Transcript ch05.

Chapter Summary (slide 1)
- Understanding DNS
- Understanding Name Resolution
- Configuring a DNS Client
- Understanding Active Directory
- Understanding Active Directory Structure and Replication
- Understanding Active Directory Concepts
Introduction to DNS (slide 2)
- The Domain Name System (DNS) is a naming system based on a distributed database.
- DNS is used in TCP/IP networks to translate computer names to IP addresses.
- DNS is the default naming system for IP-based networks.
- The DNS Service is not available with Microsoft Windows XP Professional, but it ships with Microsoft Windows 2000 Server.
Benefits of Using DNS (slide 3)
- DNS names are user friendly.
- DNS names remain more constant than IP addresses.
- DNS uses the same naming conventions as the Internet.

Domain Namespace (slide 4)

Examples of Second-Level Domains (slide 5)
- ed.gov
- Microsoft.com
- Stanford.edu
- w3.org

Host Names (slide 6)
- Host names refer to specific computers on the Internet or an intranet.
- They are the leftmost portion of a fully qualified domain name (FQDN), such as Computer1.sales.microsoft.com.
- DNS uses a host’s FQDN to resolve a name to an IP address.
- Host names do not have to match the computer names.

Domain Naming Guidelines (slide 7)
- Limit the number of domain levels.
- Use unique names.
- Use simple names.
- Avoid lengthy domain names.

Domain Naming Guidelines (Cont.) (slide 8)
- Use standard DNS characters and Unicode characters.
  - Windows 2000 Server supports A–Z, a–z, 0–9, and hyphen (-).
  - The DNS Service supports the Unicode character set.
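The FQDN anatomy from slide 6 and the naming guidelines from slides 7 and 8, worked through in code. This is an added example, not material from the slides: it splits a name into host and domain labels and reports which guidelines a name violates. The 63-character label limit and 253-character name limit come from the DNS RFCs rather than from the deck, and the `max_levels` threshold is an arbitrary choice for the example.

```python
"""Added example (not from the slides): split an FQDN into its host and domain
labels and check it against the naming guidelines on slides 6 to 8.  The
63-character label limit and 253-character name limit are taken from the DNS
RFCs, not from the deck; the max_levels threshold is an arbitrary choice."""
import re
from dataclasses import dataclass
from typing import List

# Slide 8: Windows 2000 Server supports A-Z, a-z, 0-9 and hyphen in names.
# The regex also rejects a leading or trailing hyphen (the RFC 952/1123 rule)
# and labels longer than 63 characters (RFC 1035).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_NAME_LEN = 253  # RFC 1035 limit for a full name in text form (not on the slides)


@dataclass
class ParsedName:
    host: str            # leftmost label, e.g. Computer1 (slide 6)
    domain: str          # everything to the right of the host
    labels: List[str]    # all labels, left to right
    levels: int          # domain levels below the root, excluding the host label


def parse_fqdn(fqdn: str) -> ParsedName:
    """Split 'Computer1.sales.microsoft.com' into host and domain parts."""
    name = fqdn.rstrip(".")                      # tolerate a trailing root dot
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    return ParsedName(host=labels[0], domain=".".join(labels[1:]),
                      labels=labels, levels=len(labels) - 1)


def check_guidelines(fqdn: str, max_levels: int = 4) -> List[str]:
    """Return the guideline violations for a name; an empty list means it passes."""
    problems: List[str] = []
    name = fqdn.rstrip(".")
    labels = name.split(".")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters; avoid lengthy domain names")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not made of A-Z, a-z, 0-9 and hyphen, "
                            "or starts/ends with a hyphen, or exceeds 63 characters")
    if len(labels) - 1 > max_levels:
        problems.append(f"{len(labels) - 1} domain levels; limit the number of domain levels")
    return problems
```

`check_guidelines("Computer1.sales.microsoft.com")` returns no problems, while a name with an underscore or a leading hyphen is flagged, which is the practical reason the slide restricts the character set: names outside it are not portable across resolvers.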
Zones (slide 9)

Name Servers (slide 10)
- DNS name servers store the zone database file.
  - They store the database files for one or multiple zones.
  - They have authority for the domain namespace that the zone encompasses.
  - A zone must have at least one name server.

Primary Zone Database File (slide 11)
- A name server in each domain contains the master database file, called the primary zone database file.
- Changes to a zone are performed on the primary zone database file.
- Multiple name servers act as a backup.

Benefits of Multiple Name Servers (slide 12)
- Provide zone transfers
- Provide redundancy
- Improve access speed
- Reduce the load

Name Resolution (slide 13)
- Name resolution is the process of resolving names to IP addresses.
- DNS resolves a name, such as www.microsoft.com, to an IP address.
- The mapping of names to addresses is stored in the DNS distributed database.

Resolving a Forward Lookup Query (slide 14)

Name Server Caching (slide 15)
- When a name server is processing a query, it might have to send out several queries to find the answer.
  - Each query discovers other name servers that have authority for a portion of the domain namespace.
  - The name server caches these query results to reduce network traffic.
- When a name server receives a query result, the name server caches the query result for a specified amount of time, referred to as Time to Live (TTL).

Time to Live (TTL) (slide 16)
- The zone that provides the query results specifies the TTL; the default TTL is 60 minutes.
- When TTL expires, the name server deletes the query result from its cache.
  - Shorter TTL values help ensure that data about the domain namespace is more current across the network.
  - Shorter TTL values increase the load on name servers.
  - Longer TTL values decrease the time required to resolve information.
  - Longer TTL values mean it will take longer for a client to receive any updated information.
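The caching behaviour of slides 15 and 16 as a small model: a resolver that keeps each answer until the TTL supplied by the zone expires, then deletes it and asks again. This is an added example, not code from the slides. The authoritative data is constructed (documentation addresses), and the clock is injected so that expiry can be exercised without waiting; `upstream_queries` counts how many times the cache had to go to the authoritative server, which is the "load" the slide refers to.

```python
"""Added example (not from the slides): a minimal caching resolver that honours
the TTL returned with each answer (slides 15 and 16).  The zone data below is
constructed and the clock is injected so expiry can be shown deterministically."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_TTL = 3600   # slide 16: the default TTL is 60 minutes (expressed in seconds)

# Constructed authoritative data: name -> (address, ttl_seconds).  192.0.2.0/24 is
# the documentation range, so these addresses are not real hosts.
AUTHORITATIVE: Dict[str, Tuple[str, int]] = {
    "www.microsoft.com": ("192.0.2.10", DEFAULT_TTL),
    "mail.microsoft.com": ("192.0.2.25", 300),   # short TTL: changes propagate sooner
}


@dataclass
class CacheEntry:
    address: str
    expires_at: float      # absolute time at which the TTL runs out


class CachingResolver:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock                      # injected so tests can move time
        self.cache: Dict[str, CacheEntry] = {}
        self.upstream_queries = 0               # queries that had to leave the cache

    def _authoritative_lookup(self, name: str) -> Optional[Tuple[str, int]]:
        """Stand-in for asking the name server that has authority for the zone."""
        self.upstream_queries += 1
        return AUTHORITATIVE.get(name)

    def resolve(self, name: str) -> Optional[str]:
        now = self.clock()
        key = name.lower().rstrip(".")          # DNS names are case-insensitive
        entry = self.cache.get(key)
        if entry is not None:
            if entry.expires_at > now:
                return entry.address            # cache hit: no network traffic
            del self.cache[key]                 # TTL expired: delete it (slide 16)
        answer = self._authoritative_lookup(key)
        if answer is None:
            return None                         # negative answers are not cached in this model
        address, ttl = answer
        self.cache[key] = CacheEntry(address, now + ttl)
        return address
```

Lowering the TTL on `mail.microsoft.com` to 300 seconds means the resolver re-queries it twelve times in the hour that `www.microsoft.com` is served from cache once; that is the trade-off the slide describes between freshness and load on the name servers.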
Reverse Lookup Query (slide 17)
- A reverse lookup query maps an IP address to a name.
- Troubleshooting tools such as the nslookup utility use reverse lookup.
- Some applications implement security based on the ability to connect to names rather than IP addresses.
- The DNS distributed database is indexed by name, so a reverse lookup query would require an exhaustive search of every domain name.

The in-addr.arpa Domain (slide 18)
- Is a special second-level domain created to resolve the difficulty of doing a reverse lookup query
- Follows the same hierarchical naming scheme as the rest of the domain namespace, but it is based on IP addresses, not domain names
- Has subdomains named after the numbers in the dotted-decimal representation of IP addresses
- Reverses the order of the IP address octets
- Lets companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask
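The in-addr.arpa construction from slide 18, together with the caveat behind slide 17's remark that some applications base security on names: a PTR record is published by whoever administers the address block, so an application that trusts the reverse name should confirm it with a forward lookup. This is an added example, not code from the slides. The forward and reverse records are constructed, and the octet-aligned delegation rule is a simplification of how in-addr.arpa is actually delegated.

```python
"""Added example (not from the slides): build in-addr.arpa names, derive the
reverse zone a company administers for an octet-aligned block (slide 18), and
confirm a PTR answer against the forward zone before trusting it (slide 17).
All A and PTR data below is constructed for the example."""
import ipaddress
from typing import Dict, List, Optional


def reverse_name(ip: str) -> str:
    """10.1.2.4 -> 4.2.1.10.in-addr.arpa: octets reversed, then the special domain."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def reverse_zone(network: str) -> str:
    """Zone a company administers for its block: 10.1.2.0/24 -> 2.1.10.in-addr.arpa.
    This model only handles /8, /16 and /24 (octet-aligned) delegations."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen % 8:
        raise ValueError("only octet-aligned prefixes (/8, /16, /24) are modelled here")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


# Constructed forward (A) and reverse (PTR) data for the example.
A_RECORDS: Dict[str, List[str]] = {
    "fileserver.sales.microsoft.com": ["10.1.2.4"],
}
PTR_RECORDS: Dict[str, str] = {
    reverse_name("10.1.2.4"): "fileserver.sales.microsoft.com",
    # Constructed: a PTR in a different block that names the same host.  Whoever
    # runs that block chose this value; the forward zone does not corroborate it.
    reverse_name("198.51.100.7"): "fileserver.sales.microsoft.com",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Plain PTR lookup, as nslookup would show it."""
    return PTR_RECORDS.get(reverse_name(ip))


def forward_confirmed_reverse(ip: str) -> Optional[str]:
    """Return the PTR name only if that name's A record points back at ip.
    Anything else is reported as unverified (None) so a name-based check fails closed."""
    name = reverse_lookup(ip)
    if name is None:
        return None
    if ip in A_RECORDS.get(name.lower(), []):
        return name
    return None
```

`reverse_lookup("198.51.100.7")` returns the host name, but `forward_confirmed_reverse` returns `None` for it because the forward zone for `fileserver.sales.microsoft.com` does not list that address; an application that grants access by name should use the confirmed form.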
Introduction to DNS Clients (slide 19)
- A DNS client uses DNS, a distributed database used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, for name resolution.
- TCP/IP must be installed for a computer to use DNS.

Internet Protocol (TCP/IP) Properties Dialog Box (slide 20)

Configuring DNS Query Settings (slide 21)
- Append Primary And Connection Specific DNS Suffixes
  - Append the client name to the primary domain name, as well as the domain name defined in the DNS Domain Name field of each network connection.
- Append Parent Suffixes Of The Primary DNS Suffix
  - The DNS server strips off the leftmost portion of the primary DNS suffix and attempts the resulting domain name.
- Append These DNS Suffixes (In Order)
  - The DNS resolver adds each one of these suffixes, one at a time and in the order you specified.
- Register This Connection’s Addresses In DNS
  - The computer attempts to dynamically register the IP addresses (through DNS) of this computer with its full computer name.
- Use This Connection’s DNS Suffix In DNS Registration
  - The computer uses dynamic updates to register the IP address and the connection-specific domain name of the connection.
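The three suffix options on slide 21 decide which fully qualified names a client actually sends when a user types a short name such as `server1`. The following is an added example written for this page, not Microsoft's resolver code: it produces that ordered candidate list. The sample suffixes are constructed, and the rule that parent-suffix devolution stops at two labels (so that a bare top-level domain is never tried) is this example's assumption.

```python
"""Added example (not from the slides or from Microsoft's resolver): build the
ordered list of names a Windows 2000 style DNS client tries for an unqualified
name, following the query-settings options on slide 21.  The two-label
devolution floor and the sample suffixes are assumptions for this example."""
from typing import List, Optional


def devolved_suffixes(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """'Append Parent Suffixes Of The Primary DNS Suffix': strip the leftmost label
    repeatedly.  sales.microsoft.com -> [sales.microsoft.com, microsoft.com].
    Stopping at two labels is this example's choice so a bare TLD is never queried."""
    labels = primary_suffix.strip(".").split(".")
    out: List[str] = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_names(name: str,
                    primary_suffix: str,
                    connection_suffixes: List[str],
                    append_parent_suffixes: bool = True,
                    search_list: Optional[List[str]] = None) -> List[str]:
    """Return the FQDNs to query, in order, for a name typed by the user."""
    if name.endswith("."):
        return [name.rstrip(".")]           # already absolute: query as-is, no suffixes
    if search_list:
        # 'Append These DNS Suffixes (In Order)': the explicit list is used
        # instead of the primary and connection-specific suffixes.
        suffixes = list(search_list)
    else:
        # 'Append Primary And Connection Specific DNS Suffixes'
        suffixes = [primary_suffix] + list(connection_suffixes)
        if append_parent_suffixes:
            suffixes += devolved_suffixes(primary_suffix)[1:]   # parents of the primary suffix
    seen, ordered = set(), []                # drop blanks and duplicates, keep order
    for suffix in suffixes:
        key = suffix.strip(".").lower()
        if key and key not in seen:
            seen.add(key)
            ordered.append(suffix.strip("."))
    return [f"{name}.{suffix}" for suffix in ordered]
```

For a client whose primary suffix is `sales.microsoft.com`, the devolved candidates reach `server1.microsoft.com`, a name outside the client's own zone. Administrators who review resolver logs should therefore record the name that was finally answered, not only the short name the user typed.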
What Is Active Directory? (slide 22)
- A directory service uniquely identifies users and resources on a network.
- Active Directory service is the directory service included with Microsoft Windows 2000 products.
- Active Directory provides a single point of network management.
- Active Directory is a network service that
  - Identifies all resources on a network
  - Makes all resources available to users and applications

What Is Active Directory? (Cont.) (slide 23)
- Active Directory includes the directory or data store.
  - The directory is a structured database that stores information about network resources.
  - Resources stored in the directory are referred to as objects.

Simplified Administration (slide 24)
- Active Directory organizes resources hierarchically in domains.
  - A domain is a logical grouping of servers and other network resources under a single domain name.
  - A domain is the basic unit of replication and security.
  - A domain includes at least one domain controller.
- Active Directory provides
  - A single point of administration for all objects on the network
  - A single point of logon for all network resources

Scalability (slide 25)
- The directory stores information by organizing itself into sections that permit storage for a huge number of objects.
- For example, the directory can be scaled to meet the needs of
  - Small installations with one server and a few hundred objects
  - Huge installations with hundreds of servers and millions of objects

Open Standards Support (slide 26)
- Active Directory’s use of open standards
  - Integrates the Internet concept of a namespace with the Windows 2000 directory service
  - Allows you to unify and manage multiple namespaces
  - Uses DNS for its name system
  - Can exchange information with any application or directory that uses Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP)
  - Can share information with other directory services that support LDAP version 2 or version 3, such as Novell Directory Services (NDS)

Open Standards Support (Cont.) (slide 27)
- Domain Name System
  - DNS is the domain naming and locator service for Active Directory.
  - Windows 2000 domain names are also DNS names.
  - Windows 2000 Server uses dynamic DNS (DDNS).
    - Clients can update the DNS table dynamically.
    - DDNS eliminates the need for other naming services.
  - To function correctly, Active Directory and the associated client software require the DNS Service.

Open Standards Support (Cont.) (slide 28)
- Support for LDAP and HTTP
  - LDAP is an Internet standard for accessing directory services.
  - HTTP is the standard protocol for displaying pages on the World Wide Web.
  - You can display every object in Active Directory as an HTML (Hypertext Markup Language) page in a Web browser.

Support for Standard Name Formats (slide 29)
- Request for Comments (RFC) 822
  - [email protected]
- HTTP URL
  - http://domain/path-to-page
- Universal Naming Convention (UNC)
  - Example: \\microsoft.com\xl\budget.xls
- LDAP URL
  - LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

Logical Structure (slide 30)
- Active Directory separates the logical structure from the physical structure.
- Active Directory lets you organize resources in a logical structure.
  - A resource is located by its name rather than its physical location.
  - The network’s physical structure is transparent to all users.
Objects (slide 31)

Organizational Units (slide 32)
- An organizational unit (OU) is a container that you use to organize objects in a domain into logical administrative groups.
- An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.
- Each domain can implement its own OU hierarchy.
- There is no limit to the depth of the hierarchy, but shallow is better.
- An administrator can delegate administrative tasks by assigning permissions to OUs.

Domain (slide 33)
- The domain is the core unit of logical structure.
- All network objects exist within a domain.
- A domain stores information about only the objects that it contains.
- A practical limit to the number of objects in a domain is 1 million.

A Domain Is a Security Boundary (slide 34)
- Access control lists (ACLs) control access to domain objects.
- ACLs contain the permissions associated with objects.
- ACLs control
  - Which users can access an object
  - Which type of access users have to the objects
- Security policies and settings do not cross from one domain to another.
- A domain administrator has absolute rights to set policies only in that domain.

Tree (slide 35)
- A tree is a grouping of one or more Windows 2000 domains that share a contiguous namespace.
- The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
- All domains within a single tree share
  - A common schema
  - A common Global Catalog

Forest (slide 36)
- A forest is a grouping of one or more domain trees that form a disjointed namespace.
- All trees in a forest share a common schema.
- Trees in a forest have different naming structures.
- All domains in a forest share a common Global Catalog.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.

Physical Structure (slide 37)
- The physical components of Active Directory are
  - Domain controllers
  - Sites
- The physical components of Active Directory are used to mirror the physical structure of an organization.

Domain Controllers (slide 38)
- Each domain controller in a domain
  - Stores a complete copy of all Active Directory information for that domain
  - Manages changes to that information
  - Replicates changes to other domain controllers in the same domain
  - Automatically replicates all objects in the domain to all other domain controllers in the domain
  - Immediately replicates certain important updates, such as the disabling of a user account

Domain Controllers (Cont.) (slide 39)
- Active Directory uses multimaster replication, in which no one domain controller is the master domain controller.
- Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another controller is completely propagated.
- Having more than one domain controller in a domain provides fault tolerance.
- Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.
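Slide 39 says domain controllers detect collisions but not how they settle them. The following is an added example, not code from the slides or from Windows 2000: a simplified model in which every attribute write carries a stamp of (version, originating time, originating DC), and a receiving controller keeps whichever stamp is greater. Active Directory orders conflicting writes by version first, then originating timestamp, then the originating DSA's identity; the model uses that order but with a plain DC name in place of the DSA invocation ID, and all object data is constructed.

```python
"""Added example (not from the slides): a simplified model of how multimaster
replicas settle a collision on one attribute (slide 39).  Active Directory orders
conflicting writes by version, then originating time, then originating DSA; this
model uses the same order with a DC name standing in for the DSA identity."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Stamp = Tuple[int, float, str]   # (version, originating_time, originating_dc)


@dataclass
class AttributeValue:
    value: object
    stamp: Stamp


@dataclass
class DomainController:
    name: str
    store: Dict[Tuple[str, str], AttributeValue] = field(default_factory=dict)
    collisions: int = 0            # how many concurrent edits this DC has observed

    def local_write(self, obj: str, attr: str, value: object, now: float) -> AttributeValue:
        """An originating change on this DC: bump the version and stamp it."""
        current = self.store.get((obj, attr))
        version = current.stamp[0] + 1 if current else 1
        av = AttributeValue(value, (version, now, self.name))
        self.store[(obj, attr)] = av
        return av

    def replicate_in(self, obj: str, attr: str, incoming: AttributeValue) -> bool:
        """Apply an update received from another DC.  Returns True if it was kept."""
        current = self.store.get((obj, attr))
        if current is None:
            self.store[(obj, attr)] = incoming
            return True
        if current.stamp == incoming.stamp:
            return False                          # already have this exact write
        if current.stamp[0] == incoming.stamp[0]:
            self.collisions += 1                  # same version from two DCs: a collision
        # Tuple comparison applies the rule: version, then time, then DC identity.
        if incoming.stamp > current.stamp:
            self.store[(obj, attr)] = incoming
            return True
        return False

    def get(self, obj: str, attr: str) -> Optional[object]:
        av = self.store.get((obj, attr))
        return av.value if av else None


def collision_scenario() -> Tuple[object, object, int]:
    """Two DCs change the same attribute before either change has propagated.
    Returns the value each DC holds afterwards and the number of collisions seen."""
    obj, attr = "CN=jdoe,OU=sales,DC=microsoft,DC=com", "telephoneNumber"   # constructed
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    seed = dc1.local_write(obj, attr, "555-0100", now=100.0)   # initial value, replicated
    dc2.replicate_in(obj, attr, seed)
    w1 = dc1.local_write(obj, attr, "555-0111", now=200.0)     # both go from version 1 to 2
    w2 = dc2.local_write(obj, attr, "555-0122", now=205.0)
    dc1.replicate_in(obj, attr, w2)                            # each now receives the other's write
    dc2.replicate_in(obj, attr, w1)
    return dc1.get(obj, attr), dc2.get(obj, attr), dc1.collisions + dc2.collisions
```

Both controllers converge on the later-stamped value and each records one collision. Because version is compared before time, a write with a higher version always wins even if its clock reads earlier, which is what keeps an out-of-order delivery from resurrecting an older value.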
Sites (slide 40)
- The physical structure of Active Directory is based on sites.
- A site is a combination of one or more IP subnets.
- Typically, a site has the same boundaries as a local area network (LAN).
- Sites are not part of the logical namespace.
- Sites contain only computer objects and connection objects used to configure replication between sites.
- A single domain can span multiple geographical sites, and a single site can include accounts and computers from multiple domains.

Replication Within a Site (slide 41)
- Active Directory includes a replication feature.
- Replication ensures that changes to a domain controller are reflected by all domain controllers in a domain.

Ring Topology for Replication (slide 42)

Active Directory Terminology (slide 43)
- Schema
- Global Catalog
- Namespace
- Naming conventions

Schema (slide 44)
- The schema contains a formal definition of the contents and structure of Active Directory.
- The schema contains two types of definition objects:
  - Schema class objects define what objects can be stored in Active Directory.
  - Schema attribute objects define the type of information that can be stored about each object.
- The schema defines
  - The schema attribute objects required for each object
  - The additional schema attribute objects that an instance of the class can have

Default Schema (slide 45)
- Installing Active Directory on the first domain controller in a network creates the default schema, which contains
  - Definitions of commonly used objects and properties
  - Definitions of objects and properties that Active Directory uses internally to function

Extensible Schema (slide 46)
- You can define
  - New directory object types and attributes
  - New attributes for existing objects
- You can extend the schema
  - By using LDAP Data Interchange Format (LDIF) scripts
  - Programmatically, or by using the Active Directory Services Interface (ADSI)
  - By using the Active Directory Schema Manager snap-in
- The schema is stored in the Global Catalog and can be updated dynamically.

Global Catalog (slide 47)
- The Global Catalog is the central repository of information about objects in a tree or forest.
- Active Directory automatically generates the contents of the Global Catalog.
- The Global Catalog is a service and a physical storage location.
- It contains a full replica (all information) for its host domain and a partial replica of all information in all other domains in the tree or forest.
- It enables finding directory information regardless of which domain in the tree or forest actually contains the data.

Global Catalog Servers (slide 48)
- Installing Active Directory on the first computer in a new forest makes that domain controller a Global Catalog server.
- The Active Directory Sites and Services snap-in allows you to designate additional Global Catalog servers.
- More Global Catalog servers means more replication traffic.
- More Global Catalog servers can provide quicker responses.
- Every major site should have a Global Catalog server.

Namespace (slide 49)
- Contiguous namespace
  - The name of the child object in an object hierarchy always contains the name of the parent domain.
  - A tree is a contiguous namespace.
- Disjointed namespace
  - The names of a parent object and of a child of the same parent object are not directly related to one another.
  - A forest is a disjointed namespace.

Naming Conventions (slide 50)
- Every object in Active Directory is identified by a name.
- Active Directory uses a variety of naming conventions:
  - Distinguished name (DN)
  - Relative distinguished name (RDN)
  - Globally unique identifier (GUID)
  - User principal name (UPN)

Distinguished Name (slide 51)
- Every object has a DN that
  - Uniquely identifies the object
  - Contains sufficient information for a client to retrieve the object from the directory
  - Includes the name of the domain that holds the object
  - Includes the complete path through the container hierarchy to the object
- DNs must be unique in the directory.

Relative Distinguished Name (slide 52)
- Active Directory supports querying by attributes, so that
  - You can locate an object even if the exact DN is unknown
  - You can locate an object even if the DN has changed
- The RDN of an object is the part of the name that is an attribute of the object itself.
- You can have duplicate RDNs for Active Directory objects, but not in the same OU.

Globally Unique Identifier (slide 53)
- A GUID is a 128-bit number that is guaranteed to be unique.
- GUIDs are assigned when the object is created.
- The GUID for an object never changes.
- Applications use GUIDs to retrieve objects regardless of their current DNs.

User Principal Name (slide 54)
- User accounts have a friendly name, the UPN.
- The UPN is composed of the shorthand name for the user account and the DNS name of the tree where the user account object resides.
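The four naming conventions of slides 50 to 54, worked through on the LDAP DN that slide 29 uses as its example. This is an added example written for this page, not code from the slides: it splits a DN into its RDNs, derives the object's RDN, parent container and domain DNS name, composes a UPN, checks the slide 52 rule that duplicate RDNs are only allowed in different containers, and issues a 128-bit identifier. The DN parser handles backslash-escaped commas but not the full RFC 4514 grammar, and the directory contents in the checks are constructed.

```python
"""Added example (not from the slides): parse distinguished names into RDNs
(slides 51 and 52), compose a UPN (slide 54), check the duplicate-RDN rule and
allocate a GUID (slide 53).  The parser covers escaped commas only, not the whole
RFC 4514 grammar; the object names used in the checks are constructed."""
import uuid
from typing import Dict, List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=Jane,OU=sys,DC=devel' -> [('CN','Jane'), ('OU','sys'), ('DC','devel')]."""
    parts: List[str] = []
    buf, i = "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep escaped characters such as "\," in the value
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value))
    return rdns


def rdn(dn: str) -> str:
    """The RDN is the leftmost component: the attribute of the object itself (slide 52)."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """The container path that the rest of the DN spells out (slide 51)."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC= components: ...,DC=devel,DC=microsoft,DC=com -> devel.microsoft.com."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def user_principal_name(shorthand: str, dn: str) -> str:
    """Slide 54: shorthand account name plus the DNS name of the tree holding the object."""
    return f"{shorthand}@{domain_dns_name(dn)}"


def duplicate_rdns(dns: List[str]) -> List[str]:
    """Return (lower-cased) containers holding two objects with the same RDN, which
    slide 52 forbids; the same RDN in different OUs is fine and is not reported."""
    counts: Dict[Tuple[str, str], int] = {}
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn(dn).lower())   # DNs compare case-insensitively
        counts[key] = counts.get(key, 0) + 1
    return sorted(parent for (parent, _), n in counts.items() if n > 1)


def new_object_guid() -> str:
    """Slide 53: a 128-bit identifier assigned at creation; here a random UUID."""
    return str(uuid.uuid4())
```

Applications that store a reference to an object should keep the GUID rather than the DN: moving `CN=jdoe` from `OU=sales` to `OU=eng` changes its DN and parent container but, as slide 53 says, never its GUID.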
Chapter Summary (slide 55)
- DNS is the default naming system for IP-based networks. (It is not included in Windows XP Professional.)
- DNS resolves computer names to IP addresses and locates computers within local networks and on the Internet.
- The DNS database is indexed by name, so each domain must have a name.
- The domain namespace consists of a root domain, top-level domains, second-level domains, and host names.
- A forward lookup query resolves a name to an IP address, and a reverse lookup query resolves an IP address to a name.
- The DNS distributed database is indexed by name and not by IP address, but in-addr.arpa is based on IP addresses instead of domain names.
- You can configure a DNS client to obtain the address of the DNS server automatically, or you can manually enter multiple addresses for DNS servers.

Chapter Summary (Cont.) (slide 56)
- Active Directory is the directory service included in the Windows 2000 Server products. (It is not included in Windows XP Professional.)
- Active Directory includes the directory or data store, which stores information about network resources.
- Windows 2000 Server uses DDNS.
- Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
- The schema contains a formal definition of the contents and structure of Active Directory.
- The Active Directory schema is extensible.

Chapter Summary (Cont.) (slide 57)
- In a contiguous namespace, the name of the child object in an object hierarchy always contains the name of the parent domain.
- In a disjointed namespace, the name of the parent object and the name of a child object are not directly related.
- The Global Catalog contains select information about every object in all domains in the directory.
- Active Directory uses a variety of naming conventions:
  - DN
  - RDN
  - GUID
  - UPN