Active Directory - PowerPoint PPT Presentation

Slides: 25
Provided by: Gla3
Transcript and Presenter's Notes

Title: Active Directory


1
Active Directory
  • Lecture 3

2
Active Directory Definitions
  • AD is Microsoft's consolidation of the major
    enterprise-wide directory services within a
    single, replicable data store and administrative
    interface
  • AD is a network-based object store and service
    that locates and manages resources, and makes
    these resources available to authorized users and
    groups.
  • The 2 components of AD are the Data Store and the
    AD Services that act on that data

3
AD Advantages
  • Provides centralized logon and authentication
    point for users to access resources
  • A focal point for centralized administration and
    management
  • A searchable store for info about every network
    object and its attributes
  • Standard-based structures and interfaces allow
    for product interoperability and compatibility
    with 3rd party products
  • Scalable (virtually no limit on number of objects)

4
New Features
  • Restart capability
  • Read-only Domain Controller
  • Auditing improvements
  • Multiple Password/Account Lockout Policies in a
    Domain
  • AD Lightweight Directory Services Role

5
DNS
  • DNS is an Internet standard service that
    translates easily readable host names, such as
    mycomputer.microsoft.com, to numeric IP
    addresses.
  • Domain names for DNS are based on a
    hierarchical naming structure (an inverted tree):
    a single root domain, underneath which can be
    parent and child domains (branches and leaves).
  • Each computer in a DNS domain is uniquely
    identified by its DNS fully qualified domain name
    (FQDN), e.g. server1.ifsm.umbc.edu
  • Dynamic DNS is a newer standard and is required for AD

6
AD and DNS integration
  • Active Directory and DNS have the same
    hierarchical structure.
  • All AD names follow DNS conventions
  • DNS records (zones) can be stored in Active
    Directory.
  • Active Directory clients use DNS to locate domain
    controllers.

7
AD Organization
  • An underlying principle of AD is that everything
    is considered an object: people, servers,
    workstations, printers, etc.
  • Each object also has certain attributes
  • Object classes are definitions of the object
    types that can be created in the AD.

8
Controlling Object Access
  • Every object has an ACL that contains information
    about who has access to it and what they can do
    with it.
  • Controlling access to the object in AD is not the
    same as access to the object itself. AD
    permissions only specify whether a user, group or
    computer can view or modify an object's
    properties in AD.
  • Access can be set up for individual object
    properties

9
Schema
  • A set of object definitions (object classes) and
    their associated attributes
  • Provides info on what objects and attributes are
    available to the Directory
  • Allows administrators to modify and add new
    object classes, objects and attributes as needed,
    making the schema extensible
  • Because of this flexibility, AD is capable of
    being the single point of administration for all
    published resources (files, peripheral devices,
    host connections, databases, Web access, users)

10
AD Organization
  • AD objects are organized around a hierarchical
    domain model that allows scalability and
    expandability
  • Domain model building blocks are:
    - domains
    - domain trees
    - forests
    - organizational units

11
Name Space
  • AD is based on the concept of a namespace, that
    is, a name is used to resolve the location of an
    object
  • AD domain names correspond to DNS domain names
  • Each object has different ways to refer to it,
    and each name pinpoints the location of object in
    AD
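Added example, not from the slides: a small Python converter between the two most common names AD gives the same object, the LDAP distinguished name (DN) and the canonical name, showing how each one pins down the object's position in the domain tree. The sample object, its OUs and the sales.toysrus.com domain are constructed for the example.

```python
def split_dn(dn):
    """Split an LDAP distinguished name into (type, value) pairs, honouring
    RFC 4514 backslash escapes such as '\\,' inside a value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends this RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs

def domain_of(dn):
    """DNS name of the domain holding the object: the DC= components in order."""
    return ".".join(v for t, v in split_dn(dn) if t == "DC")

def dn_to_canonical(dn):
    """AD canonical name: the domain's DNS name, then the container path from
    the domain root down to the object (the reverse of the DN's order)."""
    path = [v for t, v in reversed(split_dn(dn)) if t != "DC"]
    return "/".join([domain_of(dn)] + path)

def canonical_to_dn(canonical, leaf_type="CN"):
    """Inverse mapping. Assumption: every container on the path is an OU and
    the leaf is a CN, since the canonical form does not record RDN types."""
    domain, *path = canonical.split("/")
    dcs = ["DC=" + label for label in domain.split(".")]
    ous = ["OU=" + p for p in path[:-1]]
    leaf = [leaf_type + "=" + path[-1].replace(",", "\\,")] if path else []
    return ",".join(leaf + ous[::-1] + dcs)

# constructed sample: a user object in the Sales child domain of the
# toysrus.com tree, with an escaped comma in its CN
SAMPLE_DN = "CN=Doe\\, Jane,OU=Retail,OU=Teams,DC=sales,DC=toysrus,DC=com"
```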

12
Domain
  • Logical partition comprised of users, computers
    and network resources that share a common logical
    security boundary and utilize a common namespace
    (e.g. ifsm.umbc.edu)
  • Domains can be arranged into a hierarchical
    parent-child structure
  • All domains maintain their own security policies
    and security relationships with other domains
  • Requires at least 1 Domain Controller (where AD
    database is stored)
  • If more than 1 DC (recommended) they use
    multi-master replication

13
Trusts
  • Logical connections between domains to allow
    users from one domain to access resources in
    another domain
  • Can be one- or two-way
  • Can be transitive, intransitive or explicit
  • Trust terminology: the Trusting Domain trusts the
    Trusted Domain
    - Trusted Domain (Users)
    - Trusting Domain (Resources)
14
Transitive Trusts
(Diagram: Domain A, Domain B, Domain C)
  • A transitive trust is a trust between two
    domains in the same domain tree/forest that can
    extend beyond these two domains to other trusted
    domains within the same domain tree/forest. A
    transitive trust is always a 2-way trust - both
    of the domains trust each other. By default, all
    Windows Server 2008 trusts within a domain
    tree/forest are transitive trusts.
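To make the difference between transitive and non-transitive trusts concrete, here is an added Python example (not part of the slides) that models each trust as a directed edge from the trusting domain (resources) to the trusted domain (users) and answers which domains' users can be granted access where. The toysrus.com tree follows the later slides; the one-way external trust to partner.example is a constructed, made-up domain.

```python
from collections import deque, namedtuple

# One direction of trust: 'trusting' holds the resources, 'trusted' holds
# the users whose logons the trusting domain will accept.
Trust = namedtuple("Trust", "trusting trusted transitive")

def add_trust(trusts, trusting, trusted, two_way=True, transitive=True):
    """Record a trust; a two-way trust is just a pair of one-way trusts."""
    trusts.append(Trust(trusting, trusted, transitive))
    if two_way:
        trusts.append(Trust(trusted, trusting, transitive))

def domains_trusted_by(trusts, resource_domain):
    """All domains whose users can reach resources in resource_domain.
    A direct trust grants access whether or not it is transitive; a chain
    of two or more hops counts only if every hop on it is transitive."""
    direct = [t for t in trusts if t.trusting == resource_domain]
    reachable = {t.trusted for t in direct}
    queue = deque(t.trusted for t in direct if t.transitive)
    seen = set(queue)
    while queue:
        cur = queue.popleft()
        for t in trusts:
            if t.trusting == cur and t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                reachable.add(t.trusted)
                queue.append(t.trusted)
    reachable.discard(resource_domain)
    return reachable

def can_access(trusts, user_domain, resource_domain):
    """True if a user from user_domain can be granted access in resource_domain."""
    return (user_domain == resource_domain
            or user_domain in domains_trusted_by(trusts, resource_domain))

def sample_trusts():
    """Constructed forest: the toysrus.com tree's parent-child trusts (two-way
    and transitive, as created by default) plus a one-way, non-transitive
    external trust so that partner.example users (a made-up domain) can use
    Sales resources but nothing further up the tree."""
    t = []
    add_trust(t, "toysrus.com", "marketing.toysrus.com")
    add_trust(t, "marketing.toysrus.com", "ny.marketing.toysrus.com")
    add_trust(t, "toysrus.com", "sales.toysrus.com")
    add_trust(t, "sales.toysrus.com", "partner.example",
              two_way=False, transitive=False)
    return t
```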

15
Domain Tree
  • Consists of a hierarchy of domains sharing a common
    schema, security trust relationship, and a Global
    Catalog
  • Formed through the expansion of child domains,
    and there's one root domain (the first created
    domain)
  • Defined by a common and contiguous namespace

16
Domain Tree Example
Toysrus.com
  Marketing.toysrus.com
    ny.marketing.toysrus.com
  Sales.toysrus.com
17
Domain Forests
  • Domain trees with different namespaces connected
    by trust relationships
  • All trees within the forest share a Global
    Catalog, configuration and schema.
  • Simply a reference point between trees; the forest
    doesn't have its own name.

18
Domain Forest Example
toysrus.com
  Sales.toysrus.com
  Marketing.toysrus.com
    Ny.marketing.toysrus.com
Babiesrus.com
  Sales.babiesrus.com
    Ny.sales.babiesrus.com
  HR.Babiesrus.com
19
Organizational Unit
  • Administrative substructure of domains, arranged
    hierarchically; OUs can be nested
  • A special type of object called a container; it
    includes users, computer systems, printers, etc.
  • A logical subset defined by security or
    administrative parameters where specific system
    admin functions can be easily segmented and
    delegated

20
OU Example
Toysrus.com
  Marketing.toysrus.com
    ny.marketing.toysrus.com
  Sales.toysrus.com
    Teams.sales.toysrus.com
      Retail.teams
      Online.teams
21
Global Catalog
  • AD uses a global catalog in order for users to
    find objects quickly, even in a large multidomain
    environment
  • GC contains all the objects in the AD, inclusive
    of all domains and trees in a forest, but with
    only a subset of their attributes.
  • Serves as an index to the entire structure
  • Serves as a central point for user authentication

22
Domain and Forest Functional Levels
  • Windows Server 2008 has 3 forest functional
    levels: Windows 2000 Native, Windows 2003,
    Windows 2008
  • Windows Server 2008 has 3 domain functional
    levels: Windows 2000, Windows 2003, Windows 2008
  • Functional level only applies to DC, not member
    servers.
  • Raising domain/forest functional level is
    irreversible

23
Sites
  • Address physical network structure
  • A site is a region of your network infrastructure
    made up of one or more well-connected IP subnets.
  • Sites are used to allow all AD clients belonging
    to the same physical network area to access
    services (DCs, GC and DNS servers) from the
    servers in close proximity, rather than across
    slow, expensive WAN links
  • Sites allow AD to have more efficient DC
    replication - DC replication can be configured
    differently inter-site and intra-site

24
Sites and DCs
  • DCs are automatically placed into sites when they
    join the AD domain, by IP subnet membership.
  • After being placed into the site, the DCs begin
    receiving replicated information for their own
    domain, as well as forest info.
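As an added example (not from the slides), the subnet-based site placement described above implemented in Python: each DC's address is matched against an administrator-defined subnet-to-site table and the most specific (longest-prefix) subnet wins, while DCs that no subnet covers are reported separately so the missing subnet definitions are visible. The subnets, site names and DC addresses are constructed for the example.

```python
import ipaddress

# Constructed subnet-to-site table, as an administrator would define it in
# Active Directory Sites and Services. Subnets may nest; the most specific wins.
SUBNETS = {
    "10.0.0.0/8":     "Default-First-Site-Name",
    "10.1.0.0/16":    "NY",
    "10.1.5.0/24":    "NY-Datacenter",
    "192.168.0.0/16": "Online",
}

def site_for(address, subnets=SUBNETS):
    """Return the site whose subnet is the longest prefix matching address,
    or None when no configured subnet covers it."""
    ip = ipaddress.ip_address(address)
    best, best_len = None, -1
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best, best_len = site, net.prefixlen
    return best

def place_dcs(dcs, subnets=SUBNETS):
    """Map each DC to a site by its IP address. DCs with no matching subnet
    are grouped under None so an admin can see which subnets are missing."""
    placement = {}
    for name, address in dcs.items():
        placement.setdefault(site_for(address, subnets), []).append(name)
    return placement

# constructed DC list for the toysrus.com forest
DCS = {
    "dc1.toysrus.com": "10.1.5.10",
    "dc2.toysrus.com": "10.1.7.20",
    "dc3.sales.toysrus.com": "10.20.0.5",
    "dc4.marketing.toysrus.com": "192.168.4.4",
    "dc5.toysrus.com": "172.16.0.9",
}
```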