Introduction to Active Directory, CIT 237


Dec 20, 2015

Page 1:

Introduction to Active Directory

CIT 237

Page 2:

Active Directory Objects

Objects
–Attributes that represent a network resource

Object name: Computers
–Attributes: computer 1, computer 2, computer 3, etc.

Object: Users
–Attributes: first name, last name, logon name, etc.

Page 3:

Active Directory Schema
–Defines the objects that can be stored in Active Directory (see schema administration in Active Directory Users and Computers)

Types of schema objects (metadata)
–Schema class objects: templates for creating new objects (e.g. computer, Group, User, etc.)
–Schema attribute objects: define or describe the schema class object with which they are associated, even though they may be used in many schema classes

Page 4:

Active Directory Components

Domains
Organizational Units (OUs)
Trees
Forests

Page 5:

DOMAINS, TREES, AND A FOREST

(Diagram) contoso.com is the parent domain, labelled "forest root and tree root", and contains two OUs. Its child domains are west.contoso.com and east.contoso.com. tailspintoys.com is a separate "domain tree root" in the same forest.

Page 6:

Domains

Core unit of logical structure
Stores millions of objects
A security boundary
–Access to objects is governed by access control lists (ACLs), which contain permissions for each object (files, folders, shares, printers, etc.). Those permissions control which users can gain access to an object and what type of access they can gain
–ACL rights are not transferable from one domain to another

Page 7:

Domains

Default functional levels:
–Windows 2000 Mixed (default for Windows 2003 server)
–Windows 2000 Native
–Windows 2000 Interim
–Windows 2003

Page 8:

Windows 2000 Mixed

Allows functionality with domain controllers in the same domain running Windows NT 4
Allows functionality with domain controllers in the same domain running Windows Server 2003

Page 9:

Windows Server 2003

Allows functionality only with domain controllers in the same domain running Windows Server 2003.
–The functional level should be raised according to the type of domain controllers in the domain

Page 10:

Organizational Units (OUs)

Organizes objects within a domain into logical administrative groups
–Nesting: an OU is added within another OU (like a subdirectory). This creates a hierarchical structure

Page 11:

Trees

A group or hierarchy of domains created by adding a child domain to a parent

Page 12:

Forests

A group or hierarchy of independent domain trees
Forest functional level provides a way to enable forest-wide Active Directory features
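The domain, tree and forest relationships drawn on page 5 can be recovered from DNS names alone, since a child domain's name is its parent's name with one extra leading label. The following is an added example, not part of the course slides; the four domain names are the ones on the slide, and which tree root is the forest root is passed in because names do not reveal it.

```python
# Added example (not from the slides): rebuild the page 5 picture from DNS names.
# A child domain's DNS name is its parent's name plus one leading label, so trees
# can be derived from names; the forest root (first domain created) must be given.

def dns_to_dn(dns_name):
    """Directory DN for a domain: west.contoso.com -> DC=west,DC=contoso,DC=com."""
    return ",".join("DC=" + label for label in dns_name.split("."))


def parent_of(domain, all_domains):
    """Return the parent domain if it exists in the forest, else None."""
    candidate = ".".join(domain.split(".")[1:])
    return candidate if candidate in all_domains else None


def build_trees(domains):
    """Group domains into trees: {tree_root: [descendant, ...]}."""
    domains = set(domains)
    trees = {}
    for d in domains:
        # Walk up until no parent exists in the forest; that domain is the tree root.
        root = d
        while parent_of(root, domains) is not None:
            root = parent_of(root, domains)
        trees.setdefault(root, [])
        if root != d:
            trees[root].append(d)
    return {root: sorted(children) for root, children in trees.items()}


def describe_forest(forest_root, domains):
    """Role of every domain, in the wording used on the slide."""
    roles = {}
    for root, children in build_trees(domains).items():
        roles[root] = "forest root and tree root" if root == forest_root else "domain tree root"
        for child in children:
            roles[child] = "child of " + parent_of(child, set(domains))
    return roles


# Sample input: the four domains drawn on the slide (constructed sample).
SLIDE_DOMAINS = ["contoso.com", "west.contoso.com", "east.contoso.com", "tailspintoys.com"]

if __name__ == "__main__":
    for dom, role in sorted(describe_forest("contoso.com", SLIDE_DOMAINS).items()):
        print(f"{dom:20} {dns_to_dn(dom):32} {role}")
```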

Page 13:

Physical Structures

Physical components of Active Directory:
–Sites
–Domain controllers

Page 14:

Sites

One or more connected IP subnets
–Usually has the same performance boundaries (fast network connections group with each other and slow with each other)
–Not listed in Active Directory as OUs are
–Contain only computer and connection objects

Page 15:

Domain Controllers

Stores a replica of the domain portion of Active Directory
Services only one domain
Authenticates users and maintains domain security policy

Page 16:

Replication

Ensures that changes in one domain controller are represented in all other domain controllers in the domain

Page 17:

What Information is Replicated

Active Directory is partitioned into four units:
–Schema partition: describes the objects and attributes that can be created in a directory. This data is common to all domains in a forest and is replicated
–Configuration partition: describes the domain structure and replication layout. This data is common to all domains in a forest and is replicated
–Domain partition: describes all domain objects. This is domain specific and is not replicated forest-wide, but the data is replicated to every domain controller in the domain
–Application directory partition: stores dynamic application-specific data and can contain any type of object except security principals. Can be set for replication if desired

Page 18:

Stores and Replicates

Schema partition stores data for a forest
Configuration partition stores data for all domains in a forest
Domain partition stores data, such as directory objects and properties, for its specific domain
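Pages 16 to 18 together define a replication scope per partition: schema and configuration changes reach every domain controller in the forest, a domain partition change reaches only the domain controllers servicing that domain, and an application partition reaches only the controllers enrolled in it. The following is an added example, not part of the course slides; the domain controller names, domains and the "inventory-app" partition are constructed, and it assumes each DC hosts exactly the schema, configuration and its own domain partition plus any application partitions listed for it.

```python
# Added example (not from the slides): which domain controllers must receive a
# write, by partition, following pages 16-18. Assumption: a DC holds the schema
# and configuration partitions, the domain partition of the one domain it
# services, and only the application partitions it is explicitly enrolled in.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    app_partitions: frozenset = field(default_factory=frozenset)


FOREST_WIDE = {"schema", "configuration"}


def hosted_partitions(dc):
    """Partitions this DC holds a replica of."""
    return (FOREST_WIDE
            | {"domain:" + dc.domain}
            | {"app:" + name for name in dc.app_partitions})


def replication_targets(origin, partition, forest_dcs):
    """Names of the other DCs that receive a write made to `partition` on `origin`."""
    if partition not in hosted_partitions(origin):
        raise ValueError(f"{origin.name} does not host {partition}")
    return sorted(dc.name for dc in forest_dcs
                  if dc is not origin and partition in hosted_partitions(dc))


# Constructed sample forest shaped like the page 5 diagram; "inventory-app" is a
# made-up application directory partition enrolled on two DCs in different domains.
FOREST = [
    DomainController("DC1", "contoso.com", frozenset({"inventory-app"})),
    DomainController("DC2", "contoso.com"),
    DomainController("DC3", "west.contoso.com"),
    DomainController("DC4", "east.contoso.com"),
    DomainController("DC5", "tailspintoys.com", frozenset({"inventory-app"})),
]

if __name__ == "__main__":
    dc1 = FOREST[0]
    for partition in sorted(hosted_partitions(dc1)):
        print(f"{partition:22} -> {replication_targets(dc1, partition, FOREST)}")
```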

Page 19:

Types of Replication

Intrasite: replication occurs within domain controllers in the same domain, using a ring structure and the Knowledge Consistency Checker (KCC), which runs on all domain controllers to ensure consistency.
Intersite replication: performed by creating site links (network connections)

Page 20:

Trust Relationships

Link between two domains in which the trusting domain honors the logon authentication of the trusted domain using NT LAN Manager (NTLM) or Kerberos.
Kerberos is the default for Windows Server 2003. If Kerberos is not supported in a trust, NTLM is used
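A trust only makes the trusting domain honor the other domain's logon; because ACL rights do not carry over between domains (page 6), access to a resource is still decided by that resource's own ACL. The following is an added example, not part of the course slides; it assumes trusts are recorded as (trusting, trusted, kerberos-supported) triples and users are written DOMAIN\name, and the domain "LEGACY", the share and the user names are constructed.

```python
# Added example (not from the slides): trust direction and protocol selection
# from page 20, combined with the per-domain ACL rule from page 6. Assumptions:
# trusts are (trusting, trusted, kerberos_supported) triples; users are "DOMAIN\\name".

def trust_protocol(trusting, trusted, trusts):
    """'kerberos', 'ntlm', or None when `trusting` has no trust toward `trusted`."""
    for t, d, kerberos_supported in trusts:
        if t == trusting and d == trusted:
            # Kerberos is the default; NTLM is used only when the trust lacks Kerberos.
            return "kerberos" if kerberos_supported else "ntlm"
    return None


def check_access(user, resource, trusts):
    """Return (decision, reason) for `user` requesting `resource`."""
    user_domain = user.split("\\")[0]
    if user_domain == resource["domain"]:
        proto = "local"  # same domain: no trust needed
    else:
        proto = trust_protocol(resource["domain"], user_domain, trusts)
        if proto is None:
            return ("denied", f"{resource['domain']} does not trust {user_domain}")
    # Authentication succeeded; authorization is the resource's own ACL only.
    rights = resource["acl"].get(user, ())
    if not rights:
        return ("denied", f"authenticated via {proto}, but no ACE for {user}")
    return ("granted", f"authenticated via {proto}; rights: {', '.join(rights)}")


# Constructed sample: contoso.com trusts tailspintoys.com (Kerberos) and an old
# NT-style domain "LEGACY" (NTLM only); tailspintoys.com trusts nobody.
TRUSTS = [
    ("contoso.com", "tailspintoys.com", True),
    ("contoso.com", "LEGACY", False),
]
SHARE = {
    "domain": "contoso.com",
    "acl": {"contoso.com\\alice": ("read", "write"),
            "tailspintoys.com\\bob": ("read",)},
}

if __name__ == "__main__":
    for who in ("contoso.com\\alice", "tailspintoys.com\\bob", "LEGACY\\carol"):
        print(who, check_access(who, SHARE, TRUSTS))
```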

Page 21:

Global Catalog

A role designation assigned to a domain controller. By default it is created automatically and assigned to the first (root) domain controller in the forest. However, any domain in the forest can be a global catalog. The information is simply replicated
Central repository of information about objects in a tree or forest