Active Directory Basics 2003
TRANSCRIPT
-
8/6/2019 Active Directory Basics 2003
1/46
Active Directory Basics
-
Active Directory
Having a foundational knowledge of active directory is immensely
helpful in the MCSE 2003 Certification Track.
All courses require a knowledge and understanding of the active
directory environment.
Active Directory is the foundation of the Microsoft 2003 client /
server environment.
-
Overview
Active Directory is the directory service for all Windows Server 2003 editions except Web Edition, which cannot be a domain controller.
Active Directory stores information about objects on the network in a centralized location, making it easy for administrators and users to find and use this information.
Active Directory uses a structured database (the Extensible Storage Engine, the same engine used by Exchange Server, not a Microsoft Access database) as the basis for a logical, hierarchical organization of directory information.
-
Overview
This presentation discusses the basics of the
Active Directory environment, including:
The Physical Structure of Active Directory
The Logical Structure of Active Directory
-
The Physical Structure of Active Directory
-
Directory Database: Definition
This database is often simply referred to as the directory.
The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies.
This information can be published for use by users and administrators.
-
Directory Database: Storage and Replication
The directory is stored on servers known as domain controllers and can be accessed by network applications or services.
A domain can have one or more domain controllers.
In Windows Server 2003 every domain controller holds a writeable copy of the directory for the domain in which it is located (read-only domain controllers did not exist until Windows Server 2008).
Changes made to the directory are replicated from the originating domain controller to the other domain controllers: domain data to the domain controllers of that domain, configuration and schema data to every domain controller in the forest.
Because the directory is replicated, and because each domain controller has a writeable copy, the directory is highly available to users and administrators throughout the domain. The flip side is that every domain controller is a complete copy of the domain's secrets, so each one must be protected to the same standard as the first.
-
Directory Database: Physical Files
Directory data is stored in the Ntds.dit file on the domain controller. It must be stored on an NTFS partition.
Some data is stored in the directory database file, and some is stored in a replicated file system share (SYSVOL, replicated between domain controllers by the File Replication Service in Windows Server 2003); logon scripts and Group Policy templates live there.
Ntds.dit holds the password hashes of every account in the domain, so a copy of the file together with the SYSTEM registry hive (which holds the key used to encrypt those hashes) is equivalent to the domain's credentials. Backups, snapshots and Volume Shadow Copies of domain controllers therefore need the same protection as the domain controllers themselves.
-
Directory Database: Information
There are three categories of data replicated
between domain controllers:
Domain Data
Configuration Data
Schema Data
-
Directory Database: Configuration Data
The configuration data describes the topology of the directory.
This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.
-
Directory Database: Schema Data
The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies.
By default only members of the Schema Admins group have permission to modify the schema (Enterprise Admins do not, although they can add members to Schema Admins), and changes are written on the single domain controller that holds the schema master operations role. They can extend the schema by defining new object types and attributes, or by adding new attributes to existing object types. Schema changes replicate to every domain controller in the forest and cannot be deleted afterwards (classes and attributes can only be deactivated), which is why the Schema Admins group is normally kept empty except while a change is being made.
Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema.
-
Active Directory Security: Overview
Security is integrated with Active Directory:
Through logon authentication
Through access control of objects in the directory
-
Active Directory Security: Logon Authentication
Windows Server 2003 domains use Kerberos version 5 as the default logon authentication protocol. Every domain controller runs the Key Distribution Center (KDC) service, and the protocol's long-term keys are derived from the account passwords stored in the directory.
Kerberos is a network authentication protocol.
It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
The client never sends its password across the network. Instead it proves knowledge of the key derived from that password by exchanging encrypted messages with the KDC (in Windows, an encrypted timestamp sent as pre-authentication). Once the KDC has verified this, it issues the client a ticket-granting ticket (TGT); the client later presents the TGT to obtain a service ticket for each server it wants to use. A ticket authenticates the user to a service; it does not by itself grant access to anything, which is decided by the access control described next.
NTLM remains available for clients and situations where Kerberos cannot be used (for example, connecting to a server by IP address), so a domain is only as strong as the weakest authentication protocol it still permits.
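To make the exchange concrete, here is an added example (written for this page, not Microsoft's code and not part of the original slides) that models the Kerberos AS exchange in Python: the client proves knowledge of a password-derived key by pre-authenticating with an encrypted timestamp, and the KDC answers with a session key the client can read plus a TGT sealed under the krbtgt key, which the client cannot open or alter. The realm, the principal names, the toy string-to-key function and the hash-based `seal`/`unseal` cipher are all assumptions standing in for the real Kerberos encryption types.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    """Toy string-to-key function (assumption). Real Kerberos uses PBKDF2 for the
    AES types or MD4 for RC4-HMAC; what matters here is that the key is derived
    from the password and the password itself is never transmitted."""
    return hashlib.sha256((salt + password).encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (hash-counter keystream + HMAC-SHA256 tag).
    It stands in for a Kerberos encryption type; do not reuse it elsewhere."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KDC:
    """The Key Distribution Center service that every domain controller runs."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        # The directory stores each principal's long-term key, not its password.
        self.keys = {name: derive_key(pw, realm + name) for name, pw in principals.items()}
        # The krbtgt key never leaves the KDC; every TGT is sealed under it.
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, user: str, pre_auth: bytes, now: float, lifetime: int = 600):
        """AS-REQ with pre-authentication -> AS-REP; raises ValueError on failure."""
        if user not in self.keys:
            raise ValueError("unknown principal")
        user_key = self.keys[user]
        # Pre-authentication: only a client holding the right key can have
        # produced a timestamp that unseals correctly under that key.
        timestamp = float(unseal(user_key, pre_auth).decode("utf-8"))
        if abs(now - timestamp) > 300:  # 5-minute maximum clock skew, as in Windows
            raise ValueError("pre-authentication timestamp outside the skew window")
        session_key = os.urandom(32)
        expiry = now + lifetime
        tgt = seal(self.krbtgt_key, json.dumps(
            {"user": user, "session_key": session_key.hex(), "expiry": expiry}).encode())
        enc_part = seal(user_key, json.dumps(
            {"session_key": session_key.hex(), "expiry": expiry}).encode())
        return enc_part, tgt  # enc_part is readable by the client; the TGT is opaque to it

    def read_tgt(self, tgt: bytes) -> dict:
        """What the KDC does when the TGT comes back in a later TGS request."""
        return json.loads(unseal(self.krbtgt_key, tgt))


def client_logon(kdc: KDC, user: str, password: str, now: float = None):
    """Client side of the exchange: derive the key locally, prove possession of
    it, and keep the session key and TGT for later service-ticket requests."""
    now = time.time() if now is None else now
    user_key = derive_key(password, kdc.realm + user)
    pre_auth = seal(user_key, str(now).encode("utf-8"))
    enc_part, tgt = kdc.as_exchange(user, pre_auth, now)
    reply = json.loads(unseal(user_key, enc_part))
    return bytes.fromhex(reply["session_key"]), tgt


def logon_succeeds(kdc: KDC, user: str, password: str) -> bool:
    """True if the KDC accepts the pre-authentication produced with this password."""
    try:
        client_logon(kdc, user, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kdc = KDC("TECHSKILLS.COM", {"alice": "Winter2003!"})  # constructed sample principal
    session_key, tgt = client_logon(kdc, "alice", "Winter2003!")
    print("TGT issued to", kdc.read_tgt(tgt)["user"], "with a", len(session_key) * 8, "bit session key")
    print("wrong password accepted?", logon_succeeds(kdc, "alice", "Summer2003!"))
```

Two things the model makes visible that the slide text does not: the KDC validates the client without ever seeing the password, and the TGT is useful only to the KDC, so a stolen TGT is a replayable credential for its lifetime but cannot be forged without the krbtgt key.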
-
Active Directory Security: Access Control Lists
Active Directory data is protected by limiting access to users through the use of access control lists.
Users who log on to the network have to obtain both authentication and authorization to access system resources.
When a user logs on to the network, the security system authenticates the user with information stored in Active Directory and builds an access token holding the user's SID and the SIDs of every group the user belongs to. Then, when the user attempts to access a service on the network, the system checks that token against the discretionary access control list (DACL) of the object: the access control entries (ACEs) are evaluated in order, and a matching deny entry stops the check. Every object in the directory itself (users, OUs, Group Policy links, the schema) carries a DACL in the same way a file or share does.
This multi-tier system creates a more protected environment and granular control of resource access.
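As an added worked example (written for this page, not from the deck or from Microsoft), the Python below models how the DACL check described above proceeds: the token is a set of SIDs, the ACEs are walked in order, a deny entry covering a still-needed right ends the check, and the requested rights are collected from allow entries. It also shows why Windows stores ACEs in canonical order (explicit deny, explicit allow, inherited deny, inherited allow): the same ACEs in a different order give a different answer. The SIDs and the DACL are constructed sample data; the right values are the real ACCESS_MASK bits.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# A few generic rights from the Windows ACCESS_MASK (the bit values are the real ones).
READ = 0x00000001       # FILE_READ_DATA / LIST_DIRECTORY
WRITE = 0x00000002      # FILE_WRITE_DATA / ADD_FILE
DELETE = 0x00010000
WRITE_DAC = 0x00040000  # right to change the DACL itself


@dataclass
class Ace:
    kind: str         # "allow" or "deny"
    trustee: str      # SID of the user or group the ACE applies to
    mask: int         # rights this ACE grants or denies
    inherited: bool = False


def canonicalize(dacl: List[Ace]) -> List[Ace]:
    """Canonical ACE order used by Windows: explicit deny, explicit allow,
    inherited deny, inherited allow. Because evaluation stops at the first
    matching deny, this order is what lets an explicit allow beat an inherited deny."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(dacl: Optional[List[Ace]], token_sids: Set[str], desired: int) -> bool:
    """Model of the Windows AccessCheck walk over a DACL.
    token_sids is the user's SID plus every group SID in the logon token."""
    if dacl is None:      # NULL DACL: the object has no protection at all
        return True
    if not dacl:          # empty DACL: nobody is granted anything
        return False
    remaining = desired
    for ace in dacl:      # ACEs are evaluated strictly in list order
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False  # a still-needed right is explicitly denied: stop here
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # every requested right has been granted
    return False  # ran out of ACEs with rights still outstanding


# Constructed sample SIDs (the domain part is made up; RID 513 and S-1-5-11 are the
# real Domain Users and Authenticated Users identifiers).
ALICE = "S-1-5-21-1000-2000-3000-1105"
BOB = "S-1-5-21-1000-2000-3000-1106"
SALES = "S-1-5-21-1000-2000-3000-1301"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
AUTHENTICATED_USERS = "S-1-5-11"

ALICE_TOKEN = {ALICE, SALES, DOMAIN_USERS, AUTHENTICATED_USERS}
BOB_TOKEN = {BOB, SALES, DOMAIN_USERS, AUTHENTICATED_USERS}


def sample_dacl() -> List[Ace]:
    """Constructed DACL, deliberately listed out of canonical order."""
    return [
        Ace("allow", AUTHENTICATED_USERS, READ, inherited=True),
        Ace("deny", SALES, WRITE, inherited=True),           # inherited from the parent container
        Ace("allow", ALICE, READ | WRITE, inherited=False),  # explicit grant on this object
    ]


if __name__ == "__main__":
    dacl = canonicalize(sample_dacl())
    for who, token in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN)):
        for name, right in (("READ", READ), ("WRITE", WRITE), ("DELETE", DELETE)):
            print(f"{who:5} {name:6} -> {access_check(dacl, token, right)}")
```

Alice can write because her explicit allow is evaluated before the inherited deny on Sales; Bob, who has only the inherited entries, cannot. Feed the un-canonicalized list to `access_check` and Alice loses write access, which is the situation tools that write ACLs by hand can create.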
-
Global Catalog: Overview
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest.
In addition, the global catalog stores each object's most common searchable attributes. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, which provides efficient searches without unnecessary referrals to domain controllers.
A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.
-
Global Catalog: Roles
A global catalog performs the following roles:
Finds objects anywhere in the forest
Provides user authentication information across multiple domains. When a user logs on with a user principal name (user@domain), the domain controller queries a global catalog to find which domain holds the account. If no global catalog is reachable, a domain controller in a multi-domain forest refuses ordinary user logons unless universal group membership caching is enabled for its site.
Supplies universal group membership information across domains, because universal group membership is stored only in the global catalog
-
Active Directory: Search Capabilities
Database search tools allow easy search and access of users, groups, and objects stored in the Active Directory database.
Administrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory.
Administrators can add objects to groups quickly and with minimal network impact by utilizing browse-less queries to help find likely members.
The same searches are available to any authenticated user over LDAP (port 389, or 3268 for the global catalog), so the directory's read permissions, not the snap-in, decide what is discoverable.
-
Active Directory: Replication
A domain controller stores and replicates:
Schema information. The schema defines the object classes that can exist in Active Directory and their attributes; it is replicated to every domain controller in the forest.
Configuration information. This is the logical design of the forest, including the domain structure, sites, and replication topology; it is also replicated forest-wide.
Domain information. Describes all objects in a domain and is stored only on that domain's domain controllers. A subset is stored in the global catalog in a multi-domain environment.
Application information. Application directory partitions (new in Windows Server 2003 and used, for example, by Active Directory-integrated DNS zones) replicate only to the domain controllers designated for them, which limits replication traffic.
-
The Logical Structure of Active Directory
-
Domains: Overview
A domain is a logical grouping of computers and users managed through a central security accounts database.
Domains act as the basic building blocks of an AD environment. As such, AD design starts here, at the domain level.
It's imperative that you have a solid, secure, and efficient domain plan in place before you move to any other aspect of creating your Active Directory tree.
-
Domains: Root Domain
The first domain created in your Active Directory environment is known as the root domain (of the forest and of its first tree).
The name given to the root domain will act as the base for the name of all domains created later in that tree.
As each subsequent domain is added to the tree, it is added somewhere below the root domain. Additional domains are always children of some other domain in the tree.
The only domain that is not a child is the root (topmost) domain. The forest root domain is also where the Enterprise Admins and Schema Admins groups live, which makes it the most sensitive domain in the forest.
-
Domains: Root and Child Domains
Diagram of the example tree:
TechSkills.com (root)
  Chicago.TechSkills.com (child)
    IT.Chicago.TechSkills.com (child)
    Medical.Chicago.TechSkills.com (child)
  Dallas.TechSkills.com (child)
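As an added example (written for this page, not part of the original deck), the Python below turns a flat list of DNS domain names into the tree Active Directory would build, deriving each domain's naming-context distinguished name (DC=...,DC=...) and enforcing the rule stated above that every non-root domain is a direct child of another domain in the tree. The second tree, Edgia.com, is taken from the forest diagram later in the deck; the function names are my own.

```python
from typing import Dict, List, Tuple


def fqdn_to_dn(fqdn: str) -> str:
    """Active Directory names a domain's naming context after its DNS name,
    one DC= component per label."""
    return ",".join("DC=" + label for label in fqdn.split("."))


def parent_of(fqdn: str, known_lower: set) -> str:
    """Nearest ancestor by DNS name that exists in the forest, '' if none (a tree root)."""
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate.lower() in known_lower:
            return candidate
    return ""


def build_forest(domains: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group a flat list of domain names into trees.

    Returns (children, roots): children maps each domain to its child domains,
    roots lists the tree roots. A name that sits under another domain in the
    list must be that domain's immediate DNS child (contiguous namespace); a
    gap is reported, because dcpromo cannot create a child domain whose parent
    does not exist."""
    canon = {d.lower(): d for d in domains}
    children: Dict[str, List[str]] = {d: [] for d in domains}
    roots: List[str] = []
    for d in domains:
        parent = parent_of(d, set(canon))
        if not parent:
            roots.append(d)
            continue
        immediate_parent = d.split(".", 1)[1]
        if immediate_parent.lower() != parent.lower():
            raise ValueError(f"{d}: {immediate_parent} is missing from the forest, "
                             f"so {d} cannot be a child of {parent}")
        children[canon[parent.lower()]].append(d)
    return children, sorted(roots, key=str.lower)


def render(children: Dict[str, List[str]], roots: List[str], depth: int = 0) -> List[str]:
    """Indented text listing, one line per domain with its naming-context DN."""
    lines: List[str] = []
    for domain in roots:
        role = "root" if depth == 0 else "child"
        lines.append(f"{'  ' * depth}{domain} ({role})  {fqdn_to_dn(domain)}")
        lines.extend(render(children, sorted(children[domain], key=str.lower), depth + 1))
    return lines


# Domains from the deck's diagrams (constructed forest; Edgia.com is the second
# tree shown in the forest diagram later in the presentation).
FOREST = [
    "TechSkills.com", "Chicago.TechSkills.com", "IT.Chicago.TechSkills.com",
    "Medical.Chicago.TechSkills.com", "Dallas.TechSkills.com", "Edgia.com",
]

if __name__ == "__main__":
    children, roots = build_forest(FOREST)
    print("\n".join(render(children, roots)))
    try:
        build_forest(FOREST + ["HR.Houston.TechSkills.com"])
    except ValueError as err:
        print("rejected:", err)
```

The DN form is what you will see in LDAP queries, Group Policy links and ACL entries, so being able to go from the DNS name to the naming context (and back) is the first thing to check when a script or a trust relationship refers to a domain you do not recognise.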
-
Domains: Number of Objects
There is really no limit to the number of users, groups and objects that can be supported in the Active Directory database.
Tests have been performed with literally millions of records.
-
Domains: Replication Traffic
All domain controllers within a domain must contain the same database. In other words, a replication process is used to synchronize any changes made to the database to all domain controllers for the domain. The net effect is more network traffic.
The larger the database (meaning more users, computers, groups, and other types of records), the more potential replication traffic will be generated.
A corollary to this is that the more domain controllers you have, the more replication traffic will travel through your network.
-
Domains: Security Boundaries
Since a domain represents a separate database, the domain boundary is often described as a built-in security boundary.
Administrators of a domain are limited (by default) to the management of resources within their own domain.
While administrative accounts can be given privileges in more than one domain, this is a manual configuration, a conscious decision rather than a default.
Treat this as an administrative boundary, not a security one. Microsoft's own guidance for Windows Server 2003 is that the forest is the security boundary: all domains in a forest share the schema and configuration partitions, every domain controller is trusted by every other, and an administrator of any domain (or anyone who controls one of its domain controllers) can escalate to control of the whole forest. Organizations that must isolate one administrative group from another need separate forests, not separate domains.
-
Domains: Language Considerations
Within a domain, servers can be configured for a single language: French, German, etc., although English is supported by all installations.
If your company crosses international boundaries, you might need additional domains so that local administrators can manage their resources in their native tongue.
-
Domains: Security Policies
Security policies control and limit access to resources on the network.
Certain policy elements are domain-wide. These include some very common settings, things like password policies (complexity, length, and lifetime), account lockout policies (when and for how long an account will be locked due to unsuccessful logon attempts), and Kerberos v5 policies (ticket lifetimes, renewal, and logon restrictions). In Windows Server 2003 the domain controllers read these settings only from the Group Policy objects linked to the domain itself; the same settings in a policy linked to an OU affect the local accounts on the computers in that OU, not domain accounts.
If you have different areas of your environment in which these policy elements need to differ, you must create multiple domains (fine-grained password policies did not appear until Windows Server 2008).
-
Organizational Units: Overview
An organizational unit (OU) is a container used to organize objects within a domain into logical administrative groups. Those groups should mirror your organizational structure, or better, your administrative structure: who manages what.
OUs are the smallest scope to which you can delegate administrative authority or link a Group Policy object. Therefore, they provide a means for handling administrative tasks and a way to delegate administration of users and resources.
Delegation is implemented as permissions (ACEs) on the OU object that are inherited by the objects inside it, so the OU design is also the permission design. An OU is not a security principal: you cannot make it a member of a group or grant it permissions.
-
Organizational Units: OUs and Objects
Diagram: the TechSkills.com domain containing a Sales OU, a Medical OU, and an IT OU, with the IT OU's objects shown inside it.
-
Organizational Units: Overview
An OU can contain objects such as:
User accounts
Groups
Computers
Printers
Applications
File shares
Other OUs from the same domain
-
Organizational Units
Security Objects: User Accounts
User accounts represent people and are used to log on to a Windows domain. User accounts are used for the following:
Authentication. This is the process of proving your identity. User accounts and passwords are used to authenticate users to a domain.
Authorization. This is the process of being granted permissions to a resource.
Auditing. By requiring all your users to use a unique user account, you can easily audit access to resources.
Active Directory creates several default user accounts: Administrator, Guest (disabled by default), and HelpAssistant (used by Remote Assistance). Every domain also has the krbtgt account, disabled and never used interactively, whose key the KDC uses to encrypt ticket-granting tickets; its password should be treated as a top-tier secret.
-
Organizational Units
Security Objects: Groups Overview
Without groups, you would have to manually assign all permissions to individual user accounts.
Groups enable you to organize your users. You can group user accounts and assign permissions to everyone in the group at once.
Any permissions assigned to a group are automatically granted to members of that group.
-
Organizational Units
Security Objects: Group Scopes
Scope is the range over which a group can be used: within a domain, a tree, or the whole forest.
The scope determines which users and groups can be added to the group's membership, and in which domains the group can be granted permissions to resources.
Active Directory provides three different scopes for groups:
Universal
Global
Domain Local
-
Organizational Units
Security Objects: Group Scopes
Universal. Universal groups have the widest scope. They can contain accounts and groups from any domain in the forest, and can be assigned permissions to resources in any domain in the forest. Their membership is stored in the global catalog, so every membership change replicates forest-wide.
Global. A global group can contain accounts and groups from the domain in which it is created, and can be assigned permissions to resources in any domain in the tree or forest.
Domain Local. The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain can be added to a domain local group. Because of its limited scope, however, a domain local group can only be assigned permissions within the domain in which it is created.
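An added example (my code, not from the deck) that encodes the nesting and assignment rules above as a checker. It goes slightly beyond the slide text: it uses the full nesting table for a domain at Windows 2000 native or Windows Server 2003 functional level (a global group may not contain universal groups, a domain local group may contain other domain local groups from its own domain, computer accounts behave like user accounts) and also checks the AGDLP pattern that follows from these rules: accounts into global groups, global groups into domain local groups, permissions on domain local groups. The principal names and domains are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "universal" or "domain_local"


# Nesting rules for a domain at Windows 2000 native or Windows Server 2003
# functional level. Value: "same" = only from the group's own domain,
# "any" = from any domain in the forest. Kinds not listed cannot be members.
MEMBERSHIP = {
    "global":       {"user": "same", "computer": "same", "global": "same"},
    "universal":    {"user": "any", "computer": "any", "global": "any", "universal": "any"},
    "domain_local": {"user": "any", "computer": "any", "global": "any", "universal": "any",
                     "domain_local": "same"},
}

# Where a group of each scope may be granted permissions.
ASSIGNABLE = {"global": "any", "universal": "any", "domain_local": "same"}


def same_domain(a: str, b: str) -> bool:
    return a.lower() == b.lower()


def membership_problem(group: Principal, member: Principal) -> Optional[str]:
    """None if member may be added to group, otherwise the reason it may not."""
    if group.kind not in MEMBERSHIP:
        return f"{group.name} is not a group"
    rule = MEMBERSHIP[group.kind].get(member.kind)
    if rule is None:
        return f"a {group.kind} group cannot contain {member.kind} members"
    if rule == "same" and not same_domain(group.domain, member.domain):
        return f"a {group.kind} group accepts {member.kind} members only from {group.domain}"
    return None


def can_add_member(group: Principal, member: Principal) -> bool:
    return membership_problem(group, member) is None


def can_assign_permissions(group: Principal, resource_domain: str) -> bool:
    """Can this group appear in an ACL on a resource in resource_domain?"""
    return ASSIGNABLE[group.kind] == "any" or same_domain(group.domain, resource_domain)


def agdlp_ok(account: Principal, global_group: Principal,
             domain_local_group: Principal, resource_domain: str) -> bool:
    """Accounts -> Global group -> Domain Local group -> Permissions."""
    return (global_group.kind == "global"
            and domain_local_group.kind == "domain_local"
            and can_add_member(global_group, account)
            and can_add_member(domain_local_group, global_group)
            and can_assign_permissions(domain_local_group, resource_domain))


if __name__ == "__main__":
    # Constructed sample principals in the deck's TechSkills.com tree.
    alice = Principal("alice", "Chicago.TechSkills.com", "user")
    bob = Principal("bob", "Dallas.TechSkills.com", "user")
    sales = Principal("Sales", "Chicago.TechSkills.com", "global")
    dallas_printers = Principal("Dallas Printer Users", "Dallas.TechSkills.com", "domain_local")
    for member in (alice, bob):
        print(f"add {member.name} to {sales.name}:", membership_problem(sales, member) or "ok")
    print("AGDLP alice -> Sales -> Dallas Printer Users -> Dallas printers:",
          agdlp_ok(alice, sales, dallas_printers, "Dallas.TechSkills.com"))
```

The checker makes the trade-off between the scopes explicit: a universal group is the most convenient container but every membership change replicates to every global catalog, while the global-into-domain-local pattern keeps membership changes inside the domain that owns the accounts.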
-
Trees
Trusts
You can set up your system so that a small group of administrators have security privileges over the entire structure (the Enterprise Admins group in the forest root domain), or you can give a group administrative abilities in a select few domains.
You can also give users permission to access resources throughout the tree. What makes this possible is a trust.
A trust is a link between two domains that lets users authenticated by one domain be authenticated to, and then authorized for, resources in the other. Within a forest, Windows Server 2003 creates two-way transitive trusts automatically between each parent and child domain and between the roots of each tree. A trust by itself grants nothing: the user still needs permissions on the resource, normally through group membership.
-
Forest
Diagram: one forest containing two domain trees, TechSkills.com and Edgia.com, with child domains Chicago, Columbus, Houston and Dallas.
-
Conclusion
Active Directory is the foundation of the Microsoft Windows Server 2003 client / server environment.
The physical structure of Active Directory includes the directory database that stores information about Active Directory objects in the Ntds.dit file on each domain controller.
The logical structure of Active Directory indicates the organization of users, groups, computers, applications and data into logical units: domains, organizational units, trees and forests.