Your SlideShare is downloading. ×
  • Like
Active directory intro
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Active directory intro



Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Slide Title: Title Slide
    Key Message: This is the session title
    Slide Builds: 0
    Slide Script:
    Hello and welcome to this Microsoft TechNet session on Active Directory Fundamentals. My name is {insert name}.
    Slide Transition: Managing shared resources and network accounts are some of the most important and time-consuming tasks for IT personnel. Planning, deploying, and upgrading complex networks can easily become a real nightmare. In today’s session, we will see how the Active Directory system can simplify the management of network resources while offering enhanced network services.
    Slide Comment:
    Additional Information:
  • Slide Title: What Is a Directory Service?
    Keywords: Active Directory, directory service, overview
    Key Message: A directory service tracks and locates objects on a network.
    Slide Builds: 2
    Slide Script:
    The simplest answer is that a directory service helps users track and locate objects. The core function of any directory service is that it lets you find information on a network and make your own data network-accessible.
    [BUILD1]But Active Directory does much more than allow users to find their information. In fact, the features of Active Directory make it a complete network-management system.
    [BUILD2]Active Directory allows you to group workstations together for easier administration. Using Active Directory, workstations can be updated, configured, and even repaired remotely. A single management interface that is accessible from anywhere on the network means more efficiency for you and less time spent bending over client workstations.
    Active Directory allows users to search for network services, like printers and faxes. Network services can also be managed and configured from a single Control Panel.
    In addition to helping you find and access your files, Active Directory offers several advanced file features that we’ll cover later in this session. These features can:
    Allow mobile users to access network files while offline.
    Improve data security by automatically backing up important files.
    Increase the availability of your files by keeping copies near where they’re needed most.
    Finally, Active Directory provides single sign-on security for users in your network. This means that users won’t have to remember multiple passwords for different applications. Instead, you can easily apply global security and configuration settings to Active Directory user accounts.
    Active Directory adds value to your network by increasing security, adding services, and reducing administration costs.
  • Slide Title: Active Directory Domains
    Keywords: Active Directory, domains
    Key Message: Domains are the key logical units of Active Directory.
    Slide Builds: 4
    Slide Script:
    Domains represent logical partitions within Active Directory for security and directory replication. Domains are unique names, like the domain names we’re all used to seeing on the Web. “” is an example of a domain name, and so is “” There is a one-to-one correspondence between Active Directory domains and DNS domains.
    [BUILD1] Domains function as containers for Active Directory objects. Active Directory objects include users, servers, workstations, and network devices, such as printers. Each domain stores information only about the objects it contains, and theoretically an Active Directory domain can contain up to 10 million objects. One million objects in an Active Directory domain is the supported limit.
    [BUILD2] Because all Active Directory users log on to a domain, domains are boundaries of authentication. Domain controllers are responsible for authenticating user and group passwords, and Active Directory provides single log-on security throughout the domain. Domain-wide authentication means fewer lost passwords and fewer problems with configuring permissions.
    [BUILD3] Domains are also policy boundaries. Security policies that are defined in one domain are not extended to other domains. This means that settings, such as administrative rights, do not cross from one domain to another.
    [BUILD4] Within a domain, information about objects is replicated between all domain controllers for additional security and redundancy. Important files within a domain may also be replicated to provide failover support without requiring expensive additional hardware. However, information is not replicated between domains. This means that domains are also boundaries for data replication.
    In short, domains define the borders of an Active Directory system. Domains provide seamless network services for users within the domain, and offer good security against systems outside of the domain.
  • Slide Title: Active Directory Trees
    Keywords: Active Directory, trees
    Key Message: Trees are groups of domains that share a contiguous namespace.
    Slide Builds: 2
    Slide Script:
    A tree is a grouping of domains that forms a contiguous namespace. A contiguous namespace is a set of domain names in which each child adds one or more identifiers to the beginning of the parent DNS name. For example, if the parent domain was and the child domain was, these two would form a contiguous namespace.
