Transcript ch01

Overview of Active Directory
Domain Services
Lesson 1
Chapter Objectives
• Identify Active Directory functions and benefits.
• Identify the major components that make
up an Active Directory structure.
• Identify how DNS relates to Active
Directory.
• Identify Forest and Domain Functional
Levels.
Directory Service
• A network service that identifies all
resources on a network and makes those
resources accessible to users and
applications.
• The most common directory service
standards are:
– X.500 http://en.wikipedia.org/wiki/X.500
– Lightweight Directory Access Protocol (LDAP)
http://en.wikipedia.org/wiki/LDAP
X.500
• Uses a hierarchical approach in which
objects are organized in a similar way to
the files and folders on a hard drive.
Lightweight Directory Access Protocol
(LDAP)
• Industry standard.
• Slimmed-down version of X.500, modified to run over TCP/IP networks.
Active Directory
• A directory service that uses the “tree”
concept for managing resources on a
Windows network. (DOMAINS)
• Stores information about network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies.
• Identifies all resources on a network and
makes them accessible to users and
applications.
Active Directory
• Used in:
– Windows 2000
– Windows Server 2003
– Windows Server 2008
• Subsequent versions of Active Directory
have introduced new functionality and
security features.
Active Directory
• Windows Server 2008 provides two
directory services:
– Active Directory Domain Services (AD DS):
  for managing users and resources in a domain environment
– Active Directory Lightweight Directory Services (AD LDS):
  used by developers for OS software and applications; can’t be used to administer users and resources
Active Directory Domain
Services (AD DS)
• Provides the full-fledged directory service
that is referred to as Active Directory in
Windows Server 2008 and previous
versions of Windows Server.
Active Directory Lightweight
Directory Services (AD LDS)
• Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.
Domain Controller (DC)
• Server that stores the Active Directory
database and authenticates users with the
network during logon. (PARTITIONED DATABASE)
• Stores database information in a file called
ntds.dit.
• Active Directory is a multimaster database,
and uses multimaster replication.
– Information is automatically replicated
between multiple domain controllers.
Active Directory Functions and
Benefits
• Centralized resource and security
administration.
• Single logon for access to global
resources.
• Fault tolerance and redundancy.
• Simplified resource location. (USES THE GLOBAL
CATALOG FOR THE FOREST, PUBLISH OBJECTS IN ACTIVE
DIRECTORY)
Centralizing Resources and
Security Administration
• Active Directory provides a single point from which administrators can manage network resources and their associated security objects.
• MMC consoles found in Administrative Tools:
– Active Directory Users and Computers (DSA.MSC)
– Active Directory Sites and Services (DSSITE.MSC)
– Active Directory Domains and Trusts (DOMAIN.MSC)
– ADSI Edit (adsiedit.msc)
Fault Tolerance and
Redundancy
• Active Directory uses a multimaster
domain controller design.
• Changes made on one domain controller
are replicated to all other domain
controllers in the environment.
• It is recommended to have two or more
domain controllers for each domain.
WHY??? Fault tolerance (redundancy)
Read-Only Domain Controller
(RODC)
• Introduced with Windows Server 2008.
• A domain controller that holds a copy of the ntds.dit file that cannot be modified, and that does not replicate changes out to other domain controllers in Active Directory.
Simplifying Resource Location
• Allows file and print resources to be
published within Active Directory.
• Examples include:
– Shared folders
– Printers
Active Directory Components
• Forests – One or more domain trees, with each tree having its own unique namespace.
• Domain trees – One or more domains with a contiguous namespace.
• Domains – A logical unit (grouping) of
computers and network resources that
defines a security boundary.
Active Directory Components
• All Active Directory objects share some common attributes:
– Unique name
– Globally unique identifier (OBJECT GUID)
(can be found using adsiedit.msc)
– Required object attributes
– Optional object attributes
GUID DEFINITION AND USES
• A globally unique identifier or GUID (pronounced /ˈɡuːɪd/ or /ˈɡwɪd/) is a unique reference number used as an identifier in computer software. The term GUID also is used for Microsoft's implementation of the Universally Unique Identifier (UUID) standard.
• The value of a GUID is represented as a 32-character hexadecimal string, such as {21EC2020-3AEA-1069-A2DD-08002B30309D}, and is usually stored as a 128-bit integer. The total number of unique keys is 2^128 or 3.4×10^38, roughly 2 trillion per cubic millimeter of the entire volume of the Earth. This number is so large that the probability of the same number being generated randomly twice is extremely small.
• Database servers can use GUIDs to create unique row identifiers, solving the chicken-and-egg problem inherent with sequential row IDs.
• Microsoft Windows uses GUIDs internally to identify the classes and interfaces of COM objects. A script can activate a specific class or object without having to know the name or location of the dynamic-link library that contains it.
• Intel's GUID Partition Table (GPT), a system for partitioning hard drives.
• ActiveX, a system for downloading and installing controls in a web browser, uses GUIDs to uniquely identify each control.
• Second Life uses GUIDs for identification of all assets in its world.
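Microsoft's GUID implementation, noted above, is what Active Directory uses for the objectGUID attribute. The following is an added example, not part of the slide deck: it turns the 16 raw bytes an LDAP client receives for objectGUID into the braced string ADSI Edit displays. The byte values are a constructed sample; Windows lays out the first three GUID fields little-endian, so a naive RFC 4122 byte-order conversion yields a different string, which matters when matching the same object across tools.

```python
import uuid

# Constructed sample: the 16 raw bytes an LDAP client receives for an object's
# objectGUID attribute. Windows stores the first three GUID fields little-endian
# and the last two big-endian, so the bytes do not read in display order.
SAMPLE_OBJECT_GUID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")

def object_guid_to_string(raw: bytes) -> str:
    """Render objectGUID bytes as the braced, upper-case string ADSI Edit shows."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"

def string_to_object_guid(text: str) -> bytes:
    """Inverse conversion: display string back to the 16 bytes stored in the directory."""
    return uuid.UUID(text.strip("{}")).bytes_le

def naive_guid_string(raw: bytes) -> str:
    """Wrong for AD: reads every field big-endian (RFC 4122 order). Kept to show the difference."""
    return "{" + str(uuid.UUID(bytes=raw)).upper() + "}"

def ldap_filter_for_guid(raw: bytes) -> str:
    """Escape each byte as \\XX so the binary GUID can be used in an LDAP search filter."""
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"
```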
Understanding the Schema
• Defines the objects stored within Active Directory and the properties (attributes) associated with each object.
– A user has different properties than a group, which has different properties than a computer.
– REGSVR32 SCHMMGMT.DLL: RUN THIS COMMAND TO BE ABLE TO CREATE AN MMC TO VIEW THE SCHEMA
Active Directory Naming
Standard
• BELOW IS AN EXAMPLE OF A “DN” (Distinguished Name)
• Example:
– cn=JSmith, ou=sales, dc=lucernepublishing, dc=com
– USE ADSI EDIT TO VIEW USER DN
Domain Name System (DNS)
• Provides name resolution for a TCP/IP network.
• Active Directory requires DNS as the default name resolution method.
• Example Resource Records (RR):
– Host (A) – host name to IP address.
– Pointer (PTR) – IP address to host name.
– Service (SRV) – locator records for LDAP/domain controller services.
FUNCTIONS OF DNS
YOU MUST REMEMBER THESE
• DNS PROVIDES NAME RESOLUTION
(BOTH FORWARD AND REVERSE NAME
RESOLUTION)
• DNS FUNCTIONS AS A SERVICE
LOCATOR FOR SERVICES OFFERED
BY ACTIVE DIRECTORY DOMAIN
CONTROLLERS.
• DNS PROVIDES A NAMING CONTEXT
FOR ACTIVE DIRECTORY.
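The DN example above and the SRV locator records in this section fit together: the dc= components of a DN spell out the DNS name of the domain, and the DC locator SRV names hang under that name. As an added example that is not part of the slide deck, the Python below parses the slide's DN, derives the domain name and the _ldap/_kerberos locator names, and parses a constructed zone-file SRV record to check that it is the locator entry for that domain. The record contents (TTL 600, host dc1, port 389) are constructed sample values.

```python
# Constructed samples: the DN from the slide, and the DNS locator record a domain
# controller of that domain would register (zone-file syntax, sample values).
SAMPLE_DN = "cn=JSmith, ou=sales, dc=lucernepublishing, dc=com"
SAMPLE_SRV = "_ldap._tcp.dc._msdcs.lucernepublishing.com. 600 IN SRV 0 100 389 dc1.lucernepublishing.com."

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific RDN first.
    A comma escaped with a backslash stays inside its value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            current.append(ch)
            escaped = not escaped  # set on a backslash, cleared after the escaped char
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def domain_fqdn(dn: str) -> str:
    """Join the dc= components: the DNS name of the domain holding the object."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")

def dc_locator_names(dn: str) -> dict[str, str]:
    """SRV owner names a client resolves to find domain controllers for that domain."""
    fqdn = domain_fqdn(dn)
    return {"ldap": f"_ldap._tcp.dc._msdcs.{fqdn}",
            "kerberos": f"_kerberos._tcp.dc._msdcs.{fqdn}"}

def parse_srv(line: str) -> dict:
    """Parse one zone-file SRV record: owner TTL class SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    owner, _ttl, _cls, _type, prio, weight, port, target = fields
    return {"owner": owner.rstrip("."), "priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".")}

def srv_is_dc_locator_for(line: str, dn: str) -> bool:
    """True when the SRV record is the LDAP DC-locator entry for the DN's domain."""
    return parse_srv(line)["owner"] == dc_locator_names(dn)["ldap"]
```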
Functional Levels
• Allow interoperability with prior versions of Microsoft Windows.
• A higher functional level will not allow older versions of Windows to function, but adds functionality and features.
• Raising the functional level is a one-way process.
Domain Functional Levels
(table of domain functional levels; the default functional level is marked)
Forest Functional Levels
(table of forest functional levels; the default functional level is marked)
Using Forest Functional Levels
• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.
• The functional level of a forest can be raised only on a server that holds the Schema Master role.
– (one of the 5 FSMO roles found in a forest)
Trust Relationships
• Active Directory uses trust relationships to
allow access between multiple domains
and/or forests, either within a single
forest or across multiple enterprise
networks.
• A trust relationship allows administrators
from a particular domain to grant access to
their domain’s resources to users in other
domains. AGDLP ….. REMEMBER?
Trust Relationships
• When a child domain is created, it
automatically receives a two-way
transitive trust with its parent domain.
• Trusts are transitive:
– If domain A trusts domain B
– and domain B trusts domain C,
– then domain A trusts domain C.
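The transitivity rule above, worked through on a constructed forest as an added example (not part of the slide deck): each parent-child link is a two-way transitive trust, so any two domains in the forest are connected through the tree; a manually created forest trust between two forest roots is modelled as transitive between those two forests only, so it does not chain on to a third forest. The domain names are invented; the routine reports the trust path an administrator relies on before granting access to users from another domain.

```python
from collections import deque

# Constructed forest: each parent -> children link is a two-way transitive trust
# created automatically when the child domain is added to the tree.
LUCERNE_TREE = {
    "lucernepublishing.com": ["sales.lucernepublishing.com", "eu.lucernepublishing.com"],
    "eu.lucernepublishing.com": ["de.eu.lucernepublishing.com"],
}
PARTNER_TREE = {"partner.example": ["hr.partner.example"]}
VENDOR_TREE = {"vendor.example": []}
# Manually created forest trusts between forest roots (constructed).
FOREST_TRUSTS = [("lucernepublishing.com", "partner.example"),
                 ("partner.example", "vendor.example")]

def trust_graph(trees, forest_trusts):
    """Adjacency map domain -> {neighbour: 'intra' | 'forest'}; every trust here is two-way."""
    graph = {}
    for tree in trees:
        for parent, children in tree.items():
            graph.setdefault(parent, {})
            for child in children:
                graph[parent][child] = "intra"
                graph.setdefault(child, {})[parent] = "intra"
    for a, b in forest_trusts:
        graph.setdefault(a, {})[b] = "forest"
        graph.setdefault(b, {})[a] = "forest"
    return graph

def trust_path(graph, source, target):
    """Breadth-first search for the chain of trusts linking two domains.
    Intra-forest trusts chain without limit; a forest trust is transitive only
    between the two forests it joins, so at most one forest edge may be crossed.
    Returns the list of domains on the path, or None when no trust path exists."""
    queue = deque([(source, [source], 0)])
    seen = {(source, 0)}
    while queue:
        node, path, crossed = queue.popleft()
        if node == target:
            return path
        for neighbour, kind in graph.get(node, {}).items():
            hops = crossed + (1 if kind == "forest" else 0)
            if hops > 1 or (neighbour, hops) in seen:
                continue
            seen.add((neighbour, hops))
            queue.append((neighbour, path + [neighbour], hops))
    return None

GRAPH = trust_graph([LUCERNE_TREE, PARTNER_TREE, VENDOR_TREE], FOREST_TRUSTS)
```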
Chapter Summary
• Active Directory is a database of objects that are
used to organize resources according to a
logical plan.
– These objects include containers such as domains
and OUs in addition to resources such as users,
computers, and printers.
• The Active Directory schema includes
definitions of all objects and attributes within
a single forest.
– Each forest maintains its own Active Directory
schema.
Chapter Summary
• Active Directory requires DNS to
support SRV records.
– Microsoft recommends that DNS support
dynamic updates.
Chapter Summary
• Domain and forest functional levels are
new features of Windows Server 2008.
– The levels defined for each of these are
based on the type of server operating
systems that are required by the Active
Directory design.
– The Windows Server 2003 forest functional
level is the highest functional level
available and includes support for all
Windows Server 2003 features.
Chapter Summary
• Two-way transitive trusts are
automatically generated within the Active
Directory domain structure.
– Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources.
– The ISTG (Inter-Site Topology Generator) is responsible for this process.
Chapter Summary
• Cross-forest trusts are new to Windows Server 2003, and they are only available when the forest functional level is set to Windows Server 2003 or higher.
– They must be manually created and maintained.