Posts Tagged active directory

Active Directory 2008 Notes 2

Posted by Harv in Server 2008 on December 30, 2009

Preparing Active Directory for Server 2008 DC’s

Note: These steps should be completed before promoting or upgrading an existing domain controller.

Run adprep /forestprep on the schema master of the forest. This extends the schema to receive new 2008 features. The changes must replicate through the forest before proceeding.
You must be a member of the Enterprise Admins, Schema Admins, and Domain Admins in the forest root domain.
Any Windows 2000 DC’s must be upgraded to SP2 or later, or SP1 with hotfix QFE265089.
Run adprep /domainprep on the infrastructure master of each domain that will be accepting Server 2008 DC’s.
It adjusts ACL’s on AD objects, and the SYSVOL shared folder.
You must be a member of Domain Admins, and the domain’s functional level must be Windows 2000 server native or higher.
adprep /domainprep /prep can also be run to enable resultant set of policy planning mode functionality.

Originally posted 2009-06-29 00:32:06.

acl, active directory, domain admins, domain controller, domainprep, forest root, forestprep, functional level, infrastructure, master of the forest, root domain, schema master, shared folder, windows 2000, windows 2000 dc, windows 2000 server

No Comments

Active Directory: Groups

Posted by Harv in Server 2003, Server 2008, Windows on December 30, 2009

Distribution Groups

These can not be used to perform any sort of ACL (access control) or permissions, and are therefore ill-suited for anything other than to create a list of users to whom you might want to, say, email. If in doubt, use a security group instead.

Security Groups
There are different types of security group. Note that the type simply defines the scope and replication.

Universal: Objects in this group type are replicated to other domain trees within the forest. Note that global catalog servers have to replicate this information, so heavy use is not encouraged. Can be comprised of users or groups from any domain. See note (1).
Global: Can only contain objects within the domain.
Domain Local: Can contain objects from any domain, but are used to control access only to local resources. See note (2).

(1) – In Server 2008 we now have the UGMC (universal group membership caching) feature, which can counteract some of the overhead associated with using many universal groups. This doesn’t mean it’s okay to ignore common sense and best practises though!

(2) – Domain local is best used to control access to resources. Consider a file share: you create a domain local group called, for example, “Sales Share”. Now you allow the sales share read/write/whatever access. Note that this is domain local. Now instead of modifying the share permissions to add all the associated users/groups, you simply add the sales groups from each relevant domain as members of this group. Now when new sales people come in and go out of the company, your work is already done.

In short:
Domain local – can come from any domain but only access local resources.
Global – can only be from this domain but can access resources in any domain.
Universal – Replicated across the forest, can be from any domain and can have access to resources in any domain.

Originally posted 2009-09-20 01:42:14.

access control, active directory, best practises, common sense, distribution groups, doubt, file share, global catalog servers, group membership, group type, local group, local resources, relevant domain, replication, scope, security group, security groups, universal group, universal objects, users groups

No Comments

Server update

Posted by Harv in Misc on December 30, 2009

Blog’s server has been updated. I’ve immediately noticed an upgrade in speed. Yay!

I will start putting in blog posts with my notes from my current study topic- Windows Server 2008 Active Directory configuration. Stay tuned.

Originally posted 2009-06-08 23:28:37.

active directory, Server, Window, Windows, windows server

No Comments

Active Directory 2008 Notes 3: The Global Catalog

Posted by Harv in Server 2008 on December 30, 2009

Global Catalog Servers

Validates group membership.
Enables forest-wide search for resources or AD objects.
Validates UPN’s across entire forest, allowing logon to other domains.

Promoting a domain controller to a global catalog server

The first domain controller in each domain is automatically set up to be a GC server. Every DC that gets added to an already-existing domain has the option of also serving as a GC. This may be desirable, for example, if one domain is divided into two sites or physical locations.

