
© N. Ganesan, Ph.D., All rights reserved. Active Directory Installation Nanda Ganesan, Ph.D.




2 Contributions: Chris Rike, Christian Ng, Juan Herrera, Pauline Cheng

3 Overview of Active Directory: The directory service included in Windows Server. It stores information about network objects and makes that information available to administrators, users, and applications. It provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.

4 1. What is Active Directory? What is the purpose of using Active Directory? 2. What is the function of a directory service? How is it structured? 3. How does Active Directory communicate with a wide variety of other technologies?

5 What is Active Directory? What is the purpose of using Active Directory? Active Directory is the directory service included in Windows 2000 Server. Active Directory stores information about network objects and makes the information available to administrators, users, and applications. Active Directory provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.

6 Active Directory Provides Benefits: 1) Integration with DNS 2) Flexible querying 3) Information security 4) Simplified administration 5) Scalability

7 1) Integration with DNS: Active Directory is a namespace that is integrated with the Internet's Domain Name System (DNS). Active Directory domains and DNS domains have the same hierarchical structure. DNS zones can be stored in Active Directory. Active Directory clients use DNS to locate domain controllers. (See Figure 1.)

8 2) Flexible querying: Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using object properties. For example, one can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account.

9 3) Information security: Protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.

10 4) Simplified administration: Since all domain controllers in the domain are equal, changes made to one domain controller can be replicated to all other domain controllers in the domain. This provides a single point of administration for all objects on the network.

11 5) Scalability: With one or more domain controllers, Active Directory enables you to scale the directory to meet any network requirement. Multiple domains can be combined into a domain tree, and multiple domain trees can be combined into a forest.

12 How is it structured? Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

13 How does Active Directory communicate with a wide variety of other technologies? Because Active Directory is based on standard directory access protocols, it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols.

14 Figure 1: How Microsoft fits into the Internet's DNS namespace (Active Directory)

15 Figure 2: Comparing DNS and Active Directory namespace roots

16 Objects: The entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, e.g. a user. A globally unique identifier (GUID) is assigned to the object when it is created.

17 Schema: A description of the object classes and of the attributes for those object classes. Every Active Directory object is an instance of an object class. Each attribute is defined only once and can be used in multiple classes.

18 Schema Attributes and Querying: Using the Active Directory Schema tool you can –Mark an attribute as indexed –Include attributes in the global catalog. The global catalog contains a default set of attributes for every object in the forest; attributes added to it should be globally useful, not volatile, and small.

19 Schema Object Names LDAP display name Common name Object identifier (OID)

20 Object Naming Conventions Security principal names Security identifier LDAP-related names Object GUIDs Logon names

21 Security Principal Names: A security principal can be a user account, a computer account, or a group. A security principal name uniquely identifies a user, computer, or group within a single domain. Unique across domains for backward compatibility.

22 Security IDs (SIDs): A unique number created by the security subsystem of the Windows 2000 operating system and assigned to security principal objects, i.e. user, group, and computer accounts. Every account on the network is issued a unique SID when that account is first created.
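To make the SID structure concrete, here is an added example (not part of the presentation) that decodes the binary SID layout stored in a security principal's objectSid attribute (revision byte, sub-authority count, 48-bit identifier authority, 32-bit sub-authorities), re-encodes it, and labels the well-known SIDs and domain RIDs a defender looks for when reviewing group membership or ACLs. The sample SID value is constructed, not taken from any real domain; the well-known constants are the documented Windows values.

```python
import struct

# Well-known SIDs (the whole SID) and well-known domain RIDs (the last
# sub-authority of a domain account SID). Documented Windows constants.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

# Constructed sample: the built-in Administrator (RID 500) of a made-up domain.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"


def sid_from_bytes(data: bytes) -> str:
    """Decode the binary SID layout (revision, sub-authority count, 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities)
    into the familiar S-1-... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15 or len(data) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", data[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; validates every field of the textual form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"SID field out of range: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_sid(sid: str):
    """For a domain account SID (S-1-5-21-A-B-C-RID) return (domain SID, RID);
    None for any other SID, including a bare domain SID without a RID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:7]), int(parts[7])


def describe_sid(sid: str) -> str:
    """Label a SID the way a reviewer would: well-known SID, well-known
    domain RID, or an ordinary domain account."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    split = split_domain_sid(sid)
    if split is None:
        return "other SID"
    domain, rid = split
    return WELL_KNOWN_RIDS.get(rid, f"domain account RID {rid} in {domain}")


if __name__ == "__main__":
    raw = sid_to_bytes(SAMPLE_SID)
    print(raw.hex())
    print(sid_from_bytes(raw), "->", describe_sid(SAMPLE_SID))
```

Because the RID, not the account name, identifies the built-in Administrator, a renamed account with RID 500 is still flagged as such; that is the check an auditor wants when reviewing the Full Control entries in a GPO's permission table.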

23 LDAP-related Names: LDAP defines what operations can be performed in order to query and modify information in a directory, and how information in a directory can be securely accessed.

24 LDAP-related Names: Three object-naming formats based on the LDAP distinguished name: –LDAP DN and RDN names –LDAP URLs –LDAP-based canonical names

25 LDAP-related Names. Example: User = John; Country = USA (forest); State = CA (tree); City = Rosemead (domain); Department = Marketing (OU)

26 LDAP-related Names. LDAP DN name: cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA. LDAP URL name: LDAP://server1.CA.USA.com/cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA. Canonical name: CA.USA.com/Rosemead/Marketing/John
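The three naming formats on this slide are mechanical transformations of one another. The following added example (not code from the presentation) parses an RFC 4514 distinguished name into its RDNs, honouring the backslash and hex escapes that appear as soon as a value contains a comma, and derives the LDAP URL and canonical name from it. It follows the Windows rule that the canonical name begins with the DNS name formed from the dc components, so for the slide's DN it yields Rosemead.CA.USA/Marketing/John rather than the slide's rendering; the host name and the "Doe, John" value are constructed for illustration.

```python
from urllib.parse import quote

# Characters that may be escaped with a single backslash in an RFC 4514 DN.
_SPECIAL = set(',=+<>#;"\\ ')

# The DN from the slide, reused by the demonstration below.
SLIDE_DN = "cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA"


def parse_dn(dn: str) -> list:
    """Split a distinguished name into (type, value) pairs, leaf first.
    Handles backslash escapes ("\\,") and hex escapes ("\\2C", UTF-8 bytes).
    Multi-valued RDNs joined with '+' are not split (kept as one value)."""
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in _SPECIAL:
                buf += nxt.encode("utf-8")
                i += 2
            else:
                hexpair = dn[i + 1:i + 3]
                if len(hexpair) != 2:
                    raise ValueError("dangling escape in DN")
                buf.append(int(hexpair, 16))   # raises ValueError if not hex
                i += 3
        elif c == ",":
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
            i += 1
        else:
            buf += c.encode("utf-8")
            i += 1
    rdns.append(buf.decode("utf-8"))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), value))
    return out


def canonical_name(dn: str) -> str:
    """DNS domain name (from the dc components, leaf first) followed by the
    container path from the root down to the object, separated by '/'.
    A '/' inside a value is escaped as '\\/' (Windows canonical-name rule)."""
    rdns = parse_dn(dn)
    dcs = [v for t, v in rdns if t == "dc"]
    path = [v for t, v in rdns if t != "dc"]
    if not dcs:
        raise ValueError("DN has no dc components; no domain to name")
    parts = [".".join(dcs)] + [v.replace("/", "\\/") for v in reversed(path)]
    return "/".join(parts)


def ldap_url(host: str, dn: str, port=None) -> str:
    """RFC 4516 URL form: scheme, host[:port], then the percent-encoded DN
    ('=' and ',' are left readable, everything else unsafe is encoded)."""
    authority = host if port is None else f"{host}:{port}"
    return f"ldap://{authority}/{quote(dn, safe='=,')}"


if __name__ == "__main__":
    for t, v in parse_dn(SLIDE_DN):
        print(f"{t:>3} = {v}")
    print(ldap_url("server1.CA.USA.com", SLIDE_DN))
    print(canonical_name(SLIDE_DN))
    # A value with an embedded comma must be escaped in the DN form.
    print(canonical_name("cn=Doe\\, John,ou=Sales,dc=example,dc=com"))
```

The escape handling is the part worth keeping: a naive split on "," turns "cn=Doe\, John" into two broken RDNs, and such malformed names are exactly what a tool consuming directory data should reject rather than guess at.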

27 Object Publishing: Publishing is the act of creating objects in the directory that either directly contain the information you want to make available or provide a reference to it. –Share publishing –Printer publishing

28 When to Publish: Relatively static –Publish only information that changes infrequently. Structured –Publish information that is structured and can be represented as a set of discrete attributes.

29 How to Publish: Remote Procedure Call (RPC), Windows Sockets, Distributed Component Object Model (DCOM)

30 You use domains to accomplish the following network management goals: administrative boundaries; replicate information; apply Group Policy; structure the network; delegate administrative authority.

31 Domains: Trees, Forests, Trusts, and OUs (organizational units)

32 Figure 3: Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships. (Tree)

33 Figure 4: One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQ-Root.com. (Forests)

34 Figure 5: Shortcut trusts between Domains B and D, and between Domains D and 2. (Forest)

35 Trust Relationships: Transitive; Two-way; Shortcut trusts; External trusts

36 Figure 7: A network with two forests and one extranet. (Trust Relationships)

37 Figure 9: Intra-site replication with just one domain. (Organizational Units)

38 Figure 10: Intra-site replication with two domains and two global catalogs. (Trust Relationships)

39 Figure 11: Two sites connected by a site link. Each site's preferred bridgehead server is used preferentially for inter-site information exchange. (Trust Relationships)

40 Domain and OU Delegation. Domain common tasks you can delegate: –Join a computer to a domain –Manage Group Policy links. Organizational unit common tasks you can delegate: –Create, delete, and manage user accounts –Reset passwords for user accounts –Read all user information –Create, delete, and manage groups –Modify the membership of a group –Manage printers –Create and delete printers –Manage Group Policy links

41 Table 4: Security Permission Settings for a GPO (Groups or Users / Security Permission). –Authenticated Users: Read, with Apply Group Policy ACE. –Domain Administrators, Enterprise Administrators, Creator Owner, Local System: Full Control, without Apply Group Policy ACE.

42 Group Policy (GP): Defines a variety of user environments that administrators can manage. GP configurations apply to computers; GP settings apply to users and computers in sites, domains, and OUs.

43 Group Policy Components: Registry-based policies; Security options; Software deployment options; Scripts; Redirection of special folders

44 Group Policy: GP affects all users and computers in the linked container unless administrators explicitly change permissions. By using security groups, policies are applied specifically to sets of objects within a container. Within security groups, Group Policy Objects (GPOs) determine the following for specific containers: Using security groups to represent the business organizational structure is more efficient than using domains or organizational units for administration. Policy settings that are domain-wide, or applied to OUs containing other OUs, are inherited by child containers unless inheritance is otherwise specified.

45 Delegating Control of Group Policies:  Network administrators (enterprise administrators or domain administrators) can determine which other administrator groups can modify policy settings.  Delegation can also be granted to other administrators to perform the following tasks: –managing Group Policy for domains, sites, and organizational units –creating Group Policy objects –editing Group Policy objects

46 Interoperability:  Active Directory (AD) supports a number of standards to ensure interoperability of the Windows 2000 environment with other vendors (Novell, Unix). The following are supported by Active Directory: Lightweight Directory Access Protocol (LDAP), an industry standard for directory access. This protocol is on track at the Internet Engineering Task Force (IETF) to become an Internet standard. o LDAP is used to add, modify, delete, and query information stored in AD. o LDAP is to AD as SQL is to Oracle. o LDAP determines how a client can access the directory, which operations it can perform within the directory, and how directory data is shared. o Application Programming Interfaces (API) uses

47 Active Directory Service Interfaces and LDAP C API: ADSI enables access to AD by exposing objects stored in the directory as Component Object Model (COM) objects that scripts can use. COM objects have access to different types of directories for which a provider exists. Several providers: Novell Directory Services (NDS), WinNT, LDAP, and the Internet Information Services metabase. Do you guys know what an object is?

48 Active Directory Service Interfaces and LDAP C API. Example: You can add a method to the user object that creates an Exchange mailbox for a user when the method is invoked. The LDAP C API (RFC 1823) is a set of low-level C-language APIs to the LDAP protocol. It is used by developers; however, ADSI is more powerful and more appropriate for developers.

49 Synchronizing AD with other Directory Services (DS): AD interacts with other directory services by using an Active Directory Connector, which offers bi-directional synchronization for:  MS Exchange (e-mail)  Lotus Notes (e-mail)  GroupWise (e-mail and common attributes)  LDAP Data Interchange Format (LDIFDE): Supports importing and exporting directory information. This is an Internet standard format.

50 LDIFDE usage: Perform batch operations such as add, delete, rename, and modify. Can also be used to back up or extend the schema.
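The batch files LDIFDE imports and exports are in the LDIF format (RFC 2849). The following added example (not part of the presentation and not Microsoft's LDIFDE tool) writes LDIF "add" records for a batch import and parses them back, covering the two points that trip up hand-written batch files: values that must be base64-encoded (non-ASCII text, a leading space) are written with "::", and lines over 76 characters are folded onto continuation lines that begin with a space. The two user records are constructed sample data for a made-up domain.

```python
import base64


def _needs_base64(value: str) -> bool:
    """RFC 2849: a value that starts with space, ':' or '<', ends with a space,
    or contains non-ASCII / NUL / CR / LF must be written base64-encoded."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def _attr_line(name: str, value: str) -> str:
    if _needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def _fold(line: str, width: int = 76) -> str:
    """Wrap a long line; each continuation line starts with a single space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def ldif_add_record(dn: str, attrs: dict) -> str:
    """One 'changetype: add' record; attrs maps attribute name -> list of values."""
    lines = [_attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        lines.extend(_attr_line(name, v) for v in values)
    return "\n".join(_fold(line) for line in lines) + "\n"


def parse_ldif(text: str) -> list:
    """Parse LDIF into one dict per record (attribute names lower-cased, each
    mapped to its list of values). Unfolds continuation lines, skips comments
    and the optional version line, and decodes '::' base64 values."""
    records, logical = [], []

    def finish():
        if not logical:
            return
        rec = {}
        for line in logical:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest[1:] if rest.startswith(" ") else rest
            rec.setdefault(name.lower(), []).append(value)
        records.append(rec)
        logical.clear()

    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw == "":
            finish()                      # blank line ends a record
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # continuation of the previous line
        else:
            logical.append(raw)
    finish()
    return records


def sample_ldif() -> str:
    """Constructed batch of two users: the umlaut and the leading space force
    base64 encoding, the long description forces line folding."""
    return (
        ldif_add_record("cn=J\u00f6rg Weber,ou=Marketing,dc=example,dc=com",
                        {"objectClass": ["top", "person", "user"],
                         "cn": ["J\u00f6rg Weber"],
                         "sAMAccountName": ["jweber"],
                         "description": ["x" * 150]})
        + "\n"
        + ldif_add_record("cn=Ann Lee,ou=Marketing,dc=example,dc=com",
                          {"objectClass": ["top", "person", "user"],
                           "cn": ["Ann Lee"],
                           "description": [" starts with a space"]})
    )


if __name__ == "__main__":
    text = sample_ldif()
    print(text)
    for rec in parse_ldif(text):
        print(rec["dn"][0], "->", rec.get("samaccountname"))
```

Generating the file programmatically rather than by hand is what keeps a large batch import from silently corrupting a value: a directory tool that reads "cn: Jörg Weber" without base64 encoding is outside the format, and what it stores depends on the tool.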

51 Internal and external references: Administrators can create cross-reference objects that point to a server in a directory in another forest. They take the form of containers. Internally, the external reference will appear as a child of an existing AD object; externally, it will not appear at all. For both internal and external references, AD contains the name of the DNS server holding a copy of the external directory and the distinguished name of the root of the external directory.

52 Kerberos Role and Interoperability: Windows 2000 and above support multiple configurations for cross-platform interoperability, ranging from: Clients: A domain controller will authenticate clients running RFC 1510 Kerberos, including clients running other operating systems. Unix clients and services: A Kerberos principal is mapped to a Windows 2000 user or computer account.

53 Kerberos Role and Interoperability. Applications and operating systems: Applications and other operating systems can obtain tickets for services within a Windows 2000 environment. Provides backward support for earlier versions of operating systems through a mixed-mode network configuration. A mixed-mode domain is a networked set of computers that run both NT 4.0 and Windows 2000 and above.

54 Summary: Active Directory helps centralize and simplify network manageability and provides the necessary resources to support the organization's objectives. AD stores information about network objects and makes the information available to administrators, users, and applications. It interacts with the Domain Name System (DNS) by providing a namespace that defines all objects.

55 Summary: Uses domains, trees, forests, trust relationships, organizational units, and sites to structure the network and its objects. Administrative tasks can be delegated to appropriate support groups to manage OUs, domains, and sites. AD is built on standard directory access protocols and, along with APIs, can access other directory services to expand its flexibility. Data can be exported or imported as required.

56 Glossary. Active Directory: An enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated at the operating-system level. Active Directory simplifies administration and makes it easier for users to find resources. Active Directory provides a wide range of features and capabilities, including Group Policy, scalability without complexity, support for multiple authentication protocols, and the use of Internet standards.

57 Glossary. Active Directory Service Interfaces (ADSI): ADSI is a directory service model and a set of Component Object Model (COM) interfaces. It enables Windows 95, Windows 98, Windows NT, and Windows 2000 applications to access several network directory services, including Active Directory. It is supplied as a Software Development Kit (SDK).

58 Glossary. Asynchronous Transfer Mode (ATM): ATM is a high-speed, connection-oriented protocol designed to transport multiple types of traffic across a network. It is applicable to both local area networks (LANs) and wide area networks (WANs). Using ATM, your network can simultaneously transport a wide variety of network traffic: voice, data, image, and video.

59 Glossary. Dynamic Host Configuration Protocol (DHCP) with Domain Name System (DNS) and Active Directory: DHCP works with DNS and Active Directory on Internet Protocol (IP) networks, freeing you from assigning and tracking static IP addresses. DHCP dynamically assigns IP addresses to computers or other resources connected to an IP network.

60 Glossary. Indexing Service: Indexing provides a fast, easy, and secure way for users to search for information locally or on the network. Users can use powerful queries to search files in different formats and languages, either through the Start menu Search command or through Hypertext Markup Language (HTML) pages that they view in a browser.

61 Glossary. Internet Authentication Service (IAS): IAS provides you with a central point for managing authentication, authorization, accounting, and auditing of dial-up or Virtual Private Network users. IAS uses the Internet Engineering Task Force (IETF) protocol called Remote Authentication Dial-In User Service (RADIUS).

62 Glossary. Internet Information Services (IIS) 5.0: The powerful features in Internet Information Services (IIS), a part of Microsoft Windows 2000 Server, make it easy to share documents and information across a company intranet or the Internet. Using IIS, you can deploy scalable and reliable Web-based applications, and you can bring existing data and applications to the Web. IIS includes Active Server Pages and other features.

63 Glossary. Lightweight Directory Access Protocol (LDAP) support: LDAP, an industry standard, is the primary access protocol for Active Directory. LDAP version 3 was defined by the IETF.

64 Glossary. Terminal Services: The Windows 2000 Server family offers the only server operating systems that integrate terminal emulation services. Using Terminal Services, a user can access programs running on the server from a variety of older devices. For example, a user could access a virtual Windows 2000 Professional desktop and 32-bit Windows-based applications from hardware that couldn't run the software locally. Terminal Services provides this capability for both Windows and non-Windows-based client devices.

65 Glossary. Virtual Private Network (VPN): You can allow users ready access to the network even when they're out of the office, and reduce the cost of this access, by implementing a VPN. Using VPNs, users can easily and securely connect to the corporate network. The connection is through a local Internet Service Provider (ISP), which reduces connect-time charges. With Windows 2000 Server, you can use several new, more secure protocols for creating Virtual Private Networks, including: L2TP, a more secure version of PPTP (L2TP is used for tunneling, address assignment, and authentication), and IPSec, a standards-based protocol that provides the highest levels of VPN security. Using IPSec, virtually everything above the networking layer can

66 END

