Christopher Chapman | MCT, Content PM, Microsoft Learning, PDG Planning, Microsoft
Understanding Active Directory
Microsoft Virtual Academy
Active Directory Lightweight Directory Services (AD LDS)
Module Overview
• AD LDS Overview
• Implementing and Administering AD LDS
• Implementing AD LDS Replication
• Comparing AD DS and AD LDS
Lesson 1: AD LDS Overview
• How AD LDS Works
• AD LDS Administration Tools
• What Is the AD LDS Schema?
• Demonstration: Installing AD LDS
How AD LDS Works
AD LDS is a hierarchical, file-based directory store that is accessed via LDAP
Uses the Extensible Storage Engine (ESE) for file storage
The store is organized into three partition types:
• Configuration
• Schema
• Application
AD LDS Administration Tools
Tool: Active Directory Lightweight Directory Services Setup Wizard
• Create a new instance of AD LDS
• Create a new replica of an existing AD LDS instance
Tool: ADSI Edit
• Viewing data
• Modifying data
Tool: LDP
• Creating application partition instances
• Viewing data
• Modifying data
Tool: Ldifde or Csvde
• Importing and exporting data
Tool: Dsacls
• View or set permissions
Tool: AdamSync
• Synchronize data from an instance of AD DS into AD LDS
Tool: ADSchemaAnalyzer
• Used when migrating the Active Directory schema to ADAM (the earlier name of AD LDS)
What Is the AD LDS Schema?
The AD LDS schema defines the types of objects and data that can be created and stored in an AD LDS instance, using object classes and attributes
Figure: the schema partition holds the class definitions (for example, the definition of the user object class and of a custom automobile object class); the application partition holds the directory objects created from those classes
Demonstration: Installing AD LDS
• In this demonstration, you will see how to install Active Directory Lightweight Directory Services
Lesson 2: Implementing and Administering AD LDS
• What Is an AD LDS Instance?
• What Is an AD LDS Application Partition?
• Demonstration: Configuring AD LDS Instances and Application Partitions
• AD LDS Users and Groups
• How Does Access Control Work in AD LDS?
What Is an AD LDS Instance?
An AD LDS instance is a running copy of the AD LDS service that has its own communication interfaces (LDAP, replication) and its own directory store
Figure: a single AD LDS instance; clients reach the directory service through its interfaces, and the directory data store (Adamntds.dit) holds the instance's own copy of the three partitions
What Is an AD LDS Application Partition?
The AD LDS application partition holds the data that is used by the application
Multiple application directory partitions can be created in each AD LDS instance; however, all of them share a single set of configuration and schema partitions
Figure: a single AD LDS instance containing application partition 1, the configuration partition, and the schema partition
Demonstration: Configuring AD LDS Instances and Application Partitions
• In this demonstration, you will see how to configure an AD LDS instance on a computer that is already running one instance
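The two demonstrations above (installing AD LDS, then adding a second instance with its own application partition on a host that already runs one) are not reproduced in the deck. The following is an added example, not code from the deck or from Microsoft, that performs both steps unattended. The host name, instance name, ports, partition DN, paths and the administrators group are assumptions chosen for the example; the [ADAMInstall] keys are the documented adaminstall.exe answer-file keys.

```powershell
# Added example (not from the MVA deck): unattended install of a second AD LDS
# instance on a host that already has one, followed by a quick verification.
# Run elevated on Windows Server. All names, ports, DNs and paths are assumptions.

# 1. Make sure the AD LDS role is present (no-op if it is already installed).
Install-WindowsFeature -Name ADLDS -IncludeManagementTools | Out-Null

# 2. Pick ports that are not already bound. The first instance on a member server
#    normally takes 389/636 (50000/50001 on a domain controller), so a second
#    instance on the same host must get its own LDAP and SSL ports.
$ldapPort = 50010
$sslPort  = 50011
foreach ($p in $ldapPort, $sslPort) {
    if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $p is already in use; choose another port for this instance."
    }
}

# 3. Write the answer file. InstallType=Unique creates a new configuration set
#    (its own configuration and schema partitions) rather than a replica.
#    Administrator names the Windows principal that becomes the first member of the
#    Administrators role in the configuration partition: use a dedicated group, not
#    a personal account. With no ServiceAccount/ServicePassword the instance runs
#    as the default service account chosen by setup.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=AppDirectory
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionName=DC=app,DC=contoso,DC=com
DataFilesPath=C:\ADLDS\AppDirectory\data
LogFilesPath=C:\ADLDS\AppDirectory\logs
Administrator=CONTOSO\ADLDS-AppDirectory-Admins
ImportLDIFFiles="MS-User.LDF"
"@
$answerPath = Join-Path $env:TEMP 'adlds-AppDirectory.txt'
Set-Content -Path $answerPath -Value $answer -Encoding ASCII

# 4. Create the instance. adaminstall.exe ships in %windir%\ADAM once the role is installed.
& "$env:windir\ADAM\adaminstall.exe" /answer:$answerPath
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
Remove-Item $answerPath -Force   # answer files can carry credentials; do not leave them behind

# 5. Verify: each instance is its own Windows service (ADAM_<InstanceName>) and
#    answers on its own port, and its RootDSE lists the three partitions
#    (configuration, schema and the new application partition).
Get-Service -Name 'ADAM_AppDirectory' | Select-Object Name, Status, StartType
$root = Get-ADRootDSE -Server "localhost:$ldapPort"
$root.namingContexts
```

Get-ADRootDSE and the other ActiveDirectory module cmdlets reach an AD LDS instance through Active Directory Web Services on the AD LDS host, so that service must be running; when it is not, LDP or ADSI Edit against localhost:50010 shows the same naming contexts.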
AD LDS Users and Groups
AD LDS provides four default, role-based groups stored in the Roles container of the appropriate partitions
Role: Administrators
• Default members (configuration partition): the AD LDS administrators assigned during AD LDS setup
• Default members (application partitions): the Administrators group from the configuration partition
• Default access: full access to all partitions
Role: Readers
• Default members: none
• Default access: read access to the partition
Role: Users
• Default members (configuration partition): transitively, all AD LDS users
• Default members (application partitions): transitively, all AD LDS users created in the partition
• Default access: none
Role: Instances
• Default members (configuration partition): all instances
How Does Access Control Work in AD LDS?
AD LDS access control:
1. Authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory
2. Uses the security descriptors on directory objects, and the access control lists (ACLs) they contain, to determine which objects an authenticated user can access and what it can do with them
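The role table and the two-step access-control model above are easiest to see with a concrete account. The following is an added example (not from the deck) that creates an AD LDS user in an application partition, gives it read access through the Readers role, and then binds as that user to show that authentication alone grants nothing: the ACL does. It assumes an instance on host adlds01 listening on 50010 (LDAP) and 50011 (SSL), the application partition DC=app,DC=contoso,DC=com, Active Directory Web Services running on that host, and a caller who is a member of the partition's Administrators role. All names are assumptions.

```powershell
# Added example (not from the MVA deck): AD LDS user, Readers role, and a bind test.
# Host, ports, partition and account names are assumptions for the example.
Import-Module ActiveDirectory
$server    = 'adlds01:50010'
$partition = 'DC=app,DC=contoso,DC=com'

# 1. A container for application accounts, then the user. Set the password and
#    explicitly clear msDS-UserAccountDisabled; an AD LDS user is not usable
#    until both are done.
New-ADObject -Type organizationalUnit -Name 'Users' -Path $partition -Server $server
$userDn = "CN=svc-reports,OU=Users,$partition"
New-ADObject -Type user -Name 'svc-reports' -Path "OU=Users,$partition" -Server $server
$pw = Read-Host -AsSecureString -Prompt 'Password for svc-reports'
# The module talks to Active Directory Web Services on the AD LDS host, which gives
# the password operation a protected channel; AD LDS refuses password changes over
# an unprotected LDAP session.
Set-ADAccountPassword -Identity $userDn -Server $server -Reset -NewPassword $pw
Set-ADObject -Identity $userDn -Server $server -Replace @{ 'msDS-UserAccountDisabled' = $false }

# 2. Grant read access the AD LDS way: membership in the partition's Readers role.
#    The Users role has no default access, so without this step a successful bind
#    still sees nothing. Do not put service accounts in Administrators "for now".
Add-ADGroupMember -Identity "CN=Readers,CN=Roles,$partition" -Members $userDn `
    -Server $server -Partition $partition

# 3. Inspect the effective ACL on the partition head. Dsacls accepts \\host:port\DN
#    for AD LDS; Readers should show only read-type rights.
dsacls "\\$server\$partition" | Select-String -Pattern 'Readers'

# 4. Bind as the new user over SSL with a simple bind (DN + password) using the
#    .NET LDAP client, then prove that a read works and a write is denied.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('adlds01', 50011, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($userDn, $pw)
$conn.Bind()   # throws LdapException on a bad password or a disabled account

$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$search = New-Object System.DirectoryServices.Protocols.SearchRequest($partition, '(objectClass=user)', $scope, 'cn')
$hits   = $conn.SendRequest($search).Entries.Count
"Read as svc-reports: $hits user object(s) visible"

$op  = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest($userDn, $op, 'description', 'should be denied')
try {
    $conn.SendRequest($mod) | Out-Null
    'Write succeeded: Readers has more than read access here, review the ACL'
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    'Write denied as expected: authenticated, but the ACL grants read only'
}
```

The bind goes to the SSL port on purpose: a simple bind sends the password in clear text otherwise. Whether the instance will accept simple binds without SSL at all is governed by the RequireSecureSimpleBind value in ms-DS-Other-Settings on the instance's CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition; checking that value is part of hardening an instance that is reachable over the network.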
Lesson 3: Implementing AD LDS Replication
• How AD LDS Replication Works
• Why Implement AD LDS Replication?
How AD LDS Replication Works
AD LDS uses multimaster replication:
• All instances in a configuration set are writable
• Changes made on one instance are replicated to the other instances
Figure: three servers replicating changes to one another; a client adds "User 2" on Server 1 while another client modifies the display name of "User 1" on Server 2, and each change replicates to the other two servers
Why Implement AD LDS Replication?
• High availability
• Load balancing
• Geographic limitations
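The multimaster model above means a replica is not a read-only copy: a write accepted on any member of the configuration set must show up on every other member. The following added example (not from the deck) joins a second server to the configuration set created earlier and then checks replication in both directions. Host names, ports and DNs are assumptions; the replica-specific answer-file keys (SourceServer, SourceLDAPPort, SourceUserName, SourcePassword, ApplicationPartitionsToReplicate) are used as documented for adaminstall.exe and should be checked against the answer-file reference for the Windows version in use.

```powershell
# Added example (not from the MVA deck): create a replica of the AppDirectory
# instance on adlds02 and verify multimaster replication with adlds01.
# Run elevated on adlds02. All names, ports and DNs are assumptions.
Install-WindowsFeature -Name ADLDS -IncludeManagementTools | Out-Null

# The account used to pull the initial copy must be an AD LDS administrator on
# the source instance; it is prompted for here so it never sits in a script.
$cred = Get-Credential -Message 'AD LDS administrator on adlds01 (DOMAIN\user)'

# InstallType=Replica joins an existing configuration set: the configuration and
# schema partitions always come along, application partitions only when listed.
$answer = @"
[ADAMInstall]
InstallType=Replica
InstanceName=AppDirectory
LocalLDAPPortToListenOn=50010
LocalSSLPortToListenOn=50011
SourceServer=adlds01.contoso.com
SourceLDAPPort=50010
SourceUserName=$($cred.UserName)
SourcePassword=$($cred.GetNetworkCredential().Password)
ApplicationPartitionsToReplicate="DC=app,DC=contoso,DC=com"
DataFilesPath=C:\ADLDS\AppDirectory\data
LogFilesPath=C:\ADLDS\AppDirectory\logs
"@
# The file now holds a credential: keep it in the caller's profile and delete it right after use.
$answerPath = Join-Path $env:LOCALAPPDATA 'adlds-replica.txt'
Set-Content -Path $answerPath -Value $answer -Encoding ASCII
try {
    & "$env:windir\ADAM\adaminstall.exe" /answer:$answerPath
    if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $answerPath -Force
}

# Replication status: repadmin takes server:port for AD LDS instances.
repadmin /showrepl 'adlds02:50010'

# Prove the multimaster behaviour: write on one side, sync, read on the other, both ways.
Import-Module ActiveDirectory
$partition = 'DC=app,DC=contoso,DC=com'
$s1 = 'adlds01:50010'
$s2 = 'adlds02:50010'
New-ADObject -Type contact -Name 'probe-from-adlds01' -Path $partition -Server $s1
New-ADObject -Type contact -Name 'probe-from-adlds02' -Path $partition -Server $s2
repadmin /syncall 'adlds02:50010' $partition | Out-Null
repadmin /syncall 'adlds01:50010' $partition | Out-Null
Get-ADObject -Identity "CN=probe-from-adlds01,$partition" -Server $s2   # written on 1, read on 2
Get-ADObject -Identity "CN=probe-from-adlds02,$partition" -Server $s1   # written on 2, read on 1
Remove-ADObject -Identity "CN=probe-from-adlds01,$partition" -Server $s1 -Confirm:$false
Remove-ADObject -Identity "CN=probe-from-adlds02,$partition" -Server $s2 -Confirm:$false
```

Replication partners authenticate to each other with the instances' service accounts, so the account each instance runs under is part of the replication trust: in a domain, use the same domain service account (or accounts that are AD LDS administrators on the configuration set) on every member; a replica whose service account cannot authenticate to its partner will show up in repadmin /showrepl with a failing inbound link.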
Lesson 4: Comparing AD DS and AD LDS
• Similarities between AD DS and AD LDS
• Differences between AD DS and AD LDS
• Integrating AD DS and AD LDS
Similarities Between AD DS and AD LDS
Similarities between AD DS and AD LDS:
• Support LDAP connections
• Use multimaster replication
• Support delegated administration
• Use Extensible Storage Engine for the database store
Differences Between AD DS and AD LDS
Feature | AD LDS | AD DS
Capable of multiple instances running on one server | X |
Runs on non-domain controllers | X |
Does not require a DNS infrastructure | X |
Group Policy | | X
Global catalog functions | | X
Kerberos V5 protocol authentication | | X
Full-featured administrator tools | | X
Automatic failover of services | | X
Integrating AD DS and AD LDS
To integrate AD DS and AD LDS:
1. Prepare the schema for synchronization
2. Prepare the configuration for AdamSync
3. Run AdamSync
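The three integration steps above, carried out end to end, as an added example that is not part of the deck. It assumes an instance on adlds01:50010 with the application partition DC=app,DC=contoso,DC=com, the AD DS domain contoso.com, a dedicated sync account CONTOSO\svc-adamsync, and that the caller is an AD LDS administrator. The configuration file is modeled on the MS-AdamSyncConf.xml sample that ships in %windir%\ADAM; compare it with that sample before use, since element names are taken from it.

```powershell
# Added example (not from the MVA deck): schema preparation, AdamSync configuration,
# and a synchronization run. Every name, DN and path below is an assumption.
Import-Module ActiveDirectory
$server    = 'adlds01:50010'
$partition = 'DC=app,DC=contoso,DC=com'
$adamDir   = "$env:windir\ADAM"

# 1. Prepare the schema. AdamSync needs its metadata classes, and synchronized
#    users become userProxyFull objects (a bind-redirect to AD DS, no password
#    stored in AD LDS). ldifde -c swaps the placeholder DN for the instance's real
#    configuration naming context; -k ignores "already exists" on a rerun.
foreach ($ldf in 'MS-AdamSyncMetadata.LDF', 'MS-UserProxyFull.LDF') {
    ldifde -i -k -f (Join-Path $adamDir $ldf) -s $server -c 'CN=Configuration,DC=X' '#configurationNamingContext'
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed importing $ldf" }
}
# If the application needs AD DS attributes that are not in the AD LDS schema,
# export them with ADSchemaAnalyzer to an LDF first and import it the same way.

# 2. Prepare the AdamSync configuration. Keep the query narrow: one OU, user
#    objects only, and only the attributes the application reads. The target OU
#    must exist before the sync runs.
New-ADObject -Type organizationalUnit -Name 'Synced' -Path $partition -Server $server -ErrorAction SilentlyContinue
$conf = @"
<?xml version="1.0"?>
<doc>
 <configuration>
  <description>contoso.com users into the app partition (example)</description>
  <security-mode>object</security-mode>
  <source-ad-name>contoso.com</source-ad-name>
  <source-ad-partition>DC=contoso,DC=com</source-ad-partition>
  <source-ad-account>svc-adamsync</source-ad-account>
  <account-domain>contoso.com</account-domain>
  <target-dn>OU=Synced,$partition</target-dn>
  <query>
   <base-dn>OU=Staff,DC=contoso,DC=com</base-dn>
   <object-filter>(objectClass=user)</object-filter>
   <attributes>
    <include>objectSid</include>
    <include>userPrincipalName</include>
    <include>displayName</include>
    <include>mail</include>
    <exclude></exclude>
   </attributes>
  </query>
  <user-proxy>
   <source-object-class>user</source-object-class>
   <target-object-class>userProxyFull</target-object-class>
  </user-proxy>
  <schedule>
   <aging>
    <frequency>0</frequency>
    <num-objects>0</num-objects>
   </aging>
   <schtasks-cmd></schtasks-cmd>
  </schedule>
 </configuration>
 <synchronizer-state>
  <dirsync-cookie></dirsync-cookie>
  <status></status>
  <authoritative-adam-instance></authoritative-adam-instance>
  <configuration-file-guid></configuration-file-guid>
  <last-sync-attempt-time></last-sync-attempt-time>
  <last-sync-success-time></last-sync-success-time>
  <last-sync-error-time></last-sync-error-time>
  <last-sync-error-string></last-sync-error-string>
  <consecutive-sync-failures></consecutive-sync-failures>
  <user-credentials></user-credentials>
  <runs-since-last-object-update></runs-since-last-object-update>
  <runs-since-last-full-sync></runs-since-last-full-sync>
 </synchronizer-state>
</doc>
"@
$confPath = Join-Path $env:TEMP 'adamsync-contoso.xml'
Set-Content -Path $confPath -Value $conf -Encoding UTF8

# Install the configuration into the instance; /passPrompt asks for the sync
# account's password instead of taking it from a file.
& "$env:windir\ADAM\adamsync.exe" /install $server $confPath /passPrompt
if ($LASTEXITCODE -ne 0) { throw "adamsync /install failed with exit code $LASTEXITCODE" }

# 3. Run the synchronization and check the result.
$log = Join-Path $env:TEMP 'adamsync-contoso.log'
& "$env:windir\ADAM\adamsync.exe" /sync $server $partition /log $log
Select-String -Path $log -Pattern 'error' -SimpleMatch
(Get-ADObject -Server $server -SearchBase "OU=Synced,$partition" -LDAPFilter '(objectClass=userProxyFull)' | Measure-Object).Count
```

AdamSync reads AD DS with the DirSync control, which requires the Replicating Directory Changes permission on the source partition, so svc-adamsync needs exactly that right on DC=contoso,DC=com and nothing more; a domain administrator account here turns the AD LDS host into a path to the domain. The installed configuration, including the stored sync credential, lives inside the AD LDS instance, which is one more reason the instance's Administrators role should be as small as the earlier slides suggest.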
Module Review and Takeaways
• Review Questions
• Summary of AD LDS
Thanks for Watching!
©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.