Active Directory Logical Design - PowerPoint PPT Presentation

Provided by: annek167
Slides: 33
1
Active Directory Logical Design
  • Chapter Five

2
Namespace
  • In Windows 2003, DNS is the primary method of
    name resolution (clients locate domain
    controllers through DNS SRV records)
  • DNS is a hierarchical naming system
  • Each label of a domain name is at most 63
    characters
  • An FQDN is at most 255 characters in total
  • A-Z, a-z, 0-9, and - (dash) are the valid
    characters; a label may not begin or end with a
    dash

3
Namespace Options
  • Option 1: same DNS name for Active Directory and
    the public Internet zone
  • Risk: internal zone data (host names, domain
    controller SRV records) becomes publicly visible
    unless the internal and external zones are kept
    as separate copies (split DNS)
  • Option 2: completely different namespace
  • Resources are kept separate (computersrus.local or
    computerworld.private for Active Directory and
    computersrus.com or computerworld.net for
    Internet DNS)
  • Forwarders must be configured properly so that
    internal clients can resolve external names
  • Caveat: a made-up suffix such as .local is now
    discouraged because it collides with mDNS and can
    never be registered; a subdomain of a name the
    organization owns avoids this

4
Namespace Options
  • Option 3: Active Directory is a subdomain of the
    public DNS namespace (e.g. corp.TexasPinball.com
    under TexasPinball.com)
  • Internal resources are kept separate from the
    Internet zone
  • The public DNS server delegates the subdomain
    zone to an internal DNS server that holds its
    zone data
  • Dynamic DNS
  • Lets domain controllers and clients register
    their own records, which makes the DNS host data
    easier to manage

5
Namespace
  • www.Sales.TexasPinball.com
  • .com - top-level domain name, refers to the type
    of organization
  • TexasPinball - second-level domain name, refers
    to the organization
  • Sales - subdomain
  • www (or a host such as mail) - the leftmost label
    refers to a specific machine within the
    organization
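The naming rules from the Namespace slide and the breakdown of www.Sales.TexasPinball.com, as an added Python example that is not part of the original slides. The function names, the sample names in the comments and the three-way classification of an AD DNS name against the public zone (the three namespace options above) are this example's own; treating the leftmost label as a host follows the slide's convention, since DNS itself does not distinguish a host from a subdomain.

```python
import re

MAX_LABEL = 63   # per-label limit from the Namespace slide
MAX_FQDN = 255   # whole-name limit from the Namespace slide

# A-Z, a-z, 0-9 and dash; a dash may not start or end a label.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_fqdn(name):
    """Return a list of rule violations; an empty list means the name is valid."""
    problems = []
    name = name.rstrip(".")   # a trailing dot marks an absolute name and is not counted
    if len(name) > MAX_FQDN:
        problems.append("FQDN longer than %d characters" % MAX_FQDN)
    for label in name.split("."):
        if label == "":
            problems.append("empty label (leading dot or two consecutive dots)")
        elif len(label) > MAX_LABEL:
            problems.append("label %r... longer than %d characters" % (label[:10], MAX_LABEL))
        elif not LABEL_RE.match(label):
            problems.append("label %r has a character outside A-Z a-z 0-9 - "
                            "or a leading/trailing dash" % label)
    return problems


def split_fqdn(name):
    """Break a name into the parts the slide names for www.Sales.TexasPinball.com.

    The leftmost label is reported as the host only when more than two labels
    are present (assumption of this example: DNS does not mark hosts itself).
    """
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need at least a second-level domain and a TLD: %r" % name)
    return {
        "tld": labels[-1],
        "organization": labels[-2],
        "subdomains": labels[1:-2],                    # e.g. ["Sales"], nearest the host first
        "host": labels[0] if len(labels) > 2 else None,
    }


def namespace_option(ad_dns_name, public_dns_name):
    """Classify an AD DNS name against the public zone into the three slide options."""
    ad = ad_dns_name.lower().rstrip(".")
    pub = public_dns_name.lower().rstrip(".")
    if ad == pub:
        return "same namespace"                 # internal zone data risks public exposure
    if ad.endswith("." + pub):
        return "subdomain of public namespace"  # needs a zone delegation to internal DNS
    return "separate namespace"                 # needs forwarders for external resolution


if __name__ == "__main__":
    print(validate_fqdn("www.Sales.TexasPinball.com"))
    print(split_fqdn("www.Sales.TexasPinball.com"))
    print(namespace_option("corp.texaspinball.com", "texaspinball.com"))
```

The validator encodes the host-name rules on the slide; note that Active Directory's own service records (names beginning with an underscore) are deliberately outside these rules and would be rejected here.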

6
Forests
  • A collection of one or more domain trees
  • The trees in a forest may have noncontiguous
    namespaces and differing name structures
  • The forest, not the domain, is the security
    boundary; a domain is an administrative and
    replication boundary, and its administrators can
    affect the whole forest
  • All domains share a common schema
  • All domains share a common Global Catalog
  • The domains operate independently, but
    cross-domain communication is enabled
  • Implicit two-way transitive trusts exist between
    the domains and between the domain trees
  • A common configuration partition stores
    information about domains, sites, and site links

7
Forest
8
Multiple Forests
  • Different schemas are required
  • Complete separation of administration and
    security is required
  • A complete trust between all domains is not
    wanted

9
Domain
  • Domain - a collection of computers, user accounts,
    and other objects that share a common replication
    boundary (the domain partition)
  • Hierarchical structure of containers and objects
  • Directory for publishing shared resources
  • Authentication of computers and users
  • Group Policy based administration
  • Separate domains are required for different
    account policies (in Windows 2003 the password
    and lockout policy is set once per domain)

10
Domain Tree
11
Domain Trees
  • A group of Windows 2003 domains that share a
    contiguous namespace (each child domain's name is
    a subdomain of its parent's)
  • All domains share a common schema
  • All domains share a common Global Catalog
  • Implicit two-way transitive trusts exist between
    parent and child domains
  • Trust, not permissions, flows through the tree:
    each domain keeps its own administrators and
    access control lists, and a user from another
    domain in the tree has only the rights explicitly
    granted in that domain

12
Designing Domains
  • Single domain
  • Easier to administer
  • Use OUs to delegate administrative control and
    apply group policies
  • Multiple domains
  • Needed to create different account policies, e.g.
    a password length of 8 for accounts in one
    division and a password length of 10 for accounts
    in a different division
  • Needed for very large numbers of objects
  • Needed where replication traffic is a concern

13
Multi-master Intra-site Replication
14
Dedicated Forest Root
  • The root domain holds the groups that can manage
    the whole forest, Enterprise Admins and Schema
    Admins, so membership of these groups must be kept
    small and monitored
  • Central trust location: the trust paths between
    domain trees pass through the root
  • The forest root domain cannot be deleted, and no
    other domain can later take its place as the root

15
Domain Controllers
  • Recommended to have at least two domain
    controllers for a given domain
  • Redundancy and hence fault tolerance
  • Faster authentication
  • Adding a domain controller to an existing domain
  • Domain Admins credentials are needed to promote a
    second domain controller for a given domain

16
Domain Controllers (DC)
  • Servers that authenticate domain members
  • Each holds a writable copy of the directory data
    store

17
Active Directory Structure
  • AD is stored in one database file on each domain
    controller (ntds.dit) holding the domain, schema
    and configuration partitions; the domain partition
    is replicated to every domain controller of that
    domain, the schema and configuration partitions to
    every domain controller in the forest
  • Rows describe objects
  • Columns describe attributes

18
Active Directory Components
  • Active Directory Objects
  • Active Directory Schema
  • Organizational Unit
  • Global Catalog
  • Operation masters

19
Active Directory Objects
  • An object refers to a specific, distinctive,
    named resource on the network
  • Groupings of similar objects are classes
  • Objects that can contain other objects are
    containers (e.g. a domain or an OU)

20
Active Directory Schema
  • A definition of the types of objects allowed
    within a directory, and the attributes associated
    with them
  • Attributes are schema objects defined once that
    can be used by multiple classes
  • Classes are schema objects that list which
    attributes (mandatory and optional) define an
    object of that class

21
Attributes and Objects
22
Active Directory Schema
23
Organizational Unit (OU)
  • A special container used to organize objects in a
    domain into administrative units
  • Group Policy can be applied to users and computers
    in an OU
  • Do not nest more than 10 layers deep
  • Deep nesting slows logon, because Group Policy
    from every OU in the path is processed

24
Relationships Forest, Trees, Organizational
Units
25
Global Catalog
  • A partial, read-only replica of every domain
    partition in the forest: all objects, but only a
    subset of their attributes
  • Stored on DCs designated as Global Catalog Servers

26
Global Catalog
27
Trust Relationships
  • Trusts between domains in a forest are transitive
    and two-way.
  • If Domain 1 trusts Domain 2 and Domain 2 trusts
    Domain 3, then Domain 1 also trusts Domain 3

28
Forest Trust
  • A forest trust links exactly two forests; it is
    not transitive to a third forest.
  • Establishes a transitive trust (one-way or
    two-way) between every domain in both forests.

29
Shortcut Trust
  • Created within a forest to shorten the trust path
    and allow quicker authentication across domains.

30
Trust Relationships
  • Cross-domain access to resources requires a
    trusted domain and a trusting domain
  • In this one-way trust, users in Domain 1 can
    access resources in Domain 2
  • External trusts are non-transitive

31
Trusts
  • One-way trust
  • Domain 2 trusts Domain 1 (Domain 2 is the
    trusting domain, Domain 1 the trusted domain)
  • Users in Domain 1 can access resources in Domain
    2
  • Domain 2 accepts logons validated by Domain 1;
    users in Domain 2 get no access to Domain 1

32
External trusts are non-transitive
  • External trusts can also be two-way
  • Check: leave SID filtering (enabled by default on
    external and forest trusts) turned on, otherwise
    SID history in a foreign user's token is accepted
    unchecked
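The trust rules on the last six slides (two-way transitive trusts inside a forest, forest trusts that do not reach a third forest, non-transitive external trusts, and the trusted/trusting direction of a one-way trust), as an added Python example that is not part of the original slides. The domains, forests and trusts in build_example() are constructed for this example, and the TrustModel class and its method names are this example's own. It answers the question a reviewer of a trust design asks: from which domains can a user reach resources in a given domain?

```python
from collections import deque

INTRA_FOREST = ("parent-child", "tree-root", "shortcut")   # trusts inside one forest, transitive
CROSS_FOREST = ("forest", "external")                      # explicit trusts to another forest


class TrustModel:
    """Domains, the forest each belongs to, and the trusts between them."""

    def __init__(self):
        self.forest_of = {}   # domain -> forest name
        self.root_of = {}     # forest name -> forest root domain (first domain added)
        self.trusts = {}      # trusting domain -> [(trusted domain, kind)]

    def add_domain(self, domain, forest):
        self.forest_of[domain] = forest
        self.root_of.setdefault(forest, domain)
        self.trusts.setdefault(domain, [])

    def add_trust(self, trusting, trusted, kind, two_way=True):
        """`trusting` accepts logons validated by `trusted`, so users in
        `trusted` can reach resources in `trusting` (the slide's direction)."""
        if kind not in INTRA_FOREST + CROSS_FOREST:
            raise ValueError("unknown trust kind %r" % kind)
        same_forest = self.forest_of[trusting] == self.forest_of[trusted]
        if kind in INTRA_FOREST and not same_forest:
            raise ValueError("%s trusts only exist inside one forest" % kind)
        if kind in CROSS_FOREST and same_forest:
            raise ValueError("%s trusts only exist between different forests" % kind)
        if kind == "forest" and any(self.root_of[self.forest_of[d]] != d for d in (trusting, trusted)):
            raise ValueError("forest trusts are created between forest root domains")
        self.trusts[trusting].append((trusted, kind))
        if two_way:
            self.trusts[trusted].append((trusting, kind))

    def trusted_by(self, resource_domain):
        """Domains whose users can reach resources in resource_domain.

        Walk from the resource domain along trust edges (trusting -> trusted).
        Intra-forest trusts chain freely; a path may cross at most one forest
        trust (a forest trust does not reach a third forest); an external trust
        is non-transitive, so it counts only as a direct hop and is never extended.
        """
        reached = set()
        frontier = deque()
        for trusted, kind in self.trusts[resource_domain]:
            reached.add(trusted)                  # every direct trust counts, external included
            if kind != "external":
                frontier.append((trusted, 1 if kind == "forest" else 0))
        seen = set(frontier)
        while frontier:
            domain, forest_hops = frontier.popleft()
            for nxt, kind in self.trusts[domain]:
                if kind == "external":
                    continue                      # non-transitive: the path stops here
                hops = forest_hops + (1 if kind == "forest" else 0)
                if hops > 1:
                    continue                      # would reach a third forest
                state = (nxt, hops)
                if state not in seen:
                    seen.add(state)
                    reached.add(nxt)
                    frontier.append(state)
        reached.discard(resource_domain)
        return reached

    def can_access(self, user_domain, resource_domain):
        return user_domain == resource_domain or user_domain in self.trusted_by(resource_domain)


def build_example():
    """Constructed scenario (not from the slides): two forests, a third forest
    trusted by only one of them, and a one-way external trust to a legacy domain."""
    m = TrustModel()
    m.add_domain("texaspinball.com", "A")                  # forest A root
    m.add_domain("sales.texaspinball.com", "A")
    m.add_domain("pinballparts.net", "A")                  # second tree in forest A
    m.add_trust("texaspinball.com", "sales.texaspinball.com", "parent-child")
    m.add_trust("texaspinball.com", "pinballparts.net", "tree-root")
    m.add_domain("partner.example", "B")                   # forest B root
    m.add_domain("eu.partner.example", "B")
    m.add_trust("partner.example", "eu.partner.example", "parent-child")
    m.add_trust("texaspinball.com", "partner.example", "forest")
    m.add_domain("vendor.example", "C")                    # forest C, trusted by B only
    m.add_trust("partner.example", "vendor.example", "forest")
    m.add_domain("legacy-nt.example", "legacy")
    m.add_trust("sales.texaspinball.com", "legacy-nt.example", "external", two_way=False)
    return m


if __name__ == "__main__":
    model = build_example()
    for user, resource in [("eu.partner.example", "sales.texaspinball.com"),
                           ("vendor.example", "texaspinball.com"),
                           ("legacy-nt.example", "texaspinball.com")]:
        print("%s -> %s: %s" % (user, resource, model.can_access(user, resource)))
```

The walk starts at the resource domain and follows the trusting-to-trusted direction, which is why a one-way external trust lets legacy users into the sales domain but gives sales users nothing in return, and why vendor.example never reaches forest A even though both trust forest B.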