© 2007 Hell'z Vision Group.

The information in this manual is not binding and may be

modified without prior notice. Supply of the software
described in this manual is subject to a user license. The
software may not be used, copied or reproduced on any
medium whatsoever, except in accordance with this
license. No portion of this manual may be copied,
reproduced or transmitted by any means whatsoever, for
purposes other than the personal use of the buyer, unless
written permission is obtained from Hell'z Vision.

© 2007 Hell'z Vision Group.

All rights reserved.

AllThe products are trademarks or registered trademarks

of Hell'z Group or its affiliated companies. All other
brands and product names are the trademarks of their
respective owners
 User Guide

Active Directory Domain Services

www.hackermohitdhawan.blogspot.com Mohit Dhawan

 Active Directory Domain Service (Windows Server 2008 R2)

Introduction

Gaining associate understanding of the Active Directory™ directory service is that the
opening in understanding however the Windows® 2000 software functions and what it will do
to assist you meet your enterprise goals. This paper appearance at Active Directory from the
subsequent 3perspectives:
• Store. Active Directory, the Windows 2000 Server directory service, hierarchically stores
infoconcerning network objects and makes this info accessible to directors, users, and
applications. the primary section of this paper explains what a directory service is, the
combination of Active Directory service with the Internet's name System (DNS), and the way
Active Directory is actual after youdesignate a server as a website controller1.
• Structure. exploitation Active Directory, the network and its objects ar organized by
constructs likedomains, trees, forests, trust relationships, structure units (OUs), and sites.
subsequent sectionduring this paper describes the structure and performance of those Active
Directory parts, and the way this design lets directors manage the network so users will
accomplish business objectives.
• Inter-communicate. as a result of Active Directory relies on commonplace directory access
protocols, it will interoperate with different directory services and might be accessed by third-
party applications that follow these protocols. the ultimate section describes however Active
Directory
• can communicate with a good type of different technologies.
•
• for full information concerning ....ADDS
Active Directory edges
The introduction of Active Directory within the Windows 2000 software provides the
subsequentbenefits:
• Integration with DNS. Active Directory uses the name System (DNS). DNS is an
onlinecommonplace service that interprets human-readable pc names (such as
mycomputer.microsoft.com) to computer-readable numeric net Protocol (IP) addresses (four
numbers separated by periods). This lets processes running on computers in TCP/IP
networks establish andhook up with each other.
• Flexible querying. Users and directors will use the Search command on the beginning
menu, the My Network Places icon on the desktop, or the Active Directory Users associated
Computers snap-in to quickly notice an object on the network exploitation object properties.
as an example, you'll noticea user by name, last name, e-mail name, workplace location, or
different properties of that person's user account. Finding info is optimized by use of the
world catalog.
• Extensibility. Active Directory is protractile, which implies that directors will add new
categories of objects to the schema and might add new attributes to
existing categories of objects. The schema contains a definition of
every object category, and every object class's attributes, that may be hold on within
the directory. as an example, you may add a buying deal Authority attribute to the User
object then store every user's purchase authority limit as a part of the user's account.
• Policy-based administration. cluster Policies ar configuration settings applied to computers
or users as they're initialized. All cluster Policy settings ar contained in cluster Policy
Objects (GPOs) applied to Active Directory sites, domains,
or structure units. authority settings confirm access to directory objects and domain
resources, what domain resources (such as applications) ar accessible to users,and the
way these domain resources ar designed to be used.
• Scalability. Active Directory includes one or a lot of domains, every with one or a lot
of domain controllers, facultative you to scale the directory to fulfill any network needs.
Multiple domains iscombined into a website tree and multiple domain trees is combined into
a forest. within the simplest structure, one-domain network is at the same time one tree
and one forest.
• Information Replication. Active Directory uses multimaster replication, that enables you
to update the directory at any domain controller. Deploying multiple domain controllers in
one domain provides fault tolerance and cargo reconciliation. If one domain controller at
intervals a website slows, stops, or fails, different domain controllers at
intervals identical domain will give necessary directory access, since they
contain identical directory information.
• Information security. Management of user authentication and
access management, each totallyintegrated with Active Directory, ar key safety
features within the Windows 2000 software. Active Directory centralizes authentication.
Access management is outlined not solely on every objectwithin
the directory, however additionally on every property of every object. additionally, Active
Directory provides each the shop and also the scope of application for security policies.
(For a lot ofconcerning Active Directory logon authentication and access management, see
the "For a lot ofInformation" section at the top of this paper.)
• Interoperability. as a result of Active Directory relies on commonplace directory access
protocols,like light-weight Directory Access Protocol (LDAP), it will interoperate
with different directory services using these protocols. many application programming
interfaces (APIs) —such as Active Directory Service Interfaces (ADSI)—give developers
access to those protocols.
At the top of this document, "Appendix A: Tools" provides a quick summary of the software
packagetools you employ to perform the tasks related to Active Directory.
Top of page
Active Directory Directory Service
Before attending to the most sections of this paper—Active Directory design and
interoperability—this preliminary section takes a fast investigate Active Directory
from 2 terribly totally differentperspectives:
• The 1st is Active Directory at its most abstract, that is, Active Directory as a
namespace that'sintegrated with the Internet's name System (DNS).
• The second is Active Directory at its most mundane, that is, because the software
package that creates a server into a website controller.
In the context of a network, a directory (also referred to as {a data|a knowledge|an info}
store) may be a data structure that stores information concerning objects on the network.
Objects embraceshared resources like servers, shared volumes, and printers; network user
and pc accounts; still as domains, applications, services, security policies, and almost
about everything else in your network. One example of the {particular} types of info a
network directory may store a couple of particularkind of object is that a
directory usually stores a user's name, password, e-mail address, sign, and so on, for a
user account.
A directory service differs from a directory in this it's each the directory info supply and also
theservices creating the knowledge accessible and usable to directors, users, network
services, and applications. Ideally, a directory service makes the physical configuration and
protocols (formats fortransmission information between 2 devices) clear so a
user will access any resource while notknowing wherever or however it's physically
connected. To continue the user account example, it'sthe directory service that
lets different licensed users on identical network access hold on directoryinfo (such
as associate e-mail address) concerning the user account object.
Directory services will support a good type of capabilities. Some directory
services ar integrated withassociate software, et al ar applications like e-mail
directories. software directory services, likeActive Directory, give user, computers, and
shared resource management. Directory services that handle e-mail, like Microsoft
Exchange, alter users to seem up different users and send e-mail.
Active Directory, the new directory service central to the Windows 2000 Server software,
runs solelyon domain controllers. Active Directory, additionally to providing an area to
store information and services to form that information accessible, additionally protects
network objects from unauthorized access and replicates objects across a
network so information isn't lost if one domain controller fails.
Active Directory Incorporates DNS
Active Directory and DNS ar each namespaces. A namespace is any delimited space within
whicha forename is resolved. Name resolution is that the method of translating a
reputation into some object or info that the name represents. A directory forms a
namespace within which the names ofphonephone subscribers is resolved
to phonephone numbers. The Windows 2000 NTFS filing system forms a namespace within
which the name of a file is resolved to the file itself.
DNS and also the net
Understanding however Windows 2000 handles Active Directory and DNS
namespaces needsunderstanding a couple of basics concerning DNS itself and its
relationship to the web and TCP/IP.the web may be a TCP/IP network. The TCP/IP
communications protocols connect computers andallow them to transmit information over
networks. each pc on the web or on the other TCP/IP network (such as several Windows
networks) has associate IP address. DNS locates TCP/IP hosts (computers)
by breakdown the pc names that finish users perceive to the IP addresses that
computers perceive. The IP addresses on the web ar managed by exploitation the globally
distributed DNS information, however DNS may also be enforced domestically to manage
addresses at intervals personal TCP/IP networks.
DNS, that is organized into a hierarchy of domains, makes the complete net into one
namespace. DNS has many superior domains that ar any divided into second-level
domains. the basis of the web domain namespace is managed by an online authority
(currently, the web Network info Center, or InterNIC) that's liable
for authorization body responsibility for the superior domains of the DNS namespace and
for registering second-level domain names.
The superior domains ar the acquainteddomain classes business (.com), academic (.edu),
governmental (.gov), and then forth. Outside theus, two-letter country-region codes ar used,
such as .uk for uk. Second-level domains represent namespaces that ar formally registered
to establishments (and to individuals) to supply them an online presence.
Figure one shows however a company's network connects into the web DNS namespace.

Figure 1: however Microsoft fits into the Internet's DNS namespace

Integration of DNS and Active Directory Namespaces
The integration of DNS and Active Directory may be a central feature of the Windows 2000
Serversoftware. DNS domains and Active Directory domains use identical domain
names for variousnamespaces. as a result of the 2 namespaces share a regular domain
structure, it's necessary to know that they're not identical namespace. every stores
{different|totally totally different|completely different} information and so manages different
objects. DNS stores its zones2 and resource records; Active Directory stores its domains
and domain objects.
Domain names for DNS ar supported the DNS hierarchical naming
structure, that is associateinverted tree structure: one root domain, beneath which may be
parent and kid domains (branches and leaves). as an example, a Windows
2000 name like kid.parent.microsoft.com identifies a websitenamed kid, that may be
a kid domain of the domain named parent, itself a toddler of the domain microsoft.com.
Each pc in a very DNS domain is unambiguously known by
its totally qualified name (FQDN). The FQDN of a pc placed within
the domain kid.parent.microsoft.com iscomputername.child.parent.microsoft.com.
Every Windows 2000 domain features a DNS name (for example, OrgName.com), and
each Windows 2000-based pc features a DNS name (for example,
AcctServer.OrgName.com). Thus, domains and computers ar delineated each as Active
Directory objects and as DNS nodes (a node within the DNS hierarchy represents a
website or a computer).
DNS and Active Directory every uses a information to resolve names:
• DNS may be a name resolution service. DNS resolves domain names and pc names
to IP addresses through requests received by DNS servers as DNS queries to the
DNS information. Specifically, DNS purchasers send DNS name queries to
their designed DNS server. The DNS server receives the name question then either
resolves the name question through domestically hold on files or consults another DNS
server for resolution. DNS doesn't need Active Directory to operate.
• Active Directory may be a directory service. Active Directory resolves domain object
names to object records through requests received by domain controllers as light-
weight Directory Access Protocol (LDAP)3 search or modify requests to the Active
Directory information. Specifically, Active Directorypurchasers use LDAP to send queries to
Active Directory servers. To find a vigorous Directory server, a
vigorous Directory shopper queries DNS. That is, Active Directory uses DNS as
asurveyor service, breakdown Active Directory domain, site, and repair names
to associate IPaddress. as an example, to go online to a vigorous Directory domain, a
vigorous Directory shopperqueries its designed DNS server for the IP address of the LDAP
service running on a websitecontroller for a mere domain. Active Directory will need DNS
to operate.
At the sensible level, to know that the DNS and Active Directory namespaces in a
very Windows 2000 surroundings ar {different|totally totally different|completely different}
is to know that a DNS host record that represents a selected pc in a very DNS zone is in a
very different namespace than the Active Directory domain pc account object that
represents identical pc.
In summary, then, Active Directory is integrated with DNS within the following ways:
• Active Directory domains and DNS domains have identical data structure. though separate
andenforced otherwise for various functions, associate organization's namespace for DNS
and Active Directory domains have a regular structure. as an example, microsoft.com may
be a DNS domain and a vigorous Directory domain.
• DNS zones is hold on in Active Directory. If you're exploitation the Windows 2000 DNS
service, primary zones is hold on in Active Directory for replication to different Active
Directory domain controllers and to supply increased security for the DNS service.
• Active Directory purchasers use DNS to find domain controllers. To find a
website controller for amere domain, Active
Directory purchasers question their designed DNS server for specific resource records.
Active Directory and also the world DNS Namespace
Active Directory is intended so it will exist at intervals the scope of the world net DNS
namespace.once a company exploitation Windows 2000 Server as its
network software needs an onlinepresence, the Active Directory namespace is
maintained jointly or a lot of hierarchical Windows 2000 domains at a lower place a root
domain that's registered as a DNS namespace. (An organization willopt for to not be a part
of the world net DNS namespace, however if it will therefore, the DNS service continues to
be needed to find Windows-2000 primarily based computers.)
According to DNS naming conventions, every a part of a DNS name that's separated by
a amount (.) represents a node within the DNS hierarchical tree structure and a
possible Active Directory namewithin the Windows 2000 domain hierarchical tree structure.
As shown in Figure two, the basis of the DNS hierarchy may be a node that features a null
label (" "). the basis of the Active Directory namespace (the forest root) has no parent, and it
provides the LDAP entry purpose to Active Directory.

