Microsoft Confidential
Zelko Kecman
Microsoft Windows 2000 Server Directory Services
[Diagram: Windows NT domains at Asia, Europe, Chicago, San Diego and Boston. Legend: Windows NT Domain = Partition Boundary; Domain Controller = Partition Replica]
Active Directory Design Goals
- Must meet enterprise requirements
- Scalability with minimum complexity
- Built on Internet standards
- Security through simplicity
- Enable incremental upgrade and migration
- Work well with existing directory investments
- Flexibility to support organizational change
Active Directory Delivers
- User and Network Management: users and organization management; user device management
- Authentication and Authorization Services: protect data and facilitate access; based on Internet technologies
- Directory Management: directory consolidation; directory synchronization
- Infrastructure Services: directory-enabled networking; directory-enabled services
- Application Management: publish server locations for client lookup; policy-based application configuration
Simplify User And Network Management
[Diagram: directory tree with Root; Users, Machines, Applications; Marketing, Personnel; Devices]
- Give ‘Personnel’ members the HR application
- Color printer in Building 6
- Delegate management tasks to office admins
Users and organization management; user device management
Provide Security Services
[Diagram: directory tree with Root; Users, Machines, Applications; Marketing, Extranet; Devices]
- Restrict access rights of Extranet users
- Kerberos, X.509, Smart Card, PKI Certificates
Protect data while facilitating access; based on Internet technologies
Simplify Directory Management
[Diagram: Users; Marketing, Personnel]
- User Application: store application data on user objects
- Exchange Platinum: consolidated user and mailbox management
- Directory synchronization
Directory consolidation; directory synchronization
Enhanced Infrastructure Services
[Diagram: directory tree with Root; Users, Machines, Applications; Billing, Doctors; Routers]
- Policy: give Doctors more bandwidth than the Billing department
- Publish file shares to facilitate location
Directory-enabled networking; directory-enabled services
Simplified Application Management
[Diagram: directory tree with Root; Users, Machines, Applications; Marketing, Personnel; Devices]
- Policy: give Personnel access to ‘Change Salary’ menu options
- Publish server locations
Publish server locations for client lookup; enable application configuration based on policies and roles
What Is Active Directory?
[Diagram: Active Directory at the centre, connected to:]
- Windows Users: account info, privileges, profiles, policy
- Windows Clients: mgmt profile, network info, policy
- Windows Servers: mgmt profile, network info, services, printers, file shares, policy
Management focal point for: users and resources, security, delegation, policy
What Is Active Directory?
[Diagram: Active Directory at the centre, connected to:]
- Windows Users: account info, privileges, profiles, policy
- Applications: server config, single sign-on, app-specific directory info, policy
- Windows Clients: mgmt profile, network info, policy
- Windows Servers: mgmt profile, network info, services, printers, file shares, policy
- Network Devices: configuration, QoS policy, security policy
- Internet / Firewall Services: configuration, security policy, VPN policy
- Other Directories: white pages, e-commerce
- Other NOS: user registry, security, policy
- E-Mail Servers: mailbox info, address book
Management focal point for: users and resources, security, delegation, policy
The Active Directory
Active Directory - Terms
- Directory is made of Objects
- Objects have Attributes
- Schema is a specific definition of objects and attributes
- Example: User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, ...
Active Directory - Terms
Organizational Unit
- Lowest form of grouping in the Active Directory
- Group Policy can be applied to the Organizational Units
- Can be nested up to 12 levels deep
- Organizational Unit is graphically represented by a circle in the diagrams
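To make the 12-level nesting limit checkable, here is an added example in Python (not part of the deck) that parses a distinguished name into its relative components, honouring backslash-escaped commas so that a value such as "Sales\, EMEA" is not split in two, and reports the OU depth from the domain root downward. The sample DNs, OU names and helper names (split_dn, ou_path, check_ou_depth) are constructed for illustration; only the limit value comes from the slide.

```python
"""Parse an LDAP distinguished name and check organizational-unit nesting depth.

Added example (not from the deck): splits a DN into RDNs while honouring
RFC 2253 backslash escapes, counts the OU levels, and flags trees deeper than
the 12-level limit the slide quotes. All DNs below are constructed.
"""
MAX_OU_DEPTH = 12  # limit stated on the slide


def split_dn(dn):
    """Split on unescaped commas; escapes are kept so values round-trip unchanged."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def rdn_type(rdn):
    """'OU=Sales' -> 'ou'; a component without '=' is malformed."""
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return rdn.split("=", 1)[0].strip().lower()


def ou_path(dn):
    """OU values ordered from the domain root downward (as an admin draws the tree)."""
    ous = [rdn.split("=", 1)[1] for rdn in split_dn(dn) if rdn_type(rdn) == "ou"]
    return list(reversed(ous))


def ou_depth(dn):
    return len(ou_path(dn))


def check_ou_depth(dn, limit=MAX_OU_DEPTH):
    """True when the OU nesting stays within the limit."""
    return ou_depth(dn) <= limit


# Constructed DNs: a plain one, one with an escaped comma, and one nested too deep.
SAMPLE_DNS = [
    "CN=Alice,OU=Personnel,OU=Marketing,DC=na,DC=widgets,DC=org",
    "CN=Printer6,OU=Devices,OU=Sales\\, EMEA,DC=euro,DC=widgets,DC=org",
    "CN=Deep," + ",".join(f"OU=L{i}" for i in range(13)) + ",DC=widgets,DC=org",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(ou_depth(dn), check_ou_depth(dn), ou_path(dn))
```

The escape handling matters because a naive split on commas miscounts levels for any OU whose name contains a comma, so a depth check that skips it would report the wrong answer for exactly the names most likely to exist in a real tree.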
Nice, Artistic View
[Diagram]
More Realistic View
[Diagram: OU tree with Marketing, Finance, R&D, Sales, Admin, Manufacturing and Distribution]
- OUs reflect the corporate organization
- May be geographical and/or business model hierarchy
- Some levels may have children, while others do not
Active Directory - Terms
Domain
- Next hierarchical level above Organizational Units (OUs)
- Is a security boundary in the Active Directory
- OU properties are inherited within a domain only - not across domains
- Provides a replication boundary
- Represented by a triangle in the Active Directory diagrams
Active Directory - Terms
Domain Tree
- Hierarchically arranged domains created by parent-child relationship
- All domains within a domain tree share the same root namespace
- Users can search for all information within the Domain Tree
- Schema is the same within the Domain Tree
Active Directory - Terms
Global Catalog
- Contains a partial replica of the information contained within each of the domains
- Network administrator designates which objects and attributes get placed in the Global Catalog
- Allows for fast searching of the key information in the AD, without hitting all of the domains
- Reduces replication overhead
[Diagram: Domain Schema versus Global Catalog]
Domain Schema
- User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires, ...
- Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size
Global Catalog
- User Account: Name, Title, Manager, Office Location, Phone
- Printer: Name, Mfr, Model, Color, Duplex
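The two slides above describe the Global Catalog as a partial replica whose attribute set is chosen by the administrator. The following added example in Python (not from the deck) models that: a per-class schema, a designated partial attribute set matching the slide's Global Catalog columns, and a function that builds the forest-wide catalog from two constructed domains so that a search is answered from the catalog rather than by querying each domain. The object data, domain names and function names (build_global_catalog, search_gc, replication_savings) are constructed for illustration.

```python
"""Build a Global Catalog partial replica from per-domain object stores.

Added example (not from the deck): the GC holds a copy of every domain's objects
restricted to the attributes an administrator designates. Schema, attribute sets,
domains and objects below are constructed to mirror the slide.
"""

# Constructed schema: object class -> full attribute list held in the domain.
SCHEMA = {
    "User Account": ["Name", "Title", "Manager", "Office Location", "Phone",
                     "Division", "Cost Center Code", "Certification Expires"],
    "Printer": ["Name", "Mfr", "Model", "Color", "Duplex", "Asset #", "Paper Size"],
}

# Partial attribute set designated by the administrator (the slide's GC columns).
PARTIAL_ATTRIBUTE_SET = {
    "User Account": ["Name", "Title", "Manager", "Office Location", "Phone"],
    "Printer": ["Name", "Mfr", "Model", "Color", "Duplex"],
}


def validate_object(obj_class, attrs):
    """Reject attributes the schema does not define for this class."""
    unknown = set(attrs) - set(SCHEMA[obj_class])
    if unknown:
        raise ValueError(f"{obj_class}: attributes not in schema: {sorted(unknown)}")


def project(obj_class, attrs, pas=PARTIAL_ATTRIBUTE_SET):
    """Keep only the attributes designated for the GC; the rest stay in the domain."""
    return {k: v for k, v in attrs.items() if k in pas.get(obj_class, [])}


def build_global_catalog(domains, pas=PARTIAL_ATTRIBUTE_SET):
    """domains: {domain_name: [(obj_class, dn, attrs), ...]} -> list of GC entries."""
    gc = []
    for domain, objects in domains.items():
        for obj_class, dn, attrs in objects:
            validate_object(obj_class, attrs)
            gc.append({"domain": domain, "class": obj_class, "dn": dn,
                       "attrs": project(obj_class, attrs, pas)})
    return gc


def search_gc(gc, attr, value):
    """Forest-wide lookup against the partial replica; no per-domain queries."""
    return [e for e in gc if e["attrs"].get(attr) == value]


def replication_savings(domains, pas=PARTIAL_ATTRIBUTE_SET):
    """Number of attribute values the GC does not carry, i.e. replication avoided."""
    full = sum(len(a) for objs in domains.values() for _, _, a in objs)
    partial = sum(len(e["attrs"]) for e in build_global_catalog(domains, pas))
    return full - partial


# Constructed sample data for two domains of one forest.
DOMAINS = {
    "na.widgets.org": [
        ("User Account", "CN=Alice,OU=Personnel,DC=na,DC=widgets,DC=org",
         {"Name": "Alice", "Title": "HR Lead", "Manager": "Bob",
          "Office Location": "Building 6", "Phone": "555-0100",
          "Division": "Corporate", "Cost Center Code": "CC-100"}),
    ],
    "euro.widgets.org": [
        ("Printer", "CN=Color6,OU=Devices,DC=euro,DC=widgets,DC=org",
         {"Name": "Color6", "Mfr": "ExampleCo", "Model": "X1", "Color": "yes",
          "Duplex": "no", "Asset #": "A-42", "Paper Size": "A4"}),
    ],
}

if __name__ == "__main__":
    catalog = build_global_catalog(DOMAINS)
    for entry in catalog:
        print(entry["domain"], entry["class"], entry["attrs"])
    print("attribute values not replicated to the GC:", replication_savings(DOMAINS))
```

The projection step is where the design trade-off lives: every attribute added to the partial attribute set is replicated to every Global Catalog server in the forest, so the set should be limited to what forest-wide searches actually need.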
Global Catalog / Domain Tree
- The GC in each domain has a pointer to its own domain information (which is complete)
- Plus it has partial information from all of the other domains in the tree (or forest)
Q: What is a group of Domain Trees?
Answer: A Forest
Active Directory - Terms
Forest
- A joined set of Domain Trees that: use the same schema; share the same Global Catalog; are joined by Kerberos trust
- Very useful for groups of subsidiary companies that want autonomy in administrative roles
- Provides for multiple public Internet names (microsoft.com, msnbc.com, etc.)
Active Directory - Terms
Site
- Relates directly to the network topology and network connectivity
- Defined as an area of “good” network connectivity
- Primarily affects: user logon, distributed file system; replication traffic
- Site boundaries are independent of domain boundaries
Defining Sites
- Sites are areas of “good” network connectivity, defined by IP subnets
- Current thinking is a T1 (1.5 Mb/s) link or higher
- Intra-site replication takes place automatically via RPC
- Inter-site replication is configured by the network administrator: time of day, frequency
Sites
- Controls replication
- Controls client locating DCs
- Where to locate GC servers
- Applications can be site aware - DFS
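Since sites are defined by IP subnets, the following added example in Python (not from the deck) shows the lookup a client-to-site mapping performs: given a constructed subnet-to-site table it maps a client address to its site by longest prefix match, which is also how a more specific subnet carved out of a larger one wins, and it reports clients that fall in no defined subnet at all. The site names, subnets and function names (compile_subnets, site_for_ip, unassigned_clients) are constructed for illustration.

```python
"""Map a client IP address to an Active Directory site by IP subnet.

Added example (not from the deck): picks the most specific (longest-prefix)
subnet that contains the address. Site names and subnets are constructed.
"""
import ipaddress

# Constructed site-to-subnet table, as an administrator might define it.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Chicago",
    "10.1.200.0/24": "Chicago-Lab",    # more specific carve-out inside Chicago
    "10.2.0.0/16": "San Diego",
    "10.3.0.0/16": "Boston",
    "192.0.2.0/24": "Asia",
    "198.51.100.0/24": "Europe",
}


def compile_subnets(table):
    """Parse the table once; strict=True rejects a CIDR whose host bits are set."""
    return [(ipaddress.ip_network(cidr, strict=True), site) for cidr, site in table.items()]


def site_for_ip(ip, subnets):
    """Return the site of the longest matching subnet, or None if the address is unassigned."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in subnets:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def unassigned_clients(ips, subnets):
    """Clients in no site: they get no topology hint and may pick a distant DC."""
    return [ip for ip in ips if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    nets = compile_subnets(SUBNET_TO_SITE)
    for ip in ["10.1.5.7", "10.1.200.9", "10.2.1.1", "172.16.0.1"]:
        print(ip, "->", site_for_ip(ip, nets))
    print("unassigned:", unassigned_clients(["10.1.5.7", "172.16.0.1"], nets))
```

The unassigned case is the one worth watching operationally: a client whose subnet is missing from the table is not placed in any site, so the locator cannot prefer a nearby domain controller for it, and logon and DFS referrals may cross the slow links the site design was meant to protect.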
Sites - Intra Domain
[Diagram]
Domain Name System (DNS)
- Windows 2000 DNS owns the root
- Windows 2000 DNS owns a delegated sub-domain
- No Windows 2000 DNS implemented
DNS Integration Choices: Windows 2000 owns the root
Pros
- No dependency on existing DNS servers
- No AD integration testing required
- Multi-master replication with AD-based DNS
- A shorter familiar name is more user friendly
Cons
- Requires effort to replace existing DNS servers
[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org, asia.widgets.org]
DNS Integration Choices: Delegated sub-domain
Pros
- Requires no upgrade to existing DNS servers
- Minimizes dependency of Active Directory on existing DNS servers
Cons
- Names are longer
- The added component is arbitrary, therefore unmemorable
- Continued dependency on existing DNS servers
[Diagram: widgets.org delegates w2k.widgets.org, with child domains na.w2k.widgets.org, euro.w2k.widgets.org, asia.w2k.widgets.org]
DNS Integration Choices: No Windows 2000 DNS
Pros
- No political change
Cons
- Single point of failure for dynamic registrations
- Must upgrade servers to support SRV records (RFC 2052)
- Must manually enter contents of NETLOGON.DNS if no support for DDNS (RFC 2136)
- Must perform integration testing with MS DHCP server
- More integration testing with third-party server
[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org, asia.widgets.org]
DNS Naming considerations
- Use Internet-standard characters: ‘A’-‘Z’, ‘a’-‘z’, ‘0’-‘9’, and ‘-’ (RFC 1123); Microsoft DNS supports a wider range
- Users not exposed to domain names: e-mail style login name does not have to be related to domain name; most interaction is query to global catalog
- Admins exposed to domain names
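To turn the RFC 1123 rule into a check, the following added example in Python (not from the deck) validates each label of a DNS name and explains why a name fails. Its strict mode implements RFC 1123 (letters, digits and hyphen, no leading or trailing hyphen, labels of at most 63 characters); a looser mode tolerates underscores as an illustration of the wider character range the slide attributes to Microsoft DNS, and is an assumption about that range rather than a statement of Microsoft's exact rules. Sample names and function names (check_name, is_internet_standard) are constructed.

```python
"""Check DNS domain names against the RFC 1123 character rules.

Added example (not from the deck). Strict mode is RFC 1123; the loose mode
tolerates underscores to illustrate a non-standard wider range. The sample names
are constructed.
"""
import re

# RFC 1123 label: starts and ends with a letter or digit, hyphens allowed inside, 1-63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Loose variant (assumption, not RFC): also accepts underscores anywhere in a label.
LOOSE_LABEL_RE = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

MAX_NAME_LEN = 253   # longest textual name that fits the DNS wire limit
MAX_LABEL_LEN = 63


def check_name(name, allow_underscore=False):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    n = name[:-1] if name.endswith(".") else name   # tolerate a trailing root dot
    if not n:
        return ["empty name"]
    if len(n) > MAX_NAME_LEN:
        problems.append(f"name longer than {MAX_NAME_LEN} characters")
    pattern = LOOSE_LABEL_RE if allow_underscore else LABEL_RE
    for label in n.split("."):
        if label == "":
            problems.append("empty label (consecutive or leading dot)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label too long: {label[:10]}...")
        elif not pattern.match(label):
            problems.append(f"label {label!r} uses characters outside RFC 1123")
    return problems


def is_internet_standard(name):
    """True only when the name passes the strict RFC 1123 check."""
    return not check_name(name)


# Constructed sample names covering the cases the checker distinguishes.
SAMPLES = ["widgets.org", "na.w2k.widgets.org", "r_and_d.widgets.org",
           "-lab.widgets.org", "finance.widgets.org.", "acme corp.local"]

if __name__ == "__main__":
    for s in SAMPLES:
        strict = check_name(s) or "ok"
        loose = check_name(s, allow_underscore=True) or "ok"
        print(f"{s:24} strict={strict}  loose={loose}")
```

Running the strict check over the names in a proposed namespace before the upgrade catches the names that a non-Microsoft DNS server, or a client resolver that enforces RFC 1123, would refuse later.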
DNS Requirements: The Locator
- Domain controllers dynamically register Service Location records
  - SRV resource record (RFC 2052)
  - Maps (service) --> (hosts offering service)
  - General rendezvous mechanism
  - Analogous to SMTP and the MX record
- NETLOGON service sends updates: dynamic update protocol (RFC 2136)
DNS Requirements: Locator records
- SRV records are named like ldap.tcp.<domain name>., e.g. ldap.tcp.nt.microsoft.com.
- More like that, all ending in <domain name>
- DNS server that owns <domain name> MUST support the SRV record and SHOULD support dynamic update
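The following added example in Python (not from the deck) shows what a client does with these records: it parses constructed zone-file lines in the RFC 2052 naming form used on the slide (ldap.tcp.<domain name>), orders the domain controllers by priority, and picks within the lowest-priority group by weight as RFC 2052 specifies. The host names, weights and function names (parse_srv, candidates, weighted_pick, select_target) are constructed. One caveat: RFC 2782, which later obsoleted RFC 2052, prefixes the labels with underscores (_ldap._tcp.<domain name>), and that is the form current Windows locators register; the parser below does not care which form the name uses, only that it matches the lookup name.

```python
"""Parse Service Location (SRV) records and order domain-controller candidates.

Added example (not from the deck): reads constructed zone-file lines, groups them
by priority and applies RFC 2052 weighted selection within a priority group.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "name ttl priority weight port target")

# Constructed zone fragment: three DCs for nt.microsoft.com, the third as a backup.
ZONE_LINES = """
ldap.tcp.nt.microsoft.com.     600 IN SRV 0  60 389 dc1.nt.microsoft.com.
ldap.tcp.nt.microsoft.com.     600 IN SRV 0  40 389 dc2.nt.microsoft.com.
ldap.tcp.nt.microsoft.com.     600 IN SRV 10  0 389 dc3.nt.microsoft.com.
kerberos.tcp.nt.microsoft.com. 600 IN SRV 0 100  88 dc1.nt.microsoft.com.
""".strip().splitlines()


def parse_srv(lines):
    """Return SRV tuples; non-SRV lines are skipped, unqualified names are rejected."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        name, ttl, _, _, prio, weight, port, target = fields
        if not (name.endswith(".") and target.endswith(".")):
            raise ValueError(f"names must be fully qualified: {line!r}")
        records.append(SRV(name.lower(), int(ttl), int(prio), int(weight),
                           int(port), target.lower()))
    return records


def locator_name(service, proto, domain):
    """Build the lookup name in the slide's form: <service>.<proto>.<domain name>."""
    return f"{service}.{proto}.{domain.rstrip('.')}.".lower()


def candidates(records, service, proto, domain):
    """Records for one service, ordered by priority, then by weight descending."""
    want = locator_name(service, proto, domain)
    hits = [r for r in records if r.name == want]
    return sorted(hits, key=lambda r: (r.priority, -r.weight, r.target))


def weighted_pick(group, pick):
    """Return the record whose cumulative weight range contains pick (1-based)."""
    running = 0
    for r in group:
        running += r.weight
        if pick <= running:
            return r
    return group[-1]


def select_target(records, service, proto, domain, rng=random):
    """Lowest-priority group first; weighted random choice inside it (RFC 2052)."""
    ordered = candidates(records, service, proto, domain)
    if not ordered:
        return None                      # no locator records: the domain is unreachable by name
    top = [r for r in ordered if r.priority == ordered[0].priority]
    total = sum(r.weight for r in top)
    if total == 0:                       # all weights zero: any member is acceptable
        return rng.choice(top)
    return weighted_pick(top, rng.randint(1, total))


if __name__ == "__main__":
    recs = parse_srv(ZONE_LINES)
    for r in candidates(recs, "ldap", "tcp", "nt.microsoft.com"):
        print(r.priority, r.weight, r.port, r.target)
    chosen = select_target(recs, "ldap", "tcp", "nt.microsoft.com")
    print("chosen:", chosen.target)
```

The empty result from candidates is the failure mode the "MUST support the SRV record" line is about: a DNS server that cannot serve SRV records returns nothing for the locator name, and the client has no list of domain controllers to choose from at all.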
Upgrading Windows NT 4.0
- Start with Windows NT 4.0 domains
- Implement Mixed mode domains
- Migrate over time to Native mode domains
Summary
- Active Directory terms
- Plan your domains: OUs, Group Policy; sites, Global Catalog, DNS
- Plan the upgrade
- Review the plan