Course for S.I.R.A. representatives – Module 2 06 – Active Directory 20/11 – 27/11 – 05/12 11/12 – 13/12 (group 1) 12/12 – 15/12 (group 2) Cristiano Gentili, Massimiliano.


1 Course for S.I.R.A. representatives – Module 2
06 – Active Directory
20/11 – 27/11 – 05/12
11/12 – 13/12 (group 1)
12/12 – 15/12 (group 2)
Cristiano Gentili, Massimiliano Viola (CSIA)

2 Overview
- Introduction to Active Directory
- Active Directory Logical Structure
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network

3 Introduction to Active Directory
- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)

4 What Is Active Directory?
- Directory Service Functionality: Organize, Manage, Control
- Centralized Management:
  - Single point of administration
  - Full user access to directory resources by a single logon
[Diagram label: Resources]

5 Active Directory Objects
- Objects Represent Network Resources
- Attributes Store Information About an Object
[Diagram: Active Directory containing the objects Printers (Printer1, Printer2, Printer3) and Users (Don Hall, Suzan Fine). User attributes: First Name, Last Name, Logon Name. Printer attributes: Printer Name, Printer Location. Labels: Objects, Attribute, Value]

6 Active Directory Schema
- Object Class Examples: Printers, Computers, Users
- Attributes of Users Might Contain: accountExpires, department, distinguishedName, middleName
- Attribute Examples (List of Attributes): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …
- Active Directory Schema Is:
  - Dynamically Available
  - Dynamically Updateable
  - Protected by DACLs

7 Lightweight Directory Access Protocol (LDAP)
- LDAP Provides a Way to Communicate with Active Directory by Specifying Unique Naming Paths for Each Object in the Directory
- LDAP Naming Paths Include:
  - Distinguished names
  - Relative distinguished names
- Example: CN=RossiMario,OU=Studenti,DC=ds,DC=units,DC=it
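
The distinguished name from this slide, split into its relative distinguished names, as an added example that is not part of the original presentation. The second DN is constructed to show an escaped comma, which a plain split on "," mis-parses; the function names are illustrative.

```python
# Added example: RFC 4514-aware splitting of an LDAP distinguished name.
HEX = set("0123456789abcdefABCDEF")


def split_dn(dn):
    """Return [(type, value), ...], most specific RDN first.

    Backslash escapes are honored, so an escaped comma inside a value does
    not start a new RDN. Limits of this sketch: multi-valued RDNs ("+") are
    not split, and hex escapes are decoded as single ASCII characters.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(chr(int(pair, 16)))  # hex form, e.g. \2C for ","
                i += 3
            else:
                buf.append(dn[i + 1])           # character form, e.g. \,
                i += 2
            continue
        if ch == ",":                           # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value))
    return rdns


def describe(dn):
    """Summarize a DN: its own RDN, enclosing OUs (innermost first), DNS domain."""
    rdns = split_dn(dn)
    return {"rdn": rdns[0],
            "ous": [v for t, v in rdns[1:] if t == "OU"],
            "domain": ".".join(v for t, v in rdns if t == "DC")}


PAGE_DN = "CN=RossiMario,OU=Studenti,DC=ds,DC=units,DC=it"         # from the slide
ESCAPED_DN = r"CN=Rossi\, Mario,OU=Studenti,DC=ds,DC=units,DC=it"  # constructed
```

The DC components, read left to right, give the DNS name of the domain that holds the object, which is what an access or audit check should compare against rather than a substring of the raw string.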

8 Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests

9 Domains
- A Domain Is a Security Boundary
  - A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- A Domain Is a Unit of Replication
  - Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Diagram: Windows 2000 Domain; User1 and User2 on each domain controller; Replication]

10 Organizational Units
- Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization
- Delegate Administrative Control over the Objects Within an OU by Assigning Specific Permissions to Users and Groups
[Diagram labels: Organizational Structure, Sales, Vancouver, Repair, Users, Sales, Computers, Network Administrative Model]

11 Trees and Forests
[Diagram labels: Forest; Tree: contoso.msft (root), au.contoso.msft, asia.contoso.msft; Tree: au.nwtraders.msft, asia.nwtraders.msft; Two-Way Transitive Trusts]

12 Global Catalog
- Global Catalog: Subset of the Attributes of All Objects
- Queries
- Group membership when user logs on
[Diagram labels: Global Catalog Server, Domain]

13 Active Directory Physical Structure
- Domain Controllers
- Sites

14 Domain Controller
- Domain Controllers:
  - Participate in Active Directory replication
  - Perform single master operations roles in a domain
[Diagram: Domain; User1 and User2 on each domain controller; Replication. Legend: icon = A Writeable Copy of the Active Directory Database]

15 Sites
- Sites:
  - Optimize replication traffic
  - Enable users to log on to a domain controller by using a reliable, high-speed connection
[Diagram labels: Site, IP subnet, Los Angeles, Seattle, Chicago, New York]

16 Methods for Administering a Windows 2000 Network
- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control

17 Using Active Directory for Centralized Management
- Active Directory:
  - Enables a single administrator to centrally manage resources
  - Allows administrators to easily locate information
  - Allows administrators to group objects into OUs
  - Uses Group Policy to specify policy-based settings
[Diagram labels: Domain, OU1, OU2, Computers, Users, Printers, Computer1, User1, Printer1, User2, Search]

18 Managing the User Environment
- Use Group Policy to:
  - Control and lock down what users can do
  - Centrally manage software installation, repairs, updates, and removal
  - Configure user data to follow users whether they are online or offline
[Diagram labels: Windows 2000 Enforces Continually; Apply Group Policy Once; Domain, OU1, OU2, OU3, numbered 1, 2, 3]

19 Delegating Administrative Control
- Assign Permissions:
  - For specific OUs to other administrators
  - To modify specific attributes of an object in a single OU
  - To perform the same task in all OUs
- Customize Administrative Tools to:
  - Map to delegated administrative tasks
  - Simplify interface design
[Diagram labels: Domain, Admin1, Admin2, Admin3, OU1, OU2, OU3]

