ACTIVE DIRECTORY II
Basics of Active Directory in Windows Server 2003 • Active Directory partitions • Logical structures • “Physical” structures • Functional levels
Schema • Logical partition in Active Directory database • “Template” for Active Directory database • Forms the database structures in which data is stored • Object classes • Attributes • Extensible • Dynamic • Protected by ACLs (Access Control Lists): DACLs and SACLs (Discretionary ACLs and System ACLs) • One schema per Active Directory forest
Schema (diagram) • Dynamically available, updateable, and protected by DACLs • ObjectClass examples: Users, Computers, Servers • Attribute examples: accountExpires, badPasswordTime, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, mail, name, … • Attributes of Users might contain: accountExpires, badPasswordTime, mail, name
Configuration • Logical partition in Active Directory database • “Map” of Active Directory implementation • Contains information used for replication, logon, searches • Domains • Trust relationships • Sites & site links • Subnets • Domain controller locations
Domains (diagram: Windows 2000/WS03 domain replication, with objects User1 and User2 replicated between the domain controllers of one domain) • Logical partition in Active Directory database • Collections of users, computers, groups, etc. • Units of replication • Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain • Domain controllers do not replicate domain partition information for other domains
Directory Partitions • Schema: contains definitions and rules for creating and manipulating all objects and attributes; forest-wide replication (every DC in forest has a replica) • Configuration: contains information about Active Directory structure; forest-wide replication • Domain (e.g. Zoom.com): contains information about all domain-specific objects created in Active Directory; domain-wide replication • Application (e.g. ForestDNSZone, DomainDNSZone): contains application data; configurable replication • All partitions together comprise the Active Directory database
Tree • One or more domains that share a contiguous DNS namespace, e.g. • ZOOM.COM • MCSE.ZOOM.COM • CCNA.ZOOM.COM
Forest • One or more domains that share: • Common schema • Common configuration • Automatic transitive trust relationships • Common global catalog • Forest can contain from as few as one domain to many domains and/or many trees • First domain created is the forest root; this cannot be changed without rebuilding the entire forest
Trust Relationships • Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains • Some trusts are automatically created • Parent-child domains trust each other • Tree root domains trust forest root domain • Other trusts are manually created • Forest-to-forest transitive trust relationships can be created (Windows Server 2003 forests only)
Trust Relationships in Windows Server 2003 • Default: two-way, transitive Kerberos trusts (intraforest) • Shortcut: one- or two-way, transitive Kerberos trusts (intraforest); reduce authentication requests • Forest: one- or two-way, transitive Kerberos trusts (WS2003 forests only; Windows 2000 does not support forest trusts); only between forest roots; creates transitive domain relationships • External: one-way, non-transitive NTLM trusts; used to connect to/from Windows NT or external 2000 domains; manually created • Realm: one- or two-way, non-transitive Kerberos trusts; connect to/from UNIX MIT Kerberos realms
Domain Trees and Forests (diagram): one forest containing two trees, rooted at contoso.msft (forest/tree root) and nwtraders.msft (tree root), with child domains japan.contoso.msft, china.nwtraders.msft and japan.nwtraders.msft, all linked by two-way transitive trusts; a second forest rooted at tailspintoys.msft (forest/tree root); and a Windows NT domain linked by an external one-way non-transitive trust
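The trust rules on the preceding slides (contiguous namespace defines trees, automatic two-way transitive trusts inside a forest, non-transitive external trusts, forest trusts only between forest roots) can be checked mechanically. The following model is an added example, not part of the original slides: it derives the automatic trusts from the DNS names, then answers whether an account from one domain can be authenticated in another and over which chain of trusts. The domain names come from the diagram; "fabrikam.example" and "NTDOM" are constructed, and the direction and transitivity rules are the slides' own.

```python
from collections import deque

# Trust kinds from the slides. "intraforest" covers the automatic parent-child
# and tree-root trusts plus shortcut trusts; "forest" is the WS2003 forest
# trust; "external" is the one-way non-transitive NTLM trust.
TRANSITIVE = {"intraforest": True, "forest": True, "external": False}


def parent_domain(dns_name, forest_domains):
    """Closest DNS parent of dns_name that is itself in the forest, or None.
    A contiguous namespace makes mcse.zoom.com a child of zoom.com."""
    labels = dns_name.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in forest_domains:
            return candidate
    return None


def tree_roots(forest_domains):
    """Domains with no parent inside the forest head their own tree."""
    return sorted(d for d in forest_domains if parent_domain(d, forest_domains) is None)


class TrustGraph:
    def __init__(self):
        # edges[trusting] = [(trusted, kind), ...]: the trusting domain accepts
        # security principals authenticated by the trusted domain.
        self.edges = {}

    def add_trust(self, trusting, trusted, kind, two_way=False):
        self.edges.setdefault(trusting, []).append((trusted, kind))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, kind))

    def add_forest(self, root, domains):
        """Automatic two-way transitive trusts: parent<->child, tree root<->forest root."""
        members = set(domains) | {root}
        for d in members:
            if d == root:
                continue
            parent = parent_domain(d, members)
            if parent is None:
                self.add_trust(d, root, "intraforest", two_way=True)
            else:
                self.add_trust(parent, d, "intraforest", two_way=True)

    def auth_path(self, account_domain, resource_domain):
        """Domains along which a principal from account_domain can be authenticated
        in resource_domain, or None. A direct trust of any kind suffices; a longer
        chain may only use transitive trusts, and a forest trust may appear at most
        once in it (a forest trust does not extend to a third forest)."""
        if account_domain == resource_domain:
            return [account_domain]
        for trusted, _kind in self.edges.get(resource_domain, []):
            if trusted == account_domain:
                return [account_domain, resource_domain]
        start = (resource_domain, 0)          # (domain, forest trusts used so far)
        prev = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            cur, forest_hops = state
            for trusted, kind in self.edges.get(cur, []):
                if not TRANSITIVE[kind]:
                    continue
                hops = forest_hops + (1 if kind == "forest" else 0)
                if hops > 1:
                    continue
                nxt = (trusted, hops)
                if nxt in prev:
                    continue
                prev[nxt] = state
                if trusted == account_domain:
                    path, s = [], nxt
                    while s is not None:       # walk back: account domain ... resource domain
                        path.append(s[0])
                        s = prev[s]
                    return path
                queue.append(nxt)
        return None


# Constructed layout using the diagram's names plus a made-up third forest and NT domain.
FOREST_A = ["nwtraders.msft", "japan.contoso.msft", "china.nwtraders.msft", "japan.nwtraders.msft"]
trusts = TrustGraph()
trusts.add_forest("contoso.msft", FOREST_A)
trusts.add_forest("tailspintoys.msft", [])
trusts.add_forest("fabrikam.example", [])                          # constructed third forest
trusts.add_trust("contoso.msft", "tailspintoys.msft", "forest", two_way=True)
trusts.add_trust("tailspintoys.msft", "fabrikam.example", "forest", two_way=True)
trusts.add_trust("contoso.msft", "NTDOM", "external")              # constructed NT4 domain, one-way
```

Reading the results as a defender: NTDOM accounts are accepted in contoso.msft only, never in its child domains, and contoso.msft accounts are never accepted in NTDOM; a tailspintoys.msft account reaches china.nwtraders.msft through the forest root, but fabrikam.example accounts do not reach contoso.msft because that would chain two forest trusts.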
Forest and Domain Functional Levels • Functional levels determine • Supported domain controller operating system • Active Directory features available • Domain functional levels can be raised independently of one another • Raising forest functional level is performed by Enterprise Admin • Requires all domains to be at Windows 2000 native or WS03 functional levels
Domain Functional Levels (diagram) • Windows 2000 Mixed Mode: NT4, Windows 2000 or WS03 DCs (shown: Windows Server 2003, Windows 2000 and Windows NT 4.0 domain controllers) • Windows 2000 Native Mode: no NT 4 DCs (shown: Windows Server 2003 and Windows 2000 domain controllers)
Domain Functional Levels (diagram, continued) • Windows Server 2003 Interim: no 2000 DCs (shown: Windows Server 2003 and Windows NT 4.0 domain controllers) • Windows Server 2003 level: all WS03 DCs (shown: Windows Server 2003 domain controllers only)
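The functional-level rules on the last three slides reduce to a check over the operating systems of a domain's DCs, plus the forest-wide rule that every domain must be at Windows 2000 native or Windows Server 2003 level before the forest level is raised. The code below is an added example, not from the slides: it computes the highest level each domain can be raised to from a DC inventory and lists the domains that block the forest. The domain names and inventories are constructed.

```python
DC_OS = {"NT4", "2000", "2003"}   # DC operating-system generations on the slides


def highest_domain_level(dc_os_versions):
    """Highest domain functional level permitted by the DCs present in the domain."""
    present = set(dc_os_versions)
    unknown = present - DC_OS
    if unknown:
        raise ValueError(f"unsupported DC OS: {sorted(unknown)}")
    if "2000" not in present and "2003" not in present:
        raise ValueError("an Active Directory domain needs a Windows 2000 or WS03 DC")
    if "NT4" in present and "2000" in present:
        return "Windows 2000 mixed"           # NT4, 2000 or WS03 DCs
    if "2000" in present:
        return "Windows 2000 native"          # no NT4 DCs, Windows 2000 DCs remain
    if "NT4" in present:
        return "Windows Server 2003 interim"  # NT4 and WS03 DCs, no 2000 DCs
    return "Windows Server 2003"              # all WS03 DCs


def forest_raise_blockers(domain_levels):
    """Domains that stop the Enterprise Admin raising the forest level: the slide
    requires every domain to be at Windows 2000 native or WS03 level."""
    allowed = {"Windows 2000 native", "Windows Server 2003"}
    return sorted(d for d, level in domain_levels.items() if level not in allowed)


def plan_forest(domain_dcs):
    """domain_dcs: {domain: [DC OS, ...]} -> (level per domain, blockers, forest can be raised)."""
    levels = {d: highest_domain_level(dcs) for d, dcs in domain_dcs.items()}
    blockers = forest_raise_blockers(levels)
    return levels, blockers, not blockers


# Constructed inventory: one domain still has an NT 4.0 DC and blocks the forest.
EXAMPLE_FOREST = {
    "zoom.com": ["2003", "2003"],
    "mcse.zoom.com": ["2000", "2003"],
    "ccna.zoom.com": ["NT4", "2003"],
}
```

Each domain's level is decided independently of the others, as the slide says; only the forest-level step looks across all of them.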
“Physical” Components of Active Directory (diagram: a domain and a site overlapping) • Sites • Areas of “good” connectivity • Single site may contain many domains • Single domain may span many sites • Domain Controllers • Store replicas of the Active Directory database • Associated with a given site
Sites (diagram: sites Seattle, New York, Chicago and Los Angeles, each associated with IP subnets) • Subnets are defined and associated with sites • Used by domain controllers to determine replication behavior • Used by computers to locate close domain controllers for authentication and searches of the directory
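The subnet-to-site association is what lets a computer find a close domain controller. As an added example (not from the slides), the code below models that lookup: the most specific subnet containing the client address decides its site, the DCs associated with that site are the ones to prefer, and an address that falls outside every defined subnet gets no site at all. Subnets, site names beyond the four on the slide, and DC names are constructed.

```python
import ipaddress

# Constructed subnet -> site map in the spirit of the slide's four sites, plus
# one site (Denver) that has subnets but no domain controller.
SITE_SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.2.0.0/16": "New York",
    "10.2.50.0/24": "Chicago",       # more specific than the New York block
    "10.3.0.0/16": "Los Angeles",
    "10.4.0.0/16": "Denver",
}
# Constructed domain controllers and the site each is associated with.
DC_SITES = {
    "SEA-DC1": "Seattle",
    "NYC-DC1": "New York",
    "NYC-DC2": "New York",
    "CHI-DC1": "Chicago",
    "LAX-DC1": "Los Angeles",
}


def site_for_address(ip, site_subnets=SITE_SUBNETS):
    """Site of the most specific (longest-prefix) subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def close_domain_controllers(ip, dc_sites=DC_SITES, site_subnets=SITE_SUBNETS):
    """DCs a client at ip should prefer: those in its own site. An address outside
    every defined subnet has no site, so it cannot be steered to a close DC."""
    site = site_for_address(ip, site_subnets)
    if site is None:
        return []
    return sorted(dc for dc, s in dc_sites.items() if s == site)


def sites_without_dc(dc_sites=DC_SITES, site_subnets=SITE_SUBNETS):
    """Sites with subnets but no DC: clients there always authenticate across a site link."""
    return sorted(set(site_subnets.values()) - set(dc_sites.values()))
```

The two failure modes worth auditing in a real site topology are exactly the ones the helper functions surface: client subnets that are not associated with any site, and sites that have clients but no domain controller.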
Domain Controllers • Domain controllers replicate common partitions • Every DC in the forest has a replica of schema & configuration partitions • Every DC in a domain has a replica of that domain’s domain partition • DCs may contain replicas of application partitions
Roles of a Domain Controller • Global Catalog Server • Operation Masters • Forest-wide roles: Domain Naming Master, Schema Master • Domain-wide roles: RID Master, PDC Emulator, Infrastructure Master
Global Catalog • Like a telephone book contains limited information about all people and businesses within a city, the global catalog contains limited information about every object in a forest • Within the schema, certain attributes are marked for inclusion in the GC • Searches are commonly performed against these attributes • By searching against the GC, individual domains do not have to be queried in most cases; the GC can resolve the search • Servers that hold a copy of the global catalog are called global catalog servers
Global Catalog Server (partitions held) • Schema: holds full copy of the schema partition for the forest • Configuration: holds full copy of the configuration partition for the forest • Mcse.com (own domain): holds full copy of the domain partition for its own domain • Ccna.com, Solaris.com (other domains): holds read-only copy of all other domain directory partitions (all objects, but only attributes marked for GC inclusion) • Application: contains application data if configured (ForestDNSZone, DomainDNSZone, user-defined application partition(s))
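The partition slides and the global catalog slides together describe which replicas a given DC holds and what a GC server keeps for objects from other domains. The following is an added example, not from the slides, that models those rules: which partitions a DC replicates depending on its domain, its GC role and any application partitions it hosts; which attributes of a foreign-domain object a GC replica contains; and whether a search on a given attribute can be answered by one GC query or needs every domain. The schema subset is constructed; the real schema flag that marks an attribute for GC inclusion is isMemberOfPartialAttributeSet.

```python
# Constructed subset of the schema: attribute -> marked for GC inclusion?
# (In the real schema this is the isMemberOfPartialAttributeSet flag.)
SCHEMA_GC_FLAGS = {
    "name": True,
    "mail": True,
    "telephoneNumber": True,
    "accountExpires": False,
    "badPasswordTime": False,
}

FOREST_DOMAINS = ["mcse.com", "ccna.com", "solaris.com"]   # domain names from the slide


def partitions_on_dc(dc_domain, forest_domains, is_gc, app_partitions=()):
    """Replicas held by one DC, keyed by partition name."""
    replicas = {
        "Schema": "full copy (forest-wide)",
        "Configuration": "full copy (forest-wide)",
        f"Domain:{dc_domain}": "full copy (own domain)",
    }
    if is_gc:
        # A GC server adds read-only partial replicas of every other domain.
        for d in forest_domains:
            if d != dc_domain:
                replicas[f"Domain:{d}"] = "read-only partial copy (GC attributes only)"
    for app in app_partitions:
        replicas[f"Application:{app}"] = "full copy (configurable replication)"
    return replicas


def gc_view(obj, gc_flags=SCHEMA_GC_FLAGS):
    """What a GC server in another domain holds for obj: only flagged attributes.
    Attributes missing from the schema map are treated as not included."""
    return {attr: value for attr, value in obj.items() if gc_flags.get(attr, False)}


def where_to_search(attribute, forest_domains=FOREST_DOMAINS, gc_flags=SCHEMA_GC_FLAGS):
    """A query on a GC-included attribute is answered by one GC query; a query on
    any other attribute must be sent to each domain partition in turn."""
    if gc_flags.get(attribute, False):
        return ["global catalog"]
    return list(forest_domains)


# Constructed user object as stored in its home domain partition.
ALICE = {"name": "alice", "mail": "alice@mcse.com", "badPasswordTime": 0, "accountExpires": 0}
```

A practical consequence of the partial replica: a GC server in ccna.com can answer "who has this mail address" for the whole forest, but it holds nothing about alice's badPasswordTime, so password-related auditing has to go to a DC of her own domain.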
Global Catalog (diagram) • Object attributes marked “Include in GC” in the schema (e.g. Telephone, Email, Name, …) are replicated from every domain to the global catalog servers • Global catalog queries are answered by a global catalog server • Universal group membership is obtained from the global catalog when a user logs on