Figure 2: scrutiny DNS and Active Directory namespace roots

SRV Resource Records and Dynamic Updates
DNS exists severally of Active Directory, whereas Active Directory is intended specifically to
figurewith DNS. For Active Directory to operate properly, DNS servers should support
Service Location (SRV) resource records4. SRV resource records map the name of a
service to the name of a servergiving that service. Active Directory purchasers and domain
controllers use SRV resource records to work out the IP addresses of domain controllers.
Note: For a lot of info concerning designing DNS server preparation in support of your
Active Directory domains still as different preparation problems, see the Microsoft Windows
2000 Serverpreparation designing Guide within the "For a lot of Information" section during
this paper.
In addition to the necessity that DNS servers in a very Windows 2000 network support SRV
resource records, Microsoft additionally recommends that DNS servers give support for
DNS dynamic updates5. DNS dynamic updates outline a protocol for dynamically change a
DNS server with new ormodified values. while not the DNS dynamic update
protocol, directors should manually put together the records created by domain controllers
and hold on by DNS servers.
The new Windows 2000 DNS service supports each SRV resource records and dynamic
updates. Ifyou select to use a non-Windows 2000-based DNS server, you need to verify
that it supports the SRV resource records or upgrade it to a version that will support them.
A gift DNS server that supports SRV resource records however doesn't support dynamic
updates should have its resource records manually updated at the time you promote a
Windows 2000 Server to a website controller. this can be accomplished exploitation the
Netlogon.dns file (located within the%systemroot%\System32\config folder), that is
formed by the Active Directory Installation wizard.
Active Directory Creates Domain Controller
Implementing and administering a network ar tangible activities. to know however Active
Directory fits into the image at the sensible level, the primary factor you wish to grasp is
that putting in Active Directory in a very pc running the Windows 2000 Server software is
that the act that transforms the server into a website controller. a
website controller will host precisely one domain.
Specifically, a website controller may be a pc running Windows 2000 Server that has
been designedexploitation the Active Directory Installation wizard, that installs and
configures parts that give Active Directory directory services to network users and
computers. Domain controllers store domain-wide directory information (such as system
security policies and user authentication data) and manage user-domain interactions, as
well as user logon processes, authentication, and directory searches.
Promoting a server to a website controller exploitation the Active Directory Installation
wizardadditionally either creates a Windows 2000 domain or adds extra domain controllers
to associateexisting domain.
This section describes what a vigorous Directory domain controller is and a few of the most
important roles it plays in your network.
With the introduction of Active Directory, Windows 2000 domain controllers operate as
peers. this can be a amendment from the superior/subordinate roles vie by
Windows nongovernmental organization Server Primary Domain Controllers (PDCs) and
Backup Domain Controllers (BDCs). Peer domain controllers support multimaster
replication, replicating Active Directory info among all domain controllers. The introduction
of multimaster replication means directors will build updates to Active Directory on any
Windows 2000 domain controller within the domain. within the Windowsnongovernmental
organization Server software, solely the PDC features a read-and-write copy of the
directory; the PDC replicates a read-only copy of directory info to the BDCs. (For a lot
ofconcerning multimaster replication, see the section "Multimaster Replication.")
If you're upgrading to the Windows 2000 software from associate existing
domain, you'll perform the upgrade piecemeal and at your convenience. If you're making the
primary domain controller for a
replacement installation, many entities acquire being mechanically at identical time that
Active Directory is loaded. subsequent 2 subsections justify the subsequent aspects of
putting in a vigorous Directory domain controller in a very new network:
• First domain controller may be a world Catalog server.
• First domain controller holds the operations master roles.
Global Catalog
The Windows 2000 software introduces the world catalog, a information unbroken on one
or a lot of domain controllers. the world catalog plays major roles in work on users and
querying.
By default, a world catalog is formed mechanically on the initial domain controller within
theWindows 2000 forest, and every forest should have a minimum of one world catalog.
If you employmultiple sites, you'll would like to assign website} controller in each site to be a
world catalog, as a result of a world catalog (which
determines associate account's cluster membership) is needed to complete the logon
authentication method. This refers to a native-mode domain. Mixed-mode
domainsdon't need a world catalog question for logon.
After extra domain controllers ar put in within the forest, you'll amendment the default
location of the world catalog to a different domain controller exploitation the Active Directory
Sites and Services tool. you'll optionally put together any domain controller to host a
world catalog, supported your organization's needs for sexual union logon requests and
search queries. a lot of world catalog servers give faster responses to user inquiries; the
trade-off is that facultative several domain controllers as world catalog servers will
increase the replication traffic on the network.
The global catalog performs 2 key Active Directory roles, logon and querying:
• Logon. in a very native-mode domain, the world catalog permits network logon for Active
Directorypurchasers by providing universal cluster membership information6for the
account causation the logon request to a website controller. In fact,
not simply users however each object authenticating to Active
Directory should reference the world catalog server, as well as each pc that boots up. in a
very multi-domain setup, a minimum of one domain controller that contains the
world catalog shouldbe running and accessible so as for users to go online. a world catalog
server should even beaccessible once a user logs on with a non-default user principal name
(UPN). (For a lot ofconcerning work on, see the section "Logon Names: UPN and guided
missile Account Names").
If a world catalog isn't accessible once a user initiates a network logon method, the user is
ready togo online solely to the native pc (not to the network). the sole exception to the
current is that usersWorld Health Organization ar members of the domain directors (Domain
Admin) cluster ar able togo online to the network even once a world catalog isn't accessible.
• Querying. in a very forest that contains several domains, the world catalog
lets purchasers quicklyand simply perform searches across all domains, while not having to
look every domain severally.the world catalog makes directory structures at intervals a
forest clear to end-users seeking info. Most Active Directory network traffic is query-related:
users, directors, and programs requesting infoconcerning directory objects. Queries
occur rather more often than updates to the directory.distribution over one domain controller
to be a world catalog server improves reaction time for users seeking
directory info, however you need to balance this advantage against the actual fact that
doing therefore may also increase the replication traffic on your network.
Operations Master Roles
Multimaster replication among peer domain controllers is impractical for a
few sorts changes,therefore only 1 domain controller, referred to as the operations master,
accepts requests for such changes. as a result of multimaster replication plays a crucial role
in a vigorous Directory-based network, it's necessary to grasp what these exceptions ar. In
any Active Directory forest, a minimum of 5 totally different operations master
roles ar assigned to the initial domain controller throughoutinstallation.
When you produce the primary domain in a very new forest, all 5 of the one master
operations rolesar mechanically assigned to the primary domain controller in this domain. in
a very little Active Directory forest with only 1 domain and one domain controller, that
domain controller continues to haveall the operations master roles. in a very larger
network, whether or not with one or multiple domains,you'll re-assign these roles to at least
one or a lot of of the opposite domain controllers. Some
rolesshould seem in each forest. different roles should seem in each domain within
the forest.
The following 2 forest-wide operations master roles should be distinctive within the forest,
that is, there is only 1 of every throughout the complete forest:
• Schema master. The domain controller holding the schema master role controls all
updates and modifications to the schema. The schema defines every object (and its
attributes) that may be hold onwithin the directory. To update the schema of a forest, you
need to have access to the schema master.
• Domain naming master. The domain controller holding the domain naming master role
controls the addition or removal of domains within the forest.
The following 3 domain-wide operations master roles should be distinctive in every domain:
there isonly 1 in every domain within the forest:
• Relative ID (RID) master. The disembarrass master allocates sequences of RIDs to
every domain controller in its domain. Whenever a website controller creates a user, group,
or pc object, it assignsthe article a novel security ID (SID). the safety ID consists of a
website security ID (which is that the same for all security IDs created within the domain),
and a relative ID (which is exclusive for every security ID created within
the domain). once the domain controller has exhausted its pool of RIDs, it requests another
pool from the disembarrass Master.
• Primary domain controller (PDC) human. If the domain contains
computers operational while notWindows 2000 shopper software package or if it contains
Windows nongovernmental organizationbackup domain controllers (BDCs), the
PDC human acts as a Windows nongovernmental organization primary domain controller
(PDC). It processes word changes from purchasers and replicates updates to the BDCs.
The PDC human receives discriminatory replication of wordchanges performed
by different domain controllers within the domain. If a logon authentication fails at another
domain controller attributable to a foul word, that domain controller forwards the
authentication request to the PDC human before rejecting the logon try.
• Infrastructure master. The infrastructure master is liable for change all inter-domain
referencesassociatey time an object documented by another object moves. as an example,
whenever the members of teams ar renamed or modified, the infrastructure master updates
the group-to-user references. after you rename or move a member of a bunch (and that
member resides in a verytotally different domain from the group),
the cluster could quickly seem to not contain that member. The infrastructure master of
the cluster's domain is liable for change the group so it is aware of the new name or location
of the member.
The infrastructure master distributes the update exploitation multimaster replication.
Unless there'sonly 1 domain controller within the domain, don't assign the infrastructure
master role to the domain controller that's hosting the world catalog. If you do, the
infrastructure master won't operate. If all domain controllers in a
very domain additionally host the world catalog (including things whereveronly 1 domain
controller exists), all domain controllers have current information and so the infrastructure
master role isn't required.
Top of page
Architecture
Once you've got put in a vigorous Directory domain controller, you've got at the same
timeadditionally created the initial Windows 2000 domain or else the new domain controller
to associateexisting domain. however do the domain controller and domain match into the
general network architecture?
This section explains the parts of a vigorous Directory-based network and the
way they'reorganized. additionally, it describes however you'll delegate body responsibility
for structure units (OUs), domains, or sites to acceptable people, and the way you'll assign
configuration settings tothose self same 3 Active Directory containers. the
subsequent topics ar covered:
• Objects (including the schema).
• Object naming conventions (including security principal names, SIDs, LDAP-related
names, object GUIDs, and logon names).
• Object commercial enterprise.
• Domains (including, trees, forests, trusts, and structure units).
• Sites (including replication).
• How delegation and cluster Policy apply to OUs, domains, and sites.
Objects
Active Directory objects ar the entities that structure a network. associate object may be
a distinct, named set of attributes that represents one thing concrete, like a user, a printer,
or associateapplication. after you produce a vigorous Directory object, Active Directory
generates values for a few of the object's attributes, others you give. as an example, after
you produce a user object, Active Directory assigns the globally distinctive symbol (GUID),
and you give values for such attributesbecause the user's forename, surname, the
logon symbol, and so on.
The Schema
The schema may be a description of the article categories (the varied styles of objects) and
also the attributes for those object categories. for every category of object, the schema
defines the attributes that object category should have, the extra attributes it's going
to have, and also theobject category that may be its parent. each Active Directory object
is associate instance ofassociate object category. every attribute is outlined just one
occasion and might be employed inmultiple categories. as an example, the outline attribute
is outlined once however is employed inmany various categories.
The schema is hold on in Active Directory. Schema
definitions ar themselves additionally hold on as objects—Class Schema objects and
Attribute Schema objects. This lets Active Directory managecategory and attribute
objects within the same method that it manages different directory objects.
Applications that make or modify Active Directory objects use the schema to work out what
attributesthe article should or might need, and what those attributes will seem like in
terms of informationstructures and syntax constraints.
Objects ar either instrumentality objects or leaf objects (also referred to as noncontainer
objects). Ainstrumentality object stores different objects and a leaf object doesn't. as an
example, a folder may be a instrumentality object for files, that ar leaf objects.
Each category of objects within the Active Directory schema has attributes that ensure:
• Unique identification of every object in a very directory information store.
• For security principals (users, computers, or groups), compatibility with security identifiers
(SIDs)employed in the Windows nongovernmental organization four.0 software and earlier.
• Compatibility with LDAP standards for directory object names.
Schema Attributes and Querying
Using the Active Directory Schema tool, you'll mark associate attribute as indexed.
Doing thereforeadds all instances of that attribute to the index, not simply the instances
that ar members of a specificcategory. assortment associate attribute helps
queries notice objects that have that attribute a lot ofquickly
You can additionally embrace attributes within the world catalog. the world catalog contains
a default set of attributes for each object within the forest, and you'll add your selections to
those.each users and applications use the world catalog to find objects throughout the
forest. embracesolely those attributes that have the subsequent characteristics:
• Globally helpful. The attribute ought to be one that's required for locating objects (even
if only forscan access) that will occur anyplace within the forest.
• Not volatile. The attribute ought to be unchanging or amendment seldom. Attributes in a
very worldcatalog ar replicated to any or all different world catalogs within the forest. If the
attribute changestypically, important replication traffic results.
• Small. Attributes in a very world catalog ar replicated to each world catalog within
the forest. The smaller the attribute, the lower the impact of that replication.
Schema Object Names
As declared earlier, categories and attributes ar each schema objects. Any schema
object isdocumented by every of the subsequent styles of names:
• LDAP show name. The LDAP show name is globally distinctive for every schema object.
The LDAP show name consists of 1 or a lot of words combined, exploitation initial caps for
words whenthe primary word. as an example, mailAddress and
machinePasswordChangeInterval ar the LDAPshow names for 2 schema attributes. Active
Directory Schema and different Windows 2000 bodytools show the LDAP show name of
objects, and programmers and directors use this name to reference the
article programmatically. See next subdivision for info concerning programmatically
extending the schema; see the section "Lightweight Directory Access Protocol" for a lot
of infoconcerning LDAP.
• Common name. The common name for schema objects is additionally globally distinctive.
You specify the common name once making a replacement object category or
attribute within theschema—it is that the relative distinguished name (RDN) of the
article within the schema that represents the article category. For a lot of concerning RDNs,
see the section "LDAP DN and RDN Names." as an example, the common names of the
2 attributes mentioned within the preceding paragraph ar SMTP-Mail-Address and Machine-
Password-Change-Interval.
• Object symbol (OID). A schema object's symbol may be a variety issued
by associate supplyingauthority like the world organisation for Standardization (ISO) and
also the yankee National Standards Institute (ANSI). as an example, the OID for the SMTP-
Mail-Address attribute isone.2.840.113556.1.4.786. OIDs ar bound to be distinctive across
all networks worldwide. Once youacquire a root OID
from associate supplying authority, you'll use it to assign extra OIDs. OIDs typea
hierarchy. as an example, Microsoft has been issued the basis OID of one.2.840.113556.
Microsoft manages any branches from this root internally. one in every of the branches is
employed to assignOIDs for Active Directory schema categories, and another for attributes.
To continue the instance, the OID in Active Directory
is one.2.840.113556.1.5.4, that identifies the Builtin Domain category and might be parsed
as shown in Table one.
Table one Object symbol
Object ID Number Identifies
1 ISO ("root" authority) issued one.2 to ANSI, then…
2 ANSI issued one.2.840 to USA, then…
840 USA issued one.2.840.113556 to Microsoft, then…
113556 Microsoft internally
manages many object symbol branches below one.2.840.113556 that include…
1 a branch referred to as Active Directory that includes…
5 a branch referred to as categories that includes…
4 a branch referred to as Builtin Domain
For a lot of info concerning OIDs and the way to get them, see "For a lot of Information"
at the topof this document.
Extending the Schema
The Windows 2000 Server software provides a default set of object categories and
attributes, that arample for several organizations. though you can not delete schema
objects, you'll mark them as deactivated.
Experienced developers and network directors will dynamically extend the schema
by process newcategories and new attributes for existing categories. The counseled thanks
to extend the Active Directory schema is programmatically, through the Active Directory
Service Interfaces (ADSI). you'lladditionally use the LDAP information Interchange Format
(LDIFDE) utility. (For a lot of concerningADSI and LDIFDE, see the sections "Active
Directory Service Interface" and "Active Directory and LDIFDE.")
For development and testing functions, you'll additionally read and modify the Active
Directory schema with the Active Directory Schema tool.
When considering ever-changing the schema, bear in mind these key points:
• Schema changes ar world throughout the forest.
• Schema extensions don't seem to be reversible (although you'll modify some attributes).
• Microsoft needs anyone extending the schema to stick to the naming rules
(discussed within thepreceding subsection) for each the LDAP show name and also
the common name. Compliance isimplemented by the Certified for
Windows brand program7Microsoft Developer Network computer fora lot of info. .
• All categories within the schema ar derived from the special category prime. With the
exception ofprime, all categories ar subclasses derived from another category. Attribute
inheritancelets you build new categories from existing categories. The new taxonomic
category inherits the attributes of itstaxonomic group (parent class).
Extending the schema is a complicated operation. For careful info concerning the way
to extend the schema programmatically, see the section "For a lot of Information" at the
top of this document.
Object Naming Conventions
Active Directory supports many formats for object names to accommodate the
various forms a reputation will take, betting on the context within which it's getting
used (some of the names arwithin the variety of numbers). the subsequent subsections
describe these styles of naming conventions for Active Directory objects:
• Security principal names.
• Security identifiers (also referred to as security IDs or SIDs).
• LDAP-related names (including DNs, RDNs, URLs, and canonical names).
• Object GUIDs.
• Logon names (including UPN and guided missile account names).
If your organization has many domains, it's doable to use identical user name or pc name in
severaldomains. the safety ID, GUID, LDAP distinguished name, and canonical name
generated by Active Directory unambiguously establish every user or pc within the directory.
If the user or pc object is renamed or stirred to a special domain, the safety ID, LDAP
relative distinguished name, distinguished name, and canonical
name amendment, however the GUID generated by Active Directory doesn't amendment.
Security Principal Names
A security principal may be a Windows 2000 object managed by Active
Directory that's mechanicallyassigned a security symbol (SID) for logon authentication and
for access to resources. A security principal is a user account, pc account, or a
group, therefore a security principal name may be a name that unambiguously identifies a
user, computer, or cluster at intervals one domain. A security principal
