Active Directory Outline
Author: anton, 05 October 2010
ACTIVE DIRECTORY OUTLINE
Active Directory is the flagship component of Windows 2000 Server and Advanced Server
• From logon to application installation
• Definition of Directory
• Directories have been around since the 60s
• Current examples are:
  o Domain Name System (DNS)
  o Windows Internet Name Service (WINS)
  o Novell Directory Services (NDS)
• A database used to store and organize data

What is a Directory Service?
• A stored collection of information about defined objects that are related to each other in some way
• Telephone directory – stores names of entities and telephone numbers
• In a modern computing environment many objects need to be located and used:
  o Servers
  o Printers
  o Fax Servers
  o Databases
• Admins and users must be able to locate and use these objects
• A directory service stores all the information needed to use and manage these objects centrally
• Provides the means of storing the information AND the services making this information available to users
• It is the main switchboard and central authority of your network operating system that:
  o Manages the identities
  o Controls the relationships (access) between resources
• Because of this it must be tightly coupled with the OS's management and security mechanisms to be effective
• Allows the definition and maintenance of the network infrastructure
• Allows system administration
• Controls the user experience

Why Have a Directory Service?
• A simplified and centralized means of organizing and administering access to resources of a network
• NT4 Domains – flat and very limited
• Users only need to know attributes of an object to find something (provided they were added!)
• Is an administrative and end-user tool
• Other functions:
  o Enforce security
  o Distribute a Directory across many computers in the Network
  o Replicate information to make it available and resist failure
  o Partitioning allows multiple stores across a network for larger amounts of data and allows for more space

Simplified Administration
• Resources organized hierarchically in Domains
• A Domain has one or more linked Domain Controllers
• A change made to one DC is made to all DCs in the Domain
• A single point of admin for all objects in the network

Scalability
• Directory can be broken into sections to allow for a large number of objects
• Can easily be expanded (or contracted)

Open Standards Support
• Uses DNS for its name system
• Integrates the internet concept of a name space
• Allows you to unify and manage multiple name spaces that already exist (if any)
• Can exchange information with any app or directory that uses LDAP or HTTP

DNS
• W2K (Active Directory) names are DNS names
• Dynamic DNS allows auto update of the DNS table

Support for LDAP and HTTP
• LDAP
  o Version of the X.500 directory access protocol
  o AD supports LDAP 2 and 3
• HTTP support can display every object in a web browser

Support Standard Name Formats
• RFC 822
  o Someone@Domain
• HTTP Uniform Resource Locator (URL)
  o http://domain/path-to-page
• Universal Naming Convention (UNC)
  o \\domain\foldername\file.doc
• LDAP URL
  o LDAP://server.domain.com/CN=firstname, OU=admin, OU=Division, DC=services

Directories must address four business principles:
• Cost
  o Business decisions are based on return on investment and expected result at a given cost
  o Perceived value must outweigh the actual costs
• Security
  o "Money is Power" has changed to "Information is Power"
  o Information includes competitive and proprietary data
  o This information must be secure
• Reliability
  o Uptime is the key word in business networks
  o If the information is not available, it is of no value
• Performance
  o Good network design can produce results
  o Bad design impacts the ability to perform

Before Directories
• Network operating systems (NOS) were server based
• Account management done on a server-by-server basis
• Each server maintained its own list of user accounts
  o Accounts database
• Each server also maintained a list of user permissions
  o Access Control List (ACL)
• Server-based networking does not scale!

Windows NT solution
• Small groups of servers share one list of users
  o Central accounts database
• Single point of management for administration
• Domain-based networking, but still does not scale

In a Domain
• All user information is stored in a single place and managed with a single set of tools
• Users can access the network via a single account

Network Directory Environment
• Holds ALL user and resource information across the entire network
• Users ARE resources

Network directories
• Are databases that hold network information including:
  o User account info (logon names, passwords, restrictions)
  o User personal info (phone numbers, addresses, employee ID numbers)
  o Peripheral configuration info (printers, modems, faxes)
  o Application configurations (desktop preferences, default directories)
  o Security information
  o Network infrastructure configuration (routers, proxies, Internet access settings)
• Information is stored in a centrally controlled, standards-based database
• Becomes the central control point for many different network processes

User Logon
• Client software will request authentication from the directory
• Directory service will identify if the account name is valid
• Check for a password
• Validate the submitted password
• Check for any restrictions on the account
• Determine if the logon request should be granted

Resource access
• Directory is queried each time a user tries to access a network resource
• Directory authenticates the request
• Determines if the user has appropriate permissions
• Returns the resource's physical address to the client

Personal preferences
• Upon logon, desktop settings, default printer, home directory location and application icons are downloaded to whatever computer the user logs on from
• All settings are centrally located
• Can be centrally controlled

Network Directories – Active Directory
• Contains information used to access, manage or configure a network
• Records are called objects
• Definition of how those records are formed and what properties are available is stored in the schema
• Extensible because the schema can be modified
• Is a hierarchical, not relational, database
• Objects are contained in multiple classes

Central Database of Network Resources
• Object classes have properties pertaining to their function
• All information about all network resources in a single database has advantages:
  o Administrators have a single interface
  o Reduced learning curve for new personnel
  o Reduced redundant management
• Extensible as new object classes can be created
• Classes can be modified by developers

For Administrators
• Only one user account per user
• Simpler hardware setup – configuration can be copied to multiple pieces of hardware
• Database can be replicated for redundancy

For Users
• Single sign-on
• Application self-management/restoration
• Modeled after the company business structure

Active Directory components
• Security subsystem
  o Applications running in user mode do not have direct access to the operating system or hardware
  o Each request for resources must be passed through various components to determine whether the request is valid
  o Access control lists protect objects in the AD structure
  o Security infrastructure has four functions:
    • To store security policies and account information
    • To implement and enforce security models
    • To manage authentication requests to AD objects
    • To store and manage trust information
• Directory Service Module
  o Multiple components that work together to control access to the actual database itself:
    • Agents layer
    • Directory System Agent layer
    • Database layer

Active Directory Structure
• How the information is stored in the database
• Built on X.500 recommendations
  o X.500 is not a standard but a recommendation for organizing directories
  o X.500 was originally developed along the OSI model
  o The goal of the specification was to provide a mechanism that would give products from different vendors the capability to access and share information
  o What is defined is a common method of organizing, naming and accessing information
  o The recommendation includes defining the hierarchical structure, referred to as the directory tree

X.500 hierarchical Structure
• Two main goals for structure design:
  o Object identification – ensures each object has some sort of unique identifier
  o Object organization – allows the data to be broken into subsets for administrative purposes

X.500 Tree
• Structure defines different types of container objects, like leaves on a tree
• Country – "C" object
  o Highest container object in the schema
• Organization – "O" object
  o Can only exist off the root of the tree or below a country
• Location – "L" object
  o Grouping object that can exist at any level of the tree except directly below the root
• Organizational unit – "OU" object
  o Grouping object that can exist under O's or OU's

Building Active Directory Trees
• Objects used to build a tree:
  o Functional objects
  o Concepts
• Active Directory provides a method for designing a directory structure
• Shows you the objects to be found in Active Directory and the functions of its components:
  o Building Blocks
  o Objects
  o Schema
  o Components
  o Functionality
  o Replication
  o Global Catalog
  o Trust Relationships
  o DNS
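The logon and resource-access sequence listed above, as an added example (not code from the original essay or from Windows): a constructed directory that walks the logon steps in order, then evaluates an ACL before returning a resource's physical address. Account names, groups and the printer share path are made up.

```python
import hashlib, hmac, os
# Constructed model of the logon and resource-access steps listed above; not Windows
# code, and every account, group and resource here is made up for the example.
ITERATIONS = 100_000
def hash_password(password, salt=None):
    """Keep (salt, PBKDF2 digest), never the clear-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
def password_matches(stored, candidate):
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)  # constant-time comparison

class Directory:
    def __init__(self):
        self.accounts = {}   # name -> account record
        self.resources = {}  # name -> {"address": ..., "acl": [(principal, allow)]}
    def add_account(self, name, password, groups=(), disabled=False, hours=(0, 24)):
        self.accounts[name] = {"pw": None if password is None else hash_password(password),
                               "groups": set(groups), "disabled": disabled, "hours": hours}

    def add_resource(self, name, address, acl):
        self.resources[name] = {"address": address, "acl": list(acl)}
    def logon(self, name, password, hour):
        """Walk the logon steps in order; the reason is for the audit log, not the client."""
        acct = self.accounts.get(name)
        if acct is None:
            return False, "account name not valid"
        if acct["pw"] is None:
            return False, "no password set"
        if not password_matches(acct["pw"], password):
            return False, "password rejected"
        if acct["disabled"]:
            return False, "account disabled"
        start, end = acct["hours"]
        if not start <= hour < end:
            return False, "outside permitted logon hours"
        return True, "granted"

    def access(self, name, password, resource, hour):
        """Authenticate, then check the ACL; the physical address is revealed only on success."""
        ok, reason = self.logon(name, password, hour)
        if not ok:
            return None, reason
        res = self.resources.get(resource)
        if res is None:
            return None, "unknown resource"
        principals = {name} | self.accounts[name]["groups"]
        decisions = [allow for principal, allow in res["acl"] if principal in principals]
        # No matching ACL entry means no access, and one explicit deny overrides any allow.
        if decisions and all(decisions):
            return res["address"], "granted"
        return None, "permission denied"
```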
Objects
• An object is a distinct named set of attributes that represents a network resource
  o Typical Object Classes:
    • User accounts
    • Groups
    • Computers
    • Domains
    • Organizational Units
• NOTE: Some objects are containers which can contain other objects.

Schema
• Is a list of definitions that defines objects that can be stored in Active Directory
• There are two types of definitions:
  o Attributes
  o Classes (objects)
• Attributes
  o Are defined only once
  o Can be used in multiple classes
• Classes (Objects)
  o Also referred to as object classes
  o Describe the possible AD objects that can be created
  o A class is a collection of attributes
• Example: the user class is composed of many attributes: first name, last name, home directory, email addresses, etc.
• You can extend the schema by adding more classes and attributes for each class
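A constructed model of the schema rules above (added example, not the real Active Directory schema or Microsoft code): attributes are defined once and reused by several classes, a class is a collection of attributes, objects are validated against their class, and the schema can be extended with a new class. The attribute and class names are illustrative only.

```python
# Constructed, simplified model of the schema concepts above (attributes defined once,
# classes as collections of attributes, schema extension); not the real AD schema.
class SchemaError(Exception):
    pass
class Schema:
    def __init__(self):
        self.attributes = {}   # attribute name -> type every value must have
        self.classes = {}      # class name -> {"must": (...), "may": (...)}

    def define_attribute(self, name, value_type):
        # An attribute is defined only once; redefining it is an error.
        if name in self.attributes:
            raise SchemaError("attribute %r is already defined" % name)
        self.attributes[name] = value_type

    def define_class(self, name, must=(), may=()):
        # A class is a collection of attributes, each of which must already exist.
        for attr in tuple(must) + tuple(may):
            if attr not in self.attributes:
                raise SchemaError("class %r uses undefined attribute %r" % (name, attr))
        self.classes[name] = {"must": tuple(must), "may": tuple(may)}

    def validate(self, class_name, obj):
        """Return the list of problems with obj as an instance of class_name (empty = valid)."""
        cls = self.classes.get(class_name)
        if cls is None:
            return ["unknown class %r" % class_name]
        problems = []
        for attr in cls["must"]:
            if attr not in obj:
                problems.append("missing mandatory attribute %r" % attr)
        allowed = set(cls["must"]) | set(cls["may"])
        for attr, value in obj.items():
            if attr not in allowed:
                problems.append("attribute %r not permitted on class %r" % (attr, class_name))
            elif not isinstance(value, self.attributes[attr]):
                problems.append("attribute %r must be %s" % (attr, self.attributes[attr].__name__))
        return problems

def base_schema():
    """A small starting schema: user and group classes sharing the cn and mail attributes."""
    s = Schema()
    for name, typ in [("cn", str), ("givenName", str), ("sn", str),
                      ("homeDirectory", str), ("mail", str), ("member", list)]:
        s.define_attribute(name, typ)
    s.define_class("user", must=("cn", "sn"), may=("givenName", "homeDirectory", "mail"))
    s.define_class("group", must=("cn",), may=("member", "mail"))
    return s

def extend_with_printer(schema):
    """Extending the schema: one new attribute plus a class that reuses the existing cn."""
    schema.define_attribute("location", str)
    schema.define_class("printer", must=("cn", "location"), may=())
    return schema
```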
Components
• AD uses components to build a directory structure that fits your organization
• The logical structures of your organization are represented by the following components:
  o Domains
  o Organizational Units (OUs)
  o Trees
  o Forests
• The physical structure is represented by:
  o Sites (physical subnets)
  o Domain Controllers

Logical Structures
• In AD you organize resources in a logical structure that mirrors the logical structure of the organization
• Grouping logically enables you to find a resource by its name rather than by a physical location
• The physical network is (should be) completely transparent to users

Domains
• Core unit of logical structure in AD
• Can store millions of objects
• Objects stored in a Domain are those which are interesting to the network
• All network objects exist within a Domain
• Each Domain stores info only about the objects it contains
• Domains can span more than one physical location
• Is a security boundary
  o Access control lists (ACLs) control access to Domain objects
  o Objects protected this way include:
    • Files
    • Folders
    • Shares
    • Printers

Organizational Units
• Is a container used to organize objects within a Domain
• OUs can contain:
  o User accounts
  o Groups
  o Computers
  o Printers
  o Applications
  o File Shares
  o Other OUs
• All objects must be from the same Domain
• Each OU hierarchy within a Domain is totally independent of any other Domain's structure
• OUs provide a means of handling admin tasks; they are the smallest scope to which you can delegate admin authority
• Reflect the structure within the Domain
• Delegate admin control
• Easier to move users between OUs than between Domains
• Group objects to locate similar resources and simplify admin and locating objects
• Restrict visibility of network resources
• Guidelines:
  o Shallow trees perform better
  o OUs should represent structures which are not subject to change

Trees
• A hierarchical arrangement of one or more Domains
• Domains in a tree share:
  o A contiguous name space
  o Hierarchical naming structure
• Share the following characteristics:
  o The domain name of a child Domain is the relative name of that child Domain appended with the name of the parent Domain
  o All Domains share a common schema
  o All Domains share a global catalog
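An added example, not part of the original essay, covering the LDAP URL name format listed under Support Standard Name Formats and the tree naming rule just above: it splits an LDAP URL into server and RDNs, derives the DNS domain name from the DC components, and groups a set of domain names into trees by contiguous namespace (each child's name is its relative name plus its parent's name). The server and domain names are constructed.

```python
import re
from collections import defaultdict

# Constructed helpers for the name formats and tree rules above; the URL and
# domain names are made-up examples, and this is not Microsoft's code.
LDAP_URL = "LDAP://server.domain.com/CN=firstname, OU=admin, OU=Division, DC=services"

def parse_ldap_url(url):
    """Return (server, [(type, value), ...]) for an LDAP URL; RDNs are leaf first, as written."""
    m = re.match(r"(?i)^ldap://([^/]+)/(.+)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    rdns = []
    for part in m.group(2).split(","):
        typ, sep, val = part.strip().partition("=")
        if not sep or not typ.strip() or not val.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((typ.strip().upper(), val.strip()))
    return m.group(1), rdns

def dns_name_from_dn(rdns):
    """AD domain names are DNS names: the DC components, leaf first, joined with dots."""
    return ".".join(value for typ, value in rdns if typ == "DC")

def dn_from_dns_name(dns_name):
    """The inverse: corp.example.com -> DC=corp,DC=example,DC=com."""
    return ",".join("DC=" + label for label in dns_name.lower().split("."))

def build_forest(domain_names):
    """Group domains into trees. A child's name is its relative name plus the parent's
    name, so the parent is the name with its first label removed, if that is a domain."""
    names = {d.lower() for d in domain_names}
    parent = {}
    for d in names:
        labels = d.split(".")
        candidate = ".".join(labels[1:])
        parent[d] = candidate if candidate in names else None   # None = tree root
    trees = defaultdict(list)
    for d in sorted(names):
        root = d
        while parent[root] is not None:
            root = parent[root]
        trees[root].append(d)
    return dict(trees), parent
```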
Forests
• Have the following characteristics:
  o Share a common schema
  o Trees have a different naming structure (according to their Domain)
  o All Domains in a forest share a global catalog
  o Domains in a forest operate independently, but a forest enables communication across the organization's structure
  o An implicit two-way transitive trust exists between Domains and Domain trees

Distributed, Replicated Directory Database
• AD is broken into pieces called partitions
• Partitions are placed on servers close to the users that use them
• Fault tolerance is provided by replicating those partitions to multiple servers

The Business Case
• Active Directory allows users and administrators to see their network as a logical set of resources
• Design of the infrastructure relates to the physical network
• Two sets of standards or models are considered:
  o Geographic model – determined by the number of physical locations and the connectivity between them
    • Three levels of models: regional, national and international
  o Business model – refers to the business relationship between sites and services
    • Determine each location's relationship to the company

Focusing on the Business Model
• Analysis of more than just bandwidth
• Political relationships
• Uses for the network (just email or real-time database access)
• Similarities and differences between the sites – physical makeup and management philosophy
• Corporate offices vs. branch offices vs. subsidiary offices

Analyzing the Business Environment
• Departmental model – traditional method of managing a business
• Project-based model – "new age" management – the company is broken into small groups or teams which contain all the resources they need to support a project
• Product/Service-based model – groups are organized to support specific products or services
• Cost Center model – hybrid of the above – groups are divided across cost centers

Analyze the Existing and Planned Organizational Structures
• Management model
• Company organization
• Vendor, partner and customer relationships
• Acquisition plans
• Analyze factors that influence company strategies; identify:
  o The company priorities
  o The projected growth and growth strategy
  o The relevant laws and regulations
  o The company's tolerance for risk
  o The total cost of operations

Analyzing the IT Environment
• Type of administration – central or decentralized
• Funding model
• Outsourcing
• Decision-making process
• Change-management process
• Evaluate the company's existing and planned technical environment:
  o Analyze performance requirements
  o Analyze data and system access patterns
  o Analyze network roles and responsibilities
  o Analyze security considerations
• Analyze the impact of AD on the existing and planned technical environment:
  o Assess existing systems and applications
  o Identify existing and planned upgrades and rollouts
  o Analyze technical support structure
  o Analyze existing and planned network and systems management

Active Directory Naming Strategies
• Establish the scope of the Active Directory
• Design the namespace
• Plan DNS strategy
• Design the placement of DNS servers; considerations include:
  o Performance
  o Fault tolerance
  o Functionality
  o Manageability
• Plan for interoperability with the existing DNS

Planning a Domain and OU Structure
• Design an AD forest and domain structure
  o Design a forest and schema structure
  o Design a domain structure
  o Analyze and optimize trust relationships
• Design and plan the structure of organizational units (OUs); considerations include:
  o Administrative control
  o Existing resource domains
  o Administrative policy
  o Geographic and company structure
• Develop an OU delegation plan
• Plan Group Policy object management
• Plan policy management for client computers

Summary
• Access to all resources is managed through a single database
• Everything from the point of initial logon to using a printer is controlled by the AD directory
• All resources include identified permissions
• The network can be viewed as a single system rather than a series of connected resources
• Network-based versus server- or domain-based management
• Active Directory as a Service
  o The Active Directory service uses the Active Directory database to provide functionality
  o Without the service the database could not be accessed