Introduction to Active Directory Services - PowerPoint PPT Presentation

1 / 48

About This Presentation

Title:

Introduction to Active Directory Services

Description:

Integrates the Internet concept of namespace with the operating system's directory service ... Administrators - C , VB, Script. Users - Script. LDAP C API ... – PowerPoint PPT presentation

Number of Views:437

Avg rating:3.0/5.0

Slides: 49

Provided by: MicrosoftC50

Category:

more less

Transcript and Presenter's Notes

Title: Introduction to Active Directory Services

1
Introduction to Active Directory Services

Completely integrated with Microsoft Windows 2000
Server
Integrates the Internet concept of namespace with
the operating systems directory service
Allows a single point of administration for all
published resources
Secure
Distributed
Partitioned
Replicated
Hierarchical
Scalable

2
Understanding Active Directory Concepts

Schema
defines attributes an instance class must have
and those attributes that are optional
What Object classes can be parents
Default schema contains definitions of most
commonly used objects
Extensible schema
Can name new object types and their attributes
Or new attributes of existing objects
Not for the faint hearted

3
Global Catalog

The global catalog is the central repository of
information about objects in a domain tree or
forest.
Contents generated by AD Services
Only the most frequently used attributes
The global catalog is a service as well as a
physical storage location that contains a replica
of selected attributes of every object in the
Active Directory store.
By default, the first domain controller is a
global catalog server.
Additional domain controllers can also be
designated as global catalog servers by using the
Active Directory Sites And Services snap-in.

4
Understanding Active Directory Concepts

Namespace
Any bounded area in which a name can be resolved
Based on DNS naming scheme
Contiguous namespace
Parent name part of full name
Disjoint namespace

5
Namespace
6
Distinguished Names (DNs)

Objects are located within Active Directory
domains according to a hierarchical path.
Every object in the Active Directory store has a
DN, which uniquely identifies the object.
The DN includes the name of the domain that holds
the object as well as the complete path through
the container hierarchy to the object. For
example if John Smith works for msft.com and is
a member of the CONTOSO domain his DN is
DCcom/DCmsft/DCContoso/CNUsers/CNJohn Smith

7
Relative Distinguished Names (RDNs)

The RDN is one of an objects attributes.
The RDN is part of the full DN. For example
CNJohn Smith
Active Directory services allows duplicate RDNs
for objects, but no two objects with the same RDN
can exist within the same OU.

8
Globally Unique Identifiers (GUIDs)

Assigned to every object
128 bit number
Never changes
Identifies Object regardles of DN
Unique across Domains
Stored in an Object attribute
Can move objects but GUID stays the same

9
User Principal Names (UPNs)

The UPN is a friendly name that is shorter than
the DN and easier to remember.
The UPN consists of a shorthand name that
represents the user and usually the DNS name of
the domain where the object resides.
Independent of DN
Example johns_at_contoso.msft

10
Active Directory Structure

Data model
X.500
Schema
Class instances
Can be updated dynamically
Protected by ACLs
Security model
Trusted Computer Base
Administration model
Authorized to perform certain set of actions
Directory System Agent
Manages physical storage

11
Protocol Support

LDAP is the Active Directory core protocol.
V2 or v3
Active Directory services supports remote
procedure call (RPC) interfaces that support
Messaging Application Programming Interface
(MAPI) interfaces.
The Active Directory information model is derived
from the X.500 information model.
Does not support all x.500 defined wire protocols

12
Application Programming Interfaces (APIs)

Active Directory Service Interfaces (ADSI)
Easy to write applications
Developers - C, VB
Administrators - C, VB, Script
Users - Script
LDAP C API
Ability to work with many types of clients
Windows MAPI
Outlook or other legacy apps

13
Virtual Containers

Active Directory services supports virtual
containers, which allow any LDAP-compliant
directory to be accessed transparently through
Active Directory services.
The virtual container is implemented via location
information in the Active Directory store.
Location describes where in the AD Store the
foreign directory should appear

14
Active Directory Key Service Components
15
Interfaces

LDAP provides the API for LDAP clients and
exposes the ADSI so that additional applications
can be written that can talk to the Active
Directory services.
REPL is used by the replication service to
facilitate Active Directory replication via RPC
over Internet Protocol (IP) or Simple Mail
Transfer Protocol (SMTP).
SAM Provides down-level compatibility to
facilitate communication between Microsoft
Windows 2000 and Microsoft Windows NT 4.0
domains.
MAPI supports legacy MAPI clients.

