
The world before the Active Directory

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 1: Introduction to Active Directory. The world before the Active Directory.



  1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 1: Introduction to Active Directory

  2. The world before the Active Directory
  • The overwhelming majority of networks today run without any single, unified directory service. Many companies store information in various disconnected systems. For example:
    • Companies record data about their employees in a human resources database.
    • Network accounts reside on a Windows NT 4 domain controller.
    • Other information, such as security settings for applications, resides within various other systems.
    • And there's always the classic: paper-based forms!

  3. Windows NT to the rescue!
  • Windows NT is a NOS (Network Operating System).
  • The goal of Windows NT was to bring security, organization, and accessibility to information throughout a company's network.
  • The GUI got rid of cryptic command-line interfaces and simplified management.
  • Windows NT offered reliability, scalability, performance, flexibility, and compatibility with a large installed base of existing software products.

  4. Domain Model in Windows NT 4
  • One Primary Domain Controller (PDC) per network
  • Several Backup Domain Controllers (BDCs)
  • All network security accounts are stored on the PDC. To improve performance and reliability, the database is replicated to the BDCs.
  • There can be only one master copy of the account database, and it resides on the PDC. All user and security account changes must be recorded by the PDC.
  • This model works well only for small- to medium-sized organizations.

  5. Domain Model in Windows NT 4

  6. Limitations of Windows NT 4
  • Multiple domains are complicated and management-intensive.
  • Trust relationships can grow out of control!
  • Domains are flat entities and cannot be organized hierarchically (e.g., using subdomains for administrative purposes).
  • No nesting of users and groups.
  • Setting permissions is extremely tedious and error-prone (because of the previous point).

  7. Limitations of Windows NT 4 (Cont.)
  • Security allowed complete control over the domain controller, and some users had too many permissions. (This poses several potential problems, both business and technical.)
  • Nevertheless, Windows NT 4 provided an excellent solution for many businesses. But, as with almost any technical solution, there were areas in which improvements could be made.

  8. Active Directory Design
  • Before setting up a server environment, you must design a suitable Active Directory. Several choices need to be made and many considerations taken into account:
    • Political issues
      • How does the current business operate: as single, independent businesses or as a centralized environment? Who will be responsible for administering portions of the network?
    • Network issues
      • What types of connections exist between remote offices? How reliable are those connections? What are the domain name requirements?
    • Organizational issues
      • How are the areas of the business structured? For example, do the departments operate individually, with separate network administrators for each department, or is the environment much more centralized?

  9. Planning and Implementing an Active Directory Infrastructure
  • Planning
    • Most crucial step
    • Poor planning may cause poor performance
    • Must consider the pre-existing network, hardware, etc.

  10. Managing and Maintaining an Active Directory Infrastructure
  • Small changes are constantly required
  • Upgrades involve changes
  • Regular maintenance ensures good performance
  • Troubleshooting is required when problems occur

  11. Planning and Implementing User, Computer, and Group Strategies
  • Authentication
    • Identifying a user to the network
    • A password is the most common method
  • Authorization
    • Determines what resources a user can access
    • Users are typically grouped together for authorization

  12. Planning and Implementing Group Policy
  • Group Policy
    • Used to manage the way workstations, servers, and user environments behave
    • Examples:
      • Require all communications between clients and servers to be encrypted
      • Control how a user's desktop appears
      • Perform maintenance tasks

  13. Planning and Implementing Group Policy (continued)
  • Examples:
    • Deploy applications to computers or users throughout the network
  • Influenced by:
    • User requirements
    • Corporate policies
    • Network design
    • Who manages policies

  14. Managing and Maintaining Group Policy
  • Changes to policies, and troubleshooting the results of policies, may be required.
  • Updates can be applied to computers that had applications installed via Group Policy.
  • Example: an older antivirus version installed on machines can be upgraded to a newer version via Group Policy.

  15. Windows Networking Concepts Overview
  • Network models:
    • Domain
    • Workgroup
  • Windows Server 2003 system roles:
    • Standalone server
    • Member server
    • Domain controller

  16. Workgroups
  • Logical group of computers
  • Characterized by a decentralized security and administration model
  • Every computer holds its own security database
    • Known as the Security Accounts Manager (SAM) database
  • Each computer must authenticate users independently

  17. Workgroups (continued)
  • Benefits:
    • Simple
    • Does not explicitly require a server
  • Drawbacks:
    • Time-consuming to manage
  • A Windows Server 2003 system participates as a standalone server

  18. Workgroup Security Model

  19. Domains
  • Logical group of computers
  • Characterized by centralized authentication and administration
  • All domain computers use a centralized security database
  • Domain controllers (DCs)
    • Special servers
    • Responsible for managing the security database
    • Responsible for authenticating users on the domain

  20. Domains (continued)
  • Active Directory
    • Stored on one or more computers configured as domain controllers
  • A DC can be:
    • Windows 2000 Server
    • Windows Server 2003

  21. Domain Security Model

  22. Domains
  • Other domain computers:
    • "domain members"
    • "member servers"
    • Can authorize access to a particular resource based on the domain authentication
  • Highly recommended in environments that consist of more than 10 users or workstations

  23. Domains (continued)
  • Requires at least one server configured as a domain controller
    • Additional expense
  • A minimum of two domain controllers is preferred
    • Provides fault tolerance
    • Load balancing

  24. Logging on to a Domain

  25. Domains
  • Member servers:
    • A Windows Server 2003 system that has a computer account in a domain
    • Not configured as a domain controller
    • Used for a wide variety of functions, including:
      • File server
      • Print server
      • Application server

  26. Domains (continued)
  • Member servers:
    • Commonly host network services such as:
      • Domain Name Service (DNS)
      • Dynamic Host Configuration Protocol (DHCP)
  • Domain controller:
    • A Windows Server 2003 system
    • Explicitly configured to store a copy of the Active Directory database
    • Responsible for servicing user authentication requests and queries about domain objects

  27. Introduction to Windows Server 2003 Active Directory
  • Native directory service included with the Windows Server 2003 operating systems
  • Provides:
    • A central point for:
      • Storing
      • Organizing
      • Managing
      • Controlling network objects
    • A single point of administration of objects

  28. Introduction to Windows Server 2003 Active Directory (continued)
  • Provides:
    • Logon and authentication services for users
    • Delegation of administration
  • Each domain controller has a writeable copy of the directory database
    • Make Active Directory changes on any domain controller
    • Changes are replicated to all other domain controllers

  29. Introduction to Windows Server 2003 Active Directory (continued)
  • Multi-master replication
    • Provides a form of fault tolerance
  • DNS:
    • Used to maintain domain-naming structures
    • Used to locate network resources

  30. Active Directory Objects
  • Object
    • Represents network resources such as:
      • Users
      • Groups
      • Computers
      • Printers
  • Various attributes are assigned to objects
    • Examples: first name, last name, user logon name, etc.

  31. User Object

  32. Active Directory Schema
  • Defines all of the objects and attributes available in Active Directory
  • Only one schema for each Active Directory implementation
  • Consists of two main definitions:
    • Object classes
      • Examples: users, printers
    • Attributes
      • Example: description
    • Defined once in the schema to maintain consistency

  33. Active Directory Logical Structure and Components
  • Logical components:
    • Domains and Organizational Units
    • Trees and Forests
    • Trusts

  34. Domains and Organizational Units
  • Domain
    • Logically structured organization of objects
    • Part of a network
    • Shares a common directory database
    • Has a unique name
    • Organized in levels
    • Administered as a unit with common rules and procedures
    • Provides administrative benefits

  35. Domains and Organizational Units (continued)
  • Organizational unit (OU)
    • Logical container
    • Used to organize objects within a single domain
    • Stores objects such as:
      • Users
      • Groups
      • Computers
      • Other organizational units
    • Ability to delegate administrative control over an OU
    • Example: organize users based on the department in which they work! Delegate admin rights/permissions to add and remove users within the OU.

  36. Domains and Organizational Units (continued)

  37. Trees and Forests
  • Reasons for multiple domains:
    • Geographic separation
    • Different password policies
    • Large number of objects
    • Replication performance
  • Forest root domain
    • First domain defined in the deployment

  38. Trees and Forests (continued)
  • Tree
    • Hierarchical collection of domains
    • Share a contiguous DNS namespace
  • Forest
    • Collection of trees
    • Trees do not share a contiguous DNS naming structure

  39. Trees

  40. Forests

  41. Trusts
  • Two-way, transitive trust relationships
    • Automatically created for child domains
  • Transitive trust
    • All other trusted domains implicitly trust one another
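The transitivity claim on this slide, together with the tree and forest structure of slides 37 and 38, can be checked in code. The Python model below is an added example and not part of the course slides: it builds a constructed two-tree forest (all domain names are made up), creates the parent/child and tree-root trusts Active Directory sets up automatically, and compares transitive trust reach with the non-transitive behaviour of NT 4 trusts.

```python
# Added example (not from the course slides): model an Active Directory forest
# and check that two-way transitive trusts let every domain trust every other,
# which the same trusts would not achieve if they were non-transitive (NT 4).
# Constructed sample forest: two trees; corp.example is the forest root.
FOREST = ["corp.example", "sales.corp.example", "emea.sales.corp.example",
          "research.example", "lab.research.example"]
FOREST_ROOT = "corp.example"

def parent_of(domain, forest):
    """Parent domain inside the forest, or None for a tree root: a child's
    DNS name is its parent's name with one extra label in front."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in forest:
            return ".".join(labels[i:])
    return None

def tree_roots(forest):
    return sorted(d for d in forest if parent_of(d, forest) is None)

def automatic_trusts(forest, forest_root):
    """Trusts AD creates on its own, as (trusting, trusted) pairs: two-way
    parent/child per child domain, two-way tree-root between tree roots."""
    trusts = set()
    for d in forest:
        p = parent_of(d, forest)
        if p is not None:
            trusts |= {(d, p), (p, d)}
    for r in tree_roots(forest):
        if r != forest_root:
            trusts |= {(r, forest_root), (forest_root, r)}
    return trusts

def trusted_by(domain, trusts, transitive):
    """Domains whose accounts `domain` accepts. Non-transitive (NT 4): only
    directly trusted domains. Transitive (AD): trust is followed onward."""
    reach, frontier = set(), {domain}
    while frontier:
        step = {t for a, t in trusts if a in frontier and t not in reach and t != domain}
        reach |= step
        frontier = step if transitive else set()
    return reach

def full_mesh(forest, trusts, transitive):
    """True when every domain in the forest trusts every other domain."""
    return all(trusted_by(d, trusts, transitive) == set(forest) - {d} for d in forest)

if __name__ == "__main__":
    trusts = automatic_trusts(FOREST, FOREST_ROOT)
    print(len(trusts) // 2, "two-way trusts created automatically")  # 4
    print("AD:", full_mesh(FOREST, trusts, True), "NT 4:", full_mesh(FOREST, trusts, False))
```

With only four automatic two-way trusts, every one of the five domains ends up trusting the other four; with the same four trusts treated as non-transitive, a leaf domain trusts nothing but its parent.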

  42. Activity 1-4: Creating a Child Domain in an Existing Domain Tree
  • Objective: Promote a member server to a domain controller for a new child domain in an existing domain tree
  • Use the Active Directory Installation Wizard or the Configure Your Server Wizard to create a domain

  43. Child Domain Installation Window

  44. Active Directory Communications Standards
  • DNS naming standard
    • Hostname resolution
    • Provides information on the location of network services and resources
  • Lightweight Directory Access Protocol (LDAP)
    • Used to query or update the Active Directory database
    • Naming paths:
      • Distinguished name
      • Relative distinguished name
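As an added example that is not from the slides, the Python below works with the two LDAP naming paths listed here: it splits a distinguished name into its relative distinguished names while honouring the backslash escapes of RFC 4514 (a naive split on ',' breaks a CN such as "Smith, John"), recovers the RDN and the parent container, and maps a DNS domain name to the DC= form of its domain object's DN, which makes the contiguous-namespace idea of slide 38 visible. All names are constructed.

```python
# Added example (not from the course slides): parse LDAP naming paths. A DN is
# a comma-separated chain of RDNs, most specific first (RFC 4514 escaping).

def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes
    (the \\XX hex form of RFC 4514 is not handled here)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def rdn_of(dn):
    """Relative distinguished name: the leftmost RDN."""
    return split_rdns(dn)[0]

def parent_dn(dn):
    """DN of the container that holds the object: everything after the RDN."""
    return ",".join(split_rdns(dn)[1:])

def rdn_value(rdn):
    """Attribute type and unescaped value of one RDN."""
    attr, _, raw = rdn.partition("=")
    value, chars = [], iter(raw)
    for ch in chars:
        value.append(next(chars, "") if ch == "\\" else ch)
    return attr.strip(), "".join(value)

def domain_dn(dns_name):
    """DN of the domain object for a DNS domain name:
    sales.corp.example -> DC=sales,DC=corp,DC=example."""
    return ",".join("DC=" + label for label in dns_name.split("."))

# Constructed sample: a user whose surname-first CN contains a comma.
USER_DN = "CN=Smith\\, John,OU=Sales,DC=corp,DC=example"

if __name__ == "__main__":
    print(rdn_of(USER_DN), "in", parent_dn(USER_DN))
    print(len(USER_DN.split(",")), "vs", len(split_rdns(USER_DN)))  # naive 5 vs 4
```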

  45. Active Directory Physical Structure
  • Make sure any modification to the database is replicated as quickly as possible
  • Design the topology so that replication does not saturate the available network bandwidth
  • Control logon traffic
  • See page 25: Logical vs. Physical Structure.

  46. Active Directory Physical Structure (continued)
  • Site
    • Combination of one or more Internet Protocol (IP) subnets
    • Connected by a high-speed connection
  • Site link
    • Configurable object
    • Represents the connection between sites

  47. Site Structure

  48. Global Catalog
  • Used primarily for:
    • Finding Active Directory information from anywhere in the forest
    • Universal group membership information
    • Authentication services
    • Directory lookup requests from Exchange 2000/2003
  • The first domain controller in Active Directory automatically becomes a Global Catalog server

  49. New Active Directory Features in Windows Server 2003
  • Windows Server 2003 brings new features and capabilities
  • Primary benefits:
    • Flexibility
    • Lower total cost of ownership (TCO)

  50. Deployment and Management
  • Active Directory Migration Tool (ADMT) 2.0
  • Domain Rename
  • Schema Redefine
