Active Directory Articles
Active Directory Domain Controller roles? Check. Network administration tips? Check. These articles will get you up to speed on Active Directory.
Articles From Active Directory
Article / Updated 05-03-2023
A resource record is the basic data component in the Domain Name Service (DNS). DNS resource records define not only names and IP addresses but domains, servers, zones, and services as well. This list shows you the most common types of resource records:

Type   Purpose
A      Address resource records map a host name to its IP address.
CNAME  Canonical name resource records associate a nickname (alias) with a host name.
MX     Mail exchange resource records identify the mail servers for the specified domain.
NS     Name server resource records identify servers (other than the SOA server) that hold copies of the zone information files.
PTR    Pointer resource records map an IP address back to a host name; this is the reverse of an Address record.
SOA    Start of authority resource records specify which server holds the authoritative zone file for a domain.
SRV    Service resource records identify servers that provide particular services to the domain.
Article / Updated 11-07-2022
Active Directory is part of a storage structure you design that provides organization of objects — like users, computers, groups, and an assortment of other objects — in your IT environment. Before you can implement Active Directory, you have to do some planning. Be sure to complete the following steps before creating domains and organizational units (OUs):

1. Using the DNS namespace, identify and name the root domain.
2. Determine whether a tree or a forest is appropriate for your organization.
3. Determine whether you need additional domains.
4. Consult your requirements and environment to decide which domain model is best for your needs and whether you need additional child domains.
5. Analyze business models and processes to determine which OU model is best for your needs.
6. Determine who will administer each OU and the administrative rights they'll need.
7. Delegate the administrative privileges that the OU administrators need.
8. Diagram the logical Active Directory structure.
Article / Updated 11-07-2022
Active Directory uses a multiple-master model, and usually domain controllers (DCs) are equal to each other in reading and writing directory information. However, certain roles cannot be distributed across all the DCs, because the changes they govern must not take place on more than one domain controller at a time. Some domain controllers therefore assume a single-master operations role, known in Active Directory as an operations master. The five operations master roles are:

- Schema master (one per forest): Maintains the master copy of the schema.
- PDC emulator (one per domain): Emulates a primary domain controller for backward compatibility with Windows NT.
- Domain naming master (one per forest): Tracks object names throughout a forest to ensure that they're unique. Also tracks cross-references to objects in other directories.
- Infrastructure master (one per domain): Tracks object references among domains and maintains a list of deleted child objects.
- Relative identifier (RID) master (one per domain): Tracks the assignment of SIDs (security identifiers) throughout the domain.

Usually, the first domain controller that you create in the first domain assumes all the operations master roles. You can assign these roles to other domain controllers in the domain or forest, but only one domain controller at a time can hold each operations master role.
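Because each role must have exactly one holder, the check an administrator wants is "who holds each role right now, and is that server still a real domain controller?" The script below is an added example, not code from the article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read the forest and domain, and that any -Server value you pass is a placeholder for your own DC.

```powershell
# Added example (not from the article): list the holder of each of the five
# operations master roles and flag any holder that is not a currently
# registered domain controller (a stale holder left behind by an unclean
# demotion is a common finding). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param(
        [string]$Server   # optional DC to query (placeholder); defaults to any DC
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $forest = Get-ADForest @common
    $domain = Get-ADDomain @common

    # Forest-wide roles live on the forest object, per-domain roles on the domain object
    $roles = [ordered]@{
        'Schema master (one per forest)'         = $forest.SchemaMaster
        'Domain naming master (one per forest)'  = $forest.DomainNamingMaster
        'PDC emulator (one per domain)'          = $domain.PDCEmulator
        'RID master (one per domain)'            = $domain.RIDMaster
        'Infrastructure master (one per domain)' = $domain.InfrastructureMaster
    }

    # Every DC in every domain of the forest, by host name, so forest roles
    # held in another domain are not reported as missing
    $liveDcs = foreach ($d in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $d).HostName
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        [pscustomobject]@{
            Role     = $role
            Holder   = $holder
            # False means the recorded holder is not a registered DC: a demoted or missing server
            IsLiveDc = ($liveDcs -contains $holder)
        }
    }
}

# Print the report and call out any role whose holder is not a live DC
$report = Get-OperationsMasterReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.IsLiveDc } | ForEach-Object {
    Write-Warning "$($_.Role) is held by '$($_.Holder)', which is not a registered domain controller."
}
```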
Article / Updated 11-07-2022
Before you arrange and use Active Directory, you need to install the operating system, Windows Server 2008. Start by making certain that the hardware you plan to use for domain controllers is able to run the operating system. This list shows you the minimum and recommended hardware levels for Windows Server 2008:

Component  Requirement
Processor  1 GHz (x86 CPU) or 1.4 GHz (x64 CPU)
Memory     512 MB required; 2 GB or higher recommended
Hard disk  10 GB required; 40 GB or more recommended
Video      Super VGA or higher video card and monitor
Hardware   Must be on the Windows Server 2008 Hardware Compatibility List
Article / Updated 11-07-2022
The range of Active Directory (AD) has expanded in Windows Server 2008, and it has become an essential part of many information technology (IT) environments. Active Directory has become an umbrella for a multitude of technologies, surpassing what AD was in Windows Server 2000 and 2003. Check out the new uses for Active Directory:

- Active Directory Domain Services: An X.500-based directory service that provides integrated authentication and authorization services for a Windows computing environment.
- Active Directory Lightweight Directory Services: A stripped-down version of Active Directory Domain Services that focuses on providing just the directory services functionality.
- Active Directory Federation Services: A Web Services-based technology for providing Web single sign-on authentication services between different organizations.
- Active Directory Certificate Services: Provides digital certificate enrollment and revocation services in support of a public key infrastructure (PKI).
- Active Directory Rights Management Services: Provides a solution for managing how users can use documents that they're authorized to access.
Cheat Sheet / Updated 11-07-2022
Whether you're new to Active Directory (AD) or just need a refresher, it'll help you enhance your information technology (IT) environment if you understand how Active Directory has expanded in the Windows 2008 Server, the tasks of the domain controllers, necessary steps to design the logical side of Active Directory, the standard resource records used in the Domain Name Service (DNS), and the hardware required to run the Windows 2008 Server.
Article / Updated 03-26-2016
Moving objects around in Active Directory may involve moving objects from one location to another within a domain, or you might have to move objects from one domain to another. You need to know the details associated with either operation for the MCSE Directory Services exam. Fortunately, you just need to remember some simple rules.

Moving objects within a domain

Moving objects within a domain is a simple process: Just right-click the object and choose Move. Windows 2000 displays a dialog box in which you simply choose the destination container object for the move. (In newer versions of Windows 2000, you can drag and drop Active Directory objects from one OU to another.)

A real-world example of moving an object within a domain involves moving a user account from one OU to another when the user transfers from one department to another in your organization. Moving the user's account enables the user to receive the benefits and restrictions you have defined for the new OU.

What is not as straightforward (and what you need to know for the exam) is the effect that moving objects has on permissions. Here are the rules you must know:

1. Permissions you assign directly to an Active Directory object remain with the object after you move the object.
2. The object inherits the permissions assigned to the new OU and loses any previously inherited permissions.

You may have already figured this one out: An excellent strategy for administering Active Directory objects is to move objects that need similar permission settings into the same OU. By doing so, you can easily manage your network, assigning permissions and delegating authority effectively with just a few mouse clicks.

Moving objects between domains

In a multiple-domain Windows 2000 forest, you may need to move objects (users, organizational units, groups) between these domains. You use the MOVETREE command-line utility to perform many of these operations.

When you move users and groups to a new domain, they receive new security identifiers (SIDs). Fortunately, Windows 2000 running in native mode supports an attribute called SIDHistory. As you move a user from domain to domain, Windows 2000 populates SIDHistory so you do not have to reset permissions on objects each time you perform the move operation. MOVETREE assists you with most move operations between domains. In those cases where MOVETREE cannot do the job, you can turn to another utility called NETDOM.

MOVETREE can:

- Move most Active Directory objects (including nonempty containers) from one domain to another in the same forest.
- Move domain local and global groups between domains. These groups cannot contain members, however, and the domains must exist within the same forest.
- Move universal groups and their members between domains of the same forest.

MOVETREE can move most Active Directory objects. Those that it cannot move when you relocate a group of objects become orphaned. Windows 2000 places these orphaned objects in a special container called LostAndFound. You can view this container by using the Advanced View feature of Active Directory Users and Computers.

You must have the appropriate administrative permissions to use MOVETREE from the command prompt. This command uses the following syntax:

MOVETREE {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain]Username /p Password] [/verbose] [{/? | /help}]

The placeholder entries in this syntax (SrcDSA, DstDSA, SrcDN, DstDN, Domain, Username, and Password) represent information you must provide. Table 1 describes the switches you can use with the MOVETREE command.

Table 1 MOVETREE Command Switches

Switch          What It Does
/start          Initiates the move operation.
/startnocheck   Starts a MOVETREE operation without first running /check.
/continue       Continues the execution of a previously paused or failed MOVETREE operation.
/check          Performs a test run of the MOVETREE operation without moving anything.
/s SrcDSA       Specifies the source server's fully qualified domain name (FQDN).
/d DstDSA       Specifies the destination server's FQDN.
/sdn SrcDN      Specifies the distinguished name of the object you are moving from the source.
/ddn DstDN      Specifies the distinguished name of the object at the destination.
/u              Runs MOVETREE under the credentials of the username and password provided.
/verbose        Causes MOVETREE to display more details as it runs.
/?              Displays help about MOVETREE.

MOVETREE creates log files when operations are performed. You can check these log files for information regarding the success or failure of MOVETREE events:

- MOVETREE.ERR: Lists any errors encountered.
- MOVETREE.LOG: Lists statistical results of the operation.
- MOVETREE.CHK: Lists any errors detected while MOVETREE ran in check mode.

MOVETREE moves computer objects from one domain to another for you, but it cannot disjoin the computer from the source domain and join it to the target domain. This limitation makes NETDOM a much better utility for moving computers between domains in a Windows 2000 Active Directory setting. NETDOM uses the following syntax to move computer accounts:

NETDOM MOVE /D:domain [/OU:ou_path] [/Ud:User /Pd:{Password|*}] [/Uo:User /Po:{Password|*}] [/Reboot:[time_in_seconds]]

Table 2 describes the switches you use with the NETDOM command.

Table 2 NETDOM Command Switches

Switch                     What It Does
/D:domain                  Identifies the target domain.
/OU:ou_path                Specifies the target OU.
/Ud:User                   Indicates the user account used to make the connection to the target domain.
/Pd:{Password|*}           Enters the password for the user account used to connect to the destination domain; if you use *, NETDOM prompts for the password.
/Uo:User                   Identifies the user account used to make the connection to the source domain.
/Po:{Password|*}           Enters the password for the user account used to connect to the original domain; if you use *, NETDOM prompts for the password.
/Reboot:[time_in_seconds]  Specifies that the computer being moved should shut down and reboot automatically the given number of seconds after the move operation.
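The safe order the article implies is check mode first, the real move only when the check log is clean, and a look in LostAndFound afterwards for anything that was orphaned. The script below is an added example, not code from the article; it assumes movetree.exe is on the PATH and writes its MOVETREE.CHK/.ERR/.LOG files into the current directory, that the ActiveDirectory PowerShell module is available for the LostAndFound query, and that every server name and distinguished name in it is a placeholder for your own environment.

```powershell
# Added example (not from the article): dry run with /check, start the move
# only when MOVETREE.CHK is empty, then audit the target domain's LostAndFound
# container for objects the move orphaned. All names below are placeholders;
# the log-file location is an assumption about where movetree.exe writes.
param(
    [string]$SrcDsa = 'dc1.source.example',               # placeholder source DC FQDN
    [string]$DstDsa = 'dc1.target.example',               # placeholder destination DC FQDN
    [string]$SrcDn  = 'OU=Sales,DC=source,DC=example',    # placeholder DN of the object to move
    [string]$DstDn  = 'OU=Sales,DC=target,DC=example',    # placeholder DN at the destination
    [string]$TargetDomainDn = 'DC=target,DC=example'      # placeholder target domain DN
)

function Invoke-MoveTree {
    # Runs one MOVETREE operation and returns the native exit code
    param([ValidateSet('/check', '/start', '/continue')][string]$Mode)
    & movetree.exe $Mode /s $SrcDsa /d $DstDsa /sdn $SrcDn /ddn $DstDn /verbose
    return $LASTEXITCODE
}

function Test-CheckLogClean {
    # MOVETREE.CHK lists errors found in check mode; any non-blank line means stop
    param([string]$Path = (Join-Path (Get-Location) 'MOVETREE.CHK'))
    if (-not (Test-Path $Path)) { return $true }
    $lines = @(Get-Content -Path $Path | Where-Object { $_.Trim() -ne '' })
    return ($lines.Count -eq 0)
}

function Get-OrphanedObjects {
    # Objects MOVETREE could not relocate are placed in the domain's LostAndFound container
    Get-ADObject -Server $DstDsa -SearchBase "CN=LostAndFound,$TargetDomainDn" `
        -SearchScope OneLevel -Filter * -Properties whenChanged |
        Select-Object Name, ObjectClass, DistinguishedName, whenChanged
}

# 1. Dry run: refuse to move anything if check mode reports problems
$rc = Invoke-MoveTree -Mode '/check'
if ($rc -ne 0 -or -not (Test-CheckLogClean)) {
    Write-Warning "Check run failed (exit code $rc); read MOVETREE.CHK and MOVETREE.ERR before retrying."
    return
}

# 2. Real move; a failure here is resumed with /continue once the cause is fixed
$rc = Invoke-MoveTree -Mode '/start'
if ($rc -ne 0) {
    Write-Warning "MOVETREE exited with code $rc; see MOVETREE.ERR, then rerun with -Mode '/continue'."
    return
}

# 3. Post-move audit: anything listed here must be moved or cleaned up by hand
$orphans = @(Get-OrphanedObjects)
if ($orphans.Count -eq 0) { 'No orphaned objects in LostAndFound.' }
else { $orphans | Format-Table -AutoSize }
```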
Article / Updated 03-26-2016
The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual objects tracked by the directory are stored. Active Directory uses a hierarchical database model, which groups items in a tree-like structure. The following sections explain the meaning of these important Active Directory terms.

Objects

The basic unit of data in Active Directory is called an object. Active Directory can store information about many different kinds of objects. The objects you work with most are users, groups, computers, and printers. The figure below shows the Active Directory Manager displaying a list of built-in objects that come preconfigured with Windows Server 2008 R2. To get to this management tool, choose Start→Administrative Tools→Active Directory Users and Computers. Then click the Builtin node to show the built-in objects.

Objects have descriptive characteristics called properties or attributes. You can call up the properties of an object by double-clicking the object in the management console.

Domains

A domain is the basic unit for grouping related objects in Active Directory. Typically, domains correspond to departments in a company. For example, a company with separate Accounting, Manufacturing, and Sales departments might have domains named (you guessed it) Accounting, Manufacturing, and Sales. Or the domains correspond to geographical locations. For example, a company with offices in Detroit, Dallas, and Denver might have domains named det, dal, and den.

Note that because Active Directory domains use DNS naming conventions, you can create subdomains that are considered to be child domains. You should always create the top-level domain for your entire network before you create any other domain. For example, if your company is named Nimbus Brooms and you've registered NimbusBroom.com as your domain name, you should create a top-level domain named NimbusBroom.com before you create any other domains. Then, you can create subdomains such as Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com.

If you have Microsoft Visio, you can use it to draw diagrams for your Active Directory domain structure. Visio includes several templates that provide icons for various types of Active Directory objects. For example, the following figure shows a Visio diagram of an Active Directory with four domains.

Note that these domains have little to do with the physical structure of your network. In Windows NT, domains usually are related to the network's physical structure. Every domain must have at least one domain controller, which is a server that's responsible for the domain. However, unlike a Windows NT PDC, an Active Directory domain controller doesn't have unique authority over its domain. In fact, a domain can have two or more domain controllers that share administrative duties. A feature called replication works hard at keeping all the domain controllers in sync with each other.

Organizational units

Many domains have too many objects to manage all together in a single group. Fortunately, Active Directory lets you create one or more organizational units, also known as OUs. OUs let you organize objects within a domain, without the extra work and inefficiency of creating additional domains.

One reason to create OUs within a domain is so that you can assign administrative rights over each OU to different users. Then, these users can perform routine administrative tasks such as creating new user accounts or resetting passwords. For example, suppose the domain for the Denver office, named den, houses the Accounting and Legal departments. Rather than create separate domains for these departments, you could create organizational units for the departments.

Trees

A tree is a set of Active Directory names that share a common namespace. For example, the domains NimbusBroom.com, Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com make up a tree that is derived from a common root domain, NimbusBroom.com.

The domains that make up a tree are related to each other through transitive trusts. In a transitive trust, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA automatically trusts DomainC. Note that a single domain all by itself is still considered to be a tree.

Forests

As its name suggests, a forest is a collection of trees. In other words, a forest is a collection of one or more domain trees that do not share a common parent domain. For example, suppose Nimbus Brooms acquires Tracorum Technical Enterprises, which already has its own root domain named TracorumTech.com, with several subdomains of its own. Then, you can create a forest from these two domain trees so the domains can trust each other.

The key to Active Directory forests is a database called the global catalog. The global catalog is sort of a super-directory that contains information about all of the objects in a forest, regardless of the domain. If a user account can't be found in the current domain, the global catalog is searched for the account. The global catalog provides a reference to the domain in which the account is defined.