Chapter 9 PowerPoint Presentation


Introduction to Active Directory Directory Services
• Uniquely identify users and resources on a network
• Provide a single point of network management
1
What Are Active Directory Directory Services?
The directory service included with Microsoft Windows 2000 Server products
• A directory service is a network service.
• A directory service identifies all resources on a network.
• A directory service makes all resources available.
2
What Are Active Directory Directory Services? (continued)
Active Directory directory services include the Directory.
• The Directory stores information about network resources.
• Resources stored in the Directory are referred to as objects.
3
Simplified Administration
Active Directory directory services organize resources hierarchically in domains.
• A domain is a logical grouping of servers and other network resources under a single domain name.
• A domain is the basic unit of replication and security.
• A domain includes at least one domain controller.
4
Simplified Administration (continued)
Active Directory directory services provide
• A single point of administration for all objects on the network
• A single point of logon for all network resources
5
Scalability
• The Directory stores information by organizing itself into sections that permit storage for a huge number of objects.
• The Directory can expand to meet the needs of
  • Small installations with one server and a few hundred objects.
  • Huge installations with hundreds of servers and millions of objects.
6
Open Standards Support
Active Directory directory services
• Integrate the Internet concept of a namespace with the Windows 2000 directory service
• Allow you to unify and manage multiple namespaces
• Use DNS as their name system
• Exchange information with any application or directory that uses LDAP or HTTP
7
Domain Name System
• DNS is the domain naming and locator service for Active Directory.
• Windows 2000 domain names are also DNS names.
• Windows 2000 Server uses dynamic DNS (DDNS).
• Clients can update the DNS table dynamically.
• DDNS eliminates the need for other naming services.
8
Support for LDAP and HTTP
• LDAP is an Internet standard for accessing directory services.
• HTTP is the standard protocol for displaying pages on the World Wide Web.
• You can display every object in Active Directory as an HTML page in a Web browser.
9
Support for Standard Name Formats
RFC 822: [email protected]
HTTP URL: http://domain/path-to-page
UNC: \\microsoft.com\xl\budget.xls
LDAP URL: LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel
10
Logical Structure
• The logical structure is separate from the physical structure.
• Organize resources in a logical structure.
• Find a resource by its name rather than its physical location.
• The network’s physical structure is transparent to the users.
11
Objects
12
Organizational Units
13
Domain
• The domain is the core unit of logical structure.
• All network objects exist within a domain.
• A domain stores information about only the objects that it contains.
• A practical limit to the number of objects in a domain is 1 million.
14
A Domain Is a Security Boundary
• Access to domain objects is controlled by ACLs.
• ACLs contain the permissions associated with objects.
• ACLs control which users can gain access to an object.
• ACLs control which type of access users can gain to the objects.
• Security policies and settings do not cross from one domain to another.
• A domain administrator has absolute rights to set policies only within that domain.
15
Tree
• A tree is a grouping of one or more Windows 2000 domains.
• All domains within a single tree share a contiguous namespace.
• The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
• All domains within a single tree share a common schema.
• All domains within a single tree share a common global catalog.
16
Forest
• A forest is a grouping of one or more domain trees.
• The trees in a forest form a disjointed namespace.
• All trees in a forest share a common schema.
• Trees in a forest have different naming structures.
• All domains in a forest share a common global catalog.
• Domains in a forest operate independently.
17
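To make the Tree and Forest slides concrete, the following added example (not Microsoft's code; the domain names in FOREST are constructed) groups a forest's domains into trees by walking each name's DNS parents: names whose parent is also a forest domain share that tree's contiguous namespace, and the remaining roots show why the forest as a whole is disjointed.

```python
# Added illustration for the Tree and Forest slides; not Microsoft's code.
# FOREST is a constructed list of domain DNS names (the slides state that
# Windows 2000 domain names are also DNS names).
FOREST = ["contoso.com", "sales.contoso.com", "eu.sales.contoso.com",
          "lab.contoso.com", "fabrikam.net", "hr.fabrikam.net"]


def parent_domain(name):
    """Strip the relative (leftmost) label: 'sales.contoso.com' -> 'contoso.com'."""
    return name.split(".", 1)[1] if "." in name else ""


def child_domain_name(relative_name, parent):
    """Tree slide: a child's DNS name is its relative name appended with the parent's."""
    return f"{relative_name}.{parent}"


def tree_root(name, names):
    """Walk up parent names while they are also domains in the forest."""
    while parent_domain(name) in names:
        name = parent_domain(name)
    return name


def build_trees(domains):
    """Group a forest's domains into trees. A domain whose parent DNS name is
    also in the forest shares that tree's contiguous namespace; one whose
    parent is not roots a separate tree, so the forest namespace is disjointed."""
    names = {d.lower().strip(".") for d in domains}
    trees = {}
    for d in sorted(names, key=lambda n: (n.count("."), n)):  # parents first
        trees.setdefault(tree_root(d, names), []).append(d)
    return trees
```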
Sites
• The physical structure is based on sites.
• A site is a combination of one or more IP subnets.
• Typically a site has the same boundaries as a LAN.
• Sites are not part of the logical namespace.
• Sites contain computer objects and connection objects.
18
Replication Within a Site
• The Active Directory directory services include a replication feature.
• Replication ensures that changes to a domain controller are reflected by all domain controllers within a domain.
19
Functions of Domain Controllers in a Domain
• Store a complete copy of all Active Directory information
• Replicate all objects in the domain to each other automatically
• Replicate certain important updates immediately
• Use multimaster replication
• Provide fault tolerance
• Manage all aspects of user domain interactions
20
Ring Topology for Replication
21
Schema
• Contains a formal definition of the contents and structure of Active Directory directory services
• Defines attributes for each object class
22
Default Schema
• Created by installing Active Directory on the first computer in a new forest
• Contains definitions of commonly used objects and properties
• Contains definitions of objects and properties used by Active Directory
23
Extensible Schema
• You can define new directory object types and attributes.
• You can define new attributes for existing objects.
• You can extend the schema
  • By using LDAP Data Interchange Format (LDIF) scripts.
  • Programmatically or by using the Active Directory Services Interface (ADSI).
  • By using the Active Directory Schema snap-in.
• The schema is stored in the global catalog and can be updated dynamically.
24
Global Catalog
25
Global Catalog Servers
• Installing Active Directory on the first computer in a new forest makes that domain controller a global catalog server.
• The Active Directory Sites and Services snap-in allows you to designate additional global catalog servers.
• More global catalog servers means more replication traffic.
• More global catalog servers can provide quicker responses.
• Every major site should have a global catalog server.
26
Namespace
27
Naming Conventions
• Every object in Active Directory is identified by a name.
• Active Directory uses a variety of naming conventions.
28
Distinguished Name
• Every object has a distinguished name (DN).
• The DN uniquely identifies the object.
• The DN contains sufficient information for a client to retrieve the object.
• The DN includes the name of the domain that holds the object.
• The DN includes the complete path to the object.
29
Relative Distinguished Name
30
Globally Unique Identifier
• A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique.
• GUIDs are assigned when the object is created.
• The GUID for an object never changes.
• Applications use GUIDs to retrieve objects regardless of current DNs.
31
User Principal Name
• User accounts have a friendly name, the user principal name (UPN).
• The UPN is composed of the shorthand name for the user account and the DNS name of the tree where the user account object resides.
32
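The naming slides (standard name formats, distinguished name, relative distinguished name, user principal name) are easiest to see with a small DN parser. The example below is added here and is not Microsoft's code; SAMPLE_DN is constructed from the slide's LDAP URL example with a fuller DC= suffix and an escaped comma in the CN, which is the case a naive split on commas gets wrong.

```python
# Added illustration of the naming conventions on these slides (DN, RDN,
# DC components, UPN, LDAP URL); not Microsoft's code. SAMPLE_DN is
# constructed from the slide's LDAP URL example with a fuller DC suffix.
from urllib.parse import urlparse

SAMPLE_DN = r"CN=Smith\, John,OU=sys,OU=product,OU=division,DC=devel,DC=microsoft,DC=com"

def split_dn(dn):
    """Split a DN into RDN strings; an RFC 4514 backslash escape keeps a
    comma inside a value (e.g. 'Smith\\, John') from acting as a separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]

def parse_dn(dn):
    """[(attribute, value), ...] from the most specific RDN outward."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in split_dn(dn)]

def relative_dn(dn):
    """The RDN is the leftmost component: the object's name inside its container."""
    return split_dn(dn)[0]

def domain_dns_name(dn):
    """The DC= components, left to right, spell the DNS name of the holding domain."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")

def upn(logon_name, dn):
    """UPN = shorthand account name + '@' + DNS name of the domain."""
    return f"{logon_name}@{domain_dns_name(dn)}"

def parse_ldap_url(url):
    """(server, DN) from an LDAP URL such as the one on the name-formats slide."""
    parts = urlparse(url)  # urlparse lowercases the scheme, so 'LDAP://' is fine
    return parts.hostname, parts.path.lstrip("/")
```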