    [BUILD1] You can keep adding identifiers to the beginning of a domain name to fit your organization’s structure or to expand Active Directory as your company grows. The name of an Active Directory tree is the name of the domain that is highest in the hierarchy. In this example, the name of the tree is, which is also referred to as the root of the domain tree.
    [BUILD2] Domains in an Active Directory tree share certain elements. They share a schema, which is the definition for all Active Directory objects. The schema also defines relationships between different kinds of objects. Domains in a tree also share configuration information about Active Directory as a whole and a Global Catalog, or GC. These objects are replicated between domain controllers in the tree. This ensures the consistency of your object definitions, settings, and Active Directory configuration across your enterprise.
    Slide Transition: Another important aspect of trees is trust relationships.
    Slide Comment:
    Additional Information:
  • Slide Title: Transitive Trusts
    Keywords: Active Directory, transitive, trusts
    Key Message: Domains within trees have transitive trust relationships.
    Slide Builds: 2
    Slide Script:
    In an Active Directory tree, trust relationships link domains together so that they can be administered as a single logical unit. Every time a new domain is added to the tree, a transitive trust is formed. If domain “A” trusts domain “B,” then domain “A” trusts all the domains that “B” trusts. In this example, there is a trust relationship between and
    [BUILD1] If another domain called is added, a trust relationship is set up between the root of the domain,, and the new child domain.
    [BUILD2] Because trust relationships within a tree are transitive, will also trust, so no additional configuration for each domain in the tree is needed.
    Slide Transition: So what do you get when you have more than one tree?
    Slide Comment:
    Additional Information:
  • Slide Title: Active Directory Forests
    Keywords: Active Directory, forests
    Key Message: A forest contains one or more trees and one or more namespaces.
    Slide Builds: 1
    Slide Script:
    A forest is composed of one or more trees. Unlike a tree, a forest can contain several noncontiguous namespaces. In this example, the forest contains two trees, each of which has its own namespace: and The forest takes the name of the first tree to be installed in that forest. In the same way that transitive trust relationships exist between domains in a tree, there are bidirectional trust relationships between top-level domains in a forest.
    [BUILD1] Just like trees, forests share a common schema, configuration, and Global Catalog.
    Forests provide a way of linking together branches of an enterprise or different enterprises that are collaborating in a joint venture.
    Slide Transition: So let’s look at a demonstration of how all this actually works.
    Slide Comment:
    Additional Information:
  • Slide Title: Organizational Units
    Keywords: Active Directory, Organizational Units
    Key Message: OUs organize objects within a domain, and are distinct administrative units.
    Slide Builds: 4
    Slide Script:
    Domains, trees, and forests are powerful tools for organizing systems in your network. But sometimes administrators need even more flexible control over their network structure. Organizational Units, or OUs, are containers that you can use to group together other objects. OUs can be used to organize users, computers, groups, printers, applications, file shares, and even other OUs. This means that OUs can be customized for virtually any network or enterprise structure.
    [BUILD1] For example, each department of contains a group of users who use desktop workstations to access a specific group of printers, servers, and applications. By combining different types of objects, Organizational Units can be defined to contain all the resources used by each department.
    [BUILD2] Because OUs can have their own administrators, policies, and settings, customized OUs simplify enterprise-wide network management. Objects that should be managed by the same administrator can be grouped together, and authority to manage the specific OU is delegated to an appropriate user by the domain administrator. For example, the Finance department of has its own IT staff, so all directory objects belonging to the Finance department are grouped together and controlled by a Finance department administrator. Delegating administration of OUs can distribute IT demands more efficiently.
    [BUILD3] Group Policy allows you to define settings for each OU in your enterprise. Group Policy allows administrators to implement rules and default settings that are applied to all objects in an OU. By using Organizational Units, you can easily apply changes and updates to specific groups without affecting other systems in the domain.
    [BUILD4] Finally, by applying security configurations on a per-OU basis, you can improve the overall security of your enterprise. For example, hires independent contractors who need limited access to company data. By placing consultants in a single OU, you can easily define security configurations that allow contractors to use the systems they need while consistently limiting their ability to reach other parts of the network.