object should be echt by a website controller within the domain within which the
safetyprincipal object is found, and it is granted or denied access to network resources.
A security principal name isn't distinctive across domains, but, for backward compatibility,
it shouldbe distinctive at intervals its own domain. Security principal objects is
also renamed, moved, or contained at intervals a nested domain hierarchy.
The names of security principal objects should adapt to the subsequent guidelines:
• The name can't be the image of the other user, computer, or cluster name within
the domain. Itwill contain up to twenty majuscule or lowercase characters apart from the
following: " / \ [ ] : ; | = , + * ? <>
• A user name, pc name, or cluster name cannot consist entirely of periods (.) or areas.
Security IDs (SIDs)
A security symbol (SID) may be a distinctive variety created by the safety system of the
Windows 2000 software, and assigned to security principal objects, that is, to user, group,
and pc accounts.each account on your network is issued a novel SID once that account
is 1st created. Internal processes within the Windows
2000 software ask associate account's SID instead of to the account's user or cluster name.
Each Active Directory object is protected by access management entries (ACEs)
that establish thatusers or teams will access that object. every ACE contains the SID of
every user or cluster World Health Organization has permission to access that object and
defines what level of access is allowed.as an example, a user might need read-only access
to bound files, read-and-write access to others, and no access to others.
If you produce associate account, delete it, then produce associate account
with identical user name, the new account doesn't have the rights or
permissions antecedently granted to the previousaccount, as a result of the accounts
have totally different SID numbers.
LDAP-related Names
Active Directory may be a light-weight Directory Access Protocol (LDAP)-compliant
directory service. within the Windows 2000 software, all access to Active Directory
objects happens through LDAP. LDAP defines what operations is performed so as to
question and modify info in a verydirectory and the way info in a
very directory is firmly accessed. Therefore, it's LDAP that you simply use to seek out or
enumerate directory objects and to question or administer Active Directory. (For a lot
of concerning LDAP, see the section "Lightweight Directory Access Protocol.")
It is doable to question by LDAP distinguished name (which is itself associate attribute of
the object),however as a result of they're troublesome to recollect,
LDAP additionally supports querying bydifferent attributes (for example, color to seek
out color printers). This enables you to noticeassociate object while not having to grasp the
distinguished name.
The following 3 subsections describe Active Directory-supported object-naming formats
that ar allsupported the LDAP distinguished name:
• LDAP DN and RDN names.
• LDAP URLs.
• LDAP-based canonical names.
LDAP DN and RDN Names
LDAP provides distinguished names (DNs) and relative distinguished names (RDNs) for
objects8. Active Directory implements these LDAP naming conventions with the variations
shown in Table two.
Table two LDAP naming conventions and their Active Directory counterparts
LDAP DNRDN Naming Convention Corresponding Active Directory Naming Convention
cn=common name cn=common name
ou=organizational unit ou=organizational unit
o=organization dc=domain part
c=country (not supported)
Note: cn=, ou=, etc ar attribute sorts. The attribute sort wont to describe associate object's
RDN is termed the naming attribute. The Active Directory naming attributes, shown on the
correct higher than, ar for the subsequent Active Directory object classes:
• cn is employed for the user object category
• ou is employed for the structure unit (OU) object category
• dc is employed for the domainDns object category
Every Active Directory object has associate LDAP DN. Objects ar placed at intervals Active
Directory domains in step with a hierarchical path, which has the labels of the Active
Directory nameand every level of instrumentality objects. the total path to the
article is outlined by the DN. The name of the article itself is outlined by the RDN. The RDN
is that phase of associate object's DNthat's associate attribute of the article itself.
By exploitation the total path to associate object, as well as the article name and every
one parent objects to the basis of the domain, the DN identifies a novel object at
intervals the domain hierarchy.every RDN is hold on within the Active
Directory information and contains a respect to its parent.throughout associate LDAP
operation, the complete DN is built by following the references to the basis. in a
very complete LDAP DN, the RDN of the article to be known seems at the left with the
name of the leaf, and it ends at the correct with the name of the basis, as shown during
this example:
cn=JDoe,ou=Widgets,ou=Manufacturing,dc=USRegion,dcOrgName.dc=com
The RDN of the JDoe user object is cn=JDoe, the RDN of contraption (the parent object of
JDoe) is ou=Widgets, and so on.
Active Directory tools don't show the LDAP abbreviations for the naming attributes (dc=,
ou=, or cn=). These abbreviations ar shown solely for
instance however LDAP acknowledges the parts of the DN. Most Active Directory
tools show object names in canonical type (described later). The Windows
2000 software uses the DN to
let associate LDAP shopper retrieve associate object's info from the directory, however no
Windows 2000 computer programme needs you to enter DNs. the expressuse of DNs,
RDNs, and naming attributes is needed only if you're writing LDAP-compliant programs or
scripts.
LDAP uniform resource locator Names
Active Directory supports access exploitation the LDAP protocol from any LDAP-
enabled shopper. RFC 1959 describes a format for associate LDAP Uniform
Resource surveyor (URL) that lets netpurchasers have direct access to the LDAP protocol.
LDAP URLs are employed in scripting.associate LDAP uniform resource locator begins with
the prefix "LDAP," then it names the server holding Active Directory services followed by the
attributed name of the article (the distinguished name). as an example:
LDAP://server1.USRegion.OrgName.com/cn=JDoe,ou=Widgets,ou=Manufacturing,dc=USR
egion,dcOrgName,dc=com
LDAP-based Active Directory Canonical Names
By default, Active Directory body tools show object names exploitation the canonical name
format,that lists the RDNs from the basis downward and while not the RFC 1779 naming
attribute descriptors (dc=, ou=, or cn=). The canonical name uses the DNS name format,
that is, the constituents of the domain labels section of the name ar separated by periods—
USRegion.OrgName.com. Table three contrasts the LDAP DN with identical name in
canonical name format.
Table three LDAP DN format contrasted with the canonical name format
Same Name in 2 Formats
LDAP DN Name:
cn=JDoe,ou=Widgets,ou=Manufacturing,dc=USRegion,dcOrgName.dc=com
Canonical Name: USRegion.OrgName.com/Manufacturing/Widgets/JDoe
Object GUIDs
In addition to its LDAP DN, each object in Active Directory features
a globally distinctive symbol(GUID), a 128-bit variety assigned by the Directory System
Agent once the article is formed. The GUID, that can't be altered or removed, is hold
on in associate attribute, objectGUID, that may be aneeded attribute for each object. in
contrast to a DN or RDN, which may be modified, the GUIDne'er changes.
When storing a respect to a vigorous Directory object in associate external store (for
example, a Microsoft SQL Server™ database), the objectGUID price ought to be used.
Logon Names: UPN and guided missile Account Names
As delineate earlier, security principals ar objects to that Windows-based security is applied
for eachlogon authentication and resource access authorization. Users ar one kind
of security principal. within the Windows 2000 software, user security principals need a
novel logon name to realize access to a website and its
resources. subsequent 2 subsections describe the 2 styles of logon names—UPN
and guided missile account names.
User Principal Name
In Active Directory, every user account features a user principal name (UPN) within
the format @. A UPN may be a friendly name assigned by associate administrator that's shorter than
the LDAP distinguished name employed by the system and easier to recollect. The UPN is freelance of
the user object's DN, therefore a user object is stirred or renamed while not touching the user logon
name. once work on employing a UPN, users now not need to opt for a website from an inventoryon the
logon panel.
The UPN's 3 components ar the UPN prefix (user logon name), the @ character, and also the UPN suffix
(usually, a website name). The default UPN suffix for a user account is that the DNS name of the Active
Directory domain wherever the user account is located9. as an example, the UPN for user John
Doe, World Health Organization features a user account within the OrgName.com domain (if
OrgName.com is that the solely domain within the tree), is [email protected] UPN
isassociate attribute (userPrincipalName) of the safety principal object. If a user object's
userPrincipalName attribute has no price, the user object features a default UPN of
userName@DnsDomainName.
If your organization has several domains forming a deep domain tree, organized by department and
region, default UPN names will become unwieldy. as an example, the default UPN for a user could
besales.westcoast.microsoft.com. The logon name for a user in this domain is
[email protected]. rather than acceptive the default DNS name because theUPN
suffix, you'll modify each administration and user logon processes by providing one UPN suffix for all
users. (The UPN suffix is employed solely at intervals the Windows 2000 domain and isn'tneeded to be a
legitimate DNS name.) you'll like better to use your e-mail name because the UPN suffix—
[email protected]. this provides the user within the example the UPN name of
[email protected].
For a UPN–based logon, a world catalog is also necessary, betting on the user work on, and also
the domain membership of the user's pc. a world catalog is required if the user logs on with a non-
default UPN and also the user's machine account is in a very totally different domain than the user's
user account. That is, if, rather than acceptive the default DNS name because the UPN suffix (aswithin
the example simply given, [email protected]), you give one UPN suffix for all users
(so that the user then becomes merely user@ microsoft.com), a world catalog is needed for logon.
You use the Active Directory Domains and Trusts tool to manage UPN suffixes for a website.
UPNs arassigned at the time a user is formed. If you've got created extra suffixes for the
domain, you'llchoose from the list of obtainable suffixes after you produce the user or cluster account.
The suffixes seem within the list within the following order:
• Alternate suffixes (if any; last one created seems first).
• Root domain.
• The current domain.
SAM Account Name
A Security Account Manager (SAM) account name is needed for compatibility with
Windowsnongovernmental organization three.x and Windows nongovernmental organization four.0
domains. The Windows 2000 computer programme refers to the guided missile account namebecause
the "User logon name (pre-Windows 2000)."
SAM account names ar generally cited as flat names because—unlike DNS names—SAM account
names don't use hierarchical naming. as a result of guided
missile names ar flat, each should bedistinctive within the domain.
Object commercial enterprise
Publishing is that the act of making objects within the directory that either directly contain the
knowledge you wish to form accessible or give a respect to it. as an example, a user object
contains helpful info concerning users, like their phonephone numbers and e-mail addresses, and a
volume object contains a respect to a shared filing system volume.
Here ar 2 examples—publishing file and print objects in Active Directory:
• Share commercial enterprise. you'll publish a shared folder as a volume object (also referred to asa
shared folder object) in Active Directory, exploitation the Active Directory Users and teams snap-in.this
suggests that users will currently simply and quickly question Active Directory for that shared folder.
• Printer commercial enterprise. in a very Windows 2000 domain, the best thanks to manage, locate,
and hook up with printers is thru Active Directory. By default10, after you add a printer exploitationthe
Add Printer wizard and elect to share the printer, Windows 2000 Server publishes it within thedomain
as associate object in Active Directory. commercial enterprise (listing) printers in Active Directory lets
users find the foremost convenient printer. Users will currently simply questionActive Directory for
any of those printers, looking out by printer attributes like sort (PostScript, color, legal-sized paper, and
then on) and placement. once a printer is far from the server, it'sunpublished by the server.
You can additionally publish non-Windows 2000-based printers (that is, printers on non-Windows 2000-
based print servers) in Active Directory. To do so, use the Active Directory Users and Computers tool to
enter the universal naming convention (UNC) path for the printer. instead, use the Pubprn.vbs script
provided within the System32 folder. The cluster Policy Downlevel Printer Pruning
determineshowever the pruning service (automatic removal of printers) handles printers on non-
Windows 2000-based print servers once a printer isn't accessible.
When to Publish
You should publish info in Active Directory once it's helpful or fascinating to an outsized a part ofthe
user community and once it has to be extremely accessible.
Information printed within the Active Directory has 2 major characteristics:
• Relatively static. Publish solely info that changes occasionally. phonephone numbers and e-mail
addresses ar samples of comparatively static info appropriate for commercial enterprise. The
user's presently elite e-mail message is associate example of extremely volatile info.
• Structured. Publish info that's structured and might be delineated as a group of separateattributes. A
user's address is associate example of structured info appropriate for commercial
enterprise. associate audio clip of the user's voice is associate example of unstructured info highersuited
to the filing system.
Operational info employed by applications is a superb candidate for commercial enterprise in Active
Directory. This includes world configuration info that applies to any or all instances of a given
application. as an example, a {relational information|electronic database|on-line database|computer
database|electronic information service} product might store the default configuration for database
servers as associate object in Active Directory. New installations of that product will then collect the
default configuration from the article, simplifying the installation method associated enhancing the
consistency of installations in an enterprise.
Applications may also publish their affiliation points in Active Directory. affiliation points ar used for a
client/server rendezvous. Active Directory defines associate design for integrated service
administration exploitation Service Administration purpose objects and
provides commonplaceaffiliation points for Remote Procedure decision (RPC), Winsock, and part Object
Model (COM)-based applications. Applications that don't use the RPC or Winsock interfaces
for commercial enterprise their affiliation points will expressly publish Service affiliation purpose objects
in Active Directory.
Application information may also be printed within the directory exploitation application-specific
objects. Application-specific information ought to meet the factors mentioned higher
than.information ought to be globally fascinating, comparatively non-volatile, and structured.
How to Publish
The suggests that of commercial enterprise info varies in step with the appliance or service:
• Remote Procedure decision (RPC). RPC applications use the RpcNs* family of arthropod genus to
publish their affiliation points within the directory and to question for the affiliation points of services
that have printed theirs.
• Windows Sockets. Windows Sockets applications use the Registration and determination family
ofarthropod genus accessible in Winsock two.0 to publish their affiliation points and question for
theaffiliation points of services that have printed theirs.
• Distributed part Object Model (DCOM). DCOM services publish their affiliation points exploitationthe
DCOM category Store, that resides in Active Directory. DCOM is that the Microsoft part Object Model
(COM) specification that defines however parts communicate over Windows-based networks. Use the
DCOM Configuration tool to integrate client/server applications across multiple computers. DCOM may
also be wont to integrate sturdy browser applications.
Domains: Trees, Forests, Trusts, and OUs
Active Directory is formed of one or a lot of domains. making the initial domain controller in a
verynetwork additionally creates the domain—you cannot have a website while not a minimum of one
domain controller. every domain within the directory is known by a DNS name. you employ the Active
Directory Domains and Trusts tool to manage domains.
You use domains to accomplish the subsequent network management goals:
• Administrative Boundaries.A Windows 2000 domain defines associate body boundary. Security policies
and settings (such as account policies and cluster policies) don't cross from one domain to a different.
Active Directory will embrace one or a lot of domains, every having its own security policies. However,
domains in Active Directory don't give isolation from one another, and ar so no security
boundaries. solely the forest constitutes a security boundary.
• Replicate info. a website may be a Windows 2000 directory partition (also referred to as a Naming
Context). These directory partitions ar the units of replication. every domain stores solely the
knowledge concerning the objects placed in this domain. All of a domain's domain controllers willreceive
changes created to things, and might replicate those changes to any or all different domain
controllers in this domain.
• Apply cluster Policy. a website defines one doable scope for policy (Group Policy settings may alsobe
applied to structure units or sites). Applying a bunch Policy object (GPO) to the domain
establisheshowever domain resources is designed and used. as an example, you'll use cluster Policy to
regulate desktop settings, like desktop imprisonment and application preparation. These
policies arapplied solely at intervals the domain and not across domains.
• Structure the network. as a result of one Active Directory domain will span multiple sites and
mightcontain scores of objects11, most organizations don't ought to produce separate domains
toreplicate the company's divisions and departments. It ought to ne'er be necessary to
form extradomains to handle extra objects. However, some organizations do need over one domain to
accommodate, as an example, freelance or fully autonomous business units that don't need anyone
external to their unit to own authority over their objects. Such organizations will produce extradomains
and organize them into a vigorous Directory forest. one more reason to separate the network into
separate domains is that if 2 components of your network ar separated by a linktherefore slow that you
simply ne'er need complete replication traffic to cross it. (For slow links that may still handle replication
traffic on a less frequent schedule, you'll put together one domain with multiple sites.)
• Delegate body authority. In networks running Windows 2000, you'll narrowly delegate body authority
for individual structure units still as for individual domains, that reduces the
amount of directorsrequired with wide body authority. as a result of a
website is associate body boundary, bodypermissions for a website ar restricted to the domain by
default. as an example, associateadministrator with permissions to line security policies in one
domain isn't mechanically granted authority to line security policies in the other domain within
the directory. However, domains in a vigorous Directory forest ar tightly
coupled. associate administrator in one domain will perpetuallynotice ways that to grant himself access
to resources in different domains within the forest, albeitthe administrator of the opposite domain has
not specifically allowed the access.
Understanding domains includes understanding trees, forests, trusts, and structure units, and the
wayevery of those structures relates to domains. every of those domain parts is delineate within
thefollowing subsections:
• Trees
• Forests
• Trust Relationships
• Organizational units
The Windows 2000 software additionally introduces the connected conception of
websites,however web site structure and domain structure ar separate—
to give for versatile administration—so sites ar handled in a very later section. This paper presents the
fundamentals concerningWindows 2000-based domains and sites. For careful info concerning the way
to arrange their structure and preparation, see the Microsoft Windows 2000
Server preparation designing Guide in "For a lot of Information" at the top of this document.
When reading the subsequent subsections describing doable domain structures, confine mind thatfor
several organizations, a structure consisting of 1 domain that's at the same time one forest consisting of
1 tree isn't solely doable, however is also the optimum thanks to organize your
network. perpetually begin with the best structure and add complexness only if you'll justify
doingtherefore.
Trees
In the Windows 2000 software, a tree may be a set of 1 or a lot of domains with contiguous names.
Ifover one domain exists, you'll mix the multiple domains into hierarchical tree structures.
One doablereason to own over one tree in your forest is that if a division of your organization has its
own registered DNS name and runs its own DNS servers.
The first domain created is that the root domain of the primary tree. extra domains within the same
domain tree ar kid domains. a website directly higher than another domain within the same domain tree
is its parent.
All domains that have a standard root domain ar aforementioned to make a contiguous namespace.
Domains in a very contiguous namespace (that is, in a very single tree) have contiguous DNS names
that ar shaped within the following way: The domain name of the kid domain seems at the left,
separated from the name of its parent domain to its right by
a amount. once there ar over 2 domains,every domain has its parent to its right within the name, as
shown in Figure three. Windows 2000-based domains that type a tree ar coupled by trust relationships
that ar each two-way and transitive. These trust relationships ar delineate later.

