AD: Is a centralized database where it contains the information about the objects like users,
groups, computers, printers etc.
AD is a centralized hierarchical Directory Database.
AD is a searchable Database.
2003 O/S. when installed (gets installed as a stand alone server) to promoting to
to install A.D.
Domain Controller (D.C.)
A server where A.D. is installed is called D.C.
Functionality of A.D.:
Using A.D. we can organize, manage and control resources.
It provides single point of administration.
Purpose of A.D.:
1. Provides user logon authentication services.
2. To organize and manage user A/Cs, computers, groups and n/w resources.
3. Enables authorized users to easily locate n/w resources.
Features of A.D.:
1. Fully integrated security system with the help of Kerberos.
2. Easy administration using group policy.
3. Scalable to any size n/w
4. Flexible (install/uninstall)
5. Extensible (modify the schema)
New features in 2003
6. Rename computer name & Domain names.
7. Cross –forest trust relationship.
8. Site-to-Site replication is faster.
Evolution of LDAP:
Earlier we had no database standard; hence TTU & ISO introduced X-500
LDAP (Light Weight Directory Access Protocol): It is an industry standard directory access protocol used for querying and providing communication among the objects in A.D.
It is directory access protocol.
It runs on the port no. 389.
DAP: It is based on OSI model.
LDAP: Is based on TCP/IP model
Tools used for:
Active Directory Domains and Trusts: Implementing trusts
Raising domain/forest functional levels
Adding user logon suffixes
Active Directory Sites and Services: Configuring intrasite/intersite replication, Configuring global catalog, Creation of sites, site links, subnets. ,Scheduling replication
Active Directory Users and Computers: Managing users/groups
Managing computers.
Managing OUs
Managing Group Policy (Domain Level)
Managing Operations masters.
Raising domain functional level.
Domain controller security policy:
Set account, audit and password policies
Set user rights Permissions or policies Pertains only to the DC where you set.
Domain security policy:
Set account, audit and password policies
Set user rights Permissions or policies pertain to the DC as well as to all the domains within.
ADC is a back up for DC
ADC maintains a back up copy of A.D., which will be in read only format.
ADCs provide fault tolerance & load balancing. There can be any no. of ADCs for a DC. ADCs should be placed and maintained offsite away from the DC.
ADC maintains same domain name.
Verifying whether the server is configured as DC or ADC.
Start>run>cmd>net accounts
For DC we will find “primary”
For ADC we will find “Backup”
ACTIVE DIRECTORY COMPONENTS
LOGICAL STRUCTURE PHYSICAL STRUCTURE
Domains Sites
Trees Domain controllers
Forest
Organizational units
A.D. Components:
• Logical structure is useful for organizing the network.
• Logical components cannot be seen
• Physical structure is useful for representing our organization for developing the
organizational structure.
• It reflects the organization (mirrors)
• Physical structure can be seen. Ex. Site – India, US, UK etc.
TREE:
A tree is a group of domains which share contiguous name space.
If more than one domain exits we can combine the multiple domains into hierarchical tree structures.
The first domain created is the root domain of the first tree.
Additional domains in the same domain tree are child domains.
A domain immediately above another domain in the same domain tree is its parent.
FOREST:
Multiple domain trees within a single forest do not form a contiguous namespace. I.e. they have non-contiguous DNS domain names
Although trees in a forest do not share a name space, a forest does have a single root domain, called the forest root domain
The forest root domain is, by definition, the first domain created in the forest.
The two forest wide predefined groups – Enterprise.
Administrators and schema administrators reside in this domain.
Physical structure
SITES:
Site is a combination of TCP/IP, subnets, connected with high-speed links.
Sites provide replication
There are 2 types of replications
1. Intrasite replication
2. Intersite replication
Intrasite Replication: It is a replication with in the same site. It offers full time replication between DC & ADC when they are within the same site.
Intersite Replication: It is a replication between two different sites.
Intersite replication is implemented when the sites are away from each other.
-It requires a site link
-Site link is a logical connection between sites, which can be created & scheduled.
-Site link offers communication only at scheduled intervals.
Implementing sites:
Forceful replication:
On DC
Start >programs> admin tools > ADSS > expand sites > default first site>servers
>Expand DC server > NTDS settings >right click on automatically generated>replicate now>ok.
Repeat the same for DC & ADC
Creating a site:
Open ADSS>Right click on sites>New site>Site name (e.g. UK, US)
Select default site link>Ok
Moving ADC into another site:
Select ADC>Right click on ADC>Select move>Select site.
