Implementing and Administering a Windows 2000 Directory Services Infrastructure

This exam has been retired. For a complete list of retiring Microsoft exams, click here.

The videos in this exam pack will prepare you to implement and administer a Windows 2000 directory services infrastructure.

All trademarks and copyrights are the property of their respective holders.
1. Intro to Active Directory (26 min)
2. Configuring DNS for Active Directory (24 min)
3. Active Directory Domains (38 min)
4. Active Directory Sites (22 min)
5. Managing the Operations Masters (24 min)
6. Creating and Configuring an OU Structure (17 min)
7. Delegation of Control through Active Directory (24 min)
8. Publishing Resources in the Active Directory (17 min)
9. Intro to Group Policy (34 min)
10. Using Group Policy to Manage the Desktop Environment (20 min)
11. Using Group Policy to Deploy Applications (29 min)
12. Using Group Policy to Optimize Security (21 min)
13. Managing the Active Directory Database (26 min)
14. Managing Active Directory Replication (26 min)

Intro to Active Directory


Introduction to Active Directory. With Windows NT, we had the concept of domains. So we have our NT domain here, where we have our PDC and one or more BDCs, primary domain controller or backup domain controller. And these domain controllers would maintain a database of users and groups of users, so multiple users.


Now, this database of users we called our Windows NT directory. And our Windows NT directory services was how we managed the users and groups within our domain. Now, we also kind of threw in there-- well, we've also got some computers, so we manage the computers.


We don't exactly do it the same way. With the users and groups, we're going to use User Manager for Domains. So we've got that one tool that lists all of our different users, all of our different groups. With the computers, we've got Server Manager, and that listed all of our different computers.


We also have maybe some printers, so we've got Printer Manager, and that lists all of our different printers. We've got shared resources out there, so let's open up our Network Neighborhood. We see our different servers. We can double-click through the server and find the shared resources.


So you see with Windows NT, we have all this information that we need to try to keep a handle on. We need to try to organize it, manage it, control it. But it's kind of located in all these different places. So with Windows 2000, we have our Windows 2000 domain, and there might be some subdomains underneath that domain.


There might be a noncontiguous domain over here. We'll talk about the different structures within Windows 2000. But now we still have our users. We still have our groups of users. We still have our computers. We have our shared resources. We have our printers.


But now, all of these objects that we need to keep a handle on, that we need to manage, that we need to control, that we need to present in an organized fashion to the users or to the administrators all fall within the Windows 2000 Active Directory. So what is a directory, then?


What is a directory service? Well, a directory service is sort of like the Yellow Pages. It's going to list information, and it's going to provide that information in a nice, organized, controlled way to a target audience. So it provides that information, and with information, we try to control what's going on, we try to organize, and we try to manage.


So let's look at Active Directory, a definition of the Active Directory. The Active Directory is a directory service. It's a very good directory service. It stores information about the different network resources that we have, and I've got some examples here that we've been talking about, of network resources, users, groups, computers, printers, shared resources.


So we're storing information about these different network resources. And here's the bottom line. The Active Directory provides a single point for organization, management, and control. So now we're going to talk about how within the Active Directory, we can have organization, management, and control-- how we facilitate these three concepts within our directory service.


Let's talk about how we provide organization with the Active Directory. We provide for organization primarily in two different ways-- number one, with our ability to do these extensive, very powerful searches on the Active Directory, and number two, with our ability to create what's called an organizational unit.


An organizational unit is a container by which we can group different network resources that we want to manage in a similar fashion. When we're searching the Active Directory, we've got over here our Windows 2000 structure, a few domains, and we're going to look at this entire thing as the Active Directory, our entire Windows 2000 organization.


Well, our Windows 2000 Active Directory can have literally millions of objects, and each object can have a number of attributes associated with that object. Let's say that we have a user account where we've got the first name, the last name, the phone number, the cell number, the pager number, et cetera.


So we've got millions of objects, attributes for each object. Yet we can log on anywhere, and we can search for any object or any attribute throughout the entire Active Directory. Now, the way that we do these extensive searches is with a function called the Global Catalog.


Now, if we're looking for something within our own domain here, we can just search against our Active Directory and our domain controllers that exist here, have the information for the objects within this domain. They provide us the answer. But let's say that we're going to search for the pager number of this user down here.


We do this search. The search gets forwarded to this computer that is serving the function of a global catalog server. The global catalog server has all of the objects within the Active Directory but not all the attributes for every object. So maybe it only has a few of the attributes, some of the most commonly accessed attributes.


So if we're looking for an attribute that is commonly accessed, then right away we get our answer from our global catalog server. If not, the global catalog server refers us to the appropriate domain. We do a search against the domain controller. Down here we find our information.


So as a user, we have huge amounts of functionality to be able to search through the different network resources that exist in our domain. But we also have the ability to search as an administrator. So we can search for a different type of network resource to be able to set the properties for it, to manage it, to control it, to just do some network administration on that particular network resource.


With our organizational units here, we have the ability to group items together. That may not sound like a big thing, but let's talk about our Windows NT domain. And if we have, let's say 5,000 users, we've got a list of 5,000 users. We scroll through a list of 5,000 users to try to find the user we want to manage, open up its properties, and we manage that particular user account.


With Windows 2000-- let's take a look at our Active Directory here-- we see that our users and groups are created by default in this container called "Users." But let's say that I want to manage these particular users separately. I can create what's called an "organization unit." Let's say that this is my sales department.


I create a sales organizational unit, and now let's say that I want to have this salesman existing within the sales organizational unit. Maybe this computer is a sales computer. Maybe a certain group that we've created is a sales group. So what I'm doing here is I'm centralizing my sales resources into the sales organizational unit.


Now, by putting my users, computers, groups, printers, shared resources, et cetera, into the same organizational unit, what I can do is I can say I want to manage these particular types of network resources as a group. So maybe there's a sales administrator that I give permissions to the sales organizational unit so that he or she can manage these objects.


Maybe I want to apply a group policy to the sales organizational unit, where we are going to standardize desktops within the sales department a certain way. Maybe we want to deploy software just within the sales organizational unit, a sales application.


So the ability to have this containerized version of our Active Directory objects is very strong, as we'll see here when we get to the manage and control features of the Active Directory and we start talking more about the group policy, and delegating control to these organizational units.


Now, when we talk about the ability to organize with these organizational units, we're not only talking about for the administrator. Granted, there's huge benefits for the administrator, and probably the advantages are heavily weighted toward the administrator rather than the user.


But we can also, let's say, create maybe a shared folder or the representation of a printer within our sales organizational unit. And now, if a user within the sales division of our company searches the Active Directory within their own organizational unit, they'll find the representation for the different printers and shared resources that exist for their benefit.


So they don't have to go to the, let's say, network neighborhood, try to figure out what server or what share name is set up for them. They can just go to their Active Directory sales container and search throughout it for any published resources that have been published by the administrator for their use.


Let's talk about how we can manage and control with our Active Directory. In our discussion of management and control, we really have to start with Group Policy. Group Policy, we'll see, is a major concept within Windows 2000. In fact, it's one of the core themes that runs through Windows 2000 that makes for such an incredibly flexible and usable network directory service.


What we have, basically, with our group policy is a set of procedures or instructions or rules. So I like to think of it like disciplining children. If you have children, and you have, let's say, one child that is five, one child that is 16, well, you've got different sets of rules that apply to the five-year-old than apply to the 16-year-old.


For a five-year-old, you don't go to R-rated movies. You go to bed at this time. You're allowed to play with this toy, and here it is, et cetera. So you have different rules that you've set up. And these are your five-year-old rules. So we've got our five-year-old rules here, and we have maybe our 16-year-old rules over here.


We take these preconfigured sets of rules that we've developed for someone who is five years old, and we apply them to our five-year-old. We say, OK, you're allowed to do this, this, and this because that's what the five-year-old rules say. The 16-year-old can do this, this, and this because that's what the 16-year-old rules say.


So with our group policy, then, we're developing these different group policy objects. And within the group policy object, we can do not only standardization-- so we can say, you have this desktop, you have this screensaver, you have this restriction-- we can also deploy software.


So we could say, you have this software that you're allowed to use, and here you go. Here's how you get it. We can also set security. We say, you have these rights on the operating system. We have a very, very large amount of flexibility within the establishment of these rules.


And then once we establish these rules, we apply them to the appropriate people. So within our Active Directory, then, let's say that we have established a set of rules or a group policy object that we want to apply to this particular sales container.


Well, when we apply the group policy to this sales container, then everything that is within that group policy applies to these particular objects, so these computers, these users. So we decide that we want a standardized background. We want this level of security.


We want this software to be deployed. We apply those within our Group Policy to the sales organizational unit. So we're managing and controlling, then, by developing the group policies and then applying them to the appropriate locations within the Active Directory.


We can also manage and control through the Active Directory by setting properties or permissions on our different objects within the Active Directory. So let's say that we are back here in the Active Directory in our sales organizational unit. If I open up the Daniel J. Charbonneau user account, going through my Active Directory to get to this particular user account, I can set the groups that this user belongs to.


I can set the phone number. I can set any number of properties for this particular user. So I've got address, account, et cetera. So I can set the different properties for this particular user. We can go set up a roaming profile or a mandatory profile, going through the Active Directory to get to the properties for this particular user.


I can set the permissions on these different objects so that you only see or have access or availability to the objects within the Active Directory that the administrator decides. For example, let's say that we were to set permissions on this organizational unit so that one user has the ability to reset passwords throughout all this organizational unit.


Let's say that we create a shared resource. Let's say we have a shared folder out there, and we want to publish that shared folder to our Active Directory. So maybe it's a data folder, and the path to it is, let's say, nugget backslash data. Now you can go to your Active Directory, search through your Active Directory, and you can find that data folder and access your actual folders and files through this publishing of that resource, sort of like a shortcut to that actual data shared folder.


Well, I can set permissions on that particular object. First, we have to look at our advanced properties here. What I can do is make it so that only certain users are able to see that shared data folder. So unlike the other shares that we create, where we're creating it in the file system, and we either make it a hidden share or not a hidden share, and if it's not a hidden share, everyone can see it.


If it is a hidden share, we have to know the exact name of it. Now we can create a shared folder, and we can set permissions on who is able to see that particular shared folder. So we could say, hey, only users within the sales organizational unit will be able to see that shared folder.


So we're managing and controlling through the Active Directory, again, by setting properties or permissions on our different objects. And then we talked about delegating control. I can make it so that one user has control of certain objects or certain organizational units within the Active Directory.


So the Active Directory, again, is a directory service, stores information about our different network resources, provides a single point of access for organization, for management, for control. Let's talk about a few more concepts that deal with Active Directory, just as a way to familiarize yourself a little bit more with what it is.


And the first one is the concept of physical versus logical. There is a physical structure of the Active Directory, and there's a logical structure of the Active Directory. Most of the time, we're talking about the logical structure. When we're talking about domains, when we're talking about forests, trees.


When we're talking about organizational units, we're talking about the logical structure, so how we look at it, how we manage it, how we think about it, how we organize it. We're talking about our logical structure. But we also have a physical structure associated with the Active Directory.


Now, we haven't talked at all about network bandwidth, about network traffic, about whether or not it's efficient to have an Active Directory spread out across multiple computers, multiple buildings, or around the world. The physical structure of Active Directory addresses those concerns.


Now, within the physical structure of Active Directory, we've got the concept of sites. Now, the sites have nothing to do with the domains. You can have 10 domains in one site. You can have 10 sites in one domain. It doesn't matter. The sites are set up solely to optimize your network traffic.


And let's talk about how we would do that. Let's go to a new diagram here. OK, you've got a certain network that you work with, and you know that you've got this building over here, and you've got a network within it, and it's all high-speed. You've got another building over here that's got a high-speed network within it, and you've got maybe two buildings over here that have a high-speed network all throughout both of these two buildings, so maybe high speed between these two.


But you know that you have low speed, low speed, low speed. So connecting everything is 56k links. So what we want to do is we want to be able to set up areas of known high bandwidth, and we're calling these areas of known high bandwidth "sites." So we say, OK, we know that everything within here is high bandwidth, so we're going to create one site.


So we have site number one. We know everything here is an area of high bandwidth. We don't have any low-bandwidth concerns as long as we stay within these boundaries. That will be site two. And we know that if we stay within these two buildings, we have no bandwidth concerns.


Everything is high bandwidth. Site three. So the ability to set up these sites lets us have a more efficient network because we're able to do two things. Number one, we're able to make sure that a domain controller within a site validates a client within a site.


And number two, we're able to schedule and compress replication traffic that goes between sites. So let's say that this is all one big, happy Windows 2000 domain. If we didn't set up sites, our client would be authenticated wherever throughout our network.


Our replication traffic would happen automatically, all the time, and it would not be compressed, so we would end up saturating all three of these 56k-link lines. So with our sites, clients here authenticate to domain controllers here. Clients here are authenticated to domain controllers here, et cetera.


And then whenever we send replication traffic between the sites, we can say, hey, only send it every three hours, and when you send it, compress it, so we are making the most of these low-bandwidth links. So our physical structure, then, what we're dealing with is trying to optimize our network traffic by trying to determine what are the areas that we know are high-bandwidth areas.


And then between the high-bandwidth areas, we want to develop these site connectors so that we can control the traffic that goes between the sites. So we have the concept of physical versus logical, then. Remember, physical, optimizing traffic. Logical, how we're managing, how we're organizing, how we're looking at things, so the domains, the organizational units, the trees, the forests, et cetera.


The next thing I want to talk about is the DNS structure. Now, you may know that the Windows 2000 domain name looks just like a DNS domain name. So you may be thinking, well, is it a DNS domain name, or is it a Windows 2000 domain name? Well, the answer is it's the same format, but here we have our DNS structure, where we do our domain name resolution.


And we've got our root servers, and we've got our servers at the .com, et cetera. So we got our whole DNS structure over here. Over here we've got our Windows 2000 structure, which looks like the DNS structure but is not the DNS structure. It's the Windows 2000 structure.


It uses the exact same naming to develop the names for the Windows 2000 domains as the DNS domain names, just so that we can have maximum interoperability, or, another way to put it, maximum usage of our Windows 2000 structure within the internet. So as I'm developing my Windows 2000 domain structure, I can call this "cbtnuggets." My domain name is cbtnuggets.


Now I need some type of domain locator service. So we have our WINS database-- Windows Internet Naming Service, where we can resolve NetBIOS names. So we'll resolve that cbtnuggets NetBIOS domain name to an IP address of the domain controllers, we'll find the domain controllers, we'll log in.


Well, why don't we just scrap WINS, call this cbtnuggets.com, and just use DNS, because we already have DNS servers that are registering records for DNS cbtnuggets.com? So we already have a server out there that is supporting the cbtnuggets.com domain, DNS domain.


We already have an A record that says, when you want to surf to www.cbtnuggets.com, go to this particular computer. Well, why not just add more records to the DNS database? So we could say, well, when you want to access the Windows 2000 Active Directory, go to this server.


When you want to access the Global Catalog, go to this server. So what we're doing is we're expanding our use of the domain naming system so that we can fit our Windows 2000 domain structure within that domain naming system for name resolution alone.


We still have two totally separate structures, but we're taking advantage of the DNS name resolution to be able to find the different Windows 2000 Active Directory services within our Windows 2000 Active Directory. So the ultimate example of complete flexibility is we have cbtnuggets.com registered on the internet.


So we go to the internet, we said we want to register cbtnuggets.com-- that's our domain name-- and our DNS server is this particular DNS server. That DNS server has records for, let's say, the web server, like we talked about, but also the Windows 2000 services.


Now, Joe User here goes anywhere in the entire world where he can access the internet, and he can log into the cbtnuggets.com Windows 2000 Active Directory because he can find the Windows 2000 Active Directory from anywhere in the world, because he can get to the root DNS server and do that DNS resolution to the point where we get to the cbtnuggets.com DNS server, which will point us to the Windows 2000 Active Directory.


So now we can log in, we can use our Windows 2000 domain, from anywhere in the world. Now, we're still able to set permissions and security and firewalls, et cetera, so we're not opening up this big Pandora's box. But what we are doing is just giving ourselves, if we want it, the ability to have just extreme flexibility with logging into and using our Windows 2000 resources.


The last thing I want to talk about with this Introduction to the Active Directory is the Active Directory schema. We said that the Active Directory is a directory service, kind of like the Yellow Pages. We say it stores information. We say it provides a single point for organization, management, and control.


Well, it is also a distributed database, a database of objects, and these objects have certain attributes. That database, when we're looking at it from a database perspective, we call the Active Directory schema. So our Active Directory schema, then, that database, is where we contain all of our different objects and then the attributes for each object.


Now, that schema is available to users, it's available to administrators, it's available to applications. So we can have applications such as Microsoft Exchange Server 2000 that when we load them on the hard drive over here, they can actually modify that Active Directory schema.


Now, that gives us a lot of power because what we can do is we can take our user account object and add a few more attributes, add some Exchange-specific attributes, so what is your X.400 e-mail address, what is your SMTP email address, et cetera. So we have the concept of the Active Directory schema, which is the database, the definition of that database.


And we can modify that Active Directory schema with different applications that we load so that we can make it more flexible, more suited to our unique environment. In this CBT Nugget, we talked about the Active Directory, Introduction to. We talked about what it is, how to organize, manage and control through the Active Directory.


We talked about the physical versus the logical structure of the Active Directory. How it fits in with the DNS name resolution, and then a little bit about the Active Directory schema. I hope this has been informative for you, and I'd like to thank you for viewing.
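The DNS-based domain locator and the site-aware authentication the video describes, as an added example that is not part of the original video or of CBT Nuggets' material. The zone data is constructed; the SRV record names are the ones the Windows 2000 DC locator registers and queries (not stated in the transcript), and the site-then-domain fallback and the dangling-target check are this example's own logic.

```python
from collections import defaultdict

# Constructed zone fragment (sample data, not from the page) for the
# cbtnuggets.com example domain. The SRV names are the ones the Windows 2000
# DC locator queries:
#   _ldap._tcp.dc._msdcs.<domain>                every domain controller
#   _ldap._tcp.<site>._sites.dc._msdcs.<domain>  the DCs of one site
#   _gc._tcp.<forest>                            global catalog servers (3268)
#   _kerberos._tcp.dc._msdcs.<domain>            KDCs (port 88)
# Field order is the usual zone-file one: name TTL class SRV prio weight port target.
ZONE = """
www.cbtnuggets.com.                               3600 IN A   192.0.2.10
dc1.cbtnuggets.com.                               3600 IN A   192.0.2.11
dc2.cbtnuggets.com.                               3600 IN A   192.0.2.12
dc3.cbtnuggets.com.                               3600 IN A   192.0.2.13
_ldap._tcp.dc._msdcs.cbtnuggets.com.               600 IN SRV 0 100 389 dc1.cbtnuggets.com.
_ldap._tcp.dc._msdcs.cbtnuggets.com.               600 IN SRV 0 100 389 dc2.cbtnuggets.com.
_ldap._tcp.dc._msdcs.cbtnuggets.com.               600 IN SRV 0 100 389 dc3.cbtnuggets.com.
_ldap._tcp.site1._sites.dc._msdcs.cbtnuggets.com.  600 IN SRV 0 100 389 dc1.cbtnuggets.com.
_ldap._tcp.site2._sites.dc._msdcs.cbtnuggets.com.  600 IN SRV 0 100 389 dc2.cbtnuggets.com.
_gc._tcp.cbtnuggets.com.                           600 IN SRV 0 100 3268 dc1.cbtnuggets.com.
_kerberos._tcp.dc._msdcs.cbtnuggets.com.           600 IN SRV 0 100 88 dc4.cbtnuggets.com.
"""


def parse_zone(text):
    """Return ({name: ip}, {name: [(prio, weight, port, target), ...]})."""
    a_records, srv_records = {}, defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        name, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        if rtype == "A":
            a_records[name] = fields[4]
        elif rtype == "SRV":
            prio, weight, port = (int(x) for x in fields[4:7])
            srv_records[name].append((prio, weight, port, fields[7].rstrip(".").lower()))
    return a_records, srv_records


def locator_name(role, domain, site=None):
    """Build the SRV owner name a client queries for a DC, GC or KDC."""
    service = {"dc": "_ldap._tcp", "gc": "_gc._tcp", "kdc": "_kerberos._tcp"}[role]
    suffix = domain if role == "gc" else "dc._msdcs." + domain
    if site:
        return f"{service}.{site}._sites.{suffix}".lower()
    return f"{service}.{suffix}".lower()


def locate(zone_text, role, domain, site=None):
    """Resolve a role to [(host, ip, port)], preferring the client's own site.

    A client that knows its site asks for that site's records first (so it
    authenticates locally, as the video describes) and only falls back to
    the domain-wide set when no DC is registered for the site. Entries are
    ordered by priority (lowest first), then weight (highest first); real
    resolvers pick among equal priorities by weighted random choice.
    """
    a_records, srv_records = parse_zone(zone_text)
    answers = srv_records.get(locator_name(role, domain, site), []) if site else []
    if not answers:
        answers = srv_records.get(locator_name(role, domain), [])
    ordered = sorted(answers, key=lambda r: (r[0], -r[1], r[3]))
    return [(target, a_records.get(target), port) for _, _, port, target in ordered]


def check_zone(zone_text):
    """Flag SRV records whose target has no A record: a client that picks
    one cannot reach a DC, which surfaces as slow or failed logons."""
    a_records, srv_records = parse_zone(zone_text)
    return sorted(
        f"{name} -> {target} has no A record"
        for name, recs in srv_records.items()
        for _, _, _, target in recs
        if target not in a_records
    )
```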

6 hrs 14 videos