Lesson 1 Using Forest Functional Levels

Overview of Active Directory Domain Services

Lesson 1
Identifying Active Directory’s Functions and Benefits

Active Directory Domain Services (AD DS) — Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server.

Active Directory Lightweight Directory Services (AD LDS) — Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.

Centralized resource and security administration

Single logon for access to global resources

Fault tolerance and redundancy

Simplified resource location
Centralizing Resource and Security Administration

Active Directory Users and Computers

Active Directory Sites and Services

Active Directory Domains and Trusts

ADSI Edit
Categorizing Active Directory Components

Forests

Domain trees

Domains

Organizational units
Seeing the Forest

The schema partition, or Schema NC, contains the rules and definitions that are used for creating and modifying object classes and attributes within Active Directory.

The configuration partition, or Configuration NC, contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.
Working with Organizational Units

Users

Groups

Contacts

Printers
Shared folders

Computers

OUs

InetOrgPerson
Understanding the Schema

Unique name

Globally unique identifier (GUID)

Required object attributes

Optional object attributes
Raising Domain Functional Levels

Windows 2000 Native

Windows Server 2003

Windows Server 2008
Windows 2000 Native supports:

Install from media

Application partitions

Drag-and-drop user interface

Global Group nesting and Universal Security
groups

SIDHistory
Windows Server 2003 supports:

lastLogonTimestamp attribute

Passwords for inetOrgPerson objects

Domain rename
Windows Server 2008 supports:

SYSVOL replication using DFSR instead of NTFRS

Additional encryption mechanisms for Active
Directory authentication

Improved auditing of user logon information

Multiple password policies per domain

Read-Only Domain Controller
Using Forest Functional Levels

To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.

The functional level of a forest can be raised only on a server that holds the Schema Master role. This server is the authority for all schema changes.
All domain controllers in the entire forest must be running an operating system supported by the targeted forest functional level.

Raising the forest functional level to the highest level, Windows Server 2008, requires that all domains within the forest be at the Windows Server 2003 functional level.
During a forest functional level advancement, all domains will automatically be raised to support the new forest functional level.

Raising the forest functional level is an irreversible procedure.
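The prerequisites listed above, checked from PowerShell before the irreversible raise, as an added example that is not part of the course slides. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and the RSAT tools) and an account in Enterprise Admins; the actual Set-ADForestMode call is left commented out so the script only reports.

```powershell
# Added example (not from the course slides): pre-flight check of the lesson's
# prerequisites before raising a forest to the Windows Server 2008 level.
# Assumes the ActiveDirectory PowerShell module and an Enterprise Admins account.
Import-Module ActiveDirectory

$targetLevel   = 'Windows2008Forest'
# Every domain must already be at the Windows Server 2003 domain level or higher.
$minDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

$forest = Get-ADForest
Write-Host "Forest $($forest.Name): current level $($forest.ForestMode)"
Write-Host "Schema Master (run the raise from here): $($forest.SchemaMaster)"

$ready = $true
foreach ($domainName in $forest.Domains) {
    $domain  = Get-ADDomain -Identity $domainName
    # Enum values increase with the level, so a numeric compare gives "at least 2003".
    $levelOk = [int]$domain.DomainMode -ge [int]$minDomainMode
    Write-Host ("  Domain {0}: level {1}  ok={2}" -f $domainName, $domain.DomainMode, $levelOk)
    if (-not $levelOk) { $ready = $false }

    # Every DC in the forest must run an OS the target level supports;
    # a single Windows 2000 or Windows Server 2003 DC blocks the raise.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $osOk = $dc.OperatingSystem -notmatch '2000|2003'
        Write-Host ("    DC {0}: {1}  ok={2}" -f $dc.HostName, $dc.OperatingSystem, $osOk)
        if (-not $osOk) { $ready = $false }
    }
}

if ($ready) {
    Write-Host "Prerequisites met. Raising to $targetLevel cannot be undone; uncomment deliberately:"
    # Set-ADForestMode -Identity $forest -ForestMode $targetLevel -Server $forest.SchemaMaster
} else {
    Write-Host "Prerequisites not met; fix every item marked ok=False before raising."
}
```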
Understanding Active Directory Trust Models

When a child domain is created, it automatically receives a two-way transitive trust with its parent domain. Because of trust transitivity, the users in the sales "grandchild" domain can access resources in the lucernepublishers.com "grandparent" domain and vice versa.
When a new domain tree is created, the root domain in the new tree automatically receives a two-way transitive trust with the root domain of all other domain trees in the forest. Due to the transitive nature of the trust, any child domains in the graphicdesigninstitute.com tree will be able to access resources in child domains in the fineartschool.net tree and vice versa.
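A report that lists a domain's trusts and checks them against the model described above, as an added example that is not part of the course slides. It assumes the ActiveDirectory module; automatic intra-forest trusts (parent/child and tree-root) should be two-way and transitive, while trusts to other forests are created by hand and should keep SID filtering enabled.

```powershell
# Added example (not from the course slides): audit a domain's trusts against
# the lesson's trust model. Assumes the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_
        # Classify: automatic intra-forest trusts versus manually created ones.
        if ($t.IntraForest) {
            $kind = if ($t.IsTreeRoot) { 'tree-root (automatic)' } else { 'parent/child (automatic)' }
        } else {
            $kind = if ($t.ForestTransitive) { 'forest trust (manual)' } else { 'external trust (manual)' }
        }

        $issues = @()
        if ($t.IntraForest -and $t.Direction -ne 'BiDirectional') { $issues += 'intra-forest trust is not two-way' }
        if ($t.IntraForest -and $t.DisallowTransivity)            { $issues += 'intra-forest trust is not transitive' }
        if (-not $t.IntraForest) {
            # Forest trusts use the forest-aware flag; external trusts use quarantine.
            $sidFilterOn = if ($t.ForestTransitive) { $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }
            if (-not $sidFilterOn) { $issues += 'SID filtering disabled' }
        }

        New-Object PSObject -Property @{
            Partner    = $t.Target
            Kind       = $kind
            Direction  = $t.Direction
            Transitive = -not $t.DisallowTransivity
            Issues     = ($issues -join '; ')
        }
    }
}

Get-TrustReport | Format-Table Partner, Kind, Direction, Transitive, Issues -AutoSize
```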
Summary
You Learned

Active Directory is a database of objects that are used to organize resources according to a logical plan. These objects include containers, such as domains and OUs, in addition to resources such as users, computers, and printers.
The Active Directory schema includes definitions of all objects and attributes within a single forest. Each forest maintains its own Active Directory schema.

Active Directory requires DNS to support SRV records. In addition, Microsoft recommends that DNS support dynamic updates.
Domain and forest functional levels are new features of Windows Server 2008. The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design. The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features.
Two-way transitive trusts are automatically generated within the Active Directory domain structure. Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources. The ISTG is responsible for this process.
Cross-forest trusts are new to Windows Server 2008, and they are only available when the forest functionality is set to Windows Server 2008. They must be manually created and maintained.