CISNTWK-11 A.D. Intro
Background
• Directory
  – Is a comprehensive catalog of information
    • names
    • phone numbers
    • computers
    • software
    • services
  – It is organized in a manner that makes the information easily accessible
Background (continued)
• Directory Services
  – It is based on a Directory
  – It is a distributed database
  – It stores information about your network resources
  – It allows for accessing this information
  – It allows for searching this information using search criteria
  – It facilitates locating and managing resources
What is Active Directory?
• Active Directory
  – Is the implementation of Directory Services for Windows 2000 (or greater) Server
    • the full capabilities of Active Directory are only available with Windows 2000 (client or server) or greater
    • Active Directory requires Windows Server(s) configured as Domain Controller(s)
  – Is the central repository (database) of network resources
  – Is the functional replacement of NT 4 Domains
  – Describes
    • what information can be stored in the database
    • how it is stored in the database
    • how users can query the database to obtain specific information about network resources
Enterprise Requirements
• Enterprise Directory Services requirements
  – Centralization
  – Scalability
  – Reliability
  – Ease of administration
  – Integration with security
  – Integration with applications
  – Standardization and openness
    • based on “open” industry standards
    • is extensible (you can add to it)
Enterprise Requirements (continued)
• Active Directory meets the “enterprise” Directory Services requirements
  – Active Directory is centralized
  – Active Directory is scalable
  – Active Directory makes Windows networks easier to administer
  – Active Directory is built on the Windows Server security model
    • it is tightly integrated with Windows Server
    • makes use of Access Control Lists (ACLs)
Enterprise Requirements (continued)
  – Active Directory implements industry standards
    • Active Directory Services is accessible programmatically through the Lightweight Directory Access Protocol (LDAP)
    • Active Directory incorporates Domain Name System (DNS) for name translation
  – Active Directory is open (extensible)
Active Directory: The Logical Structure
• The following terms are used to help describe Active Directory, from “least encompassing” (lowest level) to “most encompassing” (highest level)
  – Object
    • the basic unit in Active Directory
    • examples include: Users, Groups, and Computers
  – Organizational Unit
    • a “container” of Objects
  – Domain
    • an administrative boundary
    • a security boundary
    • contains zero or more Organizational Units
Active Directory: The Logical Structure (continued)
  – Tree
    • a Domain hierarchy
    • contains one or more Domains
  – Forest
    • a collection of one or more Trees
    • they share the same Active Directory Schema, Configuration, and Global Catalog
Active Directory: The Physical Structure
• The physical structure of Active Directory is independent of the logical structure
• The physical structure consists of the following components
  – Domain Controller
    • houses the Active Directory database and services
    • runs on Windows Servers (2000 or better)
  – Site
    • a set of computers in one or more TCP/IP subnets
    • is used to facilitate the replication of the Active Directory database
    • allows client computers to access Active Directory in a “network efficient” manner
Active Directory: The Physical Structure (continued)
  – Global Catalog
    • a catalog of a selected set of properties from every object in an Active Directory Forest
    • the Global Catalog is unique in that it is considered to be part of both the logical structure of Active Directory as well as the physical structure of Active Directory
Domain
• A Domain is a collection of one or more computers
• Users, Groups, and network resources are associated with a Domain
• Domains act as security boundaries
  – Access to Domain resources requires user authentication on that Domain
    • resources include directories, files, and printers
  – Users in one Domain are generally unable to access resources in another Domain unless they have a User Account in the other Domain
Domain (continued)
• Domains act as administrative boundaries
  – Domain A can be administered separately from Domain B
• Windows Servers and Client computers can belong to only one Domain at a time
  – Or no Domain if they are configured as a Workgroup
  – Or no Domain if the client OS is older than Windows NT Workstation
Domain (continued)
• Domains require Windows Server
  – For Windows 2003 Server
    • must be configured as a Domain Controller
  – For Windows NT Server
    • one Primary Domain Controller (PDC)
    • zero or more Backup Domain Controllers (BDC)
• A “network” can support an arbitrary number of Domains
Domain Representation
• Domains are represented graphically as follows
  [Figure: two Domain symbols, one labelled “A” for a Windows (>NT) Domain and one labelled “B” for a Windows NT 4 Domain; the letter inside each symbol is the name of the Domain]
Active Directory Domain Hierarchy
• Active Directory Domains can be organized in a parent-child relationship to form a hierarchy
  [Figure: Domain A is the parent of B and C; B and C are children of A; C is also the parent of D; D is a child of C and a grandchild of A]
Active Directory Domain Hierarchy Rules
• A child Domain can have exactly one parent
• A parent Domain can have zero or more child Domains
• Very important:
  – Administrators in the parent Domain do not automatically have administrative rights in a child Domain
Domain Name System (DNS)
• Domain Name System (DNS) is a de facto naming system for IP based networks
• DNS is the naming service that is used to locate computers on the Internet
• DNS is used to translate “friendly” names to TCP/IP addresses
  – “IBM.COM” (DNS name) translates to “129.42.16.99” (IPv4 TCP/IP address)
Domain Name System (DNS) (continued)
• DNS is based on a hierarchy, just like Windows 2003 Domains
  – This hierarchy defines a namespace
  – Each element of the hierarchy is separated by a dot (“.”)
• A namespace is a context within which the names of all “objects” are unambiguously resolvable
• The DNS namespace is pictured as an inverted tree, with the “root” at the top
DNS Graphical Representation
• Here is an example of a DNS hierarchy
  [Figure: the “root” at the top; beneath it the Internet top-level Domains com, edu, gov, mil, net and org; beneath those the Subdomains superwidgets, chaffey, adelphia and navy; and a further level of Subdomains, support and mail]
DNS Components
• Each computer in a DNS domain is uniquely identified by its fully qualified domain name (FQDN)
• Here is an example of a Windows Server DNS name: catbert.support.superwidgets.com
  – “catbert” is the host name or computer name
  – “support” and “superwidgets” are the Subdomain(s)
  – “com” is the Internet top-level domain
  – the complete name is the fully qualified domain name (FQDN)
What Does DNS Do?
• DNS is based on a client / Server model
• This is an example of a DNS query:
  [Figure: the client sends the query “Where’s ‘Engr1’?” to the DNS server; the server replies “147.19.180.101”; the client then initiates a connection to that address]
Active Directory and DNS
• Windows Servers use Domain Name System (DNS) naming standards for hierarchical naming of Active Directory Domains and computers
• Windows Servers use DNS to locate Domain Controllers and computers
  – This includes locating Active Directory on the network
Active Directory and DNS (continued)
• A Windows 2003/NT Domain is not the same as a “domain” as used by DNS
  – DNS domains and Active Directory Domains use identical naming standards for different namespaces
  – Each stores different data and therefore manages different objects
    • DNS is a “name resolution” mechanism
    • Windows Server Domains are administrative and security boundaries
Trusts
• A “Trust” is a relationship between two Domains that allows for resource sharing between the two Domains
• Trust relationships between Domains support the following capabilities
  – Permitting Domain A Users to logon to Domain B
    • with Windows (>NT), this is also supported in reverse
  – Permitting Domain B Users to access resources in Domain A
    • with Windows (>NT), this is also supported in reverse
Trusts (continued)
• Trusts are between Domains
  – Trusts are not established between computers
• Once a Trust is established, all the users participate in the Trust
  – Individual users cannot be excluded from a Trust relationship
Trusts (continued)
Approaches for accessing resources in another Domain without a Trust
• Enable the Guest Account on the Domain “owning” the resource
  – generally a poor approach - you lose any accountability
Trusts (continued)
Approaches for accessing resources in another Domain without a Trust
• Add the same User Account with the same password on the other Domain
  – this generally undermines the notion of Domains in Windows Server
  – Windows Server will always try to authenticate with your Account name and password
    • this is a built-in behavior
    • this allows for “transparent” access to any (>Windows 98) computer
      – in any Domain or any Workgroup
  – this approach scales poorly
  – issues arise when the password expires on the originating Domain
    • there is generally no provision for keeping them synchronized
Trusts (continued)
Approaches for accessing resources in another Domain without a Trust
• You don’t - the resources are kept separate (this is the “default” behavior)
Active Directory Objects
• The basic unit in Active Directory is an Object
• An Object is a distinct, named set of attributes that represents something concrete
• An Object consists of
  – A name
  – A “type”
  – One or more attributes
Active Directory Objects (continued)
• Common Objects in Active Directory include
  – User
  – Group
  – Computer
  – Printer
  – Shared Folder
Active Directory Tree
• Active Directory Domains are created in an inverted tree structure, with the root at the top
  – An Active Directory tree must have a contiguous namespace
Active Directory Tree (continued)
• The Windows Server Domain hierarchy is based on Trust relationships, each Domain being implicitly linked to the others by inter-domain Trust relationships
  – All the Domains in a domain tree trust one another implicitly
  – The Trusts are transitive
    • if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C
  – The Trusts are bi-directional (with NT 4, this is referred to as a “two way” trust)
    • Domain A trusts Domain B
    • Domain B trusts Domain A
Active Directory Tree (continued)
• This allows users to logon to the Domain tree from any computer that is a member of the Domain tree
  – The computer could be a member of Domain A and their User Account could be a member of Domain B
• This also allows access to resources in any Domain within the Domain tree
Active Directory Tree Example
• Here is an example of a Domain Tree
  [Figure: the widgets.com Tree, with widgets.com at the root, support.widgets.com and sales.widgets.com beneath it, and catbert.support.widgets.com beneath support.widgets.com]
Active Directory Forest
• An Active Directory Forest is a collection of one or more Active Directory Trees
• For an Active Directory Forest to exist with two or more Active Directory Trees, the Active Directory Trees must form a noncontiguous namespace based on different DNS “root” domain names
• The Active Directory Trees are joined together at the “root” with a two way Trust relationship
Active Directory Forest (continued)
• All Active Directory Trees in an Active Directory Forest share a common
  – Schema
  – Configuration
  – Global Catalog (GC)
Active Directory Forest Example
• Here is an example of a Domain Forest
  [Figure: the widgets.com Tree (widgets.com, with support.widgets.com and sales.widgets.com beneath it and catbert.support.widgets.com beneath support.widgets.com) and the acquired.com Tree (acquired.com, with sales.acquired.com beneath it); the two Trees are joined by a Trust relationship between the roots widgets.com and acquired.com]
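A small Python model of the Tree and Forest Trust rules from the Active Directory Tree and Forest slides above, added here and not part of the lecture: it derives parent/child Domains from the contiguous DNS namespace, joins the tree roots of one Forest with a two-way Trust, and answers whether one Domain reaches another through transitive Trusts. The Forest contents are constructed from the slides' Domain names; the rule that Domains in different Forests share no Trust is an assumption of this model, not a statement on the slides.

```python
# Added example, not from the lecture: a model of the Domain-tree and Forest
# Trust rules stated on the slides. Assumptions (constructed, not from the
# slides): Domain names are the only input; parent/child links follow the
# contiguous DNS namespace; each parent/child link, and the link between the
# tree roots of one Forest, is a two-way transitive Trust; separate Forests
# share no Trust at all.

def parent_domain(fqdn):
    """DNS parent of a name: 'support.widgets.com' -> 'widgets.com'."""
    return fqdn.partition(".")[2] or None

def build_forest(domains):
    """Map each Domain to its parent Domain, or None when it is a tree root
    (its DNS parent is not itself an Active Directory Domain)."""
    doms = set(domains)
    return {d: (parent_domain(d) if parent_domain(d) in doms else None)
            for d in doms}

def tree_roots(forest):
    """Roots of the Trees in a Forest (the Domains joined at the 'root')."""
    return sorted(d for d, p in forest.items() if p is None)

def trust_edges(forest):
    """Direct two-way Trusts inside one Forest."""
    edges = set()
    for child, parent in forest.items():
        if parent is not None:
            edges.update({(child, parent), (parent, child)})
    roots = tree_roots(forest)
    edges.update((a, b) for a in roots for b in roots if a != b)
    return edges

def trusts(forests, src, dst):
    """True when src reaches dst through transitive Trusts. Domains that do
    not share a Forest never trust each other in this model."""
    for forest in forests:
        if src in forest and dst in forest:
            edges, seen, todo = trust_edges(forest), {src}, [src]
            while todo:
                cur = todo.pop()
                if cur == dst:
                    return True
                for a, b in edges:
                    if a == cur and b not in seen:
                        seen.add(b)
                        todo.append(b)
    return False

# Sample Forests built from the Domain names used on the slides.
WIDGETS_FOREST = build_forest(["widgets.com", "support.widgets.com",
                               "sales.widgets.com", "acquired.com", "sales.acquired.com"])
ACME_FOREST = build_forest(["thatsall.acme.com"])   # a Tree and a Forest at once
FORESTS = [WIDGETS_FOREST, ACME_FOREST]
```

For instance, support.widgets.com reaches sales.acquired.com only because widgets.com and acquired.com are joined at the root; thatsall.acme.com, in its own Forest, is unreachable from either.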
Active Directory: Organizational Unit
• An Organizational Unit (OU) is a type of Active Directory “container” that is placed in a Domain
  – This allows administrators to logically organize and store objects in a Domain
  – Each Domain can implement its own Organizational Unit hierarchy independent of other Domains
1 This topic is covered in a separate lecture. Refer to “Profiles and Policies” for details
Active Directory: Organizational Unit (continued)
• An OU can contain zero or more of the following Active Directory Objects
  – User
  – Group
  – Computer
  – Printer
  – Shared Folder
  – Organizational Unit (OU)
    • this implies that Organizational Units can be nested
Active Directory: Organizational Unit (continued)
• An OU allows an administrator
  – to delegate administration
  – to apply Group Policy to subsets of your users and computers
  – to keep objects with identical security requirements together
Active Directory: Organizational Unit Example
• Here is an example of an Organizational Unit hierarchy within a Domain
  [Figure: the Domain acme.com contains the OUs Finance, Engineering and Sales; beneath Finance are Accounting and Purchasing; beneath Accounting are External Accounting and Internal Accounting; beneath Engineering are Hardware and Software]
Domains at Their Simplest
• Tree(s) and Forest(s) are used to help scale Active Directory at the enterprise
  – This scaling is accomplished using the following components
    • the use of an Active Directory Tree comprised of more than one Domain
    • the use of an Active Directory Forest comprised of more than one Tree
Domains at Their Simplest (continued)
• At the most fundamental level of Active Directory deployment
  – You start out with a single Domain
  – You may end up with a single Domain
    • This single Domain may contain no Organizational Units
• These terms - “Tree” and “Forest” - “compress” into a single Domain
  – As in:
  [Figure: the single Domain thatsall.acme.com, labelled both “This is a Tree” and “This is a Forest”]
Creating a Windows 2003 Domain Controller
• A Windows (>NT) Server can become a Domain Controller through the “Active Directory Installation” wizard
  – The program is called “DCPROMO” (Domain Controller promotion / demotion)
    • Start Menu -> Run .. (enter “DCPROMO” as the program name)
  – You can also perform this task “indirectly” through
    • Start Menu -> Programs -> Administrative Tools -> Configure Your Server
      – choose Active Directory and select “Start the Active Directory wizard”
Creating a Windows 2003 Domain Controller (continued)
• The Active Directory Installation wizard can create the following types of Domain Controllers
  – Create a new forest of Domain trees (Forest Root Domain)
  – Create a new Domain tree in an existing forest
  – Create a new child Domain in an existing Domain tree
  – Create an additional Domain Controller for an existing Domain
• You will need to have administrative rights in the appropriate Domain
• The Active Directory Installation wizard can also be used to “demote” a Domain Controller to a member Server