Introducing Microsoft Active Directory Services CSIS 165 – Week 1B Exams 70-217 & 70-294




Page 1: Introducing Microsoft Active Directory Services CSIS 165 – Week 1B Exams 70-217 & 70-294

Introducing Microsoft Active Directory Services
CSIS 165 – Week 1B
Exams 70-217 & 70-294

Page 2
CSIS 165 – Week 1B
- Windows 2003 Systems Overview
- Ch 1 – Introduction To Active Directory
- Ch 2 – Domain Naming Services (DNS)

Page 3
Windows 2003 Security Models
- Workgroups
  - Windows Server is not required
  - User accounts are managed locally
  - Resources are managed locally
- Domains
  - User accounts are managed centrally
  - Most resources are managed centrally
  - Windows Server is required

Page 4
Windows 2003 Architecture
Two major layers:
- User mode
  - Environment subsystems
  - Integral subsystems
- Kernel mode

Page 5
Environment Subsystems
- Emulate other operating systems
- Support Win32, OS/2, POSIX (UNIX)
- Restrictions on applications:
  - Can access only the associated API
  - Cannot access:
    - Hardware, drivers
    - Shared memory

Page 6
Integral Subsystems
- Security subsystem
  - Logon processing
  - Authentication
  - Resource access
- Workstation service
  - Accesses shared resources
- Server service
  - Provides shared resources

Page 7
Kernel Mode
- System services – available to kernel and user mode processes
  - I/O manager, virtual memory manager
- Internal services – available only to kernel mode processes

Page 8
Windows 2003 Subsystems [diagram slide]

Page 9
Chapter 1
Introduction to Active Directory

Page 10
Active Directory Features & Services
- Authentication of users
- Controlling access to resources
- Advertisement of resources
- Centralized administration
- Replication platform
- Support for open standards

Page 11
Active Directory Architecture
- Client interfaces: LDAP/ADSI, MAPI, SAM, REPL
- Directory System Agent (DSA)
- Database layer
- Extensible Storage Engine
- Data store (NTDS.DIT)

Page 12
Active Directory Architecture [diagram slide]

Page 13
Active Directory Object Containers
- Active Directory objects
- Active Directory schema
- Active Directory logical structures
  - Domains
  - Organizational Units
  - Trees & Forests
- Physical structures
  - Domain Controllers
  - Sites

Page 14
Active Directory Objects
- Define consumers
  - Users & groups
- Define resources
  - Computers & servers
  - Shared services
  - Printers, etc.
- Container objects
  - Domains
  - Organizational units
  - Groups
  - Sites
  - Forest

Page 15
Active Directory Schema
- Defines objects
  - Classes
    - Represent a type of object
    - Contain attributes
  - Attributes
    - Define properties of objects
    - Name, datatype & length, etc.
    - May be included in multiple classes
- Schema may be extended by adding or replacing classes and attributes
  - Not reversible without restoring AD from system state
  - Requires Enterprise Admin rights & the AD Schema snap-in
  - Done automatically when Exchange 2000 is installed

Page 16
Active Directory Components
- Domains – security boundary
  - Users and resources belong to one domain
  - Domain Admins defines the administration boundary
- Organizational Units
  - Users and resources exist in OUs
  - Provide a namespace
  - Apply group policy
  - Do not confer privileges – groups do that
- Trees and Forests
  - Trees – contiguous DNS namespace
  - All domains in a Global Catalogue
  - Two-way implicit, transitive trusts
- Sites – define replication boundaries

Page 17
Active Directory Concepts
- Global Catalog
- Sites and Replication
- Domains and Trusts
- DNS namespace

Page 18
Global Catalog
- Functions:
  - Indexes all objects in its domain
  - Indexes a subset of all objects in the entire forest
  - Is the only source of Universal group information
  - Required for logins, except by Domain Admins
- Creating Global Catalog servers:
  - By default, on the first DC in a forest or domain
  - Additional GC servers can be created on any DC
  - Two rules:
    - Have a GC at every physical site
    - Keep the GC and the infrastructure master role on separate hosts

Page 19
Replication
- What information is replicated?
  - Schema
  - Domain-level AD objects
  - Configuration
  - Global Catalogue information
- Sites provide replication boundaries

Page 20
Replication
- Replication within a site:
  - Replication topology is automatically determined
  - Provides at least two paths between DCs
  - Replication is triggered by changes
  - Transmissions are not compressed – RPCs
- Replication between sites:
  - Occurs between bridgehead servers
  - Occurs as scheduled
  - Is compressed and may use SMTP
  - Security changes replicate immediately

Page 21
Trusts
- Implicit two-way transitive trusts exist between:
  - Parent and child domains in a tree
  - Top-level domains in a forest
- Explicit one-way non-transitive trusts are used between:
  - AD and NT 4.0 domains
  - Domains in different forests
  - AD domains and Kerberos realms

Page 22
DNS Namespace
- Forward-lookup namespace
- Reverse-lookup namespace
- Record types: Host, NS, MX, SRV, CNAME, PTR

Page 23
Active Directory Namespace
- Distinguished name
- Relative distinguished name
- GUID
  - Unique across all domains
  - Does not change when objects move or are renamed
  - Replaces the NT 4.0 SID

Page 24
The Operation Master Roles
- Forest-level
  - Schema Master
  - Domain Naming Master
- Domain-level
  - Relative ID Master
  - PDC Emulator – down-level clients and BDCs
  - Infrastructure Master

Page 25
Active Directory Tasks & Tools
- Active Directory Users and Computers:
  - Create & manage user accounts, groups & OUs
- Active Directory Domains & Trusts:
  - Manage trusts
  - Change to native mode
  - Assign an alternate user principal name suffix
  - Transfer the domain naming master role
- Active Directory Sites and Services:
  - Manage replication
- Active Directory Schema:
  - Used to modify the AD schema
  - Not installed by default
- Other tools covered in lab – know them for the exam

Page 26
Review
- Roles of Active Directory
- Windows & Active Directory architecture
- The Windows login process
- The Active Directory schema
- Active Directory objects
- The Global Catalogue
- Replication
- Trusts
- Operation Master Roles
- Active Directory management tools

Page 27
Ch 2 – Understanding DNS
- IP Addressing & Host Naming
- The hosts file
- DNS Objectives
- The DNS Namespace
- DNS Messaging
- The Name Resolution Process
- Planning a DNS Infrastructure

Page 28
IP Addressing & Host Naming
- Earliest IP network – ARPANET
  - Single-level names identified hosts
  - Names mapped to IP addresses – hosts file
- Problems:
  - Hosts file would become enormous
  - New host entries require updated hosts files
  - Administrators could not choose just any host names – only those not yet used

Page 29
The Hosts File
C:\WINNT\system32\drivers\etc\hosts

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
10.11.200.253   saicu20
10.11.200.253   saicu20.mcse.wallihan.com

Page 30
DNS Objectives
- Decentralize name management
- Flexible identification of services
- Identify services such as mail hosts
- Solutions:
  - A hierarchic namespace
  - Diverse resource record types

Page 31
The Forward Lookup Namespace
- Resolves host names to IP addresses
- Locates services
- Root domain “.”
- Top-level domains – com, org, gov, etc.
- Second-level domains – privately managed

Page 32
The Forward Lookup Namespace [diagram: root “.”; top-level domains COM and ORG; SAIC under COM; host WWW under SAIC; hosts and NS records]

Page 33
Forward Lookup Zones
- Zones represent files
- A zone may represent one or more domains
- Zones represent a contiguous namespace
- Zones define replication boundaries

Page 34
Forward Lookup Zones [diagram: COM, SAIC beneath it, DOMAIN1 and DOMAIN2 beneath SAIC; Zone 1, Zone 2, and an invalid zone]
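An added example (not from the slides) of the contiguity rule behind the Zone 1 / Zone 2 / invalid zone diagram: a zone is valid only when every domain between its apex and each member is itself in the zone. The apex and domain names below are constructed from the diagram.

```python
# Added example (not from the slides): a check for the rule that a forward
# lookup zone holds a contiguous namespace, as in the Zone 1 / Zone 2 /
# invalid zone diagram. Apex and domain names are constructed from it.

def _labels(name: str) -> tuple[str, ...]:
    """DNS name to label tuple, root-most first:
    'domain1.saic.com.' -> ('com', 'saic', 'domain1')."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))

def _name(labels: tuple[str, ...]) -> str:
    return ".".join(reversed(labels))

def is_contiguous_zone(apex: str, domains: list[str]) -> tuple[bool, list[str]]:
    """Return (valid, problems). The zone is valid when every member is the
    apex or lies beneath it, and every domain between the apex and a member
    is itself a member (no hole, as in the invalid COM/DOMAIN1 zone)."""
    apex_l = _labels(apex)
    members = {_labels(d) for d in domains} | {apex_l}
    problems = []
    for m in sorted(members, key=len):
        if m[:len(apex_l)] != apex_l:
            problems.append(f"{_name(m)} is outside the apex {_name(apex_l)}")
            continue
        # walk down from the apex to the member; each intermediate must exist
        for depth in range(len(apex_l) + 1, len(m)):
            if m[:depth] not in members:
                problems.append(
                    f"{_name(m[:depth])} is missing between the apex and {_name(m)}")
    return not problems, problems

if __name__ == "__main__":
    print(is_contiguous_zone("saic.com", ["domain1.saic.com"]))  # Zone 1: valid
    print(is_contiguous_zone("com", ["domain1.saic.com"]))       # invalid: SAIC skipped
```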

Page 35
DNS Messaging
- DNS uses UDP for name resolution (port 53)
- DNS uses TCP for zone file replication
- A single message format handles all traffic
- DNS header – see book
  - Flags bit 8 – recursion desired
  - Flags bit 9 – recursion available
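An added example (not from the slides) that decodes the 12-byte DNS header and reads the two flag bits the slide numbers 8 and 9. It assumes the slide counts flag bits from 1, most significant first, which puts RD at mask 0x0100 and RA at 0x0080 in the RFC 1035 layout; both headers it decodes are constructed, not captured traffic.

```python
# Added example (not from the slides): decode the 12-byte DNS message header
# and read the recursion flags the slide numbers 8 (RD) and 9 (RA), counting
# flag bits from 1, most significant first. Both headers are constructed.
import struct

# Masks over the 16-bit flags word (RFC 1035 layout)
QR = 0x8000   # bit 1: 0 = query, 1 = response
AA = 0x0400   # bit 6: authoritative answer
TC = 0x0200   # bit 7: truncated, the reply did not fit the UDP datagram
RD = 0x0100   # bit 8: recursion desired, set by the client
RA = 0x0080   # bit 9: recursion available, set by the server

def parse_dns_header(msg: bytes) -> dict:
    """Decode ID, flags and the four section counts of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0xF,
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }

def build_query_header(ident: int, recursive: bool) -> bytes:
    """Header of a one-question query. RD set = recursive query (client to
    its resolver); RD clear = non-recursive query (resolver to an
    authoritative server), as in the slide's name resolution diagram."""
    return struct.pack("!HHHHHH", ident, RD if recursive else 0, 1, 0, 0, 0)

if __name__ == "__main__":
    # Constructed response: ID 0x1234, QR + RD + RA set, one question, one answer
    response = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
    print(parse_dns_header(response))
    print(parse_dns_header(build_query_header(0x1234, recursive=True)))
```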

Page 36
The Name Resolution Process [diagram: root “.”, COM, SAIC; a recursive query from the client and non-recursive queries to the other servers]

Page 37
The Reverse Lookup Namespace [diagram: root “.” > arpa > in-addr > 10 > 11 > 200]
253 PTR saicu20.mcse.wallihan.com

Page 38
DNS Configuration
- Forwarders
  - Enable a server to forward unknown queries
- Caching-only servers
  - These servers do not maintain zones or entries
  - Forwarders must be enabled
- Dynamic updates
  - Configure in DHCP
  - Three options: No, Yes, Only Secure updates (Active Directory integrated zones only)

Page 39
Configuring DNS [screenshot slide]

Page 40
DNS Record Types
- A – Host record
- CNAME – Canonical name
- NS – Name server
- SOA – Authoritative name server
- MX – Mail relay
- SRV – Well-known services
- PTR – Reverse lookup record

Page 41
Implementing WINS

Page 42
Implementing WINS
- When to use WINS
- NetBIOS Naming
- The Lmhosts file
- The NetBIOS name server
- NetBIOS node types
- The WINS architecture
- Implementing WINS

Page 43
NetBIOS Naming
- NetBIOS originally served single LANs
- NetBIOS names were cached locally
- Computers would broadcast queries
- Only the requested computer replied
- The reply was cached locally

Page 44
The Lmhosts File
- Problems with NetBIOS:
  - Computers on remote LANs – broadcast
  - Large environments – broadcast
- The Lmhosts file enabled the most popular servers to be resolved locally
- The Lmhosts file structure: IP address <space or tab> name

Page 45
Lmhosts File Records & Tags
- A standard record: 10.11.200.253 saicu20
- Tags:
  - #PRE – preloads the entry into the cache
  - #DOM:domain – Windows NT domain
  - #INCLUDE filepath – loads entries from a centrally managed file
  - #BEGIN_ALTERNATE & #END_ALTERNATE – group #INCLUDE lines as alternatives

Page 46
A Sample Lmhosts File
# The following example illustrates all of these extensions:
102.54.94.97    rhino     #PRE #DOM:networking   #net group's DC
102.54.94.102   "appname \0x14"                  #special app server
102.54.94.123   popular   #PRE                   #source server
102.54.94.117   localsrv  #PRE                   #needed for the include

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
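An added example (not from the slides or from any Microsoft tool) that parses the Lmhosts syntax covered on the two slides above: the IP/name record, the #PRE and #DOM: tags, the quoted "name \0xNN" form that sets the 16th NetBIOS name byte, and #INCLUDE lines grouped by #BEGIN_ALTERNATE/#END_ALTERNATE. SAMPLE is a constructed copy of the slide's file, not a file taken from a real system.

```python
# Added example (not from the slides): parser for the Lmhosts syntax shown
# above (#PRE, #DOM:, #INCLUDE, #BEGIN_ALTERNATE/#END_ALTERNATE and the quoted
# "name \0xNN" 16th-byte form). SAMPLE is a constructed copy of the slide's file.
import re

SAMPLE = r"""
# The following example illustrates all of these extensions:
102.54.94.97   rhino    #PRE #DOM:networking  #net group's DC
102.54.94.102  "appname \0x14"               #special app server
102.54.94.123  popular  #PRE                  #source server
102.54.94.117  localsrv #PRE                  #needed for the include
#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
"""

# ip, then a quoted name (may carry \0xNN) or a bare name, then tags/comment
RECORD = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))(.*)$')

def parse_lmhosts(text: str) -> tuple[list[dict], list[list[str]]]:
    """Return host entries and #INCLUDE paths grouped per alternate block
    (an #INCLUDE outside a block becomes a one-item group of its own)."""
    entries, groups, block = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("#BEGIN_ALTERNATE"):
            block = []
            groups.append(block)
        elif upper.startswith("#END_ALTERNATE"):
            block = None
        elif upper.startswith("#INCLUDE"):
            path = line[len("#INCLUDE"):].split("#")[0].strip()
            groups.append([path]) if block is None else block.append(path)
        elif line and not line.startswith("#"):    # skip blank and comment lines
            ip, quoted, bare, rest = RECORD.match(line).groups()
            name, suffix = bare, 0x20                # 0x20 = file server service
            if quoted is not None:                   # padded to 15 chars, then \0xNN
                name, _, hexpart = quoted.partition("\\0x")
                name, suffix = name.rstrip()[:15], int(hexpart[:2] or "20", 16)
            entry = {"ip": ip, "name": name, "suffix": suffix, "preload": False, "domain": ""}
            for tag in rest.split():
                if tag.upper() == "#PRE":
                    entry["preload"] = True
                elif tag.upper().startswith("#DOM:"):
                    entry["domain"] = tag[5:]
                elif tag.startswith("#"):
                    break                            # rest of the line is a comment
            entries.append(entry)
    return entries, groups
```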

Page 47
The NetBIOS Name Server – WINS
- Clients are configured with the WINS server’s IP address (enables unicast)
- Clients register their name and IP with WINS
  - TTL – 6 days by default
  - Clients refresh at half TTL
- Name or IP address changes are registered with WINS
- Clients release names when they shut down
- Clients query the name server to resolve hosts

Page 48
NetBIOS Node Types

Node Type           Registration    Resolution
B Node              Broadcast       Broadcast
P Node              Unicast-WINS    Unicast-WINS
M Node              Broadcast       Broadcast then WINS
Modified B Node     Broadcast       Broadcast then Lmhosts
H Node (hybrid)     Unicast-WINS    WINS then Broadcast
MS Enhanced Node    Unicast-WINS    Configurable

Page 49
Configuring WINS
- Clients:
  - Specify the WINS server
  - Configure a node type (optional)
  - MS-enhanced H-node by default
- WINS servers:
  - Install WINS
  - Create static mappings
  - Configure replication
- WINS proxy agents:
  - Handle broadcast name registrations
  - Set EnableProxy to 1 in the registry – any WINS client

Page 50
Review
- Active Directory
- DNS
- WINS