module 1 - introduction to active directory (1)
TRANSCRIPT
8/8/2019 Module 1 - Introduction to Active Directory (1)

Slide 1/41: Module 1: Introduction to Active Directory

Slide 2/41: Overview
Introduction to Active Directory
Active Directory Logical Structure
Role of DNS in Active Directory
Active Directory Physical Structure
Methods for Administering a Windows 2000 Network

Slide 3/41: Introduction to Active Directory
What Is Active Directory?
Active Directory Objects
Active Directory Schema
Lightweight Directory Access Protocol (LDAP)

Slide 4/41: What Is Active Directory?
Directory service functionality: organize, manage, and control network resources
Centralized management:
  Single point of administration
  Full user access to directory resources by a single logon

Slide 5/41: Active Directory Objects
Objects represent network resources
Attributes store information about an object
[Figure: an Active Directory containing Users (Suzan Fine, Don Hall) and Printers (Printer1, Printer2, Printer3); user attributes include First Name, Last Name and Logon Name, printer attributes include Printer Name and Printer Location, and each attribute holds a value]

Slide 6/41: Active Directory Schema
Object class examples: Printers, Computers, Users
Attributes of Users might contain: accountExpires, department, distinguishedName, middleName
Attribute examples (list of attributes): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName
The Active Directory schema is:
  Dynamically available
  Dynamically updateable
  Protected by DACLs

Slide 7/41: DNS and Active Directory Namespaces
[Figure: the DNS namespace (Internet root "." > com > microsoft > sales and training, with computer1 under training) beside the Active Directory namespace (microsoft.com > sales.microsoft.com and training.microsoft.com); legend: DNS node (domain or computer), Active Directory domain]

Slide 8/41: Lightweight Directory Access Protocol (LDAP)
LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
LDAP naming paths include:
  Distinguished names, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
  Relative distinguished names, for example Suzan Fine
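As an added example (not part of the course slides), a small Python parser for LDAP distinguished names in the RFC 4514 string form: it splits the distinguished name above into its relative distinguished names, recovers the parent container, and maps the DC= components to the DNS domain name that the DNS and Active Directory namespaces share. The escape handling goes a little beyond the slide's example so that a name containing a comma (for example a "Last, First" common name) round-trips correctly.

```python
"""LDAP distinguished-name helpers (added example, not course material).
RFC 4514 string form: RDNs separated by commas, each "type=value", with a
backslash escaping a special character in a value, e.g. "Fine\\, Suzan"."""
import re
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attributeType, value) pairs, leaf object first."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr_type, i = "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character is literal
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not attr_type:      # first unescaped '=' ends the type
            attr_type, buf = "".join(buf).strip(), []
        elif ch == ",":                      # unescaped ',' ends the RDN
            rdns.append((attr_type, "".join(buf).strip()))
            attr_type, buf = "", []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr_type, "".join(buf).strip()))
    if any(not t for t, _ in rdns):
        raise ValueError(f"RDN without '=' in {dn!r}")
    return rdns

def escape_value(value: str) -> str:
    """Re-escape a value so it can be joined back into a DN string."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def relative_dn(dn: str) -> str:
    """The RDN names the object relative to its parent container."""
    t, v = parse_dn(dn)[0]
    return f"{t}={escape_value(v)}"

def parent_dn(dn: str) -> str:
    """The container's DN: everything after the leaf RDN."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in parse_dn(dn)[1:])

def dns_domain(dn: str) -> str:
    """DC= components, leaf first, spell the DNS name of the AD domain."""
    return ".".join(v for t, v in parse_dn(dn) if t.upper() == "DC")

def domain_dn(dns_name: str) -> str:
    """The reverse mapping: contoso.msft -> DC=contoso,DC=msft."""
    return ",".join(f"DC={escape_value(x)}" for x in dns_name.split("."))
```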

Slide 9/41: Active Directory Logical Structure
Domains
Organizational Units
Trees and Forests
Global Catalog

Slide 10/41: Domains
A domain is a security boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A domain is a unit of replication: domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Figure: Windows 2000 domain controllers replicating within a domain]

Slide 11/41: Organizational Units
[Figure: an organizational structure (Sales, with Vancouver and Repair; Users and Computers) mirrored as a network administrative model of OUs]
Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups

Slide 12/41: Trees and Forests
[Figure: a forest of two trees. Tree 1: contoso.msft with child domains au.contoso.msft and asia.contoso.msft. Tree 2: nwtraders.msft with child domains au.nwtraders.msft and asia.nwtraders.msft. Parent and child domains within each tree are linked by two-way transitive trusts, and the two tree root domains are linked by a two-way transitive trust]

Slide 13/41: Global Catalog
[Figure: a global catalog server holds the global catalog, a subset of the attributes of all objects in every domain of the forest; it answers queries and supplies group membership when a user logs on]

Slide 14/41: Introduction to the Role of DNS in Active Directory
Name resolution
  DNS translates computer names to IP addresses
  Computers use DNS to locate each other on the network
Naming convention for Windows 2000 domains
  Windows 2000 uses DNS naming standards for domain names
  DNS domains and Active Directory domains share a common hierarchical naming structure
Locating the physical components of Active Directory
  DNS identifies domain controllers by the services they provide
  Computers use DNS to locate domain controllers and global catalog servers

Slide 15/41: DNS Host Names and Windows 2000 Computer Names
DNS host record and Active Directory object represent the same physical computer
DNS allows computers to locate domain controllers within Active Directory
[Figure: the DNS tree "." > com > microsoft > sales and training > computer1, beside the Active Directory domain training.microsoft.com with its Builtin and Computers containers (Computer1, Computer2)]
FQDN = computer1.training.microsoft.com
Windows 2000 Computer Name = Computer1

Slide 16/41: DNS Requirements for Active Directory
DNS requirements to support Active Directory:
  Support for SRV records (mandatory)
  Support for the dynamic update protocol (recommended)
  Support for incremental zone transfers (recommended)
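The locator process behind "DNS identifies domain controllers by the services they provide", as an added Python example (not course material): a client resolves the well-known SRV names _ldap._tcp.dc._msdcs.<domain> and _gc._tcp.<forest root>, then chooses a server the way RFC 2782 specifies, lowest priority first and at random in proportion to weight within that tier. The zone data is constructed and no real DNS query is made; the seeded RNG only makes the demonstration repeatable.

```python
"""DC locator via DNS SRV records (added example, not course material).
Clients resolve well-known SRV names and choose a target as RFC 2782
specifies: lowest priority first, then at random in proportion to weight."""
import random
from typing import List, NamedTuple, Optional, Set

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def dc_locator_name(domain: str) -> str:
    """SRV name a client queries to find a domain controller for a domain."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

def gc_locator_name(forest_root: str) -> str:
    """SRV name a client queries to find a global catalog server."""
    return f"_gc._tcp.{forest_root}"

# Constructed zone data standing in for a real DNS server.
ZONE = {
    dc_locator_name("contoso.msft"): [
        SrvRecord(0, 100, 389, "dc1.contoso.msft"),
        SrvRecord(0, 100, 389, "dc2.contoso.msft"),
        SrvRecord(10, 0, 389, "dc3.contoso.msft"),  # used only if the others fail
    ],
    gc_locator_name("contoso.msft"): [SrvRecord(0, 100, 3268, "dc1.contoso.msft")],
}
RNG = random.Random(7)  # seeded so the demonstration is repeatable

def select_target(records: List[SrvRecord], rng: random.Random,
                  unreachable: Optional[Set[str]] = None) -> Optional[SrvRecord]:
    """Pick one server: lowest priority tier, weighted random within it."""
    candidates = [r for r in records if r.target not in (unreachable or set())]
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:                      # all weights zero: any is fine
        return rng.choice(tier)
    roll = rng.randrange(total)
    for rec in tier:
        roll -= rec.weight
        if roll < 0:
            return rec
    return tier[-1]
```

A client that cannot reach the server it picked retries with that target in the unreachable set, which is how the priority-10 backup ever gets used.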

Slide 17/41: What Is a Tree?
[Figure: tree root domain contoso.msft with child domain sales.contoso.msft; a new domain is added as a child of an existing parent domain, so the tree forms a contiguous namespace]

Slide 18/41: What Is a Forest?
[Figure: a forest of two trees, nwtraders.msft (with marketing.nwtraders.msft and sales.nwtraders.msft) and contoso.msft (with sales.contoso.msft)]
All of the domains in a forest share a common configuration, schema, and global catalog
A forest is one or more trees
Trees in a forest do not share a contiguous namespace

Slide 19/41: What Is the Forest Root Domain?
The forest root domain is the first domain created in a forest
[Figure: forest root domain contoso.msft (with sales.contoso.msft) and tree root domain nwtraders.msft (with marketing.nwtraders.msft); the forest root domain is associated with the global catalog, the configuration and schema, and the Enterprise Admins and Schema Admins groups]

Slide 20/41: Characteristics of Multiple Domains
Reduce replication traffic
Maintain separate and distinct security policies between domains
Preserve the domain structure of earlier versions of Windows NT
Separate administrative control

Slide 21/41: Active Directory Physical Structure
Domain Controllers
Sites

Slide 22/41: Domain Controllers
[Figure: two domain controllers in one domain, each holding a writeable copy of the Active Directory database, replicating with each other]
Domain controllers:
  Participate in Active Directory replication
  Perform single master operations roles in a domain

Slide 23/41: Sites
Sites:
  Optimize replication traffic
  Enable users to log on to a domain controller by using a reliable, high-speed connection
[Figure: a site is made up of one or more IP subnets; example sites Los Angeles, Seattle, Chicago and New York]

Slide 24/41: Introduction to Active Directory Replication
[Figure: Domain Controllers A, B and C replicating with one another]
Multimaster replication with a loose convergence

Slide 25/41: Replication Components and Processes
How Replication Works
Replication Latency
Resolving Replication Conflicts
Optimizing Replication

Slide 26/41: How Replication Works
[Figure: an originating update on Domain Controller A is sent as a replicated update to Domain Controllers B and C]
Active Directory update types: add, modify, move, delete

Slide 27/41: Replication Latency
[Figure: after an originating update, Domain Controller A sends change notifications to Domain Controllers B and C, which then receive the replicated update]
Default replication latency (change notification) = 5 minutes
When no changes, scheduled replication = one hour
Urgent replication = immediate change notification

Slide 28/41: Resolving Replication Conflicts
[Figure: Domain Controllers A and B each make an originating update to the same attribute; each update carries a stamp consisting of a version number, a timestamp and the server GUID, and the stamps decide which update wins the conflict]
Conflicts can be due to:
  Attribute value
  Adding/moving under a deleted container object, or the deletion of a container object
  Sibling name

Slide 29/41: Optimizing Replication
[Figure: every originating and replicated update is identified by the originating server GUID and USN; Domain Controllers A, B and C each keep an up-to-dateness vector recording the GUID/USN pairs they have already received]
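A simplified Python model, added here and not course material, of the two mechanisms on the last two slides: each attribute write carries a stamp (version number, timestamp, originating server GUID) that decides a conflict, and each domain controller keeps an up-to-dateness vector of the highest USN it has seen from every originating server, so an update that arrives a second time via a third domain controller is dropped. The DomainController and Update classes, and the assumption that updates from one origin arrive in USN order, belong to this model, not to the Windows 2000 implementation.

```python
"""Simplified model of Active Directory attribute replication (added example,
not course material): a stamp per attribute write resolves conflicts, and the
up-to-dateness vector drops updates a domain controller has already received."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Stamp = (version, originating timestamp, originating DC GUID). Plain tuple
# ordering gives the precedence: version first, then time, then GUID tie-break.
Stamp = Tuple[int, int, str]

@dataclass
class Update:
    obj: str          # DN of the object
    attr: str
    value: str
    stamp: Stamp
    origin: str       # GUID of the originating domain controller
    usn: int          # USN the originating DC assigned to this write

@dataclass
class DomainController:
    guid: str
    usn: int = 0
    attrs: Dict[Tuple[str, str], Tuple[str, Stamp]] = field(default_factory=dict)
    utd: Dict[str, int] = field(default_factory=dict)   # up-to-dateness vector

    def originate(self, obj: str, attr: str, value: str, now: int) -> Update:
        """An originating update: bump the local USN and the attribute version."""
        self.usn += 1
        current = self.attrs.get((obj, attr))
        version = (current[1][0] if current else 0) + 1
        upd = Update(obj, attr, value, (version, now, self.guid), self.guid, self.usn)
        self.attrs[(obj, attr)] = (value, upd.stamp)
        self.utd[self.guid] = self.usn
        return upd

    def apply_replicated(self, upd: Update) -> bool:
        """Return True only if the replicated update changed local state."""
        if self.utd.get(upd.origin, 0) >= upd.usn:
            return False          # already received via another path: dampened
        self.utd[upd.origin] = upd.usn   # assumes in-order arrival per origin
        current = self.attrs.get((upd.obj, upd.attr))
        if current is not None and current[1] >= upd.stamp:
            return False          # conflict: the stamp we already hold wins
        self.attrs[(upd.obj, upd.attr)] = (upd.value, upd.stamp)
        return True

    def value(self, obj: str, attr: str) -> str:
        return self.attrs[(obj, attr)][0]
```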

Slide 30/41: Replication Topology
Directory Partitions
What Is Replication Topology?
Global Catalog and Replication of Partitions

Slide 31/41: Directory Partitions
The Active Directory database is divided into directory partitions:
  Domain partition (domain scope, for example contoso.msft): holds information about all domain-specific objects created in Active Directory
  Configuration partition (forest scope): contains information about Active Directory structure
  Schema partition (forest scope): contains definitions and rules for creating and manipulating all objects and attributes

Slide 32/41: What Is Replication Topology?
[Figure: domain controllers from the same domain (A1 to A4) form one Domain A topology and one schema/configuration topology; domain controllers from different domains (A1 to A4 and B1 to B3) form separate Domain A and Domain B topologies plus one shared schema/configuration topology]

Slide 33/41: What Is Replication Topology? (continued; repeats the diagram of slide 32)

Slide 34/41: Global Catalog and Replication of Partitions
[Figure: a global catalog server in contoso.msft holds the contoso.msft domain partition, the configuration and schema partitions, and a partial directory partition replica of namerica.contoso.msft]
A global catalog server holds a read-only copy of all domain directory partitions

Slide 35/41: Global Catalog and Replication of Partitions (continued)
[Figure: Domain A topology (A1 to A4), Domain B topology (B1 to B3), and the schema/configuration topology spanning all domain controllers]

Slide 36/41: Automatic Replication Topology Generation
[Figure: the KCC (Knowledge Consistency Checker) running on each domain controller (A1 to A8) generates the domain topology and the schema/configuration topology automatically]

Slide 37/41: Methods for Administering a Windows 2000 Network
Using Active Directory for Centralized Management
Managing the User Environment
Delegating Administrative Control

Slide 38/41: (no slide text extracted)

Slide 39/41: (no slide text extracted)

Slide 40/41: Delegating Administrative Control
Assign permissions:
  For specific OUs to other administrators
  To modify specific attributes of an object in a single OU
  To perform the same task in all OUs
Customize administrative tools to:
  Map to delegated administrative tasks
  Simplify interface design
[Figure: a domain containing OU1, OU2 and OU3, with administrators Admin1, Admin2 and Admin3]

Slide 41/41: Review
Introduction to Active Directory
Active Directory Logical Structure
Role of DNS in Active Directory
Active Directory Physical Structure
Methods for Administering a Windows 2000 Network