NT vs. Windows 2000
                                Windows NT                      Windows 2000
1. File systems                 FAT 16 and NTFS 4.0             FAT 16, FAT 32 and NTFS 5
2. Default Internet Explorer    Internet Explorer 4.0           Internet Explorer 5.5
3. Domain model                 Single master                   Multi-master
4. Security accounts            Stored in SAM                   Stored in ADS (Active Directory)
5. Database size                40 MB                           17 TB
6. Objects supported            Up to 40,000                    More than 1 million
Limitations of NT Security
• Restricted SAM size
• Single point of failure at the primary domain controller
• Poor operational performance
• Poor replication performance
• Lack of management granularity
• Nontransitive trust relationships
Lack of Management
A major weakness in the SAM structure is its inability to support hierarchical
management.
2. Multiple domain controllers can host read/write copies of Active Directory, eliminating the
problems with a single point of failure and poor operational performance.
3. A Windows 2000 server can be promoted to a domain controller and demoted back to a
member server without the need to reinstall the operating system.
4. Active Directory domains still use “trusts” that now give full, two-way access to resources and
are fully transitive between domains.
Introduction: Active Directory is made up of components that constitute its logical and physical
structure. To administer Active Directory, we must understand the purpose of these components.
Logical Structure: The logical structure of Active Directory provides methods for organizing
network resources such as computers, printers, users and groups. It is made up
of objects, organizational units, domains, domain trees, and forests.
1. Objects
The object is the most basic component of the logical structure. Object classes are templates for the
types of objects that can be created in Active Directory. Each object class is defined by a group of
attributes. Attributes define the possible values that can be associated with an object. Each object has a
unique combination of attribute values.
2. Organizational units
Organizational units are container objects that are used to group other objects in a manner that
supports your administrative purposes. By grouping objects by organizational unit in a logical fashion,
it becomes easier to locate and administer objects. We can also delegate the authority to administer an
organizational unit. Organizational units can be nested in other organizational units. By nesting
organizational units, we can further simplify the administration of objects.
3. Domains
Domains are the core functional units in the Active Directory logical structure. A domain is a
collection of objects that share a common directory database, security policies, and security
relationships with other domains. Domains provide the following three functions:
• Serve as an administrative boundary for objects
• Help to manage security for shared resources
• Serve as a unit of replication for objects
4. Domain Trees
Domains can be grouped together in hierarchical structures that are called trees. When a second
domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child
domain is attached is called the parent domain. A child domain may in turn have its own child
domain. The name of a child domain is combined with the name of its parent domain to form its own
unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.
5. Forests
Forests are made up of one or more trees, although a single two-level tree is recommended for most
organizations. A two-level tree is when all child domains are made children of the forest root domain
to form one contiguous tree. The first domain in the forest is called the forest root domain, and the
name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory.
By default, the information within Active Directory is shared only within the forest. In this way, the
forest is a security boundary for the information contained in the instance of Active Directory.
Physical Structure: The physical structure of Active Directory models the physical structure of
the network, and is made up of domain controllers and sites. The physical structure of Active
Directory defines where and when replication and logon traffic occur, and is used to manage
network traffic: it lets you optimize network traffic by determining when and where replication
and logon traffic occur. The elements of the Active Directory physical structure are:
1. Domain controllers. A domain controller performs storage and replication functions. A domain
controller can support only one domain. A domain can have one or more domain controllers.
2. Active Directory sites. Sites are created mainly to optimize replication traffic and to enable users
to connect to domain controllers over reliable, high-speed connections. A site is a group of
well-connected computers. When sites are established, domain controllers within a single site
communicate frequently. This communication minimizes the latency within the site. Latency is the
time required for a change that is made on one domain controller to be replicated on other domain
controllers. You create sites to optimize the use of bandwidth between separated domain controllers.
There can be multiple domains in a single site, and a single domain can span multiple sites.
Note : We use Logical structure to organize the network resources and Physical structure
to manage the network traffic.
1.Open Active Directory Users and Computers and view the organizational
units in Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Users and Computers.
b. In the left pane, double-click Active Directory Users and Computers.
c. In the left pane, double-click the domain for which you want to view the organizational units.
d. Display the Properties page for each container in the left pane and determine the object type by
using the Object class information on the Object tab.
You can also view the organizational units in Active Directory by using the
ADSI editor. The ADSI Edit snap-in is not installed by default. To install it, use the
support tools installer, Suptools.msi, which is located in the \Support\Tools
folder of the Windows Server 2003 product CD.
2. Open Active Directory Domains and Trusts to view the logical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Domains and Trusts.
b. In the left pane, expand the node that represents the forest-root domain
to view the domains that make up the logical structure of Active
Directory.
3. Open Active Directory Sites and Services and view the physical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Sites and Services.
b. In the left pane, expand the Sites folder.
c. Click the folder that represents the site for which you want to view a list
of servers.
d. Click the Servers folder to view a list of servers in the right pane.
What Does Active Directory Do?
1. Active Directory stores information about users, computers and network resources, and makes the
resources accessible to users and applications. It does this by providing a consistent way to name,
describe, locate, access, manage, and secure information about these resources.
2. Active Directory provides centralized control of network resources, such as servers, shared files,
and printers, and allows only authorized users to gain access to resources throughout Active Directory.
3. With Active Directory, you can centralize or delegate the administration of resources and objects as
appropriate. Administrators can manage distributed desktops, network services, and applications from
a central location by using a consistent management interface, or they can distribute administrative
tasks by delegating control of resources to other administrators.
4. When Active Directory is installed, all resources in a Windows Server 2003 network are stored in
Active Directory as objects. These objects are organized in a secure, hierarchical logical structure.
5.The physical structure of Active Directory enables you to optimize the use of network bandwidth.
For example, the physical structure of Active Directory ensures that, when users log on to the
network, they are authenticated by the authentication authority that is nearest to the user, thus reducing
the amount of network traffic.
Schema
Active Directory Schema is the structure of the database which contains the definitions
of objects. Active Directory objects represent users, groups and network resources such as
computers and printers. All servers, domains, and sites in the network are also represented as objects.
Because Active Directory represents all network resources as objects in a distributed database, a single
administrator can centrally manage and administer these resources. There can be only one schema
for the entire forest, so that all objects created in Active Directory conform to the same rules. The
schema holds two types of object definition: classes and attributes.
When you create an object, the properties, or attributes, of that object store the information that
describes the object. Some of these attributes are mandatory and must be assigned a value to create the
object. For example, when you create a user object, you must assign a value to the SAM Account
Name attribute. Users can locate objects throughout Active Directory by searching for specific
attributes. For example, you can search for a particular object by searching on an attribute value that
makes it unique, such as a printer name, or you can search for an object that has a combination of
attribute values, such as a printer with a location value of building 118, a floor value of 3.
Structure of Active Directory Database
All databases have a schema, which is a formal definition (a set of rules) that
governs the database structure and the types of objects and attributes that can be
contained in the database. The schema contains a list of all classes and
attributes in the forest:
Classes
Class attributes
Class relationships such as subclasses (child classes that inherit attributes from
the super class) and super classes (parent classes).
Object relationships such as which objects are contained by other
objects or which objects contain other objects.
There is a classSchema object for each class in the Active Directory
database, and an attributeSchema object for each object attribute in the
database.
Partitions
Active Directory objects are stored in the Directory Information Tree (DIT)
which is broken into the following partitions:
The DIT holds a subset of Active Directory information and stores enough
information to start and run the Active Directory service.
Schema Container
System Attributes
These system attributes can only be changed by the Directory System Agent
(DSA), which manages the Active Directory database:
badPasswordCount
badPasswordTime
creationTime
domainReplica
isCriticalSystemObject
lastLogoff
lastLogon
LockoutTime
modifiedCount
ntPwdHistory
PrimaryGroupName
revision
SAMAccountName
SAMAccountType
Schema Modifications
The schema operations master is the only domain controller from which the
schema can be changed.
The Schema console must have schema modification set to enabled.
Each schema object has permissions set through the Windows 2000
security model.
Global Catalog
Resources in Active Directory can be shared across domains and forests. Active Directory must
therefore provide a method that makes searching for resources across domains and forests transparent
to the user. The global catalog feature of Active Directory makes such searches possible. Global
Catalog is a repository containing information which is necessary to determine the
location of any object in Active Directory. For example, if you search for all of the printers in a
forest, a global catalog server processes the query in the global catalog and then returns the results.
Without a global catalog server, this query would require a search of every domain in the forest.
Relative Distinguished Name: The relative distinguished name of an object uniquely identifies the
object within its container. No two objects in the same container can have exactly the same name. The
relative distinguished name is always the first component of the distinguished name, but it might not
always be a common name.
Example of a Relative Distinguished Name
Sales is the relative distinguished name of an organizational unit that is represented by the following
LDAP naming path: OU=Sales,DC=contoso,DC=msft
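To make the naming rule concrete, here is an added example (not from the original notes) that splits an LDAP distinguished name into its components and returns the first one as the relative distinguished name. It honours the RFC 4514 backslash escape, so a comma inside a value does not split the name; the `CN=Smith\, John` value is a constructed sample.

```python
def split_dn(dn):
    """Split a DN into its RDN components, honouring RFC 4514 backslash escapes
    so that an escaped comma inside a value (e.g. CN=Smith\\, John) is kept."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def rdn(dn):
    """The relative distinguished name is always the first component of the DN.
    Its attribute type need not be CN; for an organizational unit it is OU."""
    return split_dn(dn)[0]

def parent_container(dn):
    """Everything after the RDN names the container the object lives in; two objects
    may share an RDN only if their parent containers differ."""
    return ",".join(split_dn(dn)[1:])

if __name__ == "__main__":
    sample = "OU=Sales,DC=contoso,DC=msft"           # the page's example path
    escaped = "CN=Smith\\, John,OU=Sales,DC=contoso,DC=msft"  # constructed sample
    print(rdn(sample), "|", parent_container(sample))
    print(split_dn(escaped))
```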
You can create scripts by using ADSI to perform the following tasks:
1. Retrieve information about Active Directory objects
2. Add objects to Active Directory
3. Modify Active Directory object attribute values
4. Delete objects from Active Directory
5. Extend the Active Directory schema
ADS and DNS Integration
DNS domains and Active Directory domains use identical domain names for different namespaces.
Using identical domain names enables computers in a Windows Server 2003 network to use DNS to
locate domain controllers and other computers that provide Active Directory-related services. The
integration of DNS and Active Directory is essential because a client computer in a Windows Server
2003 network must be able to locate a domain controller to allow users to log on to a domain or to use
the services provided by Active Directory. To locate a domain controller, a computer uses DNS to
find the IP address of a computer that provides the required service within Active Directory.
For Active Directory to function properly, client computers must be able to locate servers that provide
specific services such as authenticating logon requests and searching for information in Active
Directory. To achieve this, Active Directory stores information about the location of the computers
that provide these services in DNS records known as SRV resource records.
SRV resource records link the name of a service to the DNS computer name for the computer that
offers that service. For example, an SRV record can contain information to help clients locate a
domain controller in a specific domain or forest.
When a domain controller starts, it registers SRV records, which contain information about the
services it provides, and an A resource record that contains its DNS computer name and its IP address.
A DNS client later uses this combined information to locate the requested service on the appropriate
domain controller.
All SRV records use a standard format, which consists of fields that contain the information used to
map a specific service to the computer that provides the service.
The SRV record indicates that the computer provides the following services:
1. Provides the LDAP service
2. Provides the LDAP service by using the TCP transport protocol
3. Registers the SRV record in the contoso.msft DNS domain
4. Has a time to live (TTL) of 600 seconds or 10 minutes.
5. Has an FQDN of london.contoso.msft
Procedure for viewing SRV records by using the DNS Snap-in
You can use either the DNS console or the NSLookup utility to view the SRV records registered by
domain controllers. To view the SRV resource records registered by domain controllers by using the
DNS snap-in, perform the following steps:
1. Open DNS from the Administrative Tools menu.
2. Double-click Server (where Server is the name of your DNS server), double-click Forward
Lookup Zones, and then double-click the domain.
3. Open the following folders in the domain folder to view the SRV resource records that are
registered:
• _msdcs
• _sites
• _tcp
• _udp
The following describes the process of how a computer locates a domain controller:
1. A user logs on to the domain, initiates an Active Directory search, or performs other tasks that
require a domain controller. The Net Logon service on the client (the computer that is
locating the domain controller) starts the DsGetDcName application programming interface
(API).
2. Net Logon collects information about the client and the specific service required; this
information will be included in the DNS query. This information is specified by the following
DsGetDcName parameters:
• ComputerName. The name of the client computer.
• DomainName. The name of the DNS domain that will be queried.
• SiteName. The name of the site in which the domain controller should be located.
If the site is not specified, the domain controller that will be located is in the site that is
closest to the site in which the client computer is located. The client also specifies that
the domain controller should be an LDAP server in the domain named by DomainName,
or a global catalog server or KDC server for the forest in which DomainName is located.
3. The Net Logon service sends a DNS query to a DNS server. This DNS query contains the
information it collected from the client and specifies the service that is required.
4. The DNS server queries the DNS zone database for SRV records that match the service
required by the client in the domain named by DomainName.
5. The DNS server returns a list of IP addresses of domain controllers that provide the service
requested in the domain specified by the client.
6. The Net Logon service sends a datagram (an LDAP UDP message) to one or more of the
located domain controllers to determine whether it is running and whether it supports the
specified domain.
7. Each available domain controller responds to the datagram to indicate that it is currently
operational, and then returns the information to DsGetDcName. The Net Logon service
returns the information to the client from the domain controller that responds first.
8. The client computer chooses the first domain controller that responds and meets the criteria,
and then sends the request to that domain controller. The Net Logon service caches the
domain controller information so that it is not necessary that the client computer repeat the
discovery process for subsequent requests. Caching this information also encourages the
consistent use of the same domain controller.
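The SRV record format described above and the eight-step locator process, worked through as an added example that is not part of the original notes. The zone lines are constructed: the first record carries exactly the properties the text lists (LDAP service, TCP transport, registered in contoso.msft, TTL of 600 seconds, target london.contoso.msft); the priority 0, weight 100, port 389, the second controller paris.contoso.msft and the site name Default-First-Site-Name are assumptions, and `responds()` stands in for the LDAP UDP ping of steps 6 and 7.

```python
import re

# Constructed zone-file lines (example data, not from the page). Owner names follow the
# _msdcs / _sites / _tcp folders the DNS snap-in shows; values other than those stated in
# the text (LDAP, TCP, contoso.msft, TTL 600, london.contoso.msft) are assumptions.
ZONE = """
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 london.contoso.msft.
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 paris.contoso.msft.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 london.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 london.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 paris.contoso.msft.
"""

SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(line):
    """Parse one SRV zone line into its fields; return None for blank or non-SRV lines."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    owner, ttl, prio, weight, port, target = m.groups()
    labels = owner.rstrip(".").lower().split(".")   # _ldap, _tcp, <rest of the DNS name>
    return {"owner": ".".join(labels), "service": labels[0].lstrip("_"),
            "proto": labels[1].lstrip("_"), "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target.rstrip(".").lower()}

def load_zone(text):
    return [rec for rec in map(parse_srv, text.splitlines()) if rec]

def query(records, name):
    """Simulated DNS answer (steps 4 and 5): SRV records for the name, lowest priority first."""
    name = name.lower()
    return sorted((r for r in records if r["owner"] == name),
                  key=lambda r: (r["priority"], -r["weight"]))

DC_CACHE = {}  # step 8: the domain controller remembered per (domain, site)

def locate_dc(records, domain, site=None, responds=lambda target: True):
    """Steps 2 to 8 of the locator process: ask for a DC in the client's site first,
    fall back to any DC in the domain, probe candidates in order (responds() plays the
    role of the LDAP UDP ping), and cache the first one that answers."""
    key = (domain.lower(), (site or "").lower())
    if key in DC_CACHE:
        return DC_CACHE[key]
    candidates = query(records, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}") if site else []
    if not candidates:
        candidates = query(records, f"_ldap._tcp.dc._msdcs.{domain}")
    for rec in candidates:
        if responds(rec["target"]):
            DC_CACHE[key] = rec["target"]
            return rec["target"]
    return None  # no domain controller answered, so the logon or search cannot proceed
```

Passing a `responds` callback that rejects one controller shows the fallback to the next candidate, and a repeated call for the same (domain, site) returns the cached answer without a new query.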