Introducing Microsoft Active Directory Services CSIS 165 – Week 1B Exams &
CSIS 165 – Week 1B Windows 2003 Systems Overview Ch 1 - Introduction To Active Directory Ch 2 – Domain Naming Services (DNS)
Windows 2003 Security Models Workgroups Windows Server is not required User accounts are managed locally Resources are managed locally Domains User accounts are managed centrally Most resources are managed centrally Windows Server is required
Windows 2003 Architecture Two major layers: User mode Environment subsystems Integral subsystems Kernel mode
Environment subsystems Emulates other operating systems Supports Win32, OS/2, POSIX (UNIX) Restrictions on applications: Can access only the associated API Cannot access: Hardware, drivers Shared memory
Integral Subsystems Security subsystem Logon processing Authentication Resource access Workstation service Access shared resources Server service Provide shared resources
Kernel Mode System services – Available to kernel and user mode processes IO manager, virtual memory manager Internal services – Available only to kernel mode processes
Windows 2003 Subsystems
Chapter 1 Introduction to Active Directory
Active Directory Features & Services Authentication of users Controlling access of resources Advertisement of resource Centralized administration Replication platform Support for open standards
Active Directory Architecture Client Interfaces LDAP/ADSI, MAPI, SAM, REPL Directory System Agent (DSA) Database Layer Extensible Storage Engine Data Store (NTDS.DIT)
Active Directory Architecture
Active Directory Object Containers Active Directory Objects Active Directory Schema Active Directory Logical Structures Domains Organizational Units Trees & Forests Physical Structures Domain Controllers Sites
Active Directory Objects Define consumers users & groups Define resources Computers & servers Shared services Printers, etc… Container objects Domains Organizational units Groups Sites Forest
Active Directory Schema Define objects Classes Represent a type of object Contains attributes Attributes Define properties of objects Name, Datatype & length, etc… May be included in multiple classes Schema may be extended by adding or replacing classes and attributes Not reversible without restoring AD from system state Requires Enterprise Admin rights & AD Schema snap-in Done automatically when Exchange 2000 is installed
Active Directory Components Domains - Security boundary Users and resources belong to one domain. Domain Admins defines Administration boundary. Organizational Units Users and resources exist in OU’s Provide namespace Applies group policy Does not confer privileges – groups do that Trees and Forests Trees – contiguous DNS namespace All domains in a Global Catalogue Two-way implicit, transitive trusts Sites - Define replication boundaries
Active Directory Concepts Global Catalog Sites and Replication Domains and Trusts DNS namespace
Global Catalog Functions: Indexes all objects in its domain. Indexes a subset of all objects in the entire forest. Is the only source of Universal group information Required for logins, except by Domain Admins Creating Global Catalog servers: By default, on the first DC in a forest or domain. Additional GC servers can be created on any DC. Two rules: Have a GC at every physical site. Keep the GC and infrastructure master role on separate hosts.
Replication What information is replicated? Schema Domain-level AD objects Configuration Global Catalogue information Sites provide replication boundaries
Replication Replication Within a Site: Replication topology is automatically determined Provides at least two paths between DCs Replication is triggered by changes Transmissions are not compressed - RPCs Replication between sites: Occurs between bridgehead servers Occurs as scheduled Is compressed and may use SMTP Security changes replicate immediately.