On the DC, open Active Directory Sites and Services.
Expand Sites, Servers, and the entry for the domain controller which will be designated a global catalog.
Right-click NTDS settings, choose properties.
In the General tab, check the global catalog option. Press OK or apply.
That’s it! Apply the steps in reverse order to demote a DC from GC duty.

UGMC (Universal group membership caching)

If UGMC is enabled, users’ universal group information is cached when the user logs on to the domain for the first time. This allows future requests to be serviced quickly, without the need to contact the GC.
This also allows a lower-spec RODC or DC to be on-site with a high end DC GC server elsewhere.

Enabling it

Open up AD Sites and Services.
Select the site which needs UGMC caching.
Right click NTDS Site Settings, choose properties.
Select Universal Group Memership Caching.
Specific sites can be used for replication. Use the drop-down selector if necessary.
Click ok.

When it’s necessary – or How do I decide between additional GC’s and UGMC?

In a single domain forest, GC servers nor UGMC provide any benefit.
If users complain that logons are slow but resource access is not, go with UGMC.
If users complain that logons are slow and resource access across a link (WAN) is slow, go with GC.
Having additional GC servers and UGMC is not beneficial at the same site.

Originally posted 2009-06-30 09:00:48.

Access, active directory, domain controller, global catalog server, global catalog servers, group membership, logs, ntds, replication, ugmc, universal group, upn

No Comments

Active Directory 2008 Notes 1

Posted by Harv in Server 2008 on December 30, 2009

- X.500 and LDAP rather than flat file.
– Blocks: domains, trees, forests, OU’s. Phyiscal location is represented by including all objects in a given (physical) location in its own site.

- Domain: A logical grouping of computers. They share a common directory database. A series of domains can be organized, through trust relationships, into forests and trees.

- Tree: A group of domains that share a namespace. For example, learnwithharv.com would represent the parent, blog.learnwithharv.com would be a child domain. On the same level could sit thing.learnwithharv.com. A child to these domains might be some.thing.learnwithharv.com or my.blog.learnwithharv.com.
Trust relationships in a tree are two-way, transitive relationships, meaning resources are accessible both ways.
(A forest can contain multiple trees, and trees can contain multiple levels of child domains.)

- Forest: A forest would be a group of domain trees that do not share a namespace. For example, microsoft.com and apple.com. You may find foobar.microsoft.com and foobar.apple.com as children of their respective domains, however while foobar.apple.com shares a transitive two-way relationship with apple.com, it in no way shares any information with microsoft.com or foobar.microsoft.com, and vice versa. The first domain created in a new Active Directory structure is the forest root domain.

- Organization Unit (OU): I think of OU’s as being like folders. They can contain objects of various types (users, computers, distribution groups, etc). They are the smallest type of unit that can be used for organization. Policies and security can be applied to an OU. For example, one might create an OU which contains company departments. The OU name might be Departments. The objects inside might be groups such as Accounting, Administration, and IT. Policies and security options or permissions can be set on each of these groups individually, and/or to the entire OU itself.

- Sites: A site is a grouping of resources within a forest by physical location or subnet. Sites allow for control of replication as well as policy application control. By that I mean- by grouping things physically within a site, the LAN link can be taken advantage of. If one has multiple physical locations and multiple DC’s (patience, we’re getting to a DC) at each location, grouping users/computers/etc by Site allows the DC’s to know which computers should be under their direct control and which they should allow the other DC’s to control. To elaborate further: pushing out a group policy to 200 machines not physically located in the same office as the DC may not be a good idea. Grouping by Site allows DC’s to know where they physically site and therefore who they should spend their time serving.

- Domain Controller (DC): This is any server that has an active directory. All directory objects are that are within the domain, plus the schema and any configuration information for the forest where the domain is located, are located here. If there are multiple DC’s within a domain, data is shared and kept in sync via replication.

- Global Catalog: Sort of like an index, the global catalog server’s role is to allow domain controllers in other domains to access information or resources from another domain in the same forest. IE, files, folders, printers, etc. Universal group membership is also done here, so that someone can be a member of two domains.

