cisy 331 lecture5 active directory service
TRANSCRIPT
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
1/43
CISY 331CISY 331
NetworkNetworkAdministration 1Administration 1
LECTURE 5:Windows Active Directory
Service
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
2/43
CISY 331: Network Administration 1 2Feb_09: Lecture5
Lecture 5: Scope:
Windows Active directory service
Goal:
Define active directory.
Examine the structure of AD
Discuss trusts as used in AD
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
3/43
CISY 331: Network Administration 1 3Feb_09: Lecture5
Active Directory Service Active Directory (definition) is a directory
service used to store information about the
network resources across a domain.
It is an implementation of lightweight
directory access protocol (LDAP) directory
services by Microsoft for use primarily inWindows environments.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
4/43
CISY 331: Network Administration 1 4Feb_09: Lecture5
Active Directory Service Its main purpose is to provide central
authentication and authorization services
for Windows based computers.
Active Directory also allows administrators
to assign policies, deploy software, and
apply critical updates to an organization.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
5/43
CISY 331: Network Administration 1 5Feb_09: Lecture5
Active directoryActive Directory was previewed in 1996,
released first with Windows 2000 Server
edition, and revised to extend functionalityand improve administration in WindowsServer 2003.
Additional improvements were made inboth Windows Server 2003 R2 andWindows Server 2008.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
6/43
CISY 331: Network Administration 1 6Feb_09: Lecture5
Active directory Microsoft Active Directory Domain Services are
the foundation for distributed networks built on
Windows 2000 Server, Windows Server 2003and Microsoft Windows Server 2008 operatingsystems that use domain controllers.
Active Directory Domain Services provide
secure, structured, hierarchical data storage forobjects in a network such as users, computers,printers, and services.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
7/43
CISY 331: Network Administration 1 7Feb_09: Lecture5
Active Directory ServiceActive Directory Domain Services provide
support for locating and working with these
objects.
Active Directory stores information and
settings in a central database.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
8/43
CISY 331: Network Administration 1 8Feb_09: Lecture5
Active directory Active Directory networks can vary from a small
installation with a few hundred objects, to a large
installation with millions of objects. Windows 2000 Server and later operating
systems provide a user interface for users and
administrators to work with the objects and data
in Active Directory Domain Services.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
9/43
CISY 331: Network Administration 1 9Feb_09: Lecture5
Active directory structureObjects:
An Active Directory (AD) structure is a
hierarchical framework of objects. The
objects fall into three broad categories:
Resources (e.g. printers),
Services (e.g. e-mail) and
Users (user accounts and groups).
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
10/43
CISY 331: Network Administration 1 10Feb_09: Lecture5
Active directory structure The AD provides information on the
objects, organizes the objects, controls
access and sets security. Each object represents a single entity (a
user, a computer, a printer, or a group)and its attributes.
Certain objects can also be containers ofother objects.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
11/43
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
12/43
CISY 331: Network Administration 1 12Feb_09: Lecture5
Active directory structure Each attribute object can be used in several
different schema class objects.
These schema objects exist to allow the schemato be extended or modified when necessary.
However, because each schema object isintegral to the definition of AD objects,
deactivating or changing these objects can haveserious consequences because it willfundamentally change the structure of AD itself.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
13/43
CISY 331: Network Administration 1 13Feb_09: Lecture5
Active Directory StructureA schema object, when altered, will
automatically propagate through Active
Directory and once it is created it can onlybe deactivated not deleted.
Changing the schema usually requires a
fair amount of planning.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
14/43
CISY 331: Network Administration 1 14Feb_09: Lecture5
Forests, trees, and domains The framework that holds the objects is viewed
at a number of levels (three);
Forest Tree
Domain.
At the top of the structure is the Forest
Consist of the collection of every object, its attributes
and rules (attribute syntax) in the AD.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
15/43
CISY 331: Network Administration 1 15Feb_09: Lecture5
Forest, trees, and domain The forest holds one or more transitive,
trust-linked Trees.
A tree holds one or more Domain and
domain trees, linked in a transitive trust
hierarchy.
Domains are identified by their DNS namestructure, the namespace.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
16/43
CISY 331: Network Administration 1 16Feb_09: Lecture5
Organizational units The objects held within a domain can be
grouped into containers called OrganizationalUnits (OUs).
OUs give a domain a hierarchy, ease itsadministration, and can give a semblance of thestructure of the AD's company in organizationalor geographical terms.
