Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS603 Active Directory February 1, 2001.

Similar presentations

Presentation on theme: "CS603 Active Directory February 1, 2001."— Presentation transcript:

1 CS603 Active Directory February 1, 2001

2 What is Active Directory?
Microsoft’s Windows 2000 directory server Included in Windows 2000 Server Microsoft finally using Internet standards for network naming DNS for machine naming LDAP (RFC 2251) for accounts/users Also supports legacy Microsoft directories ADSI (COM) Synchronizes with Exchange and other directories

3 What goes in Active Directory? Objects
Object: Anything that gets a name Container objects Leaf objects Key object types: User Principal Name Security Account Manager name (compatiblity with NT) Object publishing Shared folders Printers RPC, Winsock, DCOM

4 Active Directory Schema
Schema: Object that describes object classes, attributes Attributes Defined globally Can be indexed (independent of object class) Object classes – allowable collections of attributes Default schema Cannot delete from default Can mark items as deactivated Can be extended – but not reversible

5 Object Naming Conventions
Names unique in a domain LDAP Distinguished name disambiguates across domains Also Security ID, GUID, Active Directory Canonical name GUID is permanent, others change if object moved between domains GUID is “real object identifier” – globally unique Security Principal: User, computer, or group Security ID: Used internally Access Control Entry (read ACL) lists SIDs (not names) allowed to access object Doesn’t support full LDAP naming convention Cn=common name, ou=organizational unit, dc=domain component Ldap: cn, ou, o=organization, c=country

6 ActiveDirectory and DNS
Same Name for same machine Different namespaces Follow same hierarchical structure Active Directory requires DNS Needed to locate Active Directory server Uses Service Location Resource records DNS can store information in Active Directory

7 Hierarchical Directory Structure
Domain: Individually managed subset of name space Single controller supports one domain Replication done at entire domain level – multimaster replication Namespace can have multiple domains – forest Why forest and not tree? Root tied to DNS name! Global catalog for entire forest – used for logon requests Security policies/settings don’t cross domains Can only build down in hierarchy

8 Trust Relationships What does trust mean? Trust relationships
Authentication: Single system logon Doesn’t imply permissions in multiple domains Share common configuration information. Share a common schema. Share a common global catalog. Trust relationships Parent/child trust each other Roots of trees in forest trust each other Trust is transitive “Shortcut” trust relationships to save transitive search Can trust external methods

9 Domain Controller Roles (Beyond directory service)
Forest-wide roles Schema master Domain naming master Domain-wide roles Relative ID master Assigns Unique Security ID (SID) to each object Primary Domain Controller Emulator Emulates WindowsNT domain controller Infrastructure master Handles replication across domains

10 Other Hierarchies: Organizational Units
Use to delegate authority Can have administrative authority only over OU Subset of domains

11 Replication Global Catalog contains subset of domain attributes
Allows logon, lookup without going to source domain Replicated at multiple sites Methods: IP SMTP Determining latest update: Universal Sequence Number Timestamp if USNs same Replication path may have loops Don’t propagate already propagated updates

12 Sites Idea: Highly Connected Machines Independent of Domains
Clients can request service from a domain controller in the same site (if one exists). Active Directory tries to minimize replication latency for intra-site replication. Active Directory tries to minimize bandwidth consumption for inter-site replication. Sites let you schedule inter-site replication. Independent of Domains Can delegate authority over site

13 Microsoft Metadirectory Services (MMS)
Goal: Single directory for multiple applications Brokers to provide directory information to multiple vendors Acquired from Zoomit corporation Uses Active Directory Also moving to use Active Directory instead of internal solutions in other Microsoft products (e.g., Exchange Server)

Download ppt "CS603 Active Directory February 1, 2001."

Similar presentations

Ads by Google