Chapter 1: Introducing Active Directory

Objectives
• Describe the role of a directory service and the
physical and logical Active Directory structure
• Install Active Directory
• Describe the main Active Directory objects
• Explain configuring and applying group policies

2
 The Role of a Directory Service

• A network directory service stores information

about a computer network and offers features for
retrieving and managing that information
• Generally considered to be an administrative tool,
but users make use of directory services to find
resources
• Directory services provide a centralized
management tool, but due to complexity, require
careful planning prior to setup

3
 Windows Active Directory

• First used by Windows 2000 Server

• Offers the following features:
– Hierarchical organization
– Centralized but distributed database
– Scalability
– Security
– Flexibility
– Policy-based administration

4
 Overview of the Active Directory Structure

• Physical structure
– Consists of sites and servers configured as domain controllers
• Logical structure
– Makes it possible to pattern the directory service’s look and feel
after the organization in which it runs

5
 Active Directory’s Physical Structure
• An Active Directory site is simply a physical
location in which domain controllers communicate
and replicate information regularly
• Each domain controller contains a full replica of the
objects that make up the domain and is responsible
for the following functions:
– Storing a copy of the domain data and replicating changes to
that data to all other domain controllers throughout the domain
– Providing data search and retrieval functions for users
attempting to locate objects in the directory
– Providing authentication and authorization services for users
who log on to the domain and attempt to access network
resources

6
 Active Directory’s Logical Structure

• Organizational Units (OUs)

• Domains
• Trees
• Forests

7
 Active Directory’s Logical Structure (cont.)

• The organizational unit (OU) is an Active Directory

container used to organize a network’s users and
resources into logical administrative units
• An OU contains Active Directory objects, such as:
– User accounts
– Groups
– Computer accounts
– Printers
– Shared folders
– Applications
– Servers
– Domain controllers

8
Active Directory’s Logical Structure (cont.)

9
 Active Directory’s Logical Structure (cont.)

• Domain: The core structural unit of an Active

Directory; contains OUs and represents
administrative, security, and policy boundaries
• Small to medium companies usually have one
domain; larger companies may have several
domains to separate geographical regions or
administrative responsibilities

10
Active Directory’s Logical Structure (cont.)

11
 Active Directory’s Logical Structure (cont.)

• A tree is a grouping of domains that share a

common naming structure
• Can consist of a parent domain and possibly one or
more child domains
• Child domains can also have child domains

12
Active Directory’s Logical Structure (cont.)

13
 Active Directory’s Logical Structure (cont.)

• Forest: A collection of one or more Active Directory

trees; a forest can consist of a single tree with a
single domain, or it can contain several trees, each
with a hierarchy of parent and child domains
• Main purpose is to provide a common Active
Directory environment, in which all domains in all
trees can communicate and share information,
while simultaneously allowing independent
operation and administration

14
Active Directory’s Logical Structure (cont.)

15
 Installing Active Directory

• To install AD DS on a full Windows Server 2008

installation, use Server Manager
• If DNS is not already present on the network, you
must install the DNS Server Role
• Once the Server Manager wizard for installing
Active Directory finishes, you must run
dcpromo.exe

16
 Installing Active Directory (cont.)
• Dcpromo.exe steps to install:
– Step 1: Existing domain or new domain
– Step 2: Fully qualified domain name (FQDN) for new forest root
domain
– Step 3: Choose forest functional level
• The functional level is critical to the feature set available to
administrators after install, as well as the software
requirements for any other DCs
– If you want backwards compatibility with older domain controllers on
the network, choose Windows 2000 functional level
– If you choose Windows Server 2008 functional level, you can’t run
Windows Server 2003 or Windows 2000 domain controllers (but they
can run as member servers)

17
 Installing Active Directory (cont.)

• After step 3, you have three additional options for

the DC
– Install DNS Server
• Recommended for the first domain controller in a new domain
– Global Catalog
• Selected by default (and cannot be disabled) if the server is to be
the first DC in a forest
– Read-only Domain Controller (RODC)
• Not selected by default and disabled for the first DC in the domain

18
 Installing Active Directory (cont.)

• The sysvol folder is a shared folder that stores the

information from Active Directory that’s replicated
to other domain controllers
• Directory Services Restore Mode is used to
perform restore operations on Active Directory if it
becomes corrupted or parts of it are deleted
accidentally

19
 The Active Directory Schema

• An object is a grouping of information that

describes a network resource
• The schema defines the type, organization, and
structure of data stored in the AD database
• Schema classes define the types of objects that
can be stored in Active Directory
• Schema attributes define what type of information
is stored in each object
• The information stored in each attribute is called
the attribute value
20
The Active Directory Schema (cont.)

