
Module 1: Introduction to Active Directory

Overview

- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network

Introduction to Active Directory

- What Is Active Directory?
- Active Directory Objects
- Active Directory Schema
- Lightweight Directory Access Protocol (LDAP)

What Is Active Directory?

Active Directory is the Windows 2000 directory service: it stores information about network resources and makes that information available to users and administrators.

- Directory service functionality: organize, manage and control network resources
- Centralized management: a single point of administration
- Resources: full user access to directory resources through a single logon

Active Directory Objects

Objects represent network resources, such as users and printers. Attributes store information about an object, and each attribute holds a value.

Object class   Attribute examples                  Example objects
Printers       Printer Name, Printer Location      Printer1, Printer2, Printer3
Users          First Name, Last Name, Logon Name   Don Hall, Suzan Fine

Active Directory Schema

The schema defines the object classes that can be stored in the directory and the attributes each class may contain. The Active Directory schema is:

- Dynamically available: it is stored in the directory itself and replicated to every domain controller in the forest
- Dynamically updateable: new classes and attributes can be added; because schema objects cannot be deleted and the schema is forest-wide, treat every extension as a permanent change to the whole forest
- Protected by DACLs: by default only members of the Schema Admins group can modify it

Object class examples: Computers, Users, Printers

Attribute examples (attributes of Users might contain): accountExpires, department, distinguishedName, middleName

List of attributes defined in the schema (extract): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName

DNS and Active Directory Namespaces

(Figure: the DNS namespace and the Active Directory namespace side by side. In DNS, the Internet root domain "." contains com., which contains microsoft.com, with training.microsoft.com and sales.microsoft.com beneath it and the host computer1 under training.microsoft.com. In Active Directory, the domains microsoft.com, training.microsoft.com and sales.microsoft.com carry the same names as the corresponding DNS nodes. Legend: DNS node (domain or computer); Active Directory domain.)

Lightweight Directory Access Protocol (LDAP)

LDAP provides a way to communicate with Active Directory by specifying a unique naming path for each object in the directory.

LDAP naming paths include:
- Distinguished names, which name the object and every container above it, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
- Relative distinguished names, the leftmost component of the distinguished name, which names the object within its own container, for example CN=Suzan Fine
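The naming paths above are the RFC 4514 string form of LDAP distinguished names. The following is an added example, not code from the original training module, showing how a practitioner parses them correctly (honouring backslash escapes, so a comma inside a name does not split the path), how the relative distinguished name, parent container and DNS domain name are derived, and why a container check used for authorization must compare parsed components rather than string suffixes. Only the standard library is used; the sample distinguished names are the ones from the slide.

```python
"""LDAP distinguished-name handling for Active Directory naming paths.

Added example; this is not code from the original training module. It
implements the RFC 4514 string form that Active Directory uses, e.g.
"CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft", and the container check an
authorization decision based on a naming path has to get right.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s.2.4).
_SPECIAL = ',+"\\<>;='


def escape_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN (inverse of parse_dn)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0)
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, most specific RDN first.

    Backslash escapes ("\\," and the hex form "\\2C" alike) are honoured, so a
    comma inside a value is not mistaken for an RDN separator. Multi-valued
    RDNs (a+b) are not handled; the classes discussed here do not use them.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #":
                buf.append(nxt)
                i += 2
            else:                                  # \XX hexadecimal escape
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, val = rdn.split("=", 1)
        parsed.append((typ.strip().lower(), val.strip()))
    return parsed


def _unparse(parts: List[Tuple[str, str]]) -> str:
    return ",".join(f"{t.upper()}={escape_value(v)}" for t, v in parts)


def rdn_of(dn: str) -> str:
    """Relative distinguished name: the leftmost component, re-escaped."""
    return _unparse(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Naming path of the container the object lives in."""
    return _unparse(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Map the DC= components back to the DNS name of the Active Directory domain."""
    return ".".join(v for t, v in parse_dn(dn) if t == "dc")


def is_under(dn: str, container_dn: str) -> bool:
    """True if dn is a strict descendant of container_dn.

    Compares parsed components (types and values case-insensitively). A plain
    string suffix test is not enough: 'OU=PreSales,DC=contoso,DC=msft' ends
    with 'Sales,DC=contoso,DC=msft' but is not inside OU=Sales.
    """
    child = [(t, v.lower()) for t, v in parse_dn(dn)]
    parent = [(t, v.lower()) for t, v in parse_dn(container_dn)]
    return len(child) > len(parent) and child[-len(parent):] == parent
```

The `is_under` check is the one to reuse whenever a naming path decides what an account may touch (for example "delegated administrators of OU=Sales may only modify objects beneath it"): the suffix pitfall in its docstring is exactly how such checks get bypassed by an attacker who can create an OU with a chosen name.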

Active Directory Logical Structure

- Domains
- Organizational Units
- Trees and Forests
- Global Catalog

Domains

A domain is a security boundary
- A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- Practitioner's note: Microsoft's later guidance treats the forest, not the domain, as the security boundary. An administrator of any domain in a forest can gain control of the other domains in that forest, so a domain boundary isolates administration, not trust.

A domain is a unit of replication
- Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain

(Figure: two Windows 2000 domain controllers in the same domain, each holding User1 and User2, replicating with each other.)

Organizational Units

(Figure: an OU hierarchy can mirror the network administrative model, for example OUs Users, Computers, Sales and Repair under a Vancouver OU, or the organizational structure.)

- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups

Trees and Forests

(Figure: one forest containing two trees. The first tree has the root domain contoso.msft with child domains au.contoso.msft and asia.contoso.msft; the second has the root domain nwtraders.msft with child domains asia.nwtraders.msft and au.nwtraders.msft. Two-way transitive trusts link each child domain to its parent and the two tree roots to each other, so every domain in the forest trusts every other domain.)

Global Catalog

The global catalog holds a subset of the attributes of all objects in every domain of the forest. It is hosted on one or more domain controllers designated as global catalog servers.

(Figure: several domains feeding the global catalog on a global catalog server.)

The global catalog is used for:
- Queries that span domains, without having to contact a domain controller in each domain
- Universal group membership when a user logs on; in a native-mode domain a global catalog server must be reachable at logon for that membership to be evaluated

Introduction to the Role of DNS in Active Directory

Name resolution
- DNS translates computer names to IP addresses
- Computers use DNS to locate each other on the network

Naming convention for Windows 2000 domains
- Windows 2000 uses DNS naming standards for domain names
- DNS domains and Active Directory domains share a common hierarchical naming structure

Locating the physical components of Active Directory
- DNS identifies domain controllers by the services they provide (service location, or SRV, records)
- Computers use DNS to locate domain controllers and global catalog servers

DNS Host Names and Windows 2000 Computer Names

- The DNS host record and the Active Directory computer object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory

(Figure: in DNS, the root "." contains com., which contains microsoft with the subdomains training and sales; the host computer1 sits under training.microsoft.com. In Active Directory, the domain training.microsoft.com contains the Builtin and Computers containers, and Computers holds Computer1 and Computer2.)

FQDN = computer1.training.microsoft.com
Windows 2000 computer name = Computer1

DNS Requirements for Active Directory

DNS requirements to support Active Directory:
- Support for SRV records (mandatory): domain controllers register the services they offer as SRV records, and clients cannot find a domain controller without them
- Support for the dynamic update protocol (recommended): where it is enabled, use secure dynamic update, available for Active Directory-integrated zones, so that only the account that registered a record can change it; with unsecured dynamic update any host on the network can overwrite a domain controller's records
- Support for incremental zone transfers (recommended)
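The SRV records just described are what a Windows 2000 client resolves to find a domain controller. The following added example (not code from the original module) builds the owner names Active Directory registers, orders the answers the way RFC 2782 prescribes (lowest priority first, then weighted random within a priority) and falls back from the site-specific name to the domain-wide one. The zone contents in SAMPLE_ZONE are constructed data standing in for a real DNS server, and the random source is injected so the order is reproducible.

```python
"""Locating domain controllers through DNS SRV records.

Added example, not code from the original training module. The SRV owner
names are the ones Active Directory registers (_ldap._tcp.dc._msdcs.<domain>
and so on); the ordering rule is RFC 2782. SAMPLE_ZONE is constructed data
standing in for a real DNS server.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host name of the domain controller


def dc_locator_names(domain: str, site: Optional[str] = None,
                     forest: Optional[str] = None) -> Dict[str, str]:
    """SRV owner names a Windows 2000 client queries for a domain.

    With a site name the site-specific names are used, so a client first tries
    domain controllers reachable over its own site's high-speed links.
    """
    forest = forest or domain
    sites = f"{site}._sites." if site else ""
    return {
        "ldap": f"_ldap._tcp.{sites}dc._msdcs.{domain}",          # any DC (LDAP)
        "kerberos": f"_kerberos._tcp.{sites}dc._msdcs.{domain}",  # KDC
        "gc": f"_gc._tcp.{sites}{forest}",                        # global catalog
        "pdc": f"_ldap._tcp.pdc._msdcs.{domain}",                 # PDC emulator
    }


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV records per RFC 2782: ascending priority; within one priority,
    repeatedly draw at random in proportion to weight. Records with weight 0
    are only reached once every positive-weight record of that priority is used."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:                       # all weights zero: any order
                choice = pool[rng.randrange(len(pool))]
            else:
                pick, acc = rng.randrange(total), 0
                for r in pool:
                    acc += r.weight
                    if pick < acc:
                        choice = r
                        break
            ordered.append(choice)
            pool.remove(choice)
    return ordered


Lookup = Callable[[str], List[SrvRecord]]


def find_domain_controllers(domain: str, site: Optional[str],
                            lookup: Lookup, rng: random.Random) -> List[str]:
    """Host names to try, in order: site-specific records first, then the
    domain-wide records if the client's site has no domain controller."""
    names = []
    if site:
        names.append(dc_locator_names(domain, site)["ldap"])
    names.append(dc_locator_names(domain)["ldap"])
    for name in names:
        records = lookup(name)
        if records:
            return [r.target for r in order_srv(records, rng)]
    return []   # no SRV records: DNS does not support AD, or wrong domain name


# Constructed sample zone: what contoso.msft's DNS server might answer.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.Seattle._sites.dc._msdcs.contoso.msft": [
        SrvRecord(0, 100, 389, "dc1.contoso.msft"),
    ],
    "_ldap._tcp.dc._msdcs.contoso.msft": [
        SrvRecord(0, 60, 389, "dc1.contoso.msft"),
        SrvRecord(0, 40, 389, "dc2.contoso.msft"),
        SrvRecord(10, 0, 389, "dc3.contoso.msft"),   # backup, tried last
    ],
}


def sample_lookup(name: str) -> List[SrvRecord]:
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    print(find_domain_controllers("contoso.msft", "Seattle", sample_lookup, random.Random(1)))
    print(find_domain_controllers("contoso.msft", "Chicago", sample_lookup, random.Random(1)))
```

The security point to take from this: whoever can write these SRV records, or spoof the answers, decides where clients send their logon traffic. That is why the dynamic-update requirement above should be met with secure dynamic update rather than an open zone.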

What Is a Tree?

A tree is a hierarchy of domains that share a contiguous namespace. The tree root domain, for example contoso.msft, is the parent domain; a new domain created beneath it, such as sales.contoso.msft, is a child domain whose name extends the name of its parent.

(Figure: contoso.msft as the tree root and parent domain, sales.contoso.msft as the child domain; adding a new domain extends the contiguous namespace.)

What Is a Forest?

- A forest is one or more trees
- Trees in a forest do not share a contiguous namespace
- All of the domains in a forest share a common configuration, schema, and global catalog

(Figure: one forest containing the tree contoso.msft, with the child domain sales.contoso.msft, and the tree nwtraders.msft, with the child domains sales.nwtraders.msft and marketing.nwtraders.msft.)

What Is the Forest Root Domain?

The forest root domain is the first domain created in a forest. The forest-wide groups Enterprise Admins and Schema Admins reside in it, and the global catalog, configuration and schema are shared by every domain in the forest.

(Figure: a forest with two trees, nwtraders.msft with the child domain marketing.nwtraders.msft and contoso.msft with the child domain sales.contoso.msft; the forest root domain is marked, together with the forest-wide global catalog, configuration and schema, and the Enterprise Admins and Schema Admins groups.)

Characteristics of Multiple Domains

Reasons to create multiple domains:
- Reduce replication traffic
- Maintain separate and distinct security policies between domains (for example password and account lockout policy, which in Windows 2000 is set per domain)
- Preserve the domain structure of earlier versions of Windows NT
- Separate administrative control

Active Directory Physical Structure

- Domain Controllers
- Sites

Domain Controllers

A domain controller holds a writeable copy of the Active Directory database for its domain. Domain controllers:
- Participate in Active Directory replication
- Perform single master operations roles in a domain

(Figure: two domain controllers in one domain, each holding User1 and User2, replicating with each other.)

Sites

A site is a set of one or more IP subnets connected by a reliable, high-speed link; the figure shows Seattle, Chicago, New York and Los Angeles as separate sites, each defined by its IP subnets.

Sites:
- Optimize replication traffic
- Enable users to log on to a domain controller by using a reliable, high-speed connection
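Site membership is decided by matching the client's IP address against the subnet objects associated with each site, most specific subnet first. The following added example (not code from the original module) shows that lookup and how it steers a client to the domain controllers in its own site; SUBNETS and DC_SITES are constructed sample data in the spirit of the Seattle and Chicago sites on the slide.

```python
"""Mapping a client IP address to an Active Directory site via subnet objects.

Added example, not code from the original module. SUBNETS and DC_SITES are
constructed sample data; only the standard library is used.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
SubnetTable = List[Tuple[Network, str]]

# Constructed: subnet objects as an administrator would create them in
# Active Directory Sites and Services, each associated with one site.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Seattle",
    "10.1.200.0/24": "Seattle-Lab",   # more specific subnet nested in Seattle's range
    "10.2.0.0/16": "Chicago",
    "172.16.0.0/12": "New-York",
    "192.168.10.0/24": "Los-Angeles",
}

# Constructed: the site each domain controller sits in.
DC_SITES: Dict[str, str] = {
    "dc1.contoso.msft": "Seattle",
    "dc2.contoso.msft": "Chicago",
    "dc3.contoso.msft": "New-York",
}


def build_subnet_table(subnets: Dict[str, str]) -> SubnetTable:
    """Parse the subnets and sort them longest prefix first, so that the most
    specific match wins. strict=True rejects entries with host bits set
    (for example 10.1.0.1/16), which Active Directory also refuses."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address: str, table: SubnetTable) -> Optional[str]:
    """Site the client belongs to, or None if no subnet object covers it; such
    a client is not site-aware and may be served by any domain controller."""
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip.version == network.version and ip in network:
            return site
    return None


def preferred_domain_controllers(address: str, table: SubnetTable,
                                 dc_sites: Dict[str, str]) -> List[str]:
    """Domain controllers in the client's own site first, all others after."""
    site = site_for_address(address, table)
    local = [dc for dc, s in dc_sites.items() if site is not None and s == site]
    remote = [dc for dc in dc_sites if dc not in local]
    return local + remote


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for client in ("10.1.5.7", "10.1.200.9", "10.2.0.5", "10.9.0.1"):
        print(client, site_for_address(client, table),
              preferred_domain_controllers(client, table, DC_SITES))
```

Subnets that are missing from the directory are a common operational gap: clients on them get None above, are not site-aware, and end up authenticating and applying policy across slow links.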

Introduction to Active Directory Replication

Active Directory uses multimaster replication with loose convergence: every domain controller accepts changes, and each change propagates to the other domain controllers (A, B and C in the figure) until all replicas converge.

Replication Components and Processes

- How Replication Works
- Replication Latency
- Resolving Replication Conflicts
- Optimizing Replication

How Replication Works

An Active Directory update is one of: add, move, modify, delete.

- The domain controller on which the change is made performs an originating update (Domain Controller A in the figure)
- Replication carries the change to the other domain controllers, which apply it as a replicated update (Domain Controllers B and C)

Replication Latency

- Default replication latency (change notification) = 5 minutes
- When there are no changes, scheduled replication = one hour
- Urgent replication = immediate change notification, used for security-sensitive changes such as an account lockout

(Figure: an originating update on Domain Controller A triggers change notifications to Domain Controllers B and C, which then pull the replicated update.)

Resolving Replication Conflicts

Every originating update carries a stamp made of a version number, a timestamp, and the server GUID of the originating domain controller. When the same thing is changed on two domain controllers before either change has replicated (an originating update on Domain Controller A and another on Domain Controller B), the stamps are compared in that order: the higher version number wins; for equal versions, the later timestamp; for equal timestamps, the higher server GUID.

Conflicts can be due to:
- Attribute value: the same attribute of the same object changed on two domain controllers
- Adding or moving an object under a container object that was deleted at the same time elsewhere, or the deletion of a container object; the orphaned object is placed in the LostAndFound container
- Sibling name: two objects created with the same name in the same container on different domain controllers
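The stamp comparison and the three conflict types above, worked through as an added example that is not code from the original module. Stamps compare as (version, timestamp, server GUID) in that order; the losing object of a sibling-name conflict is renamed by appending a newline, "CNF:" and its objectGUID, and an object orphaned by a concurrent container deletion goes to LostAndFound. The GUIDs, times and names are constructed sample data.

```python
"""Replication-conflict resolution with attribute stamps.

Added example, not code from the original module. Each originating update
carries a stamp (version number, timestamp, originating server GUID) and the
higher stamp wins, compared in that order. The GUIDs, times and names used
here are constructed sample data.
"""
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    """Ordering is field order, which is the resolution order: version first,
    then timestamp, then the originating server GUID as the final tie-breaker."""
    version: int
    timestamp: datetime          # originating write time, UTC
    originating_dsa: uuid.UUID   # the slide's "Server GUID"


@dataclass(frozen=True)
class AttributeWrite:
    dn: str
    attribute: str
    value: str
    stamp: Stamp


def originating_write(prev: Optional[Stamp], dsa: uuid.UUID, now: datetime) -> Stamp:
    """Stamp for a new originating update: the version moves past the current one."""
    return Stamp(prev.version + 1 if prev else 1, now, dsa)


def resolve_attribute_conflict(local: AttributeWrite, incoming: AttributeWrite) -> AttributeWrite:
    """Attribute-value conflict: apply the incoming write only if its stamp is
    strictly higher; otherwise keep the local value and discard the incoming one."""
    if (local.dn, local.attribute) != (incoming.dn, incoming.attribute):
        raise ValueError("writes are not to the same attribute of the same object")
    return incoming if incoming.stamp > local.stamp else local


@dataclass(frozen=True)
class DirObject:
    rdn: str
    guid: uuid.UUID   # objectGUID, the immutable identity of the object
    stamp: Stamp      # stamp of the object's creation (or last rename)


def resolve_sibling_name_conflict(a: DirObject, b: DirObject) -> Tuple[str, str]:
    """Two objects created with the same RDN in the same container on different
    domain controllers. The lower-stamped one is renamed '<RDN>\\nCNF:<objectGUID>'
    (a newline, 0x0A, then CNF: and the GUID) so both can coexist.
    Returns (winner RDN, renamed loser RDN)."""
    winner, loser = (a, b) if a.stamp > b.stamp else (b, a)
    return winner.rdn, f"{loser.rdn}\nCNF:{loser.guid}"


def resolve_deleted_container(child_dn: str, container_deleted: bool, domain_dn: str) -> str:
    """Add or move under a container that was deleted concurrently elsewhere:
    the deletion stands and the orphaned object is moved to LostAndFound.
    (Assumes no escaped commas in the RDN, to keep the example short.)"""
    if not container_deleted:
        return child_dn
    rdn = child_dn.split(",", 1)[0]
    return f"{rdn},CN=LostAndFound,{domain_dn}"


if __name__ == "__main__":
    dsa_a = uuid.UUID("11111111-1111-1111-1111-111111111111")   # constructed
    dsa_b = uuid.UUID("22222222-2222-2222-2222-222222222222")   # constructed
    t0 = datetime(2000, 3, 1, 12, 0, tzinfo=timezone.utc)
    dn = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"
    on_a = AttributeWrite(dn, "department", "Sales", Stamp(3, t0, dsa_a))
    on_b = AttributeWrite(dn, "department", "Marketing",
                          originating_write(on_a.stamp, dsa_b, t0))
    print(resolve_attribute_conflict(on_a, on_b).value)   # Marketing: version 4 beats 3
```

Note that the comparison is per attribute, not per object: two administrators editing different attributes of the same user on different domain controllers do not conflict at all, and the last writer of a given attribute wins without anyone being told. Audit logs on each domain controller are the only record of the write that lost.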

Replication Topology

- Directory Partitions
- What Is Replication Topology?
- Global Catalog and Replication of Partitions

Directory Partitions

The Active Directory database on every domain controller is divided into directory partitions, each replicated within its own scope:

- Schema partition (forest-wide): contains the definitions and rules for creating and manipulating all objects and attributes
- Configuration partition (forest-wide): contains information about the Active Directory structure
- Domain partition (one per domain, for example contoso.msft): holds information about all domain-specific objects created in Active Directory

What Is Replication Topology?

(Figure: domain controllers A1 to A4 from domain A and B1 to B3 from domain B. Domain controllers from the same domain replicate their domain partition with each other, forming the Domain A topology and the Domain B topology. Domain controllers from different domains still replicate the schema and configuration partitions with each other, forming the Schema/Configuration topology that spans all of them.)

Global Catalog and Replication of Partitions

A global catalog server holds full replicas of the schema and configuration partitions and of its own domain partition (contoso.msft in the figure), plus a partial, read-only replica of every other domain partition in the forest (for example namerica.contoso.msft) that contains only the subset of attributes published to the global catalog.

(Figure: the same domain controllers A1 to A4 and B1 to B3. A global catalog server in domain A takes part in the Domain A topology for its own partition, receives the partial replica of domain B through the Domain B topology, and takes part in the Schema/Configuration topology like every other domain controller.)

Methods for Administering a Windows 2000 Network

- Using Active Directory for Centralized Management
- Managing the User Environment
- Delegating Administrative Control

Using Active Directory for Centralized Management

(Figure: a domain with OU1, holding Computer1 in Computers, and OU2, holding User1 and User2 in Users and Printer1 in Printers; a search across the domain returns User1, Computer1, User2 and Printer1.)

Active Directory:
- Enables a single administrator to centrally manage resources
- Allows administrators to easily locate information
- Allows administrators to group objects into OUs
- Uses Group Policy to specify policy-based settings

Managing the User Environment

(Figure: Group Policy is applied once at the domain and flows down to OU1, OU2 and OU3; Windows 2000 enforces it continually.)

Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline

Delegating Administrative Control

(Figure: within one domain, Admin1 is delegated control of OU1, Admin2 of OU2 and Admin3 of OU3.)

Assign permissions:
- For specific OUs to other administrators
- To modify specific attributes of an object in a single OU
- To perform the same task in all OUs

Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design

Delegated rights are access control entries on the OU's DACL, inherited by the objects beneath it. Grant the narrowest right that does the job (for example reset password rather than full control) and review delegations regularly: rights such as writing group membership or resetting the passwords of privileged accounts amount to control over those accounts.

Review

- Introduction to Active Directory
- Active Directory Logical Structure
- Role of DNS in Active Directory
- Active Directory Physical Structure
- Methods for Administering a Windows 2000 Network
