Transcript and Presenter's Notes

Title: Advanced LAN Spring 07


1
Advanced LAN Spring 07
  • Introductions
  • Course Outline
  • Syllabus
  • Grading
  • Attendance
  • Exams
  • Chapter 1

2
Advanced LAN Spring 07
  • Jim McGinnis MS IS
  • CISM, CNE, MCP
  • Office BU 321
  • Office Hours By Appointment
  • jmcginnis_at_astate.edu or jimmcginnis_at_sbcglobal.net
  • Who are you

3
Goals
  • Introduce Active Directory
  • Identify the functions and features of Active
    Directory
  • Introduce Active Directory architecture
  • Introduce Active Directory objects
  • Examine the logical and physical structure of
    Active Directory
  • Examine more Active Directory concepts
  • Plan a domain structure
  • Plan a domain namespace
  • Examine guidelines for planning a site structure

4
(Skill 1)
Introducing Active Directory
  • Active Directory database
  • Stores information about users, groups, domains,
    and objects on a network
  • Allows you to centrally access and administer the
    information
  • Provides a unique identity for each object,
    called a Security ID (SID)

5
(Skill 1)
Introducing Active Directory (2)
  • Active Directory database
  • Allows you to access and administer the directory
    service globally, unlike decentralized network
    models
  • Reduces the effort required to complete
    day-to-day administrative tasks, such as managing
    users and resources

6
(Skill 1)
Figure 1-1 Active Directory
7
(Skill 1)
Introducing Active Directory (3)
  • Windows NT
  • Introduced the concept of a directory service
    based on domains that provide a single point of
    authentication for all users on a network
  • Limitations prevent it from being used
    effectively in large networks
  • Has only one writable copy of the database, which
    leads to a single point of failure for Write
    operations
  • Trust relationships between domains must be built
    manually

8
(Skill 1)
Introducing Active Directory (4)
  • Active Directory's advantages over Windows NT
  • Most trust relationships within a single forest
    are created automatically
  • Makes it possible for Active Directory to provide
    scalability in large business organizations

9
(Skill 2)
Identifying the Functions and Features of Active
Directory
  • Active Directory features make it a reliable and
    secure directory service
  • Policy-based administration
  • Active Directory makes network administration
    easier by using Group Policies
  • Using this feature, an administrator can make
    complex modifications to the user's environment,
    assign rights, configure network security, and
    install software for collections of users or
    computers

10
(Skill 2)
Identifying the Functions and Features of Active
Directory (2)
  • Active Directory features make it a reliable and
    secure directory service
  • Increased security of information
  • Windows Server 2003 supports protection of both
    stored data and network data
  • Stored data can be protected using Encrypting
    File System (EFS) and permissions

11
(Skill 2)
Identifying the Functions and Features of Active
Directory (3)
  • Active Directory features make it a reliable and
    secure directory service
  • Integration with Domain Name System (DNS)
  • DNS is a naming service that translates host
    names into numeric IP addresses
  • Active Directory uses standard DNS naming
    conventions for domains

12
(Skill 2)
Identifying the Functions and Features of Active
Directory (4)
  • Active Directory features make it a reliable and
    secure directory service
  • Extensibility
  • Active Directory allows nearly any type of
    information to be added to the database because
    it has an extensible schema
  • Schema contains a list of all possible object
    types (object classes), their attributes, and
    relationships allowed between objects

13
(Skill 2)
Identifying the Functions and Features of Active
Directory (5)
  • Active Directory features make it a reliable and
    secure directory service
  • Scalability
  • Active Directory can store anywhere from a small
    number to millions of objects
  • An object automatically inherits the permissions
    of the container into which it is placed

14
(Skill 2)
Identifying the Functions and Features of Active
Directory (6)
  • Active Directory features make it a reliable and
    secure directory service
  • Information replication
  • Active Directory automatically replicates the
    contents of its database across every domain
    controller in the domain
  • Compatibility with other directory services
  • Active Directory is based on protocols, such as
    LDAP, HTTP, and NSPI, so it is compatible with
    other directory services that use these protocols

15
(Skill 2)
Identifying the Functions and Features of Active
Directory (7)
  • Active Directory features make it a reliable and
    secure directory service
  • Mutual authentication
  • Active Directory utilizes Kerberos as the default
    authentication mechanism
  • Kerberos is an industry-standard, high-security
    mutual authentication mechanism that provides
    increased security for logon information

16
(Skill 3)
Introducing Active Directory Architecture
  • Windows Server 2003 architecture has two primary
    layers
  • User mode
  • Kernel mode

17
(Skill 3)
Introducing Active Directory Architecture (2)
  • User mode layer
  • The interface between applications and the kernel
    mode layer
  • Accepts requests from an application and forwards
    them to the kernel for processing

18
(Skill 3)
Introducing Active Directory Architecture (5)
  • Kernel mode layer
  • Communicates with system data and hardware to
    process any input/output requests made by a user
  • Operates in a protected area of memory
  • Is responsible for executing I/O requests
  • Prioritizes hardware and software interrupts
    based on the precedence of the application or
    service making the request

19
(Skill 3)
Introducing Active Directory Architecture (6)
  • Components of the kernel mode layer
  • Executive
  • Performs I/O functions, object management, and
    security functions
  • Has a number of subcomponents
  • Provides security guidelines for the user mode
    layer

20
(Skill 3)
Introducing Active Directory Architecture (7)
  • Components of the kernel mode layer
  • Microkernel, which manages the computer's
    processors
  • Kernel mode drivers, which take requests from
    applications and translate them into hardware
    functions
  • Hardware Abstraction Layer (HAL), which provides
    the interface between the other software layers
    and the core hardware

21
(Skill 3)
Introducing Active Directory Architecture (8)
  • Active Directory is made up of three service
    layers and the underlying Data Store
  • Directory System Agent (DSA)
  • Provides the interface for application calls made
    to the directory
  • Supports the protocols that enable clients to
    gain access to the Active Directory
  • LDAP/ADSI
  • SAM
  • MAPI
  • REPL

22
(Skill 3)
Introducing Active Directory Architecture (9)
  • Database Layer
  • Access calls to the database go through the
    Database Layer
  • Acts as an abstraction layer between the
    applications that make the access calls and the
    database
  • Extensible Storage Engine (ESE)
  • Has direct contact with the records in the
    directory data store
  • Based on an object's relative distinguished name
    attribute

23
(Skill 3)
Introducing Active Directory Architecture (10)
  • Data Store (Ntds.dit)
  • Contains the records that make up the Active
    Directory database
  • Stored by default in the \systemroot\NTDS
    folder on the domain controller
  • Administered from Active Directory Restore Mode
    using Ntdsutil.exe, located in the system32
    folder in the systemroot folder

24
(Skill 4)
Introducing Active Directory Objects
  • Active Directory
  • Treats each domain resource as an object
  • Each object is represented by distinct
    characteristics known as attributes

25
(Skill 4)
Introducing Active Directory Objects (2)
  • Types of Active Directory objects
  • User accounts
  • Store the logon information for the users in a
    domain
  • A domain acts as a security boundary: assuming no
    trusts are in place, users can only access
    objects within their own domain

26
(Skill 4)
Figure 1-4 Objects and their attributes
27
(Skill 4)
Introducing Active Directory Objects (3)
  • Types of Active Directory objects
  • Contacts
  • Used to store information about any person or
    organization that has business relations with
    your organization
  • Contacts information includes name, address,
    telephone number, and e-mail address

28
(Skill 4)
Introducing Active Directory Objects (4)
  • Types of Active Directory objects
  • Computers
  • Computer objects store information about
    computers that are members of a domain
  • Information includes computer name, description,
    and other attributes

29
(Skill 4)
Introducing Active Directory Objects (5)
  • Types of Active Directory objects
  • Groups
  • Used to apply permissions across large numbers of
    users, computers, and groups
  • They are not strictly containers, but have
    membership lists that define which objects are
    members of the group

30
(Skill 4)
Introducing Active Directory Objects (6)
  • Types of Active Directory objects
  • Published folders
  • Shared folders that have been listed in Active
    Directory
  • When you publish a folder in Active Directory,
    you create an object that stores a pointer to the
    folder

31
(Skill 4)
Introducing Active Directory Objects (7)
  • Types of Active Directory objects
  • Printers
  • A printer is represented by a printer object that
    contains a pointer to the printer on a computer
  • A Windows Server 2003 print server automatically
    detects and publishes printers to Active
    Directory

32
(Skill 4)
Introducing Active Directory Objects (8)
  • Types of Active Directory objects
  • Domain controllers
  • A Windows Server 2003 computer that authenticates
    user logon attempts and exchanges the directory
    information with other domain controllers
  • Exchanging directory information is called
    replication
  • In Active Directory, domain controllers use
    multimaster replication to exchange directory
    information with other domain controllers in a
    domain
  • No single domain controller is responsible for
    replication and all of the domain controllers act
    as peers

33
(Skill 4)
Introducing Active Directory Objects (9)
  • Types of Active Directory objects
  • Domain controllers
  • Each domain controller is represented by a Domain
    Controller object in Active Directory
  • You can store the Domain Name System (DNS) name,
    pre-Windows Server 2003 name, operating system
    version, location, and name of the administrator
    in this object
  • Domain controllers also handle a user's
    interactions with a domain, such as locating
    objects and logon requests

34
(Skill 4)
Introducing Active Directory Objects (10)
  • Types of Active Directory objects
  • Organizational units (OUs)
  • Container objects that can store groups, users,
    computers, and other OUs
  • Used to organize the objects in the domain, to
    delegate control over a small portion of the
    domain, and to apply Group Policy to a select
    group of objects
  • Only one OU exists by default
  • It is recommended that you create additional OUs
    based on your administrative needs

35
(Skill 4)
Figure 1-5 A typical Active Directory hierarchy
36
(Skill 4)
Figure 1-6 Active Directory objects
37
(Skill 4)
Introducing Active Directory Objects (11)
  • In Active Directory, you use names to locate
    objects in a network
  • Naming conventions that Active Directory supports
  • Distinguished name (DN)
  • A unique name for every object in a network
  • It includes the name of the domain that holds the
    object and the complete path to the object
    through the container hierarchy

38
(Skill 4)
Introducing Active Directory Objects (12)
  • Naming conventions that Active Directory supports
  • Relative distinguished name (RDN)
  • Derived from the DN
  • The RDN of an object is simply the object's name
  • Globally unique identifier (GUID)
  • A unique 128-bit number assigned to an object at
    the time of its creation
  • The GUID for an object does not change even when
    you move or rename the object

39
(Skill 4)
Introducing Active Directory Objects (13)
  • Naming conventions that Active Directory supports
  • User principal name (UPN)
  • Consists of the first name and last name
    attributes for a user
  • Is followed by the UPN suffix, which is usually
    the DNS name of the domain where the user is located
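The naming conventions on the slides above, worked through in code. This is an added example, not material from the deck: it splits a distinguished name into its RDN, its container path and the DNS name of the holding domain rebuilt from the DC= components, and builds a UPN from a caller-supplied logon name plus that domain as the suffix. The sample DN, the logon name and all names in it are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.

    A backslash escapes the next character (RFC 4514 style), so a comma
    inside a value such as CN=McGinnis\\, Jim is kept as part of the value
    instead of being treated as a component separator.
    """
    parts: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            parts.append(_split_component("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(_split_component("".join(buf)))
    return parts


def _split_component(component: str) -> Tuple[str, str]:
    attr, sep, value = component.strip().partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed DN component: {component!r}")
    return attr.strip().upper(), value.strip()


@dataclass
class DnInfo:
    rdn: str                   # the object's own name, e.g. "CN=Jim McGinnis"
    container_path: List[str]  # containers from the object up to the domain
    domain_dns: str            # DNS name rebuilt from the DC= components


def analyse_dn(dn: str) -> DnInfo:
    """Derive the RDN, the container path and the holding domain from a DN."""
    parts = split_dn(dn)
    attr, value = parts[0]  # the leftmost component is the RDN
    dc_labels = [v for a, v in parts if a == "DC"]
    if not dc_labels:
        raise ValueError("DN has no DC= components, so no domain can be derived")
    containers = [f"{a}={v}" for a, v in parts[1:] if a != "DC"]
    return DnInfo(f"{attr}={value}", containers, ".".join(dc_labels))


def upn_for(dn: str, logon_name: str) -> str:
    """Build a UPN: the caller-supplied logon name, '@', and the UPN suffix,
    which (as the deck says) is usually the DNS name of the user's domain.
    The logon name is an assumption of this example, not a DN attribute."""
    return f"{logon_name}@{analyse_dn(dn).domain_dns}"


if __name__ == "__main__":
    # Constructed sample DN; the names are illustrative only.
    sample = r"CN=McGinnis\, Jim,OU=Faculty,OU=Business,DC=example,DC=edu"
    info = analyse_dn(sample)
    print("RDN:   ", info.rdn)
    print("Path:  ", " > ".join(info.container_path))
    print("Domain:", info.domain_dns)
    print("UPN:   ", upn_for(sample, "jmcginnis"))
```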

40
(Skill 4)
Figure 1-7 Examples of naming conventions
41
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory
  • Objects in Active Directory can be organized
    logically and physically
  • Logical structure
  • Consists of domains, trees, and forests
  • Besides being Active Directory objects, OUs are
    also part of the logical structure
  • Physical structure
  • Consists of sites
  • Domain controllers are also part of the physical
    structure, as well as being Active Directory
    objects

42
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (2)
  • Components of the logical structure
  • Domains
  • In Active Directory, domains represent the core
    unit of the logical structure
  • Used to represent the administrative boundaries
    of your organization
  • Store information only about the objects they
    contain
  • Can span multiple physical locations

43
(Skill 5)
Figure 1-8 A domain structure in an organization
44
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (3)
  • Components of the logical structure
  • Trees
  • Formed when you add one or more child domains to
    the top-level domain (also known as the root of
    the tree)
  • Follows a contiguous naming scheme where every
    child domain (subdomain) in the tree derives its
    name from the root domain
  • Implicit two-way transitive trust exists between
    the parent domains and the child domains in a
    domain tree, which is a type of a logical link,
    automatically established between domains

45
(Skill 5)
Figure 1-9 A tree structure in Active Directory
46
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (4)
  • Components of the logical structure
  • Forests
  • Collection of domains that share a common schema,
    global catalog, and configuration
  • All domains in a forest share a common schema and
    a common global catalog, which allows all domains
    within a forest to contain uniform information
  • Although domains in a forest operate
    independently, they communicate with each other
    because all domain trees in a forest share a
    common schema

47
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (5)
  • Components of the logical structure
  • Forests
  • All domains in a forest share a common global
    catalog
  • Forests allow a disjointed naming scheme where
    the names of domain trees may not be related to
    one another
  • In a forest, an implicit two-way transitive trust
    exists between the root domains of domain trees
    and the root of the forest

48
(Skill 5)
Figure 1-10 A forest structure in Active Directory
49
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (6)
  • Components of the logical structure
  • Sites
  • Logical representations of a physical location
    within Active Directory
  • Subnets are always associated with sites
  • Allows clients to determine the site to which
    they belong
  • Allows clients to use a domain controller located
    in their own physical site

50
(Skill 5)
Examining the Logical and Physical Structure of
Active Directory (7)
  • Components of the logical structure
  • Sites
  • Used to control replication traffic between
    physical locations
  • Logical structure of Active Directory is
    different from the physical structure
  • A site can span multiple domains
  • A domain can span multiple sites

51
(Skill 5)
Figure 1-11 Structure of a site
52
(Skill 6)
Examining More Active Directory Concepts
  • Global catalog
  • Stores information about all objects in a forest
  • By default, the global catalog is created on the
    first domain controller in a forest, known as a
    global catalog server
  • Whenever object information is updated, a global
    catalog server exchanges this information with
    other global catalog servers in a forest

53
(Skill 6)
Examining More Active Directory Concepts (2)
  • Global catalog
  • In a single domain, the global catalog stores
    information about all of the objects in that
    domain
  • In multiple domains, the global catalog stores a
    full replica of information about objects
    belonging to its domain and a partial replica of
    information for objects belonging to other
    domains
  • You can add global catalog servers to a forest to
    provide backup for the default global catalog
    server

54
(Skill 6)
Figure 1-12 The function of the global catalog
55
(Skill 6)
Examining More Active Directory Concepts (3)
  • Global catalog
  • Global catalog servers also participate in logons
    in Windows 2000 native mode
  • Perform User Principal Name (UPN) lookups
  • Provide universal group storage
  • Handles user and program-related queries about
    objects
  • Can quickly resolve a query about an object
    anywhere in the forest

56
(Skill 6)
Examining More Active Directory Concepts (4)
  • Trust relationships
  • A trust is a connection between domains allowing
    users from one or both domains to be granted
    access to resources in the opposing domain
  • In a multi-domain environment, trusts allow users
    to access resources in other domains without the
    need to log on to each domain separately
  • Trusts allow users to log on to their own domain
    on computers that are members of a different
    domain

57
(Skill 6)
Examining More Active Directory Concepts (5)
  • Trusts come in four basic forms
  • One-way trusts allow a domain to access another
    domain's resources, but not vice versa
  • Two-way trusts allow both domains to access each
    other's resources
  • Transitive trusts follow through, meaning they
    pass from domain to domain
  • Non-transitive trusts do not follow through, so
    each domain must explicitly trust the other
    domains
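The four trust forms above, modelled so that an access review can ask "whose users can reach this domain's resources?". This is an added example and not from the deck; the scenario (domains A, B, C and a small forest) is constructed to mirror Figures 1-13 to 1-16. A trust is recorded from the trusting domain (which grants access) to the trusted domain (whose users receive it); a two-way trust is two one-way trusts, and access only passes through a chain in which every hop is transitive.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Trust:
    """One direction of trust: `trusting` grants access to users of `trusted`."""
    trusting: str
    trusted: str
    transitive: bool = False


def two_way(a: str, b: str, transitive: bool = False) -> List[Trust]:
    """A two-way trust is simply a one-way trust in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def resource_domains_for(user_domain: str, trusts: Iterable[Trust]) -> Set[str]:
    """Domains whose resources the users of `user_domain` can be granted.

    A direct trust of either kind counts. Access flows further only along a
    chain in which every hop is transitive; a non-transitive trust stops the
    chain, so such domains must trust each other explicitly (Figure 1-14).
    """
    trusts = list(trusts)
    reachable: Set[str] = set()
    # queue entries: (domain whose users are trusted so far, chain still transitive?)
    queue = deque([(user_domain, True)])
    seen = {(user_domain, True)}
    while queue:
        domain, chain_ok = queue.popleft()
        for t in trusts:
            if t.trusted != domain:
                continue
            if domain == user_domain:
                ok = t.transitive          # first hop: any trust counts
            elif chain_ok and t.transitive:
                ok = True                  # further hops: transitive only
            else:
                continue
            reachable.add(t.trusting)
            if (t.trusting, ok) not in seen:
                seen.add((t.trusting, ok))
                queue.append((t.trusting, ok))
    reachable.discard(user_domain)
    return reachable


def domains_that_can_reach(resource_domain: str, domains: Iterable[str],
                           trusts: Iterable[Trust]) -> Set[str]:
    """Inverse view for an access review: which domains' users reach a resource domain."""
    trusts = list(trusts)
    return {d for d in domains if resource_domain in resource_domains_for(d, trusts)}


if __name__ == "__main__":
    # Constructed scenario: A trusts B, B trusts C, both one-way and non-transitive.
    chain = [Trust("A", "B"), Trust("B", "C")]
    print(resource_domains_for("C", chain))                       # {'B'} only
    print(resource_domains_for("C", chain + [Trust("A", "C")]))   # explicit A->C adds 'A'
    forest = two_way("root", "child", True) + two_way("child", "grandchild", True)
    print(resource_domains_for("grandchild", forest))             # {'root', 'child'}
    print(domains_that_can_reach("A", ["A", "B", "C"], chain))    # {'B'}
```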

58
(Skill 6)
Figure 1-13 Simple one-way trusts
59
(Skill 6)
Figure 1-14 An additional trust from domain A to
domain C
60
(Skill 6)
Figure 1-15 Trusting and trusted domains
61
(Skill 6)
Figure 1-16 Two-way trusts
62
(Skill 6)
Examining More Active Directory Concepts (10)
  • Domain Name System (DNS)
  • Active Directory uses DNS as its name resolution
    service
  • The computer running this service is known as a
    DNS name server
  • DNS helps computers to locate other computers on
    a network
  • DNS organizes domains in a hierarchical structure
    using a naming scheme called the domain namespace

63
(Skill 6)
Examining More Active Directory Concepts (11)
  • Domain Name System (DNS)
  • Computers in a domain use this service to locate
    domain controllers in the domain
  • DNS zones
  • A DNS server typically holds a copy of the DNS
    zone for a given domain or collection of
    contiguous domains
  • The DNS zone is contained in a file known as the
    zone database file, typically called the zone file

64
(Skill 7)
Planning Domain Structure
  • In Active Directory, domain structure is
    primarily dependent on administrative needs
  • In Windows Server 2003
  • Domains are simply administrative boundaries
  • Best to use a single domain model if at all
    possible
  • Domain models are broadly classified into two
    categories
  • Single domain model
  • Multiple domain model

65
(Skill 7)
Planning Domain Structure (2)
  • Single domain model
  • Easy to manage and administer because the
    administrative boundary is clearly defined
  • Suitable for any organization that follows a
    truly centralized administrative model
  • Easy to set up because only a single domain must
    be configured

66
(Skill 7)
Planning Domain Structure (3)
  • Multiple domain model
  • Typically only appropriate in three specific
    situations
  • To separate domain-level administrative
    privileges
  • To separate account policies
  • To control localized traffic

67
(Skill 7)
Figure 1-18 Domain models
68
(Skill 7)
Figure 1-19 Account Policies
69
(Skill 8)
Planning a Domain Namespace
  • Choose a unique domain name for your organization
  • Register it with an organization that manages
    Internet DNS namespaces
  • This organization adds an entry pointing to the
    authoritative name servers for your domain on the
    top-level name servers on the Internet
  • Use this domain name to host the Web site for
    your organization on the Internet

70
(Skill 8)
Planning a Domain Namespace (2)
  • DNS namespace types
  • Internal
  • External
  • Hybrid

71
(Skill 8)
Planning a Domain Namespace (3)
  • Internal namespace
  • Is not resolvable by hosts that use public
    (Internet) DNS servers
  • Only used for internal clients
  • Is well-suited for hosting Active Directory due
    to increased security

72
(Skill 8)
Planning a Domain Namespace (4)
  • External namespace
  • Is resolvable from any client on the Internet
  • Is required for Internet-accessible resources,
    such as Web sites
  • Is typically a poor choice for hosting Active
    Directory due to the potential lack of security
    it provides

73
(Skill 8)
Planning a Domain Namespace (7)
  • Naming guidelines
  • All Active Directory domain names should be
    static
  • Keep it short, simple, and easy to remember
  • Use standard DNS characters
  • Limit it to 63 characters including the periods
  • The Fully Qualified Domain Name (FQDN) can be up
    to 255 characters
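A checker for the naming guidelines above, as an added example that is not part of the deck. It applies the deck's limits (63 characters including periods for the name, 255 for the FQDN) and the standard DNS label characters (letters, digits and hyphen, with no leading or trailing hyphen); the extra single-label check is the editor's addition, and the sample names are constructed.

```python
import re
from typing import List

# Standard DNS label: letters, digits and hyphen, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_NAME_LEN = 63    # deck guideline: name limited to 63 characters including periods
MAX_FQDN_LEN = 255   # deck guideline: FQDN may be up to 255 characters


def check_domain_name(name: str) -> List[str]:
    """Return the guideline violations for a proposed AD domain name.

    An empty list means the name passes every check. Whether the name is
    static, short and memorable is a judgement call left to the planner.
    """
    problems: List[str] = []
    fqdn = name.rstrip(".")  # a trailing dot marks an absolute name; not counted
    if not fqdn:
        return ["name is empty"]
    if len(fqdn) > MAX_NAME_LEN:
        problems.append(f"{len(fqdn)} characters including periods exceeds {MAX_NAME_LEN}")
    if len(name) > MAX_FQDN_LEN:
        problems.append(f"FQDN longer than {MAX_FQDN_LEN} characters")
    labels = fqdn.split(".")
    if len(labels) < 2:
        problems.append("single-label name; prefer a multi-label name such as ad.example.edu")
    for label in labels:
        if not label:
            problems.append("empty label (leading or consecutive periods)")
        elif not _LABEL_RE.match(label):
            bad = sorted({c for c in label if not re.match(r"[A-Za-z0-9-]", c)})
            if bad:
                # underscores are the classic offender, e.g. names carried over from NetBIOS
                problems.append(f"label {label!r} uses non-standard DNS characters: {bad}")
            else:
                problems.append(f"label {label!r} may not start or end with a hyphen")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real domains.
    for candidate in ["ad.example.edu", "my_corp.local", "-bad.example.com", "corp"]:
        verdict = check_domain_name(candidate) or ["ok"]
        print(f"{candidate:20} {'; '.join(verdict)}")
```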

74
(Skill 9)
Guidelines for Planning a Site Structure
  • Sites
  • Map to the physical structure of an organization
  • Participate actively in the user logon and
    authentication process
  • Play an important role in the directory
    replication process

75
(Skill 9)
Guidelines for Planning a Site Structure (2)
  • Directory replication
  • Can take place within a site or between sites
  • Within a site, Active Directory automatically
    generates a replication topology
  • You can disable Active Directory's automatic
    creation of connection objects by manually
    creating connection objects, and thus control
    intra-site replication

76
(Skill 9)
Figure 1-22 Replication within a site using a
ring topology
77
(Skill 9)
Guidelines for Planning a Site Structure (3)
  • Site planning guidelines
  • Decide which domain controller the computers on a
    given subnet should use
  • To optimize logon traffic, ensure the
    availability of at least one domain controller
    per site
  • To optimize inter-site replication, configure
    replication so that it occurs when network
    traffic is light

78
(Skill 9)
Guidelines for Planning a Site Structure (4)
  • Site planning guidelines
  • Configure a powerful server as the preferred
    bridgehead server for inter-site replication
  • The bridgehead server is the only server in a
    site that is allowed to replicate to other sites
  • Reduces the amount of replication traffic between
    sites, because not every server attempts to
    replicate with every other server

79
(Skill 9)
Figure 1-23 Using a bridgehead server for
inter-site replication
80
(Skill 9)
Guidelines for Planning a Site Structure (5)
  • Site planning guidelines
  • Place your domain controllers in the correct
    sites
  • By default, clients will choose the correct site
    each time they get a new IP address
  • Domain controllers only choose a site when they
    are first created, and must be manually moved
    thereafter
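The site guidelines from the last few slides (subnets map clients to sites, at least one domain controller per site, domain controllers placed in the correct site) as an added example; this is not material from the deck. The subnet-to-site map and the domain controller placements are a constructed topology, and the client picks its site by the most specific matching subnet object.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample topology (not a real network): subnet objects mapped to
# sites, and the site each domain controller was placed in.
SITE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "Lab",        # a more specific subnet inside HQ's range
    "10.2.0.0/16": "Branch",
    "192.168.9.0/24": "Warehouse",
}
DC_SITES: Dict[str, str] = {"DC1": "HQ", "DC2": "HQ", "DC3": "Branch"}


def site_for_ip(ip: str, site_subnets: Dict[str, str] = SITE_SUBNETS) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def dcs_in_site(site: str, dc_sites: Dict[str, str] = DC_SITES) -> List[str]:
    """Domain controllers placed in the given site."""
    return sorted(dc for dc, s in dc_sites.items() if s == site)


def pick_domain_controllers(ip: str, site_subnets: Dict[str, str] = SITE_SUBNETS,
                            dc_sites: Dict[str, str] = DC_SITES
                            ) -> Tuple[Optional[str], List[str], Optional[str]]:
    """Return (site, local DCs, warning) for a client address.

    The warning flags the two planning mistakes the deck calls out: a subnet
    with no site, and a site with no domain controller, in which case logons
    from that site cross a site link."""
    site = site_for_ip(ip, site_subnets)
    if site is None:
        return None, [], f"{ip} matches no subnet object; add one so clients find their site"
    local = dcs_in_site(site, dc_sites)
    warning = None if local else f"site {site} has no domain controller; logons will cross a site link"
    return site, local, warning


def sites_without_dc(site_subnets: Dict[str, str] = SITE_SUBNETS,
                     dc_sites: Dict[str, str] = DC_SITES) -> List[str]:
    """Sites that break the 'at least one domain controller per site' guideline."""
    return sorted(s for s in set(site_subnets.values()) if not dcs_in_site(s, dc_sites))


if __name__ == "__main__":
    for client in ["10.1.3.4", "10.1.50.7", "10.2.0.9", "172.16.0.1"]:
        print(client, pick_domain_controllers(client))
    print("sites lacking a DC:", sites_without_dc())
```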