Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding Active Directory

Published byTamsin Camilla Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "Understanding Active Directory"— Presentation transcript:

1 Understanding Active Directory
1 minute Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning , Microsoft

2 Active Directory Lightweight Directory Services (AD LDS)

3 Module Overview AD LDS Overview Implementing and Administering AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Module Overview AD LDS Overview Implementing and Administering AD LDS Implementing AD LDS Replication Comparing AD DS and AD LDS

4 Lesson 1: AD LDS Overview
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Lesson 1: AD LDS Overview How AD LDS Works AD LDS Administration Tools What Is the AD LDS Schema? Demonstration: Installing AD LDS

5 How AD LDS Works AD LDS is a hierarchical file-based directory store
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A How AD LDS Works AD LDS is a hierarchical file-based directory store Uses the Extensible Storage Engine (ESE) for file storage ESE Discuss the similarities of AD LDS and AD DS. AD LDS uses a hierarchical Extensible Storage Engine (ESE) database just like AD DS and Exchange. AD LDS can be accessed via LDAP The store is organized into three partitions types: Configuration Schema Application

6 AD LDS Administration Tools
Module 3: Introduction to Active Directory® Lightweight Directory Services AD LDS Administration Tools Course 6424A Tool Usage Active Directory Lightweight Directory Services Wizard Create a new instance of AD LDS Create a new replica of an AD LDS instance ADSIEdit Modifying data Viewing data LDP Creating application partition instances Ldifde or Csvde Importing and exporting data Dsacls View or set permissions AdamSync Used to synchronize an instance of AD DS to AD LDS ADSchemaAnalyzer Used in migrating the Active Directory schema to ADAM ADSIEdit is a more friendly interface than LDP. However, it does not support Secure Sockets Layer (SSL) connections to AD LDS.

7 What Is the AD LDS Schema?
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A What Is the AD LDS Schema? AD LDS Schema defines the types of objects and data that can be created and stored in an AD LDS instance using object classes and attributes Schema defines every object and attribute in a directory. In order for an object type to be created in the directory, You first must define it in the schema. All partitions in an instance share a schema and that if different schemas need to be supported, separate instances would need to be created. Schema Partition Application Partition Definition for an automobile object class Directory objects based on the automobile object class Definition for a user object class Directory objects based on the user object class

8 Demonstration: Installing AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Demonstration: Installing AD LDS In this demonstration, you will see how to install Active Directory Lightweight Directory Services

9 Lesson 2: Implementing and Administering AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Lesson 2: Implementing and Administering AD LDS What Is an AD LDS Instance? What Is an AD LDS Application Partition? Demonstration: Configuring AD LDS Instances and Application Partitions AD LDS Users and Groups How Does Access Control Work in AD LDS?

10 What Is an AD LDS Instance?
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A What Is an AD LDS Instance? An AD LDS Instance is a running copy of AD LDS service that contains is own communication interface and directory store A Single AD LDS Instance AD LDS instances are similar to SQL Server® instances. Multiple SQL instances can be installed on a single server computer each functioning as separate database entities. A LDS instance is similar. A new instance of LDS can be created on the same server, and configured and used separately. Some reasons for using multiple instances, might include having separate schema applications or applications that would need to replicate differently, or even to have them isolated for security. Each instance also has separate TCP ports to which they are bound. Directory Service Interfaces (LDAP, replication) Client Directory Data Store (Adamntds.nit) The directory store has its own copy of the three partitions

11 What Is an AD LDS Application Partition?
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A What Is an AD LDS Application Partition? The AD LDS application partition holds the data that is used by the application A Single AD LDS Instance This partition stores the data that your applications will use. Most likely you will use the application to manage the objects in this partition. All objects created in the application partitions must already be defined in the schema. Each of the application partitions configuration information for an instance are stored in the configuration partition in the cn=Partititions, cn=Configuration container. Application partition 1 Configuration partition Schema partition Multiple application directory partitions can be created in each LDS instance; however each partition would share a single set of configuration and schema partitions

12 Demonstration: Configuring AD LDS Instances and Application Partitions
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Demonstration: Configuring AD LDS Instances and Application Partitions In this demonstration, you will see how to configure an AD LDS instance on a computer that is already running one instance Use the AD LDS Setup wizard to demonstrate how to configure an AD LDS instance on a computer that is already running one instance: Run the AD LDS Wizard Choose instance name of “ADLDS01” Choose to add an application partition of “cn=Application1,dc=ADLDS01” Run AD LDS under Network Service Account Assign the logged on user permission Choose Windows 2007 Schema Complete Create another application partition using ADSIEdit