  • Slide Title: Organizational Unit Applications
    Keywords: Active Directory, Organizational Units
    Key Message: OUs support flexible organizational structures.
    Slide Builds: 4
    Slide Script:
    OUs can be configured to meet your administrative needs and fit the unique structure of an enterprise.
    [BUILD1] OUs can be built for company departments.
    [BUILD2] Or for geographic locations.
    [BUILD3] Or by different types of devices. By using Organizational Units, you can make Active Directory objects even easier to locate and manage.
    [BUILD4] For even further flexibility, OUs can be nested inside each other.
    Slide Transition: Let’s look at a demonstration of Organizational Units in a real-world scenario.
    Slide Comment:
    Additional Information:
  • Slide Title: Domain Controllers
    Keywords: Active Directory, domain controller, replication
    Key Message: Domain controllers replicate directory information between each other.
    Slide Builds: 2
    Slide Script:
    No matter what type of domain structure you run, there is at least one domain controller. A domain controller is a server that Active Directory system users log in to and that contains information about your directory structure. This information includes configuration settings, the directory schema, and the Global Catalog. To ensure continuous availability of directory services, an Active Directory system should contain at least two domain controllers.
    [BUILD1] In Windows NT, there are two types of domain controllers: primary domain controllers, or PDCs, and backup domain controllers, or BDCs. Since only the PDC holds a read/write copy of the directory, all changes to the directory need to be made on the PDC. The updated data is then replicated to the BDCs.
    [BUILD2] In a Windows 2000 Server or Windows Server 2003 Active Directory system, there’s not a separation between primary and backup domain controllers. Instead, all computers that participate in the authentication process are simply called “domain controllers,” or DCs. They all hold writable copies of the directory information, and they all replicate information between each other. This simplifies the Active Directory structure, eliminates single point-of-failure servers, and improves the flow of network traffic.
    Slide Transition: If domain controllers are the heart of an Active Directory installation, sites are the circulatory system.
    Slide Comment:
    Additional Information:
  • Slide Title: Active Directory Sites
    Keywords: Active Directory, sites
    Key Message: A site is a group of well-connected computers in an Active Directory system.
    Slide Builds: 4
    Slide Script:
    An Active Directory site is a set of TCP/IP subnets that are considered to be “well-connected.” Well-connected generally means a group of computers that are linked through a high-bandwidth LAN, with at least 10 MB of throughput. When planning an Active Directory system, sites are used to optimize network traffic and maximize data availability.
    [BUILD1] In this example, a company has two offices in different locations. The computers in each office, which are connected together on a LAN through a router, are each considered an Active Directory site. The two Active Directory sites are linked together through a slower WAN connection. In an Active Directory system, sites have three main purposes.
    [BUILD2] First, sites are used to locate services, such as logon and DFS services. When a client requests a connection to a DC, sites are used to preferentially allow the client to connect to a DC within the same site. If no DC exists within the user’s site, Active Directory will search for a DC in the closest site on the network. The same is true when a client requests a connection with a network service, like a distributed file. By matching clients with resources inside the same site, Active Directory maximizes network performance.
    [BUILD3] Second, sites are used to control replication throughout an enterprise. Active Directory automatically creates more replication connections between domain controllers in the same site. This results in lower replication latency within a site and lower replication bandwidth costs between sites.
    [BUILD4] Finally, policy objects can be applied to sites as a group, making sites natural boundaries for defining security and configuration settings.
  • Slide Title: Sites and Domains
    Keywords: Active Directory, sites, domains
    Key Message: Sites and domains can overlap.
    Slide Builds: 2
    Slide Script:
    The answer is that sites and domains can be combined to work together however you want. Because sites are a physical construct, they can overlap with domains, which are logical constructs. A site can contain an entire domain, or only part of a domain, or even multiple domains.
    [BUILD1] In this example, our enterprise contains two sites: Site A and Site B. The domain contains one computer from Site A and all the computers from Site B.
    [BUILD2] Site A also contains computers that are part of the child domain.
