Transcript Slide 1

Essential Services
Lesson 5
Objectives
Naming Resolution
• In today’s networks, you assign logical addresses,
such as with IP addressing.
• Unfortunately, these addresses tend to be hard to
remember, especially in the case of newer, more
complicated IPv6 addresses.
• Therefore, you need to use some form of naming
service that will allow you to translate logical
names, which are easier to remember, into logical
addresses.
• The most common naming service is Domain
Name System, or DNS.
HOST File
Domain Name System
• DNS is short for Domain Name System.
• DNS is a hierarchical client/server-based
distributed database management system that
translates domain/host names to IP addresses.
• The top of the tree is known as the root domain.
• Below the root domain, you will find top-level
domains, such as .com, .edu, .org, and .net, as well
as two-letter country codes, such as .uk, .ca, and
.us.
Resource Records in a Forward Lookup Zone
DNS Zones Types
• When you define DNS zones, you create the
zone as either a forward lookup zone or a
reverse lookup zone.
– The forward lookup zone (such as
technet.microsoft.com or microsoft.com) has
the majority of the resource records,
including A and CNAME records, whereas the
reverse lookup zone has PTR records.
– The reverse lookup zone is defined by
reverse lookup format.
DNS Round Robin
• DNS servers use a mechanism called round-robin
to share and distribute loads for a network resource.
• Round-robin rotates the order of resource
records with the same name that point to
different IP addresses.
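The zone types and round-robin behaviour described above, as an added example that is not part of the lesson: a small in-memory resolver over a constructed forward lookup zone (A and CNAME records) and the reverse lookup zone derived from it (PTR records under in-addr.arpa), which rotates same-name A records on every answer. All names and addresses are constructed sample data.

```python
import ipaddress
from collections import deque

# Constructed sample zones (example data, not from any real deployment).
# The forward lookup zone holds A and CNAME records; the reverse lookup
# zone, derived from the A records below, holds the matching PTR records.
FORWARD_ZONE = {
    "www.example.test.":  [("A", "192.0.2.10"), ("A", "192.0.2.11"), ("A", "192.0.2.12")],
    "mail.example.test.": [("A", "192.0.2.25")],
    "smtp.example.test.": [("CNAME", "mail.example.test.")],
}

def reverse_name(ip):
    """Reverse lookup name for an IPv4 address: octets reversed under in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."

REVERSE_ZONE = {reverse_name(value): [("PTR", name)]
                for name, rrs in FORWARD_ZONE.items()
                for rtype, value in rrs if rtype == "A"}

class RoundRobinResolver:
    """Answers from both zones and rotates same-name records after every answer."""

    def __init__(self, forward, reverse):
        # One deque per name so each record set rotates independently.
        self._records = {name: deque(rrs) for name, rrs in {**forward, **reverse}.items()}

    def query(self, name, rtype, _depth=0):
        rrs = self._records.get(name)
        if rrs is None or _depth > 8:          # unknown name, or a CNAME loop
            return []
        answer = [value for t, value in rrs if t == rtype]
        if answer:
            rrs.rotate(-1)                     # round-robin: the next client sees a new first address
            return answer
        # No record of the requested type: chase a CNAME to its canonical name.
        cnames = [value for t, value in rrs if t == "CNAME"]
        return self.query(cnames[0], rtype, _depth + 1) if cnames else []

if __name__ == "__main__":
    resolver = RoundRobinResolver(FORWARD_ZONE, REVERSE_ZONE)
    for _ in range(3):                          # three clients asking for the same name
        print("www ->", resolver.query("www.example.test.", "A"))
    print("smtp ->", resolver.query("smtp.example.test.", "A"))        # via CNAME
    print(reverse_name("192.0.2.25"), "->", resolver.query(reverse_name("192.0.2.25"), "PTR"))
```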
DNS Queries and Transfers
• DNS queries and DNS transfers between
primary and secondary zones occur over
TCP/UDP port 53.
• So, if you have any firewall between servers
(including firewalls running on the servers),
you will need to open port 53.
Windows Internet Name Service (WINS)
• Windows Internet Name Service (WINS) is a legacy naming
service that translates from NetBIOS (computer name) to
specify a network resource.
• A WINS server contains a database of IP addresses and
NetBIOS names that update dynamically. Unfortunately,
WINS is not a hierarchical system like DNS, so it is only good
for your organization; also, it functions only for Windows
operating systems.
• Typically, other network devices and services cannot
register with a WINS server.
• Therefore, you have to add static entries for these devices if
you want name resolution using WINS.
DHCP
• Dynamic Host Configuration Protocol (DHCP) services
automatically assign IP addresses and related
parameters (including subnet mask and default gateway
and length of the lease) so that a host can immediately
communicate on an IP network when it starts.
• A DHCP server maintains a list of IP addresses called a
pool.
• When a DHCP client starts and needs an IP address
assigned to it, it broadcasts to a DHCP server asking for a
leased address.
• The client sends messages to UDP port 67, and the
server sends messages to UDP port 68.
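The pool and lease behaviour described above, as an added example that is not from the lesson: a simplified DHCP-style lease pool that hands out an address with the subnet mask, default gateway and lease length, renews an existing client's lease, reclaims expired leases, and returns None when the pool is exhausted. The network, gateway and client MAC addresses are constructed; the clock parameter is an assumption added so the expiry logic can be exercised without waiting.

```python
import ipaddress
import time

DHCP_SERVER_PORT = 67   # clients send their broadcast requests to this UDP port
DHCP_CLIENT_PORT = 68   # the server answers on this UDP port

class LeasePool:
    """A DHCP-style pool that leases addresses for a fixed length of time."""

    def __init__(self, network, subnet_mask, gateway, lease_seconds, clock=time.time):
        self.mask, self.gateway = subnet_mask, gateway
        self.lease_seconds, self.clock = lease_seconds, clock
        # Every usable host address except the gateway's own is available to lease.
        self.free = [str(h) for h in ipaddress.IPv4Network(network).hosts() if str(h) != gateway]
        self.leases = {}        # client MAC -> (ip, expiry time)

    def _reclaim_expired(self):
        now = self.clock()
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:               # lease ran out without renewal: address returns to the pool
                del self.leases[mac]
                self.free.append(ip)

    def request(self, mac):
        """Answer a client's request with the parameters an acknowledgement carries,
        or None when the pool is exhausted (no address can be offered)."""
        self._reclaim_expired()
        if mac in self.leases:              # renewal: the client keeps its current address
            ip = self.leases[mac][0]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = (ip, self.clock() + self.lease_seconds)
        return {"ip": ip, "subnet_mask": self.mask, "gateway": self.gateway,
                "lease_seconds": self.lease_seconds}

if __name__ == "__main__":
    pool = LeasePool("192.0.2.0/29", "255.255.255.248", "192.0.2.1", lease_seconds=3600)
    for i in range(1, 7):   # a /29 leaves only five leasable addresses here, so the sixth client gets None
        print(f"aa:bb:cc:00:00:{i:02x} ->", pool.request(f"aa:bb:cc:00:00:{i:02x}"))
```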
Directory Services
• A directory service stores, organizes, and
provides access to information in a directory.
• Directory services are used for locating,
managing, administering, and organizing
common items and network resources, such
as volumes, folders, files, printers, users,
groups, devices, telephone numbers, and
other objects.
• One popular directory service used by many
organizations is Microsoft’s Active Directory.
Active Directory
• Active Directory is a technology created by
Microsoft that provides a variety of network
services, including the following:
– LDAP
– Kerberos-based and single sign-on authentication
– DNS-based naming and other network information
– A central location for network administration and
delegation of authority
• Active Directory requires DNS.
Active Directory Logical Structure
• Active Directory domains, trees, and forests
are logical representations of your network
organization, which allow you to organize
them in the best way to manage them.
– Domain
– Tree
– Forest
• To allow users in one domain to access
resources in another domain, Active Directory
uses trust relationships.
Physical Structure
• Although domains, trees, and forests are logical
representations of your organization, sites and
domain controllers represent the physical structure
of your network.
– Sites: A site is one or more IP subnets that are
connected by a high-speed link, typically defined
by a geographical location.
– Domain Controllers: A Windows server that
stores a replica of the account and security
information for the domain and defines the
domain boundaries.
Active Directory Management Tools
• After you have promoted a computer to a
domain controller, you can use several MMC
snap-in consoles to manage Active Directory.
• These consoles are as follows:
– Active Directory Users and Computers
– Active Directory Domains and Trusts
– Active Directory Sites and Services
– Active Directory Administrative Center
– Group Policy Management Console (GPMC)
Member Server
• A server that is not running as a domain
controller is known as a member server.
• To demote a domain controller to a member
server, you would rerun the dcpromo
program.
FSMO Roles
• Active Directory uses multimaster replication,
which means that there is no master domain
controller, commonly referred to as a primary
domain controller within Windows NT domains.
• However, because there are certain functions that
can be handled by only one domain controller at a
time, Active Directory uses Flexible Single Master
Operations (FSMO) roles, also known as operations
master roles.
Global Catalogs
• Because the domain controller only has
information for the domain and does not store a
copy of the objects for other domains, you still
need a way to find and access objects in other
domains within your tree and forest.
• A global catalog replicates the information of every
object in a tree and forest.
• By default, a global catalog is created automatically
on the first domain controller in the forest, but any
domain controller can be made into a global
catalog.
Functional Levels
• In Active Directory, you can have domain
controllers running different versions of Windows
servers, such as Windows 2000, Windows Server
2003, or Windows Server 2008.
• The functional level of a domain or forest depends
on which Windows Server operating system
versions are running on the domain controllers in
that domain or forest.
• The functional level also controls which advanced
features are available in the domain or forest.
Organizational Units
Delegation of Control
• By delegating administration, you can assign
a range of administrative tasks to the
appropriate users and groups.
Active Directory Objects
• An object is a distinct, named set of attributes or
characteristics that represent a network resource.
• Common objects used within Active Directory are
computers, users, groups, and printers.
• Attributes have values that define the specific
object.
• Active Directory objects are assigned a 128-bit
unique number called a globally unique identifier
(GUID), sometimes referred to as a security
identifier (SID), to uniquely identify an object.
User Accounts
• A user account enables a user to log on to a computer
and domain.
• As a result, it can be used to prove the identity of a user,
and this identity information can then be used to
determine what the user can access and what kind of
authorization he or she has.
• It can also be used for auditing.
• On today’s Windows networks, there are two types of
user accounts: Local user accounts and Domain user
accounts
User Profile Tab
Computer Accounts
• Like user accounts, Windows computer accounts
provide a means for authenticating and auditing a
computer’s access to a Windows network and
access to domain resources.
• Each Windows computer to which you want to
grant access must have a unique computer
account.
• A computer account can also be used for auditing
purposes, specifying what system was used when
something was accessed.
Groups
• A group is a collection or list of user accounts or
computer accounts.
• Different from a container, a group does not store
user or computer information; rather, it just lists it.
• The advantage of using groups is that they simplify
administration, especially when assigning rights
and permissions.
• In Windows Active Directory, there are two types
of groups: Security groups and Distribution groups.
Group Types and Scopes
Using Groups
• To effectively manage the use of groups when
assigning access to a network resource using
global groups and domain local groups, remember
the mnemonic AGDLP:
– Accounts
– Global
– Domain Local
– Permissions
• If you are using universal groups, the mnemonic is
expanded to AGUDLP, with Universal groups placed
between Global and Domain Local.
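The AGDLP/AGUDLP pattern above, as an added example that is not from the lesson: a toy directory model that enforces which member kinds each group scope may hold, allows permissions only on domain local groups, and resolves an account's effective access through nested membership. Group, account and resource names are constructed, and accounts' home domains are deliberately not modelled (an assumption of this example).

```python
from collections import defaultdict

# Which kinds of members each group scope may hold. Accounts' home domains are not
# modelled here (an assumption of this example); the nesting rules are the AGDLP /
# AGUDLP ones: Accounts -> Global -> (Universal) -> Domain Local -> Permissions.
MAY_CONTAIN = {
    "global":       {"account", "global"},
    "universal":    {"account", "global", "universal"},
    "domain_local": {"account", "global", "universal", "domain_local"},
}

class Directory:
    def __init__(self):
        self.scope = {}                       # group name -> scope
        self.members = defaultdict(set)       # group name -> direct members
        self.acl = defaultdict(set)           # resource -> groups with access

    def add_group(self, name, scope):
        self.scope[name] = scope

    def add_member(self, group, member):
        kind = self.scope.get(member, "account")   # anything that is not a group is an account
        if kind not in MAY_CONTAIN[self.scope[group]]:
            raise ValueError(f"{self.scope[group]} group {group} cannot contain {kind} {member}")
        self.members[group].add(member)

    def grant(self, resource, group):
        # The P of AGDLP: permissions are placed on domain local groups only.
        if self.scope[group] != "domain_local":
            raise ValueError(f"grant permissions to a domain local group, not {group}")
        self.acl[resource].add(group)

    def effective_groups(self, account):
        """Every group the account belongs to, directly or through nesting."""
        found, todo = set(), [account]
        while todo:
            current = todo.pop()
            for group, members in self.members.items():
                if current in members and group not in found:
                    found.add(group)
                    todo.append(group)
        return found

    def has_access(self, account, resource):
        """True when any group on the resource's ACL is among the account's effective groups."""
        return bool(self.acl.get(resource, set()) & self.effective_groups(account))
```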
Built-In Groups
• Similar to the administrator and guest accounts,
Windows has default groups called built-in groups.
• These default groups are granted specific rights and
permissions to get you started. Various built-in groups
are as follows:
– Domain Admins
– Domain Users
– Account Operators
– Backup Operators
– Authenticated Users
– Everyone
Group Policies
• Group Policy is one of the most powerful
features of Active Directory that controls the
working environment for user accounts and
computer accounts.
• Group Policy provides centralized
management and configuration of operating
systems, applications, and user settings in
an Active Directory environment.
Apply Group Policies
• Group Policy can be set locally on a workstation or
set at different levels (site, domain, or
organizational unit) within Active Directory.
• Generally speaking, you will not find as many
settings locally as you will at the site, domain, or
OU level. When group policies are applied, they are
applied in the following order:
1. Local
2. Site
3. Domain
4. OU
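The Local, Site, Domain, OU application order above, as an added example that is not from the lesson: a resolver that merges linked policies in that order so a later level wins a conflict, records which policy set each effective value, and treats a setting absent from a policy as Not Configured so it leaves the earlier value untouched. Nested OUs keep the parent-then-child order they are given, which goes a step beyond the four-level list on the slide. Policy names and settings are constructed.

```python
LEVEL_RANK = {"local": 0, "site": 1, "domain": 2, "ou": 3}   # the application order from the slide

def apply_group_policies(linked):
    """linked: list of (level, policy_name, {setting: value}) in any order.
    Returns (effective_settings, winning_policy_per_setting). A setting that a policy
    does not mention is Not Configured there and keeps whatever an earlier level set."""
    # sorted() is stable, so several OU policies keep their given parent -> child order.
    ordered = sorted(linked, key=lambda item: LEVEL_RANK[item[0]])
    effective, winner = {}, {}
    for level, policy, settings in ordered:
        for setting, value in settings.items():
            effective[setting] = value           # later level overrides an earlier one
            winner[setting] = f"{level}:{policy}"
    return effective, winner

if __name__ == "__main__":
    # Constructed policies linked at each level (not a real domain).
    linked = [
        ("ou", "Finance-Parent", {"ScreenSaverTimeout": 900}),
        ("domain", "Default Domain Policy", {"MinPasswordLength": 8, "ScreenSaverTimeout": 600}),
        ("local", "Local Computer Policy", {"MinPasswordLength": 6, "EnableFirewall": True}),
        ("site", "HQ-Site", {"EnableFirewall": False}),
        ("ou", "Finance-Child", {"MinPasswordLength": 14}),
    ]
    effective, winner = apply_group_policies(linked)
    for setting in sorted(effective):
        print(f"{setting:20} = {effective[setting]!s:6} (set by {winner[setting]})")
```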
Group Policy Management Console
User Rights
Permissions
• A permission defines the type of access that is
granted to an object (an object can be identified
with a security identifier) or object attribute.
• The most common objects assigned permissions
are NTFS files and folders, printers, and Active
Directory objects.
• Which users can access an object and what
actions those users are authorized to perform are
recorded in the access control list (ACL), which lists
all users and groups that have access to the
object.
Summary
• Besides becoming the standard for the Internet,
DNS, short for Domain Name System, is a
hierarchical client/server-based distributed
database management system that translates
domain/host names to IP addresses.
• A fully qualified domain name (FQDN) describes
the exact position of a host within a DNS hierarchy.
• The legacy naming service is Windows Internet
Name Service or WINS, which translates from
NetBIOS (computer name) to specify a network
resource.
Summary
• When you share a directory, drive, or printer on a PC
running Microsoft Windows or on a Linux machine
running Samba, you can access the resource by using
the Universal Naming Convention (UNC), also known as
Uniform Naming Convention, to specify the location of
the resource.
• Dynamic Host Configuration Protocol (DHCP) services
automatically assign IP addresses and related
parameters (including subnet mask and default
gateway and length of the lease) so that a host can
immediately communicate on an IP network when it
starts.
Summary
• The Lightweight Directory Access Protocol, or
LDAP, is an application protocol for querying
and modifying data using directory services
running over TCP/IP.
• Active Directory domains, trees, and forests
are logical representations of network
organization, which allow you to organize
them in the best way to manage them.
Summary
• Sites and domain controllers represent the
physical structure of a network.
• A site is one or more IP subnets that are connected
by a high-speed link, typically defined by a
geographical location.
• A domain controller is a Windows server that stores
a replica of the account and security information
for the domain and defines the domain
boundaries.
• A server that is not running as a domain controller
is known as a member server.
Summary
• Because there are certain functions that can
only be handled by one domain controller at
a time, Active Directory uses Flexible Single
Master Operations (FSMO) roles.
• A global catalog holds replicated information
of every object in a tree and forest.
• The functional level of a domain or forest
controls which advanced features are
available in the domain or forest.
Summary
• A right authorizes a user to perform certain
actions on a computer.
• A permission defines the type of access that
is granted to an object (an object can be
identified with a security identifier) or object
attribute.