
ACTIVE DIRECTORY SERVICES

Modules:

1. Introduction to Active Directory in Windows 2003 Server.

2. Implementing DNS to support ADS.

3. Creating a Windows 2003 Server domain.

4. Setting up and administering users and groups.

5. Publishing resources in ADS.

6. Delegating administrative control.

7. Implementing Group Policy.

8. Using Group Policy to manage the environment.

9. Using Group Policy to manage software.

10. Creating and managing trees and forests.

11. Managing Active Directory replication.

12. Managing Operations Master roles.

13. Maintaining Active Directory Services.

MODULE 1: INTRODUCTION TO ACTIVE DIRECTORY SERVICES

• Workgroup

A workgroup is decentralized. It is used for 5-10 machines in a small network. There is no domain controller; every PC works individually.

[Diagram: workgroup of Windows 2000 Professional, Windows 98, XP and Windows 2003 Server machines, with no domain controller]

• NT 4.0 Domain (standard)

[Diagram: one NT Server as PDC, several NT Servers as BDCs, clients (Windows 98, NT Workstation, 95/DOS) and a stand-alone NT Server]
PDC (Primary Domain Controller): there can be only one Primary Domain Controller.

BDC (Backup Domain Controller): a Backup Domain Controller is a backup of the Primary Domain Controller. It can be converted to a Primary Domain Controller.

Stand-alone: stand-alone machines are clients. If the machine is an NT Server and you want it as a client, select stand-alone during the installation of NT Server. An NT client cannot be converted into a domain controller; NT Server has to be re-installed.

In NT 4.0 Server, 40,000 accounts (user, group or computer) can be made in one domain controller. At a time 4,000 users can log on to an NT Server, so we use Backup Domain Controllers: with each BDC another 40,000 accounts are added.

• What is Active Directory?

ADS is the directory service in a Windows 2003 network. A directory service is a network service that stores information about network resources and makes it available for use: it organizes, manages and controls those resources.

ADS provides centralized management, i.e. a single point of administration, and full user access to directory resources with a single logon.

• Active Directory Objects

Active Directory stores information about network objects. Active Directory objects represent network resources such as users, groups, computers and printers.

• ADS Schema

The ADS schema contains the definitions of all objects, such as computer, user and printer. In Windows 2003 there is only one schema for the entire forest. There are two types of definition in the schema:

1) Object classes
2) Attributes

An object class describes the possible directory objects that can be created; each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined once and can be used in multiple object classes.

Note: an example of an object class is user, and the attributes are the details of the user.

SCHEMA

Object Class      Attributes
User              First name
Group             Last name
Printer           Full name
Shared folder     Display name
OU                Description
                  Email id
                  Group name
                  Printer name

Note:
Some attributes are used by all object classes, like description, and some attributes are used by specific objects only, like first name and full name, which are used by users.

• LDAP (Lightweight Directory Access Protocol)

LDAP provides a way to communicate with ADS by specifying a unique name and path for each object in the directory.

Example: the domain MCSE.com contains the OU Sales, which contains the object User 1. Its distinguished name is:

CN = user 1, OU = sales, DC = MCSE, DC = com

Note: MCSE.com is split into two domain components, MCSE and com.

CN = Common Name
OU = Organizational Unit
DC = Domain Component
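As an added example (not from the original notes), the following Python code parses a distinguished name like the one above into its CN/OU/DC components and rebuilds the DNS domain name from the DC parts. It also handles a comma escaped with a backslash inside a value, which the notes' example does not show; the function names are mine.

```python
"""Parse LDAP distinguished names (DNs) as used by Active Directory.

Added example, not part of the original notes. Splits a DN into its
relative distinguished names (RDNs) the way RFC 4514 describes,
honouring backslash-escaped separators, and derives the DNS domain
name and OU path from the components.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, most specific RDN first.

    A comma inside a value may be escaped as '\\,', e.g.
    'CN=Gates\\, Bill,OU=Sales,DC=MCSE,DC=com'. Attribute types are
    case-insensitive, so they are normalised to upper case.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:              # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":          # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def _escape(value: str) -> str:
    """Re-escape a value so it can be joined back into a DN string."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def dns_name(dn: str) -> str:
    """Join the DC components into the DNS domain name (MCSE.com)."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def ou_path(dn: str) -> List[str]:
    """OU chain from the domain root down to the object's container."""
    return [v for t, v in reversed(parse_dn(dn)) if t == "OU"]


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (drop the leading RDN)."""
    return ",".join(f"{t}={_escape(v)}" for t, v in parse_dn(dn)[1:])


if __name__ == "__main__":
    example = "CN = user 1, OU = sales, DC = MCSE, DC = com"
    print(parse_dn(example))
    print(dns_name(example), ou_path(example), parent_dn(example))
```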

• Active Directory Service Logical Structure

• Domain

[Diagram: domain Cisco.com with a master DC running ADS, additional DCs running ADS, XP clients and a Windows 2000/2003 member server]

A domain is centralized. A domain is a security boundary. A domain is a unit of replication.

• Organizational Units (OUs)

An organizational unit is a container object that you use to organize objects within a domain. An organizational unit may contain objects such as users, groups, computers, printers and other organizational units.

[Diagram: domain MCSE containing the OUs Sales, HR and Mkt]

• Trees and Forests

Tree: a tree is a hierarchical arrangement of Windows 2003 domains. Domains in a tree share a contiguous name space.

Forest: a forest is one or more trees. Trees in a forest do not share a contiguous name space, but trees in a forest share a common schema and global catalog.

Domains in a 2003 forest have two-way transitive trust relationships.

[Diagram: forest/tree. MCSE.com is the first tree, with the child domains HR.MCSE.com and Sales.MCSE.com, each with its own DC. MCP.com is a new tree joined to the forest, with the child domain Admin.MCP.com. The forest shares one schema and one global catalog, and the trees are joined by a two-way transitive trust.]

MCSE.com is the master DC. It is the forest root, as it is the first tree under it. HR and Sales are child domains of MCSE.com and not new trees. MCP.com is a new tree in the joint forest MCSE.com, under which Admin is a child domain of MCP.com; the forest for it is MCSE.com. If you change MCSE.com, changes have to be made everywhere. Users under each domain or child domain are stored within that domain.

The schema and global catalog (on the master DC) resolve the queries of the domains and users.

• Global Catalog

A global catalog is a repository of information that contains a subset of the attributes of all objects in Active Directory. The global catalog performs important functions like:

1) Finding ADS information in the entire forest
2) Using universal group membership to log on to the network

The root domain has the global catalog. When any information is sent to the global catalog, the global catalog sends that information everywhere. After receiving the response, it sends that information back to the domain from where the request had been sent.

The first time, the global catalog searches for the information; from the next time onwards it does not search if the information is already there, otherwise it searches.

• Active Directory Services Physical Structure

• Domain Controller

[Diagram: DC replicating with an additional DC]

A domain controller is a computer running Windows 2003 Server that stores a replica of the directory. Changes made on one DC are replicated to the other DCs in the same domain.

• Site

A site consists of one or more IP subnets. Sites are connected by high-speed links. Sites control network traffic (over the leased line) and workstation logon traffic.

[Diagram: Site 1 with a DC and clients, connected over a leased line to Site 2 with its own DC and clients]

If Site 1 and Site 2 share a common DC, every time someone in Site 2 logs on it takes time, because the logon crosses the leased line. So, to reduce logon time and traffic, each site gets its own DC.

MODULE: IMPLEMENTING DNS TO SUPPORT ADS

• Role of DNS

1) DNS translates computer names to IP addresses. Computers use DNS to locate each other on the network.
2) Windows 2003 uses the DNS naming standard for domain names.
3) DNS domains and ADS domains share a common naming structure.

• DNS and ADS Name Space

DNS                                  ADS
Microsoft.com                        Microsoft
Sales.Microsoft.com (child)          Sales (child)
Training.Microsoft.com (child)       Training (child)
Comp1                                Comp1

FQDN = Fully Qualified Domain Name

Comp1.Training.Microsoft.com

It is the same for DNS and ADS.

The DNS host record and the ADS object represent the same physical computer.

• Service Records (SRV)

SRV records allow computers to locate the DCs. Windows 2003 uses SRV records to locate:

1) A DC in a domain or forest
2) A DC in the same site as the client computer
3) A DC configured as a global catalog server

[Diagram: DNS server holding host records for DC1, DC2, MailSrv, WebSrv, Comp1 and Comp2 (C1, C2, C3, S1, S2, S3 -> IP) and, in a separate folder, SRV records for the servers only (S1 -- DC -- LDAP, S2 -- DC -- LDAP, S3 -- HTTP, S4 -- Web/MX)]

Note:
SRV records are special records made to store the information of the server computers only. We add the computer name and IP address again in a different folder, but this time with more details like protocol, DC, etc.
SRV records are created so that it is easy for DNS to provide the IP of a server faster, without checking all the other records where the clients are also listed.

• Creating SRV Records

DNS server – right-click – Other New Records – Service Location (SRV) – Create Record.
The new record is created in the folder in DNS where all SRV records are stored.

MODULE: CREATING A WINDOWS 2003 DOMAIN

Domains are the core administrative units. The first domain created is the root domain for the entire forest. Use DCPROMO to create and remove domains and domain controllers.

• Preparing the ADS Installation (Requirements)

1) Windows 2003 Server (except Web Edition)
2) TCP/IP (static IP address)
3) DNS installed and configured
4) 300 MB disk space for the ADS database and 50 MB for log files
5) NTFS volume
6) Administrative rights

• Verifying the ADS Installation

• Verify DNS SRV Records

After installation the DNS zone contains these subfolders:
- _msdcs
- _tcp
- _udp
- _sites
under both the domain DNS name and the forest DNS name.

Use the nslookup command to query the registered SRV records: run nslookup, and at its prompt give: ls -t srv <domain name>.

The domain name is the same name given during the installation of DNS, e.g. MCSE. If the records are listed, DNS is properly installed.
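An added example, not from the original notes, that models the SRV lookups listed under "Service Records" and the _msdcs/_sites subfolders above: it builds the query names a Windows client uses for a DC in the domain, a DC in its own site and a global catalog, and picks a record by priority and weight the way DNS clients do (RFC 2782). The zone data and host names are constructed, and `lookup` stands in for a real DNS query.

```python
"""Locate a domain controller through the SRV records that Windows 2003
registers in DNS (the _msdcs / _tcp / _sites subtrees the notes list).

Added example, not part of the original notes. ZONE is constructed
sample data; real records are registered by each DC's Netlogon service.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. _ldap._tcp.dc._msdcs.mcse.com
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host offering the service


# Constructed zone for the forest root domain mcse.com with one site.
ZONE = [
    SrvRecord("_ldap._tcp.dc._msdcs.mcse.com", 0, 100, 389, "dc1.mcse.com"),
    SrvRecord("_ldap._tcp.dc._msdcs.mcse.com", 0, 100, 389, "dc2.mcse.com"),
    SrvRecord("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mcse.com",
              0, 100, 389, "dc1.mcse.com"),
    SrvRecord("_kerberos._tcp.dc._msdcs.mcse.com", 0, 100, 88, "dc1.mcse.com"),
    SrvRecord("_gc._tcp.mcse.com", 0, 100, 3268, "dc1.mcse.com"),
]


def locator_names(domain: str, forest: str,
                  site: Optional[str] = None) -> Dict[str, str]:
    """Query names for the three lookups the notes describe: any DC in
    the domain, a DC in the client's site, and a global catalog."""
    names = {
        "dc": f"_ldap._tcp.dc._msdcs.{domain}",
        "gc": f"_gc._tcp.{forest}",
    }
    if site:
        names["dc_in_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["gc_in_site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}"
    return names


def lookup(zone: List[SrvRecord], name: str) -> List[SrvRecord]:
    """Stand-in for a DNS query: all SRV records with this owner name."""
    return [r for r in zone if r.name.lower() == name.lower()]


def choose(records: List[SrvRecord],
           rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: lowest priority first, then weighted random."""
    if not records:
        return None
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.uniform(0, total)
    for r in pool:
        pick -= r.weight
        if pick <= 0:
            return r
    return pool[-1]


def find_dc(zone: List[SrvRecord], domain: str, forest: str,
            site: Optional[str] = None,
            rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Prefer a DC registered for the client's site, then any DC in the domain."""
    names = locator_names(domain, forest, site)
    for key in ("dc_in_site", "dc"):
        if key in names:
            rec = choose(lookup(zone, names[key]), rng)
            if rec:
                return rec
    return None


if __name__ == "__main__":
    print(find_dc(ZONE, "mcse.com", "mcse.com", "Default-First-Site-Name"))
    print(choose(lookup(ZONE, "_gc._tcp.mcse.com")))
```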

• Verify SYSVOL Folder

\windows\sysvol contains:
- domain
- staging
- staging areas
- sysvol

• Verify NTDS Folder

\windows\NTDS contains:
- ntds.dit
- edb*.log
- edb.chk
- res*.log
The ntds.dit file is where all the user information is stored. It is an important file.

• Verify Shared Folders

- Netlogon
- Sysvol

These two folders are shared by default after installing ADS.

PATH: Computer Management – Shared Folders – Shares.

In DNS you get the option Active Directory Integrated Zone after installing ADS.

• Default Password Policy

Once a PC is made a DC by installing ADS, password policies get enabled. We have to disable them from two places on the DC:

1st: Programs – Administrative Tools – AD Users and Computers – right-click MCSE.com – Properties – Group Policy – select and Edit – Computer Configuration – Windows Settings – Security Settings – Account Policies – Password Policy – change each password policy to Not Defined.

2nd: Run – gpedit.msc – Computer Configuration – Windows Settings – Security Settings – Account Policies – Password Policy – Not Defined.

• Logging On as a Normal User on the Domain

Once ADS is installed, no one can log on at the DC except the administrator, by the Default Domain Policy. Therefore, for others to log on at the DC, changes have to be made in two places:

1st: On the DC – Administrative Tools – AD Users and Computers – right-click MCSE.com – Properties – Group Policy – Default Domain Policy – Edit – Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment – Log on locally – Add User or Group – Advanced – Find Now – select Administrators and Everyone – OK.

2nd: Administrative Tools – Domain Controller Security Policy – Local Policies – User Rights Assignment – Allow log on locally – add Everyone – Apply – OK.

• Domain Modes in Windows 2003

• Mixed Mode

[Diagram: a Windows 2000 Server DC running ADS together with NT 4.0 BDCs; clients XP, NT, Windows 98 and 2000 Professional]

• Native Mode

[Diagram: a Windows 2000 Server DC running ADS with Windows 2000 Server additional DCs only; clients Windows 98, XP, 2000 Professional and NT]

• Functional Levels in Windows 2003

• Windows 2000 Mixed

[Diagram: a Windows 2003 Server DC running ADS with 2003 Server additional DCs and NT 4.0 BDCs; clients Windows 98, XP, 2000 Professional and NT]

• Windows 2000 Native

[Diagram: a Windows 2003 Server DC running ADS with Windows 2000 Server and 2003 Server additional DCs; clients Windows 98, XP, 2000 Professional and NT]

• Windows Server 2003

[Diagram: a Windows 2003 Server DC running ADS with Windows 2003 Server additional DCs only; clients Windows 98, XP, 2000 Professional and NT]

Once you raise the functional level from a lower to a higher one, you cannot revert from the higher functional level to the lower one.

Levels, from highest to lowest:
3. Windows Server 2003
2. Windows 2000 native
1. Windows 2000 mixed

Use Active Directory Domains and Trusts to view and raise the functional level. The default functional level in Windows 2003 is Windows 2000 mixed (level 1).
• Active Directory Users and Computers

It is the most important tool for managing users and groups on the domain. This tool contains the following by default:

1) Builtin
It is a container. It contains the default built-in security groups.

2) Computers
It is a container. It is the default location for the computer accounts of the domain (i.e. client computers are added here by default).

3) Domain Controllers
It is an OU. It is the default location of the domain controller computer accounts.

4) ForeignSecurityPrincipals
It is a container. It stores the SIDs (security identifiers) of principals from external trusted domains.

5) Users
It is a container. It is the default location of user accounts.

MCSE.com contains these five folders by default:
- Builtin
- Computers
- Domain Controllers
- ForeignSecurityPrincipals
- Users

Note: you can assign group policies only to OUs and not to containers. You can create OUs but not containers.

MODULE: SETTING UP AND ADMINISTERING USERS AND GROUPS

• Introduction
- Create a user account for each person who regularly uses the network.
- Create multiple user accounts in a single batch process; group user accounts to manage user access to shared resources.
- Nest groups inside other groups to reduce administration.

• User Logon Names

1. User principal name

abc@mcse.com (prefix: abc; suffix: mcse.com)

The suffix defaults to the name of the root domain, but it can be changed and other suffixes can be added. Additional suffixes are created from Active Directory Domains and Trusts. The first name is the user principal name.

2. User logon name (pre-Windows 2000)

It is mainly used for pre-Windows 2000 computers. A user selects the domain when logging on from a pre-2000 computer.

• Creating Multiple User Accounts in a Single Batch Process

[Diagram: a text file with user information is imported into ADS]

For each object the file:

1) must include the path to the user account's OU, the object type and the user logon name;
2) should include the user principal name and whether the user account is enabled or disabled;
3) can include personal user information, e.g. telephone number, email id, department;
4) cannot include the user's password.

Format of the text file for creating multiple users in a single batch process

CSVDE file: Comma Separated Value Directory Exchange

The 1st line is the syntax (heading); from the 2nd line onwards each line holds the information of one user:

user 1 -----------------
user 2 -----------------

Heading (1st line):

DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl

2nd line:

"CN=user1,OU=sales,DC=MCSE,DC=COM",user,user1,user1@mcse.com,bill gates,512

userAccountControl: 512 – enabled user, 514 – disabled user

Command to import this text file into ADS:

E:\> csvde -i -f new.txt

(E:\ is where the file was created; -i means import; -f gives the file name.)

• Using LDIFDE

DN = distinguished name
objectClass = whether it is a user or a group
sAMAccountName = logon name
userPrincipalName = user@domain logon name
displayName = full name
userAccountControl = enable or disable user
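The CSVDE format above, as an added Python example that is not part of the original notes: it builds the header and user lines the way the notes show (the DN quoted because it contains commas, 512/514 for enabled/disabled) and parses them back, rejecting a file that carries a password column. The account names and the domain mcse.com are constructed sample values.

```python
"""Write and read the CSVDE import file format the notes describe.

Added example, not part of the original notes. The first line is the
attribute header; each later line is one user. A value that contains a
comma (the DN) is quoted, exactly as in the notes' sample line.
userAccountControl 512 = normal enabled account,
514 = 512 | ACCOUNTDISABLE (0x2).
"""
import csv
import io
from typing import Dict, List, Tuple

HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
          "displayName", "userAccountControl"]
NORMAL_ACCOUNT = 0x200   # 512
ACCOUNTDISABLE = 0x002   # 2
PASSWORD_COLUMNS = ("unicodepwd", "userpassword")   # never allowed in the file


def make_user_rows(users: List[Tuple[str, str, bool]], ou: str,
                   dns_domain: str) -> List[List[str]]:
    """users: list of (sAMAccountName, displayName, enabled).
    Builds the DN from the OU and the DC components of the DNS name."""
    dc = ",".join(f"DC={part}" for part in dns_domain.split("."))
    rows = []
    for sam, display, enabled in users:
        uac = NORMAL_ACCOUNT | (0 if enabled else ACCOUNTDISABLE)
        rows.append([f"CN={sam},OU={ou},{dc}", "user", sam,
                     f"{sam}@{dns_domain}", display, str(uac)])
    return rows


def write_csvde(rows: List[List[str]]) -> str:
    """Render header plus rows; csv quotes the DN because of its commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def read_csvde(text: str) -> List[Dict[str, object]]:
    """Parse the file back into dicts, checking the rules the notes give:
    DN, object type and logon name are required, passwords are not allowed."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if any(h.lower() in PASSWORD_COLUMNS for h in header):
        raise ValueError("CSVDE import files cannot carry passwords")
    for required in ("DN", "objectClass", "sAMAccountName"):
        if required not in header:
            raise ValueError(f"missing column {required}")
    records = []
    for line in reader:
        if not line:
            continue
        rec: Dict[str, object] = dict(zip(header, line))
        uac = int(rec.get("userAccountControl", NORMAL_ACCOUNT))
        rec["enabled"] = not (uac & ACCOUNTDISABLE)
        records.append(rec)
    return records


if __name__ == "__main__":
    sample = make_user_rows([("user1", "bill gates", True),
                             ("user2", "jane doe", False)], "sales", "mcse.com")
    text = write_csvde(sample)
    print(text)
    for rec in read_csvde(text):
        print(rec["sAMAccountName"], "enabled" if rec["enabled"] else "disabled")
```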

• Managing Administrative Tasks

(Active Directory Users and Computers)
- Creating user accounts
- Resetting user passwords
- Enabling / disabling user accounts
- Unlocking user accounts
- Renaming user accounts
- Moving users between OUs
- Deleting user accounts

Two new options introduced in Windows 2003:

- Drag and drop users and objects between different organizational units
- Edit the common properties of multiple users at once
• Introduction to Groups in Active Directory

A group is a collection of users. Groups simplify assigning permissions to resources. Users can be members of multiple groups. A group can be nested inside another group.

There are 3 types of groups in a domain:

1. Global Group

Membership:
- Mixed mode: user accounts from the same domain
- Native mode: user accounts and global groups from the same domain

Can be a member of:
- Mixed mode: domain local groups (wherever there is a domain local group, this group can go under it)
- Native mode: universal and domain local groups in any domain, and global groups in the same domain

Scope: visible in its own domain and all trusted domains.

Permissions: all domains in the forest.

2. Domain Local Group

Membership:
- Mixed mode: user accounts and global groups from any domain
- Native mode: user accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain

Can be a member of:
- Mixed mode: not a member of any group
- Native mode: domain local groups of the same domain

Scope: only visible in its own domain.

Permissions: the domain in which the domain local group exists (i.e. only members of the same domain can see it).

3. Universal Group

Membership:
- Mixed mode: not applicable (there are no universal groups)
- Native mode: user accounts, global groups and other universal groups from any domain in the forest

Can be a member of:
- Mixed mode: not applicable
- Native mode: domain local and universal groups in any domain

Scope: visible in all domains in the forest.

Permissions: all domains in the forest.

[Diagram: the global groups Sales, Marketing and HR are added to the domain local group Hr5, and the permission is assigned to Hr5. By giving permission to the Hr5 local group we indirectly give permission to the Sales and HR users as well. After adding the HR OU users, Hr5 can be denied.]

Rules:

1. Add domain user accounts to a global group.
2. Add the global group to a domain local group.
3. Assign resource permissions to the domain local group.

MODULE: PUBLISHING RESOURCES IN ADS

• INTRODUCTION

We publish resources:
1. to create objects in ADS that contain the required information, or provide a reference to the required information;
2. that do not exist in Active Directory;
3. that are static (fixed) and change infrequently.

[Diagram: shared data, shared software and shared printers are published in ADS; XP clients find the printer through ADS]

1) Any printer shared by a Windows 2000/03 based print server is published in ADS by itself.
2) Any printer is automatically removed from Active Directory when its print server is removed from the network.
3) Each print server is responsible for its printers being published in ADS.

[Diagram: NT 4.0 / 98 print servers are published manually; Windows 2000/03 print servers are published automatically]

In Windows 2000/03 the print server's printers are automatically published, while the others, like NT 4.0/98 print servers, have to be published manually.

• MANAGING PUBLISHED PRINTERS

On a 2000/03 computer a shared printer is published by default.

To stop publishing a shared printer:

PATH: Printers -> Properties -> clear the option List in the Directory.

View published printers:

Active Directory Users & Computers -> View -> Users, Groups, and Computers as containers.
This will show all shared printers which are published.

• PUBLISHING PRINTERS FROM PRE-WINDOWS 2000 COMPUTERS

1) Install and share the printers on the pre-Windows 2000 computer.
2) On the domain go to Active Directory Users & Computers and specify the UNC path, i.e. \\computername\printername.

A printer published from a pre-Windows 2000 computer has to be removed from publishing manually.

• PUBLISHING SHARED FOLDERS

Publishing shared folders in ADS has to be done manually for any operating system.
1) Create and share the folder on the client.
2) On the domain:
Path: Active Directory Users & Computers -> right-click container -> New -> Shared Folder -> specify the UNC path, i.e. \\computername\sharename.

NOTE: the container can be anything, the computer name or a group like Sales.

MODULE: DELEGATING ADMINISTRATIVE CONTROL

• Active Directory Security Components

1) Security principal: it is an account holder to which you can assign permissions, e.g. user, group and computer.
2) Security identifier (SID): the SID identifies the security principal. SIDs are never reused.
3) Security descriptor: it is the security information associated with an object; it contains the DACL and the SACL.

DACL: Discretionary Access Control List.
It identifies the security principals that are allowed or denied access, and the level of access being allowed or denied.

SACL: System Access Control List.
It controls how access to the object is audited.

• LOGON PROCESS (STEPS WHEN A USER LOGS IN)

1) The user logs on.
2) The LSS (local security subsystem) service obtains a ticket for the user.
3) The LSS requests a workstation ticket.
4) The Kerberos service sends the workstation ticket.
5) The LSS service creates an access token.
6) The access token is attached to the user's process.

Example access token:

Security ID of user: 5-2-00-68 (sample value)
Group IDs: sales, hr, mkts
Rights: FC (full control)
• ADS PERMISSIONS FOR FOLDERS

There are two types of permission:

1) Implicit:
When permission to perform an operation is not explicitly assigned, it is implicitly denied.
E.g. Sales has Allow Read permission on a folder; Mkts is not added, so it is not allowed.

2) Explicit:
Permission can also be explicitly denied.
Sales ------- Allow Read ----------- \Data
Mkts -------- Deny Read ------------ \Data
i.e. Mkts is added and then denied Read permission.
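The implicit/explicit rules above, as an added Python example (not from the original notes): a simplified access check in which an explicit Deny wins, an explicit Allow grants, and a principal that is not listed at all is implicitly denied. SIDs such as S-Sales are constructed placeholders, and real Windows evaluates ACEs in canonical order, which this model does not reproduce.

```python
"""Evaluate a DACL against an access token the way the notes describe:
an explicit Deny wins, an explicit Allow grants, and anything not
listed is implicitly denied.

Added example, not part of the original notes. SIDs, group names and
the rights mask are constructed sample values, and the check is a
simplified model (Windows walks ACEs in canonical order instead).
"""
from dataclasses import dataclass, field
from typing import List, Set

READ, WRITE = 0x1, 0x2          # toy rights mask for the example
FULL_CONTROL = READ | WRITE


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    sid: str       # security principal the ACE names (user or group)
    mask: int      # rights covered by this ACE


@dataclass
class Token:
    """What the logon process attaches to the user's process:
    the user's SID plus the SIDs of the groups it belongs to."""
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids


def access_check(dacl: List[Ace], token: Token, wanted: int) -> bool:
    """True only if every wanted right is explicitly allowed to the user
    or one of its groups, and none of it is explicitly denied."""
    granted, denied = 0, 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue                      # ACE is about somebody else
        if ace.kind == "deny":
            denied |= ace.mask
        elif ace.kind == "allow":
            granted |= ace.mask
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    if denied & wanted:
        return False                      # explicit deny
    return (granted & wanted) == wanted   # no allow at all = implicit deny


def explain(dacl: List[Ace], token: Token, wanted: int) -> str:
    """Human-readable reason, useful when troubleshooting a denied access."""
    matching = [a for a in dacl if a.sid in token.sids()]
    if any(a.kind == "deny" and a.mask & wanted for a in matching):
        return "explicitly denied"
    if access_check(dacl, token, wanted):
        return "explicitly allowed"
    return "implicitly denied (no matching Allow ACE)"


# The notes' \Data example: Sales allowed Read, Mkts explicitly denied Read.
DATA_DACL = [Ace("allow", "S-Sales", READ), Ace("deny", "S-Mkts", READ)]


if __name__ == "__main__":
    for who, groups in [("u1", {"S-Sales"}), ("u2", {"S-Mkts"}), ("u3", {"S-HR"})]:
        print(who, explain(DATA_DACL, Token(f"S-{who}", groups), READ))
```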

• INTRODUCTION TO DELEGATION

[Diagram: Administrator controls the whole MCSE domain; admin1 controls the Sales OU, admin2 the HR OU and admin3 the Mkts OU]

NOTE: Administrator has full control over all OUs (Sales, HR, Mkts); admin1 has control only on Sales, and in parallel admin2 on HR and admin3 on Mkts.

Delegation allows you to:

1. Change properties on a particular container.
2. Create and delete objects of a specific type under an OU.
3. Update specific properties of objects under an OU.

To delegate:
Steps: Right-click OU -> Delegate Control -> add user or group -> select the permissions to delegate.

Removing delegation:
Steps: Go to Active Directory Users & Computers -> View -> select Advanced Features -> right-click the OU -> Properties -> Security -> select the user and remove.

MODULE: IMPLEMENTING GROUP POLICY

• Introduction

Group Policy enables you to:

1. set centralized and decentralized policy, i.e. for every group or for a specific one;
2. ensure that users have their required environment;
3. enforce corporate policies.

• GROUP POLICY STRUCTURE

Types of GP settings:
1. Administrative Templates: registry-based GP settings.
2. Security Settings: settings for local, domain and network security.
3. Software Installation: settings for central management of software installation.
4. Scripts: startup, shutdown, logon, logoff.
5. RIS: settings that control the options available to users when running the client installation wizard used by RIS.
6. IE Maintenance: settings to administer Microsoft IE (Internet Explorer).
7. Folder Redirection: settings for storing user folders on a network server.

• Group Policy Object (GPO)

The content of a GPO is stored in 2 different locations:

1. GPC (Group Policy Container)
It is located in ADS. It provides the version information used by the DCs.

2. GPT (Group Policy Template)
It is located in the shared SYSVOL folder. It provides the policy settings for 2000/2003 computers.

Group Policy contains two kinds of settings:

• GP settings for computers
Specify OS behaviour, desktop behaviour, security settings, computer startup and shutdown scripts, and computer-assigned application objects and application settings.

• GP settings for users
Specify OS behaviour, desktop behaviour, security settings, assigned and published application objects, user logon and logoff scripts, and folder redirection.

GP settings for computers apply when the machine starts and during the periodic refresh cycle (90 min).
GP settings for users apply when the user logs on to the computer.

Linking GPOs

GPOs can be linked to:
• Sites
• Domains
• OUs

[Diagram: domain Mcse.com with the Default Policy and a No Run policy stored in \Sysvol; OU Sales (users S1, S2, S3) with No Control; OU Mkt (users M1, M2, M3) with No Display; OU HR (users H1, H2, H3) with No Cmd. Each OU ends up with No Run plus its own policy.]

No Run is given to MCSE.com, i.e. the domain, so it is centralized and No Run applies to all:

Sales: No Run, No Control
Mkts: No Run, No Display
HR: No Run, No Cmd

Later, if you want to give No Control to HR as well, you don't have to create a new policy again for No Control; instead you take the existing No Control policy (the one on Sales) and link it to HR too.
• Applying Group Policy

(1) The Sales department people don't have rights to the Control Panel:

• Start
• Administrative Tools
• Active Directory Users & Computers
• Click the plus sign (domain name)
• Sales (Properties)
• Group Policy
• New (give any name, e.g. No Control)
• Double-click that name
• User Configuration
• Administrative Templates
• Control Panel
• Prohibit access to the Control Panel
• Enabled
• OK
• Close
• Close

There are two rules of policy:

1. You can link one Group Policy to multiple sites, domains and organizational units.
2. You can link multiple GPOs to one site, domain or organizational unit.

Creating a new Group Policy:

- Right-click Domain / OU
- Properties
- Group Policy
- New

Adding (linking) an existing Group Policy:

- Right-click Domain / OU
- Properties
- Group Policy
- Add

Group Policy is stored in the SYSVOL folder on the domain controller.

Group Policy Inheritance:

The domain policy is applied to all the domain users and the child OUs.

• BLOCK INHERITANCE

Used when an OU requires some settings but those settings are disabled by the parent's Group Policy through inheritance.
E.g. No Run is applied on the whole domain, but Sales wants access to Run, so we block policy inheritance on Sales, i.e. no policy from the parent comes to the child.

- Right-click Domain / OU
- Properties
- Group Policy
- Click Block Policy Inheritance

Applying a policy to the whole domain:
- Start
- Programs
- Administrative Tools
- Active Directory Users & Computers
- Microsoft.com (domain name)
- Right-click, Properties
- Group Policy
- New – Name
- Double-click the name
- User Configuration
- Administrative Templates
- Start Menu & Taskbar
- Remove Run from Start Menu
- Properties
- Enabled, OK, close the window
- OK (in Group Policy)

• Using No Override (forced)

This option is mainly used on the parent (domain / OU) so that the GPO is forced on the child OU even if Block Policy Inheritance is enabled on the child OU.

• Filter Group Policy

You can filter the GPO in case you do not want the policies to be applied to a particular user under an OU.

PATH:
- Right-click Domain / OU
- Properties – Group Policy
- Select the GP
- Properties
- Security
- Add the user
- Set Apply Group Policy to Deny
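An added example (not from the original notes) modelling how the linked GPOs, Block Policy Inheritance, No Override and security filtering described above combine into the policy a user finally receives, using the notes' MCSE.com / Sales / Mkt / HR setup. The classes, `resultant_policy` and the setting names are mine and simplified to plain flags.

```python
"""Model how Group Policy settings reach a user: domain and OU links
are applied parent-first, Block Policy Inheritance drops inherited
GPOs, No Override (forced) links survive the block and win conflicts,
and a user denied 'Apply Group Policy' on a GPO is filtered out.

Added example, not part of the original notes. Container and GPO names
follow the notes' MCSE.com example; settings are simplified flags.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, object]                 # setting name -> value
    denied: Set[str] = field(default_factory=set)   # SIDs denied Apply Group Policy


@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False                   # "No Override" on this link


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)   # order in the Group Policy tab
    block_inheritance: bool = False


def resultant_policy(chain: List[Container],
                     user_sids: Set[str]) -> Tuple[List[str], Dict[str, object]]:
    """chain: containers from the domain down to the user's own OU.
    Returns (GPO names in the order applied, merged settings)."""
    normal: List[Gpo] = []
    forced: List[Gpo] = []
    for container in chain:
        if container.block_inheritance:
            normal = []                  # drop everything inherited so far
        for link in container.links:
            if link.gpo.denied & user_sids:
                continue                 # security filtering: skip this GPO
            (forced if link.no_override else normal).append(link.gpo)
    # Normal links: the closer container wins, so apply the parent first.
    # Forced links: the link nearest the domain wins, so apply it last.
    order = normal + list(reversed(forced))
    merged: Dict[str, object] = {}
    for gpo in order:
        merged.update(gpo.settings)      # later GPO overrides earlier on conflict
    return [g.name for g in order], merged


# Constructed version of the notes' example.
NO_RUN = Gpo("No Run", {"remove_run": True})
NO_CONTROL = Gpo("No Control", {"prohibit_control_panel": True})
NO_DISPLAY = Gpo("No Display", {"hide_display_settings": True})
NO_CMD = Gpo("No Cmd", {"disable_cmd": True})

DOMAIN = Container("MCSE.com", [Link(NO_RUN)])
SALES = Container("Sales", [Link(NO_CONTROL)])
MKT = Container("Mkt", [Link(NO_DISPLAY)])
HR = Container("HR", [Link(NO_CMD)])


if __name__ == "__main__":
    for ou in (SALES, MKT, HR):
        print(ou.name, resultant_policy([DOMAIN, ou], {"S-user"}))
```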

• Folder Redirection

In folder redirection, a user saves his data in My Documents on comp2; later, if he logs in on any other PC, he finds the same data in My Documents of that PC (it is like a personal My Documents).

In folder redirection we create a shared folder on any PC, e.g. COMP10. Whenever a user sitting at any PC saves his data in My Documents, it gets saved in the shared folder on COMP10, and the user can access this data from My Documents on any PC.

Group Policy supports different types of folders to redirect:
- My Documents
- Start Menu
- Desktop
- Application Data

Advantages:
1. Data is always available to the user irrespective of the computer logged in to.
2. Data is centrally stored (on some other PC) for ease of management.
3. Network traffic is generated only when the user accesses the files.
4. Files are not saved on the client computer.

PATH: GPO – User Configuration – Windows Settings – Folder Redirection – My Documents

Steps on the DC:
- Create a new folder XYZ
- Share the folder and give full permission
- Active Directory Users & Computers
- Right-click the domain (Microsoft.com)
- Properties
- Group Policy
- Edit
- User Configuration
- Windows Settings
- Folder Redirection
- Right-click My Documents
- Properties

Folder redirection provides 2 options:
1. Basic: redirect all users' data to one location (i.e. save the data of all users in one folder).
2. Advanced: redirect various groups' data to different locations (i.e. save data group-wise in different folders).

• Introduction

In Windows 2003 you can use Group Policy to manage software deployment centrally.

The tasks used for deploying, installing and maintaining software are:

1) Preparation:
Prepare the files that enable the application to be deployed through Group Policy: copy the Windows Installer package file to a distribution point.

2) Deployment:
Create a GPO that installs the software on the client computers and link that GPO to the proper ADS container (OU).

3) Maintenance:
Deployed software is upgraded to a new version or redeployed with service packs and patch files.

4) Removal:
To remove software that is no longer required, remove the software package from the GPO.

• Benefits of Windows Installer

a) Resilient applications:
If a critical file is deleted or becomes corrupt, the application returns to the installation source and gets a new copy of the file.

b) Clean removal:
Applications are uninstalled without leaving orphaned files.

Assigning software:

You assign software to make sure that users have all the applications they need installed on their computers. The next time the user logs on, the newly installed software is advertised on their desktop.
Note: assigned software is installed from Start -> Programs.

Publishing software:
When you publish software it becomes available for users to install on their computers. Published software is not advertised on the desktop.
Published software is available in Control Panel -> Add/Remove Programs -> Add New Programs.

Assigned software supports software resilience, and published software supports document activation.

Removing software:
When you remove assigned or published software, you can remove it completely from all computers, or just not allow new installations for new users.

Path:
Group Policy – Computer Configuration – Software Settings – Software Installation – New – Package.

MODULE: CREATING AND MANAGING TREES AND FORESTS

• Introduction

Tree:
Trees are a hierarchical arrangement of Windows 2003 domains that share a contiguous name space.

[Diagram: MCSE.com is created as a new domain in a new tree in a new forest; HR.MCSE.com and Sales.MCSE.com are created as new child domains in that tree]

FOREST:

A forest is one or more trees. Trees in a forest do not share a contiguous name space. Trees in a forest share a common schema, configuration and global catalog.

Forest root domain:

The first domain created in the forest is called the forest root. The name of the forest root domain is used to refer to the entire forest.

The forest root domain contains 2 predefined groups:

* Schema Admins
* Enterprise Admins

CREATING THE FIRST DOMAIN (ROOT)

DCPROMO
* Domain controller type - DC for a new domain
* Create a new DC - Domain in a new forest

CREATING A NEW CHILD DOMAIN

DCPROMO
* Domain controller type - DC for a new domain
* Create a new DC - Child domain in an existing domain tree
* Network credentials - specify domain user name and password

CREATING A NEW TREE IN THE FOREST

DCPROMO
* Domain controller type - DC for a new domain
* Create a new DC - Domain tree in an existing forest
* Network credentials - specify domain user name and password

CREATING AN ADDITIONAL DC

DCPROMO
* Domain controller type - Additional DC for an existing domain
* Network credentials - specify domain user name and password

• Benefits of creating multiple domains

1. Reduce replication traffic.
2. Maintain separate policies between domains.
3. Preserve the domain structure from Windows NT.
4. Separate administrative control.

• Requirements for installing an additional DC

• Master DC installed
• Windows 2003 Server with a static IP
• DNS server
• NTFS volume
• Administrator password of the master DC

• Managing ADS Replication

Replication is the process of updating information in ADS from one DC to another DC within a domain.

The DCs keep talking to each other (replicating among themselves).

[Diagram: DC replicating with an additional DC]

How replication works

ADS can be updated in the following ways:
• Adding objects
• Modifying objects
• Moving objects
• Deleting objects

• Replication Latency
It is the time needed for a change made on one DC to replicate and be received by another DC.
The default replication latency is 5 min.

• Replication Conflicts
There are three types of conflicts:
• Attribute value (i.e. a user's telephone number, info, etc.)
• Add or remove an object under a deleted container
E.g. another admin has deleted the container Mkt while we are creating a user under Mkt at the same time.
• Sibling name
E.g. another admin is creating s1 in Sales while we are creating s1 in Mkt at the same time on another PC.

• Active Directory Services Sites

1. The first site is set up automatically and is called Default-First-Site-Name.
2. Sites can consist of zero, one or more subnets.
3. Sites are used to control replication traffic and logon traffic.
4. Sites contain server objects and are associated with IP subnet objects.

• Active Directory Services Replication Within Sites

1. Occurs between domain controllers in the same site.
2. Assumes fast and highly reliable network links.
3. Does not compress replication traffic.
4. Uses a change notification mechanism.

• Active Directory Services Replication Between Sites

1. Occurs on a manually defined schedule.
2. It is used to optimize bandwidth.
3. One or more replicas in each site act as bridgehead servers.

[Diagram: two sites, each with its own DCs, replicating with each other]

 Replication Protocols

1. RPC (Remote Procedure Call) over IP:

Used for all replication within a site and, by default, for replication between sites. The RPC traffic is authenticated between the DCs.

2. SMTP (Simple Mail Transfer Protocol):

Can replicate only the schema, configuration and global catalog (partial domain) partitions between sites; it cannot replicate a domain partition between domain controllers of the same domain. It is asynchronous, requires an enterprise certification authority so that the mail can be signed and encrypted, and is only worth considering for sites that have no reliable IP connection.

 Configuring a Site Link

1. Transport: the replication protocol that carries the replicated data (IP, meaning RPC over IP, or SMTP).

2. Member sites: the two or more sites connected by the site link.

3. Cost: a number that represents how expensive the organisation considers replication traffic over the link; the lower the cost, the more preferred the link. The default cost is 100. When site links are bridged (the default), the cost of a route through several links is the sum of their costs, and the lowest-cost route is used.

4. Schedule: the hours during which replication across the link is allowed (by default, always).

5. Replication interval: how often, within the scheduled window, replication across the link is attempted. The default is 180 minutes and the minimum is 15 minutes. The interval does not control how long a replication cycle runs.
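The following PowerShell script is an added example, not part of the course notes: it shows what "cost" means in practice by computing the cheapest replication route between two sites over a set of site links, the way the KCC/ISTG does when site links are bridged. The site names, link names, costs and intervals are constructed, and Get-CheapestRoute is an illustrative helper name.

```powershell
# Added example (not from the course notes): least-cost route over site links.
# Sites, links, costs and intervals below are constructed sample data.
$siteLinks = @(
    New-Object PSObject -Property @{ Name = 'HQ-Branch1';      Sites = @('HQ', 'Branch1');      Cost = 100; IntervalMinutes = 180 }
    New-Object PSObject -Property @{ Name = 'HQ-Branch2';      Sites = @('HQ', 'Branch2');      Cost = 100; IntervalMinutes = 180 }
    New-Object PSObject -Property @{ Name = 'Branch1-Branch2'; Sites = @('Branch1', 'Branch2'); Cost = 500; IntervalMinutes = 60  }
)

function Get-CheapestRoute {
    # Dijkstra's shortest path over the site link graph. A route's cost is the
    # sum of the costs of the links it crosses; the lowest total wins.
    param([string]$From, [string]$To, [object[]]$Links)
    $cost = @{ $From = 0 }   # best known cost from $From to each site
    $prev = @{}              # for each site: the previous site and the link used
    $done = @{}
    while ($true) {
        # Pick the unfinished site with the lowest known cost.
        $current = $null
        foreach ($site in $cost.Keys) {
            if ($done.ContainsKey($site)) { continue }
            if ($null -eq $current -or $cost[$site] -lt $cost[$current]) { $current = $site }
        }
        if ($null -eq $current) { break }
        $done[$current] = $true
        # Relax every link that touches the current site.
        foreach ($link in $Links) {
            if ($link.Sites -notcontains $current) { continue }
            foreach ($neighbour in $link.Sites) {
                if ($neighbour -eq $current) { continue }
                $candidate = $cost[$current] + $link.Cost
                if (-not $cost.ContainsKey($neighbour) -or $candidate -lt $cost[$neighbour]) {
                    $cost[$neighbour] = $candidate
                    $prev[$neighbour] = @{ Site = $current; Link = $link.Name }
                }
            }
        }
    }
    if (-not $cost.ContainsKey($To)) { return $null }   # sites are not connected at all
    # Walk back from the destination to list the links in order.
    $route = @()
    $site = $To
    while ($site -ne $From) {
        $route = @($prev[$site].Link) + $route
        $site = $prev[$site].Site
    }
    New-Object PSObject -Property @{ From = $From; To = $To; Cost = $cost[$To]; Route = ($route -join ' -> ') }
}

Get-CheapestRoute -From 'Branch1' -To 'Branch2' -Links $siteLinks |
    Select-Object From, To, Cost, Route
# Branch1 to Branch2 is routed HQ-Branch1 -> HQ-Branch2 at total cost 200, not over
# the direct Branch1-Branch2 link at cost 500, even though that link replicates
# more often. To force the direct link, give it a cost below 200.
```

The replication interval and schedule are not part of the cost calculation: on a multi-link route each link replicates on its own interval, and the route is usable only when the schedules of all its links overlap, so a cheap route made of links with non-overlapping schedules never replicates at all.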

 Managing Operations Masters

An operations master is a domain controller that performs a specific role in Windows 2003 Active Directory and is the only DC allowed to make a specific set of directory changes. The roles are also called FSMO (flexible single master operations) roles.

 Introduction to Operations Masters

1. Only the DC that holds a specific operations master role can perform the associated Active Directory changes.
2. Changes made by an operations master are replicated to the other domain controllers in the normal way.
3. Any domain controller can hold an operations master role.
4. A role can be transferred to another domain controller (gracefully, while both DCs are online) or seized (when the holder is permanently unavailable).

 Operation Master Roles

1. Schema Master
2. Domain Naming Master
3. PDC Emulator
4. RID Master
5. Infrastructure Master

 Operations Master Default Locations

Forest-wide roles (one holder per forest):
    Schema Master
    Domain Naming Master

Domain-wide roles (one holder per domain):
    PDC Emulator
    RID Master
    Infrastructure Master

By default the first DC installed in the forest root domain holds all five roles. The first DC installed in each child domain holds that domain's three domain-wide roles.

 Schema Master:
Controls all updates to the schema. Schema changes made on the schema master are replicated to every domain controller in the forest. There is only one schema master per forest.

 Domain Naming Master:
Controls the addition or removal of domains in the forest. There is only one domain naming master per forest.

 PDC Emulator:
Acts as the PDC for Windows NT BDCs and pre-Windows 2000 client computers. Receives password changes from every other DC immediately (urgent replication), so a logon that fails on another DC because of a just-changed password is retried against the PDC emulator. It is the DC on which Group Policy objects are edited by default, which prevents two administrators from overwriting each other's GPO changes, and it is the authoritative time source for the domain.

 RID Master:
The relative identifier master allocates blocks (pools) of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group or computer object, it assigns the object a unique security identifier (SID) made up of the domain SID plus a RID taken from its pool. Because every pool is handed out only once, no two security principals receive the same SID. The RID master is also involved when an object is moved from one domain to another.

 Infrastructure Master:
Updates references to objects in other domains (for example group members that belong to another domain) when those objects are renamed or moved. It should not run on a global catalog server unless every DC in the domain is a global catalog: a GC already holds the cross-domain references itself, so an infrastructure master on a GC never notices that they are stale.

 Seizing Operations Master Roles

(Used when the DC that holds a role has crashed or is otherwise permanently down.)

[Figure: master DC (down) --- seize the OM roles ---> additional DC]

If the master DC has crashed or is down, you can make the additional DC the new role holder by seizing the operations master roles. Always try a transfer first; seize only the roles the failed DC actually held, and only when it cannot be brought back.

Note: once you have seized the schema master, domain naming master or RID master role, the original holder must never be connected to the network again. Reinstall it, and remove its remaining metadata from the directory first (ntdsutil metadata cleanup). The PDC emulator and infrastructure master roles are safe to seize: if the original holder comes back, it simply gives up the role.

 Steps to Seize the OM Roles

o Log on to the additional DC that is to become the new holder, booted normally (Directory Services Restore Mode is not required; the directory service must be running).
o At a command prompt type the following commands:
o ntdsutil ↵
o ntdsutil: ? ↵   (lists the available commands)
o ntdsutil: roles ↵
o fsmo maintenance: connections ↵
o server connections: connect to server computername.domain.com ↵
o server connections: quit ↵
o fsmo maintenance: seize PDC ↵
  Click Ok at the confirmation prompt. ntdsutil first attempts a normal transfer and seizes only if the current holder does not respond.
o fsmo maintenance: seize RID master ↵   Ok
o fsmo maintenance: seize infrastructure master ↵   Ok
o fsmo maintenance: seize domain naming master ↵   Ok   (only if the failed DC held it)
o fsmo maintenance: seize schema master ↵   Ok   (only if the failed DC held it)
o fsmo maintenance: quit ↵
o ntdsutil: quit ↵
o Verify the new holder of each role you seized: netdom query fsmo lists all five, or dsquery server -hasfsmo pdc (rid, infr, name, schema) shows one.
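The following PowerShell script is an added example, not part of the course notes: it drives the same ntdsutil session non-interactively (ntdsutil accepts each command as a command-line argument, in order) and verifies every role with dsquery afterwards. It assumes the Windows Server 2003 Support Tools (dsquery, netdom) are installed on the surviving DC; the DC name is a placeholder, the role list is an assumption about what the failed DC held, and Invoke-Ntdsutil and Invoke-SeizeRole are illustrative helper names.

```powershell
# Added example (not from the course notes): seize operations master roles with
# ntdsutil from PowerShell on the surviving additional DC, then verify.
param(
    [string]$NewHolder = 'dc02.corp.example.com',                          # assumed
    [string[]]$Roles   = @('PDC', 'RID master', 'infrastructure master')  # assumed: roles the dead DC held
)

function Invoke-Ntdsutil {
    # Every element of $Commands is handed to ntdsutil as one line typed at
    # its prompts, in order, which turns the interactive session into a script.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { $_.ToString() }
}

function Invoke-SeizeRole {
    param([string]$Server, [string]$Role)
    # 'seize' first tries a normal transfer and seizes only if the current holder
    # does not answer. ntdsutil still shows a Yes/No confirmation for each role.
    Invoke-Ntdsutil @(
        'roles',
        'connections',
        "connect to server $Server",
        'quit',
        "seize $Role",
        'quit',
        'quit'
    )
}

# Keywords dsquery server -hasfsmo understands, one per role.
$fsmoKeyword = @{
    'PDC'                   = 'pdc'
    'RID master'            = 'rid'
    'infrastructure master' = 'infr'
    'domain naming master'  = 'name'
    'schema master'         = 'schema'
}

$shortName = $NewHolder.Split('.')[0]
foreach ($role in $Roles) {
    Write-Host "Seizing $role on $NewHolder ..."
    Invoke-SeizeRole -Server $NewHolder -Role $role | Write-Host
    # dsquery prints the DN of the server object that now holds the role.
    $holder = (& dsquery.exe server -hasfsmo $fsmoKeyword[$role]) -join ''
    if ($holder -match [regex]::Escape($shortName)) {
        Write-Host "  OK: $role is now held by $holder"
    } else {
        Write-Warning "  $role holder is reported as '$holder'; check the ntdsutil output above"
    }
}

# Final picture of all five roles.
& netdom.exe query fsmo
```

If the list includes the schema master, domain naming master or RID master, run ntdsutil metadata cleanup for the failed DC straight afterwards and rebuild that machine from scratch; it must not rejoin the domain with its old identity.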

 Managing the Active Directory Database

The Active Directory database is managed in the following ways:

o Back up the Active Directory database
o Restore the Active Directory database
o Defragment the Active Directory database
o Move the Active Directory database

 The Files in Active Directory

o Ntds.dit: this single file is the Active Directory database and stores all of the Active Directory objects held by the domain controller. The .dit extension stands for directory information tree. Default location: %SystemRoot%\NTDS.

o Edb.log: the current transaction log file. Every change is written to the log first and to Ntds.dit afterwards. Each log file is 10 MB; when Edb.log is full it is renamed (Edb00001.log, Edb00002.log, and so on) and a new Edb.log is started.

o Edb.chk: a checkpoint file used by the database engine to track which log entries have not yet been written to the database file. After a crash, recovery replays the log from the checkpoint onwards.

o Res1.log and Res2.log: reserved transaction log files, 10 MB each. Their pre-allocated space is used to write out pending transactions if the disk runs out of space, so that the DC can shut down without losing changes.

 Backing Up the Active Directory Database

You back up the Active Directory database by choosing the System State option in Windows Backup (ntbackup). The database files cannot be copied individually while the directory service is running.

System State data consists of:
1. The Active Directory database and its logs (only on a DC)
2. The Sysvol folder (only on a DC)
3. The Registry
4. System startup (boot) files
5. The COM+ class registration database
6. The Certificate Services database (if Certificate Services is installed)

A system state backup can be used to restore Active Directory only while it is younger than the tombstone lifetime (60 days by default on Windows Server 2003; 180 days in forests created with Service Pack 1 or later). An older backup would reintroduce objects that the other DCs have already purged.
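The following PowerShell script is an added example, not part of the course notes: it takes a system state backup with ntbackup's command line and then checks the age of the newest backup against the tombstone lifetime actually configured in the forest, which is the test that decides whether the backup is still usable for a restore. It assumes it runs on a DC as an administrator; the backup directory is a placeholder and the three function names are illustrative.

```powershell
# Added example (not from the course notes): system state backup plus a check
# of backup age against the forest's tombstone lifetime.
param([string]$BackupDir = 'D:\Backups')   # assumed backup location

function Backup-SystemState {
    param([string]$Directory)
    if (-not (Test-Path $Directory)) { New-Item -ItemType Directory -Path $Directory | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $file  = Join-Path $Directory "SystemState-$env:COMPUTERNAME-$stamp.bkf"
    # ntbackup command line: back up the system state to a .bkf file under a job name.
    & ntbackup.exe backup systemstate /j "System State $env:COMPUTERNAME $stamp" /f $file
    if (-not (Test-Path $file)) { throw "ntbackup did not produce $file; check the backup report" }
    return $file
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the configuration
    # partition. When the attribute is absent the default of 60 days applies;
    # forests created with 2003 SP1 or later have it set to 180.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value } else { return 60 }
}

function Test-BackupAge {
    param([string]$Directory, [int]$TombstoneLifetimeDays)
    $newest = Get-ChildItem -Path $Directory -Filter '*.bkf' |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return 'No system state backup found' }
    $ageDays = ((Get-Date) - $newest.LastWriteTime).TotalDays
    if ($ageDays -ge $TombstoneLifetimeDays) {
        return "UNUSABLE: $($newest.Name) is $([int]$ageDays) days old; tombstone lifetime is $TombstoneLifetimeDays days"
    }
    return "OK: $($newest.Name) is $([int]$ageDays) days old (limit $TombstoneLifetimeDays days)"
}

$backup = Backup-SystemState -Directory $BackupDir
"Backed up system state to $backup"
Test-BackupAge -Directory $BackupDir -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```

Schedule the script well inside the tombstone lifetime (daily or weekly) and keep the .bkf files off the DC itself; a backup that only exists on the disk of the DC it protects is lost together with the DC.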

 Restoring the Active Directory Database

There are two types of restore:

1. Non-authoritative restore: returns the DC to the state it was in when the backup was taken. Normal replication then brings the restored DC up to date with the other DCs, so anything deleted since the backup stays deleted. This is the restore to use when a DC's own database is damaged.

Steps: 1. Restart the DC in Directory Services Restore Mode (press F8 during startup).
       2. Log on with the DSRM administrator account (the local SAM account whose password was set during dcpromo).
       3. Start Windows Backup and restore the system state backup.
       4. Restart the domain controller normally.

2. Authoritative restore: a non-authoritative restore followed by marking specific objects (or the whole database) as authoritative, so that they win replication and are reinstated on every DC. Use it to bring back a deleted user, OU or whole subtree.

Steps: 1. Restart the DC in Directory Services Restore Mode.
       2. Restore the system state backup but do not restart the computer.
       3. Run Ntdsutil.exe.
       4. Type authoritative restore to switch to the authoritative restore prompt.
       5. Type restore object "<distinguished name of the object>", or restore subtree "<distinguished name>" for an OU together with everything under it.
       6. Quit Ntdsutil.
       7. Restart the domain controller normally.

 Defragmenting the Active Directory Database

Active Directory defragments its database online every 12 hours as part of garbage collection, but online defragmentation never shrinks Ntds.dit. Run an offline defragmentation periodically, and after deleting a large number of objects, to reclaim the space.

Steps: 1. Restart the DC in Directory Services Restore Mode.
       2. Log on with the DSRM administrator account.
       3. Run Ntdsutil.exe:
          ntdsutil: files
          file maintenance: compact to Z:\Compact   (the target must have free space at least the size of Ntds.dit)
       4. Keep a copy of the original Ntds.dit, copy the compacted file over the original in %SystemRoot%\NTDS, and delete the old *.log files from the log directory.
       5. file maintenance: integrity   to verify the database before restarting normally.

 Moving the Active Directory Database

Steps: 1. Restart the DC in Directory Services Restore Mode.
       2. Log on with the DSRM administrator account.
       3. Run Ntdsutil.exe:
          ntdsutil: files
          file maintenance: move DB to D:\NTDS      (move logs to D:\NTDSLogs moves the transaction logs)
       Ntdsutil moves the files and updates the paths in the registry. Keep database and logs on NTFS and, ideally, on separate disks.
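The following PowerShell script is an added example, not part of the course notes: it carries out the complete offline defragmentation procedure from the previous section (compact, replace, delete old logs, integrity check) and refuses to run unless Ntds.dit is really offline. It uses the same ntdsutil files submenu that move DB to and move logs to belong to. It assumes a PowerShell session in Directory Services Restore Mode, a placeholder temporary directory with free space at least the size of Ntds.dit, and illustrative helper names Invoke-Ntdsutil and Test-DatabaseOffline.

```powershell
# Added example (not from the course notes): offline defragmentation of Ntds.dit
# with ntdsutil, run from Directory Services Restore Mode.
param([string]$CompactDir = 'D:\NtdsCompact')   # assumed temporary location

function Invoke-Ntdsutil {
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { $_.ToString() }
}

function Test-DatabaseOffline {
    # While the directory service runs, lsass holds Ntds.dit open exclusively,
    # so an exclusive open succeeding proves we really are in restore mode.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $stream.Close()
        return $true
    } catch { return $false }
}

# The current database and log locations are recorded under the NTDS service key.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'         # e.g. C:\WINDOWS\NTDS\ntds.dit
$logDir = $ntds.'Database log files path'   # e.g. C:\WINDOWS\NTDS

if (-not (Test-DatabaseOffline $dbFile)) {
    throw "$dbFile is in use: Active Directory is running. Reboot into Directory Services Restore Mode first."
}
if (-not (Test-Path $CompactDir)) { New-Item -ItemType Directory -Path $CompactDir | Out-Null }

# 1. Compact into the temporary directory; the original file is not touched.
Invoke-Ntdsutil @('files', "compact to $CompactDir", 'quit', 'quit') | Write-Host
$compacted = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw 'compact did not produce a new ntds.dit; do not continue' }

# 2. Keep the original, replace it with the compacted copy, and delete the old
#    transaction logs: they belong to the old database and must not be replayed.
Copy-Item $dbFile "$dbFile.bak" -Force
Copy-Item $compacted $dbFile -Force
Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item -Force

# 3. Verify before rebooting normally. If this reports errors, put ntds.dit.bak back.
Invoke-Ntdsutil @('files', 'integrity', 'quit', 'quit') | Write-Host

$before = [math]::Round((Get-Item "$dbFile.bak").Length / 1MB)
$after  = [math]::Round((Get-Item $dbFile).Length / 1MB)
"Ntds.dit size before: $before MB, after: $after MB"
```

Delete the .bak copy only after the DC has rebooted normally and replication with its partners has been confirmed; it is the only way back if the compacted database turns out to be damaged.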

