3rdNovember-Active Directory Fundamentals Administration

Active Directory Fundamentals
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
What Will We Cover?

Active Directory concepts
Domains, trees, forests
Domain controllers, sites
Domain Naming Service
Replication
Operations masters
What Is a Directory Service?

A service that helps track and locate objects on a
network
Active Directory Management
Workstations
Services
Files
Users
What's a directory service?
A directory service is a container that provides a hierarchical structure and allows to

store objects for quick and easy access and manipulation. A directory service is like an
electronic phone directory that lets you search for Name and retrieve the phone
number, address, or other information without knowing where that person lives.
Before directory services, If you needed a file, you needed to know the name of the file,
the name of the server on which it is stored and its folder path. Now this works well on
small network, but as the network grows it becomes challenging.
Directory service is the means by which users and administrators can locate resources
regardless of where those resources are located.
Also earlier typical user could have more than one user account or password, and as the
network grows and the number of username and password also increases, like one for
File Server, one for email server, etc.
Active Directory Domains
Boundary of
Policies
Boundary of
Authentication
CONTOSO.COM
Boundary of Replication
Active Directory
Active Directory is Microsofts answer to directory services and it
does a lot more than just locating resources.
Active Directory take care of this by using Kerberos Authentication
and Single Sign-On (SSO). SSO means ability of Kerberos to
provide a user with one set of credentials and grant them access
across a range of resources and services with that same set of
credentials. Kerberos authenticates the credentials and issues the
user a ticket with which the user gains access to the resources and
services that support Kerberos.
Active Directory also makes user management more easier as it acts
as a single repository for all of this user and computer related
information.
History of Directory Service
Earlier to todays directory services is X.500 specification that emerged from

the International Telecommunications Union (ITU), formerly the CCITT
(Comit Consultatif International Tlphonique et Tlgraphique).
X.500 sits at the Application layer in the OSI model. X.500 contain several
component databases that work together as a single entity.
The primary database is the Directory Information Base (DIB), which stores
information about the objects. Major limitation was its lack of integration with
Internet Protocol (IP).
Protocol it used was Directory Access Protocol, or DAP. DAP offered more
functionality than that is required for implementing directory services, so a
scaled down version called Lightweight Directory Access Protocol (LDAP) was
made. Later it was considered as a standard by Internet Engineering Task
Force (IETF).
Advantage of LDAP
LDAP relies on the TCP/IP stack rather than the OSI stack
Integrate with IP and enable IP clients to use LDAP to query directory services.
LDAP can perform hyper-searches. Giving one directory the ability to defer to another to
provide requested data.
LDAPs API is C-based
Like X.500, LDAP uses an inverted-tree hierarchical structure
LDAP supports Kerberos authentication, Simple Authentication Security Layer (SASL),

and Secure Sockets Layer (SSL)
Simple Authentication and Security Layer (SASL) is a framework for authentication and
data security in Internet protocols.
Back to Active Directory

AD is Microsofts answer to directory services and
it does a lot more than just locating resources.
AD uses LDAP as its access protocol.
AD relies on DNS as its locator service, enabling
clients to locate domain controllers through DNS
queries.
Lets Understand Active Directory in more detail.
Naming Conventions
AD contains information about objects in your
enterprise.
These objects can be computers, users, printers etc.
AD is a container with nested containers holding other
containers or objects.
And we name these container and objects so that its
easy to query or search.
Requirement of DNS
DNS Server must support
Service resource (SRV) records
Dynamic update protocol specified by RFC 2136
AD relies on DNS as its primary locator service, although its not the only mechanism for locating domain
controllers (DCs).
Domain Controller is the server which has Active Directory Installed.
When a Domain Controller starts,

It registers both its DNS name and NetBIOS name. More on NetBIOS name later.
It add LDAP-specific SRV records in DNS to enable LDAP clients to locate DCs through LDAP queries.
It also add Kerberos authentication protocol-specific SRV records to enable clients to locate servers running the Kerberos Key
Distribution Center (KDC) service.
Also each DC also adds an A record that enables clients that dont support SRV records to locate the DC through a simple host record
lookup. You can disable this if required.
Active Directory Database

The ESE comprises of
tables that define the
structure of the
directory.
The Database Layer
has three partition that
define the contents of
AD with an optional
4th table or partition.
Active Directory Partitions
Schema Partition
This stores Active Directory Schema.
Active Directory Schema defines what are the types of objects that can be created in the directory
How are those objects relate to one another, and what are the mandatory and optional attributes of
each object.
And how can one create such objects.
Configuration Partition
This contains configuration of AD.
Domain Partition
This partition stores the objects.
Application Partition
This is an optional 4th partition that an administrator can create.
Active Directory Schema

