DESCRIPTION
Chapter 1. OVERVIEW OF ACTIVE DIRECTORY. ACTIVE DIRECTORY FUNCTIONS. Directory Services Used to define, manage, access, and secure network resources. Resources include: files, printers, groups, people, and applications. Active Directory Stored as NTDS.dit on a domain controller. - PowerPoint PPT Presentation
OVERVIEW OF ACTIVE DIRECTORY
Chapter 1
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 2
ACTIVE DIRECTORY FUNCTIONS
Directory Services
Used to define, manage, access, and secure network resources.
Resources include: files, printers, groups, people, and applications.
Active Directory
Stored as NTDS.dit on a domain controller.
Used by domain controllers to authenticate users.
Domain controllers store, maintain, and replicate the directory database.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 3
ACTIVE DIRECTORY BENEFITS
Centralized administration
Single point of access
Fault tolerance and redundancy
Multiple domain controllers are used
Multi-master replication
Simplified resource location
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 4
CENTRALIZED ADMINISTRATION
Hierarchical organization for ease of administration
Common Microsoft Management Console (MMC) tool set
Active Directory Users And Computers (DSA.MSC)
Active Directory Domains And Trusts (DOMAIN.MSC)
Active Directory Sites And Services (DSSITE.MSC)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 5
SINGLE POINT OF AUTHENTICATION
Single sign-on
Diagram: Server1, Server2, and Server3 before directory services versus after directory services (Active Directory)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 6
MULTI-MASTER REPLICATION
Active Directory Domain Replication Process
Diagram: DC1, DC2, and DC3
1. A change occurs on DC2.
2. DC2 notifies DC1 and DC3 that there is a change to Active Directory.
3. At the next replication interval, DC1 and DC3 request the new database information.
4. DC2 replicates the changes to DC1 and DC3.
5. DC1 and DC3 update their Active Directory database.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 7
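The five steps on the slide, replayed as a small simulation. This is an added example, not material from the slide deck: DC1, DC2 and DC3 are the slide's names, but the per-DC update sequence number (USN) and the per-partner high-watermark that make the pull in step 3 incremental are real Active Directory mechanisms the slide does not mention, so their use here is an assumption of this example. The telephone number written in the scenario is a constructed sample value.

```python
"""Toy model of the notify-then-pull replication sequence on the slide.

Added example, not from the slide deck. DC1, DC2 and DC3 are the slide's
names; the per-DC update sequence number (USN) and the per-partner
high-watermark are real Active Directory mechanisms, but the slide does not
mention them, so their use here is an assumption of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    usn: int          # USN assigned by the DC where the write originated
    source: str       # name of that DC
    dn: str
    attribute: str
    value: str


@dataclass
class DomainController:
    name: str
    usn: int = 0                                          # local USN counter
    changes: list = field(default_factory=list)           # local change log
    database: dict = field(default_factory=dict)          # dn -> {attribute: value}
    partners: list = field(default_factory=list)          # replication partners
    high_watermark: dict = field(default_factory=dict)    # partner name -> last USN pulled
    pending: set = field(default_factory=set)             # partners that notified us
    log: list = field(default_factory=list)

    def originate_write(self, dn, attribute, value):
        """Step 1: a change occurs on this DC. Step 2: partners are notified."""
        self.usn += 1
        self.changes.append(Change(self.usn, self.name, dn, attribute, value))
        self.database.setdefault(dn, {})[attribute] = value
        self.log.append(f"{self.name}: originating write, USN {self.usn}")
        for partner in self.partners:
            partner.pending.add(self.name)
            self.log.append(f"{self.name} -> {partner.name}: change notification")

    def replication_interval(self, dcs):
        """Steps 3-5: at the interval, request every change newer than our
        high-watermark from each partner that notified us and apply it.
        Replication is a pull: the receiving DC asks, the source answers."""
        for partner_name in sorted(self.pending):
            partner = dcs[partner_name]
            since = self.high_watermark.get(partner_name, 0)
            new = [c for c in partner.changes if c.usn > since]      # step 3
            for c in new:                                              # steps 4 and 5
                self.database.setdefault(c.dn, {})[c.attribute] = c.value
                self.high_watermark[partner_name] = c.usn
            self.log.append(f"{self.name} <- {partner_name}: pulled {len(new)} change(s)")
        self.pending.clear()


def build_domain():
    """Three DCs that are all replication partners of one another."""
    dcs = {name: DomainController(name) for name in ("DC1", "DC2", "DC3")}
    for dc in dcs.values():
        dc.partners = [p for p in dcs.values() if p is not dc]
    return dcs


def run_slide_scenario():
    """Replay the five steps: one write on DC2, then one replication interval."""
    dcs = build_domain()
    dcs["DC2"].originate_write("cn=jsmith,ou=sales,dc=cohowinery,dc=com",
                               "telephoneNumber", "555-0100")   # constructed sample value
    for dc in dcs.values():
        dc.replication_interval(dcs)
    return dcs


def databases_converged(dcs):
    """True when every DC holds the same directory content."""
    views = [dc.database for dc in dcs.values()]
    return all(v == views[0] for v in views)


if __name__ == "__main__":
    dcs = run_slide_scenario()
    for dc in dcs.values():
        print("\n".join(dc.log))
    print("converged:", databases_converged(dcs))
```

The point the simulation makes beyond the slide is that the source DC never pushes: DC1 and DC3 pull only what is newer than the USN they last saw from DC2, so a second interval with no new writes moves nothing, and all three databases end up identical because every DC accepts writes (multi-master), not because one of them is authoritative.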
SIMPLIFIED RESOURCE LOCATION
Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.
Search Active Directory to find:
Shared folders
Printers
People (user accounts)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 8
ACTIVE DIRECTORY SCHEMA
Object classes
User accounts
Computer accounts
Printers
Groups
Object attributes
Name
Globally unique identifier (GUID)
Location (for printers)
E-mail address (for users)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 9
ACTIVE DIRECTORY COMPONENTS
Diagram: two IP sites; forest root domain cohowinery.com; child domain north.cohowinery.com
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 10
ORGANIZATIONAL UNITS
Container objects
Look like a folder with a book icon in Active Directory Users And Computers
Security is applied to OUs
Inherited by child OUs
Used to control access to that OU or to hide subordinate OUs
Allows for the delegation of administrative rights
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 11
DOMAINS
Logical grouping of resources. Form security and replication boundaries.
Individual access control lists (ACLs) for each domain.
Group Policies are typically assigned and inherited within a domain only, not from the forest.
Domain replication is independent of global catalog and schema replication.
Multiple domains may be used by a single organization.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 12
DOMAINS, TREES, AND A FOREST
Diagram: contoso.com is both the forest root and a domain tree root (parent, containing OUs) with the child domains west.contoso.com and east.contoso.com; tailspintoys.com is the root of a second domain tree in the same forest
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 13
SITES
Used to reflect the physical network structure
Usually local area network (LAN) versus wide area network (WAN)
Optimize replication
Knowledge Consistency Checker (KCC) creates and maintains this structure
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 14
NAMING STANDARDS
Lightweight Directory Access Protocol (LDAP)
Standard naming structure and hierarchy
Established by the Internet Engineering Task Force (IETF)
Domain Name System (DNS)
Uniform Resource Locator (URL)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 15
LDAP NAMES
cn=jsmith,ou=sales,dc=cohowinery,dc=com
Diagram: domain cohowinery.com with the OUs Sales and Accounting, and the objects Jeffrey Smith, Guy Gilbert, and Color Printer
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 16
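A parser and builder for LDAP distinguished names of the form shown on the slide. This is an added example, not code from the slide deck or from Microsoft; the escaping rules it implements are those of RFC 4514 (the LDAP string representation of distinguished names), and every DN other than cn=jsmith,ou=sales,dc=cohowinery,dc=com is constructed here. The security-relevant part is escape_rdn_value: a comma or equals sign inside a user-supplied name changes the structure of a DN unless it is escaped, so a DN should be assembled from escaped components rather than by string concatenation.

```python
"""Parse and build LDAP distinguished names like the one on the slide.

Added example, not from the slide deck. The escaping rules follow RFC 4514;
the sample DNs other than cn=jsmith,ou=sales,dc=cohowinery,dc=com are
constructed here.
"""

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):     # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape_value(value):
    """Resolve RFC 4514 escapes: \\X for a special character, \\XX for a byte."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                raw.append(int(pair, 16))          # \XX is one raw byte (UTF-8)
                i += 3
            else:
                raw.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        raw.extend(value[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def parse_dn(dn):
    """Return [(attribute_type, value), ...] from most to least specific.
    Attribute types are case-insensitive in LDAP, so they are lower-cased."""
    parsed = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), unescape_value(value.strip())))
    return parsed


def escape_rdn_value(value):
    """Escape a value so it can be embedded in an RDN without changing the
    DN's structure (the characters RFC 4514 section 2.4 requires escaping)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Inverse of parse_dn for single-valued RDNs, escaping each value."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def dns_domain(parsed):
    """Join the dc= components into the DNS name of the domain."""
    return ".".join(value for attr, value in parsed if attr == "dc")


if __name__ == "__main__":
    dn = "cn=jsmith,ou=sales,dc=cohowinery,dc=com"
    print(parse_dn(dn))
    print(dns_domain(parse_dn(dn)))
    # a display name containing a comma must be escaped, or it would split the DN
    print(build_dn([("cn", "Smith, Jeffrey"), ("ou", "sales"),
                    ("dc", "cohowinery"), ("dc", "com")]))
```

Multi-valued RDNs (joined with `+`) are not handled; for the common single-valued case, parse_dn(build_dn(x)) round-trips x, including values with commas, leading spaces or non-ASCII characters.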
PLANNING FOR ACTIVE DIRECTORY
Logical and physical structure
DNS and Active Directory integration and naming
Functional levels of domains and forests
Trust relationships and models
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 17
STRUCTURING ACTIVE DIRECTORY
Security and administrative goals are important when defining the logical structure:
Group Policy application and inheritance
Delegating administrative control
Permission inheritance
Logical structure often reflects the business or administrative model.
Sites are used to reflect the physical structure of the network.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 18
ROLE OF DNS
Resolves friendly names to Internet Protocol (IP) addresses.
Required by Active Directory.
Domain members use service locator (SRV) records to find domain controllers.
Dynamic DNS (DDNS) is supported and recommended.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 19
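How a domain member turns "find a domain controller" into DNS queries, as an added example that is not part of the slide deck. The SRV names are the ones the Windows DC locator actually queries (the site-specific `_sites` record first when the client knows its site, then the domain-wide record under `_msdcs`); the record set for cohowinery.com is constructed for the example and the selection logic follows RFC 2782. The ordering function is general: it handles any mix of priorities and weights, including zero-weight fallback targets.

```python
"""DC locator SRV names and RFC 2782 target selection.

Added example, not from the slide deck. The SRV names are the ones the
Windows DC locator queries; the record set below is constructed for the
cohowinery.com domain on the slides and does not come from any real zone.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share of load within the same priority
    port: int
    target: str


def dc_locator_names(domain, site=None):
    """Names a domain member resolves to find a DC offering LDAP: the
    site-specific record first (when the client knows its site), then the
    domain-wide record."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_targets(records, rng=None):
    """Order SRV targets as RFC 2782 prescribes: ascending priority, and
    within one priority a weighted random draw so load follows the weights.
    A zero-weight target is only reached after the weighted ones run out."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        group = list(by_priority[priority])
        while group:
            total = sum(rec.weight for rec in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                point = rng.randint(0, total - 1)
                running = 0
                for rec in group:
                    running += rec.weight
                    if point < running:
                        pick = rec
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def first_choice_counts(records, draws, seed=0):
    """How often each target is tried first over many client lookups."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        first = order_targets(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


# Constructed answer for _ldap._tcp.dc._msdcs.cohowinery.com: two DCs in the
# client's site share the load equally; the third, in a remote site, is
# only used when both of them are unreachable.
SAMPLE_RECORDS = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.cohowinery.com"),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.cohowinery.com"),
    SrvRecord(priority=10, weight=100, port=389, target="dc3.cohowinery.com"),
]


if __name__ == "__main__":
    print(dc_locator_names("cohowinery.com", site="Default-First-Site-Name"))
    print([rec.target for rec in order_targets(SAMPLE_RECORDS)])
    print(first_choice_counts(SAMPLE_RECORDS, 1000))
```

Because the whole logon path starts with these records, the DNS zone that holds `_msdcs` is part of the domain's trust base: a member that can be steered to a wrong SRV answer will try to authenticate to whatever the answer names, which is why the slide's "required by Active Directory" should be read as "DNS integrity is a domain security dependency".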
FUNCTIONAL LEVELS
Designed to support downlevel compatibility
Increasing functional level allows for use of new features
Two types of functional level:
Domain functional level
Forest functional level
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 20
DOMAIN FUNCTIONAL LEVELS
Windows 2000 mixed
Windows 2000 native
Windows Server 2003 interim
Windows Server 2003
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 21
WINDOWS 2000 MIXED FUNCTIONAL LEVEL
Domain controllers can run on the following operating systems:
Windows NT Server 4.0
Windows 2000 Server
Windows Server 2003
Features at this functional level include:
Install from media
Application directory partitions
Enhanced user interface (UI)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 22
WINDOWS 2000 NATIVE FUNCTIONAL LEVEL
Domain controllers can run on the following operating systems:
Windows 2000 Server
Windows Server 2003
Features at this functional level include:
Group nesting
Universal groups
Security identifier history (sIDHistory)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 23
WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL
Designed for organizations that have not upgraded to Windows 2000 Active Directory.
Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
Windows 2000 Server domain controllers are NOT allowed.
No extra features over any other functional level.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 24
WINDOWS SERVER 2003 FUNCTIONAL LEVEL
Only Windows Server 2003 domain controllers
Features at this functional level include:
Replicated last logon timestamp
Key Distribution Center (KDC) version numbers
User password on inetOrgPerson objects
Domain renaming
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 25
RAISING THE DOMAIN FUNCTIONAL LEVEL
Must be logged on as a member of the Domain Admins group.
Performed using the Primary Domain Controller (PDC) emulator.
All domain controllers must support the new level.
Irreversible.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 26
FOREST FUNCTIONAL LEVELS
Windows 2000
Windows Server 2003 interim
Windows Server 2003
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 27
WINDOWS 2000 FOREST FUNCTIONAL LEVEL
All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.
Features supported at this functional level include:
Install from media
Universal group caching
Application directory partitions
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 28
WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL
Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
Windows 2000 Server domain controllers are NOT allowed.
Features at this level include:
Improved inter-site topology generator (ISTG)
Improved linked value replication
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 29
WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL
Only Windows Server 2003 domain controllers are supported.
Features at this level include:
Dynamic auxiliary class objects
User objects can be converted to inetOrgPerson objects
Schema redefinitions permitted
Domain renames permitted
Cross-forest trusts permitted
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 30
RAISING THE FOREST FUNCTIONAL LEVEL
Must be logged on as a member of the Enterprise Admins group.
Must be connected to the Schema Operations Master.
All domain controllers must support the new functional level.
Irreversible.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 31
ACTIVE DIRECTORY TRUST MODELS
Transitivity: If A trusts B and B trusts C, then A trusts C
Diagram: Forest Root Domain with Child Domain A and Child Domain C beneath it; Child Domain B beneath A and Child Domain D beneath C
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 32
SHORTCUT TRUST
Diagram: the same hierarchy (Forest Root Domain; Child Domain A and Child Domain C; Child Domain B and Child Domain D) with a shortcut trust directly between Child Domain B and Child Domain D
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 33
WINDOWS NT SERVER 4.0 TRUST MODEL
Diagram: Domain A, Domain B, Domain C, and Domain D with individually created trusts between them
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 34
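The three trust slides (transitivity, the shortcut trust, and the Windows NT Server 4.0 model) as one graph model. This is an added example and not part of the slide deck; the domain labels are the slides' own, and the one rule it encodes is the slides' transitivity statement plus its converse: a chain of two or more hops may only cross transitive trusts, while a Windows NT 4.0 trust is one-way and non-transitive and therefore only ever counts as a direct hop. That a shortcut trust is itself transitive is Active Directory's behaviour, assumed here rather than stated on the slide.

```python
"""Trust transitivity, shortcut trusts and the NT 4.0 model as a graph.

Added example, not from the slide deck. Domain names are the slides'
labels; the search treats a direct trust of either kind as valid and a
multi-hop chain as valid only when every hop is transitive.
"""
from collections import deque


class TrustGraph:
    def __init__(self):
        self.edges = {}   # domain -> {trusted neighbour: is_transitive}

    def add_trust(self, a, b, transitive=True, two_way=True):
        """Record that a trusts b (and b trusts a when two_way)."""
        self.edges.setdefault(a, {})[b] = transitive
        self.edges.setdefault(b, {})            # make sure b exists as a node
        if two_way:
            self.edges[b][a] = transitive

    def trust_path(self, source, target):
        """Shortest chain of trusts through which `source` trusts `target`,
        or None when no such chain exists."""
        if source == target:
            return [source]
        if target in self.edges.get(source, {}):   # direct trust, either kind
            return [source, target]
        seen = {source}
        queue = deque([[source]])
        while queue:                               # breadth-first: shortest first
            path = queue.popleft()
            for nxt, transitive in self.edges.get(path[-1], {}).items():
                if not transitive or nxt in seen:  # non-transitive hops end here
                    continue
                if nxt == target:
                    return path + [nxt]
                seen.add(nxt)
                queue.append(path + [nxt])
        return None


def slide_forest():
    """Parent-child (two-way, transitive) trusts of the slides' forest."""
    g = TrustGraph()
    g.add_trust("Forest Root Domain", "Child Domain A")
    g.add_trust("Forest Root Domain", "Child Domain C")
    g.add_trust("Child Domain A", "Child Domain B")
    g.add_trust("Child Domain C", "Child Domain D")
    return g


def nt4_domains():
    """Windows NT 4.0 trusts are one-way and non-transitive: each pair
    needs its own trust, so trust does not flow through an intermediate."""
    g = TrustGraph()
    g.add_trust("Domain A", "Domain B", transitive=False, two_way=False)
    g.add_trust("Domain B", "Domain C", transitive=False, two_way=False)
    return g


if __name__ == "__main__":
    forest = slide_forest()
    print("B -> D via parent-child trusts:", forest.trust_path("Child Domain B", "Child Domain D"))
    forest.add_trust("Child Domain B", "Child Domain D")   # the slide's shortcut trust
    print("B -> D with shortcut trust:   ", forest.trust_path("Child Domain B", "Child Domain D"))
    nt = nt4_domains()
    print("NT 4.0, A -> C:", nt.trust_path("Domain A", "Domain C"))
```

The path lengths are what the shortcut trust is about: without it, a logon from Child Domain B to a resource in Child Domain D walks four trusts up to the forest root and back down; with it, one. From a defender's side the same search answers the question "which domains can a principal from X reach at all", which is worth running before any trust is added.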
CROSS-FOREST TRUST
New in Windows Server 2003
Trusts between two forests
Requires Windows Server 2003 forest functional level
Uses Kerberos as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 35
SUMMARY
Active Directory is a database (NTDS.dit).
DNS is required by Active Directory.
Schema defines object types and attributes.
Domain and forest functional levels provide a balance between backward compatibility and new functionality.
Active Directory allows for two-way transitive (Kerberos) trusts.
Trusts allow domain hierarchies to be created.
Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.