ACTIVE DIRECTORY
An Overview
By Karan Oberoi
What are directory services?
• A directory service (DS) is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources.
• Allows network administrators to manage users' access to the resources.
• Acts as an abstraction layer between users and shared resources.
Directory Services: Common Features
• Provide file shares.
• Authenticate users.
• Provide services such as email, access to the internet, print services, etc.
• Control access to services and shares.
Active Directory
Active Directory is Microsoft's version of an LDAP-based network directory service.
What does it do?
• Active Directory allows administrators to define, arrange and manage objects, such as user data, printers and servers, so they are available to users and applications throughout the organization.
Active Directory
• Microsoft's directory service, included in the Windows 2000 and Windows Server 2003 operating system versions.
• An implementation of LDAP directory services.
• Also called ADS, NTDS.
• Goals and Benefits:
  - Open Standards
  - High Scalability
  - Simplified Administration
Active Directory Structure
• Hierarchical
• Base object: Domain
(Diagram: a Forest contains Trees of Domains; Domains contain Organizational Units (OUs), which in turn contain Objects)
Objects in Active Directory
• "Old friends":
  - User
  - Group
  - Computer
• New elements:
  - Distribution Lists
  - System Policies
  - Application-defined custom objects
• Described in the Schema
What is the Schema?
• Definition of all AD
  - Object types (Classes)
  - Attributes
  - Data types (Syntaxes)
• Can be compared to a database schema
• ONE consistent Schema inside a single Forest
• Extensible
Domain
• AD base element (building block)
• NT 4 compatible
• Physically implemented on Domain Controllers (DCs)
• Border for:
  - Replication traffic
  - System Policies
  - Administration
(Diagram: example domain Firma.de)
Organizational Unit (OU)
• Implements a structure inside a Domain
• Can be nested as needed
• Cannot be assigned any rights
• Typically used for administrative reasons, e.g. System Policies
(Diagram: OUs LA and New York, each containing Admin and Sales OUs)
What is a Tree?
• Hierarchical Domain structure inside a single namespace:
  - adiscon.com
  - la.adiscon.com
  - ny.adiscon.com
• Transitive trusts created automatically
• Sub-domain must be added to the root domain, otherwise there will be no tree
(Diagram: tree with root adiscon.com and child domains la.adiscon.com and ny.adiscon.com)
What is a Forest?
• Combination of Trees
• Disjoint namespaces:
  - adiscon.de
  - adiscon.com
• Transitive trusts created automatically
• There is one single tree root!
• Sub-tree must be added to the root tree, otherwise no Forest will be created
Terminology
• Site: A site is a physical location, or LAN. This is different from a web site, which is an organization's internet presence.
• Domain:
  - A sub-network comprised of a group of clients and servers under the control of one security database. Dividing LANs into domains improves performance and security.
  - All resources under the control of a single computer system.
LDAP
• Lightweight Directory Access Protocol (LDAP): a protocol used to access a directory service.
• LDAP is the primary access protocol for Active Directory.
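How the Domain/OU hierarchy from the earlier slides shows up in LDAP names, and how a directory-enabled application should build the filter it sends to AD, as an added example that is not part of the original deck. Domain and OU names are the ones on the slides; the account name is constructed, and the DN and filter rules follow the LDAP standards (RFC 4514 DNs, RFC 4515 filter escaping), not any AD-specific API.

```python
# Added example: maps the deck's domain/OU hierarchy onto LDAP names and builds a
# search filter with RFC 4515 escaping. Domain and OU names come from the slides;
# the account name used in the tests is constructed.

def domain_to_base_dn(dns_name):
    """la.adiscon.com -> DC=la,DC=adiscon,DC=com: each DNS label is one DC component."""
    return ",".join(f"DC={label}" for label in dns_name.strip(".").split("."))

def ou_dn(base_dn, *ou_path):
    """Nested OUs, outermost first: ou_dn(base, "LA", "Sales") -> OU=Sales,OU=LA,<base>."""
    return ",".join([f"OU={ou}" for ou in reversed(ou_path)] + [base_dn])

# RFC 4515 requires these characters to be hex-escaped inside an assertion value;
# otherwise a user-supplied value could change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape one assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(sam_account_name):
    """Filter for one user account; the objectClass clause limits the match to users."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"

def search_request(domain, ou_path, sam_account_name):
    """The pieces an LDAP search against AD needs: where to look and what to match."""
    return {"base": ou_dn(domain_to_base_dn(domain), *ou_path),
            "scope": "subtree",
            "filter": user_filter(sam_account_name)}
```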
Active Directory's Global Catalog
• The global catalog is the mechanism that tracks all of the objects managed across the network, across all domains within the organization.
• Elements of the catalog are replicated across all of the domain controllers within all domains across the organization.
Global Catalog: Service Discovery
• For Active Directory to function properly, DNS servers must support Service Location (SRV) resource records.
• SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.
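The SRV-based discovery described above, as an added example that is not part of the original deck: it parses constructed SRV records for the _ldap._tcp.dc._msdcs.<domain> name that AD clients query to locate domain controllers, then orders the controllers the way RFC 2782 prescribes (lowest priority value first, weighted random order within a priority). The record data and DC hostnames are constructed; only the domain name is taken from the slides.

```python
import random
from collections import namedtuple

# Constructed sample zone data for the SRV name an AD client queries to find
# domain controllers offering LDAP; the DC hostnames are illustrative placeholders.
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 0 100 389 dc1.adiscon.com.
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 0  50 389 dc2.adiscon.com.
_ldap._tcp.dc._msdcs.adiscon.com. 600 IN SRV 10 100 389 dc-backup.adiscon.com.
"""

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

def parse_srv_zone(text):
    """Parse zone-file style lines: NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # blank line or not an SRV record
        records.append(SrvRecord(fields[0].rstrip("."), int(fields[4]), int(fields[5]),
                                 int(fields[6]), fields[7].rstrip(".")))
    return records

def _weighted_pick(pool, rng):
    """RFC 2782 selection: draw in [0, sum(weights)] and take the first record whose
    running weight reaches the draw, so a higher weight attracts more clients."""
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    draw, running = rng.randint(0, total), 0
    for r in pool:
        running += r.weight
        if running >= draw:
            return r
    return pool[-1]

def order_targets(records, rng=None):
    """Return (host, port) pairs in the order a client should try them:
    lowest priority value first, weighted random order within one priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            chosen = _weighted_pick(pool, rng)
            pool.remove(chosen)
            ordered.append((chosen.target, chosen.port))
    return ordered
```

The client then resolves the first hostname in the list to an IP address and opens its LDAP (or Kerberos) session there, falling back to the next entry if that DC does not answer.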
Domain authority
• Active Directory replicates its administration information across domain controllers throughout the "forest" using a "multi-master" approach.
• Multi-master replication among peer domain controllers is impractical for some types of changes, so only one domain controller, called the operations master, accepts requests for such changes.
Authentication
• Each domain controller has information for the entire forest to support authentication and access control.
• This allows local domain controllers (the "tree") to provide a quick local lookup of authority.
• Not just users but every object authenticating to Active Directory must reference the global catalog server, including every computer that boots up.
What is a Domain Controller?
• Stores a physical copy of the Active Directory database
  - Currently a single Domain per DC supported!
  - ESE95 database (MS Exchange)
• Logon services
  - Kerberos
  - LAN Manager authentication
• It's always recommended to have at least 2 Domain Controllers!
Multi-Master Replication
• Updates can be applied to ANY Domain Controller
• Will be replicated to each other Domain Controller (inside that Domain) within 15 minutes
• Optimized algorithm reduces replication traffic
• Not time based (triggered on demand only)!
Intra-Site Replication
• All Domain databases involved
• Changes are transmitted compressed
• Via IP (RPC) or SMTP
  - SMTP not within a single domain!
• The time at which replication occurs can be configured
• Volume of replication traffic cannot be restricted!
• Keep an eye on GCs!
Active Directory Security
• Improved authentication
• Permissions applied via ACLs
  - To objects as a whole
  - To specific attributes
• Fine-tuning of access permissions possible
• Tool support to visualize security settings currently weak (try Visio!)
Benefits of Active Directory
• Time savings
• Repository of information
• Increased security
Active Directory Problem Spots
• DNS dependency
• No "Merge-Tree"
• No partitioning (only a single Domain per Domain Controller)
• Limited tool support
• Forest-global Schema
• Schema modifications cannot be undone
What are Directory-Enabled Applications?
• Applications directly using and accessing the Active Directory
  - e.g. Exchange 2000
  - Many more expected!
• Typically extend the Schema
• May dramatically change the usage pattern for Active Directory resources
  - Replication traffic (new objects, attributes)
  - AD queries (GCs!)