Introduction to Active Directory Directory Services

Jan 25, 2016

PowerPoint PPT presentation, 32 slides, posted by nell

Transcript
Page 1: Introduction to Active Directory Directory Services

Introduction to Active Directory Directory Services

• Uniquely identify users and resources on a network

• Provide a single point of network management

Page 2

What Are Active Directory Directory Services?

The directory service included with Microsoft Windows 2000 Server products

• A directory service is a network service.

• A directory service identifies all resources on a network.

• A directory service makes those resources available to users and applications.

Page 3

What Are Active Directory Directory Services? (continued)

Active Directory directory services include the Directory.

• The Directory stores information about network resources.

• Resources stored in the Directory are referred to as objects.

Page 4

Simplified Administration

Active Directory directory services organize resources hierarchically in domains.

• A domain is a logical grouping of servers and other network resources under a single domain name.

• A domain is the basic unit of replication and security.

• A domain includes at least one domain controller.

Page 5

Simplified Administration (continued)

Active Directory directory services provide

• A single point of administration for all objects on the network

• A single point of logon for all network resources

Page 6

Scalability

• The Directory stores information by organizing itself into sections (partitions) that permit storage of a huge number of objects.

• The Directory can expand to meet the needs of

  • Small installations with one server and a few hundred objects.

  • Huge installations with hundreds of servers and millions of objects.

Page 7

Open Standards Support

Active Directory directory services

• Integrate the Internet concept of a namespace with the Windows 2000 directory service

• Allow you to unify and manage multiple namespaces

• Use DNS as the naming system

• Exchange information with any application or directory that uses LDAP or HTTP

Page 8

Domain Name System

• DNS is the domain naming and locator service for Active Directory.

• Windows 2000 domain names are also DNS names.

• Windows 2000 Server uses dynamic DNS (DDNS).

• Clients and domain controllers can update their DNS records dynamically.

• DDNS removes the need for a separate naming service for locating domain controllers and other Active Directory resources.
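The locator role of DNS on this slide is concrete: every domain controller registers SRV records under _msdcs.<domain> by dynamic update, and a client finds a DC by querying those names, site-specific ones first. The Python below is an added example, not part of the original slides, that builds the record names and selects a DC by RFC 2782 priority and weight; the domain corp.example.com, the site names and the SRV data in SAMPLE_ZONE are constructed sample data.

```python
"""Find a domain controller the way a Windows client does: query the SRV
records that domain controllers register in DNS under _msdcs and pick one by
RFC 2782 priority and weight, preferring the client's own site.

Added example, not part of the original slides. The domain corp.example.com,
the site names and the SRV records below are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first
    weight: int    # share of traffic within one priority
    port: int
    target: str    # DC host name


def locator_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """The SRV names a client queries for `domain`. With a site name, the
    site-specific records are tried first so the client lands on a nearby DC."""
    domain = domain.rstrip(".").lower()
    site_part = f"{site}._sites." if site else ""
    return {
        "ldap": f"_ldap._tcp.{site_part}dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.{site_part}dc._msdcs.{domain}",
        # Global catalog records are registered under the forest root name;
        # this helper assumes `domain` is the forest root.
        "gc": f"_ldap._tcp.{site_part}gc._msdcs.{domain}",
    }


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records per RFC 2782: lowest priority first; within a priority,
    weighted random selection, so weight 0 entries come out last."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                point = rng.randint(0, total - 1)
                running = 0
                for pick in group:
                    running += pick.weight
                    if point < running:
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


# Constructed zone data: what a resolver would return for these names.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.paris._sites.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc1.corp.example.com"),
        SrvRecord(0, 100, 389, "dc2.corp.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        SrvRecord(0, 100, 389, "dc1.corp.example.com"),
        SrvRecord(0, 100, 389, "dc2.corp.example.com"),
        SrvRecord(10, 100, 389, "dc3.corp.example.com"),  # other site, fallback only
    ],
}


def find_dc(domain: str, site: Optional[str],
            zone: Dict[str, List[SrvRecord]] = SAMPLE_ZONE,
            rng: Optional[random.Random] = None) -> str:
    """Return the DC a client in `site` should contact: site-specific records
    first, the domain-wide records if the site has none registered."""
    candidates = [locator_names(domain, site)["ldap"], locator_names(domain)["ldap"]]
    for name in candidates:
        records = zone.get(name.lower())
        if records:
            return order_srv(records, rng)[0].target
    raise LookupError(f"no DC SRV records for {domain}")


if __name__ == "__main__":
    print(find_dc("corp.example.com", "Paris"))  # dc1 or dc2, chosen by weight
    print(find_dc("corp.example.com", "Tokyo"))  # no Tokyo records: domain-wide fallback
```

The registration mechanism is also the caveat: if the zone accepts nonsecure dynamic updates, any host on the network can overwrite a DC's SRV record and steer clients to itself, so AD-integrated zones should be limited to secure dynamic updates. dc3 sits at priority 10 and is used only when no priority-0 DC answers.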

Page 9

Support for LDAP and HTTP

• LDAP is an Internet standard for accessing directory services.

• HTTP is the standard protocol for displaying pages on the World Wide Web.

• You can display every object in Active Directory as an HTML page in a Web browser.

Page 10

Support for Standard Name Formats

Format     Example

RFC 822    [email protected]

HTTP URL   http://domain/path-to-page

UNC        \\microsoft.com\xl\budget.xls

LDAP URL   LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

Page 11

Logical Structure

• The logical structure is separate from the physical structure.

• Resources are organized in a logical structure.

• A resource is found by its name rather than by its physical location.

• The network’s physical structure is transparent to the users.

Page 12

Objects

Page 13

Organizational Units

Page 14

Domain

• The domain is the core unit of logical structure.

• All network objects exist within a domain.

• A domain stores information about only the objects that it contains.

• A practical limit to the number of objects in a domain is 1 million.

Page 15

A Domain Is a Security Boundary

• Access to domain objects is controlled by ACLs.

• ACLs contain the permission associated with objects.

• ACLs control which users can gain access to an object.

• ACLs control which type of access users can gain to the objects.

• Security policies and settings do not cross from one domain to another.

• A domain administrator has absolute rights to set policies only within that domain.

• In practice the forest, not the domain, is the security boundary: every domain controller replicates the forest-wide schema and configuration partitions, and an administrator who controls a domain controller in any domain can escalate to the whole forest. Microsoft's later guidance states this explicitly, so a domain is better understood as an administrative and replication boundary.
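What "access to domain objects is controlled by ACLs" looks like in practice is a security descriptor, usually read in SDDL form. The Python below is an added example, not from the slides: it parses the DACL of an SDDL string into ACEs (two-letter rights or hex access masks) and flags entries that give control of the object to broad principals such as Authenticated Users or Domain Users. The SDDL in SAMPLE_SDDL is constructed (the property GUID in it is a placeholder, not a real schema GUID), and the alias tables are subsets of the documented SDDL tables.

```python
"""Read the DACL of an Active Directory object from its SDDL string and flag
ACEs that hand control of the object to broad principals.

Added example, not part of the original slides. SAMPLE_SDDL is constructed
(the property GUID is a placeholder); RIGHTS, RIGHT_BITS and SIDS are subsets
of the documented SDDL abbreviation tables.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Two-letter SDDL access rights (generic and directory-service specific).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RP": "READ_PROPERTY",
    "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT",
    "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS",
}
# The same rights as access-mask bits, for ACEs written in hex form.
RIGHT_BITS = {
    0x1: "CREATE_CHILD", 0x2: "DELETE_CHILD", 0x4: "LIST_CHILDREN",
    0x8: "SELF_WRITE", 0x10: "READ_PROPERTY", 0x20: "WRITE_PROPERTY",
    0x40: "DELETE_TREE", 0x80: "LIST_OBJECT", 0x100: "CONTROL_ACCESS",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Well-known SID abbreviations (subset).
SIDS = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Administrators",
    "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
    "DU": "Domain Users", "AN": "Anonymous", "CO": "Creator Owner",
    "PS": "Principal Self", "AO": "Account Operators",
}
# Rights that give control of the object outright...
CONTROL_ALWAYS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER"}
# ...and rights that do so unless the ACE is scoped to one property/extended right.
CONTROL_IF_UNSCOPED = {"WRITE_PROPERTY", "CONTROL_ACCESS"}
BROAD = {"AU", "WD", "DU", "AN"}


@dataclass
class Ace:
    ace_type: str     # A, D, OA, OD, AU, ...
    flags: str        # inheritance flags such as CI, OI, IO, ID
    rights: Set[str]
    object_guid: str  # OA/OD only: the property, property set or extended right
    inherit_guid: str
    trustee: str      # two-letter alias or an S-1-... SID


def parse_rights(field: str) -> Set[str]:
    """Decode either 'RPWP...' pairs or a '0x...' access mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in RIGHT_BITS.items() if mask & bit}
    return {RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: section. SDDL is O:owner G:group D:dacl S:sacl;
    each ACE is (type;flags;rights;object_guid;inherit_guid;trustee)."""
    sections = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sections.get("D", "")):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, inh, trustee = parts[:6]
        aces.append(Ace(ace_type, flags, parse_rights(rights), obj, inh, trustee))
    return aces


def risky_aces(aces: List[Ace]) -> List[Ace]:
    """Allow ACEs that give a broad principal control over the object."""
    out = []
    for a in aces:
        if a.ace_type not in ("A", "OA") or a.trustee not in BROAD:
            continue
        if a.rights & CONTROL_ALWAYS or (a.rights & CONTROL_IF_UNSCOPED and not a.object_guid):
            out.append(a)
    return out


SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                 # Domain Admins: full control
    "(A;;RPLCLORC;;;AU)"                                  # Authenticated Users: read only
    "(OA;;WP;00000000-0000-0000-0000-000000000001;;PS)"   # self may write one property (placeholder GUID)
    "(A;;0x40000;;;DU)"                                   # Domain Users: WRITE_DAC, as a hex mask
)

if __name__ == "__main__":
    for a in risky_aces(parse_dacl(SAMPLE_SDDL)):
        print(f"{SIDS.get(a.trustee, a.trustee)} holds {sorted(a.rights)} (ACE type {a.ace_type})")
```

On a real domain the SDDL comes from, for example, (Get-Acl "AD:\DC=corp,DC=example,DC=com").Sddl in PowerShell with the ActiveDirectory module loaded. The flagged ACE here grants WRITE_DAC to Domain Users, so any domain user can rewrite the object's permissions; that is the kind of finding the domain's own policy boundary does nothing to stop. The parser handles the common ACE shape only (no conditional ACEs).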

Page 16

Tree

• A tree is a grouping of one or more Windows 2000 domains.

• All domains within a single tree share a contiguous namespace.

• The domain name of a child domain is the relative name of that child domain followed by the name of the parent domain (for example, sales.corp.example.com under corp.example.com).

• All domains within a single tree share a common schema.

• All domains within a single tree share a common global catalog.

Page 17

Forest

• A forest is a grouping of one or more domain trees.

• The trees in a forest form a disjoint (noncontiguous) namespace.

• All trees in a forest share a common schema.

• Trees in a forest have different naming structures.

• All domains in a forest share a common global catalog.

• Domains in a forest operate independently but are linked by automatic two-way transitive trust relationships, so a user in one domain can be granted access to resources in another.

Page 18

Sites

• The physical structure is based on sites.

• A site is a combination of one or more IP subnets.

• Typically a site has the same boundaries as a LAN.

• Sites are not part of the logical namespace.

• Sites contain computer objects and connection objects.

Page 19

Replication Within a Site

• The Active Directory directory services include a replication feature.

• Replication ensures that changes made on one domain controller are reflected on all domain controllers within the domain.

Page 20

Functions of Domain Controllers in a Domain

• Store a complete copy of all Active Directory information for their domain, plus the forest-wide schema and configuration partitions

• Replicate all objects in the domain to each other automatically

• Replicate certain important updates (for example, account lockouts) immediately, as urgent replication

• Use multimaster replication: any domain controller can accept a change, and the change is then replicated to the others

• Provide fault tolerance

• Manage all aspects of user domain interactions
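Multimaster replication means every domain controller accepts writes and the directory converges afterwards, so two DCs can take conflicting writes to the same attribute while a link between them is down. The Python below is an added example, not from the slides, modelling that with per-attribute stamps and the documented Active Directory conflict rule (higher version wins, then later originating time, then the originating DC's invocation ID); the DC names, invocation IDs, timestamps and the object are constructed, and USNs, up-to-dateness vectors and tombstones are left out.

```python
"""Model multimaster replication between domain controllers: each DC accepts
writes locally, stamps every attribute value, and replication converges all
DCs to one value by comparing stamps rather than by whichever update
replicated last.

Added example, not part of the original slides. DC names, invocation IDs,
timestamps and the object are constructed; the conflict rule is the
documented one in simplified form (no USNs, up-to-dateness vectors or
tombstones).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    version: int           # incremented by each originating write
    originating_time: int  # time of the originating write (constructed clock)
    originating_dsa: str   # invocation ID of the DC that accepted the write


@dataclass
class DomainController:
    name: str
    invocation_id: str
    # dn -> attribute -> (value, stamp)
    store: Dict[str, Dict[str, Tuple[str, Stamp]]] = field(default_factory=dict)

    def write(self, dn: str, attr: str, value: str, now: int) -> Stamp:
        """Originating write: accepted locally, no single master to ask."""
        current = self.store.get(dn, {}).get(attr)
        version = current[1].version + 1 if current else 1
        stamp = Stamp(version, now, self.invocation_id)
        self.store.setdefault(dn, {})[attr] = (value, stamp)
        return stamp

    def read(self, dn: str, attr: str) -> Optional[str]:
        entry = self.store.get(dn, {}).get(attr)
        return entry[0] if entry else None

    def replicate_from(self, partner: "DomainController") -> int:
        """Pull the partner's values, keeping whichever stamp is higher.
        Returns the number of values applied."""
        applied = 0
        for dn, attrs in partner.store.items():
            for attr, (value, stamp) in attrs.items():
                local = self.store.get(dn, {}).get(attr)
                if local is None or stamp > local[1]:
                    self.store.setdefault(dn, {})[attr] = (value, stamp)
                    applied += 1
        return applied


def converge(dcs: List[DomainController]) -> None:
    """One replication round over all pairs, enough for this model."""
    for a in dcs:
        for b in dcs:
            if a is not b:
                a.replicate_from(b)


def demo() -> Tuple[Optional[str], Optional[str]]:
    dn = "CN=Jane Doe,OU=Finance,DC=corp,DC=example,DC=com"
    dc_a = DomainController("DC1", "1a0d7b3e-0000-4000-8000-000000000001")
    dc_b = DomainController("DC2", "2b1e8c4f-0000-4000-8000-000000000002")

    dc_a.write(dn, "description", "Paris office", now=100)
    converge([dc_a, dc_b])  # both hold version 1

    # Link down: each DC accepts its own originating write (both version 2).
    dc_a.write(dn, "description", "Paris office, 2nd floor", now=200)
    dc_b.write(dn, "description", "Paris HQ", now=210)

    converge([dc_a, dc_b])  # link restored: same version, later time wins
    return dc_a.read(dn, "description"), dc_b.read(dn, "description")


if __name__ == "__main__":
    print(demo())
```

Because a write accepted by any one DC propagates to all of them, every domain controller is equally security-critical: once replicated, a write taken on a compromised DC is indistinguishable from a legitimate one, and urgent replication only shortens the delay.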

Page 21

Ring Topology for Replication

Page 22

Schema

• Contains a formal definition of the contents and structure of Active Directory directory services

• Defines attributes for each object class

Page 23

Default Schema

• Created by installing Active Directory on the first computer in a new forest

• Contains definitions of commonly used objects and properties

• Contains definitions of objects and properties used by Active Directory

Page 24

Extensible Schema

• You can define new directory object types and attributes.

• You can define new attributes for existing objects.

• You can extend the schema

  • By using LDAP Data Interchange Format (LDIF) scripts.

  • Programmatically, by using the Active Directory Service Interfaces (ADSI).

  • By using the Active Directory Schema snap-in.

• The schema is stored in its own partition of the Directory, replicated to every domain controller in the forest, and can be updated dynamically. Schema changes are forest-wide and cannot be undone (an attribute or class can only be deactivated), so the right to make them is held only by the Schema Admins group.

Page 25

Global Catalog

Page 26

Global Catalog Servers

• Installing Active Directory on the first computer in a new forest makes that domain controller a global catalog server.

• The Active Directory Sites and Services snap-in allows you to designate additional global catalog servers.

• More global catalog servers means more replication traffic.

• More global catalog servers can provide quicker responses.

• Every major site should have a global catalog server.

Page 27

Namespace

Page 28

Naming Conventions

• Every object in Active Directory is identified by a name.

• Active Directory uses a variety of naming conventions.

Page 29

Distinguished Name

• Every object has a distinguished name (DN).

• The DN uniquely identifies the object.

• The DN contains sufficient information for a client to retrieve the object.

• The DN includes the name of the domain that holds the object.

• The DN includes the complete path to the object.

Page 30

Relative Distinguished Name

Page 31

Globally Unique Identifier

• A globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique.

• GUIDs are assigned when the object is created.

• The GUID for an object never changes.

• Applications use GUIDs to retrieve objects regardless of current DNs.

Page 32

User Principal Name

• User accounts have a friendly name, the user principal name (UPN).

• The UPN is composed of the user's logon name and a UPN suffix. By default the suffix is the DNS name of the domain where the user account object resides; administrators can register alternative suffixes for the forest.
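The name formats and naming conventions on the preceding slides (pages 10, 29, 30 and 32) are easy to get wrong in code: a DN is a list of RDNs with its own escaping rules, and an LDAP URL wraps a DN in URL encoding on top of that. The Python below is an added example, not from the slides: it splits a DN into RDNs honouring RFC 4514 escapes, extracts the DN from an LDAP URL, derives the DNS domain name from the DC= components, and builds a user's default UPN. The DNs, host names and logon name are constructed, and the UPN suffix is assumed to be the domain's DNS name, which is the default but not the only option in a forest.

```python
"""Work with Active Directory names: split a distinguished name into RDNs
while honouring LDAP escaping (RFC 4514), take the DN out of an LDAP URL,
derive the DNS domain from the DC= components, and build a default UPN.

Added example, not part of the original slides. DNs, hosts and the logon
name are constructed; the UPN suffix is assumed to be the domain's DNS name.
"""
from typing import List, Tuple
from urllib.parse import unquote

HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(type, value), ...] from the leaf RDN outward.

    '\\,' keeps a comma inside a value (a plain dn.split(',') would break the
    name 'Doe\\, Jane' into two pieces) and '\\XX' is one UTF-8 byte, so each
    value is assembled as bytes and decoded once. Multi-valued RDNs (a=1+b=2)
    are not handled.
    """
    rdns: List[str] = []
    buf = bytearray()
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX for h in pair):
                buf.append(int(pair, 16))      # \XX hex escape
                i += 3
            else:
                buf.extend(dn[i + 1].encode("utf-8"))  # \, \+ \" \\ \< \> \; \= \#
                i += 2
        elif c == ",":
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
            i += 1
        else:
            buf.extend(c.encode("utf-8"))
            i += 1
    rdns.append(buf.decode("utf-8"))
    pairs = []
    for rdn_text in rdns:
        attr_type, sep, value = rdn_text.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn_text!r}")
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def parse_ldap_url(url: str) -> Tuple[str, str]:
    """Split 'LDAP://host[:port]/DN[?attrs?scope?filter]' into (host, DN).
    The DN part of a URL may be percent-encoded (RFC 4516), so it is unquoted."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host, _, path = rest.partition("/")
    return host, unquote(path.split("?", 1)[0])


def rdn(dn: str) -> Tuple[str, str]:
    """The relative distinguished name: the leaf component only."""
    return split_dn(dn)[0]


def dns_domain(dn: str) -> str:
    """DNS name of the domain holding the object: the DC= components in order."""
    parts = [v for t, v in split_dn(dn) if t == "DC"]
    if not parts:
        raise ValueError("DN has no DC= components")
    return ".".join(parts)


def default_upn(logon_name: str, dn: str) -> str:
    """Default UPN: logon name @ DNS name of the user's own domain. A forest
    may register other suffixes; this helper builds only the default."""
    return f"{logon_name}@{dns_domain(dn).lower()}"


if __name__ == "__main__":
    url = "LDAP://dc1.corp.example.com/CN=Doe\\, Jane,OU=Finance,DC=corp,DC=example,DC=com"
    host, dn = parse_ldap_url(url)
    print(host, split_dn(dn))
    print(rdn(dn), dns_domain(dn), default_upn("jdoe", dn))
```

Splitting on ',' without honouring '\,' is the classic mistake: the constructed DN for "Doe, Jane" splits into six pieces instead of five RDNs. Note also that unquote() runs before DN parsing, so a percent-encoded %2C in a URL becomes a real RDN separator; that is correct for RFC 4516, but it means an attacker-controlled URL can add RDNs, so check the resulting DN against the container you expect before using it.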