Active Directory Domain Services

Microsoft Windows Server 2008
Active Directory Domain Services (AD DS)
Windows Server 2008 server role that provides a centralized authentication and directory service for Microsoft networks.
Active Directory Lightweight Directory Services (AD LDS)
Role that gives developers the ability to store data for directory-enabled applications without incurring the overhead of extending the Active Directory schema to support their applications.
Domain Controller (DC)
A server that stores a writable copy of the Active Directory database and authenticates users to the network during logon.
Replication
The process of keeping each domain controller in sync with changes that have been made elsewhere on the network.
Outbound replication
Occurs when a domain controller transmits replication information to other domain controllers on the network.
Inbound replication
Occurs when a domain controller receives updates to the Active Directory database from other domain controllers on the network.
Major Benefits of AD Services
Centralized resource and security administration
Single logon for access to global resources
Fault tolerance and redundancy
Simplified resource location
Functional Levels
Designed to offer support for AD domain controllers running various supported operating systems by limiting functionality to specific software versions. As legacy DCs are decommissioned, administrators can modify the functional levels to expose new functionality within AD.
Server 2008 AD on a DC - what tools are added to the Administrative Tools folder?
AD Users and Computers
AD Domains and Trusts
AD Sites and Services
Fault Tolerant
The ability to respond gracefully to a software or hardware failure. Specifically, the network continues providing authentication services after the failure of a DC.
Read-Only Domain Controller (RODC)
Introduced in Windows Server 2008, a DC that holds a read-only copy of the ntds.dit file; it accepts inbound replication only and never replicates changes out to other DCs. By default it caches no account passwords; only accounts allowed by its Password Replication Policy are cached, which limits what is exposed if the RODC itself is stolen or compromised.
ntds.dit
AD database information file stored on each DC.
Multimaster database
AD is one: administrators can update the directory (ntds.dit) from any writable DC, and the change is then replicated to all other DCs.
Loose Consistency
Individual DCs in an AD forest may contain slightly different information, because it can take anywhere from a few seconds to several hours for changes to replicate throughout a given environment.
Simplified resource location
An option that allows users to access network resources by searching the Active Directory database for the desired resource.
Container Object
An object that is used to organize other objects.
Leaf object
An object that does not contain other objects and usually refers to a resource such as a printer, folder, user, or group.
What are the Container Objects that are found in Server 2008?
Domain Trees
Organizational Units (OUs)
Forest
The largest container object within AD.
Defines the fundamental security boundary within AD - a user can access resources across an entire AD forest using a single logon/password combination. Because the forest, not the domain, is the security boundary, every domain in a forest has to be trusted equally: an administrator of any domain in the forest can affect the whole forest.
Partitions/Naming Contexts (NCs)
AD is divided into these portions to improve the efficiency of accessing and replicating AD data.
What is the minimum number of NCs on a DC, and what are they called?
Three:
Schema NC
Configuration NC
Domain NC
Schema Naming Context
Contains the rules and definitions that are used for creating and modifying object classes and attributes within AD.
Configuration Naming Context
contains information regarding the physical topology of the network, as well as other configuration data that must be replicated throughout the forest.
Domain Naming Context
consists of user, computer, and other resource information for a particular AD Domain.
Schema and Configuration NCs are replicated--
Forest-wide - shared by every domain and domain tree within the forest.
Domain Naming Context is replicated --
to each DC within a single domain.
Domain Tree
In AD, a logical grouping of network resources and devices that can contain one or more domains configured in a parent-child relationship.
Forest -- Domain Tree --- Domains structure
Each AD forest can contain one or more Domain trees. Each Domain tree can contain one or more domains.
Domain
A grouping of objects in AD that can be managed together. A domain is an administrative and replication boundary and controls access to resources such as computers, printers, servers, applications, and file systems; the forest remains the true security boundary.
Global catalog replication
Does not replicate to all DCs; the global catalog (a partial, read-only replica of every domain NC in the forest) is replicated only to DCs configured as global catalog servers.
Forest Root Domain
The first domain created within an AD forest.
Organizational Units (OUs)
A container that represents a logical grouping of resources that have similar security or administrative guidelines.
OU structure
Modeled after the company's organizational chart, departments, and/or resource needs. Security settings (permissions and Group Policy) applied to an OU are inherited by all child objects of the container.
delegation of control
Administration of an OU is delegated to a department supervisor or manager, allowing that person to manage day-to-day resource access as well as more mundane tasks, such as resetting passwords. Delegate only the specific rights needed rather than Full Control, since rights granted on an OU are inherited by every object beneath it.
Name the objects that can be contained in an OU.
Users, Groups, Contacts
Printers, Shared folders
Computers, OUs, InetOrgPerson
What is the Fourth Partition type, first introduced in Windows Server 2003?
Application Partition.
Provides fine-grained control: administrators can direct which DCs in a domain or forest the partition replicates to (AD-integrated DNS zones, for example, are stored in the DomainDnsZones and ForestDnsZones application partitions).
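The naming contexts and application partitions above can be read straight from a DC's RootDSE object, which every DC exposes over LDAP. The following is an added example, not part of the original study notes; it assumes a domain-joined Windows host with PowerShell 2.0 or later that can reach a DC over LDAP, and uses only the standard RootDSE attribute names.

```powershell
# Added example (not from the original study notes). RootDSE is the LDAP root object
# every DC publishes; the attributes read below are its standard attributes.
$rootDse = [ADSI]"LDAP://RootDSE"

$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext   # NC of the domain you are logged on to
$rootNC   = [string]$rootDse.rootDomainNamingContext
$dcName   = [string]$rootDse.dnsHostName

"Answered by DC     : $dcName"
"Schema NC (forest) : $schemaNC"
"Config NC (forest) : $configNC"
"Domain NC (domain) : $domainNC"
"Forest root domain : $rootNC"

# Every NC this DC hosts, as advertised by the DC itself.
$allNCs = @($rootDse.namingContexts | ForEach-Object { [string]$_ })

# Anything beyond the three mandatory NCs is an application partition
# (for example DC=DomainDnsZones,... and DC=ForestDnsZones,... when DNS is AD-integrated).
$mandatory     = @($schemaNC, $configNC, $domainNC)
$appPartitions = @($allNCs | Where-Object { $mandatory -notcontains $_ })

""
"Application partitions hosted on $dcName ($($appPartitions.Count)):"
$appPartitions | ForEach-Object { "  $_" }
```

Run it against several DCs (replace `LDAP://RootDSE` with `LDAP://dc02.example.com/RootDSE`, a placeholder host) and the application-partition list will differ between DCs, whereas the three mandatory NCs are the same on every DC of the domain.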
Object
An element in AD that refers to a resource.
Attributes
Characteristics associated with an object class in AD that make the object class unique within the database.
Where are the attributes defined?
In the Schema, but the same attribute can be associated with more than one object class.
Schema
Master database that contains the definitions of all objects in AD. It contains two components: object classes and attributes.
Name the Object classes automatically created when AD is installed.
Users, Groups
Computers, DCs
Common Attributes of all Object Classes
Unique Name
Globally Unique ID (GUID): a 128-bit number, usually displayed in hexadecimal
Required Object Attributes
Optional Object Attributes
Access Control Lists (ACLs)
Set by administrators and stored in each object's security descriptor; used by the directory to keep track of which users and groups have permission to access specific objects and to what degree they can read, use, or modify them.
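Delegation of Control (above) works by adding explicit ACEs to the ACL of an OU, so the way to audit who was delegated what is to read that ACL. The following is an added example, not from the original study notes; it uses ADSI only (no RSAT needed) and the OU DN is a placeholder built from the lucernepublishing.com domain used later in these notes.

```powershell
# Added example (not from the original study notes). Lists the explicit, non-inherited
# ACEs on an OU, which is exactly where the Delegation of Control wizard puts the rights
# it grants, and flags ACEs that amount to full control of the OU and everything under it.
$ouDN = 'OU=sales,DC=lucernepublishing,DC=com'     # placeholder OU
$ou   = [ADSI]"LDAP://$ouDN"

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
# WriteDacl or WriteOwner lets the holder rewrite the ACL; GenericAll is everything.
$controlBits = $ADR::WriteDacl -bor $ADR::WriteOwner

# GetAccessRules(includeExplicit, includeInherited, identity type): explicit ACEs only,
# because inherited ones were set on a parent container, not delegated here.
$rules = $ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

foreach ($rule in $rules) {
    $rights = $rule.ActiveDirectoryRights
    $isControl = (($rights -band $controlBits) -ne 0) -or
                 (($rights -band $ADR::GenericAll) -eq $ADR::GenericAll)

    # An empty ObjectType GUID means the right applies to the whole object; a specific GUID
    # narrows it to one attribute, class or extended right (e.g. "Reset Password").
    $scope = if ($rule.ObjectType -eq [Guid]::Empty) { 'all' } else { $rule.ObjectType.ToString() }

    $flag = ''
    if ($isControl -and $rule.AccessControlType -eq 'Allow') {
        $flag = '  <-- control-equivalent right, confirm this delegation is intended'
    }
    "{0,-5} {1,-40} scope={2,-36} {3}{4}" -f $rule.AccessControlType, $rule.IdentityReference, $scope, $rights, $flag
}
```

Default entries (SYSTEM, Domain Admins, Enterprise Admins, Authenticated Users read) will appear alongside the delegated ones; anything granting WriteDacl, WriteOwner or GenericAll to a help-desk or departmental group is effectively handing that group the OU.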
Site
One or more IP subnets connected by fast links. Usually means all computers that are connected via a single LAN.
Knowledge Consistency Checker (KCC)
An internal AD process that automatically creates and maintains the replication topology.
Which snap-in is used to view and manage the topology the KCC builds?
The AD Sites and Services snap-in, located in the Administrative Tools folder on a DC or on an administrative workstation with the Administrative Tools installed.
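Replication health (inbound and outbound replication, loose consistency, and the connection objects the KCC generates) is usually checked from the command line rather than the snap-in. The following is an added example, not from the original study notes; it uses repadmin, which ships with the AD DS role and RSAT, and the column names are those of repadmin's own `/csv` output. DC01 is a placeholder DC name; running it requires rights to read replication metadata (Domain Admins, or delegated "Manage replication topology").

```powershell
# Added example (not from the original study notes).

# 1. Inbound replication status for every DC in the forest, one row per (DC, partner, NC).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# 2. Partners that are currently failing: these DCs are drifting out of sync.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failing |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# 3. Loose consistency in numbers: the five oldest successful inbound syncs in the forest.
#    A large gap here is the window in which a change (e.g. a disabled account) is not
#    yet visible on that DC.
$rows |
    Where-Object { $_.'Last Success Time' } |
    Sort-Object { [datetime]$_.'Last Success Time' } |
    Select-Object -First 5 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' |
    Format-Table -AutoSize

# 4. Forest-wide summary (largest delta per source/destination) for a quick overview.
repadmin /replsummary

# 5. Ask the KCC on DC01 to recalculate its topology now (it normally runs every 15 minutes),
#    then list the connection objects it maintains in the Configuration NC.
repadmin /kcc DC01
repadmin /showconn DC01
```

If step 2 lists a partner with a non-zero failure count for days, that DC's copy of the domain NC is stale; do not trust it as the source of truth during an incident, and pull replication metadata from a healthy DC instead.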
Lightweight Directory Access Protocol (LDAP)
Industry standard that enables data exchange between directory services and applications.
What defines the naming of all objects in the AD database?
The LDAP standard; AD therefore provides a directory that can be integrated with other directory services, such as Novell eDirectory, and with AD-aware applications, such as MS Exchange.
Distinguished Name (DN)
Used by LDAP to refer to an object. The DN references an object in the AD directory structure using its entire hierarchical path, starting with the object itself and including all parent objects up to the root of the domain.
LDAP naming attributes defined
CN = common name
OU = organizational unit name
DC = domain component, one for each part of the DNS name
JSmith of the sales department of lucernepublishing.com - what is the DN?
CN=JSmith,OU=sales,DC=lucernepublishing,DC=com
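A DN is read leaf-first and, because values may themselves contain commas (escaped with a backslash, as in `CN=Smith\, John`), it cannot safely be split on commas with a plain string split. The following is an added example, not from the original study notes: a small DN splitter that honours backslash escapes and converts the DN into the root-first canonical name that the AD consoles display. The sample DN is constructed for this example from the lucernepublishing.com domain used above; it needs only PowerShell 2.0 or later.

```powershell
# Added example (not from the original study notes).

function Split-DistinguishedName {
    # Returns the RDNs of $DN leaf-first as objects with Type and Value, splitting only on
    # commas that are not preceded by a backslash (RFC 4514 escaping).
    param([Parameter(Mandatory=$true)][string]$DN)

    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false

    foreach ($ch in $DN.ToCharArray()) {
        if ($escaped) {                       # char after '\' is literal, even if it is ','
            [void]$current.Append($ch); $escaped = $false
        } elseif ($ch -eq '\') {
            [void]$current.Append($ch); $escaped = $true
        } elseif ($ch -eq ',') {              # unescaped comma ends the current RDN
            $rdns.Add($current.ToString().Trim()); $current.Length = 0
        } else {
            [void]$current.Append($ch)
        }
    }
    if ($current.Length -gt 0) { $rdns.Add($current.ToString().Trim()) }

    foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        if ($value -eq $null) { throw "Malformed RDN (no '='): $rdn" }
        New-Object PSObject -Property @{ Type = $type.Trim().ToUpper(); Value = $value.Trim() }
    }
}

function ConvertTo-CanonicalName {
    # DN (leaf-first) -> "dns.domain/Container/.../Leaf" (root-first), unescaping values.
    param([Parameter(Mandatory=$true)][string]$DN)

    $parts  = @(Split-DistinguishedName $DN)
    $domain = @($parts | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value }) -join '.'
    $path   = @($parts | Where-Object { $_.Type -ne 'DC' } |
                ForEach-Object { $_.Value -replace '\\(.)', '$1' })   # drop the escaping backslashes
    [array]::Reverse($path)
    (@($domain) + $path) -join '/'
}

# Constructed sample input for this example; the escaped comma is the interesting part.
$dn = 'CN=Smith\, John,OU=sales,OU=Corporate,DC=lucernepublishing,DC=com'
Split-DistinguishedName $dn | Format-Table Type, Value -AutoSize
ConvertTo-CanonicalName $dn
```

For the sample DN the splitter yields five RDNs (the first being `CN` = `Smith\, John`, not two fragments), and the canonical name is `lucernepublishing.com/Corporate/sales/Smith, John`. The same escaping rules are why user-supplied values must be escaped before being inserted into a DN or an LDAP filter.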
User Principal Names (UPNs)
In Windows Server 2008, follows the format username@domainname, for example jsmith@lucernepublishing.com. Provides consistency between the user's logon name and the user's email name.
Domain Name System (DNS)
The name resolution mechanism computers use for all Internet communications and for private networks that use the AD domain services included with MS Windows Server 2008 and earlier server versions.
What provides the translation of a host name to its IP address?
DNS.
What is a foundational requirement for AD?
DNS. The DC role cannot be installed on a server unless that server can locate an appropriate DNS server, either on the same machine or somewhere on the network.
Locator Service
AD DNS provides direction for network clients that need to know which server performs what function.
SRV Records
The locator records within DNS that allow clients to locate an AD domain controller or global catalog (for example _ldap._tcp.dc._msdcs.<domain>).
The ability to resolve SRV records allows clients to do what?
Locate a DC and authenticate to AD.
What does dynamic updates permit the DNS clients to do?
To automatically register and update their own records in the DNS database. AD-integrated zones should be set to allow only secure dynamic updates, so that only the authenticated account that registered a record can change it.
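The SRV records above are the first thing to check when a client cannot join or log on to a domain, and the same records tell anyone who can query the DNS server where every DC, GC and KDC is. The following is an added example, not from the original study notes; it uses Resolve-DnsName (the DnsClient cmdlet available from Windows 8 / Windows Server 2012 onward) and nltest (present on every supported Windows version). lucernepublishing.com is the domain used in these notes; substitute your own.

```powershell
# Added example (not from the original study notes).
$domain = 'lucernepublishing.com'

# The locator records a client must resolve before it can find each role.
$queries = @{
    'Any DC (LDAP)'       = "_ldap._tcp.dc._msdcs.$domain"
    'Any GC (LDAP 3268)'  = "_gc._tcp.$domain"
    'Kerberos KDC'        = "_kerberos._tcp.dc._msdcs.$domain"
    'PDC emulator'        = "_ldap._tcp.pdc._msdcs.$domain"
}

foreach ($role in $queries.Keys) {
    $fqdn    = $queries[$role]
    $records = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "$role : no SRV record for $fqdn - clients cannot locate this role"
        continue
    }
    "$role ($fqdn):"
    # Lower priority wins; among equal priorities, higher weight is chosen more often.
    $records |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object { "  {0,-40} port {1,-5} prio {2} weight {3}" -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight }
}

# The OS-level check: ask the DC locator which DC (and which GC) it would actually pick.
# This exercises DNS plus the LDAP ping to the candidate DC in one step.
nltest /dsgetdc:$domain
nltest /dsgetdc:$domain /gc
```

A warning for `_ldap._tcp.dc._msdcs` means domain join and Kerberos logon will fail even though the A records for the DCs may resolve fine; a DC that is missing from the list has usually failed to register dynamically (Netlogon service or DNS permissions).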
Forest and Domain Functional Levels
Designed to offer support for AD DCs running various supported operating systems. As you decommission legacy controllers, you can modify these functional levels to expose new functionality within AD.
Rolling Upgrades
Upgrade strategy based on functional levels that allows enterprises to migrate their AD DCs gradually, based on the need and desire for the new functionality.
How are changes to functional level performed?
An administrator makes the change manually. Note that once the change has taken place, it is not reversible: you would have to perform a domain- or forest-wide restore of the AD database to return your network to the previous functional level.
What are the three domain functional levels supported in Windows Server 2008?
Windows 2000 Native
Windows Server 2003
Windows Server 2008
What is allowed in Windows 2000 Native domain functional level?
backward compatibility with MS Windows 2000
allows Windows 2000, Windows Server 2003, and Windows Server 2008 DCs.
What is allowed in Windows Server 2003 domain functional level?
Only Windows Server 2003 and Windows Server 2008 DCs are allowed.
What is allowed in Windows Server 2008 domain functional level?
No backward compatibility. Only Windows Server 2008 DCs are supported.
Windows 2000 Native Domain Functional Level features
Install from Media
Application Directory Partitions
Drag-and-drop User Interface
Universal groups
Windows Server 2003 Domain Functional Level features
All listed in Windows 2000 Native
Replicated lastLogonTimestamp attribute
User password on inetOrgPerson
Domain rename
Windows Server 2008 Domain Functional Level features
All listed in Windows Server 2003
Improved SYSVOL replication
Improved encryption for authentication (AES 128/256 support for Kerberos)
Improved auditing of user logons (last interactive logon information)
Multiple password policies per domain.
Name the three forest functional levels
Windows 2000
Windows Server 2003
Windows Server 2008
What is the default forest functionality enabled when Windows Server 2008 DC is introduced into the network?
Windows 2000
Windows 2000 Forest Functional features
Install from Media
Universal Group Caching
Application Directory Partitions
Enhanced User Interface
Windows Server 2003 Forest Functional features
All listed in Windows 2000
Improved replication of group objects
Improved ISTG functionality
Conversion to inetOrgPerson objects
Schema deactivations to attributes & classes
Dynamic Auxiliary class objects
Domain renaming
Cross-forest trusts
All new domains at Windows Server 2003 domain functional level
Windows Server 2008 forest functional features
All listed in Windows Server 2003
All new domains at Windows Server 2008 domain functional level
Guidelines to raise the forest functional level
Log on as member -Enterprise Admins Group
Connect to DC with Schema Master Role.
Check that all DCs are running an OS supported by the targeted forest functional level
Raising the forest functional level is irreversible.
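The guidelines above are a pre-flight checklist, and each item can be verified before the irreversible step is taken. The following is an added example, not from the original study notes; it uses the ActiveDirectory PowerShell module (RSAT, available from Windows Server 2008 R2 onward; on a Windows Server 2008 RTM DC the equivalent steps are done in AD Domains and Trusts), and the actual Set-ADForestMode call is left commented out so the script is safe to run as a check. The same DC inventory also shows which DCs are read-only (RODCs) and which hold the global catalog.

```powershell
# Added example (not from the original study notes).
Import-Module ActiveDirectory

$targetLevel = 'Windows2008Forest'   # ADForestMode value for the Windows Server 2008 level
$forest      = Get-ADForest

# 1. Log on as a member of Enterprise Admins (RID 519 in the forest root domain).
$isEA = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        Where-Object { $_.Value -like 'S-1-5-21-*-519' }
if (-not $isEA) { throw 'Current token does not contain Enterprise Admins; log on as a member first.' }

# 2. The change is made on the schema master, so target that DC explicitly.
$schemaMaster = $forest.SchemaMaster
"Forest $($forest.Name): current mode = $($forest.ForestMode), schema master = $schemaMaster"

# 3. Every DC in every domain must run an OS the target level supports.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object HostName, Domain, OperatingSystem, IsReadOnly, IsGlobalCatalog, Site |
       Format-Table -AutoSize

# Windows Server 2008 forest level: no Windows 2000 or Windows Server 2003 DCs anywhere.
$blocking = $dcs | Where-Object { $_.OperatingSystem -match 'Windows (2000|Server 2003)' }
if ($blocking) {
    Write-Warning "Cannot raise to $targetLevel; decommission or upgrade these DCs first:"
    $blocking | ForEach-Object { Write-Warning "  $($_.HostName) ($($_.OperatingSystem))" }
    return
}

# 4. Irreversible on Windows Server 2008: there is no way back except a forest-wide restore,
#    so take a system state backup of the schema master before uncommenting this line.
# Set-ADForestMode -Identity $forest -ForestMode $targetLevel -Server $schemaMaster -Confirm:$false
```

Because a decommissioned DC that was not cleanly demoted still has a computer object and NTDS Settings in the Configuration NC, it will keep showing up in step 3 and block the raise until its metadata is cleaned up (ntdsutil metadata cleanup, or deleting the stale server object in AD Sites and Services).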
trust relationship
Enables administrators of a particular domain to grant users in other domains access to their domain's resources.
describe the trust relationships in an AD forest
When a child domain is created, it automatically receives a two-way transitive trust with its parent domain.
When a new domain tree is created, the root domain of the new tree automatically receives a two-way transitive trust with the forest root domain.
shortcut trust
A manually created transitive trust (one-way or two-way) between two domains in the same forest that allows child domains in separate trees to authenticate more efficiently by eliminating the tree-walking of a trust path.
Trust path
The path up a domain tree through the child domains and parent domains to the root domain and then down the other tree to the desired child domain.
external trust
A nontransitive trust (one-way or two-way) established with a Windows NT domain, or with a single domain in a separate forest. Because it is nontransitive, only the two domains involved trust each other, not the rest of either forest.
cross-forest trust
Transitive trust (one-way or two-way) between the root domains of two AD forests that allows resources to be shared between the forests; requires the Windows Server 2003 forest functional level or higher in both forests.
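The trust types above are distinguishable from the flags each trust object carries, and a quick inventory of them is the first step of any trust review. The following is an added example, not from the original study notes; nltest ships with Windows, while Get-ADTrust requires the ActiveDirectory module from Windows Server 2012 / Windows 8 RSAT or later (an assumption about your tooling). It assumes you can query the domain you are logged on to.

```powershell
# Added example (not from the original study notes).

# Every trust the current domain knows about, with the direction flags nltest reports
# (Direct Outbound / Direct Inbound), plus the automatically created intra-forest trusts.
nltest /domain_trusts /all_trusts

Import-Module ActiveDirectory

function Get-TrustKind {
    # Maps the trust object's flags onto the categories used in the notes above.
    param($Trust)
    if ($Trust.IntraForest)           { return 'within forest (parent-child, tree-root or shortcut)' }
    if ($Trust.ForestTransitive)      { return 'forest (cross-forest, transitive)' }
    return 'external (nontransitive)'
}

$trusts = Get-ADTrust -Filter *
foreach ($t in $trusts) {
    $kind = Get-TrustKind $t
    "{0,-35} {1,-14} {2}" -f $t.Name, $t.Direction, $kind
    # For any trust that crosses the forest boundary, SID filtering (quarantine) is what stops
    # a SID from the trusted side being honoured in our forest via sIDHistory. Flag it if off.
    if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
        Write-Warning "  $($t.Name): SID filtering is not enabled on this trust; review before relying on it"
    }
}
```

`Direction` is reported from the local domain's point of view (Inbound means users of the other domain can be granted access here), which is the direction that matters when reviewing who can reach your resources.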