CHAPTER 1
LEARNING OUTCOMES
At the end of this chapter, students will be able to:
1. Understand Active Directory objects and components.
2. Understand the logical and physical structure.
Slide 2 of 41
TOPIC OUTLINES
1.1 Active Directory Overview
    1.1.1 AD Objects and Attributes
    1.1.2 AD Definitions
    1.1.3 Attributes
    1.1.4 Classes
1.2 Active Directory Components
    1.2.1 Logical Hierarchical Structure
    1.2.2 Logical Structure
    1.2.3 Use OUs to Handle Administrative Tasks
1.3 Domain Tree
    1.3.1 Forest of Trees
    1.3.2 Sites
1.4 Understanding Active Directory Concepts
    1.4.1 Global Catalog is Central Repository
    1.4.2 Key Directory Roles
    1.4.3 Universal Group Membership
    1.4.4 Global Catalog Servers
    1.4.5 Directory Partitions
1.5 A Domain Controller Stores and Replicates
    1.5.1 A Global Catalog Stores and Replicates
    1.5.2 Replication Topology
    1.5.3 Replication Within a Site
    1.5.4 Replication Between Sites
1.6 Two Types of Trust Relationship
    1.6.1 Implicit Two Way Transitive Trust
    1.6.2 Explicit One Way Non Transitive Trust
1.7 DNS Namespace
    1.7.1 Dynamic DNS
1.8 Domain Namespace
    1.8.1 Types of Namespaces
    1.8.2 Domain Namespaces Divided into Zones
    1.8.3 Name Servers
1.9 Distinguished Names and Relative Distinguished Names
    1.9.1 Distinguished Name (DN)
    1.9.2 Relative Distinguished Name (RDN)
    1.9.3 Globally Unique Identifier (GUID)
1.1 Active Directory Overview
Active Directory Objects
Active Directory Components
Logical Structure
Physical Structure
1.1.1 AD Objects and Attributes
1. Resources stored in the directory, such as user data, printers, servers, databases, groups, computers, and security policies, are known as objects.
2. An object is a distinct named set of attributes that represents a network resource.
3. Attributes are characteristics of objects in the directory.
4. Objects are organized in classes, which are logical groupings of objects.
1.1.3 Attributes
1.1.4 Classes
1. Classes are collections of attributes.
2. Classes describe the possible objects that can be created.
3. Classes are also referred to as object classes.
4. Every object is an instance of an object class.
Physical Structure
Logical Structure
1. Resources should be organized in a logical structure that mirrors the logical structure of the organization.
2. Grouping resources logically enables users and administrators to find resources by name rather than by physical location.
3. The network's physical structure is transparent to users.
1.3.2 Sites
1. A site is a combination of one or more IP subnets connected by a highly reliable and fast link, used to localize as much network traffic as possible.
2. Typically, a site has the same boundaries as a LAN.
3. When grouping subnets on the network, combine only those subnets that have fast, inexpensive, and reliable network connections with one another.
4. Available bandwidth of 128 Kbps or greater is sufficient.
5. Sites are not a part of the namespace.
6. Sites contain only computer objects and connection objects used to configure replication between sites.
[Figure: a hub site connected to a branch office site]
1.4 Understanding Active Directory Concepts
Global Catalog
Replication
Trust Relationships
DNS Namespace
Name Servers
Naming Conventions
1.4.1 Global Catalog is Central Repository
1. Enables network logon by providing universal group membership information to a domain controller when a logon process is initiated.
2. Enables finding directory information regardless of which domain in the forest actually contains the data.
If only one domain controller exists in the domain, the domain controller and the global catalog are the same server.
If multiple domain controllers exist on the network, the global catalog is the domain controller configured as such.
If a global catalog is not available when a user initiates a network logon process, the user is able to log on to the local computer only.
1.4.4 Global Catalog Servers
1. The administrator can optionally configure any domain controller or designate additional domain controllers as global catalog servers.
2. When considering which domain controllers to designate as global catalog servers, base the decision on the ability of the network structure to handle replication and query traffic.
3. Additional servers can provide quicker responses to user inquiries, as well as redundancy.
4. Every major site in the enterprise should have at least one global catalog server.
1.4.5 Directory Partitions
Schema Information: Defines the objects that can be created in the directory and the attributes associated with those objects.
Configuration Information: Describes the logical structure of the deployment, containing information such as domain structure or replication topology. Common to all domains in the domain tree or forest.
Domain Data: Describes all of the objects in a domain. Domain-specific and not distributed to any other domains. A subset of the properties for all objects in all domains is stored in the global catalog.
1.5 A Domain Controller Stores and Replicates
1. Schema information for the domain tree or forest.
2. Configuration information for all domains in the domain tree or forest.
3. All directory objects and properties for its domain.
4. A subset of the properties of all objects in the domain (replicated to the global catalog).
1.5.1 A Global Catalog Stores and Replicates
1. Schema information for a forest.
2. Configuration information for all domains in a forest.
3. A subset of the properties for all directory objects in the forest (replicated between global catalog servers only).
4. All directory objects and all their properties for the domain in which the global catalog is located.
1.5.3 Replication Within a Site
1. Active Directory automatically generates a topology for replication among domain controllers in the same domain using a ring structure.
2. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers receive the directory updates.
3. The ring structure ensures that at least two replication paths exist from one domain controller to another.
4. Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient.
5. If a domain controller is added to or removed from the network or a site, Active Directory reconfigures the topology to reflect the change.
1.5.4 Replication Between Sites
1. To ensure replication between sites, Active Directory must be customized to replicate information using site links to represent network connections.
2. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance.
3. Information is provided about the replication protocol used, the cost of a site link, the times when the link is available for use, and how often the link should be used.
4. Active Directory uses this information to determine which site link will be used to replicate information.
1.6.1 Implicit Two Way Transitive Trust
1. Trust relationship between parent and child domains within a tree and between the top-level domains in a forest.
2. Established and maintained automatically.
3. A feature of the Kerberos authentication protocol.
4. If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.
1.6.2 Explicit One Way Non Transitive Trust
1. Trust relationship between domains that are not part of the same tree.
2. Bounded by the two domains in the trust relationship and does not flow to any other domains in the forest.
3. This is the only form of trust possible with:
   I. A Microsoft Windows 2003 domain and a Windows NT domain.
   II. A Windows 2003 domain in one forest and a Windows 2003 domain in another forest.
   III. A Windows 2003 domain and an MIT Kerberos V5 realm.
1.7 DNS Namespace
Active Directory is primarily a namespace, a bounded area in which a name can be resolved. Name resolution is the process of translating a name into some object or information that the name represents. The Active Directory namespace is based on the DNS naming scheme. Private networks use DNS extensively to resolve computer names and to locate computers within their local networks and the Internet.
1.8.1 Types of Namespaces
Contiguous namespace: The name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace.
Disjointed namespace: The names of a parent object and a child of the same parent object are not directly related to one another. A forest is a disjointed namespace.
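The contiguous rule is a purely lexical test on DNS names: a child's name must end with its parent's name. The following added example (not code from the slides) applies that test to a constructed list of domain names to find the tree roots, group the domains into trees, and label the whole set contiguous (one tree) or disjointed (a forest of trees); the domain names used are hypothetical.

```python
def is_child_of(child, parent):
    """True when `child` sits under `parent` in the DNS hierarchy, i.e. the
    child's name contains the parent's name as a suffix (the contiguous rule).
    The leading dot stops 'notcontoso.com' matching 'contoso.com'."""
    return child.lower().endswith("." + parent.lower())


def parent_domain(domain, domains):
    """Nearest ancestor of `domain` among `domains`, or None for a tree root."""
    ancestors = [d for d in domains if is_child_of(domain, d)]
    return max(ancestors, key=len) if ancestors else None


def namespace_roots(domains):
    """Domains with no parent in the set: exactly one per tree."""
    return sorted(d for d in domains if parent_domain(d, domains) is None)


def trees(domains):
    """Group the domains by the tree root whose name they contain."""
    groups = {root: [] for root in namespace_roots(domains)}
    for d in domains:
        for root in groups:
            if d == root or is_child_of(d, root):
                groups[root].append(d)
    return {root: sorted(members) for root, members in groups.items()}


def classify_namespace(domains):
    """'contiguous' for a single tree, 'disjointed' for a forest of trees."""
    roots = namespace_roots(domains)
    return ("contiguous" if len(roots) == 1 else "disjointed"), roots


# Constructed domain lists (hypothetical names, not from the slides)
TREE = ["contoso.com", "corp.contoso.com", "sales.corp.contoso.com"]
FOREST = TREE + ["fabrikam.com", "eu.fabrikam.com"]

if __name__ == "__main__":
    print(classify_namespace(TREE), trees(TREE))
    print(classify_namespace(FOREST), trees(FOREST))
```

The three contoso.com names form one tree and are classified contiguous; adding fabrikam.com and its child produces two roots whose names share nothing, so the set is a forest and therefore a disjointed namespace, even though each tree inside it is still contiguous.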
1.8.3 Name Servers
1. A DNS name server stores the zone database file.
2. Name servers store data for one zone or multiple zones.
3. Name servers have authority for the domain namespace that the zone encompasses.
1.9.1 Distinguished Name (DN)
1. Uniquely identifies an object and contains sufficient information for a client to retrieve the object from the directory.
2. Includes the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.
3. Must be unique.
1.9.2 Relative Distinguished Name (RDN)
1. The part of the name that is an attribute of the object itself.
2. Duplicate RDNs are allowed for Active Directory objects, but two objects with the same RDN cannot exist in the same OU.
3. Objects with duplicate RDNs can exist in separate OUs because they have different DNs.
1.9.3 Globally Unique Identifier (GUID)
1. A 128-bit number that is guaranteed to be unique across all domains.
2. Assigned to an object when the object is created.
3. Never changes, even if the object is moved or renamed.
4. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.
5. Objects can be moved from domain to domain, and they will still have a unique identifier.
Trust Relationship