Your guide to learning Active Directory the quick and easy way

Whether you're new to Active Directory (AD) or a savvy system administrator looking to brush up on your skills, Active Directory for Dummies will steer you in the right direction. Since its original release, Microsoft's implementation of the lightweight directory access protocol (LDAP) for the Windows Server line of networking software has become one of the most popular directory service products in the world. If you're involved with the design and support of Microsoft directory services and/or solutions, you're in the right place.

This comprehensive guide starts by showing you the basics of AD, so you can utilize its structures to simplify your life and secure your digital environment. From there, you'll discover how to exert fine-grained control over groups, assets, security, permissions, and policies on a Windows network and efficiently configure, manage, and update the network. With coverage of security improvements, significant user interface changes, and updates to the AD scripting engine, password policies, accidental object deletion protection, and more, this plain-English book has everything you need to know.

You'll learn how to:
* Navigate the functions and structures of AD
* Understand business and technical requirements to determine goals
* Become familiar with physical components like site links, network services, and site topology
* Manage and monitor new features, AD replication, and schema management
* Maintain AD databases
* Avoid common AD mistakes that can undermine network security

With chapters on the ten most important points about AD design, ten online resources, and ten troubleshooting tips, this user-friendly book really is your one-stop guide to setting up, working with, and making the most of Active Directory. Get your copy of Active Directory For Dummies and get to work.
Page count: 415
Year of publication: 2009
Table of Contents
Introduction
This Book Is for You
How This Book Is Organized
Part I: Getting Started
Part II: Planning and Deploying with Active Directory Domain Services
Part III: New Active Directory Features
Part IV: Managing Active Directory
Part V: The Part of Tens
Part VI: Appendixes
Icons Used in This Book
Part I: Getting Started
Chapter 1: Understanding Active Directory
What Is Active Directory?
Active Directory is an umbrella
Active Directory is an information store
Active Directory has a structure (Or hierarchy)
Active Directory can be customized
Getting Hip to Active Directory Lingo
The building blocks of Active Directory
The Active Directory schema
Domain Controllers and the global catalog
The DNS namespace
Because It’s Good for You: The Benefits of Active Directory
Chapter 2: Analyzing Requirements for Active Directory
Why Gather Information?
Gathering Business Information
Surveying the business environment
Determining business goals
Gathering Technical Information
Surveying the technical environment
Determining technical goals
Best Practices
Chapter 3: Designing an Active Directory Implementation Plan
Why You Need an Implementation Plan
Building the Active Directory Planning Team
Creating Active Directory Planning Documents
Business and technical assessments
Vision Statement
Requirements/scope document
Gap analysis
Functional specification
Implementation standards
Risk assessment/contingency plan
Tracking Project Implementation
Creating the Active Directory Design
Best Practices
Part II: Planning and Deploying with Active Directory Domain Services
Chapter 4: Playing the Name Game
The Need for DNS
Essential DNS
Identifying resource records
Active Directory Requirements for DNS
Examining SRV records
Exploring dynamic updates
Storing and replicating DNS information
The Active Directory Namespace
Defining the Active Directory namespace
Comparing an Active Directory namespace to a DNS namespace
Types of Active Directory Naming
Fully qualified domain name
Distinguished name
User principal name
NetBIOS name
Planning the Active Directory Namespace
Understanding domain naming
Understanding OU naming
Understanding computer naming
Understanding user naming
What’s New in Windows Server 2008 DNS?
Support for IPv6
Support for read-only domain controllers
Background loading of zone data
GlobalNames zone
Chapter 5: Creating a Logical Structure
Planting a Tree or a Forest?
Defining Domains: If One Isn’t Enough
Less is more!
Recognizing the divine order of things
The multiple forests model
Organizing with OUs: Containers for Your Trees
Creating a structure
Planning for delegating administration
Chapter 6: Getting Physical
The Physical Side of Active Directory
Active Directory Physical Components
Domain controllers and global catalog servers
Active Directory sites
Subnets
Site links
Designing a Site Topology
Placing domain controllers
Placing global catalog servers
Placing operations masters
Defining Active Directory sites
Creating Active Directory site links
Read-Only Domain Controllers
RODC prerequisites and limitations
Running DNS on an RODC
RODC administrative separation
RODC credential caching
Chapter 7: Ready to Deploy!
