Transcript Document

Chapter 11: Directory Services
Directory Services
• A directory service is a database that contains information
about all objects on the network.
• Directory services contain data and metadata.
• Metadata is information about data.
For example: A user account is data. Metadata specifies
what information is included in every user account object.
Directory Services
• Information within directories is organized hierarchically.
This means that there is a strict set of rules as to where
certain data is located within the directory based on the
properties of that data.
• Unlike relational (SQL) databases, where information is read and
written often, information in a directory service is read
frequently but rarely written.
For example: User account data changes very little once it
has been entered.
Early Directory Services
• The first directory service was developed at PARC and was
called Grapevine.
• X.500 was developed as a directory service standard by the
ISO and CCITT.
• Although X.500 was developed as a comprehensive standard,
as with the OSI model, it was not widely deployed on real-world LANs.
• X.500 formed the basis of a standard that is widely deployed
known as LDAP.
• Some X.500 conventions are used in Active Directory and
eDirectory.
LDAP
• LDAP stands for Lightweight Directory Access Protocol.
• LDAP is a scaled-down implementation of the X.500 standard.
• Active Directory and eDirectory are based on LDAP.
• Netscape’s Directory Server was the first widely deployed implementation
of LDAP. It was used primarily for enterprise calendaring and contact
management. Netscape’s product was not used for network
management.
• Most LDAP directories use a single master method of replication.
Changes are made to the master databases and then propagated out
to subordinate databases. The disadvantage of this scheme is that it
has a single point of failure.
• Objects within an LDAP directory are referenced using the object’s
DN (Distinguished Name). The DN consists of the RDN (Relative
Distinguished Name) appended with the names of ancestor entries.
LDAP II
The RDN of the user object in the figure is cn=ccarpenter.
The DN of the user object in the figure is
cn=ccarpenter,ou=mn,o=emcp,c=us.
Novell eDirectory
• eDirectory is a partitioned and loosely replicated directory
service.
• eDirectory can be used to manage multiple operating systems.
• The two primary components of eDirectory are database
partitions and database replicas.
• Partitions are sectioned off according to location. The partition is
hosted on a server local to that location. The primary benefit of
this is that authentication is localized.
Novell eDirectory
Database replicas are copies of partitions. There are several
different types of replicas.
Master replica: First copy of partition.
Read-write replica: Can be used to authenticate and make changes
to objects. Used for redundancy purposes.
Read-only replica: Can be used to locate information, but not to
change objects.
Subordinate reference: Special replica that is created automatically.
Used as a pointer to a target replica.
eDirectory
Object: Description
country: two-letter country code
locality: city or state
organization: top-level container in tree
organizational unit: container object, used to represent a department
root: top level of tree
Container objects are used to organize other objects within the
directory.
For example: You might place all of the accountant user objects
within the accountants organizational unit.
In eDirectory, a DN finishes at the organization level. Objects are
separated by periods. An accountant at EMCP with a user account
named dmorgan would have the DN
.cn=dmorgan.ou=accountants.o=emcp.
Active Directory
• Active Directory is an implementation of LDAP that uses
multimaster replication.
• Active Directory runs on Windows Server 2003 and Windows
2000 Server on special computers known as domain controllers.
• Active Directory can be used to manage almost every aspect of a
Windows Server 2003 network.
• Active Directory can also be used as a type of phonebook.
For example, you could query Active Directory to locate all users
located on the 2nd floor of a building. Alternatively you could
locate all color printers at a particular location.
• Any domain controller can process directory updates.
• Replication uses the RPC protocol for servers on the same LAN
and the SMTP protocol for servers located across WAN links.
Active Directory Components
Domain. All user accounts within a domain share a common
password policy. Different password policies require separate
domains.
Site. Used to represent a single physical location within Active
Directory.
Organizational Unit (OU). Can be used to represent organizational
hierarchy. OUs can contain other OUs.
Group Policy Object (GPO). Collection of policies that can be
applied to domains, sites, and OUs.
Forest. Collection of domains with common schema.
Tree. Collection of domains with common namespace.
GPO and Delegation
• Control of a particular OU can be delegated.
For example: You could allow a certain user to administer all of
the accountants’ user accounts, without allowing them to
administer anyone else’s account.
• GPOs can be applied to sites, domains, and OUs.
• GPOs can be used to install software or to configure user
environment settings.
For example: You could install Microsoft Word at a particular
location by creating a GPO that installs Word and applying it to
that location’s site. Alternatively, if you applied that same GPO to
the domain, all users would have Word installed. If you applied that
GPO to an OU instead, only users within that OU would have Word
installed.
Active Directory Naming
• Active Directory naming is similar to LDAP and eDirectory,
though it has a slightly different format.
• A user named Orin Thomas located within the Engineers OU
in the melbourne.emcp.com domain of a Windows Server
2003 network would have the DN:
CN=Orin Thomas,OU=Engineers,DC=Melbourne,DC=EMCP,DC=COM
• DNs are often used in scripts that query information from the
Active Directory database.
• As an administrator you might write a script that queries the
database to determine which users have not logged on to the
network in the last six months.
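The three naming formats on these slides (the LDAP DN cn=ccarpenter,ou=mn,o=emcp,c=us, the eDirectory DN .cn=dmorgan.ou=accountants.o=emcp, and the Active Directory DN above) and the "not logged on in six months" script, as an added Python example that is not part of the original slides: parse_dn splits a DN into its RDN and ancestor entries, and stale_logon_filter builds the LDAP search filter such a script would send. Assumptions: a leading period marks an eDirectory fully distinguished name, and the cutoff date is constructed.

```python
from datetime import datetime, timezone

def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, leaf (RDN) first.
    Comma-separated names are LDAP/Active Directory style; a leading
    period (assumed here) marks an eDirectory name, split on periods."""
    if dn.startswith("."):
        sep, dn = ".", dn[1:]
    else:
        sep = ","
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # backslash-escaped separator, keep it
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def rdn(dn: str) -> str:
    """The entry's name relative to its parent (first component)."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def ancestors(dn: str):
    """Names of the containers above the entry, nearest parent first."""
    return [f"{a}={v}" for a, v in parse_dn(dn)[1:]]

def stale_logon_filter(cutoff: datetime) -> str:
    """LDAP filter for user objects whose lastLogonTimestamp is at or
    before cutoff. Active Directory stores it as a Windows FILETIME:
    100-nanosecond ticks since 1601-01-01 UTC. Caveat: the attribute
    replicates with up to 14 days of lag, and never-logged-on accounts
    have no value, so they do not match this filter."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    ticks = int((cutoff - epoch).total_seconds()) * 10_000_000
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp<={ticks}))")

if __name__ == "__main__":   # constructed cutoff date for the demo
    print(rdn("cn=ccarpenter,ou=mn,o=emcp,c=us"), stale_logon_filter(datetime(2003, 7, 1, tzinfo=timezone.utc)))
```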
Summary
• A directory service is a database that contains information about
all objects on the network.
• LDAP is a scaled-down implementation of the X.500 standard.
• eDirectory is a partitioned and loosely replicated directory service.
• eDirectory partitions are sectioned off according to location.
• eDirectory database replicas are copies of partitions.
• Active Directory uses multimaster replication.
• Active Directory can be used to manage almost every aspect of a
Windows Server 2003 network and as a type of phonebook.
Discussion Questions
• What is the difference between an Active Directory site and
domain?
• What is the difference between an eDirectory partition and
replica?
• Discuss why you would apply one GPO to a domain and
another GPO to an OU.
• Which Directory Service can be used to manage multiple
operating systems?
• What weakness exists in the LDAP replication method?