Contents
Overview 1
Multimedia: Concepts of Active Directory in Windows 2000 2
Introduction to Active Directory 3
Active Directory Logical Structure 9
Active Directory Physical Structure 15
Methods for Administering a Windows 2000 Network 19
Review 24

Module 1: Introduction to Active Directory in Windows 2000


Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, FrontPage, IntelliMirror, PowerPoint, Visual Basic,
Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT (USA) Inc.),
Bhaskar Sengupta (NIIT (USA) Inc.)
Lead Program Manager: Paul Adare (FYI TechKnowlogy Services)
Program Manager: Gregory Weber (Volt Computer Services)
Technical Contributors: Jeff Clark, Chris Slemp
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert
Copy Editor: Kaarin Dolliver (S&T Consulting)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Courseware Test Engineers: Jeff Clark, H. James Toland III
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)

Online Support: David Myka (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Irene Barnett (S&T Consulting)
Manufacturing Manager: Rick Terek
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Gerry Lang, Julie Truax
Group Product Manager: Robert Stewart


Module 1: Introduction to Active Directory in Windows 2000 iii


Instructor Notes
This module provides students with an introduction to implementing and administering Microsoft® Windows® 2000 Active Directory directory services. The module provides a foundation for the course by introducing the concepts of the Active Directory directory service and its logical and physical structures. This module also provides an overview of how Active Directory enables the centralized management and decentralized administration of a Windows 2000 network.
At the end of this module, students will be able to:
• Describe the function of Active Directory.
• Describe the logical structure of Active Directory.
• Describe the physical structure of Active Directory.
• Describe the methods of administering a Windows 2000 network.

Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2154A_01.ppt
• The multimedia file AdConcep.avi, Concepts of Microsoft Windows 2000 Active Directory
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• View the multimedia presentation, Concepts of Microsoft Windows 2000 Active Directory, under Multimedia Presentations on the Web page on the Trainer Materials compact disc.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read the white paper, Active Directory Architecture, on the Student Materials compact disc.
Presentation: 60 Minutes
Labs: 00 Minutes


Module Strategy
Use the following strategies to present this module:
• Introduction to Active Directory
In this topic, you will introduce Windows 2000 Active Directory. Begin by illustrating to students the purpose of Active Directory as a network directory service. Explain the purpose of Active Directory objects and their attributes. Discuss the Active Directory schema, and emphasize how Lightweight Directory Access Protocol (LDAP) is used to communicate with Active Directory.
• Active Directory Logical Structure
In this topic, you will introduce the logical structure of Active Directory. Begin by illustrating the purpose of domains in Active Directory. Explain how organizational units (OUs) can be used to group objects into a logical hierarchy within a domain and to delegate administrative control over those objects. Illustrate how domains are combined into trees and forests that share network resources and administrative functions. Discuss the global catalog and how it is used to find information about directory objects and to log on to the network.
• Active Directory Physical Structure
In this topic, you will introduce the physical structure of Active Directory. Begin by illustrating how domain controllers store and replicate the directory, and distinguish the changes that can be made on any domain controller (multi-master replication) from the operations master roles that only a single domain controller holds. Explain the concept of sites as physically discrete objects, and emphasize how they optimize replication and logon traffic.
• Methods for Administering a Windows 2000 Network
In this topic, you will introduce the methods for administering a Windows 2000 network. Begin by explaining how Active Directory and Group Policy can be used to centralize management of network resources. Discuss how Group Policy is used to manage the user environment. Emphasize the purpose of delegating administrative control of objects and of customizing administrative tools to support that delegation.



Overview
• Introduction to Active Directory
• Active Directory Logical Structure
• Active Directory Physical Structure
• Methods for Administering a Windows 2000 Network

In a Microsoft® Windows® 2000 network, the Active Directory directory service provides the structure and functions for organizing, managing, and controlling network resources. To implement and administer a Windows 2000 network, you must understand the purpose and structure of Active Directory.
Active Directory also provides the capability to centrally manage your Windows 2000 network. This capability means that you can centrally store information about the enterprise, and administrators can manage the network from a single location. Active Directory supports the delegation of administrative control over Active Directory objects. This delegation enables administrators to assign specific administrative permissions for objects, such as user or computer accounts, to other users and administrators.
At the end of this module, you will be able to:
• Describe the function of Active Directory.
• Describe the logical structure of Active Directory.
• Describe the physical structure of Active Directory.
• Describe the methods for administering a Windows 2000 network.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the purpose and structure of Active Directory, the directory service in Windows 2000.


Multimedia: Concepts of Active Directory in Windows 2000

This multimedia presentation describes basic Active Directory concepts, such as organizational units (OUs), trees, forests, DNS naming conventions, and sites.
Slide Objective: To introduce the multimedia presentation about the concepts of Active Directory in Windows 2000.
Lead-in: Before we get started, let's look at a multimedia presentation that introduces the important concepts of Active Directory.
Start this presentation from the instructor computer. To view the presentation, open the Web page on the Trainer Materials compact disc, click Multimedia Presentations, and then click the title of the presentation.
The estimated time to complete this presentation is seven minutes.
Tell students that a copy of the presentation is included on the Student Materials compact disc.



Introduction to Active Directory
• What Is Active Directory?
• Active Directory Objects
• Active Directory Schema
• Lightweight Directory Access Protocol (LDAP)

Active Directory stores information about resources on the entire network and makes it easy for users to locate, manage, and use these resources. Active Directory is made up of multiple components. You should understand the components and how to use them to administer Active Directory.
Slide Objective: To introduce Active Directory.
Lead-in: Active Directory stores information about resources on the entire network.


What Is Active Directory?
[Slide: Directory Service Functionality: organize, manage, and control resources. Centralized Management: single point of administration; full user access to directory resources by a single logon.]

Active Directory is the directory service in a Windows 2000 network. A directory service is a network service that stores information about network resources and makes the resources accessible to users and applications. Directory services provide a consistent way to name, describe, locate, access, manage, and secure information about these resources.
Directory Service Functionality
Active Directory provides directory service functionality, including a means of centrally organizing, managing, and controlling access to network resources. Active Directory makes the physical network topology and protocols transparent, so that a user on a network can gain access to any resource, such as a printer, without knowing where the resource is or how it is physically connected to the network.
Active Directory is organized into partitions (naming contexts) that permit storage of a very large number of objects. As a result, Active Directory can expand as an organization grows: an organization that starts with a single server and a few hundred objects can grow to thousands of servers and millions of objects.
Centralized Management
A server running Windows 2000 stores system configuration, user profiles, and application information in Active Directory. Combined with Group Policy, Active Directory enables administrators to manage distributed desktops, network services, and applications from a central location while using a consistent management interface.
Active Directory also provides centralized control of access to network resources: a user logs on once and can then reach every resource throughout Active Directory that the user has been granted permission to use. The single logon does not bypass the permissions set on individual resources; it only removes the need to authenticate to each resource separately.
Slide Objective: To illustrate the purpose of Active Directory as a network directory service.
Lead-in: Active Directory stores information about resources in a Windows 2000 network and makes the resources accessible to users and applications.
Key Points: Active Directory provides directory service functionality, including a means of centrally organizing, managing, and controlling access to network resources. Active Directory enables administrators to manage distributed desktops, network services, and applications from a central location while using a consistent management interface.


Active Directory Objects
[Slide: Objects represent network resources; attributes store information about an object. Example objects in Active Directory: Users (Suzan Fine, Don Hall) with the attributes First Name, Last Name, and Logon Name; Printers (Printer1, Printer2, Printer3) with the attributes Printer Name and Printer Location. Each attribute holds a value.]

Active Directory stores information about network objects. Active Directory objects represent network resources, such as users, groups, computers, and printers. Moreover, all servers, domains, and sites in the network are also represented as objects. Because Active Directory represents all network resources as objects in a distributed database, a single administrator can centrally manage and administer these resources.
When you create an object, the properties, or attributes, of that object store the information that describes the object. Users can locate objects throughout Active Directory by searching for specific attribute values. For example, a user can locate a printer in a specific building by searching on the Location attribute of printer objects.
Slide Objective: To identify the purpose of Active Directory objects.
Lead-in: Active Directory objects represent network resources, such as users, groups, computers, and printers.
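To make the Location search concrete, here is an added example that is not part of the course material: it builds the LDAP search filter that such a lookup would send to Active Directory. It assumes the printQueue object class and its location attribute, which are the names Active Directory uses for printer objects; the function names and the sample search terms are constructed for this example. The security point it shows is that a value taken from a user must be escaped before it is placed in a filter, otherwise the user can change what the search matches.

```python
# Added example: building an LDAP filter to find printers by Location.
# Not part of the course material. Assumes the Active Directory printQueue
# class and its location attribute; the sample values below are constructed.

PRINTER_CLASS = "printQueue"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    RFC 4515 reserves '*', '(', ')', '\\' and NUL inside filter values.
    Each is replaced by a backslash and two hex digits, so the value is
    matched literally instead of being parsed as filter syntax.
    """
    reserved = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(reserved.get(ch, ch) for ch in value)


def printer_location_filter_unsafe(location: str) -> str:
    """Vulnerable form: the user-supplied value is pasted straight into the
    filter. A value such as '*)(objectClass=*' turns the query into
    (&(objectClass=printQueue)(location=*)(objectClass=*)), which matches
    every printer that has any location at all."""
    return "(&(objectClass=%s)(location=%s))" % (PRINTER_CLASS, location)


def printer_location_filter(location: str) -> str:
    """Hardened form: the value is escaped, so it can only match literally."""
    return "(&(objectClass=%s)(location=%s))" % (
        PRINTER_CLASS, escape_filter_value(location))


def printer_building_filter(building: str) -> str:
    """Prefix search for every printer whose Location starts with a building
    name. The trailing wildcard is added by this code, not by the user, so
    it sits outside the escaped value and keeps its wildcard meaning."""
    return "(&(objectClass=%s)(location=%s*))" % (
        PRINTER_CLASS, escape_filter_value(building))


if __name__ == "__main__":
    # Constructed inputs: a normal search term and an injection attempt.
    for term in ("Building 42", "*)(objectClass=*"):
        print("unsafe:  ", printer_location_filter_unsafe(term))
        print("escaped: ", printer_location_filter(term))
    print("prefix:  ", printer_building_filter("Building 42"))
```

The same escaping rule applies to any attribute value that reaches a filter from outside, not only printer locations; the only characters that may keep their special meaning are the ones the program itself adds, as in printer_building_filter.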


Active Directory Schema
[Slide: Object class examples: Printers, Computers, Users. Attribute examples (list of attributes): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName. Attributes of Users might contain: accountExpires, department, distinguishedName, middleName. The Active Directory schema is: dynamically available; dynamically updateable; protected by DACLs.]

The Active Directory schema contains the definitions of all objects, such as computers, users, and printers, that are stored in Active Directory. In Windows 2000, there is only one schema for an entire forest, so all objects created in Active Directory conform to the same rules.
The two types of definitions in the schema are object classes and attributes. Object classes describe the possible directory objects that can be created. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes but is defined only once in the schema, which ensures consistency.
The Active Directory database stores the schema. Storing the schema in the database means that the schema:
• Is dynamically available to user applications, which means that user applications can read the schema to discover which objects and properties are available for use.
• Is dynamically updateable, which enables an application to extend the schema with new attributes and object classes and then use these schema extensions as soon as the change has replicated and the domain controllers have refreshed their schema cache.
• Can use discretionary access control lists (DACLs) to protect all object classes and attributes. The use of DACLs allows only authorized users to make schema changes; by default, those are the members of the Schema Admins group, and the changes can be made only on the domain controller that holds the schema operations master role.
Because a class or attribute that has been added to the schema can be deactivated but not deleted, treat schema changes as permanent and keep membership in Schema Admins to the minimum needed.
Slide Objective: To identify the purpose of the schema in Active Directory.
Lead-in: The Active Directory schema defines all Active Directory objects.


Lightweight Directory Access Protocol (LDAP)
• LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
• LDAP naming paths include:
  - Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
  - Relative distinguished names, for example CN=Suzan Fine



Lightweight Directory Access Protocol (LDAP) is the directory service protocol that is used to query and update Active Directory. LDAP names an object by a sequence of naming components, in Active Directory a series of domain components, OUs, and common names, which together form the LDAP naming path of the object within Active Directory. LDAP naming paths are used to access Active Directory objects and include the following:
• Distinguished names
• Relative distinguished names

Distinguished Name
Every object in Active Directory has a distinguished name. The distinguished name identifies the domain where the object is located and the complete path by which the object is reached. Because it is a path, the distinguished name changes when the object is moved to another container or renamed: it identifies where an object currently is rather than serving as a permanent identifier for it. An example of a typical distinguished name is:
CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft

Key  Attribute            Description
DC   Domain Component     A component of the DNS name of the domain, such as contoso or msft.
OU   Organizational Unit  An organizational unit that can be used to contain other objects.
CN   Common Name          Any object other than domain components and organizational units, such as user and computer objects.

Slide Objective: To identify the LDAP naming paths for objects in Active Directory.
Lead-in: LDAP is the protocol that is used for accessing Active Directory.
Use the illustration on the slide to explain to the class the concepts of distinguished and relative distinguished names.


Relative Distinguished Name
The LDAP relative distinguished name is the portion of the LDAP distinguished name that uniquely identifies the object within its parent container: the leftmost component, consisting of an attribute type and a value. Because only the parent container is assumed, the same relative distinguished name can appear in different containers (two OUs can each hold a user whose relative distinguished name is CN=Suzan Fine), but it cannot appear twice in the same container. A client that has established a search base deeper in the tree refers to objects beneath that base by correspondingly shorter names, but the relative distinguished name proper is always this single leftmost component. In the preceding example, the relative distinguished name of the Suzan Fine user object is CN=Suzan Fine.
The following table provides examples of distinguished names and their relative distinguished names.

Distinguished name                                     Relative distinguished name
OU=Sales,DC=contoso,DC=msft                            OU=Sales
CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft              CN=Suzan Fine
CN=Judy Lew,OU=Shipping,DC=europe,DC=contoso,DC=msft   CN=Judy Lew


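The following added example, which is not part of the course material, parses distinguished names of the form shown in the tables above and derives from each the relative distinguished name, the parent container, and the DNS name of the domain from the DC components. It goes slightly beyond the examples in the text by handling values that contain an escaped comma, which the LDAP string representation of distinguished names allows. The function names and the sample names are constructed for this example.

```python
# Added example: parsing Active Directory distinguished names.
# Not part of the course material; the sample names are constructed.
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name into its components, leftmost first.

    A comma separates components unless it is escaped with a backslash,
    so 'CN=Fine\\, Suzan,OU=Sales,...' yields 'CN=Fine\\, Suzan' as its
    first component. Escape sequences are kept verbatim here and are
    decoded by unescape_value().
    """
    components, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            components.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current).strip())
    return components


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'CN=Suzan Fine' into the attribute type and the (still escaped) value."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError("not an attribute=value component: %r" % rdn)
    return attr.strip(), value.strip()


def unescape_value(value: str) -> str:
    """Decode backslash escapes in a value: '\\,' -> ',' and '\\2c' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                out.append(chr(int(nxt, 16)))   # \XX hex escape
                i += 3
            else:
                out.append(value[i + 1])         # \<char> escape
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_of(dn: str) -> str:
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent_of(dn: str) -> str:
    """Distinguished name of the container that holds the object."""
    return ",".join(split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC components, in order, into the DNS name of the object's domain."""
    return ".".join(unescape_value(v) for a, v in map(parse_rdn, split_dn(dn))
                    if a.upper() == "DC")


if __name__ == "__main__":
    # Constructed sample names, including one with an escaped comma.
    for dn in ("CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft",
               "CN=Judy Lew,OU=Shipping,DC=europe,DC=contoso,DC=msft",
               "CN=Fine\\, Suzan,OU=Sales,DC=contoso,DC=msft"):
        print(dn)
        print("  RDN:    ", rdn_of(dn))
        print("  parent: ", parent_of(dn))
        print("  domain: ", domain_dns_name(dn))
```

Note that rdn_of returns the whole component, CN=Suzan Fine, and parse_rdn separates the attribute type from the value; code that splits on commas without honouring the backslash escape would break a name such as CN=Fine\, Suzan into two components and mis-identify both the object and its container.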