Active Directory Domain Services

Overview of Active Directory Domain
Services
Lesson 1
Chapter Objectives
• Identify Active Directory functions and
benefits.
• Identify the major components that make up
an Active Directory structure.
• Identify how DNS relates to Active Directory.
• Identify Forest and Domain Functional
Levels.
Directory Service
• A network service that identifies all
resources on a network and makes those
resources accessible to users and
applications.
• The most common directory service
standards are:
– X.500
– Lightweight Directory Access Protocol (LDAP)
X.500
• Uses a hierarchical approach in which
objects are organized in a similar way to the
files and folders on a hard drive.
Lightweight Directory Access Protocol (LDAP)
• Industry standard (RFC 4511).
• Slimmed-down version of X.500 adapted to run
over TCP/IP (port 389; LDAP over SSL/TLS on
port 636). Active Directory clients use LDAP to
read and modify directory objects, so simple
binds, which carry the password in clear text,
should only be allowed over a signed or
encrypted connection.
Active Directory
• A directory service that uses the “tree”
concept for managing resources on a
Windows network.
• Stores information about the network
resources and services, such as user data,
printer, servers, databases, groups,
computers, and security policies.
• Identifies all resources on a network and
makes them accessible to users and
applications.
Active Directory
• Used in:
– Windows 2000
– Windows Server 2003
– Windows Server 2008
• Subsequent versions of Active Directory
have introduced new functionality and
security features.
Active Directory
• Windows Server 2008 provides two directory
services:
– Active Directory Domain Services (AD DS)
– Active Directory Lightweight Directory
Services (AD LDS)
Active Directory Domain Services (AD DS)
• Provides the full-fledged directory service
that is referred to as Active Directory in
Windows Server 2008 and previous versions
of Windows Server.
Active Directory Lightweight Directory Services
(AD LDS)
• Provides a lightweight, flexible directory
platform for directory-enabled applications
without the overhead of a full AD DS domain:
no domain controllers, Group Policy or
Kerberos realm (formerly known as ADAM).
Domain Controller (DC)
• Server that holds a copy of the Active Directory
database and authenticates users to the domain
at logon (Kerberos KDC and NTLM).
• Stores the database in a file called ntds.dit
(by default %SystemRoot%\NTDS\ntds.dit).
– ntds.dit contains the password hashes of every
account in the domain. Anyone who can read the
file, or a backup or VSS snapshot of it, together
with the SYSTEM registry hive can extract them
offline, so DC backups and disk images must be
protected like the DC itself.
• Active Directory is a multimaster database.
– Changes can be written on any writable domain
controller and are automatically replicated to
the other domain controllers.
Active Directory Functions and Benefits
• Centralized resource and security
administration.
• Single logon for access to global resources.
• Fault tolerance and redundancy.
• Simplified resource location.
Centralizing Resources and Security
Administration
• Active Directory provides a single point from
which administrators manage network
resources and their associated security
objects (users, groups, permissions):
• MMC Consoles found in Administrator Tools:
– Active Directory Users and Computers
– Active Directory Sites and Services
– Active Directory Domains and Trusts
– ADSI Edit
Fault Tolerance and Redundancy
• Active Directory uses a multimaster domain
controller design.
• Changes made on one domain controller are
replicated to all other domain controllers in
the environment.
• It is recommended to have two or more
domain controllers for each domain.
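The multimaster design only provides fault tolerance while replication actually works; a DC that silently stops replicating keeps answering logons with stale data (old group memberships, old passwords). The following is an added example, not from the lecture, that reports each DC's inbound replication partners and any outstanding failures. It assumes the RSAT ActiveDirectory PowerShell module (the two replication cmdlets ship with the Windows Server 2012 or later RSAT; on older hosts `repadmin /replsummary` gives the same picture) and a domain named lucernepublishing.com.

```powershell
# Added example (not from the lecture): check multimaster replication health
# from a management host. Domain name is an assumption.
Import-Module ActiveDirectory

$domain = 'lucernepublishing.com'   # assumed domain

# Every domain should have at least two DCs, each with at least one inbound partner.
$dcs = @(Get-ADDomainController -Filter * -Server $domain)
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller(s) found; the recommendation is two or more per domain."
}

foreach ($dc in $dcs) {
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound
    foreach ($p in $partners) {
        [pscustomobject]@{
            DC          = $dc.HostName
            Partner     = $p.Partner
            Partition   = $p.Partition
            LastSuccess = $p.LastReplicationSuccess
            Failures    = $p.ConsecutiveReplicationFailures
        }
    }
}

# Outstanding failures across the domain. Persistent failures mean one DC is
# drifting away from the others, which is both an availability and a security
# problem (disabled accounts or password resets do not reach it).
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```

Run it from a workstation with RSAT rather than on a DC, so that the auditing account does not need to log on interactively to Tier 0 hosts.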
Read-Only Domain Controller (RODC)
• Introduced with Windows Server 2008.
• A domain controller that holds a read-only copy
of ntds.dit: it receives changes by inbound
replication from writable domain controllers but
accepts no writes itself and never replicates
outward, so a compromised RODC cannot push
changes into the directory.
• By default it caches no account secrets; a
Password Replication Policy defines which
accounts' credentials may be cached on it, and
privileged groups such as Domain Admins are
denied by default. Intended for branch offices
where physical security is weaker.
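The security value of an RODC rests on what it is allowed to cache: every account whose secret is cached on the RODC is exposed if the branch server is stolen. The following is an added example, not from the lecture, that lists each RODC's Password Replication Policy and the accounts whose secrets are actually present on it. It assumes the RSAT ActiveDirectory module and a domain named lucernepublishing.com.

```powershell
# Added example (not from the lecture): audit RODC password caching.
Import-Module ActiveDirectory

$domain = 'lucernepublishing.com'   # assumed domain
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $domain

foreach ($rodc in $rodcs) {
    "== $($rodc.HostName) (site $($rodc.Site))"

    # Accounts the policy permits this RODC to cache
    "-- Allowed to replicate:"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed |
        Select-Object -ExpandProperty Name

    # Accounts that must never be cached (Domain Admins, Enterprise Admins,
    # krbtgt and similar are in the denied list by default)
    "-- Denied:"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Denied |
        Select-Object -ExpandProperty Name

    # Secrets currently revealed to this RODC: this is exactly the set of
    # credentials an attacker obtains by stealing the branch-office server.
    "-- Secrets currently cached on this RODC:"
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts |
        Select-Object Name, ObjectClass
}
```

If an RODC is lost, reset the password of every account in the revealed list (deleting the RODC's computer object in Active Directory Users and Computers offers to do this), and keep the allowed list to the users and computers of that one site.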
Simplifying Resource Location
• Allows file and print resources to be
published within Active Directory.
• Examples include:
– Shared folders
– Printers
Active Directory Components
• Forests – One or more domain trees, with
each tree having its own unique name
space.
• Domain trees – One or more domains with
contiguous name space.
• Domains – A logical unit of computers and
network resources that forms an administrative
and replication boundary. The forest, not the
domain, is the security boundary: every domain
in a forest trusts the others, and the schema and
configuration are shared forest-wide.
Active Directory Components
• Every object in Active Directory shares a set of
common attributes:
– Unique name
– Globally unique identifier (GUID)
– Required object attributes
– Optional object attributes
Understanding the Schema
• Defines the classes of object that can be stored
in Active Directory and the properties
(attributes) each class carries.
– A user object has different attributes than a
group, which in turn has different attributes
than a computer.
– There is one schema per forest; extending it
(for example when installing Exchange) affects
every domain in the forest and requires
membership in Schema Admins.
Active Directory Naming Standard
• Objects are identified by an LDAP distinguished
name (DN), read from the object up to the domain.
Example:
– cn=JSmith,ou=sales,dc=lucernepublishing,dc=com
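The two slides above describe LDAP and the DN naming scheme; the following is an added example, not from the lecture or from any Microsoft sample, showing a search for the JSmith object from that DN over LDAP. It uses the .NET System.DirectoryServices classes that ship with Windows, so it works against a Windows Server 2008 DC without RSAT. The OU, domain and account name are assumptions. The point a practitioner should take from it is the escaping: an LDAP filter built from untrusted input without it is an LDAP injection, the same class of bug as SQL injection.

```powershell
# Added example (not from the lecture): search the directory over LDAP with a
# safely escaped filter. OU, domain and account name are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside filter values so that
    # untrusted input (a login form, a web search box) cannot change the
    # filter's logic, e.g. turn "(sAMAccountName=x)" into "(sAMAccountName=*)".
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash must be escaped first so later replacements are not double-escaped.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a')
    $v = $v.Replace('(', '\28')
    $v = $v.Replace(')', '\29')
    $v = $v.Replace([string][char]0, '\00')
    return $v
}

function Find-SalesUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchBase = 'LDAP://ou=sales,dc=lucernepublishing,dc=com'   # assumed OU
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safe     = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'cn', 'memberOf', 'userAccountControl'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DN     = $r.Properties['distinguishedname'][0]
            CN     = $r.Properties['cn'][0]
            Groups = @($r.Properties['memberof'])
            UAC    = $r.Properties['useraccountcontrol'][0]
        }
    }
}

# Normal lookup of the object from the slide:
# cn=JSmith,ou=sales,dc=lucernepublishing,dc=com
Find-SalesUser -SamAccountName 'JSmith'

# Hostile input. Without the escaping the filter would become
# (sAMAccountName=*)(objectClass=*) and match every user in the OU;
# escaped, it is a literal string that matches nothing.
Find-SalesUser -SamAccountName '*)(objectClass=*'
```

The same escaping rule applies to any application that builds LDAP filters from user input; DN components have a separate escaping syntax (RFC 4514) and must not be escaped with the filter rules.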
Domain Name System (DNS)
• Provides name resolution for a TCP/IP
network.
• Active Directory requires DNS: domain members
find domain controllers by querying the service
records that the domain controllers register.
• Example Resource Records (RR):
– Host (A) – Host name to IP.
– Pointer (PTR) – IP to host name.
– Service (SRV) – Locator records for the LDAP,
Kerberos and global catalog services, e.g.
_ldap._tcp.dc._msdcs.<domain> lists the domain
controllers of a domain.
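The following is an added example, not from the lecture, that locates domain controllers the way a domain member does, through the SRV records above, and then checks the setting that protects those records: a zone that accepts non-secure dynamic updates lets any host on the network overwrite a DC's SRV or A record and redirect logons to a rogue server. It assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later; `nslookup -type=SRV` and the DNS Manager zone properties show the same information on Windows Server 2008) and a domain named lucernepublishing.com.

```powershell
# Added example (not from the lecture): DC location through SRV records and a
# dynamic-update check. Domain name is an assumption.
$domain = 'lucernepublishing.com'   # assumed domain

# Domain-wide DC locator record and the Kerberos KDC record
foreach ($svc in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain") {
    Resolve-DnsName -Name $svc -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# Site-specific locator: clients prefer DCs registered for their own site
$site = (Get-ADDomainController -Discover -DomainName $domain).Site   # RSAT ActiveDirectory module
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port

# Cross-check with the DC locator service itself
nltest /dsgetdc:$domain /kdc

# On the DNS server: 'Secure' means only the authenticated computer that owns
# a record may update it. 'NonsecureAndSecure' lets anyone re-point a DC's
# records. The _msdcs zone is often delegated separately, so check both.
foreach ($zoneName in $domain, "_msdcs.$domain") {
    $zone = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) { continue }
    if ($zone.DynamicUpdate -ne 'Secure') {
        Write-Warning "Zone $zoneName allows '$($zone.DynamicUpdate)' dynamic updates"
        # Remediation (requires Active Directory-integrated zone):
        # Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate Secure
    } else {
        "Zone $zoneName : secure dynamic updates only"
    }
}
```

Secure dynamic update is only available for Active Directory-integrated zones, which is the main reason to store the AD zones in the directory rather than in zone files.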
Functional Levels
• Control which Active Directory features are
enabled and which Windows versions may run as
domain controllers, so that a domain or forest
can interoperate with domain controllers on
older versions of Windows.
• Raising a level enables additional features but
means domain controllers running older versions
of Windows can no longer be added to the domain
or forest; all existing domain controllers must
already run a supported version before the level
is raised. Member servers and workstations are
not affected.
• Raising a functional level is a one-way process.
Domain Functional Levels
Forest Functional Levels
Using Forest Functional Levels
• To raise the functional level of a forest, you
must be logged on as a member of the
Enterprise Admins group.
• The functional level of a forest can be raised
only on a server that holds the Schema
Master role.
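Because raising a level cannot be undone, the check for old domain controllers has to happen before the change. The following is an added example, not from the lecture, that reports the current forest and domain levels, refuses to proceed while any DC still runs Windows 2000 or Windows Server 2003, and then performs a dry run of the raise. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later; against plain Windows Server 2008 DCs it needs the Active Directory Management Gateway Service) and a forest root named lucernepublishing.com; run it as a member of Enterprise Admins.

```powershell
# Added example (not from the lecture): inspect and raise functional levels.
# Forest name is an assumption.
Import-Module ActiveDirectory

$forestName = 'lucernepublishing.com'   # assumed forest root domain
$forest = Get-ADForest -Identity $forestName

"Forest mode : $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    "Domain {0,-35} mode {1}" -f $d, $dom.DomainMode
}

# Raising is one-way: prove first that no DC anywhere in the forest runs an
# OS older than the target level.
$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$dcs | Select-Object HostName, Domain, OperatingSystem, IsReadOnly | Sort-Object OperatingSystem

$tooOld = $dcs | Where-Object { $_.OperatingSystem -match '2000|2003' }
if ($tooOld) {
    Write-Warning 'Cannot raise to Windows2008Forest; upgrade or demote these DCs first:'
    $tooOld | ForEach-Object { "  $($_.HostName)  $($_.OperatingSystem)" }
    return
}

# Every domain must already be at the matching domain level; raise a lagging
# domain with Set-ADDomainMode before the forest.
# Set-ADDomainMode -Identity $forestName -DomainMode Windows2008Domain -WhatIf

# Dry run, then the real change (remove -WhatIf once the output looks right).
Set-ADForestMode -Identity $forestName -ForestMode Windows2008Forest -WhatIf
# Set-ADForestMode -Identity $forestName -ForestMode Windows2008Forest -Confirm:$false
```

Take a system-state backup of a domain controller in each domain before the real run; a backup taken at the old level is the only way back.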
Trust Relationships
• Active Directory uses trust relationships to
allow access between multiple domains
and/or forests, either within a single forest
or across multiple enterprise networks.
• A trust relationship allows administrators
from a particular domain to grant access to
their domain’s resources to users in other
domains.
Trust Relationships
• When a child domain is created, it
automatically receives a two-way transitive
trust with its parent domain.
• Trusts within a forest are transitive:
If domain A trusts domain B
And domain B trusts C
Then domain A trusts domain C
• A forest trust is transitive between the two
forests it joins but no further; an external
trust to a single domain is not transitive.
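A trust extends the reach of every account on the trusted side, so each trust that crosses the forest boundary should be reviewed for the two controls that limit it: SID filtering, which stops the trusted side from injecting SIDs of your own privileged groups through sIDHistory, and selective authentication, which limits trusted users to the hosts they are explicitly allowed to authenticate to. The following is an added example, not from the lecture, that lists the trusts of the current domain and flags those controls. It assumes the RSAT ActiveDirectory module; `netdom` and `nltest` ship with Windows Server 2008.

```powershell
# Added example (not from the lecture): audit the trusts of the current domain.
Import-Module ActiveDirectory

$trusting = (Get-ADDomain).DNSRoot
$trusts   = Get-ADTrust -Filter *

$trusts | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
    SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize

foreach ($t in $trusts) {
    # Intra-forest (parent/child, tree-root) trusts are fixed two-way transitive
    # trusts that cannot be filtered: the forest, not the domain, is the boundary.
    if ($t.IntraForest) { continue }

    $issues = @()
    # External (non-transitive) trust: the quarantine flag is SID filtering.
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        $issues += 'SID filtering (quarantine) is off'
    }
    # Without selective authentication every user of the trusted side may
    # authenticate to every host in this domain.
    if (-not $t.SelectiveAuthentication) {
        $issues += 'selective authentication not enabled'
    }
    [pscustomobject]@{ Trust = $t.Name; Direction = $t.Direction; Issues = ($issues -join '; ') }

    # netdom reports the authoritative SID-filtering state. For a forest trust
    # /enablesidhistory should answer No (SID history from the other forest is
    # filtered); /quarantine with no value only displays the current setting.
    netdom trust $trusting /domain:$($t.Name) /quarantine
    if ($t.ForestTransitive) { netdom trust $trusting /domain:$($t.Name) /enablesidhistory }
}

# The trust paths as the DC locator sees them, including indirect trusts
nltest /domain_trusts /all_trusts
```

Disabling SID filtering on an external trust (`netdom trust ... /quarantine:No`) is occasionally done to make sIDHistory work during migrations; it should be re-enabled as soon as the migration ends.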
Chapter Summary
• Active Directory is a database of objects that are
used to organize resources according to a logical
plan.
– These objects include containers such as domains
and OUs in addition to resources such as users,
computers, and printers.
• The Active Directory schema includes definitions of
all objects and attributes within a single forest.
– Each forest maintains its own Active Directory
schema.
Chapter Summary
• Active Directory requires DNS to support SRV
records.
– Microsoft recommends that DNS support
dynamic updates, restricted to secure dynamic
updates so that only the authenticated owner of
a record can change it.
Chapter Summary
• Domain and forest functional levels were
introduced with Windows Server 2003 (Windows
2000 had only the mixed and native domain
modes); Windows Server 2008 adds the Windows
Server 2008 domain and forest levels.
– The levels defined for each of these are
based on the server operating systems that
the Active Directory design requires on its
domain controllers.
– The Windows Server 2008 forest functional
level is the highest level available in Windows
Server 2008; it requires every domain controller
in the forest to run Windows Server 2008 and
enables all Windows Server 2008 forest features.
Chapter Summary
• Two-way transitive trusts are automatically
generated within the Active Directory domain
structure.
– Parent and child domains form the trust path
that authentication follows across the forest:
the Kerberos KDC issues referral tickets along
the path until the domain that holds the
resource is reached. (The ISTG builds the
inter-site replication topology; it plays no
part in trusts.)
Chapter Summary
• Cross-forest (forest) trusts were introduced in
Windows Server 2003 and are available only when
both forests are at the Windows Server 2003
forest functional level or higher.
– They must be manually created and
maintained, and SID filtering should be left
enabled on them.