Introduction to Active Directory Services
![Page 1: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/1.jpg)
Introduction to Active Directory Services
• Completely integrated with Microsoft Windows 2000 Server
• Integrates the Internet concept of namespace with the operating system’s directory service
• Allows a single point of administration for all published resources
![Page 2: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/2.jpg)
Understanding Active Directory Concepts
• Extensible schema
• Global catalog
• Namespace
• Naming conventions
![Page 3: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/3.jpg)
Extensible Schema
Extending the schema is an advanced operation, intended to be performed by experienced programmers and system administrators.
![Page 4: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/4.jpg)
Global Catalog
• The global catalog is the central repository of information about objects in a domain tree or forest.
• The global catalog is a service as well as a physical storage location that contains a replica of selected attributes of every object in the Active Directory store.
• By default, the first domain controller is a global catalog server.
• Additional domain controllers can also be designated as global catalog servers by using the Active Directory Sites And Services snap-in.
![Page 5: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/5.jpg)
Namespace
![Page 6: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/6.jpg)
Naming Conventions
• Distinguished names (DNs)
• Relative distinguished names (RDNs)
• Globally unique identifiers (GUIDs)
• User principal names (UPNs)
![Page 7: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/7.jpg)
Distinguished Names (DNs)
• Objects are located within Active Directory domains according to a hierarchical path.
• Every object in the Active Directory store has a DN, which uniquely identifies the object.
• The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object. For example: DC=msft/DC=Contoso/CN=Users/CN=John Smith
![Page 8: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/8.jpg)
Relative Distinguished Names (RDNs)
• The RDN is one of an object’s attributes.
• The RDN is part of the full DN. For example: CN=John Smith
• Active Directory services allows duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU.
![Page 9: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/9.jpg)
Globally Unique Identifiers (GUIDs)
![Page 10: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/10.jpg)
User Principal Names (UPNs)
• The UPN is a friendly name that is shorter than the DN and easier to remember.
• The UPN consists of a shorthand name that represents the user and usually the DNS name of the domain where the object resides.
• Example: [email protected]
![Page 11: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/11.jpg)
Structure of Active Directory Architecture
• Data model
• Schema
• Security model
• Administration model
![Page 12: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/12.jpg)
Access to Active Directory Services
• Protocol Support
• Application programming interfaces (APIs)
• Virtual containers
![Page 13: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/13.jpg)
Protocol Support
• LDAP is the Active Directory core protocol.
• Active Directory services supports remote procedure call (RPC) interfaces, which in turn support Messaging Application Programming Interface (MAPI) interfaces.
• The Active Directory information model is derived from the X.500 information model.
![Page 14: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/14.jpg)
Application Programming Interfaces (APIs)
• Active Directory Service Interfaces (ADSI)
• LDAP C API
• Windows MAPI
![Page 15: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/15.jpg)
Virtual Containers
• Active Directory services supports virtual containers, which allow any LDAP-compliant directory to be accessed transparently through Active Directory services.
• The virtual container is implemented via location information in the Active Directory store.
![Page 16: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/16.jpg)
Directory Service Architecture
• Interfaces
• Directory System Agent (DSA)
• Database layer
• Extensible Storage Engine (ESE)
• Data store (Ntds.dit)
![Page 17: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/17.jpg)
Active Directory Key Service Components
![Page 18: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/18.jpg)
Interfaces
• LDAP provides the API for LDAP clients and exposes the ADSI so that additional applications can be written that can talk to the Active Directory services.
• REPL is used by the replication service to facilitate Active Directory replication via RPC over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP).
• SAM provides down-level compatibility to facilitate communication between Microsoft Windows 2000 and Microsoft Windows NT 4.0 domains.
• MAPI supports legacy MAPI clients.
![Page 19: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/19.jpg)
Directory System Agent (DSA)
• Object identification
• Transaction processing
• Schema enforcement of updates
• Access control enforcement
• Support for replication
• Referrals
![Page 20: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/20.jpg)
Database Layer
• Provides an object view of database information by applying schema semantics to database records
• Is an internal interface that is not exposed to the public
• Follows the parent references in the database and concatenates the successive RDNs to form DNs
• Translates each DN into an integer structure called the DN tag, which is used for internal access
• Is responsible for the creation, retrieval, and deletion of individual records, attributes, and values
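The DN and RDN rules from the Naming Conventions slides (a DN is the path through the container hierarchy; the same RDN may recur in the directory but not within one container) and the database layer's parent-reference concatenation and DN-tag translation described above, as an added example in Python. This is not the slides' or Microsoft's code; the record layout, tag values and object names are constructed sample data.

```python
# Added example (not from the slides or Microsoft): a toy model of the database
# layer's DN handling. Records carry an integer DN tag and a parent tag; DNs are
# formed by concatenating RDNs up the parent chain. Names are constructed sample data.

# dn_tag -> (parent_tag, rdn); tag 0 is the directory root and has no record.
RECORDS = {
    1: (0, "DC=msft"),
    2: (1, "DC=Contoso"),
    3: (2, "CN=Users"),
    4: (3, "CN=John Smith"),          # the slides' example object
    5: (2, "OU=Sales"),
    6: (5, "CN=Smith\\, John"),       # RDN with an escaped comma in its value
}

def build_dn(tag: int) -> str:
    """Follow parent references and concatenate RDNs, leaf first (LDAP string form)."""
    rdns = []
    while tag != 0:
        parent, rdn = RECORDS[tag]
        rdns.append(rdn)
        tag = parent
    return ",".join(rdns)

def split_dn(dn: str) -> list:
    """Split a DN into its RDNs; a backslash-escaped comma is part of the value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts

def resolve_dn(dn: str):
    """Translate a DN into its DN tag by walking the tree root-first (case-insensitive)."""
    tag = 0
    for rdn in reversed(split_dn(dn)):
        match = [t for t, (p, r) in RECORDS.items() if p == tag and r.lower() == rdn.lower()]
        if not match:
            return None
        tag = match[0]
    return tag

def add_object(parent_tag: int, rdn: str) -> int:
    """Duplicate RDNs are fine across the directory, but not within one container."""
    if any(p == parent_tag and r.lower() == rdn.lower() for p, r in RECORDS.values()):
        raise ValueError(f"{rdn} already exists under {build_dn(parent_tag)}")
    tag = max(RECORDS) + 1
    RECORDS[tag] = (parent_tag, rdn)
    return tag
```

The slides write the same path root-first with slashes (DC=msft/DC=Contoso/CN=Users/CN=John Smith); the LDAP string form produced here lists the same RDNs leaf-first, separated by commas.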
![Page 21: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/21.jpg)
Extensible Storage Engine (ESE)
• A new and improved version of the JET database
• Implements a transacted database system that uses log files to ensure that committed transactions are safe
• Stores all Active Directory objects
• Comes with a predefined schema that defines all the attributes required and allowed for a given object
• Stores attributes that can have multiple values
![Page 22: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/22.jpg)
Introduction to Namespace Planning
• The Active Directory namespace is the top-level qualified domain name for the company.
• You must determine whether the internal and external namespaces will be the same or separate.
![Page 23: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/23.jpg)
Defining a Namespace Architecture
• Introduction
• Root domain
• First-layer domains
• Second-layer domains
![Page 24: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/24.jpg)
Introduction to OU Planning
• OUs should reflect the details of the organization’s business structure.
• Create OUs to delegate administrative control over smaller groups of users, groups, and resources.
• OUs eliminate the need to provide users with administrative access at the domain level.
• OUs inherit security policies from the parent domain and parent OU unless inheritance is specifically disabled.
![Page 25: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/25.jpg)
Creating the OU Structure
• You should begin your OU design by creating an OU structure for the first domain in the namespace.
• When you create an OU, you should determine who will be able to view and control certain objects and what level of administration each administrator will have over the objects.
![Page 26: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/26.jpg)
OU Design Guidelines
• Create OUs to delegate administration.
• Create a logical and meaningful OU structure that allows OU administrators to complete their tasks efficiently.
• Create OUs to apply security policies.
• Create OUs to manage the visibility of published resources.
• Create OU structures that are relatively static. OUs also give the namespace flexibility to adapt to changing needs of the enterprise.
• Avoid allocating too many child objects to any OU.
![Page 27: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/27.jpg)
Structure the OU Hierarchy
• Administration-based or object-based OUs
• Geographical-based OUs
• Business function–based OUs
• Department-based OUs
• Project-based OUs
![Page 28: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/28.jpg)
Introduction to Site Planning
• The physical design of a Windows 2000 network is demarcated by site.
• The Active Directory replication engine allows you to differentiate between replication over a LAN and replication over a WAN.
• How you set up your sites affects Windows 2000 with respect to workstation logon and directory replication.
• In Active Directory services, sites are not part of the namespace.
• Properly planned sites ensure that network links are not saturated by replication traffic, that Active Directory services stay current, and that client computers access resources that are closest to them.
• When planning how to group subnets into sites, consider the connection speed between the subnets.
![Page 29: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/29.jpg)
Optimizing Workstation Logon Traffic
• When planning sites, consider which domain controllers workstations should use.
• To have a particular workstation log on to a specific set of domain controllers, define the sites so that only those domain controllers are on the same site as the workstation.
![Page 30: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/30.jpg)
Optimizing Directory Replication
• When planning sites, consider where the domain controllers will be located.
• Configure sites so that replication occurs at times or intervals that will not interfere with network performance.
• When implementing sites in branch offices, base your planning on the size of the branch office.
![Page 31: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/31.jpg)
Introduction to the Active Directory Installation Wizard
![Page 32: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/32.jpg)
Adding or Creating a Domain Controller
• If you add a domain controller to an existing domain, you create a peer domain controller.
• If you create the first domain controller for a new domain, you are creating not only the domain controller but also a new domain.
![Page 33: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/33.jpg)
Adding a Domain Controller to an Existing Domain
![Page 34: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/34.jpg)
Creating a New Child Domain
![Page 35: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/35.jpg)
Creating a New Domain Tree
![Page 36: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/36.jpg)
Adding a Domain Tree to a Forest
![Page 37: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/37.jpg)
The Active Directory Database and the Shared System Volume
Created when Active Directory Services is installed
![Page 38: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/38.jpg)
The Active Directory Database
• The database is a file named Ntds.dit, which is the directory for the new domain.
• The default location for the database and the database log files is %systemroot%\Ntds, although you can specify a different location.
• The database contains all the information stored in the Active Directory store.
• The Ntds.dit file is an ESE database that contains the entire schema, the global catalog, and all the objects stored on that domain controller.
![Page 39: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/39.jpg)
The Shared System Volume
• The shared system volume is a folder structure that exists on all Windows 2000 domain controllers.
• The shared system volume stores scripts and some of the group policy objects for the current domain as well as the enterprise.
• Replication of the shared system volume occurs on the same schedule as Active Directory replication.
![Page 40: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/40.jpg)
Domain Modes
• Mixed mode
• Native mode
![Page 41: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/41.jpg)
Introduction to OUs and their Objects
• Each Active Directory object is a distinct named set of attributes that represents a specific network resource.
• Before objects are added to Active Directory services, you should create the OUs that will contain those objects.
![Page 42: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/42.jpg)
Creating OUs
![Page 43: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/43.jpg)
Adding Objects to OUs
• Contact
• Group
• User
• Shared Folder
• Printer
• Computer
![Page 44: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/44.jpg)
Locating Objects
![Page 45: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/45.jpg)
Modifying Attributes and Deleting Objects
• You can modify the attributes of an object to change or add information.
• You can modify an object’s attribute by opening the properties for that object in the Active Directory Users And Computers snap-in.
• To maintain security, delete objects when they are no longer needed.
![Page 46: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/46.jpg)
Moving Objects
• You can move objects from one location in the Active Directory store to another location.
• You should move objects when organization or administrative functions change.
![Page 47: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/47.jpg)
Managing Active Directory Permissions
• Use Active Directory permissions to determine who has the permissions to gain access to the object and what type of access is allowed.
• The object type determines which permissions you can select.
• Permissions inheritance minimizes the number of times you need to assign permissions for objects.
![Page 48: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/48.jpg)
Delegating Administrative Control of Objects
• You can delegate administrative control of objects to individuals.
• Use the Delegation Of Control wizard to delegate control of objects.
• An administrator can delegate specific types of control.
• The most common method of delegating control is to assign permissions at the OU level.
• To delegate administrative control, you should try to follow specific guidelines.
• You can access the Delegation Of Control wizard through the Active Directory Users And Computers snap-in.
![Page 49: Introduction to Active Directory Services](https://reader033.fdocuments.in/reader033/viewer/2022061612/5681364b550346895d9dcb55/html5/thumbnails/49.jpg)
Guidelines for Administering Active Directory Services
• Coordinate Active Directory structure with other administrators.
• Complete all attributes when creating objects.
• Use deny permissions sparingly.
• Ensure that at least one user has Full Control permission for each object.
• Ensure that delegated users take responsibility and can be held accountable.
• Provide training for users who control objects.
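The inheritance behaviour described on the OU Planning and Managing Active Directory Permissions slides (objects inherit permissions from the parent domain and parent OU unless inheritance is specifically disabled), together with two of the guidelines above (use deny permissions sparingly; ensure at least one user has Full Control for each object), as an added example in Python. This is not the slides' or Microsoft's code: the evaluation order (explicit ACEs before inherited ones, deny before allow within each layer) is assumed from the Windows canonical DACL order, group membership is not modelled, and the principals, OUs and rights are constructed sample data.

```python
# Added example (not from the slides or Microsoft): ACE inheritance on an OU tree.
# Assumed evaluation order: explicit ACEs before inherited, deny before allow per
# layer. Group membership is not modelled; all names are constructed sample data.
from dataclasses import dataclass, field

FULL_CONTROL = frozenset({"read", "write", "delete", "modify_permissions"})

@dataclass
class Ace:
    principal: str
    rights: frozenset
    allow: bool = True          # False = deny ACE

@dataclass
class Node:
    name: str                   # this node's RDN, e.g. "OU=Sales"
    parent: "Node | None" = None
    aces: list = field(default_factory=list)   # ACEs set directly on this node
    block_inheritance: bool = False            # "inheritance specifically disabled"
    def dn(self) -> str:
        return self.name if self.parent is None else f"{self.name},{self.parent.dn()}"

def ace_layers(node: Node) -> list:
    """Own ACEs first, then each ancestor's, stopping where inheritance is blocked."""
    layers, cur = [node.aces], node
    while not cur.block_inheritance and cur.parent is not None:
        cur = cur.parent
        layers.append(cur.aces)
    return layers

def effective_rights(node: Node, principal: str) -> frozenset:
    """First ACE to decide a right wins; deny ACEs are evaluated before allow in each layer."""
    granted, decided = set(), set()
    for layer in ace_layers(node):
        for ace in sorted(layer, key=lambda a: a.allow):   # deny (False) sorts first
            if ace.principal != principal:
                continue
            for right in ace.rights - decided:
                decided.add(right)
                if ace.allow:
                    granted.add(right)
    return frozenset(granted)

def audit(node: Node, principals: list) -> list:
    """Guideline checks: someone must hold Full Control, and explicit denies are flagged."""
    findings = []
    if not any(effective_rights(node, p) >= FULL_CONTROL for p in principals):
        findings.append(f"{node.dn()}: no principal holds Full Control")
    findings += [f"{node.dn()}: explicit deny for {a.principal}" for a in node.aces if not a.allow]
    return findings

def sample_tree() -> dict:
    """Constructed sample: admins at the root, a delegated Sales OU, an HR OU that blocks inheritance."""
    domain = Node("DC=Contoso", aces=[Ace("Domain Admins", FULL_CONTROL)])
    sales = Node("OU=Sales", domain, aces=[Ace("SalesAdmins", frozenset({"read", "write"}))])
    hr = Node("OU=HR", domain, block_inheritance=True,
              aces=[Ace("HRAdmins", FULL_CONTROL), Ace("SalesAdmins", frozenset({"read"}), allow=False)])
    temps = Node("OU=Temps", sales, aces=[Ace("SalesAdmins", frozenset({"write"}), allow=False)])
    return {"domain": domain, "sales": sales, "hr": hr, "temps": temps}
```

Running `audit` over every node of a tree shows the two guideline violations the slides warn about: an OU that blocks inheritance without granting anyone Full Control, and deny ACEs that override what a delegated administrator was granted higher up.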