Introduction to Active Directory Services
Tom Brett

A DIRECTORY SERVICE

A directory service allows businesses to define, manage, access and secure network resources, including files, printers, people and applications.
Prior to the introduction of directory systems (Novell Directory Services, NDS, etc.), users were required to log on to many different servers in order to access different resources on the network. This required users to authenticate several times and required administrators to replicate authentication details on each server.

Active Directory provides a single point of management for network resources. Active Directory also provides single sign-on, allowing access to all resources (where permitted) from a single logon.

MICROSOFT DIRECTORY SERVICES
Active Directory (AD) is a directory service created by Microsoft for Windows domain networks.

Windows Server 2008 provides two separate roles for Active Directory:

- Active Directory Domain Services (AD DS): provides a full-fledged directory service, also referred to simply as directory services.
- Active Directory Lightweight Directory Services (AD LDS): provides a lightweight, flexible platform for directory-enabled applications without the dependencies that are required for AD DS. AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. It is mainly suited to developers who need to use the directory APIs but don't want the complexity of the full AD DS.

ACTIVE DIRECTORY DOMAIN SERVICES (AD DS)
An Active Directory structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Domain Controller

A Windows Server computer that has been configured with Active Directory Domain Services is known as a domain controller. A domain controller is a server which stores the Active Directory database and authenticates users to the network during logon. Domain controllers:

- Provide authentication
- Host operations master roles
- Host the global catalog
- Support Group Policy and SYSVOL
- Provide for replication
We use dcpromo to install Active Directory Domain Services; dcpromo can be used to make a member server into a domain controller.

Directory Database

Each domain controller participates in storing, modifying and maintaining the Active Directory database, and the information is stored on each controller. The directory database is stored on each domain controller in a file called ntds.dit. This database is a multimaster database, which means that administrators can update it from any domain controller.

Fault Tolerance

Microsoft Directory Services builds in fault tolerance through its multimaster domain controller design, because every domain controller holds its own copy of the database file (ntds.dit).
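The slides describe promotion with dcpromo (the Windows Server 2008 tool). The following is an added example, not from the original slides, that performs the same promotion with the ADDSDeployment cmdlets that replaced dcpromo from Windows Server 2012 onward, then checks where ntds.dit lives and which domain controller holds the operations master roles. The domain name contoso.com, the NetBIOS name CONTOSO and the paths are assumptions.

```powershell
# Added example (not from the original slides): promote a member server to the
# first domain controller of a new forest, then verify the database file and the
# operations master (FSMO) roles. Domain name and paths are assumed.

# 1. Install the AD DS role binaries. This does not promote the server yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote: create the forest root domain contoso.com (assumed name).
#    The Directory Services Restore Mode password is prompted for; never hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"
Install-ADDSForest `
    -DomainName "contoso.com" `
    -DomainNetbiosName "CONTOSO" `
    -InstallDns `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- after the reboot, on the new domain controller ---

# 3. The directory database is the ntds.dit file under the DatabasePath chosen
#    above; the NTDS service records the location in the registry.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" |
    Select-Object "DSA Database file", "DSA Working Directory"
Get-Item "C:\Windows\NTDS\ntds.dit" | Select-Object FullName, Length, LastWriteTime

# 4. Operations master roles. The first DC in a new forest holds all five:
#    two forest-wide roles and three domain-wide roles.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 5. Multimaster design: every writable DC accepts updates and replicates them,
#    so list all DCs with their writable/GC status and any roles they hold.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
```

Steps 3 to 5 are the checks to repeat after adding a second DC: the second server should show up as writable and as a global catalog, and the role list tells you which DC must be recovered first if one is lost.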
Read Only Domain Controller

Windows Server 2008 also introduced a new type of DC called a read-only domain controller (RODC). This version cannot be modified directly but replicates from other domain controllers, so it can be used in less secure environments where changes must not be made locally. RODCs are designed primarily to be deployed in a branch office.

What Is a Read Only Domain Controller?

RODCs host read-only partitions of the AD DS database, only accept replicated changes to AD DS, and never initiate replication.

RODCs provide:

- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller

RODCs:

- Cannot hold operations master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 R2 Server Core for additional security

Further Information: AD DS: Read Only Domain Controllers http://go.microsoft.com/fwlink/?linkid=199662
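What actually limits the damage from a stolen branch-office RODC is its Password Replication Policy, which decides whose credentials the RODC is allowed to cache. The following is an added example, not from the original slides, that deploys an RODC with the ADDSDeployment module and then reviews and tightens that policy with the ActiveDirectory module. The domain contoso.com, the site name Branch-Office, the server name BRANCH-RODC01 and the two branch groups are assumptions.

```powershell
# Added example (not from the original slides): deploy an RODC for a branch office
# and review its Password Replication Policy (PRP). All names are assumed.

# 1. On the branch server (already joined to contoso.com): install the role and
#    promote it as a read-only replica. It receives a read-only copy of the
#    database and only ever accepts inbound replication from writable DCs.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"
Install-ADDSDomainController `
    -DomainName "contoso.com" `
    -ReadOnlyReplica `
    -SiteName "Branch-Office" `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- from an administrative workstation with the ActiveDirectory module ---

# 2. Confirm the new DC is read-only and holds no operations master roles.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object HostName, Site, IsReadOnly, OperationMasterRoles

# 3. Review which accounts the RODC may cache. Out of the box only the
#    "Allowed RODC Password Replication Group" is allowed, and the
#    "Denied RODC Password Replication Group" (Domain Admins, Enterprise Admins
#    and other privileged groups) is denied; denied always wins over allowed.
$rodc = "BRANCH-RODC01"   # assumed RODC name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# 4. Allow only the branch's own users and computers to be cached, so a
#    compromised RODC exposes at most that branch's credentials.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList "Branch Office Users", "Branch Office Computers"

# 5. Show which credentials are actually stored on the RODC right now. Any
#    privileged account appearing here means the deny list needs attention.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Step 5 is the one to schedule: the list of revealed accounts is what an attacker with physical access to the branch server could recover, so it should contain only principals that belong to that site.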
Default Domain Policy

The Default Domain Policy is a preconfigured GPO that is added when a domain is created and linked at the domain level. Settings within the Default Domain Policy apply to all user and computer objects within the domain.

Default Domain Controllers Policy

The Default Domain Controllers Policy is a preconfigured GPO that is added when a domain is created and linked at the Domain Controllers OU level. The Domain Controllers OU is created when a domain is created, and all domain controllers are automatically placed in this OU.

Replication

The process of keeping each domain controller in sync with changes is called replication. When a domain controller transmits replication information to other domain controllers, it is known as outbound replication. When a domain controller receives updates to the Active Directory database, it is known as inbound replication.
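The following is an added example, not from the original slides, that uses the GroupPolicy and ActiveDirectory modules to confirm the two default GPOs exist and are linked where the slide says, that every DC really sits in the Domain Controllers OU, and that inbound replication to the current DC is healthy. It assumes a domain-joined host with both modules and the repadmin tool installed.

```powershell
# Added example (not from the original slides): check the two default GPOs, their
# links, DC placement, and replication health. Assumes the GroupPolicy and
# ActiveDirectory modules and repadmin are available on this host.

Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOU   = "OU=Domain Controllers,$($domain.DistinguishedName)"

# 1. The two preconfigured GPOs. Their GUIDs are the same in every domain:
#    {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04fB984F9}.
Get-GPO -Name "Default Domain Policy"             | Select-Object DisplayName, Id, GpoStatus
Get-GPO -Name "Default Domain Controllers Policy" | Select-Object DisplayName, Id, GpoStatus

# 2. Where they are linked: the domain root and the Domain Controllers OU.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
(Get-GPInheritance -Target $dcOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 3. Every DC should be in the Domain Controllers OU, otherwise the DC policy
#    (and its user-rights assignments) does not apply to it.
$inOU = Get-ADComputer -SearchBase $dcOU -Filter * | Select-Object -ExpandProperty Name
Get-ADDomainController -Filter * |
    Where-Object { $_.Name -notin $inOU } |
    ForEach-Object { Write-Warning "DC $($_.Name) is outside the Domain Controllers OU" }

# 4. Inbound replication to this DC: last success per partner and partition,
#    plus any recorded failures.
$dc = (Get-ADDomainController).HostName
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound |
    Select-Object Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $dc |
    Select-Object Partner, FailureType, FailureCount, FirstFailureTime

# 5. The classic forest-wide view of inbound and outbound replication.
repadmin /replsummary
```

A non-zero ConsecutiveReplicationFailures, or a LastReplicationSuccess older than the site's replication interval, means changes made on the partner (including password changes and account disables) are not reaching this DC.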
An Active Directory System

Most organizations use just a simple one-domain structure. Indeed, unless your organization has more than 50,000 users or you have a specific reason to add more domains, a single domain structure is not only recommended, but it's also the simplest to implement. A single domain is relatively easy to create once you have a server: just choose your domain name, run the domain controller promotion wizard (DCPromo), and you're in business.

The primary tool you'll use to manage the domain is Active Directory Users and Computers. You can create user and computer objects (to represent the actual users and computers) in the domain and organize them in organizational units (OUs) using Active Directory Users and Computers. You can also create these Active Directory objects from the command line.
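The slide mentions creating objects from the command line. The following is an added example, not from the original slides, that creates an OU, a user and a computer object with the ActiveDirectory module and then shows the same user creation with dsadd, the command-line tool of the Windows Server 2008 era. The OU name Sales, the user Maria Lopez (mlopez) and the computer name SALES-PC01 are assumptions.

```powershell
# Added example (not from the original slides): create an OU, a user and a
# computer object from the command line. All names are assumed.

Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com

# 1. An OU to hold the sales department's objects.
New-ADOrganizationalUnit -Name "Sales" -Path $domainDN -ProtectedFromAccidentalDeletion $true
$salesOU = "OU=Sales,$domainDN"

# 2. A user object. The initial password is prompted for rather than written in
#    the script; the account is enabled and must change password at first logon.
$pwd = Read-Host -AsSecureString -Prompt "Initial password for mlopez"
New-ADUser -Name "Maria Lopez" -GivenName "Maria" -Surname "Lopez" `
    -SamAccountName "mlopez" -UserPrincipalName "mlopez@contoso.com" `
    -Path $salesOU -AccountPassword $pwd -Enabled $true -ChangePasswordAtLogon $true

# 3. A computer object, pre-staged so the machine can be joined to the domain
#    later into this OU instead of the default Computers container.
New-ADComputer -Name "SALES-PC01" -SamAccountName "SALES-PC01$" -Path $salesOU

# 4. Verify: every object in the OU with its class and the SID it was assigned
#    (both the user and the computer are security principals).
Get-ADObject -SearchBase $salesOU -Filter * -Properties objectSid |
    Select-Object Name, ObjectClass, objectSid

# 5. The same user via dsadd, the 2008-era tool ("-pwd *" prompts for the
#    password). Equivalent to step 2; run one or the other, not both.
dsadd user "CN=Maria Lopez,OU=Sales,DC=contoso,DC=com" -samid mlopez `
    -upn mlopez@contoso.com -fn Maria -ln Lopez -display "Maria Lopez" `
    -pwd * -mustchpwd yes -disabled no
```

Pre-staging the computer object (step 3) is what lets you control which OU, and therefore which Group Policy, a new machine lands in before anyone joins it.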
ACTIVE DIRECTORY BASICS

Active Directory Domain Services (AD DS)

Active Directory Domain Services (AD DS) is used to provide several services to an organization. At its core, it's a big database of objects (such as users, computers, and groups) and is used to centrally organize and manage all the objects within an organization. A single user has a single user account in Active Directory and can use this single account to access multiple computers in the organization. This is often referred to as single sign-on.

Copies of Active Directory are kept on domain controllers. It's most common to have at least two domain controllers for redundancy, in case one goes down. Any changes to Active Directory are passed to each of the domain controllers using a process called replication.
Replication

When any object (such as a user account) is added, deleted, or modified within Active Directory, the change is sent to all other domain controllers (DCs) in the domain. When a business is located in a single location, the changes are sent to all other DCs within a minute.

Objects

Objects within AD are used to represent real-world items. Common objects are user objects and computer objects, which represent people and their computers. The objects can be managed and administered using AD DS.

Schema

Every resource in Active Directory is represented as an object, and each object has a set of attributes. The schema is the definition of all the object types that Active Directory can contain, and it includes a list of properties that can be used to describe the objects.
The schema has two components:

- Classes
- Attributes

Some attributes are required, some are optional. Think of a user: the user name is required, the user's full name is optional. You can think of the schema as a set of blueprints for each of the objects. The schema is the framework of which AD DS is composed.

Example class objects include:

- Organizational units
- Users
- Computers

Example attributes include:

- Description
- User name
- Computer location

A Site

A site is a group of well-connected computers and is sometimes referred to as a group of well-connected subnets. Small to medium-sized businesses often operate out of a single location, and all the computers in this location are connected via a single LAN. This is a site.
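The required/optional distinction the slide describes is stored in the schema itself: each classSchema object lists required attributes in mustContain/systemMustContain and optional ones in mayContain/systemMayContain, and a class inherits both lists from its parent classes and auxiliary classes. The following is an added example, not from the original slides, that walks that inheritance chain for the user class with the ActiveDirectory module and shows one attributeSchema definition. The helper name Get-ClassAttributes is my own.

```powershell
# Added example (not from the original slides): read the schema to list which
# attributes of a class are required and which are optional, following the
# subClassOf and auxiliary-class chain. Get-ClassAttributes is an assumed name.

Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext  # CN=Schema,CN=Configuration,...

function Get-ClassAttributes {
    param([string]$ClassName)
    $required = @(); $optional = @(); $seen = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }   # "top" is its own parent
        $seen[$name] = $true
        $c = Get-ADObject -SearchBase $schemaNC `
            -Filter { objectClass -eq "classSchema" -and lDAPDisplayName -eq $name } `
            -Properties subClassOf, auxiliaryClass, systemAuxiliaryClass, `
                        systemMustContain, mustContain, systemMayContain, mayContain
        $required += (@($c.systemMustContain) + @($c.mustContain)) | Where-Object { $_ }
        $optional += (@($c.systemMayContain)  + @($c.mayContain))  | Where-Object { $_ }
        # Parent class plus auxiliary classes (e.g. securityPrincipal contributes
        # sAMAccountName and objectSid as required attributes of user).
        foreach ($p in (@($c.subClassOf) + @($c.auxiliaryClass) + @($c.systemAuxiliaryClass))) {
            if ($p -and -not $seen.ContainsKey($p)) { $queue.Enqueue($p) }
        }
    }
    [pscustomobject]@{
        Class    = $ClassName
        Required = $required | Sort-Object -Unique
        Optional = $optional | Where-Object { $required -notcontains $_ } | Sort-Object -Unique
    }
}

# 1. The user class: required attributes (few) versus optional ones (hundreds).
$user = Get-ClassAttributes -ClassName "user"
"Required for user: $($user.Required -join ', ')"
"Optional for user: $($user.Optional.Count) attributes, e.g. $(($user.Optional | Select-Object -First 8) -join ', ')"

# 2. One attributeSchema object: its syntax, whether it is single-valued, and
#    whether it is replicated to the global catalog (partial attribute set).
Get-ADObject -SearchBase $schemaNC `
    -Filter { objectClass -eq "attributeSchema" -and lDAPDisplayName -eq "description" } `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet |
    Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet

# 3. Size of the schema in this forest.
"Classes:    $((Get-ADObject -SearchBase $schemaNC -Filter { objectClass -eq 'classSchema' }).Count)"
"Attributes: $((Get-ADObject -SearchBase $schemaNC -Filter { objectClass -eq 'attributeSchema' }).Count)"
```

The same function works for "computer", "group" or "organizationalUnit"; comparing its output before and after a schema extension (for example by Exchange) is a quick way to see exactly which attributes an application added.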
A Tree

A tree is a group of domains with a common namespace. That simply means the two-part root domain name is common to other domains in the tree. The first domain in the forest may be called Bigfirm.com. A child domain could be created named sales.bigfirm.com. Notice the common name (Bigfirm.com).

It is possible to create a separate tree within a forest. For example, another domain could be created named littlefirm.com. It's not the same namespace, but since it is in the same forest, it would share a common schema and global catalog.

Active Directory Trees (figure: two trees, contoso.com and tailspintoys.com)

A forest can contain a single tree or multiple trees. The idea, though, is that a tree is the FQDN of a domain and all of its children.

A Forest

The largest container within Active Directory is a forest. A forest is a group of one or more domains that share a common Active Directory. The forest container defines the fundamental security boundary within AD. Users can access any resources across an entire Active Directory forest using a single logon.
The AD DS Forest (figure: two trees joined by a domain trust; contoso.com with child domains corp.contoso.com and test.contoso.com, and tailspintoys.com with child domains orders.tailspintoys.com and clients.tailspintoys.com)

Forest

Domain forests are groups of domain trees. The domain trees within the domain forest do not share a naming structure, but a two-way transitive trust is created among the root (top-level) domains in each domain tree. Because the domains within the domain trees are all joined with two-way trusts, in effect, resources become available to any user within the domain forest.

The Global Catalog

The global catalog (GC) is a listing of all the objects in the entire forest. It is easily searchable and is often used by different applications to search AD DS for specific objects. The global catalog is hosted on domain controllers that are designated as GC servers.
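The following is an added example, not from the original slides, covering the tree, forest, trust and global catalog concepts of the last two slides in one script: it reads the forest with the ActiveDirectory module, groups the domains into trees by their naming structure, lists the trusts, and runs a forest-wide search against the global catalog port (3268) rather than the per-domain LDAP port (389). The sAMAccountName mlopez used in the GC query is an assumption.

```powershell
# Added example (not from the original slides): map the forest's trees, domains
# and trusts, and query the global catalog. The account name searched for is assumed.

Import-Module ActiveDirectory

# 1. The forest: root domain, every domain, and the DCs designated as GC servers.
$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, DomainNamingMaster
"Domains:         $($forest.Domains -join ', ')"
"Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# 2. Trees: a domain starts a new tree when its parent name is not itself a
#    domain of the forest (contoso.com, tailspintoys.com); a child such as
#    corp.contoso.com belongs to its parent's tree. Shorter names are processed
#    first so every parent is classified before its children.
$treeOf = @{}
foreach ($d in ($forest.Domains | Sort-Object { $_.Length })) {
    $parent = ($d -split '\.', 2)[1]
    $treeOf[$d] = if ($treeOf.ContainsKey($parent)) { $treeOf[$parent] } else { $d }
}
$treeOf.GetEnumerator() | Sort-Object Value, Name |
    Format-Table @{n='Domain';e={$_.Name}}, @{n='Tree root';e={$_.Value}}

# 3. Trusts as seen from the current domain. Parent/child and tree-root trusts
#    inside a forest are two-way and transitive (IntraForest = True); external
#    and forest trusts to other organisations show SID filtering status too.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive, SIDFilteringQuarantined

# 4. Global catalog query: port 3268 searches the partial attribute set of every
#    domain in the forest, so one query finds the account whichever domain it is in.
$gc = "$($forest.GlobalCatalogs | Select-Object -First 1):3268"
Get-ADObject -Server $gc -Filter { objectClass -eq "user" -and sAMAccountName -eq "mlopez" } `
    -Properties sAMAccountName, userPrincipalName |
    Select-Object DistinguishedName, sAMAccountName, userPrincipalName

# 5. Which DCs of the root domain answer on 3268.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $forest.RootDomain |
    Select-Object HostName, Domain, Site, IsGlobalCatalog
```

Because the forest, not the domain, is the security boundary, the trust listing in step 3 is the one to review: any trust with IntraForest = False connects your forest to an organisation you do not administer.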
Organizational Units

Organizational units are used to organize objects within Active Directory. You can think of an OU simply as a container for the objects. By placing the objects in different containers, they are easier to manage.

An Active Directory OU structure can reflect the logical structure of the organisation by modelling the organisational chart, depicting employees and their respective departments. It can also represent users according to their needs.

OUs have two distinct benefits: you can delegate permissions to an OU, and you can link Group Policy to an OU. As an example, Maria may be responsible for administration of all users and computers in the sales department. If these objects were placed in the Sales OU, Maria could be delegated permission to administer the OU, and that delegation would cover all the objects in the OU.
An organizational unit is a container object within a domain that you can use to consolidate users, groups, computers, and other objects. There are two reasons to create organizational units:

- Configure objects within the organizational unit
- Delegate administrative control

You can create organizational units that represent the departments within your organization, or the geographic regions within your organization, or a combination of both.

Group Policy

Group Policy allows you to configure a setting once and have it apply to many user and/or computer objects. You can link GPOs to OUs, entire domains, or sites. When linked, a GPO applies to all the objects within the OU, domain, or site.

DNS for AD DS

Considerations:

- You can install DNS as part of the domain controller deployment process
- You can integrate the DNS zone into AD DS
- Use secure dynamic updates for your DNS zone
- Use multiple DNS servers to provide high availability and load balancing
- DNS records enable the location of AD DS and other services
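The two OU benefits from the previous slides (delegation and Group Policy linking) and the DNS considerations above, worked through as an added example that is not from the original slides. It uses the ActiveDirectory, GroupPolicy and DnsServer modules; the Sales OU, the group Sales OU Admins, the user mlopez, the GPO name and the zone contoso.com are assumptions. Delegation is done by writing an ACE on the OU with the .NET ActiveDirectoryAccessRule class rather than through the Delegation of Control wizard.

```powershell
# Added example (not from the original slides): delegate control of user objects
# in an OU to a group, link a GPO to the OU, and check the DNS settings AD DS
# depends on. OU, group, user, GPO and zone names are assumed.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$salesOU  = "OU=Sales,$domainDN"

# 1. OU plus a delegation group. Delegate to a group, never to a person, so a
#    staff change is a group-membership change rather than an ACL change.
New-ADOrganizationalUnit -Name "Sales" -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name "Sales OU Admins" -GroupScope Global -GroupCategory Security -Path $salesOU
Add-ADGroupMember -Identity "Sales OU Admins" -Members "mlopez"   # assumed existing user

# 2. Delegate full control over user objects below the OU, and only user objects.
#    The schemaIDGUID of the user class is read from the schema, not hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -Filter { lDAPDisplayName -eq "user" } -Properties schemaIDGUID).schemaIDGUID
$sid     = (Get-ADGroup "Sales OU Admins").SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $inherit, $userGuid)

$acl = Get-Acl -Path "AD:\$salesOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$salesOU" -AclObject $acl

# 3. Review the result: every non-inherited ACE on the OU, so a later audit can
#    see exactly who was delegated what.
(Get-Acl -Path "AD:\$salesOU").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType

# 4. Link a GPO to the OU; it then applies to every object under the OU.
New-GPO -Name "Sales Desktop Settings" | New-GPLink -Target $salesOU -LinkEnabled Yes
(Get-GPInheritance -Target $salesOU).GpoLinks | Select-Object DisplayName, Enabled, Order

# 5. DNS: the AD-integrated zone should accept only secure dynamic updates, and
#    the SRV records clients use to find a DC must resolve.
Get-DnsServerZone -Name "contoso.com" | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Set-DnsServerPrimaryZone -Name "contoso.com" -DynamicUpdate Secure
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.contoso.com" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight
```

Scoping the ACE to the user class (step 2) is the point of the example: the group can manage Sales users but cannot touch computers, groups or the OU itself, which is narrower than what the wizard's "full control" option grants. If the zone in step 5 reports NonsecureAndSecure, any host on the network can overwrite a DC's records.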
A Single Domain Forest

Generally, if none of the following situations applies to you, a single domain will meet your needs:

- You have more than 100,000 user and computer objects, and replication is slow.
- Replication performance is impacted by frequently changing attributes.
- You have multiple locations connected with slow WAN links, and replication performance is impacted.
- A legacy domain needs to be preserved.

If you have fewer than 100,000 user and computer objects (50,000 users with their own computers), all in a single well-connected network, and replication works efficiently, it's highly unlikely you'll need more than a single domain.

In extremely large organizations, multiple forests may be used to enable multiple schemas, to manage resources differently, to segment administrator access, or even for geographic or political reasons. A multiple domain forest requires consideration and management of trusts, but a single domain forest implementation is comparatively simple.
This single domain includes all the Active Directory objects (users, computers, groups, and so on) used within the organization.

Benefits of a Single Domain

- Least expensive: every domain starts with a single domain controller and usually includes a second DC for redundancy. Each additional domain requires additional servers, incurring costs for hardware and software plus the added costs of the IT professionals to manage them.
- Easier to manage: a single domain is easier to manage than multiple domains. Each additional domain includes additional accounts, groups, group policies, and other details that must be managed.
- Simpler disaster recovery: you only need to plan for the recovery of a single domain. Backups only need to be done for a single domain, and the overall disaster recovery plan is simpler.

Further Information: Understanding Active Directory http://go.microsoft.com/fwlink/?linkid=199663