Upon Course Completion

• Describe the function of AD
• Describe the logical structure of AD
• Describe the physical structure of AD
• Describe the function of Sites/Rep.
• Knowledge to plan and implement AD
Session Agenda

1. Active Directory Basics.
2. Active Directory Components.
   (Objects, Attributes, OU's, Delegation)
3. Active Directory concepts.
   (Directory and Directory Service)
4. Logical Structure.
   (Domains, Trees, Forests)
5. Physical Structure.
   (Domain Controllers)
6. Additional DC Lab
Active Directory Basics

• A Directory is a stored collection of information about objects that are related to one another in some way.

• A Directory Service stores all information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources.

[Figure: directory objects such as Services, Users, Workstations and Files]

A service that helps track and locate objects on a
Physical and Logical Components

Active Directory can be viewed as either logical or physical components. The goal is a directory structure that works with your company or

Logical components: used to create the logical structure of your company.

Physical components: used to develop a directory structure that supports the logical structure of your company.
Active Directory Supported Technologies

[Figure: Internet-Standard Technologies supported by Active Directory, including DHCP]


Centralized Management

[Figure: a Domain containing OU1 and OU2 with the objects User1, Computer1, User2 and Printer1, located by Search]

• Active Directory:
   – Enables a single administrator to centrally manage
   – Enables administrators to easily locate information
   – Enables administrators to group objects into organizational units
   – Uses Group Policy to specify policy-based settings
Active Directory Components

• Objects
• Attributes
• Organizational Units
• Delegation of OUs

[Figure: User, Container and Organizational Unit icons]
Active Directory Objects

Active Directory references everything it stores by the word object.

Object Types in Active Directory

Objects are found using

Mandatory and Optional Attributes

Attributes Describe Objects

As your directory increases in size and scope, the attributes that define each object become very important.

• An attribute is a method of identifying a defined object stored in the directory.
• Although the normal way to find a user object in the directory is to search using its name, other user attributes can also be used to locate the desired user.
• A user account's attributes are characteristics that describe the user account.
• It is important to enter as many object attributes as possible when creating a new object in the directory.
Active Directory Users and Computers Improvements

• Multiple editing of objects permitted
• inetOrgPerson support
• Use and save queries
Organizational Unit (Hierarchical Models)

Function-based: S – Supply, T – Transportation, H – Headquarters
Organization-based: F – FSSG, M – MEF, W – MAW
O – Okinawa, Q – Quantico, L – Lejeune
Examples of Hybrid-based: Function and Organization levels combined

[Figure: OU hierarchy diagrams for each model]
Organizational Unit (OU) (cont.)

• An Organizational Unit is NOT a security principal. An OU contains security principals: users, groups, or computers.
• OUs cannot be made members of security groups, and not all rights can be assigned directly to the OU.
Delegating Administrative Control

[Figure: Admin2 and Admin3 delegated control over OU3]

• Grant permissions:
   – For specific organizational units to other administrators
   – To modify specific attributes of an object in a single organizational
   – To perform the same task in all organizational units
• Customize administrative tools to:
   – Map to delegated administrative tasks
   – Simplify interface design
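Delegated permissions accumulate quietly, so they should be reviewed as well as granted. The following PowerShell script is an added example and not part of the course material: it lists the explicit (non-inherited) permissions set on an OU and resolves the GUIDs in object-specific ACEs to attribute and extended-right names. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder OU DN.

```powershell
# Added example (not from the course slides): audit what has been delegated on an OU.
# Assumes the ActiveDirectory module (RSAT); the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ouDn = "OU=Sales,DC=example,DC=com"   # placeholder, replace with your own OU

# Build a GUID -> name map so object-specific ACEs read as attribute names
# (e.g. userAccountControl) or extended rights (e.g. Reset Password) instead of GUIDs
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Explicit ACEs are the ones written on this OU itself (the Delegation of Control
# wizard writes these); inherited ACEs come from parent containers and the domain head
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [pscustomobject]@{
        Principal   = $_.IdentityReference
        Type        = $_.AccessControlType          # Allow / Deny
        Rights      = $_.ActiveDirectoryRights      # e.g. WriteProperty, ExtendedRight
        # ObjectType scopes the ACE to one attribute, class or right; an empty GUID
        # means the ACE applies to the whole object
        AppliesTo   = if ($_.ObjectType -eq [guid]::Empty) { "(all)" } else { $guidMap[$_.ObjectType] }
        Inheritance = $_.InheritanceType            # None / Descendents / All ...
    }
} | Format-Table -AutoSize
```

Any principal other than the expected delegated administrators holding WriteProperty, WriteDacl or an extended right on the OU is worth a second look, since those rights apply to every object created under it.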
Active Directory Logical Concepts

• Active Directory Partitions
• Domains
• Domain Functional Levels
• Trees
• Forests
• Forest Functional Levels
• Raise your Functional Level
Active Directory Partitions

• The Active Directory database is stored in one database file on the hard disk of each domain controller. The directory database is divided into multiple logical partitions, which are also called naming contexts (NCs). The partitions are:
   – Domain Directory Partition.
   – Configuration Directory Partition.
   – Schema Directory Partition.
   – Global Catalogue Partition.
   – Application Directory Partition.
Domain Partition

• The domain directory partition is the partition where most of the action takes place.
• This partition contains all the domain:
   – Users
   – Groups
   – Computers
   – Contacts
• Automatically replicated to all domain controllers in a domain.
Configuration Partition

• The configuration partition contains the information about the configuration of the entire forest:
   – Sites
   – Site Links
   – Replication Connections
• Replicated throughout the entire forest.
Schema Partition

• The schema partition contains the schema for the entire forest.
• Replicated to all domain controllers in the entire forest; however, only one domain controller, the Schema Master, has a writeable copy of the schema.
Global Catalogue Partition

• The Global Catalogue is not a partition in the same sense as the other partitions. It is still stored in the Active Directory database; however, administrators cannot enter information directly. The GC is a read-only partition on all GC servers, and is built from the contents of the Domain databases.
   – Schema items can be replicated to the GC by changing isMemberOfPartialAttributeSet to True.
Application Partition

• Only one type of application directory partition is created by default in Active Directory: DNS.
• Application partitions can store any type of information, with the exception of security principals.
• No objects in the Application directory are replicated to the Global Catalogue.
• Used to store application-specific information.
• The domain controllers to which an application partition is replicated can be controlled.
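The partition list above and the isMemberOfPartialAttributeSet note under the Global Catalogue slide can both be checked against a live DC. This PowerShell script is an added example, not part of the course material: it reads the naming contexts from RootDSE, separates the application partitions from the three well-known ones, and lists the attributes in the partial attribute set (the ones copied to the GC). It assumes the ActiveDirectory RSAT module and a connection to any DC in the forest.

```powershell
# Added example (not from the course slides): enumerate the naming contexts a DC holds
# and list which schema attributes replicate to the Global Catalogue.
# Assumes the ActiveDirectory module; run against any DC in the forest.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# The three well-known partitions are exposed directly by RootDSE
"Domain (default) NC : $($rootDse.defaultNamingContext)"
"Configuration NC    : $($rootDse.configurationNamingContext)"
"Schema NC           : $($rootDse.schemaNamingContext)"

# Anything else in namingContexts is an application partition, for example the
# DNS partitions created by default (DomainDnsZones / ForestDnsZones)
$wellKnown = @($rootDse.defaultNamingContext,
               $rootDse.configurationNamingContext,
               $rootDse.schemaNamingContext)
$rootDse.namingContexts |
    Where-Object { $wellKnown -notcontains $_ } |
    ForEach-Object { "Application NC      : $_" }

# The partial attribute set is what every GC server carries for every domain in the
# forest; adding an attribute to it is a forest-wide replication change, so review
# the current set before flipping isMemberOfPartialAttributeSet on a schema object
$pas = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" `
        -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
"Attributes replicated to the GC: $($pas.Count)"
$pas
```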
What is an Active Directory Domain?

• Logical partitions for security and directory replication.
• Unique names.
• One-to-one correspondence between Active Directory domains and DNS domains.
• Containers for AD objects.
• Each domain stores information only about the objects it contains.
• Up to 10 million objects.
   – One million objects in an Active Directory domain is the supported limit.

[Figure: a Windows NT 4.0 domain with BDCs beside a Windows Server 2003 domain with DCs]
Domain Trees

Several domains that form a seamless contiguous namespace construct a domain tree.

Domain Tree Rules

• Domains in a single tree:
   – share a contiguous namespace.
   – share a single schema.
   – share a global catalog, the central location for all information about all objects in the
• An administrator in a parent domain is not automatically made an administrator of a child domain.
An Active Directory forest is a distributed database with one or more trees.

[Figure: trees joined by a trust relationship]

Domain Functional Levels

Domain Functional Level       | Domain Controllers Supported
------------------------------|-----------------------------
Windows 2000 Mixed (default)  | Windows NT 4.0, 2000, 2003
Windows 2000 Native           | Windows 2000, 2003
Windows Server 2003           | Windows Server 2003

Forest Functional Levels

Forest Functional Level       | Domain Controllers Supported
------------------------------|-----------------------------
Windows 2000 (default)        | Windows NT 4.0, 2000, 2003
Windows Server 2003           | Windows Server 2003

• Improved replication
• Forest-to-forest trusts
• Improved schema functionality
Raise your Functional Level

• Start, Administrative Tools, Active Directory Users and Computers.
• Right click your domain, Raise Functional level to Windows Server
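Because raising a functional level cannot be undone and every DC must run an OS the target level supports (see the tables above), it pays to inventory the DCs first. This PowerShell script is an added example rather than course material: it reports the current domain and forest levels, lists each DC with its operating system, and flags any DC that would block the Windows Server 2003 domain level. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the course slides): readiness check before raising the
# domain functional level. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain $($domain.DNSRoot) functional level: $($domain.DomainMode)"
"Forest $($forest.Name) functional level: $($forest.ForestMode)"

# Inventory the domain controllers and the OS each one runs
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
$dcs | Format-Table -AutoSize

# The Windows Server 2003 domain level supports only Windows Server 2003 (or later)
# DCs, so anything running Windows 2000 or older must be upgraded or demoted first
$notReady = $dcs | Where-Object {
    $_.OperatingSystem -notmatch 'Windows Server 20(0[3-9]|[1-9][0-9])'
}

if ($notReady) {
    "Cannot raise yet; these DCs run an OS the target level does not support:"
    $notReady | Format-Table HostName, OperatingSystem -AutoSize
} else {
    "All DCs eligible. Raising is one-way; when ready run:"
    "  Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode Windows2003Domain"
}
```

Windows NT 4.0 BDCs are not Active Directory domain controller objects and so do not appear in this inventory; in a Windows 2000 mixed domain they must be checked separately before moving off the mixed level.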
Active Directory Physical Concepts

• Domain Controllers

Active Directory Domain Controller

In the Windows 2003 environment, a domain controller is a computer that is running a Windows 2003 server and hosting Active Directory.

[Figure: a domain can have multiple domain controllers]

Domain Controllers

A Windows 2003 domain controller stores and replicates a copy of the domain directory throughout the domain tree.

• Each domain controller can host one domain.
• Domain controllers automatically update changes through the process of multimaster replication with the other domain controllers for their domain.
• Having more than one physical domain controller in a domain provides fault tolerance and localized
• Trust relationships are transitive.
Active Directory Database Files
Before Promotion Begins

• TCP/IP Services
• DNS services: Location
• DNS namespace
• NTFS partition size
• Windows Firewall

Before Promotion Begins (cont.)

• Database and log locations
• Shared System Volume
• Permission choices
• Directory Services Restore Mode password
• NetBIOS Domain Name
Database and Log Folders

• To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files. It is recommended that you store these on an NTFS partition.
Shared System Volume

• The Sysvol folder must be stored on an NTFS volume since it contains files that are replicated between domain controllers in a domain or forest.
Directory Services Restore Mode Password

• You must know this password to restore a backup copy of the System State for this domain controller.
• You use this password when the domain controller starts in Directory Services Restore Mode.
NetBIOS Domain Name

• Although Active Directory domains are named according to DNS naming standards, you still need to define a NetBIOS name when you create Active Directory domains.
• NetBIOS names should match the first label of the DNS domain name whenever possible.
• The FQDN is constructed using the DNS domain name, not the NetBIOS name.
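The pre-promotion checklist from the last few slides (NTFS volume with 250 MB for the database and 50 MB for the logs, Sysvol on NTFS, DNS able to locate the domain, a NetBIOS name taken from the first DNS label, and a DSRM password you will still know at restore time) can be scripted before running the wizard on an additional DC. This PowerShell script is an added example, not course material; it assumes an existing domain and target drive letter, both placeholders.

```powershell
# Added example (not from the course slides): checks for an additional DC before
# promotion. The domain name and drive letter are placeholders.
$domainFqdn = "corp.example.com"   # placeholder: existing domain the DC will join
$dbDrive    = "C"                  # placeholder: volume for NTDS database, logs, Sysvol
$ok = $true

# 1. Volume must be NTFS and have room for the 250 MB database plus 50 MB of logs
$vol = Get-Volume -DriveLetter $dbDrive
if ($vol.FileSystem -ne "NTFS") {
    "FAIL: ${dbDrive}: is $($vol.FileSystem); NTFS is required for the database and Sysvol"
    $ok = $false
}
$needMB = 250 + 50
$freeMB = [math]::Floor($vol.SizeRemaining / 1MB)
if ($freeMB -lt $needMB) { "FAIL: $freeMB MB free on ${dbDrive}:, need at least $needMB MB"; $ok = $false }

# 2. DNS must resolve the SRV record that the DC locator uses to find existing DCs
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainFqdn" -Type SRV -ErrorAction Stop
    "DNS locates $($srv.Count) DC record(s) for $domainFqdn"
} catch {
    "FAIL: no DC SRV records found for $domainFqdn ($($_.Exception.Message))"
    $ok = $false
}

# 3. NetBIOS name: first DNS label, upper-cased, at most 15 characters
$netbios = ($domainFqdn.Split('.')[0]).ToUpper()
if ($netbios.Length -gt 15) {
    "WARN: first label is longer than 15 characters; the NetBIOS name will be truncated"
    $netbios = $netbios.Substring(0, 15)
}
"NetBIOS domain name: $netbios (FQDN remains $domainFqdn)"

# 4. The DSRM password is needed for System State restores; prompt for it rather than
#    hard-coding it, and reject an obviously short one
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
if ($dsrm.Length -lt 8) { "WARN: DSRM password is shorter than 8 characters" }

if ($ok) { "Pre-promotion checks passed" } else { "Fix the FAIL items before promoting" }
```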
Additional Domain Controller

• Create additional domain controllers
   – you want to improve the availability and reliability of network services.
      • provide fault tolerance.
      • load balancing.
      • add additional infrastructure support.
      • improve performance.

