Ch 8-1 Working with domains and Active Directory

Upload: logan-kennedy

Post on 27-Dec-2015


Objectives

• Introduction to domains and domain controllers

• Pros and cons of using domains

• Factors to choose between domains and workgroup

• Domains, subdomains, trees and forests


Introduction to domains

• The main reason to build a network, whether a workgroup or a domain, is to have control over what users can and cannot do on the network

• In a workgroup, the administrator has to configure the settings (security and file sharing permissions) on each machine individually

• In a domain, one machine called a domain controller is responsible for security and permissions


Introduction to domains

• Windows Server 2008 supports two kinds of network using two different server configurations:
– for smaller numbers of users, it relies on the workgroup
– for larger numbers of users, it relies on the domain

• The same machine can act as either a workgroup server or a domain server

• Having a domain server means that this server is responsible for dealing with security and permissions on the network


Advantages of using a Domain

1. Better security
2. Centralization of control over users, machines, and resources
3. Improved organizational capability
4. Enhanced performance through efficient resource usage
5. Better reliability on large networks


Cost of using domains

• Increased complexity, which can increase administration time and result in more errors

• Loss of certain Windows Server 2008 features, such as Internet Connection Sharing (ICS)

• Required use of some features, such as Active Directory

• Significantly increased training costs


Factors to choose between a domain or workgroup

• The number of users

• Application types, such as databases, require better security and control, which means that you may need a domain with fewer users.

• High-security applications normally require a domain no matter how few or many users

• Shared resource applications, such as word processing, don’t require a domain in most cases unless you have a large number of users that must collaborate on content.


Factors to choose between a domain or workgroup

• Services such as file sharing and printing don’t usually require a domain.

• Power users generally work better in a workgroup setup.

• Novice users may not require a domain, but the domain environment can sometimes prevent them from making as many mistakes.

• Networks with high growth rates may not require a domain today, but will likely need one tomorrow


Domain controller

• The decision to create a domain means promoting the server to a domain controller

• Domain controllers (DCs): Servers that have the Active Directory Domain Services (AD DS) server role installed; the same Active Directory information is replicated to every DC.

• Multimaster replication
– Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory
– If information on one DC changes, such as the creation of an account, it is replicated to all other DCs in a process called multimaster replication.

• In case of DC failure, users can still access resources


Active Directory Basics

• Active Directory
– Directory service that contains information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information

• Directory service
– Responsible for providing:
  • a central listing of resources
  • ways to quickly find and access specific resources
  • a way to manage network resources

• AD DS is like a central management center for a Windows Server network.


Schema

• Active Directory schema
– Part of AD DS. It is simply a database of how data is stored in the domain controller and what information is stored in the domain controller about users, computers, and other objects in the network.

• User account
– One class of object in Active Directory that is defined through schema elements unique to that class
– For example, for the user account schema there will be user names, passwords, and email addresses

• Schemas are expandable; you can add more data when needed


Groups and permissions

• Security is the main issue when managing user accounts in Active Directory

• Instead of giving certain permissions to each account individually, it is better to create groups to deal with security

• With groups, the administrator can add the permissions to different resources on the network one time and then assign users to be members of the groups


Organizational Unit

• Organizational unit (OU)
– Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division than is possible through domain administration alone

• An OU is a grouping of related objects within a domain, similar to the idea of having subfolders within a folder
– OUs allow the grouping of objects so that they can be administered using the same group policies

• OUs can be nested within OUs

• Groups are made of users

• OUs are made of groups, users and other resources such as printers


Organizational Unit (continued)

• When you plan to create OUs, keep three concerns in mind:
– Microsoft recommends that you limit OUs to 10 levels or fewer
– Active Directory works more efficiently when OUs are set up horizontally instead of vertically
– The creation of OUs involves more processing resources because each request through an OU requires CPU time
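
One way to check a directory against the 10-level guideline above, as an added PowerShell example that is not part of the original slides: it counts the OU= components of each distinguished name and tallies OUs per depth. The distinguished names are constructed sample data, `Get-OuDepth` is a hypothetical helper, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the slides). All distinguished names are constructed.
$MaxDepth = 10   # guideline quoted on the slide above

function Get-OuDepth {
    # Hypothetical helper: number of OU= components in a distinguished name.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # RDNs are comma-separated; a literal comma inside a value is written "\,",
    # so split only on commas that are not preceded by a backslash.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    @($rdns | Where-Object { $_ -match '^\s*OU=' }).Count
}

# A 12-level chain, built to trigger the warning below.
$deepChain = (12..1 | ForEach-Object { "OU=Level$_" }) -join ','

$sampleDns = @(
    'OU=Sales,DC=example,DC=com'
    'OU=Printers,OU=Sales,DC=example,DC=com'
    'OU=Smith\, J Team,OU=Sales,DC=example,DC=com'   # escaped comma: still depth 2
    "$deepChain,DC=example,DC=com"
)
# On a domain-joined host with the ActiveDirectory module, use instead:
#   $sampleDns = (Get-ADOrganizationalUnit -Filter *).DistinguishedName

$report = foreach ($dn in $sampleDns) {
    [pscustomobject]@{
        Depth             = Get-OuDepth -DistinguishedName $dn
        DistinguishedName = $dn
    }
}

# OUs per depth: most OUs at low depth means a horizontal layout,
# a long tail of deep levels means a vertical one.
$report | Group-Object Depth | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'Depth'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Flag anything nested deeper than the guideline.
$report | Where-Object { $_.Depth -gt $MaxDepth } | ForEach-Object {
    Write-Warning ("OU depth {0} exceeds {1}: {2}" -f $_.Depth, $MaxDepth, $_.DistinguishedName)
}
```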


The Domain

• The domain is basically all the computers, users and objects that are tied to the domain controller (AD DS)

• On a local area network (LAN), a domain is a sub-network made up of a group of clients and servers under the control of one central security database

• On the Internet, a domain is part of every network address, including web site addresses and email addresses


Sub domain

• A sub domain is a domain that is part of a larger domain; the only domain that is not also a sub domain is the root domain
– Example: google.com, europe.google.com

• When you create sub domains from the original domain, you have what is called a “tree”


Namespace

• Namespace
– A logical area on a network that contains directory services and named objects

• Active Directory employs two kinds of namespaces: contiguous and disjointed

• A contiguous namespace is one in which every child object contains the name of the parent object, such as in the example of the child object msdn2.microsoft.com and its parent object microsoft.com

• When the child name does not resemble the name of its parent object, this is called a disjointed namespace, such as when the parent for a university is uni.edu, and a child is bio.ethicsresearch.com.


Tree

• Tree
– Contains one or more domains that are in a common relationship

• A tree has the following characteristics:
– Domains are represented in a contiguous namespace and can be in a hierarchy
– Two-way trust relationships exist between parent domains and child domains
– All domains use the same global catalog


Forest

• Forest
– Consists of one or more Active Directory trees that are in a common relationship

• Forests have the following characteristics:
– The trees can use a disjointed namespace
– Two-way transitive trusts are automatically configured between domains within a single forest


Forest (continued)

• A forest provides a means to relate trees that use a contiguous namespace in domains within each tree
– But that have disjointed namespaces in relationship to each other

• The advantage of joining trees into a forest is that all domains share the same schema and global catalog
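
The namespace, tree and forest slides above can be worked through on a list of domain names. This added PowerShell example is not part of the original slides: it groups domains into trees by contiguous namespace and reports whether the trees are disjointed from each other. It infers relationships from DNS names only, treats the constructed list as one forest (an assumption), and `Get-ParentDomain` and `Get-TreeRoot` are hypothetical helpers.

```powershell
# Added example (not from the slides). Constructed list reusing the slide names,
# assumed here to be the domains of a single forest.
$domains = @(
    'microsoft.com', 'msdn2.microsoft.com',
    'google.com', 'europe.google.com',
    'uni.edu', 'bio.ethicsresearch.com'
)

function Get-ParentDomain {
    # Hypothetical helper: the longest other domain whose name is a
    # dot-delimited suffix of $Name (contiguous namespace), or nothing.
    param([string]$Name, [string[]]$All)
    $All |
        Where-Object { $_ -ne $Name -and
            $Name.EndsWith(".$_", [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object Length -Descending |
        Select-Object -First 1
}

function Get-TreeRoot {
    # Hypothetical helper: walk up the parents until a domain has none.
    param([string]$Name, [string[]]$All)
    $current = $Name
    while ($parent = Get-ParentDomain -Name $current -All $All) { $current = $parent }
    $current
}

$forest = foreach ($d in $domains) {
    [pscustomobject]@{
        Domain   = $d
        Parent   = Get-ParentDomain -Name $d -All $domains   # empty for a tree root
        TreeRoot = Get-TreeRoot -Name $d -All $domains
    }
}
$forest | Sort-Object TreeRoot, Domain | Format-Table -AutoSize

# One group per tree; more than one tree means the namespaces are
# disjointed relative to each other, as with uni.edu and bio.ethicsresearch.com.
$trees = @($forest | Group-Object TreeRoot)
$relation = if ($trees.Count -gt 1) { 'disjointed' } else { 'contiguous' }
"{0} tree(s) in the forest; namespace between trees: {1}" -f $trees.Count, $relation
```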


Hands-On Microsoft Windows Server 2008 - edited by Nada Almohaimeed

Global Catalog

• Global catalog
– Stores information about every object within a forest
– Stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest

• The first DC configured in a forest becomes the global catalog server

• The global catalog server enables forest-wide searches of data


Homework

• Download homework 8-1 from the site, solve it, PRINT IT and submit it on the due date