
Introducing Microsoft Active Directory Services CSIS 165 – Week 1B Exams 70-217 & 70-294.




1 Introducing Microsoft Active Directory Services CSIS 165 – Week 1B Exams 70-217 & 70-294

2 CSIS 165 – Week 1B  Windows 2003 Systems Overview  Ch 1 - Introduction To Active Directory  Ch 2 – Domain Naming Services (DNS)

3 Windows 2003 Security Models  Workgroups  Windows Server is not required  User accounts are managed locally  Resources are managed locally  Domains  User accounts are managed centrally  Most resources are managed centrally  Windows Server is required

4 Windows 2003 Architecture  Two major layers:  User mode  Environment subsystems  Integral subsystems  Kernel mode

5 Environment subsystems  Emulate other operating systems' APIs  Win32, OS/2 and POSIX (UNIX) in Windows NT/2000; Windows Server 2003 ships only Win32, the OS/2 subsystem was dropped and POSIX support moved to the separately installed Services for UNIX (Interix)  Restrictions on applications:  Can access only the associated API  Cannot access:  Hardware, drivers  Kernel (system) memory

6 Integral Subsystems  Security subsystem  Logon processing  Authentication  Resource access  Workstation service  Access shared resources  Server service  Provide shared resources

7 Kernel Mode  System services – Available to kernel and user mode processes  IO manager, virtual memory manager  Internal services – Available only to kernel mode processes

8 Windows 2003 Subsystems

9 Chapter 1 Introduction to Active Directory

10 Active Directory Features & Services  Authentication of users  Controlling access of resources  Advertisement of resource  Centralized administration  Replication platform  Support for open standards

11 Active Directory Architecture  Client Interfaces  LDAP/ADSI, MAPI, SAM, REPL  Directory System Agent (DSA)  Database Layer  Extensible Storage Engine  Data Store (NTDS.DIT)

12 Active Directory Architecture

13 Active Directory Object Containers  Active Directory Objects  Active Directory Schema  Active Directory Logical Structures  Domains  Organizational Units  Trees & Forests  Physical Structures  Domain Controllers  Sites

14 Active Directory Objects  Define consumers  users & groups  Define resources  Computers & servers  Shared services  Printers, etc…  Container objects  Domains  Organizational units  Groups  Sites  Forest

15 Active Directory Schema  Defines objects  Classes  Represent a type of object  Contain attributes  Attributes  Define properties of objects  Name, Datatype & length, etc…  May be included in multiple classes  Schema may be extended by adding or modifying classes and attributes  Additions cannot be deleted, only deactivated (made defunct); undoing a change means restoring AD from a System State backup taken before it  Requires membership in the Schema Admins group (forest root domain), the AD Schema snap-in, and a connection to the schema master  Done automatically (ForestPrep) when Exchange 2000 is installed

16 Active Directory Components  Domains - Security boundary (the exam answer) and replication boundary for the domain partition  Users and resources belong to one domain.  Domain Admins defines the administration boundary.  Caveat: Microsoft's own guidance is that the forest, not the domain, is the real security boundary – a Domain Admin in any domain can take over every domain in the forest, so administrators you do not trust need a separate forest  Organizational Units  Users and resources exist in OU’s  Provide namespace  Apply group policy  Do not confer privileges – groups do that  Trees and Forests  Trees – contiguous DNS namespace  Forest – all domains share one schema, one configuration partition and one Global Catalogue  Two-way implicit, transitive trusts  Sites - Define replication boundaries

17 Active Directory Concepts  Global Catalog  Sites and Replication  Domains and Trusts  DNS namespace

18 Global Catalog  Functions:  Holds a full, writable replica of its own domain.  Holds a partial, read-only replica (a subset of attributes) of every other domain in the forest.  Is the only source of Universal group membership  Required for logons in a native-mode domain (to evaluate universal group membership) – if no GC can be reached, only members of Domain Admins can log on; Windows 2003 can instead cache universal group membership per site  Resolves user principal names (user@suffix) at logon  Creating Global Catalog servers:  By default, only the first DC in the forest is a GC.  Additional GC servers can be created on any DC (Sites and Services, NTDS Settings).  Two rules:  Have a GC at every physical site.  Keep the GC and infrastructure master role on separate hosts, unless every DC in the domain is a GC (or the forest has a single domain), in which case the infrastructure master has nothing to update.

19 Replication  What information is replicated?  Schema partition (forest-wide)  Configuration partition – sites, subnets, site links, services (forest-wide)  Domain partition – the AD objects of one domain (domain-wide)  Global Catalogue partial attribute set – read-only copies of every other domain  Windows 2003 adds application partitions (e.g. DomainDnsZones and ForestDnsZones for AD-integrated DNS) with their own replication scope  Sites provide replication boundaries

20 Replication  Replication Within a Site:  Replication topology is built automatically by the Knowledge Consistency Checker (KCC)  Provides at least two paths between DCs; no DC is more than three hops from any other  Replication is triggered by change notification  Transmissions are not compressed – RPC over IP  Replication between sites:  Occurs between bridgehead servers  Occurs as scheduled on the site link  Is compressed and may use SMTP (SMTP can carry only the schema, configuration and GC partial replicas, never the domain partition)  Urgent replication: account lockouts, LSA secret changes and RID pool changes replicate immediately; password changes are also pushed straight to the PDC emulator.

21 Trusts  Implicit two-way transitive trusts:  Created automatically between parent and child domains in a tree and between each tree-root domain and the forest root.  Because they are transitive, every domain in the forest trusts every other domain.  Explicit trusts (created by an administrator):  External trusts – one-way (or two one-way), non-transitive: AD domain to an NT 4.0 domain, or to a domain in another forest  Realm trusts – AD domain to a non-Windows Kerberos realm, transitive or non-transitive  Forest trusts (Windows 2003 forest functional level) – between two forest root domains, transitive across both forests but never on to a third  Shortcut trusts – between two domains in the same forest, to shorten the Kerberos referral path
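The transitivity rule on the slide, as an added example that is not part of the original presentation: implicit forest trusts can be chained, an explicit external trust cannot. The forest layout is constructed for illustration: wallihan.com is taken as the forest root with mcse.wallihan.com (the presentation's example domain) as its child, saic.com as a second tree in the same forest, and LEGACY as a hypothetical NT 4.0 domain reached through a one-way external trust. Forest and realm trusts, whose transitivity is bounded, are not modelled.

```python
from collections import deque

# (trusting, trusted, transitive): "trusting" accepts authentication from
# "trusted".  Forest-internal trusts are two-way, so both directions appear.
# All names below are constructed for the example.
TRUSTS = [
    ("wallihan.com", "mcse.wallihan.com", True),   # parent <-> child
    ("mcse.wallihan.com", "wallihan.com", True),
    ("wallihan.com", "saic.com", True),            # forest root <-> tree root
    ("saic.com", "wallihan.com", True),
    ("mcse.wallihan.com", "LEGACY", False),        # external, one-way: mcse trusts LEGACY
]


def trusts(trusting, trusted, trust_list=TRUSTS):
    """True if `trusting` will accept principals from `trusted`.

    A direct trust of either kind works on its own.  Only transitive trusts
    may be chained; a non-transitive trust is never part of a longer path,
    not even as the last hop.
    """
    if trusting == trusted:
        return True
    if any(a == trusting and b == trusted for a, b, _ in trust_list):
        return True
    seen, queue = {trusting}, deque([trusting])
    while queue:                               # BFS over transitive edges only
        cur = queue.popleft()
        for a, b, transitive in trust_list:
            if a == cur and transitive and b not in seen:
                if b == trusted:
                    return True
                seen.add(b)
                queue.append(b)
    return False


def who_trusts(trusted, trust_list=TRUSTS):
    """Every other domain that accepts `trusted`'s principals: the blast
    radius if `trusted` is compromised."""
    domains = {d for edge in trust_list for d in edge[:2]}
    return sorted(d for d in domains if d != trusted and trusts(d, trusted, trust_list))
```

Every domain in the forest ends up in who_trusts() for every other forest domain, which is the practical meaning of "transitive"; LEGACY is trusted by the one domain that created the external trust and by nobody it chains to.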

22 DNS Namespace  Forward-lookup namespace  Reverse-lookup namespace  Record types  Host, NS, MX, SRV, CNAME, PTR

23 Active Directory Namespace  Distinguished name (DN) – the full path of an object, e.g. CN=saicu20,CN=Computers,DC=mcse,DC=wallihan,DC=com  Relative distinguished name (RDN) – the leftmost component (CN=saicu20); unique only within its container  GUID (objectGUID)  Unique across all domains  Does not change when objects move or rename  Does not replace the NT 4.0-style SID: security principals (users, groups, computers) still carry an objectSid, and that is what ACLs and access tokens reference; the SID changes when an object moves to another domain (the old one is kept in sIDHistory), the GUID never does
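The DN and RDN of the slide, as an added example (not code from the presentation): a small parser that splits a distinguished name into its RDNs by the RFC 2253 rules, so that an escaped comma inside a value is not mistaken for a separator, and derives the DNS name of the object's domain from the DC= components. The computer DN uses the presentation's host saicu20 in the default Computers container; the user "Smith, John" in OU=Sales is a hypothetical object invented to show the escaping case.

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas.  A backslash escapes the
    following character, so 'CN=Smith\\, John' stays a single RDN.
    (RFC 2253 hex escapes such as \\2C are not handled here.)"""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn(dn):
    """Relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The container the object lives in (everything after the RDN)."""
    return ",".join(split_dn(dn)[1:])


def rdn_parts(component):
    """'CN=Smith\\, John' -> ('CN', 'Smith, John'): split on the first '='
    and drop the escaping backslashes from the value."""
    attr, value = component.split("=", 1)
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return attr.strip().upper(), "".join(out)


def domain_dns_name(dn):
    """The DC= components, read left to right, spell the domain's DNS name."""
    return ".".join(rdn_parts(p)[1] for p in split_dn(dn) if p[:3].upper() == "DC=")


def same_domain(dn_a, dn_b):
    """Two objects are in the same domain iff their DC= tails match."""
    return domain_dns_name(dn_a).lower() == domain_dns_name(dn_b).lower()
```

Splitting on a bare comma is the classic mistake in scripts that walk AD; a name like "Smith, John" silently yields one RDN too many, which is why the parser tracks the escape character.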

24 The Operation Master Roles  Forest-level (one per forest)  Schema Master – the only DC that can write the schema  Domain Naming Master – adds and removes domains (and application partitions) in the forest  Domain-level (one per domain)  Relative ID Master – hands out RID pools to DCs so that every SID stays unique  PDC Emulator - Down-level clients and BDCs; also receives password changes first, processes account lockouts, is the authoritative time source and the default target for Group Policy editing  Infrastructure Master – updates references to objects in other domains (group members from other domains); must not be a GC unless every DC is a GC

25 Active Directory Tasks & Tools  Active Directory Users and Computers:  Create & manage user accounts, groups & OUs  Transfer the RID, PDC emulator and infrastructure master roles  Active Directory Domains & Trusts  Manage trusts  Raise the domain or forest functional level (Windows 2000: change to native mode)  Assign alternate user principal name suffix  Transfer domain naming master role  Active Directory Sites and Services  Manage sites, subnets, site links and replication; enable or disable the GC on a DC  Active Directory Schema  Used to modify the AD schema; transfer the schema master role  Not installed by default – register the snap-in first (regsvr32 schmmgmt.dll)  Other tools covered in lab (e.g. ntdsutil, the only way to seize a role from a dead master) – Know them for the exam

26 Review  Roles of Active Directory  Windows & Active Directory Architecture  The Windows login process  The Active Directory schema  Active Directory objects  The Global Catalogue  Replication  Trusts  Operation Master Roles  Active Directory management tools

27 Ch 2 – Understanding DNS IP Addressing & Host Naming The hosts file DNS Objectives The DNS Namespace DNS Messaging The Name Resolution Process Planning a DNS Infrastructure

28 IP Addressing & Host Naming Earliest IP network – ARPANET Single-level (flat) names identified hosts Names were mapped to IP addresses in a hosts file copied to every machine Problems: The hosts file would become enormous New host entries required every copy of the hosts file to be updated Administrators could not choose just any host name – only names not yet used anywhere on the network

29 The Hosts File
C:\WINNT\system32\drivers\etc\hosts (i.e. %SystemRoot%\system32\drivers\etc\hosts)
Entries in this file are consulted before DNS is queried, so it is a favourite target for tampering; check it during incident response.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
10.11.200.253   saicu20
10.11.200.253   saicu20.mcse.wallihan.com

30 DNS Objectives Decentralize name management Flexible identification of services Identify services such as mail hosts Solutions: A hierarchic namespace Diverse resource record types

31 The Forward Lookup Namespace Resolves host names to IP addresses Locates services Root domain “.” Top-level domains – com, org, gov, etc… Second-level domains – privately managed

32 The Forward Lookup Namespace (diagram: the root “.” delegates to the top-level domains com and org; com delegates to saic, which holds the host record for www. Each delegation is expressed by NS records in the parent pointing at the child's name servers.)

33 Forward Lookup Zones Zones are the unit of storage and authority (a zone file, or an AD-integrated zone stored in the directory) A zone may hold one or more domains Zones represent a contiguous namespace Zones define replication (zone transfer) boundaries

34 Forward Lookup Zones (diagram: com delegates to saic, which contains domain1 and domain2. Zone 1 and Zone 2 each cover a contiguous sub-tree, e.g. saic with domain1, and domain2 on its own. A zone that skips a level, e.g. com together with domain1 but not saic, is an invalid zone because its namespace is not contiguous.)

35 DNS Messaging DNS uses UDP port 53 for name resolution DNS uses TCP port 53 for zone transfers (AXFR/IXFR) and when a UDP answer is truncated (TC flag set because the reply exceeds 512 bytes) A single message format handles all traffic: header, question, answer, authority and additional sections DNS Header – See book Flags Bit8 – Recursion desired (RD, set by the client) Flags Bit9 – Recursion available (RA, set by the server); the bit numbers count the 16-bit flags word from 1 Restrict zone transfers to your listed secondaries – an open AXFR hands your whole zone to anyone who asks

36 The Name Resolution Process (diagram: the client sends a recursive query to its local DNS server; that server walks the tree with non-recursive, i.e. iterative, queries, first to the root “.”, then to com, then to saic, following each referral, and returns the final answer to the client.)

37 The Reverse Lookup Namespace (diagram: “.” → arpa → in-addr → 10 → 11 → 200 → 253. The octets of the address are reversed so that the most significant octet sits nearest the root: 10.11.200.253 is looked up as 253.200.11.10.in-addr.arpa, whose PTR record points to saicu20.mcse.wallihan.com.)
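The message format of slide 35 and the reverse-lookup name of slide 37, as an added example that is not part of the original presentation. build_query() produces a wire-format query, parse_message() decodes the header flags (QR, TC, RD, RA) and the question and answer sections, and check_response() applies the checks a resolver must make before trusting a UDP reply. The round trip in sample_exchange() is constructed by hand, not captured traffic: the transaction ID 0x1234, the TTL and the reply for the presentation's host saicu20.mcse.wallihan.com are all assumed values.

```python
import struct

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1
# bits of the 16-bit flags word (slide 35 counts RD as bit 8 and RA as bit 9 from 1)
QR, TC, RD, RA, RCODE_MASK = 0x8000, 0x0200, 0x0100, 0x0080, 0x000F


def encode_name(name):
    """'a.b' -> length-prefixed labels b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode labels at msg[off:], following 0xC0 compression pointers.
    Returns (name, offset just past the name field in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if n == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(bytes(msg[off + 1:off + 1 + n]).decode("ascii"))
        off += 1 + n


def reverse_name(ip):
    """10.11.200.253 -> 253.200.11.10.in-addr.arpa (slide 37)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(txid, name, qtype, recursion_desired=True):
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # 1 question, no RRs
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_message(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):                            # authority/additional left unparsed
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_PTR:
            rdata, _ = decode_name(msg, off)
        else:
            rdata = bytes(msg[off:off + rdlen])
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "questions": questions, "answers": answers}


def check_response(query, response):
    """Accept a UDP reply only if it is a response whose ID and question
    section echo the query (a blind spoofer has to guess both); a truncated
    reply (TC set) must be re-asked over TCP."""
    q, r = parse_message(query), parse_message(response)
    if not r["qr"] or r["id"] != q["id"] or r["questions"] != q["questions"]:
        return "reject"
    if r["tc"]:
        return "retry-tcp"
    return "ok"


def sample_exchange():
    """Constructed round trip: PTR query for 10.11.200.253, answer with RA set."""
    query = build_query(0x1234, reverse_name("10.11.200.253"), TYPE_PTR)
    target = encode_name("saicu20.mcse.wallihan.com")
    response = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
                + query[12:]                        # question section echoed back
                + b"\xc0\x0c"                       # answer name: pointer to offset 12
                + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 3600, len(target))
                + target)
    return query, response
```

The ID and question check is the whole of a classic resolver's defence against a forged UDP answer, which is why a predictable transaction ID matters; flipping one bit of the ID in the sample reply is enough for check_response() to discard it.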

38 DNS Configuration Forwarders Enable a server to forward queries it cannot answer to another DNS server Caching-only servers These servers maintain no zones; they only cache the answers they obtain Forwarders must be enabled for them to resolve through an internal server Dynamic updates Configured per zone (the DHCP server can also be set to register its clients) Three options: None; Nonsecure and secure (any host can overwrite any record, so one client can hijack another's name); Secure only (Active Directory integrated zones only – updates are authenticated and each record carries an ACL)

39 Configuring DNS

40 DNS Record Types A – Host record (name to IPv4 address) CNAME – Canonical name (alias) NS – Name server for a zone or delegation SOA – Start of Authority: the zone's primary server, responsible mailbox, serial number and refresh/retry/expire/minimum-TTL timers MX – Mail exchanger, with a preference value SRV – Service location (_service._proto.name → priority, weight, port, target); AD clients find domain controllers through SRV records such as _ldap._tcp.dc._msdcs.<domain> PTR – Reverse lookup record (in-addr.arpa)

41 Implementing WINS

42 When to use WINS NetBIOS Naming The Lmhosts file The NetBIOS name server NetBIOS node types The WINS architecture Implementing WINS

43 NetBIOS Naming NetBIOS originally served single LANs NetBIOS names were cached locally Computers would broadcast queries Only the requested computer replied The reply was cached locally

44 The Lmhosts File Problems with NetBIOS: Computers on remote LANs – broadcast Large environments – broadcast The Lmhosts file enabled the most popular servers to be resolved locally The Lmhosts file structure: IP address name

45 Lmhosts File Records & Tags A standard record (IP address, whitespace, NetBIOS name): 10.11.200.253   saicu20 Tags (case-sensitive, written after the name): #PRE – preloads the entry into the NetBIOS name cache at startup #DOM:domain – marks the host as a domain controller of the named Windows NT domain #INCLUDE filepath – loads entries from a centrally managed file on a UNC path (the server named in the path must itself be resolvable, usually through a #PRE entry) #BEGIN_ALTERNATE & #END_ALTERNATE – group several #INCLUDE lines; the first file that can be read is used and the rest are skipped

46 A Sample Lmhosts File
# The following example illustrates all of these extensions:
102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \0x14"             #special app server
102.54.94.123    popular            #PRE             #source server
102.54.94.117    localsrv           #PRE             #needed for the include

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
(The quoted form sets the 16th byte of the NetBIOS name explicitly: the text inside the quotes must be padded with spaces to exactly 15 characters before \0xNN.)
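A parser for the LMHOSTS format of slides 44 to 46, as an added example that is not part of the original presentation. It handles the #PRE and #DOM: tags, #INCLUDE with a #BEGIN_ALTERNATE/#END_ALTERNATE block (first readable file wins), and turns each name field into the 16-byte NetBIOS name that would actually be registered: 15 characters, upper-cased and space-padded for a plain name, or taken literally plus the explicit suffix byte for the quoted "name \0xNN" form. The sample text is the slide's example with the presentation's saicu20 entry added; the UNC includes are resolved from an in-memory dict so the code runs offline, and the fileserv entry in that dict is a constructed stand-in.

```python
SAMPLE = r"""
# The following example illustrates all of these extensions (slide 46);
# the saicu20 line is added for this example
102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \0x14"             #special app server
102.54.94.123    popular            #PRE             #source server
102.54.94.117    localsrv           #PRE             #needed for the include
10.11.200.253    saicu20

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
"""

# Constructed stand-ins for the included files.  \\localsrv\public\lmhosts is
# deliberately absent so the alternate block has to fall through to rhino.
INCLUDED = {
    r"\\rhino\public\lmhosts": "10.11.200.10    fileserv    #PRE   #hypothetical central entry",
}


def netbios_name(raw):
    """16-byte NetBIOS name for an LMHOSTS name field.  A plain name is
    upper-cased, space-padded to 15 chars and gets suffix 0x00 (workstation
    service).  A quoted "name \0xNN" is taken literally: the text before \0x
    is the name, NN the 16th (suffix) byte.  LMHOSTS itself requires you to
    pad the quoted form to exactly 15 chars; here a short one is padded."""
    if raw.startswith('"'):
        body = raw[1:raw.rindex('"')]
        idx = body.find("\\0x")
        base, suffix = (body, 0) if idx < 0 else (body[:idx], int(body[idx + 3:idx + 5], 16))
        if len(base) > 15:
            raise ValueError("quoted NetBIOS name longer than 15 characters")
        return base.ljust(15).encode("ascii") + bytes([suffix])
    return raw.upper()[:15].ljust(15).encode("ascii") + b"\x00"


def parse_lmhosts(text, include_files=None, depth=0):
    """Return {ip, name, preload, domain} entries in file order.
    include_files maps a UNC path to file text (stand-in for reading the share)."""
    include_files = include_files or {}
    entries, lines, i = [], text.splitlines(), 0

    def include(path):
        if path in include_files and depth < 4:          # depth cap: no include loops
            entries.extend(parse_lmhosts(include_files[path], include_files, depth + 1))
            return True
        return False

    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("#BEGIN_ALTERNATE"):
            done = False                                  # first readable #INCLUDE wins
            while i < len(lines) and not lines[i].strip().startswith("#END_ALTERNATE"):
                inc = lines[i].strip()
                i += 1
                if inc.startswith("#INCLUDE") and not done:
                    done = include(inc[len("#INCLUDE"):].strip())
            i += 1                                        # consume #END_ALTERNATE
        elif line.startswith("#INCLUDE"):
            include(line[len("#INCLUDE"):].strip())
        elif not line or line.startswith("#"):
            continue                                      # blank line or comment
        else:
            fields = line.split(None, 1)
            if len(fields) < 2:
                continue
            ip, rest = fields
            if rest.startswith('"'):                      # quoted name may contain spaces
                close = rest.index('"', 1)
                raw, rest = rest[:close + 1], rest[close + 1:]
            else:
                parts = rest.split(None, 1)
                raw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            entry = {"ip": ip, "name": netbios_name(raw), "preload": False, "domain": None}
            for tok in rest.split():
                if tok == "#PRE":
                    entry["preload"] = True
                elif tok.startswith("#DOM:"):
                    entry["domain"] = tok[5:].upper()
                elif tok == "#MH" or tok.startswith("#SG"):
                    continue                              # multihomed / special group: accepted, not modelled
                elif tok.startswith("#"):
                    break                                 # anything else after '#' is a comment
            entries.append(entry)
    return entries
```

Because #INCLUDE pulls name-to-address mappings from a share, whoever can write that file (or answer for the server named in it) controls where the clients that load it connect; the #PRE entry for the include server exists precisely so that the lookup of the share itself does not depend on the network.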

47 The NetBIOS Name Server - WINS Clients are configured with the WINS server’s IP address (enables unicast) Clients register their name and IP with WINS TTL - 6 days by default Clients refresh at half TTL Name or IP address changes are registered with WINS Clients release names when they shut down Clients query the name server to resolve hosts

48 NetBIOS Node Types
Node Type            Registration    Resolution
B node               Broadcast       Broadcast
P node               Unicast-WINS    WINS only
M node               Broadcast       Broadcast, then WINS
Modified B node      Broadcast       Broadcast, then Lmhosts
H node (hybrid)      Unicast-WINS    WINS, then broadcast
MS enhanced node     Unicast-WINS    Configurable

49 Configuring WINS Clients: Specify the WINS server (manually or via DHCP option 44) Configure a node type (optional; DHCP option 46) MS-enhanced H-node by default once a WINS server is configured, B-node otherwise WINS Servers Install WINS Create static mappings Configure replication (push/pull partners) WINS Proxy Agents Answer broadcast name registrations and queries from B-node clients on their own subnet and relay them to the WINS server Set EnableProxy to 1 in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters - Any WINS client can act as a proxy

50 Review  Active Directory  DNS  WINS




