Introduction to Active Directory Services

Introduction to Active Directory Services
•   Completely integrated with Microsoft Windows 2000 Server
•   Integrates the Internet concept of namespace with the
    operating system’s directory service
•   Allows a single point of administration for all published resources
Understanding Active Directory Concepts
•   Extensible schema
•   Global catalog
•   Namespace
•   Naming conventions
Extensible Schema
Extending the schema is an advanced operation, intended to be
performed by experienced programmers and system administrators.
Global Catalog
•   The global catalog is the central repository of information about
    objects in a domain tree or forest.
•   The global catalog is a service as well as a physical storage
    location that contains a replica of selected attributes of every
    object in the Active Directory store.
•   By default, the first domain controller is a global catalog server.
•   Additional domain controllers can also be designated as global
    catalog servers by using the Active Directory Sites And Services
Naming Conventions
•   Distinguished names (DNs)
•   Relative distinguished names (RDNs)
•   Globally unique identifiers (GUIDs)
•   User principal names (UPNs)
Distinguished Names (DNs)
•   Objects are located within Active Directory domains according to
    a hierarchical path.
•   Every object in the Active Directory store has a DN, which
    uniquely identifies the object.
•   The DN includes the name of the domain that holds the object
    as well as the complete path through the container hierarchy to
    the object. For example:
    DC=msft/DC=Contoso/CN=Users/CN=John Smith
Relative Distinguished Names (RDNs)
•   The RDN is one of an object’s attributes.
•   The RDN is part of the full DN. For example: CN=John Smith
•   Active Directory services allows duplicate RDNs for objects, but
    no two objects with the same RDN can exist within the same
Globally Unique Identifiers
User Principal Names
•   The UPN is a friendly name that is shorter than the DN and
    easier to remember.
•   The UPN consists of a shorthand name that represents the user
    and usually the DNS name of the domain where the object
•   Example: johns@contoso.msft
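The naming conventions above, worked through in code. This is an added example, not part of the original deck: it converts the slide's root-first slash DN into the leaf-first LDAP string form, extracts the RDN and parent container, derives the domain's DNS name from the DC= components to build the UPN, and checks the rule that duplicate RDNs may exist in different containers but not in the same one. The helper names and the sample DNs other than the slide's own are constructed for this example.

```python
import re
from collections import defaultdict

# The DN from the slide, written in the root-first slash form the deck uses.
SLIDE_DN = "DC=msft/DC=Contoso/CN=Users/CN=John Smith"

def slash_to_ldap(path):
    """Turn the slides' root-first slash form into the leaf-first LDAP string form."""
    return ",".join(reversed(path.split("/")))

def split_dn(dn):
    """Split an LDAP DN into its RDNs; a backslash escapes a comma inside a value."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def rdn(dn):
    """The RDN is the leaf-most component, e.g. CN=John Smith."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """Everything after the RDN: the container that holds the object."""
    return ",".join(split_dn(dn)[1:])

def domain_dns_name(dn):
    """Join the DC= components to recover the DNS name of the domain holding the object."""
    labels = [p.split("=", 1)[1] for p in split_dn(dn) if p.upper().startswith("DC=")]
    return ".".join(labels).lower()

def upn(short_name, dn):
    """UPN = shorthand user name @ DNS name of the domain (the slide's johns@contoso.msft)."""
    return f"{short_name}@{domain_dns_name(dn)}"

def rdn_conflicts(dns):
    """Duplicate RDNs are fine across containers but not inside the same one.
    DN comparison is case-insensitive, as in Active Directory."""
    by_container = defaultdict(list)
    for dn in dns:
        by_container[(parent_dn(dn).lower(), rdn(dn).lower())].append(dn)
    return [group for group in by_container.values() if len(group) > 1]

if __name__ == "__main__":
    ldap_dn = slash_to_ldap(SLIDE_DN)
    print(ldap_dn, "|", rdn(ldap_dn), "|", upn("johns", ldap_dn))
    # Constructed sample: two John Smiths in different containers plus one collision.
    print(rdn_conflicts([ldap_dn,
                         "CN=John Smith,OU=Sales,DC=Contoso,DC=msft",
                         "cn=john smith,cn=users,dc=contoso,dc=msft"]))
```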
Structure of Active Directory Architecture
•   Data model
•   Schema
•   Security model
•   Administration model
Access to Active Directory
•   Protocol Support
•   Application programming interfaces (APIs)
•   Virtual containers
Protocol Support
•   LDAP is the Active Directory core protocol.
•   Active Directory services supports remote procedure call (RPC)
    interfaces, including support for the Messaging Application
    Programming Interface (MAPI).
•   The Active Directory information model is derived from the
    X.500 information model.
Application Programming Interfaces (APIs)
•   Active Directory Service Interfaces (ADSI)
•   Windows MAPI
Virtual Containers
•   Active Directory services supports virtual containers, which allow
    any LDAP-compliant directory to be accessed transparently
    through Active Directory services.
•   The virtual container is implemented via location information in
    the Active Directory store.
Directory Service
•   Interfaces
•   Directory System Agent (DSA)
•   Database layer
•   Extensible Storage Engine (ESE)
•   Data store (Ntds.dit)
Active Directory Key Service
•   LDAP provides the API for LDAP clients and exposes the ADSI so
    that additional applications can be written that can talk to the
    Active Directory services.
•   REPL is used by the replication service to facilitate Active
    Directory replication via RPC over Internet Protocol (IP) or
    Simple Mail Transfer Protocol (SMTP).
•   SAM provides down-level compatibility to facilitate
    communication between Microsoft Windows 2000 and Microsoft
    Windows NT 4.0 domains.
•   MAPI supports legacy MAPI clients.
Directory System Agent
•   Object identification
•   Transaction processing
•   Schema enforcement of updates
•   Access control enforcement
•   Support for replication
•   Referrals
Database Layer
•   Provides an object view of database information by applying
    schema semantics to database records
•   Is an internal interface that is not exposed to the public
•   Follows the parent references in the database and concatenates
    the successive RDNs to form DNs
•   Translates each DN into an integer structure called the DN tag,
    which is used for internal access
•   Is responsible for the creation, retrieval, and deletion of
    individual records, attributes, and values
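The database layer's DN handling described above, as an added example that is not part of the original deck: a constructed toy store keeps one record per object with a parent reference and an integer DN tag, DNs are formed by following parent references and concatenating the successive RDNs, and a DN is translated back to its tag by walking the RDNs from the root down. The record layout and tag values are made up for illustration and are not the real Ntds.dit schema.

```python
# Constructed toy store, not the real Ntds.dit layout: DN tag -> (parent tag, RDN).
# Tag 0 stands for the root; every other record points at its parent.
RECORDS = {
    1: (0, "DC=msft"),
    2: (1, "DC=Contoso"),
    3: (2, "CN=Users"),
    4: (3, "CN=John Smith"),
    5: (2, "OU=Sales"),
    6: (5, "CN=John Smith"),   # same RDN as tag 4, but in a different container
}

def dn_from_tag(tag):
    """Follow parent references upward and concatenate the RDNs into a DN."""
    rdns = []
    while tag != 0:
        parent, rdn = RECORDS[tag]
        rdns.append(rdn)
        tag = parent
    return ",".join(rdns)

def children(tag):
    """RDN (case-folded) -> DN tag for every record whose parent is `tag`."""
    return {rdn.lower(): child for child, (parent, rdn) in RECORDS.items() if parent == tag}

def tag_from_dn(dn):
    """Resolve a DN to its DN tag by walking the RDNs from the root downward.
    Returns None when some RDN does not exist under its container.
    (Plain comma split: escaped commas are not handled in this toy.)"""
    tag = 0
    for rdn in reversed(dn.split(",")):
        tag = children(tag).get(rdn.strip().lower())
        if tag is None:
            return None
    return tag

if __name__ == "__main__":
    for tag in (4, 6):
        print(tag, "->", dn_from_tag(tag), "->", tag_from_dn(dn_from_tag(tag)))
```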
Extensible Storage Engine
•   A new and improved version of the JET database
•   Implements a transacted database system that uses log files to
    ensure that committed transactions are safe
•   Stores all Active Directory objects
•   Comes with a predefined schema that defines all the attributes
    required and allowed for a given object
•   Stores attributes that can have multiple values
Introduction to Namespace
•   The Active Directory namespace is the top-level qualified domain
    name for the company.
•   You must determine whether the internal and external
    namespaces will be the same or separate.
Defining a Namespace
•   Introduction
•   Root domain
•   First-layer domains
•   Second-layer domains
Introduction to OU Planning
•   OUs should reflect the details of the organization’s business
•   Create OUs to delegate administrative control over smaller
    groups of users, groups, and resources.
•   OUs eliminate the need to provide users with administrative
    access at the domain level.
•   OUs inherit security policies from the parent domain and parent
    OU unless inheritance is specifically disabled.
Creating the OU Structure
•   You should begin your OU design by creating an OU structure
    for the first domain in the namespace.
•   When you create an OU, you should determine who will be able
    to view and control certain objects and what level of
    administration each administrator will have over the objects.
OU Design Guidelines
•   Create OUs to delegate administration.
•   Create a logical and meaningful OU structure that allows OU
    administrators to complete their tasks efficiently.
•   Create OUs to apply security policies.
•   Create OUs to manage the visibility of published resources.
•   Create OU structures that are relatively static. OUs also give the
    namespace flexibility to adapt to changing needs of the
•   Avoid allocating too many child objects to any OU.
Structure the OU Hierarchy
•   Administration-based or object-based OUs
•   Geographical-based OUs
•   Business function–based OUs
•   Department-based OUs
•   Project-based OUs
Introduction to Site
•   The physical design of a Windows 2000 network is demarcated
    by site.
•   The Active Directory replication engine allows you to
    differentiate between replication over a LAN and replication over
    a WAN.
•   How you set up your sites affects Windows 2000 with respect to
    workstation logon and directory replication.
•   In Active Directory services, sites are not part of the namespace.
•   Properly planned sites ensure that network links are not
    saturated by replication traffic, that Active Directory services
    stay current, and that client computers access resources that are
    closest to them.
•   When planning how to group subnets into sites, consider the
    connection speed between the subnets.
Optimizing Workstation Logon Traffic
•   When planning sites, consider which domain controllers
    workstations should use.
•   To have a particular workstation log on to a specific set of
    domain controllers, define the sites so that only those domain
    controllers are on the same site as the workstation.
Optimizing Directory
•   When planning sites, consider where the domain controllers will
    be located.
•   Configure sites so that replication occurs at times or intervals
    that will not interfere with network performance.
•   When implementing sites in branch offices, base your planning
    on the size of the branch office.
Introduction to the Active Directory Installation Wizard
Adding or Creating a Domain Controller
•   If you add a domain controller to an existing domain, you create
    a peer domain controller.
•   If you create the first domain controller for a new domain, you
    are creating not only the domain controller but also a new
Adding a Domain Controller to an Existing Domain
Creating a New Child
Creating a New Domain
Adding a Domain Tree to a
The Active Directory Database and the Shared System Volume
Created when Active Directory Services is installed
The Active Directory
•   The database is a file named Ntds.dit, which is the directory for
    the new domain.
•   The default location for the database and the database log files
    is %systemroot%\Ntds, although you can specify a different
•   The database contains all the information stored in the Active
    Directory store.
•   The Ntds.dit file is an ESE database that contains the entire
    schema, the global catalog, and all the objects stored on that
    domain controller.
The Shared System Volume
•   The shared system volume is a folder structure that exists on all
    Windows 2000 domain controllers.
•   The shared system volume stores scripts and some of the group
    policy objects for the current domain as well as the enterprise.
•   Replication of the shared system volume occurs on the same
    schedule as Active Directory replication.
Domain Modes
•   Mixed mode
•   Native mode
Introduction to OUs and their Objects
•   Each Active Directory object is a distinct named set of attributes
    that represents a specific network resource.
•   Before objects are added to Active Directory services, you
    should create the OUs that will contain those objects.
Creating OUs
Adding Objects to OUs
•   Object types: Computer, Contact, Group, Printer, User, Shared Folder
Locating Objects
Modifying Attributes and Deleting Objects
•   You can modify the attributes of an object to change or add
•   You can modify an object’s attribute by opening the properties
    for that object in the Active Directory Users And Computers
•   To maintain security, delete objects when they are no longer
Moving Objects
•   You can move objects from one location in the Active Directory
    store to another location.
•   You should move objects when organization or administrative
    functions change.
Managing Active Directory
•   Use Active Directory permissions to determine who has the
    permissions to gain access to the object and what type of access
    is allowed.
•   The object type determines which permissions you can select.
•   Permissions inheritance minimizes the number of times you need
    to assign permissions for objects.
Delegating Administrative Control of Objects
•   You can delegate administrative control of objects to individuals.
•   Use the Delegation Of Control wizard to delegate control of
•   An administrator can delegate specific types of control.
•   The most common method of delegating control is to assign
    permissions at the OU level.
•   To delegate administrative control, you should try to follow
    specific guidelines.
•   You can access the Delegation Of Control wizard through the
    Active Directory Users And Computers snap-in.
Guidelines for Administering Active Directory Services
•   Coordinate Active Directory structure with other administrators.
•   Complete all attributes when creating objects.
•   Use deny permissions sparingly.
•   Ensure that at least one user has Full Control permission for
    each object.
•   Ensure that delegated users take responsibility and can be held
•   Provide training for users who control objects.