Module 1: Introduction to Active Directory

Academic year: 2021


Overview

- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows

Introduction to Active Directory

- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol

What Is Active Directory?

Directory Service Functionality:
  - Organize
  - Manage
  - Control resources

Centralized Management:
  - Single point of administration
  - Full user access to directory

Active Directory Objects

- Objects Represent Network Resources
- Attributes Store Information About an Object

Figure: Active Directory objects and their attributes. Users objects (Suzan Fine, Don Hall) have attributes such as First Name, Last Name and Logon Name; Printers objects (Printer1, Printer2, Printer3) have attributes such as Printer Name and Printer Location. Each attribute holds a value.

Active Directory Schema

Figure: object class examples: Printers, Computers, Users. Attribute examples: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName. Attributes of Users might contain accountExpires, department, distinguishedName and middleName.

Active Directory Schema Is:
  - Dynamically available
  - Dynamically updateable
  - Protected by DACLs

DNS and Active Directory Namespaces

Figure: the DNS namespace ("." root domain, com., microsoft.com, sales.microsoft.com, training.microsoft.com, and the computer computer1, reached via the Internet) shown alongside the Active Directory namespace (microsoft, sales, training). Legend: DNS node (domain or computer); Active Directory domain.

Lightweight Directory Access Protocol (LDAP)

- LDAP Provides a Way to Communicate with Active Directory by Specifying Unique Naming Paths for Each Object in the Directory
- LDAP Naming Paths Include:
  - Distinguished names
  - Relative distinguished names
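As an added example (not part of the course module), here is a small Python parser for the naming paths the slide describes. The sample DN is constructed: a user in a Sales OU of the training.microsoft.com domain that appears in the module's namespace diagrams. It extracts the relative distinguished name (the leftmost component), the distinguished name of the parent container, and the DNS domain from the DC= components, and it honours RFC 4514 backslash escapes so that a value containing a comma is not split in two, which a naive split on commas would get wrong.

```python
# Constructed sample DN (not from the course): a user in a Sales OU of the
# training.microsoft.com domain. The value contains an escaped comma on purpose.
SAMPLE_DN = r"CN=Fine\, Suzan,OU=Sales,DC=training,DC=microsoft,DC=com"


def split_dn(dn: str) -> list:
    """Split a distinguished name into its RDN strings, honouring RFC 4514
    backslash escapes so an escaped comma inside a value is not a separator."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape pair together: "\," stays part of the value
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    if any(r == "" for r in rdns):
        raise ValueError(f"empty RDN in DN: {dn!r}")
    return rdns


def parse_rdn(rdn: str) -> tuple:
    """Return (attribute type, value) for one RDN such as 'OU=Sales'."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip(), value


def relative_dn(dn: str) -> str:
    """The RDN names the object within its container: the leftmost component."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the first RDN is the DN of the containing object."""
    return ",".join(split_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC= components in order to recover the DNS domain name, which is
    how Active Directory domain names and DNS names line up."""
    labels = [parse_rdn(r)[1] for r in split_dn(dn) if parse_rdn(r)[0].upper() == "DC"]
    return ".".join(labels)
```

The escape handling is the part worth keeping: directory names built from user-supplied display names routinely contain commas, and a parser that splits on the bare character will attribute the wrong container to the object.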

Active Directory Logical Structure

- Domains
- Organizational Units
- Trees and Forests

Domains

- A Domain Is a Security Boundary
  - A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- A Domain Is a Unit of Replication
  - Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain

Figure: a Windows 2000 domain.

Organizational Units

Figure: an organizational structure (Sales, Vancouver, Repair, with Users and Sales Computers beneath them) mapped onto a network administrative model.

- Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization
- Delegate Administrative Control over the Objects Within an OU by Assigning

Trees and Forests

Figure: the tree contoso.msft with child domains au.contoso.msft and asia.contoso.msft, and the tree nwtraders.msft with child domains au.nwtraders.msft and asia.nwtraders.msft. The two trees form a forest and are joined by two-way transitive trusts.

Global Catalog

Figure: a global catalog server holds the global catalog, a subset of the attributes of all objects from every domain in the forest. It answers queries and supplies group membership when a user logs on.

Introduction to the Role of DNS in Active Directory

- Name Resolution
  - DNS translates computer names to IP addresses
  - Computers use DNS to locate each other on the network
- Naming Convention for Windows 2000 Domains
  - Windows 2000 uses DNS naming standards for domain names
  - DNS domains and Active Directory domains share a common hierarchical naming structure
- Locating the Physical Components of Active Directory
  - DNS identifies domain controllers by the services they provide
  - Computers use DNS to locate domain controllers and global catalog servers

DNS Host Names and Windows 2000 Computer Names

- DNS host record and Active Directory object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory

Figure: the DNS tree ("." root, com., microsoft, sales, training, computer1) beside the Active Directory domain training.microsoft.com with its Builtin and Computers containers (Computer1, Computer2). FQDN = computer1.training.microsoft.com

DNS Requirements for Active Directory

DNS Requirements to Support Active Directory:
  - Support for SRV records (mandatory)
  - Support for the dynamic update protocol (recommended)
  - Support for incremental zone transfers (recommended)
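As an added example (not course material), the following Python code shows why SRV support is mandatory: it is how the "locate domain controllers by the services they provide" bullets on the earlier DNS slide are carried out. The zone lines are constructed; `_ldap._tcp.dc._msdcs.<domain>` is the owner name under which domain controllers register their LDAP service, and the selection rule (lowest priority group only, then a weighted random choice within it) is the one RFC 2782 prescribes. The `rng` parameter and the `seeded_rng` helper exist only so the choice can be reproduced.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set, not captured from any real zone. Two equal-weight
# domain controllers at priority 0 and a weight-0 fallback at priority 10.
SAMPLE_ZONE_LINES = """
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 0 100 389 dc1.training.microsoft.com.
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 0 100 389 dc2.training.microsoft.com.
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 10 0 389 dc-backup.training.microsoft.com.
"""


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style SRV line: name TTL class type priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, _ttl, _cls, _typ, prio, weight, port, target = fields
    return SrvRecord(name.rstrip("."), int(prio), int(weight), int(port), target.rstrip("."))


def parse_zone(text: str) -> list:
    return [parse_srv(line) for line in text.splitlines() if line.strip()]


def seeded_rng(seed: int) -> random.Random:
    """Deterministic RNG so a selection can be reproduced."""
    return random.Random(seed)


def select_target(records: list, rng=random) -> SrvRecord:
    """RFC 2782 selection: only the lowest priority group is eligible, and within
    it targets are picked at random in proportion to weight. A group whose
    weights are all 0 is picked from uniformly."""
    if not records:
        raise LookupError("no SRV records: cannot locate a domain controller")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.uniform(0, total)
    running = 0
    for record in candidates:
        running += record.weight
        if pick <= running:
            return record
    return candidates[-1]


def locate_dc(zone_text: str, domain: str, rng=random) -> tuple:
    """Return (host, port) of a domain controller for `domain` from the SRV answers."""
    wanted = f"_ldap._tcp.dc._msdcs.{domain}".lower()
    records = [r for r in parse_zone(zone_text) if r.name.lower() == wanted]
    chosen = select_target(records, rng)
    return chosen.target, chosen.port
```

The practical point for a defender is in `select_target`: while any priority-0 record answers, the priority-10 fallback is never used, so a stale or unexpected record at the lowest priority silently steers every client. Auditing the `_msdcs` zone for records that do not correspond to a known domain controller is the check this suggests.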

What Is a Tree?

Figure: a tree with the tree root domain contoso.msft as parent and sales.contoso.msft as child. Adding a new domain as a child of the parent keeps a contiguous namespace.

What Is the Forest Root Domain?

- The Forest Root Domain Is the First Domain Created in a Forest

Figure: a forest containing two trees. The forest root domain contoso.msft (also a tree root) has the child domain sales.contoso.msft; the second tree root nwtraders.msft has the child domain marketing.nwtraders.msft. The forest root domain holds the Enterprise Admins and Schema Admins groups, and the forest shares a single global catalog, configuration and schema.

Characteristics of Multiple Domains

- Reduce Replication Traffic
- Maintain Separate and Distinct Security Policies Between Domains
- Preserve the Domain Structure of Earlier Versions of Windows NT

Active Directory Physical Structure

- Domain Controllers
- Sites

Domain Controllers

Figure: a domain with two domain controllers replicating with each other (domain replication). Legend: each domain controller holds a writeable copy of the Active Directory database.

Domain Controllers:
  - Participate in Active Directory replication

Sites

Sites:
  - Optimize replication traffic
  - Enable users to log on to a domain controller by using a reliable, high-speed connection

Figure: the Seattle site and the Los Angeles site, each made up of IP subnets.
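As an added example (not from the module), here is a subnet-to-site lookup in Python of the kind that underlies the second bullet: a client is placed in a site by matching its address against the defined subnets, and only then can it be pointed at a domain controller in that site. The table is constructed; Seattle and Los Angeles are the sites on the slide, while the prefixes and the "Seattle-Lab" site are invented. It uses longest-prefix matching so a narrower subnet carved out of a wider one wins, and it returns None for an address that belongs to no defined subnet, which is the case to watch for, because such a client cannot be steered to a nearby domain controller.

```python
import ipaddress
from typing import Optional

# Constructed subnet-to-site table. Seattle and Los Angeles are the sites on the
# slide; the prefixes and the "Seattle-Lab" site are invented for the example.
SAMPLE_SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.1.200.0/24": "Seattle-Lab",   # narrower subnet carved out of the Seattle block
    "10.2.0.0/16": "Los Angeles",
}


def build_site_table(subnets: dict) -> list:
    """Validate each prefix (strict=True rejects a prefix with host bits set, a
    common typo in subnet definitions) and order by prefix length, longest first."""
    table = [(ipaddress.ip_network(prefix, strict=True), site) for prefix, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip: str, table: list) -> Optional[str]:
    """Longest-prefix match of a client address against the site table.
    None means the address belongs to no defined subnet."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr.version == network.version and addr in network:
            return site
    return None


def unassigned_clients(ips, table: list) -> list:
    """Addresses that map to no site: the ones an administrator should look into."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]
```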

Introduction to Active Directory Replication

Figure: Domain Controllers A, B and C replicating among themselves. Multimaster replication with a loose convergence.

Replication Components and Processes

- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication

How Replication Works

Figure: an Active Directory update (add, modify, move or delete) made on Domain Controller A is the originating update; it reaches Domain Controllers B and C as a replicated update.

Replication Latency

Figure: the originating update on Domain Controller A triggers change notifications to Domain Controllers B and C, which then receive the replicated update.

- Default Replication Latency (Change Notification) = 5 minutes
- When No Changes, Scheduled Replication = One Hour
- Urgent Replication = Immediate Change

Resolving Replication Conflicts

Figure: originating updates made on Domain Controller A and on Domain Controller B conflict; each carries a stamp, and the stamps decide which update wins. Stamp = Version Number, Timestamp, Server GUID.

Conflicts Can Be Due to:
  - Attribute Value
  - Adding/Moving Under a Deleted Container Object, or the Deletion of a Container Object
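As an added example (not part of the course), the Python below works through the attribute-value conflict on this slide with the three stamp fields it names. The slide lists the fields but not the comparison direction; the example assumes that at each level (version number, then timestamp, then server GUID) the higher value wins, so every domain controller reaches the same answer from the stamps alone. The GUIDs, attribute and values are constructed.

```python
from dataclasses import dataclass
from uuid import UUID

# Constructed GUIDs standing in for Domain Controller A and Domain Controller B.
DSA_A = UUID("00000000-0000-4000-8000-00000000000a")
DSA_B = UUID("00000000-0000-4000-8000-00000000000b")


@dataclass(frozen=True)
class Stamp:
    version: int            # incremented by each originating write of the attribute
    timestamp: int          # time of the originating write (constructed: seconds)
    originating_dsa: UUID   # GUID of the domain controller that made the write

    def key(self) -> tuple:
        # Comparison order from the slide: version number, then timestamp, then server GUID.
        return (self.version, self.timestamp, self.originating_dsa.int)


def winning_stamp(a: Stamp, b: Stamp) -> Stamp:
    """Decide an attribute-value conflict. Assumption (the slide gives the fields,
    not the direction): at each level the higher value wins."""
    return a if a.key() > b.key() else b


def apply_replicated_value(local: dict, attr: str, value, stamp: Stamp) -> bool:
    """Apply an incoming (value, stamp) to a local attribute store only if its
    stamp beats the stored one; a repeat delivery of the same stamp is ignored.
    Returns whether the value was applied."""
    current = local.get(attr)
    if current is not None:
        current_stamp = current[1]
        if stamp == current_stamp or winning_stamp(current_stamp, stamp) is current_stamp:
            return False
    local[attr] = (value, stamp)
    return True
```

Because the timestamp is the second tie-breaker, a domain controller whose clock runs ahead wins every same-version conflict it takes part in; keeping domain controller clocks synchronised is therefore part of getting predictable conflict resolution, not just of Kerberos.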

Optimizing Replication

Figure: an originating update on Domain Controller A carries A's GUID and USN. When it is replicated to Domain Controller B, and from B on to Domain Controller C, it still carries the originating GUID and USN, and each domain controller's up-to-dateness vector records the highest USN it has received from each originating domain controller.
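As an added example (not from the module), here is a simplified Python model of what the figure shows: each update keeps the GUID and USN of the domain controller where it originated, each domain controller keeps an up-to-dateness vector of the highest originating USN it holds per source, and a replication partner is sent only what its vector says it lacks. The three domain controllers, their GUIDs and the attribute values are constructed; the model leaves out the per-partner high-watermarks a real domain controller also keeps.

```python
from dataclasses import dataclass, field
from uuid import UUID

# Constructed GUIDs for Domain Controllers A, B and C on the slide.
GUID_A = UUID("00000000-0000-4000-8000-00000000000a")
GUID_B = UUID("00000000-0000-4000-8000-00000000000b")
GUID_C = UUID("00000000-0000-4000-8000-00000000000c")


@dataclass(frozen=True)
class Update:
    originating_dsa: UUID   # GUID of the DC where the change was originally made
    originating_usn: int    # that DC's update sequence number for the change
    attr: str
    value: str


@dataclass
class DomainController:
    name: str
    guid: UUID
    usn: int = 0
    store: dict = field(default_factory=dict)   # attribute -> value
    log: list = field(default_factory=list)     # every update this DC holds
    utd: dict = field(default_factory=dict)     # up-to-dateness vector: GUID -> highest originating USN held

    def originate(self, attr: str, value: str) -> Update:
        """An originating update: stamp it with this DC's GUID and its next USN."""
        self.usn += 1
        upd = Update(self.guid, self.usn, attr, value)
        self._apply(upd)
        return upd

    def receive(self, upd: Update) -> bool:
        """A replicated update keeps the originating GUID/USN. If the vector already
        covers that USN from that source, the change was seen before and is dropped
        (propagation dampening). Returns True if applied."""
        if upd.originating_usn <= self.utd.get(upd.originating_dsa, 0):
            return False
        self._apply(upd)
        return True

    def _apply(self, upd: Update) -> None:
        self.store[upd.attr] = upd.value
        self.log.append(upd)
        self.utd[upd.originating_dsa] = max(self.utd.get(upd.originating_dsa, 0), upd.originating_usn)


def replicate(source: DomainController, dest: DomainController) -> int:
    """Send only what dest's vector says it lacks; return how many updates dest applied.
    The source filters on the vector dest sent it, and dest checks again on receipt."""
    applied = 0
    for upd in source.log:
        if upd.originating_usn > dest.utd.get(upd.originating_dsa, 0):
            applied += dest.receive(upd)
    return applied


def demo() -> dict:
    """The slide's scenario: A originates, A replicates to B, B to C, then A to C again."""
    a = DomainController("A", GUID_A)
    b = DomainController("B", GUID_B)
    c = DomainController("C", GUID_C)
    a.originate("department", "Sales")
    a.originate("telephoneNumber", "555-0100")
    a_to_b = replicate(a, b)   # B receives both updates
    b_to_c = replicate(b, c)   # C receives both via B, still stamped with A's GUID/USN
    a_to_c = replicate(a, c)   # A offers them again; C's vector shows it already has them
    return {"a_to_b": a_to_b, "b_to_c": b_to_c, "a_to_c_dampened": a_to_c, "c_store": dict(c.store)}
```

The last call is the point of the up-to-dateness vector: without it, C would apply A's two updates a second time when A offered them directly, and in a ring of domain controllers the same change would circulate indefinitely.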

Replication Topology

- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of

Directory Partitions

Figure: the Active Directory database on a domain controller in contoso.msft is made up of three directory partitions: Domain (scoped to the domain), Configuration and Schema (both scoped to the forest).

- Domain: holds information about all domain-specific objects created in Active Directory
- Configuration: contains information about Active Directory structure
- Schema: contains definitions and rules for creating and manipulating all objects and attributes

Figure: replication topologies. Among domain controllers from the same domain (A1 to A4) there is a Domain A topology and a Schema/Configuration topology. Among domain controllers from different domains (A1 to A4 and B1 to B3) there is a Domain A topology, a Domain B topology and a Schema/Configuration topology.

Using Active Directory for Centralized Management

Figure: a domain containing OU1 (Computers, Users) and OU2 (Users, Printers) with the objects Computer1, User1, User2 and Printer1; a search spans the whole domain.

Active Directory:
  - Enables a single administrator to centrally manage resources
  - Allows administrators to easily locate information
  - Allows administrators to group objects into OUs
  - Uses Group Policy to specify policy-based settings

Managing the User Environment

Use Group Policy to:
  - Control and lock down what users can do
  - Centrally manage software installation, repairs, updates, and removal
  - Configure user data to follow users whether they are online or offline

Figure: apply Group Policy once; Windows 2000 enforces it continually. The diagram shows a domain containing OU1, OU2 and OU3, with steps 1, 2 and 3.

Delegating Administrative Control

Assign Permissions:
  - For specific OUs to other administrators
  - To modify specific attributes of an object in a single OU
  - To perform the same task in all OUs

Customize Administrative Tools to:
  - Map to delegated administrative tasks
  - Simplify interface design

Figure: a domain whose OU1, OU2 and OU3 are delegated to Admin1, Admin2 and Admin3.

Review

- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows
