What is a Directory?

The term "directory" means a container for some sort of information; for example, a telephone directory contains telephone numbers and other addressing information. Windows NT's directory, also called the SAM (Security Accounts Manager database), contained user, group and machine accounts. This was a single-master database, which essentially means that the database could be edited at one machine only: the Primary Domain Controller, or PDC. This database was replicated to Backup Domain Controllers (BDCs) on a regular schedule. The BDCs maintained a read-only copy of the directory.

By contrast, Windows 2000 has a multi-master directory service. Domain controllers are neither primary nor backup, but simply controllers. Changes can be made to any instance of the database, and the replication process handles this transparently.

In Windows NT, the domain was the unit of administration, a geographic boundary and a replication boundary. This presented designers with problems, and typically more domains were created than were required, simply to work around limitations of the NT directory structure. In Windows 2000, the domain can still be all of those things, but it is also possible to delegate administration within a domain to other containers called OUs, so a domain need not be an administrative boundary. Replication is handled between sites, and a site is a geographic area, so the domain is no longer a geographic or replication boundary. The Windows 2000 directory service simplifies things for the network designer by allowing a greater degree of flexibility.

In this unit we will look more closely at Active Directory, covering planning and design issues, implementation, maintenance and troubleshooting.

Domains
The domain is the basic building block of our Windows 2000 enterprise network. By default it functions as an administrative boundary, a replication boundary and a geographic boundary. A domain consists of at least one domain controller, and this machine will typically be the first on the network. Any Windows 2000 Server machine can be promoted to a domain controller (DC) at any time using the DCPROMO command.

Multiple Domains

Trees
In Windows 2000, once you have created a domain, other domains can be linked to it to create an enterprise network simply by defining the relationship between them. In the graphic above, once the comsurf.co.uk domain had been created, the Glasgow.comsurf.co.uk domain could be created, defining the latter as a child domain of the former.
As you add domains and establish their parental relationships (thereby creating trusts), you are building a domain tree. A domain tree is a group of domains with a contiguous namespace: in this case, all domains share a common root.

Forests
As the enterprise network grows, it may be desirable to create more than one tree. In this situation you will already have built at least the root, or first, domain of one tree. As you add your next domain, you indicate that it has no appropriate parent within the current tree and that you are adding a new tree. This creates a forest of trees. A forest of trees shares a common root and a common schema, but has a non-contiguous namespace. This arrangement is typical only for very large organisations, and is desirable where a certain degree of interoperability is required but most administrative functions need to be kept separate. A trust relationship binds the top-level domains together, so that comsurf trusts bootkamp and vice versa. Because the trust is a two-way transitive link, all sub-domains trust all other sub-domains within the forest, so once again a user account anywhere in the forest could be granted access to a resource anywhere else in the forest.

Organisational Units (OUs)
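The tree, forest and trust structure described above, as an added example (this is not code from the original page). It groups a list of DNS domain names into trees by contiguous namespace, links each tree root to the forest root with a two-way transitive trust, and then finds the chain of trusts along which an account in one domain could be granted access in another. Only comsurf.co.uk and its Glasgow child come from the page; london.comsurf.co.uk, bootkamp.com, training.bootkamp.com and every function name are this example's own assumptions.

```python
"""Model of Windows 2000 domain trees, forests and transitive trusts.

Added example, not code from the original page: it models the structure
the text describes (contiguous-namespace trees, tree roots bound to the
forest root by two-way transitive trusts). The domain list is constructed:
comsurf.co.uk and its Glasgow child come from the page, the other names
(london.comsurf.co.uk, bootkamp.com, training.bootkamp.com) and all
function names are this example's own.
"""
from collections import deque


def is_child_of(child: str, parent: str) -> bool:
    """True when `child` sits directly below `parent` in the DNS namespace."""
    c, p = child.lower().strip("."), parent.lower().strip(".")
    if not c.endswith("." + p):
        return False
    # exactly one extra label: "glasgow.comsurf.co.uk" is a child of
    # "comsurf.co.uk", but not of "co.uk"
    return "." not in c[: -len(p) - 1]


def build_trees(domains):
    """Group domains into trees by contiguous namespace.

    Returns {tree_root: [member domains]}. A tree root is a domain with
    no parent in the list; the forest root is whichever tree was created
    first, which the model is told explicitly.
    """
    names = sorted({d.lower().strip(".") for d in domains})
    parent_of = {d: next((p for p in names if is_child_of(d, p)), None) for d in names}

    def root(d):
        while parent_of[d] is not None:
            d = parent_of[d]
        return d

    trees = {}
    for d in names:
        trees.setdefault(root(d), []).append(d)
    return trees


def trust_graph(domains, forest_root):
    """Adjacency of two-way transitive trusts.

    Parent<->child trusts exist inside every tree, and every additional
    tree root is trusted by (and trusts) the forest root.
    """
    forest_root = forest_root.lower().strip(".")
    trees = build_trees(domains)
    if forest_root not in trees:
        raise ValueError(f"{forest_root} is not a tree root")
    graph = {d: set() for members in trees.values() for d in members}

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for tree_root, members in trees.items():
        for d in members:
            for p in members:
                if is_child_of(d, p):
                    link(d, p)
        if tree_root != forest_root:
            link(tree_root, forest_root)
    return graph


def trust_path(graph, source, target):
    """Chain of domains along which an account in `source` can be granted
    access to a resource in `target`; None when no trust path exists
    (for example a domain that is not part of the forest at all)."""
    source, target = source.lower(), target.lower()
    if source not in graph or target not in graph:
        return None
    prev = {source: None}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def forest_wide_reach(domains, forest_root):
    """For each domain, the set of other forest domains an account there
    could be granted access to. With transitive trusts this is every other
    domain in the forest: the forest, not the domain, is the trust boundary."""
    graph = trust_graph(domains, forest_root)
    return {d: {o for o in graph if o != d and trust_path(graph, d, o)} for d in graph}


# constructed forest: two trees, comsurf.co.uk created first (forest root)
FOREST = ["comsurf.co.uk", "glasgow.comsurf.co.uk", "london.comsurf.co.uk",
          "bootkamp.com", "training.bootkamp.com"]
FOREST_ROOT = "comsurf.co.uk"

if __name__ == "__main__":
    g = trust_graph(FOREST, FOREST_ROOT)
    print(trust_path(g, "training.bootkamp.com", "glasgow.comsurf.co.uk"))
    for dom, reach in forest_wide_reach(FOREST, FOREST_ROOT).items():
        print(f"{dom}: trusts {len(reach)} other forest domains")
```

The point for a designer reviewing a proposed layout is the last function: with two-way transitive trusts, every domain in the forest can grant access to accounts from every other domain, so separating administration by domain does not separate trust. A domain that is deliberately kept out of the forest (passed to `trust_path` but absent from the list) yields no path at all.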
With Windows 2000, the domain can be divided into Organisational Units, each of which has a separate administrator; some or all of the administrative tasks can then be delegated to users within the OU. OUs can be given names that reflect their geographic location, their departmental structure (as above) or any other scheme the designer thinks appropriate. Computers, users and groups can easily be moved between OUs.
Sites
The Active Directory Wizard
Just "Next".
We are installing the first domain controller.
Again, we are installing a first domain controller, and for this domain we need to create a new domain tree. Example: below, I will call my domain "JHHOME.COM". If I were now to create a second domain called "SUPPORT.JHHOME.COM", it would be part of the same domain tree as JHHOME.COM.
As in nature, trees usually grow in a forest, and using this comparison we need to define the forest for our domain tree. In general, each new top-level domain name (like JHHOME.COM) would be a new forest. Since this is our first domain, we need to create a new "forest" for our "domain tree" (which is then the only tree in our forest). (Here is a difference compared to nature: one tree is just one tree and not a forest, but with computers it is just a matter of definition.)
It is now required to define the name of the new domain. As I was used to from Windows 9x and Windows NT4 networking, I selected the name of the workgroup to become the name of my new domain. However, note the exact wording of the message: "Full DNS name for new domain". As you are used to seeing with Internet domain names, a network domain name should now have a second part, separated by a dot.
To avoid problems, I am redefining my domain name to be "JHHOME.COM", which looks like an Internet domain name. (I am not sure, but if you insist on using no "dot-something", Windows 2000 will itself add ".DOM".) It does NOT matter whether this name is already registered and in use on the Internet, because you will be using it only on your own network; as long as you do not register this domain name as an Internet domain name, it will NOT be known to Internet users.
While a network with ONLY Windows 2000 systems can work using only DNS, any network with "legacy" versions of Windows (WfW, Windows 95/98/ME, Windows NT4) requires the use of "NetBIOS", either over the "NetBEUI" protocol or as "NetBIOS over TCP/IP", for which I need to define a NetBIOS-compatible domain name. Here I can now use the name of the workgroup which I would like to change into a domain.
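The two names the wizard asks for in the steps above (the full DNS domain name and the NetBIOS-compatible domain name), as an added example that is not part of the original page. `check_dns_domain_name` encodes the rule the text gives, that the "Full DNS name for new domain" needs a dot-separated second part, together with standard DNS label syntax; the NetBIOS functions derive a default NetBIOS name as the first DNS label, upper-cased and cut to the 15-character NetBIOS limit, and flag names that would collide after truncation. That DCPROMO proposes exactly that default is an assumption of this example, as are all function names and sample names.

```python
"""Checks on the two domain names the Active Directory wizard asks for.

Added example, not from the original page. check_dns_domain_name encodes
the rule the text gives (the "Full DNS name for new domain" needs a
dot-separated second part) plus standard DNS label syntax; the NetBIOS
functions derive the default NetBIOS domain name as the first DNS label,
upper-cased and cut to 15 characters (15 is the NetBIOS name length limit;
that DCPROMO proposes exactly this default is an assumption, check it
against your own wizard). All sample names are constructed; function
names are this example's own.
"""
import re

# one DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
NETBIOS_MAX = 15
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')


def check_dns_domain_name(name: str):
    """Return a list of problems with a proposed DNS domain name (empty = OK)."""
    problems = []
    n = name.strip().rstrip(".")
    labels = n.split(".")
    if len(labels) < 2 or not all(labels):
        problems.append('needs a dot-separated second part, e.g. "JHHOME.COM" rather than "JHHOME"')
    if len(n) > 255:
        problems.append("longer than 255 characters")
    for lab in labels:
        if lab and not LABEL_RE.match(lab):
            problems.append(f'label "{lab}" is not a valid DNS label')
    return problems


def default_netbios_name(dns_name: str) -> str:
    """Default NetBIOS domain name: first DNS label, upper-cased, 15 chars max."""
    first = dns_name.strip().split(".")[0].upper()
    return first[:NETBIOS_MAX]


def check_netbios_name(name: str):
    """Problems with a NetBIOS domain name chosen by hand (empty = OK)."""
    problems = []
    if not name or len(name) > NETBIOS_MAX:
        problems.append(f"must be 1-{NETBIOS_MAX} characters")
    bad = sorted(set(name) & NETBIOS_FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def netbios_collisions(dns_names):
    """Map each default NetBIOS name that more than one DNS domain would get
    to those domains. NetBIOS domain names must be unique on the network,
    and truncation to 15 characters can make distinct DNS names collide."""
    claimed = {}
    for d in dns_names:
        claimed.setdefault(default_netbios_name(d), []).append(d)
    return {nb: ds for nb, ds in claimed.items() if len(ds) > 1}


if __name__ == "__main__":
    # constructed sample names
    for candidate in ("JHHOME", "JHHOME.COM", "-bad.example"):
        print(candidate, check_dns_domain_name(candidate) or "OK")
    print(default_netbios_name("SUPPORT.JHHOME.COM"))
    print(netbios_collisions(["europeansupport1.jhhome.com",
                              "europeansupport2.jhhome.com", "jhhome.com"]))
```

The collision check is the one worth keeping around when a tree grows: two long child-domain names that differ only after their fifteenth character get the same default NetBIOS name, and the second promotion then has to be given a different one by hand.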
You need to define the location of the database and log file for the Active Directory. (On my system I did not have 200 Mbyte of free disk capacity on my C: system drive, so I was required, i.e. forced, by the installation wizard to store this information on a different drive.)
Remember the window with the information on the Active Directory stating the need for an NTFS partition? At this point, the "SYSVOL" folder must be placed on an NTFS disk partition. The SYSVOL folder will later be visible as part of the "Network Neighborhood" or "My Network Places" and will contain user-specific files; to be able to control access to these files, that partition must be NTFS (since it is not possible to define access rights on a FAT partition).
Active Directory is based on using a DNS server. Since I had not yet installed or configured a DNS server, it is now required to install one. Unless you are an expert on DNS server setup, please follow the recommendation of the wizard and let the wizard install the DNS server now.
Again the question: will you have a network with some "legacy" systems (i.e. all pre-Windows 2000 systems, like Windows 95/98/ME/NT4)?
Let's hope that we will never have to use this password for a restore operation...
The summary of all the information collected in the previous steps. Selecting "Next" now will start the installation of the Active Directory and of the DNS server.
You may have to be patient now for a LONG time: please, just WAIT!
It will need to install DNS.
You may have to insert your Windows 2000 CD-ROM or point the wizard to the installation files on disk (if you copied them from the CD-ROM to an I386 folder, as is often done on NT installations).
Finished!
You need to restart!