
ACTIVE DIRECTORY CONCEPTS

DESCRIPTION

This tutorial is taken from the first module in our full training course MCSE - Supporting Exchange Server 2000.

TUTORIAL TAKEN FROM COURSE: MCSE - SUPPORTING EXCHANGE SERVER 2000

FULL COURSE DETAILS

This course will teach support professionals the skills necessary to support Microsoft Exchange Server 2000. Learning is reinforced by practical, hands-on lab sessions and review questions throughout the course. This course will help students to prepare for the following Microsoft Certified Professional exam: (70-224) Installing, configuring and administering Microsoft Exchange 2000 Server.

What you will learn in this module:

  • Overview of Active Directory components
  • Active Directory naming standards
  • Choose when to implement a domain or an OU
  • Understand about the roles of servers
  • Global Catalogue
  • Trusts

What is a Directory?

The term 'Directory' means a container for some sort of information; for example, a telephone directory contains telephone numbers and other addressing information.

Windows NT's directory, also called the SAM (or Security Accounts Manager database), contained user, group and machine accounts. This was a single master database, which essentially means that the database can be edited at one machine only: the Primary Domain Controller, or PDC. This database is replicated to Backup Domain Controllers (or BDCs) on a scheduled and regular basis. The BDCs maintain a read-only copy of the directory.

By contrast, Windows 2000 has a multi-master Directory service. Domain Controllers are neither primary nor backup, but simply controllers. Changes can be made to any instance of the database, and the replication process handles this transparently.

In Windows NT, the domain was the unit of administration, a geographic and replication boundary. This presented designers with problems, and typically more domains were created than were required, simply to address limitations in the NT Directory structure.

In Windows 2000, the domain can be all those things, too. But it is also possible to delegate administration within a domain to other containers called OUs. A domain need not be an administrative boundary. Replication is handled between sites, and a site is a geographic area. Therefore, the domain is no longer a geographic or replication boundary.

The Windows 2000 Directory Service simplifies things for the network designer by allowing a greater degree of flexibility. In this Unit we will look more closely at Active Directory, covering planning and design issues; implementation and maintenance and troubleshooting.

Domains

The domain is the basic building block of our Windows 2000 Enterprise network. By default, it functions as an administrative boundary, replication boundary and geographic boundary.

A domain consists of at least one domain controller, and this machine will typically be the first on the network. Any Windows 2000 server machine can be promoted to domain controller (DC) at any time using the DCPROMO command.

Multiple Domains Trees

In Windows 2000, once you have created a domain, other domains can be linked to it to create an Enterprise network simply by defining the relationship between them.

In the graphic above, once the comsurf.co.uk domain had been created, the glasgow.comsurf.co.uk domain could be created, defining the latter as a child domain of the former. Once the first relationship had been defined, then subsequent domains could be added. For example, sales.glasgow.comsurf.co.uk is a sub-domain of glasgow, which in turn is a sub-domain of comsurf.

Trust relationships bind these domains together. The trusts in Windows 2000 are Kerberos two-way transitive trusts. This means that the trust between glasgow and comsurf is in both directions, so that user accounts in either domain have the potential ability to access resources in the other domain. Sales trusts glasgow and glasgow trusts comsurf (and vice versa). In Windows 2000, this also means that sales trusts comsurf, and comsurf trusts sales - because the trusts are transitive.

As you add domains, and establish their parental relationships (thereby creating trusts), you are building a domain tree. A domain tree is a group of domains with a contiguous namespace. In this case all domains share a common root.

Forests

As the Enterprise network grows, it may be desirable to create more than one tree. In this situation, you will have built at least the root and first domain of one tree. As you add your next domain, you indicate that it has no appropriate parent within the current tree, and that you are adding a new tree. This will create a forest of trees.

A forest of trees shares a common root, a common schema but has a non-contiguous name space. This arrangement is typical only for very large organisations, and is desirable because a certain degree of inter-operability is required, but most administrative function needs to be kept separate.

A trust relationship binds the top-level domains together, so that comsurf trusts bootkamp and vice versa. Because the trust is a two-way transitive link, all sub-domains trust all other sub-domains within the forest - so once again, a user account anywhere in the forest could be granted access to a resource anywhere else in the forest.
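The trust behaviour described above can be checked with a small model. This is an added example, not part of the original course material: it derives the two-way trusts from the domain names, follows them transitively, and groups the domains into trees by contiguous namespace. The comsurf names come from the tutorial; the bootkamp DNS names and all function names are assumptions made for illustration.

```python
from collections import deque

# comsurf names are from the tutorial; the bootkamp DNS names are constructed
# for illustration (the page only says "bootkamp").
FOREST_ROOT = "comsurf.co.uk"
DOMAINS = ["comsurf.co.uk", "glasgow.comsurf.co.uk",
           "sales.glasgow.comsurf.co.uk",
           "bootkamp.co.uk", "training.bootkamp.co.uk"]

def parent_of(domain, domains):
    """Parent domain within the same contiguous namespace, or None."""
    _, _, rest = domain.partition(".")
    return rest if rest in domains else None

def direct_trusts(domains, forest_root):
    """Two-way trusts: parent<->child in a tree, tree root<->forest root."""
    trusts = {d: set() for d in domains}
    for d in domains:
        peer = parent_of(d, domains)
        if peer is None and d != forest_root:
            peer = forest_root        # root of an additional tree
        if peer:
            trusts[d].add(peer)
            trusts[peer].add(d)       # the trust runs in both directions
    return trusts

def trust_reach(start, trusts):
    """Every domain reachable from start by following trusts transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in trusts[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def trees(domains):
    """Group domains by tree root, i.e. by contiguous namespace."""
    grouped = {}
    for d in domains:
        root = d
        while parent_of(root, domains):
            root = parent_of(root, domains)
        grouped.setdefault(root, []).append(d)
    return grouped

if __name__ == "__main__":
    t = direct_trusts(DOMAINS, FOREST_ROOT)
    print(sorted(t["sales.glasgow.comsurf.co.uk"]))
    print(sorted(trust_reach("sales.glasgow.comsurf.co.uk", t)))
    print(trees(DOMAINS))
```

The sales domain has a single direct trust (to glasgow), yet its transitive reach is every other domain in the forest, which is why permissions on a resource, not the trust itself, are what limit access between domains.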
