
ACTIVE DIRECTORY II


Presentation Transcript


  1. ACTIVE DIRECTORY II

  2. Basics of Active Directory in Windows Server 2003 • Active Directory partitions • Logical structures • “Physical” structures • Functional levels

  3. Active Directory Partitions

  4. Schema • Logical partition in the Active Directory database • “Template” for the Active Directory database • Forms the database structures in which data is stored • Object classes • Attributes • Extensible • Dynamic • Protected by ACLs (access control lists): DACLs (discretionary ACLs) and SACLs (system ACLs) • One schema per Active Directory forest

  5. Schema (figure) • Object class examples: Users, Computers, Servers • Attribute examples: accountExpires, badPasswordTime, mail, name, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, … • Attributes of Users might contain: accountExpires, badPasswordTime, mail • Schema objects are dynamically available, updateable, and protected by DACLs

  6. Configuration • Logical partition in Active Directory database • “Map” of Active Directory implementation • Contains information used for replication, logon, searches • Domains • Trust relationships • Sites & site links • Subnets • Domain controller locations

  7. Domains (figure: Windows 2000/WS03 domain replication, User1 and User2 replicated between two domain controllers) • Logical partition in the Active Directory database • Collections of users, computers, groups, etc. • Units of replication • Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain • Domain controllers do not replicate domain partition information for other domains

  8. Directory Partitions • Schema: contains definitions and rules for creating and manipulating all objects and attributes; forest-wide replication (every DC in the forest has a replica) • Configuration: contains information about the Active Directory structure; forest-wide replication • Domain (e.g. Zoom.com): contains information about all domain-specific objects created in Active Directory; domain-wide replication • Application: contains application data; configurable replication (e.g. the ForestDnsZones and DomainDnsZones partitions that hold AD-integrated DNS zones) • All partitions together comprise the Active Directory database
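The partition layout of slides 4 to 8, as an added PowerShell example (it is not part of the original deck): it reads the naming contexts a DC holds from RootDSE, shows which partitions carry a configurable replica set, and inspects the schema partition (class and attribute counts, the attributes a user object may carry, and who can write to the schema). It assumes the RSAT ActiveDirectory module on a domain-joined machine; every DN is taken from RootDSE, so no domain names are hard-coded.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module on a
# domain-joined machine; all DNs are read from RootDSE rather than hard-coded.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=...
$configNc = $rootDse.configurationNamingContext   # CN=Configuration,DC=...

# RootDSE lists every naming context (partition) this particular DC has a replica of
"Partitions replicated to $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# Each partition has a crossRef object under CN=Partitions. Application partitions
# carry their replica set in msDS-NC-Replica-Locations (DNs of the NTDS Settings
# objects of the DCs that replicate them); schema, configuration and domain
# partitions have no such list because their scope is fixed (forest or domain).
Get-ADObject -SearchBase "CN=Partitions,$configNc" -LDAPFilter '(objectClass=crossRef)' `
             -Properties nCName, 'msDS-NC-Replica-Locations' |
  ForEach-Object {
      $replicas = @($_.'msDS-NC-Replica-Locations' | Where-Object { $_ })
      $scope = if ($replicas.Count -gt 0) { "configurable, $($replicas.Count) replica(s)" }
               else                        { 'fixed (forest-wide or domain-wide)' }
      "{0,-45} {1}" -f $_.nCName, $scope
  }

# The schema is itself stored as objects: one classSchema per object class and
# one attributeSchema per attribute.
$classes = @(Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=classSchema)')
$attrs   = @(Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)')
"Schema: {0} classes, {1} attributes" -f $classes.Count, $attrs.Count

# Which attributes may a 'user' object carry? Walk the subClassOf chain
# (user -> organizationalPerson -> person -> top) and collect the must/may lists.
# Auxiliary classes (e.g. securityPrincipal) are ignored here for brevity.
$allowed = @()
$cls = 'user'
while ($cls) {
    $c = Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$cls))" `
            -Properties mustContain, mayContain, systemMustContain, systemMayContain, subClassOf
    $allowed += @($c.mustContain) + @($c.mayContain) + @($c.systemMustContain) + @($c.systemMayContain)
    $cls = if ($c.subClassOf -ne $cls) { $c.subClassOf } else { $null }   # 'top' is its own superclass
}
$allowed = @($allowed | Where-Object { $_ } | Select-Object -Unique)
"user objects can carry {0} attributes; accountExpires allowed: {1}" -f $allowed.Count, ($allowed -contains 'accountExpires')

# The schema partition is ACL-protected like any other object: list who may write to it.
# Normally only Schema Admins and SYSTEM hold write rights; anything else deserves a look.
(Get-Acl -Path "AD:\$schemaNc").Access |
  Where-Object { $_.AccessControlType -eq 'Allow' -and
                 $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner' } |
  Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Everything here is a read, so an ordinary domain user can run it. The last listing is the check worth keeping: the schema is one per forest and can only be modified on the DC holding the Schema Master role, so an unexpected principal with write rights there has the reach to redefine object classes for every domain in the forest.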

  9. Logical Structures

  10. Tree • One or more domains that share a contiguous DNS namespace, e.g. • ZOOM.COM • MCSE.ZOOM.COM • CCNA.ZOOM.COM

  11. Forest • One or more domains that share: • Common schema • Common configuration • Automatic transitive trust relationships • Common global catalog • A forest can contain as few as one domain or many domains and/or many trees • The first domain created is the forest root; this cannot be changed without rebuilding the entire forest

  12. Trust Relationship

  13. Trust Relationships • Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains • Some trusts are created automatically • Parent and child domains trust each other • Tree root domains trust the forest root domain • Other trusts are created manually • Forest-to-forest transitive trust relationships can be created (Windows Server 2003 forests only)

  14. Trust Relationships in Windows Server 2003 • Default: two-way, transitive Kerberos trusts (intraforest; parent-child and tree-root) • Shortcut: one- or two-way, transitive Kerberos trusts (intraforest); reduce authentication referrals between domains that are far apart in the tree • Forest: one- or two-way, transitive Kerberos trusts; Windows Server 2003 forests only (Windows 2000 does not support forest trusts); only between forest roots; creates transitive domain relationships between the two forests • External: one- or two-way, non-transitive NTLM trusts; used to connect to/from Windows NT domains or individual domains in another forest; manually created • Realm: one- or two-way Kerberos trusts, transitive or non-transitive; connect to/from UNIX MIT Kerberos realms

  15. Domain Trees and Forests (figure): tree/forest roots nwtraders.msft, contoso.msft and tailspintoys.msft; child domains japan.contoso.msft, china.nwtraders.msft and japan.nwtraders.msft; two-way transitive trusts between the domains within a forest; an external one-way non-transitive trust to a Windows NT domain
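The trust categories of slides 13 to 15, as an added PowerShell example (not part of the original deck): it reads the trustedDomain objects in CN=System of the current domain and decodes direction, trust type (Kerberos vs NT-style) and the trustAttributes bits, which is where transitivity, intraforest vs forest vs external, selective authentication and SID filtering are recorded. The flag values are the trustAttributes definitions from MS-ADTS; the module assumed is RSAT ActiveDirectory, and the warnings are this example's own review checks, not something the slides state.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainNc = (Get-ADRootDSE).defaultNamingContext

# trustDirection / trustType values as defined in MS-ADTS
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel (NT4, NTLM only)'; 2 = 'Uplevel (AD, Kerberos)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
$TA_NON_TRANSITIVE     = 0x0001
$TA_UPLEVEL_ONLY       = 0x0002
$TA_QUARANTINED_DOMAIN = 0x0004   # SID filtering quarantine on an external trust (default on WS03+)
$TA_FOREST_TRANSITIVE  = 0x0008   # forest trust
$TA_CROSS_ORGANIZATION = 0x0010   # selective authentication
$TA_WITHIN_FOREST      = 0x0020   # parent-child, tree-root and shortcut trusts
$TA_TREAT_AS_EXTERNAL  = 0x0040   # forest trust with SID filtering relaxed (netdom ... /enablesidhistory:yes)

Get-ADObject -SearchBase "CN=System,$domainNc" -LDAPFilter '(objectClass=trustedDomain)' `
             -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes |
  ForEach-Object {
      $ta = [int]$_.trustAttributes
      $kind = if     ($ta -band $TA_WITHIN_FOREST)     { 'intraforest (default or shortcut)' }
              elseif ($ta -band $TA_FOREST_TRANSITIVE) { 'forest' }
              elseif ([int]$_.trustType -eq 3)         { 'realm' }
              else                                     { 'external' }

      # Review checks: each one is a way for a SID from the other side to reach this domain
      $warnings = @()
      if ($kind -eq 'external' -and -not ($ta -band $TA_QUARANTINED_DOMAIN)) {
          $warnings += 'SID filtering quarantine OFF: SIDHistory from the trusted domain is honoured'
      }
      if ($kind -eq 'forest' -and ($ta -band $TA_TREAT_AS_EXTERNAL)) {
          $warnings += 'forest trust treated as external: SID filtering relaxed'
      }
      if (($kind -eq 'forest' -or $kind -eq 'external') -and -not ($ta -band $TA_CROSS_ORGANIZATION)) {
          $warnings += 'selective authentication OFF: every user of the trusted side is Authenticated Users here'
      }

      [pscustomobject]@{
          Partner    = $_.trustPartner
          NetBIOS    = $_.flatName
          Kind       = $kind
          Direction  = $TrustDirection[[int]$_.trustDirection]
          Type       = $TrustType[[int]$_.trustType]
          Transitive = -not ($ta -band $TA_NON_TRANSITIVE)
          Warnings   = ($warnings -join '; ')
      }
  } | Format-Table -AutoSize -Wrap
```

`nltest /domain_trusts /all_trusts` gives the same inventory from the DC locator's point of view and is handy on a box without the module. The point of decoding the raw bits instead of relying on friendly property names is that the SID filtering settings are exactly the ones an attacker with SIDHistory on the trusted side needs to be off, and the two bits mean opposite things (0x4 set is the safe state for an external trust, 0x40 set is the unsafe state for a forest trust).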

  16. Functional Levels

  17. Forest and Domain Functional Levels • Functional levels determine • Supported domain controller operating systems • Active Directory features available • Domain functional levels can be raised independently of one another • Raising the forest functional level is performed by an Enterprise Admin • Requires all domains to be at the Windows 2000 native or WS03 functional level

  18. Forest Functional Levels

  19. Forest Functional Levels- Features

  20. Domain Functional Levels (figure) • Windows 2000 mixed mode: NT 4, Windows 2000 or WS03 DCs (figure shows a Windows NT 4.0, a Windows 2000 and a Windows Server 2003 domain controller together) • Windows 2000 native mode: no NT 4 DCs (Windows 2000 and Windows Server 2003 domain controllers only)

  21. Domain Functional Levels (figure) • Windows Server 2003 interim: no Windows 2000 DCs (Windows NT 4.0 and Windows Server 2003 domain controllers only) • Windows Server 2003: all DCs run Windows Server 2003

  22. Domain Functional Levels- Features

  23. Physical Components

  24. “Physical” Components of Active Directory (figure: a domain spanning sites) • Sites: areas of “good” connectivity • A single site may contain many domains • A single domain may span many sites • Domain controllers: store replicas of the Active Directory database; each is associated with a given site

  25. Sites (figure: Seattle, New York, Chicago and Los Angeles sites, each with its IP subnets) • Subnets are defined and associated with sites • Used by domain controllers to determine replication behavior • Used by computers to locate nearby domain controllers for authentication and directory searches
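The subnet-to-site mapping of slides 24 and 25, as an added PowerShell example (not part of the original deck): it pulls the subnet objects from the configuration partition and then does what the DC locator does when a client asks which site it is in, namely a longest-prefix match of the client address against the defined subnets. It also lists subnets that are not attached to any site and points at where clients with no matching subnet show up. It assumes the RSAT ActiveDirectory module and handles IPv4 only; the two client addresses at the bottom are made-up inputs.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module;
# subnets come from the live configuration partition, the lookup runs locally.
Import-Module ActiveDirectory

$subnets = Get-ADReplicationSubnet -Filter * -Properties Site

function ConvertTo-UInt32Ip([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes()
    [Array]::Reverse($b)                 # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function Get-SiteForIp([string]$ClientIp) {
    $ip = [System.Net.IPAddress]::Parse($ClientIp)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw 'IPv4 only in this example' }
    $ipNum = ConvertTo-UInt32Ip $ip
    $best  = $null
    foreach ($s in $subnets) {
        $net, $len = $s.Name -split '/'                          # subnet objects are named like 10.1.0.0/16
        if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # skip IPv6 subnets
        $len  = [int]$len
        $mask = if ($len -eq 0) { [uint32]0 }
                else { [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len)) }
        $netNum = ConvertTo-UInt32Ip ([System.Net.IPAddress]::Parse($net))
        # longest prefix wins, exactly as the locator picks the most specific subnet
        if ((($ipNum -band $mask) -eq ($netNum -band $mask)) -and ($null -eq $best -or $len -gt $best.Len)) {
            $best = [pscustomobject]@{ Subnet = $s.Name; Len = $len; Site = $s.Site }
        }
    }
    if (-not $best)      { return "$ClientIp matches no subnet: the client gets no site and may authenticate to any DC in the domain" }
    if (-not $best.Site) { return "$ClientIp matches $($best.Subnet), but that subnet is not assigned to a site" }
    $siteName = ($best.Site -split ',')[0] -replace '^CN=', ''   # Site holds the DN of the site object
    return "$ClientIp -> $($best.Subnet) -> site $siteName"
}

# Made-up client addresses for illustration
Get-SiteForIp '10.1.20.5'
Get-SiteForIp '192.0.2.9'

# Subnets that exist but are attached to no site are useless to the locator
$subnets | Where-Object { -not $_.Site } | Select-Object Name

# Clients that match no subnet are recorded by every DC in %SystemRoot%\debug\netlogon.log
# as NO_CLIENT_SITE lines; that file is the list of subnets still missing from the directory.
```

On the client itself, `nltest /dsgetsite` returns the site the locator actually assigned, which is the authoritative answer to compare against. A client with no site is not just a performance problem: it will happily authenticate against a DC on the far side of a WAN link, and its logons and searches leave the replication topology the sites were designed to protect.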

  26. Domain Controllers • Domain controllers replicate common partitions • Every DC in the forest has a replica of schema & configuration partitions • Every DC in a domain has a replica of that domain’s domain partition • DCs may contain replicas of application partitions

  27. Roles of Active Directory

  28. Roles of a Domain Controller • Global Catalog Server • Operations Masters (FSMO roles) • Forest-wide roles: Schema Master, Domain Naming Master • Domain-wide roles: RID Master, PDC Emulator, Infrastructure Master
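The operations master roles of slide 28, as an added PowerShell example (not part of the original deck): it locates the five role holders, checks that each can be reached, applies the Infrastructure Master placement rule (not on a global catalog unless every DC in the domain is one), and reads how much of the domain's RID pool the RID Master has left. It assumes the RSAT ActiveDirectory module; the layout of rIDAvailablePool (high 32 bits = highest issuable RID, low 32 bits = next RID to hand out) is the documented one.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

[pscustomobject]@{
    'Schema Master (forest)'         = $forest.SchemaMaster
    'Domain Naming Master (forest)'  = $forest.DomainNamingMaster
    'RID Master (domain)'            = $domain.RIDMaster
    'PDC Emulator (domain)'          = $domain.PDCEmulator
    'Infrastructure Master (domain)' = $domain.InfrastructureMaster
} | Format-List

# Reachability: a role holder that is down blocks schema changes, new domains,
# new RID blocks, password-change propagation or cross-domain reference cleanup.
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster) | Select-Object -Unique
foreach ($holder in $holders) {
    try   { $null = Get-ADRootDSE -Server $holder; "$holder reachable" }
    catch { "$holder UNREACHABLE: $($_.Exception.Message)" }
}

# Infrastructure Master rule: it refreshes cross-domain references (phantoms) by
# comparing them against a GC. If it is itself a GC it never notices a stale
# reference. The rule is moot only when every DC in the domain is a GC.
$dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
$im  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($gcs.Count -lt $dcs.Count -and $im.IsGlobalCatalog) {
    "WARNING: Infrastructure Master $($im.HostName) is a GC while $($dcs.Count - $gcs.Count) DC(s) are not; cross-domain group memberships will go stale"
} else {
    'Infrastructure Master placement OK'
}

# RID pool: the RID Master hands out RID blocks from rIDAvailablePool, a 64-bit value
# whose high 32 bits are the highest RID that can ever be issued and whose low 32 bits
# are the next RID to hand out. Exhaustion stops creation of every new user, group and
# computer in the domain.
$ridMgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$nextRid = $pool -band 0xFFFFFFFF
$maxRid  = $pool -shr 32
"RIDs issued so far: {0} of {1} ({2:P1} of the pool used)" -f $nextRid, $maxRid, ($nextRid / $maxRid)
```

The same role inventory is available from `netdom query fsmo`, and `dcdiag /test:ridmanager /test:knowsofroleholders` runs the equivalent health tests. What the script adds over the slide is the reason each role matters operationally: a seized or unreachable holder is discovered here rather than when the first account creation fails.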

  29. Global Catalog • Just as a telephone book contains limited information about all the people and businesses in a city, the global catalog contains limited information about every object in the forest • Within the schema, certain attributes are marked for inclusion in the GC • Searches are commonly performed against these attributes • By searching the GC, individual domains do not have to be queried in most cases; the GC can resolve the search itself • Servers that hold a copy of the global catalog are called global catalog servers

  30. Global Catalog Server • Schema: holds a full copy of the schema partition for the forest • Configuration: holds a full copy of the configuration partition for the forest • Mcse.com (own domain): holds a full copy of the domain partition for its own domain • Ccna.com, Solaris.com (other domains): holds a read-only copy of all other domain directory partitions, all objects but only the attributes marked for GC inclusion • Application: contains application data if configured (ForestDnsZones, DomainDnsZones, user-defined application partitions)

  31. Global Catalog (figure) • In the schema, object attributes marked “Include in GC” (e.g. telephone, email, name, …) are replicated from every domain to the global catalog servers • Global catalog queries are answered by a global catalog server • Universal group membership is resolved through a global catalog server when a user logs on
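The global catalog of slides 29 to 31, as an added PowerShell example (not part of the original deck): it reads the partial attribute set straight from the schema (the “Include in GC” flag is the isMemberOfPartialAttributeSet attribute on each attributeSchema object), lists the GC servers, and then runs a forest-wide search against a GC on port 3268 through System.DirectoryServices to show that objects from other domains come back with only the GC-replicated attributes. It assumes the RSAT ActiveDirectory module and at least one GC in the forest; the attribute names probed are chosen for illustration.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module and
# at least one global catalog server in the forest.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Partial attribute set: every attribute whose schema object carries the GC flag
$pas = @(Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
            -Properties lDAPDisplayName | ForEach-Object { $_.lDAPDisplayName })
"{0} attributes are in the partial attribute set" -f $pas.Count
foreach ($a in 'mail', 'telephoneNumber', 'sAMAccountName', 'accountExpires', 'badPasswordTime') {
    "{0,-18} replicated to the GC: {1}" -f $a, ($pas -contains $a)
}

# GC servers: any DC can be made a GC; it then also hosts read-only partial
# replicas of every other domain in the forest.
$gcServers = (Get-ADForest).GlobalCatalogs
"GC servers: $($gcServers -join ', ')"

# Forest-wide search. A GC:// root talks to port 3268, so the search base is the
# whole forest rather than one domain partition.
$gc = $gcServers | Select-Object -First 1
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"GC://$gc"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(mail=*))'
$searcher.PageSize   = 500
# Ask for one PAS attribute (mail) and one that is never in the GC (badPasswordTime is
# not even replicated between DCs). For objects from other domains the latter is empty;
# it is present only for the GC's own domain, where this server is a full DC.
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail', 'badPasswordTime'))

$searcher.FindAll() | Select-Object -First 20 | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        DN              = $p['distinguishedname'][0]
        Mail            = $p['mail'][0]
        BadPasswordTime = if ($p['badpasswordtime'].Count -gt 0) { $p['badpasswordtime'][0] } else { '(not in GC)' }
    }
} | Format-Table -AutoSize
```

Two practical consequences follow from what the script shows. First, anything you add to the partial attribute set becomes readable forest-wide by anyone who can query the GC, so treat the GC flag as a disclosure decision, not just a search optimisation. Second, the logon path on slide 31 means a DC in a Windows 2000 native or later domain must reach a GC to expand universal group membership; if none is reachable and universal group membership caching is not enabled for the site, interactive logons fall back to cached credentials or fail, which is why a site with DCs but no GC is a resilience problem and not only a replication one.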
