Post on 05-May-2019
Topics
• Introduction
• Logical Structure
• Physical Structure
Directory Services (Introduction)
• Definition:
  – Stores, organizes, retrieves information about objects in a network
• Existing Directory Services:
  – OSF DCE Directory Service
  – Banyan StreetTalk
  – Novell NDS
  – Active Directory
Active Directory (Introduction)
[Diagram: the Directory at the centre (entries, credentials, replicated storage, address book, class store, replication, security), surrounded by DNS, directory-enabled applications (Exchange, COM components), IPSec and QoS, computers and printers, users and groups, group policies, services and resources, and directory-enabled networks]
AD Namespaces (Introduction)
• Going from a flat to a hierarchical namespace
• Going from NetBIOS names to DNS names
[Diagram: a flat namespace of NT domains master1, master2, master3 and res1, res2, res3, versus a DNS tree with com and edu at the top, mit under edu, microsoft and compaq under com; fully qualified domain name: compaq.com]
The Role of DNS (Introduction)
• The AD uses DNS for:
  – Resolving NT domain names
  – Service location to find servers such as DCs
The Role of LDAP (Introduction)
• The Active Directory organizes elements in a hierarchical form
• LDAP is used to access these elements inside the domain
• LDAP is used by applications to access objects inside a domain
Logical Structure
• You define the logical structure by using
  – Trees and Forests
  – Domains
  – Organizational units
What is a Domain? (Logical Structure)
• Directory and namespace partition
• Security boundary (scope of policies, groups)
• May potentially contain millions of objects
• AD domains are named with DNS names
• Each domain defines a separate LDAP directory
Domain: Administrative Partition (Logical Structure)
• Group/Security Policies do not propagate between domains
• Rights/permissions do not propagate between domains
• A domain admin in a parent domain is not a domain admin in a child domain.
• Domains cannot be renamed
• Domains cannot be merged/split
• Move objects instead
What is an Organizational Unit? (Logical Structure)
• Resides in a domain
• Is a container object (users, computers, groups, printers, policies, OUs, …)
• Creates a hierarchical structure
• Is not part of DNS namespace
• IS NOT A SECURITY PRINCIPAL
[Diagram: a domain containing OUs, which contain leaf objects and further OUs]
What is an Organizational Unit? (Logical Structure)
• Is used to
  – delegate administration
  – replace NT4 resource domains
  – apply policies
  – group objects with common properties
[Diagram: a domain containing OUs, which contain leaf objects and further OUs]
Active Directory Objects (Logical Structure)
• Users and Groups
• Computers and Printers
• Application-specific
• Referenced by LDAP distinguished names
[Diagram: domain compaq.com = DC=compaq,DC=com containing the container Users (with John, and the OU Sales holding Jack and Bob) and the container resources (with a Printer); the distinguished name of Jack is CN=Jack, OU=Sales, OU=Users, DC=compaq, DC=com. See RFC 2247 for "DC=" naming.]
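Added example (not part of the original slides): the RFC 2247 "DC=" naming the diagram refers to, worked through in Python. It builds the distinguished name shown above from the domain's DNS name and the OU path, and parses a DN back into object name, OU path and domain, handling a comma inside a name by backslash escaping. The domain, OU and user names are the slide's own; the function names and the escaping helper are assumptions of this example.

```python
# Added example, not code from the slides: building and parsing Active
# Directory distinguished names using the RFC 2247 "DC=" convention.
from __future__ import annotations

import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_ESCAPE_RE = re.compile(r'([,+"\\<>;=#])')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape characters that would otherwise break the DN."""
    return _ESCAPE_RE.sub(r"\\\1", value)


def unescape_rdn_value(value: str) -> str:
    """Undo escape_rdn_value (single-character escapes only)."""
    return re.sub(r"\\(.)", r"\1", value)


def dns_to_dc_rdns(dns_name: str) -> list[str]:
    """compaq.com -> ['DC=compaq', 'DC=com'] (RFC 2247 naming)."""
    labels = [l for l in dns_name.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return [f"DC={label}" for label in labels]


def build_dn(cn: str, ou_path: list[str], domain: str) -> str:
    """Build e.g. 'CN=Jack,OU=Sales,OU=Users,DC=compaq,DC=com'.

    ou_path is given top-down (outer container first); a DN lists the most
    specific RDN first, so the OU order is reversed.
    """
    rdns = [f"CN={escape_rdn_value(cn)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    rdns += dns_to_dc_rdns(domain)
    return ",".join(rdns)


def split_dn(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn: str) -> dict:
    """Return the object's CN, its OU path (top-down) and its DNS domain."""
    parsed = {"cn": None, "ou_path": [], "domain": None}
    dc_parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        value = unescape_rdn_value(value.strip())
        if attr == "CN" and parsed["cn"] is None:
            parsed["cn"] = value
        elif attr == "OU":
            parsed["ou_path"].insert(0, value)   # DN is bottom-up; rebuild top-down
        elif attr == "DC":
            dc_parts.append(value)
    parsed["domain"] = ".".join(dc_parts) if dc_parts else None
    return parsed


if __name__ == "__main__":
    dn = build_dn("Jack", ["Users", "Sales"], "compaq.com")
    print(dn)
    print(parse_dn(dn))
```

The OU order matters in practice: a DN reads from the object outward, so a top-down OU path such as Users/Sales must be reversed before the DC components are appended.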
Transitive Trusts (Logical Structure)
• Trusts link domains
• Trust relationships are Kerberos-based
• Downlevel trusts are still supported
• Trusts are transitive
[Diagram: compaq.com with child domains US and Europe joined by transitive trusts, contrasting Windows NT 4.0 trusts with Windows 2000 trusts; domain tree compaq.com, us.compaq.com, sales.compaq.com]
Trees (Logical Structure)
• A tree is a set of one or more Windows 2000 domains
• A tree forms a contiguous namespace.

Forest (Logical Structure)
• A forest is a collection of trees joined by a Kerberos trust
• A forest is a discontiguous namespace
[Diagram: two trees, compaq.com with products.compaq.com and digital.com with services.digital.com, forming one forest]
Designing a Domain Structure (Logical Structure)
• Decide to use a forest or a tree
• Define the first domain
• Examine the reasons for creating additional domains
• Decide when to use domains or OUs
Tip: Start the design with one domain and prove that you need more.
Tip: Avoid deep nesting of domains
• User1@fkr.munich.bavaria.germany.emea.compaq.com
One or more Forests? (Logical Structure)
• Autonomous organizations unable to agree on Forest Change Control
  – Require distinct schema or configuration
  – Cannot agree on membership of Schema Administrators and Enterprise Administrators
• Do not want complete trust
• Inter-forest users must be aware of directory structures
  – Only see objects in your forest's GC
  – Explicit, one-way, non-transitive trust only
  – No Kerberos mutual authentication
Forest or Tree? (Logical Structure)
• Need for discontiguous namespace
• Easiest upgrade path from a complicated NT4 domain structure
[Diagram: compaq.com and digital.com as separate trees]
Domains or OUs? (Logical Structure)
[Diagram: Domain A and Domain B, each with its own OUs, versus a single domain with OUs]
Reasons to choose Domains (Logical Structure)
• Control replication traffic
• Implement different security policies
• Administrative control
• Political reasons
• Need to have separate domain names
• Limit the number of objects in a domain
Reasons for Creating OUs (Logical Structure)
• Reflect your company's organization
• Delegate administrative control
• Replace Windows NT 4.0 resource domains
• Control Group Policy application
Defining an OU Hierarchy (Logical Structure)
• Geographical
• Object-based
• Business Cost Center
• Project-based Cost Center
• Department or Business Unit
• Administration
Geographical OU Model (Logical Structure)
[Diagram: compaq.com with OUs Americas (containing USA), EMEA (containing UK & Ireland and France) and AsiaPac (containing Japan)]
Object Based OU Model (Logical Structure)
[Diagram: compaq.com with OUs Users and Computers; Computers contains Desktops and SQL Server]
Conclusion (Logical Structure)
• Features NOT supported:
  – Renaming the top level domain
  – Moving domains between forests
  – Forests cannot be merged or split
• Objects can be copied between forests
• Careful planning is required!
Physical Structure
• You design the physical structure by
  – Assigning roles to domain controllers
  – Defining sites
  – Creating site links and site link bridges
Domain Controllers (DCs) (Physical Structure)
• A DC is a Windows 2000 Server running AD
• DCs act as peers
• Maintains a writable copy of the domain database (Multi-master replication model)
• Replication mechanism is 'loosely coupled'
• Initiates and performs replication operations with its peers
Schema (Physical Structure)
• Contains the definition of the objects stored in the Active Directory
• Defines classes and attributes
• Is stored in the Active Directory
• Is extensible and programmable
  – New classes can be created
  – New attributes can be added to existing objects
Global Catalog (Physical Structure)
• Each domain defines a separate LDAP directory.
• No facility in LDAPv3 for referring queries between separate directories.
• It is a replica of selected attributes of every object in the Active Directory
• Not every DC should be a GC
• Needed for login (universal groups)
Naming Contexts (NC) (Physical Structure)
• Directory object that forms a replication unit
• Replicated as distinct entities between domain controllers
  – Schema NC (replicated forest wide): holds objects that define the structure of the Directory Schema
  – Configuration NC (replicated forest wide): topology of forest elements
  – Domain NC (replicated only within the domain): holds objects that represent security principals and system objects
Flexible Single Master Operation (FSMO) Roles
• Multiple Master Replication with conflict resolution isn't always appropriate for critical operations ('last writer wins')
• A few tasks must remain on a single DC
• Role Master: DC that has a particular FSMO assigned
• Roles must be transferred manually
Flexible Single Master Operation (FSMO) Roles
• Schema master (unique in the forest)
  – controls write access to the schema
• Domain naming master (unique in the forest)
  – Can add or remove domains in the forest
• RID master (unique in each domain)
  – Assigns RIDs to DCs
Flexible Single Master Operation (FSMO) Roles (Physical Structure)
• Infrastructure master (unique in each domain)
  – Manages references of cross-domain objects
• PDC emulator (unique in each domain)
  – Downlevel password updates
  – Downlevel BDC replication
  – Domain master browser
FSMO Placement (Physical Structure)
• Schema master and Domain naming master should be on the same DC (data integrity in the directory)
• PDC Emulator should be the RID master
  – (mixed mode only)
• Infrastructure master should not be on GC
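Added example (not part of the original slides): a small checker that tests a proposed FSMO placement against the rules on the preceding slides, in Python. It verifies that each forest-wide role exists exactly once in the forest and each domain-wide role exactly once per domain, that the schema master and domain naming master share a DC, that the infrastructure master is not on a GC, and, in mixed mode, that the PDC emulator is also the RID master. The DC names, the sample forest and the check function are constructed for this example.

```python
# Added example, not code from the slides: validating FSMO role placement.
from dataclasses import dataclass, field

FOREST_ROLES = ("schema", "domain_naming")
DOMAIN_ROLES = ("rid", "pdc", "infrastructure")


@dataclass
class DomainController:
    name: str
    domain: str
    global_catalog: bool = False
    roles: set = field(default_factory=set)


def check_fsmo_placement(dcs, mixed_mode=False):
    """Return a list of findings; an empty list means the placement passes."""
    findings = []
    domains = sorted({dc.domain for dc in dcs})

    # Forest-wide roles: exactly one holder in the whole forest.
    for role in FOREST_ROLES:
        holders = [dc.name for dc in dcs if role in dc.roles]
        if len(holders) != 1:
            findings.append(f"forest role '{role}' held by {holders or 'nobody'}")

    # Domain-wide roles: exactly one holder per domain.
    for domain in domains:
        for role in DOMAIN_ROLES:
            holders = [dc.name for dc in dcs if dc.domain == domain and role in dc.roles]
            if len(holders) != 1:
                findings.append(f"{domain}: role '{role}' held by {holders or 'nobody'}")

    # Schema master and domain naming master on the same DC.
    schema = next((dc for dc in dcs if "schema" in dc.roles), None)
    naming = next((dc for dc in dcs if "domain_naming" in dc.roles), None)
    if schema and naming and schema.name != naming.name:
        findings.append("schema master and domain naming master are on different DCs")

    # Infrastructure master must not sit on a global catalog.
    for dc in dcs:
        if "infrastructure" in dc.roles and dc.global_catalog:
            findings.append(f"{dc.name}: infrastructure master is on a global catalog")

    # Mixed mode only: PDC emulator should also be the RID master.
    if mixed_mode:
        for domain in domains:
            pdc = next((dc for dc in dcs if dc.domain == domain and "pdc" in dc.roles), None)
            rid = next((dc for dc in dcs if dc.domain == domain and "rid" in dc.roles), None)
            if pdc and rid and pdc.name != rid.name:
                findings.append(f"{domain}: PDC emulator and RID master are on different DCs (mixed mode)")
    return findings


def sample_forest():
    """Constructed two-domain forest; DC3 deliberately breaks the GC rule."""
    return [
        DomainController("DC1", "compaq.com", True, {"schema", "domain_naming", "pdc", "rid"}),
        DomainController("DC2", "compaq.com", False, {"infrastructure"}),
        DomainController("DC3", "sales.compaq.com", True, {"pdc", "infrastructure"}),
        DomainController("DC4", "sales.compaq.com", False, {"rid"}),
    ]


if __name__ == "__main__":
    for finding in check_fsmo_placement(sample_forest(), mixed_mode=True):
        print("FINDING:", finding)
```

Run as a script it reports the two problems in the sample forest: the sales.compaq.com infrastructure master sits on a GC, and in mixed mode its PDC emulator and RID master are on different DCs.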
Sites (Physical Structure)
• A site is a collection of IP subnets with fast connectivity
• Sites reflect locality
• Sites may span domains
• Domains may span sites
Sites (Physical Structure)
[Diagram: a user logs on against the domain controller in the local site; replication to the domain controller in the other site is controlled]
Site Roles (Physical Structure)
• Workstation logon: used to find a DC on the same site as the client
  – Place at least one DC of the domain at each site
  – Place at least one GC at each site
• AD replication: uses site to determine how replication is done
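Added example (not part of the original slides): the site-aware DC lookup described on this slide, modelled in Python. A client address is matched to a site by longest-prefix match over the subnet table, a DC of the client's domain in that site is preferred, and a coverage report shows which sites lack the DC or GC the placement rule calls for. The subnet table, site names and DC inventory are constructed for this example; a real client obtains this through DNS and the DC locator, not from a table like this.

```python
# Added example, not code from the slides: subnet-to-site mapping and
# site-preferring DC selection for workstation logon.
from __future__ import annotations

import ipaddress

# Constructed subnet table: each subnet belongs to exactly one site.
SUBNETS = {
    "10.1.0.0/16": "Seattle",
    "10.1.5.0/24": "Seattle-Lab",   # more specific than 10.1.0.0/16
    "10.2.0.0/16": "Chicago",
    "10.3.0.0/16": "Atlanta",
}

# Constructed DC inventory: (name, site, domain, is_global_catalog)
DCS = [
    ("DC1", "Seattle", "compaq.com", True),
    ("DC2", "Chicago", "compaq.com", False),
    ("DC3", "Chicago", "sales.compaq.com", True),
    ("DC4", "Atlanta", "sales.compaq.com", False),
]


def site_for_ip(ip: str) -> str | None:
    """Longest-prefix match of the client address against the subnet table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locate_dc(ip: str, domain: str, need_gc: bool = False):
    """Pick a DC for the client's domain, preferring one in the client's site.

    Returns (dc_name, in_site); in_site is False when the logon has to leave
    the site, which is the slow case the placement rule tries to avoid.
    Returns None if no DC of the domain can serve the request at all.
    """
    site = site_for_ip(ip)
    candidates = [dc for dc in DCS if dc[2] == domain and (dc[3] or not need_gc)]
    local = [dc for dc in candidates if dc[1] == site]
    if local:
        return local[0][0], True
    if candidates:
        return candidates[0][0], False
    return None


def site_coverage_report(domain: str) -> dict:
    """Per site: is there a DC of the domain, and any GC (GCs are forest-wide)?"""
    report = {}
    for site in sorted(set(SUBNETS.values())):
        dcs_here = [dc for dc in DCS if dc[1] == site and dc[2] == domain]
        gcs_here = [dc for dc in DCS if dc[1] == site and dc[3]]
        report[site] = {"dc": bool(dcs_here), "gc": bool(gcs_here)}
    return report


if __name__ == "__main__":
    print(locate_dc("10.2.0.9", "compaq.com"))
    print(locate_dc("10.2.0.9", "compaq.com", need_gc=True))
    for site, cover in site_coverage_report("compaq.com").items():
        print(site, cover)
```

The coverage report makes the placement rule concrete: a site that shows dc=False or gc=False will send every logon from that site across a site link.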
Types of Replication (Physical Structure)
[Diagram: Site 1 and Site 2, each with several domain controllers; intra-site replication between the domain controllers within a site, inter-site replication between the two sites]
Site Replication (Physical Structure)
• Intra-Site Replication
  – Automatic Topology Generation: should not be modified
  – Always RPC based
  – Pull-only, based on update notification
  – Urgent Replication: disabled or locked-out accounts, RID pool changes, password changes
Site Replication (Physical Structure)
• Inter-Site Replication
  – Semi-Automatic Topology Generation
  – Scheduled (No update notification)
  – RPC or SMTP
Knowledge Consistency Checker (Physical Structure)
• Knowledge Consistency Checker (KCC)
  – A service running on every DC
  – Computes and generates replication topology
  – Runs every 15 minutes, but can be started manually
  – Creates and destroys connection objects between DCs
• Connection Object
  – Represents uni-directional connection from replication partner
  – Can be manually created by Administrator or generated by KCC
Intra-site Replication Topology (Physical Structure)
[Diagram: the compaq.com domain NC topology and the Configuration/Schema NC topology over DC1, DC2, DC3 and DC4 of compaq.com, and the sales.compaq.com domain NC topology over DC1 and DC2 of sales.compaq.com; the arrows are connection objects]
Inter-site Replication: Site Link (Physical Structure)
• Represents a network link between sites
  – One area with similar network connections
  – One WAN link
• Does not connect DCs, connects sites
• May connect two or more sites
• Has associated schedule that reflects availability of link
• Has associated cost
• Created by Administrators, used by the KCC to determine the cost of replication between two sites
Site Links – Cost (Physical Structure)
[Diagram: domain sales.compaq.com with DC1 to DC5 in the Seattle, LA, Chicago, Atlanta and NY sites, joined by Site Links A to E; each site link is labelled with its cost in parentheses (costs shown: 1, 8, 1, 15, 30). It costs 10 to replicate from DC1 to DC4.]
Bridgehead Servers (Physical Structure)
• Is a DC performing replication operations with DCs in another site.
  – Usually the first DC in a site
  – Can be specified by administrators
• Transport used is either RPC or SMTP
• SMTP only for
  – Configuration NC/Schema NC
  – Global Catalog replication
Site Links - Implementation (Physical Structure)
[Diagram: non-transitive site links. Domains compaq.com (DC1, DC2, DC3) and sales.compaq.com (DC1 to DC5) spread over the Seattle, LA, Chicago, Atlanta and NY sites, joined by Site Links A, B and C and a dial-up connection; connection objects are drawn between the sites]
Site Links Bridge (Physical Structure)
[Diagram: the same sites, domains, site links and dial-up connection as on the implementation slide, with a site link bridge added so that replication can be routed across several site links]
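Added example (not part of the original slides): how the KCC's use of site link cost and site link bridging, described on the preceding site link slides, plays out when choosing a replication route. The Python below runs Dijkstra over a constructed set of site links: with all links bridged (transitive) the cheapest multi-hop route is chosen; with bridging off, only an explicit site link bridge allows chaining links, otherwise a route must be a single site link. The site names, costs and the dial-up link are constructed for this example and are not the figure's values; a link joining three sites is treated as connecting every pair of them at the link's cost.

```python
# Added example, not code from the slides: cheapest inter-site replication
# route from site link costs, with and without site link bridging.
import heapq

# Constructed site links: name -> (cost, sites the link connects).
SITE_LINKS = {
    "A": (1, {"Seattle", "LA"}),
    "B": (8, {"LA", "Chicago"}),
    "C": (1, {"Chicago", "NY"}),
    "D": (15, {"Chicago", "Atlanta", "NY"}),   # one link joining three sites
    "DialUp": (30, {"Seattle", "Atlanta"}),
}


def _dijkstra(src, dst, allowed_links):
    """Cheapest path using only the given links; (cost, sites, links) or None."""
    dist, prev, pq = {src: 0}, {}, [(0, src)]
    while pq:
        d, site = heapq.heappop(pq)
        if site == dst:
            break
        if d > dist.get(site, float("inf")):
            continue                      # stale heap entry
        for name in sorted(allowed_links):
            cost, sites = SITE_LINKS[name]
            if site not in sites:
                continue
            for nxt in sites:
                if nxt == site:
                    continue
                nd = d + cost
                if nd < dist.get(nxt, float("inf")):
                    dist[nxt] = nd
                    prev[nxt] = (site, name)
                    heapq.heappush(pq, (nd, nxt))
    if dst not in dist:
        return None
    path, links, cur = [dst], [], dst
    while cur != src:
        cur, name = prev[cur]
        path.append(cur)
        links.append(name)
    return dist[dst], path[::-1], links[::-1]


def cheapest_route(src, dst, bridge_all_links=True, bridges=()):
    """Route replication between two sites.

    bridge_all_links=True: every site link is transitive, so any chain of
    links may be used (the default AD behaviour).
    bridge_all_links=False: links are non-transitive; only links grouped in
    an explicit site link bridge may be chained, otherwise the route must
    be a single site link that contains both sites.
    """
    candidates = []
    if bridge_all_links:
        candidates.append(_dijkstra(src, dst, set(SITE_LINKS)))
    else:
        for bridge in bridges:
            candidates.append(_dijkstra(src, dst, set(bridge)))
        for name, (cost, sites) in SITE_LINKS.items():
            if src in sites and dst in sites:
                candidates.append((cost, [src, dst], [name]))
    routes = [r for r in candidates if r is not None]
    return min(routes, key=lambda r: r[0]) if routes else None


if __name__ == "__main__":
    print(cheapest_route("Seattle", "NY"))
    print(cheapest_route("Seattle", "Atlanta", bridge_all_links=False))
    print(cheapest_route("Seattle", "NY", bridge_all_links=False, bridges=[("A", "B", "C")]))
```

The non-bridged case shows why the slide stresses that site links connect sites rather than DCs: without a bridge, Seattle cannot reach NY at all even though a chain of links exists, and Seattle reaches Atlanta only over the expensive direct dial-up link.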
How to create a Topology (Physical Structure)
• Gather subnets into sites
  – LAN speed or higher
• Connect sites with site links
  – Assign link cost
  – Set replication schedule, polling interval
• Place domain controllers
  – At least one GC per site
  – At least one DC per site
  – At least one DNS server per site
How to create a Topology (Physical Structure)
• Site topology is easily restructured
  – Create, delete, modify sites, subnets
  – Server objects moved between sites manually
  – Replication sub-system automatically compensates
Questions?