PowerPoint presentation (uploaded by kyria)
1
Logical and Physical Network Design
2
Active Directory Objects
• Objects Represent Network Resources (Users, Groups, Computers, Printers)
• Attributes Store Information About an Object
[Diagram: an Active Directory containing Users (Don Hall, Suzan Fine) and Printers (Printer1, Printer2, Printer3); user attributes are First Name, Last Name and Logon Name, printer attributes are Printer Name and Printer Location, and each attribute holds a value]
3
Active Directory Schema
Object Class Examples: Printers, Computers, Users
Attribute Examples
• Attributes of Users Might Contain: accountExpires, department, distinguishedName, middleName
• List of Attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName…
Active Directory Schema Is:
• Dynamically Available
• Dynamically Updateable
• Protected by DACLs
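The three slides above describe objects, their attributes and the schema that defines them. The following PowerShell session is an added example, not part of the original presentation: it reads a user object's attributes, looks up those attributes' definitions in the schema (showing that the schema is dynamically available), lists what the `user` class may contain, and reads the DACL that protects the schema container. It assumes the ActiveDirectory module (RSAT), a domain named `contoso.msft` as in the slide diagrams, and a hypothetical logon name `dhall` for Don Hall.

```powershell
# Added example (not from the slides). Assumptions: ActiveDirectory module is
# installed, the session can read the directory, and 'dhall' is a hypothetical
# logon name for the user Don Hall shown on the slides.
Import-Module ActiveDirectory

# 1. An object and the attributes named on the slide.
$attrs = 'accountExpires', 'department', 'distinguishedName', 'middleName'
Get-ADUser -Identity 'dhall' -Properties $attrs |
    Select-Object (@('GivenName', 'Surname', 'SamAccountName') + $attrs)

# 2. The schema is dynamically available: attribute definitions live in the
#    schema naming context, which any authenticated client can read.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=contoso,DC=msft

foreach ($name in $attrs) {
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet |
        Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet
}
# isMemberOfPartialAttributeSet = True means the attribute is also copied to
# every global catalog server, so a forest-wide GC query can return it.

# 3. Attributes defined directly on the 'user' class (inherited ones from
#    organizationalPerson / person / top are not listed here).
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mustContain, systemMustContain, mayContain, systemMayContain |
    ForEach-Object {
        $mandatory = @($_.mustContain) + @($_.systemMustContain)
        $optional  = @($_.mayContain)  + @($_.systemMayContain)
        'Mandatory ({0}): {1}'     -f $mandatory.Count, ($mandatory -join ', ')
        'Optional  ({0}): {1} ...' -f $optional.Count,  (($optional | Select-Object -First 10) -join ', ')
    }

# 4. The schema is updateable but protected by a DACL: only principals with
#    write rights on this container (normally Schema Admins) can change it.
#    Listing who holds such rights is a quick sanity check of that protection.
(Get-Acl -Path "AD:\$schemaNC").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Sort-Object IdentityReference
```

The `AD:` drive used in step 4 is created automatically when the ActiveDirectory module loads; `Get-Acl` on it returns the object's security descriptor, so the same call works for any container whose DACL you want to review.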
4
Active Directory Components
• Logical components of the Active Directory
  – Provide a way to design and administer the hierarchical, logical structure of the network
  – Include
    • Domains and organizational units
    • Trees and forests
    • A global catalog
5
Active Directory Components (Continued)
• Windows Server 2008 domain
  – Logically structured organization of objects that
    • Are part of a network, and
    • Share a common directory database
• Each domain
  – Has a unique name
  – Is organized in levels
  – Is administered as a unit with common rules and procedures
  – Is defined by an IP address on the Internet
6
Active Directory Domains
[Diagram: the domain CONTOSO.COM drawn as a boundary of authentication, a boundary of policies and a boundary of replication]
Characteristics of Multiple Domains
• Reduce Replication Traffic
• Maintain Separate and Distinct Security Policies Between Domains
• Separate Administrative Control
  – Geographic basis
  – Large number of objects
[Diagram: separate domains for Los Angeles, Seattle, Chicago and New York]
8
Active Directory Components (Continued)
• An organizational unit (OU)
  – A logical container used to organize objects within a single domain
• Benefits of using OUs
  – Easier to locate and manage the Active Directory objects
  – Define more advanced features by applying Group Policy to an OU
  – Delegate administrative control over OUs
[Diagram: Organizational Unit]
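The OU slide lists three benefits: organizing objects, applying Group Policy, and delegating administrative control. The PowerShell below is an added example (not from the presentation) that exercises all three: it creates an OU, links a GPO to it, and delegates a single narrow right (resetting passwords on users under the OU) to a helpdesk group, then verifies the resulting ACE. It assumes the ActiveDirectory and GroupPolicy modules, the domain `DC=contoso,DC=msft` from the slide diagrams, and hypothetical names for the OU, GPO and group.

```powershell
# Added example (not from the slides). Assumptions: RSAT modules installed,
# domain DC=contoso,DC=msft, and hypothetical names 'Sales', 'Sales Baseline'
# and 'Sales Helpdesk' for the OU, GPO and delegated group.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=msft'
$salesOU  = "OU=Sales,$domainDN"

# 1. OUs organize objects within a single domain and make them easier to manage.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path $salesOU -ProtectedFromAccidentalDeletion $true

# 2. Apply Group Policy to the OU: settings land only on objects beneath it.
$gpo = New-GPO -Name 'Sales Baseline' -Comment 'Security baseline for the Sales OU'
New-GPLink -Name $gpo.DisplayName -Target $salesOU -LinkEnabled Yes | Out-Null

# 3. Delegate administrative control, but only what the helpdesk needs: the
#    "Reset Password" control access right on user objects under Sales.
#    The GUIDs are read from the configuration and schema partitions rather
#    than hard-coded, which also shows the schema being queried at run time.
$group    = Get-ADGroup -Identity 'Sales Helpdesk'
$rootDse  = Get-ADRootDSE
$resetPwd = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]$resetPwd.rightsGuid,                                          # which extended right
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    [Guid]$userClass.schemaIDGUID)                                       # only on user objects

$acl = Get-Acl -Path "AD:\$salesOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$salesOU" -AclObject $acl

# 4. Verify: the group should hold exactly this ExtendedRight ACE and nothing
#    broader (GenericAll, WriteDacl, WriteOwner) on the OU.
(Get-Acl -Path "AD:\$salesOU").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping the ACE with both an object type (the right's GUID) and an inherited object type (the `user` class GUID) is what keeps the delegation narrow; an ACE without those GUIDs would grant the right on every object class beneath the OU.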
9
An Active Directory Domain and OU structure
10
Active Directory Components (Continued)
• Trees and forests
  – Forest root domain
    • First Active Directory domain created in an organization
  – Tree
    • Hierarchical collection of domains that share a contiguous DNS namespace
What Is a Tree?
[Diagram: the tree root domain contoso.msft, which is also the forest root domain, with the child domain sales.contoso.msft in a contiguous namespace; a new child domain is joined to its parent by a two-way, transitive trust relationship]
12
Active Directory Components (Continued)
  – Whenever a child domain is created, a two-way, transitive trust relationship is automatically created between the child and parent domains
• Transitive trust
  – All other trusted domains implicitly trust one another
13
Active Directory Components (Continued)
• Forest
  – Collection of trees that do not share a contiguous DNS naming structure
  – The trees in a forest share a single Active Directory schema
• Enterprise Admins
  – Special user group
  – Allows members to manage objects throughout the entire forest
14
Example of an Active Directory forest
What Is the Forest Root Domain?
The Forest Root Domain Is the First Domain Created in a Forest
[Diagram: a forest whose forest root domain contoso.msft and its child sales.contoso.msft form one tree, and whose second tree has the tree root domain nwtraders.msft with the child marketing.nwtraders.msft; the whole forest shares the global catalog, the configuration and schema, and the Enterprise Admins and Schema Admins groups]
16
Active Directory Components (Continued)
• Global catalog
  – Index and partial replica of the objects and attributes most frequently used throughout the entire Active Directory structure
  – Replicated to any server within the forest that is configured to be a global catalog server
  – The first domain controller in Active Directory automatically becomes a global catalog server
  – Additional domain controllers can also be configured to be global catalog servers
Global Catalog
[Diagram: a global catalog server holding a subset of the attributes of all objects from every domain in the forest; it answers queries and supplies group membership when a user logs on]
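The slides on trees, forests, trusts and the global catalog describe structure that can be enumerated directly. The PowerShell below is an added example, not from the presentation: it reads the forest, groups its domains into trees by contiguous DNS namespace (the rule the tree slide states), lists trusts per domain so that the automatic two-way transitive ones can be told apart from manually added ones, and checks which attributes a global catalog query can actually return. It assumes the ActiveDirectory module on a domain-joined host; the domain names come from the slide diagrams (contoso.msft, sales.contoso.msft, nwtraders.msft) and are only used in comments.

```powershell
# Added example (not from the slides). Assumptions: ActiveDirectory module,
# a domain-joined host with read access to the forest.
Import-Module ActiveDirectory

# 1. Forest: one schema and configuration, one root domain, possibly several trees.
$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, DomainNamingMaster
$forest.Domains          # e.g. contoso.msft, sales.contoso.msft, nwtraders.msft
$forest.GlobalCatalogs   # every DC configured as a GC, forest-wide

# Group domains into trees: a domain whose DNS suffix is another forest domain
# is a child of it; a domain with no such parent is a tree root.
$trees = @{}
foreach ($d in $forest.Domains) {
    $root = $d
    while ($true) {
        $parent = ($root -split '\.', 2)[1]
        if ($parent -and ($forest.Domains -contains $parent)) { $root = $parent } else { break }
    }
    if (-not $trees.ContainsKey($root)) { $trees[$root] = @() }
    $trees[$root] += $d
}
$trees.GetEnumerator() | ForEach-Object { 'Tree root {0}: {1}' -f $_.Key, ($_.Value -join ', ') }

# 2. Trusts. Parent/child and tree-root trusts are created automatically and
#    are two-way and transitive (IntraForest = True). Anything external,
#    one-way or non-transitive was added by hand and deserves a second look.
foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain |
        Select-Object @{n = 'Source'; e = { $domain }}, Target, Direction, TrustType, IntraForest, ForestTransitive
}

# 3. Global catalog: the partial attribute set. A query on port 3268 searches
#    the whole forest but only returns attributes flagged
#    isMemberOfPartialAttributeSet in the schema; everything else comes back
#    empty for objects that live in another domain.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$inGC = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
foreach ($a in 'mail', 'department', 'accountExpires', 'middleName') {
    '{0,-15} replicated to GC: {1}' -f $a, ($inGC -contains $a)
}

# Forest-wide lookup through the first GC, with an empty search base so the
# query spans every domain rather than the local one.
$gcHost = $forest.GlobalCatalogs | Select-Object -First 1
Get-ADObject -Server "$($gcHost):3268" -SearchBase '' `
    -LDAPFilter '(&(objectClass=user)(objectCategory=person))' `
    -Properties mail, department |
    Select-Object -First 5 DistinguishedName, mail, department
```

When an attribute shows `replicated to GC: False` but an application needs it forest-wide, the choice is to add it to the partial attribute set (a schema change, with the replication cost the next slides discuss) or to have the application chase a referral to the object's own domain.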
18
Active Directory Physical Structure
• Relates to the actual connectivity of the physical network
  – Domain Controllers
  – Sites
19
Domain Controller
• A domain controller is a server containing a copy of the Active Directory.
• All domain controllers are peers, and maintain replicated versions of the Active Directory for their domains.
• The domain controller plays an important role in both the logical and physical structure of the Active Directory.
• It organizes all the domain's object data in a logical and hierarchical data store.
• It also authenticates users, provides responses to queries about network objects, and replicates directory services. (The physical structure provides the means to transmit this data through well-connected sites.)
20
Domain Controller Roles
[Diagram: one domain with two domain controllers, each holding a writeable copy of the Active Directory database (User1, User2) and replicating changes to the other]
Reasons for Creating Multiple Domain Controllers:
• It is recommended that each domain and each site have more than one domain controller to provide logical and physical structure redundancy and fault tolerance.
Sites
Sites:
• Optimize replication traffic
• Enable users to log on to a domain controller by using a reliable, high-speed connection
Site: a combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection
[Diagram: sites for Los Angeles, Seattle, Chicago and New York, each made up of IP subnets and joined to the others by WAN links]
23
Active Directory Physical Structure (Continued)
• Aims regarding replication
  – Make sure that any modification to the Active Directory database is replicated as quickly as possible between domain controllers
  – Make sure that replication does not saturate the available network bandwidth
24
Active Directory Physical Structure (Continued)
• A site link
  – A configurable object that represents a low-bandwidth or unreliable/occasional connection between sites
  – Can be adjusted for
    • Replication availability
      » Using the Schedule on Site Links
    • Bandwidth costs
      » Higher Cost Numbers Represent Lower Priority Replication Paths
    • Replication frequency
      » By Setting the Number of Minutes Between
25
The site structure of Dovercorp.net
26
Domains & Sites
• No formal relationship exists between the boundaries of a site or domain.
• Sites and domains do not have to maintain the same namespace.
• Sites Can Contain
  – All domain controllers in a single domain
  – Some of the domain controllers in a single domain
  – Domain controllers from different domains
Sites and Domains
[Diagram: the domains CONTOSO.COM and US.CONTOSO.COM spanning Site A and Site B]
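The physical-structure slides (domain controllers, sites, replication aims, site links, and the site/domain relationship) describe one configuration procedure. The PowerShell below is an added example, not from the presentation, that carries it through: it creates the four sites from the diagrams with an IP subnet each, connects them with site links whose cost and replication frequency follow the slide's rules, restricts the schedule of a high-cost backup link, and finally checks the redundancy rule that every domain and every site has more than one domain controller (grouping on both, since a site may hold DCs from several domains). It assumes the ActiveDirectory module; the subnets, costs, link names and schedule are hypothetical values.

```powershell
# Added example (not from the slides). Assumptions: ActiveDirectory module;
# subnets, link names, costs, frequencies and the schedule are hypothetical.
Import-Module ActiveDirectory

# 1. Sites: well-connected IP subnets. A client is matched to a site by the
#    subnet it comes from, so it logs on to a nearby DC over a fast link.
$sites = @{
    'Seattle'     = '10.1.0.0/16'
    'Los-Angeles' = '10.2.0.0/16'
    'Chicago'     = '10.3.0.0/16'
    'New-York'    = '10.4.0.0/16'
}
foreach ($s in $sites.GetEnumerator()) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Key)'")) {
        New-ADReplicationSite -Name $s.Key
    }
    New-ADReplicationSubnet -Name $s.Value -Site $s.Key
}

# 2. Site links represent the slow or unreliable WAN connections.
#    Cost: a higher number is a lower-priority path. Frequency: minutes
#    between inter-site replication cycles (the trade-off between fast
#    convergence and not saturating the link).
New-ADReplicationSiteLink -Name 'SEA-LA'  -SitesIncluded 'Seattle', 'Los-Angeles' -Cost 100 -ReplicationFrequencyInMinutes 30  -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'LA-CHI'  -SitesIncluded 'Los-Angeles', 'Chicago' -Cost 200 -ReplicationFrequencyInMinutes 60  -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'CHI-NYC' -SitesIncluded 'Chicago', 'New-York'    -Cost 100 -ReplicationFrequencyInMinutes 30  -InterSiteTransportProtocol IP
# Backup path with a deliberately high cost: chosen only when the cheaper
# SEA-LA-CHI-NYC route is unavailable.
New-ADReplicationSiteLink -Name 'SEA-NYC' -SitesIncluded 'Seattle', 'New-York'    -Cost 500 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# 3. Availability: limit the backup link to 20:00-23:45 daily so it never
#    competes with business-hours traffic.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity 'SEA-NYC' -ReplicationSchedule $schedule

# 4. Review the resulting topology (SitesIncluded holds DNs; show only the names).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' }}

# 5. Redundancy check from the DC slide: more than one DC per domain and per
#    site. Get-ADDomainController is per domain, so walk every forest domain.
$dcs = foreach ($dom in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}
$dcs | Group-Object Domain | Where-Object Count -lt 2 |
    ForEach-Object { 'WARNING: domain {0} has a single domain controller' -f $_.Name }
$dcs | Group-Object Site   | Where-Object Count -lt 2 |
    ForEach-Object { 'WARNING: site {0} has a single domain controller' -f $_.Name }
$dcs | Sort-Object Site, Domain | Format-Table -AutoSize
```

The per-site grouping in step 5 is also where the last slide's point shows up in practice: a site with two DCs from different domains still satisfies the physical redundancy rule, but each of those domains needs its own second DC somewhere for the logical one.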