Understanding Active Directory in Windows Server 2003
Overview
Active Directory® Directory Services Overview
Active Directory Logical Components
Functional Levels
Active Directory Physical Components
Active Directory Partitions
Active Directory Objects
Administering a Microsoft® Windows® Server 2003 Network Using Active Directory Tools
Lesson: Active Directory Directory Services Overview
What Is Active Directory?
Benefits of Active Directory
DNS Integration
Active Directory Naming Conventions
What Is Active Directory?
Directory service functionality: a store of information about network resources (users, computers, groups, and so on) that lets administrators organize, manage, and control access to them
Centralized management: a single point of administration for those resources
[Diagram: Active Directory at the center of the network's resources]
Benefits of Active Directory
Windows Server 2003 without Active Directory provides significant benefits:
Scalable and reliable application server
Internet Information Services (IIS) 6.0
Remote access and VPN server
Network services (DNS and DHCP, for example)
Windows Server 2003 with Active Directory provides additional benefits:
Authentication and authorization service
Single sign-on across multiple servers and services
Centralized management of servers and client computers
Centralized administration of users and computers
Centralized management of network resources
DNS Integration
Name resolution
Resolves names of servers and clients to IP addresses (forward lookup) and, where reverse lookup zones are configured, IP addresses back to names
Namespace definition
An Active Directory domain's name must be represented in DNS
• Active Directory requires DNS
• DNS does not require Active Directory
Locating the physical components of Active Directory
Client computers query DNS SRV records (for example _ldap._tcp.dc._msdcs.<domain>, _kerberos._tcp.dc._msdcs.<domain>, _gc._tcp.<forest>) to locate domain controllers running specific services, such as the global catalog (GC), the Kerberos protocol, and LDAP
Because the locator trusts those answers, whoever can write to the _msdcs zone can steer clients to a host of their choosing; AD-integrated zones that accept secure dynamic updates only are the usual control
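The DC-location step described above, as an added example that is not code from the original deck: it derives the SRV names a client queries for a given domain, forest and site, parses SRV answers written in dig/zone-file style, and orders the targets the way RFC 2782 prescribes (lowest priority first, weighted-random within a priority). The host names, the site name "Paris" and the record values in SAMPLE_ANSWER are constructed for illustration.

```python
"""How clients find domain controllers through DNS SRV records.

Added example, not from the original deck.  It builds the well-known SRV names
the DC locator queries (MS-ADTS 6.3.2.3) and orders the answers as RFC 2782
prescribes: lowest priority first, weighted-random within a priority.
SAMPLE_ANSWER is constructed data in dig/zone-file style, not a real lookup.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_names(domain: str, forest: str, site: Optional[str] = None) -> dict:
    """Names a client queries for a DC, the PDC emulator and a global catalog.

    GC records hang off the forest root name, not the client's own domain.
    Site-specific names are tried first when the client knows its site.
    """
    names = {
        "dc_ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "dc_kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
        "pdc_ldap": f"_ldap._tcp.pdc._msdcs.{domain}",
        "gc_ldap": f"_ldap._tcp.gc._msdcs.{forest}",
        "gc": f"_gc._tcp.{forest}",
    }
    if site:
        names["site_dc_ldap"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["site_gc"] = f"_gc._tcp.{site}._sites.{forest}"
    return names


def parse_srv_answers(text: str) -> list:
    """Parse 'owner TTL IN SRV priority weight port target' lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue  # blank line, comment or some other record type
        priority, weight, port = (int(x) for x in fields[4:7])
        records.append(SrvRecord(priority, weight, port, fields[7].rstrip(".").lower()))
    return records


def order_targets(records: list, rng: random.Random) -> list:
    """RFC 2782 selection: every lower-priority record is tried before any
    higher one; within a priority, pick by weight, and a zero-weight record
    only when the draw is 0."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == priority),
                       key=lambda r: r.weight != 0)  # zero weights first
        while group:
            draw = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


SAMPLE_ANSWER = """\
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 dc1.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 dc2.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 0 389 dc3.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 10 100 389 dr-dc.contoso.msft.
"""


def locate_dcs(answer_text: str, seed: int = 0) -> list:
    """Return DC host names in the order a client would try them."""
    rng = random.Random(seed)
    return [r.target for r in order_targets(parse_srv_answers(answer_text), rng)]


if __name__ == "__main__":
    for name in srv_names("contoso.msft", "contoso.msft", site="Paris").values():
        print("query:", name)
    print("try in order:", locate_dcs(SAMPLE_ANSWER))
```

Whatever the seed, dr-dc (priority 10) is always tried last and dc3 (weight 0) is chosen ahead of dc1 or dc2 only on a zero draw; a Windows DNS server registers its DCs with priority 0 and weight 100 by default, which is why every DC in the sample looks alike until an administrator changes those values.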
Active Directory Naming Conventions
LDAP distinguished name (DN): the object's full path, listed from the object itself up to the forest root, for example CN=Jeff Smith, CN=Users, DC=contoso, DC=msft
LDAP relative distinguished name (RDN): the leftmost part of the DN, for example CN=Jeff Smith; it must be unique within its container
User principal name (UPN, used for Kerberos logon): user@DNS-suffix, for example [email protected]
Service principal name (SPN): service-class/host[:port], registered on the account the service runs as; Kerberos clients request service tickets by SPN
Globally unique identifier (GUID): a 128-bit value assigned when the object is created that never changes, even if the object is renamed or moved
Uniqueness of names: a DN is unique across the forest and an RDN within its container; UPNs and SPNs must also be unique across the forest (a duplicate SPN breaks Kerberos authentication to that service)
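Parsing and building DNs with RFC 4514 escaping, as an added example that is not code from the original deck. It takes the deck's sample DN plus constructed ones and shows why a DN must never be assembled by string concatenation or taken apart with str.split(","): a value containing a comma, equals sign or other special character must be backslash-escaped, and an unescaped one reads as an extra RDN, which is how attacker-supplied names end up injecting components into a DN.

```python
"""Parsing and building LDAP distinguished names safely.

Added example, not from the original deck.  The deck's sample DN
CN=Jeff Smith, CN=Users, DC=contoso, DC=msft is used as input; the other
values are constructed.  RFC 4514 lets a value contain ',', '=', '+' and so on
only when escaped with a backslash, so a naive str.split(",") misreads such
names and string concatenation lets attacker-chosen input inject extra RDNs.
"""
import string

SPECIAL = set(',+"\\<>;=')


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep, skipping occurrences that are preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair intact for unescape_value
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _trim(s: str) -> str:
    """Drop whitespace around separators but keep an escaped trailing space."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1]
    return s


def unescape_value(v: str) -> str:
    """Undo RFC 4514 escaping: '\\X' for a special char, '\\XX' for a UTF-8 byte."""
    out = bytearray()
    i = 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))   # hex pairs are raw UTF-8 bytes
                i += 3
                continue
            out += v[i + 1].encode()
            i += 2
            continue
        out += v[i].encode()
        i += 1
    return out.decode()


def escape_value(v: str) -> str:
    """Escape an attribute value so it survives inside a DN unchanged."""
    out = []
    last = len(v) - 1
    for i, c in enumerate(v):
        if c in SPECIAL or (c == " " and i in (0, last)) or (c == "#" and i == 0):
            out.append("\\" + c)
        elif ord(c) < 0x20:
            out.append("\\%02X" % ord(c))   # control characters as hex pairs
        else:
            out.append(c)
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Return (attribute, value) pairs from leaf to root, values unescaped."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        rdn = _trim(raw)
        attr, eq, value = rdn.partition("=")  # '=' inside a value is always escaped
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().upper(), unescape_value(_trim(value))))
    return rdns


def build_dn(rdns: list) -> str:
    """Assemble a DN from (attribute, value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def domain_of(dn: str) -> str:
    """DNS name of the domain a DN lives in, taken from its DC components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


if __name__ == "__main__":
    deck_dn = "CN=Jeff Smith, CN=Users, DC=contoso, DC=msft"
    print(parse_dn(deck_dn), domain_of(deck_dn))
    # A display name with a comma: naive splitting yields five pieces, the parser four.
    tricky = build_dn([("CN", "Smith, Jeff"), ("CN", "Users"), ("DC", "contoso"), ("DC", "msft")])
    print(tricky, len(tricky.split(",")), len(parse_dn(tricky)))
```

Multi-valued RDNs joined with "+" are rare in Active Directory and are not split here; everything else a directory will hand back, including hex-escaped UTF-8 bytes and escaped leading "#" or trailing spaces, round-trips through escape_value and unescape_value.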
Lesson: Active Directory Logical Components
What Are Domains?
What Are Trees?
What Are Forests?
What Are Organizational Units?
What Are Trust Relationships?
Types of Trusts in Windows Server 2003
What Are Domains?
Logical partition in the Active Directory database
Collections of users, computers, groups, and so on
Units of replication: domain controllers in a domain replicate with each other and each contains a full copy of the domain partition for its domain
Domain controllers do not replicate domain partition information for other domains
[Diagram: replication among the domain controllers of a Windows 2000 or Windows Server 2003 domain]
What Are Trees?
One or more domains that share a contiguous DNS namespace, for example:
nwtraders.msft
childdomain.nwtraders.msft
otherdomain.nwtraders.msft
Child domains derive their namespace from the parent
Group Policy, delegated administration, and similar settings do not flow across domain boundaries by default
What Are Forests?
One or more domains that share:
Common schema
Common configuration
Automatic transitive trust relationships
Common global catalog
Forests can contain from as few as one domain to many domains and/or many trees
Domains are not required to be in a single tree or share a namespace
First domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003 (domain rename requires the Windows Server 2003 forest functional level)
The forest, not the domain, is the security boundary: the schema and configuration partitions are shared, and an administrator who controls any one domain can compromise the others, so every domain in a forest must be under administration you trust
What Are Organizational Units?
Container objects within a domain
Used to organize resources to reflect administrative divisions; these may not map to the organizational chart
Used to delegate administrative authority
Used to apply Group Policy
[Diagram: organizational structure (Sales, Paris, Repair) beside a network administrative model (Users, Sales, Computers)]
What Are Trust Relationships?
Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
Some trusts are automatically created
Parent-child domains trust each other
Tree root domains trust the forest root domain
Other trusts are manually created
Forest-to-forest transitive trusts can be created only between Windows Server 2003 forests (that is, not with Windows 2000 forests); both forests must be at the Windows Server 2003 forest functional level
Types of Trusts in Windows Server 2003
Default: two-way, transitive Kerberos trusts (intraforest); created automatically between parent and child domains and between tree roots and the forest root
Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
Reduce authentication requests by cutting the referral path between two domains deep in the forest
Forest: one- or two-way, transitive Kerberos trusts
Windows Server 2003 forests only; Windows 2000 does not support forest trusts
Only between forest roots
Creates transitive domain trust relationships between every domain of the two forests, but does not extend to a third forest
SID filtering is applied by default; selective authentication can further restrict which servers the partner's users may authenticate to
External: one- or two-way, non-transitive NTLM trusts
Used to connect to/from Microsoft Windows NT® domains or Windows 2000 domains in another forest
Manually created; SID filtering (quarantine) is enabled by default on external trusts created from Windows Server 2003
Realm: one- or two-way, transitive or non-transitive Kerberos trusts
Connect to/from UNIX MIT Kerberos realms
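The trust types above, as an added example that is not code from the original deck: it reads the attributes a trust is stored with in the directory (trustType, trustDirection and trustAttributes on the trustedDomain object, flag values as documented in MS-ADTS section 6.1.6.7), maps each trust onto the deck's categories, and flags the ones through which outside principals are accepted without SID filtering. The SAMPLE_TRUSTS records, their names and the NT 4.0 and MIT partners are constructed, not a dump from a real domain.

```python
"""Classify and audit Active Directory trusts from their LDAP attributes.

Added example, not from the original deck.  Each trust a domain holds is a
trustedDomain object under CN=System,<domain DN>; its trustType,
trustDirection and trustAttributes (flag values as in MS-ADTS section
6.1.6.7) say which of the deck's trust types it is, whether it is transitive,
and whether SID filtering protects it.  SAMPLE_TRUSTS is constructed data,
not a dump from a real domain.
"""
TRUST_TYPE = {1: "downlevel (Windows NT 4.0)", 2: "uplevel (Active Directory)",
              3: "MIT Kerberos realm", 4: "DCE"}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes flag bits
NON_TRANSITIVE = 0x01
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust (netdom trust /quarantine:yes)
FOREST_TRANSITIVE = 0x08
CROSS_ORGANIZATION = 0x10   # selective authentication
WITHIN_FOREST = 0x20
TREAT_AS_EXTERNAL = 0x40    # forest trust relaxed to external-style filtering (/enablesidhistory:yes)
USES_RC4_ENCRYPTION = 0x80


def classify_trust(t: dict) -> dict:
    """Map one trustedDomain record onto the deck's trust categories."""
    attrs = t["trustAttributes"]
    if t["trustType"] == 3:
        kind = "realm"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    elif attrs & WITHIN_FOREST:
        kind = "intraforest"      # parent-child, tree-root or shortcut: always transitive
    else:
        kind = "external"

    if kind == "external":
        transitive = False
    elif kind == "realm":
        transitive = not attrs & NON_TRANSITIVE
    else:
        transitive = True         # for a forest trust: across the two forests, not to a third

    # SID filtering: a forest trust filters by default unless relaxed to external
    # behaviour; an external trust filters only when the quarantine bit is set;
    # inside a forest, and for MIT realms, the question does not arise in this form.
    if kind == "forest" and not attrs & TREAT_AS_EXTERNAL:
        sid_filtering = True
    elif kind in ("intraforest", "realm"):
        sid_filtering = None
    else:
        sid_filtering = bool(attrs & QUARANTINED_DOMAIN)

    return {
        "name": t["name"],
        "kind": kind,
        "partner_type": TRUST_TYPE.get(t["trustType"], "unknown"),
        "direction": TRUST_DIRECTION[t["trustDirection"]],
        "transitive": transitive,
        "sid_filtering": sid_filtering,
        "selective_auth": bool(attrs & CROSS_ORGANIZATION),
    }


def audit_trusts(trusts: list) -> list:
    """Flag trusts through which outside principals are accepted with weak controls.

    An outbound (or bidirectional) trust means this domain trusts the partner, so
    the partner's users authenticate here; without SID filtering, a SID in their
    SID history naming one of our privileged groups would be honoured.
    """
    findings = []
    for t in trusts:
        c = classify_trust(t)
        accepts_partner = t["trustDirection"] in (2, 3)
        if accepts_partner and c["sid_filtering"] is False:
            findings.append(f"{t['name']}: {c['kind']} trust without SID filtering")
        if c["kind"] == "external" and t["trustType"] == 1:
            findings.append(f"{t['name']}: downlevel (NTLM-only) trust to a Windows NT 4.0 domain")
    return findings


SAMPLE_TRUSTS = [  # constructed records, attribute names as in the directory
    {"name": "paris.contoso.msft", "trustType": 2, "trustDirection": 3, "trustAttributes": WITHIN_FOREST},
    {"name": "fabrikam.com", "trustType": 2, "trustDirection": 3, "trustAttributes": FOREST_TRANSITIVE},
    {"name": "LEGACYNT", "trustType": 1, "trustDirection": 2, "trustAttributes": NON_TRANSITIVE},
    {"name": "ATHENA.MIT.EDU", "trustType": 3, "trustDirection": 1, "trustAttributes": NON_TRANSITIVE},
]

if __name__ == "__main__":
    for trust in SAMPLE_TRUSTS:
        print(classify_trust(trust))
    for finding in audit_trusts(SAMPLE_TRUSTS):
        print("FINDING:", finding)
```

On a live domain the same records come from an LDAP search for (objectClass=trustedDomain) under CN=System; the direction semantics matter when reading them, because "outbound" on our side is the direction that lets the partner's principals in.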