OUs can contain OUs - indeed, domains arecontainers in this sense - and can hold multiplenested OUs.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
17/43
CISY 331: Network Administration 1 17Feb_09: Lecture5
Organizational units Microsoft recommends as few domains as possible in
AD and a reliance on OUs to produce structure andimprove the implementation of policies and
administration. The OU is the common level at which to apply group
policies.
Policies can also be applied to domains or sites
The OU is the level at which administrative powers arecommonly delegated. Granular delegation can be also performed on individual objects
or attributes as well.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
18/43
CISY 331: Network Administration 1 18Feb_09: Lecture5
Sites: AD also supports the creation ofSites.
Sites are physical, rather than logical, groupings
defined by one or more IP subnets. Sites distinguish between locations connected
by low-speed (e.g. WAN, VPN) and high-speed(e.g. LAN) connections.
Sites are independent of the domain and OUstructure and are common across the entireforest.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
19/43
CISY 331: Network Administration 1 19Feb_09: Lecture5
Sites Sites are used to control network traffic
generated by replication and also to refer
clients to the nearest domain controllers.
Exchange 2007 also uses the site
topology for mail routing.
Policies can also be applied at the sitelevel.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
20/43
CISY 331: Network Administration 1 20Feb_09: Lecture5
Active Directory Database The AD database is split into different
stores orpartitions.
Microsoft often refers to these partitions as'naming contexts'.
They include:
The 'Schema' partition The 'Configuration' partition
The 'Domain partition
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
21/43
CISY 331: Network Administration 1 21Feb_09: Lecture5
AD Database The 'Schema'partition contains the definition of
object classes and attributes within the Forest.
The 'Configuration'partition, containsinformation on the physical structure and
configuration of the forest (such as the site
topology).
The 'Domain'partition holds all objects created
in a given domain.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
22/43
CISY 331: Network Administration 1 22Feb_09: Lecture5
AD Database The schema and configuration partitions
replicate to all domain controllers in a
Forest. The Domain partition replicates only to
Domain Controllers within its domain.
A subset of objects in the domain partitionare also replicated to domain controllersthat are configured as global catalogs.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
23/43
CISY 331: Network Administration 1 23Feb_09: Lecture5
Global catalogue Global catalog (GC) servers are used to provide
a global listing of all objects in the Forest.
The Global catalog is held on domain controllersconfigured as global catalog servers.
Global Catalog servers replicate to themselves
all objects from all domains and hence, provide
a global listing of objects in the forest.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
24/43
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
25/43
CISY 331: Network Administration 1 25Feb_09: Lecture5
FSMO Roles: AD domain controllers operate in a multi-master
model, i.e. updates can occur in multiple places
at once However, there are several roles that are
necessarily single instance.
These are called the Flexible Single Master
Operations (FSMO sometimes pronounced "fizz-mo")roles are also known as operations master roles.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
26/43
CISY 331: Network Administration 1 26Feb_09: Lecture5
FSMO RolesRole Name Scope Description
Schema
Master1 per forest Controls updates to the Schema
Domain
Naming
Master
1 per forest Controls the addition and removal of domains from the forest
PDC
Emulator1 per domain
Provides backwards compatibility for NT4 clients for PDC
operations (like password changes). The PDCs also runs
domain specific processes such as the Security Descriptor
Propagator (SDPROP), and is the master time server withinthe domain.
RID Master 1 per domainAllocates pools of unique identifier to domain controllers for use
when creating objects
Infrastructure
Master1 per domain
Synchronizes cross-domain group membership changes. The
infrastructure master cannot run on a global catalog server
(unless all DCs are also GCs.)
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
27/43
CISY 331: Network Administration 1 27Feb_09: Lecture5
Naming: AD supports Universal Naming Convention (UNC) (\),
Uniform Resource Locator(URL) (/), and LightweightDirectory Application Protocol (LDAP) URL names for
object access. Naming conventions include:
Distinguished name.
Common name.
Canonical name.
Relative distinguished name.
Globally unique identifier.
User principal name.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
28/43
CISY 331: Network Administration 1 28Feb_09: Lecture5
Naming Every object has a Distinguishedname (DN)
For example:
A printer object called HPLaser3 in the OU Marketingand the domain Kemu.ac.ke, would have the DN:
CN=HPLaser3,OU=Marketing,DC=kemu,DC=ac.ke
Where:
CN is common name and DC is domain object class
DNs can have many more than four parts.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
29/43
CISY 331: Network Administration 1 29Feb_09: Lecture5
Naming An object can also have a Canonicalname,
A canonical name is essentially the DN in
reverse, without identifiers, and using slashes:foo.org/Marketing/HPLaser3.
