Introduction to Active Directory
CIT 237

Active Directory Objects
Objects
– Attributes that represent a network resource
Object name: Computers
– Attributes: computer 1, computer 2, computer 3, etc.
Object: Users
– Attributes: first name, last name, logon name, etc.
Active Directory Schema
– Defines the objects that can be stored in Active Directory (see schema administration in Active Directory Users and Computers)
Types of schema objects (metadata)
– Schema class objects: a template for creating new objects (e.g. Computer, Group, User, etc.)
– Schema attribute objects: define or describe the schema class object with which they are associated, even though a single attribute may be used in many schema classes
Active Directory Components
Domains
Organizational Units (OUs)
Trees
Forests

DOMAINS, TREES, AND A FOREST
[Diagram: contoso.com is the forest root and a domain tree root, with child domains west.contoso.com and east.contoso.com, each containing OUs; tailspintoys.com is the root of a second domain tree in the same forest.]
Domains
Core unit of logical structure
Stores millions of objects
A security boundary
– Access to objects is governed by access control lists (ACLs), which contain permissions for each object (files, folders, shares, printers, etc.). Those permissions control which users can gain access to an object and what type of access they can gain
– ACL rights are not transferable from one domain to another

Domains
Default functional levels:
– Windows 2000 Mixed (default for Windows Server 2003)
– Windows 2000 Native
– Windows 2000 Interim
– Windows Server 2003
Windows 2000 Mixed
– Allows functionality with domain controllers in the same domain running Windows NT 4
– Allows functionality with domain controllers in the same domain running Windows Server 2003
Windows Server 2003
– Allows functionality only with domain controllers in the same domain running Windows Server 2003.
– The functional level should be raised according to the type of domain controllers in the domain

Organizational Units (OUs)
Organize objects within a domain into logical administrative groups
– Nesting occurs when an OU is added within another OU (like a subdirectory). This creates a hierarchical structure

Trees
A group or hierarchy of domains created by adding a child domain to a parent

Forests
A group or hierarchy of independent domain trees
The forest functional level provides a way to enable forest-wide Active Directory features
Physical Structures
Physical components of Active Directory:
– Sites
– Domain controllers

Sites
One or more connected IP subnets
– Usually share the same performance boundaries (fast network connections are grouped with each other, and slow ones with each other)
– Not listed in Active Directory the way OUs are
– Contain only computer and connection objects

Domain Controllers
Store a replica of the domain portion of Active Directory
Service only one domain
Authenticate users and maintain domain security policy

Replication
Ensures that changes made on one domain controller are represented on all other domain controllers in the domain

What Information is Replicated
Active Directory is partitioned into four units:
– Schema partition: describes the objects and attributes that can be created in a directory. This data is common to all domains in a forest and is replicated
– Configuration partition: describes the domain structure and replication layout. This data is common to all domains in a forest and is replicated
– Domain partition: describes all domain objects. This is domain specific and is not replicated forest-wide, but its data is replicated to every domain controller in the domain
– Application directory partition: stores dynamic application-specific data and can contain any type of object except security principals. Can be set for replication if desired
Stores and Replicates
The schema partition stores data for a forest
The configuration partition stores data for all domains in a forest
The domain partition stores data, such as directory objects and properties, for its specific domain
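The domain tree and forest structure from the diagram, together with the partition replication rules from the two slides above, worked through as a small model. This is an added example, not part of the course slides; the forest contents, domain controller names and creation order are constructed to match the diagram.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str  # a domain controller services exactly one domain

# Constructed forest matching the slide diagram. contoso.com was created first,
# so it is the forest root; tailspintoys.com starts a second domain tree.
FOREST_ROOT = "contoso.com"
DOMAINS: Set[str] = {"contoso.com", "west.contoso.com",
                     "east.contoso.com", "tailspintoys.com"}
DCS: List[DomainController] = [
    DomainController("DC1", "contoso.com"),
    DomainController("DC2", "west.contoso.com"),
    DomainController("DC3", "east.contoso.com"),
    DomainController("DC4", "tailspintoys.com"),
]

def parent_domain(domain: str, domains: Set[str]) -> Optional[str]:
    """Parent of a child domain, or None for a tree root. A child's DNS name
    extends the parent's namespace (west.contoso.com -> contoso.com), so strip
    leading labels until one of the forest's domains matches."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def tree_roots(domains: Set[str]) -> List[str]:
    """Domains with no parent each start a tree. The forest root is one of them
    but is identified by creation order, not by anything in its name."""
    return sorted(d for d in domains if parent_domain(d, domains) is None)

def replication_scope(partition: str, dcs: Sequence[DomainController],
                      domain: Optional[str] = None, app_replicas: Sequence[str] = ()) -> List[str]:
    """Names of the DCs that hold a replica of a partition (the slide's four kinds)."""
    if partition in ("schema", "configuration"):   # forest-wide: every DC
        return sorted(dc.name for dc in dcs)
    if partition == "domain":                      # only the DCs servicing that domain
        return sorted(dc.name for dc in dcs if dc.domain == domain)
    if partition == "application":                 # only explicitly enrolled DCs
        return sorted(dc.name for dc in dcs if dc.name in app_replicas)
    raise ValueError(f"unknown partition: {partition}")
```

Note that the two tree roots look identical to the name-based logic; only the record of which domain was created first tells you that contoso.com, not tailspintoys.com, is the forest root.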
Types of Replication
Intrasite replication: occurs between domain controllers in the same domain, using a ring structure and the Knowledge Consistency Checker (KCC), which runs on all domain controllers to ensure consistency.
Intersite replication: performed by creating site links (network connections)

Trust Relationships
A link between two domains in which the trusting domain honors the logon authentication of the trusted domain, using NT LAN Manager (NTLM) or Kerberos.
Kerberos is the default for Windows Server 2003. If Kerberos is not supported in a trust, NTLM is used

Global Catalog
A role designation assigned to a domain controller. By default it is created automatically and assigned to the first (root) domain controller in the forest. However, any domain controller in the forest can be a global catalog; the information is simply replicated
Central repository of information about objects in a tree or forest