Overview of Active Directory Domain Services Lesson 1 Identifying Active Directory’s Functions and Benefits Active Directory Domain Services (AD DS) — Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server. Lesson 1 Identifying Active Directory’s Functions and Benefits (cont.) Active Directory Lightweight Directory Services (AD LDS) — Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged Active Directory DS directory service. Lesson 1 Identifying Active Directory’s Functions and Benefits (cont.) Centralized resource and security administration Single logon for access to global resources Fault tolerance and redundancy Simplified resource location Lesson 1 Centralizing Resource and Security Administration Active Directory Users and Computers Active Directory Sites and Services Active Directory Domains and Trusts ADSI Edit Lesson 1 Categorizing Active Directory Components Forests Domain trees Domains Organization units Lesson 1 Seeing the Forest The schema partition, or Schema NC, contains the rules and definitions that are used for creating and modifying object classes and attributes within Active Directory. The configuration partition, or Configuration NC, contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest. Lesson 1 Working with Organizational Units Users Groups Contacts Printers Lesson 1 Working with Organizational Units (cont.) Shared folders Computers OUs InetOrgPerson Lesson 1 Understanding the Schema Unique name Globally unique identifier (GUID) Required object attributes Optional object attributes Lesson 1 Raising Domain Functional Levels Windows 2000 Native Windows Server 2000 Windows Server 2008 Lesson 1 Raising Domain Functional Levels (cont.) Windows 2000 Native supports: Install from media Application partitions Drag-and-drop user interface Global Group nesting and Universal Security groups SIDHistory Lesson 1 Raising Domain Functional Levels (cont.) Windows 2003 supports: lastLogonTimestamp attribute Passwords for inetOrgPerson objects Domain rename Lesson 1 Raising Domain Functional Levels (cont.) Windows 2008 supports: SYSVOL replication using DFSR instead of NTFRS Additional encryption mechanisms for Active Directory authentication Improved auditing of user logon information Multiple password policies per domain Read-Only Domain Controller Lesson 1 Using Forest Functional Levels To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group. The functional level of a forest can be raised only on a server that holds the Schema Master role. This server is the authority for all schema changes. Lesson 1 Using Forest Functional Levels (cont.) All domain controllers in the entire forest must be running an operating system supported by the targeted forest functional level. Raising the forest functional level to the highest level, Windows Server 2008, requires that all domains within the forest be at the Windows Server 2003 functional level. Lesson 1 Using Forest Functional Levels (cont.) During a forest functional level advancement, all domains will automatically be raised to support the new forest functional level. Raising the forest functional level is an irreversible procedure. Lesson 1 Understanding Active Directory Trust Models When a child domain is created, it automatically receives a two-way transitive trust with its parent domain. Because of trust transitivity, the users in the sales "grandchild" domain can access resources in the lucernepublishers.com "grandparent" domain and vice versa. Lesson 1 Understanding Active Directory Trust Models (cont.) When a new domain tree is created, the root domain in the new tree automatically receives a two-way transitive trust with the root domain of all other domain tree root domains in the forest. Due to the transitive nature of the trust, any child domains in the graphicdesigninstitute.com tree will be able to access resources in child domains in the fineartschool.net tree and vice versa. Lesson 1 You Learned Active Directory is a database of objects that are used to organize resources according to a logical plan. These objects include containers, such as domains and OUs, in addition to resources such as users, computers, and printers. Summary You Learned (cont.) The Active Directory schema includes definitions of all objects and attributes within a single forest. Each forest maintains its own Active Directory schema. Active Directory requires DNS to support SRV records. In addition, Microsoft recommends that DNS support dynamic updates. Summary You Learned (cont.) Domain and forest functional levels are new features of Windows Server 2008. The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design. The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features. Summary You Learned (cont.) Two-way transitive trusts are automatically generated within the Active Directory domain structure. Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources. The ISTG is responsible for this process. Summary You Learned (cont.) Cross-forest trusts are new to Windows Server 2008, and they are only available when the forest functionality is set to Windows Server 2008. They must be manually created and maintained. Summary