Microsoft Confidential
Zelko Kecman
Microsoft Windows 2000 Server Directory Services

Posted 28-Dec-2015, 36 slides

TRANSCRIPT

Page 1: Microsoft Confidential Zelko Kecman Microsoft Windows 2000 Server Directory Services

Microsoft Confidential

Zelko Kecman

Microsoft Windows 2000 Server Directory Services

Page 2: Active Directory Design Goals

[Diagram: Windows NT domains in Asia, Europe, Chicago, San Diego and Boston. Legend: Windows NT Domain = Partition Boundary; Domain Controller = Partition Replica]

Must meet enterprise requirements
Scalability with minimum complexity
Built on Internet standards
Security through simplicity
Enable incremental upgrade and migration
Work well with existing directory investments
Flexibility to support organizational change

Page 3: Active Directory Delivers

User and Network Management
  Users and organization management
  User device management
Authentication and Authorization Services
  Protect data and facilitate access
  Based on Internet technologies
Directory Management
  Directory consolidation
  Directory synchronization
Infrastructure Services
  Directory-enabled networking
  Directory-enabled services
Application Management
  Publish server locations for client lookup
  Policy-based application configuration

Page 4: Simplify User And Network Management

[Diagram: Root with Users (Marketing, Personnel), Machines (Devices) and Applications. Callouts: Give 'Personnel' Members the HR Application; Color Printer in Building 6; Delegate Management Tasks to Office Admins]

Users and organization management
User device management

Page 5: Provide Security Services

[Diagram: Root with Users (Marketing, Extranet), Machines (Devices) and Applications. Callouts: Restrict Access Rights of Extranet Users; Kerberos; X.509; Smart Card; PKI Certificates]

Protect data while facilitating access
Based on Internet technologies

Page 6: Simplify Directory Management

[Diagram: Users (Marketing, Personnel). Callouts: User Application: Store Application Data on User Objects; Exchange Platinum: Consolidated User and Mailbox Management; Directory Synchronization]

Directory consolidation
Directory synchronization

Page 7: Enhanced Infrastructure Services

[Diagram: Root with Users (Billing, Doctors), Machines (Routers) and Applications. Callouts: Policy: Give Doctors More Bandwidth than the Billing Department; Publish file shares to facilitate location]

Directory-enabled networking
Directory-enabled services

Page 8: Simplified Application Management

[Diagram: Root with Users (Marketing, Personnel), Machines (Devices) and Applications. Callouts: Policy: Give Personnel access to 'Change Salary' Menu Options; Publish Server locations]

Publish server locations for client lookup
Enable application configuration based on policies and roles

Page 9: What Is Active Directory?

[Diagram: Active Directory at the centre, linked to:]
Windows Users: Account info, Privileges, Profiles, Policy
Windows Clients: Mgmt profile, Network info, Policy
Windows Servers: Mgmt profile, Network info, Services, Printers, File shares, Policy

Management Focal Point For: Users and resources, Security, Delegation, Policy

Page 10: What Is Active Directory?

[Diagram: Active Directory at the centre, linked to:]
Windows Users: Account info, Privileges, Profiles, Policy
Applications: Server config, Single Sign-On, App-specific directory info, Policy
Windows Clients: Mgmt profile, Network info, Policy
Windows Servers: Mgmt profile, Network info, Services, Printers, File shares, Policy
Network Devices: Configuration, QoS policy, Security policy
Internet
Firewall Services: Configuration, Security Policy, VPN policy
Other Directories: White pages, E-Commerce
Other NOS: User registry, Security Policy
E-Mail Servers: Mailbox info, Address book

Management Focal Point For: Users and resources, Security, Delegation, Policy

Page 11: The Active Directory

Page 12: Active Directory - Terms

Directory is made of Objects
Objects have Attributes
Schema is a specific definition of objects and attributes
Example: User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, ...

Page 13: Active Directory - Terms

Organizational Unit
  Lowest form of grouping in the Active Directory
  Group Policy can be applied to the Organizational Units
  Can be nested up to 12 levels deep
  Organizational Unit is graphically represented by a circle in the diagrams

Page 14: Nice, Artistic View

[Diagram: OU hierarchy]

Page 15: More Realistic View

[Diagram: OU hierarchy with Marketing, Finance, R&D, Sales, Admin, Manufacturing, Distribution]

OUs reflect the corporate organization
May be geographical and/or business model hierarchy
Some levels may have children, while others do not

Page 16: Active Directory - Terms

Domain
  Next hierarchical level above Organizational Units (OUs)
  Is a security boundary in the Active Directory
  OU properties are inherited within a domain only - not across domains
  Provides a replication boundary
  Represented by a triangle in the Active Directory diagrams

Page 17: Active Directory - Terms

Domain Tree
  Hierarchically arranged domains created by parent-child relationship
  All domains within a domain tree share the same root namespace
  Users can search for all information within the Domain Tree
  Schema is the same within the Domain Tree

Page 18: Active Directory - Terms

Global Catalog
  Contains a partial replica of the information contained within each of the domains
  Network administrator designates which Objects and Attributes get placed in the Global Catalog
  Allows for fast searching of the key information in the AD, without hitting all of the domains
  Reduces replication overhead

Page 19: Domain Schema vs. Global Catalog

Domain Schema
  User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires, ...
  Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size

Global Catalog (partial replica)
  User Account: Name, Title, Manager, Office Location, Phone
  Printer: Name, Mfr, Model, Color, Duplex

Page 20: Global Catalog / Domain Tree

The GC in each domain has a pointer to its own domain information (which is complete)
Plus it has partial information from all of the other domains in the tree (or forest)

Page 21: Q: What is a Group of Domain Trees?

Answer: A Forest

Page 22: Active Directory - Terms

Forest
  A joined set of Domain Trees that:
    Use the same schema
    Share the same Global Catalog
    Joined by Kerberos Trust
  Very useful for groups of subsidiary companies that want autonomy in administrative roles
  Provides for multiple public Internet names (microsoft.com, msnbc.com, etc.)

Page 23: Active Directory - Terms

Site
  Relates directly to the network topology and network connectivity
  Defined as an area of "good" network connectivity
  Primarily affects
    User logon, distributed file system
    Replication traffic
  Site boundaries are independent of domain boundaries

Page 24: Defining Sites

Sites are areas of "good" network connectivity, defined by IP subnets
Current thinking is a T1 (1.5 Mb/s) link or higher
Intra-site replication takes place automatically via RPC
Inter-site replication is configured by the network administrator
  Time of day, frequency
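The slide defines a site as a set of IP subnets. The following added example (not from the deck; site names and subnets are constructed) shows the subnet-to-site lookup a client-placement decision relies on, with longest-prefix matching so a more specific subnet wins, plus two checks an administrator wants: clients that fall into no defined subnet, and overlapping subnet definitions.

```python
"""Map a client IP address to an Active Directory site from a subnet table.
Added example; the sites and subnets below are constructed, not real."""
import ipaddress

# Constructed subnet-to-site table (hypothetical values). A real deployment
# stores this under the Sites container; it is inline so the example runs offline.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Chicago",
    "10.1.5.0/24": "Chicago-Lab",   # more specific prefix inside Chicago
    "10.2.0.0/16": "San-Diego",
    "10.3.0.0/16": "Boston",
    "192.168.100.0/24": "Asia",
}


def build_table(mapping):
    """Parse the subnet strings once and sort longest prefix first, so the
    most specific subnet is tried before any wider one that contains it."""
    table = [(ipaddress.ip_network(net, strict=True), site)
             for net, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip, table):
    """Return the site whose most specific subnet contains ip, or None when
    the address is in no defined subnet (the client then has no site)."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def unmapped_clients(ips, table):
    """Check: client addresses outside every defined subnet. Such clients are
    not placed in a site, so logon and DFS traffic may cross the WAN, which is
    exactly what sites exist to avoid."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]


def overlapping_subnets(table):
    """Check: subnet pairs where one contains the other. Legitimate when
    intended, but a common cause of surprising site assignments."""
    pairs = []
    for i, (a, _) in enumerate(table):
        for b, _ in table[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    table = build_table(SUBNET_TO_SITE)
    for ip in ["10.1.5.20", "10.1.9.9", "10.3.0.7", "172.16.0.1"]:
        print(ip, "->", site_for_ip(ip, table))
    print("overlaps:", overlapping_subnets(table))
```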

Page 25: Sites

Controls replication
Controls how clients locate DCs
Where to locate GC Servers
Applications can be site aware - DFS

Page 26: Sites - Intra Domain

[Diagram]

Page 27: Domain Name System (DNS)

Windows 2000 DNS owns the root
Windows 2000 DNS owns a delegated sub-domain
No Windows 2000 DNS implemented

Page 28: DNS Integration Choices: Windows 2000 owns the root

Pros
  No dependency on existing DNS servers
  No AD integration testing required
  Multi-master replication with AD-based DNS
  A shorter familiar name is more user friendly
Cons
  Requires effort to replace existing DNS servers

[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org, asia.widgets.org]

Page 29: DNS Integration Choices: Delegated sub-domain

Pros
  Requires no upgrade to existing DNS servers
  Minimizes dependency of Active Directory on existing DNS servers
Cons
  Names are longer
  The added component is arbitrary, therefore unmemorable
  Continued dependency on existing DNS servers

[Diagram: widgets.org delegating w2k.widgets.org, with child domains na.w2k.widgets.org, euro.w2k.widgets.org, asia.w2k.widgets.org]

Page 30: DNS Integration Choices: No Windows 2000 DNS

Pros
  No political change
Cons
  Single point of failure for dynamic registrations
  Must upgrade servers to support SRV records (RFC 2052)
  Must manually enter contents of NETLOGON.DNS if no support for DDNS (RFC 2136)
  Must perform integration testing with MS DHCP server
  More integration testing with third-party server

[Diagram: widgets.org with child domains na.widgets.org, euro.widgets.org, asia.widgets.org]

Page 31: DNS Naming considerations

Use Internet-standard characters
  'A'-'Z', 'a'-'z', '0'-'9', and '-' (RFC 1123)
  Microsoft DNS supports wider range
Users not exposed to domain names
  E-mail style login name does not have to be related to domain name
  Most interaction is query to global catalog
Admins exposed to domain names
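A name that only works because Microsoft DNS accepts a wider character range breaks as soon as a strictly RFC-compliant server has to host or resolve it. The added check below (not from the deck; the sample names are constructed) applies the RFC 1123 rules the slide recommends, label by label, and reports what is outside them.

```python
"""Check DNS domain names against the RFC 1123 character set ('A'-'Z',
'a'-'z', '0'-'9', '-'), reporting labels that a strict server would reject.
Added example; the names tested are constructed."""
import re

# A label: 1 to 63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_name(name):
    """Return (ok, problems). ok is True only when every label is RFC 1123
    clean and the length limits (63 per label, 253 overall) hold."""
    problems = []
    host = name.rstrip(".")          # a trailing dot marks an absolute name
    if not host:
        return False, ["empty name"]
    if len(host) > 253:
        problems.append("name longer than 253 characters")
    for label in host.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > 63:
            problems.append(f"label '{label}' longer than 63 characters")
        elif not LABEL_RFC1123.match(label):
            bad = sorted({c for c in label
                          if not (c.isascii() and (c.isalnum() or c == "-"))})
            if bad:
                problems.append(f"label '{label}' uses non-RFC 1123 characters {bad}")
            else:
                problems.append(f"label '{label}' starts or ends with '-'")
    return (not problems), problems


def audit(names):
    """Return the names that would break on a strictly RFC 1123 DNS server."""
    return [n for n in names if not check_name(n)[0]]


if __name__ == "__main__":
    for n in ["na.widgets.org", "hr_dept.widgets.org", "-lab.widgets.org"]:
        print(n, check_name(n))
```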

Page 32: DNS Requirements: The Locator

Domain controllers dynamically register Service Location records
  SRV resource record (RFC 2052)
  Maps (service) --> (hosts offering service)
  General rendezvous mechanism
  Analogous to SMTP and the MX record
NETLOGON service sends updates
  Dynamic update protocol (RFC 2136)

Page 33: DNS Requirements: Locator records

SRV records are named like ldap.tcp.<domain name>.
  i.e. ldap.tcp.nt.microsoft.com.
  More like that, all ending in <domain name>
DNS server that owns <domain name>
  MUST support the SRV record
  SHOULD support dynamic update
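The two slides above describe what the locator registers and how a client resolves it. The added example below (not from the deck) parses SRV records in the zone-file form that NETLOGON.DNS holds, builds the owner name for a service, and applies SRV client selection: lowest priority first, then a weighted choice among equal priorities. The record lines and host names are constructed; the shipped product registers the names with a leading underscore on each label (_ldap._tcp, the RFC 2782 form), which is what the sample uses. A final helper lists registered targets that are not known domain controllers, since clients will send logons wherever these records point.

```python
"""Parse DC locator SRV records and select a target as an SRV client does.
Added example; the record lines below are constructed with hypothetical names."""
import random
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Constructed sample of zone-file lines in the form NETLOGON.DNS contains.
SAMPLE_NETLOGON_DNS = """
_ldap._tcp.nt.example.com. 600 IN SRV 0 100 389 dc1.nt.example.com.
_ldap._tcp.nt.example.com. 600 IN SRV 0 50 389 dc2.nt.example.com.
_ldap._tcp.nt.example.com. 600 IN SRV 10 100 389 dc3.nt.example.com.
_kerberos._tcp.nt.example.com. 600 IN SRV 0 100 88 dc1.nt.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.nt.example.com.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Return an SrvRecord for every well-formed SRV line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"].lower(), int(m["ttl"]), int(m["priority"]),
                                     int(m["weight"]), int(m["port"]), m["target"].lower()))
    return records


def service_name(service, proto, domain):
    """Owner name for a locator record, e.g. ('ldap', 'tcp', 'nt.example.com')."""
    return f"_{service}._{proto}.{domain.rstrip('.')}.".lower()


def lowest_priority_group(records, name):
    """All records for name that share the lowest priority value (tried first)."""
    candidates = [r for r in records if r.name == name]
    if not candidates:
        return []
    lowest = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == lowest]


def select_target(records, name, roll=None):
    """Weighted pick within the lowest priority group. roll is a number in
    1..sum(weights); it is drawn at random unless given (given = reproducible)."""
    group = lowest_priority_group(records, name)
    if not group:
        return None
    total = sum(r.weight for r in group)
    if total == 0:                      # all weights zero: any member will do
        return group[0]
    if roll is None:
        roll = random.randint(1, total)
    for r in group:
        roll -= r.weight
        if roll <= 0:
            return r
    return group[-1]


def unexpected_targets(records, known_dcs):
    """Registered SRV targets that are not known domain controllers."""
    return sorted({r.target for r in records if r.target not in known_dcs})
```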

Page 34: Upgrading Windows NT 4.0

Start with Windows NT 4.0 domains
Implement Mixed mode domains
Migrate over time to Native mode domains

Page 35: Summary

Active Directory Terms
Plan Your Domains
  OUs, Group Policy
  Sites, Global Catalog, DNS
Plan The Upgrade
Review the Plan
