Many books have been devoted to the planning, implementation, and support of Active Directory. If you’re experienced with Active Directory, you will recognize that the following discussion has been simplified solely because it would take many books to discuss all the detail. The goal of this section is to distill that information to what you should know to approach the 70-290 exam.
Networks, Directory Services, and Domain Controllers
Networks were created on the day when the first user decided he or she didn’t want to walk down the hall to get something from another user. In the end, networks are all about providing resources remotely. Those resources are often files, folders, and printers. Over time those resources have come to include many things, most significantly, e-mail, databases, and applications. There has to be some mechanism to keep track of these resources, providing, at a minimum, a directory of users and groups so that the resources can be secured against undesired access.
Microsoft Windows networks support two directory service models: the workgroup and the domain. The domain model is by far the more common in organizations implementing Windows Server 2003. The domain model is characterized by a single directory of enterprise resources—Active Directory—that is trusted by all secure systems that belong to the domain. Those systems can therefore use the security principals (user, group, and computer accounts) in the directory to secure their resources. Active Directory thus acts as an identity store, providing a single trusted list of Who’s Who in the domain.
Active Directory itself is more than just a database, though. It is a collection of supporting files including transaction logs and the system volume, or Sysvol, that contains logon scripts and group policy information. It is also the services that support and use the database, including the Lightweight Directory Access Protocol (LDAP), the Kerberos security protocol, replication processes, and the File Replication Service (FRS). The database and its services are installed on one or more domain controllers. A domain controller is a server that has been promoted by running the Active Directory Installation Wizard, either by running DCPROMO from the command line or, as you will do in Exercise 2, by running the Configure Your Server Wizard. Once a server has become a domain controller, it hosts a copy, or replica, of Active Directory, and changes to the database on any domain controller are replicated to all domain controllers within the domain.
1-12 Chapter 1 Introducing Microsoft Windows Server 2003
Domains, Trees and Forests
Active Directory cannot exist without at least one domain, and vice versa. A domain is the core administrative unit of the Windows Server 2003 directory service. However, an enterprise may have more than one domain in its Active Directory. Multiple domain models create logical structures called trees when they share contiguous DNS names. For example, contoso.com, us.contoso.com, and europe.contoso.com share a contiguous DNS namespace, and would therefore be referred to as a tree.
If domains in an Active Directory do not share a common root domain, they create multiple trees. That leads you to the largest structure in an Active Directory: the forest. An Active Directory forest includes all domains within that Active Directory. A forest may contain multiple domains in multiple trees, or just one domain. When more than one domain exists, a component of Active Directory called the Global Catalog becomes important because it provides information about objects that are located in other domains in the forest.
Objects and Organizational Units (OUs)
Enterprise resources are represented in Active Directory as objects, or records in the database. Each object has numerous attributes, or properties, that define it. For example, a user object includes the user name and password; a group object includes the group name and a list of its members.
To create an object in Active Directory, open the Active Directory Users And Computers console from the Administrative Tools program group. Expand the domain to reveal its containers and OUs. Right-click a container or OU and select New object_type.
Active Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared folders, sites, site links, Group Policy Objects (GPOs), and even DNS zones and host records. You can imagine that without some kind of structure, accessing and administering the directory would be a nightmare.
Structure is the function of a specific object type called an organizational unit, or OU. OUs are containers within a domain that allow you to group objects that share common administration or configuration. But they do more than just organize Active Directory objects. They provide important administrative capabilities, as they provide a point at which administrative functions can be delegated and to which group policies can be linked.
Lesson 2 Installation and Configuration of Windows Server 2003 and Active Directory 1-13
Administrative delegation relates to the simple idea that you might want a front-line administrator to be able to change the password for a certain subset of users. Each object in Active Directory (in this case, the user objects) includes an access control list (ACL) that defines permissions for that object, just as files on a disk volume have ACLs that define access for those files. So, for example, a user object’s ACL will define what groups are allowed to reset its password. It would get complicated to assign the front-line administrator permissions to change each individual user’s password, so instead you can put all of those users in a single OU and assign that administrator the reset password permission on the OU. That permission will be inherited by all user objects in the OU, thereby allowing that administrator to reset the password of every user in the OU, and nothing more.
Resetting user passwords is just one example of administrative delegation. There are thousands of combinations of permissions that could be assigned to groups administering and supporting Active Directory. OUs allow an enterprise to create an active representation of its administrative model, and to specify who can do what to objects in the domain.
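As an added example, not code from the training kit, this PowerShell script applies the help-desk delegation described above on a current domain controller: it grants a group the Reset Password control-access right on an OU so that the permission is inherited by the user objects beneath it, then reads the OU's ACL back to confirm. The OU name, the group name, and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the training kit): delegate "Reset Password" on one
# OU to a help-desk group, inherited by user objects only, then verify the ACE.
# Assumptions: ActiveDirectory module present, the OU and group below exist,
# and the caller may modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn      = "OU=Sales,DC=contoso,DC=com"   # assumed OU
$groupName = "HelpDesk"                     # assumed group

# Well-known schema GUIDs: the Reset Password extended right and the user class.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# One ACE: Allow the ExtendedRight "Reset Password", applied to descendant
# objects of class user only. The OU itself gains no right, and no other
# attribute of the users becomes writable (least privilege for the help desk).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the ACEs on the OU that grant Reset Password to the group.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $resetPasswordRight -and
                   $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights,
                 InheritanceType, InheritedObjectType -AutoSize
```

Running the verification step periodically against sensitive OUs is also a cheap way to detect delegations that were never intended.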
OUs are also used to collect objects—computers and users—that are configured similarly. Just about any configuration you can make to a system can be managed centrally through a feature of Active Directory called Group Policy. Group Policy allows you to specify security settings, deploy software, and configure operating system and application behavior without ever touching a machine. You simply implement your configuration within a GPO.
GPOs are collections of hundreds of possible configuration settings, from user logon rights and privileges to the software that is allowed to run on a system. A GPO is linked to a container within Active Directory—typically an OU, but it can also be a domain or even a site—and all the users and computers beneath that container are affected by the settings contained in the GPO.
You will likely see Group Policy referred to on the 70-290 exam. The important things to remember about Group Policy are that it is a tool that can centrally implement configuration; that some settings apply to computers only and some settings apply to users only; and that the only computers or users that will be affected by a policy are those that are beneath the OU to which the policy is linked.
As suggested earlier in this section, Active Directory is a large and complex topic that deserves significant examination if you are going to implement Windows Server 2003 as a domain controller. The following Microsoft Press titles are recommended reading:
■ Active Directory for Microsoft Windows Server 2003 Technical Reference
■ MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure