Top 3 Products & Services
Dated: Aug. 11, 2004
Related CategoriesMicrosoft Certifications
- What a Directory Service is?
- Active Directory Structure
- Structure of Active Directory Database
- The Global Catalog
- Organizational Units
- Changing the Active Directory Database Structure (Schema)
- Active Directory Objects
- Active Directory Sites
- Domain Structure and Relationships
- Active Directory Functions
- Active Directory Replication
- Publishing Active Directory Resources
- Moving AD Objects
- Installing,Configuring,Managing,Troubleshooting Change and Configuration Management
- Group Policies
- Understanding Remote Installation Service (RIS)
Windows 2000 is fast becoming the most widely deployed network operating system in the corporate world and as the computer network industry advances in both technology and size, the need for proven skills and expertise is of prime significance. Microsoft has already realized the need of the situation and thus revised its Microsoft Certified Professional (MCP) program to give us appropriate credentials to demonstrate our expertise of Microsoft Windows 2000 family of products and services.
Windows 2000 actually consists of several different flavors including Windows 2000 Server/Advanced Server, Data Center Server, and Windows 2000 Professional depending upon the client server environment requirements.
This study guide provides an overview what you need to pass the exam 70-217 Implementing and Administering a MS Windows 2000 Directory Services Infrastructure and summarize the skills required to install, configure, and troubleshoot Active Directory and DNS for Active Directory, change and configuration management including RIS and Group Policy and Active Directory Security solutions.
What a Directory Service is?
A directory is basically a repository the primary function of which to provide a listing whether it is of any objects, organizations, people like phone directories. In an operating system the file that contains user as well as network objects information along with the program involved in its management together named as the directory service. A directory service is one of the most important components in a networking environment. Users frequently do not know the exact name of the objects they are interested in. If they know one or more attributes of the objects, they can query the directory to get a list of objects that match the attributes. Put it this way, a directory service allows a user to find any object given one of its attributes. Thus AD has been designed to centralize all of the user, group, application, printer, and computer information on your network in one central repository. AD uses TCP/IP as its network protocol. All windows 2000 computers can use AD by default. Non -Win 2000 computers can still log on but cannot use AD features. They must use a Directory service add on client (DSCLIENT.EXE).
Active Directory Structure
The domain is the core unit in the Active Directory structure. Active Directory includes:
- A database of information about network users and resources.
- A service managing the database
Structure of Active Directory Database
All databases have a schema, which is a formal definition (set of rules) which govern the database structure and types of objects and attributes which can be contained in the database. The schema contains a list of all classes and attributes in the forest.
The schema keeps track of:
- Classes (As Active Directory is object oriented. This means that items in active directory is treated as objects.)
- Class attributes
- Class relationships such as subclasses (Child classes that inherit attributes from the super class) and super classes (Parent classes).
- Object relationships such as what objects are contained by other objects or what objects contain other objects.
The Active Directory database is stored in the System Root \NTDS directory. The file "ntds.dit" contains the directory and schema data, and the file "schema.ini" contains the information to control Active Directory security and create the default directory. Changes to the database are stored temporarily in log files in this directory until changes are finalized to the database with replication to other controllers complete.
Microsoft uses the term namespace to refer to any collection of domains with a common DNS root name. Examples of items within the same namespace include:
support.microsoft.com,developer.microsoft.com, and marketing.Microsoft.com.
AD trees consists of a group of domains that share the same configuration. Domains in a directory tree all have a contiguous namespace. Domains in earlier versions of NT made up the entire manageable collection of users, printers, servers and workstations on your network. In Windows 2000,domains are merely a subset of larger tree. A single domain tree consists of a parent domain and all of its child domains. Domains are named in accordance with the internet’s Domain name system standard.if the parent(root) domain is called global.com, a child domain may be called support.global.com.
When designing the tree, Microsoft allows you break the trees down into sites. A site is a collection of workstations and servers along subnets with fast connections. Within a site, NT replicates information after a regularly defined time. Between sites NT replicates data only at selected times or events to minimize WAN traffic. Don’t confuse trees, forests or sites.Trees and forests are used to manage administration and security in an organization. Sites reflect geographical boundaries. You may choose to arrange a site’s trees and forests using a geographical or an organizational approach but doing so doesn’t affect the sites of the domains.
The Global Catalog
A Global Catalog is a searchable master index with data about all objects in a forest. The schema is stored in the global catalog. Only information required to find an object is stored in the global catalog. When the first domain controller in the forest is established, a default catalog is created automatically on that controller. More than one server can house the global catalog.
