You should know the following facts about Active Directory:
- Active Directory is based on the LDAP (Lightweight Directory Access Protocol) standard.
- Active Directory uses DNS for locating and naming objects.
- The tree root domain is the highest-level domain in a tree (a tree root domain can also be the forest root domain).
- A tree is a group of domains based on the same name space.
- Domains in a tree:
  - Are connected with a two-way transitive trust.
  - Share a common schema.
  - Have common global catalogs.
- The schema defines the attributes of the objects in a tree.
- The forest root domain is the first domain created in the Active Directory forest.
- There are dedicated and regional forest root domains.
- Container objects are designed to contain other objects, either other containers or leaf objects.
- Domain container objects can contain Organizational Unit (OU) container objects.
- First level OUs can be called parents.
- Second level OUs can be called children.
- OUs can contain other OUs or any type of leaf object (e.g., users, computers, printers).
- You cannot assign rights and permissions to OUs (an OU is not a security principal).
- You can assign GPOs (Group Policy Objects) to OUs.
- An Active Directory site is one or more well-connected, highly-reliable, fast TCP/IP subnets.
- All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).
- A site link cost is a value assigned to a site link; replication uses it to prefer faster links over slower ones. The higher the site link cost, the slower the link is assumed to be.
- Domain controllers are servers that contain copies of the Active Directory database that can be written to. Domain controllers participate in replication.
- The Active Directory database is partitioned and replicated.
- There are four types of Active Directory database partitions:
  - Domain
  - Configuration
  - Schema
  - Application
- Users find objects in Active Directory by querying the database.
- The first domain controller installed in the forest automatically becomes the global catalog server for that domain.
Installation Facts
You should know the following facts about Active Directory installation:
- Active Directory requires the following:
  - TCP/IP running on the servers and clients.
  - A DNS server with SRV record support.
  - Windows 2000 or Windows Server 2003 operating systems.
- After installing Windows 2003, you can install Active Directory using the Dcpromo command.
- Members of the Domain Admins group can add domain controllers to a domain.
- Members of the Enterprise Admins group can perform administrative tasks across the entire network, including:
  - Change the Active Directory forest configuration by adding/removing domains. (New domains are created when the first domain controller is installed. Domains are removed when the last domain controller is uninstalled.)
  - Add/remove sites.
  - Change the distribution of subnets or servers in a site.
  - Change site link configuration.
Advanced Installation Facts
If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory structure, you must first prepare Active Directory for the installation by taking the following steps:
- Apply Service Pack 2 or later on all domain controllers.
- Back up your data.
- On the schema master for the forest, disconnect the server from the network and run Adprep /forestprep.
- Reconnect the server and wait at least 15 minutes (or as long as half a day or more) for synchronization to occur.
- If Active Directory has multiple domains, or if the infrastructure master for the domain is on a different server than the schema master, run Adprep /domainprep on the infrastructure master for the domain.
Keep in mind the following facts about using Adprep:
- To run /forestprep, you must be a member of the Schema Admins or Enterprise Admins group.
- To run /domainprep, you must be a member of the Domain Admins or Enterprise Admins group.
- If you have a single domain, and the infrastructure master is on the same server as the schema master, you do not need to run /domainprep (/forestprep performs all necessary functions to prepare Active Directory).
You should know the following facts about Active Directory advanced installations:
- Installing from a replica media set will create the initial Active Directory database using a backup copy and then replicate in any changes since the backup. This prevents a lot of the replication traffic that is normally created on a network when a server is promoted to a domain controller.
- To rename domain controllers, the domain functional level must be at least Windows 2003 (this means all domain controllers must be running Windows 2003).
Installation Tools
You can use the following tools to troubleshoot an Active Directory installation:
| Tool | Description |
| --- | --- |
| Directory Services log | Use Event Viewer to examine the log. The log lists informational, warning, and error events. |
| Netdiag | Run from the command line. Tests domain controller connectivity (in some cases, it can make repairs). |
| DCDiag | Analyzes domain controller states and tests different functional levels of Active Directory. |
| Dcpromo log files | Located in the %Systemroot%\Debug folder. Dcpromoui.log gives a detailed progress report of Active Directory installation and removal. Dcpromos.log is created when a Windows NT 3.x or NT 4 domain controller is promoted. |
| Ntdsutil | Can remove orphaned data or a domain controller object from Active Directory. |
You can also check the following settings to begin troubleshooting an Active Directory installation:
- Make sure the DNS name is properly registered.
- Check the spelling in the configuration settings.
- Ping the computer to verify connectivity.
- Verify the domain name to which you are authenticating.
- Verify that the username and password are correct.
- Verify the DNS settings.
Backup and Restore Facts
You should know the following facts about backup and restore:
- When you reboot after restoring, Active Directory replication replicates changes.
- Items restored non-authoritatively will be overwritten during replication.
- Use an authoritative restore to restore deleted objects. Objects will be replicated back to other domain controllers on the network.
- Use a nonauthoritative restore to get the DC back online. Items will replicate from other DCs after the restored DC goes back online.
- Active Directory data is restored by restoring the System State data. You cannot selectively restore Active Directory objects from the backup media.
- To restore objects that were added to deleted OUs, move the objects from the LostAndFound container. No restore of objects is necessary.
- Make sure you perform backups more often than the tombstone lifetime setting in Active Directory. For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least every 9 days. If your backup interval is larger than the tombstone lifetime, your Active Directory backup can be viewed as expired by the system.
Microsoft gives the following as the best practice procedure for restoring Active Directory from backup media:
- Reboot into Active Directory restore mode (Directory Services Restore Mode). Log on using the restore-mode password you specified during setup (not a domain account).
- Restore the System State data from backup to its original location and to an alternate location.
- Run Ntdsutil to mark the entire Active Directory database (if you're restoring the entire database) or specific Active Directory objects (if you're only restoring selected Active Directory objects) as authoritative.
- Reboot normally.
- Restore Sysvol contents by copying the Sysvol directory from the alternate location to the original location to overwrite the existing Sysvol directory (if you're restoring the entire database). Or, copy the policy folders (identified by GUID) from the alternate location to the original location to overwrite the existing policy folders.
You should know the following facts about Sysvol restoration:
- Sysvol is the shared system volume on all domain controllers.
- Sysvol stores scripts and Group Policy objects for the local domain and the network.
- The default location for Sysvol is %Systemroot%\Sysvol.
- To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from an alternate location over the existing Sysvol directory. Or, copy the Sysvol policy folders from the alternate location over the original location. (This maintains the integrity of the Group Policy of the computer.)
Security Facts
You should know the following facts about security principals:
- A security principal is an account holder who has a security identifier.
- The Active Directory migration tool allows you to move objects between domains.
- Objects moved to a new domain get a new SID in the target domain.
- The Active Directory migration tool creates a SID history for the moved object.
- The SID history lets an object moved to a new domain keep its original SID alongside the new one, so permissions granted to the original SID still apply.
You should know the following information pertaining to identifiers:
| Identifier | Description |
| --- | --- |
| GUID | Globally Unique Identifier. A 128-bit number guaranteed to be unique across the network. Assigned to objects when they are created. An object's GUID never changes (even if the object is renamed or moved). |
| SID | Security Identifier. A unique number assigned when an account is created. Every account is given a unique SID. The system tracks the account by its SID rather than by its user or group name. A deleted account that is recreated is given a different SID. The SID is composed of the domain SID and a unique RID. |
| RID | Relative Identifier. Unique among all the SIDs in a domain. Handed out by the RID master. |
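The SID/RID relationship and the SID history behaviour described in the two sections above, modelled as an added example (not from the original notes): a SID is split into its domain SID and RID, a migrated principal receives a new SID while the old one is kept in its SID history, and an access check honours either. All SID values are constructed samples.

```python
"""Model of SID = domain SID + RID, and of SID history after a domain move.

Added example; the domain SIDs and RIDs used here are made-up samples.
"""
from dataclasses import dataclass, field


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID).

    The RID is the final sub-authority; everything before it is the
    domain SID shared by every account in that domain.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a valid SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def build_sid(domain_sid: str, rid: int) -> str:
    """Compose an account SID from the domain SID and a RID issued for it."""
    return f"{domain_sid}-{rid}"


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two accounts belong to the same domain when their domain SIDs match."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


@dataclass
class Principal:
    """A security principal: its current SID plus any SIDs kept in SID history."""
    sid: str
    sid_history: list[str] = field(default_factory=list)

    def effective_sids(self) -> set[str]:
        return {self.sid, *self.sid_history}


def migrate(principal: Principal, new_domain_sid: str, new_rid: int) -> Principal:
    """Move a principal to another domain the way the migration tool does:
    a new SID is issued in the target domain and the old SID goes into history."""
    return Principal(sid=build_sid(new_domain_sid, new_rid),
                     sid_history=[principal.sid, *principal.sid_history])


def is_granted(principal: Principal, acl_sids: set[str]) -> bool:
    """Access check: an ACL entry matches the current SID or any historical SID."""
    return bool(principal.effective_sids() & acl_sids)
```

A recreated account (a fresh `Principal` with a new RID and no history) is denied by `is_granted` even though it carries the same name, which is the practical meaning of "a deleted account that is recreated is given a different SID".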
Group Facts
Active Directory defines three group scopes. The scope determines which domains on the network you can draw members from, where the group's permissions are valid, and which groups you can nest inside it.
| Scope | Description |
| --- | --- |
| Global groups | Used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest. |
| Domain local groups | Used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its own domain. Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides. |
| Universal groups | Used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal groups are available only at the Windows 2000 Native or Windows Server 2003 domain functional level. |
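The membership and permission rules from the scope table above, encoded as a checker so that a proposed nesting can be validated before it is attempted. This is an added example, not from the original notes; the domain names, group names and accounts are constructed samples.

```python
"""Group-scope nesting and permission rules, as a checker.

Added example. The rule table is transcribed from the three-scope
description; domains and principals are made-up samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdObject:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "domain_local" or "universal"


# For each group scope: which member kinds are allowed, and whether that
# member must come from the group's own domain (True) or may come from
# any domain in the forest (False).
NESTING_RULES = {
    "global": {"user": True, "computer": True, "global": True},
    "domain_local": {"user": False, "computer": False, "global": False,
                     "universal": False, "domain_local": True},
    "universal": {"user": False, "computer": False, "global": False,
                  "universal": False},
}


def can_add_member(group: AdObject, member: AdObject) -> tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group`."""
    if group.kind not in NESTING_RULES:
        return False, f"{group.name} is not a group"
    rules = NESTING_RULES[group.kind]
    if member.kind not in rules:
        return False, f"a {group.kind} group cannot contain a {member.kind}"
    if rules[member.kind] and member.domain != group.domain:
        return False, (f"a {group.kind} group may only contain "
                       f"{member.kind} members from its own domain ({group.domain})")
    return True, "ok"


def can_grant_in_domain(group: AdObject, resource_domain: str) -> bool:
    """Whether a group of this scope may be used in an ACL in `resource_domain`."""
    if group.kind == "domain_local":
        return resource_domain == group.domain
    return group.kind in ("global", "universal")
```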
Built-in Groups
Windows domain controllers include several built-in domain local groups, each of which has predefined rights. These groups are automatically created on domain controllers, and are placed in the Built-in folder in Active Directory Users and Computers.
| Built-in Group | Description |
| --- | --- |
| Administrators | Full control over the computer, with every available right in the system, including the Take ownership of files or other objects right. This is the only built-in group that automatically has all rights. |
| Server Operators | Share folders and back up files and folders. |
| Backup Operators | Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings. |
| Account Operators | Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups. |
The basic best practices for user and group security are:
- Create groups based on users' and administrators' needs.
- Assign user accounts to the appropriate groups.