Active Directory - Nassau Community College

advertisement
Session 18
Windows 7 Professional
DNS, Groups, and Active
Directory(Part 3)
Fall 2011
Nassau Community College
ITE153 – Operating Systems
1
Session 17
Windows 7 Professional
Operating in Microsoft Networks
Fall 2011
Nassau Community College
ITE153 – Operating Systems
2
Overview
•
•
•
•
•
•
•
•
Introduction to Active Directory
Structure - Objects
Levels – Forest, Trees, Domains
Organizational Units
Physical Topology
Replication
Global Catalog
Trust
Fall 2011
Nassau Community College
ITE153 – Operating Systems
3
Active Directory
• a directory service created by Microsoft
• for Windows domain networks
• included in most Windows Server operating
systems
• Server computers running Active Directory
are called domain controllers
Fall 2011
Nassau Community College
ITE153 – Operating Systems
4
Active Directory
• serves as a central location for network
administration and security
• responsible for authenticating and
authorizing all users and computers within a
domain
• assigning and enforcing security policies
for all computers in a network and installing or
updating software on network computers
Fall 2011
Nassau Community College
ITE153 – Operating Systems
5
Active Directory
• Uses Lightweight Directory Access
Protocol (LDAP), Kerberos, and DNS
• First release: Windows 2000 Server edition
• Revised to extend functionality and improve
administration in Windows Server 2003
• Windows Server 2008 the domain controller
role was renamed Active Directory Domain
Services
Fall 2011
Nassau Community College
ITE153 – Operating Systems
6
Active Directory Structure
• An Active Directory structure is a hierarchical
arrangement of information about objects
• An object is any entity that can be
manipulated by the commands of
a programming language, such as a value,
variable, function, or data structure
• An object has attributes (object elements)
and behaviors (methods or subroutines)
encapsulating an entity
Fall 2011
Nassau Community College
ITE153 – Operating Systems
7
Active Directory Structure
• An Active Directory structure is a hierarchical
arrangement of information about objects
• An object is any entity that can be manipulated by
the commands of a programming language, such
as a value, variable, function, or data structure
• An object has attributes (object
elements) and behaviors
(methods or subroutines)
encapsulating an entity
Fall 2011
Nassau Community College
ITE153 – Operating Systems
8
Active Directory Structure
• AD objects fall into two broad categories:
• resources (e.g., printers)
• security principals (user or computer
accounts and groups).
• Security principals are assigned unique
security identifiers (SIDs)
• A SID is a unique name (an alphanumeric
character string) which is assigned by a
Windows Domain controller during the log on
process that is used to identify a subject
Fall 2011
Nassau Community College
ITE153 – Operating Systems
9
Active Directory Structure
• The object represents a single entity—whether
a user, a computer, a printer, or a group—and
its attributes.
• Certain objects can contain other objects.
• An object is uniquely identified by its name
and has a set of attributes—the characteristics
and information that the object represents—
defined by a schema, which also determines
the kinds of objects that can be stored in the AD
• A Site object in an AD represents a geographic
location that hosts networks
Fall 2011
Nassau Community College
ITE153 – Operating Systems
10
Active Directory Structure - Levels
• The logical divisions in an Active Directory
are:
• Forest
• Tree
• Domain
• The forest represents the security boundary
within which users, computers, groups, and
other objects are accessible
Fall 2011
Nassau Community College
ITE153 – Operating Systems
11
Active Directory Structure - Levels
• Objects are grouped into domains. The objects for a
single domain are stored in a single database (which
can be replicated). Domains are identified by
their DNS name structure, the namespace
• A tree is a collection of one or more
domains and domain trees in a
contiguous namespace, linked in a
transitive trust hierarchy
• At the top of the structure is
the forest. A forest is a collection of
trees that share a common global
catalog, directory schema, logical
structure, and directory configuration
Fall 2011
Nassau Community College
ITE153 – Operating Systems
12
Active Directory Structure - OUs
• The objects held within a domain can be grouped
into Organizational Units (OUs)
• OUs can provide hierarchy to a domain, ease its
administration, and can resemble the organization's
structure in managerial or geographical terms.
• Microsoft recommends using OUs rather
than domains for structure and to simplify
the implementation of policies and
administration.
• The OU is the recommended level at which
to apply group policies, which are Active
Directory objects formally named Group
Policy Objects (GPOs
Fall 2011
Nassau Community College
ITE153 – Operating Systems
13
Active Directory Structure - Physical
• Sites in Active Directory represent the
physical structure, or topology, of your
network
• AD uses topology information, stored as
site and site link objects in the directory, to
build the most efficient replication
topology.
• A site is a set of well-connected subnets
• Sites and subnets are represented in AD by site and
subnet objects, which you create through Active
Directory Sites and Services. Each site object is
associated with one or more subnet objects
Fall 2011
Nassau Community College
ITE153 – Operating Systems
14
Active Directory Structure - Physical
• In AD, sites map the physical
structure of your network, while
domains map the logical or
administrative structure of
your organization
• You can deploy domain
controllers for multiple domains
within the same site
• You can also deploy domain
controllers for the same domain
in multiple sites
Fall 2011
Nassau Community College
ITE153 – Operating Systems
15
