1
Chapter Summary
  • Understanding DNS
  • Understanding Name Resolution
  • Configuring a DNS Client
  • Understanding Active Directory
  • Understanding Active Directory Structure and
    Replication
  • Understanding Active Directory Concepts

2
Introduction to DNS
  • The Domain Name System (DNS) is a naming system
    based on a distributed database.
  • DNS is used in TCP/IP networks to translate
    computer names to IP addresses.
  • DNS is the default naming system for IP-based
    networks.
  • The DNS Server service is not included with
    Microsoft Windows XP Professional; it ships with
    Microsoft Windows 2000 Server. (Both include the
    DNS client resolver.)

3
Benefits of Using DNS
  • DNS names are user friendly.
  • DNS names remain more constant than IP addresses.
  • DNS uses the same naming conventions as the
    Internet.

4
Domain Namespace
5
Examples of Second-Level Domains
  • ed.gov
  • Microsoft.com
  • Stanford.edu
  • w3.org

6
Host Names
  • Host names refer to specific computers on the
    Internet or an intranet.
  • They are the leftmost portion of a fully
    qualified domain name (FQDN), such as
    Computer1.sales.microsoft.com.
  • DNS uses a host's FQDN to resolve a name to an IP
    address.
  • Host names do not have to match the computer
    names.

7
Domain Naming Guidelines
  • Limit the number of domain levels.
  • Use unique names.
  • Use simple names.
  • Avoid lengthy domain names.

8
Domain Naming Guidelines (Cont.)
  • Use standard DNS characters; treat Unicode
    characters as a Windows-only extension.
  • Windows 2000 Server supports A-Z, a-z, 0-9, and
    hyphen (-), the RFC 1035 host name characters.
  • The DNS Service also accepts the Unicode (UTF-8)
    character set, but names that use characters
    outside A-Z, a-z, 0-9 and hyphen are not portable
    to standard resolvers or Internet registries, so
    avoid them for any name that must resolve outside
    Windows.
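
The naming guidelines above, as an added example that is not part of the original presentation: a small Python validator for a proposed host or domain name that applies the RFC 1035 label rules (letters, digits and hyphen, no leading or trailing hyphen, 63-octet labels, 253-octet names) together with the slide's "limit the number of domain levels" guideline. The `max_levels` default of 4 and the sample names are assumptions for illustration.

```python
import re
from typing import List

# RFC 1035 "preferred name syntax": each label is letters, digits and hyphen,
# does not start or end with a hyphen, and is at most 63 octets; the whole
# name is at most 253 octets in text form.  Underscore labels such as
# _ldap._tcp are DNS service names, not host names, and are rejected here.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_dns_name(name: str, max_levels: int = 4) -> List[str]:
    """Return the guideline violations for a proposed DNS name; [] means OK.

    max_levels (assumed value 4) enforces "limit the number of domain
    levels"; Unicode labels are reported because Windows 2000 DNS accepts
    UTF-8 names that standard resolvers and registries do not.
    """
    problems: List[str] = []
    fqdn = name.rstrip(".")
    if not fqdn:
        return ["empty name"]
    if len(fqdn.encode("utf-8")) > 253:
        problems.append("name is longer than 253 octets")
    labels = fqdn.split(".")
    if len(labels) > max_levels:
        problems.append(f"{len(labels)} levels; guideline is at most {max_levels}")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif not label.isascii():
            problems.append(f"label {label!r} uses non-ASCII (Unicode) characters")
        elif len(label) > 63:
            problems.append(f"label {label!r} is longer than 63 characters")
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label {label!r} starts or ends with a hyphen")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} uses characters outside A-Z, a-z, 0-9 and hyphen")
    return problems


if __name__ == "__main__":
    # Constructed sample names, not from the original slides.
    for candidate in ["computer1.sales.microsoft.com",
                      "file_server.corp.example.com",
                      "-bad.example.com",
                      "a.b.c.d.e.example.com",
                      "bürö.example.com"]:
        print(candidate, "->", check_dns_name(candidate) or "OK")
```

Run it against the names you intend to register before creating zones; the underscore case is the one most often hit in practice, because Windows accepts it for computer names while standard resolvers treat it as invalid in a host name.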

9
Zones
10
Name Servers
  • DNS name servers store the zone database file.
  • They store the database files for one or multiple
    zones.
  • They have authority for the domain namespace that
    the zone encompasses.
  • A zone must have at least one name server.

11
Primary Zone Database File
  • One name server for each zone holds the master
    copy of the zone data, called the primary zone
    database file.
  • Changes to a zone are made on the primary zone
    database file.
  • Other name servers hold secondary (read-only)
    copies obtained by zone transfer and act as a
    backup.

12
Benefits of Multiple Name Servers
  • Keep secondary copies current through zone
    transfers (restrict transfers to the known
    secondary servers; an unrestricted zone transfer
    hands anyone a complete listing of the zone)
  • Provide redundancy
  • Improve access speed
  • Reduce the load

13
Name Resolution
  • Name resolution is the process of resolving names
    to IP addresses.
  • DNS resolves a name, such as www.microsoft.com,
    to an IP address.
  • The mapping of names to addresses is stored in
    the DNS distributed database.

14
Resolving a Forward Lookup Query
15
Name Server Caching
  • When a name server is processing a query, it
    might have to send out several queries to find
    the answer.
  • Each query discovers other name servers that have
    authority for a portion of the domain namespace.
  • The name server caches these query results to
    reduce network traffic.
  • When a name server receives a query result, the
    name server caches the query result for a
    specified amount of time, referred to as Time to
    Live (TTL).

16
Time to Live (TTL)
  • The zone that provides the query results
    specifies the TTL; the default TTL is 60 minutes.
  • When TTL expires, the name server deletes the
    query result from its cache.
  • Shorter TTL values help ensure that data about
    the domain namespace is more current across the
    network.
  • Shorter TTL values increase the load on name
    servers.
  • Longer TTL values decrease the time required to
    resolve information.
  • Longer TTL values mean it will take longer for a
    client to receive any updated information.
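
The caching and TTL behaviour of the two slides above, as an added example that is not part of the original presentation: a Python model of a name server cache that discards entries when their TTL expires, plus a simulation that counts how many upstream queries one popular name generates per day at different TTLs. The upstream server, the client query interval of 60 seconds and the 192.0.2.10 (TEST-NET-1) answer are constructed for the example.

```python
import time
from typing import Callable, Dict, Tuple


class CachingNameServer:
    """Positive-answer cache for a name server, keyed by name.

    Each cached answer carries the absolute time at which its TTL runs out.
    An expired entry is discarded on the next lookup and the question is sent
    upstream again, which is the behaviour the slide describes.  `upstream`
    stands in for the real recursive query; `clock` is injectable so the
    simulation below can run without waiting.
    """

    def __init__(self, upstream: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.upstream = upstream
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}
        self.upstream_queries = 0

    def resolve(self, name: str) -> str:
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None:
            answer, expires_at = entry
            if now < expires_at:
                return answer            # still within TTL: serve from cache
            del self.cache[name]         # TTL expired: drop the stale answer
        answer, ttl = self.upstream(name)
        self.upstream_queries += 1
        self.cache[name] = (answer, now + ttl)
        return answer


def upstream_queries_per_day(ttl_seconds: int, query_interval_seconds: int = 60) -> int:
    """How many times the server must ask the authoritative servers for one
    name over 24 hours when clients request it every query_interval_seconds
    and the zone hands out ttl_seconds.  Constructed scenario with a fake
    clock; 192.0.2.10 is a TEST-NET-1 address, not a real host."""
    fake_now = [0.0]

    def upstream(_name: str) -> Tuple[str, int]:
        return ("192.0.2.10", ttl_seconds)

    server = CachingNameServer(upstream, clock=lambda: fake_now[0])
    for t in range(0, 24 * 3600, query_interval_seconds):
        fake_now[0] = float(t)
        server.resolve("www.example.com")
    return server.upstream_queries


if __name__ == "__main__":
    for ttl in (60, 300, 3600, 86400):
        print(f"TTL {ttl:>5}s: {upstream_queries_per_day(ttl)} upstream queries/day")
```

The numbers make the slide's trade-off concrete: at the 60-minute default a client asking every minute costs 24 upstream queries a day, at a 5-minute TTL 288, and the stale-data window after a record change is exactly the TTL.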

17
Reverse Lookup Query
  • A reverse lookup query maps an IP address to a
    name.
  • Troubleshooting tools such as the nslookup
    utility use reverse lookup.
  • Some applications make access decisions based on
    the name a reverse lookup returns rather than on
    the IP address. The PTR record is controlled by
    whoever administers the reverse zone for that
    address block, so such a name should be forward
    confirmed (the returned name must resolve back to
    the same address) before it is trusted.
  • The DNS distributed database is indexed by name,
    so a reverse lookup query would otherwise require
    an exhaustive search of every domain name.

18
The in-addr.arpa Domain
  • Is a special second-level domain created to
    resolve the difficulty of doing a reverse lookup
    query
  • Follows the same hierarchical naming scheme as
    the rest of the domain namespace, but it is based
    on IP addresses, not domain names
  • Has subdomains named after the numbers in the
    dotted-decimal representation of IP addresses
  • Reverses the order of the IP address octets
  • Lets companies administer subdomains of the
    in-addr.arpa domain based on their assigned IP
    addresses and subnet mask
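
The two slides above (reverse lookup and the in-addr.arpa domain), as an added example that is not part of the original presentation: Python that builds the PTR owner name for an address by reversing its octets under in-addr.arpa, names the in-addr.arpa subdomain an organisation administers for an octet-aligned block, and performs the forward-confirmation check that any name-based access decision should make. The forward and reverse zone contents are constructed (192.0.2.0/24 is TEST-NET-1), including one deliberately forged PTR record; the RFC 2317 technique for blocks smaller than /24 is mentioned but not implemented.

```python
import ipaddress
from typing import Dict, List, Optional


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address: the octets in
    reverse order under in-addr.arpa, as the slide describes."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone(network: str) -> str:
    """Name of the in-addr.arpa subdomain an organisation administers for an
    octet-aligned assignment (/8, /16 or /24).  Smaller blocks cannot be
    expressed as one subdomain; delegating those uses the RFC 2317 CNAME
    technique, which this example does not cover."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: prefix must be /8, /16 or /24 for a single in-addr.arpa zone")
    kept = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


# Constructed zone data standing in for a forward zone and its reverse zone
# (192.0.2.0/24 is TEST-NET-1; nothing here is a real host).  The PTR for
# 192.0.2.99 claims mail.example.com although that name does not point back
# to it: anyone who administers a reverse zone can publish such a record.
FORWARD_A: Dict[str, List[str]] = {
    "mail.example.com.": ["192.0.2.25"],
    "www.example.com.": ["192.0.2.80"],
}
REVERSE_PTR: Dict[str, str] = {
    ptr_name("192.0.2.25"): "mail.example.com.",
    ptr_name("192.0.2.99"): "mail.example.com.",   # forged PTR
}


def forward_confirmed_name(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only if that name's
    A records include the address we started from, otherwise None.  A check
    that grants access by client name must do at least this rather than
    trust the PTR record on its own."""
    claimed = REVERSE_PTR.get(ptr_name(ip))
    if claimed is None:
        return None
    return claimed if ip in FORWARD_A.get(claimed, []) else None


if __name__ == "__main__":
    print(ptr_name("192.0.2.25"))
    print(reverse_zone("192.0.2.0/24"))
    for ip in ("192.0.2.25", "192.0.2.99", "192.0.2.80"):
        print(ip, "->", forward_confirmed_name(ip))
```

Note that 192.0.2.80 has an A record but no PTR, so it yields no name at all, and 192.0.2.99 yields none because its forged PTR fails the forward check; only 192.0.2.25 passes.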

19
Introduction to DNS Clients
  • A DNS client uses DNS, a distributed database
    used in Transmission Control Protocol/Internet
    Protocol (TCP/IP) networks, for name resolution.
  • TCP/IP must be installed for a computer to use
    DNS.

20
Internet Protocol (TCP/IP) Properties Dialog Box
21
Configuring DNS Query Settings
  • Append Primary And Connection Specific DNS
    Suffixes
      • Appends the primary DNS suffix of the
        computer, and then the connection-specific
        suffix set in the DNS Domain Name field of
        each network connection, to unqualified
        names.
  • Append Parent Suffixes Of The Primary DNS Suffix
      • The resolver on the client (not the DNS
        server) strips off the leftmost label of the
        primary DNS suffix and tries the resulting
        domain name, repeating until two labels
        remain (name devolution). A devolved suffix
        can fall outside the namespace you control,
        sending queries for internal host names to
        someone else's servers.
  • Append These DNS Suffixes (In Order)
      • The resolver adds each of these suffixes, one
        at a time and in the order you specified,
        instead of the primary and connection-specific
        suffixes.
  • Register This Connection's Addresses In DNS
      • The computer attempts to register the IP
        addresses of this connection in DNS
        dynamically, under its full computer name.
  • Use This Connection's DNS Suffix In DNS
    Registration
      • The computer also uses dynamic update to
        register the IP address under the
        connection-specific domain name of the
        connection.
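
The suffix settings above, as an added example that is not part of the original presentation: Python that lists the fully qualified names the resolver tries for an unqualified query under each setting, and flags the candidates that fall outside the zones the organisation controls. It assumes the Windows 2000 devolution rule (stop when two labels remain, never query a bare top-level domain; later Windows versions add a configurable devolution level) and that a multi-label unqualified name is tried as-is before suffixes are appended. The company, suffixes and zones are constructed.

```python
from typing import List, Optional


def candidate_names(query: str,
                    primary_suffix: str,
                    connection_suffixes: List[str],
                    append_parent_suffixes: bool = True,
                    explicit_suffixes: Optional[List[str]] = None) -> List[str]:
    """Fully qualified names the Windows 2000 resolver tries, in order, for
    the settings on the slide.

    - A query ending in '.' is already fully qualified and is tried as-is.
    - If 'Append These DNS Suffixes (In Order)' is set, only those suffixes
      are appended, in that order.
    - Otherwise the primary DNS suffix, then each connection-specific
      suffix, and (when parent-suffix devolution is on) the parents of the
      primary suffix are appended.  Devolution stops when two labels are
      left; the resolver never queries a bare top-level domain.  Multi-label
      unqualified queries are assumed here to be tried as-is first.
    """
    if query.endswith("."):
        return [query]
    tried: List[str] = []
    if "." in query:
        tried.append(query + ".")
    suffixes: List[str] = []
    if explicit_suffixes:
        suffixes.extend(explicit_suffixes)
    else:
        if primary_suffix:
            suffixes.append(primary_suffix)
        suffixes.extend(s for s in connection_suffixes if s)
        if append_parent_suffixes and primary_suffix:
            labels = primary_suffix.split(".")
            while len(labels) > 2:
                labels = labels[1:]
                suffixes.append(".".join(labels))
    for suffix in suffixes:
        fqdn = f"{query}.{suffix.strip('.')}."
        if fqdn not in tried:
            tried.append(fqdn)
    return tried


def sent_outside(org_zones: List[str], candidates: List[str]) -> List[str]:
    """Candidates that are not under any zone the organisation controls.
    These queries, carrying internal host names, go to someone else's DNS
    servers, which is the devolution caveat in the slide text."""
    zones = ["." + z.strip(".") + "." for z in org_zones]
    return [c for c in candidates if not any(c.endswith(z) for z in zones)]


if __name__ == "__main__":
    # Constructed configuration: the company runs corp.example.com internally
    # but example.com itself is hosted by a third party.
    names = candidate_names("payroll", "sales.corp.example.com", ["vpn.partner.net"])
    for n in names:
        print(n)
    print("sent outside the organisation:", sent_outside(["corp.example.com"], names))
```

In the constructed case the query for `payroll` reaches both the partner's VPN suffix and the externally hosted `example.com` before the client gives up, which is why an explicit suffix list is the safer setting on machines that join networks you do not control.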

22
What Is Active Directory?
  • A directory service uniquely identifies users and
    resources on a network.
  • Active Directory service is the directory service
    included with Microsoft Windows 2000 products.
  • Active Directory provides a single point of
    network management.
  • Active Directory is a network service that
      • Identifies all resources on a network
      • Makes all resources available to users and
        applications

23
What Is Active Directory? (Cont.)
  • Active Directory includes the directory or data
    store.
  • The directory is a structured database that
    stores information about network resources.
  • Resources stored in the directory are referred to
    as objects.

24
Simplified Administration
  • Active Directory organizes resources
    hierarchically in domains.
  • A domain is a logical grouping of servers and
    other network resources under a single domain
    name.
  • A domain is the basic unit of replication and
    security.
  • A domain includes at least one domain controller.
  • Active Directory provides
      • A single point of administration for all
        objects on the network
      • A single point of logon for all network
        resources

25
Scalability
  • The directory stores information by organizing
    itself into sections that permit storage for a
    huge number of objects.
  • For example, the directory can be scaled to meet
    the needs of
      • Small installations with one server and a few
        hundred objects
      • Huge installations with hundreds of servers
        and millions of objects

26
Open Standards Support
  • Active Directory's use of open standards
      • Integrates the Internet concept of a namespace
        with the Windows 2000 directory service
      • Allows you to unify and manage multiple
        namespaces
      • Uses DNS for its name system
      • Can exchange information with any application
        or directory that uses Lightweight Directory
        Access Protocol (LDAP) or Hypertext Transfer
        Protocol (HTTP)
      • Can share information with other directory
        services that support LDAP version 2 or
        version 3, such as Novell Directory Services
        (NDS)

27
Open Standards Support (Cont.)
  • Domain Name System
      • DNS is the domain naming and locator service
        for Active Directory.
      • Windows 2000 domain names are also DNS names.
      • Windows 2000 Server uses dynamic DNS (DDNS).
      • Clients can update their own DNS records
        dynamically. On Active Directory-integrated
        zones, allow only secure (authenticated)
        dynamic updates; with unsecured updates any
        host on the network can overwrite another
        host's records.
      • DDNS reduces the need for other naming
        services such as WINS.
      • To function correctly, Active Directory and
        the associated client software require the
        DNS Service.

28
Open Standards Support (Cont.)
  • Support for LDAP and HTTP
      • LDAP is an Internet standard for accessing
        directory services.
      • HTTP is the standard protocol for displaying
        pages on the World Wide Web.
      • You can display every object in Active
        Directory as an HTML (Hypertext Markup
        Language) page in a Web browser.

29
Support for Standard Name Formats
  • Request for Comments (RFC) 822
      • somename@domain.com
  • HTTP URL
      • http://domain/path-to-page
  • Universal Naming Convention (UNC)
      • Example: \\microsoft.com\xl\budget.xls
  • LDAP URL
      • LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

30
Logical Structure
  • Active Directory separates the logical structure
    from the physical structure.
  • Active Directory lets you organize resources in a
    logical structure.
  • A resource is located by its name rather than its
    physical location.
  • The network's physical structure is transparent
    to all users.

31
Objects
32
Organizational Units
  • An organizational unit (OU) is a container that
    you use to organize objects in a domain into
    logical administrative groups.
  • An OU can contain objects such as user accounts,
    groups, computers, printers, applications, file
    shares, and other OUs.
  • Each domain can implement its own OU hierarchy.
  • There is no limit to the depth of the hierarchy,
    but shallow is better.
  • An administrator can delegate administrative
    tasks by assigning permissions to OUs.

33
Domain
  • The domain is the core unit of logical structure.
  • All network objects exist within a domain.
  • A domain stores information about only the
    objects that it contains.
  • A practical limit to the number of objects in a
    domain is 1 million.

34
A Domain Is a Security Boundary
  • Access control lists (ACLs) control access to
    domain objects.
  • ACLs contain the permissions associated with
    objects.
  • ACLs control
      • Which users can access an object
      • Which type of access users have to the objects
  • Security policies and settings do not cross from
    one domain to another.
  • A domain administrator has absolute rights to set
    policies only in that domain.
  • The domain is a boundary for policy and
    administration, not for isolation: every domain
    in a forest trusts the others, and the forest is
    the actual security boundary. Do not rely on a
    separate domain to contain an administrator you
    do not trust; use a separate forest.

35
Tree
  • A tree is a grouping of one or more Windows 2000
    domains that share a contiguous namespace.
  • The domain name of a child domain is the relative
    name of that child domain appended with the name
    of the parent domain.
  • All domains within a single tree share
      • A common schema
      • A common Global Catalog

36
Forest
  • A forest is a grouping of one or more domain
    trees that form a disjointed namespace.
  • All trees in a forest share a common schema.
  • Trees in a forest have different naming
    structures.
  • All domains in a forest share a common Global
    Catalog.
  • Domains in a forest operate independently, but
    the forest enables communication across the
    entire organization.

37
Physical Structure
  • The physical components of Active Directory are
      • Domain controllers
      • Sites
  • The physical components of Active Directory are
    used to mirror the physical structure of an
    organization.

38
Domain Controllers
  • Each domain controller in a domain
      • Stores a complete copy of all Active Directory
        information for that domain
      • Manages changes to that information
      • Replicates changes to other domain controllers
        in the same domain
      • Automatically replicates all objects in the
        domain to all other domain controllers in the
        domain
      • Immediately replicates certain important
        updates, such as the disabling of a user
        account

39
Domain Controllers (Cont.)
  • Active Directory uses multimaster replication, in
    which no one domain controller is the master
    domain controller.
  • Domain controllers detect collisions, which can
    occur when an attribute is modified on a domain
    controller before a change to the same attribute
    on another controller is completely propagated.
  • Having more than one domain controller in a
    domain provides fault tolerance.
  • Domain controllers manage all aspects of user
    domain interaction, such as locating Active
    Directory objects and validating user logon
    attempts.

40
Sites
  • The physical structure of Active Directory is
    based on sites.
  • A site is a combination of one or more IP
    subnets.
  • Typically, a site has the same boundaries as a
    local area network (LAN).
  • Sites are not part of the logical namespace.
  • Sites contain only computer objects and
    connection objects used to configure replication
    between sites.
  • A single domain can span multiple geographical
    sites, and a single site can include accounts and
    computers from multiple domains.

41
Replication Within a Site
  • Active Directory includes a replication feature.
  • Replication ensures that changes to a domain
    controller are reflected by all domain
    controllers in a domain.

42
Ring Topology for Replication
43
Active Directory Terminology
  • Schema
  • Global Catalog
  • Namespace
  • Naming conventions

44
Schema
  • The schema contains a formal definition of the
    contents and structure of Active Directory.
  • The schema contains two types of definition
    objects
      • Schema class objects define what objects can
        be stored in Active Directory.
      • Schema attribute objects define the type of
        information that can be stored about each
        object.
  • The schema defines
      • The schema attribute objects required for each
        object
      • The additional schema attribute objects that
        an instance of the class can have

45
Default Schema
  • Installing Active Directory on the first domain
    controller in a network creates the default
    schema, which contains
      • Definitions of commonly used objects and
        properties
      • Definitions of objects and properties that
        Active Directory uses internally to function

46
Extensible Schema
  • You can define
      • New directory object types and attributes
      • New attributes for existing objects
  • You can extend the schema
      • By using LDAP Data Interchange Format (LDIF)
        scripts
      • Programmatically, for example by using the
        Active Directory Services Interface (ADSI)
      • By using the Active Directory Schema Manager
        snap-in
  • The schema is a forest-wide partition replicated
    to every domain controller and can be updated
    dynamically. Extending it requires membership in
    the Schema Admins group, and a class or attribute
    once added cannot be deleted, only deactivated,
    so test extensions in a lab forest first.

47
Global Catalog
  • The Global Catalog is the central repository of
    information about objects in a tree or forest.
  • Active Directory automatically generates the
    contents of the Global Catalog.
  • The Global Catalog is a service and a physical
    storage location.
  • It contains a full replica (all information) for
    its host domain and a partial replica of all
    information in all other domains in the tree or
    forest.
  • It enables finding directory information
    regardless of which domain in the tree or forest
    actually contains the data.

48
Global Catalog Servers
  • Installing Active Directory on the first computer
    in a new forest makes that domain controller a
    Global Catalog server.
  • The Active Directory Sites and Services snap-in
    allows you to designate additional Global Catalog
    servers.
  • More Global Catalog servers means more
    replication traffic.
  • More Global Catalog servers can provide quicker
    responses.
  • Every major site should have a Global Catalog
    server.

49
Namespace
  • Contiguous namespace
      • The name of the child object in an object
        hierarchy always contains the name of the
        parent domain.
      • A tree is a contiguous namespace.
  • Disjointed namespace
      • The names of a parent object and of a child of
        the same parent object are not directly
        related to one another.
      • A forest is a disjointed namespace.

50
Naming Conventions
  • Every object in Active Directory is identified by
    a name.
  • Active Directory uses a variety of naming
    conventions
      • Distinguished name (DN)
      • Relative distinguished name (RDN)
      • Globally unique identifier (GUID)
      • User principal name (UPN)

51
Distinguished Name
  • Every object has a DN that
      • Uniquely identifies the object
      • Contains sufficient information for a client
        to retrieve the object from the directory
      • Includes the name of the domain that holds the
        object
      • Includes the complete path through the
        container hierarchy to the object
  • DNs must be unique in the directory.

52
Relative Distinguished Name
  • Active Directory supports querying by attributes,
    so that
      • You can locate an object even if the exact DN
        is unknown
      • You can locate an object even if the DN has
        changed
  • The RDN of an object is the leftmost part of its
    DN, an attribute of the object itself (for
    example, CN=Firstname Lastname).
  • RDNs may be duplicated across Active Directory,
    but not within the same container (OU or other
    parent object), because the DN must stay unique.

53
Globally Unique Identifier
  • A GUID is a 128-bit number that is guaranteed to
    be unique.
  • GUIDs are assigned when the object is created.
  • The GUID for an object never changes.
  • Applications use GUIDs to retrieve objects
    regardless of their current DNs.

54
User Principal Name
  • User accounts have a friendly logon name, the UPN.
  • The UPN is composed of the shorthand name for the
    user account, the @ sign, and a UPN suffix, by
    default the DNS name of the domain where the user
    account object resides (an alternative suffix
    defined for the forest can be used instead).
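
The naming conventions of the four slides above (DN, RDN, GUID, UPN), as an added example that is not part of the original presentation: a small Python DN parser that splits a distinguished name into its RDNs (handling backslash-escaped commas as in RFC 4514), extracts the object's RDN and parent container, rebuilds the domain's DNS name from the DC= components, forms the default UPN, and checks the rule that an RDN may repeat in the directory but not inside one container. The sample DNs and the `jsmith` logon name are constructed; the first DN mirrors the LDAP URL example on slide 29. GUIDs are not modelled because they carry no structure to parse.

```python
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) RDNs, leftmost
    (the object's own RDN) first.  Backslash-escaped characters such as
    '\\,' inside a value are kept with the value, as in RFC 4514.  Multi-valued
    RDNs (a=1+b=2) are not handled; Active Directory does not use them."""
    parts: List[str] = []
    buf = ""
    escaped = False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def rdn(dn: str) -> str:
    """The relative distinguished name: the leftmost component."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Rebuild the DNS name of the domain holding the object from the DC=
    components, which is how a DN 'includes the name of the domain'."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def upn(sam_account_name: str, dn: str, upn_suffix: str = "") -> str:
    """User principal name: logon shorthand @ UPN suffix.  The default suffix
    is the DNS name of the user's domain; a forest may define alternatives."""
    return f"{sam_account_name}@{upn_suffix or domain_dns_name(dn)}"


def same_container_conflict(dn_a: str, dn_b: str) -> bool:
    """True when two objects would carry the same RDN in the same container,
    which the directory rejects; the same RDN in different containers is fine."""
    return (rdn(dn_a).lower() == rdn(dn_b).lower()
            and parent_dn(dn_a).lower() == parent_dn(dn_b).lower())


if __name__ == "__main__":
    # Constructed DNs; the first mirrors the LDAP URL example on the slide.
    for sample in ("CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel",
                   "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com"):
        print(rdn(sample), "|", parent_dn(sample), "|", domain_dns_name(sample))
    print(upn("jsmith", "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com"))
```

The escaped-comma case matters in practice: a display name written "Smith, John" becomes `CN=Smith\, John` in the DN, and a naive `split(",")` would produce a bogus RDN and a wrong container when such a DN is fed into an access-control or audit script.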

55
Chapter Summary
  • DNS is the default naming system for IP-based
    networks. (It is not included in Windows XP
    Professional.)
  • DNS resolves computer names to IP addresses and
    locates computers within local networks and on
    the Internet.
  • The DNS database is indexed by name, so each
    domain must have a name.
  • The domain namespace consists of a root domain,
    top-level domains, second-level domains, and host
    names.
  • A forward lookup query resolves a name to an IP
    address, and a reverse lookup query resolves an
    IP address to a name.
  • The DNS distributed database is indexed by name
    and not by IP address, but in-addr.arpa is based
    on IP addresses instead of domain names.
  • You can configure a DNS client to obtain the
    address of the DNS server automatically, or you
    can manually enter multiple addresses for DNS
    servers.

56
Chapter Summary (Cont.)
  • Active Directory is the directory service
    included in the Windows 2000 Server products. (It
    is not included in Windows XP Professional.)
  • Active Directory includes the directory or data
    store, which stores information about network
    resources.
  • Windows 2000 Server uses DDNS.
  • Active Directory completely separates the logical
    structure of the domain hierarchy from the
    physical structure.
  • The schema contains a formal definition of the
    contents and structure of Active Directory.
  • The Active Directory schema is extensible.

57
Chapter Summary (Cont.)
  • In a contiguous namespace, the name of the child
    object in an object hierarchy always contains the
    name of the parent domain.
  • In a disjointed namespace, the name of the parent
    object and the name of a child object are not
    directly related.
  • The Global Catalog contains select information
    about every object in all domains in the
    directory.
  • Active Directory uses a variety of naming
    conventions
      • DN
      • RDN
      • GUID
      • UPN