Professional Documents
Culture Documents
3rdNovember-Active Directory Fundamentals Administration
3rdNovember-Active Directory Fundamentals Administration
Services
Files
Users
Before directory services, If you needed a file, you needed to know the name of the file,
the name of the server on which it is stored and its folder path. Now this works well on
small network, but as the network grows it becomes challenging.
Directory service is the means by which users and administrators can locate resources
regardless of where those resources are located.
Also earlier typical user could have more than one user account or password, and as the
network grows and the number of username and password also increases, like one for
File Server, one for email server, etc.
Boundary of
Policies
Boundary of
Authentication
CONTOSO.COM
Boundary of Replication
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
Active Directory
Active Directory is Microsofts answer to directory services and it
does a lot more than just locating resources.
Active Directory take care of this by using Kerberos Authentication
and Single Sign-On (SSO). SSO means ability of Kerberos to
provide a user with one set of credentials and grant them access
across a range of resources and services with that same set of
credentials. Kerberos authenticates the credentials and issues the
user a ticket with which the user gains access to the resources and
services that support Kerberos.
Active Directory also makes user management more easier as it acts
as a single repository for all of this user and computer related
information.
X.500 sits at the Application layer in the OSI model. X.500 contain several
component databases that work together as a single entity.
The primary database is the Directory Information Base (DIB), which stores
information about the objects. Major limitation was its lack of integration with
Internet Protocol (IP).
Protocol it used was Directory Access Protocol, or DAP. DAP offered more
functionality than that is required for implementing directory services, so a
scaled down version called Lightweight Directory Access Protocol (LDAP) was
made. Later it was considered as a standard by Internet Engineering Task
Force (IETF).
Advantage of LDAP
LDAP relies on the TCP/IP stack rather than the OSI stack
Integrate with IP and enable IP clients to use LDAP to query directory services.
LDAP can perform hyper-searches. Giving one directory the ability to defer to another to
provide requested data.
Simple Authentication and Security Layer (SASL) is a framework for authentication and
data security in Internet protocols.
Naming Conventions
AD contains information about objects in your
enterprise.
These objects can be computers, users, printers etc.
AD is a container with nested containers holding other
containers or objects.
And we name these container and objects so that its
easy to query or search.
Requirement of DNS
AD relies on DNS as its primary locator service, although its not the only mechanism for locating domain
controllers (DCs).
Schema Partition
This stores Active Directory Schema.
Active Directory Schema defines what are the types of objects that can be created in the directory
How are those objects relate to one another, and what are the mandatory and optional attributes of
each object.
And how can one create such objects.
Configuration Partition
This contains configuration of AD.
Domain Partition
This partition stores the objects.
Application Partition
This is an optional 4th partition that an administrator can create.
AD Domain Tree
A tree is a collection of one or more domains
AD Forest
A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration.
OHIO.US.CONTOSO.COM
Global Catalog
Transitive Trusts
CONTOSO.COM
UK.CONTOSO.COM
US.CONTOSO.COM
CONTOSO.COM
US.CONTOSO.COM
UK.FABRIKAM.COM
Schema
Global
Configuration
Catalog
Demo
demonstration
Organizational Units
Organized For:
Administration
Same Requirements
Delegation
Group Policy
Configuration
Security
OU Admin
OU Security
CONTOSO.COM
OU Policy
SalesLondon
Department
Desktops
Marketing
New
Department
York
Printers
Hardware Devices
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
Demo
demonstration
Domain Controllers
DC
PDC
DC
BDC
DC
BDC
Windows NT 4.0
Site A
WAN Link
Locate Services
Optimize Replication
Define Policies
Site B
US.CONTOSO.COM
CONTOSO.COM
Site B
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
Global Catalog
Spans all domains
Contains object attributes
Used for searches
Exists on domain controllers
Demo
demonstration
Agenda
Logical Concepts of Active Directory
Physical Concepts of Active Directory
DNS in 10 Minutes
Overview of Active Directory Replication
The role played by Operations Masters
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
DNS
Domain Naming System locates network services
and resources.
DNS Request Process
Requested Service
Site Information
DNS Server
IP Addresses
SVR Records
DC
Cache
Windows
2003
Dynamic Update*
AD Integration
Secure Update
SRV Records*
Windows
Server 2008
DNS Migration
Upgrade to BIND 9.x
Upgrade to Microsoft DNS
Delegate to Microsoft DNS
Demo
demonstration
Replication Scope
Across Domain
Domain NC
Across Forest:
Schema NC
Configuration NC
Intersite
(Compressed)
Intrasite
(Token Ring)
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
Demo
demonstration