Creating a Site link:
Expand inter site transports>Right click on IP>Select new site link
Link name (ex. Link US –UK)
Scheduling a site link:
Expand inter site transport>IP>Double click on site link>Change schedule
Click on replication not available>set the timings>click on replication available.
KCC: (Knowledge Consistency Checker): It is a service of A.D., which is responsible for intimating,
or updating the changes made either in DC or ADC.
Active Directory is saved in a file called NTDS.DIT
C:\windows\ntds\ntds.dit
NTDS.DIT - New Technology Directory Services. Directory Information Tree
It is a file logically divided into four partitions.
1. Schema partition
2. Configuration partition
3. Domain partition
4. Application partition
It is a set of rules schema defines AD, it is of 2 parts classes & attributes.
Ad is constructed with the help of classes and attributes.
. Schema: Logical partition in AD database “template” for AD database.
• Forms the database structures in which data is stored.
• Extensible
• Dynamic
Protect by ACL (Access Control Lists) DACL’s and SACL’s (Directory&System
ACL’s)
One schema for AD forest.
Collection of objects is called class.
Piece of information about the object is called attribute.
Configuration Partition: Logical partition in AD database.
• “map” of AD implementation
• Contains information used for replication logon searches.
• Domains
• Trust relationships
• Sites& site links
• Subnets
• Domain controller locations.
. Domain Partition:
• Logical partition in AD database.
• Collections of users, computers, groups etc.
• Units of replication.
• Domain controllers in a domain replicate with each other and contain a full copy of the
domain partition for their domain.
• DCs do not replicate domain partition information for other domains
Application Partition:
• It is a newly added partition in win2003. It can be added or removed
• It can be replicated only to the specified DCs.
• Useful when we are using AD integrated services like DNS, TAPI services etc..
FSMO roles: (Flexible Single Master Operations):
Forest wide Master Operation
1. Schema master
2.Domain Naming master
Domain wide master operation
3. PDC emulator
4. RID master
5. Infrastructure master
Schema Master:
Responsible for overall management of the entire schema in a forest.
The first DC installed acts as a schema master in the entire forest.
There can be only one schema master in the entire forest
Domain Naming Master:
Responsible for addition /removal of domains.
It maintains the uniqueness of domain names.
There can be only one DNM in the entire forest.
PDC emulator:
PDC provides backward compatibility for existing NT BDCs and workstations. (If it is running in
mixed mode)
PDC updates the password changes made by the users.
It is also responsible for synchronizing the time.
There can be only one PDC emulator per domain.
RID master:
Responsible for assigning unique IDs to the objects created in the domain.
There can be only one RID master per domain
SID – Security Identifier it maintains a access control list. It is divided into two
1. DID (Domain Identifier)
2. RID (Relative Identifier)
parts.
For knowing the SID of the user
>Start>run>cmd> who am I /user
Infrastructure master:
Responsible for maintaining the updates made to the user & group membership. It also maintains universal group membership.
There can be only one infrastructure master per domain
The term flexibility means we can transfer any of the 5 roles from DC to ADC.
Transfer of Roles
We can transfer the roles for some temporary maintenance issues on to ADC and again we can transfer back the roles onto DC.
We can transfer the roles in two ways
1. Command mode
2. Graphical mode
GLOBAL CATALOG
It is a service responsible for maintaining information about the objects and serving the requests made by the users by providing the location of the object. Global Catalog runs on the port number 3268.
All types of queries are first heard on this port number and forward the query to port no.389
(LDAP’s).Maintains the complete information about the objects within the same domain and partial
information about other domains.
GC communicates to infrastructure master.
If DC & ADC are located in the same location only one GC is enough.
If the DC&ADC are located remotely to avoid network traffic we need to configure ADC as GC Infrastructure master contacts global catalog for obtaining the updates about user & group
membership and universal group membership.
The primary functions of GC is to maintain universal group membership information, to easily locate the objects with in the AD.:
Configuring a Global catalog server.
Either on ADC or on Child DC
>Start >program>admin tools> ADSS> expand sites >default first site>server>
On NTDS right click> properties>check the box Global Catalog.
Installing Child DC:
Requirements:
Parent DC
Member server or stand alone server
Static IP
DNS
NTFS volume with 250 MB of free HDD space
Functional Levels:
1. Domain Functional Level:
A) Windows 2000 mixed
B) Windows 2000 native
C) Interim
D) Windows 2003 server
2. Forest Functional Level:
a) Windows 2000 mixed
b) Interim
c) Windows 2003 server.
