Chapter 13. Study Guide

This chapter includes the following sections, which address various topics covered on the Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure MCSE exam:

Introduction to Active Directory

Introduces the vocabulary and concepts needed to understand the Windows 2000 Active Directory architecture.

Installing Active Directory

Discusses the steps necessary to plan for and install Active Directory. It also describes how to verify that the installation was successfully completed.

Configuring Active Directory

Describes how to set up the Organizational Unit (OU) structure and discusses the creation and management of Active Directory components.

Active Directory Objects

Describes the building blocks of Active Directory objects. Discusses how to create, manage, and move objects through the use of Group Policies, administrative templates, and software policies.

DNS for Active Directory

Describes the creation and integration of DNS zones. Includes dynamic updates, DNS monitoring, and replication.

Directory Maintenance and Replication

Describes both intersite and intrasite replication.

Remote Installation Service (RIS)

Describes the steps necessary to automatically deploy Windows 2000, including disk images, security, and troubleshooting Remote Installation Service.

Active Directory Security

Discusses issues related to Directory Services infrastructure and Group Policy security. Describes security templates, audit policies, and security events.

Active Directory Maintenance

Describes techniques for managing accounts and backing up and restoring Active Directory. Discusses how to optimize the performance of both Active Directory and the domain controllers that support it.

Troubleshooting Active Directory

Discusses how to troubleshoot problems with DNS, Group Policies, Active Directory components, and software deployment. Describes how to recover from a system failure.

Introduction to Active Directory

Active Directory replaces the Windows NT domain model. It is designed to simplify access to network resources by providing network administrators with the ability to add, modify, and remove both users and resources from a single, hierarchical database. There are many new concepts to learn, but if you keep in mind that its two main functions are to keep track of all the available network resources and to provide access only to authorized users, you’ll have no trouble getting up to speed with Active Directory.

Active Directory is stored on Windows 2000 domain controllers. Only Windows 2000 Servers can be Windows 2000 domain controllers. One major change between Windows NT and Windows 2000 is that there are no primary or backup domain controllers on a Windows 2000 network. All Windows 2000 domain controllers are equal and replicate the Active Directory database using a virtual ring topology.

Terminology

The following terms relating to Microsoft Active Directory will be useful in understanding how Active Directory works. A solid understanding of the vocabulary will help make an abstract concept like Active Directory a lot easier to grasp:

Domain

A network of computers and related hardware that share a user database. This user database is replicated among all the domain controllers. The main benefits of a domain are centralized administration of network resources and a single user logon to access those resources, regardless of where the resources are physically located in the domain.

Organizational Unit (OU)

A tool for dividing domain resources into groups that match the actual structure of your business. For example, the Accounting Organizational Unit can contain the user accounts of employees in the accounting department, the folders that store financial data, the printers used for invoices, and the billing software. Permissions can then be granted to the OU as a whole.

Tree

A collection of Windows 2000 domains with two-way trust relationships. These domains share a common root domain, such as oreilly.com. Subdomains of the root domain are named in DNS dotted format, to the left of the root domain. Two examples of this naming scheme would be linux.oreilly.com and windows.oreilly.com.

Forest

A collection of two or more trees, each with its own root domain name. The trees in the forest automatically have transitive trust relationships. This means that if tree A trusts tree B and tree B trusts tree C, tree A automatically trusts tree C and vice versa, without any separate trust relationship between A and C.

Site

A section of the network that has a fast enough TCP/IP connection to allow for efficient replication of files. Microsoft recommends a minimum of 512 Kbps for efficient replication. Because the main requirement is speed, a single site can span multiple domains or a domain can have multiple sites, depending on the network bandwidth available.

Object

Any individual component on the network, including files, folders, scanners, printers, tape backup devices, and even user accounts.

Container

An object that contains other objects is called a container. A folder that contains files would be a container because the folder is an object and its files are also objects.

Attribute

An object is described by its attributes. A file’s attributes would include its name, size, location, and permissions.

Class

A way to describe objects within the Active Directory schema. A class is just the list of attributes that describe an object. Basically, the file object is the physical file itself. The file class is the logical definition of the file’s properties, such as name, size, and location.

Schema

A list of what types of objects can be managed in the Active Directory database. The schema is made up of classes (definitions of objects) and attributes (containers for the descriptions of objects). The schema can theoretically be modified by a qualified programmer to customize and extend Active Directory to meet their individual needs.
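The Tree and Forest entries above can be worked through in code. The following Python sketch is an added example, not part of the original chapter: it derives parent-child trusts from DNS names and then follows transitive trust to show which domains end up trusting each other. The second tree (example.org, lab.example.org) is a constructed name, and the model assumes each additional tree root has a direct two-way trust with the root of the first tree.

```python
from collections import deque

# Constructed sample forest. The oreilly.com names come from the Tree entry;
# example.org and lab.example.org are made-up names for a second tree.
TREE_ROOTS = ["oreilly.com", "example.org"]
DOMAINS = ["oreilly.com", "linux.oreilly.com", "windows.oreilly.com",
           "example.org", "lab.example.org"]

def parent_of(domain, roots):
    """Parent domain inside the tree (the name to the right of the first dot),
    or None when the domain is itself a tree root."""
    return None if domain in roots else domain.split(".", 1)[1]

def direct_trusts(domains, roots):
    """Two-way trusts that exist before transitivity is applied: child <-> parent
    within a tree, and (assumption) each extra tree root <-> the first tree root."""
    edges = {d: set() for d in domains}
    for d in domains:
        p = parent_of(d, roots)
        if p is None:
            continue
        if p not in edges:
            raise ValueError(f"{d} has no parent domain {p} in the forest")
        edges[d].add(p)
        edges[p].add(d)
    for r in roots[1:]:
        edges[r].add(roots[0])
        edges[roots[0]].add(r)
    return edges

def trust_path(src, dst, edges):
    """Shortest chain of direct trusts linking src to dst (breadth-first search),
    or None when the two domains are not connected by any chain."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(edges[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def effective_trusts(src, edges):
    """Every domain that src trusts once transitive trust is taken into account."""
    return {d for d in edges if d != src and trust_path(src, d, edges)}

if __name__ == "__main__":
    edges = direct_trusts(DOMAINS, TREE_ROOTS)
    print("direct:   ", sorted(edges["linux.oreilly.com"]))
    print("effective:", sorted(effective_trusts("linux.oreilly.com", edges)))
    print("path:     ", trust_path("linux.oreilly.com", "lab.example.org", edges))
```

The gap between the direct and effective lists is the point to take away when reviewing a forest design: adding one tree extends trust to every domain already in the forest.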
