Post on 25-Dec-2015
transcript
Active Directory
'Active Directory' ('AD') is a directory service implemented by Microsoft for Windows domain
networks. It is included in most Windows Server Operating Systems.
https://store.theartofservice.com/the-active-directory-toolkit.html
Active Directory
An AD domain controller authenticates and authorizes all users and computers in a Windows domain
type network, assigning and enforcing security policies for all computers and installing or
updating software. For example, when a user logs into a computer that is part of a Windows domain,
Active Directory checks the submitted password and determines whether the user is a system
administrator or a normal user.
Active Directory
Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3,
Microsoft's version of Kerberos, and DNS.
Active Directory - History
Active Directory, like many information-technology efforts, originated out of a democratization
of design using Requests for Comments (RFCs). The Internet Engineering Task Force (IETF), which
oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active
Directory incorporates decades of communication technologies into the overarching Active Directory
concept and then makes improvements upon them.
Active Directory - History
For example, LDAP, a long-standing directory technology, underpins Active Directory. X.500
directories and the Organizational Unit also preceded the Active Directory concept that makes use
of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April
1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API,
August 1995),
Active Directory - History
With the release of Windows Server 2008, Microsoft renamed the domain controller role as Active
Directory Domain Services (AD DS).
Active Directory - Objects
An Active Directory structure is an arrangement of information about objects. The objects fall
into two broad categories: resources (e.g., printers) and security principals (user or computer
accounts and groups). Security principals are assigned unique security identifiers (SIDs).
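Because authorization in AD is decided by SID, not by display name, a practitioner audits privileged principals by their relative identifier (RID). The PowerShell below is an added example, not code from the page or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined host and an account that can read the directory. It resolves the well-known built-in accounts and groups of the current domain from the domain SID, lists their effective (nested) membership, and reports accounts that still carry adminCount=1 without being in one of those groups.

```powershell
# Added example, not code from the original page: enumerate the privileged
# security principals of the current domain by their well-known RIDs and
# list their effective (nested) membership. Assumes the RSAT ActiveDirectory
# module on a domain-joined Windows host and an account that can read the
# directory.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value     # S-1-5-21-<a>-<b>-<c>

# A SID is <domain SID>-<RID>. The RID, not the display name, identifies the
# principal: a renamed built-in Administrator account still ends in -500.
$builtinAccountRids = @{ 500 = 'Administrator'; 502 = 'krbtgt' }
$domainGroupRids    = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
# Built-in local groups use the fixed S-1-5-32-<RID> prefix in every domain:
# Administrators, Account Operators, Server Operators, Backup Operators.
$builtinGroupSids   = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551'

foreach ($rid in $builtinAccountRids.Keys) {
    $acct = Get-ADUser -Identity "$domainSid-$rid" -Properties adminCount
    '{0,-22} RID {1}  enabled={2}  adminCount={3}' -f $acct.SamAccountName, $rid, $acct.Enabled, $acct.adminCount
}

$privilegedMembers = @()
$groupSids = @($domainGroupRids.Keys | ForEach-Object { "$domainSid-$_" }) + $builtinGroupSids
foreach ($sid in $groupSids) {
    try   { $group = Get-ADGroup -Identity $sid }
    catch { continue }   # RIDs 518 and 519 exist only in the forest root domain
    # -Recursive expands nested groups; nested membership is what actually grants access.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    "`n$($group.Name) ($sid): $($members.Count) effective member(s)"
    foreach ($m in $members | Sort-Object objectClass, SamAccountName) {
        '  {0,-8} {1}' -f $m.objectClass, $m.SamAccountName
    }
    $privilegedMembers += $members.DistinguishedName
}

# SDProp sets adminCount=1 on members of protected groups and never clears it,
# so accounts that left those groups keep the locked-down ACL. List them for review.
"`nadminCount=1 but not in a privileged group above:"
Get-ADUser -Filter 'adminCount -eq 1' |
    Where-Object { $privilegedMembers -notcontains $_.DistinguishedName } |
    ForEach-Object { "  $($_.SamAccountName)" }
```

Get-ADGroupMember refuses groups larger than the server's MaxGroupOrMemberEntries limit (5000 by default); for very large groups read the member attribute with Get-ADGroup -Properties member instead.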
Active Directory - Objects
Each object represents a single entity (a user, a computer, a printer, or a group) and its
attributes. Certain objects can contain other objects. An object is uniquely identified by its
name and has a set of attributes, the characteristics and information that the object represents,
defined by a schema, which also determines the kinds of objects that can be stored in Active
Directory.
Active Directory - Objects
Schema objects let administrators extend or modify the schema when necessary. However, because
each schema object is integral to the definition of Active Directory objects, deactivating or
changing these objects can fundamentally change or disrupt a deployment. Schema changes
automatically propagate throughout the forest. Once created, a schema object (a class or
attribute definition) can only be deactivated, not deleted. Changing the schema therefore usually
requires planning.
Active Directory - Site
A 'Site' object in Active Directory represents a geographic location that hosts networks: a
collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network
(LAN).
Active Directory - Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The
forest, tree, and domain are the logical divisions in an Active Directory network.
Active Directory - Forests, trees, and domains
A domain is defined as a logical group of network objects (computers, users, devices) that share
the same Active Directory database.
Active Directory - Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts.
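A trust extends the reach of a compromise on the other side, so the settings that limit it (transitivity, SID filtering, selective authentication) are worth inventorying. The PowerShell below is an added example, not code from the page or from Microsoft; it assumes the RSAT ActiveDirectory module and read access to the System container of the current domain. It lists every trust the domain has and decodes the trustAttributes bits that govern those settings.

```powershell
# Added example, not code from the original page: inventory the trusts of the
# current domain and decode the trustAttributes bits that govern how far a
# compromise on the other side of a trust can reach. Assumes the RSAT
# ActiveDirectory module and read access to the System container.
Import-Module ActiveDirectory

# Bit values of the trustAttributes attribute (MS-ADTS 6.1.6.7.9).
$TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x01
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x04   # SID filtering ("quarantine") on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x08
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x10   # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x20
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x40   # forest trust that accepts SID history (SID filtering relaxed)
$TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x80   # realm (MIT) trusts keyed with RC4

function Get-TrustReport {
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes) {
        $a = [int]$t.TrustAttributes
        $findings = @()
        if (-not ($a -band $TRUST_ATTRIBUTE_WITHIN_FOREST)) {
            if ($a -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
                # Forest trusts filter SIDs by default; TREAT_AS_EXTERNAL turns that off.
                if ($a -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) { $findings += 'forest trust accepts SID history' }
            } elseif (-not ($a -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
                $findings += 'external trust without SID filtering'
            }
            if (-not ($a -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) { $findings += 'no selective authentication' }
        }
        if ($a -band $TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) { $findings += 'RC4 trust keys' }

        [pscustomobject]@{
            Trust      = $t.Name
            Direction  = $t.Direction      # from this domain's view: Inbound, Outbound or BiDirectional
            Type       = $t.TrustType
            Transitive = -not ($a -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            Attributes = ('0x{0:X}' -f $a)
            Findings   = ($findings -join '; ')
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

An inbound trust without SID filtering lets a principal from the trusted domain present SID history claiming membership in this domain's groups; that is the case to look for first in the Findings column.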
Active Directory - Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like
Operating Systems through standards-compliant LDAP clients, but these systems usually do not
interpret many attributes associated with Windows components, such as Group Policy and support
for one-way trusts.
Active Directory - Unix integration
Third parties offer Active Directory integration for Unix platforms (UNIX, Linux, Mac OS X, and
a number of Java and UNIX-based applications), for example:
Active Directory - Unix integration
* Fox Technologies' FoxT ServerControl implements AD bridging capabilities that allow UNIX/Linux
systems to join Active Directory and enable the use of Kerberos for user authentication
Active Directory - Unix integration
* Centrify DirectControl (Centrify) – Active Directory-compatible centralized authentication and
access control
Active Directory - Unix integration
* Centrify Express (Centrify) – A suite of free Active Directory-compliant services for
centralized authentication, monitoring, file-sharing and remote access
Active Directory - Unix integration
* PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) –
Allows a non-Windows client to join Active Directory
Active Directory - Unix integration
Administration (querying, modifying, and monitoring) of Active Directory can be performed from
many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and
Ruby. Free AD administration tools can help simplify AD management tasks.
Windows Server 2008 - Active Directory roles
Identity Integration Feature Pack is included as Active Directory Metadirectory Services
Windows Server 2008 - Active Directory improvements
* Read-Only Domain Controller (RODC): the RODC holds a non-writeable copy of Active Directory and
redirects all write attempts to a full domain controller. By default it stores no account
passwords; the accounts whose secrets it may cache are set by its Password Replication Policy.
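Since an RODC is typically placed where physical control is weaker, the question for a practitioner is which secrets it actually holds. The PowerShell below is an added example, not code from the page or from Microsoft; it assumes the RSAT ActiveDirectory module and an account permitted to read the domain. For each RODC it prints the allowed and denied lists of its Password Replication Policy, the accounts whose secrets have been revealed to it, and any of those that are privileged.

```powershell
# Added example, not code from the original page: for every read-only domain
# controller, print its Password Replication Policy and the accounts whose
# secrets it has actually cached, and flag privileged accounts among them.
# Assumes the RSAT ActiveDirectory module and an account permitted to read
# the domain.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
        # PRP: who MAY be cached (Allowed) and who never will be (Denied).
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

        # Revealed: whose secrets ARE on this RODC, i.e. what an attacker who
        # images its disk or dumps its NTDS.dit can recover.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

        $privileged = foreach ($acct in $revealed | Where-Object ObjectClass -eq 'user') {
            $u = Get-ADUser -Identity $acct.DistinguishedName -Properties adminCount
            if ($u.adminCount -eq 1) { $u.SamAccountName }   # member (or ex-member) of a protected group
        }

        [pscustomobject]@{
            RODC               = $rodc.HostName
            Site               = $rodc.Site
            Allowed            = ($allowed.Name -join ', ')
            Denied             = ($denied.Name  -join ', ')
            RevealedCount      = $revealed.Count
            RevealedPrivileged = (@($privileged) -join ', ')
        }
    }
}

Get-RodcSecretExposure | Format-List
```

A non-empty RevealedPrivileged column means a domain-wide credential is recoverable from the branch-office box; the fix is to add the account to the Denied list and reset its password, since a reset is what invalidates the already-cached secret.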
Windows Server 2008 - Active Directory improvements
* Restartable Active Directory allows AD DS to be stopped and restarted from the Management
Console or the command line without rebooting the domain controller. This reduces downtime for
offline operations and reduces overall DC servicing requirements with Server Core. AD DS is
implemented as a domain controller service in Windows Server 2008.
Multi-master replication - Active Directory
Some Active Directory needs are, however, better served by Flexible Single Master Operation
(FSMO) roles, where exactly one domain controller is authoritative for an operation that must
not happen concurrently on several replicas: the Schema Master and Domain Naming Master (one each
per forest) and the PDC Emulator, RID Master and Infrastructure Master (one each per domain).
Hitachi Content Platform - Active Directory support (version 5.0+)
HCP can be configured to support Windows Active Directory (AD) for user authentication at the
system, tenant, and namespace levels. This means that users with AD user accounts can access the
HCP System Management Console, Tenant Management Console, Search Console, and namespace content,
provided they have the applicable permissions in HCP.
Windows Server domain - Active Directory
Active Directory makes it easier for administrators to manage and deploy network changes and
policies (see Group Policy) to all of the machines connected to the domain.
Roaming user profile - Active Directory
In Windows 2000 and later versions, the roaming profile path is set using the Active Directory
Users and Computers snap-in
Roaming user profile - Active Directory
Enabling roaming profiles for a workstation running Windows NT 4.0, Windows 2000, Windows XP
Professional, Windows Vista Business or Ultimate is done by specifying a location on the server
where the users' profiles are located; this is done under User Manager for Domains in Windows
NT 4.0 Server and Active Directory Users and Computers in Windows 2000 and later
Windows Server 2000 - Active Directory
Active Directory can organise and link groups of domains into a contiguous domain name space to
form trees
Windows Server 2000 - Active Directory
As part of an organization's migration, Windows NT clients continued to function until all
clients were upgraded to Windows 2000 Professional, at which point the Active Directory domain
could be switched to native mode and maximum functionality achieved.
Windows Server 2000 - Active Directory
Active Directory requires a DNS server that supports SRV resource records, or that an
organization's existing DNS infrastructure be upgraded to support this. There should be one or
more domain controllers to hold the Active Directory database and provide Active Directory
directory services.
Active Directory Application Mode - Organizational units
The OU is the recommended level at which to apply group policies, which are Active Directory
objects formally named Group Policy Objects (GPOs), although policies can also be applied to
domains or sites.
Active Directory Application Mode - Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within
OUs are not automatically assigned access privileges based on their containing OU. This is a
design limitation specific to Active Directory. Other competing directories such as Novell
eDirectory (NDS) are able to assign access privileges through object placement within an OU.
Active Directory Application Mode - Shadow groups
Active Directory requires a separate step for an administrator to assign an object in an OU as a
member of a group also within that OU. Relying on OU location alone to determine access
permissions is unreliable, because the object may not have been assigned to the group object for
that OU.
Active Directory Application Mode - Shadow groups
A common workaround for an Active Directory administrator is to write a custom PowerShell or
Visual Basic script to automatically create and maintain a user group for each OU in their
directory
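The PowerShell below is an added example of such a shadow-group script; it is not code from the page or from Microsoft. It assumes the RSAT ActiveDirectory module, and the OU and group names in the final call are placeholders. For one OU it creates the group if needed, computes the set of enabled users directly in the OU, and adds or removes members so the group matches the OU rather than only growing.

```powershell
# Added example, not code from the original page: keep a "shadow group" in
# sync with the user objects directly under an OU, so that permissions can be
# granted to the group although the OU itself confers none. Assumes the RSAT
# ActiveDirectory module; the OU and group names used below are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Create the shadow group inside the OU it mirrors if it does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OuDistinguishedName -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OuDistinguishedName -PassThru
    }

    # Users directly in the OU (OneLevel), not in child OUs, which normally get
    # their own shadow group. Disabled accounts are left out so that disabling
    # an account also removes its access.
    $wanted  = @(Get-ADUser -SearchBase $OuDistinguishedName -SearchScope OneLevel -Filter 'Enabled -eq $true' |
                 Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $group |
                 Where-Object objectClass -eq 'user' |
                 Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })   # moved out of the OU, or disabled

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Group = $group.Name; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# One call per OU that needs a shadow group; run from a scheduled task.
Sync-ShadowGroup -OuDistinguishedName 'OU=Finance,DC=example,DC=com' -GroupName 'SG-Finance'
```

The removal step is the part most hand-written versions omit; without it a user moved to another OU keeps the old OU's permissions. Get-ADGroupMember stops at the server's MaxGroupOrMemberEntries limit (5000 by default), so for very large OUs read the group's member attribute directly.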
Active Directory Application Mode - Physical matters
Physically, the Active Directory information is held on one or more peer domain controllers,
replacing the Windows NT Primary Domain Controller (PDC)/Backup Domain Controller (BDC) model.
Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not
domain controllers are called Member Servers.
Active Directory Application Mode - Physical matters
The Active Directory database is organized in partitions, each holding specific object types and
following a specific replication pattern
Active Directory Application Mode - Physical matters
Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated
with DNS and requires TCP/IP and DNS. To be fully functional, the DNS server must support SRV
resource records, also known as service records.
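The SRV requirement stated here and in the Windows Server 2000 section above is what lets a client find a domain controller at all. The PowerShell below is an added example, not code from the page or from Microsoft; it assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later) and defaults to the domain the host is joined to. It resolves the SRV records AD registers for LDAP, Kerberos and the global catalog and checks that every advertised host actually answers on the port the record names.

```powershell
# Added example, not code from the original page: find the domain controllers
# of a domain through the SRV records Active Directory registers in DNS, then
# check that each advertised host answers on the port the record names.
# Assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or
# later); the domain defaults to the one this host is joined to.
$Domain = $env:USERDNSDOMAIN

# _ldap._tcp.dc._msdcs.<domain> lists every DC of the domain, _kerberos._tcp
# the KDCs and _gc._tcp the global catalogs of the forest; site-scoped
# variants live under _sites.<site name>.
$srvNames = [ordered]@{
    'LDAP (DC)'      = "_ldap._tcp.dc._msdcs.$Domain"
    'Kerberos (KDC)' = "_kerberos._tcp.$Domain"
    'Global catalog' = "_gc._tcp.$Domain"
}

function Test-DcSrvRecords {
    foreach ($label in $srvNames.Keys) {
        $query = $srvNames[$label]
        try {
            $srv = @(Resolve-DnsName -Name $query -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV')
        } catch {
            [pscustomobject]@{ Service = $label; Query = $query; Target = '(no record)'; Port = $null; Reachable = $false }
            continue
        }
        # Lower priority wins; among equal priorities, higher weight is preferred.
        foreach ($r in $srv | Sort-Object Priority, { -$_.Weight }) {
            $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Service   = $label
                Query     = $query
                Target    = $r.NameTarget
                Priority  = $r.Priority
                Weight    = $r.Weight
                Port      = $r.Port
                Reachable = $tcp.TcpTestSucceeded
            }
        }
    }
}

Test-DcSrvRecords | Format-Table -AutoSize
```

Two findings matter: a DC that is not in the list cannot be located by clients even though it is healthy, and a name in the list that no longer answers is a stale registration that clients will keep trying until the record is scavenged.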
Active Directory Application Mode - Physical implementation
In general, a network utilizing Active Directory will have more than one licensed Windows server
computer. Although backup and restore of Active Directory is possible for a network with a single
domain controller, Microsoft recommends more than one domain controller to provide automatic
failover protection of the directory. Domain controllers are also ideally single-purpose for
directory operations only, and should not run any other software or role such as a file server.
Active Directory Application Mode - Physical implementation
A business intending to implement Active Directory is therefore recommended to purchase a number
of Windows server licenses, to provide for at least two separate domain controllers, and
optionally additional domain controllers for performance or redundancy, a separate file server,
a separate Exchange server, a separate SQL Server, and so forth to support the various server
roles.
Active Directory Application Mode - Replication
Active Directory replication by default is 'pull' rather than 'push', meaning that replicas pull
changes from the server where the change was effected.
Active Directory Application Mode - Replication
Replication of Active Directory-integrated DNS zones is automatically configured when DNS is
activated in the domain, based on site.
Active Directory Application Mode - Replication
Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites,
SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial
Attribute Set (Global Catalog) NCs. SMTP cannot be used for replicating the default Domain
partition.
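The PowerShell below is an added example, not code from the page or from Microsoft, covering both the FSMO roles from the multi-master replication section above and the pull replication described here. It assumes the RSAT ActiveDirectory module (the Get-ADReplication* cmdlets need the Server 2012 or later version) and rights to read replication metadata. It reports which DC holds each single-master role, then, for every DC, the inbound partners it pulls each partition from and any outstanding failures.

```powershell
# Added example, not code from the original page: show which DC holds each
# single-master (FSMO) role, then read every DC's inbound replication metadata
# and outstanding failures. Assumes the RSAT ActiveDirectory module (the
# Get-ADReplication* cmdlets need the Server 2012 or later version) and rights
# to read replication metadata.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
}

function Get-InboundReplicationHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per (partition, partner) this DC pulls from.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    Partition   = $_.Partition
                    Partner     = $_.Partner
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult      # 0 = success
                    Failures    = $_.ConsecutiveReplicationFailures
                }
            }
    }
}

Get-FsmoHolders | Format-List
Get-InboundReplicationHealth | Sort-Object Failures -Descending | Format-Table -AutoSize

# Failures each DC has recorded. A partner that has not replicated within the
# tombstone lifetime must be removed and rebuilt rather than reconnected.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationFailure -Target $dc.HostName |
        ForEach-Object { 'FAIL {0} <- {1}: {2} (count {3}, since {4})' -f $dc.HostName, $_.Partner, $_.LastError, $_.FailureCount, $_.FirstFailureTime }
}
```

Partner values are the DN of the partner's NTDS Settings object; a DC whose LastSuccess for the Domain partition is days old is serving stale group membership and password changes, which is the state an attacker with a lingering account benefits from.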
Active Directory Application Mode - Database
The Active Directory database, the directory store, in Windows 2000 Server uses the JET
Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects
(but only 1 billion security principals) in each domain controller's database. Microsoft has
created NTDS databases with more than 2 billion objects.
Active Directory Application Mode - Database
Programs may access the features of Active Directory via the COM interfaces provided by Active
Directory Service Interfaces.
Active Directory Application Mode - Database
Active Directory Service Interfaces, Microsoft,
http://msdn.microsoft.com/en-us/library/aa772170%28VS.85%29.aspx
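PowerShell's [ADSI] type accelerator and System.DirectoryServices are managed wrappers over those same ADSI COM interfaces, so the directory can be queried without the ActiveDirectory module. The PowerShell below is an added example, not code from the page or from Microsoft; it assumes a domain-joined Windows host with read access to the domain partition. It binds to RootDSE, then runs a paged LDAP search with the bitwise matching rule to find enabled accounts whose userAccountControl flags weaken password policy.

```powershell
# Added example, not code from the original page: query the directory through
# ADSI. PowerShell's [ADSI] accelerator and System.DirectoryServices wrap the
# ADSI COM interfaces, so the ActiveDirectory module is not needed. Assumes a
# domain-joined Windows host with read access to the domain partition.
$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNc = $rootDse.Properties['defaultNamingContext'].Value   # e.g. DC=example,DC=com

# LDAP_MATCHING_RULE_BIT_AND makes "attr:OID:=n" a bitwise test.
$BIT_AND            = '1.2.840.113556.1.4.803'
$UF_ACCOUNTDISABLE  = 0x2
$UF_PASSWD_NOTREQD  = 0x20       # account is allowed to have an empty password
$UF_DONT_EXPIRE_PWD = 0x10000    # password never expires

function Find-WeakPasswordAccounts {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
    $searcher.PageSize   = 1000    # paged search; the server caps a single page at 1000 entries
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)" +
                           "(!(userAccountControl:$BIT_AND:=$UF_ACCOUNTDISABLE))" +
                           "(|(userAccountControl:$BIT_AND:=$UF_PASSWD_NOTREQD)" +
                             "(userAccountControl:$BIT_AND:=$UF_DONT_EXPIRE_PWD)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'pwdLastSet', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $uac   = [int]$r.Properties['useraccountcontrol'][0]
        $flags = @()
        if ($uac -band $UF_PASSWD_NOTREQD)  { $flags += 'PASSWD_NOTREQD' }
        if ($uac -band $UF_DONT_EXPIRE_PWD) { $flags += 'DONT_EXPIRE_PASSWD' }
        # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01); 0 means never set.
        $pwdLastSet = [DateTime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0])
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Flags          = ($flags -join ',')
            PwdLastSetUtc  = $pwdLastSet
            DN             = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

Find-WeakPasswordAccounts | Sort-Object PwdLastSetUtc | Format-Table -AutoSize
```

PASSWD_NOTREQD is the more dangerous of the two flags because it bypasses the domain's minimum password length, so an account carrying it may legitimately have no password at all.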
Directory System Agent - Active Directory
In Microsoft's Active Directory the DSA is a collection of servers and daemon processes that run
on Windows 2000 Server systems and provide various means for clients to access the Active
Directory data store.
Directory System Agent - Active Directory
Clients connect to an Active Directory DSA using various communications protocols:
* A proprietary RPC interface, used by Active Directory DSAs to communicate with one another and
replicate data amongst themselves
Active Directory Explorer
'Active Directory Explorer' is a viewer and editor for Active Directory databases, from
Microsoft. It can be used to navigate around and modify AD entries, view schema for objects as
well as perform searches. It can also save AD snapshots for offline browsing.
Active Directory Explorer
'ADSI Edit' is included by default on Microsoft Windows Server 2008 (and Microsoft Windows Server
2008 R2) Standard and above. It has many features similar to the Sysinternals Active Directory
Explorer and is a low-level editor for Active Directory.
Univention Corporate Server - Active Directory-compatible services
With the component Active Directory-compatible Domain Controller based on Samba 4, UCS can be
used as an Active Directory domain controller for Windows systems including file, printer and
network services.
Univention Corporate Server - Active Directory-compatible services
Active Directory Connection avoids duplicate, demanding, complex and error-prone administration.
Univention Corporate Server - Active Directory-compatible services
If the aim is to replace Microsoft domain controllers completely by UCS, which also includes
switching off all Active Directory domain controllers in parallel, the UCS component Active
Directory Takeover allows the migration of objects from a native Active Directory domain
controller to a UCS Samba/AD domain controller.
Organizational Unit - Sun Enterprise Directory Server and Active Directory
In Sun Java System Directory Server and Microsoft Active Directory (AD), an organizational unit
(OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in
separate domains may have identical names but are independent of each other.
Active Directory Rights Management Services
'Windows Rights Management Services' (also called 'Rights Management Services', 'Active Directory
Rights Management Services' or 'RMS') is a form of Information Rights Management used on
Microsoft Windows that uses encryption and a form of selective functionality denial for limiting
access to documents such as corporate e-mail, Word documents, and web pages, and the operations
authorized users can perform on them
Active Directory Rights Management Services
In Windows Server 2008, Windows Rights Management Services has been renamed to 'Active Directory
Rights Management Services', reflecting a higher level of integration with Active Directory
Active Directory Federation Services
'Active Directory Federation Services' (AD FS) is a software component developed by Microsoft
that can be installed on Windows Server operating systems to provide users with single sign-on
access to systems and applications located across organizational boundaries. It uses a
claims-based access control authorization model to maintain application security and implement
federated identity.
Active Directory Federation Services
A federation server on one side (the Accounts side) authenticates the user through the standard
means in Active Directory Domain Services and then issues a token containing a series of claims
about the user, including the user's identity
Active Directory Federation Services
AD FS integrates with Active Directory Domain Services, using it as an identity provider. AD FS
can interact with other WS-* and SAML 2.0 compliant federation services as federation partners.
For More Information, Visit:
• https://store.theartofservice.com/the-active-directory-toolkit.html
The Art of Service, https://store.theartofservice.com