Post on 23-Dec-2015
Module 1: Introduction to Active Directory

Overview
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network

Introduction to Active Directory
- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)

What Is Active Directory?
Directory Service Functionality
- Organize, manage, and control resources
Centralized Management
- Single point of administration
- Full user access to directory resources by a single logon

Active Directory Objects
- Objects represent network resources
- Attributes store information about an object
Diagram: objects and their attributes (each attribute holds a value)
- Users: Suzan Fine, Don Hall; attributes: First Name, Last Name, Logon Name
- Printers: Printer1, Printer2, Printer3; attributes: Printer Name, Printer Location

Active Directory Schema
Object class examples: Printers, Computers, Users
Attributes of Users might contain: accountExpires, department, distinguishedName, middleName
Attribute examples (from the list of schema attributes): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …
Active Directory Schema Is:
- Dynamically available
- Dynamically updateable
- Protected by DACLs

DNS and Active Directory Namespaces
Diagram: the DNS namespace and the Active Directory namespace side by side
- DNS namespace: "." (DNS root domain) > com. > microsoft > sales, training > computer1 (reachable from the Internet)
- Active Directory namespace: microsoft.com > sales.microsoft.com, training.microsoft.com
- Legend: DNS node (domain or computer); Active Directory domain

Lightweight Directory Access Protocol (LDAP)
LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory.
LDAP naming paths include:
- Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
- Relative distinguished names, for example Suzan Fine

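As an added example (not part of the course material), a small Python parser that splits the slide's distinguished name CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft into its relative distinguished names, recovers the parent container, and derives the DNS domain name from the DC= components; it also handles an escaped comma inside a value (the RFC 4514 form), which the slide does not cover.

```python
# Added example: parse an LDAP distinguished name (DN) into its relative
# distinguished names (RDNs), as in the slide's example
# CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft. Handles the RFC 4514 escape
# "\," so a comma inside a value does not split the RDN.

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, keeping backslash escapes verbatim."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # escaped character: keep both chars
            i += 2
            continue
        if ch == ",":                     # unescaped comma ends the RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def parse_dn(dn: str) -> dict:
    """Return the leading RDN, the parent DN, all (type, value) pairs and the
    DNS domain name spelled out by the DC= components."""
    rdns = split_rdns(dn)
    if not rdns:
        raise ValueError("empty DN")
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    dcs = [value for attr, value in pairs if attr == "DC"]
    return {
        "rdn": rdns[0],                   # 'CN=Suzan Fine'
        "parent": ",".join(rdns[1:]),     # 'OU=Sales,DC=contoso,DC=msft'
        "components": pairs,
        "domain": ".".join(dcs),          # 'contoso.msft'
    }

if __name__ == "__main__":
    print(parse_dn("CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"))
```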
Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests
- Global Catalog

Domains
A Domain Is a Security Boundary
- A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A Domain Is a Unit of Replication
- Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
Diagram: a Windows 2000 domain with two domain controllers replicating User1 and User2 between them

Organizational Units
Diagram: an OU hierarchy that mirrors the organizational structure (Sales, Vancouver, Repair, Users, Computers) and the network administrative model
- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups

Trees and Forests
Diagram: a forest made of two trees
- Tree: contoso.msft (root) with child domains au.contoso.msft and asia.contoso.msft, joined by two-way transitive trusts
- Tree: nwtraders.msft with child domains au.nwtraders.msft and asia.nwtraders.msft, joined by two-way transitive trusts
- Forest: the tree roots contoso.msft and nwtraders.msft are joined by a two-way transitive trust

Global Catalog
Diagram: a global catalog server holds a subset of the attributes of all objects from every domain
Used for:
- Queries
- Group membership when a user logs on

Introduction to the Role of DNS in Active Directory
Name Resolution
- DNS translates computer names to IP addresses
- Computers use DNS to locate each other on the network
Naming Convention for Windows 2000 Domains
- Windows 2000 uses DNS naming standards for domain names
- DNS domains and Active Directory domains share a common hierarchical naming structure
Locating the Physical Components of Active Directory
- DNS identifies domain controllers by the services they provide
- Computers use DNS to locate domain controllers and global catalog servers

DNS Host Names and Windows 2000 Computer Names
- DNS host record and Active Directory object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory
Diagram: the same computer in both namespaces
- Active Directory: domain training.microsoft.com, containers Builtin and Computers, computer objects Computer1 and Computer2
- DNS: "." > com. > microsoft > sales, training > computer1
- FQDN = computer1.training.microsoft.com; Windows 2000 Computer Name = Computer1

DNS Requirements for Active Directory
DNS Requirements to Support Active Directory:
- Support for SRV records (mandatory)
- Support for the dynamic update protocol (recommended)
- Support for incremental zone transfers (recommended)

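As an added example (not from the course material), the following Python code shows how a client locates domain controllers and global catalog servers through the SRV records that the "Locating the Physical Components" and "DNS Requirements" slides above call for, ordering candidates by priority and weight as RFC 2782 specifies. The SRV owner names (_ldap._tcp.dc._msdcs.<domain>, _gc._tcp.<forest>, and their site-specific _sites forms) are the names domain controllers register and are not on the slides; the zone data is constructed.

```python
# Added example: locate domain controllers (DCs) and global catalog (GC)
# servers through DNS SRV records and order the answers per RFC 2782.
# The owner names follow the form DCs register (_ldap._tcp.dc._msdcs.<domain>,
# _gc._tcp.<forest>, and site-specific "<site>._sites" variants); the zone
# contents below are constructed sample data.
import random

# Constructed zone: owner name -> [(priority, weight, port, target), ...]
ZONE = {
    "_ldap._tcp.dc._msdcs.contoso.msft": [
        (0, 100, 389, "dc1.contoso.msft"),
        (0, 100, 389, "dc2.contoso.msft"),
        (10, 100, 389, "dc3.contoso.msft"),   # higher value = lower priority
    ],
    "_ldap._tcp.seattle._sites.dc._msdcs.contoso.msft": [
        (0, 100, 389, "dc2.contoso.msft"),
    ],
    "_gc._tcp.contoso.msft": [
        (0, 100, 3268, "dc1.contoso.msft"),
    ],
}

def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            for rec in pool:
                pick -= rec[1]
                if pick <= 0:             # cumulative weight reached the draw
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered

def locate(service, domain, site=None, zone=ZONE):
    """Return (port, target) candidates, preferring the client's own site.
    service is "_ldap" (domain controller) or "_gc" (global catalog)."""
    base = f"dc._msdcs.{domain}" if service == "_ldap" else domain
    names = [f"{service}._tcp.{site}._sites.{base}"] if site else []
    names.append(f"{service}._tcp.{base}")   # fall back to the domain-wide set
    for name in names:
        if zone.get(name):
            return [(port, target) for _, _, port, target in order_srv(zone[name])]
    return []
```

A client in the Seattle site is steered to the DC registered for that site (the "reliable, high-speed connection" the Sites slide describes), while a client outside any listed site receives the whole domain-wide set with the backup DC last.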
What Is a Tree?
Diagram: the tree root domain contoso.msft is the parent domain; the new domain sales.contoso.msft is its child domain, and the two form a contiguous namespace

What Is a Forest?
Diagram: a forest of two trees
- Tree: nwtraders.msft with child domains marketing.nwtraders.msft and sales.nwtraders.msft
- Tree: contoso.msft with child domain sales.contoso.msft
- All of the domains in a forest share a common configuration, schema, and global catalog
- A forest is one or more trees
- Trees in a forest do not share a contiguous namespace

What Is the Forest Root Domain?
- The forest root domain is the first domain created in a forest
Diagram: a forest whose forest root domain is contoso.msft (child sales.contoso.msft) and whose second tree root domain is nwtraders.msft (child marketing.nwtraders.msft); associated with the forest root domain are the Global Catalog, the Configuration and Schema, and the Enterprise Admins and Schema Admins groups

Characteristics of Multiple Domains
- Reduce replication traffic
- Maintain separate and distinct security policies between domains
- Preserve the domain structure of earlier versions of Windows NT
- Separate administrative control

Active Directory Physical Structure
- Domain Controllers
- Sites

Domain Controllers
Diagram: two domain controllers in a domain, each holding a writeable copy of the Active Directory database, replicating User1 and User2 between them
Domain Controllers:
- Participate in Active Directory replication
- Perform single master operations roles in a domain

Sites
Sites:
- Optimize replication traffic
- Enable users to log on to a domain controller by using a reliable, high-speed connection
Diagram: sites (Los Angeles, Seattle, Chicago, New York), each defined as a set of IP subnets

Introduction to Active Directory Replication
Diagram: Domain Controller A, Domain Controller B and Domain Controller C replicating with each other
- Multimaster replication with a loose convergence

Replication Components and Processes
- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication

How Replication Works
Diagram: an originating update on Domain Controller A is replicated to Domain Controller B and Domain Controller C as a replicated update
Active Directory update types: Add, Modify, Move, Delete

Replication Latency
Diagram: after an originating update, Domain Controller A sends a change notification to Domain Controller B and Domain Controller C, which then receive the replicated update
- Default replication latency (change notification) = 5 minutes
- When no changes, scheduled replication = one hour
- Urgent replication = immediate change notification

Resolving Replication Conflicts
Diagram: Domain Controller A and Domain Controller B each make an originating update to the same object, each carrying a stamp; the two updates conflict
Stamp = Version Number, Timestamp, Server GUID
Conflicts can be due to:
- Attribute value
- Adding/moving under a deleted container object, or the deletion of a container object
- Sibling name

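As an added example (not from the course material), a Python simulation of the stamp comparison the slide describes for an attribute-value conflict: each originating update carries (version number, timestamp, server GUID), and a replicated update is applied only when its stamp is higher, so every domain controller converges on the same value. The DC names, GUIDs and timestamps are constructed.

```python
# Added example: attribute-value conflict resolution using the stamp the slide
# lists (version number, timestamp, server GUID). A replicated update is
# applied only if its stamp is higher than the stamp already stored, so every
# domain controller converges on the same winning value. Names, GUIDs and
# timestamps are constructed.
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Stamp:
    """Ordered field by field: version first, then timestamp, then server GUID."""
    version: int
    timestamp: int        # originating write time (constructed seconds)
    server_guid: str      # GUID of the DC that made the originating update

class DomainController:
    def __init__(self, guid):
        self.guid = guid
        self.attrs = {}   # attribute name -> (value, Stamp)

    def originating_update(self, attr, value, now):
        """Local write: increment the stored version and stamp it with our GUID."""
        old = self.attrs.get(attr)
        version = old[1].version + 1 if old else 1
        self.attrs[attr] = (value, Stamp(version, now, self.guid))
        return self.attrs[attr]

    def replicated_update(self, attr, value, stamp):
        """Inbound replication: keep the incoming value only if its stamp wins."""
        current = self.attrs.get(attr)
        if current is None or stamp > current[1]:
            self.attrs[attr] = (value, stamp)
            return True
        return False      # local value has the higher stamp; incoming one loses

def replicate_all(dcs):
    """Exchange every attribute between all DCs until no DC changes."""
    changed = True
    while changed:
        changed = False
        for src in dcs:
            for attr, (value, stamp) in list(src.attrs.items()):
                for dst in dcs:
                    if dst is not src and dst.replicated_update(attr, value, stamp):
                        changed = True

def value_on_each(dcs, attr):
    """Return the attribute value held by each DC (all equal once converged)."""
    return [dc.attrs[attr][0] for dc in dcs]
```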
Replication Topology
- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of Partitions

Directory Partitions
Diagram: the Active Directory database is divided into directory partitions; the domain partition belongs to a domain, while the configuration and schema partitions belong to the forest
- Domain (contoso.msft): holds information about all domain-specific objects created in Active Directory
- Configuration: contains information about Active Directory structure
- Schema: contains definitions and rules for creating and manipulating all objects and attributes

What Is Replication Topology?
Diagram: domain controllers from the same domain (A1, A2, A3, A4)
- Domain A topology
- Schema/Configuration topology
Diagram: domain controllers from different domains (A1, A2, A3, A4 and B1, B2, B3)
- Domain A topology
- Domain B topology
- Schema/Configuration topology

Global Catalog and Replication of Partitions
Diagram: a global catalog server in contoso.msft holds the contoso.msft domain partition, the configuration partition and the schema partition, plus a partial directory partition replica of namerica.contoso.msft
- Partial directory partition replica: holds a read-only copy of all domain directory partitions
Diagram: domain controllers A1 to A4 and B1 to B3 with the Domain A topology, Domain B topology and Schema/Configuration topology

Methods for Administering a Windows 2000 Network
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control

Using Active Directory for Centralized Management
Diagram: a domain with OU1 (Computers: Computer1; Users: User1) and OU2 (Users: User2; Printers: Printer1), all searchable from a single point
Active Directory:
- Enables a single administrator to centrally manage resources
- Allows administrators to easily locate information
- Allows administrators to group objects into OUs
- Uses Group Policy to specify policy-based settings

Managing the User Environment
Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline
Diagram: Group Policy is applied once at the Domain, OU1, OU2 and OU3 (steps 1, 2, 3); Windows 2000 enforces it continually

Delegating Administrative Control
Assign Permissions:
- For specific OUs to other administrators
- To modify specific attributes of an object in a single OU
- To perform the same task in all OUs
Customize Administrative Tools to:
- Map to delegated administrative tasks
- Simplify interface design
Diagram: within one domain, Admin1, Admin2 and Admin3 are delegated control of OU1, OU2 and OU3 respectively

Review
- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network