Windows 2000 mixed:
By default when we install 2000 or 2003 o/s it gets installed in win 2000 mixed mode. This mode supports older versions of win2003. We can add NT, 2000 flavors in 2003 networks.
Windows 2000 native:
It supports only 2000 and 2003; Native mode can have 2000&2003 flavors only.
Interim:
This mode can have NT and 2003. Useful when we upgrade NT to 2003
Windows 2003 server:
This mode supports only 2003 server family.
We can’t join NT/2000 domains.
Types of Trusts:
Trust relationships in Windows server2003:
Default two way transitive Kerberos trusts (intra forest)
Shortcut – one or two away transitive Kerberos trusts (intraforest)
Reduce authentication requests
Forest-one or two way- transitive Kerberos trusts.
WS2003 forests WIN 2000 does not support forest trusts
> Only between forest roots
>Creates transitive domain relationships.
External – one way non-transitive NTLM trusts.
Used to connect to /from win NT or external 2000 domains.- manually created.
Realm – one or two way non-transitive Kerberos trusts.
Connect to /from UNIX MT Kerberos realm.
Establishing Trusts:
The Domain where we have user accounts is called trusted domain.
The domain where we have resource is called trusting domain.
Trust between parent and child is two way transitive trusts.
Ex; A trusts B, automatically B trusts A this is a two way trust.
Trust between parent and Grandchild domain is called implicit trust.
One-way trust or Non-transitive Trust: A trusts B, but B doesn’t trust A.
Transitive trust (2 ways):
If A trusts B, B automatically trusts A
One way incoming trust:
It means A is getting the resources from B and B is offering the resources.
One way out going trust:
A is offering resources to B and B is getting resources from A
Benefits of Domain Functional Level:
Win 2003 server Level:
The moment we raise the functional level, form mixed mode to win 2003 mode we get the following benefits.
Universal groups
Group nesting
Domain renaming tools
User Management:
User Account: User A/Cs is useful for assigning to the user to participate in the network.
There are two types of accounts
Domain User Accounts
Local User Accounts
1. Domain User Accounts: These are created in the AD and they proved centralized management of users besides easy administration.
2. Local User Accounts: These can be created on the Local machines where the client works. Ex.
2000 prof. XP prof. < win2003 member server etc.
These accounts do not provide centralized management.
Suitable only for smaller organizations where there is no server.
groups, computers, printers etc.
AD is a centralized hierarchical Directory Database.
AD is a searchable Database.
2003 O/S. when installed (gets installed as a stand alone server) to promoting to
to install A.D.
Domain Controller (D.C.)
A server where A.D. is installed is called D.C.
Functionality of A.D.:
Using A.D. we can organize, manage and control resources.
It provides single point of administration.
Purpose of A.D.:
1. Provides user logon authentication services.
2. To organize and manage user A/Cs, computers, groups and n/w resources.
3. Enables authorized users to easily locate n/w resources.
Features of A.D.:
1. Fully integrated security system with the help of Kerberos.
2. Easy administration using group policy.
3. Scalable to any size n/w
4. Flexible (install/uninstall)
5. Extensible (modify the schema)
New features in 2003
6. Rename computer name & Domain names.
7. Cross –forest trust relationship.
8. Site-to-Site replication is faster.
Evolution of LDAP:
Earlier we had no database standard; hence TTU & ISO introduced X-500
LDAP (Light Weight Directory Access Protocol): It is an industry standard directory access protocol used for querying and providing communication among the objects in A.D.
It is directory access protocol.
It runs on the port no. 389.
DAP: It is based on OSI model.
LDAP: Is based on TCP/IP model
Tools used for:
Active Directory Domains and Trusts: Implementing trusts
Raising domain/forest functional levels
Adding user logon suffixes
Active Directory Sites and Services: Configuring intrasite/intersite replication, Configuring global catalog, Creation of sites, site links, subnets. ,Scheduling replication
Active Directory Users and Computers: Managing users/groups
Managing computers.
Managing OUs
Managing Group Policy (Domain Level)
Managing Operations masters.
Raising domain functional level.
Domain controller security policy:
Set account, audit and password policies
Set user rights Permissions or policies Pertains only to the DC where you set.
Domain security policy:
Set account, audit and password policies
Set user rights Permissions or policies pertain to the DC as well as to all the domains within.
