Title: Active Directory: The Directory Service for Microsoft Windows Networks
Slide 1: Chapter 1 - Active Directory: The Directory Service for Microsoft Windows Networks

Slide 2: Objectives
- Understand the uses of Active Directory, especially its role in a local area network built around Windows Server 2003
- Understand the important elements that comprise Active Directory

Slide 3: Introducing Active Directory
- Directory service for the Windows 2000 Server family
- Essential to the network operating system
- Provides information about server objects, such as:
  - Users
  - File shares
  - Printers
  - E-mail mailboxes

Slide 4: Active Directory as the Directory Service for the Operating System
- Contains crucial information for correct operation of the network
- Contains security information to protect information on the network
- Contains security information to control user access to resources

Slide 5: Security Principals
- Users, groups of users, computers
- Permissions granted by administrator
- Tracked by security identifier (SID)
  - Automatically generated
  - Stored as an attribute of the object
  - Used in the Discretionary Access Control List (DACL)
  - Used to manage permissions to resources

Slide 6: Logging On
- Authentication identifies the user
- Authorization determines if the user can access a resource
- Single sign-on requires the user to enter the password once
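The two slides above (SIDs stored as an object attribute and used in a DACL; authorization deciding access after logon) can be made concrete with an added example that is not part of the original slides: it decodes a binary objectSid blob into the familiar S-1-... form and runs a simplified, Windows-style DACL evaluation against the SIDs of a logon token. The domain SID, the user RID and the access masks are constructed values; the function names are my own, and the evaluation omits NULL DACLs, inheritance and generic-right mapping.

```python
# Added example, not from the original slides: decode the binary objectSid
# attribute into S-1-... form and evaluate a simplified DACL against the SIDs
# in a logon token. All SID values and access masks below are constructed.
import struct

# Well-known domain RIDs (the last sub-authority of a domain-relative SID).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

def sid_to_string(blob: bytes) -> str:
    """Convert a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) to text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def rid_name(sid: str) -> str:
    """Name the well-known group a SID refers to by its RID, or 'unknown'."""
    return WELL_KNOWN_RIDS.get(int(sid.rsplit("-", 1)[1]), "unknown")

READ, WRITE = 0x1, 0x2

def access_check(token_sids, dacl, requested):
    """Simplified DACL evaluation in the Windows style: ACEs are scanned in
    order; a deny ACE wins for any requested bit not yet granted; allow ACEs
    accumulate bits until every requested bit is granted. An empty DACL
    grants nothing. Each ACE is (type, sid, mask)."""
    granted = 0
    for ace_type, ace_sid, mask in dacl:
        if ace_sid not in token_sids:
            continue
        if ace_type == "deny" and mask & requested & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask & requested
            if granted == requested:
                return True
    return granted == requested

# Constructed domain SID S-1-5-21-1-2-3 with RID 512 (Domain Admins).
DOMAIN_ADMINS_BLOB = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 512)
DOMAIN_USERS_SID = "S-1-5-21-1-2-3-513"
SAMPLE_TOKEN = {"S-1-5-21-1-2-3-1105", DOMAIN_USERS_SID}  # a user plus Domain Users
# Canonical order: the deny ACE precedes the allow ACE for the same group.
SAMPLE_DACL = [("deny", DOMAIN_USERS_SID, WRITE), ("allow", DOMAIN_USERS_SID, READ | WRITE)]

if __name__ == "__main__":
    print(sid_to_string(DOMAIN_ADMINS_BLOB), rid_name(sid_to_string(DOMAIN_ADMINS_BLOB)))
    print("read:", access_check(SAMPLE_TOKEN, SAMPLE_DACL, READ))
    print("write:", access_check(SAMPLE_TOKEN, SAMPLE_DACL, WRITE))
```

The same decoder applies to objectSid values returned by an LDAP search or embedded in Windows security event logs, which is where a defender most often meets SIDs in binary form.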
Slide 7: The Log On to Windows Screen

Slide 8: The Change Password Dialog Box

Slide 9: Log-on Process

Slide 10: Organizing and Finding Objects
- Containers group objects
- Organizational Units (OUs) allow the application of Group Policy to contained objects

Slide 11: Active Directory for Central Management
- Active Directory Users and Computers
  - A snap-in for Microsoft Management Console (MMC)
  - A central point of management for the network

Slide 12: Active Directory as a Directory Service for Applications
- Authentication and authorization services
- Applications are made Active Directory-aware
- Storage of proprietary information
- Highly available
- Searchable through industry-standard interfaces and protocols

Slide 13: Active Directory Is an Application Itself
- Highly optimized database application
- Uses the Extensible Storage Engine (ESE) as its database engine
- Uses write-ahead log files to prevent corruption

Slide 14: The Power of Active Directory
- Group Policy
  - Enforces policies across the network
  - Automatically deploys software
- Control over authorization of Dynamic Host Configuration Protocol (DHCP) servers
- Control over Remote Installation Services (RIS)
  - Allows operating system installation over the network
- Easily scriptable
- Industry-standard protocols and interfaces for interaction with other software

Slide 15: The Building Blocks of Active Directory
- Database structures represent physical objects and concepts found in the real world
  - Examples: printers and domains
- Active Directory represents the logical design of the network

Slide 16: Windows Domains
- Group of computers, users, and resources
- Joint security model
  - Principals can access all resources
  - Same account policy for all users
- Administrators group
  - Can control all resources
  - Always includes the Domain Admins group
- Domain controller (DC) holds the Active Directory database

Slide 17: Domains, Trees, and Forests

Slide 18: Domains, Trees, and Forests (continued)
- Forest: a group of domains that share the same configuration partition
- Tree: a group of domains in a contiguous namespace

Slide 19: The Active Directory Schema
- Set of specifications for stored information
  - Represented data objects
  - Required and optional properties
  - Acceptable types of values per attribute

Slide 20: Active Directory Classes, Objects, and Attributes
- Objects are items of data
- Classes define objects
  - Required and optional attributes
- An object is the sum of its attributes
- Some types of objects
  - Users
  - Computers
  - Printers
  - File shares

Slide 21: Active Directory Classes, Objects, and Attributes (continued)
- Users
- Computers
- Printers
- File shares
- Groups
  - Distribution groups
  - Security groups
- Contacts
- Containers and OUs
  - Users
  - Computers
- New classes

Slide 22: Replication and Partitions
- Database copied to several controllers for
  - Backup
  - Shared workload
- Multiple-master technology
- Replication process includes
  - Conflict resolution
  - Synchronization
  - Simultaneous changes between replicas
- Partitions (naming contexts) replicated independently

Slide 23: Domain Controllers and Partitions

Slide 24: Schema and Domain Partitions
- Schema partition
  - Definition of all classes and attributes
  - Replicated to all DCs in the forest
  - Changes written by the operations master only
- Domain partition
  - Naming context that contains users, computers, groups, and OUs
  - Global Catalog (GC) server has partial replicas for all other domains in the forest

Slide 25: Configuration and Application Partitions
- Configuration partition
  - Information about replication topology
  - Found on all DCs
  - Same throughout the forest
- Application partition
  - Can be replicated to many different domains
  - An Active Directory-aware application controls where it is replicated

Slide 26: Searching and GC Servers
- Some DCs are designated as GC servers
- GC servers contain a partial replica of the domain partition for all domains in the forest
- Only the GC needs to be queried for basic information

Slide 27: Chapter Summary
- A directory service is used to locate, manage, and control network objects and resources
- Can be used to centralize authentication and authorization
- Application developers can extend the schema
- Application developers can create an application partition

Slide 28: Chapter Summary (continued)
- Administrators can secure information stored in Active Directory
- The Active Directory schema defines everything that can be stored
- A schema describes classes: blueprints for creating objects
- DCs run Active Directory
- Partitioning allows replication of different parts of the database to different DCs
- GC servers contain partial information about every object in the forest