A container is a container for a group of objects and other containers. Put it this way, a organization is a container that holds a group of departments. The departments are the objects, and the Organization is the container.
Within the domain, you can create organizational units (OUs).These are the containers that hold objects like users, groups, and printers in the Active directory. You can organize OU s into a logical structure that matches the way you work and organize your business. Additionally you can delegate administration based on permissions assigned to the organizational unit. Therefore it would be wise to use OU s to divide the domain into functional units such as accounting, human resources, and information systems. Using organizational units reduces the number of domains needed to manage the tree.
Changing the Active Directory Database Structure (Schema)
There are several ways to change the schema of Active Directory:
- Application vendors can provide the capability to change the schema.
- MMC - The Microsoft Management Console snap-in is a tool provided by Microsoft to allow the schema to be changed. The Windows 2000 Administration Tools (ADMINPAK) must be installed. The snap-in is called Active Directory Schema. The group that can use this tool is called "Schema Admins". This is a new group for Windows 2000 just for administering the Active Directory database schema.
Active Directory Objects
Active Directory Groups
There are two types of Active Directory groups, each with a different purpose. These are:
- Security principal groups - These objects can be assigned permissions and consist of:
- Distribution groups - Used to group users for applications such as mail.
Every object has a:
- Globally Unique Identifier (GUID) - Uniquely identifies each object. Its size is 128 bits.
- Security Identifier (SID) - A SID is created by the Windows 2000 security subsystem and assigned to security principal objects.
Controlling objects in Active Directory controls access only to objects in Active Directory. Objects outside Active Directory may have their own access control. Permissions on corresponding objects in Active Directory do not affect permissions on external objects. Therefore, the user must have both Active Directory and object access.
When setting object permissions, they can be set so the change applies to all children of the object or only to the object itself. You can also set child objects to inherit permissions from their parent object. Access to specific object properties can be controlled. Object permissions for users and groups include:
- Full Control - Allows full access to the object and its sub objects, with the ability to take ownership of objects and change permissions of objects and sub objects
- Read - Allows object contents and properties to be displayed.
- Write - Allows object contents and properties to be changed except for modifying permissions, configuring auditing, or taking ownership.
- Create All Child Objects - Allows creation of any child objects.
- Delete All Child Objects - Allows deletion of any child objects.
Object access is controlled using the Active Directory Users and Computers tool by clicking on "View", "Advanced Features", Click + next to the domain, right click the object, select "Properties", click the "Security" tab, and continue.
When user and group permissions that the user is in differ for specific objects the least restrictive permissions normally apply. The only exception to this if the user or group is specifically denied one or more specific permissions to the object. When some permissions are denied, the user will have the most restricrictive denials of permissions apply. If the full control permission is denied to a user or group, that user or group will have no permissions. Explicit permissions set at the child object level override permission denial at the parent level even if the child is set to inherit permissions from the parent.
Object identifiers are strings in a dot notation similar to IP addresses. There are authorities that issue object identifiers. Each of these authorities can give an object identifier on a sublevel to other authorities. The International Standards Organization (ISO) is the root authority. The ISO has a number of 1. When it assigns a number to another organization, that number is used to identify that organization. If it assigned Microsoft the number 869037, and CTDP issued 1 to Adam Fisher, and Adam Fisher assigned 10 to an application, the number of the application would be "1.869037.1.10".
A Distinguished Name (DN) is used to uniquely name an Active Directory Object. All objects can be referenced using a Distinguished Name. A DN has three components:
- DC - Domain Component
- O - Organization
- OU - Organizational Unit
- CN - Common Name
Relative Distinguished Name (RDN)
User Principal Name (UPN)
Active Directory Sites
A site is a grouping of machines based on a subnet of TCP/IP addresses. An administrator determines what a site is. Sites may contain multiple subnets. There can be several domains in a site.
The following may be created:
- Sites - One or more IP subnets. Generally this refers to a physical site such as a portion of the organization in particular city or part of a city, which is linked by leased lines or other media to other parts of the organization.
- Subnets - Subnets must be created in each site object before it is really active. A network address and subnet mask is used to define the subnet.
- Site links - It is a list of two or more connected sites. Whether the link will use RPC or SMTP for passing data must be determined before creating the link since it cannot be changed. Selection IP means selection RPC over IP. Site link information includes:
- Replication schedule - Specify the times the sites can replicate and how often they attempt replication.
- Link cost - High for a low bandwidth link. A high cost link gets lower priority. A lower priority link is normally used if there are more than one link to the same location.
