Overview of Active Directory Domain Services, Lesson 1

70 640 Lesson01 Ppt 041009


Page 1: 70 640 Lesson01 Ppt 041009

Overview of Active Directory Domain Services

Lesson 1

Page 2: 70 640 Lesson01 Ppt 041009

Chapter Objectives

• Identify Active Directory functions and benefits.

• Identify the major components that make up an Active Directory structure.

• Identify how DNS relates to Active Directory.

• Identify Forest and Domain Functional Levels.

Page 3: 70 640 Lesson01 Ppt 041009

Directory Service

• A network service that identifies all resources on a network and makes those resources accessible to users and applications.

• The most common directory service standards are:
– X.500
– Lightweight Directory Access Protocol (LDAP)

Page 4: 70 640 Lesson01 Ppt 041009

X.500

• Uses a hierarchical approach in which objects are organized in a similar way to the files and folders on a hard drive.

Page 5: 70 640 Lesson01 Ppt 041009

Lightweight Directory Access Protocol (LDAP)

• Industry standard.
• Slimmed-down version of X.500, modified to run over TCP/IP networks.

Page 6: 70 640 Lesson01 Ppt 041009

Active Directory

• A directory service that uses the “tree” concept for managing resources on a Windows network.

• Stores information about network resources and services, such as user data, printers, servers, databases, groups, computers, and security policies.

• Identifies all resources on a network and makes them accessible to users and applications.

Page 7: 70 640 Lesson01 Ppt 041009

Active Directory

• Used in:
– Windows 2000
– Windows Server 2003
– Windows Server 2008

• Subsequent versions of Active Directory have introduced new functionality and security features.

Page 8: 70 640 Lesson01 Ppt 041009

Active Directory

• Windows Server 2008 provides two directory services:
– Active Directory Domain Services (AD DS)
– Active Directory Lightweight Directory Services (AD LDS)

Page 9: 70 640 Lesson01 Ppt 041009

Active Directory Domain Services (AD DS)

• Provides the full-fledged directory service that is referred to as Active Directory in Windows Server 2008 and previous versions of Windows Server.

Page 10: 70 640 Lesson01 Ppt 041009

Active Directory Lightweight Directory Services (AD LDS)

• Provides a lightweight, flexible directory platform that Active Directory developers can use without incurring the overhead of the full-fledged AD DS directory service.

Page 11: 70 640 Lesson01 Ppt 041009

Domain Controller (DC)

• Server that stores the Active Directory database and authenticates users to the network during logon.

• Stores database information in a file called ntds.dit.

• Active Directory is a multimaster database.
– Information is automatically replicated between multiple domain controllers.

Page 12: 70 640 Lesson01 Ppt 041009

Active Directory Functions and Benefits

• Centralized resource and security administration.

• Single logon for access to global resources.

• Fault tolerance and redundancy.
• Simplified resource location.

Page 13: 70 640 Lesson01 Ppt 041009

Centralizing Resources and Security Administration

• Active Directory provides a single point from which administrators can manage network resources and their associated security objects:

• MMC consoles found in Administrative Tools:
– Active Directory Users and Computers
– Active Directory Sites and Services
– Active Directory Domains and Trusts
– ADSI Edit

Page 14: 70 640 Lesson01 Ppt 041009

Fault Tolerance and Redundancy

• Active Directory uses a multimaster domain controller design.

• Changes made on one domain controller are replicated to all other domain controllers in the environment.

• It is recommended to have two or more domain controllers for each domain.

Page 15: 70 640 Lesson01 Ppt 041009

Read-Only Domain Controller (RODC)

• Introduced with Windows Server 2008.

• A domain controller that holds a copy of the ntds.dit file that cannot be modified locally and that does not replicate changes to the other domain controllers in Active Directory.

Page 16: 70 640 Lesson01 Ppt 041009

Simplifying Resource Location

• Allows file and print resources to be published within Active Directory.

• Examples include:
– Shared folders
– Printers

Page 17: 70 640 Lesson01 Ppt 041009

Active Directory Components

• Forests – One or more domain trees, with each tree having its own unique name space.

• Domain trees – One or more domains with contiguous name space.

• Domains – A logical unit of computers and network resources that defines a security boundary.

Page 18: 70 640 Lesson01 Ppt 041009

Active Directory Components

• Common attributes shared by Active Directory objects include:
– Unique name
– Globally unique identifier (GUID)
– Required object attributes
– Optional object attributes

Page 19: 70 640 Lesson01 Ppt 041009

Understanding the Schema

• Defines the objects stored within Active Directory and the properties (attributes) associated with each object.
– A user has different properties than a group, which in turn has different properties than a computer.

Page 20: 70 640 Lesson01 Ppt 041009

Active Directory Naming Standard

• Example:
– cn=JSmith, ou=sales, dc=lucernepublishing, dc=com

Page 21: 70 640 Lesson01 Ppt 041009

Domain Name System (DNS)

• Provides name resolution for a TCP/IP network.
• Active Directory requires DNS as the default name resolution method.

• Example resource records (RR):
– Host (A): host name to IP address.
– Pointer (PTR): IP address to host name.
– Service (SRV): locator service for LDAP/domain controller services.
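As an added example (not part of the original slides), the following Python code ties the naming standard from page 20 to the DNS locator records on page 21: it parses a distinguished name into its RDNs, derives the domain's DNS name from the dc= components, and builds the _ldap._tcp.dc._msdcs SRV name a client would query to find a domain controller. The DNs are constructed sample values, not real directory data.

```python
import re

# Constructed sample DNs (not real directory data). The first is the slide's
# naming example; the second has an escaped comma and two OU levels.
SAMPLE_DN = "cn=JSmith, ou=sales, dc=lucernepublishing, dc=com"
ESCAPED_DN = r"cn=Smith\, John, ou=west, ou=sales, dc=lucernepublishing, dc=com"


def parse_dn(dn):
    """Split a distinguished name into (type, value) pairs, leaf RDN first.

    Only an unescaped comma separates RDNs, so a name such as "Smith\\, John"
    stays one value instead of being mistaken for an extra component.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def dns_domain_from_dn(dn):
    """Join the dc= components in order to get the domain's DNS name."""
    labels = [value for attr_type, value in parse_dn(dn) if attr_type == "dc"]
    if not labels:
        raise ValueError("DN has no dc= components, so no domain can be derived")
    return ".".join(labels)


def dc_locator_srv_name(dn):
    """SRV record a client queries to find a domain controller offering LDAP."""
    return f"_ldap._tcp.dc._msdcs.{dns_domain_from_dn(dn)}"


def container_path(dn):
    """OU containers from the domain root downward, as the ADUC tree shows them.

    RDNs are written leaf-first, so the ou= components are reversed.
    """
    return [value for attr_type, value in parse_dn(dn) if attr_type == "ou"][::-1]


if __name__ == "__main__":
    for dn in (SAMPLE_DN, ESCAPED_DN):
        print(dn)
        print("  domain :", dns_domain_from_dn(dn))
        print("  SRV    :", dc_locator_srv_name(dn))
        print("  path   :", " / ".join(container_path(dn)))
```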

Page 22: 70 640 Lesson01 Ppt 041009

Functional Levels

• Allows interoperability with prior versions of Microsoft Windows.

• Higher functional levels do not allow older versions of Windows to participate, but they add functionality or features.

• Raising functional level is a one-way process.

Page 23: 70 640 Lesson01 Ppt 041009

Domain Functional Levels

Page 24: 70 640 Lesson01 Ppt 041009

Forest Functional Levels

Page 25: 70 640 Lesson01 Ppt 041009

Using Forest Functional Levels

• To raise the functional level of a forest, you must be logged on as a member of the Enterprise Admins group.

• The functional level of a forest can be raised only on a server that holds the Schema Master role.

Page 26: 70 640 Lesson01 Ppt 041009

Trust Relationships

• Active Directory uses trust relationships to allow access between multiple domains and/or forests, either within a single forest or across multiple enterprise networks.

• A trust relationship allows administrators from a particular domain to grant access to their domain’s resources to users in other domains.

Page 27: 70 640 Lesson01 Ppt 041009

Trust Relationships

• When a child domain is created, it automatically receives a two-way transitive trust with its parent domain.

• Trusts are transitive:
– If domain A trusts domain B,
– and domain B trusts domain C,
– then domain A trusts domain C.
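As an added illustration (not part of the original slides), here is a small Python model of the transitivity rule above. The forest is constructed: a root with two child domains joined by the automatic two-way transitive trusts, plus one one-way, non-transitive external trust to a partner domain, which shows where a trust chain stops.

```python
from collections import deque

# Constructed forest for illustration (not real data): a forest root with two
# child domains, plus a one-way non-transitive external trust to a partner.
# Each entry is (trusting_domain, trusted_domain, transitive). A two-way trust
# is two entries, which is what AD creates between a parent and a child.
TRUSTS = [
    ("lucernepublishing.com", "sales.lucernepublishing.com", True),
    ("sales.lucernepublishing.com", "lucernepublishing.com", True),
    ("lucernepublishing.com", "eu.lucernepublishing.com", True),
    ("eu.lucernepublishing.com", "lucernepublishing.com", True),
    # sales trusts partner, but partner does not trust sales back.
    ("sales.lucernepublishing.com", "partner.example", False),
]


def trusted_domains(start, trusts=TRUSTS):
    """Domains whose users can be granted access to resources in `start`.

    A direct trust counts whatever its type. A longer chain (A trusts B,
    B trusts C, so A trusts C) is followed only through transitive trusts;
    a non-transitive trust never carries a third domain along.
    """
    direct = {trusted for trusting, trusted, _ in trusts if trusting == start}
    via_transitive = {}
    for trusting, trusted, transitive in trusts:
        if transitive:
            via_transitive.setdefault(trusting, []).append(trusted)
    seen = set(via_transitive.get(start, []))
    queue = deque(seen)
    while queue:
        domain = queue.popleft()
        for nxt in via_transitive.get(domain, []):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return (direct | seen) - {start}


def trusts_domain(trusting, trusted, trusts=TRUSTS):
    """True if users from `trusted` can be granted access in `trusting`."""
    return trusted in trusted_domains(trusting, trusts)


if __name__ == "__main__":
    for domain in sorted({d for t in TRUSTS for d in t[:2]}):
        print(f"{domain} trusts: {sorted(trusted_domains(domain)) or 'nobody'}")
```

Listing every domain a given domain ends up trusting, including the indirect ones, is the check an administrator wants before granting access across a trust path.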

Page 28: 70 640 Lesson01 Ppt 041009

Chapter Summary

• Active Directory is a database of objects that are used to organize resources according to a logical plan.
– These objects include containers such as domains and OUs in addition to resources such as users, computers, and printers.

• The Active Directory schema includes definitions of all objects and attributes within a single forest.
– Each forest maintains its own Active Directory schema.

Page 29: 70 640 Lesson01 Ppt 041009

Chapter Summary

• Active Directory requires DNS to support SRV records.
– Microsoft recommends that DNS support dynamic updates.

Page 30: 70 640 Lesson01 Ppt 041009

Chapter Summary

• Domain and forest functional levels are new features of Windows Server 2008.
– The levels defined for each of these are based on the type of server operating systems that are required by the Active Directory design.

– The Windows Server 2003 forest functional level is the highest functional level available and includes support for all Windows Server 2003 features.

Page 31: 70 640 Lesson01 Ppt 041009

Chapter Summary

• Two-way transitive trusts are automatically generated within the Active Directory domain structure.
– Parent and child domains form the trust path by which all domains in the forest can traverse to locate resources.

– The ISTG is responsible for this process.

Page 32: 70 640 Lesson01 Ppt 041009

Chapter Summary

• Cross-forest trusts are new to Windows Server 2003, and they are only available when the forest functional level is set to Windows Server 2003.
– They must be manually created and maintained.