Figure 3: Parent and kid domains in a very domain tree. Double-headed arrows indicate two-
waytransitive trust relationships
The parent-child relationship between domains in a very domain tree may be a naming relationship and
a trust relationship solely. directors in a very parent domain don't seem to be mechanicallydirectors of a
toddler domain, and policies set in a very parent domain don't mechanically apply tokid domains.
Forests
An Active Directory forest may be a distributed information, that may be
a information created ofseveral partial databases unfold across multiple computers. Distributing
{the information|the info|the information}base will increase network potency by lease the data
be placed wherever it's most used. The forest's information partitions ar outlined by domains, that is, a
forest consists of 1 or a lot of domains.
All domain controllers in a very forest host a duplicate of the forest Configuration and Schema
containers additionally to a website information. a website information is one a part of a
forestinformation. every domain information contains directory objects, like security principal objects
(users, computers, and groups) to that you'll grant or deny access to network resources.
Often, a single forest, that is easy to form and maintain, will meet associate organization's desires.
With one forest, users don't ought to bear in mind of directory structure as a result of all users
seeone directory through the world catalog. once adding a replacement domain to the forest,
no extratrust configuration is needed as a result of all domains in a very forest ar connected by two-
way,transitive trust. in a very forest with multiple domains, configuration changes would like be
appliedjust one occasion to have an effect on all domains.
You should not produce extra forests unless you've got a transparent ought to do therefore, as a result
of every forest you produce ends up in extra management overhead12. One doable reason to
form over one forest is that if administration of your network is distributed among multiple autonomous
divisions that can't agree on the common management of the schema and configuration containers.one
more reason to form a separate forest is to confirm that specific users will ne'er be granted access
to bound resources (in one forest, every user is enclosed in any cluster or will seem on a discretionary
access management list, or DACL13, on any pc within the forest). With separate
forests, you'll outline express trust relationships to grant users in one forest access
to boundresources within the different forest. (For associate example of 2 forests, see
Figure seven within the section "Example: Mixed surroundings of 2 Forests and One Extranet.")
Multiple domain trees at intervals one forest don't type a contiguous namespace; that's, they
neednoncontiguous DNS domain names. though trees in a very forest don't share a namespace, a
forestwill have one root domain, referred to as the forest root domain. The forest root domain is, by
definition, the primary domain created within the forest. the 2 forest-wide predefined groups—
Enterprise directors and Schema administrators—reside during this domain.
For example, as shown in Figure four, though 3 domain trees (HQ-Root.com, EuropeRoot.com, and
AsiaRoot.com) every have a toddler domain for Accounting named "Acct", the DNS names for
thesekid domains ar Acct.HQ-Root.com, Acct.EuropeRoot.com, and
Acct.AsiaRoot.com, severally. there'sno shared namespace.

