Notes to prepare for Active Directory Certification (70-294), Part I

Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
**********************
1. Directory Services

A directory service stores all the information needed to use and manage network objects in a centralized location, which simplifies locating and managing them.
**********************
Domain Name System (DNS)
Active Directory Service Interfaces (ADSI)
Lightweight Directory Access Protocol (LDAP)
Objects that can hold other objects are known as containers

LDAP standards determine how the objects are named.
Object naming conventions:
Distinguished name (DN)
Relative distinguished name (RDN)
Globally unique identifier (GUID)
User principal name (UPN)

The GUID never changes.
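The naming conventions above are easier to remember when you take a DN apart by hand. The PowerShell below is an added example, not part of the original notes: it splits a DN into its RDNs (honouring LDAP's backslash escaping of commas inside a value), reports the object's own RDN and its parent container, and derives the DNS domain from the DC components. The sample DN, the user name jsmith and the assumption that the UPN suffix equals the DNS domain name are all constructed for the example.

```powershell
# Added example (not from the original notes): splitting an LDAP distinguished
# name into its relative distinguished names. The sample DN below is constructed.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Walk the string once; a comma splits RDNs unless it is escaped with '\'
    # (LDAP allows "\," inside a value, e.g. CN=Smith\, John).
    $rdns = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $DistinguishedName.Length) {
        $ch = $DistinguishedName[$i]
        if ($ch -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            [void]$current.Append($ch).Append($DistinguishedName[$i + 1])
            $i += 2
            continue
        }
        if ($ch -eq ',') {
            $rdns.Add($current.ToString().Trim())
            [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
        $i++
    }
    $rdns.Add($current.ToString().Trim())
    # Leading comma keeps a single-RDN result as an array rather than a string
    return ,$rdns.ToArray()
}

function Get-DnParts {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = Split-DistinguishedName $DistinguishedName
    # The first RDN names the object itself; the remaining RDNs name its parent.
    $domainParts = $rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    [pscustomobject]@{
        DN        = $DistinguishedName
        RDN       = $rdns[0]
        ParentDN  = ($rdns | Select-Object -Skip 1) -join ','
        DnsDomain = $domainParts -join '.'
    }
}

# Constructed sample: a user whose CN contains an escaped comma.
$sample = 'CN=Smith\, John,OU=Sales,OU=Corp,DC=contoso,DC=com'
$parts = Get-DnParts $sample
$parts | Format-List

# The UPN is independent of the DN: moving the object to another OU changes the
# DN (and therefore the RDN chain) but not the UPN or the objectGUID. The UPN
# suffix is assumed here to equal the DNS domain name; it need not in practice.
"UPN: {0}@{1}" -f 'jsmith', $parts.DnsDomain
```

The RDN is the leftmost component (`CN=Smith\, John`), the parent DN is everything to its right, and the DNS domain `contoso.com` is rebuilt from the `DC=` components. Because a DN changes whenever an object is moved, scripts that need a stable handle on an object should store its GUID rather than its DN.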
**********************
Active Directory Schema

The schema is defined by two types of objects:
Schema class objects
Schema attribute objects

Schema class objects describe the Active Directory objects that can be created.
Schema attribute objects define the attributes of the schema class objects they are associated with.
**********************
Active Directory Components

Domains, organizational units (OUs), trees and forests are logical structures
Sites and domain controllers are physical structures
**********************
Domains

The first domain that is created in a Windows Server 2003 network is called the forest root domain.
**********************
There are two types of namespaces:
Contiguous namespace
A tree is a contiguous namespace because the name of any child object in a tree always contains the name of its parent.

Disjointed namespace
A forest is a disjointed namespace because all trees in a forest do not share a common naming structure.
**********************
Organizational Units

An OU is a container for objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.

The primary reason for defining an OU is to delegate administration.
**********************
An access control list (ACL) is the mechanism for limiting access to certain items of information or certain controls based on a user's identity and their membership in various groups.
**********************
Forests

Three forest functional levels are available:

Windows 2000 (default)
Windows Server 2003 interim
Windows Server 2003
**********************
Domain Controllers

Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.
**********************
The Global Catalog

The Global Catalog is the catalog service provided by Active Directory.
A domain controller that holds a copy of the global catalog is called a global catalog server.

Global Catalog Functions

The global catalog (GC) allows a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated. It also enables finding directory information regardless of which domain in the forest actually contains the data.

The query process

The client obtains the IP address of a GC server and sends its query to port 3268 on the GC.

Cache universal group membership lookups
**********************
Active Directory Replication

Replication enables changes to a domain controller to be reflected in all domain controllers.
**********************
The directory contains the following partitions:

Schema partition
Configuration partition
Domain partition
Application Directory partition

A domain controller stores and replicates the schema partition data and the configuration partition data for a forest, as well as the domain partition data for its domain.

The global catalog stores and replicates the schema partition data and the configuration partition data for a forest, as well as a partial replica containing commonly used attributes for all directory objects in the forest.
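The partition list above and the global catalog query process described earlier can both be seen from a domain-joined machine. The PowerShell below is an added example, not part of the original notes: it reads the naming contexts a domain controller holds from RootDSE (schema, configuration, domain and any application directory partitions), then runs the same user search once against a domain controller through the LDAP:// provider (port 389) and once against a global catalog through the GC:// provider (port 3268). It assumes a domain-joined machine with the .NET System.DirectoryServices classes available; the forest root contoso.com and the user name jsmith are constructed placeholders.

```powershell
# Added example (not from the original notes): listing the directory partitions a
# domain controller holds, then running one search through LDAP (port 389) and
# through the global catalog (port 3268). Requires a domain-joined machine; the
# domain name and the searched-for user are assumptions.

function Get-DirectoryPartitions {
    param([string]$Server = '')   # empty = serverless binding to the current domain
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"
    [pscustomobject]@{
        Schema        = [string]$rootDse.schemaNamingContext
        Configuration = [string]$rootDse.configurationNamingContext
        Domain        = [string]$rootDse.defaultNamingContext
        # namingContexts lists every partition this DC replicates, including
        # application directory partitions such as the DNS zone partitions
        All           = @($rootDse.namingContexts)
    }
}

function Find-User {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ForestRootDn,
        [switch]$UseGlobalCatalog
    )
    # GC:// binds to port 3268 and searches the partial replica of the whole
    # forest; LDAP:// binds to port 389 and sees one domain partition only.
    $provider = if ($UseGlobalCatalog) { 'GC://' } else { 'LDAP://' }
    $root = New-Object System.DirectoryServices.DirectoryEntry("$provider$ForestRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userPrincipalName', 'objectGUID'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DN   = [string]$r.Properties['distinguishedname'][0]
            UPN  = [string]$r.Properties['userprincipalname'][0]
            GUID = [guid]$r.Properties['objectguid'][0]
        }
    }
}

Get-DirectoryPartitions

# A user who lives in a child domain is found through the GC, but not through
# an LDAP search rooted at the forest root domain (referrals are not chased).
Find-User -SamAccountName 'jsmith' -ForestRootDn 'DC=contoso,DC=com' -UseGlobalCatalog
Find-User -SamAccountName 'jsmith' -ForestRootDn 'DC=contoso,DC=com'
```

Only attributes that are part of the partial attribute set are returned through GC://, which is why the search asks for commonly replicated attributes such as distinguishedName and userPrincipalName; an attribute that is not replicated to the global catalog has to be read from a domain controller of the object's own domain.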

Active Directory replicates information either within a site, in which case it is called intrasite replication, or between sites, which is called intersite replication.

Knowledge Consistency Checker (KCC)

The KCC analyzes the replication topology within a site every 15 minutes.
**********************
Trust Relationships

A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain.

Trusts are created in one of two ways:
Manually (explicitly)
Automatically (implicitly)

Active Directory supports the following forms of trust relationships:

Tree-root trust
Parent-child trust
Shortcut trust
External trust
Forest trust (available only when the forests are at the Windows Server 2003 functional level)
Realm trust
**********************
Configuration and Change Management

Configuration and change management is a set of Windows Server 2003 features that simplify computer management tasks.

It includes the User Data Management, Software Installation and Maintenance, User Settings Management, and Computer Settings Management features, collectively called the IntelliMirror management technologies.
**********************
Group Policies

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
Group Policy Objects (GPOs): Collections of Group Policy settings.

Resultant Set of Policy (RSoP):
A query engine that works in two modes: logging mode and planning mode.
**********************
The Design Process

Creating a forest plan
Creating a domain plan
Creating an OU plan
Creating a site topology plan

The end result of a domain plan is a domain hierarchy diagram including domain names and planned zones.

The primary reason for defining an OU is to delegate administration.

The end result of an OU plan is a diagram of OU structures for each domain and a list of users in each OU.

The main concern of a site is to physically group computers to optimize network traffic.

The end result of a site topology plan is a site diagram that includes site links and a site link table that provides details about site link configuration, as well as the locations of domain controllers and operations master roles.
**********************
Administering Active Directory Objects

Locating Active Directory Objects

The dsquery command-line tool finds computers, contacts, subnets, groups, OUs, sites, servers, and users in Active Directory according to criteria you specify.
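The following dsquery invocations are an added example, not part of the original notes, showing the kinds of criteria the tool accepts for each object type and how its output (a list of DNs) feeds dsget. The OU and domain names are assumptions; the commands are run from PowerShell but are the same ones typed at a cmd prompt.

```powershell
# Added example (not from the original notes): locating objects with dsquery
# and piping the resulting DNs to dsget. OU=Sales and DC=contoso,DC=com are
# placeholders.

# Users whose name starts with "j", searched below one OU, returned as UPNs
dsquery user "OU=Sales,DC=contoso,DC=com" -name "j*" -o upn

# Accounts an administrator reviews regularly: disabled, with no logon in the
# last 4 weeks, or with a password unchanged for 90 days
dsquery user -disabled
dsquery user -inactive 4
dsquery user -stalepwd 90

# Computer accounts inactive for 8 weeks, capped at 500 results
dsquery computer -inactive 8 -limit 500

# Which domain controllers hold each operations master role, and which are GCs
dsquery server -hasfsmo schema
dsquery server -hasfsmo name
dsquery server -hasfsmo pdc
dsquery server -hasfsmo rid
dsquery server -hasfsmo infr
dsquery server -forest -isgc

# dsquery emits DNs, so its output can feed dsget: here the fully expanded
# membership of Domain Admins, with each member's logon names and status
dsquery group -samid "Domain Admins" | dsget group -members -expand | dsget user -samid -upn -disabled

# Generic search with an arbitrary LDAP filter and a chosen attribute list
dsquery * "DC=contoso,DC=com" -filter "(&(objectCategory=person)(adminCount=1))" -attr sAMAccountName distinguishedName
```

The `-inactive` and `-stalepwd` queries are the quickest way to find accounts that should be disabled or reviewed, and `dsquery server -hasfsmo` is the usual check for where the single-master roles currently sit before a domain controller is taken offline.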
**********************
Active Directory Users and Computers console file (dsa.msc)
**********************
Moving Active Directory Objects

The process of moving Active Directory objects between domains that belong to different forests is called migrating objects.

MoveTree command line utility
The ClonePrincipal
The Active Directory Migration Tool (ADMT)

All of the utilities are included in the /Support/Tools folder on the Windows Server 2003 Installation CD, except the ADMT, which is available in the /i386/ADMT folder.
**********************
The MoveTree Utility

MoveTree command-line utility (MoveTree.exe)

The MoveTree command-line utility cannot be used to move computer accounts, system objects, or domain controllers.

Microsoft, however, recommends that you use the ADMT instead of the MoveTree command-line utility, except for moving contacts, which cannot be handled by the ADMT.
**********************
The ClonePrincipal

The ClonePrincipal is a set of scripts that allows administrators to perform inter-forest migration.

The ClonePrincipal cannot be used to duplicate computer accounts, inter-domain trusts, or accounts with well-known SIDs, since these accounts have identical SIDs in every domain.

Accounts with well-known SIDs are: Account Operators; Administrators; Backup Operators; Guests; Power Users; Print Operators; Replicator; Server Operators; and Users.
**********************
The Active Directory Migration Tool

When you perform inter-forest migrations, you must run ADMT on a domain controller that belongs to the target domain.

When you perform intra-forest migrations, you must run ADMT on the RID Master in the target domain.
**********************
Controlling Access to Active Directory Objects

Each Active Directory object has a security descriptor that defines the permissions to the object and the type of access that is allowed.

Windows Server 2003 stores a list of these assigned user access permissions for every Active Directory object in the access control list (ACL).

The Deny permission takes precedence over any permission that you otherwise allow for user accounts and groups.

Permissions are of two kinds: standard permissions and special permissions.
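The Deny rule above follows from the order in which the access check walks the ACL. The PowerShell below is an added example, not part of the original notes: it models the check with constructed ACEs and constructed SIDs, sorts them into the canonical order Windows keeps them in (explicit Deny, explicit Allow, inherited Deny, inherited Allow), and then walks them first-match, so a Deny that covers a requested right stops the check before any Allow is reached. The right names are simplified labels, not real Active Directory access mask bits.

```powershell
# Added example (not from the original notes): a small model of how an ACL is
# evaluated, showing why a Deny entry wins. The ACEs, SIDs and group names are
# constructed; the rights are simplified names, not real access masks.

function Test-DirectoryAccess {
    param(
        [Parameter(Mandatory)][string[]]$PrincipalSids,   # user SID plus group SIDs
        [Parameter(Mandatory)][string[]]$RequestedRights,
        [Parameter(Mandatory)][object[]]$Acl              # list of ACE objects
    )
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    # Allow. Sorting reproduces it so the first-match walk behaves like Windows.
    $ordered = $Acl | Sort-Object @{e={$_.Inherited}}, @{e={ if ($_.Type -eq 'Deny') { 0 } else { 1 } }}
    $granted = @{}
    foreach ($ace in $ordered) {
        if ($PrincipalSids -notcontains $ace.Sid) { continue }
        $pending = $RequestedRights | Where-Object { -not $granted[$_] }
        if ($ace.Type -eq 'Deny') {
            # Any still-ungranted right covered by this Deny ends the check
            $blocked = $pending | Where-Object { $ace.Rights -contains $_ }
            if ($blocked) {
                return [pscustomobject]@{ Allowed = $false; DeniedBy = $ace.Name; Rights = $blocked }
            }
        } else {
            foreach ($r in $pending) { if ($ace.Rights -contains $r) { $granted[$r] = $true } }
        }
        if (@($RequestedRights | Where-Object { -not $granted[$_] }).Count -eq 0) {
            return [pscustomobject]@{ Allowed = $true; DeniedBy = $null; Rights = $RequestedRights }
        }
    }
    # Rights no ACE granted are implicitly denied
    [pscustomobject]@{
        Allowed  = $false
        DeniedBy = 'no matching Allow'
        Rights   = @($RequestedRights | Where-Object { -not $granted[$_] })
    }
}

function New-Ace {
    param($Name, $Sid, $Type, $Rights, [bool]$Inherited = $false)
    [pscustomobject]@{ Name = $Name; Sid = $Sid; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

# Constructed ACL on an OU: HelpDesk may reset passwords (Allow inherited from
# the domain), but Contractors is explicitly denied that right on this OU.
$acl = @(
    (New-Ace 'Allow HelpDesk reset'   'S-1-5-21-1-1-1-1101' 'Allow' @('ResetPassword', 'ReadProperty') $true),
    (New-Ace 'Deny Contractors reset' 'S-1-5-21-1-1-1-1102' 'Deny'  @('ResetPassword'))
)
# Constructed token: a user who is a member of both groups
$user = @('S-1-5-21-1-1-1-500001', 'S-1-5-21-1-1-1-1101', 'S-1-5-21-1-1-1-1102')

Test-DirectoryAccess -PrincipalSids $user -RequestedRights @('ResetPassword') -Acl $acl
# Allowed = False, DeniedBy = 'Deny Contractors reset': the Deny is checked first
Test-DirectoryAccess -PrincipalSids $user -RequestedRights @('ReadProperty') -Acl $acl
# Allowed = True: the Deny does not cover ReadProperty, so the Allow grants it
```

The model also shows the one qualification to "Deny takes precedence": because explicit entries are ordered before inherited ones, an Allow set directly on an object is reached before a Deny inherited from its parent, so when troubleshooting unexpected access the place to look is the object's own ACL, not only the OU above it.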
**********************
Delegating Administrative Control

You can delegate:
Permissions for specific organizational units to different administrators.
The permissions to modify specific attributes of an object in a single organizational unit.
The permission to perform particular tasks in all organizational units of a domain.
**********************
Publishing Resources

Discretionary Access Control List (DACL)
A user requires Read permission on the DACL of a published object to see it in the result list when searching for a published resource, but may still be unable to access the shared resource itself, depending on the DACL on that shared resource.
**********************
Setting Up and Managing Published Printers

To view printer objects, you enable the option in Active Directory Users and Computers to view objects as containers.

You configure the "Automatically publish new printers in Active Directory" Group Policy setting, found under Computer Configuration\Administrative Templates\Printers, to enable or disable automatic publishing of printers.
**********************
Sending Administrative Messages to Users

You can use the Shared Folders snap-in to send administrative messages to users.
**********************