Understanding Active Directory inWindows Server 2003
Contents Active Directory Features of Active Directory Active Directory Logical Components Active Directory Physical Components FSMO Roles
What Is Active Directory? Active DirectoryDirectory service Centralized managementfunctionality Organize Single point of Manage Resources administration Control
Features Store Information Use DNS Authentication and Authorization Group policies Replication
SINGLE POINT OF AUTHENTICATION Before directory services Server1 Server2 Server3 After directory services Active Directory Single sign-on
Active Directory Logical Components Domains Trees Forests Organizational Units
Domains Logical partition in Active Directory database Collections of users, computers, groups, and so on Manage objects Replication Windows 2000 or Windows Server 2003 Domain
TREES , FOREST AND OU Forest root and tree root ou Domain tree root parent ou HP .com MPHASIS .com child child . west HP .com . east HP.com39
Active Directory Physical Components Domain Controllers Sites
Domain Controllers Writable copy of the AD database Domain controllers provide authentication and authorization services Domain controllers replicate directory partitions Every domain controller in the forest has a replica of schema and configuration partition
Sites Collection of well connected ip subnets Areas of “fast” network connectivity Single site may contain many domains Single domain may span many sites Domain Site Domain controllers are associated with a given site
Global catalog Global catalog The global catalog is a domain controller that contains attributes for every object in the Active Directory. The commonly used attributes need in queries, such as a users first and last name, and logon name. All the information or records which are important to determine the location of any object in the directory. All the access related permissions for every object and attribute that is stored in the global
Flexible Single Master Operations Most operations in Active Directory are multi-master, meaning that any domain controller can write to the Active Directory database Some functionality must not be performed in multi- master fashion, so five single master operations roles are defined in Active Directory: Schema master Domain naming master RID master PDC emulator Infrastructure master
TABLE OF CONTENTS Overview of DNS DNS Responsibilities DNS Delegation DNS Queries Root Hints & Forwarders DNS zones DNS Resource Record Advantage & Disadvantages Of DNS Installation Of DNS Configuration Of DNS Server to Client Summary
What is DNS? Internet Protocol Distributed database Maps hierarchically organized keys to values E.g. host name to IP address Mailer records Name space
DNS Namespace .( root) com mil org edu gov net arpa uk fr3com dell ati co ac ox ic oucs bnc chem
DNS Responsibilities DNS Database is distributed No one server is responsible for the whole namespace Given name server is responsible for part of the namespace Called a zone Server is “authoritative” for the zone
Delegation of Authority Each primary and secondary name server is authoritative for its domain. For example, if a DNS server contains the zone files for the Contoso.com domain, that server is the authoritative name server for that domain. The authoritative name server, the server will not forward any queries about hosts in that zone to any other DNS server.
DNS Queries DNS is having two types queries : - Recursive Queries Iterative Queries
Recursive Queries A recursive query is one where the DNS server will fully answer the query or give an error. DNS servers are not required to support recursive queries and both the resolver or another DNS acting recursively on behalf of another resolver negotiate use of recursive service using bits in the query headers.
Iterative Queries The response to an iterative query can be either the name resolution that the client requested or a referral to another DNS server that might be able to fulfill the request. In our example, the ISP’s DNS server sends an iterative query to a root server asking for the IP address for www.NAmerica.Contoso.com.
Root hints and Forwarders Root hints table provides IP addresses of name servers for root domain Starting point for iterative queries DNS server can be configured as forwarder Queries for information about which it is not authoritative forwarded to other name servers.
Name servers A name server may be authoritative for more than one zone Should be a minimum of two name servers for a zone One server is primary “Start of authority” for zone maintains a zone file which has information about the zone. Updates are made to the primary server Others are secondarys Updates to primary are replicated to secondarys (zone transfer) Stubs zones can be delegated to other name servers
Active Directory IntegrationForward Lookup Zones Stores all Resource Records for Zone Translates FQDN into IP Addresses Required by AD to locate Services
Active Directory IntegrationReverse Lookup Zones Stores all PTR records for Zone Resolves IP Addresses to FQDN Application Security
Installing and Managing DNSDNS Resource Records Start of Authority (SOA) Name Server (NS) Host (A) Alias (CNAME) Mail Exchanger (MX) Pointer (PTR) Service Location (SRV)
Advantages of chosen AD DNS Setup Main DNS remains secure Host names controlled at central level Client configuration remains unchanged Only main DNS servers visible outside firewall Allows dynamic DNS for DCs DCs need this most Can use Active Directory integrated zones More secure Multi master replication
Disadvantages of chosen AD DNS Setup DNS queries carry no information about the client that triggered the name resolution. Ability to handle names does not increase with availability of content.
