Study Guide for Microsoft Exam 070-294
Planning and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Global Catalog Servers:
The Global Catalog can be thought of as a database, or master directory, of all Active Directory objects in all of the domains. The global catalog is used during the logon process and to locate resources and objects in different domains. Global Catalog Servers respond to queries, so response time can be decreased by increasing the number of Global Catalog Servers to include at least one in each large office (allowing computers to search locally rather than crossing slow links). You have to be careful, though, because too many GC servers in a network can cause excessive network traffic.
The Global Catalog is automatically created on the first domain controller created in a forest, and other domain controllers can be configured to act as GC servers as well. To provide fault tolerance, additional Global Catalog servers should be created and made available.
FSMOs:
Special roles can be assigned to domain
controllers to act as single master roles. A single master role is not
permitted to occur simultaneously at different locations on the network.
The role can be Active Directory related
(Domain controllers) or purely service-oriented. Within those that are
Active Directory related, there are five FSMOs (Flexible Single Master
Operations) roles:
1. PDC (Primary Domain Controller) emulator – used for backward compatibility
2. RID (Relative ID) Master – holds the pool of ID numbers to be used
3. Infrastructure Master – handles updates and name changes
4. Domain Naming Master – by default the first domain controller in a forest
5. Schema Master – oversees all schema operations
The domain controller currently performing one of these roles is known as the role master. Microsoft recommends that the PDC emulator and RID master be kept on the same domain controller, and that the Domain Naming Master be stored on a Global Catalog server.
The five operations master roles are
responsible for keeping track of and originating replication and are
divided into two categories: forestwide and domainwide.
Forestwide
Note: Both the Schema master and the Domain Naming master should be on the same domain controller.
Schema master
· Only one schema master in the forest (can have standbys)
· Controls schema updates and modifications
· Failure of the schema master can go unnoticed until a change is made to the schema
· If the schema master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system
Domain naming master
· Only one domain naming master in the forest (can have standbys)
· The only server responsible for controlling the addition or removal of domains to the forest
· Failure of the domain naming master can go unnoticed until a domain is added to or removed from the forest
· If the current Domain Naming Master server is to become unavailable, its role should be seized. If the domain naming master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system
Domainwide
Relative ID (RID) master
· Each domain will have one relative ID master
· Responsible for management of relative IDs (object security)
· An ID will be generated for each domain object that combines the domain security ID (the same for all domain objects) with a unique relative ID
· Responsible for initiating the move when moving objects between domains (MOVETREE is a utility used to move objects between domains)
· Failure of the relative ID master can go unnoticed until an administrator attempts to create domain objects and the domain runs out of available relative identifiers
· If the relative ID master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system
Primary Domain Controller (PDC) emulator
· Each domain will have only one PDC emulator
· Provides support for client systems
· Receives preferential replication of any password changes
· If logon authentication fails at any domain controller, the request is forwarded to the PDC emulator
· Acts as a Windows NT PDC, providing updates to any Windows NT BDCs during a migration to Active Directory
· Failure of the PDC emulator can immediately affect network users
· If the PDC emulator role is seized permanently, the server can be brought back online and returned to the PDC emulator role
Infrastructure master
· Each domain will have only one infrastructure master
· Updates group or user references when a group contains members from a different domain and group membership changes
· If placed on a Global Catalog server, the infrastructure master will not be able to do its job properly: out-of-date data will not be detected and therefore replication will not occur. Because of this, the Infrastructure Master should not be located on a global catalog server
· Failure of the infrastructure master can go unnoticed unless a number of changes have been made
· If the infrastructure master role is seized, the original server can be returned to the infrastructure master role when brought back online
The Domain Naming master allows
additions, removals, and some modifications of all domains in the
forest. It also generates the unique SID for every domain in the forest.
The Infrastructure master updates group-to-user references when changes
occur. It is recommended that the Infrastructure master be placed on a
domain controller that is not the global catalog server to even the load
and separate the burden of each role.
The PDC Emulator master is used for
interoperability with older clients. The RID master and PDC Emulator
roles should be placed on the same domain controller (if it is not
overloaded)—or, if not, on separate primary operations master domain
controllers (making sure they both have direct connection objects to the
standby PDC emulator and RID master servers).
The RID (Relative ID) master issues IDs
to domain controllers, as needed (10,000 at a time). The Schema master
controls all updates to the schema. The Schema master and Domain Naming
master are forest-wide in nature, whereas the RID, Infrastructure, and
PDC Emulator masters are domain-based. (Only one server in each domain
is needed for these operations.)
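Added example (not part of the study guide): a Python check that takes a constructed inventory of domain controllers and reports where the placement deviates from the rules in this section: exactly one holder per forest-wide role, exactly one holder per domain-wide role in each domain, Schema and Domain Naming masters together on a global catalog server, PDC emulator and RID master together, and the Infrastructure master kept off a global catalog. The DC names and domains are made up; the check also allows the widely documented exception, not mentioned in the guide, that an Infrastructure master may sit on a GC when every DC in its domain is a GC.

```python
from collections import defaultdict
from dataclasses import dataclass, field

FOREST_ROLES = {"schema", "domain_naming"}
DOMAIN_ROLES = {"rid", "pdc", "infrastructure"}


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool                          # holds a Global Catalog replica
    roles: set = field(default_factory=set)


def check_fsmo_placement(dcs):
    """Return a list of findings; an empty list means the placement follows the guidance."""
    findings = []
    forest_holders = defaultdict(list)   # role -> DCs holding it (forest-wide roles)
    domain_holders = defaultdict(list)   # (domain, role) -> DCs holding it
    for dc in dcs:
        for role in dc.roles:
            if role in FOREST_ROLES:
                forest_holders[role].append(dc)
            elif role in DOMAIN_ROLES:
                domain_holders[(dc.domain, role)].append(dc)
            else:
                findings.append(f"{dc.name}: unknown role '{role}'")
    domains = sorted({dc.domain for dc in dcs})

    # A single master role must exist exactly once in its scope.
    for role in sorted(FOREST_ROLES):
        names = [dc.name for dc in forest_holders[role]]
        if len(names) != 1:
            findings.append(f"forest: {role} master held by {len(names)} DCs {names}, expected exactly 1")
    for domain in domains:
        for role in sorted(DOMAIN_ROLES):
            names = [dc.name for dc in domain_holders[(domain, role)]]
            if len(names) != 1:
                findings.append(f"{domain}: {role} master held by {len(names)} DCs {names}, expected exactly 1")

    # Forest-wide guidance: Schema and Domain Naming masters together, on a GC.
    schema, naming = forest_holders["schema"], forest_holders["domain_naming"]
    if len(schema) == 1 and len(naming) == 1:
        if schema[0].name != naming[0].name:
            findings.append(f"forest: schema master ({schema[0].name}) and domain naming master ({naming[0].name}) are on different DCs")
        if not naming[0].is_gc:
            findings.append(f"forest: domain naming master {naming[0].name} is not a global catalog server")

    # Domain-wide guidance: RID and PDC together; Infrastructure master off the GC.
    for domain in domains:
        rid = domain_holders[(domain, "rid")]
        pdc = domain_holders[(domain, "pdc")]
        infra = domain_holders[(domain, "infrastructure")]
        if len(rid) == 1 and len(pdc) == 1 and rid[0].name != pdc[0].name:
            findings.append(f"{domain}: RID master ({rid[0].name}) and PDC emulator ({pdc[0].name}) are on different DCs")
        if len(infra) == 1 and infra[0].is_gc:
            # Widely documented exception (not stated in the guide): when every DC in the
            # domain is a GC there is no stale cross-domain data for the role to fix.
            if not all(dc.is_gc for dc in dcs if dc.domain == domain):
                findings.append(f"{domain}: infrastructure master {infra[0].name} is on a global catalog server")
    return findings


# Constructed inventory (names and domains are made up for this example).
SAMPLE_FOREST = [
    DomainController("DC1", "corp.example", True, {"schema", "domain_naming", "rid", "pdc"}),
    DomainController("DC2", "corp.example", True, {"infrastructure"}),   # GC while DC3 is not
    DomainController("DC3", "corp.example", False),
    DomainController("DC4", "sales.corp.example", False, {"rid", "infrastructure"}),
    DomainController("DC5", "sales.corp.example", True, {"pdc"}),         # split from the RID master
]

if __name__ == "__main__":
    for finding in check_fsmo_placement(SAMPLE_FOREST):
        print(finding)
```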
Active Directory Structure:
Active Directory is a database that stores information about objects in the network—such as users, computers, printers, and shared folders—in a central location. The Active Directory naming scheme follows the path: forest, tree(s), domains. Active Directory depends on DNS (Domain Name System) to work. In the absence of DNS, there is – effectively – no Active Directory. Active Directory is designed to be scalable and to interoperate with other name services.
Active Directory names are equivalent to DNS names and use the SRV records of DNS to store information about services, thereby creating "dynamic DNS." To refer to a host in a domain, you use a fully qualified domain name (FQDN). It is recommended that the registered DNS name your company already has, if it is connected to the Internet, be used as the Active Directory root domain.
A forest can consist of either a single
domain or multiple domains. (Therefore, by definition, a single domain
can also be a tree). A tree is a contiguous namespace, meaning the child
has the parent as part of its name. Each tree has its own identity
within the forest. Domains are partitions; that is, entities that can be
combined into trees and forests, but that operate with some autonomy.
Domains contain objects, and/or organizational units (OUs). An OU is a
container for organizing objects within a domain into logical
sub-groupings. A domain is an administrative as well as security
boundary since administrative privileges do not extend past domain
boundaries. The Active Directory root domain has to be unique within the
DNS realm it works with.
Reasons for creating OUs (organizational
units) include: to control access to resources, to create group policy
objects, to delegate administration, and/or to group common objects.
The simplest network is a network with
one domain. Reasons for creating additional domains include: to isolate
replication traffic, to retain existing NT domain structures, to support
decentralized administration, to support international boundaries,
and/or to support more than one domain policy. Factors to consider when
deciding to create more than one domain include replication, security,
and overhead.
Objects are organized in a hierarchical structure rather than by physical location and can include:
· Users
· Groups
· Computers
· Shared resources
· Security information
Active Directory key concepts to focus on are:
· Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are collections of object attributes.
· Schema: A database structure made up of attribute definitions and object definitions known as schema objects or metadata (data about data). Adding new attributes can extend a schema; however, once an object is created it can be disabled but not deleted. Write access to the schema is restricted to the Administrators group.
Active Directory Schema Objects
· stored in Active Directory
· arranged in a logical hierarchy – the Directory Information Tree (DIT)
· includes a preconfigured database – the base DIT – that contains the information that is required to install and run the operating system and Active Directory
· one section of the base DIT holds the base schema
· schema objects are located in the Schema container
Active Directory Schema Container
· a special-purpose object class
· the topmost object of the schema directory partition (cn=schema,cn=configuration,dc=<forest root domain name>)
· contains all of the class and attribute definitions that are required to locate objects in Active Directory and to create new objects
Active Directory DIT and partitions
· DIT = Directory Information Tree
· divided into directory partitions
· a directory partition is a tree of directory objects
· a directory partition forms a unit of replication in Active Directory
Site link bridges are used to connect
sites together and to model the routing behavior of a network. Within a
site, replication traffic is carried out via Remote Procedure Calls over
IP, while between sites it is done through either RPC or SMTP.
The purpose of the Knowledge Consistency Checker (KCC) is to generate a replication topology for both intra-site and inter-site replication. Windows Server 2003 uses a different calculation from the one used with Windows 2000 in order to speed up intersite replication.
The REPADMIN command-line utility
allows you to do such things as check the KCC status, see when the last
partner replication took place, and disable compression on intersite
replication.
A forest is a collection of Active
Directory domains. All trees within a forest have different naming
structures but share common schema.
Trees are groupings of domains that share
contiguous namespaces and a hierarchical naming structure.
· Single Domain: One domain that is the first and only tree's root domain as well as the forest's root. OUs are used to build the Active Directory structure and should be kept to a minimum.
· Tree with Multiple Domains: Used when implementing different security policies in remote offices, or when limiting administrative control between different locations.
· Forest with Multiple Trees: Each tree has its own unique namespace, and all trees are part of the same Active Directory. Each tree is identified by its root domain's DNS name. The trees share a common schema, configuration information and Global Catalog.
Naming of objects in Active Directory is a critical issue.
· Each Active Directory object must be uniquely identified.
· Domain Name System (DNS) is required for Active Directory. NETLOGON.DNS is the file that holds DNS entries for Active Directory. It resides beneath the System32\Config folder.
· Object names must follow an established naming convention.
The following are common name formats:
· LDAP Distinguished Name (DN). A DN exists for every object in Active Directory. The values cannot be duplicates; they must be unique.
· LDAP Relative Distinguished Name (RDN). RDNs need not be unique if they exist in separate OUs.
· User Principal Name (UPN). These are often referred to as “friendly names.”
LDAP functionality is a key component of
Active Directory, employing similar naming standards. LDAP functionality
makes Active Directory compatible with other naming strategies (such as
BIND). LDAP is a derivative of X.500. LDAP uses four different name
types: 1) Distinguished name, 2) Relative Distinguished name, 3) User
Principal name, and 4) Canonical name.
The Distinguished name, in LDAP, is the
full path, including containers, of the object. The Relative
Distinguished name (RDN), in LDAP, is the portion of the name that’s
unique within its container. The User Principal name, in LDAP, is the
user-friendly name. The Canonical name, in LDAP, is a top-down notation
of the Distinguished name.
Real-time LDAP is now supported, also
known as LDAPv3, and security for digest authentication is now available
for secure queries to a domain controller.
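As an added illustration (not part of the original study guide), the following Python walks one DN through the name forms described above: it splits the DN into RDNs while honouring backslash escapes, takes the leading RDN (the part unique within its container), and builds the canonical name as the top-down notation of the same components. The DN is a constructed example; escaping a forward slash inside a value as `\/` in the canonical form follows the usual Active Directory convention and is an assumption of this code.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn):
    """Split an LDAP DN into its RDN strings (most specific first), honouring
    backslash escapes so a comma inside a value does not split the component."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep the escape sequence intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def unescape_value(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and a hex pair such as '\\2C' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if HEX_PAIR.fullmatch(value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_rdn(rdn):
    """Return (ATTRIBUTE, decoded value) for one RDN such as 'CN=Doe\\, John'."""
    attr, _, raw = rdn.partition("=")
    return attr.strip().upper(), unescape_value(raw.strip())


def relative_dn(dn):
    """The RDN is the leading component of the DN: unique only within its container."""
    return split_dn(dn)[0]


def canonical_name(dn):
    """Top-down notation of the DN: 'dns.domain/Container/.../Leaf'.
    DC components become the dotted DNS name; the remaining components are
    reversed, and a '/' inside a value is escaped as '\\/' (assumed convention)."""
    comps = [parse_rdn(p) for p in split_dn(dn)]
    domain = ".".join(v for a, v in comps if a == "DC")
    path = [v.replace("/", "\\/") for a, v in comps if a != "DC"]
    return "/".join([domain] + path[::-1])


# Constructed DN for the example; the escaped comma is part of the CN value.
SAMPLE_DN = r"CN=Doe\, John,OU=Sales,OU=EMEA,DC=corp,DC=example"

if __name__ == "__main__":
    print(relative_dn(SAMPLE_DN))       # CN=Doe\, John
    print(canonical_name(SAMPLE_DN))    # corp.example/EMEA/Sales/Doe, John
```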
Sites
· Groups of subnets and domain controllers connected through a reliable high-speed connection, used to partition Active Directory into logical groups.
· A set of one or more IP subnetwork addresses
· Controls how replication is managed, logon traffic and DFS topology
Active Directory Sites
· Domain controllers get added to the Default-First-Site-Name object, which is automatically created
· Intersite replication occurs between two or more sites over manually created links based on a replication schedule
· To minimize network traffic, data is compressed to about 10-15% of its volume before intersite replication is transmitted
· Active Directory domains are defined by the network’s logical structure
· Sites are based on the network’s physical structure
· Sites can include:
o All Active Directory domain controllers
o Some of the Active Directory domain controllers
o Domain controllers from different Active Directory domains
Site Links
Site links specify how Active Directory will connect sites within the network and inform Active Directory of favorable replication links. “Active Directory Sites and Services” is used to create sites and site links.
· When Active Directory is installed, a default site link (DEFAULTIPSITELINK) is created
· The transport used for transferring data between sites:
o Remote Procedure Call (RPC) over TCP/IP [seen as IP] – required for File Replication Service
o Simple Mail Transfer Protocol (SMTP) – used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain. SMTP is asynchronous, whereas RPC is synchronous.
· Cost value determines which site link to use when multiple paths are available
o The lower the cost, the higher the priority
o Based on bandwidth and priority
o Default cost is 100
· Scheduling controls when replication occurs
o Set through the link schedule
o The “Replicate every” property determines how long a connection waits before checking for updates (15-10,080 minutes)
o By default a link is always available
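Added example (not from the study guide) of how the cost rule above plays out when several paths exist: a small Python model of sites joined by site links, each with a cost (100 by default), that finds the least-cost route between two sites by summing the costs of the links crossed. The topology and site names are constructed; the model assumes all site links are bridged (the default "Bridge all site links" behaviour), so routes may pass through intermediate sites.

```python
import heapq
from dataclasses import dataclass

DEFAULT_SITE_LINK_COST = 100  # default cost given on the page


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset     # two or more sites share one link and one cost
    cost: int = DEFAULT_SITE_LINK_COST


def least_cost_route(links, source, target):
    """Cheapest route from source to target, where the cost of a route is the
    sum of the costs of the site links crossed (lower cost = preferred).
    Assumes all site links are bridged (transitive), the default setting.
    Returns (total_cost, [sites in order], [site link names]) or None."""
    adjacency = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, link.cost, link.name))
    best = {source: 0}      # site -> cheapest cost found so far
    previous = {}           # site -> (previous site, link used)
    heap = [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue        # stale heap entry
        if site == target:
            break
        for nxt, link_cost, link_name in adjacency.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                previous[nxt] = (site, link_name)
                heapq.heappush(heap, (new_cost, nxt))
    if target not in best:
        return None
    sites, used = [target], []
    while sites[-1] != source:
        prev_site, link_name = previous[sites[-1]]
        sites.append(prev_site)
        used.append(link_name)
    return best[target], sites[::-1], used[::-1]


# Constructed topology (not from the page): a hub site, two branches and a
# remote site reachable over a shared slow link or an expensive satellite link.
SAMPLE_LINKS = [
    SiteLink("HQ-A", frozenset({"HQ", "Branch-A"})),                            # default cost 100
    SiteLink("HQ-B", frozenset({"HQ", "Branch-B"}), 150),
    SiteLink("A-B-Remote", frozenset({"Branch-A", "Branch-B", "Remote"}), 300),
    SiteLink("HQ-Remote-Sat", frozenset({"HQ", "Remote"}), 500),
]

if __name__ == "__main__":
    print(least_cost_route(SAMPLE_LINKS, "HQ", "Remote"))          # 400 via Branch-A beats the 500 direct link
    print(least_cost_route(SAMPLE_LINKS, "Branch-A", "Branch-B"))  # 250 through HQ beats the 300 shared link
```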
Active Directory Infrastructure:
LDAP is the main access protocol for
Active Directory. LDAP is an Internet standard used to exchange
information between applications and directories.
· Replication: automatic updates of Active Directory between servers. The Knowledge Consistency Checker (KCC) is responsible for generating replication information within a forest. The KCC runs on each domain controller automatically. REPLMON is used to show the replication topology and monitor status. It can also be used to force replication or KCC recalculation.
Replication
· Replication to all domain controllers occurs every 15 minutes by default but can be forced through Active Directory Sites and Services.
· When the domain controller is expanded under Sites\Default-First-Site-Name\Servers, select NTDS Settings. Right-click and select Replicate Now.
Compression is used when replication is
between sites. Multimaster replication is employed by Active Directory
to keep all domain controllers as peers.
Active Directory Connector (ADC) is used
for replication between Exchange and Active Directory.
Active Directory Replication
· Changes made to Active Directory need to be propagated to all Domain Controllers
· Uses a multiple-master replication model whereby all domain controllers are equal
Intrasite Replication
· Automatic replication between domain controllers in the same site
· Uses Remote Procedure Call (RPC) communication to control notification
· RPC is used for replication traffic within a site, and the data it sends is uncompressed.
o Replication latency is the delay between when a change is made on one domain controller and when it is replicated to the other domain controllers.
o Replication convergence occurs after replication has taken place, all domain controllers are up to date and no new changes are to be sent.
Event Viewer is the primary tool
used for viewing log files. In addition to the three log files that have
always existed (Application, System – which contains information about
services and drivers that fail to start - and Security), there are now
log files for: Directory Services, File Replication Service, and DNS, if
those services are in use.
Group Strategy:
It is highly recommended to put users
into groups and give permissions to the groups. In Windows Server 2003,
the following types of groups exist:
· Machine local
· Domain local
· Global
· Universal
· Builtin – these are Domain local groups that exist for compatibility with Windows NT. By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
By default, the Everyone group is given
read permission when a file is shared. This differs from earlier
operating systems in which Everyone was assigned full control
permissions on all new shares.
Distribution groups are used for
nonsecurity-related purposes. Security groups are used to assign
permissions to a grouping of users for accessing one or more objects.
Active Directory Structures:
When deciding whether to implement Active
Directory in an existing or planned network, it is important to detail
the possible impact of so doing.
Access patterns need to be taken into account during an analysis: Are all the resources centralized, or are they dispersed? When users need to access a resource, is it within their LAN 80% of the time, or only 20% (meaning they access the WAN 80% of the time)? What are the implications of the resources being centralized versus being dispersed? What are the implications of the resource being within the LAN 80% of the time versus 20%?
The geographic scope as well as the owner
or organization responsible for the company fall beneath company size
analysis.
When doing user and resource distribution
analysis, the main question is: Where are the users? How are they
serviced? How do they reach the resources (servers, printers, etc.)? Do
they reach them via hubs, switches, routers, or bridges? Via modems or
proxy servers?
Connectivity between sites must be
factored in. What bandwidth is employed? Are there leased lines or
dial-up connections (with or without multilink)?
Speeds employed on WANs differ by technology. The most common technologies are modems (analog, ISDN, DSL, and cable) and leased lines (T1, T3, E1, E3). An analog/traditional modem requires a single phone line for a connection and is limited in speed to approximately 57,600bps. ISDN (Integrated Services Digital Network) requires two phone lines and can reach a speed of approximately 128,000bps. DSL (Digital Subscriber Line) uses existing (copper) phone lines and is available only in certain areas. You must be within a short distance of a switching station, and speeds can reach 9Mbps. The closer you are to the central office, the faster the possible speed (and the type of DSL available – ADSL, HDSL, etc. – also varies with distance). Cable modems work with the coaxial cable from the cable television company. The speed, though reduced as the number of users grows, is approximately 2Mbps. T1 is a dedicated line that operates across 24 channels at 1.544Mbps. T3 is a dedicated line of 672 channels able to run at speeds of 43Mbps. E1 is the European counterpart to T1; it uses 32 channels and can run at 2.048Mbps. E3 is the European counterpart to T3.
Connectivity can include hubs, switches,
bridges, routers. You must determine which topologies are employed (star
versus mesh, etc.).
User Authentication:
Security groups are groups listed in DACLs (Discretionary Access
Control Lists) for the purpose of setting permissions for access to
resources and objects. According to AccessingResources_Domains.asp in
TechNet:
It is important to understand the following security group concepts before you begin the planning process:
- Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a resource.
- Group nesting. The ability to nest security groups is dependent on group scopes and domain functionality.
- Group scope. Group scope helps determine the domain-wide and forest-wide access boundaries of security groups.
- Domain functionality. The domain functional level of the trusting and trusted domains can affect group functionality such as group nesting.
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you with the planning effort.
Best practices for controlling access to shared resources across domains
By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other domains. Consider the following best practices:
- Organize domain users based on administrative needs, such as their locations or departments, and then create a global group, and add the appropriate user accounts as members.
- Create a domain local group, and add all global groups from the other domain that need the same access to a resource in your domain.
- Assign the required permissions on the shared resource to the domain local group.
Group Policy:
RSoP (Resultant Set of Policy) is a new tool included with Windows
Server 2003 that shows how permissions and policies overlap. It factors
in inheritance and other factors and shows what the resulting policy
will be that applies to the user or computer in an Active Directory
tree. Gpresult is a command-line utility that can perform the
same function as RSoP.
Windows Server 2003 includes GPUPDATE – a new utility that
replaces SECEDIT switches for group policy updates. SECEDIT still exists
in 2003, but it is now used only for applying changes and reporting on
them.
Group Policy
Group Policy is a component of Active Directory used to restrict users and enforce limitations. Operating systems prior to Windows 2000 must utilize system policies, created with the POLEDIT utility.
· Reduces Total Cost of Ownership (TCO)
· Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations
· Three possible settings for policies: Not Configured, Enabled and Disabled
Group Policies can be used to assign and publish software. Assigning software causes the software to be installed regardless of whether it is used. Published software is available to the users/machines, but it is not installed automatically. Software can be assigned to a user or computer, but published only to users (not computers).
Disk quotas can be assigned via group policies to restrict how much space a user is allowed to have in specific folders.
Group policies are applied in the order Site, Domain, and then Organizational Unit (OU).
Creating and Modifying Group Policies
· Group policy settings are refreshed throughout the network, on average every 90 minutes
· Domain Controllers refresh on average every 5 minutes
· The refresh interval for Domain Controllers can be modified through Group Policy settings
· When deleting a GPO, any links are automatically dropped without warning
· Filtering GPOs allows Group Policies to be applied to individual users rather than all users and computers in an OU
GPO Tools
Gpotool.exe Utility
· Used to check GPOs
· Used to view information about specific GPOs
· Checks GPO consistency
· Checks GPO replication
Gpresult.exe Utility
· Used to determine if a problem is related to group policies
· Analyzes group policies that are applied for the current user or computer
· Report displays which policy settings are applied for the user