
Page 1: Welcome to this TechNet Event

Welcome to this TechNet Event

FREE bi-weekly technical newsletter

FREE regular technical events hosted across the UK

FREE weekly UK & US led technical webcasts

FREE comprehensive technical web site

Monthly CD / DVD subscription with the latest technical tools & resources

FREE quarterly technical magazine

We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:

To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break

Page 2

Understanding the Active Directory Platform in the Real World

John Howard, Mark Cribben, Mike Brannigan

Microsoft UK

Page 3

Today’s Sessions

Architectural Overview

Recommended design practices

In-place upgrades

Lunch: The Business case for Active Directory

Directory migration

Extending the value of the directory

Managing and Securing Active Directory


Page 5

Introduction to Directories

What is a directory?
– At a basic level, a structured way of organising useful information. The classic example is a telephone directory.

What a directory is not
– It is not a database. Although they share common features, the emphasis between the two is different.

Types of directory
– NOS-based directories
– Application directories
– General-purpose directories

Page 6

Directories vs. Databases

Page 7

Common uses for directories

NOS
– Core directory service for network management and administration
– Authentication of network users
– Examples such as Active Directory and eDirectory

Application
– Specific applications that store configuration information without the need for a database
– Examples include firewalls, HR applications

General purpose
– Internal white pages
– A driver for provisioning
– Simple applications for which a directory is better suited than a database

Page 8

Introduction to LDAP

Firstly, it is a protocol defined through RFCs

Secondly, it is a set of four models
– An information model to describe what you can put in the directory
– A naming model that describes how data is arranged within the directory
– A functional model that describes what you can do with the data
– A security model that defines how the data in the directory can be protected from unauthorised access

Page 9

LDAP Protocol - 1

A message-oriented protocol

The LDAP protocol consists of 9 basic operations divided into 3 categories:
– Interrogation operations: search, compare
– Update operations: add, delete, modify, modify DN (rename)
– Authentication and control: bind, unbind, abandon

(LDAPv3 adds a tenth, the extended operation, which is how StartTLS is negotiated on the plain port 389 before credentials are sent.)

Page 10

LDAP Protocol - 2

A typical LDAP exchange

1. Open connection and bind
2. Result of bind operation
3. Search operation
4. Entries returned
5. Result of search operation
6. Unbind operation
7. Close connection
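The exchange on this slide, as an added example that is not part of the original deck: a small Python encoder and decoder for the LDAPv3 messages involved (RFC 4511 BER encoding), using only the standard library. The directory name dc=contoso,dc=com, the account cn=reader, its password and the user alice are assumptions, and the server's replies are constructed here rather than captured. Decoding the BindRequest also shows the point the deck's security model bullet is getting at: a simple bind carries the password as a plain OCTET STRING, so without TLS (or StartTLS) anyone on the path reads it.

```python
"""LDAP BER encode/decode for the bind / search / unbind exchange on the slide.
Added example, stdlib only. Names (dc=contoso,dc=com, cn=reader, alice) are assumed."""

INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, SET, BOOLEAN = 0x02, 0x04, 0x0A, 0x30, 0x31, 0x01
# [APPLICATION n] protocolOp tags from RFC 4511; constructed (0x60 | n) except UnbindRequest, a primitive NULL
BIND_REQUEST, BIND_RESPONSE, UNBIND_REQUEST = 0x60, 0x61, 0x42
SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x63, 0x64, 0x65
SIMPLE_AUTH = 0x80      # AuthenticationChoice simple [0] OCTET STRING (password in the clear)
EQUALITY_MATCH = 0xA3   # Filter equalityMatch [3] AttributeValueAssertion


def ber_len(n):
    """Definite-form length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def integer(v, tag=INTEGER):
    """Two's-complement INTEGER / ENUMERATED in the minimal number of octets."""
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def octets(s, tag=OCTET_STRING):
    return tlv(tag, s.encode("utf-8"))


def boolean(b):
    return tlv(BOOLEAN, b"\xff" if b else b"\x00")


def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(SEQUENCE, integer(msg_id) + protocol_op)


def ldap_result(tag, result_code, matched_dn="", diagnostic=""):
    return tlv(tag, integer(result_code, ENUMERATED) + octets(matched_dn) + octets(diagnostic))


def bind_request(msg_id, dn, password):
    """Step 1: simple bind, LDAP version 3."""
    return ldap_message(msg_id, tlv(BIND_REQUEST, integer(3) + octets(dn) + octets(password, SIMPLE_AUTH)))


def search_request(msg_id, base_dn, attr, value, attributes):
    """Step 3: wholeSubtree search with an equality filter (attr=value), asking for `attributes`."""
    filt = tlv(EQUALITY_MATCH, octets(attr) + octets(value))
    wanted = tlv(SEQUENCE, b"".join(octets(a) for a in attributes))
    body = (octets(base_dn) + integer(2, ENUMERATED)      # scope: wholeSubtree
            + integer(0, ENUMERATED)                     # derefAliases: neverDerefAliases
            + integer(0) + integer(0) + boolean(False)   # sizeLimit, timeLimit, typesOnly
            + filt + wanted)
    return ldap_message(msg_id, tlv(SEARCH_REQUEST, body))


def search_entry(msg_id, dn, attrs):
    """Step 4: one SearchResultEntry; attrs maps attribute type -> list of values."""
    partial = b"".join(tlv(SEQUENCE, octets(t) + tlv(SET, b"".join(octets(v) for v in vals)))
                       for t, vals in attrs.items())
    return ldap_message(msg_id, tlv(SEARCH_ENTRY, octets(dn) + tlv(SEQUENCE, partial)))


def unbind_request(msg_id):
    """Step 6: UnbindRequest ::= [APPLICATION 2] NULL. No response; the client then closes the TCP connection."""
    return ldap_message(msg_id, tlv(UNBIND_REQUEST, b""))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_message(buf):
    """Split one LDAPMessage into (messageID, protocolOp tag, protocolOp content)."""
    tag, content, _ = read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, id_bytes, pos = read_tlv(content)
    op_tag, op_content, _ = read_tlv(content, pos)
    return int.from_bytes(id_bytes, "big", signed=True), op_tag, op_content


def bind_credentials(msg):
    """What a passive observer of a simple bind sees: the DN and the cleartext password.
    Returns (dn, password) for a simple bind, (dn, None) for SASL, None for other operations."""
    _, op_tag, body = decode_message(msg)
    if op_tag != BIND_REQUEST:
        return None
    _, _, pos = read_tlv(body)                 # version
    _, dn, pos = read_tlv(body, pos)           # name
    auth_tag, cred, _ = read_tlv(body, pos)    # authentication
    return dn.decode(), (cred.decode() if auth_tag == SIMPLE_AUTH else None)


def typical_exchange():
    """Steps 1-6 of the slide as (direction, bytes). The server side is constructed here, not captured."""
    base = "dc=contoso,dc=com"   # assumed directory
    return [
        ("C->S", bind_request(1, "cn=reader," + base, "Passw0rd")),
        ("S->C", ldap_message(1, ldap_result(BIND_RESPONSE, 0))),               # resultCode success
        ("C->S", search_request(2, base, "sAMAccountName", "alice", ["cn", "mail"])),
        ("S->C", search_entry(2, "cn=alice," + base, {"cn": ["alice"], "mail": ["alice@contoso.com"]})),
        ("S->C", ldap_message(2, ldap_result(SEARCH_DONE, 0))),
        ("C->S", unbind_request(3)),
    ]


if __name__ == "__main__":
    for direction, msg in typical_exchange():
        print(direction, decode_message(msg)[:2], msg.hex())
    print("visible on the wire:", bind_credentials(typical_exchange()[0][1]))
```

Each message carries the messageID of the request it answers, which is how a client matches the two SearchResultEntry / SearchResultDone replies to the search it sent, and why abandon can name the operation it cancels. The anonymous bind `bind_request(1, "", "")` encodes to the well-known 14 bytes `300c020101600702010304008000`, a handy signature when reading a packet capture.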

Page 11

LDAP compliance

A common request these days, but what does it mean?
– As with all things, it depends on a number of things. Principally, though, the question is "do you conform to the LDAP standards as defined in the RFCs?"
– Open Group / DIF (Directory Interoperability Forum) test certifications: LDAP Ready and LDAP Certified.
– Dependent on the standards. Compliant does not mean you implement every possible RFC for a technology, rather that you meet the required standards.

Page 12

Providers of directories

There are a number of commercial LDAP directory products available today including:

– Microsoft Active Directory and ADAM

– Computer Associates eTrust Directory 8

– IBM Tivoli Directory Server 5.x

– Nexor Directory 5.1

– Novell eDirectory 8.7.x

– Oracle Internet Directory v 10g

– Sun Microsystems Sun ONE Directory Server 5.2

Plus there are non-commercial products:

– OpenLDAP

Page 13

Typical Company scenario

Network
– Probably a directory of some description providing authentication services and network management for all users in the company

HR
– A significant number of companies have an HR system that is separate from the network directory.

Firewall
– Several firewall products use authentication to determine internet access permissions. These are stored in a directory

Applications
– Commercial applications may be deployed that provide a specific function in the company and ship with their own directory.
– In-house applications such as a provisioning application or a white pages or "global directory"

Without realising it, most organisations are now awash with directories.

Page 14

The directory challenges! (1)

Management

– How accurate is the data? Who is responsible for inputting the data? How current is the data? How available is the directory?

Information consistency

– Identities that are shared between multiple directories can become inconsistent. Representation of common data.

Interoperability

– How accessible is the data?

Synchronisation

– Do we have the right information? Where is the authoritative data stored? Synchronisation rules? Synchronisation logic?

Page 15

The directory challenges! (2)

Ownership

– Who owns the data? Are they happy to share it?

Security

– How do we secure the data in the directory? Is access control important for the data stored?

Extending the directory

– How do we extend the directory? Do schema extensions clash? Are the extensions universally important?

Use

– How do we use the directory effectively? Are we doing all that we can with the directories we have?

Page 16

What is Active Directory?

Microsoft’s core directory service offering

–Enterprise capable NOS Directory Service providing network authentication, authorisation, location and application services

–Available since 2000 as part of Windows 2000 Server

–Supports LDAP v2 and v3 industry standards

–Ships free as part of the Windows Server Operating System

Page 17

AD concepts – 1 (Logical)

Boundaries
– Security
– Administrative

Forest
– A forest is the security boundary for a single Active Directory deployment.
– Shared schema and configuration
– A single, logical entity
– Comprised of one or more domain trees

Domain
– A domain is an administrative boundary within an AD forest (the forest, not the domain, is the security boundary: an administrator of any domain in the forest can affect the forest as a whole).
– Boundary for password / security policy
– Partition / control replication of AD data

Page 18

AD concepts – 2 (Logical)

Tree
– AD domains are logically organised in trees

A tree is a contiguous DNS-based name space, e.g. ad.microsoft.com is the forest root domain. It has two child domains that form a single domain tree within the forest: eu.ad.microsoft.com and na.ad.microsoft.com

(Diagram: ad.microsoft.com at the top, with eu.ad.microsoft.com and na.ad.microsoft.com beneath it.)

Page 19

AD concepts – 3 (Logical)

Organisational Units (OUs)

–A way of further partitioning data within a domain for the purposes of delegating administration or applying Group Policy

–Hierarchical within the domain

–Can be easily moved or renamed

Page 20

AD concepts – 4 (Logical)

Schema
– The definition of the objects that can be created within a forest, e.g. users, computers, printers.
– The boundaries of the individual attributes.
– Default permissions on attributes
– Unique OIDs are essential.
– Once defined, cannot be removed from AD
– Objects and attributes can be deactivated in Windows Server 2003

Page 21

AD concepts – 5 (Logical)

Trusts. Defines the relationship between different logical components of an AD installation.
– Within a forest all domains trust each other (two-way, transitive trusts created automatically).
– External trusts (non-transitive, to a single domain in another forest or a Windows NT domain)
– Forest trusts (Windows Server 2003; transitive between two forests)
– Kerberos trusts (realm trusts to a non-Windows Kerberos realm)

Page 22

AD concepts – 6 (Physical)

Sites
– A logical representation of the physical nature of your underlying network infrastructure.
– Used for controlling the authentication process, replication and access to "local" resources.
– Requires defining IP subnets.

Domain Controllers (DCs)
– Servers that physically host the directory.
– Replicate directory information
– Authoritative for their domain NC (naming context)
– Writable (operations such as creating new objects or updating existing objects)

Global Catalog (GC)
– A DC that holds partial, read-only copies of the other domain NCs in the forest (only the attributes marked for the GC in the schema) as well as the writable copy of the domain NC for which it is authoritative.
– An easy and known way to search the forest for information (LDAP on port 3268, or 3269 over SSL)

Page 23

AD and DNS

DNS is a name resolution service and is separate from AD.
– Used to provide the name space rules for AD
– Used to locate AD and AD resources (domain members find domain controllers, Kerberos KDCs and Global Catalogs through SRV records under _msdcs.<domain>, so the integrity of DNS is a precondition for the security of AD)

DNS information can be stored in AD
– Can improve the security of DNS information: AD-integrated zones support secure dynamic updates, so only the authenticated computer that registered a record can change it, and the zone data is protected by AD ACLs
– Improves replication / transfer of zone data: the zone replicates with AD instead of by zone transfer
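The "locate AD and AD resources" bullet, as an added example that is not part of the original deck: the SRV names a domain member queries to find a domain controller, and how the answers are ranked. It is stdlib-only Python and works on a constructed zone (the deck's own ad.microsoft.com / eu.ad.microsoft.com names, with an assumed site called London) instead of a live DNS server. The ranking is the RFC 2782 rule, lowest priority first; within a priority the RFC selects at random in proportion to weight, and this version simply prefers the higher weight so that the result is deterministic.

```python
"""DC locator as DNS SRV lookups: which names a domain member asks for, and how answers are ranked.
Added example, stdlib only, with a constructed zone instead of a live DNS server."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain, service="_ldap", site=None, gc_forest=None):
    """SRV owner names that Netlogon registers under _msdcs, most specific first.
    service is _ldap or _kerberos; gc_forest switches to the Global Catalog names for that forest."""
    suffix = f"gc._msdcs.{gc_forest}" if gc_forest else f"dc._msdcs.{domain}"
    names = []
    if site:                                   # the client's own site is tried first
        names.append(f"{service}._tcp.{site}._sites.{suffix}")
    names.append(f"{service}._tcp.{suffix}")   # then any DC in the domain (or any GC in the forest)
    return names


def parse_srv(zone_lines):
    """Parse zone-file style lines '<owner> IN SRV <priority> <weight> <port> <target>'."""
    records = []
    for line in zone_lines:
        parts = line.split()
        if len(parts) == 7 and parts[1:3] == ["IN", "SRV"]:
            records.append(SrvRecord(parts[0].rstrip(".").lower(), int(parts[3]), int(parts[4]),
                                     int(parts[5]), parts[6].rstrip(".")))
    return records


def rank(records, name):
    """RFC 2782 ordering: lowest priority first. Within a priority the RFC picks at random in
    proportion to weight; this deterministic version simply prefers the higher weight."""
    return sorted((r for r in records if r.name == name.lower()), key=lambda r: (r.priority, -r.weight))


def locate_dc(records, domain, service="_ldap", site=None, gc_forest=None):
    """Walk the locator names in order; return the first that has answers, with ranked (host, port) pairs."""
    for name in dc_locator_names(domain, service, site, gc_forest):
        ranked = rank(records, name)
        if ranked:
            return name, [(r.target, r.port) for r in ranked]
    return None, []


# Constructed zone for the deck's example forest: root ad.microsoft.com, child eu.ad.microsoft.com,
# one site called London. Not real DNS data.
SAMPLE_ZONE = [
    "_ldap._tcp.London._sites.dc._msdcs.eu.ad.microsoft.com. IN SRV 0 100 389 dc1.eu.ad.microsoft.com.",
    "_ldap._tcp.London._sites.dc._msdcs.eu.ad.microsoft.com. IN SRV 0 50 389 dc2.eu.ad.microsoft.com.",
    "_ldap._tcp.dc._msdcs.eu.ad.microsoft.com. IN SRV 0 100 389 dc1.eu.ad.microsoft.com.",
    "_ldap._tcp.dc._msdcs.eu.ad.microsoft.com. IN SRV 0 100 389 dc2.eu.ad.microsoft.com.",
    "_ldap._tcp.dc._msdcs.eu.ad.microsoft.com. IN SRV 10 100 389 dc3.eu.ad.microsoft.com.",  # backup DC
    "_kerberos._tcp.dc._msdcs.eu.ad.microsoft.com. IN SRV 0 100 88 dc1.eu.ad.microsoft.com.",
    "_ldap._tcp.gc._msdcs.ad.microsoft.com. IN SRV 0 100 3268 dc1.eu.ad.microsoft.com.",
]


if __name__ == "__main__":
    zone = parse_srv(SAMPLE_ZONE)
    print(locate_dc(zone, "eu.ad.microsoft.com", site="London"))
    print(locate_dc(zone, "eu.ad.microsoft.com", site="Paris"))   # no Paris DCs: falls back to domain-wide
    print(locate_dc(zone, "eu.ad.microsoft.com", gc_forest="ad.microsoft.com"))
```

A client in a site with no DC of its own falls through to the domain-wide name, which is why the slide ties sites to "controlling the authentication process". The same walk also shows what an attacker who controls DNS answers for these names can do: every step of logon trusts whatever target DNS returns, which is the reason the deck's next bullet about securing DNS data in AD matters.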

Page 24

How AD distributes data

Domain Controllers
– DCs are distributed around the organisation to facilitate local operations

Replication
– The mechanism for ensuring all DCs contain up-to-date information
– Multimaster, loose consistency with convergence
– Intra-site replication for DCs in the same site
– Inter-site replication between sites

Page 25

Roles for AD

NOS

– Primary role for managing the network, users and machines

Authentication

– Provides the authentication service for the network.

– Default in Active Directory is Kerberos

– Can also be utilised as an authentication service for other applications

Application

– AD can be extended to support applications

– A number of MS applications utilise AD (Exchange, SMS, ISA to name a few)

Page 26

Scalability

AD as a NOS directory has the capacity to handle any organisation
– Tested with millions of objects
– Technically could support 1 billion objects!
– Currently supporting many of the largest companies in the world

There are some technical limitations for some objects
– Number of DCs in a domain
– Number of DNS name servers
– Number of groups a user can belong to (a user's access token holds a fixed maximum of roughly 1,000 group SIDs; a user over that limit cannot log on)
– Number of users in a group*

* In Windows 2000 a group is limited to roughly 5,000 direct members, because the whole member attribute replicates as a single value; the Windows Server 2003 forest functional level introduces linked-value replication, which removes that limit.

Page 27

The Microsoft directory strategy

(Diagram: two layers, the products on top of the capabilities they deliver.)

Directory Technologies
– Active Directory
– ADAM
– MIIS
– IIFP
– ADFS
– GPMC

Directory Architecture
– Federation
– Synchronisation
– Authorisation
– Provisioning
– Security
– Management
– Authentication

Page 28

Getting to a Single Directory

Very difficult in the enterprise

–Existing application requirements

–Scope of application (local vs. global)

–Schema requirements

–Control of application/identity information

How to deal with multiple account stores

– Infrastructure Directory – Global

–Application Directories – Local to Application

–Meta-Directory – Integration/Business Process

Page 29

Where We Are Today

Directories deployed per-app; little re-use

Provisioning, sync are ad-hoc

(Diagram: Active Directory provides centralized management and policy & SSO for Windows. Alongside it sit a portal application and a whitepages service on generic LDAP-based stores, an HR/ERP app on a database, Outlook/Exchange over MAPI, and iPlanet and eDirectory LDAP servers. Provisioning between them is non-existent and synchronisation is ad-hoc, fed by a generic dump from the HR/ERP database.)

Page 30

The Solution

(Diagram: Active Directory is the Infrastructure Directory. MIIS 2003 provides integration services and centralized identity management, synchronising identities between Active Directory, the HR/ERP app's database, and the application directories (App DS) that DS-enabled apps access: ADAM instances and 3rd-party directory servers.)
