Page 1: Active directory

ACTIVE DIRECTORY

Active Directory is a single point of reference, called a directory service, to all the objects in a network, including users, groups, computers, printers, policies and permissions.

For a user or an administrator, AD provides a single hierarchical view from which to access and manage all of the network resources.

Page 2: Active directory

• AD utilises the IP protocol and standards like SSL (Secure Sockets Layer), Transport Layer Security (TLS) authentication, LDAP (Lightweight Directory Access Protocol) and DNS.

Page 3: Active directory

ACTIVE DIRECTORY and DNS

• Active Directory uses DNS.

• DNS domains are organised into a hierarchical structure.

• Different levels of DNS identify the computer, the organisational domain and the top-level domain.

• DNS also maps host names, i.e. fully qualified names, to IP addresses.

• The FQDN for a PC named airforce in the domain defence with top-level domain def is airforce.defence.def

Page 4: Active directory

Core Unit Of AD

• DOMAINS

• TREE

• FOREST

• Organisational unit (OU)

Page 5: Active directory

DOMAIN

• A domain is a logical structure of AD, i.e. the office at Ahmedabad is a physical object and the office at Gandhinagar is a physical object, but at the Gandhinagar or Ahmedabad office we are making a logical grouping of users, groups, printers, policies, faxes and computers.

You can divide your office computer network into logical parts called domains depending upon your requirements.

Page 6: Active directory

Domain

• Domain is the boundary of replication: domains within the AD replicate the information about objects between domains. Objects like:

Users, Groups, Contacts, OU, Computer

Page 7: Active directory

Domain

• Domain is the boundary of authentication: boundary of

user accounts

group permissions

resource access

• Domain is the boundary of administration

Page 8: Active directory

Domain

• Domain is the boundary of DNS namespace. DNS service records in AD are the way of locating services.

Computers in a domain defence are entered into the domain as a.defence.def, b.defence.def

Child domains are entered as gandhi.defence.def

**Child domains take their name from the parent domain. Computers in child domains are entered as a.gandhi.defence.def, b.gandhi.defence.def

All domains have a domain name, a fully qualified domain name and a NetBIOS name for NT4 PDCs and BDCs.

Page 9: Active directory

Tree

• A tree is a hierarchy of domains designed in a way to match the DNS structure.

• Trees share transitive trust relationships between domains, i.e. users can access their resources in the domain where they logged in; they can also access resources in other domains within the tree if the proper rights are given.

They share schema, configuration and global catalog.

Page 10: Active directory

SCHEMA

• Schema is the definition of objects in AD.

Objects in AD are

Users

Groups

Contacts etc.

All these objects are made from a common object definition, the schema.

All domains within a tree have to agree with this common schema.

Page 11: Active directory

Configuration

• Domains within a tree share the configuration between them, i.e. information about users, groups, resources etc.

Each domain knows about the other domains and their objects.

Page 12: Active directory

Global Catalog

• The global catalog is the central repository; it contains the reference to all objects in AD.

Page 13: Active directory

• Define a new tree with DCPROMO

Page 14: Active directory

FOREST

• When we create a single domain, a forest is created.

• Within a forest we can create multiple child domains or trees with a contiguous namespace: airforce.def, a.airforce.def, gandhi.airforce.def

• Within a forest we can create multiple trees with a disjoint namespace:

airforce.def, airforce.edu, a.airforce.def, a.airforce.edu
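The contiguous and disjoint namespaces above, together with the child-domain naming rule from the Domain slide, as an added Python example that is not part of the original slides: it groups a constructed list of domain names into trees by walking each name up to the nearest domain that exists in the forest, and reports whether the forest is one contiguous namespace.

```python
# Groups AD domain names into trees following the Tree and Forest slides:
# a child domain takes its name from its parent, so a tree is a contiguous
# DNS namespace and a forest may hold several trees with disjoint namespaces.
# FOREST_DOMAINS is a constructed sample built from the slides' example names.

FOREST_DOMAINS = ["airforce.def", "a.airforce.def", "gandhi.airforce.def",
                  "airforce.edu", "a.airforce.edu"]


def parent_domain(fqdn, domains):
    """Nearest ancestor of fqdn that is itself in the domain set, or None if
    fqdn is a tree root. Labels are stripped one at a time, so a missing
    intermediate level (x.y.airforce.def without y.airforce.def) still
    resolves to airforce.def."""
    labels = fqdn.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def tree_root(fqdn, domains):
    """Walk the contiguous namespace upward until no parent exists."""
    current = fqdn.lower()
    parent = parent_domain(current, domains)
    while parent is not None:
        current, parent = parent, parent_domain(parent, domains)
    return current


def build_trees(domain_list):
    """Map each tree root to the sorted list of domains in that tree."""
    domains = {d.lower() for d in domain_list}
    trees = {}
    for d in domains:
        trees.setdefault(tree_root(d, domains), []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


def is_contiguous(domain_list):
    """True when the whole list forms one tree (a contiguous namespace)."""
    return len(build_trees(domain_list)) == 1


def host_fqdn(host, domain):
    """Computers are entered under their domain, e.g. a + gandhi.defence.def."""
    return f"{host}.{domain}".lower()
```

Running `build_trees(FOREST_DOMAINS)` yields two trees rooted at airforce.def and airforce.edu, so `is_contiguous` is False for the sample forest and True for a single tree such as defence.def with gandhi.defence.def.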

Page 15: Active directory

Forest

• All domains within a forest share transitive trust relationships

• All domains in a forest share

Common schema

Configuration

Global catalog

Page 16: Active directory

Organisational Unit

• OUs are containers within a domain.

They contain objects of the domain.

You can create an organisational unit to organise users, computers, groups etc.

For example

You can create an OU for the sales team to manage sales team employees and their computers.

Page 17: Active directory

Organisational Unit

• Distinct unit of administration

You can delegate the administrative rights for administering an OU.

In Windows NT, if you wanted to give administration rights on some objects of the domain to any particular person, you had to make him a domain administrator, but in Windows 2003 you can create an OU and delegate administrative rights on that particular OU to the concerned authority.

Page 18: Active directory

Organisational Unit

• OUs are unique to a domain,

i.e. an OU can be a container for objects of the domain in which the OU is created.

1) OUs can be created to manage users and computers

2) You can create group policy and apply it to an OU

3) Delegate administration using OUs

Page 19: Active directory

Demonstration

Logical Objects

Active Directory domain, tree and forest

Users, groups and OUs

Create a new tree in AD using DCPROMO

Page 20: Active directory

ACTIVE DIRECTORY

• When we promote a server to a domain controller we actually install the Active Directory database. The database file name is NTDS.dit (dit = Directory Information Tree).

The AD database is divided into four parts:

Domain -- users, groups, computers

Schema -- object definitions

Configuration -- configuration of domains

Application -- applications like DNS

While in Windows 2000 the AD database is divided into three parts:

Domain -- users, groups, computers, DNS

Schema

Configuration

Page 21: Active directory

Replication Model

• In Windows NT replication is done from the PDC to the BDCs,

known as the single master replication model.

• In Windows 2003 all domain controllers replicate between each other,

known as multiple master replication.

Page 22: Active directory

Site

• A site is a well-connected IP subnet, i.e. if all subnets in a network are connected

through a well-connected network like a LAN (10/100/1000 Ethernet) then we can treat or create it as a single site.

For example: if there is one office at Ahmedabad and one at Gandhinagar connected by modem, we can treat each as a different site.

If we have two offices at Gandhinagar connected by a leased line of 10 Mbps then we can treat these two offices as a single site.

Page 23: Active directory

Domain Vs Site

• Domain is a logical concept

• Site is a physical concept

• A site can contain multiple domains

• Two sites can have a single domain

Because sites are connected through expensive, low-speed networks, there is no point in forwarding the authentication process over such a slow and expensive network.

Page 24: Active directory

Site

• Site provides local logon services and Distributed File System (DFS)

• Replication: replication between all domains in a site and, during off hours, between sites.

• Group Policy: site-level group policy

Page 25: Active directory

Site Requirements

• Membership in the Enterprise Admins group, i.e. admin rights on the forest

• Unique IP subnet range or ranges, i.e. two different sites must be on different subnets

• Every site must have at least one domain controller

• Inter-site transport: sites are connected with each other with low-speed networks; they use the IP or SMTP protocol to replicate. IP is more traffic intensive, and SMTP is 25% less traffic consuming than IP but is processor hungry.
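The site definition and the site requirements above as an added Python example, not taken from the slides: it validates a constructed site table for the two checks the slides state (no subnet shared between two sites, and at least one domain controller per site) and resolves a client IP address to the site whose subnet contains it.

```python
# Site and subnet checks following the Site and Site Requirements slides:
# a site is a set of well-connected IP subnets, two sites must not share a
# subnet, and every site needs at least one domain controller. SITES is a
# constructed sample table, not a real deployment.
import ipaddress

SITES = {
    "Ahmedabad":   {"subnets": ["10.1.0.0/16"], "dcs": ["dc1"]},
    "Gandhinagar": {"subnets": ["10.2.0.0/24", "10.2.1.0/24"], "dcs": ["dc2"]},
}


def check_site_table(sites):
    """Return a list of requirement violations: a subnet that overlaps a
    subnet of a different site, or a site with no domain controller."""
    problems = []
    seen = []  # (site name, network) pairs already validated
    for name, info in sites.items():
        if not info["dcs"]:
            problems.append(f"site {name} has no domain controller")
        for cidr in info["subnets"]:
            net = ipaddress.ip_network(cidr, strict=True)
            for other_name, other_net in seen:
                if other_name != name and net.overlaps(other_net):
                    problems.append(
                        f"subnet {net} in {name} overlaps {other_net} in {other_name}")
            seen.append((name, net))
    return problems


def site_for_ip(ip, sites):
    """Return the site whose subnet contains ip, choosing the most specific
    subnet if several match, or None when no site covers the address."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, info in sites.items():
        for cidr in info["subnets"]:
            net = ipaddress.ip_network(cidr, strict=True)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


if __name__ == "__main__":
    print("problems:", check_site_table(SITES))
    for client in ("10.1.200.3", "10.2.1.77", "192.168.0.1"):
        print(client, "->", site_for_ip(client, SITES))
```

A client on a subnet no site claims resolves to None, which is the case the unique-subnet requirement is meant to avoid when sites are planned.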

Page 26: Active directory

Global Catalog

• Partial replica of all the objects in the forest: each site must have one global catalog. It contains the reference of all objects in a forest, only the reference, not the complete information of the object. This reference helps AD to locate the object fast.

The GC is also known as the central repository.

• Configurable subset of attributes: you can select what attributes are to be sent to the GC as the reference for an object.

• These attributes help AD to locate objects fast in a forest-wide search.

• Required for logon (universal group membership): the global catalog is required for logon authentication, that's why each site must have a GC.

Page 27: Active directory

GC

A GC is required if a site has more than 100 users.

If there is reliable leased-line connectivity (meaning good network connectivity between two physically separate sites) then we may not require a GC at both sites.

If there is no GC-dependent server like Exchange Server, we may avoid keeping a GC at that particular site.

Page 28: Active directory

Demonstration

• Site and global catalog

• Creating a site, GC