Installing and Managing DNSInstallation Wizard Simplifies Configuration of Server Roles Installs Only Required Components Ensures Secure Configuration
Steps to Configure DNS onSubsequent Domain Controllers Ensure the DNS setup on first DC is correct and working before installing other DCs Disable secure updates for all sub domains on first DC Ensure new server is configured to use only the first DC as DNS server in its TCP/IP configuration Promote server to domain controller Make sure that its entries are registered in DNS Enable secure updates for sub domains on first DC If desired, install DNS on new DC Set as its own DNS server in TCP/IP config
Problem Expected in D-2-D Operations Name Resolving network connectivity The scope of the problem Try pinging a host Error SRV , CNAME & Host file
Monitor DNS Server Applications Manager provides in- depth availability and performance monitoring of DNS (Domain Name System). It also monitors individual attribute of DNS monitor such as Response Time, Record Type, Record Available, Search Field, Search Value, Search Value Status and Search Time.
Daily checklist Ensure that the operating system is properly working & is in the domain. Ensure that administrator account is well protected. Ensure that the DNS machine has been configured so that no other service other than DNS is running. Identify domains to be load balanced Ensure delegate of sub domain on the primary DNS for use by the DNS Controller. Ensure that all default shares have been unshared on that machine and that no anonymous access to the services is allowed. Ensure that all unused ports are closed.
SUMMARY Name resolution is a process of converting a computer name of address. AD services requires DNS to function on the network. Types of zones: Primary , secondary & stub zone. AD integrated DNS services offers a more efficient & secure zone than a traditional DNS server. Zone transfer occurs in traditional DNS zones. Zone replication occurs in AD integrated zones
Objectives• Outline the benefits of using DHCP• Describe the DHCP lease and renewal process• Install and authorize the DHCP service• Configure DHCP scopes• Create DHCP reservations for client computers• Configure DHCP options• Understand and describe the purpose of a DHCP relay• Install and configure a DHCP relay
What is DHCP?• It stands for Dynamic Host Configuration Protocol• DHCP automatically assign the IP address to the computer• The ipconfig /all command will indicate whether the configuration came from a DHCP server computer
Leasing an IP Address• An IP address is leased during the boot process• Default lease period is 8 days• Maximum lease period is 999 days• Leasing an IP address is performed by DORA process
DORA Process• DORA process means DHCP DISCOVER DHCP OFFER DHCP REQUEST DHCP ACK
Simple network DHCP Server DHCP Clients DHCP Clients DHCP Server DHCP protocol is a mainly 4-step process: Hello Mr. Server, I need to connect to the UDP Port UDP Port UDP Port DHCP server discover UDP Port Internet, could you be kind 68 68 68 67 Okme up with an IP in dude, I got some Broadcast to hook address?pool of address, I my lend you it. Check it out? DHCP server offer Your IP : 18.104.22.168 Thank you Mr. Server, I Router like your offer. I will use DHCP request it. Unicast You’re welcome, here is your configuration but DHCP acknowledge it’s only for 3 days. Internet 76
DHCP Message Types DHCP Message Use DHCPDISCOVER Client broadcast to locate available servers DHCPOFFER Server to client response offering configuration parameters DHCPREQUEST Client broadcast requesting offered parameters DHCPDECLINE Client to server notification that IP address is in use DHCPACK Server to client response confirming a request DHCPNAK Server to client response denying a request DHCPRELEASE Client to server request to relinquish IP address DHCPINFORM Client to server request for configuration parameters 77
Renewing an IP Address The IP address can either be permanent or timed A permanent address is never reused for another client Timed leases expire after a certain amount of time Windows clients attempt to renew their lease after 50% of the lease time has expired A DHCP server may either honor or reject a renew request 79
Authorizing the DHCP Service• Unauthorized DHCP servers can hand out bad information• DHCP will not start unless authorized• If Active Directory is used, authorization takes place in Active Directory• DHCP servers are automatically authorized under certain conditions
Creating a Scope• Create a scope to distribute IP addresses to client computers• Manually enter the IP configuration settings as directed by the text• Create a new scope using the configuration settings provided
Configuring DHCP Scope• Scope is a range of IP address• Each scope is configured with: • Description • Starting IP address • Ending IP address • Subnet mask • Exclusions Range • Lease duration
Configuring DHCP Scope• Create a scope to distribute IP addresses to client computers• Manually enter the IP configuration settings as directed by the text• Create a new scope using the configuration settings provided
Types of Scope • Super Scopes • Multicast Scopes
Super scopes• It is a collection of individual scope• Combine two scopes into a single logical unit using a super scopes• First, create a second scope in addition to the scope already created in a previous activity• Create a super scopes to encompass the two scopes• Use the DHCP snap-in for this activity
Multicast scopes• It is used to deliver multicast address to a group of computers• It is defined by using the following parameters • Starting IP address • Ending IP address • TTL • Exclusions • Lease duration
Creating DHCP Reservations• Reservations are used to hand out a specific IP address to a particular client• Reservations are created based on MAC addresses
Vendor and User classes Used to differentiate between clients within a scope Vendor classes are based on the operating system User classes are defined based on network connectivity or the administrator You can use the ipconfig /setclassid command to set the DHCP user class ID
Configuring Relay agents DHCP packets cannot travel across a router A relay agent is necessary in order to have a single DHCP server handle all leases Relay agents receive broadcast DHCP packets and forward them as unicast packets to a DHCP server The DHCP relay cannot be installed on the same server as the DHCP service
Comparison between Wintel and Unix Wintel UnixEase of Use Microsoft has made several Although the majority Linux advancements and changes that variants have improved have made it a much easier to dramatically in ease of use, use operating system, and Windows is still much easier to although arguably it may not be use for new computer users. the easiest operating system, it is still Easier than Linux.Open source Microsoft Windows is not open Many of the Linux variants and source and the majority of many Linux programs are open Windows programs are not open source and enable users to source. customize or modify the code however they wish to.
