Document: Module 1: Introduction to Managing a Windows 2000 Network


Contents

Overview
Overview of Active Directory
Active Directory Logical Structure
Active Directory Physical Structure
Managing a Windows 2000 Network
Review

Module 1: Introduction to Managing a Windows 2000 Network

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, places or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 60 Minutes
Lab: 00 Minutes

This module provides students with an introduction to implementing and administering a Microsoft® Windows® 2000 network. The module provides a foundation for the course by introducing the concepts of Active Directory™ directory service and its logical and physical structures. This module also provides an overview of how Active Directory enables the centralized management and decentralized administration of a Windows 2000 network.

After completing this module, students will be able to:
- Describe the function of Active Directory.
- Describe the logical structure of Active Directory.
- Describe the physical structure of Active Directory.
- Describe the methods of administering a Windows 2000 network.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:
- Microsoft PowerPoint® file 2126A_01.ppt
- The multimedia file AdConcep.avi, Concepts of Active Directory in Windows 2000

Preparation Tasks

To prepare for this module:
- Read all of the materials for this module.
- View the multimedia presentation, Concepts of Active Directory in Windows 2000, under Multimedia Presentations on the Web page on the Trainer Materials compact disc.
- Read the white paper, Active Directory Architecture, under Additional Reading on the Student Materials compact disc.

Module Strategy

Use the following strategy to present this module:

- Overview of Active Directory
  In this topic, you will introduce Windows 2000 Active Directory. Begin by illustrating to students the purpose of Active Directory as a network directory service. Show the multimedia file. Explain how the Active Directory client extensions enable some Active Directory functionality for non-Windows 2000 client computers. Explain the purpose of Active Directory objects and their attributes. Discuss the Active Directory schema and emphasize how Lightweight Directory Access Protocol (LDAP) is used to communicate with Active Directory.

- Active Directory Logical Structure
  In this topic, you will introduce the logical structure of Active Directory. Begin by illustrating the purpose of domains in Active Directory. Explain how organizational units can be used to group objects into a logical hierarchy in a domain and to delegate administrative control over the objects. Illustrate how domains are used to form trees and forests that help in sharing network resources and administrative functions. Discuss the global catalog and how it is used to find information about directory objects and to log on to the network.

- Active Directory Physical Structure
  In this topic, you will introduce the physical structure of Active Directory. Begin by illustrating how domain controllers are used to replicate in Active Directory and perform multi-master and single master operations roles. Explain the concept of sites as physically discrete objects and emphasize how they optimize replication and logon traffic.

- Managing a Windows 2000 Network
  In this topic, you will introduce the methods for managing a Windows 2000 network. Explain how Active Directory and Group Policy can be used to centralize management of network resources. Discuss how Group Policy is used to manage the user environment. Emphasize the purpose of delegating administrative control of objects and customizing administrative tools to delegate administrative control.

Overview

- Overview of Active Directory
- Active Directory Logical Structure
- Active Directory Physical Structure
- Managing a Windows 2000 Network

In a Microsoft® Windows® 2000 network, Active Directory™ directory service provides the structure and functions for organizing, managing, and controlling network resources. To implement and administer a Windows 2000 network, you must understand the purpose and structure of Active Directory.

Active Directory also provides the capability to centrally manage your Windows 2000 network. This capability means that you can centrally store information about the enterprise, and administrators can manage the network from a single location. Active Directory supports the delegation of administrative control over Active Directory objects. This delegation enables administrators to assign specific administrative permissions for objects, such as user or computer accounts, to other users and administrators.

After completing this module, you will be able to:
- Describe the function of Active Directory.
- Describe the logical structure of Active Directory.
- Describe the physical structure of Active Directory.
- Describe the methods for administering a Windows 2000 network.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about managing a Windows 2000 network.

Overview of Active Directory

- What Is Active Directory?
- Active Directory Support for Client Computers
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)

Active Directory stores information about resources on the entire network and makes it easy for users to locate, manage, and use these resources. Active Directory is made up of multiple components. You must understand the components and how to use them to administer Active Directory.

Topic Objective: To introduce Active Directory.
Lead-in: Active Directory stores information about resources on the entire network.

What Is Active Directory?

Directory Service Functionality (resources)
- Organize
- Manage
- Control

Centralized Management
- Single point of administration
- Full user access to directory resources by a single logon

Active Directory is the directory service in a Windows 2000 network. A directory service is a network service that stores information about network resources and makes the resources accessible to users and applications. Directory services provide a consistent way to name, describe, locate, access, manage, and secure information about these resources.

Directory Service Functionality

Active Directory provides directory service functionality, including a means of centrally organizing, managing, and controlling access to network resources. Active Directory makes the physical network topology and protocols transparent, so that a user on a network can gain access to any resource without knowing where the resource is or how it is physically connected to the network. An example of this type of resource would be a printer.

Active Directory is organized into sections that permit storage for a very large number of objects. As a result, Active Directory can expand as an organization grows, so that an organization that has a single server with a few hundred objects can grow to having thousands of servers and millions of objects.

Centralized Management

A server running Windows 2000 stores system configuration, user profiles, and application information in Active Directory. Combined with Group Policy, Active Directory enables administrators to manage distributed desktops, network services, and applications from a central location while using a consistent management interface. Active Directory also provides centralized control of access to network resources by allowing users to log on only once to gain full access to resources throughout Active Directory.

Topic Objective: To illustrate the purpose of Active Directory as a network directory service.
Lead-in: Active Directory stores information about resources in a Windows 2000 network and makes the resources accessible to users and applications.
Key Points: Active Directory provides directory service functionality, including a means of centrally organizing, managing, and controlling access to network resources. Active Directory enables administrators to manage distributed desktops, network services, and applications from a central location while using a consistent management interface.

