Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
• FREE bi-weekly technical newsletter
• FREE regular technical events hosted across the UK
• FREE weekly UK & US led technical webcasts
• FREE comprehensive technical web site
• Monthly CD / DVD subscription with the latest technical tools & resources
• FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break.
Understanding the Active Directory Platform in the Real World
John Howard, Mark Cribben, Mike Brannigan
Microsoft UK
Today’s Sessions
• Architectural Overview
• Recommended design practices
• In-place upgrades
• Lunch: The Business case for Active Directory
• Directory migration
• Extending the value of the directory
• Managing and Securing Active Directory
Introduction to Directories
• What is a directory?
  • At a basic level, a structured way of organising useful information. The classic example is a telephone directory.
• What a directory is not
  • It is not a database. Although the two share common features, their emphasis is different.
• Types of directory
  • NOS-based directories
  • Application directories
  • General-purpose directories
Common uses for directories
• NOS
  • Core directory service for network management and administration
  • Authentication of network users
  • Examples include Active Directory and eDirectory
• Application
  • Specific applications that store configuration information without the need for a database
  • Examples include firewalls and HR applications
• General purpose
  • Internal white pages
  • A driver for provisioning
  • Simple applications for which a directory is better suited than a database
Introduction to LDAP
• Firstly, it is a protocol defined through RFCs
• Secondly, it is a set of four models:
  • An information model that describes what you can put in the directory
  • A naming model that describes how data is arranged within the directory
  • A functional model that describes what you can do with the data
  • A security model that defines how the data in the directory is protected from unauthorised access
LDAP Protocol - 1
• A message-oriented protocol
• The LDAP protocol consists of 9 basic operations divided into 3 categories:
  • Interrogation operations: search, compare
  • Update operations: add, delete, modify, modify DN (rename)
  • Authentication and control: bind, unbind, abandon
LDAP Protocol - 2
• A typical LDAP exchange:
  1. Open connection and bind
  2. Result of bind operation
  3. Search operation
  4. Entries returned
  5. Result of search operation
  6. Unbind operation
  7. Close connection
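The two slides above describe LDAP as a message-oriented protocol with nine operations in three groups, and show the bind / search / unbind exchange. The example below is an added illustration, not code from the slides: a minimal BER encoder and decoder for LDAPMessage using the protocol-op tags from RFC 4511, which builds the seven-step exchange as real wire bytes and then classifies each message back into the slide's three categories, the way a monitoring tool that parses LDAP traffic would. The DNs, attribute values and password are constructed sample data.

```python
"""Minimal BER encoder/decoder for LDAP v3 messages (RFC 4511 tags).
Added illustration; DNs and password below are constructed sample values."""

# protocolOp tag -> (operation, category as grouped on the slide)
OPS = {
    0x60: ("bindRequest", "authentication and control"),
    0x61: ("bindResponse", "authentication and control"),
    0x42: ("unbindRequest", "authentication and control"),
    0x50: ("abandonRequest", "authentication and control"),
    0x63: ("searchRequest", "interrogation"),
    0x64: ("searchResEntry", "interrogation"),
    0x65: ("searchResDone", "interrogation"),
    0x6E: ("compareRequest", "interrogation"),
    0x66: ("modifyRequest", "update"),
    0x68: ("addRequest", "update"),
    0x4A: ("delRequest", "update"),
    0x6C: ("modDNRequest", "update"),
}


def ber_len(n):
    """BER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value, tag=0x02):
    """Non-negative INTEGER (or ENUMERATED with tag 0x0A), minimal encoding."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_str(s, tag=0x04):
    return tlv(tag, s.encode())


def ldap_message(msg_id, protocol_op):
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def bind_request(msg_id, dn, password):
    # BindRequest: version 3, name, simple authentication ([0] primitive = 0x80)
    op = ber_int(3) + ber_str(dn) + ber_str(password, 0x80)
    return ldap_message(msg_id, tlv(0x60, op))


def ldap_result(tag, code=0):
    # LDAPResult: resultCode ENUMERATED, matchedDN, diagnosticMessage
    return tlv(tag, ber_int(code, 0x0A) + ber_str("") + ber_str(""))


def search_request(msg_id, base, attrs):
    # scope 2 = wholeSubtree, derefAliases 0, no size/time limit, typesOnly FALSE,
    # filter = present [7] "objectClass", i.e. (objectClass=*)
    op = (ber_str(base) + ber_int(2, 0x0A) + ber_int(0, 0x0A) + ber_int(0) + ber_int(0)
          + tlv(0x01, b"\x00") + ber_str("objectClass", 0x87)
          + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, op))


def search_entry(msg_id, dn, attributes):
    # SearchResultEntry: objectName + PartialAttributeList (type, SET OF values)
    partial = b"".join(tlv(0x30, ber_str(k) + tlv(0x31, ber_str(v)))
                       for k, v in attributes.items())
    return ldap_message(msg_id, tlv(0x64, ber_str(dn) + tlv(0x30, partial)))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_message(buf):
    """Classify one LDAPMessage as (messageID, operation, category)."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, id_body, pos = read_tlv(body)
    op_tag, _, _ = read_tlv(body, pos)
    name, category = OPS.get(op_tag, ("unknown 0x%02x" % op_tag, "unknown"))
    return int.from_bytes(id_body, "big"), name, category


def typical_exchange():
    """The slide's seven steps as wire messages; step 7 (closing the TCP
    connection) carries no LDAP message."""
    return [
        bind_request(1, "cn=reader,dc=example,dc=com", "sample-secret"),  # 1
        ldap_message(1, ldap_result(0x61)),                                # 2
        search_request(2, "dc=example,dc=com", ["cn", "mail"]),            # 3
        search_entry(2, "cn=alice,dc=example,dc=com", {"cn": "alice"}),    # 4
        search_entry(2, "cn=bob,dc=example,dc=com", {"cn": "bob"}),        # 4
        ldap_message(2, ldap_result(0x65)),                                # 5
        ldap_message(3, tlv(0x42, b"")),                                   # 6
    ]


def summarise(messages):
    return [decode_message(m) for m in messages]


if __name__ == "__main__":
    for msg_id, op, category in summarise(typical_exchange()):
        print(msg_id, op, category)
```

Note that the simple bind carries the password as a plain OCTET STRING, which is why a simple bind over an unprotected port 389 connection exposes credentials on the wire; the same parser that labels the operation can flag a 0x80 authentication choice on a non-TLS session.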
LDAP compliance
• A common request these days, but what does it mean?
• As with all things, it depends on a number of factors. Principally, though, the question is "do you conform to the LDAP standards as defined in the RFCs?"
• Open Group / DIF test certifications: LDAP Ready and LDAP Certified
• Dependent on the standards. Compliant does not mean you implement every possible RFC for a technology, rather that you meet the required standards.
Providers of directories
• There are a number of commercial LDAP directory products available today, including:
  • Microsoft Active Directory and ADAM
  • Computer Associates eTrust Directory 8
  • IBM Tivoli Directory Server 5.x
  • Nexor Directory 5.1
  • Novell eDirectory 8.7.x
  • Oracle Internet Directory 10g
  • Sun Microsystems Sun ONE Directory Server 5.2
• Plus there are non-commercial products:
  • OpenLDAP
Typical company scenario
• Network
  • Probably a directory of some description providing authentication services and network management for all users in the company
• HR
  • A significant number of companies have an HR system that is separate from the network directory
• Firewall
  • Several firewall products use authentication to determine internet access permissions. These permissions are stored in a directory
• Applications
  • Commercial applications may be deployed that provide a specific function in the company and ship with their own directory
  • In-house applications such as a provisioning application, a white pages or a "global directory"
• Without realising it, most organisations are now awash with directories
The directory challenges! (1)
• Management
  • How accurate is the data? Who is responsible for inputting the data? How current is the data? How available is the directory?
• Information consistency
  • Identities that are shared between multiple directories can become inconsistent. Representation of common data.
• Interoperability
  • How accessible is the data?
• Synchronisation
  • Do we have the right information? Where is the authoritative data stored? Synchronisation rules? Synchronisation logic?
The directory challenges! (2)
• Ownership
  • Who owns the data? Are they happy to share it?
• Security
  • How do we secure the data in the directory? Is access control important for the data stored?
• Extending the directory
  • How do we extend the directory? Do schema extensions clash? Are the extensions universally important?
• Use
  • How do we use the directory effectively? Are we doing all that we can with the directories we have?
What is Active Directory?
• Microsoft’s core directory service offering
• Enterprise-capable NOS directory service providing network authentication, authorisation, location and application services
• Available since 2000 as part of Windows 2000 Server
• Supports the LDAP v2 and v3 industry standards
• Ships free as part of the Windows Server operating system
AD concepts – 1 (Logical)
• Boundaries
  • Security
  • Administrative
• Forest
  • A forest is the security boundary for a single Active Directory deployment
  • Shared schema and configuration
  • A single, logical entity
  • Comprised of one or more domain trees
• Domain
  • A domain is an administrative boundary within an AD forest
  • Boundary for password / security policy
  • Partition / control replication of AD data
AD concepts – 2 (Logical)
• Tree
  • AD domains are logically organised in trees
  • A contiguous DNS-based namespace, e.g. ad.microsoft.com is the forest root domain. It has two child domains that form a single domain tree within the forest: eu.ad.microsoft.com and na.ad.microsoft.com
[Diagram: ad.microsoft.com with child domains eu.ad.microsoft.com and na.ad.microsoft.com]
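To make the "contiguous DNS-based namespace" rule concrete, the following is an added example (not code from the slides) that groups a forest's domains into domain trees from their DNS names alone, derives each domain's naming-context DN, and rejects a name that sits inside an existing tree's namespace without an immediate parent in the forest. The forest is the slide's ad.microsoft.com example plus a constructed second tree, contoso.example.

```python
"""Domain tree grouping by contiguous DNS namespace; added illustration.
The forest below is the slide's example plus a constructed second tree."""


def dns_to_dn(dns_name):
    """eu.ad.microsoft.com -> DC=eu,DC=ad,DC=microsoft,DC=com (the domain NC)."""
    labels = dns_name.lower().strip(".").split(".")
    return ",".join("DC=" + label for label in labels)


def dn_to_dns(dn):
    """Inverse of dns_to_dn; refuses DNs that are not pure DC= components."""
    parts = [p.split("=", 1) for p in dn.split(",")]
    if any(k.strip().upper() != "DC" for k, _ in parts):
        raise ValueError("not a domain DN: " + dn)
    return ".".join(v.strip().lower() for _, v in parts)


def parent_name(dns_name):
    """eu.ad.microsoft.com -> ad.microsoft.com; a single label has no parent."""
    return dns_name.split(".", 1)[1] if "." in dns_name else ""


def domain_trees(domains):
    """Return {tree root: [domains in that tree]}. A domain whose immediate DNS
    parent is in the forest belongs to that parent's tree; otherwise it starts
    a tree, which must not lie inside another forest domain's namespace."""
    names = sorted({d.lower().strip(".") for d in domains})
    trees = {}
    for name in names:
        root = name
        while parent_name(root) in names:
            root = parent_name(root)
        if any(root.endswith("." + other) for other in names):
            raise ValueError("non-contiguous namespace: %s has no parent domain in the forest" % name)
        trees.setdefault(root, []).append(name)
    return trees


def child_domains(domains, parent):
    names = {d.lower().strip(".") for d in domains}
    return sorted(d for d in names if parent_name(d) == parent.lower())


# Constructed forest: the slide's tree plus a second, separate tree
FOREST = ["ad.microsoft.com", "eu.ad.microsoft.com", "na.ad.microsoft.com", "contoso.example"]

if __name__ == "__main__":
    for root, members in domain_trees(FOREST).items():
        print(root, "->", members)
    print(dns_to_dn("eu.ad.microsoft.com"))
```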
AD concepts – 3 (Logical)
• Organisational Units (OUs)
  • A way of further partitioning data within a domain for the purposes of delegating administration or applying Group Policy
  • Hierarchical within the domain
  • Can be easily moved or renamed
AD concepts – 4 (Logical)
• Schema
  • The definition of the objects that can be created within a forest, e.g. users, computers, printers
  • The boundaries of the individual attributes
  • Default permissions on attributes
  • Unique OIDs are essential
  • Once defined, cannot be removed from AD
  • Objects and attributes can be deactivated in Windows Server 2003
AD concepts – 5 (Logical)
• Trusts define the relationship between different logical components of an AD installation
  • Within a forest, all domains are trusted
  • External trusts
  • Forest trusts
  • Kerberos trusts
AD concepts – 6 (Physical)
• Sites
  • A logical representation of the physical nature of your underlying network infrastructure
  • Used for controlling the authentication process, replication and access to "local" resources
  • Requires defining IP subnets
• Domain Controllers (DCs)
  • Servers that physically host the directory
  • Replicate directory information
  • Authoritative for their domain NC
  • Writable (operations such as creating new objects or updating existing objects)
• Global Catalog (GC)
  • A DC that holds read-only copies of other domain NCs within the forest as well as the writable copy of the domain NC for which it is authoritative
  • An easy and well-known way to search the forest for information
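The slide says sites "require defining IP subnets". The example below is an added illustration, not code from the slides, of the rule a client is matched to a site by: the most specific defined subnet containing its address wins. It also audits a list of client addresses for ones that fall in no defined subnet, which is the configuration gap that leaves clients without a site and lets them authenticate against a distant DC. The site names and subnets are constructed sample data (Default-First-Site-Name is the name AD gives the initial site; mapping it to 10.0.0.0/8 here is an assumption).

```python
"""Subnet-to-site lookup with longest-prefix match; added illustration with
constructed site and subnet definitions."""
import ipaddress

# Constructed subnet objects an administrator might define under Sites and Services
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.0.0/16": "London",
    "10.1.5.0/24": "London-DC-Room",
    "10.2.0.0/16": "Manchester",
    "192.168.50.0/24": "Edinburgh",
}


def build_subnet_table(subnets):
    """Parse CIDR strings and order them longest prefix first, so that the
    first containing network is the most specific one."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in subnets.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def locate_site(ip, table):
    """Site for an address, or None when no defined subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None


def audit_clients(client_ips, subnets):
    """Return ({ip: site}, [ips covered by no subnet]). Uncovered clients
    cannot be associated with a site and may use a DC in the wrong location."""
    table = build_subnet_table(subnets)
    located, uncovered = {}, []
    for ip in client_ips:
        site = locate_site(ip, table)
        if site is None:
            uncovered.append(ip)
        else:
            located[ip] = site
    return located, uncovered


if __name__ == "__main__":
    # Constructed client addresses, e.g. taken from a DC's authentication logs
    sample_clients = ["10.1.5.20", "10.1.9.1", "10.2.3.4", "172.16.0.1", "192.168.50.7"]
    located, uncovered = audit_clients(sample_clients, SUBNETS)
    for ip, site in located.items():
        print(ip, "->", site)
    print("no site:", uncovered)
```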
AD and DNS
• DNS is a name resolution service and is separate from AD
• Used to provide the namespace rules for AD
• Used to locate AD and AD resources
• DNS information can be stored in AD
  • Can improve the security of DNS information
  • Improves replication / transfer of zone data
How AD distributes data
• Domain Controllers
  • DCs are distributed around the organisation to facilitate local operations
• Replication
  • The mechanism for ensuring all DCs contain up-to-date information
  • Multimaster, loose consistency with convergence
  • Intra-site replication for DCs in the same site
  • Inter-site replication between sites
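"Multimaster, loose consistency with convergence" means two DCs can both accept a write to the same attribute before either change has replicated, and the replicas must still end up identical. The example below is an added, deliberately simplified model (not code from the slides, and not AD's actual replication engine: no USNs, no high-watermarks, whole attributes pushed each cycle) of attribute-level conflict resolution: each attribute carries a stamp of (version, originating timestamp, originating DC) and the highest stamp wins. The DC names and attribute values are constructed.

```python
"""Simplified multimaster replication model with stamp-based conflict
resolution; added illustration with constructed DCs and values."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    # Compared field by field: higher version wins, then later originating
    # timestamp, then originating DC as the final tie-break
    version: int
    timestamp: int
    originating_dc: str   # stands in for the originating DSA's invocation ID


class DomainController:
    def __init__(self, name):
        self.name = name
        self.attrs = {}   # (dn, attribute) -> (value, Stamp)

    def originating_write(self, dn, attr, value, now):
        """A local write bumps the version of whatever stamp is held."""
        prev = self.attrs.get((dn, attr))
        version = prev[1].version + 1 if prev else 1
        self.attrs[(dn, attr)] = (value, Stamp(version, now, self.name))

    def apply_replicated(self, dn, attr, value, stamp):
        """Accept an inbound change only if its stamp beats the local one."""
        prev = self.attrs.get((dn, attr))
        if prev is None or stamp > prev[1]:
            self.attrs[(dn, attr)] = (value, stamp)
            return True
        return False


def replicate(source, dest):
    """Push all of source's attributes to dest; returns how many were applied."""
    return sum(dest.apply_replicated(dn, attr, value, stamp)
               for (dn, attr), (value, stamp) in list(source.attrs.items()))


def run_until_converged(links, max_cycles=10):
    """Replicate over the connection links until a full cycle applies nothing."""
    for cycle in range(1, max_cycles + 1):
        if sum(replicate(src, dst) for src, dst in links) == 0:
            return cycle
    raise RuntimeError("replication did not converge")


def converged(dcs):
    return all(dc.attrs == dcs[0].attrs for dc in dcs[1:])


def simulate_conflict():
    """Two DCs update the same attribute before either change replicates;
    after replication every DC holds the same winning value."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dn, attr = "CN=alice,OU=Sales,DC=example,DC=com", "telephoneNumber"
    dc1.originating_write(dn, attr, "1000", now=100)
    for dc in (dc2, dc3):
        replicate(dc1, dc)          # initial value on every replica
    # concurrent originating writes: both become version 2, so the later
    # originating timestamp decides
    dc1.originating_write(dn, attr, "2001", now=200)
    dc2.originating_write(dn, attr, "2002", now=205)
    links = [(dc1, dc2), (dc2, dc3), (dc3, dc1)]   # ring topology
    cycles = run_until_converged(links)
    value, stamp = dc1.attrs[(dn, attr)]
    return {"converged": converged([dc1, dc2, dc3]), "value": value,
            "winner": stamp.originating_dc, "cycles": cycles}


if __name__ == "__main__":
    print(simulate_conflict())
```

The point for operations and security staff is that the losing write is silently discarded once replication catches up; an attribute that "reverts" shortly after an administrator sets it is the signature of exactly this kind of concurrent update on another DC.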
Roles for AD
• NOS
  • Primary role for managing the network, users and machines
• Authentication
  • Provides the authentication service for the network
  • The default in Active Directory is Kerberos
  • Can also be utilised as an authentication service for other applications
• Application
  • AD can be extended to support applications
  • A number of MS applications utilise AD (Exchange, SMS, ISA to name a few)
Scalability
• AD as a NOS directory has the capacity to handle any organisation
  • Tested with millions of objects
  • Technically could support 1 billion objects!
  • Currently supporting many of the largest companies in the world
• There are some technical limitations for some objects
  • Number of DCs in a domain
  • Number of DNS name servers
  • Number of groups a user can belong to
  • Number of users in a group*
The Microsoft directory strategy
[Diagram: Directory Architecture / Directory Technologies, with the labels Authentication, Authorisation, Federation, Synchronisation, Provisioning, Security and Management alongside Active Directory, ADAM, ADFS, MIIS, IIFP and GPMC]
Getting to a Single Directory
• Very difficult in the enterprise
  • Existing application requirements
  • Scope of application (local vs. global)
  • Schema requirements
  • Control of application/identity information
• How to deal with multiple account stores
  • Infrastructure Directory – Global
  • Application Directories – Local to Application
  • Meta-Directory – Integration/Business Process
Where We Are Today
• Directories deployed per-app; little re-use
• Provisioning, sync are ad-hoc
[Diagram: per-application directories (eDirectory, iPlanet, Active Directory, a database for the HR/ERP app) connected to their applications (portal application, generic LDAP-based app, whitepages, Outlook/Exchange via MAPI, policy & SSO for Windows) by LDAP, ad-hoc sync and generic dumps; centralized management marked as non-existent]
The Solution
[Diagram: Active Directory as the infrastructure directory, accessed by DS-enabled apps; MIIS 2003 as integration services providing centralized identity management, with sync to the HR/ERP app database, ADAM, app directories and 3rd-party directories]