[Diagram: users locating resources spread across the network: services, files, and documents (Professional Documents, Culture Documents)]
Before directory services, if you needed a file you needed to know the name of the file, the name of the server on which it was stored, and its folder path. This works well on a small network, but as the network grows it becomes challenging.
A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.
Also, earlier a typical user could have more than one user account and password, and as the network grew the number of usernames and passwords grew with it: one for the file server, one for the email server, and so on.
[Diagram: the domain CONTOSO.COM as a boundary of policies, a boundary of authentication, and a boundary of replication]
Asmatullah Khan, CL/CP, GIOE, Secunderabad.
Active Directory
Active Directory is Microsoft's answer to directory services, and it does a lot more than just locate resources.
Active Directory takes care of the multiple-password problem by using Kerberos authentication and Single Sign-On (SSO). SSO means that a user authenticates once with one set of credentials and is granted access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket; with that ticket the user gains access to the resources and services that support Kerberos, without being prompted for the password again.
Active Directory also makes user management easier, as it acts as a single repository for all user- and computer-related information.
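The ticket flow described above, as an added example that is not part of the original slides: a toy model of the Kerberos exchanges (AS, TGS, and the client presenting a ticket to a service). The principal names, the password and the services are constructed, and the sealing routine is a stand-in built from SHA-256 and HMAC rather than Kerberos' real encryption types; pre-authentication, the PAC and ticket renewal are left out. What it shows is the SSO property itself: the password is used once, each service validates tickets with only its own key and never contacts the KDC, and a ticket for one service is rejected by another.

```python
"""Toy model of the Kerberos SSO flow: one logon, many services.
Sealing (SHA-256 keystream + HMAC) stands in for Kerberos' real etypes;
pre-authentication, the PAC and renewal are omitted. Added example."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 600  # seconds; toy value, real tickets default to hours


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from SHA-256, only used to seal toy tickets.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key; returns nonce|ciphertext|tag."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC with key, then decrypt; raises ValueError for a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob was not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str) -> bytes:
    # Toy string-to-key; AD derives real keys with the etype's string2key function.
    return hashlib.sha256(password.encode()).digest()


class KDC:
    def __init__(self, keys: dict):
        self.keys = keys  # principal -> long-term key (krbtgt, users, services)

    def _ticket(self, sealed_for: str, client: str, service: str):
        session = os.urandom(32)
        body = {"client": client, "service": service, "key": session.hex(),
                "exp": time.time() + TICKET_LIFETIME}
        return seal(self.keys[sealed_for], body), session

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: TGT sealed under krbtgt's key, session key under the user's."""
        tgt, session = self._ticket("krbtgt", client, "krbtgt")
        return tgt, seal(self.keys[client], {"key": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: client proves it holds the TGT, gets a ticket for service."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        ticket, session = self._ticket(service, t["client"], service)
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session.hex()})


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.tgt, enc = kdc.as_exchange(name)
        # The password is used exactly once, here, to open the AS-REP.
        self.tgt_key = bytes.fromhex(unseal(long_term_key(password), enc)["key"])

    def ticket_for(self, service: str):
        """Return (service ticket, authenticator) to present to that service."""
        auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        svc_key = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        return ticket, seal(svc_key, {"client": self.name, "ts": time.time()})


class Service:
    """Validates tickets with its own key only; it never contacts the KDC."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)  # another service's ticket fails here
        if t["service"] != self.name or t["exp"] < time.time():
            raise ValueError("ticket not valid for this service")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return t["client"]


def sso_demo() -> list:
    """Constructed realm: alice logs on once and reaches two services."""
    keys = {"krbtgt": os.urandom(32), "alice": long_term_key("Summer2024!"),
            "cifs/files": os.urandom(32), "smtp/mail": os.urandom(32)}
    kdc = KDC(keys)
    files, mail = Service("cifs/files", keys["cifs/files"]), Service("smtp/mail", keys["smtp/mail"])
    alice = Client("alice", "Summer2024!", kdc)  # the single logon
    results = [files.accept(*alice.ticket_for("cifs/files")),
               mail.accept(*alice.ticket_for("smtp/mail"))]
    try:  # a ticket for one service is useless at another: sealed with the wrong key
        mail.accept(*alice.ticket_for("cifs/files"))
        results.append("cross-service ticket accepted")
    except ValueError:
        results.append("cross-service ticket rejected")
    return results
```

Running `sso_demo()` returns `["alice", "alice", "cross-service ticket rejected"]`: both services learn the client's identity from the ticket alone, and the misdirected ticket fails the integrity check because it was sealed under a different service's key.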
Advantages of LDAP
LDAP relies on the TCP/IP stack rather than the OSI stack on which X.500 DAP was built.
It integrates with IP, so IP clients can use LDAP to query directory services.
LDAP can perform hyper-searches, that is, referrals: one directory can defer to another to provide the requested data.
LDAP's API is C-based.
Like X.500, LDAP uses an inverted-tree hierarchical structure.
LDAP supports Kerberos authentication, the Simple Authentication and Security Layer (SASL), and Secure Sockets Layer (SSL). In practice this means TLS today, either LDAPS on port 636 or StartTLS on port 389; SSL itself is obsolete, and simple binds over plain LDAP send the password in the clear.
SASL is a framework for authentication and data security in Internet protocols.
Naming Conventions
AD contains information about objects in your enterprise. These objects can be computers, users, printers, etc.
AD is a container with nested containers holding other containers or objects.
We name these containers and objects so that they are easy to query or search.
Requirement of DNS
The DNS server must support:
Service resource (SRV) records
The dynamic update protocol specified by RFC 2136
AD relies on DNS as its primary locator service, although it is not the only mechanism for locating domain controllers (DCs).
A domain controller is a server that has Active Directory installed.
When a domain controller starts:
It registers both its DNS name and its NetBIOS name (more on NetBIOS names later).
It adds LDAP-specific SRV records in DNS so that LDAP clients can locate DCs through DNS queries.
It also adds Kerberos-specific SRV records so that clients can locate servers running the Kerberos Key Distribution Center (KDC) service.
Each DC also adds an A record for the domain name itself, so that clients that don't support SRV records can locate a DC through a simple host record lookup. You can disable this registration if required.
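The registration steps above, seen from the client side, as an added example that is not part of the original slides: the SRV names a DC locator queries for a domain (and for a specific AD site), a parser for zone-file style SRV lines, and target ordering by priority and weight as RFC 2782 specifies. The domain, site name and zone lines are constructed; the `_msdcs` record names are the ones Windows DCs register.

```python
"""DC locator helper: SRV names a client asks for and RFC 2782 target ordering.
Added example; the zone lines below are constructed, not captured."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred
    weight: int    # relative share among records of equal priority
    port: int
    target: str


def dc_locator_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """Names a client queries to find a DC (LDAP) or a KDC (Kerberos) for domain.
    Site-specific names are tried first when the client knows its AD site."""
    d = domain.lower().rstrip(".")
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{d}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{d}",
        "a_fallback": d,  # DCs also register an A record for the bare domain name
    }
    if site:
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
        names["kerberos_site"] = f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}"
    return names


def parse_srv(line: str) -> SrvRecord:
    """Parse a zone-file style line: <name> [ttl] [IN] SRV prio weight port target."""
    fields = line.split()
    if len(fields) < 5 or "SRV" not in fields:
        raise ValueError(f"not an SRV record: {line!r}")
    prio, weight, port, target = fields[-4:]
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())


def order_targets(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[str]:
    """Order host:port targets per RFC 2782: lowest priority first,
    weighted-random within one priority, so weights spread load across DCs."""
    rng = rng or random.Random()
    ordered: List[str] = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records are placed first so they are rarely, not never, chosen.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            x = rng.randint(0, total)
            running = 0
            for idx, r in enumerate(group):
                running += r.weight
                if running >= x:
                    group.pop(idx)
                    ordered.append(f"{r.target}:{r.port}")
                    break
    return ordered


# Constructed zone data: two equal-priority DCs and one fallback DC (priority 10).
SAMPLE_ZONE = [
    "_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.",
    "_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.",
    "_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 10 100 389 dc3.contoso.com.",
]


def locate_dcs(zone_lines: List[str] = SAMPLE_ZONE) -> List[str]:
    """Parse the records and return the targets in the order a client should try them."""
    return order_targets([parse_srv(line) for line in zone_lines])


if __name__ == "__main__":
    print(dc_locator_names("CONTOSO.COM", site="Default-First-Site-Name"))
    print(locate_dcs())
```

On a real network the same ordering is applied to the answer of `nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com`; dc3 is only tried after both priority-0 DCs fail, which is the usual pattern for a DC in a remote site.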
Schema Partition
This defines the object classes and attributes that can exist in the forest; there is one schema for the whole forest.
Configuration Partition
This contains the configuration of the forest, such as sites, site links and the replication topology.
Domain Partition
This partition stores the domain's objects: users, computers, groups, OUs.
Application Partition
This is an optional 4th type of partition that an administrator can create; it replicates only to the DCs chosen for it.
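The naming conventions and the partitions above, as an added example that is not part of the original slides: building distinguished names from a DNS domain name, the DNs of the three default naming contexts, an OU path, and the two escaping rules a practitioner needs when names or user input end up in a DN (RFC 4514) or in a search filter (RFC 4515). The domain and OU names are constructed. The naming-context function assumes it is given the forest root domain, since the Schema and Configuration partitions hang off the forest root.

```python
"""AD distinguished names, naming contexts, and RFC 4514/4515 escaping.
Added example; contoso.com and the OU names are constructed."""
from typing import Dict, List

# RFC 4514: characters that must be backslash-escaped anywhere in an RDN value.
_RDN_SPECIAL = set(',+"\\<>;')
# RFC 4515: characters with meaning inside a search filter, as \hh escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def domain_to_dn(dns_name: str) -> str:
    """contoso.com -> DC=contoso,DC=com"""
    labels = [label for label in dns_name.strip().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def naming_contexts(forest_root: str) -> Dict[str, str]:
    """DNs of the default partitions; Schema and Configuration live under the forest root."""
    root = domain_to_dn(forest_root)
    return {
        "domain": root,
        "configuration": f"CN=Configuration,{root}",
        "schema": f"CN=Schema,CN=Configuration,{root}",
    }


def escape_rdn_value(value: str) -> str:
    """RFC 4514: escape characters that would otherwise split or alter the DN,
    plus a leading '#' and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ou_dn(path: List[str], domain: str) -> str:
    """['Sales', 'London'] in contoso.com -> OU=London,OU=Sales,DC=contoso,DC=com
    (path is top-down; a DN lists the most specific RDN first)."""
    rdns = [f"OU={escape_rdn_value(ou)}" for ou in reversed(path)]
    return ",".join(rdns + [domain_to_dn(domain)])


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape so untrusted input can only ever match a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Search filter for one user; unescaped input here is classic LDAP injection."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


if __name__ == "__main__":
    print(naming_contexts("contoso.com"))
    print(ou_dn(["Sales", "London"], "contoso.com"))
    print(user_filter("*)(objectClass=*"))  # the wildcard and parens are neutralised
```

The last line is the point of the filter escaping: a value such as `*)(objectClass=*` pasted unescaped into `(sAMAccountName=...)` turns a single-user lookup into a match on every object, whereas the escaped form `\2a\29\28objectClass=\2a` can only match a literal account name.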
AD Domain Tree
A tree is a collection of one or more domains that share a contiguous DNS namespace, for example CONTOSO.COM with its child domains US.CONTOSO.COM and UK.CONTOSO.COM and the grandchild OHIO.US.CONTOSO.COM. Parent and child domains in a tree are joined by transitive trusts.
AD Forest
A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.
[Diagram: a forest of two trees, CONTOSO.COM (with US.CONTOSO.COM) and UK.FABRIKAM.COM, linked by transitive trusts and sharing the Schema, the Configuration and the Global Catalog]
Demo
Organizational Units
Organized for:
OU Admin: objects with the same administration requirements; delegation
OU Security: security configuration
OU Policy: Group Policy configuration
[Diagram: example OU structure in CONTOSO.COM, by department (Sales London, Marketing, New York) and by hardware devices (Desktops, Printers)]
Demo
Domain Controllers
[Diagram: Windows NT 4.0 had one PDC and one or more BDCs; in Active Directory every DC is a peer (DC, DC, DC)]
Sites
Sites are used to locate services, optimize replication, and define policies.
[Diagram: Site A and Site B connected by a WAN link; the domains CONTOSO.COM and US.CONTOSO.COM span both sites]
Global Catalog
Spans all domains in the forest
Contains a partial replica of every object: the most commonly searched attributes
Used for forest-wide searches
Exists on the domain controllers designated as global catalog servers
Demo
Agenda
Logical Concepts of Active Directory
Physical Concepts of Active Directory
DNS in 10 Minutes
Overview of Active Directory Replication
The role played by Operations Masters
DNS
The Domain Name System (DNS) locates network services and resources.
DNS Request Process
[Diagram: the client asks the DNS server for the requested service, passing its site information; the DNS server returns the SRV records and the IP addresses of the DCs, which the client caches]
DNS server features (Windows Server 2003 and Windows Server 2008 DNS):
Dynamic Update*
AD Integration
Secure Update
SRV Records*
(* = required by Active Directory, see Requirement of DNS above)
DNS Migration options:
Upgrade to BIND 9.x
Upgrade to Microsoft DNS
Delegate to Microsoft DNS
Demo
Replication Scope
Across the domain: Domain NC
Across the forest: Schema NC, Configuration NC
Intersite: compressed, sent on a schedule over site links
Intrasite: uncompressed, over a ring topology built by the KCC
Demo