Active Directory

Upload: nitin-sharma

Post on 18-May-2015

DESCRIPTION

Active Directory ppt

TRANSCRIPT

Page 1: Active directory

Active Directory

Page 2: Active directory

Active Directory Definitions

AD is Microsoft’s consolidation of the major enterprise-wide directory services within a single, replicable data store and administrative interface.

AD is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups.

The two components of AD are the data store (the directory database, NTDS.dit, held by every domain controller) and the AD services that act on that data.

Page 3: Active directory

AD Advantages

Provides a centralized logon and authentication point for users to access resources

A focal point for centralized administration and management

A searchable store for information about every network object and its attributes

Standards-based structures and interfaces (LDAP, Kerberos, DNS) allow for interoperability and compatibility with third-party products

Scalable (virtually no practical limit on the number of objects)

Page 4: Active directory

New Features (Windows Server 2008)

Restartable AD DS: the directory service can be stopped and started on a DC without rebooting it (e.g. for an offline defragmentation)

Read-only Domain Controller (RODC) for branch offices, holding a read-only replica and, by policy, only selected account secrets

Auditing improvements: directory service change auditing records old and new attribute values

Multiple password and account lockout policies in a single domain (fine-grained password policies), instead of one domain-wide policy

AD Lightweight Directory Services (AD LDS) role: a standalone LDAP directory for applications that does not require a domain
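How the "multiple password/account lockout policies" feature is actually used, as an added example (this is not code from the original slides). It assumes the RSAT ActiveDirectory module, a Windows Server 2008 domain functional level, and that the policy name PSO-Admins, the numeric settings, and the account jdoe are placeholders chosen for the example.

```powershell
# Added example, not from the original slides. Creates a fine-grained password
# policy (a Password Settings Object) and applies it to a group. Names and
# values below are assumptions; adapt them to your environment.
Import-Module ActiveDirectory

# PSOs exist only at the Windows Server 2008 domain functional level or higher.
if ((Get-ADDomain).DomainMode -lt 'Windows2008Domain') {
    throw 'Fine-grained password policies require the Windows Server 2008 domain functional level'
}

# A stricter policy for privileged accounts than the domain-wide default.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are linked to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Verify which policy wins for one account: a PSO linked directly to the user
# beats one linked via a group, and among group-linked PSOs the lowest
# Precedence value wins. 'jdoe' is an assumed account name.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'

# Which PSOs exist and who they apply to
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```

The resultant-policy check is the one to keep: an account that is a member of several groups may be under a different PSO than the one you linked, and an account under no PSO falls back to the Default Domain Policy settings.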

Page 5: Active directory

DNS

DNS is an Internet standard service that translates easily readable host names, such as mycomputer.microsoft.com, to numeric IP addresses.

Domain names for DNS are based on a hierarchical naming structure (an inverted tree): a single root domain, underneath which can be parent and child domains (branches and leaves).

Each computer in a DNS domain is uniquely identified by its DNS fully qualified domain name (FQDN), e.g. server1.ifsm.umbc.edu

Dynamic DNS update (a newer standard) is required for AD: domain controllers register the service locator (SRV) records that clients use to find them, and re-register them periodically.

Page 6: Active directory

AD and DNS integration

• Active Directory and DNS have the same hierarchical structure.
• All AD names follow DNS conventions.
• DNS records (zones) can be stored in Active Directory.
• Active Directory clients use DNS to locate domain controllers.
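What "clients use DNS to locate domain controllers" looks like on the wire, as an added example (not code from the original slides). It assumes the domain name ifsm.umbc.edu that the slides use, a domain-joined Windows client with the DnsClient module (Windows 8 / Server 2012 or later for Resolve-DnsName), and the built-in nltest tool.

```powershell
# Added example, not from the original slides. Shows the SRV records an AD
# client queries to find domain controllers, and a check for stale ones.
# The domain name is the one used in the slides and is an assumption here.
$domain = 'ifsm.umbc.edu'

# Every DC registers SRV records under _msdcs.<domain>. The client asks for
# the service it needs and gets host names, ports, priorities and weights back.
# (The gc records live under the forest root domain, so they exist here only
# if this domain is the forest root.)
$services = @{
    '_ldap._tcp.dc._msdcs'     = 'all domain controllers (LDAP, 389)'
    '_kerberos._tcp.dc._msdcs' = 'all KDCs (Kerberos, 88)'
    '_ldap._tcp.pdc._msdcs'    = 'the PDC emulator'
    '_ldap._tcp.gc._msdcs'     = 'global catalog servers (LDAP, 3268)'
}
foreach ($svc in $services.Keys) {
    Write-Host "== $svc.$domain : $($services[$svc])"
    Resolve-DnsName -Name "$svc.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}

# Site-aware lookup: the client first asks for DCs in its own site, so a DC
# across a slow WAN link is used only when no local DC answers.
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1)
if ($site) {
    $site = $site.Trim()
    Write-Host "== DCs registered for site $site"
    Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

# Check: every SRV target should resolve to an address. A stale record sends
# clients to a host that no longer exists (logon delays) and, if someone else
# can later claim that name or address, to an impostor.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object {
        $a = Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC      = $_.NameTarget
            Address = ($a.IPAddress -join ',')
            Stale   = (-not $a)
        }
    }

# The DC Locator itself (what Netlogon does for you), forcing a fresh lookup
# instead of using the cached DC:
nltest "/dsgetdc:$domain" /force
```

If the first query returns nothing, AD cannot work for that client: either the client is pointed at a DNS server that does not host (or forward to) the AD zone, or the DCs have failed to register, which is the first thing to check on a new domain.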

Page 7: Active directory

AD Organization

An underlying principle of AD is that everything is considered an object: people, servers, workstations, printers, etc.

Each object also has certain attributes.

Object classes are definitions of the object types that can be created in AD.

Page 8: Active directory

Controlling Object Access

Every object has an ACL (the DACL of its security descriptor) that contains information about who has access to it and what they can do with it.

Controlling access to the object in AD is not the same as access to the thing the object represents. AD permissions only specify whether a user, group or computer can view or modify an object’s properties in AD; the NTFS permissions on a shared folder, for example, are separate from the permissions on the AD object that publishes that share.

Access can be set up for individual object properties and for extended rights (such as the right to reset a user's password). Because of this, some property-level grants are as powerful as full control: write access to a group's member attribute, or the Reset Password right on a user, amounts to control of that group or account.
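Reading an object's ACL so that property-level and extended-right grants are visible by name, as an added example (not code from the original slides). It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a domain-joined session allowed to read security descriptors, the Domain Admins group as the object inspected, and a list of principals treated as expected that you would adapt.

```powershell
# Added example, not from the original slides. Lists the ACEs on an AD object,
# resolving the GUIDs of property- and extended-right-specific ACEs to names,
# then flags grants that amount to control of the object.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Object-specific ACEs carry a GUID: a schemaIDGUID for an attribute or class,
# or a rightsGuid for an extended right. Build one lookup table for both.
$guidMap = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Object to inspect (assumption: the Domain Admins group).
$target = (Get-ADGroup 'Domain Admins').DistinguishedName
$acl    = Get-Acl -Path "AD:\$target"

$acl.Access | ForEach-Object {
    $appliesTo = if ($_.ObjectType -eq [guid]::Empty)          { '<whole object>' }
                 elseif ($guidMap.ContainsKey($_.ObjectType))  { $guidMap[$_.ObjectType] }
                 else                                          { $_.ObjectType.ToString() }
    [pscustomobject]@{
        Identity  = $_.IdentityReference
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        AppliesTo = $appliesTo
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# Check: who, other than the principals we expect, can take over this group?
# Full control, WriteDacl/WriteOwner, or WriteProperty on either the whole
# object or specifically the 'member' attribute all qualify.
# The expected list is an assumption; $env:USERDOMAIN is the NetBIOS domain.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $expected -notcontains $_.IdentityReference.Value -and
    ( $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
      ( $_.ActiveDirectoryRights -match 'WriteProperty' -and
        ( $_.ObjectType -eq [guid]::Empty -or $guidMap[$_.ObjectType] -eq 'member' ) ) )
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

The same pattern applied to a user object should look for the "Reset Password" extended right and WriteProperty on the whole object; applied to an OU, for CreateChild/DeleteChild and inherited WriteDacl, since anything granted on the OU flows down to every object under it.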

Page 9: Active directory

Schema

A set of object definitions (object classes) and their associated attributes

Provides information on what objects and attributes are available to the directory

Allows administrators to modify and add new object classes, objects and attributes as needed, making the schema extensible

Because of this flexibility, AD is capable of being the single point of administration for all published resources (files, peripheral devices, host connections, databases, Web access, users)

Schema changes are forest-wide and effectively permanent: classes and attributes can be deactivated but never deleted, and changing the schema requires membership in the Schema Admins group, so extensions should be tested in a lab forest first.

Page 10: Active directory

AD Organization

AD objects are organized around a hierarchical domain model that allows scalability and expandability.

Domain model building blocks are:

- domains
- domain trees
- forests
- organizational units

Page 11: Active directory

Namespace

AD is based on the concept of a namespace, that is, a name is used to resolve the location of an object.

AD domain names correspond to DNS domain names.

Each object can be referred to by several names (its distinguished name, relative distinguished name, canonical name, objectGUID and, for users, the user principal name). The distinguished and canonical names pinpoint the object's location in the hierarchy; the GUID identifies the object and stays constant even when it is moved or renamed.

Page 12: Active directory

Domain

A logical partition comprised of users, computers and network resources that share a common security policy and administrative boundary and use a common namespace (e.g. ifsm.umbc.edu)

Domains can be arranged into a hierarchical parent-child structure

All domains maintain their own security policies (password, lockout and Kerberos policies) and their own trust relationships with other domains

Requires at least one Domain Controller (where the AD database is stored)

If there is more than one DC (recommended), they use multi-master replication: any writable DC accepts changes and replicates them to the others.

Page 13: Active directory

Trusts

Logical connections between domains that allow users from one domain to access resources in another domain

Can be one-way or two-way

Can be transitive or non-transitive; trusts inside a forest (parent-child, tree-root) are created automatically, while external, forest, shortcut and realm trusts are created explicitly by an administrator

Trust terminology: the trusting domain trusts the trusted domain. The trusted domain holds the users (accounts); the trusting domain holds the resources.

Page 14: Active directory

Transitive Trusts

A transitive trust is a trust between two domains in the same domain tree/forest that extends beyond those two domains to the other domains they trust within the same tree/forest. By default, all trusts created within a Windows Server 2008 domain tree/forest (parent-child and tree-root trusts) are two-way and transitive, so every domain in a forest trusts every other domain in it. Transitivity and direction are separate properties: a forest trust to another forest is transitive yet may be one-way.

Domain A <-> Domain B <-> Domain C

Because the A-B and B-C trusts are transitive, A and C trust each other without a direct trust between them.
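Enumerating the trusts of the current domain, including the properties that decide how far authentication travels, as an added example (not code from the original slides). It assumes the RSAT ActiveDirectory module and a session on a domain member.

```powershell
# Added example, not from the original slides. Lists trusts from this domain's
# point of view and flags the configuration a reviewer would question.
Import-Module ActiveDirectory

# Direction: Outbound = this domain trusts the target (the target's users can
# use our resources); Inbound = the target trusts us; BiDirectional = both.
# IntraForest marks the automatic parent-child / tree-root trusts, which are
# transitive; ForestTransitive marks a forest trust to another forest.
# "DisallowTransivity" is the property's real name, typo included.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
        DisallowTransivity, SIDFilteringQuarantined, SIDFilteringForestAware,
        SelectiveAuthentication |
    Format-Table -AutoSize

# Every domain in the forest trusts every other one transitively, so this list
# is the reach of any one domain's credentials within the forest.
(Get-ADForest).Domains

# Check: an external (non-forest, non-intra-forest) trust with SID filtering
# (quarantine) switched off lets a principal in the trusted domain present a
# forged SID history and be treated as a member of groups in this domain.
Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined } |
    Select-Object Name, Direction, TrustType

# Check: forest trusts without selective authentication let every user in the
# other forest authenticate to every resource here ("Authenticated Users").
Get-ADTrust -Filter { ForestTransitive -eq $true } |
    Where-Object { -not $_.SelectiveAuthentication } |
    Select-Object Name, Direction
```

Intra-forest trusts cannot be removed or filtered, which is why the forest, not the domain, is the boundary that matters when deciding who may administer a domain.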

Page 15: Active directory

Domain Tree

Consists of a hierarchy of domains sharing a common schema, security trust relationships, and a Global Catalog

Formed through the expansion of child domains; there is one root domain (the first created domain)

Defined by a common and contiguous namespace

Page 16: Active directory

Domain Tree Example

toysrus.com
  marketing.toysrus.com
    ny.marketing.toysrus.com
  sales.toysrus.com

Page 17: Active directory

Domain Forests

Domain trees with different (non-contiguous) namespaces connected by trust relationships (two-way transitive tree-root trusts)

All trees within the forest share a Global Catalog, configuration and schema.

The forest has no namespace of its own; it is named after the forest root domain (the first domain created) and is simply the reference point between the trees. Because schema and configuration are shared and every domain trusts every other, the forest, not the domain, is the security boundary: an administrator of any domain in the forest can obtain control of the others.

Page 18: Active directory

Domain Forest Example

Tree 1:
toysrus.com
  marketing.toysrus.com
    ny.marketing.toysrus.com
  sales.toysrus.com

Tree 2:
babiesrus.com
  hr.babiesrus.com
  sales.babiesrus.com
    ny.sales.babiesrus.com

Page 19: Active directory

Organizational Unit

An administrative substructure of a domain, arranged hierarchically; OUs can be nested

A special type of object called a container; it holds users, computer systems, printers, etc.

A logical subset defined by security or administrative parameters where specific system administration functions can easily be segmented and delegated; OUs are also the scope at which Group Policy Objects are linked.

Page 20: Active directory

OU Example

toysrus.com
  marketing.toysrus.com
    ny.marketing.toysrus.com
  sales.toysrus.com
    Teams.sales.toysrus.com (OU)
      Online.teams… (OU)   Retail.teams… (OU)

Page 21: Active directory

Global Catalog

AD uses a global catalog so that users can find objects quickly, even in a large multidomain environment

The GC contains all the objects in the AD, inclusive of all domains and trees in a forest, but with only a subset of their attributes (the partial attribute set). It is hosted by domain controllers designated as GC servers and is queried over LDAP on port 3268 (3269 for LDAP over TLS) instead of 389.

Serves as an index to the entire forest

Serves as a central point for user authentication: in a multidomain forest a GC must be reachable at logon to expand universal group membership and to resolve UPN-style logons (user@domain) to the right domain.
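Querying the global catalog instead of a domain-specific DC, and finding out which attributes it actually carries, as an added example (not code from the original slides). It assumes the RSAT ActiveDirectory module, a reachable GC server discovered through the DC Locator, and that the account name jdoe is a placeholder.

```powershell
# Added example, not from the original slides. Searches the whole forest
# through a GC on port 3268 and shows how to find the partial attribute set.
Import-Module ActiveDirectory

# Let the DC Locator find a GC server for us.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
      Select-Object -First 1

# Forest-wide search: a single query covers every domain's objects. Against a
# normal DC (port 389) the same query would only see that DC's own domain.
# 'jdoe' is an assumed account name.
Get-ADObject -Server "$($gc):3268" -Filter { sAMAccountName -eq 'jdoe' } `
    -Properties sAMAccountName, userPrincipalName, objectSid |
    Select-Object DistinguishedName, sAMAccountName, userPrincipalName, objectSid

# Attributes outside the partial attribute set come back empty from a GC even
# though the object exists; ask the schema which attributes are replicated.
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

# Which DCs are GC servers (every site needs one, or logons fail when the WAN
# link is down).
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```

Adding an attribute to the partial attribute set (setting isMemberOfPartialAttributeSet on its schema object) is a schema change with the permanence described on the Schema slide, and it triggers replication of that attribute to every GC in the forest.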

Page 22: Active directory

Domain and Forest Functional Levels

Windows Server 2008 has 3 forest functional levels: Windows 2000, Windows Server 2003, Windows Server 2008

Windows Server 2008 has 3 domain functional levels: Windows 2000 native, Windows Server 2003, Windows Server 2008

A functional level determines which Windows versions may run as DCs in the domain or forest and which AD features are enabled (for example, fine-grained password policies require the Windows Server 2008 domain level); it does not restrict member servers or clients.

Raising a domain/forest functional level is irreversible on Windows Server 2008 (Windows Server 2008 R2 and later allow lowering it only in limited cases, when no feature that depends on the higher level has been enabled), so confirm every DC's operating system before raising it.
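Checking the current levels, verifying the prerequisites, and raising a level with the confirmation prompt kept, as an added example (not code from the original slides). It assumes the RSAT ActiveDirectory module and Domain Admins / Enterprise Admins rights; the target level Windows2008Domain matches the slides and would be replaced by the level you actually need.

```powershell
# Added example, not from the original slides. Because raising a level cannot
# be undone on Windows Server 2008, the checks come before the change.
Import-Module ActiveDirectory

# Current levels
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

# Prerequisite: every DC in the domain must run an OS at or above the target
# level. Anything older would stop replicating after the change.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion,
        IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# Raise the domain level. The PDC emulator performs the change and replicates
# it out; -Confirm keeps the prompt because there is no way back on 2008.
Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2008Domain -Confirm

# The forest level can only be raised once every domain in the forest is at
# the matching domain level; check them all first.
(Get-ADForest).Domains | ForEach-Object {
    Get-ADDomain -Identity $_ | Select-Object DNSRoot, DomainMode
}
# Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2008Forest -Confirm
```

Both cmdlets fail rather than corrupt anything if a DC below the target level still exists, but a DC that is offline at the time is not seen by the check above, which is why the DC inventory is worth reading by hand rather than trusting the cmdlet alone.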

Page 23: Active directory

Sites

Address the physical network structure. A site is a region of your network infrastructure made up of one or more well-connected IP subnets.

Sites are used to allow all AD clients belonging to the same physical network area to access services (DCs, GC and DNS servers) from servers in close proximity, rather than across slow, expensive WAN links.

Sites allow AD to replicate more efficiently: intra-site replication between DCs on the same LAN is triggered by change notification and sent uncompressed, while inter-site replication is scheduled, compressed and routed over the site links the administrator configures.

Page 24: Active directory

Sites and DCs

DCs are automatically placed into sites when they are promoted into the AD domain, by matching their IP address against the subnet objects defined in AD. A DC whose address matches no subnet object cannot be placed automatically in the intended site, so create the subnet objects first (or name the site explicitly at promotion) and verify the placement afterwards.

After being placed into the site, the DCs begin receiving replicated information for their own domain, as well as forest-wide information (the configuration and schema partitions and, for GC servers, the partial replicas of the other domains).
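Listing sites, subnets and DC placement, and checking for a DC whose address matches no subnet object, as an added example (not code from the original slides). It assumes the RSAT ActiveDirectory module; the subnet 10.20.0.0/16, the site name NY and its description are placeholders, and the subnet test is written for IPv4 only (IPv6 subnet objects are skipped).

```powershell
# Added example, not from the original slides. Shows the site topology and
# verifies that each DC's address falls inside a subnet object, since a DC
# (or client) that matches no subnet is served by the wrong site.
Import-Module ActiveDirectory

# Sites and the subnets mapped to them
Get-ADReplicationSite -Filter * | Select-Object Name, Description
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Define a subnet before promoting a DC into it (names are assumptions).
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'NY' -Description 'New York office'

# IPv4-only CIDR membership test; IPv6 subnet objects are skipped.
function Test-IPv4InCidr([string]$ip, [string]$cidr) {
    $net, $bits = $cidr -split '/'
    if ($ip  -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
    if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
    $toInt = {
        param($a)
        $n = [long]0
        foreach ($octet in $a.Split('.')) { $n = $n * 256 + [int]$octet }
        $n
    }
    $mask = ([long][uint32]::MaxValue -shl (32 - [int]$bits)) -band [long][uint32]::MaxValue
    return ((& $toInt $ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# Which site each DC landed in, and which subnet object (if any) covers it.
$subnets = Get-ADReplicationSubnet -Filter * | Select-Object -ExpandProperty Name
Get-ADDomainController -Filter * | ForEach-Object {
    $dc    = $_
    $match = $subnets | Where-Object { Test-IPv4InCidr $dc.IPv4Address $_ }
    [pscustomobject]@{
        DC             = $dc.HostName
        IP             = $dc.IPv4Address
        Site           = $dc.Site
        MatchingSubnet = ($match -join ',')
    }
} | Format-Table -AutoSize

# The site a client believes it is in (empty when its address matches no subnet)
nltest /dsgetsite
```

A DC with an empty MatchingSubnet column, or a site whose name does not agree with the subnet that covers it, is the usual reason branch-office clients authenticate across the WAN despite having a local DC.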