S.I.R.A. Liaison Course – Module 2
06 – Active Directory
20/11 – 27/11 – 05/12
11/12 – 13/12 (group 1)
12/12 – 15/12 (group 2)
Cristiano Gentili, Massimiliano Viola (CSIA)
Overview
Introduction to Active Directory
Active Directory Logical Structure
Active Directory Physical Structure
Methods for Administering a Windows 2000 Network
• Introduction to Active Directory
What Is Active Directory?
Active Directory Objects
Active Directory Schema
Lightweight Directory Access Protocol (LDAP)
What Is Active Directory?
Directory Service Functionality: organize, manage and control resources
Centralized Management:
Single point of administration
Full user access to directory resources by a single logon
Active Directory Objects
Objects Represent Network Resources
Attributes Store Information About an Object
[Figure: Active Directory holds objects grouped by class (Printers: Printer1, Printer2, Printer3; Users: Suzan Fine, Don Hall); each object carries attribute/value pairs, e.g. First Name, Last Name and Logon Name for a user, Printer Name and Printer Location for a printer]
Active Directory Schema
Objects (class examples): Printers, Computers, Users
Attributes of Users might contain: accountExpires, department, distinguishedName, middleName
Attribute examples: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …
Active Directory Schema Is:
Dynamically Available
Dynamically Updateable
Protected by DACLs
Lightweight Directory Access Protocol (LDAP)
LDAP Provides a Way to Communicate with Active Directory by Specifying Unique Naming Paths for Each Object in the Directory
LDAP Naming Paths Include:
Distinguished names
Relative distinguished names
Example distinguished name: CN=RossiMario,OU=Studenti,DC=ds,DC=units,DC=it
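The naming path above, taken apart in code. This is an added example, not part of the course material: it splits a distinguished name into its relative distinguished names (RDNs) following the RFC 4514 backslash escaping that Active Directory uses, so that a value containing a comma (the second, constructed DN) is not mistaken for a container boundary.

```python
# Added example (not from the course slides): split an LDAP distinguished name
# like the one on the slide into RDNs, honouring RFC 4514 backslash escapes.
import re

SPECIAL = ',+"\\<>;='   # characters that must be backslash-escaped in a value

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (attribute, value) pairs, leftmost RDN first; an escaped
    separator such as '\\,' stays inside the value. Raises ValueError."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                                  # escape sequence
            nxt = dn[i + 1:i + 2]
            if not nxt or nxt not in SPECIAL + " #":
                raise ValueError(f"bad escape at offset {i}")
            buf.append(nxt); i += 2; continue
        if ch == "=" and attr is None:                  # end of attribute type
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":                                 # end of this RDN
            if attr is None:
                raise ValueError(f"RDN without '=' at offset {i}")
            rdns.append((attr, "".join(buf).strip())); attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("trailing RDN without '='")
    rdns.append((attr, "".join(buf).strip()))
    return rdns

def fmt(rdns: list[tuple[str, str]]) -> str:
    """Re-assemble RDNs into a DN string, re-escaping special characters."""
    esc = lambda v: re.sub(r'([,+"\\<>;=])', r'\\\1', v)
    return ",".join(f"{a}={esc(v)}" for a, v in rdns)

def rdn(dn: str) -> str:             # relative distinguished name: leftmost RDN
    return fmt(parse_dn(dn)[:1])

def parent_dn(dn: str) -> str:       # DN of the container holding the object
    return fmt(parse_dn(dn)[1:])

def domain_dns_name(dn: str) -> str:  # DC= components joined into a DNS name
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")

# Constructed inputs: the DN from the slide, plus one with an escaped comma.
STUDENT_DN = "CN=RossiMario,OU=Studenti,DC=ds,DC=units,DC=it"
ESCAPED_DN = "CN=Rossi\\, Mario,OU=Studenti,DC=ds,DC=units,DC=it"
```

For the slide's DN the RDN is CN=RossiMario, the parent container is OU=Studenti,DC=ds,DC=units,DC=it and the DC components give the domain DNS name ds.units.it.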
• Active Directory Logical Structure
Domains
Organizational Units
Trees and Forests
Domains
A Domain Is a Security Boundary
A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
A Domain Is a Unit of Replication
Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Figure: a Windows 2000 domain whose domain controllers replicate User1 and User2 between them]
Organizational Units
[Figure: OU hierarchies modelled on the organizational structure (e.g. Sales, Vancouver, Repair) and on the network administrative model (e.g. Users, Sales, Computers)]
Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization
Delegate Administrative Control over the Objects Within an OU by Assigning Specific Permissions to Users and Groups
Trees and Forests
[Figure: a forest made of two trees. Tree 1: contoso.msft (root) with child domains au.contoso.msft and asia.contoso.msft. Tree 2: nwtraders.msft with child domains au.nwtraders.msft and asia.nwtraders.msft. Parent and child domains within a tree are linked by two-way transitive trusts, and the two tree roots are linked by a two-way transitive trust.]
Global Catalog
[Figure: a global catalog server holds a subset of the attributes of all objects from every domain]
Global Catalog is used for:
Queries
Group membership when a user logs on
• Active Directory Physical Structure
Domain Controllers
Sites
Domain Controllers
[Figure: two domain controllers in one domain replicating User1 and User2 between them]
Domain Controller = A Writeable Copy of the Active Directory Database
Domain Controllers:
Participate in Active Directory replication
Perform single master operations roles in a domain
Sites
Sites:
Optimize replication traffic
Enable users to log on to a domain controller by using a reliable, high-speed connection
[Figure: each site (Los Angeles, Seattle, Chicago, New York) is defined by one or more IP subnets]
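How a client is matched to a site through the subnet table, as an added example that is not part of the course material. The site names come from the figure; the subnets and domain controller names are constructed. Active Directory picks the most specific subnet that contains the client address, so the Chicago /24 carved out of the Seattle /16 wins for clients inside it.

```python
# Added example (not from the course slides): map a client IP address to its
# Active Directory site by longest-prefix match over a site/subnet table.
import ipaddress

# Constructed site-to-subnet table for the four sites in the figure.
SITE_SUBNETS = {
    "Los Angeles": ["10.10.0.0/16"],
    "Seattle":     ["10.20.0.0/16"],
    "Chicago":     ["10.30.0.0/16", "10.20.5.0/24"],   # /24 inside Seattle's /16
    "New York":    ["10.40.0.0/16", "2001:db8:40::/48"],
}
# Constructed domain controllers per site.
SITE_DCS = {
    "Los Angeles": ["dc-la1"], "Seattle": ["dc-sea1"],
    "Chicago": ["dc-chi1"], "New York": ["dc-nyc1", "dc-nyc2"],
}

def site_for_ip(ip: str, table=SITE_SUBNETS):
    """Return the site whose most specific subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None                                   # (prefix length, site)
    for site, subnets in table.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, site)
    return best[1] if best else None

def preferred_dcs(ip: str):
    """Domain controllers the client should log on to: those in its own site.
    A client from an unmapped subnet has no site affinity, so any DC may
    answer it, possibly across a slow link."""
    site = site_for_ip(ip)
    if site is None:
        return sorted(dc for dcs in SITE_DCS.values() for dc in dcs)
    return SITE_DCS[site]
```

Clients that resolve to no site are worth tracking: domain controllers record them as NO_CLIENT_SITE entries in netlogon.log, which is the usual way to find subnets missing from the site table.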
• Methods for Administering a Windows 2000 Network
Using Active Directory for Centralized Management
Managing the User Environment
Delegating Administrative Control
Using Active Directory for Centralized Management
[Figure: a domain containing OU1 (Computers, Users: Computer1, User1) and OU2 (Users, Printers: User2, Printer1); an administrator searches the directory to locate these objects]
Active Directory:
Enables a single administrator to centrally manage resources
Allows administrators to easily locate information
Allows administrators to group objects into OUs
Uses Group Policy to specify policy-based settings
Managing the User Environment
Use Group Policy to:
Control and lock down what users can do
Centrally manage software installation, repairs, updates, and removal
Configure user data to follow users whether they are online or offline
[Figure: Apply Group Policy Once, Windows 2000 Enforces Continually; Group Policy is applied to the Domain and to OU1, OU2 and OU3]
Delegating Administrative Control
Assign Permissions:
For specific OUs to other administrators
To modify specific attributes of an object in a single OU
To perform the same task in all OUs
Customize Administrative Tools to:
Map to delegated administrative tasks
Simplify interface design
[Figure: within the domain, Admin1, Admin2 and Admin3 are each delegated control of OU1, OU2 and OU3]