Figure 4: One forest with 3 domain trees. The 3 root domains don't seem to be contiguous with one
another, however EuropeRoot.com and AsiaRoot.com ar kid domains of HQ-Root.com.
The root domain of every domain tree within the forest establishes a transitive trust relationship
(explained in additional detail within the next section) with the forest root domain. In Figure four, HQ-
Root.com is that the forest root domain. the basis domains of the opposite domain trees,
EuropeRoot.com and AsiaRoot.com, have transitive trust relationships with HQ-Root.com. This
establishes trust across all the domain trees within the forest.
All Windows 2000 domains altogether of the domain trees in a very forest possess the subsequenttraits:
• Have transitive trust relationships among the domains at intervals every tree.
• Have transitive trust relationships among the domain trees in a very forest.
• Share common configuration info.
• Share a standard schema.
• Share a standard world catalog.
Important: Adding new domains to a forest is simple. However, you can not move existing Windows
2000 Active Directory domains between forests. you'll take away a website from the forest provided
that it's no kid domains. when a tree root domain has been established, you can not add a websitewith a
higher-level name to the forest. you can not produce a parent of associate existing
domain;you'll solely produce a toddler.
Implementing each domain trees and forests enables you to use each contiguous and noncontiguous
naming conventions. This flexibility is helpful, as an example, in firms with freelance divisions that
every needs to keep up its own DNS name, like Microsoft.com and MSNBC.com.
Trust Relationships
A trust relationship may be a relationship established between 2 domains that enables users in one
domain to be recognized by a website controller within the different domain. Trusts let users access
resources within the different domain and additionally let directors administer user rights for
userswithin the different domain. For computers running Windows 2000, account authentication
between domains is enabled by two-way, transitive trust relationships.
All domain trusts in a very Windows 2000-based forest ar two-way and transitive, outlined within
thefollowing way:
• Two-way. after you produce a replacement kid domain, the kid domain mechanically trusts the parent
domain, and contrariwise. At the sensible level, this suggests that authentication requests ispassed
between the 2 domains in each directions.
• Transitive. A transitive trust reaches on the far side the 2 domains within the initial trust relationship.
Here is however it works: If Domain A and Domain B (parent and child) trust one anotherand if Domain
B and Domain C (also parent and child) trust one another, then Domain A and Domain C trust one
another (implicitly), although no express trust relationship between them exists. At the extent of the
forest, a trust relationship is formed mechanically between the forest root domain and also the root
domain of every domain tree else to the forest, with the result that complete trust exists between all
domains in a vigorous Directory forest. At the sensible level, as a result of trust
relationships ar transitive, one logon method lets the system evidence a user (or computer) in any
domain within the forest. This single logon method probably lets the account access resources on any
domain within the forest.
Note, however, that the one logon enabled by trusts doesn't essentially imply that the echt user has
rights and permissions altogether domains within the forest.
In addition to the forest-wide two-way transitive trusts generated mechanically within the Windows
2000 software, you'll expressly produce the subsequent 2 extra styles of trust relationships:
• Shortcut Trusts. Before associate account is granted access to resources by a website controller in
another domain, Windows 2000 computes the trust path between the domain controllers for
the supplydomain (where the account is located) and also the target domain (where the
required resource is located). A trust path is that the series of domain trust relationships Windows 2000
security traversesso as to pass authentication requests between any 2 domains. Computing and
traversing a trust path between domain trees in a very complicated forest will take time. to
enhance performance, you'llexpressly (manually) produce a road trust between non-adjacent Windows
2000 domains within thesame forest. road trusts ar unidirectional transitive trusts that alter you to
shorten the trail, as shown in Figure five. you'll mix 2 unidirectional trusts to form a two-way trust
relationship. thoughyou can not revoke the default two-way transitive trusts mechanically established
among all domainsin a very Windows 2000 forest, you'll delete expressly created road trusts.

Figure 5: road trusts between Domains B and D, and between Domains D and a pair of
• External Trusts. External trusts produce trust relationships to domains in a very totally
differentWindows 2000 forest or to a non-Windows 2000 domain (either a Windows nongovernmental
organization domain or a Kerberos version five realm14). External trusts alter user authentication
toassociate external domain. All external trusts ar unidirectional non-transitive trusts, as shown in
Figure six. Again, you'll mix 2 unidirectional trusts to form a two-way trust relationship.

Figure 6: unidirectional external non-transitive trust

In the Windows nongovernmental organization four.0 (and earlier) software, trust
relationships arunidirectional, and trust is restricted to the 2 domains between that the trust is
established (they arnon-transitive). after you upgrade a Windows NT–based domain to a Windows
2000–based one, the prevailing unidirectional trust relationships between that domain and the
other Windowsnongovernmental organization domains ar maintained. If you put in a
replacement Windows 2000 domain and need to ascertain trust relationships with
Windows nongovernmental organizationdomains, you need to produce Windows 2000 external trusts
with those domains. To expresslyestablish a trust relationship, you employ the Active Directory Domains
and Trusts tool.
Example: Mixed surroundings of 2 Forests and One Extranet
Figure seven illustrates a mixed surroundings with 2 Windows 2000 forests and a
Windowsnongovernmental organization four.0 domain. within the figure, four separate
namespaces arimplemented: A.com, D.com, G.com, and F.

Figure 7: A network with 2 forests and one extranet

Figure seven illustrates the subsequent state of affairs:
• A.com and D.com ar the roots of separate trees in Forest one. (A.com is that the forest root domain.)
The two-way, transitive, tree-root trust between them (automatically generated by Windows 2000)
provides complete trust between all domains within the 2 trees of Forest one.
• E.D.com often uses resources in C.A.com. To shorten the trust path between the 2 domains, C.A.com
trusts E.D.com directly. This unidirectional, transitive road trust shortens the trust path (reduces the
amount of hops) for authenticating E.D.com users in order that they will expeditiouslyuse resources in
C.A.com.
• G.com is that the root of one tree that creates up Forest two. the automated two-way, transitivetrust
between G.com and H.G.com lets users, computers, and teams in each domains be granted access to
every others' resources.
• Domain G.com in Forest two implements a certain unidirectional external trust relationship with
domain D.com in Forest one so users in domain D.com is granted access to resources in domain
G.com. as a result of the trust is nontransitive, no different domains in Forest one is granted access to
resources in G.com, and users, groups, and computers from D.com can't be granted access to resources
in H.G.com.
• Domain F may be a Windows nongovernmental organization four.0 domain that gives support services
to the users in E.D.com. This unidirectional nontransitive trust doesn't be the otherdomains in
Forest one. during this state of affairs, the Windows nongovernmental organizationfour.0 domain
is associate extranet. (An extranet is associate computer network that's partaccessible
to licensed outsiders. associate computer network resides behind a firewall and is
inaccessible, however associate extranet provides restricted access to individuals outside the
organization.)
Organizational Units
New within the Windows 2000 software, structure units (also referred to as OUs) ar a sort of directory
object into that you'll place users, groups, computers, printers, shared folders,
and differentstructure units at intervals one domain. associate structure unit (represented as a
folder within theActive Directory Users and Computers interface) enables you to logically organize and
store objectswithin the domain. If you've got multiple domains, every domain will implement its
own structure unit hierarchy.
As Figure eight illustrates, structure units will contain different structure units.

Figure 8: structure unit hierarchy within one domain

You use structure units primarily to delegate body authority over sets of users, groups, and resources. as
an example, you may produce associate structure unit to contain all user accounts for your entire
company. when making structure units to delegate administration, apply cluster Policy settings to
the structure units to outline desktop configurations for users and computers. as a result of you
employ structure units to delegate administration, the structure you produce can most
likelyreplicate your body model over your concern.
Although it's doable for users to navigate a domain's structure unit structure once craving forresources,
querying the world catalog to seek out resources is way a lot of economical. Therefore,it's not
necessary to form associate structure unit structure that appeals to end-users. it'sadditionally doable to
form associate structure unit structure that mirrors
your concern, howeverdoing therefore will prove troublesome and dear to manage. rather
than making associatestructure unit structure to replicate resource location
or division organization, style structure units with body delegation and cluster Policy settings in mind.
For a lot of info concerning establishing delegation and cluster Policy exploitation structure units, see
the section "Use Delegation and cluster Policy with OUs, Domains, and Sites."
For careful infoconcerning the way to style associate structure unit structure once designing the way
toimplement Windows 2000, see the Microsoft Windows 2000
Server preparation designing Guidewithin the section "For a lot of Information" at the top of this
document.
Sites: Service purchasers and Replicate information
You can consider a Windows 2000-based web site as a group of computers in one or a lot of IPsubnets
connected exploitation native space Network (LAN) technologies, or as a group of LANs connected by a
high-speed backbone. Computers in a very single web site ought to be socially connected, that is
mostly a characteristic of computers at intervals a subnet. In distinction, separate sites ar connected by
a link that's slower than local area network speed. you employ the Active Directory Sites and Services
tool to put together connections each at intervals a web site(within a local area network or a
group of socially connected LANs) and between sites (in a WAN).
In the Windows 2000 software, sites give the subsequent services:
• Clients will request service from website} controller within the same site (if one exists).
• Active Directory tries to reduce replication latency for intra-site replication.
• Active Directory tries to reduce information measure consumption for inter-site replication.
• Sites allow you to schedule inter-site replication.
Users and services ought to be able to access directory info at any time from any pc within theforest. to
form this doable, additions, modifications, and deletions of directory information should be relayed
(replicated) from the originating domain controller to different domain controllers within theforest.
However, the requirement to wide distribute directory info should be balanced against the
requirement to optimize network performance. Active Directory sites facilitate maintain this balance.
It is necessary to know that sites ar freelance of domains. Sites map the organic structure of your
network, whereas domains (if you employ over one) usually map the logical structure of your
organization. Logical and physical structures ar freelance of every different, that has the
subsequent consequences:
• There isn't any necessary affiliation between sites and domain namespaces.
• There isn't any necessary correlation between your network's organic structure and its domain
structure. However, in several organizations, domains ar originated to replicate physical network
structure. this can be as a result of domains ar partitions, and partitioning influences replication—
partitioning the forest into multiple, smaller domains will cut back the number of replication traffic.
• Active Directory lets multiple domains seem in a very single web site and one domain seem in multiple
sites.
How Active Directory Uses web site info
You specify web site info exploitation Active Directory web site and Services, then Active Directory uses
this info to work out however best to use accessible network resources. exploitation sites makes the
subsequent styles of operations a lot of efficient:
• Servicing shopper requests. once a shopper requests a service from a website controller, it directs the
request to website} controller within the same site, if one is offered. choosing a
websitecontroller that's well connected to the shopper that placed the request makes handling the
request a lot of economical. as an example, once a shopper logs on employing a domain account, the
logon mechanism 1st searches for domain controllers that ar within the same web site because
theshopper. making an attempt to use domain controllers within the client's web site 1st localizes
network traffic, increasing the potency of the authentication method.
• Replicating directory information. Sites alter the replication of directory information each at
intervals and among sites. Active Directory replicates info at intervals a web site a lot of often than
across sites, which implies that the best-connected domain controllers, those presumably to
wantexplicit directory info, receive replications 1st. The domain controllers in different sites receive all
changes to the directory, however less often, reducing network information measure consumption.
Replicating Active Directory information among domain controllers provides info convenience, fault
tolerance, load reconciliation, and performance edges. (For a proof of however the Windows
2000software implements replication, see the subdivision "Multimaster Replication" at the top of this
section on Sites.)
Domain Controllers, world Catalogs, and Replicated information
The information hold on in Active Directory on each domain controller (whether or not it's a
worldcatalog server) is partitioned off into 3 categories: domain, schema, and
configuration information.every of those classes is in a very separate directory partition, that is
additionally referred to as a Naming Context. These directory partitions ar the units of replication.
The 3 directory partitions that every Active Directory server holds ar outlined as follows:
• Domain information directory partition. Contains all of the objects within the directory for this
domain. Domain information in every domain is replicated to each domain controller in
this domain,however not on the far side its domain.
• Schema information directory partition. Contains all object sorts (and their attributes) that may be
created in Active Directory. This information is common to any or all domains within the domain tree or
forest. Schema information is replicated to any or all domain controllers within the forest.
• Configuration information directory partition. Contains replication topology
and connectedinformation. Active Directory-aware applications store info within the Configuration
directory partition. This information is common to any or all domains within the domain tree or forest.
Configuration information is replicated to any or all domain controllers within the forest.
If the domain controller may be a world catalog server, it additionally holds a fourth class of
information:
• Partial reproduction of domain information directory partition for all domains. additionally to storing
and replicating an entire set of all objects within the directory for its own host domain, a world catalog
server stores and reproductiontes a partial replica of the domain directory partition for
all differentdomains within the forest. This partial reproduction, by definition, contains a set of the
properties for all objects altogether domains within the forest. (A partial reproduction is read-only,
whereas an entire reproduction is read/write.)
If a website contains a world catalog, different domain controllers replicate all objects in this domain
(with a set of their properties) to the world catalog, then partial reproduction replication takes place
between world catalogs. If a website has no world catalog, an everyday domain
controller is thesupply of the partial reproduction.
By default, the partial set of attributes hold on within the world catalog includes those attributes most
often employed in search operations, as a result of one in every of the first functions of the worldcatalog
is to support purchasers querying the directory. exploitation world catalogs to perform partial domain
replication rather than doing full domain replication reduces WAN traffic.
Replication at intervals a web site
If your network consists of one native space network (LAN) or a group of LANs connected by a high-
speed backbone, the complete network is one web site. the primary domain controller you put
inmechanically creates the primary web site, referred to as the Default-First-Site-Name. whenputting
in the primary domain controller, all extra domain controllers ar mechanically else toidentical web
site because the original domain controller. (Later, if you would like, you'll move them to different sites).
Here is that the solely exception: If, at the time you put in a website controller, itsIP address falls at
intervals the subnet antecedently per an alternate web site, the domain controller is then else to the
current different web site.
Directory info at intervals a web site is replicated often and mechanically. Intra-site replication is
tuned to reduce replication latency, that is, to stay the information as up-to-date as doable. Intra-site
directory updates don't seem to be compressed. Uncompressed exchanges utilize a lot of network
resources however need less domain controller process power.
Figure nine illustrates replication at intervals a web site. 3 domain controllers (one of that may be
aworld catalog) replicate the forest's schema information and configuration information, still as all
directory objects (with an entire set of every object's attributes).

