1 CSIT 320
Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as well as manages access to that information, Active Directory collects, organizes and manages access to information about network “objects” – such as computers, servers, printers, users, groups, etc. For instance, one component is a Directory Service Often likened to a phone book which one to look up numbers (from names) or services (yellow pages) Active Directory is often just called AD For example AD-DS is active 2 CSIT 320
Active Directory is based upon some of the following standards (though not fully compliant with all of them) DNS – AD needs DNS to work, follows its organization and naming conventions X.500 – directory service protocol based on the OSI model (AD does not use the full X.500 standard) LDAP (Lightweight Directory Access Protocol ) – part of the X.500 standard was Directory Access Protocol – LDAP is a scaled down, easier version of that Kerberos – network authentication protocol – adds the security to AD 3 CSIT 320
Whereas a database has a “relational” structure, the objects in AD have a hierarchical, tree-like structure. Thus there is a root Every object other than the root has one and only one parent. However, it can get complicated in that there are various levels (domains, organizational units, groups) as well as distinctions between logical separations and physical separations. 4 CSIT 320
A domain is one of the main organizational units in Active Directory. It collects resources and manages access to them for a set of users. For instance users being logged in the same domain typically implies that those users will for the most part have access to the same resources and follow the same policies In Active Directory diagrams, domains are represented by triangles. 5 CSIT 320
An AD domain must have at least one AD domain controller. The domain controller manages the authentication of users granting them access to the domain and the resources it contains. Best Practices suggests that there are at least two domain controllers in a domain so that access to the domain can still be granted if one controller is down. 6 CSIT 320
A tree is a set of domains that obey a DNS-type hierarchical naming structure. They belong to the same “namespace”. A namespace provides a context in which a name has a well defined meaning. 7 CSIT 320 lasalle.edu student.lasalle.edu luna.lasalle.edu
As the name suggests a forest is a collection of trees. Each tree has a its own namespace, but the different trees in the forest have different namespaces. However you may want them to be connected in some way – have some kind of trust relationship, some sharing of resources or just want to administer them as a unit. 8 CSIT 320 lasalle.edu lasalle.museum student.lasalle.edu
The trees in a forest still share a common root. The first tree in the forest serves as the root. It will have (at least initially) the global catalog – the collection of definitions, how the forests are organized, what the trust relationships are, names for all of the objects, etc. 9 CSIT 320
If two domains have a trust relationship, it means that users from one domain can access resources from another domain. That way an administrator does not have to give users accounts in both domains. The domain with the resource is said to be “trusting” and the domain with the user is said to be “trusted”. Trust can be but doesn’t have to be a two-way street. CSIT
Before we were moving up in the hierarchy from the original concept of a domain, an organizational unit on the other hand is lower in the hierarchy (farther from the root) It is a container within a domain – resources like printers and file shares organized into smaller containers. Example within the student.lasalle.edu domain, science students may be access to different shares and different printers from business students, etc. 11 CSIT 320
In a large company a logical container such as a domain might cover multiple physical locations. This can cause a problem because a lot of information is passed between domain controllers. So AD has the notion of a site to correspond to physical differences rather than logical differences A site can have multiple domains A domain may be spread over multiple sites 12 CSIT 320
User Group Computer Printer Distribution Lists System Policies 13 CSIT 320
Just like in a database, Active Directory has a schema. Definition of all AD objects, For example, it will define a User, what attributes a User must have, what attributes a User might have, relationships between Users and Groups, etc. ONE schema for a forest Extensible While a default set of definitions gets one started with AD, one can extend or create new objects 14 CSIT 320
A distributed data repository containing a searchable, partial representation of every object in every domain in a forest. Answers AD Search Queries Must be present to successfully logon Holds a copy of all Objects of the whole Forest…...but holds only a subset of the Attribute 15 CSIT 320
Member Server – server on a domain offering a non- active directory service Domain Controller – as the name suggests its manages access to the resources within a domain Global Catalog – while a domain controller stores the objects for the domain it “controls”, a global catalog server stores the objects from all domains in the forest. A global catalog server is a domain controller, but a domain controller may not be a global catalog server 16 CSIT 320
Updates can be applied to ANY Domain Controller Will be Replicated to each other Domain Controls (inside that Domain) within 15 Minutes Optimized Algorithm reduces Replication Traffic Not time based (triggered on demand, only)! 17 CSIT 320
Improved Authentication Permissions applied via ACLs To Objects as whole To specific Attributes Fine-Tuning of Access Permissions possible 18 CSIT 320
Windows Server 2008 R2 Unleashed, Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry and Chris Amaris, SAMS. Active Directory for Dummies, Steve Clines and Marcia Loughry, Wiley. terminology-and-concepts.html 19 CSIT 320