Active Directory and DNS
Active Directory
Lecture 3
Active Directory Definitions
AD is Microsoft’s consolidation of the major
enterprise-wide directory services within a single,
replicable data store and administrative interface
AD is a network-based object store and service that
locates and manages resources, and makes these
resources available to authorized users and groups.
The 2 components of AD are the Data Store and the
AD Services that act on that data
AD Advantages
Provides centralized logon and authentication point
for users to access resources
A focal point for centralized administration and
management
A searchable store for info about every network
object and its attributes
Standards-based structures and interfaces allow for
product interoperability and compatibility with 3rd
party products
Scalable (virtually no limit on number of objects)
New Features
Restart capability
Read-only Domain Controller
Auditing improvements
Multiple Password/Account Lockout
Policies in a Domain
AD Lightweight Directory Services Role
DNS
DNS is an Internet standard service that translates
easily readable host names, such as
mycomputer.microsoft.com, to numeric IP addresses.
Domain names for DNS are based on the hierarchical
naming structure (inverted tree structure): a single
root domain, underneath which can be parent and
child domains (branches and leaves).
Each computer in a DNS domain is uniquely identified
by its DNS fully qualified domain name (FQDN), e.g.
server1.ifsm.umbc.edu
Dynamic DNS – newer standard, required for AD
AD and DNS integration
• Active Directory and DNS have the same hierarchical structure.
• All AD names follow DNS conventions.
• DNS records (zones) can be stored in Active Directory.
• Active Directory clients use DNS to locate domain controllers.
AD Organization
An underlying principle of the AD is that
everything is considered an object – people,
servers, workstations, printers, etc.
Each object also has certain attributes
Object classes are definitions of the object
types that can be created in the AD.
Controlling Object Access
Every object has an ACL that contains
information about who has access to it and
what they can do with it.
Controlling access to the object in AD is not
the same as access to the object itself. AD
permissions only specify whether a user,
group or computer can view or modify an
object’s properties in AD.
Access can be set up for individual object
properties
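The slide's point that AD permissions decide who may view or modify an object's properties, and that access can be granted per property, can be made concrete with a small evaluator. The code below is an added example, not part of the lecture and not Windows' own DACL algorithm: the ACE fields, the group and user names and the attribute names chosen for the sample ACL are constructed, and the rule "any matching deny wins, otherwise any matching allow grants" is a simplification of the real Windows evaluation order.

```python
"""Property-level access check on an AD object (simplified model).

Added example, not from the lecture. An ACE names a trustee (user or group),
a right, allow/deny, and optionally a single property; a None property means
the entry covers every property of the object.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ACE:
    trustee: str                 # user or group the entry applies to
    right: str                   # "read" (view) or "write" (modify)
    allow: bool                  # False makes this a deny entry
    prop: Optional[str] = None   # None: applies to all properties of the object


def principals_for(user: str, groups: dict) -> set:
    """The user plus every group that lists the user as a member."""
    return {user} | {g for g, members in groups.items() if user in members}


def check_property_access(acl, user: str, groups: dict, right: str, prop: str) -> bool:
    """Decide whether `user` may exercise `right` on property `prop`.

    An ACE matches when its trustee is the user or one of the user's groups,
    its right equals the requested right, and it covers the property (either
    that specific property or the whole object). Simplified rule: any matching
    deny refuses access; otherwise any matching allow grants it; no match means
    no access.
    """
    principals = principals_for(user, groups)
    matching = [ace for ace in acl
                if ace.trustee in principals
                and ace.right == right
                and ace.prop in (None, prop)]
    if any(not ace.allow for ace in matching):
        return False
    return any(ace.allow for ace in matching)


# Constructed sample: group memberships and an ACL on one user object.
GROUPS = {
    "Domain Admins": {"bob"},
    "HelpDesk": {"alice"},
}
USER_OBJECT_ACL = [
    ACE("Domain Admins", "read", True),
    ACE("Domain Admins", "write", True),
    ACE("HelpDesk", "read", True),                                  # may view everything
    ACE("HelpDesk", "write", True, prop="telephoneNumber"),         # may edit one property
    ACE("HelpDesk", "write", False, prop="userAccountControl"),     # explicitly denied
]

if __name__ == "__main__":
    for user, right, prop in [("alice", "write", "telephoneNumber"),
                              ("alice", "write", "userAccountControl"),
                              ("alice", "write", "displayName"),
                              ("bob", "write", "userAccountControl"),
                              ("carol", "read", "telephoneNumber")]:
        ok = check_property_access(USER_OBJECT_ACL, user, GROUPS, right, prop)
        print(f"{user:6} {right:5} {prop:20} -> {'allowed' if ok else 'denied'}")
```

Note that the help desk user is denied a write on `displayName` not by an explicit deny but because no entry grants it; reviewing an object's ACL for property-level entries is what shows which delegated administrators can change security-sensitive attributes.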
Schema
A set of object definitions (object classes) and
their associated attributes
Provides info on what objects and attributes
are available to the Directory
Allows administrators to modify and add new
object classes, objects and attributes as
needed, making the schema extensible
Because of this flexibility, AD is capable of
being the single point of administration for all
published resources (files, peripheral devices,
host connections, databases, Web access,
users)
AD Organization
AD objects are organized around a
hierarchical domain model that allows
scalability and expandability
Domain model building blocks are:
- domains
- domain trees
- forests
- organizational units
Name Space
AD is based on the concept of a namespace;
that is, a name is used to resolve the location
of an object
AD domain names correspond to DNS domain
names
Each object has different ways to refer to it,
and each name pinpoints the location of
object in AD
Domain
Logical partition comprised of users, computers
and network resources that share a common
logical security boundary and utilize a common
namespace (e.g. ifsm.umbc.edu)
Domains can be arranged into a hierarchical
parent-child structure
All domains maintain their own security policies
and security relationships with other domains
Requires at least 1 Domain Controller (where the AD
database is stored)
With more than 1 DC (recommended), the DCs use
multi-master replication
Trusts
Logical connections between domains to allow users
from one domain to access resources in another domain
Can be one- or two-way
Can be transitive, intransitive or explicit
Trust terminology: the Trusting Domain (which holds the
Resources) trusts the Trusted Domain (which holds the Users)
Transitive Trusts
[Figure: transitive trust linking Domain A, Domain B and Domain C]
A transitive trust is a trust between two domains in the same
domain tree/forest that can extend beyond these two domains
to other trusted domains within the same domain tree/forest.
A transitive trust is always a 2-way trust - both of the
domains trust each other. By default, all Windows Server
2008 trusts within a domain tree/forest are transitive trusts.
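The trust rules on these slides (trusting side holds resources, trusted side holds users; one- or two-way; transitive trusts chain through intermediate domains while non-transitive ones are usable only directly) amount to a reachability question over a directed graph. The code below is an added example, not from the lecture: it records trusts and finds the chain of domains that authorises a user from one domain to reach resources in another. The domain names are constructed, and the outside one-way non-transitive trust in the sample is an assumption added to show the difference from the default in-tree trusts.

```python
"""Trust-path evaluation between domains (added example, not from the lecture).

edges[trusting] = {trusted: transitive}. A one-way trust is one edge; a
two-way trust is two edges. A chain may only pass through transitive trusts;
a direct trust works whether or not it is transitive.
"""
from collections import deque


class TrustGraph:
    def __init__(self):
        self.edges = {}

    def add_trust(self, trusting, trusted, *, two_way=False, transitive=True):
        """Record that `trusting` trusts `trusted`, i.e. users of `trusted`
        may access resources in `trusting`."""
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def trust_path(self, user_domain, resource_domain):
        """Chain of domains from resource_domain to user_domain that grants
        access, or None if no usable trust path exists."""
        if user_domain == resource_domain:
            return [resource_domain]
        # Direct trust: transitivity does not matter.
        if user_domain in self.edges.get(resource_domain, {}):
            return [resource_domain, user_domain]
        # Chained trust: breadth-first search over transitive edges only.
        parent = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            here = queue.popleft()
            for nxt, transitive in self.edges.get(here, {}).items():
                if not transitive or nxt in parent:
                    continue
                parent[nxt] = here
                if nxt == user_domain:
                    path = [nxt]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def can_access(self, user_domain, resource_domain):
        return self.trust_path(user_domain, resource_domain) is not None


def lecture_example():
    """The slide's three-domain tree plus one constructed external trust."""
    g = TrustGraph()
    # In-tree trusts are two-way and transitive by default.
    g.add_trust("a.example", "b.example", two_way=True)
    g.add_trust("b.example", "c.example", two_way=True)
    # Assumption for illustration: A alone trusts an outside domain,
    # one-way and non-transitive, so that trust cannot be chained to B or C.
    g.add_trust("a.example", "partner.example", transitive=False)
    return g


if __name__ == "__main__":
    g = lecture_example()
    for user, resource in [("c.example", "a.example"),
                           ("partner.example", "a.example"),
                           ("partner.example", "b.example"),
                           ("a.example", "partner.example")]:
        print(f"users of {user} -> resources in {resource}: {g.trust_path(user, resource)}")
```

Enumerating which domains' users can reach a given domain's resources, rather than reading each trust in isolation, is what reveals that a two-way transitive trust into a tree exposes every domain in that tree.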
Domain Tree
Consists of hierarchy of domains sharing a
common schema, security trust relationship,
and a Global Catalog
Formed through the expansion of child
domains, and there’s one root domain (the
first created domain)
Defined by a common and contiguous
namespace
Domain Tree Example
Toysrus.com
Marketing.toysrus.com
ny.marketing.toysrus.com
Sales.toysrus.com
Domain Forests
Domain trees with different namespaces
connected by trust relationships
All trees within the forest share a Global
Catalog, configuration and schema.
Simply a reference point between trees and
doesn’t have its own name.
Domain Forest Example
toysrus.com
Sales.toysrus.com
Marketing.toysrus.com
Ny.marketing.toysrus.com
Babiesrus.com
HR.Babiesrus.com
Sales.babiesrus.com
Ny.sales.babiesrus.com
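The FQDN, domain tree and forest slides all rest on one rule: a domain tree is a contiguous DNS namespace under a single root domain, and a forest joins trees whose namespaces differ. The code below is an added example, not from the lecture, that applies that rule to the lecture's own example names: it splits FQDNs into DNS labels, decides parent/child relationships label by label (so `nottoysrus.com` is not under `toysrus.com`), groups a list of domains into trees, and reports any domain whose immediate parent is missing, which would break the contiguous namespace. The extra `online.teams.sales.toysrus.com` input used at the end is constructed.

```python
"""Grouping domain names into domain trees and a forest (added example).

Applies the lecture's rules: a tree is a contiguous namespace rooted at one
domain; trees with different namespaces form a forest.
"""


def labels(fqdn: str) -> list:
    """DNS labels of an FQDN, most specific first, case-folded (DNS names
    are case-insensitive, so Sales.toysrus.com == sales.toysrus.com)."""
    return [part for part in fqdn.lower().rstrip(".").split(".") if part]


def parent_domain(fqdn: str):
    """Name one level up the hierarchy, or None at the top."""
    parts = labels(fqdn)
    return ".".join(parts[1:]) if len(parts) > 1 else None


def is_child_of(child: str, parent: str) -> bool:
    """True when `child` lies (directly or indirectly) under `parent`.
    Compares whole labels, not string suffixes."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def build_forest(domains) -> dict:
    """Group domains into trees: {root: [domains in that tree, root first]}.

    Names are processed shortest first, so a root is seen before its
    descendants. A name joins an existing tree only if it is a subdomain of
    that tree's root; otherwise it starts a new tree (a different namespace).
    """
    names = sorted({".".join(labels(d)) for d in domains},
                   key=lambda d: (len(labels(d)), d))
    trees = {}
    for name in names:
        root = next((r for r in trees if is_child_of(name, r)), None)
        if root is None:
            trees[name] = [name]
        else:
            trees[root].append(name)
    return trees


def missing_parents(domains) -> list:
    """Non-root domains whose immediate parent is absent: gaps that would
    make the tree's namespace non-contiguous."""
    present = {".".join(labels(d)) for d in domains}
    roots = set(build_forest(domains))
    return sorted(d for d in present
                  if d not in roots and parent_domain(d) not in present)


# The lecture's forest example, exactly as listed on the slide.
FOREST_SLIDE = [
    "toysrus.com", "Sales.toysrus.com", "Marketing.toysrus.com",
    "Ny.marketing.toysrus.com", "Babiesrus.com", "HR.Babiesrus.com",
    "Sales.babiesrus.com", "Ny.sales.babiesrus.com",
]

if __name__ == "__main__":
    for root, members in build_forest(FOREST_SLIDE).items():
        print(f"tree rooted at {root}: {members}")
    # Constructed extra name whose parent teams.sales.toysrus.com is absent.
    print("gaps:", missing_parents(FOREST_SLIDE + ["online.teams.sales.toysrus.com"]))
```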
Organizational Unit
Administrative substructure of domains,
arranged hierarchically, can be nested
Special type of object called container;
includes users, computer systems, printers,
etc.
A logical subset defined by security or
administrative parameters where specific
system admin functions can be easily
segmented and delegated
OU Example
Toysrus.com
Marketing.toysrus.com
Sales.toysrus.com
Teams.sales.toysrus.com
Online.teams…
ny.marketing.toysrus.com
Retail.teams…
Global Catalog
AD uses a global catalog in order for users to
find objects quickly, even in a large
multidomain environment
GC contains all the objects in the AD,
inclusive of all domains and trees in a forest,
but with only a subset of their attributes.
Serves as an index to the entire structure
Serves as a central point for user
authentication
Domain and Forest
Functional Levels
Windows Server 2008 has 3 forest functional levels:
Windows 2000 Native
Windows 2003
Windows 2008
Windows Server 2008 has 3 domain functional
levels:
Windows 2000
Windows 2003
Windows 2008
Functional level applies only to DCs, not to member
servers.
Raising domain/forest functional level is irreversible
Sites
Address physical network structure
A site is a region of your network infrastructure
made up of one or more well-connected IP
subnets.
Sites are used to allow all AD clients belonging to
the same physical network area to access
services (DCs, GC and DNS servers) from the
servers in close proximity, rather than across
slow, expensive WAN links
Sites allow AD to have more efficient DC replication
- DC replication can be configured differently inter-site and intra-site
Sites and DCs
DCs are automatically placed into sites
when they join the AD domain, by IP
subnet membership.
After being placed into the site, the DCs
begin receiving replicated information
for their own domain, as well as forest
info.