    This is one of the main concepts to remember and one people get confused on: Domains are logical structures; sites are physical structures.
    Slide Transition: The last important physical building-block of an Active Directory system is the Global Catalog.
    Slide Comment:
    Additional Information:
  • Slide Title: Global Catalog
    Keywords: Active Directory, Global Catalog
    Key Message: The Global Catalog is a limited, forest-wide database of attributes.
    Slide Builds: 4
    Slide Script:
    When talking about Active Directory systems, you will often hear the term Global Catalog, or GC. Knowing what a GC is and how it works is important to understanding Active Directory.
    [BUILD1] In basic terms, the Global Catalog is a database that contains a set of attributes of all the objects in the forest. This means that some attributes of every object in every domain database in the forest will be maintained in the Global Catalog.
    [BUILD2] For example, a domain database might contain dozens of attributes for each user, such as the user’s e-mail address, office location, manager, phone number, and so on. The Global Catalog might only contain a few of these attributes, such as the user’s e-mail address and phone number. The attributes for each type of object that are published to the Global Catalog can be configured to meet your organization’s needs.
    [BUILD3] The Global Catalog is used for fast forest-wide searches of enterprise objects. By publishing some attributes of each object to the Global Catalog, you can make it easy for anyone in your enterprise to quickly locate important resources. For example, by publishing the e-mail addresses of all users to the Global Catalog, you can create a searchable enterprise-wide employee directory.
    [BUILD4] Typically, an Active Directory system will contain one Global Catalog server, which is simply a domain controller that is also configured to hold the Global Catalog. Global Catalog servers are identified as such in DNS and can be located by clients using DNS. The Global Catalog server is also used during logon to determine universal group membership, since universal groups do not reside within any particular domain.
  • Slide Title: DNS
    Keywords: DNS, Domain Naming System, DNS overview
    Key Message: DNS is used to locate servers and services in Active Directory.
    Slide Builds: 3
    Slide Script:
    DNS is how Active Directory finds services and resources. Most network services, including Active Directory, require DNS to function, and DNS is the key to understanding how traffic flows through a network. Because of this, it’s worth reviewing how the DNS request process works.
    [BUILD1] When an Active Directory client connects to a network service, for example, to log in to the directory or to perform a directory search, it sends a request to a DNS server. The request includes information about what service the client is looking for and the site where the client is located.
    [BUILD2] The DNS server sends back information about the locations of domain controllers in the Active Directory system, and SVR records which list the services that are available on each DC. The information returned by the DNS server is weighted based on the site location of the client, so that clients will always try to connect with the closest service. This information is then cached on the client computer to minimize the need for future DNS requests and reduce network traffic.
    [BUILD3] Finally, the client uses the information returned by the DNS server to connect with a nearby domain controller and the requested network service.
  • Slide Title: DNS Systems and Requirements
    Keywords: DNS, DNS features, Active Directory
    Key Message: Use the Microsoft DNS server for best Active Directory integration.
    Slide Builds: 1
    Slide Script:
    To work with Active Directory, your network’s DNS system needs to support SRV records as well as the Dynamic Update Protocol. This is necessary so that systems in your directory can dynamically update their own DNS mappings and request information about services. Think of this in the same terms as how WINS has always worked: Clients dynamically update their own information in a WINS database.
    [BUILD1] Several common non-Microsoft DNS servers, including Bind 8.1.2 and later, are compatible with Active Directory. To get the most out of Active Directory, however, you’ll want to use Windows 2000 or later.
    Some of the features offered by the Microsoft DNS server that comes with Windows 2000 Server and Windows Server 2003 include:
    Integration with Active Directory. Both DNS and Active Directory have databases that are replicated between computers. With Active Directory integration of the DNS database, only a single replication topology needs to be managed, simplifying administration. We’ll cover replication in more detail during the next section of this presentation.
    Multimaster update. With standard DNS, changes to the DNS database may only be performed on the primary master. Secondary masters always get their copies of the DNS database from a primary master (or from another secondary master). With Active Directory integration, changes to the DNS database can be performed on any DNS server that manages that zone.