Trusts Implicit two-way transitive trusts: exist between parent and child domains in a tree and top-level domains in a forest. Explicit one-way non-transitive trusts: Used between AD and NT 4.0 domains Domains in different forests AD Domains and Kerberos Realms
DNS Namespace Forward-lookup namespace Reverse-lookup namespace Record types Host, NS, MX, SRV, CNAME, PTR
Active Directory Namespace Distinguished name Relative distinguished name GUID Unique across all domains Does not change when objects move or rename Replaces NT 4.0 SID
The Operation Master Roles Forest-level Schema Master Domain Naming Master Domain-level Relative ID Master PDC Emulator - Down-level clients and BDCs Infrastructure Master
Active Directory Tasks & Tools Active Directory Users and Computers: Create & manage user accounts, groups & OUs Active Directory Domains & Trusts Manage trusts Change to native mode Assign alternate user principal name suffix Transfer domain naming master role Active Directory Sites and Services Manage replication Active Directory Schema Used to modify the AD schema Not installed be default Other tools covered in lab – Know them for the exam
Review Roles of Active Directory Windows & Active Directory Architecture The Windows login process The Active Directory schema Active Directory objects The Global Catalogue Replication Trusts Operation Master Roles Active Directory management tools
Ch 2 – Understanding DNS IP Addressing & Host Naming The hosts file DNS Objectives The DNS Namespace DNS Messaging The Name Resolution Process Planning a DNS Infrastructure
IP Addressing & Host Naming Earliest IP network – ARPANET Single-level name identified hosts Names mapped to IP Addresses – hosts file Problems: Hosts file would become enormous New host entries require updated hosts files Administrators could not choose just any host names – only those not yet used
The Hosts File C:\WINNT\system32\drivers\etc\hosts # Copyright (c) Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # rhino.acme.com # source server # x.acme.com # x client host localhost saicu saicu20.mcse.wallihan.com
DNS Objectives Decentralize name management Flexible identification of services Identify services such as mail hosts Solutions: A hierarchic namespace Diverse resource record types
The Forward Lookup Namespace Resolves host names to IP addresses Locates services Root domain “.” Top-level domains – com, org, gov, etc… Second-level domains – privately managed
The Forward Lookup Namespace “.” COMORG SAIC WWW Hosts NS Records
Forward Lookup Zones Zones represent files A zone may represent one or more domains Zones represent a contiguous namespace Zones define replication boundaries
Forward Lookup Zones COM SAIC DOMAIN2 DOMAIN1 Zone1Zone 2 An Invalid Zone
DNS Messaging DNS uses UDP for name resolution (port 53) DNS uses TCP for zone file replication A single message format handles all traffic DNS Header – See book Flags Bit8 – Recursion desired Flags Bit9 – Recursion available
The Name Resolution Process “.” COM SAIC Recursive Query Non-Recursive Query
The Reverse Lookup Namespace In-addr arpa “.” 253 PTR saicu20.mcse.wallihan.com
DNS Configuration Forwarders Enables a server to forward unknown queries Caching-only servers These servers do not maintain zones or entries Forwarders must be enabled Dynamic updates Configure in DHCP Three options No, Yes Only Secure updates (Active Directory integrated zones only)
Configuring DNS
DNS Record Types A – Host record CNAME – Canonical name NS – Name server SOA – Authoritative name server MX – Mail relay SRV – Well-known services PTR – Reverse lookup record
Implementing WINS
When to use WINS NetBIOS Naming The Lmhosts file The NetBIOS name server NetBIOS node types The WINS architecture Implementing WINS
NetBIOS Naming NetBIOS originally served single LANs NetBIOS names were cached locally Computers would broadcast queries Only the requested computer replied The reply was cached locally
The Lmhosts File Problems with NetBIOS: Computers on remote LANs – broadcast Large environments – broadcast The Lmhosts file enabled the most popular servers to be resolved locally The Lmhosts file structure: IP address name
Lmhosts File Records & Tags A standard record: saicu20 Tags: #PRE – preloads entry into cache #DOM:domain – Windows NT domain #INCLUDE filepath – Loads info from a centrally managed file END_ALTERNATE & BEGIN_ ALTERNATE
A Sample Lmhosts File # The following example illustrates all of these extensions: rhino #PRE #DOM:networking #net group's DC "appname \0x14" #special app server popular #PRE #source server localsrv #PRE #needed for the include BEGIN_ALTERNATE INCLUDE \\localsrv\public\lmhosts INCLUDE \\rhino\public\lmhosts END_ALTERNATE
The NetBIOS Name Server - WINS Clients are configured with the WINS server’s IP address (enables unicast) Clients register their name and IP with WINS TTL - 6 days by default Clients refresh at half TTL Name or IP address changes are registered with WINS Clients release names when they shut down Clients query the name server to resolve hosts
NetBIOS Node Types Node TypeRegistrationResolution B NodeBroadcast P NodeUnicast-WINS M NodeBroadcastBroadcast then WINS Modified B NodeBroadcastBroadcast then Lmhosts H Node (hybrid)Unicast-WINSWINS then Broadcast MS Enhanced NodeUnicast-WINSConfigurable
Configuring WINS Clients: Specify the WINS server Configure a node type (optional) MS-enhanced H-node by default WINS Servers Install WINS Create static mappings Configure Replication WINS Proxy Agents Handles broadcast name registrations Set EnableProxy to 1 in registry - Any WINS client
Review Active Directory DNS WINS