Active Directory Fundamentals
Win Moody
Senior Trainer, QA
win.moody@qa.com
What we will cover:
- Domains, Trees, Forests
- Domain Controllers, Sites
- The Domain Naming Service (DNS)
- Replication
- Operations Masters
- Lots of demos...
Prerequisite Knowledge
- Understanding of what a directory service is
Level 200+
Agenda
- Active Directory Logical Concepts
- Active Directory Physical Concepts
- DNS
- Replication
- Operations Masters
Active Directory Logical Concepts: Domains
- Boundary of Security
  - Authentication
  - Security Policies
- Boundary of Replication
  - Domain NC Replication
- Boundary of DNS Namespace
- Boundary of Administration
(Figure: the example domain KAPOHO.NET)
Active Directory Logical Concepts: Trees
- Hierarchy of Domains forming a contiguous namespace
- Transitive Trust Relationships
- All Domains in a Tree share:
  - Schema
  - Configuration
  - Global Catalog
(Figure: tree rooted at KAPOHO.NET with child domains EUROPE.KAPOHO.NET and HAWAII.KAPOHO.NET, and grandchild domain MAUI.HAWAII.KAPOHO.NET)

Active Directory Logical Concepts: Forests
- Hierarchy of Domains forming a contiguous or disjoint namespace
- Transitive Trust Relationships
- All Domains in a Forest share:
  - Schema
  - Configuration
  - Global Catalog
(Figure: forest with two trees, PSP.CO.UK and KAPOHO.NET, the latter with child domain HAWAII.KAPOHO.NET)

Active Directory Logical Concepts: Organizational Units
- Containers within Domains
- Distinct Units of Administration
- Unique to Domains
Active Directory Physical Concepts: Domain Controllers
(Figure: Primary Domain Controller (PDC), Backup Domain Controllers (BDCs), Domain Controllers (DCs))

Active Directory Physical Concepts: Sites
- What is a Site?
  - A set of well-connected IP subnets
- Site Usage
  - Locating Services (e.g. Logon, DFS)
  - Replication
  - Group Policy Application
- Sites are connected with Site Links
  - A Site Link connects two or more sites
Active Directory Physical Concepts: Site Topology
(Figure: forest root Company.com with child domains america.company.com and europe.company.com spread over Site A, Site B and Site C; each site holds DCs, some of them GCs. DC = Domain Controller, GC = Global Catalog)

Active Directory Physical Concepts: Global Catalog
- Partial Replica of all Objects in the Forest
- Configurable subset of Attributes
- Fast Forest-wide searches
- Required at Logon for Universal Group Membership
DNS: DNS Requirements
- SRV Records to locate services (required)
- DDNS for Dynamic Update (desired)
- Windows 2000 and up, DNS also provides:
  - Incremental Zone Transfers
  - Integration with Active Directory
    - Single replication topology
    - Multi-master replication
    - Secure Dynamic updates
DNS: DNS Implementations
- No existing DNS infrastructure
  - Deploy Microsoft DNS
- Check existing DNS meets requirements
- Existing DNS not adequate:
  - Choice 1: Update Server
  - Choice 2: Migrate to Microsoft DNS
  - Choice 3: Delegate a subdomain to Microsoft DNS
Replication: Replication Details
- Naming Contexts (NCs) that are replicated
  - Schema Naming Context
  - Configuration Naming Context
  - Domain Naming Context
- Multi-master Replication
- Intra-site Bi-directional Ring Topology
- Inter-site Spanning Tree Topology
- Synchronous RPC over TCP/IP
- Asynchronous SMTP

Replication: Naming Contexts
- Schema
  - Definitions of object classes and attributes
  - Replicated to all DCs in the forest
- Configuration
  - AD Structure (domains, sites, and where the DCs are)
  - Replicated to all DCs in the forest
- Domain
  - Domain specific objects (users, groups, computers, and OUs)

Replication: Replication Topologies
- Intra-site Replication: AD replication between DCs within a Site
- Inter-site Replication: AD replication between Sites
Replication: Intra-site Replication
- RPC replication within a Site
- No compression
- Assumes good network connections
- Uses notification process
  - 5 minutes (Windows 2000)
  - Less (Windows Server 2003)
- KCC generates a bi-directional Ring with extra edges
Tip: Always let KCC generate the intra-site replication topology when possible
Replication: Inter-Site Replication
- Replication between Sites
- DS-RPC (RPC over IP) or SMTP Transports
- SMTP can be used only between
  - GCs across Sites
  - DCs of different domains and in different sites
- Compression
  - 10%-20% of original size
- Scheduled

Replication: Site-links, Bridges and Bridgehead Servers
- Site-links link two or more sites
  - Costs and schedules can be specified
  - Transitive (can be disabled)
- Site-link Bridges
  - Bridge two or more site-links
- Bridgehead servers
- KCC generates a minimum cost spanning tree
Tip: Always let KCC generate the replication topology
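The intra-site slide says the KCC generates a bidirectional ring with extra edges, and the inter-site slides say it builds a minimum cost spanning tree over site links that join two or more sites with a cost. As an added example, not code from the slides or from Windows, the following models both: a ring plus shortcut edges until every DC is within a hop limit, and Kruskal's algorithm over the expanded site links. The hop limit, DC names, site names and link costs are constructed sample values.

```python
"""
Added example (not part of the slides): a simplified model of the two topologies
the KCC generates. intra_site_ring() builds the bidirectional ring between the DCs
of one site and adds extra edges until no two DCs are more than MAX_HOPS apart.
inter_site_tree() expands site links (each joining two or more sites at one cost)
into candidate edges and runs Kruskal's algorithm for the minimum-cost spanning
tree used between sites. Hop limit, DC names, site names and costs are constructed.
"""
from collections import deque

MAX_HOPS = 3   # assumed hop limit for this model, not a value from the slides


def hop_distances(nodes, edges):
    """All-pairs hop counts by breadth-first search over an undirected graph."""
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    dist = {}
    for src in nodes:
        seen = {src: 0}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in seen:
                    seen[nxt] = seen[cur] + 1
                    queue.append(nxt)
        dist[src] = seen
    return dist


def max_hops(nodes, edges):
    """Largest hop count between any two nodes; len(nodes) stands for 'unreachable'."""
    dist = hop_distances(nodes, edges)
    return max((dist[a].get(b, len(nodes)) for a in nodes for b in nodes if a != b),
               default=0)


def intra_site_ring(dcs, hop_limit=MAX_HOPS):
    """Ring over the DCs plus shortcut edges between the farthest pair until every DC
    is within hop_limit of every other. One sorted (x, y) tuple stands for the
    connection objects in both directions."""
    n = len(dcs)
    edges = set()
    if n > 1:
        edges = {tuple(sorted((dcs[i], dcs[(i + 1) % n]))) for i in range(n)}
    while True:
        dist = hop_distances(dcs, edges)
        worst = max(((dist[a].get(b, n), a, b) for a in dcs for b in dcs if a != b),
                    default=(0, None, None))
        if worst[0] <= hop_limit:
            return sorted(edges)
        edges.add(tuple(sorted((worst[1], worst[2]))))


def expand_site_links(site_links):
    """(name, cost, [sites]) -> one candidate (cost, a, b, name) edge per site pair."""
    edges = []
    for name, cost, members in site_links:
        members = sorted(members)
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                edges.append((cost, a, b, name))
    return edges


def inter_site_tree(sites, site_links):
    """Kruskal's minimum spanning tree over the site-link edges. Returns the chosen
    (site_a, site_b, cost, link_name) edges and how many sites stay unreachable."""
    parent = {s: s for s in set(sites) | {s for _, _, m in site_links for s in m}}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    chosen = []
    for cost, a, b, name in sorted(expand_site_links(site_links)):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:          # an edge inside one component would close a cycle
            parent[root_a] = root_b
            chosen.append((a, b, cost, name))
    return chosen, len({find(s) for s in parent}) - 1


SITE_DCS = [f"dc{i}" for i in range(8)]                           # constructed
SITES = ["Site-A", "Site-B", "Site-C", "Site-DR", "Site-Island"]  # Island has no link
SITE_LINKS = [  # constructed: (link name, cost, member sites)
    ("HQ-Branches", 100, ["Site-A", "Site-B", "Site-C"]),
    ("A-C-Fast", 50, ["Site-A", "Site-C"]),
    ("C-DR", 300, ["Site-C", "Site-DR"]),
]

if __name__ == "__main__":
    ring = intra_site_ring(SITE_DCS)
    print(f"intra-site: {len(ring)} edges, max hops {max_hops(SITE_DCS, ring)}")
    tree, islands = inter_site_tree(SITES, SITE_LINKS)
    print("inter-site tree:", tree, "| unreachable sites:", islands)
```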
Operations Masters: Schema and Domain
- Schema (the Schema Master)
  - Performs updates to schema
  - Sends updates to all DCs
  - One per forest
  - Default is the first DC installed
- Domain (the Domain Naming Master)
  - Performs add/remove of domains and cross-references to external DS
  - One per forest
  - Default is the first DC installed
Operations Masters: PDC, RID and Infrastructure
- Primary Domain Controller (PDC)
  - Acts as a PDC for requests from NT clients
  - One per domain
- Relative Identifier (RID)
  - Generates pools of security identifiers to be distributed to DCs in the domain
  - One per domain
- Infrastructure
  - Updates SIDs on objects across domains
  - One per domain
  - Not required in a single-domain forest
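The two Operations Masters slides give the placement rules: one Schema master and one Domain Naming master per forest, one PDC, RID and Infrastructure master per domain. As an added example, not code from the slides, the following check runs over role claims gathered from each DC and reports missing or duplicated holders (the state a badly handled role seizure leaves behind). It also flags one well-known caveat that the slides do not state: in a multi-domain forest the Infrastructure master should not be a Global Catalog server unless every DC in that domain is one, since a GC already holds every object and the role then never refreshes cross-domain references. The DC lists are constructed sample data for the kapoho.net forest from the slides.

```python
"""
Added example (not part of the slides): a consistency check of operations-master
placement, run over role claims collected from each DC. It enforces the rules on
the slides (exactly one Schema master and one Domain Naming master per forest,
exactly one PDC, RID and Infrastructure master per domain) and flags the caveat,
not on the slides, that in a multi-domain forest the Infrastructure master must
not be a Global Catalog unless every DC in its domain is one. All DC lists below
are constructed sample data.
"""
FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("PDCEmulator", "RIDMaster", "InfrastructureMaster")


def check_fsmo(dcs):
    """dcs: list of {"name", "domain", "gc": bool, "roles": set of role names}.
    Returns a list of findings; an empty list means the placement is sound."""
    findings = []
    domains = sorted({dc["domain"] for dc in dcs})
    # forest-wide roles: exactly one holder anywhere in the forest
    for role in FOREST_ROLES:
        holders = sorted(dc["name"] for dc in dcs if role in dc["roles"])
        if len(holders) != 1:
            findings.append(f"forest: {role} held by {len(holders)} DCs {holders}, expected 1")
    for domain in domains:
        members = [dc for dc in dcs if dc["domain"] == domain]
        # domain-wide roles: exactly one holder among this domain's DCs
        for role in DOMAIN_ROLES:
            holders = sorted(dc["name"] for dc in members if role in dc["roles"])
            if len(holders) != 1:
                findings.append(f"{domain}: {role} held by {len(holders)} DCs {holders}, expected 1")
        # GC caveat only matters when there are cross-domain references to maintain
        if len(domains) > 1 and not all(dc["gc"] for dc in members):
            for dc in members:
                if "InfrastructureMaster" in dc["roles"] and dc["gc"]:
                    findings.append(f"{domain}: InfrastructureMaster {dc['name']} is a GC "
                                    "but not every DC in the domain is; cross-domain "
                                    "references will not be updated")
    return findings


def dc(name, domain, gc, *roles):
    """Build one DC record (helper for the constructed samples)."""
    return {"name": name, "domain": domain, "gc": gc, "roles": set(roles)}


# Constructed: sound single-domain forest, first DC holds all five roles.
SINGLE_DOMAIN = [
    dc("dc1.kapoho.net", "kapoho.net", True, *FOREST_ROLES, *DOMAIN_ROLES),
    dc("dc2.kapoho.net", "kapoho.net", False),
]

# Constructed: two-domain forest where the child domain's Infrastructure master is a GC.
MULTI_DOMAIN = [
    dc("dc1.kapoho.net", "kapoho.net", True, *FOREST_ROLES, "PDCEmulator", "RIDMaster"),
    dc("dc2.kapoho.net", "kapoho.net", False, "InfrastructureMaster"),
    dc("hdc1.hawaii.kapoho.net", "hawaii.kapoho.net", True, *DOMAIN_ROLES),
    dc("hdc2.hawaii.kapoho.net", "hawaii.kapoho.net", False),
]

# Constructed: after a botched seizure two DCs both claim RIDMaster and nobody
# holds the Infrastructure master.
AFTER_BAD_SEIZURE = [
    dc("dc1.kapoho.net", "kapoho.net", True, *FOREST_ROLES, "PDCEmulator", "RIDMaster"),
    dc("dc2.kapoho.net", "kapoho.net", True, "RIDMaster"),
]

if __name__ == "__main__":
    for label, forest in (("single", SINGLE_DOMAIN), ("multi", MULTI_DOMAIN),
                          ("seizure", AFTER_BAD_SEIZURE)):
        print(label, check_fsmo(forest) or "OK")
```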
Summary
- There are Logical and Physical concepts in Active Directory
- DNS
- Plenty of Information
For More Information...
- Main TechNet Web site at www.microsoft.com/technet
- Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98
MS Press
Inside information for IT Professionals
To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books

Third Party Publications
Supplementary Publications for IT Pros
These books can be found and purchased at all good book stores and on-line retailers

Microsoft Learning
Training Resources for IT Professionals
- Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  - Course Number: 2279
  - Availability: Now
  - Detailed Syllabus: www.microsoft.com/learning
To locate a training provider, please access www.microsoft.com/learning
Microsoft Certified Technical Education Centers are Microsoft’s premier partners for training services
Assess your Readiness
Microsoft Skills Assessment
What is Microsoft Skills Assessment?
- Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
  - Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
- Free, online, unproctored, and available to anyone
- Answers, “Am I ready?”
  - Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
- Post your High Score to see how you stack up
- Visit http://www.microsoft.com/assessment
Become a Microsoft Certified Systems Administrator (MCSA)
- What is the MCSA certification?
  - For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
- How do I become an MCSA on Microsoft Windows 2003?
  - Pass 3 core exams
  - Pass 1 elective exam or 2 CompTIA certifications
- Where do I get more information?
  - For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa
Become a Microsoft Certified Systems Engineer (MCSE)
- What is the MCSE certification?
  - Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software.
- How do I become an MCSE on Microsoft Windows 2003?
  - Pass 6 core exams
  - Pass 1 elective exam from a comprehensive list
- Where do I get more information?
  - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse
Demonstrate Your Security or Messaging Specialization
- What are MCSA/MCSE specializations?
  - MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role.
- What specializations are available?
  - MCSA: Security
  - MCSA: Messaging
  - MCSE: Security
  - MCSE: Messaging
- Where do I get more information?
  - For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse
What is TechNet?
- Put the right answers at your fingertips
- TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully

TechNet Subscription
- Monthly updates delivered on DVD or CD
- The definitive resource to help you evaluate, deploy and maintain Microsoft products

TechNet Web Site
- Accessible at www.microsoft.com/technet
- Online resources and community
- Subscriber-only Online Services

TechNet Flash
- Bi-weekly e-newsletter
- Security updates, new resources, and special offers

TechNet Events and Web Casts
- Briefings on the latest Microsoft products and technologies
- Hands-on, “how to” information

TechNet Communities
- User Groups
- Managed Newsgroups
Where Can I Get TechNet?
- Visit TechNet Online at www.microsoft.com/technet
- Register for the TechNet Flash: www.microsoft.com/technet/subscriptions/flash.asp
- Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
- Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
- Attend More TechNet Events or view on-line: www.microsoft.com/technet/tcevents/itevents
Microsoft Active Directory Fundament.ppt
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Ad

Microsoft Active Directory Fundament.ppt

  • 2. What we will cover:
    - Domains, Trees, Forests
    - Domain Controllers, Sites
    - The Domain Name System (DNS)
    - Replication
    - Operations Masters
    - Lots of demos…
  • 3. Prerequisite Knowledge
    - Understanding of what a directory service is
    - Level 200+
  • 4. Agenda
    - Active Directory Logical Concepts
    - Active Directory Physical Concepts
    - DNS
    - Replication
    - Operations Masters
  • 5. Active Directory Logical Concepts: Domains
    - Boundary of Security (a policy boundary; in practice the forest, not the domain, is the isolation boundary)
      - Authentication
      - Security Policies
    - Boundary of Replication
      - Domain NC Replication
    - Boundary of DNS Namespace
    - Boundary of Administration
    (Diagram: KAPOHO.NET)
  • 6. Active Directory Logical Concepts: Trees
    - Hierarchy of Domains forming a contiguous namespace
    - Transitive Trust Relationships
    - All Domains in a Tree share:
      - Schema
      - Configuration
      - Global Catalog
    (Diagram: KAPOHO.NET, EUROPE.KAPOHO.NET, HAWAII.KAPOHO.NET, MAUI.HAWAII.KAPOHO.NET)
  • 7. Active Directory Logical Concepts: Forests
    - Hierarchy of Domains forming a contiguous or disjoint namespace
    - Transitive Trust Relationships
    - All Domains in a Forest share:
      - Schema
      - Configuration
      - Global Catalog
    (Diagram: PSP.CO.UK, KAPOHO.NET, HAWAII.KAPOHO.NET)
  • 8. Active Directory Logical Concepts: Organizational Units
    - Containers within Domains
    - Distinct Units of Administration
    - Unique to Domains
  • 9. Agenda
    - Active Directory Logical Concepts
    - Active Directory Physical Concepts
    - DNS
    - Replication
    - Operations Masters
  • 10. Active Directory Physical Concepts: Domain Controllers
    - Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs): the Windows NT single-master model
    - Domain Controllers (DCs): the Active Directory multi-master model (slide build)
  • 11. Active Directory Physical Concepts: Sites
    - What is a Site?
      - A set of well-connected IP subnets
    - Site Usage
      - Locating Services (e.g. Logon, DFS)
      - Replication
      - Group Policy Application
    - Sites are connected with Site Links
      - A Site Link connects two or more sites
  • 12. Active Directory Physical Concepts: Site Topology
    (Diagram: domains Company.com, america.company.com and europe.company.com spread across Site A, Site B and Site C, each site holding DCs and GCs; DC = Domain Controller, GC = Global Catalog)
  • 13. Active Directory Physical Concepts: Global Catalog
    - Partial Replica of all Objects in the Forest
    - Configurable subset of Attributes
    - Fast Forest-wide searches
    - Required at Logon for Universal Group Membership
  • 14. Agenda
    - Active Directory Logical Concepts
    - Active Directory Physical Concepts
    - DNS
    - Replication
    - Operations Masters
  • 15. DNS: DNS Requirements
    - SRV Records to locate services (required)
    - DDNS for Dynamic Update (desired)
    - Windows 2000 and later Microsoft DNS also provides:
      - Incremental Zone Transfers
      - Integration with Active Directory
        - Single replication topology
        - Multi-master replication
        - Secure Dynamic updates (only authenticated computers can register or overwrite records, including the SRV records clients use to find DCs)
  • 16. DNS: DNS Implementations
    - No existing DNS infrastructure: deploy Microsoft DNS
    - Existing DNS infrastructure: check that it meets the requirements
    - Existing DNS not adequate:
      - Choice 1: Update Server
      - Choice 2: Migrate to Microsoft DNS
      - Choice 3: Delegate a subdomain to Microsoft DNS
  • 17. Agenda
    - Active Directory Logical Concepts
    - Active Directory Physical Concepts
    - DNS
    - Replication
    - Operations Masters
  • 18. Replication: Replication Details
    - Naming Contexts (NCs) that are replicated
      - Schema Naming Context
      - Configuration Naming Context
      - Domain Naming Context
    - Multi-master Replication
    - Intra-site: Bi-directional Ring Topology
    - Inter-site: Spanning Tree Topology
    - Transports: Synchronous RPC over TCP/IP; Asynchronous SMTP
  • 19. Replication: Naming Contexts
    - Schema
      - Definitions of object classes and attributes
      - Replicated to all DCs in the forest
    - Configuration
      - AD Structure (domains, sites, and where the DCs are)
      - Replicated to all DCs in the forest
    - Domain
      - Domain specific objects (users, groups, computers, and OUs)
      - Replicated in full to all DCs of that domain, and as a partial replica to every GC in the forest
  • 20. Replication: Replication Topologies
    - Intra-site Replication: AD replication between DCs within a Site
    - Inter-site Replication: AD replication between Sites
  • 21. Replication: Intra-site Replication
    - RPC replication within a Site
    - No compression
    - Assumes good network connections
    - Uses a notification process (a DC waits a short delay after a change before notifying its partners)
      - 5 minutes in Windows 2000
      - 15 seconds in Windows Server 2003 (at the Windows Server 2003 forest functional level)
    - KCC generates a bi-directional ring with extra edges
    Tip: Always let the KCC generate the intra-site replication topology when possible
  • 22. Replication: Inter-Site Replication
    - Replication between Sites
    - DS-RPC (RPC over IP) or SMTP transports
    - SMTP can be used only between:
      - GCs across Sites
      - DCs of different domains in different sites (SMTP cannot carry a domain naming context)
    - Compression: 10%-20% of original size
    - Scheduled
  • 23. Replication: Site-links, Bridges and Bridgehead Servers
    - Site-links link two or more sites
      - Costs and schedules can be specified
      - Transitive (can be disabled)
    - Site-link Bridges
      - Bridge two or more site-links
    - Bridgehead servers
    - KCC generates a minimum cost spanning tree
    Tip: Always let the KCC generate the replication topology
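The two KCC behaviours from slides 21 and 23, the bidirectional intra-site ring with extra edges and the minimum-cost spanning tree over site links, as a small Python model. This is an added example, not code from the deck or from Windows. The DC names, site names and link costs are constructed; the model assumes the KCC's rule of adding intra-site connections until no DC is more than three hops from any other, and plain Kruskal for the inter-site tree, ignoring bridgehead selection, schedules and transports. `path_cost` shows what "transitive (can be disabled)" means: with site-link bridging off, two sites replicate only if they share a site link.

```python
"""KCC topology model: intra-site ring plus 3-hop shortcuts, inter-site
minimum-cost spanning tree. Added example, not Windows code; all names
and costs below are constructed."""
import heapq
from collections import deque
from itertools import combinations


def intrasite_ring(dcs, max_hops=3):
    """Connection objects for one site, as a set of unordered DC pairs."""
    dcs = sorted(set(dcs))
    n = len(dcs)
    edges = set()
    if n > 1:  # bidirectional ring: each DC replicates with its two neighbours
        for i in range(n):
            edges.add(frozenset((dcs[i], dcs[(i + 1) % n])))

    def hops(src, dst):  # breadth-first search over the current edge set
        seen, queue = {src: 0}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return seen[cur]
            for edge in edges:
                if cur in edge:
                    (nxt,) = edge - {cur}
                    if nxt not in seen:
                        seen[nxt] = seen[cur] + 1
                        queue.append(nxt)
        return float("inf")

    # Extra edges: shortcut any pair still more than max_hops apart (assumed rule).
    for a, b in combinations(dcs, 2):
        if hops(a, b) > max_hops:
            edges.add(frozenset((a, b)))
    return edges


def intersite_spanning_tree(site_links):
    """site_links: {link_name: (cost, [sites])} -> Kruskal tree edges
    as (cost, site_a, site_b, link_name)."""
    candidates = []  # a link with N sites is a full mesh of candidate edges
    for name, (cost, sites) in site_links.items():
        for a, b in combinations(sorted(sites), 2):
            candidates.append((cost, a, b, name))
    candidates.sort()
    parent = {}

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    tree = []
    for cost, a, b, name in candidates:
        ra, rb = find(a), find(b)
        if ra != rb:  # joins two components: keep the edge
            parent[ra] = rb
            tree.append((cost, a, b, name))
    return tree


def path_cost(site_links, src, dst, bridge_all=True):
    """Cheapest replication route between two sites (Dijkstra). With
    'bridge all site links' disabled, only sites sharing a link can talk."""
    if not bridge_all:
        direct = [c for c, s in site_links.values() if src in s and dst in s]
        return min(direct) if direct else None
    adjacency = {}
    for cost, sites in site_links.values():
        for a, b in combinations(sites, 2):
            adjacency.setdefault(a, []).append((b, cost))
            adjacency.setdefault(b, []).append((a, cost))
    best, heap = {src: 0}, [(0, src)]
    while heap:
        dist, cur = heapq.heappop(heap)
        if cur == dst:
            return dist
        if dist > best[cur]:
            continue
        for nxt, cost in adjacency.get(cur, ()):
            if dist + cost < best.get(nxt, float("inf")):
                best[nxt] = dist + cost
                heapq.heappush(heap, (dist + cost, nxt))
    return None


# Constructed sample: eight DCs in one site, four sites joined by site links.
SAMPLE_DCS = [f"DC{i}" for i in range(1, 9)]
SAMPLE_LINKS = {
    "HQ-Europe": (100, ["HQ", "Europe"]),
    "HQ-Hawaii": (200, ["HQ", "Hawaii"]),
    "Europe-Hawaii": (500, ["Europe", "Hawaii"]),
    "Hawaii-Maui": (50, ["Hawaii", "Maui"]),
}

if __name__ == "__main__":
    print(len(SAMPLE_DCS), "DCs ->", len(intrasite_ring(SAMPLE_DCS)), "connections")
    for cost, a, b, name in intersite_spanning_tree(SAMPLE_LINKS):
        print(f"inter-site {a} <-> {b} via {name} (cost {cost})")
    print("HQ -> Maui:", path_cost(SAMPLE_LINKS, "HQ", "Maui"),
          "| no bridging:", path_cost(SAMPLE_LINKS, "HQ", "Maui", bridge_all=False))
```

With eight DCs the ring alone leaves opposite DCs four hops apart, so the model adds two shortcut connections; the inter-site tree drops the expensive Europe-Hawaii link because HQ already joins both, which is exactly why a hand-built connection object there would be redundant.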
  • 24. Agenda
    - Active Directory Logical Concepts
    - Active Directory Physical Concepts
    - DNS
    - Replication
    - Operations Masters
  • 25. Operations Masters: Schema and Domain
    - Schema
      - Performs updates to the schema
      - Sends updates to all DCs
      - One per forest
      - Default is the first DC installed
    - Domain (Domain Naming)
      - Performs add/remove of domains and cross-references to external directory services
      - One per forest
      - Default is the first DC installed
  • 26. Operations Masters: PDC, RID and Infrastructure
    - Primary Domain Controller (PDC) Emulator
      - Acts as a PDC for requests from NT clients and downlevel BDCs
      - One per domain
    - Relative Identifier (RID)
      - Generates pools of relative identifiers (the final component of a SID) to be distributed to DCs in the domain
      - One per domain
    - Infrastructure
      - Updates cross-domain object references (e.g. the name and SID of group members that live in other domains)
      - One per domain
      - Not needed in a single-domain forest; should not be placed on a GC unless every DC in the domain is a GC
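What the RID master on slide 26 does, as an added example in Python (not code from the deck or from Windows). It assumes the Windows defaults of 500-RID pools, a 30-bit RID space and RIDs below 1000 reserved for well-known principals; the domain SID and DC names are constructed. Any DC creates security principals from its own pool, so object creation stays multi-master and only pool refills need the RID master. The SID helpers show the domain-SID/RID split on which cross-domain references, the Infrastructure master's job, rest.

```python
"""RID pool allocation and SID handling, modelled on the RID master role.
Added example, not Windows code; domain SID and DC names are constructed,
pool size, RID space and well-known range are the assumed Windows defaults."""

DEFAULT_POOL_SIZE = 500
MAX_RID = 2**30 - 1           # 30-bit global RID space (assumed default)
FIRST_ALLOCATABLE_RID = 1000  # RIDs below 1000 are well-known, never pooled


class RidMaster:
    """The one DC per domain that hands out non-overlapping RID pools."""

    def __init__(self, domain_sid, pool_size=DEFAULT_POOL_SIZE):
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_rid = FIRST_ALLOCATABLE_RID
        self.issued = []  # (dc_name, first_rid, last_rid) in allocation order

    def allocate_pool(self, dc_name):
        first = self.next_rid
        last = first + self.pool_size - 1
        if last > MAX_RID:  # once the space is gone no principal can be created
            raise RuntimeError("RID space exhausted")
        self.next_rid = last + 1
        self.issued.append((dc_name, first, last))
        return first, last


class DomainController:
    """Any DC mints SIDs from its current pool and refills from the RID master."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None
        self.next_rid = None

    def create_principal(self):
        if self.pool is None or self.next_rid > self.pool[1]:
            self.pool = self.rid_master.allocate_pool(self.name)
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        return f"{self.rid_master.domain_sid}-{rid}"


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into revision, authority and sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return {"revision": int(parts[1]), "authority": int(parts[2]),
            "subauthorities": [int(p) for p in parts[3:]]}


def domain_sid_of(sid):
    """Everything but the final RID identifies the issuing domain; this is the
    part a cross-domain group member reference carries."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def is_well_known(sid):
    """RID 500 (Administrator), 512 (Domain Admins) etc. are fixed, not pooled."""
    return rid_of(sid) < FIRST_ALLOCATABLE_RID


def no_duplicate_sids(sids):
    """Multi-master creation is safe only because pools never overlap."""
    return len(sids) == len(set(sids))


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

if __name__ == "__main__":
    master = RidMaster(DOMAIN_SID)
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    created = [dc1.create_principal() for _ in range(501)] + [dc2.create_principal()]
    print("DC1 first:", created[0], "| DC1 after refill:", created[500])
    print("DC2 first:", created[501], "| pools:", master.issued)
    print("unique:", no_duplicate_sids(created), "| admin well-known:",
          is_well_known(DOMAIN_SID + "-500"))
```

Run it and watch DC1 exhaust its first pool at RID 1499, refill with 1500-1999, and DC2 receive 2000-2499: the pools interleave by request order, not by DC, which is why RIDs say nothing about where an account was created.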
  • 27. Summary
    - There are Logical and Physical concepts in Active Directory
    - DNS
    - Plenty of Information
  • 28. For More Information…
    - Main TechNet Web site at www.microsoft.com/technet
    - Additional resources to support this Session page can be found at www.microsoft.com/technet/tnt1-98
  • 29. MS Press: Inside information for IT Professionals
    To find the latest IT Professional related titles visit www.microsoft.com/learning/it/books
  • 30. Third Party Publications: Supplementary Publications for IT Pros
    These books can be found and purchased at all good book stores and on-line retailers
  • 31. Microsoft Learning: Training Resources for IT Professionals
    - Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
      - Course Number: 2279
      - Availability: Now
      - Detailed Syllabus: www.microsoft.com/learning
    To locate a training provider, please access www.microsoft.com/learning. Microsoft Certified Technical Education Centers are Microsoft's premier partners for training services.
  • 32. Assess your Readiness: Microsoft Skills Assessment
    What is Microsoft Skills Assessment?
    - Self-study learning tool to evaluate readiness for product and technology solutions, instead of job-roles (certification)
    - Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
    - Free, online, unproctored, and available to anyone
    - Answers "Am I ready?"
    - Determines skills gaps, provides learning plans with Microsoft Official Curriculum courses, plus more Microsoft learning content suggestions such as TechNet resources
    - Post your High Score to see how you stack up
    - Visit http://www.microsoft.com/assessment
  • 33. Become a Microsoft Certified Systems Administrator (MCSA)
    - What is the MCSA certification?
      - For IT professionals who manage and maintain networks and systems based on the Microsoft Windows Server operating system
    - How do I become an MCSA on Microsoft Windows 2003?
      - Pass 3 core exams
      - Pass 1 elective exam or 2 CompTIA certifications
    - Where do I get more information?
      - For more information about certification requirements, exams, and training, visit www.microsoft.com/mcsa
  • 34. Become a Microsoft Certified Systems Engineer (MCSE)
    - What is the MCSE certification?
      - Premier certification for IT professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software
    - How do I become an MCSE on Microsoft Windows 2003?
      - Pass 6 core exams
      - Pass 1 elective exam from a comprehensive list
    - Where do I get more information?
      - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse
  • 35. Demonstrate Your Security or Messaging Specialization
    - What are MCSA/MCSE specializations?
      - MCSA and MCSE specializations allow IT professionals to highlight specific expertise or technical focus within their job role
    - What specializations are available?
      - MCSA: Security, MCSA: Messaging
      - MCSE: Security, MCSE: Messaging
    - Where do I get more information?
      - For more information about MCSA and MCSE specialization requirements, exams, and training options, visit www.microsoft.com/mcsa or www.microsoft.com/mcse
  • 36. What is TechNet?
    Put the right answers at your fingertips
    - TechNet Subscription
      - TechNet is the comprehensive collection of resources to help IT implementers plan, deploy, and manage Microsoft products successfully
      - Monthly updates delivered on DVD or CD
      - The definitive resource to help you evaluate, deploy and maintain Microsoft products
    - TechNet Web Site
      - Accessible at www.microsoft.com/technet
      - Online resources and community
      - Subscriber-only Online Services
    - TechNet Flash
      - Bi-weekly e-newsletter
      - Security updates, new resources, and special offers
    - TechNet Events and Web Casts
      - Briefings on the latest Microsoft products and technologies
      - Hands-on, "how to" information
    - TechNet Communities
      - User Groups
      - Managed Newsgroups
  • 37. Where Can I Get TechNet?
    - Visit TechNet Online at www.microsoft.com/technet
    - Register for the TechNet Flash: www.microsoft.com/technet/subscriptions/flash.asp
    - Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
    - Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
    - Attend more TechNet Events or view on-line: www.microsoft.com/technet/tcevents/itevents

Editor's Notes

  • #1: KEY MESSAGE: Introduce yourself and then the session title
    SLIDE BUILDS: None
    SLIDE SCRIPT: Hello and welcome to this TechNet session on Active Directory Fundamentals. My name is {state your name and title}.
    SLIDE TRANSITION: What are we going to cover?
    ADDITIONAL INFORMATION FOR PRESENTER:
  • #2: KEY MESSAGE: What are we going to cover?
    SLIDE BUILDS: None
    SLIDE SCRIPT: So in today's session, we will be looking at what makes up the Active Directory directory service and covering the terms you will hear when people talk about the service. Some of these components are logical in nature, such as Domains, Domain trees and Forests; some are physical in nature, such as Domain Controllers and sites. We will also cover the Domain Name System (DNS) and how it plays a part in Active Directory operations. As well, we will look at site communication and how information is replicated around so that everyone has the same view of the directory. Finally, we cover the Operations Masters.
    SLIDE TRANSITION:
  • #3: KEY MESSAGE:
    SLIDE BUILDS: None
    SLIDE SCRIPT: Since this is a fundamentals session, there are not really product-specific requirements. However, an understanding of what a directory service is will come in handy.
    SLIDE TRANSITION:
  • #4: KEY MESSAGE: Today's Agenda
    SLIDE BUILDS: None
    SLIDE SCRIPT: So as we mentioned in what we will be covering, the agenda divides into the Physical and Logical components of Active Directory, the Domain Name System (DNS), Replication (which will include sites) and finally the Operations Masters.
    SLIDE TRANSITION: So let's start with the Logical Concepts.
    ADDITIONAL INFORMATION FOR PRESENTER:
  • #5: KEY MESSAGE: Define what a Domain is.
    SLIDE BUILDS: None
    SLIDE SCRIPT: A domain is the core unit of logical structure in Active Directory. Domains represent a logical partition within the Active Directory for both security and directory replication. Each domain stores information only about the objects it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is the supported (tested) limit.
    Domains function in several capacities. They serve as boundaries of authentication, replication, namespace, and security policies. Domains are manifested from domain controllers. There is also a one-to-one correspondence between Active Directory Domains and DNS Domains. Since all users in a domain must log on to a domain controller for that domain, a domain is also:
    - A boundary of authentication. Domain controllers are responsible for authenticating users and groups.
    - A boundary of security policies. Certain security policies are applied exclusively at the domain level, including Password Length, Account Lockout, and Kerberos Ticket Lifetime. Security policies that are defined in one Domain are not extended to any other Domain. In addition, access to domain objects is controlled by Discretionary Access Control Lists (DACLs), which are populated with Access Control Entries (ACEs). Security policies and settings, such as administrative rights and DACLs, do not cross from one domain to another. The domain administrator has the right to set policies only within that domain. So, domains are also boundaries of administration, because privileges that are granted in one Domain do not extend to any other Domain.
    - A boundary of replication. All objects that reside in a Domain are fully replicated to all Domain Controllers for that Domain. The Domain Controllers for a Domain each have a complete writeable replica of that Active Directory partition (i.e. the Domain).
    - A unique namespace. An Active Directory Domain is identified by a unique DNS domain name, as well as a downlevel NetBIOS name for downlevel client and server access.
    - A boundary of administration. Administrative privileges that are granted in one Domain do not extend to any other Domain.
    Domains are manifested in the form of domain controllers. In Windows Server 2003, there are no longer PDCs and BDCs. Instead, every Domain Controller maintains a writeable copy of the domain database (directory information tree: ntds.dit).
    There are various functional levels that a domain can operate in: mixed (default), native or Windows Server 2003. When a Domain is in mixed mode, the Active Directory Domain Controllers in the Domain can coexist and replicate with Domain Controllers in the same Domain that are running previous versions of Windows NT Server (downlevel domain controllers). Because a Domain in mixed mode is subject to the restrictions of the downlevel SAM (Security Accounts Manager) database (40MB size, 40,000 account objects), you want to begin operating in Native mode or Windows Server 2003 mode as soon as possible.
    SLIDE TRANSITION:
    ADDITIONAL INFORMATION FOR PRESENTER: Microsoft's later guidance treats the forest, not the domain, as the security boundary. Every DC in the forest holds a writable copy of the schema and configuration partitions, trusts between domains of one forest are transitive and are not SID-filtered, and a compromised DC or Domain Admin in any domain can escalate to the whole forest. A domain therefore isolates policy and delegated administration, not a hostile administrator; organisations that need real isolation use a separate forest.
  • #6: KEY MESSAGE:
    SLIDE BUILDS: None
    SLIDE SCRIPT: The next two logical concepts we will address are ways to group domains to form different structures. The first topic is trees. A tree is a hierarchical grouping of Domains that form a contiguous namespace. A contiguous namespace links a child container to its parent by adding one and only one more identifier to the beginning of the DNS name. For example, if the parent Domain was named COMPANY and the child Domain was named AMERICA.COMPANY, then these two domains would form a contiguous namespace.
    In an Active Directory Tree, transitive trust relationships link Domains such that they can be administered as a single logical unit. With bi-directional Kerberos transitive trusts, permissions can be applied to security principals throughout the Active Directory Tree. Every time a new domain is added to the tree, a transitive trust is formed. If domain "A" trusts domain "B," then domain "A" trusts all domains that "B" trusts.
    The name of an Active Directory Tree is the name of the Domain that is highest in the hierarchy. In the COMPANY example the name of the Tree is COMPANY (on the slide it is KAPOHO.NET), and that domain is referred to as the Root of the Domain Tree.
    All Domains in an Active Directory Tree share the following:
    - Schema. The schema is the formal definition for all Active Directory objects, including the object classes and object attributes. The schema also defines things such as whether attributes are required for particular object classes and the relationship between object classes. The schema is stored within the Active Directory and is extensible, meaning that new object classes and attributes can be added to the Active Directory. A single schema container exists and applies to all Domains in the Active Directory Tree. The schema is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to ensure consistency in the object types across the enterprise.
    - Configuration. A single configuration container exists and applies to all Domains in the Active Directory Tree. The configuration container includes information about the Active Directory as a whole, including what Domains exist, what physical Sites are defined, what Domain Controllers are running in what Domains and in what Sites, what Services are available, and so forth. The configuration container is replicated to all Domain Controllers in all Domains in the Active Directory Tree in order to allow Domain Controllers to determine replication partners and develop a replication topology.
    - Global Catalog. The Global Catalog, or GC, contains a partial replica of all objects in the Active Directory Tree (i.e. every object in every Domain in the Tree is represented in the Global Catalog). All GCs in an Active Directory Tree share exactly the same partial replica.
    SLIDE TRANSITION:
    ADDITIONAL INFORMATION FOR PRESENTER:
  • #7: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: A forest is composed of one or more trees. First, let’s define what a forest is. A Forest is an extension of the Domain Tree concept in that the only difference is that a set of Domains in a Forest may form either a contiguous or disjoint namespace. An example of a disjoint namespace is DIV1.COM and DIV2.COM (the namespace does not form a contiguous hierarchy). A Forest is named after the first Domain installed in the Forest (the Forest Root Domain). In addition to the transitive trust relationships that exist between parent and child domains, in a Forest there are also bi-directional transitive trust relationships between peer top-level domains. A Domain Tree is a specific example of a Domain Forest (in which all of the Domains in that Tree form a contiguous namespace). An enterprise directory that consists of a single Domain is another example of a Forest. In a Forest, all Domains still share a common Schema, Configuration, and Global Catalog. If the Forest is in the highest forest function level, Windows 2003, then cross-forest trusts can be established to facilitate administration or resource access between domains in different forests. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #8: KEY MESSAGE: Describe Organizational Units SLIDE BUILDS: None SLIDE SCRIPT: Organizational Units – or OUs – are containers that are used to organize objects within a Domain. For example, OUs can contain Users, Computers, Groups, Printers, File Shares and other OUs. OUs can be logically structured into a hierarchy that models the business. They are distinct logical administrative units that can be used to: 1.) delegate administration within a domain. 2.) apply policies to objects (such as Users or Computers) as a group. The OU hierarchy within a particular Domain is independent of the OU hierarchy in any other Domain. Each Domain can implement its own OU hierarchy. OUs are represented by circles within a Domain. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #9: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: So let’s move on to the Physical concepts. SLIDE TRANSITION: Let’s start with the Security Model.
  • #10: KEY MESSAGE: In an Active Directory world, we have moved away from the Primary Domain Controller into the Multi-master environment of Domain Controllers SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 0] No matter what type of domain structure you run, there is a Domain Controller, and more than likely there is more than one of them. These Domain Controllers hold a copy of the directory. In NT 3.51 and 4.0 there are two types, a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs). The copies of the Directory database these machines hold, usually referred to as the SAM (Security Accounts Manager) database, allow users to be authenticated in the domain. This design is a single-master system because only the PDC holds a read/write copy of the directory. What this means is that, if a user wants to change his or her password, that change is performed on the PDC, regardless of which machine authenticated the user. In the case where a user is authenticated by a BDC, that BDC sends the change to the PDC to update the SAM, and the SAM is then replicated back to the BDCs. The BDCs never write to their copy of the SAM outside the replication process. [BUILD 1] In an Active Directory environment there is no single “PDC” and no “BDC.” All machines that participate in the authentication process are simply called Domain Controllers. They all hold copies of the Directory, they can all write to that copy, and they all replicate with each other. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #11: KEY MESSAGE: Describe the Site Concept. SLIDE BUILDS: None SLIDE SCRIPT: So what is a site? An Active Directory Site is a set of TCP/IP subnets that are considered to be “well-connected”. Well-connected generally implies high-bandwidth LAN (10MB minimum) connectivity, possibly involving several hops through routers. Sites are used in the Active Directory as follows: Sites (a physical construct) are not part of the Active Directory namespace (a logical construct). Sites may span multiple Domains. Similarly, Domains may span multiple Sites. Sites serve three main purposes. Sites are used to locate services such as logon and DFS services. When a client requests a connection to a DC (and to a Global Catalog for Universal Group membership information) at logon, sites are used to preferentially allow the client to connect to a Domain Controller within the same site. If there are no Domain Controllers in a site with clients, then another site that does have Domain Controllers can provide “coverage” for the client site. Site links each have a logical cost assigned to them. If a user is searching for the closest DC to log on to, they will first look for a DC (and GC) in their site. If none exists, they will search for a DC in the site with the lowest logical cost assigned to the site link. When a client requests a connection to a Service, such as a DFS Replica, sites are used to preferentially allow the client to locate and connect to a Replica within the same site. Sites are also used to control replication throughout an enterprise. The Active Directory automatically creates more replication connections between Domain Controllers in the same site than between Domain Controllers in different sites. This results in lower replication latency within a site, and lower replication bandwidth between sites. Replication between Domain Controllers in different sites is compressed to 10-15% of its original volume, resulting in less network bandwidth utilization over the slower links between sites.
Finally, Group Policy objects can be linked to Sites (or, more specifically, to Computer objects that reside in Sites) as a group. Sites are connected using Site Links. Active Directory Site Links are used to define connections between Sites, and together they represent the physical network. A Site Link represents a set of Sites that can communicate with one another. For example, two Sites that are connected with one another with a point-to-point T1 might be represented by a single Site Link. On the other hand, a set of buildings (each in their own Site) that are connected to each other over an ATM backbone might be represented by a Site Link that contains all of those buildings (i.e. Sites). Similarly, a full mesh Frame Relay network might be represented with a single Site Link, assuming each of the Sites had equal cost connectivity to every other Site. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #12: KEY MESSAGE: Explain how Sites and Domains interact SLIDE BUILDS: None SLIDE SCRIPT: Because a Site is a physical construct, there can be overlap with domains, which are a logical construct. A Site can therefore contain an entire domain, or only part of a domain, or even multiple domains. As we see here: Site A contains a DC from the root domain company.com and a DC from the child domain america.company.com. Site B contains a DC only from america.company.com. Site C contains DCs from europe.company.com and the root company.com. This is one of the main concepts to remember and one that people get confused about: Domains are logical structures, sites are physical structures. SLIDE TRANSITION: In the example here, we have this box called GC, which stands for Global Catalog. The Global Catalog is an important part of the Active Directory, so let me explain what it is. ADDITIONAL INFORMATION FOR PRESENTER:
  • #13: KEY MESSAGE: Explain the Global Catalog. SLIDE BUILDS: None SLIDE SCRIPT: You will often hear the term Global Catalog, most likely abbreviated to GC, bandied around. When people talk about Active Directory, you’ll hear it in two contexts, either as the GC or a GC. What’s the difference? Well, “a GC” is a server on which the global catalog is held. “The GC” is the global catalog itself. In its basic terms, a Global Catalog server is simply a Domain Controller that is also configured to act as a Global Catalog. Global Catalog servers are identified as such in DNS and can be located by clients using DNS. The Global Catalog contains a partial replica (i.e. a subset of attributes) of all objects in the Forest. This means that some attributes of every object in every domain database in the forest are maintained in the Global Catalog. For example, a domain database may contain many attributes for each user object. It may contain the user’s name, e-mail alias, address, office location, position, manager, phone number, etc., while the Global Catalog might only contain a few of these attributes (i.e. name, e-mail, and phone number). The set of attributes for each object class published in the Global Catalog is configurable. The Global Catalog is used for fast forest-wide searches of enterprise objects. The Global Catalog is also used during logon to determine Universal Group Membership, since Universal Groups do not reside within any particular Domain. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
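Both senses of “GC” on this slide can be checked against a live forest. The script below is an added example written for this page, not a script from the deck or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and the forest name kapoho.net is the one used on the slides.

```powershell
# Added example: enumerate Global Catalog servers and the schema-defined partial
# attribute set they replicate. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# "a GC": every Domain Controller that is additionally configured as a Global Catalog.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object Name, Domain, Site, IPv4Address |
    Format-Table -AutoSize

# "the GC": the subset of attributes held for every object in the forest is defined
# per attribute in the Schema NC by isMemberOfPartialAttributeSet, which is the
# configurable set the slide refers to.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$partialSet = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object

'{0} attributes are replicated to every Global Catalog' -f $partialSet.Count

# Which of the user attributes mentioned on the slide does this forest publish to the GC?
foreach ($attr in 'displayName', 'mail', 'telephoneNumber', 'manager', 'physicalDeliveryOfficeName') {
    '{0,-28} in GC: {1}' -f $attr, ($partialSet -contains $attr)
}

# Locate a GC the way a logon does for the Universal Group membership lookup
# (the DC locator with the GC flag); kapoho.net is the forest name from the slides.
nltest /dsgetdc:kapoho.net /gc
```

The schema query is the authoritative answer to “what is in the GC”: an attribute that an application (Exchange, for instance) has added to the partial attribute set will show up here even though it is not in the default set.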
  • #14: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: So we’ve covered the logical and physical components of Active Directory. Let’s move on to the Domain Naming Service, more commonly called DNS. SLIDE TRANSITION:
  • #15: KEY MESSAGE: What is DNS? SLIDE BUILDS: None SLIDE SCRIPT: Active Directory requires DNS. This is the way that Active Directory finds services and resources. It does this through the use of Service records or SRV records. Therefore, the DNS Server(s) that manage an Active Directory Domain must support the SRV resource records (RFC 2052). The SRV record allows specific services to be registered in DNS. For example, Domain Controllers and Global Catalogs are explicitly registered in DNS with those specific roles. So, when a client is looking for a DC or GC (e.g. for logon), it can locate an appropriate server that is providing that service. The DNS Server(s) that manage(s) an Active Directory Domain should support the Dynamic Update Protocol (RFC 2136). Windows 2000 or up DNS clients (for A records), as well as DHCP Servers (for PTR records), will dynamically update the Microsoft DNS Server with mappings. Think of this in the same terms as WINS has always worked: clients dynamically update their own information in a WINS database. Well, now DNS allows them to register their IP information in the same way. In addition, Windows 2000 or up servers will register multiple records in DNS based on roles and other criteria. If Dynamic Update were not used, then every time any of the following were modified, DNS would have to be manually updated: DC name, Roles, Sites, IP Addresses, Promotion/Demotion. If your DNS server does not support dynamic updates, you will have a difficult time maintaining the DNS database. It is like trying to manually maintain your WINS today. Windows 2000 and up also provides: Incremental Zone Transfers. The Microsoft DNS server also supports Incremental Zone Transfers (RFC 1995). With standard DNS, full zone transfers between Primary and Secondary name servers must be performed whenever there are any changes made to the database. Management of a single replication topology. 
Both DNS and AD have databases that are replicated amongst computers. With AD integration of the DNS database, only a single replication topology needs to be managed. Multi-master update. With standard DNS, changes to the DNS database may only be performed on the Primary name server. Secondary name servers always get their copies of the DNS database from a Primary master (or another secondary master). With AD integration, changes to the DNS database can be performed on any DNS server that manages that zone. Secure dynamic update (RFC 2137). Allows authentication of hosts that are dynamically registering their names. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
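The SRV records and the dynamic update behaviour described above can be verified from a client and from the DNS server. This is an added example written for this page, not code from the deck or from Microsoft. It assumes the DnsClient module (Windows 8 / Server 2012 or later) and, for the zone check, the DnsServer module on a DNS server that hosts the zone; kapoho.net is the forest name from the slides, and the site name Hawaii is an assumption modelled on the slides’ tree diagram.

```powershell
# Added example: resolve the SRV locator records that DCs and GCs register, and verify
# that the zone only accepts secure dynamic updates.
$domain = 'kapoho.net'   # forest name from the slides
$site   = 'Hawaii'       # assumption: a site name defined in this forest

# A client first tries the site-specific record for its own site, then falls back to the
# generic record; each SRV answer carries the target host, priority, weight and port.
$queries = @(
    "_ldap._tcp.dc._msdcs.${domain}",                # any DC in the domain (LDAP)
    "_ldap._tcp.${site}._sites.dc._msdcs.${domain}", # DCs in one site only
    "_kerberos._tcp.dc._msdcs.${domain}",            # KDCs running on DCs
    "_gc._tcp.${domain}"                             # Global Catalog servers in the forest
)
foreach ($q in $queries) {
    "== $q"
    Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port, TTL |
        Format-Table -AutoSize
}

# Dynamic update: the Netlogon service on each DC registers the records above itself.
# After a role, site or IP change you can force a re-registration; the records a DC
# owns are listed in %SystemRoot%\System32\config\netlogon.dns.
#   nltest /dsregdns

# On a DNS server that hosts the zone: an AD-integrated zone should accept *secure*
# dynamic updates only, so that only the authenticated owner of a record can change it.
Get-DnsServerZone -Name $domain |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
# Weak setting:      DynamicUpdate = NonsecureAndSecure  (any host can overwrite records)
# Hardened setting:  Set-DnsServerPrimaryZone -Name $domain -DynamicUpdate Secure
```

If the site-specific query returns nothing while the generic one does, either the site has no DC (the “coverage” case from the Sites slide) or the DC’s records have not been registered, which is exactly the situation the slide warns about when dynamic update is unavailable.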
  • #16: KEY MESSAGE: So how do you go about implementing this? SLIDE BUILDS: None SLIDE SCRIPT: How to go about implementing DNS for AD … As I just mentioned, if there is no pre-existing DNS infrastructure, then the answer is easy. Implement Microsoft DNS, for all of the benefits on the previous slide, because it’s well-tested with AD and because it’s FREE. If there is a pre-existing DNS infrastructure in the organization, it must be BIND 8.1.2 or higher. This version of BIND supports SRV records (a must) and DDNS (a really important feature to have). The next step is to understand the impact of Dynamic updates on the DNS traffic in your infrastructure. If all of this is fine, then use your existing DNS. If your current DNS does not support these features, then you have three choices: 1. Upgrade your existing DNS servers to a version that supports the items outlined above. 2. Migrate to Microsoft DNS (which supports all of this and more). 3. Delegate a sub-domain to Microsoft DNS. For example, if you have company being managed by DNS servers that don’t meet the requirements, and you don’t want to upgrade or migrate, then create a child domain such as “windows.company” and delegate that zone to a Microsoft DNS server. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #17: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: Now, let’s take a look at replication of Active Directory in more detail. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #18: KEY MESSAGE: Describe the Replication Details SLIDE BUILDS: None SLIDE SCRIPT: There are several replication concepts introduced with Active Directory. The first of these is Naming Contexts. A Naming Context is a partition of Data within the Active Directory. The Active Directory is partitioned up to help reduce what information each Domain Controller holds and therefore what information it has to replicate around. The three predefined naming contexts are: The Schema Naming Context, which is a Forest-wide Naming Context, is replicated among all Domain Controllers in the Forest. Configuration NC. This is a Forest-wide Naming Context and is therefore replicated among all Domain Controllers in the Forest. Domain NC. This is a Domain-wide Naming Context (one per Domain) and is therefore fully replicated to all Domain Controllers in the Domain. In addition, each Domain Naming Context is partially replicated to all Global Catalog Servers in the Forest. Multi-master Replication. This occurs within each Domain, where each Domain Controller maintains and replicates a complete writeable copy of the domain database. This is a big change from NT 4, where all changes to the Domain database had to be made on the PDC. Now, any DC can make those changes and the information will work its way around the Domain. The Knowledge Consistency Checker (KCC) automatically generates a replication topology based on the definition of Sites and Site Links. Intra-site Ring Topology. Within a Site, the KCC automatically generates a bi-directional ring topology for all Domain Controllers in the same Domain. The KCC also ensures that there are no more than three hops from any Domain Controller in a Site to any other Domain Controller in a Site (by adding additional replication partners where necessary). Intra-site replication is RPC-based, and not compressed, so good network connectivity is assumed. Between Sites, the KCC automatically generates a spanning tree replication topology.
For the Inter-site replication topology, the KCC takes into account whether a Domain Controller has been identified as a Bridgehead Server as well as the “cost” of each Site Link. Inter-site replication can be scheduled and is compressed significantly. Two transports can be used for Inter-Site replication: Synchronous RPC over TCP/IP. This transport can be used to replicate any naming context (Schema, Configuration, Full Domain). Asynchronous over SMTP. This transport can be used to replicate the Schema, Configuration and Partial Domain (i.e. Global Catalog) information. The SMTP transport cannot be used to replicate a complete Domain database (i.e., it cannot be used for Inter-Site Intra-Domain replication). Inter-site replication is compressed significantly: down to 10-15% of original volume for RPC and 20-30% for SMTP. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #19: KEY MESSAGE: So let’s just spend a bit of time and flesh out Naming Contexts. SLIDE BUILDS: None SLIDE SCRIPT: We’ll start with the Schema Context. The Schema Context contains objects that represent all the classes and attributes that the Active Directory supports. Because the Schema is a forest-wide definition, it is replicated to every Domain Controller in the forest. The Configuration Naming Context contains all the configuration for the forest. This includes all the information about domains, sites, and where Domain Controllers reside. This also is considered forest-wide and replicated to all Domain Controllers. Finally, the Domain Context. This contains only domain-specific information, such as users, groups, OUs, computers, etc. Each Domain has its own context and replicates it only to domain controllers within that domain. SLIDE TRANSITION: We’ve mentioned replication a lot so far, so let’s talk about replication topologies. ADDITIONAL INFORMATION FOR PRESENTER: The script for this slide was taken in part from O’Reilly’s Active Directory 2nd Edition.
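The naming contexts described on slides #18 and #19, and the per-partition replication they imply, can be read straight off a Domain Controller. The following is an added example written for this page, not a script from the deck or from Microsoft; it assumes the ActiveDirectory module (RSAT), a DC named DC1 (a constructed name), and a 24-hour staleness threshold that is this example’s own choice.

```powershell
# Added example: show which naming contexts one DC holds and the replication state of
# each partition with its partners. Requires the ActiveDirectory module (RSAT).
$dc = 'DC1'   # assumption: a DC name in the forest

# The three predefined NCs (plus any application partitions such as DomainDnsZones)
# are published by the DC's RootDSE.
$root = Get-ADRootDSE -Server $dc
[pscustomobject]@{
    Schema        = $root.schemaNamingContext
    Configuration = $root.configurationNamingContext
    Domain        = $root.defaultNamingContext
    AllPartitions = ($root.namingContexts -join '; ')
} | Format-List

# Replication metadata per partition and partner. A Domain NC partner is always a DC of
# the same domain; Schema and Configuration partners may be in any domain of the forest.
$meta = Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Both
$meta |
    Select-Object Partition, Partner, PartnerType, LastReplicationSuccess,
        LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object Partition, PartnerType |
    Format-Table -AutoSize

# Partners that have not replicated successfully for more than a day deserve attention
# (assumption: 24 hours is this environment's chosen threshold).
$meta | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) } |
    ForEach-Object {
        'STALE: {0} from {1}, last success {2}' -f $_.Partition, $_.Partner, $_.LastReplicationSuccess
    }

# Classic equivalents:  repadmin /showrepl DC1   and   repadmin /replsummary
```

Seeing Schema and Configuration partners in other domains while the Domain NC partners stay within the DC’s own domain is the practical evidence for the forest-wide versus domain-wide distinction the slide draws.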
  • #20: KEY MESSAGE: Introduce the 2 topologies SLIDE BUILDS: None SLIDE SCRIPT: We have two replication topologies available in AD. The first one is the Intra-Site Replication. All DCs present in a site, and which therefore are well connected, replicate using this method. The second one is the Inter-Site Replication. DCs between two sites replicate using this method. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #21: KEY MESSAGE: Go into more detail about Intra-site. SLIDE BUILDS: None SLIDE SCRIPT: Replication within a site is done using RPC. Since connectivity between DCs in a site is good, no compression of replication data is done. Intra-site replication also uses a change notification process. However, after being notified, replication starts only after a 5 minute pause if the domain controllers are Windows 2000. This pause, known as replication latency, is reduced to a matter of seconds in Windows Server 2003. This is done for optimization purposes: gather all changes during this interval since the first change and replicate. How does each DC know from which DC to replicate? On each DC, it is the job of the Knowledge Consistency Checker (KCC) to generate the appropriate topology based on many factors. For intra-site, it generates a bi-directional ring but with extra edges to minimize hops. One may create connection objects manually to construct the topology. However, it is best left to the KCC to generate the topology. SLIDE TRANSITION: Let’s look at Inter-site. ADDITIONAL INFORMATION FOR PRESENTER:
  • #22: KEY MESSAGE: Go into More detail about Inter-site. SLIDE BUILDS: None SLIDE SCRIPT: The DCs between sites use Inter-site replication. One has two options to use, either the DS-RPC protocol or the SMTP transport for Inter-site replication. However, SMTP can only be used for replication between GCs in different sites and between DCs of two different domains in different sites—in other words, only for configuration and schema NCs. The reason is that there are other critical NT services like FRS which cannot replicate by mail. Since any DCs in two different sites are not well connected, compression is used in inter-site replication. Inter-site replication is scheduled, unlike the notification process used in intra-site. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:
  • #23: KEY MESSAGE: What connects sites so that replication can take place? SLIDE BUILDS: None SLIDE SCRIPT: Inter-site replication is configured using site-links, site-link-bridges, and bridgehead servers. In our next demo, we will show you how to configure all these, but here is a brief description of these. Site-links link two or more sites. You can associate a cost factor to each site link. This is used by the KCC to generate a replication topology. Site-links are also associated with schedules. Schedules open one or many windows when replication is allowed. Site-links are transitive by default. If there is a link connecting sites A and B, and another link connecting sites B and C, then replication is possible from site A to site C. This is the case if the entire network is IP-routed. Site-link Bridges are not necessary if site-links are transitive. They are useful if transitivity of Site-links is disabled and must be used in some complex scenarios. They work like bridges or routers in a partitioned network. You can designate one or more DCs in a site to be a bridgehead server for that site. All inter-site replication traffic would then be channelled through that DC. Based on all this configuration, the KCC generates a minimum-cost spanning tree for inter-site replication topology. You can manually add connection objects to construct a topology, but it is always better to let the KCC generate the topology. SLIDE TRANSITION: Let’s have a quick look at replication in action – DEMO. ADDITIONAL INFORMATION FOR PRESENTER:
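Everything the KCC works from, as described on the Sites slide (#11) and here on slide #23, is stored in the Configuration naming context and can be inspected before the demo. This is an added example written for this page, not a script from the deck or from Microsoft; it assumes the ActiveDirectory module (RSAT), and the DC name DC1 in the last comment is constructed.

```powershell
# Added example: inspect the physical inputs the KCC builds its topology from (sites,
# subnets, site links with cost and interval, transitivity, preferred bridgeheads) and
# the connection objects it generated. Requires the ActiveDirectory module (RSAT).
$configNC = (Get-ADRootDSE).configurationNamingContext

# Sites, and the subnets that place a client or DC in a site
Get-ADReplicationSite -Filter * | Select-Object Name | Format-Table -AutoSize
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# Site links: Cost feeds the minimum-cost spanning tree; ReplicationFrequencyInMinutes
# and the link's schedule decide when the link is open for replication.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, InterSiteTransportProtocol |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, InterSiteTransportProtocol,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } } |
    Format-Table -AutoSize

# Transitivity ("bridge all site links") is on unless bit 0x2 is set in the options
# attribute of the IP inter-site transport; when it is off, site-link bridges are required.
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
'Bridge all site links: {0}' -f (-not ([int]$ipTransport.options -band 2))

# Preferred bridgehead servers are server objects that carry bridgeheadTransportList
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' -Properties bridgeheadTransportList |
    Select-Object Name, @{ n = 'Transports'; e = { $_.bridgeheadTransportList -join ', ' } }

# Connection objects: AutoGenerated ones belong to the KCC; manually created ones are
# left alone by it, which is why the slide recommends not creating them by hand.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize

# Ask the KCC on one DC to recompute the topology immediately:  repadmin /kcc DC1
```

A quick sanity check after the demo: every site should appear in at least one site link, and every inter-site connection object should point at the intended bridgehead, otherwise the KCC has picked one for you.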
  • #24: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: Let’s tackle our last topic: Operations Masters. SLIDE TRANSITION:
  • #25: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: We mentioned earlier that the Active Directory is a Multi-master Directory service; all domain controllers can write to the database. However, there are times when this ability for more than one administrator to write to the database is not ideal, and the best way to handle this situation is in a single-master replication model. The way this is handled within the Active Directory is via Operation Masters, or, put another way, one or more servers nominated to perform the operation exclusively. There are five such functions within the Active Directory that require that only one server can perform that function. These functions are collectively called Flexible Single Master Operations, or FSMOs for short. As with Naming Contexts, some FSMOs are domain-wide and some forest-wide. The first two on the slide here are the forest-wide functions. The DC nominated as the Schema Master is the only machine in the forest allowed to make changes to the schema, i.e. to add classes or attributes. If you go from here to work with Exchange 2000 or 2003, you will know the schema master well because the first part of an Exchange install must be performed on the Schema master to extend the schema. The default schema master is the first DC installed. The other Forest-wide FSMO role owner is the Domain Master. This DC is allowed to make changes to the namespace, in other words, adding or removing domains. This, like the Schema master, is usually the first DC that is installed. SLIDE TRANSITION: What are the Domain-wide roles? ADDITIONAL INFORMATION FOR PRESENTER:
  • #26: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: The first Domain-wide FSMO is the PDC Emulator. This DC acts as the PDC for NT clients. If, for example, you upgrade an NT 4 domain that has a number of BDCs, the PDC emulator is the connection between the BDCs and the Active Directory. Changes such as password changes, account lockouts, etc. are replicated to these downlevel clients. To a BDC, this DC looks like and acts like a PDC. The Relative Identifier, or RID Master, generates pools of Security Identifiers or SIDs. Whenever a security-enabled object is created in a domain, it needs a SID so it can be uniquely identified. Because there can be any number of domain controllers, a system of ensuring that only unique SIDs are allocated is needed. The RID Master creates a pool of unique identifiers and passes them out to each DC in blocks of 512. The DCs then use this pool to assign SIDs to objects. When a DC starts to get low in its pool— below 100 — it asks the RID Master for more. The final Single Master Function is the Infrastructure Master. This master is used to maintain references to objects in other domains. It is the Infrastructure Master’s responsibility to ensure references to objects across domains are maintained and always up to date. One final thing about Operation Masters: If the machine that holds a FSMO role goes offline, another machine is not automatically promoted. This is a manual operation that can be done using tools like NTDSUTIL. NTDSUTIL is the only tool that can forcibly move a role around. At any other time, you can use the Active Directory Users and Computers, Active Directory Domains and Trusts or Active Directory Schema consoles to transfer roles. The Active Directory will function for some time if all the roles are offline, but it is not recommended and you should always be aware of your FSMO role owners’ state. SLIDE TRANSITION: So let’s wrap up. ADDITIONAL INFORMATION FOR PRESENTER:
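The role holders from slides #25 and #26, the RID pool mechanism, and the transfer-versus-forced-move distinction can all be checked from PowerShell as well as from NTDSUTIL. This is an added example written for this page, not a script from the deck or from Microsoft; it assumes the ActiveDirectory module (RSAT) and the RSAT command-line tools, and the DC names DC1 and DC2 are constructed.

```powershell
# Added example: list the five FSMO role holders, decode one DC's RID pool, and show the
# transfer-versus-seize distinction. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Forest-wide roles are attributes of the forest object; domain-wide roles of the domain.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List
# Classic equivalent:  netdom query fsmo

# RID pool handed to one DC by the RID Master. Each pool attribute packs its range into
# a 64-bit value: low 32 bits = first RID in the block, high 32 bits = last RID.
$dcName = 'DC1'   # assumption: a DC in this domain
$computerDN = (Get-ADDomainController -Identity $dcName).ComputerObjectDN
$ridSet = Get-ADObject -Identity "CN=RID Set,$computerDN" `
    -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID

function Decode-RidPool([int64]$packed) {
    '{0}-{1}' -f ($packed -band 4294967295), ($packed -shr 32)
}
$fields = @(
    $dcName,
    (Decode-RidPool $ridSet.rIDPreviousAllocationPool),  # pool currently being consumed
    (Decode-RidPool $ridSet.rIDAllocationPool),          # next pool already granted
    $ridSet.rIDNextRID                                   # next RID this DC will hand out
)
'{0}: pool in use {1}, next pool {2}, next RID {3}' -f $fields
# Forest-wide view of the pool, and whether every DC agrees on who holds the roles:
#   dcdiag /test:RidManager /v
#   dcdiag /test:KnowsOfRoleHolders

# Transfer: the normal move; the current holder must be online and reachable.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator, RIDMaster
# Seize (-Force): only when the holder is permanently lost. The old holder must never be
# brought back onto the network afterwards, or two DCs will each believe they own the role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole RIDMaster -Force
```

Watching rIDNextRID approach the end of the pool in use while the next pool is still empty is the early warning that the RID Master is unreachable: object creation on that DC will fail once the block is exhausted, which is the practical reason the slide tells you to keep an eye on role owners’ state.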
  • #27: KEY MESSAGE: So these are the topics we’ve covered in today’s session. SLIDE BUILDS: None SLIDE SCRIPT: That brings us to the end of the session. I’d like to round off with a couple of things for you to remember. The Active Directory has two main concept types: there are logical concepts and there are physical, and each in its way is treated separately. Because Active Directory is a Directory Service, it needs a lookup system. That system is DNS, so if you are unfamiliar with that system, it would be good to read up on it. And finally, don’t be scared of it. It may seem daunting now, especially if NT 4 is your only experience with a directory service. But there is a wealth of information out there about Active Directory and lots of people who have been working with it for a long time who can help and pass on information that will help you. SLIDE TRANSITION: So, to help with that last point, here are some places to start mining that information.
  • #28: KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: TechNet has its own Active Directory section under the Products and Technologies section. We’ve also put some of the more key links on this session’s resource page at that mail URL on the bottom. SLIDE TRANSITION: If you want physical material, we have both MS Press books and also publications from other authors and vendors.
  • #29: Key Message: Talk about MS Press books and introduce the build-your-own-book feature. SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:
  • #30: Key Message: Talk about the third Party books to show we do provide a balanced view in areas where our publications are diluted or we do not cover. SLIDE BUILDS: None SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:
  • #31: Microsoft Learning (formerly MS Training & Certification and MS Press, the book division) develops the courseware called Microsoft Official Curriculum (MOC), including MSDN Training courses, eLearning, MS Press Books, Workshops, Clinics, and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for both IT professionals and developers who build, support, and implement solutions using Microsoft products and technologies. Please be sure to tell the audience that these training courses are related to the subject that was just covered in the slides, but they do not necessarily provide in-depth coverage of this exact subject as it may include other topics. Anyone interested in more information about the course(s) listed should visit the Microsoft Training & Certification Web site at www.microsoft.com/learning and review the syllabus. All MOC courses are delivered by Microsoft’s premier training channel, Microsoft Certified Technical Education Centers (CTEC) and classes are taught by Microsoft Certified Trainers (MCT).
  • #32: OPENING TRANSITION: And now, for an exciting, new product also from Microsoft Learning… KEY MESSAGE: Microsoft Skills Assessment SLIDE SCRIPT: Microsoft Skills Assessment is a free online learning tool. It’s an easy way for IT professionals, developers, and trainers to check your skills. You can quickly check your skills for implementing or managing Microsoft product or business solutions. Just take a short, 30 question assessment and see how well you know your stuff. Benefits include a Personalized Learning Plan, which includes links to Microsoft Official Curriculum, specific TechNet articles, Press books, and other Microsoft learning content. There’s also a way to measure how well you did compared with others who took the same assessment. Microsoft Skills Assessment is an expanding learning platform. Available now are assessments for Windows Server 2003 including security and patch management, Exchange Server 2003, Windows Storage Server, Office 2003, and Visual Studio .NET. SLIDE TRANSITION: TechNet can also help prepare for exams as well as a lot more, so what is it? ADDITIONAL INFORMATION FOR PRESENTER: http://www.microsoft.com/assessment
  • #33: KEY MESSAGE: Explain the MCSA program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows® Server 2003. Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems. For more information about the MCSA certification, please visit: www.microsoft.com/mcsa. TYPICAL JOB TITLES FOR MCSA: Network Administrator, Systems Administrator, Information Technology Engineer, Information Systems Administrator, Network Technician. UPGRADE PATH FROM MCSA ON WINDOWS 2000: One exam required: Exam 70-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000. SLIDE TRANSITION: That’s it. Sign off in your own way.
  • #34: KEY MESSAGE: Explain the MCSE program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft® Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software. Implementation responsibilities include installing, configuring, and troubleshooting network systems. For more information about the MCSE certification, please visit: www.microsoft.com/mcse. MCSE candidates should have at least one year of experience planning, implementing, and analyzing business solutions with Microsoft products and technologies. UPGRADE FROM MCSE ON WINDOWS 2000: Two exams required. These 2 exams satisfy the core networking exams. Exam 70-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000. Exam 70-296: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000. SLIDE TRANSITION: That’s it. Sign off in your own way. ADDITIONAL INFORMATION FOR PRESENTER: http://www.microsoft.com/mcse
  • #35: KEY MESSAGE: Explain the MCSE and MCSA Security and Messaging Specialization program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft® Certified Systems Engineer and Systems Administrator specializations allow IT professionals to highlight specific expertise or technical focus within their job role. Which Specializations are available? There are two types of specializations available: Security and Messaging for Windows Server 2003. SLIDE TRANSITION: That’s it. Sign off in your own way. ADDITIONAL INFORMATION FOR PRESENTER: http://www.microsoft.com/Traincert/mcp/mcsa/messaging/windowsserver2003.asp http://www.microsoft.com/Traincert/mcp/mcse/messaging/windowsserver2003.asp
  • #36: While the monthly subscription software is the most obvious component of TechNet, there’s also much more. The TechNet website gives subscribers access to valuable information as well as threaded discussion pages and online seminars. Many subscribers use the Web as frequently as they use the software. In the subscribers-only section, subscribers can access the Online Concierge Chat Support service, a Microsoft support special that can help them locate technical information quickly and easily. TechNet Plus subscribers also get access to our Managed Newsgroup Support Service. You can post questions in over 90 IT-related public newsgroups, and Microsoft will ensure that you get a response within 72 hours. TechNet Flash is a bi-weekly newsletter subscribers can register for. It gives them up-to-date information on the latest postings to the website. TechNet Events: TechNet subscribers have access to free events that explain how to use Microsoft products and technologies at a technical level. TechNet Communities ?????
  • #37: KEY MESSAGE: Purpose of this slide is to educate IT Pros on where to go and how to be a part of TechNet. SLIDE BUILDS: None SLIDE SCRIPT: There is one place you should go to start: WWW.MICROSOFT.COM/TECHNET. There is one communication you should subscribe to: TechNet Flash. Published every other week for the IT Pro community, it focuses on news, information, resources and events. Post questions on the discussion forum. Subscribe online. Look for TechNet branded events – feature. SLIDE TRANSITION: Last slide in the deck. Round off however you like. ADDITIONAL INFORMATION FOR PRESENTER: