Why do I need to know AD?

 
Forum: microsoft.public.windows.server.active_directory
Tony Girgenti (Guest), Wed May 17, 2006 1:06 am

Hello.

I'm really not sure of what AD is or does and why I need to learn it.

I installed an SBS2003 premium system for five users. It's up and running
and working fine. All setup was done through the Server Manager and I never
went into AD. The documentation says that AD is all set up for you when you
do the installation.

So why do I need to know AD?

Thanks,
Tony
kj (Guest), Wed May 17, 2006 1:12 am

For SBS2003, if you set it up by the book and don't change anything, you
really need to know very little about AD.

But it's a good idea that you have an SBS Specialist's phone number close at
hand that can help you out from time to time.

--
/kj
rowell.dionicio@gmail.com (Guest), Wed May 17, 2006 2:00 am

From what I learned, AD holds all your resources. Someone once told me
it is like a phonebook. You can get very detailed with it and create a
really secure and organized network. With 5 users there probably isn't
much to do, but with a larger network you can get in more depth with AD.
Joe Richards [MVP] (Guest), Wed May 17, 2006 2:19 am

On SBS, AD is pretty close to a black box for you, especially with so few users.

If you are interested though, pick up the book in the signature. I wrote the 3rd
edition of it and it is a good book even if I say so. :)

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm

Hank Arnold (Guest), Wed May 17, 2006 12:16 pm

You really should learn the basics. If nothing else, you will have an
idea as to what is possible and not. I'd still recommend you get a good
AD reference book and/or admin guide. I can guarantee there will be
times when you'll thank the gods that you have it (especially when the
CEO makes an absurd request based on "I heard...").

Regards,
Hank Arnold

Jorge Silva (Guest), Thu May 18, 2006 1:39 am

Hi

If you don't have money to buy books, check these links for a start:

How the Data Store Works
http://technet2.microsoft.com/WindowsServer/en/Library/54094485-71f6-4be8-8ebf-faa45bc5db4c1033.mspx

Data Store Tools and Settings
http://technet2.microsoft.com/WindowsServer/en/Library/54094485-71f6-4be8-8ebf-faa45bc5db4c1033.mspx

What are Operations Masters
http://technet2.microsoft.com/WindowsServer/en/Library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

DNS Support for Active Directory Technical Reference
http://technet2.microsoft.com/WindowsServer/en/Library/99cffde7-11a5-4c01-9a03-2405c7ead7541033.mspx?mfr=true

Networking Collection
http://technet2.microsoft.com/WindowsServer/en/Library/6bf29b34-c286-41b3-83e3-180d260e749b1033.mspx

A brief description of AD:

*Active Directory

Provides a method for designing a directory structure that meets the needs
of your organization.

*Active Directory

Is the directory service included in the Windows Server 2000/2003 family.
Active Directory includes the directory (Directory), which stores
information about network resources, as well as all the services that make
the information available and useful.

*A directory is a stored collection of information about objects that are
related to one another in some way.

*A directory service acts as the main switchboard of the network operating
system. It is the central authority that manages the identities and brokers
the relationships between distributed resources, enabling them to work
together. A directory service provides the means to organize and simplify
access to resources of a networked computer system. Users and administrators
might not know the exact name of the objects they need. However, they might
know one or more characteristics of the objects in question.

*Active Directory Objects

An object is a distinct named set of attributes that represents a network
resource. Object attributes are characteristics of objects in the directory.
For example, the attributes of a user account object might include the user's
first name, last name, and logon name, while the attributes of a computer
account object might include the computer name and description.

Some objects, known as containers, can contain other objects. For example, a
domain is a container object that can contain objects such as user and
computer accounts.

*Active Directory Schema

The Active Directory schema defines objects that can be stored in Active
Directory.

*The schema is defined by two types of objects:

Schema class objects (also referred to as schema classes)

Schema attribute objects (also referred to as schema attributes).

Schema objects or metadata (Schema objects or metadata is the Schema class
objects and attribute objects)

Schema class objects describe the possible Active Directory objects that can
be created (A schema class functions as a template for creating new Active
Directory objects. Each schema class is a collection of schema attribute
objects.)

Schema attribute objects define the schema class objects with which they are
associated.

Each schema attribute is defined only once and can be used in multiple
schema classes (For example, the Description attribute is used in many
schema classes, but is defined only once in the schema, which ensures
consistency).

A set of basic schema classes and attributes is shipped with Active
Directory (Experienced developers and network administrators can dynamically
extend the schema by defining new classes and attributes for existing
classes).
Active Directory Components

Various Active Directory components are used to build a directory structure
that meets the needs of your organization.

Logical structures in an organization: (Forests, Trees, Domains, OUs).

Forests

A forest is a grouping or hierarchical arrangement of one or more
separate, completely independent domain trees. As such, forests have the
following characteristics:

All domains in a forest share a common schema.

All domains in a forest share a common global catalog.

All domains in a forest are linked by implicit two-way transitive trusts.

Trees in a forest have different naming structures, according to their
domains.

Domains in a forest operate independently, but the forest enables
communication across the entire organization.

Trees

A tree is a grouping or hierarchical arrangement of one or more
Windows Server 2003 domains that you create by adding one or more child
domains to an existing parent domain. Domains in a tree share a contiguous
namespace and a hierarchical naming structure.

Domains

The core unit of logical structure in Active Directory is the
domain, which can store millions of objects. Objects stored in a domain are
those considered vital to the network.

OUs

An OU is a container used to organize objects within a domain into a
logical administrative group. OUs provide a means for handling
administrative tasks, such as the administration of users and resources, as
they are the smallest scope to which you can delegate administrative
authority. An OU can contain objects such as user accounts, groups,
computers, printers, applications, file shares, and other OUs from the same
domain.

Four domain functional levels are available:

Windows 2000 mixed functional level allows a Windows Server 2003 domain
controller to interact with domain controllers in the same domain running
Windows NT 4, Windows 2000, or the Windows Server 2003 family.

Windows 2000 native functional level allows a Windows Server 2003 domain
controller to interact with domain controllers in the domain running Windows
2000 or Windows Server 2003.

Windows Server 2003 interim functional level allows a Windows Server 2003
domain controller to interact with domain controllers in the domain running
Windows NT 4 or Windows Server 2003.

Windows Server 2003 functional level allows a Windows Server 2003 domain
controller to interact only with domain controllers in the domain running
Windows Server 2003.

Three forest functional levels are available:

Windows 2000 functional level allows a Windows Server 2003 domain controller
to interact with domain controllers in the domain running Windows NT 4,
Windows 2000, or Windows Server 2003.

Windows Server 2003 interim functional level allows a Windows Server 2003
domain controller to interact with domain controllers in the domain running
Windows NT 4 or Windows Server 2003.

Windows Server 2003 functional level allows a Windows Server 2003 domain
controller to interact only with domain controllers in the domain running
Windows Server 2003.

Physical structures in an organization: Sites (physical subnets) and domain
controllers.

Sites

A site is a combination of one or more IP subnets connected by a
highly reliable and fast link to localize as much network traffic as
possible.

With Active Directory, sites are not part of the namespace. When you browse
the logical namespace, you see computers and users grouped into domains and
OUs, not sites. Sites contain only computer objects and connection objects
used to configure replication between sites. A single domain can span one or
more geographical sites, and a single site can include user accounts and
computers belonging to multiple domains.

Domain Controllers

A domain controller is a computer running Windows Server
2003 that stores a replica of the domain directory (local domain database).
Because a domain can contain one or more domain controllers, each domain
controller in a domain has a complete replica of the domain's portion of the
directory. A domain controller can service only one domain. A domain
controller also authenticates user logon attempts and maintains the security
policy for a domain.



The following list describes the functions of domain controllers:

Each domain controller stores a complete copy of all Active Directory
information for that domain, manages changes to that information, and
replicates those changes to other domain controllers in the same domain.

Domain controllers in a domain automatically replicate directory
information for all objects in the domain to each other. When you perform an
action that causes an update to Active Directory, you are actually making
the change at one of the domain controllers. That domain controller then
replicates the change to all other domain controllers within the domain. You
can control replication of traffic between domain controllers in the network
by specifying how often replication occurs and the amount of data that each
domain controller replicates at one time.

Domain controllers immediately replicate certain important updates such as
the disabling of a user account.

Active Directory uses multimaster replication in which no one domain
controller is the master domain controller. Instead, all domain controllers
within a domain are peers, and each domain controller contains a copy of the
directory database that can be written to. Domain controllers can hold
different information for short periods of time until all domain controllers
have synchronized changes to Active Directory.

Although Active Directory supports multimaster replication, some changes
are impractical to perform in multimaster fashion. One or more domain
controllers can be assigned to perform single-master replication (operations
not permitted to occur at different places in a network at the same time).
Operations master roles are special roles assigned to one or more domain
controllers in a domain to perform single-master replication.

Domain controllers detect collisions which can occur when an attribute is
modified on a domain controller before a change to the same attribute on
another domain controller is completely propagated.

Collisions are detected:

Domain controllers use update sequence numbers (USNs) to see if replication
partners are up to date. In the case of collisions (when the same attribute
of the same object is manipulated on two domain controllers at the same
time) the last writer wins.

To determine last writer status, an algorithm checks:

attribute version number, then attribute timestamp, then the GUIDs (Global
Unique Identifier, the only attribute that cannot be changed) of the domain
controllers that performed the write operation. This ensures that the
attribute value is determined consistently and locally, reducing
communication between domain controllers. Active Directory resolves the
collision by replicating the changed attribute with the higher property
version number.

Having more than one domain controller in a domain provides fault
tolerance. If one domain controller is offline, another domain controller can
provide all required functions, such as recording changes to Active
Directory.

Domain controllers manage all aspects of users' domain interaction such as
locating Active Directory objects and validating user logon attempts. As an
administrator, you must place domain controllers in sites to reflect your
organization's physical structure and optimize replication and
authentication.
Catalog Services - The Global Catalog

The global catalog is the central repository of information about objects in
a tree or forest.

Active Directory uses multimaster replication to replicate the global
catalog information between global catalog servers in other domains.

Stores a full replica of all object attributes in the directory for its host
domain and a partial replica of all object attributes contained in the
directory for every domain in the forest. The partial replica stores
attributes most frequently used in search operations (such as a user's first
and last names, logon name, and so on). Attributes are marked or unmarked
for replication in the global catalog when they are defined in the Active
Directory schema. Object attributes replicated to the global catalog inherit
the same permissions as in source domains, ensuring that data in the global
catalog is secure.

Global Catalog Functions

The global catalog performs the following two key functions:

It enables a user to log on to a network by providing universal group
membership information to a domain controller when a logon process is
initiated.

It enables finding directory information regardless of which domain in the
forest actually contains the data.

If a global catalog is not available when a user initiates a network logon
process, the user is able to log on only to the local computer unless the
site has been specifically configured to cache universal group membership
lookups when processing user logon attempts.

The Query Process

A query is a specific request made by a user to the global catalog in order
to retrieve, modify, or delete Active Directory data. The following steps,
illustrated in Figure 1-9, describe the query process:

1. The client queries its DNS server for the location of the global catalog
server.

2. The DNS server searches for the global catalog server location and
returns the IP address of the domain controller designated as the global
catalog server.

3. The client queries the IP address of the domain controller designated as
the global catalog server. The query is sent to port 3268 on the domain
controller; standard Active Directory queries are sent to port 389.

4. The global catalog server processes the query. If the global catalog
contains the attribute of the object being searched for, the global catalog
server provides a response to the client. If the global catalog does not
contain the attribute of the object being searched for, the query is
referred to Active Directory.



Object Naming

Because Active Directory is an LDAP-compliant directory service, network
clients use LDAP to query the Active Directory database. Every object in
Active Directory is identified by a name, and LDAP standards determine how
the objects are named.

Naming conventions:

Distinguished names (DN)

Uses LDAP Abbreviations CN (Common Name), OU
(Organizational Unit), DC (Domain Common Name). Every object in Active
Directory has a distinguished name (DN) that uniquely identifies the object
and contains sufficient information for a client to retrieve the object from
the directory.

Relative distinguished names (RDN)

The relative distinguished name (RDN) of
an object is the part of the name that is an attribute of the object itself.
In the preceding example, the RDN of the Scott Cooper user object is Scott
Cooper. The RDN of the parent object is Promotions.

Globally unique identifiers (GUID)

A globally unique identifier (GUID) is a
128-bit hexadecimal number that is guaranteed to be unique within the
enterprise. GUIDs are assigned to objects when the objects are created. The
GUID never changes, even if you move or rename the object.

User principal names (UPN)

Each user account has a "friendly" name, known as
the user principal name (UPN). The UPN consists of a user account name
(sometimes referred to as the user logon name) and a domain name identifying
the domain in which the user account is located. For example, the user
object Scott Cooper in the microsoft.com tree might have a UPN of
ScottC@domain.com (using the full first name and the first letter of the
last name).


--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
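The version-then-timestamp-then-GUID rule in Jorge's post, worked through as an added Python illustration. This is not code from the post or from Microsoft; the two DC GUIDs, the timestamps and the telephone-number values are constructed, and the `Stamp` field names are my own naming for the per-attribute replication metadata. It shows two things the prose leaves implicit: both DCs reach the same winner from the two stamps alone, and because the version number is compared first, a DC with a slow clock still wins when it made more originating writes.

```python
"""Attribute-level replication conflict resolution, modelled on the rule in
the post above: higher version wins, then later originating timestamp, then
the higher GUID of the writing DC.  Added illustration only; DC GUIDs,
times and values below are constructed, and the field names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid


@dataclass(frozen=True)
class Stamp:
    """Replication metadata one DC holds for one attribute of one object."""
    version: int               # bumped on every originating (non-replicated) write
    timestamp: datetime        # originating write time, UTC
    originating_dc: uuid.UUID  # GUID of the DC that made the write
    value: str                 # the attribute value the stamp belongs to

    def key(self):
        # Tuple ordering is exactly the three-step comparison: version first,
        # then time, then GUID (uuid.UUID orders by its 128-bit integer).
        return (self.version, self.timestamp, self.originating_dc)


def resolve(local: Stamp, incoming: Stamp) -> Stamp:
    """Return the stamp every DC converges on.  The decision needs only the two
    stamps, so each DC makes it locally with no extra round trips."""
    return incoming if incoming.key() > local.key() else local


def originating_write(current: Stamp, new_value: str, when: datetime,
                      dc: uuid.UUID) -> Stamp:
    """A write made directly on DC `dc` (not received by replication)."""
    return Stamp(current.version + 1, when, dc, new_value)


# Constructed identities and a starting value both DCs already agree on.
DC_A = uuid.UUID("11111111-1111-1111-1111-111111111111")
DC_B = uuid.UUID("22222222-2222-2222-2222-222222222222")
T0 = datetime(2006, 5, 17, 1, 0, tzinfo=timezone.utc)
BASE = Stamp(3, T0, DC_A, "555-1000")


def demo():
    """Three constructed collisions; returns the value the domain converges on
    in each, plus whether the GUID tie-break is symmetric."""
    # 1. Both DCs change telephoneNumber before either replicates; B wrote later.
    a = originating_write(BASE, "555-2000", T0 + timedelta(seconds=5), DC_A)
    b = originating_write(BASE, "555-3000", T0 + timedelta(seconds=15), DC_B)
    later_timestamp_wins = resolve(a, b).value

    # 2. Same version and identical timestamps: the DC GUID breaks the tie,
    #    and both DCs pick the same winner regardless of which side they see.
    a2 = originating_write(BASE, "555-2000", T0 + timedelta(seconds=5), DC_A)
    b2 = originating_write(BASE, "555-3000", T0 + timedelta(seconds=5), DC_B)
    guid_tiebreak = resolve(a2, b2).value
    symmetric = resolve(b2, a2).value == guid_tiebreak

    # 3. A wrote twice (version 5) with a clock that is behind B's single write
    #    (version 4): the higher version wins, not the later wall-clock time.
    a3 = originating_write(a, "555-2222", T0 + timedelta(seconds=6), DC_A)
    version_beats_time = resolve(b, a3).value

    return later_timestamp_wins, guid_tiebreak, symmetric, version_beats_time


if __name__ == "__main__":
    print(demo())
```

The comparison is a plain tuple ordering on purpose: it is the whole reason the post can say the result is "determined consistently and locally". Anything that needed a DC to ask its partner which side wrote first would reintroduce the round trips multimaster replication is meant to avoid.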
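The four-step global catalog query above, as an added Python model of the client side rather than Microsoft's DC locator code. The forest name `corp.example`, the site `Boston`, the host names, the SRV records in `ZONE` and the subset of partial-attribute-set names in `PAS` are all constructed; a real client would get the SRV answers from DNS. One detail worth being precise about: what DNS returns for the `_gc._tcp` name is an SRV record (target host, port, priority, weight), and the client picks among several per RFC 2782 before resolving the chosen host to an address. That DNS answer is unauthenticated, which is why the port helper also offers the TLS ports.

```python
"""How a client finds a global catalog and which port it talks to, following
the four query steps in the post above.  Added example, not Microsoft's DC
locator; the forest name, site name, host names and SRV records are
constructed, and the in-memory `zone` dict stands in for a DNS server."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GC_PORT, LDAP_PORT = 3268, 389        # global catalog vs. per-domain LDAP
GC_TLS_PORT, LDAPS_PORT = 3269, 636   # the same two services over TLS


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def gc_srv_names(forest_root: str, site: Optional[str] = None) -> List[str]:
    """SRV names a client asks for, most specific first: its own site, then
    the whole forest.  GC records are registered under the forest root
    domain, not under the client's own domain."""
    names = []
    if site:
        names.append(f"_gc._tcp.{site}._sites.{forest_root}")
    names.append(f"_gc._tcp.{forest_root}")
    return names


def select_srv(records: List[SRV],
               roll: Optional[Callable[[int], int]] = None) -> SRV:
    """RFC 2782 selection: lowest priority wins; among equal priorities pick
    at random in proportion to weight.  `roll(n)` returns an int in [0, n)
    and is injectable so the choice can be made deterministic in tests."""
    if not records:
        raise LookupError("no SRV records")
    roll = roll or random.randrange
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:                      # all weights zero: any is acceptable
        return pool[0]
    pick = roll(total)
    for r in pool:
        pick -= r.weight
        if pick < 0:
            return r
    return pool[-1]                     # unreachable with a well-behaved roll


def locate_gc(zone: Dict[str, List[SRV]], forest_root: str,
              site: Optional[str], roll=None) -> Tuple[str, int]:
    """Steps 1-2: try the SRV names in order and return (host, port)."""
    for name in gc_srv_names(forest_root, site):
        if zone.get(name):
            srv = select_srv(zone[name], roll)
            return srv.target, srv.port
    raise LookupError(f"no global catalog registered for {forest_root}")


def query_port(attribute: str, partial_attribute_set: set, tls: bool = False) -> int:
    """Steps 3-4: attributes in the GC's partial attribute set are answered on
    3268; anything else has to be asked of a DC for the owning domain on 389.
    Prefer the TLS ports (or LDAP signing) in practice: the client trusted an
    unauthenticated DNS answer to pick this server."""
    in_gc = attribute.lower() in {a.lower() for a in partial_attribute_set}
    if in_gc:
        return GC_TLS_PORT if tls else GC_PORT
    return LDAPS_PORT if tls else LDAP_PORT


# Constructed zone data: one site-specific record and a forest-wide set
# where dc3 is a lower-preference (priority 10) backup.
ZONE = {
    "_gc._tcp.Boston._sites.corp.example": [SRV(0, 100, 3268, "dc1.corp.example")],
    "_gc._tcp.corp.example": [
        SRV(0, 60, 3268, "dc1.corp.example"),
        SRV(0, 40, 3268, "dc2.corp.example"),
        SRV(10, 0, 3268, "dc3.corp.example"),
    ],
}
# Constructed subset of attribute names replicated to the GC; the real set is
# marked per attribute in the schema, as the post says.
PAS = {"cn", "sAMAccountName", "userPrincipalName", "givenName", "sn", "objectClass"}

if __name__ == "__main__":
    host, port = locate_gc(ZONE, "corp.example", "Boston")
    print(host, port, query_port("telephoneNumber", PAS))
```

A client in a site with no GC of its own (`Paris` in the test) falls through to the forest-wide record and is spread across dc1 and dc2 by weight; dc3 is only used if both priority-0 servers are gone from DNS.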
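An added Python example for the naming section, written against the RFC 4514 DN syntax rather than taken from the post: it splits a DN into its RDNs, gives back the object's own RDN and its parent's DN, turns the `DC=` components (the domainComponent attribute, one DNS label each) into a DNS name, and escapes an untrusted value before embedding it in a DN. `EXAMPLE_DN` is my construction of a DN consistent with the Scott Cooper / Promotions names the post refers to; the other DNs in the comments are constructed as well.

```python
"""Distinguished-name handling for the naming section above: split a DN into
its RDNs, recover an object's own RDN and its parent's DN, map the DC
components to a DNS name, and build a DN from an untrusted value without
letting the value inject extra RDNs.  Added example (RFC 4514 rules), not
code from the post; the DNs below are constructed."""
import re
from typing import List, Tuple

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
_SPECIAL = set(',+"\\<>;')   # must be escaped anywhere inside a value

# Constructed DN matching the object and container names the post mentions.
EXAMPLE_DN = "CN=Scott Cooper,OU=Promotions,DC=microsoft,DC=com"


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN.  Without this, a user whose
    name is 'bob,OU=Admins' appears to live in a different container."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs, the object's own RDN first.  Handles
    backslash escapes and \\XX hex escapes (runs of them decode as UTF-8).
    Multi-valued RDNs joined with '+' are left as a single value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            raw = bytearray()
            while i < len(dn) and dn[i] == "\\" and _HEX2.fullmatch(dn[i + 1:i + 3]):
                raw.append(int(dn[i + 1:i + 3], 16))
                i += 3
            if raw:
                cur.append(raw.decode("utf-8"))
                continue
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            cur.append(dn[i + 1])           # escaped literal character
            i += 2
            continue
        if ch == ",":                       # unescaped comma: RDN boundary
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))

    pairs = []
    for rdn_text in rdns:
        attr_type, sep, value = rdn_text.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        pairs.append((attr_type.strip(), value))   # tolerate 'CN=x, OU=y' spacing
    return pairs


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in pairs)


def rdn(dn: str) -> Tuple[str, str]:
    """The part of the name that is an attribute of the object itself."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    return format_dn(parse_dn(dn)[1:])


def dns_name_from_dn(dn: str) -> str:
    """DC= (domainComponent) values read left to right give the DNS name."""
    return ".".join(v for t, v in parse_dn(dn) if t.upper() == "DC")


def child_dn(parent: str, attr_type: str, value: str) -> str:
    """Build '<type>=<value>,<parent>' from an untrusted value, safely."""
    return f"{attr_type}={escape_rdn_value(value)},{parent}"


if __name__ == "__main__":
    print(rdn(EXAMPLE_DN), parent_dn(EXAMPLE_DN), dns_name_from_dn(EXAMPLE_DN))
```

The same escaping discipline applies to anything that builds a DN or an LDAP filter from user-supplied text: a value like `bob,OU=Admins` has to come back out of the parser as one RDN, not two, which is what the `child_dn` / `parse_dn` round trip checks.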
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.
