Contents
Overview 1
Introduction to Active Directory 2
Win32, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A.
and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead:
David Phillips
Instructional Designers:
Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager:
Mark Adcock
Program Manager:
Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com),
Bill Wade (Wadeware LLC)
Graphic Artist:
Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager:
Lynette Skinner
Editor:
Elizabeth Reese (Write Stuff)
Copy Editor:
Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff
(S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager:
Windows® 2000.
At the end of this module, students will be able to:
• Describe the role of Active Directory in Windows 2000.
• Describe the logical structure of Active Directory.
• Describe the physical structure of Active Directory.
• Describe the roles of global catalog servers and operations masters in Active Directory.
• Describe the security subsystem and the role of Active Directory in it.
Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1569A_02.ppt
Preparation Tasks
To prepare for this module, you should:
•
organization might find it necessary to have more than one domain. Finally,
discuss the types of trust relationships that are possible in Active Directory.
• Physical Structure
Explain that in Active Directory, the physical structure of a network is
completely independent of its logical structure. This means the network
topology can be optimized without compromising the logical structure. Note
that an Active Directory site is completely different from the site concept in
previous versions of Microsoft Exchange.
• Specific Domain Controller Roles
Explain the function of roles that are assigned to specific domain
controllers.
• Schema Fundamentals
Explain the reasons and methods for changing the schema and the
implications of those changes.
• Windows 2000 Security Subsystem
Explain the structure of the security subsystem and the position of Active
Directory within it.
Module 2: Overview of Microsoft Windows 2000 Active Directory 1
Overview
Slide: Introduction to Active Directory; Logical Structure
• Install Active Directory.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the role of Active Directory in a Windows 2000 network.
Delivery Tip: Emphasize to your students that this module is meant to be a review of Active Directory fundamentals. It does not include information about the relationship between Exchange 2000 and Active Directory, which is covered in the next module.
Introduction to Active Directory
integral part of a Windows 2000 network.
Active Directory Overview
Slide: Directory Service Functionality (Organize, Manage, Control); Centralized Management (Single point of administration)
Active Directory enables administrators to manage distributed desktops,
network services, and applications from a central location while using a
consistent management interface. Network administrators also have a consistent
way to monitor and manage network devices, such as routers.
Slide Objective: To explain the purpose of Active Directory as a network directory service.
Lead-in: Directory services store information about network resources.
Active Directory Supported Technologies
Slide: DHCP, DNS, SNTP, LDAP, Kerberos

Technology                                        Function                     Standard
Dynamic Host Configuration Protocol (DHCP)        Network address management   RFC 2131
DNS dynamic update protocol                       Host namespace management    RFC 2052 and 2163
Simple Network Time Protocol (SNTP)               Distributed time service     RFC 1769
Lightweight Directory Access Protocol (LDAP) v3   Directory access             RFC 2251
LDAP ‘C’ Directory API                                                         RFC 1823
LDAP Data Interchange Format (LDIF)               Directory synchronization    Internet Engineering Task Force (IETF) Draft
LDAP Directory schema                                                          RFC 2247, 2252, and 2256
Slide Objective: To describe the standards, protocols, and APIs that Active Directory and
maximizes the interoperability between applications and directory services and facilitates directory interoperability through synchronization.
• Kerberos v5 and X.509 certificate integration with Active Directory gives corporations the flexibility to mix and match the security that they deploy—in both Internet and intranet environments—based on their needs.
Active Directory Naming Conventions
Slide: Distinguished Name; Relative Distinguished Name; User Principal Name; Globally Unique Identifier; Uniqueness of Names
Slide examples: DC=com,DC=contoso,CN=Users,CN=James Smith; JamesS@contoso.com; Unique 128-bit number
Users and applications are both affected by the naming conventions that directory services use. To locate network resources, you must know the name or
Globally Unique Identifier
The globally unique identifier (GUID) is a 128-bit number that is guaranteed to
be unique. Windows 2000 assigns a GUID to objects when they are created.
The GUID never changes, even if you move or rename the object. Applications
can store the GUID of an object and retrieve that object even if the
distinguished name of the object changes.
Uniqueness of Names
Distinguished names are guaranteed to be unique in the forest. Active Directory
does not permit two objects with the same relative distinguished name under the
same parent container. By definition, GUIDs are unique. User principal names
are required to be unique, but Active Directory does not enforce this
requirement, so it is possible to have duplicate user principal names.
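An added example, not part of the course material, that turns the naming rules above into a check over a constructed directory snapshot: it parses string-form distinguished names (leaf first, so the slide's James Smith object is CN=James Smith,CN=Users,DC=contoso,DC=com), extracts the relative distinguished name, and reports the one clash Active Directory will not catch for you, a duplicate user principal name, next to the two it guarantees against. The object list, GUID values and the Ann Smith entry are constructed sample data.

```python
from collections import defaultdict

def parse_dn(dn):
    """Split an LDAP string DN (leaf first, RFC 2253) into [(attr, value)].
    A backslash-escaped comma in a value (CN=Smith\\, James) stays in the value."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf, i = buf + dn[i + 1], i + 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    return [(p.partition("=")[0].strip().upper(), p.partition("=")[2].strip()) for p in parts]

def rdn(dn):
    """Relative distinguished name: the leaf-most component of the DN."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def audit_names(objects):
    """objects: dicts with 'dn', 'upn', 'guid'. Reports the clashes the module describes:
    same RDN under one parent (AD refuses it), duplicate UPN (AD does not enforce
    uniqueness, so it must be audited) and duplicate GUID (should never occur)."""
    by_dn, by_upn, by_guid = defaultdict(list), defaultdict(list), defaultdict(list)
    for obj in objects:
        # AD compares names case-insensitively: normalise before keying
        key = tuple((a, v.casefold()) for a, v in parse_dn(obj["dn"]))
        by_dn[key].append(obj["dn"])        # parent container + leaf RDN
        if obj.get("upn"):
            by_upn[obj["upn"].casefold()].append(obj["dn"])
        by_guid[obj["guid"].lower()].append(obj["dn"])
    dups = lambda d: {k: v for k, v in d.items() if len(v) > 1}
    return {"duplicate_rdn": dups(by_dn), "duplicate_upn": dups(by_upn),
            "duplicate_guid": dups(by_guid)}

# Constructed snapshot: one RDN under two different parents is legal, but both
# accounts carry the same UPN, which Active Directory will not reject for you.
SAMPLE = [
    {"dn": "CN=James Smith,CN=Users,DC=contoso,DC=com", "upn": "JamesS@contoso.com",
     "guid": "11111111-1111-1111-1111-111111111111"},
    {"dn": "CN=James Smith,OU=Sales,DC=contoso,DC=com", "upn": "jamess@contoso.com",
     "guid": "22222222-2222-2222-2222-222222222222"},
    {"dn": "CN=Smith\\, Ann,CN=Users,DC=contoso,DC=com", "upn": "AnnS@contoso.com",
     "guid": "33333333-3333-3333-3333-333333333333"},
]
```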
Active Directory and Domain Name System
Slide: Name Resolution; Namespace Definition; Locating the Physical Components of Active Directory
Active Directory uses Domain Name System (DNS) for three primary functions:
• Name resolution. DNS provides name resolution by translating host names
Slide: Logical Structure (Domain, Tree, Forest, OU); Domains; Organizational Units; Trees and Forests
The logical structure of Active Directory is flexible and provides a method for designing a directory hierarchy that makes sense to its users and to those who
Slide: Mixed Mode: domain controller (Windows 2000) and domain controller (Windows NT 4.0); Native Mode: domain controllers (Windows 2000 only)
The core unit of the logical structure in Active Directory is the domain. A domain is a collection of computers defined by an administrator that share a common directory database.
Security Boundary
In a Windows 2000 network, the domain serves as a security boundary. The
administrator of a domain has the necessary permissions and rights to perform
administration within that domain only, unless the administrator is explicitly
granted those rights in another domain. Every domain has its own security
policies and security relationships with other domains.
Unit of Replication
Domains are also units of replication. All domain controllers in a domain
participate in replication and contain a complete copy of all of the directory
information for their domain.
Directory functionality, such as group nesting and security-type universal
groups, requires that the domain be in native mode.
Caution: The change from mixed mode to native mode is a one-way process; you cannot change from native mode to mixed mode.
Key Points: The operating system on the domain controllers determines the mode that your domain can use.
Organizational Units
Slide: Arrange OUs According to:; Delegate Administrative Control at OU Level; OUs Enable Single Domain Model; Geographic Structure (Sales, Paris, Repair)
delegate administrative control of an OU, you grant specific permissions for the
OU and the objects that it contains to one or more users and groups.
For an OU, you can assign complete administrative control (for example, full
control over all objects in the OU) or limited administrative control (for
example, the ability to modify e-mail information on user objects in the OU).
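An added example, not code from the course, that models the two delegation levels just described on a constructed Paris OU and answers the audit question a defender asks first: who holds complete control of the OU? The simplified ACE structure (trustee, right, attribute, object class, inheritance flag) is an assumption of this model and not the real Active Directory security descriptor format; the Paris-Admins and Helpdesk group names are invented.

```python
from dataclasses import dataclass, field

FULL_CONTROL = "GenericAll"        # complete administrative control
WRITE_PROP = "WriteProperty"       # limited control: one attribute only

@dataclass(frozen=True)
class Ace:
    trustee: str           # user or group that receives the permission
    right: str             # FULL_CONTROL or WRITE_PROP
    attribute: str = ""    # for WRITE_PROP: the attribute, e.g. "mail"
    applies_to: str = ""   # object class the ACE is limited to ("" = any)
    inherit: bool = True   # whether the ACE flows down to objects in the OU

@dataclass
class DirObject:
    dn: str
    object_class: str      # "organizationalUnit", "user" or "computer"
    aces: list = field(default_factory=list)

def parent_of(dn):
    return dn.partition(",")[2]   # sample DNs contain no escaped commas

def effective_rights(objects, dn, principals):
    """Rights any of `principals` (the user plus its groups) holds on `dn`:
    ACEs on the object itself, then inheritable ACEs from each OU above it."""
    by_dn = {o.dn: o for o in objects}
    target, rights = by_dn[dn], set()
    cur, inherited = dn, False
    while cur in by_dn:
        for ace in by_dn[cur].aces:
            if ace.trustee in principals and (ace.inherit or not inherited) \
                    and ace.applies_to in ("", target.object_class):
                rights.add((ace.right, ace.attribute))
        cur, inherited = parent_of(cur), True
    return rights

def can_write(objects, dn, principals, attribute):
    rights = effective_rights(objects, dn, principals)
    return (FULL_CONTROL, "") in rights or (WRITE_PROP, attribute) in rights

def full_control_holders(objects, ou_dn):
    """Audit question: which trustees hold complete control of this OU?"""
    ou = next(o for o in objects if o.dn == ou_dn)
    return sorted(a.trustee for a in ou.aces if a.right == FULL_CONTROL)

# Constructed sample: Paris OU administrators get full control; the helpdesk
# may only change e-mail information on user objects inside the OU.
PARIS = "OU=Paris,DC=contoso,DC=com"
SAMPLE = [
    DirObject(PARIS, "organizationalUnit", [
        Ace("Paris-Admins", FULL_CONTROL),
        Ace("Helpdesk", WRITE_PROP, attribute="mail", applies_to="user")]),
    DirObject("CN=James Smith," + PARIS, "user"),
    DirObject("CN=WS01," + PARIS, "computer"),
]
```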
Slide Objective: To explain the purpose of OUs in Active Directory.
Lead-in: An OU is a container in which you organize objects.