Active Directory CSIT 320
What is Active Directory?
• Just as the combination of a database and a database management system collects and organizes information about an institution, company, etc., and manages access to that information, Active Directory collects, organizes and manages access to information about network “objects” – such as computers, servers, printers, users, groups, etc.
• For instance, one component is a Directory Service
• Often likened to a phone book, which one uses to look up numbers (from names) or services (yellow pages)
• Active Directory is often just called AD
• For example AD-DS is active
Standards
• Active Directory is based upon some of the following standards (though not fully compliant with all of them)
• DNS – AD needs DNS to work, and follows its organization and naming conventions
• X.500 – directory service protocol based on the OSI model (AD does not use the full X.500 standard)
• LDAP (Lightweight Directory Access Protocol) – part of the X.500 standard was the Directory Access Protocol; LDAP is a scaled-down, easier version of that
• Kerberos – network authentication protocol; adds the security to AD
Hierarchical Arrangement
• Whereas a database has a “relational” structure, the objects in AD have a hierarchical, tree-like structure.
• Thus there is a root.
• Every object other than the root has one and only one parent.
• However, it can get complicated in that there are various levels (domains, organizational units, groups) as well as distinctions between logical separations and physical separations.
Domain
• A domain is one of the main organizational units in Active Directory.
• It collects resources and manages access to them for a set of users.
• For instance, users being logged in to the same domain typically implies that those users will, for the most part, have access to the same resources and follow the same policies.
• In Active Directory diagrams, domains are represented by triangles.
Domain Controller
• An AD domain must have at least one AD domain controller.
• The domain controller manages the authentication of users, granting them access to the domain and the resources it contains.
• Best practice suggests that there are at least two domain controllers in a domain so that access to the domain can still be granted if one controller is down.
Tree
• A tree is a set of domains that obey a DNS-type hierarchical naming structure. They belong to the same “namespace”.
• A namespace provides a context in which a name has a well-defined meaning.
(Diagram labels: lasalle.edu, luna.lasalle.edu, student.lasalle.edu)
Forest
• As the name suggests, a forest is a collection of trees. Each tree has its own namespace, and the different trees in the forest have different namespaces. However, you may want them to be connected in some way – have some kind of trust relationship, some sharing of resources, or just want to administer them as a unit.
(Diagram labels: lasalle.edu, lasalle.museum, student.lasalle.edu)
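The tree and forest slides above can be turned into a small check that groups domain names into trees by shared DNS namespace and derives each domain's LDAP distinguished name. This is an added example, not code from the slides or from Microsoft: the DC= component mapping is the standard AD convention for domain naming, the domain list is constructed from the diagram labels, and the helper names are the example's own.

```python
# Added example: group AD domain DNS names into trees by contiguous namespace
# and derive the LDAP distinguished name of each domain. Not from the slides.
from typing import Dict, List, Optional

# Constructed sample forest, taken from the diagram labels on the slides.
SAMPLE_DOMAINS = ["lasalle.edu", "luna.lasalle.edu", "student.lasalle.edu", "lasalle.museum"]


def domain_dn(dns_name: str) -> str:
    """Standard AD mapping: student.lasalle.edu -> DC=student,DC=lasalle,DC=edu."""
    return ",".join(f"DC={label}" for label in dns_name.lower().split("."))


def parent_domain(dns_name: str, domains: List[str]) -> Optional[str]:
    """Return the closest known domain whose namespace contains dns_name, or None."""
    labels = dns_name.lower().split(".")
    known = {d.lower() for d in domains}
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def tree_root(dns_name: str, domains: List[str]) -> str:
    """Walk up the namespace until no known parent remains: that is the tree root."""
    current = dns_name.lower()
    while True:
        parent = parent_domain(current, domains)
        if parent is None:
            return current
        current = parent


def group_into_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Map each tree root to the sorted list of domains sharing its namespace."""
    trees: Dict[str, List[str]] = {}
    for d in domains:
        trees.setdefault(tree_root(d, domains), []).append(d.lower())
    for members in trees.values():
        members.sort()
    return trees


def forest_root(domains: List[str]) -> str:
    """The first domain created forms the root tree of the forest (assumed list order)."""
    return tree_root(domains[0], domains)


if __name__ == "__main__":
    for root, members in group_into_trees(SAMPLE_DOMAINS).items():
        print(f"tree {root}: {members}")
    print("forest root:", forest_root(SAMPLE_DOMAINS))
    print(domain_dn("student.lasalle.edu"))
```

Running it on the constructed list yields two trees: lasalle.edu with its two child domains, and lasalle.museum on its own, matching the forest diagram. A domain name that shares no suffix with any other domain always becomes its own tree root.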
The first tree is the root
• The trees in a forest still share a common root.
• The first tree in the forest serves as the root.
• It will have (at least initially) the global catalog – the collection of definitions, how the forest is organized, what the trust relationships are, names for all of the objects, etc.
Trust
• If two domains have a trust relationship, it means that users from one domain can access resources from another domain.
• That way an administrator does not have to give users accounts in both domains.
• The domain with the resource is said to be “trusting” and the domain with the user is said to be “trusted”. Trust can be, but doesn’t have to be, a two-way street.
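The trusting/trusted vocabulary is easy to get backwards, so here is an added example (not from the slides) that models direct trusts as directed edges and answers two questions an administrator cares about: can a user from domain A reach a resource in domain B, and which domains' users are exposed to a given domain's resources. Only the direct, optionally two-way trusts described on the slide are modelled; the sample trusts are constructed.

```python
# Added example: model AD trust direction. "trusting" is the domain holding the
# resource, "trusted" is the domain whose users it believes. Not from the slides.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Trust:
    trusting: str          # resource-side domain
    trusted: str           # user-side domain
    two_way: bool = False  # one-way by default, as the slide notes

    def allows(self, user_domain: str, resource_domain: str) -> bool:
        """True if this single trust lets users of user_domain reach resource_domain."""
        if self.trusting == resource_domain and self.trusted == user_domain:
            return True
        if self.two_way and self.trusting == user_domain and self.trusted == resource_domain:
            return True
        return False


# Constructed sample: student.lasalle.edu trusts lasalle.edu one way;
# lasalle.edu and lasalle.museum trust each other.
SAMPLE_TRUSTS = [
    Trust(trusting="student.lasalle.edu", trusted="lasalle.edu"),
    Trust(trusting="lasalle.edu", trusted="lasalle.museum", two_way=True),
]


def can_access(user_domain: str, resource_domain: str, trusts: Iterable[Trust]) -> bool:
    """Same-domain access is implicit; otherwise a direct trust must permit it."""
    if user_domain == resource_domain:
        return True
    return any(t.allows(user_domain, resource_domain) for t in trusts)


def exposed_to(resource_domain: str, trusts: Iterable[Trust]) -> List[str]:
    """Domains whose users can reach resource_domain through a direct trust."""
    found = set()
    for t in trusts:
        if t.trusting == resource_domain:
            found.add(t.trusted)
        elif t.two_way and t.trusted == resource_domain:
            found.add(t.trusting)
    return sorted(found)


if __name__ == "__main__":
    print(can_access("lasalle.edu", "student.lasalle.edu", SAMPLE_TRUSTS))  # one-way: yes
    print(can_access("student.lasalle.edu", "lasalle.edu", SAMPLE_TRUSTS))  # reverse: no
    print(exposed_to("student.lasalle.edu", SAMPLE_TRUSTS))
```

The one-way trust lets lasalle.edu users into student.lasalle.edu resources but not the reverse, which is exactly why one-way trusts are preferred when only one side needs access: `exposed_to` shows that the student domain's resources are reachable from just one other domain.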
Organizational Unit
• Before, we were moving up in the hierarchy from the original concept of a domain; an organizational unit, on the other hand, is lower in the hierarchy (farther from the root).
• It is a container within a domain – resources like printers and file shares organized into smaller containers.
• Example: within the student.lasalle.edu domain, science students may be given access to different shares and different printers from business students, etc.
Sites
• In a large company a logical container such as a domain might cover multiple physical locations.
• This can cause a problem because a lot of information is passed between domain controllers.
• So AD has the notion of a site to correspond to physical differences rather than logical differences.
• A site can have multiple domains.
• A domain may be spread over multiple sites.
Some AD Objects
• User
• Group
• Computer
• Printer
• Distribution Lists
• System Policies
What is the Schema?
• Just like a database, Active Directory has a schema.
• Definition of all AD objects.
• For example, it will define a User, what attributes a User must have, what attributes a User might have, relationships between Users and Groups, etc.
• ONE schema per forest.
• Extensible: while a default set of definitions gets one started with AD, one can extend or create new objects.
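To make the must-have / may-have distinction concrete, here is an added example (not from the slides, and not the real AD schema) of a toy schema validator. The class and attribute names used (user, group, sAMAccountName, objectSid, groupType, mail, member) are real AD names, but the must/may sets assigned to them here are constructed for illustration, as is the extension step that adds a new optional attribute.

```python
# Added example: a toy AD-style schema with mustContain / mayContain sets per
# object class, a validator, and schema extension. Not the real AD schema.
from typing import Dict, List, Set

# Constructed schema fragment; attribute names are real AD names, the
# must/may assignment is illustrative only.
SCHEMA: Dict[str, Dict[str, Set[str]]] = {
    "user": {
        "mustContain": {"sAMAccountName", "objectSid"},
        "mayContain": {"mail", "department", "memberOf"},
    },
    "group": {
        "mustContain": {"sAMAccountName", "groupType"},
        "mayContain": {"member", "description"},
    },
}


def validate(object_class: str, attributes: Dict[str, str]) -> List[str]:
    """Return a sorted list of problems; an empty list means the object is valid."""
    if object_class not in SCHEMA:
        return [f"unknown object class {object_class}"]
    defn = SCHEMA[object_class]
    allowed = defn["mustContain"] | defn["mayContain"]
    problems = [f"missing required attribute {a}" for a in defn["mustContain"] if a not in attributes]
    problems += [f"attribute {a} not defined for class {object_class}" for a in attributes if a not in allowed]
    return sorted(problems)


def extend_schema(object_class: str, attribute: str, required: bool = False) -> None:
    """Forest-wide schema extension: add an attribute to an existing class."""
    key = "mustContain" if required else "mayContain"
    SCHEMA[object_class][key].add(attribute)


if __name__ == "__main__":
    # Constructed object; the SID value is a placeholder, not a real SID.
    jdoe = {"sAMAccountName": "jdoe", "objectSid": "S-1-5-21-0-0-0-1001", "favoriteColor": "blue"}
    print(validate("user", jdoe))          # favoriteColor is not in the schema
    extend_schema("user", "favoriteColor")
    print(validate("user", jdoe))          # [] after extending the schema
```

Because the schema is forest-wide, an extension like the one above affects every domain in the forest, which is why schema changes are normally reviewed and tested before they reach production.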
What is a Global Catalog?
• A distributed data repository containing a searchable, partial representation of every object in every domain in a forest.
• Answers AD search queries.
• Must be present to successfully log on.
• Holds a copy of all objects of the whole forest…
• …but holds only a subset of the attributes.
Which Role can a Server have?
• Member Server – a server on a domain offering a non-Active Directory service.
• Domain Controller – as the name suggests, it manages access to the resources within a domain.
• Global Catalog – while a domain controller stores the objects for the domain it “controls”, a global catalog server stores the objects from all domains in the forest.
• A global catalog server is a domain controller, but a domain controller may not be a global catalog server.
Multi-Master Replication
• Updates can be applied to ANY domain controller.
• Will be replicated to each other domain controller (inside that domain) within 15 minutes.
• Optimized algorithm reduces replication traffic.
• Not time based (triggered on demand only)!
Active Directory Security
• Improved authentication.
• Permissions applied via ACLs:
• To objects as a whole.
• To specific attributes.
• Fine-tuning of access permissions possible.
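The point that ACLs apply both to whole objects and to individual attributes is worth seeing in code. The following added example (not from the slides, and a simplification of the real AD security-descriptor model) evaluates a constructed ACL on a user object with the rule that deny entries are checked before allow entries and that an entry on the whole object covers every attribute. Group names and attribute names are illustrative; `employeeID` and `telephoneNumber` are real attribute names chosen only as examples.

```python
# Added example: simplified evaluation of object-level and attribute-level ACEs
# on an AD object. Deny before allow; whole-object ACEs cover all attributes.
# Not the real AD security-descriptor algorithm (no inheritance ordering here).
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    principal: str              # group or user the entry applies to
    allow: bool                 # True = allow ACE, False = deny ACE
    access: str                 # "read" or "write"
    attribute: Optional[str] = None  # None = the object as a whole


# Constructed ACL for one user object.
SAMPLE_ACL = [
    Ace("Domain Users", allow=True, access="read"),                        # whole object
    Ace("Domain Users", allow=False, access="read", attribute="employeeID"),  # carve-out
    Ace("HR", allow=True, access="read", attribute="employeeID"),
    Ace("HelpDesk", allow=True, access="write", attribute="telephoneNumber"),
]


def effective_access(groups: Set[str], attribute: str, access: str, acl: Iterable[Ace]) -> bool:
    """Is `access` on `attribute` granted to a principal holding `groups`?"""
    def applies(ace: Ace) -> bool:
        return (
            ace.principal in groups
            and ace.access == access
            and (ace.attribute is None or ace.attribute == attribute)
        )

    acl = list(acl)
    if any(applies(a) for a in acl if not a.allow):
        return False                      # an applicable deny wins outright
    return any(applies(a) for a in acl if a.allow)


def attributes_writable_by(groups: Set[str], attributes: Iterable[str], acl: Iterable[Ace]) -> List[str]:
    """Audit helper: which of `attributes` can this principal modify?"""
    acl = list(acl)
    return sorted(a for a in attributes if effective_access(groups, a, "write", acl))


if __name__ == "__main__":
    helpdesk = {"Domain Users", "HelpDesk"}
    hr = {"Domain Users", "HR"}
    attrs = ["mail", "telephoneNumber", "employeeID"]
    print(attributes_writable_by(helpdesk, attrs, SAMPLE_ACL))          # ['telephoneNumber']
    print(effective_access(hr, "employeeID", "read", SAMPLE_ACL))       # False: deny wins
```

The HR case is the instructive one: because HR members are also Domain Users, the deny on `employeeID` applies to them and overrides their explicit allow. Scoping a whole-object read to a broad group and then carving attributes out with deny entries therefore blocks everyone in that group; the cleaner design is to grant only the attributes each group needs.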
References
• Windows Server 2008 R2 Unleashed, Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry and Chris Amaris, SAMS.
• Active Directory for Dummies, Steve Clines and Marcia Loughry, Wiley.
• http://www.tech-faq.com/active-directory-terminology-and-concepts.html