Date post: | 04-Jan-2016 |
Category: |
Documents |
Upload: | fleur-mcconnell |
View: | 75 times |
Download: | 10 times |
By Karan Oberoi
A directory service (DS) is a software application- or a set of applications - that stores and organizes information about a computer network's users and network resources.
Allows network administrators to manage users' access to the resources
Act as an abstraction layer between users and shared resources
Provide file shares.
Authenticate users
Provide services, such as Email, Access to the internet,
Print services etc.
Control access to services and shares.
Active Directory is Microsoft’s version of an LDAP based network directory service.
»Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.
Microsoft’s directory service which is included in the Windows 2000 and Windows Server 2003 operating system versions.
Is an implementation of LDAP directory services.
Called: ADS,NTDS
Goals and BenefitsOpen Standards High Scalability Simplified Administration
HierarchicalHierarchical Base objectBase object
DomainDomain
OU
Domain
DomainOUOU
Objects
Domain
Tree
Domain
Domain
Domain
Tree
Forest
„ „old Friends “old Friends “ UserUserGroupGroupComputerComputer
New ElementsNew ElementsDistribution ListsDistribution ListsSystem PoliciesSystem Policies
Application defined custom Application defined custom objectsobjectsDescribed in the SchemaDescribed in the Schema
Definition of all ADDefinition of all AD Object-Types (Classes)Object-Types (Classes) AttributesAttributes Data-Types (Syntaxes)Data-Types (Syntaxes)
Can be compared to a Database Can be compared to a Database SchemaSchema
ONE consistent Schema inside a ONE consistent Schema inside a single Forestsingle Forest
ExtensibleExtensible
Firma.de
AD Base Element (Building Block)AD Base Element (Building Block)
NT 4 CompatibleNT 4 Compatible
Physically Implemented on Domain Physically Implemented on Domain Controllers (DC)Controllers (DC)
Border forBorder for - Replication Traffic- Replication Traffic - System Policies- System Policies - Administration- Administration
LA
Admin
New York
SalesAdmin Sales
Implements a Structure inside a DomainImplements a Structure inside a Domain Can be nested as neededCan be nested as needed Can Can notnot be assigned any rights be assigned any rights Typically used for Administrative ReasonsTypically used for Administrative Reasons
e.g. System Policiese.g. System Policies
Hierarchical Domain Structure Hierarchical Domain Structure inside a single Namespace inside a single Namespace - adiscon.com- adiscon.com
- la.adiscon.com- la.adiscon.com - ny.adiscon.com- ny.adiscon.com
Transitive Trusts created Transitive Trusts created automaticallyautomatically Sub-Domain must be added to Sub-Domain must be added to Root-Domain – otherwise there Root-Domain – otherwise there will be no treewill be no tree
la.adiscon.com
adiscon.com
ny.adiscon.com
Tree
Combination of TreesCombination of Trees Disjunct NamespacesDisjunct Namespaces
- adiscon.de- adiscon.de- adiscon.com- adiscon.com
Transitive Trusts created Transitive Trusts created automaticallyautomatically There is one single tree-root!There is one single tree-root! Sub-Tree must be added to Root-Sub-Tree must be added to Root-Tree, otherwise no Forest will be Tree, otherwise no Forest will be createdcreated
Site: A site is a physical location, or LAN. This is different from a web site, which is an organization’s internet presence.
Domain: - A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.- All resources under the control of a single computer system.
Lightweight Directory Access Protocol (LDAP) -- a protocol used to access a directory service.
Lightweight Access Directory Protocol is the primary access protocol for Active Directory.
The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.
Elements of the catalog are replicated across all of the domain controllers within all domains across the org.
For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.
SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
Active Directory replicates its administration information across domain controllers throughout the “forest” utilizing a “multi-master” approach.
Multi-master replication among peer domain controllers is impractical for some types changes, so only one domain controller, called the operations master, accepts requests for such changes.
Each domain controller has information for the entire forest to support authentication and access control.
This provides the ability for local domain controllers (the “tree”) to provide a quick local lookup of authority.
Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up
Stores a physical Copy of the Stores a physical Copy of the Active Directory DatabaseActive Directory Database - Currently a single Domain per DC - Currently a single Domain per DC supported!supported!
- ESE95 Database (MS Exchange)- ESE95 Database (MS Exchange) Logon ServicesLogon Services
- Kerberos- Kerberos - LAN Manager Authentication- LAN Manager Authentication
Its always recommended to Its always recommended to have at least 2 Domain have at least 2 Domain Controllers!Controllers!
Updates can be applied to ANY Domain Updates can be applied to ANY Domain ControllerController
Will be Replicated to each other Domain Will be Replicated to each other Domain Controls (inside that Domain) within 15 Controls (inside that Domain) within 15 MinutesMinutes
Optimized Algorithm reduces Replication Optimized Algorithm reduces Replication TrafficTraffic
NotNot time based (triggered on demand, time based (triggered on demand, only)!only)!
All Domain Databases involvedAll Domain Databases involved Changes are transmitted compressedChanges are transmitted compressed via IP (RPC) or SMTPvia IP (RPC) or SMTP
-SMTP not within a single domain!-SMTP not within a single domain! Time Replication occurs can be configuredTime Replication occurs can be configured Volume of Replication Traffic can not be Volume of Replication Traffic can not be restricted!restricted! Have an Eye on GCs!Have an Eye on GCs!
Improved AuthenticationImproved Authentication Permissions applied via ACLsPermissions applied via ACLs
- To Objects as whole- To Objects as whole - To specific Attributes- To specific Attributes
Fine-Tuning of Access Fine-Tuning of Access Permissions possiblePermissions possible Tool-Support to visualize Tool-Support to visualize Security Settings Security Settings . . currently currently weak (try Visio!)weak (try Visio!)
Time Savings
Repository of Information
Increased Security
DNS DependencyDNS Dependency No „Merge-Tree“No „Merge-Tree“ No Partitioning (only a single No Partitioning (only a single Domain per Domain per .. Domain Controller) Domain Controller) Limited Tool-SupportLimited Tool-Support Forest Global SchemaForest Global Schema Schema-Modifications can not be Schema-Modifications can not be undoneundone
Applications directly using and accessing Applications directly using and accessing the Active the Active . . Directory Directory
- e.g. Exchange 2000- e.g. Exchange 2000 - Many more expected!- Many more expected! Typically extend the SchemaTypically extend the Schema
May dramatically change usage pattern May dramatically change usage pattern for Active for Active . . Directory ResourcesDirectory Resources
- Replication Traffic- Replication Traffic (new Objects, Attributes) (new Objects, Attributes) - AD Queries (GCs!)- AD Queries (GCs!)