Active Directory Schema defines what are the types of objects
that can be created in the directory
How are those objects relate to one another, and what are the
mandatory and optional attributes of each object.
And how can one create such objects.
Schema requires to updates whenever you need to create a new
type of object or add anything that requires new attribute.
Domain, Tree and Forest

AD Domain
Objects that are made on AD are grouped into domains.
The objects for a single domain are stored in a single database
(which can be replicated).
AD Domain Tree
A tree is a collection of one or more domains
AD Forest
A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration.
Active Directory Trees

Shared
Schema
CONTOSO.COM
Configuration
US.CONTOSO.COM
OHIO.US.CONTOSO.COM
Global Catalog
Transitive Trusts
CONTOSO.COM
UK.CONTOSO.COM
US.CONTOSO.COM
Active Directory Forests

FABRIKAM.COM
CONTOSO.COM
US.CONTOSO.COM
UK.FABRIKAM.COM
Schema
Global
Configuration
Catalog
Demo
demonstration
Reviewing Domains and Trusts
Organizational Units
Organized For:
Administration
Same Requirements
Delegation
Group Policy
Configuration
Security
OU Admin
OU Security
CONTOSO.COM
OU Policy
Organizational Unit Applications
SalesLondon
Department
Desktops
Marketing
New
Department
York
Printers
Hardware Devices
Demo
demonstration
Using Organizational Units

Review Organizational Units
Create New Organizational Units
Domain Controllers
DC
PDC
DC
BDC
DC
BDC
Windows NT 4.0
Windows Server 2003
Active Directory Sites
Site A
WAN Link
Sites Used To:
Locate Services
Optimize Replication
Define Policies
Site B
Sites and Domains

Site A
US.CONTOSO.COM
CONTOSO.COM
Site B
Global Catalog
Spans all domains
Contains object attributes
Used for searches
Exists on domain controllers
Demo
demonstration
Using Sites and Global Catalogs

Create a Site
Review Global Catalog Settings
Choose Global Catalog Attributes
Agenda
Logical Concepts of Active Directory
Physical Concepts of Active Directory
DNS in 10 Minutes
Overview of Active Directory Replication
The role played by Operations Masters
DNS
Domain Naming System locates network services
and resources.
DNS Request Process
Requested Service
Site Information
DNS Server
IP Addresses
SVR Records
DC
Cache
DNS Systems and Requirements

BIND 8.1.2 Windows
NT
Windows
2003
Dynamic Update*
AD Integration
Secure Update
SRV Records*
* Required for Active Directory
Windows
Server 2008
DNS Migration
Upgrade to BIND 9.x
Upgrade to Microsoft DNS
Delegate to Microsoft DNS
Demo
demonstration
Working with DNS

Review DNS Zones
Review Host Records and Dynamic Update
Replication Scope
Across Domain
Domain NC
Across Forest:
Schema NC
Configuration NC
More Replication Scope
Intersite
(Compressed)
Intrasite
(Token Ring)
Demo
demonstration
Working with Replication

Enable Replication
Review Replication

3rdNovember-Active Directory Fundamentals Administration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3rdNovember-Active Directory Fundamentals Administration

Uploaded by

Copyright:

Available Formats

Active Directory Fundamentals

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

What Will We Cover?

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

What Is a Directory Service?

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

What's a directory service?

A directory service is a container that provides a hierarchical structure and allows to

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Domains

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

History of Directory Service

Earlier to todays directory services is X.500 specification that emerged from

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

LDAPs API is C-based

Like X.500, LDAP uses an inverted-tree hierarchical structure

LDAP supports Kerberos authentication, Simple Authentication Security Layer (SASL),

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Back to Active Directory

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

DNS Server must support

Service resource (SRV) records

Dynamic update protocol specified by RFC 2136

Domain Controller is the server which has Active Directory Installed.

When a Domain Controller starts,

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Database

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Partitions

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Schema

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Domain, Tree and Forest

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Trees

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Forests

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Reviewing Domains and Trusts

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Organizational Unit Applications

Using Organizational Units

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Windows Server 2003

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Active Directory Sites

Sites Used To:

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Sites and Domains

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Using Sites and Global Catalogs

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

DNS Systems and Requirements

* Required for Active Directory

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Working with DNS

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

More Replication Scope