Installing Windows Server 2008
To Core or Not to Core
Deploying AD DS on a Full Server
Initial Configuration Tasks Wizard and the Server Manager console
Attended domain controller installation
Unattended domain controller installation
Deploying AD DS on a Core Server
After the install
Miscellaneous Issues
Installing AD DS from media
Deploying an RODC
Part III: New Active Directory Features
Chapter 8: AD LDS: Active Directory on a Diet
The Need for a Lighter AD
AD LDS as a phone book
AD LDS as a consolidation store
AD LDS as a Web authentication service
Working with AD LDS
Security and Replication with AD LDS
Deploying AD LDS
Chapter 9: Federating Active Directory
Authentication Everywhere!
Identities, tokens, and claims
Security token services
Federations
Federation Scenarios
Web single sign-on scenario
Federated Web SSO scenario
Federated Web SSO with forest trust scenario
Deploying Active Directory Federation Services
Chapter 10: AD Certificate Services and Rights Management Services
Active Directory Certificate Services
What is public key infrastructure (PKI)?
Inside AD Certificate Services
Enterprise PKI console
Active Directory Rights Management Services
Managing information usage
Inside Active Directory Rights Management Services
Installing AD RMS
Part IV: Managing Active Directory
Chapter 11: Managing Users, Groups, and Other Objects
Managing Users and Groups
Creating user objects
Editing user objects
Understanding groups
Creating and editing groups
Viewing default users and groups
Managing Organizational Units
Delegating Administrative Control
Chapter 12: Managing Active Directory Replication
Understanding Replication
Intrasite replication
Intersite replication
Propagating updates
Implementing a Site Topology
Creating sites
Creating subnets
Creating site links
Creating a site link bridge
Chapter 13: Schema-ing!
Schema 101
Introducing object classes
Examining object attributes
Extending the Schema
Adding classes and attributes
Deactivating objects
Transferring the Schema Master
Reloading the Schema Cache
Chapter 14: Managing Security with Active Directory Domain Services
NTLM and Kerberos
NTLM authentication
Meet Kerberos, the guard dog
Implementing Group Policies
Using GPOs within Active Directory
GPO inheritance and blocking
Group policy management
Group policy reporting and modeling
Fine-Grained Password and Account Lockout Policies
Active Directory Auditing
Chapter 15: Maintaining Active Directory
Database Files
Specifying the location of the database files
How the database and log files work together
Defragmenting the Database
Online defragmentation
Offline defragmentation
Backing Up the Active Directory Database
Restoring Active Directory
Non-authoritative restore
Authoritative restore
Preventing accidental deletions
Restartable Active Directory
Other Tools for Maintaining AD
Event Viewer
Snapshots and the AD Database Mounting Tool
REPADMIN
Part V: The Part of Tens
Chapter 16: The Ten Most Important Active Directory Design Points
Plan, Plan, Plan!
Design AD for the Administrators
What’s Your Forest Scope?
Often a Single Domain Is Enough!
Active Directory Is Built on DNS
Your Logical Active Directory Structure Isn’t Based on Your Network Topology
Limit Active Directory Schema Modifications
Understand Your Identity Management Needs
Place Domain Controllers and Global Catalogs Near Users
Keep Improving Your Design
Chapter 17: Ten Cool Web Sites for Active Directory Info
Microsoft’s Windows Server 2008 Web Site
Windows Server 2008 TechCenter
TechNet Magazine
Directory Services Team Blog
Exchange Server Team Blog
Windows IT Pro Magazine
Windows Server Team Blog
Windows Server 2008 Most Recent Knowledge Base Articles Feed
Windows Server 2008 Most Popular Downloads
My Blog
Chapter 18: Ten Troubleshooting Tips for Active Directory
Domain Controller Promotion Issues
Network Issues
What Time Is It?
Can’t Log On to a Domain
Monitoring Active Directory Resources
Can’t Modify the Schema
Replication Issues
Working with Certificates
Group Policy Issues
Branch Office Users Logging In for the First Time
Part VI: Appendixes
Appendix A: Windows 2008 AD Command Line Tools
NTDSUTIL Activate Instance
NTDSUTIL Authoritative Restore
NTDSUTIL Files
NTDSUTIL IFM
NTDSUTIL Local Roles
NTDSUTIL Roles
NTDSUTIL Set DSRM Password
NTDSUTIL Snapshot
Appendix B: Glossary
Active Directory® For Dummies®, 2nd Edition
by Steve Clines and Marcia Loughry
Published by Wiley Publishing, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.
