cisy 331 lecture5 active directory service

8/8/2019 CISY 331 Lecture5 Active Directory Service

1/43

CISY 331CISY 331

NetworkNetworkAdministration 1Administration 1

LECTURE 5:Windows Active Directory

Service


2/43

CISY 331: Network Administration 1 2Feb_09: Lecture5

Lecture 5: Scope:

Windows Active directory service

Goal:

Define active directory.

Examine the structure of AD

Discuss trusts as used in AD


3/43


Active Directory Service Active Directory (definition) is a directory

service used to store information about the

network resources across a domain.

It is an implementation of lightweight

directory access protocol (LDAP) directory

services by Microsoft for use primarily inWindows environments.


4/43


Active Directory Service Its main purpose is to provide central

authentication and authorization services

for Windows based computers.

Active Directory also allows administrators

to assign policies, deploy software, and

apply critical updates to an organization.


5/43


Active directoryActive Directory was previewed in 1996,

released first with Windows 2000 Server

edition, and revised to extend functionalityand improve administration in WindowsServer 2003.

Additional improvements were made inboth Windows Server 2003 R2 andWindows Server 2008.


6/43


Active directory Microsoft Active Directory Domain Services are

the foundation for distributed networks built on

Windows 2000 Server, Windows Server 2003and Microsoft Windows Server 2008 operatingsystems that use domain controllers.

Active Directory Domain Services provide

secure, structured, hierarchical data storage forobjects in a network such as users, computers,printers, and services.


7/43


Active Directory ServiceActive Directory Domain Services provide

support for locating and working with these

objects.

Active Directory stores information and

settings in a central database.


8/43


Active directory Active Directory networks can vary from a small

installation with a few hundred objects, to a large

installation with millions of objects. Windows 2000 Server and later operating

systems provide a user interface for users and

administrators to work with the objects and data

in Active Directory Domain Services.


9/43


Active directory structureObjects:

An Active Directory (AD) structure is a

hierarchical framework of objects. The

objects fall into three broad categories:

Resources (e.g. printers),

Services (e.g. e-mail) and

Users (user accounts and groups).


10/43


Active directory structure The AD provides information on the

objects, organizes the objects, controls

access and sets security. Each object represents a single entity (a

user, a computer, a printer, or a group)and its attributes.

Certain objects can also be containers ofother objects.


11/43


12/43


Active directory structure Each attribute object can be used in several

different schema class objects.

These schema objects exist to allow the schemato be extended or modified when necessary.

However, because each schema object isintegral to the definition of AD objects,

deactivating or changing these objects can haveserious consequences because it willfundamentally change the structure of AD itself.


13/43


Active Directory StructureA schema object, when altered, will

automatically propagate through Active

Directory and once it is created it can onlybe deactivated not deleted.

Changing the schema usually requires a

fair amount of planning.


14/43


Forests, trees, and domains The framework that holds the objects is viewed

at a number of levels (three);

Forest Tree

Domain.

At the top of the structure is the Forest

Consist of the collection of every object, its attributes

and rules (attribute syntax) in the AD.


15/43


Forest, trees, and domain The forest holds one or more transitive,

trust-linked Trees.

A tree holds one or more Domain and

domain trees, linked in a transitive trust

hierarchy.

Domains are identified by their DNS namestructure, the namespace.


16/43


Organizational units The objects held within a domain can be

grouped into containers called OrganizationalUnits (OUs).

OUs give a domain a hierarchy, ease itsadministration, and can give a semblance of thestructure of the AD's company in organizationalor geographical terms.

OUs can contain OUs - indeed, domains arecontainers in this sense - and can hold multiplenested OUs.


17/43


Organizational units Microsoft recommends as few domains as possible in

AD and a reliance on OUs to produce structure andimprove the implementation of policies and

administration. The OU is the common level at which to apply group

policies.

Policies can also be applied to domains or sites

The OU is the level at which administrative powers arecommonly delegated. Granular delegation can be also performed on individual objects

or attributes as well.


18/43


Sites: AD also supports the creation ofSites.

Sites are physical, rather than logical, groupings

defined by one or more IP subnets. Sites distinguish between locations connected

by low-speed (e.g. WAN, VPN) and high-speed(e.g. LAN) connections.

Sites are independent of the domain and OUstructure and are common across the entireforest.


19/43


Sites Sites are used to control network traffic

generated by replication and also to refer

clients to the nearest domain controllers.

Exchange 2007 also uses the site

topology for mail routing.

Policies can also be applied at the sitelevel.


20/43


Active Directory Database The AD database is split into different

stores orpartitions.

Microsoft often refers to these partitions as'naming contexts'.

They include:

The 'Schema' partition The 'Configuration' partition

The 'Domain partition


21/43


AD Database The 'Schema'partition contains the definition of

object classes and attributes within the Forest.

The 'Configuration'partition, containsinformation on the physical structure and

configuration of the forest (such as the site

topology).

The 'Domain'partition holds all objects created

in a given domain.


22/43


AD Database The schema and configuration partitions

replicate to all domain controllers in a

Forest. The Domain partition replicates only to

Domain Controllers within its domain.

A subset of objects in the domain partitionare also replicated to domain controllersthat are configured as global catalogs.


23/43


Global catalogue Global catalog (GC) servers are used to provide

a global listing of all objects in the Forest.

