AD Microsoft

7/28/2019 AD Microsoft

Management plane: Defines the management activities that coordinate the other three planes of the model. The five functional areas defined by the OSI management model (configuration, accounting, fault, performance and security management) must be handled by this plane, as well as by the others. However, the way the information of each functional area is represented will vary to match the expectations of each of the management layers defined in the proposed model.

Active Directory is an implementation of a directory service over the LDAP protocol that stores information about objects in a computer network and makes this information available to the users and administrators of that network. It is Microsoft software used in Windows environments. Active Directory, like NIS, arose from the need for a single directory: instead of the user having one password to access the company's main system, another to read e-mail, another to log on to the computer, and several others, with AD users can have a single password to access all resources available on the network. We can define a directory as a database that stores user information. AD appeared together with Windows 2000 Server. Objects such as users, groups, group members, passwords, computer accounts, trust relationships, information about the domain, organizational units, etc. are stored in the AD database. Besides storing various objects in its database, AD provides several services, such as user authentication, replication of its database, searching for the objects available on the network, centralized security administration using GPOs, among others. These features make AD administration much easier, making it possible to administer all resources available on the network centrally. For users to access the resources available on the network, they must log on. When the user logs on, AD checks whether the information supplied by the user is valid and, if so, authenticates the user. AD is organized hierarchically, using domains. A network that uses AD may contain several domains. A domain is nothing more than an administrative and security boundary: the domain administrator has permissions only in that domain, not in other domains. Security policies also apply only to the domain, not to other domains. In short: different domains can have different administrators and different security policies. In AD-based domains we can have two types of servers: Domain Controller (DC) and Member Server. Installing AD requires the DNS service to be available; it is a prerequisite (dependency) for the installation of AD. AD uses DNS to name servers and resources, and also for name resolution. If the DNS service is not available on the network during the AD installation, it can be installed during the AD installation. Using domains, we can make our network reflect the structure of a company. When we use several domains we have the concept of trust relationships. A trust relationship allows the users of both domains to access the resources located in those domains. In Windows 2000, trusts are bidirectional and transitive, that is, if domain X trusts domain Y, and Y trusts domain W, then domain X also trusts domain W. The "active directory" allows administrators to assign company-wide policies, install programs on a large number of computers and apply critical updates to an entire organization. The "active directory" stores information and parameters in a central, organized and accessible database. Active Directory networks can range from a small installation with a hundred objects to a large installation with millions of objects. Active Directory was previewed in 1999 and first released with Windows 2000. Later it was revised to extend its functionality and improve administration in a new version known as 'Windows Server 2003'. Active Directory is a set of files located on the domain server that hold all the information needed to control user access to the network. It records user names and passwords, their access permissions to files, printers and other network resources, disk quotas, the computers and hours each user may use, etc. Active Directory is related to:

- Centralized management.
- GPO (Group Policies).
- Global Catalog.
- IntelliMirror desktop management.
- Automatic software distribution.
- ADSI access interface.
- Compatibility with legacy MS operating systems.
- Delegated administration.
- Automatic replication.

Active Directory

Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[1] Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

History

Active Directory was previewed in 1999, released first with Windows NT 4.0 Server. Then it was included with Windows 2000 Server edition and revised to extend functionality and improve administration in Windows Server 2003. Additional


In general the reason for this lack of allowance for duplicate names through hierarchical directory placement is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object management that, for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment.

As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" (Western order) or the reverse (Eastern order) fail for common family names like Li, Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual user's names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
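The shadow-group script described above, written here as an added example (it is not Microsoft's code or from the original page). It assumes the RSAT ActiveDirectory module and rights to modify the group; the OU and group names at the bottom are hypothetical placeholders. Because the page notes such scripts only run periodically, the function also returns the drift it found so a scheduled run can log how far the group had diverged from the OU.

```powershell
# Added example: keep a security group's membership in step with the user
# accounts that live in one OU ("shadow group"). Assumes the RSAT
# ActiveDirectory module; OU and group names are hypothetical placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName,
        # OneLevel mirrors only direct children of the OU; Subtree includes nested OUs.
        [ValidateSet('OneLevel', 'Subtree')] [string] $Scope = 'OneLevel'
    )

    # Create the shadow group inside the OU it mirrors if it does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OuDistinguishedName `
                         -ErrorAction SilentlyContinue
    if (-not $group) {
        if (-not $PSCmdlet.ShouldProcess($GroupName, 'Create shadow group')) { return }
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OuDistinguishedName `
                             -Description "Shadow group for $OuDistinguishedName" -PassThru
    }

    # Desired membership: enabled user accounts located in the OU.
    $desired = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuDistinguishedName `
                            -SearchScope $Scope |
                 Select-Object -ExpandProperty DistinguishedName)

    # Current membership of the group (may be empty on the first run).
    $current = @(Get-ADGroupMember -Identity $group |
                 Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    # Accounts moved out of the OU lose the group's rights on the next run,
    # not at the moment they are moved (the lag the page describes).
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # Report the drift so a scheduled run can log it.
    [pscustomobject]@{
        Group   = $GroupName
        Added   = $toAdd
        Removed = $toRemove
    }
}

# Hypothetical names; -WhatIf previews the changes without applying them.
Sync-ShadowGroup -OuDistinguishedName 'OU=Finance,DC=corp,DC=example' `
                 -GroupName 'SG-Finance' -WhatIf
```

Run it from a scheduled task once per OU, or loop over the OUs you want mirrored; drop -WhatIf to apply the changes.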

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]

Physical matters

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[7] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[8]

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. AD synchronizes changes using multi-master replication.[9] Microsoft often refers to these partitions as 'naming contexts'.[10] The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domain controllers in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only to Domain Controllers within its domain. So, for example, a user created in Domain X would be listed only in Domain X's domain controllers. A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs.

Global catalog (GC) servers provide a global listing of all objects in the Forest.[11] Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[12]

Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.
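An added example (not from the original page) that checks the statements above against a live domain: which naming contexts a DC hosts, which DCs are global catalogs, and whether DNS publishes the SRV records clients use to find DCs. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host; 'corp.example' is a placeholder domain name.

```powershell
# Added example: inspect partitions (naming contexts), global catalog role and
# DC locator SRV records. Assumes RSAT ActiveDirectory + DnsClient modules;
# the domain name used at the bottom is a hypothetical placeholder.
Import-Module ActiveDirectory

function Get-DirectoryPartitionSummary {
    param(
        # Default to whichever DC the locator process hands us.
        [string] $Server = [string](Get-ADDomainController -Discover).HostName
    )
    # RootDSE exposes the partitions this DC replicates. Schema and
    # Configuration are forest-wide; defaultNamingContext is this DC's domain.
    $root = Get-ADRootDSE -Server $Server
    [pscustomobject]@{
        Server        = $Server
        Schema        = $root.schemaNamingContext
        Configuration = $root.configurationNamingContext
        Domain        = $root.defaultNamingContext
        AllPartitions = @($root.namingContexts)
    }
}

function Get-GlobalCatalogStatus {
    # Every DC holds Schema + Configuration + its own Domain partition; only
    # DCs with IsGlobalCatalog also hold the partial attribute set of the
    # other domains in the forest.
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly
}

function Test-DcLocatorRecords {
    param([Parameter(Mandatory)] [string] $DnsDomain)
    # Clients locate DCs, KDCs and GCs through these SRV records; a DNS server
    # that does not serve them leaves the domain partially functional at best.
    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",
        "_kerberos._tcp.dc._msdcs.$DnsDomain",
        "_gc._tcp.$DnsDomain"
    )
    foreach ($name in $names) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        $srv = @($records | Where-Object Type -eq 'SRV')
        [pscustomobject]@{
            Record  = $name
            Present = ($srv.Count -gt 0)
            Targets = @($srv | ForEach-Object NameTarget)
        }
    }
}

Get-DirectoryPartitionSummary
Get-GlobalCatalogStatus
Test-DcLocatorRecords -DnsDomain 'corp.example'
```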

Replication

Active Directory replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[13] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication.

Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although KCC automatically


costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory zones is automatically configured when DNS is activated in the domain based by site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) NCs. SMTP cannot be used for replicating the default Domain partition.[14]

Database

The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.[15] (NT4's Security Account Manager could support no more than 40,000 objects). Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows Server 2003 a third main table was added for security descriptor single instancing.[16]

Forest trusts

Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM).

Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.

Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.

Lightweight Directory Service

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode (ADAM),[20] is a light-weight implementation of Active Directory (AD DS).[21] AD LDS is capable of running as a service on computers running Microsoft Windows Server. AD LDS shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.

Like Active Directory, AD LDS provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple AD LDS instances can be run on the same server.

Unix integration

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java and UNIX-based applications), including:

- Fox Technologies and the product FoxT ServerControl (software): implements AD Bridging capabilities that allow UNIX/Linux systems to join Active Directory and enables the use of the Kerberos protocol for authentication of users
- Centrify DirectControl (Centrify): Active Directory-compatible centralized authentication and access control[22]
- Centrify Express (Centrify): A suite of free Active Directory-compliant services for centralized authentication, monitoring, file-sharing and remote access
- UNAB (Computer Associates)
- TrustBroker (CyberSafe Limited): An implementation of Kerberos
- PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software): Allows a non-Windows client to join Active Directory[22]
- Quest Authentication Services (Quest Software) (formerly Vintela): AD Authentication to Unix/Linux/Mac, Group Policy management, User/Group Migration tools, Auditing and Reporting
- ADmitMac (Thursby Software Systems)[22]
- Samba: Can act as a domain controller[23][24]

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, support these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[25] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
