Active Directory II
Basics of Active Directory in Windows Server 2003
• Active Directory partitions
• Logical structures
• “Physical” structures
• Functional levels
Active Directory Partitions
Schema
• Logical partition in the Active Directory database
• “Template” for the Active Directory database: defines the structures in which data is stored
– Object classes
– Attributes
• Extensible and dynamic: loaded into a schema cache at start-up and reloaded when changed, so updates take effect without rebooting domain controllers
• Protected by ACLs (Access Control Lists): a DACL (Discretionary ACL, which decides who may read or change the schema) and a SACL (System ACL, which decides which accesses are audited)
• One schema per Active Directory forest: a change made on the schema master replicates to every domain controller in the forest, and schema objects can only be deactivated, never deleted
Diagram (schema): the schema holds the list of attributes (e.g. accountExpires, badPasswordTime, mail, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, name, …) and the object classes (e.g. Users, Computers, Servers); each object class draws on a subset of the attributes, so attributes of Users might contain accountExpires, badPasswordTime, mail, name, … Both attributes and classes are dynamically available, updateable, and protected by DACLs.
Configuration
• Logical partition in the Active Directory database
• “Map” of the Active Directory implementation
• Contains information used for replication, logon and searches:
– Domains
– Trust relationships
– Sites and site links
– Subnets
– Domain controller locations
Domains
• Logical partition in the Active Directory database
• Collections of users, computers, groups, etc.
• Units of replication
– Domain controllers in a domain replicate with each other, and each holds a full copy of the domain partition for its own domain
– Domain controllers do not replicate the domain partition of other domains; objects of another domain are found through the global catalog, not through the local domain partition
Diagram (domain replication): two Windows 2000/WS03 domains, each with its own users (User1, User2); replication of those user objects happens only among the domain controllers of the domain that owns them.
Directory Partitions
All partitions together comprise the Active Directory database:

Partition | Replication scope | Contents
Schema | Forest-wide (every DC in the forest holds a replica) | Definitions and rules for creating and manipulating all objects and attributes
Configuration | Forest-wide (every DC in the forest holds a replica) | Information about the Active Directory structure (domains, trusts, sites, subnets, DC locations)
Domain (e.g. Zoom.com) | Domain-wide (every DC in that domain holds a replica) | All domain-specific objects created in Active Directory
Application | Configurable (only the DCs chosen for that partition hold a replica) | Application data, e.g. ForestDnsZones and DomainDnsZones for Active Directory-integrated DNS
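As an added example (not part of the original slides), the PowerShell script below reads the partitions a domain controller holds from RootDSE, classifies each one from the systemFlags of its crossRef object under CN=Partitions, and then prints who holds write rights on the schema head. It assumes a domain-joined Windows host with PowerShell 3.0 or later and uses only the .NET System.DirectoryServices classes (the `[ADSI]`/`[adsisearcher]` accelerators), so it works against Windows Server 2003 domain controllers without the ActiveDirectory module; no server name is hard-coded.

```powershell
# Added example: list and classify directory partitions, then inspect the schema DACL.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

"DC answering : {0}" -f $rootDse.dnsHostName.Value
"Schema NC    : $schemaNC"
"Config NC    : $configNC"
"Domain NC    : $domainNC"

# systemFlags bits on crossRef objects (MS-ADTS, crossRef class)
$FLAG_CR_NTDS_NC                = 0x1   # the crossRef describes a naming context held in this forest
$FLAG_CR_NTDS_DOMAIN            = 0x2   # ... and that NC is a domain partition
$FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4   # ... and it is not replicated to GCs (application partition)

$searcher = [adsisearcher]'(objectClass=crossRef)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
[void]$searcher.PropertiesToLoad.AddRange([string[]]('nCName', 'systemFlags', 'msDS-NC-Replica-Locations'))

foreach ($r in $searcher.FindAll()) {
    $nc    = [string]$r.Properties['ncname'][0]
    $flags = if ($r.Properties.Contains('systemflags')) { [int]$r.Properties['systemflags'][0] } else { 0 }
    if (-not ($flags -band $FLAG_CR_NTDS_NC)) {
        $scope = 'foreign reference (not held in this forest)'
    } elseif ($flags -band $FLAG_CR_NTDS_NOT_GC_REPLICATED) {
        # application partition: its replica set is whatever msDS-NC-Replica-Locations lists
        $n = $r.Properties['msds-nc-replica-locations'].Count
        $scope = "application partition, configurable: $n replica DC(s)"
    } elseif ($flags -band $FLAG_CR_NTDS_DOMAIN) { $scope = 'domain partition: every DC in that domain' }
    elseif ($nc -eq $schemaNC)                   { $scope = 'schema partition: every DC in the forest' }
    elseif ($nc -eq $configNC)                   { $scope = 'configuration partition: every DC in the forest' }
    else                                         { $scope = 'naming context with unrecognised flags' }
    "{0,-55} {1}" -f $nc, $scope
}

# The schema is protected by a DACL like any other object. Who may write it matters,
# because a schema change replicates to every DC in the forest and cannot be undone.
$schemaHead = [ADSI]"LDAP://$schemaNC"
$schemaHead.psbase.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -match 'GenericAll|WriteProperty|WriteDacl|WriteOwner|CreateChild') } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

On a healthy forest the DACL listing should show Schema Admins (and SYSTEM) as the only principals with write rights on the schema head; any other identity there is worth an explanation.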
Logical Structures
Tree
• One or more domains that share a contiguous DNS namespace, e.g.
– ZOOM.COM
– MCSE.ZOOM.COM
– CCNA.ZOOM.COM
Forest
• One or more domains that share:
– Common schema
– Common configuration
– Automatic transitive trust relationships
– Common global catalog
• A forest can contain as few as one domain, or many domains and/or many trees
• The first domain created is the forest root; this cannot be changed without rebuilding the entire forest
• Because every domain shares the schema and configuration and trusts every other domain transitively, and the forest root's Enterprise Admins have authority over all of them, the forest, not the domain, is the security boundary
Trust Relationships
• Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
• Some trusts are created automatically
– Parent and child domains trust each other
– Tree root domains trust the forest root domain
• Other trusts are created manually
• Forest-to-forest transitive trust relationships can be created between Windows Server 2003 forests only
Trust Relationships in Windows Server 2003
• Default (parent-child and tree-root): two-way, transitive Kerberos trusts (intraforest)
• Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
– Reduce authentication requests by avoiding the referral walk through the forest root between two distant domains
• Forest: one- or two-way, transitive Kerberos trusts
– Windows Server 2003 forests only; Windows 2000 does not support forest trusts
– Created only between the two forest root domains
– Creates transitive relationships between all domains of the two forests (but not onward to a third forest)
• External: one- or two-way, non-transitive NTLM trusts
– Used to connect to/from Windows NT domains or to individual domains of an external Windows 2000/2003 forest
– Created manually
• Realm: one- or two-way Kerberos trusts, transitive or non-transitive as chosen at creation
– Connect to/from UNIX MIT Kerberos realms
• A trust is only an authentication path: access is still granted by the ACLs in the trusting domain, and the trust direction is the reverse of the access direction (if A trusts B, principals from B can be granted access to A's resources, not the other way round)
• Windows Server 2003 enables SID filtering (“quarantine”) by default on the external trusts it creates, so a compromised partner domain cannot inject SIDs from the trusting domain, e.g. via sIDHistory
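The following PowerShell script is an added example, not part of the original slides: it enumerates the trustedDomain objects of the current domain, decodes direction, type and transitivity from the attribute values defined in MS-ADTS, and warns about the two SID-filtering settings a reviewer would check. It assumes a domain-joined host with PowerShell 3.0 or later and read access to CN=System of the domain partition; the bit values are the documented ones, the classification labels (intraforest/forest/realm/external) are the script's own.

```powershell
# Added example: enumerate the trusts of the current domain and decode them.
$domainNC = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value

# Attribute value meanings from MS-ADTS (trustedDomain class)
$Direction = @{ 0 = 'disabled'; 1 = 'inbound (partner trusts us)'; 2 = 'outbound (we trust partner)'; 3 = 'two-way' }
$Type      = @{ 1 = 'down-level (Windows NT, NTLM)'; 2 = 'up-level (Active Directory, Kerberos)'; 3 = 'MIT Kerberos realm' }
$TA_NON_TRANSITIVE    = 0x01
$TA_QUARANTINED       = 0x04   # SID filtering enforced (netdom trust /quarantine:yes)
$TA_FOREST_TRANSITIVE = 0x08   # forest trust
$TA_WITHIN_FOREST     = 0x20   # parent-child, tree-root or shortcut trust inside our own forest
$TA_TREAT_AS_EXTERNAL = 0x40   # forest trust with SID history allowed (netdom trust /enablesidhistory:yes)

$s = [adsisearcher]'(objectClass=trustedDomain)'
$s.SearchRoot = [ADSI]"LDAP://CN=System,$domainNC"
[void]$s.PropertiesToLoad.AddRange([string[]]('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))

foreach ($r in $s.FindAll()) {
    $p    = $r.Properties
    $attr = [int]$p['trustattributes'][0]
    $kind = if     ($attr -band $TA_WITHIN_FOREST)     { 'intraforest' }
            elseif ($attr -band $TA_FOREST_TRANSITIVE) { 'forest' }
            elseif ([int]$p['trusttype'][0] -eq 3)     { 'realm' }
            else                                       { 'external' }
    $transitive = if ($attr -band $TA_NON_TRANSITIVE) { 'non-transitive' } else { 'transitive' }

    $warnings = @()
    if ($kind -eq 'external' -and -not ($attr -band $TA_QUARANTINED)) {
        $warnings += 'SID filtering is OFF: a compromised partner can present SIDs from our domain (e.g. via sIDHistory)'
    }
    if ($kind -eq 'forest' -and ($attr -band $TA_TREAT_AS_EXTERNAL)) {
        $warnings += 'SID history is allowed across this forest trust; confirm that this relaxation is intended'
    }
    "{0,-30} {1,-12} {2,-15} {3,-28} {4}" -f [string]$p['trustpartner'][0], $kind, $transitive,
        $Direction[[int]$p['trustdirection'][0]], $Type[[int]$p['trusttype'][0]]
    foreach ($w in $warnings) { "    WARNING: $w" }
}
```

Run it in every domain that has manually created trusts; the intraforest rows are the automatic parent-child, tree-root and shortcut trusts and need no review.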
Diagram (trees and forests): one forest whose forest/tree root is contoso.msft with child domain japan.contoso.msft; a second forest whose forest/tree root is nwtraders.msft with child domains japan.nwtraders.msft and china.nwtraders.msft plus a second tree rooted at tailspintoys.msft; forest two-way transitive trusts between the two forest roots; and an external one-way non-transitive trust to a Windows NT domain.
Functional Levels
Forest and Domain Functional Levels
• Functional levels determine
– Which domain controller operating systems are supported
– Which Active Directory features are available
• Domain functional levels can be raised independently of one another
• Raising the forest functional level is performed by an Enterprise Admin
– Requires all domains to be at the Windows 2000 native or Windows Server 2003 functional level (domains still at Windows 2000 native are raised to Windows Server 2003 automatically)
• Raising a functional level is one-way in Windows Server 2003: it cannot be lowered afterwards, so confirm first that no down-level domain controller remains or is planned
Forest Functional Levels

Forest functional level | Domain controllers supported
Windows 2000 (default) | Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 family (for forests upgraded directly from Windows NT 4.0)
Windows Server 2003 | Windows Server 2003 family only
Forest Functional Levels: Features

Forest functional level | Features supported
Windows 2000 | Universal group membership caching (on Windows Server 2003 DCs)
Windows Server 2003 interim | Same as Windows 2000, plus: linked value replication (LVR: individual group-membership values replicate instead of the whole member attribute, which removes the Windows 2000 limit of about 5,000 members per group); improved ISTG (Inter-Site Topology Generator, which generates the inter-site replication connections and now scales to many more sites)
Windows Server 2003 | Same as Windows Server 2003 interim, plus: schema deactivation and reactivation (schema objects are made defunct, never deleted); domain rename; forest trust
Domain Functional Levels

Domain functional level | Domain controllers supported
Windows 2000 mixed (default) | Windows NT 4.0, Windows 2000, Windows Server 2003
Windows 2000 native | Windows 2000, Windows Server 2003 (no NT 4.0 DCs)
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 (no Windows 2000 DCs)
Windows Server 2003 | Windows Server 2003 only
Domain Functional Levels: Features

Domain functional level | Features supported
Windows 2000 mixed | Universal group membership caching; application directory partitions (both need Windows Server 2003 DCs, not a raised level)
Windows 2000 native / Windows Server 2003 interim | Same as Windows 2000 mixed, plus: group nesting and group conversion; universal security and distribution groups; SID history
Windows Server 2003 | Same as Windows 2000 native, plus: Kerberos KDC key version numbers; domain controller rename
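As an added example (not from the slides), the PowerShell script below reports the forest, domain and DC functional levels as the directory stores them, then inventories the domain's domain controllers and lists the ones whose operating system blocks a raise to the Windows Server 2003 level. It assumes a domain-joined host with PowerShell 3.0 or later; the level-to-name table is the documented msDS-Behavior-Version mapping, and the script only reads, it never raises anything.

```powershell
# Added example: report functional levels and find DCs that block a raise.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value

# msDS-Behavior-Version / RootDSE *Functionality values
$Level = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003';
            3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012';
            6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016' }

function Get-Level([string]$attribute) {
    # RootDSE exposes these attributes only on Windows Server 2003 and later DCs
    $v = $rootDse.psbase.Properties[$attribute]
    if ($v.Count -eq 0) { return 'not reported (Windows 2000 DC answered)' }
    $n = [int]$v.Value
    if ($Level.ContainsKey($n)) { "$n ($($Level[$n]))" } else { "$n (newer than this table)" }
}
"Forest functional level : {0}" -f (Get-Level 'forestFunctionality')
"Domain functional level : {0}" -f (Get-Level 'domainFunctionality')
"This DC's functionality : {0}" -f (Get-Level 'domainControllerFunctionality')

# The same numbers are stored in the directory: on the domain NC head for the domain
# level and on CN=Partitions (configuration partition) for the forest level.
"msDS-Behavior-Version on domain NC    : {0}" -f ([ADSI]"LDAP://$domainNC").'msDS-Behavior-Version'.Value
"msDS-Behavior-Version on CN=Partitions: {0}" -f ([ADSI]"LDAP://CN=Partitions,$configNC").'msDS-Behavior-Version'.Value

# A level can only be raised once every DC in scope runs a supported OS, and the raise is
# one-way. DCs are the computer objects whose userAccountControl has SERVER_TRUST_ACCOUNT (0x2000).
$s = [adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$s.SearchRoot = [ADSI]"LDAP://$domainNC"
[void]$s.PropertiesToLoad.AddRange([string[]]('name', 'dNSHostName', 'operatingSystem'))
$blocking = @()
foreach ($r in $s.FindAll()) {
    $name = if ($r.Properties.Contains('dnshostname')) { [string]$r.Properties['dnshostname'][0] } else { [string]$r.Properties['name'][0] }
    # NT 4.0 BDC accounts usually carry no operatingSystem attribute at all
    $os   = if ($r.Properties.Contains('operatingsystem')) { [string]$r.Properties['operatingsystem'][0] } else { '(not set; possibly Windows NT 4.0)' }
    "{0,-40} {1}" -f $name, $os
    if ($os -match 'Windows 2000|Windows NT|not set') { $blocking += $name }
}
if ($blocking) {
    "Cannot raise this domain to Windows Server 2003 level until these DCs are upgraded or demoted: $($blocking -join ', ')"
} else {
    'No down-level DCs found; the domain could be raised to Windows Server 2003 level (irreversible).'
}
```

Run it once per domain before a planned raise; the forest raise additionally needs every domain to report at least Windows 2000 native (value 0 on the domain NC with no NT 4.0 DCs) or Windows Server 2003.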
Physical Components
“Physical” Components of Active Directory
• Sites
– Areas of “good” (fast, reliable) connectivity, defined in terms of IP subnets
– A single site may contain many domains
– A single domain may span many sites
• Domain controllers
– Store replicas of the Active Directory database
– Each is associated with a given site
Diagram (sites): sites Chicago, Seattle, New York and Los Angeles, each made up of one or more IP subnets; a domain spans several sites, and a site holds domain controllers from more than one domain.
Sites
• Subnets are defined and associated with sites
• Used by domain controllers to determine replication behaviour: replication within a site is triggered by change notification and is uncompressed, while replication between sites follows the schedule of the site link and is compressed
• Used by computers to locate close domain controllers for authentication and directory searches: the DC locator maps the client's IP address to a subnet object, the subnet to a site, and then prefers DCs registered in that site
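As an added example (not from the slides), the PowerShell script below loads the forest's subnet-to-site map from the configuration partition and resolves an IPv4 address to its site by longest-prefix match, which is the lookup the DC locator performs before it hands a client a “close” domain controller. It assumes a domain-joined host with PowerShell 3.0 or later; the address `10.1.2.3` is a constructed sample, IPv6 subnet objects are skipped, and the last line cross-checks the script's answer against the site the locator itself chose for the machine.

```powershell
# Added example: resolve an IPv4 address to an AD site using the subnet objects.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value

function ConvertTo-IPv4Int([string]$Ip) {
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()      # network byte order
    [uint32]([uint32]$b[0] * 16777216 + [uint32]$b[1] * 65536 + [uint32]$b[2] * 256 + [uint32]$b[3])
}
function Get-IPv4Mask([int]$Prefix) {
    # /24 -> 0xFFFFFF00; computed arithmetically so it also runs where -shl is unavailable
    [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))
}

# Subnet objects are named "network/prefix" and point at their site through siteObject.
$s = [adsisearcher]'(objectClass=subnet)'
$s.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
[void]$s.PropertiesToLoad.AddRange([string[]]('cn', 'siteObject'))
$subnets = foreach ($r in $s.FindAll()) {
    $cn = [string]$r.Properties['cn'][0]
    if ($cn -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { continue }     # IPv4 only in this example
    $site = if ($r.Properties.Contains('siteobject')) {
                ([string]$r.Properties['siteobject'][0]) -replace '^CN=([^,]+),.*', '$1'
            } else { '(no site assigned)' }
    New-Object PSObject -Property @{ Cn = $cn; Network = (ConvertTo-IPv4Int $Matches[1]); Prefix = [int]$Matches[3]; Site = $site }
}

function Resolve-Site([string]$Ip) {
    $n = ConvertTo-IPv4Int $Ip
    $best = $subnets |
        Where-Object { ($n -band (Get-IPv4Mask $_.Prefix)) -eq $_.Network } |
        Sort-Object Prefix -Descending | Select-Object -First 1             # most specific subnet wins
    if ($best) { "$Ip -> subnet $($best.Cn) -> site $($best.Site)" }
    else       { "$Ip -> no subnet object covers it; the locator falls back to any DC (fix the subnet map)" }
}

Resolve-Site '10.1.2.3'     # constructed sample address; replace with a real client IP
$local = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
Resolve-Site $local.ToString()

# Cross-check: the site the DC locator actually assigned this computer to
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
```

Addresses that resolve to no subnet are the ones to chase: clients there authenticate against whichever DC answers first, often across a WAN link.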
Domain Controllers
– Domain controllers replicate the partitions they have in common
– Every DC in the forest has a replica of the schema and configuration partitions
– Every DC in a domain has a replica of that domain's domain partition
– DCs may also hold replicas of application partitions
Roles of Active Directory
Roles of a Domain Controller
Operations master (FSMO) roles, forest-wide (exactly one holder per forest):
► Schema Master
► Domain Naming Master
Operations master (FSMO) roles, domain-wide (exactly one holder per domain):
► RID Master
► PDC Emulator
► Infrastructure Master
Other role (any number of holders):
► Global Catalog Server
Placement rule: the Infrastructure Master must not run on a global catalog server unless every DC in the domain is a GC; otherwise it never sees stale cross-domain group-membership references and never updates them.
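As an added example (not from the slides), the PowerShell script below reads the five operations-master holders from the fSMORoleOwner attribute of the objects that carry each role, determines whether each holder is a global catalog server from the options bit on its NTDS Settings object, and then checks the infrastructure-master placement rule above. It assumes a domain-joined host with PowerShell 3.0 or later and read access to the schema and configuration partitions; the object paths are the well-known role objects, and the script only reads.

```powershell
# Added example: list FSMO role holders and check infrastructure master placement.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Each role is recorded as fSMORoleOwner on one well-known object; the value is the DN
# of the holder's "NTDS Settings" object under CN=Sites in the configuration partition.
$roleObjects = @(
    @{ Role = 'Schema master (forest-wide)';         Path = "LDAP://$schemaNC" },
    @{ Role = 'Domain naming master (forest-wide)';  Path = "LDAP://CN=Partitions,$configNC" },
    @{ Role = 'PDC emulator (domain-wide)';          Path = "LDAP://$domainNC" },
    @{ Role = 'RID master (domain-wide)';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainNC" },
    @{ Role = 'Infrastructure master (domain-wide)'; Path = "LDAP://CN=Infrastructure,$domainNC" }
)
$NTDSDSA_OPT_IS_GC = 0x1   # 'options' bit on an NTDS Settings object

function Get-HolderInfo([string]$ntdsDn) {
    $ntds   = [ADSI]"LDAP://$ntdsDn"
    $server = $ntds.psbase.Parent            # the 'server' object that owns the NTDS Settings
    $opts   = 0; if ($ntds.options.Value) { $opts = [int]$ntds.options.Value }
    New-Object PSObject -Property @{ Host = [string]$server.dNSHostName.Value; IsGC = [bool]($opts -band $NTDSDSA_OPT_IS_GC) }
}

$holders = @{}
foreach ($ro in $roleObjects) {
    $info = Get-HolderInfo ([ADSI]$ro.Path).fSMORoleOwner.Value
    $holders[$ro.Role] = $info
    "{0,-38} {1,-30} GC={2}" -f $ro.Role, $info.Host, $info.IsGC
}

# Census of this domain's DCs: every DC has an NTDS Settings object (class nTDSDSA) whose
# hasMasterNCs lists the writable partitions it holds, including its own domain NC.
$s = [adsisearcher]'(objectClass=nTDSDSA)'
$s.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
[void]$s.PropertiesToLoad.AddRange([string[]]('options', 'hasMasterNCs'))
$dcs = 0; $gcs = 0
foreach ($r in $s.FindAll()) {
    if ($r.Properties['hasmasterncs'] -notcontains $domainNC) { continue }   # DC of another domain
    $dcs++
    if ($r.Properties.Contains('options') -and ([int]$r.Properties['options'][0] -band $NTDSDSA_OPT_IS_GC)) { $gcs++ }
}
"Domain has $dcs DC(s), $gcs of them global catalog servers."

$im = $holders['Infrastructure master (domain-wide)']
if ($im.IsGC -and $gcs -lt $dcs) {
    "WARNING: infrastructure master $($im.Host) is a GC while $($dcs - $gcs) DC(s) are not; cross-domain group references will go stale. Move the role to a non-GC DC or make every DC a GC."
} else {
    'Infrastructure master placement is fine.'
}
```

Run it against each domain; the two forest-wide rows will be identical everywhere, the three domain-wide rows change per domain.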
Global Catalog
• Like a telephone book that contains limited information about all people and businesses within a city, the global catalog contains limited information about every object in the forest
• Within the schema, certain attributes are marked for inclusion in the GC (the partial attribute set)
– Searches are commonly performed against these attributes
– By searching the GC, individual domains do not have to be queried in most cases; the GC can resolve the query itself
• Servers that hold a copy of the global catalog are called global catalog servers; they answer GC queries on LDAP port 3268 (3269 over SSL) in addition to normal domain LDAP on port 389
• Because a GC answers for every domain in the forest, every attribute added to the partial attribute set becomes readable forest-wide by anyone who can query a GC
Diagram (global catalog server): a global catalog server holds
• a full copy of the domain partition for its own domain
• a full copy of the configuration partition for the forest
• a full copy of the schema partition for the forest
• a read-only partial copy of every other domain partition in the forest (e.g. Solaris.com, Ccna.com, Mcse.com): all objects, but only the attributes marked for GC inclusion
• application data if configured: ForestDnsZones, DomainDnsZones, user-defined application partition(s)
Diagram (global catalog queries): attributes marked “Include in GC” in the schema (e.g. telephone, e-mail, name, …) are what forest-wide queries from any domain can retrieve; the GC is also consulted for a user's universal group membership when the user logs on, so in a Windows 2000 native or higher domain a logon fails when no GC is reachable unless universal group membership caching is enabled for the site.
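As an added example (not from the slides), the PowerShell script below first lists the schema attributes marked for GC inclusion (isMemberOfPartialAttributeSet=TRUE), then runs a forest-wide query over port 3268 by binding the search root with `GC://` instead of `LDAP://` and reports which of the requested attributes the global catalog actually returned. It assumes a domain-joined host with PowerShell 3.0 or later; the account name `jdoe` is a constructed sample, and the requested attribute list is the script's own choice (lastLogon and badPwdCount are never replicated, so they can only come back when the answering GC holds the full partition of the object's own domain).

```powershell
# Added example: partial attribute set and a forest-wide GC search.
$rootDse    = [ADSI]"LDAP://RootDSE"
$schemaNC   = $rootDse.schemaNamingContext.Value
$forestRoot = $rootDse.rootDomainNamingContext.Value

# (1) isMemberOfPartialAttributeSet=TRUE on an attributeSchema object marks it for GC inclusion
$s = [adsisearcher]'(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$s.SearchRoot = [ADSI]"LDAP://$schemaNC"
$s.PageSize   = 500                                   # paged results: the set is a few hundred entries
[void]$s.PropertiesToLoad.Add('lDAPDisplayName')
$pas = @(foreach ($r in $s.FindAll()) { [string]$r.Properties['ldapdisplayname'][0] })
"{0} attributes are in the partial attribute set, e.g. {1}" -f $pas.Count, (($pas | Sort-Object | Select-Object -First 6) -join ', ')

# (2) The same DirectorySearcher bound with GC:// sends the query to port 3268 with the forest
#     root as base, so the result set covers every domain in the forest, not just ours.
$sam  = 'jdoe'                                        # constructed sample; replace with a real sAMAccountName
$want = 'displayName', 'mail', 'telephoneNumber', 'lastLogon', 'badPwdCount'
$gc = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))"
$gc.SearchRoot = [ADSI]"GC://$forestRoot"
[void]$gc.PropertiesToLoad.AddRange([string[]]$want)
$hit = $gc.FindOne()
if (-not $hit) { "No object named $sam anywhere in the forest"; return }
"Found via GC: $($hit.Path)"
foreach ($a in $want) {
    $inPas    = $pas -contains $a
    $returned = $hit.Properties.Contains($a.ToLower())
    "{0,-16} in partial attribute set: {1,-5} returned by GC: {2}" -f $a, $inPas, $returned
}
```

For an account in a domain other than the answering GC's own, only the attributes that show `in partial attribute set: True` come back; to read the rest you must follow the object's path to a DC of that domain on port 389.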