Module 1: Introduction to Active Directory

Overview
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network
Introduction to Active Directory
- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)
What Is Active Directory?
- Directory service functionality: organize, manage, and control resources
- Centralized management: a single point of administration
- Full user access to directory resources by a single logon
Active Directory Objects
- Objects represent network resources
- Attributes store information about an object; each attribute holds a value
- Diagram: Users (Don Hall, Suzan Fine) with the attributes First Name, Last Name, and Logon Name; Printers (Printer1, Printer2, Printer3) with the attributes Printer Name and Printer Location
Active Directory Schema
- The Active Directory schema is dynamically available, dynamically updateable, and protected by DACLs
- Object class examples: Computers, Users, Printers
- Attribute examples (attributes of Users might contain): accountExpires, department, distinguishedName, middleName
- List of attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …
DNS and Active Directory Namespaces
- Diagram: the DNS namespace descends from the root domain "." through com. to microsoft.com, with the subdomains training.microsoft.com and sales.microsoft.com and the host computer1 as DNS nodes (domains or computers)
- The Active Directory namespace maps onto the same tree: the Active Directory domains microsoft.com, training.microsoft.com, and sales.microsoft.com occupy the same positions as the corresponding DNS domains
Lightweight Directory Access Protocol (LDAP)
- LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
- LDAP naming paths include:
  - Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
  - Relative distinguished names, for example CN=Suzan Fine
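Added example, not from the course: it takes the distinguished name shown above apart into its relative distinguished names and derives the object's own name, its container, and the DNS name of its domain (the DC= components), which is how the LDAP naming path and the DNS namespace line up. The function names and the escaped-comma test value are this example's own.

```python
# Added example, not from the course slides: break an LDAP distinguished
# name (DN) into its relative distinguished names (RDNs) and derive what
# an Active Directory client reads from it. RFC 4514 backslash escapes are
# preserved, so a comma inside a value does not split the DN.

def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leftmost RDN first."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape so re-joining is lossless
            i += 2
            continue
        if ch == ",":                 # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip(), value.strip()))
    return pairs

def relative_dn(dn):
    """The leftmost RDN is the object's own name inside its container."""
    attr, value = parse_dn(dn)[0]
    return "%s=%s" % (attr, value)

def parent_dn(dn):
    """The remaining RDNs name the container (OU, domain) holding the object."""
    return ",".join("%s=%s" % pair for pair in parse_dn(dn)[1:])

def domain_dns_name(dn):
    """The DC= components, read left to right and dotted, give the DNS domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.upper() == "DC")

if __name__ == "__main__":
    dn = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"   # DN used on the slide
    print(relative_dn(dn))       # CN=Suzan Fine
    print(parent_dn(dn))         # OU=Sales,DC=contoso,DC=msft
    print(domain_dns_name(dn))   # contoso.msft
```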
Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests
- Global Catalog
Domains
- A domain is a security boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- A domain is a unit of replication: domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
- Diagram: a Windows 2000 domain with replication between its domain controllers
Organizational Units
- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups
- Diagram: an OU hierarchy can follow the network administrative model (labels: Sales, Repair) or the organizational structure (labels: Vancouver, Users, Sales, Computers)
Trees and Forests
- Diagram: a forest containing two trees, contoso.msft (with the child domains au.contoso.msft and asia.contoso.msft) and nwtraders.msft (with the child domains asia.nwtraders.msft and au.nwtraders.msft)
- Two-way transitive trusts connect the domains within each tree and the two tree root domains to each other
Global Catalog
- The global catalog holds a subset of the attributes of all objects in every domain
- A global catalog server answers queries and supplies group membership when a user logs on
- Diagram: several domains contribute to the global catalog held on a global catalog server
Introduction to the Role of DNS in Active Directory
- Name resolution: DNS translates computer names to IP addresses; computers use DNS to locate each other on the network
- Naming convention for Windows 2000 domains: Windows 2000 uses DNS naming standards for domain names; DNS domains and Active Directory domains share a common hierarchical naming structure
- Locating the physical components of Active Directory: DNS identifies domain controllers by the services they provide; computers use DNS to locate domain controllers and global catalog servers
DNS Host Names and Windows 2000 Computer Names
- A DNS host record and an Active Directory computer object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory
- Diagram: in DNS, computer1 is a host under training.microsoft.com (below microsoft.com, com., and the root "."); in Active Directory, the same machine is the Computer1 object in the Computers container of the training domain (alongside Builtin and Computer2)
- FQDN = computer1.training.microsoft.com; Windows 2000 computer name = Computer1
DNS Requirements for Active Directory
- Support for SRV records (mandatory)
- Support for the dynamic update protocol (recommended)
- Support for incremental zone transfers (recommended)
What Is a Tree?
- The tree root domain is the parent domain, for example contoso.msft
- A child domain, for example sales.contoso.msft, shares a contiguous namespace with its parent
- Diagram: a new domain is added to the tree as a child of contoso.msft
What Is a Forest?
- A forest is one or more trees
- Trees in a forest do not share a contiguous namespace
- All of the domains in a forest share a common configuration, schema, and global catalog
- Diagram: a forest containing the contoso.msft tree (with sales.contoso.msft) and the nwtraders.msft tree (with marketing.nwtraders.msft and sales.nwtraders.msft)
What Is the Forest Root Domain?
- The forest root domain is the first domain created in a forest
- Diagram: nwtraders.msft is the forest root domain and a tree root domain (with the child marketing.nwtraders.msft); contoso.msft is the root of a second tree (with the child sales.contoso.msft)
- Labels attached to the forest root domain in the diagram: global catalog, forest configuration and schema, Enterprise Admins, Schema Admins
Characteristics of Multiple Domains
- Reduce replication traffic
- Maintain separate and distinct security policies between domains
- Preserve the domain structure of earlier versions of Windows NT
- Separate administrative control
Active Directory Physical Structure
- Domain Controllers
- Sites
Domain Controllers
- Domain controllers participate in Active Directory replication
- Domain controllers perform single master operations roles in a domain
- Diagram: two domain controllers in a domain replicating with each other; each domain controller holds a writeable copy of the Active Directory database
Sites
- Diagram: sites in Seattle, New York, Chicago, and Los Angeles, each defined by one or more IP subnets
- Sites optimize replication traffic
- Sites enable users to log on to a domain controller by using a reliable, high-speed connection
Introduction to Active Directory Replication
- Active Directory uses multimaster replication with loose convergence
- Diagram: Domain Controllers A, B, and C replicating with one another
Replication Components and Processes
- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication
How Replication Works
- An Active Directory update is an add, modify, move, or delete
- The domain controller where the change is made performs an originating update (Domain Controller A in the diagram)
- The other domain controllers (B and C in the diagram) receive the change through replication as a replicated update
Replication Latency
- Default replication latency (change notification) = 5 minutes
- When there are no changes, scheduled replication = one hour
- Urgent replication = immediate change notification
- Diagram: an originating update on Domain Controller A triggers change notifications to Domain Controllers B and C, which then receive the replicated update
Resolving Replication Conflicts
- Diagram: Domain Controller A and Domain Controller B each perform an originating update to the same object, each carrying its own stamp; the two stamps are compared to resolve the conflict
- Stamp = version number, timestamp, server GUID
- Conflicts can be due to:
  - Attribute value
  - Adding or moving an object under a deleted container object, or the deletion of a container object
  - Sibling name
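Added example, not from the course: an attribute-value conflict between two domain controllers resolved with the stamp described above (version number, timestamp, server GUID), showing that both sides converge on the same value whichever update arrives first. The GUIDs, timestamps, and department values are constructed placeholders.

```python
# Added example, not from the course slides: how two domain controllers
# settle conflicting writes to the same attribute using the stamp named on
# the slide (version number, timestamp, server GUID). The comparison order
# is the documented Active Directory rule: higher version wins, then the
# later timestamp, then the higher originating server GUID.
from dataclasses import dataclass
import uuid

@dataclass(frozen=True)
class Stamp:
    version: int            # incremented by each originating write of the attribute
    timestamp: int          # time of the originating write, seconds since the epoch
    origin_guid: uuid.UUID  # GUID of the domain controller that made the write

    def sort_key(self):
        # Tuple comparison applies the three tie-breakers in order.
        return (self.version, self.timestamp, self.origin_guid.int)

def resolve_conflict(a, b):
    """Return the winning stamp; every DC applies the same rule, so they converge."""
    return a if a.sort_key() >= b.sort_key() else b

def apply_replicated_update(local, incoming):
    """Replace the local (value, stamp) only if the incoming stamp wins."""
    winner = resolve_conflict(local[1], incoming[1])
    return incoming if winner is incoming[1] else local

# Constructed sample data: before replicating, DC A and DC B each change the
# same user's department attribute, both bumping its version from 2 to 3.
DC_A = uuid.UUID("11111111-1111-1111-1111-111111111111")  # placeholder GUID
DC_B = uuid.UUID("22222222-2222-2222-2222-222222222222")  # placeholder GUID
WRITE_ON_A = ("Sales", Stamp(3, 1_000_000_000, DC_A))
WRITE_ON_B = ("Repair", Stamp(3, 1_000_000_030, DC_B))   # written 30 s later

def converged_value():
    """Whichever update arrives first, both DCs end up holding the same value."""
    on_a = apply_replicated_update(WRITE_ON_A, WRITE_ON_B)   # A receives B's write
    on_b = apply_replicated_update(WRITE_ON_B, WRITE_ON_A)   # B receives A's write
    assert on_a == on_b
    return on_a[0]

if __name__ == "__main__":
    print(converged_value())   # Repair
```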
Replication Topology
- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of Partitions
Directory Partitions
- The Active Directory database on a domain controller holds three directory partitions:
  - Schema: contains definitions and rules for creating and manipulating all objects and attributes
  - Configuration: contains information about the Active Directory structure
  - Domain (for example contoso.msft): holds information about all domain-specific objects created in Active Directory
- Diagram: the schema and configuration partitions are labelled as belonging to the forest; the domain partition belongs to contoso.msft
What Is Replication Topology?
- Diagram: domain controllers A1 through A4 belong to Domain A and B1 through B3 to Domain B
- Domain controllers from the same domain replicate over that domain's topology (the Domain A topology or the Domain B topology)
- Domain controllers from different domains share the schema/configuration topology
Global Catalog and Replication of Partitions
- A global catalog server holds a read-only copy of all domain directory partitions in the forest as partial directory partition replicas
- Diagram: a global catalog server holding Schema, Configuration, contoso.msft, and a partial replica of namerica.contoso.msft
- Diagram: with a global catalog server present, replication still follows the Domain A topology (A1 through A4), the Domain B topology (B1 through B3), and the schema/configuration topology
Methods for Administering a Windows 2000 Network
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control
Using Active Directory for Centralized Management
- Diagram: a domain containing OU1 (Computers: Computer1) and OU2 (Users: User1, User2; Printers: Printer1); a single search of the domain returns User1, Computer1, User2, and Printer1
- Active Directory:
  - Enables a single administrator to centrally manage resources
  - Allows administrators to easily locate information
  - Allows administrators to group objects into OUs
  - Uses Group Policy to specify policy-based settings
Managing the User Environment
- Diagram: Group Policy is applied once at the domain and at OU1, OU2, and OU3, and Windows 2000 enforces it continually
- Use Group Policy to:
  - Control and lock down what users can do
  - Centrally manage software installation, repairs, updates, and removal
  - Configure user data to follow users whether they are online or offline
Delegating Administrative Control
- Diagram: a domain with OU1, OU2, and OU3 delegated to Admin1, Admin2, and Admin3 respectively
- Assign permissions:
  - For specific OUs to other administrators
  - To modify specific attributes of an object in a single OU
  - To perform the same task in all OUs
- Customize administrative tools to:
  - Map to delegated administrative tasks
  - Simplify interface design
Review
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network