Directory services Unit objectives Describe Windows networking concepts Discuss planning of a directory services “implementation” Describe and install Microsoft’s Active Directory Discuss what’s new in Active Directory in Windows Server 2003 Discuss the Windows NT domain model Explain the design and purpose of Novell Directory Services / eDirectory
Topic A Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
Workgroups Logical group of computers Decentralized security and administration (every PC for itself!) In a workgroup, every computer holds its own security database Security Accounts Manager (SAM) database This way, each computer does its own authentication (i.e., ensure that the person logging in has the correct credentials). Simple (sort of) Doesn’t require a server
Workgroups Problems with Workgroups: The maximum effective size for a workgroup is 10 or so computers With more than 10 you will have problems sharing resources, keeping track of security information and so on. In order to access resources on another computer you must, first log on to that PC. This means that you have to have a username and password for every PC A server in a workgroup does its normal jobs of sharing files, sending email, etc. A server is called a standalone server.
Workgroup security model
Domains Logical groups of computers Use centralized authentication and administration The device in the domain responsible for this is the “domain controller”, or DC
Domain security model
Member servers Not domain controllers but they run the server software, not the client. Used for a variety of functions File servers Print servers Application servers DNS and DHCP servers A member server can backup the DC it can be promoted to DC if the DC goes down and a DC can be demoted to member server But security functions are unique to the DC
Recap Two different security models used in Windows environments Workgroup Domain Three roles for a Windows Server 2003 system in a network Standalone server Member server Domain controller
Domain controllers Store a copy of the Active Directory database Service user authentication requests Service queries about domain objects The AD database is stored on network DCs Changes made to any Active Directory will be replicated across all domain controllers Called multimaster replication Provides fault tolerance for domain controller failure Uses Domain Name Service (DNS) conventions for network resources i.e., this is how devices in the domain are recognized
Discussing Windows security models Activity A-1 - page 16-6 Discussing Windows security models
Topic B Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
Directory service (DS) Network service that allows users or computers to look up information location of files, printers, email addresses, security information such as passwords, rights and permissions, etc. Microsoft’s directory service is called Active Directory (AD)
Planning and Maintaining Infrastructure & Group policy Planning your AD is emphasized Consider bandwidth, location, resources, etc Security issues include password issues such as length, complexity and use time. Group policy is used to manage servers, workstations, and user environments Used to deploy applications to computers or users Used to implement security policies like encrypting all client/server communication
Planning and implementing directory services Activity B-1 - page 16-9 Planning and implementing directory services
Topic C Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
AD Features and Services Provides the following services Central point for storing & managing network objects Central point for administering objects and resources Logon and authentication services Delegation of administration (to member servers) Stored on domain controllers (plural) in the network Changes made to any Active Directory will be replicated across all domain controllers Multimaster replication Fault tolerance for domain controller failure Uses Domain Name Service (DNS) conventions for network resources (i.e., objects are arranged in a hierarchy)
Active Directory Objects Represent network resources such as users, groups, computers, and printers Objects have attributes depending on object type Objects are searchable by attributes
Creating a new user object
Viewing user object properties
Active Directory schema Consists of two main definitions Object classes Attributes Attributes and object classes have a many-to-many relationship The Schema defines all objects It defines the attributes available for objects The Schema defines the set of objects for the entire Active Directory structure Only one schema for a given Active Directory, replicated across domain controllers
Schema Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes Unique object name Globally unique identifier (GUID) associated with each object name Required attributes Optional attributes Syntax of how attributes are defined Pointers to parent entities
Schema Sample schema information for user accounts
GUID: A server-based Aside … Short for Globally Unique Identifier, a unique 128-bit number that is produced by the Windows OS or by some Windows application to identify a particular component, application, file, database entry or user. For instance, a Web site may generate a GUID and assign it to a user's browser to record and track the session. A GUID is also used in the Windows Registry to identify COM DLLs. Knowing where to look in the registry and having the correct GUID yields a lot information about a COM object (i.e., information in the type library, its physical location, etc.).
GUID: A server-based Aside Windows also identifies user accounts by a username (computer/domain and username) and assigns it a GUID. Some database administrators even will use GUIDs as primary key values in databases. GUIDs can be created in a number of ways, but usually they are a combination of a few unique settings based on specific point in time (e.g: an IP or MAC address, clock date/time, etc.).
Discussing Active Directory Activity C-1 - page 16-13 Discussing Active Directory
AD structure and components Active Directory comprises components that: Enable design and administration of a network structure Logical Hierarchical Components include: Domains and organizational units Trees and forests A global catalog
AD Domain and OU structure
Trees and Forests Sometimes necessary to create multiple domains within an organization The first Active Directory domain is the forest root domain A tree is a hierarchical collection of domains that share a contiguous DNS naming structure A forest is a collection of trees that do not share a contiguous DNS naming structure Transitive trust relationships exist among domains in trees and, optionally, in and across forests
Domains & Organizational Units Has a unique name Is organized in hierarchical levels Has an Active Directory replicated across its domain controllers Organizational unit (OU) A logical container used to organize domain objects Makes it easy to locate and manage objects Allows you to apply Group Policy settings Allows delegation of administrative control
An Active Directory tree There is a “contiguous DNS naming structure” here; i.e., all of the OU’s in the tree on the right follow the same naming scheme – they all end with “Dovercorp .net
An Active Directory forest There is no “contiguous DNS naming structure” here; i.e., the tree on the right follows a different naming scheme.
