Introduction to Active Directory Services

1
Introduction to Active Directory Services

• Completely integrated with Microsoft Windows 2000
  Server
• Integrates the Internet concept of namespace with
  the operating systems directory service
• Allows a single point of administration for all
  published resources

2
Understanding Active Directory Concepts

• Extensible schema
• Global catalog
• Namespace
• Naming conventions

3
Extensible Schema

• Extending the schema is an advanced operation,
  intended to be performed by experienced
  programmers and system administrators.

4
Global Catalog

• The global catalog is the central repository of
  information about objects in a domain tree or
  forest.
• The global catalog is a service as well as a
  physical storage location that contains a replica
  of selected attributes of every object in the
  Active Directory store.
• By default, the first domain controller is a
  global catalog server.
• Additional domain controllers can also be
  designated as global catalog servers by using the
  Active Directory Sites And Services snap-in.

5
Namespace
6
Naming Conventions

• Distinguished names (DNs)
• Relative distinguished names (RDNs)
• Globally unique identifiers (GUIDs)
• User principal names (UPNs)

7
Distinguished Names (DNs)

• Objects are located within Active Directory
  domains according to a hierarchical path.
• Every object in the Active Directory store has a
  DN, which uniquely identifies the object.
• The DN includes the name of the domain that holds
  the object as well as the complete path through
  the container hierarchy to the object. For
  example DCmsft/DCContoso/CNUsers/CNJohn Smith

8
Relative Distinguished Names (RDNs)

• The RDN is one of an objects attributes.
• The RDN is part of the full DN. For example
  CNJohn Smith
• Active Directory services allows duplicate RDNs
  for objects, but no two objects with the same RDN
  can exist within the same OU.

9
Globally Unique Identifiers (GUIDs)
10
User Principal Names (UPNs)

• The UPN is a friendly name that is shorter than
  the DN and easier to remember.
• The UPN consists of a shorthand name that
  represents the user and usually the DNS name of
  the domain where the object resides.
• Example johns_at_contoso.msft

11
Structure of Active Directory Architecture

• Data model
• Schema
• Security model
• Administration model

12
Access to Active Directory Services

• Protocol Support
• Application programming interfaces (APIs)
• Virtual containers

13
Protocol Support

• LDAP is the Active Directory core protocol.
• Active Directory services supports remote
  procedure call (RPC) interfaces that support
  Messaging Application Programming Interface
  (MAPI) interfaces.
• The Active Directory information model is derived
  from the X.500 information model.

14
Application Programming Interfaces (APIs)

• Active Directory Service Interfaces (ADSI)
• LDAP C API
• Windows MAPI

15
Virtual Containers

• Active Directory services supports virtual
  containers, which allow any LDAP-compliant
  directory to be accessed transparently through
  Active Directory services.
• The virtual container is implemented via location
  information in the Active Directory store.

16
Directory Service Architecture

• Interfaces
• Directory System Agent (DSA)
• Database layer
• Extensible Storage Engine (ESE)
• Data store (Ntds.dit)

17
Active Directory Key Service Components
18
Interfaces

• LDAP provides the API for LDAP clients and
  exposes the ADSI so that additional applications
  can be written that can talk to the Active
  Directory services.
• REPL is used by the replication service to
  facilitate Active Directory replication via RPC
  over Internet Protocol (IP) or Simple Mail
  Transfer Protocol (SMTP).
• SAM Provides down-level compatibility to
  facilitate communication between Microsoft
  Windows 2000 and Microsoft Windows NT 4.0
  domains.
• MAPI supports legacy MAPI clients.

19
Directory System Agent (DSA)

• Object identification
• Transaction processing
• Schema enforcement of updates
• Access control enforcement
• Support for replication
• Referrals

20
Database Layer

• Provides an object view of database information
  by applying schema semantics to database records
• Is an internal interface that is not exposed to
  the public
• Follows the parent references in the database and
  concatenates the successive RDNs to form DNs
• Translates each DN into an integer structure
  called the DN tag, which is used for internal
  access
• Is responsible for the creation, retrieval, and
  deletion of individual records, attributes, and
  values

21
Extensible Storage Engine (ESE)

• A new and improved version of the JET database
• Implements a transacted database system that uses
  log files to ensure that committed transactions
  are safe
• Stores all Active Directory objects
• Comes with a predefined schema that defines all
  the attributes required and allowed for a given
  object
• Stores attributes that can have multiple values

22
Introduction to Namespace Planning

• The Active Directory namespace is the top-level
  qualified domain name for the company.
• You must determine whether the internal and
  external namespaces will be the same or separate.

23
Defining a Namespace Architecture

• Introduction
• Root domain
• First-layer domains
• Second-layer domains

24
Introduction to OU Planning

• OUs should reflect the details of the
  organizations business structure.
• Create OUs to delegate administrative control
  over smaller groups of users, groups, and
  resources.
• OUs eliminate the need to provide users with
  administrative access at the domain level.
• OUs inherit security policies from the parent
  domain and parent OU unless inheritance is
  specifically disabled.