For technical support, please visit www.wiley.com/techsupport.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Control Number: 2008932078
ISBN: 9780470505274
Manufactured in the United States of America
About the Authors
Steve Clines, MCSE, MCT, has worked as an IT architect and engineer at EDS for over 18 years. He has worked on deployments of more than 100,000 seats for both Active Directory and Microsoft Exchange Server. Steve is the author of MCSE Designing a Windows 2000 Directory Services Infrastructure For Dummies, which is a study guide for the 70-219 MCP exam. He also maintains the Confessions of an IT Geek blog at http://itgeek.steveco.net.
Marcia Loughry, MCSE and MCP+I, is a Senior Infrastructure Specialist with a large IT firm in Dallas, Texas. She is president of the Plano, Texas BackOffice User Group (PBUG) and a member of Women in Technology International. Marcia received her MCSE in NT 3.51 in 1997 and completed requirements for the NT 4.0 track in 1998.
Marcia has extensive experience working with Windows NT 3.51 and 4.0 in enterprises of all sizes. She is assigned to some of her firm’s largest customers in designing NT solutions and integrating UNIX and NetWare environments with NT.
Dedication
Steve Clines: I am dedicating this book to two people who are no longer with us. First is my mom Glenda. She is the one who really taught me about writing and how to see a project to its completion. The second person is my nephew Boomer. You have reminded me of how precious life really is and how we are to live each day with the joy that you did.
You are both missed.
Marcia Loughry: This book is dedicated to my family — my son, Chris, my parents, my sister, Karen — just because I love ‘em all! Thanks for the love, laughter, and support.
Authors' Acknowledgments
Steve Clines: I have many people to thank for their support. Foremost is my wife, Tracie, who has been my constant support. I couldn’t have done this without you. Also, thank you to my family and friends who have been a great source of continual encouragement to me.
Thank you to Marcia Loughry for getting me started down this road and giving me a great starting point for doing this edition. Also, thanks to all the great folks at Wiley Publishing for giving me this opportunity and being really easy to work with.
Lastly, thanks to my Lord and Savior. I can’t do anything without you – Phil. 4:13.
Marcia Loughry: Special thanks to literary agent Lisa Swayne, of the Swayne Agency, for finding me, taking me on, and introducing me to the fun people at Wiley Publishing.
Many, many thanks to the fine folks at Wiley Publishing: Joyce Pepple, who got me excited about this project; Jodi Jensen, who suffered and planned with me and generally kept me in line; Bill Barton, who didn’t strangle me over my consistent use of passive voice; and the rest of the Wiley team who made the book and CD possible.
And finally, heartfelt thanks to Jackie, Mary, Sherri, Michelle, Anne, Clifton, Sam, Steve, Kent, Sylvana, Nate, Clay, and all the other friends who make every day so fun.
Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Media Development
Sr. Project Editor: Christopher Morris
Acquisitions Editor: Kyle Looper
Copy Editor: Brian Walls
Technical Editor: John Mueller
Editorial Manager: Kevin Kirschner
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)
Composition Services
Project Coordinator: Katherine Key
Layout and Graphics: Stacie Brooks, Reuben W. Davis, Laura Pence, Ronald Terry
Proofreaders: Caitie Kelly, Bonnie Mikkelson, Amanda Steiner
Indexer: Rebecca Salerno
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Introduction
Welcome to the wonderful world of Active Directory! Over the last eight years since Active Directory (AD) was released in Microsoft’s Windows 2000 Server product, AD has become one of the most (if not the most) popular directory service products in the world. It has also become one of the central technologies on top of which many other Microsoft products are built. If you are an Information Technology (IT) professional who designs and supports directory services or solutions created with Microsoft products, then you really need to have an understanding of what AD is and how it works. That’s where this book comes in.
My goal with this book is to take the anxiety and stress out of mastering this complex technology. I hope that you find the book a clear, straightforward resource for exploring Active Directory.
This Book Is for You
Whether you’ve purchased this book or are browsing through it in the bookstore, know that you’ve come to the right place. Maybe you are like me. When I’m looking through a book that I’m considering purchasing, I always look at the first sections to try to get an idea of who the book is written for and exactly what it’s going to cover. So let me just get this out of the way right now. This book is for you if you’re any of the following:
A savvy system administrator with previous NT experience who needs to find out about Active Directory
An administrator that has AD experience with previous releases in Windows 2000 Server and Windows Server 2003
Someone who wants to know more about Active Directory Domain Services in Windows Server 2008
Someone who wants to find out about the new components of Active Directory in Windows Server 2008, including Active Directory Lightweight Directory Services, Active Directory Federation Services, Active Directory Certificate Services, and Active Directory Rights Management Services
A newbie (to networking or to information technology) who wants to pick up information on Active Directory
A student preparing for AD certification exams
Someone who’s merely interested in intelligently discussing Active Directory
For the experienced Windows Server administrator or other IT professional, Active Directory For Dummies provides you with an unpretentious resource containing exactly what you need to know. It presents the fundamentals of the program and then moves right into planning, implementing, and managing Active Directory — what you’re most interested in knowing right now!
