2. What are directory services?
All directory services use a hierarchical structure that stores information about objects on the network. What differentiates the various implementations is the types of objects that they track.
3. What objects are tracked via Directory Services?
• Shared Resources:
– Servers
– Shared volumes
– Printers
– Applications
• Administration of:
– Users
– User/Group access
– Network resources
– Management of domains, applications, services, security policies, and just about everything else in your network.
4. Directory Services Common Features:
• Provide file shares
• Authenticate users
• Provide services, such as e-mail, Internet access, print services, etc.
• Control access to services and shares.
5. Key Features of Active Directory
• AD is a namespace that is integrated with the Internet's Domain Name System (DNS).
• AD is a new directory service central to the Windows 2000 Server operating system; it runs only on domain controllers.
Some directory services are integrated with an operating system, and others are applications such as e-mail directories. Operating system directory services, such as AD, provide user, computer, and shared resource management.
6. Active Directory utilizes a
distributed architecture
• Active Directory, in addition to providing a
place to store data and services to make that
data available, also protects network objects
from unauthorized access and replicates
information about objects across the entire
network so that information about objects is
not lost if one domain controller fails.
7. Terminology
• Site: A site is a physical location, or LAN. This is
different from a web site, which is an
organization’s internet presence.
• Domain:
– (1) A sub-network comprised of a group of clients and
servers under the control of one security database.
Dividing LANs into domains improves performance
and security.
– (2) All resources under the control of a single computer
system.
9. Basic Network Identity Services
– Dynamic Host Configuration Protocol (DHCP)
– Domain Name System (DNS)
– Lightweight Directory Access Protocol (LDAP)
– Public Key Infrastructure (PKI)
– Remote Authentication Dial-In User Service (RADIUS)
– Microsoft's Active Directory
– Novell Directory Services (NDS)
10. Identity Service Providers
SERVICE SPECIFICS
• Most mid-sized to large enterprises today are likely to run
about a half dozen network identity services to connect their
business applications and network infrastructure.
• These services each have specific roles to play in the network.
But they often also interact with one another, too.
• Network identity services each perform specific tasks and also
frequently interact. Managing interactions becomes
challenging when multiple internal organizations administer
the various services, which may be duplicated in numerous
locations throughout the network and use different data stores.
11. DNS
Domain Name System
• DNS is a globally distributed database that
manages IP addresses on the internet.
• DNS uses a hierarchy of domains on the internet.
– Top-level domains use the familiar names like .com, .edu, .gov.
– Second-level domains are registered to organizations that have a presence on the web.
Active Directory is designed to exist within the scope of
the Global DNS Namespace.
13. LDAP
• Lightweight Directory Access Protocol
(LDAP) -- a protocol used to access a
directory service.
• LDAP is the primary access protocol for Active Directory.
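As an added example (not from the slides), here is what LDAP access to Active Directory looks like in practice: search filters built over AD attribute names (objectClass, sAMAccountName, memberOf), with the value escaping from RFC 4515 applied so that text taken from a user cannot change the filter's structure. The logon name and group DN used below are constructed placeholders.

```python
# RFC 4515 escaping for a value embedded in an LDAP search filter; these five
# characters are the only ones with structural meaning inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape untrusted text before placing it in a filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_lookup_filter(logon_name):
    """Filter for a user object by its AD logon name (sAMAccountName attribute)."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(logon_name)}))"

def group_members_filter(group_dn):
    """Filter for user objects whose memberOf attribute lists the given group DN."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"

if __name__ == "__main__":
    # Constructed sample values; the DN is a placeholder, not a real directory.
    print(user_lookup_filter("jdoe"))
    print(user_lookup_filter("O'Brien (Sales)*"))
    print(group_members_filter("CN=Help Desk,OU=Groups,DC=example,DC=com"))
```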
14. Active Directory's Global
Catalog
• The global catalog is the mechanism that
tracks all of the objects managed across the
network, across all domains within the
organization.
• Elements of the catalog are replicated
across all of the domain controllers within
all domains across the org.
15. Global Catalog -Service Discovery
• For Active Directory to function properly, DNS
servers must support Service Location (SRV)
resource records.
• SRV resource records map the name of a service
to the name of a server offering that service.
Active Directory clients and domain controllers
use SRV resource records to determine the IP
addresses of domain controllers.
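As an added example (not part of the original slides), the following Python shows how a client turns the SRV records described above into an ordered list of domain controllers to try, following the priority/weight rules of RFC 2782. The zone data is constructed for an assumed example.com domain, while the _ldap._tcp.dc._msdcs, _kerberos._tcp.dc._msdcs and _gc._tcp names are the ones Active Directory registers in DNS.

```python
import random
import re
from collections import defaultdict, namedtuple
# Fields per RFC 2782: priority (lower tried first), weight (load share), port, target host.
SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed zone data for an assumed "example.com" domain (not real servers);
# _ldap/_kerberos under dc._msdcs and _gc._tcp are names AD registers in DNS.
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.example.com.     600 IN SRV 0  100 389  dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.     600 IN SRV 0  50  389  dc2.example.com.
_ldap._tcp.dc._msdcs.example.com.     600 IN SRV 10 0   389  dc-backup.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0  100 88   dc1.example.com.
_gc._tcp.example.com.                 600 IN SRV 0  100 3268 dc1.example.com.
"""
SRV_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
                      r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_zone(text):
    """Collect SRV records from zone-file text; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"]))
    return records

def order_targets(records, service, seed=None):
    """(target, port) pairs in the order a client should try them (RFC 2782):
    lowest priority first; within one priority, weighted random by weight."""
    rng = random.Random(seed)
    by_priority = defaultdict(list)
    for r in records:
        if r.name.lower() == service.lower():   # DNS names are case-insensitive
            by_priority[r.priority].append(r)
    ordered = []
    for prio in sorted(by_priority):
        pool = by_priority[prio]
        while pool:                       # draw one record at a time
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # 0..total inclusive; 0 when all weights are 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:       # first record whose running sum reaches pick
                    ordered.append((r.target, r.port))
                    pool.remove(r)
                    break
    return ordered
```

Calling `order_targets(parse_zone(SAMPLE_ZONE), "_ldap._tcp.dc._msdcs.example.com.")` always lists dc1 and dc2 (in weighted random order) before dc-backup, which is only tried when the priority-0 controllers fail.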
16. Domain authority
• Active Directory replicates its administration
information across domain controllers throughout
the “forest” utilizing a “multi-master” approach.
• Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.
17. Authentication
• Each domain controller has information for the
entire forest to support authentication and access
control.
• This provides the ability for local domain
controllers (the “tree”) to provide a quick local
lookup of authority.
• Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.
18. An example of an Active Directory implementation
PING North America
Benefits from using Active Directory
• Reduced one IT staff member’s workload by 40 percent, freeing 800 hours per year to work on new projects
• Significant cost savings due to server consolidation and elimination of mainframe and NetWare
• Increased security and stability through centralized desktop management
• Active Directory also gives PING a single repository for all types of information.
Source: Microsoft
19. Time Savings
Before
• For PCs that were still running Windows NT Workstation or Windows 98, it would take as much as 40 hours of effort to manually visit each desktop and install the patch.
After
• For desktops that are running Windows XP Professional, a group policy can be created that will push a new security patch out to all of them in less than 30 minutes.
20. Repository of Information
Before
• Spreadsheets had to be created and maintained for user locations, office numbers, phone numbers, etc.
After
• All of the information is now managed in a single place and is updated using a single interface.
21. Increased Security
• Since Active Directory provides a single point of management for all systems, desktops can be locked down in a known, secure state and kept current with software updates and security patches with minimal time and effort.
23. Mac OS X Server v10.3 Open Directory 2
• The latest version of Apple’s standards-based directory and authentication services architecture.
• The Open Directory architecture makes it easy to integrate Mac OS X client and server systems into your existing network infrastructure. It’s compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft’s Active Directory and Novell’s eDirectory.
24. Open Directory Features:
• Support for mixed-platform environments
• Strong authentication options (Kerberos)
• Reliability and scalability
25. References:
• Mac OS X Open Directory: http://www.apple.com/server/macosx/open_directory.html
• Microsoft Active Directory: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/projplan/adarch.mspx
• Ping: http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=15304
• General: http://www.microsoft.com
• Gaining Control of Your Network Identity Infrastructure…: http://www.bitpipe.com/detail/RES/1082474885_246.html
Editor's Notes
Network Identity services are used to access user credentials, access rights, and permissions.
They are basically designed to link business applications to physical network devices.
Any mix of network identity services might be present in your enterprise, depending on the preferences of personnel in charge of application servers and network infrastructure equipment.
DNS &LDAP
The server locates host computers by converting names that users enter into IP addresses that computers use to communicate.
The hierarchy of domains basically makes the internet into one big namespace.
DNS helps you find the computer that you are trying to locate and tells the domain controller what kind of services the computer offers, such as print and file services, and applications.
Active directory’s Domain Controllers act as PEERS.
Each domain controller can host only one domain (possibly a site, portions of a site, or multiple sites).
The global catalog is administered on a single domain controller called the OPERATIONS MASTER, but relevant information from that is propagated to all of the domain controllers across the organization.
The operations master periodically queries each domain controller across the organization to keep the global catalog up to date on the services currently available in any given domain.
It uses DNS, and LDAP to discover services run by other servers across the network.
The OPERATIONS MASTER then sends this information in a condensed format to each domain controller on the network.
Active Directory is designed specifically to work with DNS. SRV records are described in the Internet Engineering Task Force (IETF) Internet Draft called draft-ietf-dnsind-rfc2052bis-02.txt, "A DNS RR for specifying the location of services (DNS SRV)". (Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups.)
Since all domain controllers are PEERS, they have been given the same information by the OPERATIONS MASTER.
System administrators can delegate some of their administrative functions to regular users if they choose to, to enable people like HR representatives to reset passwords or edit group membership.
As object (user account, group membership) status is modified by people with administrative privileges anywhere on the network, that information is modified directly on the OPERATIONS MASTER, and then propagated to the rest of the domain controllers. This means there is a single machine that handles all administrative changes centrally, then distributes the modified picture to all of the other domain controllers as soon as the changes are made. Most medium to large companies would have backup/redundant operations master machines, so if one went down, another machine would take on that role.
So what the client pc’s or end users mostly see is the interaction with their local domain controller.
The distributed nature of all authentication information means that users would be able to log in at any site and access the resources they have rights to, whether it's their main office or an office across the country.
I’m going to hand it over to Robert who will now cover a real-world implementation of Active Directory
We looked for open source implementation of Active Directory, or similar directory services.
It's not like Microsoft would allow anyone to use the name Active Directory in an open source project, so we had to read between the lines to find anything.
What we found was that Mac OS provides a similar service to Active Directory
They have integrated a number of open source projects to create Open Directory, using OpenLDAP, Berkeley Database for object management, and Kerberos for security.
The Open Directory architecture allows Mac OS X Server to work seamlessly in virtually any managed network environment. Using the built-in directory access modules, Mac OS X Server can read and write data stored in any LDAP server — even Microsoft’s proprietary Active Directory. The server can also access records in legacy directories such as NIS, NetInfo, and local BSD configuration files (/etc).