Introduction to Active Directory Directory Services

1
Introduction to Active Directory Directory
Services

• Uniquely identify users and resources on a
  network
• Provide a single point of network management

2
What Are Active Directory Directory Services?

• The directory service included with Microsoft
  Windows 2000 Server products
• A directory service is a network service.
• A directory service identifies all resources on a
  network.
• A directory service makes all resources available.

3
What Are Active Directory Directory Services?
(continued)

• Active Directory directory services include the
  Directory.
• The Directory stores information about network
  resources.
• Resources stored in the Directory are referred to
  as objects.

4
Simplified Administration

• Active Directory directory services organize
  resources hierarchically in domains.
• A domain is a logical grouping of servers
  andother network resources under a single domain
  name.
• A domain is the basic unit of replication and
  security.
• A domain includes at least one domain controller.

5
Simplified Administration (continued)

• Active Directory directory services provide
• A single point of administration for all objects
  on the network
• A single point of logon for all network resources

6
Scalability

• The Directory stores information by organizing
  itselfinto sections that permit storage for a
  huge number of objects.
• The Directory can expand to meet the needs of
• Small installations with one server and a few
  hundred objects.
• Huge installations with hundreds of servers and
  millions of objects.

7
Open Standards Support

• Active Directory directory services
• Integrate the Internet concepts of a
  namespacewith the Windows 2000 directory service
• Allow you to unify and manage multiple namespaces
• Use DNS for its name system
• Exchange information with any application
  ordirectory that uses LDAP or HTTP

8
Domain Name System

• DNS is the domain naming and locator service for
  Active Directory.
• Windows 2000 domain names are also DNS names.
• Windows 2000 Server uses dynamic DNS (DDNS).
• Clients can update the DNS table dynamically.
• DDNS eliminates the need for other naming
  services.

9
Support for LDAP and HTTP

• LDAP is an Internet standard for accessing
  directory services.
• HTTP is the standard protocol for displaying
  pages on the World Wide Web.
• You can display every object in Active Directory
  as an HTML page in a Web browser.

10
Support for Standard Name Formats
RFC 822 somename_at_domain.com
HTTP URL http//domain/path-to-page
UNC \\microsoft.com\xl\budget.xls
LDAP URL LDAP//someserver.microsoft.com/CNFirstnameLastname,OUsys,OUproduct,OUdivision,DCdevel
11
Logical Structure

• The logical structure is separate from the
  physical structure.
• Organize resources in a logical structure.
• Find a resource by its name rather than its
  physical location.
• The networks physical structure is transparent
  to the users.

12
Objects
13
Organizational Units
14
Domain

• The domain is the core unit of logical structure.
• All network objects exist within a domain.
• A domain stores information about only the
  objects that it contains.
• A practical limit to the number of objects in a
  domain is 1 million.

15
A Domain Is a Security Boundary

• Access to domain objects is controlled by ACLs.
• ACLs contain the permission associated with
  objects.
• ACLs control which users can gain access to an
  object.
• ACLs control which type of access users can gain
  to the objects.
• Security policies and settings do not cross from
  one domain to another.
• A domain administrator has absolute rights to set
  policies only within that domain.

16
Tree

• A tree is a grouping of one or more Windows 2000
  domains.
• All domains within a single tree share a
  contiguous namespace.
• The domain name of a child domain is the relative
  nameof that child domain appended with the name
  of the parent domain.
• All domains within a single tree share a common
  schema.
• All domains within a single tree share a common
  global catalog.

17
Forest

• A forest is a grouping of one or more domain
  trees.
• The trees in a forest form a disjointed
  namespace.
• All trees in a forest share a common schema.
• Trees in a forest have different naming
  structures.
• All domains in a forest share a common global
  catalog.
• Domains in a forest operate independently.

18
Sites

• The physical structure is based on sites.
• A site is a combination of one or more IP
  subnets.
• Typically a site has the same boundaries as a
  LAN.
• Sites are not part of the logical namespace.
• Sites contain computer objects and connection
  objects.

19
Replication Within a Site

• The Active Directory directory services include a
  replication feature.
• Replication ensures that changes to a domain
  controllerare reflected by all domain
  controllers within a domain.

20
Functions of Domain Controllers in a Domain

• Store a complete copy of all Active Directory
  information
• Replicate all objects in the domain to each other
  automatically
• Replicate certain important updates immediately
• Use multimaster replication
• Provide fault tolerance
• Manage all aspects of user domain interactions

21
Ring Topology for Replication
22
Schema

• Contains a formal definition of the contents
  andstructure of Active Directory directory
  services
• Defines attributes for each object class

23
Default Schema

• Created by installing Active Directory on first
  computer in a new forest
• Contains definitions of commonly used objects and
  properties
• Contains definitions of objects and properties
  used by Active Directory

24
Extensible Schema

• You can define new directory object types and
  attributes.
• You can define new attributes for existing
  objects.
• You can extend the schema
• By using LDAP Data Interchange Format (LDIF)
  scripts.
• Programmatically or by using the Active Directory
  Services Interface (ADSI).
• By using the Active Directory Schema snap-in.
• The schema is stored in the global catalog and
  can be updated dynamically.

25
Global Catalog
26
Global Catalog Servers

• Installing Active Directory on the first computer
  in a newforest makes that domain controller a
  global catalog server.
• The Active Directory Sites and Services snap-in
  allows you to designate additional global catalog
  servers.
• More global catalog servers means more
  replication traffic.
• More global catalog servers can provide quicker
  responses.
• Every major site should have a global catalog
  server.

27
Namespace
28
Naming Conventions

• Every object in Active Directory is identified by
  a name.
• Active Directory uses a variety of naming
  conventions.

29
Distinguished Name

• Every object has a distinguished name (DN).
• The DN uniquely identifies the object.
• The DN contains sufficient information for a
  client to retrieve the object.
• The DN includes the name of the domain that holds
  the object.
• The DN includes the complete path to the object.

30
Relative Distinguished Name
31
Globally Unique Identifier

• A globally unique identifier (GUID) is a 128-bit
  number that is guaranteed to be unique.
• GUIDs are assigned when the object is created.
• The GUID for an object never changes.
• Applications use GUIDs to retrieve objects
  regardless of current DNs.

32
User Principal Name

• User accounts have a friendly name, the user
  principal name (UPN).
• The UPN is composed of the shorthand name for the
  user account and the DNS name of the tree where
  the user account object resides.