Multimedia: Concepts of Active Directory in Windows 2000

This multimedia presentation describes basic Active Directory concepts, such as organizational units, trees, forests, Domain Name System (DNS) naming conventions, and sites.

Topic Objective: To introduce the multimedia presentation about the concepts of Active Directory in Windows 2000.
Lead-in: Before we get started, let's look at a multimedia presentation that introduces the important concepts of Active Directory.

Start this presentation from the instructor computer. To view the presentation, open the Web page on the Trainer Materials compact disc, click Multimedia Presentations, and then click the title of the presentation. The estimated time to complete this presentation is seven minutes. Tell students that a copy of the presentation is included on the Student Materials compact disc.

Active Directory Support for Client Computers

- Active Directory Client Features
- Features Not Supported
- Obtaining the Active Directory Client Software

Computers running Windows 2000 Professional can access the full features of Active Directory. Client extensions for Microsoft Windows 95, Windows 98, and Windows NT® 4.0 enable computers running those operating systems to take advantage of features provided by Active Directory.

Active Directory Client Features

The Active Directory client is available for Windows 95, Windows 98, and Windows NT 4.0. It enables these clients to support the following features of Active Directory:

- Site Awareness
  Users can log on to domain controllers in the same site. This reduces bandwidth usage across wide area network (WAN) links.
- Active Directory Services Interface (ADSI)
  ADSI is a programmatic interface that enables scripting to the Active Directory and other directory services. Any code written for this interface requires ADSI on the local computer to run.
- Distributed File System (DFS) Fault Tolerance Client
  The Active Directory Client Extensions enable access to the fault-tolerant file shares that are specified in Active Directory.
- Active Directory Windows Address Book Property Pages
  These property pages enable users who have permission to change properties on user objects.
- NTLM Version 2 Authentication
  The client extensions take advantage of the improved authentication features that are available in NTLM version 2.

Topic Objective: To describe the client software that is available to enable different versions of Windows to make use of Active Directory.
Lead-in: Which operating systems can use the features of Active Directory?

Features Not Supported

The following features, available to Windows 2000 Professional users, are not provided by the Active Directory client:
- Kerberos Authentication Protocol
- Group Policy Support
- Internet Protocol security (IPSec) and Layer Two Tunneling Protocol (L2TP)
- Service Principal Name (SPN) or mutual authentication.

Obtaining the Active Directory Client Software

The Active Directory Client Extensions for Windows 95 and Windows 98 are distributed on the Microsoft Windows 2000 CD. You can download the Active Directory Client Extensions for Windows NT 4.0 Workstation at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp.

[...]

... local area network (LAN) might need only one domain with two domain controllers to provide adequate availability and fault tolerance, whereas a large organization with many geographical locations needs one or more domain controllers in each location to provide adequate availability and fault tolerance.

Active Directory Replication

Domain controllers in a domain and in a forest automatically replicate any ...

... Network

Topic Objective: To introduce the methods of administering a Windows 2000 network.

- Windows 2000 Network Management Tasks
- Using Active Directory for Centralized Management
- Delegating Administrative Control
- Managing Network Resources

Lead-in

As an administrator, you can take advantage of the Active Directory and Group Policy features to centrally manage all computers in your organization and to ...

... delegate administrative control

Key Points: Administrators use Active Directory and Group Policy to centrally manage a large number of users, computers, and network resources. Senior administrators can delegate administrative tasks to other administrators. Administrators can customize administrative tools for specific administrative tasks and distribute them to other administrators.

Windows 2000 and Active ...
... domain

A domain is a collection of computers, defined by an administrator, which share a common directory database. A domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator.

Security Boundary

In a Windows 2000 network, the domain serves as a security boundary. The purpose of a security boundary is to ensure that an administrator ...

... many object classes but is defined only once in the schema to ensure consistency. The Active Directory database stores the schema. Storing the schema in a database means that the schema:
- Is dynamically available to user applications, which enables user applications to read the schema to discover which objects and properties are available for use
- Is dynamically updateable, which enables an application ...

... Active Directory:
- Enables a single administrator to centrally manage resources
- Allows administrators to easily locate information
- Allows administrators to group objects into organizational units
- Uses Group Policy to specify policy-based settings

Active Directory provides administrators with the capability to manage resources centrally. The advantages of managing resources centrally are:

Delivery ...

... Directory

All of the domain controllers in a particular domain can receive changes to information in Active Directory and replicate these changes to all of the other domain controllers in the domain.

Organizational Units

Topic Objective: To illustrate the purpose of organizational units in Active Directory

Network administrative model

Network administrative ...

... running Windows 2000 Server that stores a replica of the directory. A domain controller also manages the changes to directory information and replicates these changes to other domain controllers in the same domain. Domain controllers store directory data and manage user logon processes, authentication, and directory searches. A domain can have one or more domain controllers. A small organization that uses a ...

... Traders

Contoso, Ltd decides to create a new Active Directory domain name for Northwind Traders, called nwtraders.msft. Although the two organizations do not share a common namespace, adding the new Active Directory domain as a new tree in an existing forest enables the two organizations to share resources and administrative functions.

Global ...

... organizational units of a domain

Windows 2000 also provides you with the capability to customize administrative tools, so that the tools match the administrative tasks that you delegate to other administrators. You can create customized administrative tools by using Microsoft Management Console (MMC) to:
- Map to the permissions that have been assigned to a user for an administrative task
- Simplify interface ...

Date posted: 24/01/2014, 10:20
