
Page 1

Chapter Summary

- Understanding DNS
- Understanding Name Resolution
- Configuring a DNS Client
- Understanding Active Directory
- Understanding Active Directory Structure and Replication
- Understanding Active Directory Concepts

Page 2

Introduction to DNS

- The Domain Name System (DNS) is a naming system based on a distributed database.
- DNS is used in TCP/IP networks to translate computer names to IP addresses.
- DNS is the default naming system for IP-based networks.
- The DNS Service is not available with Microsoft Windows XP Professional, but it ships with Microsoft Windows 2000 Server.

Page 3

Benefits of Using DNS

- DNS names are user friendly.
- DNS names remain more constant than IP addresses.
- DNS uses the same naming conventions as the Internet.

Page 4

Domain Namespace

(Diagram on the original slide; no text was extracted.)

Page 5

Examples of Second-Level Domains

- ed.gov
- Microsoft.com
- Stanford.edu
- w3.org

Page 6

Host Names

- Host names refer to specific computers on the Internet or an intranet.
- They are the leftmost portion of a fully qualified domain name (FQDN), such as Computer1.sales.microsoft.com.
- DNS uses a host’s FQDN to resolve a name to an IP address.
- Host names do not have to match the computer names.

Page 7

Domain Naming Guidelines

- Limit the number of domain levels.
- Use unique names.
- Use simple names.
- Avoid lengthy domain names.

Page 8

Domain Naming Guidelines (Cont.)

- Use standard DNS characters and Unicode characters.
  - Windows 2000 Server supports A–Z, a–z, 0–9, and hyphen (-).
  - The DNS Service supports the Unicode character set.

Page 9

Zones

(Diagram on the original slide; no text was extracted.)

Page 10

Name Servers

- DNS name servers store the zone database file.
- They store the database files for one or multiple zones.
- They have authority for the domain namespace that the zone encompasses.
- A zone must have at least one name server.

Page 11

Primary Zone Database File

- A name server in each domain contains the master database file, called the primary zone database file.
- Changes to a zone are performed on the primary zone database file.
- Multiple name servers act as a backup.

Page 12

Benefits of Multiple Name Servers

- Provide zone transfers
- Provide redundancy
- Improve access speed
- Reduce the load

Page 13

Name Resolution

- Name resolution is the process of resolving names to IP addresses.
- DNS resolves a name, such as www.microsoft.com, to an IP address.
- The mapping of names to addresses is stored in the DNS distributed database.

Page 14

Resolving a Forward Lookup Query

(Diagram on the original slide; no text was extracted.)

Page 15

Name Server Caching

- When a name server is processing a query, it might have to send out several queries to find the answer.
- Each query discovers other name servers that have authority for a portion of the domain namespace.
- The name server caches these query results to reduce network traffic.
- When a name server receives a query result, the name server caches the query result for a specified amount of time, referred to as Time to Live (TTL).

Page 16

Time to Live (TTL)

- The zone that provides the query results specifies the TTL; the default TTL is 60 minutes.
- When the TTL expires, the name server deletes the query result from its cache.
- Shorter TTL values help ensure that data about the domain namespace is more current across the network.
- Shorter TTL values increase the load on name servers.
- Longer TTL values decrease the time required to resolve information.
- Longer TTL values mean it will take longer for a client to receive any updated information.

Page 17

Reverse Lookup Query

- A reverse lookup query maps an IP address to a name.
- Troubleshooting tools such as the nslookup utility use reverse lookup.
- Some applications implement security based on the ability to connect to names rather than IP addresses.
- The DNS distributed database is indexed by name, so a reverse lookup query would require an exhaustive search of every domain name.

Page 18

The in-addr.arpa Domain

- Is a special second-level domain created to resolve the difficulty of doing a reverse lookup query
- Follows the same hierarchical naming scheme as the rest of the domain namespace, but it is based on IP addresses, not domain names
- Has subdomains named after the numbers in the dotted-decimal representation of IP addresses
- Reverses the order of the IP address octets
- Lets companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask
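The octet reversal and the subnet-based delegation described on this slide, as an added worked example (not code from the original deck). The function names and the sample addresses are my own; the zone calculation assumes the classic octet-boundary delegation (/8, /16, /24) the slide implies.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address.

    The octets are written in reverse order and the special second-level
    domain in-addr.arpa is appended, so 10.1.2.3 becomes
    3.2.1.10.in-addr.arpa. ipaddress validates the dotted-decimal form.
    """
    addr = ipaddress.IPv4Address(ip)
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def delegated_zone(network: str) -> str:
    """Return the in-addr.arpa subdomain a company administers for an
    assigned network, e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa.

    Only octet-aligned masks map onto a single subdomain of in-addr.arpa;
    other prefix lengths need classless delegation, which the slides do
    not cover, so they are rejected here rather than guessed at.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"prefix /{net.prefixlen} is not on an octet boundary")
    keep = net.prefixlen // 8                          # significant octets
    octets = str(net.network_address).split(".")[:keep]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def in_zone(ip: str, network: str) -> bool:
    """True when the reverse name of ip sits under the delegated zone,
    i.e. when the company's own name servers would answer the PTR query."""
    return reverse_name(ip).endswith("." + delegated_zone(network))
```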

Page 19

Introduction to DNS Clients

- A DNS client uses DNS, a distributed database used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, for name resolution.
- TCP/IP must be installed for a computer to use DNS.

Page 20

Internet Protocol (TCP/IP) Properties Dialog Box

(Screenshot on the original slide; no text was extracted.)

Page 21

Configuring DNS Query Settings

- Append Primary And Connection Specific DNS Suffixes
  Append the client name to the primary domain name, as well as the domain name defined in the DNS Domain Name field of each network connection.
- Append Parent Suffixes Of The Primary DNS Suffix
  The DNS server strips off the leftmost portion of the primary DNS suffix and attempts the resulting domain name.
- Append These DNS Suffixes (In Order)
  The DNS resolver adds each one of these suffixes, one at a time and in the order you specified.
- Register This Connection’s Addresses In DNS
  The computer attempts to dynamically register the IP addresses (through DNS) of this computer with its full computer name.
- Use This Connection’s DNS Suffix In DNS Registration
  The computer uses dynamic updates to register the IP address and the connection-specific domain name of the connection.
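How the three suffix options on this slide turn an unqualified name into the list of FQDNs a resolver tries, as an added example (not code from the original deck). The dataclass field names are mine; the order primary suffix, then connection-specific suffix, then parent suffixes, and stopping devolution at two labels, are assumptions about how the settings combine rather than statements from the slide.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DnsQuerySettings:
    """The DNS-tab settings the slide lists; the field names are mine."""
    primary_suffix: str                                         # computer's primary DNS suffix
    connection_suffix: str = ""                                 # suffix set on this connection
    append_primary_and_connection: bool = True                  # first radio button
    append_parent_suffixes: bool = False                        # check box under it
    explicit_suffixes: List[str] = field(default_factory=list)  # second radio button


def parent_suffixes(suffix: str, min_labels: int = 2) -> List[str]:
    """Strip the leftmost label repeatedly: sales.corp.example.com gives
    corp.example.com, then example.com. Stopping at two labels is an
    assumption; it keeps the resolver from trying a bare 'com'."""
    labels = [label for label in suffix.split(".") if label]
    parents: List[str] = []
    while len(labels) > min_labels:
        labels = labels[1:]
        parents.append(".".join(labels))
    return parents


def suffix_search_list(s: DnsQuerySettings) -> List[str]:
    """Ordered suffixes the resolver appends to an unqualified name."""
    if s.explicit_suffixes:                   # "Append these DNS suffixes (in order)"
        return list(s.explicit_suffixes)      # replaces the primary/connection rule
    suffixes: List[str] = []
    if s.append_primary_and_connection:
        if s.primary_suffix:
            suffixes.append(s.primary_suffix)
        if s.connection_suffix and s.connection_suffix not in suffixes:
            suffixes.append(s.connection_suffix)
        if s.append_parent_suffixes:          # "Append parent suffixes of the primary DNS suffix"
            for parent in parent_suffixes(s.primary_suffix):
                if parent not in suffixes:
                    suffixes.append(parent)
    return suffixes


def candidate_names(name: str, s: DnsQuerySettings) -> List[str]:
    """FQDNs tried, in order, for a query name. A trailing dot marks a
    fully qualified name, which is used unchanged and never gets a suffix."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in suffix_search_list(s)]
```

Listing the candidates shows which domains outside your own an unqualified name can fall back to, which is the check to make before widening a search list.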

Page 22

What Is Active Directory?

- A directory service uniquely identifies users and resources on a network.
- Active Directory service is the directory service included with Microsoft Windows 2000 products.
- Active Directory provides a single point of network management.
- Active Directory is a network service that
  - Identifies all resources on a network
  - Makes all resources available to users and applications

Page 23

What Is Active Directory? (Cont.)

- Active Directory includes the directory or data store.
- The directory is a structured database that stores information about network resources.
- Resources stored in the directory are referred to as objects.

Page 24

Simplified Administration

- Active Directory organizes resources hierarchically in domains.
- A domain is a logical grouping of servers and other network resources under a single domain name.
- A domain is the basic unit of replication and security.
- A domain includes at least one domain controller.
- Active Directory provides
  - A single point of administration for all objects on the network
  - A single point of logon for all network resources

Page 25

Scalability

- The directory stores information by organizing itself into sections that permit storage for a huge number of objects.
- For example, the directory can be scaled to meet the needs of
  - Small installations with one server and a few hundred objects
  - Huge installations with hundreds of servers and millions of objects

Page 26

Open Standards Support

- Active Directory’s use of open standards
  - Integrates the Internet concept of a namespace with the Windows 2000 directory service
  - Allows you to unify and manage multiple namespaces
  - Uses DNS for its name system
  - Can exchange information with any application or directory that uses Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP)
  - Can share information with other directory services that support LDAP version 2 or version 3, such as Novell Directory Services (NDS)

Page 27

Open Standards Support (Cont.)

- Domain Name System
  - DNS is the domain naming and locator service for Active Directory.
  - Windows 2000 domain names are also DNS names.
  - Windows 2000 Server uses dynamic DNS (DDNS).
  - Clients can update the DNS table dynamically.
  - DDNS eliminates the need for other naming services.
  - To function correctly, Active Directory and the associated client software require the DNS Service.

Page 28

Open Standards Support (Cont.)

- Support for LDAP and HTTP
  - LDAP is an Internet standard for accessing directory services.
  - HTTP is the standard protocol for displaying pages on the World Wide Web.
  - You can display every object in Active Directory as an HTML (Hypertext Markup Language) page in a Web browser.

Page 29

Support for Standard Name Formats

- Request for Comments (RFC) 822: [email protected]
- HTTP URL: http://domain/path-to-page
- Universal Naming Convention (UNC): \\microsoft.com\xl\budget.xls
- LDAP URL: LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

Page 30

Logical Structure

- Active Directory separates the logical structure from the physical structure.
- Active Directory lets you organize resources in a logical structure.
- A resource is located by its name rather than its physical location.
- The network’s physical structure is transparent to all users.

Page 31

Objects

(Diagram on the original slide; no text was extracted.)

Page 32

Organizational Units

- An organizational unit (OU) is a container that you use to organize objects in a domain into logical administrative groups.
- An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.
- Each domain can implement its own OU hierarchy.
- There is no limit to the depth of the hierarchy, but shallow is better.
- An administrator can delegate administrative tasks by assigning permissions to OUs.

Page 33

Domain

- The domain is the core unit of logical structure.
- All network objects exist within a domain.
- A domain stores information about only the objects that it contains.
- A practical limit to the number of objects in a domain is 1 million.

Page 34

A Domain Is a Security Boundary

- Access control lists (ACLs) control access to domain objects.
- ACLs contain the permissions associated with objects.
- ACLs control
  - Which users can access an object
  - Which type of access users have to the objects
- Security policies and settings do not cross from one domain to another.
- A domain administrator has absolute rights to set policies only in that domain.

Page 35

Tree

- A tree is a grouping of one or more Windows 2000 domains that share a contiguous namespace.
- The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
- All domains within a single tree share
  - A common schema
  - A common Global Catalog

Page 36

Forest

- A forest is a grouping of one or more domain trees that form a disjointed namespace.
- All trees in a forest share a common schema.
- Trees in a forest have different naming structures.
- All domains in a forest share a common Global Catalog.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.

Page 37

Physical Structure

- The physical components of Active Directory are
  - Domain controllers
  - Sites
- The physical components of Active Directory are used to mirror the physical structure of an organization.

Page 38

Domain Controllers

- Each domain controller in a domain
  - Stores a complete copy of all Active Directory information for that domain
  - Manages changes to that information
  - Replicates changes to other domain controllers in the same domain
  - Automatically replicates all objects in the domain to all other domain controllers in the domain
  - Immediately replicates certain important updates, such as the disabling of a user account

Page 39

Domain Controllers (Cont.)

- Active Directory uses multimaster replication, in which no one domain controller is the master domain controller.
- Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another controller is completely propagated.
- Having more than one domain controller in a domain provides fault tolerance.
- Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

Page 40

Sites

- The physical structure of Active Directory is based on sites.
- A site is a combination of one or more IP subnets.
- Typically, a site has the same boundaries as a local area network (LAN).
- Sites are not part of the logical namespace.
- Sites contain only computer objects and connection objects used to configure replication between sites.
- A single domain can span multiple geographical sites, and a single site can include accounts and computers from multiple domains.

Page 41

Replication Within a Site

- Active Directory includes a replication feature.
- Replication ensures that changes to a domain controller are reflected by all domain controllers in a domain.

Page 42

Ring Topology for Replication

(Diagram on the original slide; no text was extracted.)

Page 43

Active Directory Terminology

- Schema
- Global Catalog
- Namespace
- Naming conventions

Page 44

Schema

- The schema contains a formal definition of the contents and structure of Active Directory.
- The schema contains two types of definition objects:
  - Schema class objects define what objects can be stored in Active Directory.
  - Schema attribute objects define the type of information that can be stored about each object.
- The schema defines
  - The schema attribute objects required for each object
  - The additional schema attribute objects that an instance of the class can have

Page 45

Default Schema

- Installing Active Directory on the first domain controller in a network creates the default schema, which contains
  - Definitions of commonly used objects and properties
  - Definitions of objects and properties that Active Directory uses internally to function

Page 46

Extensible Schema

- You can define
  - New directory object types and attributes
  - New attributes for existing objects
- You can extend the schema
  - By using LDAP Data Interchange Format (LDIF) scripts
  - Programmatically, or by using the Active Directory Services Interface (ADSI)
  - By using the Active Directory Schema Manager snap-in
- The schema is stored in the Global Catalog and can be updated dynamically.

Page 47

Global Catalog

- The Global Catalog is the central repository of information about objects in a tree or forest.
- Active Directory automatically generates the contents of the Global Catalog.
- The Global Catalog is a service and a physical storage location.
- It contains a full replica (all information) for its host domain and a partial replica of the information in all other domains in the tree or forest.
- It enables finding directory information regardless of which domain in the tree or forest actually contains the data.

Page 48

Global Catalog Servers

- Installing Active Directory on the first computer in a new forest makes that domain controller a Global Catalog server.
- The Active Directory Sites and Services snap-in allows you to designate additional Global Catalog servers.
- More Global Catalog servers means more replication traffic.
- More Global Catalog servers can provide quicker responses.
- Every major site should have a Global Catalog server.

Page 49

Namespace

- Contiguous namespace
  - The name of the child object in an object hierarchy always contains the name of the parent domain.
  - A tree is a contiguous namespace.
- Disjointed namespace
  - The names of a parent object and of a child of the same parent object are not directly related to one another.
  - A forest is a disjointed namespace.

Page 50

Naming Conventions

- Every object in Active Directory is identified by a name.
- Active Directory uses a variety of naming conventions:
  - Distinguished name (DN)
  - Relative distinguished name (RDN)
  - Globally unique identifier (GUID)
  - User principal name (UPN)

Page 51

Distinguished Name

- Every object has a DN that
  - Uniquely identifies the object
  - Contains sufficient information for a client to retrieve the object from the directory
  - Includes the name of the domain that holds the object
  - Includes the complete path through the container hierarchy to the object
- DNs must be unique in the directory.

Page 52

Relative Distinguished Name

- Active Directory supports querying by attributes, so that
  - You can locate an object even if the exact DN is unknown
  - You can locate an object even if the DN has changed
- The RDN of an object is the part of the name that is an attribute of the object itself.
- You can have duplicate RDNs for Active Directory objects, but not in the same OU.

Page 53

Globally Unique Identifier

- A GUID is a 128-bit number that is guaranteed to be unique.
- GUIDs are assigned when the object is created.
- The GUID for an object never changes.
- Applications use GUIDs to retrieve objects regardless of their current DNs.

Page 54

User Principal Name

- User accounts have a friendly name, the UPN.
- The UPN is composed of the shorthand name for the user account and the DNS name of the tree where the user account object resides.
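The DN, RDN and UPN slides above (pages 51, 52 and 54), worked through in code as an added example that is not part of the original deck. It uses the example DN from the name-formats slide, CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel; the function names, the sample logon name and the "Printer1" DNs are mine, and taking the DNS name of the domain from the DC components of the DN is an assumption about how the UPN suffix is derived.

```python
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("OU", "sys")


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into its RDNs, leftmost (the object itself) first.

    A backslash escapes the next character, so a comma inside a value
    (CN=Doe\\, John) does not end the component. Attribute types are
    upper-cased because DN comparison in Active Directory ignores case.
    """
    parts: List[str] = []
    current = ""
    escaped = False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _escape(value: str) -> str:
    """Re-escape commas so a value can be written back into DN syntax."""
    return value.replace(",", "\\,")


def relative_dn(dn: str) -> RDN:
    """The RDN is the leftmost component: the attribute of the object itself."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The container that holds the object: every component after the RDN,
    which is the path through the container hierarchy the DN slide mentions."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC components with dots to get the DNS name of the domain
    that holds the object (assumption: this is the 'name of the domain'
    the DN carries)."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def user_principal_name(dn: str, logon_name: str) -> str:
    """UPN = shorthand logon name + '@' + DNS name of the domain holding
    the account object."""
    return f"{logon_name}@{domain_dns_name(dn)}"


def find_rdn_collisions(dns: List[str]) -> List[str]:
    """Return the DNs whose RDN repeats inside the same container.

    The same RDN under different OUs is allowed (the slide's rule), so the
    key is the whole normalized DN, i.e. RDN plus parent container,
    compared case-insensitively as Active Directory does.
    """
    seen = set()
    collisions: List[str] = []
    for dn in dns:
        key = tuple((a, v.casefold()) for a, v in parse_dn(dn))
        if key in seen:
            collisions.append(dn)
        else:
            seen.add(key)
    return collisions
```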

Page 55

Chapter Summary

- DNS is the default naming system for IP-based networks. (It is not included in Windows XP Professional.)
- DNS resolves computer names to IP addresses and locates computers within local networks and on the Internet.
- The DNS database is indexed by name, so each domain must have a name.
- The domain namespace consists of a root domain, top-level domains, second-level domains, and host names.
- A forward lookup query resolves a name to an IP address, and a reverse lookup query resolves an IP address to a name.
- The DNS distributed database is indexed by name and not by IP address, but in-addr.arpa is based on IP addresses instead of domain names.
- You can configure a DNS client to obtain the address of the DNS server automatically, or you can manually enter multiple addresses for DNS servers.

Page 56

Chapter Summary (Cont.)

- Active Directory is the directory service included in the Windows 2000 Server products. (It is not included in Windows XP Professional.)
- Active Directory includes the directory or data store, which stores information about network resources.
- Windows 2000 Server uses DDNS.
- Active Directory completely separates the logical structure of the domain hierarchy from the physical structure.
- The schema contains a formal definition of the contents and structure of Active Directory.
- The Active Directory schema is extensible.

Page 57

Chapter Summary (Cont.)

- In a contiguous namespace, the name of the child object in an object hierarchy always contains the name of the parent domain.
- In a disjointed namespace, the name of the parent object and the name of a child object are not directly related.
- The Global Catalog contains select information about every object in all domains in the directory.
- Active Directory uses a variety of naming conventions:
  - DN
  - RDN
  - GUID
  - UPN