    Secure dynamic update. This improves DNS security by authenticating hosts that are dynamically registering their names.
  • Slide Title: Replication Scope
    Keywords: Active Directory, replication, naming context
    Key Message: Replication scope is governed by naming context.
    Slide Builds: 3
    Slide Script:
    By dividing up directory information and storing it where needed, Active Directory reduces the data that each domain controller holds and helps to decrease network traffic. At the same time, by replicating directory information to several DCs, Active Directory ensures that users always have a consistent view of the directory; it also provides failover support.
    Active Directory uses a sophisticated replication scheme based on several different concepts. The first of these is naming context. Naming context governs how widely information is replicated, and there are three predefined naming contexts.
    [BUILD1] The schema naming context contains objects that represent all the classes and attributes that Active Directory supports. Because the schema is a forest-wide definition, it is replicated to every domain controller in the forest.
    [BUILD2] The configuration naming context is also considered forest-wide and is replicated to all domain controllers. The configuration naming context contains all the information for the forest about domains, sites, and where domain controllers reside.
    [BUILD3] Finally, the domain naming context. This contains only domain-specific information, such as users, groups, OUs, and computers. Each domain has its own context that it replicates only to domain controllers within the domain.
  • Slide Transition: In addition to naming context, Active Directory also uses the logical and physical location of domain controllers to efficiently manage replication.
    Slide Comment:
    Additional Information:
  • Slide Title: More Replication Scope
    Keywords: Active Directory, replication, intersite, intrasite, sites
    Key Message: Replication topologies are automatically generated. Data replicated between sites is compressed.
    Slide Builds: 2
    Slide Script:
    As discussed previously, each domain controller in an Active Directory system maintains and replicates a complete writeable copy of the domain database. This is a big change from NT 4, in which all changes to the domain database had to be made on the PDC. Now, any DC can make those changes, and the information will work its way around the domain. The Knowledge Consistency Checker, or KCC, automatically generates an optimized replication topology based on the definition of sites and site links. Here’s how it works:
    [BUILD1] Within a site, the KCC automatically generates a bidirectional ring topology for all domain controllers in the same domain. The KCC also ensures that there are no more than three hops from any domain controller in a site to any other domain controller in a site by adding additional replication partners where necessary. Intrasite replication is RPC-based and not compressed, so good network connectivity is assumed.
    [BUILD2] Between sites, the KCC automatically generates a spanning tree-replication topology. To make the most efficient use of your network, you can associate a cost factor with the link between each site and designate one or more DCs in a site to be a bridgehead server for that site. Bridgehead servers act as channels for all intersite replication traffic. Based on all this configuration, the KCC generates a minimum-cost topology for replication. Intersite replication can be scheduled and is also compressed significantly, up to 15 percent of the original data volume for RPC and 30 percent for SMTP, reducing expensive network traffic.
    By automatically generating an intelligent replication scheme that takes into account your existing network topology, Active Directory eliminates the need for complex manual configuration and reduces administration overhead.
  • Slide Title: Operations Masters
    Keywords: Operations Masters
    Key Message: Operations Masters perform a network function exclusively.
    Slide Builds: 3
    Slide Script:
    We mentioned earlier that Active Directory is a multimaster directory service. All domain controllers can write to the database. However, there are times when the ability for anyone to write to the database is not ideal, and the best way to approach this situation is in a single-master mode.
    [BUILD1] This is handled in Active Directory with Operations Masters. Operations Masters are servers that are nominated to perform an Active Directory operation exclusively. There are five functions within Active Directory, and only one server can perform that function (we’ll cover those functions in a moment). These functions are collectively called Flexible Single Master Operations, or FSMOs for short.
    [BUILD2] As with naming contexts, some FSMOs are domain-wide and some are forest-wide. Operations Masters perform their exclusive function within a specific scope, either a domain or a forest.
    [BUILD3] The last point to make about Operations Masters is that by default, the first domain controller to be installed is the Operations Master for all FSMOs in the forest. You can manually assign Operations Masters roles to other domain controllers as you’re configuring your Active Directory system.
