Forests, trees, and domains

Active Directory. By: Kishor Datar 10/25/2007
Active Directory is a directory service used to store information about the network resources across a domain. An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g. printers), services (e.g. e-mail) and users (accounts, or users and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.

Each object represents a single entity, whether a user, a computer, a printer, or a group, together with its attributes. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object can contain) defined by a schema, which also determines the kinds of objects that can be stored in the AD. Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of AD objects, deactivating or changing these objects can have serious consequences because it will fundamentally change the structure of AD itself. A schema object, when altered, automatically propagates through Active Directory, and once it is created it can only be deactivated, not deleted. Changing the schema usually requires a fair amount of planning. [1]

Forests, trees, and domains

The framework that holds the objects is viewed at a number of levels. At the top of the structure is the forest: the collection of every object, its attributes and rules (attribute syntax) in the AD. The forest holds one or more transitive, trust-linked trees. A tree holds one or more domains and child trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name. The objects held within a domain can be grouped into containers called Organizational Units (OUs).

OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the AD's company in organizational or geographical terms. OUs can contain OUs (indeed, domains are containers in this sense) and can hold multiple nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.

AD also supports the creation of sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g. WAN, VPN) and high-speed (e.g. LAN) connections. Sites are independent of the domain and OU structure and are common across the entire forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Exchange 2007 also uses the site topology for mail routing. Policies can also be applied at the site level.

The actual division of the company's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type. These models are also often used in combination. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself: an administrator of any domain in the forest must be trusted across all domains in the forest, because a domain administrator controls that domain's domain controllers, which also hold writable copies of the forest-wide configuration partition, so a compromised domain can be used to attack every other domain in the forest.

Physical structure and replication

Physically the AD information is held on one or more equal peer domain controllers (DCs), replacing the NT PDC/BDC format. Each DC has a copy of the AD; changes on one computer are synchronized (converged) between all the DC computers by multi-master replication. Servers joined to AD which are not domain controllers are called member servers.

The AD database is split into different stores or partitions. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). The 'Domain' partition holds all objects created in that domain. The first two partitions replicate to all domain controllers in the forest. The Domain partition replicates only to domain controllers within its domain. A subset of objects in the domain partition is also replicated to domain controllers that are configured as global catalogs.

Unlike earlier versions of Windows, which used NetBIOS to communicate, Active Directory is fully integrated with DNS and TCP/IP; indeed, DNS is required.
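The site-based referral of clients to the nearest domain controller mentioned above is done through DNS: a domain member asks for the SRV records AD registers under its own site name and falls back to the domain-wide records if the site has no DC. The following is an added example, not code from the original page, that builds those SRV owner names and applies the RFC 2782 priority/weight selection rule to a constructed set of answers. The domain corp.example, the site names and the host names are made up, and the dictionary ZONE stands in for a DNS resolver; nothing on the network is queried.

```python
"""Site-aware domain controller lookup by DNS SRV record.

Added example, not from the original page: it builds the SRV names a
domain member queries to find a domain controller (the site-specific name
first, then the domain-wide fallback) and applies the RFC 2782 selection
rule to the answers. The zone data at the bottom is constructed for the
example; no DNS server is contacted.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first
    weight: int    # relative share among records of equal priority
    port: int
    target: str    # domain controller host name


def srv_names(domain: str, site: Optional[str] = None, service: str = "_ldap") -> List[str]:
    """SRV owner names to query, most specific first.

    AD registers _ldap._tcp.<site>._sites.dc._msdcs.<domain> for each site
    a DC serves and _ldap._tcp.dc._msdcs.<domain> for the whole domain.
    """
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names


def select_record(records: List[SrvRecord], rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: lowest priority wins; among equal priorities pick
    at random in proportion to weight (weight-0 records are listed first so
    they are chosen only when nothing else carries weight)."""
    if not records:
        return None
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    pool = sorted((r for r in records if r.priority == best),
                  key=lambda r: r.weight == 0, reverse=True)
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    threshold = rng.randint(0, total)
    running = 0
    for r in pool:
        running += r.weight
        if running >= threshold:
            return r
    return pool[-1]


def locate_dc(zone: Dict[str, List[SrvRecord]], domain: str, site: Optional[str] = None,
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], Optional[SrvRecord]]:
    """Try each candidate name in order. `zone` (owner name -> SRV records)
    stands in for the DNS resolver. Returns (name that answered, record)."""
    for name in srv_names(domain, site):
        answers = zone.get(name)
        if answers:
            return name, select_record(answers, rng)
    return None, None


# Constructed zone data for the fictional domain corp.example.
ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.London._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "lon-dc1.corp.example"),
        SrvRecord(0, 100, 389, "lon-dc2.corp.example"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "lon-dc1.corp.example"),
        SrvRecord(0, 100, 389, "lon-dc2.corp.example"),
        SrvRecord(0, 100, 389, "nyc-dc1.corp.example"),
        SrvRecord(10, 100, 389, "dr-dc1.corp.example"),  # used only when no priority-0 DC answers
    ],
}

if __name__ == "__main__":
    rng = random.Random(1)
    print(locate_dc(ZONE, "corp.example", site="London", rng=rng))
    print(locate_dc(ZONE, "corp.example", site="Tokyo", rng=rng))  # no Tokyo DCs: domain-wide fallback
```

The client takes whichever target DNS returns, which is why the integrity of these records matters: anyone who can answer the SRV query for a site can steer that site's logons to a host of their choosing, and only Kerberos mutual authentication and signed or sealed LDAP then stand between the client and a rogue "domain controller".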
To be fully functional, the DNS server must support SRV resource records (service records).

AD replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. A different 'cost' can be given to each link (e.g. DS3, T1, ISDN etc.) and the site link topology will be altered accordingly by the KCC. Replication between domain controllers may occur transitively through several site links on same-protocol site link bridges if the 'cost' is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site.

In a multi-domain forest the AD database becomes partitioned. That is, each domain maintains a list of only those objects that belong in that domain. So, for example, a user created in Domain A would be listed only on Domain A's domain controllers. Global catalog (GC) servers are used to provide a global listing of all objects in the forest. The global catalog is held on domain controllers configured as global catalog servers. Global catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, in order to minimize replication traffic and to keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.

Replication of Active Directory uses RPCs (Remote Procedure Calls). Between sites you can also choose to use SMTP for replication, but only for changes in the Schema or Configuration partitions. SMTP cannot be used for replicating the Domain partition. In other words, if a domain exists on both sides of a WAN connection, you must use RPCs for replication.

The AD database, the directory store, in Windows 2000 uses the JET Blue-based Extensible Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (NT4's Security Account Manager could support no more than 40,000 objects.) Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows 2003 a third main table was added for security descriptor single instancing. Active Directory is a necessary component for many Windows services in an organization, such as Exchange.

FSMO Roles

Flexible Single Master Operations (FSMO) roles are also known as operations master roles. Although the AD domain controllers operate in a multi-master model, i.e. updates can occur in multiple places at once, there are several roles that are necessarily single instance:

Schema Master (scope: forest) - Controls updates to the schema.

Domain Naming Master (scope: forest) - Controls the addition and removal of domains from the forest.

PDC Emulator (scope: domain) - Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDCe also runs specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain.

RID Master (scope: domain) - Allocates pools of unique identifiers (relative IDs) to domain controllers for use when creating objects.

Infrastructure Master (scope: domain) - Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs).

Naming

AD supports UNC (\), URL (/), and LDAP URL names for object access. AD internally uses the LDAP version of the X.500 naming structure. Every object has a Distinguished Name (DN), so a printer object called HPLaser3 in the OU Marketing in the domain foo.org would have the DN CN=HPLaser3,OU=Marketing,DC=foo,DC=org, where CN is common name and DC is domain component. DNs can have many more than four parts. The object can also have a Canonical Name, essentially the DN in reverse, without the attribute type identifiers, and using slashes: foo.org/Marketing/HPLaser3. To identify the object within its container the Relative Distinguished Name (RDN) is used: CN=HPLaser3. Each object also has a Globally Unique Identifier (GUID), a unique and unchanging 128-bit value which is used by AD for search and replication. Certain objects also have a User Principal Name (UPN), of the form objectname@domainname.

Trust

To allow users in one domain to access resources in another, AD uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

One-way trust - When one domain allows access to users of another domain, but the other does not allow access to users of the first.

Two-way trust - When two domains each allow access to the users of the other.

Trusting domain - The domain that allows access to users of another domain.

Trusted domain - The domain that is trusted; its users have access to the trusting domain.

Transitive trust - A trust that can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one-way trust that does not extend beyond two domains.

Explicit trust - A trust that an admin creates. It is not transitive and is one-way only.

Cross-link trust - An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 supports the following types of trusts: two-way transitive trusts and one-way non-transitive trusts. Additional trusts can be created by administrators, such as shortcut trusts.

Windows 2003 offers a new trust type, the forest trust (also called a forest root trust). This type of trust can be used to connect Windows 2003 forests if they are operating at the Windows Server 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the two forests they join, but they do not chain: a forest trust between forests A and B and another between B and C does not make A trust C.

ADAM

Active Directory Application Mode (ADAM) is a light-weight implementation of Active Directory. ADAM runs as an ordinary service and does not require the host to be a domain controller. Due to its small resource requirements, multiple ADAM instances are able to run on the same server. The API is identical to that of a full-blown Active Directory implementation, so developers do not need to learn new skills to utilize it. Active Directory and ADAM share the same code base, so performance of ADAM is nearly identical to Active Directory when comparing like operations.

Alternatives

There is presently no practical alternative to AD for most organizations with large Windows environments.

There is a common misconception that Active Directory provides software distribution. This is run by a separate service that uses additional proprietary schema attributes that work in conjunction with the LDAP protocol. Active Directory does not automate software distribution, but provides a mechanism through which other services can provide software distribution.
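The naming rules in the Naming section above (DN, RDN and canonical name) are mechanical enough to implement. The following is an added example, not code from the original page: a small parser for the LDAP string form of distinguished names (RFC 4514) that splits on unescaped commas, resolves backslash and hex escapes, and derives the RDN and the canonical name. It uses the page's own DN, CN=HPLaser3,OU=Marketing,DC=foo,DC=org; the other names appearing in the usage are made up. Handling the escapes correctly matters in practice: a value such as "Smith, John" contains a comma that must not be treated as a component separator.

```python
"""Parse an AD distinguished name (DN) and derive its RDN and canonical name.

Added example, not code from the original page. It implements the LDAP
string form of DNs (RFC 4514): components are separated by unescaped
commas, a backslash escapes the next character, and a backslash followed by
two hex digits encodes one byte. DC components become the dotted DNS name
and the remaining components are reversed into a slash-separated path.
The DN from the page (CN=HPLaser3,OU=Marketing,DC=foo,DC=org) is used
below; the other names are made up.
"""
from typing import List, Tuple

_HEX = set("0123456789abcdefABCDEF")


def split_dn(dn: str) -> List[str]:
    """Split on commas that are not escaped; escapes are left in place."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Resolve backslash-character and backslash-hex-hex escapes; hex
    escapes are UTF-8 bytes, so they are collected before decoding."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hh = value[i + 1:i + 3]
            if len(hh) == 2 and hh[0] in _HEX and hh[1] in _HEX:
                raw.append(int(hh, 16))
                i += 3
            else:
                raw.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        raw.extend(value[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def _trim(component: str) -> str:
    """Drop unescaped whitespace around a component; an escaped trailing
    space (backslash space) is significant and is kept."""
    component = component.lstrip()
    while component.endswith(" ") and not component.endswith("\\ "):
        component = component[:-1]
    return component


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute type, decoded value), ...] from leaf to root."""
    rdns = []
    for part in split_dn(dn):
        part = _trim(part)
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), unescape(val.lstrip())))
    return rdns


def rdn(dn: str) -> str:
    """The leaf component as written, e.g. 'CN=HPLaser3'."""
    return _trim(split_dn(dn)[0])


def canonical_name(dn: str) -> str:
    """Canonical form: the domain's DNS name, then the container path from
    the top down, e.g. foo.org/Marketing/HPLaser3."""
    rdns = parse_dn(dn)
    dcs = [v for t, v in rdns if t == "DC"]
    path = [v for t, v in rdns if t != "DC"]
    return "/".join([".".join(dcs)] + list(reversed(path)))


if __name__ == "__main__":
    dn = "CN=HPLaser3,OU=Marketing,DC=foo,DC=org"
    print(parse_dn(dn))
    print(rdn(dn), canonical_name(dn))
    print(canonical_name("CN=Smith\\, John,OU=Sales,DC=foo,DC=org"))
```

Anything that builds a DN or an LDAP filter from user-supplied input has to apply the reverse of unescape: a value containing an unescaped comma, plus sign or equals sign is parsed as extra components, and in a filter an unescaped parenthesis or asterisk changes the query.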
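The trust types listed above differ in direction and transitivity, and working out which account domains can actually reach a given resource domain across a real topology is error-prone by hand. The following is an added example, not code from the original page, that walks a trust graph using the rules the page states: trusts inside a forest are two-way and transitive, a Windows Server 2003 forest trust is transitive across the two forests it joins but does not chain to a third forest, and an external trust is nontransitive. The domain names and the topology are made up; selective authentication and SID filtering are not modelled. The result illustrates the earlier point that the forest, not the domain, is the security boundary: every domain in a forest is reachable from every other one.

```python
"""Which account domains can be granted access to a resource domain?

Added example, not code from the original page. A trust is stored as
(trusting domain, trusted domain, kind): the trusting domain is the one
that grants access to the trusted domain's users, so reachability is
computed by following edges from trusting to trusted, starting at the
resource domain. Rules applied: intra-forest trusts are transitive, a
forest trust is transitive across the two forests but is not chained to a
third, and an external trust is valid only as a single direct hop.
Selective authentication and SID filtering are not modelled. The domain
names below are made up.
"""
from collections import deque
from typing import Iterable, List, Set, Tuple

INTRA_FOREST = "intra_forest"  # parent/child, tree-root and shortcut trusts
FOREST = "forest"              # cross-forest trust (2003 forest functional level)
EXTERNAL = "external"          # nontransitive trust to a single domain or NT4 domain

Trust = Tuple[str, str, str]


def two_way(a: str, b: str, kind: str) -> List[Trust]:
    """A two-way trust is a pair of one-way trusts."""
    return [(a, b, kind), (b, a, kind)]


def reachable_account_domains(trusts: Iterable[Trust], resource_domain: str) -> Set[str]:
    """Domains whose users can be authenticated and authorised in
    resource_domain, following trust edges from trusting to trusted."""
    trusts = list(trusts)
    reached: Set[str] = set()
    # state = (domain we are at, whether a forest trust has already been crossed)
    queue = deque([(resource_domain, False, 0)])
    seen = {(resource_domain, False)}
    while queue:
        here, crossed_forest, hops = queue.popleft()
        for trusting, trusted, kind in trusts:
            if trusting != here:
                continue
            if kind == EXTERNAL:
                if hops == 0:            # nontransitive: only as the direct hop
                    reached.add(trusted)
                continue
            if kind == FOREST:
                if crossed_forest:       # would chain forest A -> B -> C
                    continue
                state = (trusted, True)
            else:
                state = (trusted, crossed_forest)
            if state not in seen:
                seen.add(state)
                reached.add(trusted)
                queue.append((trusted, state[1], hops + 1))
    reached.discard(resource_domain)
    return reached


def can_access(trusts: Iterable[Trust], resource_domain: str, account_domain: str) -> bool:
    """True if users from account_domain can be granted access in resource_domain."""
    return (account_domain == resource_domain
            or account_domain in reachable_account_domains(trusts, resource_domain))


# Constructed topology: forest "corp" (root plus two children), forest
# "partner" (root plus one child), a third forest trusted only by partner,
# and one NT4-style one-way external trust from us.corp.example.
TRUSTS: List[Trust] = (
    two_way("corp.example", "eu.corp.example", INTRA_FOREST)
    + two_way("corp.example", "us.corp.example", INTRA_FOREST)
    + two_way("partner.example", "lab.partner.example", INTRA_FOREST)
    + two_way("corp.example", "partner.example", FOREST)
    + two_way("partner.example", "third.example", FOREST)
    + [("us.corp.example", "legacy.local", EXTERNAL)]   # us trusts legacy, not the reverse
)

if __name__ == "__main__":
    for dom in ("eu.corp.example", "us.corp.example", "lab.partner.example", "legacy.local"):
        print(dom, "accepts users from", sorted(reachable_account_domains(TRUSTS, dom)))
```

Running it over an inventory of real trusts (the same tuples can be produced from the trustedDomain objects in the System container of each domain) is a quick way to find which outside directories can present principals to your resource domains, and which of those paths rely on a nontransitive external trust that stops one hop away.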