Active Directory confusion?

matt37

Junior Member
Jan 18, 2005
19
0
0
In what instances I have to install Active Directory?

When I create a new domain?
When I create a new forest?
When I promote a server to be a Domain Controller?

When? I am confused!!!


Can I have more than 1 Active Directory in the forest?

Please explain.

Thank you

 

BlitzRommel

Golden Member
Dec 13, 1999
1,529
0
0
There's only one instance of AD; you're just adding computers that can contribute to/administer the database when making multiple domain controllers. :)
 

ITJunkie

Platinum Member
Apr 17, 2003
2,512
0
76
www.techange.com
You can have multiple child domains but I think you can only have one "root forest" domain.
Something like:
example.com (root)
ca.example.com (child)...etc.

As far as installing, if you want everyone to have to log in to a domain (central accounts) you will need an AD. If you are going to run Exchange 2000/+, you will need an AD domain. If you are just looking for a workgroup file server then you do not necessarily need a domain.

Hope this helps.
 

matt37

Junior Member
Jan 18, 2005
19
0
0
OK.
So if I promote a w2k server to a DC and create a new child domain (in an already existing root domain), I don't need another Active Directory in this child domain????

I will kill Bill Gates someday.
 

ITJunkie

Platinum Member
Apr 17, 2003
2,512
0
76
www.techange.com
Originally posted by: matt37
OK.
So if I promote a w2k server to a DC and create a new child domain (in an already existing root domain), I don't need another Active Directory in this child domain????

I will kill Bill Gates someday.

Correct...you can add another DC if you wish for redundancy but you don't have to. Just run dcpromo and it will ask if you want to create a child-domain or bring it up as just another DC in the forest.

Unless there is a need to run a child domain, your life will be much easier if you just make it a DC in the root. This way, you avoid single point of failure.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I will kill Bill Gates someday.

Or you just read one of the hundreds of Active Directory design and administration books out there. Or go to microsoft.com/technet and read.

Asking questions on a forum is not the way to learn basic Active Directory concepts.
 

alent1234

Diamond Member
Dec 15, 2002
3,915
0
0
AD is nothing more than marketing speak for Microsoft's LDAP implementation.

That's one thing I don't like about MS: they make up stupid marketing names for technology that are more confusing than useful.
 

ktwebb

Platinum Member
Nov 20, 1999
2,488
1
0
Originally posted by: STaSh
I will kill Bill Gates someday.

Or you just read one of the hundreds of Active Directory design and administration books out there. Or go to microsoft.com/technet and read.

Asking questions on a forum is not the way to learn basic Active Directory concepts.

Word.
 

rbrandon

Banned
Oct 10, 2002
423
0
0
Originally posted by: alent1234
AD is nothing more than marketing speak for Microsoft's LDAP implementation.

That's one thing I don't like about MS: they make up stupid marketing names for technology that are more confusing than useful.

Spoken like a true anti MS zealot who doesn't have a clue.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I think you have it a bit off. When you promote the first server to DC, it creates the forest. You can have other domains in the same forest that are not child domains.

For example, you make example.com, and it makes the example.com forest. You can now make example2.com in the example.com forest, but it is not a child domain to the example.com domain. If you make child.example.com then it is a child domain.

Confused yet? Good.


Really, most of Active Directory is a rip from LDAP, which is a rip from X.500, which was probably ripped from somewhere. I actually welcomed the move to AD, as it makes more sense than the old PDC/BDC NT craptastic stuff.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
You can have other domains in the same forest that are not child domains

BTW, those are called trees.

:)

The really confusing thing to wrap your head around is that there is still a root domain, even though you now have two domains at the same level in the forest. So if you were to look at a diagram of the structure, you would have two domains at the 'root' level, but only one is the root domain (the first one that was installed).
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I thought they were both root domains, but the forest took on the name of the first root domain. So you had
domain2 and domain1, both in the "domain1" forest.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
You can only have one forest root domain. You can have two trees in the forest, each consisting of one domain (corp.local, othercorp.local). Each of those trees has a 'root' but only the first domain that was installed is the actual forest root domain.

This is a big distinction because the forest root is where the Enterprise Admins and Schema Admins groups are located, and the DN of the forest root domain is what is used to locate the Schema and Configuration partitions. Which domain is the forest root domain cannot be changed, but you can rename the forest root domain (as long as the FFL is 2003 and there are no Exchange servers that are pre-2003 SP1).

Having two trees in a single forest gives you a non-contiguous namespace, but the shared schema and configuration partitions are what tie them together.

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Also, you can find out which domain is the forest root by dumping the rootDSE attributes for any domain in the forest. The rootDSE is an imaginary object that represents the root of the directory tree from the point of view of the DC you are connected to. Below the root of the tree is the actual root domain of that tree.

To dump the rootDSE attributes, you can use ldp.exe. Go to the connections menu, click connect, enter the name of a DC and hit OK. In the right pane, the rootDSE attributes will be listed. The one that shows which domain is the Forest Root is rootDomainNamingContext.
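As an added example (not from anyone in this thread), the same rootDSE attributes, collected from one DC per domain, are enough to tell the forest root, its child domains and any separate trees apart; the dumps below are constructed, not captured from a real DC, and the attribute names are the standard rootDSE ones.

```python
# Added example, not from the thread: classify a forest's domains from the rootDSE
# attributes of one DC per domain (the attributes ldp.exe lists in its right pane). The dumps
# are constructed: forest root corp.local, its child ca.corp.local, and othercorp.local as a second tree.
ROOTDSE_DUMPS = [
    "defaultNamingContext: DC=corp,DC=local\n"
    "rootDomainNamingContext: DC=corp,DC=local\n"
    "configurationNamingContext: CN=Configuration,DC=corp,DC=local\n"
    "schemaNamingContext: CN=Schema,CN=Configuration,DC=corp,DC=local\n",
    "defaultNamingContext: DC=ca,DC=corp,DC=local\n"
    "rootDomainNamingContext: DC=corp,DC=local\n"
    "configurationNamingContext: CN=Configuration,DC=corp,DC=local\n"
    "schemaNamingContext: CN=Schema,CN=Configuration,DC=corp,DC=local\n",
    "defaultNamingContext: DC=othercorp,DC=local\n"
    "rootDomainNamingContext: DC=corp,DC=local\n"
    "configurationNamingContext: CN=Configuration,DC=corp,DC=local\n"
    "schemaNamingContext: CN=Schema,CN=Configuration,DC=corp,DC=local\n",
]

def parse_rootdse(text):
    """Turn ldp-style 'attribute: value' lines into a dict (first value wins if repeated)."""
    pairs = [line.partition(":") for line in text.splitlines() if ":" in line]
    return {name.strip(): value.strip() for name, _, value in reversed(pairs)}

def dn_parts(dn):
    """Case-normalised RDN list: 'DC=ca,DC=corp,DC=local' -> ['dc=ca', 'dc=corp', 'dc=local']."""
    return [p.strip().lower() for p in dn.split(",")]

def is_ancestor(parent, child):
    """True when child's DN ends with parent's DN, i.e. they share a contiguous namespace."""
    p, c = dn_parts(parent), dn_parts(child)
    return len(c) > len(p) and c[-len(p):] == p

def classify_forest(dumps):
    """Map each domain DN to 'forest root', 'child of <parent DN>' or 'tree root'."""
    parsed = [parse_rootdse(t) for t in dumps]
    # All DCs of one forest report the same forest root, Configuration and Schema NCs;
    # disagreement means the dumps span more than one forest (or came from the wrong DC).
    for attr in ("rootDomainNamingContext", "configurationNamingContext", "schemaNamingContext"):
        if len({tuple(dn_parts(d[attr])) for d in parsed}) != 1:
            raise ValueError("DCs disagree on %s; not a single forest" % attr)
    root, domains = parsed[0]["rootDomainNamingContext"], [d["defaultNamingContext"] for d in parsed]
    result = {}
    for dom in domains:
        parents = [p for p in domains if is_ancestor(p, dom)]  # nearest ancestor = longest DN
        if dn_parts(dom) == dn_parts(root):
            result[dom] = "forest root"
        elif parents:
            result[dom] = "child of " + max(parents, key=lambda p: len(dn_parts(p)))
        else:  # no ancestor anywhere in the forest: this domain heads its own tree
            result[dom] = "tree root"
    return result
```

Only rootDomainNamingContext identifies the forest root; the child-versus-tree distinction comes from whether one domain's DN is a suffix of another's, which is exactly the contiguous/non-contiguous namespace point above.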
 

BlitzRommel

Golden Member
Dec 13, 1999
1,529
0
0
You're regaining your sanity? Then you're not working with AD enough :)

j/k. Active Directory isn't bad at all once you learn how it operates. There are several books I can recommend, but I like the O'Reilly series myself.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: rbrandon
Originally posted by: alent1234
AD is nothing more than marketing speak for Microsoft's LDAP implementation.

That's one thing I don't like about MS: they make up stupid marketing names for technology that are more confusing than useful.

Spoken like a true anti MS zealot who doesn't have a clue.

But he is right. Active Directory is MS's butchering of an already established hierarchy for administration...LDAP.

It's been around for quite a long time.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
He's right that it's an LDAP implementation, that's about it.

If it's such a butchering, why isn't OpenLDAP running away with the directory services market share? Especially since it's free...
 

alent1234

Diamond Member
Dec 15, 2002
3,915
0
0
Reading part of the documentation for OpenLDAP and Sun's LDAP server taught me more about AD than Microsoft's documentation ever did. Why can't they describe GPOs in technical terms instead of putting a stupid layer on top of it?
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Why can't they describe GPOs in technical terms instead of putting a stupid layer on top of it?

http://www.microsoft.com/technet/prodte...7e9f7-2090-4c88-8d14-270c749fddb5.mspx

Expand technology collections and have a look at the group policy section. If that isn't technical enough for you, I don't know what is. Have a look at the other sections in there as well. The sections on AD replication and FRS are extremely low level.

And how does reading OpenLDAP manuals teach you anything about GPOs?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: STaSh
He's right that it's an LDAP implementation, that's about it.

If it's such a butchering, why isn't OpenLDAP running away with the directory services market share? Especially since it's free...

Because MS owns the market and people want single sign-on. That means you use MS for directory services.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Because MS owns the market and people want single sign-on. That means you use MS for directory services.

If people want single sign-on and they feel that AD is a hatchet job of LDAP, then market forces would shift to a better product, especially if it was a FREE product.