Active Directory Concepts:

Schema - the formal definition of the contents and structure of AD: the object classes, their attributes and the properties of those attributes. For each object class the schema defines which attributes an instance of the class must have, which additional attributes it may have and which object classes can be its parent. Installing AD on the first domain controller in a forest creates the domain and the default schema, which contains the commonly used classes and attributes. The schema can be extended whenever needed, but extensions are forest-wide and effectively permanent (in Windows 2000 a class or attribute can be deactivated, not deleted), so plan them carefully. By default, write access to the schema is limited to members of the Schema Admins group, and changes can only be made on the domain controller holding the schema master role. (KB# Q229691)

Global Catalog - a central repository of information about every object in a forest. AD builds the global catalog automatically through replication from the domains that make up the forest. It holds a partial replica of each object: the attributes most often used in search operations (such as user names and logon names), which are enough to locate the full replica of the object on a DC in its home domain. Because of this, the global catalog can be used to find objects anywhere in the forest without replicating all of their attributes between DCs. A global catalog server is also needed at logon to resolve UPN names and universal group membership.

Active Directory Naming Conventions:

  • Distinguished Name (DN) - every object in AD has one. It uniquely identifies the object and contains enough information for an AD client to retrieve it from the directory: the name of the domain that holds the object plus the complete path through the container hierarchy to it, e.g. CN=John Doe,OU=Sales,DC=brainbuzz,DC=com. DNs must be unique - AD will not allow duplicates. A DN changes when the object is renamed or moved.
  • Relative Distinguished Name (RDN) - the leftmost part of the DN, the attribute that names the object within its parent container (e.g. CN=John Doe). An RDN only has to be unique among the objects in the same container. If the DN of an object is unknown, it can still be found by querying on its attributes.
  • Globally Unique Identifier (GUID) - unique 128-bit number assigned to an object when it is created and stored in its objectGUID attribute. The GUID never changes, so even if the object is renamed or moved the GUID can be used to locate it.
  • User Principal Name (UPN) - "friendly" logon name given to a user account, in the form user@DNS-suffix (e.g., johndoe@brainbuzz.com). UPNs must be unique across the forest. (KB# Q243280)
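As an added example (not code from the original page), the parser below splits a DN in its RFC 4514 string form into RDNs and attribute/value pairs, handling backslash escapes, and then applies the two uniqueness rules stated above: DNs are compared case-insensitively and must be unique, while an RDN only needs to be unique among siblings in one container. The sample DNs and the brainbuzz.com naming are constructed; the helper names (split_dn, parse_rdn, find_duplicates and so on) are this example's own.

```python
"""Parser for LDAP distinguished names in their RFC 4514 string form.

Added example, not code from the original page. It models how AD treats DNs
(unique per directory, compared case-insensitively) and RDNs (unique only
among siblings in one container); the sample DNs below are constructed."""

from typing import Dict, List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in %r" % text)
            cur.append(text[i:i + 2])   # keep the escape for unescape_value()
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(value: str) -> str:
    """Turn an escaped RDN value back into plain text.

    Handles '\\<special>' and single-byte '\\XX' hex escapes (e.g. '\\2C' for a
    comma); multi-byte UTF-8 hex sequences are not handled by this example."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling backslash in %r" % value)
        nxt = value[i + 1]
        if nxt in _SPECIAL or nxt in " #":
            out.append(nxt)
            i += 2
        else:
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
    return "".join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, leftmost (the object's own RDN) first."""
    rdns = _split_unescaped(dn, ",")
    if any(not r.strip() for r in rdns):
        raise ValueError("empty RDN in DN %r" % dn)
    return rdns


def parse_rdn(rdn: str) -> List[Tuple[str, str]]:
    """Parse one RDN into (attribute type, value) pairs; '+' joins multi-valued RDNs."""
    pairs = []
    for component in _split_unescaped(rdn, "+"):
        if "=" not in component:
            raise ValueError("RDN component without '=': %r" % component)
        attr, val = component.split("=", 1)
        pairs.append((attr.strip().upper(), unescape_value(val.strip())))
    return pairs


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    return [parse_rdn(r) for r in split_dn(dn)]


def parent_dn(dn: str) -> str:
    """The container that holds the object: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def normalize(dn: str) -> Tuple[Tuple[Tuple[str, str], ...], ...]:
    """Canonical form for comparison: AD compares DNs case-insensitively, and
    the order of values inside a multi-valued RDN does not matter."""
    return tuple(tuple(sorted((a, v.lower()) for a, v in rdn)) for rdn in parse_dn(dn))


def find_duplicates(dns: List[str]) -> List[Tuple[str, str]]:
    """Pairs of DNs that collide after normalisation; AD would refuse to
    create the second object of each pair."""
    seen: Dict[tuple, str] = {}
    dups = []
    for dn in dns:
        key = normalize(dn)
        if key in seen:
            dups.append((seen[key], dn))
        else:
            seen[key] = dn
    return dups


# Constructed sample DNs: an escaped comma, a case-only duplicate, and the
# same RDN reused in a different container (which AD allows).
SAMPLE_DNS = [
    "CN=Doe\\, John,OU=Sales,DC=brainbuzz,DC=com",
    "CN=Jane Roe,OU=Sales,DC=brainbuzz,DC=com",
    "cn=jane roe,ou=sales,dc=BRAINBUZZ,dc=com",
    "CN=Jane Roe,OU=Research,DC=brainbuzz,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(parse_rdn(split_dn(dn)[0]), "in", parent_dn(dn))
    print("duplicates:", find_duplicates(SAMPLE_DNS))
```

Running the block reports the third sample DN as a duplicate of the second even though the case differs, and accepts the fourth because its parent container is different; that is exactly the distinction between DN uniqueness and RDN uniqueness.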

Trust Relationships:

  • Implicit two-way transitive trust - the default between Windows 2000 domains in the same forest. Trust relationships between parent and child domains in a tree, and between the root domains of each tree and the forest root, are established and maintained automatically (implicitly). They are a feature of the Kerberos authentication protocol. Because the trusts are transitive, every domain in the forest ends up trusting every other domain in the forest, so a compromised account in any forest domain is accepted throughout it.
  • Explicit one-way nontransitive trust - the only kind of trust in Windows NT 4.0 domains. Trust is limited to the two domains in the relationship and does not flow to others. It must be created manually (explicitly). This is the only form of trust possible with:
    • Windows NT 4.0 domains
    • Windows 2000 domains in a separate forest
    • Windows 2000 domains and MIT Kerberos 5 authentication realms.
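The following is an added example, not code from the original page. It models the two kinds of trust described above as a small graph and answers the question a practitioner actually needs during an assessment: which domains' accounts will a given resource domain authenticate, and through which chain of trusts? Implicit forest trusts are two-way and transitive; external NT 4.0-style trusts are one-way and usable only as a direct hop. The domain names and topology are made up, and later refinements such as SID filtering are deliberately out of scope.

```python
"""Model of Windows 2000 trust transitivity.

Added example, not code from the original page. Given a set of trust edges it
answers: can the resource domain authenticate an account from another domain,
and via which chain of domains? Implicit forest trusts are two-way and
transitive; NT 4.0-style external trusts are one-way and stop at the two
domains involved. SID filtering and other refinements of later Windows
versions are out of scope, and the domain names used are constructed."""

from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain holding the resources (accepts foreign accounts)
    trusted: str       # domain whose accounts are accepted
    transitive: bool   # True for implicit forest trusts, False for external ones


def forest_trusts(parent_child: Sequence[Tuple[str, str]]) -> List[Trust]:
    """Implicit two-way transitive trusts AD creates between parent and child."""
    trusts: List[Trust] = []
    for parent, child in parent_child:
        trusts.append(Trust(parent, child, True))
        trusts.append(Trust(child, parent, True))
    return trusts


def external_trust(trusting: str, trusted: str) -> Trust:
    """Explicit one-way non-transitive trust, as between Win2K and NT 4.0 domains."""
    return Trust(trusting, trusted, False)


def trust_path(trusts: Sequence[Trust], resource_domain: str,
               account_domain: str) -> Optional[List[str]]:
    """Chain of domains through which resource_domain accepts accounts from
    account_domain, or None. A non-transitive trust is only usable as a direct
    single hop; longer chains may use transitive trusts only."""
    if resource_domain == account_domain:
        return [resource_domain]
    for t in trusts:                      # direct trust of either kind
        if t.trusting == resource_domain and t.trusted == account_domain:
            return [resource_domain, account_domain]
    queue = deque([[resource_domain]])    # breadth-first over transitive edges
    seen: Set[str] = {resource_domain}
    while queue:
        path = queue.popleft()
        for t in trusts:
            if t.trusting != path[-1] or not t.transitive or t.trusted in seen:
                continue
            extended = path + [t.trusted]
            if t.trusted == account_domain:
                return extended
            seen.add(t.trusted)
            queue.append(extended)
    return None


def accepted_account_domains(trusts: Sequence[Trust], resource_domain: str) -> Set[str]:
    """Every domain whose accounts resource_domain will authenticate: the set
    of places a usable stolen credential could come from."""
    domains = {t.trusting for t in trusts} | {t.trusted for t in trusts}
    return {d for d in domains
            if d != resource_domain and trust_path(trusts, resource_domain, d) is not None}


# Constructed topology: one tree with two child domains, plus an NT 4.0
# domain trusted one-way by one of the children.
TRUSTS = forest_trusts([("brainbuzz.com", "sales.brainbuzz.com"),
                        ("brainbuzz.com", "corp.brainbuzz.com")])
TRUSTS.append(external_trust("sales.brainbuzz.com", "LEGACYNT"))

if __name__ == "__main__":
    for res, acct in [("sales.brainbuzz.com", "corp.brainbuzz.com"),
                      ("sales.brainbuzz.com", "LEGACYNT"),
                      ("brainbuzz.com", "LEGACYNT"),
                      ("LEGACYNT", "sales.brainbuzz.com")]:
        print(f"{res} accepts accounts from {acct}: {trust_path(TRUSTS, res, acct)}")
    print("brainbuzz.com accepts:", sorted(accepted_account_domains(TRUSTS, "brainbuzz.com")))
```

The two sibling child domains reach each other through the forest root because both hops are transitive, while the NT 4.0 domain is accepted only by the child that explicitly trusts it: its accounts never reach the root domain, and the trust being one-way means the NT 4.0 domain accepts nothing in return.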

Planning an Active Directory Implementation:

Logical environment:

  • Examine the functional divisions in the target organization such as Administration, Sales, Purchasing, Training, Research and Development, etc.
  • Functional divisions are usually represented as Organizational Units in Active Directory. Multiple OUs can be placed in each domain and OUs can be placed within each other as well.

Physical environment:

  • User requirements - for each geographical and functional division you must determine the number of employees, the growth rate and any plans for expansion.
  • Network requirements - determine how network connections are organized, network connection speeds, utilization of network connections and TCP/IP subnetting.

Administrative requirements:

  • Centralized administration - a single admin team handles network services. Appropriate for smaller companies with fewer locations.
  • Decentralized administration - network services provided by a number of administrators or admin teams which may be divided by location or function.
  • Customized administration - administration for some resources is centralized and others are decentralized depending on business needs.

Domain requirements:

  • A single domain can contain millions of objects and span multiple sites. It is the easiest structure to administer. MS recommends that organizations start with a single domain and only add domains when necessary.
  • Domain and site structures are separate and flexible.
  • Do not create separate domains to reflect your organization's functional divisions; create OUs for these instead.
  • MS recommends creating separate domains for the following reasons:
    • Massive numbers of objects (over several million)
    • Different password requirements between organizations
    • Decentralized network administration
    • Replication control
    • Different Internet names (non-contiguous name space)
    • Internal political requirements
    • International requirements