Introducing Active Directory
Ever since the introduction of Windows 2000, Active Directory has been the heart of Windows-based domains. Just about every administrative task you'll perform will affect Active Directory in some way. Active Directory technology is based on standard Internet protocols and has a design that helps you clearly define your network's -structure.
Active Directory and DNS
Active Directory uses Domain Name System (DNS). DNS is a standard Internet service that organizes groups of computers into domains. DNS domains are organized into a hierarchical structure. The DNS domain hierarchy is defined on an Internet-wide basis, and the different levels within the hierarchy identify computers, organizational domains, and top-level domains. DNS is also used to map host names, such as zeta.microsoft.com, to numeric Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, such as 192.168.19.2. Through DNS, an Active Directory domain hierarchy can also be defined on an Internet-wide basis or the domain hierarchy can be separate and private.
When you refer to computer resources in this type of domain, you use the fully qualified domain name (FQDN), such as zeta.microsoft.com. Here, zeta represents the name of an individual computer, microsoft represents the organizational domain, and com is the top-level domain. Top-level domains (TLDs) are at the base of the DNS hierarchy. TLDs are organized geographically, by using two-letter country codes, such as CA for Canada; by organization type, such as com for commercial organizations; and by function, such as mil for U.S. military installations.
Normal domains, such as microsoft.com, are also referred to as parent domains. They have this name because they're the parents of an organizational structure. You can divide parent domains into subdomains, which you can then use for different offices, divisions, or geographic locations. For example, the fully qualified domain name for a computer at Microsoft's Seattle office could be designated as jacob.seattle.micro-soft.com. Here, jacob is the computer name, seattle is the subdomain, and microsoft.com is the parent domain. Another term for a subdomain is a child domain.
As you can see, DNS is an integral part of Active Directory technology—so much so, in fact, that you must configure DNS on the network before you can install Active Directory. Working with DNS is covered in Chapter 20, "Optimizing DNS."
With Windows Server 2008, you install Active Directory in a two-part process. First, you add the Active Directory Domain Services role to the server using the Add Role Wizard. Then, you run the Active Directory Installation Wizard (click Start, type dcpromo in the Search field, and then press Enter). If DNS isn't installed already, you will be prompted to install DNS. If there isn't an existing domain, the wizard helps you create a domain and configure Active Directory in a new domain. The wizard can also help you add child domains to existing domain structures. To verify that a domain controller is installed correctly, you can:
- Check the Directory Service event log for errors.
- Ensure that the Sysvol folder is accessible to clients.
- Verify that name resolution is working through DNS.
- Verify the replication of changes to Active Directory.
Note In the rest of this chapter I'll often use the terms directory and domains to refer to Active Directory and Active Directory domains, respectively, except when I need to distinguish Active Directory structures from DNS or other types of directories.
Read-Only Domain Controller Deployment
As discussed in Chapter 1, "Windows Server 2008 Administration Overview," domain controllers running Windows Server 2008 can be configured as read-only domain controllers (RODCs). When you install the DNS Server service on an RODC, the RODC can act as a read-only DNS server (RODNS server). In this configuration, the following conditions are true:
- The RODC replicates the application directory partitions that DNS uses, including the ForestDNSZones and DomainDNSZones partitions. Clients can query an RODNS server for name resolution. However, the RODNS server does not support client updates directly because the RODNS server does not register resource records for any Active Directory-integrated zone that it hosts.
- When a client attempts to update its DNS records, the server returns a referral. The client can then attempt to update against the DNS server that is provided in the referral. Through replication in the background, the RODNS server will then attempt to retrieve the updated record from the DNS server that made the update. This replication request is only for the changed DNS record. The entire list of changed zone or domain data is not replicated during this special request.
The first Windows Server 2008 domain controller installed in a forest or domain cannot be an RODC. However, you can configure subsequent domain controllers as read-only. For planning purposes, keep the following in mind:
- Prior to adding Active Directory Domain Services (AD DS) for the first time to a server that is running Windows Server 2008 in a Windows Server 2003 or Windows 2000 Server forest, you must update the schema on the schema operations master in the forest by running adprep /forestprep.
- Prior to adding AD DS for the first time to a server that is running Windows Server 2008 in a Windows Server 2003 or Windows 2000 Server domain, you must update the infrastructure master in the domain by running adprep /domainprep /gpprep.
- Prior to installing AD DS to create your first RODC in a forest, you must prepare the forest by running adprep /rodcprep.
Windows Server 2008 with Windows NT 4.0
Windows Server 2008 domain functions are not designed to interoperate with Windows NT 4.0 domain functions. Domain controllers that are running Windows NT Server 4.0 are not supported with Windows Server 2008. Servers running Windows NT Server 4.0 are not supported by domain controllers that are running Windows Server 2008. Because of these interoperability issues, you should take the following actions:
- Upgrade domain controllers running Windows NT Server 4.0 prior to deploying any computers running Windows Server 2008.
- Upgrade all computers running Windows NT Server 4.0 prior to deploying any domain controllers running Windows Server 2008.
You can upgrade Windows NT Server 4.0 to Windows 2000 Server or Windows Server 2003. It is important to remember that a Primary Domain Controller (PDC) emulator operations master is still required when you upgrade all computers running Windows NT Server 4.0.
© Microsoft. All Rights Reserved.