Active Directory Infrastructure Overview

Prepared by: MTGuillermo

Terminology and Concepts
• Directory data store
• Directory partitions
• Policy-based administration
• DAP and LDAP
• Naming schemes used in Active Directory

Directory Partitions
Three partitions exist on any DC:
• Domain partition – contains information about the domain
• Configuration partition – deals with the topology of Active Directory
• Schema partition – contains information that defines the object classes and attributes used within the domain

Policy-Based Administration
• Control desktop settings that determine the display properties of a computer.
• Enforce password security, such as by setting minimum password lengths, the maximum length of time before a password must be changed, and so on.
• Assign scripts that run at logon, logoff, startup, and shutdown.
• Redirect folders from the local computer to a folder on a networked computer.
• Deploy applications.

Directory Access Protocol
• Used for the specific purpose of exchanging information with the directory service.
• Windows Server 2003 uses LDAP.

Naming Scheme
• Domain Name System (DNS)
• User principal name (UPN)
• Universal Naming Convention (UNC)
• Uniform Resource Locator (URL)
• Lightweight Directory Access Protocol Uniform Resource Locator (LDAP URL)

Distinguished Name
• CN – The common name of the object
• OU – The organizational unit. These are containers in the directory that are used to hold objects
• DC – Domain component
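To make the naming-scheme and distinguished-name slides concrete, here is a small DN parser added for this page (it is not code from the original deck). It splits a DN into its CN/OU/DC components while honouring RFC 4514 backslash escapes, derives the DNS domain name from the DC components, and rebuilds the parent container's DN; the sample DNs are constructed.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "Sales")

def parse_dn(dn: str) -> List[RDN]:
    """Split a DN such as 'CN=Smith\\, John,OU=Sales,DC=example,DC=com' into RDNs,
    honouring RFC 4514 backslash escapes ('\\,' and '\\2C' both yield ',').
    Multi-valued RDNs (joined with '+') are out of scope for this small parser."""
    rdns: List[RDN] = []
    attr, value = [], []          # characters of the current type and value
    in_value, i = False, 0
    while i < len(dn):
        ch = dn[i]
        if in_value and ch == "\\":                  # escape sequence in a value
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):   # \XX hex escape
                value.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:                                    # \, \+ \" \\ \< \> \; \=
                value.append(dn[i + 1])
                i += 2
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":                 # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip().upper(), "".join(value)))
            attr, value, in_value = [], [], False
        elif in_value and ch == " " and not value:
            pass                                     # skip unescaped leading spaces
        else:
            (value if in_value else attr).append(ch)
        i += 1
    if not in_value:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append(("".join(attr).strip().upper(), "".join(value)))
    return rdns

def escape_value(value: str) -> str:
    """Escape the characters RFC 4514 requires so a value can go back into a DN."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def dns_domain(rdns: List[RDN]) -> str:
    """DC=example,DC=com -> 'example.com', the DNS name of the domain."""
    return ".".join(v for t, v in rdns if t == "DC")

def parent_dn(rdns: List[RDN]) -> str:
    """The container holding the object: the DN without its first RDN."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns[1:])
```

Note that the parser decodes one byte per hex escape, so multi-byte UTF-8 sequences written as several escapes are not recombined.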

Directory Structure Overview
Components of AD:
• Sites
• Domains
• Trees
• Forests
• Objects
• DCs
Components of AD used to organize and manage the hierarchy:
• GC
• Schema

Active Directory Users and Computers
• Builtin – holds groups that were created by Windows Server 2003 and can be used to control access
• Computers – container used to store computer objects
• Domain Controllers – container that holds objects representing the DCs that reside in the domain
• Users – container used to store user accounts and groups
• LostAndFound – container used to store stray objects whose containers no longer exist
• System – container used for system settings

Active Directory Domains and Trusts
• Shortcut trust
• Forest trust
• Realm trust
• External trust

Shortcut Trust

Forest Trust

Realm Trust

External Trust

Active Directory Sites and Services
• Inter-Site Transports – container used to create and store site links
• Subnets – container used to create and store objects containing information about the subnets on your network

Command-line tools for Active Directory
• Dsadd – Used to add users, groups, computers, contacts, and OUs.
• Dsget – Displays the properties of an object in Active Directory.
• Dsmod – Used to modify users, groups, computers, contacts, servers, and OUs.
• Dsmove – Renames an object without moving it, or moves an object to a new location.
• Ldifde – Used to create, modify, and delete objects in Active Directory.
• Ntdsutil – Used for general management of Active Directory.

Command-line tools for Active Directory (continued)
• Whoami – Provides information on the user who is currently logged on.
• Cacls – Used to view and modify discretionary access control lists (DACLs) on files.
• Cmdkey – Used to create, list, and delete usernames, passwords, and credentials.
• Csvde – Used to import and export data from the directory.
• Dcgpofix – Restores Group Policy Objects (GPOs) to the state they were in when initially installed.

Access Control in Active Directory
• Security descriptors
• Object inheritance
• Authentication

Two different types of ACLs in the security descriptor
• Security access control list (SACL) – used to track an object's security based on how a user or group accesses the object
• Discretionary access control list (DACL) – a listing of ACEs for users and groups, including information about the permissions that a user or group has to a file

Two types of permissions apply to AD objects
• Standard permissions – those that are commonly applied to objects
• Special permissions – provide additional access control

Standard permissions
• Full Control – Allows the user to change permissions, take ownership, and have the abilities associated with all other standard permissions.
• Write – Allows the user to change attributes on an object.
• Delete All Child Objects – Allows the user to delete objects from an OU.
• Create All Child Objects – Allows the user to add objects to an OU.
• Read – Allows the user to view objects, attributes, ownership, and permissions on an object.
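The security descriptor, DACL, object inheritance and standard permissions slides fit together in how Windows decides access, and the following toy model, added here and not taken from the original deck, shows that decision: ACEs are walked in canonical order (explicit deny, explicit allow, inherited deny, inherited allow) and the first ACE to decide a bit wins, while a child created in an OU receives copies of the OU's inheritable ACEs. The SIDs and permission bit values are constructed for illustration and are not real AD access-mask values.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Standard permission bits (constructed values; real AD access masks differ).
READ, WRITE, CREATE_CHILD, DELETE_CHILD, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16, 32
FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD | WRITE_DAC | WRITE_OWNER

@dataclass
class ACE:
    trustee: str               # SID of the user or group this entry applies to
    mask: int                  # permission bits the entry allows or denies
    allow: bool = True         # False makes this an access-denied ACE
    inheritable: bool = True   # flows down to child objects of a container
    inherited: bool = False    # set on copies that came from a parent

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: List[ACE] = field(default_factory=list)   # the SACL is omitted here

def canonical(dacl: List[ACE]) -> List[ACE]:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny,
    inherited allow. Sorting on (inherited, allow) gives exactly that."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def effective_access(sd: SecurityDescriptor, principal: Set[str]) -> int:
    """Bits granted to a principal (its own SID plus all its group SIDs).
    The first ACE that decides a bit wins, so an explicit deny beats an
    inherited allow, but an explicit allow beats an inherited deny."""
    granted = denied = 0
    for ace in canonical(sd.dacl):
        if ace.trustee not in principal:
            continue
        undecided = ace.mask & ~(granted | denied)
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return granted

def inherit(parent: SecurityDescriptor, child_owner: str) -> SecurityDescriptor:
    """Descriptor for a new child of `parent` (e.g. a user created in an OU):
    every inheritable parent ACE is copied and marked as inherited."""
    child = SecurityDescriptor(owner=child_owner)
    for ace in parent.dacl:
        if ace.inheritable:
            child.dacl.append(ACE(ace.trustee, ace.mask, ace.allow, True, inherited=True))
    return child
```

When reviewing delegated permissions on an OU, this is why an explicit deny placed directly on one object still overrides a broad inherited allow, and why a deny set at the OU level can be undone by an explicit allow on the child.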

Four different levels of functionality for Active Directory
• Windows 2000 mixed – allows domains to contain Windows NT BDCs that can interact with Windows 2000 and Windows Server 2003 servers.
• Windows 2000 native – the highest mode available for Windows 2000 and the next highest level for Windows Server 2003 DCs.
• Windows 2003 interim – a new level that is available in Windows Server 2003.
• Windows 2003 – the highest functionality level for Active Directory; used when there are only Windows Server 2003 DCs in the domain.

New Features Available Only with Windows Server 2003 Domain/Forest Functionality
• Domain Controller Renaming Tool
• Domain Rename Utility
• Forest Trusts
• Dynamically Linked Auxiliary Classes
• Disabling Classes
• Replication
• Raise Domain and Forest Functionality