Overview of Active Directory Domain Services Lesson 1.


Transcript of Overview of Active Directory Domain Services Lesson 1.

Page 1: Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services

Lesson 1

Page 2: Overview of Active Directory Domain Services Lesson 1.

Chapter Objectives

• Identify Active Directory functions and benefits.

• Identify the major components that make up an Active Directory structure.

• Identify how DNS relates to Active Directory.

• Identify forest and domain functional levels.

Page 3: Overview of Active Directory Domain Services Lesson 1.

Directory Service

• A network service that identifies all resources on a network and makes those resources accessible to users and applications.

• The most common directory service standards are:

– X.500 (http://en.wikipedia.org/wiki/X.500)

– Lightweight Directory Access Protocol (LDAP) (http://en.wikipedia.org/wiki/LDAP)

Page 4: Overview of Active Directory Domain Services Lesson 1.

X.500

• Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive.

Page 5: Overview of Active Directory Domain Services Lesson 1.

Lightweight Directory Access Protocol (LDAP)

• Industry standard.

• Slimmed-down version of X.500, modified to run over TCP/IP networks.

Page 6: Overview of Active Directory Domain Services Lesson 1.

Active Directory

• A directory service that uses the “tree” concept for managing resources on a Windows network. (DOMAINS)

• Stores information about the network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies.

• Identifies all resources on a network and makes them accessible to users and applications.

Page 7: Overview of Active Directory Domain Services Lesson 1.

Active Directory

• Used in:

– Windows 2000

– Windows Server 2003

– Windows Server 2008

• Subsequent versions of Active Directory have introduced new functionality and security features.

Page 8: Overview of Active Directory Domain Services Lesson 1.

Active Directory

• Windows Server 2008 provides two directory services:

– Active Directory Domain Services (AD DS), for managing users and resources in a domain environment.

– Active Directory Lightweight Directory Services (AD LDS), used by developers for OS software and applications; it cannot be used to administer users and resources.

Page 9: Overview of Active Directory Domain Services Lesson 1.

Active Directory Domain Services (AD DS)

• Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server.

Page 10: Overview of Active Directory Domain Services Lesson 1.

Active Directory Lightweight Directory Services (AD LDS)

• Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.

Page 11: Overview of Active Directory Domain Services Lesson 1.

Domain Controller (DC)

• Server that stores the Active Directory database and authenticates users with the network during logon. (PARTITIONED DATABASE)

• Stores database information in a file called ntds.dit.

• Active Directory is a multimaster database and uses multimaster replication.

– Information is automatically replicated between multiple domain controllers.

Page 12: Overview of Active Directory Domain Services Lesson 1.

Active Directory Functions and Benefits

• Centralized resource and security administration.

• Single logon for access to global resources.

• Fault tolerance and redundancy.

• Simplified resource location. (USES THE GLOBAL CATALOG FOR THE FOREST; PUBLISH OBJECTS IN ACTIVE DIRECTORY)

Page 13: Overview of Active Directory Domain Services Lesson 1.

Centralizing Resources and Security Administration

• Active Directory provides a single point from which administrators can manage network resources and their associated security objects.

• MMC consoles found in Administrative Tools:

– Active Directory Users and Computers (DSA.MSC)

– Active Directory Sites and Services (DSSITE.MSC)

– Active Directory Domains and Trusts (DOMAIN.MSC)

– ADSI Edit (adsiedit.msc)

Page 14: Overview of Active Directory Domain Services Lesson 1.

Fault Tolerance and Redundancy

• Active Directory uses a multimaster domain controller design.

• Changes made on one domain controller are replicated to all other domain controllers in the environment.

• It is recommended to have two or more domain controllers for each domain.

WHY??? Fault tolerance (redundancy)

Page 15: Overview of Active Directory Domain Services Lesson 1.

Read-Only Domain Controller (RODC)

• Introduced with Windows Server 2008.

• A domain controller that holds a copy of the ntds.dit file that cannot be modified locally and that does not replicate changes out to other domain controllers in Active Directory.

Page 16: Overview of Active Directory Domain Services Lesson 1.

Simplifying Resource Location

• Allows file and print resources to be published within Active Directory.

• Examples include:

– Shared folders

– Printers

Page 17: Overview of Active Directory Domain Services Lesson 1.

Active Directory Components

• Forests – One or more domain trees, with each tree having its own unique namespace.

• Domain trees – One or more domains with a contiguous namespace.

• Domains – A logical unit (grouping) of computers and network resources that defines a security boundary.

Page 18: Overview of Active Directory Domain Services Lesson 1.

Active Directory Components

• Common attributes shared by Active Directory objects include:

– Unique name

– Globally unique identifier (OBJECT GUID) (can be found using adsiedit.msc)

– Required object attributes

– Optional object attributes

Page 19: Overview of Active Directory Domain Services Lesson 1.

GUID Definition and Uses

• A globally unique identifier or GUID (pronounced /ˈɡuːɪd/ or /ˈɡwɪd/) is a unique reference number used as an identifier in computer software. The term GUID is also used for Microsoft's implementation of the Universally Unique Identifier (UUID) standard.

• The value of a GUID is represented as a 32-character hexadecimal string, such as {21EC2020-3AEA-1069-A2DD-08002B30309D}, and is usually stored as a 128-bit integer. The total number of unique keys is 2^128, or about 3.4×10^38: roughly 2 trillion per cubic millimeter of the entire volume of the Earth. This number is so large that the probability of the same number being generated randomly twice is extremely small.

• Database servers can use GUIDs to create unique row identifiers, solving the chicken-and-egg problem inherent in sequential row IDs.

• Microsoft Windows uses GUIDs internally to identify the classes and interfaces of COM objects. A script can activate a specific class or object without having to know the name or location of the dynamic link library that contains it.

• Intel's GUID Partition Table (GPT), a system for partitioning hard drives.

• ActiveX, a system for downloading and installing controls in a web browser, uses GUIDs to uniquely identify each control.

• Second Life uses GUIDs for identification of all assets in its world.
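The slide lists three ways the same GUID appears: a braced 32-hex-digit string, a 128-bit integer, and a stored binary value. The following Python is an added worked example (not from the slides or from Microsoft) that converts the slide's sample GUID between those forms. It also shows the detail that matters when the GUID is an Active Directory objectGUID: AD stores the value as 16 raw bytes in Microsoft's mixed-endian layout (Python's `bytes_le`), so reading it with the plain network byte order produces a different, wrong string. The LDAP filter helper uses the standard RFC 4515 `\xx` escaping for binary values; the example's function names are my own.

```python
"""Worked example (added, not from the slides): the three forms of a GUID.

A GUID such as {21EC2020-3AEA-1069-A2DD-08002B30309D} is one 128-bit value
whether shown as the braced hex string, as an integer, or as the 16 raw
bytes that Active Directory keeps in an object's objectGUID attribute.
Windows stores the first three GUID fields little-endian, so decoding an
objectGUID read over LDAP needs uuid.UUID(bytes_le=...), not bytes=...
"""
import uuid

# The sample value shown on the slide.
SLIDE_GUID = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"


def parse_guid(text: str) -> uuid.UUID:
    """Accept the braced, hyphenated registry/COM form (or bare hex)."""
    return uuid.UUID(text.strip("{}"))


def to_braced_string(g: uuid.UUID) -> str:
    """Registry/COM style: upper-case hex digits inside braces."""
    return "{" + str(g).upper() + "}"


def to_int(g: uuid.UUID) -> int:
    """The 128-bit integer the slide mentions (big-endian reading of the hex)."""
    return g.int


def to_ad_bytes(g: uuid.UUID) -> bytes:
    """16-byte form as stored in objectGUID (Microsoft mixed-endian layout)."""
    return g.bytes_le


def from_ad_bytes(raw: bytes) -> uuid.UUID:
    """Decode a raw objectGUID value (e.g. from an LDAP search) back to a GUID."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return uuid.UUID(bytes_le=raw)


def naive_decode_is_wrong(raw: bytes) -> bool:
    """Show the pitfall: treating the bytes as big-endian gives another GUID."""
    return uuid.UUID(bytes=raw) != uuid.UUID(bytes_le=raw)


def ldap_filter_for_guid(g: uuid.UUID) -> str:
    """Equality filter on objectGUID; binary filter values are \\xx-escaped (RFC 4515)."""
    escaped = "".join(f"\\{b:02x}" for b in g.bytes_le)
    return f"(objectGUID={escaped})"


if __name__ == "__main__":
    g = parse_guid(SLIDE_GUID)
    print(to_braced_string(g))        # the slide's string form
    print(to_int(g))                  # the 128-bit integer form
    print(to_ad_bytes(g).hex())       # what objectGUID holds on disk/over LDAP
    print(ldap_filter_for_guid(g))    # how to search for that object by GUID
```

Round-tripping `to_ad_bytes` through `from_ad_bytes` returns the original GUID; `naive_decode_is_wrong` returns True for this value because the first three fields are not byte-order symmetric.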

Page 20: Overview of Active Directory Domain Services Lesson 1.

Understanding the Schema

• Defines the objects stored within Active Directory and the properties (attributes) associated with each object.

– A user has different properties than a group, which in turn has different properties than a computer.

– Run REGSVR32 SCHMMGMT.DLL to be able to create an MMC console that views the schema.

Page 21: Overview of Active Directory Domain Services Lesson 1.

Active Directory Naming Standard

• Below is an example of a “DN” (Distinguished Name).

• Example:

– cn=JSmith, ou=sales, dc=lucernepublishing, dc=com

– Use ADSI Edit to view a user's DN.
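To make the naming standard concrete, here is an added Python example (mine, not part of the slides) that takes apart the slide's DN, cn=JSmith, ou=sales, dc=lucernepublishing, dc=com, into its relative distinguished names, derives the domain's DNS name from the dc= components, and finds the container the object lives in. It also handles the case a naive split on commas gets wrong: RFC 4514 backslash escapes, such as a comma inside a common name. The function names are my own; the second sample DN with "Smith\, John" is constructed for the example.

```python
"""Worked example (added, not from the slides): parsing a Distinguished Name.

A DN reads left to right from the object to the root: cn=JSmith sits in
ou=sales, which sits in the domain whose DNS name is built from the dc=
components (lucernepublishing.com). Values may contain backslash-escaped
characters (RFC 4514), e.g. cn=Smith\, John, so the parser must not split
on every comma.
"""
import re
from typing import List, Tuple

# The DN shown on the slide.
SLIDE_DN = "cn=JSmith, ou=sales, dc=lucernepublishing, dc=com"


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Split one 'attr=value' relative distinguished name."""
    attr, sep, value = rdn.strip().partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (attribute, value) pairs."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":                 # unescaped comma ends the RDN
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def unescape(value: str) -> str:
    """Remove RFC 4514 backslash escapes from an RDN value."""
    return re.sub(r"\\(.)", r"\1", value)


def domain_dns_name(dn: str) -> str:
    """The dc= components, in order, joined with dots."""
    return ".".join(unescape(v) for a, v in parse_dn(dn) if a == "dc")


def parent_container(dn: str) -> str:
    """Drop the leftmost RDN to get the container that holds the object."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def relative_name(dn: str) -> str:
    """The object's own name (leftmost RDN value) with escapes removed."""
    return unescape(parse_dn(dn)[0][1])


if __name__ == "__main__":
    print(parse_dn(SLIDE_DN))
    print(domain_dns_name(SLIDE_DN))   # lucernepublishing.com
    print(parent_container(SLIDE_DN))  # ou=sales,dc=lucernepublishing,dc=com
    print(relative_name("cn=Smith\\, John,ou=sales,dc=example,dc=com"))
```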

Page 22: Overview of Active Directory Domain Services Lesson 1.

Domain Name System (DNS)

• Provides name resolution for a TCP/IP network.

• Active Directory requires DNS as the default name resolution method.

• Example resource records (RR):

– Host (A) – Host name to IP.

– Pointer (PTR) – IP to host name.

– Service (SRV) – Locator service for LDAP/domain controller services.
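The three record types above work together when a client looks for a domain controller: it asks for the SRV record of the LDAP service, picks a target by priority and weight, then resolves that host's A record (PTR goes the other way). The Python below is an added example, not from the slides and not a real resolver: it runs over a small constructed zone for lucernepublishing.com and implements the RFC 2782 selection order (lowest priority number first, weight-proportional choice among equals). The _ldap._tcp.dc._msdcs name is the standard DC locator record name; the host names and addresses are made up for the example.

```python
"""Worked example (added, not from the slides): locating a DC through DNS.

Constructed records, not a real zone. The client queries the SRV record
_ldap._tcp.dc._msdcs.<domain>, orders the answers per RFC 2782 (lower
priority first, weighted random among equal priority), then resolves the
chosen target's A record. PTR answers the reverse question.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share among equal-priority targets
    port: int
    target: str


# Constructed sample zone for lucernepublishing.com (the slide's domain).
SRV_RECORDS: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.dc._msdcs.lucernepublishing.com": [
        SrvRecord(0, 100, 389, "dc1.lucernepublishing.com"),
        SrvRecord(0, 100, 389, "dc2.lucernepublishing.com"),
        SrvRecord(10, 0, 389, "rodc1.lucernepublishing.com"),  # fallback only
    ],
}
A_RECORDS: Dict[str, str] = {
    "dc1.lucernepublishing.com": "10.0.0.11",
    "dc2.lucernepublishing.com": "10.0.0.12",
    "rodc1.lucernepublishing.com": "10.0.5.11",
}
PTR_RECORDS: Dict[str, str] = {ip: host for host, ip in A_RECORDS.items()}


def reverse_name(ip: str) -> str:
    """10.0.0.11 -> 11.0.0.10.in-addr.arpa, the owner name of the PTR query."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR: IP address back to host name."""
    return PTR_RECORDS.get(ip)


def order_srv(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """RFC 2782 ordering: by priority, weighted-random within each priority."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate_dc(domain: str, rng=random) -> Optional[Tuple[str, str, int]]:
    """SRV -> A: return (host, ip, port) of the first usable LDAP target."""
    answers = SRV_RECORDS.get(f"_ldap._tcp.dc._msdcs.{domain}")
    if not answers:
        return None  # no SRV records: clients cannot find a DC at all
    for rec in order_srv(answers, rng):
        ip = A_RECORDS.get(rec.target)
        if ip:
            return rec.target, ip, rec.port
    return None


if __name__ == "__main__":
    print(locate_dc("lucernepublishing.com"))
    print(reverse_name("10.0.0.11"), "->", reverse_lookup("10.0.0.11"))
```

The read-only DC carries priority 10 and weight 0, so it is tried only when both writable DCs are absent from the A data; that mirrors why a missing or wrong SRV record shows up as "cannot locate a domain controller" rather than as an LDAP error.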

Page 23: Overview of Active Directory Domain Services Lesson 1.

Functions of DNS (you must remember these)

• DNS provides name resolution (both forward and reverse name resolution).

• DNS functions as a service locator for services offered by Active Directory domain controllers.

• DNS provides a naming context for Active Directory.

Page 24: Overview of Active Directory Domain Services Lesson 1.

Functional Levels

• Allow interoperability with prior versions of Microsoft Windows.

• Higher functional levels no longer allow domain controllers running older versions of Windows, but add functionality or features.

• Raising a functional level is a one-way process.

Page 25: Overview of Active Directory Domain Services Lesson 1.

Domain Functional Levels

(Slide shows a table of domain functional levels, with the default functional level marked.)

Page 26: Overview of Active Directory Domain Services Lesson 1.

Forest Functional Levels

(Slide shows a table of forest functional levels, with the default functional level marked.)

Page 27: Overview of Active Directory Domain Services Lesson 1.

Using Forest Functional Levels

• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.

• The functional level of a forest can be raised only on a server that holds the Schema Master role.

• (one of 5 FSMO roles found in a forest)
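The rules spread across the Functional Levels and Using Forest Functional Levels slides (raising is one-way, a higher level shuts out domain controllers on older Windows versions, and a forest raise needs an Enterprise Admin working on the Schema Master) are easy to state as a pre-flight check. The Python below is an added example of my own, not Microsoft's tooling: the level names follow the slides, and the DC inventory, group membership and FSMO-holder flag are constructed inputs standing in for what an administrator would read from the directory.

```python
"""Worked example (added, not from the slides): pre-flight check for raising
a domain or forest functional level.

Rules taken from the slides: (1) a level can only go up, never down;
(2) every DC must already run a Windows version that supports the target
level, because higher levels exclude older DCs; (3) a forest raise must be
done by an Enterprise Admin on the Schema Master. The inventory, group list
and FSMO flag are constructed inputs for the example.
"""
from typing import Dict, Iterable, List

# Level names as used on the slides, lowest first. A DC's OS version is
# expressed with the same names: a Windows Server 2008 DC supports the
# 2008 level and every level below it.
LEVELS: List[str] = ["Windows 2000", "Windows Server 2003", "Windows Server 2008"]


def level_index(level: str) -> int:
    """Position in the ordered level list; unknown names are an error."""
    if level not in LEVELS:
        raise ValueError(f"unknown functional level: {level!r}")
    return LEVELS.index(level)


def raise_problems(current: str, target: str, dc_os_versions: Dict[str, str],
                   operator_groups: Iterable[str] = (), on_schema_master: bool = False,
                   scope: str = "domain") -> List[str]:
    """Return every reason the raise would be refused; an empty list means go."""
    problems: List[str] = []
    if level_index(target) < level_index(current):
        problems.append("functional levels can only be raised, never lowered")
    # Higher levels exclude DCs on older OS versions, so check the inventory.
    for dc, os_version in sorted(dc_os_versions.items()):
        if level_index(os_version) < level_index(target):
            problems.append(f"{dc} runs {os_version}, which does not support {target}")
    if scope == "forest":
        if "Enterprise Admins" not in set(operator_groups):
            problems.append("forest raise requires membership of Enterprise Admins")
        if not on_schema_master:
            problems.append("forest raise must be performed on the Schema Master")
    return problems


def can_raise(current: str, target: str, dc_os_versions: Dict[str, str],
              operator_groups: Iterable[str] = (), on_schema_master: bool = False,
              scope: str = "domain") -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not raise_problems(current, target, dc_os_versions,
                              operator_groups, on_schema_master, scope)


if __name__ == "__main__":
    # Constructed inventory: one DC still on Windows Server 2003.
    dcs = {"dc1": "Windows Server 2008", "dc2": "Windows Server 2003"}
    for problem in raise_problems("Windows 2000", "Windows Server 2008", dcs,
                                  {"Domain Admins"}, False, scope="forest"):
        print("blocked:", problem)
```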

Page 28: Overview of Active Directory Domain Services Lesson 1.

Trust Relationships

• Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks.

• A trust relationship allows administrators from a particular domain to grant access to their domain’s resources to users in other domains. AGDLP ….. REMEMBER?

Page 29: Overview of Active Directory Domain Services Lesson 1.

Trust Relationships

• When a child domain is created, it automatically receives a two-way transitive trust with its parent domain.

• Trusts are transitive:

If domain A trusts domain B

And domain B trusts domain C

Then domain A trusts domain C
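The A/B/C rule above is a reachability question over trust edges, which is how a practitioner checks which domains' users could end up with access to a given domain's resources. The Python below is an added example (mine, not from the slides) that builds the automatic two-way transitive parent/child trusts for a small constructed forest under lucernepublishing.com, adds one one-way non-transitive external trust, and computes the set of domains each domain trusts. It goes a step beyond the slide by showing where a non-transitive trust stops the chain. Domain names other than the slide's lucernepublishing.com are made up for the example.

```python
"""Worked example (added, not from the slides): transitive trust reachability.

A trust edge points from the trusting domain to the trusted domain: the
trusting domain's administrators can grant its resources to the trusted
domain's users. Parent/child trusts inside a forest are created two-way and
transitive, so A trusts B and B trusts C gives A trusts C. A non-transitive
trust (e.g. an external trust to another organisation) is honoured for the
direct pair only and does not extend the chain in either direction.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str
    trusted: str
    transitive: bool = True


def parent_child_trusts(parent: str, child: str) -> List[Trust]:
    """Creating a child domain yields an automatic two-way transitive trust."""
    return [Trust(parent, child, True), Trust(child, parent, True)]


def forest_trusts(pairs: Iterable[Tuple[str, str]]) -> List[Trust]:
    """All automatic trusts for a forest given its (parent, child) pairs."""
    trusts: List[Trust] = []
    for parent, child in pairs:
        trusts.extend(parent_child_trusts(parent, child))
    return trusts


def trusted_domains(start: str, trusts: Iterable[Trust]) -> Set[str]:
    """Domains whose users 'start' can grant access to, following trust chains.

    A chain may continue past a domain only while every trust on it so far
    is transitive; the first hop may be non-transitive (direct trust only).
    """
    trusts = list(trusts)
    reached: Set[str] = set()
    visited = {(start, True)}                 # (domain, chain fully transitive)
    queue = deque([(start, True)])
    while queue:
        dom, chain_ok = queue.popleft()
        for t in trusts:
            if t.trusting != dom or t.trusted == start:
                continue
            if dom != start and not (chain_ok and t.transitive):
                continue                      # non-transitive: direct pair only
            state = (t.trusted, chain_ok and t.transitive)
            if state in visited:
                continue
            visited.add(state)
            reached.add(t.trusted)
            queue.append(state)
    return reached


# Constructed forest: root with two children and one grandchild, plus a
# one-way, non-transitive external trust from the sales domain to a partner.
ROOT = "lucernepublishing.com"
SALES = "sales." + ROOT
RESEARCH = "research." + ROOT
EMEA = "emea." + SALES
PARTNER = "partner.example"

FOREST = forest_trusts([(ROOT, SALES), (ROOT, RESEARCH), (SALES, EMEA)])
ALL_TRUSTS = FOREST + [Trust(SALES, PARTNER, transitive=False)]


if __name__ == "__main__":
    for dom in (EMEA, SALES, PARTNER):
        print(dom, "trusts", sorted(trusted_domains(dom, ALL_TRUSTS)))
```

Read the output as "who can be granted access here": the partner domain's users can be granted access only in sales, and the partner domain itself trusts no one because the external trust is one-way.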

Page 30: Overview of Active Directory Domain Services Lesson 1.

Chapter Summary

• Active Directory is a database of objects that are used to organize resources according to a logical plan.

– These objects include containers such as domains and OUs in addition to resources such as users, computers, and printers.

• The Active Directory schema includes definitions of all objects and attributes within a single forest.

– Each forest maintains its own Active Directory schema.

Page 31: Overview of Active Directory Domain Services Lesson 1.

Chapter Summary

• Active Directory requires DNS to support SRV records.

– Microsoft recommends that DNS support dynamic updates.

Page 32: Overview of Active Directory Domain Services Lesson 1.

Chapter Summary

• Domain and forest functional levels are new features of Windows Server 2008.

– The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design.

– The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features.

Page 33: Overview of Active Directory Domain Services Lesson 1.

Chapter Summary

• Two-way transitive trusts are automatically generated within the Active Directory domain structure.

– Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources.

– The ISTG (Inter-Site Topology Generator) is responsible for this process.

Page 34: Overview of Active Directory Domain Services Lesson 1.

Chapter Summary

• Cross-forest trusts are new to Windows Server 2003, and they are only available when the forest functional level is set to Windows Server 2003 or higher.

– They must be manually created and maintained.