16
Directory System Agent (DSA)

Object identification
Maintains GUID association with object
Transaction processing
Commit / Rollback
Schema enforcement of updates
Multimaster Replication
Duplication and Synchronization of directory
information
Change in an object may conflict with other
object in same or other replicas
Single-master Replication
Any change you make on the master is made on all
replicas
Ie. Schema changes must be replicated to preserve
consistency
Access control enforcement
SIDs
Support for replication
Referrals

17
Database Layer

Provides an object view of database information
by applying schema semantics to database records
Is an internal interface that is not exposed to
the public
Follows the parent references in the database and
concatenates the successive RDNs to form DNs
Translates each DN into an integer structure
called the DN tag, which is used for internal
access
Is responsible for the creation, retrieval, and
deletion of individual records, attributes, and
values

18
Extensible Storage Engine (ESE)

A new and improved version of the JET database
Implements a transacted database system that uses
log files to ensure that committed transactions
are safe
Stores all Active Directory objects
Comes with a predefined schema that defines all
the attributes required and allowed for a given
object
Stores attributes that can have multiple values
Can handle sparse rows

19
End Part 1
20
Introduction to Namespace Planning

Consists of
Doman hierarchy
Global catalog
Trust relationships
OUs
The Active Directory namespace is the top-level
qualified domain name for the company.
You must determine whether the internal and
external namespaces will be the same or separate.
Internal - Inside the firewall
External - Outside the firewall
Registered Domain Name
Your name space architecture should be
scalable
adaptable to change
able to distinguish between internal and external
resources
protect company data

21
Scenarios

Same internal and external name space
Internal users can access both intranet and
internet servers
External users external users can access internal
resources
Solution
Company DNS divided into two zones
One resolves resources for external users -
outside the firewall
The other resolves resources for internal users
inside the firewall
May need to duplicate the external zone for
internal user access
Advantage - Single logon, Consistent naming
Disadvantage complicated, duplication,
different view of internal and external
resources

22
Scenarios

Different internal and external name space
Requires registering two Domain Names
If internal name not reserved someone else may
use it???
Two DNS Zones
Advantages
Distinct difference between internal and external
resources
No overlap or duplication
Configuration simpler
Disadvantages
Registering two names
Different logon names and email names
Internal ken_at_expedia.dom
Email ken_at_microsoft.com

23
Introduction to OU Planning

OUs should reflect the details of the
organizations business structure.
Create OUs to delegate administrative control
over smaller groups of users, groups, and
resources.
OUs eliminate the need to provide users with
administrative access at the domain level.
OUs inherit security policies from the parent
domain and parent OU unless inheritance is
specifically disabled.

24
Creating the OU Structure

You should begin your OU design by creating an OU
structure for the first domain in the namespace.
When you create an OU, you should determine who
will be able to view and control certain objects
and what level of administration each
administrator will have over the objects.

25
OU Design Guidelines

Create OUs to delegate administration.
Create a logical and meaningful OU structure that
allows OU administrators to complete their tasks
efficiently.
Create OUs to apply security policies.
Create OUs to manage the visibility of published
resources.
Create OU structures that are relatively static.
OUs also give the namespace flexibility to adapt
to changing needs of the enterprise.
Avoid allocating too many child objects to any OU.

