Ads Overview En

Microsoft Active Directory: An Overview

Description: Active Directory Intro

Transcript of Ads Overview En

Page 1

Microsoft Active Directory

An Overview

Page 2

What is Active Directory?

Microsoft's new Directory Service
Called: ADS, NTDS
Successor to LAN Manager (Windows NT) domains
Goals
• Open Standards
• High Scalability
• Simplified Administration
• Compatibility with existing Windows NT systems and applications

Page 3

Open Standards

LDAP
• Low-level API to Active Directory
X.500
• Active Directory structure
• Not fully standard-compliant
DNS
• Resource location
• Extensions, e.g. "Dynamic DNS"
Kerberos
• Authentication

Page 4

Active Directory Structure

Hierarchical
Base object: Domain

[Diagram: Objects sit in OUs (which may be nested) inside a Domain; Domains form a Tree; Trees form a Forest]

Page 5

Which objects does Active Directory contain?

"Old friends"
• User
• Group
• Computer
New elements
• Distribution Lists
• System Policies
Application-defined custom objects
• Described in the Schema

Page 6

What is the Schema?

Definition of all AD
• Object types (classes)
• Attributes
• Data types (syntaxes)
Can be compared to a database schema
ONE consistent Schema inside a single Forest
Extensible

Page 7

What is a Domain?

AD base element (building block)
NT 4 compatible
Physically implemented on Domain Controllers (DC)
Border for
• Replication traffic
• System Policies
• Administration

[Diagram: sample domain Firma.de]

Page 8

What is an Organizational Unit (OU)?

Implements a structure inside a Domain
Can be nested as needed
Cannot be assigned any rights (an OU is not a security principal: permissions are set on an OU, never granted to one)
Typically used for administrative reasons
• e.g. System Policies

[Diagram: sample OU structure with LA, New York, Admin and Sales OUs]

Page 9

What is a Tree?

Hierarchical domain structure inside a single namespace
• adiscon.com
• la.adiscon.com
• ny.adiscon.com
Transitive trusts created automatically
Sub-domain must be added to the root domain, otherwise there will be no tree!

[Diagram: tree with adiscon.com at the root and la.adiscon.com, ny.adiscon.com as child domains]

Page 10

What is a Forest?

Combination of Trees
Disjunct namespaces
• adiscon.de
• adiscon.com
Transitive trusts created automatically
There is one single tree-root (the forest root domain)!
Sub-tree must be added to the root tree, otherwise no Forest will be created

Page 11

The Tree-Root

First Domain installed
Single Schema
Absolutely vital!

[Diagram: the Domain / OU / Tree / Forest structure from Page 4, with the tree-root Domain highlighted]

Page 12

Modeling the physical structure

Not related to the logical structure
Modeled via "Sites"
A site is well connected via fast network links
One site can home multiple Domains
One Domain can spread across many sites
Domain database is stored on Domain Controllers

Page 13

Sample Site Structure

Logical and physical structure are totally independent of each other!

[Diagram: Site New York and Site LA; the domains Adiscon.com and sales.adiscon.com spread across both sites]

Page 14

Which role can a server have?

Member Server
Domain Controller
Global Catalog
FSMO
• Special roles carried out by only a limited set of servers
• e.g. PDC Emulator
• e.g. Schema Master

Page 15

What is a Domain Controller?

Stores a physical copy of the Active Directory database
• Currently a single Domain per DC supported!
• ESE95 database (the Extensible Storage Engine also used by MS Exchange)
Logon services
• Kerberos
• LAN Manager authentication
Recommendation: always have at least 2 Domain Controllers!

Page 16

What is a Global Catalog Server?

Answers AD search queries
Must be present to successfully log on
Holds a copy of all objects of the whole Forest...
...but holds only a subset of the attributes
• User-definable
Recommendation: at least one GC per (larger) Site
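The server roles of Page 14 and the Global Catalog of Page 16 can be inventoried from a domain-joined machine. The following is an added example, not part of the slides: it assumes the RSAT ActiveDirectory module, and the function names are this example's own. It lists each DC with its GC flag and FSMO roles, resolves the five FSMO holders, dumps the "user-definable subset of attributes" (the Partial Attribute Set) from the schema, and shows that a forest-wide search must be sent to a GC on port 3268 rather than to a plain DC on 389.

```powershell
# Added example, not from the original slides. Assumes the RSAT ActiveDirectory
# module on a domain-joined machine; function names are this example's own.
Import-Module ActiveDirectory

# One row per DC: its site, whether it is also a GC, and which FSMO roles (if
# any) it holds. Servers missing from this list are member servers.
function Get-DcRoleInventory {
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IPv4Address, IsGlobalCatalog,
            @{ n = 'FsmoRoles'; e = { ($_.OperationMasterRoles | ForEach-Object { "$_" }) -join ',' } }
}

# Two FSMO roles are forest-wide (Get-ADForest), three are per domain (Get-ADDomain).
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# The GC's "subset of the attributes" is the Partial Attribute Set: every
# attributeSchema object flagged isMemberOfPartialAttributeSet=TRUE. Flagging
# another attribute is the slide's "user definable", and every GC in the forest
# then has to replicate it for every object.
function Get-PartialAttributeSet {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName |
        Sort-Object
}

# A forest-wide lookup has to go to a GC on port 3268 (3269 for LDAPS); the
# same filter on a normal DC (port 389) only sees that DC's own domain.
function Find-AccountForestWide {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Escape RFC 4515 special characters so user input cannot alter the filter.
    $escaped = [regex]::Replace($SamAccountName, '[\\*()\x00]',
        [System.Text.RegularExpressions.MatchEvaluator]{ param($m) '\{0:x2}' -f [int][char]$m.Value })
    $gc     = Get-ADDomainController -Discover -Service GlobalCatalog
    $gcHost = $gc.HostName | Select-Object -First 1
    Get-ADObject -Server "${gcHost}:3268" `
        -LDAPFilter "(&(objectCategory=person)(sAMAccountName=$escaped))" `
        -Properties distinguishedName, objectSid
}

Get-DcRoleInventory | Format-Table -AutoSize
Get-FsmoHolders
"Partial Attribute Set: $((Get-PartialAttributeSet).Count) attributes"
```

Get-DcRoleInventory answers the "which role can a server have" question for the whole domain at once; a DC that shows up with an empty FsmoRoles column and IsGlobalCatalog=False is a plain replica, which is exactly what the "at least 2 Domain Controllers" recommendation asks for.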

Page 17

Multi-Master Replication

Updates can be applied to ANY Domain Controller
Will be replicated to each other Domain Controller (inside that Domain) within 15 minutes
Optimized algorithm reduces replication traffic
NOT time based (triggered on demand only)!

Page 18

Inter-Site Replication

All Domain databases involved
Changes are transmitted compressed via IP (RPC) or SMTP
• SMTP not within a single domain!
Time at which replication occurs can be configured
Volume of replication traffic cannot be restricted!
Have an eye on GCs!
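Whether the multi-master replication of Page 17 has actually converged, and what schedule the inter-site links of Page 18 use, can be read from the replication metadata. The block below is an added example, not part of the slides; it assumes the ActiveDirectory module against Windows Server 2012 or later DCs, and the 15-minute staleness threshold and function names are this example's choices.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and
# Windows Server 2012+ domain controllers; function names are this example's own.
Import-Module ActiveDirectory

# Multi-master: every DC pulls from one or more partners per partition. A
# partner with a non-zero LastReplicationResult, or whose LastReplicationSuccess
# is older than the expected intra-site window, marks changes that have not
# converged yet.
function Get-ReplicationStatus {
    param([int]$StaleMinutes = 15)   # the deck's "within 15 minutes"
    $cutoff = (Get-Date).AddMinutes(-$StaleMinutes)
    Get-ADReplicationPartnerMetadata -Target * -Scope Server -Partition * |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
            LastReplicationResult, ConsecutiveReplicationFailures,
            @{ n = 'Stale'; e = { $_.LastReplicationSuccess -lt $cutoff } }
}

# Inter-site replication is compressed and runs on the site link's schedule;
# interval and transport (IP = RPC, or SMTP) are attributes of the link object.
function Get-SiteLinkSchedule {
    Get-ADReplicationSiteLink -Filter * |
        Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } }
}

# Per-attribute metadata shows which DC originated a write and its version
# number. When two DCs change the same attribute before replicating, the
# higher version wins, then the later timestamp, then the originating DSA GUID.
function Get-AttributeOrigin {
    param(
        [Parameter(Mandatory)][string]$Identity,   # distinguished name of the object
        [string]$Attribute = 'description'
    )
    $dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
    Get-ADReplicationAttributeMetadata -Object $Identity -Server $dc |
        Where-Object AttributeName -eq $Attribute |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
            LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn
}

# Only the problem rows: failed or stale partner links.
Get-ReplicationStatus | Where-Object { $_.LastReplicationResult -ne 0 -or $_.Stale } | Format-Table -AutoSize
Get-SiteLinkSchedule | Format-Table -AutoSize
```

The same data is available from `repadmin /showrepl` and `repadmin /replsummary`; the cmdlets make it filterable. The Get-AttributeOrigin output is also what you look at after an unexpected change on a sensitive attribute, because LastOriginatingChangeDirectoryServerIdentity names the DC the write was made on.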

Page 19

Mixed vs. Native Mode?

Mixed Mode supports coexistence with NT 4
• Default
• NT 4 BDCs continue to work
• Enables a "fallback scenario" during migration
Only Native Mode supports all AD features
• Domain database larger than 40 MB (the NT 4 SAM limit)
• Mostly problem-free "MoveTree"
• Universal Groups, group nesting
Once you have switched to Native Mode, there is no way back to Mixed Mode!

Page 20

Are there still Trusts available?

Old-fashioned NT 4 trusts can still be used
• Work like always
• No additional functionality
Must be used to connect different Forests
• Be careful: no common Global Catalog!
Shortcut trusts
• Connect frequently used Domains to each other (performance optimization)

Page 21

Shortcut Trusts

Domain A users frequently access Domain B's resources
No change in logical structure

[Diagram: the Forest from Page 4, with a shortcut trust drawn directly between Domain A in one Tree and Domain B in the other]
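The three kinds of trust on Pages 20 and 21 (automatic intra-forest, external NT 4-style to another forest, shortcut) are all returned by one query. The block below is an added example, not part of the slides; it assumes the ActiveDirectory module, and the classification logic (IntraForest flag plus the DNS names on both sides) is this example's own heuristic.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module; the
# "Kind" classification is this example's own, derived from the trust's
# IntraForest flag and the parent/child relationship of the DNS names.
Import-Module ActiveDirectory

function Get-TrustInventory {
    $mine     = (Get-ADDomain).DNSRoot
    $forest   = Get-ADForest
    $parentOf = { param($dns) ($dns -split '\.', 2)[1] }   # la.adiscon.com -> adiscon.com

    Get-ADTrust -Filter * |
        Select-Object Name, Direction, IntraForest, ForestTransitive,
            SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication,
            @{ n = 'Kind'; e = {
                $p = $_.Name
                if ($_.IntraForest) {
                    # Automatic trusts follow the namespace: parent <-> child, or
                    # tree root <-> forest root for disjunct namespaces (adiscon.de).
                    if ((& $parentOf $mine) -eq $p -or (& $parentOf $p) -eq $mine) {
                        'parent-child (automatic)'
                    }
                    elseif (($mine -eq $forest.RootDomain -or $p -eq $forest.RootDomain) -and
                            $forest.Domains -notcontains (& $parentOf $p) -and
                            $forest.Domains -notcontains (& $parentOf $mine)) {
                        'tree-root (automatic)'
                    }
                    else { 'shortcut (created by hand, performance only)' }
                }
                elseif ($_.ForestTransitive) { 'forest trust (other forest, no common GC)' }
                else { 'external NT 4-style (other forest/domain, no common GC)' }
            } }
}

Get-TrustInventory | Format-Table -AutoSize

# A shortcut trust is created and checked with netdom (run as a member of
# Domain Admins in the trusting domain), e.g. between the two child domains:
#   netdom trust la.adiscon.com /d:ny.adiscon.com /add /twoway
#   netdom trust la.adiscon.com /d:ny.adiscon.com /verify
```

Anything reported as external or forest trust is the case the slide warns about: the other side has no common Global Catalog with you, so a forest-wide search on your GC will never return its objects, and authentication crosses the trust instead of staying inside the forest.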

Page 22

Vital for AD: DNS!

DNS is Active Directory's locator service
Without correctly configured DNS no working Active Directory!
• Currently the TOP 1 trouble spot
Can be hosted on non-MS DNS
• Minimum BIND version 8.1.2
• No special characters in computer names
• Not really an option
• Recommendation: delegate a separate "AD zone" on the non-MS DNS and use MS-DNS for that zone. Saves lots of trouble!
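"Locator service" means concretely that clients find DCs, KDCs, the PDC emulator and GCs through SRV records under _msdcs. The block below is an added example, not part of the slides: it assumes the built-in DnsClient cmdlet Resolve-DnsName (Windows 8 / Server 2012 and later), uses the deck's adiscon.com as the sample domain, and the function name and output columns are this example's own. It resolves each locator record and checks that every SRV target also resolves to an address, which is the usual failure behind the "no working Active Directory" symptom.

```powershell
# Added example, not from the slides. adiscon.com is the deck's sample domain;
# Resolve-DnsName is the built-in DnsClient cmdlet (Windows 8 / Server 2012+).
# Function name and output shape are this example's own.
function Test-AdDnsLocator {
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. la.adiscon.com
        [string]$ForestRoot = $Domain,              # GC records are registered under the forest root
        [string]$Site                               # e.g. LA, to also check the site-specific record
    )
    # The SRV names a domain member resolves to find each service. Each answer's
    # target must in turn resolve to an address, or the client cannot connect.
    $queries = [ordered]@{
        'DC (LDAP)'      = "_ldap._tcp.dc._msdcs.$Domain"
        'KDC (Kerberos)' = "_kerberos._tcp.dc._msdcs.$Domain"
        'PDC emulator'   = "_ldap._tcp.pdc._msdcs.$Domain"
        'Global Catalog' = "_gc._tcp.$ForestRoot"
    }
    if ($Site) { $queries["DC in site $Site"] = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }

    foreach ($label in $queries.Keys) {
        $name = $queries[$label]
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
            foreach ($r in $srv) {
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
                [pscustomobject]@{
                    Service = $label; Query = $name; Target = $r.NameTarget; Port = $r.Port
                    Priority = $r.Priority; Weight = $r.Weight; TargetResolves = [bool]$a
                }
            }
        } catch {
            # No SRV record at all: this service cannot be located by any client.
            [pscustomobject]@{
                Service = $label; Query = $name; Target = $null; Port = $null
                Priority = $null; Weight = $null; TargetResolves = $false
            }
        }
    }
}

# Usage. The OS-level equivalents are `nltest /dsgetdc:adiscon.com` (what the
# DC locator actually picks) and `dcdiag /test:dns` on a DC.
Test-AdDnsLocator -Domain adiscon.com -Site LA | Format-Table -AutoSize
```

A row with TargetResolves=False is the classic stale-registration problem: the SRV record names a DC whose A record has gone, so clients try it and time out. This is also why the slide recommends delegating the _msdcs/AD zone to MS-DNS with dynamic updates, so the DCs keep these records current themselves.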

Page 23

Who is using Active Directory?

Windows 2000
• Authentication
• System Policies
Directory-enabled applications
• Please do not overlook them when planning your AD!

Page 24

What are Directory-Enabled Applications?

Applications directly using and accessing the Active Directory
• e.g. Exchange 2000
• Many more expected!
Typically extend the Schema
May dramatically change the usage pattern for Active Directory resources
• Replication traffic (new objects, attributes)
• AD queries (GCs!)

Page 25

Active Directory Security

Improved authentication
Permissions applied via ACLs
• To objects as a whole
• To specific attributes
Fine-tuning of access permissions possible
Tool support to visualize security settings currently weak (try Visio!)

Page 26

What is Kerberos?

"Age-old" Internet standard, mature
Commonly used under Unix
Secure authentication thanks to encryption
Standard authentication model under Windows 2000
Microsoft Kerberos not fully compatible with other Kerberos implementations

Page 27

Delegation of Administration

Admin rights can be delegated to Users or Groups
• NOT to OUs!
Delegation via wizards
Currently an "admin nightmare": very hard to detect who has rights
• All objects must be viewed separately and manually
• Currently no good tools, but expected to be available in the future
• Microsoft itself also plans to provide additional tools

Page 28

Inheritance in Active Directory

From top to bottom
Inheritance can only be blocked completely
• No IRF (Inherited Rights Filter) like Novell
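Pages 25, 27 and 28 together describe the hard part: permissions live in ACLs on objects and on individual attributes, they are delegated to users or groups, they inherit downwards, and there is no tool to see who was given what. The block below is an added example, not part of the slides, of doing that by hand with the ActiveDirectory module (which provides the AD: drive for Get-Acl/Set-Acl); the function names and the list of default identities it filters out are this example's own. It lists every explicit delegation on every OU, resolving the attribute and extended-right GUIDs to names so attribute-level ACEs become readable, and shows the all-or-nothing inheritance block the slide contrasts with Novell's IRF.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module (it
# provides the AD: drive used by Get-Acl/Set-Acl). Function names and the
# default-identity filter are this example's own.
Import-Module ActiveDirectory

# ACEs on AD objects carry two GUIDs: ObjectType (the attribute, property set or
# extended right the ACE covers) and InheritedObjectType (the class of child
# object it applies to). Resolve both to names from the schema and the
# Extended-Rights container; cache the lookup table.
$script:GuidNames = @{}
function Resolve-AdGuid {
    param([guid]$Guid, [string]$EmptyLabel)
    if ($Guid -eq [guid]::Empty) { return $EmptyLabel }
    if ($script:GuidNames.Count -eq 0) {
        $root = Get-ADRootDSE
        Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
            -Properties lDAPDisplayName, schemaIDGUID |
            ForEach-Object { $script:GuidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
        Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
            -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
            ForEach-Object { $script:GuidNames[[guid]$_.rightsGuid] = $_.displayName }
    }
    if ($script:GuidNames.ContainsKey($Guid)) { $script:GuidNames[$Guid] } else { "$Guid" }
}

# Every explicit (non-inherited) ACE on every OU, minus the identities that are
# there by default. This is the "who has rights where" list the deck says has
# to be collected object by object.
function Get-OuDelegations {
    $defaultIds = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
                    'Everyone', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
                    'BUILTIN\Print Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access')
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            if ($defaultIds -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU                = $ou.DistinguishedName
                Identity          = $ace.IdentityReference.Value
                Type              = $ace.AccessControlType
                Rights            = $ace.ActiveDirectoryRights
                Property          = Resolve-AdGuid $ace.ObjectType '(whole object)'
                AppliesTo         = Resolve-AdGuid $ace.InheritedObjectType '(all child classes)'
                Inheritance       = $ace.InheritanceType
                BlocksInheritance = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Inheritance can only be switched off for the whole object: protect the ACL and
# either keep the inherited ACEs as explicit copies or drop them entirely.
function Set-OuInheritanceBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OuDn, [switch]$KeepInheritedAsExplicit)
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedAsExplicit)
    if ($PSCmdlet.ShouldProcess($OuDn, 'block ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

Get-OuDelegations | Sort-Object OU, Identity | Format-Table -AutoSize
```

Rows whose Property column names a single attribute (for example a password-reset extended right or write access to one attribute) are the fine-tuned permissions of Page 25; rows whose Identity is a group you do not recognize are the delegations the wizard left behind. Run Set-OuInheritanceBlock with -WhatIf first; once protected, an OU stops receiving any ACE from above, there is no way to filter just some of them.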

Page 29

Groups

Basically, like under NT 4
• Local Groups are assigned permissions
• Global Groups contain Users from a single Domain
• Global Groups are members of Local Groups for permission assignment
New: Universal Groups
• Can be used everywhere in every Domain (permissions, members)
• Implemented via GC: replication traffic limits usability
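The group pattern the slide describes (users in Global groups, Global groups in Local groups, permissions on the Local group) and the replication cost of Universal groups can both be put into practice as below. This is an added example, not part of the slides; it assumes the ActiveDirectory module and a Native-Mode (or later) domain, since Universal groups and nesting require it, and the group naming and function names are this example's own.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and a
# Native-Mode (or later) domain; group prefixes and function names are this
# example's own.
Import-Module ActiveDirectory

# AGDLP: Accounts go into a Global group (one domain), the Global group goes into
# a Domain Local group, and only the Domain Local group is ever put on an ACL.
function New-AgdlpRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Role,      # e.g. 'Sales-Readers'
        [Parameter(Mandatory)][string]$OuPath,    # e.g. 'OU=Groups,DC=adiscon,DC=com'
        [string[]]$Members = @()                  # sAMAccountNames of the users
    )
    if (-not $PSCmdlet.ShouldProcess($Role, 'create G-/DL- group pair')) { return }
    $g  = New-ADGroup -Name "G-$Role"  -GroupScope Global      -GroupCategory Security -Path $OuPath -PassThru
    $dl = New-ADGroup -Name "DL-$Role" -GroupScope DomainLocal -GroupCategory Security -Path $OuPath -PassThru
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $g -Members $Members }
    Add-ADGroupMember -Identity $dl -Members $g
    [pscustomobject]@{ Global = $g.DistinguishedName; DomainLocal = $dl.DistinguishedName }
}

# Universal group membership is stored in the GC, so every member change is
# replicated to every GC in the forest. Report Universal groups that hold users
# directly; the cheap pattern is a Universal group that contains only Global
# groups, because then day-to-day user changes never touch the GC.
function Get-UniversalGroupReport {
    Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties member |
        ForEach-Object {
            $members = @($_.member)
            $users   = @($members | Where-Object { (Get-ADObject -Identity $_).ObjectClass -eq 'user' })
            [pscustomobject]@{
                Group         = $_.Name
                DirectMembers = $members.Count
                DirectUsers   = $users.Count
                Advice        = if ($users.Count -gt 0) { 'move users into a Global group and nest that' } else { 'ok' }
            }
        } | Sort-Object DirectMembers -Descending
}

# Effective membership through all nesting levels: "who really gets this permission".
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive | Select-Object Name, objectClass, distinguishedName
}

Get-UniversalGroupReport | Format-Table -AutoSize
```

Get-EffectiveMembers on a DL- group is the check to run before trusting an ACL: with nesting allowed in Native Mode, a Global group added to a Domain Local group brings in every user of that Global group, including users from another domain's Global group if a Universal group sits in between.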

Page 30

Active Directory Problem Spots

DNS dependency
No "Merge-Tree"
No partitioning (only a single Domain per Domain Controller)
Limited tool support
Forest-global Schema
Schema modifications cannot be undone
Issues will be addressed over time by Microsoft (keep in mind AD is Version 1.0!)

Page 31

Importance of AD for Microsoft's Strategy

Most important product
All new Microsoft products need or at least work better with Active Directory
• Exchange 2000
• SQL Server 2000
• ...
Bill Gates: "We have bet Microsoft on Active Directory."

Page 32

Questions?

[email protected] (adiscon.com)
www.windows-expert.net