Chapter 2: Study Guide
This chapter includes the following sections, which address various topics covered on the Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure MCSE exam:
- Introduction to Active Directory: Introduces the vocabulary and concepts needed to understand the Windows 2000 Active Directory architecture.
- Installing Active Directory: Discusses the steps necessary to plan for and install Active Directory. It also describes how to verify that the installation was successfully completed.
- Configuring Active Directory: Describes how to set up the Organizational Unit (OU) structure and discusses the creation and management of Active Directory components.
- Active Directory Objects: Describes the building blocks of Active Directory objects. Discusses how to create, manage, and move objects through the use of Group Policies, administrative templates, and software policies.
- DNS for Active Directory: Describes the creation and integration of DNS zones. Includes dynamic updates, DNS monitoring, and replication.
- Directory Maintenance and Replication: Describes both intersite and intrasite replication.
- Remote Installation Service (RIS): Describes the steps necessary to automatically deploy Windows 2000, including disk images, security, and troubleshooting Remote Installation Service.
- Active Directory Security: Discusses issues related to Directory Services infrastructure and Group Policy security. Describes security templates, audit policies, and security events.
- Active Directory Maintenance: Describes techniques for managing accounts and backing up and restoring Active Directory. Discusses how to optimize the performance of both Active Directory and the domain controllers that support it.
- Troubleshooting Active Directory: Discusses how to troubleshoot problems with DNS, Group Policies, Active Directory components, and software deployment. Describes how to recover from a system failure.
Introduction to Active Directory
Active Directory replaces the Windows NT domain model. It is designed to simplify access to network resources by providing network administrators with the ability to add, modify, and remove both users and resources from a single, hierarchical database. There are many new concepts to learn, but if you keep in mind that its two main functions are to keep track of all the available network resources and to provide access only to authorized users, you'll have no trouble getting up to speed with Active Directory.
Active Directory is stored on Windows 2000 domain controllers. Only Windows 2000 Servers can be Windows 2000 domain controllers. One major change between Windows NT and Windows 2000 is that there are no primary or backup domain controllers on a Windows 2000 network. All Windows 2000 domain controllers are equal and replicate the Active Directory database using a virtual ring topology.
The following terms relating to Microsoft Active Directory will be useful in understanding how Active Directory works. A solid understanding of the vocabulary will help make an abstract concept like Active Directory a lot easier to grasp:
- Domain: A network of computers and related hardware that share a user database. This user database is replicated among all the domain controllers. The main benefits of a domain are centralized administration of network resources and a single user logon to access those resources, regardless of where the resources are physically located in the domain.
- Organizational Unit (OU): A tool for dividing domain resources into groups that match the actual structure of your business. For example, the Accounting Organizational Unit can contain the user accounts of employees in the accounting department, the folders that store financial data, the printers used for invoices, and the billing software. Permissions can then be granted to the OU as a whole.
- Tree: A collection of Windows 2000 domains with two-way trust relationships. These domains share a common root domain, such as oreilly.com. Subdomains of the root domain are named in DNS dotted format, to the left of the root domain. Two examples of this naming scheme would be linux.oreilly.com and windows.oreilly.com.
- Forest: A collection of two or more trees, each with its own root domain name. The trees in the forest automatically have transitive trust relationships. This means that if tree A trusts tree B and tree B trusts tree C, tree A automatically trusts tree C and vice versa, without any separate trust relationship between A and C.
- Site: A section of the network that has a fast enough TCP/IP connection to allow for efficient replication of files. Microsoft recommends a minimum of 512 Kbps for efficient replication. Because the main requirement is speed, a single site can span multiple domains, or a domain can have multiple sites, depending on the network bandwidth available.
- Object: Any individual component on the network, including files, folders, scanners, printers, tape backup devices, and even user accounts.
- Container: An object that contains other objects is called a container. A folder that contains files would be a container because the folder is an object and its files are also objects.
- Attribute: An object is described by its attributes. A file's attributes would include its name, size, location, and permissions.
- Class: A way to describe objects within the Active Directory schema. A class is just the list of attributes that describe an object. Basically, the file object is the physical file itself; the file class is the logical definition of the file's properties, such as name, size, and location.
- Schema: A list of what types of objects can be managed in the Active Directory database. The schema is made up of classes (definitions of objects) and attributes (containers for the descriptions of objects). The schema can theoretically be modified by a qualified programmer to customize and extend Active Directory to meet their individual needs.
Installing Active Directory
After you have at least one Windows 2000 Server up and running, you can get started with Active Directory. You'll need to do a bit of planning first. The best way to get started is to take an inventory of all the hardware and map out the physical network connections.
If all the network administration tasks are handled from one location, this process can be relatively simple. If you are configuring an Active Directory that spans multiple physical locations across WAN links, it will get quite complex.
IN THE REAL WORLD
When planning a network, you should always take a methodical approach and document everything you've done. There will come a day when another administrator will have to figure out what you've done after you've gone on to bigger and better things. Just remember . . . some day that other administrator will be you.
Every Windows 2000 domain and its Active Directory can consist of millions of objects. Instead of adding new domains for each location, you should consider breaking down a single large domain into Organizational Units (OU), which are covered in detail later in this chapter.
There are a few cases where multiple domains would be a better solution. If two locations have different Internet domain names, they'll probably want to keep their identities separate on the private portions of their networks, too.
If you have slow WAN connections between physical locations or very strict security requirements in a certain location, you probably want to use separate domains to reduce replication and authentication traffic across those links. Otherwise, keep it as simple as possible by using one domain.
Microsoft recommends that you register at least one domain name for your network from an official naming organization, like Network Solutions. You can choose to register a single domain name for use inside and outside a firewall, or you can register two separate domain names. There are advantages and disadvantages to both methods.
If you choose to use the same domain for the private portion of your network as you do for your Internet presence, you have to be very careful not to allow access to your private data from the public Internet. With the sheer number of security holes in all network operating systems, including Windows 2000, this can be a serious issue. Because of the additional security concerns, it is generally more complex to successfully manage a domain using this naming scheme.
If you choose to use a different domain name inside your network than you use for your Internet presence, it is much easier to figure out whether a resource is public or private. This makes the security a bit easier to manage.
If you've just finished installing Windows 2000 Server on the first computer in the domain and the Configure Your Server window is displayed, choose the Active Directory Installation Wizard. Otherwise, you can open the Configure Your Server window by choosing it from the Start → Programs → Administrative Tools menu.
When you begin the installation with the Active Directory Installation Wizard, you'll have the choice of creating a new domain controller for a new domain or adding a domain controller to an existing domain.
If you choose to create a new domain controller, you'll have the choice of either starting a new tree or joining an existing tree as a subdomain. Active Directory requires a DNS server to function properly. The Active Directory Installation Wizard allows you to make the current computer the DNS server during the installation process. Following is a description of the steps involved in running the wizard:
- Start the Active Directory Installation Wizard from the Configure Your Server dialog box. During the install, you'll have to click the Next button to move between screens.
- You'll see the Domain Controller Type screen. Here's where you'll have to choose to either create a domain controller for a new domain or add a domain controller to an existing domain. I'll assume you're starting from scratch and want to create a new domain.
- You'll see the Create Tree or Child Domain screen. Create a new tree.
- You'll see the Create or Join Forest screen. Create a new forest.
- You'll see the New Domain Name screen. Type your registered domain name in the Full DNS Name for New Domain box.
- For some reason, Microsoft didn't kill off NetBIOS completely, so the next screen you'll see will show you the shortened DNS domain name as a Domain NetBIOS name.
- You'll see the Database and Log Locations screen. You should see the path WINNT\NTDS.
- You'll see the Shared System Volume screen. You should see the path WINNT\SYSVOL.
- You'll get a warning screen about the need for a DNS server. Click OK, and the Configure DNS Wizard will start.
- Choose Install and Configure DNS on This Computer.
- You'll see the Permissions screen. Choose Permissions Compatible Only with Windows 2000 Servers.
- You'll see the Directory Services Restore Mode Administrative Password screen. Type in the password that will be required if you ever have to restore Active Directory.
- You'll see a report of all the choices you've made so far.
- After you've accepted the configuration, the wizard will actually start the configuration process. You'll see a progress bar, and it could take a few minutes to finish.
- You'll see the Completing the Active Directory Installation Wizard screen. Click Finish, then click Restart. When the computer reboots, you should be all set.
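The wizard screens above map one-to-one onto the [DCInstall] section of a dcpromo answer file, which lets the same promotion run unattended (dcpromo /answer:<file>). This answer file is an added example, not from the book; the domain names, paths, file name and password placeholder are constructed values.

```ini
; Constructed example answer file, run as: dcpromo /answer:C:\dcinstall.txt
; Each key corresponds to one screen of the Active Directory Installation Wizard.
[DCInstall]
; Domain Controller Type screen: a new domain rather than an additional DC
ReplicaOrNewDomain=Domain
; Create Tree or Child Domain screen
TreeOrChild=Tree
; Create or Join Forest screen
CreateOrJoin=Create
; New Domain Name screen (constructed placeholder names)
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
; Database and Log Locations screen
DatabasePath=C:\WINNT\NTDS
LogPath=C:\WINNT\NTDS
; Shared System Volume screen
SYSVOLPath=C:\WINNT\SYSVOL
; Configure DNS Wizard: install and configure DNS on this computer
AutoConfigDNS=Yes
; Permissions screen: No selects "Permissions compatible only with Windows 2000
; servers", the more restrictive choice that does not grant pre-Windows 2000
; (anonymous) read access to the directory
AllowAnonymousAccess=No
; Directory Services Restore Mode password. It is stored here in cleartext,
; so keep the file off shared media and delete it once promotion succeeds.
SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
; Completing screen: Restart
RebootOnSuccess=Yes
```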
Verifying the Active Directory installation
There are a couple of quick tests to be sure that Active Directory and DNS are working. Look for the new domain you created in My Network Places. If you see your domain name, you should be okay. You can also look for your domain using the Active Directory Users and Computers MMC snap-in...