Active Directory: Final Solution to Enterprise System Integration Author: Liming Liao Date: 2/23/2001
What is Directory Services It is the central authority that manages the identities and brokers the relationships between the distributed resources, enabling them to work together. Examples: Yellow Pages, Shopping List It is composed of objects like people, printers, servers, etc.
Functions of Directory Service A place to store information about network-based entities. A consistent way to name, describe, locate, access, manage, and secure information about these individual resources.
Why Directory Service is needed local area networks (LANs) and wide area networks (WANs) grow larger and more complex. networks are connected to the Internet. applications require more from the network and are linked to other systems through corporate intranets.
Life without a Central Directory Service
Life without a Central Directory Service
Disadvantages of life without a Central Directory Service Data duplicates prone to user errors same data for one object has to be input several times enterprise-widely Update information for a single object may require changes to be made to numerous places Multiple logins for a single user trying to access different databases or networks Each database in the enterprise requires a separate login name and password Each network in the enterprise requires a separate login name and password
With Centralized Directory Services
With Centralized Directory Services
Advantages of Directory Services Entry and management of personal data, such as name, phone number and supervisor, is centralized These information is entered and stored in one place. If some of the information is entered wrongly or needs to be changed, it is easy to fix No pain for duplicate inputs and updates
Advantages of Directory Services Information on user ID and password locations for computer systems is centralized Instead of having user IDS and passwords scattered over several systems, they are managed form the central directory service Security is improved because there are much less userIDs and passwords Management of users’ userIDs is much easier for system admins
Advantages of Directory Services The procedure for determining the status and role of an individual in the organization is standardized In a large organization, there will be a number of people that will come and go. It is important to determine the exact status or relationship to the company they represent
Advantages of Directory Services Lookup of names, addresses, phone numbers and other “white pages” information is standardized Lookup of network resources like printers, servers, certificates and other “ yellow pages” information is standardized Centralizing the management of the system will increase reliability and make it easier to keep it up to date
Open Directory Service Solutions- Vendor-specific Directory Service Solution and Open Standards Directory Service Solutions Directory Services- Sun Microsystems NIS+ (Network Information Service Plus) Novell’s NDC (NetWare Directory Service) Microsoft’s Active Directory Open Directory Service Solutions- An Open Solution: X.500 An Open Gateway Service LDAP - the Lightweighted Directory Access Protocal
Microsoft Active Directory Active Directory is the first enterprise-class directory service that is scaleable, built from the ground up using Internet-standard technologies, and fully integrated with the operating system.
Characteristics of Active Directory Hierarchical Organization It uses objects to represent network resources. It uses containers to represent organizations. It organizes information in a tree structure made up of these objects and containers. Object-oriented Storage Different objects can be assigned different attributes. Administrators can assign access privileges to objects Multi-Master Replication Directories can be replicated on different servers and can be maintained locally across the network User can locate resources using the local directory service rather than contact the central domain controller every time as in NT 4.0.
Hierarchical Organization
Object-oriented Storage
Important ADS concepts Workgroup A Windows 2000 workgroup is a logical grouping of networked computers that share resources, such as files and printers, and maintain a local security database, which is a list of user accounts and resource security information for the computer it is on. Domain A Windows 2000 domain is a logical grouping of networked computers that share a central directory database, which contains user accounts and security information for the domain.
Important ADS concepts Domain Tree and Forest A domain tree refers to a hierarchical grouping of domains that share a contiguous namespace, a common schema, and a common global catalog. A domain forest is a collection of two or more domain trees that do not share a contiguous namespace, but do share common schema and global catalog. Namespace A collection of unique domain names.
Important ADS concepts Object and Organizational unit An object is a representation of a network resource, including users, computers, printers, and so forth. Organizational unit is an object that can hold other objects. Multimaster replication The process by which Active Directory domains replicate with each other and resolve conflicting updates. Lightweight Directory Access Protocol (LDAP) An Internet standard by which Active Directory clients and servers communicate.
Benefits of Active Directory Service Simplifies management- Administrators have a single point of management for user accounts, clients, servers and applications Administrators can delegate specific administrative privileges and tasks to individual users and groups to make better use of system administration resources Strengthens security It supports a number of authentication mechanisms used to prove identity upon logon to Windows 2000 It support a fully integrated public key infrastructure and Internet secure protocols to let organizations securely extend selected directory information beyond their firewall to Extranet users and e-commerce customers
Benefits of Active Directory Service Extends interoperatbility Expose all of the Windows 2000 directory features through standards-based interfaces. It provides a development platform for directory-enabled applications. More efficient usage of resources Centralized security control and shared logon information saves the trouble of creating security-admin functions of each specific system Users are exempted of the headache of maintaining multiple security information within a single domain
How to implement ADS LDAP ??? Multi-Platform (Unix, Windows NT, OS2 and IBM mainframes) Multi-Vendor support (Microsoft, Netscape, Sun and Novell) Common standard Centralizes the entry and management of personal data like name, phone number, and supervisor Centralizes the location of user ID and passwords for computer systems Provides the Simple Authentication and Security Layer(SASL) providers, and the Secure Socket Layer(SSL) Protocol Centralizes the procedure for determining the status and role of an individual in the organization Centralizes the lookup of names, addresses, phone numbers and other ‘white page’ information
Summary Directory Services are essential to daily life in a networked world Personal information that is needed for the running of any organization is being kept in many separate systems Centralized directory services can improve productivity and increase security while reducing management overhead