Basics to Know


7/29/2019 Basics to Know

Prepared By Lakshmana Prabhu [email protected]

BASICS TO KNOW

NETWORKING

DISK MANAGEMENT & RAID

OPERATING SYSTEM

ACTIVE DIRECTORY

FSMO ROLES


Contents

Networking ..... 3
IP ADDRESS - CLASSES ..... 3
OSI LAYERS ..... 4
IMPORTANT PORTS ..... 6
Windows Server 2003 Hardware Requirements ..... 7
Windows XP Professional Hardware Requirements ..... 7
Basic Disk Storage ..... 9
Dynamic Disk Storage ..... 9
RAID Terminology Overview ..... 11
    RAID 0 ..... 11
    RAID 1 ..... 12
    RAID 3 ..... 13
    RAID 5 ..... 13
Windows XP booting process ..... 15
Basic divisions of Active Directory ..... 18
The Infrastructure Master and Global Catalog ..... 19
Group Policy management and Active Directory ..... 20
Active Directory Schema ..... 20
FSMO Roles ..... 22
Transfer the Schema Master Role ..... 23
Transfer the Domain Naming Master Role ..... 23
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles ..... 24


Networking

IP ADDRESS - CLASSES

Class     Address Range                   Supports
Class A   1.0.0.1 to 126.255.255.254      Supports 16 million hosts on each of 127 networks.
Class B   128.1.0.1 to 191.255.255.254    Supports 65,000 hosts on each of 16,000 networks.
Class C   192.0.1.1 to 223.255.254.254    Supports 254 hosts on each of 2 million networks.
Class D   224.0.0.0 to 239.255.255.255    Reserved for multicast groups.
Class E   240.0.0.0 to 254.255.255.254    Reserved for future use, or Research and Development purposes.

IP Address Class Network and Host Capacities

IP Address   Total # Of Bits For     First Octet     # Of Network ID Bits     Usable # Of        Number of Possible    # Of Host IDs
Class        Network ID / Host ID    of IP Address   Used To Identify Class   Network ID Bits    Network IDs           Per Network ID
Class A      8 / 24                  0xxx xxxx       1                        8-1 = 7            2^7-2 = 126           2^24-2 = 16,777,214
Class B      16 / 16                 10xx xxxx       2                        16-2 = 14          2^14 = 16,384         2^16-2 = 65,534
Class C      24 / 8                  110x xxxx       3                        24-3 = 21          2^21 = 2,097,152      2^8-2 = 254

What are private IP addresses?

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (local networks):

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Also, IP addresses in the range of 169.254.0.0 - 169.254.255.255 are reserved for Automatic Private IP Addressing.
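As an added illustration (not part of the original document), the following Python classifies an IPv4 address by the leading bits of its first octet, computes the network and host counts from the formulas in the tables above, and flags the IANA private and APIPA ranges. The CIDR prefixes are my translation of the page's dotted ranges; function names are my own.

```python
import ipaddress

# Classful table as given on the page: first-octet bit prefix and the
# network/host bit split. Classes D and E carry no network/host split.
CLASS_TABLE = {
    "A": {"prefix": "0",    "net_bits": 8,    "host_bits": 24,   "class_bits": 1},
    "B": {"prefix": "10",   "net_bits": 16,   "host_bits": 16,   "class_bits": 2},
    "C": {"prefix": "110",  "net_bits": 24,   "host_bits": 8,    "class_bits": 3},
    "D": {"prefix": "1110", "net_bits": None, "host_bits": None, "class_bits": 4},
    "E": {"prefix": "1111", "net_bits": None, "host_bits": None, "class_bits": 4},
}

# The three IANA private blocks and the APIPA block from the page, as CIDR
# prefixes (assumed equivalents of the dotted ranges listed above).
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_BLOCK = ipaddress.ip_network("169.254.0.0/16")


def address_class(ip: str) -> str:
    """Return the classful letter (A-E) from the first octet's leading bits."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    bit_pattern = format(first_octet, "08b")
    for name, row in CLASS_TABLE.items():
        if bit_pattern.startswith(row["prefix"]):
            return name
    raise ValueError(f"no class matches {ip}")  # unreachable: prefixes cover 0-255


def describe(ip: str) -> dict:
    """Classify an IPv4 address the way the page's two tables do."""
    addr = ipaddress.IPv4Address(ip)
    cls = address_class(ip)
    row = CLASS_TABLE[cls]
    info = {
        "address": str(addr),
        "class": cls,
        "private": any(addr in block for block in PRIVATE_BLOCKS),
        "apipa": addr in APIPA_BLOCK,
        # 127.x.x.x matches the class A bit pattern but is loopback, which is
        # why the page's class A range stops at 126.
        "loopback": addr.is_loopback,
    }
    if row["net_bits"] is None:
        info["network"] = None      # class D (multicast) and class E (reserved)
        return info
    usable_net_bits = row["net_bits"] - row["class_bits"]
    # The page subtracts 2 from the class A network count (network 0 and 127
    # are not usable) but not from class B or C; this mirrors that.
    possible_networks = 2 ** usable_net_bits - (2 if cls == "A" else 0)
    # All-zeros and all-ones host IDs are not assignable, hence the -2.
    hosts_per_network = 2 ** row["host_bits"] - 2
    classful_net = ipaddress.ip_network(f"{addr}/{row['net_bits']}", strict=False)
    info.update({
        "network_bits": row["net_bits"],
        "host_bits": row["host_bits"],
        "usable_network_bits": usable_net_bits,
        "possible_networks": possible_networks,
        "hosts_per_network": hosts_per_network,
        "network": str(classful_net),   # classful network the address sits in
    })
    return info


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.20.5.6", "192.0.2.1", "169.254.10.5", "224.0.0.1"):
        print(describe(sample))
```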


OSI LAYERS

Application (Layer 7)

This layer supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely in the application level. Tiered application architectures are part of this layer.

Presentation (Layer 6)

This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer.

Session (Layer 5)

This layer establishes, manages and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination.

Transport (Layer 4)

This layer provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.

Network (Layer 3)

This layer provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.

Data Link (Layer 2)

At this layer, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control and frame synchronization. The data link layer is divided into two sublayers: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sublayer controls how a computer on the network gains access to the data and permission to transmit it. The LLC layer controls frame synchronization, flow control and error checking.

Physical (Layer 1)

This layer conveys the bit stream (electrical impulse, light or radio signal) through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier, including defining cables, cards and physical aspects. Fast Ethernet, RS232, and ATM are protocols with physical layer components.


Application layer

- Refers to standard network services like http, ftp, telnet as well as communication methods used by various application programs
- Also defines compatible representation of all data

Transport layer

- Manages the transfer of data by using connection oriented (TCP) and connectionless (UDP) transport protocols
- Manages the connections between networked applications

Internet layer

- Manages addressing of packets and delivery of packets between networks
- Fragments packets so that they can be dealt with by the lower level layer (Network Interface layer)

Network Interface layer

- Delivers data via physical link (Ethernet is the most common link level protocol)
- Provides error detection and packet framing


IMPORTANT PORTS:

21 - FTP Control
20 - FTP Data
23 - Telnet
25 - SMTP
53 - TCP
69 - TFTP
80 - HTTP/WWW
109 - POP2
110 - POP3
123/UDP - NTP
137 - NetBIOS
143 - IMAP
443 - HTTPS
546 - DHCPv6 client
547 - DHCPv6 server


Windows Server 2003 Hardware Requirements

Edition      Processors   Processor Speed                         RAM                                                  Disk Space (for Setup)
Web          1-2          133 MHz minimum; 550 MHz recommended    128 MB minimum; 256 MB recommended; 2 GB maximum     1.5 GB
Standard     1-4          133 MHz minimum; 550 MHz recommended    128 MB minimum; 256 MB recommended; 4 GB maximum     1.5 GB
Enterprise   1-8          133 MHz minimum; 550 MHz recommended    128 MB minimum; 256 MB recommended; 32 GB maximum    1.5 GB
Datacenter   8-32         400 MHz minimum                         512 MB minimum; 64 GB maximum                        1.5 GB

Monitor (all editions): Video Graphics Adapter (VGA) or higher; Super VGA (SVGA) (800 x 600) or higher recommended.

Windows XP Professional Hardware Requirements

Minimum Requirements                                              Recommended Requirements
Intel Pentium (or compatible) 233 MHz or higher processor         Intel Pentium II (or compatible) 300 MHz or higher processor
64 MB of RAM                                                      128 MB (4 GB maximum) of RAM
2 GB hard disk with 650 MB of free disk space (additional         2 GB of free disk space
disk space required if installing over a network)
VGA or higher video adapter                                       SVGA video adapter and Plug and Play monitor
Keyboard, mouse, or other pointing device                         Keyboard, mouse, or other pointing device
CD-ROM or DVD-ROM drive (required for CD installations)           CD-ROM or DVD-ROM drive (12X or faster)
Network adapter (required for network installation)               Network adapter (required for network installation)


WARNING: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to Windows 2000 and Windows XP Professional. Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you want to keep your data, you must first back up the data or move it to another volume.

Dynamic Storage Terms:

A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.

The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.

The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.


RAID Terminology Overview

Redundant array of independent disks (RAID) is a storage technology used to improve the processing capability of storage systems. This technology is designed to provide reliability in disk array systems and to take advantage of the performance gains offered by an array of multiple disks over single-disk storage.

RAID's two primary underlying concepts are:

- distributing data over multiple hard drives improves performance
- using multiple drives properly allows for any one drive to fail without loss of data and without system downtime

In the event of a disk failure, disk access continues normally and the failure is transparent to the host system.

RAID Levels

There are several ways to implement a RAID array, using a combination of mirroring, striping, duplexing, and parity technologies. These various techniques are referred to as RAID levels. Each level offers a mix of performance, reliability, and cost. Each level uses a distinct algorithm to implement fault tolerance.

There are several RAID level choices: RAID 0, 1, 3, 5, 1+0, 3+0 (30), and 5+0 (50). RAID levels 1, 3, and 5 are the most commonly used.

RAID 0

RAID 0 implements block striping, where data is broken into logical blocks and is striped across several drives. Unlike other RAID levels, there is no facility for redundancy. In the event of a disk failure, data is lost.

In block striping, the total disk capacity is equivalent to the sum of the capacities of all drives in the array. This combination of drives appears to the system as a single logical drive.

RAID 0 provides the highest performance. It is fast because data can be simultaneously transferred to or from every disk in the array. Furthermore, read/writes to separate drives can be processed concurrently.

(Figure: RAID 0 Configuration)


RAID 1

RAID 1 implements disk mirroring, where a copy of the same data is recorded onto two drives. By keeping two copies of data on separate disks, data is protected against a disk failure. If, at any time, a disk in the RAID 1 array fails, the remaining good disk (copy) can provide all of the data needed, thus preventing downtime.

In disk mirroring, the total usable capacity is equivalent to the capacity of one drive in the RAID 1 array. Thus, combining two 1-Gbyte drives, for example, creates a single logical drive with a total usable capacity of 1 Gbyte. This combination of drives appears to the system as a single logical drive.

Note - RAID 1 does not allow expansion. RAID levels 3 and 5 permit expansion by adding drives to an existing array.

(Figure: RAID 1 Configuration)

In addition to the data protection that RAID 1 provides, this RAID level also improves performance. In cases where multiple concurrent I/O is occurring, that I/O can be distributed between disk copies, thus reducing total effective data access time.

RAID 1+0

RAID 1+0 combines RAID 0 and RAID 1 to offer mirroring and disk striping. Using RAID 1+0 is a time-saving feature that enables you to configure a large number of disks for mirroring in one step. It is not a standard RAID level option that you can select; it does not appear in the list of RAID level options supported by the controller. If four or more disk drives are chosen for a RAID 1 logical drive, RAID 1+0 is performed automatically.

(Figure: RAID 1+0 Configuration)


RAID 3

RAID 3 implements block striping with dedicated parity. This RAID level breaks data into logical blocks, the size of a disk block, and then stripes these blocks across several drives. One drive is dedicated to parity. In the event that a disk fails, the original data can be reconstructed using the parity information and the information on the remaining disks.

In RAID 3, the total disk capacity is equivalent to the sum of the capacities of all drives in the combination, excluding the parity drive. Thus, combining four 1-Gbyte drives, for example, creates a single logical drive with a total usable capacity of 3 Gbyte. This combination appears to the system as a single logical drive.

RAID 3 provides increased data transfer rates when data is being read in small chunks or sequentially. However, in write operations that do not span every drive, performance is reduced because the information stored in the parity drive needs to be recalculated and rewritten every time new data is written, limiting simultaneous I/O.

(Figure: RAID 3 Configuration)

RAID 5

RAID 5 implements multiple-block striping with distributed parity. This RAID level offers redundancy with the parity information distributed across all disks in the array. Data and its parity are never stored on the same disk. In the event that a disk fails, original data can be reconstructed using the parity information and the information on the remaining disks.

(Figure: RAID 5 Configuration)

RAID 5 offers increased data transfer rates when data is accessed in large chunks, or randomly, and reduced data access time during many simultaneous I/O cycles.


RAID Level Overview

RAID Level   Description                          Number of Drives Supported   Capacity                  Redundancy
0            Striping                             2-36                         N                         No
1            Mirroring                            2                            N/2                       Yes
1+0          Mirroring and striping               4-36 (even number only)      N/2                       Yes
3            Striping with dedicated parity       3-31                         N-1                       Yes
5            Striping with distributed parity     3-31                         N-1                       Yes
3+0 (30)     Striping of RAID 3 logical drives    2-8 logical drives           N - # of logical drives   Yes
5+0 (50)     Striping of RAID 5 logical drives    2-8 logical drives           N - # of logical drives   Yes

Capacity refers to the total number (N) of physical drives available for data storage. For example, if the capacity is N-1 and the total number of disk drives in the logical drive is six 36-Mbyte drives, the disk space available for storage is equal to five disk drives (5 x 36 Mbyte or 180 Mbyte). The -1 refers to the amount of striping across six drives, which provides redundancy of data and is equal to the size of one of the disk drives.

For RAID 3+0 (30) and 5+0 (50), capacity refers to the total number of physical drives (N) minus one physical drive (#) for each logical drive in the volume. For example, if the total number of disk drives in the logical drive is twenty 36-Mbyte drives and the total number of logical drives is 2, the disk space available for storage is equal to 18 disk drives (18 x 36 Mbyte, 648 Mbyte).
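The capacity rules in the table above and the parity reconstruction described for RAID 3 and RAID 5 are worked through in the following Python, added here as an example and not taken from the original document. Function names and the sample payload are my own; parity is modelled as a bitwise XOR across the data blocks of each stripe, which is how RAID 3/5 parity is computed, with RAID 3 keeping parity on one dedicated drive and RAID 5 rotating it.

```python
from functools import reduce
from operator import xor

# Drive-count limits and usable-capacity rule per the page's RAID Level
# Overview table. n = physical drives, ld = logical drives (3+0 / 5+0 only).
LEVELS = {
    "0":   {"min": 2, "max": 36, "usable": lambda n, ld: n},
    "1":   {"min": 2, "max": 2,  "usable": lambda n, ld: n // 2},
    "1+0": {"min": 4, "max": 36, "usable": lambda n, ld: n // 2},
    "3":   {"min": 3, "max": 31, "usable": lambda n, ld: n - 1},
    "5":   {"min": 3, "max": 31, "usable": lambda n, ld: n - 1},
    "3+0": {"min": 2, "max": 8,  "usable": lambda n, ld: n - ld},  # limits count logical drives
    "5+0": {"min": 2, "max": 8,  "usable": lambda n, ld: n - ld},
}


def usable_capacity(level, drives, drive_size, logical_drives=1):
    """Storage available to data for `drives` drives of `drive_size` each."""
    spec = LEVELS[level]
    counted = logical_drives if level in ("3+0", "5+0") else drives
    if not spec["min"] <= counted <= spec["max"]:
        raise ValueError(f"RAID {level} supports {spec['min']}-{spec['max']}, got {counted}")
    if level == "1+0" and drives % 2:
        raise ValueError("RAID 1+0 needs an even number of drives")
    return spec["usable"](drives, logical_drives) * drive_size


def _xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks: the parity value the page describes."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def parity_disk_for(stripe, n_disks, dedicated):
    # RAID 3: the last drive always holds parity.
    # RAID 5: parity rotates per stripe so data and its parity never share a
    # disk and no single drive absorbs every parity write.
    return n_disks - 1 if dedicated else (n_disks - 1 - stripe) % n_disks


def write_array(data, n_disks, block_size, dedicated=False):
    """Stripe `data` across n_disks with one parity block per stripe.
    Returns a list of disks; each disk is a list of block_size-byte blocks."""
    per_stripe = (n_disks - 1) * block_size
    data += b"\0" * (-len(data) % per_stripe)          # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = _xor_blocks(blocks)
        p = parity_disk_for(s, n_disks, dedicated)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(it))
    return disks


def read_array(disks, length, dedicated=False):
    """Reassemble the first `length` bytes of data, skipping parity blocks."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n, dedicated)
        for d in range(n):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Recreate every block of the failed disk from the survivors: the XOR of
    the other blocks in each stripe, whether the lost block was data or parity."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    return [_xor_blocks(stripe) for stripe in zip(*survivors)]


if __name__ == "__main__":
    # Constructed sample payload; four disks, 8-byte blocks, RAID 5 layout.
    payload = b"constructed sample payload for a four-disk RAID 5 array"
    array = write_array(payload, 4, 8)
    lost = 2
    print("read back intact:", read_array(array, len(payload)) == payload)
    print("rebuilt disk matches:", rebuild_disk(array, lost) == array[lost])
    print("six 36-Mbyte drives at RAID 5:", usable_capacity("5", 6, 36), "Mbyte")
```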


Windows XP booting process.

As with other Windows Operating Systems, when you turn on your PC, it goes through an elaborate boot up process. It begins when the computer performs the POST (power-on self test), followed by the POST for each adapter card that has a BIOS, for example, your video card. The BIOS then reads the MBR (Master Boot Record) which is in the first sector of the first hard disk and transfers control to the code in the MBR which is created by the XP Setup. This is where Windows takes over the startup process.

What comes next? Here's what happens:

1. The MBR reads the boot sector which is the first sector of the active partition. This sector contains the code that starts Ntldr which is the boot strap loader for Windows XP. The first role of Ntldr is to allow full memory addressing, start the file system, read boot.ini and put up the boot menu.

   IMPORTANT: Ntldr must be located in the root folder of the active partition along with Ntdetect.com, boot.ini, bootsect.dos (for dual booting) and Ntbootdd.sys (needed with some SCSI adapters).

2. Selecting XP from the boot menu causes Ntldr to run Ntdetect.com to get information about installed hardware. Ntldr then uses the ARC path specified in the boot.ini to find the boot partition, the one where Windows XP is installed. It might look like this:

   o default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
   o [operating systems]
   o multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home" /fastdetect

   Ntldr then loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll. These files must be located in the %SystemRoot%\System32 folder.

3. Ntldr reads the registry files, selects a hardware profile, control set and loads device drivers, in that order.

4. Then, Ntoskrnl.exe takes over and starts Winlogon.exe which starts Lsass.exe (Local Security Administration), this is the program that displays the Welcome screen (if Professional Edition, the Windows Log On dialog box), and allows the user to log on with his/her user name and password.


This is the (simplified) boot sequence for Windows NT, 2000, XP and 2003:

BIOS: performs Power On Self Test (POST) & loads MBR from the boot device specified/selected by the BIOS
MBR: contains a small amount of code that reads the partition table; the first partition marked as active is determined to be the system volume & loads the boot sector from the system volume
BOOT SECTOR: reads the root directory of the system volume and loads NTLDR
NTLDR: reads BOOT.INI from the system volume to determine the boot drive (presenting a menu if more than 1 entry is defined)
NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection
NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume
NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System
NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE
NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem
NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers
NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE)
SMSS.EXE: runs any programs specified in Boot Execute (e.g. AUTOCHK, the native API version of CHKDSK)
SMSS.EXE: processes any delayed move/rename operations from hot fixes/service packs replacing in-use system files
SMSS.EXE: initializes the paging file(s) and the remaining registry hives
   ** before this step completes, bug checks will not result in a memory dump as we need a working page file on the boot (Windows) volume **
SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
SMSS.EXE: starts WINLOGON.EXE
WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE)
WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default)
WINLOGON.EXE: displays the logon window
WINLOGON.EXE: starts the services controller (SERVICES.EXE) ** at this point users can logon **
SERVICES.EXE: starts all services marked as automatic

The SYSTEM volume is the partition from which the boot process starts, containing the MBR, boot sector, NTLDR, NTDETECT.COM & BOOT.INI.

The BOOT volume is the partition which contains the Windows folder; this can be a logical partition.
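Added example, not part of the original document: a small Python parser for the boot.ini that NTLDR reads in the sequence above. It decodes each ARC path into adapter, disk, rdisk and (1-based) partition components and checks that the default= line names one of the listed operating systems. The sample file is constructed after the page's example; the signature() adapter form and the C:\ style entry for a bootsect.dos chain are assumptions about what boot.ini accepts.

```python
import re

# ARC path grammar as used in boot.ini: adapter(id)disk(n)rdisk(n)partition(n)\dir.
# The multi() form addresses the disk with rdisk(); partition numbers start at 1.
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<adapter_id>[0-9a-f]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<directory>\\\S*)?$",
    re.IGNORECASE,
)


def parse_arc_path(text):
    """Decode an ARC path into its components, or return None when the entry
    is not an ARC path (e.g. a plain C:\\ entry that chains to bootsect.dos)."""
    m = ARC_RE.match(text.strip())
    if not m:
        return None
    parts = m.groupdict()
    return {
        "adapter": parts["adapter"].lower(),
        "adapter_id": parts["adapter_id"],
        "disk": int(parts["disk"]),
        "rdisk": int(parts["rdisk"]),
        "partition": int(parts["partition"]),   # 1-based, as in partition(2)
        "directory": parts["directory"] or "\\",
    }


def parse_boot_ini(text):
    """Parse the [boot loader] and [operating systems] sections of a boot.ini."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        sections[current].append((key.strip(), value.strip()))

    loader = dict(sections.get("boot loader", []))
    entries = []
    for target, rest in sections.get("operating systems", []):
        # Value is a quoted menu description followed by optional switches.
        m = re.match(r'"([^"]*)"\s*(.*)$', rest)
        description, switches = (m.group(1), m.group(2).split()) if m else (rest, [])
        entries.append({
            "target": target,
            "arc": parse_arc_path(target),
            "description": description,
            "switches": switches,
        })
    return {
        "default": loader.get("default"),
        "timeout": int(loader.get("timeout", "30")),
        "entries": entries,
    }


def default_entry(config):
    """Return the [operating systems] entry that default= points at, or None
    when the default names no listed entry (nothing for NTLDR to select)."""
    wanted = (config["default"] or "").lower()
    for entry in config["entries"]:
        if entry["target"].lower() == wanted:
            return entry
    return None


# Constructed sample modelled on the page's example; not a real machine's file.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Home" /fastdetect
C:\\="Microsoft Windows 98"
"""

if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    chosen = default_entry(cfg)
    print(chosen["description"], chosen["switches"], chosen["arc"])
```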


What is Active Directory?

Active Directory is Microsoft's trademarked directory service, an integral part of the Windows 2000 architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.

Active Directory was new to Windows 2000 Server and further enhanced for Windows Server 2003, making it an even more important part of the operating system. Windows Server 2003 Active Directory provides a single reference, called a directory service, to all the objects in a network, including users, groups, computers, printers, policies and permissions.

For a user or an administrator, Active Directory provides a single hierarchical view from which to access and manage all of the network's resources.

Active Directory features include:

- Support for the X.500 standard for global directories
- The capability for secure extension of network operations to the Web
- A hierarchical organization that provides a single point of access for system administration (management of user accounts, clients, servers, and applications, for example) to reduce redundancy and errors
- An object-oriented storage organization, which allows easier access to information
- Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability
- Designed to be both backward compatible and forward compatible

Why implement Active Directory?

There are many reasons to implement Active Directory. First and foremost, Microsoft Active Directory is generally considered to be a significant improvement over Windows NT Server 4.0 domains or even standalone server networks. Active Directory has a centralized administration mechanism over the entire network. It also provides for redundancy and fault tolerance when two or more domain controllers are deployed within a domain.

Active Directory automatically manages the communications between domain controllers to ensure the network remains viable. Users can access all resources on the network for which they are authorized through a single sign-on. All resources in the network are protected by a robust security mechanism that verifies the identity of users and the authorizations of resources on each access.

Even with Active Directory's improved security and control over the network, most of its features are invisible to end users; therefore, migrating users to an Active Directory network will require little re-training. Active Directory offers a means of easily promoting and demoting domain controllers and member servers. Systems can be managed and secured via Group Policies. It is a flexible hierarchical organizational model that allows for easy management and detailed specific delegation of administrative responsibilities. Perhaps most importantly, however, is that Active Directory is capable of managing millions of objects within a single domain.


    Basic divisions of Active Directory

    Active Directory networks are organized using four types of divisions or container structures.These four divisions are forests, domains, organizational units and sites.

    Forests are not limited in geography or network topology. A single forest can contain numerous

    domains, each sharing a common schema. Domain members of the same forest need not evenhave a dedicated LAN or WAN connection between them. A single network can also be thehome of multiple independent forests. In general, a single forest should be used for eachcorporate entity. However, additional forests may be desired for testing and research purposesoutside of the production forest.

    Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide Group Policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authentication is on a domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.

    Active Directory requires one or more domains in which to operate. As mentioned before, an Active Directory domain is a collection of computers that share a common set of policies, a name and a database of their members. A domain must have one or more servers that serve as domain controllers (DCs) and store the database, maintain the policies and provide the authentication of domain logons.

    With Windows NT, primary domain controller (PDC) and backup domain controller (BDC) were roles that could be assigned to a server in a network of computers that used a Windows operating system. Windows used the idea of a domain to manage access to a set of network resources (applications, printers and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

    One server, known as the primary domain controller, managed the master user database for the domain. One or more other servers were designated as backup domain controllers. The primary domain controller periodically sent copies of the database to the backup domain controllers. A backup domain controller could step in as primary domain controller if the PDC server failed and could also help balance the workload if the network was busy enough.

    With Windows 2000 Server, while domain controllers were retained, the PDC and BDC server roles were basically replaced by Active Directory. It is no longer necessary to create separate domains to divide administrative privileges. Within Active Directory, it is possible to delegate administrative privileges based on organizational units. Domains are no longer restricted by a 40,000-user limit. Active Directory domains can manage millions of objects. As there are no longer PDCs and BDCs, Active Directory uses multi-master replication and all domain controllers are peers.

    Organizational units are much more flexible and easier overall to manage than domains. OUs grant you nearly infinite flexibility as you can move them, delete them and create new OUs as needed. However, domains are much more rigid in their existence. Domains can be deleted and new ones created, but this process is more disruptive of an environment than is the case with OUs and should be avoided whenever possible.


    By definition, sites are collections of IP subnets that have fast and reliable communication links between all hosts. Another way of putting this is that a site contains LAN connections, but not WAN connections, with the general understanding that WAN connections are significantly slower and less reliable than LAN connections. By using sites, you can control and reduce the amount of traffic that flows over your slower WAN links. This can result in more efficient traffic flow for productivity tasks. It can also keep WAN link costs down for pay-by-the-bit services.

    The Infrastructure Master and Global Catalog

    Among the other key components within Active Directory is the Infrastructure Master. The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for an unattended process that "fixes up" stale references, known as phantoms, within the Active Directory database.

    Phantoms are created on DCs that require a database cross-reference between an object within their own database and an object from another domain within the forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same forest. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g., when the target object is renamed, moved, migrated between domains or deleted. The Infrastructure Master is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the "fix-up" process must then be replicated to all remaining DCs within the domain.

    The Infrastructure Master is sometimes confused with the Global Catalog (GC), which maintains a partial, read-only copy of every domain in a forest and is used for universal group storage and logon processing, among other things. Since GCs store a partial copy of all objects within the forest, they are able to create cross-domain references without the need for phantoms.

    Active Directory and LDAP

    Microsoft includes LDAP (Lightweight Directory Access Protocol) as part of Active Directory.

    LDAP is a software protocol for enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

    In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for individuals without knowing where they're located (although additional information will help with the search).

    An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

    An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically.

    It is important for every administrator to understand what LDAP is when searching for information in Active Directory, and being able to create LDAP queries is especially useful when looking for information stored in your Active Directory database. For this reason, many admins go to great lengths to master the LDAP search filter.
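As an added example, not part of the original document, the following Python helpers build LDAP search filters of the kind used to query Active Directory and escape values as RFC 4515 requires, so that a value containing characters such as `*` or `)` cannot change the structure of the filter. The matching-rule OID and the userAccountControl flag value are standard Active Directory values; the helper names and the sample logon name are assumptions made for illustration.

```python
"""LDAP search-filter helpers (added example, not from the original document).

Builds RFC 4515 filters such as those used to query Active Directory. Values
are escaped so that '*', '(' , ')' and '\\' in user-supplied input are matched
literally instead of altering the filter. 1.2.840.113556.1.4.803 is Active
Directory's LDAP_MATCHING_RULE_BIT_AND; userAccountControl bit 2 is
ACCOUNTDISABLE. Function names below are this example's own, not an API."""

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an attribute value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attribute: str, value: str) -> str:
    """Build (attribute=value) with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def bit_and(attribute: str, flag: int) -> str:
    """Build an AD bitwise-AND clause: (attribute:1.2.840.113556.1.4.803:=flag)."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def all_of(*clauses: str) -> str:
    """AND several clauses together: (&(a)(b)(c))."""
    return "(&" + "".join(clauses) + ")"


def user_by_sam_account_name(sam: str) -> str:
    """Filter for one user by logon name; 'sam' may be untrusted input."""
    return all_of(equals("objectCategory", "person"),
                  equals("objectClass", "user"),
                  equals("sAMAccountName", sam))


def disabled_user_accounts() -> str:
    """Filter for user objects whose ACCOUNTDISABLE bit is set."""
    return all_of(equals("objectCategory", "person"),
                  equals("objectClass", "user"),
                  bit_and("userAccountControl", UF_ACCOUNTDISABLE))


if __name__ == "__main__":
    # Constructed sample logon name; the second call shows escaping at work.
    print(user_by_sam_account_name("jdoe"))
    print(user_by_sam_account_name("j*doe"))
    print(disabled_user_accounts())
```

The filters produced here are the strings passed to any LDAP client (ldapsearch, the ADSI interfaces, or a PowerShell `-LDAPFilter` parameter); the escaping is what keeps a search on an attacker-chosen name from widening into a wildcard or a different query.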


    Group Policy management and Active Directory

    It's difficult to discuss Active Directory without mentioning Group Policy. Admins can use Group Policies in Microsoft Active Directory to define settings for users and computers throughout a network. These settings are configured and stored in what are called Group Policy Objects (GPOs), which are then associated with Active Directory objects, including domains and sites. It is the primary mechanism for applying changes to computers and users throughout a Windows environment.

    Through Group Policy management, administrators can globally configure desktop settings on user computers, restrict/allow access to certain files and folders within a network and more.

    It is important to understand how GPOs are used and applied. Group Policy Objects are applied in the following order: Local machine policies are applied first, followed by site policies, followed by domain policies, followed by policies applied to individual organizational units. A user or computer object can only belong to a single site and a single domain at any one time, so they will receive only GPOs that are linked to that site or domain.
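To make the application order concrete, here is an added Python example (not from the original document) that merges settings from a constructed set of GPO links in Local, Site, Domain, OU order, applying a parent OU before its child OU, and records which GPO supplied each winning value. The site, domain, OU, GPO and setting names are all made up for illustration.

```python
"""Group Policy application order, simulated (added example; not from the
original document). GPOs apply Local, then Site, then Domain, then OU, with a
parent OU's GPOs applied before a child OU's. For any setting defined at more
than one level, the GPO applied last wins. All names below are constructed."""


def gpo_application_order(target, local_policy, site_links, domain_links, ou_links):
    """Return (scope, gpo_name, settings) tuples in the order they are applied."""
    order = [("Local", local_policy[0], local_policy[1])]
    for name, settings in site_links.get(target["site"], []):
        order.append(("Site", name, settings))
    for name, settings in domain_links.get(target["domain"], []):
        order.append(("Domain", name, settings))
    # target["ou_path"] lists OUs from the top-level OU down to the OU that
    # directly contains the object, so parent OUs are applied first.
    for ou in target["ou_path"]:
        for name, settings in ou_links.get(ou, []):
            order.append(("OU " + ou, name, settings))
    return order


def resultant_policy(target, local_policy, site_links, domain_links, ou_links):
    """Merge settings in application order; later GPOs overwrite earlier ones.

    Returns {setting: (winning_value, "gpo_name [scope]")}, so an admin sees
    not only the effective value but which GPO supplied it."""
    effective = {}
    for scope, name, settings in gpo_application_order(
            target, local_policy, site_links, domain_links, ou_links):
        for setting, value in settings.items():
            effective[setting] = (value, f"{name} [{scope}]")
    return effective


# Constructed sample data: one workstation in the Finance OU under Workstations.
SAMPLE_TARGET = {"site": "London", "domain": "corp.example",
                 "ou_path": ["Workstations", "Finance"]}
SAMPLE_LOCAL = ("Local Computer Policy",
                {"ScreenSaverTimeout": 900, "SMBv1": "Enabled"})
SAMPLE_SITE_LINKS = {"London": [("Site-London-Baseline",
                                 {"ScreenSaverTimeout": 600})]}
SAMPLE_DOMAIN_LINKS = {"corp.example": [("Default Domain Policy",
                                         {"SMBv1": "Disabled",
                                          "AuditLogonEvents": "Success"})]}
SAMPLE_OU_LINKS = {
    "Workstations": [("Workstation-Hardening",
                      {"AuditLogonEvents": "Success and Failure"})],
    "Finance": [("Finance-ScreenLock", {"ScreenSaverTimeout": 300})],
}


def sample_resultant_policy():
    """Effective settings for the sample workstation."""
    return resultant_policy(SAMPLE_TARGET, SAMPLE_LOCAL, SAMPLE_SITE_LINKS,
                            SAMPLE_DOMAIN_LINKS, SAMPLE_OU_LINKS)


if __name__ == "__main__":
    for setting, (value, source) in sample_resultant_policy().items():
        print(f"{setting:18} = {value!s:20} from {source}")
```

In the sample, the local SMBv1 setting loses to the domain policy, and the Finance OU's screen-lock timeout overrides both the local and the site value, which is the same precedence the Resultant Set of Policy tools report.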

    GPOs are split into two distinct parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). The Group Policy Template is responsible for storing the specific settings created within the GPO and is essential to its success. It stores these settings in a large structure of folders and files. In order for the settings to apply successfully to all user and computer objects, the GPT must be replicated to all domain controllers within the domain.

    The Group Policy Container is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO. The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.

    For Windows Server 2003, Microsoft released a Group Policy management solution as a means of unifying management of Group Policy in the form of a snap-in known as the Group Policy Management Console (GPMC). The GPMC provides a GPO-focused management interface, thus making the administration, management and location of GPOs much simpler. Through GPMC you can create new GPOs, modify and edit GPOs, cut/copy/paste GPOs, back up GPOs and perform Resultant Set of Policy modeling.

    Active Directory Schema

    The Microsoft Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object. This section provides the reference for each schema object and provides a brief explanation of the attributes, classes, and other objects that comprise the Active Directory schema.

    http://searchwinit.techtarget.com/tip/1,289483,sid1_gci1155575,00.html

    Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.

    The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise-wide forest search only on the properties in the GC, whereas you can search for any property in a user's domain tree. Only Directory Services (DS) or Domain Controller (DC) servers can hold a copy of the GC.

    Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don't need to configure additional GCs unless you notice slow query response times.

    Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.

    By default, the first DC in the First Domain in the First Tree in the AD Forest (the root domain) will be configured as the GC.

    You can configure another DC to become the GC, or even add it as another GC while keepingthe first default one.

    Reasons for such an action might be the need to place a GC in each AD Site.

    To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps:

    1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.)

    2. Select the Sites branch.

    3. Select the site that owns the server, and expand the Servers branch.

    4. Select the server you want to configure.

    5. Right-click NTDS Settings, and select Properties.

    6. Select or clear the Global Catalog Server checkbox (shown in the screenshot).

    7. Click Apply, and then click OK.

    You must allow for the GC to replicate itself throughout the forest. This process might take anywhere between 10-15 minutes to even several days, all depending on your AD infrastructure.


    Standard Active Directory Management Consoles

    Windows Server 2003 comes with three standard MMC-based consoles for viewing and managing Active Directory objects. MMC console files have an .msc extension. The management consoles can be differentiated by the naming context they are used to manage:

    AD Users and Computers. This console is used to manage the contents of a Domain naming context. The console filename is Dsa.msc.

    AD Sites and Services snap-in. This console is used to manage the Sites and Services containers inside the Configuration naming context. The console filename is Dssite.msc.

    AD Domains and Trusts. This console is used to manage the contents of the Partitions container inside the Configuration naming context. It uses the CrossRef objects in the Partitions container to identify domains in the forest in their assigned hierarchy. The console filename is Domain.msc.

    FSMO Roles

    In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

    Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

    Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

    Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

    Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

    PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

    You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the three MMC snap-in tools:

    If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.


    Transfer the Schema Master Role

    Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

    Register Schmmgmt.dll

    1. Click Start, and then click Run. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. Click OK when you receive the message that the operation succeeded.

    Transfer the Schema Master Role

    1. Click Start, click Run, type mmc in the Open box, and then click OK.

    2. On the File menu, click Add/Remove Snap-in. Click Add.

    3. Click Active Directory Schema, click Add, click Close, and then click OK.

    4. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.

    5. In the console tree, right-click Active Directory Schema, and then click Operations Master.

    6. Click Change. Click OK to confirm that you want to transfer the role, and then click Close.

    Transfer the Domain Naming Master Role

    1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

    2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

    3. Do one of the following:

    o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

    -or-

    o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

    4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

    5. Click Change.

    6. Click OK to confirm that you want to transfer the role, and then click Close.


    Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

    1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

    3. Do one of the following:

    o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

    -or-

    o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

    4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

    5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

    6. Click OK to confirm that you want to transfer the role, and then click Close.