Comparison between Wintel and Unix(cont…) Wintel UnixReliability Although Microsoft Windows has The majority of Linux variants made great improvements in and versions are notoriously reliability over the last few reliable and can often run for versions of Windows, it still months and years without cannot match the reliability of needing to be rebooted. Linux.Software Because of the large amount of Linux has a large variety of Microsoft Windows users, there is available software programs and a much larger selection of utilities. However, Windows has available software programs, a much larger selection of utilities, and games for Windows. available software.
Comparison between Wintel and Unix(con…) Wintel UnixSoftware cost Although Windows does have Many of the available software software programs, utilities, and programs and utilities available on games for free, the majority of Linux are freeware and/or open the software the costs can be source. Even such complex considerable programs such as Gimp, Open Office, Star Office, and wine are available for free or at a low cost.Hardware Because of the amount of Linux companies and hardware Microsoft Windows users and manufacturers have made great the broader driver support, advancements in hardware support Windows has a much larger for Linux and today Linux will support for hardware devices support most hardware devices. and a good majority of hardware However, many companies still do manufacturers will support their not offer drivers or support for products in Microsoft Windows. their hardware in Linux.
Comparison between Wintel and Unix(con…) Wintel UnixSecurity Although Microsoft has made Linux is and has always been a great improvements over the years very secure operating system. with security on their operating Although it still can be attacked system, their operating system when compared to Windows, it continues to be the most much more secure. vulnerable to viruses and other attacks.Support Microsoft Windows includes its Although it may be more own help section, has vast amount difficult to find users familiar of available online documentation with all Linux variants, there and help, as well as books on each are vast amounts of available of the versions of Windows. online documentation and help, available books, and support available for Linux.
Advantage of Wintel and Unix Wintel UnixLots of software and games are developed for More control and flexibility.windows. Unix has greater built-in security andWindows is user friendly. permissions features than Windows.Simply stated, the main difference is Unix possesses much greater processingWindows uses a GUI (Graphical User power than Windows.Interface) and UNIX does not. In Windows oneuses the click of a mouse to execute a less administration and maintenance.command where as in UNIX one must type in acommand. Unix is more flexible and can be installed on many different types of machines, includingWindows can often more easily be installed main-frame computers, supercomputers andand configured to run on cheaper hardware to micro-computers.run a desired 3rd party product.Windows hosting is more easily madecompatible with UNIX-based programming
Disadvantage of Wintel and Unix Wintel UnixVery bloated with many features most Front Page Extensionspeople dont use, thus slowing down the If you are using Microsoft Front Page to developcomputer and takes excessive hard drive your website, you will need to make sure that yourspace. However this shouldnt be much of a Unix host offers Front Page extensions. If you don’tproblem with newer computers. have these extensions, you will not be able to use Front Page to its complete abilities. Most UnixThere are many viruses programmed for based hosts are now offering these extensions, butwindows. there are still several that do not. No .ASPCan get a little pricey. If you plan to use Active Server Pages or .ASP for your website, you will not be able to use thisWintel has lower built-in security and language on a Unix server. Since this scriptingpermissions features than Unix language is gaining in popularity, this can be a tremendous downside if you select a Unix basedUnix possesses much greater processing host.power than Windows. No Visual Basic Like .ASP, Visual Basic is not supported on Unix based hosting, so again, if you plan to use this, or
ConclusionThe best way to choose between UNIX and windows is todetermine organizational needs. If an organization uses mostlyMicrosoft products, such as access, front page, or vbscripts, itsprobably better to stick with windows.
Microsoft having it’s own tools for monitoring servers1. Microsoft Operation Manager2. Microsoft System Center Operation Manager
Microsoft Operations Manager It helps improve the availability, performance, and security of Windows ne tworks and applications. provides event-driven operations monitoring, performance tracking, security policy enforcement, and auditing capability.
MOM 2005 helps:-1. Simplify identification of issues2. Streamlines the process for determining the root cause of the problem3. Facilitates quick resolution to restore services and toprevent potential IT problems.
Microsoft System Center OperationManager• Operations Manager helps you to monitor your infrastructure, applications, and IT services, and to react to operational problems.• Shows state, health and performance information of computer systems.
Provides alerts generated according to some avail ability,performance, configuration or security situation beingidentified.It places an agent, on the computer to be monitored.The agent watches several sources on that computer,including the Windows Event Log, for specific eventsor alerts generated by the applications executing on themonitored computer.