Presentation transcript

1 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 1: Introduction to Active Directory
2 The world before Active Directory
- The overwhelming majority of networks today run without any single unified directory service.
- Many companies store information in various disconnected systems. For example:
  - Companies record data about their employees in a human resources database.
  - Network accounts reside on a Windows NT 4 domain controller.
  - Other information, such as security settings for applications, resides within various other systems.
  - And there's always the classic: paper-based forms!

3 Windows NT to the rescue!
- Windows NT is a NOS (Network Operating System).
- The goal of Windows NT was to bring security, organization, and accessibility to information throughout a company's network.
- The GUI got rid of cryptic command-line interfaces and simplified management.
- Windows NT offered reliability, scalability, performance, flexibility, and compatibility with a large installed base of current software products.

4 Domain Model in Windows NT 4
- One Primary Domain Controller (PDC) per network.
- Several Backup Domain Controllers (BDCs).
- All network security accounts are stored within the PDC. To improve performance and reliability, the database is replicated to the BDCs.
- There can only be one master copy of the account database; this copy resides on the PDC. All user and security account changes must be recorded by the PDC.
- This model only works well for small- to medium-sized organizations.

6 Limitations of Windows NT 4
- Multiple domains are complicated and management intensive.
- Trust relationships can grow out of control!
- Domains are flat entities; they cannot be organized in a hierarchical fashion (using subdomains for administrative purposes).
- No nesting of users and groups is allowed.
- Setting permissions is extremely tedious and error prone (because of the previous item).

7 Limitations of Windows NT 4 (Cont.)
- Security allowed for complete control over the domain controller; some users had too many permissions. (This poses several potential problems, both business and technical.)
- Nevertheless, Windows NT 4 provided an excellent solution to many businesses. But as with almost any technical solution, there were areas in which improvements could be made.

8 Active Directory Design
- Before setting up a server environment, you must design a suitable Active Directory. Several choices need to be made and many considerations taken into account:
- Political issues
  - How does the current business operate: as single, independent businesses or as a centralized environment?
  - Who will be responsible for administering portions of the network?
- Network issues
  - What types of connections exist between remote offices? How reliable are the connections?
  - What are the domain name requirements?
- Organizational issues
  - How are the areas of the business structured? For example, do the departments operate individually, with separate network administrators for each department? Or is the environment much more centralized?
9 Planning and Implementing an Active Directory Infrastructure
- Most crucial step.
- Poor planning may cause poor performance.
- Must consider the pre-existing network, hardware, etc.

10 Managing and Maintaining an Active Directory Infrastructure
- Small changes are constantly required.
- Upgrades involve changes.
- Regular maintenance ensures good performance.
- Troubleshooting is required when problems occur.

11 Planning and Implementing User, Computer, and Group Strategies
- Authentication
  - Identifying a user to the network.
  - A password is the most common method.
- Authorization
  - Determines what resources a user can access.
  - Users are typically grouped together for authorization.

12 Planning and Implementing Group Policy
- Used to manage the way workstations, servers, and user environments behave.
- Examples:
  - Require all communications between clients and servers to be encrypted.
  - Control how the user's desktop appears.
  - Perform maintenance tasks.

13 Planning and Implementing Group Policy (continued)
- Examples:
  - Deploy applications to computers or users throughout the network.
- Influenced by:
  - User requirements
  - Corporate policies
  - Network design
  - Who manages policies

14 Managing and Maintaining Group Policy
- Changes to policies, and troubleshooting the results of policies, may be required.
- Updates can be applied to computers that had applications installed via Group Policy.
- Example: an older version of antivirus installed on machines can be upgraded to a newer version via Group Policy.
15 Windows Networking Concepts Overview
- Network models:
  - Domain
  - Workgroup
- Windows Server 2003 system roles:
  - Standalone server
  - Member server
  - Domain controller

16 Workgroups
- Logical group of computers.
- Characterized by a decentralized security and administration model.
- Every computer holds its own security database, known as the Security Accounts Manager (SAM) database.
- Each computer must authenticate users independently.

17 Workgroups (continued)
- Benefits:
  - Simple
  - Does not explicitly require a server
- Drawbacks:
  - Time consuming to manage
- A Windows Server 2003 system participates as a standalone server.

19 Domains
- Logical group of computers.
- Characterized by centralized authentication and administration.
- All domain computers use a centralized security database.
- Domain controllers (DCs):
  - Special servers
  - Responsible for managing the security database
  - Responsible for authenticating users on the domain

20 Domains (continued)
- Active Directory is stored on one or more computers configured as domain controllers.
- A DC can be:
  - Windows 2000 Server
  - Windows Server 2003

22 Domains
- Other domain computers: "domain members" or "member servers".
- Can authorize access to a particular resource based on the domain authentication.
- Highly recommended in environments that consist of more than 10 users or workstations.

23 Domains (continued)
- Requires at least one server configured as a domain controller (additional expense).
- A minimum of two domain controllers is preferred:
  - Provides fault tolerance
  - Load balancing

25 Domains
- Member servers: Windows Server 2003 systems that have a computer account in a domain but are not configured as a domain controller.
- Used for a wide variety of functions, including:
  - File server
  - Print server
  - Application server

26 Domains (continued)
- Member servers commonly host network services such as:
  - Domain Name Service (DNS)
  - Dynamic Host Configuration Protocol (DHCP)
- Domain controller:
  - Windows Server 2003 system explicitly configured to store a copy of the Active Directory database
  - Responsible for servicing user authentication requests and queries about domain objects
27 Introduction to Windows Server 2003 Active Directory
- Native directory service included with the Windows Server 2003 operating systems.
- Provides:
  - A central point for storing, organizing, managing, and controlling network objects
  - A single point of administration of objects

28 Introduction to Windows Server 2003 Active Directory (continued)
- Provides:
  - Logon and authentication services for users
  - Delegation of administration
- Each domain controller has a writeable copy of the directory database: make Active Directory changes on any domain controller, and the changes are replicated to all other domain controllers.

29 Introduction to Windows Server 2003 Active Directory (continued)
- Multi-master replication provides a form of fault tolerance.
- DNS:
  - Used to maintain domain-naming structures
  - Used to locate network resources

30 Active Directory Objects
- Represent network resources such as users, groups, computers, and printers.
- Various attributes are assigned to objects. Examples: first name, last name, user logon name, etc.

32 Active Directory Schema
- Defines all of the objects and attributes available in Active Directory.
- Only one schema for each Active Directory implementation, to maintain consistency.
- Consists of two main definitions:
  - Object classes (example: users, printers)
  - Attributes (example: description)

33 Active Directory Logical Structure and Components
- Logical components:
  - Domains and organizational units
  - Trees and forests
  - Trusts

34 Domains and Organizational Units
- Domain: a logically structured organization of objects.
- Part of a network.
- Shares a common directory database.
- Has a unique name.
- Organized in levels.
- Administered as a unit with common rules and procedures.
- Provides administrative benefits.

35 Domains and Organizational Units (continued)
- Organizational unit (OU):
  - Logical container used to organize objects within a single domain.
  - Stores objects such as users, groups, computers, and other organizational units.
  - Ability to delegate administrative control over an OU.
  - Example: organize users based on the department in which they work! Delegate admin rights/permissions to add and remove users within the OU.

37 Trees and Forests
- Reasons for multiple domains:
  - Geographic separation
  - Different password policies
  - Large number of objects
  - Replication performance
- Forest root domain: the first domain defined in a deployment.

38 Trees and Forests (continued)
- Tree: a hierarchical collection of domains that share a contiguous DNS namespace.
- Forest: a collection of trees that do not share a contiguous DNS naming structure.

41 Trusts
- Two-way, transitive trust relationships are automatically created for child domains.
- Transitive trust: all other trusted domains implicitly trust one another.
42 Activity 1-4: Creating a Child Domain in an Existing Domain Tree
- Objective: promote a member server to a domain controller for a new child domain in an existing domain tree.
- Use the Active Directory Installation Wizard or the Configure Your Server Wizard to create the domain.

44 Active Directory Communications Standards
- DNS naming standard:
  - Hostname resolution
  - Provides information on the location of network services and resources
- Lightweight Directory Access Protocol (LDAP):
  - Used to query or update the Active Directory database
  - Naming paths: distinguished name, relative distinguished name
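As an added example (not from the textbook), the following Python splits an LDAP distinguished name into its relative distinguished names and recovers the container and DNS domain from it; the sample DN, OU and domain names are constructed for illustration. It honors backslash-escaped commas, which a plain split on "," would get wrong.

```python
# Added example: LDAP naming paths. A distinguished name (DN) is a comma-separated
# chain of relative distinguished names (RDNs); the leftmost RDN names the object.

def split_dn(dn):
    """Split a DN into its RDN strings, most specific first.

    A comma separates RDNs unless escaped with a backslash (RFC 4514), as in
    'CN=Smith\\, John', so the scan keeps escape pairs together.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # escaped character belongs to the value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn_of(dn):
    """The relative distinguished name: the leftmost component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the container (OU or domain) that holds the object."""
    return ",".join(split_dn(dn)[1:])


def domain_dns_name(dn):
    """Rebuild the DNS domain name from the DC= components of the DN."""
    labels = [p.split("=", 1)[1] for p in split_dn(dn) if p.upper().startswith("DC=")]
    return ".".join(labels)


# Constructed sample: a user object in a Sales OU of a hypothetical domain.
SAMPLE_DN = "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(rdn_of(SAMPLE_DN))           # CN=Smith\, John
    print(parent_dn(SAMPLE_DN))        # OU=Sales,DC=corp,DC=example,DC=com
    print(domain_dns_name(SAMPLE_DN))  # corp.example.com
```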
45 Active Directory Physical Structure
- Make sure any modification to the database is replicated as quickly as possible.
- Design the topology so that replication does not saturate available network bandwidth.
- Control logon traffic.
- See page 25: Logical vs. Physical Structure.

46 Active Directory Physical Structure (continued)
- Site: a combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection.
- Site link: a configurable object that represents a connection between sites.
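An added example, not from the textbook, of how a client's address is placed in a site from the subnets assigned to each site, which is what lets logon traffic be kept local. The site names and address ranges are constructed, and the code assumes (as Active Directory does) that the most specific matching subnet decides.

```python
# Added example: sites are built from IP subnet objects; a client belongs to the
# site whose subnet contains its address, with the longest prefix winning.
import ipaddress

# Constructed subnet-to-site assignments (hypothetical site names and ranges).
SITE_SUBNETS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-Denver",
    "10.20.5.0/24": "Branch-Denver-Lab",
    "192.168.50.0/24": "Branch-Austin",
}


def resolve_site(client_ip, site_subnets=SITE_SUBNETS):
    """Return the site whose subnet most specifically contains client_ip, or None.

    Several subnets may contain one address (10.0.0.0/8 also covers 10.20.5.9);
    the longest prefix wins, so the client lands in the most specific site.
    """
    addr = ipaddress.ip_address(client_ip)
    best_len, best_site = -1, None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def clients_without_site(client_ips, site_subnets=SITE_SUBNETS):
    """Addresses covered by no subnet object. Such clients cannot be steered to a
    domain controller in their own site, so their logon traffic may cross slow
    site links; a design review should assign every client range to a site."""
    return [ip for ip in client_ips if resolve_site(ip, site_subnets) is None]


if __name__ == "__main__":
    for ip in ("10.20.5.9", "10.20.9.1", "10.1.1.1", "172.16.0.1"):
        print(ip, "->", resolve_site(ip))
    print("unassigned:", clients_without_site(["10.1.1.1", "172.16.0.1"]))
```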
48 Global Catalog
- Used primarily for:
  - Finding Active Directory information from anywhere in the forest
  - Universal group membership information
  - Authentication services
  - Directory lookup requests from Exchange 2000/2003
- The first domain controller in Active Directory automatically becomes a Global Catalog server.

49 New Active Directory Features in Windows Server 2003
- Windows Server 2003 brings new features and capabilities.
- Primary benefits:
  - Flexibility
  - Lower total cost of ownership (TCO)

50 Deployment and Management
- Active Directory Migration Tool (ADMT) 2.0
- Domain rename
- Schema redefine