© N. Ganesan, Ph.D., All rights reserved.

Active Directory Installation

Nanda Ganesan, Ph.D.

Contributions

• Chris Rike
• Christian Ng
• Juan Herrera
• Pauline Cheng

Overview of Active Directory

• Directory service included in Windows Server

• Stores information about network objects and makes that information available to administrators, users, and applications

• Provides a single point of network management, allowing people to add, remove, and relocate users and resources easily

1. What is Active Directory? What is the purpose of using Active Directory?

2. What is the function of a directory service? How is it structured?

3. How does Active Directory communicate with a wide variety of other technologies?

What is Active Directory? What is the purpose of using Active Directory?

• Active Directory is the directory service included in Windows 2000 Server.

• Active Directory stores information about network objects and makes that information available to administrators, users, and applications.

• Active Directory provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.

Active Directory Provides Benefits

1) Integration with DNS
2) Flexible querying
3) Information security
4) Simplified administration
5) Scalability

1) Integration with DNS

• Active Directory provides a namespace that is integrated with the Internet's Domain Name System (DNS).
• Active Directory domains and DNS domains have the same hierarchical structure.
• DNS zones can be stored in Active Directory.
• Active Directory clients use DNS to locate domain controllers.

(diagram 1)

2) Flexible querying

• Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using its object properties.

• For example, one can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account.

3) Information security

• Protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.

4) Simplified administration

• Since all domain controllers in the domain are equal, changes made on one domain controller are replicated to all other domain controllers in the domain.

• This provides a single point of administration for all objects on the network.

5) Scalability

• With one or more domain controllers, Active Directory enables you to scale the directory to meet any network requirement.

• Multiple domains can be combined into a domain tree and multiple domain trees can be combined into a forest.

How is it structured?

• Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

How does Active Directory communicate with a wide variety of other technologies?

• Because Active Directory is based on standard directory access protocols, it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols.

Active Directory

Figure 1 How Microsoft fits into the Internet's DNS namespace

Figure 2 Comparing DNS and Active Directory namespace roots

Objects

• The entities that make up a network

• A distinct, named set of attributes that represents something concrete, e.g. a user

• A globally unique identifier (GUID) is assigned to each object when it is created

Schema

• A description of the object classes
• The attributes for those object classes

Every Active Directory object is an instance of an object class. Each attribute is defined only once and can be used in multiple classes.

Schema Attributes and Querying

• Using the Active Directory Schema tool
– Mark an attribute as indexed
– Include attributes in the global catalog

• The global catalog contains a default set of attributes for every object in the forest. Attributes added to it should be:
– Globally useful
– Not volatile
– Small

Schema Object Names

• LDAP display name
• Common name
• Object identifier (OID)

Object Naming Conventions

• Security principal names
• Security identifier
• LDAP-related names
• Object GUIDs
• Logon names

Security Principal Names

• Can be a user account, computer account, or a group.

• A name that uniquely identifies a user, computer, or group within a single domain.

• Unique across domains for backward compatibility.

Security IDs (SIDs)

• A unique number created by the security subsystem of the Windows 2000 operating system and assigned to security principal objects, i.e. user, group, and computer accounts.

• Every account on the network is issued a unique SID when that account is first created.
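A worked example, added here and not part of the original slides, of how a SID string is put together and why the last component matters to a defender: the domain portion is shared by every principal created in that domain, and the trailing relative identifier (RID) of a built-in principal is fixed at creation, so a renamed built-in Administrator account still carries RID 500. The sample SIDs are constructed; the domain part is the one used in Microsoft's documentation examples and names no real domain.

```python
import re

# Well-known relative identifiers (RIDs) Windows assigns to built-in domain
# principals. The RID is fixed at creation; an administrator can rename the
# account but cannot change the RID, so it is the reliable thing to monitor.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Split a string SID 'S-R-I-S1-S2-...' into its revision, identifier
    authority and sub-authorities, checking the limits of the binary format
    (48-bit authority, at most 15 sub-authorities of 32 bits each)."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a string SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority list out of range")
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def split_domain_and_rid(text):
    """Return (domain SID, RID) for an account SID of the form
    S-1-5-21-<a>-<b>-<c>-<rid>: NT authority (5), the domain marker 21,
    three 32-bit values identifying the domain, then the principal's RID."""
    sid = parse_sid(text)
    subs = sid["subauthorities"]
    if sid["authority"] != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not an account SID issued by a domain: %r" % text)
    domain = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
    return domain, subs[4]


def well_known_name(text):
    """Name of the built-in domain principal this SID denotes, or None for
    ordinary accounts and for SIDs that are not domain account SIDs."""
    try:
        _, rid = split_domain_and_rid(text)
    except ValueError:
        return None
    return WELL_KNOWN_DOMAIN_RIDS.get(rid)


def same_domain(sid_a, sid_b):
    """True when two account SIDs were issued by the same domain."""
    return split_domain_and_rid(sid_a)[0] == split_domain_and_rid(sid_b)[0]


if __name__ == "__main__":
    # Constructed sample SIDs; the domain part is the one used in Microsoft's
    # documentation examples and does not belong to any real domain.
    for s in ("S-1-5-21-3623811015-3361044348-30300820-1013",
              "S-1-5-21-3623811015-3361044348-30300820-500"):
        domain, rid = split_domain_and_rid(s)
        print(s, "-> domain", domain, "RID", rid, well_known_name(s) or "(ordinary account)")
```

Built-in local groups such as S-1-5-32-544 (the local Administrators group) are valid SIDs but are not issued by a domain, so `well_known_name` returns None for them; only the S-1-5-21 domain form carries a domain-issued RID.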

LDAP-related Names

• LDAP defines what operations can be performed in order to query and modify information in a directory, and how information in a directory can be securely accessed.

LDAP-related Names

• Three object-naming formats based on the LDAP distinguished name:
– LDAP DN and RDN names
– LDAP URLs
– LDAP-based canonical names

LDAP-related Names

Example:
User = John
Country = USA (forest)
State = CA (tree)
City = Rosemead (domain)
Department = Marketing (OU)

LDAP-related Names

• LDAP DN Name:
cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA

• LDAP URL Name:
LDAP://server1.CA.USA.com/cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA

• Canonical Name:
CA.USA.com/Rosemead/Marketing/John
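The conversions between the three name forms, as an added example that is not from the original slides: a small RFC 4514-style DN parser that honours backslash escapes (a comma inside a common name), the canonical-name derivation, the LDAP URL form, and a containment check of the kind a delegation script needs before acting on an object (is this DN really inside the OU whose administration was delegated to me?). The DN used here (cn=John,ou=Marketing,dc=rosemead,dc=example,dc=com) and the host server1.example.com are constructed so that the DNS suffix is consistent throughout; the slide's own example keeps its values.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Parse an LDAP distinguished name into [(type, value), ...], most
    specific RDN first. Backslash escapes follow RFC 4514: '\\,' keeps a
    literal comma, '\\2C' is the same comma as a hex pair. Multi-valued RDNs
    joined with '+' are not handled; hex pairs are decoded as single bytes."""
    rdns, buf, key, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])
                i += 2
            else:
                raise ValueError("dangling escape at end of DN")
            continue
        if ch == "=" and key is None:
            key = "".join(buf).strip().lower()   # attribute types are case-insensitive
            buf = []
        elif ch == ",":
            if key is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((key, "".join(buf)))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((key, "".join(buf)))
    return rdns


def dn_to_canonical(dn):
    """Active Directory canonical name: the DNS name built from the dc=
    components, then the container path from the top down, then the leaf.
    A '/' inside a component is escaped as '\\/' so the path stays unambiguous."""
    rdns = parse_dn(dn)
    dns_name = ".".join(v for k, v in rdns if k == "dc")
    if not dns_name:
        raise ValueError("DN has no dc= components: %r" % dn)
    path = [v.replace("/", "\\/") for k, v in reversed(rdns) if k != "dc"]
    return "/".join([dns_name] + path)


def ldap_url(host, dn):
    """The LDAP URL form shown on the slide: LDAP://<server>/<DN>."""
    return "LDAP://%s/%s" % (host, dn)


def is_within(object_dn, container_dn):
    """True when object_dn lies below container_dn. Values are compared
    case-insensitively, as Active Directory does; the object must be a strict
    descendant, so a container is not 'within' itself."""
    obj = [(k, v.lower()) for k, v in parse_dn(object_dn)]
    base = [(k, v.lower()) for k, v in parse_dn(container_dn)]
    return len(obj) > len(base) and obj[-len(base):] == base


if __name__ == "__main__":
    # Constructed DN; the DNS suffix rosemead.example.com is made up.
    dn = "cn=John,ou=Marketing,dc=rosemead,dc=example,dc=com"
    print(dn_to_canonical(dn))                       # rosemead.example.com/Marketing/John
    print(ldap_url("server1.example.com", dn))
    print(is_within(dn, "ou=marketing,dc=rosemead,dc=example,dc=com"))   # True
```

The containment check parses both names rather than comparing raw strings, so an escaped comma in an RDN (`cn=Smith\, John`) cannot make a naive comma-split place the object in the wrong container.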

Object Publishing

• Publishing is the act of creating objects in the directory that either directly contain the information you want to make available or provide a reference to it.
– Share publishing
– Printer publishing

When to Publish

• Relatively static
– Publish only information that changes infrequently

• Structured
– Publish information that is structured and can be represented as a set of discrete attributes.

How to Publish

• Remote Procedure Call (RPC)
• Windows Sockets
• Distributed Component Object Model (DCOM)

You Use Domains to Accomplish the Following Network Management Goals:

• Administrative boundaries
• Replicate information
• Apply group policy
• Structure the network
• Delegate administrative authority

Domains:

• Trees
• Forests
• Trusts
• Organizational units (OUs)

Tree

Figure 3 Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships.

Forests

Figure 4 One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQ-Root.com.

Forest

Figure 5 Shortcut trusts between Domains B and D, and between Domains D and 2

Trust Relationships

• Transitive
• Two-way
• Shortcut trusts
• External trusts

Trust Relationships

Figure 7 A network with two forests and one extranet

Organizational Units

Figure 9 Intra-site replication with just one domain

Trust Relationships

Figure 10 Intra-site replication with two domains and two global catalogs

Trust Relationships

Figure 11 Two sites connected by a site link. Each site's preferred bridgehead server is used preferentially for inter-site information exchange.

Domain and OU Delegation

Domain Common Tasks You Can Delegate:
• Join a computer to a domain
• Manage Group Policy links

Organizational Unit Common Tasks You Can Delegate:
• Create, delete, and manage user accounts
• Reset passwords for user accounts
• Read all user information
• Create, delete, and manage groups
• Modify the membership of a group
• Manage printers
• Create and delete printers
• Manage Group Policy links

Table 4 Security Permission Settings for a GPO

Groups (or Users): Authenticated Users
Security Permission: Read with Apply Group Policy ACE

Groups (or Users): Domain Administrators, Enterprise Administrators, Creator Owner, Local System
Security Permission: Full control without Apply Group Policy ACE

Group Policy

• Group Policy (GP) defines the variety of user environments that administrators manage. GP configurations apply to computers; GP settings apply to users and computers in sites, domains, and OUs.

Group Policy

Components:
• Registry-based policies
• Security options
• Software deployment options
• Scripts
• Redirection of special folders

Group Policy

• Group Policy affects all users and computers in the linked container unless administrators explicitly change its permissions.

• By using security groups, policies are applied specifically to sets of objects within a container.

• Within security groups, Group Policy Objects (GPOs) determine the following for specific containers:

• Using security groups to represent the business organizational structure is more efficient for administration than using domains or organizational units.

• Policy settings applied domain-wide or to OUs containing other OUs are inherited by the child containers, unless inheritance is otherwise specified.
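An added example, not from the original slides, that models the security filtering described above using the default permissions of Table 4: a GPO is processed for a principal only when some identity it holds (its own account or one of its groups) is allowed both Read and Apply Group Policy, and no Deny entry takes either right away. It also shows the consequence of the table's last row: administrators hold Full Control without Apply Group Policy, yet the policy still applies to them because they are Authenticated Users. The GPO names, groups and users are constructed.

```python
from dataclasses import dataclass

READ, WRITE, APPLY_GROUP_POLICY = "Read", "Write", "Apply Group Policy"


@dataclass(frozen=True)
class Ace:
    """One access control entry on a GPO: who, which rights, allow or deny."""
    trustee: str
    rights: frozenset
    allow: bool = True


@dataclass
class Gpo:
    name: str
    acl: list


def default_gpo_acl():
    """Default permissions as in Table 4 on the page: Authenticated Users get
    Read plus Apply Group Policy; the administrative groups, Creator Owner and
    the local system get full control, which does not include Apply Group Policy."""
    full_control = frozenset({READ, WRITE})
    return [
        Ace("Authenticated Users", frozenset({READ, APPLY_GROUP_POLICY})),
        Ace("Domain Admins", full_control),
        Ace("Enterprise Admins", full_control),
        Ace("Creator Owner", full_control),
        Ace("SYSTEM", full_control),
    ]


def gpo_applies_to(gpo, principal, groups):
    """Security filtering: the GPO is processed for the principal only if the
    identities it holds (its own name plus its groups) are allowed both Read and
    Apply Group Policy, and no Deny entry on any of those identities withholds
    either right. A Deny beats an Allow, as with other Windows ACLs."""
    identities = {principal, *groups}
    allowed, denied = set(), set()
    for ace in gpo.acl:
        if ace.trustee in identities:
            (allowed if ace.allow else denied).update(ace.rights)
    needed = {READ, APPLY_GROUP_POLICY}
    return needed <= allowed and not (needed & denied)


def effective_gpos(gpos, principal, groups):
    """Of the GPOs linked above an object, the ones that will actually be
    applied to it after security filtering, in processing order."""
    return [g.name for g in gpos if gpo_applies_to(g, principal, groups)]


def exclude_group(gpo, group):
    """The usual way to keep a GPO from applying to a group without removing
    Authenticated Users: add an explicit Deny for Apply Group Policy."""
    return Gpo(gpo.name, gpo.acl + [Ace(group, frozenset({APPLY_GROUP_POLICY}), allow=False)])


if __name__ == "__main__":
    # Constructed GPOs, users and groups. Every domain logon session is a member
    # of Authenticated Users, so it is listed in each user's group set.
    baseline = Gpo("Default Domain Policy", default_gpo_acl())
    sales_only = Gpo("Sales Desktop", [
        Ace("Sales", frozenset({READ, APPLY_GROUP_POLICY})),
        Ace("Domain Admins", frozenset({READ, WRITE})),
    ])
    lockdown = exclude_group(Gpo("Workstation Lockdown", default_gpo_acl()), "Service Accounts")
    linked = [baseline, sales_only, lockdown]
    for user, groups in (("alice", {"Authenticated Users", "Sales"}),
                         ("admin", {"Authenticated Users", "Domain Admins"}),
                         ("svc-backup", {"Authenticated Users", "Service Accounts"})):
        print(user, "->", effective_gpos(linked, user, groups))
```

Two things the run makes visible: replacing Authenticated Users with a specific group (the "Sales Desktop" GPO) silently drops everyone outside that group, administrators included, and an explicit Deny is the only entry in this model that removes a GPO from a principal that is otherwise allowed.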

Delegating Control of Group Policies

• Network administrators, i.e. enterprise administrators or domain administrators, can determine which other administrator groups can modify policy settings.

• Delegation can also be granted to other administrators to perform the following tasks:
– managing group policy for domains, sites and organizational units
– creating group policy objects
– editing group policy objects

Interoperability

• Active Directory (AD) supports a number of standards to ensure interoperability of the Windows 2000 environment with other vendors (Novell, Unix).

The following are supported by Active Directory:

• Lightweight Directory Access Protocol (LDAP), which is an industry standard for directory access. This protocol is on the Internet Engineering Task Force (IETF) track to become an Internet standard.
– LDAP is used to add, modify, delete and query information stored in AD.
– LDAP is to AD what SQL is to Oracle.
– LDAP determines how a client can access the directory, the operations within the directory, and how directory data is shared.

• Application Programming Interfaces (APIs): Active Directory Service Interfaces (ADSI) and the LDAP C API.
– ADSI enables access to AD by exposing objects stored in the directory as Component Object Model (COM) objects that can be used through scripts.
– COM objects have access to different types of directories for which a provider exists.
– Several providers: Novell Directory Services (NDS), WinNT, LDAP and the Internet Information Services metabase.

• Do you guys know what an object is?

Active Directory Service Interfaces and LDAP C API

• Example: You can add a method to the user object that creates an Exchange mailbox for a user when the method is invoked.

• The LDAP C API (RFC 1823) is a set of low-level C-language APIs to the LDAP protocol.

• It is used by developers; however, ADSI is more powerful and more appropriate for developers.

Synchronizing AD with other Directory Services (DS)

• AD interacts with other directory services by using an Active Directory Connector, which offers bi-directional synchronization for:
– MS Exchange (e-mail)
– Lotus Notes (e-mail)
– GroupWise (e-mail and common attributes)

• LDAP Data Interchange Format (LDIF), handled by the LDIFDE tool: supports importing and exporting directory information. This is an Internet standard format.

LDIFDE usage:
• Perform batch operations such as add, delete, rename, modify
• Can also be used to back up or extend the schema
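An added example, not from the original slides or from Microsoft's own tool, showing the LDIF record format that LDIFDE reads and writes: an "add" and a "delete" record built per RFC 2849 (base64 encoding for values that are not safe as plain text, folding of long lines) and a parser that reads them back. Attribute names and values are constructed samples.

```python
import base64

# RFC 2849: a value is written as plain text only if it is printable ASCII,
# does not start with a space, ':' or '<', does not end with a space, and
# contains no CR/LF. Anything else is written base64 after a double colon.


def _needs_base64(value):
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)


def _attr_line(name, value):
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (name, encoded)
    return "%s: %s" % (name, value)


def _fold(line, width=76):
    """Long lines are folded; each continuation line begins with one space."""
    if len(line) <= width:
        return [line]
    rest = [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return [line[:width]] + rest


def add_record(dn, attrs):
    """LDIF 'add' record for one object. attrs maps attribute name to a value
    or a list of values (e.g. the several objectClass values)."""
    lines = [_attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(_attr_line(name, v))
    out = []
    for line in lines:
        out.extend(_fold(line))
    return "\n".join(out) + "\n"


def delete_record(dn):
    return "\n".join([_attr_line("dn", dn), "changetype: delete"]) + "\n"


def parse_ldif(text):
    """Read LDIF back into a list of records, each a dict of attribute name to
    list of values: folded lines are rejoined, '::' values base64-decoded,
    comments skipped. ':<' (value fetched from a URL) is refused on purpose."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or (not current and line.startswith("version:")):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute not accepted: %r" % line)
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    # Constructed sample object; attribute values are made up.
    ldif = add_record("cn=John,ou=Marketing,dc=example,dc=com", {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": "John",
        "displayName": "Jöhn Smith",            # non-ASCII, so base64-encoded
        "description": " starts with a space",  # unsafe first char, base64 too
    }) + "\n" + delete_record("cn=Old Account,ou=Marketing,dc=example,dc=com")
    print(ldif)
    print(parse_ldif(ldif))
```

A file written this way is what `ldifde -i -f <file>` imports. The parser refuses the `:<` URL form deliberately: an import file that pulls attribute values from arbitrary URLs is a supply-chain surface for batch directory changes, so a review tool should reject it rather than fetch.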

Internal and external references

• Administrators can create cross-reference objects that point to a server in a directory in another forest.
• They take the form of containers.
• Internally, the external reference will appear as a child of an existing AD object.
• Externally, it will not appear at all.
• For both internal and external references, AD contains the name of the DNS server holding a copy of the external directory and the distinguished name of the root of the external directory.

Kerberos Role and Interoperability

• Windows 2000 and later operating systems support multiple configurations for cross-platform interoperability:

• Clients: A domain controller will authenticate clients running RFC 1510 Kerberos. This includes clients running other operating systems.

• Unix clients and services: A Kerberos principal is mapped to a Windows 2000 user or computer account.

• Applications and operating systems: Applications and other operating systems can obtain tickets for services within a Windows 2000 environment.

• Provides backward support for earlier versions of the operating system through a mixed-mode network configuration.

• A mixed-mode domain is a networked set of computers that run both NT 4.0 and Windows 2000 and later.

Summary

• Active Directory helps centralize and simplify network manageability and provides the necessary resources to support the organization's objectives.

• AD stores information about network objects and makes that information available to administrators, users and applications.

• Interacts with the Domain Name System (DNS) by providing a namespace that defines all objects.

• Uses domains, trees, forests, trust relationships, organizational units, and sites to structure the network and its objects.

• Administrative tasks for OUs, domains and sites can be delegated to the appropriate support groups.

• AD is built on standard directory access protocols and, along with its APIs, can access other directory services to expand its flexibility.

• Data can be exported or imported as required.

Glossary

Active Directory
• An enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated at the operating-system level. Active Directory simplifies administration and makes it easier for users to find resources. Active Directory provides a wide range of features and capabilities, including group policy, scalability without complexity, support for multiple authentication protocols, and the use of Internet standards.

Active Directory Service Interfaces (ADSI)
• ADSI is a directory service model and a set of Component Object Model (COM) interfaces. It enables Windows 95, Windows 98, Windows NT, and Windows 2000 applications to access several network directory services, including Active Directory. It is supplied as a Software Development Kit (SDK).

Asynchronous Transfer Mode (ATM)
• ATM is a high-speed, connection-oriented protocol designed to transport multiple types of traffic across a network. It is applicable to both local area networks (LANs) and wide area networks (WANs). Using ATM, your network can simultaneously transport a wide variety of network traffic: voice, data, image, and video.

Dynamic Host Configuration Protocol (DHCP) with Domain Name System (DNS) and Active Directory
• DHCP works with DNS and Active Directory on Internet Protocol (IP) networks, freeing you from assigning and tracking static IP addresses. DHCP dynamically assigns IP addresses to computers or other resources connected to an IP network.

Indexing Service
• Indexing provides a fast, easy, and secure way for users to search for information locally or on the network. Users can use powerful queries to search files in different formats and languages, either through the Start menu Search command or through Hypertext Markup Language (HTML) pages that they view in a browser.

Internet Authentication Service (IAS)
• IAS provides you with a central point for managing authentication, authorization, accounting, and auditing of dial-up or Virtual Private Network users. IAS uses the Internet Engineering Task Force (IETF) protocol called Remote Authentication Dial-In User Service (RADIUS).

Internet Information Services (IIS) 5.0
• The powerful features in Internet Information Services (IIS), a part of Microsoft Windows 2000 Server, make it easy to share documents and information across a company intranet or the Internet. Using IIS, you can deploy scalable and reliable Web-based applications, and you can bring existing data and applications to the Web. IIS includes Active Server Pages and other features.

Lightweight Directory Access Protocol (LDAP) support
• LDAP, an industry standard, is the primary access protocol for Active Directory. LDAP version 3 was defined by the IETF.

Terminal Services
• The Windows 2000 Server family offers the only server operating systems that integrate terminal emulation services. Using Terminal Services, a user can access programs running on the server from a variety of older devices. For example, a user could access a virtual Windows 2000 Professional desktop and 32-bit Windows-based applications from hardware that couldn't run the software locally. Terminal Services provides this capability for both Windows and non-Windows-based client devices.

Virtual Private Network (VPN)
• You can allow users ready access to the network even when they're out of the office, and reduce the cost of this access, by implementing a VPN. Using VPNs, users can easily and securely connect to the corporate network. The connection is through a local Internet Service Provider (ISP), which reduces connect-time charges. With Windows 2000 Server, you can use several new, more secure protocols for creating Virtual Private Networks, including: L2TP, a more secure version of PPTP (L2TP is used for tunneling, address assignment, and authentication) and IPSec, a standards-based protocol that provides the highest levels of VPN security. Using IPSec, virtually everything above the networking layer can

END