OVERVIEW OF ACTIVE DIRECTORY PowerPoint PPT Presentation



Presentation Transcript


Chapter 1

OVERVIEW OF ACTIVE DIRECTORY


Chapter 1: OVERVIEW OF ACTIVE DIRECTORY

ACTIVE DIRECTORY FUNCTIONS

  • Directory Services

    • Used to define, manage, access, and secure network resources.

    • Resources include: files, printers, groups, people, and applications.

  • Active Directory

    • Stored as NTDS.dit on a domain controller.

    • Used by domain controllers to authenticate users.

    • Domain controllers store, maintain, and replicate the directory database.


ACTIVE DIRECTORY BENEFITS

  • Centralized administration

  • Single point of access

  • Fault tolerance and redundancy

  • Multiple domain controllers are used

  • Multi-master replication

  • Simplified resource location


CENTRALIZED ADMINISTRATION

  • Hierarchical organization for ease of administration

  • Common Microsoft Management Console (MMC) tool set

    • Active Directory Users And Computers (DSA.MSC)

    • Active Directory Domains And Trusts (DOMAIN.MSC)

    • Active Directory Sites And Services (DSSITE.MSC)


SINGLE POINT OF AUTHENTICATION

[Figure: before directory services, a user authenticates separately to Server1, Server2 and Server3; after directory services, a single sign-on to Active Directory.]


MULTI-MASTER REPLICATION


SIMPLIFIED RESOURCE LOCATION

  • Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.

  • Search Active Directory to find:

    • Shared folders

    • Printers

    • People (user accounts)


ACTIVE DIRECTORY SCHEMA

  • Object classes

    • User accounts

    • Computer accounts

    • Printers

    • Groups

  • Object Attributes

    • Name

    • Globally unique identifier (GUID)

    • Location (for printer)

    • E-mail address (for users)


ACTIVE DIRECTORY COMPONENTS


ORGANIZATIONAL UNITS

  • Container objects

  • Look like a folder with a book icon in Active Directory Users And Computers

  • Security is applied to OUs

    • Inherited by child OUs

    • Used to control access to that OU or hide subordinate OUs

    • Allows for the delegation of administrative rights


DOMAINS

  • Logical grouping of resources.

  • Form security and replication boundaries.

    • Individual access control lists (ACLs) for each domain.

    • Group Policies are typically assigned and inherited within a domain only, not from the forest.

    • Domain replication is independent of global catalog and schema replication.

  • Multiple domains may be used by a single organization.


DOMAINS, TREES, AND A FOREST

[Figure: a forest whose forest root (and tree root) is the parent domain contoso.com, with child domains west.contoso.com and east.contoso.com beneath it, plus a second domain tree rooted at tailspintoys.com; organizational units (ou) are shown inside the domains.]


SITES

  • Used to reflect the physical network structure

  • Usually local area network (LAN) versus wide area network (WAN)

  • Optimize replication

  • Knowledge Consistency Checker (KCC) creates and maintains this structure


NAMING STANDARDS

  • Lightweight Directory Access Protocol (LDAP)

    • Standard naming structure and hierarchy

    • Established by the Internet Engineering Task Force (IETF)

  • Domain Name System (DNS)

  • Uniform Resource Locator (URL)


LDAP NAMES

  • Cn=jsmith,ou=sales,dc=cohowinery,dc=com

  • [email protected]
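The two name forms above are easy to mishandle in tooling: a distinguished name cannot be split on commas because RFC 4514 lets a comma appear inside a value when it is escaped, and a user principal name must have exactly one "@". The following is an added example, not code from the presentation; the distinguished name cn=jsmith,ou=sales,dc=cohowinery,dc=com is the slide's, while the escaped "Smith, John" value and the UPN jsmith@cohowinery.com are constructed to match it.

```python
"""Parse and rebuild the LDAP name forms shown on the slide (added example)."""
from __future__ import annotations

from dataclasses import dataclass

_HEX = "0123456789abcdefABCDEF"
_SPECIAL = ',+"\\<>;'  # characters RFC 4514 requires to be escaped inside a value


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, most specific RDN first.

    Backslash escapes ("\\," and the hex form "\\2c") are decoded, so a comma
    inside a CN does not start a new RDN. Attribute types are case-insensitive
    in LDAP and are lower-cased here; values are kept as written.
    Multi-valued RDNs joined with '+' are not handled.
    """
    rdns: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL + "=# ":
                (value if in_value else attr).append(nxt)
                i += 2
                continue
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                (value if in_value else attr).append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
                continue
        if not in_value and c == "=":
            in_value = True
        elif in_value and c == ",":          # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip().lower(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(c)
        i += 1
    if attr:
        rdns.append(("".join(attr).strip().lower(), "".join(value)))
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape a value for use in a DN string (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):               # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):                   # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns: list[tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> str:
    """The container holding the object: drop the first RDN and rebuild."""
    return build_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """The DNS domain a DN belongs to: its dc= components joined with dots."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


@dataclass(frozen=True)
class Upn:
    user: str
    suffix: str


def parse_upn(upn: str) -> Upn:
    """Split a user principal name (user@dns-suffix); reject malformed input."""
    user, sep, suffix = upn.partition("@")
    if not sep or not user or not suffix or "@" in suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return Upn(user, suffix.lower())


if __name__ == "__main__":
    dn = "Cn=jsmith,ou=sales,dc=cohowinery,dc=com"
    print(parse_dn(dn), parent_dn(dn), domain_dns_name(dn))
    print(parse_dn("cn=Smith\\, John,ou=sales,dc=cohowinery,dc=com")[0])
    print(parse_upn("jsmith@cohowinery.com"))
```

The round trip parse_dn then build_dn is the check worth keeping in any script that rewrites DNs: if it does not reproduce the original string, the escaping was lost somewhere and a later LDAP query will target the wrong object.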


PLANNING FOR ACTIVE DIRECTORY

  • Logical and physical structure

  • DNS and Active Directory integration and naming

  • Functional levels of domains and forests

  • Trust relationships and models


STRUCTURING ACTIVE DIRECTORY

  • Security and administrative goals are important when defining the logical structure.

    • Group Policy application and inheritance

    • Delegating administrative control

    • Permission inheritance

  • Logical structure often reflects the business or administrative model.

  • Sites are used to reflect the physical structure of the network.


ROLE OF DNS

  • Resolves friendly names to Internet Protocol (IP) addresses.

  • Required by Active Directory.

  • Domain members use service locator (SRV) records to find domain controllers.

  • Dynamic DNS (DDNS) is supported and recommended.
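Domain members find a domain controller by querying the SRV record set under _msdcs and then choosing a target by priority and weight as RFC 2782 describes. The code below, an added example rather than anything from the presentation, parses a constructed RRset for cohowinery.com, reproduces the client's ordering, and compares the advertised targets against an approved DC inventory; the zone lines, host names and the approved list are all constructed sample data.

```python
"""Locate domain controllers from DNS SRV records the way domain members do
(added example; the RRset below is constructed sample data)."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample RRset in zone-file syntax; _ldap._tcp.dc._msdcs.<domain>
# is the record name Windows clients query to find a domain controller.
SAMPLE_ZONE = """\
; DC locator records for cohowinery.com (constructed)
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 100 389 dc1.cohowinery.com.
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 100 389 dc2.cohowinery.com.
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 10 0 389 dc-old.cohowinery.com.
"""


def parse_srv_rrset(zone_text: str) -> list[SrvRecord]:
    """Parse 'owner TTL IN SRV priority weight port target' lines; skip comments."""
    records: list[SrvRecord] = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        prio, weight, port = (int(x) for x in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".").lower()))
    return records


def order_targets(records: list[SrvRecord], seed: int = 0) -> list[SrvRecord]:
    """RFC 2782 client ordering: ascending priority, weighted random within a priority.

    The seed makes the weighted choice reproducible for tests.
    """
    rng = random.Random(seed)
    ordered: list[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # 0 when every weight is 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def stale_targets(records: list[SrvRecord], approved: set[str]) -> list[str]:
    """Targets advertised in DNS that are not on the approved DC inventory.

    With dynamic DNS, a decommissioned host can leave its locator records
    behind and any host able to update the zone can register new ones;
    comparing the RRset to the inventory surfaces both cases.
    """
    return sorted({r.target for r in records} - {a.lower() for a in approved})


if __name__ == "__main__":
    recs = parse_srv_rrset(SAMPLE_ZONE)
    for r in order_targets(recs, seed=7):
        print(r.priority, r.weight, r.target)
    print("not in inventory:", stale_targets(recs, {"dc1.cohowinery.com", "dc2.cohowinery.com"}))
```

In the sample the two priority-0 records are tried first in a weighted random order and dc-old (priority 10) only as a fallback, which is why a forgotten record for a retired DC goes unnoticed until the preferred DCs are unavailable.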


FUNCTIONAL LEVELS

  • Designed to support downlevel compatibility

  • Increasing functional level allows for use of new features

  • Two types of functional level

    • Domain functional level

    • Forest functional level


DOMAIN FUNCTIONAL LEVELS

  • Windows 2000 mixed

  • Windows 2000 native

  • Windows Server 2003 interim

  • Windows Server 2003


WINDOWS 2000 MIXED FUNCTIONAL LEVEL

  • Domain controllers can run on the following operating systems:

    • Windows NT Server 4.0

    • Windows 2000 Server

    • Windows Server 2003

  • Features at this functional level include:

    • Install from media

    • Application directory partitions

    • Enhanced user interface (UI)


WINDOWS 2000 NATIVE FUNCTIONAL LEVEL

  • Domain controllers can run on the following operating systems:

    • Windows 2000 Server

    • Windows Server 2003

  • Features at this functional level include:

    • Group nesting

    • Universal groups

    • Security Identifier History (sIDHistory)


WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL

  • Designed for organizations that have not upgraded to Windows 2000 Active Directory.

  • Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.

  • Windows 2000 Server domain controllers are NOT allowed.

  • No extra features over any other functional level.


WINDOWS SERVER 2003 FUNCTIONAL LEVEL

  • Only Windows Server 2003 domain controllers

  • Features at this functional level include:

    • Replicated last logon timestamp

    • Key Distribution Center (KDC) version numbers

    • User password on inetOrgPerson objects

    • Domain renaming


RAISING THE DOMAIN FUNCTIONAL LEVEL

  • Must be logged on as a member of the Domain Admins group.

  • Performed using the Primary Domain Controller (PDC) emulator.

  • All domain controllers must support the new level.

  • Irreversible.


FOREST FUNCTIONAL LEVELS

  • Windows 2000

  • Windows Server 2003 interim

  • Windows Server 2003


WINDOWS 2000 FOREST FUNCTIONAL LEVEL

  • All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.

  • Features supported at this functional level include:

    • Install from media

    • Universal group caching

    • Application directory partitions


WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL

  • Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.

  • Windows 2000 Server domain controllers are NOT allowed.

  • Features at this level include:

    • Improved inter-site topology generator (ISTG)

    • Improved linked value replication


WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL

  • Only Windows Server 2003 domain controllers are supported.

  • Features at this level include:

    • Dynamic auxiliary class objects

    • User objects can be converted to inetOrgPerson objects

    • Schema redefinitions permitted

    • Domain renames permitted

    • Cross-forest trusts permitted


RAISING THE FOREST FUNCTIONAL LEVEL

  • Must be logged on as a member of the Enterprise Administrators group.

  • Must be connected to the Schema Operations Master.

  • All domain controllers must support the new functional level.

  • Irreversible.


ACTIVE DIRECTORY TRUST MODELS

[Figure: a forest made up of a Forest Root Domain and Child Domains A, B, C and D joined by transitive trusts.]

  • Transitivity: If A trusts B and B trusts C, then A trusts C


SHORTCUT TRUST

[Figure: the same forest (Forest Root Domain, Child Domains A to D) with a Shortcut Trust drawn directly between two of the child domains.]


WINDOWS NT SERVER 4.0 TRUST MODEL

[Figure: four separate domains, Domain A, Domain B, Domain C and Domain D, connected by individual Windows NT 4.0 trusts.]
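The three slides above describe trust as a graph problem: intra-forest trusts are two-way and transitive, so A trusts C whenever A trusts B and B trusts C; a shortcut trust adds a direct edge so that authentication between two child domains no longer has to climb through the root; and a Windows NT Server 4.0 trust is one-way and non-transitive, so it never extends past the two domains that set it up. The following added example, which is not part of the presentation, models this and answers the question an administrator auditing trusts asks first: whose accounts will a given domain accept? The forest layout follows the earlier contoso.com / tailspintoys.com diagram; the shortcut trust between west and east and the legacy.example NT 4.0-style trust are constructed assumptions.

```python
"""Which domains' accounts does a given domain accept, given its trusts?
(added example; forest layout from the presentation's diagram, the shortcut
and the legacy.example external trust are constructed assumptions)"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str            # domain that accepts the other domain's accounts
    trusted: str             # domain whose accounts are accepted
    transitive: bool = True  # intra-forest Kerberos trusts are transitive
    two_way: bool = True


# Intra-forest trusts: two-way and transitive.
FOREST = [
    Trust("contoso.com", "west.contoso.com"),   # parent-child
    Trust("contoso.com", "east.contoso.com"),   # parent-child
    Trust("contoso.com", "tailspintoys.com"),   # tree-root trust
]
# Shortcut trust between two child domains (constructed).
SHORTCUT = [Trust("west.contoso.com", "east.contoso.com")]
# Windows NT 4.0-style external trust: one-way and non-transitive (constructed).
EXTERNAL = [Trust("west.contoso.com", "legacy.example", transitive=False, two_way=False)]


def _edges(trusts: list[Trust]) -> dict[str, list[tuple[str, bool]]]:
    """Adjacency list: trusting domain -> [(trusted domain, transitive)]."""
    adj: dict[str, list[tuple[str, bool]]] = defaultdict(list)
    for t in trusts:
        adj[t.trusting].append((t.trusted, t.transitive))
        if t.two_way:
            adj[t.trusted].append((t.trusting, t.transitive))
    return adj


def trusted_domains(trusts: list[Trust], domain: str) -> list[str]:
    """Every domain whose accounts `domain` accepts.

    Transitive trusts chain (A trusts B, B trusts C => A trusts C); a
    non-transitive trust counts only as a direct hop from `domain` itself.
    """
    adj = _edges(trusts)
    accepted: set[str] = set()
    expanded = {domain}
    frontier = [domain]
    while frontier:
        cur = frontier.pop()
        for nxt, transitive in adj[cur]:
            if nxt == domain:
                continue
            if transitive:
                accepted.add(nxt)
                if nxt not in expanded:      # keep following transitive edges
                    expanded.add(nxt)
                    frontier.append(nxt)
            elif cur == domain:              # non-transitive: one hop, no further
                accepted.add(nxt)
    return sorted(accepted)


def trusts_domain(trusts: list[Trust], a: str, b: str) -> bool:
    """True when domain `a` accepts accounts from domain `b`."""
    return b in trusted_domains(trusts, a)


def trust_path_hops(trusts: list[Trust], a: str, b: str) -> int | None:
    """Number of trusts crossed for `a` to accept accounts from `b`, or None."""
    adj = _edges(trusts)
    if any(n == b for n, _ in adj[a]):       # direct trust, transitive or not
        return 1
    dist, queue = {a: 0}, deque([a])
    while queue:
        cur = queue.popleft()
        for nxt, transitive in adj[cur]:
            if not transitive or nxt in dist:
                continue
            dist[nxt] = dist[cur] + 1
            if nxt == b:
                return dist[nxt]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for d in ("contoso.com", "west.contoso.com", "east.contoso.com", "legacy.example"):
        print(d, "accepts accounts from:", trusted_domains(FOREST + EXTERNAL, d))
    print("west -> east hops:", trust_path_hops(FOREST, "west.contoso.com", "east.contoso.com"),
          "with shortcut:", trust_path_hops(FOREST + SHORTCUT, "west.contoso.com", "east.contoso.com"))
```

Run against a real trust inventory, trusted_domains shows the effective reach of each external trust: the non-transitive legacy.example trust gives that domain's accounts access to west.contoso.com only, and nothing else in the forest, which is exactly the scoping NT 4.0 trusts were relied on for.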


CROSS-FOREST TRUST

  • New in Windows Server 2003

  • Trusts between two forests

  • Requires Windows Server 2003 forest functional level

  • Uses Kerberos, as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships


SUMMARY

  • Active Directory is a database (NTDS.dit).

  • DNS is required by Active Directory.

  • Schema defines object types and attributes.

  • Domain and forest functional levels provide a balance between backward compatibility and new functionality.

  • Active Directory allows for two-way transitive (Kerberos) trusts.

  • Trusts allow domain hierarchies to be created.

  • Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.