Figure 9: Intra-site replication with only 1 domain

The configuration shaped by the connections wont to replicate directory info between domain
controllers, referred to as the replication topology, is mechanically generated by
the informationConsistency Checker (KCC) service in Active Directory. Active Directory web
site topology may be alogical illustration of a physical network and is outlined on a per-forest basis.
Active Directory makes an attempt to ascertain a topology that enables a minimum of 2 connections to
each domain controller, therefore if a website controller becomes out of stock, directory info will still
reach all on-line domain controllers through the opposite affiliation.
Active Directory mechanically evaluates and adjusts the replication topology to fulfill the ever-
changing state of the network. as an example, once website} controller is else to a site, the replication
topology is adjusted to include this new addition expeditiously.
Active Directory purchasers and servers use the forest's web site topology to route question and
replication traffic expeditiously.
If you expand your preparation from the primary domain controller in one domain to multiple domain
controllers in multiple domains (still at intervals one site), the directory info that's reproductionted
changes to incorporate the replication of the partial replica between world catalogs in severaldomains.
Figure ten shows 2 domains, every containing 3 domain controllers. One domain controller inevery web
site is additionally a world catalog server. at intervals every domain, the domain controllers replicate the
forest's schema information and configuration information, still as all directory objects (with an
entire set of every object's attributes), even as in Figure nine. additionally,every world catalog replicates
the directory objects (with solely a set of their attributes) for its own domain to the
opposite world catalog.

Figure 10: Intra-site replication with 2 domains and 2 world catalogs

Replication between Sites
Create multiple sites to optimize each server-to-server and client-to-server traffic over WAN links.within
the Windows 2000 software, inter-site replication mechanically minimizes information
measure consumption between sites.
Recommended practices once putting in multiple sites embrace the following:
• Geography. Establish each geographic region that needs quick access to the most
recentdirectory info as a web site. Establishing areas that need immediate access to up-to-date Active
Directory info as separate sites provides the resources needed to fulfill your users' desires.
• Domain controllers and world catalogs. Place a minimum of one domain controller in each web site,
and build a minimum of one domain controller in every web site a world catalog. Sites that don'thave
their own domain controllers and a minimum of one world catalog ar passionate aboutdifferent sites for
directory info and ar less economical.
How Sites ar Connected
Network connections between web sites ar delineated by site links. A web site link may be a low-
bandwidth or unreliable affiliation between 2 or a lot of sites. A WAN that connects 2 quick networks
is associate example of a web site link. Generally, contemplate any 2 networks connected by a
linkthat's slower than local area network speed to be connected by a web site link. additionally, a
quicklink that's close to capability features a low effective information measure and is
additionallythought-about a web site link. after you have multiple sites, web sites connected by site links
become a part of the replication topology.
In a Windows 2000-based network, web site links don't seem to be mechanically generated—
youshould produce them exploitation Active Directory Sites and Services. By making web site links and
configuring their replication convenience, relative value, and replication frequency, you give Active
Directory with info concerning what affiliation objects to form to copy directory information. Active
Directory uses web site links as indicators for wherever it ought to produce affiliation objects,
andaffiliation objects use the particular network connections to exchange directory info.
A web site link has associate associated schedule that indicates at what times of day the link is
offered to hold replication traffic.
By default, web site links ar transitive, which implies that {a domain|a website|a {site|website|webweb
site}} controller in one site will build replication connections with domain controllers in the othersite.
That is, if {site|website|web web site} A is connected to site B, and {site|website|web web site} B is
connected to site C, then domain controllers in {site|website|web web site} A will communicate with
domain controllers in site C. after you produce a web site, you'll need to form extra links to alterspecific
connections between web sites and customise existing site links connecting the sites.
Figure eleven shows 2 web sites connected by a site link. Of the six domain controllers within
thefigure, 2 ar bridgehead servers (the bridgehead server role is assigned mechanically by the system).

Figure 11: 2 web sites connected by a site link. every site's most well-liked bridgehead server is
employed preferentially for inter-site info exchange.
The bridgehead servers ar the popular servers for replication, however you'll additionally put
together the opposite domain controllers within the web site to copy directory changes between sites.
After updates ar replicated from one {site|website|web web site} to the bridgehead server within
thedifferent site, the updates ar then replicated to different domain controllers at intervals the
locationthrough intra-site replication. though one domain controller receives the initial inter-site
directory update, all domain controllers service shopper requests.
Replication Protocols
Directory info is changed exploitation the subsequent network protocols:
• IP replication. IP replication uses remote procedure calls (RPC) for replication at intervals a
{site|website|web web site} (intra-site) and over site links (inter-site). By default, inter-site IP replication
adheres to replication schedules. IP replication doesn't need a certification authority (CA).
• SMTP replication. If you've got a web site that has no physical affiliation to the remainder of you
network however that may be reached via easy Mail Transfer protocol (SMTP), that web site has mail-
based property solely. SMTP replication is employed just for replication between sites. you can not use
SMTP replication to copy between domain controllers within the same domain—only inter-domain
replication is supported over SMTP (that is, SMTP is used just for inter-site, inter-domain replication).
SMTP replication is used just for schema, configuration, and world catalog
partialreproduction replication. SMTP replication observes the mechanically generated replication
schedule.
If you select to use SMTP over web site links, you need to install associated put together an enterprise
certification authority (CA). The domain controllers acquire certificates from the CA, that the domain
controllers then use to sign and encipher the mail messages that contain directory
replicationinfo, making certain the genuineness of directory updates. SMTP replication uses 56-
bitcryptography.
Multimaster Replication
Active Directory domain controllers support multimaster replication,
synchronizing information onevery domain controller, and making certain consistency of
knowledge over time. Multimaster replication replicates Active Directory info among peer domain
controllers, every of that features aread-and-write copy of the directory. this can be a amendment from
the Windows nongovernmental organization Server software, within which solely the PDC had a read-
and-write copy of the directory (the BDCs received read-only copies from the PDC). Once designed,
replication is automatic and clear.
Update Propagation and Update Sequence Numbers
Some directory services use timestamps to sight and propagate changes. In these
systems, it'sessential to stay the clocks on all directory servers synchronous . Time synchronization in a
verynetwork is incredibly troublesome. Even with wonderful network time
synchronization, it's doablefor the time at a given directory server to be incorrectly set. this
could cause lost updates.
The Active Directory replication system doesn't rely upon time for update propagation. Instead, it uses
Update Sequence Numbers (USNs). A USN may be a 64-bit variety maintained by every Active Directory
domain controller to trace updates. once the server writes to any attribute, or property, on a
vigorous Directory object (including the originating write or a replicated write), the USN is advanced
and hold on with the updated property and with a property that's specific to the domain controller. This
operation is performed atomically—that is, the incrementing and storage of the USN and also the write
about the property price succeed or fail as one unit.
Each Active Directory-based server additionally maintains a table of USNs received from replication
partners. the best USN received from every partner is hold on during this table. once a given partner
notifies the directory server that replication is needed, that server requests all changes with
USNsbigger than the last price received. this easy approach doesn't rely upon the accuracy of
timestamps.
Because the USN hold on within the table is updated atomically for every update received,
recoverywhen a failure is additionally easy. To restart replication, a server merely asks its partners for all
changes with USNs bigger than the last valid entry within the table. as a result of the table is updated
atomically because the changes ar applied, associate interrupted replication cycle perpetually picks
up precisely wherever it left off, with no loss or duplication of updates.
Collision Detection and Property Version Numbers
In a multimaster replication system like Active Directory, it's doable for identical property to be updated
at 2 or a lot of totally different replicas. once a property changes in a very second (or third, or
fourth, and then on) reproduction before a amendment from the primary reproduction has
beentotally propagated, a replication collision happens. Collisions ar detected exploitation property
version numbers. in contrast to USNs, that ar server-specific values, a property version variety is
restricted to the property on a vigorous Directory object. once a property is 1st written to a
vigorousDirectory object, the property version variety is initialized.
Originating writes advance the property version variety. associate originating write may be a write to a
property at the system initiating the amendment. Property writes caused by replication don't seem to
be originating writes and don't advance the property version variety. as an example, once a user
updates his or her word, associate originating write happens and also the word property
versionvariety is advanced. Replication writes of the modified word at different servers don't advance
the property version variety.
A collision is detected once a amendment is received by replication within which the property
versionvariety received is up to the domestically hold on version variety, and also the received and hold
on values ar totally different. once this happens, the receiver applies the update that has the later
timestamp. this can be the sole scenario wherever time is employed in replication.
When the received property version variety is not up to the domestically hold on version variety, the
update is likely stale and discarded. once the received property
version variety is over thedomestically hold on version variety, the update is accepted.
Propagation moistening
The Active Directory replication system permits loops within the replication topology. this permits the
administrator to put together a replication topology with multiple methods among the servers for
performance and convenience. The Active Directory replication system performs
propagationmoistening to stop changes from propagating endlessly and to eliminate redundant
transmission of changes to replicas that ar already up-to-date.
The Active Directory replication system employs up-to-date vectors to dampen propagation. The up-to-
date vector may be a list of server–USN pairs control by every server. The up-to-date vector
at everyserver indicates the best USN of originating writes received from the server within the server–
USNcombine. associate up-to-date vector for a server in a very given web site lists all the
oppositeservers in this site15.
When a replication cycle begins, the requesting server sends its up-to-date vector to
the causationserver. The causation server uses the up-to-date vector to filter changes sent to the
requesting server. If the high USN for a given originating author is bigger than or up to the originating
write USN for a specific update, the causation server doesn't ought to send the change; the requesting
server is already up-to-date with relevance the originating author.
Use Delegation and cluster Policy with OUs, Domains, and Sites
You can delegate body permissions for, and associate cluster Policy with, the subsequent Active
Directory containers:
• Organizational units
• Domains
• Sites
An structure unit is that the smallest Windows 2000 instrumentality to that you'll delegate authority or
apply cluster Policy16. each delegation and cluster Policy ar safety features of the Windows
2000software. This paper concisely discusses them within the restricted context of design to
indicatethat Active Directory structure determines however you employ instrumentality delegation
andcluster Policy.
Assigning body authority over structure units, domains, or sites enables you to delegate administration
of users and resources. distribution cluster Policy Objects (GPOs) to any of those 3styles
of instrumentalitys enables you to set desktop configurations and security policy for the users and
computers within the container. subsequent 2 subsections discuss these topics in additionaldetail.
Container Delegation
In the Windows 2000 software, delegation permits a better body authority to grant specific bodyrights
for structure units, domains, or sites to teams (or individuals). This greatly reduces the
amountof directors required with sweeping authority over giant segments of the user
population.authorization management of a instrumentality enables you to specify World Health
Organization has permissions to access or modify that object or its kid objects. Delegation is one in every
of the foremost necessary safety features of Active Directory.
Domain and OU Delegation
In the Windows nongovernmental organization four.0 software, directors generally delegate
administration by making multiple domains so as to own distinct sets of domain directors. within
theWindows 2000 software, structure units ar easier to form, delete, move, and modify than
domains,and that they ar so higher suited to the delegation role.
To delegate body authority (other than authority over sites, lined next), you grant a bunch specific rights
over a website or structure unit by modifying the container's discretionary access managementlist
(DACL)17. By default, members of the domain directors (Domain Admin) security cluster have authority
over the complete domain, however you'll prohibit membership during this cluster to
arestricted variety of extremely trusty directors. to ascertain directors with lesser scope, you'lldelegate
authority right down to very cheap level of your organization by making a tree of structureunits at
intervals every domain and authorization authority for components of the structure unit subtree.
Domain directors have full management over each object in their domain. However, they are doingnot
have body rights over objects in different domains18.
You delegate administration of a website or structure unit by exploitation the Delegation
ofmanagement wizard accessible within the Active Directory Users and Computers snap-in. Right-click
the domain or structure unit, choose Delegate management, add the teams (or users) to whomyou
wish to delegate management, then either delegate the listed common tasks, or produce a custom task
to delegate. The common tasks you'll delegate ar listed within the following table.