- Member sites - Lists sites that are connected using the site link.
- Transport Mechanism - RPC or SMTP (Mail) is specified.
- SMTP (Mail) - It cannon be used for replication inside the same site and is a form of asynchronous replication.
- RPC - Requires more bandwidth than SMTP.
- Bridgehead server - A domain controller that is used to send replication information to one or more other sites across a site link.
- Site link bridges - Allows one site in a string of sites to replicate through one or two sites to a second or third site. These are only used for fine control of how replication will occur across WAN links. This is actually done automatically by AD, without fine control. To use this feature, automatic bridging of site links must be turned off. You must have three sites to create a site link bridge since it takes three sites and two site links to make a string of sites.
- Global catalog servers - The global catalog is a searchable master index with data about all objects in a forest. The global catalog server maintains this catalog
There is one in each domain by default, and the first domain controller in the domain is originally the global catalog server. It is worthwhile to have a global catalog server on each side of a WAN connection if the domain is spread out across a WAN.
If several domain controllers are placed on the network, and later the network is broken into sites, appropriate servers must be manually moved to the appropriate site that they are on. If the domain controller is created after the site is created, the server is placed automatically in the correct site (based on IP address).
Domain Structure and Relationships
- Domain tree - A hierarchial group of one or more domains with one root domain. Only one domain is required to make a tree.
- Parent domain - One domain above another in a domain tree.
- Child domain - One domain below another in a domain tree. The child inherits the domain name of its parent in a DNS hierarchical naming convention. Example: "child.parent.root.com".
- Forest root domain - The first domain created in a forest.
- Tree root - The first domain created in a tree.
Trusts and Trust Relationships
- One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
- Two way trust - When two domains allow access to users on the other domain.
- Trusting domain - The domain that allows access to users on another domain.
- Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
- Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.
- Intransitive trust - A one way trust that does not extend beyond two domains.
- Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.
- Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendent/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 only supports the following types of trusts:
- Two way transitive trusts
- One way non-transitive trusts.
The program "dcpromo.exe" is used to make a Windows 2000 domain member server a domain controller or demote it from domain controller status back to a member server. It can be used to add a domain controller for an existing domain or create a domain controller for a new domain.
Windows 2000 may be operated in one of two modes:
- Native mode - In this mode Active Directory interfaces only with Windows 2000 domain controllers and directory service client software. Windows 2000 is more efficient in native mode. In this case, the PDC emulator will get password changes faster.
- Mixed mode - Used to support domains where there are still Windows NT domain controllers. Mixed mode occurs when Active Directory interfaces with NT 4.0 BDCs or ones without Windows 2000 Directory Service client software. In mixed mode, computers without Windows 2000 client software must contact the PDC emulator to change user account information
Active Directory Functions
Flexible Single Master Operations (FSMO)
Windows 2000 Domains work using a multiple master design with restricted master operations on a master domain controller. This was done to distribute the load on domain controllers but there are some operations that can only be done on a single or "master" controller.
There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operations types include:
- Schema Master - Makes changes to the database schema. Applications may remotely connect to the schema master.
- Domain Naming Master - Adds or removes domains to or from the forest.
- PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default. Functions performed by the PDC emulator:
- User account changes and password changes.
- SAM directory replication requests.
- Domain master browser requests
- Authentication requests.
- Relative ID Master (RID Master) - All objects have a Security Identifier (SID) and a domain SID. The RID assigns relative IDs to each domain controller.
- Infrastructure Master - Updates group membership information when users from other domains are moved or renamed. If you transfer this function, it should not be transferred to the domain controller that is the global catalog server. If this is done, the Infrastructure Master will not function.
- An Operation Master performs one or more of the flexible single master operations listed above.
Active Directory Replication
The Active Directory database is replicated between domain controllers. Only the changes are replicated, once a domain controller has been established. Active Directory uses a multimaster model which means changes can be made on any controller and the changes are sent to all other controllers. The replication path in Active Directory forms a ring which adds reliability to the replication.
- Latency - The required time for all updates to be completed throughout all domain controllers on the network domain or forest.
- Convergence - The state at which all domain controllers have the same replica contents of the Active directory database.
- Loose consistency - The state at which all changes to the database are not yet replicated throughout all controllers in the database (not converged).
The replication path that domain controller Active Directory replicated data travels through an enterprise is called the replication topology. Connection objects are used to define the replication paths between domain controllers. Active Directory, by default, sets up a two-way ring replication path. The data can travel in both directions around the ring, which provides redundancy and reliability. Two types of replication occur in the path:
- Direct replication - When replication is done from a primary source of data.
