A Course on Overview Of Active Directory
Prepared for: *Stars*
New Horizons Certified Professional Course
Company Confidential

ACTIVE DIRECTORY FUNCTIONS
• Directory Services
  – Used to define, manage, access, and secure network resources.
  – Resources include: files, printers, groups, people, and applications.
• Active Directory
  – Stored as NTDS.dit on a domain controller.
  – Used by domain controllers to authenticate users.
  – Domain controllers store, maintain, and replicate.

ACTIVE DIRECTORY BENEFITS
• Centralized administration
• Single point of access
• Fault tolerance and redundancy
• Multiple domain controllers are used
• Multi-master replication
• Simplified resource location

CENTRALIZED ADMINISTRATION
• Hierarchical organization for ease of administration.
• Common Microsoft Management Console (MMC) tool set
  – Active Directory Users And Computers (DSA.MSC)
  – Active Directory Domains And Trusts (DOMAIN.MSC)
  – Active Directory Sites And Services (DSSITE.MSC)

SINGLE POINT OF AUTHENTICATION
(Diagram: before directory services, separate logons to Server1, Server2, and Server3; after directory services, Active Directory provides single sign-on.)

MULTI-MASTER REPLICATION
(Diagram only.)

SIMPLIFIED RESOURCE LOCATION
• Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003.
• Search Active Directory to find:
  – Shared folders
  – Printers
  – People (user accounts)

ACTIVE DIRECTORY SCHEMA
• Object classes
  – User accounts
  – Computer accounts
  – Printers
  – Groups
• Object attributes
  – Name
  – Globally unique identifier (GUID)
  – Location (for printer)
  – E-mail address (for users)

ACTIVE DIRECTORY COMPONENTS
(Diagram: forest root domain cohowinery.com and child domain north.cohowinery.com, each in its own IP site.)

ORGANIZATIONAL UNITS
• Container objects
• Look like a folder with a book icon in Active Directory Users And Computers
• Security is applied to OUs
  – Inherited by child OUs
  – Used to control access to that OU or hide subordinate OUs
  – Allows for the delegation of administrative rights

DOMAINS
• Logical grouping of resources.
• Form security and replication boundaries.
  – Individual access control lists (ACLs) for each domain.
  – Group Policies are typically assigned and inherited within a domain only, not from the forest.
  – Domain replication is independent of global catalog and schema replication.
• Multiple domains may be used by a single organization.

DOMAINS, TREES, AND A FOREST
(Diagram: contoso.com is the forest root and a tree root; tailspintoys.com is a second domain tree root in the same forest; west.contoso.com and east.contoso.com are child domains of the parent contoso.com; OUs are shown inside the domains.)

SITES
• Used to reflect the physical network structure
• Usually local area network (LAN) versus wide area network (WAN)
• Optimize replication
• Knowledge Consistency Checker (KCC) creates and maintains this structure

NAMING STANDARDS
• Lightweight Directory Access Protocol (LDAP)
  – Standard naming structure and hierarchy
  – Established by the Internet Engineering Task Force (IETF)
• Domain Name System (DNS)
• Uniform Resource Locator (URL)

LDAP NAMES
• cn=jsmith,ou=sales,dc=cohowinery,dc=com
• jsmith@cohowinery.com

PLANNING FOR ACTIVE DIRECTORY
• Logical and physical structure.
• DNS and Active Directory integration and naming.
• Functional levels of domains and forests.
• Trust relationships and models.

STRUCTURING ACTIVE DIRECTORY
• Security and administrative goals are important when defining the logical structure.
  – Group Policy application and inheritance
  – Delegating administrative control
  – Permission inheritance
• Logical structure often reflects the business or administrative model.
• Sites are used to reflect the physical structure of the network.

ROLE OF DNS
• Resolves friendly names to Internet Protocol (IP) addresses.
• Required by Active Directory.
• Domain members use service locator (SRV) records to find domain controllers.
• Dynamic DNS (DDNS) is supported and recommended.

FUNCTIONAL LEVELS
• Designed to support downlevel compatibility.
• Increasing the functional level allows for use of new features.
• Two types of functional level
  – Domain functional level
  – Forest functional level

DOMAIN FUNCTIONAL LEVELS
• Windows 2000 mixed
• Windows 2000 native
• Windows Server 2003 interim
• Windows Server 2003

WINDOWS 2000 MIXED FUNCTIONAL LEVEL
• Domain controllers can run on the following operating systems:
  – Windows NT Server 4.0
  – Windows 2000 Server
  – Windows Server 2003
• Features at this functional level include:
  – Install from media
  – Application directory partitions
  – Enhanced user interface (UI)

WINDOWS 2000 NATIVE FUNCTIONAL LEVEL
• Domain controllers can run on the following operating systems:
  – Windows 2000 Server
  – Windows Server 2003
• Features at this functional level include:
  – Group nesting
  – Universal groups
  – Security Identifier History (sIDHistory)

WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL
• Designed for organizations that have not upgraded to Windows 2000 Active Directory.
• Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
• Windows 2000 Server domain controllers are NOT allowed.
• No extra features over any other functional level.

WINDOWS SERVER 2003 FUNCTIONAL LEVEL
• Only Windows Server 2003 domain controllers.
• Features at this functional level include:
  – Replicated last logon timestamp
  – Key Distribution Center (KDC) version numbers
  – User password on inetOrgPerson objects
  – Domain renaming

RAISING THE DOMAIN FUNCTIONAL LEVEL
• Must be logged on as a member of the Domain Admins group.
• Performed using the Primary Domain Controller (PDC) emulator.
• All domain controllers must support the new level.
• Irreversible.

FOREST FUNCTIONAL LEVELS
• Windows 2000
• Windows Server 2003 interim
• Windows Server 2003

WINDOWS 2000 FOREST FUNCTIONAL LEVEL
• All domain controllers must be Windows 2000 Server or Windows Server 2003 domain controllers.
• Features supported at this functional level include:
  – Install from media
  – Universal group caching
  – Application directory partitions

WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL
• Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported.
• Windows 2000 Server domain controllers are NOT allowed.
• Features at this level include:
  – Improved inter-site topology generator (ISTG)
  – Improved linked value replication

WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL
• Only Windows Server 2003 domain controllers are supported.
• Features at this level include:
  – Dynamic auxiliary class objects
  – User objects can be converted to inetOrgPerson objects
  – Schema redefinitions permitted
  – Domain renames permitted
  – Cross-forest trusts permitted

RAISING THE FOREST FUNCTIONAL LEVEL
• Must be logged on as a member of the Enterprise Administrators group.
• Must be connected to the Schema Operations Master.
• All domain controllers must support the new functional level.
• Irreversible.
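The functional-level slides above say two things that matter operationally: every domain controller must support the target level, and the raise cannot be undone. The following preflight check is an added example, not part of the course material; its tables simply repeat the slides' lists of which domain-controller operating systems each level permits, and the group and server names it prints are the ones the slides give.

```python
"""Added example (not part of the course material): preflight check before
raising a domain or forest functional level. The tables repeat the slides'
lists of which domain-controller operating systems each level permits.
Because a raise is irreversible, the check refuses any target level that the
current domain controllers cannot all support."""

NT4 = "Windows NT Server 4.0"
W2K = "Windows 2000 Server"
W2K3 = "Windows Server 2003"
KNOWN_OS = {NT4, W2K, W2K3}

# Domain controller operating systems allowed at each domain functional level.
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {NT4, W2K, W2K3},
    "Windows 2000 native": {W2K, W2K3},
    "Windows Server 2003 interim": {NT4, W2K3},
    "Windows Server 2003": {W2K3},
}
# Domain controller operating systems allowed at each forest functional level.
FOREST_LEVELS = {
    "Windows 2000": {W2K, W2K3},
    "Windows Server 2003 interim": {NT4, W2K3},
    "Windows Server 2003": {W2K3},
}
# Who performs the raise and where, as stated on the slides.
RAISE_REQUIREMENTS = {
    "domain": ("Domain Admins", "PDC emulator"),
    "forest": ("Enterprise Administrators", "Schema Operations Master"),
}


def supported_levels(table, dc_operating_systems):
    """Levels that every listed domain controller can run at."""
    dcs = set(dc_operating_systems)
    unknown = dcs - KNOWN_OS
    if unknown:
        raise ValueError(f"unknown domain controller OS: {sorted(unknown)}")
    return [level for level, allowed in table.items() if dcs <= allowed]


def check_raise(scope, target_level, dc_operating_systems):
    """Return (ok, blocking_dcs, note) for raising to target_level.

    scope is "domain" or "forest"; dc_operating_systems lists the OS of every
    domain controller in that scope (for a forest, every DC in every domain).
    Any OS the target level does not list, including a name the tables do not
    know, is treated as blocking, which errs on the safe side."""
    table = DOMAIN_LEVELS if scope == "domain" else FOREST_LEVELS
    if target_level not in table:
        raise ValueError(f"{target_level!r} is not a {scope} functional level")
    allowed = table[target_level]
    blocking = sorted({dc for dc in dc_operating_systems if dc not in allowed})
    group, server = RAISE_REQUIREMENTS[scope]
    if blocking:
        return False, blocking, f"upgrade or demote these domain controllers first: {blocking}"
    return True, [], f"raise as a member of {group} on the {server}; this cannot be undone"


if __name__ == "__main__":
    # Constructed inventory: one NT 4.0 BDC still in the domain.
    inventory = [W2K3, W2K3, NT4]
    print(supported_levels(DOMAIN_LEVELS, inventory))
    print(check_raise("domain", "Windows Server 2003", inventory))
```

The inventory list is the only input a practitioner needs to supply; collect it from every domain controller, not just the ones that are convenient to reach, because a single overlooked downlevel DC is enough to make an irreversible raise the wrong call.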
ACTIVE DIRECTORY TRUST MODELS
• Transitivity: If A trusts B and B trusts C, then A trusts C
(Diagram: a forest root domain with child domains A, B, C, and D.)

SHORTCUT TRUST
(Diagram: the same forest root domain and child domains A, B, C, and D, with a shortcut trust drawn between two of the child domains.)

WINDOWS NT SERVER 4.0 TRUST MODEL
(Diagram: Domain A, Domain B, Domain C, and Domain D.)

CROSS-FOREST TRUST
• New in Windows Server 2003
• Trusts between two forests
• Requires Windows Server 2003 forest functional level
• Uses Kerberos, as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships

SUMMARY
• Active Directory is a database (NTDS.dit).
• DNS is required by Active Directory.
• Schema defines object types and attributes.
• Domain and forest functional levels provide a balance between backward compatibility and new functionality.
• Active Directory allows for two-way transitive (Kerberos) trusts.
• Trusts allow domain hierarchies to be created.
• Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.
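Two of the slides above lend themselves to one worked example: the LDAP NAMES slide, which places a distinguished name (cn=jsmith,ou=sales,dc=cohowinery,dc=com) beside the matching UPN, and the trust-model slides, which describe transitive parent/child trusts, shortcut trusts, the non-transitive Windows NT 4.0 model and cross-forest trusts. The code below is an added example and is not part of the course material. It reads the dc components of a DN to find the user's domain, then walks the trusts to find the chain a referral to another domain would follow. The forest layout is assumed: cohowinery.com, north.cohowinery.com and contoso.com appear on the slides, while south.cohowinery.com and west.contoso.com are constructed for the example.

```python
"""Added example (not part of the course material): derive a user's DNS domain
from an LDAP distinguished name, then compute the chain of trusts that leads
from that domain to a resource in another domain."""
from collections import deque


def split_dn(dn):
    """Split a DN into (attribute, value) pairs. A backslash escapes the next
    character, so a comma inside a value (cn=Smith\\, John) is not treated as
    an RDN separator (minimal subset of the RFC 4514 rules)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dns_domain_of(dn):
    """The dc components, read in order, give the DNS name of the domain."""
    labels = [v for a, v in split_dn(dn) if a == "dc"]
    if not labels:
        raise ValueError("DN carries no dc components")
    return ".".join(labels)


def upn_of(dn):
    """Assumes, as the slide does, that the cn is also the user's logon name."""
    cn = next((v for a, v in split_dn(dn) if a == "cn"), None)
    if cn is None:
        raise ValueError("DN carries no cn")
    return f"{cn}@{dns_domain_of(dn)}"


def trust_graph(trusts):
    """Every listed trust is two-way, as the slides describe AD trusts."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def trust_path(graph, src, dst, transitive=True):
    """Shortest chain of trusts from src to dst, or None when dst is not
    trusted from src. transitive=False models the Windows NT 4.0 model, where
    only a direct trust between the two domains counts."""
    if src == dst:
        return [src]
    if not transitive:
        return [src, dst] if dst in graph.get(src, ()) else None
    parent = {src: None}
    queue = deque([src])
    while queue:  # breadth-first search finds the fewest trust hops
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt in parent:
                continue
            parent[nxt] = cur
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


# Assumed layout: a forest rooted at cohowinery.com with two child domains,
# and a second forest (contoso.com) joined to it by a cross-forest trust.
FOREST_TRUSTS = [
    ("cohowinery.com", "north.cohowinery.com"),
    ("cohowinery.com", "south.cohowinery.com"),
    ("contoso.com", "west.contoso.com"),
    ("cohowinery.com", "contoso.com"),  # cross-forest trust between the roots
]
SHORTCUT_TRUST = ("north.cohowinery.com", "south.cohowinery.com")


def referral_path(user_dn, resource_domain, trusts):
    """Chain of domains from the user's own domain to the resource domain."""
    return trust_path(trust_graph(trusts), dns_domain_of(user_dn), resource_domain)


if __name__ == "__main__":
    user = "cn=jsmith,ou=sales,dc=north,dc=cohowinery,dc=com"
    print(upn_of(user))
    print(referral_path(user, "south.cohowinery.com", FOREST_TRUSTS))
    print(referral_path(user, "south.cohowinery.com", FOREST_TRUSTS + [SHORTCUT_TRUST]))
```

Two points the output makes concrete: with only parent/child trusts, a user in north.cohowinery.com reaches south.cohowinery.com through the forest root, and adding the shortcut trust cuts that to a single hop, which is exactly what a shortcut trust is for. The model treats every trust as transitive, which is correct inside a forest and across the two forests that a cross-forest trust joins, but a cross-forest trust does not chain on to a third forest, so the graph would need a per-edge rule before being used for three or more forests. The DN parser honours backslash escaping for the same reason any directory-facing code must: a comma inside a name must not be mistaken for the start of a new RDN.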