
Directory Services

May 05, 2019


dinhthu
Topics
- Introduction
- Logical Structure
- Physical Structure

Directory Services (Introduction)
- Definition: stores, organizes and retrieves information about objects in a network
- Existing directory services:
  – OSF DCE Directory Service
  – Banyan StreetTalk
  – Novell NDS
  – Active Directory

Active Directory (Introduction)
Figure: the Active Directory surrounded by what it ties together: DNS; directory-enabled applications (address book, Exchange, COM components, class store); directory-enabled networks (IPSec, QoS); directory entries for users and groups, computers and printers, credentials, group policies, services and resources; replicated storage; security; replication.

AD Namespaces (Introduction)
Figure: a flat NetBIOS namespace (compaq with master1, master2, master3, res1, res2, res3) next to a hierarchical DNS namespace (edu and com, with mit, microsoft and compaq beneath).
- Going from a flat to a hierarchical namespace
- Going from NetBIOS names to DNS names
- Fully qualified domain name: compaq.com

The Role of DNS (Introduction)
- The AD uses DNS for:
  – Resolving NT domain names
  – Service location, to find servers such as DCs

The Role of LDAP (Introduction)
- The Active Directory organizes elements in a hierarchical form
- LDAP is used to access these elements inside the domain
- LDAP is used by applications to access objects inside a domain

Logical Structure
- You define the logical structure by using
  – Trees and forests
  – Domains
  – Organizational units

What is a Domain? (Logical Structure)
- Directory and namespace partition
- Security boundary (scope of policies, groups)
- May potentially contain millions of objects
- AD domains are named with DNS names
- Each domain defines a separate LDAP directory

Domain: Administrative Partition (Logical Structure)
- Group/security policies do not propagate between domains
- Rights/permissions do not propagate between domains
- A domain admin in a parent domain is not a domain admin in a child domain
- Domains cannot be renamed
- Domains cannot be merged/split
  – Move objects instead

What is an Organizational Unit? (Logical Structure)
- Resides in a domain
- Is a container object (users, computers, groups, printers, policies, OUs, ...)
- Creates a hierarchical structure
- Is not part of the DNS namespace
- IS NOT A SECURITY PRINCIPAL
Figure: a domain containing OUs, which in turn contain further OUs and leaf objects.

What is an Organizational Unit? (Logical Structure)
- Is used to
  – delegate administration
  – replace NT4 resource domains
  – apply policies
  – group objects with common properties

Active Directory Objects (Logical Structure)
Figure: the domain compaq.com (DC=compaq,DC=com) with the containers Users and resources, the OU Sales, the users John, Jack and Bob, and a printer; Jack's distinguished name is CN=Jack, OU=Sales, OU=Users, DC=compaq, DC=com. See RFC 2247 for "DC=" naming.
- Users and groups
- Computers and printers
- Application-specific
- Referenced by LDAP distinguished names
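The DN on the slide, CN=Jack, OU=Sales, OU=Users, DC=compaq, DC=com, follows RFC 2247: each DNS label of the domain becomes one DC= component, and the OUs sit between the object's CN and that tail. The Python below is an added example, not code from the slides; it converts between the domain name and its DC= form, builds an object's DN from its OU path, and parses a DN back into components while honouring backslash-escaped commas. The function names are this example's own, and the escaping rules it applies are those of RFC 2253/4514.

```python
"""Building and parsing LDAP distinguished names in the "DC=" naming style of
RFC 2247 (added example; not code from the original slides)."""
from __future__ import annotations

# Characters that must be escaped inside an RDN value (RFC 2253 / RFC 4514).
_SPECIAL = ',+"\\<>;'


def domain_to_dn(fqdn: str) -> str:
    """compaq.com -> DC=compaq,DC=com: one DC= RDN per DNS label, left to right."""
    labels = [lbl for lbl in fqdn.strip().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def escape_rdn_value(value: str) -> str:
    """Escape special characters, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _SPECIAL
            or (ch == "#" and i == 0)
            or (ch == " " and i in (0, last))
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def object_dn(cn: str, ou_path: list[str], domain: str) -> str:
    """DN of a leaf object: CN first, then OUs innermost-first, then the DC= part.
    ou_path is given outermost-first, the way the slide draws it (Users -> Sales)."""
    rdns = [f"CN={escape_rdn_value(cn)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    return ",".join(rdns) + "," + domain_to_dn(domain)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs. A backslash escapes the next
    character, so 'CN=Smith\\, Jack' stays one RDN; values come back unescaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        rdn_type, sep, value = rdn.strip().partition("=")
        if not sep or not rdn_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((rdn_type.strip(), value))
    return pairs


def dn_to_domain(dn: str) -> str:
    """Inverse of domain_to_dn: the DC= components, in order, joined with dots."""
    return ".".join(v for t, v in parse_dn(dn) if t.upper() == "DC")


def ou_chain(dn: str) -> list[str]:
    """The OU hierarchy of an object, outermost-first; it never appears in the DNS name."""
    return [v for t, v in reversed(parse_dn(dn)) if t.upper() == "OU"]


if __name__ == "__main__":
    jack = object_dn("Jack", ["Users", "Sales"], "compaq.com")
    print(jack)                                 # CN=Jack,OU=Sales,OU=Users,DC=compaq,DC=com
    print(dn_to_domain(jack), ou_chain(jack))   # compaq.com ['Users', 'Sales']
```

The OU components appear only in the DN and never in the DNS name, which is the slide's point that OUs are not part of the DNS namespace; the DC= tail alone identifies the owning domain, so the domain of any object can be read off its DN without a lookup.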

Transitive Trusts (Logical Structure)
- Trusts link domains
- Trust relationships are Kerberos-based
- Downlevel trusts are still supported
- Trusts are transitive
Figure: Windows NT 4.0 trusts between the US and Europe domains compared with Windows 2000 transitive trusts down the tree compaq.com, us.compaq.com, sales.us.compaq.com.

Trees (Logical Structure)
- A tree is a set of one or more Windows 2000 domains
- A tree forms a contiguous namespace
- A forest is a collection of trees joined by a Kerberos trust
- A forest is a discontiguous namespace

Forest (Logical Structure)
Figure: a forest of two trees, compaq.com with products.compaq.com and digital.com with services.digital.com.

Designing a Domain Structure (Logical Structure)
- Decide to use a forest or a tree
- Define the first domain
- Examine the reasons for creating additional domains
- Decide when to use domains or OUs
Tip: Start the design with one domain and prove that you need more.
Tip: Avoid deep nesting of domains, e.g. User1@fkr.munich.bavaria.germany.emea.compaq.com

One or more Forests? (Logical Structure)
- Autonomous organizations unable to agree on forest change control
  – Require distinct schema or configuration
  – Cannot agree on membership of Schema Administrators and Enterprise Administrators
- Do not want complete trust
- Inter-forest users must be aware of directory structures
  – Only see objects in your forest's GC
  – Explicit, one-way, non-transitive trust only
  – No Kerberos mutual authentication

Forest or Tree? (Logical Structure)
- Need for a discontiguous namespace
- Easiest upgrade path from a complicated NT4 domain structure
Figure: two trees, compaq.com and digital.com.

Domains or OUs? (Logical Structure)
Figure: one domain subdivided into OUs, or separate domains (Domain A, Domain B) each with their own OUs.

Reasons to choose Domains (Logical Structure)
- Control replication traffic
- Implement different security policies
- Administrative control
- Political reasons
- Need to have separate domain names
- Limit the number of objects in a domain

Reasons for Creating OUs (Logical Structure)
- Reflect your company's organization
- Delegate administrative control
- Replace Windows NT 4.0 resource domains
- Control Group Policy application

Defining an OU Hierarchy (Logical Structure)
- Geographical
- Object-based
- Business cost center
- Project-based cost center
- Department or business unit
- Administration

Geographical OU Model (Logical Structure)
Figure: compaq.com with the OUs Americas (USA), EMEA (UK & Ireland, France) and AsiaPac (Japan).

Object Based OU Model (Logical Structure)
Figure: compaq.com with the OUs Users and Computers, the latter split into Desktops and SQL Server.

Conclusion (Logical Structure)
- Features NOT supported:
  – Renaming the top level domain
  – Moving domains between forests
  – Forests cannot be merged or split
- Objects can be copied between forests
- Careful planning is required!

Physical Structure
- You design the physical structure by
  – Assigning roles to domain controllers
  – Defining sites
  – Creating site links and site link bridges

Domain Controllers (DCs) (Physical Structure)
- A DC is a Windows 2000 Server running AD
- DCs act as peers
- Maintains a writable copy of the domain database (multi-master replication model)
- Replication mechanism is 'loosely coupled'
- Initiates and performs replication operations with its peers

Schema (Physical Structure)
- Contains the definition of the objects stored in the Active Directory
- Defines classes and attributes
- Is stored in the Active Directory
- Is extensible and programmable
  – New classes can be created
  – New attributes can be added to existing objects

Global Catalog (Physical Structure)
- Each domain defines a separate LDAP directory
- No facility in LDAPv3 for referring queries between separate directories
- The GC is a replica of selected attributes of every object in the Active Directory
- Not every DC should be a GC
- Needed for login (universal groups)

Naming Contexts (NC) (Physical Structure)
- Directory object that forms a replication unit
- Replicated as distinct entities between domain controllers
  – Schema NC (replicated forest wide): holds objects that define the structure of the Directory Schema
  – Configuration NC (replicated forest wide): topology of forest elements
  – Domain NC (replicated only within the domain): holds objects that represent security principals and system objects

Flexible Single Master Operation (FSMO) Roles
- Multi-master replication with conflict resolution ('last writer wins') isn't always appropriate for critical operations
- A few tasks must remain on a single DC
- Role master: the DC that has a particular FSMO role assigned
- Roles must be transferred manually
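To make the reasoning on this slide concrete, the Python below is an added example (not the slides' material) that simulates the two cases. The version/time/DC stamp it uses is a simplification assumed for this example and not the exact replication metadata AD keeps. For an ordinary attribute, 'last writer wins' resolution of concurrent writes converges to the same value whatever order the replicas receive them; for RID allocation, two DCs choosing ranges independently would mint duplicate SIDs, which is why that task belongs to a single RID master.

```python
"""Why some operations cannot be multi-master: a simplified simulation of
'last writer wins' conflict resolution and of RID allocation (added example;
the stamp layout is an assumption of this example, not AD's exact format)."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Stamp:
    version: int   # per-attribute version counter
    time: int      # originating write time
    dc: str        # originating DC, final tie-breaker


@dataclass(frozen=True)
class Write:
    dc: str
    time: int
    value: str


def resolve(a: tuple[str, Stamp], b: tuple[str, Stamp]) -> tuple[str, Stamp]:
    """Deterministic winner of two values for the same attribute: higher version,
    then later originating time ('last writer wins'), then the DC name."""
    return max(a, b, key=lambda vs: (vs[1].version, vs[1].time, vs[1].dc))


def apply_writes(initial, writes, order):
    """One replica receives the concurrent originating writes in `order`.
    Each write was made against the same base version, so they collide."""
    base = initial[1].version
    state = initial
    for idx in order:
        w = writes[idx]
        state = resolve(state, (w.value, Stamp(base + 1, w.time, w.dc)))
    return state[0]


def converged_value(initial, writes) -> str:
    """Every delivery order must end in the same value; that is what makes the
    scheme acceptable for ordinary attributes such as a user's department."""
    results = {apply_writes(initial, writes, order)
               for order in permutations(range(len(writes)))}
    if len(results) != 1:
        raise RuntimeError(f"replicas diverged: {results}")
    return results.pop()


def rid_master_pools(next_free: int, dcs: list[str], size: int) -> dict[str, range]:
    """The single RID master hands each DC a disjoint block of RIDs."""
    pools = {}
    for dc in dcs:
        pools[dc] = range(next_free, next_free + size)
        next_free += size
    return pools


def duplicate_rids(issued: dict[str, range]) -> set[int]:
    """RIDs handed out by more than one DC; each would produce a duplicate SID."""
    seen: dict[int, str] = {}
    dupes = set()
    for dc, rids in issued.items():
        for rid in rids:
            if rid in seen and seen[rid] != dc:
                dupes.add(rid)
            seen.setdefault(rid, dc)
    return dupes


if __name__ == "__main__":
    initial = ("Sales", Stamp(1, 100, "DC1"))
    writes = [Write("DC1", 200, "Marketing"), Write("DC2", 205, "Support")]
    print(converged_value(initial, writes))   # Support: later originating time wins
    # Without a RID master, two DCs that both start at 1000 collide:
    print(sorted(duplicate_rids({"DC1": range(1000, 1003), "DC2": range(1000, 1003)})))
    print(duplicate_rids(rid_master_pools(1000, ["DC1", "DC2"], 500)))   # set()
```

Convergence is the property that lets attribute writes stay multi-master; RID allocation has no sensible "winner" when two DCs hand out the same number, so it is serialized through one role holder instead.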

Flexible Single Master Operation (FSMO) Roles
- Schema master (unique in the forest)
  – Controls write access to the schema
- Domain naming master (unique in the forest)
  – Can add or remove domains in the forest
- RID master (unique in each domain)
  – Assigns RIDs to DCs

Flexible Single Master Operation (FSMO) Roles (Physical Structure)
- Infrastructure master (unique in each domain)
  – Manages references of cross-domain objects
- PDC emulator (unique in each domain)
  – Downlevel password updates
  – Downlevel BDC replication
  – Domain master browser

FSMO Placement (Physical Structure)
- Schema master and domain naming master should be on the same DC (data integrity in the directory)
- PDC emulator should be the RID master (mixed mode only)
- Infrastructure master should not be on a GC

Sites (Physical Structure)
- A site is a collection of IP subnets with fast connectivity
- Sites reflect locality
- Sites may span domains
- Domains may span sites

Sites (Physical Structure)
Figure: two sites, each with its own domain controllers; a user logs on to a DC in the local site, and replication between the sites is controlled.

Site Roles (Physical Structure)
- Workstation logon: used to find a DC on the same site as the client
  – Place at least one DC of the domain at each site
  – Place at least one GC at each site
- AD replication: uses the site to determine how replication is done
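A worked illustration of the two site roles, added here as an example rather than taken from the slides: it maps a client's IP address to a site by longest-prefix subnet match, picks a DC of the client's domain in that site (falling back to another site when the local one has none), and audits the rule that every site should host a DC of the domain and a GC. The sites, subnets and DC names are constructed for the example; the real Windows DC locator also relies on DNS SRV records and site coverage, which this code does not model.

```python
"""Client IP -> AD site (longest-prefix subnet match), DC selection within the
site, and a placement audit (added example; topology constructed for it)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    subnets: list[ipaddress.IPv4Network | ipaddress.IPv6Network]
    dcs: dict[str, str] = field(default_factory=dict)   # DC name -> domain it serves
    gcs: set[str] = field(default_factory=set)           # DCs that are also global catalogs


def make_site(name, subnets, dcs=(), gcs=()):
    return Site(name, [ipaddress.ip_network(s) for s in subnets], dict(dcs), set(gcs))


# Constructed topology: Seattle and Chicago carry DCs; Lab is a /24 carved
# out of Seattle's /16 and has no DC of its own.
SITES = [
    make_site("Seattle", ["10.1.0.0/16"], {"DC1": "compaq.com", "DC2": "compaq.com"}, {"DC1"}),
    make_site("Chicago", ["10.2.0.0/16"], {"DC3": "compaq.com", "DC4": "sales.compaq.com"}, {"DC4"}),
    make_site("Lab", ["10.1.5.0/24"]),
]


def site_for_client(sites: list[Site], ip: str) -> Site | None:
    """The subnet with the longest prefix that contains ip decides the site."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for site in sites:
        for net in site.subnets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = site, net.prefixlen
    return best


def choose_dc(sites: list[Site], ip: str, domain: str) -> tuple[str, str, bool] | None:
    """Prefer a DC of `domain` in the client's own site (local=True); otherwise
    fall back to any DC of that domain elsewhere (local=False)."""
    home = site_for_client(sites, ip)
    candidates = []
    for site in sites:
        for dc, dom in site.dcs.items():
            if dom == domain:
                candidates.append((site.name, dc, site is home))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (not c[2], c[0], c[1]))   # local site first, then by name
    return candidates[0]


def audit_sites(sites: list[Site], domains: list[str]) -> list[str]:
    """Flag sites that break the placement rules on the slide: at least one DC of
    each domain and at least one GC in every site."""
    problems = []
    for site in sites:
        served = set(site.dcs.values())
        for dom in domains:
            if dom not in served:
                problems.append(f"{site.name}: no DC for {dom}")
        if not site.gcs:
            problems.append(f"{site.name}: no global catalog")
    return problems


if __name__ == "__main__":
    print(site_for_client(SITES, "10.1.5.7").name)           # Lab: the /24 beats Seattle's /16
    print(choose_dc(SITES, "10.1.9.7", "compaq.com"))         # ('Seattle', 'DC1', True)
    print(choose_dc(SITES, "10.1.5.7", "sales.compaq.com"))   # ('Chicago', 'DC4', False)
    for problem in audit_sites(SITES, ["compaq.com", "sales.compaq.com"]):
        print(problem)
```

The audit output for the constructed topology shows the cost of a site without DCs: clients in Lab authenticate across the WAN, and a site with no GC cannot resolve universal group membership locally at logon.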

Types of Replication (Physical Structure)
Figure: Site 1 and Site 2, each with several domain controllers; intra-site replication runs between the DCs within a site, inter-site replication between the two sites.

Site Replication (Physical Structure)
- Intra-site replication
  – Automatic topology generation; should not be modified
  – Always RPC based
  – Pull-only, based on update notification
  – Urgent replication: disabled or locked-out accounts, RID pool changes, password changes

Site Replication (Physical Structure)
- Inter-site replication
  – Semi-automatic topology generation
  – Scheduled (no update notification)
  – RPC or SMTP

Knowledge Consistency Checker (Physical Structure)
- Knowledge Consistency Checker (KCC)
  – A service running on every DC
  – Computes and generates the replication topology
  – Runs every 15 minutes, but can be started manually
  – Creates and destroys connection objects between DCs
- Connection object
  – Represents a uni-directional connection from a replication partner
  – Can be manually created by an administrator or generated by the KCC

Intra-site Replication Topology (Physical Structure)
Figure: within one site, the compaq.com domain NC topology links DC1, DC2, DC3 and DC4 by connection objects, the sales.compaq.com domain NC topology links its DC1 and DC2, and the configuration/schema NC topology is drawn separately.

Inter-site Replication: Site Link (Physical Structure)
- Represents a network link between sites
  – One area with similar network connections
  – One WAN link
- Does not connect DCs, connects sites
- May connect two or more sites
- Has an associated schedule that reflects availability of the link
- Has an associated cost
- Created by administrators, used by the KCC to determine the cost of replication between two sites

Site Links – Cost (Physical Structure)
Figure: the sites LA, Chicago, Atlanta, NY and Seattle (domain sales.compaq.com, DC1 to DC5) connected by site links A to E, each labelled with its cost in parentheses (1, 8, 1, 15, 30); the caption notes that it costs 10 to replicate from DC1 to DC4.

Bridgehead Servers (Physical Structure)
- A DC performing replication operations with DCs in another site
  – Usually the first DC in a site
  – Can be specified by administrators
- Transport used is either RPC or SMTP
- SMTP only for
  – Configuration NC/schema NC
  – Global Catalog replication

Site Links – Implementation
Figure: non-transitive site links A, B and C (plus a dial-up connection) between the LA, Chicago, Atlanta, NY and Seattle sites, and the connection objects they produce for the DCs of the domains sales.compaq.com (DC1 to DC5) and compaq.com (DC1 to DC3).

Site Link Bridge
Figure: the same sites and site links A, B and C, now joined by a site link bridge, and the connection objects that result for the DCs of sales.compaq.com and compaq.com.
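The three site-link slides above (cost, non-transitive implementation, site link bridge) describe how the KCC prices inter-site replication. The Python below is an added example, not the slides' own material: it reuses the figure's cost values (1, 8, 1, 15, 30) but its assignment of links to sites is constructed for the example. It shows that with non-transitive site links only sites sharing a link can replicate directly, that a site link bridge makes its member links transitive so a multi-hop path costs the sum of its links, and that the default 'bridge all site links' makes every link transitive.

```python
"""Replication cost between sites over site links, with non-transitive links,
an explicit site link bridge, or 'bridge all site links' (added example; the
topology below is constructed for it and is not the slide's exact figure)."""
from __future__ import annotations
import heapq
from itertools import combinations
from math import inf

# Site link name -> (cost, sites it joins). A link may join more than two sites.
SITE_LINKS: dict[str, tuple[int, set[str]]] = {
    "A": (1, {"Seattle", "LA"}),
    "B": (8, {"LA", "Chicago"}),
    "C": (1, {"Chicago", "NY"}),
    "D": (15, {"Chicago", "Atlanta"}),
    "E": (30, {"Seattle", "Chicago"}),
}


def adjacency(links):
    """Every pair of sites on a site link can replicate directly at that link's
    cost; keep the cheapest link per pair."""
    adj: dict[str, dict[str, tuple[int, str]]] = {}
    for name, (cost, sites) in links.items():
        for s in sites:
            adj.setdefault(s, {})
        for a, b in combinations(sorted(sites), 2):
            if cost < adj[a].get(b, (inf, ""))[0]:
                adj[a][b] = (cost, name)
                adj[b][a] = (cost, name)
    return adj


def _dijkstra(links, src, dst):
    """Cheapest multi-hop route across the given links; cost is the sum of link costs."""
    adj = adjacency(links)
    if src not in adj or dst not in adj:
        return None
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        if u == dst:
            break
        for v, (cost, name) in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, inf):
                dist[v], prev[v] = nd, (u, name)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path, cur = [], dst
    while cur != src:
        cur, name = prev[cur]
        path.append(name)
    return dist[dst], path[::-1]


def cheapest_path(links, src, dst, bridges=()):
    """Routes the KCC may use: a single site link shared by both sites (always),
    or a multi-link path whose links all belong to one site link bridge. With no
    bridges the links are non-transitive; bridge_all() makes every link transitive."""
    candidates = [(cost, [name]) for name, (cost, sites) in links.items()
                  if src in sites and dst in sites]
    for bridge in bridges:
        route = _dijkstra({n: links[n] for n in bridge if n in links}, src, dst)
        if route is not None:
            candidates.append(route)
    return min(candidates, key=lambda c: c[0]) if candidates else None


def bridge_all(links):
    """The default 'bridge all site links' setting: one bridge containing every link."""
    return [set(links)]


if __name__ == "__main__":
    print(cheapest_path(SITE_LINKS, "Seattle", "NY"))                          # None: no shared link
    print(cheapest_path(SITE_LINKS, "Seattle", "NY", bridge_all(SITE_LINKS)))  # (10, ['A', 'B', 'C'])
    print(cheapest_path(SITE_LINKS, "Seattle", "NY", [{"E", "C"}]))            # (31, ['E', 'C'])
```

In this topology Seattle reaches NY for 10 over A, B and C once the links are bridged, but not at all while they are non-transitive; since the urgent changes listed earlier (password changes, lockouts) still travel only along the paths the KCC can price, a defender checking how quickly such changes reach every site starts by checking which of these settings is in force.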


How to create a Topology (Physical Structure)
- Gather subnets into sites
  – LAN speed or higher
- Connect sites with site links
  – Assign link cost
  – Set replication schedule, polling interval
- Place domain controllers
  – At least one GC per site
  – At least one DC per site
  – At least one DNS server per site

How to create a Topology (Physical Structure)
- Site topology is easily restructured
  – Create, delete, modify sites, subnets
  – Server objects moved between sites manually
  – Replication sub-system automatically compensates

Questions?