Chapter 2 Slides

Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 2: Implementing Active Directory
Goals
- Install Active Directory
- Verify Active Directory installation
- Introduce operations master roles
- View the operations master role assignments for a domain
- Transfer operations master roles
- Implement an organizational unit structure within a domain
- Examine application data partitions
- Prepare for schema modifications
2.1
© 2004 Pearson Education, Inc.
(Skill 1)
Installing Active Directory
- To organize objects and implement domain structure
- Install Active Directory on a Windows Server 2003 computer using the Active Directory Installation Wizard
- During first-time installation
  - Create the root domain, a new domain tree, and a new forest
  - Designate a Windows Server 2003 computer as a domain controller
(Skill 1)
Installing Active Directory (2)
- Creating a domain
  - By default, the domain is configured to run in Windows 2000 mixed mode
  - Windows 2000 mixed mode allows various domain controllers to coexist
    - Windows NT 4.0 backup domain controllers (BDCs)
    - Windows 2000 domain controllers (DCs)
    - Windows Server 2003 domain controllers (DCs)
(Skill 1)
Installing Active Directory (3)
- If your network consists of only Windows 2000 and Windows Server 2003 domain controllers, switch to Windows 2000 native mode
- Windows 2000 native mode supports only
  - Windows 2000 domain controllers
  - Windows Server 2003 domain controllers
- Windows 2000 mixed mode and native mode are identical to those available in Windows 2000
(Skill 1)
Installing Active Directory (4)
- Windows Server 2003 provides two new modes
  - Windows Server 2003 mode
    - Only supports Windows Server 2003 domain controllers
    - Gives you the additional ability to rename domain controllers at any time
  - Windows Server 2003 interim mode is used when you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows Server 2003
(Skill 1)
Installing Active Directory (5)
- During Active Directory installation, three components are installed
  - Domain Name System (DNS) service
  - Database and database log files
  - Shared system volume
(Skill 1)
Figure 2-1 Active Directory installation
(Skill 1)
Figure 2-2 Internet Protocol (TCP/IP) Properties dialog box
(Skill 1)
Figure 2-3 Running Dcpromo
(Skill 1)
Figure 2-4 Detecting network settings
(Skill 1)
Figure 2-5 The Server Role screen
(Skill 1)
Figure 2-6 The Operating System Compatibility screen
(Skill 1)
Figure 2-7 The Domain Controller Type screen
(Skill 1)
Figure 2-8 The Create New Domain screen
(Skill 1)
Figure 2-9 The Permissions screen
(Skill 1)
Figure 2-10 Adding a client to a domain
(Skill 2)
Verifying Active Directory Installation
- After you install Active Directory on the first domain controller, you may need to add additional Active Directory domain controllers
- Before installing additional domain controllers
  - You need installation-critical information from Active Directory
  - You must verify the initial installation to make sure certain components were successfully installed
(Skill 2)
Verifying Active Directory Installation (2)
- Use the Active Directory Users and Computers console to verify an Active Directory installation
  - Use this console, which is an administrative tool, to create and delete objects, set their permissions, and modify their properties
  - Use this console to control primary objects
    - Organizational units (OUs)
    - Windows Server 2003 user accounts, group accounts, computer accounts
    - Published printers
(Skill 2)
Verifying Active Directory Installation (3)
- Verifying an Active Directory installation
  - Verify the presence of the domain that you specified during the Active Directory installation
  - Verify the presence of your new domain controller in the Domain Controllers OU
- The presence of certain administrative tools also verifies that Active Directory was successfully installed
  - Active Directory Domains and Trusts console
  - Active Directory Sites and Services console
(Skill 2)
Verifying Active Directory Installation (4)
- Use the Active Directory Domains and Trusts console
  - To manage the trust relationships between two or more domains in the same forest or different forests
  - To provide interoperability with other domains
  - To raise the domain functional level for a domain
  - To transfer the domain naming master role from one domain controller to another
  - To add or remove alternate User Principal Name (UPN) suffixes to/from user logon names
(Skill 2)
Figure 2-11 The Active Directory Domains and Trusts console
(Skill 2)
Verifying Active Directory Installation (5)
- Use the Active Directory Sites and Services console
  - To create sites and subnets
  - To move domain controllers to the correct sites
  - To configure servers as global catalog servers
  - To create site links
- This information is used to decide the replication method for directory information and to process service requests
(Skill 2)
Figure 2-12 The Active Directory Sites and Services console
(Skill 2)
Figure 2-13 Verifying the presence of a domain controller
(Skill 2)
Figure 2-14 The Sysvol directory
(Skill 2)
Figure 2-15 The Ntds folder
(Skill 2)
Verifying Active Directory Installation (6)
- In addition to the three default consoles, you can also install an additional tool called the Active Directory Schema snap-in
  - Permits you to view and modify the schema
  - The schema defines the types of objects and the type of information pertaining to those objects that can be stored in Active Directory
(Skill 2)
Figure 2-16 The Active Directory Schema snap-in installed
(Skill 3)
Introducing Operations Master Roles
- Replication models
  - Multi-master replication model
    - Used to control most functions
    - All domain controllers have the ability to modify Active Directory
  - Single-master model
    - Used when a single domain controller modifies data to control certain types of events in Active Directory
(Skill 3)
Introducing Operations Master Roles (2)
- Each of these special functions is controlled by FSMO (Flexible Single Master Operations) servers or, more typically, operations masters
- Types of special functions
  - Forest-wide operations master roles
  - Domain-wide operations master roles
(Skill 3)
Introducing Operations Master Roles (3)
- Forest-wide operations master roles
  - Two forest-wide FSMO roles
    - Schema master role
    - Domain naming master role
  - Each of these roles can reside on only a single server for the entire forest
  - By default, both roles will be held by the first domain controller created in the root domain of the forest
(Skill 3)
Introducing Operations Master Roles (4)
- Domain-wide operations master roles
  - Three domain-wide roles
    - Primary domain controller (PDC) emulator role
    - Relative ID (RID) master role
    - Infrastructure master role
  - Each of these roles can reside on only a single domain controller in each domain
  - By default, all three roles will be held by the first domain controller created in each domain
(Skill 3)
Introducing Operations Master Roles (5)
- When you create the first domain in a new forest, by default, all five operations master roles are assigned to the first domain controller in that domain
- Active Directory assigns only the domain-wide operations master roles to the first domain controller of any subsequent child domains that you create in the forest
- The first domain controller in each of the other domains holds the domain-wide operations master roles
(Skill 3)
Introducing Operations Master Roles (6)
- Guidelines for planning operations master roles for per-forest roles
  - Assign the two forest-wide roles to a high-uptime server; backups of this machine are of special importance
  - Assign the schema master and the domain naming master roles to a single domain controller in one of the domains in the forest
(Skill 3)
Introducing Operations Master Roles (7)
- Guidelines for planning operations master roles for per-domain roles
  - Have at least one additional domain controller act as a standby operations master for other operations masters
  - If a domain controller fails, the standby domain controller can be manually configured to seize the failed domain controller's roles
(Skill 3)
Introducing Operations Master Roles (8)
- Guidelines for planning operations master roles for per-domain roles
  - Assign both the RID master and the PDC emulator roles to the same domain controller
  - If the domain is large, these roles can be assigned to separate domain controllers to reduce the load on the PDC emulator
  - Make sure these servers are always capable of communicating with each other
(Skill 3)
Introducing Operations Master Roles (9)
- Guidelines for planning operations master roles for per-domain roles
  - If there is more than one domain, do not assign the infrastructure master role to a domain controller that is hosting the global catalog service
  - Global catalog
    - Stores information about objects in a tree or a forest
    - When this information changes, the global catalog updates the information through replication and always contains the latest information about objects
(Skill 3)
Introducing Operations Master Roles (10)
- Guidelines for planning operations master roles for per-domain roles
  - If you assign the infrastructure master role to a domain controller that is also a global catalog server, the infrastructure master will not function properly, because there are no "phantom" references for it to update
  - If possible, try to place the domain naming master on a server hosting the global catalog
(Skill 4)
Viewing the Operations Master Role Assignments for a Domain
- To monitor the operations master roles, you must identify and view the domain controllers that hold the roles
- Regular monitoring of the operations master roles in a domain or forest
  - Enables you to determine the performance and load on each of the operations masters
  - This enables you to decide which roles must be transferred to other domain controllers
(Skill 4)
Viewing the Operations Master Role Assignments for a Domain (2)
- To view all of the domain-wide operations master role assignments, use the Active Directory Users and Computers console
- To view the schema master and the domain naming master roles, use the Active Directory Schema snap-in and the Active Directory Domains and Trusts console
(Skill 4)
Figure 2-17 Viewing the default domain-wide operations master role assignments
(Skill 4)
Figure 2-18 The Change Schema Master dialog box
(Skill 4)
Figure 2-19 The Change Operations Master dialog box
(Skill 5)
Transferring Operations Master Roles
- After you have identified the domain controllers that hold the operations master roles, you can easily transfer roles between domain controllers
- Conditions requiring that you transfer operations master roles
  - When you want to change the default operations master because the domain controller is unavailable for replication
  - When the performance of the domain controller holding the operations master role is deteriorating due to excess load
(Skill 5)
Transferring Operations Master Roles (2)
- You can transfer operations master roles between domain controllers within a forest, as well as within domains, with the assistance of the original operations master
- To transfer an operations master role from one domain controller to another, make sure that both domain controllers are available and connected to each other through the network
(Skill 5)
Transferring Operations Master Roles (3)
- Transferring an operations master role is a two-stage process
  - Connect to the new domain controller that will hold the role
  - Transfer the role to the domain controller you have identified
(Skill 5)
Transferring Operations Master Roles (4)
- You use the Active Directory Users and Computers console to transfer the relative ID master, PDC emulator, and infrastructure master roles
- You use the Active Directory Domains and Trusts console to transfer the domain naming master role
(Skill 5)
Transferring Operations Master Roles (5)
- Failure of an operations master
  - An operations master may be unavailable due to a system failure
  - If there is any chance of recovering it, you should do so
  - If you cannot recover it, you can force the transfer of the operations master role to another Windows Server 2003 domain controller without the cooperation of the existing owner of the roles
    - This process is called seizing the role
    - Use the Ntdsutil.exe utility at the command prompt to seize any operations master role
(Skill 6)
Implementing an Organizational Unit Structure within a Domain
- Planning and creating an organizational unit (OU) structure is the last activity you perform to complete the implementation of Active Directory
- OUs are container objects used to organize objects in a domain into logical groups to centralize and simplify administration of a large number of objects
- You can manage users easily and efficiently in an OU
- In a multiple-domain model, each domain implements its own OU hierarchy
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (2)
- Advantages of creating OUs
  - You can apply Group Policy to a particular group of users or computers independently of other groups of users and computers in other OUs
  - You can structure a domain
    - According to the departments and locations in your organization
    - Without OUs, all users are maintained in a single list under a domain
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (3)
- Advantages of creating OUs
  - You can delegate administrative control over network resources to users
  - You can easily accommodate any changes that take place in the structure of your organization; for example, reorganizing users between OUs requires less time and effort than reorganizing users between domains
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (4)
- Advantages of creating OUs
  - OUs simplify the viewing and administration of directory objects within a domain
  - OUs allow administrators to have easy access to all objects at any level of the hierarchy
- Plan your OU structure carefully so the organizational units represent your organization in a meaningful and manageable way
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (5)
- Three standard models are typically used to design an OU hierarchy
  - Business function-based
  - Geographically-based
  - A combination of both business function-based and geographically-based
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (6)
- Use the business function-based model to create an OU structure that reflects the various business functions within an organization
- Use the geographically-based model to create an OU structure that represents the location of branches in an organization
(Skill 6)
Figure 2-20 A business function-based OU structure
(Skill 6)
Figure 2-21 A geographically-based OU structure
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (7)
- Use a combination of the business function-based and geographically-based models to create an OU structure that reflects the various business functions within the different branches of an organization
(Skill 6)
Figure 2-22 A business function and geographically-based OU structure
(Skill 6)
Figure 2-23 Creating an organizational unit
(Skill 6)
Implementing an Organizational Unit Structure within a Domain (8)
- Each OU you create contains a set of default properties
- Each OU also has additional properties
- Properties are attributes you use to locate the OU
- Use the Active Directory Users and Computers console to set the properties
(Skill 6)
Figure 2-24 MKTG Properties dialog box
(Skill 7)
Understanding Application Data Partitions
- Application data partitions
  - Are special database structures within Active Directory
  - Hold information specific to a particular application
- To fully understand why they are necessary, you must first understand how they function in Active Directory
(Skill 7)
Understanding Application Data Partitions (2)
- A partition in Active Directory is a section of the database
  - With its own root name (using LDAP distinguished names)
  - With its own replication topology
    - The critical principle is replication topology
    - Since all partitions have their own topology, information changes in one partition do not force replication to other partitions
(Skill 7)
Figure 2-25 Using application data partitions
(Skill 7)
Understanding Application Data Partitions (3)
- Application data partitions have their own naming convention
  - Applies to DNS names and LDAP distinguished names
  - From the DNS side, an application data partition is typically configured as a child domain of an Active Directory domain
  - From the LDAP side, the partition has its own LDAP distinguished name
(Skill 7)
Understanding Application Data Partitions (4)
- LDAP distinguished name
  - An LDAP naming convention that is used in most, if not all, LDAP-compliant databases
  - Think of it as a path name describing the entire path to the object from within the database
  - LDAP names are particularly important because some of the advanced Active Directory utilities (such as Ntdsutil) require them
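The DNS-name and LDAP distinguished-name forms of a partition described on the last two slides, as an added example that is not from the original slides: `parse_dn` splits a distinguished name into its components while honouring the escapes a name can contain, `dns_to_dn` and `dn_to_dns` convert between the two forms, and `partition_relation` checks whether a partition sits as a child of a given domain. All names are constructed; the helper names are this example's own.

```python
"""Map between the DNS name and the LDAP distinguished name of an application
data partition, and parse distinguished names the way Ntdsutil-style tools
expect them. Added example for this lesson; all names are constructed."""

import re

# Characters that may be escaped with a single backslash in an RDN value (RFC 4514).
_ESCAPABLE = set(',=+<>#;"\\ ')
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dn(dn):
    """Split a distinguished name into [(attribute, value), ...], most specific
    first, honouring backslash escapes and \\XX hex escapes. Multi-valued RDNs
    joined with '+' are not supported and are returned as one value."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            esc = dn[i + 1:i + 2]
            if esc and esc in _ESCAPABLE:
                buf.append(esc.encode("utf-8"))
                i += 2
            else:
                pair = dn[i + 1:i + 3]
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                    raise ValueError(f"bad escape at offset {i} in {dn!r}")
                buf.append(bytes.fromhex(pair))  # a single UTF-8 byte
                i += 3
        elif ch == "=" and attr is None:
            attr = b"".join(buf).decode("utf-8").strip()
            buf = []
            i += 1
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' at offset {i} in {dn!r}")
            rdns.append((attr, b"".join(buf).decode("utf-8")))
            attr, buf = None, []
            i += 1
        else:
            buf.append(ch.encode("utf-8"))
            i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, b"".join(buf).decode("utf-8")))
    return rdns


def dns_to_dn(dns_name):
    """'apppart.corp.example.com' -> 'DC=apppart,DC=corp,DC=example,DC=com'."""
    labels = dns_name.rstrip(".").split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {dns_name!r}")
    return ",".join(f"DC={label}" for label in labels)


def dn_to_dns(dn):
    """Inverse of dns_to_dn; rejects names that contain anything but DC= components."""
    labels = []
    for attr, value in parse_dn(dn):
        if attr.upper() != "DC":
            raise ValueError(f"{dn!r} is not a pure DC= name (found {attr}=)")
        labels.append(value)
    return ".".join(labels)


def partition_relation(partition_dn, domain_dn):
    """Classify where a partition sits relative to a domain: 'child' (one label
    below, the typical configuration), 'descendant' (deeper), 'same' or
    'unrelated'. Comparison is case-insensitive, as DNS labels are."""
    part = [(a.upper(), v.lower()) for a, v in parse_dn(partition_dn)]
    dom = [(a.upper(), v.lower()) for a, v in parse_dn(domain_dn)]
    if len(part) < len(dom) or part[len(part) - len(dom):] != dom:
        return "unrelated"
    extra = len(part) - len(dom)
    return "same" if extra == 0 else "child" if extra == 1 else "descendant"


if __name__ == "__main__":
    domain = "DC=corp,DC=example,DC=com"
    partition = dns_to_dn("apppart.corp.example.com")
    print(partition, "->", dn_to_dns(partition))
    print("relation to", domain, ":", partition_relation(partition, domain))
    print(parse_dn(r"OU=Sales\, EMEA,DC=corp,DC=example,DC=com"))
```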
(Skill 7)
Understanding Application Data Partitions (5)
- Administering application data partitions
  - Typically, you will not need to perform any real administration
  - Your application will usually create the partition for you, and perform all writes and changes
  - Common current applications that make use of application data partitions are DNS and TAPI
  - In certain cases, you may be required to create an application data partition
(Skill 7)
Understanding Application Data Partitions (6)
- To create an application data partition, you can use Ntdsutil.exe, a raw LDAP editor, or Active Directory Services Interface (ADSI)
  - Ntdsutil is the most accessible of these tools
  - It is a powerful and versatile tool for making major modifications to the Active Directory database
  - Since it is a very powerful application, you have the potential for making major mistakes very quickly
(Skill 7)
Understanding Application Data Partitions (7)
- Ntdsutil command line utility
  - Must be run in Directory Services Restore Mode on the domain controller on which you wish to make a change
  - Application data partitions can only be created by Enterprise Administrators
  - By default, the only Enterprise Administrator is the Administrator account in the forest root domain
(Skill 8)
Preparing for Schema Modifications
- Schema
  - Considered the blueprint or rulebook for Active Directory
  - Defines the structure and rules for the Active Directory database
- To understand more specifically what the schema does, you need to understand more about the structure of Active Directory
(Skill 8)
Preparing for Schema Modifications (2)
• Active Directory is composed of various types of objects
• Each object is defined by its type, which is referred to as the object class
• Each object class is defined by the attributes included in the class
• Attributes are specific fields for the object that store a particular type of information
• Different object classes can have different attributes, which are suited to the needs of the object
(Skill 8)
Figure 2-26 Object classes and attributes
(Skill 8)
Preparing for Schema Modifications (3)
• You can examine and change most of the attributes for an object class by opening the object class in the Active Directory Schema snap-in
• You can add attributes to an existing class
• You can create a new class using new or existing attributes to drastically change the functionality of Active Directory
• This allows Active Directory to support your own customized applications and data
(Skill 8)
Preparing for Schema Modifications (4)
• A mistake made in the schema can have very severe consequences
• Microsoft has put several safeguards in place to reduce the chance that mistakes may occur when you are viewing or editing the schema
(Skill 8)
Preparing for Schema Modifications (5)
• Some of Microsoft's safeguards
• Object classes and attributes can be deactivated, but they cannot be deleted
  - Deactivating a class results in the inability to create new objects in that class
  - Deactivating an attribute results in the inability to add the attribute to other classes
• Mandatory attributes of an existing class cannot be deactivated
(Skill 8)
Preparing for Schema Modifications (6)
• Some of Microsoft's safeguards
• Default attributes, which are required for Active Directory to function properly, cannot be deactivated
• The schema can only be modified on the schema master
• By default, only members of the Schema Admins group have permission to modify the schema
• The Active Directory Schema snap-in is not installed by default
(Skill 8)
Preparing for Schema Modifications (7)
• Precautions exist because of the scope of schema modifications
• However, there are a few instances in which a schema modification is warranted
(Skill 8)
Preparing for Schema Modifications (8)
• Most commonly, schema modifications are performed for one of two reasons
• To support business requirements, you may need to add a new attribute or class to the schema
• To support new Active Directory-integrated applications that store a portion of their data in the Active Directory database, you may need to supply new attributes or classes
(Skill 8)
Preparing for Schema Modifications (9)
• If you choose to modify the schema in the Active Directory Schema snap-in, follow these precautions
• Thoroughly evaluate the need for the schema modification and make sure that modifying the schema is the best solution
• Specifically define the modification to be performed
• Create a script or use another programmatic method to apply the modification and test it thoroughly in an offline environment
(Skill 8)
Preparing for Schema Modifications (10)
• Steps to modify the schema
• Connect to the schema operations master, preferably using an account that is not a member of the Schema Admins group
• Use the Run as facility to launch the application you are using to modify the schema as a member of the Schema Admins group
(Skill 8)
Preparing for Schema Modifications (11)
• Steps to modify the schema
• If the operations master is a Windows 2000 domain controller, enable writes on the schema
• Modify the schema
• If the operations master is a Windows 2000 domain controller, disable writes on the schema
• Disconnect from the schema operations master
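The precautions and the step list on the preceding slides as one scripted procedure, added here as an example; it is not from the course slides or from Microsoft's documentation. Placeholders: forest root contoso.com, schema master DC1.contoso.com, Schema Admins member CONTOSO\schemaadmin, change file C:\schema\extension.ldf (already tested in an offline lab forest) that defines a new attribute named contoso-BadgeId, and a log directory C:\schema. The script is meant to be launched through Run as from a session whose account is not in Schema Admins, so only this one process carries schema rights.

```batch
@echo off
:: Added example, not from the course slides. Scripted version of the
:: "steps to modify the schema" for a Windows Server 2003 forest.
:: Placeholders: forest root contoso.com, schema master DC1.contoso.com,
:: Schema Admins member CONTOSO\schemaadmin, change file C:\schema\extension.ldf
:: (tested in an offline lab forest) defining the attribute contoso-BadgeId.
::
:: Launch it with Run as from an ordinary admin session, so only this process
:: runs as a Schema Admins member:
::   runas /user:CONTOSO\schemaadmin "cmd /c C:\schema\apply-schema.cmd"

setlocal
set SCHEMA_MASTER=DC1.contoso.com
set FOREST_DN=DC=contoso,DC=com
set CHANGE_FILE=C:\schema\extension.ldf
set NEW_ATTR=contoso-BadgeId

:: Step 1: confirm which DC currently holds the schema master role; the schema
:: can only be written there, so do not rely on a remembered hostname.
dsquery server -hasfsmo schema

:: Step 2: record the current definition of the class the change touches
:: (here the user class), so the "before" state is on file for review.
ldifde -s %SCHEMA_MASTER% -d "CN=User,CN=Schema,CN=Configuration,%FOREST_DN%" -p base ^
       -l "lDAPDisplayName,subClassOf,systemMustContain,mustContain,systemMayContain,mayContain" ^
       -f C:\schema\user-class-before.ldf

:: Step 3 (Windows 2000 schema master only): the registry value below must be 1
:: before the schema accepts writes. A Windows Server 2003 schema master does
:: not need it, so the line stays commented out in that case.
:: reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "Schema Update Allowed" /t REG_DWORD /d 1 /f

:: Step 4: apply the tested modification against the schema master. The LDIF
:: file was written with the placeholder DC=X; -c rewrites it to the real
:: forest root DN. No -k, so the import stops at the first error instead of
:: leaving a half-applied change. -j writes ldif.log and ldif.err to C:\schema.
ldifde -i -f %CHANGE_FILE% -s %SCHEMA_MASTER% -c "DC=X" "%FOREST_DN%" -j C:\schema
if errorlevel 1 (
    echo Schema import failed, see C:\schema\ldif.err
    goto :cleanup
)

:: Step 5: verify the new attribute exists in the schema partition and is
:: active (isDefunct should be absent or FALSE).
dsquery * "CN=Schema,CN=Configuration,%FOREST_DN%" -s %SCHEMA_MASTER% ^
        -filter "(lDAPDisplayName=%NEW_ATTR%)" -attr cn lDAPDisplayName isDefunct

:cleanup
:: Step 6 (Windows 2000 only): disable schema writes again.
:: reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "Schema Update Allowed" /t REG_DWORD /d 0 /f
:: Step 7: exiting ends the connection to the schema master and the Schema
:: Admins session at the same time.
endlocal
```

Running the whole change as one Run as-launched script keeps the Schema Admins credential scoped to a single process, produces a "before" export and an import log that can be kept with the change record, and stops on the first LDIF error rather than applying part of a modification that, because schema objects can only be deactivated and never deleted, could not be fully undone.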
(Skill 8)
Figure 2-27 Viewing an object class in the Schema console