Session 18
Windows 7 Professional
DNS, Groups, and Active Directory (Part 3)
Fall 2011 Nassau Community College ITE153 – Operating Systems

Session 17
Windows 7 Professional
Operating in Microsoft Networks

Overview
• Introduction to Active Directory
• Structure - Objects
• Levels – Forest, Trees, Domains
• Organizational Units
• Physical Topology
• Replication
• Global Catalog
• Trust

Active Directory
• A directory service created by Microsoft
• For Windows domain networks
• Included in most Windows Server operating systems
• Server computers running Active Directory are called domain controllers

Active Directory
• Serves as a central location for network administration and security
• Responsible for authenticating and authorizing all users and computers within a domain
• Assigns and enforces security policies for all computers in a network and installs or updates software on network computers

Active Directory
• Uses Lightweight Directory Access Protocol (LDAP), Kerberos, and DNS
• First release: Windows 2000 Server edition
• Revised to extend functionality and improve administration in Windows Server 2003
• In Windows Server 2008 the domain controller role was renamed Active Directory Domain Services

Active Directory Structure
• An Active Directory structure is a hierarchical arrangement of information about objects
• An object is any entity that can be manipulated by the commands of a programming language, such as a value, variable, function, or data structure
• An object has attributes (object elements) and behaviors (methods or subroutines) encapsulating an entity

Active Directory Structure
• AD objects fall into two broad categories:
  • Resources (e.g., printers)
  • Security principals (user or computer accounts and groups)
• Security principals are assigned unique security identifiers (SIDs)
• A SID is a unique name (an alphanumeric character string) which is assigned by a Windows domain controller during the log on process and is used to identify a subject

Active Directory Structure
• The object represents a single entity (a user, a computer, a printer, or a group) and its attributes
• Certain objects can contain other objects
• An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in the AD
• A Site object in an AD represents a geographic location that hosts networks

Active Directory Structure - Levels
• The logical divisions in an Active Directory are:
  • Forest
  • Tree
  • Domain
• The forest represents the security boundary within which users, computers, groups, and other objects are accessible

Active Directory Structure - Levels
• Objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace
• A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy
• At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration

Active Directory Structure - OUs
• The objects held within a domain can be grouped into Organizational Units (OUs)
• OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms
• Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration
• The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs)

Active Directory Structure - Physical
• Sites in Active Directory represent the physical structure, or topology, of your network
• AD uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology
• A site is a set of well-connected subnets
• Sites and subnets are represented in AD by site and subnet objects, which you create through Active Directory Sites and Services. Each site object is associated with one or more subnet objects

Active Directory Structure - Physical
• In AD, sites map the physical structure of your network, while domains map the logical or administrative structure of your organization
• You can deploy domain controllers for multiple domains within the same site
• You can also deploy domain controllers for the same domain in multiple sites

Active Directory Structure - Physical
• Physically, the Active Directory information is held on one or more peer domain controllers (DCs)
• Each DC has a copy of the Active Directory
• Servers joined to Active Directory that are not domain controllers are called Member Servers

Active Directory Structure - Physical
• AD synchronizes changes using multi-master replication
• Multi-master replication is a method of database replication which allows data to be stored by a group of computers and updated by any member of the group

Active Directory Structure - Physical
• The Active Directory database is organized in partitions or naming contexts, each holding specific object types and following a specific replication pattern:
  • The schema partition defines the objects (such as users) and attributes (such as telephone numbers) that can be created in the AD, and the rules for creating and manipulating them
  • The configuration partition contains information on the physical structure and configuration of the forest (such as the site topology)
  • The domain partition holds all objects created in that domain and replicates only to domain controllers within its domain

Active Directory Structure - Physical
• Global catalog (GC) servers provide a global listing of all objects in the forest
• Global catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest
• By default, AD DS searches are directed to global catalog servers
• The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other DCs to be global catalog servers

Active Directory Structure - Physical
• A domain controller designated as a global catalog server stores the objects from all domains in the forest
• A global catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest
• The global catalog is built and updated automatically by the AD DS replication system
• It makes it possible for clients to search AD DS without having to be referred from server to server until a domain controller that has the domain directory partition storing the requested object is found

Active Directory - Replication
• Active Directory replication is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected
• The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic
• Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle

Active Directory - Trust
• To allow users in one domain to access resources in another, Active Directory uses trusts
• Trusts inside a forest are automatically created when domains are created
• The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest
• Based on Kerberos Version 5

Active Directory - Trust
• One-way trust - one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain
• Two-way trust - two domains allow access to users on both domains
• Trusting domain - the domain that allows access to users from a trusted domain
• Trusted domain - the domain that is trusted; whose users have access to the trusting domain
• Transitive trust - a trust that can extend beyond two domains to other trusted domains in the

Active Directory - Trust
• Intransitive trust - a one-way trust that does not extend beyond two domains
• Explicit trust - a trust that an admin creates. Not transitive; is one way only
• Cross-link trust - an explicit trust between domains in different trees
• Shortcut - joins two domains in different trees; transitive, one- or two-way
• Forest - applies to the entire forest; transitive, one- or two-way
• Realm - can be transitive or nontransitive; one- or two-way
• External - connects to other forests or non-AD domains; nontransitive, one- or two-way

Review

Lab A: Operating in a Domain

Important URLs
• Active Directory - a very good overview from Wikipedia
• What is an object? - a very good tutorial on objects and classes
• AD Server Roles - good description of different server roles
• Sites - good explanation of site and subnet objects in AD
• Replication Scenarios - nice overview of replication techniques, not just for ADs, but directories in general
• What is a Global Catalog - an updated overview that explains GCs in the context of Active Directory Domain Services (AD DS)
• How Domain and Forest Trusts Work - good nuts and bolts description of how this works
• Active Directory Collection - from Microsoft's Technologies Collection, provides in-depth tech reference about the Windows Server 2003 AD
• Windows Server 2008 R2 Active Directory - good overview, free download, and a virtual lab

Homework
Review the Slides
Review Lesson 17 in the Text
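The trust definitions on the Trust slides above (trusting vs. trusted domain, one-way vs. two-way, transitive vs. intransitive) can be checked mechanically. The following is an added example, not part of the ITE153 slides: a small Python model in which automatic forest trusts are two-way and transitive, an external trust is one-way and nontransitive, and a user may cross more than one domain only when every trust on the chain is transitive. The domain names are constructed and forest-trust special cases are ignored.

```python
from collections import deque

# Added example, not part of the ITE153 slides: a toy model of the trust
# rules on the Trust slides.  An edge points from the trusting domain to the
# trusted domain; users of the trusted domain may reach the trusting domain.
# Domain names are constructed.  Forest-trust special cases are ignored.

class TrustGraph:
    def __init__(self):
        self.trusts = {}  # trusting -> {trusted: is_transitive}

    def add_trust(self, trusting, trusted, two_way=False, transitive=True):
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.trusts.setdefault(trusted, {})[trusting] = transitive

    def add_forest(self, parent_child_pairs):
        # Trusts inside a forest are created automatically when a child
        # domain is added: two-way and transitive between parent and child.
        for parent, child in parent_child_pairs:
            self.add_trust(parent, child, two_way=True, transitive=True)

    def can_access(self, user_domain, resource_domain):
        """True if a user of user_domain may reach resources in resource_domain."""
        direct = self.trusts.get(resource_domain, {})
        if user_domain == resource_domain or user_domain in direct:
            return True  # own domain, or a direct trust of any kind
        # Longer chains work only when every hop is transitive, so walk
        # outward from the trusting side over transitive edges alone.
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            for trusted, transitive in self.trusts.get(queue.popleft(), {}).items():
                if not transitive or trusted in seen:
                    continue
                if trusted == user_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
        return False

def build_demo():
    g = TrustGraph()
    g.add_forest([("corp.example", "sales.corp.example"),
                  ("corp.example", "eng.corp.example")])
    # External trust: corp.example trusts a non-AD partner domain, one-way and
    # nontransitive, so partner users reach corp.example but not its children.
    g.add_trust("corp.example", "partner.example", transitive=False)
    return g
```

Running `build_demo().can_access("partner.example", "sales.corp.example")` returns False because the external trust stops at corp.example, while a sales user reaches eng.corp.example through the transitive parent-child trusts.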