Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004
Page 2 Active Directory (AD) – Active Directory Definitions/Features
– Active Directory has two parts
  – A database holding information about users and resources
  – A service that manages the database and lets users and computers on the network access it
– Active Directory features/advantages
  – Security – the logon process and controlling access to objects
  – Administration – a hierarchical structure
  – Search capabilities – search AD for an object
  – Scalable – allows multiple domains, fits any size of network
  – Flexibility – grows with your company, allows for additions
Page 3 Active Directory – Structure
– Objects and classes
  – An object is the smallest component you can have in AD
  – A class is the template that defines which attributes an object has when it is created
– Schema
  – The schema governs the structure of the directory
  – Administrators can add new object classes and attributes as needed, so the schema is extensible
  – "Active Directory Schema" is the name of the MMC snap-in; the schema can only be changed by members of Schema Admins, and a change applies to the whole forest (classes and attributes can be deactivated but not deleted)
– Global Catalog
  – A master searchable index that contains information about every object in the forest
  – Created by default on the first DC in the forest
  – Contains a full copy of all objects in its own domain and a partial replica (a subset of attributes) of all objects in every other domain in the forest
  – Serves as a central point for user authentication (needed at logon to resolve universal group membership and UPN logons)
Page 4 Active Directory – AD Organization
– The smallest component in AD is an object
– Objects have attributes and are defined by classes
– Each object carries an access control list (ACL) that records who has access to it and what they can do with it
– Controlling access to the object in AD is different from having access to the resource it represents (e.g. permission to read a printer object vs. permission to print)
– Organizational Units (container objects)
  – A substructure within a domain, arranged hierarchically
  – Used to organize related objects in AD; an OU can also contain other OUs
  – Helps simplify administration (delegation of control and Group Policy are applied at the OU level)
Page 5 Active Directory – Object IDs
– Globally Unique Identifier (GUID)
  – A 128-bit value (written as 32 hex digits) assigned to an object when it is created and stored with the object; it never changes, even if the object is renamed or moved, which ensures uniqueness and avoids duplication
– Security ID (SID)
  – A unique identifier created by the security subsystem and assigned to users, groups and computers; ACLs grant or deny access by SID, not by name
  – For accounts in a domain the SID is the domain's SID followed by a Relative ID (RID), so the same RID means the same kind of principal in every domain (e.g. RID 500 is the built-in Administrator)
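The following is an added example, not part of the lecture, showing the binary layout of a SID as it is stored in ACLs and in the objectSid attribute, and how the RID is split off the domain SID. The domain sub-authority values in the sample SID are made up.

```python
"""Encode/decode Windows security identifiers (SIDs).

Added example, not from the lecture. Binary layout:
  byte 0      revision (always 1)
  byte 1      number of sub-authorities (0..15)
  bytes 2-7   48-bit identifier authority, big-endian
  then        one 32-bit little-endian value per sub-authority
String form: S-<revision>-<authority>-<sub1>-...-<subN>
For a domain account the last sub-authority is the Relative ID (RID).
"""
import struct

# Well-known RIDs: the same RID names the same kind of principal in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def sid_to_bytes(sid: str) -> bytes:
    """Convert a SID string such as 'S-1-5-21-...' to its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("malformed SID: %r" % sid)
    if any(s < 0 or s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(data: bytes) -> str:
    """Convert a binary SID back to its string form, validating the length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_rid(sid: str):
    """Split a domain account SID (S-1-5-21-X-Y-Z-RID) into (domain SID, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def describe_rid(sid: str) -> str:
    """Name the well-known RID of an account SID, or report the raw RID."""
    _, rid = split_domain_rid(sid)
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)


if __name__ == "__main__":
    sid = "S-1-5-21-1234567890-987654321-1122334455-500"   # constructed sample
    raw = sid_to_bytes(sid)
    print(raw.hex(), bytes_to_sid(raw), describe_rid(sid))
```

The length check in bytes_to_sid matters in practice: a SID read from an ACE or a directory attribute must be rejected, not silently truncated, if the sub-authority count does not match the bytes present.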
Page 6 Domain Controller (DC) – DC Setup
– All domain controllers are equal (multi-master replication)
  – A change made on one DC is replicated to all other DCs
– Five operations-master (FSMO) roles that one DC at a time holds in addition to its normal duties
  – Relative ID Master (one per domain; hands out the RID pools DCs use to build new SIDs)
  – Schema Master (one per forest)
  – Infrastructure Master (one per domain)
  – Domain Naming Master (one per forest)
  – PDC Emulator (one per domain)
Page 7 Domains – AD Organization: Tree
– A grouping of one or more domains that has a single root domain
– Domains are linked by parent-child relationships
– Defined by a common and contiguous namespace (a child domain's DNS name is a subdomain of its parent's name)
– A hierarchy of domains sharing a common schema, transitive trust relationships, and a Global Catalog
Page 8 Domains – AD Organization: Forest
– A group of one or more domain trees linked together by trusts
– Each tree in the forest has its own root domain
– All trees share a common schema, configuration and Global Catalog
– The trees do not have contiguous DNS domain names (for example, example.com and example.net could be two trees in one forest)
Page 9 Trusts – NT Domains
– Each domain had its own accounts
– You needed an account in every domain whose resources you used, or an administrator had to set up a trust between the domains
– Trusts were set up explicitly as one-way or two-way trusts
– These trusts are intransitive (nontransitive)
Page 10 Trusts
– A logical connection that allows users from one domain to access resources in another domain
– Can be one-way or two-way
– Trusting domain (holds the resources) and trusted domain (holds the accounts): the trusting domain accepts the trusted domain's authentication of its users
Page 11 Trusts – Intransitive Trusts
– Domain C trusts Domain B and Domain B trusts Domain A
  – Users in B can access resources in C, and users in A can access resources in B
– Domain C does not trust Domain A, so users in A cannot access resources in C
– Windows NT trusts are always intransitive
Page 12 Trusts – Transitive Trusts
– A trust between two domains in the same tree/forest that extends beyond those two domains to the other trusted domains in the same tree/forest
– The default tree/forest trusts (parent-child and tree-root) are always two-way
– By default all Windows 2000 trusts within a tree/forest are transitive
– With C trusting B and B trusting A, Domains A and C trust each other
– Security consequence: every domain in a forest implicitly trusts every other, so the forest, not the domain, is the security boundary
Page 13 Trusts – Explicit Trusts
– A trust that is set up by an administrator
– Shortcut trusts connect two domains in the same forest directly to shorten the trust path between them (transitive)
– External trusts are used to manage trusts between Windows 2000 and NT domains (intransitive)
– An explicit trust can therefore be either transitive or intransitive, depending on its type
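The following is an added example, not part of the lecture, that models the trust rules from the NT, transitive and explicit-trust slides as a graph and answers the question the slides pose: can accounts from one domain reach resources in another, and along which path? The domain names A, B, C and NT1 are placeholders. A path of more than one hop is valid only if every hop is transitive; a direct trust works whether or not it is transitive.

```python
"""Model domain trusts and compute trust paths.

Added example, not from the lecture. An edge trusting -> trusted means the
trusting domain accepts authentication from the trusted domain, so accounts in
`trusted` can be granted access to resources in `trusting`.
"""
from collections import deque


class TrustGraph:
    def __init__(self):
        # trusting domain -> set of (trusted domain, transitive?)
        self.edges = {}

    def add_trust(self, trusting, trusted, two_way=False, transitive=False):
        self.edges.setdefault(trusting, set()).add((trusted, transitive))
        self.edges.setdefault(trusted, set())
        if two_way:
            self.edges[trusted].add((trusting, transitive))

    def domains(self):
        return set(self.edges)

    def trust_path(self, resource_domain, account_domain):
        """Chain of domains from the resource domain to the account domain, or None."""
        if resource_domain == account_domain:
            return [resource_domain]
        direct = self.edges.get(resource_domain, set())
        if any(t == account_domain for t, _ in direct):
            return [resource_domain, account_domain]
        # Multi-hop search: only transitive trusts may be extended.
        prev = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self.edges.get(cur, ()):
                if not transitive or nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == account_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def can_access(self, account_domain, resource_domain):
        return self.trust_path(resource_domain, account_domain) is not None

    def account_domains_trusted_by(self, resource_domain):
        """Every domain whose accounts can be granted access in resource_domain."""
        return sorted(d for d in self.domains()
                      if d != resource_domain and self.can_access(d, resource_domain))


def nt_example():
    """Slide 11: C trusts B, B trusts A, one-way and intransitive."""
    g = TrustGraph()
    g.add_trust("C", "B")
    g.add_trust("B", "A")
    return g


def w2k_example():
    """Slide 12/13: a tree A > B > C with default two-way transitive trusts,
    plus an external (intransitive) trust from C to an NT domain."""
    g = TrustGraph()
    g.add_trust("A", "B", two_way=True, transitive=True)
    g.add_trust("B", "C", two_way=True, transitive=True)
    g.add_trust("C", "NT1")
    return g


if __name__ == "__main__":
    print("NT: A -> C", nt_example().can_access("A", "C"))
    print("W2K: path C -> A", w2k_example().trust_path("C", "A"))
    print("W2K: who can reach C", w2k_example().account_domains_trusted_by("C"))
```

account_domains_trusted_by is the view a resource owner needs: in the Windows 2000 example every domain in the tree can be granted access to C, while the NT domain reached through the external trust can reach C only, not A or B.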
Page 14 Domain Name System (DNS)
– DNS structure
  – Based on a hierarchical naming structure (an inverted tree)
  – A single root domain; underneath it are the top-level domains (com, edu, org, ...) and under those the second-level domains
  – Every computer in a DNS domain is uniquely identified by a Fully Qualified Domain Name (FQDN), e.g. host.example.com
– Dynamic DNS (clients registering and updating their own records) is supported in Windows 2000
Page 15 Domain Name System – Zone Files and DNS Servers
– Forward lookup zone – contains host name to IP address resolution (A records)
– Reverse lookup zone – contains IP address to host name resolution (PTR records under in-addr.arpa)
– DNS servers
  – Primary – maintains the master (writable) copy of the zone file
  – Secondary – keeps a read-only backup copy of the zone, obtained from the primary by zone transfer
  – AD-integrated – DNS entries are kept in the AD data store and replicated with AD instead of being kept in zone files; every DC running DNS can accept updates, and updates can be restricted to authenticated clients (secure dynamic update), which is not possible with file-based zones
– Scavenging – finds and deletes dynamically registered records in a zone that have been stale for a configured period (the record's timestamp is older than the no-refresh interval plus the refresh interval); statically created records are not scavenged
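The following is an added example, not part of the lecture, with a small in-memory model of a forward and a reverse zone: how a dynamic-update client registers an A record and its matching PTR record, how record timestamps age through the no-refresh and refresh windows, and which records scavenging removes. Zone names, hosts, addresses and interval lengths are constructed samples (the default intervals are the 7-day values a Windows DNS server uses).

```python
"""Forward/reverse zone records with aging and scavenging.

Added example, not from the lecture. A scavenging server keeps a timestamp on
each dynamically registered record. During the no-refresh interval after the
last timestamp update a re-registration leaves the timestamp alone (to avoid
replication churn); after that a re-registration refreshes it. A record is
stale once its timestamp is older than no-refresh + refresh. Static records
have no timestamp and are never scavenged.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600


def reverse_name(ip: str) -> str:
    """PTR owner name for an address: reversed octets under in-addr.arpa,
    or reversed hex nibbles under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")       # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[float] = None   # None marks a static record


class Zone:
    def __init__(self, name: str, no_refresh_hours=168, refresh_hours=168):
        self.name = name
        self.records: List[Record] = []
        self.no_refresh = no_refresh_hours * HOUR
        self.refresh = refresh_hours * HOUR

    def add_static(self, name, rtype, data) -> Record:
        rec = Record(name, rtype, data)
        self.records.append(rec)
        return rec

    def register(self, name, rtype, data, now) -> Record:
        """Dynamic update: create the record, or refresh its timestamp if the
        no-refresh window has passed."""
        for rec in self.records:
            if (rec.name, rec.rtype, rec.data) == (name, rtype, data):
                if rec.timestamp is not None and now - rec.timestamp >= self.no_refresh:
                    rec.timestamp = now
                return rec
        rec = Record(name, rtype, data, now)
        self.records.append(rec)
        return rec

    def scavenge(self, now) -> List[Record]:
        """Delete dynamic records older than no-refresh + refresh; return them."""
        limit = self.no_refresh + self.refresh
        stale, keep = [], []
        for rec in self.records:
            if rec.timestamp is not None and now - rec.timestamp > limit:
                stale.append(rec)
            else:
                keep.append(rec)
        self.records = keep
        return stale

    def lookup(self, name, rtype) -> List[str]:
        return [r.data for r in self.records if r.name == name and r.rtype == rtype]


def register_host(fwd: Zone, rev: Zone, fqdn: str, ip: str, now) -> None:
    """What a dynamic-update client does: an A record in the forward zone and
    the matching PTR record in the reverse zone."""
    fwd.register(fqdn, "A", ip, now)
    rev.register(reverse_name(ip), "PTR", fqdn, now)


if __name__ == "__main__":
    fwd, rev = Zone("example.com"), Zone("1.10.in-addr.arpa")   # constructed
    fwd.add_static("dc1.example.com", "A", "10.1.0.5")
    register_host(fwd, rev, "ws1.example.com", "10.1.2.3", now=0)
    print([r.name for r in fwd.scavenge(now=600 * HOUR)])       # ws1 only; dc1 is static
```

The no-refresh check is the part that surprises people: a host that re-registers every day still has a timestamp that only moves once per no-refresh interval, so the stale threshold has to be measured from that timestamp, not from the last time the client was seen.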
Page 16 Active Directory & Domain Name System – AD & DNS
– Active Directory and DNS use the same hierarchical structure
– An AD domain typically uses the same name as its DNS domain (FQDN)
– DNS records can be stored in Active Directory (AD-integrated zones)
– Clients use DNS to locate domain controllers on the network: DCs register SRV records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain>, so logon and replication depend on working DNS
Page 17 Domain Name System – Name Space
– Active Directory is based on the concept of a namespace: a name is used to resolve the location of an object
– Active Directory domain names correspond to DNS domain names
– Each object's name gives its location in Active Directory
Page 18 Domain Name System – Naming Conventions
– Relative Distinguished Name (RDN)
  – The name assigned to the object by the administrator when it is created; it must be unique within its container
  – Example – hshuja1
– Distinguished Name (DN)
  – Combines the RDN with the object's location in Active Directory, such as the OU the user belongs to and the domain; unique in the whole forest
  – Example –
– User Principal Name (UPN)
  – An "easier" naming convention that combines the logon name with a domain name suffix; no OU is referenced
  – Example –
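The following is an added example, not part of the lecture, that builds the three name forms for a user and parses a DN back into its components. The OU path (Students, CS) and the domain example.com are assumptions chosen for illustration; hshuja1 is the RDN from the slide. The escaping rules follow RFC 4514: an RDN value containing a comma would otherwise be read as an extra RDN, which is exactly the bug that lets a user-supplied name inject an OU or CN into a DN built by string concatenation.

```python
"""Build and parse AD names: RDN, DN and UPN.

Added example, not from the lecture. Only the attribute types and escaping
rules are real; the OU names and domain are placeholders.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        elif ord(ch) < 0x20:                 # control characters as \XX
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(dns_domain: str) -> str:
    """example.com -> DC=example,DC=com"""
    labels = dns_domain.strip(".").split(".")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def build_dn(rdn_attr: str, rdn_value: str, ou_path: List[str], dns_domain: str) -> str:
    """ou_path is listed from the domain downward; the DN lists the innermost OU first."""
    parts = ["%s=%s" % (rdn_attr, escape_rdn_value(rdn_value))]
    parts += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    parts.append(domain_to_dc(dns_domain))
    return ",".join(parts)


def build_upn(logon_name: str, upn_suffix: str) -> str:
    if "@" in logon_name or any(c.isspace() for c in logon_name):
        raise ValueError("logon name must not contain '@' or whitespace: %r" % logon_name)
    return "%s@%s" % (logon_name, upn_suffix)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring '\\c' and '\\XX' escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                cur.append(chr(int(pair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    result = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        result.append((attr, value))
    return result


if __name__ == "__main__":
    print(build_dn("CN", "hshuja1", ["Students", "CS"], "example.com"))
    print(build_upn("hshuja1", "example.com"))
    print(parse_dn(build_dn("CN", "hshuja1,OU=Domain Admins", [], "example.com")))
```

The last line of the demonstration is the point: with escaping, a value like "hshuja1,OU=Domain Admins" stays a single CN and parse_dn returns it as one component, rather than a CN followed by a spurious OU.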