Domain Common Tasks you'll Delegate Organizational Unit Common Tasks you'll Delegate
• be part of a pc to a website
• Manage cluster Policy links • produce, delete, and manage user accounts
• Reset passwords for user accounts
• scan all user info
• Create, delete, and manage teams
• Modify the membership of a bunch
• Manage printers
• produce and delete printers
• Manage cluster Policy links
Using a combination of structure units, groups, and permissions, you'll outline the
foremostacceptable body scope for a specific group: a whole domain, a subtree of structure units,
or onestructure unit. as an example, you'll need to form associate structure unit that enables you
togrant body management for all user and pc accounts altogether branches
of one department, likeassociate Accounting department. instead, you'll need to
grant body management solely to some resources at intervals the department, like pc accounts. a
3rd example is to grant body managementfor the Accounting structure unit, however to
not any structure units contained at intervals the Accounting structure unit.
Because structure units ar used for body delegation and don't seem to be security principals themselves,
the parent structure unit of a user object indicates World Health Organization manages the user object.
It doesn't indicate that resources that individual user will access.
Site Delegation
You use Active Directory Sites and Services to delegate management for sites, server containers, inter-
site transports (IP or SMTP), or subnets. authorization management of 1 of those entitiesoffers the
delegated administrator the power to control that entity, however it doesn't provide the
administrator the power to manage the users or computers placed in it.
For example, after you delegate management of a web site, you'll like better to delegatemanagement of
all objects, otherwise you will delegate management for one or a lot of objectsplaced in this web site.
The objects that you'll delegate management embrace User objects, pcobjects, cluster objects, Printer
objects, structure Unit objects, Shared Folder objects, web siteobjects, web site Link objects, web
site Link Bridge objects, and so on. Then, you're prompted to pickthe scope of the permissions you
wish to delegate (general, property-specific, or just the creation/deletion of specific kid objects). If you
specify general, {you ar|you're} then are prompted to grant one or a lot of of the
subsequent permissions: Full management, Read, Write, produce All kidobjects, Delete
All kid objects, scan All Properties, or Write All Properties.
Group Policy
In Windows nongovernmental organization four.0, you employ the System Policy Editor to outlineuser,
group, and pc configurations hold on within the Windows nongovernmental organizationwritten
record information. within the Windows 2000 software, cluster Policy defines a wider type
of parts within the user's surroundings that directors will manage. These parts embrace settings for
registry-based policies, security choices, software package preparation choices, scripts (for pcstartup
and ending and for user go online and log off), and redirection of special folders19.
The system applies cluster Policy configuration settings to computers at boot time or to users after
they go online. cluster Policy settings ar applied to the users or computers in sites, domains,
andstructure units by linking the authority to the Active Directory instrumentality holding the users or
computers.
By default, cluster Policy affects all users and computers within the coupled instrumentality. you
employ membership in security teams to filter that GPOs {affect|have associate effect on} the users and
computers in an structure unit, domain, or site. This enables you to apply policy at a a lot ofgranular
level; that's, exploitation security teams enables you to apply policy to specific sets of objects at
intervals a instrumentality. To filter cluster policy during this method, you employ the safety tab on
a authority's Properties page to regulate World Health Organization will scan the GPO. people
who don't have Apply cluster Policy and skim each set to permit as members of a
security cluster won't have that authority applied to them. However, as a result of standard users have
these permissions by default, cluster Policy affects all users and computers within
the coupledinstrumentality unless you expressly amendment these permissions.
The location of a security cluster in Active Directory is irrelevant to cluster Policy. For the
preciseinstrumentality to that the authority is applied, authority settings confirm the following:
• What domain resources (such as applications) ar accessible to users.
• How these domain resources ar designed to be used.
For example, a authority will confirm what applications users have accessible on their pc after theygo
online, what number users will hook up with Microsoft SQL Server once it starts on a server, or what
services users will access after they move to totally different departments
or teams. clusterPolicy enables you to manage alittle variety of GPOs instead of an outsized variety of
users and computers.
Sites, domains, and structure units, in contrast to security teams, don't confer membership. Instead,
they contain and organize directory objects. Use security teams to grant rights and permissions to
users, then use the 3 styles of Active Directory containers to contain the users and computers and to
assign cluster Policy settings.
Because resource access is granted exploitation security teams, you
may notice that exploitationsecurity teams to represent your business structure structure is a lot
of economical thanexploitation domains or structure units to mirror business structure.
By default, policy settings that ar domain-wide or that ar applied to associate structure unit
containingdifferent structure units ar familial by the kid containers, unless the
administrator expresslyspecifies that inheritance doesn't apply to at least one or a lot of kid containers.
Delegating management of cluster Policy
Network directors (members of the Enterprise directors or Domain directors group) will use the
safety tab on the authority Properties page to work out that different administrator teams willmodify
policy settings in GPOs. To do this, a network administrator 1st defines teams of directors (for
example, selling administrators), then provides them with Read/Write access to chose GPOs. Having
full management of a authority doesn't alter associate administrator to link it to a web site, domain,
or structure unit. However, network directors may also grant that ability exploitation the Delegation
of management wizard.
In the Windows 2000 software, you'll severally delegate the subsequent 3 cluster Policy tasks:
• Managing cluster Policy links for a web site, domain, or structure unit.
• Creating cluster Policy objects.
• Editing cluster Policy objects.
Group Policy, like most different Windows 2000 body tools, is hosted in MMC consoles. The rights to
form, configure, and use MMC consoles, therefore, have policy implications. you'll managementthese
rights through cluster Policy below
/User Configuration/Administrative
Templates/Windows Components/Microsoft Management Console/
and its subfolders.
Table four lists the safety permission settings for a bunch Policy object.
Table four Security Permission Settings for a authority
Groups (or Users) Security Permission
Authenticated User Read with Apply cluster Policy ACE
Domain directors
Enterprise directors
Creator Owner native System Full management while not Apply cluster Policy ACE
Note: By default, directors are echt users, which implies that they need the Apply cluster Policy attribute
set.
For careful info concerning cluster Policy, see the section "For a lot of Information" at the top of this
document.
Top of page
Interoperability
Many firms rely upon a various assortment of technologies that has to work along. Active Directory
supports variety of standards to confirm ability of the Windows
2000 surroundings with differentMicrosoft merchandise and with a good type
of merchandise from different vendors.
This section describes the subsequent styles of ability supported by Active Directory:
• LDAP protocol.
• Application Programming Interfaces.
• Synchronizing Active Directory with different directory services.
• Virtual and foreign containers' role in ability.
• Kerberos role in ability.
• Backward compatibility with the Windows nongovernmental organization software.
Lightweight Directory Access Protocol
The light-weight Directory Access Protocol (LDAP) is that the trade commonplace for directory access.
LDAP is on the web Engineering Task Force (IETF) track for turning into an onlinecommonplace.
Active Directory and LDAP
LDAP is that the primary directory access protocol wont to add, modify, and delete info hold on in Active
Directory, still on question and retrieve information from Active Directory. The
Windowstwo000 software supports LDAP versions 2 and 320. LDAP defines however a
directory shopperwill access a directory server and the way the shopper will perform directory
operations and share directory information. That is, Active Directory purchasers should use LDAP to
get info from Active Directory or to keep up info in Active Directory.
Active Directory uses LDAP to alter ability with different LDAP-compatible shopper applications.
Given the suitable permission, you'll use any LDAP-compatible shopper application to browse, query,
add, modify, or delete info in Active Directory.
Application Programming Interfaces
You can use the subsequent application programming interfaces (APIs) to access info in Active Directory:
• Active Directory Service Interface (ADSI).
• LDAP C API.
These arthropod genus ar delineate within the next 2 subsections.
Active Directory Service Interface
Active Directory Service Interface (ADSI) permits access to Active Directory by exposing objectshold
on within the directory as part Object Model (COM) objects. A directory object is
manipulatedexploitation the ways accessible on one or a lot of COM interfaces. ADSI features a supplier-
baseddesign that enables COM access to differing kinds of directories that a provider exists.
Currently, Microsoft provides ADSI suppliers for Novell NetWare Directory Services (NDS) and
NetWare three, Windows NT, LDAP, and also the net info Services (IIS) metabase. (The IIS metabase is
that the IIS configuration settings.) The LDAP supplier is used with any LDAP directory,as well as Active
Directory, Microsoft Exchange five.5, or browser.
You can use ADSI from several tools, starting from Microsoft workplace applications to C/C++. ADSI
supports extensibility so you'll add practicality to associate ADSI object to support new properties
and ways. For example, you'll add a way to the user object that makes associate Exchange mailbox for a
user once the strategy is invoked. ADSI features a terribly easy programming model. It abstracts the
information management overhead that's characteristic of non-COM interfaces, likeLDAP C arthropod
genus. as a result of ADSI is totally scriptable, it's simple to develop madeinternet applications. ADSI
supports ActiveX® information Objects (ADO) and object linking and embedding information (OLE DB)
for querying.
Developers and directors will add objects and attributes to Active Directory
by making scriptssupported ADSI (as well as scripts supported LDIFDE, lined later during this document).
LDAP C API
The LDAP C API, outlined in net commonplace RFC 1823, may be a set of low-level C-languagearthropod
genus to the LDAP protocol. Microsoft supports LDAP C arthropod genus on all Windows platforms.
Developers have the selection of writing Active Directory-enabled applications exploitation LDAP
Carthropod genus or ADSI. LDAP C arthropod genus ar most frequently wont to ease movabilityof
directory-enabled applications to the Windows platform. On the opposite hand, ADSI may be a a lot
of powerful language and is a lot of acceptable for developers writing directory-enabled code on the
Windows platform.
Synchronizing Active Directory with different Directory Services
Microsoft provides directory synchronization services that allow you synchronize Active
Directoryinfo with Microsoft Exchange five.5, Novell NDS and NetWare, Lotus Notes, and
GroupWise.additionally, command-line utilities allow you to import and export
directory info from differentdirectory services.
Active Directory and Microsoft Exchange
The Windows 2000 software contains a service referred to as the Active Directory instrumentationthat
gives bi-directional synchronization with Microsoft Exchange five.5. Active
Directoryinstrumentation provides a fashionable mapping of objects and attributes once it
synchronizes the information between the 2 directories. For a lot of concerning Active
Directory instrumentation, see the section "For a lot of Information" at the top of this paper.
Active Directory and Novell NDS and NetWare
As a part of Services for Netware five.0, Microsoft intends to ship a directory synchronization service
that performs bi-directional synchronization with Novell NDS and NetWare.
Active Directory and Lotus Notes
As a part of Microsoft Exchange 2000 Server, antecedently code-named "Platinum", Microsoft intends to
ship a directory synchronization service that performs bi-directional synchronization with Lotus Notes
for functions of synchronizing e-mail and different common attributes.
Active Directory and GroupWise
As a part of Microsoft Exchange 2000 Server, antecedently code-named "Platinum", Microsoft intends to
ship a directory synchronization service that performs bi-directional synchronization with GroupWise
for functions of synchronizing e-mail and different common attributes.
Active Directory and LDIFDE
The Windows 2000 software provides the command-line utility LDAP information Interchange Format
(LDIFDE) to support mercantilism and exportation of directory info. LDAP information Interchange
Format (LDIF) is an online Draft that's associate trade commonplace, that defines the file format used
for exchanging directory info. The Windows 2000-based utility that supports import/export to the
directory exploitation LDIF is termed LDIFDE. LDIFDE enables you to export Active Directory infoin LDIF
format so it will later be foreign into another directory. you'll additionally use LDIFDE to import
directory info from another directory.
You can use LDIFDE to perform batch operations, like add, delete, rename, or
modify. you'lladditionally populate Active Directory with info obtained
from different sources, like differentdirectory services. additionally, as a result of the schema in Active
Directory is hold on within the directory itself, you'll use LDIFDE to keep a copy or extend the schema.
For an inventory of LDIFDE parameters and what they are doing, see Windows 2000 facilitate.
For info concerning the way touse LDIFDE for batch operations with Active Directory, see the section
"For a lot of Information" at the top of this document.
Internal and External References
An administrator will produce a citation object (cross-ref) that points to a server in a very directory
external to the forest. once a user searches a subtree that contains this citation object, Active Directory
returns a referral to it server as a part of the result set, and also the LDAP shopper then chases the
referral to induce the information requested by the user.
Such references ar Active Directory instrumentality objects that reference a directory external to the
forest. The distinction is that an indoor reference references associate external directory
that willseem within the Active Directory namespace as a toddler of associate existing Active Directory
object, whereas associate external reference references associate external directory
that doesn'tseem within the Active Directory namespace as a toddler.
For each internal and external references, Active Directory contains the DNS name of a server holdinga
duplicate of the external directory and also the distinguished name of the basis of the external directory
at that to start search operations within the external directory.
Kerberos Role in ability
The Windows 2000 software supports multiple configurations for cross-platform interoperability:
• Clients. A Windows 2000 domain controller will give authentication for shopper systems running
implementations of RFC-1510 Kerberos, as well as purchasers running associate software aside
from Windows 2000. Windows 2000-based user and pc accounts is used as Kerberos principals for Unix-
based services.
• Unix purchasers and services. at intervals a Windows 2000 domain, UNIX purchasers and
serverswill have Active Directory accounts and might so acquire authentication from a
website controller.during this state of affairs, a Kerberos principal is mapped to a Windows 2000 user
or pc account.
• Applications and operational systems. shopper applications for Win32® and operational systemsaside
from Windows 2000 that ar supported the final MI computer programme Interface (GSS