Active Directory Structure - Physical
• Physically the Active Directory information is held on
one or more peer domain controllers (DCs)
• Each DC has a copy of the Active Directory
• Servers joined to Active Directory that are not domain
controllers are called Member Servers
Fall 2011
Nassau Community College
ITE153 – Operating Systems
16
Active Directory Structure - Physical
• AD synchronizes changes using multi-master replication
• Multi-master replication is a method of
database replication which allows data to be stored by a
group of computers, and updated by any member of the
group.
Fall 2011
Nassau Community College
ITE153 – Operating Systems
17
Active Directory Structure - Physical
• The Active Directory database is organized in partitions or
naming contexts, each holding specific object types and
following a specific replication pattern:
• schema partition defines the objects (such as users)
and attributes (such as telephone numbers) that can be
created in the AD, and the rules for creating and
manipulating them.
• configuration partition contains information on the
physical structure and configuration of the forest (such
as the site topology)
• domain partition holds all objects created in that
domain and replicates only to Domain Controllers within
its domain
Fall 2011
Nassau Community College
ITE153 – Operating Systems
18
Active Directory Structure - Physical
• Global catalog (GC) servers
provide a global listing of all
objects in the Forest
• Global Catalog servers replicate
to themselves all objects from
all domains and hence, provide
a global listing of objects in
the forest
• By default, AD DS searches are directed to global
catalog servers
• The first domain controller in a forest is automatically
created as a global catalog server. Thereafter, you can
designate other DCs be global catalog servers
Fall 2011
Nassau Community College
ITE153 – Operating Systems
19
Active Directory Structure - Physical
• A domain controller designated as a global catalog
server stores the objects from all domains in the forest.
• A global catalog server stores its own full, writable
domain replica (all objects and all attributes) plus a
partial, read-only replica of every other domain in the
forest
• The global catalog is built and updated automatically by
the AD DS replication system.
• Makes it possible for clients to search AD DS without
having to be referred from server to server until a domain
controller that has the domain directory partition storing the
requested object is found
Fall 2011
Nassau Community College
ITE153 – Operating Systems
20
Active Directory - Replication
• Active Directory replication is 'pull' rather than 'push', meaning that
replicas pull changes from the server where the change was effected
• The Knowledge Consistency Checker (KCC) creates a replication
topology of site links using the defined sites to manage traffic.
• Intrasite replication is frequent and automatic as a result of change
notification, which triggers peers to begin a pull replication cycle
Fall 2011
Nassau Community College
ITE153 – Operating Systems
21
Active Directory - Trust
• To allow users in one domain to access
resources in another, Active Directory uses
trusts
• Trusts inside a forest are automatically
created when domains are created.
• The forest sets the default boundaries of
trust, and implicit, transitive trust is
automatic for all domains within a forest
• Based on Kerberos Version 5
Fall 2011
Nassau Community College
ITE153 – Operating Systems
22
Active Directory - Trust
• One-way trust - one domain allows
access to users on another domain,
but the other domain does not allow
access to users on the first domain.
• Two-way trust - two domains allow
access to users on both domains.
• Trusting domain - the domain that
allows access to users from a trusted
domain.
• Trusted domain - the domain that is
trusted; whose users have access to
the trusting domain.
• Transitive trust - a trust that can
extend beyond two domains to other
trusted domains in the
Fall 2011
Nassau Community College
ITE153 – Operating Systems
23
Active Directory - Trust
• Intransitive trust - a one way trust that
does not extend beyond two domains.
• Explicit trust - a trust that an admin
creates. Not transitive; is one way only
• Cross-link trust - an explicit trust
between domains in different trees
• Shortcut - joins two domains in
different trees, transitive, 1or 2-way
• Forest - applies to the entire forest.
Transitive, 1or 2-way
• Realm - Can be transitive or
nontransitive, 1or 2-way
• External - connect to other forests or
non-AD domains. Nontransitive, 1or 2way
Fall 2011
Nassau Community College
ITE153 – Operating Systems
24
Review
Fall 2011
Nassau Community College
ITE153 – Operating Systems
25
Lab A: Operating in a Domain
Fall 2011
Nassau Community College
ITE153 – Operating Systems
26
Important URLS
• Active Directory - a very good overview from Wikipedia
• What is an object? - a very good tutorial on object and classes
• AD Server Roles - good description of different server roles
• Sites - good explanation of site and subnet objects in AD
• Replication SCenarios - nice overview of replication techniques, not just
for ADs, but directories in general
• What is a Global Catalog - an update overview of that explains GCS in
the context of Active Directory Domain Services (AD DS)
• How Domain and Forest Trusts Works - good nut & bolts description of
how this works
• Active Directory Collection - from Microsoft's Technologies Collection,
provides in-depth tech reference about the Windows Server 2003 AD
• Windows Server 2008 R2 Active Directory - good overview, free
download, and a virtual lab
Fall 2011
Nassau Community College
ITE153 – Operating Systems
27
Homework
 Review the Slides
 Review Lesson 17 In The Text
Fall 2011
Nassau Community College
ITE153 – Operating Systems
28
Download
Related flashcards

ITunes

16 cards

Windows components

22 cards

Windows components

41 cards

Create Flashcards