Windows 2000
Domain, Tree, Forest, OU

DOMAIN ; In Windows 2000, Microsoft defines a domain as a security boundary or an administrative boundary, which means that all the users within a domain operate under the same security policy and user-account policy.
- In Windows 2000, a domain is a group of resources that share common security and administrative boundaries.  The geographic location of the resources isn't of primary importance.
- In Windows NT, a domain usually consists of either resources that are grouped geographically or user accounts (all users and groups for an organization) that are not necessarily grouped geographically.
- Another reason to consider defining an additional domain is to keep replication traffic local, confined to domain controllers connected by a local area network.  By keeping replication local, you keep replication time to a minimum and ensure that the network line is available for other traffic.

TREE ; A tree is a hierarchical grouping of domains within the same namespace.  As you add domains to an Active Directory tree, you automatically create transitive trust relationships.  In an Active Directory tree, all domains are connected through transitive trusts, so a user in one domain can access any other domain in the tree.
* A single domain can form a tree.

FOREST ; A forest is a logical grouping of trees that you join together in a transitive trust relationship.  Users in one tree can access resources in another, and vice versa (as soon as you add the second tree to the forest).
- Each tree in a forest has a distinct namespace.
- The trees in a forest share the same schema and global catalog.

OU ; An OU is nothing more than a logical container within a domain.  You use OUs to store similar objects so that they're in a convenient location for administration and access.  You cannot extend an OU across domains; OUs are always completely contained within a single domain.  An OU can contain objects like printers, file shares, users, groups and applications.

* Remember that the best practice dictates that you limit your trees to as few domains as possible.  OUs offer a good alternative to domains, and in many cases, you can use OUs in place of child domains.   So, you may choose to have a tree that consists of only one domain.

SITE ; A site is a grouping of IP subnets connected by high-speed or high-bandwidth links. Sites are part of your network's physical topology, and each site can contain domain controllers from one or more domains.   Sites help confine replication and authentication traffic to local devices so that unnecessary traffic doesn't cross the WAN.

SCHEMA ; The Active Directory Schema contains definitions of all object classes (or object categories) and attributes that you can store in the directory.   When you install Active Directory, you also install a base schema by default.   The schema affects an entire forest, so any change is replicated to every domain in the forest.

GLOBAL CATALOG ; The Global Catalog is a searchable index that enables users to locate network objects without needing to know their domain location.  It is a partial replica of the Active Directory, containing all objects in the directory but not all of an object's attributes.  The default schema settings determine which object attributes appear in the global catalog.  All objects appear in the global catalog, but only a small subset of the objects' attributes are included.
By default, the first Domain Controller in a forest becomes the global catalog server.
* To add additional "attributes" to the global catalog, you have to modify the "schema".

SRV ; SRV records in DNS are an absolute requirement for Active Directory, whereas DDNS is optional (but highly recommended).   Before a network client can query the Active Directory database, it must first locate an A.D. server.   SRV records in the DNS database identify those Active Directory servers.
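An added illustration of how a client turns those SRV records into a domain controller to talk to (example code written for these notes, not from the original page). The record name _ldap._tcp.dc._msdcs.<domain> is the standard Windows 2000 DC-locator record but is not stated on the page, and the hostnames, weights and reachability probe are constructed; the ordering follows RFC 2782 (lowest priority value first, weighted random draw within a priority).

```python
import random

# Standard Windows 2000 DC-locator record name (assumption: not stated on the page).
SRV_NAME = "_ldap._tcp.dc._msdcs.example.com"

# Constructed SRV answers for that name: (priority, weight, port, target).
SAMPLE_SRV = [
    (0, 100, 389, "dc1.example.com"),
    (0, 100, 389, "dc2.example.com"),
    (10, 0, 389, "dc-backup.example.com"),   # higher priority value: fallback only
]

def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority value first; within one
    priority a weighted random draw, with weight-0 entries placed so they are
    drawn last."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)     # 0..total inclusive, as the RFC describes
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:          # first record whose running sum reaches the pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def locate_dc(records, reachable):
    """Return (host, port) of the first domain controller, in RFC 2782 order,
    for which reachable(host) is True; None if no server answers."""
    for _prio, _weight, port, target in order_srv(records):
        if reachable(target):
            return target, port
    return None

if __name__ == "__main__":
    # Constructed probe: pretend dc1 is down, so the client falls through to another DC.
    print(locate_dc(SAMPLE_SRV, lambda host: host != "dc1.example.com"))
```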

DDNS ; DDNS enables hosts to write (or register) their own records to the DNS database, similar to the way that WINS lets a computer register a NetBIOS name with the WINS database.  (RFC2136)

LDAP ; Network clients use LDAP to query the Active Directory database.  LDAP uses the GUID (Globally Unique Identifier) to search for objects in A.D.
(Clients query the DNS server to locate an LDAP server first.  The LDAP server is then used to locate the A.D. database.)

- Building a domain's first domain controller and creating a new domain are exactly the same thing.

- Windows 2000 Server enables you to grant administrative rights to portions of the Active Directory tree without having to give administrative rights to the entire domain.

- The Built-In groups are fixed and cannot be deleted, and they can't be made members of other groups.

Other groups you create can be given membership in the Built-In group.

If you want to disable a particular Built-In group, you would do so simply by removing all its member groups.

RRAS (Routing and Remote Access Service) is also a remote-access technology, but it includes routing capabilities that enable connections to the network over a public network - like the Internet - using VPN (Virtual Private Network) technology.  A VPN works by setting up a secure "tunnel" between a client and the RRAS server through which encrypted packets pass.  The client computer dials up its normal Internet ISP and then forms a VPN connection to the RRAS server over the Internet, in a secure fashion.

WTS (Windows Terminal Service) ........either over a dial-up or LAN/WAN connection, and logs in.  From then on, the client computer is only responsible for displaying screens and accepting keyboard and mouse input ; all work is actually being done on the Terminal Server through the creation of a Virtual Windows Machine.  A Terminal Server can create many Virtual Windows Machines, each one carrying out its own tasks and running its own programs.

    * WTS : remote-control approach    * RRAS : remote-node approach

WTS(1)-The remote computer doesn't have adequate resources to run some application or perform some task.  By running its programs on the Terminal Server, the remote computer can take advantage of the Terminal Server's resources.

WTS(2)-....Because a remote computer connected to a Terminal Server only has to transfer display and input information, the application running on the Terminal Server can run much faster than it could over a remote-node connection.

WTS(3)-.....performing an administrative tool.....

Microsoft Management Consoles


* MMC (mmc.exe) is a framework for management applications, providing a user interface ; it doesn't change how the snap-ins function.
    - mmc.exe is a program that presents administrators with a blank console to work with.

* A Console (.msc) is one or more administrative tools in an MMC framework.   The prebuilt admin tools, like Active Directory Users and Computers, are console files.  You can also make your own consoles without any programming tools.

* Snap-Ins are what we call administrative tools that can be added to the console.  (Examples ; DHCP admin tool, Disk Defragmenter...)  Snap-Ins can be made by Microsoft or by other software vendors.  A snap-in can contain components called nodes, or containers, or even leaves.

* An Extension is basically a snap-in that can't live by itself on the console but depends on a stand-alone snap-in.

--- The mmc.exe plus the defined snap-ins create the tool interface.

 

Registry (Subtree > Keys > Subkeys > Value)

* 5 Subtrees ; HKLM, HKCU, HKU, HKCR, HKCC

Examples ; SubTree(HKLM) -> Keys(System) -> Subkey(CurrentControlSet) -> ValueEntry(IsDomainMaster)

* A Value Entry consists of (1) a Name, (2) a Data Type and (3) a Value
Examples ; (1) IsDomainMaster (2) REG_MULTI_SZ (3) ....

** Hives vs. Subtrees
Windows 2000's registry is spread out physically, as it is saved in several separate files called HIVEs, and the Registry is also spread out logically into separate parts called SUBTREEs. (HIVEs ; where the Registry lives)
    * The machine-specific hive files are in the \winnt\system32\config directory.
    * The user-specific hive files are in the \winnt\documents and settings\user id directory.
(The Registry is mostly contained in a set of files called the HIVEs.)

 
* HKCR(HKEY_CLASSES_ROOT) subtree is copied from HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES at boot time.

 

Disk Management

* Partition Table : a 64-byte table in the first sector of any disk.
  The partition table lists the physical locations of any logical partitions on the disk but can only describe 4 partitions because each description takes up 16 bytes.
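An added example (written for these notes, not code from the original page) that walks the 64-byte table just described: it builds a constructed 512-byte first sector with two used slots and decodes the four 16-byte descriptions. The 446-byte offset of the table, the 0x55AA boot signature and the partition type codes are standard MBR layout details that the page itself does not state.

```python
import struct

PT_OFFSET = 446    # the 64-byte table sits at byte 446 of sector 0 (standard MBR layout)
ENTRY_SIZE = 16    # each of the 4 descriptions is 16 bytes, so 4 x 16 = 64 bytes
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte description; CHS fields are left zero (tools use the LBA fields)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sample sector 0 (not a real disk image): zeroed boot code,
# one active NTFS partition, one extended partition, two empty slots, signature.
SAMPLE_MBR = (bytes(PT_OFFSET)
              + build_entry(0x80, 0x07, 63, 2097152)       # bootable, type 0x07 (NTFS), 1 GiB
              + build_entry(0x00, 0x05, 2097215, 4194304)  # type 0x05 (extended container)
              + bytes(ENTRY_SIZE) * 2                      # slots 3 and 4 unused
              + b"\x55\xaa")                               # boot signature

def parse_partition_table(sector0):
    """Decode the 4 partition descriptions from a 512-byte first sector."""
    if len(sector0) != 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        start = PT_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector0[start:start + ENTRY_SIZE])
        entries.append({
            "slot": slot + 1,
            "bootable": status == 0x80,         # 0x80 marks the active partition
            "type": ptype,
            "extended": ptype in (0x05, 0x0F),  # extended partition: container for logical drives
            "lba_start": lba,
            "sectors": count,
            "empty": ptype == 0 and count == 0, # an unused slot is all zeros
        })
    return entries

if __name__ == "__main__":
    for entry in parse_partition_table(SAMPLE_MBR):
        print(entry)
```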

* Free Space is an Extended Partition that doesn't yet have any logical drives in it, or the space within that (extended) partition not yet divided into a logical drive.

* Unallocated Space is space on a disk that is not part of a volume.  It's not committed to be part of any volume or partition.

* Volume set vs. Striping without parity
Disk striping (a nonparity stripe set) has a speed advantage over volume sets, but.....  you cannot extend a stripe set and cannot mirror a stripe set, although you can mirror a simple volume.  (There is simply no way to make a stripe set fault tolerant other than backing it up.)
If you're looking for performance, use nonparity stripe sets.  If you're looking for flexibility, expandability, or fault tolerance, use simple or spanned volume sets.  (....summarized on 07/31/00)

 

I am struggling with a pretty thick book, "Mastering Windows 2000 Server" written by Mark Minasi.  And I am supposed to take an upgrade test for the Windows 2000 track soon!!

AD, GPO, OU, RSOP, SDOU, ................................

Written by Gary Goh ..... June 2000


Active Directory Integrated DNS zones help avoid problems with dynamic update and zone transfer when a single DNS server becomes unavailable.  (Dynamic Update and Zone Transfer require a Primary DNS server)

 


Remote Access protocol vs. Transport protocol

For remote access to work, a new protocol, called a "communications protocol" or "remote access protocol", is necessary; it handles the establishment of the connection between the two communicating computers.  On a regular permanent LAN connection, the connection is permanent and needs no separate establishment.
After the remote access protocol sets up the connection, communication between computers takes place with "normal" LAN protocols (=transport protocols ; TCP/IP, NetBEUI, NWLink, AppleTalk).

The remote access protocols that VPNs use are PPTP and L2TP.  L2TP provides tunneling but not encryption.  You would therefore normally use L2TP in combination with IPSec.   PPTP provides encryption via PPP.

 

RRAS/DHCP integration  (** see RRAS, explained in detail below)

(How do you configure RRAS to let RAS clients get IP addressing from DHCP?)  If your RRAS system has multiple network adapters, an additional field appears at the bottom of the IP tab asking you to pick the adapter that has a DHCP server.
RRAS grabs 10 IP addresses from the DHCP to start with (taking the first one for its own server adapter), and grabs additional batches of ten addresses if and when needed. (You can change the number of addresses in a batch by editing Registry.)  When the RRAS server stops, it releases all the addresses that it borrowed from the DHCP server.
# Two ways of IP addressing for remote access users ; (1) DHCP, (2) Static, predefined address pool

Demand-Dial Routing

The user name in the authentication credentials sent by the calling router must exactly match the name of a demand-dial interface on the answering router.  If the user name does not match a demand-dial interface name, the answering router will assume that the incoming call is from a RAS user, not a remote router.

 

Microsoft DNS saves its DNS data within the Active Directory database.   Thus the DNS data replicates along with the A.D. data.  Other DNS versions can't store their data within A.D. and, therefore, require DNS replication on the network as well.
* Two advantages of using Microsoft DNS integrated with the A.D. tree :
(1) Fault Tolerance (because the information is available on every domain controller), (2) More efficient replication traffic.

BridgeHead Server ; A bridgehead server is a domain controller that is specifically assigned the role of passing replication traffic to other sites.  Only the bridgehead server participates in replications across WAN links ; other domain controllers do not.  Active Directory can assign the role of replicating across WAN links to a bridgehead server.

 

Operations Master and FSMO (Flexible Single Master Operations)
"All domain controllers are the same in Windows 2000 and no domain controller has a special role over any of the other domain controllers" -> This statement isn't strictly true!!!
Some services can't function in a multiple-master environment, meaning that changes can't take place on more than one domain controller at a time.  Some domain controllers, therefore, do assume a single-master operations role and are known as "operations masters".

Domain-level FSMO (one per domain) :
- PDC emulator : password changes
- RID master
- Infrastructure master
Forest-wide FSMO (one per forest) :
- Schema master : maintains the master copy of the schema
- Domain Naming master : oversees the creation/deletion of domains in the forest

Example ; The first Active Directory domain controller in a new forest assumes all 5 operations master roles.  If additional domains are added to the forest, the first domain controller in the new domain assumes the 3 domain-level operations master roles for the new domain.

 

RRAS (Routing and Remote Access Service)

* Remote access allows users who are physically separated from the company network to access company resources on either just RRAS server itself, or on the whole network.

* Remote access connections are either dial-up or use a virtual private network (VPN).

* The RRAS Setup Wizard guides you through choices of connection services, including Remote Access Server, Virtual Private Network, Routing, Network Address Translation, and Internet Connection Sharing.

* A VPN connection uses encapsulated, encrypted, and authenticated links across a shared or public network.

* A VPN offers a low-cost solution, because it only incurs local charges to the user's ISP, rather than long distance charges from user to server.

* VPNs require a tunneling protocol, either PPTP or L2TP with IPSec. 

* Multilink is when you combine multiple physical links into a single logical link for greater throughput.  It needs to be supported at both ends of the connection - enable multilink for the server and you can fine-tune settings with remote access policies.  Multilink now supports the Bandwidth Allocation Protocol (BAP), which dynamically adds or removes links in a multilink connection.

* When configured for the DHCP, the RRAS server precaches a pool of addresses from a DHCP when the service first starts, and the RRAS server then manages these leases - assigning IP addresses to remote access clients when they connect.

* When using DHCP with RRAS, only the IP address is passed from the DHCP server to the remote access clients ; other configured options on the DHCP are discarded by the RRAS server.  Remote access clients inherit other IP configuration options such as those for DNS and/or WINS from the RRAS server.

* If you want remote access clients to obtain DHCP scope options, configure the DHCP relay agent on the internal interface on the RRAS server.

* If you subnet your network, there may be considerations that have to be taken into account when using DHCP for remote access clients, such as assigning static routes or enabling routing protocols, a relay agent, and the consequences of APIPA.

* The two security providers supported for remote access are Windows and RADIUS.
With Windows authentication, Windows 2000 security verifies the credentials, the dial-up properties of the user account, and any locally stored remote access policies.
With RADIUS authentication, the credentials of the connection attempt are passed to a specified RADIUS server for authentication and authorization, and if accepted, it passes this confirmation back to the RRAS server.


Internet Information Service (IIS5.0)


Gary G. Goh is an MCSE, MCP+Internet, CCNA, A+, Network+, i-Net+ Certified Professional.
Copyright goh720 All Rights Reserved. 1998-2001