ACTIVE DIRECTORY - PowerPoint PPT Presentation

Slides: 29
Provided by: TLe

Transcript and Presenter's Notes

Title: ACTIVE DIRECTORY


1
ACTIVE DIRECTORY
  • Terry Lewis
  • tlewis_at_go-eol.com
  • Emergent OnLine, Inc.
  • 703-709-9210 ext 209

2
Microsoft Active Directory Foundations
  • Microsoft Exchange 4.0, 5.0, 5.5
  • Active Directory OLE Preview Oct 97
  • Microsoft Active Directory Rapid Deployment
    Partner (RDP)
  • Windows NT 5.0 Beta 1
  • Windows NT 5.0 Beta 2
  • Windows 2000 Beta 3
  • Windows 2000 RC1/2/3/Gold

3
Agenda
  • What is Active Directory?
  • Management
  • Security
  • Interoperability
  • Additional resources

4
So What IS Active Directory?
Directory Service Functionality
  • Store
  • Organize
  • Manage
  • Control

Database of Network Resources
5
Active Directory Installation
  • Windows 2000 Server or later
  • Run Dcpromo to start Active Directory
    Installation wizard
  • DNS name resolution
  • SRV record

6
Demo: Active Directory Installation Wizard
  • Show the Active Directory Installation wizard

7
Manageability
  • Centralized Management
  • Group Policy
  • Global Catalog
  • IntelliMirror Desktop Management
  • Automated Software Distribution

8
Manageability
  • Active Directory Service Interfaces (ADSI)
  • Backward Compatibility
  • Delegated Administration
  • Multi-Master Replication

9
Security
  • Kerberos Authentication
  • Smart Card Support
  • Transitive Domain Trusts
  • PKI X.509 Infrastructure
  • LDAP over SSL
  • Required Authentication Mechanism
  • Attribute Level Security
  • Domain Spanning Security groups
  • LDAP ACL Support

10
Interoperability
  • DirSync Support
  • Active Directory Connector
  • Open APIs
  • Native LDAP
  • DNS Naming
  • Open Change History
  • DEA Platform
  • DEN Platform
  • Extensible Schema

11
Demo: Centralized Management
  • Browse Active Directory
  • Create objects

12
Active Directory Schema
  • Active Directory Schema Is
  • Defines Objects that can be added to the database
  • Protected by DACLs

Object Class Examples: Computers, Users, Printers
Attribute Examples
Attributes of Users Might Contain: accountExpires, department, distinguishedName, middleName
List of Attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName

13
Demo: Active Directory Schema
  • Browse Active Directory schema
  • Extensibility for DEA

14
Logical Structure
  • Organizational units
  • Domains
  • Trees and forests
  • Global Catalog

15
Organizational Units
[Diagram: OU hierarchies labelled "Organizational Structure" and "Network Administrative Model"; node labels: Vancouver, Sales, Users, Repair, Computers]
  • Group objects into a logical hierarchy that best
    suits the needs of your organization
  • Delegate administrative control over the objects
    within an OU by assigning specific permissions to
    users and groups

16
Demo: Organizational Units
  • Create organizational units
  • Show delegation of administration
  • Administrative Tools and Taskpad views

17
Domains
[Diagram: Windows 2000 Domain; labels: Replication, User1, User2]
  • Contain organizational units
  • Unit of replication
  • Security boundary

18
What Is a Tree?
[Diagram: tree root (parent) domain Emergent.com with child domain sales.emergent.com in a contiguous namespace; labels: Parent, Child, New Domain]
19
What Is a Forest?
  • A Forest Is One or More Trees
  • Trees in a Forest Do Not Share a Contiguous
    Namespace

  • All of The Domains in a Forest Share a Common
    Configuration, Schema, and Global Catalog

[Diagram: a forest of two trees, contoso.msft (with sales.contoso.msft) and nwtraders.msft (with marketing.nwtraders.msft and sales.nwtraders.msft)]

20
Active Directory Partitions
Directory Partitions
  • Schema (Forest): Contains definitions and rules for creating and
    manipulating all objects and attributes
  • Configuration (Forest): Contains information about Active Directory
    structure
  • Domain (Emergent.com): Holds information about all domain-specific
    objects created in Active Directory

21
Global Catalog
  • A DC designated as a GC has knowledge of its own domain
    information (which is complete)
  • Plus it has partial information from all of the other domains
    in the tree

22
Demo: Global Catalog
  • Create a Global Catalog server
  • Set Global Catalog attributes

23
Demo: Manageability
  • Edit Default Domain Group Policy
  • Demo IntelliMirror Desktop Management
  • Demo Automated Software Distribution
  • Show Resultant Summary of Group Policy

24
Active Directory Replication
Multi-master Replication (of changed attributes)
with Loose Convergence
[Diagram: Replication; labels: Domain Controller B, Domain Controller C]
25
When Replication Occurs
  • Default replication latency (change notification):
    5 minutes
  • Scheduled replication: one hour
  • Urgent replication: immediate change
    notification

[Diagram: an originating update on Domain controller A sends change notifications to Domain controllers B and C, which each receive a replicated update]
26
How Kerberos V5 Works
[Diagram: Kerberos Authentication; labels: Emergent.com (Forest Root Domain), KDC, KDC, Session Ticket, marketing.emergent.com, Client, Sales.go-eol.com]
27
Demo: Security
  • Smart Card Support
  • PKI X.509
  • Required Authentication
  • Universal groups

28
Additional Resources
  • 2154A Implementing And Administering Microsoft
    Windows 2000 Directory Services
  • Emergent Consultant and Integration Services