To identify the object within its container the
Relative distinguishedname (RDN) is used:CN=HPLaser3.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
30/43
CISY 331: Network Administration 1 30Feb_09: Lecture5
Naming
Each object also has a Globally UniqueIdentifier(GUID)
This is a unique and unchanging 128-bit stringwhich is used by AD for search andreplication.
Certain objects also have a User
principalname (UPN) an objectname@domain name form.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
31/43
CISY 331: Network Administration 1 31Feb_09: Lecture5
Trust:
AD uses trusts to allow users in one
domain to access resources in another.
Trusts inside a forest are automatically
created when domains are created.
The forest sets the default boundaries of trust,
not the domain, and implicit, transitive trust isautomatic for all domains within a forest.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
32/43
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
33/43
CISY 331: Network Administration 1 33Feb_09: Lecture5
Trust
Shortcut- joins two domains in different
trees. Transitive, one- or two-way
Forest- transitive, one- or two-way,
Realm - transitive or nontransitive, one- or
two-way
External - nontransitive, one- or two-way
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
34/43
CISY 331: Network Administration 1 34Feb_09: Lecture5
Trust terminology
One way trust - When one domain allows
access to users on another domain, but the
other domain does not allow access to users onthe first domain.
Two way trust - When two domains allow
access to users on the other domain.
Trusting domain - The domain that allows
access to users from a trusted domain.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
35/43
CISY 331: Network Administration 1 35Feb_09: Lecture5
Trusts terminology
Trusted domain - The domain that istrusted; whose users have access to a
trusting domain. Transitive trust - A trust that can extend
beyond two domains to other trusteddomains in the tree.
Intransitive trust - A one way trust thatdoes not extend beyond two domains.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
36/43
CISY 331: Network Administration 1 36Feb_09: Lecture5
Trusts terminology
Explicit trust - A trust that an administrator
creates.
It is not transitive and is one way only.
Cross link trust - An explicit trust between
domains in different trees or in the same tree
when a descendant/ancestor(child/parent)
relationship does not exist between the twodomains.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
37/43
CISY 331: Network Administration 1 37Feb_09: Lecture5
Trust
Windows 2000 - supports the following
types of trusts:
Two way transitive trusts.
One way non transitive trusts.
Additional trusts can be created by
administrators. These trusts can be: Shortcut
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
38/43
CISY 331: Network Administration 1 38Feb_09: Lecture5
Trust
Windows 2003 offers a new trust type: The forest root trust.
This type of trust can be used to connectWindows 2003 forests if they are operating atthe 2003 forest functional level.
Authentication across this type of trust is
Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the
domains in the forests that are trusted.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
39/43
CISY 331: Network Administration 1 39Feb_09: Lecture5
ADAM:
Active Directory Application Mode (ADAM)
is a light-weight implementation of Active
Directory.
ADAM is capable of running as a service,
on computers running Microsoft Windows
Server 2003 or Windows XP Professional.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
40/43
CISY 331: Network Administration 1 40Feb_09: Lecture5
ADAM v/s AD
ADAM shares the code base with Active
Directory and provides the same
functionality as Active Directory, includingan identical API
However, ADAM does not require the
creation of domains or domain controllers.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
41/43
CISY 331: Network Administration 1 41Feb_09: Lecture5
ADAM v/s AD
Like Active Directory, ADAM provides a Data
Store, which is a hierarchical datastore for
storage of directory data, a DirectoryServicewith an LDAP DirectoryService Interface.
Unlike Active Directory, however, multiple ADAM
instances can be run on the same server, with
each instance having its own unique data store,service name, and description.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
42/43
CISY 331: Network Administration 1 42Feb_09: Lecture5
ADAM data store
The data store in ADAM is divided into logicalpartitions: Configuration Partition - This partition holds
configuration information about the particular ADAMinstance.
Schema Partition - This partition holds the definitionsfor the type of data that can be held by the data store.This is helpful in maintaining data consistency.
Application Partition - This partition hold data that isstored and required by applications making use ofADAM directory service.
-
8/8/2019 CISY 331 Lecture5 Active Directory Service
43/43
CISY 331: Network Administration 1 43Feb_09: Lecture5
Practical exercise 3:
Configuring active directory service.