OVERVIEW OF ACTIVE DIRECTORY

Page 1: OVERVIEW OF ACTIVE DIRECTORY

OVERVIEW OF ACTIVE DIRECTORY

Chapter 1

Page 2: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY FUNCTIONS

Directory Services

Used to define, manage, access, and secure network resources.

Resources include: files, printers, groups, people, and applications.

Active Directory

Stored as NTDS.dit on a domain controller.

Used by domain controllers to authenticate users.

Domain controllers store, maintain, and replicate.

Page 3: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY BENEFITS

Centralized administration

Single point of access

Fault tolerance and redundancy

Multiple domain controllers are used

Multi-master replication

Simplified resource location

Page 4: OVERVIEW OF ACTIVE DIRECTORY

CENTRALIZED ADMINISTRATION

Hierarchical organization for ease of administration

Common Microsoft Management Console (MMC) tool set

Active Directory Users And Computers (DSA.MSC)

Active Directory Domains And Trusts (DOMAIN.MSC)

Active Directory Sites And Services (DSSITE.MSC)

Page 5: OVERVIEW OF ACTIVE DIRECTORY

SINGLE POINT OF AUTHENTICATION

Single sign-on

[Figure: authentication to Server1, Server2, and Server3 before directory services versus after directory services, through Active Directory]

Page 6: OVERVIEW OF ACTIVE DIRECTORY

MULTI-MASTER REPLICATION

Active Directory Domain Replication Process

[Figure: three domain controllers, DC1, DC2, and DC3]

1. A change occurs on DC2.

2. DC2 notifies DC1 and DC3 that there is a change to Active Directory.

3. At the next replication interval, DC1 and DC3 request the new database information.

4. DC2 replicates the changes to DC1 and DC3.

5. DC1 and DC3 update their Active Directory database.
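The five steps above as a runnable toy model, added here and not part of the original deck; the per-partner high-watermark (a USN counter on each DC) is an assumed simplification, not a description of AD's real replication metadata.

```python
# Added example (not from the deck): a toy model of the slide's five
# replication steps. The per-partner high-watermark (a USN counter per
# DC) is an assumed simplification, not a description of AD internals.
from dataclasses import dataclass, field

@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # local change counter
    objects: dict = field(default_factory=dict)    # dn -> attribute value
    log: list = field(default_factory=list)        # (usn, dn, value)
    partners: list = field(default_factory=list)
    watermark: dict = field(default_factory=dict)  # partner -> last USN seen
    pending: set = field(default_factory=set)      # partners that notified us

    def originate(self, dn, value):
        # Step 1: a change occurs locally and gets the next USN.
        self.usn += 1
        self.objects[dn] = value
        self.log.append((self.usn, dn, value))
        # Step 2: tell partners a change exists; no data is sent yet.
        for p in self.partners:
            p.pending.add(self.name)

    def changes_since(self, usn):
        return [c for c in self.log if c[0] > usn]

    def replicate(self):
        # Step 3: at the replication interval, request from each notifying
        # partner everything past our high-watermark for that partner.
        for p in self.partners:
            if p.name not in self.pending:
                continue
            # Step 4: the source sends only the changes we do not have.
            for usn, dn, value in p.changes_since(self.watermark.get(p.name, 0)):
                self.objects[dn] = value          # Step 5: update local copy
                self.watermark[p.name] = usn
            self.pending.discard(p.name)

def run_slide_scenario():
    """Return who notified DC1/DC3 and their copies after one cycle."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    for dc in (dc1, dc2, dc3):
        dc.partners = [d for d in (dc1, dc2, dc3) if d is not dc]
    dc2.originate("cn=jsmith,dc=cohowinery,dc=com", "title=Analyst")
    notified = set(dc1.pending) | set(dc3.pending)
    dc1.replicate()
    dc3.replicate()
    return notified, dc1.objects, dc3.objects
```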

Page 7: OVERVIEW OF ACTIVE DIRECTORY

SIMPLIFIED RESOURCE LOCATION

Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.

Search Active Directory to find:

Shared folders

Printers

People (user accounts)

Page 8: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY SCHEMA

Object classes

User accounts

Computer accounts

Printers

Groups

Object attributes

Name

Globally unique identifier (GUID)

Location (for printer)

E-mail address (for users)

Page 9: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY COMPONENTS

[Figure: forest root domain cohowinery.com, child domain north.cohowinery.com, and two IP sites]

Page 10: OVERVIEW OF ACTIVE DIRECTORY

ORGANIZATIONAL UNITS

Container objects

Look like a folder with a book icon in Active Directory Users And Computers

Security is applied to OUs

Inherited by child OUs

Used to control access to that OU or hide subordinate OUs

Allows for the delegation of administrative rights

Page 11: OVERVIEW OF ACTIVE DIRECTORY

DOMAINS

Logical grouping of resources. Form security and replication boundaries.

Individual access control lists (ACLs) for each domain.

Group Policies are typically assigned and inherited within a domain only, not from the forest.

Domain replication is independent of global catalog and schema replication.

Multiple domains may be used by a single organization.

Page 12: OVERVIEW OF ACTIVE DIRECTORY

DOMAINS, TREES, AND A FOREST

[Figure: two domain trees in one forest: contoso.com (parent domain, with child domains west.contoso.com and east.contoso.com and two OUs) and tailspintoys.com; one tree root is also the forest root]

Page 13: OVERVIEW OF ACTIVE DIRECTORY

SITES

Used to reflect the physical network structure

Usually local area network (LAN) versus wide area network (WAN)

Optimize replication

Knowledge Consistency Checker (KCC) creates and maintains this structure

Page 14: OVERVIEW OF ACTIVE DIRECTORY

NAMING STANDARDS

Lightweight Directory Access Protocol (LDAP)

Standard naming structure and hierarchy

Established by the Internet Engineering Task Force (IETF)

Domain Name System (DNS)

Uniform Resource Locator (URL)

Page 15: OVERVIEW OF ACTIVE DIRECTORY

LDAP NAMES

Cn=jsmith,ou=sales,dc=cohowinery,dc=com

[email protected]

[Figure: cohowinery.com domain with Sales and Accounting OUs containing the objects Jeffrey Smith, Guy Gilbert, and Color Printer]
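An added example, not from the deck, that parses the distinguished name above into its relative distinguished names, derives the DNS domain from the dc= components, and checks container membership without fragile suffix matching on raw strings; the escaped-comma DN and the "OU=Sales, DC=..." variant used in the checks are constructed inputs.

```python
# Added example, not from the deck: parse an LDAP distinguished name such as
# the slide's cn=jsmith,ou=sales,dc=cohowinery,dc=com into (type, value) RDNs,
# derive the DNS domain from the dc= components, and test whether an object
# sits inside a container. Attribute types are case-insensitive and RFC 4514
# backslash escapes (e.g. "\," inside a cn) are honoured; hex escapes are not.

def split_dn(dn):
    """Split a DN on unescaped commas; returns a list of (type, value)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")   # only the first '=' separates
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out

def dns_domain(dn):
    """cn=jsmith,ou=sales,dc=cohowinery,dc=com -> 'cohowinery.com'"""
    return ".".join(v for a, v in split_dn(dn) if a == "dc")

def is_under(dn, container_dn):
    """True if dn is inside container_dn (directly or in a nested OU).

    Compares normalised RDNs, so case and spacing differences in how the
    container is written do not change the answer."""
    obj = [(a, v.lower()) for a, v in split_dn(dn)]
    box = [(a, v.lower()) for a, v in split_dn(container_dn)]
    return len(obj) > len(box) and obj[-len(box):] == box
```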

Page 16: OVERVIEW OF ACTIVE DIRECTORY

PLANNING FOR ACTIVE DIRECTORY

Logical and physical structure

DNS and Active Directory integration and naming

Functional levels of domains and forests

Trust relationships and models

Page 17: OVERVIEW OF ACTIVE DIRECTORY

STRUCTURING ACTIVE DIRECTORY

Security and administrative goals are important when defining the logical structure.

Group Policy application and inheritance

Delegating administrative control

Permission inheritance

Logical structure often reflects the business or administrative model.

Sites are used to reflect the physical structure of the network.

Page 18: OVERVIEW OF ACTIVE DIRECTORY

ROLE OF DNS

Resolves friendly names to Internet Protocol (IP) addresses.

Required by Active Directory.

Domain members use service locator (SRV) records to find domain controllers.

Dynamic DNS (DDNS) is supported and recommended.
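An added example (not from the deck) of how a domain member can order the SRV records it receives when locating a domain controller. The _ldap._tcp.dc._msdcs.<domain> and _sites record names are the standard DC locator names; the zone contents, the Seattle site, and the dc1/dc2/dc3 hosts are constructed.

```python
# Added example, not from the deck: how a domain member chooses a domain
# controller from DNS SRV records. Record names use the well-known
# _ldap._tcp[.<site>._sites].dc._msdcs.<domain> pattern; the zone is
# constructed; ordering follows RFC 2782 (priority, then weighted random).
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")
# Constructed zone for the slides' example domain cohowinery.com.
ZONE = {
    "_ldap._tcp.dc._msdcs.cohowinery.com": [
        SRV(0, 100, 389, "dc1.cohowinery.com"),
        SRV(0, 100, 389, "dc2.cohowinery.com"),
        SRV(10, 100, 389, "dc3.cohowinery.com"),   # higher number = tried later
    ],
    "_ldap._tcp.Seattle._sites.dc._msdcs.cohowinery.com": [
        SRV(0, 100, 389, "dc2.cohowinery.com"),
    ],
}

def order_targets(records, rng=random):
    """RFC 2782 ordering: by priority, weighted-random within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            for r in pool:
                pick -= r.weight
                if pick <= 0:
                    break
            ordered.append(r)
            pool.remove(r)
    return ordered

def locate_dcs(domain, site=None, zone=ZONE, rng=random):
    """Return DC hostnames to try; site-specific records come first if present."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    seen, result = set(), []
    for name in names:
        for r in order_targets(zone.get(name, []), rng):
            if r.target not in seen:           # a DC listed twice is tried once
                seen.add(r.target)
                result.append(r.target)
    return result
```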

Page 19: OVERVIEW OF ACTIVE DIRECTORY

FUNCTIONAL LEVELS

Designed to support downlevel compatibility

Increasing functional level allows for use of new features

Two types of functional level

Domain functional level

Forest functional level

Page 20: OVERVIEW OF ACTIVE DIRECTORY

DOMAIN FUNCTIONAL LEVELS

Windows 2000 mixed

Windows 2000 native

Windows Server 2003 interim

Windows Server 2003

Page 21: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS 2000 MIXED FUNCTIONAL LEVEL

Domain controllers can run on the following operating systems:

Windows NT Server 4.0

Windows 2000 Server

Windows Server 2003

Features at this functional level include:

Install from media

Application directory partitions

Enhanced user interface (UI)

Page 22: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS 2000 NATIVE FUNCTIONAL LEVEL

Domain controllers can run on the following operating systems:

Windows 2000 Server

Windows Server 2003

Features at this functional level include:

Group nesting

Universal groups

Security Identifier History (sIDHistory)

Page 23: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL

Designed for organizations that have not upgraded to Windows 2000 Active Directory.

Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.

Windows 2000 Server domain controllers are NOT allowed.

No extra features over any other functional level.

Page 24: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS SERVER 2003 FUNCTIONAL LEVEL

Only Windows Server 2003 domain controllers

Features at this functional level include:

Replicated last logon timestamp

Key Distribution Center (KDC) version numbers

User password on inetOrgPerson objects

Domain renaming

Page 25: OVERVIEW OF ACTIVE DIRECTORY

RAISING THE DOMAIN FUNCTIONAL LEVEL

Must be logged on as a member of the Domain Admins group.

Performed using the Primary Domain Controller (PDC) emulator.

All domain controllers must support the new level.

Irreversible.

Page 26: OVERVIEW OF ACTIVE DIRECTORY

FOREST FUNCTIONAL LEVELS

Windows 2000

Windows Server 2003 interim

Windows Server 2003

Page 27: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS 2000 FOREST FUNCTIONAL LEVEL

All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.

Features supported at this functional level include:

Install from media

Universal group caching

Application directory partitions

Page 28: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL

Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.

Windows 2000 Server domain controllers are NOT allowed.

Features at this level include:

Improved inter-site topology generator (ISTG)

Improved linked value replication

Page 29: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL

Only Windows Server 2003 domain controllers are supported.

Features at this level include:

Dynamic auxiliary class objects

User objects can be converted to inetOrgPerson objects

Schema redefinitions permitted

Domain renames permitted

Cross-forest trusts permitted

Page 30: OVERVIEW OF ACTIVE DIRECTORY

RAISING THE FOREST FUNCTIONAL LEVEL

Must be logged on as a member of the Enterprise Administrators group.

Must be connected to the Schema Operations Master.

All domain controllers must support the new functional level.

Irreversible.

Page 31: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY TRUST MODELS

Transitivity: If A trusts B and B trusts C, then A trusts C

[Figure: Forest Root Domain with Child Domains A, B, C, and D]

Page 32: OVERVIEW OF ACTIVE DIRECTORY

SHORTCUT TRUST

[Figure: Forest Root Domain with Child Domains A, B, C, and D; a shortcut trust between Child Domain B and Child Domain D]
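An added example, not part of the deck, that computes the chain of domains a referral must cross between two domains of the forest drawn on these two slides, with and without the shortcut trust. The tree shape (A and C under the forest root, B under A, D under C) and the B to D shortcut are read off the figures and are assumptions; the non-transitive mesh models the Windows NT Server 4.0 trust model on the next slide.

```python
# Added example, not from the deck: trust paths in the forest of slides 31-32.
# Assumed tree shape: A and C are children of the root, B is under A, D is
# under C; the shortcut trust links B and D. Parent-child and shortcut trusts
# are two-way and transitive; the NT 4.0-style mesh uses non-transitive ones.
from collections import deque

class TrustGraph:
    def __init__(self):
        self.edges = {}            # domain -> {neighbour: transitive?}

    def add_trust(self, a, b, transitive=True):
        self.edges.setdefault(a, {})[b] = transitive
        self.edges.setdefault(b, {})[a] = transitive

    def trust_path(self, src, dst):
        """Shortest chain of domains crossed from src to dst, or None if no
        trust exists. A non-transitive trust can only be the single, direct
        hop between the two endpoints; it cannot be chained through."""
        if src == dst:
            return [src]
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            for nxt, transitive in self.edges.get(path[-1], {}).items():
                if nxt in seen:
                    continue
                if not transitive and not (len(path) == 1 and nxt == dst):
                    continue
                new = path + [nxt]
                if nxt == dst:
                    return new
                seen.add(nxt)
                queue.append(new)
        return None

def forest_from_slides(shortcut=False):
    g = TrustGraph()
    for parent, child in (("Root", "A"), ("Root", "C"), ("A", "B"), ("C", "D")):
        g.add_trust(parent, child)           # parent-child trust: transitive
    if shortcut:
        g.add_trust("B", "D")                # shortcut trust from slide 32
    return g

def nt4_mesh(domains):
    """NT 4.0-style model: every pair needs its own non-transitive trust."""
    g = TrustGraph()
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            g.add_trust(a, b, transitive=False)
    return g
```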

Page 33: OVERVIEW OF ACTIVE DIRECTORY

WINDOWS NT SERVER 4.0 TRUST MODEL

[Figure: Windows NT Server 4.0 trust model with Domain A, Domain B, Domain C, and Domain D]

Page 34: OVERVIEW OF ACTIVE DIRECTORY

CROSS-FOREST TRUST

New in Windows Server 2003

Trusts between two forests

Requires Windows Server 2003 forest functional level

Uses Kerberos as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships

Page 35: OVERVIEW OF ACTIVE DIRECTORY

SUMMARY

Active Directory is a database (NTDS.dit).

DNS is required by Active Directory.

Schema defines object types and attributes.

Domain and forest functional levels provide a balance between backward compatibility and new functionality.

Active Directory allows for two-way transitive (Kerberos) trusts.

Trusts allow domain hierarchies to be created.

Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.