Chapter Summary. Understanding DNS Understanding Name Resolution Configuring a DNS Client Understanding Active Directory Understanding Active Directory Structure and Replication Understanding Active Directory Concepts. Introduction to DNS.
Chapter Summary
• Understanding DNS
• Understanding Name Resolution
• Configuring a DNS Client
• Understanding Active Directory
• Understanding Active Directory Structure and Replication
• Understanding Active Directory Concepts

Introduction to DNS
• The Domain Name System (DNS) is a naming system based on a distributed database.
• DNS is used in TCP/IP networks to translate computer names to IP addresses.
• DNS is the default naming system for IP-based networks.
• The DNS Service is not available with Microsoft Windows XP Professional, but it ships with Microsoft Windows 2000 Server.

Benefits of Using DNS
• DNS names are user friendly.
• DNS names remain more constant than IP addresses.
• DNS uses the same naming conventions as the Internet.
Examples of Second-Level Domains
• ed.gov
• Microsoft.com
• Stanford.edu
• w3.org

Host Names
• Host names refer to specific computers on the Internet or an intranet.
• They are the leftmost portion of a fully qualified domain name (FQDN), such as Computer1.sales.microsoft.com.
• DNS uses a host’s FQDN to resolve a name to an IP address.
• Host names do not have to match the computer names.

Domain Naming Guidelines
• Limit the number of domain levels.
• Use unique names.
• Use simple names.
• Avoid lengthy domain names.

Domain Naming Guidelines (Cont.)
• Use standard DNS characters and Unicode characters.
• Windows 2000 Server supports A–Z, a–z, 0–9, and hyphen (-).
• The DNS Service supports the Unicode character set.
Name Servers
• DNS name servers store the zone database file.
• They store the database files for one or multiple zones.
• They have authority for the domain namespace that the zone encompasses.
• A zone must have at least one name server.

Primary Zone Database File
• A name server in each domain contains the master database file, called the primary zone database file.
• Changes to a zone are performed on the primary zone database file.
• Multiple name servers act as a backup.

Benefits of Multiple Name Servers
• Provide zone transfers
• Provide redundancy
• Improve access speed
• Reduce the load
Name Resolution
• Name resolution is the process of resolving names to IP addresses.
• DNS resolves a name, such as www.microsoft.com, to an IP address.
• The mapping of names to addresses is stored in the DNS distributed database.

Name Server Caching
• When a name server is processing a query, it might have to send out several queries to find the answer.
• Each query discovers other name servers that have authority for a portion of the domain namespace.
• The name server caches these query results to reduce network traffic.
• When a name server receives a query result, the name server caches the query result for a specified amount of time, referred to as Time to Live (TTL).

Time to Live (TTL)
• The zone that provides the query results specifies the TTL; the default TTL is 60 minutes.
• When TTL expires, the name server deletes the query result from its cache.
• Shorter TTL values help ensure that data about the domain namespace is more current across the network.
• Shorter TTL values increase the load on name servers.
• Longer TTL values decrease the time required to resolve information.
• Longer TTL values mean it will take longer for a client to receive any updated information.
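The caching and TTL slides describe a trade-off between server load and freshness. The following is an added example, not part of the original slides: a minimal name-server cache that keeps each answer for the TTL the answering zone supplied (falling back to the slides' 60-minute default) and deletes it once the TTL expires, plus a simulation that counts upstream queries and stale answers for a short and a long TTL. The zone data, the host name www.example.com and the 192.0.2.x addresses are constructed; the clock is injected so the run is deterministic.

```python
import time


class NameServerCache:
    """Cache of query results, each kept for the TTL the answering zone gave."""
    DEFAULT_TTL = 60 * 60  # the slides' default of 60 minutes, in seconds

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so behaviour can be simulated
        self._entries = {}           # name -> (address, absolute expiry time)
        self.upstream_queries = 0    # how often we had to ask another server

    def resolve(self, name, lookup):
        """Return a cached address, or call lookup(name) -> (address, ttl) and
        cache the answer. An entry whose TTL has expired is deleted, never served."""
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]
        if entry is not None:
            del self._entries[name]
        address, ttl = lookup(name)
        if ttl is None:
            ttl = self.DEFAULT_TTL
        self.upstream_queries += 1
        self._entries[name] = (address, now + ttl)
        return address


def simulate(ttl, change_at, horizon, step=60):
    """Query www.example.com once every `step` seconds for `horizon` seconds.
    The authoritative address changes at `change_at`. Returns
    (upstream queries sent, seconds during which a stale answer was served)."""
    clock = [0]
    cache = NameServerCache(clock=lambda: clock[0])

    def authoritative(name):
        # Constructed zone data using RFC 5737 documentation addresses.
        address = "192.0.2.2" if clock[0] >= change_at else "192.0.2.1"
        return address, ttl

    stale_seconds = 0
    while clock[0] < horizon:
        answer = cache.resolve("www.example.com", authoritative)
        truth = "192.0.2.2" if clock[0] >= change_at else "192.0.2.1"
        if answer != truth:
            stale_seconds += step
        clock[0] += step
    return cache.upstream_queries, stale_seconds


if __name__ == "__main__":
    for ttl in (300, 3600):
        queries, stale = simulate(ttl, change_at=1860, horizon=3600)
        print("TTL %4ds: %2d upstream queries, stale answers served for %4ds"
              % (ttl, queries, stale))
```

With a 5-minute TTL the cache sends twelve upstream queries in the hour and serves the old address for four minutes after the change; with the 60-minute default it sends one query but keeps serving the old address for the remaining 29 minutes, which is the "longer to receive updated information" cost the slide names.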
Reverse Lookup Query
• A reverse lookup query maps an IP address to a name.
• Troubleshooting tools such as the nslookup utility use reverse lookup.
• Some applications implement security based on the ability to connect to names rather than IP addresses.
• The DNS distributed database is indexed by name, so a reverse lookup query would require an exhaustive search of every domain name.

The in-addr.arpa Domain
• Is a special second-level domain created to resolve the difficulty of doing a reverse lookup query
• Follows the same hierarchical naming scheme as the rest of the domain namespace, but it is based on IP addresses, not domain names
• Has subdomains named after the numbers in the dotted-decimal representation of IP addresses
• Reverses the order of the IP address octets
• Lets companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask
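The two slides above describe how in-addr.arpa turns an address into a name that can be looked up normally. The following is an added example, not from the original slides: it builds the reverse name for an address, derives the in-addr.arpa subdomain a company would administer for an octet-aligned block, and checks which zone a given address falls under. Because the slide notes that some applications base security on names, the block also includes a forward-confirmation check: whoever administers the address block publishes the PTR record, so a name obtained by reverse lookup should resolve back to the same address before it is trusted. The addresses, names and the forward_lookup callback are constructed for the example.

```python
import ipaddress


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address. The octets are reversed so the
    most significant octet becomes the highest subdomain, matching the way
    address blocks are delegated. 192.0.2.25 -> 25.2.0.192.in-addr.arpa"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(network):
    """The in-addr.arpa subdomain covering an address block. Assumption: the
    block ends on an octet boundary (/8, /16 or /24), since in-addr.arpa
    subdomains are named after whole octets. 192.0.2.0/24 -> 2.0.192.in-addr.arpa"""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("prefix /%d is not on an octet boundary" % net.prefixlen)
    octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def in_zone(ip, network):
    """True if the reverse name of `ip` lies under the zone for `network`,
    i.e. the administrator of that block is the one who publishes its PTR."""
    return reverse_name(ip).endswith("." + reverse_zone(network))


def forward_confirmed(ip, ptr_name, forward_lookup):
    """The PTR answer is controlled by the address block's administrator, so an
    application granting access by name should also require that the name
    resolves back to the address. forward_lookup(name) returns a set of
    addresses (here a constructed callback, not a real resolver)."""
    return ip in forward_lookup(ptr_name)


if __name__ == "__main__":
    print(reverse_name("192.0.2.25"))
    print(reverse_zone("192.0.2.0/24"))
    # Constructed forward data for the confirmation check.
    forward = {"host1.example.com": {"192.0.2.25"}}
    print(forward_confirmed("192.0.2.25", "host1.example.com",
                            lambda n: forward.get(n, set())))
```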
Introduction to DNS Clients
• A DNS client uses DNS, a distributed database used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, for name resolution.
• TCP/IP must be installed for a computer to use DNS.

Configuring DNS Query Settings
• Append Primary And Connection Specific DNS Suffixes
  • Append the client name to the primary domain name, as well as the domain name defined in the DNS Domain Name field of each network connection
• Append Parent Suffixes Of The Primary DNS Suffix
  • The DNS server strips off the leftmost portion of the primary DNS suffix and attempts the resulting domain name.
• Append These DNS Suffixes (In Order)
  • The DNS resolver adds each one of these suffixes, one at a time and in the order you specified.
• Register This Connection’s Addresses In DNS
  • The computer attempts to dynamically register the IP addresses (through DNS) of this computer with its full computer name.
• Use This Connection’s DNS Suffix In DNS Registration
  • The computer uses dynamic updates to register the IP address and the connection-specific domain name of the connection.
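The query settings above determine which fully qualified names a client actually sends to its name server for a short name; the Host Names and Domain Naming Guidelines slides give the label rules those names must satisfy. The following is an added example, not from the original slides, that generates the ordered candidate list for the three suffix settings and validates every label against the A–Z, a–z, 0–9 and hyphen rule. One assumption is marked in the code: devolution stops before a single-label name, so the bare top-level domain is never tried. From a defender's view the candidate list makes visible every namespace a short name can fall into when parent-suffix devolution is on (a short name in sales.microsoft.com is also tried in microsoft.com), which is the reason to prefer an explicit, ordered suffix list.

```python
import re

# Label rule from the "Domain Naming Guidelines" slide: Windows 2000 Server
# supports A-Z, a-z, 0-9 and hyphen. Labels are additionally required here to
# start and end with a letter or digit and to be at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_fqdn(fqdn):
    """Return (host name, domain) for an FQDN: the host name is the leftmost
    label, the domain is everything to its right. Raises on an invalid label."""
    labels = fqdn.rstrip(".").split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid DNS label %r in %r" % (label, fqdn))
    return labels[0], ".".join(labels[1:])


def parent_suffixes(primary_suffix):
    """Devolution: strip the leftmost label of the primary suffix repeatedly.
    Assumption: stop before a single-label name, so 'sales.microsoft.com'
    yields only ['microsoft.com'] and the bare TLD is never queried."""
    labels = primary_suffix.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def candidate_names(name, primary_suffix, connection_suffix=None,
                    devolve=False, suffix_list=None):
    """Ordered list of FQDNs the resolver tries for `name`, following the
    query settings on the slide. A name ending in '.' is taken as already
    fully qualified and is tried as-is only."""
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = []
    if suffix_list:
        # "Append These DNS Suffixes (In Order)": the explicit list replaces
        # the primary and connection-specific suffixes.
        candidates += [name + "." + s for s in suffix_list]
    else:
        # "Append Primary And Connection Specific DNS Suffixes"
        candidates.append(name + "." + primary_suffix)
        if connection_suffix and connection_suffix != primary_suffix:
            candidates.append(name + "." + connection_suffix)
        if devolve:
            # "Append Parent Suffixes Of The Primary DNS Suffix"
            candidates += [name + "." + s for s in parent_suffixes(primary_suffix)]
    for fqdn in candidates:
        split_fqdn(fqdn)  # reject any candidate containing an invalid label
    return candidates


if __name__ == "__main__":
    print(split_fqdn("Computer1.sales.microsoft.com"))
    for fqdn in candidate_names("intranet", "sales.microsoft.com",
                                connection_suffix="eng.microsoft.com", devolve=True):
        print(fqdn)
```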
What Is Active Directory?
• A directory service uniquely identifies users and resources on a network.
• Active Directory service is the directory service included with Microsoft Windows 2000 products.
• Active Directory provides a single point of network management.
• Active Directory is a network service that
  • Identifies all resources on a network
  • Makes all resources available to users and applications

What Is Active Directory? (Cont.)
• Active Directory includes the directory or data store.
• The directory is a structured database that stores information about network resources.
• Resources stored in the directory are referred to as objects.

Simplified Administration
• Active Directory organizes resources hierarchically in domains.
• A domain is a logical grouping of servers and other network resources under a single domain name.
• A domain is the basic unit of replication and security.
• A domain includes at least one domain controller.
• Active Directory provides
  • A single point of administration for all objects on the network
  • A single point of logon for all network resources

Scalability
• The directory stores information by organizing itself into sections that permit storage for a huge number of objects.
• For example, the directory can be scaled to meet the needs of
  • Small installations with one server and a few hundred objects
  • Huge installations with hundreds of servers and millions of objects
Open Standards Support
• Active Directory’s use of open standards
  • Integrates the Internet concept of a namespace with the Windows 2000 directory service
  • Allows you to unify and manage multiple namespaces
  • Uses DNS for its name system
  • Can exchange information with any application or directory that uses Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP)
  • Can share information with other directory services that support LDAP version 2 or version 3, such as Novell Directory Services (NDS)

Open Standards Support (Cont.)
• Domain Name System
  • DNS is the domain naming and locator service for Active Directory.
  • Windows 2000 domain names are also DNS names.
  • Windows 2000 Server uses dynamic DNS (DDNS).
  • Clients can update the DNS table dynamically.
  • DDNS eliminates the need for other naming services.
  • To function correctly, Active Directory and the associated client software require the DNS Service.

Open Standards Support (Cont.)
• Support for LDAP and HTTP
  • LDAP is an Internet standard for accessing directory services.
  • HTTP is the standard protocol for displaying pages on the World Wide Web.
  • You can display every object in Active Directory as an HTML (Hypertext Markup Language) page in a Web browser.

Support for Standard Name Formats
• Request for Comments (RFC) 822
  • somename@domain.com
• HTTP URL
  • http://domain/path-to-page
• Universal Naming Convention (UNC)
  • Example: \\microsoft.com\xl\budget.xls
• LDAP URL
  • LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel
Logical Structure
• Active Directory separates the logical structure from the physical structure.
• Active Directory lets you organize resources in a logical structure.
• A resource is located by its name rather than its physical location.
• The network’s physical structure is transparent to all users.

Organizational Units
• An organizational unit (OU) is a container that you use to organize objects in a domain into logical administrative groups.
• An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs.
• Each domain can implement its own OU hierarchy.
• There is no limit to the depth of the hierarchy, but shallow is better.
• An administrator can delegate administrative tasks by assigning permissions to OUs.

Domain
• The domain is the core unit of logical structure.
• All network objects exist within a domain.
• A domain stores information about only the objects that it contains.
• A practical limit to the number of objects in a domain is 1 million.

A Domain Is a Security Boundary
• Access control lists (ACLs) control access to domain objects.
• ACLs contain the permissions associated with objects.
• ACLs control
  • Which users can access an object
  • Which type of access users have to the objects
• Security policies and settings do not cross from one domain to another.
• A domain administrator has absolute rights to set policies only in that domain.

Tree
• A tree is a grouping of one or more Windows 2000 domains that share a contiguous namespace.
• The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
• All domains within a single tree share
  • A common schema
  • A common Global Catalog

Forest
• A forest is a grouping of one or more domain trees that form a disjointed namespace.
• All trees in a forest share a common schema.
• Trees in a forest have different naming structures.
• All domains in a forest share a common Global Catalog.
• Domains in a forest operate independently, but the forest enables communication across the entire organization.
Physical Structure
• The physical components of Active Directory are
  • Domain controllers
  • Sites
• The physical components of Active Directory are used to mirror the physical structure of an organization.

Domain Controllers
• Each domain controller in a domain
  • Stores a complete copy of all Active Directory information for that domain
  • Manages changes to that information
  • Replicates changes to other domain controllers in the same domain
  • Automatically replicates all objects in the domain to all other domain controllers in the domain
  • Immediately replicates certain important updates, such as the disabling of a user account

Domain Controllers (Cont.)
• Active Directory uses multimaster replication, in which no one domain controller is the master domain controller.
• Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another controller is completely propagated.
• Having more than one domain controller in a domain provides fault tolerance.
• Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

Sites
• The physical structure of Active Directory is based on sites.
• A site is a combination of one or more IP subnets.
• Typically, a site has the same boundaries as a local area network (LAN).
• Sites are not part of the logical namespace.
• Sites contain only computer objects and connection objects used to configure replication between sites.
• A single domain can span multiple geographical sites, and a single site can include accounts and computers from multiple domains.

Replication Within a Site
• Active Directory includes a replication feature.
• Replication ensures that changes to a domain controller are reflected by all domain controllers in a domain.
Active Directory Terminology
• Schema
• Global Catalog
• Namespace
• Naming conventions

Schema
• The schema contains a formal definition of the contents and structure of Active Directory.
• The schema contains two types of definition objects:
  • Schema class objects define what objects can be stored in Active Directory.
  • Schema attribute objects define the type of information that can be stored about each object.
• The schema defines
  • The schema attribute objects required for each object
  • The additional schema attribute objects that an instance of the class can have

Default Schema
• Installing Active Directory on the first domain controller in a network creates the default schema, which contains
  • Definitions of commonly used objects and properties
  • Definitions of objects and properties that Active Directory uses internally to function

Extensible Schema
• You can define
  • New directory object types and attributes
  • New attributes for existing objects
• You can extend the schema
  • By using LDAP Data Interchange Format (LDIF) scripts
  • Programmatically, or by using the Active Directory Services Interface (ADSI)
  • By using the Active Directory Schema Manager snap-in
• The schema is stored in the Global Catalog and can be updated dynamically.

Global Catalog
• The Global Catalog is the central repository of information about objects in a tree or forest.
• Active Directory automatically generates the contents of the Global Catalog.
• The Global Catalog is a service and a physical storage location.
• It contains a full replica (all information) for its host domain and a partial replica of all information in all other domains in the tree or forest.
• It enables finding directory information regardless of which domain in the tree or forest actually contains the data.

Global Catalog Servers
• Installing Active Directory on the first computer in a new forest makes that domain controller a Global Catalog server.
• The Active Directory Sites and Services snap-in allows you to designate additional Global Catalog servers.
• More Global Catalog servers means more replication traffic.
• More Global Catalog servers can provide quicker responses.
• Every major site should have a Global Catalog server.

Namespace
• Contiguous namespace
  • The name of the child object in an object hierarchy always contains the name of the parent domain.
  • A tree is a contiguous namespace.
• Disjointed namespace
  • The names of a parent object and of a child of the same parent object are not directly related to one another.
  • A forest is a disjointed namespace.

Naming Conventions
• Every object in Active Directory is identified by a name.
• Active Directory uses a variety of naming conventions:
  • Distinguished name (DN)
  • Relative distinguished name (RDN)
  • Globally unique identifier (GUID)
  • User principal name (UPN)
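The Naming Conventions slide lists the DN, RDN and UPN, and the Support for Standard Name Formats slide gives an LDAP URL carrying a DN. The following is an added example, not from the original slides, that takes the slide's LDAP URL apart: it splits the DN into RDNs (honouring backslash-escaped commas, which otherwise corrupt the split), returns the object's RDN and its parent container, rebuilds the DNS domain name from the DC components, and forms a UPN in the somename@domain style the slides show. The logon name used for the UPN and the escaped-comma DN are constructed; the URL and DN are the ones on the slide.

```python
import re


def parse_ldap_url(url):
    """Split an LDAP URL of the form LDAP://host/DN into (host, DN). Only that
    shape, as shown on the slide, is handled: no port, attributes or filter."""
    match = re.match(r"^ldap://([^/]+)/(.+)$", url, re.IGNORECASE)
    if not match:
        raise ValueError("not an LDAP URL: %r" % url)
    return match.group(1), match.group(2)


def split_dn(dn):
    """Split a distinguished name into (type, value) RDNs. Commas escaped
    with a backslash are part of a value, not separators."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # keep the escape and the escaped char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def relative_distinguished_name(dn):
    """The RDN is the leftmost component; it names the object within its parent."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The container holding the object: the DN with its RDN removed."""
    return ",".join("%s=%s" % pair for pair in split_dn(dn)[1:])


def domain_from_dn(dn):
    """Active Directory domain names are DNS names: join the DC components in order."""
    return ".".join(value for attr_type, value in split_dn(dn) if attr_type.upper() == "DC")


def user_principal_name(logon_name, dn):
    """UPN in the RFC 822 style shown on the slides: somename@domain."""
    return logon_name + "@" + domain_from_dn(dn)


if __name__ == "__main__":
    host, dn = parse_ldap_url(
        "LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel")
    print(host)
    print(relative_distinguished_name(dn))
    print(parent_dn(dn))
    print(domain_from_dn(dn))
```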