Directory services


Page 1: Directory services

Course ILT

Directory services

Unit objectives
Describe Windows networking concepts
Discuss planning of a directory services “implementation”
Describe and install Microsoft’s Active Directory
Discuss what’s new in Active Directory in Windows Server 2003
Discuss the Windows NT domain model
Explain the design and purpose of Novell Directory Services / eDirectory

Page 2: Directory services

Topic A
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 3: Directory services

Workgroups
Logical group of computers
Decentralized security and administration (every PC for itself!)
In a workgroup, every computer holds its own security database
– Security Accounts Manager (SAM) database
– This way, each computer does its own authentication (i.e., ensures that the person logging in has the correct credentials)
Simple (sort of)
Doesn’t require a server

Page 4: Directory services

Workgroups
Problems with workgroups:
– The maximum effective size for a workgroup is 10 or so computers. With more than 10 you will have problems sharing resources, keeping track of security information and so on.
– In order to access resources on another computer you must first log on to that PC.
– This means that you have to have a username and password for every PC.
– A server in a workgroup does its normal jobs of sharing files, sending email, etc.
– A server in a workgroup is called a standalone server.

Page 5: Directory services

Figure: Workgroup security model

Page 6: Directory services

Domains
Logical groups of computers
Use centralized authentication and administration
The device in the domain responsible for this is the “domain controller”, or DC

Page 7: Directory services

Figure: Domain security model

Page 8: Directory services

Member servers
Not domain controllers, but they run the server software, not the client
Used for a variety of functions
– File servers
– Print servers
– Application servers
– DNS and DHCP servers
A member server can back up the DC
– It can be promoted to DC if the DC goes down
– A DC can be demoted to member server
– But security functions are unique to the DC

Page 9: Directory services

Recap
Two different security models used in Windows environments
– Workgroup
– Domain
Three roles for a Windows Server 2003 system in a network
– Standalone server
– Member server
– Domain controller

Page 10: Directory services

Domain controllers
Store a copy of the Active Directory database
Service user authentication requests
Service queries about domain objects
The AD database is stored on network DCs
Changes made to any Active Directory will be replicated across all domain controllers
– Called multimaster replication
– Provides fault tolerance for domain controller failure
Uses Domain Name Service (DNS) conventions for network resources
– i.e., this is how devices in the domain are recognized

Page 11: Directory services

Activity A-1 (page 16-6): Discussing Windows security models

Page 12: Directory services

Topic B
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 13: Directory services

Directory service (DS)
Network service that allows users or computers to look up information
– location of files
– printers
– email addresses
– security information such as passwords
– rights and permissions, etc.
Microsoft’s directory service is called Active Directory (AD)

Page 14: Directory services

Planning and Maintaining Infrastructure & Group Policy
Planning your AD is emphasized
– Consider bandwidth, location, resources, etc.
– Security issues include password issues such as length, complexity and use time
Group Policy is used to manage servers, workstations, and user environments
– Used to deploy applications to computers or users
– Used to implement security policies like encrypting all client/server communication
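The slide names three password settings that Group Policy pushes to every DC and workstation: length, complexity and use time (maximum age). The following Python model is an added example, not course material; its thresholds are constructed sample values, and the complexity rule is a simplified form of the Windows “password must meet complexity requirements” setting (several character classes, and no account name inside the password). It also shows why a policy check should return every failed rule rather than only the first one: the user gets actionable feedback and the help desk sees which rule trips most often.

```python
"""Model of a domain password policy of the kind Group Policy pushes to every
DC and workstation.  Added illustration, not course code: the thresholds are
constructed sample values and the complexity rule is a simplified version of
the Windows "password must meet complexity requirements" check (character
classes plus no account name in the password)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8          # "length" in the slide
    min_char_classes: int = 3    # "complexity": classes out of upper/lower/digit/other
    max_age_days: int = 90       # "use time": how long a password may stay in service
    history_length: int = 5      # recent passwords that may not be reused


def char_classes(password: str) -> int:
    """Count the character classes present: upper, lower, digit, other."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def violations(password, account_name, policy=PasswordPolicy(), history=()):
    """Return the list of policy rules the proposed password breaks (empty = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.min_char_classes:
        problems.append(f"fewer than {policy.min_char_classes} character classes")
    # Windows rejects a password containing the account name (3+ chars), case-insensitively
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("contains the account name")
    if password in history[-policy.history_length:]:
        problems.append(f"reuses one of the last {policy.history_length} passwords")
    return problems


def is_expired(last_set_iso: str, today_iso: str, policy=PasswordPolicy()) -> bool:
    """Max-age rule: the password must be changed once it is older than max_age_days.
    Dates are ISO strings (YYYY-MM-DD)."""
    last_set, today = date.fromisoformat(last_set_iso), date.fromisoformat(today_iso)
    return today - last_set > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    print(violations("password", "jsmith"))
    print(violations("Jsmith2024!", "jsmith"))
    print(is_expired("2024-01-01", "2024-04-15"))
```

A real domain evaluates the same rules on the DC at password-change time, so a client-side check like this is a convenience for users, not the enforcement point.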

Page 15: Directory services

Activity B-1 (page 16-9): Planning and implementing directory services

Page 16: Directory services

Topic C
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 17: Directory services

AD features and services
Provides the following services:
– Central point for storing & managing network objects
– Central point for administering objects and resources
– Logon and authentication services
– Delegation of administration (to member servers)
– Stored on domain controllers (plural) in the network
– Changes made to any Active Directory will be replicated across all domain controllers (multimaster replication; fault tolerance for domain controller failure)
– Uses Domain Name Service (DNS) conventions for network resources (i.e., objects are arranged in a hierarchy)

Page 18: Directory services

Active Directory objects
Represent network resources such as users, groups, computers, and printers
Objects have attributes depending on object type
Objects are searchable by attributes

Page 19: Directory services

Figure: Creating a new user object

Page 20: Directory services

Figure: Viewing user object properties

Page 21: Directory services

Active Directory schema
– Consists of two main definitions: object classes and attributes
– Attributes and object classes have a many-to-many relationship
– The schema defines all objects
– It defines the attributes available for objects
– The schema defines the set of objects for the entire Active Directory structure
– Only one schema for a given Active Directory, replicated across domain controllers

Page 22: Directory services

Schema
Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes:
– Unique object name
– Globally unique identifier (GUID) associated with each object name
– Required attributes
– Optional attributes
– Syntax of how attributes are defined
– Pointers to parent entities

Page 23: Directory services

Figure: Sample schema information for user accounts
– Active Directory schema; object classes: User account, Computer, Printer, Domain
– Schema elements per class: Object name, GUID, Required attributes, Optional attributes, Syntax, Parent relationships
– Sample user account attributes: Username, User's full name, Password, Account description, Remote access OK

Page 24: Directory services

GUID: a server-based aside …
Short for Globally Unique Identifier, a unique 128-bit number that is produced by the Windows OS or by some Windows application to identify a particular component, application, file, database entry or user.
For instance, a Web site may generate a GUID and assign it to a user's browser to record and track the session.
A GUID is also used in the Windows Registry to identify COM DLLs.
Knowing where to look in the registry and having the correct GUID yields a lot of information about a COM object (i.e., information in the type library, its physical location, etc.).

Page 25: Directory services

GUID: a server-based aside
Windows also identifies user accounts by a username (computer/domain and username) and assigns it a GUID.
Some database administrators will even use GUIDs as primary key values in databases.
GUIDs can be created in a number of ways, but usually they are a combination of a few unique settings based on a specific point in time (e.g., an IP or MAC address, clock date/time, etc.).
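The two GUID slides make one point worth seeing in code: a GUID built from a MAC address and a clock (UUID version 1) can be decoded back into that MAC address and timestamp, whereas a random one (version 4) cannot. This is an added example using only Python's standard uuid module; it is not part of the course, and SAMPLE_MAC is a constructed node id rather than a real interface address. It bears on the session-tracking use the slide mentions: a v1 GUID handed to a browser also identifies the host and moment that generated it.

```python
"""Added illustration of the slides' GUID points, not course code: a GUID is a
128-bit value that may be built from a point in time plus a hardware (MAC)
address (UUID version 1) or from random bits (version 4).  Only Python's
standard uuid module is used; SAMPLE_MAC is a constructed node id, not a real
interface address."""
import uuid
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01)
_UUID_EPOCH_TICKS = 0x01B21DD213814000

SAMPLE_MAC = 0x001122334455   # constructed 48-bit node id for the demo


def make_time_based_guid(node: int = SAMPLE_MAC) -> uuid.UUID:
    """Version-1 GUID: 60-bit timestamp + clock sequence + 48-bit node (the MAC)."""
    return uuid.uuid1(node=node)


def make_random_guid() -> uuid.UUID:
    """Version-4 GUID: 122 random bits; says nothing about the generating host."""
    return uuid.uuid4()


def decode(guid: uuid.UUID):
    """Return (version, node, creation time) for a v1 GUID, or (version, None, None).

    The node and time fields are recoverable from any v1 GUID, which is why a
    GUID used as a session token can also identify the machine and moment that
    minted it; a v4 GUID carries no such information."""
    if guid.version == 1:
        ticks = guid.time - _UUID_EPOCH_TICKS
        created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
        return guid.version, guid.node, created
    return guid.version, None, None


def bit_length_ok(guid: uuid.UUID) -> bool:
    """Every GUID, whatever its version, fits in 128 bits."""
    return guid.int.bit_length() <= 128


if __name__ == "__main__":
    g = make_time_based_guid()
    print(g, decode(g))
    r = make_random_guid()
    print(r, decode(r))
```

Note that uniqueness is a different property from unpredictability: both versions are unique enough for a primary key, but only the random version is suitable where the value must not be guessable.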

Page 26: Directory services

Activity C-1 (page 16-13): Discussing Active Directory

Page 27: Directory services

AD structure and components
Active Directory comprises components that:
– Enable design and administration of a network structure (logical, hierarchical)
Components include:
– Domains and organizational units
– Trees and forests
– A global catalog

Page 28: Directory services

Figure: AD domain and OU structure

Page 29: Directory services

Trees and forests
Sometimes necessary to create multiple domains within an organization
The first Active Directory domain is the forest root domain
A tree is a hierarchical collection of domains that share a contiguous DNS naming structure
A forest is a collection of trees that do not share a contiguous DNS naming structure
Transitive trust relationships exist among domains in trees and, optionally, in and across forests

Page 30: Directory services

Domains & organizational units
Domain
– Has a unique name
– Is organized in hierarchical levels
– Has an Active Directory replicated across its domain controllers
Organizational unit (OU)
– A logical container used to organize domain objects
– Makes it easy to locate and manage objects
– Allows you to apply Group Policy settings
– Allows delegation of administrative control

Page 31: Directory services

Figure: An Active Directory tree
There is a “contiguous DNS naming structure” here; i.e., all of the OU’s in the tree on the right follow the same naming scheme – they all end with “Dovercorp.net”.

Page 32: Directory services

Figure: An Active Directory forest
There is no “contiguous DNS naming structure” here; i.e., the tree on the right follows a different naming scheme.

Page 33: Directory services

AD naming standards: namespaces
Contiguous namespace:
– A namespace in which every child object contains the name of its parent object (tree)
Disjointed namespace:
– A namespace in which the child object name does not resemble the name of its parent object (forest)
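The tree/forest slides and the namespace slide state one rule: a child domain's DNS name contains its parent's name, and a domain whose name does not continue an existing tree starts a new tree. The Python below is an added example, not course code, that applies that rule to a list of domain names and reports whether they form one tree or a forest. The domain names are constructed samples in the style of the course's Dovercorp.net. It also shows the one check that is easy to get wrong: "evildovercorp.net" merely ends with the characters of "dovercorp.net", it is not a child of it, so the comparison must include the label separator.

```python
"""Added example (not course code): group AD domain DNS names into trees by the
contiguous-namespace rule and decide whether the set is a single tree or a
forest.  Domain names are constructed samples."""


def is_child_of(child: str, parent: str) -> bool:
    """Contiguous naming: the child's name is the parent's name with at least one
    label prepended (sales.dovercorp.net under dovercorp.net).  The comparison
    includes the dot so that a look-alike such as evildovercorp.net does not pass."""
    child, parent = child.lower().rstrip("."), parent.lower().rstrip(".")
    return child != parent and child.endswith("." + parent)


def group_into_trees(domains):
    """Return {tree root: [domains in that tree]}, roots in order of discovery."""
    trees = {}
    # Fewest labels first, so every root is seen before its children.
    for name in sorted(domains, key=lambda d: d.count(".")):
        name = name.lower().rstrip(".")
        for root in trees:
            if is_child_of(name, root):
                trees[root].append(name)
                break
        else:
            trees[name] = [name]        # no existing tree continues this name
    return trees


def classify(domains) -> str:
    """'tree' when all domains share one contiguous namespace, else 'forest'."""
    return "tree" if len(group_into_trees(domains)) == 1 else "forest"


if __name__ == "__main__":
    sample = ["sales.dovercorp.net", "dovercorp.net",
              "eu.sales.dovercorp.net", "acmeholdings.com"]
    print(group_into_trees(sample))
    print(classify(sample))
```

The grouping is purely lexical; it tells you what the namespace allows, not what trusts actually exist, which is configured separately.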

Page 34: Directory services

Multimaster replication
Multimaster replication: in Windows 2003 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other.
Because each DC acts as a master, replication doesn’t stop when one is down.
Each DC is a master in its own right.
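This slide and the domain controller slide (page 10) describe multimaster replication in words; the model below is an added example, not course code, that shows the part the words leave out: what happens when two DCs accept conflicting writes to the same attribute while a third is down. Each attribute value carries a stamp of (version, originating time, originating DC), and on disagreement the higher stamp wins, which is the order Active Directory itself uses to resolve replication conflicts. DC names and clock values are constructed for the demo.

```python
"""Added model of multimaster replication (not course code).  Every DC accepts
writes; each attribute carries a stamp (version, originating time, originating
DC) and, when replicas disagree, the higher stamp wins.  DC names and the clock
values are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass(order=True, frozen=True)
class Stamp:
    version: int       # bumped on every originating write
    time: int          # originating write time (simulated clock ticks)
    origin: str        # originating DC name, the final tie-breaker


@dataclass
class DomainController:
    name: str
    online: bool = True
    attrs: dict = field(default_factory=dict)   # (object, attribute) -> (value, Stamp)

    def write(self, obj, attr, value, now):
        """Originating write: bump the version past what this DC currently holds."""
        if not self.online:
            raise RuntimeError(f"{self.name} is down")
        old = self.attrs.get((obj, attr))
        version = old[1].version + 1 if old else 1
        self.attrs[(obj, attr)] = (value, Stamp(version, now, self.name))

    def receive(self, key, value, stamp):
        """Replicated write: keep whichever value has the higher stamp."""
        mine = self.attrs.get(key)
        if mine is None or stamp > mine[1]:
            self.attrs[key] = (value, stamp)


def replicate(dcs):
    """One full-mesh replication pass among the DCs that are up."""
    up = [dc for dc in dcs if dc.online]
    for src in up:
        for key, (value, stamp) in list(src.attrs.items()):
            for dst in up:
                if dst is not src:
                    dst.receive(key, value, stamp)


def converged(dcs) -> bool:
    """True when every online DC holds identical data."""
    up = [dc for dc in dcs if dc.online]
    return all(dc.attrs == up[0].attrs for dc in up[1:])


def demo():
    """DC3 fails, DC1 and DC2 make conflicting edits, DC3 returns; all converge."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dcs = [dc1, dc2, dc3]
    dc1.write("jsmith", "title", "Analyst", now=1)
    replicate(dcs)
    dc3.online = False                                     # a DC goes down; writes continue
    dc2.write("jsmith", "title", "Senior Analyst", now=2)
    dc1.write("jsmith", "title", "Lead Analyst", now=3)    # conflicting edit, same version
    replicate(dcs)                                         # later originating time wins
    dc3.online = True                                      # DC3 returns and catches up
    replicate(dcs)
    return {dc.name: dc.attrs[("jsmith", "title")][0] for dc in dcs}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for defenders: a change made on any one DC becomes authoritative everywhere, so audit logs from every DC (not just the PDC emulator) are needed to see who originated a write.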

Page 35: Directory services

Global catalog
An index and partial replica of the most frequently used objects and attributes of an Active Directory
Replicated to any server in a forest configured to be a “global catalog server”
Contains all information from the root and partial information for all other domains
Allows authentication using the User Principal Name (user@domain form)

Page 36: Directory services

Global catalog (continued)
Four main functions:
1. Enable users to find Active Directory information
2. Provide universal group membership information
3. Supply authentication services when a user logs on from another domain
4. Respond to directory lookup requests from Exchange 2000 and other applications

Page 37: Directory services

Figure: An Active Directory forest

Page 38: Directory services

Activity C-2 (pages 16-18, 19): Discussing components of Active Directory

Page 39: Directory services

Activity C-3 (pages 16-20, 21): Installing Active Directory

Page 40: Directory services

Active Directory naming standards
Active Directory uses the DNS naming standard for
– hostname resolution
– providing information on the location of network services and resources
Lightweight Directory Access Protocol (LDAP) is used to query or update the Active Directory database
– Distinguished name
– Relative distinguished name

Page 41: Directory services

AD communications standards
The Lightweight Directory Access Protocol (LDAP) is used to query or update an Active Directory database directly
LDAP follows a convention using naming paths with two components
– Distinguished name: the unique name of an object in Active Directory
– Relative distinguished name: the portion of a distinguished name that is unique within the context of its container

Page 42: Directory services

LDAP naming paths
Common name (CN):
– The most basic name of an object in the Active Directory, such as the name of a printer
Distinguished name (DN):
– A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name
– CN=JSmith, OU=Accounting, DC=pbcc, DC=edu
Relative distinguished name (RDN):
– An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user (CN=JSmith)
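The three naming-path slides describe DNs as comma-separated lists of type=value pairs. The Python below is an added example, not course code, that splits a DN into its RDNs the way RFC 4514 spells out, including values that themselves contain a comma (escaped with a backslash), and provides the matching escape function for building a DN from untrusted input. The sample DNs are constructed from the course's CN=JSmith, OU=Accounting, DC=pbcc, DC=edu. Hex-pair escapes (\XX) are left out to keep the parser short.

```python
"""Added example, not course code: parse and build LDAP distinguished names.
Handles backslash escapes for the RFC 4514 special characters; hex-pair
escapes (\\XX) are intentionally not supported here.  Sample DNs are
constructed from the course's CN=JSmith, OU=Accounting, DC=pbcc, DC=edu."""

SPECIALS = ',+"\\<>;'


def unescape(value: str) -> str:
    """Turn backslash-escaped characters back into themselves."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def escape_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN safely.
    Without this, a value such as 'x,OU=Admins' would add an RDN of its own."""
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def _trim(value: str) -> str:
    """Drop unescaped leading/trailing spaces around a value."""
    value = value.lstrip(" ")
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def split_dn(dn: str):
    """Return the DN as a list of (TYPE, value) pairs, leftmost (the RDN) first."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True      # keep the escape; unescape per value
        elif ch == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().upper(), unescape(_trim(value))))
    return pairs


def rdn(dn: str):
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def dns_domain(dn: str) -> str:
    """Rebuild the DNS domain name from the DC components (naming-standards slide)."""
    return ".".join(v for t, v in split_dn(dn) if t == "DC")


if __name__ == "__main__":
    dn = "CN=JSmith, OU=Accounting, DC=pbcc, DC=edu"
    print(split_dn(dn), rdn(dn), dns_domain(dn))
    print("CN=" + escape_value("Smith, John") + ",OU=Accounting,DC=pbcc,DC=edu")
```

Anything that concatenates user-supplied text into a DN or an LDAP search filter needs the escaping step; parsing alone does not protect the writer side.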

Page 43: Directory services

AD physical structure
Physical structure is distinct from logical structure
Physical structure relates to the actual connectivity of the physical network
Logical structure is used to organize network resources
Important to consider the effect of Active Directory traffic and authentication requests on physical resources
A site is a combination of Internet Protocol (IP) subnets connected by a high-speed link
A site link is a configurable object that represents a connection between sites
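The slide defines a site as a set of IP subnets; in practice a client is assigned to a site by matching its address against the subnet objects an administrator has defined, with the most specific subnet winning. The Python below is an added example, not course code, of that lookup using the standard ipaddress module; the subnets and site names are constructed samples in the style of the course's Dovercorp.net. It also covers the case the slide does not mention: an address in no defined subnet, which is the usual cause of clients authenticating against a DC across a slow link.

```python
"""Added example (not course code): map a client IP address to an AD site via
longest-prefix match over the administrator-defined subnet objects.  Sites and
subnets below are constructed samples."""
import ipaddress

# Constructed subnet -> site table, as an admin would define under Sites and Services.
SUBNETS = {
    "10.0.0.0/16": "Default-First-Site-Name",
    "10.0.5.0/24": "Chicago",       # more specific than 10.0.0.0/16, so it wins
    "10.1.0.0/16": "Toronto",
    "192.168.10.0/24": "Chicago",
}


def build_subnet_map(table):
    """Parse the textual table once into network objects."""
    return [(ipaddress.ip_network(net), site) for net, site in table.items()]


def site_for(ip: str, subnet_map):
    """Most specific subnet containing ip, or None when no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in subnet_map:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def unmapped_clients(client_ips, subnet_map):
    """Addresses with no site: candidates for a missing subnet object."""
    return [ip for ip in client_ips if site_for(ip, subnet_map) is None]


if __name__ == "__main__":
    smap = build_subnet_map(SUBNETS)
    # constructed sample of client addresses seen in authentication logs
    seen = ["10.0.5.77", "10.0.9.1", "10.1.3.4", "172.16.0.1", "192.168.10.20"]
    for ip in seen:
        print(ip, "->", site_for(ip, smap))
    print("no site:", unmapped_clients(seen, smap))
```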

Page 44: Directory services

Figure: Site structure for Dovercorp.net

Page 45: Directory services

Activity C-4 (page 16-24): Discussing Active Directory naming standards and physical structure

Page 46: Directory services

Topic D
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 47: Directory services

New Active Directory features
– Renaming domains
  In case you misnamed a domain, or to comply with new company policy
  The company is sold, buys another company or merges
– Improved migration tools
  E.g., from earlier versions, as from NT to 2000 or from 2000 to 2003; makes deployment easier
  One feature of the “AD Migration Tool” (ADMT) is aimed specifically at allowing passwords to be migrated between different OS versions
– New management features
  Multi-object selection
  Better drag-and-drop capabilities
  Improvements in Group Policy

Page 48: Directory services

Activity D-1 (page 16-27): Discussing deployment and management

Page 49: Directory services

Activity D-2 (page 16-28): Discussing performance and dependability

Page 50: Directory services

Topic E
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 51: Directory services

Windows NT domains
Windows NT Server acts as the Primary Domain Controller (PDC), providing centralized management of resources, user accounts, group accounts, permissions, and rights
Multiple domains
– By using trust relationships, you can set up different types of domain models
– The flexibility of these models is one of the advantages of using Windows NT Server

Page 52: Directory services

Trust relationships
Provide a way of combining domains into a single management unit
Are of two types:
– One-way trust
– Two-way trust
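The trust slides list one-way and two-way trusts, and the trees-and-forests slide (page 29) adds that trusts within an AD tree are transitive. The Python model below is an added example, not course code, that makes the difference concrete: with NT-style non-transitive trusts, a user from domain C cannot reach a resource in A just because A trusts B and B trusts C, whereas in a transitive AD tree the same chain does grant access. Domain names are constructed samples.

```python
"""Added model (not course code) of trust direction and transitivity.  In an
NT-style one-way trust the trusting domain accepts users from the trusted
domain only, and trusts are not transitive; in an AD tree every parent-child
trust is two-way and transitive.  Domain names are constructed samples."""
from collections import deque


class TrustGraph:
    def __init__(self, transitive: bool):
        self.transitive = transitive
        self.trusts = {}    # trusting domain -> set of domains it trusts

    def add_one_way(self, trusting: str, trusted: str):
        """trusting accepts accounts from trusted (arrow points at the account domain)."""
        self.trusts.setdefault(trusting, set()).add(trusted)
        self.trusts.setdefault(trusted, set())

    def add_two_way(self, a: str, b: str):
        self.add_one_way(a, b)
        self.add_one_way(b, a)

    def can_authenticate(self, user_domain: str, resource_domain: str) -> bool:
        """Can an account from user_domain be granted access in resource_domain?"""
        if user_domain == resource_domain:
            return True
        if not self.transitive:
            # NT: only a direct trust counts
            return user_domain in self.trusts.get(resource_domain, set())
        # AD tree: follow trust edges outward from the resource domain
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for trusted in self.trusts.get(domain, set()):
                if trusted == user_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False

    def reachable_account_domains(self, resource_domain: str):
        """Every domain whose accounts could be granted access in resource_domain.
        Useful when reviewing how far a single compromised domain could reach."""
        return sorted(d for d in self.trusts
                      if self.can_authenticate(d, resource_domain))


def nt_example() -> TrustGraph:
    """NT master domain model: resource domains trust one account domain, chain is not transitive."""
    g = TrustGraph(transitive=False)
    g.add_one_way("RESOURCES", "ACCOUNTS")      # RESOURCES trusts ACCOUNTS
    g.add_one_way("ACCOUNTS", "PARTNER")        # ACCOUNTS trusts PARTNER
    return g


def ad_tree_example() -> TrustGraph:
    """AD tree: parent-child trusts are two-way and transitive."""
    g = TrustGraph(transitive=True)
    g.add_two_way("dovercorp.net", "sales.dovercorp.net")
    g.add_two_way("dovercorp.net", "eu.dovercorp.net")
    return g


if __name__ == "__main__":
    nt, ad = nt_example(), ad_tree_example()
    print(nt.can_authenticate("ACCOUNTS", "RESOURCES"), nt.can_authenticate("PARTNER", "RESOURCES"))
    print(ad.can_authenticate("eu.dovercorp.net", "sales.dovercorp.net"))
    print(ad.reachable_account_domains("sales.dovercorp.net"))
```

The reachable_account_domains view is the one a reviewer wants for the NT domain models on the following slide: in a complete-trust model it returns every domain for every resource, which is exactly why that model is the hardest to contain.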

Page 53: Directory services

Figure: Trust relationships, an example

Page 54: Directory services

Figure: One-way trusts, an example

Page 55: Directory services

Figure: Two-way trusts, an example

Page 56: Directory services

Activity E-1 (page 16-31): Discussing Windows NT and trust relationships

Page 57: Directory services

Domain models
Several domain models:
– Single
– Master
– Multiple master
– Complete trust

Page 58: Directory services

Activity E-2: Discussing Windows NT domains

Page 59: Directory services

Topic F
Windows networking concepts
Directory services planning and implementation
Introduction to Active Directory
New Active Directory features in Windows Server 2003
Windows NT domains
Novell Directory Services/eDirectory

Page 60: Directory services

Bindery files
In the earlier versions of NetWare, bindery files were used to store information about users, groups, file servers, and other logical and physical entities on the network
Network information, such as passwords, account balances, and trustee assignments, was also kept in the bindery files

Page 61: Directory services

Novell Directory Services/eDirectory
Replaces the bindery files
Commonly referred to as the Directory tree
Can be organized the way your organization is structured

Page 62: Directory services

Objects and object classes
NDS objects
– Objects represent items defined in the NDS/eDirectory database
– Objects are maintained globally for the entire network
NDS object classes
– The three classes of objects are root, container, and leaf

Page 63: Directory services

Figure: NDS object classes

Page 64: Directory services

Bindery emulation in the NDS
To provide backward compatibility with NetWare bindery applications and third-party bindery products, NetWare 4.x, 5.x and 6.x provide bindery emulation
The NetWare 3.x bindery consists of three files:
– NET$OBJ.SYS
– NET$PROP.SYS
– NET$VAL.SYS

Page 65: Directory services

Activity F-1: Discussing NDS/eDirectory

Page 66: Directory services

Unit summary
Learned about Windows networking concepts
Discussed planning of a directory services implementation
Described and installed Microsoft’s Active Directory
Learned what’s new in Active Directory in Windows Server 2003
Discussed the Windows NT domain model
Learned about the design and purpose of Novell Directory Services/eDirectory