1 Chapter Summary Understanding DNS Understanding Name Resolution Configuring a DNS Client Understanding Active Directory Understanding Active Directory Structure and Replication Understanding Active Directory Concepts

2 Introduction to DNS The Domain Name System (DNS) is a naming system based on a distributed database. DNS is used in TCP/IP networks to translate computer names to IP addresses. DNS is the default naming system for IP-based networks. The DNS Service is not available with Microsoft Windows XP Professional, but it ships with Microsoft Windows 2000 Server.

3 Benefits of Using DNS DNS names are user friendly. DNS names remain more constant than IP addresses. DNS uses the same naming conventions as the Internet.

4 Domain Namespace

5 Examples of Second-Level Domains
- ed.gov
- Microsoft.com
- Stanford.edu
- w3.org

6 Host Names Host names refer to specific computers on the Internet or an intranet. They are the leftmost portion of a fully qualified domain name (FQDN), such as Computer1.sales.microsoft.com. DNS uses a host’s FQDN to resolve a name to an IP address. Host names do not have to match the computer names.

7 Domain Naming Guidelines Limit the number of domain levels. Use unique names. Use simple names. Avoid lengthy domain names.

8 Domain Naming Guidelines (Cont.) Use standard DNS characters and Unicode characters. Windows 2000 Server supports A–Z, a–z, 0–9, and hyphen (-). The DNS Service supports the Unicode character set.

9 Zones

10 Name Servers DNS name servers store the zone database file. They store the database files for one or multiple zones. They have authority for the domain namespace that the zone encompasses. A zone must have at least one name server.

11 Primary Zone Database File A name server in each domain contains the master database file, called the primary zone database file. Changes to a zone are performed on the primary zone database file. Multiple name servers act as a backup.

12 Benefits of Multiple Name Servers
- Provide zone transfers
- Provide redundancy
- Improve access speed
- Reduce the load

13 Name Resolution Name resolution is the process of resolving names to IP addresses. DNS resolves a name, such as to an IP address. The mapping of names to addresses is stored in the DNS distributed database.

14 Resolving a Forward Lookup Query

15 Name Server Caching When a name server is processing a query, it might have to send out several queries to find the answer. Each query discovers other name servers that have authority for a portion of the domain namespace. The name server caches these query results to reduce network traffic. When a name server receives a query result, the name server caches the query result for a specified amount of time, referred to as Time to Live (TTL).

16 Time to Live (TTL) The zone that provides the query results specifies the TTL; the default TTL is 60 minutes. When TTL expires, the name server deletes the query result from its cache. Shorter TTL values help ensure that data about the domain namespace is more current across the network. Shorter TTL values increase the load on name servers. Longer TTL values decrease the time required to resolve information. Longer TTL values mean it will take longer for a client to receive any updated information.

17 Reverse Lookup Query A reverse lookup query maps an IP address to a name. Troubleshooting tools such as the nslookup utility use reverse lookup. Some applications implement security based on the ability to connect to names rather than IP addresses. The DNS distributed database is indexed by name, so a reverse lookup query would require an exhaustive search of every domain name.

18 The in-addr.arpa Domain
- Is a special second-level domain created to resolve the difficulty of doing a reverse lookup query
- Follows the same hierarchical naming scheme as the rest of the domain namespace, but it is based on IP addresses, not domain names
- Has subdomains named after the numbers in the dotted-decimal representation of IP addresses
- Reverses the order of the IP address octets
- Lets companies administer subdomains of the in-addr.arpa domain based on their assigned IP addresses and subnet mask
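As an added example (not part of the original presentation), the Python below builds in-addr.arpa names the way slide 18 describes, works out which reverse subdomains an organization administers for an assigned prefix and mask, and shows the forward-confirmation check that the name-based access control mentioned on slide 17 should perform. The PTR and A record tables are constructed sample data standing in for resolver answers.

```python
import ipaddress

# Added example for slides 17 and 18; not part of the original presentation.
# PTR_RECORDS and A_RECORDS are constructed sample data standing in for
# the answers a resolver would return.


def reverse_lookup_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address.

    The octets are written in reverse order so the most significant octet
    sits directly under in-addr.arpa, mirroring the forward namespace where
    the top-level domain is on the right.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def delegated_reverse_zones(network: str) -> list[str]:
    """Return the in-addr.arpa subdomain(s) an organization administers for
    an assigned network (delegation follows the assigned addresses and
    subnet mask, as slide 18 states).

    in-addr.arpa delegates on whole octets: an octet-aligned prefix (/8,
    /16, /24) maps to exactly one zone, while a prefix such as /23 expands
    to one zone per /24 it contains.  Prefixes longer than /24 cannot be a
    single in-addr.arpa subdomain and are rejected here.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen == 0 or net.prefixlen > 24:
        raise ValueError("prefix must be between /1 and /24")
    # Round the prefix up to the next octet boundary (8, 16 or 24 bits).
    aligned = ((net.prefixlen + 7) // 8) * 8
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        kept = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(kept)) + ".in-addr.arpa")
    return zones


PTR_RECORDS = {  # reverse tree (constructed sample data)
    "10.1.168.192.in-addr.arpa": "host1.example.com",
    "20.1.168.192.in-addr.arpa": "host1.example.com",  # claims the same name
}
A_RECORDS = {  # forward tree (constructed sample data)
    "host1.example.com": {"192.168.1.10"},
}


def forward_confirmed(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> bool:
    """Forward-confirmed reverse lookup.

    Slide 17 notes that some applications grant access by name rather than
    by address.  The PTR record is published by whoever administers that
    address's in-addr.arpa subdomain, so the name it returns should be
    resolved forward again and accepted only if it lists the original
    address.
    """
    name = ptr.get(reverse_lookup_name(ip))
    if name is None:
        return False
    return ip in a.get(name, set())
```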

19 Introduction to DNS Clients A DNS client uses DNS, a distributed database used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, for name resolution. TCP/IP must be installed for a computer to use DNS.

20 Internet Protocol (TCP/IP) Properties Dialog Box

21 Configuring DNS Query Settings
- Append Primary And Connection Specific DNS Suffixes: append the client name to the primary domain name, as well as to the domain name defined in the DNS Domain Name field of each network connection.
- Append Parent Suffixes Of The Primary DNS Suffix: the DNS server strips off the leftmost portion of the primary DNS suffix and attempts the resulting domain name.
- Append These DNS Suffixes (In Order): the DNS resolver adds each one of these suffixes, one at a time and in the order you specified.
- Register This Connection's Addresses In DNS: the computer attempts to dynamically register the IP addresses (through DNS) of this computer with its full computer name.
- Use This Connection's DNS Suffix In DNS Registration: the computer uses dynamic updates to register the IP address and the connection-specific domain name of the connection.
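As an added example (not from the original presentation), the following Python models slide 21's query and registration options as pure functions, so you can see in which order a short name is expanded and which names a connection registers; the suffix values in the comments and tests are constructed, and the stop point for parent-suffix devolution (two labels) and the search-list-replaces-automatic-suffixes behaviour are assumptions stated in the code.

```python
# Added example for slide 21; not part of the original presentation.  It
# models the query and registration options as pure functions; suffix
# values used in comments and tests are constructed sample data.


def query_candidates(
    name: str,
    primary_suffix: str,
    connection_suffixes: tuple[str, ...] = (),
    append_primary_and_connection: bool = True,
    append_parent_suffixes: bool = True,
    explicit_suffixes: tuple[str, ...] = (),
) -> list[str]:
    """Return the fully qualified names the resolver tries, in order, for
    the given name under the slide's query settings.

    A name ending in a dot is already fully qualified and is tried as-is.
    An explicit search list (Append These DNS Suffixes (In Order)) is used
    instead of the primary and connection-specific suffixes, mirroring the
    slide's two alternative options (assumption).  Parent-suffix devolution
    strips the leftmost label of the primary suffix repeatedly and stops
    when two labels remain (assumed stop point).
    """
    if name.endswith("."):
        return [name]
    suffixes: list[str] = []
    if explicit_suffixes:
        suffixes.extend(explicit_suffixes)
    elif append_primary_and_connection:
        suffixes.append(primary_suffix)
        suffixes.extend(connection_suffixes)
        if append_parent_suffixes:
            labels = primary_suffix.split(".")
            while len(labels) > 2:
                labels = labels[1:]
                suffixes.append(".".join(labels))
    # Keep the first occurrence of each suffix; drop empty ones.
    seen: set[str] = set()
    ordered = []
    for suffix in suffixes:
        suffix = suffix.strip(".").lower()
        if suffix and suffix not in seen:
            seen.add(suffix)
            ordered.append(suffix)
    return [f"{name}.{suffix}" for suffix in ordered]


def registered_names(
    host: str,
    primary_suffix: str,
    connection_suffix: str,
    register_addresses: bool = True,
    use_connection_suffix: bool = False,
) -> list[str]:
    """Return the names this connection registers with dynamic update.

    Register This Connection's Addresses In DNS registers the full computer
    name (host plus primary suffix).  Use This Connection's DNS Suffix In
    DNS Registration additionally registers host plus the connection
    suffix; it is assumed to apply only when registration is enabled.
    """
    names = []
    if register_addresses:
        names.append(f"{host}.{primary_suffix}")
        if use_connection_suffix and connection_suffix:
            names.append(f"{host}.{connection_suffix}")
    return names
```

The candidate order is what decides which zone answers a short name first, so it is the list to review when a client's suffixes span more than one organization.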

22 What Is Active Directory?
A directory service uniquely identifies users and resources on a network. Active Directory service is the directory service included with Microsoft Windows 2000 products. Active Directory provides a single point of network management. Active Directory is a network service that:
- Identifies all resources on a network
- Makes all resources available to users and applications

23 What Is Active Directory? (Cont.) Active Directory includes the directory or data store. The directory is a structured database that stores information about network resources. Resources stored in the directory are referred to as objects.

24 Simplified Administration
Active Directory organizes resources hierarchically in domains. A domain is a logical grouping of servers and other network resources under a single domain name. A domain is the basic unit of replication and security. A domain includes at least one domain controller. Active Directory provides:
- A single point of administration for all objects on the network
- A single point of logon for all network resources

25 Scalability
The directory stores information by organizing itself into sections that permit storage for a huge number of objects. For example, the directory can be scaled to meet the needs of:
- Small installations with one server and a few hundred objects
- Huge installations with hundreds of servers and millions of objects

26 Open Standards Support
Active Directory's use of open standards:
- Integrates the Internet concept of a namespace with the Windows 2000 directory service
- Allows you to unify and manage multiple namespaces
- Uses DNS for its name system
- Can exchange information with any application or directory that uses Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP)
- Can share information with other directory services that support LDAP version 2 or version 3, such as Novell Directory Services (NDS)

27 Open Standards Support (Cont.): Domain Name System
DNS is the domain naming and locator service for Active Directory. Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic DNS (DDNS). Clients can update the DNS table dynamically. DDNS eliminates the need for other naming services. To function correctly, Active Directory and the associated client software require the DNS Service.

28 Open Standards Support (Cont.): Support for LDAP and HTTP
LDAP is an Internet standard for accessing directory services. HTTP is the standard protocol for displaying pages on the World Wide Web. You can display every object in Active Directory as an HTML (Hypertext Markup Language) page in a Web browser.

29 Support for Standard Name Formats
- Request for Comments (RFC) 822
- HTTP URL
- Universal Naming Convention (UNC). Example: \\microsoft.com\xl\budget.xls
- LDAP URL. Example: LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel

30 Logical Structure Active Directory separates the logical structure from the physical structure. Active Directory lets you organize resources in a logical structure. A resource is located by its name rather than its physical location. The network’s physical structure is transparent to all users.

31 Objects

32 Organizational Units An organizational unit (OU) is a container that you use to organize objects in a domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs. Each domain can implement its own OU hierarchy. There is no limit to the depth of the hierarchy, but shallow is better. An administrator can delegate administrative tasks by assigning permissions to OUs.

33 Domain The domain is the core unit of logical structure. All network objects exist within a domain. A domain stores information about only the objects that it contains. A practical limit to the number of objects in a domain is 1 million.

34 A Domain Is a Security Boundary
Access control lists (ACLs) control access to domain objects. ACLs contain the permissions associated with objects. ACLs control:
- Which users can access an object
- Which type of access users have to the objects
Security policies and settings do not cross from one domain to another. A domain administrator has absolute rights to set policies only in that domain.

35 Tree
A tree is a grouping of one or more Windows 2000 domains that share a contiguous namespace. The domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. All domains within a single tree share:
- A common schema
- A common Global Catalog

36 Forest A forest is a grouping of one or more domain trees that form a disjointed namespace. All trees in a forest share a common schema. Trees in a forest have different naming structures. All domains in a forest share a common Global Catalog. Domains in a forest operate independently, but the forest enables communication across the entire organization.

37 Physical Structure
The physical components of Active Directory are:
- Domain controllers
- Sites
The physical components of Active Directory are used to mirror the physical structure of an organization.

38 Domain Controllers
Each domain controller in a domain:
- Stores a complete copy of all Active Directory information for that domain
- Manages changes to that information
- Replicates changes to other domain controllers in the same domain
- Automatically replicates all objects in the domain to all other domain controllers in the domain
- Immediately replicates certain important updates, such as the disabling of a user account

39 Domain Controllers (Cont.) Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another controller is completely propagated. Having more than one domain controller in a domain provides fault tolerance. Domain controllers manage all aspects of user domain interaction, such as locating Active Directory objects and validating user logon attempts.

40 Sites The physical structure of Active Directory is based on sites. A site is a combination of one or more IP subnets. Typically, a site has the same boundaries as a local area network (LAN). Sites are not part of the logical namespace. Sites contain only computer objects and connection objects used to configure replication between sites. A single domain can span multiple geographical sites, and a single site can include accounts and computers from multiple domains.

41 Replication Within a Site Active Directory includes a replication feature. Replication ensures that changes to a domain controller are reflected by all domain controllers in a domain.

42 Ring Topology for Replication

43 Active Directory Terminology
- Schema
- Global Catalog
- Namespace
- Naming conventions

44 Schema
The schema contains a formal definition of the contents and structure of Active Directory. The schema contains two types of definition objects:
- Schema class objects define what objects can be stored in Active Directory.
- Schema attribute objects define the type of information that can be stored about each object.
The schema defines:
- The schema attribute objects required for each object
- The additional schema attribute objects that an instance of the class can have

45 Default Schema
Installing Active Directory on the first domain controller in a network creates the default schema, which contains:
- Definitions of commonly used objects and properties
- Definitions of objects and properties that Active Directory uses internally to function

46 Extensible Schema
You can define:
- New directory object types and attributes
- New attributes for existing objects
You can extend the schema:
- By using LDAP Data Interchange Format (LDIF) scripts
- Programmatically, or by using the Active Directory Services Interface (ADSI)
- By using the Active Directory Schema Manager snap-in
The schema is stored in the Global Catalog and can be updated dynamically.

47 Global Catalog The Global Catalog is the central repository of information about objects in a tree or forest. Active Directory automatically generates the contents of the Global Catalog. The Global Catalog is a service and a physical storage location. It contains a full replica (all information) for its host domain and a partial replica of all information in all other domains in the tree or forest. It enables finding directory information regardless of which domain in the tree or forest actually contains the data.

48 Global Catalog Servers Installing Active Directory on the first computer in a new forest makes that domain controller a Global Catalog server. The Active Directory Sites and Services snap-in allows you to designate additional Global Catalog servers. More Global Catalog servers means more replication traffic. More Global Catalog servers can provide quicker responses. Every major site should have a Global Catalog server.

49 Namespace
- Contiguous namespace: the name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace.
- Disjointed namespace: the names of a parent object and of a child of the same parent object are not directly related to one another. A forest is a disjointed namespace.

50 Naming Conventions
Every object in Active Directory is identified by a name. Active Directory uses a variety of naming conventions:
- Distinguished name (DN)
- Relative distinguished name (RDN)
- Globally unique identifier (GUID)
- User principal name (UPN)

51 Distinguished Name
Every object has a DN that:
- Uniquely identifies the object
- Contains sufficient information for a client to retrieve the object from the directory
- Includes the name of the domain that holds the object
- Includes the complete path through the container hierarchy to the object
DNs must be unique in the directory.

52 Relative Distinguished Name
Active Directory supports querying by attributes, so that:
- You can locate an object even if the exact DN is unknown
- You can locate an object even if the DN has changed
The RDN of an object is the part of the name that is an attribute of the object itself. You can have duplicate RDNs for Active Directory objects, but not in the same OU.
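As an added example (not part of the original presentation) covering the LDAP name format on slide 29 and the DN and RDN rules on slides 51 and 52, the Python below splits a distinguished name into its RDNs, recovers the object's container and the DNS name of its domain from the DC components, and checks a list of DNs for the one case slide 52 forbids: the same RDN twice inside one container. The DNs are constructed sample data (one is taken from slide 29), and backslash escaping of commas inside values is assumed to follow the usual LDAP string form.

```python
# Added example for slides 29, 51 and 52; not part of the original
# presentation.  The DNs used here are constructed sample data (one is the
# LDAP URL path from slide 29).  Escaping follows the common LDAP string
# representation of DNs, where a backslash escapes the next character.


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) pairs, leftmost
    RDN first, honouring backslash-escaped commas and equals signs."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value))
    return rdns


def _join(rdns: list[tuple[str, str]]) -> str:
    """Re-serialise RDN pairs, escaping commas that occur inside values."""
    escaped = [(a, v.replace(",", "\\,")) for a, v in rdns]
    return ",".join(f"{a}={v}" for a, v in escaped)


def rdn(dn: str) -> str:
    """The relative distinguished name: the leftmost component, which is an
    attribute of the object itself (slide 52)."""
    return _join(split_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The container holding the object: the DN minus its RDN (slide 51:
    the DN carries the complete path through the container hierarchy)."""
    return _join(split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """The DNS name of the domain holding the object, read from the DC
    components (slide 51: a DN includes the name of its domain)."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")


def duplicate_rdns(dns: list[str]) -> list[tuple[str, str]]:
    """Report (rdn, container) pairs that repeat inside one container.

    Slide 52: RDNs may repeat across the directory but not within the same
    OU.  Matching is case-insensitive, as directory names usually are.
    """
    seen: set[tuple[str, str]] = set()
    dupes = []
    for dn in dns:
        key = (rdn(dn).lower(), parent_dn(dn).lower())
        if key in seen:
            dupes.append((rdn(dn), parent_dn(dn)))
        seen.add(key)
    return dupes
```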

53 Globally Unique Identifier A GUID is a 128-bit number that is guaranteed to be unique. GUIDs are assigned when the object is created. The GUID for an object never changes. Applications use GUIDs to retrieve objects regardless of their current DNs.

54 User Principal Name User accounts have a friendly name, the UPN. The UPN is composed of the shorthand name for the user account and the DNS name of the tree where the user account object resides.

55 Chapter Summary DNS is the default naming system for IP-based networks. (It is not included in Windows XP Professional.) DNS resolves computer names to IP addresses and locates computers within local networks and on the Internet. The DNS database is indexed by name, so each domain must have a name. The domain namespace consists of a root domain, top-level domains, second-level domains, and host names. A forward lookup query resolves a name to an IP address, and a reverse lookup query resolves an IP address to a name. The DNS distributed database is indexed by name and not by IP address, but in-addr.arpa is based on IP addresses instead of domain names. You can configure a DNS client to obtain the address of the DNS server automatically, or you can manually enter multiple addresses for DNS servers.

56 Chapter Summary (Cont.) Active Directory is the directory service included in the Windows 2000 Server products. (It is not included in Windows XP Professional.) Active Directory includes the directory or data store, which stores information about network resources. Windows 2000 Server uses DDNS. Active Directory completely separates the logical structure of the domain hierarchy from the physical structure. The schema contains a formal definition of the contents and structure of Active Directory. The Active Directory schema is extensible.

57 Chapter Summary (Cont.) In a contiguous namespace, the name of the child object in an object hierarchy always contains the name of the parent domain. In a disjointed namespace, the name of the parent object and the name of a child object are not directly related. The Global Catalog contains select information about every object in all domains in the directory. Active Directory uses a variety of naming conventions: DN, RDN, GUID, and UPN.