Active Directory and DNS
Lecture 2
Hassan Shuja
09/14/2004

Active Directory (AD)
• Active Directory Definitions/Features
  – Active Directory has two parts
    – A database with information about users and resources
    – A service that manages the database and enables users of computers on the network to access the database
  – Active Directory Features/Advantages
    – Security – Logon process and controlling access to objects
    – Administration – Hierarchical structure
    – Search capabilities – Search AD for an object
    – Scalable – Allows multiple domains, fits a network of any size
    – Flexibility – Grows with your company, allows for additions

Active Directory
• Structure
  – Objects and Classes
    – An object is the smallest component that you can have in AD
    – A class is a template of all attributes of an object when it is created
  – Schema
    – The schema governs the structure of the directory
    – Allows administrators to modify and add new object classes, objects and attributes as needed, making the schema extensible
    – Active Directory Schema is the name of the snap-in in MMC; the schema can only be changed by Schema Admins
  – Global Catalog
    – A master searchable index that contains information about every object in a forest
    – Created by default on the first DC in a domain
    – Contains a full copy of all objects in its own domain and a partial replica of all objects in all other domains in the forest
    – Serves as a central point for user authentication

Active Directory
• AD Organization
  – The smallest component in AD is an object
    – Objects have attributes and are defined by classes
    – Objects have permissions: an ACL that contains information about who has access to the object and what they can do with it
    – Controlling access to an object is different from having access to the object's resources
  – Organizational Units (Container objects)
    – Substructure of domains, arranged hierarchically
    – Used to organize related objects in AD; can also contain other OUs
    – Helps simplify administration

Active Directory
• Object IDs
  – Globally Unique Identifier (GUID) – A 32-digit hexadecimal number assigned to an object at the time of creation and stored with the object. This ensures uniqueness and avoids duplication
  – Security ID (SID) – A unique security ID created by the security subsystem and assigned to users, groups, and computers to grant or deny an object access to other objects

Domain Controller (DC)
• DC Setup
  – All Domain Controllers are equal
  – A change on one DC is replicated to all other DCs
  – Five scenarios in which a DC holds an additional role
    – Relative ID Master
    – Schema Master
    – Infrastructure Master
    – Domain Naming Master
    – PDC Emulator

Domains
• AD Organization
  – Tree
    – A grouping of one or more domains that must have a single root domain
    – Parent-child and child relationships
    – Defined by a common and contiguous namespace
    – A hierarchy of domains sharing a common schema, security trust relationships, and a Global Catalog

Domains
• AD Organization
  – Forest
    – A group of one or more Domain Trees linked together by a trust
    – Two different root domains
    – All Trees share a common schema and Global Catalog
    – The Trees do not have contiguous DNS domain names

Trusts
• NT Domains
  – Each domain had its own accounts
  – You needed an account in every domain whose resources you used, or an administrator had to set up a trust between the domains
  – Trusts were set up explicitly as one-way or two-way trusts
  – These trusts are intransitive

Trusts
• Trusts
  – A logical connection that allows users from one domain to access resources in another domain
  – Can be one-way or two-way
  – Trusting domain and Trusted domain
[Diagram: Trusted Domain (Users) -> Trusting Domain (Resources)]

Trusts
• Intransitive Trusts
  – Domain C trusts Domain B and Domain B trusts Domain A
  – (B has access to resources in C and A has access to resources in B)
  – Domain C does not trust Domain A
  – Intransitive trusts are possible in Windows NT
[Diagram: Domain A - Domain B - Domain C]

Trusts
• Transitive Trusts
  – A trust between two domains in the same Tree/Forest that can extend beyond the two domains to other trusted domains within the same Tree/Forest
  – Always a two-way trust
  – By default all Windows 2000 trusts within a Tree/Forest are transitive
  – Domain A and Domain C trust each other
[Diagram: Domain A - Domain B - Domain C]

Trusts
• Explicit Trusts
  – A trust that is set up by an administrator
  – Connects domains directly to shorten the path between them
  – Can be either transitive or intransitive
  – Used to manage trusts between Windows 2000 and NT domains
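The trust rules on the preceding slides (trusting versus trusted direction, intransitive NT-style trusts, transitive tree/forest trusts, and explicit shortcut trusts) modelled as a small graph search. This is an added example and not part of the lecture; the domain names, the `Trust` class and the `FOREST` layout are constructed for illustration. It goes one step beyond the slides by computing the shortest trust path, which is what an explicit shortcut trust shortens.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: users of `trusted` may access resources in `trusting`."""
    trusting: str      # domain that holds the resources
    trusted: str       # domain whose users are let in
    transitive: bool   # True for Windows 2000 tree/forest trusts, False for NT-style trusts


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    """A two-way trust is just a pair of one-way trusts."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trust_path(trusts: Iterable[Trust], user_domain: str, resource_domain: str) -> Optional[List[str]]:
    """Domains walked from the resource domain to the user domain, or None if no trust applies.

    A direct (one-hop) trust may be transitive or intransitive.  A longer path may only be
    built from transitive trusts, because an intransitive trust is never extended to a third domain.
    """
    if user_domain == resource_domain:
        return [resource_domain]          # same domain: no trust needed
    outgoing = {}                         # trusting domain -> trusts it has granted
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    for t in outgoing.get(resource_domain, []):
        if t.trusted == user_domain:
            return [resource_domain, user_domain]
    queue = deque([[resource_domain]])    # breadth-first search finds the shortest path
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for t in outgoing.get(path[-1], []):
            if not t.transitive or t.trusted in seen:
                continue
            seen.add(t.trusted)
            if t.trusted == user_domain:
                return path + [t.trusted]
            queue.append(path + [t.trusted])
    return None


def hops(trusts: Iterable[Trust], user_domain: str, resource_domain: str) -> Optional[int]:
    """Number of trusts crossed for users of user_domain to reach resource_domain (None = no access)."""
    path = trust_path(trusts, user_domain, resource_domain)
    return None if path is None else len(path) - 1


# Constructed sample forest (not from the lecture): one tree rooted at example.edu,
# a second tree root research.example joined to the forest, and a legacy NT domain.
FOREST = (
    two_way("example.edu", "cs.example.edu")          # parent-child trust, transitive
    + two_way("example.edu", "ee.example.edu")
    + two_way("example.edu", "research.example")      # tree-root trust, transitive
    + [Trust("cs.example.edu", "NTLEGACY", transitive=False)]  # one-way NT trust
)

# An explicit shortcut trust an administrator might add between two leaf domains.
SHORTCUT = two_way("research.example", "cs.example.edu")

if __name__ == "__main__":
    for user, resource in [("cs.example.edu", "ee.example.edu"),
                           ("NTLEGACY", "cs.example.edu"),
                           ("NTLEGACY", "example.edu"),
                           ("cs.example.edu", "NTLEGACY"),
                           ("cs.example.edu", "research.example")]:
        print(f"{user:>16} -> {resource:<18} hops={hops(FOREST, user, resource)}")
    print("with shortcut:", hops(FOREST + SHORTCUT, "cs.example.edu", "research.example"))
```

Running the script shows the three behaviours from the slides: NTLEGACY users reach cs.example.edu resources directly but never example.edu (the intransitive trust stops after one hop), the two child domains reach each other through the parent in two hops, and the shortcut trust reduces the research.example to cs.example.edu path from two hops to one.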

Domain Name System (DNS)
• DNS
  – DNS Structure
    – Based on a hierarchical naming structure (an inverted tree)
    – A single root domain; underneath it are the second-level domains
    – Every computer in a DNS domain is uniquely identified by a Fully Qualified Domain Name (FQDN)
    – Dynamic DNS is supported in W2K
[Diagram: name resolution in steps 1-4 between a Workstation, the Internal UMBC DNS Server, the External UMBC DNS Server, the Root Domain Servers and the External Northrop Grumman DNS Server; labels UMBC, NorthropGrumman, WWW, A B C D]

Domain Name System
• Zone Files and DNS Servers
  – Forward Lookup Zone
    – Contains host name to IP address resolution
  – Reverse Lookup Zone
    – Contains IP address to host name resolution
  – DNS Servers
    – Primary – Maintains the master copy of the zone files
    – Secondary – Keeps a back-up copy of the zone files
    – AD-integrated – DNS entries are kept in the AD data store instead of zone files
  – Scavenge Files
    – Finds and deletes records in a zone that have been stale for a certain amount of time

Active Directory & Domain Name System
• AD & DNS
  – Active Directory and DNS use the same hierarchical structure
  – Typically use the same FQDN
  – DNS records can be stored in Active Directory
  – Clients use DNS to locate Domain Controllers on the network
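The zone concepts from the previous two slides (forward lookup, reverse lookup, scavenging of stale records) and the point that clients locate Domain Controllers through DNS, worked through on a tiny in-memory zone. This is an added example, not lecture material. The zone text is a constructed sample in a simplified format (a trailing refresh date per record is my addition so that scavenging has something to work on), and it goes beyond the slides in one respect: the `_ldap._tcp.dc._msdcs.<domain>` SRV records are the real owner names that Windows clients query to find DCs, which the slide only describes in words.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample zone (not from the lecture). Each line: owner name, record type,
# record data, and the date the record was last refreshed (used for scavenging).
FORWARD_ZONE = """\
; forward lookup zone for example.edu (constructed sample)
dc1.example.edu.                    A    192.0.2.10                   2004-09-01
dc2.example.edu.                    A    192.0.2.11                   2004-09-12
ws42.example.edu.                   A    192.0.2.42                   2004-06-01
_ldap._tcp.dc._msdcs.example.edu.   SRV  0 100 389 dc1.example.edu.   2004-09-01
_ldap._tcp.dc._msdcs.example.edu.   SRV  0 100 389 dc2.example.edu.   2004-09-12
"""


def parse_zone(text):
    """Parse the simplified zone text into a list of record dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        records.append({
            "name": tokens[0].lower(),             # DNS names are case-insensitive
            "type": tokens[1].upper(),
            "data": " ".join(tokens[2:-1]),        # SRV data contains spaces
            "refreshed": datetime.strptime(tokens[-1], "%Y-%m-%d"),
        })
    return records


def forward_lookup(records, fqdn):
    """Forward lookup zone: host name -> list of IP addresses."""
    owner = fqdn.lower().rstrip(".") + "."
    return [r["data"] for r in records if r["type"] == "A" and r["name"] == owner]


def build_reverse_zone(records):
    """Reverse lookup zone derived from the A records: PTR owner name -> host name."""
    return {ipaddress.ip_address(r["data"]).reverse_pointer: r["name"]
            for r in records if r["type"] == "A"}


def reverse_lookup(records, ip):
    """Reverse lookup: IP address -> host name (None if no PTR exists)."""
    return build_reverse_zone(records).get(ipaddress.ip_address(ip).reverse_pointer)


def locate_domain_controllers(records, dns_domain):
    """How a client finds DCs: read the _ldap._tcp.dc._msdcs SRV records, then resolve each target."""
    owner = f"_ldap._tcp.dc._msdcs.{dns_domain.lower().rstrip('.')}."
    dcs = []
    for r in records:
        if r["type"] == "SRV" and r["name"] == owner:
            priority, weight, port, target = r["data"].split()
            dcs.append((target, int(port), forward_lookup(records, target)))
    return dcs


def scavenge(records, now, max_age):
    """Scavenging: keep records refreshed within max_age, drop the rest. Returns (kept, removed)."""
    kept = [r for r in records if now - r["refreshed"] <= max_age]
    removed = [r for r in records if now - r["refreshed"] > max_age]
    return kept, removed


def stale_record_names(text, today, max_age_days):
    """Names of the records that scavenging would delete on `today` (YYYY-MM-DD)."""
    _, removed = scavenge(parse_zone(text), datetime.strptime(today, "%Y-%m-%d"),
                          timedelta(days=max_age_days))
    return sorted(r["name"] for r in removed)


if __name__ == "__main__":
    zone = parse_zone(FORWARD_ZONE)
    print("forward :", forward_lookup(zone, "ws42.example.edu"))
    print("reverse :", reverse_lookup(zone, "192.0.2.42"))
    print("DCs     :", locate_domain_controllers(zone, "example.edu"))
    print("stale   :", stale_record_names(FORWARD_ZONE, "2004-09-14", 30))
```

The reverse zone is derived here from the A records for brevity; on a real server it is a separate zone (`in-addr.arpa`) that must be kept in step with the forward zone, which is one reason AD-integrated, dynamically updated zones are attractive. Note that scavenging only ever removes records whose refresh timestamp is old; a statically entered DC record would normally be excluded from aging altogether.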

Domain Name System
• Namespace
  – Active Directory is based on the concept of a namespace, that is, a name is used to resolve the location of an object
  – Active Directory names correspond to DNS domain names
  – Each name gives the location of the object in Active Directory

Domain Name System
• Naming Conventions
  – Relative Distinguished Name (RDN) – A unique name that is assigned to the object by the administrator when it is created
    – Example – hshuja1
  – Distinguished Name (DN) – Includes the RDN and also the location within Active Directory, such as the OU the user belongs to
    – Example – [email protected]
  – User Principal Name (UPN) – An easier naming convention. Combines the RDN with the domain name; no OU is referenced
    – Example – [email protected]
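The three naming forms above, taken apart programmatically: given a DN, recover the RDN (the object's own name), its container (the OU path, which is the location the DN adds), the DNS domain encoded in the DC= components, and the UPN built from RDN and domain with no OU. This is an added example and not from the lecture; the RDN `hshuja1` is the slide's example, while the OU and the `example.edu` domain in `SAMPLE_DN` are constructed.

```python
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name on commas, honouring backslash-escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape and the escaped character together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """DN -> list of (attribute, value) pairs, most specific RDN first."""
    pairs = []
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn_of(dn: str) -> str:
    """The object's own name: the value of the first RDN."""
    return parse_dn(dn)[0][1]


def container_of(dn: str) -> str:
    """The object's location: everything after the first RDN (OUs and domain components)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def dns_domain_of(dn: str) -> str:
    """The DNS domain name spelled out by the DC= components, in order."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def upn_of(dn: str) -> str:
    """UPN = RDN @ DNS domain; the OU path is not referenced."""
    return f"{rdn_of(dn)}@{dns_domain_of(dn)}"


# Constructed sample DN (the RDN hshuja1 is the slide's example; OU and domain are made up).
SAMPLE_DN = "CN=hshuja1,OU=Students,DC=example,DC=edu"

if __name__ == "__main__":
    print("RDN:      ", rdn_of(SAMPLE_DN))
    print("Container:", container_of(SAMPLE_DN))
    print("Domain:   ", dns_domain_of(SAMPLE_DN))
    print("UPN:      ", upn_of(SAMPLE_DN))
```

The escape handling matters in practice: a display name such as `Shuja, Hassan` contains a comma and appears in a DN as `CN=Shuja\, Hassan`, so splitting naively on commas would produce a wrong RDN and a wrong container. The UPN avoids the whole problem because it never carries the OU path, which is what the slide means by "easier".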