Microsoft Active Directory
An Overview

What is Active Directory?
Microsoft's new Directory Service
Called: ADS, NTDS
Successor to LAN Manager Domains
Goals
• Open Standards
• High Scalability
• Simplified Administration
• Compatibility with existing Windows NT systems and applications
Open Standards
LDAP
• Low-level API to Active Directory
X.500
• Active Directory structure
• Not fully standard-compliant
DNS
• Resource location
• Extensions, e.g. "Dynamic DNS"
Kerberos
• Authentication
Active Directory Structure
Hierarchical
Base object: Domain
[Diagram: objects inside OUs, OUs inside a domain; domains form a tree; trees form a forest]
Which objects does Active Directory contain?
"Old friends"
• User
• Group
• Computer
New elements
• Distribution lists
• System policies
Application-defined custom objects
Described in the Schema
What is the Schema?
Definition of all AD
• Object types (classes)
• Attributes
• Data types (syntaxes)
Can be compared to a database schema
ONE consistent Schema inside a single forest
Extensible
What is a Domain?
AD base element (building block)
NT 4 compatible
Physically implemented on Domain Controllers (DC)
Boundary for
• Replication traffic (for the domain partition; schema and configuration replicate forest-wide)
• System policies
• Administration
[Diagram: a single domain, labelled Firma.de]
What is an Organizational Unit (OU)?
Implements a structure inside a domain
Can be nested as needed
Cannot be assigned any rights (an OU is a container, not a security principal; rights are set on it, never granted to it)
Typically used for administrative reasons
• e.g. system policies
[Diagram: OUs LA, New York, Admin, Sales and SalesAdmin inside one domain]
What is a Tree?
Hierarchical domain structure inside a single namespace
• adiscon.com
• la.adiscon.com
• ny.adiscon.com
Transitive trusts created automatically
A sub-domain must be added to the root domain when it is installed, otherwise there will be no tree!
[Diagram: tree with adiscon.com at the root and la.adiscon.com, ny.adiscon.com as children]
What is a Forest?
Combination of trees
Disjoint namespaces
• adiscon.de
• adiscon.com
Transitive trusts created automatically
There is one single forest root!
A sub-tree must be added to the root tree when it is installed, otherwise no forest will be created

The Forest Root Domain
First domain installed
Single Schema
Absolutely vital!
[Diagram: domains with OUs and objects grouped into trees, trees grouped into a forest]
Modeling the physical Structure
Not related to the logical structure
Modeled via "Sites"
A site is well connected via fast network links
One site can be home to multiple domains
One domain can spread across many sites
The domain database is stored on Domain Controllers

Sample Site Structure
Logical and physical structure are totally independent of each other!
[Diagram: Site LA and Site New York, each holding Domain Controllers of adiscon.com and sales.adiscon.com]
Which Role can a Server have?
Member Server
Domain Controller
Global Catalog
FSMO (Flexible Single Master Operations)
• Special roles carried out by only a limited set of servers
• e.g. PDC Emulator
• e.g. Schema Master
What is a Domain Controller?
Stores a physical copy of the Active Directory database
• Currently a single domain per DC supported!
• ESE database (the Extensible Storage Engine also used by MS Exchange)
Logon services
• Kerberos
• LAN Manager (NTLM) authentication
Recommendation: always have at least 2 Domain Controllers!
What is a Global Catalog Server?
Answers AD search queries
Must be reachable for a successful logon (universal group membership is evaluated from the GC)
Holds a copy of all objects of the whole forest...
...but holds only a subset of the attributes (the partial attribute set)
• User-definable
Recommendation: at least one GC per (larger) site
Multi-Master Replication
Updates can be applied to ANY Domain Controller
Will be replicated to every other Domain Controller (inside that domain) within 15 minutes
Optimized algorithm reduces replication traffic
Within a site NOT time based: triggered by change notification, not by a schedule!
Inter-Site Replication
All domain databases involved
Changes are transmitted compressed via IP (RPC) or SMTP
• SMTP cannot be used between DCs of a single domain (only for schema, configuration and GC data)!
The time at which replication occurs can be configured (site link schedule)
The volume of replication traffic cannot be restricted!
Have an eye on GCs!
Mixed vs. Native Mode?
Mixed mode supports coexistence with NT 4
• Default
• NT 4 BDCs continue to work
• Enables a "fallback scenario" during migration
Only native mode supports all AD features
• More than 40 MB domain database size
• Mostly problem-free "MoveTree"
• Universal groups, group nesting
Once you have switched to native mode, there is no way back to mixed mode!
Are there still Trusts available?
Old-fashioned NT 4 trusts can still be used
• Work like always
• No additional functionality (explicit, one-way, non-transitive)
Must be used to connect different forests
• Be careful: no common Global Catalog!
Shortcut trusts
• Connect frequently used domains to each other (performance optimization)

Shortcut Trusts
Domain A users frequently access Domain B's resources
No change in the logical structure
[Diagram: forest with two trees; Domain A in one tree and Domain B in the other, joined directly by a shortcut trust]
Vital for AD: DNS!
DNS is Active Directory's locator service
Without correctly configured DNS, no working Active Directory!
• Currently the TOP 1 trouble spot
Can be hosted on non-MS DNS
• Minimum BIND version 8.1.2 (SRV records and dynamic update)
• No special characters in computer names
• Not really an option
• Recommendation: delegate a separate "AD zone" from the non-MS DNS and use MS-DNS for that zone; saves lots of trouble!
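Because DNS is the locator service, the first thing to check when a client cannot find a DC is whether the SRV records the DC registers are actually in the zone. The following script is an added example, not part of the original slides: it generates the SRV owner names a Windows 2000 DC registers through dynamic update (the netlogon.dns scheme, covering the domain-wide, site-specific and Global Catalog names) and compares them against a zone dump. The zone text embedded below is constructed for the example; the domain, forest and site names follow the slides' adiscon.com tree, and the host dc1.la.adiscon.com is made up. In practice you would feed it the output of a zone transfer from the DNS server or the DC's own netlogon.dns file.

```python
"""Check a DNS zone for the SRV locator records Windows 2000 DCs register.

Added example, not part of the original slides. The record names follow the
netlogon.dns scheme a DC registers via dynamic update; the zone dump below is
constructed for this example. In practice feed it the output of
`dig @<dns-server> <zone> AXFR` or the DC's
%SystemRoot%\\system32\\config\\netlogon.dns file.
"""
import re

# owner  [ttl]  [IN]  SRV  priority  weight  port  target
SRV_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.I
)


def required_locator_records(domain, forest, site, is_gc=True, is_pdc=False):
    """SRV owner names a DC of `domain` in `site` must register.

    Domain-wide names live under the domain; GC names live under the forest
    root, because the GC serves the whole forest. The GUID-based records
    (_ldap._tcp.<DomainGuid>.domains._msdcs.<forest>) are left out because
    they need the domain GUID, which a zone dump does not tell you.
    """
    d, f, s = domain.lower(), forest.lower(), site.lower()
    names = {
        f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
        # site-specific names: the locator prefers a DC in the client's own site
        f"_ldap._tcp.{s}._sites.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
    }
    if is_gc:
        names |= {
            f"_gc._tcp.{f}", f"_ldap._tcp.gc._msdcs.{f}",
            f"_gc._tcp.{s}._sites.{f}", f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
        }
    if is_pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{d}")
    return names


def parse_srv_records(zone_text):
    """Map owner name -> list of (priority, weight, port, target) from SRV lines."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop BIND-style comments
        m = SRV_LINE.match(line)
        if not m:
            continue
        owner = m.group(1).rstrip(".").lower()
        prio, weight, port = (int(m.group(i)) for i in (2, 3, 4))
        target = m.group(5).rstrip(".").lower()
        records.setdefault(owner, []).append((prio, weight, port, target))
    return records


def missing_locator_records(zone_text, domain, forest, site, **roles):
    """Required locator names that have no SRV record in the zone dump."""
    present = parse_srv_records(zone_text)
    required = required_locator_records(domain, forest, site, **roles)
    return sorted(name for name in required if name not in present)


# Constructed zone dump for a GC in site LA of la.adiscon.com (forest adiscon.com).
# The two forest-wide GC records are deliberately absent.
SAMPLE_ZONE = """\
; constructed sample, not a real zone transfer
_ldap._tcp.la.adiscon.com.                         600 IN SRV 0 100 389  dc1.la.adiscon.com.
_ldap._tcp.dc._msdcs.la.adiscon.com.               600 IN SRV 0 100 389  dc1.la.adiscon.com.
_kerberos._tcp.la.adiscon.com.                     600 IN SRV 0 100 88   dc1.la.adiscon.com.
_kerberos._udp.la.adiscon.com.                     600 IN SRV 0 100 88   dc1.la.adiscon.com.
_kerberos._tcp.dc._msdcs.la.adiscon.com.           600 IN SRV 0 100 88   dc1.la.adiscon.com.
_kpasswd._tcp.la.adiscon.com.                      600 IN SRV 0 100 464  dc1.la.adiscon.com.
_kpasswd._udp.la.adiscon.com.                      600 IN SRV 0 100 464  dc1.la.adiscon.com.
_ldap._tcp.LA._sites.la.adiscon.com.               600 IN SRV 0 100 389  dc1.la.adiscon.com.
_ldap._tcp.LA._sites.dc._msdcs.la.adiscon.com.     600 IN SRV 0 100 389  dc1.la.adiscon.com.
_kerberos._tcp.LA._sites.la.adiscon.com.           600 IN SRV 0 100 88   dc1.la.adiscon.com.
_kerberos._tcp.LA._sites.dc._msdcs.la.adiscon.com. 600 IN SRV 0 100 88   dc1.la.adiscon.com.
_gc._tcp.LA._sites.adiscon.com.                    600 IN SRV 0 100 3268 dc1.la.adiscon.com.
_ldap._tcp.LA._sites.gc._msdcs.adiscon.com.        600 IN SRV 0 100 3268 dc1.la.adiscon.com.
"""

if __name__ == "__main__":
    for name in missing_locator_records(SAMPLE_ZONE, "la.adiscon.com", "adiscon.com", "LA"):
        print("missing:", name)
```

Run against the sample, the check reports the two forest-wide GC names as missing: clients in other sites would still find a DC for la.adiscon.com, but nobody could locate this GC from outside site LA, which is exactly the kind of silent breakage the slides warn about. The `is_gc` and `is_pdc` switches let you tailor the required set to the role the DC actually holds.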
Who is using Active Directory?
Windows 2000
• Authentication
• System policies
Directory-enabled applications
• Please do not overlook them when planning your AD!

What are Directory-Enabled Applications?
Applications directly using and accessing the Active Directory
• e.g. Exchange 2000
• Many more expected!
Typically extend the Schema
May dramatically change the usage pattern for Active Directory resources
• Replication traffic (new objects, attributes)
• AD queries (GCs!)
Active Directory Security
Improved authentication
Permissions applied via ACLs
• To objects as a whole
• To specific attributes
Fine-tuning of access permissions possible
Tool support for visualizing security settings is currently weak (try Visio!)
What is Kerberos?
"Age-old" Internet standard (Kerberos v5, RFC 1510), mature
Commonly used under Unix
Secure authentication thanks to encryption
Standard authentication model under Windows 2000
Microsoft Kerberos not fully compatible with other Kerberos implementations (e.g. the Windows-specific authorization data, the PAC, carried in tickets)
Delegation of Administration
Admin rights can be delegated to users or groups
• NOT to OUs! (rights are set on an OU, but the trustee is always a user or group)
Delegation via wizards
Currently an "admin nightmare": very hard to detect who has rights
• All objects must be viewed separately and manually
• Currently no good tools, but expected to be available in the future
• Microsoft itself also plans to provide additional tools
Inheritance in Active Directory
From top to bottom
Inheritance can only be blocked completely
• No IRF (Inherited Rights Filter) like Novell NDS
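The three slides above (ACLs on whole objects and on single attributes, delegation that is hard to audit, and all-or-nothing inheritance) describe one practical problem: finding out which rights were set directly on a given object. The script below is an added example, not from the original slides. It parses the DACL of an AD security descriptor in SDDL form, the text format you get today from `(Get-Acl "AD:\OU=Sales,DC=adiscon,DC=com").Sddl`, and lists the Allow ACEs that grant write rights and are not marked as inherited. Object-specific ACEs (type `OA`) carry the GUID of the attribute, class or extended right they are limited to, which is how attribute-level permissions appear. The sample SDDL string, the attribute GUID in it and the user SID are constructed for the example.

```python
"""List who holds explicit write rights on an AD object, from its SDDL.

Added example, not part of the original slides. It parses the D: (DACL)
section of a security descriptor in SDDL form and reports the Allow ACEs set
directly on the object, skipping inherited ones, which are decided higher up
the tree. The SDDL string, the attribute GUID and the user SID below are
constructed for this example.
"""
import re
from dataclasses import dataclass

# SDDL two-letter access-right codes and their bit values (generic and ADS_RIGHT_* bits).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Rights that let the trustee change the object, its children, its ACL or its owner.
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "DT", "SW", "CR"}
# Well-known trustee aliases SDDL uses instead of a full SID.
SID_ALIAS = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "DD": "Domain Controllers",
    "BA": "BUILTIN\\Administrators", "AO": "Account Operators",
    "AU": "Authenticated Users", "WD": "Everyone", "SY": "SYSTEM",
    "PS": "SELF", "ED": "Enterprise Domain Controllers",
}


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OD = object-specific allow/deny
    flags: set         # CI, OI, NP, IO, ID (inherited), ...
    rights: set        # two-letter codes from RIGHTS
    object_guid: str   # attribute/class/extended right the ACE is limited to ("" = whole object)
    inherit_guid: str  # child object class the ACE is inherited by ("" = all)
    trustee: str

    @property
    def inherited(self):
        return "ID" in self.flags


def _pairs(s):
    """Split 'CIID' into {'CI', 'ID'}; SDDL flag and right codes are all two letters."""
    if len(s) % 2:
        raise ValueError(f"odd-length code string: {s!r}")
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def _parse_rights(s):
    """Rights are either concatenated codes ('RPWPCC') or a hex mask ('0x20')."""
    if s.lower().startswith("0x"):
        mask = int(s, 16)
        return {code for code, bit in RIGHTS.items() if mask & bit}
    codes = _pairs(s)
    unknown = codes - RIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown right codes: {sorted(unknown)}")
    return codes


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) section of an SDDL string, in order."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_guid, inh_guid, sid = parts[:6]
        aces.append(Ace(ace_type, _pairs(flags), _parse_rights(rights),
                        obj_guid, inh_guid, SID_ALIAS.get(sid, sid)))
    return aces


def explicit_write_grants(sddl):
    """(trustee, sorted write rights, object GUID or '*') for every Allow ACE that
    carries a write right and was set on this object itself. Inherited ACEs
    are skipped, so what remains is exactly what was delegated here."""
    grants = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA") or ace.inherited:
            continue
        write = ace.rights & WRITE_RIGHTS
        if write:
            grants.append((ace.trustee, sorted(write), ace.object_guid or "*"))
    return grants


# Constructed DACL: full control for Domain Admins set here, inherited read for
# Authenticated Users and Enterprise Domain Controllers, and a delegated write
# on one attribute (made-up GUID) for a made-up user SID set directly on this object.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RPWPCCDCLCSWRCWDWOGA;;;DA)"
    "(A;CIID;RPLCLORC;;;AU)"
    "(OA;CI;WP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1000-2000-3000-1105)"
    "(A;CIID;LCRPLORC;;;ED)"
)

if __name__ == "__main__":
    for trustee, rights, scope in explicit_write_grants(SAMPLE_SDDL):
        print(f"{trustee}: {' '.join(rights)} on {scope}")
```

The `ID` flag is what makes this usable: because inheritance flows top to bottom and can only be blocked completely, every ACE on a child object that lacks `ID` is a decision somebody took on that object, and those are the entries worth reviewing one object at a time. Deny ACEs (`D`/`OD`) are ignored here on purpose; they restrict rather than grant, and a full effective-rights calculation would also have to expand group membership.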
Groups
Basically, like under NT 4
• Local groups are assigned permissions
• Global groups contain users from a single domain
• Global groups are members of local groups for permission assignment
New: Universal groups
• Can be used everywhere in every domain (permissions, members)
• Implemented via GC: replication traffic limits usability
Active Directory Problem Spots
DNS dependency
No "merge tree"
No partitioning (only a single domain per Domain Controller)
Limited tool support
Forest-global Schema
Schema modifications cannot be undone
Issues will be addressed over time by Microsoft (keep in mind AD is version 1.0!)
Importance of AD for Microsoft's Strategy
Most important product
All new Microsoft products need, or at least work better with, Active Directory
• Exchange 2000
• SQL Server 2000
• ...
Bill Gates: "We have bet Microsoft on Active Directory."

Questions?
rgerhards@adiscon.com
www.windows-expert.net