
CS603 Active Directory

CS603 Active Directory. February 1, 2001. What is Active Directory? Microsoft's Windows 2000 directory server, included in Windows 2000 Server. Microsoft finally using Internet standards for network naming: DNS for machine naming, LDAP (RFC 2251) for accounts/users.


Presentation Transcript


  1. CS603 Active Directory, February 1, 2001

  2. What is Active Directory?
  • Microsoft's Windows 2000 directory server
  • Included in Windows 2000 Server
  • Microsoft finally using Internet standards for network naming
    • DNS for machine naming
    • LDAP (RFC 2251) for accounts/users
  • Also supports the legacy Microsoft directory interface
    • ADSI (COM)
  • Synchronizes with Exchange and other directories

  3. What goes in Active Directory? Objects
  • Object: anything that gets a name
    • Container objects
    • Leaf objects
  • Key name types for accounts:
    • User Principal Name (user@dns_name)
    • Security Account Manager (SAM) name (compatibility with NT)
  • Object publishing
    • Shared folders
    • Printers
    • RPC, Winsock, DCOM service endpoints

  4. Active Directory Schema
  • Schema: object that describes object classes and attributes
  • Attributes
    • Defined globally
    • Can be indexed (independent of object class)
  • Object classes: allowable collections of attributes
  • Default schema
    • Cannot delete from default
    • Can mark items as deactivated
    • Can be extended, but extensions are not reversible

  5. Object Naming Conventions
  • Names unique within a domain
  • LDAP distinguished name (DN) disambiguates across domains
  • Also Security ID (SID), GUID, Active Directory canonical name
    • GUID is permanent; the others change if the object is moved between domains
    • GUID is the "real" object identifier, globally unique
  • Security principal: user, computer, or group
    • Security ID used internally
    • Access Control Entries in an object's ACL list the SIDs (not the names) allowed to access the object
  • Uses only part of the LDAP naming convention
    • Active Directory: cn=common name, ou=organizational unit, dc=domain component
    • LDAP also defines o=organization, c=country
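
The naming rules of slide 5 in working code, as an added example that is not part of the lecture: a DN parser that derives the DNS domain and canonical name from the dc= components, a decoder for the binary objectSid value, and a split of a SID into the domain part (which changes on a cross-domain move) and the RID. The sample DN, the SID bytes and the well-known RID table are constructed for the example; the RID values listed are documented ones.

```python
"""Active Directory naming helpers: LDAP DNs, canonical names and SIDs.

Added example, not from the slides. The sample DN and the SID bytes are
constructed; the well-known RID table lists documented values.
"""
import struct
from typing import Dict, List, Tuple

# Documented well-known RIDs; the domain part of the SID differs per domain.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a distinguished name into (attribute type, value) RDNs.

    Backslash escapes (RFC 2253) are honoured, so a comma inside a value
    does not split the name. Multi-valued RDNs joined with '+' are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def dns_domain(dn: str) -> str:
    """The dc= components, in order, are the DNS name of the domain."""
    return ".".join(v for t, v in parse_dn(dn) if t == "dc")


def canonical_name(dn: str) -> str:
    """Active Directory canonical name: dns.domain/OU/.../leaf, i.e. the DN
    path read from the domain downwards."""
    path = [v for t, v in parse_dn(dn) if t != "dc"]
    return dns_domain(dn) + "/" + "/".join(reversed(path))


def decode_sid(blob: bytes) -> str:
    """Decode the binary objectSid value into S-R-I-S-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then `count` little-endian 32-bit
    sub-authorities; the last sub-authority is the RID.
    """
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a string SID into (domain SID, RID). The RID comes from the pool
    the RID master hands to a DC; the domain SID is what changes when an
    object moves to another domain, which is why the GUID, not the SID, is
    the stable identifier."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe_sid(sid: str) -> Dict[str, object]:
    """Domain part, RID and (if any) the documented well-known account name."""
    domain, rid = split_sid(sid)
    return {"domain": domain, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


# Constructed objectSid bytes for S-1-5-21-1111-2222-3333-500.
SAMPLE_SID = bytes.fromhex(
    "01"            # revision
    "05"            # five sub-authorities
    "000000000005"  # identifier authority 5 (NT authority)
    "15000000"      # 21: domain SIDs start with this sub-authority
    "57040000"      # 1111
    "ae080000"      # 2222
    "050d0000"      # 3333
    "f4010000"      # 500: built-in Administrator RID
)
```

Because an ACE stores only the SID, an entry whose SID no longer resolves (the principal was deleted, or moved to another domain and got a new SID) shows up exactly as `describe_sid` returns it: a domain part and a RID with no name behind it.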

  6. Active Directory and DNS
  • Same name for the same machine
  • Different namespaces that follow the same hierarchical structure
  • Active Directory requires DNS
    • Needed to locate an Active Directory server (domain controller)
    • Uses service location (SRV) resource records
  • DNS can store its zone data in Active Directory
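
How the SRV lookup of slide 6 works end to end, as an added example that is not from the lecture: the client builds the `_msdcs` owner names (site-specific first, then domain-wide), parses the SRV answers, and picks a domain controller by priority and weight as RFC 2782 prescribes. The owner-name layout is the documented one that Windows 2000 domain controllers register; the zone contents, the domain example.com, the site name Paris and the host names are constructed.

```python
"""How a Windows 2000 client locates a domain controller through DNS SRV records.

Added example, not from the slides. The SRV owner names follow the _msdcs
layout that domain controllers register; the zone contents, domain names
and site name below are constructed for the example.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_zone_line(line: str) -> Tuple[str, SrvRecord]:
    """Parse 'owner TTL IN SRV priority weight port target' zone-file syntax."""
    fields = line.split()
    if len(fields) != 8 or fields[3].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    owner = fields[0].rstrip(".").lower()
    priority, weight, port = (int(f) for f in fields[4:7])
    return owner, SrvRecord(priority, weight, port, fields[7].rstrip("."))


# Constructed zone: dc1 and dc2 sit in the Paris site, dc3 is a lower-priority
# fallback elsewhere, dc1 is also a global catalog server (port 3268).
ZONE_TEXT = """
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 10 100 389 dc3.example.com.
_ldap._tcp.Paris._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Paris._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.gc._msdcs.example.com.              600 IN SRV 0 100 3268 dc1.example.com.
"""


def load_zone(text: str) -> Dict[str, List[SrvRecord]]:
    """Group the zone's SRV records by owner name."""
    zone: Dict[str, List[SrvRecord]] = {}
    for line in text.strip().splitlines():
        owner, record = parse_zone_line(line)
        zone.setdefault(owner, []).append(record)
    return zone


def locator_names(domain: str, site: Optional[str], service: str = "_ldap") -> List[str]:
    """Owner names the locator queries, most specific first: the client's own
    site (slide 12), then any DC in the domain."""
    domain = domain.lower()
    names = []
    if site:
        names.append(f"{service}._tcp.{site.lower()}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names


def select_target(records: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 selection: lowest priority only; ties spread by weight."""
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.randrange(total)
    for record in pool:
        pick -= record.weight
        if pick < 0:
            return record
    return pool[-1]


def find_dc(zone: Dict[str, List[SrvRecord]], domain: str, site: Optional[str],
            rng: Optional[random.Random] = None) -> Tuple[str, SrvRecord]:
    """Return (owner name that answered, chosen DC); falls back from the
    site-specific name to the domain-wide one when the site has no DC."""
    rng = rng or random.Random()
    for name in locator_names(domain, site):
        if name in zone:
            return name, select_target(zone[name], rng)
    raise LookupError("no DC SRV records for %s" % domain)


def weighted_share(records: List[SrvRecord], draws: int = 2000, seed: int = 0) -> Dict[str, int]:
    """Count how often each target is picked; load follows the weights."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(draws):
        target = select_target(records, rng).target
        counts[target] = counts.get(target, 0) + 1
    return counts
```

The security point behind "Active Directory requires DNS": the client believes whatever answers these queries, so whoever can write or spoof the `_msdcs` records decides which server receives logons. That is why the last bullet matters: an Active Directory-integrated zone can restrict dynamic updates to authenticated machines instead of accepting them from anyone.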

  7. Hierarchical Directory Structure
  • Domain: individually managed subset of the namespace
  • A domain controller serves a single domain
  • Replication done at the level of the entire domain; multimaster replication
  • Namespace can have multiple domains: a forest
    • Why forest and not tree? The root is tied to a DNS name, so a second DNS name means a second tree
  • Global catalog for the entire forest; used for logon requests
  • Security policies/settings don't cross domains
  • Can only build downward in the hierarchy

  8. Trust Relationships
  • What does trust mean?
    • Authentication: single system logon
    • Doesn't imply permissions in multiple domains
    • Share common configuration information
    • Share a common schema
    • Share a common global catalog
  • Trust relationships
    • Parent and child domains trust each other
    • Roots of trees in a forest trust each other
    • Trust is transitive within the forest
    • "Shortcut" trust relationships avoid a long transitive search
    • Can also trust external (non-forest) domains; such trusts are not transitive
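
The trust rules of slide 8 as a path search, added here as an example that is not from the lecture: forest trusts (parent/child, tree root) and shortcut trusts are two-way and transitive, an external trust is usable only as a single hop in the direction it was created, and a shortcut trust shortens the chain. The forest (example.com and contoso.com trees, the external NT domain PARTNER) is constructed.

```python
"""Trust-path resolution across Windows 2000 domains.

Added example, not from the slides. The forest below is constructed.
Trusts are recorded as (trusting, trusted, kind): accounts from the trusted
domain can be authenticated in the trusting domain.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Trust = Tuple[str, str, str]

# Forest-internal trusts (parent/child, tree root) and shortcut trusts are
# two-way and transitive; external trusts to other forests/NT domains are not.
TRANSITIVE = {"parent_child", "tree_root", "shortcut"}

# Constructed forest: two trees (example.com, contoso.com), a shortcut trust
# between two leaf domains, and a one-way external trust to an NT domain.
FOREST: List[Trust] = [
    ("example.com", "eu.example.com", "parent_child"),
    ("example.com", "us.example.com", "parent_child"),
    ("example.com", "contoso.com", "tree_root"),
    ("contoso.com", "dev.contoso.com", "parent_child"),
    ("eu.example.com", "dev.contoso.com", "shortcut"),
    ("us.example.com", "PARTNER", "external"),   # us trusts PARTNER, one way
]


def trust_graph(trusts: List[Trust]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list trusting -> [(trusted, kind)]; two-way kinds get both edges."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for trusting, trusted, kind in trusts:
        graph.setdefault(trusting, []).append((trusted, kind))
        if kind in TRANSITIVE:
            graph.setdefault(trusted, []).append((trusting, kind))
    return graph


def trust_path(trusts: List[Trust], resource_domain: str,
               account_domain: str) -> Optional[List[str]]:
    """Shortest chain of trusts that lets accounts from account_domain be
    authenticated for resources in resource_domain, or None if there is none.

    A non-transitive (external) trust can only be the single hop of a path;
    a transitive chain may pass through any number of forest domains.
    """
    if resource_domain == account_domain:
        return [resource_domain]
    graph = trust_graph(trusts)
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, kind in graph.get(path[-1], []):
            if kind not in TRANSITIVE and len(path) > 1:
                continue            # an external trust cannot extend a chain
            if nxt == account_domain:
                return path + [nxt]
            if kind in TRANSITIVE and nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for res, acct in [("us.example.com", "dev.contoso.com"),
                      ("eu.example.com", "dev.contoso.com"),
                      ("example.com", "PARTNER"),
                      ("PARTNER", "us.example.com")]:
        print(res, "<-", acct, ":", trust_path(FOREST, res, acct))
```

A returned path only says that a logon can be referred along that chain; as the slide says, it implies nothing about permissions, which the ACEs on the resource still decide. Without the shortcut trust, eu.example.com would reach dev.contoso.com through the two tree roots, which is the "transitive search" a shortcut trust is meant to avoid.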

  9. Domain Controller Roles (beyond directory service)
  • Forest-wide roles
    • Schema master
    • Domain naming master
  • Domain-wide roles
    • Relative ID (RID) master: hands out pools of RIDs to domain controllers; each DC builds a security principal's SID as domain SID + RID
    • Primary Domain Controller emulator: emulates a Windows NT domain controller
    • Infrastructure master: updates references to objects in other domains (e.g. group members from another domain) after they are renamed or moved

  10. Other Hierarchies: Organizational Units
  • Use to delegate authority
  • An administrator can be given authority over only an OU
  • Subdivisions within a single domain (an OU never spans domains)

  11. Replication
  • Global Catalog contains a subset of each domain's attributes
    • Allows logon and lookup without going to the source domain
    • Hosted on global catalog servers at multiple sites
  • Transports:
    • RPC over IP (within and between sites)
    • SMTP (between sites only; cannot carry the domain partition)
  • Determining the latest update:
    • Each DC numbers its changes with an Update Sequence Number (USN); a partner pulls the changes above the last USN it saw
    • Conflicts are resolved by a per-attribute version number; the timestamp only breaks a tie
  • Replication path may have loops
    • Each DC records the highest originating USN it has seen per source DC, so already propagated updates are not applied again
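
The replication mechanics of slide 11 as a small simulation, added here as an example that is not from the lecture: each DC keeps its own USN counter and a high-watermark per partner, every attribute carries a version/timestamp/origin stamp used for conflict resolution, and an up-to-dateness vector drops changes that already arrived around a loop. Domain controller names, attribute values and timestamps are constructed.

```python
"""Toy model of Active Directory multimaster replication: USNs, per-attribute
version stamps and propagation dampening.

Added example, not from the slides. DC names, attribute values and
timestamps are constructed; the rules mirror the ones the slide describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Stamp:
    """Replication metadata kept per attribute value."""
    version: int        # incremented on every originating write
    timestamp: int      # originating write time (constructed integer seconds)
    origin_dsa: str     # DC that made the originating write
    origin_usn: int     # that DC's USN for the write

    def beats(self, other: Optional["Stamp"]) -> bool:
        """Higher version wins; timestamp, then origin DSA, only break ties."""
        if other is None:
            return True
        return (self.version, self.timestamp, self.origin_dsa) > (
            other.version, other.timestamp, other.origin_dsa)


@dataclass
class Change:
    usn: int            # USN on the DC whose log holds this entry
    attr: str
    value: str
    stamp: Stamp


@dataclass
class DomainController:
    name: str
    usn: int = 0
    attrs: Dict[str, Tuple[str, Stamp]] = field(default_factory=dict)
    log: List[Change] = field(default_factory=list)
    utd: Dict[str, int] = field(default_factory=dict)  # up-to-dateness vector
    hwm: Dict[str, int] = field(default_factory=dict)  # high-watermark per partner
    skipped: int = 0    # changes dampened because utd already covered them

    def write(self, attr: str, value: str, timestamp: int) -> Stamp:
        """Originating write: new USN, version+1, stamped with our identity."""
        self.usn += 1
        old = self.attrs.get(attr)
        version = old[1].version + 1 if old else 1
        stamp = Stamp(version, timestamp, self.name, self.usn)
        self.attrs[attr] = (value, stamp)
        self.log.append(Change(self.usn, attr, value, stamp))
        self.utd[self.name] = self.usn
        return stamp

    def pull_from(self, src: "DomainController") -> int:
        """Pull src's changes above our high-watermark for src; apply the ones
        we have not seen via another path and that win conflict resolution."""
        applied = 0
        for change in src.log:
            if change.usn <= self.hwm.get(src.name, 0):
                continue                    # already fetched from this partner
            stamp = change.stamp
            if self.utd.get(stamp.origin_dsa, 0) >= stamp.origin_usn:
                self.skipped += 1           # already reached us around a loop
                continue
            self.utd[stamp.origin_dsa] = max(self.utd.get(stamp.origin_dsa, 0),
                                             stamp.origin_usn)
            current = self.attrs.get(change.attr)
            if stamp.beats(current[1] if current else None):
                self.attrs[change.attr] = (change.value, stamp)
                self.usn += 1               # the replicated write gets a local USN
                self.log.append(Change(self.usn, change.attr, change.value, stamp))
                applied += 1
        self.hwm[src.name] = src.usn
        return applied


def demo() -> Tuple[DomainController, DomainController, DomainController]:
    """Ring A -> B -> C -> A, then a concurrent write conflict between A and B."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.write("description", "hello", timestamp=100)
    b.pull_from(a)
    c.pull_from(b)
    a.pull_from(c)      # the loop closes: A sees its own change and drops it
    a.write("description", "from-A", timestamp=200)
    b.write("description", "from-B", timestamp=201)   # same version, later clock
    b.pull_from(a)
    a.pull_from(b)
    return a, b, c


if __name__ == "__main__":
    for dc in demo():
        print(dc.name, dc.attrs["description"][0], "skipped", dc.skipped)
```

Two things the simulation makes visible: the USN is per domain controller and says nothing about which write is newer, which is why conflicts are settled on the version stamp and the clock is consulted only when versions tie; and without the up-to-dateness vector the ring would re-apply every change forever.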

  12. Sites
  • Idea: a set of highly connected machines (well-connected subnets)
  • Clients request service from a domain controller in their own site (if one exists)
  • Active Directory tries to minimize replication latency for intra-site replication
  • Active Directory tries to minimize bandwidth consumption for inter-site replication
  • Sites let you schedule inter-site replication
  • Independent of domains
  • Can delegate authority over a site

  13. Microsoft Metadirectory Services (MMS)
  • Goal: a single directory for multiple applications
  • Brokers directory information between multiple vendors' directories
  • Acquired from Zoomit Corporation
  • Uses Active Directory
  • Microsoft is also moving other products (e.g. Exchange Server) to use Active Directory instead of their own internal directories
