
WINDOWS 2000 SERVER & ACTIVE DIRECTORY CONFIGURATION

Overview

Figure 1 below shows the basic server configuration.

Figure 1. The Server Configuration

Server Disk Configuration

To use a single server for the infrastructure in this guide, you need a
server with either two disk drives or a single disk drive with two
partitions. (Some step-by-step guides in this series require additional
servers or other equipment; those additions are addressed in the
specific guide.)

The first disk or partition holds Windows 2000 and the other files for
the common infrastructure, such as the Windows Installer packages
and application source files.

The second disk or partition is reserved for procedures in other
step-by-step guides. For example, it holds the operating system images
for the "Step-by-Step Guide to Remote OS Installation."

Each disk or partition must hold several gigabytes of information, and
each disk or partition must be formatted for the NTFS file system. The
steps for creating partitions and formatting them are contained within
this guide.

Server Installation

This installation procedure starts with making boot disks. You start the
installation after booting from these disks. This procedure is used for
these guides so that you can easily reconfigure the disk partitions.

Note: When you configure partitions and format drives, any data on
the server hard drive is destroyed.

Making the Windows 2000 Installation Floppy Disks

You need four formatted disks and the Windows 2000 Server CD. On a
computer running a 32-bit version of the Windows operating system:

1. Insert the Windows 2000 Server CD into the CD-ROM drive.
2. When prompted, Would you like to upgrade to Windows
2000, click No.
3. On the Windows 2000 Server CD splash screen, click Browse
This CD.
4. When a list of folders appears, double-click the BOOTDISK
folder.
5. Double-click MAKEBT32.
6. At the prompt, Please specify the floppy drive to copy the
images to, type: A.
7. Insert the first disk, and press Enter.
8. Follow the instructions to create the remaining three disks.
9. Close the BOOTDISK folder and close the Windows 2000 CD
splash screen.

Beginning the Installation

Setup creates the disk partitions on the computer running Windows
2000 Server, formats the drive, and then copies installation files from
the CD to the server.

Note: These instructions assume you are installing Windows 2000
Server on a computer that is not already running Windows. If you are
upgrading from an older version of Windows, some of the installation
steps may differ.

1. Insert the Windows 2000 Server installation floppy disk number
one.
2. Restart the computer. The Windows 2000 Server installation
begins.
3. Insert the remaining three Windows 2000 Server installation
disks as prompted by Windows 2000 Setup.
4. At the Welcome to Setup screen, press Enter.
5. Review and if acceptable, agree to the license agreement by
pressing F8.

Note: If you had a previous version of Windows 2000 installed
on this server, you might get a message asking if you want to
repair the drive. Press Esc to continue and not repair the drive.

6. Follow the instructions to delete all existing disk partitions. The
exact steps will differ based on the number and type of partitions
already on the computer. Continue to delete partitions until all
disk space is labeled as Unpartitioned space.
7. When all disk space is labeled as Unpartitioned space, press C
to create a partition in the unpartitioned space.
8. If your server has a single disk drive, split the available disk
space in half to create two equal sized partitions. Delete the total
space default value. Type the value of half your total disk
space at the Create partition of size (in MB) prompt. Press
Enter. (If your server has two disk drives, type the total size of
the first drive at this prompt.)
9. After the New (Unformatted) partition is created, press Enter.
10. Select Format the partition using the NTFS file system (the
default selection) and press Enter. Remove the floppy disk from
the drive.

Windows 2000 Setup formats the partition and then copies the files
from the Windows 2000 Server CD to the hard drive. The computer
restarts, and the Windows 2000 Installation Program continues.

Continuing the Installation

This procedure continues the installation with the Windows 2000
Server Setup Wizard.

1. When the Welcome to the Windows 2000 Setup Wizard page
appears, click Next. Windows 2000 then detects and installs devices.
This can take several minutes, and during the process your screen
may flicker.
2. In the Regional Settings dialog box, make changes required for
your locale (typically, none are required for the United States),
and click Next.
3. In the Personalize Your Software dialog, type Mike Nash in
the Name box and type Reskit in the Organization box. Click
Next.
4. Type the Product Key (found on the back of your Windows 2000
CD case) in the text boxes provided. Click Next.
5. In the Licensing Modes dialog box, select the appropriate
licensing mode for your organization and click Next.
6. In the Computer Name and Administrator Password dialog
box, type the new computer name HQ-RES-DC-01 in the
computer name box and click Next.

Best Practice: To facilitate the steps in these guides, the
Administrator password is left blank and there is no password.
This is bad security practice. When installing a server for your
production network, a password should always be set.

7. In the Windows 2000 Components dialog box, click Next.
Wait while networking components are installed. This takes a few
minutes.
8. In the Date and Time Settings dialog, correct the current date
and time if necessary and click Next.
9. In the Networking Settings dialog, make sure Typical
Settings is selected and then click Next.
10. In the Workgroups or Computer Domain dialog box, No is
selected by default, then click Next.

Note: A domain name could be specified at this point, but this
guide uses the Configure Your Server Wizard to create the
domain name at a later time.

Windows 2000 Server Installation continues and configures the
necessary components. This takes a few minutes.

11. When you reach the Completing the Windows 2000 Setup
Wizard, remove the CD-ROM from the drive and click Finish.

The server restarts and the operating system loads from the hard
drive.

Configuring Your Server as a Domain Controller

Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), and
DCPromo (the command-line tool that creates DNS and Active Directory) can be
installed manually or by using the Windows 2000 Configure Your Server Wizard.
This guide uses the wizard; the manual procedures are not covered here.

1. Press Ctrl-Alt-Del and log on to the server as administrator. Leave the
password blank.
2. When the Windows 2000 Configure Your Server page appears, select This is
the only server in my network and click Next.
3. Click Next to configure the server as a domain controller and set up Active
Directory, DHCP, and DNS.
4. On the What do you want to name your domain page, type Reskit.
5. In the Domain name box, type com. Click on the screen outside of the textbox
to see the Preview of the Active Directory domain name. Click Next.

Note: As shown in Figure 2 below, the combined name appears as reskit.com in
the Preview of Active Directory domain name box. The wizard puts the dot (.)
into the name.

Figure 2. Configure Your Server Wizard

6. Click Next to run the wizard. When prompted, insert the Windows 2000
Server CD-ROM. When the wizard is finished, the machine reboots.

The Configure Your Server Wizard installs DNS and DHCP and configures DNS,
DHCP, and Active Directory. The default values set by the wizard are:

DHCP Scope: 10.0.0.3-10.0.0.254

Preferred DNS Server: 127.0.0.1

IP address: 10.10.1.1

Subnet mask: 255.0.0.0

Reskit.com is the Active Directory domain and DNS name, and reskit
is the down-level domain name.

Format the Second Disk Drive or Partition

Warning: Formatting the partition destroys any data on the partition.
Make sure you do this only if necessary, and that you select the
correct partition.

1. Log on to the server as the Administrator.
2. Clear the Show this screen at start-up check box in the
Configure Your Server Wizard, and close the wizard.
3. Click Start, point to Programs, then point to Administrative
Tools, and click Computer Management. The Computer
Management snap-in appears.
4. Click the + next to Storage if the folder is not already
expanded.
5. Click the Disk Management folder.
6. Right-click unallocated disk space and click Create partition.
7. The Welcome to the Create Partition wizard appears. Click
Next.
8. Select Extended Partition, and click Next.
9. Accept the specified partition size by clicking Next, and then
click Finish.
10. Right-click Free space and then click Create logical drive.
11. The Welcome to the Create Partition wizard appears. Click
Next.
12. Select Logical drive, and click Next.
13. Accept the specified partition size by clicking Next.
14. Accept the default drive letter by clicking Next.
15. On the Format Partition page, accept the defaults for File system
to use (NTFS format and the entire size of the partition),
Allocation unit size, and Volume label. Click Next and then click
Finish. The drive or partition will be formatted. This may take
some time depending on the size of the disk and the speed of
the computer. At the end, your window should look similar to
Figure 3 below.

Figure 3. Disk Management Snap-In Window

Note: You might get an error message saying Volume is open
or in use. Request cannot be completed. This is a timing
error because you just created the partition. If you receive this
message, click OK, then right-click the partition again and click
Format. Accept all defaults and click OK. You receive a warning
that continuing the format will erase all data. Click OK.

16. After the disk or partition has been formatted, close the Disk
management snap-in.

Active Directory

Active Directory Sample Infrastructure

The common infrastructure is based on the fictitious company Reskit.

Reskit has the DNS name reskit.com that was configured using the Configure Your
Server Wizard in the preceding section. Figure 4 below illustrates the sample Active
Directory structure.

Figure 4. Sample Active Directory Structure

Of most interest here are the Domain (reskit.com), and the Accounts, Headquarters,
Production, Marketing, Groups, Resources, Desktops, Laptops, and Servers
organizational units (OUs). These are represented by circles in Figure 4. OUs exist for
the delegation of administration and for the application of Group Policy and not to
simply mirror a business organization. Please see the Windows 2000 Deployment Guide
chapter, "Designing the Active Directory Structure," for an in-depth discussion on
creating an OU structure.

Populating Active Directory

This section describes how to manually create the OUs, Users, and Security Groups
outlined in Appendix A of this document.

To create Organizational Units and Groups

1. Click Start, point to Programs, then point to Administrative Tools, and click
Active Directory Users and Computers.
2. Click the + next to Reskit.com to expand it. Click Reskit.com itself to show its
contents in the right pane.
3. In the left pane, right-click Reskit.com, point to New, and click Organizational
Unit.
4. Type Accounts in the name box, and click OK.
5. Repeat steps 3 and 4 to create the Groups and Resources OUs. These three OUs
now show up in the right pane.
6. Click Accounts in the left pane. Its contents now display in the right pane (it is
empty to start).
7. Right-click Accounts, point to New, and click Organizational Unit.
8. Type Headquarters, and click OK.
9. Repeat steps 6 and 7 to create the Production and Marketing OUs under
Accounts. When you have finished, the OU structure should look like Figure 5
below:

Figure 5. Create Organizational Units

10. In the same way, create Desktops, Laptops, and Servers under the Resources OU.
11. Create the two security groups by right-clicking Groups, then pointing to New,
then clicking Group. The two groups to add are Management and Non-
management. The settings for each group should be Global and Security. Click
OK to create each group.

To create User Accounts

1. In the left-hand screen, click the + next to the Accounts folder
to expand it.
2. Click Headquarters (under Accounts) in the left-hand screen.
Its contents now display in the right pane (it is empty at the
beginning of this procedure).
3. Right-click Headquarters, point to New, and click User.
4. Type Teresa for the first name and Atkinson for the last name.
(Note that the full name is automatically filled in at the full name
box.)
5. Type Teresa for the User logon name. The window will look
like Figure 6 below:

Figure 6. Adding a User

6. Click Next.
7. Click Next on the Password page to accept the defaults.
8. Click Finish. Teresa Atkinson now displays on the right-hand
screen, as a user under Reskit.com/Accounts/Headquarters.
9. Repeat steps 2 through 7, adding the names listed in Appendix A
for the Headquarters OU. When you are finished, the
Headquarters OU screen appears as illustrated in Figure 7 below.

Figure 7. User listing in the Headquarters OU

10. Repeat steps 1 through 8 to create the users in the Production
and Marketing OUs.

To add Users to Security Groups

1. In the left pane, click Groups.
2. In the right pane, double-click the group Management.
3. Click the Members tab and then click Add.
4. Select the users in the upper pane as shown in Figure 8 below by
holding down the ctrl key while clicking each name; click Add to
add them all at once. (The users who should be members of this
security group are listed in Appendix A.) Their names will display
in the bottom pane. Click OK to accept.

Figure 8. The members of the Management group are drawn
from three OUs.

5. Repeat steps 2 through 4 to add members to the Non-
management group.
6. Close the Active Directory Users and Computers snap-in.
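The OU, group and user structure built by hand in the three procedures above can also be written as an LDIF file and imported with ldifde.exe, which ships with Windows 2000 Server. The generator below is an added example and is not part of the guide: it assumes the reskit.com domain (DC=reskit,DC=com) from the Configure Your Server section and the OU, group and user names given above; because Appendix A is not reproduced on this page, the two extra users and all group memberships are constructed placeholders.

```python
"""Emit LDIF that reproduces the Reskit OU, group and user structure from
this guide, for import with ldifde.exe on the domain controller.

Added example, not from the guide. Assumes DC=reskit,DC=com. Teresa Atkinson
(logon name Teresa) is the one user the guide names; the other two users and
every group membership below are constructed placeholders standing in for the
Appendix A listing, which is not reproduced on this page."""

import base64

DOMAIN_DN = "DC=reskit,DC=com"
DNS_DOMAIN = "reskit.com"

# OU name and its parent path below the domain; () means directly under the domain.
OU_TREE = [
    ("Accounts", ()), ("Groups", ()), ("Resources", ()),
    ("Headquarters", ("Accounts",)), ("Production", ("Accounts",)),
    ("Marketing", ("Accounts",)),
    ("Desktops", ("Resources",)), ("Laptops", ("Resources",)),
    ("Servers", ("Resources",)),
]

# (first name, last name, logon name, OU path, group); placeholders are constructed.
USERS = [
    ("Teresa", "Atkinson", "Teresa", ("Accounts", "Headquarters"), "Management"),
    ("Placeholder", "One", "puser1", ("Accounts", "Production"), "Non-management"),
    ("Placeholder", "Two", "puser2", ("Accounts", "Marketing"), "Non-management"),
]
GROUPS = ["Management", "Non-management"]

# groupType flag bits (ADSI ADS_GROUP_TYPE_ENUM); the guide's groups are Global + Security.
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def signed32(value):
    """AD stores groupType as a signed 32-bit integer: 0x80000002 is written -2147483646."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def ou_dn(path):
    """DN of the OU at the given path from the domain root, e.g. ("Accounts", "Headquarters")."""
    return ",".join(["OU=" + name for name in reversed(path)] + [DOMAIN_DN])


def user_dn(first, last, ou_path):
    return f"CN={first} {last},{ou_dn(ou_path)}"


def ldif_attr(name, value):
    """One 'name: value' line. RFC 2849 forbids non-ASCII, a leading space, ':' or '<',
    and CR/LF/NUL in a plain value, so such values are base64-encoded as 'name:: ...'."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or any(ch in value for ch in "\r\n\0"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def record(dn, attrs):
    """An LDIF add record: dn line, changetype, then the attribute lines."""
    lines = [ldif_attr("dn", dn), "changetype: add"] + [ldif_attr(k, v) for k, v in attrs]
    return "\n".join(lines) + "\n"


def build_ldif():
    """Records in dependency order: OUs, then users, then the groups that reference them."""
    records = []
    for name, parent in OU_TREE:
        records.append(record(ou_dn(parent + (name,)),
                              [("objectClass", "organizationalUnit"), ("ou", name)]))
    members = {g: [] for g in GROUPS}
    for first, last, logon, ou_path, group in USERS:
        dn = user_dn(first, last, ou_path)
        members[group].append(dn)
        # LDIF cannot set a password; AD creates the account disabled until a
        # password is set and the account is enabled.
        records.append(record(dn, [
            ("objectClass", "user"), ("cn", f"{first} {last}"),
            ("givenName", first), ("sn", last), ("displayName", f"{first} {last}"),
            ("sAMAccountName", logon), ("userPrincipalName", f"{logon}@{DNS_DOMAIN}"),
        ]))
    group_type = str(signed32(ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED))
    for group in GROUPS:
        attrs = [("objectClass", "group"), ("cn", group), ("sAMAccountName", group),
                 ("groupType", group_type)] + [("member", dn) for dn in members[group]]
        records.append(record(f"CN={group},{ou_dn(('Groups',))}", attrs))
    return "\n".join(records)


if __name__ == "__main__":
    print(build_ldif())
```

Save the output as reskit.ldf and import it on the domain controller with ldifde -i -f reskit.ldf; the user accounts come up disabled until a password is set for each.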

Important Notes

The example company, organization, products, people, and events
depicted in this step-by-step guide are fictitious. No association with
any real company, organization, product, person, or event is intended
or should be inferred.

This common infrastructure is designed for use on a private network.
The fictitious company name and DNS name used in the common
infrastructure are not registered for use on the Internet. Please do not
use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is
designed to show how Microsoft Windows 2000 Change and
Configuration Management works and functions with the Active
Directory. It was not designed as a model for configuring an Active
Directory for any organization; for such information see the Active
Directory documentation.

Active Directory Architecture

Three critical MMC snap-ins are used to administer Active
Directory. They are:

o Active Directory Users and Computers: Accounts for Logon,
Groups, Partitions, Domain Controllers, Foreign Security
Principals, Builtin System Settings, Resources
o Active Directory Domains and Trusts
o Active Directory Sites and Services

Item                 Organized around       Stored
Sites                Physical IP subnets    ...
Domains              Logical                AD
Domain Controllers   Physical servers       ...
OUs                  Logical                Values in AD
Global Catalog       Physical server        ...

Local account information for each Windows 2000 machine is stored in
a SAM database file (just as it was in NT4).

The SAM database file on a W2K domain controller is used only for
directory services restore mode.

Information on domain accounts (password hashes) is stored in the
Active Directory database file on a domain controller, located at
%systemroot%\ntds\ntds.dit.

Logon Accounts

When a user logs on...

Attribute value / Type / Usage / Scope of uniqueness:

CN=JohnDoe,CN=Users,DC=domain1,DC=com
  (X.500 attributed naming convention: CN=JohnDoe is the object
  name, CN=Users the container, DC=domain1 the domain name, and
  DC=com the domain root which contains the object)
  Type: DN
  Usage: specifies the complete path to the location of an entry (an
  object) in a container hierarchy
  Scope of uniqueness: Complete. Must be unique in its forest because
  every object in AD has an LDAP DN.

John Doe
  Type: RDN
  Usage: LDAP searches within an identified domain
  Scope of uniqueness: Canonical. Must be unique in its own OU, not
  the entire directory.

JohnDoe@domain1.com
  Type: UPN
  Usage: logon name -- each AD user has one
  Scope of uniqueness: Contextual. Must be unique within a single
  domain.

domain1\JohnDoe
  Type: Down-level login name
  Usage: backward compatibility with NT
  Scope of uniqueness: NetBIOS network; stored in a SAM on a DC.

During logon authentication, the DC locator service responds to user
logon attempts by searching for the closest site on the same TCP/IP
subnet (LAN segment) as the user.

Sites on Network

Sites usually correspond to a common physical (geographical) location
on one or more unique TCP subnets. This is because sites are used to
organize LAN and WAN segments to optimize network traffic patterns.

Before Windows 2000, the Microsoft Exchange product used the
concept of sites -- servers "well-connected" with each other. Machines
within a site are usually connected by a high-speed high-bandwidth
(10/100 mbps) LAN rather than a slow-speed (dial-up) WAN.

Sites exist as server and configuration objects within the Global
Catalog. Site configuration objects are used to configure replication
paths.

Sites are NOT part of the logical namespace of domains.

Global Catalog

User authentication begins with access to a global catalog
server. Users are then referred to a domain controller for
logon to a domain.

To designate a DC to be a Global Catalog server, check the
"Global Catalog" property setting in the "Active Directory
Sites and Services" MMC snap-in.

• Each global catalog server is part of a physical site for supporting
logon authentication and replication.
• For redundancy and load balancing, each major site should have
two or more GCs.
• The global catalog servers within the same MDT have the same
schema of objects. Each Global Catalog contains:
o a full replica of all objects in the host domain
o a partial replica (not all attribute values) of objects in other
domains in the MDT.

Domains Are Administrative

A domain is an administrative boundary for security,
replication, and authentication.

Several domains can be joined into trees which share a
common schema.

When a user logs on to any Windows 2000 machine, it
sends the domain user account's authentication
information to the domain controller specified by the UPN
entered by the user.

A local user account has permission only for the local
machine, not the domain.

Each domain is a container for AD information. Because
Windows 2000 enables domains to identify parent-child
associations, domains can now mirror the administrative
hierarchy of an organization.

From the Administrative Tools program group, use "Active Directory
Users and Computers".

• Each domain must have its own domain controller to store the
domain directory containing account information for a domain.
• Windows 2000 does not use NT4 "Primary" and "Backup"
controllers. All domain controllers are equal with the Windows
2000 "multi-master" model.
• All changes made to one domain controller are replicated to all
other domain controllers on its domain.

Dommon.exe Domain Monitor [from the Resource Kit]
monitors the status of Replication and Trusts for Domain Controllers
within user-selected Domains.

To simplify the granting of permissions, users are usually organized
into groups to which permissions are assigned.

Groups

To add, display, or modify global and local groups (aliases):

NET LOCALGROUP

NET GROUP (on domain controllers)

For more information, use the command NET HELP GROUP.

Types of groups:

o Security groups can be granted permissions:
- container object permissions
- individual object permissions
- attribute object permissions
o Distribution groups cannot be used to grant
permissions, only to send email.

The scope of groups: A G (U) DL P

o Domain local groups are valid in a single domain.
o Members of Universal groups can be from any domain.
This is available only if Windows 2000 is in native mode.
o Members of Global groups are from a single domain but can
access resources in other domains. Permissions are never
assigned directly to global groups.

• In Windows 2000, Global groups can nest other global groups
from within their own domain, but they don't appear in the GC.

A group can only belong to a single OU.

Namespaces: Active Directory Architecture

The Active Directory™ service in Microsoft® Windows® 2000 is a
directory service designed for distributed networking environments.
Active Directory lets organizations share and manage information
about network resources and users, and it acts as the central
authority for network security.

• Each domain controller in a forest holds a copy of the Active
Directory database, which is replicated to other domains.
• The Active Directory database file is named ntds.dit, in the default
folder %systemroot%\Ntds.
• The Schema.ini file defines AD configurations.
• Active Directory services are provided from the Directory Service
module Ntdsa.dll of the LSA component of the protected
Security Subsystem, which runs in user mode to authenticate
Windows 2000 users.
• The ESE can theoretically store up to 10 million objects per
domain in an Active Directory database of up to 17 terabytes.
• The Directory System Agent (DSA) is the actual process that
manages the directory's physical storage.
• At the top of the namespace is a rootDSE object
configuration container which holds the internal logical
architecture of the Active Directory.

AD defines 4 naming contexts: schema, sites, partitions, and
services.

Partitions for Replication

• The AD database contains 3 partitions (units of replication):
o Domain Directory Partition: unique to a domain,
replicated only within controllers in a single domain.
o Schema Directory Partition
o Configuration Directory Partition

Schema and Configuration partitions are replicated to all
DCs enterprise-wide.

Situation                                                  Strategy
Users are organized strictly by location                   Create OUs or domains for each division
Many employees are involved in inter-company ventures      Create a versatile yet logical structure
Many employees frequently move among different divisions   Organize users into a single domain rather than separate domains
There are many frequent changes in (temporary) employees   Use global groups
There are few changes among permanent employees            Use universal groups

Schema Objects

Each network resource (computer, drive share, printer,
etc.) exists as an object in an Active Directory schema,
which is like the data dictionary to a table.

The default schema provided with Windows 2000
contains 140 classes of __ objects with 850 attributes.

Each object has distinctly named attribute properties and
property values which can be extended and searched. An
attribute definition within AD contains:

o Object Name
o Object Identifier
o Syntax (for its data type: Boolean true/false, text mask,
etc.)
o Optional Range Limits

Have Some Class

Objects that share common attributes (such as printers, a
type of object) can be grouped into a class. Objects are
actual instances of object classes. A class definition in the
schema contains:

o Object Name
o Object Identifier
o "May Contain" Attribute
o "Must Contain" Attribute
o Parent Classes
o Auxiliary Classes

In other words, objects belonging to the same class have
the same attributes, but contain different values.

A child class derived from an existing class inherits the
attributes from the existing class.

Containers

Objects within a domain are organized into containers of
Organizational Units (OUs) which mirror an organization's
departments. This allows for easier delegation of
permissions, done by placing objects in an OU and granting
permissions to the OU.

• Objects are also organized logically into administrative
organizational groups such as Finance or Sales.
• User accounts added to a domain are copied to all domain
controllers on that same domain.
• Differences between Schema Masters and Domain Naming
Masters. ???
• The Directory schema defines the universe of objects that can
be stored in an entire forest.
• All domains in a tree must share their Configuration
information (such as the replication topology).

To initialize the first domain and forest ("Default-First-Site-Name"
in Sites and Services), use the dcpromo Active Directory
Installation Wizard:

o Create a domain controller
o "Create a new domain tree"
o Choose "Create a new forest of domain trees" or "Place the
new domain tree in an existing forest"
o Input the root name of the domain.

1. The default location for the database and log files is
%systemroot%\Ntds, on the shared system volume %systemroot%\Sysvol.
2. New to Windows 2000 is the ability to delegate authority.
Some guidelines for delegation:
o Delegate at the OU level.
o Avoid delegation at the attribute level.

Schema Management

The AD schema is usually viewed using the "Active
Directory Schema" MMC, which enables classes to be
modified or deactivated.

The "ADSI Edit" MMC from the Windows 2000
Resource Kit views CN and DN information.

To add a property to a user account using ADSI:

- Register the DLL:
  regsvr32 %systemroot%\system32\schmmgmt.dll
- Log in as a user in the "Schema admins" universal
group.

AD Schema Extensibility

To AD-enable applications such as MS Exchange,
Lotus Notes, or Novell Directory Services, Schema
Administrators may add to the AD schema using
Microsoft's ADSI, a set of APIs that expose AD
functionality to applications written in C, C++, and
other programming languages. ADSI is a part of
Microsoft's ODSI, which, in turn, is part of WOSA and
Microsoft's COM (Component Object Model).

How much is the LDAP C API [RFC 1823] used?

Searching with LDAP

Enumprop [from the Resource Kit] enumerates properties
such as the /security descriptor or /attributes for objects within
a user-supplied LDAP path:

enumprop /ATTR:objectGuid,objectSid,distinguishedName "LDAP://cn=administrator,cn=users,dc=user5,dc=com"

LDAP [RFC 1777] (Lightweight Directory Access Protocol) is
used to search for objects between domains. An LDAP query is
passed among domains within its own tree in a multiple-tree
forest. A cross-linked trust between distant domains speeds
such searches.

LDAP is not a service on a server like DNS, DHCP, WINS, or
IIS. LDAP information is stored in DNS servers for
authenticating identity information. It does not synchronize
data across servers.

LDAP implements an information model of named objects
(also called principals) in a meta directory. Each object has
values for a data type and other descriptive attributes.

LDAP data are objects in a class library which defines what
attributes are required and allowed.

LDAP is a simplified version of the X.500 hierarchical data
model, which uses an X.500 attributed naming convention:

CN=Common Name
DC=Domain Component
OU=Organizational Unit
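The four name forms in the Logon Accounts table (DN, RDN, UPN and down-level login name) and the X.500 attribute prefixes listed just above can be worked through in code. This is an added example and not part of the original notes: it parses DNs with RFC 2253 backslash escaping, derives the canonical name, UPN and down-level name from a DN, and applies the table's uniqueness scopes to a constructed list of accounts. It assumes the down-level (NetBIOS) domain name is the first DC= label, as with reskit.com / reskit in this guide.

```python
"""Naming-form helpers for the Logon Accounts table above: DN, RDN, canonical
name, UPN and down-level logon name, plus a check of the uniqueness scope
each form carries. Added example, not from the original notes."""


def parse_dn(dn):
    """Split an X.500/LDAP DN into (attribute, value) pairs, most specific
    first. Backslash escapes (RFC 2253) protect commas and other specials
    inside a value, e.g. CN=Doe\\, John."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_components(dn):
    """Break a DN into the pieces the table talks about: the RDN (the object's
    own name), the container path below the domain, and the domain built from
    the DC= components. Assumption: the down-level (NetBIOS) domain name is the
    first DC label, as with reskit.com / reskit in this guide; a deployment may
    choose a different NetBIOS name at dcpromo time."""
    pairs = parse_dn(dn)
    dc = [v for a, v in pairs if a == "DC"]
    path = [v for a, v in pairs if a != "DC"]
    if not dc or not path:
        raise ValueError("DN needs at least one object RDN and one DC= component")
    return {
        "rdn": path[0],
        "containers": list(reversed(path[1:])),   # root-most container first
        "dns_domain": ".".join(dc),
        "downlevel_domain": dc[0],
    }


def canonical_name(dn):
    """Canonical form as shown in Users and Computers: domain/container/.../RDN."""
    c = dn_components(dn)
    return "/".join([c["dns_domain"], *c["containers"], c["rdn"]])


def upn(logon, dn):
    """User principal name: logon name @ DNS domain of the object's DN."""
    return f"{logon}@{dn_components(dn)['dns_domain']}"


def downlevel_name(logon, dn):
    """NT 4-style domain\\logon name used by down-level clients and the SAM."""
    return f"{dn_components(dn)['downlevel_domain']}\\{logon}"


def find_conflicts(accounts):
    """Apply the table's uniqueness scopes to (dn, logon) pairs: the DN must be
    unique across the forest, the UPN and the down-level name within their
    domain; the RDN only has to be unique inside its own container, so two
    "CN=John Doe" objects in different OUs do not clash. Comparisons are
    case-insensitive, as in Active Directory. Returns (scope, name) tuples."""
    seen, conflicts = set(), []
    for dn, logon in accounts:
        for scope, name in (("DN", dn), ("UPN", upn(logon, dn)),
                            ("down-level name", downlevel_name(logon, dn))):
            key = (scope, name.lower())
            if key in seen:
                conflicts.append((scope, name))
            seen.add(key)
    return conflicts


if __name__ == "__main__":
    # Constructed sample: the table's JohnDoe plus three users in this guide's OU tree.
    dn = "CN=JohnDoe,CN=Users,DC=domain1,DC=com"
    print(canonical_name(dn), upn("JohnDoe", dn), downlevel_name("JohnDoe", dn))
    sample = [
        ("CN=John Doe,OU=Headquarters,OU=Accounts,DC=reskit,DC=com", "JohnDoe"),
        ("CN=John Doe,OU=Marketing,OU=Accounts,DC=reskit,DC=com", "JDoe2"),
        ("CN=John Doe,OU=Marketing,OU=Accounts,DC=reskit,DC=com", "johndoe"),
    ]
    for scope, name in find_conflicts(sample):
        print(f"not unique within its {scope} scope: {name}")
```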

Security Precautions

o Rename the default "Administrator" userid.
o For occasional users, grant network and utility
permissions to the built-in Guest account.
o Set the maximum length of a user name to 20 characters.
o Passwords:
- Ensure passwords contain lower and upper case
- Set minimum password lengths.
- Enable password histories
- Install on machines PASSFILT.DLL and
"strongpass.dll" from Ntsecurity.nu, which enhances
restrictions on passwords even further.
o Define organizational conventions for:
- resolving duplicates (add number, dept., middle
initial, etc.)
- time of day for access
- Password must contain at least a certain length,
upper & lower case, a number.
- Password must be changed on first login.
- Time before expiration/warning.
- Logon to which machines
- Deny dial-up/VPN access
o Windows assigns to each object a permanent 128-bit GUID
(Guaranteed Unique IDentifier) based on the current time
stamp, the network adapter card's MAC address, etc.
o Windows 2000 does not use NetBIOS names used by
Windows NT 4.
o When a user logs on, the domain controller returns an
access token containing the user SID (Security ID) and
group memberships.
o This token is compared to the ACL (Access Control List) of
the resource on a domain.
o ACLs are populated by Access Control Entries (ACEs).
o An organization may have several domains for several
reasons:
- Allow for different groupings (alternative
organizations)
- Segment high network traffic into two subnets
- Enable decentralized IT administration (each with a
different set of permissions)

OUs are nested under another OU to build a hierarchy in a
domain. This provides for greater control.

Domain Forests

o A forest, or multi-tree forest (MTF), is a collection of
separate trees. They usually come about from a corporate
acquisition or merger.
o A domain forest does *not* form a contiguous
namespace. Each forest has its own (heterogeneous)
schema.
o So, user accounts in one forest are not valid in another
forest.

Trusts

o A forest can be connected by two-way trust relationships
between different root domains which share a common
Active Directory. Two-way trusts are transitive --
implicit.
o Unlike NT4, which requires a two-way trust to be explicitly
created to each domain, when Windows 2000 adds a
domain to a domain tree, it automatically creates a trust
relationship between domains in a forest. This is one of the
main benefits from upgrading to Windows 2000.
o The first domain controller defined in a forest is created
with the default name "Default-First-Site-Name".
o It permanently retains the domain-naming master role.
o This is why Microsoft recommends that the first NT4 server
converted to Windows 2000 should be the NT4 PDC.
o Access between forests is established with one-way explicit trusts
between different Active Directory directories.

Explicit trusts are not transferable as with transitive trusts.

DNS (Domain Name System)

o Each child domain requires a DNS subdomain.
o A forward DNS lookup query resolves a name to a given IP
address.
o A reverse DNS lookup query resolves an IP address for a
given name.

Each DNS zone database file contains SRV resource
records which point to DNS hosts running Active
Directory. In Windows 2000 native mode, it can be
larger than the 40 MB limit NT4 had.

They must be registered manually on Windows NT,
which does not dynamically update DNS. They are
stored in Netlogon.dns files in %systemroot%\System32\Config
and read by the DNS MMC and updated by standard DNS zone
transfers.

Active Directory Integrated Zones are replicated through Active
Directory to provide fault tolerance for DNS.

Permissions

Read permission includes viewing the object owner
and permissions as well as the object attributes.

Full Control allows changing permissions and assigning
ownership.

To create a domain (as the domain's eadmin, the
Enterprise Admin):

o Non-members of the eadmin group can pre-create a
domain controller:

1. Open a command-line utility and enter:

NTDSutil
domain management
precreate DC=sales,DC=mycompany,DC=com server1.mycompany.com

Trees

Domains with a common root name share a contiguous
namespace which organizes domains into a hierarchical
tree.

o Trees help structure delegation.
o Trees do not have their own boundary for storage and
replication.
o Trees allow objects from one domain to access resources
on another domain.

• Multiple Domain Trees (MDT's) have a single root domain.

To implement a new tree in a forest, use the Active Directory
Installation Wizard.

Directory Replication & Synchronization

Two methods:

o Each domain controller replicates its domain partition to the
next server in its own domain ring using the uncompressed
RPC (Remote Procedure Call) protocol over TCP/IP, a
synchronous transport. This type of replication occurs
every 5 minutes by default.
o Inter-site replication traffic between sites uses dynamically
assigned port numbers, using compressed asynchronous
SMTP email traffic via the IIS5 service and the Collaboration
Data Objects (CDO v2) interface.

• In a multi-site topology, a domain controller may be a
bridgehead for contact with adjacent sites.
• Inter-site transport topology is controlled by settings for the
cost of each link.

DCs fulfill five Flexible (Floating) Single-Master
Operation (FSMO) roles for replication:

o The PDC Emulator (PDC Advertiser) acts as the PDC for
down-level BDCs in mixed mode operation. In native mode,
it is the first to receive replications and logon requests
from other DCs. So, there can only be one of these per
domain.
o The Relative ID Operations Master administers
allocation of Relative ID sequences of the SID. So, there
can only be one of these per domain.
o The Infrastructure Master administers additions or
changes in user/group mappings. So, there can only be one
of these per domain.
o The Domain Naming Operations Master administers
addition or removal of domains in a forest or cross-
references to external directory services (such as on
Exchange and Novell). So, there can only be one of these
per forest.
o The Schema Operations Master administers schema
updates and changes within its own forest. So, there can
only be one of these per forest.

Use NTDSUTIL.exe (the Swiss Army knife) on the
domain controller which wants to seize the role.

Use Esentutl.exe to repair the database and to
validate the database (integrity check to see if it is
damaged).

1. For updates, Active Directory uses a multi-master model
where all domain controllers are equivalent. All domain
controllers perform replication. Categories:
o Originating (committed) update to Replicated update