    Slide Transition: So what are the FSMOs ?
    Slide Comment:
    Additional Information:
  • Slide Title: Operations Master Roles
    Keywords: Operations Masters, roles, FSMO
    Key Message: Here are the list of FSMOs in Active Directory.
    Slide Builds: 2
    Slide Script:
    [BUILD1] The first two roles we will talk about are forest-wide functions. The DC nominated as the schema master is the only computer in the forest allowed to make changes to the schema, such as adding classes or attributes. If you go from here to work with Exchange 2000 or 2003, you will know the schema master well because the first part of an Exchange install must be performed on the schema master to extend the schema. The other forest-wide FSMO role is the domain master. This DC is allowed to make changes to the namespace—in other words, adding or removing domains.
    [BUILD2] There are three domain-wide single-master roles. The first is the PDC emulator. This DC acts as the PDC for older NT clients. If, for example, you upgrade an NT 4 domain that has a number of BDCs, the PDC emulator is the connection between the BDCs and Active Directory. Changes such as password updates and account lockouts are replicated to these down-level clients. To a BDC, this DC looks and acts like a PDC.
    The Relative Identifier, or RID Master, generates pools of Security Identifiers, or SIDs. Whenever a security-enabled object is created in a domain, it needs a SID so it can be uniquely identified. Because there can be any number of domain controllers, a system of ensuring that only unique SIDs are allocated is needed. The RID Master creates a pool of unique identifiers and passes them out to each DC. The DCs then use this pool to assign SIDs to objects. When a DC starts to get low in its pool, it asks the RID Master for more.
    The final single-master function is the Infrastructure Master. This master is used to maintain references to objects in other domains. It is the Infrastructure Master’s responsibility to ensure references for objects across domains are maintained and always up-to-date.


  • 1. Active Directory Fundamentals
  • 2. What Is a Directory Service? A service that helps track and locate objects on a network Active Directory Management Workstations Services Files Users
  • 3. Active Directory Domains Boundary of Policies Boundary of Authentication CONTOSO.COM Boundary of Replication
  • 4. Active Directory Trees Shared Schema CONTOSO.COM Configuration US.CONTOSO.COM OHIO.US.CONTOSO.COM Global Catalog
  • 6. Active Directory Forests FABRIKAM.COM CONTOSO.COM US.CONTOSO.COM UK.FABRIKAM.COM Schema Global Configuration Catalog
  • 7. Organizational Units Organized For: •Administration •Same Requirements •Delegation •Group Policy •Configuration •Security OU Admin OU Security CONTOSO.COM OU Policy
  • 8. Organizational Unit Applications Sales Department London Desktops Marketing Department New York Printers Hardware Devices
  • 9. Domain Controllers DC PDC DC BDC BDC Windows NT 4.0 DC Windows Server 2003
  • 10. Active Directory Sites Site A WAN Link Sites Used To: •Locate Services •Optimize Replication •Define Policies Site B
  • 11. Sites and Domains Site A US.CONTOSO.COM CONTOSO.COM Site B
  • 12. Global Catalog • Spans all domains • Contains object attributes • Used for searches • Exists on domain controllers
  • 13. DNS Domain Naming System locates network services and resources. DNS Request Process •Requested Service •Site Information DNS Server •IP Addresses •SVR Records DC Cache
  • 14. DNS Systems and Requirements BIND 8.1.2 Windows NT Windows 2000 Dynamic Update* AD Integration Secure Update SRV Records* * Required for Active Directory Windows Server 2003
  • 15. Replication Scope Across Domain •Domain NC Across Forest: •Schema NC •Configuration NC
  • 16. More Replication Scope Intersite (Compressed) Intrasite (Token Ring)
  • 17. Operations Masters • Performs operation exclusively • Within designated scope • Defaults to first domain controller
  • 18. Operations Master Roles Forest Roles Domain Roles Schema Master PDC Emulator Domain Master RID Master Infrastructure