260 likes | 633 Views
Active Directory and DNS. Lecture 2 Hassan Shuja 09/14/2004. Active Directory (AD). Active Directory Definitions/Features Active Directory has two parts A database with information about users and resources
E N D
Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004
Active Directory (AD) • Active Directory Definitions/Features • Active Directory has two parts • A database with information about users and resources • A service that manages the database and enables users of computers on the network to access the database • Active Directory Features/Advantages • Security - Logon process and controlling access to objects • Administration – Hierarchical structure • Search capabilities – Search AD for an object • Scalable – Allows multiple domains, fits for any size network • Flexibility – Grows with your company, allows for additions
Active Directory • Structure • Objects and Classes • An object is the smallest component that you can have in AD • A class is a template of all attributes of an object when it is created • Schema • Schema governs the structure of the directory • Allows administrators to modify and add new object classes, objects and attributes as needed, making the schema extensible • Active Directory Schema is the name of the snap-in in MMC and can only be changed by Schema Admins • Global Catalog • A master searchable index that contains information about every object in a forest • Created by default on first DC in a domain • Contains a full copy of all objects in its own domain and a partial replica of all objects in all other domains in the forest • Serves as a central point for user authentication
Active Directory • AD Organization • Smallest component in AD is an object • Objects have attributes and are defined by classes • Objects have permissions ACL that contains information about who has access to it and what they can do with it • Controlling access to object is different than having access to the objects resources • Organizational Units (Container objects) • Substructure of domains and are arranged hierarchically • Used to organize related objects in AD, can also contain other OUs • Helps simplify administration
Active Directory • Object IDs • Globally Unique Identifier (GUID) – A 32 hex number assigned to an object at the time of creation and object is stored with it. This ensures uniqueness and avoids duplication • Security ID (SID) – A unique security ID created by the Security subsystem that is assigned to user, groups, and computers to grant or deny an object access to other objects
Domain Controller (DC) • DC Setup • All Domain Controllers are equal • A change on one DC will be replicated to all other DCs • Five Scenarios where a DC can have an additional role • Relative ID Master • Schema Master • Infrastructure Master • Domain Naming Master • PDC Emulator
Domains • AD Organization • Tree • Grouping of one or more domains that must have a single root domain • Parent child & child relationships • Defined by a common and contiguous name space • A hierarchy of domains sharing a common schema, security trust relationship, and a Global Catalog
Domains • AD Organization • Forest • A group of one or more Domain Trees linked together by a trust • Two different root domains • All Trees share a common schema and global catalog • Do not have contiguous DNS domain names
Trusts • NT Domains • Each domain had its own accounts • Need accounts in every domain that you need resources or need administrator to setup a trust between domains • Trust were setup explicitly as one-way or two-way trusts • These trusts are intransitive
Trusts • Trusts • A logical connection that allows users from one domain to access resources in another domain • Can be one way or two ways • Trusting domain and Trusted domain
Trusts • Intransitive Trusts • Domain C trusts Domain B and Domain B trusts Domain A • (B has access to resources in C and A has access to resources in B) • Domain C does not trust Domain A • Intransitive trusts are possible in Windows NT
Trusts • Transitive Trusts • A trust between two domains in the same Tree/Forest that can extend beyond two domains to other trusted domains within the same Tree/Forest • Always a 2 way trust • By default all Windows 2000 trusts within Tree/Forest are transitive • Domain A and C trust each other
Trusts • Explicit Trusts • A trust that is setup by an administrator • Connect domains directly to shorten the path between them • It can be either transitive or intransitive • Used to manage trusts between Windows 2000 and NT domains
Domain Name System (DNS) • DNS • DNS Structure • Based on a hierarchical naming structure (inverted tree) • A single root domain, underneath there are second-level domains • Every computer in a DNS domain is uniquely identified by a Fully Qualified Domain Name (FQDN) • Dynamic DNS is supported in W2K
Domain Name System • Zone Files and DNS Servers • Forward Lookup Zone • This contains host name to IP address resolution • Reverse Lookup Zone • This contains IP address to host name resolution • DNS Servers • Primary – Maintains the master copy of the zone files • Secondary – Keeps a back-up copy of the zone files • AD-integrated – DNS entries kept in AD data store instead of zone files • Scavenge Files • Finds and deletes records in a zone if they have been stale for a certain amount of time
Active Directory & Domain Name System • AD & DNS • Active Directory and DNS use the same hierarchical structure • Typically use the same FQDN • DNS records can be stored in Active Directory • Clients use DNS to locate Domain Controllers on the network
Domain Name System • Name Space • Active Directory is based on the concept of namespace, that is a name is used to resolve the location of an object • Active Directory names correspond to DNS domain names • Each name gives the location of the object in Active Directory
Domain Name System • Name Convention • Relative Distinguished Name (RDN) – A name that is assigned to the object by the administrator when it is created, a unique name • Example – hshuja1 • Distinguished Name (DN) – Defines the RDN and also location within Active Directory, such as OU that user belongs to • Example – hshuja1@research.umbc.edu • User Principal Name (UPN) – A more “easier” naming convention. Combines RDN with domain name, no OU is referenced • Example – hshuja1@umbc.edu