Microsoft Confidential Zelko Kecman Microsoft Windows 2000 Server Directory Services.


1 Microsoft Windows 2000 Server Directory Services
   Zelko Kecman, Microsoft (Microsoft Confidential)

2 Active Directory Design Goals
   [Diagram: Asia, Europe, Chicago, San Diego, Boston; legend: Windows NT Domain, Partition Boundary, Domain Controller, Partition Replica]
   - Must meet enterprise requirements
   - Scalability with minimum complexity
   - Built on Internet standards
   - Security through simplicity
   - Enable incremental upgrade and migration
   - Work well with existing directory investments
   - Flexibility to support organizational change

3 Active Directory Delivers
   - User and Network Management: users and organization management; user device management
   - Authentication and Authorization Services: protect data and facilitate access; based on Internet technologies
   - Directory Management: directory consolidation; directory synchronization
   - Infrastructure Services: directory-enabled networking; directory-enabled services
   - Application Management: publish server locations for client lookup; policy-based application configuration

4 Simplify User and Network Management
   [Diagram: Root -> Users, Machines, Applications; Marketing, Personnel, Devices. Callouts: "Give 'Personnel' Members the HR Application", "Color Printer in Building 6", "Delegate Management Tasks to Office Admins"]
   - Users and organization management
   - User device management

5 Provide Security Services
   [Diagram: Root -> Users, Machines, Applications; Marketing, Extranet, Devices. Callouts: "Restrict Access Rights of Extranet Users"; Kerberos, X.509 Smart Card, PKI Certificates]
   - Protect data while facilitating access
   - Based on Internet technologies

6 Simplify Directory Management
   [Diagram: Users -> Marketing, Personnel. Callouts: "User Application: Store Application Data on User Objects", "Exchange Platinum: Consolidated User and Mailbox Management", "Directory Synchronization"]
   - Directory consolidation
   - Directory synchronization

7 Enhanced Infrastructure Services
   [Diagram: Root -> Users, Machines, Applications; Billing, Doctors, Routers. Callouts: "Policy: Give Doctors More Bandwidth than the Billing Department", "Publish file shares to facilitate location"]
   - Directory-enabled networking
   - Directory-enabled services

8 Simplified Application Management
   [Diagram: Root -> Users, Machines, Applications; Marketing, Personnel, Devices. Callouts: "Policy: Give Personnel access to 'Change Salary' Menu Options", "Publish Server locations"]
   - Publish server locations for client lookup
   - Enable application configuration based on policies and roles

9 What Is Active Directory?
   [Diagram: Active Directory at the centre, linked to:]
   - Windows Users: account info, privileges, profiles, policy
   - Windows Clients: management profile, network info, policy
   - Windows Servers: management profile, network info, services, printers, file shares, policy
   Management focal point for: users and resources; security; delegation; policy

10 What Is Active Directory? (continued)
   [Diagram: Active Directory at the centre, linked to:]
   - Windows Users: account info, privileges, profiles, policy
   - Applications: server config, Single Sign-On, app-specific directory info, policy
   - Windows Clients: management profile, network info, policy
   - Windows Servers: management profile, network info, services, printers, file shares, policy
   - Network Devices: configuration, QoS policy, security policy
   - Internet Firewall Services: configuration, security policy, VPN policy
   - Other Directories: white pages, e-commerce
   - Other NOS: user registry, security, policy
   - E-Mail Servers: mailbox info, address book
   Management focal point for: users and resources; security; delegation; policy

11 The Active Directory

12 Active Directory - Terms
   - The directory is made of Objects
   - Objects have Attributes
   - The Schema is the specific definition of objects and attributes
   - Example: User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, ...

13 Active Directory - Terms: Organizational Unit
   - Lowest form of grouping in the Active Directory
   - Group Policy can be applied to Organizational Units
   - Can be nested up to 12 levels deep
   - An Organizational Unit is represented by a circle in the diagrams

14 Nice, Artistic View
   [Diagram only]

15 More Realistic View
   [Diagram: OUs Marketing, Finance, R&D; Sales, Admin, Manufacturing, Distribution]
   - OUs reflect the corporate organization
   - May be a geographical and/or business-model hierarchy
   - Some levels may have children, while others do not

16 Active Directory - Terms: Domain
   - Next hierarchical level above Organizational Units (OUs)
   - Is a security boundary in the Active Directory
   - OU properties are inherited within a domain only, not across domains
   - Provides a replication boundary
   - Represented by a triangle in the Active Directory diagrams

17 Active Directory - Terms: Domain Tree
   - Hierarchically arranged domains created by parent-child relationships
   - All domains within a domain tree share the same root namespace
   - Users can search for all information within the Domain Tree
   - The schema is the same throughout the Domain Tree

18 Active Directory - Terms: Global Catalog
   - Contains a partial replica of the information held in each of the domains
   - The network administrator designates which Objects and Attributes are placed in the Global Catalog
   - Allows fast searching of the key information in the AD without querying every domain
   - Reduces replication overhead

19 Domain Schema vs. Global Catalog
   [Diagram]
   - Domain schema, User Account: Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires, ...
   - Domain schema, Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size
   - Global Catalog, User Account: Name, Title, Manager, Office Location, Phone
   - Global Catalog, Printer: Name, Mfr, Model, Color, Duplex

20 Global Catalog and the Domain Tree
   - The GC in each domain holds its own domain's information, which is complete
   - Plus partial information from all of the other domains in the tree (or forest)

21 Q: What is a group of Domain Trees?
   A: A Forest

22 Active Directory - Terms: Forest
   - A joined set of Domain Trees that:
     - Use the same schema
     - Share the same Global Catalog
     - Are joined by Kerberos trust
   - Very useful for groups of subsidiary companies that want autonomy in administrative roles
   - Provides for multiple public Internet names (microsoft.com, msnbc.com, etc.)

23 Active Directory - Terms: Site
   - Relates directly to the network topology and network connectivity
   - Defined as an area of "good" network connectivity
   - Primarily affects:
     - User logon, distributed file system
     - Replication traffic
   - Site boundaries are independent of domain boundaries

24 Defining Sites
   - Sites are areas of "good" network connectivity, defined by IP subnets
   - Current thinking is a T1 (1.5 Mb/s) link or higher
   - Intra-site replication takes place automatically via RPC
   - Inter-site replication is configured by the network administrator: time of day, frequency

25 Sites
   - Control replication
   - Control how clients locate DCs
   - Determine where to locate GC servers
   - Applications can be site-aware (e.g. DFS)
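Slides 24 and 25 define sites by IP subnet and say that sites control which DCs a client locates. The following added example (not from the presentation) shows the longest-prefix subnet-to-site match and, as the check a practitioner wants, flags clients whose address falls in no defined subnet, since such a client gets no site affinity. The subnet table and client addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet -> site table (hypothetical; the presentation names
# sites only in a diagram and gives no subnets).
SITE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Chicago",
    "10.1.200.0/24": "Chicago-Lab",   # nested inside 10.1.0.0/16
    "10.2.0.0/16": "Boston",
    "192.168.50.0/24": "SanDiego",
}

SiteTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_site_table(subnets: Dict[str, str]) -> SiteTable:
    """Parse CIDR keys and sort most-specific first so that the first
    containing network wins, i.e. a longest-prefix match."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip: str, table: SiteTable) -> Optional[str]:
    """Return the site whose most specific subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None  # no site covers this client


def clients_without_site(ips: List[str], table: SiteTable) -> List[str]:
    """Clients that match no subnet: they cannot be steered to a local DC,
    so a gap here is worth fixing before rollout."""
    return [ip for ip in ips if site_for_client(ip, table) is None]


TABLE = build_site_table(SITE_SUBNETS)

if __name__ == "__main__":
    # Constructed client addresses, e.g. from logon records.
    for ip in ["10.1.3.4", "10.1.200.7", "192.168.50.9", "172.16.0.1"]:
        print(ip, "->", site_for_client(ip, TABLE))
```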

26 Sites - Intra Domain
   [Diagram only]

27 Domain Name System (DNS): Integration Options
   - Windows 2000 DNS owns the root
   - Windows 2000 DNS owns a delegated sub-domain
   - No Windows 2000 DNS implemented

28 DNS Integration Choices: Windows 2000 owns the root
   [Diagram: widgets.org -> na.widgets.org, euro.widgets.org, asia.widgets.org]
   - Pros:
     - No dependency on existing DNS servers
     - No AD integration testing required
     - Multi-master replication with AD-based DNS
     - A shorter, familiar name is more user friendly
   - Cons:
     - Requires effort to replace existing DNS servers

29 DNS Integration Choices: Delegated sub-domain
   [Diagram: widgets.org; w2k.widgets.org -> na.w2k.widgets.org, euro.w2k.widgets.org, asia.w2k.widgets.org]
   - Pros:
     - Requires no upgrade to existing DNS servers
     - Minimizes the dependency of Active Directory on existing DNS servers
   - Cons:
     - Names are longer
     - The added component is arbitrary, therefore unmemorable
     - Continued dependency on existing DNS servers

30 DNS Integration Choices: No Windows 2000 DNS
   [Diagram: widgets.org -> na.widgets.org, euro.widgets.org, asia.widgets.org]
   - Pros:
     - No political change
   - Cons:
     - Single point of failure for dynamic registrations
     - Must upgrade servers to support SRV records (RFC 2052)
     - Must manually enter the contents of NETLOGON.DNS if there is no support for DDNS (RFC 2136)
     - Must perform integration testing with the MS DHCP server
     - More integration testing with third-party servers

31 DNS Naming Considerations
   - Use Internet-standard characters: 'A'-'Z', 'a'-'z', '0'-'9', and '-' (RFC 1123)
     - Microsoft DNS supports a wider range
   - Users are not exposed to domain names
     - An e-mail style login name does not have to be related to the domain name
     - Most interaction is a query to the global catalog
   - Admins are exposed to domain names

32 DNS Requirements: The Locator
   - Domain controllers dynamically register Service Location records
     - SRV resource record (RFC 2052)
     - Maps (service) --> (hosts offering service)
     - General rendezvous mechanism
     - Analogous to SMTP and the MX record
   - The NETLOGON service sends the updates
     - Dynamic update protocol (RFC 2136)

33 DNS Requirements: Locator Records
   - SRV records are named like _ldap._tcp.. i.e. _ldap._tcp.nt.microsoft.com.
   - More like that, all ending in
   - The DNS server that owns
     - MUST support the SRV record
     - SHOULD support dynamic update
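Slides 30 to 33 describe the locator: DCs register _ldap._tcp SRV records (RFC 2052), written to NETLOGON.DNS when the DNS server cannot take dynamic updates, and hostnames should stick to RFC 1123 characters. This added example (not from the presentation) parses constructed SRV lines in the master-file layout such records use, checks each target hostname against the RFC 1123 character set, and orders targets as an RFC 2052 client does: lowest priority first, weighted random within a priority. The domain nt.example.com and the hosts are constructed.

```python
import random
import re
from collections import namedtuple
from typing import List

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Constructed records for a hypothetical domain nt.example.com; not an
# actual NETLOGON.DNS file. Format: owner TTL IN SRV prio weight port target
SAMPLE_ZONE = """
_ldap._tcp.nt.example.com. 600 IN SRV 0 100 389 dc1.nt.example.com.
_ldap._tcp.nt.example.com. 600 IN SRV 0 100 389 dc2.nt.example.com.
_ldap._tcp.nt.example.com. 600 IN SRV 10 100 389 dc3.nt.example.com.
_ldap._tcp.nt.example.com. 600 IN SRV 0 100 389 dc_bad.nt.example.com.
"""

# One RFC 1123 label: letters, digits, '-' ; no leading/trailing '-'.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def rfc1123_ok(hostname: str) -> bool:
    """True if every label uses only RFC 1123 hostname characters. SRV owner
    names (_ldap._tcp...) legitimately fail this; it is for target hosts."""
    return all(LABEL_RE.match(lb) for lb in hostname.rstrip(".").split("."))


def parse_srv(zone_text: str) -> List[SrvRecord]:
    records = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
            continue  # skip blank lines and non-SRV records
        records.append(SrvRecord(f[0], int(f[1]), int(f[4]), int(f[5]), int(f[6]), f[7]))
    return records


def order_targets(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2052 client order: ascending priority; within a priority, repeated
    weighted random draws (weight 0 only if nothing else is left)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            chosen, total = bucket[0], sum(r.weight for r in bucket)
            if total > 0:
                pick, running = rng.randrange(total), 0
                for r in bucket:
                    running += r.weight
                    if pick < running:
                        chosen = r
                        break
            bucket.remove(chosen)
            ordered.append(chosen)
    return ordered


def locate_dcs(zone_text: str, seed: int = 1) -> List[str]:
    return [r.target for r in order_targets(parse_srv(zone_text), random.Random(seed))]


def bad_hostnames(zone_text: str) -> List[str]:
    return [r.target for r in parse_srv(zone_text) if not rfc1123_ok(r.target)]
```

`bad_hostnames` reports targets such as dc_bad that a Microsoft DNS server would accept but a strict RFC 1123 resolver may reject; the owner name's underscore labels are the expected exception.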

34 Upgrading Windows NT 4.0
   - Start with Windows NT 4.0 domains
   - Implement Mixed mode domains
   - Migrate over time to Native mode domains

35 Summary
   - Active Directory terms
   - Plan your domains
     - OUs, Group Policy
     - Sites, Global Catalog, DNS
   - Plan the upgrade
   - Review the plan
