Slide 2: What is Active Directory?
- Microsoft's new Directory Service
- Called: ADS, NTDS
- Successor to LAN Manager Domains
- Goals:
  - Open standards
  - High scalability
  - Simplified administration
  - Compatibility with existing Windows NT systems and applications

Slide 3: Open Standards
- LDAP: low-level API to Active Directory
- X.500: Active Directory structure (not fully standard-compliant)
- DNS: resource location; extensions, e.g. "Dynamic DNS"
- Kerberos: authentication

Slide 4: Active Directory Structure
- Hierarchical
- Base object: Domain
- Domain, Tree, Forest
- [Diagram: Forest containing Trees of Domains; OUs nested inside Domains; Objects inside OUs]

Slide 5: Which objects does Active Directory contain?
- "Old friends": User, Group, Computer
- New elements: Distribution Lists, System Policies, application-defined custom objects
- Described in the Schema

Slide 6: What is the Schema?
- Definition of all AD object types (classes), attributes and data types (syntaxes)
- Can be compared to a database schema
- ONE consistent schema inside a single forest
- Extensible

Slide 7: What is a Domain?
- AD base element (building block)
- NT 4 compatible
- Physically implemented on Domain Controllers (DC)
- Border for: replication traffic, system policies, administration
- [Diagram: sample domain Firma.de]

Slide 8: What is an Organizational Unit (OU)?
- Implements a structure inside a domain
- Can be nested as needed
- Cannot be assigned any rights
- Typically used for administrative reasons, e.g. system policies
- [Diagram: OUs LA and New York, each containing the OUs Admin and Sales]

Slide 9: What is a Tree?
- Hierarchical domain structure inside a single namespace: adiscon.com, la.adiscon.com, ny.adiscon.com
- Transitive trusts created automatically
- Sub-domain must be added to the root domain, otherwise there will be no tree!
- [Diagram: tree with root adiscon.com and child domains la.adiscon.com and ny.adiscon.com]

Slide 10: What is a Forest?
- Combination of trees
- Disjoint namespaces: adiscon.de, adiscon.com
- Transitive trusts created automatically
- There is one single tree root!
- Sub-tree must be added to the root tree, otherwise no forest will be created

Slide 11: The Tree Root
- First domain installed
- Single schema
- Absolutely vital!
- [Diagram: Forest containing Trees of Domains; OUs nested inside Domains; Objects inside OUs]

Slide 12: Modeling the Physical Structure
- Not related to the logical structure
- Modeled via "Sites"
- A site is well connected via fast network links
- One site can be home to multiple domains
- One domain can spread across many sites
- Domain database is stored on Domain Controllers

Slide 13: Sample Site Structure
- Site LA, Site New York
- Logical and physical structure are totally independent of each other!
- [Diagram: Site LA and Site New York; domains adiscon.com and sales.adiscon.com spanning both sites]

Slide 14: Which role can a server have?
- Member Server
- Domain Controller
- Global Catalog
- FSMO: special roles carried out by only a limited set of servers, e.g. PDC Emulator, Schema Master

Slide 15: What is a Domain Controller?
- Stores a physical copy of the Active Directory database
- Currently only a single domain per DC supported!
- ESE95 database (from MS Exchange)
- Logon services: Kerberos, LAN Manager authentication
- Recommendation: always have at least 2 Domain Controllers!

Slide 16: What is a Global Catalog Server?
- Answers AD search queries
- Must be present to successfully log on
- Holds a copy of all objects of the whole forest...
- ...but holds only a subset of the attributes (user definable)
- Recommendation: at least one GC per (larger) site

Slide 17: Multi-Master Replication
- Updates can be applied to ANY Domain Controller
- Will be replicated to every other Domain Controller (inside that domain) within 15 minutes
- Optimized algorithm reduces replication traffic
- Not time based (triggered on demand only)!

Slide 18: Intra-Sites Replication
- All domain databases involved
- Changes are transmitted compressed, via IP (RPC) or SMTP
- SMTP not within a single domain!
- The time at which replication occurs can be configured
- The volume of replication traffic cannot be restricted!
- Keep an eye on GCs!

Slide 19: Mixed vs. Native Mode?
- Mixed Mode (the default) supports coexistence with NT 4:
  - NT 4 BDCs continue to work
  - Enables a "fallback scenario" during migration
- Only Native Mode supports all AD features:
  - More than 40 MB domain database size
  - Mostly problem-free "MoveTree"
  - Universal groups, group nesting
- Once you have switched to Native Mode, there is no way back to Mixed Mode!

Slide 20: Are there still trusts available?
- Old-fashioned NT 4 trusts can still be used: they work like always, with no additional functionality
- Must be used to connect different forests; be careful: no common Global Catalog!
- Shortcut trusts: connect frequently used domains to each other (performance optimization)

Slide 21: Shortcut Trusts
- Domain A users frequently access Domain B's resources
- No change in the logical structure
- [Diagram: forest with Domain A and Domain B in different trees, connected directly by a shortcut trust]
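Slides 9, 10, 20 and 21 describe three kinds of trust: the automatic, transitive parent/child and tree-root trusts inside a forest, the old NT 4 trusts that only connect two domains directly, and shortcut trusts that exist purely to shorten the referral chain between two domains. The following added example (not part of the original deck, and not Adiscon's code) models that as a graph and computes the chain of trusts an authentication referral would have to walk. The domain names adiscon.com, la.adiscon.com, ny.adiscon.com and adiscon.de are taken from the slides; the child domain sales.ny.adiscon.com, the external forest partner.example and the shortcut trust are assumptions made for the example.

```python
from collections import deque

# Sample forest, constructed for this example. The adiscon.* names come from
# the slides; sales.ny.adiscon.com, partner.example and the shortcut are assumed.
TRANSITIVE_TRUSTS = [            # parent/child and tree-root trusts: transitive
    ("adiscon.com", "la.adiscon.com"),
    ("adiscon.com", "ny.adiscon.com"),
    ("ny.adiscon.com", "sales.ny.adiscon.com"),
    ("adiscon.com", "adiscon.de"),          # tree-root trust joining the two trees
]
EXTERNAL_TRUSTS = [              # NT 4-style trust to another forest: not transitive
    ("adiscon.de", "partner.example"),
]


def build_graph(transitive, external):
    """Adjacency map: domain -> {neighbour: True if that trust is transitive}."""
    graph = {}
    for is_transitive, edges in ((True, transitive), (False, external)):
        for a, b in edges:
            graph.setdefault(a, {})[b] = is_transitive
            graph.setdefault(b, {})[a] = is_transitive
    return graph


def trust_path(graph, src, dst):
    """Shortest chain of trusts from src to dst, or None if dst is unreachable.

    Transitive trusts may be chained freely. A non-transitive (NT 4) trust only
    helps when it joins src and dst directly: it does not extend to the child or
    sibling domains of either side, which is why no common Global Catalog exists.
    """
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt, is_transitive in sorted(graph[cur].items()):
            if nxt in prev:
                continue
            if not is_transitive and not (cur == src and nxt == dst):
                continue
            prev[nxt] = cur
            queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def hops(graph, src, dst):
    """Number of trusts crossed on the shortest path (None if unreachable)."""
    path = trust_path(graph, src, dst)
    return None if path is None else len(path) - 1


def with_shortcut(transitive, domain_a, domain_b):
    """Same forest plus a shortcut trust between two frequently used domains."""
    return build_graph(transitive + [(domain_a, domain_b)], EXTERNAL_TRUSTS)


if __name__ == "__main__":
    forest = build_graph(TRANSITIVE_TRUSTS, EXTERNAL_TRUSTS)
    print("without shortcut:", trust_path(forest, "sales.ny.adiscon.com", "adiscon.de"))
    short = with_shortcut(TRANSITIVE_TRUSTS, "sales.ny.adiscon.com", "adiscon.de")
    print("with shortcut:   ", trust_path(short, "sales.ny.adiscon.com", "adiscon.de"))
    print("la -> partner:   ", trust_path(forest, "la.adiscon.com", "partner.example"))
```

Without the shortcut, a user in sales.ny.adiscon.com reaching a resource in adiscon.de is referred through ny.adiscon.com and adiscon.com (three trusts); the shortcut reduces that to one, which is the performance optimization slide 20 refers to. The external trust from adiscon.de is usable only by adiscon.de itself: la.adiscon.com gets no path to partner.example, because the NT 4 trust is not transitive.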
Slide 22: Vital for AD: DNS!
- DNS is Active Directory's locator service
- Without correctly configured DNS there is no working Active Directory!
- Currently the TOP 1 trouble spot
- Can be hosted on non-MS DNS:
  - Minimum BIND version 8.1.2
  - No special characters in computer names
  - Not really an option
- Recommendation: delegate a separate "AD zone" on the non-MS DNS and use MS-DNS for that zone; saves lots of trouble!
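Slide 22 calls DNS the locator service without saying what a client actually asks for. The added example below (written for this page, not taken from the deck or from Adiscon) builds the SRV record names a Windows 2000 client queries to find a domain controller, a Kerberos KDC, the PDC emulator and a Global Catalog, optionally restricted to its own site; it also checks computer names against the host-name rules that older BIND versions enforce, which is the "no special characters" point on the slide, and sorts a set of SRV answers the way a client prefers them. The domain adiscon.com and site LA come from the slides; the host names, the SRV answers and the label `_msdcs`-style subzone list are constructed sample data, and the answer ordering is a deterministic simplification of the weighted random choice a real resolver makes.

```python
import re

# RFC 1123 host-name label: letters, digits and '-', no leading or trailing '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_dns_label(label):
    """True if label is a legal host-name label; underscores and other
    'special characters' fail, which older BIND servers reject."""
    return bool(LABEL_RE.match(label))


def check_computer_names(names):
    """Map each proposed computer name to whether DNS will accept it."""
    return {name: valid_dns_label(name) for name in names}


def locator_records(domain, forest_root, site=None):
    """SRV names a client looks up to locate services for `domain`.

    GC records live under the forest root because the Global Catalog is
    forest-wide; the site-specific names let a client prefer servers in its
    own well-connected site.
    """
    d = domain.lower().strip(".")
    f = forest_root.lower().strip(".")
    records = {
        "any DC (LDAP)":      f"_ldap._tcp.dc._msdcs.{d}",
        "any DC (Kerberos)":  f"_kerberos._tcp.dc._msdcs.{d}",
        "PDC emulator":       f"_ldap._tcp.pdc._msdcs.{d}",
        "any GC":             f"_ldap._tcp.gc._msdcs.{f}",
    }
    if site is not None:
        if not valid_dns_label(site):
            raise ValueError(f"site name {site!r} is not a valid DNS label")
        records["DC in site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
        records["GC in site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{f}"
    return records


def ad_subzones(domain):
    """Subzones AD registers its SRV records in; delegating these (or the whole
    AD zone) to MS-DNS is the recommendation on the slide."""
    d = domain.lower().strip(".")
    return [f"{sub}.{d}" for sub in ("_msdcs", "_sites", "_tcp", "_udp")]


def order_srv_targets(answers):
    """Order SRV answers (priority, weight, port, target) as a client uses them:
    lowest priority first, then higher weight first. A real resolver picks
    randomly in proportion to weight within one priority; this deterministic
    sort is a simplification for the example."""
    return [a[3] for a in sorted(answers, key=lambda a: (a[0], -a[1], a[3]))]


if __name__ == "__main__":
    for role, name in locator_records("adiscon.com", "adiscon.com", site="LA").items():
        print(f"{role:20s} {name}")
    print(check_computer_names(["dc1", "file_srv01", "-bad", "sales-dc"]))
    # Constructed SRV answers: (priority, weight, port, target)
    sample = [(0, 100, 389, "dc2.adiscon.com"),
              (10, 100, 389, "dc3.adiscon.com"),
              (0, 200, 389, "dc1.adiscon.com")]
    print(order_srv_targets(sample))
```

Running the name check before joining machines is a cheap way to avoid the "top 1 trouble spot": a computer name with an underscore registers fine in MS-DNS but is refused by a BIND server with strict name checking, and the client then never finds its DC.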
Slide 23: Who is using Active Directory?
- Windows 2000: authentication, system policies
- Directory-enabled applications: please do not overlook them when planning your AD!

Slide 24: What are Directory-Enabled Applications?
- Applications directly using and accessing the Active Directory, e.g. Exchange 2000; many more expected!
- Typically extend the schema
- May dramatically change the usage pattern for Active Directory resources:
  - Replication traffic (new objects, attributes)
  - AD queries (GCs!)

Slide 25: Active Directory Security
- Improved authentication
- Permissions applied via ACLs: to objects as a whole, and to specific attributes
- Fine-tuning of access permissions possible
- Tool support to visualize security settings is currently weak (try Visio!)

Slide 26: What is Kerberos?
- "Age-old" Internet standard, mature
- Commonly used under Unix
- Secure authentication thanks to encryption
- Standard authentication model under Windows 2000
- Microsoft Kerberos is not fully compatible with other Kerberos implementations

Slide 27: Delegation of Administration
- Admin rights can be delegated to users or groups, NOT to OUs!
- Delegation via wizards
- Currently an "admin nightmare": very hard to detect who has rights; all objects must be viewed separately and manually
- Currently no good tools, but they are expected to be available in the future; Microsoft itself also plans to provide additional tools

Slide 28: Inheritance in Active Directory
- From top to bottom
- Inheritance can only be blocked completely
- No IRF like Novell
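Slides 25, 27 and 28 together describe the permission model: ACEs on whole objects or on single attributes, rights delegated to users and groups but never to OUs, inheritance flowing top-down, and a block that discards everything inherited rather than filtering it. The added example below (written for this page; not the deck's or Adiscon's code) models an OU tree with those rules and includes the report the "admin nightmare" on slide 27 asks for: which trustee holds which right where. The OU layout (domain adiscon.com with OUs LA and New York, each holding Admin and Sales) follows slide 8; the group names and the specific ACEs are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ACE:
    trustee: str                     # user or group that holds the right, never an OU
    right: str                       # e.g. "full", "write", "reset-password"
    attribute: Optional[str] = None  # None = applies to the object as a whole
    inheritable: bool = True         # flows down to child OUs unless blocked


@dataclass
class OU:
    name: str
    aces: List[ACE] = field(default_factory=list)
    block_inheritance: bool = False  # all-or-nothing: there is no per-right filter
    children: List["OU"] = field(default_factory=list)
    parent: Optional["OU"] = None

    def add_child(self, child: "OU") -> "OU":
        child.parent = self
        self.children.append(child)
        return child

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def delegate(ou, trustee, right, attribute=None, inheritable=True, principals=()):
    """Attach an ACE to an OU. Only users and groups may be trustees."""
    if trustee not in principals:
        raise ValueError(f"{trustee!r} is not a user or group; rights cannot be delegated to it")
    ace = ACE(trustee, right, attribute, inheritable)
    ou.aces.append(ace)
    return ace


def effective_aces(ou) -> List[ACE]:
    """ACEs in force at `ou`: inheritable ACEs of every ancestor, top-down,
    plus its own. A block on any OU in the chain throws away *everything*
    accumulated above it; individual rights cannot be kept or filtered."""
    chain, node = [], ou
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                      # root first
    inherited: List[ACE] = []
    for node in chain:
        if node.block_inheritance:
            inherited = []
        if node is ou:
            return inherited + list(node.aces)
        inherited = inherited + [a for a in node.aces if a.inheritable]
    return inherited


def who_has(root, right, attribute=None) -> Dict[str, List[str]]:
    """Audit report: trustee -> OU paths where `right` (on the object, or on
    `attribute`) is effective. Walks every OU, which is what the slide says
    has to be done by hand today."""
    report: Dict[str, List[str]] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        for ace in effective_aces(node):
            if ace.right == right and ace.attribute == attribute:
                report.setdefault(ace.trustee, []).append(node.path())
        stack.extend(node.children)
    return {t: sorted(paths) for t, paths in sorted(report.items())}


# Constructed sample: groups are assumed names, the OU layout follows slide 8.
PRINCIPALS = {"Domain Admins", "LA-Admins", "NY-Admins", "NY-Helpdesk"}


def build_sample() -> OU:
    root = OU("adiscon.com")
    la = root.add_child(OU("LA"))
    la.add_child(OU("Admin"))
    la.add_child(OU("Sales"))
    ny = root.add_child(OU("New York", block_inheritance=True))
    ny.add_child(OU("Admin"))
    ny_sales = ny.add_child(OU("Sales"))
    delegate(root, "Domain Admins", "full", principals=PRINCIPALS)
    delegate(la, "LA-Admins", "reset-password", principals=PRINCIPALS)
    delegate(ny, "NY-Admins", "write", principals=PRINCIPALS)
    delegate(ny_sales, "NY-Helpdesk", "write", attribute="telephoneNumber", principals=PRINCIPALS)
    return root


if __name__ == "__main__":
    tree = build_sample()
    for right, attr in (("full", None), ("reset-password", None), ("write", "telephoneNumber")):
        print(right, attr or "(object)", who_has(tree, right, attr))
```

The report makes the consequence of slide 28 visible: because OU "New York" blocks inheritance, "Domain Admins" have no effective ACE anywhere below it in this model, even though the intent was probably only to keep LA-specific rights out. With a Novell-style IRF one could have filtered selectively; here the only way to restore the Domain Admins right under New York is to grant it again explicitly on that OU.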
Slide 29: Groups
- Basically like under NT 4; new: Universal Groups
- Local groups are assigned permissions
- Global groups contain users from a single domain
- Global groups are members in local groups for permission assignment
- New: Universal groups
  - Can be used everywhere in every domain (permissions, members)
  - Implemented via GC
  - Replication traffic limits usability
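Slide 29 states the group scopes and the warning that universal groups are implemented via the Global Catalog, so their membership is replicated forest-wide. The added example below (written for this page; not the deck's or Adiscon's code) enforces the native-mode membership rules for the three scopes, expands nested membership, and counts the member values the GC has to carry. It goes one step beyond the slide by comparing two designs with the same effective membership: users placed directly in a universal group, versus users in per-domain global groups that are in turn members of the universal group. The domains adiscon.com and adiscon.de come from the deck; the user and group names are constructed.

```python
from typing import Dict, Optional, Set

SCOPES = ("global", "domain-local", "universal")


class Principal:
    def __init__(self, name: str, domain: str, kind: str, scope: Optional[str] = None):
        self.name, self.domain, self.kind, self.scope = name, domain, kind, scope
        self.members: Set[str] = set()     # only meaningful for groups


class Directory:
    def __init__(self):
        self.principals: Dict[str, Principal] = {}

    def add_user(self, name, domain):
        self.principals[name] = Principal(name, domain, "user")

    def add_group(self, name, domain, scope):
        if scope not in SCOPES:
            raise ValueError(f"unknown group scope {scope!r}")
        self.principals[name] = Principal(name, domain, "group", scope)

    @staticmethod
    def membership_allowed(group: Principal, member: Principal) -> bool:
        """Native-mode nesting rules by group scope."""
        same_domain = group.domain == member.domain
        if group.scope == "global":        # users and global groups of its own domain only
            return same_domain and (member.kind == "user" or member.scope == "global")
        if group.scope == "universal":     # users, global and universal groups from any domain
            return member.kind == "user" or member.scope in ("global", "universal")
        if group.scope == "domain-local":  # as universal, plus domain-local groups of its own domain
            return (member.kind == "user" or member.scope in ("global", "universal")
                    or (member.scope == "domain-local" and same_domain))
        return False

    def add_member(self, group_name, member_name):
        group, member = self.principals[group_name], self.principals[member_name]
        if not self.membership_allowed(group, member):
            raise ValueError(f"{member_name} ({member.domain}) may not be a member of "
                             f"{group.scope} group {group_name} ({group.domain})")
        group.members.add(member_name)

    def can_be_granted_in(self, group_name, resource_domain) -> bool:
        """Domain-local groups carry permissions only inside their own domain."""
        g = self.principals[group_name]
        return g.scope != "domain-local" or g.domain == resource_domain

    def effective_users(self, group_name, _seen=None) -> Set[str]:
        """All users reachable through nested group membership."""
        seen = set() if _seen is None else _seen
        users: Set[str] = set()
        for m in self.principals[group_name].members:
            if self.principals[m].kind == "user":
                users.add(m)
            elif m not in seen:
                seen.add(m)
                users |= self.effective_users(m, seen)
        return users

    def gc_membership_values(self) -> int:
        """Member values the Global Catalog replicates forest-wide: only the
        member lists of universal groups live in the GC."""
        return sum(len(p.members) for p in self.principals.values() if p.scope == "universal")


# Constructed sample users in the two domains from the deck.
USERS = [("alice", "adiscon.com"), ("bob", "adiscon.com"), ("carol", "adiscon.com"),
         ("dieter", "adiscon.de"), ("erika", "adiscon.de"), ("frank", "adiscon.de")]


def build_flat() -> Directory:
    """Every user placed directly into one universal group."""
    d = Directory()
    for user, domain in USERS:
        d.add_user(user, domain)
    d.add_group("All-Sales", "adiscon.com", "universal")
    for user, _ in USERS:
        d.add_member("All-Sales", user)
    return d


def build_nested() -> Directory:
    """Users in per-domain global groups; only those groups are universal members,
    and a domain-local group receives the permission."""
    d = Directory()
    for user, domain in USERS:
        d.add_user(user, domain)
    d.add_group("Sales-COM", "adiscon.com", "global")
    d.add_group("Sales-DE", "adiscon.de", "global")
    d.add_group("All-Sales", "adiscon.com", "universal")
    d.add_group("FileShare-Readers", "adiscon.com", "domain-local")
    for user, domain in USERS:
        d.add_member("Sales-COM" if domain == "adiscon.com" else "Sales-DE", user)
    d.add_member("All-Sales", "Sales-COM")
    d.add_member("All-Sales", "Sales-DE")
    d.add_member("FileShare-Readers", "All-Sales")
    return d


if __name__ == "__main__":
    for label, d in (("flat", build_flat()), ("nested", build_nested())):
        print(label, "GC member values:", d.gc_membership_values(),
              "effective users:", sorted(d.effective_users("All-Sales")))
```

Both layouts resolve to the same six users, but the flat design replicates six member values to every GC in the forest and changes again with every hire, whereas the nested design replicates two values that rarely change. That is the practical answer to "replication traffic limits usability": keep users in global groups and nest those, rather than filling universal groups directly.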
Slide 30: Active Directory Problem Spots
- DNS dependency
- No "merge tree"
- No partitioning (only a single domain per Domain Controller)
- Limited tool support
- Forest-global schema; schema modifications cannot be undone
- Issues will be addressed over time by Microsoft (keep in mind that AD is version 1.0!)

Slide 31: Importance of AD for Microsoft's Strategy
- Most important product
- All new Microsoft products need, or at least work better with, Active Directory: Exchange 2000, SQL Server 2000, ...
- Bill Gates: "We have bet Microsoft on Active Directory."