
Lesson 2

Lesson 2 Working with Active Directory


Learning Objectives
Students will learn to:
- Describe the purpose and function of Active Directory.
- Understand the structure of Active Directory.
- Understand the function of groups, functional levels, sites, the global catalog, and FSMO roles in an Active Directory environment.
- Raise domain and forest functional levels.
- Configure Active Directory sites.
- Administer FSMOs, the global catalog, and trusts.
- Create and manage OU, user, group, and computer objects.
- Configure GPOs.

Key Terms
Active Directory Domains and Trusts: A Windows utility that manages Active Directory trust relationships and domain functional levels.
Active Directory Sites and Services: A Windows utility that manages site objects and Global Catalog functionality for an Active Directory domain.
Active Directory Users and Computers: A Windows utility that manages Active Directory objects.
Bridgehead Server: A domain controller that is responsible for intersite replication.
Container Object: An Active Directory object that contains other Active Directory objects.
Directory Partitions: Divisions of the Active Directory database (schema, configuration, domain, and application partitions).
Distribution Group: A group type that can be used to relay email to the members of the group; it has no SID and cannot be assigned permissions.
Domain: A portion of the Domain Name Space that forms an administrative and replication boundary within a forest.
Domain Controller (DC): A computer that hosts the Active Directory database.
Domain Functional Level: A mode that indicates the level of backwards compatibility for Active Directory domain controllers within a domain.
Domain Naming Master: An Active Directory FSMO role that enforces the uniqueness of domain names within a forest.
Dynamic Update: The process whereby a computer automatically creates or updates its DNS records on a DNS server.
Flexible Single Master Operations (FSMO): A domain controller role that provides a unique function within an Active Directory domain or forest.
Forest: The largest container object within Active Directory.
Forest Functional Level: A mode that represents the level of backwards compatibility for legacy domain controllers within an Active Directory forest.
Forest Root Domain: The first domain within an Active Directory forest.
Global Catalog (GC): An Active Directory database and service that records a partial replica of every object in the forest (including user and group objects) to ensure quick access and searching across domains.
Globally Unique IDentifier (GUID): A unique number assigned to every Active Directory object.
Group Policy Objects (GPOs): Objects that contain a set of configuration settings that are applied to users and computers.
Group Scope: The property of a group that determines which domains can assign permissions to the group and which accounts the group can contain.
Infrastructure Master: An FSMO role that updates references to objects in other domains (for example, cross-domain group memberships) within its domain.
Kerberos: The authentication protocol used by Active Directory.
Leaf Object: An object within Active Directory that does not contain other Active Directory objects.
Lightweight Directory Access Protocol (LDAP): The protocol used to search the Active Directory database.
PDC Emulator: An FSMO role that manages time synchronization, password changes, and replication to Windows NT4 backup domain controllers (BDCs) within an Active Directory domain.
RID Master: An FSMO role that generates Relative Identifiers for objects within a domain.
Schema Master: The FSMO role that has the ability to modify the Active Directory schema.
Security Accounts Manager (SAM): The portion of the Windows registry that contains local user accounts and user accounts within a Windows NT4 domain.
Security Group: An Active Directory group type that can be assigned permissions and rights to resources.
Security IDentifier (SID): A unique identifier assigned to each security principal (user, group, or computer account) for use in permissions and rights assignments.
Service Record (SRV): A DNS record that is used to list services that are available on a specific computer.
Site Link: An object that is used to represent the physical connection between sites.
Site Object: An object that represents a physical location with a fast interconnect.
Subnet Object: An Active Directory object that represents an IP network used by a site object.
Tree: A group of Active Directory domains within the same forest that share a contiguous domain name suffix.
Trust Relationship: An association between two Active Directory, NT4, or Kerberos domains that allows for remote resource access. It is also called a trust.
Universal Group Membership Caching (UGMC): A feature of an Active Directory site that allows domain controllers within the site to cache universal group memberships to speed logon times in a native mode domain.
User Principal Name (UPN): The unique name assigned to a user account in an Active Directory forest.



Knowledge Assessment: Fill in the Blank
Complete the following sentences by writing the correct word or words in the blanks provided.
1. To begin an AD installation, you can run the dcpromo.exe command.
2. The authentication protocol used by Windows 2000 and later computers in a domain is called Kerberos.
3. The PDC Emulator FSMO role is responsible for time synchronization across the domain.
4. To complete the authentication process in a domain that is at the Windows 2000 Native functional level or higher, a Global Catalog server must be contacted.
5. Following an AD installation, you should verify the existence of SRV records on the DNS server that holds the zone for the AD domain.
6. The general principle used when using groups in a large forest is represented by the letters A G U DL P.
7. To view the DC that holds the Schema Master FSMO role, you must use the Active Directory Schema MMC snap-in.
8. A(n) Distinguished Name (DN) is an LDAP name used to describe each object within AD.
9. To speed up resource access across child domains in your forest, you can create shortcut trusts.
10. To enable Universal Group Membership Caching, you must use the Active Directory Sites and Services console.
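The following PowerShell script is an added example and is not part of the original lesson. It performs the checks behind items 5 and 7 on a freshly promoted domain controller: it resolves the SRV records that clients use to locate DCs, KDCs, the global catalog and the PDC Emulator, and it reads every FSMO role holder from the directory without the Active Directory Schema snap-in. It assumes the ActiveDirectory module (RSAT) and the Resolve-DnsName cmdlet (Windows 8 / Windows Server 2012 or later); the domain name is taken from the DC itself.

```powershell
# Added example, not from the original lesson. Assumes the ActiveDirectory and
# DnsClient modules; the domain name is read from the directory.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# SRV records that Netlogon registers through dynamic update after a promotion.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # every domain controller
    "_kerberos._tcp.dc._msdcs.$domain",  # every KDC
    "_ldap._tcp.pdc._msdcs.$domain",     # the PDC Emulator
    "_gc._tcp.$domain"                   # global catalog servers
)

function Test-DcSrvRecords {
    param([string[]]$Names)
    $missing = @()
    foreach ($name in $Names) {
        try {
            Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                Select-Object Name, NameTarget, Port, Priority, Weight |
                Format-Table -AutoSize | Out-Host
        } catch {
            Write-Warning "SRV record missing: $name ($($_.Exception.Message))"
            $missing += $name
        }
    }
    return $missing
}

$missing = Test-DcSrvRecords -Names $srvNames
if ($missing.Count -gt 0) {
    # A missing record usually means the DC could not register with DNS; force
    # re-registration on the DC and re-test before looking anywhere else.
    Write-Warning "Run 'nltest /dsregdns' on the DC (or 'ipconfig /registerdns') and re-test."
}

# FSMO holders: forest-wide roles are attributes of the forest object, the
# domain roles are attributes of the domain object.
$forest = Get-ADForest
$dom    = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
} | Format-List

# Site membership, GC status and role ownership of every DC in the domain.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Legacy equivalents: netdom query fsmo ; dcdiag /test:dns ; nltest /dsgetdc:$domain
```

Run it from any domain-joined machine with RSAT; a warning for _gc._tcp immediately after the first promotion is expected only until the DC has finished building its global catalog.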

Multiple Choice
Circle the letter that corresponds to the best answer.

1. You receive an object-related error when attempting to create a new user account within your domain. What FSMO role should you ensure is online to complete the addition of the user account?
a. PDC Emulator
b. Domain Naming Master
c. Infrastructure Master
d. RID Master
Answer: d. The RID Master allocates the pools of Relative Identifiers that DCs use to build SIDs for new objects; a DC whose pool is exhausted cannot create security principals until it can reach the RID Master.

2. You plan on promoting an existing Windows Server 2003 computer to become an additional domain controller in your domain. To which group must the user account you specify during the AD installation belong, at a minimum?
a. Domain Users
b. Domain Admins
c. Enterprise Admins
d. Schema Admins
Answer: b. Domain Admins have the ability to add additional DCs to their domain. Enterprise Admins also have this ability, but can do so in any domain within the forest, which is more than the minimum required.

3. Which of the following utilities must you use to seize a FSMO role?
a. ntdsutil.exe
b. dcpromo.exe
c. Active Directory Domains and Trusts
d. Active Directory Sites and Services
Answer: a. Of the utilities listed, only ntdsutil.exe can seize a FSMO role; the MMC consoles can only transfer a role from a holder that is still online.

4. Which of the following are container objects in the AD database? (Choose all that apply.)
a. group policy
b. site
c. domain
d. OU
Answer: b, c, d. Sites, domains and OUs can contain objects within AD. GPOs are objects themselves.

5. Which of the following objects is used to locate the correct site for a newly installed DC?
a. site link
b. subnet
c. locator
d. bridgehead
Answer: b. Subnet objects are linked to a site and are used to determine the correct site for a DC that is configured with an address in a particular subnet.

6. Several users called you today stating that they could not change their passwords. After investigating, you also noticed that the time on their computers was incorrect. Which of the following FSMO roles may be unavailable?
a. PDC Emulator
b. RID Master
c. Infrastructure Master
d. Schema Master
Answer: a. The PDC Emulator is responsible for password changes and time synchronization.

7. Which of the following DCs are allowed to participate in a Windows 2000 Native mode domain? (Choose all that apply.)
a. Windows NT4 Server
b. Windows 2000 Server
c. Windows Server 2003
d. Windows Server 2008
Answer: b, c, d. Only Windows 2000 Server and later operating systems can participate in a domain that is running at the Windows 2000 Native functional level.

8. A single user within your organization calls you for help after having trouble logging on to the domain. Upon further investigation you notice that the user is able to log on to the domain from another computer and that no users are able to successfully log on to the domain from the user's original computer. What is the most likely cause of the problem?
a. The time on the computer is incorrect and must be changed
b. The user account has been disabled and must be enabled
c. The user account has been locked and must be unlocked
d. The computer account for the user's computer has become corrupted and must be reset
Answer: d. When a computer account becomes corrupted, no user will be able to log on to the domain from the affected computer. To remedy the situation, the computer account must be reset; on the affected computer, Test-ComputerSecureChannel -Repair (or netdom reset) re-establishes the secure channel with the domain.

9. You wish to create a group that will contain the Marketing staff within your own domain. This group will be assigned permissions to resources in other domains within your forest. What is the most appropriate scope for this new group?
a. Local
b. Global
c. Domain Local
d. Universal
Answer: b. Global groups can contain members from the local domain and can be granted permissions anywhere in the forest. Although Universal groups can be used for the same purpose, it is recommended that you minimize the use of Universal groups, since their membership is replicated to every GC in the forest.

10. When attempting to remove AD from an existing DC that you wish to decommission, you receive an error message. Which switch to the dcpromo.exe command will allow you to remove this DC from the domain?
a. /force
b. /remove
c. /forceremoval
d. /f
Answer: c. The /forceremoval switch to the dcpromo.exe command will remove AD if the dcpromo.exe wizard returns an error. Because a forced removal does not update the rest of the forest, the decommissioned DC's metadata must afterwards be cleaned up (with ntdsutil metadata cleanup, or by deleting the DC's computer and NTDS Settings objects) so that other DCs stop trying to replicate with it.
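The following PowerShell script is an added example and is not part of the original lesson. It applies the A G DL P principle from question 9: accounts go into a Global group, the Global group is nested into a Domain Local group in the domain that owns the resource, and the permission is granted to the Domain Local group only. The domain corp.example (NetBIOS name CORP), the OU OU=Groups, the users alice and bob and the share \\fs01\Marketing are placeholders; the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example, not from the original lesson. Domain, OU, users and share path
# below are placeholders; the ActiveDirectory module is assumed.
Import-Module ActiveDirectory

$groupOu = "OU=Groups,DC=corp,DC=example"

# A -> G: accounts are members of a Global group (members must come from this domain).
$marketing = New-ADGroup -Name "Marketing Staff" -SamAccountName "Marketing-Staff" `
    -GroupScope Global -GroupCategory Security -Path $groupOu -PassThru
Add-ADGroupMember -Identity $marketing -Members "alice", "bob"

# G -> DL: the resource-side group is Domain Local in the domain that owns the
# resource. It may contain Global groups from any trusted domain in the forest,
# so the Marketing group does not need Universal scope to be used cross-domain.
$share = New-ADGroup -Name "ACL-MarketingShare-Modify" -SamAccountName "ACL-MarketingShare-Modify" `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOu -PassThru
Add-ADGroupMember -Identity $share -Members $marketing

# DL -> P: the permission is granted to the Domain Local group, never to users.
$path = "\\fs01\Marketing"
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\ACL-MarketingShare-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify that the nesting expands to the intended accounts.
Get-ADGroupMember -Identity $share -Recursive | Select-Object SamAccountName, objectClass

# Verify a single account's direct memberships and their scopes.
Get-ADPrincipalGroupMembership -Identity "alice" | Select-Object Name, GroupScope
```

Run it as a Domain Admin (or a delegated group administrator with write access to the share's ACL). A Domain Local group created in a second domain of the forest can nest the same "Marketing Staff" Global group in exactly the same way, which is why the Global scope answers question 9 without a Universal group.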

True/False
Circle T if the statement is true or F if the statement is false.
1. Tokens are issued to users following authentication and used to provide access to resources that list the user in their ACL. (True)
2. When a domain functional level is set to Windows 2000 Interim, only Windows 2000 and later DCs are allowed to participate in domain authentication. (False)
3. Global groups may only be used in the local domain but can contain objects from any domain in the forest. (False)
4. Computer objects may be managed using the Active Directory Users and Computers console. (True)
5. By default, two-way transitive trusts exist between all domains in a forest. (False)
6. To control replication, you configure the properties of site link objects. (True)
7. When possible, you should ensure that each site in the forest contains a DC that hosts the GC. (True)
8. You can configure Group Policy using the Active Directory Domains and Trusts console. (False)
9. The Domain Naming Master FSMO role should be on a DC that hosts the GC. (True)
10. A single AD domain can contain an unlimited number of objects. (True)

Answers: 1. True 2. False 3. False 4. True 5. False 6. True 7. True 8. False 9. True 10. True

Review Questions
1. Explain why it is important to create sites after deploying your first domain in the forest.
It is important to create sites after deploying your first DC in the forest so that additional DCs are automatically added to the appropriate site based on their IP subnet. If DCs are located in different sites, AD replication will not occur as frequently across the sites by default (it is compressed and scheduled over site links), which results in less WAN link congestion.

2. Why will understanding the function and location of your FSMO roles help you troubleshoot AD problems?
FSMO roles provide unique functions within an AD domain and forest. Understanding FSMO roles will help you identify whether an AD-related problem (for example, failed password changes, clock skew, or an inability to create new objects) is the result of a failed FSMO holder. Knowing which DCs hold these FSMOs will help you locate a failed role holder quickly so that you can transfer the role, or seize it on another DC if the holder cannot be recovered.

3. Give some reasons why each AD site should contain a DC that hosts the GC.
Since the GC contains a partial replica of all forest objects, placing a GC in each site will speed up access to resources that are not in the current domain. In addition, for domains that are at the Windows 2000 Native or higher functional level, universal group membership is stored in the GC and a GC must be contacted during the logon process. As a result, placing a GC in each site ensures that logon traffic is kept local to each site for these domains, and that logons still succeed when the WAN link is down.

4. Explain why AD domains are a security and replication boundary.
Domains provide a security boundary because they have different administrator accounts and GPOs, and they prevent external access to resources unless a trust relationship exists. Note, however, that Microsoft now treats the forest, not the domain, as the true security boundary: a Domain Admin in any domain of a forest can compromise the entire forest (for example through SID history or by acting on the forest root), so a domain is better described as an administrative boundary. Domains also provide a replication boundary since most replication occurs in the domain partition of the AD database. This domain partition is shared only by DCs in the same domain. Only the less frequent replication of schema and configuration partition information is sent to all DCs in the forest.
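The following PowerShell script is an added example and is not part of the original lesson. It shows the distinction that review question 2 and multiple-choice question 3 rely on: a FSMO role is transferred while its holder is still online, and seized (forced) only when the holder is gone for good. The surviving DC name DC2 is a placeholder; the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and Test-NetConnection (Windows 8.1 / Windows Server 2012 R2 or later) are assumed.

```powershell
# Added example, not from the original lesson. DC2 is a placeholder for the DC that
# should take over the domain roles; the ActiveDirectory module is assumed.
Import-Module ActiveDirectory

$target = "DC2"
$domain = Get-ADDomain

function Test-DcOnline {
    param([string]$HostName)
    # A DC that answers ping but no longer serves LDAP is still "down" for this
    # purpose, so probe port 389 instead of ICMP.
    return (Test-NetConnection -ComputerName $HostName -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue)
}

$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    if ($holder -ieq "$target.$($domain.DNSRoot)") { continue }   # already on the target

    if (Test-DcOnline -HostName $holder) {
        # Holder reachable: a transfer is graceful and the old holder learns that
        # it no longer owns the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole $role -Confirm:$false
        Write-Host "Transferred $role from $holder to $target"
    } else {
        # Holder unreachable: seize. The old holder must never be brought back
        # online afterwards; rebuild it and clean up its metadata instead.
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole $role -Force -Confirm:$false
        Write-Warning "Seized $role from unreachable $holder onto $target"
    }
}

# Verify from the directory, not from memory.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# ntdsutil equivalent of seizing the PDC Emulator (one interactive session on one line):
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "seize pdc" "quit" "quit"
```

Before seizing the Infrastructure Master, check whether the target is a GC: as the case scenario below notes, the Infrastructure Master should not sit on a GC unless every DC in the domain is one. Seizing the Schema Master or Domain Naming Master works the same way with -OperationMasterRole SchemaMaster or DomainNamingMaster, run by a member of Schema Admins or Enterprise Admins respectively.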

Case Scenarios

Scenario 2-1: Designing a Forest
You are the network administrator for a shipping company that has locations in the U.S., Canada and Japan. There are 5 offices in the U.S., 3 offices in Canada, and 3 offices in Japan. In a short memo, diagram a sample forest, domain and OU structure that will accommodate this organization.
Answers will vary, but will include either different domains for each location, different domains for each country with country-specific locations represented by OUs, or a single domain with OUs to represent all locations.

Scenario 2-2: Planning for Sites, GC and FSMO Roles
In the forest diagram that you created for the company described in Scenario 2-1, label the appropriate sites that should be created to ensure efficient replication. Assuming that each site has a minimum of two DCs, label the location of GC servers and FSMO roles.
Answers will vary, but will include a site for each location. In addition, there should be a GC on at least one DC in each site (or UGMC enabled on the site otherwise). The placement of FSMOs will be different for each answer, but in general they should be moved from their default locations to provide better fault tolerance should a single DC fail. The Domain Naming Master FSMO should be on a GC server (a requirement in Windows 2000 forests; from the Windows Server 2003 forest functional level onward it is a convention rather than a requirement), whereas the Infrastructure Master FSMO in each domain should not be on a GC server, unless every DC in that domain is also a GC, in which case the role has nothing to update and its placement does not matter.
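The following PowerShell script is an added example and is not part of the original lesson. It builds the site topology the answer to Scenario 2-2 describes for a subset of the offices: one site and subnet per office, site links whose cost and interval favour domestic replication, a GC in the larger sites, and UGMC in a small site that keeps a DC but no GC. The site names, subnets and DC names are placeholders; the ActiveDirectory module from Windows Server 2012 or later RSAT is assumed (the *-ADReplication* cmdlets do not exist in earlier versions, where Active Directory Sites and Services is used instead).

```powershell
# Added example, not from the original lesson. Site names, subnets and DC names are
# placeholders; the ActiveDirectory module (Windows Server 2012 or later) is assumed.
Import-Module ActiveDirectory

# One site per office. Every office subnet must be mapped, otherwise new DCs and
# clients fall into Default-First-Site-Name and replicate/log on across the WAN.
$offices = @(
    @{ Site = "US-Chicago"; Subnet = "10.1.0.0/16" },
    @{ Site = "US-Dallas";  Subnet = "10.2.0.0/16" },
    @{ Site = "CA-Toronto"; Subnet = "10.21.0.0/16" },
    @{ Site = "JP-Tokyo";   Subnet = "10.41.0.0/16" }
)

foreach ($o in $offices) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($o.Site)'")) {
        New-ADReplicationSite -Name $o.Site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($o.Subnet)'")) {
        New-ADReplicationSubnet -Name $o.Subnet -Site $o.Site
    }
}

# Site links: lower cost is preferred by the KCC; the interval (15-minute minimum)
# is how often inter-site replication runs. Do not leave every site on DEFAULTIPSITELINK.
New-ADReplicationSiteLink -Name "US-Core" -SitesIncluded "US-Chicago", "US-Dallas" `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "US-CA" -SitesIncluded "US-Chicago", "CA-Toronto" `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "US-JP" -SitesIncluded "US-Chicago", "JP-Tokyo" `
    -Cost 400 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# A DC promoted before the subnets existed must be moved by hand; later DCs pick
# their site from their IP address automatically.
Move-ADDirectoryServer -Identity "DC3" -Site "CA-Toronto"

# Make one DC in a site a GC by setting bit 1 (IS_GC) on its NTDS Settings object.
# OR the bit in rather than overwriting, so other option bits already set survive.
function Enable-GlobalCatalog {
    param([string]$SiteName)
    $dc = Get-ADDomainController -Filter "Site -eq '$SiteName'" | Select-Object -First 1
    if (-not $dc) { throw "No DC found in site $SiteName" }
    $settings = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $settings -Replace @{ options = ([int]$settings.options -bor 1) }
    return $dc.HostName
}
Enable-GlobalCatalog -SiteName "US-Chicago"
Enable-GlobalCatalog -SiteName "CA-Toronto"

# A small site with a DC but no GC: cache universal group membership, refreshed
# from the nearest GC site, so logons there do not depend on the WAN.
Set-ADReplicationSite -Identity "JP-Tokyo" -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite "US-Chicago"

# Confirm the resulting topology.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```

Run it as an Enterprise Admin, since sites, subnets and site links live in the forest-wide configuration partition. After the change, the DC chosen by Enable-GlobalCatalog advertises itself in DNS (the _gc._tcp record) only once it has finished replicating the partial replicas of the other domains, so verify with Get-ADDomainController rather than assuming the flag took effect immediately.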

