By
Swapnil Dakhore
 A directory service (DS) is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources.
 Allows network administrators to manage users' access to those resources.
 Acts as an abstraction layer between users and shared resources.
 Provide file shares.
 Authenticate users.
 Provide services, such as email, access to the Internet, print services etc.
 Control access to services and shares.
Active Directory is Microsoft's version of an LDAP-based network directory service.
Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.
 Microsoft's directory service, included in Windows 2000 Server and Windows Server 2003, 2008 and 2012.
 Is an implementation of LDAP directory services.
 Also called ADS or NTDS (NT Directory Services; the on-disk database is ntds.dit).
Goals and Benefits
Open Standards
High Scalability
Simplified Administration
 Hierarchical
 Base object: Domain
(Diagram: Objects are organized into OUs inside a Domain; Domains sharing one namespace form a Tree; Trees form a Forest.)
 „office network“: User, Group, Computer
 New Elements:
- Distribution Lists
- System Policies
- Application-defined custom objects
 Described in the Schema
 Definition of all AD
- Object-Types (Classes)
- Attributes
- Data-Types (Syntaxes)
 Can be compared to a Database Schema
 ONE consistent Schema inside a single Forest
 Extensible
(Diagram: domain lebenlab.com)
 AD Base Element (Building Block)
 NT 4 Compatible
 Physically Implemented on Domain Controllers (DC)
 Border for
- Replication Traffic (of the domain partition)
- System Policies
- Administration
 Not a security border: since Windows 2000 the forest, not the domain, is the security boundary
(Diagram: OUs MUMBAI and AKOLA, each containing Admin and Sales)
 Implements a Structure inside a Domain
 Can be nested as needed
 Can not be assigned any rights: an OU is not a security principal; permissions are granted to users, groups and computers, and delegated on an OU, never to it
 Typically used for Administrative Reasons, e.g. System Policies (Group Policy) and delegation of administration
 Hierarchical Domain Structure inside a single Namespace
- lebenlab.com
- mu.lebenlab.com
- sri.lebenlab.com
 Transitive Trusts created automatically
 Sub-Domain must be added to Root-Domain – otherwise there will be no tree
(Diagram: Tree with lebenlab.com as root and mu.lebenlab.com, sri.lebenlab.com as child domains)
 Combination of Trees
 Disjoint Namespaces
- lebenlab.de
- lebenlab.com
 Transitive Trusts created automatically (tree-root trusts between the forest root domain and each other tree root)
 There is one single tree-root (the forest root domain, the first domain created)!
 Sub-Tree must be added to Root-Tree, otherwise no Forest will be created
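The tree and forest rules above, worked through in code. This is an added example, not part of the original slides: it maps the deck's DNS names onto LDAP distinguished names, splits a set of forest domains into trees by contiguous namespace, and walks the automatic trusts between two domains. The object DN, the forest membership list FOREST and the choice of lebenlab.com as forest root are constructed assumptions.

```python
"""Added example, not from the original slides: how the DNS names of the
domains in a tree map onto LDAP distinguished names, how a set of forest
domains splits into trees by contiguous namespace, and which domains a
trust path crosses.  FOREST, the forest-root choice and the object DN are
constructed; lebenlab.com / lebenlab.de are the deck's own names."""
from __future__ import annotations


def domain_to_dn(dns_name: str) -> str:
    """lebenlab.com -> DC=lebenlab,DC=com (the domain naming context)."""
    labels = [l for l in dns_name.lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={l}" for l in labels)


def object_dn(rdn: str, ou_path: list[str], dns_name: str) -> str:
    """DN of an object inside nested OUs; ou_path is given top-down, the
    DN lists it leaf-first: CN=...,OU=Admin,OU=MUMBAI,DC=lebenlab,DC=com"""
    ous = ",".join(f"OU={ou}" for ou in reversed(ou_path))
    return ",".join(part for part in (rdn, ous, domain_to_dn(dns_name)) if part)


def parent_domain(dns_name: str) -> str:
    return dns_name.partition(".")[2]


def chain_to_tree_root(domain: str, forest: set[str]) -> list[str]:
    """domain, its parent, ... up to the root of its tree (the first
    ancestor whose own DNS parent is not a domain of this forest)."""
    chain = [domain]
    while parent_domain(chain[-1]) in forest:
        chain.append(parent_domain(chain[-1]))
    return chain


def group_into_trees(domains) -> dict[str, list[str]]:
    """{tree root: [domains]}.  A domain belongs to the tree of its DNS
    parent when that parent is a forest domain (contiguous namespace);
    a domain with no forest parent starts a new tree (the deck's rule:
    a sub-domain must hang under an existing domain or there is no tree)."""
    forest = {d.lower().strip(".") for d in domains}
    trees: dict[str, list[str]] = {}
    for d in sorted(forest, key=lambda x: (x.count("."), x)):
        trees.setdefault(chain_to_tree_root(d, forest)[-1], []).append(d)
    return trees


def trust_path(src: str, dst: str, domains, forest_root: str) -> list[str]:
    """Domains a referral crosses using only the automatic transitive
    trusts: parent-child inside a tree, and the tree-root trusts AD
    creates between the forest root domain and every other tree root
    (shortcut trusts are ignored)."""
    forest = {d.lower().strip(".") for d in domains}
    up = chain_to_tree_root(src, forest)      # src ... src's tree root
    down = chain_to_tree_root(dst, forest)    # dst ... dst's tree root
    if up[-1] == down[-1]:                    # same tree: meet at common ancestor
        common = next(d for d in up if d in down)
        return up[:up.index(common) + 1] + down[:down.index(common)][::-1]
    path = list(up)
    if path[-1] != forest_root:
        path.append(forest_root)              # tree-root trust up to forest root
    if down[-1] != forest_root:
        path.append(down[-1])                 # forest root down to the other tree
    return path + down[:-1][::-1]


# Constructed forest: one tree under lebenlab.com, a second tree lebenlab.de
FOREST = ["lebenlab.com", "mu.lebenlab.com", "sri.lebenlab.com", "lebenlab.de"]

if __name__ == "__main__":
    print(object_dn("CN=Swapnil", ["MUMBAI", "Admin"], "lebenlab.com"))
    print(group_into_trees(FOREST))
    print(" -> ".join(trust_path("mu.lebenlab.com", "lebenlab.de", FOREST, "lebenlab.com")))
```

The trust path is the practitioner's point: because every trust in the forest is transitive, a principal in mu.lebenlab.com can be referred to resources in lebenlab.de with no trust configured between those two domains, and the forest root sits on every cross-tree path. That is also why the forest, not the domain, is the security boundary.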
 Site: A site is a physical location (one or more well-connected IP subnets, typically a LAN); sites steer clients to a nearby domain controller and control the replication schedule between locations. This is different from a web site, which is an organization's internet presence.
 Domain:
- A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
- All resources under the control of a single security authority: the domain's directory database, hosted by its domain controllers.
 Lightweight Directory Access Protocol (LDAP) -- a protocol used to access a directory service.
 LDAP is the primary access protocol for Active Directory (TCP 389, LDAP over TLS on TCP 636; the global catalog answers on 3268 and 3269).
 The global catalog (GC) is the mechanism that tracks all of the objects managed across the network, across all domains within the forest.
 A GC holds a full replica of its own domain and a partial replica (a subset of attributes) of every other domain in the forest; it is hosted only on domain controllers designated as global catalog servers, not on every DC.
 For Active Directory to function properly,
DNS servers must support Service Location
(SRV) resource records.
 SRV resource records map the name of a
service to the name of a server offering that
service. Active Directory clients and domain
controllers use SRV resource records to
determine the IP addresses of domain
controllers.
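The DC locator step described above, as an added example that is not part of the original slides: the SRV owner names a Windows client queries under the _msdcs sub-zone, and the RFC 2782 priority/weight selection it applies to the answers. The record set returned by demo_records() is a constructed answer set for lebenlab.com, not real DNS data, and the site name MUMBAI is taken from the deck's diagram.

```python
"""Added example, not from the original slides: the SRV owner names a
Windows client queries to find a domain controller, and the RFC 2782
priority/weight selection applied to the answers.  demo_records() is a
constructed answer set for illustration."""
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # share of load among equal-priority targets
    port: int
    target: str


def dc_locator_names(domain: str, site: str | None = None) -> list[str]:
    """SRV names under the _msdcs sub-zone that the DC locator queries.
    Site-specific names come first so a client prefers a DC in its own
    site; the site-less names are the domain-wide fallback."""
    names = []
    if site:
        names += [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                  f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"]
    names += [f"_ldap._tcp.dc._msdcs.{domain}",
              f"_kerberos._tcp.dc._msdcs.{domain}"]
    return names


def gc_locator_name(forest_root: str) -> str:
    """Global catalog servers register under the forest root zone."""
    return f"_gc._tcp.{forest_root}"


def select_target(records: list[SrvRecord], rng: random.Random) -> SrvRecord:
    """One RFC 2782 pick: lowest priority wins; within that priority the
    choice is random, proportional to weight.  Simplification: a weight-0
    record is only chosen when every record in the tier has weight 0."""
    if not records:
        raise LookupError("no SRV records: domain controller not found")
    best = min(r.priority for r in records)
    tier = [r for r in records if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier)
    pick = rng.randrange(total)
    for rec in tier:
        pick -= rec.weight
        if pick < 0:
            return rec
    return tier[-1]   # not reached: weights sum to total


def failover_order(records: list[SrvRecord], seed: int = 0) -> list[SrvRecord]:
    """Order in which a client would try targets: repeat the selection,
    removing each chosen record, until none are left."""
    rng = random.Random(seed)
    remaining = list(records)
    order = []
    while remaining:
        rec = select_target(remaining, rng)
        order.append(rec)
        remaining.remove(rec)
    return order


def demo_records() -> list[SrvRecord]:
    """Constructed answer set for _ldap._tcp.dc._msdcs.lebenlab.com."""
    return [SrvRecord(0, 100, 389, "dc1.lebenlab.com"),
            SrvRecord(0, 100, 389, "dc2.lebenlab.com"),
            SrvRecord(10, 0, 389, "dc-dr.lebenlab.com")]   # DR site, last resort


if __name__ == "__main__":
    for name in dc_locator_names("lebenlab.com", site="MUMBAI"):
        print("query", name)
    print("query", gc_locator_name("lebenlab.com"))
    for rec in failover_order(demo_records(), seed=42):
        print(f"try {rec.target}:{rec.port} (prio {rec.priority}, weight {rec.weight})")
```

After the SRV answer the real client still sends an LDAP "ping" (CLDAP, UDP 389) to the candidates and uses the first that responds. Note that the lookup itself is plain, unauthenticated DNS: what protects a client from being steered to a rogue DC is Kerberos mutual authentication and LDAP signing, not the SRV record, so those should be enforced rather than relied on implicitly.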
 Active Directory replicates its administration information across domain controllers throughout the "forest" using a "multi-master" approach: every writable domain controller accepts changes.
 Multi-master replication among peer domain controllers is impractical for some types of changes (e.g. schema changes, RID pool allocation, domain naming), so only one domain controller, called the operations master (FSMO role holder), accepts requests for such changes.
Each domain controller holds the full partition of its own domain plus the forest-wide schema and configuration partitions; only global catalog servers additionally hold a partial replica of every other domain in the forest.
This lets a local global catalog answer forest-wide lookups (for example, universal group membership) without contacting a remote domain.
Not just users but every security principal logging on to Active Directory depends on a global catalog, including every computer that boots up: in a multi-domain forest the authenticating DC contacts a GC to enumerate universal group memberships (unless universal group membership caching is enabled for the site), so GC availability is a logon dependency.
 Stores a physical Copy of the Active Directory Database
- Currently a single Domain per DC supported!
- ESE Database (Extensible Storage Engine, the same engine MS Exchange uses), stored in the file ntds.dit
 Logon Services
- Kerberos
- NTLM / LAN Manager Authentication (legacy)
 It is always recommended to have at least 2 Domain Controllers!
 Updates can be applied to ANY (writable) Domain Controller
 Will be replicated to each other Domain Controller (inside that Domain) within 15 Minutes
 Optimized Algorithm reduces Replication Traffic
 Not purely time based: within a site, replication is triggered by change notification from the DC that received the update; between sites it runs on the configured schedule
 All Domain Databases involved
 Changes are transmitted compressed (between sites)
 via IP (RPC) or SMTP
- SMTP not within a single domain! (SMTP can carry only the schema, configuration and global catalog partitions, never the domain partition)
 Time Replication occurs can be configured (site link schedule and interval)
 Volume of Replication Traffic can not be restricted!
 Have an Eye on GCs!
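The multi-master model from the replication slides, worked through as an added example that is not part of the original deck. Active Directory stamps every originating write with (version, originating time, originating DSA) and a replica accepts an incoming value only when that stamp is higher, compared in that order; the code below models two domain controllers that accept conflicting writes and converge. The DC invocation identifiers, timestamps and the object below are constructed.

```python
"""Added example, not from the original slides: multi-master replication
with Active Directory's attribute stamp.  Every originating write records
(version, originating time, originating DSA) with the value; a replica
accepts an incoming value only if its stamp is higher, compared in that
order.  DC identifiers, timestamps and the object below are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    version: int            # incremented on every originating write
    originating_time: int   # write time on the originating DC (UTC seconds here)
    originating_dsa: str    # invocation ID of the writing DC (a GUID in AD)


@dataclass(frozen=True)
class AttrValue:
    value: str
    stamp: Stamp


class DomainController:
    """One replica of the domain partition, keyed by (dn, attribute)."""

    def __init__(self, invocation_id: str):
        self.invocation_id = invocation_id
        self.store: dict[tuple[str, str], AttrValue] = {}

    def originating_write(self, dn: str, attr: str, value: str, now: int) -> AttrValue:
        """A change applied locally by a client; any writable DC accepts it."""
        current = self.store.get((dn, attr))
        version = current.stamp.version + 1 if current else 1
        new = AttrValue(value, Stamp(version, now, self.invocation_id))
        self.store[(dn, attr)] = new
        return new

    def replicate_in(self, dn: str, attr: str, incoming: AttrValue) -> bool:
        """Inbound replication of one attribute.  Tuple ordering on Stamp
        gives AD's rule: higher version wins, then later time, then higher
        DSA id.  Returns False when the local value already wins, so a
        replayed or late-arriving old update is harmless."""
        current = self.store.get((dn, attr))
        if current is None or incoming.stamp > current.stamp:
            self.store[(dn, attr)] = incoming
            return True
        return False

    def get(self, dn: str, attr: str) -> str | None:
        v = self.store.get((dn, attr))
        return v.value if v else None


def concurrent_update_demo() -> tuple[str | None, str | None, bool]:
    """Two DCs accept conflicting writes to the same attribute, then
    replicate to each other.  Both converge on the same value whatever
    the order of arrival, because stamps, not arrival, decide."""
    dn = "CN=Swapnil,OU=Admin,OU=MUMBAI,DC=lebenlab,DC=com"
    attr = "telephoneNumber"
    dc_mumbai = DomainController("guid-mumbai")
    dc_akola = DomainController("guid-akola")

    first = dc_mumbai.originating_write(dn, attr, "+91 22 0000", now=100)
    dc_akola.replicate_in(dn, attr, first)            # both start consistent

    a = dc_mumbai.originating_write(dn, attr, "+91 22 1111", now=200)
    b = dc_akola.originating_write(dn, attr, "+91 724 2222", now=205)  # later

    dc_mumbai.replicate_in(dn, attr, b)               # equal version: later time wins
    dc_akola.replicate_in(dn, attr, a)                # older stamp: rejected
    replayed = dc_akola.replicate_in(dn, attr, first) # stale update ignored
    return dc_mumbai.get(dn, attr), dc_akola.get(dn, attr), replayed


if __name__ == "__main__":
    print(concurrent_update_demo())
```

Two caveats follow from this. First, "last writer wins" cannot reconcile changes such as schema edits or RID pool hand-outs, which is why those go through a single operations master. Second, any writable DC is authoritative for what it accepts: a change written through one compromised DC, or by an account with write rights there, replicates everywhere, and the replication rights themselves ("Replicating Directory Changes") let a holder pull every attribute, password hashes included, so they are as sensitive as domain admin.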
 Improved Authentication
 Permissions applied via ACLs
- To Objects as a whole
- To specific Attributes (object-type ACEs)
 Fine-Tuning of Access Permissions possible
 Tool-Support to visualize Security Settings .. currently weak (try Visio!); for inspection use dsacls.exe or Get-Acl on the AD: PowerShell drive
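How object-level and attribute-level ACEs interact, as an added example that is not part of the original slides. It is a simplified model of an Active Directory DACL: object-type ACEs carry an attribute (or property-set) GUID, represented here by the attribute name, and evaluation follows the Windows canonical order (explicit deny, explicit allow, inherited deny, inherited allow), stopping as soon as every requested right is granted or a matching deny is met. The principals, groups and DEMO_DACL are constructed.

```python
"""Added example, not from the original slides: a simplified model of how
an Active Directory ACL grants rights on a whole object versus on a single
attribute.  Attribute names stand in for the object-type GUIDs of real
ACEs.  Evaluation follows the canonical ACE order: explicit deny, explicit
allow, inherited deny, inherited allow.  Principals, groups and DEMO_DACL
are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Subset of the ADS_RIGHT_* access-mask bits used by directory objects
READ_PROP = 0x10
WRITE_PROP = 0x20
CONTROL_ACCESS = 0x100


@dataclass(frozen=True)
class Ace:
    kind: str                        # "allow" or "deny"
    trustee: str                     # user or group (a SID in a real ACE)
    mask: int
    object_type: str | None = None   # attribute name; None = whole object
    inherited: bool = False


def canonical_order(aces: list[Ace]) -> list[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(aces: list[Ace], principal: str, groups: set[str],
                 wanted: int, attribute: str | None = None) -> bool:
    """True if all `wanted` rights are granted on `attribute` (or on the
    object as a whole when attribute is None).  An attribute-scoped ACE
    counts only for a check on that attribute; an object-scoped ACE counts
    for both.  A deny hitting any still-ungranted right ends the check."""
    identities = {principal, *groups}
    remaining = wanted
    for ace in canonical_order(aces):
        if ace.trustee not in identities:
            continue
        if ace.object_type is not None and ace.object_type != attribute:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL on the user object CN=Priya,OU=Sales,OU=MUMBAI,DC=lebenlab,DC=com
DEMO_DACL = [
    Ace("allow", "Domain Admins", READ_PROP | WRITE_PROP | CONTROL_ACCESS, inherited=True),
    Ace("allow", "HelpDesk", READ_PROP),                       # read the whole object
    Ace("allow", "HelpDesk", WRITE_PROP, "telephoneNumber"),   # write one attribute only
    Ace("deny", "Contractors", WRITE_PROP, "telephoneNumber"), # explicit deny beats allow
]


def demo() -> dict[str, bool]:
    helpdesk = ("swapnil", {"HelpDesk"})
    return {
        "helpdesk writes telephoneNumber":
            access_check(DEMO_DACL, *helpdesk, WRITE_PROP, "telephoneNumber"),
        "helpdesk writes userAccountControl":
            access_check(DEMO_DACL, *helpdesk, WRITE_PROP, "userAccountControl"),
        "helpdesk reads userAccountControl":
            access_check(DEMO_DACL, *helpdesk, READ_PROP, "userAccountControl"),
        "helpdesk writes whole object":
            access_check(DEMO_DACL, *helpdesk, WRITE_PROP),
        "contractor in helpdesk writes telephoneNumber":
            access_check(DEMO_DACL, "raj", {"HelpDesk", "Contractors"}, WRITE_PROP, "telephoneNumber"),
        "domain admin writes userAccountControl":
            access_check(DEMO_DACL, "admin", {"Domain Admins"}, WRITE_PROP, "userAccountControl"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The fine-tuning the slide praises cuts both ways. Write access to a single attribute is exactly what delegation should grant the help desk, but write access to the wrong single attribute (the member attribute of a privileged group, or servicePrincipalName on an account) is effectively control of that principal, so attribute-level grants need the same review as full control.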
 Time Savings
 Repository of Information
 Increased Security
 DNS Dependency
 No „Merge-Tree“ (two existing trees or forests cannot be merged; objects have to be migrated)
 No Partitioning (only a single Domain per Domain Controller)
 Limited Tool-Support
 Forest Global Schema
 Schema-Modifications can not be undone (classes and attributes can be deactivated, never deleted)
 Applications directly using and accessing the Active Directory
- e.g. Exchange 2000
- Many more expected!
 Typically extend the Schema
 May dramatically change usage pattern for Active Directory Resources
- Replication Traffic (new Objects, Attributes)
- AD Queries (GCs!)