Active Directory Presentation

8/6/2019 Active Directory Presentation

http://slidepdf.com/reader/full/active-directory-presentation 1/18

Active DirectoryActive Directory

by Jörg Bänder andby Jörg Bänder and

Steffen DiehlSteffen Diehl





Windows UsersWindows Users

�� Account infoAccount info�� PrivilegesPrivileges

�� ProfilesProfiles

�� PolicyPolicy

Windows ClientsWindows Clients

��

Mgmt profileMgmt profile�� Network infoNetwork info

�� PolicyPolicy

Windows ServersWindows Servers

��Mgmt profileMgmt profile

�� Network infoNetwork info

�� ServicesServices

�� PrintersPrinters

�� File sharesFile shares

�� PolicyPolicy

A Focal Point for:A Focal Point for:�� ManageabilityManageability

�� SecuritySecurity

�� InteroperabilityInteroperability

ActiveActive

DirectoryDirectory

WindowsWindows 2000 Active Directory2000 Active Directory

Active Directory provides a focal point for management,

security, and interoperability



How is AD installed?How is AD installed?

Active Directory needs dynamic DNS!Active Directory needs dynamic DNS!

Use dcpromo to create your firstUse dcpromo to create your firstDomaincontroller (DC) and create aDomaincontroller (DC) and create aDomainDomain

The DC has a complete read/write copyThe DC has a complete read/write copyof the AD for this new Domainof the AD for this new Domain

Information is stored in the sysvol folder Information is stored in the sysvol folder

and the ntds.dit fileand the ntds.dit file



Types of ServersTypes of Servers

AWindows NT 4.0 server can be a:AWindows NT 4.0 server can be a:Primary domain controller (PDC)Primary domain controller (PDC)

Backup domain controller (BDC)Backup domain controller (BDC)

Member server Member server

AWindows 2000 Server is either aAWindows 2000 Server is either adomain controller or a member server domain controller or a member server

Domain controllers (DC) have a replicaDomain controllers (DC) have a replica

of the directory database, member serversof the directory database, member serversdo notdo not

DC can also be a Global Catalog (GC)DC can also be a Global Catalog (GC)server server



Terms:Terms:

ForestForest(Overall Structure)(Overall Structure)

TreeTree(Structure, Domaintree)(Structure, Domaintree)

DomainDomain(Domain)(Domain)

Organisational UnitOrganisational Unit(Unit of administration, OU)(Unit of administration, OU)

Logical Structure of ADLogical Structure of AD





ForestsForests

A joint set of Domain Trees that:A joint set of Domain Trees that:

Share a single SchemaShare a single Schema

Share a single configuration (Sites, etc)Share a single configuration (Sites, etc)

Share the same Global CatalogShare the same Global Catalog Are automatically conected by transitiveAre automatically conected by transitive

TrustsTrusts

Are overseen by Enterprise AdminsAre overseen by Enterprise AdminsGroupGroup

Are represented by a Global CatalogAre represented by a Global Catalog

Different namespaces in the treesDifferent namespaces in the trees



Domain TreeDomain Tree

More than one domain sharing same rootMore than one domain sharing same rootnamespacenamespace

Hierarchically arranged domains createdH

ierarchically arranged domains createdby parentby parent--child relationshipchild relationship

Users can search for all informationUsers can search for all informationwithin the Domain Treewithin the Domain Tree

Bidirectional Kerberos Trust to theBidirectional Kerberos Trust to theparent domainparent domain



TrustsTrusts

10 Domains:10 Domains:

AD: 9 TrustsAD: 9 Trusts

NT4: 90 (!)NT4: 90 (!)





ADAD -- OUOU

Lowest form of grouping in the ActiveLowest form of grouping in the ActiveDirectoryDirectory

Organizational Unit is graphicallyOrganizational Unit is graphically

represented by a circle in the diagramsrepresented by a circle in the diagrams Group Policy can be applied to the OUGroup Policy can be applied to the OU

Can be nested up to x levels deepCan be nested up to x levels deep

Performance considerations if using GroupPerformance considerations if using Group

Policy Objects (GPOs)Policy Objects (GPOs)



Existence of OUsExistence of OUs

Only two justifications for OUs toOnly two justifications for OUs toexist (best practise):exist (best practise):

Delegation of administrationDelegation of administration

Use of Policies on contained objectsUse of Policies on contained objects



The SchemaThe Schema

Defines the objects that areDefines the objects that areallowed within the Activeallowed within the ActiveDirectoryDirectory

Each object class has attributesEach object class has attributesthat are also definedthat are also defined

The schema is extensibleThe schema is extensible

Changes to the schema areChanges to the schema are

permanentpermanent Schema flexible single master Schema flexible single master

operation (FSMO) replicatesoperation (FSMO) replicateschanges throughout thechanges throughout theenterpriseenterprise

Domain Schema

User AccountUser Account

NameName

TitleTitle

Manager Manager

OfficeOfficeLocationLocation

PhonePhone

DivisionDivision

Cost Center Cost Center CodeCode

CertificationCertificationExpiresExpires

Printer Printer

NameName

Mfr Mfr

ModelModel

Color Color

DuplexDuplex

Asset #Asset #

Paper SizePaper Size



The Global CatalogThe Global CatalogContains a partial replica of the informationContains a partial replica of the informationcontained within each of the domainscontained within each of the domains

Allows for fast searching of the keyAllows for fast searching of the keyinformation in the Active Directory,information in the Active Directory,without hitting all of the domainswithout hitting all of the domains

Enables objects to be located throughoutEnables objects to be located throughoutthe forestthe forest

Reduces replication overheadReduces replication overhead

Can have every DC be a GCCan have every DC be a GC Administrators define which attributesAdministrators define which attributes

are includedare included

Replication occurs along with domainReplication occurs along with domaincontroller replicationcontroller replication



Global CatalogGlobal CatalogDomain TreeDomain Tree The GC in each domain has a

pointer to its own domaininformation (which is complete)

It also has partial information from all of the

other domains in the tree (or forest)



AD Best PractiseAD Best Practise

Create an empty Root Domain which holdsCreate an empty Root Domain which holdsEnterprise Admin Accounts and Schema Master Enterprise Admin Accounts and Schema Master FSMO RoleFSMO Role

This Domain should remain empty!This Domain should remain empty!

Keep only three things in mind when designingKeep only three things in mind when designinga OUa OU--Structure:Structure:

DoADoA

Policy UsagePolicy Usage

Do not model the Business StructureDo not model the Business Structure

Sites reflect High Network Connectivity (LANs)Sites reflect High Network Connectivity (LANs)

And the most important: Keep it simple!!And the most important: Keep it simple!!



Finito!Finito!

Thank you for your attentionThank you for your attention

Questions ??Questions ??

Documents

Active Directory Presentation