- Operations masters: Specialialized roles. Only one DC can fulfill any given one of these roles;
– Schema Master: The only writable copy of the AD Schema. All objects in a forest are held in the schema.
One DC in the forest does this.

- Domain naming master: Ensures that any new domains adhere to the naming conventions for new trees or child domains in existing trees.
One DC in the forest does this.

- PDC emulator: Serves as a primary domain controller for NT 4 client computers authenticating to the domain.
One DC in each domain does this.

- Infrastructure master: updates other domains as to changes in it’s own domain. This is a middle-man; it receives and processes changes in the forest received from GC servers and replicates the changes to other DC’s in its domain.
One DC in each domain does this.

- RID master: Assigns SID’s (security ID) to objects in its domain. Each SID is comprized of a non-unique domain identifier to idenfity which domain the object belongs to, as well as an RID (relative ID) that is unique to each object. This particular server (RID Master) ensures no two objects have the same RID. It also serves out pools of RIDS to every DC in its domain.
One DC in each domain does this.

- RODC: Read-Only Domain Controller: A DC that is read only. Useful for a branch office where personell don’t necessarily need to make updates. A good security practise is to use these if possible. They are perfect to put in place if you simply need authentication and a new on-site DC for purposes of pushing out GPO’s etc over a LAN link.

Originally posted 2009-06-26 00:40:52.

active directory, directory database, directory structure, distribution groups, domain organization, example microsoft, foobar, forest root, grou, logical grouping, namespace, organization policies, organization unit, phyiscal, physical location, root domain, security options, trust relationships, users computers

No Comments

Active Directory: Operations Master Roles, Overview

Posted by Harv in Server 2008, Windows on December 30, 2009

There are 5 master roles.

Schema Master: Holds the schema.
Domain Naming Master: Responsible for adding/removing a DC to/from the domain.
RID Master: Dishes out SID’s. An SID is used to uniquely identify any AD object. This way it can be renamed and all the data changed without the reference to it breaking.
PDC Emulator: For backwards compatibilty to NT4 domains. Also allows for time services.
Infrastructure Master: Mapping of container objects.

Note that the schema master and domain naming master work on the forest level, the other three roles work on the domain level.

Originally posted 2009-09-19 21:28:05.

active directory, container objects, directory operations, schema master, services infrastructure, sid, time services

No Comments

Active Directory Structure: Forests, Trees, Domains & Trusts

Posted by Harv in Server 2003, Server 2008, Windows on December 30, 2009

Forest - forests define the trust relationships between different domains.
Forest Root Domain – The first domain in a forest.
Tree Root Domain – The top-level domain in a domain tree.
Domain Tree - a tree root domain and a collection of one or more child domains. Child domains inherit the parent domain, hence forming a tree.
Top-level Domain – Also called the parent domain. See tree root domain.
Child Domain – Second-level domains. They sit directly under the top-level domain.

Some other quick notes:
– Within a domain tree, all domains have 2-way transitive trusts, share a common schema and share a common global catalog.
– Replication describes the rules that govern the updating of the AD database across domain controllers.

That’s it, pretty simple really. Diagram coming soon – this is even simpler with the help of a diagram.

Originally posted 2009-09-18 03:00:20.

70-640, active directory, directory forests, domain controllers, domain tree, forest root, forest tree, global catalog, level domains, parent domain, replication, root domain, schema, top level domain, tree domain, tree root, trees, trust relationships, trusts

No Comments

M	T	W	T	F	S	S
« Jan
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Learn With Harv: Blog

Posts Tagged active directory

Active Directory 2008 Notes 2

Preparing Active Directory for Server 2008 DC’s

Server update

Active Directory 2008 Notes 1

Active Directory: Operations Master Roles, Overview

Active Directory Structure: Forests, Trees, Domains & Trusts

Calendar

Recent Comments

Recent posts

Anti-Malware

Friends

PC Maintenance

Useful Tools

Meta