Active Directory II

2. Basics of Active Directory in Windows Server 2003
   - Active Directory partitions
   - Logical structures
   - “Physical” structures
   - Functional levels

3. Active Directory Partitions

4. Schema
   - Logical partition in Active Directory database
   - “Template” for Active Directory database
   - Forms the database structures in which data is stored
     - Object classes
     - Attributes
   - Extensible
   - Dynamic
   - Protected by ACLs (Access Control Lists): DACLs and SACLs (Discretionary ACLs and System ACLs)
   - One schema per Active Directory forest

5. Schema (diagram)
   - Object class examples: Users, Servers, Computers
   - Attribute examples: accountExpires, badPasswordTime, mail, name
   - Attributes of Users might contain: accountExpires, badPasswordTime, mail, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, Name, …
   - Dynamically available, updateable, and protected by DACLs

6. Configuration
   - Logical partition in Active Directory database
   - “Map” of Active Directory implementation
   - Contains information used for replication, logon, searches
     - Domains
     - Trust relationships
     - Sites & site links
     - Subnets
     - Domain controller locations

7. Domains
   - Logical partition in Active Directory database
   - Collections of users, computers, groups, etc.
   - Units of replication
     - Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
     - Domain controllers do not replicate domain partition information for other domains
   (diagram: Windows 2000/WS03 domain replication, User1 and User2 replicated between the domain's domain controllers)

8. Directory Partitions
   All partitions together comprise the Active Directory database.
   Partition / contents / replication scope:
   - Schema: definitions and rules for creating and manipulating all objects and attributes; forest-wide replication (every DC in the forest has a replica)
   - Configuration: information about the Active Directory structure; forest-wide replication
   - Domain: information about all domain-specific objects created in Active Directory; domain-wide replication
   - Application: application data, e.g. ForestDNSZone and DomainDNSZone; configurable replication
9. Logical Structures

10. Tree
   - One or more domains that share a contiguous DNS namespace, e.g.
     - ZOOM.COM
     - MCSE.ZOOM.COM
     - CCNA.ZOOM.COM

11. Forest
   - One or more domains that share:
     - Common schema
     - Common configuration
     - Automatic transitive trust relationships
     - Common global catalog
   - A forest can contain from as few as one domain to many domains and/or many trees
   - The first domain created is the forest root; this cannot be changed without rebuilding the entire forest

12. Trust Relationship

13. Trust Relationships
   - Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
   - Some trusts are automatically created
     - Parent-child domains trust each other
     - Tree root domains trust the forest root domain
   - Other trusts are manually created
   - Forest-to-forest transitive trust relationships can be created (Windows Server 2003 forests only)

14. Trust Relationships in Windows Server 2003
   - Default: two-way, transitive Kerberos trusts (intraforest)
   - Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
     - Reduce authentication requests
   - Forest: one- or two-way, transitive Kerberos trusts*
     - *WS2003 forests only; Windows 2000 does not support forest trusts
     - Only between forest roots
     - Creates transitive domain relationships
   - External: one-way, non-transitive NTLM trusts
     - Used to connect to/from Windows NT or external 2000 domains
     - Manually created
   - Realm: one- or two-way, non-transitive Kerberos trusts
     - Connect to/from UNIX MIT Kerberos realms

15. Trees and Forests (diagram)
   Domains shown: contoso.msft (forest/tree root) with japan.contoso.msft (child domain); nwtraders.msft (forest/tree root) with japan.nwtraders.msft and china.nwtraders.msft (child domains); tailspintoys.msft (tree root); a Windows NT domain
   Trusts shown: a forest two-way transitive trust between the forest roots, and an external one-way non-transitive trust to the Windows NT domain
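As an added example (not part of the original deck), the following Python classifies trustedDomain objects into the trust types on the slides above and lists the outbound trusts a reviewer would check for SID filtering; the flag values are the ones MS-ADTS documents for trustType, trustDirection and trustAttributes, and the sample records are constructed.

```python
"""Classify trustedDomain objects into the trust types on the slides above (added example,
not from the deck; flag values are those MS-ADTS documents, sample records are constructed)."""
from dataclasses import dataclass

TRUST_TYPE_DOWNLEVEL, TRUST_TYPE_UPLEVEL, TRUST_TYPE_MIT = 1, 2, 3  # NT4 / AD / MIT Kerberos
TRUST_DIRECTION_OUTBOUND = 0x2   # this domain trusts the other, so its principals are accepted here
TA_NON_TRANSITIVE = 0x01
TA_QUARANTINED_DOMAIN = 0x04     # SID filtering enforced on an external trust
TA_FOREST_TRANSITIVE = 0x08
TA_WITHIN_FOREST = 0x20
TA_TREAT_AS_EXTERNAL = 0x40      # forest trust filtered only as loosely as an external one

@dataclass
class TrustedDomain:
    name: str
    trust_type: int
    trust_direction: int
    trust_attributes: int

def classify(t: TrustedDomain) -> str:
    """Return the slide's category for one trustedDomain object."""
    if t.trust_type == TRUST_TYPE_MIT:
        return "realm"            # UNIX MIT Kerberos realm, non-transitive
    if t.trust_attributes & TA_FOREST_TRANSITIVE:
        return "forest"           # forest root to forest root, WS2003 forests only
    if t.trust_attributes & TA_WITHIN_FOREST:
        return "intraforest"      # default parent-child / tree-root, or shortcut
    if t.trust_type == TRUST_TYPE_DOWNLEVEL or t.trust_attributes & TA_NON_TRANSITIVE:
        return "external"         # NTLM, non-transitive, manually created
    return "unknown"

def review_findings(trusts):
    """Defender's check: outbound trusts that accept principals from outside the
    forest with SID filtering weaker than the WS2003 default."""
    findings = []
    for t in trusts:
        if not t.trust_direction & TRUST_DIRECTION_OUTBOUND:
            continue
        kind, attrs = classify(t), t.trust_attributes
        if kind == "external" and not attrs & TA_QUARANTINED_DOMAIN:
            findings.append(f"{t.name}: outbound external trust without SID filtering")
        elif kind == "forest" and attrs & TA_TREAT_AS_EXTERNAL:
            findings.append(f"{t.name}: outbound forest trust with SID filtering relaxed")
    return findings

# Constructed sample named after the domains in the Trees and Forests slide.
SAMPLE_TRUSTS = [
    TrustedDomain("japan.contoso.msft", TRUST_TYPE_UPLEVEL, 0x3, TA_WITHIN_FOREST),
    TrustedDomain("nwtraders.msft", TRUST_TYPE_UPLEVEL, 0x3, TA_FOREST_TRANSITIVE),
    TrustedDomain("NTDOMAIN", TRUST_TYPE_DOWNLEVEL, TRUST_DIRECTION_OUTBOUND, TA_NON_TRANSITIVE),
]
```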
16. Functional Levels

17. Forest and Domain Functional Levels
   - Functional levels determine
     - Supported domain controller operating system
     - Active Directory features available
   - Domain functional levels can be raised independently of one another
   - Raising the forest functional level is performed by an Enterprise Admin
     - Requires all domains to be at Windows 2000 native or WS03 functional levels

18. Forest Functional Levels
   Forest functional level / domain controllers supported:
   - Windows 2000 (default): Windows NT 4.0, Windows 2000, Windows Server 2003 Server family
   - Windows Server 2003 Interim: Windows NT 4.0, Windows Server 2003 Server family
   - Windows Server 2003 Server family: Windows Server 2003 Server family

19. Forest Functional Levels: Features
   Functional level / features supported:
   - Windows 2000: universal group caching
   - Windows Server 2003 Interim: same as Windows 2000, plus LVR replication (Linked Value Replication, new group structuring) and improved ISTG (Inter-Site Topology Generator, generates replication connections)
   - Windows Server 2003 Server family: same as Windows Server 2003 Interim, plus schema de-/reactivation, domain rename, forest trust

20. Domain Functional Levels (diagram)
   - Windows 2000 mixed mode: NT4, Windows 2000 or WS03 DCs (shown: Windows NT 4.0, Windows 2000 and Windows Server 2003 domain controllers)
   - Windows 2000 native mode: no NT 4 DCs (shown: Windows 2000 and Windows Server 2003 domain controllers)

21. Domain Functional Levels (diagram, continued)
   - Windows Server 2003 interim: no 2000 DCs (shown: Windows NT 4.0 and Windows Server 2003 domain controllers)
   - Windows Server 2003 server level: all WS03 DCs (shown: Windows Server 2003 domain controllers only)

22. Domain Functional Levels: Features
   Functional level / features supported:
   - Windows 2000 mixed: universal group caching, application directory partitions
   - Windows 2000 native / Windows Server 2003 Interim: same as Windows 2000 mixed, plus group nesting and converting, universal security and distribution groups, universal group membership caching, SID history
   - Windows 2003 Server family: same as Windows 2000 native, plus Kerberos KDC version numbers, domain rename
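The functional level slides above are a set of compatibility rules; this added example (not from the deck) encodes the DC operating-system tables and the forest-raise prerequisite as a pre-change check. The OS labels, DC names and the sample forest are constructed; the domain names reuse those from the Trees and Forests slide.

```python
"""Encode the DC compatibility tables and the forest-raise rule from the functional
level slides above.  Added example, not from the deck; OS labels and samples are constructed."""

# DC operating systems permitted at each level (Forest/Domain Functional Levels slides).
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {"NT4", "2000", "WS03"},
    "Windows 2000 native": {"2000", "WS03"},
    "Windows Server 2003 interim": {"NT4", "WS03"},
    "Windows Server 2003": {"WS03"},
}
FOREST_LEVELS = {
    "Windows 2000": {"NT4", "2000", "WS03"},
    "Windows Server 2003 interim": {"NT4", "WS03"},
    "Windows Server 2003": {"WS03"},
}
# Domain levels that allow raising the forest to WS03 (the slide's "native or WS03 levels").
FOREST_WS03_PREREQ = {"Windows 2000 native", "Windows Server 2003 interim", "Windows Server 2003"}

def blocking_dcs(allowed_os, dc_os):
    """DCs whose OS family is not in allowed_os; upgrade or demote them before raising."""
    return sorted(dc for dc, os_family in dc_os.items() if os_family not in allowed_os)

def domain_raise_blockers(target_level, dc_os):
    """DCs that block raising one domain to target_level."""
    return blocking_dcs(DOMAIN_LEVELS[target_level], dc_os)

def forest_raise_blockers(target_level, domains):
    """domains = {domain: (domain_level, {dc: os})}.  Returns the reasons the raise is
    blocked; an empty list means it can proceed.  Raising is one-way, so check first."""
    reasons = []
    for name, (level, dc_os) in domains.items():
        if target_level == "Windows Server 2003" and level not in FOREST_WS03_PREREQ:
            reasons.append(f"{name}: domain level '{level}' must be raised first")
        for dc in blocking_dcs(FOREST_LEVELS[target_level], dc_os):
            reasons.append(f"{name}: DC {dc} runs {dc_os[dc]}, not permitted at {target_level}")
    return reasons

# Constructed sample forest using the domain names from the Trees and Forests slide.
SAMPLE_FOREST = {
    "contoso.msft": ("Windows Server 2003", {"DC1": "WS03", "DC2": "WS03"}),
    "japan.contoso.msft": ("Windows 2000 mixed", {"DC3": "WS03", "DC4": "NT4"}),
}
```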
23. Physical Components

24. “Physical” Components of Active Directory
   - Sites
     - Areas of “good” connectivity
     - A single site may contain many domains
     - A single domain may span many sites
   - Domain Controllers
     - Store replicas of the Active Directory database
     - Associated with a given site
   (diagram: site and domain)

25. Sites
   - Subnets are defined and associated with sites
   - Used by domain controllers to determine replication behavior
   - Used by computers to locate close domain controllers for authentication and searches of the directory
   (diagram: sites Chicago, Seattle, New York and Los Angeles, each with its associated IP subnets)
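As an added example (not part of the deck), the following Python shows the subnet-to-site lookup the Sites slide describes: the client's address is matched against the defined subnets, the most specific subnet wins, and the DCs of that site are preferred. The subnets and DC names are constructed, the city sites come from the slide, and the fallback for a site without DCs is a simplification of the real locator, which uses site link costs and automatic site coverage.

```python
"""Locate a client's site by longest-prefix match over the subnet-to-site mapping the Sites
slide describes, then pick DCs in that site.  Added example, not from the deck; the subnets
and DC names are constructed, the city sites come from the slide."""
import ipaddress

# Constructed subnet objects, each associated with one site as on the slide.
SUBNETS = {
    "10.1.0.0/16": "Chicago",
    "10.2.0.0/16": "Seattle",
    "10.3.0.0/16": "New York",
    "10.4.0.0/16": "Los Angeles",
    "10.1.200.0/24": "Seattle",   # a more specific subnet overrides the /16 it sits inside
}
DCS_BY_SITE = {
    "Chicago": ["CHI-DC1", "CHI-DC2"], "Seattle": ["SEA-DC1"],
    "New York": ["NYC-DC1"], "Los Angeles": [],   # a site with no DC of its own
}

def site_for(address: str, subnets=SUBNETS):
    """Most specific matching subnet wins; None when the address is in no defined subnet."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def candidate_dcs(address: str, subnets=SUBNETS, dcs_by_site=DCS_BY_SITE):
    """DCs a client at this address should prefer.  A client from an undefined subnet, or
    from a site without DCs, falls back to any DC here (simplified: the real locator uses
    site link costs and site coverage), which is why subnet objects must be kept complete."""
    site = site_for(address, subnets)
    local = dcs_by_site.get(site, []) if site else []
    if local:
        return list(local)
    return sorted(dc for dcs in dcs_by_site.values() for dc in dcs)
```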
26. Domain Controllers
   - Domain controllers replicate common partitions
   - Every DC in the forest has a replica of the schema & configuration partitions
   - Every DC in a domain has a replica of that domain’s domain partition
   - DCs may contain replicas of application partitions

27. Roles of Active Directory

28. Roles of a Domain Controller
   - Global Catalog Server
   - Operations Masters
     - Forest-wide roles: Domain Naming Master, Schema Master
     - Domain-wide roles: RID Master, PDC Emulator, Infrastructure Master

29. Global Catalog
   - Just as a telephone book contains limited information about all people and businesses within a city, the global catalog contains limited information about every object in a forest
   - Within the schema, certain attributes are marked for inclusion in the GC
     - Searches are commonly performed against these attributes
     - By searching against the GC, individual domains do not have to be queried in most cases; the GC can resolve the query
   - Servers that hold a copy of the global catalog are called global catalog servers

30. Global Catalog Server
   - Schema: holds a full copy of the schema partition for the forest
   - Configuration: holds a full copy of the configuration partition for the forest
   - Own domain: holds a full copy of the domain partition for its own domain
   - Other domains: holds a read-only copy of all other domain directory partitions (all objects, but only attributes marked for GC inclusion)
   - Application: contains application data if configured (ForestDNSZone, DomainDNSZone, user-defined application partition(s))

31. Global Catalog Servers (diagram)
   The global catalog server answers global catalog queries across domains and supplies universal group membership when a user logs on; object attributes marked “Include in GC” (e.g. telephone, email, name, …) are replicated to it from every domain.
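As an added example (not part of the deck), the following Python models what the two Global Catalog slides describe: a GC replica keeps the DC's own domain in full and every other domain as read-only objects reduced to the attributes marked for GC inclusion, so a forest-wide search on such an attribute is answered by the GC alone, while a non-GC attribute of a foreign object needs a referral to the owning domain. The partial attribute set and the directory contents are constructed.

```python
"""Model what a global catalog server holds, per the two Global Catalog slides above: a
full copy of its own domain partition and read-only copies of every other domain reduced
to the attributes marked for GC inclusion.  Added example, not from the deck; the partial
attribute set and the directory contents below are constructed."""

# Attributes marked "Include in GC" in the schema (the slide names name, telephone, email).
PARTIAL_ATTRIBUTE_SET = {"objectClass", "name", "mail", "telephoneNumber"}

# Constructed domain partitions: {domain: {dn: {attribute: value}}}.
PARTITIONS = {
    "contoso.msft": {
        "cn=User1,dc=contoso,dc=msft": {"objectClass": "user", "name": "User1",
                                        "mail": "user1@contoso.msft", "badPasswordTime": "0"},
    },
    "nwtraders.msft": {
        "cn=User2,dc=nwtraders,dc=msft": {"objectClass": "user", "name": "User2",
                                          "mail": "user2@nwtraders.msft", "badPasswordTime": "0"},
    },
}

def build_gc(own_domain, partitions=PARTITIONS, pas=PARTIAL_ATTRIBUTE_SET):
    """GC replica on a DC of own_domain: every object from every domain, but foreign
    objects carry only partial-attribute-set attributes and are read-only."""
    gc = {}
    for domain, objects in partitions.items():
        for dn, attrs in objects.items():
            full = domain == own_domain
            kept = dict(attrs) if full else {k: v for k, v in attrs.items() if k in pas}
            gc[dn] = {"domain": domain, "writable": full, "attrs": kept}
    return gc

def search_gc(gc, attribute, value):
    """Forest-wide search answered by the GC alone, without querying each domain."""
    return sorted(dn for dn, entry in gc.items() if entry["attrs"].get(attribute) == value)

def read_attribute(gc, dn, attribute, pas=PARTIAL_ATTRIBUTE_SET):
    """Value from the GC, or a referral to the owning domain when a non-PAS attribute
    of a foreign object is requested: the case the GC cannot resolve on its own."""
    entry = gc[dn]
    if attribute in entry["attrs"]:
        return entry["attrs"][attribute]
    if not entry["writable"] and attribute not in pas:
        return ("referral", entry["domain"])
    return None
```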