The Global catalog is held on domain controllersconfigured as global catalog servers.

Global Catalog servers replicate to themselves

all objects from all domains and hence, provide

a global listing of objects in the forest.


24/43


25/43


FSMO Roles: AD domain controllers operate in a multi-master

model, i.e. updates can occur in multiple places

at once However, there are several roles that are

necessarily single instance.

These are called the Flexible Single Master

Operations (FSMO sometimes pronounced "fizz-mo")roles are also known as operations master roles.


26/43


FSMO RolesRole Name Scope Description

Schema

Master1 per forest Controls updates to the Schema

Domain

Naming

Master

1 per forest Controls the addition and removal of domains from the forest

PDC

Emulator1 per domain

Provides backwards compatibility for NT4 clients for PDC

operations (like password changes). The PDCs also runs

domain specific processes such as the Security Descriptor

Propagator (SDPROP), and is the master time server withinthe domain.

RID Master 1 per domainAllocates pools of unique identifier to domain controllers for use

when creating objects

Infrastructure

Master1 per domain

Synchronizes cross-domain group membership changes. The

infrastructure master cannot run on a global catalog server

(unless all DCs are also GCs.)


27/43


Naming: AD supports Universal Naming Convention (UNC) (\),

Uniform Resource Locator(URL) (/), and LightweightDirectory Application Protocol (LDAP) URL names for

object access. Naming conventions include:

Distinguished name.

Common name.

Canonical name.

Relative distinguished name.

Globally unique identifier.

User principal name.


28/43


Naming Every object has a Distinguishedname (DN)

For example:

A printer object called HPLaser3 in the OU Marketingand the domain Kemu.ac.ke, would have the DN:

CN=HPLaser3,OU=Marketing,DC=kemu,DC=ac.ke

Where:

CN is common name and DC is domain object class

DNs can have many more than four parts.


29/43


Naming An object can also have a Canonicalname,

A canonical name is essentially the DN in

reverse, without identifiers, and using slashes:foo.org/Marketing/HPLaser3.

To identify the object within its container the

Relative distinguishedname (RDN) is used:CN=HPLaser3.


30/43


Naming

Each object also has a Globally UniqueIdentifier(GUID)

This is a unique and unchanging 128-bit stringwhich is used by AD for search andreplication.

Certain objects also have a User

principalname (UPN) an objectname@domain name form.


31/43


Trust:

AD uses trusts to allow users in one

domain to access resources in another.

Trusts inside a forest are automatically

created when domains are created.

The forest sets the default boundaries of trust,

not the domain, and implicit, transitive trust isautomatic for all domains within a forest.


32/43


33/43


Trust

Shortcut- joins two domains in different

trees. Transitive, one- or two-way

Forest- transitive, one- or two-way,

Realm - transitive or nontransitive, one- or

two-way

External - nontransitive, one- or two-way


34/43


Trust terminology

One way trust - When one domain allows

access to users on another domain, but the

other domain does not allow access to users onthe first domain.

Two way trust - When two domains allow

access to users on the other domain.

Trusting domain - The domain that allows

access to users from a trusted domain.


35/43


Trusts terminology

Trusted domain - The domain that istrusted; whose users have access to a

trusting domain. Transitive trust - A trust that can extend

beyond two domains to other trusteddomains in the tree.

Intransitive trust - A one way trust thatdoes not extend beyond two domains.


36/43


Trusts terminology

Explicit trust - A trust that an administrator

creates.

It is not transitive and is one way only.

Cross link trust - An explicit trust between

domains in different trees or in the same tree

when a descendant/ancestor(child/parent)

relationship does not exist between the twodomains.


37/43


Trust

Windows 2000 - supports the following

types of trusts:

Two way transitive trusts.

One way non transitive trusts.

Additional trusts can be created by

administrators. These trusts can be: Shortcut


38/43


Trust

Windows 2003 offers a new trust type: The forest root trust.

This type of trust can be used to connectWindows 2003 forests if they are operating atthe 2003 forest functional level.

Authentication across this type of trust is

Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the

domains in the forests that are trusted.


39/43


ADAM:

Active Directory Application Mode (ADAM)

is a light-weight implementation of Active

Directory.

ADAM is capable of running as a service,

on computers running Microsoft Windows

Server 2003 or Windows XP Professional.


40/43


ADAM v/s AD

ADAM shares the code base with Active

Directory and provides the same

functionality as Active Directory, includingan identical API

However, ADAM does not require the

creation of domains or domain controllers.


41/43


ADAM v/s AD

Like Active Directory, ADAM provides a Data

Store, which is a hierarchical datastore for

storage of directory data, a DirectoryServicewith an LDAP DirectoryService Interface.

Unlike Active Directory, however, multiple ADAM

instances can be run on the same server, with

each instance having its own unique data store,service name, and description.


42/43


ADAM data store

The data store in ADAM is divided into logicalpartitions: Configuration Partition - This partition holds

configuration information about the particular ADAMinstance.

Schema Partition - This partition holds the definitionsfor the type of data that can be held by the data store.This is helpful in maintaining data consistency.

Application Partition - This partition hold data that isstored and required by applications making use ofADAM directory service.


43/43


Practical exercise 3:

Configuring active directory service.

cisy 331 lecture5 active directory service

Documents