Installation
Overview of Active Directory
Directory service included in Windows Server.
Stores information about network objects and makes the information available to administrators, users, and applications.
Provides a single point of network management, allowing people to add, remove, and relocate users and resources easily.
1)
2)
3)
4)
5)
(diagram 1)
2) Flexible querying
Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using object properties.
For example, one can find a user by first name, last name, e-mail name, office location, or other properties of that person's user account.
3) Information security
Protects network objects from unauthorized access and replicates objects across the network so that data is not lost if one domain controller fails.
4) Simplified administration
Since all domain controllers in the domain are equal, changes made to one domain controller are replicated to all other domain controllers in the domain, providing a single point of administration for all objects on the network.
5) Scalability
With one or more domain controllers, Active Directory enables you to scale the directory to meet any network requirement. Multiple domains can be combined into a domain tree, and multiple domain trees can be combined into a forest.
How is it structured?
Active Directory
Objects
The entities that make up a network.
A distinct, named set of attributes that represents something concrete, e.g. a user.
A globally unique identifier (GUID) is assigned to the object when it is created.
Schema
A description of the object classes and of the attributes for those object classes.
Every Active Directory object is an instance of an object class. Each attribute is defined only once and can be used in multiple classes.
Globally useful
Not volatile
Small
Object Naming Conventions
Security principal names
Security identifier
LDAP-related names
Object GUIDs
Logon names
LDAP-related Names
LDAP defines what operations can be performed in order to query and modify information in a directory, and how information in a directory can be securely accessed.
Three object-naming formats are based on the LDAP distinguished name:
LDAP DN and RDN names
LDAP URLs
LDAP-based canonical names
Example:
User = John
Country = USA (forest)
State = CA (tree)
City = Rosemead (domain)
Department = Marketing (OU)
LDAP DN Name:
cn=John,ou=Marketing,dc=Rosemead,dc=CA,dc=USA
Canonical Name:
CA.USA.com/Rosemead/Marketing/John
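The DN-to-canonical-name mapping as an added example (this is not code from the slides): it splits an RFC 4514 DN on unescaped commas, joins the dc= components into a dotted domain name and lists the remaining RDN values root to leaf. The rule applied is Microsoft's documented canonical-name format, stated here as an assumption; the sample DNs under example.com are constructed.

```python
# Added example (not from the slides): LDAP DN -> Active Directory canonical name.
# Rule assumed (Microsoft's documented canonical-name format): the dc= components,
# read leaf to root, form a dotted DNS name; the other RDN values then follow
# root to leaf, separated by "/".
from typing import List, Tuple


def _parse_rdn(rdn: str) -> Tuple[str, str]:
    """'ou=Marketing' -> ('ou', 'Marketing'); the attribute type is lower-cased."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip().lower(), value.strip()


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, leaf first.
    A backslash escapes the next character, so 'Doe\\, John' stays one value."""
    rdns: List[Tuple[str, str]] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":                 # an unescaped comma ends the current RDN
            rdns.append(_parse_rdn(buf))
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        rdns.append(_parse_rdn(buf))
    return rdns


def dn_to_canonical(dn: str) -> str:
    """cn=John,ou=Marketing,dc=rosemead,dc=example,dc=com -> rosemead.example.com/Marketing/John"""
    parts = split_dn(dn)
    domain = ".".join(v for a, v in parts if a == "dc")
    if not domain:
        raise ValueError("DN has no dc= components, so no domain name can be formed")
    path = [v for a, v in parts if a != "dc"]   # leaf first ...
    path.reverse()                               # ... so reverse to root-to-leaf order
    return "/".join([domain] + path)
```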
Object Publishing
Publishing is the act of creating objects in the directory that either directly contain the information you want to make available or provide a reference to it.
Share Publishing
Printer Publishing
When to Publish
Relatively static: publish only information that changes infrequently.
Structured: publish information that is structured and can be represented as a set of discrete attributes.
How to Publish
Remote Procedure Call (RPC)
Windows Sockets
Distributed Component Object Model (DCOM)
Administrative boundaries
Used to replicate information, apply group policy, structure the network, and delegate administrative authority:
Domains
Trees
Forests
Trusts
And OUs (organizational units)
Tree
Forests
Figure 4 One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQRoot.com.
Trust Relationships
Transitive
Two-way
Shortcut trusts
External trusts
Organizational Units
Domain and OU Delegation
Domain Common Tasks You Can Delegate
Security Permission
Authenticated User
Domain Administrators
Enterprise Administrators
Creator Owner Local System
Group Policy
Group Policy (GP) defines a variety of user environments that administrators can manage. GP configurations apply to computers. GP settings apply to users and computers in sites, domains and OUs.
Group Policy Components:
Registry based policies
Security options
Software deployment options
Scripts
Redirections to special folders
Group Policy
GP affects all users and computers in the linked container unless administrators explicitly change permissions. By using security groups, policies can be applied specifically to sets of objects within a container. Within security groups, Group Policy Objects (GPOs) determine the following for specific containers:
Using security groups to represent the business organizational structure is more efficient than using domains or organizational units for administration.
Policy settings applied domain-wide, or to OUs containing other OUs, are inherited by child containers unless inheritance is otherwise specified.
Interoperability
Active Directory (AD) supports a number of standards to ensure interoperability of the Windows 2000 environment with other vendors' systems (Novell, Unix).
The following are supported by Active Directory:
Lightweight Directory Access Protocol (LDAP), which is an industry standard for directory access. This protocol is on the Internet Engineering Task Force (IETF) standards track to become an Internet standard.
o LDAP is used to add, modify, delete and query information stored in AD.
o LDAP is to AD as SQL is to Oracle.
o LDAP determines how a client can access the directory, which operations are available within the directory, and how directory data is shared.
LDAP Data Interchange Format Directory Exchange (LDIFDE):
Usage:
Perform batch operations such as add, delete, rename, modify.
Can also be used to back up or extend the schema.
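An added example, not from the slides, of producing the LDIF change records that an LDIFDE-style batch import consumes for add, modify and delete operations; the entries and DNs are constructed. The case worth seeing is the RFC 2849 rule that a value which starts with a space, ':' or '<', or contains a non-ASCII or control character, must be base64-encoded after '::'.

```python
# Added example (not from the slides): build LDIF change records of the kind an
# LDIFDE-style batch tool imports. Per RFC 2849 a value that starts with a space,
# ':' or '<', or contains a character outside printable ASCII, must be base64-
# encoded and written after "::"; hand-written LDIF commonly gets this wrong.
import base64
from typing import Dict, List, Sequence, Tuple


def _is_safe(value: str) -> bool:
    """True when the value may appear in plain 'attr: value' form."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(32 <= ord(c) < 127 for c in value)


def ldif_attr(name: str, value: str) -> str:
    """One attribute line, base64-encoded when the value is not LDIF-safe."""
    if _is_safe(value):
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def ldif_add(dn: str, attrs: Dict[str, Sequence[str]]) -> str:
    """Record that creates a new entry with the given multi-valued attributes."""
    lines = [ldif_attr("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        lines.extend(ldif_attr(name, v) for v in values)
    return "\n".join(lines) + "\n"


def ldif_modify(dn: str, ops: List[Tuple[str, str, Sequence[str]]]) -> str:
    """Record with one or more (op, attribute, values) changes; op is
    add, replace or delete. Each change is terminated by a '-' line."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, name, values in ops:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation {op!r}")
        lines.append(f"{op}: {name}")
        lines.extend(ldif_attr(name, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_delete(dn: str) -> str:
    """Record that removes the entry at dn."""
    return ldif_attr("dn", dn) + "\nchangetype: delete\n"
```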
Summary
Active Directory helps centralize and simplify network manageability and provides the necessary resources to support the organization's objectives.
AD stores information about network objects and makes the information available to administrators, users and applications.
Interacts with the Domain Name System (DNS) by providing a name space that defines all objects.
Uses domains, trees, forests, trust relationships, organizational units, and sites to structure the network and its objects.
Administrative tasks for managing OUs, domains and sites can be delegated to the appropriate support groups.
AD is built on standard directory access protocols and, along with APIs, can access other directory services to expand its flexibility.
Data can be exported or imported as required.
Glossary
Active Directory
An enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated at the operating-system level. Active Directory simplifies administration and makes it easier for users to find resources. Active Directory provides a wide range of features and capabilities, including group policy, scalability without complexity, support for multiple authentication protocols, and the use of Internet standards.
Active Directory Service Interfaces (ADSI)
ADSI is a directory service model and a set of Component Object Model (COM) interfaces. It enables Windows 95, Windows 98, Windows NT, and Windows 2000 applications to access several network directory services, including Active Directory. It is supplied as a Software Development Kit (SDK).
Asynchronous Transfer Mode (ATM)
ATM is a high-speed, connection-oriented protocol designed to transport multiple types of traffic across a network. It is applicable to both local area networks (LANs) and wide area networks (WANs). Using ATM, your network can simultaneously transport a wide variety of network traffic: voice, data, image, and video.
Dynamic Host Configuration Protocol (DHCP) with Domain Name System (DNS) and Active Directory
DHCP works with DNS and Active Directory on Internet Protocol (IP) networks, freeing you from assigning and tracking static IP addresses. DHCP dynamically assigns IP addresses to computers or other resources connected to an IP network.
Indexing Service
Indexing provides a fast, easy, and secure way for users to search for information locally or on the network. Users can use powerful queries to search files in different formats and languages, either through the Start menu Search command or through Hypertext Markup Language (HTML) pages that they view in a browser.
Internet Authentication Service (IAS)
IAS provides you with a central point for managing authentication, authorization, accounting, and auditing of dial-up or Virtual Private Network users. IAS uses the Internet Engineering Task Force (IETF) protocol called Remote Authentication Dial-In User Service (RADIUS).
Internet Information Services (IIS) 5.0
The powerful features in Internet Information Services (IIS), a part of Microsoft Windows 2000 Server, make it easy to share documents and information across a company intranet or the Internet. Using IIS, you can deploy scalable and reliable Web-based applications, and you can bring existing data and applications to the Web. IIS includes Active Server Pages and other features.
Lightweight Directory Access Protocol (LDAP) support
LDAP, an industry standard, is the primary access protocol for Active Directory. LDAP version 3 was defined by the IETF.
Terminal Services
The Windows 2000 Server family offers the only server operating systems that integrate terminal emulation services. Using Terminal Services, a user can access programs running on the server from a variety of older devices. For example, a user could access a virtual Windows 2000 Professional desktop and 32-bit Windows-based applications from hardware that couldn't run the software locally. Terminal Services provides this capability for both Windows and non-Windows-based client devices.
Virtual Private Network (VPN)
You can allow users ready access to the network even when they're out of the office, and reduce the cost of this access, by implementing a VPN. Using VPNs, users can easily and securely connect to the corporate network. The connection is through a local Internet Service Provider (ISP), which reduces connect-time charges. With Windows 2000 Server, you can use several new, more secure protocols for creating Virtual Private Networks, including L2TP, a more secure version of PPTP (L2TP is used for tunneling, address assignment, and authentication), and IPSec, a standards-based protocol that provides the highest levels of VPN security. Using IPSec, virtually everything above the networking layer can
END