70-240 in 15 minutes a week: Introduction to Windows 2000 Server and Active Directory

by ServerWatch Staff

by Dan DiNicolo
Welcome to article 8 in my 70-240 in 15 minutes a week series. This week's article is the first in our look at the Windows 2000 Server portion of the exam - it covers an introduction to both Windows 2000 Server as well as Active Directory concepts. In reviewing my materials and notes, I have decided not to explicitly follow the Microsoft exam preparation guide on a topic-by-topic basis. Quite simply, the Server preparation guide looks like a great big cut-and-paste from the Professional guide, and doesn't give you nearly enough information to be successful on this exam. I am also trying to avoid repeating what has been stated in previous Professional-related articles, so I'll reiterate that you need to know the material from both to find success on either exam. My revised expectation is that the Server portion of the series will run between 5 and 6 articles total.

The material that this article will cover includes:

- Introduction to Windows 2000 Server
- Introduction to Active Directory concepts
- Object Naming
- Active Directory Logical Structure
- Active Directory Physical Structure
- Upgrading a domain to Windows 2000

Introduction to Windows 2000 Server

Windows 2000 Server and Professional are fundamentally quite similar, both in terms of interface and architecture. As such, they often get lumped together when discussed, and for the purpose of the exams, this is very much the case. However, there are a number of fundamental differences between the two. The two main differences between Server and Pro are in terms of optimization as well as services offered. Professional is optimized as a desktop operating system on which one runs user applications, while Server is optimized to service a variety of requests from client systems. In terms of services offered, Server provides many more than Professional, including the ability to run WINS, DNS, Active Directory, and so forth. Since we've already covered the Professional materials, let's begin taking a look at what the Server product itself is all about.

First off, we can't just talk about the Server product, because there are actually three: Windows 2000 Server, Advanced Server, and Datacenter Server. There seems to be some debate over the differences between these three, when in fact the only differences are in terms of scalability and availability. The differences are outlined in the table below:
Edition                          Max RAM   Max CPUs   Clustering?
Windows 2000 Server              4 GB      4          No
Windows 2000 Advanced Server     8 GB      8          Yes - 2-node cluster and 32-node network load balancing
Windows 2000 Datacenter Server   64 GB     32         Yes - 4-node cluster and 32-node network load balancing
Be aware that the minimum supported CPU for Server is a Pentium 133, and the recommended minimum for RAM is 256 MB, although 128 MB is the minimum supported. The scalability elements outlined in the table above are obvious: Advanced and Datacenter Server can use more RAM and CPUs than the basic Server edition. However, both of these editions also support two types of clustering, which are availability technologies.

In a server cluster, more than one server (each called a node) is connected to a common storage device, and the nodes work together as a single system to ensure the availability of mission-critical applications. Should one of the nodes in the cluster fail, the services are still available, since the other nodes continue to handle requests. In a Network Load Balancing (NLB) cluster, client requests are distributed amongst a number of systems that each provide access to the same application. For example, you could have up to 32 servers configured with identical copies of your website, and NLB will distribute requests across the cluster, increasing performance, availability and reliability. Just a note, but any suggestion that Windows 2000 Server cannot act as a domain controller is absolutely false.

Windows 2000 Server also differs from Windows 2000 Professional in the number of incoming client connections it will accept. Windows 2000 Professional supports a maximum of 10 simultaneous connections, while in Windows 2000 Server the number of simultaneous connections supported is based on the number of CALs (client access licenses) available. Much like NT 4, two licensing options exist for a server, Per Server and Per Seat. In Per Server licensing, each simultaneous client connection to that server requires a CAL, while in Per Seat licensing each client computer requires its own CAL, regardless of how many servers it connects to. You can still make a one-time switch from Per Server to Per Seat, but not vice versa. Note that you don't require CALs for Telnet, FTP, or anonymous web server connections.

As in Windows NT, when you install Windows 2000 Server you will be asked whether you wish the system to be part of a workgroup or a domain. If made part of a workgroup, users who log on will be authenticated against the local security database on the server. If made part of a domain, a computer account must be created for the system, either in advance or during the installation process. Note that the decision as to whether or not a computer becomes a domain controller is no longer made as part of the installation process. Unlike NT 4, domain controllers are created after Windows 2000 Server is installed. Promotions to domain controller or demotions to member server can be done without needing to reinstall the operating system.


Introduction to Active Directory concepts

Certainly the biggest single change between Windows NT 4 and Windows 2000 is the inclusion in Windows 2000 of an important new service - Active Directory. Active Directory is the native directory service in Windows 2000. Unlike Windows NT 4, where domains were pretty much stand-alone islands that we connected with trust relationships as necessary, Active Directory is a full-featured directory service.

But what is a directory service? Well, a directory service is actually a combination of two things - a directory, and services that make the directory useful. Simply put, a directory is a store of information, similar to other directories such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth - we call these objects. A directory also stores information about objects, or properties of objects - we call these attributes. For example, attributes stored in a directory for a particular user object would be the user's manager, phone numbers, address information, logon name, password, the groups they are a part of, and more.

To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store of information against which users are authenticated, or as the place we query to find information about an object. I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list of all the user accounts whose first name starts with the letter 'G'. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects - like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. For the Server exam, you'll only need to be familiar with the ideas for the most part.
A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.

Object Naming

Active Directory uses the Lightweight Directory Access Protocol (LDAP) as its primary access protocol. LDAP runs over TCP/IP, and defines a way to reference and access objects between an Active Directory client and server. Under LDAP, every object has a distinct Distinguished Name (DN), and this name distinguishes the object from every other object in Active Directory, while also telling us where the object exists. The main components of a distinguished name are CN (common name), OU (organizational unit) and DC (domain component). The common name identifies an object or the container in which it exists, an OU component identifies an organizational unit on the object's path, and the domain components, read together, spell out the DNS name of the domain within which the object exists. For example, a distinguished name could be as follows:

CN=Dan DiNicolo,CN=Users,DC=win2000trainer,DC=com

In the above example I have a user called Dan DiNicolo, who exists within a container called Users, in the domain win2000trainer.com (the DC components are read most-specific first, just like the labels of a DNS name). The distinguished name of an object must be unique within a given Active Directory forest (more on forests in a bit).

While a distinguished name tells us about the complete context of an object, a relative distinguished name uniquely identifies an object within its parent container. For example, if I were searching within the Users container, the relative distinguished name of the object I identified above would be Dan DiNicolo. 

When a user logs on to an Active Directory domain, two types of names can be provided. The first is the traditional NetBIOS name, referred to in Windows 2000 as the downlevel logon name. This exists for the purpose of backwards compatibility with versions of Windows that rely on NetBIOS for logon functions (such as NT 4, Windows 9x, etc). When using a downlevel logon name ('User logon name (pre-Windows 2000)' in the interface) to log on, the user must provide a username, password, and choose the appropriate domain name that they wish to log on to. The second option, new in Windows 2000, is the ability to log on using what is referred to as a User Principal Name, or UPN. A UPN follows the format user@domain.com (in the interface it is referred to as the User logon name). When this convention is used, a user no longer needs to specify the domain that they wish to log on to. In fact, under Windows 2000, the domain portion of the logon box is grayed out as soon as a UPN is typed. Both names appear side by side on the Account tab of a user account's properties in Active Directory Users and Computers.
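As an added example that is not part of the original article, the following Python code handles the two naming ideas in this section: it parses a distinguished name into its RDN components (honouring LDAP backslash escapes, so a comma inside a common name does not split the DN), derives the relative distinguished name and the parent container, and builds the DNS domain name and a default UPN from the DC components. The names used are the win2000trainer.com examples from this article; the logon name dand is an assumption.

```python
"""Added example: working with LDAP distinguished names as used by Active Directory.

Parses a DN into RDNs, derives the RDN, the parent container, the DNS domain
name from the DC components and a default UPN. Sample names are constructed.
"""
import re
from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value (RFC 2253).
_SPECIAL = ',+"\\<>;='


def split_dn(dn: str) -> List[str]:
    """Split a DN string into its RDN strings.

    Commas separate RDNs, but a comma escaped with a backslash is part of a
    value (e.g. CN=DiNicolo\\, Dan), so a naive str.split(",") is not safe.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape sequence intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'type=value' into (TYPE, value), removing backslash escapes."""
    typ, sep, value = rdn.partition("=")
    if not sep or not typ.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    value = re.sub(r"\\(.)", r"\1", value.strip())
    return typ.strip().upper(), value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as a list of (type, value) pairs, most specific first."""
    return [parse_rdn(r) for r in split_dn(dn)]


def escape_value(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def format_dn(parts: List[Tuple[str, str]]) -> str:
    """Re-assemble (type, value) pairs into canonical DN string form."""
    return ",".join(f"{typ}={escape_value(value)}" for typ, value in parts)


def relative_dn(dn: str) -> str:
    """The RDN: the first component, unique only within the parent container."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (everything after the first RDN)."""
    return format_dn(parse_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components into the DNS name of the domain the object lives in."""
    return ".".join(value for typ, value in parse_dn(dn) if typ == "DC")


def default_upn(sam_account_name: str, dn: str) -> str:
    """Default User Principal Name: logon name @ DNS domain of the object."""
    return f"{sam_account_name}@{dns_domain(dn)}"


if __name__ == "__main__":
    dn = "CN=Dan DiNicolo,CN=Users,DC=win2000trainer,DC=com"   # constructed
    print(parse_dn(dn))
    print(relative_dn(dn), "|", parent_dn(dn))
    print(default_upn("dand", dn))   # 'dand' is an assumed logon name
    # A comma inside a value must be escaped; the parser keeps the value whole.
    print(parse_dn("CN=DiNicolo\\, Dan,OU=Sales,DC=win2000trainer,DC=com")[0])
```

The parser also accepts the loosely spaced form used earlier in this article ("CN=Dan DiNicolo, CN=Users, DC = win2000trainer, DC=com"), since it strips whitespace around each type and value; the escaping matters in practice because names like "Smith, John" are common in CN values and a split on every comma would silently produce a wrong container path.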

A first look requires that we also discuss both the logical and physical elements of Active Directory. The logical part of Active Directory includes some ideas that you may have already heard of, including terms like forest, trees, domains, and OUs. The physical part of Active Directory relates to sites and domain controllers. The distinction between the logical and physical elements is important and you must recognize and understand the differences.

Active Directory Logical Structure

The logical structure of Active Directory will vary based on the needs of an organization. Logical elements include forests, trees, domains, and organizational units. 


A domain in Windows 2000 is very similar to what a domain was in NT 4. For all intents and purposes, a domain is still a logical group of users and computers (objects) that forms an administrative and replication boundary. That means two things. First of all, a domain is an administrative unit. As such, an administrator from one domain is only the administrator of that domain, and not necessarily any others. Secondly, all domain controllers in the same domain must replicate with one another. We refer to this as a replication boundary. Note, however, that a domain is not a security boundary: because every domain in a forest shares the forest-wide partitions and the automatic trusts discussed below, an administrator with full control of any one domain can affect the rest of the forest, so the forest is the real security boundary. In Windows 2000, domains are named according to DNS naming conventions, instead of conventions based on NetBIOS. An example of an Active Directory domain name would be win2000trainer.com. In Windows NT, domains had a restriction on how large they could grow, based on the size of the domain SAM database (40 MB or thereabouts). As such it was often necessary to create multiple domains if a company had tens of thousands of users and computers. By comparison, multiple domains wouldn't actually be required in such a scenario under Windows 2000, since Active Directory can contain literally millions of objects. In the same manner that a user account existed within a domain in Windows NT, the same is true in Windows 2000. A given user should be given only one account, and that account exists within only one domain, even if multiple domains exist. Active Directory does allow you to have multiple domains, forming structures referred to as trees and forests, to be discussed next.

In Windows 2000, multiple domains may still be necessary, especially in large organizations where companies want to retain tight control over their environments, their own identities (such as different business units), and distinct administrative control. In Active Directory, a collection of domains can be created that form a hierarchy referred to as a tree. In a tree structure, domains fall into a parent/child relationship. That is, the new child domain takes on the domain name of its parent domain as its suffix. For example, I might create separate domains for the European and Asian divisions of my company. If this were the case, I might end up with a tree in which win2000trainer.com is the parent domain and europe.win2000trainer.com and asia.win2000trainer.com are its child domains.

Note that each domain in the tree is a separate and distinct administrative unit, as well as a boundary for replication purposes. That is, if you create a user in the asia.win2000trainer.com domain, the account exists on domain controllers in that domain, and will be replicated to all other domain controllers in the asia.win2000trainer.com domain. Note also that each new child domain has a transitive two-way trust relationship with its parent. This is configured automatically by Active Directory, and exists to allow users in one domain access to resources in another. Even without a direct trust, users in asia.win2000trainer.com can access resources (for which they have been given appropriate permissions) in europe.win2000trainer.com and vice versa, since the trust relationship is transitive (Asia trusts its parent, which trusts Europe - therefore Europe trusts Asia and vice versa). A tree is broadly defined as a collection of domains that form a parent/child relationship and share a contiguous namespace.


Forest is the term used to describe a collection of Active Directory trees. Each tree in a forest has its own distinct namespace. For example, let's say that my company owned another smaller company called Acme Plumbing. If I wanted Acme Plumbing to have its own distinct name and domain, I might end up with a forest consisting of two trees: the win2000trainer.com tree (with its europe and asia child domains) and a separate acmeplumbing.com tree.

The acmeplumbing.com domain is part of the same forest as the win2000trainer.com domain tree, but is still its own domain and tree. Note that there are transitive trust relationships between the root domain of every tree in a forest and the forest root - this allows acmeplumbing.com users to access resources in the win2000trainer.com tree and vice versa, while allowing them to maintain distinct identities. Note that the first domain created in a forest is considered the forest root. One important feature of a forest is that every single domain shares a common schema - the definition of the different types of objects and associated attributes that may be created within the forest - as well as a common configuration and a common global catalog. It is also important to recognize that a forest might be made up of a single tree, containing a single domain. It may be small, but technically it is still a forest!
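The trust relationships described in the tree and forest sections above, as an added example that is not part of the original article: a small Python model of a Windows 2000 forest in which every automatic trust (child to parent within a tree, tree root to forest root) is two-way and transitive, with a breadth-first search that returns the chain of domains along which a user's domain reaches a resource domain. The domain names are the ones used in this article; the structure is constructed. External trusts to domains outside the forest, which in Windows 2000 are non-transitive, are deliberately not modelled, so any domain outside the forest yields no path.

```python
"""Added example: transitive trust paths inside a Windows 2000 forest."""
from collections import deque
from typing import Dict, List, Optional, Set


class Forest:
    def __init__(self, forest_root: str) -> None:
        self.forest_root = forest_root
        self.tree_roots: Set[str] = {forest_root}
        # Every automatic trust in a forest is two-way and transitive, so the
        # trust graph is undirected: domain -> domains it directly trusts.
        self.trusts: Dict[str, Set[str]] = {forest_root: set()}

    def add_child_domain(self, child: str, parent: str) -> None:
        """New child domain: contiguous namespace plus an automatic trust with its parent."""
        if parent not in self.trusts:
            raise ValueError(f"unknown parent domain {parent}")
        if child in self.trusts:
            raise ValueError(f"{child} already exists in the forest")
        if not child.endswith("." + parent):
            raise ValueError(f"{child} is not in the namespace of {parent}")
        self._link(child, parent)

    def add_tree(self, tree_root: str) -> None:
        """New tree: its own namespace plus an automatic trust with the forest root."""
        for existing in self.trusts:
            if tree_root.endswith("." + existing) or existing.endswith("." + tree_root):
                raise ValueError(f"{tree_root} overlaps the namespace of {existing}")
        self.tree_roots.add(tree_root)
        self._link(tree_root, self.forest_root)

    def _link(self, a: str, b: str) -> None:
        self.trusts.setdefault(a, set()).add(b)
        self.trusts.setdefault(b, set()).add(a)

    def trust_path(self, user_domain: str, resource_domain: str) -> Optional[List[str]]:
        """Chain of domains through which the trust is transitively established,
        or None if either domain is outside the forest (no automatic trust)."""
        if user_domain not in self.trusts or resource_domain not in self.trusts:
            return None
        previous: Dict[str, Optional[str]] = {user_domain: None}
        queue = deque([user_domain])
        while queue:
            domain = queue.popleft()
            if domain == resource_domain:
                path: List[str] = []
                step: Optional[str] = domain
                while step is not None:
                    path.append(step)
                    step = previous[step]
                return path[::-1]
            for neighbour in sorted(self.trusts[domain]):
                if neighbour not in previous:
                    previous[neighbour] = domain
                    queue.append(neighbour)
        return None


def build_example_forest() -> Forest:
    """The forest described in this article: one tree with two children, plus a second tree."""
    forest = Forest("win2000trainer.com")
    forest.add_child_domain("europe.win2000trainer.com", "win2000trainer.com")
    forest.add_child_domain("asia.win2000trainer.com", "win2000trainer.com")
    forest.add_tree("acmeplumbing.com")
    return forest


if __name__ == "__main__":
    forest = build_example_forest()
    print(forest.trust_path("asia.win2000trainer.com", "europe.win2000trainer.com"))
    print(forest.trust_path("acmeplumbing.com", "asia.win2000trainer.com"))
    print(forest.trust_path("asia.win2000trainer.com", "partner.example"))
```

The path returned for Asia to Europe runs through win2000trainer.com, which is exactly the "Asia trusts its parent, which trusts Europe" reasoning above; the path from acmeplumbing.com to a child of the other tree shows why the tree-root trust to the forest root is enough to connect every domain in the forest. This reachability is also why the forest, not the domain, is the security boundary: every domain in the forest is reachable from every other one.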

Organizational Unit

An organizational unit (commonly referred to as an OU) is a container object within Active Directory used to group objects for the purposes of delegating administrative authority and applying group policy within a domain. OUs can be created to organize objects in a number of ways, including according to function, location, resources, and so forth. Examples of objects that can be grouped into OUs include user accounts, computer accounts, group accounts, and so forth. A typical OU structure based on user location and resources would have a top-level OU per office, each holding OUs for the users, computers and printers at that location.

Note that an OU can only contain objects from the same domain in which it exists. Also note that OU structures will vary widely from company to company. They are meant to be designed with administration of resources and the application of group policy settings in mind. Since complete administrative control can be granted (delegated) to a user over an OU and potentially nothing else, it makes it possible for a very large organization to have only a single domain, with each business unit having administrative control over its own OU only.

Active Directory Physical Structure

The physical structure of Active Directory relates to two main types of objects - sites and domain controllers. 


Unlike NT 4, Windows 2000 Active Directory provides for the concept of physical locations within its design. In Active Directory, a site is a collection of TCP/IP subnets connected at high speed. Though 'high-speed' is relative, usually it refers to a collection of subnets connected at LAN-type speeds. You define sites in Active Directory to control replication, authentication, and the location of services. Once sites have been defined, a client computer will attempt to authenticate to a domain controller that is part of the same site, instead of sending the request over the WAN.

Sites also allow you to control when replication can occur between domain controllers. For example, in NT 4, all BDCs replicated with their PDC using a 5-minute change notification process. Since there wasn't any easy way to control replication between physical locations (it was possible by batch scripting changes to the registry), replication traffic often saturated links and degraded performance. Once you have defined sites in Active Directory, you can also specify the times and days at which replication between sites can occur, how often during these times, and the preferred path that replication should follow. You should note, however, that only one site exists by default, and until you define more sites, replication will continue to occur on the same old 5-minute change notification interval. It is also important to note that sites are another element that allows large companies to have only a single domain - since there is no correlation between the logical and physical structures of Active Directory, you could have one domain and hundreds of sites. The ability to control replication traffic is a big part of what makes this more manageable than in the past.
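How a client ends up at a domain controller in its own site, as an added example that is not part of the original article: Active Directory associates each site with the TCP/IP subnets you define, and the client's address is matched against them. The Python code below does that matching with a longest-prefix rule (so a /24 carved out of a /16 wins), and shows the two failure modes a practitioner needs to recognize: an address that belongs to no defined subnet gets no site affinity, and a site with no domain controller of the client's domain falls back to any DC in the domain, which means the logon may cross the WAN. The subnets, site names and DC names are constructed (the office names Frankfurt and Delhi come from this article).

```python
"""Added example: mapping a client's IP address to an Active Directory site."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_site_map(subnet_to_site: Dict[str, str]) -> List[Tuple[Network, str]]:
    """Order subnets longest prefix first so the most specific subnet wins."""
    entries = [(ipaddress.ip_network(subnet), site) for subnet, site in subnet_to_site.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def site_for_client(client_ip: str, site_map: List[Tuple[Network, str]]) -> Optional[str]:
    """Site whose subnet contains the address, or None if no subnet is defined for it."""
    ip = ipaddress.ip_address(client_ip)
    for network, site in site_map:
        if ip in network:
            return site
    return None   # undefined subnet: the client gets no site affinity at all


def candidate_dcs(client_ip: str, site_map: List[Tuple[Network, str]],
                  dcs_by_site: Dict[str, List[str]]) -> Tuple[Optional[str], List[str]]:
    """Return (site, domain controllers the client should try).

    If the site has DCs of the client's domain, only those are offered. Otherwise
    (no site match, or a site without a DC) any DC in the domain may answer.
    """
    site = site_for_client(client_ip, site_map)
    if site is not None and dcs_by_site.get(site):
        return site, list(dcs_by_site[site])
    return site, [dc for dcs in dcs_by_site.values() for dc in dcs]


# Constructed sample data: subnets assigned to sites, and DCs of one domain per site.
SUBNETS = {
    "10.1.0.0/16": "Frankfurt",
    "10.1.250.0/24": "Frankfurt-Annex",   # a more specific subnet inside the /16
    "10.2.0.0/16": "Delhi",
}
DCS_BY_SITE = {
    "Frankfurt": ["FRA-DC1", "FRA-DC2"],
    "Delhi": ["DEL-DC1"],
    "Frankfurt-Annex": [],                 # a site with no domain controller
}
SITE_MAP = build_site_map(SUBNETS)


if __name__ == "__main__":
    for client in ("10.1.7.7", "10.1.250.9", "10.2.3.4", "192.168.0.1"):
        print(client, "->", candidate_dcs(client, SITE_MAP, DCS_BY_SITE))
```

The check worth automating from this is the first failure mode: every subnet that appears in the organization's address plan should be defined in Active Directory, because a client on an undefined subnet is indistinguishable, from the directory's point of view, from a client in any other site, and will authenticate across whichever link it happens to pick.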

Domain Controllers

Of course, you can't have a domain without at least one domain controller, since this is where the Active Directory database is stored. Unlike Windows NT, which had only one writable copy of the domain database (stored on the PDC), in Windows 2000 every domain controller has a writable copy of the Active Directory database. As such, all domain controllers in an Active Directory environment are more or less equal. This makes things more complex, however, since any domain controller can make an update, instead of everything being done on one system. It also means that every domain controller must be protected to the same standard, physically and administratively: whoever controls any one writable copy of the database controls the domain. As in NT 4, you should have at least two domain controllers in a domain for the purpose of redundancy, and usually many more, depending on the size of the organization.

You create a domain controller in Windows 2000 by running the Active Directory Installation Wizard, dcpromo.exe. This tool not only allows you to create new domain controllers, but also new domains, trees, and forests. It will also allow you to change a domain controller back into a member server if you change your mind. When you run dcpromo.exe you are asked whether the server should become a domain controller for a new domain or an additional domain controller for an existing domain; for a new domain, whether it becomes a child of an existing domain or starts a new tree; and for a new tree, whether that tree joins an existing forest or starts a new one.

After a domain controller is created, it will hold a copy of the Active Directory database (ntds.dit), and will be capable of authenticating users from that domain. The Active Directory database is actually made up of what are referred to as 3 partitions, as outlined below:

- Domain partition - the objects (users, groups, computers, OUs and so forth) of a single domain.
- Configuration partition - the structure of the forest: its domains, sites, site links, replication topology and the directory-enabled services installed in it.
- Schema partition - the definitions of every object class and attribute that can exist in the forest.

The domain partition is replicated amongst domain controllers in the same domain only, while the configuration and schema partitions get replicated to every single domain controller in the entire forest.

Although I will get into this in much more detail later in the series, you should be aware that some domain controllers differ from others in terms of special roles that they can hold. I have briefly outlined the basics of each role below:

Global Catalog Server - A global catalog server is a domain controller that knows about every single object that exists within Active Directory, from all domains. However, it stores only a subset of the attributes of every object, those that are considered most important (those most commonly searched for). By default only one domain controller in the entire forest carries this role - the first domain controller created in the forest. More global catalog servers can (and should) be created throughout the forest; in a native mode domain a global catalog must be reachable for an ordinary user logon to succeed, since that is where universal group membership is resolved. If a domain controller is acting as a global catalog server, then it holds a fourth partition as part of its Active Directory database - the Global Catalog partition, a read-only partial replica of every other domain in the forest.

Besides the Global Catalog server role, there are 5 special roles that a domain controller might have, referred to as Operations Masters. These are outlined below:

Schema Master - In a forest, one domain controller holds the role of the Schema Master. The Schema Master maintains the Active Directory schema, and holds the only writable copy of the schema. There is only one Schema Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

Domain Naming Master - This domain controller keeps track of domains that are added or removed from the forest, ensuring integrity of the forest structure as these changes take place. There is only one Domain Naming Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

PDC Emulator - The PDC emulator exists for a couple of reasons, one of which is backwards compatibility with NT 4 domain controllers. When upgrading a domain to Windows 2000, the first system upgraded should be the PDC, and this new Windows 2000 DC emulates the old PDC for remaining NT 4 BDCs. The PDC Emulator is also preferentially passed password changes, and is consulted prior to failing a client logon request. By default downlevel clients such as those running NT 4 and Windows 9x will continue to make password changes at the PDC Emulator (unless they have the Active Directory client installed). There is one PDC Emulator per domain, by default the first domain controller created in the domain.

Relative Identifier (RID) Master - In Windows NT 4, the PDC was responsible for creating all SIDs, since it was responsible for creating all security principals. In Windows 2000, any domain controller can create a security principal. A security principal's SID is actually made up of two parts, the domain SID (which identifies the domain, and is the same for every object in it) and a RID (which identifies a unique object within that domain). In order to ensure that all SIDs are unique, one domain controller per domain is assigned the role of the RID Master, which is responsible for creating the domain's pool of RIDs and allocating blocks of these RIDs to the other domain controllers in the domain. This helps ensure that no duplication of object SIDs will occur. Each Active Directory domain will have one RID Master, by default the first domain controller created in that domain.

Infrastructure Master - The infrastructure Master is responsible for keeping track of which users (from another domain) are members of groups in a domain, and keeping track of any changes that may take place. This ensures consistency of user to group references in Active Directory. Each Active Directory domain will have one Infrastructure Master, by default the first domain controller created in that domain.
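The RID Master mechanism described above, as an added example that is not part of the original article: a Python simulation in which one RID Master hands out disjoint blocks of RIDs and any domain controller mints SIDs from its own block, so two DCs creating accounts at the same time can never collide. The domain SID is constructed; the pool size of 500 is the Windows 2000 default, and RIDs below 1000 are reserved for built-in principals such as Administrator (RID 500). The simulation refills a pool only when it is empty; a real DC asks for its next block before the current one runs out, but the uniqueness argument is the same.

```python
"""Added example: RID pools and SID uniqueness across domain controllers."""
from typing import Iterator, List, Tuple

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
RID_ADMINISTRATOR = 500                                   # well-known RID, never allocated


class RidMaster:
    """One per domain. Hands out disjoint RID blocks so no two DCs can mint the same SID."""

    def __init__(self, domain_sid: str, pool_size: int = 500, first_rid: int = 1000) -> None:
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self._next_rid = first_rid   # RIDs below 1000 are reserved for built-in accounts

    def allocate_pool(self) -> range:
        """Hand out the next block of RIDs; blocks never overlap."""
        start, self._next_rid = self._next_rid, self._next_rid + self.pool_size
        return range(start, self._next_rid)


class DomainController:
    """Any DC can create security principals; it draws RIDs from the block it was given."""

    def __init__(self, name: str, rid_master: RidMaster) -> None:
        self.name = name
        self.rid_master = rid_master
        self._pool: Iterator[int] = iter(())

    def new_sid(self) -> str:
        try:
            rid = next(self._pool)
        except StopIteration:
            # Block exhausted: ask the RID Master for another one. If the RID
            # Master is unreachable at this point, this DC can no longer create
            # users, groups or computers, which is why the role matters.
            self._pool = iter(self.rid_master.allocate_pool())
            rid = next(self._pool)
        return f"{self.rid_master.domain_sid}-{rid}"


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def all_unique(sids: List[str]) -> bool:
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    master = RidMaster(DOMAIN_SID, pool_size=3)   # tiny pool so the refill is visible
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    sids = [dc1.new_sid() for _ in range(4)] + [dc2.new_sid() for _ in range(4)]
    for sid in sids:
        print(sid)
    print("all unique:", all_unique(sids))
```

Because DC1's first block is 1000 to 1002 and its second is 1003 to 1005, DC2's first SID carries RID 1006: the RIDs a DC hands out are not contiguous across the domain, only unique, which is why a gap in RIDs is normal and not a sign of deleted accounts.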

Upgrading to Windows 2000

You should be familiar with the process of upgrading a domain from Windows NT 4 to Windows 2000 for the Server portion of the exam. Creating your new Active Directory domain involves upgrading your existing domain controllers to Windows 2000. Note that member servers and workstations can be upgraded at any time, whether before or after the domain upgrade takes place.

When upgrading a domain, the first machine to be upgraded should be the current PDC. Upgrading the domain will allow all user, group, and computer information that currently exists to be migrated to Active Directory. Before you upgrade the PDC however, Microsoft recommends that you do a full domain synchronization, and then take one BDC offline. If the upgrade were to fail, you could then place the BDC back on the network, promote it to the PDC, and be back to where you originally started. 

After you upgrade the PDC and get Windows 2000 installed, dcpromo will run automatically to turn the system into a domain controller. Your domain will now be in something referred to as Mixed mode, or a state where NT 4 BDCs can continue to exist, using the upgraded PDC (who is now the PDC emulator) as their domain synchronization source. Once all domain controllers have been upgraded to Windows 2000, you can switch the domain to Native mode. The differences between Mixed and Native mode are discussed below:

Mixed Mode: A mode that allows NT 4 BDCs to continue to exist, and allows you to revert to an NT 4 domain if necessary. Even in a non-upgrade scenario, Windows 2000 automatically creates new domains in Mixed mode, requiring you to explicitly switch the domain to Native mode.

Native Mode: In Native mode, all domain controllers run Windows 2000. The switch to native mode provides the ability to create Universal groups, nest groups, and control remote access via RAS policy amongst other things. 

Note that changing from Mixed mode to Native mode is a one-way process and cannot be reversed. Some possible problems / issues with respect to upgrading domains that you should be aware of:

- All domain controllers running Windows 2000 require at least one NTFS partition to house the SYSVOL folder. This is the folder structure that needs to be replicated amongst domain controllers.
- A system being upgraded must be configured to use a DNS server that supports SRV (service) records.
- If no DNS server is available, Windows 2000 will create one for you, making the system an Active Directory Integrated DNS server (more on this later in the series).
- If the dcpromo process fails or returns an error, ensure that domain names provided are entered correctly, that proper network connectivity exists, and that there is enough disk space (dcpromo requires approximately 250 MB of space total).


And there we are, with yet another week completed. Next week I'll continue the Windows 2000 Server portion of the series, taking a look at both Networking Services as well as managing domain objects. Thanks again to everyone who has contacted me supporting the series, I sincerely appreciate it. As always, feel free to contact me with any comments or questions, I look forward to your feedback. It's never too early to start practicing for the real exam, so why not add going through one of my smaller 10-question practice exams to your weekly study regimen? We've covered the Pro material already, so you might want to give those exams a shot to begin with - find them here. Also, be sure to sign up for my 70-240.com giveaway contest - the lucky winner will be announced on April 16th. Until next week, good luck with your studies!

This article was originally published on Monday Mar 26th 2001