Chapter 2: WORKING WITH ACTIVE DIRECTORY

CHAPTER OVERVIEW
EXCHANGE SERVER AND ACTIVE DIRECTORY
• Exchange Server 2007 is tightly integrated with the Active Directory service.
• The configuration of Active Directory often affects the deployment and configuration of Exchange Server 2007.

DIRECTORY SERVICES
• A directory service is a network service that identifies all resources on a network and makes those resources accessible to users and applications.
• X.500 uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive.

DIRECTORY SERVICES
• Lightweight Directory Access Protocol (LDAP)
  • A simpler directory service than X.500
  • Sometimes referred to as X.500-lite
  • The protocol used to search the Microsoft Active Directory database

WHAT IS ACTIVE DIRECTORY (AD)?
• A Windows directory service that stores and retrieves information about users and network resources.
• Used by programs and services to:
  • Validate the identity of users (a process called authentication)
  • Restrict resource access for users (a process called authorization)
• Directory services are designed for network environments where there are more than 10 computers and users require secure access to network resources.

WHAT IS ACTIVE DIRECTORY (AD)?
• The Active Directory service is located on a domain controller (DC).
• UNIX, Linux, Macintosh, Windows 2000, and later clients use the Kerberos ticket-based authentication protocol to log in to a DC and obtain a token.
• These tokens are often called tickets.
• For fault tolerance and load balancing, you should install additional DCs in each domain.

DNS AND ACTIVE DIRECTORY
• To locate DCs, client computers must query their DNS server for service (SRV) records to identify the computers on the network that offer AD services.
• To support AD, your DNS server must support the Berkeley Internet Name Domain (BIND) version 4.9.6 standard, which adds SRV record support.
• To also allow the automatic creation and updating of SRV records using the DNS dynamic update protocol, your DNS server should support BIND version 8.1.2. Windows Server 2003 DNS supports the BIND version 8.1.2 standard.

SINGLE SIGN-ON
• Because remote computers use your token to verify your identity, you are not prompted to log on to other domain computers.
• You only need to log on once to a DC to access all the resources that you have permission to within the domain.

ACCESS CONTROL LISTS (ACLs)
• Each domain network resource has an Access Control List (ACL).
• The ACL lists the permissions that specific AD users have when accessing the resource.
• When you access a shared network resource, the server with the shared resource uses your token to verify your identity and enforce the permissions listed for you in the ACL.
• AD provides secure resource access because users who are not authenticated to the domain are rejected when they attempt to access the resource.

ACCESS CONTROL LISTS (ACLs)
• AD objects themselves also have an Access Control List.
• You can therefore delegate control over different areas of the AD database to different administrators in your organization.

ACTIVE DIRECTORY SCHEMA
• The total list of all available object types (called classes) and their associated properties (called attributes) is stored in the AD schema.
• Members of the Schema Admins group in AD can modify the schema to include more object types and attributes.
• Exchange Server 2007 modifies the AD schema to include new objects and attributes that are used to store email configuration for user objects.

CONTAINER OBJECTS
• Provide the main structure of AD.
• Organize leaf objects.
• Allow you to delegate administrative permissions over the objects they contain.
• The three main container objects:
  • Domains
  • Organizational units (OUs)
  • Sites

CONTAINER OBJECTS

LEAF OBJECTS
• Objects that represent a user, computer, or resource are called leaf objects and contain attributes that are used by applications.
• The default leaf object classes that exist in AD include:
  • User accounts
  • Group accounts
  • Computer accounts
  • Printers
  • Shared folders

LEAF OBJECTS
• Each object must have a unique LDAP name called a distinguished name (DN).
• DNs identify leaf objects using the common name (CN) prefix.
• Example: CN=bob,OU=Accounting,OU=West,DC=octavius,DC=net
• Objects are also identified by a variable-length number called a Security Identifier (SID), which is used to identify the object in an ACL, and by a 128-bit number called a Globally Unique Identifier (GUID), which guarantees the object's uniqueness in the AD database.
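The DN above, taken apart programmatically (an added example, not part of the original slides): the leaf RDN gives the object's name, the OU components give the container path, and the DC components spell the domain's DNS name.

```python
# Added example (not from the original slides): split an LDAP distinguished
# name such as the one above into its relative DNs and derive the object's
# name, the OU path that contains it and the DNS name of its domain.
import re

def split_dn(dn):
    """Return the DN's (attribute, value) pairs, leaf first, honouring escaped commas."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):      # split only on unescaped commas
        attr, sep, value = part.partition('=')
        if not attr.strip() or not sep:
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr.strip().upper(), value.replace('\\,', ',')))
    return rdns

def describe_dn(dn):
    rdns = split_dn(dn)
    leaf_attr, leaf_value = rdns[0]
    return {
        'type': leaf_attr,                    # CN for users, computers and groups
        'name': leaf_value,
        # the DC components, read in order, spell the domain's DNS name
        'domain': '.'.join(v for a, v in rdns if a == 'DC'),
        # OUs appear nearest-first in a DN; reverse them to get the top-down path
        'ou_path': [v for a, v in rdns if a == 'OU'][::-1],
        # everything after the leaf RDN is the container the object lives in
        'parent_dn': ','.join(f'{a}={v}' for a, v in rdns[1:]),
    }

if __name__ == '__main__':
    for key, val in describe_dn('CN=bob,OU=Accounting,OU=West,DC=octavius,DC=net').items():
        print(f'{key:10} {val}')
```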
FORESTS AND TREES
• To accommodate large organizations, AD creates a forest that can contain multiple domains that are part of the same organization.
• When the first DC in an organization is created, it creates the forest as well as the first domain in the forest, called the forest root domain.
• As additional DCs are added, they can be configured to participate in the forest root domain or they can be used to create additional domains within the same forest.

FORESTS AND TREES
• A tree is two or more domains with a contiguous namespace.
• If you have two or more existing trees and you need to merge them, combine them into a grouping called a forest.
• In a forest, each tree still has its own unique namespace.

FORESTS AND TREES

TRUST RELATIONSHIP
• Each domain in a forest maintains its own security, administrator user accounts, and resources.
• To allow users in a domain (the source domain) to access resources that they have permission to in another domain (the target domain), the target domain must trust the source domain.
• Trust relationships do not grant permissions to resources.

TRUST RELATIONSHIP

TRANSITIVE TRUSTS
• Transitive trusts reduce the number of trust relationships that need to be created in large forests.
• Transitive trust:
  If domain A trusts domain B,
  and domain B trusts domain C,
  then domain A trusts domain C.

TRANSITIVE TRUSTS
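The chaining rule from the slide, written out as a small graph walk (an added example, not from the original slides). It generalises slightly by flagging each trust as transitive or not, so that a chain stops at a non-transitive link; the domain names are constructed.

```python
# Added example (not from the original slides): work out which domains a
# resource's domain ends up trusting once transitive trusts are chained, then
# decide whether a user from one domain can be authenticated by another.
# Direction matters: the target (resource) domain must trust the source (user)
# domain.  The non-transitive flag is an added generalisation of the slide.
from collections import deque

def trusted_by(trusts, domain):
    """Domains that `domain` trusts directly or through chains of transitive trusts.

    trusts maps a trusting domain to [(trusted_domain, is_transitive), ...].
    """
    reached, queue = set(), deque()
    for trusted, transitive in trusts.get(domain, []):   # direct trusts always count
        reached.add(trusted)
        if transitive:
            queue.append(trusted)                        # ...and may be chained further
    while queue:
        hop = queue.popleft()
        for trusted, transitive in trusts.get(hop, []):
            # a chain only continues across trusts that are themselves transitive
            if not transitive or trusted == domain or trusted in reached:
                continue
            reached.add(trusted)
            queue.append(trusted)
    return reached

def can_authenticate(user_domain, resource_domain, trusts):
    """True if resource_domain accepts a token issued by user_domain.
    The trust only lets the user be identified; permissions still come from the ACL."""
    return user_domain == resource_domain or user_domain in trusted_by(trusts, resource_domain)

# constructed sample: a forest root with two child domains (two-way transitive
# parent/child trusts) plus a one-way, non-transitive trust to an outside domain
FOREST = {
    'octavius.net':      [('west.octavius.net', True), ('east.octavius.net', True)],
    'west.octavius.net': [('octavius.net', True), ('partner.example', False)],
    'east.octavius.net': [('octavius.net', True)],
    'partner.example':   [],
}

if __name__ == '__main__':
    for d in FOREST:
        print(f'{d} trusts: {sorted(trusted_by(FOREST, d))}')
```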
GROUPS
• Assigning permissions to specific user accounts is a time-consuming and inefficient process.
• Instead, you should place several user account objects in a group object and assign permissions for the resource to the group object.

TYPES OF GROUPS
• There are two main types of group accounts in AD:
• Distribution groups
  • Designed for email distribution only
  • Contain an email address attribute
  • Cannot be used to assign permissions to a resource
• Security groups
  • The main group type used in AD
  • Can be assigned permissions to resources
  • Can also be used as a mail distribution group

GROUP SCOPES

USING GLOBAL AND DOMAIN LOCAL GROUPS
• To use Global and Domain Local groups, follow the AGUDLP approach:
  • A: Add users to
  • G: Global groups based on job function. Add global groups to
  • U: Universal groups for forest-wide use. Add universal groups to
  • DL: Domain Local groups that are matched to a particular resource.
  • P: Assign Permissions to the domain local group.
• Hint: Remember that resources are local to the Domain Local group.

USING GLOBAL AND DOMAIN LOCAL GROUPS
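The AGUDLP chain resolved end to end (an added example, not from the original slides): it walks a user's nested memberships to the ACL and refuses nestings that the group scope rules do not permit. Group and user names are constructed.

```python
# Added example (not from the original slides): resolve the permissions a user
# ends up with on a resource when access is granted the AGUDLP way, walking
# user -> global -> universal -> domain local -> ACL, and reject group nestings
# that the scope rules do not allow.
ALLOWED_NESTING = {   # (scope of member group, scope of containing group)
    ('global', 'global'), ('global', 'universal'), ('global', 'domain_local'),
    ('universal', 'universal'), ('universal', 'domain_local'),
    ('domain_local', 'domain_local'),
}

def check_nesting(groups):
    """groups: name -> {'scope': ..., 'members': [user names or group names]}."""
    for name, grp in groups.items():
        for member in grp['members']:
            if member in groups and (groups[member]['scope'], grp['scope']) not in ALLOWED_NESTING:
                raise ValueError(f"{groups[member]['scope']} group {member} "
                                 f"cannot be nested in {grp['scope']} group {name}")

def groups_of(principal, groups):
    """Every group the principal belongs to, following nested memberships (as a token lists)."""
    found, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for name, grp in groups.items():
            if current in grp['members'] and name not in found:
                found.add(name)
                stack.append(name)
    return found

def effective_permissions(user, groups, acl):
    """acl: [(principal, permission), ...] entries on one resource."""
    check_nesting(groups)
    principals = groups_of(user, groups) | {user}
    return {perm for principal, perm in acl if principal in principals}

# constructed sample: bob is an accountant, alice an auditor
GROUPS = {
    'G-Accountants':    {'scope': 'global',       'members': ['bob']},
    'G-Auditors':       {'scope': 'global',       'members': ['alice']},
    'U-Finance':        {'scope': 'universal',    'members': ['G-Accountants']},
    'DL-Ledger-Modify': {'scope': 'domain_local', 'members': ['U-Finance']},
    'DL-Ledger-Read':   {'scope': 'domain_local', 'members': ['G-Auditors']},
}
LEDGER_ACL = [('DL-Ledger-Modify', 'Modify'), ('DL-Ledger-Read', 'Read')]

if __name__ == '__main__':
    for user in ('bob', 'alice', 'carol'):
        print(user, effective_permissions(user, GROUPS, LEDGER_ACL))
```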
UNIVERSAL GROUP
• Any member from any domain in the forest can be added to a Universal group.
• Universal groups can be assigned permissions to any resource in any domain in the forest.
• You should limit the use of Universal groups because they are stored in the global catalog.

DOMAIN FUNCTIONAL LEVEL
• Domain functional levels only determine the types of DCs that can participate in a particular domain.
• A domain at the Windows Server 2003 functional level can only contain Windows Server 2003 DCs, but it can still contain clients that run previous versions of Windows such as Windows NT4 and Windows 2000.
• Windows Server 2008 AD does not allow backwards compatibility with Windows NT4 domains.
• By default, Windows Server 2003 AD domains are at the Windows 2000 Mixed functional level.
• By default, Windows Server 2008 AD uses the Windows 2000 Native functional level for backwards compatibility.

WINDOWS SERVER 2003 AND 2008 DOMAIN FUNCTIONAL LEVEL

DOMAIN FUNCTIONAL LEVEL
• Raising a functional level is a one-way operation.
• Exchange Server 2007 requires that you raise your domain functional level to Windows 2000 Native or higher.

FOREST FUNCTIONAL LEVEL
• In a forest that contains multiple domains, each domain may operate at a different functional level.
• AD also has forest functional levels, which define the type of DCs allowed within all domains in the forest.
• To raise your forest functional level, you must first raise your domain functional levels.
• As with domain functional levels, you cannot revert to a previous forest functional level once it has been raised.

WINDOWS SERVER 2003 AND 2008 FOREST FUNCTIONAL LEVEL

DOMAIN AND FOREST FUNCTIONAL LEVEL
• You can raise your domain and forest functional levels using the Active Directory Domains and Trusts console.
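The constraints from the last few slides as a checker (an added example, not from the original slides): raising is one-way, the forest level waits for every domain, and Exchange Server 2007 needs Windows 2000 Native or higher. The forest-level names and the domain level each requires are an assumed simplification.

```python
# Added example (not from the original slides): a small model of domain and
# forest functional levels that enforces the rules above: levels are raised
# one way only, a forest level cannot be raised until every domain is at the
# domain level it requires, and Exchange Server 2007 needs each domain at
# Windows 2000 Native or higher.  FOREST_LEVELS is an assumed simplification.
DOMAIN_LEVELS = ['Windows 2000 Mixed', 'Windows 2000 Native',
                 'Windows Server 2003', 'Windows Server 2008']
FOREST_LEVELS = {            # forest level -> minimum level required of every domain
    'Windows 2000':        'Windows 2000 Mixed',
    'Windows Server 2003': 'Windows Server 2003',
    'Windows Server 2008': 'Windows Server 2008',
}
EXCHANGE_2007_MIN_DOMAIN_LEVEL = 'Windows 2000 Native'

class Forest:
    def __init__(self, domain_levels, forest_level='Windows 2000'):
        self.domains = dict(domain_levels)   # domain name -> current domain functional level
        self.forest_level = forest_level

    def raise_domain_level(self, domain, new_level):
        current, new = DOMAIN_LEVELS.index(self.domains[domain]), DOMAIN_LEVELS.index(new_level)
        if new <= current:                   # raising is a one-way operation
            raise ValueError(f'{domain}: cannot move from {self.domains[domain]} to {new_level}')
        self.domains[domain] = new_level

    def raise_forest_level(self, new_level):
        order = list(FOREST_LEVELS)
        if order.index(new_level) <= order.index(self.forest_level):
            raise ValueError(f'forest level can only be raised, not set back to {new_level}')
        needed = DOMAIN_LEVELS.index(FOREST_LEVELS[new_level])
        lagging = [d for d, lvl in self.domains.items() if DOMAIN_LEVELS.index(lvl) < needed]
        if lagging:                          # every domain must be raised first
            raise ValueError(f'raise the domain functional level first on: {lagging}')
        self.forest_level = new_level

    def exchange_2007_ready(self):
        floor = DOMAIN_LEVELS.index(EXCHANGE_2007_MIN_DOMAIN_LEVEL)
        return all(DOMAIN_LEVELS.index(lvl) >= floor for lvl in self.domains.values())

if __name__ == '__main__':
    f = Forest({'octavius.net': 'Windows 2000 Mixed', 'west.octavius.net': 'Windows Server 2003'})
    print('Exchange 2007 ready:', f.exchange_2007_ready())
```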
SITES AND REPLICATION
• Each DC in a domain contains a copy of the AD database.
• Information is replicated between DCs in a domain and forest when new information is added to the AD database or existing information is modified or removed.
• To control replication within an organization, AD uses site and site link objects.
• Exchange Server 2007 uses AD sites to control the flow of internal email within an organization.

DIRECTORY PARTITIONS
• There are three main sections of the AD database, called directory partitions:
  • Schema partition
  • Configuration partition
  • Domain partition
• Changes to the schema and configuration partitions are relatively infrequent.

SCHEMA PARTITION
• The schema partition contains the AD schema.
• It must be identical on all DCs in the forest to ensure that objects can be interpreted by any DC.
• If a change is made to the schema partition, such as the addition of a new object class, the change must be replicated to all other DCs in the forest.

CONFIGURATION PARTITION
• The configuration partition must be identical on all DCs in the forest, as it stores the structure and layout of the AD forest.
• If you change the structure of the forest by adding a new domain or trust relationship, the configuration partition is replicated to all other DCs in the forest.

DOMAIN PARTITION
• All objects (such as users, groups, computers, printers, and so on) within a particular domain are stored in the domain partition on that domain's DCs.
• Because of this, the domain partition is the largest directory partition and typically contains thousands of objects.
• Replicating the domain partition to all DCs in the forest would be too bandwidth-intensive and would increase the size of the AD database unnecessarily.
• When a change is made to the domain partition on a DC, such as the addition of a user account object, it is replicated to the other DCs in the same domain only.
• Because each domain maintains its own domain objects, you must contact a DC in a remote domain when you need access to information that is stored within an object in that domain.
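The replication scope of the three partitions, simulated over a small constructed forest (an added example, not from the original slides): a schema write lands on every DC, a domain write only on DCs of that domain, so a remote domain's object must be read from that domain's DCs.

```python
# Added example (not from the original slides): a toy model of the three
# directory partitions held by every DC.  A write to the schema or
# configuration partition is replicated to every DC in the forest, a write to
# the domain partition only to DCs of the same domain, so an object that lives
# in another domain must be read from one of that domain's DCs.
from collections import namedtuple

DC = namedtuple('DC', 'name domain')
FOREST_WIDE = ('schema', 'configuration')

class ForestReplicas:
    def __init__(self, dcs):
        self.dcs = {dc.name: dc for dc in dcs}
        # every DC keeps its own copy of each of the three partitions
        self.store = {dc.name: {'schema': {}, 'configuration': {}, 'domain': {}}
                      for dc in dcs}

    def replication_targets(self, origin, partition):
        """DCs that must receive a change made on `origin` to `partition`."""
        src = self.dcs[origin]
        return [dc.name for dc in self.dcs.values()
                if dc.name != origin
                and (partition in FOREST_WIDE or dc.domain == src.domain)]

    def write(self, origin, partition, key, value):
        if partition not in FOREST_WIDE + ('domain',):
            raise ValueError(f'unknown partition {partition!r}')
        self.store[origin][partition][key] = value
        for target in self.replication_targets(origin, partition):
            self.store[target][partition][key] = value

    def read(self, dc, partition, key):
        return self.store[dc][partition].get(key)

    def dcs_for_domain(self, domain):
        """Where to look for an object stored in `domain`'s domain partition."""
        return [dc.name for dc in self.dcs.values() if dc.domain == domain]

# constructed sample: root domain with two DCs, one child domain with two DCs
forest = ForestReplicas([DC('DC1', 'octavius.net'), DC('DC2', 'octavius.net'),
                         DC('DC3', 'west.octavius.net'), DC('DC4', 'west.octavius.net')])

if __name__ == '__main__':
    forest.write('DC3', 'domain', 'CN=bob,DC=west,DC=octavius,DC=net', 'user')
    forest.write('DC1', 'schema', 'exampleNewAttribute', 'attributeSchema')  # constructed name
    for name in forest.dcs:
        print(name, forest.read(name, 'domain', 'CN=bob,DC=west,DC=octavius,DC=net'),
              forest.read(name, 'schema', 'exampleNewAttribute'))
```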
SITES AND REPLICATION
• Frequent AD replication across slow WAN connections between physical locations consumes a great deal of the available bandwidth and is likely to slow down the organization's access to the Internet.
• You can implement AD site objects to optimize the replication that occurs across slow WAN links between the physical locations within your organization.

SITES AND REPLICATION
• To save bandwidth, replication between sites only occurs between a single DC in each site, called a bridgehead server.
• Although AD automatically chooses a DC to become the bridgehead server in each site, you can manually specify the bridgehead server for each site.

GLOBAL CATALOG (GC)
• Because forests can grow very large, a list of all object names in the forest is stored in the global catalog (GC), located on at least one DC, to aid in locating objects in AD.
• By default, the GC is hosted on the first DC in the forest.
• The GC allows you to quickly locate an object in a remote domain.
• Only domains at the Windows 2000 Native functional level or higher can access the GC.

USER PRINCIPAL NAME (UPN)
• For user account objects, the GC also stores the User Principal Name (UPN), which users can use to log in to their domain from a computer anywhere in the forest.
• A UPN must be unique in the forest.
• UPNs follow the username@domainname format.
• UPNs can only be used during the logon process if the domain is at or above the Windows 2000 Native functional level.

UNIVERSAL GROUP MEMBERSHIP CACHING (UGMC)
• Universal groups are stored entirely in the GC and can be accessed by domains that are at the Windows 2000 Native functional level or higher.
• Because authentication tokens list your group memberships, a GC must be contacted during the logon process to determine your universal group memberships.
• You should enable Universal Group Membership Caching (UGMC) on a site to allow the DCs in that site to cache the universal group memberships of user accounts.
• A remote GC must still be contacted the first time a user authenticates to the domain, to verify universal group memberships and populate the cache.
• Even if a GC is unavailable, domain administrators can still log in to a domain that is at or above the Windows 2000 Native functional level.

FSMO ROLES
• Flexible Single Master Operations (FSMO) roles provide specific functions within an AD domain and forest.
• A DC can hold a single FSMO role or all FSMO roles for its domain or forest.

FSMO ROLES
• If a DC that holds an FSMO role fails, you can force another DC to assume the FSMO role.
• To do this, you must seize the FSMO role from a DC that is online.
• To bring the failed DC back online, you should first reinstall the operating system and configure it as a new DC in the existing domain.

SCHEMA MASTER
• Replicates changes made to the AD schema to all DCs in the forest.
• 1 per forest
• In order to modify the AD schema, the DC that holds the Schema Master FSMO role must be available.
• Since Exchange Server 2007 extends the AD schema, it is good practice to move the Schema Master FSMO role to a DC close to the computer that will become the first Exchange server, to reduce installation problems and speed up the installation process.

DOMAIN NAMING MASTER
• Permits the addition of new domains and the removal of existing domains.
• Before a new domain is added to the forest, the DC that holds the Domain Naming Master FSMO role is contacted to ensure that the name is unique.
• 1 per forest
• For best performance, the DC that holds the Domain Naming Master FSMO role should also host the GC.

PDC EMULATOR
• Emulates an NT4 PDC for backwards compatibility with NT4 BDCs that exist in a Windows 2000 Mixed functional level domain.
• Coordinates user password changes.
• Synchronizes time among the computers in a domain.
• 1 per domain