Active Directory in Windows Server 2003/8 - Advanced
This section assumes a working knowledge of Active Directory. If
you are not familiar with Forests, Trees and OUs then check out Active Directory - Intro;
if you are up to speed on the basics then read on.
My twin goals are to give you configuration tips and provide background
information before you deploy Active Directory. My greatest wish is that you will be
able to make informed decisions for yourself.
The Forest is the highest level in Active Directory. Logically, a
forest is a collection of domains all joined by parent child trusts. Another
way is to think of a forest as a group of trees branching from a root domain.
From a technical standpoint, all objects in the forest share the same schema
definitions.
What is new in Server 2003 is that you can have trusts between different
forests; this was not possible in Windows 2000. Microsoft are making it
easy for companies who merge with or take over smaller organizations.
The domain remains the basic unit of Active Directory. From a technical point of view, domains are the security boundary
of Active Directory. From a practical point of view this means that security policies
set at the domain level cannot be changed at the OU level.
Users do not need to know which tree, forest or even OU they belong to,
but they should know which domain to select at logon. The modern way for a
user to log on is to enter their User Principal Name (UPN) in the domain logon box.
The UPN looks like an email address; for example guyt@CP.com.
Domain controllers need to replicate directory information with all other domain controllers in
their own domain. If this replication is slow or chokes a slow link, then
first try separate sites; if that solution does not work then consider separate
domains in each geographic location.
When planning your Active Directory, divide and rule is a good maxim.
Learn from the mistakes of NT 4.0 where there were too many domains. With
Active Directory keep to a few domains, but create lots of OUs which you then
delegate. The trick is to keep overall control and harness the benefits of
belonging to a domain, while allowing local administrators to create users and
reset passwords.
With installations, 7 minutes of planning will save an hour of rework. The
secret of troubleshooting Active Directory installs is mastering DNS. I
find NSLookup invaluable; Ipconfig's new switches /registerdns and /flushdns
are also handy.
Procedure for Creating a Domain Controller
The key to success is preparation. Decide your DNS name and enter it in the Computer Name tab of the System
icon (Windows Key + Pause). Whilst
this section deals with the nuts and bolts of an installation, take care to
design your Active Directory forest first, for example the account naming strategy, top
level OUs and group policies.
Now you are ready to run DCPROMO.
DCPROMO decisions
To call for the Active Directory Installation Wizard, Start, Run DCPROMO and
answer these questions:
New Domain - or Replica (another DC in the same domain)
Domain Tree in existing forest - or New Domain Tree
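Because the DNS tip above and the DCPROMO procedure both hinge on a domain controller's records being in DNS, here is an added PowerShell check (not from the original article) that uses nslookup, as recommended, to confirm the SRV records clients need to find a domain controller; run it on the new DC after DCPROMO finishes, or on any member before joining it. The domain name is an assumed placeholder.

```powershell
# Added example (not the article's own code): verify the SRV records a domain
# controller must register, using nslookup so it works on Server 2003/8 and later.
# Assumption: $Domain is a placeholder; substitute your own AD DNS name.
param(
    [string]$Domain = 'cp.com'
)

# Locator records clients query for LDAP, Kerberos and the global catalog.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

$missing = @()
foreach ($name in $records) {
    # nslookup prints one 'svr hostname = ...' line per SRV answer; none means no record.
    $out = & nslookup -type=SRV $name 2>&1 | Out-String
    if ($out -match 'svr hostname') {
        Write-Host "OK       $name"
    } else {
        Write-Host "MISSING  $name"
        $missing += $name
    }
}

if ($missing.Count -gt 0) {
    # A records are re-registered with ipconfig; the SRV records are written by the
    # Netlogon service on the DC, so restarting it forces them back into DNS.
    Write-Host ""
    Write-Host "$($missing.Count) record(s) missing. On the domain controller run:"
    Write-Host "    ipconfig /registerdns"
    Write-Host "    net stop netlogon && net start netlogon"
    exit 1
}
Write-Host "All locator records present for $Domain"
```

If the records are present but the client still cannot find the DC, clear the client's resolver cache with ipconfig /flushdns before re-testing.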
The physical structure of Active Directory is much like sites in Exchange.
Firstly sites are completely independent of the Domain and Tree logical structure. Secondly sites are defined by the subnet that the servers are on. Thirdly you
need to create and configure a site connector to join and synchronise Active Directory between different sites.
Windows Server 2003/8 uses a change notification system to keep all the domain
controllers synchronised. When you have more than one domain controller
there will be a delay of 15 seconds in changes reaching the other partners at the
same site. (Reduced from 5 minutes in Windows 2000.)
The reasons for creating a second site would include slow network links and
the desire to control directory replication. The site connectors allow you
to control the intervals between replication; the default is 3 hours. Do
remember to create subnet objects and to associate them with the appropriate
sites. While Windows Server 2003/8 clients automatically work out which subnet they
are in, you have to manually assign the server the correct IP and use the Active Directory Sites and Subnets snap-in to configure the server object.
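The site, subnet and replication-interval steps just described can also be scripted. The following is an added example (not from the original article) that uses ADSI, which is available on Server 2008 without any later PowerShell modules, to create a site, associate a subnet with it, add the site to the IP site link (the article's "site connector") and lower the link's replication interval from the 3-hour default. The site name, subnet and interval are assumed placeholders; it must run as an Enterprise Admin.

```powershell
# Added example (not the article's own code). Placeholders: change $siteName,
# $subnetCidr and $intervalMinutes to suit your network.
$siteName        = 'Branch01'          # assumed placeholder
$subnetCidr      = '10.20.0.0/16'      # assumed placeholder: subnet the branch servers sit on
$linkName        = 'DEFAULTIPSITELINK' # the IP site link DCPROMO creates by default
$intervalMinutes = 60                  # default replInterval is 180 (the 3 hours above)

# Configuration naming context holds CN=Sites for the whole forest.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$siteDn   = "CN=$siteName,CN=Sites,$configNc"

# 1. Site object, plus the two child containers a DC expects when it is moved in.
$sites = [ADSI]"LDAP://CN=Sites,$configNc"
$site  = $sites.Create('site', "CN=$siteName")
$site.SetInfo()
$site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
$site.Create('serversContainer', 'CN=Servers').SetInfo()

# 2. Subnet object pointing at the site, so clients map themselves to it automatically.
$subnets = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
$subnet  = $subnets.Create('subnet', "CN=$subnetCidr")
$subnet.Put('siteObject', $siteDn)
$subnet.SetInfo()

# 3. Add the site to the IP site link and set the replication interval (minutes).
$link = [ADSI]"LDAP://CN=$linkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$link.PutEx(3, 'siteList', @($siteDn))   # 3 = ADS_PROPERTY_APPEND: keep existing sites
$link.Put('replInterval', $intervalMinutes)
$link.SetInfo()

Write-Host "Site $siteName created with subnet $subnetCidr; $linkName replicates every $intervalMinutes minutes"
```

The server object itself is still moved into the new site by hand in Active Directory Sites and Services, as the article says; the script only prepares the site, subnet and link.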
Note that you can install the tools below and run them from an XP machine.
What you need is Adminpak.msi from the Server CD. If your adminpak does
not work on your client machine, check Microsoft's web site. There are a
number of permutations of W2K3, W2K, XP and W2K Professional; fortunately
Microsoft have a tool for each combination. If all else fails, then Remote
Desktop into the server from the client.
Three Basic Active Directory Tools
Active Directory Users and Computers - Create and manage accounts
Active Directory Sites and Services - Create Sites and Subnets
Active Directory Domains and Trusts - Rare job creating trusts.
Three Advanced Utilities
Active Directory Replication Monitor - Support tools from the CD
Schema Snap-in - Run regsvr32 schmmgmt.dll; the Active Directory Schema snap-in will then be available in the MMC or Administrative programs.