Active Directory Infrastructure Overview

Prepared by: MTGuillermo

Terminology and Concepts

Directory data store
Directory partitions
Policy-based administration
DAP and LDAP
Naming schemes used in Active Directory

Three partitions exist on any DC

Domain partition
contains information about the domain

Configuration partition
deals with the topology of Active Directory

Schema partition
contains information that defines the object classes and attributes used within the domain


Policy-Based Administration

Control desktop settings that determine the display properties of a computer.
Assign scripts that run at logon, logoff, startup, and shutdown.
Enforce password security, such as by setting minimum password lengths, the maximum length of time before a password must be changed, and so on.
Redirect folders from the local computer to a folder on a networked computer.
Deploy applications.

Directory Access Protocol

DAP was created for the specific purpose of exchanging information with the directory service. Windows Server 2003 used LDAP.

Naming Scheme

Domain Name System (DNS)
User principal name (UPN)
Universal Naming Convention (UNC)
Uniform Resource Locator (URL)
Lightweight Directory Access Protocol Uniform Resource Locator (LDAP URL)

Distinguished Name

CN
The common name of the object.

OU
The organizational unit. These are containers in the directory that are used to hold objects.

DC
The domain component.
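The naming formats on this and the preceding slide (DNS domain names, UPNs, distinguished names and LDAP URLs) are simple enough to parse by hand, and doing so shows how they relate: the DC components of a DN spell out the DNS name of the domain, and an LDAP URL carries a DN as its path. The block below is an added example written for this page, not code from the original slides; the names it parses (example.com, Jane Doe, dc1.example.com) are constructed.

```python
"""Parse the Active Directory naming formats from the slides.

Added example, not part of the original slides: a small parser for
distinguished names (RFC 4514), user principal names and LDAP URLs
(RFC 4516). All names below are constructed for illustration.
"""
from urllib.parse import unquote, urlsplit

# RDN attribute types that appear in AD distinguished names
RDN_TYPES = {"CN": "common name", "OU": "organizational unit",
             "DC": "domain component"}


def parse_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    A comma inside a value is written '\\,' (e.g. 'CN=Doe\\, Jane'), so a
    plain dn.split(',') would break such names; scan character by character.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:              # previous char was a backslash: take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":          # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not attr_type:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.upper(), value))
    return pairs


def dn_to_dns_domain(dn):
    """The DC components of a DN, joined with dots, form the domain's DNS name."""
    return ".".join(value for rdn_type, value in parse_dn(dn) if rdn_type == "DC")


def parse_upn(upn):
    """'user@domain' -> (user, domain); the suffix is normally the DNS domain."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"malformed UPN: {upn!r}")
    return user, domain.lower()


def parse_ldap_url(url):
    """ldap://host:port/dn?attributes?scope?filter -> dict of its parts.

    Missing parts take the RFC 4516 defaults: all attributes, scope 'base',
    filter '(objectClass=*)'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    dn_text = unquote(parts.path.lstrip("/"))
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": parse_dn(dn_text) if dn_text else [],
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


if __name__ == "__main__":
    # Constructed sample names for the domain example.com
    print(parse_dn("CN=Jane Doe,OU=Sales,DC=example,DC=com"))
    print(dn_to_dns_domain("CN=Jane Doe,OU=Sales,DC=example,DC=com"))
    print(parse_upn("jdoe@example.com"))
    print(parse_ldap_url("ldap://dc1.example.com/OU=Sales,DC=example,DC=com"
                         "?cn,mail?sub?(objectClass=user)"))
```

The escape handling in parse_dn is the part worth noting: a naive split on commas mis-parses any name that legitimately contains one (a common name written surname-first, for instance), and such names occur in real directories.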


Directory Structure Overview

Components of AD
Sites
Domains
Trees
Forests
Objects
DCs

Components of AD used to organize and manage the hierarchy
GC
Schema

Active Directory Users and Computers

Builtin
container holds groups that were created by Windows Server 2003, and can be used to control access

Computers
container is used to store computer objects

Domain Controllers
container contains objects representing DCs that reside in the domain

Users
container is used to store user accounts and groups

LostAndFound
container is used to store stray objects whose containers no longer exist

System
container is used for system settings

Active Directory Domains and Trusts

Shortcut trust
Forest trust
Realm trust
External trust

Shortcut Trust

Forest Trust

Realm Trust

External Trust

Active Directory Sites and Services

Inter-Site Transports
container is used to create and store site links

Subnets
container is used to create and store objects containing information about the subnets on your network

Command-line tools for Active Directory

Dsadd
Used to add users, groups, computers, contacts, and OUs.

Dsget
Displays the properties of an object in Active Directory.

Dsmod
Used to modify users, groups, computers, servers, contacts, and OUs.

Dsmove
Renames an object without moving it, or moves an object to a new location.

Ldifde
Used to create, modify, and delete objects from Active Directory.

Ntdsutil
Used for general management of Active Directory.

Command-line tools for Active Directory


Whoami
Provides information on the user who is currently logged on.

Cacls
Used to view and modify discretionary access control lists (DACLs) on files.

Cmdkey
Used to create, list, and delete usernames, passwords, and credentials.

Csvde
Used to import and export data from the directory.

Dcgpofix
Restores Group Policy Objects (GPOs) to the state they were in when initially installed.
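Ldifde and Csvde (listed on this and the preceding slide) work on text files rather than on live objects, and the file Ldifde reads and writes is LDIF. The block below is an added example, not code from the original slides or from either tool: it writes an LDIF file of the shape that ldifde -i -f users.ldf would import (an add record for a user followed by a modify record that puts the user in a group) and reads it back. The OU, group, user names and attribute values are constructed.

```python
"""Write and read LDIF, the text format Ldifde imports and exports.

Added example, not part of the original slides: a minimal RFC 2849 writer
and reader. user_to_ldif() emits a 'changetype: add' record for a user and
a 'changetype: modify' record adding that user to a group. Every name and
value below is constructed.
"""
import base64

LINE_WIDTH = 76  # RFC 2849 wraps lines at 76 characters

def _needs_base64(value):
    """Values unsafe as plain text are written 'attr:: <base64>'."""
    if not value:
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)

def _attr_line(name, value):
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"

def _fold(line):
    """A long line continues on following lines that begin with one space."""
    pieces, rest = [line[:LINE_WIDTH]], line[LINE_WIDTH:]
    while rest:
        pieces.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return pieces

def add_record(dn, attributes):
    """Record creating one object; attributes maps name -> str or list of str."""
    lines = [_attr_line("dn", dn), "changetype: add"]
    for name, values in attributes.items():
        for value in ([values] if isinstance(values, str) else values):
            lines.append(_attr_line(name, value))
    return lines

def add_member_record(group_dn, member_dn):
    """Modify record appending one value to the group's member attribute."""
    return [_attr_line("dn", group_dn), "changetype: modify",
            "add: member", _attr_line("member", member_dn), "-"]

def to_ldif(records):
    out = []
    for record in records:
        for line in record:
            out.extend(_fold(line))
        out.append("")  # one blank line ends each record
    return "\n".join(out)

def parse_ldif(text):
    """Inverse of to_ldif: a list of records, each a list of (name, value)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation line
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.append((name, value))
    return records

def user_to_ldif(sam, given, surname, ou_dn, group_dn):
    """Constructed sample: records that create a user and add it to a group."""
    user_dn = f"CN={given} {surname},{ou_dn}"
    dns_domain = ".".join(p[3:] for p in ou_dn.split(",")
                          if p.upper().startswith("DC="))
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{dns_domain}",
        "givenName": given, "sn": surname,
        "displayName": f"{given} {surname}",
    }
    return to_ldif([add_record(user_dn, attrs),
                    add_member_record(group_dn, user_dn)])

if __name__ == "__main__":
    print(user_to_ldif("jmueller", "Jörg", "Müller",
                       "OU=Sales,DC=example,DC=com",
                       "CN=Sales Staff,OU=Sales,DC=example,DC=com"))
```

Two details matter when a file like this is fed to the import tool: any value that is not printable ASCII (here a name with umlauts, which also makes the DN itself non-ASCII) must be base64-encoded on a double-colon line, and lines over 76 characters are folded onto continuation lines starting with a space. A writer that skips either rule produces a file the import rejects or, worse, imports with a silently mangled value.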

Access Control in Active Directory

Security descriptors
Object Inheritance
Authentication

Two different types of ACLs in the security descriptor

System access control list (SACL)
used to audit an object's security by recording how a user or group accesses the object

Discretionary access control list (DACL)
is a listing of ACEs for users and groups, and includes information about the permissions that a user or group has to an object, such as a file

Two types of permissions apply to AD objects

Standard permissions
are those that are commonly applied to objects

Special permissions
provide additional access control

Standard permissions

Full Control
Allows the user to change permissions, take ownership, and have the abilities associated with all other standard permissions.

Read
Allows the user to view objects, attributes, ownership, and permissions on an object.

Write
Allows the user to change attributes on an object.

Create All Child Objects
Allows the user to add objects to an OU.

Delete All Child Objects
Allows the user to delete objects from an OU.
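A security descriptor's owner, group, DACL and SACL can be written out in Security Descriptor Definition Language (SDDL), and each standard permission above corresponds to a rights code in that language: GA for Full Control, GR for Read, GW for Write, CC for Create All Child Objects and DC for Delete All Child Objects. The block below is an added example, not code from the original slides: it parses an SDDL string, keeps the auditing (SACL) entries apart from the permission (DACL) entries described on the ACL slide above, expands the generic Read/Write/Full Control bits into the specific directory rights the way Active Directory's generic mapping does, and runs a simplified DACL evaluation. The SDDL string and the principals it names are constructed; the rights codes and the generic mapping values are Active Directory's.

```python
"""Parse a security descriptor given in SDDL and evaluate its DACL.

Added example, not from the original slides. Splits owner, group, DACL and
SACL, decodes each ACE, expands generic rights (GR, GW, GX, GA) the way AD's
generic mapping does, and walks the DACL. The SACL is parsed but, as in
Windows, never consulted for an access decision. SAMPLE_SDDL is constructed.
"""
import re

# Two-letter SDDL right codes -> access-mask bits (directory-service subset)
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# AD's generic mapping: what each generic bit means for a directory object
GENERIC_MAPPING = {
    RIGHTS["GR"]: RIGHTS["RC"] | RIGHTS["LC"] | RIGHTS["RP"] | RIGHTS["LO"],
    RIGHTS["GW"]: RIGHTS["RC"] | RIGHTS["WP"] | RIGHTS["SW"],
    RIGHTS["GX"]: RIGHTS["RC"] | RIGHTS["LC"],
    RIGHTS["GA"]: 0xF01FF,  # SD|RC|WD|WO plus every DS-specific right
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny",
             "AU": "audit", "AL": "alarm", "OU": "audit", "OL": "alarm"}
# The slide's standard permissions and the SDDL code each corresponds to
STANDARD_PERMISSIONS = {"Full Control": "GA", "Read": "GR", "Write": "GW",
                        "Create All Child Objects": "CC",
                        "Delete All Child Objects": "DC"}

def parse_rights(text):
    """'CCDC' -> 0x3; a hex literal such as '0x1200a9' is taken as is."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def map_generic(mask):
    """Replace generic bits by the specific rights they stand for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def parse_ace(text):
    """'type;flags;rights;object;inherited_object;sid' (parens removed)."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, obj, inh_obj, sid = fields[:6]
    return {"type": ACE_TYPES[ace_type],
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "mask": parse_rights(rights), "object_type": obj,
            "inherited_object_type": inh_obj, "sid": sid}

def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner, group, DACL and SACL."""
    parts = re.split(r"([OGDS]):", sddl)  # ':' occurs only after a section key
    sd = {"owner": None, "group": None, "dacl_flags": "", "dacl": [],
          "sacl_flags": "", "sacl": []}
    for key, body in zip(parts[1::2], parts[2::2]):
        if key == "O":
            sd["owner"] = body
        elif key == "G":
            sd["group"] = body
        else:
            name = "dacl" if key == "D" else "sacl"
            sd[name + "_flags"] = body.split("(", 1)[0]  # e.g. 'PAI'
            sd[name] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return sd

def standard_permissions(mask):
    """Names of the slide's standard permissions fully contained in a mask."""
    mask = map_generic(mask)
    names = []
    for name, code in STANDARD_PERMISSIONS.items():
        needed = map_generic(RIGHTS[code])
        if mask & needed == needed:
            names.append(name)
    return names

def check_access(sd, principal_sids, requested):
    """Simplified DACL walk in ACE order: a deny covering any still-wanted bit
    fails the check; allows accumulate until every requested bit is granted."""
    remaining = map_generic(requested)
    for ace in sd["dacl"]:
        if ace["sid"] not in principal_sids:
            continue
        mask = map_generic(ace["mask"])
        if ace["type"] == "deny" and mask & remaining:
            return False
        if ace["type"] == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed sample: Domain Admins full control, Authenticated Users read,
# Account Operators may create/delete children, Domain Users may write but are
# denied changing the DACL or owner; every access by Everyone is audited.
SAMPLE_SDDL = ("O:DAG:DAD:PAI(A;;GA;;;DA)(A;;GR;;;AU)(A;CI;CCDC;;;AO)"
               "(D;;WDWO;;;DU)(A;;GW;;;DU)S:(AU;SAFA;GA;;;WD)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    for ace in sd["dacl"]:
        print(ace["type"], ace["sid"], standard_permissions(ace["mask"]))
```

Running it on SAMPLE_SDDL shows why the two ACL types are kept apart: the audit entry for Everyone grants nothing, it only causes successful and failed access attempts (flags SA and FA) to be logged, while the DACL entries decide access. The walk also shows why ACE order matters: a Domain User asking for write-property access succeeds through the GW allow, but the same user asking to rewrite the DACL (WD) hits the deny first.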


Four different levels of functionality for Active Directory

Windows 2000 mixed
allows domains to contain Windows NT BDCs that can interact with Windows 2000 and Windows Server 2003 servers

Windows 2000 native
is the highest mode available for Windows 2000 and the next highest level for Windows Server 2003 DCs

Windows 2003 interim
is a new level that's available in Windows Server 2003

Windows 2003
is the highest functionality level for Active Directory; used when there are only Windows Server 2003 DCs in the domain

New Features Available Only with Windows Server 2003 Domain/Forest Functionality

Domain Controller Renaming Tool
Domain Rename Utility
Forest Trusts
Dynamically Linked Auxiliary Classes
Disabling Classes
Replication
Raise Domain and Forest Functionality