- Transitive replication - When replication is done from a secondhand or replicated source of data.
The Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates the replication topology by specifying what domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all site domain controllers and updates go through no more than three connections. Also an administrator can configure connection objects. The KCC uses information provided by the administrator about sites and subnets to automatically build the Active Directory replication topology.
File Replication Service
In Windows 2000, the SYSVOL share is used to to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers. File replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication service schedule.
Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires. Replication between two sites may need to be sent over a slower WAN link or leased line. Intrasite replication data is sent uncompressed.
Site replication is done using Remote Procedure Call (RPC). If a change is made, replication occurs within five minutes, and replication is done every six hours if no changes were made. Domain controllers that receive updates replicate that information to other domain controllers on their route list. All changes are therefore completed within a site within 15 minutes since there can only be three hops.
Publishing Active Directory Resources
Publishing is the act of making an object publicly browseable and accessible using Active directory. Most objects are automatically listed in Active Directory when they are created, but some objects must be published to be made available. Things that are not automatically published:
- Windows NT shared printers
- Computers outside the domain.
Moving AD Objects
From Active Directory Users and Computers click the + next to the domain name, and highlight the object. Right click on the object in the right pane to be moved, and select Move. Expand any container objects required, and highlight the container to move the object to, then click "OK".
To move an object to another directory, use the command line program called MoveTree.exe. This program is part of the "Windows 2000 Support Tools "on the Windows 2000 Server or above CD in \Support\Tools.
Active Directory Storage and Restoration
The Extensible Storage Engine is used by Active Directory to provide a transaction based database with fault tolerance. This means that partial transactions will not be stored but only complete transactions are logged. Log files are used to provide fault tolerance by writing the transaction to the log file before commiting it to the Active Directory database. There are three steps to saving a transaction:
- The transaction is written to a log file.
- The transaction is written to an Active Directory database page in memory.
- The transaction is committed to disk storage.
The AD restores are done by starting the computer in Directory Service Restore mode .
- Non-Authoritative Restore - Changes are accepted from other domain controllers after the backup is done.
- Authoritative Restore - Changes are NOT accepted from other domain controllers after the backup is done.
- Recovery without Restore - Transaction logs are used to recover uncommitted AD changes after a system crash. This is done by the system automatically without using a restore from a tape backup.
Installing,Configuring,Managing,Troubleshooting Change and Configuration Management
Group policy is the way through which we can accomplish different kinds of controls in an Active Directory.Through group policies we can set user's rights,deploy software,restrict user's desktop settings,control system settings, simplify and restrict programs etc.Group Policy Objects (GPOs) are used to configure group policies which are applied to sites, domains, and organizational units (OUs). Group policy may be blocked or set so it cannot be overridden. The default is for subobjects to inherit the policy of their parents. There is a maximum of 1000 applicable group policies.
Group policies are linked to domains, organizational units, or sites in Active Directory. A policy must be linked to a container object in Active Directory to be effective. They are stored in any domain for storage but can be linked to other domains to make them effective there also. The policy must be linked to the container (site, domain, or OU) that it is stored in to be effective in that container. One policy object can be linked to several containers. Several policy objects can be linked to one container.
Group Policy Types
Group policy types and their order of application are:
- Local Policy
- Site Linked Policies
- Domain Linked Policies
- Organizational Unit Policies
Group Policy Priorities
Group policy is inherited by children objects of parents. If a parent object has group policy, then the children have the same policy. Group policies are applied down from the higher level objects to the lower level objects. The policies are cumulative unless they conflict, in which case the lower level policy applies to the object.
Policies normal behavior can be modified with the following settings:
- No Override - Normally the local policies or lower level policies will take precedence. If this setting is made on a higher-level policy, the lower level policy cannot modify it and the policy associated with this setting will take precedence.
- Block Policy - Group Policy Objects (GPOs) are entirely blocked or applied. The No Override option takes priority over the Block Policy option.
Setting Group Policy
The creator of a policy and administrators has Full Control permission for policies. To set Group Policy, the user must have permission to log on Locally on a domain controller
All group policy object containers have a default policy. Group policies can be managed using the Group Policy Editor. There are two default policy nodes:
- Computer configuration - Settings are applied to the computer and the user on the computer does not affect the settings.
- User configuration
Creating Group Policy Objects
There are several tools used to create and manage group policy objects. The most appropriate tool to use depends on the level the group policy object is at. The tools are as follows:
- Active Directory Sites and Services Administrative tool - Used to create and manage Group Policy Objects (GPOs) that are associated with a site.
