Active Directory by Jörg Bänder and Steffen Diehl
What is Active Directory?
• AD is a storage for IT master data
• It is a place to:
  • Search for IT master data
  • Manage IT master data decentrally (delegation of administration)
  • Back up IT master data centrally
• Windows 2000 Directory Services = IT master data storage = Active Directory
Windows 2000 Active Directory
What the directory holds (from the slide diagram):
• Windows Clients: management profile, network info, policy
• Windows Servers: management profile, network info, services, printers, file shares, policy
• Windows Users: account info, privileges, profiles, policy
Active Directory is a focal point for:
• Manageability
• Security
• Interoperability
Active Directory provides a focal point for management, security, and interoperability.
How is AD installed?
• Active Directory needs dynamic DNS!
• Use dcpromo to create your first domain controller (DC) and thereby create a domain
• The DC holds a complete read/write copy of the AD for this new domain
• The information is stored in the sysvol folder and in the ntds.dit database file
Types of Servers
• A Windows NT 4.0 server can be a:
  • Primary domain controller (PDC)
  • Backup domain controller (BDC)
  • Member server
• A Windows 2000 Server is either a domain controller or a member server
• Domain controllers (DC) hold a replica of the directory database; member servers do not
• A DC can also be a Global Catalog (GC) server
Logical Structure of AD
Terms:
• Forest (overall structure)
• Tree (structure, domain tree)
• Domain
• Organisational Unit (OU, unit of administration)
Forests = Grouped Domains
• Domains with contiguous Domain Name System (DNS) names can be grouped into a domain tree
• The roots of the different trees within a forest have discontiguous namespaces
Example forest from the slide diagram (two trees):
• contoso123.com, with the child domains partner.contoso123.com and asia.contoso123.com
• nwtrader123.com, with the child domain sales.nwtrader123.com
Forests
• A joint set of domain trees that:
  • Share a single schema
  • Share a single configuration (sites, etc.)
  • Share the same Global Catalog
  • Are automatically connected by transitive trusts
  • Are overseen by the Enterprise Admins group
  • Are represented by a Global Catalog
  • Use different namespaces in the trees
Domain Tree
More than one domain sharing the same root namespace
• Hierarchically arranged domains created by parent-child relationships
• Users can search for all information within the domain tree
• Bidirectional Kerberos trust to the parent domain
Trusts
With 10 domains:
• AD: 9 trusts (transitive parent-child trusts, one per child domain)
• NT4: 90 (!) (non-transitive one-way trusts, one per ordered pair of domains)
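The following is an added example, not part of the original slides: it groups domain DNS names into the trees of a forest by namespace contiguity (as on the "Forests = Grouped Domains" slide), derives the parent-child trusts AD creates automatically, and compares the count with the NT4 full mesh from the "Trusts" slide. The five-domain forest is the one drawn on the slide; the ten-domain list in the usage is constructed.

```python
# Added example: derive AD trust topology from DNS names and count trusts.
from collections import defaultdict

# Sample forest taken from the "Forests = Grouped Domains" slide (two trees).
FOREST = [
    "contoso123.com",
    "nwtrader123.com",
    "partner.contoso123.com",
    "asia.contoso123.com",
    "sales.nwtrader123.com",
]

def parent_of(domain, domains):
    """Return the closest DNS ancestor of `domain` that is itself a domain in the
    forest, or None when `domain` is the root of a tree."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def build_forest(domains):
    """Map each tree root to the (parent, child) trust edges inside its tree."""
    domains = set(domains)
    parents = {d: parent_of(d, domains) for d in domains}

    def root(d):
        while parents[d] is not None:
            d = parents[d]
        return d

    trees = defaultdict(list)
    for d in sorted(domains):
        if parents[d] is None:
            trees.setdefault(d, [])          # tree root: no parent trust
        else:
            trees[root(d)].append((parents[d], d))
    return dict(trees)

def ad_trust_count(domains):
    """AD: one transitive parent-child trust per non-root domain, plus one
    tree-root trust linking each additional tree to the forest root."""
    trees = build_forest(domains)
    return sum(len(edges) for edges in trees.values()) + (len(trees) - 1)

def nt4_trust_count(domains):
    """NT4: trusts are one-way and non-transitive, so every ordered pair of
    domains needs its own trust: n * (n - 1)."""
    n = len(set(domains))
    return n * (n - 1)
```

For the slide's five-domain forest this yields 4 AD trusts versus 20 NT4 trusts; for any ten-domain forest it yields the slide's 9 versus 90.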
AD Domain
• Next hierarchical level below forest / domain tree
• Provides a replication boundary
• Is a unit of partitioning
• Is a unit of authentication
• Is a unit of domain account policy
• Is overseen by the Domain Admins group
• Is a security boundary in the Active Directory
• OU properties are inherited within a domain only, not across domains
AD OU
• Lowest form of grouping in the Active Directory
• An Organisational Unit is graphically represented by a circle in the diagrams
• Group Policy can be applied to the OU
• Can be nested up to x levels deep
• Performance considerations apply when using Group Policy Objects (GPOs)
Existence of OUs
• Only two justifications for an OU to exist (best practice):
  • Delegation of administration
  • Use of policies on the contained objects
The Schema
• Defines the objects that are allowed within the Active Directory
• Each object class has attributes that are also defined
• The schema is extensible
• Changes to the schema are permanent
• The Schema Master flexible single master operation (FSMO) role replicates changes throughout the enterprise
Example object classes and attributes from the domain schema, as drawn on the slide:
• User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires
• Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size
The Global Catalog
Contains a partial replica of the information contained within each of the domains
• Allows fast searching of the key information in the Active Directory without querying all of the domains
• Enables objects to be located throughout the forest
• Reduces replication overhead
• Every DC can be made a GC
• Administrators define which attributes are included
• Replication occurs along with domain controller replication
Global Catalog in a Domain Tree
The GC in each domain has a pointer to its own domain information (which is complete). It also holds partial information from all of the other domains in the tree (or forest).
AD Best Practice
• Create an empty root domain which holds the Enterprise Admin accounts and the Schema Master FSMO role
  • This domain should remain empty!
• Keep only three things in mind when designing an OU structure:
  • Delegation of administration (DoA)
  • Policy usage
  • Do not model the business structure
• Sites reflect high network connectivity (LANs)
• And the most important: keep it simple!!
Finito! Thank you for your attention. Questions?