Transcript Document
Microsoft Active Directory (AD)
A presentation by
Robert, Jasmine, Val and Scott
IMT546
December 11, 2004
What are directory services?
All Directory services use a hierarchical
structure that stores information about
objects on the network. What differentiates
the various implementations are the types of
objects that they track.
What objects are tracked via Directory Services?
• Shared Resources:
  – Servers
  – Shared volumes
  – Printers
  – Applications
• Administration of:
  – Users
  – User/Group access
  – Network resources
  – Management of domains, applications, services, security
    policies, and just about everything else in your network.
Directory Services Common
Features:
• Provide file shares
• Authenticate users
• Provide services, such as e-mail, Internet access,
print services, etc.
• Control access to services and shares.
Key Features of Active Directory
• AD as a namespace that is integrated with the
Internet's Domain Name System (DNS).
• AD - A new directory service central to the
Windows 2000 Server operating system, runs only
on domain controllers.
Some directory services are integrated with an
operating system, and others are applications such
as e-mail directories. Operating system directory
services, such as AD, provide user, computer, and
shared resource management.
Active Directory utilizes a
distributed architecture
• Active Directory, in addition to providing a
place to store data and services to make that
data available, also protects network objects
from unauthorized access and replicates
information about objects across the entire
network so that information about objects is
not lost if one domain controller fails.
Terminology
• Site: A site is a physical location, or LAN. This is
different from a web site, which is an
organization’s internet presence.
• Domain:
– (1) A sub-network comprised of a group of clients and
servers under the control of one security database.
Dividing LANs into domains improves performance
and security.
– (2) All resources under the control of a single computer
system.
Sample Domain Structure
Basic Network Identity Services
– Dynamic Host Configuration Protocol (DHCP)
– Domain Name System (DNS)
– Lightweight Directory Access Protocol (LDAP)
– Public Key Infrastructure (PKI)
– Remote Authentication Dial-In User Service (RADIUS)
– Microsoft's Active Directory
– Novell Directory Services (NDS)
Identity Service Providers
SERVICE SPECIFICS
• Most mid-sized to large enterprises today are likely to run
about a half dozen network identity services to connect their
business applications and network infrastructure.
• These services each have specific roles to play in the network,
but they also often interact with one another.
• Network identity services each perform specific tasks and also
frequently interact. Managing interactions becomes
challenging when multiple internal organizations administer
the various services, which may be duplicated in numerous
locations throughout the network and use different data stores.
DNS
Domain Name System
• DNS is a globally distributed database that maps
host names to IP addresses on the Internet.
• DNS uses a hierarchy of domains on the internet.
– Top level domains use the familiar names
like .com, .edu, .gov.
– Second-level domains are registered to organizations that
have a presence on the web.
Active Directory is designed to exist within the scope of
the Global DNS Namespace.
DNS Structure
LDAP
• Lightweight Directory Access Protocol
(LDAP) -- a protocol used to access a
directory service.
• The Lightweight Directory Access Protocol is
the primary access protocol for Active
Directory.
Active Directory's Global
Catalog
• The global catalog is the mechanism that
tracks all of the objects managed across the
network, across all domains within the
organization.
• Elements of the catalog are replicated
across all of the domain controllers within
all domains across the org.
Global Catalog - Service Discovery
• For Active Directory to function properly, DNS
servers must support Service Location (SRV)
resource records.
• SRV resource records map the name of a service
to the name of a server offering that service.
Active Directory clients and domain controllers
use SRV resource records to determine the IP
addresses of domain controllers.
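Added example, not part of the slides: a small model of the SRV-based domain controller locator the slide describes. The zone data, the domain name corp.example.com and the host names are constructed for illustration, and the "target must lie inside the domain" check is this example's own sanity rule rather than something the slides or Windows specify.

```python
import random
from dataclasses import dataclass

@dataclass
class SrvRecord:
    """One RFC 2782 SRV record: owner name, priority, weight, port, target host."""
    name: str
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample zone for the hypothetical domain corp.example.com (a real DC
# registers its own _msdcs SRV names via dynamic DNS update). The last record is
# deliberately bogus: its target lies outside the domain and must be rejected.
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 10 0   389 dc-backup.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0  100 88  dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 rogue.other.example.
"""

def parse_zone(text):
    """Parse zone-file style SRV lines (constructed input) into SrvRecord objects."""
    records = []
    for line in text.strip().splitlines():
        name, _ttl, _cls, rtype, prio, weight, port, target = line.split()
        if rtype == "SRV":
            records.append(SrvRecord(name.lower(), int(prio), int(weight),
                                     int(port), target.rstrip(".").lower()))
    return records

def in_domain(host, domain):
    """This example's own sanity check: a DC answer must be a host inside the domain."""
    return host == domain or host.endswith("." + domain)

def locate_dc(zone_text, service, domain, seed=0):
    """Mimic the DC locator: look up _<service>._tcp.dc._msdcs.<domain>, keep the
    lowest-priority tier, then choose by weight as RFC 2782 prescribes."""
    owner = f"_{service}._tcp.dc._msdcs.{domain}.".lower()
    cands = [r for r in parse_zone(zone_text)
             if r.name == owner and in_domain(r.target, domain)]
    if not cands:
        return None
    best = min(r.priority for r in cands)
    tier = [r for r in cands if r.priority == best]
    rng = random.Random(seed)
    if sum(r.weight for r in tier) == 0:  # all weights zero: plain random choice
        return rng.choice(tier)
    return rng.choices(tier, weights=[r.weight for r in tier])[0]
```

A plain DNS answer is not authenticated, so a real client still has to verify the chosen domain controller afterwards (Kerberos mutual authentication, LDAP signing); the in-domain check above only filters obviously misdirected records.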
Domain authority
• Active Directory replicates its administration
information across domain controllers throughout
the “forest” utilizing a “multi-master” approach.
• Multi-master replication among peer domain
controllers is impractical for some types of changes,
so only one domain controller, called the
operations master, accepts requests for such
changes.
Authentication
• Each domain controller has information for the
entire forest to support authentication and access
control.
• This provides the ability for local domain
controllers (the “tree”) to provide a quick local
lookup of authority.
• Not just users but every object authenticating to
Active Directory must reference the global catalog
server, including every computer that boots up.
An example of an Active
Directory implementation
PING North America
Benefits from using Active Directory
• Reduced one IT staff member’s workload by 40
percent, freeing 800 hours per year to work on
new projects
• Significant cost savings due to server
consolidation and elimination of mainframe and
NetWare
• Increased security and stability through
centralized desktop management
• Active Directory also gives PING a single
repository for all types of information.
Source: Microsoft
Time Savings
Before
• For PCs that were still running Windows NT
Workstation or Windows 98, it would take as
much as 40 hours of effort to manually visit each
desktop and install the patch.
After
• For desktops running Windows XP
Professional, a group policy can be created that
will push a new security patch out to all of them
in less than 30 minutes.
Repository of Information
Before
• Spreadsheets had to be created and
maintained for user locations, office numbers, phone
numbers etc.
After
• All of the information is now managed in a single place
and is updated using a single interface.
Increased Security
• Since Active Directory provides a single point of management for all systems, desktops can be
locked down in a known, secure state and kept current with software updates and security patches
with minimal time and effort.
Open Source Implementation:
Mac OS X Server v10.3 Open
Directory 2
• The latest version of Apple’s standards-based
directory and authentication services
architecture.
• The Open Directory architecture makes it easy to
integrate Mac OS X client and server systems
into your existing network infrastructure. It’s
compatible with other standards-based LDAP
servers, and can even plug into environments that
use proprietary services such as Microsoft’s Active
Directory and Novell’s eDirectory.
Open Directory Features:
• Support for mixed-platform environments
• Strong authentication options - Kerberos
• Reliability and scalability
References:
• Mac OS X Open Directory: http://www.apple.com/server/macosx/open_directory.html
• Microsoft Active Directory: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/projplan/adarch.mspx
• Ping: http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=15304
• General: http://www.microsoft.com
• Gaining Control of Your Network Identity Infrastructure…: http://www.bitpipe.com/detail/RES/1082474885_246.html