13 Module 3: Introduction to Active Directory® Lightweight Directory Services
AD LDS Users and Groups Course 6424A AD LDS provides four default, role-based groups stored in the roles container of the appropriate partitions A set of default groups are created when the instance is created. Additional user and group accounts can be added to the configuration partition or to a specific application partition. Role Default Members Default Access Administrators Configuration partition: AD LDS administrators that are assigned during AD LDS setup Application partitions: The Administrators group from the configuration partition Full access to all partitions Readers None Read access to the partition Users Configuration partition: Transitively, all AD LDS users Application partitions: Transitively, all AD LDS users that are created in the partition Instances Configuration partition: All instances

14 How Does Access Control Work in AD LDS?
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A How Does Access Control Work in AD LDS? AD LDS Access Control: Authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory 1 Describe process flow of access control: Before making a request for data, the directory-enabled application must present the user's credentials to AD LDS for authentication or binding. This request includes a user name, password, and—depending on the type of bind—a domain name or computer name. The application then can access data that AD LDS hosts. What sort of authentication can be done against AD LDS? AD LDS security principals are authenticated directly by AD LDS. Windows local security principals are authenticated by the local computer. Domain security principals are authenticated by an Active Directory Domain Services (AD DS) domain controller. What are access control lists (ACLs)? ACLs define which security principles have access to a particular object. Access can be given to users by adding them to groups or by directory assigning permissions to the user objects using dsacls. Dsacls can be used to assign users or group permissions on objects in AD LDS. References AD LDS Help topic, “Working with Authentication and Access Control” Uses security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user can access 2

15 Lesson 3: Implementing AD LDS Replication
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Lesson 3: Implementing AD LDS Replication How AD LDS Replication Works Why Implement AD LDS Replication?

16 How AD LDS Replication Works
Module 3: Introduction to Active Directory® Lightweight Directory Services How AD LDS Replication Works Course 6424A AD LDS uses multimaster replication: All instances are writable Changes on one instance are replicated to the other instances Changes can be made to any of the instances and then the changes that were made are merged and replicated across the instances making all of the instances identical again. To be able to replicate partitions between instances, the instances must be installed in a configuration set. A configuration set can be joined only during the installation of the AD LDS instance. AD LDS servers replicate changes to all servers Client adds “User 2” on Server 1 Client modifies “User 1” display name on Server 2 Server 2 Server 1 Server 3

17 Why Implement AD LDS Replication?
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Why Implement AD LDS Replication? Why implement AD LDS Replication? High availability Load balancing Geographic limitations

18 Lesson 4: Comparing AD DS and AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Lesson 4: Comparing AD DS and AD LDS Similarities between AD DS and AD LDS Differences between AD DS and AD LDS Integrating AD DS and AD LDS

19 Similarities Between AD DS and AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Similarities Between AD DS and AD LDS Similarities between AD DS and AD LDS: Support LDAP connections Support LDAP connections: both are LDAP-based, allowing LDAP connections for hierarchical storage. Multimaster Replication: both allow each instance to be written to so that change can happen on any instance and be replicated to all instances. Delegated Administration: administration can be delegated to partitions or OUs by group or role. Use Extensible Storage Engine for database: both store their data in a ESE database. Use multimaster replication Support delegated administration Use Extensible Storage Engine for the database store

20 Differences Between AD DS and AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Differences Between AD DS and AD LDS Course 6424A Features AD LDS AD DS Capable of multiple instances running on one server X Runs on nondomain controllers Does not require DNS infrastructure Group policy Global Catalog functions Kerberos V5 Protocol authentication Full-featured administrator tools Automatic failover of services Features that AD LDS has that AD DS does not: Have multiple instances running on one server: AD DS can only have a single instance on a single server. Runs on non-domain controllers: AD DS has a specific role dedicated to domain controllers. Does not require DNS infrastructure: AD DS requires DNS to be configured for all client machines so that they can find services. Features that AD DS has that AD LDS does not: Group Policy: Group Policy can be used to enforce settings on objects in the directory. Global Catalog functions: Having a central repository for searching objects in multiple domains in a forest. Kerberos Authentication: AD DS uses Kerberos for some authentication tasks. Full featured administrator tools: AD DS has Active Directory Users and Computers, Active Directory Site and Services, and other administrative tools for managing AD DS. Automatic failover of services: Because AD DS relies on DNS if a domain controller fails clients can find a operational domain controller with DNS. AD LDS would need to have an application aware of how to deal with that scenario.

