
Essential Services

Essential Services. Lesson 5. Objectives. Naming Resolution. In today’s networks, you assign logical addresses, such as with IP addressing. Unfortunately, these addresses tend to be hard to remember, especially in the case of newer, more complicated IPv6 addresses.

leland

Presentation Transcript


  1. Essential Services Lesson 5

  2. Objectives

  3. Naming Resolution
     • In today’s networks, you assign logical addresses, such as IP addresses.
     • Unfortunately, these addresses tend to be hard to remember, especially in the case of the newer, longer IPv6 addresses.
     • Therefore, you need some form of naming service that translates logical names, which are easier to remember, into logical addresses.
     • The most common naming service is the Domain Name System, or DNS.

  4. HOST File

  5. Domain Name System
     • DNS is short for Domain Name System.
     • DNS is a hierarchical, client/server-based, distributed database management system that translates domain and host names to IP addresses.
     • The top of the tree is known as the root domain.
     • Below the root domain, you will find top-level domains, such as .com, .edu, .org, and .net, as well as two-letter country codes, such as .uk, .ca, and .us.

  6. Resource Records in a Forward Lookup Zone

  7. DNS Zone Types
     • When you define DNS zones, you create each zone as either a forward lookup zone or a reverse lookup zone.
     • The forward lookup zone (such as technet.microsoft.com or microsoft.com) holds the majority of the resource records, including A and CNAME records, whereas the reverse lookup zone holds PTR records.
     • The reverse lookup zone maps IP addresses back to names and is named using the reverse lookup format.
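As an added example (not from the slides), this Python code builds the reverse lookup format the slide refers to: the owner name of a PTR record and the name of the reverse zone that holds it. The in-addr.arpa and ip6.arpa suffixes are standard DNS and are not stated on the slide.

```python
import ipaddress

# PTR records live under in-addr.arpa (IPv4) and ip6.arpa (IPv6); the owner
# name is the address written backwards, one label per octet or per nibble.
# These suffixes are standard DNS, not taken from the slide.

def ptr_owner_name(address: str) -> str:
    """Fully qualified owner name of the PTR record for one address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits, one per nibble
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone_name(network: str) -> str:
    """Name of the reverse lookup zone for a network.  IPv4 zones must sit on an
    octet boundary (/8, /16, /24) and IPv6 zones on a 4-bit nibble boundary."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs a /8, /16 or /24 boundary")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_name_in_zone(address: str, network: str) -> str:
    """Owner name of the PTR record relative to its reverse zone, i.e. what you
    would type into the zone file; raises if the address is outside the zone."""
    if ipaddress.ip_address(address) not in ipaddress.ip_network(network):
        raise ValueError(f"{address} is not in {network}")
    full, zone = ptr_owner_name(address), reverse_zone_name(network)
    return full[: -len(zone) - 1]       # strip the ".<zone>" suffix

if __name__ == "__main__":
    # constructed sample addresses from documentation ranges
    print(ptr_owner_name("192.168.1.10"))
    print(reverse_zone_name("192.168.1.0/24"), ptr_name_in_zone("192.168.1.10", "192.168.1.0/24"))
    print(reverse_zone_name("2001:db8::/32"), ptr_name_in_zone("2001:db8::1", "2001:db8::/32"))
```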

  8. DNS Round Robin
     • DNS servers use a mechanism called round-robin to share and distribute load for a network resource.
     • Round-robin rotates the order of resource records that have the same name but point to different IP addresses.

  9. DNS Queries and Transfers
     • DNS queries and zone transfers between primary and secondary zones occur over TCP/UDP port 53.
     • So, if you have any firewall between the servers (including firewalls running on the servers themselves), you will need to open port 53.

  10. Windows Internet Name Service (WINS)
     • Windows Internet Name Service (WINS) is a legacy naming service that translates NetBIOS computer names into IP addresses so that a network resource can be specified by name.
     • A WINS server contains a database of IP addresses and NetBIOS names that is updated dynamically. Unfortunately, WINS is not a hierarchical system like DNS, so it is only good for use within your organization; it also functions only for Windows operating systems.
     • Typically, other network devices and services cannot register with a WINS server.
     • Therefore, you have to add static entries for these devices if you want name resolution for them using WINS.

  11. DHCP
     • Dynamic Host Configuration Protocol (DHCP) services automatically assign IP addresses and related parameters (including the subnet mask, the default gateway, and the length of the lease) so that a host can immediately communicate on an IP network when it starts.
     • A DHCP server maintains a list of IP addresses called a pool.
     • When a DHCP client starts and needs an IP address assigned to it, it broadcasts to a DHCP server asking for a leased address.
     • The client sends messages to UDP port 67, and the server sends messages to UDP port 68.
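An added example, not from the slides: a minimal builder and parser for the DHCP message a client broadcasts to UDP port 67 when it asks for a lease. The field layout follows RFC 2131; the MAC address and transaction ID are constructed sample values.

```python
import struct

# Fixed BOOTP/DHCP header (RFC 2131): 236 bytes, then the magic cookie and a
# TLV option list.  Clients send to UDP 67, servers reply to UDP 68.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER: op=1 (BOOTREQUEST), broadcast flag set, no addresses yet."""
    zero4 = b"\x00" * 4
    header = HEADER.pack(1, 1, len(mac), 0, xid, 0, 0x8000, zero4, zero4, zero4,
                         zero4, mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (bytes([53, 1, 1])                              # 53: message type = DISCOVER
               + bytes([61, 1 + len(mac), 1]) + mac           # 61: client identifier (htype + MAC)
               + bytes([55, 4, 1, 3, 6, 15])                  # 55: parameter request list
               + b"\xff")                                     # 255: end of options
    return header + MAGIC_COOKIE + options

def parse_dhcp(packet: bytes) -> dict:
    """Decode header and options; raise ValueError on short or malformed input."""
    cookie_end = HEADER.size + 4
    if len(packet) < cookie_end or packet[HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags, _ci, yiaddr, _si, _gi, chaddr, _, _ = \
        HEADER.unpack_from(packet)
    options, pos = {}, cookie_end
    while pos < len(packet):
        code = packet[pos]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option carries no length byte
            pos += 1
            continue
        if pos + 1 >= len(packet) or pos + 2 + packet[pos + 1] > len(packet):
            raise ValueError(f"truncated option {code}")
        length = packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
            "xid": xid,
            "broadcast": bool(flags & 0x8000),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
            "yiaddr": ".".join(str(b) for b in yiaddr),   # "your" address, filled in by the server
            "message_type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
            "options": options}

if __name__ == "__main__":
    # constructed sample: MAC 00:05:3c:04:8d:59, transaction id 0x3903f326
    print(parse_dhcp(build_discover(bytes.fromhex("00053c048d59"), 0x3903F326)))
```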

  12. DHCP

  13. Directory Services
     • A directory service stores, organizes, and provides access to information in a directory.
     • Directory services are used for locating, managing, administering, and organizing common items and network resources, such as volumes, folders, files, printers, users, groups, devices, telephone numbers, and other objects.
     • One popular directory service used by many organizations is Microsoft’s Active Directory.

  14. Active Directory
     • Active Directory is a technology created by Microsoft that provides a variety of network services, including the following:
       • LDAP
       • Kerberos-based and single sign-on authentication
       • DNS-based naming and other network information
       • A central location for network administration and delegation of authority
     • Active Directory requires DNS.

  15. Active Directory Logical Structure
     • Active Directory domains, trees, and forests are logical representations of your network organization; they let you organize your network in the way that is easiest to manage.
       • Domain
       • Tree
       • Forest
     • To allow users in one domain to access resources in another domain, Active Directory uses trust relationships.

  16. Physical Structure
     • Although domains, trees, and forests are logical representations of your organization, sites and domain controllers represent the physical structure of your network.
     • Sites: A site is one or more IP subnets that are connected by a high-speed link, typically defined by a geographical location.
     • Domain Controllers: A domain controller is a Windows server that stores a replica of the account and security information for the domain and defines the domain boundaries.

  17. Active Directory Management Tools
     • After you have promoted a computer to a domain controller, you can use several MMC snap-in consoles to manage Active Directory.
     • These consoles are as follows:
       • Active Directory Users and Computers
       • Active Directory Domains and Trusts
       • Active Directory Sites and Services
       • Active Directory Administrative Center
       • Group Policy Management Console (GPMC)

  18. Member Server
     • A server that is not running as a domain controller is known as a member server.
     • To demote a domain controller to a member server, you would rerun the dcpromo program.

  19. FSMO Roles
     • Active Directory uses multimaster replication, which means that there is no master domain controller (commonly referred to as a primary domain controller in Windows NT domains).
     • However, because certain functions can be handled by only one domain controller at a time, Active Directory uses Flexible Single Master Operations (FSMO) roles, also known as operations master roles.

  20. FSMO Roles

  21. FSMO Roles

  22. Global Catalogs
     • Because a domain controller holds information only for its own domain and does not store a copy of the objects in other domains, you still need a way to find and access objects in the other domains of your tree and forest.
     • A global catalog replicates information about every object in a tree and forest.
     • By default, a global catalog is created automatically on the first domain controller in the forest, but any domain controller can be made into a global catalog.

  23. Functional Levels
     • In Active Directory, you can have domain controllers running different versions of Windows Server, such as Windows 2000, Windows Server 2003, or Windows Server 2008.
     • The functional level of a domain or forest depends on which Windows Server operating system versions are running on the domain controllers in that domain or forest.
     • The functional level also controls which advanced features are available in the domain or forest.

  24. Organizational Units

  25. Delegation of Control • By delegating administration, you can assign a range of administrative tasks to the appropriate users and groups.

  26. Active Directory Objects
     • An object is a distinct, named set of attributes or characteristics that represents a network resource.
     • Common objects used within Active Directory are computers, users, groups, and printers.
     • Attributes have values that define the specific object.
     • Active Directory objects are assigned a 128-bit unique number called a globally unique identifier (GUID), sometimes referred to as a security identifier (SID), to uniquely identify an object.

  27. User Accounts
     • A user account enables a user to log on to a computer and domain.
     • As a result, it can be used to prove the identity of a user, and this identity information can then be used to determine what the user can access and what kind of authorization he or she has.
     • It can also be used for auditing.
     • On today’s Windows networks, there are two types of user accounts: local user accounts and domain user accounts.

  28. User Accounts

  29. User Profile Tab

  30. Computer Accounts
     • Like user accounts, Windows computer accounts provide a means of authenticating and auditing a computer’s access to a Windows network and to domain resources.
     • Each Windows computer to which you want to grant access must have a unique computer account.
     • A computer account can also be used for auditing purposes, specifying which system was used when something was accessed.

  31. Groups
     • A group is a collection or list of user accounts or computer accounts.
     • Unlike a container, a group does not store user or computer information; rather, it just lists it.
     • The advantage of using groups is that they simplify administration, especially when assigning rights and permissions.
     • In Windows Active Directory, there are two types of groups: security groups and distribution groups.

  32. Group Types and Scopes

  33. Using Groups
     • To effectively manage the use of groups when assigning access to a network resource using global groups and domain local groups, remember the mnemonic AGDLP:
       • Accounts
       • Global
       • Domain Local
       • Permissions
     • If you are using universal groups, the mnemonic is expanded to AGUDLP: Accounts, Global, Universal, Domain Local, Permissions.

  34. Built-In Groups
     • Similar to the administrator and guest accounts, Windows has default groups called built-in groups.
     • These default groups are granted specific rights and permissions to get you started. Various built-in groups are as follows:
       • Domain Admins
       • Domain Users
       • Account Operators
       • Backup Operators
       • Authenticated Users
       • Everyone

  35. Group Policies
     • Group Policy is one of the most powerful features of Active Directory; it controls the working environment for user accounts and computer accounts.
     • Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment.

  36. Group Policies

  37. Apply Group Policies
     • Group Policy can be set locally on a workstation or set at different levels (site, domain, or organizational unit) within Active Directory.
     • Generally speaking, you will not find as many settings locally as you will at the site, domain, or OU level.
     • When group policies are applied, they are applied in the following order:
       • Local
       • Site
       • Domain
       • OU

  38. Group Policy Management Console

  39. User Rights

  40. Permissions
     • A permission defines the type of access that is granted to an object (an object can be identified with a security identifier) or to an object attribute.
     • The most common objects assigned permissions are NTFS files and folders, printers, and Active Directory objects.
     • Which users can access an object, and what actions those users are authorized to perform, are recorded in the access control list (ACL), which lists all users and groups that have access to the object.
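An added Python example (not part of the original slides) that ties slide 33's AGDLP mnemonic to slide 40's ACL: accounts sit in global groups, global groups nest in domain local groups, and only domain local groups receive permissions. The directory contents, share and ACL are constructed; the rule that an explicit deny ACE overrides an allow is standard Windows behaviour that the slides do not mention.

```python
# Constructed directory (not from the slides).  Global groups hold accounts,
# domain local groups hold global groups.  "dave" is deliberately placed straight
# into a domain local group so that the A-G-DL-P check has something to report.
GROUP_MEMBERS = {
    "G-Finance":          {"alice", "bob"},
    "G-Auditors":         {"bob", "carol"},
    "DL-Payroll-Modify":  {"G-Finance", "dave"},
    "DL-Payroll-Read":    {"G-Finance", "G-Auditors"},
    "DL-Payroll-NoWrite": {"G-Auditors"},
}
SCOPE = {g: ("DL" if g.startswith("DL-") else "G") for g in GROUP_MEMBERS}

# Constructed ACL for a payroll share; each ACE is (type, principal, rights).
PAYROLL_ACL = [
    ("allow", "DL-Payroll-Read",    {"read"}),
    ("allow", "DL-Payroll-Modify",  {"read", "write"}),
    ("deny",  "DL-Payroll-NoWrite", {"write"}),
]

def effective_groups(principal, members=GROUP_MEMBERS):
    """Transitive closure of membership: direct groups plus every group they nest in."""
    found, frontier = set(), {principal}
    while frontier:
        frontier = {g for g, m in members.items() if m & frontier} - found
        found |= frontier
    return found

def effective_rights(user, acl=PAYROLL_ACL, members=GROUP_MEMBERS):
    """Rights the ACL grants the user via its groups.  A matching explicit deny
    ACE removes those rights even if another ACE allows them."""
    principals = {user} | effective_groups(user, members)
    allowed, denied = set(), set()
    for ace_type, principal, rights in acl:
        if principal in principals:
            (allowed if ace_type == "allow" else denied).update(rights)
    return allowed - denied

def agdlp_violations(acl=PAYROLL_ACL, members=GROUP_MEMBERS, scope=SCOPE):
    """Report departures from A-G-DL-P: an account nested directly in a domain
    local group, or anything but a domain local group placed on the ACL."""
    problems = []
    for group, member_set in members.items():
        for m in sorted(member_set):
            if scope[group] == "DL" and m not in scope:     # not a group, so an account
                problems.append(f"account {m} is a direct member of {group}")
    for _, principal, _ in acl:
        if scope.get(principal) != "DL":
            problems.append(f"ACE principal {principal} is not a domain local group")
    return problems

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, sorted(effective_rights(user)))
    print(agdlp_violations())
```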

  41. Summary
     • Besides becoming the standard for the Internet, DNS, short for Domain Name System, is a hierarchical, client/server-based, distributed database management system that translates domain and host names to IP addresses.
     • A fully qualified domain name (FQDN) describes the exact position of a host within the DNS hierarchy.
     • The legacy naming service is Windows Internet Name Service, or WINS, which translates NetBIOS computer names into IP addresses so that a network resource can be specified by name.

  42. Summary
     • When you share a directory, drive, or printer on a PC running Microsoft Windows or on a Linux machine running Samba, you can access the resource by using the Universal Naming Convention (UNC), also known as the Uniform Naming Convention, to specify the location of the resource.
     • Dynamic Host Configuration Protocol (DHCP) services automatically assign IP addresses and related parameters (including the subnet mask, the default gateway, and the length of the lease) so that a host can immediately communicate on an IP network when it starts.

  43. Summary
     • The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying data held by directory services running over TCP/IP.
     • Active Directory domains, trees, and forests are logical representations of the network organization; they let you organize the network in the way that is easiest to manage.

  44. Summary
     • Sites and domain controllers represent the physical structure of a network.
     • A site is one or more IP subnets that are connected by a high-speed link, typically defined by a geographical location.
     • A domain controller is a Windows server that stores a replica of the account and security information for the domain and defines the domain boundaries.
     • A server that is not running as a domain controller is known as a member server.

  45. Summary
     • Because certain functions can be handled by only one domain controller at a time, Active Directory uses Flexible Single Master Operations (FSMO) roles.
     • A global catalog holds a replica of the information about every object in a tree and forest.
     • The functional level of a domain or forest controls which advanced features are available in the domain or forest.

  46. Summary
     • A right authorizes a user to perform certain actions on a computer.
     • A permission defines the type of access that is granted to an object (an object can be identified with a security identifier) or to an object attribute.
