Introduction to Active Directory CIT 237
Active Directory Objects
- An object is a set of attributes that represents a network resource
- Object: Computers
  Attributes: computer 1, computer 2, computer 3, etc.
- Object: Users
  Attributes: first name, last name, logon name, etc.
Active Directory Schema
- Defines the objects that can be stored in Active Directory (see schema administration in Active Directory Users and Computers)
- Types of schema objects (metadata):
  - Schema class objects: templates for creating new objects (e.g. computer, group, user, etc.)
  - Schema attribute objects: define or describe the schema class object with which they are associated, even though one attribute may be used in many schema classes
Active Directory Components
- Domains
- Organizational Units (OUs)
- Trees
- Forests
DOMAINS, TREES, AND A FOREST
[Figure: one forest containing two domain trees; contoso.com (forest root and tree root) with child domains west and east and an OU; tailspintoys.com (tree root)]
Speaker notes:
- Describe the following: this is a single forest with multiple domain trees, contoso.com and tailspintoys.com. Contoso.com is the forest root and tree root. Tailspintoys.com is a tree root. They have a disjointed namespace.
- Briefly mention automatic two-way transitive trusts (Kerberos).
- Point out the parent/child relationships. Mention that even the child domains could have child domains. For example, west.contoso.com could have a child domain named region1.west.contoso.com.
- OUs are also depicted in the graphic, just to illustrate that they are created within individual domains. OUs can have their own hierarchy.
- Figures 1-5, 1-6, and 1-7 in the textbook also illustrate domains, trees, and forests.
- Use ADSIEdit.msc to illustrate the data structure divisions between the Domain NC (domain objects), Configuration Container (forest-wide), and Schema (forest-wide). Mention that there is a global catalog that is also replicated forest-wide, but it is not considered one of the partitions.
Domains
- Core unit of logical structure
- Stores millions of objects
- A security boundary
  - Access to objects is governed by access control lists (ACLs), which contain permissions for each object (files, folders, shares, printers, etc.). Those permissions control which users can gain access to an object and what type of access they can gain.
  - ACL rights are not transferable from one domain to another
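The ACL point above can be checked directly from PowerShell. The following is an added example, not part of the course slides: it reads the ACL of one directory object through the AD: drive of the ActiveDirectory module (RSAT) and lists the explicit, non-inherited entries that grant broad control, which are the ones an administrator should be able to account for. The OU distinguished name is a placeholder.

```powershell
# Added example (not from the course slides): inspect the ACL on one directory
# object. Assumes the ActiveDirectory module (RSAT) and read access to the object.
Import-Module ActiveDirectory

$dn  = 'OU=Sales,DC=contoso,DC=com'   # placeholder distinguished name
$acl = Get-Acl -Path "AD:\$dn"

"Owner of $dn : $($acl.Owner)"

# Every Allow entry, inherited or explicit, with the rights it grants
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# Explicit (non-inherited) entries that grant full control of the object or of
# its ACL/owner; each of these should correspond to a documented delegation.
$broad = 'GenericAll', 'WriteDacl', 'WriteOwner'
$acl.Access | Where-Object {
    -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights.ToString() -split ', ') | Where-Object { $broad -contains $_ })
} | Select-Object IdentityReference, ActiveDirectoryRights
```

Because ACL rights do not carry across domains, the same review has to be repeated in each domain of the forest; the AD: drive can be pointed at another domain's naming context only with a separate connection to that domain.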
Domains
- Default functional levels:
  - Windows 2000 Mixed (default for Windows Server 2003)
  - Windows 2000 Native
  - Windows 2000 Interim
  - Windows 2003
Windows 2000 Mixed
- Allows functionality with domain controllers in the same domain running Windows NT 4
- Allows functionality with domain controllers in the same domain running Windows Server 2003
Windows Server 2003
- Allows functionality only with domain controllers in the same domain running Windows Server 2003
- The functional level should be raised according to the type of domain controllers in the domain
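Before raising a functional level, the operating system of every domain controller in the domain has to be known, since the oldest DC caps the level that can be set and the change cannot be undone. This added example (not from the course slides) shows the check with the ActiveDirectory module; the raise itself is shown with -WhatIf so that nothing is changed.

```powershell
# Added example (not from the course slides): report the current domain and
# forest functional levels and every DC's operating system before a raise.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0}: functional level {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode

# The lowest DC operating system in the domain determines how far the
# domain level can be raised; sort so the oldest appears first.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, IsGlobalCatalog |
    Sort-Object OperatingSystem |
    Format-Table -AutoSize

# Raising is one-way. Set-ADDomainMode / Set-ADForestMode perform it;
# -WhatIf reports what would happen without modifying the directory.
Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain -WhatIf
```

The cmdlet reports the level with enumeration names such as Windows2003Domain rather than the slide's "Windows 2003" wording; the meaning is the same.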
Organizational Units (OUs)
- Organize objects within a domain into logical administrative groups
- Nesting occurs when an OU is added within another OU (like a subdirectory); this creates a hierarchical structure
Trees
- A group or hierarchy of domains created by adding a child domain to a parent
Forests
- A group or hierarchy of independent domain trees
- The forest functional level provides a way to enable forest-wide Active Directory features
Physical Structures
- Physical components of Active Directory:
  - Sites
  - Domain controllers
Sites
- One or more connected IP subnets
- Usually share the same performance boundaries (fast network connections are grouped with each other, slow ones with each other)
- Not listed in Active Directory Users and Computers the way OUs are
- Contain only computer and connection objects
Domain Controllers
- Store a replica of the domain portion of Active Directory
- Service only one domain
- Authenticate users and maintain domain security policy
Replication
- Ensures that changes made on one domain controller are represented on all other domain controllers in the domain
What Information is Replicated
Active Directory is partitioned into four units:
- Schema partition: describes the objects and attributes that can be created in the directory. This data is common to all domains in a forest and is replicated forest-wide.
- Configuration partition: describes the domain structure and replication layout. This data is common to all domains in a forest and is replicated forest-wide.
- Domain partition: describes all domain objects. This data is domain-specific and is not replicated forest-wide, but it is replicated to every domain controller in the domain.
- Application directory partition: stores dynamic application-specific data and can contain any type of object except security principals. Can be set for replication if desired.
Stores and Replicates
- The schema partition stores data for the forest
- The configuration partition stores data for all domains in the forest
- The domain partition stores data, such as directory objects and properties, for its specific domain
Types of Replication
- Intrasite replication: occurs between domain controllers in the same domain, using a ring structure and the knowledge consistency checker (KCC), which runs on all domain controllers to ensure consistency
- Intersite replication: performed by creating site links (network connections)
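The site, site link and replication-partner objects described in the last few slides can be listed from a domain controller. This added example (not from the course slides) uses the replication cmdlets of the ActiveDirectory module, which are newer than the Windows Server 2003 era the slides describe, and falls back to repadmin, which is available on any domain controller.

```powershell
# Added example (not from the course slides): show the physical structure
# (sites, subnets, site links) and this DC's replication partners and the
# result of their last sync. Assumes the ActiveDirectory module and that the
# script runs on, or can reach, a domain controller.
Import-Module ActiveDirectory

"Sites:"
Get-ADReplicationSite -Filter * | Select-Object Name | Format-Table -AutoSize

"Subnets and the site each belongs to:"
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

"Site links (intersite replication paths):"
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize

# Inbound and outbound partners of this DC per partition, with the time of the
# last successful replication and the last result code (0 = success). A
# partner that has not succeeded recently is where an inconsistency will show.
"Replication partners of $env:COMPUTERNAME:"
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both |
    Select-Object Server, Partition, Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# Equivalent view with the classic command-line tool
repadmin /showrepl
repadmin /replsummary
```

The partner list is grouped by partition, which makes the earlier slide concrete: the schema and configuration partitions have partners in every domain of the forest, while the domain partition's partners are only the DCs of the same domain.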
Trust Relationships
- A link between two domains in which the trusting domain honors the logon authentication of the trusted domain, using NT LAN Manager (NTLM) or Kerberos
- Kerberos is the default for Windows Server 2003. If Kerberos is not supported in a trust, NTLM is used
Global Catalog
- A role designation assigned to a domain controller
- By default it is created automatically and assigned to the first (root) domain controller in the forest. However, any domain controller in the forest can be a global catalog; the information is simply replicated to it
- Central repository of information about objects in a tree or forest
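The logical structure, the partitions, the trusts and the global catalog role from the slides above (DOMAINS, TREES, AND A FOREST; What Information is Replicated; Trust Relationships; Global Catalog) can all be read from one script. This is an added example, not from the course slides or the textbook: it uses the .NET System.DirectoryServices.ActiveDirectory classes and the RootDSE entry, so it needs no RSAT module, only a domain-joined host with read access to the directory.

```powershell
# Added example (not from the course slides): walk the forest's logical
# structure, list the naming contexts (partitions), the global catalog servers
# and every trust with its type and direction. Assumes a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest root: $($forest.RootDomain.Name)  (forest mode: $($forest.ForestMode))"

# Trees and parent/child domains: a domain with no parent is a tree root.
"Domains:"
foreach ($d in $forest.Domains) {
    $role = if ($null -eq $d.Parent) { 'tree root' } else { "child of $($d.Parent.Name)" }
    "  $($d.Name)  [$role]  mode=$($d.DomainMode)"
}

# The partitions as LDAP naming contexts, read from RootDSE. The domain NC is
# what ADSIEdit shows as the Domain partition; configuration and schema are
# forest-wide; any further entries in namingContexts are application
# partitions (for example, AD-integrated DNS zones).
$rootDse = [ADSI]'LDAP://RootDSE'
"Domain NC:        $($rootDse.defaultNamingContext)"
"Configuration NC: $($rootDse.configurationNamingContext)"
"Schema NC:        $($rootDse.schemaNamingContext)"
"All naming contexts on this DC:"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# Global catalog is a role held by DCs, not a partition of its own.
"Global catalog servers:"
$forest.GlobalCatalogs | ForEach-Object { "  $($_.Name)  site=$($_.SiteName)" }

# Trusts per domain: parent/child and tree-root trusts are the automatic
# two-way transitive ones; External and Forest trusts were created by hand.
"Trusts:"
foreach ($d in $forest.Domains) {
    foreach ($t in $d.GetAllTrustRelationships()) {
        "  $($t.SourceName) -> $($t.TargetName)  direction=$($t.TrustDirection)  type=$($t.TrustType)"
    }
}
```

On the forest drawn in the slide, the domain list would show contoso.com and tailspintoys.com as tree roots and west.contoso.com and east.contoso.com as children of contoso.com, and the trust list would contain the ParentChild and TreeRoot trusts that Active Directory created automatically between them.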