21 Integrating AD DS and AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Integrating AD DS and AD LDS To integrate AD DS and AD LDS: Prepare the schema for synchronization 1 Since AD DS is the foundation for enterprises today, there is no doubt that the data in AD DS is valuable. Many applications may want to use this data. Rather than extending the schema of AD DS, AD LDS can synchronize the data from AD DS allowing in the AD LDS schema to be changed to meet the application needs. Also, the application requesting this data may be outside of the direct control of the enterprise IT staff. Allowing AD LDS to synchronize the data from AD DS and allowing that application access AD LDS provides a layer of protection for AD DS. Discuss the process of configuring the synchronization: Prepare the Schema Prepare the Configuration for AdamSync Configure AdamSync Run AdamSync 2 Prepare the configuration for AdamSync Run AdamSync 3

22 Module Review and Takeaways
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A Module Review and Takeaways Review Questions Summary of AD LDS Review Questions  1. What are the three core partition types in an AD LDS instance? Answer: The three main partition types are Schema, Configuration, and Application. 2. What ways are AD DS and AD LDS similar? Answer: AD LDS and AD DS use the Extensible Storage Engine, enable LDAP client connections, use multimaster replication, and allow for delegated administration. 3. What tools are used to administer AD LDS and for what are each used? Answer: Active Directory Lightweight Directory Services Wizard is used for creating new instances and new replicas of an AD LDS instance. ADSIEdit and LDP are used for viewing and modifying data. Ldifde and Csvde are used for importing and exporting data. Dsacls is used for viewing and setting permissions. AdamSync is used to synchronizing AD LDS and AD DS. 4. What are some reasons for deploying multiple AD LDS replicas? Answer: Deploying multiple replicas can provide for high availability, load balancing, and geographic limitations. 5. How would you configure AD LDS if two applications required schema attributes that conflict with one another? Answer: Because all application partitions in an AD LDS instance share a schema partition, the only way to provide multiple schemas is to deploy two instances of AD LDS, one for each application. Summary of AD LDS AD LDS is an LDAP directory service in Windows Server  It provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for AD DS. AD LDS can have multiple writable replicas of the data on several servers. Having multiple writable copies eliminates the single point of failure. Replication provides high availability, allows for load balancing, and better serves geographically dispersed application access. AD LDS and AD DS are similar because they both use an ESE database, enable LDAP client connections, use multimaster replication, and allow delegated administration. They provide different functionality as AD DS is an enterprise directory for administration and management, and AD LDS is a lightweight customizable solution for applications to use for authentication and data storage.    

23 Thanks for Watching!

24

Download ppt "Understanding Active Directory"

Similar presentations

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
Windows 8 (1) (2) (3) Windows 8 (1) (2) (3)

Windows 8 (1) (2) (3) Windows 8 (1) (2) (3)
Feature: Identity Management - Login © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

Feature: Identity Management - Login © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Koen Stox | Application Consultant 1998 MCT 2005 Co-owner of Plataan (CPLS in Belgium)

Koen Stox | Application Consultant 1998 MCT 2005 Co-owner of Plataan (CPLS in Belgium)
Feature: Purchase Requisitions - Requester © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.

Feature: Purchase Requisitions - Requester © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
MIX 09 4/15/2017 11:14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Understanding Active Directory

Understanding Active Directory
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Understanding Active Directory

Understanding Active Directory
Feature: OLE Notes Migration Utility

Feature: OLE Notes Migration Utility
Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.

Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Session 1.

Session 1.
Built by Developers for Developers…. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.

Built by Developers for Developers…. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
 Rico Mariani Architect Microsoft Corporation.

 Rico Mariani Architect Microsoft Corporation.
Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.

Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.
Migrating to Windows Azure SQL Database Name Title Microsoft Corporation.

Migrating to Windows Azure SQL Database Name Title Microsoft Corporation.

Similar presentations

Ads by Google