
Active Directory Fundamentals

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

What Will We Cover?

Active Directory concepts

Domains, trees, forests

Domain controllers, sites

Domain Naming Service

Replication

Operations masters

What Is a Directory Service?

A service that helps track and locate objects on a network.

Diagram: Active Directory Management, with Workstations, Services, Files and Users as the managed objects.

What's a directory service?

A directory service is a container that provides a hierarchical structure and allows objects to be stored for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.

Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it was stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.

A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.

Earlier, a typical user could also have more than one user account and password, and as the network grew, the number of usernames and passwords grew with it: one for the file server, one for the email server, and so on.

Active Directory Domains

Diagram: the domain CONTOSO.COM.

A domain is the:

Boundary of policies

Boundary of authentication

Boundary of replication

Active Directory

Active Directory is Microsoft’s answer to directory services and it does a lot more than just locating resources.

Active Directory takes care of the multiple-credential problem by using Kerberos authentication and Single Sign-On (SSO). SSO means the ability of Kerberos to give a user one set of credentials and grant them access to a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket, with which the user gains access to the resources and services that support Kerberos.

Active Directory also makes user management easier, as it acts as a single repository for all of this user and computer related information.

History of Directory Service

The forerunner of today's directory services is the X.500 specification, which emerged from the International Telecommunication Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique).

X.500 sits at the Application layer of the OSI model. X.500 contains several component databases that work together as a single entity.

The primary database is the Directory Information Base (DIB), which stores information about the objects. The major limitation of X.500 was its lack of integration with the Internet Protocol (IP).

The protocol it used was the Directory Access Protocol (DAP). DAP offered more functionality than is required for implementing directory services, so a scaled-down version, the Lightweight Directory Access Protocol (LDAP), was created. LDAP was later adopted as a standard by the Internet Engineering Task Force (IETF).

Advantage of LDAP

LDAP relies on the TCP/IP stack rather than the OSI stack.

It integrates with IP and enables IP clients to use LDAP to query directory services.

LDAP can perform hyper-searches, giving one directory the ability to defer to another to provide the requested data.

LDAP's API is C-based.

Like X.500, LDAP uses an inverted-tree hierarchical structure.

LDAP supports Kerberos authentication, the Simple Authentication and Security Layer (SASL), and Secure Sockets Layer (SSL).

SASL is a framework for authentication and data security in Internet protocols.

Back to Active Directory

AD is Microsoft’s answer to directory services and it does a lot more than just locating resources.

AD uses LDAP as its access protocol.

AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries.

Let's look at Active Directory in more detail.

Naming Conventions

AD contains information about objects in your enterprise.

These objects can be computers, users, printers etc.

AD is a container with nested containers holding other containers or objects.

We name these containers and objects so that they are easy to query or search.

Requirement of DNS

The DNS server must support:

Service (SRV) resource records

The dynamic update protocol specified by RFC 2136

AD relies on DNS as its primary locator service, although DNS is not the only mechanism for locating domain controllers (DCs). A domain controller is a server that has Active Directory installed. When a domain controller starts:

It registers both its DNS name and its NetBIOS name (more on NetBIOS names later).

It adds LDAP-specific SRV records to DNS, which enable LDAP clients to locate DCs through DNS queries.

It also adds Kerberos-specific SRV records, which enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service.

Each DC also adds an A record, which enables clients that do not support SRV records to locate the DC through a simple host record lookup. This can be disabled if required.
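The following is an added example, not code from the slides: it shows how a client turns the SRV and A records a domain controller registers into an ordered list of DCs to contact. The SRV owner names follow the _msdcs naming convention that DCs register; the record data (contoso.com, dc1 to dc3, the London site, the 10.0.0.x addresses) is a constructed sample zone, not a real one. Python is used instead of PowerShell so the logic can be run and checked without a domain; the priority/weight ordering implements RFC 2782.

```python
"""Added example (not part of the slide deck): resolving a domain controller
from the SRV and A records it registers in DNS. The zone below is constructed
sample data; record names follow the _msdcs convention DCs use."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is preferred (RFC 2782)
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host name of the server offering the service


# Constructed sample zone for contoso.com after three DCs have registered.
# dc3 carries a higher priority value, i.e. it is only a fallback.
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.dc._msdcs.contoso.com": [
        SrvRecord(0, 100, 389, "dc1.contoso.com"),
        SrvRecord(0, 100, 389, "dc2.contoso.com"),
        SrvRecord(10, 100, 389, "dc3.contoso.com"),
    ],
    # Site-specific record: only dc2 sits in the (constructed) London site.
    "_ldap._tcp.London._sites.dc._msdcs.contoso.com": [
        SrvRecord(0, 100, 389, "dc2.contoso.com"),
    ],
    "_kerberos._tcp.dc._msdcs.contoso.com": [
        SrvRecord(0, 100, 88, "dc1.contoso.com"),
        SrvRecord(0, 100, 88, "dc2.contoso.com"),
    ],
}
# A records registered by the same DCs, for clients without SRV support.
SAMPLE_A: Dict[str, str] = {
    "dc1.contoso.com": "10.0.0.11",
    "dc2.contoso.com": "10.0.0.12",
    "dc3.contoso.com": "10.0.0.13",
}


def srv_name(service: str, domain: str, site: Optional[str] = None) -> str:
    """Build the SRV owner name a client queries for a service (ldap, kerberos)."""
    if site:
        return f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_{service}._tcp.dc._msdcs.{domain}"


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: ascending priority, then a
    weighted random draw within each priority group."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate_dc(service: str, domain: str, site: Optional[str] = None,
              srv_zone: Dict[str, List[SrvRecord]] = SAMPLE_SRV,
              a_zone: Dict[str, str] = SAMPLE_A,
              seed: int = 0) -> List[Tuple[str, int, str]]:
    """Return (host, port, ip) candidates, most preferred first. The
    site-specific name is tried first; if the client's site has no record,
    fall back to the domain-wide name. An empty list means no DC was found."""
    rng = random.Random(seed)
    names = [srv_name(service, domain)]
    if site:
        names.insert(0, srv_name(service, domain, site))
    for name in names:
        records = srv_zone.get(name)
        if records:
            return [(r.target, r.port, a_zone.get(r.target, ""))
                    for r in order_srv(records, rng)]
    return []


if __name__ == "__main__":
    for host, port, ip in locate_dc("ldap", "contoso.com", site="London"):
        print(f"{host}:{port} ({ip})")
```

A client in a site without its own record (for example a "Paris" site that no DC has registered) falls back to the domain-wide record set and will pick dc1 or dc2 before dc3; a client whose SRV lookups fail entirely gets an empty list and would be the case the A record is meant to cover.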

Active Directory Database

The Extensible Storage Engine (ESE) database comprises tables that define the structure of the directory.

The database layer has three partitions that define the contents of AD, with an optional fourth partition.

Active Directory Partitions

Schema Partition

This stores the Active Directory schema. The schema defines what types of objects can be created in the directory, how those objects relate to one another, what the mandatory and optional attributes of each object are, and how such objects can be created.

Configuration Partition

This contains the configuration of AD.

Domain Partition

This partition stores the directory objects.

Application Partition

This is an optional fourth partition that an administrator can create.

Active Directory Schema

The Active Directory schema defines what types of objects can be created in the directory.

It defines how those objects relate to one another, and what the mandatory and optional attributes of each object are.

It also defines how such objects can be created.

The schema must be updated whenever you need to create a new type of object or add anything that requires a new attribute.

Domain, Tree and Forest

AD Domain

Objects created in AD are grouped into domains.

The objects of a single domain are stored in a single database (which can be replicated).

AD Domain Tree

A tree is a collection of one or more domains.

AD Forest

A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

Active Directory Trees

Diagram: the tree CONTOSO.COM with its child domain US.CONTOSO.COM and grandchild domain OHIO.US.CONTOSO.COM; the domains share a schema, configuration and global catalog.

Transitive Trusts

Diagram: CONTOSO.COM with its child domains UK.CONTOSO.COM and US.CONTOSO.COM, linked by transitive trusts.

Active Directory Forests

Diagram: a forest of two trees, CONTOSO.COM (with US.CONTOSO.COM) and FABRIKAM.COM (with UK.FABRIKAM.COM), sharing a global catalog, schema and configuration.

Demo

Reviewing Domains and Trusts

Organizational Units

Diagram: the domain CONTOSO.COM containing the organizational units OU Admin, OU Security and OU Policy.

Organized for:

• Administration

• Same requirements

• Delegation

• Group Policy

• Configuration

• Security

Organizational Unit Applications

Diagram: organizational units built around departments (Sales Department, Marketing Department), locations (London, New York) and hardware devices (Desktops, Printers).
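The naming conventions slide says containers and objects are named so they can be queried, and the organizational unit slides show objects nested in OUs by department, location or device type. The following is an added example, not code from the slides, that ties the two together: it parses an LDAP distinguished name (DN), the naming convention AD uses for objects in nested containers, and recovers the domain, the OU path from the top down and the leaf object. Escaping follows RFC 4514; the sample DNs (contoso.com, OU=London, OU=Sales) are constructed.

```python
"""Added example (not part of the slide deck): parsing LDAP distinguished
names into the container path a search would walk. RFC 4514 escaping is
handled; multi-valued RDNs joined with '+' are not. Sample DNs are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rdn:
    attr: str   # naming attribute, e.g. CN, OU or DC
    value: str  # unescaped value


def _unescape(raw: str) -> str:
    """Undo RFC 4514 escaping: '\\' + special char, or '\\' + two hex
    digits (one UTF-8 byte)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt in ' ,+"\\<>;=#':
                out += nxt.encode("utf-8")
                i += 2
                continue
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            raise ValueError(f"bad escape at offset {i} in {raw!r}")
        out += ch.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[Rdn]:
    """Split a DN into RDNs, leaf first. Escaped commas do not split."""
    if not dn.strip():
        return []
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape intact for _unescape
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns: List[Rdn] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append(Rdn(attr.strip().upper(), _unescape(value.strip())))
    return rdns


def container_path(dn: str) -> Tuple[str, List[Rdn], Rdn]:
    """Return (DNS domain, containers top-down, leaf object) for a DN."""
    rdns = parse_dn(dn)
    if not rdns:
        raise ValueError("empty DN")
    domain = ".".join(r.value for r in rdns if r.attr == "DC")
    containers = [r for r in rdns[1:] if r.attr != "DC"]
    containers.reverse()
    return domain, containers, rdns[0]


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,OU=London,DC=contoso,DC=com"
    domain, path, leaf = container_path(sample)
    print(domain, [f"{r.attr}={r.value}" for r in path], leaf)
```

The comma in "Doe, Jane" is escaped in the DN and must not split the name, which is why the splitter skips escape sequences instead of splitting on every comma; a naive split would place the object in a non-existent container.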

Demo

Using Organizational Units

Review Organizational Units

Create New Organizational Units

Domain Controllers

Diagram: Windows NT 4.0 with one PDC and two BDCs, compared with Windows Server 2003 with three DCs.

Active Directory Sites

Diagram: Site A and Site B connected by a WAN link.

Sites used to:

• Locate services

• Optimize replication

• Define policies

Sites and Domains

Diagram: Site A and Site B spanning the domains US.CONTOSO.COM and CONTOSO.COM.

Global Catalog

Spans all domains

Contains object attributes

Used for searches

Exists on domain controllers

Demo

Using Sites and Global Catalogs

Create a Site

Review Global Catalog Settings

Choose Global Catalog Attributes

Agenda

Logical Concepts of Active Directory

Physical Concepts of Active Directory

DNS in 10 Minutes

Overview of Active Directory Replication

The role played by Operations Masters

DNS

The Domain Naming System locates network services and resources.

Diagram: DNS request process. The DC registers its IP addresses and SRV records with the DNS server; a client sends the requested service and its site information to the DNS server and receives the matching IP addresses. Both sides cache the results.

DNS Systems and Requirements

Table: DNS servers (BIND 8.1.2, Windows NT, Windows Server 2003, Windows Server 2008) compared on Dynamic Update*, AD Integration, Secure Update and SRV Records*.

* Required for Active Directory

DNS Migration

• Upgrade to BIND 9.x

• Upgrade to Microsoft DNS

• Delegate to Microsoft DNS

Demo

Working with DNS

Review DNS Zones

Review Host Records and Dynamic Update

Replication Scope

Across domain:

• Domain NC

Across forest:

• Schema NC

• Configuration NC

More Replication Scope

Intersite (compressed)

Intrasite (token ring)

Demo

Working with Replication

Enable Replication

Review Replication