Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004


Page 1: Microsoft Active Directory(AD)

Microsoft Active Directory(AD)

A presentation by

Robert, Jasmine, Val and Scott

IMT546

December 11, 2004

Page 2: Microsoft Active Directory(AD)

What are directory services?

All Directory services use a hierarchical structure that stores information about objects on the network. What differentiates the various implementations are the types of objects that they track.

Page 3: Microsoft Active Directory(AD)

What objects are tracked via Directory Services?

• Shared Resources:
  – Servers
  – Shared volumes
  – Printers
  – Applications

• Administration of:
  – Users
  – User/Group access
  – Network resources
  – Management of domains, applications, services, security policies, and just about everything else in your network.

Page 4: Microsoft Active Directory(AD)

Directory Services Common Features:

• Provide file shares

• Authenticate users

• Provide services, such as Email, Access to the internet, Print services etc.

• Control access to services and shares.

Page 5: Microsoft Active Directory(AD)

Key Features of Active Directory

• AD as a namespace that is integrated with the Internet's Domain Name System (DNS).

• AD - A new directory service central to the Windows 2000 Server operating system, runs only on domain controllers.

Some directory services are integrated with an operating system, and others are applications such as e-mail directories. Operating system directory services, such as AD, provide user, computer, and shared resource management.

Page 6: Microsoft Active Directory(AD)

Active Directory utilizes a distributed architecture

• Active Directory, in addition to providing a place to store data and services to make that data available, also protects network objects from unauthorized access and replicates information about objects across the entire network so that information about objects is not lost if one domain controller fails.

Page 7: Microsoft Active Directory(AD)

Terminology

• Site: A site is a physical location, or LAN. This is different from a web site, which is an organization’s internet presence.

• Domain:
  – (1) A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
  – (2) All resources under the control of a single computer system.

Page 8: Microsoft Active Directory(AD)

Sample Domain Structure

Page 9: Microsoft Active Directory(AD)

Basic Network Identity Services

– Dynamic Host Configuration Protocol (DHCP)

– Domain Name System (DNS)

– Lightweight Directory Access Protocol (LDAP)

– Public Key Infrastructure (PKI)

– Remote Authentication Dial-In User Service (RADIUS)

– Microsoft's Active Directory

– Novell Directory Services (NDS)

Page 10: Microsoft Active Directory(AD)

Identity Service Providers: Service Specifics

• Most mid-sized to large enterprises today are likely to run about a half dozen network identity services to connect their business applications and network infrastructure.

• These services each have specific roles to play in the network, but they often interact with one another as well.

• Network identity services each perform specific tasks and also frequently interact. Managing interactions becomes challenging when multiple internal organizations administer the various services, which may be duplicated in numerous locations throughout the network and use different data stores.

Page 11: Microsoft Active Directory(AD)

DNS: Domain Name System

• DNS is a globally distributed database that maps host names to IP addresses on the internet.

• DNS uses a hierarchy of domains on the internet.
  – Top-level domains use the familiar names like .com, .edu, .gov.
  – Second-level domains are registered to organizations that have a presence on the web.

Active Directory is designed to exist within the scope of the Global DNS Namespace.

Page 12: Microsoft Active Directory(AD)

DNS Structure

Page 13: Microsoft Active Directory(AD)

LDAP

• Lightweight Directory Access Protocol (LDAP): a protocol used to access a directory service.

• LDAP is the primary access protocol for Active Directory.
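To make the "hierarchical structure" and "access protocol" points concrete, here is a small added example (not code from the presentation, Active Directory, or any LDAP library) that stores a constructed directory as DN-keyed entries, maps an AD domain's DNS name onto its DC= distinguished name, and answers LDAP-style searches with the base, one-level and subtree scopes and an equality filter. The DN parsing assumes no escaped commas or equals signs in values; full RFC 4514 escaping is out of scope.

```python
"""Toy hierarchical directory queried LDAP-style (added example, not AD's or
any LDAP library's code). The entries are constructed; the DN syntax assumes
no escaped commas or '=' in values (full RFC 4514 escaping is out of scope)."""
from typing import Dict, List, Tuple

# Constructed sample directory: DN -> attributes for a single domain,
# example.com, holding two OUs, two users, one group and one computer.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=example,DC=com": {"objectClass": "domainDNS"},
    "OU=Users,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=Alice,OU=Users,DC=example,DC=com": {"objectClass": "user", "sAMAccountName": "alice"},
    "CN=Bob,OU=Users,DC=example,DC=com": {"objectClass": "user", "sAMAccountName": "bob"},
    "CN=Admins,OU=Users,DC=example,DC=com": {"objectClass": "group"},
    "OU=Computers,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=WS01,OU=Computers,DC=example,DC=com": {"objectClass": "computer", "sAMAccountName": "WS01$"},
}

DnKey = Tuple[Tuple[str, str], ...]


def dn_key(dn: str) -> DnKey:
    """Parse a DN into ((type, value), ...) from most- to least-specific RDN.
    Types and values are compared case-insensitively, as LDAP does for the
    common string syntaxes."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().upper(), value.strip().lower()))
    return tuple(parts)


def dns_to_dn(dns_name: str) -> str:
    """Map an AD domain's DNS name onto its directory DN: the labels of
    example.com become the components DC=example,DC=com."""
    return ",".join(f"DC={label}" for label in dns_name.strip(".").split("."))


def in_scope(entry: DnKey, base: DnKey, scope: str) -> bool:
    """LDAP search scopes: base = the base entry only, one = its direct
    children, sub = the base entry and everything beneath it."""
    if len(entry) < len(base):
        return False
    below = entry[len(entry) - len(base):] == base  # suffix match on the RDN chain
    if scope == "base":
        return entry == base
    if scope == "one":
        return below and len(entry) == len(base) + 1
    if scope == "sub":
        return below
    raise ValueError(f"unknown scope {scope!r}")


def search(base: str, scope: str, attr: str, value: str) -> List[str]:
    """Return the DNs (sorted) under `base` whose `attr` equals `value`,
    the equivalent of an LDAP equality filter such as (objectClass=user)."""
    base_key = dn_key(base)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn_key(dn), base_key, scope):
            continue
        stored = {k.lower(): v for k, v in attrs.items()}
        if stored.get(attr.lower(), "").lower() == value.lower():
            hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    print(dns_to_dn("example.com"))
    print(search("DC=example,DC=com", "sub", "objectClass", "user"))
    print(search("DC=example,DC=com", "one", "objectClass", "user"))  # users sit one level deeper, so none
```

The scope rules are the part worth noticing: a subtree search from the domain root finds both users, while a one-level search from the same base finds only the OUs, because the users are two levels down. Real directory servers add access control on top of this, so the entries a caller sees depend on who is bound, not only on the filter.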

Page 14: Microsoft Active Directory(AD)

Active Directory's Global Catalog

• The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.

• Elements of the catalog are replicated across all of the domain controllers within all domains across the org.

Page 15: Microsoft Active Directory(AD)

Global Catalog -Service Discovery

• For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.

• SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
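The following added example (not Microsoft's locator code, and not from the presentation) shows what the SRV-based lookup looks like from the client's side: a constructed zone holds the `_ldap._tcp.dc._msdcs.<domain>`, site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` and `_gc._tcp.<forest>` records, the candidates are ordered by priority and weight as RFC 2782 prescribes, and the client falls back from its own site's record to the domain-wide one. The host names, sites and weights are assumptions made up for the example.

```python
"""DC locator over SRV records (added example; not Microsoft's locator code).
The SRV answers are constructed and the record names follow the _msdcs
layout that Windows domain controllers register in DNS."""
import random
from typing import Callable, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed SRV zone data, keyed by lower-cased query name.
SRV_ZONE = {
    # every DC in the domain; dc3 carries a higher priority value, so it is used only when dc1/dc2 fail
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
        (10, 100, 389, "dc3.example.com"),
    ],
    # site-specific record: the DCs located in the HQ site
    "_ldap._tcp.hq._sites.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
    ],
    # global catalog servers for the forest, served on port 3268
    "_gc._tcp.example.com": [
        (0, 100, 3268, "dc1.example.com"),
    ],
}


def srv_lookup(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query against the constructed zone."""
    return list(SRV_ZONE.get(name.lower(), []))


def order_rfc2782(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV records as RFC 2782 prescribes: lowest priority value first,
    and within one priority a weighted random order (weight-0 records are
    listed first so they are chosen only when the random draw is 0)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= draw:
                    ordered.append(pool.pop(i))
                    break
    return ordered


Reachable = Callable[[str, int], bool]


def locate_dc(domain: str, site: Optional[str] = None, seed: int = 0,
              reachable: Optional[Reachable] = None) -> Optional[Tuple[str, int, str]]:
    """Find a domain controller the way a client does: query the record for
    the client's own site first, then the domain-wide record, and take the
    first candidate that answers. Returns (target, port, record name used)."""
    rng = random.Random(seed)
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}".lower())
    names.append(f"_ldap._tcp.dc._msdcs.{domain}".lower())
    for name in names:
        for _prio, _weight, port, target in order_rfc2782(srv_lookup(name), rng):
            if reachable is None or reachable(target, port):
                return target, port, name
    return None


def locate_gc(forest: str, seed: int = 0) -> Optional[Tuple[str, int]]:
    """A global catalog lookup uses the forest-wide _gc._tcp record."""
    rng = random.Random(seed)
    ordered = order_rfc2782(srv_lookup(f"_gc._tcp.{forest}"), rng)
    return (ordered[0][3], ordered[0][2]) if ordered else None


if __name__ == "__main__":
    print(locate_dc("example.com", site="HQ"))
    print(locate_dc("example.com", reachable=lambda host, _port: host == "dc3.example.com"))
    print(locate_gc("example.com"))
```

Two things follow from the code that the slide only implies: a client with a site that has no record of its own silently falls back to any DC in the domain, and the whole process trusts whatever the DNS server returns, which is why the DNS zones that hold the `_msdcs` records deserve the same integrity protections (secure dynamic updates, restricted zone replication) as the directory itself.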

Page 16: Microsoft Active Directory(AD)

Domain authority

• Active Directory replicates its administration information across domain controllers throughout the “forest” utilizing a “multi-master” approach.

• Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.

Page 17: Microsoft Active Directory(AD)

Authentication

• Each domain controller has information for the entire forest to support authentication and access control.

• This provides the ability for local domain controllers (the “tree”) to provide a quick local lookup of authority.

• Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.

Page 18: Microsoft Active Directory(AD)

An example of an Active Directory implementation

PING North America: Benefits from using Active Directory

• Reduced one IT staff member’s workload by 40 percent, freeing 800 hours per year to work on new projects

• Significant cost savings due to server consolidation and elimination of mainframe and NetWare

• Increased security and stability through centralized desktop management

• Active Directory also gives PING a single repository for all types of information.

Source: Microsoft

Page 19: Microsoft Active Directory(AD)

Time Savings

Before

• For PCs that were still running Windows NT Workstation or Windows 98, it would take as much as 40 hours of effort to manually visit each desktop and install the patch.

After

• For desktops that are running Windows XP Professional, a group policy can be created that will push a new security patch out to all of them in less than 30 minutes.

Page 20: Microsoft Active Directory(AD)

Repository of Information

Before

• Spreadsheets had to be created and maintained for user locations, office numbers, phone numbers etc.

After

• All of the information is now managed in a single place and is updated using a single interface.

Page 21: Microsoft Active Directory(AD)

Increased Security

• Since Active Directory provides a single point of management for all systems, desktops can be locked down in a known, secure state and kept current with software updates and security patches with minimal time and effort.

Page 22: Microsoft Active Directory(AD)

Open Source Implementation:

Page 23: Microsoft Active Directory(AD)

Mac OS X Server v10.3 Open Directory 2

• The latest version of Apple’s standards-based directory and authentication services architecture.

• The Open Directory architecture makes it easy to integrate Mac OS X client and server systems into your existing network infrastructure. It’s compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft’s Active Directory and Novell’s eDirectory.

Page 24: Microsoft Active Directory(AD)

Open Directory Features:

• Support for mixed-platform environments

• Strong authentication options: Kerberos

• Reliability and scalability

Page 25: Microsoft Active Directory(AD)

References:

• Mac OS X Open Directory: http://www.apple.com/server/macosx/open_directory.html

• Microsoft Active Directory: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/projplan/adarch.mspx

• Ping: http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=15304

• General: http://www.microsoft.com

• Gaining Control of Your network Identity infrastructure… http://www.bitpipe.com/detail/RES/1082474885_246.html