1 ITT Technical Institute IT222 Microsoft Network Operating Systems II Unit 1: Chapters 1 & 2
2 Chapter 1 OVERVIEW OF ACTIVE DIRECTORY Chapter 1: Overview of Active Directory, pp. 1 23 Chapter 2, Implementing Active Directory, pp. 27 55
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 3 ACTIVE DIRECTORY FUNCTIONS Directory Services A tool used to define, manage, access, and secure network resources. Resources include: files, printers, groups, people, and applications. Active Directory Stored as NTDS.dit on a domain controller. Used by domain controllers to authenticate users. Domain controllers store, maintain, and replicate.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 4 ACTIVE DIRECTORY BENEFITS Centralized administration Single point of access Fault tolerance and redundancy Multiple domain controllers are used Multi-master replication Simplified resource location
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 5 CENTRALIZED ADMINISTRATION Hierarchical organization for ease of administration Common Microsoft Management Console (MMC) tool set Active Directory Users And Computers (DSA.MSC) Active Directory Domains And Trusts (DOMAIN.MSC) Active Directory Sites And Services (DSSITE.MSC)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 6 SINGLE POINT OF AUTHENTICATION Before directory services Server1 Server2 Server3 After directory services Single sign-on Active Directory
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 7 MULTI-MASTER REPLICATION Active Directory Domain Replication Process DC3 DC1 DC2 1. A change occurs on DC2. 2. DC2 notifies DC1 and DC3 that there is a change to Active Directory. 3. At the next replication interval, DC1 and DC3 request the new database information. 4. DC2 replicates the changes to DC1 and DC3. 5. DC1 and DC3 update their Active Directory database.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 8 SIMPLIFIED RESOURCE LOCATION Search features available on Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Search Active Directory to find: Shared folders Printers People (user accounts)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 9 ACTIVE DIRECTORY SCHEMA AD Objects are defined by attributes each object has their own set of attributes called a schema protected by ACLs. Object classes User accounts Computer accounts Printers Groups Object Attributes Name (unique) Globally unique identifier (GUID) Location (for printer) E-mail address (for users)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 10 ACTIVE DIRECTORY COMPONENTS IP Site Forest Root Domain cohowinery.com Container Objects Leaf Objects Types: OUs Domains Domain trees Forests Sites IP Site Child Domain north.cohowinery.com
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 11 ORGANIZATIONAL UNITS Container objects Look like a folder with a book icon in Active Directory Users And Computers Security is applied to OUs Inherited by child OUs Used to control access to that OU or hide subordinate OUs Allows for the delegation of administrative rights
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 12 ORGANIZATIONAL UNITS An Organizational Unit can contain: Users Groups Contacts Printers Shared folders Computers OUs InetOrgPerson
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 13 DOMAINS Logical grouping of resources; normally used for the purpose of administration as a single unit. Form security and replication boundaries. Individual access control lists (ACLs) for each domain. Group Policies are typically assigned and inherited within a domain only, not from the forest. Domain replication is independent of global catalog and schema replication. Multiple domains may be used by a single organization.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 14 DOMAINS, TREES, AND A FOREST Forest root and tree root parent ou ou Domain tree root contoso.com tailspintoys.com child child west.contoso.com east.contoso.com
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 15 SITES One or more IP subnets that are connected by fast links. Used to reflect the physical network structure Usually local area network (LAN) versus wide area network (WAN) Optimize replication Knowledge Consistency Checker (KCC) creates and maintains this structure
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 16 NAMING STANDARDS Lightweight Directory Access Protocol (LDAP) Standard naming structure and hierarchy Established by the Internet Engineering Task Force (IETF) Domain Name System (DNS) Uniform Resource Locator (URL)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 17 LDAP NAMES Created in early 1990 s by to facilitate the implementation of X.500 in email (a standard of how global directories should be structured). cohowinery.com Sales Jeffrey Smith Guy Gilbert Distinguished Name User Principal Name (UPN) Relative Distinguished or Common Name Accounting Color Printer Cn=jsmith,ou=sales,dc=cohowinery,dc=com jsmith@cohowinery.com Jsmith
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 18 PLANNING FOR ACTIVE DIRECTORY Logical and physical structure DNS and Active Directory integration and naming Functional levels of domains and forests Trust relationships and models
