Working with Active Directory Domains


Although both Active Directory and DNS must be configured on a Windows Server 2003 network, Active Directory domains and DNS domains have different purposes. Active Directory domains help you manage accounts, resources, and security. DNS domains establish a domain hierarchy that's primarily used for name resolution. Windows Server 2003 uses DNS to map host names, such as zeta.microsoft.com, to numeric TCP/IP addresses, such as 172.16.18.8. Active Directory also depends on DNS service (SRV) records to let clients locate domain controllers, so a broken DNS configuration usually shows up first as logon or replication failures. To learn more about DNS and DNS domains, see Chapter 20.

Active Directory is designed to work with systems running Windows Server 2003 as well as systems running Windows 95, Windows 98, Windows NT, Windows XP, and Windows 2000. If the necessary client software is installed, Windows 95, Windows 98, Windows XP, and Windows 2000 systems access the network as Active Directory clients. Windows NT systems (and Windows 95 systems [or later] not upgraded with Active Directory client software) access the network as if they were in a Windows NT domain, provided Active Directory's domain functional level allows this and a Windows NT domain is configured.

Using Windows Server 2003, Windows XP, and Windows 2000 Computers with Active Directory

Computers running Windows XP Professional and Windows 2000 can make full use of Active Directory. These computers access the network as Active Directory clients and have full use of Active Directory features. As clients, these systems can use transitive trust relationships that exist within the domain tree or forest. A transitive trust is one that isn't established explicitly. Rather, the trust is established automatically based on the forest structure and permissions set in the forest. These relationships allow authorized users to access resources in any domain in the forest.

Systems running Windows Server 2003 provide services to other systems and can act as domain controllers or member servers. A domain controller is distinguished from a member server because it runs Active Directory. You promote member servers to domain controllers by installing Active Directory. You demote domain controllers to member servers by uninstalling Active Directory. You handle both processes through the Active Directory Installation Wizard (Dcpromo.exe).

Domains can have one or more domain controllers. When there are multiple domain controllers, the controllers automatically replicate directory data with each other using a multimaster replication model. This model allows any domain controller to process directory changes and then replicate those changes to other domain controllers.

Because of the multimaster domain structure, all domain controllers have equal responsibility by default. You can, however, give some domain controllers precedence over others for certain tasks, such as designating a bridgehead server that handles replication of directory information to and from other sites on behalf of its site. Additionally, some tasks are best performed by a single server. A server that handles this type of task is called an operations master. There are five different operations master roles, and you can assign each to a different domain controller. For more information, see the section of this chapter entitled "Understanding Operations Master Roles."

All Windows 2000, Windows XP Professional, and Windows Server 2003 computers that join a domain have computer accounts. Like other resources, computer accounts are stored in Active Directory as objects. You use computer accounts to control access to the network and its resources. A computer accesses a domain using its account, which is authenticated before the computer can access the network. Each computer account has a password of its own, shared between the computer and the domain, which the computer changes automatically; if that password falls out of sync (for example, after restoring an old disk image), the computer's secure channel to the domain fails and domain logons on it fail even though the users' own credentials are fine.

Real World

In a domain running at the Windows 2000 native or higher functional level, a domain controller must consult a global catalog during logon to expand the user's universal group memberships. If no global catalog can be reached, the domain controller refuses the logon, except for members of the Domain Admins group; a workstation may still admit a user who has cached credentials from an earlier logon, but that user gets no fresh domain authentication. Windows Server 2003 gives you the option of caching universal group membership on a per-site basis, so domain controllers in a site without a global catalog can still process logons. For more information, see the "Understanding the Directory Structure" section of this chapter.

Using Windows 95 and Windows 98 with Active Directory

Systems running Windows 95 and Windows 98 can work with Active Directory in two ways. They can access the network as part of a Windows NT domain, or they can access the network as part of an Active Directory domain. Both techniques depend on a specific network configuration.

Accessing the Network Through a Windows NT Domain

When Windows 95 and Windows 98 systems are used on the network but Active Directory clients aren't installed, these systems can access the network as part of an existing Windows NT domain. Keep the following in mind:

  • When Active Directory is in mixed-mode operations, a primary domain controller (PDC) emulator or a Windows NT backup domain controller (BDC) must be available to authenticate logons.

  • When Active Directory is in native-mode operations, there are no Windows NT BDCs. These systems then authenticate with the NTLM (or LAN Manager) protocol against a Windows Server 2003 domain controller, which works only as long as the domain's LAN Manager authentication level still accepts those older responses.

  • When acting as part of a Windows NT domain, Windows 95 and Windows 98 systems can only access resources available through Windows NT one-way trusts, which must be explicitly established by administrators. This remains true whether the system is using a Windows Server 2003 domain controller or a Windows NT BDC.

Accessing the Network as an Active Directory Client

Windows 95 and Windows 98 systems can also access the network as part of an Active Directory domain, whether the domain runs in mixed or native mode. To allow this, you must install the Active Directory client software (Dsclient) on the system. With the client software, these systems gain site-aware logon (they look for a domain controller in their own site), NTLMv2 authentication, directory search through ADSI, and the ability to use the transitive trust relationships that exist within the domain tree or forest; they still don't use Kerberos and don't receive Group Policy. Transitive trust relationships allow authorized users to access resources in any domain in the domain tree or forest automatically.

Tip

Transitive trusts are created automatically when the first domain controller of a new domain is installed, and you might never need to configure explicit trust relationships. Windows Server 2003 does support explicit trusts, though: an external trust to a Windows NT domain or to a single domain in another forest (nontransitive by design), a shortcut trust that shortens the authentication path between two domains deep in a large forest, a realm trust to a non-Windows Kerberos realm, and, at the Windows Server 2003 forest functional level, a forest trust. Because every trust widens who can authenticate into your domain, create one only where a concrete resource-sharing need exists and review existing trusts periodically.


Installing Active Directory Clients

You install the Active Directory client on a Windows 95 or Windows 98 system by completing the following steps:

  1. Log on to the Windows 95 or Windows 98 system you want to configure as a client. Then insert the Windows 2000 Server or Windows Server 2003 distribution CD-ROM into the CD-ROM drive.

  2. Open the Run dialog box by clicking Start and then clicking Run.

  3. Type E:\Clients\Win9X\Dsclient.exe, where E is the drive letter of the CD-ROM drive, and click OK. Or click Browse to search the distribution CD-ROM. In the Clients folder, you'll find a subfolder called Win9X. This folder should contain the client executable. Select the client executable, click Open, and then click OK.

  4. Running the client executable transfers a few essential files to the client and then starts the Directory Service Client Setup Wizard. Read the welcome page, and then click Next.

  5. Install the client software by clicking Next. The wizard detects the system configuration and then installs the necessary client files on the system.

  6. Click Finish to complete the operation and restart the system.

  7. Click Start, choose Settings, and then click Control Panel. In the Control Panel, double-click Network.

  8. In the Configuration tab, select the Ethernet adapter card entry and then click Properties. Make sure that the TCP/IP settings are configured properly to access the Active Directory domain. Configuring TCP/IP settings is discussed in Chapter 16, "Managing TCP/IP Networking."

  9. In the Identification tab, check the computer name and workgroup information provided. The computer name and workgroup should be set as explained in Chapter 16.

  10. If you changed settings, you'll probably need to restart the computer. After the computer restarts, log on to the system using an account with access permissions in the Active Directory domain. You should be able to access resources in the domain.

Note

Windows 95 and Windows 98 systems running as clients don't have computer accounts and aren't displayed in Network Neighborhood. You can, however, view session information for Windows 95 and Windows 98 systems running as Active Directory clients. Start Computer Management, double-click System Tools, double-click Shared Folders, and then select Sessions. Current user and computer sessions are displayed in the view pane. For more information on shared resources, see Chapter 14, "Data Sharing, Security, and Auditing."


Using Windows NT and Windows 2000 Domains with Active Directory

All Windows NT and Windows 2000 computers must have computer accounts before they can join a domain. A domain's functional level determines which operating systems its domain controllers may run and which Active Directory features are available. Active Directory in Windows Server 2003 has four domain functional levels:

  • Windows 2000 mixed mode

    When operating in Windows 2000 mixed mode, the domain can have domain controllers running Windows Server 2003, Windows 2000, and Windows NT 4.0. Although being able to keep Windows NT BDCs is an advantage during a migration, domains operating in this mode can't use many of the latest Active Directory features, including universal security groups, full group nesting, group type conversion, easy domain controller renaming, update logon timestamps, and Kerberos key distribution center (KDC) key version numbers.

  • Windows 2000 native mode

    When operating in Windows 2000 native mode, the domain can have domain controllers running Windows Server 2003 and Windows 2000 only. Windows NT domain controllers are no longer supported. Domains operating in this mode gain universal security groups, group nesting, and group type conversion, but still aren't able to use easy domain controller renaming, update logon timestamps, and Kerberos KDC key version numbers.

  • Windows Server 2003 interim mode

    When operating in interim mode, the domain can have domain controllers running Windows Server 2003 and Windows NT 4.0 only. Windows 2000 domain controllers aren't supported. This mode allows the upgrade from a Windows NT domain directly to a Windows Server 2003 domain without having to pass through Windows 2000, and it can be chosen only at the moment the Windows NT 4.0 PDC is upgraded. In terms of features it's similar to Windows 2000 mixed mode.

  • Windows Server 2003 mode

    When operating in Windows Server 2003 mode, every domain controller must run Windows Server 2003. Windows NT and Windows 2000 domain controllers are no longer supported. The good news, however, is that a domain operating in Windows Server 2003 mode can use all the latest Active Directory features, including universal groups, group nesting, group type conversion, easy domain controller renaming, update logon timestamps, and Kerberos KDC key version numbers.
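The rules above (which operating systems a domain controller may run at each level, and that a raise is one-way) are easy to get wrong in the middle of a migration, so here they are as a small checker. This is an added example, not code from the chapter. The domain controller inventory is constructed, and the attribute mappings in decode_level() are how the level is actually stored in the directory: msDS-Behavior-Version on the domain naming context (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003) and ntMixedDomain (1 = mixed, 0 = native). Reading those two values from a live domain, for example with an LDAP query, is left to the caller.

```python
"""Functional-level rules from this section as a pre-raise checker.

Added example, not from the chapter. SAMPLE_DCS is a constructed inventory.
decode_level() maps the real directory attributes msDS-Behavior-Version
(0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003)
and ntMixedDomain (1 = mixed, 0 = native) to a level.
"""
from enum import Enum


class Level(Enum):
    WIN2000_MIXED = "Windows 2000 mixed"
    WIN2000_NATIVE = "Windows 2000 native"
    WIN2003_INTERIM = "Windows Server 2003 interim"
    WIN2003 = "Windows Server 2003"


# Operating systems that domain controllers may run at each level.
ALLOWED_DC_OS = {
    Level.WIN2000_MIXED: {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    Level.WIN2000_NATIVE: {"Windows 2000", "Windows Server 2003"},
    Level.WIN2003_INTERIM: {"Windows NT 4.0", "Windows Server 2003"},
    Level.WIN2003: {"Windows Server 2003"},
}

# Raising is one-way. Interim is chosen only while the NT 4.0 PDC is upgraded,
# so it is never the target of a later raise.
RAISE_TARGETS = {
    Level.WIN2000_MIXED: {Level.WIN2000_NATIVE, Level.WIN2003},
    Level.WIN2000_NATIVE: {Level.WIN2003},
    Level.WIN2003_INTERIM: {Level.WIN2003},
    Level.WIN2003: set(),
}


def decode_level(behavior_version, nt_mixed_domain):
    """Translate the two attribute values read from the domain NC into a Level."""
    if behavior_version == 0:
        return Level.WIN2000_MIXED if nt_mixed_domain else Level.WIN2000_NATIVE
    if behavior_version == 1:
        return Level.WIN2003_INTERIM
    if behavior_version == 2:
        return Level.WIN2003
    raise ValueError(f"unrecognized msDS-Behavior-Version {behavior_version!r}")


def blocking_dcs(target, dcs):
    """Domain controllers whose operating system the target level does not permit."""
    return [(name, os_name) for name, os_name in dcs
            if os_name not in ALLOWED_DC_OS[target]]


def check_raise(current, target, dcs):
    """Return (ok, reasons). ok is False if the raise is illegal or would
    orphan a domain controller; reasons lists every problem found."""
    reasons = []
    if target == current:
        reasons.append(f"domain is already at {current.value}")
    elif target not in RAISE_TARGETS[current]:
        reasons.append(f"cannot move from {current.value} to {target.value}; "
                       "raising the functional level is one-way")
    for name, os_name in blocking_dcs(target, dcs):
        reasons.append(f"{name} runs {os_name}, which {target.value} does not allow")
    return (not reasons, reasons)


# Constructed inventory for the demonstration (name, operating system).
SAMPLE_DCS = [
    ("CORPDC01", "Windows Server 2003"),
    ("CORPDC02", "Windows 2000"),
    ("CORPBDC1", "Windows NT 4.0"),
]

if __name__ == "__main__":
    current = decode_level(0, 1)  # values as read from a mixed-mode domain
    for target in (Level.WIN2000_NATIVE, Level.WIN2003):
        ok, reasons = check_raise(current, target, SAMPLE_DCS)
        print(f"{current.value} -> {target.value}: {'OK' if ok else 'BLOCKED'}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed inventory, both raises are blocked until the Windows NT 4.0 BDC is retired, and the raise to Windows Server 2003 is additionally blocked by the Windows 2000 domain controller; the point of listing every reason, rather than stopping at the first, is that each one is a server you have to upgrade or demote before the irreversible step.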

Using Windows 2000 Mixed Mode Operations

You set the domain functional level when you install Active Directory on the first Windows Server 2003 domain controller in a domain. If your domain uses Windows NT 4.0 Server, Windows 2000 Server, and Windows Server 2003, you'll want to use mixed-mode operations (at least initially).

In mixed-mode operations, systems that are configured to use Windows NT domains access the network as if they were part of a Windows NT domain. These systems can include Windows 95 and Windows 98 systems that aren't running the Active Directory client, Windows NT workstations, and Windows NT servers. Although the role of Windows NT workstations doesn't change, Windows NT servers have a slightly different role. Here, Windows NT servers can act as BDCs or member servers only. The Windows NT domain no longer has a PDC. Instead, a Windows Server 2003 domain controller acts as the PDC: it replicates the domain's account database (users, groups, and computer accounts, in the Windows NT format the BDCs understand) to any remaining Windows NT BDCs and pushes security changes such as password resets to them.

The Windows Server 2003 domain controller acting as a PDC is configured as a PDC emulator operations master. You can assign this role to another Windows Server 2003 domain controller at any time. A controller acting as a PDC emulator supports two authentication protocols:

  • Kerberos

    Kerberos version 5 is a standard Internet protocol for mutually authenticating users and systems, and it's the primary (default) authentication mechanism for Windows 2000, Windows XP, and Windows Server 2003 domain members.

  • NTLM

    NT LAN Manager (NTLM) is the primary Windows NT authentication protocol, a challenge/response scheme used by Windows NT clients and BDCs and by Windows 95 and Windows 98 systems. Windows 2000 and later systems also fall back to NTLM whenever Kerberos can't be used, for example when a resource is addressed by IP address rather than by name, so NTLM traffic doesn't disappear just because the domain runs in native mode.

Note

Windows Server 2003 also supports Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication. This authentication mechanism is used with secure Web servers.
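Because both protocols stay in use, it's worth knowing which systems still authenticate with NTLM before you retire the last Windows NT BDC or tighten the LAN Manager authentication level. The script below is an added example, not code from the chapter: it classifies logon records by authentication package and lists the workstations and accounts behind the NTLM ones. The entries are constructed to resemble the Windows 2000 and Windows Server 2003 security-log "Successful Network Logon" event (event ID 540), whose text includes Logon Process and Authentication Package fields; the layout of a real export can differ, so adjust the field names if you feed it real data.

```python
"""Sort logons by authentication package to find systems still using NTLM.

Added example, not from the chapter. SAMPLE_EVENTS are constructed and
simplified imitations of the Windows 2000/2003 security-log event 540
("Successful Network Logon"); a real export may lay the fields out
differently.
"""
import re
from collections import Counter, defaultdict

SAMPLE_EVENTS = [  # constructed; not real log data
    """Event ID: 540
Successful Network Logon:
    User Name: jsmith
    Domain: CORP
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: WS0042""",
    """Event ID: 540
Successful Network Logon:
    User Name: mlee
    Domain: CORP
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: OLDWIN98""",
    """Event ID: 540
Successful Network Logon:
    User Name: WS0042$
    Domain: CORP
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: WS0042""",
    """Event ID: 540
Successful Network Logon:
    User Name: svc_backup
    Domain: CORP
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: NT4FILE01""",
]

# "Field name: value"; the non-greedy name stops at the first colon.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the 'Field: value' lines of one event into a dict.

    Lines with an empty value (the 'Successful Network Logon:' banner) are
    headers, not fields, and are skipped."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match and match.group(2) != "":
            fields[match.group(1)] = match.group(2)
    return fields


def summarize(events):
    """Return (Counter of logons per package, {workstation: [users]} for NTLM).

    Only event 540 is considered; other events are ignored rather than
    miscounted."""
    by_package = Counter()
    ntlm_sources = defaultdict(set)
    for text in events:
        fields = parse_event(text)
        if fields.get("Event ID") != "540":
            continue
        package = fields.get("Authentication Package", "unknown")
        by_package[package] += 1
        if package.upper() == "NTLM":
            workstation = fields.get("Workstation Name", "?")
            ntlm_sources[workstation].add(fields.get("User Name", "?"))
    return by_package, {ws: sorted(users) for ws, users in ntlm_sources.items()}


if __name__ == "__main__":
    counts, ntlm = summarize(SAMPLE_EVENTS)
    for package, count in counts.most_common():
        print(f"{package:10s} {count}")
    for workstation, users in sorted(ntlm.items()):
        print(f"NTLM from {workstation}: {', '.join(users)}")
```

On the constructed data the two NTLM logons come from OLDWIN98 and NT4FILE01, which is exactly the kind of list you want in hand before raising the functional level: each name is either a system to upgrade, a system to give the Active Directory client, or a known exception to document.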


Using Windows 2000 Native Mode Operations

After upgrading the PDC, BDCs, and other Windows NT systems, and if you still have Windows 2000 domain resources, you can change to the Windows 2000 native mode operations and then use only Windows 2000 and Windows Server 2003 resources in the domain. Once you set the Windows 2000 native mode operations, however, you can't go back to mixed mode. Because of this, you should use native mode operations only when you're certain that you don't need the old Windows NT domain structure or Windows NT BDCs.

When you change to Windows 2000 native mode, you'll notice that

  • Windows NT-style replication of the account database to BDCs is no longer performed.

  • The PDC emulator can no longer synchronize data with any existing Windows NT BDCs.

  • You can't add any Windows NT domain controllers to the domain.

In Windows Server 2003, you switch from Windows 2000 mixed mode to Windows 2000 native mode operations by raising the domain functional level.

Using Windows Server 2003 Interim Mode Operations

If you're upgrading from a Windows NT domain structure to Windows Server 2003, you don't have to use mixed-mode operations. Instead you can use the Windows Server 2003 interim mode. Interim mode is only an option for the first Windows NT domain controller upgraded to Windows Server 2003. Here, you upgrade the Windows NT 4.0 PDC first and, when prompted during upgrade, you should set the forest functional level to Windows Server 2003 interim mode. This level has all of the features of the Windows 2000 forest functional level.

When your domain is operating in Windows Server 2003 interim mode, the domain functions very similarly to Windows 2000 mixed-mode operations. The exception to this is that Windows 2000 domain controllers aren't supported.

After you upgrade the PDC, you can upgrade the remaining BDCs. Microsoft recommends having a backup BDC offline that you can go back to just in case anything goes wrong. Once you're sure everything is working, you may want to consider raising the domain and forest level functions so that your organization can take advantage of the latest Active Directory enhancements.

Using Windows Server 2003 Mode Operations

Once you've upgraded the Windows NT structures in your organization, you can look to upgrading to Windows Server 2003 domain structures. You do this by upgrading Windows 2000 domain controllers to Windows Server 2003 domain controllers and then, if desired, you can change the functional level to support only Windows Server 2003 domain structures.

Before being allowed to upgrade Windows 2000 domain controllers, you'll be prompted to prepare the forest and the domain for Windows Server 2003. To do this, you'll need to extend the forest schema and update domain-wide settings so that they're compatible with Windows Server 2003 domains. A tool, called Adprep.exe, is provided to perform these updates for you. You run it first on the schema operations master (forest preparation) and then on the infrastructure operations master of each domain in the forest (domain preparation). Let the schema changes replicate to every domain controller in the forest before you start the domain preparation; running the two steps back to back can fail with an error that the schema isn't yet up to date. As always, test the procedure in a lab before performing it in an operational environment.

The steps you follow to perform the upgrade are as follows :

  1. Check upgrade compatibility on the schema operations master and the infrastructure operations master for each domain in the forest. After inserting the Windows Server 2003 CD-ROM into the CD-ROM drive, click Start and then select Run. Type E:\i386\winnt32.exe /checkupgradeonly , where E is the drive letter for the CD-ROM drive, in the Open field of the Run dialog box, and then click OK. This starts the Microsoft Windows Upgrade Advisor. Select No, Skip This Step and then click Next. The Microsoft Windows Upgrade Advisor searches the hardware for any incompatibilities. You should note and correct any incompatibilities found before continuing.

  2. You should upgrade all Windows 2000 domain controllers in the forest to Service Pack 2 or later before continuing. Access the Control Panel and then double-click System to check the current service pack. You'll find the service pack listed in the General tab.

  3. Log on to the schema operations master for the first domain you want to upgrade in the forest, and then insert the Windows Server 2003 CD-ROM into the CD-ROM drive. Click Start and then select Run. In the Open field of the Run dialog box, type E:\i386\adprep.exe /forestprep , where E is the drive letter for the CD-ROM drive, and then click OK. This starts a command prompt window. Read the directions carefully before continuing. Type C to continue or press any other letter to quit.

    Note

    To determine which server is the current schema operations master for the forest, start a command prompt and type dsquery server -hasfsmo schema. A directory service path string is returned containing the name of the server, such as "CN=CORPSERVER01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=microsoft,DC=com". This string tells you that the schema operations master is CORPSERVER01, in the Default-First-Site-Name site, in the forest whose root domain is microsoft.com. The schema master is a forest-wide role, so there is exactly one in the forest.


  4. Log on to the infrastructure operations master for the first domain you want to upgrade in the forest and then insert the Windows Server 2003 CD-ROM into the CD-ROM drive. Click Start and then select Run. In the Open field of the Run dialog box, type E:\i386\adprep.exe /domainprep , where E is the drive letter for the CD-ROM drive, and then click OK. This starts a command prompt window. Read the directions carefully before continuing. Type C to continue or press any other letter to quit.

    Note

    To determine which server is the current infrastructure operations master for the domain, start a command prompt and type dsquery server -hasfsmo infr .


  5. Repeat Steps 3 and 4 for other domains in the forest as necessary.
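The dsquery output in the notes above is an LDAP distinguished name, and it's easy to misread when a value contains an escaped comma or when, in a multi-domain forest, the DC= components name the forest root rather than the domain you're working in. The parser below is an added example, not code from the chapter or from dsquery: it splits the DN the way LDAP defines it (RFC 2253 backslash and hex escapes), verifies that the object really sits under CN=Servers in the Sites container, and returns the server object name, its site, and the forest root. The sample DN is the one shown in the note; the escaped-value samples are constructed.

```python
"""Parse the DN printed by dsquery server -hasfsmo into server, site, forest.

Added example, not from the chapter. Follows the RFC 2253 string form:
backslash escapes and \\XX hex pairs (UTF-8 bytes). Multi-valued RDNs joined
with '+' are not handled. The escaped-value samples in the tests are
constructed.
"""
import string


def split_unescaped(text, sep):
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair for unescape_value()
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(value):
    """Resolve \\, and \\= style escapes and \\XX hex pairs (UTF-8 bytes)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return the DN as a list of (ATTRIBUTE, value) pairs, leftmost first."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]                       # dsquery wraps its output in quotes
    pairs = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, raw = rdn.strip().partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), unescape_value(raw.strip())))
    return pairs


def fsmo_holder(dn):
    """Interpret a server object DN from the Configuration container's Sites tree."""
    pairs = parse_dn(dn)
    expected = [(1, "CN", "Servers"), (3, "CN", "Sites"), (4, "CN", "Configuration")]
    if len(pairs) < 6 or any(pairs[i] != (a, v) for i, a, v in expected):
        raise ValueError("not a server object under CN=Sites,CN=Configuration")
    # The DC= components belong to the Configuration naming context, which is
    # held in the forest root domain: in a multi-domain forest they do not
    # tell you which domain the domain controller serves.
    return {
        "server": pairs[0][1],
        "site": pairs[2][1],
        "forest_root": ".".join(v for a, v in pairs if a == "DC"),
    }


if __name__ == "__main__":
    sample = ('"CN=CORPSERVER01,CN=Servers,CN=Default-First-Site-Name,'
              'CN=Sites,CN=Configuration,DC=microsoft,DC=com"')
    print(fsmo_holder(sample))
```

The structural check in fsmo_holder() matters more than it looks: the same tool accepts other DNs, and a DN copied from the wrong query (a user or computer object, say) would otherwise produce a plausible but meaningless server name.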

After upgrading all Windows NT and Windows 2000 domain controllers and member servers, you can raise the domain and forest functional levels to take advantage of the latest Active Directory features. If you do this, you can use only Windows Server 2003 domain controllers in the domain. Once you set the Windows Server 2003 domain or forest functional level, you can't go back to any other level. Because of this, you should only use Windows Server 2003 mode when you're certain that you don't need old Windows NT domain structures, Windows NT BDCs, or Windows 2000 domain controllers.

Raising Domain and Forest Functionality

Domains operating at the Windows Server 2003 domain functional level can use all the latest enhancements for Active Directory domains, including universal groups, group nesting, group type conversion, update logon timestamps, and Kerberos KDC key version numbers. At this level, administrators can also rename domain controllers without having to demote them first.

Several further enhancements depend on the forest functional level rather than the domain functional level. Once the forest is operating at the Windows Server 2003 forest functional level, which requires every domain controller in every domain of the forest to run Windows Server 2003, administrators can also:

  • Rename domains

  • Create one-way or two-way forest trusts between two forests, which are transitive across the domains of both forests

  • Restructure domains in the domain hierarchy by renaming them and putting them at different levels

  • Take advantage of replication enhancements for individual group members (linked-value replication, which replicates a single changed member rather than the whole membership attribute) and for global catalogs, together with improved intrasite and intersite replication efficiency

Real World

The domain and forest upgrade process can generate a lot of network traffic as information is being replicated around the network. In some cases it can take 15 minutes or longer for the entire upgrade process to complete. During this time you might experience delayed responsiveness when communicating with servers and higher latency on the network. Because of this, you might want to schedule the upgrade outside of normal business hours. It's also a good idea to thoroughly test compatibility with existing applications ( especially legacy applications) before performing this operation.

You can raise the domain level functionality by completing the following steps:

  1. Click Start, choose Programs or All Programs as appropriate, choose Administrative Tools, and then select Active Directory Domains And Trusts.

  2. Right-click the domain you want to work with in the console tree and then select Raise Domain Functional Level.

  3. The current domain name and functional level is displayed in the Raise Domain Functional Level dialog box.

  4. To change the domain functionality, select the new domain functional level using the selection list provided and then click Raise. However, you can't reverse this action. Consider the implications carefully before you do this.

  5. When you click OK, the new domain functional level will be replicated to each domain controller in the domain. This operation can take some time in a large organization.

You can raise the forest level functionality by completing the following steps:

  1. Click Start, choose Programs or All Programs as appropriate, choose Administrative Tools, and then select Active Directory Domains And Trusts.

  2. Right-click the Active Directory Domains And Trusts node in the console tree and then select Raise Forest Functional Level.

  3. The current forest name and functional level is displayed in the Raise Forest Functional Level dialog box.

  4. To change the forest functionality, select the new forest functional level using the selection list provided and then click Raise. However, you can't reverse this action. Consider the implications carefully before you do this.

  5. When you click OK, the new forest functional level will be replicated to each domain controller in each domain in the forest. This operation can take some time in a large organization.



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 0-7356-2245-0
Year: 2003
Pages: 141
