Page 1: Active Directory and DNS
Lecture 2
Hassan Shuja
09/14/2004

Page 2: Active Directory (AD)

• Active Directory Definitions/Features
  – Active Directory has two parts
    – A database with information about users and resources
    – A service that manages the database and enables users of computers on the network to access the database
  – Active Directory Features/Advantages
    – Security – Logon process and controlling access to objects
    – Administration – Hierarchical structure
    – Search capabilities – Search AD for an object
    – Scalable – Allows multiple domains, fits any size of network
    – Flexibility – Grows with your company, allows for additions

Page 3: Active Directory

• Structure
  – Objects and Classes
    – An object is the smallest component that you can have in AD
    – A class is a template of all the attributes an object has when it is created
  – Schema
    – The schema governs the structure of the directory
    – Allows administrators to modify and add new object classes, objects and attributes as needed, making the schema extensible
    – Active Directory Schema is the name of the snap-in in MMC; the schema can only be changed by Schema Admins
  – Global Catalog
    – A master searchable index that contains information about every object in a forest
    – Created by default on the first DC in a domain
    – Contains a full copy of all objects in its own domain and a partial replica of all objects in all other domains in the forest
    – Serves as a central point for user authentication

Page 4: Active Directory

• AD Organization
  – The smallest component in AD is an object
    – Objects have attributes and are defined by classes
    – Objects have an ACL (permissions) that contains information about who has access to the object and what they can do with it
    – Controlling access to an object is different from having access to the object's resources
  – Organizational Units (container objects)
    – Substructure of domains, arranged hierarchically
    – Used to organize related objects in AD; can also contain other OUs
    – Help simplify administration

Page 5: Active Directory

• Object IDs
  – Globally Unique Identifier (GUID) – A 32-hexadecimal-digit (128-bit) number assigned to an object at the time of creation and stored with the object. This ensures uniqueness and avoids duplication
  – Security ID (SID) – A unique security ID created by the security subsystem and assigned to users, groups, and computers to grant or deny an object access to other objects

Page 6: Domain Controller (DC)

• DC Setup
  – All Domain Controllers are equal
  – A change on one DC will be replicated to all other DCs
  – Five scenarios where a DC can have an additional role
    – Relative ID Master
    – Schema Master
    – Infrastructure Master
    – Domain Naming Master
    – PDC Emulator

Page 7: Domains

• AD Organization
  – Tree
    – Grouping of one or more domains that must have a single root domain
    – Parent and child relationships
    – Defined by a common and contiguous name space
    – A hierarchy of domains sharing a common schema, security trust relationship, and Global Catalog

Page 8: Domains

• AD Organization
  – Forest
    – A group of one or more Domain Trees linked together by a trust
    – Trees have different root domains
    – All Trees share a common schema and global catalog
    – Trees do not have contiguous DNS domain names

Page 9: Trusts

• NT Domains
  – Each domain had its own accounts
  – A user needed an account in every domain where resources were needed, or an administrator had to set up a trust between the domains
  – Trusts were set up explicitly as one-way or two-way trusts
  – These trusts are intransitive

Page 10: Trusts

• Trusts
  – A logical connection that allows users from one domain to access resources in another domain
  – Can be one-way or two-way
  – Trusting domain and Trusted domain

Diagram: Trusted Domain (Users) and Trusting Domain (Resources)

Page 11: Trusts

• Intransitive Trusts
  – Domain C trusts Domain B and Domain B trusts Domain A
    – (B has access to resources in C and A has access to resources in B)
  – Domain C does not trust Domain A
  – Intransitive trusts are possible in Windows NT

Diagram: Domain A, Domain B, Domain C

Page 12: Trusts

• Transitive Trusts
  – A trust between two domains in the same Tree/Forest that can extend beyond the two domains to other trusted domains within the same Tree/Forest
  – Always a two-way trust
  – By default all Windows 2000 trusts within a Tree/Forest are transitive
  – Domains A and C trust each other

Diagram: Domain A, Domain B, Domain C
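The difference between the intransitive (NT) trusts on the previous slide and the transitive (Windows 2000) trusts on this one comes down to how far a trust path is followed. The Python below is an added example, not part of the lecture; it models trusts as a directed graph with the slides' Domain A, B and C (constructed labels) and computes which domains' resources a user from a given domain can reach under each rule.

```python
"""Trust evaluation as a directed graph: NT-style intransitive trusts versus
Windows 2000 transitive tree/forest trusts.  Added example; domain names are
constructed and stand for the slides' Domain A, B and C."""
from collections import deque

# Edges run trusting -> trusted.  "C trusts B" means users of the trusted
# domain B can access resources in the trusting domain C.
NT_STYLE = {
    "C": {"B"},   # C trusts B (one-way, intransitive)
    "B": {"A"},   # B trusts A
    "A": set(),
}


def tree_trusts(parent_child_pairs):
    """Build the default Windows 2000 picture: every parent-child link in a tree
    is a two-way trust, so both directions appear as edges."""
    trusts = {}
    for parent, child in parent_child_pairs:
        trusts.setdefault(parent, set()).add(child)
        trusts.setdefault(child, set()).add(parent)
    return trusts


def resources_for_user(user_domain, trusts, transitive):
    """Return the set of domains whose resources a user from user_domain can
    reach.  With transitive=False only domains that trust user_domain directly
    count; with transitive=True the trust path is followed across hops."""
    # Invert the graph: trusted -> set of domains that trust it.
    trusted_by = {}
    for trusting, trusted_set in trusts.items():
        for trusted in trusted_set:
            trusted_by.setdefault(trusted, set()).add(trusting)

    reachable = set()
    seen = {user_domain}
    frontier = deque([user_domain])
    while frontier:
        current = frontier.popleft()
        for trusting in trusted_by.get(current, ()):
            if trusting in seen:
                continue
            seen.add(trusting)
            reachable.add(trusting)
            if transitive:          # intransitive: stop after the first hop
                frontier.append(trusting)
    return reachable


if __name__ == "__main__":
    cases = [
        ("NT intransitive", NT_STYLE, False),
        ("W2K transitive tree", tree_trusts([("A", "B"), ("B", "C")]), True),
    ]
    for label, graph, transitive in cases:
        for user_domain in sorted(graph):
            reach = sorted(resources_for_user(user_domain, graph, transitive))
            print(f"{label}: user in {user_domain} reaches {reach}")
```

Run stand-alone it prints that under the NT rule a user in Domain A reaches only B (C does not trust A), while in a Windows 2000 tree every domain reaches every other. For a defender that is the practical consequence of transitivity: the scope of an account is the whole connected tree, not just its neighbouring domain, so trust boundaries have to be drawn where the forest is designed, not assumed per domain.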

Page 13: Trusts

• Explicit Trusts
  – A trust that is set up by an administrator
  – Connects domains directly to shorten the path between them
  – Can be either transitive or intransitive
  – Used to manage trusts between Windows 2000 and NT domains

Page 14: Domain Name System (DNS)

• DNS
  – DNS Structure
    – Based on a hierarchical naming structure (inverted tree)
    – A single root domain; underneath there are second-level domains
    – Every computer in a DNS domain is uniquely identified by a Fully Qualified Domain Name (FQDN)
    – Dynamic DNS is supported in W2K

Diagram: DNS resolution example with nodes Root Domain Servers, UMBC, NorthropGrumman, WWW, Workstation, Internal UMBC DNS Server, External UMBC DNS Server, External Northrop Grumman DNS Server; steps labelled 1–4 and A–D

Page 15: Domain Name System

• Zone Files and DNS Servers
  – Forward Lookup Zone
    – Contains host name to IP address resolution
  – Reverse Lookup Zone
    – Contains IP address to host name resolution
  – DNS Servers
    – Primary – Maintains the master copy of the zone files
    – Secondary – Keeps a back-up copy of the zone files
    – AD-integrated – DNS entries kept in the AD data store instead of zone files
  – Scavenge Files
    – Finds and deletes records in a zone if they have been stale for a certain amount of time
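To make the forward/reverse zone split and scavenging concrete, here is an added Python example (not from the lecture) that builds A and PTR records from a constructed host table and then runs an aging pass. The host names, addresses and timestamps are constructed; the 7 + 7 day interval is the Windows DNS default for no-refresh plus refresh and is only a parameter here.

```python
"""Forward and reverse lookup zone records plus an aging/scavenging pass.
Added example; host names, addresses and timestamps are constructed, and the
7 + 7 day interval is the Windows DNS default for aging, used here as a
parameter."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Optional

# Constructed "now" (the lecture date) and host table: (fqdn, ip, last_refresh).
# A last_refresh of None marks a static record, which is never scavenged.
NOW = datetime(2004, 9, 14, tzinfo=timezone.utc)
HOSTS = [
    ("dc1.corp.example.", "10.0.5.1", None),                        # static
    ("ws17.corp.example.", "10.0.5.17", NOW - timedelta(days=3)),   # fresh
    ("ws42.corp.example.", "10.0.5.42", NOW - timedelta(days=30)),  # stale
]


@dataclass
class Record:
    name: str                       # owner name, fully qualified with trailing dot
    rtype: str                      # "A" (forward zone) or "PTR" (reverse zone)
    data: str                       # IP address for A, host name for PTR
    timestamp: Optional[datetime]   # None = static record


def reverse_name(ip: str) -> str:
    """PTR owner name for an address: 10.0.5.7 -> 7.5.0.10.in-addr.arpa."""
    return ip_address(ip).reverse_pointer + "."


def build_zones(hosts):
    """Return (forward_zone, reverse_zone): one A record per host in the forward
    zone and the matching PTR record in the reverse zone."""
    forward, reverse = [], []
    for fqdn, ip, ts in hosts:
        forward.append(Record(fqdn, "A", ip, ts))
        reverse.append(Record(reverse_name(ip), "PTR", fqdn, ts))
    return forward, reverse


def scavenge(zone, now, no_refresh=timedelta(days=7), refresh=timedelta(days=7)):
    """Delete dynamic records not refreshed within the no-refresh plus refresh
    interval; static records (timestamp None) are kept.  Returns (kept, deleted)."""
    cutoff = now - (no_refresh + refresh)
    kept, deleted = [], []
    for rec in zone:
        if rec.timestamp is not None and rec.timestamp < cutoff:
            deleted.append(rec)
        else:
            kept.append(rec)
    return kept, deleted


if __name__ == "__main__":
    fwd, rev = build_zones(HOSTS)
    for zone_name, zone in (("forward", fwd), ("reverse", rev)):
        kept, deleted = scavenge(zone, NOW)
        print(f"{zone_name}: kept {len(kept)}, scavenged {[r.name for r in deleted]}")
```

The static record for the domain controller survives scavenging regardless of age, which is the behaviour to want: aging applies to dynamically registered records, so infrastructure records that must never disappear should be created static.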

Page 16: Active Directory & Domain Name System

• AD & DNS
  – Active Directory and DNS use the same hierarchical structure
  – Typically use the same FQDN
  – DNS records can be stored in Active Directory
  – Clients use DNS to locate Domain Controllers on the network
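The last bullet is the piece a practitioner most often has to verify: a client finds a domain controller by querying SRV records under the _msdcs subdomain that Windows registers for each DC. The Python below is an added example, not the lecture's or Microsoft's code; the SRV owner names follow the documented _msdcs layout, while the records, the domain name corp.example and the inventory of known DCs are constructed.

```python
"""How a client locates a domain controller through DNS: the SRV names queried
and how answers are ranked, plus a check of the advertised targets against an
inventory.  Added example; records, domain name and inventory are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain, site=None):
    """SRV owner names a client queries, site-specific name first when the
    client knows its site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    return names


def parse_srv(rdata):
    """Parse SRV RDATA in zone-file form: 'priority weight port target'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV RDATA: {rdata!r}")
    priority, weight, port = (int(f) for f in fields[:3])
    if not (0 <= priority <= 65535 and 0 <= weight <= 65535 and 0 < port <= 65535):
        raise ValueError(f"SRV field out of range: {rdata!r}")
    return SrvRecord(priority, weight, port, fields[3])


def rank_targets(records):
    """Order candidates as RFC 2782 describes: lowest priority first; within a
    priority a higher weight is preferred (real clients pick weighted-randomly,
    this keeps the order deterministic)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def unexpected_targets(records, known_dcs):
    """Targets advertised in DNS that are not in the inventory of known domain
    controllers.  A non-empty result means DNS is steering clients to a host
    the directory team does not recognise and should be investigated."""
    return sorted({r.target for r in records} - set(known_dcs))


# Constructed answers for _ldap._tcp.dc._msdcs.corp.example
ANSWERS = [
    parse_srv("0 100 389 dc1.corp.example."),
    parse_srv("10 100 389 dc2.corp.example."),
    parse_srv("0 50 389 dc3.corp.example."),
]
KNOWN_DCS = {"dc1.corp.example.", "dc2.corp.example."}

if __name__ == "__main__":
    print(dc_locator_names("corp.example", site="HQ"))
    print([r.target for r in rank_targets(ANSWERS)])
    print("not in inventory:", unexpected_targets(ANSWERS, KNOWN_DCS))
```

Because the locator trusts whatever DNS returns, keeping the SRV targets in step with the DC inventory is a cheap periodic check; the example flags dc3 as unexpected on the constructed data.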

Page 17: Domain Name System

• Name Space
  – Active Directory is based on the concept of a namespace, that is, a name is used to resolve the location of an object
  – Active Directory names correspond to DNS domain names
  – Each name gives the location of the object in Active Directory

Page 18: Domain Name System

• Name Convention
  – Relative Distinguished Name (RDN) – A unique name assigned to the object by the administrator when it is created
    – Example – hshuja1
  – Distinguished Name (DN) – Defines the RDN and also the location within Active Directory, such as the OU the user belongs to
    – Example – [email protected]
  – User Principal Name (UPN) – An easier naming convention. Combines the RDN with the domain name; no OU is referenced
    – Example – [email protected]
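The relationship between RDN, DN and UPN on this slide is easiest to see by taking a DN apart. The Python below is an added example, not from the lecture; the DNs it parses are constructed (the RDN hshuja1 is the slide's, the domain example.edu is not). It splits a DN into RDNs while honouring backslash escapes, recovers the container path, and builds a UPN the way the slide describes, RDN combined with the DNS domain name. Note that in a real directory userPrincipalName is a separate attribute set by the administrator, not something derived from the CN.

```python
"""RDN, DN and UPN handling: split a distinguished name into its RDNs, recover
the container path, and build a UPN as the slide describes (RDN @ domain).
Added example; DNs are constructed, and real AD stores userPrincipalName as
its own attribute rather than deriving it from the CN."""


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514), so
    an escaped comma inside a value does not start a new RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(ch + dn[i + 1])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn):
    """Return (attribute_type_lowercase, value) for one RDN such as 'OU=Students'."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value


def container_path(dn):
    """Location of the object: its containers from the root down, e.g.
    ['DC=edu', 'DC=example', 'OU=Students'] for a student account."""
    parts = [parse_rdn(r) for r in split_dn(dn)][1:]
    return [f"{attr.upper()}={value}" for attr, value in reversed(parts)]


def dns_domain(dn):
    """DNS domain name formed by the DC components of a DN."""
    parts = (parse_rdn(r) for r in split_dn(dn))
    return ".".join(value for attr, value in parts if attr == "dc")


def upn_from_dn(dn):
    """RDN value combined with the domain name; no OU is referenced."""
    _, leaf = parse_rdn(split_dn(dn)[0])
    return f"{leaf}@{dns_domain(dn)}"


if __name__ == "__main__":
    # Constructed DNs: one plain, one with an escaped comma in the CN value.
    for dn in ("CN=hshuja1,OU=Students,DC=example,DC=edu",
               "CN=Shuja\\, Hassan,OU=Staff,DC=example,DC=edu"):
        print("RDN:", split_dn(dn)[0])
        print("location:", " > ".join(container_path(dn)))
        print("UPN:", upn_from_dn(dn))
```

The escape handling matters in practice: a CN such as "Shuja, Hassan" is written CN=Shuja\, Hassan, and a naive split on commas would turn that one RDN into two and mislocate the object.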