Computer Performance, Windows Server 2003


Active Directory in Windows 2003 - Advanced


This section assumes a working knowledge of Active Directory.  If you are not familiar with Forests, Trees and OUs then check out the Active Directory - Intro; if you are up to speed on the basics then read on.

My twin goals are to give you configuration tips and provide background information before you deploy Active Directory.  My greatest wish is that you will be able to make informed decisions for yourself.


Forest

The Forest is the highest level in Active Directory.  Logically, a forest is a collection of domains all joined by parent-child trusts.  Another way is to think of a forest as a group of trees branching from a root domain.  From a technical standpoint, all objects in the forest share the same schema definitions.

What is new in Server 2003 is that you can have trusts between different forests; this was not possible in Windows 2000.  Microsoft are making it easy for companies who merge with or take over smaller organizations.

Domains

The domain remains the basic unit of Active Directory.  From a technical point of view, domains are the security boundary of Active Directory.  From a practical point of view this means that security policies set at the domain cannot be changed at the OU level.

Users do not need to know which tree, forest or even OU they belong to, but they should know which domain to select at logon.  The modern way for a user to log on is to enter their User Principal Name (UPN) in the domain logon box.  The UPN looks like an email address; for example guyt@CP.com.

Domain controllers need to replicate directory information with all other domain controllers in their own domain.  If this replication is slow or chokes a slow link, then first try separate sites; if that solution does not work then consider separate domains in each geographic location.

Organizational Units

When planning your Active Directory, divide and rule is a good maxim.  Learn from the mistakes of NT 4.0 where there were too many domains.  With Active Directory keep to a few domains, but create lots of OUs which you then delegate.  The trick is to keep overall control and harness the benefits of belonging to a domain, while allowing local administrators to create users and reset passwords.

Installing Active Directory

With installations, 7 minutes of planning will save an hour of rework.  The secret of troubleshooting Active Directory installs is mastering DNS.  I find NSLookup invaluable; also Ipconfig's new switches /registerdns and /flushdns are handy.

Procedure for creating a Domain Controller

The key to success is preparation.  Decide your DNS name and enter it in the Computer Name tab of the System icon (Windows Key + Pause).  Whilst this section deals with the nuts and bolts of an installation, take care to design your Active Directory forest first, for example the account naming strategy, top-level OUs and group policies.

Now you are ready to run DCPROMO.

DCPROMO decisions

To call for the Active Directory Installation Wizard, Start, Run DCPROMO and answer these questions:

  1. New Domain - or Replica (another DC in the same domain)
  2. Domain Tree in existing forest - or New Domain Tree
  3. Domain in New Forest
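The DNS checks and the three DCPROMO decisions above can be scripted.  The following PowerShell script is an added example, not code from the original article: it runs the two ipconfig switches mentioned earlier, uses nslookup to confirm that the `_ldap._tcp.dc._msdcs` SRV records exist before a replica is added (for a brand-new forest they cannot exist yet, so that check is skipped), then writes an unattended answer file and hands it to `dcpromo /answer:`.  The domain name `cp.com`, the NetBIOS name `CP` and the database paths are constructed placeholders; the `[DCInstall]` keys are those of the Windows Server 2003 unattended DCPROMO format, and any setting the file omits (such as the credentials for a replica join) is prompted for by the wizard.

```powershell
# Added example (not from the original article): DNS pre-flight checks and an
# unattended DCPROMO run for a Windows Server 2003 domain controller.
# Assumptions: cp.com / CP and the NTDS paths are placeholders; the answer-file
# keys follow the Server 2003 unattended DCPROMO format.
param(
    [string]$DomainDnsName = "cp.com",     # constructed placeholder
    [string]$DomainNetBios = "CP",         # constructed placeholder
    [string]$Role          = "Forest",     # "Forest" = decisions 1-3 above, "Replica" = another DC
    [string]$AnswerFile    = "$env:TEMP\dcpromo-answer.txt"
)

# 1. Refresh the resolver cache and re-register this host's own DNS records.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null

# 2. A replica must be able to find an existing DC through the SRV records
#    that DCs register under _msdcs.  Run this again after promotion to
#    confirm the new DC has registered itself.
function Test-DcSrvRecords {
    param([string]$Domain)
    $name   = "_ldap._tcp.dc._msdcs.$Domain"
    $output = nslookup -type=SRV $name 2>&1 | Out-String
    # Windows nslookup prints one "svr hostname = dc1.cp.com" line per answer
    $hosts  = @([regex]::Matches($output, 'svr hostname\s*=\s*(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
    if ($hosts.Count -eq 0) {
        Write-Warning "No SRV records for $name - fix DNS before running DCPROMO"
        return $false
    }
    Write-Host "Domain controllers advertised in DNS: $($hosts -join ', ')"
    return $true
}

if ($Role -eq "Replica" -and -not (Test-DcSrvRecords -Domain $DomainDnsName)) {
    exit 1
}

# 3. Build the answer file.  SafeModeAdminPassword is the Directory Services
#    Restore Mode password; it is prompted for rather than hard-coded, and the
#    file is deleted as soon as DCPROMO has finished with it.
$secure = Read-Host -AsSecureString "Directory Services Restore Mode password"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

$common = @"
[DCInstall]
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$plain
RebootOnSuccess=No

"@

if ($Role -eq "Forest") {
    # Decision 1: New Domain; decision 2: New Domain Tree; decision 3: New Forest
    $roleLines = @"
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDnsName
DomainNetBiosName=$DomainNetBios
AutoConfigDNS=Yes
"@
} else {
    # Decision 1 answered "Replica": another DC in an existing domain
    $roleLines = @"
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
"@
}

Set-Content -Path $AnswerFile -Value ($common + $roleLines) -Encoding ASCII
try {
    dcpromo /answer:$AnswerFile
} finally {
    # The file holds the DSRM password in clear text: never leave it behind.
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}
```

Run it as `.\New-Dc.ps1 -Role Replica -DomainDnsName cp.com` to add a second controller to an existing domain, or with the defaults to create the first DC of a new forest; reboot manually once DCPROMO reports success, since RebootOnSuccess is set to No so that the cleanup step always runs.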



Active Directory Physical Site Topology

The physical structure of Active Directory is much like sites in Exchange.  Firstly, sites are completely independent of the Domain and Tree logical structure.  Secondly, sites are defined by the subnets that the servers are on.  Thirdly, you need to create and configure a site connector to join and synchronise Active Directory between different sites.

Windows 2003 uses a change notification system to keep all the domain controllers synchronised.  When you have more than one domain controller there will be a delay of 15 seconds before changes reach the other partners at the same site (reduced from 5 minutes in Windows 2000).

The reasons for creating a second site include slow network links and the desire to control directory replication.  The site connectors allow you to control the intervals between replication; the default is 3 hours.  Do remember to create subnet objects and to associate them with the appropriate sites.  While Windows 2003 clients automatically work out which subnet they are in, you have to manually assign the server the correct IP and use the Active Directory Sites and Services snap-in to configure the server object.
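The subnet-to-site association and the 3-hour replication interval described above are both just attributes on objects in the Configuration partition, so they can be set and audited without the snap-in.  The script below is an added example, not code from the original article: it binds to the forest's Configuration naming context through ADSI, creates a subnet object and points its `siteObject` attribute at a site, reads and sets `replInterval` (in minutes) on a site link, and finally lists which server objects sit in which site so a misplaced domain controller stands out.  The site name `Branch` and the subnet `10.1.2.0/24` are constructed placeholders; `DEFAULTIPSITELINK` is the site link that Active Directory creates at installation.

```powershell
# Added example (not from the original article): manage a subnet, its site
# association and a site link's replication interval through ADSI.
# Assumptions: "Branch" and 10.1.2.0/24 are placeholders; run with Enterprise
# Admins rights on a DC or a workstation with the admin tools installed.
param(
    [string]$SiteName        = "Branch",            # constructed placeholder
    [string]$Subnet          = "10.1.2.0/24",       # constructed placeholder
    [string]$SiteLinkName    = "DEFAULTIPSITELINK",
    [int]   $IntervalMinutes = 180                  # the 3-hour default in the text
)

# Sites live in the Configuration partition, which the whole forest shares;
# RootDSE tells us its distinguished name without hard-coding the domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = "$($rootDse.configurationNamingContext)"
$sitesDN  = "CN=Sites,$configNC"

# The site itself must already exist (create it in Sites and Services).
$siteDN = "CN=$SiteName,$sitesDN"
if (-not [ADSI]::Exists("LDAP://$siteDN")) {
    throw "Site '$SiteName' does not exist under $sitesDN"
}

# Subnet objects are named after their CIDR prefix and point at a site via
# siteObject; a client on this subnet then prefers DCs in that site rather
# than one across the slow link.
$subnetDN = "CN=$Subnet,CN=Subnets,$sitesDN"
if ([ADSI]::Exists("LDAP://$subnetDN")) {
    $subnetObj = [ADSI]"LDAP://$subnetDN"
} else {
    $container = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $subnetObj = $container.Create("subnet", "CN=$Subnet")
}
$subnetObj.Put("siteObject", $siteDN)
$subnetObj.SetInfo()
Write-Host "Subnet $Subnet is associated with site $SiteName"

# Inter-site replication frequency is the replInterval attribute (minutes)
# of the site link object under the IP transport.
$siteLink = [ADSI]"LDAP://CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,$sitesDN"
$current  = [int]"$($siteLink.replInterval)"
Write-Host "Replication interval on $SiteLinkName is $current minutes"
if ($current -ne $IntervalMinutes) {
    $siteLink.Put("replInterval", $IntervalMinutes)
    $siteLink.SetInfo()
    Write-Host "Set replication interval to $IntervalMinutes minutes"
}

# Server objects live at CN=<server>,CN=Servers,CN=<site>,CN=Sites,...; list
# them per site so a DC placed in the wrong site is easy to spot.
$searcher             = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$sitesDN"
$searcher.Filter      = "(objectClass=server)"
$searcher.SearchScope = "Subtree"
foreach ($result in $searcher.FindAll()) {
    $serverDN = $result.Properties["distinguishedname"][0]
    if ($serverDN -match "CN=Servers,CN=([^,]+),") {
        Write-Host ("{0,-25} site: {1}" -f $result.Properties["cn"][0], $matches[1])
    }
}
```

Because the Configuration partition replicates to every domain controller in the forest, a change made here appears on the other sites only after the interval you have just set; check the result with the replication monitor from the support tools rather than expecting it instantly.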


Active Directory Tools

Note that you can install the tools below and run them from an XP machine.  What you need is Adminpak.msi from the Server CD.  If your Adminpak does not work on your client machine, check Microsoft's web site.  There are a number of permutations of W2K3, W2K, XP and W2K Professional; fortunately Microsoft have a tool for each combination.  If all else fails, then Remote Desktop into the server from the client.

Three basic Active Directory Tools

  • Active Directory Users and Computers - Create and manage accounts
  • Active Directory Sites and Services - Create Sites and Subnets
  • Active Directory Domains and Trusts - Rarely needed; used for creating trusts.

Three advanced utilities

  • Active Directory Replication Monitor - Support tools from the CD
  • ADSI - Support tools from the CD
  • Schema Snap-in - Run regsvr32 schmmgmt.dll; the Active Directory Schema snap-in will then be available in the MMC or Administrative Tools

Check list for further investigation

  • Active Directory Sites and Services. (Administrative Tools)
  • Global Catalog servers
  • Locations especially with printers
  • Active Directory Connections
  • Kerberos Security
  • Raising the Forest Functional Level (formerly Mixed and Native Mode)



Copyright © 1999-2008 Computer Performance LTD All rights reserved