
1 Microsoft Active Directory An Overview

2 What is Active Directory?
- Microsoft's new Directory Service
- Called: ADS, NTDS
- Successor to LAN Manager Domains
- Goals
  - Open Standards
  - High Scalability
  - Simplified Administration
  - Compatibility with existing Windows NT systems and applications

3 Open Standards
- LDAP
  - Low-level API to Active Directory
- X.500
  - Active Directory structure
  - Not fully standard-compliant
- DNS
  - Resource location
  - Extensions, e.g. Dynamic DNS
- Kerberos
  - Authentication

4 Active Directory Structure
- Hierarchical
- Base object: Domain
(Diagram: Domain > OU > Objects; Domain Tree; Forest)

5 Which objects does Active Directory contain?
- Old friends
  - User
  - Group
  - Computer
- New elements
  - Distribution Lists
  - System Policies
  - Application-defined custom objects
- Described in the Schema

6 What is the Schema?
- Definition of all AD
  - Object types (classes)
  - Attributes
  - Data types (syntaxes)
- Can be compared to a database schema
- ONE consistent Schema inside a single Forest
- Extensible

7 What is a Domain?
- AD base element (building block)
- NT 4 compatible
- Physically implemented on Domain Controllers (DC)
- Border for
  - Replication traffic
  - System Policies
  - Administration
(Diagram: example domain Firma.de)

8 What is an Organizational Unit (OU)?
- Implements a structure inside a Domain
- Can be nested as needed
- Cannot be assigned any rights
- Typically used for administrative reasons
  - e.g. System Policies
(Diagram: example OU tree with LA, New York, Sales and Admin OUs)

9 What is a Tree?
- Hierarchical Domain structure inside a single namespace
  - adiscon.com
  - la.adiscon.com
  - ny.adiscon.com
- Transitive trusts created automatically
- Sub-domain must be added to the root domain, otherwise there will be no tree!
(Diagram: tree with adiscon.com, la.adiscon.com and ny.adiscon.com)

10 What is a Forest?
- Combination of Trees
- Disjoint namespaces
  - adiscon.de
  - adiscon.com
- Transitive trusts created automatically
- There is one single tree root!
- Sub-tree must be added to the root tree, otherwise no Forest will be created

11 Domain: The Tree Root
- First Domain installed
- Single Schema
- Absolutely vital!
(Diagram: Domain > OU > Objects; Domain Tree; Forest)

12 Modeling the physical Structure
- Not related to the logical structure
- Modeled via Sites
- A Site is well connected via fast network links
- One Site can home multiple Domains
- One Domain can spread across many Sites
- Domain database is stored on Domain Controllers

13 Sample Site Structure
- Logical and physical structure are totally independent of each other!
(Diagram: Site New York and Site LA, spanning adiscon.com and sales.adiscon.com)

14 Which Role can a Server have?
- Member Server
- Domain Controller
- Global Catalog
- FSMO
  - Special roles carried out by only a limited set of servers
  - e.g. PDC Emulator
  - e.g. Schema Master

15 What is a Domain Controller?
- Stores a physical copy of the Active Directory database
  - Currently a single Domain per DC supported!
  - ESE95 database (MS Exchange)
- Logon services
  - Kerberos
  - LAN Manager authentication
- Recommendation: always have at least 2 Domain Controllers!

16 What is a Global Catalog Server?
- Answers AD search queries
- Must be present to successfully log on
- Holds a copy of all objects of the whole Forest...
- ...but holds only a subset of the attributes
  - User definable
- Recommendation: at least one GC per (larger) Site

17 Multi-Master Replication
- Updates can be applied to ANY Domain Controller
- Will be replicated to each other Domain Controller (inside that Domain) within 15 minutes
- Optimized algorithm reduces replication traffic
- Not time based (triggered on demand only)!

18 Intra-Site Replication
- All Domain databases involved
- Changes are transmitted compressed
- Via IP (RPC) or SMTP
  - SMTP not within a single Domain!
- Time replication occurs can be configured
- Volume of replication traffic cannot be restricted!
- Have an eye on GCs!

19 Mixed vs. Native Mode?
- Mixed Mode supports coexistence with NT 4
  - Default
  - NT 4 BDCs continue to work
  - Enables fallback scenario during migration
- Only Native Mode supports all AD features
  - More than 40 MB Domain database size
  - Mostly problem-free MoveTree
  - Universal Groups, group nesting
- Once you have switched to Native Mode, there is no way back to Mixed Mode!

20 Are there still Trusts available?
- Old-fashioned NT 4 trusts can still be used
  - Work like always
  - No additional functionality
  - Must be used to connect different Forests
  - Be careful: no common Global Catalog!
- Shortcut trusts
  - Connect frequently used Domains to each other (performance optimization)

21 Shortcut Trusts
- Domain A users frequently access Domain B's resources
- No change in logical structure
(Diagram: Domain A in one tree and Domain B in another tree of the Forest, connected by a shortcut trust)
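The tree and forest rules from slides 9 and 10 and the shortcut-trust effect from slides 20 and 21, as an added model that is not part of the original presentation. Domain names are the slides' own except ham.adiscon.de, an assumed extra child of adiscon.de; each parent/child edge is one transitive trust, and the path length is the number of trust hops a referral must walk.

```python
"""Trust-path model for a Windows 2000 style forest (constructed example)."""
from collections import deque

# Constructed forest: tree adiscon.com (forest root) and tree adiscon.de.
# ham.adiscon.de is an assumed extra child domain, not from the slides.
PARENT = {
    "adiscon.com": None,            # forest root, first tree root
    "la.adiscon.com": "adiscon.com",
    "ny.adiscon.com": "adiscon.com",
    "adiscon.de": "adiscon.com",    # second tree root, joined to the forest root
    "ham.adiscon.de": "adiscon.de",
}

def check_tree_membership(parent):
    """Violations of the slides' join rules: a domain inside its parent's DNS
    namespace is a sub-domain of that tree; a domain outside it starts a new
    tree and must be joined to the forest root, not to some other domain."""
    forest_root = next(d for d, p in parent.items() if p is None)
    problems = []
    for dom, par in parent.items():
        if par is None:
            continue
        if not dom.endswith("." + par) and par != forest_root:
            problems.append(f"{dom}: new tree root must join forest root "
                            f"{forest_root}, not {par}")
    return problems

def build_trust_graph(parent, shortcuts=()):
    """Undirected trust graph: parent/child trusts plus optional shortcut trusts."""
    graph = {d: set() for d in parent}
    for dom, par in parent.items():
        if par is not None:
            graph[dom].add(par); graph[par].add(dom)
    for a, b in shortcuts:
        graph[a].add(b); graph[b].add(a)
    return graph

def trust_path(graph, src, dst):
    """BFS over trusts: the chain of domains a cross-domain access is referred through."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(graph[cur]):
            if nxt not in prev:
                prev[nxt] = cur; queue.append(nxt)
    if dst not in prev:
        return None
    path, cur = [], dst
    while cur is not None:
        path.append(cur); cur = prev[cur]
    return path[::-1]
```

Without a shortcut, la.adiscon.com reaches ham.adiscon.de in three hops via both tree roots; a single shortcut trust between the two domains cuts that to one hop while the tree structure stays unchanged.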

22 Vital for AD: DNS!
- DNS is Active Directory's locator service
- Without correctly configured DNS, no working Active Directory!
- Currently the number one trouble spot
- Can be hosted on non-MS DNS
  - Minimum BIND version 8.1.2
  - No special characters in computer names
  - Not really an option
- Recommendation: delegate a separate AD zone on the non-MS DNS and use MS-DNS for that zone. Saves lots of trouble!
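A check for the locator records the slide calls vital, as an added example that is not part of the original presentation. The zone excerpt is constructed, and the record set is the core subset of the SRV names a Windows 2000 client resolves to find a DC, KDC and Global Catalog; the underscore labels are the reason the slide demands BIND 8.1.2 or newer.

```python
"""Audit a DNS zone for the SRV records the AD DC locator depends on (constructed example)."""
import re

# Constructed BIND-style zone excerpt for forest root adiscon.com, site LA.
# _kerberos._udp and the site-specific _gc record are left out on purpose.
ZONE = """\
adiscon.com.              IN SOA ns1.adiscon.com. hostmaster.adiscon.com. (1 3600 600 86400 600)
dc1.adiscon.com.          IN A   10.0.0.10
_ldap._tcp.adiscon.com.                       600 IN SRV 0 100 389  dc1.adiscon.com.
_ldap._tcp.dc._msdcs.adiscon.com.             600 IN SRV 0 100 389  dc1.adiscon.com.
_ldap._tcp.LA._sites.dc._msdcs.adiscon.com.   600 IN SRV 0 100 389  dc1.adiscon.com.
_ldap._tcp.pdc._msdcs.adiscon.com.            600 IN SRV 0 100 389  dc1.adiscon.com.
_kerberos._tcp.adiscon.com.                   600 IN SRV 0 100 88   dc1.adiscon.com.
_kpasswd._tcp.adiscon.com.                    600 IN SRV 0 100 464  dc1.adiscon.com.
_gc._tcp.adiscon.com.                         600 IN SRV 0 100 3268 dc1.adiscon.com.
_ldap._tcp.gc._msdcs.adiscon.com.             600 IN SRV 0 100 3268 dc1.adiscon.com.
"""

def locator_records(domain, forest, site):
    """Core SRV owner names a Windows 2000 client queries for DC, KDC and GC."""
    d, f = domain.rstrip(".") + ".", forest.rstrip(".") + "."
    return {
        f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{d}", f"_ldap._tcp.pdc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kpasswd._tcp.{d}",
        f"_gc._tcp.{f}", f"_gc._tcp.{site}._sites.{f}", f"_ldap._tcp.gc._msdcs.{f}",
    }

SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)", re.I)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)", re.I)

def parse_zone(text):
    """Return {srv name: (port, target)} and the set of names that have A records."""
    srv, hosts = {}, set()
    for line in text.splitlines():
        if m := SRV_RE.match(line):
            srv[m.group(1).lower()] = (int(m.group(2)), m.group(3).lower())
        elif m := A_RE.match(line):
            hosts.add(m.group(1).lower())
    return srv, hosts

def audit(zone_text, domain, forest, site):
    """(required SRV names missing from the zone, SRV targets without an A record)."""
    srv, hosts = parse_zone(zone_text)
    required = {n.lower() for n in locator_records(domain, forest, site)}
    missing = sorted(required - set(srv))
    dangling = sorted({t for _, t in srv.values() if t not in hosts})
    return missing, dangling
```

On the constructed zone the audit reports the two deliberately omitted records and no dangling targets; a client in site LA would still find a DC here, but Kerberos over UDP and site-local GC lookups would fall back or fail.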

23 Who is using Active Directory?
- Windows 2000
  - Authentication
  - System Policies
- Directory-enabled applications
  - Please do not overlook them when planning your AD!

24 What are Directory-Enabled Applications?
- Applications directly using and accessing the Active Directory
  - e.g. Exchange 2000
  - Many more expected!
- Typically extend the Schema
- May dramatically change the usage pattern for Active Directory resources
  - Replication traffic (new objects, attributes)
  - AD queries (GCs!)

25 Active Directory Security
- Improved authentication
- Permissions applied via ACLs
  - To objects as a whole
  - To specific attributes
- Fine-tuning of access permissions possible
- Tool support to visualize security settings currently weak (try Visio!)

26 What is Kerberos?
- Age-old Internet standard, mature
- Commonly used under Unix
- Secure authentication thanks to encryption
- Standard authentication model under Windows 2000
- Microsoft Kerberos not fully compatible with other Kerberos implementations

27 Delegation of Administration
- Admin rights can be delegated to users or groups
  - NOT to OUs!
- Delegation via wizards
- Currently an admin nightmare: very hard to detect who has rights
  - All objects must be viewed separately and manually
  - Currently no good tools, but expected to be available in the future
  - Microsoft itself also plans to provide additional tools

28 Inheritance in Active Directory
- From top to bottom
- Inheritance can only be blocked completely
  - No IRF like Novell
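Slides 25, 27 and 28 together describe object- and attribute-level ACEs, trustees that are users or groups but never OUs, top-down inheritance that can only be blocked as a whole, and the missing "who has rights where" report. This added model (not part of the original presentation) implements those rules over a constructed OU tree; the DNs, trustees and rights are assumptions.

```python
"""Effective-rights model for AD ACL inheritance (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ACE:
    trustee: str                    # user or group; an OU can never be a trustee
    right: str                      # e.g. "Read", "Write", "FullControl"
    attribute: Optional[str] = None  # None = whole object, else one attribute
    inherit: bool = True            # propagate to child objects

@dataclass
class ADObject:
    dn: str
    parent: Optional["ADObject"] = None
    aces: list = field(default_factory=list)
    block_inheritance: bool = False  # all-or-nothing; no Novell-style IRF

def effective_aces(obj):
    """Explicit ACEs plus inheritable ACEs from every ancestor below the first block."""
    result = list(obj.aces)
    node = obj
    while node.parent is not None and not node.block_inheritance:
        node = node.parent
        result += [a for a in node.aces if a.inherit]
    return result

def rights_of(trustee, objects):
    """The report slide 27 says is missing: each object, and which right/attribute, a trustee holds."""
    out = {}
    for o in objects:
        hits = sorted({f"{a.right}:{a.attribute or '*'}"
                       for a in effective_aces(o) if a.trustee == trustee})
        if hits:
            out[o.dn] = hits
    return out

# Constructed tree: domain > OU=Sales > OU=NY > user; OU=LA blocks inheritance.
domain = ADObject("DC=adiscon,DC=com", aces=[ACE("Domain Admins", "FullControl")])
sales = ADObject("OU=Sales," + domain.dn, domain,
                 aces=[ACE("SalesAdmin", "Write", "telephoneNumber")])
ny = ADObject("OU=NY," + sales.dn, sales)
la = ADObject("OU=LA," + sales.dn, sales, aces=[ACE("LAAdmin", "Write")],
              block_inheritance=True)
user = ADObject("CN=jdoe," + ny.dn, ny, aces=[ACE("jdoe", "Read", inherit=False)])
ALL = [domain, sales, ny, la, user]
```

Blocking inheritance on OU=LA removes the Domain Admins and SalesAdmin ACEs from it in one go, which is exactly the "completely or not at all" behaviour the slide contrasts with Novell's IRF.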

29 Groups
- Basically, like under NT 4
  - Local groups are assigned permissions
  - Global groups contain users
    - From a single Domain
  - Global groups are members in local groups for permission assignment
- New: Universal groups
  - Can be used everywhere in every Domain (permissions, members)
  - Implemented via GC
  - Replication traffic limits usability

30 Active Directory Problem Spots
- DNS dependency
- No merge-tree
- No partitioning (only a single Domain per Domain Controller)
- Limited tool support
- Forest-global Schema
  - Schema modifications cannot be undone
- Issues will be addressed over time by Microsoft (keep in mind AD is version 1.0!)

31 Importance of AD for Microsoft's Strategy
- Most important product
- All new Microsoft products need, or at least work better with, Active Directory
  - Exchange 2000
  - SQL Server 2000
  - ...
- Bill Gates: "We have bet Microsoft on Active Directory."

32 Questions?
- rgerhards@adiscon.com
- www.windows-expert.net
