Active Directory: The Directory Service for Microsoft Windows Networks - PowerPoint PPT Presentation

Slides: 29
Provided by: zz992
Transcript and Presenter's Notes

Title: Active Directory: The Directory Service for Microsoft Windows Networks


1
Chapter 1
  • Active Directory: The Directory Service for
    Microsoft Windows Networks

2
Objectives
  • Understand the uses of Active Directory,
    especially its role in a local area network built
    around Windows Server 2003
  • Understand the important elements that comprise
    Active Directory

3
Introducing Active Directory
  • Directory service for Windows 2000 Server family
  • Essential to network operating system
  • Provides information about server objects, such
    as
      • Users
      • File shares
      • Printers
      • E-mail mailboxes

4
Active Directory as the Directory Service for
the Operating System
  • Contains crucial information for correct
    operation of the network
  • Contains security information to protect
    information on the network
  • Contains security information to control user
    access to resources

5
Security Principals
  • Users, groups of users, computers
  • Permissions granted by administrator
  • Tracked by security identifier (SID)
  • Automatically generated
  • Stored as attribute of object
  • Used in Discretionary Access Control List (DACL)
  • Used to manage permissions to resources
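
The SID bullets above, shown as an added example that is not part of the original presentation: a SID is stored on the object in binary form (the `objectSid` attribute), and its last sub-authority, the relative identifier (RID), identifies the principal within the domain. The domain identifier in the sample is constructed for illustration.

```python
import struct

# Well-known relative identifiers (RIDs) for domain accounts and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}

def encode_sid(sid: str) -> bytes:
    """Pack an S-R-I-S... string into the binary form held in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def decode_sid(raw: bytes) -> str:
    """Render a binary SID as a string, rejecting malformed lengths."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID revision or length is inconsistent")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def describe(raw: bytes) -> tuple:
    """Split a domain SID into (domain SID, RID, well-known name or None)."""
    sid = decode_sid(raw)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid), WELL_KNOWN_RIDS.get(int(rid))

# Constructed sample: the domain identifier below is made up for illustration.
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_OBJECT_SID = encode_sid(SAMPLE_DOMAIN + "-512")

if __name__ == "__main__":
    print(decode_sid(SAMPLE_OBJECT_SID), describe(SAMPLE_OBJECT_SID))
```
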

6
Logging On
  • Authentication identifies the user
  • Authorization determines if the user can access
    resource
  • Single sign-on requires the user to enter a
    password only once

7
The Log On to Windows Screen

8
The Change Password Dialog Box

9
Log-on Process

10
Organizing and Finding Objects
  • Containers group objects
  • Organizational Units (OUs) allow the application
    of Group Policy to contained objects

11
Active Directory for Central Management
  • Active Directory Users and Computers
      • A snap-in for Microsoft Management Console (MMC)
      • A central point of management for network

12
Active Directory as a Directory Service for
Applications
  • Authentication and authorization services
  • Applications are made Active Directory-aware
  • Storage of proprietary information
  • Highly available
  • Searchable through industry standard interfaces
    and protocols

13
Active Directory is an Application Itself
  • Highly optimized database application
  • Uses Extensible Storage Engine (ESE) for
    database engine
  • Uses write-ahead log files to prevent corruption

14
The Power of Active Directory
  • Group Policy
      • Enforces policies across network
      • Automatically deploys software
  • Control over authorization of Dynamic Host
    Configuration Protocol (DHCP) servers
  • Control over Remote Installation Services (RIS)
      • Allows operating system installation over network
  • Easily scriptable
  • Industry-standard protocols and interfaces for
    interaction with other software

15
The Building Blocks of Active Directory
  • Database structures represent physical objects
    and concepts found in the real world
  • Examples: printers and domains
  • Active Directory represents the logical design of
    the network

16
Windows Domains
  • Group of computers, users, and resources
  • Joint security model
      • Principals can access all resources
      • Same account policy for all users
  • Administrators Group
      • Can control all resources
      • Always includes Domain Admins group
  • Domain controller (DC) holds the Active
    Directory database

17
Domains, Trees, and Forests

18
Domains, Trees, and Forests (continued)
  • Forest is a group of domains that share the same
    configuration partition
  • Tree is a group of domains in a contiguous name
    space

19
The Active Directory Schema
  • Set of specifications for stored information
  • Represented data objects
  • Required and optional properties
  • Acceptable types of values per attribute

20
Active Directory Classes, Objects, and Attributes
  • Objects are items of data
  • Classes define objects
  • Required and optional attributes
  • An object is the sum of its attributes
  • Some types of objects
      • Users
      • Computers
      • Printers
      • File shares

21
Active Directory Classes, Objects, and Attributes
(continued)
  • Users
  • Computers
  • Printers
  • File shares
  • Groups
      • Distribution groups
      • Security groups
  • Contacts
  • Containers and OUs
      • Users
      • Computers
  • New classes

22
Replication and Partitions
  • Database copied to several controllers for
      • Backup
      • Shared workload
  • Multiple-master technology
  • Replication process includes
      • Conflict resolution
      • Synchronization
      • Simultaneous changes between replicas
  • Partitions (naming contexts) replicated
    independently

23
Domain Controllers and Partitions

24
Schema and Domain Partitions
  • Schema partition
      • Definition of all classes and attributes
      • Replication to all DCs in forest
      • Changes written by operations master only
  • Domain partition
      • Naming context that contains users, computers,
        groups, and OUs
  • Global Catalog (GC) server has partial replicas
    for all other domains in forest

25
Configuration and Application Partitions
  • Configuration partition
      • Information about replication topology
      • Found on all DCs
      • Same throughout forest
  • Application partition
      • Can be replicated to many different domains
      • An Active Directory-aware application controls
        where it is replicated

26
Searching and GC Servers
  • Some DCs designated as GC server
  • GC servers contain partial replica of domain
    partition for all domains in forest
  • Only the GC needs to be queried for basic
    information

27
Chapter Summary
  • A directory service is used to locate, manage,
    and control network objects and resources
  • Can be used to centralize authentication and
    authorization
  • Application developers can extend the schema
  • Application developers can create an application
    partition

28
Chapter Summary (continued)
  • Administrators can secure information stored in
    Active Directory
  • The Active Directory schema defines everything
    that can be stored
  • A schema describes classes (blueprints for
    creating objects)
  • DCs run Active Directory
  • Partitioning allows replication of different
    parts of the database to different DCs
  • GC servers contain partial information of every
    object in the forest