Active Directory Database Information That Is Stored on Each Domain Controller in a File Named NTDS.Dit
Active Directory database information is stored on each domain controller in a file named NTDS.dit. Active Directory builds in fault tolerance through its multi-master domain controller design. In a Windows Server 2003 environment, Active Directory provides fault tolerance using a multi-master replication system, where multiple servers, installed as domain controllers, share a common database.

In Active Directory, each object is defined in a schema. A schema is a master database that contains definitions of all objects in the Active Directory; in effect, it is the Active Directory. There are two parts to the schema: object classes and attributes.

The GUID is a 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.

An organizational unit (OU) is a container that represents a logical grouping of resources that have similar security guidelines. OUs can contain the following objects:
- Users
- Groups
- Contacts
- Printers
- Shared folders
- Computers
- OUs
- InetOrgPerson

A domain tree is a grouping of domains that have the same parental hierarchy and share part of the name of the parent domain. Each tree contains a domain family. A forest is the highest level in the Active Directory domain hierarchy. Administrative security implemented at the forest level flows down through the hierarchy to all domain trees below.

In a forest, Active Directory uses directory partitions to store and replicate information. The forest-wide directory partitions include the schema and configuration partitions. They are defined as follows:
- Schema partition: contains the rules and definitions that are used for creating and modifying object classes and attributes.
- Configuration partition: contains the replication topology and other configuration data that must be replicated throughout the forest.

A site is defined as one or more IP subnets that are connected by fast links.
In most circumstances, the LAN constitutes a site. Sites are created to facilitate the replication of Active Directory information. All domain controllers within the same site replicate information at regular intervals, while domain controllers at external sites replicate less frequently. Within a site, the knowledge consistency checker (KCC) is responsible for assisting in this optimization by creating and maintaining the replication topology. The KCC does its job based on the information provided by the administrator in the Active Directory Sites And Services snap-in. Administrators can add connections and force replication in particular situations, but the KCC can generally take care of all replication topology issues.

Windows Server 2003 has a specific service that must be supported by DNS for the Active Directory infrastructure to function properly. This service is as follows:
- Support for SRV records: SRV records are locator records within DNS that provide a mapping to a host providing a service. For example, a client requesting access to Active Directory via the logon process would need to locate an Active Directory server. This query would be resolved by the appropriate SRV resource record.

Dynamic updates permit DNS clients to automatically register and update their information in the DNS database. When a domain controller is added to the forest, the SRV and A records are added dynamically to the DNS database to permit the locator service to function. Dynamic DNS provides a convenient method to assist in keeping the database current. However, some security-minded companies will disable this ability so that changes to the database cannot be made without administrative intervention.

The domain functional levels include:
- Windows 2000 mixed: allows for backward compatibility with Microsoft Windows NT 4.0 and Microsoft Windows 2000.
- Windows 2000 native: allows for backward compatibility with Microsoft Windows 2000.
- Windows Server 2003 interim: provides an upgrade path to Windows Server 2003 for Microsoft Windows NT 4.0 domains.
- Windows Server 2003: provides the highest functionality and does not provide any backward compatibility with older operating systems.

Requirements for Raising Domain Functional Levels

Raising the domain functional level has a number of important guidelines, as follows:
- To raise the functional level of a domain, you must be a member of the Domain Admins group.
- The functional level of a domain can be raised only on the server that holds the Primary Domain Controller (PDC) emulator role.
- The functional level of a domain can be raised only if all domain controllers in the target domain are running supported versions of the operating system.
- Raising the functional level is an irreversible procedure.

There are three levels of forest functionality: Windows 2000, Windows Server 2003 interim, and Windows Server 2003.

Requirements for Raising Forest Functional Levels

Raising the forest functional level has a number of important guidelines, as follows:
- To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.
- The functional level of a forest can be raised only on the server that holds the Flexible Single Master Operations Schema Master role. This server is the authority for all schema changes.

With regard to Windows 2000 and Windows Server 2003, interdomain and intraforest trust relationships are considered transitive. Transitive is defined by Merriam-Webster as "being or relating to a relation with the property such that, if the relation holds between a first element and a second, and between the second element and a third, it holds between the first and third elements." When a resource is accessed via the cross-forest trust, a secure link is established using the Kerberos authentication protocol.
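Because raising a functional level is irreversible, it is worth verifying the guidelines above (role holder, group membership, operating system of every domain controller) before doing it. The following pre-flight script is an added example, not from the textbook; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, which postdates the Windows Server 2003 tooling the text describes, and the supported-OS pattern is an assumed parameter because it depends on the target level.

```powershell
# Added example, not from the textbook: pre-flight checks against the functional-level
# guidelines above. Assumes the ActiveDirectory module (RSAT) on a domain-joined host;
# the supported-OS pattern is an assumed parameter, since it depends on the target level.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [string]$SupportedOsPattern = 'Windows Server 20(16|19|22)'   # assumed; adjust per target level
)
$domainInfo = Get-ADDomain -Identity $Domain
$forestInfo = Get-ADForest
$thisHost   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Role holders: the domain level is raised on the PDC emulator, the forest level on the Schema Master.
"Domain mode   : $($domainInfo.DomainMode)   Forest mode: $($forestInfo.ForestMode)"
"PDC emulator  : $($domainInfo.PDCEmulator)   (this host: $($thisHost -eq $domainInfo.PDCEmulator))"
"Schema master : $($forestInfo.SchemaMaster)   (this host: $($thisHost -eq $forestInfo.SchemaMaster))"

# Group membership: Domain Admins for the domain level, Enterprise Admins (forest root) for the forest level.
$domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive).SamAccountName
$entAdmins    = (Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forestInfo.RootDomain -Recursive).SamAccountName
"Domain Admins member     : $($domainAdmins -contains $env:USERNAME)"
"Enterprise Admins member : $($entAdmins -contains $env:USERNAME)"

# Every DC in the target domain must run a supported OS; list any that would block the raise.
$dcs      = Get-ADDomainController -Filter * -Server $Domain
$blocking = @($dcs | Where-Object { $_.OperatingSystem -notmatch $SupportedOsPattern })
if ($blocking.Count -gt 0) {
    "Domain controllers blocking the raise (the raise is irreversible, so fix these first):"
    $blocking | Select-Object HostName, OperatingSystem, Site | Format-Table -AutoSize
} else {
    "All $(@($dcs).Count) domain controllers match '$SupportedOsPattern'."
}
```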
CAUTION: Active Directory Fails When Out of Disk Space. If you are planning to migrate users from another directory service, it is important to allocate enough free space to accommodate each user object. If Active Directory runs out of space, the directory service will not start.

Before installing Active Directory, consider these hardware, software, and administrative requirements:
- A server running Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition. NOTE: Active Directory cannot run on Windows Server 2003 Web Edition.
- An administrator account and password on the local machine.
- An NT file system (NTFS) partition for the Sysvol folder structure.
- 200 MB minimum free space on the previously mentioned partition for Active Directory database files.
- 50 MB minimum free space for the transaction log files. These files can be located on the same partition as the database files or elsewhere. However, to achieve optimal performance, these files should be located on a physical drive other than the one holding the operating system. Placing the database and log files on separate hard drives results in better performance, since they do not need to compete for the input/output (I/O) processes of a single drive.
- Transmission Control Protocol/Internet Protocol (TCP/IP) must be installed and configured to use DNS.
- An authoritative DNS server for the DNS domain must be installed to support service resource (SRV) records. In addition, Microsoft recommends that the server providing DNS for Active Directory support incremental zone transfers and dynamic updates.
Zone transfer is the process of replicating DNS information from one DNS server to another. With an incremental zone transfer, bandwidth is conserved because the entire zone does not have to be transferred; only the changes are transferred. When the Internet Protocol (IP) address of a host changes, dynamic updates allow the DNS database to be updated with the changed information. This allows for more efficiency in the maintenance of the database, resulting in fewer resolution problems for clients.

A pre-installation checklist should include the following:
- Local administrator password
- Domain controller type
- Domain name
- Desired location for database and log files, if using other than the default locations
- Desired location for the Sysvol folder structure, if using other than the default location
- DNS installation information, such as whether or not DNS will reside on this server. If not, the IP address and name of a preferred DNS server should be available.
- Permissions settings
- Desired Directory Services Restore Mode password
- The installation CD-ROM or the location of the installation files
- Any relevant service packs or hotfixes

The first Active Directory domain on the network is the forest root domain. The forest root domain is the parent domain to any child domains within the Active Directory infrastructure. The first server in this domain is named the forest root domain controller. This controller holds all of the flexible single master operation roles until replica domain controllers are added to the domain. Flexible single master operation roles are specific server roles that work together to enable the multi-master functionality of Active Directory.

The Sysvol folder is a shared system folder that contains the domain's public files. The folder structure within the Sysvol share contains replicated data such as logon scripts and policies. The Sysvol folder must be stored on an NTFS partition.
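The disk, file-system and DNS prerequisites above, together with the locator-record requirement described earlier, can be verified before promotion. The following readiness script is an added example, not from the textbook; it assumes Windows PowerShell 5.1 or later with the DnsClient module (Windows Server 2012 or later, not the 2003-era tooling in the text), and the domain name, folder paths and the -ExistingDomain switch are assumed inputs.

```powershell
# Added example, not from the textbook: checks the installation prerequisites listed above.
# Assumes Windows PowerShell 5.1+ with the DnsClient module (Windows Server 2012 or later);
# all paths, the domain name and the -ExistingDomain switch are assumed inputs.
param(
    [string]$DnsDomain    = 'corp.example.com',      # constructed sample domain
    [string]$DatabasePath = 'C:\Windows\NTDS',       # assumed NTDS.dit folder
    [string]$LogPath      = 'D:\NTDSLogs',           # assumed log folder on a second drive
    [string]$SysvolPath   = 'C:\Windows\SYSVOL',     # default location named in the text
    [switch]$ExistingDomain                          # also expect DC locator SRV records
)
$MinDbMB = 200; $MinLogMB = 50                       # minimums from the text

function Get-Disk([string]$Path) {
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
}
function New-Check($Name, [bool]$Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$sysvolDisk = Get-Disk $SysvolPath
$dbDisk     = Get-Disk $DatabasePath
$logDisk    = Get-Disk $LogPath
$osDrive    = [System.IO.Path]::GetPathRoot($env:SystemRoot).TrimEnd('\')
$dbFreeMB   = [math]::Floor($dbDisk.FreeSpace / 1MB)
$logFreeMB  = [math]::Floor($logDisk.FreeSpace / 1MB)
$results = @(
    New-Check 'Sysvol partition is NTFS' ($sysvolDisk.FileSystem -eq 'NTFS') "$($sysvolDisk.DeviceID) is $($sysvolDisk.FileSystem)"
    New-Check "Database partition has $MinDbMB MB free" ($dbFreeMB -ge $MinDbMB) "$dbFreeMB MB free on $($dbDisk.DeviceID)"
    New-Check "Log partition has $MinLogMB MB free" ($logFreeMB -ge $MinLogMB) "$logFreeMB MB free on $($logDisk.DeviceID)"
    # Compares drive letters only; two letters can still share one physical drive, so treat this as a hint.
    New-Check 'Logs not on the OS drive' ($logDisk.DeviceID -ne $osDrive) "logs on $($logDisk.DeviceID), OS on $osDrive"
)

# DNS: an authoritative server for the domain must exist (SOA). Once a DC has registered,
# the well-known locator record _ldap._tcp.dc._msdcs.<domain> must resolve to it.
try {
    $soa = Resolve-DnsName -Name $DnsDomain -Type SOA -ErrorAction Stop | Where-Object Type -eq 'SOA'
    $results += New-Check 'Authoritative DNS zone found' ($null -ne $soa) ($soa.PrimaryServer -join ', ')
} catch { $results += New-Check 'Authoritative DNS zone found' $false $_.Exception.Message }
if ($ExistingDomain) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
        $results += New-Check 'DC locator SRV records resolve' ($srv.Count -gt 0) (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
    } catch { $results += New-Check 'DC locator SRV records resolve' $false $_.Exception.Message }
}
$results | Format-Table -AutoSize
```

Run it without -ExistingDomain before promoting the first domain controller, since the locator SRV records only appear after a domain controller has registered them.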
This page allows you to accept the default location of C:\WINDOWS\SYSVOL or select a different folder for these files.

Directory Services Restore Mode Password

Directory Services Restore Mode is one of the methods used for disaster recovery.