Chapter 3: Introducing Active Directory

After reading this chapter and completing the exercises, you will be able to:
• Describe the role of a directory service and the physical and logical Active Directory structure
• Install Active Directory
• Describe the main Active Directory objects
• Explain configuring and applying group policies

Windows Server 2008 Active Directory is the core component in a Windows domain environment. The Active Directory Domain Services role provides a single point of user, desktop, and server administration. To understand Active Directory and its role in a network, you need to know what a directory service is and how it's used to manage resources and access to resources on a network. Before administrators can use Active Directory to manage users, desktops, and servers in a network, they need a good understanding of Active Directory's structure and underlying components and objects, which are covered in this chapter. You also learn about installing Active Directory and using the powerful Group Policy tool to set consistent security, usage, and desktop standards throughout your organization.

The Role of a Directory Service

A network directory service, as the name suggests, stores information about network resources and offers features for retrieving and managing that information. Essentially, it's a database composed of records or objects describing users and available network resources, such as servers, printers, and applications. Like a database for managing a company's inventory, a directory service includes functions to search for, add, modify, and delete information. Unlike an inventory database, a directory service can also manage how its stored resources can be used and by whom. For example, a directory service can be used to specify who has the right to log on to a computer or restrict what software can be installed on a computer.
A directory service is often thought of as an administrator's tool, but users can use it, too. Users might need the directory service to locate network resources, such as printers or shared folders, by performing a search. They can even use the directory service as a phone book of sorts to look up information about other users, such as phone numbers, office locations, and e-mail addresses. Whether an organization consists of a single facility or has multiple locations, a directory service provides a centralized management tool for users and resources in all locations. This capability does add a certain amount of complexity, so making sure the directory service is structured and designed correctly before using it is critical.

Windows Active Directory

Windows Active Directory became part of the Windows family of server OSs starting with Windows 2000 Server. Before Windows 2000, Windows NT Server had a directory service that was little more than a user manager; it included centralized logon and grouped users and computers into logical security boundaries called domains. The Windows NT domain system was a flat database of users and computers with no way to organize users or resources by department, function, or location, no matter how many users you had. This single, unstructured list made managing large numbers of users cumbersome.

Active Directory's hierarchical database enables administrators to organize users and network resources to reflect the organization of the environment in which it is used. For example, if a company identifies its users and resources primarily by department or location, Active Directory can be configured to mirror that structure. You can structure Active Directory and organize the objects representing users and resources in a way that makes the most sense.
Active Directory offers the following features, among others, that make it a highly flexible directory:
• Hierarchical organization—This structure makes management of network resources and administration of security policies easier.
• Centralized but distributed database—All network data is centrally located, but it can be distributed among many servers for fast, easy access to information from any location. Automatic replication of information also provides load balancing and fault tolerance. Active Directory replication is the transfer of information among domain controllers to make sure all domain controllers have consistent and up-to-date information.
• Scalability—Advanced indexing technology provides high-performance data access, whether Active Directory consists of a few dozen or a few million objects.
• Security—Fine-grained access controls enable administrators to control access to each directory object and its properties. Active Directory also supports secure authentication protocols to maximize compatibility with Internet applications and other systems.
• Flexibility—Active Directory is installed with some predefined objects, such as user accounts and groups, but their properties can be modified, and new objects can be added for a customized solution.
• Policy-based administration—Administrators can define policies to ensure a secure and consistent environment for users yet maintain the flexibility to apply different sets of rules for departments, locations, or user classes as needed.
Overview of the Active Directory Structure

As with most things, the best way to understand how Active Directory works is to install it and start using it, but first, knowing the terms used to describe its structure is helpful. There are two aspects of Active Directory's structure:
• Physical structure
• Logical structure

Active Directory's Physical Structure

The physical structure consists of sites and servers configured as domain controllers. An Active Directory site is nothing more than a physical location in which domain controllers communicate and replicate information regularly. Specifically, Microsoft defines a site as one or more IP subnets connected by high-speed LAN technology. A small business with no branch offices or other locations, for example, consists of a single site. However, a business with a branch office in another part of the city connected to the main office through a slow WAN link usually has two sites. Typically, each physical location with a domain controller operating in a common domain connected by a WAN constitutes a site. The main reasons for defining multiple sites are to control the frequency of Active Directory replication and to assign policies based on physical location. Chapters 4 and 10 discuss sites in more detail.

Another component of the physical structure is a server configured as a domain controller, which is a computer running Windows Server 2008 with the Active Directory Domain Services role installed.
Although an Active Directory domain can consist of many domain controllers, each domain controller can service only one domain. Each domain controller contains a full replica of the objects that make up the domain and is responsible for the following functions:
• Storing a copy of the domain data and replicating changes to that data to all other domain controllers throughout the domain
• Providing data search and retrieval functions for users attempting to locate objects in the directory
• Providing authentication and authorization services for users who log on to the domain and attempt to access network resources

Active Directory's Logical Structure

The logical structure of Active Directory makes it possible to pattern the directory service's look and feel after the organization in which it runs. There are four organizing components of Active Directory:
• Organizational units (OUs)
• Domains
• Trees
• Forests

These four components can be thought of as containers and are listed from most specific to broadest in terms of what they contain. To use a geographical analogy, an OU represents a city, a domain is the state, a tree is the country, and a forest is the continent.
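The physical structure described above (sites defined as IP subnets, each holding domain controllers) can be audited from PowerShell. The script below is an added example, not code from the textbook: it lists each site with its subnets and domain controllers, then flags any domain controller whose IPv4 address lies outside every defined subnet, a gap that leaves clients on that network without a site and likely authenticating across the WAN. It assumes a recent RSAT ActiveDirectory module (the Get-ADReplicationSite/Subnet cmdlets), Windows PowerShell 3.0 or later, and a domain-joined session; the helper function Test-IPv4InSubnet is written here, not part of the module.

```powershell
# Added example, not from the textbook. Requires the ActiveDirectory module (RSAT),
# PowerShell 3.0+ (for -shl), and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

# Helper defined here (not an AD cmdlet): $true when an IPv4 address lies inside a CIDR subnet.
function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)          # e.g. "10.1.5.20", "10.1.0.0/16"
    $network, $prefix = $Cidr -split '/'
    $toLong = {
        param($ip)
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)                     # network byte order -> little-endian for ToUInt32
        [long][BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = if ([int]$prefix -eq 0) { 0L } else { (0xFFFFFFFFL -shl (32 - [int]$prefix)) -band 0xFFFFFFFFL }
    ((& $toLong $Address) -band $mask) -eq ((& $toLong $network) -band $mask)
}

# Only IPv4 subnet objects are checked; IPv6 subnets are skipped by the name filter.
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }
# Domain controllers of the current domain; each carries the site it was placed in.
$dcs = Get-ADDomainController -Filter *

# Physical structure: each site with the subnets and domain controllers assigned to it.
foreach ($site in Get-ADReplicationSite -Filter *) {
    Write-Host "Site: $($site.Name)"
    $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object { Write-Host "  Subnet: $($_.Name)" }
    $dcs | Where-Object { $_.Site -eq $site.Name } |
        ForEach-Object { Write-Host "  DC: $($_.HostName) ($($_.IPv4Address))" }
}

# A DC is in a site because an administrator placed it there, but clients find their site by
# subnet lookup. If no subnet covers a DC's own address, clients on that LAN have no site
# either and may log on through a distant DC over the WAN. Report those DCs.
foreach ($dc in $dcs) {
    $covered = $subnets | Where-Object { Test-IPv4InSubnet -Address $dc.IPv4Address -Cidr $_.Name }
    if (-not $covered) {
        Write-Warning "$($dc.HostName) ($($dc.IPv4Address)) is not covered by any defined subnet"
    }
}
```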