
Directory services






Presentation Transcript


  1. Directory services Unit objectives • Describe Windows networking concepts • Discuss planning of a directory services “implementation” • Describe and install Microsoft’s Active Directory • Discuss what’s new in Active Directory in Windows Server 2003 • Discuss the Windows NT domain model • Explain the design and purpose of Novell Directory Services / eDirectory

  2. Topic A • Windows networking concepts • Directory services planning and implementation • Introduction to Active Directory • New Active Directory features in Windows Server 2003 • Windows NT domains • Novell Directory Services/eDirectory

  3. Workgroups • Logical group of computers • Decentralized security and administration (every PC for itself!) • In a workgroup, every computer holds its own security database • Security Accounts Manager (SAM) database • This way, each computer does its own authentication (i.e., ensures that the person logging in has the correct credentials). • Simple (sort of) • Doesn’t require a server

  4. Workgroups • Problems with Workgroups: • The maximum effective size for a workgroup is 10 or so computers • With more than 10 you will have problems sharing resources, keeping track of security information and so on. • In order to access resources on another computer you must first log on to that PC. • This means that you have to have a username and password for every PC • A server in a workgroup does its normal jobs of sharing files, sending email, etc. • Such a server is called a standalone server.

  5. Workgroup security model

  6. Domains • Logical groups of computers • Use centralized authentication and administration • The device in the domain responsible for this is the “domain controller”, or DC

  7. Domain security model

  8. Member servers • Not domain controllers, but they run the server software, not the client. • Used for a variety of functions • File servers • Print servers • Application servers • DNS and DHCP servers • A member server can back up the DC • it can be promoted to DC if the DC goes down • and a DC can be demoted to member server • But security functions are unique to the DC

  9. Recap • Two different security models used in Windows environments • Workgroup • Domain • Three roles for a Windows Server 2003 system in a network • Standalone server • Member server • Domain controller

  10. Domain controllers • Store a copy of the Active Directory database • Service user authentication requests • Service queries about domain objects • The AD database is stored on network DCs • Changes made to any Active Directory will be replicated across all domain controllers • Called multimaster replication • Provides fault tolerance for domain controller failure • Uses Domain Name Service (DNS) conventions for network resources • i.e., this is how devices in the domain are recognized

  11. Activity A-1 - page 16-6 Discussing Windows security models

  12. Topic B • Windows networking concepts • Directory services planning and implementation • Introduction to Active Directory • New Active Directory features in Windows Server 2003 • Windows NT domains • Novell Directory Services/eDirectory

  13. Directory service (DS) • Network service that allows users or computers to look up information • location of files, • printers, • email addresses, • security information such as passwords, • rights and permissions, etc. • Microsoft’s directory service is called Active Directory (AD)

  14. Planning and Maintaining Infrastructure & Group policy • Planning your AD is emphasized • Consider bandwidth, location, resources, etc. • Security issues include password issues such as length, complexity and use time. • Group policy is used to manage servers, workstations, and user environments • Used to deploy applications to computers or users • Used to implement security policies like encrypting all client/server communication

  15. Activity B-1 - page 16-9 Planning and implementing directory services

  16. Topic C • Windows networking concepts • Directory services planning and implementation • Introduction to Active Directory • New Active Directory features in Windows Server 2003 • Windows NT domains • Novell Directory Services/eDirectory

  17. AD Features and Services • Provides the following services • Central point for storing & managing network objects • Central point for administering objects and resources • Logon and authentication services • Delegation of administration (to member servers) • Stored on domain controllers (plural) in the network • Changes made to any Active Directory will be replicated across all domain controllers • Multimaster replication • Fault tolerance for domain controller failure • Uses Domain Name Service (DNS) conventions for network resources (i.e., objects are arranged in a hierarchy)

  18. Active Directory Objects • Represent network resources such as users, groups, computers, and printers • Objects have attributes depending on object type • Objects are searchable by attributes

  19. Creating a new user object

  20. Viewing user object properties

  21. Active Directory schema • Consists of two main definitions • Object classes • Attributes • Attributes and object classes have a many-to-many relationship • The Schema defines all objects • It defines the attributes available for objects • The Schema defines the set of objects for the entire Active Directory structure • Only one schema for a given Active Directory, replicated across domain controllers

  22. Schema • Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes • Unique object name • Globally unique identifier (GUID) associated with each object name • Required attributes • Optional attributes • Syntax of how attributes are defined • Pointers to parent entities

  23. Schema Sample schema information for user accounts

  24. GUID: A server-based Aside … • Short for Globally Unique Identifier, a unique 128-bit number that is produced by the Windows OS or by some Windows application to identify a particular component, application, file, database entry or user. • For instance, a Web site may generate a GUID and assign it to a user's browser to record and track the session. • A GUID is also used in the Windows Registry to identify COM DLLs. • Knowing where to look in the registry and having the correct GUID yields a lot of information about a COM object (i.e., information in the type library, its physical location, etc.).

  25. GUID: A server-based Aside • Windows also identifies user accounts by a username (computer/domain and username) and assigns it a GUID. • Some database administrators will even use GUIDs as primary key values in databases. • GUIDs can be created in a number of ways, but usually they are a combination of a few unique settings based on a specific point in time (e.g., an IP or MAC address, clock date/time, etc.).
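As an added example (not code from the original slides), the Python below composes and decodes a version-1, time-plus-node GUID with the standard uuid module, which implements the RFC 4122 layout the slide describes; the timestamp, clock sequence and MAC-style node value are constructed. It shows that such a GUID reveals when and on which network adapter it was generated, so it is an identifier rather than a secret and should not double as a session token.

```python
# Added example, not from the original slides: build and decode a version-1
# (time + node) GUID with Python's uuid module, which implements the RFC 4122
# layout. All sample values below are constructed for illustration.
from __future__ import annotations
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 timestamps count 100 ns intervals since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def make_v1(iso_when: str, clock_seq: int, node: int) -> str:
    """Compose a version-1 GUID from a UTC ISO-8601 time, a 14-bit clock
    sequence and a 48-bit node (normally the NIC's MAC address)."""
    delta = datetime.fromisoformat(iso_when) - GREGORIAN_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    fields = (
        ticks & 0xFFFFFFFF,                    # time_low
        (ticks >> 32) & 0xFFFF,                # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),  # time_hi with version nibble = 1
        0x80 | ((clock_seq >> 8) & 0x3F),      # clock_seq_hi with RFC 4122 variant
        clock_seq & 0xFF,                      # clock_seq_low
        node & 0xFFFFFFFFFFFF,                 # node
    )
    return str(uuid.UUID(fields=fields))


def decode_v1(guid: str) -> dict | None:
    """Recover generation time, clock sequence and node from a version-1 GUID.
    Returns None for other versions (e.g. random version-4 GUIDs)."""
    u = uuid.UUID(guid)
    if u.version != 1:
        return None
    when = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    node = u.node
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    # RFC 4122 sets the multicast bit of the node when it is random, not a MAC.
    kind = "random" if (node >> 40) & 0x01 else "mac"
    return {"when": when.isoformat(), "clock_seq": u.clock_seq, "node": mac, "node_kind": kind}


if __name__ == "__main__":
    g = make_v1("2003-04-24T12:00:00+00:00", 0x1234, 0x001122334455)
    print(g, decode_v1(g))
```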

  26. Activity C-1 - page 16-13 Discussing Active Directory

  27. AD structure and components • Active Directory comprises components that: • Enable design and administration of a network structure • Logical • Hierarchical • Components include: • Domains and organizational units • Trees and forests • A global catalog

  28. AD Domain and OU structure

  29. Trees and Forests • Sometimes necessary to create multiple domains within an organization • The first Active Directory domain is the forest root domain • A tree is a hierarchical collection of domains that share a contiguous DNS naming structure • A forest is a collection of trees that do not share a contiguous DNS naming structure • Transitive trust relationships exist among domains in trees and, optionally, in and across forests

  30. Domains & Organizational Units • Domain • Has a unique name • Is organized in hierarchical levels • Has an Active Directory replicated across its domain controllers • Organizational unit (OU) • A logical container used to organize domain objects • Makes it easy to locate and manage objects • Allows you to apply Group Policy settings • Allows delegation of administrative control

  31. An Active Directory tree There is a “contiguous DNS naming structure” here; i.e., all of the OUs in the tree on the right follow the same naming scheme – they all end with “Dovercorp.net”

  32. An Active Directory forest There is no “contiguous DNS naming structure” here; i.e., the tree on the right follows a different naming scheme.

  33. AD naming standards: Namespaces • Contiguous namespace: • A namespace in which every child object contains the name of its parent object - Tree • Disjointed namespace: • A namespace in which the child object name does not resemble the name of its parent object - Forest

  34. Multimaster Replication • Multimaster replication: In Windows 2003 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. • Because each DC acts as a master, its replication doesn’t stop when one is down. • Each DC is a master in its own right.

  35. Global Catalog • An index and partial replica of the most frequently used objects and attributes of an Active Directory • Replicated to any server in a forest configured to be a “global catalog server” • Contains all information from the root and partial information for all other domains • Allows authentication using the User Principal Name (JSmith@pbcc.edu)

  36. Global Catalog (continued) • Four main functions • Enable users to find Active Directory information • Provide universal group membership information • Supply authentication services when a user logs on from another domain • Respond to directory lookup requests from Exchange 2000 and other applications

  37. An Active Directory Forest

  38. Activity C-2 - Page 16-18,19 Discussing components of Active Directory

  39. Activity C-3 - page 16-20, 21 Installing Active Directory

  40. Active Directory naming standards • Active Directory uses the DNS naming standard for • hostname resolution • providing information on the location of network services and resources • Lightweight Directory Access Protocol (LDAP) is used to query or update the Active Directory database • Distinguished name • Relative distinguished name

  41. AD Communications Standards • The Lightweight Directory Access Protocol (LDAP) is used to query or update an Active Directory database directly • LDAP follows convention using naming paths with two components • Distinguished name: the unique name of an object in Active Directory • Relative distinguished name: the portion of a distinguished name that is unique within the context of its container

  42. LDAP Naming Paths • Common name (CN): • The most basic name of an object in the Active Directory, such as the name of a printer • Distinguished name (DN): • A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name. • CN=JSmith, OU=Accounting, DC=pbcc, DC=edu • Relative distinguished name (RDN): • An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user (CN=JSmith)
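As an added example (not code from the original slides), the Python below parses a distinguished name such as the CN=JSmith,OU=Accounting,DC=pbcc,DC=edu path above into its RDN and its container, derives the DNS domain from the DC components, and applies the contiguous-namespace rule from slide 33 to decide whether a domain name belongs to a tree or starts a separate tree in the forest. The sample DNs and domain names are constructed, and a value containing an escaped comma (the RFC 4514 string form) is handled.

```python
# Added example, not from the original slides: parse Active Directory
# distinguished names (RFC 4514 string form) into RDNs and derive the
# DNS domain name from the DC components. The DNs below are constructed.


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; 'CN=Smith\\, John' stays one RDN."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:              # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":          # unescaped comma separates RDNs
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def rdn(dn: str) -> str:
    """Relative distinguished name: the leftmost component, e.g. 'CN=JSmith'."""
    return split_rdns(dn)[0]


def parent_dn(dn: str) -> str:
    """The container holding the object: every component after the RDN."""
    return ",".join(split_rdns(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC= components into the domain's DNS name, e.g. 'pbcc.edu'."""
    labels = []
    for part in split_rdns(dn):
        attr, _, value = part.partition("=")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    return ".".join(labels)


def same_tree(root: str, domain: str) -> bool:
    """Contiguous-namespace test: a domain is in the root's tree when its name
    is the root or ends with '.' + root; a disjoint name starts another tree."""
    root, domain = root.lower().rstrip("."), domain.lower().rstrip(".")
    return domain == root or domain.endswith("." + root)
```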

  43. AD Physical Structure • Physical structure distinct from logical structure • Physical structure relates to the actual connectivity of the physical network • The logical structure is used to organize network resources • Important to consider the effect of Active Directory traffic and authentication requests on physical resources • A site is a combination of Internet Protocol (IP) subnets connected by a high-speed link • A site link is a configurable object that represents a connection between sites

  44. Site structure for Dovercorp.net

  45. Activity C-4 - page 16-24 Discussing Active Directory naming standards and physical structure

  46. Topic D • Windows networking concepts • Directory services planning and implementation • Introduction to Active Directory • New Active Directory features in Windows Server 2003 • Windows NT domains • Novell Directory Services/eDirectory

  47. New Active Directory features • Renaming domains • in case you misnamed a domain, • to comply with new company policy • The company is sold, buys another company or merges • Improved migration tools • E.g., from earlier versions, such as from NT to 2000 or from 2000 to 2003. • Makes deployment easier • One feature of the “AD Migration Tool” (ADMT) is aimed specifically at allowing passwords to be migrated between different OS versions. • New management features • Multi-object selection • Better drag-and-drop capabilities • Improvements in Group Policy

  48. Activity D-1 - page 16-27 Discussing deployment and management

  49. Activity D-2 - page 16-28 Discussing performance and dependability

  50. Topic E • Windows networking concepts • Directory services planning and implementation • Introduction to Active Directory • New Active Directory features in Windows Server 2003 • Windows NT domains • Novell Directory Services/eDirectory