25
Creating the OU Structure

• You should begin your OU design by creating an OU
  structure for the first domain in the namespace.
• When you create an OU, you should determine who
  will be able to view and control certain objects
  and what level of administration each
  administrator will have over the objects.

26
OU Design Guidelines

• Create OUs to delegate administration.
• Create a logical and meaningful OU structure that
  allows OU administrators to complete their tasks
  efficiently.
• Create OUs to apply security policies.
• Create OUs to manage the visibility of published
  resources.
• Create OU structures that are relatively static.
  OUs also give the namespace flexibility to adapt
  to changing needs of the enterprise.
• Avoid allocating too many child objects to any OU.

27
Structure the OU Hierarchy

• Administration-based or object-based OUs
• Geographical-based OUs
• Business functionbased OUs
• Department-based OUs
• Project-based OUs

28
Introduction to Site Planning

• The physical design of a Windows 2000 network is
  demarcated by site.
• The Active Directory replication engine allows
  you to differentiate between replication over a
  LAN and replication over a WAN.
• How you set up your sites affects Windows 2000
  with respect to workstation logon and directory
  replication.
• In Active Directory services, sites are not part
  of the namespace.
• Properly planned sites ensure that network links
  are not saturated by replication traffic, that
  Active Directory services stay current, and that
  client computers access resources that are
  closest to them.
• When planning how to group subnets into sites,
  consider the connection speed between the subnets.

29
Optimizing Workstation Logon Traffic

• When planning sites, consider which domain
  controllers workstations should use.
• To have a particular workstation log on to a
  specific set of domain controllers, define the
  sites so that only those domain controllers are
  on the same site as the workstation.

30
Optimizing Directory Replication

• When planning sites, consider where the domain
  controllers will be located.
• Configure sites so that replication occurs at
  times or intervals that will not interfere with
  network performance.
• When implementing sites in branch offices, base
  your planning on the size of the branch office.

31
Introduction to the Active Directory Installation
Wizard
32
Adding or Creating a Domain Controller

• If you add a domain controller to an existing
  domain, you create a peer domain controller.
• If you create the first domain controller for a
  new domain, you are creating not only the domain
  controller but also a new domain.

33
Adding a Domain Controller to an Existing Domain
34
Creating a New Child Domain
35
Creating a New Domain Tree
36
Adding a Domain Tree to a Forest
37
The Active Directory Database and the Shared
System Volume

• Created when Active Directory Services is
  installed

38
The Active Directory Database

• The database is a file named Ntds.dit, which is
  the directory for the new domain.
• The default location for the database and the
  database log files is systemroot\Ntds, although
  you can specify a different location.
• The database contains all the information stores
  in the Active Directory store.
• The Ntds.dit file is an ESE database that
  contains the entire schema, the global catalog,
  and all the objects stored on that domain
  controller.

39
The Shared System Volume

• The shared system volume is a folder structure
  that exists on all Windows 2000 domain
  controllers.
• The shared system volume stores scripts and some
  of the group policy objects for the current
  domain as well as the enterprise.
• Replication of the shared system volume occurs on
  the same schedule as Active Directory replication.

40
Domain Modes

• Mixed mode
• Native mode

41
Introduction to OUs and their Objects

• Each Active Directory object is a distinct named
  set of attributes that represents a specific
  network resource.
• Before objects are added to Active Directory
  services, you should create the OUs that will
  contain those objects.

42
Creating Ous
43
Adding Objects to OUs
44
Locating Objects
45
Modifying Attributes and Deleting Objects

• You can modify the attributes of an object to
  change or add information.
• You can modify an objects attribute by opening
  the properties for that object in the Active
  Directory Users And Computers snap-in.
• To maintain security, delete objects when they
  are no longer needed.

46
Moving Objects

• You can move objects from one location in the
  Active Directory store to another location.
• You should move objects when organization or
  administrative functions change.

47
Managing Active Directory Permissions

• Use Active Directory permissions to determine who
  has the permissions to gain access to the object
  and what type of access is allowed.
• The object type determines which permissions you
  can select.
• Permissions inheritance minimizes the number of
  times you need to assign permissions for objects.

48
Delegating Administrative Control of Objects

• You can delegate administrative control of
  objects to individuals.
• Use the Delegation Of Control wizard to delegate
  control of objects.
• An administrator can delegate specific types of
  control.
• The most common method of delegating control is
  to assign permissions at the OU level.
• To delegate administrative control, you should
  try to follow specific guidelines.
• You can access the Delegation Of Control wizard
  through the Active Directory Users And Computers
  snap-in.

49
Guidelines for Administering Active Directory
Services

• Coordinate Active Directory structure with other
  administrators.
• Complete all attributes when creating objects.
• Use deny permissions sparingly.
• Ensure that at least one user has Full Control
  permission for each object.
• Ensure that delegated users take responsibility
  and can be held accountable.
• Provide training for users who control objects.