Chapter 1: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY FUNCTIONS
Directory Services
- Used to define, manage, access, and secure network resources.
- Resources include files, printers, groups, people, and applications.

Active Directory
- Stored as NTDS.dit on a domain controller.
- Used by domain controllers to authenticate users.
- Domain controllers store, maintain, and replicate the directory database.

ACTIVE DIRECTORY BENEFITS
- Centralized administration
- Single point of access
- Fault tolerance and redundancy
  - Multiple domain controllers are used
  - Multi-master replication
- Simplified resource location

CENTRALIZED ADMINISTRATION
- Hierarchical organization for ease of administration
- Common Microsoft Management Console (MMC) tool set
  - Active Directory Users And Computers (DSA.MSC)
  - Active Directory Domains And Trusts (DOMAIN.MSC)
  - Active Directory Sites And Services (DSSITE.MSC)

SINGLE POINT OF AUTHENTICATION
[Diagram] Before directory services: the user authenticates to Server1, Server2, and Server3 separately. After directory services: one authentication to Active Directory (single sign-on).

MULTI-MASTER REPLICATION
[Diagram] Replication process within an Active Directory domain with three domain controllers, DC1, DC2, and DC3:
1. A change occurs on DC2.
2. DC2 notifies DC1 and DC3 that there is a change to Active Directory.
3. At the next replication interval, DC1 and DC3 request the new database information.
4. DC2 replicates the changes to DC1 and DC3.
5. DC1 and DC3 update their Active Directory database.

SIMPLIFIED RESOURCE LOCATION
- Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.
- Search Active Directory to find:
  - Shared folders
  - Printers
  - People (user accounts)

ACTIVE DIRECTORY SCHEMA
- Object classes
  - User accounts
  - Computer accounts
  - Printers
  - Groups
- Object attributes
  - Name
  - Globally unique identifier (GUID)
  - Location (for printer)
  - E-mail address (for users)

ACTIVE DIRECTORY COMPONENTS
[Diagram] Forest root domain cohowinery.com and child domain north.cohowinery.com, each located in its own IP site.

ORGANIZATIONAL UNITS
- Container objects
- Look like a folder with a book icon in Active Directory Users And Computers
- Security is applied to OUs
  - Inherited by child OUs
  - Used to control access to that OU or hide subordinate OUs
- Allows for the delegation of administrative rights

DOMAINS
- Logical grouping of resources.
- Form security and replication boundaries.
  - Individual access control lists (ACLs) for each domain.
  - Group Policies are typically assigned and inherited within a domain only, not from the forest.
  - Domain replication is independent of global catalog and schema replication.
- Multiple domains may be used by a single organization.

DOMAINS, TREES, AND A FOREST
[Diagram] A forest with two domain trees: contoso.com is the forest root and a tree root (the parent domain, containing OUs) with child domains west.contoso.com and east.contoso.com; tailspintoys.com is the root of a second domain tree (also containing OUs).

SITES
- Used to reflect the physical network structure
  - Usually local area network (LAN) versus wide area network (WAN)
- Optimize replication
- Knowledge Consistency Checker (KCC) creates and maintains the replication topology based on this structure

NAMING STANDARDS
- Lightweight Directory Access Protocol (LDAP)
  - Standard naming structure and hierarchy
  - Established by the Internet Engineering Task Force (IETF)
- Domain Name System (DNS)
- Uniform Resource Locator (URL)

LDAP NAMES
[Diagram] Domain cohowinery.com with organizational units Sales and Accounting; the objects shown are the users Jeffrey Smith and Guy Gilbert and a Color Printer.

LDAP distinguished name: Cn=jsmith,ou=sales,dc=cohowinery,dc=com

User principal name: [email protected]

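Parsing the distinguished name above, as an added example that is not part of the course material: it splits the DN into RDNs with RFC 4514 backslash escaping handled, derives the DNS domain name from the dc= components, and renders the AD canonical-name form. The escaped-comma input in the docstring is a constructed value.

```python
from typing import List, Tuple

# Added example, not part of the course slides: parse a distinguished name
# such as "Cn=jsmith,ou=sales,dc=cohowinery,dc=com" into its RDNs, honouring
# RFC 4514 backslash escapes, and derive the DNS domain from the dc= parts.

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf (leftmost) first.

    A backslash escapes the next character, so "cn=Smith\\, John" is a single
    RDN whose value contains a comma. Attribute types are case-insensitive in
    LDAP, so they are normalised to lower case.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            part = "".join(buf).strip()
            if "=" not in part:
                raise ValueError(f"malformed RDN: {part!r}")
            attr, value = part.split("=", 1)
            rdns.append((attr.strip().lower(), value.strip()))
            buf = []
        elif dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 1
        else:
            buf.append(dn[i])
        i += 1
    return rdns

def dns_domain(dn: str) -> str:
    """Join the dc= components, leftmost first, into a DNS domain name."""
    parts = [v for a, v in parse_dn(dn) if a == "dc"]
    if not parts:
        raise ValueError("DN carries no dc= components")
    return ".".join(parts)

def canonical_name(dn: str) -> str:
    """Render the DN top-down in AD canonical form: cohowinery.com/sales/jsmith."""
    rdns = parse_dn(dn)
    containers = [v for a, v in reversed(rdns[1:]) if a in ("ou", "cn")]
    return "/".join([dns_domain(dn)] + containers + [rdns[0][1]])

if __name__ == "__main__":
    dn = "Cn=jsmith,ou=sales,dc=cohowinery,dc=com"
    print(parse_dn(dn))
    print(dns_domain(dn), canonical_name(dn))
```
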
PLANNING FOR ACTIVE DIRECTORY
- Logical and physical structure
- DNS and Active Directory integration and naming
- Functional levels of domains and forests
- Trust relationships and models

STRUCTURING ACTIVE DIRECTORY
- Security and administrative goals are important when defining the logical structure.
  - Group Policy application and inheritance
  - Delegating administrative control
  - Permission inheritance
- Logical structure often reflects the business or administrative model.
- Sites are used to reflect the physical structure of the network.

ROLE OF DNS
- Resolves friendly names to Internet Protocol (IP) addresses.
- Required by Active Directory.
- Domain members use service locator (SRV) records to find domain controllers.
- Dynamic DNS (DDNS) is supported and recommended.

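How the SRV lookup above works in practice, as an added example that is not part of the course material: it builds the _ldap._tcp names under _msdcs that domain members query, prefers a domain controller registered for the client's own site, and selects among the answers by RFC 2782 priority and weight. The zone data, the site name North and the dc1 to dc3 host names are constructed.

```python
import random
from typing import Dict, List, NamedTuple, Optional
# Added example, not from the course slides: the SRV names a domain member
# queries to find a domain controller, and RFC 2782 target selection. The zone
# data, the site name North and the dc1-dc3 host names are constructed.
class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def ldap_srv_name(domain: str, site: str = "") -> str:
    """SRV name for an LDAP-capable DC, site-specific when a site is given."""
    base = f"dc._msdcs.{domain}"
    return f"_ldap._tcp.{site}._sites.{base}" if site else f"_ldap._tcp.{base}"

def choose_target(records: List[Srv], rng: Optional[random.Random] = None) -> Srv:
    """RFC 2782: lowest priority wins; ties are broken by weighted random."""
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    roll = rng.randrange(total)
    for r in pool:
        roll -= r.weight
        if roll < 0:
            return r
    return pool[-1]

def locate_dc(zone: Dict[str, List[Srv]], domain: str, site: str) -> Optional[Srv]:
    """Prefer a DC registered for the client's site; fall back to any DC."""
    for name in (ldap_srv_name(domain, site), ldap_srv_name(domain)):
        answers = zone.get(name, [])
        if answers:
            return choose_target(answers)
    return None
# Constructed zone: dc1 and dc2 preferred domain-wide, dc3 serves site North
ZONE: Dict[str, List[Srv]] = {
    "_ldap._tcp.dc._msdcs.cohowinery.com": [
        Srv(0, 100, 389, "dc1.cohowinery.com"),
        Srv(0, 100, 389, "dc2.cohowinery.com"),
        Srv(10, 0, 389, "dc3.cohowinery.com"),  # priority 10: used last
    ],
    "_ldap._tcp.North._sites.dc._msdcs.cohowinery.com": [
        Srv(0, 100, 389, "dc3.cohowinery.com"),
    ],
}
```
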
FUNCTIONAL LEVELS
- Designed to support downlevel compatibility
- Increasing the functional level allows for use of new features
- Two types of functional level
  - Domain functional level
  - Forest functional level

DOMAIN FUNCTIONAL LEVELS
- Windows 2000 mixed
- Windows 2000 native
- Windows Server 2003 interim
- Windows Server 2003

WINDOWS 2000 MIXED FUNCTIONAL LEVEL
- Domain controllers can run on the following operating systems:
  - Windows NT Server 4.0
  - Windows 2000 Server
  - Windows Server 2003
- Features at this functional level include:
  - Install from media
  - Application directory partitions
  - Enhanced user interface (UI)

WINDOWS 2000 NATIVE FUNCTIONAL LEVEL
- Domain controllers can run on the following operating systems:
  - Windows 2000 Server
  - Windows Server 2003
- Features at this functional level include:
  - Group nesting
  - Universal groups
  - Security Identifier History (sIDHistory)

WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL
- Designed for organizations that have not upgraded to Windows 2000 Active Directory.
- Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
- Windows 2000 Server domain controllers are NOT allowed.
- No extra features over any other functional level.

WINDOWS SERVER 2003 FUNCTIONAL LEVEL
- Only Windows Server 2003 domain controllers
- Features at this functional level include:
  - Replicated last logon timestamp
  - Key Distribution Center (KDC) version numbers
  - User password on inetOrgPerson objects
  - Domain renaming

RAISING THE DOMAIN FUNCTIONAL LEVEL
- Must be logged on as a member of the Domain Admins group.
- Performed using the Primary Domain Controller (PDC) emulator.
- All domain controllers must support the new level.
- Irreversible: the level cannot be lowered again.

FOREST FUNCTIONAL LEVELS
- Windows 2000
- Windows Server 2003 interim
- Windows Server 2003

WINDOWS 2000 FOREST FUNCTIONAL LEVEL
- All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.
- Features supported at this functional level include:
  - Install from media
  - Universal group caching
  - Application directory partitions

WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL
- Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
- Windows 2000 Server domain controllers are NOT allowed.
- Features at this level include:
  - Improved inter-site topology generator (ISTG)
  - Improved linked value replication

WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL
- Only Windows Server 2003 domain controllers are supported.
- Features at this level include:
  - Dynamic auxiliary class objects
  - User objects can be converted to inetOrgPerson objects
  - Schema redefinitions permitted
  - Domain renames permitted
  - Cross-forest trusts permitted

RAISING THE FOREST FUNCTIONAL LEVEL
- Must be logged on as a member of the Enterprise Administrators group.
- Must be connected to the Schema Operations Master.
- All domain controllers must support the new functional level.
- Irreversible: the level cannot be lowered again.

ACTIVE DIRECTORY TRUST MODELS
Transitivity: if A trusts B and B trusts C, then A trusts C.

[Diagram] Forest Root Domain with Child Domains A, B, C, and D, linked by transitive trusts.

SHORTCUT TRUST
[Diagram] The same forest (Forest Root Domain, Child Domains A through D) with a shortcut trust added directly between two of the child domains.

WINDOWS NT SERVER 4.0 TRUST MODEL
[Diagram] Domains A, B, C, and D linked by Windows NT Server 4.0 trusts.

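The transitivity rule and the shortcut and NT 4.0 trust diagrams above, as an added example that is not part of the course material: a trust graph in which parent-child and shortcut trusts are transitive while NT 4.0-style trusts are not (NT 4.0 trusts being non-transitive is a known property, not stated on the slide), with a search for the shortest chain of trusts between two domains. The forest layout (A and B under the root, C under A, D under B) and the C-to-D shortcut are assumptions about the diagrams.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Added example, not from the course slides: model the trust diagrams as a
# graph and find the chain of trusts (the Kerberos referral path) between two
# domains. Transitive trusts carry a path onward; NT 4.0-style trusts do not.
# The forest layout below (A and B under the root, C under A, D under B) is
# an assumption about the slide, as is the shortcut between C and D.

Edge = Tuple[str, str, bool]  # (domain, domain, transitive?) for a two-way trust

def trust_graph(edges: List[Edge]) -> Dict[str, Set[Tuple[str, bool]]]:
    """Two-way trusts give an undirected adjacency list with a transitivity flag."""
    g: Dict[str, Set[Tuple[str, bool]]] = {}
    for a, b, transitive in edges:
        g.setdefault(a, set()).add((b, transitive))
        g.setdefault(b, set()).add((a, transitive))
    return g

def trust_path(edges: List[Edge], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of trusts from src to dst, or None if dst never trusts src.

    A non-transitive trust may only be the single direct hop src -> dst; it is
    never traversed as part of a longer chain.
    """
    if src == dst:
        return [src]
    g = trust_graph(edges)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        for nxt, transitive in g.get(path[-1], ()):
            if nxt in seen:
                continue
            if not transitive and not (len(path) == 1 and nxt == dst):
                continue
            if nxt == dst:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

# Constructed forest from the slides: root with children A and B, and
# grandchildren C (under A) and D (under B); parent-child trusts are transitive.
FOREST: List[Edge] = [("root", "A", True), ("root", "B", True),
                      ("A", "C", True), ("B", "D", True)]
SHORTCUT: Edge = ("C", "D", True)  # the shortcut trust from the slide
NT4_STYLE: List[Edge] = [("A", "B", False), ("B", "C", False)]  # non-transitive
```

With the shortcut in place the referral path from C to D drops from five domains to two; with NT 4.0-style trusts, A reaches B but never C.
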
CROSS-FOREST TRUST
- New in Windows Server 2003
- Trusts between two forests
- Requires Windows Server 2003 forest functional level
- Uses Kerberos, as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships

SUMMARY
- Active Directory is a database (NTDS.dit).
- DNS is required by Active Directory.
- Schema defines object types and attributes.
- Domain and forest functional levels provide a balance between backward compatibility and new functionality.
- Active Directory allows for two-way transitive (Kerberos) trusts.
- Trusts allow domain hierarchies to be created.
- Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.