- Active Directory Users and Computers Administrative tool - Used to create Group Policy Objects (GPOs) that are associated with an OU or domain.
- MMC Group Policy snap-in - This tool, also called the "Group Policy Console" can be used to manage GPOs at any level.
GPO security is used to specify the users and groups that can modify the GPO settings and to specify those to whom they apply as follows:
- The Group Policy settings apply to users and groups that have the Active Directory read and apply group policy permissions to the GPO.Authenticated Users have these settings apply by default.
- Users or groups that have the Active Directory read and write permissions to the GPO can modify the GPO settings.
A GPO may be linked to another container. When this is done a new GPO, pointing to the original GPO, is created. The GPO settings of the original GPO apply to all objects it is linked to. At this point the new GPO may be modified and the new settings will apply only to the new GPO. If settings in the original GPO are modified, the settings in the linked GPOs will also be changed.
Using Group Policy for Software Deployment
- Assign the application to a computer -The application shortcut appears in the user start menu, and the application is installed the first time the user runs it.
- Assign the application to a user - The application is installed the next time the computer is booted.
- Publish the application to the user - The application is installed the first time the user opens a document that is associated with the application. Once installed, the start menu lists the application.
Policy Refresh Intervals
The default refresh interval for policies is 90 minutes. The default refresh interval for domain controllers is 5 minutes. Group policy object's group policy refresh intervals may be changed in the group policy object. The appropriate refresh interval depends on link speed. A slow network should have longer refresh intervals. A slow link is defined as one slower than 500Kbps.
Understanding Remote Installation Service (RIS)
RIS can be used to deploy Windows 2000 operating systems. It can install the operating system with applications. It provides the following additional capabilities:
- Other technical personnel that are not administrators may install Windows 2000 Professional.
- It provides an extra way to fix failed networked computers.
- Specific hardware images do not need to be provided since Windows 2000 supports plug and play devices.
A Windows 2000 computer can have remote installation files for Windows 2000 Professional computers then send those files out to the appropriate computers and provide a unique security identifier for the new computer. The "Add/Remove Programs" applet in the control panel is used to install RIS. It is installed as a "Component" and is called "Remote Installation Services".
Requirements/steps for using RIS:
- The RIS server must have at least two volumes. The second volume contains the RIS installation information, which is separate from the Windows 2000 Server installation volume.
- The RIS volume must be NTFS.
- The network must use DNS, DHCP, and Active Directory to use this service.
- The RIS server must be authorized in Active Directory using the DHCP administrative tool. It is easier if the RIS server is the DHCP server and is already authorized.
- Assign appropriate users the authority to "Create Computer Objects" in Active Directory using the administrative tool "Active Directory Users and Computers".
RIS Additional Services
Additional services installed on servers when RIS is installed on servers:
- BINL - Boot Information Negotiation Layer is used to be sure the installation using RIS is being done on the correct computer.
- SIS - Single Instance Store is used to reduce storage space for installation images on the server by using links to files that are the same in various images.
- TFTPD - Trivial File Transfer Protocol Daemon is used to send files to the client when they are requested. There is no logon with TFTP services.
RIS Security and Prestaging RIS Clients
An Active Directory computer object is created and the users of the new computer are assigned appropriate Active Directory permissions. Group Policy can also be used for security to restrict RIS installation options and choices. The "Active Directory Users and Computers" tool is used to set this policy. To set up prestaging so specific clients will get the correct RIS images do the following:
- Get the GUID from the computer, which is in the computer system BIOS, or on a label on the computer case. This is a 32-character number
- Create a client account on the server and provide the computer GUID during client account creation.
- CD image - A CD image is made and an RIS answer file is associated with the image.
- Remote Installation Preparation (RIPrep) wizard images - A copy of a master computer hard drive, which is prepared for installation. Mass storage controllers and disk sizes don't need to be the same on both the master and duplicate computer. The RIPREP utility is in \\RIS_server\Reminst\Admin\i386\riprep.exe. Some services cannot be run while this utility is run. The wizard will notify you of any not allowed services that are running
- Windows 2000 Professional images
The RIPrep tool is used to make RIS images containing both an operating system and applications.
Now that you've gotten free know-how on this topic, try to grow your skills even faster with online video training. Then finally, put these skills to the test and make a name for yourself by offering these skills to others by becoming a freelancer. There are literally 2000+ new projects that are posted every single freakin' day, no lie!