21
 Active Directory Container Objects

• Organizational units
• Folder objects
• Domain objects

22
 Organizational Units

• Primary container object for organizing and

managing resources in a domain
• OUs can organize multiple objects into one
administrative group that can be configured with
specific policies relevant to that group
• Authority of an OU can be delegated
• Nesting OUs can build a hierarchical Active
Directory structure that mimics the corporate
structure for easier object management

23
 Folder Objects

• Four created by default:

– Builtin: Houses default groups created by Windows
– Computers: The default location for computer accounts created
when a new computer or server becomes a domain member
– ForeignSecurityPrincipals: Initially empty but later contains user
accounts from other domains added as members of the local
domain’s groups
– Users: Stores two default users (Administrator and Guest) and
several default groups
• New folder objects cannot be created
• Administrative control can be delegated (except on
Builtin folder)
24
 Domain Objects

• Core logical structure in AD; contains OU and

folder container objects, as well as leaf objects
• Larger companies may use multiple domains to
separate administration, define security
boundaries, and define policy boundaries
• Each domain object has a default GPO linked to it
that can affect all objects in the domain

25
 Active Directory Leaf Objects

• User Accounts
– Three types: Local, domain, and built-in
• Groups
– Consist of users with common permissions
• Computer Accounts
– Represent a computer that is a domain controller or domain
member
• Other Leaf Objects
– Contact
– Printer
– Shared folder

26
 Locating Active Directory Objects

• Active Directory objects can be searched for using

the Find Users, Contacts, and Groups dialog box
• Can search a single domain or an entire directory
(all domains)
• Not all objects are available to all users

27
 Introducing Group Policies

• A Group Policy Object (GPO) is a list of settings

that administrators use to configure user and
computer operating environments remotely
• Installing Active Directory creates two GPOs by
default
– Default Domain Policy
– Default Domain Controllers Policy

28
 Introducing Group Policies (cont.)

• You can edit existing GPOs (including defaults)

and create and manage GPOs by using the Group
Policy Management MMC
• Two nodes for every GPO
– Computer Configuration: Used to set policies that apply to
computers within the GPO’s scope
– User Configuration: Used to set policies that apply to all users
within the GPO’s scope

29
Introducing Group Policies (cont.)

30
 The Computer Configuration Node

• Software Settings
– Enable administrators to install and manage applications
remotely
• Windows Settings
– Contain Scripts extension, Security Settings node, and the
Policy-based QoS node
• Administrative Templates
– Contain the Control Panel, Network, Printers, System, and
Windows Components folders

31
Introducing Group Policies (cont.)

32
Introducing Group Policies (cont.)

33
Introducing Group Policies (cont.)

34
 The User Configuration Node
• Policies folder contains the same three folders as in the
Computer Configuration node, but policies defined here
affect domain users within the GPO’s scope, regardless of
which computer the user logs on to
• Software Settings
– Can assign or publish application packages
• Windows Settings – Contain six items
– Remote Installation Services
– Scripts extension
– Security Settings node
– Folder Redirection node
– Policy based QoS node
– Internet Explorer Maintenance node
• Administrative templates
35
 How Group Policies Are Applied

• GPOs can be applied in four places

– Local Computer
– Site
– Domain
– Organizational Unit
• Policies are applied in the above order
– Policies that are not defined or configured are not applied at all
– Last policy to be defined takes precedence; if a policy is
defined at the domain level and OU level, then the OU level’s
setting is the one applied

36
 Chapter Summary

• A directory service is a database that stores

network resource information and can be used to
manage users, computers, and resources
throughout the network
• Active Directory is a hierarchical, distributed
database that’s scalable, secure, and flexible;
Active Directory’s physical structure is composed of
sites and domain controllers, and the logical
structure is composed of organizational units,
domains, trees, and forests

37
 Chapter Summary (cont.)

• Server manager installs the Active Directory

Domain Services role; once Server Manager is
finished, dcpromo.exe is used to finish installation
• The data in Active Directory is organized as objects
– Available objects and their structure are defined by the Active
Directory schema, which is composed of schema classes and
schema attributes
– The data in a schema attribute is called an attribute value

38
 Chapter Summary (cont.)

• Two types of objects in AD: Container objects and

leaf objects
• Leaf objects generally represent security accounts,
network resources, and GPOs
• Active Directory objects can be located easily with
search functions in Active Directory Users and
Computers and Windows Explorer
• GPOs are lists of settings that enable
administrators to configure user and computer
operating environments remotely

39
 Chapter Summary (cont.)

• Policies defined in the Computer Configuration

node affect all computers in the Active Directory
container to which the GPO is linked; policies
defined in the User Configuration node affect all
users in the Active Directory container to which the
GPO is linked

40