AD naming standards: Namespaces Contiguous namespace: A namespace in which every child object contains the name of its parent object - Tree Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object - Forest
Multimaster Replication Multimaster replication: In Windows 2003 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC acts as a master, its replication doesn’t stop when one is down. Each DC is a master in its own right.
Global Catalog An index and partial replica of most frequently used objects and attributes of an Active Directory Replicated to any server in a forest configured to be a “global catalog server” Contains all information from the root and partial information for all other domains Allows authentication using the User Principal Name (JSmith@pbcc.edu)
Global Catalog (continued) Four main functions Enable users to find Active Directory information Provide universal group membership information Supply authentication services when a user logs on from another domain Respond to directory lookup requests from Exchange 2000 and other applications
An Active Directory Forest
Discussing components of Active Directory Activity C-2 - Page 16-18,19 Discussing components of Active Directory
Installing Active Directory Activity C-3 - page 16-20, 21 Installing Active Directory
Active Directory naming standards Active Directory uses the DNS naming standard for hostname resolution providing information on the location of network services and resources Lightweight Directory Access Protocol (LDAP) is used to query or update the Active Directory database Distinguished name Relative distinguished name
AD Communications Standards The Lightweight Directory Access Protocol (LDAP) is used to query or update an Active Directory database directly LDAP follows convention using naming paths with two components Distinguished name: the unique name of an object in Active Directory Relative distinguished name: the portion of a distinguished name that is unique within the context of its container
LDAP Naming Paths Common name (CN): Distinguished name (DN): The most basic name of an object in the Active Directory, such as the name of a printer Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name. CN=JSmith, OU=Accounting, DC=pbcc, DC=edu Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user (CN=JSmith)
AD Physical Structure Physical structure distinct from logical structure Physical structure relates to the actual connectivity of the physical network A Logical structure used to organize network resources Important to consider the effect of Active Directory traffic and authentication requests on physical resources A site is a combination of Internet Protocol (IP) subnets connected by a high-speed link A site link is a configurable object that represents a connection between sites
Site structure for Dovercorp.net
Discussing Active Directory naming standards and physical structure Activity C-4 - page 16-24 Discussing Active Directory naming standards and physical structure
Topic D Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
New Active Directory features Renaming domains in case you misnamed a domain, to comply with new company policy The company is sold, buys another company or merges Improved migration tools E.g., from earlier versions, as from NT to 2000 or from 2000 to 2003. Makes deployment easier One feature of the “AD Migration Tool” (ADMT) is aimed specifically at allowing passwords to be migrated between different OS versions. New management features Multi-object selection Better drag-and-drop capabilities Improvements in Group Policy
Discussing deployment and management Activity D-1 Page 16-27 Discussing deployment and management
Discussing performance and dependability Activity D-2 - Page 16-28 Discussing performance and dependability
Topic E Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
Windows NT Domains Windows NT Server acts as the Primary Domain Controller (PDC), providing centralized management of resources, user accounts, group accounts, permissions, and rights Multiple domains By using Trust relationships, you can set up different types of domain models The flexibility of these models is one of the advantages of using Windows NT Server
Trust relationships Provide a way of combining domains into a single management unit Are of two types: One-way trust Two-way trust
Trust relationships, an example
One-way trusts, an example
Two-way trusts, an example
Discussing Windows NT and trust relationships Activity E-1 - Page 16-31 Discussing Windows NT and trust relationships
Domain models Several domain models: Single Master Multiple master Complete trust
Discussing Windows NT domains Activity E-2 Discussing Windows NT domains
Topic F Windows networking concepts Directory services planning and implementation Introduction to Active Directory New Active Directory features in Windows Server 2003 Windows NT domains Novell Directory Services/eDirectory
Bindery files In the earlier versions of NetWare, bindery files were used to store information about users, groups, file servers, and other logical and physical entities on the network Network information, such as passwords, account balances, and trustee assignments, were also kept in the bindery files
Novell Directory Services/eDirectory Replaces the bindery files Commonly referred to as the Directory tree Can be organized the way your organization is structured
Objects and object classes NDS objects Objects represent items defined in the NDS/eDirectory database Objects are maintained globally for the entire network NDS object classes The three classes of objects are root, container, and leaf
NDS object classes
Bindery emulation in the NDS To provide backward compatibility with NetWare bindery applications and third-party bindery products, NetWare 4.x and 5.x and 6.x provide bindery emulation The NetWare 3.x bindery consists of three files: NET$OBJ.SYS NET$PROP.SYS NET$VAL.SYS
Discussing NDS/eDirectory Activity F-1 Discussing NDS/eDirectory
Unit summary Learned about Windows networking concepts Discussed planning of a directory services implementation Described and installed Microsoft’s Active Directory Learned what’s new in Active Directory in Windows Server 2003 Discussed the Windows NT domain model Learned about the design and purpose of Novell Directory Services/eDirectory