Overview of Active Directory Domain Services
Lesson 1

Chapter Objectives
• Identify Active Directory functions and benefits.
• Identify the major components that make up an Active Directory structure.
• Identify how DNS relates to Active Directory.
• Identify forest and domain functional levels.

Directory Service
• A network service that identifies all resources on a network and makes those resources accessible to users and applications.
• The most common directory service standards are:
  – X.500
  – Lightweight Directory Access Protocol (LDAP)

X.500
• Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive.

Lightweight Directory Access Protocol (LDAP)
• Industry standard.
• Slimmed-down version of X.500, modified to run over TCP/IP networks.

Active Directory
• A directory service that uses the "tree" concept for managing resources on a Windows network.
• Stores information about network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies.
• Identifies all resources on a network and makes them accessible to users and applications.

Active Directory
• Used in:
  – Windows 2000
  – Windows Server 2003
  – Windows Server 2008
• Subsequent versions of Active Directory have introduced new functionality and security features.

Active Directory
• Windows Server 2008 provides two directory services:
  – Active Directory Domain Services (AD DS)
  – Active Directory Lightweight Directory Services (AD LDS)

Active Directory Domain Services (AD DS)
• Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server.

Active Directory Lightweight Directory Services (AD LDS)
• Provides a lightweight, flexible directory platform that can be used by Active Directory developers without incurring the overhead of the full-fledged AD DS directory service.
Domain Controller (DC)
• Server that stores the Active Directory database and authenticates users to the network during logon.
• Stores database information in a file called ntds.dit.
• Active Directory is a multimaster database.
  – Information is automatically replicated between multiple domain controllers.

Active Directory Functions and Benefits
• Centralized resource and security administration.
• Single logon for access to global resources.
• Fault tolerance and redundancy.
• Simplified resource location.

Centralizing Resources and Security Administration
• Active Directory provides a single point from which administrators can manage network resources and their associated security objects.
• MMC consoles found in Administrative Tools:
  – Active Directory Users and Computers
  – Active Directory Sites and Services
  – Active Directory Domains and Trusts
  – ADSI Edit

Fault Tolerance and Redundancy
• Active Directory uses a multimaster domain controller design.
• Changes made on one domain controller are replicated to all other domain controllers in the environment.
• It is recommended to have two or more domain controllers for each domain.

Read-Only Domain Controller (RODC)
• Introduced with Windows Server 2008.
• A domain controller that holds a copy of the ntds.dit file that cannot be modified and that does not replicate changes to other domain controllers within Active Directory.

Simplifying Resource Location
• Allows file and print resources to be published within Active Directory.
• Examples include:
  – Shared folders
  – Printers

Active Directory Components
• Forests – One or more domain trees, with each tree having its own unique namespace.
• Domain trees – One or more domains with a contiguous namespace.
• Domains – A logical unit of computers and network resources that defines a security boundary.
Active Directory Components
• Common attributes shared by Active Directory objects include:
  – Unique name
  – Globally unique identifier (GUID)
  – Required object attributes
  – Optional object attributes

Understanding the Schema
• Defines the objects stored within Active Directory and the properties (attributes) associated with each object.
  – A user has different properties than a group, which in turn has different properties than a computer.

Active Directory Naming Standard
• Example:
  – cn=JSmith, ou=sales, dc=lucernepublishing, dc=com

Domain Name System (DNS)
• Provides name resolution for a TCP/IP network.
• Active Directory requires DNS as the default name resolution method.
• Example resource records (RR):
  – Host (A) – host name to IP address.
  – Pointer (PTR) – IP address to host name.
  – Service (SRV) – locator records for LDAP/domain controller services.

Functional Levels
• Allow interoperability with prior versions of Microsoft Windows.
• Higher functional levels will not allow older versions of Windows to function, but will add functionality or features.
• Raising a functional level is a one-way process.

Domain Functional Levels

Forest Functional Levels

Using Forest Functional Levels
• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.
• The functional level of a forest can be raised only on a server that holds the Schema Master role.

Trust Relationships
• Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks.
• A trust relationship allows administrators of a particular domain to grant access to their domain's resources to users in other domains.

Trust Relationships
• When a child domain is created, it automatically receives a two-way transitive trust with its parent domain.
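The naming standard and the DNS slides above fit together: the dc= components of a distinguished name spell the domain's DNS name, and a client locates a domain controller for that domain through SRV records. The following is an added example (not from the original lesson) that parses a DN like the slide's, derives the DNS domain, and builds the SRV record names for the LDAP and Kerberos services; the site name is an assumed input.

```python
"""Added example (not from the original slides): parse an LDAP distinguished
name like the slide's cn=JSmith, ou=sales, dc=lucernepublishing, dc=com,
derive the DNS domain name from its dc= components, and build the SRV record
names a client queries to locate a domain controller for that domain."""
import re
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific first.
    Accepts the ', ' separators used on the slide and backslash-escaped commas."""
    parsed = []
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return parsed


def dns_domain(dn: str) -> str:
    """The dc= components, read left to right, spell the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def dc_locator_records(domain: str, site: Optional[str] = None) -> dict:
    """SRV record names a client resolves to find LDAP and Kerberos on a DC.
    Giving a site name (assumed input) yields the site-specific records a
    client tries first, so it can prefer a nearby domain controller."""
    scope = f"{site}._sites." if site else ""
    return {
        "ldap": f"_ldap._tcp.{scope}dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.{scope}dc._msdcs.{domain}",
    }
```

Checking that these SRV names resolve is a quick way to confirm a new DC has registered itself in DNS, which the lesson's dynamic-update recommendation relies on.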
• Trusts are transitive:
  – If domain A trusts domain B,
  – and domain B trusts domain C,
  – then domain A trusts domain C.

Chapter Summary
• Active Directory is a database of objects that are used to organize resources according to a logical plan.
  – These objects include containers such as domains and OUs in addition to resources such as users, computers, and printers.
• The Active Directory schema includes definitions of all objects and attributes within a single forest.
  – Each forest maintains its own Active Directory schema.
• Active Directory requires DNS to support SRV records.
  – Microsoft recommends that DNS support dynamic updates.
• Domain and forest functional levels are new features of Windows Server 2008.
  – The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design.
  – The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features.
• Two-way transitive trusts are automatically generated within the Active Directory domain structure.
  – Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources.
  – The ISTG is responsible for this process.
• Cross-forest trusts are new to Windows Server 2003, and they are only available when the forest functional level is set to Windows Server 2003.
  – They must be manually created and maintained.
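The transitivity rule and the automatic parent/child trusts described above can be checked with a small model. This is an added example, not code from the original lesson: parent and child domains get a two-way transitive trust, while a manually created external trust is modelled as one-way and non-transitive (an assumption for the example), so access never flows through it to a third domain. The forest layout and the partner.example domain are constructed sample data.

```python
"""Added example (not from the original slides): model the lesson's trust rules.
Parent/child domains receive an automatic two-way transitive trust; a manually
created external trust is modelled as one-way and non-transitive (assumption)."""
from collections import deque


class TrustMap:
    def __init__(self):
        # trusting domain -> {trusted domain: True if that trust is transitive}
        self.edges = {}

    def add_domain(self, name, parent=None):
        """Create a domain; a child gets a two-way transitive trust with its parent."""
        self.edges.setdefault(name, {})
        if parent is not None:
            self.edges[name][parent] = True
            self.edges.setdefault(parent, {})[name] = True

    def add_external_trust(self, trusting, trusted):
        """Manually created one-way trust: users of `trusted` may be granted access
        in `trusting`, but the trust is not extended to any other domain."""
        self.edges.setdefault(trusting, {})[trusted] = False
        self.edges.setdefault(trusted, {})

    def trusts(self, trusting, trusted):
        """True if `trusting` accepts users from `trusted`, directly or by walking
        transitive trusts (A trusts B, B trusts C => A trusts C)."""
        if trusting == trusted:
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, {}).items():
                # an intermediate hop may only be crossed if its trust is transitive
                if current != trusting and not transitive:
                    continue
                if nxt == trusted:
                    return True
                if transitive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def lucerne_forest():
    """Constructed sample forest built on the lesson's lucernepublishing.com name."""
    t = TrustMap()
    t.add_domain("lucernepublishing.com")
    t.add_domain("sales.lucernepublishing.com", parent="lucernepublishing.com")
    t.add_domain("east.sales.lucernepublishing.com", parent="sales.lucernepublishing.com")
    t.add_domain("research.lucernepublishing.com", parent="lucernepublishing.com")
    t.add_external_trust("research.lucernepublishing.com", "partner.example")  # assumed
    return t
```

Walking the trust path this way shows why an account in a distant child domain can be granted access anywhere in the forest, while the manually created external trust stays confined to the one domain that created it.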