Chapter 11: Directory Services

Directory services by SAJID

Page 1: Directory services by SAJID

Directory Services

• A directory service is a database that contains information about all objects on the network.

• Directory services contain data and metadata.

• Metadata is information about data.

For example: A user account is data. Metadata specifies what information is included in every user account object.


Directory Services

• Information within directories is organized hierarchically. This means that there is a strict set of rules as to where certain data is located within the directory, based on the properties of that data.

• Unlike relational (SQL) databases, where information is read and written often, information is usually only read from a directory service and rarely written to it.

For example: User account data changes very little once it has been entered.


Early Directory Services

• The first directory service was developed at PARC and was called Grapevine.

• X.500 was developed as a directory service standard by the ISO and CCITT.

• Although X.500 was developed as a comprehensive standard, as with the OSI model, it was not widely deployed on real-world LANs.

• X.500 formed the basis of a standard that is widely deployed known as LDAP.

• Some X.500 conventions are used in Active Directory and eDirectory.


LDAP

• Stands for Lightweight Directory Access Protocol.

• LDAP is a scaled-down implementation of the X.500 standard.

• Active Directory and eDirectory are based on LDAP.

• Netscape’s Directory Server was the first widely deployed implementation of LDAP. It was used primarily for enterprise calendaring and contact management. Netscape’s product was not used for network management.

• Most LDAP directories use a single master method of replication. Changes are made to the master databases and then propagated out to subordinate databases. The disadvantage of this scheme is that it has a single point of failure.

• Objects within an LDAP directory are referenced using the object’s DN (Distinguished Name). The DN consists of the RDN (Relative Distinguished Name) appended with the names of ancestor entries.


LDAP II

RDN of the user object in the figure is cn=ccarpenter.

DN of the user object in the figure is cn=ccarpenter,ou=mn,o=emcp,c=us.


Novell eDirectory

• eDirectory is a partitioned and loosely replicated directory service.

• eDirectory can be used to manage multiple operating systems.

• The two primary components of eDirectory are database partitions and database replicas.

• Partitions are sectioned off according to location. The partition is hosted on a server local to that location. The primary benefit of this is that authentication is localized.


Novell eDirectory

Database replicas are copies of partitions. There are several different types of replicas.

• Master replica: First copy of the partition.

• Read-write replica: Can be used to authenticate and make changes to objects. Used for redundancy purposes.

• Read-only replica: Can be used to locate information, but not to change objects.

• Subordinate reference: Special replica created automatically. Used as a pointer to a target replica.


eDirectory Objects

Object                 Description
country                two-letter country code
locality               city or state
organization           top-level container in the tree
organizational unit    container object, used to represent a department
root                   top level of the tree

Container objects are used to organize other objects within the directory.

For example: You might place all of the accountant user objects within the accountants organizational unit.

In eDirectory, a DN finishes at the organization level. Objects are separated by periods. An accountant at EMCP with a user account named dmorgan would have the DN .cn=dmorgan.ou=accountants.o=emcp.


Active Directory

• Active Directory is an implementation of LDAP that uses multimaster replication.

• Active Directory runs on Windows Server 2003 and Windows 2000 Server on special computers known as domain controllers.

• Active Directory can be used to manage almost every aspect of a Windows Server 2003 network.

• Active Directory can also be used as a type of phonebook.

For example, you could query Active Directory to locate all users located on the 2nd floor of a building. Alternatively, you could locate all color printers at a particular location.

• Any domain controller can process directory updates.

• Replication uses the RPC protocol for servers on the same LAN and the SMTP protocol for servers located across WAN links.


Active Directory Components

Domain. All user accounts within a domain share a common password policy. Different password policies require separate domains.

Site. Used to represent a single physical location within Active Directory.

Organizational Unit (OU). Can be used to represent organizational hierarchy. An OU can contain other OUs.

Group Policy Object (GPO). Collection of policies that can be applied to domains, sites, and OUs.

Forest. Collection of domains with common schema.

Tree. Collection of domains with common namespace.


GPO and Delegation

• Control of a particular OU can be delegated.

For example: You could allow a certain user to administer all of the accountants’ user accounts, without allowing them to administer anyone else’s account.

• GPOs can be applied to sites, domains, and OUs.

• GPOs can be used to install software or to configure user environment settings.

For example: You could install Microsoft Word at a particular location by creating a GPO that installs Word and applying it to that location’s site. Alternatively, if you applied that same GPO to the domain, all users would have Word installed. If you applied that GPO to an OU instead, only users within that OU would have Word installed.


Active Directory Naming

• Active Directory naming is similar to LDAP and eDirectory naming, though it has a slightly different format.

• A user named Orin Thomas located within the Engineers OU in the melbourne.emcp.com domain of a Windows Server 2003 network would have the DN:

CN=Orin Thomas,OU=Engineers,DC=Melbourne,DC=EMCP,DC=COM
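The three DN formats shown in this chapter (LDAP's comma-separated form from the LDAP II slide, eDirectory's dotted form, and Active Directory's DC= form above) follow the same rule: the RDN first, then each ancestor up to the root. The following Python is an added example, not code from the slides, that builds DNs in each format and splits an LDAP/AD DN back into its components. It uses the slides' own names (ccarpenter, dmorgan, Orin Thomas); the value "Thomas, Orin" is constructed to show why a comma inside an RDN value must be escaped, since an unescaped one is read as the start of a new component.

```python
# Added example (not from the slides): building and splitting distinguished
# names in the three formats the chapter shows.  The sample names are the
# slides' own; "Thomas, Orin" is a constructed value used to show escaping.

# Characters that must be escaped inside an LDAP or AD RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value so it can be embedded in an RDN without being read as a
    component separator, a multi-valued RDN, or a new attribute."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")      # leading/trailing spaces must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")      # a leading '#' would mean a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def build_ldap_dn(rdn, ancestors):
    """LDAP style: RDN first, then each ancestor entry up to the root,
    comma-separated (cn=ccarpenter,ou=mn,o=emcp,c=us)."""
    parts = [rdn] + list(ancestors)
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in parts)


def build_ad_dn(cn, ous, dns_domain):
    """Active Directory style: OU components followed by one DC= component
    per label of the DNS domain name."""
    ancestors = [("OU", ou) for ou in ous]
    ancestors += [("DC", label) for label in dns_domain.split(".")]
    return build_ldap_dn(("CN", cn), ancestors)


def build_edirectory_dn(rdn, ancestors):
    """eDirectory style: leading dot, components separated by periods,
    ending at the organization (.cn=dmorgan.ou=accountants.o=emcp)."""
    parts = [rdn] + list(ancestors)
    return "." + ".".join(f"{attr}={val}" for attr, val in parts)


def split_dn(dn):
    """Split an LDAP/AD DN into (attribute, value) pairs.  A backslash
    escapes the next character, so an escaped comma inside a value does not
    start a new component; the returned values are unescaped."""
    components, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    pairs = []
    for comp in components:
        attr, _, val = comp.partition("=")
        pairs.append((attr.strip(), val))
    return pairs


def rdn_of(dn):
    """The RDN is the first (most specific) component of the DN."""
    attr, val = split_dn(dn)[0]
    return f"{attr}={val}"


if __name__ == "__main__":
    print(build_ldap_dn(("cn", "ccarpenter"), [("ou", "mn"), ("o", "emcp"), ("c", "us")]))
    print(build_edirectory_dn(("cn", "dmorgan"), [("ou", "accountants"), ("o", "emcp")]))
    dn = build_ad_dn("Thomas, Orin", ["Engineers"], "melbourne.emcp.com")
    print(dn)
    print(split_dn(dn))
```

The practical point for anyone writing the scripts mentioned on the next slide: a DN assembled from a display name without escaping is not just malformed, it changes which object the string refers to, so build DNs from attribute/value pairs and escape the values rather than concatenating strings.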

• DNs are often used in scripts that query information from the Active Directory database.

• As an administrator you might write a script that queries the database to determine which users have not logged on to the network in the last six months.
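The six-month query above is a standard stale-account check, and the awkward part is the timestamp format rather than the LDAP syntax. The following Python is an added example, not the slides' own script: it builds the LDAP search filter for enabled user accounts whose lastLogonTimestamp is older than the cutoff (or missing entirely), and applies the same test to a few constructed sample entries. It assumes a month of 30 days, uses a fixed "now" so the results are reproducible, and the entries and timestamps are made up for the demonstration; the attribute names (lastLogonTimestamp, userAccountControl, sAMAccountName) and the bitwise-AND matching rule OID are real Active Directory identifiers.

```python
# Added example (not from the slides): building the LDAP filter for "users
# who have not logged on in the last six months" and applying the same test
# to constructed sample entries.  Assumptions: a month is approximated as
# 30 days, and the entries below are made up for the demonstration.
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogonTimestamp as a Windows FILETIME: the
# number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2                       # userAccountControl flag
BIT_AND_RULE = "1.2.840.113556.1.4.803"    # AD's bitwise-AND matching rule OID
DAYS_PER_MONTH = 30                        # assumption used for the cutoff

# Fixed "now" so the sample data and the expected results are reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer (integer
    arithmetic only, so the conversion is exact)."""
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def from_filetime(filetime: int) -> datetime:
    """Inverse of to_filetime (sub-microsecond precision is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def cutoff_filetime(now: datetime, months: int = 6) -> int:
    """FILETIME value of the oldest logon that still counts as recent."""
    return to_filetime(now - timedelta(days=DAYS_PER_MONTH * months))


def stale_user_filter(now: datetime, months: int = 6) -> str:
    """LDAP search filter for enabled user accounts whose last logon is older
    than the cutoff, or that have no lastLogonTimestamp at all (a plain <=
    comparison would silently skip accounts that never logged on)."""
    cutoff = cutoff_filetime(now, months)
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
        f"(|(lastLogonTimestamp<={cutoff})(!(lastLogonTimestamp=*))))"
    )


def is_stale(entry: dict, now: datetime, months: int = 6) -> bool:
    """Same decision as the filter, evaluated locally on one entry."""
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return False                        # disabled accounts are excluded
    last = entry.get("lastLogonTimestamp")
    if last is None:
        return True                         # never logged on
    return last <= cutoff_filetime(now, months)


def find_stale_accounts(entries, now: datetime, months: int = 6) -> list:
    """sAMAccountNames of the entries the filter would return."""
    return [e["sAMAccountName"] for e in entries if is_stale(e, now, months)]


# Constructed sample entries (not real accounts); lastLogonTimestamp is a
# FILETIME relative to NOW.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "othomas", "userAccountControl": 512,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "dmorgan", "userAccountControl": 512,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "ccarpenter", "userAccountControl": 514,      # disabled
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "newhire", "userAccountControl": 512},         # never logged on
]


if __name__ == "__main__":
    print(stale_user_filter(NOW))
    print(find_stale_accounts(SAMPLE_ENTRIES, NOW))
```

Two caveats worth knowing before acting on the output. lastLogonTimestamp is the attribute to use for a domain-wide query because it replicates between domain controllers (the older lastLogon attribute is kept per controller), but it is only refreshed when the stored value is about two weeks old, so it can understate how recently an account was used by roughly that much. And accounts with no value at all are reported separately in the filter above because they never logged on since the attribute existed; they deserve review rather than being silently skipped.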


Summary

• A directory service is a database that contains information about all objects on the network.

• LDAP is a scaled-down implementation of the X.500 standard.

• eDirectory is a partitioned and loosely replicated directory service.

• eDirectory partitions are sectioned off according to location.

• eDirectory database replicas are copies of partitions.

• Active Directory uses multimaster replication.

• Active Directory can be used to manage almost every aspect of a Windows Server 2003 network and as a type of phonebook.


Discussion Questions

What is the difference between an Active Directory site and domain?

What is the difference between an eDirectory partition and replica?

Discuss why you would apply one GPO to a domain and another GPO to an OU.

Which Directory Service can be used to manage multiple operating systems?

What weakness exists in the LDAP replication method?