
ACTIVE DIRECTORY FUNCTIONS

OVERVIEW OF ACTIVE DIRECTORY

Directory Services
Used to define, manage, access, and secure network resources. Resources include: files, printers, groups, people, and applications.

Active Directory
Stored as NTDS.dit on a domain controller. Used by domain controllers to authenticate users. Domain controllers store, maintain, and replicate the directory database.

ACTIVE DIRECTORY BENEFITS

Centralized administration
Single point of access
Fault tolerance and redundancy
  Multiple domain controllers are used
  Multi-master replication
Simplified resource location

CENTRALIZED ADMINISTRATION
Hierarchical organization for ease of administration
Common Microsoft Management Console (MMC) tool set
  Active Directory Users And Computers (DSA.MSC)
  Active Directory Domains And Trusts (DOMAIN.MSC)
  Active Directory Sites And Services (DSSITE.MSC)

DOMAINS, TREES, AND A FOREST
[Diagram: one forest containing two domain trees. contoso.com is the forest root and the root of the first tree; it is the parent of the child domains west.contoso.com and east.contoso.com, each holding organizational units (ou). tailspintoys.com is the root of the second domain tree.]

SINGLE POINT OF AUTHENTICATION
[Diagram: before directory services, a user authenticates separately to Server1, Server2, and Server3; after directory services, the user authenticates once to Active Directory and has single sign-on to all three servers.]

MULTI-MASTER REPLICATION

SIMPLIFIED RESOURCE LOCATION


Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003 and 2008. Search Active Directory to find:
  Shared folders
  Printers
  People (user accounts)


ACTIVE DIRECTORY SCHEMA

Object classes
  User accounts
  Computer accounts
  Printers
  Groups
Object attributes
  Name
  Globally unique identifier (GUID)
  Location (for printers)
  E-mail address (for users)

ACTIVE DIRECTORY COMPONENTS

SITES
Used to reflect the physical network structure
  Usually local area network (LAN) versus wide area network (WAN)
Optimize replication
Knowledge Consistency Checker (KCC) creates and maintains this structure

DOMAINS
Logical grouping of resources. Form security and replication boundaries.
  Individual access control lists (ACLs) for each domain.
  Group Policies are typically assigned and inherited within a domain only, not from the forest.
  Domain replication is independent of global catalog and schema replication.
Multiple domains may be used by a single organization.

ORGANIZATIONAL UNITS
Container objects
Look like a folder with a book icon in Active Directory Users And Computers
Security is applied to OUs
  Inherited by child OUs
  Used to control access to that OU or hide subordinate OUs
Allows for the delegation of administrative rights

NAMING STANDARDS
Lightweight Directory Access Protocol (LDAP)
  Standard naming structure and hierarchy
  Established by the Internet Engineering Task Force (IETF)
Domain Name System (DNS)
Uniform Resource Locator (URL)

LDAP NAMES
[Diagram: the domain cohowinery.com contains the organizational units Sales (users Jeffrey Smith and Guy Gilbert) and Accounting (Color Printer). Jeffrey Smith's object is named both by its LDAP distinguished name, Cn=jsmith,ou=sales,dc=cohowinery,dc=com, and by its user principal name, jsmith@cohowinery.com.]

PLANNING FOR ACTIVE DIRECTORY

Logical and physical structure
DNS and Active Directory integration and naming
Functional levels of domains and forests
Trust relationships and models
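The two name forms on the LDAP NAMES slide can be handled programmatically. The Python below is an added example, not code from the slides: it parses a distinguished name into its RDNs (honouring the RFC 4514 backslash escape, so a comma inside a CN does not split the name), derives the domain's DNS name from the dc= components, and checks that a user principal name belongs to the same domain; cohowinery.com and jsmith are the slide's hypothetical values.

```python
# Constructed sample values taken from the LDAP NAMES slide (cohowinery.com is a
# hypothetical domain); the parser below is added example code, not from the slides.
SAMPLE_DN = "cn=jsmith,ou=sales,dc=cohowinery,dc=com"
SAMPLE_UPN = "jsmith@cohowinery.com"

def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) pairs, one per RDN.

    A backslash escapes the next character (RFC 4514), so cn=Smith\\, Jeffrey stays
    one RDN.  Hex escapes (\\2C) are not decoded here.  Attribute types are
    case-insensitive, so they are lower-cased; values are returned as written.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch                 # escaped comma/equals is part of the value
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)          # unescaped comma ends the current RDN
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().lower(), value))
    return pairs

def domain_from_dn(dn):
    """Join the dc= components into the DNS name of the domain (e.g. cohowinery.com)."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc").lower()

def dn_from_domain(domain):
    """Build the domain's own distinguished name from its DNS name."""
    return ",".join("dc=%s" % label for label in domain.lower().split("."))

def upn_domain(upn):
    """Return the domain suffix of a user principal name (the part after the last '@')."""
    user, sep, domain = upn.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("not a user principal name: %r" % upn)
    return domain.lower()
```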


STRUCTURING ACTIVE DIRECTORY

Security and administrative goals are important when defining the logical structure.
  Group Policy application and inheritance
  Delegating administrative control
  Permission inheritance
Logical structure often reflects the business or administrative model.
Sites are used to reflect the physical structure of the network.

ROLE OF DNS
Resolves friendly names to Internet Protocol (IP) addresses.
Required by Active Directory.
Domain members use service locator (SRV) records to find domain controllers.
Dynamic DNS (DDNS) is supported and recommended.

FUNCTIONAL LEVELS
Designed to support downlevel compatibility
Increasing functional level allows for use of new features
Two types of functional level
  Domain functional level
  Forest functional level

DOMAIN FUNCTIONAL LEVELS

Windows 2000 mixed
Windows 2000 native
Windows Server 2003 interim
Windows Server 2003
Windows Server 2008

RAISING THE DOMAIN FUNCTIONAL LEVEL

Must be logged on as a member of the Domain Admins group.
Performed using the Primary Domain Controller (PDC) emulator.
All domain controllers must support the new level.
Irreversible.

FOREST FUNCTIONAL LEVELS

Windows 2000
Windows Server 2003 interim
Windows Server 2003
Windows Server 2008

RAISING THE FOREST FUNCTIONAL LEVEL

Must be logged on as a member of the Enterprise Administrators group.
Must be connected to the Schema Operations Master.
All domain controllers must support the new functional level.
Irreversible.

ACTIVE DIRECTORY TRUST MODELS

Transitivity: If A trusts B and B trusts C, then A trusts C
[Diagram: a Forest Root Domain with Child Domain A, Child Domain B, Child Domain C, and Child Domain D beneath it, linked by parent/child trusts; because these trusts are transitive, each domain trusts every other domain in the forest.]

SHORTCUT TRUST
[Diagram: the same forest (Forest Root Domain with Child Domains A, B, C, and D), with a shortcut trust drawn directly between Child Domain B and Child Domain D so that authentication between them does not have to follow the trust path through the forest root.]

WINDOWS NT SERVER 4.0 TRUST MODEL
[Diagram: Domain A, Domain B, Domain C, and Domain D linked by individual trusts; Windows NT 4.0 trusts are not transitive, so each pair of domains needs its own trust relationship.]

CROSS-FOREST TRUST
Tree/Root Trust
Parent/Child Trust
Forest Trust
Shortcut Trust
Realm Trust
External Trust

SUMMARY
Active Directory is a database (NTDS.dit).
DNS is required by Active Directory.
Schema defines object types and attributes.
Domain and forest functional levels provide a balance between backward compatibility and new functionality.
Active Directory allows for two-way transitive (Kerberos) trusts.
Trusts allow domain hierarchies to be created.
Cross-forest trusts are a new feature.
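The transitivity rule from the ACTIVE DIRECTORY TRUST MODELS slide and the trust types listed above can be worked through with a small model, which is useful for seeing how far a single trust extends the set of accounts a domain will accept. The Python below is an added example, not from the slides; it assumes hypothetical domains (fabrikam.com, adatum.com and legacy.local added around the slides' contoso.com/tailspintoys.com forest), treats parent/child, tree/root, shortcut and forest trusts as transitive and external trusts as non-transitive, and leaves realm trusts out because their transitivity is configurable. It ignores SID filtering and selective authentication, which further restrict what a trust grants.

```python
from collections import deque

# Constructed example (not from the slides): hypothetical domains modelled on the
# contoso.com / tailspintoys.com forest diagram.  Each trust is
# (trusting_domain, trusted_domain, kind); "A trusts B" means B's users can be
# authenticated to A's resources.  Two-way trusts are listed in both directions.
TRANSITIVE_KINDS = {"parent-child", "tree-root", "shortcut", "forest"}

def two_way(a, b, kind):
    return [(a, b, kind), (b, a, kind)]

SAMPLE_TRUSTS = (
    two_way("contoso.com", "west.contoso.com", "parent-child")
    + two_way("contoso.com", "east.contoso.com", "parent-child")
    + two_way("contoso.com", "tailspintoys.com", "tree-root")
    + two_way("contoso.com", "fabrikam.com", "forest")     # cross-forest trust
    + two_way("fabrikam.com", "adatum.com", "forest")      # fabrikam's other forest trust
    + [("west.contoso.com", "legacy.local", "external")]   # one-way, non-transitive
)

def trusted_domains(trusts, start):
    """Every domain whose users 'start' will accept, following the trust rules:
    a direct trust of any kind counts; a path of two or more hops may use only
    transitive trust kinds; and a forest trust does not extend to a third forest."""
    adj = {}
    for trusting, trusted, kind in trusts:
        adj.setdefault(trusting, []).append((trusted, kind))
    reachable, frontier, seen = set(), deque(), set()
    for trusted, kind in adj.get(start, []):
        reachable.add(trusted)                    # direct trust, always honoured
        if kind in TRANSITIVE_KINDS:
            state = (trusted, 1 if kind == "forest" else 0)
            seen.add(state)
            frontier.append(state)
    while frontier:
        domain, forest_hops = frontier.popleft()
        for nxt, kind in adj.get(domain, []):
            if kind not in TRANSITIVE_KINDS:
                continue                          # e.g. external: path stops here
            hops = forest_hops + (1 if kind == "forest" else 0)
            if hops > 1:
                continue                          # no chaining across two forest trusts
            reachable.add(nxt)
            if (nxt, hops) not in seen:
                seen.add((nxt, hops))
                frontier.append((nxt, hops))
    reachable.discard(start)
    return reachable
```

Running it for east.contoso.com shows that the external trust west.contoso.com created to legacy.local does not leak to sibling domains, while the forest trust to fabrikam.com does reach every domain in the contoso forest.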