Microsoft
Windows 2000 Server
Directory Services
Zelko Kecman
Microsoft Confidential
Active Directory Design Goals
[Diagram: world map with locations Chicago, San Diego, Boston, Asia and Europe; legend: Domain Controller, Partition Replica, Windows NT Domain, Partition Boundary]

Must meet enterprise requirements
 Scalability with minimum complexity
 Built on Internet standards
 Security through simplicity
 Enable incremental upgrade and migration
 Work well with existing directory investments
 Flexibility to support organizational change
Active Directory Delivers
User and Network Management
 Users and organization management
 User device management
Authentication and Authorization Services
 Protect data and facilitate access
 Based on Internet technologies
Directory Management
 Directory consolidation
 Directory synchronization
Infrastructure Services
 Directory-enabled networking
 Directory-enabled services
Application Management
 Publish server locations for client lookup
 Policy-based application configuration
Simplify User And Network Management
[Diagram: OU tree under Root (Users: Marketing, Personnel; Machines; Devices; Applications) with callouts "Delegate Management Tasks to Office Admins", "Color Printer in Building 6" and "Give ‘Personnel’ Members the HR Application"]
 Users and organization management
 User device management

Provide Security Services
[Diagram: OU tree under Root (Users: Marketing, Extranet; Machines; Devices; Applications) with Kerberos, X.509 and Smart Card authentication, PKI Certificates, and callout "Restrict Access Rights of Extranet Users"]
 Protect data while facilitating access
 Based on Internet technologies

Simplify Directory Management
[Diagram: Users OU (Marketing, Personnel) with callouts "Exchange Platinum: Consolidated User and Mailbox Management", "User Application: Store Application Data on User Objects" and "Directory Synchronization"]
 Directory consolidation
 Directory synchronization

Enhanced Infrastructure Services
[Diagram: OU tree under Root (Users: Billing, Doctors; Machines: Routers; Applications) with callouts "Publish file shares to facilitate location" and "Policy: Give Doctors More Bandwidth than the Billing Department"]
 Directory-enabled networking
 Directory-enabled services

Simplified Application Management
[Diagram: OU tree under Root (Users: Marketing, Personnel; Machines; Devices; Applications) with callouts "Publish Server locations" and "Policy: Give Personnel access to ‘Change Salary’ Menu Options"]
 Publish server locations for client lookup
 Enable application configuration based on policies and roles

What Is Active Directory?
[Diagram: Active Directory at the centre, linked to the following]
Windows Users
 Account info
 Privileges
 Profiles
 Policy
Windows Clients
 Mgmt profile
 Network info
 Policy
Windows Servers
 Mgmt profile
 Network info
 Services
 Printers
 File shares
 Policy
Management Focal Point For:
 Users and resources
 Security
 Delegation
 Policy
What Is Active Directory?
[Diagram: The Active Directory at the centre, linked to the following and to the Internet]
Windows Users
 Account info
 Privileges
 Profiles
 Policy
Other Directories
 White pages
 E-Commerce
Other NOS
 User registry
 Security
 Policy
E-Mail Servers
 Mailbox info
 Address book
Windows Clients
 Mgmt profile
 Network info
 Policy
Management Focal Point For:
 Users and resources
 Security
 Delegation
 Policy
Applications
 Server config
 Single Sign-On
 App-specific directory info
 Policy
Windows Servers
 Mgmt profile
 Network info
 Services
 Printers
 File shares
 Policy
Network Devices
 Configuration
 QoS policy
 Security policy
Firewall Services
 Configuration
 Security Policy
 VPN policy
Active Directory - Terms
Directory is made of Objects
Objects have Attributes
Schema is a specific definition of objects and attributes
Example: User Account
 Name
 Title
 Manager
 Office Location
 Phone
 Division
 Cost Center Code
 …
Active Directory - Terms
Organizational Unit
Lowest form of grouping in the Active Directory
Group Policy can be applied to the Organizational Units
Can be nested up to 12 levels deep
Organizational Unit is graphically represented by a circle in the diagrams
Nice, Artistic View
[Diagram]
More Realistic View
[Diagram: OU hierarchy with Distribution, Manufacturing, Admin, Sales, R&D, Marketing and Finance]
OUs reflect the corporate organization
May be geographical and/or business model hierarchy
Some levels may have children, while others do not
Active Directory - Terms
Domain
Next hierarchical level above Organizational Units (OUs)
Is a security boundary in the Active Directory
OU properties are inherited within a domain only - not across domains
Provides a replication boundary
Represented by a triangle in the Active Directory diagrams
Active Directory - Terms
Domain Tree
Hierarchically arranged domains created by parent-child relationship
All domains within a domain tree share the same root namespace
Users can search for all information within the Domain Tree
Schema is the same within the Domain Tree
Active Directory - Terms
Global Catalog
Contains a partial replica of the information contained within each of the domains
Network administrator designates which Objects and Attributes get placed in the Global Catalog
Allows for fast searching of the key information in the AD, without hitting all of the domains
Reduces replication overhead
Global Catalog
[Diagram: Domain Schema holds the full User Account (Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires, …) and the full Printer (Name, Mfr, Model, Color, Duplex, Asset #, Paper Size); the Global Catalog holds only the designated subset: User Account (Name, Title, Manager, Office Location, Phone) and Printer (Name, Mfr, Model, Color, Duplex)]
Global Catalog - Domain Tree
The GC in each domain has a pointer to its own domain information (which is complete)
Plus it has partial information from all of the other domains in the tree (or forest)
Q: What is a Group of Domain Trees?
A: A Forest
Active Directory - Terms
Forest
A joined set of Domain Trees that:
 Use the same schema
 Share the same Global Catalog
 Are joined by Kerberos Trust
Very useful for groups of subsidiary companies that want autonomy in administrative roles
Provides for multiple public Internet names (microsoft.com, msnbc.com, etc.)
Active Directory - Terms
Site
Relates directly to the network topology and network connectivity
Defined as an area of “good” network connectivity
Primarily affects
 User logon, distributed file system
 Replication traffic
Site boundaries are independent of domain boundaries
Defining Sites
Sites are areas of “good” network connectivity, defined by IP subnets
Current thinking is a T1 (1.5 Mb/s) link or higher
Intra-site replication takes place automatically via RPC
Inter-site replication is configured by the network administrator
 Time of day, frequency
Sites
Controls replication
Controls how clients locate DCs
Where to locate GC Servers
Applications can be site aware - DFS
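The site mechanism described on the Site, Defining Sites and Sites slides, as an added example that is not part of the presentation: a client is assigned to the site whose IP subnet contains its address most specifically, and DCs in that site are preferred. The site names, subnets and DC names are constructed sample data, and the longest-prefix and fall-back behaviour are this example's assumptions about the locator, not statements from the slides.

```python
"""Map clients to Active Directory sites by IP subnet (added example)."""
import ipaddress

# Constructed sample site definitions: site name -> IP subnets assigned to it.
SITE_SUBNETS = {
    "Chicago": ["10.1.0.0/16"],
    "Boston": ["10.2.0.0/16", "10.1.200.0/24"],  # /24 carved out of Chicago's /16
    "Europe": ["192.168.0.0/16"],
}

# Constructed sample domain controllers and the site each one sits in.
DC_SITES = {
    "dc1.widgets.org": "Chicago",
    "dc2.widgets.org": "Chicago",
    "dc3.widgets.org": "Boston",
    "dc4.widgets.org": "Europe",
}


def site_for_ip(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose subnet most specifically contains ip, or None
    when no subnet covers it (assumed longest-prefix rule)."""
    addr = ipaddress.ip_address(ip)
    best_site, best_len = None, -1
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site


def dcs_for_client(ip, dc_sites=DC_SITES, site_subnets=SITE_SUBNETS):
    """Prefer DCs in the client's own site. A client whose subnet is not
    assigned to any site gets every DC, so it may end up authenticating
    across a slow link: unassigned subnets are worth auditing for."""
    site = site_for_ip(ip, site_subnets)
    local = sorted(dc for dc, s in dc_sites.items() if s == site)
    return local if local else sorted(dc_sites)
```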
Sites - Intra Domain
[Diagram]
Domain Name System (DNS)
Windows 2000 DNS owns the root
Windows 2000 DNS owns a delegated sub-domain
No Windows 2000 DNS implemented
DNS Integration Choices
Windows 2000 owns the root
[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org and asia.widgets.org]
Pros
 No dependency on existing DNS servers
 No AD integration testing required
 Multi-master replication with AD-based DNS
 A shorter familiar name is more user friendly
Cons
 Requires effort to replace existing DNS servers
DNS Integration Choices
Delegated sub-domain
[Diagram: widgets.org delegates w2k.widgets.org, with child domains na.w2k.widgets.org, euro.w2k.widgets.org and asia.w2k.widgets.org]
Pros
 Requires no upgrade to existing DNS servers
 Minimizes dependency of Active Directory on existing DNS servers
Cons
 Names are longer
 The added component is arbitrary, therefore unmemorable
 Continued dependency on existing DNS servers
DNS Integration Choices
No Windows 2000 DNS
[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org and asia.widgets.org]
Pros
 No political change
Cons
 Single point of failure for dynamic registrations
 Must upgrade servers to support SRV recs (RFC 2052)
 Must manually enter contents of NETLOGON.DNS if no support for DDNS (RFC 2136)
 Must perform integration testing with MS DHCP server
 More integration testing with third-party server
DNS Naming considerations
Use Internet-standard characters
 ‘A’-’Z’, ‘a’-’z’, ‘0’-’9’, and ‘-’ (RFC 1123)
 Microsoft DNS supports wider range
Users not exposed to domain names
 E-mail style login name does not have to be related to domain name
 Most interaction is query to global catalog
 Admins exposed to domain names
DNS Requirements
The Locator
Domain controllers dynamically register Service Location records
 SRV resource record (RFC 2052)
 Maps (service) --> (hosts offering service)
 General rendezvous mechanism
 Analogous to SMTP and the MX record
NETLOGON service sends updates
 Dynamic update protocol (RFC 2136)
DNS Requirements
Locator records
SRV records are named like
 ldap.tcp.<domain name>.
 e.g. ldap.tcp.nt.microsoft.com.
 More like that, all ending in <domain name>
DNS server that owns <domain name>
 MUST support the SRV record
 SHOULD support dynamic update
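The locator records described on the two DNS Requirements slides, together with the RFC 1123 character rule from the naming slide, as an added example that is not part of the presentation: it parses SRV records written in the zone-file layout that NETLOGON.DNS uses (the form an administrator would enter by hand when the DNS server lacks dynamic update), groups them by service name and orders the hosts by priority and weight. The record lines, the widgets.org names and the field layout are constructed sample data and assumptions of this example.

```python
"""Parse DC locator SRV records (zone-file layout) and rank the hosts.

The record names follow the RFC 2052 form on the slide (ldap.tcp.<domain>.);
the parser keys on the name string, so the later _ldap._tcp form works too.
"""
import re
from collections import defaultdict

# Constructed sample records in the layout NETLOGON.DNS uses (assumed):
# name TTL IN SRV priority weight port target
SAMPLE_RECORDS = """
ldap.tcp.nt.widgets.org. 600 IN SRV 0 100 389 dc1.nt.widgets.org.
ldap.tcp.nt.widgets.org. 600 IN SRV 0 50 389 dc2.nt.widgets.org.
ldap.tcp.nt.widgets.org. 600 IN SRV 10 100 389 dc3.nt.widgets.org.
kerberos.tcp.nt.widgets.org. 600 IN SRV 0 100 88 dc1.nt.widgets.org.
"""

# One DNS label: A-Z, a-z, 0-9 and '-', neither starting nor ending with '-'
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_rfc1123_name(name):
    """True when every label of name uses only the Internet-standard
    characters (RFC 1123) and is at most 63 characters long."""
    labels = name.rstrip(".").split(".")
    return all(len(label) <= 63 and LABEL_RE.match(label) for label in labels)


def parse_srv_records(text):
    """Return {service name: [(priority, weight, port, target), ...]}.
    Lines that are not well-formed SRV records are skipped, so a typo in a
    hand-edited zone silently drops that DC: compare the result against the
    DC list you expect to be published."""
    services = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        prio, weight, port = (int(f) for f in fields[4:7])
        services[fields[0]].append((prio, weight, port, fields[7]))
    return dict(services)


def ordered_targets(records):
    """Hosts for one service: lowest priority first; within a priority the
    higher weight first (RFC 2052 picks among equal priorities in proportion
    to weight; this deterministic ordering is a simplification)."""
    return [t for _, _, _, t in sorted(records, key=lambda r: (r[0], -r[1]))]
```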
Upgrading Windows NT 4.0
Start with Windows NT 4.0 domains
Implement Mixed mode domains
Migrate over time to Native mode domains
Summary
Active Directory Terms
Plan Your Domains
 OUs, Group Policy
 Sites, Global Catalog, DNS
Plan The Upgrade
Review the Plan