CHAPTER 4
IMPLEMENTING ACTIVE DIRECTORY
Lesson 1:
Planning Active Directory Implementation
Before implementing Active Directory, you must examine your organization’s business structure and operations and plan the domain structure, domain namespace, OU structure, and site structure needed by your organization.
Planning a Domain Structure
Because the core unit of logical structure in Active Directory is the domain, which can store millions of objects, it is essential to plan the domain structure for your company carefully. When planning a domain structure, you must assess your company’s
Assessing the Logical Environment
You must understand how your company conducts daily operations to determine the logical structure
of your organization. Consider how the company operates functionally and geographically.
Assessing the Physical Environment
By assessing your company’s physical environment, you can determine the technical requirements
for implementing Active Directory.
To assess user requirements, for each functional and geographical division determine:
=====================================================================
winads4.html PAGE 2 2002/02/08
To assess network requirements, for each geographical division determine:
Assessing Administrative Requirements
Assessing how your company’s network resources are managed also helps you to plan your domain
structure. Identify the method of network administration used by your company:
Centralized administration. A single administrative team provides network services. Smaller
companies with fewer locations or business functions often use this method.
Decentralized administration. A number of administrators or administrative teams provide network
services. Teams may be divided by location or business function.
Customized administration. The administration of some resources is centralized and that of others is decentralized, depending on business needs.
Domain Requirements
One domain can span multiple sites and contain millions of objects. Keep in mind that site and
domain structures are separate and flexible. A single domain can span multiple geographical sites,
and a single site can include users and computers belonging to multiple domains.
The following are some reasons to create more than one domain:
Assessing Domain Organization Needs
If you’ve determined that your company requires more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization. You can organize domains into a tree or a forest depending on the company’s business needs. Recall that domains in trees and forests share the same configuration, schema, and global catalog. As domains are placed in a tree or forest hierarchy, the two-way transitive trust relationships allow the domains to share resources. All domains in a domain tree have a contiguous DNS namespace.
Planning a Domain Namespace
In Windows 2000 Active Directory, domains are named with DNS names.
external Internet namespace?
Choosing a DNS Domain Name
When setting up DNS servers, it is recommended that you first choose and register a unique parent
DNS name that can be used for hosting your organization on the Internet.
Before you decide on a parent DNS name for your organization to use on the Internet, perform a search to see if the name is already registered to another entity. The Internet DNS namespace is currently managed by Network Solutions, Inc., though other domain name registrars are also available.
Internal and External Namespaces
To implement Active Directory, there are two choices for namespace design. The Active Directory
namespace can either be the same or separate from the established, registered DNS namespace.
Same Internal and External Namespaces
Users on the company’s internal, private network must be able to access both internal and external
servers (both sides of the firewall).
Clients accessing resources from the outside must not be able to access internal company resources
or resolve names to protect company data.
Advantages of using the same internal and external namespaces are as follows:
The tree name, Microsoft.com, is consistent both on the internal private network and on the external public Internet.
This scenario (p94) extends the idea of a single logon name to the public Internet, allowing users to
use the same logon name both internally and externally. For example, jsmith@microsoft.com would
serve as both the logon and e-mail ID.
Disadvantages of using the same internal and external namespaces are as follows:
difference between internal and external resources.
zone records for internal and external name resolution.
resources.
Separate Internal and External Namespaces
Basically, the names will be different on either side of the firewall. Microsoft.com is the name that is
used outside the firewall and msn.com is the name used inside the firewall.
Separate names are used inside and outside the corporation. Microsoft.com is the name that the
Internet community sees and uses. Msn.com is the name that the private network sees and uses.
To do this, two namespaces must be registered with the Internet DNS. The purpose of registering
both names is to prevent duplication of the internal name by another public network.
Two zones will be established. One zone will resolve Microsoft.com and the other DNS zone will
resolve msn.com on the inside of the firewall. Users can clearly distinguish between internal and
external resources.
The advantages of using separate internal and external namespaces are as follows:
Based on different domain names, the difference between internal and external resources is clear.
There is no overlap or duplication of effort, resulting in more easily managed environment.
Configuration of proxy clients is simpler because exclusion lists only need to contain Microsoft.com
when identifying external resources.
The disadvantages of using separate internal and external namespaces are as follows:
Logon names are different from e-mail names. For example, John Smith would log on as jsmith@msn.com and his e-mail address would be jsmith@microsoft.com.
Multiple names must be registered with an Internet DNS.
Domain Naming Requirements and Guidelines
When you plan your company’s domain namespace, consider the following domain naming requirements and guidelines for root domains and subdomains:
standard DNS characters: A-Z, 0-9 and the hyphen (-). No underscore, only the hyphen.
characters. Case-sensitive naming is not supported: DNS is not case-sensitive, so upper and lower case are treated as the same name.
domains and domain organizations.
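As an added example (not from the course notes), the following Python function applies the naming rules above to a candidate domain name and reports every problem it finds. The 63-character label limit, the 255-character name limit and the rule that a label may not begin or end with a hyphen come from the DNS hostname standards (RFC 952/1123) rather than from this lesson, and flagging a single-label name is the example's own assumption, following the advice to start from a registered parent name.

```python
"""Check a proposed Active Directory DNS domain name against the naming
guidelines: labels made only of A-Z, 0-9 and the hyphen (no underscore),
compared case-insensitively.  Added example, not course code.  Length
limits and the no-leading/trailing-hyphen rule come from RFC 952/1123;
treating a single-label name as a problem is this example's assumption."""
import re

MAX_LABEL = 63
MAX_NAME = 255
LABEL_CHARS = re.compile(r"[a-z0-9-]+")


def check_domain_name(name: str) -> list:
    """Return the problems found with the name; an empty list means it is usable."""
    problems = []
    # DNS is not case-sensitive, so normalise before checking; a trailing
    # dot (fully qualified form) is allowed and ignored.
    norm = name.rstrip(".").lower()
    if not norm:
        return ["empty name"]
    if len(norm) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    labels = norm.split(".")
    if len(labels) < 2:
        # Assumption: start from a registered parent name such as example.com.
        problems.append("single-label name; use a registered parent name")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
            continue
        if "_" in label:
            problems.append(f"label '{label}' contains an underscore; only the hyphen is allowed")
        elif not LABEL_CHARS.fullmatch(label):
            problems.append(f"label '{label}' uses characters outside A-Z, 0-9 and the hyphen")
        elif label[0] == "-" or label[-1] == "-":
            problems.append(f"label '{label}' starts or ends with a hyphen")
        if len(label) > MAX_LABEL:
            problems.append(f"label '{label}' longer than {MAX_LABEL} characters")
    return problems


def is_valid_domain_name(name: str) -> bool:
    return not check_domain_name(name)


if __name__ == "__main__":
    for candidate in ("Microsoft.com", "msn.com", "my_corp.example.com", "-corp.example.com"):
        print(candidate, check_domain_name(candidate) or "OK")
```

Run it against every root and child domain name in the plan before the first dcpromo; a name that fails here cannot be corrected later without rebuilding the domain.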
Planning an OU Structure
After you determine your company’s domain structure and plan its domain namespace, you must plan its
OU structure. You can create a hierarchy of OUs in a domain. In a single domain, organize users and
resources by using a hierarchy of OUs to reflect the structure of the company.
Consider creating an OU if you want to do the following:
users are maintained and displayed in a single list, regardless of a user’s department,
location, or role.
manage them.
objects to allow administrators to locate similar network resources easily, to
simplify security and to perform any administrative tasks.
Planning an OU Hierarchy
Although there are no restrictions on the depth of the OU hierarchy, a shallow hierarchy performs better than a deep one. OUs should represent business structures that are not subject to change.
*** See the diagrams on page 99 ***
Business function-based OUs: can be created based on the various business functions within the organization.
Geographical-based OUs: can be created based on the location of the company offices.
Business function and geographical-based OUs: can be created based on both business function and the location of company offices. A business function and geographical-based OU hierarchy for domain.com
Planning a Site Structure
Recall that a site is part of the Active Directory physical structure and is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast network connection. A single domain can include multiple sites, and a single site can include multiple domains or parts of multiple domains.
The way in which you set up sites affects Windows 2000 in two ways:
Workstation logon and authentication. When a user logs on, Windows 2000 will try
to find a domain controller in the same site as the user’s computer to service the user’s
logon request and subsequent requests for network information.
Directory replication. You can configure the schedule and path for replication of a
domain’s directory differently for inter-site replication, as opposed to replication within a site.
Optimizing Workstation Logon Traffic
When planning sites, consider which domain controllers the workstations on a given subnet should use.
Optimizing Directory Replication
When planning sites, consider where the domain controllers and the network connections between them will be located. Because each domain controller must participate in directory replication with the other domain controllers in its domain, configure sites so that inter-site replication occurs at times and intervals that will not interfere with network performance. Consider designating a bridgehead server in each site: the domain controller preferred to send and receive inter-site replication on behalf of that site.
Designing a Site Structure
Designing a site structure for a network that consists of a single local area network (LAN) is simple.
Establish a separate site with its own domain controllers when you feel domain controllers are not
responding fast enough to meet the needs of your users.
Follow these steps to design a site structure for an organization with multiple physical locations:
domain structure, including site locations, network speed, how network connections are
organized, network connection speed, how network connections are utilized, and TCP/IP
subnets.
determines
when replication can occur between the sites that it connects. Wiring, check it periodically.
for replication.
Summary:
and operations and plan the domain structure, domain namespace, OU structure, and site
structure needed by your organization.
environment structure, administrative requirements, needs for multiple domains, and domain
organization needs.
determine if the internal and external will be the same or different. If so, are you going to
register them both?
Lesson 2:
Installing Active Directory
The Active Directory Installation Wizard performs the following tasks:
Active Directory is loaded by running dcpromo.exe. It is also important to set up DNS before you run dcpromo, so you do not have any problems. When I installed it, it did it within the dcpromo command both at home and at school, and I did not have any problems, but some people at school were having all kinds of problems.
To launch the Active Directory Installation Wizard, run Configure Your Server on the Administrative
Tools menu, Start menu, or run DCPROMO from the command prompt.
As you install Active Directory, you can choose whether to add the new domain controller to an existing
domain or create the first domain controller for a new domain.
Adding a Domain Controller to an Existing Domain
If you choose to add a domain controller to an existing domain, you create a peer domain controller.
You create peer domain controllers for redundancy and to reduce the load on the existing domain
controllers.
Creating the First Domain Controller for a New Domain
If you choose to create the first domain controller for a new domain, you create a new domain. You
create domains on your network to partition your information, which enables you to scale Active
Directory to meet the needs of your organization.
======================================================================
Creating a New Domain   Description
======================================================================
New child domain        When you create a child domain, the new domain is a child domain in an existing domain.
New domain tree         When you create a new tree, the new domain is not part of an existing domain. You can create a new tree in an existing
Configuring DNS for Active Directory
Active Directory uses DNS as its location service, enabling computers to find the location of domain controllers. To find a domain controller in a particular domain, a client queries DNS for the SRV resource records that provide the names and IP addresses of the Lightweight Directory Access Protocol (LDAP) servers for the domain. LDAP is the protocol used to query and update Active Directory, and all domain controllers run the LDAP service.
Active Directory requires DNS, but DNS does not require Active Directory: you can install DNS without it.
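The locator behaviour that the site-planning section and this section describe (associate the client with a site by its IP subnet, then ask DNS for the SRV records of LDAP servers, preferring the client's own site) can be modelled in a few lines. This is an added example, not course code or a Windows component: the subnet-to-site table, the site names and the SRV answers are constructed, the record names follow the _msdcs pattern that Windows registers, and the choice among answers follows the SRV priority/weight rule of RFC 2782.

```python
"""Model of the Active Directory domain controller locator.  Added example,
not course code: the subnet table, site names and DNS answers are
constructed.  Record names follow the Windows pattern
_ldap._tcp.<site>._sites.dc._msdcs.<domain> (site-specific) and
_ldap._tcp.dc._msdcs.<domain> (domain-wide)."""
import ipaddress
import random
from typing import Dict, List, Optional, Tuple

# Constructed subnet-to-site table, as defined in Active Directory Sites and Services.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "Seattle",
    "10.1.50.0/24": "Seattle-Lab",   # more specific than 10.1.0.0/16, so it wins
    "10.2.0.0/16": "London",
}

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)

# Constructed DNS answers; London has no DC of its own, so its clients fall back.
FAKE_DNS: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.Seattle._sites.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
        (10, 100, 389, "dc3.example.com"),   # higher priority value: used only if the others are absent
    ],
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet table.
    None means the address belongs to no site, so the client queries domain-wide."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def srv_names(domain: str, site: Optional[str]) -> List[str]:
    """SRV names to query, in order: the site-specific record first, so the
    logon goes to a DC in the client's own site, then the domain-wide record."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def choose_server(records: List[SrvRecord],
                  rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: only records with the lowest priority value are
    considered; among them the choice is proportional to weight."""
    if not records:
        return None
    rng = rng or random.Random()
    lowest = min(r[0] for r in records)
    pool = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.uniform(0, total)
    running = 0
    for rec in pool:
        running += rec[1]
        if pick < running:
            return rec
    return pool[-1]


def locate_dc(ip: str, domain: str, dns=FAKE_DNS, subnets=SUBNET_TO_SITE,
              rng: Optional[random.Random] = None) -> Optional[Tuple[str, str, int]]:
    """Return (query name that answered, DC host, port), or None if no DC was found."""
    for name in srv_names(domain, site_for_ip(ip, subnets)):
        rec = choose_server(dns.get(name, []), rng)
        if rec:
            return name, rec[3], rec[2]
    return None
```

A client whose subnet is missing from the site table, or a site whose SRV records never got registered, silently falls through to the domain-wide record and may authenticate across a WAN link; checking those two tables is the first step when logons are slow.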
The Database and Shared System Volume
Installing Active Directory creates the database and database log files, as well as the shared system volume.
The database and its log files are by default located in systemroot\NTDS on the boot partition. Some of the log files should have no contents; if this is true it means that DCPROMO ran successfully and there were no errors. It is a good idea to check the log files to ensure that the operation was successful.
The log files are as follows:
Replication of the shared system volume occurs on the same schedule as replication of the Active Directory database; within a site, the Windows 2000 default is replication about every 5 minutes.
Domain Modes
There are two domain modes: mixed mode and native mode.
Mixed Mode
When you first install or upgrade a domain controller to Windows 2000 Server, the domain
controller is set to run in mixed mode.
Native Mode
When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to
add any more pre-Windows 2000 domain controllers to the domain, you can switch the domain
from mixed mode to native mode.
During the conversion from mixed mode to native mode:
gone, you can no longer have any domain controllers in your domain that are not running Windows
2000 Server.
The Server that served as the primary domain controller during migration is no longer the domain
master; all domain controllers begin acting as peers.
NOTE: The change from mixed mode to native mode is one-way only; you cannot change from
native mode to mixed mode.
To change the domain mode to native mode: Start/Programs/Administrative Tools/Active Directory
Domains and Trusts/Properties/change mode.
Removing Active Directory Services from a Domain Controller
Running DCPROMO from the run command on an existing domain controller allows you to remove Active
Directory from the domain controller, thus demoting it to a member server. If the domain controller is the
last domain controller in the domain, it will become a stand-alone server. If you remove Active Directory
from all domain controllers in a domain, you also delete the directory database for the domain, and the
domain no longer exists. Computers joined to this domain can no longer log on to the domain or use
domain services.
***** For more information on installing Active Directory see page 107 ***
Lesson Summary:
Directory Installation Wizard.
(or the Root drive which is C).
Active Directory uses DNS as its location service.
Directory Installation Wizard. Unless you are using a DNS server other than Windows
2000 or you want to perform a special configuration, you do not need to manually configure
DNS to support Active Directory.
2000 Server.
Users and Computers console.
Lesson 3: Operations Master Roles
Operations master roles are assigned to domain controllers to perform single-master operations: changes that must not be made at more than one place in the forest at the same time. The domain controller holding a role is the only one permitted to make that kind of change.
In any Active Directory forest, five operations master roles must be assigned to one or more domain
controllers. Some roles must appear in every forest. Other roles must appear in every domain in the
forest. You can change the assignment of operations master roles after setup, but in most cases this
will not be necessary.
Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:
Schema master (entire forest)
Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be
only one schema master and one domain naming master.
Schema Master Role
The schema master domain controller controls all updates and modifications to the schema. To update
the schema of a forest, you must have access to the schema master. At any time, there can be only
one schema master in
the entire forest.
Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time. By default the role is held by the first domain controller installed in the forest.
Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles: relative ID master, PDC emulator, and infrastructure master.
These roles must be unique in each domain. This means that each domain in the forest can have only one relative ID master, PDC emulator, and infrastructure master.
Relative ID Master Role
The relative ID master allocates sequences of relative IDs (RIDs) to each of the domain controllers in its domain; a domain controller takes a RID from its allocated pool to form the security ID (SID) of each new user, group or computer it creates. At any time, there can be only one domain controller acting as the relative ID master in each domain in the forest.
To move an object between domains (using MOVETREE.EXE: Active Directory Object Manager),
you must initiate the move on the domain controller acting as the relative ID master of the domain that
currently contains the object.
PDC Emulator Role
If the domain contains computers operating without Windows 2000 client software or if it contains Windows
NT backup domain controllers BDCs, the PDC emulator acts as a Windows NT primary Domain Controller.
It processes password changes from clients and replicates updates to the BDCs. At any time, there can be
only one domain controller acting as the PDC emulator in each domain in the forest.
If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt. If the PDC emulator is down, users notice: a logon that depends on a password change not yet replicated to their domain controller is rejected.
Infrastructure Master Role (was on quiz)
The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or moved. At any time, there can be only one domain controller acting as the infrastructure master in each domain. Unless the domain has only one domain controller, this role should not be on the same domain controller as the global catalog server.
When you rename or move a member of a group and that member resides in a different domain from the group, the group may temporarily appear not to contain that member. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
Planning Operations Master Locations
When you create a new child domain or the root domain of a new domain tree in an existing forest, the
first domain controller in the new domain is automatically assigned the following roles:
Because there can be only one schema master and one domain naming master in the forest, these roles
remain in the first domain created in the forest.
The first domain controller in each of the other domains is assigned the three domain-specific roles.
The default operations master locations work well for a forest deployed on a few domain controllers in
a single site.
Planning the Operations Master Role Assignments by Domain
If a domain has only one domain controller, that domain controller will hold all of the domain roles.
Otherwise, choose two well-connected domain controllers that are direct replication partners.
In typical domains, you assign both the relative identifier master and PDC emulator roles to the
operations master domain controller.
Unless there is only one domain controller in the domain, the infrastructure master role should not be
assigned to the domain controller that is hosting the global catalog.
If the infrastructure master and global catalog are on the same domain controller, the infrastructure
master will not function.
Planning the Operations Master Roles for the Forest
Once you have planned all of the domain roles for each domain, consider the forest roles. The schema
master and domain naming master roles should always be assigned to the same domain controller.
Planning for Growth
Normally, as your forest grows, you will not need to change the locations of the various operations master roles. But when you are planning to decommission a domain controller, change the global catalog status of a domain controller, or reduce the connectivity of parts of your network, you should review your plan and revise the operations master role assignments as necessary.
Audit the role assignments every once in a while; Active Directory replication generates a lot of network traffic, so plan well.
Responding to Operations Master Failures
Some of the operations master roles are crucial to the operation of your network.
If an operation master is not available due to computer failure or network problems, you can seize
the operations master role.
Before forcing the transfer, first determine the cause and expected duration of the computer or
network failure.
IMPORTANT A domain controller whose schema, domain naming, or relative identifier master
role has been seized must never be brought back online without first reformatting the drives and
reloading Windows 2000.
Schema Master Failure
Temporary loss of the schema operations master is not visible to network users. It will not be
visible to network administrators either, unless they are trying to modify the schema or install an
application that modifies the schema during installation.
Domain Naming Master Failure
Temporary loss of the domain naming master is not visible to network users. It will not be visible
to network administrators either, unless they are trying to add a domain to the forest or remove a
domain from the forest.
Relative ID Master Failure
Temporary loss of the relative identifier operations master is not visible to network users. It will not be visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative identifiers.
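An added example (not from the course notes) that simulates the relative ID master's single-master role and the failure just described: each domain controller stamps new security principals with a RID from its own pool and asks the RID master for another pool before the current one is empty, so the loss of the master is invisible until a domain controller's local pool is exhausted. The domain SID is constructed, the pool size of 500 is the Windows 2000 default, and the refill threshold is the example's own assumption, as noted in the code.

```python
"""Simulation of RID pool allocation by the relative ID master.  Added
example, not course code.  DOMAIN_SID is constructed; POOL_SIZE matches the
Windows 2000 default of 500; REFILL_AT is an assumed threshold."""
from typing import List, Optional

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
POOL_SIZE = 500
REFILL_AT = POOL_SIZE // 2          # assumption: ask for the next pool when half remains
FIRST_ALLOCATED_RID = 1000          # RIDs below 1000 are reserved for well-known accounts


class RidMaster:
    """The single master for the domain: the only source of new RID pools."""

    def __init__(self) -> None:
        self.next_rid = FIRST_ALLOCATED_RID
        self.online = True

    def allocate_pool(self) -> Optional[range]:
        if not self.online:
            return None                 # unreachable: no new pools until restored or seized
        pool = range(self.next_rid, self.next_rid + POOL_SIZE)
        self.next_rid += POOL_SIZE      # pools never overlap, so SIDs stay unique domain-wide
        return pool


class DomainController:
    """A DC consumes RIDs from its own pool; it never invents RIDs itself."""

    def __init__(self, name: str, master: RidMaster) -> None:
        self.name = name
        self.master = master
        self.pool: List[int] = []
        self.refill()

    def refill(self) -> bool:
        pool = self.master.allocate_pool()
        if pool is None:
            return False
        self.pool.extend(pool)
        return True

    def remaining(self) -> int:
        return len(self.pool)

    def create_principal(self, sam_account_name: str) -> Optional[str]:
        """Return the SID of the new user/group/computer, or None if out of RIDs."""
        if len(self.pool) <= REFILL_AT:
            self.refill()               # fails quietly while the RID master is down
        if not self.pool:
            return None                 # the failure that surfaces only after the master is lost
        rid = self.pool.pop(0)
        return f"{DOMAIN_SID}-{rid}"


def all_unique(sids: List[str]) -> bool:
    """True if no two principals received the same SID."""
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    master = RidMaster()
    dc1, dc2 = DomainController("dc1", master), DomainController("dc2", master)
    print(dc1.create_principal("alice"), dc2.create_principal("bob"))
    master.online = False
    print("dc2 can still create", dc2.remaining(), "objects before it fails")
```

This is also why a seized RID master must never be brought back on line (see the IMPORTANT note above): a second master would hand out pools that overlap those already issued, and two principals would share a SID.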
PDC Emulator Failure
The loss of the primary domain controller (PDC) emulator affects network users.
Use NTDSUTIL to seize the role, and document the seizure carefully.
If the current PDC emulator master will be unavailable for an unacceptable length of time and its
domain has clients without Windows 2000 client software, or if it contains Windows NT backup
domain controllers, seize the PDC emulator master role to the standby operations master. When
the original PDC emulator master is returned to service, you can return the role to the original
domain controller.
Users will know if the PDC emulator is down because they will have problems logging on (see the password-forwarding behaviour described under the PDC emulator role). After a seizure, wait until the change has replicated to every domain controller before returning the role: 2-3 days within a single company network, and up to a month across a country over WAN links.
Infrastructure Master Failure
Temporary loss of the infrastructure master is not visible to network users.
If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the
role to a domain controller that is not a global catalog but is well connected to a global catalog
(from any domain), ideally in the same site as the current global catalog.
Lesson Summary:
master.
emulator,
and the infrastructure master.
Lesson 4:
Implementing an Organizational Unit Structure
You should create OUs that mirror your organization’s functional or business structure. Each domain
can implement its own OU hierarchy. If your enterprise contains several domains, you can create OU
structures within each domain, independent of the structures in the other domains.
OUs are not security principals, so you cannot grant an OU permissions on a resource, and an OU is not a security boundary. OUs are containers used to delegate administrative control over the objects they hold and to link Group Policy.
Creating OUs
Use the Active Directory Users and Computers console to create OUs. When you create an OU, it is
always created on the first available domain controller that is contacted by MMC, and then the OU is
replicated to all other domain controllers.
Setting OU Properties
A set of default properties is associated with each OU that you create. These properties equate to the
object attributes.
You can use the properties that you define for an OU to search for OUs in the directory.
Lesson Summary:
that is contacted by