GrinchyNet
I strive to bring you nothing of importance

How to Install Active Directory

Page 1

Introduction

This step-by-step guide provides instructions for installing Active Directory on servers running the Windows Server 2003 Enterprise Edition operating system. It is not intended to explain how to install Windows Server 2003 itself. Rather, it guides you through a basic installation of Active Directory.

What is Active Directory?

Active Directory is the distributed directory service included with the Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

Active Directory in Windows Server 2003 includes the following:

  • Active Directory on a Windows Server 2003 Network
  • Active Directory Application Mode
  • Structure and Storage Technologies
  • Domain Controller Roles
  • Replication Technologies
  • Search and Publication Technologies
  • Installation, Upgrade, and Migration Technologies

In distributed computing environments, networked computers and other devices communicate over remote connections to accomplish tasks through client/server applications. Distributed environments require a central repository of information and integrated services that provide the means to manage network users, services, devices, and additional information that administrators want to store.

Organizations operating a distributed environment need to have a way to manage network resources and services. As the organization grows, the need for a secure and centralized management system becomes more critical.

A directory service provides a centralized location to store information in a distributed environment about networked devices and services and the people who use them. A directory service also implements the services that make this information available to users, computers, and applications. A directory service is both a database storage system (directory store) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store.

Active Directory is typically used for one of three purposes:

  • Internal directory. Used within the corporate network for publishing information about users and resources within the enterprise. A company's internal directory may be accessible to employees when they are outside the company network over a secure connection such as a virtual private network (VPN), but it is not accessible to non-employees.
  • External directory. These directories are typically located on servers in the perimeter network or demilitarized zone (DMZ) at the boundary between the corporate local area network (LAN) and the public Internet. External directories are typically used to store information about customers, clients, and business partners who access external applications or services. They are also made available to customers, clients, and business partners to provide them with selected business information such as catalogs.
  • Application directory. Application directories store "private" directory data that is relevant only to one application in a local directory, perhaps on the same server as the application, without requiring any additional configuration of Active Directory. For example, the personalization data of a portal application, which is of interest only to that application and does not need to be widely replicated, can be stored solely in the directory associated with the application. This reduces replication traffic between domain controllers.

Active Directory is the information hub of the Windows Server 2003 operating system. The following figure shows Active Directory as the focal point of the Windows Server 2003 network used to manage identities and broker relationships between distributed resources so they can work together.

[Figure: Active Directory as the focal point of the Windows Server 2003 network]

Active Directory provides:

  • A central location for network administration and delegation of administrative authority. You have access to objects representing all network users, devices, and resources and the ability to group objects for ease of management and application of security and Group Policy.
  • Information security and single sign-on for user access to network resources. Tight integration with security eliminates costly tracking of accounts for authentication and authorization between systems. A single user name and password combination can identify each network user, and this identity follows the user throughout the network.
  • Scalability. Active Directory includes one or more domains, each with one or more domain controllers, enabling you to scale the directory to meet any network requirements.
  • Flexible and global searching. Users and administrators can use desktop tools to search Active Directory. By default, searches are directed to the global catalog, which provides forest-wide search capabilities.
  • Storage for application data. Active Directory provides a central location to store data that is shared between applications and with applications that need to distribute their data across entire Windows networks.
  • Systematic synchronization of directory updates. Updates are distributed throughout the network through secure and cost-efficient replication between domain controllers.
  • Remote administration. You can connect to any domain controller remotely from any Windows-based computer that has administrative tools installed.
  • Single, modifiable, and extensible schema. The schema is a set of objects and rules that provide the structure requirements for Active Directory objects. You can modify the schema to implement new types of objects or object properties.
  • Integration of object names with Domain Name System (DNS), the Internet-standard computer location system. Active Directory uses DNS to implement an IP-based naming system so that Active Directory services and domain controllers are locatable over standard IP both on intranets and the Internet.
  • Lightweight Directory Access Protocol (LDAP) support. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

What is a Domain Controller?

A domain controller is a server that is running a version of the Windows Server 2003 or Windows 2000 Server operating system and has Active Directory installed.

Implementations of Microsoft Windows NT 3.51 and Microsoft Windows NT 4.0 operating systems also have domain controllers, but they do not support Active Directory.

When you install Windows Server 2003 or Windows 2000 Server on a computer, you can choose to configure a server role for that computer. When you want to create a new forest, a new domain, or an additional domain controller in an existing domain, you configure the server as a domain controller by installing Active Directory.

By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A Windows Server 2003 domain controller can also store one or more application directory partitions.

Whereas every domain controller stores the objects for only one domain, a domain controller that is designated as a global catalog server stores objects from all domains in the forest. For each object outside the domain for which the global catalog server is authoritative as a domain controller, a limited set of attributes is stored in a partial replica of the corresponding domain. The partial replicas on a global catalog server are not writable: you cannot update an object in a partial replica on a global catalog server, only on a domain controller that stores a full replica of that domain. Thus a global catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest. The attributes replicated to global catalog servers are those most likely to be used when searching for an object in Active Directory; they are identified by default in the schema as members of the partial attribute set of the global catalog.

The global catalog makes it possible for clients to search Active Directory without having to be referred from server to server until the domain controller that has the domain that stores the requested object is found. By default, Active Directory searches are directed to global catalog servers. The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other domain controllers to be global catalog servers if they are needed.

All domain controllers can receive updates to any writable object that they store (with the exception of schema updates, which can be made only on the one domain controller in the forest that holds the schema master role). The day-to-day operations associated with managing users, groups, and computers are typically multimaster operations, that is, changes to these objects can be made on any domain controller. When a client application updates an object on a domain controller, the domain controller automatically replicates the change to all other domain controllers in the same domain if it is a domain change, or to all other domain controllers in the forest if it is a configuration or schema change.

Some operations, however, are not performed as multimaster operations because they must occur at only one place and time. For these operations, specially designated domain controllers perform the operation alone. The master operations required at the forest level are the schema master and the domain naming master; those required at the domain level are the PDC emulator, the RID master, and the infrastructure master. Domain controllers that hold these special roles are called operations masters.

Installation Checklist

The following is a list of what you need in order to install Active Directory:

  • An NTFS partition with enough free space
  • An Administrator's username and password
  • The correct operating system version
  • Network Interface Card (NIC)
  • Properly configured TCP/IP
  • A network connection
  • An operational DNS server (which can be installed on the DC itself)
  • A Domain name that you want to use
  • Windows Server 2003 CD media
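As an added example (not part of the original guide), the following Windows PowerShell script tests the items on this checklist before Active Directory is installed. It assumes Windows PowerShell 2.0 or later is present on the server, and the 1 GB free-space threshold is an assumed value to adjust for your own sizing.

```powershell
# Added example, not from the original guide: pre-flight check for the Installation Checklist.
# Uses WMI and .NET classes that exist on Windows Server 2003 and later; needs Windows PowerShell 2.0+.
$MinFreeBytes = 1GB                  # assumed minimum; size it for your NTDS database and SYSVOL
$Report = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:Report += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Correct operating system: this guide targets a Windows Server edition.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Server OS' ($os.Caption -match 'Server') "$($os.Caption) $($os.Version)"

# 2. Administrator credentials: the current token must carry the Administrators role.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Running as Administrator' $isAdmin $id.Name

# 3. NTFS partition with enough free space (the system drive is checked here).
$sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
Add-Check 'System drive is NTFS' ($sys.FileSystem -eq 'NTFS') "$($sys.DeviceID) $($sys.FileSystem)"
Add-Check 'Free space on system drive' ([int64]$sys.FreeSpace -ge $MinFreeBytes) ("{0:N0} MB free" -f ($sys.FreeSpace / 1MB))

# 4. NIC with TCP/IP bound; a domain controller should use a static address and list a DNS server.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
Add-Check 'TCP/IP-enabled NIC present' ($nics.Count -gt 0) "$($nics.Count) adapter(s)"
foreach ($nic in $nics) {
    Add-Check "Static IP on $($nic.Description)" (-not $nic.DHCPEnabled) ($nic.IPAddress -join ', ')
    Add-Check "DNS servers set on $($nic.Description)" ([bool]$nic.DNSServerSearchOrder) ($nic.DNSServerSearchOrder -join ', ')
}

# 5. Operational DNS server: the Windows DNS Server service listens on TCP 53 as well as UDP 53,
#    so a TCP connect with a 2-second timeout is a cheap reachability test.
$dnsServers = $nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique
foreach ($server in $dnsServers) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $handle = $tcp.BeginConnect($server, 53, $null, $null)
    $reachable = $handle.AsyncWaitHandle.WaitOne(2000, $false) -and $tcp.Connected
    $tcp.Close()
    Add-Check "DNS server $server answers on TCP 53" $reachable ''
}

$Report | Format-Table Check, Passed, Detail -AutoSize
if ($Report | Where-Object { -not $_.Passed }) { Write-Warning 'Resolve the failed checks before installing Active Directory.' }
```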
