
1 How to Succeed with Active Directory. Robert Williams, PhD, CEO, Secure Logistix Corporation

2 Presentation Outline. Demystifying Active Directory; Active Directory structure; interoperability and adherence to standards; common-sense planning and deployment tips.

3 What is a Directory Service? Stated simply, a directory service is a listing that helps organize and locate information. It has two primary components: a directory store for the data, and services that act on the data. Service functions include data replication, enforcement of security rules, data distribution, and more.

4 What is Active Directory? Microsoft's implementation of directory services in Windows 2000 Server and .NET Server (the pre-release name of Windows Server 2003). It is a networked object store and service that locates and manages resources. It authenticates users and authorizes their use of resource objects according to defined rules.

5 Specific Enterprise Functions of AD. Stores data on every object and its attributes. Security: authentication of users, access control lists (ACLs) on objects, and domain trusts. A central point for enterprise administration. A mechanism for OS interoperability. Consolidation of divergent directory services. A system to replicate object data.

6 Active Directory Relationships. Active Directory treats everything as an object: users, files, computers, devices, etc. Access to an object anywhere in the enterprise is possible, assuming permission. DNS locates domain controllers and resolves computer names during an object query. LDAP (Lightweight Directory Access Protocol) is the protocol used to find, read and modify objects in the directory. Kerberos v5, the authentication protocol designed at MIT and implemented by Microsoft for Windows 2000, provides user authentication.

7 Administration of Active Directory. Permits fine-grained hierarchical management. Supports delegation of administrative functions. Provides a single point for enterprise management. Supports open standards, APIs and scripting. Provides backward compatibility with Windows NT domains and interoperability with Novell Directory Services.

8 Active Directory Structure. Active Directory divides itself into logical and physical structures. Logical structures are the containers for data: domains, trees, forests, organizational units and the schema. Physical structures are the data locations and stores: sites, which are defined by the network, and domain controllers.

9 Logical Structure. The base components are objects and their attributes. The schema defines the object classes and attributes that can be stored. Objects are organized around a hierarchical domain model. Each domain has its own security permissions and a defined trust relationship with other domains.

10 Active Directory Domain. A hierarchical infrastructure of networked computers. A domain is the set of computer systems and network resources that share a common security and administrative boundary (Microsoft's later guidance treats the forest, not the domain, as the true security boundary, because administrators of any domain in a forest can affect the whole forest). A domain can cross physical locations and sites. It is viewed as a grouping of resources that use a common domain name (namespace).

11 Domain Trees. Multiple domains share a common schema, a common security relationship (transitive trusts) and a common Global Catalog. A domain tree is identified by a common, contiguous namespace: each child domain's DNS name is formed by prefixing a label to its parent's name, and the topmost domain is the root domain for the domain tree.

12 Active Directory Domain Tree. Users log on directly to a domain within the Windows 2000 domain tree. (Diagram: a root domain with its child domains.)

13 Domain Forest. A domain forest is formed when domain trees with different, non-contiguous namespaces are joined: when a new tree is added, a trust relationship is established between its root domain and the forest root domain. All trees within the forest share a common Global Catalog, configuration and schema. The forest has no separate name of its own; it is referred to by the name of its first (forest root) domain and is the reference point between trees.

14 Active Directory Forest. A user logs on to his or her own domain, but can be granted access to any resource in the forest. (Diagram: two domain trees, each with a root domain and child domains, joined in one forest.)

15 Organizational Units (OUs). Domains can be divided into organizational units. Organizational units can nest within one another. Use OUs to reflect departmental divisions or units with unique security and administrative requirements. Administrative delegation over a subset of resources is easy to apply at the OU level.

16 Active Directory OU. Organizational units (OUs) are sub-units within a domain. (Diagram: root and child domains subdivided into nested OUs; the example user's account resides in OU3 of a child domain. Note that users log on to a domain, not to an OU: the OU determines which delegated administrators and policies apply to the account.)
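As an added example (not part of the presentation), the following Python models the naming rules from slides 11 through 16: a domain belongs to the tree of the nearest ancestor in its DNS name that is itself an Active Directory domain, and an LDAP distinguished name (DN) encodes both the domain (its DC= components) and the OU chain (its OU= components). The domain names and DNs are constructed for the example.

```python
# Added example: models how AD tree membership follows the DNS namespace and
# how a distinguished name (DN) encodes an object's domain and OU placement.
# All domain names and DNs below are constructed for illustration.

DOMAINS = {
    "example.com", "hr.example.com", "eng.example.com",   # one tree
    "corp.net", "dev.corp.net",                            # second tree, same forest
}


def tree_root(domain: str, domains: set[str]) -> str:
    """Return the root domain of the tree that `domain` belongs to.

    Walk up the DNS name one label at a time; the highest ancestor that is
    itself an AD domain is the tree root. A domain with no AD ancestor is the
    root of its own tree (a non-contiguous namespace).
    """
    labels = domain.split(".")
    root = domain
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in domains:
            root = ancestor
    return root


def domain_trees(domains: set[str]) -> dict[str, list[str]]:
    """Group domains into trees keyed by their root domain."""
    trees: dict[str, list[str]] = {}
    for d in domains:
        trees.setdefault(tree_root(d, domains), []).append(d)
    return {root: sorted(members) for root, members in sorted(trees.items())}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, honouring "\\," escapes.

    Only the RFC 2253 backslash-character escape is handled; hex escapes such
    as "\\2C" are not, so values that use them would be returned unchanged.
    """
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):    # escaped character: take it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                          # an unescaped comma ends the RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_of_dn(dn: str) -> str:
    """DNS name of the domain holding the object: the DC= components, in order."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def ou_path(dn: str) -> list[str]:
    """OU chain from the domain root down to the object (a DN lists it leaf-first)."""
    return [v for t, v in reversed(parse_dn(dn)) if t == "OU"]
```

With the constructed domain set, `domain_trees` yields two trees (rooted at example.com and corp.net) that together make one forest, and `ou_path` on a DN such as `CN=Alice Example,OU=Payroll,OU=HR,DC=hr,DC=example,DC=com` gives `["HR", "Payroll"]`, the nesting that determines which delegated administrators apply to the account.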

17 Physical Structure. The mechanism for data communication and replication. Two primary components: the site, a set of well-connected IP subnets and the network structural component; and the domain controller (including those that hold the Global Catalog), the physical server that stores and replicates data.

18 Active Directory Site. The physical network structure of Active Directory. Purpose: provides a method to regulate inter-subnet traffic, both replication between domain controllers and logon traffic from clients, which are directed to a domain controller in their own site. Primary goal: rapid, economical data transmission. Do not define sites by location boundaries; define them by reliable, high-bandwidth connectivity. There is no formal relationship between site and domain: a site can span several domains and a domain can span several sites.
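As an added example (not from the presentation), the following Python shows how the subnet-to-site mapping behind slide 18 is used: a client's IP address is matched against the subnets assigned to each site, the most specific subnet wins, and the client is steered to the domain controllers of that site. It also shows the failure mode a practitioner should plan for: an address that falls in no defined subnet has no site affinity, so any domain controller is a candidate. Site names, subnets and domain controller names are constructed.

```python
import ipaddress

# Added example: maps a client IP address to an AD site the way the domain
# controller locator does (longest matching subnet wins) and lists the DCs the
# client should prefer. Site names, subnets and DC names are constructed.

SITE_SUBNETS = {
    "10.1.0.0/16":     "HQ",
    "10.1.200.0/24":   "HQ-DataCenter",   # more specific than 10.1.0.0/16
    "10.2.0.0/16":     "Denver",
    "192.168.50.0/24": "Denver",          # a second subnet assigned to the same site
}

DC_SITES = {
    "dc1.example.com": "HQ",
    "dc2.example.com": "HQ-DataCenter",
    "dc3.example.com": "Denver",
}


def site_for_address(address: str, site_subnets: dict[str, str] = SITE_SUBNETS):
    """Return the site whose most specific subnet contains `address`, else None."""
    ip = ipaddress.ip_address(address)
    best_net = None
    best_site = None
    for prefix, site in site_subnets.items():
        net = ipaddress.ip_network(prefix)
        if ip.version != net.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def candidate_dcs(address: str, dc_sites: dict[str, str] = DC_SITES,
                  site_subnets: dict[str, str] = SITE_SUBNETS) -> list[str]:
    """Domain controllers a client at `address` should prefer: those in its site.

    If the client's subnet is not assigned to any site there is no site
    affinity, so every DC is a candidate and the client may end up talking to
    a DC across a slow WAN link. Keeping the subnet table complete is what
    keeps logon traffic local.
    """
    site = site_for_address(address, site_subnets)
    if site is None:
        return sorted(dc_sites)
    return sorted(dc for dc, dc_site in dc_sites.items() if dc_site == site)
```

A quick audit built on the same idea is to run every known client subnet through `site_for_address` and list those that return `None`; each one is a subnet whose clients will authenticate against whichever domain controller answers first.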

19 Domain Controller (DC). A server holding a writable copy of the Active Directory database for its domain. All domain controllers are peers that maintain replicated versions of the directory (multi-master replication, apart from a few single-master operations roles). A DC locates resources and authenticates users. A Global Catalog server is a domain controller that additionally holds a partial, read-only replica of every object in the forest, carrying only a subset of attributes, for rapid forest-wide searching and locating of resources. A DC is assigned to a site at installation, based on its IP address.

20 Role of the Domain Controller. Every domain controller maintains, as part of Active Directory: data on every object and container object in its domain; metadata about the other domains in the tree or forest; a listing of all domains in the tree or forest; and the location of the servers holding the Global Catalog.

21 Adherence to Industry Standards. Greater interoperability comes from adherence to open standards: DNS SRV records and DNS Dynamic Update, RFC 2052 and RFC 2136; Dynamic Host Configuration Protocol, RFC 2131; Kerberos v5, RFC 1510 (since superseded by RFC 4120); Lightweight Directory Access Protocol, RFC 2251 and RFC 1823; LDAP schema, RFC 2247, RFC 2252 and RFC 2256; Simple Network Time Protocol, RFC 1769; Simple Mail Transfer Protocol, RFC 821; TCP/IP, RFC 791 and RFC 793; X.509 v3 certificates, ITU-T/ISO X.509.

22 Simplifying Planning/Deployment. Active Directory planning and deployment is a large task, but not an overwhelming one. Start by gathering organizational data. Design the domain model around the organizational structure. Design site and domain controller requirements around the available network connectivity.

23 Gathering Organizational Data. The required data is readily available. Start with organization charts to help define domains and OUs. Define which data resources are shared and which are restricted. Ask HR for employee classifications to drive group membership and group policies. Establish permissions based on common system needs. Map physical locations and available connectivity. Review where organizational shifts are likely to occur.

24 Domains vs. Organizational Units. A single domain with OUs is the easiest to manage. A single-domain model may not meet the needs of more complex organizations. Generally, size and the need for a separate identity are the critical decision points.

25 When to Use Domain Trees. A desire for decentralized management. Unique business activities that dictate child domains. A need to establish unique domain-wide policies (in Windows 2000, for example, account and password policy is set per domain). In large organizations, child domains lend themselves to localized rather than centralized control.

26 When to Use the Domain Forest Model. When separate domain names are required. When radically different business activities exist. When acquired organizations require trusts during the initial merging of operations. Joint ventures or partnership arrangements where resources and data must be shared.

27 Restricting Domain Forest Trusts. Trusts between parent and child domains within a tree, and between each tree root and the forest root, are two-way and transitive; they are created automatically when a domain joins the forest. Trusts to domains outside the forest (external trusts in Windows 2000) are established explicitly, one direction at a time, and are NOT transitive: they extend only to the two domains named in the trust and never to the rest of either side's forest. Set every trust that crosses the forest boundary explicitly, and create only the direction that is actually needed.
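As an added example (not from the presentation), the following Python evaluates the trust rules from slides 13, 14 and 27: automatic intra-forest trusts are two-way and transitive, so a logon can chain through them, while an external trust is one-way and non-transitive and can only be used directly between the two domains it names. Domain names are constructed, and the `(trusting, trusted, transitive)` tuple representation is this example's own, not an Active Directory data structure.

```python
from collections import deque

# Added example: decides whether an account from one domain can be granted
# access in another, given a set of trusts. Each trust is written as
# (trusting_domain, trusted_domain, transitive): "trusting trusts trusted"
# means accounts from trusted_domain can be granted access to resources in
# trusting_domain. Domain names are constructed for illustration.

Trust = tuple[str, str, bool]


def two_way(a: str, b: str, transitive: bool = True) -> list[Trust]:
    """A two-way trust is simply a trust in each direction."""
    return [(a, b, transitive), (b, a, transitive)]


# Automatic, two-way, transitive trusts inside one forest:
FOREST_TRUSTS: list[Trust] = (
    two_way("example.com", "hr.example.com")     # parent/child
    + two_way("example.com", "eng.example.com")  # parent/child
    + two_way("example.com", "corp.net")         # tree root <-> forest root
)

# Explicit, one-way, non-transitive external trust to a domain outside the
# forest: example.com trusts partner.org, so partner.org accounts can be
# given access to example.com resources, and to nothing else in the forest.
EXTERNAL_TRUSTS: list[Trust] = [("example.com", "partner.org", False)]

ALL_TRUSTS: list[Trust] = FOREST_TRUSTS + EXTERNAL_TRUSTS


def trust_path(resource_domain: str, account_domain: str,
               trusts: list[Trust] = ALL_TRUSTS):
    """Chain of domains from the resource domain to the account domain, or None.

    A non-transitive trust may only be used directly between its two domains;
    any longer chain must consist entirely of transitive trusts.
    """
    if resource_domain == account_domain:
        return [resource_domain]
    for trusting, trusted, _transitive in trusts:
        if trusting == resource_domain and trusted == account_domain:
            return [resource_domain, account_domain]   # direct trust of either kind
    # Beyond one hop, only transitive trusts may be followed.
    transitive_edges: dict[str, list[str]] = {}
    for trusting, trusted, transitive in trusts:
        if transitive:
            transitive_edges.setdefault(trusting, []).append(trusted)
    previous: dict[str, str | None] = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for nxt in transitive_edges.get(current, []):
            if nxt in previous:
                continue
            previous[nxt] = current
            if nxt == account_domain:
                path = [nxt]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def can_authenticate(account_domain: str, resource_domain: str,
                     trusts: list[Trust] = ALL_TRUSTS) -> bool:
    """True if an account from account_domain can be granted access in resource_domain."""
    return trust_path(resource_domain, account_domain, trusts) is not None
```

With these constructed trusts, an hr.example.com user can reach a resource in eng.example.com through the forest root, a partner.org user can be granted access in example.com but not in hr.example.com, and no example.com user can be granted access in partner.org because the external trust runs in one direction only.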

28 Conclusion. Active Directory is a very powerful tool for enhancing administration and security. Understanding its basic logical and physical structure is fundamental. Planning and deployment require work, but are not as overwhelming as press reports suggest.

29 Further Information. Contact Robert Williams. References by Robert Williams, forthcoming 2002. © Copyright Robert Williams 2002.
