Active Directory Basics 2003


  • 8/6/2019 Active Directory Basics 2003

    1/46

    Active Directory Basics


    Active Directory

    Having a foundational knowledge of Active Directory is immensely helpful in the MCSE 2003 certification track. All courses require a knowledge and understanding of the Active Directory environment.

    Active Directory is the foundation of the Microsoft Windows Server 2003 client / server environment.


    Overview

    Active Directory is the directory service for all Windows Server 2003 editions except Web Edition, which cannot be promoted to a domain controller.

    Active Directory stores information about objects on the network in a centralized location, making it easy for administrators and users to find and use this information.

    Active Directory uses a structured, transactional database (the Extensible Storage Engine, the same engine used by Microsoft Exchange, not a Microsoft Access database) as the basis for a logical, hierarchical organization of directory information.


    Overview

    This presentation discusses the basics of the Active Directory environment, including:

    The Physical Structure of Active Directory

    The Logical Structure of Active Directory


    The Physical Structure of Active Directory


    Directory Database: Definition

    This database is often simply referred to as the directory.

    The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies.

    This information can be published for use by users and administrators.


    Directory Database: Storage and Replication

    The directory is stored on servers known as domain controllers and can be accessed by network applications or services (over LDAP, for example).

    A domain can have one or more domain controllers.

    In Windows Server 2003 every domain controller holds a writeable copy of the directory for the domain in which it is located (read-only domain controllers did not exist until Windows Server 2008).

    Changes made to the directory are replicated from the originating domain controller to the other domain controllers that hold the same partition: domain data stays within the domain, while schema and configuration data replicate to every domain controller in the forest.

    Because the directory is replicated, and because each domain controller has a writeable copy, the directory is highly available to users and administrators throughout the domain. The same property means that a compromise of any single domain controller is a compromise of the whole domain's data.


    Directory Database: Physical Files

    Directory data is stored in the Ntds.dit file on the domain controller. It must be stored on an NTFS partition.

    Some data is stored in the directory database file, and some data, such as logon scripts and Group Policy templates, is stored in the SYSVOL share, a file system folder that the File Replication Service (FRS) replicates between domain controllers.


    Directory Database: Information

    There are three main categories of data (directory partitions) replicated between domain controllers:

    Domain Data

    Configuration Data

    Schema Data

    Windows Server 2003 adds a fourth, optional category, application data, which is described under Replication later in this presentation.


    Directory Database: Configuration Data

    The configuration data describes the topology of the directory. It includes a list of all domains, trees, and forests, the locations of the domain controllers and global catalogs, and the sites, subnets, and site links that control how replication flows.


    Directory Database: Schema Data

    The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies.

    By default only members of the Schema Admins group (a group that exists in the forest root domain) can modify the schema, and the change must be made on the domain controller holding the schema master role. They can extend the schema by defining new object types and attributes, or by adding new attributes to existing objects. Schema changes are forest-wide and additive: a class or attribute can be deactivated but never removed.

    Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema. Because Schema Admins is so powerful, good practice is to keep the group empty and add a member only for the duration of a planned schema change.


    Active Directory Security: Overview

    Security is integrated with Active Directory:

    Through logon authentication

    Through access control of objects in the directory


    Active Directory Security: Logon Authentication

    Windows Server 2003 domains use Kerberos version 5 as the default logon authentication protocol; every domain controller runs the Kerberos Key Distribution Center (KDC) service.

    Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography: each user, computer, and service shares a long-term key with the KDC (for a user, a key derived from the password), and the password itself is never sent over the network.

    At logon the client proves knowledge of its key to the KDC (pre-authentication) and receives a ticket-granting ticket (TGT). When the user later needs a service, the client presents the TGT to the KDC and receives a service ticket encrypted with that service's own key. A ticket therefore proves the user's identity to one specific service; it does not by itself grant access to "the network", and the service still applies its own access control to decide what the user may do. Clients that cannot use Kerberos (for example, connections by IP address instead of name, or pre-Windows 2000 clients) fall back to NTLM.
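    The exchange described above, as an added example that models the message flow in Python. This is illustration code written for this page, not code from the slides or from Microsoft: the realm, principal names and passwords are constructed, the seal/unseal routine is a toy stand-in (SHA-256 keystream plus HMAC tag) for the real Kerberos encryption types, and the point is who holds which key at each step, not the cipher.

```python
import hashlib, hmac, json, secrets, time

SKEW = 300  # Windows tolerates 5 minutes of clock skew between client, KDC and service

def derive_key(password, salt):
    # Long-term key derived from the password; the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key, payload):
    """Toy authenticated encryption standing in for RC4-HMAC/AES (constructed, not Kerberos' real etypes)."""
    nonce, data = secrets.token_bytes(16), json.dumps(payload).encode()
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def fresh(ts):
    return abs(time.time() - ts) <= SKEW

class KDC:
    """The Key Distribution Center that runs on every domain controller."""
    def __init__(self, realm):
        self.realm = realm
        self.keys = {"krbtgt": secrets.token_bytes(32)}   # every principal's long-term key
    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, self.realm + name)
    def as_exchange(self, cname, preauth):
        # AS-REQ/AS-REP: pre-authentication proves the client knows its key; the reply carries
        # a TGT that only the KDC can open plus the TGT session key sealed for the client.
        if not fresh(unseal(self.keys[cname], preauth)["timestamp"]):
            raise ValueError("pre-authentication timestamp outside allowed skew")
        sk = secrets.token_hex(32)
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + 36000})
        return tgt, seal(self.keys[cname], {"sk": sk})
    def tgs_exchange(self, tgt, sname, authenticator):
        # TGS-REQ/TGS-REP: the user's key is never used again; the TGT plus a fresh
        # authenticator under the TGT session key is the proof of identity.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if t["exp"] < time.time() or a["cname"] != t["cname"] or not fresh(a["timestamp"]):
            raise ValueError("TGT expired or authenticator does not match")
        sk2 = secrets.token_hex(32)
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sk": sk2})   # sealed with the service's own key
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2, "sname": sname})

class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name, self.key = kdc, name, derive_key(password, kdc.realm + name)
    def logon(self):
        tgt, enc = self.kdc.as_exchange(self.name, seal(self.key, {"timestamp": time.time()}))
        self.tgt, self.tgt_sk = tgt, bytes.fromhex(unseal(self.key, enc)["sk"])
    def ticket_for(self, sname):
        auth = seal(self.tgt_sk, {"cname": self.name, "timestamp": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, sname, auth)
        sk2 = bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])
        return ticket, seal(sk2, {"cname": self.name, "timestamp": time.time()})

def service_accepts(service_key, ticket, authenticator):
    """AP-REQ at the service: open the ticket with the service's *own* key and verify the authenticator."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if a["cname"] != t["cname"] or not fresh(a["timestamp"]):
        raise ValueError("authenticator does not match ticket")
    return t["cname"]

def demo():
    """Constructed realm with one user and two services: (identity fs1 sees, same ticket at web1, wrong password)."""
    kdc = KDC("TECHSKILLS.COM")
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("cifs/fs1", secrets.token_hex(16))
    kdc.add_principal("http/web1", secrets.token_hex(16))
    alice = Client(kdc, "alice", "correct horse battery staple")
    alice.logon()
    ticket, auth = alice.ticket_for("cifs/fs1")
    results = [service_accepts(kdc.keys["cifs/fs1"], ticket, auth)]
    for attempt in (lambda: service_accepts(kdc.keys["http/web1"], ticket, auth),
                    lambda: Client(kdc, "alice", "wrong password").logon()):
        try:
            attempt(); results.append("accepted")
        except ValueError:
            results.append("rejected")
    return tuple(results)
```

    Running demo() shows the two properties the slide glosses over: the ticket issued for cifs/fs1 is rejected by http/web1 because it is sealed with fs1's key, and a client with the wrong password fails at pre-authentication before any ticket is issued. The attacks a practitioner worries about later (Kerberoasting, golden and silver tickets) are all attacks on the service or krbtgt keys this model keeps inside kdc.keys.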


    Active Directory Security: Access Control Lists

    Active Directory data is protected by limiting access to users through the use of access control lists (ACLs); every object in the directory carries a security descriptor.

    Users who log on to the network have to obtain both authentication (proof of who they are) and authorization (what they may do) before they can use system resources.

    When a user logs on to the network, the security system authenticates the user with information stored in Active Directory and builds an access token listing the user's SID and group SIDs. Then, when the user attempts to access a resource, the system compares that token against the access control entries in the discretionary access control list (DACL) of the resource's security descriptor.

    This multi-tier system creates a more protected environment and granular control of resource access.
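    How the token-versus-DACL comparison above actually works, as an added example in Python (written for this page, not code from the slides or from Windows). The SIDs, rights bits and the sample ACLs are constructed; the evaluation rules are the documented Windows ones, including the two cases that surprise people, the NULL DACL and a DACL whose ACEs are not in canonical order.

```python
from dataclasses import dataclass

# Generic access rights (a constructed subset of the Windows access-mask layout)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000

@dataclass(frozen=True)
class ACE:
    kind: str                 # "allow" or "deny"
    sid: str                  # trustee: a user or group SID that may appear in a token
    mask: int                 # rights this ACE grants or denies
    inherited: bool = False

def check_access(token_sids, requested, dacl):
    """Return True if the token is granted every bit in `requested`.

    Mirrors the Windows algorithm: a NULL DACL (None) grants everyone full access, an
    empty DACL grants nothing; ACEs are walked strictly in order, stopping at the first
    matching deny that overlaps a still-unsatisfied right, or as soon as nothing is left
    to satisfy. Order therefore matters, which is why ACLs must be kept canonical.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                           # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                       # an overlapping deny ends evaluation
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def canonicalize(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])

# Constructed SIDs for a fictitious domain
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, DOMAIN_USERS, CONTRACTORS, IT_ADMINS = (f"{DOMAIN}-{rid}" for rid in (1104, 513, 1201, 1105))
ALICE_TOKEN = {ALICE, DOMAIN_USERS, CONTRACTORS, "S-1-1-0"}     # S-1-1-0 is Everyone

SHARE_DACL = [
    ACE("deny", CONTRACTORS, WRITE | DELETE),
    ACE("allow", DOMAIN_USERS, READ | EXECUTE),
    ACE("allow", IT_ADMINS, READ | WRITE | EXECUTE | DELETE),
]

# The same intent written in the wrong order: the allow is reached before the deny.
NON_CANONICAL = [ACE("allow", ALICE, WRITE), ACE("deny", CONTRACTORS, WRITE | DELETE)]

def demo():
    return {
        "alice read": check_access(ALICE_TOKEN, READ, SHARE_DACL),                    # True
        "alice write": check_access(ALICE_TOKEN, WRITE, SHARE_DACL),                  # False
        "alice read+write": check_access(ALICE_TOKEN, READ | WRITE, SHARE_DACL),      # False
        "empty dacl": check_access(ALICE_TOKEN, READ, []),                            # False
        "null dacl": check_access(ALICE_TOKEN, DELETE, None),                         # True
        "bad order": check_access(ALICE_TOKEN, WRITE, NON_CANONICAL),                 # True: deny never reached
        "fixed order": check_access(ALICE_TOKEN, WRITE, canonicalize(NON_CANONICAL)), # False
    }
```

    The "bad order" result is the one worth remembering: a tool that writes ACEs without canonicalizing them silently turns a deny into a no-op, and a NULL DACL (not the same thing as an empty one) is an open door.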


    Global Catalog: Overview

    A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest.

    In addition, the global catalog stores each object's most commonly searched attributes (the partial attribute set). The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, which provides efficient forest-wide searches (served on TCP port 3268) without unnecessary referrals to other domain controllers.

    A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or move it to another domain controller.


    Global Catalog: Roles

    A global catalog performs the following roles:

    Finds objects anywhere in the forest.

    Resolves user principal names (UPNs) at logon. When a user logs on with a UPN such as user@TechSkills.com, the authenticating domain controller contacts a global catalog to find which domain holds the account.

    Supplies universal group membership information across domains. Universal group membership is stored only in the global catalog, so in a multi-domain forest a domain controller must reach a global catalog to build a complete logon token. If none is reachable the logon is refused, unless the user is a member of Domain Admins or the site has universal group membership caching enabled (a Windows Server 2003 feature); the global catalog is therefore part of the logon path and its availability matters.


    Active Directory: Search Capabilities

    Database search tools allow easy search and access of users, groups, and objects stored in the Active Directory database.

    Administrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory; the same LDAP queries can be run from the command line with dsquery or exported with ldifde.

    Administrators can add objects to groups quickly and with minimal network impact by using query-based (browse-less) member selection to find likely members instead of browsing the whole tree.


    Active Directory: Replication

    A domain controller stores and replicates the following directory partitions:

    Schema information. The definition of every object class and attribute that can exist in Active Directory. Replicated to every domain controller in the forest.

    Configuration information. The logical design of the forest, including the domain structure and the sites, site links, and connection objects that drive replication. Replicated to every domain controller in the forest.

    Domain information. Describes all objects in a domain and is stored only on that domain's domain controllers. In a multi-domain environment a subset (the partial attribute set) is also stored in the global catalog.

    Application information. Application directory partitions, new in Windows Server 2003, replicate only to the domain controllers an administrator chooses, which limits replication traffic; Active Directory-integrated DNS zones use them.


    The Logical Structure of Active Directory


    Domains: Overview

    A domain is a logical grouping of computers and users managed through a central security accounts database.

    Domains act as the basic building blocks of an AD environment. As such, AD design starts here, at the domain level.

    It is imperative that you have a solid, secure, and efficient domain plan in place before you move to any other aspect of creating your Active Directory tree, because domains are hard to rename, merge, or split once they hold accounts.


    Domains: Root Domain

    The first domain created in your Active Directory environment is known as the forest root domain.

    The name given to the root domain acts as the base for the DNS names of all domains created later in the same tree.

    As each subsequent domain is added to the tree, it is placed somewhere below the root domain. Additional domains are always children of some other domain in the tree, unless they start a new tree with its own DNS name (as in the forest diagram at the end of this presentation).

    The only domain in a tree that is not a child is the root (topmost) domain. The forest root domain is also where the forest-wide Enterprise Admins and Schema Admins groups live, so it deserves the strictest protection.


    Domains: Root and Child Domains

    Diagram (one tree: the root domain and four child domains):

    TechSkills.com                        (root)
      Chicago.TechSkills.com              (child)
        IT.Chicago.TechSkills.com         (child)
        Medical.Chicago.TechSkills.com    (child)
      Dallas.TechSkills.com               (child)


    Domains: Number of Objects

    There is no practical limit to the number of users, groups, and other objects that can be supported in the Active Directory database.

    Tests have been performed with literally millions of records.


    Domains: Replication Traffic

    All domain controllers within a domain must converge on the same database. In other words, a replication process synchronizes any changes made to the database to all domain controllers for the domain. The net effect is more network traffic.

    The larger the database (meaning more users, computers, groups, and other types of records), and the more often those records change, the more potential replication traffic will be generated.

    A corollary to this is that the more domain controllers you have, the more replication traffic will travel through your network.


    Domains: Security Boundaries

    Since a domain represents a separate database, the domain boundary is often described as a built-in security boundary. This is only partly true: the domain is an administrative and replication boundary, but the forest is the real security boundary. Every domain in a forest trusts every other domain, and an administrator of any domain in the forest (or anyone who compromises one of its domain controllers) can, with enough effort, gain control of the whole forest. Only a separate forest isolates one organization's administrators from another's.

    Administrators of a domain are limited (by default) to the management of resources within their own domain, with one exception: the forest root domain's Enterprise Admins group is by default a member of the Administrators group in every domain of the forest.

    While administrative accounts can be given privileges in more than one domain, this is a manual configuration -- in other words, a conscious decision, rather than a default.


    Domains: Language Considerations

    Each server runs a single localized version of Windows (French, German, and so on), although English is supported by all installations.

    If your company crosses international boundaries, you might want additional domains so that local administrators can manage their resources in their native tongue.


    Domains: Security Policies

    Security policies control and limit access to resources on the network.

    Certain policy elements are domain-wide and are defined in the Default Domain Policy. These include some very common settings: password policies (complexity, length, history, and lifetime), account lockout policies (when and for how long an account will be locked due to unsuccessful logon attempts), and Kerberos v5 policies (ticket lifetimes, renewal, and logon restrictions).

    In Windows Server 2003 these settings can be applied only once per domain, so if you have different areas of your environment in which these policy elements need to differ, you must create multiple domains.
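    The two domain-wide policy elements named above, password complexity and account lockout, as an added example in Python (written for this page; not code from the slides or from Windows). It implements the documented Windows Server 2003 "Passwords must meet complexity requirements" rule and the documented meaning of the three lockout settings; the account names, passwords and logon timestamps are constructed, and the default values in the code are the Windows defaults.

```python
import re

SEPARATORS = re.compile(r"[,.\-_ #\t]")   # display-name delimiters Windows uses when tokenizing

def name_tokens(sam_account_name, display_name):
    """Strings a password may not contain: the account name, and display-name parts of 3+ characters."""
    tokens = {sam_account_name.lower()}
    tokens.update(t.lower() for t in SEPARATORS.split(display_name) if len(t) >= 3)
    return tokens

def password_problems(password, sam_account_name, display_name, min_length=7):
    """Return the reasons a password fails the domain policy (an empty list means it passes).

    Complexity: at least three of the four categories (upper, lower, digit, non-alphanumeric)
    and no name tokens. Minimum length is a separate setting; 7 is the 2003 domain default.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    problems += [f"contains name token '{t}'"
                 for t in sorted(name_tokens(sam_account_name, display_name)) if t in lowered]
    categories = (any(c.isupper() for c in password), any(c.islower() for c in password),
                  any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(categories) < 3:
        problems.append("uses fewer than 3 of the 4 character categories")
    return problems

class LockoutPolicy:
    """Account lockout with the semantics of the three domain settings.

    threshold:   failed attempts before lockout (0 disables lockout)
    reset_after: seconds after a failure before the bad-password count resets to zero
    duration:    seconds an account stays locked (0 = until an administrator unlocks it);
                 Windows requires reset_after <= duration
    """
    def __init__(self, threshold=5, reset_after=1800, duration=1800):
        self.threshold, self.reset_after, self.duration = threshold, reset_after, duration
        self.state = {}   # user -> {"count", "last", "locked_until"}

    def is_locked(self, user, now):
        s = self.state.get(user)
        if not s or s["locked_until"] is None:
            return False
        return self.duration == 0 or now < s["locked_until"]

    def record_failure(self, user, now):
        """Register a bad password at time `now`; return True if the account is now locked."""
        s = self.state.setdefault(user, {"count": 0, "last": None, "locked_until": None})
        if s["last"] is not None and now - s["last"] > self.reset_after:
            s["count"] = 0                                  # quiet period elapsed, counter resets
        s["count"], s["last"] = s["count"] + 1, now
        if self.threshold and s["count"] >= self.threshold:
            s["locked_until"] = now + self.duration
        return self.is_locked(user, now)

    def record_success(self, user):
        self.state.pop(user, None)                          # a good logon clears the counter

def demo():
    """Constructed accounts and a constructed sequence of failed logons (times in seconds)."""
    findings = {pw: password_problems(pw, "jdoe", "John Doe", min_length=n)
                for pw, n in (("P@ssw0rd1", 7), ("doe-Summer1", 7), ("short1A", 8), ("alllowercase", 7))}
    policy = LockoutPolicy(threshold=3, reset_after=600, duration=900)
    t0 = 1_000_000
    burst = [policy.record_failure("jdoe", t0 + dt) for dt in (0, 10, 20)]     # three quick failures
    still_locked = policy.is_locked("jdoe", t0 + 800)                          # inside the 900 s lockout
    expired = policy.is_locked("jdoe", t0 + 20 + 901)                          # lockout has lapsed
    slow = LockoutPolicy(threshold=3, reset_after=600, duration=900)
    spaced = [slow.record_failure("asmith", t0 + dt) for dt in (0, 700, 1400)]  # counter resets between tries
    return findings, burst, still_locked, expired, spaced
```

    The spaced sequence is the one attackers exploit: guesses paced just outside the reset window never trip the threshold, which is why lockout thresholds limit noisy brute force but do not stop slow password spraying, and why the complexity check matters as much as the lockout.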


    Organizational Units: Overview

    An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. Those groups should mirror the way the organization is administered.

    OUs are the smallest scope to which you can delegate administrative authority or link Group Policy. Therefore, they provide a means for handling administrative tasks and a way to delegate administration of users and resources.


    Organizational Units: OUs and Objects

    Diagram: the TechSkills.com domain containing a Sales OU, a Medical OU, and an IT OU, with the IT OU holding its own objects.


    Organizational Units: Overview

    An OU can contain objects such as:

    User accounts

    Groups

    Computers

    Printers

    Applications

    File shares

    Other OUs from the same domain


    Organizational Units

    Security Objects: User Accounts

    User accounts represent people and are used to log on to a Windows domain. User accounts are used for the following:

    Authentication. This is the process of proving your identity. User accounts and passwords are used to authenticate users to a domain.

    Authorization. This is the process of being granted permissions to a resource.

    Auditing. By requiring all your users to use a unique user account, you can easily audit access to resources.

    A Windows Server 2003 domain contains three default user accounts intended for people: Administrator, Guest, and HelpAssistant (used by Remote Assistance). Guest and HelpAssistant are disabled by default. The domain also contains the krbtgt account, whose key encrypts every Kerberos ticket-granting ticket; it is disabled by default and is not meant to be used for logon.


    Organizational Units

    Security Objects: Groups Overview

    Without groups, you would have to manually assign all permissions to individual user accounts.

    Groups enable you to organize your users. You can group user accounts and assign permissions to everyone in the group at once.

    Any permissions assigned to a group are automatically granted to members of that group.


    Organizational Units

    Security Objects: Group Scopes

    Scope is the range over which a group extends: a domain, a tree, or the forest.

    The scope determines where a group's membership is replicated, which users and groups from which domains can be added to its membership, and in which domains the group can be granted permissions to resources.

    Active Directory provides three different scopes for groups:

    Universal

    Global

    Domain Local


    Organizational Units

    Security Objects: Group Scopes

    Universal. Universal groups have the widest scope of any of the group scopes. A universal group can contain accounts, global groups, and universal groups from any domain in the forest, and can be assigned permissions to resources in any domain in the forest. Its membership list is stored in the global catalog, so every membership change replicates forest-wide.

    Global. A global group can contain accounts (and, at the Windows 2000 native or Windows Server 2003 domain functional level, other global groups) only from the domain in which it is created, and can be assigned permissions to resources in any domain in the tree or forest. Only the group object, not its member list, appears in the global catalog.

    Domain Local. The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain in the forest (and domain local groups from the same domain) can be added to a domain local group. Because of its limited scope, however, the group can only be assigned permissions within the domain in which it is created.
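    The nesting and permission rules from the three scope descriptions above, as an added example in Python that checks proposed memberships against them and then resolves a user's effective groups the way the logon token would (written for this page; not code from the slides). It goes one step beyond the slide by walking a full AGDLP chain (account, global, domain local) across the two constructed domains from the earlier diagram, and everything named in it is constructed.

```python
from dataclasses import dataclass, field

# Member kinds each scope may hold, from the group's own domain and from other domains in the
# forest, at the Windows Server 2003 domain functional level (where global groups may nest).
NESTING = {
    "universal":   ({"user", "global", "universal"}, {"user", "global", "universal"}),
    "global":      ({"user", "global"}, set()),
    "domainlocal": ({"user", "global", "universal", "domainlocal"}, {"user", "global", "universal"}),
}

@dataclass
class Principal:
    name: str
    domain: str
    kind: str                                   # "user" or one of the NESTING scopes
    members: list = field(default_factory=list)

def key(p):
    return f"{p.name}@{p.domain}"

def can_add(group, member):
    """May `member` be placed in `group`? Mirrors the scope rules on the slide."""
    same_domain, other_domain = NESTING[group.kind]
    allowed = same_domain if member.domain == group.domain else other_domain
    return member.kind in allowed

def can_grant(group, resource_domain):
    """May `group` be given permissions on a resource that lives in `resource_domain`?"""
    return group.kind != "domainlocal" or group.domain == resource_domain

def add_member(group, member):
    if not can_add(group, member):
        raise ValueError(f"{member.kind} {key(member)} cannot be a member of {group.kind} {key(group)}")
    group.members.append(member)

def effective_groups(user, groups):
    """Transitive closure of the user's memberships: the group SIDs that end up in the logon token."""
    result, changed = set(), True
    while changed:                              # repeat until no new group is reached
        changed = False
        for g in groups:
            if key(g) not in result and any(m is user or key(m) in result for m in g.members):
                result.add(key(g))
                changed = True
    return result

def demo():
    chi, dal = "Chicago.TechSkills.com", "Dallas.TechSkills.com"     # domain names from the deck's diagram
    alice = Principal("alice", chi, "user")
    bob = Principal("bob", dal, "user")
    sales = Principal("Sales", chi, "global")                        # A -> G: accounts in a global group
    all_sales = Principal("All-Sales", chi, "universal")             # G -> U: global groups rolled up forest-wide
    readers = Principal("Reports-Read", dal, "domainlocal")          # U -> DL: the group that appears in the ACL
    add_member(sales, alice)
    add_member(all_sales, sales)
    add_member(readers, all_sales)
    rejected = []
    for group, member in ((sales, bob),                                          # cross-domain user in a global group
                          (readers, Principal("Other-DL", chi, "domainlocal"))):  # foreign domain local group
        try:
            add_member(group, member)
        except ValueError:
            rejected.append(f"{member.name}->{group.name}")
    token = effective_groups(alice, [sales, all_sales, readers])
    return token, rejected, can_grant(readers, dal), can_grant(readers, chi)
```

    Running demo() returns alice's three effective groups, the two memberships the scope rules refuse, and the fact that the Dallas domain local group can be granted rights on a Dallas share but not on a Chicago one. The closure in effective_groups is also why nested group membership is the first thing to audit when a low-privilege account turns out to be an administrator.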


    Trees

    Trusts

    You can set up your system so that a small group of administrators have security privileges over the entire structure, or you can give a group administrative abilities in a select few domains.

    You can also give users permission to access resources throughout the tree. This is made possible by trusts: a trust lets one domain accept the authentication performed by another, after which permissions are granted to the trusted domain's users and groups in the usual way.

    Within a forest, a two-way transitive trust is created automatically between each parent and child domain and between each tree root and the forest root, so every domain in the forest trusts every other. Trusts to domains outside the forest must be created manually and can be one-way or two-way. A trust is only a logical link between domains; access is gained only by the individuals and groups that are then granted permissions.


    Forest

    Diagram: one forest containing two trees with separate DNS namespaces, rooted at TechSkills.com and Edgia.com, with the child domains Chicago, Columbus, Houston, and Dallas beneath them.


    Conclusion

    Active Directory is the foundation of the Microsoft Windows Server 2003 client / server environment.

    The physical structure of Active Directory includes the directory database that stores information about Active Directory objects in the Ntds.dit file.

    The logical structure of Active Directory indicates the organization of users, groups, computers, applications and data into logical units: domains, organizational units, trees and forests.