Nassau Community College

Presentation transcript:

Session 18 Windows 7 Professional DNS, Groups, and Active Directory (Part 3)
Nassau Community College ITE153 – Operating Systems Fall 2011
ITE153 - Operating Systems Management

Session 17 Windows 7 Professional Operating in Microsoft Networks

Overview
- Introduction to Active Directory
- Structure - Objects
- Levels – Forest, Trees, Domains
- Organizational Units
- Physical Topology
- Replication
- Global Catalog
- Trust

Active Directory
- a directory service created by Microsoft for Windows domain networks
- included in most Windows Server operating systems
- Server computers running Active Directory are called domain controllers

Active Directory
- serves as a central location for network administration and security
- responsible for:
  - authenticating and authorizing all users and computers within a domain
  - assigning and enforcing security policies for all computers in a network
  - installing or updating software on network computers

Active Directory
- Uses Lightweight Directory Access Protocol (LDAP), Kerberos, and DNS
- First release: Windows 2000 Server edition
- Revised to extend functionality and improve administration in Windows Server 2003
- In Windows Server 2008, the domain controller role was renamed Active Directory Domain Services

Active Directory Structure
- An Active Directory structure is a hierarchical arrangement of information about objects
- An object is any entity that can be manipulated by the commands of a programming language, such as a value, variable, function, or data structure
- An object has attributes (object elements) and behaviors (methods or subroutines) encapsulating an entity


Active Directory Structure
- AD objects fall into two broad categories:
  - resources (e.g., printers)
  - security principals (user or computer accounts and groups)
- Security principals are assigned unique security identifiers (SIDs)
- A SID is a unique name (an alphanumeric character string) which is assigned by a Windows Domain controller during the log on process that is used to identify a subject

Active Directory Structure
- The object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes.
- Certain objects can contain other objects.
- An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents—defined by a schema, which also determines the kinds of objects that can be stored in the AD
- A Site object in an AD represents a geographic location that hosts networks

Active Directory Structure - Levels
- The logical divisions in an Active Directory are:
  - Forest
  - Tree
  - Domain
- The forest represents the security boundary within which users, computers, groups, and other objects are accessible

Active Directory Structure - Levels
- Objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated).
- Domains are identified by their DNS name structure, the namespace
- A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy
- At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration

Active Directory Structure - OUs
- The objects held within a domain can be grouped into Organizational Units (OUs)
- OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms.
- Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration.
- The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs)

Active Directory Structure - Physical
- Sites in Active Directory represent the physical structure, or topology, of your network
- AD uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology.
- A site is a set of well-connected subnets
- Sites and subnets are represented in AD by site and subnet objects, which you create through Active Directory Sites and Services.
- Each site object is associated with one or more subnet objects

Active Directory Structure - Physical
- In AD, sites map the physical structure of your network, while domains map the logical or administrative structure of your organization
- You can deploy domain controllers for multiple domains within the same site
- You can also deploy domain controllers for the same domain in multiple sites

Active Directory Structure - Physical
- Physically the Active Directory information is held on one or more peer domain controllers (DCs)
- Each DC has a copy of the Active Directory
- Servers joined to Active Directory that are not domain controllers are called Member Servers

Active Directory Structure - Physical
- AD synchronizes changes using multi-master replication
- Multi-master replication is a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group.

Active Directory Structure - Physical
- The Active Directory database is organized in partitions or naming contexts, each holding specific object types and following a specific replication pattern:
  - schema partition defines the objects (such as users) and attributes (such as telephone numbers) that can be created in the AD, and the rules for creating and manipulating them.
  - configuration partition contains information on the physical structure and configuration of the forest (such as the site topology)
  - domain partition holds all objects created in that domain and replicates only to Domain Controllers within its domain

Active Directory Structure - Physical
- Global catalog (GC) servers provide a global listing of all objects in the Forest
- Global Catalog servers replicate to themselves all objects from all domains and hence, provide a global listing of objects in the forest
- By default, AD DS searches are directed to global catalog servers
- The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other DCs to be global catalog servers

Active Directory Structure - Physical
- A domain controller designated as a global catalog server stores the objects from all domains in the forest.
- A global catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest
- The global catalog is built and updated automatically by the AD DS replication system.
- Makes it possible for clients to search AD DS without having to be referred from server to server until a domain controller that has the domain directory partition storing the requested object is found

Active Directory - Replication
- Active Directory replication is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected
- The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic.
- Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle

Active Directory - Trust
- To allow users in one domain to access resources in another, Active Directory uses trusts
- Trusts inside a forest are automatically created when domains are created.
- The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest
- Based on Kerberos Version 5

Active Directory - Trust
- One-way trust - one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
- Two-way trust - two domains allow access to users on both domains.
- Trusting domain - the domain that allows access to users from a trusted domain.
- Trusted domain - the domain that is trusted; whose users have access to the trusting domain.
- Transitive trust - a trust that can extend beyond two domains to other trusted domains in the

Active Directory - Trust
- Intransitive trust - a one-way trust that does not extend beyond two domains.
- Explicit trust - a trust that an admin creates. Not transitive; is one way only
- Cross-link trust - an explicit trust between domains in different trees
- Shortcut - joins two domains in different trees, transitive, 1- or 2-way
- Forest - applies to the entire forest. Transitive, 1- or 2-way
- Realm - Can be transitive or nontransitive, 1- or 2-way
- External - connect to other forests or non-AD domains. Nontransitive, 1- or 2-way
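
The trust direction and transitivity terms from the two trust slides above, worked through as an added example that is not part of the original slides. It lists, for each domain, which other domains' users can reach its resources. The domain names, the function names and the simplified rule (a chain of trusts counts only when every link is transitive) are assumptions made for illustration.

```python
from collections import deque
from typing import NamedTuple

class Trust(NamedTuple):
    trusting: str      # domain that allows access to its resources
    trusted: str       # domain whose users are given that access
    transitive: bool   # may the trust extend beyond these two domains?

def two_way(a, b, transitive=True):
    """A two-way trust is a pair of one-way trusts, one in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]

def domains_with_access(resource_domain, trusts):
    """Domains whose users can reach resources in resource_domain.

    Simplified model (an assumption of this example): a direct trust always
    counts; a chain of trusts counts only if every link in it is transitive.
    """
    # Direct trusts count whether or not they are transitive.
    allowed = {t.trusted for t in trusts if t.trusting == resource_domain}
    # Walk outward from the resource domain along transitive links only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for t in trusts:
            if t.trusting == current and t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                allowed.add(t.trusted)
                queue.append(t.trusted)
    allowed.discard(resource_domain)
    return allowed

# Constructed sample: one forest (root plus two child domains) and two outside domains.
TRUSTS = (
    two_way("corp.example", "ny.corp.example")
    + two_way("corp.example", "la.corp.example")
    + [Trust("corp.example", "partner.example", transitive=False)]
    + [Trust("partner.example", "vendor.example", transitive=True)]
)

def audit(trusts):
    """Map every domain in the trust list to the domains that can reach it."""
    domains = {d for t in trusts for d in (t.trusting, t.trusted)}
    return {d: sorted(domains_with_access(d, trusts)) for d in sorted(domains)}

if __name__ == "__main__":
    for domain, who in audit(TRUSTS).items():
        print(f"{domain:18} <- {', '.join(who) or '(none)'}")
```

In this sample the nontransitive external trust stops at the forest root: partner.example users reach corp.example but not the child domains, and vendor.example reaches only partner.example.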

Review

Lab A: Operating in a Domain

Important URLs
- Active Directory - a very good overview from Wikipedia
- What is an object? - a very good tutorial on objects and classes
- AD Server Roles - good description of different server roles
- Sites - good explanation of site and subnet objects in AD
- Replication Scenarios - nice overview of replication techniques, not just for ADs, but directories in general
- What is a Global Catalog - an updated overview that explains GCs in the context of Active Directory Domain Services (AD DS)
- How Domain and Forest Trusts Work - good nuts & bolts description of how this works
- Active Directory Collection - from Microsoft's Technologies Collection, provides in-depth tech reference about the Windows Server 2003 AD
- Windows Server 2008 R2 Active Directory - good overview, free download, and a virtual lab

Homework
- Review the Slides
- Review Lesson 17 In The Text