Activ Directory Presentation cum directorui.ppt


Transcript of Activ Directory Presentation cum directorui.ppt

  • 7/28/2019 Activ Directory Presentation cum directorui.ppt

    1/156

Windows Server 2003 Active Directory


    Windows Server 2003 is a server operating system produced by Microsoft

    Introduced on April 24, 2003 as the successor to Windows 2000 Server

    An updated version, Windows Server 2003 R2 was released to manufacturing on

    6th December 2005

    Unlike Windows 2000 Server, Windows Server 2003's default installation has none

    of the server components enabled, to reduce the attack surface of new machines

    Windows Server 2003 includes compatibility modes to allow older applications to

    run with greater stability

    Windows Server 2003 brought in enhanced Active Directory compatibility, and

    better deployment support

    Windows Server 2003 operating systems take the best of Windows 2000 Server

    technology and make it easier to deploy, manage, and use

Introduction: Windows Server 2003


    Windows Server 2003 is a multipurpose operating system capable of handling a

    diverse set of server roles, depending on your needs, in either a centralized or

    distributed fashion

    Some of these server roles include

    File and print server.

    Web server and Web application services.

    Mail server.

    Terminal server.

    Remote access and virtual private network (VPN) server.

    Directory services, Domain Name System (DNS)

    Dynamic Host Configuration Protocol (DHCP) server

    Windows Internet Naming Service (WINS).

    Streaming media server

    2003 Server Roles


    Windows Server 2003 R2 Standard Edition

Windows Server 2003, Standard Edition is aimed at small to medium-sized businesses

    Flexible yet versatile, Standard Edition supports file and printer sharing,

    offers secure Internet connectivity, and allows centralized desktop

    application deployment

    Windows Server 2003 R2 Enterprise Edition

Windows Server 2003, Enterprise Edition is aimed at medium to large businesses.

It is a full-function server operating system that supports up to eight processors and provides enterprise-class features such as eight-node

clustering and support for up to 32 GB of memory

Enterprise Edition also comes in a 64-bit edition for Intel Itanium-based computers,

capable of supporting 8 processors and 64 GB of RAM

    2003 Flavours


    Windows Server 2003 R2, Datacenter Edition

Windows Server 2003, Datacenter Edition is the flagship of the Windows Server line, designed for very large infrastructures demanding high

security and reliability.

    Datacenter supports up to 32-way SMP and 64 GB of RAM with the 32-bit

    version and up to 128-way machines with individual partitions of up to 64

    processors and 512 GB of RAM with the 64-bit version.

Datacenter provides both eight-node clustering and the load-balancing service

as standard features and includes Windows System Resource Manager, facilitating consolidation and system management

    Windows Server 2003 Web Edition

    Windows Server 2003, Web Edition is mainly for building and hosting Web

    applications, Web pages, and XML Web Services.

    It is designed to be used primarily as an IIS 6.0 Web server and provides

    a platform for rapidly developing and deploying XML Web services and

    applications that use ASP.NET technology, a key part of the .NET Framework

    2003 Flavours


Introduction to Active Directory Infrastructure


    Architecture of Active Directory

Introduction: Function of Active Directory

    Active Directory logical structure

    Active Directory physical structure

    Operations Master Roles

    How Active Directory works

    Active Directory as a directory service

    Purpose of the Global Catalog

    Active Directory schema

    What Are Distinguished and Relative Distinguished Names

    Construct an LDAP query string

    Objective


    Organizations operating a distributed environment need to have a way to manage

    network resources and services. As the organization grows, the need for a secure

    and centralized management system becomes more critical

    A directory service provides a centralized location to store information in a distributed

    environment about networked devices & services and the people who use them

    A directory service also implements the services that make this information available

    to users, computers, and applications

    A directory service is both a database storage system (directory store) and a set of

    services that provide the means to securely add, modify, delete, and locate data in the

    directory store

Active Directory is the distributed directory service included with the Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating

systems

    Active Directory enables centralized, secure management of an entire network,

    which might span a building, a city, or multiple locations throughout the world

Introduction: Active Directory


To access a Windows 2003 network a user needs an account

An account determines three things:

when a user may log on (logon hours)

where the user may log on (which domain or workgroup, and optionally which workstations)

what rights and permissions the user is assigned

Each account has a SID (security identifier). The SID, not the name, is what appears in access tokens and in the ACLs of securable objects, so it is the identity that every access check is made against

Any process trying to access a resource does so in the security context of a user account

    Windows 2003 has 2 types of accounts

    Local Account

    Domain Account

    User Accounts


    Local Account

    Supported on all Windows 2000 and 2003 systems except DCs

On member servers participating in domains and on standalone systems participating in workgroups

    Maintained on the local system, not distributed to other systems

    Local user account authenticates the user for local machine access only;

    access to resources on other computers is not supported

    Built-in local accounts: Guest; Administrator

    Domain Account

    Permit access throughout a domain and provide centralized user

    administration through AD

Created within a domain container in the AD database and replicated to all other DCs in the domain

Once authenticated against the AD database (during logon a Global Catalog is consulted for the user's universal group memberships), the user obtains

an access token for the logon session; the SIDs in that token determine the user's permissions

to all resources in the domain

    User Accounts


Domain account names must be unique within the domain, although the same

logon name can be used on several systems for local logon

Logon names are not case sensitive, must not exceed 20 characters (the pre-Windows 2000 logon name),

and must not contain any of: " / \ [ ] : ; | = , + * ? < >

Passwords are case sensitive and must be hard to guess

Renaming an account doesn't affect any of the user account properties except the name; the SID stays the same

Accounts can be moved from one container to another

Disabled accounts can't be used to log on

When an account is copied, most properties are copied, except the user name, full name,

password, logon hours, address/phone info, organization info, the "Account is

disabled" option, and user rights and permissions

    User Accounts


Deleting an account permanently removes it, together with all of its group memberships,

permissions and user rights. A new account created with the same name has a different

SID and GUID, so it does not regain the old account's access

Disabling an account is usually the better option: it blocks logon but preserves the SID, group memberships and ACL entries for later re-enabling or investigation

Administrator is the built-in account with full control over the computer (local Administrator) or the domain (domain Administrator)

    User Accounts
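The slides above make three claims that are worth seeing together: logon names are validated and compared case-insensitively, disabling an account keeps its SID and therefore its ACL entries, and deleting and recreating an account with the same name yields a new SID that matches nothing in existing ACLs. The following toy model is an added example written for this page, not Windows code: the domain SID, RID allocation and the ACL format are simplified assumptions.

```python
"""Toy model of domain account lifecycle: SIDs, ACLs, delete vs. disable.
Constructed example, not Windows code: SIDs and the ACL format are simplified."""
import itertools

# Characters Windows rejects in a logon (sAMAccountName) name; 20-character limit.
_BAD = set('"/\\[]:;|=,+*?<>')
_MAX_LEN = 20


class Domain:
    def __init__(self, domain_sid="S-1-5-21-1004336348-1177238915-682003330"):
        self.domain_sid = domain_sid          # assumed domain SID prefix
        self._rid = itertools.count(1000)     # RIDs are never reused
        self.accounts = {}                    # lower-cased logon name -> record
        self.acl = {}                         # resource -> set of SIDs allowed

    def validate_logon_name(self, name):
        """Return a reason string if the name is invalid, else None."""
        if not name or len(name) > _MAX_LEN:
            return "length must be 1..20"
        if any(c in _BAD for c in name):
            return "contains a reserved character"
        if name.lower() in self.accounts:
            return "not unique within the domain (names are case-insensitive)"
        return None

    def create_user(self, name):
        err = self.validate_logon_name(name)
        if err:
            raise ValueError(f"{name!r}: {err}")
        sid = f"{self.domain_sid}-{next(self._rid)}"
        self.accounts[name.lower()] = {"name": name, "sid": sid, "disabled": False}
        return sid

    def delete_user(self, name):
        # Memberships and ACEs are not cleaned up: they keep the now-orphaned SID.
        del self.accounts[name.lower()]

    def set_disabled(self, name, flag):
        self.accounts[name.lower()]["disabled"] = flag

    def grant(self, resource, sid):
        self.acl.setdefault(resource, set()).add(sid)

    def check_access(self, name, resource):
        acct = self.accounts.get(name.lower())
        if acct is None or acct["disabled"]:
            return False          # no logon session, hence no token at all
        return acct["sid"] in self.acl.get(resource, set())


def demo():
    d = Domain()
    share = r"\\fs1\finance"          # made-up resource name
    sid1 = d.create_user("jsmith")
    d.grant(share, sid1)
    before = d.check_access("JSMITH", share)          # True: lookup is case-insensitive

    d.set_disabled("jsmith", True)
    while_disabled = d.check_access("jsmith", share)  # False
    d.set_disabled("jsmith", False)
    after_reenable = d.check_access("jsmith", share)  # True: SID unchanged

    d.delete_user("jsmith")
    sid2 = d.create_user("jsmith")                    # same name, new RID -> new SID
    after_recreate = d.check_access("jsmith", share)  # False: ACE still holds sid1
    return {"before": before, "while_disabled": while_disabled,
            "after_reenable": after_reenable, "after_recreate": after_recreate,
            "sid_changed": sid1 != sid2}
```

The `delete_user` method deliberately leaves the ACE in place, which is what happens on a real file server: the orphaned SID shows up as an unresolvable entry in the ACL editor, and the recreated account gets nothing from it.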


A user's local profile is located in the Documents and Settings directory on

the local machine

When a user logs on to a machine for the first time, a subdirectory matching their

user name is created under the Documents and Settings directory

In this subdirectory the user's profile is created; the user's registry hive (HKEY_CURRENT_USER) is stored there in the file ntuser.dat

The new profile is copied from the Default User directory

Any changes made to the ntuser.dat file in the Default User directory affect only

new users, when they log on for the first time

There is also an All Users subdirectory of the Documents and Settings directory

The All Users profile holds items that are merged into every user's session (for example the shared Desktop and Start Menu entries); its settings live under HKEY_LOCAL_MACHINE rather than in a per-user ntuser.dat

Changes there affect all users logging on to the computer

    Local Profiles


    If users access more than one machine or move around the network, a roaming

    profile can be created to ensure that the user will receive his or her user settings and

    preferences no matter where they log on

When roaming profiles are used, the profile (including ntuser.dat) is stored on a network share and

copied to the local machine when the user logs on

    Changes made to the user preferences or settings are copied back to the network

    share when the user logs off

    The local profile will remain on the local machine, and should the network share be

    unavailable the next time the user logs on from that machine, the locally cached profile

    will be loaded instead

    Changes to the local profile will not be saved back to the network share in this case

    Roaming profiles can cause network problems if users save large files to their

    Desktop or to their My Documents folder

    Roaming Profiles


Mandatory profiles can be used when the user should be prevented from saving

changes to the user settings or preferences

For example, a profile could be created with many shortcuts to file shares and

applications

Users shouldn't be able to delete these shortcuts and then save the changes back

to the network share

By creating the profile as a mandatory profile (the hive file is renamed from ntuser.dat to ntuser.man), users are still able to change their

settings and preferences during the session, but the changes are discarded when the user logs off the

machine

A mandatory profile can also be assigned to a group of people, so that every user gets exactly the same settings and preferences

    Mandatory Profiles


    Users can use home folders to store their personal files

    A home folder is a folder on a computer, usually a file server, which can be assigned

    to users to save documents and files

    Home folders are generally used to consolidate user data into one place for easy

    backup

Also, many applications use the user's home folder as the default location for the

Save As and File Open commands

    A home folder can be located on a single computer or on a network share, where it

    is available to the user anywhere in the network

    Home Folders


Every desktop, workstation, laptop, server, and DC in the network must have a valid

computer account in Active Directory; computer accounts are used to identify a computer to the domain

Computer accounts are accounts for computers, just as a user account is an account

for a person. Like a user account, a computer account has a SID and a password, which the computer uses to maintain its secure channel to a domain controller

Active Directory requires that an interactive domain logon comes not only from a valid user but also from a valid computer

When a domain controller receives an interactive logon request, it first checks to make

sure the request is coming from a computer that has a valid computer account in the

domain

The domain won't accept an interactive user logon, even with valid credentials, from a computer that

doesn't belong to the domain (network logons with domain credentials from a non-member computer, for example to a file share, are still possible)

    Computer Accounts


    Domain groups allow for user accounts within a domain to be collected into a group

    that can then be used to grant access to resources or to assign user rights

    There are two types of domain groups

    Security Groups

    Distribution Groups

    A security group is a security principal and so can be used to assign permissions

    and rights to a collection of user accounts

    A distribution group is not a security principal and cannot be used to assign

    permissions

    A distribution group is used for e-mail

    It can be created when a mailbox is desired for a collection of user accounts, but no

    permissions will be needed

    Domain groups


Within each type of group there is a group scope. There are three possible group

scopes:

Domain local

Global

Universal

Domain local

A domain local group can contain user and computer accounts, global groups and universal groups from any trusted

domain, and (in Windows 2000 native or Windows Server 2003 mode) other domain local groups from its own domain

It cannot contain domain local groups from other domains or local

machine groups

    Domain local groups are primarily used to assign permissions to resources

    Group Scope



    Use a domain local group when you want to assign access permissions to resources

    that are located in the same domain in which you create the domain local group

    You can add all global groups that must share the same resources to the appropriate

    domain local group

    Global Group

A global group is a security or distribution group that can contain user and computer accounts, and

(in native mode) other global groups, from its own domain only

Use global groups to organize users by job description or function

You can grant rights and permissions to global security groups for resources in any domain in the forest

Because global groups are visible throughout the forest, do not create them for

the purpose of allowing users access to domain-specific resources

    Group Scope


    Universal Group

    A universal group is a security or distribution group that can contain users,

    groups, and computers as members from any domain in its forest

    Universal security groups can be granted rights and permissions on resources in

    any domain in the forest

    A Windows Server 2003 domain must be in Windows 2000 native mode or

    Windows Server 2003 mode to use universal security groups

    You can use universal distribution groups in a Windows Server 2003 domain that

    is in Windows 2000 mixed mode or higher

    Group Scope
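The nesting rules across the three group-scope slides are easy to get wrong in practice, and a wrong nesting is either rejected by the directory or, worse, silently grants access from a trusted domain. The following checker is an added example written for this page (not Microsoft code) that encodes those rules for a Windows Server 2003 domain and walks through the AGDLP pattern the slides recommend: accounts into a global group, the global group into a domain local group, the permission on the domain local group. Group, domain and account names are invented.

```python
"""Group-scope nesting rules for a Windows Server 2003 domain (constructed example,
not Microsoft code). native=True means Windows 2000 native or Windows Server 2003
functional level; native=False means Windows 2000 mixed mode."""

ACCOUNT, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "account", "global", "domain_local", "universal"


def can_contain(container_scope, member_kind, same_domain, native):
    """True if a group of container_scope may hold member_kind.
    same_domain: the member comes from the container's own domain.
    native: the domain is in native mode (universal security groups allowed)."""
    if container_scope == GLOBAL:
        if not same_domain:
            return False                        # global groups are single-domain
        return member_kind == ACCOUNT or (native and member_kind == GLOBAL)
    if container_scope == DOMAIN_LOCAL:
        if member_kind in (ACCOUNT, GLOBAL):
            return True                         # from any trusted domain
        if member_kind == UNIVERSAL:
            return native
        if member_kind == DOMAIN_LOCAL:
            return native and same_domain       # nesting only within own domain
        return False
    if container_scope == UNIVERSAL:
        return native and member_kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    raise ValueError(f"unknown scope {container_scope!r}")


class Group:
    def __init__(self, name, domain, scope):
        self.name, self.domain, self.scope = name, domain, scope
        self.members = []                       # (kind, domain, account name or Group)

    def add(self, kind, domain, obj, native=True):
        if not can_contain(self.scope, kind, domain == self.domain, native):
            raise ValueError(f"{self.scope} group {self.name} cannot contain "
                             f"{kind} from {domain}")
        self.members.append((kind, domain, obj))

    def effective_accounts(self):
        """Flatten nested membership to the set of account names that inherit
        whatever permission is granted to this group."""
        out = set()
        for kind, _dom, obj in self.members:
            if kind == ACCOUNT:
                out.add(obj)
            else:
                out |= obj.effective_accounts()
        return out


def agdlp_demo():
    # Accounts go in a Global group (by role); the global group goes in a Domain
    # Local group (per resource); the permission is granted to the domain local group.
    hr_staff = Group("HR-Staff", "corp", GLOBAL)
    hr_staff.add(ACCOUNT, "corp", "alice")
    hr_staff.add(ACCOUNT, "corp", "bob")
    payroll_readers = Group("Payroll-Read", "corp", DOMAIN_LOCAL)
    payroll_readers.add(GLOBAL, "corp", hr_staff)
    # A global group from a trusted domain may also be added to the domain local group.
    ext_auditors = Group("Auditors", "partner", GLOBAL)
    ext_auditors.add(ACCOUNT, "partner", "carol")
    payroll_readers.add(GLOBAL, "partner", ext_auditors)
    return payroll_readers.effective_accounts()
```

`effective_accounts` is the question an auditor asks of a resource group ("who actually gets in?"), and the cross-domain branch shows why the slides warn that a domain local group can pull in principals from any trusted domain.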


    For computers in a Windows 2003 network infrastructure to talk to one another,

    one of the key ingredients is the DNS service

    DNS is the name resolution mechanism used by Windows Server 2003 clients to

    find other computers and services running on those computers

A client consults its configured DNS servers (the SRV records under _msdcs) for a list of Active Directory domain

controllers, to which it then sends its logon (Kerberos and LDAP) traffic

    We will start our discussion of DNS with the NetBIOS (Network Basic Input Output

    System) namespace

There are important differences between the DNS namespace and the NetBIOS

namespace, and identifying some of the advantages and disadvantages of each namespace can help you understand them

    A NetBIOS name is a 16-byte address that identifies a NetBIOS resource on a

    network

    DNS


The important thing to keep in mind about the NetBIOS namespace, especially

when contrasting it with the DNS namespace, is that it is a flat namespace

DNS, conversely, is a hierarchical namespace. Every NetBIOS name must be

unique, period

There is no structure of parent and child namespaces that would allow the same computer or

service name to be reused in different parts of the network

In the NetBIOS environment, computers and services register unique NetBIOS

names by using a 15-character computer name appended with a 16th byte, written in hexadecimal

(for example <00> for the Workstation service and <20> for the Server service), that identifies the service on the network

If the computer name does not contain 15 characters, the NetBIOS protocol

dictates that the name is padded with as many spaces as necessary to generate a 15-character name

NetBIOS names are resolved by broadcast or by querying a NetBIOS name server; in Windows, this NetBIOS name server is called the Windows Internet Naming

Service, or WINS

    NETBIOS
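The 15-character padding and 16th service byte described above are exactly what goes on the wire in a NetBIOS Name Service query, after one more step the slide does not mention: RFC 1001/1002 "first-level encoding", which splits each byte into two nibbles and writes each as a letter A..P. The following is an added example written for this page, not Windows code; the computer name is invented and the suffix table lists only a few of the well-known service suffixes.

```python
"""NetBIOS name construction and RFC 1001/1002 first-level encoding.
Constructed example, not Windows code."""

# A few well-known 16th-byte service suffixes (assumed subset of the full list).
SUFFIX = {"workstation": 0x00, "messenger": 0x03, "server": 0x20,
          "domain_controllers": 0x1C, "browser_election": 0x1E}


def netbios_name(computer_name, suffix):
    """15-character name (upper-cased, space padded) + 1 suffix byte = 16 bytes."""
    name = computer_name.upper().encode("ascii")
    if len(name) > 15:
        raise ValueError("NetBIOS names are limited to 15 characters")
    return name.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16):
    """Each byte becomes two letters 'A'..'P' (nibble + 0x41): 32 bytes total."""
    out = bytearray()
    for b in name16:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def first_level_decode(encoded):
    """Inverse of first_level_encode; rejects anything that is not 32 letters A..P."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return bytes(raw)


def describe(name16):
    """Split a 16-byte name back into (name without padding, service suffix)."""
    return name16[:15].rstrip(b" ").decode("ascii"), name16[15]


def nbns_query_qname(computer_name, suffix):
    """Wire form of the question name: a length byte (32), the encoded name, and a
    zero terminator (the optional scope ID is omitted)."""
    enc = first_level_encode(netbios_name(computer_name, suffix))
    return bytes([32]) + enc + b"\x00"
```

Decoding is where a parser gets attacked: `first_level_decode` bounds-checks both the length and each nibble before reconstructing the name, which is the check to look for in anything that consumes NBNS or browser traffic.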


    Without DNS, you would have to know the IP address of every computer you are

    communicating with. DNS exists to resolve the names of computers to IP addresses

    There are three main components youll find in the Domain Name System. Not just

    Microsofts implementation, but any DNS solution. These three items are

    Domain name servers

    DNS resolvers

    The logical namespace

The domain name servers are servers running the DNS server software, which

store and serve zone files

    These name servers provide address resolution and other information about the

    computers that you access in both Active Directory domain and in the named

    domains across the entire Internet

    DNS resolvers are pieces of code that are built into the operating system. These

    pieces of code, known also as DNS clients, request resolution of FQDNs to IP

    addresses by querying their configured name servers

    DNS Components


The namespace is the logical division of names where DNS objects are stored

In an Active Directory domain, the namespace can often reflect the organizational chart of a particular company, where the company name starts at the root of the

namespace and then breaks into domains that provide a hierarchy for

your enterprise

Fully Qualified Domain Names

The job of a resolver is to request resolution of a fully qualified domain

name (FQDN) to an IP address

A fully qualified domain name represents a host name appended to the

parent namespaces in a hierarchy

The leftmost portion of the FQDN is the host portion of the name. A host

name is an alias we give to an IP address

There are organizations outside of your control that manage the topmost

levels of the domain namespace

The root zone and the top-level domains are managed by IANA under ICANN (historically this was the InterNIC), and each public TLD is delegated to a registry operator.

    DNS Components


    If domains represent logical division of the DNS namespace, zones represent the

    physical separations of the DNS namespace

    In other words, information about records of the resources within your DNS

    domains is stored in a zone file, and this zone file exists on the hard drive of one of

    your name servers

    Domain name servers are simply servers that store these zone database files,

    which in turn provide resolution for records in the zone files

    The DNS servers also manage how those zone files are updated and transferred

    Zone files are divided into one of two basic types:

    Forward lookup zone Provides host-name-to-IP-address resolution

    Reverse lookup zone Provides IP-address-to-host-name resolution

    When a zone file is first created on a DNS server, that server is said to be

    authoritative for that zone.

    DNS Zones


    Then, for each child DNS domain name included in a zone, the zone becomes the

    authoritative source for the resource records stored in that child domain as well

    This means that the DNS server can provide resolution for multiple domains within

    a zone file, and all changes to the resource records in both domains are made to the

    authoritative zone it stores

    Zone Categories

    The DNS zones kept on Windows Server 2003 computers can be further

    broken down into one of three categories. For each forward or reverse

    lookup zone, the file will be one of these types of zones:

    Primary zone

    Secondary zone

    Stub zone

Primary and stub zones can be stored in Active Directory (Active Directory-integrated zones); secondary zones cannot, because they are

always file-based copies obtained by zone transfer

    DNS Zones


    The primary DNS server for a zone is the location where all updates to the zones

    records are made

    All changes to the zone are then replicated to secondary servers. This replication

    model is called single master replication, where there is a single entity that controls

    changes to records

    Windows NT 4 used this single master model for directory database replication as

    well

    This also highlights the biggest drawback of the standard primary server model: it

    includes a single point of failure. Just like when an NT 4 primary domain controller

    went down, if for any reason the primary server for a zone is unavailable, no updates

    to the zone can be made

    This does not, however, affect resolution of names as long as secondary servers

    for the zone are available, and name-to-IP-address mappings have not changed.

    DNS Primary Zones


When you create a new zone, it will be a primary zone, and the server storing the

zone will be a primary DNS server. You can then use primary zones in one of two

ways: as standard primary zones, or

as primary zones integrated with Active Directory

    Using a standard primary zone, only a single DNS server will host and load the

    master copy of the zone

    Further, only that server is allowed to accept dynamic updates, and no additional

    primary servers for the zone are permitted

    You typically implement a standard primary zone when you need to replicate zone

    information with DNS servers running on other platforms such as Unix

    If you want to add more primary servers for a zone, you need to configure an

    Active Directoryintegrated zone, which will then take advantage of Active Directory

    integrated storage and replication features of the DNS Server service

    DNS Primary Zones


    Any time you have a secondary of anything, it is usually for load balancing and

    fault tolerance

Secondary servers are so called because they store read-only copies of zone

files, obtained from the primary by zone transfer (AXFR or IXFR)

    Changes to the DNS domains are made at the primary zone level and then are

    copied to secondary zones for secondary zone servers

    At the end of the day, theyll both end up storing the same information; its just that

    changes to the domain are made at the primary level, not the secondary level

    A DNS server can be a primary name server and a secondary name server at the

    same time

    The designation is made by what kind of zone file is stored on the server, and you

    can store both primary and secondary zones on the same machine

    DNS Secondary Zones


    Each record stored in a zone file has a specific purpose

Some of the records set the behaviour of the name server (SOA, NS); others have the job of resolving a host name or service into an IP address (A, CNAME, SRV, PTR)

    Resource Records Stored in a Zone File
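The record table from this slide did not survive extraction, so the following added example (written for this page, not the Windows DNS Server code) reconstructs the point in code: it parses a small BIND-style zone file containing the record types a Windows domain depends on, then uses the SRV records the way a domain-joined client's DC locator does when it asks DNS for a list of domain controllers. The zone text, host names and addresses are invented.

```python
"""Parse a constructed BIND-style zone file and locate domain controllers from
its SRV records. Example code, not the Windows DNS Server; all data is made up."""
from collections import defaultdict

ZONE_TEXT = """\
$ORIGIN corp.example.
$TTL 3600
@                         IN SOA  dc1.corp.example. hostmaster.corp.example. (
                              2019072801 900 600 86400 3600 )
@                         IN NS   dc1.corp.example.
@                         IN NS   dc2.corp.example.
dc1                       IN A    10.1.0.10
dc2                       IN A    10.1.0.11
fs1                       IN A    10.1.0.50
www                       IN CNAME fs1
_ldap._tcp.dc._msdcs      IN SRV  0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs      IN SRV  0 100 389 dc2.corp.example.
_kerberos._tcp.dc._msdcs  IN SRV  0 100 88  dc1.corp.example.
"""


def parse_zone(text):
    """Return {owner_fqdn: [(type, rdata_fields), ...]}. Handles $ORIGIN, $TTL,
    relative names, '@', optional TTL/class tokens, ';' comments and the
    parenthesised multi-line form used by SOA records."""
    origin = None
    records = defaultdict(list)
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():            # join "( ... )" continuations first
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf += " " + line.replace("(", " ").replace(")", " ")
        if depth == 0:
            logical.append(buf.strip())
            buf = ""

    def absolute(name):                      # make a name fully qualified
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    for line in logical:
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = absolute(fields.pop(0))
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                    # drop optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [absolute(rdata[0])]
        elif rtype == "SRV":                 # priority weight port target
            rdata = [int(rdata[0]), int(rdata[1]), int(rdata[2]), absolute(rdata[3])]
        records[owner].append((rtype, rdata))
    return dict(records)


def resolve_a(zone, name, max_cname=8):
    """Follow a CNAME chain (bounded, so a loop cannot hang the resolver) to an A record."""
    for _ in range(max_cname):
        rrs = zone.get(name, [])
        a = [rd[0] for rt, rd in rrs if rt == "A"]
        if a:
            return a[0]
        cname = [rd[0] for rt, rd in rrs if rt == "CNAME"]
        if not cname:
            return None
        name = cname[0]
    return None


def locate_dcs(zone, domain):
    """DC locator: SRV records at _ldap._tcp.dc._msdcs.<domain>, ordered by priority
    (low first) then weight (high first), each target resolved to its A record."""
    owner = f"_ldap._tcp.dc._msdcs.{domain}"
    srvs = sorted((rd for rt, rd in zone.get(owner, []) if rt == "SRV"),
                  key=lambda r: (r[0], -r[1]))
    return [(target, port, resolve_a(zone, target)) for _p, _w, port, target in srvs]
```

Anyone who can write to the `_msdcs` subtree (dynamic update ACLs on the zone) can point every client at a DC of their choosing, which is why the permissions on these records matter as much as the records themselves.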


    There have been several enhancements to the DNS features available with the

    Windows 2003 implementation of DNS, especially when compared to Microsofts

earlier deployments of the DNS service. Some of the improvements include the following:

    Conditional forwarders DNS queries can be sent to specific DNS servers if

    they meet a defined set of conditions. For example, the 2003 DNS server can be

    set so that all queries of FQDNs that end in hclcomnet.co.in be forwarded to a

    specific DNS server

    Stub zones Stub zones keep a DNS server that hosts a parent zone aware of

    the authoritative DNS servers for its child zone. This improves efficiency of DNS

    name resolution

    Enhanced DNS zone replication in Active Directory You now have four

replication choices for Active Directory-integrated DNS zone data

    Enhanced debug logging The DNS server has been written with enhanced

    debug logging options to aid in troubleshooting of DNS name resolution

    Updates to Windows Server 2003s DNS


    Now that we have an understanding of the components of the DNS infrastructure,

    we need to also understand how a DNS client resolves an FQDN to an IP address

    There are actually many ways. A client can sometimes answer a query using

    information cached from a previously successfully resolved name. In fact, this is the

    first location the DNS resolver checks

    If the check of the cache is unsuccessful in providing IP address resolution, the

resolver gets help from its configured DNS server. This process is known as a recursive query

    The DNS server in turn can use its own cache of resource record information to

    answer a query. Barring a quick resolution from the DNS servers cache, the server

    begins a walk of the DNS tree through a series of iterative queries

    Resolving a Host Name


    Any time you enter a fully qualified domain name into an application, your

    operating system uses the resolver piece of code to query its configured DNS server

    (or servers) to get an IP address for the name you have just entered

If the locally configured DNS server has a zone file that contains a record for the

resource you're trying to reach (or if the record is in the server's cache), that

resource's IP address is returned to your resolver

In most cases, however, the zone file is not going to hold the IP address for the record that you're trying to look up

    The computer doesnt care what the name of the computer is; in order to

    communicate, it needs the IP address. The first place it looks for resolution is its

    configured DNS server

    This query to the locally configured DNS server is called a recursive query

    Forward Lookup Resolution of FQDNs


If the local DNS server does not have an A record that maps the name to an IP address, the

client's local DNS server, if it is configured to do so, will begin looking through the entire

DNS hierarchy on behalf of the DNS client

The DNS server performs the name resolution; the DNS client sits there and waits

for a response to its recursive query

The client's local DNS server then talks to other DNS servers throughout the DNS

hierarchy using a series of iterative queries

The client asks its local DNS server using a recursive query. A recursive query

says, basically, "give me the answer or tell me that you can't find it". It's a pass/fail type

of proposition

The other type of query, where DNS servers are talking to each other as the local DNS server is walking the domain tree, is called an iterative query: the server asked

returns either the answer or a referral to a name server closer to the answer. When your

DNS server uses an iterative query

    Forward Lookup Resolution of FQDNs
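The three resolution slides above describe one mechanism from three angles: the resolver checks its cache, hands a recursive query to its configured server, and that server answers from its own zone or cache or walks the tree with iterative queries. The following simulation is an added example written for this page, not the Windows DNS Server code; the server names, zone contents and addresses are invented, and real referrals also carry glue records, which the model omits.

```python
"""Simulation of recursive vs. iterative DNS resolution over a tiny, constructed
name-server tree (root -> TLD -> authoritative). Example code, not the Windows
DNS Server service; names and addresses are invented."""


class NameServer:
    """Holds the A records it is authoritative for and its NS delegations."""

    def __init__(self, name, authoritative=None, delegations=None):
        self.name = name
        self.authoritative = authoritative or {}   # fqdn -> ip
        self.delegations = delegations or {}       # child zone -> NameServer
        self.queries = 0

    def iterative_query(self, fqdn):
        """Answer, or refer to the child zone that covers the name, or say NXDOMAIN.
        An iterative query never does further work on the asker's behalf."""
        self.queries += 1
        if fqdn in self.authoritative:
            return ("answer", self.authoritative[fqdn])
        for zone, ns in self.delegations.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                return ("referral", ns)
        return ("nxdomain", None)


class RecursiveResolver:
    """The client's configured DNS server: accepts a recursive query, serves it from
    its own zone or cache, otherwise walks the tree with iterative queries."""

    def __init__(self, root, local_zone=None):
        self.root = root
        self.local = local_zone or {}              # zone this server hosts itself
        self.cache = {}
        self.trace = []                            # how each answer was obtained

    def recursive_query(self, fqdn):
        if fqdn in self.local:
            self.trace.append(("local", fqdn))
            return self.local[fqdn]
        if fqdn in self.cache:
            self.trace.append(("cache", fqdn))
            return self.cache[fqdn]
        server = self.root
        for _ in range(16):                        # bound the referral chain
            kind, payload = server.iterative_query(fqdn)
            self.trace.append(("iterative", server.name, kind))
            if kind == "answer":
                self.cache[fqdn] = payload
                return payload
            if kind == "referral":
                server = payload
                continue
            return None                            # pass/fail: report the failure
        return None


def build_tree():
    example_ns = NameServer("ns1.example.com",
                            authoritative={"www.example.com": "203.0.113.10"})
    com_ns = NameServer("a.gtld-servers.net", delegations={"example.com": example_ns})
    return NameServer("a.root-servers.net", delegations={"com": com_ns})


def demo():
    root = build_tree()
    r = RecursiveResolver(root, local_zone={"dc1.corp.example": "10.1.0.10"})
    first = r.recursive_query("www.example.com")     # root -> com -> example.com
    second = r.recursive_query("www.example.com")    # served from cache, no queries
    local = r.recursive_query("dc1.corp.example")    # from the server's own zone
    missing = r.recursive_query("nope.example.com")  # authoritative NXDOMAIN
    return first, second, local, missing, root.queries, r.trace
```

The `trace` list is the part worth reading: it shows that only the first lookup touches the root and TLD servers, and that the cache, not the authoritative server, answers the repeat. That cached entry is also what cache-poisoning attacks aim to plant.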



    The logical components of Active Directory are important because they define how

    the computing enterprise will be administered. By designing and determining the

    logical elements of Active Directory, we become the architects of the network

    There are four logical components of Active Directory. They are

    Domains

    Trees

    Forests

    Organizational units

    Logical Elements of Active Directory


    A Windows 2003 Active Directory domain is a logical collection of users and

    computers

    In other words, its an organizational entity that groups together the objects in your

    enterprise

    With a domain in place, you have several benefits, including the following:

    They enable you to organize objects within a single department or single

    location, and all information about the object is available

They act as administrative and replication boundaries. Domain admins exercise complete control

over all domain objects. Note that the forest, not the domain, is the real security boundary in

Active Directory: the Enterprise Admins group and the schema span every domain in the forest. Further, in Windows 2003 Active Directory, Group

Policies, another kind of domain object, can be applied to determine how

resources can be managed and accessed

    Domain objects can be made available to other domains

    Domain names follow established DNS naming conventions, permitting the

    creation of child domains to best suit your administrative needs

    Domains


    Domains allow control over replication. That is, domain objects are fully replicated

    to other domain controllers within a domain, but not to other domains in an Active

    Directory enterprise

    Domains


    Once youve decided to create domains in your enterprise, you may find that you

    need more than one domain to best reflect the administrative structure of your

    company

    Domains have many benefits; thus, you may find compelling reasons to apply

    these benefits separately to various groups of users and computers in your

    organization

The domains exist in a tree, and trees subsequently live in a forest. If you want to link your Windows 2003 domains together for purposes of administration and/or

sharing of resources, you'll need to start building Active Directory trees and forests

    The hallmark of an Active Directory tree is that it is a contiguous linking of one or

    more Active Directory domains that share a common namespace

    In other words, the domains are linked together in parent-child relationships as far

    as the naming conventions go

    Trees


    A forest lets you link together multiple domain trees in a hierarchical arrangement

The goal in designing a forest is the same as when designing a tree: to define and maintain an administrative relationship between the domains

    All domains in the tree are linked by two-way, transitive trust relationships, and all

    tree roots in the forest are likewise linked by two-way, transitive trusts

We need to choose our forest root domain with caution. Once established, the forest root cannot be changed without decommissioning the entire logical Active

Directory infrastructure

    In Windows Server 2003, it is now possible to rename the forest root domain, but

    the domain designated as the forest root cannot be changed once established.

    Forests

43/156

Organizational Units

When properly implemented, an organizational unit (OU) is the administrative lynchpin of a Windows 2003 Active Directory hierarchy

It is a container object within a domain that represents sub-administrative entities within an Active Directory

Organizational units are used to group together domain computers, users, and other domain objects into an administrative collection

These collections are kept as separate logical units

Windows 2003 domains are designed to be self-contained, and through the use of organizational units, you have a lot of flexibility about how that domain is administered

OUs are not groups; they are administrative containers. Anything you can put into the domain, anything you can put into an Active Directory database, you can put into an organizational unit

44/156

Understanding the Physical Elements of Active Directory

These logical structures are, however, physically created as software objects

But these objects don't live in a vacuum; they have to be created somewhere, and they have to be stored somewhere. Furthermore, the information has to be shared with other computers

An Active Directory structure contains two physical components:

SITES

DOMAIN CONTROLLERS

The job of a domain controller is to store a writable copy of the Active Directory database for the domain of which it is a member

Sometimes, these domain controllers will store additional information like the Global Catalog. Sometimes, the domain controllers play important roles in the functioning of the network, and sometimes they perform many of these tasks at once

45/156

Understanding the Physical Elements of Active Directory

All of the objects in the domain's Active Directory database (the user accounts, the groups, the computer accounts, the organizational units, and so forth) are stored within a domain controller, and all domain controllers within a single domain act as peers

When domain controllers act as peers, they engage in multimaster replication. The multimaster replication model is a carryover from the Windows 2000 Active Directory environment, but it represents a significant departure from the single-master replication model used by Windows NT 4.0 domain controllers

All changes to the Windows NT 4.0 directory database were made at a Primary Domain Controller (PDC) and then replicated out to Backup Domain Controllers (BDCs). This is no longer the case

When Windows Server 2003 domain controllers engage in multimaster replication, a change to the Active Directory database can be made at any of the domain controllers, and these changes will then be reflected on other domain controllers after replication

46/156

Implementing an Active Directory Site Topology

The simple definition of a site is a collection of one or more well-connected IP subnets. More importantly, though, a site is a unit of Active Directory replication

If the domain controller's job is to store and replicate the Active Directory database, then the site's job is to govern how that replication occurs

A site is also used by Active Directory to manage the following:

Logon traffic, ensuring that a client locates and submits credentials to local domain controllers when possible

Requests to the Global Catalog, by keeping all such requests local (if there is at least one Global Catalog server per site, as is recommended)

Optimization of traffic for Active Directory-aware applications, such as the Distributed File System (DFS)

47/156

The Role of the Knowledge Consistency Checker

If the sites exist to control replication traffic, how does Active Directory build the replication topology between a site's domain controllers?

Automatically, using the Knowledge Consistency Checker (KCC)

During the Active Directory installation process, each domain controller is made aware of other domain controllers within the same domain

The Knowledge Consistency Checker works to ensure that every one of these domain controllers has at least one replication partner, or peer

The end result of the KCC's hard work is that all domain controllers are able to get updated Active Directory information from all others using a fault-tolerant ring topology

The other job of the Knowledge Consistency Checker is to allow Active Directory to take care of the replication of directory database information without administrators having to worry about it too much, or configure it manually

48/156

The Role of the Knowledge Consistency Checker

Manual creation of replication links between domain controllers can still be done, but Microsoft doesn't recommend it

The Knowledge Consistency Checker automates the replication process, ensures the replication topology, minimizes replication latency, and checks all replication links every 15 minutes to ensure that the domain controllers are functioning properly

Further, if one of the domain controllers should be taken offline, the KCC automatically regenerates a new replication topology between domain controllers for the domain

So again, you don't have to do much. You can kind of fall backwards into a good working network with Windows Server 2003

49/156

Replication: How and Why

Replication between the domain controllers in an Active Directory domain, no matter in which sites those domain controllers live, works by keeping track of a version number assigned to the Active Directory database

This version number is called an Update Sequence Number (USN), and it is used to track the changes made to each copy of Active Directory

Every time a change is made to the database, the domain controller updates the database USN where the change was made

Every domain controller keeps track of its USN and, more importantly, the USNs of its replication partners

Then, every 5 minutes (this is the default interval), the domain controller checks for changes from its replication partners in the same site

If a domain controller finds that its replication partner has an update to its USN, it then requests that all changes since the last known USN be sent

50/156

Replication: How and Why

Even if a domain controller has been offline for an extended time, it can quickly be sent all updates to the Active Directory database when it comes back online

Two types of replication:

Replication within sites (intrasite)

Replication between sites (intersite)

Replication within a site is handled by the Knowledge Consistency Checker

Replication between sites is handled by the Intersite Topology Generator (ISTG)

The job of the KCC is to evaluate the domain controllers within a site and automatically establish and maintain a ring-based replication topology

It does this by automatically creating connection objects between two domain controllers within a site

Each domain controller will have at least two replication partners, if applicable (if there are only two domain controllers in a site, those domain controllers will only have one partner)

51/156

Replication: How and Why

You can manually create these connection objects between domain controllers, or force replication between two domain controllers, but normally you would never need to do so

To force replication over a connection object, right-click the connection object and choose Replicate Now from the context menu

The KCC is a dynamic process. That is, it automatically adjusts the replication topology as network conditions change

As domain controllers or subnets are added to or removed from a site, the KCC constantly checks to make sure each domain controller is able to exchange information with at least two others within the site, thus keeping the ring topology intact

So even though you need to do virtually nothing to tweak the performance of the KCC in a production network, your job as a test candidate is to make sure you understand the purpose of the KCC

52/156

Replication: How and Why

Moreover, here's what else you need to know about intrasite replication:

Replication does not use compression. This behaviour reduces the processing load on domain controllers. (Processing cycles are needed to compress and uncompress information)

Replication occurs based on a notification process. When a domain controller has an update to its Active Directory database, it notifies the other domain controllers in the same site

These domain controllers then contact the notifying domain controller and request that the changes to the database be sent
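A small Python model of what slides 47 through 52 describe, added here as an illustration and not code from the presentation: the KCC links each domain controller to two ring neighbours (one when only two exist), every write bumps the local USN, partners are polled for changes since the last-known USN, an offline controller catches up on return, and an originating write can notify partners directly. The class and function names, the sample attribute writes, and the per-origin bookkeeping that stops a change arriving via both neighbours from being applied twice are assumptions of the model; real Active Directory keeps richer per-attribute replication metadata.

```python
"""Model of the KCC ring and USN-based intrasite replication.

Added illustration, not code from the presentation. Names, sample data and
the simplified per-origin bookkeeping are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One originating update, stamped with the DC that made it and its USN."""
    origin: str        # DC where the write originated
    origin_usn: int    # that DC's database USN after the write
    attribute: str
    value: str


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0          # database USN, bumped on every local write
        self.log = []         # (local usn, Change) in local USN order
        self.state = {}       # replicated attribute values
        self.partners = []    # connection objects created by the KCC
        self.last_seen = {}   # partner name -> highest partner USN pulled so far
        self.utd = {}         # origin DC name -> highest origin_usn already applied
        self.online = True

    def _apply(self, change: Change) -> None:
        self.usn += 1
        self.log.append((self.usn, change))
        self.state[change.attribute] = change.value
        self.utd[change.origin] = max(self.utd.get(change.origin, 0), change.origin_usn)

    def write(self, attribute: str, value: str) -> int:
        """Originating update: the USN is updated where the change is made."""
        self._apply(Change(self.name, self.usn + 1, attribute, value))
        return self.usn

    def changes_since(self, usn: int) -> list:
        return [c for local_usn, c in self.log if local_usn > usn]

    def pull_from(self, partner: "DomainController") -> int:
        """Request every change after the partner USN we last saw. Updates this
        DC already holds (tracked per originating DC) are skipped, so a change
        arriving via both ring neighbours is applied once. Returns count applied."""
        if not (self.online and partner.online):
            return 0
        known = self.last_seen.get(partner.name, 0)
        if partner.usn <= known:
            return 0
        applied = 0
        for change in partner.changes_since(known):
            if change.origin_usn > self.utd.get(change.origin, 0):
                self._apply(change)
                applied += 1
        self.last_seen[partner.name] = partner.usn
        return applied

    def notify_partners(self) -> int:
        """Intrasite change notification: partners contact the notifying DC and
        request the changes, then notify their own partners in turn."""
        total = 0
        for partner in self.partners:
            got = partner.pull_from(self)
            if got:
                total += got + partner.notify_partners()
        return total


def kcc_build_ring(dcs: list) -> dict:
    """Connection objects for one site: each online DC is linked to its two ring
    neighbours, or to one partner when only two DCs exist. Call again after a DC
    is added or removed to regenerate the topology."""
    online = [dc for dc in dcs if dc.online]
    for dc in online:
        dc.partners = []
    n = len(online)
    for i, dc in enumerate(online):
        for j in (i - 1, i + 1):
            partner = online[j % n]
            if partner is not dc and partner not in dc.partners:
                dc.partners.append(partner)
    return {dc.name: sorted(p.name for p in dc.partners) for dc in online}


def replication_cycle(dcs: list) -> int:
    """The periodic check (every 5 minutes by default): each DC polls each of its
    partners. Returns the number of changes applied; repeat until it returns 0."""
    return sum(dc.pull_from(p) for dc in dcs for p in dc.partners)


def converged(dcs: list) -> bool:
    online = [dc for dc in dcs if dc.online]
    return all(dc.state == online[0].state for dc in online)


if __name__ == "__main__":
    site = [DomainController(n) for n in ("DC1", "DC2", "DC3")]
    print(kcc_build_ring(site))
    site[0].write("user.alice.department", "Sales")   # constructed sample write
    print(site[0].notify_partners(), converged(site))
```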

53/156

Replication: How and Why

Replication between sites happens automatically after you define configurable values, such as a schedule or a replication interval

You can schedule replication for inexpensive or off-peak hours

By default, changes are replicated between sites according to a manually defined schedule and not according to when changes occur

The schedule determines at which times replication is allowed to occur

The interval specifies how often domain controllers check for changes during the time that replication is allowed to occur

Replication traffic between sites is designed to optimize bandwidth by compressing all replication traffic between sites

Replication traffic is compressed to 10 to 15 percent of its original size before it is transmitted

Although compression optimizes the network bandwidth that is required, it imposes an additional processing load on domain controllers for the compression and decompression of replication data

54/156

Replication: How and Why

The intersite topology generator is an Active Directory process that runs on one domain controller in a site

A single domain controller in each site is automatically designated to be the intersite topology generator

The intersite replication topology defines the replication between sites on a network

It also selects one or more domain controllers to become bridgehead servers. If a bridgehead server becomes unavailable, it will automatically select another bridgehead server, if possible

It runs the KCC to determine the replication topology and resultant connection objects to be used by the bridgehead servers to communicate with the bridgehead servers of other sites

If the domain controller designated as the intersite topology generator becomes unavailable, another domain controller will be automatically designated

55/156

The Active Directory database

The Active Directory database is logically separated into directory partitions: a schema partition, a configuration partition, domain partitions, and application partitions

Each partition is a unit of replication, and each partition has its own replication topology

Replication is performed between directory partition replicas

All domain controllers in the same forest have at least two directory partitions in common: the schema and configuration partitions

All domain controllers in the same domain, in addition, share a common domain partition

56/156

Active Directory partitions

Each domain controller contains the following Active Directory partitions:

Schema partition: There is only one schema partition per forest. The schema partition is stored on all domain controllers in a forest

The schema partition contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them

Schema information is replicated to all domain controllers in the forest, so all objects must comply with the schema object and attribute definitions

Configuration partition: There is only one configuration partition per forest. The configuration partition is stored on all domain controllers in a forest

The configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each, and which services are available

Configuration information is replicated to all domain controllers in a forest

57/156

Active Directory partitions

Domain partitions: There can be many domain partitions per forest. The domain partitions are stored on all of the domain controllers of the given domain

A domain partition holds information about all domain-specific objects created in that domain, including users, groups, computers, and organizational units

The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the Global Catalog with only a subset of their attribute values

Application partitions: Store application-specific information in Active Directory. Each application determines how it will store, categorize, and use application-specific information

To prevent unnecessary replication of specific application partitions, Active Directory administrators can designate which domain controllers in a forest will host specific application partitions

The application partition is different from a domain partition in that it is not allowed to store security principal objects such as user accounts. In addition, the data in an application partition is not stored in the Global Catalog.


    58/156

    Active Directory partitions


59/156

What Are Operations Masters?

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain

Some changes, such as those made to the schema, are replicated across all of the domains in the forest

This replication is called multimaster replication

During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers

To avoid replication conflicts, you use single-master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made

This way, changes cannot occur at different places in the network at the same time. Active Directory uses single-master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.

60/156

What Are Operations Masters?

Operations that use single-master replication are arranged together in specific roles in a forest or domain; these roles are called operations master roles

For each operations master role, only the domain controller that holds that role can make the associated directory changes

The domain controller that is responsible for a particular role is called an operations master for that role

Active Directory stores information about which domain controller holds a specific role

Active Directory defines five operations master roles, each of which has a default location

Operations master roles are either forest-wide or domain-wide

61/156

Operations Master Roles

There are five operations master roles:

Schema master

Domain naming master

PDC emulator

RID master

Infrastructure master

62/156

Operations Master Roles

Schema master

Controls all updates to the schema

The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers

Whenever you are extending the schema or are installing an application that does so, such as Exchange Server, the schema master must be available

Domain naming master

Controls the addition or removal of domains in the forest

When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain

63/156

Operations Master Roles

Primary domain controller (PDC) emulator

Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain

This type of domain has domain controllers that run Windows NT 4.0

The PDC emulator is the first domain controller that you create in a new domain

By default, this FSMO server is responsible for synchronizing the time on all domain controllers throughout the domain

The PDC emulator is also the first domain controller notified whenever password changes are performed by other domain controllers in the domain

If a user submits a logon to a domain controller that does not have the updated password, the logon request is forwarded to the PDC emulator before rejecting the logon attempt.

64/156

Operations Master Roles

Relative identifier master

When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID)

This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain

The RID master allocates blocks of RIDs to each domain controller in the domain

The domain controller then assigns a RID to objects that are created from its allocated block of RIDs

65/156

Operations Master Roles

Infrastructure master

When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain

The object reference contains the object's globally unique identifier (GUID), distinguished name, and a SID

Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object

Additionally, the infrastructure master is in charge of updating group-to-user references whenever members of groups are modified

66/156

Planning Flexible Operations Master Role Placement

In every forest, five FSMO roles are assigned to one or more domain controllers

Two of these operations masters are forest-wide: there is only one such server in the forest

Schema Master

Domain Naming Master

Three are domain-wide roles: in every forest, certain single-master roles will be held on only one server per domain

PDC Emulator

RID Master

Infrastructure Master

67/156

Roles performed by the schema master

An Active Directory schema defines the kinds of objects and the types of information about those objects that you can store in Active Directory

The definitions are stored as objects so that Active Directory can manage the schema objects with the object management operations that it uses to manage other objects in the directory

The schema master performs the following roles:

Controls all originating updates to the schema

Contains the master list of object classes and attributes that are used to create all Active Directory objects

Replicates updates to the Active Directory schema to all domain controllers in the forest by using standard replication of the schema partition

Allows only the members of the Schema Admins group to make modifications to the schema


    68/156

    The effect of the schema master being unavailable

69/156

The effect of the schema master being unavailable

Having only one schema master per forest prevents any conflicts that would result if two or more domain controllers attempt to simultaneously update the schema

Temporary loss of the schema master is not visible to network users or to network administrators unless they are trying to modify the schema or install an application that modifies the schema during installation

If the schema master is unavailable and you need to make a change to the schema, you can seize the role to a standby operations master

70/156

Roles performed by the Domain Naming Master

When you add or remove a domain from a forest, the change is recorded in Active Directory

The domain naming master controls the addition or removal of domains in the forest

There is only one domain naming master per forest

When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain

The domain naming master prevents multiple domains with the same domain name from joining the forest

When you use the Active Directory Installation Wizard to create a child domain, it contacts the domain naming master and requests the addition or deletion


    71/156

    The effect of the Domain Naming Master being unavailable

72/156

The effect of the Domain Naming Master being unavailable

Like the schema master, temporary loss of the domain naming master is not visible to network users or to network administrators unless the administrator is trying to add a domain to the forest or remove a domain from the forest

If the domain naming master is unavailable, you cannot add or remove domains

If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master

To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles

73/156

Roles performed by the PDC Emulator

The PDC emulator acts as a Microsoft Windows NT Primary Domain Controller (PDC) to support any backup domain controllers (BDCs) running Windows NT in a mixed-mode domain

When you create a domain, the PDC emulator role is assigned to the first domain controller in the new domain

Acts as the PDC for any existing BDCs.

Manages password changes from computers running Windows NT, Microsoft Windows 95 or Windows 98. You must write password changes directly to the PDC

Minimizes replication latency for password changes

Synchronizes the time on all domain controllers throughout the domain to its time


    74/156

    What Is the RID Master?

75/156

Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID)

This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain

Creating objects

To allow a multimaster operation to create objects on any domain controller, the RID master allocates a block of RIDs to a domain controller

When a domain controller needs an additional block of RIDs, it contacts the RID master, which allocates a new block of RIDs to the domain controller, which in turn assigns them to the new objects

If a domain controller's RID pool is empty, and the RID master is unavailable, you cannot create new security principals on that domain controller
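Added example, not code from the presentation, covering the RID master described on slides 64 and 75: the role holder hands out non-overlapping RID blocks, each domain controller builds SIDs as domain SID plus a RID from its own block, and creation fails only once a controller's pool is empty and the RID master cannot be reached. The domain SID, account names, audit trail and the tiny block size used in the demo are constructed; the pre-emptive block request a real controller makes before its pool runs dry is simplified away.

```python
"""Model of the RID master: RID block allocation and SID construction.

Added illustration, not code from the presentation. The domain SID, DC and
account names and the block sizes below are constructed for this example.
"""


class RidMasterUnavailable(RuntimeError):
    """A DC needs a new block but cannot contact the RID master."""


class RidPoolExhausted(RuntimeError):
    """A DC's pool is empty and no new block could be obtained."""


class RidMaster:
    """The single domain-wide role holder: hands each requesting DC a block of
    RIDs that no other DC will ever receive, so RIDs never collide."""

    def __init__(self, block_size: int = 500, first_rid: int = 1000):
        self.block_size = block_size   # 500 is the default block size
        self.next_rid = first_rid      # start value is an assumption of this model
        self.online = True
        self.allocations = []          # (dc name, first rid, last rid) audit trail

    def allocate_block(self, dc_name: str) -> range:
        if not self.online:
            raise RidMasterUnavailable("RID master cannot be contacted")
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        self.allocations.append((dc_name, block.start, block.stop - 1))
        return block


class DomainController:
    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name = name
        self.domain_sid = domain_sid   # shared by every principal in the domain
        self.rid_master = rid_master
        self.pool = iter(())           # RIDs from the current block not yet used
        self.principals = {}           # sAMAccountName -> SID

    def _next_rid(self) -> int:
        try:
            return next(self.pool)
        except StopIteration:
            pass
        # Pool empty: ask the RID master for an additional block. (A real DC asks
        # before the pool runs dry; the simplification here is an assumption.)
        try:
            self.pool = iter(self.rid_master.allocate_block(self.name))
        except RidMasterUnavailable as err:
            raise RidPoolExhausted(
                f"{self.name}: RID pool empty and RID master unavailable; "
                "cannot create new security principals here") from err
        return next(self.pool)

    def create_principal(self, sam_name: str) -> str:
        """Create a user, group or computer object: its SID is the domain SID
        followed by a RID taken from this DC's own block."""
        sid = f"{self.domain_sid}-{self._next_rid()}"
        self.principals[sam_name] = sid
        return sid


def split_sid(sid: str) -> tuple:
    """Separate a principal's SID into the domain SID and the RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def sids_are_unique(dcs: list) -> bool:
    """Principals created on different DCs with no coordination between them
    still get distinct SIDs, because their RID blocks never overlap."""
    sids = [sid for dc in dcs for sid in dc.principals.values()]
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    master = RidMaster(block_size=3)   # tiny block so exhaustion is visible
    dc1 = DomainController("DC1", DOMAIN_SID, master)
    dc2 = DomainController("DC2", DOMAIN_SID, master)
    for name in ("alice", "carol", "dave"):
        print(dc1.name, dc1.create_principal(name))
    print(dc2.name, dc2.create_principal("bob"))
    master.online = False
    try:
        dc1.create_principal("frank")
    except RidPoolExhausted as err:
        print(err)
    print(sids_are_unique([dc1, dc2]), master.allocations)
```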


    76/156

    What Is the Infrastructure Master?

77/156

The infrastructure master is a domain controller that is responsible for updating object references in its domain that point to objects in another domain

Active Directory periodically updates the distinguished name and SID to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object

The infrastructure master updates object identification according to the following rules:

If the object moves at all, its distinguished name will change because the distinguished name represents its exact location in the directory

If the object is moved within the domain, its SID remains the same

If the object is moved to another domain, the SID changes to incorporate the new domain SID

78/156

Infrastructure master and the global catalog

The infrastructure master should not be the same domain controller that hosts the global catalog

If the infrastructure master and the global catalog are on the same computer, the infrastructure master does not function because it does not contain any references to objects that it does not hold

In addition, the domain replica data and the global catalog server data cannot exist on the same domain controller

Periodically, the infrastructure master for a domain examines the references in its replica of the directory data to objects that are not held on that domain controller

It queries a global catalog server for current information about the distinguished name and SID of each referenced object

If this information has changed, the infrastructure master makes the change in its local replica
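Added example, not code from the presentation, modelling the infrastructure master behaviour of slides 77 and 78: cross-domain references cache an object's distinguished name and SID under a stable GUID, a periodic pass compares them with the global catalog and rewrites or drops stale ones, and a holder that is also a global catalog server has nothing to update. GUIDs, distinguished names and SIDs are constructed sample values, and the fresh RID issued on a cross-domain move is an assumption of the model.

```python
"""Model of how the infrastructure master keeps cross-domain references current.

Added illustration, not code from the presentation. GUIDs, distinguished names
and SIDs below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class ForestObject:
    """An object's current identity as the global catalog knows it."""
    guid: str
    dn: str
    sid: str
    deleted: bool = False


class GlobalCatalog:
    """Forest-wide catalog: always has every object's current DN and SID."""

    def __init__(self):
        self.objects = {}      # guid -> ForestObject

    def add(self, obj: ForestObject) -> None:
        self.objects[obj.guid] = obj

    def move_within_domain(self, guid: str, new_dn: str) -> None:
        # Any move changes the DN (it encodes location); within a domain the SID stays.
        self.objects[guid].dn = new_dn

    def move_to_domain(self, guid: str, new_dn: str, new_domain_sid: str, new_rid: int) -> None:
        # A cross-domain move changes the SID to carry the new domain SID
        # (assumption for this model: the target domain issues a fresh RID).
        obj = self.objects[guid]
        obj.dn = new_dn
        obj.sid = f"{new_domain_sid}-{new_rid}"

    def delete(self, guid: str) -> None:
        self.objects[guid].deleted = True


@dataclass
class Reference:
    """A reference held in one domain to an object living in another domain:
    the GUID is stable, the cached DN and SID can go stale."""
    guid: str
    dn: str
    sid: str


class InfrastructureMaster:
    def __init__(self, gc: GlobalCatalog, hosts_global_catalog: bool = False):
        self.gc = gc
        self.hosts_global_catalog = hosts_global_catalog
        self.references = {}   # guid -> Reference, e.g. group members from other domains

    def add_reference(self, ref: Reference) -> None:
        self.references[ref.guid] = ref

    def refresh(self) -> list:
        """Periodic pass: compare each cross-domain reference with the global
        catalog and rewrite the local copy when its DN or SID changed, or drop it
        when the object was deleted. Returns the GUIDs that were touched."""
        if self.hosts_global_catalog:
            # A DC that is also a GC holds a copy of every object, so it has no
            # references to objects it does not hold and the role updates nothing;
            # stale copies on the domain's other DCs are left as they are.
            return []
        touched = []
        for guid, ref in list(self.references.items()):
            current = self.gc.objects[guid]
            if current.deleted:
                del self.references[guid]
                touched.append(guid)
            elif (ref.dn, ref.sid) != (current.dn, current.sid):
                ref.dn, ref.sid = current.dn, current.sid
                touched.append(guid)
        return touched


if __name__ == "__main__":
    gc = GlobalCatalog()   # constructed sample forest
    gc.add(ForestObject("guid-alice", "CN=Alice,OU=Sales,DC=europe,DC=example",
                        "S-1-5-21-111-222-333-1105"))
    im = InfrastructureMaster(gc)
    im.add_reference(Reference("guid-alice", "CN=Alice,OU=Sales,DC=europe,DC=example",
                               "S-1-5-21-111-222-333-1105"))
    gc.move_within_domain("guid-alice", "CN=Alice,OU=Marketing,DC=europe,DC=example")
    print(im.refresh(), im.references["guid-alice"])
```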

79/156

Transferring and Seizing Operations Master Roles

When you create a Microsoft Windows Server 2003 domain, Windows Server 2003 automatically configures all of the operations master roles

However, you may need to reassign an operations master role to another domain controller in the forest or the domain

To reassign an operations master role, determine the holder of the operations master role and then either transfer or seize the operations master role

80/156

Transfer of Operations Master Roles

The placement of operations master roles in a forest is done when the forest and domain structure is implemented, and requires change only when making a major change to the domain infrastructure

Such changes include decommissioning a domain controller that holds a role or adding a new domain controller that is better suited to hold a specific role

Transferring an operations master role means moving it from one functioning domain controller to another

To transfer roles, both domain controllers must be up and running and connected to the network

No data loss occurs when you transfer an operations master role, as this transfer uses the normal directory replication mechanism

The process of role transfer involves replicating the current operations master directory to the new domain controller, which ensures that the new operations master has the most current information available


    81/156

    Transfer of Operations Master Roles

82/156

Transfer of Operations Master Roles

To transfer an operations master role, you must have the appropriate permissions

The following table lists the groups that you must be a member of to transfer an operations master role

83/156

Seizing an operations master role

Seizing an operations master role means forcing an operations master role on another domain controller that cannot contact the failed domain controller and perform a transfer

Seizing an operations master role is a drastic step

Do it only if the current operations master will never be available again and if a role cannot be transferred

Because the previous role holder is unavailable during a seizure, you cannot reconfigure it or inform it that another domain controller now hosts the operations master role

To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory

Calculate the effect by comparing the impact of the missing service to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure


    84/156

    Seizing an operations master role

  • 7/28/2019 Activ Directory Presentation cum directorui.ppt

    85/156

    If the previous role holder comes back online after you seize an operations master role, it waits until after a full replication cycle before resuming the role of operations master
    This way, it can see whether another operations master exists before it comes back online
    If it detects one, it reconfigures itself to no longer host the roles in question
    Active Directory continues to function when the operations master roles are unavailable
    If the role holder is only offline for a short time, you may not need to seize the role to a new domain controller
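The transfer, seizure and return-of-the-old-holder behaviour described on the last three slides, as a small model that is an added illustration and not code from the presentation. Each domain controller keeps a replica of the role's owner attribute (Active Directory stores it as fSMORoleOwner on the role's naming context) with a version stamp, and the highest version wins during replication; that rule is what lets the previous holder discover after a full replication cycle that the role was seized while it was offline. The DC names and the two roles are constructed sample values.

```python
"""Toy model of operations master (FSMO) transfer and seizure.

Added illustration, not code from the presentation. Every DC keeps a replica
of the role owner attribute (fSMORoleOwner in Active Directory) with a version
stamp; on replication the highest version wins. DC01/DC02 are sample names.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class OwnerStamp:
    owner: str      # DC this replica believes holds the role
    version: int    # replication version; higher wins on conflict


class DomainController:
    def __init__(self, name: str, online: bool = True) -> None:
        self.name = name
        self.online = online
        self.roles: dict[str, OwnerStamp] = {}


class Forest:
    def __init__(self, dcs: list[DomainController]) -> None:
        self.dcs = {dc.name: dc for dc in dcs}

    def replicate(self) -> None:
        """One full replication cycle among online DCs: highest version wins."""
        roles = {r for dc in self.dcs.values() for r in dc.roles}
        online = [dc for dc in self.dcs.values() if dc.online]
        for role in roles:
            best = max((dc.roles[role] for dc in online if role in dc.roles),
                       key=lambda s: s.version)
            for dc in online:
                dc.roles[role] = OwnerStamp(best.owner, best.version)

    def transfer(self, role: str, dst: str) -> None:
        """Graceful transfer: both DCs must be reachable, nothing is lost."""
        target = self.dcs[dst]
        current = self.dcs[target.roles[role].owner]
        if not (current.online and target.online):
            raise RuntimeError("transfer requires both domain controllers online")
        self.replicate()  # the new holder first receives the current directory
        target.roles[role] = OwnerStamp(dst, target.roles[role].version + 1)
        self.replicate()

    def seize(self, role: str, dst: str) -> None:
        """Forced takeover, only when the previous holder cannot be contacted."""
        target = self.dcs[dst]
        if self.dcs[target.roles[role].owner].online:
            raise RuntimeError("previous holder is reachable: transfer instead")
        target.roles[role] = OwnerStamp(dst, target.roles[role].version + 1)
        self.replicate()

    def bring_online(self, name: str) -> dict[str, bool]:
        """The previous holder returns: it completes a full replication cycle,
        then checks per role whether it is still the owner before acting as master."""
        dc = self.dcs[name]
        dc.online = True
        self.replicate()
        return {role: stamp.owner == name for role, stamp in dc.roles.items()}

    def holder(self, role: str, as_seen_by: str) -> str:
        return self.dcs[as_seen_by].roles[role].owner


def build_sample_forest() -> Forest:
    """Two DCs; DC01 initially holds the PDC emulator and RID master roles."""
    dc01, dc02 = DomainController("DC01"), DomainController("DC02")
    for dc in (dc01, dc02):
        dc.roles = {"PDC": OwnerStamp("DC01", 1), "RID": OwnerStamp("DC01", 1)}
    return Forest([dc01, dc02])
```

Running `build_sample_forest()`, taking DC01 offline, seizing the PDC role to DC02 and then bringing DC01 back shows DC01 relinquishing PDC after its first replication cycle while still holding RID, which is the behaviour the slide describes.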


    Guidelines for Placing Operations Masters


    In each child domain, leave the PDC emulator, RID master, and infrastructure master roles on the first server in the domain, and ensure that this server is never designated as a global catalog server
    In each domain in the forest, the server that holds the operations master roles should have both high availability and high capacity
    A highly available domain controller is one that uses computer hardware that enables the domain controller to remain operational even during a hardware failure. For example, having a redundant array of independent disks (RAID) may enable the domain controller to keep running if a single hard disk fails
    A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload from holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth

    Guidelines for Placing the Schema Master


    The schema master is a forest-wide operations master role
    It controls all originating updates to the schema. If the schema master is unavailable, you cannot modify the schema
    By default, the first domain controller of a new forest holds the schema master role
    Make a highly available domain controller the schema master
    Since the schema defines all the objects that Active Directory can store, it is critical to record all changes that are made to the schema
    Do not require that the schema master be a high-capacity domain controller
    Schema changes are infrequent, the average server load is minimal, and the average replication traffic is not an overall concern

    Guidelines for Placing the Domain Naming Master


    The domain naming master is a forest-wide operations master role
    It controls the addition or removal of domains in the forest
    By default, the first domain controller of a new forest holds the domain naming master role
    Use a highly available domain controller as the domain naming master
    High availability is necessary when you add or remove a domain to or from the forest
    Do not require that the domain naming master be a high-capacity domain controller
    Adding and removing domains are infrequent tasks and the average server load is minimal

    Guidelines for Placing the PDC Emulator Master


    The PDC emulator master is a domain-wide operations master role
    It acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Windows NT within a domain that is set to either the Windows 2000 mixed or the Windows Server 2003 interim domain functional level
    The first domain controller that you create in a new domain is assigned the PDC emulator role
    Use a highly available domain controller as the PDC emulator
    All domain controllers frequently access the PDC emulator for password changes, forwarding of mismatched passwords during logon, time synchronization, and support of BDCs and clients running Windows NT and earlier
    Use a high-capacity domain controller as the PDC emulator

    Because there would be an increased load placed on this domain controller, do one of the following:
    Increase the domain controller's processing power
    Do not make the domain controller a global catalog server
    Reduce the priority and weight of the service (SRV) record to give preference for authentication to other domain controllers in the site
    Centrally locate this domain controller to accommodate the majority of the domain users

    Guidelines for Placing the RID Master


    Use a highly available domain controller as the RID master
    High availability is critical to the continued creation of security principals and to help prevent the necessity for seizing the role
    Do not require that the RID master be a high-capacity domain controller
    Creating security principals is typically an ongoing operation without large peaks. Also, because RIDs are distributed in blocks of 500 to each domain controller, the average server load and average replication traffic are minimal
    Configure the domain controller that holds the RID master role as a direct replication partner of the domain controller that is the standby or backup RID master
    This configuration reduces the risk of losing data when you seize the role because replication latency is minimized
    Centrally locate the RID master in your network if no site performs most of the user account creation
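The placement guidelines from the slides above (schema, domain naming, PDC emulator, RID and infrastructure masters), turned into a configuration audit. This is an added example, not code from the presentation; the inventory (DC names, sites, hardware flags) is constructed sample data that a real audit would pull from the directory. One check refines the slide's rule about the infrastructure master: it only needs to stay off a global catalog while some other DC in its domain is not a global catalog, since with every DC a GC there are no stale cross-domain references for it to fix.

```python
"""Audit operations master placement against the slide guidelines.

Added example, not part of the presentation. Inventory values below are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    domain: str
    site: str
    global_catalog: bool
    highly_available: bool    # redundant hardware, e.g. RAID
    high_capacity: bool       # faster CPU, extra memory / bandwidth
    replication_partners: set[str] = field(default_factory=set)


@dataclass
class Placement:
    schema_master: str
    domain_naming_master: str
    pdc_emulator: dict[str, str]          # domain -> DC name
    rid_master: dict[str, str]
    standby_rid_master: dict[str, str]
    infrastructure_master: dict[str, str]


def audit(dcs: list[DC], p: Placement) -> list[str]:
    by_name = {dc.name: dc for dc in dcs}
    findings: list[str] = []

    def need_ha(role: str, name: str) -> None:
        if not by_name[name].highly_available:
            findings.append(f"{role} {name}: should be on a highly available DC")

    # Forest-wide roles: availability matters, capacity does not.
    need_ha("schema master", p.schema_master)
    need_ha("domain naming master", p.domain_naming_master)

    for domain in p.pdc_emulator:
        pdc = by_name[p.pdc_emulator[domain]]
        need_ha("PDC emulator", pdc.name)
        if not pdc.high_capacity:
            findings.append(f"PDC emulator {pdc.name}: should be a high-capacity DC")
        if pdc.global_catalog:
            findings.append(f"PDC emulator {pdc.name}: consider removing the global catalog role to reduce load")

        rid = by_name[p.rid_master[domain]]
        need_ha("RID master", rid.name)
        standby = p.standby_rid_master.get(domain)
        if standby is None:
            findings.append(f"RID master {rid.name}: no standby RID master designated")
        elif standby not in rid.replication_partners:
            findings.append(f"RID master {rid.name}: standby {standby} is not a direct replication partner")

        infra = by_name[p.infrastructure_master[domain]]
        domain_dcs = [dc for dc in dcs if dc.domain == domain]
        if infra.global_catalog and not all(dc.global_catalog for dc in domain_dcs):
            findings.append(f"infrastructure master {infra.name}: is a global catalog while other DCs in {domain} are not")
    return findings


def sample_inventory() -> tuple[list[DC], Placement]:
    """Constructed two-domain forest with deliberate placement mistakes."""
    dcs = [
        DC("DC01", "corp.example", "HQ", True, True, True, {"DC02"}),
        DC("DC02", "corp.example", "HQ", False, True, False, {"DC01"}),
        DC("DC03", "sales.corp.example", "Branch", True, False, False, {"DC04"}),
        DC("DC04", "sales.corp.example", "Branch", False, True, True, {"DC03"}),
    ]
    placement = Placement(
        schema_master="DC01", domain_naming_master="DC01",
        pdc_emulator={"corp.example": "DC01", "sales.corp.example": "DC04"},
        rid_master={"corp.example": "DC02", "sales.corp.example": "DC03"},
        standby_rid_master={"corp.example": "DC01"},
        infrastructure_master={"corp.example": "DC02", "sales.corp.example": "DC03"},
    )
    return dcs, placement
```

On the sample inventory the audit reports four findings: the PDC emulator in corp.example doubles as a global catalog, and in sales.corp.example the RID master is neither highly available nor backed by a standby partner while the infrastructure master sits on a global catalog alongside a non-GC DC.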

    Single Sign On

    Active Directory enables a single sign-on that allows users to access the approved resources
    A single sign-on consists of two parts:
    Authentication, which verifies the credentials of the connection attempt
    Authorisation, which verifies that the connection attempt is allowed
    The authorisation process happens only after a successful authentication
    In the next slides we will see the authentication and authorisation processes in detail

    Single Sign On Authentication


    1. The user enters the credentials at a workstation to log on
    2. The credentials are encrypted by the client and sent to a domain controller for the client's domain
    3. The KDC (Key Distribution Center) compares the credentials with the credentials that the KDC stores. If the credentials match, then the process continues
    4. The domain controller creates a list of the domain-based groups that the user belongs to
    5. The domain controller then queries the global catalog to identify the universal groups that the user belongs to

    Single Sign On Authorization


    7. The client requests access to a resource that resides on a specific server
    8. The client uses the TGT to access the TGS
    9. The TGS issues a session ticket to the client for the server that the resource resides on. The session ticket also contains the SIDs for the user's group memberships
    10. The client presents the session ticket to the server
    11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource's DACL. If they match, the user is granted access to the resource

    Single Sign On Conclusion


    To conclude, authentication and authorization are complex processes; we will review them now
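The authentication and authorization steps above, as a runnable model that is an added example and not code from the presentation. Real Kerberos encrypts the TGT and session ticket under keys the client never sees; here tickets are plain dictionaries so the flow of SIDs from the domain controller and global catalog into the session ticket, and the LSA's comparison of those SIDs against the resource's DACL, stay visible. Users, group SIDs, the server name FS01 and the DACL are constructed sample data.

```python
"""Toy model of the single sign-on flow: KDC, TGT, TGS, session ticket, LSA check.

Added example, not code from the presentation. Tickets are unencrypted dicts;
all names, SIDs and the DACL are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

READ, WRITE = 0x1, 0x2   # access mask bits used by the sample DACL


class DomainController:
    """Plays the KDC for one domain and also fronts the global catalog query."""

    def __init__(self, domain_groups: dict[str, set[str]], global_catalog: dict[str, set[str]]):
        self._accounts: dict[str, tuple[str, bytes, bytes]] = {}
        self.domain_groups = domain_groups      # user -> domain-based group SIDs (step 4)
        self.global_catalog = global_catalog    # user -> universal group SIDs (step 5)

    def add_user(self, user: str, password: str, sid: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[user] = (sid, salt, digest)

    def authenticate(self, user: str, password: str) -> dict | None:
        """Steps 2-5: check the credentials, then collect the user's SIDs into a TGT."""
        record = self._accounts.get(user)
        if record is None:
            return None
        sid, salt, stored = record
        presented = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(stored, presented):
            return None
        sids = {sid} | self.domain_groups.get(user, set()) | self.global_catalog.get(user, set())
        return {"type": "TGT", "user": user, "sids": frozenset(sids)}

    def ticket_granting(self, tgt: dict | None, server: str) -> dict | None:
        """Steps 8-9: the TGS turns a TGT into a session ticket for one server."""
        if tgt is None or tgt.get("type") != "TGT":
            return None
        return {"type": "session", "server": server, "user": tgt["user"], "sids": tgt["sids"]}


def access_check(ticket: dict | None, server: str, dacl: list[tuple[str, str, int]], requested: int) -> bool:
    """Steps 10-11: the server's LSA compares the token SIDs with the DACL.
    ACEs are assumed to be in canonical order (deny before allow): a deny ACE
    covering any requested right refuses access; otherwise access is granted
    once allow ACEs have accumulated every requested right."""
    if ticket is None or ticket.get("type") != "session" or ticket["server"] != server:
        return False
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in ticket["sids"]:
            continue
        if ace_type == "deny" and mask & requested:
            return False
        if ace_type == "allow":
            granted |= mask
            if granted & requested == requested:
                return True
    return False


SALES, CONTRACTORS, ALL_STAFF = "S-1-5-21-1-1-1-1101", "S-1-5-21-1-1-1-1102", "S-1-5-21-1-1-1-2001"

SAMPLE_DACL = [
    ("deny", CONTRACTORS, WRITE),         # contractors may not write
    ("allow", ALL_STAFF, READ | WRITE),   # the universal group AllStaff may read and write
]


def sample_domain() -> DomainController:
    """Constructed accounts: alice is in Sales, bob in Contractors, both in AllStaff."""
    dc = DomainController(
        domain_groups={"alice": {SALES}, "bob": {CONTRACTORS}},
        global_catalog={"alice": {ALL_STAFF}, "bob": {ALL_STAFF}},
    )
    dc.add_user("alice", "correct horse", "S-1-5-21-1-1-1-1001")
    dc.add_user("bob", "battery staple", "S-1-5-21-1-1-1-1002")
    return dc


def request_access(dc: DomainController, user: str, password: str, requested: int) -> bool:
    """The whole flow for one user against the constructed file server FS01."""
    tgt = dc.authenticate(user, password)
    ticket = dc.ticket_granting(tgt, "FS01")
    return access_check(ticket, "FS01", SAMPLE_DACL, requested)
```

With the sample data, alice can read and write, bob can read but his write request fails on the deny ACE even though AllStaff would allow it, a wrong password never yields a TGT, and a session ticket issued for another server is rejected by FS01.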


    Granting Access Between Domains


    If an enterprise has multiple domains, in order for a user in one domain to access a resource in another domain, a trust relationship must first be created between the two domains
    Once the trust relationship has been created, users from one domain will be able to access resources in the other domain
    Trust relationships have evolved significantly since they were introduced back in the NT days
    When trusts were first implemented, it was a very simple model with one domain trusting another, and administrators in each domain were responsible for maintaining their part of the trust
    Windows 2000 introduced the two-way transitive trust
    Windows Server 2003 takes the trust a step further with a forest trust and by enabling a single administrator to configure both sides of the trust

    A transitive trust is a trust in which the two domains forming the trust not only trust each other, but other trusted domains as well
    If domain A trusts domain B, and domain B trusts domain C, then domain A also trusts domain C
    Nontransitive trusts are not automatic and must be set up
    An example of a nontransitive trust is an external trust, such as the trust between a domain in one forest and a domain in another forest
    Shortcut trusts are only partially transitive because trust transitivity is extended only down the hierarchy from the trusted domain, not up the hierarchy

    Forest trusts are also only partially transitive because forest trusts can only be created between two forests and they cannot be implicitly extended to a third forest
    For example, if forest 1 trusts forest 2, and forest 2 trusts forest 3, domains in forest 1 transitively trust domains in forest 2, and domains in forest 2 transitively trust domains in forest 3. However, forest 1 does not transitively trust forest 3
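The transitivity rules from the two slides above (transitive trusts inside a forest, forest trusts that never chain to a third forest, nontransitive external trusts), as a reachability check over a trust map. This is an added example, not code from the presentation; it generalises the forest 1 / forest 2 / forest 3 case to any set of trusts and the domain and forest names are constructed. Trusts are stored as directed edges from the trusting domain to the trusted domain, and a two-way trust is stored as two edges.

```python
"""Trust reachability under the transitivity rules described on the slides.

Added example, not from the presentation. Rules modelled: parent-child and
tree-root trusts inside a forest are transitive; a forest trust is transitive
only across that one pair of forests and never chains to a third forest; an
external trust is nontransitive and covers only the two domains it joins.
Domain names are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

TREE, FOREST, EXTERNAL = "tree", "forest", "external"


@dataclass(frozen=True)
class Trust:
    trusting: str    # domain that accepts users from `trusted`
    trusted: str
    kind: str
    two_way: bool = True


class TrustMap:
    def __init__(self, trusts: list[Trust]) -> None:
        self.edges: dict[str, list[tuple[str, str]]] = {}
        for t in trusts:
            self.edges.setdefault(t.trusting, []).append((t.trusted, t.kind))
            if t.two_way:
                self.edges.setdefault(t.trusted, []).append((t.trusting, t.kind))

    def trusts(self, trusting: str, trusted: str) -> bool:
        """Can a user from `trusted` be authenticated for resources in `trusting`?"""
        if trusting == trusted:
            return True
        # Breadth-first search over (domain, number of forest trusts used so far).
        queue = deque([(trusting, 0)])
        seen = {(trusting, 0)}
        while queue:
            domain, forest_hops = queue.popleft()
            for nxt, kind in self.edges.get(domain, []):
                if kind == EXTERNAL:
                    # Nontransitive: counts only as a direct link between the two domains.
                    if domain == trusting and nxt == trusted:
                        return True
                    continue
                hops = forest_hops + (1 if kind == FOREST else 0)
                if hops > 1:
                    continue   # a second forest trust would reach a third forest
                if nxt == trusted:
                    return True
                if (nxt, hops) not in seen:
                    seen.add((nxt, hops))
                    queue.append((nxt, hops))
        return False


def sample_trust_map() -> TrustMap:
    """Three forests (root1, root2, root3) with forest trusts root1-root2 and
    root2-root3, child domains under root1 and root2, and an external trust from
    sales.root1.example to the stand-alone domain legacy.example."""
    return TrustMap([
        Trust("root1.example", "sales.root1.example", TREE),
        Trust("root2.example", "hr.root2.example", TREE),
        Trust("root1.example", "root2.example", FOREST),
        Trust("root2.example", "root3.example", FOREST),
        Trust("sales.root1.example", "legacy.example", EXTERNAL),
    ])
```

On the sample map, hr.root2.example and sales.root1.example trust each other through one forest trust, root1 does not trust root3 because that would need two, and only sales.root1.example (not its parent) trusts legacy.example.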


    Introduction to Maintaining Active Directory


    Maintenance of the Active Directory database is an important administrative task that must be regularly scheduled to ensure that, in the case of disaster, you can recover lost or corrupted data and repair the Active Directory database
    Active Directory has its own database engine, the Extensible Storage Engine (ESE), which manages the storage of all Active Directory objects in the Active Directory database
    An understanding of how the changes that are made to attributes in Active Directory are written to the database will help you understand how data modification affects database performance, database fragmentation, and data integrity

    Active Directory support files and their functions


    Ntds.dit
    This is the main AD database
    NTDS stands for NT Directory Services. DIT stands for Directory Information Tree
    The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts
    A global catalog server stores the partial naming context replicas in the Ntds.dit right along with the full domain naming context for its domain


    Edb.log
    This is a transaction log
    Any changes made to objects in Active Directory are first saved to a transaction log
    During lulls in CPU activity, the database engine commits the transactions into the main Ntds.dit database
    This ensures that the database can be recovered in the event of a system crash
    Entries that have not been committed to Ntds.dit are kept in memory to improve performance
    Transaction log files used by the ESE engine are always 10 MB


    Edbxxxxx.log
    These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit
    The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened
    The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again
    ESENT (Server Database Storage Engine) uses circular logging
    Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending


    Edb.chk
    This is a checkpoint file
    It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit
    As transactions are committed, the checkpoint moves forward in the Edb.chk file
    If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination
    Temp.edb
    This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction
    Schema.ini
    This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished

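The interplay of Edb.log, the rotated Edbxxxxx.log files, the Edb.chk checkpoint and circular logging described on the four slides above, as a toy write-ahead log. This is an added example, not code from the presentation or from ESE itself: log capacity is counted in entries rather than the fixed 10 MB, and the "files" are Python lists keyed by the names the slides use. It shows why a crash before the lazy commit loses nothing: every change is already in a log past the checkpoint and is replayed on restart.

```python
"""Toy write-ahead log modelled on the Edb.log / Edbxxxxx.log / Edb.chk files.

Added example, not code from the presentation or ESE. Capacity is measured in
entries (real ESE logs are a fixed 10 MB); file names follow the slides.
"""
from __future__ import annotations


class EseStore:
    LOG_CAPACITY = 3    # entries per log file, a stand-in for 10 MB

    def __init__(self) -> None:
        self.ntds_dit: dict[str, dict[str, str]] = {}     # committed database
        self.logs: dict[str, list[tuple[int, str, str, str]]] = {"Edb.log": []}
        self.generation = 0          # hex suffix of the most recently rotated log
        self.edb_chk = 0             # checkpoint: highest LSN already applied to Ntds.dit
        self.next_lsn = 1            # log sequence number of the next entry
        self.cache: dict[str, dict[str, str]] = {}        # in memory, not yet committed

    def write(self, obj: str, attr: str, value: str) -> int:
        """Change an attribute: the log entry is written first, then the memory cache."""
        if len(self.logs["Edb.log"]) >= self.LOG_CAPACITY:
            self._rotate()
        lsn = self.next_lsn
        self.next_lsn += 1
        self.logs["Edb.log"].append((lsn, obj, attr, value))
        self.cache.setdefault(obj, {})[attr] = value
        return lsn

    def _rotate(self) -> None:
        """Edb.log is full: it becomes EdbNNNNN.log (hex) and a fresh Edb.log is
        started (the slides describe this as Edbtemp.log being renamed to Edb.log)."""
        self.generation += 1
        self.logs[f"Edb{self.generation:05x}.log"] = self.logs.pop("Edb.log")
        self.logs["Edb.log"] = []

    def _entries_after_checkpoint(self) -> list[tuple[int, str, str, str]]:
        entries = sorted(e for log in self.logs.values() for e in log)   # ordered by LSN
        return [e for e in entries if e[0] > self.edb_chk]

    def commit(self) -> int:
        """Idle-time flush: apply logged changes to Ntds.dit, advance Edb.chk, then
        delete rotated logs whose entries are all behind the checkpoint (circular
        logging). Returns the number of entries applied."""
        applied = 0
        for lsn, obj, attr, value in self._entries_after_checkpoint():
            self.ntds_dit.setdefault(obj, {})[attr] = value
            self.edb_chk = lsn
            applied += 1
        for name in list(self.logs):
            if name != "Edb.log" and all(lsn <= self.edb_chk for lsn, *_ in self.logs[name]):
                del self.logs[name]
        self.cache.clear()
        return applied

    def crash_and_recover(self) -> int:
        """Lose everything in memory, then replay the logs from the checkpoint;
        recovery is the same replay that commit() performs, so it reuses it."""
        self.cache = {}
        return self.commit()

    def read(self, obj: str, attr: str) -> str | None:
        cached = self.cache.get(obj, {}).get(attr)
        if cached is not None:
            return cached
        return self.ntds_dit.get(obj, {}).get(attr)
```

Writing four changes with a capacity of three rotates Edb.log into Edb00001.log; a crash then replays all four entries into Ntds.dit, the checkpoint moves to 4, and the rotated log is deleted as fully committed.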

    Moving and Defragmenting the Active Directory Database

    Why move database and log files?
    You move a database to a new location when you defragment the database
    Moving the database does not delete the original database, so you can use the original database if the defragmented database does not work or becomes corrupted
    Also, if your disk space is limited, you can add another hard disk drive and move the database to the new hard disk drive
    Additionally, you move database files for hardware maintenance
    If the disk on which the files are stored requires upgrading or maintenance, you can move the files to another location temporarily or permanently

    Backing Up Active Directory


    Backing up is essential to maintaining the Active Directory database
    You can back up Active Directory by using the graphical user interface (GUI) and command-line tools that are provided in the Windows Server 2003 family
    You back up the system state data of domain controllers frequently so that you have the most current data to restore
    By establishing a regularly scheduled backup routine, you have a better chance of recovering data when necessary
    To ensure a good backup, which includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime
    By default, the tombstone lifetime is 60 days; any backup older than 60 days is not a good backup

    You should plan to back up at least two domain controllers in each domain, one of which is an operations master role holder
    For each domain, you should maintain at least one backup to enable authoritative restores of the data when necessary
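A check of a backup set against the rules on the two slides above: a good backup holds the system state and the system disk and is younger than the tombstone lifetime, and each domain needs usable backups of at least two domain controllers, one of them an operations master role holder. This is an added example, not code from the presentation; the backup records and dates are constructed sample data, and the 60-day default is the value the slide gives (your forest's actual tombstoneLifetime attribute may differ).

```python
"""Check domain controller backups against the tombstone lifetime and the
per-domain coverage rules from the slides. Added example, not code from the
presentation; records and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DEFAULT_TOMBSTONE_LIFETIME = timedelta(days=60)   # slide default; check your forest
SAMPLE_TODAY = date(2019, 7, 28)                  # constructed "today" for the sample


@dataclass(frozen=True)
class Backup:
    dc: str
    domain: str
    taken: date
    includes_system_state: bool
    includes_system_disk: bool
    operations_master: bool    # the DC held at least one operations master role


def complete(b: Backup) -> bool:
    return b.includes_system_state and b.includes_system_disk


def fresh(b: Backup, today: date, lifetime: timedelta = DEFAULT_TOMBSTONE_LIFETIME) -> bool:
    """Younger than the tombstone lifetime; an older backup would reintroduce
    deleted objects that the other replicas no longer remember."""
    return today - b.taken < lifetime


def usable(b: Backup, today: date, lifetime: timedelta = DEFAULT_TOMBSTONE_LIFETIME) -> bool:
    return complete(b) and fresh(b, today, lifetime)


def audit_backups(backups: list[Backup], today: date,
                  lifetime: timedelta = DEFAULT_TOMBSTONE_LIFETIME) -> dict[str, list[str]]:
    """Per domain, list what is wrong with the backup set (empty list means OK)."""
    findings: dict[str, list[str]] = {}
    for domain in sorted({b.domain for b in backups}):
        mine = [b for b in backups if b.domain == domain]
        good = [b for b in mine if usable(b, today, lifetime)]
        issues: list[str] = []
        for b in mine:
            if not fresh(b, today, lifetime):
                issues.append(f"{b.dc}: backup from {b.taken} is older than the tombstone lifetime")
            elif not complete(b):
                issues.append(f"{b.dc}: backup from {b.taken} lacks the system state or the system disk")
        if len({b.dc for b in good}) < 2:
            issues.append("fewer than two domain controllers have a usable backup")
        if not any(b.operations_master for b in good):
            issues.append("no usable backup of an operations master role holder")
        findings[domain] = issues
    return findings


def sample_backups() -> list[Backup]:
    """Constructed set: corp.example is covered properly, sales.corp.example is not."""
    return [
        Backup("DC01", "corp.example", date(2019, 7, 25), True, True, True),
        Backup("DC02", "corp.example", date(2019, 7, 20), True, True, False),
        Backup("DC03", "sales.corp.example", date(2019, 5, 1), True, True, True),
        Backup("DC04", "sales.corp.example", date(2019, 7, 27), True, False, False),
    ]
```

For the sample set, corp.example passes while sales.corp.example collects four findings: a backup past the tombstone lifetime, a backup without the system disk, and consequently neither two usable backups nor one of an operations master.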


    Components of the System State Data


    Active Directory (only on domain controllers). System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller
    The SYSVOL shared folder (only on domain controllers). The SYSVOL folder is a shared folder that contains Group Policy templates and logon scripts
    The registry. The registry is a database repository for information about the computer's configuration
    The system start-up files. These are required during the initial start-up phase of Windows Server 2003. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system
    The COM+ Class Registration database. The class registration is a database of information about Component Services applications

    How to Back Up Active Directory


    To perform a backup procedure, you must be a member of the Administrators or Backup Operators group on the local computer, or you must have been delegated the appropriate authority
    If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure
    You can only back up the system state data on a local computer
    You cannot back up the system state data on a remote computer

    Restoring Active Directory


    The Windows Server 2003 family enables you to restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures
    You also must restore the Active Directory database when objects in Active Directory are changed or deleted
    You can restore replicated data on a domain controller in several ways
    You can reinstall the domain controller, and then let the normal replication process repopulate the new domain controller with data from its replicas
    You can use the Backup Utility Wizard to restore replicated data from backup media without reinstalling the operating system or reconfiguring the domain controller


    There are three methods for restoring Active Directory from backup media:
    The Primary Restore Method
    The Normal (Nonauthoritative) Restore Method
    The Authoritative Restore Method


    Primary restore
    A primary restore rebuilds the first domain controller in a domain when there is no other way to rebuild the domain
    A primary restore should only be performed when all the domain controllers in the domain are lost, and you are trying to rebuild the domain from the backup
    Normal (nonauthoritative) restore
    A nonauthoritative restore reinstates the Active Directory data to the state it was in when the backup was taken, and then updates the data through the normal replication process
    A normal restore should only be performed when you want to restore a single domain controller to a previously known good state


    Authoritative restore
    An authoritative restore is performed in tandem with a normal restore
    An authoritative restore marks specific data as current and prevents that data from being overwritten by replication
    The authoritative data is then replicated throughout the domain
    Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers
    When you perform an authoritative restore, all changes to the restored object that occurred after the backup are lost
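The difference between a normal (nonauthoritative) restore and an authoritative restore, as a model of what replication does after each. This is an added example, not code from the presentation. Every attribute carries a replication version and the highest version wins when replicas converge; an authoritative restore raises the version of the selected objects above anything the other replicas hold (the real tool applies a large increment, and its exact scheme is not modelled here). Object names and the two-DC domain are constructed sample data.

```python
"""Nonauthoritative versus authoritative restore under version-wins replication.

Added example, not the presentation's code. The version increment is a
stand-in for what the real restore tool applies; names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Attr:
    value: str | None
    version: int
    deleted: bool = False


class DomainController:
    def __init__(self, name: str, objects: dict[str, Attr]) -> None:
        self.name = name
        self.objects = dict(objects)

    def backup(self) -> dict[str, Attr]:
        """System state backup: a snapshot of this DC's replica."""
        return dict(self.objects)

    def modify(self, dn: str, value: str) -> None:
        a = self.objects[dn]
        self.objects[dn] = Attr(value, a.version + 1)

    def delete(self, dn: str) -> None:
        a = self.objects[dn]
        self.objects[dn] = Attr(None, a.version + 1, deleted=True)   # tombstone


def replicate(dcs: list[DomainController]) -> None:
    """Converge every replica on the highest version of each object."""
    dns = set().union(*(dc.objects for dc in dcs))
    for dn in dns:
        best = max((dc.objects[dn] for dc in dcs if dn in dc.objects), key=lambda a: a.version)
        for dc in dcs:
            dc.objects[dn] = best


def nonauthoritative_restore(dc: DomainController, snapshot: dict[str, Attr]) -> None:
    """Put the replica back to the backup state; replication then brings it current."""
    dc.objects = dict(snapshot)


def authoritative_restore(dc: DomainController, snapshot: dict[str, Attr],
                          dns: tuple[str, ...], increment: int = 100_000) -> None:
    """Normal restore first, then mark the chosen objects so their versions win."""
    nonauthoritative_restore(dc, snapshot)
    for dn in dns:
        a = snapshot[dn]
        dc.objects[dn] = Attr(a.value, a.version + increment, a.deleted)


def scenario(authoritative: bool, mark: tuple[str, ...] = ("CN=Alice",)) -> tuple[bool, str | None]:
    """After the backup, Alice is deleted and Bob's department is changed on DC02.
    DC01 is then restored. Returns (Alice exists, Bob's department) as seen on DC02
    once replication has run."""
    start = {"CN=Alice": Attr("Sales", 1), "CN=Bob": Attr("Sales", 1)}
    dc01, dc02 = DomainController("DC01", start), DomainController("DC02", start)
    snapshot = dc01.backup()
    dc02.delete("CN=Alice")
    dc02.modify("CN=Bob", "Marketing")
    replicate([dc01, dc02])
    if authoritative:
        authoritative_restore(dc01, snapshot, mark)
    else:
        nonauthoritative_restore(dc01, snapshot)
    replicate([dc01, dc02])
    alice, bob = dc02.objects["CN=Alice"], dc02.objects["CN=Bob"]
    return (not alice.deleted, bob.value)
```

A normal restore of DC01 is immediately overwritten by replication, so Alice stays deleted; an authoritative restore of Alice alone brings her back while Bob keeps his post-backup change; marking Bob authoritative as well discards that change, which is the loss the slide warns about.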


    What is a Group Policy?


    Like files and folders, users and groups, and domains and organizational units, a Group Policy Object (GPO) is just another software object, typically stored in the Active Directory database
    This software object is made up of a collection of settings that can potentially affect almost any aspect of user and computer configuration
    Group Policies can then be linked to the container objects in Active Directory: sites, domains, and organizational units
    The linked Group Policies will then configure settings that, by default, affect all objects in the container
    They can be used to determine what Start Menu options are available, what the background of the desktop will be, and what programs will be available

    The Local Group Policy Object
