Microsoft Active Directory(AD)

1
Microsoft Active Directory(AD)

• A presentation by
• Robert, Jasmine, Val and Scott
• IMT546
• December 11, 2004

2
What are directory services?

• All Directory services use a hierarchical
  structure that stores information about objects
  on the network. What differentiates the various
  implementations are the types of objects that
  they track.

3
What objects are tracked via Directory Services?

• Shared Resources
• Servers,
• Shared volumes,
• Printers
• Applications

• Administration of
• Users
• User/Group access
• Network resources
• Management of domains, applications, services,
  security policies, and just about everything else
  in your network.

4
Directory Services Common Features

• Provide file shares
• Authenticate users
• Provide services, such as Email, Access to the
  internet, Print services etc.
• Control access to services and shares.

5
Key Features of Active Directory

• AD as a namespace that is integrated with the
  Internet's Domain Name System (DNS).
• AD - A new directory service central to the
  Windows 2000 Server operating system, runs only
  on domain controllers.
• Some directory services are integrated with
  an operating system, and others are applications
  such as e-mail directories. Operating system
  directory services, such as AD, provide user,
  computer, and shared resource management.

6
Active Directory utilizes a distributed
architecture

• Active Directory, in addition to providing a
  place to store data and services to make that
  data available, also protects network objects
  from unauthorized access and replicates
  information about objects across the entire
  network so that information about objects is not
  lost if one domain controller fails.

7
Terminology

• Site A site is a physical location, or LAN.
  This is different from a web site, which is an
  organizations internet presence.
• Domain
• (1) A sub-network comprised of a group of clients
  and servers under the control of one security
  database. Dividing LANs into domains improves
  performance and security.
• (2) All resources under the control of a single
  computer system.

8
Sample Domain Structure
9
Basic Network Identity Services
                                                                                                               

• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• Lightweight Directory Access Protocol (LDAP)
• Public Key Infrastructure (PKI)
• Remote Authentication Dial-In User Service
  (RADIUS)
• Microsoft's Active Directory
• Novell Directory Services (NDS)

10
Identity Service Providers

• SERVICE SPECIFICS
• Most mid-sized to large enterprises today are
  likely to run about a half dozen network identity
  services to connect their business applications
  and network infrastructure.
• These services each have specific roles to play
  in the network. But they often also interact with
  one another, too.
• Network identity services each perform specific
  tasks and also frequently interact. Managing
  interactions becomes challenging when multiple
  internal organizations administer the various
  services, which may be duplicated in numerous
  locations throughout the network and use
  different data stores.

11
DNSDomain Name System

• DNS is a globally distributed database that
  manages IP addresses on the internet.
• DNS uses a hierarchy of domains on the internet.
• Top level domains use the familiar names like
  .com, .edu, .gov.
• The second level are registered to organizations
  who have a presence on the web.
• Active Directory is designed to exist within the
  scope of the Global DNS Namespace.

12
DNS Structure
13
LDAP

• Lightweight Directory Access Protocol (LDAP) -- a
  protocol used to access a directory service.
• Lightweight Access Directory Protocol is the
  primary access protocol for Active Directory.

14
Active Directory's Global Catalog

• The global catalog is the mechanism that tracks
  all of the objects managed across the network,
  across all domains within the organization.
• Elements of the catalog are replicated across all
  of the domain controllers within all domains
  across the org.

15
Global Catalog -Service Discovery

• For Active Directory to function properly, DNS
  servers must support Service Location (SRV)
  resource records.
• SRV resource records map the name of a service to
  the name of a server offering that service.
  Active Directory clients and domain controllers
  use SRV resource records to determine the IP
  addresses of domain controllers.

16
Domain authority

• Active Directory replicates its administration
  information across domain controllers throughout
  the forest utilizing a multi-master approach.
• Multi-master replication among peer domain
  controllers is impractical for some types
  changes, so only one domain controller, called
  the operations master, accepts requests for such
  changes.

17
Authentication

• Each domain controller has information for the
  entire forest to support authentication and
  access control.
• This provides the ability for local domain
  controllers (the tree) to provide a quick local
  lookup of authority.
• Not just users but every object authenticating to
  Active Directory must reference the global
  catalog server, including every computer that
  boots up

18
An example of an Active Directory implementation
PING North America

• Benefits from using Active Directory
• Reduced one IT staff members workload by 40
  percent, freeing 800 hours per year to work on
  new projects
• Significant cost savings due to server
  consolidation and elimination of mainframe and
  NetWare
• Increased security and stability through
  centralized desktop management
• Active Directory also gives PING a single
  repository for all types of information.

Source Microsoft
19
Time Savings

• Before
• PCs that were still running Windows NT
  Workstation or Windows 98, it would take as much
  as 40 hours of effort to manually visit each
  desktop and install the patch.
• After
• Desktops that are running Windows XP
  Professional, A group policy can be created that
  will push a new security patch out to all of them
  in less than 30 minutes.

20
Repository of Information

• Before
• Spreadsheets had to be created and spreadsheets
  maintained for user locations, office numbers,
  phone numbers etc.
• After
• All of the information is now managed in a single
  place and is updated using a single interface.

21
Increased Security

• Since Active Directory will provide a single
  point of management for all systems. Desktops can
  be locked down in a known, secure state and kept
  current with software updates and security
  patches with minimal time and effort.

22
Open Source Implementation
23
Mac OS X Server v10.3 Open Directory 2

• The latest version of Apples standards-based
  directory and authentication services
  architecture.
• The Open Directory architecture makes it easy to
  integrate Mac OS X client and server systems to
  into your existing network infrastructure. Its
  compatible with other standards-based LDAP
  servers, and can even plug into environments that
  use proprietary services such as Microsofts
  Active Directory and Novells eDirectory.

24
Open Directory Features

• Support for mixed-platform environments -
• Strong authentication options -Kerberos
• Reliability and scalability -

25
References

• Mac Os X Open Directory http//www.apple.com/serv
  er/macosx/open_directory.html
• Microsoft Active Directory
• http//www.microsoft.com/technet/prodtechnol/windo
  ws2000serv/technologies/activedirectory/deploy/pro
  jplan/adarch.mspx
• Ping http//www.microsoft.com/resources/casestudi
  es/CaseStudy.asp?CaseStudyID15304
• General http//www.microsoft.com
• Gaining Control of Your network Identity
  infrastructure http//www.bitpipe.com/detail/RES/
  1082474885_246.html