A Course on Overview Of Active Directory
Prepared for: *Stars*
New Horizons Certified Professional Course
Company Confidential
ACTIVE DIRECTORY FUNCTIONS
• Directory Services
– Used to define, manage, access, and secure network resources.
– Resources include: files, printers, groups, people, and applications.
• Active Directory
– Stored as NTDS.dit on a domain controller.
– Used by domain controllers to authenticate users.
– Domain controllers store, maintain, and replicate the directory.
ACTIVE DIRECTORY BENEFITS
• Centralized administration
• Single point of access
• Fault tolerance and redundancy
• Multiple domain controllers are used
• Multi-master replication
• Simplified resource location
CENTRALIZED ADMINISTRATION
• Hierarchical organization for ease of administration.
• Common Microsoft Management Console (MMC) tool set
– Active Directory Users And Computers (DSA.MSC)
– Active Directory Domains And Trusts (DOMAIN.MSC)
– Active Directory Sites And Services (DSSITE.MSC)
SINGLE POINT OF AUTHENTICATION
(Diagram) Before directory services: Server1, Server2, Server3. After directory services: Active Directory, single sign-on.
MULTI-MASTER REPLICATION
SIMPLIFIED RESOURCE LOCATION
• Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.
• Search Active Directory to find:
– Shared folders
– Printers
– People (user accounts)
ACTIVE DIRECTORY SCHEMA
• Object classes
– User accounts
– Computer accounts
– Printers
– Groups
• Object attributes
– Name
– Globally unique identifier (GUID)
– Location (for printer)
– E-mail address (for users)
ACTIVE DIRECTORY COMPONENTS
(Diagram) Two IP sites; forest root domain cohowinery.com; child domain north.cohowinery.com.
ORGANIZATIONAL UNITS
• Container objects
• Look like a folder with a book icon in Active Directory Users And Computers
• Security is applied to OUs
– Inherited by child OUs
– Used to control access to that OU or hide subordinate OUs
– Allows for the delegation of administrative rights
DOMAINS
• Logical grouping of resources.
• Form security and replication boundaries.
– Individual access control lists (ACLs) for each domain.
– Group Policies are typically assigned and inherited within a domain only, not from the forest.
– Domain replication is independent of global catalog and schema replication.
• Multiple domains may be used by a single organization.
DOMAINS, TREES, AND A FOREST
(Diagram) contoso.com is the forest root and tree root (parent), with child domains west.contoso.com and east.contoso.com; tailspintoys.com is the root of a second domain tree; each domain contains OUs.
SITES
• Used to reflect the physical network structure
• Usually local area network (LAN) versus wide area network (WAN)
• Optimize replication
• Knowledge Consistency Checker (KCC) creates and maintains this structure
NAMING STANDARDS
• Lightweight Directory Access Protocol (LDAP)
– Standard naming structure and hierarchy
– Established by the Internet Engineering Task Force (IETF)
• Domain Name System (DNS)
• Uniform Resource Locator (URL)
LDAP NAMES
• Cn=jsmith,ou=sales,dc=cohowinery,dc=com
• jsmith@cohowinery.com
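The two names on this slide describe the same user. The following added example (not part of the course) parses the distinguished name, derives the DNS domain name from its dc= components, and builds the UPN form; it assumes jsmith's logon name equals the cn shown, and the escaped-comma DN is a constructed input.

```python
"""Added example, not from the course: parse the LDAP distinguished name on the slide
and relate it to the DNS domain name and the user principal name (UPN) form."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("cn", "jsmith")


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into its relative distinguished names, most specific first.
    A backslash escapes the next character, so a comma inside a value
    (cn=Smith\\, John) does not start a new RDN."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escaped pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))  # types are case-insensitive
    return rdns


def dns_domain(dn: str) -> str:
    """The dc= components, read in order, spell the DNS name of the domain."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "dc")


def parent_container(dn: str) -> str:
    """DN of the OU (or domain) holding the object; permissions set there are inherited."""
    return ",".join(f"{attr}={value}" for attr, value in split_dn(dn)[1:])


def upn(dn: str, logon_name: str) -> str:
    """The UPN form on the slide. The logon name is passed in because it is a user
    attribute rather than part of the DN (assumption: jsmith's logon name is its cn)."""
    return f"{logon_name}@{dns_domain(dn)}"
```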
PLANNING FOR ACTIVE DIRECTORY
• Logical and physical structure.
• DNS and Active Directory integration and naming.
• Functional levels of domains and forests.
• Trust relationships and models.
STRUCTURING ACTIVE DIRECTORY
• Security and administrative goals are important when defining the logical structure.
– Group Policy application and inheritance
– Delegating administrative control
– Permission inheritance
• Logical structure often reflects the business or administrative model.
• Sites are used to reflect the physical structure of the network.
ROLE OF DNS
• Resolves friendly names to Internet Protocol (IP) addresses.
• Required by Active Directory.
• Domain members use service locator (SRV) records to find domain controllers.
• Dynamic DNS (DDNS) is supported and recommended.
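To make the SRV-record point concrete, this added example (not from the course) lists the standard _msdcs record names a member queries for a domain, parses zone-file style SRV answers, and picks a domain controller by priority and weight; the answer lines and the site name are constructed.

```python
"""Added example, not from the course: SRV names a domain member queries to find a
domain controller, plus a parser and selector for the answers (sample answers are
constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred
    weight: int    # among equal priorities, higher is preferred
    port: int
    target: str    # domain controller host name


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names for LDAP and Kerberos lookups; the site-specific form comes first
    so a client that knows its site is steered to a nearby domain controller."""
    names = []
    for service in ("_ldap", "_kerberos"):
        if site:
            names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names


def parse_srv(zone_lines: str) -> List[SrvRecord]:
    """Parse zone-file style answers: '<name> <ttl> IN SRV <prio> <weight> <port> <target>'."""
    records = []
    for line in zone_lines.splitlines():
        f = line.split()
        if len(f) >= 8 and f[2:4] == ["IN", "SRV"]:
            records.append(SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return records


def choose_dc(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins; ties go to the highest weight (a deterministic stand-in
    for the weighted random pick a real client makes)."""
    return min(records, key=lambda r: (r.priority, -r.weight, r.target), default=None)


# Constructed answer set for _ldap._tcp.dc._msdcs.cohowinery.com
SAMPLE_ANSWER = """\
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 100 389 dc1.cohowinery.com.
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 0 50 389 dc2.cohowinery.com.
_ldap._tcp.dc._msdcs.cohowinery.com. 600 IN SRV 10 100 389 dc3.cohowinery.com.
"""
```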
FUNCTIONAL LEVELS
• Designed to support downlevel compatibility.
• Increasing the functional level allows for use of new features.
• Two types of functional level:
– Domain functional level
– Forest functional level
DOMAIN FUNCTIONAL LEVELS
• Windows 2000 mixed
• Windows 2000 native
• Windows Server 2003 interim
• Windows Server 2003
WINDOWS 2000 MIXED FUNCTIONAL LEVEL
• Domain controllers can run on the following operating systems:
– Windows NT Server 4.0
– Windows 2000 Server
– Windows Server 2003
• Features at this functional level include:
– Install from media
– Application directory partitions
– Enhanced user interface (UI)
WINDOWS 2000 NATIVE FUNCTIONAL LEVEL
• Domain controllers can run on the following operating systems:
– Windows 2000 Server
– Windows Server 2003
• Features at this functional level include:
– Group nesting
– Universal groups
– Security Identifier History (sIDHistory)
WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL
• Designed for organizations that have not upgraded to Windows 2000 Active Directory.
• Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
• Windows 2000 Server domain controllers are NOT allowed.
• No extra features over any other functional level.
WINDOWS SERVER 2003 FUNCTIONAL LEVEL
• Only Windows Server 2003 domain controllers.
• Features at this functional level include:
– Replicated last logon timestamp
– Key Distribution Center (KDC) version numbers
– User password on inetOrgPerson objects
– Domain renaming
RAISING THE DOMAIN FUNCTIONAL LEVEL
• Must be logged on as a member of the Domain Admins group.
• Performed using the Primary Domain Controller (PDC) emulator.
• All domain controllers must support the new level.
• Irreversible.
FOREST FUNCTIONAL LEVELS
• Windows 2000
• Windows Server 2003 interim
• Windows Server 2003
WINDOWS 2000 FOREST FUNCTIONAL LEVEL
• All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.
• Features supported at this functional level include:
– Install from media
– Universal group caching
– Application directory partitions
WINDOWS SERVER 2003 INTERIM FOREST FUNCTIONAL LEVEL
• Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
• Windows 2000 Server domain controllers are NOT allowed.
• Features at this level include:
– Improved inter-site topology generator (ISTG)
– Improved linked value replication
WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL
• Only Windows Server 2003 domain controllers are supported.
• Features at this level include:
– Dynamic auxiliary class objects
– User objects can be converted to inetOrgPerson objects
– Schema redefinitions permitted
– Domain renames permitted
– Cross-forest trusts permitted
RAISING THE FOREST FUNCTIONAL LEVEL
• Must be logged on as a member of the Enterprise Admins group.
• Must be connected to the Schema Operations Master.
• All domain controllers must support the new functional level.
• Irreversible.
ACTIVE DIRECTORY TRUST MODELS
• Transitivity: if A trusts B and B trusts C, then A trusts C.
(Diagram) Forest root domain with child domains A, B, C, and D.
SHORTCUT TRUST
(Diagram) Forest root domain with child domains A, B, C, and D, and a shortcut trust between two of the child domains.
WINDOWS NT SERVER 4.0 TRUST MODEL
(Diagram) Domains A, B, C, and D with individual trusts between them.
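The three preceding slides (transitive forest trusts, a shortcut trust, and the Windows NT Server 4.0 model of explicit one-way, non-transitive trusts) can be checked with a small trust-path search. The following is an added example, not course material; the forest layout (A and B under the root, C under A, D under B) and all domain names are assumptions.

```python
"""Added example, not from the course: trust-path resolution over a small model of
the trust relationships on the preceding slides (domain names are constructed)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

# (trusting_domain, trusted_domain, transitive): "X trusts Y" means accounts from Y
# can be authenticated for resources in X. Non-transitive is the Windows NT 4.0 model.
Trust = Tuple[str, str, bool]


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    """The two-way trust Active Directory creates between a parent and child domain."""
    return [(a, b, transitive), (b, a, transitive)]


def trust_path(trusts: List[Trust], resource_domain: str, account_domain: str) -> Optional[List[str]]:
    """Shortest chain of trusts the resource domain can follow to the account
    domain, or None. Transitive trusts chain; a non-transitive trust is only
    usable on its own, directly between the two domains it names."""
    if resource_domain == account_domain:
        return [resource_domain]
    trusted_by: Dict[str, List[Tuple[str, bool]]] = {}
    for trusting, trusted, transitive in trusts:
        trusted_by.setdefault(trusting, []).append((trusted, transitive))
    if any(t == account_domain for t, _ in trusted_by.get(resource_domain, [])):
        return [resource_domain, account_domain]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for trusted, transitive in trusted_by.get(path[-1], []):
            if not transitive or trusted in seen:
                continue  # non-transitive trusts cannot be chained
            if trusted == account_domain:
                return path + [trusted]
            seen.add(trusted)
            queue.append(path + [trusted])
    return None


# Assumed forest layout for the "Trust Models" slide: root with children A and B, C under A, D under B.
ROOT, A, B = "cohowinery.com", "a.cohowinery.com", "b.cohowinery.com"
C, D = "c.a.cohowinery.com", "d.b.cohowinery.com"
FOREST = two_way(ROOT, A) + two_way(ROOT, B) + two_way(A, C) + two_way(B, D)
SHORTCUT = two_way(C, D)  # the "Shortcut Trust" slide: one hop instead of four
# Windows NT Server 4.0 model: explicit one-way, non-transitive trusts.
NT4 = [("A", "B", False), ("B", "C", False)]
```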
CROSS-FOREST TRUST
• New in Windows Server 2003
• Trusts between two forests
• Requires Windows Server 2003 forest functional level
• Uses Kerberos, as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships
SUMMARY
• Active Directory is a database (NTDS.dit).
• DNS is required by Active Directory.
• The schema defines object types and attributes.
• Domain and forest functional levels provide a balance between backward compatibility and new functionality.
• Active Directory allows for two-way transitive (Kerberos) trusts.
• Trusts allow domain hierarchies to be created.
• Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.