6. Active Directory Concepts
If you are new to Active Directory, it may be difficult to know how to get started. If you've picked it up as you go along, you may want to identify the gaps in your knowledge. This section provides a checklist of the key areas that you will need to understand and some pointers to finding more information. It isn't absolutely exhaustive, but aims to include most major areas.
If you're after a more formal approach, ITS3 sometimes organise on-site Active Directory Design and Implementation courses and Windows Server courses.
- Domain Name System
- A basic understanding of how DNS works is essential, as is the way domain members use it (the SRV records under _msdcs and _tcp) to locate domain controllers, the PDC emulator, global catalog servers and Kerberos KDCs. You will need to know how to configure, monitor and maintain the DNS servers that support your chosen Active Directory namespace, since almost every logon, replication and Group Policy failure starts as a name-resolution failure. See the How to configure DNS for Active Directory within the Oxford University Environment page for more information.
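As an added example (not code from the ITS3 page), the following PowerShell script checks the locator records that clients query when they look for Active Directory services, and confirms that every domain controller those records name also resolves to an address. The domain name ad.example.ac.uk is a placeholder; Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later), so on older systems run the same lookups with "nslookup -type=SRV".

```powershell
# Added example, not from the ITS3 page. Run on any domain member.
# "ad.example.ac.uk" is a placeholder for your unit's AD domain name.
param(
    [string]$Domain = "ad.example.ac.uk",
    [string]$Forest = $Domain   # forest root; differs from $Domain only in a child domain
)

# SRV records consulted during DC location and logon.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any DC for the domain (LDAP)
    "_kerberos._tcp.dc._msdcs.$Domain",  # any KDC for the domain
    "_ldap._tcp.pdc._msdcs.$Domain",     # the PDC emulator (password changes, GPO editing)
    "_gc._tcp.$Forest",                  # global catalog servers (forest-wide)
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

$problems = 0
foreach ($name in $records) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No SRV record for $name : $($_.Exception.Message)"
        $problems++
        continue
    }
    foreach ($r in $srv) {
        # A locator record whose target has no A record is as bad as no record:
        # the client finds the name but can never reach the DC.
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if ($a) {
            "{0,-45} -> {1}:{2} ({3})" -f $name, $r.NameTarget, $r.Port, ($a.IPAddress -join ', ')
        } else {
            Write-Warning "$name points at $($r.NameTarget), which has no A record"
            $problems++
        }
    }
}

if ($problems) { Write-Warning "$problems DNS problem(s) found" }
else           { "All Active Directory locator records resolve" }

# The server side (forwarders, delegation, dynamic update) is covered by
# dcdiag's DNS test, run on a domain controller:
#   dcdiag /test:dns /v
```

Run it from a workstation as well as from a domain controller: a DC that points at itself for DNS can pass while the clients that use the site's caching resolver fail.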
- NetBIOS Naming
- Technically it's on the way out; in reality switching it off may be problematic, particularly if you rely on browsing for resources. Understanding the essentials is useful, together with the role of WINS servers. If you use the central WINS service, be aware that names must be unique across the whole University. See The Central Windows Internet Name Service (WINS) web pages for details.
- Operations Master Roles, or Flexible Single Master Operations (FSMO) Roles
- Not all domain controllers are considered equal. Two roles are forest-wide (schema master and domain naming master) and three exist in every domain (PDC emulator, RID master and infrastructure master), so a single-domain forest has five and a multi-domain forest has more; each is held by exactly one domain controller. Microsoft provide a useful summary in their Operations master roles document. Make sure you understand the main functions of the roles, which servers hold them, which ones should not hold them in a multi-domain forest (the infrastructure master should not sit on a global catalog server unless every domain controller is one), which ones you can least live without for any length of time (the PDC emulator is missed first), how to move them, and what to do if you lose a server that holds one or more of them: seizing a role is a one-way operation, and the old holder must never be brought back onto the network afterwards.
- Global Catalog
- A domain controller that is a global catalog server holds a partial, read-only copy of every object in the forest in addition to the full copy of its own domain. It plays a major role in the logon process, particularly in a multi-domain environment, where universal group membership has to be resolved from a global catalog before a logon can complete. Knowing how to assign this role to a server is essential, and some understanding of the part it plays is useful. See for example Microsoft's document on The role of the global catalog.
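The following PowerShell is an added example covering both of the points above (operations master roles and the global catalog); it is not code from the ITS3 page. It lists the role holders and the global catalog servers, applies the multi-domain infrastructure-master check, and shows (commented out) how a domain controller is made a global catalog and how roles are moved or seized. It assumes the ActiveDirectory module (RSAT, or a Windows Server 2008 R2 or later domain controller); DC02 is a placeholder server name.

```powershell
# Added example, not from the ITS3 page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Who holds the operations master roles? Two are forest-wide, three per domain.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Which domain controllers are global catalog servers?
$allDCs = Get-ADDomainController -Filter *
$allDCs | Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize

# 3. The multi-domain caveat: if the infrastructure master is a GC while other
#    DCs in the domain are not, it never updates cross-domain references
#    (objects from other domains are renamed or moved and the change is not seen).
#    Irrelevant in a single-domain forest, or if every DC is a GC.
if ($forest.Domains.Count -gt 1) {
    $im      = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $nonGCs  = @($allDCs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGCs.Count -gt 0) {
        Write-Warning ("{0} is both infrastructure master and a global catalog " +
                       "while {1} DC(s) are not: move the role or make every DC a GC") -f
                       $im.HostName, $nonGCs.Count
    }
}

# 4. Making a DC a global catalog: the same switch as the tick-box in
#    AD Sites and Services, set on the server's NTDS Settings object.
#    "DC02" is a placeholder.
# $dc = Get-ADDomainController -Identity "DC02"
# Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }

# 5. Moving roles with the current holder online (a graceful transfer).
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# 6. Seizing a role from a DC that is permanently lost: add -Force. Afterwards
#    the old holder must be removed from AD (metadata cleanup) and never
#    reconnected, or two servers will believe they hold the role.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force
```

Step 1 is worth running periodically and keeping the output: in an incident, the first question is always which server held what.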
- Backing Up and Restoring Active Directory
- For preference, you probably want to avoid ever needing to restore your Active Directory database from backup, by running at least two or three domain controllers. Cost may be an issue, but for small to medium sized units, if you limit the additional services they run to name resolution (DNS and, if used, WINS), they need not all be of particularly high specification. Limiting the services running on domain controllers also makes them easier to replace if they fail. Even so, take regular system state backups. If you ever need to restore all or part of your Active Directory, it will help to understand the difference between a non-authoritative restore (rebuilds one domain controller from backup and then lets replication bring it up to date) and an authoritative restore (marks the restored objects so that they overwrite the copies on every other domain controller, which is how deleted objects are recovered). Also make sure you know the Directory Services Restore Mode (DSRM) passwords set when you installed Active Directory onto your domain controllers; without one you cannot boot the server into the mode in which a restore is performed. See Microsoft's Introduction to Administering Active Directory Backup and Restore for more information.
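The commands below are an added example of the backup and restore tasks described above; they are not taken from the ITS3 page. They run in an elevated prompt on a domain controller with the Windows Server Backup feature installed. The backup drive E:, the backup version identifier and the OU distinguished name are placeholders.

```powershell
# Added example, not from the ITS3 page. Run elevated on a domain controller.

# --- Backup ---------------------------------------------------------------
# A system state backup captures the AD database (ntds.dit), SYSVOL, the
# registry and boot files. Needs the Windows Server Backup feature:
#   Add-WindowsFeature Windows-Server-Backup
# E: is a placeholder for a dedicated backup volume (not the system or ntds volume).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# List the versions available to restore from; note the version identifier.
wbadmin get versions -backupTarget:E:

# --- DSRM password --------------------------------------------------------
# Reset it now, while nothing is on fire, if nobody is sure what it is.
# "null" means the local server; ntdsutil prompts for the new password.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# --- Restore (only from Directory Services Restore Mode) ------------------
# Boot into DSRM, then log on as .\Administrator with the DSRM password:
#   bcdedit /set safeboot dsrepair
#   shutdown /r /t 0
#
# Non-authoritative restore: this DC is rebuilt from the backup and then
# overwritten by replication, so nothing deleted elsewhere comes back.
# The version string is a placeholder; use the one from "wbadmin get versions".
#   wbadmin start systemstaterecovery -version:01/01/2012-02:00 -quiet
#
# Authoritative restore: BEFORE rebooting out of DSRM, mark the objects you
# want back so they win replication on every DC. Restore the smallest
# subtree that covers the loss, never the whole database by accident.
#   ntdsutil "activate instance ntds" "authoritative restore" `
#       "restore subtree OU=Staff,DC=ad,DC=example,DC=ac,DC=uk" quit quit
#
# Return to normal mode:
#   bcdedit /deletevalue safeboot
#   shutdown /r /t 0
```

Practise the whole sequence on a test domain controller before you need it: the DSRM password and the backup version string are the two things people discover they do not have in the middle of a restore.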
- Organisational Units
- Useful for organising your user and computer accounts, and in particular for grouping accounts so that Group Policy can be applied to them (and for delegating administration of a subset of objects). For many units, the design of your organisational units will depend primarily on which policies you want to apply to which groups of computers and users, rather than on the organisation chart.
- Group Policy
- A powerful tool for enforcing your chosen configuration for users and workstations. Anything and everything (well, almost), ranging from what appears on the Start menu, which software people can run, the startup mode for services, security and audit settings and logon/logoff scripts, through to software installation and much more. Extensible via administrative templates, group policy can also be used to manage some of the main Microsoft programs such as Office. It's helpful to understand concepts such as inheritance, blocking inheritance, enforcing links (an enforced link overrides a block further down), where group policy settings are stored (the template in SYSVOL and the container object in Active Directory), how and in what order they are applied, and how to back them up and restore them. One place to start is Microsoft's Group Policy Home Page.
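As an added example (not code from the ITS3 page), this PowerShell shows where each GPO lives, how to read inheritance, blocking and enforced links on an OU, and how to back up and restore GPOs. It assumes the GroupPolicy and ActiveDirectory modules (Group Policy Management Console from RSAT, or Windows Server 2008 R2 or later); the OU, the backup path and the GPO name "Workstation Security" are placeholders.

```powershell
# Added example, not from the ITS3 page. Needs the GroupPolicy and
# ActiveDirectory modules. Names and paths below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dnsRoot = (Get-ADDomain).DNSRoot
$ou      = "OU=Workstations,DC=ad,DC=example,DC=ac,DC=uk"

# 1. Where settings are stored: the Group Policy Template (files) in SYSVOL
#    and the Group Policy Container (the object) in Active Directory.
Get-GPO -All | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.DisplayName
        Id       = $_.Id
        Template = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies\{$($_.Id)}"
        Container= $_.Path
        Modified = $_.ModificationTime
    }
} | Format-Table -AutoSize

# 2. Inheritance on an OU: what is linked here, what is inherited from above,
#    whether inheritance is blocked, and which links are enforced.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on {0}: {1}" -f $ou, $inh.GpoInheritanceBlocked
$inh.GpoLinks          | Select-Object Order, DisplayName, Enabled, Enforced
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target

# An enforced link applies even below an OU that blocks inheritance, so an
# unexplained setting is usually traced back to one of these.
$inh.InheritedGpoLinks | Where-Object { $_.Enforced } |
    Select-Object DisplayName, Target

# 3. Back up every GPO (settings, links are NOT included), then restore one.
$backup = "D:\GPOBackups\$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -All -Path $backup -Comment "Routine backup"
# Restore-GPO -Name "Workstation Security" -Path $backup   # overwrites the live GPO

# 4. What a client actually applied (run on the client):
#   gpresult /h C:\Temp\gpresult.html /scope computer
```

Note that Backup-GPO saves the GPO's settings but not where it is linked; keep a separate record of links (the output of step 2 for each OU is enough) or you will restore a policy that applies to nothing.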
- Domain and Forest Functional Levels
- These depend on the versions of Windows Server running on the domain controllers in your Active Directory (2000, 2003, 2008 and so on, with the lowest levels also accommodating remaining NT 4 backup domain controllers). Different features become available when you raise the functional level, and it's useful to know how to do so. There's normally little reason not to raise the level as high as your oldest domain controller allows, but note that raising it cannot normally be reversed and prevents you adding domain controllers running older versions of Windows afterwards. See Raising domain and forest functional levels and What Are Active Directory Functional Levels?
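The following PowerShell is an added example, not code from the ITS3 page: it reads the current levels, lists the operating system of every domain controller (the oldest one sets the ceiling), and raises the domain and then the forest level with -WhatIf so that nothing changes until you remove it. It assumes the ActiveDirectory module and a target level of Windows Server 2008, which is a placeholder for whatever your oldest DC supports.

```powershell
# Added example, not from the ITS3 page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Current levels.
"Domain level: {0}" -f (Get-ADDomain).DomainMode
"Forest level: {0}" -f (Get-ADForest).ForestMode

# The level you can raise to is bounded by the OLDEST domain controller in
# the domain (forest level: the oldest in any domain), and the change is
# effectively one-way, so review every DC first.
Get-ADDomainController -Filter * |
    Sort-Object OperatingSystemVersion |
    Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion, IsReadOnly |
    Format-Table -AutoSize

# Raise the domain level first, then the forest level; the forest level can
# never exceed the lowest domain level. Windows2008Domain/Forest are placeholders.
# -WhatIf reports what would happen without doing it; remove it to apply.
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -WhatIf
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -WhatIf

# After applying, confirm on a different DC than the one you ran it on, which
# also confirms that the change has replicated:
#   Get-ADDomain -Server DC02 | Select-Object DomainMode
```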
- Time Synchronisation
- Synchronised time is vital to Kerberos authentication, which by default rejects tickets from a client whose clock differs from the server's by more than five minutes, so it's useful to know how time is synchronised automatically through domains and forests. The role of the PDC emulator(s) is pivotal: every domain member follows its domain's PDC emulator, and the PDC emulator in the forest root domain is the one that should be synchronised with an external (or the University's) NTP source. Take extra care if running virtualised Windows servers, where the hypervisor's own clock integration can work against the Windows Time service. See How Windows Time Service Works, particularly the Windows Time Service Processes and Interactions section. See also Configure the Windows Time service on the PDC emulator for instructions.
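As an added example (not code from the ITS3 page), these commands configure the PDC emulator as the authoritative time source and verify the result; they run in an elevated prompt and are valid in either PowerShell or cmd. The peer name ntp.example.ac.uk is a placeholder for your unit's or the central University NTP servers, and the registry change at the end applies to Hyper-V guests only.

```powershell
# Added example, not from the ITS3 page. Run elevated. "ntp.example.ac.uk"
# stands in for a real NTP server.

# Where does this machine think time comes from? On a member this should name
# a DC; on the forest-root PDC emulator it should name the external peer.
w32tm /query /source

# Which DC holds the PDC emulator role in each domain?
netdom query fsmo

# On the forest-root PDC emulator ONLY: sync from external NTP (0x8 = client
# mode) and advertise itself as a reliable source for the rest of the forest.
w32tm /config /manualpeerlist:"ntp.example.ac.uk,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

# On every other DC and every member: follow the domain hierarchy instead.
# (Run this if a server was ever given a manual peer list by mistake.)
#   w32tm /config /syncfromflags:domhier /update
#   w32tm /resync

# Verify: offset and stratum here, and the clock skew of every DC against the
# PDC emulator. Anything approaching 5 minutes will break Kerberos.
w32tm /query /status
w32tm /monitor

# Virtualised DCs (Hyper-V): stop the guest from taking time from the host
# via the VMICTimeProvider, which otherwise competes with the NTP hierarchy
# and can reset the clock on save/restore or migration. Equivalent settings
# exist for other hypervisors' guest tools.
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t REG_DWORD /d 0 /f
#   net stop w32time; net start w32time
```

After moving the PDC emulator role to another server, repeat the configuration on the new holder and reset the old one to domhier, otherwise the forest quietly follows a server that is no longer authoritative.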
- Replication
- The replication topology and operation are usually quite straightforward in the single-domain environment that is most common in the University. Even so, it is vital that replication works smoothly, since a domain controller that has not replicated for some time will authenticate users against stale passwords and group memberships. A frequent source of problems is DNS configuration, typically a domain controller that cannot resolve its partners' names. More complex environments such as multiple domains and/or multiple sites warrant more attention. See Replication overview and How Replication Works.
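The following is an added example of routine replication checks, not code from the ITS3 page. repadmin and dcdiag ship with the AD DS role and with RSAT; the commands run on a domain controller or a management workstation with a domain admin's credentials.

```powershell
# Added example, not from the ITS3 page. Requires repadmin and dcdiag (AD DS tools / RSAT).

# One-screen health summary: per DC, the longest time since a successful
# replication and the count of failing links. Start here.
repadmin /replsummary

# Every inbound partnership in the forest as CSV, filtered to the failing ones
# with the error that caused them (a DNS failure shows up as "Target principal
# name is incorrect" or as a name that cannot be resolved).
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Last Failure Status', 'Last Failure Time', 'Last Success Time' |
    Format-Table -AutoSize

# Replication and DNS tests on every DC in the enterprise; /q prints only failures.
dcdiag /test:replications /test:dns /e /q

# After fixing the cause, push a full synchronisation of all naming contexts
# to every DC (/A all NCs, /d report DNs, /e enterprise, /P push).
#   repadmin /syncall /AdeP
```

Run the first two commands from a scheduled task and keep the output; a replication failure that has been growing for a fortnight is a very different problem from one that started this morning.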
- Authentication
- Particularly important if you're planning on enhancing security, or linking to the central Kerberos infrastructure. Understand which protocols your domain supports (Kerberos, NTLM and the older LM variants), which of them clients actually use, and which you can disable. See the Authentication protocols overview and Introduction to authentication for some introductory information, and Logon and Authentication Technologies for a more detailed explanation.