Active Directory in Windows 2000

This page is designed to help you understand Microsoft’s Active Directory.  Just as you might admire a diamond by looking at its different facets, so you can build up a picture of Active Directory by examining its many sides.

The seven sides of Active Directory

  1. The Successor to NT 4.0’s SAM database

  2. Directory services containing users, computers and printers

  3. A Search mechanism to find those resources

  4. Logical Structure – Domain, Tree & Forest and Organisational Units

  5. Group Policy – Thanks to Active Directory we can lock down the desktop and assign software

  6. Physical Sites, Subnets and Locations

  7. The Schema and how it defines Active Directory objects


What is Active Directory?

Active Directory will be the backbone and nerve centre of Microsoft’s operating systems for the foreseeable future.  The best way to understand Active Directory (AD) is to answer these questions.

  1. Where did AD come from?  Active Directory is a replacement of NT 4.0’s primitive SAM database.

  2. What is the equivalent in other operating systems?  AD is equivalent to Novell’s NDS or Unix’s Directory Services.

  3. How is Active Directory structured?  The domain is still the basic unit. Domains can be joined to form Trees and Trees joined to form a Forest.  [Diagram: Forest, Tree, Domain, OU]

  4. Which utilities do you use to see and configure AD?  The replacement of NT 4.0’s User Manager for Domains is Active Directory Users and Computers.  There is also an interface for Active Directory Sites and Services.

  5. What else is new in AD?  Organisational Units revolutionise organising users and allow for delegating permissions.  The new way is to have few domains, but lots of OUs.

  6. How is AD constructed?  Active Directory is an object based system.  AD is defined by a Schema of classes and attributes. For example, a User class has attributes like CN and department, and those attributes have values such as Guy Thomas and Training.

  7. What else is good about Active Directory?  Group Policies can only be configured if you have AD.

One Domain: plan to have as few domains as possible.  Learn from the mistakes of NT, where there were far too many domains. Technically a domain can contain 1 million objects.


Installing Active Directory

Remember that whenever you install Windows 2000 Server it begins life as a member server.  To install AD on a Server, you go to the Start Menu, then Run, DCPROMO.  That part is easy.  The difficult part is planning the names of your domains, trees and OUs.  To do this you must understand DNS and be proficient in LDAP.

Try out VISIO, a powerful program to model your AD structure.

Migration from NT 4.0 is a separate topic from pure installation.  In brief there are two main strategies, upgrade the PDC in an existing domain or start with a new domain and import the users from NT 4.0 using a bulk import program like CSVDE.
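To make the naming and bulk-import points concrete, here is an added example in Python (it is not code from the original page or its author). It builds a CSVDE-style import file: it derives the domain DN from a DNS name, builds the OU path, escapes the characters that RFC 4514 reserves inside a DN component so that a name such as "Smith, Jane" cannot add an extra component to the DN, and checks the pre-Windows 2000 logon name (sAMAccountName) before writing a row. The domain example.com, the OU names and the user records are constructed; "Guy Thomas" in the Training department echoes the schema example given above.

```python
# Added example, not code from the original page. Builds a CSVDE-style import
# file for bulk user creation. The domain, OUs and user records are constructed.

import csv
import io

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIALS = ',+"\\<>;'
# Characters Windows rejects in a sAMAccountName, and its maximum length.
_SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20


def domain_dn(dns_name):
    """Turn 'corp.example.com' into 'DC=corp,DC=example,DC=com'."""
    labels = [label for label in dns_name.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN, so that a value like
    'Smith, Jane' stays one component instead of injecting a second one."""
    escaped = "".join(
        "\\00" if ch == "\x00" else ("\\" + ch if ch in _RDN_SPECIALS else ch)
        for ch in value
    )
    if escaped[:1] in (" ", "#"):          # leading space or '#' must be escaped
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):   # and so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def ou_dn(ou_path, base_dn):
    """ou_path is top-down, e.g. ['UK', 'Training'] -> 'OU=Training,OU=UK,<base>'."""
    rdns = [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    return ",".join(rdns + [base_dn])


def check_sam_account_name(name):
    """Return None if the logon name is acceptable, otherwise the reason."""
    if not name or len(name) > _SAM_MAX_LEN:
        return f"sAMAccountName must be 1-{_SAM_MAX_LEN} characters"
    bad = sorted(set(name) & _SAM_ILLEGAL)
    if bad:
        return "sAMAccountName contains illegal characters: " + "".join(bad)
    return None


CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "cn", "givenName", "sn",
                "department", "userPrincipalName"]


def build_csvde(dns_name, ou_path, users):
    """Render a CSVDE import file: a header row plus one row per user."""
    base = domain_dn(dns_name)
    container = ou_dn(ou_path, base)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")   # quotes fields containing commas
    writer.writerow(CSVDE_HEADER)
    for u in users:
        problem = check_sam_account_name(u["sam"])
        if problem:
            raise ValueError(f"{u['cn']}: {problem}")
        dn = f"CN={escape_rdn_value(u['cn'])},{container}"
        writer.writerow([dn, "user", u["sam"], u["cn"], u["given"], u["sn"],
                         u["department"], f"{u['sam']}@{dns_name}"])
    return out.getvalue()


# Constructed records; the second one shows a comma in the common name.
SAMPLE_USERS = [
    {"cn": "Guy Thomas", "sam": "guythomas", "given": "Guy", "sn": "Thomas",
     "department": "Training"},
    {"cn": "Smith, Jane", "sam": "jsmith", "given": "Jane", "sn": "Smith",
     "department": "Sales"},
]

if __name__ == "__main__":
    print(build_csvde("example.com", ["UK", "Training"], SAMPLE_USERS))
```

Save the output to a file and feed it to CSVDE in import mode; keep the generated file afterwards, because it is an exact record of which accounts were created and where.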

Importance of Naming and DNS

Now that you are building up an understanding of AD, I would like to stress the importance of naming.  It is vital to understand all the ramifications of your namespace, e.g. domain name, e-mail names and DNS names.  Learn from the mistakes of others.  It is claimed that all those who were at the leading edge of the migration to Windows 2000 Active Directory have by now ripped out their first installation and started again. Why?  Because somewhere along the line they got their naming wrong.

Benefits of OUs, delegation and System Policies

Two of the extra benefits of Active Directory are OUs (Organisational Units) and delegation.  The idea is to manage users through OUs. Typically this can be done to reflect your organisation tree, or by creating an OU for each geographic site.  You could get help from a network architect, or plan yourself with VISIO.

Use Group Policies and software deployment to control the desktop.  Group Policies started life as System Policies in NT 4.0.  In Windows 2000 Group Policies are an essential part of your battle to win control of the desktop and to reduce expensive support calls for users who ‘break’ their systems.  What is more, the idea of controlling the desktop has extended to almost all areas, e.g. RAS dial-up control and Exchange 2000 mailbox limits.  Every network administrator likes being ‘Mr Nasty’ and screwing down the desktop, but there is now a new role – ‘Mr Nice’.  ‘Mr Nice’ uses Group Policies to deploy the software that users need to do their job.  Group Policies are a topic in their own right, so be sure to give yourself plenty of time for testing.

SEARCH (Replaces FIND)

So far we have described the object based nature of AD, but it also provides a Search mechanism for you to find users or printers on your network. Microsoft do not change names without good reason; you will notice in Windows 2000 that on the Start menu, Find has been replaced with Search.

Do thoroughly test your Active Directory network.  My point is that many companies have a defined product or service and they would not dream of releasing a new product without thorough testing.  So make sure your technical department has the same testing facilities for their network which you would have for a new product. Another use of the test network is to act as a backup: in an emergency you can quickly replace a faulty server with one from the test network.

Active Directory Physical Site Topology

The physical structure of Active Directory is much like sites in Exchange.  Firstly sites are completely independent of the Domain and Tree logical structure.  Secondly sites are defined by the subnet that the servers are on.  Thirdly you need to create and configure a site connector to join and synchronise Active Directory between different sites.

Windows 2000 uses a change notification system to keep all the domain controllers synchronised.  When you have more than one domain controller there will be a delay of 5 minutes in changes reaching the other partners at the same site.

The reasons for creating a second site would include slow network links and the desire to control directory replication.  The site connectors allow you to control the intervals between replication, the default is 3 hours.  Do remember to create subnet objects and to associate them with the appropriate sites.  While Windows 2000 clients automatically work out which subnet they are in, you have to manually assign the server the correct IP and use the Active Directory Sites and Subnets snap-in to configure the server object.
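As an added illustration (this is not code from the original page), the Python below models the subnet lookup that gives a client its site: each subnet object maps to a site, the most specific subnet containing the client's address wins, and any address that no subnet covers is reported. A client with no matching subnet has no site affinity and may end up talking to a domain controller across one of those slow links, which is why an audit like this is worth running whenever subnets change. The subnets, site names and client addresses are constructed for the example; the longest-prefix rule is the standard AD behaviour rather than something the page states.

```python
# Added example, not from the original page. Models the AD subnet-to-site
# lookup (most specific subnet wins) and audits client addresses against it.
# Subnets, sites and client addresses below are constructed.

import ipaddress

# Constructed subnet objects: CIDR -> site name
SUBNETS = {
    "10.1.0.0/16": "London",
    "10.1.50.0/24": "London-Lab",        # more specific subnet inside 10.1.0.0/16
    "10.2.0.0/16": "Manchester",
    "192.168.100.0/24": "Edinburgh",
}

# Constructed client addresses to check; the last one is in no subnet object.
CLIENTS = ["10.1.50.7", "10.1.3.9", "10.2.8.1", "172.16.0.5"]


def build_subnet_table(subnets):
    """Parse the CIDR strings once and order them most specific first."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(address, table):
    """Return the site of the most specific subnet containing address, else None."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip.version == network.version and ip in network:
            return site
    return None


def audit_clients(addresses, subnets):
    """Map each client to its site and collect addresses no subnet covers."""
    table = build_subnet_table(subnets)
    resolved, uncovered = {}, []
    for address in addresses:
        site = site_for(address, table)
        if site is None:
            uncovered.append(address)
        else:
            resolved[address] = site
    return {"resolved": resolved, "uncovered": uncovered}


def overlapping_subnets(subnets):
    """List pairs where a smaller subnet sits inside a larger one but points at a
    different site; that is legal, but worth confirming it was intended."""
    table = build_subnet_table(subnets)
    overlaps = []
    for i, (inner, inner_site) in enumerate(table):
        for outer, outer_site in table[i + 1:]:
            if (inner.version == outer.version and inner.subnet_of(outer)
                    and inner_site != outer_site):
                overlaps.append((str(inner), inner_site, str(outer), outer_site))
    return overlaps


if __name__ == "__main__":
    report = audit_clients(CLIENTS, SUBNETS)
    for address, site in report["resolved"].items():
        print(f"{address:16} -> {site}")
    for address in report["uncovered"]:
        print(f"{address:16} -> NO SITE (add a subnet object)")
    for inner, inner_site, outer, outer_site in overlapping_subnets(SUBNETS):
        print(f"{inner} ({inner_site}) lies inside {outer} ({outer_site})")
```

Feed it the subnet objects from Active Directory Sites and Services and a list of addresses from your DHCP scopes, and the "NO SITE" lines tell you which subnet objects are still missing.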

Group Policy

The concept behind Group Policies is that administrators configure settings once, and then they apply continuously to the users.  Furthermore, Group Policy can be applied to computers, so you can control the settings no matter who logs on.  The way that Group Policy works is to alter settings in the registry.

The old saying "Prevention is better than cure", certainly applies to Group Policies.  A good Group Policy will give greater productivity for the users, and save you time on routine administration.  Think of all the damage and time wasting a user could spend trying out different control panel settings.  The worst case that I have seen was a user who set the refresh rate too fast on a monitor, his screen literally went up in smoke!

Just wading through the hundreds of Policies is a Herculean task.  My suggestion is to commission two opposite approaches.  Get a ‘Techie’ who understands Windows 2000 to go through the policy and select those settings that he thinks appropriate.  Then ask a manager to produce a vision or wish list of what the desktop should look like.  Finally, bring the two disparate mind sets together and weld them into your Group Policy.
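Because a user or computer sits inside OUs, inside a domain, inside a site, several Group Policies can each set the same registry value, and it helps to see which one ends up winning. The following added example (not code from the original page) models that in Python. The processing order it assumes, site first, then domain, then each OU from the top down, with the last value written taking effect, is the standard order rather than something this page spells out; the GPO names, OUs and registry paths are constructed for illustration.

```python
# Added example, not from the original page. A small model of how Group Policy
# settings accumulate down the AD hierarchy into registry values.
# Assumed order: site, domain, OUs top-down; the last value written wins.
# GPO names, containers and registry paths are constructed.


class GPO:
    def __init__(self, name, computer=None, user=None):
        self.name = name
        self.computer = computer or {}   # registry path -> value, applies to the machine
        self.user = user or {}           # registry path -> value, applies to whoever logs on


# Constructed links: container -> GPOs linked there, in link order.
LINKS = {
    "site:London": [
        GPO("London-Proxy",
            user={r"Software\Policies\Example\ProxyServer": "proxy.london:8080"}),
    ],
    "DC=example,DC=com": [
        GPO("Domain-Baseline",
            computer={r"Software\Policies\Example\RequireScreenSaverPassword": 1},
            user={r"Software\Policies\Example\DisableRegistryTools": 1,
                  r"Software\Policies\Example\ScreenSaverTimeout": 900}),
    ],
    "OU=UK,DC=example,DC=com": [
        GPO("UK-Desktop",
            user={r"Software\Policies\Example\ScreenSaverTimeout": 600}),
    ],
    "OU=Training,OU=UK,DC=example,DC=com": [
        GPO("Training-Room",
            user={r"Software\Policies\Example\ScreenSaverTimeout": 3600,
                  r"Software\Policies\Example\DisableRegistryTools": 0}),
    ],
}


def processing_order(dn, site):
    """Containers whose GPOs apply to the object at dn: site, domain, OUs top-down.
    Assumes no escaped commas in the DN, which holds for these constructed names."""
    parts = dn.split(",")[1:]                      # drop the object's own RDN
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    domain = ",".join(parts[first_dc:])
    ous = [",".join(parts[i:]) for i in range(first_dc)]   # nearest OU first
    return [f"site:{site}", domain] + list(reversed(ous))


def resultant(dn, site, scope):
    """Resultant settings for scope 'user' or 'computer'.
    Returns {registry path: (value, name of the GPO that set it)}."""
    result = {}
    for container in processing_order(dn, site):
        for gpo in LINKS.get(container, []):
            settings = gpo.user if scope == "user" else gpo.computer
            for path, value in settings.items():
                result[path] = (value, gpo.name)   # a later container overrides an earlier one
    return result


if __name__ == "__main__":
    user_dn = "CN=Guy Thomas,OU=Training,OU=UK,DC=example,DC=com"
    for path, (value, source) in sorted(resultant(user_dn, "London", "user").items()):
        print(f"{path} = {value}   (from {source})")
```

Tracing each value back to the GPO that set it is the quickest way to find out why the Training-room OU ended up with a looser setting than the domain baseline intended.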


Active Directory Tools

  • Active Directory Replication Monitor – Support tools from the CD
  • ADSI – Support tools from the CD
  • Schema Snap-in.  Run regsvr32 schmmgmt.dll; the Active Directory Schema snap-in will then be available in the MMC or Administrative programs

Check list for further investigation

  • Active Directory Sites and Services. (Administrative Tools)
  • Global Catalog servers
  • Locations especially with printers
  • Active Directory Connections
  • Kerberos Security
  • Switching from Mixed to Native Mode