Microsoft Active Directory
ITL
© 2005 Hans Kruse, Shawn Ostermann, Carl Bruggeman, Ohio University 2
Early Networking Schemes
• Windows LAN Manager, AppleTalk
  – Broadcast-based service discovery
  – Security attached to each object
• Unix NFS, lpr
  – TCP/IP based
  – Workstation-level security
NOS (Network Operating System)
• 3COM, Novell
  – User data stored on a central server
  – "Single sign-on"
  – Resources discovered by broadcast announcements
  – Client software for Windows, Apple, Unix
Microsoft, Take One
• Windows NT domains
  – Single name space
  – 40,000 object limit
  – WINS name resolution
  – NETBEUI and TCP/IP transport
  – Master-slave database replication
  – Domain-wide administrator role designation
  – Inter-domain trust relationships
Microsoft, Take Two
• Active Directory (Windows 2000, XP, 2003)
  – Core protocols:
    • Dynamic DNS
    • LDAP
    • Kerberos
  – Hierarchical name space (based on DNS)
  – Multi-master peer database replication
Dynamic DNS
• The client or the DHCP server modifies DNS when the client gets an IP address
  – In AD the client sends the update request
  – The standard requires DNSSEC for such updates
    • AD uses internal ACLs instead
• Servers update DDNS based on the roles they acquire and the services they can provide
LDAP
• Lightweight Directory Access Protocol
  – Based on the structure of ISO X.500
  – Compatible with X.500 data schemas
  – Does not rely on ISO protocols
• Example of a DN (distinguished, i.e. unique, name in LDAP)
  – CN=Steve Kille, O=Isode Limited, C=GB
Service Discovery in AD
• Based on DNS SRV records
• For example, the general catalog server:
  – _gc._tcp.mycorp.com. 600 IN SRV 0 100 3268 moose.mycorp.com.
• LDAP servers:
  – _ldap._tcp.mycorp.com. 600 IN SRV 0 100 389 moose.mycorp.com.
• There can be many SRV records for a service
• AD uses SRV records for
  – General Catalog servers
  – Kerberos
  – Domain Controllers
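The SRV-based discovery above, worked through as an added example that is not part of the slides: it parses zone-file style records like the two shown, orders them the way an RFC 2782 client does when many records exist for one service (lowest priority first, weighted-random within a priority), and, because AD lets clients and servers update DNS dynamically, flags any target that lies outside the zone. The `_gc` service is Microsoft's global catalog (the slides call it the general catalog); the hosts other than moose.mycorp.com and the extra records are constructed.

```python
import random
from collections import namedtuple

# One SRV record: owner name, TTL, priority (lower preferred), weight, port, target host.
SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

def parse_srv(line):
    """Parse '<name> <ttl> IN SRV <priority> <weight> <port> <target>' (zone-file style)."""
    f = line.split()
    if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(f[0].lower(), int(f[1]), int(f[4]), int(f[5]), int(f[6]), f[7].lower())

def _weighted_order(group, rng):
    """RFC 2782 order within one priority: weight-0 entries last, others drawn by weight."""
    remaining = sorted(group, key=lambda r: r.weight == 0)
    ordered = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick, running = (rng.randint(0, total) if total else 0), 0
        for i, r in enumerate(remaining):
            running += r.weight
            if running >= pick:          # first record whose cumulative weight reaches the pick
                ordered.append(remaining.pop(i))
                break
    return ordered

def discover(records, service, zone, rng=None):
    """(target, port) pairs for _<service>._tcp.<zone>, in the order a client tries them."""
    rng = rng or random.Random()
    owner = f"_{service}._tcp.{zone.strip('.')}.".lower()
    hits = [r for r in records if r.name == owner]
    ordered = []
    for prio in sorted({r.priority for r in hits}):
        ordered += _weighted_order([r for r in hits if r.priority == prio], rng)
    return [(r.target, r.port) for r in ordered]

def foreign_targets(records, zone):
    """Defender check: SRV targets outside the zone they advertise for deserve review."""
    suffix = "." + zone.lower().strip(".") + "."
    return [r for r in records if not r.target.endswith(suffix)]

# Constructed sample zone data: the two records from the slides plus three more.
SAMPLE_ZONE = """\
_gc._tcp.mycorp.com.   600 IN SRV 0  100 3268 moose.mycorp.com.
_ldap._tcp.mycorp.com. 600 IN SRV 0  100 389  moose.mycorp.com.
_ldap._tcp.mycorp.com. 600 IN SRV 0  100 389  elk.mycorp.com.
_ldap._tcp.mycorp.com. 600 IN SRV 10 0   389  standby.mycorp.com.
_ldap._tcp.mycorp.com. 600 IN SRV 0  50  389  stray.example.net.
"""
RECORDS = [parse_srv(l) for l in SAMPLE_ZONE.splitlines() if l.strip()]
```

Running `discover(RECORDS, "ldap", "mycorp.com")` returns the three priority-0 hosts in a weight-influenced order with standby.mycorp.com always last, and `foreign_targets(RECORDS, "mycorp.com")` reports the record pointing at stray.example.net.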