Transcript KaranOberoi

By
Karan Oberoi
 A directory service (DS) is a software application- or a
set of applications - that stores and organizes information
about a computer network's users and network resources.
Allows network administrators to manage users' access
to the resources
Act as an abstraction layer between users and shared
resources
 Provide file shares.
 Authenticate users
 Provide services, such as Email, Access to the internet,
Print services etc.
 Control access to services and shares.
Active Directory is Microsoft’s version of an
LDAP based network directory service.
»Active Directory allows administrators to define,
arrange and manage objects, such as user data,
printers and servers, so they are available to users and
applications throughout the organization.
 Microsoft’s directory service which is included in the
Windows 2000 and Windows Server 2003 operating system
versions.
 Is an implementation of LDAP directory services.
 Called: ADS,NTDS
Goals and Benefits
Open Standards
High Scalability
Simplified Administration


Hierarchical
Base object
Domain
Domain
Tree
Forest
OU
Domain
Domain
Domain
OU
OU
Tree
Domain
Domain
Objects
 „old Friends “
 User
Group
Computer
New Elements
Distribution Lists
System Policies
Application defined custom objects
Described in the Schema

Definition of all AD
Object-Types (Classes)
 Attributes
 Data-Types (Syntaxes)




Can be compared to a Database Schema
ONE consistent Schema inside a single Forest
Extensible
 AD Base Element (Building Block)
 NT 4 Compatible
 Physically Implemented on Domain Controllers (DC)
 Border for
- Replication Traffic
- System Policies
- Administration
Firma.de
LA
Admin
New York
Sales
Admin
Sales
 Implements a Structure inside a Domain
 Can be nested as needed
 Can not be assigned any rights
 Typically used for Administrative Reasons
e.g. System Policies
 Hierarchical Domain Structure inside a
single Namespace
- adiscon.com
- la.adiscon.com
- ny.adiscon.com
 Transitive Trusts created automatically
 Sub-Domain must be added to RootDomain – otherwise there will be no tree adiscon.com
Tree
 Combination of Trees
 Disjunct Namespaces
- adiscon.de
- adiscon.com
 Transitive Trusts created automatically
 There is one single tree-root!
 Sub-Tree must be added to Root-Tree,
otherwise no Forest will be created
 Site: A site is a physical location, or LAN. This is
different from a web site, which is an organization’s
internet presence.
 Domain:
- A sub-network comprised of a group of clients and
servers under the control of one security database.
Dividing LANs into domains improves performance and
security.
- All resources under the control of a single computer
system.
 Lightweight Directory Access Protocol
(LDAP) -- a protocol used to access a
directory service.
 Lightweight Access Directory Protocol is
the primary access protocol for Active
Directory.
 The global catalog is the mechanism that
tracks all of the objects managed across the
network, across all domains within the
organization.
 Elements of the catalog are replicated
across all of the domain controllers within
all domains across the org.
 For Active Directory to function properly, DNS
servers must support Service Location (SRV)
resource records.
 SRV resource records map the name of a service
to the name of a server offering that service.
Active Directory clients and domain controllers
use SRV resource records to determine the IP
addresses of domain controllers.
 Active Directory replicates its administration
information across domain controllers throughout the
“forest” utilizing a “multi-master” approach.
 Multi-master replication among peer domain
controllers is impractical for some types changes, so
only one domain controller, called the operations
master, accepts requests for such changes.
Each domain controller has information for the
entire forest to support authentication and access
control.
This provides the ability for local domain controllers
(the “tree”) to provide a quick local lookup of
authority.
Not just users but every object authenticating to
Active Directory must reference the global catalog
server, including every computer that boots up
 Stores a physical Copy of the Active Directory
Database
- Currently a single Domain per DC supported!
- ESE95 Database (MS Exchange)
 Logon Services
- Kerberos
- LAN Manager Authentication
 Its always recommended to have at least 2
Domain Controllers!
 Updates can be applied to ANY Domain Controller
 Will be Replicated to each other Domain Controls
(inside that Domain) within 15 Minutes
 Optimized Algorithm reduces Replication Traffic
 Not time based (triggered on demand, only)!
 All Domain Databases involved
 Changes are transmitted compressed
 via IP (RPC) or SMTP
-SMTP not within a single domain!
 Time Replication occurs can be configured
 Volume of Replication Traffic can not be restricted!
 Have an Eye on GCs!
 Improved Authentication
 Permissions applied via ACLs
- To Objects as whole
- To specific Attributes
 Fine-Tuning of Access Permissions possible
 Tool-Support to visualize Security Settings .
currently weak (try Visio!)
 Time Savings
 Repository of Information
 Increased Security
 DNS Dependency
 No „Merge-Tree“
 No Partitioning (only a single Domain per .
Domain Controller)
 Limited Tool-Support
 Forest Global Schema
 Schema-Modifications can not be undone
 Applications directly using and accessing the Active
. Directory
- e.g. Exchange 2000
- Many more expected!
 Typically extend the Schema
 May dramatically change usage pattern for Active
. Directory Resources
- Replication Traffic
(new Objects, Attributes)
- AD Queries (GCs!)