Active Directory in Windows Server 2003
This page is designed to help those who are new to Microsoft's Active Directory.
My goal is to get you started with the key terms and concepts. For
those with some experience already, I want to help plug gaps in your knowledge.
Just as you might get the perspective of a diamond by looking at its different
facets, so I want you to build up a picture of Active Directory by examining its
many aspects.
Seven aspects of Active Directory
- Active Directory as the successor to NT 4.0's SAM database
- An object based system, e.g. Object (User), Attribute (Logon name), Value (GuyT)
- A search mechanism to retrieve those resources from its database
- The physical side of Active Directory: sites, subnets and site links
- Logical structure: Forest, Tree, Domain and Organizational Units
- The Schema and how it defines the Active Directory objects and attributes
- Group Policy: thanks to Active Directory we can lock down the desktop and assign software
Every successful operating system needs an authentication mechanism. Novell developed the marvellous NDS tree, while UNIX has powerful directory services to manage its users. By the year 2000, NT 4.0's SAM had become an embarrassment, so Microsoft developed the directory service we know as Active Directory. As a matter of interest, the Active Directory database file that takes the place of NT 4.0's SAM is called NTDS.DIT (Directory Information Tree).
The NT 4.0 SAM database was very thin, both in respect to the number of users it could hold and their range of properties. The only information SAM stored was usernames and their passwords. Active Directory, on the other hand, can store many more attributes of the user object.
To examine and configure these attributes, launch Active Directory Users and Computers and browse through a user's Properties tabs. There you will discover a whole range of attributes, for example telephone number, manager, email address, certificates and dial-in properties.
Microsoft do not change menu names without good reason; if you go to the Start Menu in Windows Server 2003 you will see that Find (NT 4.0) has been replaced by Search. Once you launch Search, you will see the file system in the upper window; however, it is the lower section that I am interested in, because this is where you can search for Computers, Printers or People. Using this part of Search, you are actually querying Active Directory to retrieve the objects you are interested in.
Technically you are using a protocol, or query language, called LDAP (Lightweight Directory Access Protocol). LDAP supplies the directions (a search base and a filter) that locate objects in the Active Directory database. LDAP is an important language, particularly useful for advanced troubleshooting and for making changes suggested by TechNet articles.
To learn more about LDAP, install the support tools from the Server CD and experiment with ADSI.
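The queries behind the Search for People, Computers and Printers, as an added example that is not from the original article: it derives the search base from a domain's DNS name and builds the LDAP filter, escaping any name the user types so it cannot change the meaning of the query. It only constructs the strings (no directory is contacted), and the domain names and kinds are assumed sample values.

```python
"""Construct the LDAP search base and filter behind Search for People,
Computers or Printers. No directory is contacted, so this runs offline."""

# RFC 4515 escaping for values placed inside an LDAP filter. Without it a
# value such as "*)(objectClass=*" rewrites the query (LDAP injection);
# with it the value is matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def dns_to_base_dn(dns_name: str) -> str:
    """son.OurCompany.com -> DC=son,DC=OurCompany,DC=com (the domain's search base)."""
    labels = [p for p in dns_name.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


# What each pane of Search asks for, as objectCategory/objectClass filters.
_KINDS = {
    "people": "(&(objectCategory=person)(objectClass=user))",
    "computers": "(objectCategory=computer)",
    "printers": "(objectCategory=printQueue)",
}


def build_search(kind: str, domain_dns: str, name: str = "") -> tuple:
    """Return (base DN, LDAP filter) for a Search of the given kind. A non-empty
    name is matched as a substring of cn, escaped so it cannot alter the filter."""
    try:
        kind_filter = _KINDS[kind]
    except KeyError:
        raise ValueError(f"unknown search kind {kind!r}") from None
    if name:
        kind_filter = f"(&{kind_filter}(cn=*{escape_filter_value(name)}*))"
    return dns_to_base_dn(domain_dns), kind_filter


if __name__ == "__main__":
    print(build_search("people", "OurCompany.com", "guyt"))
```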
The physical side of Active Directory means your sites and subnets. If you are familiar with Exchange, then the site concept is the same in Server 2003. A subnet is a split of the network, so you split your network into subnets, and the network routers join these subnets to form sites. Your practical task is to tell Active Directory about the physical sites; Microsoft provide a snap-in to help you define the sites. Once the sites are created, you configure Active Directory replication through Site Links. Lastly, double check that the domain controller objects are in the correct subnet of the correct site.
There are two main reasons for creating a site: slow network connections and the need to control Active Directory replication traffic. What confuses beginners is that there is no relationship between sites and domains. Amateurs think there is a one to one relationship between a site and a domain - wrong. You can have one domain with many sites. Multi-nationals may need one site to hold domain controllers from three different domains.
Plan your sites with a TCP/IP and router expert; thereafter you will only need an occasional change to the configuration. Users and computers, on the other hand, always seem to need their Active Directory settings changing.
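The last check in that procedure, that each domain controller object sits in the site its subnet belongs to, as an added example that is not from the original article. The subnet-to-site map and the domain controllers are constructed sample data; the matching mirrors Active Directory's rule of choosing the most specific subnet object.

```python
"""Flag domain controller objects placed in a site other than the one their
subnet is assigned to. Sample data below is constructed, not a real directory."""
import ipaddress

# Constructed sample of what Sites and Services holds: subnet -> site.
SUBNETS = {
    "10.1.0.0/16": "Worcester",
    "10.1.5.0/24": "Worcester-Lab",
    "10.2.0.0/16": "London",
}

# Constructed sample DC objects: name, IP address, site the object was placed in.
DCS = [
    ("DC1", "10.1.0.10", "Worcester"),
    ("DC2", "10.1.5.10", "Worcester"),   # 10.1.5.0/24 is the more specific match
    ("DC3", "10.2.0.10", "London"),
    ("DC4", "10.3.0.10", "London"),      # no subnet object covers this address
]


def site_for_ip(ip, subnets):
    """Longest-prefix match of an address against the subnet objects, as Active
    Directory does when mapping a machine to a site; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def misplaced_dcs(dcs, subnets):
    """Return (name, site implied by subnet or None, configured site) for every
    DC whose object is not in the site its subnet says it should be."""
    problems = []
    for name, ip, configured in dcs:
        expected = site_for_ip(ip, subnets)
        if expected != configured:
            problems.append((name, expected, configured))
    return problems


if __name__ == "__main__":
    for name, expected, configured in misplaced_dcs(DCS, SUBNETS):
        print(f"{name}: object in site {configured}, subnet says {expected}")
```

A DC with no covering subnet (DC4 here) is the case that slips past a visual check, because Sites and Services shows it in a site while replication and client logon placement use the subnet objects.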
How you view the logical side of Active Directory depends on your company background. Small companies will start with just one Domain and focus their efforts on how many Organizational Units they need. A network architect at a large company will be primarily concerned with how to link DNS names with Domain names, whether to have a blank root domain, and whether a subsidiary would be best in its own tree.
Logical Components
- Forest - Two or more trees. Each tree has a distinct name, e.g. OurCompany.com and SubsidiaryCo.org
- Tree - Two or more domains with the same namespace, e.g. OurCompany.com and son.OurCompany.com
- Domain - Remains the basic unit of security and replication
- Organizational Unit - Subdivision of a Domain. Used for delegation, management and Group Policy
- Parent / Child - The two way, transitive trust relationship between two domains
- Root Domain - The first domain that you create; has additional powerful groups, e.g. Enterprise Admins
- Contiguous namespace - Catchphrase to describe a tree where all the domains share a common suffix
- Schema - The definition of objects and attributes for the whole forest. Every domain, in every tree, has the same schema partition in Active Directory.
At its heart, Active Directory is an object based system. The main objects are Users, Computers, Sites and Printers. Microsoft have built these objects from attributes, for example Common name (CN), Location, Department and many more. Our role as administrators is to set the values, for example Common name = guyt, Location = Worcester. At this stage in our education, all we need to know is that we configure the values through Active Directory Users and Computers; we do not mess with the Schema itself - that is a job for a developer.
The only other practical point we need to be aware of is that when you install
Exchange 2000 or 2003, you have to be a member of the Schema Admins and
Enterprise Admins. Also, once Exchange is installed the User objects will have
more tabs with attributes like Mailbox, email address and instant messaging.
My first point is that without Active Directory, there would be no Group Policies. Group Policies encourage central control of the desktop. Your mantra should be 'prevention is better than cure'. My vision of a group policy is to pamper users with all the software they need, yet deny them access to any part of the computer where they have no business to roam.
The best kept secret of Group Policy is the chance to assign software to users. Many administrators get so carried away locking down the desktop that they overlook the chance to deploy software. The advantage of this method of rolling out software is the ease with which you can service pack or update the .MSI installer files.
Do you remember the Organizational Units? Well, part of the reason for creating them was so that you could apply group policies. I mention this as a justification for studying all the facets of Active Directory before you start configuring. The one group policy that you need to apply at the domain level is the security policy. Reluctantly, I will leave further discussion to the Group Policy 2003 section.
Active Directory Training
As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands on training. In particular, I like the way that TrainSignal cover all learning methods: instructor led, video and of course text material. You can either take one module, for example Active Directory, or go for a combination of modules.
See more about Active Directory training