Active Directory

Date post: 25-Dec-2015
Upload: kristian-fletcher

Transcript

https://store.theartofservice.com/the-active-directory-toolkit.html

Active Directory

'Active Directory' (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.

Active Directory

An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.

Active Directory

Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Active Directory - History

Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept, then makes improvements upon them.

Active Directory - History

For example, LDAP, a long-standing directory technology, underpins Active Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The Active Directory concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to Active Directory include RFC 1823 (on the LDAP API, August 1995),

Active Directory - History

With the release of the last, Microsoft renamed the domain controller role as Active Directory Domain Services (AD DS).

Active Directory - Objects

An Active Directory structure is an arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

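As an added example (not part of the original slides), the following PowerShell parses the raw objectSid bytes that AD stores for a security principal into the familiar S-1-... string, separates the domain SID from the relative identifier (RID), and flags RIDs that Microsoft documents as privileged; the sample byte array is constructed here and the privileged-RID table is an assumption about what an auditor would want to flag.

```powershell
# Added example: parse a binary objectSid into its string form and split off the RID.
# Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 identifier authority
# (48-bit big-endian), then one 32-bit little-endian value per sub-authority.
function ConvertFrom-BinarySid {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 8) { throw "SID too short: $($Bytes.Length) bytes" }
    $revision = $Bytes[0]
    $subCount = $Bytes[1]
    if ($Bytes.Length -ne 8 + 4 * $subCount) {
        throw "Sub-authority count $subCount does not match $($Bytes.Length) bytes"
    }

    # Identifier authority is big-endian, so accumulate byte by byte
    [uint64]$authority = 0
    for ($i = 2; $i -lt 8; $i++) { $authority = $authority * 256 + $Bytes[$i] }

    # Sub-authorities are little-endian; BitConverter assumes a little-endian host (x86/x64)
    $subs = @(for ($i = 0; $i -lt $subCount; $i++) {
        [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    })

    $prefix = "S-$revision-$authority-"
    [pscustomobject]@{
        Sid       = $prefix + ($subs -join '-')
        # Domain SID = everything except the last sub-authority; only meaningful for domain SIDs
        DomainSid = if ($subCount -ge 2) { $prefix + ($subs[0..($subCount - 2)] -join '-') } else { $null }
        Rid       = $subs[-1]
    }
}

# Constructed sample bytes for S-1-5-21-1004336348-1177238915-682003330-500
[byte[]]$sample = 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00,      # 21
    0xDC, 0xF4, 0xDC, 0x3B,      # 1004336348
    0x83, 0x3D, 0x2B, 0x46,      # 1177238915
    0x82, 0x8B, 0xA6, 0x28,      # 682003330
    0xF4, 0x01, 0x00, 0x00       # 500 (built-in Administrator RID)

$parsed = ConvertFrom-BinarySid $sample
$parsed

# Cross-check against the .NET parser (PowerShell 5.1 or later for ::new)
$dotnet = [System.Security.Principal.SecurityIdentifier]::new($sample, 0)
if ($dotnet.Value -ne $parsed.Sid) { throw "Mismatch: $($dotnet.Value) vs $($parsed.Sid)" }

# RIDs an audit would normally flag; the list is an assumption for this example
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
if ($privilegedRids.ContainsKey([int]$parsed.Rid)) {
    "Privileged RID $($parsed.Rid): $($privilegedRids[[int]$parsed.Rid]) in domain $($parsed.DomainSid)"
}
```
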
Active Directory - Objects

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents—defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

Active Directory - Objects

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.

Active Directory - Site

A 'Site' object in Active Directory represents a geographic location that hosts networks. An Active Directory site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network (LAN).

Active Directory - Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Active Directory - Forests, trees, and domains

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

Active Directory - Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.

Active Directory - Unix integration

Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Active Directory - Unix integration

Third parties offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java and UNIX-based applications), including:

* Fox Technologies and the product FoxT ServerControl (software) implements AD Bridging capabilities that allow UNIX/Linux systems to join Active Directory and enable the use of the Kerberos protocol for authentication of users
* Centrify DirectControl (Centrify) – Active Directory-compatible centralized authentication and access control
* Centrify Express (Centrify) – A suite of free Active Directory-compliant services for centralized authentication, monitoring, file-sharing and remote access
* PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory

Active Directory - Unix integration

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby. Using free AD administration tools can help to simplify AD management tasks.

Windows Server 2008 - Active Directory roles

Identity Integration Feature Pack is included as Active Directory Metadirectory Services.

Windows Server 2008 - Active Directory improvements

The RODC holds a non-writeable copy of Active Directory, and redirects all write attempts to a Full Domain Controller.

Windows Server 2008 - Active Directory improvements

* Restartable Active Directory allows ADDS to be stopped and restarted from the Management Console or the command-line without rebooting the domain controller. This reduces downtime for offline operations and reduces overall DC servicing requirements with Server Core. ADDS is implemented as a Domain Controller Service in Windows Server 2008.

Multi-master replication - Active Directory

Some Active Directory needs are, however, better served by Flexible Single Master Operation.

Hitachi Content Platform - Active Directory support (version 5.0+)

HCP can be configured to support Windows Active Directory (AD) for user authentication at the system, tenant, and namespace levels. This means that users with AD user accounts can access the HCP System Management Console, Tenant Management Console, Search Console, and namespace content, provided they have the applicable permissions in HCP.

Windows Server domain - Active Directory

Active Directory makes it easier for administrators to manage and deploy network changes and policies (see Group Policy) to all of the machines connected to the domain.

Roaming user profile - Active Directory

In Windows 2000 and later versions, this is set using the Active Directory Users and Computers snap-in.

Roaming user profile - Active Directory

Enabling roaming profiles for a workstation running Windows NT 4.0, Windows 2000, Windows XP Professional, Windows Vista Business or Ultimate is done by specifying a location on the server where the users' profiles are located; this is done under User Manager for Domains in Windows NT 4.0 Server and Active Directory Users and Computers in Windows 2000 and later.

Windows Server 2000 - Active Directory

Active Directory can organise and link groups of domains into a contiguous domain name space to form trees.

Windows Server 2000 - Active Directory

As part of an organization's migration, Windows NT clients continued to function until all clients were upgraded to Windows 2000 Professional, at which point the Active Directory domain could be switched to native mode and maximum functionality achieved.

Windows Server 2000 - Active Directory

Active Directory requires a DNS server that supports SRV resource records, or that an organization's existing DNS infrastructure be upgraded to support this. There should be one or more domain controllers to hold the Active Directory database and provide Active Directory directory services.

Active Directory Application Mode - History

For example, Lightweight Directory Access Protocol (LDAP), a long-standing directory technology, underpins Active Directory. Also X.500 directories and the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),

Active Directory Application Mode - Organizational units

The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below).

Active Directory Application Mode - Shadow groups

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory Application Mode - Shadow groups

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

Active Directory Application Mode - Shadow groups

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory.

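The shadow-group workaround just described, and the PowerShell-based administration mentioned under Unix integration, as an added example that is not a script from the slides or from Microsoft: for each OU under a search base it creates a global security group named after the OU and reconciles the group's membership with the users directly in that OU. The search base, the groups OU and the 'SG-' naming prefix are assumptions; it requires the ActiveDirectory module (RSAT) and supports -WhatIf for a dry run.

```powershell
# Added example: keep one "shadow group" per OU so access is granted by group
# membership while users stay organised by OU. Paths and prefix are assumptions.
Import-Module ActiveDirectory

function Sync-ShadowGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OUs to mirror, e.g. 'OU=Departments,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupOu,      # where the shadow groups live
        [string]$Prefix = 'SG-'
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
        $groupName = "$Prefix$($ou.Name)"
        # Escape single quotes so an OU name cannot break the LDAP-style filter
        $filterName = $groupName.Replace("'", "''")
        $group = Get-ADGroup -Filter "Name -eq '$filterName'" -SearchBase $GroupOu

        if (-not $group) {
            if ($PSCmdlet.ShouldProcess($groupName, 'Create shadow group')) {
                $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                    -Path $GroupOu -Description "Shadow group for $($ou.DistinguishedName)" -PassThru
            } else {
                continue   # dry run: nothing to reconcile yet
            }
        }

        # Desired members: users directly in this OU (OneLevel, so nested OUs get their own group)
        $desired = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel |
                     Select-Object -ExpandProperty DistinguishedName)
        # Get-ADGroupMember is capped at 5000 members by default; fine for OU-sized groups
        $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)

        $toAdd    = @($desired | Where-Object { $_ -notin $current })
        $toRemove = @($current | Where-Object { $_ -notin $desired })   # moved out of the OU

        if ($toAdd -and $PSCmdlet.ShouldProcess($groupName, "Add $($toAdd.Count) member(s)")) {
            Add-ADGroupMember -Identity $group -Members $toAdd
        }
        if ($toRemove -and $PSCmdlet.ShouldProcess($groupName, "Remove $($toRemove.Count) member(s)")) {
            Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
        }
    }
}

# Dry run first; drop -WhatIf to apply the changes
Sync-ShadowGroups -SearchBase 'OU=Departments,DC=example,DC=com' `
                  -GroupOu 'OU=ShadowGroups,DC=example,DC=com' -WhatIf
```

Run it on a schedule so the group catches up when objects are moved between OUs; the removal step is what keeps stale access from lingering after a move.
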
Active Directory Application Mode - Physical matters

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.

Active Directory Application Mode - Physical matters

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern.

Active Directory Application Mode - Physical matters

Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

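A check for the SRV requirement stated here and in the Windows Server 2000 slide above, as an added example that is not from the slides: it queries the standard _msdcs locator records and confirms every advertised domain controller still resolves, which also surfaces stale records left behind after a DC is decommissioned. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later); the domain name and expected DC list are placeholders.

```powershell
# Added example: verify the SRV records the domain controller locator depends on.
# Record names are the standard _msdcs locator records; domain and DC list are assumptions.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. 'example.com'
        [string[]]$ExpectedDcs = @()             # FQDNs of DCs known to be current (optional)
    )

    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",       # any DC offering LDAP
        "_kerberos._tcp.dc._msdcs.$Domain",   # any DC offering a Kerberos KDC
        "_ldap._tcp.pdc._msdcs.$Domain"       # the PDC emulator
    )

    foreach ($name in $records) {
        # The answer also carries the targets' A records; keep only the SRV entries
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            "MISSING       $name"
            continue
        }
        foreach ($r in $srv) {
            $target = $r.NameTarget.TrimEnd('.')
            $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
            $status = if (-not $a) { 'NO A RECORD' }          # stale or broken target
                      elseif ($ExpectedDcs -and $target -notin $ExpectedDcs) { 'UNEXPECTED DC' }
                      else { 'OK' }
            '{0,-13} {1} -> {2}:{3} (priority {4}, weight {5})' -f `
                $status, $name, $target, $r.Port, $r.Priority, $r.Weight
        }
    }
}

Test-DcLocatorRecords -Domain 'example.com' -ExpectedDcs 'dc1.example.com', 'dc2.example.com'
```
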
Active Directory Application Mode - Physical implementation

In general, a network utilizing Active Directory will have more than one licensed Windows server computer. Although backup and restore of Active Directory is possible for a network with a single domain controller, Microsoft recommends more than one domain controller to provide automatic failover protection of the directory. Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role such as a file server.

Active Directory Application Mode - Physical implementation

A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server, and so forth to support the various server roles.

Active Directory Application Mode - Replication

Active Directory replication by default is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.

Active Directory Application Mode - Replication

Replication for Active Directory zones is automatically configured when DNS is activated in the domain, based on site.

Active Directory Application Mode - Replication

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) NCs. SMTP cannot be used for replicating the default Domain partition.

Active Directory Application Mode - Database

The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.

Active Directory Application Mode - Database

Programs may access the features of Active Directory via the COM interfaces provided by Active Directory Service Interfaces.

Active Directory Application Mode - Database

Active Directory Service Interfaces, Microsoft: http://msdn.microsoft.com/en-us/library/aa772170%28VS.85%29.aspx

Directory System Agent - Active Directory

In Microsoft's Active Directory the DSA is a collection of servers and daemon processes that run on Windows 2000 Server systems that provide various means for clients to access the Active Directory data store.

Directory System Agent - Active Directory

Clients connect to an Active Directory DSA using various communications protocols:

* A proprietary RPC interface, used by Active Directory DSAs to communicate with one another and replicate data amongst themselves

Active Directory Explorer

'Active Directory Explorer' is a viewer and editor for Active Directory databases, from Microsoft. It can be used to navigate around and modify AD entries, view schema for objects as well as perform searches. It can also save AD snapshots for offline browsing.

Active Directory Explorer

'ADSI Edit' is included by default on Microsoft Windows Server 2008 (and Microsoft Windows Server 2008 R2) Standard and above. This has many similar features to the SysInternals Active Directory Explorer and is a low-level editor for Active Directory.

Univention Corporate Server - Active Directory-compatible services

With the component Active Directory-compatible Domain Controller based on Samba 4, UCS can be used as an Active Directory domain controller for Windows systems including file, printer and network services.

Univention Corporate Server - Active Directory-compatible services

Active Directory Connection avoids double, demanding, complex and error-prone administration.

Univention Corporate Server - Active Directory-compatible services

If the aim is to replace Microsoft domain controllers completely with UCS, which also includes the parallel switching-off of all Active Directory domain controllers, the UCS component Active Directory Takeover allows the migration of objects from a native Active Directory domain controller to a UCS Samba/AD domain controller.

Organizational Unit - Sun Enterprise Directory Server and Active Directory

In Sun Java System Directory Server and Microsoft Active Directory (AD), an organizational unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in separate Domains may have identical names but are independent of each other.

Active Directory Rights Management Services

'Windows Rights Management Services' (also called 'Rights Management Services', 'Active Directory Rights Management Services' or 'RMS') is a form of Information Rights Management used on Microsoft Windows that uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mail, Word documents, and web pages, and the operations authorized users can perform on them.

Active Directory Rights Management Services

In Windows Server 2008, Windows Rights Management Services has been renamed to 'Active Directory Rights Management Services', reflecting a higher level of integration with Active Directory.

Active Directory Federation Services

'Active Directory Federation Services' (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.

Active Directory Federation Services

A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity.

Active Directory Federation Services

AD FS integrates with Active Directory Domain Services, using it as an identity provider. AD FS can interact with other WS-* and SAML 2.0 compliant federation services as federation partners.