API)will acquire session tickets for services at intervals a Windows 2000 domain.
In associate surroundings that already uses a Kerberos realm, the Windows
2000 software supportsability with Kerberos services:
• Kerberos Realm. Windows 2000 Professional-based systems will evidence to associate RFC-1510
Kerberos server at intervals a realm, with one sign-on to each the server and an area Windows
2000skilled account.
• Trust relationships with Kerberos realms. A trust relationship is established between a website and a
Kerberos realm. this suggests that a shopper in a very Kerberos realm will evidence to a
vigorousDirectory domain to access network resources in this domain.
Backward Compatibility with the Windows nongovernmental organization software
A special kind of ability is to keep up backward compatibility with earlier versions of the
presentsoftware. The Windows 2000 software installs, by default, in a very mixed-mode network
configuration. A mixed-mode domain may be a networked set of computers
running each Windowsnongovernmental organization and Windows 2000 domain controllers. as a result
of Active Directory supports mixed-mode, you'll upgrade domains and computers at no matter rate you
select,supported your organization's desires.
Active Directory supports the Windows nongovernmental organization local area network Manager
(NTLM) authentication protocol employed by the Windows nongovernmental
organization software,which implies that licensed Windows nongovernmental organization users and
computers will go online to and access resources in a very Windows 2000 domain. To
Windows nongovernmental organization purchasers and Windows ninety five or ninety
eight purchasers that don't seem to be running Active Directory shopper software package, a Windows
2000 domain seems to be a Windows nongovernmental organization Server four.0 domain.
Top of page
Summary
Of the numerous enhancements to the Windows 2000 Server software, the introduction of the Active
Directory directory service is one in every of the foremost important. Active Directory
helps alterand modify network flexibility and so improves the network's ability to support enterprise
objectives.
Active Directory stores info concerning network objects and makes this info accessible to directors,
users, and applications. it's a namespace that's integrated with the Internet's name System (DNS), and,
at identical time, it's the software package that defines a server as a website controller.
You use domains, trees, forests, trust relationships, structure units, and sites to structure the Active
Directory network and its objects. you'll delegate body responsibility for structure units, domains, or
sites to acceptable people or teams, and you'll assign configuration settings to those self same 3Active
Directory containers. This design lets directors manage the network so users will consideraccomplishing
business goals.
Today, it's the norm instead of the exception that firms rely upon various technologies that requireto
figure along. Active Directory is constructed on commonplace directory access protocols, which,in
conjunction with many arthropod genus, alter Active Directory to interoperate with differentdirectory
services and a good type of third-party applications. additionally, Active
Directory willsynchronize information with Microsoft Exchange and provides command-line utilities
formercantilism and exportation information to and from different directory services.
For a lot of info
For the most recent info on the Windows 2000 software, look at the Microsoft Windows 2000
Servercomputer . additionally, you'll investigate the subsequent links for a lot of information:
• Windows 2000 Product Help—How to get a schema object ID (OID).
• Windows 2000 Platform software package Development Kit—How to use ADSI to increase the schema
programmatically.
• net Engineering Task Force (IETF) internet site—For IETF RFCs and Internet Drafts.
The Microsoft Windows 2000 Server preparation designing Guide, that discusses the way toarrange the
structure and preparation of Windows 2000 domains and sites, are going to beaccessible in bookstores
in early 2000. it's additionally placed on the Windows 2000 Server, and Windows 2000 Advanced Server
CDs as a part of the Support Tools. And it's accessible on the Windows
2000 computer http://www.microsoft.com/windows2000/techinfo/planning/default.asp
Top of page
Appendix A: Tools
This appendix provides a quick summary of the software package tools you employ to perform the
tasks related to Active Directory.
Microsoft Management Console
In the Windows 2000 Server software, Microsoft Management Console (MMC) provides consistent
interfaces that allow directors read network functions and
use body tools. directors use identicalconsole whether or not they ar liable for one digital computer or a
whole network of computers. The MMC hosts programs referred to as snap-ins, every of that handles
specific network administration tasks. Four of those snap-ins ar Active Directory tools.
Active Directory Snap-ins
The Active Directory body tools that ar enclosed with the Windows 2000
Server software modifydirectory service administration. you'll use the quality tools or use MMC to
form custom tools thatspecialize in single management tasks. you'll mix many tools into one
console. you'll additionallyassign custom tools to individual directors with specific body responsibilities.
The following Active Directory snap-ins ar accessible on the Windows 2000 Server body Tools menu of
all Windows 2000 domain controllers:
• Active Directory Users and Computers
• Active Directory Domains and Trusts
• Active Directory Sites and Services
The fourth Active Directory snap-in is:
• Active Directory Schema
The counseled thanks to extend the Active Directory schema is programmatically, through the Active
Directory Service Interfaces (ADSI) or the LDAP information Interchange Format (LDIFDE) utility.
However, for development and testing functions, you'll additionally read and modify the Active
Directory schema with the Active Directory Schema snap-in.
Active Directory Schema isn't accessible on the Windows 2000 Server body Tools menu. you need
to install the Windows 2000 Administration Tools from the Windows 2000 Server CD associated add it to
an MMC console.
A fifth snap-in, that is expounded to Active Directory tasks, is:
• Group Policy snap-in
Setting cluster policies may be a task associated with Active Directory management of users, computers,
and groups. cluster Policy objects (GPOs), that contain policy settings, managementsettings for users
and computers in sites, domains, and structure units. to form or edit GPOs, use thecluster Policy snap-
in, that is accessed either through Active Directory Users and Computers or through Active Directory
Sites and Services (depending on that task you wish to perform).
To use the Active Directory body tools remotely, from a pc that's not a website controller
(suchjointly running Windows 2000 Professional), you need to install Windows 2000 body Tools.
New ways that to try to to acquainted Tasks
Table five lists common tasks you'll perform exploitation Active Directory snap-ins
and connectedbody tools. For users of the Windows nongovernmental organization Server software, the
tableadditionally shows wherever these tasks ar performed once exploitation the management
toolsgiven Windows nongovernmental organization Server four.0.
Table five Tasks performed exploitation Active Directory and cluster Policy tools
If you wish to: In Windows nongovernmental organization four.0, use: In Windows 2000, use:
Install a website controller Windows setup Active Directory Installation wizard (accessed from put
together Your Server).
Manage user accounts User Manager Active Directory Users and Computers
Manage groups User Manager Active Directory Users and Computers
Manage pc accounts Server Manager Active Directory Users and Computers
Add a pc to a domain Server Manager Active Directory Users and Computers
Create or manage trust relationships User Manager Active Directory Domains and Trusts.
Manage account policy User Manager Active Directory Users and Computers
Manage user rights User Manager Active Directory Users and Computers:
Edit the cluster Policy object for the domain or structure unit containing the computers to that the user
rights apply.
Manage audit policy User Manager Active Directory Users and Computers:
Edit the cluster Policy object assigned to the Domain Controllers structure unit.
Set policies on users and computers in a very site System Policy Editor Group Policy, accessed through
Active Directory Sites and Services
Set policies on users and computes in a very domain System Policy Editor Group Policy, accessed
through Active Directory Users and Computers
Set policies on users associated computers in an structure unit Not applicable Group Policy, accessed
through Active Directory Users and Computers
Use Security teams to filter the scope of policy Not applicable Edit the permission entry for
Applycluster Policy on the safety tab of the cluster Policy Object's properties sheet.
Active Directory Command-line Tools
Advanced directors and network support specialists may also use a range of command-line tools toput
together, manage, and troubleshoot Active Directory. These tools ar referred to as the Support Tools
and ar accessible on the Windows 2000 Server CD within the \SUPPORT\RESKIT
folder.they're delineate in Table six.
Table six Active Directory-related command-line tools
Tool Description
MoveTree Move objects from one domain to a different.
SIDWalker Set the access management lists on objects antecedently owned by accounts that
werestirred, orphaned, or deleted.
LDP Allows LDAP operations to be performed against Active Directory. This tool features
a graphicalcomputer programme.
DNSCMD Check dynamic registration of DNS resource records, as well as Secure DNS update, stillas
deregistration of resource records.
DSACLS View or modify the access management lists of directory objects.
NETDOM Batch management of trusts, connection computers to domains, verificatory trusts and secure
channels.
NETDIAG Check end-to-end network and distributed services functions.
NLTest Check that the surveyor and secure channel ar functioning.
REPAdmin Check replication consistency between replication partners, monitor
replication standing,show replication information, force replication events and information consistency
checker (KCC)computation.
REPLMon Display replication topology, monitor replication standing (including cluster policies), force
replication events and information consistency checker computation. This tool features
a graphicalcomputer programme.
DSAStat Compare directory info on domain controllers and sight variations.
ADSIEdit A Microsoft Management Console (MMC) snap-in wont to read all objects within thedirectory
(including schema and configuration information), modify objects and set accessmanagement lists on
objects.
SDCheck Check access management list propagation and replication for mere objects within
thedirectory. This tool permits associate administrator to work out if
access management lists ar beingfamilial properly and if access management list changes ar being
replicated from one domain controller to a different.
ACLDiag Determine whether or not a user has been granted or denied access to a directory object. Itmay
also be wont to reset access management lists to their default state.
DFSCheck Command-line utility for managing all aspects of Distributed filing system (Dfs), checking the
configuration concurrency of Dfs servers, and displaying the Dfs topology.
Windows 2000 Command Reference Page
You can notice an entire list of Windows 2000 commands, with info concerning the way to useeach, in
Windows 2000 facilitate. simply sort "command reference" at either theIndex tab or the Search tab.
Active Directory Service Interface
You can use Active Directory Service Interfaces (ADSI) to form scripts for a good type of functions. The
Windows 2000 Server CD contains many sample ADSI scripts. For a lot of concerning ADSI, see the
sections "Active Directory Service Interface" and "For a lot of info."
Top of page
1 In a Windows 2000 Server domain, a website controller may be a pc running the Windows 2000
Server software that manages user access to a network, which has work on, authentication, and access
to the directory and shared resources.
2 A DNS zone may be a contiguous partition of the DNS namespace that contains the resource records
for that zone's DNS domains
3 LDAP may be a protocol wont to access a directory service; see the sections "LDAP-related Names"
and "Lightweight Directory Access Protocol."
4 Described within the net Engineering Task Force (IETF) net Draft referred to as draft-ietf-dnsind-
rfc2052bis-02.txt, "A DNS RR for specifying the placement of services (DNS SRV)". (Internet-
Draftsar operating documents of the web Engineering Task Force (IETF), its areas, and
its operatingteams.)
5 Described in RFC 2136, Observations on the employment of parts of the category A Addresshouse at
intervals the web.
6 Windows 2000 teams ar outlined somewhat otherwise than in Windows nongovernmental
organization. Windows 2000 includes 2 cluster types: one. Security teams (to manage user and pcaccess
to shared resources and to filter cluster policy settings); and a pair of. Distribution teams (toproduce e-
mail distribution lists). Windows 2000 additionally includes 3 cluster scopes: one. teamswith
domain native scope (to outline and manage access to resources at
intervals one domain); two.teams with world scope (to manage directory objects that need daily
maintenance, like user and pcaccounts; you employ world scope to cluster accounts at intervals a
domain); and three. teamswith universal scope (to consolidate teams that span domains; you'll add user
accounts to teams withworld scope then nest these teams at intervals teams having universal scope).
(For a lot ofconcerning Windows 2000 teams, as well as the new universal cluster sort, see the "For a lot
ofInformation" section at the top of this paper.)
7 To qualify for the Certified for Windows brand, your application should be tested by VeriTest for
compliance with the appliance Specification for Windows 2000. you'll opt for any combination of
platforms, given that a minimum of one in every of the Windows 2000 operational systems isenclosed.
Applications could carry the "Certified for Microsoft Windows" brand once they needpassed compliance
testing and have dead a brand license agreement with Microsoft. the emblem you receive can indicate
the version(s) of Windows that your product is certified. See the
8 Active Directory supports LDAP v2 and LDAP v3, that acknowledge the RFC 1779 and RFC 2247 naming
conventions.
9 If no UPN was else, users will go online by expressly providing their user name and also the DNS name
of the basis domain.
10 The cluster policies that management printer defaults with relevance commercial
enterpriseprinters ar mechanically publish new printers in Active Directory and permit printers to
be printed(this latter cluster policy controls whether or not or not
printers thereon machine is published).
11 Compare this to earlier versions of Windows nongovernmental
organization Server, whereverthe guided missile information had a limit of concerning forty,000 objects
per domain.
12 For an outline of this extra overhead, see the "Microsoft Windows 2000
Server preparationdesigning Guide," that discusses the way to arrange the structure and preparation of
Windows 2000 domains and sites, within the section "For a lot of Information" at the top of this
document.
13 A DACL permits or denies permissions on associate object to specific users or teams.
14 For a lot of concerning ability with Kerberos realms, see the section "Kerberos Role in ability."
15 Up-to-date vectors don't seem to be site-specific. associate up-to-date vector
holds associateentry for each server on that the directory partition (Naming Context) is writeable.
16 In addition to authorization authority over containers, you'll additionally grant permissions (such as
read/write) right down to the attribute level of associate object.
17 The access management entries (ACEs) in associate object's DACL confirm World Health
Organization will access that object and what reasonably access they need. once associate objectis
formed within the directory, a default DACL (defined within the schema) is applied to that.
18 By default, the Enterprise Admins cluster is granted Full management over all objects in a veryforest.
19 You use the Folder Redirection extension to direct associatey of the subsequent special folders in a
very user profile to an alternate location (such as a network share): Application information, Desktop,
My Documents (and/or My Pictures), Start Menu.
20 LDAP version two is delineate in RFC 1777; LDAP version three is delineate in RFC 2251

BY:- Mohit Dhawan

This Is Only For Training Purpose, Admin
Is Not Responsible Any Thing.
For More Tricks :-
www.hackermohitdhawan.blogspot.com