
* Network credentials : specify domain user name and password

CREATING AN ADDITIONAL DC - DCPROMO
* Domain controller type : Additional DC for an existing domain
* Network credentials : specify domain user name and password

 Benefits of creating multiple dom
1. Reduce replication traffic.
2. Maintain separate policies between domains.
3. Preserve an existing domain structure from Win NT.
4. Separate administrative control.

 Installing an Additional DC - requirements
• Master DC installed
• Win 2003 server
• Static IP
• DNS server
• NTFS volume
• Administrator password of the master DC

 Managing ADS Replication
Replication is the process of updating information in ADS from one DC to another DC within a domain.

[Diagram: a DC and an Additional DC replicating with each other]
The DCs keep talking (they replicate among themselves).

How Replication Works: ADS is updated on the following events
• Adding objects
• Modifying objects
• Moving objects
• Deleting objects

 Replication Latency
It is the time needed for a change made on one DC to be received by another DC. The default replication latency is 5 min.

 Replication Conflicts
There are 3 types of conflicts:
• Attribute value (i.e. user tel no, info, etc.)
• Add or remove object under a deleted container. E.g. another admin has deleted the container Mkt and we are creating a user under Mkt at the same time.
• Sibling name. E.g. another admin is creating s1 in Sales and we are creating s1 in Mkt at the same time on another PC.


 Active Directory Services Sites
1. The first site is set up automatically and is called Default-First-Site-Name.
2. Sites can consist of zero, one or more subnets.
3. Sites are used to control replication traffic and logon traffic.
4. Sites contain server objects and are associated with IP subnet objects.

 Active Directory Services Replication Within Sites
1. Occurs between Domain Controllers in the same site.
2. Assumes fast and highly reliable network links.
3. Does not compress replication traffic.
4. Uses a change notification mechanism.

 Active Directory Services Replication Between Sites
1. Occurs on a manually defined schedule.
2. It is used to optimize bandwidth.
3. One or more replicas in each site act as Bridgehead Servers.

[Diagram: two sites, each with DCs, connected by a site link; one DC in each site acts as the bridgehead]

33



Replication Protocol
1. RPC (Remote Procedure Call): Active Directory replication uses RPC over IP for replication within a site and between sites.
2. SMTP (Simple Mail Transfer Protocol): SMTP can carry the schema, configuration and global catalog partitions between sites, but it cannot replicate the domain partition between domain controllers of the same domain. It requires an enterprise certification authority, because the replication mail is signed and encrypted with certificates issued to the DCs.



Configuring Site Links
1. Transport: the protocol used to transfer the replicated data (IP, meaning RPC over IP, or SMTP).
2. Member sites: the two or more sites connected by the site link.
3. Cost: a number that represents the relative preference of the link. When more than one route exists between two sites, the KCC uses the route with the lowest total cost. The default is 100.
4. Schedule: the hours during which replication over the link is allowed.
5. Replication interval: how often replication occurs inside the scheduled window. The default is 180 minutes, the minimum 15.
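The site objects described above, created from PowerShell as an added example (not from the notes; it uses the ActiveDirectory module of Windows Server 2008 R2 and later, whereas on Windows 2003 the same objects are created in Active Directory Sites and Services). The site names, subnets, cost and interval are assumed values.

```powershell
# Added example: two sites, their subnets and one site link with an explicit
# cost and interval. Names, subnets, cost and interval are assumed.
Import-Module ActiveDirectory

$sites = @('Mumbai', 'Pune')
foreach ($site in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# A client with a 10.1.x.x address is placed in Mumbai and logs on to a Mumbai DC.
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Mumbai'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'Pune'

# Cost 50 makes this link preferred over any alternative route that still has
# the default cost of 100; replication runs every 60 minutes instead of 180.
New-ADReplicationSiteLink -Name 'Mumbai-Pune' -SitesIncluded $sites `
    -InterSiteTransportProtocol IP -Cost 50 -ReplicationFrequencyInMinutes 60

# Check the result and make the KCC rebuild the inter-site topology now
# instead of waiting for its next scheduled run.
Get-ADReplicationSiteLink -Identity 'Mumbai-Pune' -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
repadmin /kcc
repadmin /replsummary
```

The schedule (the hours in which the link may be used) is left at the default of 24 hours here; it is set separately on the site link's properties.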

 Managing Operation Masters
An Operation Master (also called an FSMO role holder) is a domain controller that performs a specific role in Windows 2003 Active Directory and is the only DC allowed to make a specific set of directory changes.

 Introduction to Operation Masters
1. Only the DC that holds a specific Operation Master role can perform the associated Active Directory changes.
2. Changes made by an Operation Master are replicated to the other domain controllers like any other change.
3. Any domain controller can hold an Operation Master role.
4. An Operation Master role can be transferred to another DC while the holder is online, or seized when it is not.

 Operation Master Roles
1. Schema Master
2. Domain Naming Master
3. PDC Emulator
4. RID Master
5. Infrastructure Master

 Operation Master Default Location
Forest-wide roles (one holder in the whole forest): Schema Master and Domain Naming Master. By default both are held by the first DC installed in the forest root domain.
Domain-wide roles (one holder in each domain, including every child domain): PDC Emulator, RID Master and Infrastructure Master. By default all three are held by the first DC installed in that domain.

 Schema Master:
It controls all updates to the schema. Schema changes are written only on the Schema Master and replicated from it to every DC in every domain of the forest.

 Domain Naming Master:
The Domain Naming Master controls the addition or removal of domains in the forest. There is only one Domain Naming Master per forest.


 PDC Emulator:
Acts as a PDC for Windows NT BDCs and pre-Windows 2000 client computers, and receives password changes from pre-Windows 2000 clients. Every password change made on any other DC is also sent to it immediately, so a logon that fails on another DC with a bad password is retried against the PDC Emulator before being rejected. It is the default DC on which Group Policy objects are edited, which prevents two administrators from overwriting each other's GPO changes. There is one per domain.

 RID Master:
The Relative Identifier Master allocates blocks (pools) of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group or computer object, it assigns the object a unique Security Identifier (SID) made of the domain SID plus a RID taken from its own pool. Because every pool comes from a single master, two DCs can never issue the same SID. The RID Master is also involved when an object is moved to another domain, so that the object cannot be moved from two DCs at once and duplicated.

 Infrastructure Master:
The Infrastructure Master updates references from objects in its domain to objects in other domains (for example the membership of a group that contains users from another domain). Do not place it on a global catalog server unless every DC in the domain is a global catalog; otherwise the cross-domain references are never updated.

 Seize Operation Master Roles
(If the master DC has crashed or is down)
[Figure: master DC down; the additional DC seizes the Operation Master roles]
If the master DC has crashed or is down, you can make the additional DC the master DC by seizing the Operation Master roles. Seizing is a last resort: if the role holder is still reachable, transfer the roles instead (same ntdsutil session, with "transfer" in place of "seize").
Note: Once you have seized the OM roles on the additional DC, the original master DC must never be brought back on the network, because two DCs would then claim the same role (for the RID Master this can lead to duplicate SIDs). Re-install the original master DC; before that, remove its remaining entries from the directory with ntdsutil metadata cleanup.


 Steps to Seize the OM Roles
Seizing does not need Directory Services Restore Mode: run the commands on the surviving DC while Active Directory is online, logged on as a member of Domain Admins (membership of Schema Admins and Enterprise Admins is needed in addition for the two forest-wide roles). In a command prompt type:
  ntdsutil ↵
  ntdsutil: ? ↵   (lists the available commands)
  ntdsutil: roles ↵
  fsmo maintenance: connections ↵
  server connections: connect to server computername.domain.com ↵
  server connections: quit ↵
  fsmo maintenance: seize PDC ↵   (confirm with OK)
  fsmo maintenance: seize RID master ↵   (confirm with OK)
  fsmo maintenance: seize infrastructure master ↵   (confirm with OK)
  fsmo maintenance: seize domain naming master ↵   (confirm with OK)
  fsmo maintenance: seize schema master ↵   (confirm with OK)
  fsmo maintenance: quit ↵
  ntdsutil: quit ↵
Each seize command first attempts a normal transfer and only seizes if the current holder does not answer. Afterwards verify the new holders with "netdom query fsmo" (Support Tools) and check that the DC has replicated the change to its partners.
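The same seizure done with the ActiveDirectory module (Windows Server 2008 R2 and later), as an added example that is not part of the notes and not the Windows 2003 ntdsutil method itself. 'DC2' is the assumed surviving DC, 'DC1' the assumed dead role holder, and the server DN in the cleanup step is an assumed example.

```powershell
# Added example: seize all five roles onto a surviving DC, with the checks a
# careful administrator does around it. DC1, DC2 and the DN are assumed.
Import-Module ActiveDirectory
$target = 'DC2'
$dead   = 'DC1'

# 1. Record who holds what before touching anything.
$forest = Get-ADForest
$domain = Get-ADDomain
"Schema: $($forest.SchemaMaster)   DomainNaming: $($forest.DomainNamingMaster)"
"PDC: $($domain.PDCEmulator)   RID: $($domain.RIDMaster)   Infrastructure: $($domain.InfrastructureMaster)"

# 2. Seize only if the old holder really is gone; otherwise transfer.
if (Test-Connection -ComputerName $dead -Count 2 -Quiet) {
    throw "$dead still answers: transfer the roles instead of seizing them"
}

# 3. -Force means: try a transfer first, seize if the holder cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -Identity $target -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Verify against the target itself, not only the cached forest view.
netdom query fsmo
Get-ADDomain -Server $target | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 5. Remove the dead DC's metadata so it can never rejoin with its old identity
#    (ntdsutil syntax as on Windows Server 2003 SP1 and later).
ntdsutil "metadata cleanup" `
    "remove selected server CN=$dead,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com" `
    quit quit
```

Step 2 is the check the notes' procedure relies on you doing by hand: seizing while the old holder is merely slow or disconnected is what produces two live role holders.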

 Managing the Active Directory Database
The Active Directory database is managed in the following ways:
o Back up the Active Directory database
o Restore the Active Directory database
o Defragment the Active Directory database
o Move the Active Directory database

 The Files in Active Directory
o Ntds.dit: this single file is the Active Directory database and stores all the Active Directory objects held by the domain controller. The .dit extension means directory information tree. Because it contains the password hashes of every account in the domain, any copy of it (a backup, a compacted copy, a file left on a share) must be protected as carefully as the domain controller itself.
o Edb.log: the current transaction log file. Each log file is 10 MB; when edb.log is full it is renamed with a sequence number (edb00001.log and so on) and a new edb.log is started. Domain controllers use circular logging by default, so old logs are reused once their transactions are in the database.
o Edb.chk: a checkpoint file used by the database engine to track which transactions in the logs have already been written to the Active Directory database file; after a crash, recovery replays the logs from the checkpoint.
o Res1.log and Res2.log: reserve transaction log files of 10 MB each. Their space is used only when the disk runs out of free space, so that the engine can still commit in-flight transactions and shut down cleanly.

 Backup Active Directory Database
You back up the ADS database by selecting the System State data option in Windows Backup (ntbackup). System State is always backed up and restored as one unit.
System State Data:
1. ADS database, ntds.dit with its logs (only on a DC)
2. Sysvol folder (only on a DC)
3. Registry
4. System startup (boot) files
5. COM+ Class Registration database
6. Certificate Services database (if Certificate Services is installed)
A System State backup can only be used to restore Active Directory while it is younger than the tombstone lifetime (60 days by default; 180 days for forests created on Windows Server 2003 SP1 or later). Older backups are refused, because the deletions they know nothing about could be reintroduced into the directory.


 Restore Active Directory Service Database
There are two types of restore.
1. Non-authoritative restore: brings the DC back to the state it was in at the time of the backup; everything that changed since then is replicated back in from the other DCs, so the restored data never overrides the newer copies.
Steps:
1. Restart the DC in Directory Services Restore Mode.
2. Log on with the local Directory Services Restore Mode administrator account (its password is set during dcpromo and kept in the local SAM, which is why the notes call it the SAM account).
3. Go to Windows Backup and restore the System State backup.
4. Restart the DC normally.
2. Authoritative restore: a non-authoritative restore followed by marking specific objects (or subtrees) from the backup as authoritative, so that they win against the copies on the other DCs and are replicated out. Use it to recover an OU or objects that were deleted by mistake.
Steps:
1. Restart the DC in Directory Services Restore Mode.
2. Restore the System State backup but do not restart the computer.
3. Run Ntdsutil.exe.
4. Switch to the authoritative restore prompt ("authoritative restore").
5. Provide the distinguished name of the object ("restore object <DN>") or of the subtree ("restore subtree <DN>"). Ntdsutil raises the version numbers of the restored attributes by 100,000 so that they win the replication conflict rule.
6. Exit Ntdsutil.
7. Restart the domain controller normally.
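The backup and the authoritative restore above, run from the command line as an added example (not code from the notes). It uses ntbackup as shipped with Windows Server 2003 and passes the ntdsutil prompt commands as arguments; the backup path, the job name and the OU distinguished name are assumed values.

```powershell
# Added example: System State backup, then an authoritative restore of one OU.
# Paths, job name and the OU DN are assumed.

# --- Backup: run on the DC while Active Directory is online ---
$job  = 'SystemState-{0:yyyyMMdd}' -f (Get-Date)
$path = "D:\Backups\$job.bkf"
ntbackup backup systemstate /J $job /F $path
if (-not (Test-Path $path)) { throw "ntbackup did not produce $path" }
# The .bkf contains ntds.dit, i.e. every password hash in the domain: keep
# D:\Backups readable by Administrators only and move copies off the DC securely.
# Windows Server 2008 and later instead:  wbadmin start systemstatebackup -backupTarget:D: -quiet

# --- Authoritative restore: run in Directory Services Restore Mode, after the
#     System State has been restored from the .bkf and BEFORE the restart ---
$ou = 'OU=Mkt,DC=example,DC=com'
# 'restore subtree' marks the OU and everything below it; 'restore object'
# marks a single object. Versions are raised by 100,000 so these copies win.
$out = ntdsutil "authoritative restore" "restore subtree $ou" quit quit
$out
if (-not ($out -match 'Successfully updated')) {
    throw 'ntdsutil did not report a successful update; do not restart yet'
}
Restart-Computer

# After the restart, confirm on another DC that the OU came back and that its
# attribute versions are in the 100000+ range:
#   repadmin /showobjmeta DC2 "OU=Mkt,DC=example,DC=com"
```

The order matters: the System State restore must be complete and the machine still in DSRM when ntdsutil runs, because once the DC restarts normally the freshly restored (lower-version) objects would be overwritten by replication before they could be marked.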



Defragment the Active Directory Service Database

Active Directory defragments the database online automatically every 12 hours, but online defragmentation only rearranges pages; it does not shrink ntds.dit. An offline defragmentation (compaction) is needed to give disk space back, for example after a large number of objects was deleted or after the global catalog was removed from the DC, so it is done when required rather than on a fixed schedule.
Steps:
1. Restart the DC in Directory Services Restore Mode.
2. Log on with the Directory Services Restore Mode administrator account.
3. Run Ntdsutil.exe:
  ntdsutil: files
  file maintenance: compact to z:\
  (z:\ is any folder on a drive with at least as much free space as the database; Ntdsutil writes a new ntds.dit there.)
4. Check the new file with "esentutl /g z:\ntds.dit", copy it over the original ntds.dit, delete the old *.log files in the log folder, and run "file maintenance: integrity" on the replaced database.
5. Restart the DC normally. Delete the compacted copy afterwards; it contains all the password hashes.


Moving the Active Directory Database
 Steps:
1. Restart the DC in Directory Services Restore Mode.
2. Log on with the Directory Services Restore Mode administrator account.
3. Run Ntdsutil.exe:
  ntdsutil: files
  file maintenance: move DB to c:\<new folder>
  file maintenance: move logs to c:\<new folder>   (if the log files are to move as well)
Ntdsutil moves the files, updates the registry values that point to them and sets the permissions on the new folder (Administrators and SYSTEM only). Run "file maintenance: integrity" afterwards and restart normally.
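The compaction procedure above with the free-space and integrity checks scripted, plus the move variant, as an added example (not code from the notes). It is meant to run in Directory Services Restore Mode as the DSRM administrator; C:\WINDOWS\NTDS is the Windows 2003 default folder and the other paths are assumed.

```powershell
# Added example: offline compaction of ntds.dit with an integrity check before
# the compacted copy replaces the original. Paths are assumed.
$ntdsDir   = 'C:\WINDOWS\NTDS'
$compactTo = 'D:\Compact'
New-Item -ItemType Directory -Path $compactTo -Force | Out-Null

# Compaction needs room for a complete new copy of the database.
$dbSize = (Get-Item (Join-Path $ntdsDir 'ntds.dit')).Length
$free   = (Get-PSDrive $compactTo.Substring(0, 1)).Free
if ($free -lt $dbSize) { throw "not enough free space on $compactTo for a $dbSize-byte copy" }

# 1. Write the compacted copy (ntdsutil takes its prompt commands as arguments).
ntdsutil files "compact to $compactTo" quit quit

# 2. Never trust the copy blindly: run the ESE integrity check on it.
esentutl /g (Join-Path $compactTo 'ntds.dit')
if ($LASTEXITCODE -ne 0) { throw 'integrity check failed; the original database is untouched' }

# 3. Keep the original aside, drop the compacted file in, delete the old logs
#    (the engine creates fresh edb.log, res1.log and res2.log on the next start).
Move-Item (Join-Path $ntdsDir 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit.old')
Copy-Item (Join-Path $compactTo 'ntds.dit') $ntdsDir
Remove-Item (Join-Path $ntdsDir '*.log')

# 4. Check the database in its live location, then restart normally.
ntdsutil files integrity quit quit
# Once the DC is back and replicating, delete ntds.dit.old and D:\Compact:
# both are complete copies of the password database.

# Moving instead of compacting: ntdsutil moves the files, rewrites the
# registry paths and sets the folder ACL (SYSTEM and Administrators only):
#   ntdsutil files "move DB to D:\NTDS" "move logs to D:\NTDSLogs" quit quit
```

The original is renamed rather than deleted so that a failed start can be undone by renaming it back and restoring the logs from backup; the clean-up of the leftover copies is the step most often forgotten.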