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 19 STRUCTURING ACTIVE DIRECTORY Security and administrative goals are important when defining the logical structure. Group Policy application and inheritance Delegating administrative control Permission inheritance Logical structure often reflects the business or administrative model. Sites are used to reflect the physical structure of the network.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 20 ROLE OF DNS Resolves friendly names to Internet Protocol (IP) addresses. Required by Active Directory. Domain members use service locator (SRV) records to find domain controllers. Dynamic DNS (DDNS) is supported and recommended.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 21 FUNCTIONAL LEVELS Designed to support downlevel compatibility Increasing functional level allows for use of new features Two types of functional level Domain functional level Forest functional level
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 22 DOMAIN FUNCTIONAL LEVELS Windows 2000 mixed Windows 2000 native Windows Server 2003 interim Windows Server 2003
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 23 WINDOWS 2000 MIXED FUNCTIONAL LEVEL Domain controllers can run on the following operating systems: Windows NT Server 4.0 Windows 2000 Server Windows Server 2003 Features at this functional level include: Install from media Application directory partitions Enhanced user interface (UI)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 24 WINDOWS 2000 NATIVE FUNCTIONAL LEVEL Domain controllers can run on the following operating systems: Windows 2000 Server Windows Server 2003 Features at this functional level include: Group nesting Universal groups Security Identifier History (SIDHistory)
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 25 WINDOWS SERVER 2003 INTERIM FUNCTIONAL LEVEL Designed for organizations that have not upgraded to Windows 2000 Active Directory. Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported. Windows 2000 Server domain controllers are NOT allowed. No extra features over any other functional level.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 26 WINDOWS SERVER 2003 FUNCTIONAL LEVEL Only Windows Server 2003 domain controllers Features at this functional level include: Replicated last logon timestamp Key Distribution Center (KDC) version numbers User password on inetorgperson objects Domain renaming
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 27 RAISING THE DOMAIN FUNCTIONAL LEVEL Must be logged on as a member of the Domain Admins group. Performed using the Primary Domain Controller (PDC) emulator. All domain controllers must support the new level. Irreversible.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 28 FOREST FUNCTIONAL LEVELS Windows 2000 Windows Server 2003 interim Windows Server 2003
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 29 WINDOWS 2000 FOREST FUNCTIONAL LEVEL Domain controllers can be running Windows Server 2003, Windows 2000, or Windows NT 4.0 operating systems. Features supported at this functional level include: Install from media Universal group caching Application directory partitions
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 30 WINDOWS 2003 INTERIM FOREST FUNCTIONAL LEVEL Only Windows Server 2003 and Windows NT Server 4.0 domain controllers are supported. Windows 2000 Server domain controllers are NOT allowed. Features at this level include: Improved inter-site topology generator (ISTG) Improved linked value replication
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 31 WINDOWS SERVER 2003 FOREST FUNCTIONAL LEVEL Only Windows Server 2003 domain controllers are supported. Features at this level include: Dynamic auxiliary class objects User objects can be converted to inetorgperson objects Schema redefinitions permitted Domain renames permitted Cross-forest trusts permitted
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 32 RAISING THE FOREST FUNCTIONAL LEVEL Must be logged on as a member of the Enterprise Administrators group. Must be connected to the Schema Operations Master. All domain controllers must support the new functional level. Irreversible.
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 33 ACTIVE DIRECTORY TRUST MODELS Transitivity: If A trusts B and B trusts C, then A trusts C Forest Root Domain Child Domain A Child Domain C Child Domain B Child Domain D
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 34 SHORTCUT TRUST Forest Root Domain Child Domain A Child Domain C Shortcut Trust Child Domain B Child Domain D
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 35 WINDOWS NT SERVER 4.0 TRUST MODEL Domain A Domain B Domain C Domain D
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 36 CROSS-FOREST TRUST New in Windows Server 2003 Trusts between two forests Requires Windows Server 2003 forest functional level Uses Kerberos as do all Windows 2000 and Windows Server 2003 intra-forest trust relationships
Chapter 1: OVERVIEW OF ACTIVE DIRECTORY 37 SUMMARY Active Directory is a database (NTDS.dit). DNS is required by Active Directory. Schema defines object types and attributes. Domain and forest functional levels provide a balance between backward compatibility and new functionality. Active Directory allows for two-way transitive (Kerberos) trusts. Trusts allow domain hierarchies to be created. Cross-forest trusts are a new feature for Windows Server 2003 Active Directory.