Welcome! And, thanks for making Active Directory For Dummies your first resource for figuring out one of Microsoft’s hottest technologies!
How This Book Is Organized
I’ve divided this book into six parts, organized by topic. The parts take you sequentially from Active Directory fundamentals through planning, deploying, and managing Active Directory. If you’re looking for information on a specific Active Directory topic, check the headings in the table of contents. By design, you find that you can use Active Directory For Dummies as a reference that you reach for again and again.
Part I: Getting Started
Part I contains the “getting to know you” chapters. These chapters contain the answers to your most fundamental questions:
What is Active Directory?
What are its benefits?
What are the buzzwords?
The information you find here helps you determine what you must do to prepare for Active Directory in your environment. Also, in this part, I show you how to gather information about the environment you’re deploying AD in and how to develop the requirements that will drive your Active Directory design.
Part II: Planning and Deploying with Active Directory Domain Services
Active Directory Domain Services contains both a logical and a physical structure that you must carefully design before deployment. The logical structure comes first and includes the following steps:
Planning the DNS namespace
Designing the forest/domain/organizational unit (OU) model
After you plan your logical structure, you move on to developing a plan for your physical structure. This part ends with you putting all this planning into action as you build your Active Directory forest by creating domain controllers.
Part III: New Active Directory Features
In Windows Server 2008, Microsoft has added a number of new components to Active Directory that expand the product beyond being simply a directory service. Many of these components can be used to develop an overall identity and access management solution. These components support interaction between external users — even other companies — and your internal AD environment. If you’re familiar with Active Directory from a previous Windows Server release and need to find out about the new parts of AD in Windows Server 2008, this is one part you want to check out!
Part IV: Managing Active Directory
Part IV covers the daily management of an Active Directory environment. Active Directory introduces the capability of delegating administrative authority and also introduces security concepts. The chapters in this part prepare you for managing security, users, and resources within the Active Directory tree.
Part IV also covers managing replication traffic. Optimized replication traffic is vitally important to the Active Directory environment. In these chapters, you discover how to propagate updates, schedule replication traffic, work with the Active Directory schema, and maintain the Active Directory database.
Part V: The Part of Tens
In true For Dummies style, this book includes a Part of Tens. These chapters introduce lists of ten items about a variety of informative topics. Here you find additional resources, hints, and tips, plus other nuggets of knowledge.
Part VI: Appendixes
In the appendixes, you find information that adds depth to your understanding and use of Active Directory. I provide a listing of command line utilities for managing Active Directory as well as a glossary of terminology.
Icons Used in This Book
To make using this book easier, I use various icons in the margins to indicate particular points of interest.
Sometimes I feel obligated to give you some technical information, although it doesn’t really affect how you use Active Directory. I mark that stuff with this geeky fellow so that you know it’s just background information.
Ouch! I mark important directions to keep you out of trouble with this icon. These paragraphs contain facts that can keep you from having nightmares.
Any time that I can give you a hint or a tip that makes a subject or task easier, I mark it with this little thingie for additional emphasis — just my way of showing you that I’m on your side.
This icon is a friendly reminder for something that you want to make sure that you cache in your memory for later use.
Part I
Getting Started
In this part . . .
For many things in life, you have to start at the beginning before you can move on to the rest. That start for Active Directory is here. The first chapter is an introduction to Active Directory and its terminology. Chapters 2 and 3 step back from the technology of Active Directory and instead discuss how to prepare for an Active Directory design and deployment by looking at what requirements you have and developing an implementation plan. Welcome to Active Directory!
Chapter 1
Understanding Active Directory
In This Chapter
Defining Active Directory
Examining the origins of Active Directory: X.500
Understanding Active Directory terms
Investigating the benefits of Active Directory: What’s in it for you?
Since its release in Windows 2000 Server, Active Directory has become an integral part of many information technology (IT) environments. As such, it has become a very popular topic with the people who have to design and support it. Because of all the terms and technology surrounding Active Directory, you might already be a bit intimidated by the prospect of working with it yourself.