26
Structure the OU Hierarchy

Administration-based or object-based Ous
Users, Computers, applicatiosn
Geographical-based Ous
Eastern, Central, Rocky Mountaion ..
Business functionbased Ous
Accounting, Finance, Marketing, Manufacturing
Department-based Ous
Shipping, Receiving, Sales
Project-based Ous

27
Introduction to Site Planning

The physical design of a Windows 2000 network is
demarcated by site.
The Active Directory replication engine allows
you to differentiate between replication over a
LAN and replication over a WAN.
How you set up your sites affects Windows 2000
with respect to workstation logon and directory
replication.
In Active Directory services, sites are not part
of the namespace.
Properly planned sites ensure that network links
are not saturated by replication traffic, that
Active Directory services stay current, and that
client computers access resources that are
closest to them.
When planning how to group subnets into sites,
consider the connection speed between the subnets.

28
Optimizing Workstation Logon Traffic

When planning sites, consider which domain
controllers workstations should use.
To have a particular workstation log on to a
specific set of domain controllers, define the
sites so that only those domain controllers are
on the same site as the workstation.

29
Optimizing Directory Replication

When planning sites, consider where the domain
controllers will be located.
Configure sites so that replication occurs at
times or intervals that will not interfere with
network performance.
When implementing sites in branch offices, base
your planning on the size of the branch office.

30
Introduction to the Active Directory Installation
Wizard
31
Adding or Creating a Domain Controller

If you add a domain controller to an existing
domain, you create a peer domain controller.
If you create the first domain controller for a
new domain, you are creating not only the domain
controller but also a new domain.

32
Adding a Domain Controller to an Existing Domain
33
Creating a New Child Domain
34
Creating a New Domain Tree
35
Adding a Domain Tree to a Forest
36
The Active Directory Database and the Shared
System Volume

Created when Active Directory Services is
installed

37
The Active Directory Database

The database is a file named Ntds.dit, which is
the directory for the new domain.
The default location for the database and the
database log files is systemroot\Ntds, although
you can specify a different location.
The database contains all the information stores
in the Active Directory store.
The Ntds.dit file is an ESE database that
contains the entire schema, the global catalog,
and all the objects stored on that domain
controller.

38
The Shared System Volume

The shared system volume is a folder structure
that exists on all Windows 2000 domain
controllers.
The shared system volume stores scripts and some
of the group policy objects for the current
domain as well as the enterprise.
Replication of the shared system volume occurs on
the same schedule as Active Directory replication.

39
Domain Modes

Mixed mode
Native mode

40
Introduction to OUs and their Objects

Each Active Directory object is a distinct named
set of attributes that represents a specific
network resource.
Before objects are added to Active Directory
services, you should create the OUs that will
contain those objects.
Snap-ins
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
Active Directory Schema
Active Directory Group Policy
Active Directory Security Configuration and
Analysis
Active Directory Security Templates
Low Level Active Directory Editing
Active Directory Replication Monitor

41
Creating Ous
42
Adding Objects to OUs
43
Locating Objects
44
Modifying Attributes and Deleting Objects

You can modify the attributes of an object to
change or add information.
You can modify an objects attribute by opening
the properties for that object in the Active
Directory Users And Computers snap-in.
To maintain security, delete objects when they
are no longer needed.

45
Moving Objects

You can move objects from one location in the
Active Directory store to another location.
You should move objects when organization or
administrative functions change.

46
Managing Active Directory Permissions

Use Active Directory permissions to determine who
has the permissions to gain access to the object
and what type of access is allowed.
The object type determines which permissions you
can select.
Permissions inheritance minimizes the number of
times you need to assign permissions for objects.

47
Delegating Administrative Control of Objects

You can delegate administrative control of
objects to individuals.
Use the Delegation Of Control wizard to delegate
control of objects.
An administrator can delegate specific types of
control.
The most common method of delegating control is
to assign permissions at the OU level.
To delegate administrative control, you should
try to follow specific guidelines.
You can access the Delegation Of Control wizard
through the Active Directory Users And Computers
snap-in.

48
Guidelines for Administering Active Directory
Services