ACTIVE DIRECTORY

Date post: 04-Jan-2016
Page 1: ACTIVE DIRECTORY

By Karan Oberoi

Page 2: ACTIVE DIRECTORY

A directory service (DS) is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources.

Allows network administrators to manage users' access to the resources.

Acts as an abstraction layer between users and shared resources.

Page 3: ACTIVE DIRECTORY

Provide file shares.

Authenticate users.

Provide services, such as email, access to the internet, print services etc.

Control access to services and shares.

Page 4: ACTIVE DIRECTORY

Active Directory is Microsoft’s version of an LDAP-based network directory service.

Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.

Page 5: ACTIVE DIRECTORY

Microsoft’s directory service, which is included in the Windows 2000 and Windows Server 2003 operating system versions.

Is an implementation of LDAP directory services.

Called: ADS, NTDS

Goals and Benefits: Open Standards, High Scalability, Simplified Administration

Page 6: ACTIVE DIRECTORY

Hierarchical. Base object: Domain.

Diagram: Objects are held in OUs inside a Domain; Domains form a Tree; Trees form a Forest.

Page 7: ACTIVE   DIRECTORY

„ „old Friends “old Friends “ UserUserGroupGroupComputerComputer

New ElementsNew ElementsDistribution ListsDistribution ListsSystem PoliciesSystem Policies

Application defined custom Application defined custom objectsobjectsDescribed in the SchemaDescribed in the Schema

Page 8: ACTIVE DIRECTORY

Definition of all AD Object-Types (Classes), Attributes and Data-Types (Syntaxes)

Can be compared to a Database Schema

ONE consistent Schema inside a single Forest

Extensible

Page 9: ACTIVE DIRECTORY

Diagram label: Firma.de

AD Base Element (Building Block)

NT 4 Compatible

Physically implemented on Domain Controllers (DC)

Border for:
- Replication Traffic
- System Policies
- Administration

Page 10: ACTIVE DIRECTORY

Diagram labels: LA, New York; Admin, Sales

Implements a structure inside a Domain

Can be nested as needed

Can NOT be assigned any rights

Typically used for administrative reasons, e.g. System Policies

Page 11: ACTIVE DIRECTORY

Hierarchical Domain Structure inside a single Namespace:
- adiscon.com
- la.adiscon.com
- ny.adiscon.com

Transitive Trusts created automatically

Sub-Domain must be added to Root-Domain – otherwise there will be no tree

Diagram: adiscon.com with la.adiscon.com and ny.adiscon.com beneath it (Tree)

Page 12: ACTIVE DIRECTORY

Combination of Trees

Disjunct Namespaces:
- adiscon.de
- adiscon.com

Transitive Trusts created automatically

There is one single tree-root!

Sub-Tree must be added to Root-Tree, otherwise no Forest will be created
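The tree and forest slides above say that membership is decided by the DNS namespace: a sub-domain joins the tree of its root domain, and a domain in a disjoint namespace starts a separate tree in the forest. The following is an added example, not part of the presentation, that applies that rule to the slides' own sample names and also derives each domain's LDAP distinguished name from its DNS name (the function names are my own).

```python
from typing import Dict, List, Iterable

def dns_to_dn(dns_name: str) -> str:
    """Map a domain's DNS name to its LDAP distinguished name,
    e.g. la.adiscon.com -> DC=la,DC=adiscon,DC=com."""
    labels = [lbl for lbl in dns_name.strip(".").lower().split(".") if lbl]
    return ",".join(f"DC={lbl}" for lbl in labels)

def group_into_trees(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group domains into trees by contiguous DNS namespace.

    Each domain joins the tree of its closest ancestor that is also in the
    set; a domain with no ancestor in the set is a tree root (a disjoint
    namespace, i.e. a separate tree in the forest).
    Returns {tree_root: [member domains, root included]}.
    """
    # Ancestors have fewer labels, so process shortest names first.
    names = sorted({d.strip(".").lower() for d in domains},
                   key=lambda n: (n.count("."), n))
    root_of: Dict[str, str] = {}
    for name in names:
        labels = name.split(".")
        ancestor = None
        for i in range(1, len(labels)):          # nearest ancestor first
            candidate = ".".join(labels[i:])
            if candidate in root_of:
                ancestor = candidate
                break
        root_of[name] = root_of[ancestor] if ancestor else name
    trees: Dict[str, List[str]] = {}
    for name, root in root_of.items():
        trees.setdefault(root, []).append(name)
    return trees

if __name__ == "__main__":
    # Sample names taken from the slides (constructed forest, not a real one).
    forest = ["adiscon.com", "la.adiscon.com", "ny.adiscon.com", "adiscon.de"]
    for root, members in group_into_trees(forest).items():
        print(f"tree rooted at {root} ({dns_to_dn(root)}): {members}")
```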

Page 13: ACTIVE DIRECTORY

Site: A site is a physical location, or LAN. This is different from a web site, which is an organization’s internet presence.

Domain:
- A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
- All resources under the control of a single computer system.

Page 14: ACTIVE DIRECTORY

Lightweight Directory Access Protocol (LDAP): a protocol used to access a directory service.

The Lightweight Directory Access Protocol is the primary access protocol for Active Directory.

Page 15: ACTIVE DIRECTORY

The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.

Elements of the catalog are replicated across all of the domain controllers within all domains across the organization.

Page 16: ACTIVE DIRECTORY

For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.

SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
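As an added illustration of the slide above (my own example code, not from the presentation), the block below shows the SRV names an AD client resolves to locate domain controllers for a domain (optionally narrowed to a site) and how a client orders the answer by the SRV priority and weight fields. The SRV answer is constructed sample data for a fictitious example.com domain; the function names are my own.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # DNS name of the domain controller

def dc_locator_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """SRV owner names a client resolves to find DCs for `domain`.
    With a site name, the site-specific records are preferred over the domain-wide ones."""
    domain = domain.strip(".").lower()
    scope = f"{site}._sites.dc._msdcs.{domain}" if site else f"dc._msdcs.{domain}"
    return {"ldap": f"_ldap._tcp.{scope}", "kerberos": f"_kerberos._tcp.{scope}"}

# Constructed SRV answer for _ldap._tcp.dc._msdcs.example.com (sample data only).
SAMPLE_ANSWER = [
    SrvRecord(priority=0,  weight=100, port=389, target="dc1.example.com."),
    SrvRecord(priority=0,  weight=100, port=389, target="dc2.example.com."),
    SrvRecord(priority=10, weight=0,   port=389, target="dc-dr.example.com."),
]

def order_srv(records: List[SrvRecord],
              rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """Order records as RFC 2782 clients do: ascending priority, and within one
    priority a weighted random draw. `rng` returns a float in [0, 1)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:                       # all weights zero: plain random pick
                chosen = group[int(rng() * len(group))]
            else:
                threshold = rng() * total
                running = 0
                for r in group:                  # first record whose running sum passes the draw
                    running += r.weight
                    chosen = r
                    if running > threshold:
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered

def pick_dc(records: List[SrvRecord],
            rng: Callable[[], float] = random.random) -> Tuple[str, int]:
    """(host, port) of the first domain controller a client would contact."""
    best = order_srv(records, rng)[0]
    return best.target.rstrip("."), best.port
```

Pass a fixed `rng` (for example `lambda: 0.0`) to make the ordering reproducible when testing; with the default `random.random` the two priority-0 controllers share the load.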

Page 17: ACTIVE DIRECTORY

Active Directory replicates its administration information across domain controllers throughout the “forest” utilizing a “multi-master” approach.

Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.

Page 18: ACTIVE DIRECTORY

Each domain controller has information for the entire forest to support authentication and access control.

This lets local domain controllers (the “tree”) provide a quick local lookup of authority.

Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.

Page 19: ACTIVE DIRECTORY

Stores a physical copy of the Active Directory Database
- Currently a single Domain per DC supported!
- ESE95 Database (MS Exchange)

Logon Services
- Kerberos
- LAN Manager Authentication

It's always recommended to have at least 2 Domain Controllers!

Page 20: ACTIVE DIRECTORY

Updates can be applied to ANY Domain Controller

Will be replicated to each other Domain Controller (inside that Domain) within 15 minutes

Optimized algorithm reduces replication traffic

NOT time based (triggered on demand, only)!

Page 21: ACTIVE DIRECTORY

All Domain Databases involved

Changes are transmitted compressed via IP (RPC) or SMTP
- SMTP not within a single domain!

Time replication occurs can be configured

Volume of replication traffic can not be restricted!

Have an eye on GCs!

Page 22: ACTIVE DIRECTORY

Improved Authentication

Permissions applied via ACLs
- To objects as a whole
- To specific attributes

Fine-tuning of access permissions possible

Tool support to visualize security settings currently weak (try Visio!)

Page 23: ACTIVE DIRECTORY

Time Savings

Repository of Information

Increased Security

Page 24: ACTIVE DIRECTORY

DNS Dependency

No “Merge-Tree”

No Partitioning (only a single Domain per Domain Controller)

Limited Tool Support

Forest Global Schema

Schema modifications can not be undone

Page 25: ACTIVE DIRECTORY

Applications directly using and accessing the Active Directory
- e.g. Exchange 2000
- Many more expected!

Typically extend the Schema

May dramatically change usage pattern for Active Directory resources
- Replication Traffic (new Objects, Attributes)
- AD Queries (GCs!)

Page 26: ACTIVE DIRECTORY

Recommended