ADC is a back up for DC
ADC maintains a back up copy of A.D., which will be in read only format.
ADCs provide fault tolerance & load balancing. There can be any no. of ADCs for a DC. ADCs should be placed and maintained offsite away from the DC.
ADC maintains same domain name.
Verifying whether the server is configured as DC or ADC.
Start>run>cmd>net accounts
For DC we will find “primary”
For ADC we will find “Backup”
ACTIVE DIRECTORY COMPONENTS
LOGICAL STRUCTURE PHYSICAL STRUCTURE
Domains Sites
Trees Domain controllers
Forest
Organizational units
A.D. Components:
• Logical structure is useful for organizing the network.
• Logical components cannot be seen
• Physical structure is useful for representing our organization for developing the
organizational structure.
• It reflects the organization (mirrors)
• Physical structure can be seen. Ex. Site – India, US, UK etc.
TREE:
A tree is a group of domains which share contiguous name space.
If more than one domain exits we can combine the multiple domains into hierarchical tree structures.
The first domain created is the root domain of the first tree.
Additional domains in the same domain tree are child domains.
A domain immediately above another domain in the same domain tree is its parent.
FOREST:
Multiple domain trees within a single forest do not form a contiguous namespace. I.e. they have non-contiguous DNS domain names
Although trees in a forest do not share a name space, a forest does have a single root domain, called the forest root domain
The forest root domain is, by definition, the first domain created in the forest.
The two forest wide predefined groups – Enterprise.
Administrators and schema administrators reside in this domain.
Physical structure
SITES:
Site is a combination of TCP/IP, subnets, connected with high-speed links.
Sites provide replication
There are 2 types of replications
1. Intrasite replication
2. Intersite replication
Intrasite Replication: It is a replication with in the same site. It offers full time replication between DC & ADC when they are within the same site.
Intersite Replication: It is a replication between two different sites.
Intersite replication is implemented when the sites are away from each other.
-It requires a site link
-Site link is a logical connection between sites, which can be created & scheduled.
-Site link offers communication only at scheduled intervals.
Implementing sites:
Forceful replication:
On DC
Start >programs> admin tools > ADSS > expand sites > default first site>servers
>Expand DC server > NTDS settings >right click on automatically generated>replicate now>ok.
Repeat the same for DC & ADC
Creating a site:
Open ADSS>Right click on sites>New site>Site name (e.g. UK, US)
Select default site link>Ok
Moving ADC into another site:
Select ADC>Right click on ADC>Select move>Select site.
Creating a Site link:
Expand inter site transports>Right click on IP>Select new site link
Link name (ex. Link US –UK)
Scheduling a site link:
Expand inter site transport>IP>Double click on site link>Change schedule
Click on replication not available>set the timings>click on replication available.
KCC: (Knowledge Consistency Checker): It is a service of A.D., which is responsible for intimating,
or updating the changes made either in DC or ADC.
Active Directory is saved in a file called NTDS.DIT
C:\windows\ntds\ntds.dit
NTDS.DIT - New Technology Directory Services. Directory Information Tree
It is a file logically divided into four partitions.
1. Schema partition
2. Configuration partition
3. Domain partition
4. Application partition
It is a set of rules schema defines AD, it is of 2 parts classes & attributes.
Ad is constructed with the help of classes and attributes.
. Schema: Logical partition in AD database “template” for AD database.
• Forms the database structures in which data is stored.
• Extensible
• Dynamic
Protect by ACL (Access Control Lists) DACL’s and SACL’s (Directory&System
ACL’s)
One schema for AD forest.
Collection of objects is called class.
Piece of information about the object is called attribute.
Configuration Partition: Logical partition in AD database.
• “map” of AD implementation
• Contains information used for replication logon searches.
• Domains
• Trust relationships
• Sites& site links
• Subnets
• Domain controller locations.
. Domain Partition:
• Logical partition in AD database.
• Collections of users, computers, groups etc.
• Units of replication.
• Domain controllers in a domain replicate with each other and contain a full copy of the
domain partition for their domain.
• DCs do not replicate domain partition information for other domains
Application Partition:
• It is a newly added partition in win2003. It can be added or removed
• It can be replicated only to the specified DCs.
• Useful when we are using AD integrated services like DNS, TAPI services etc..
FSMO roles: (Flexible Single Master Operations):
Forest wide Master Operation
1. Schema master
2.Domain Naming master
Domain wide master operation
3. PDC emulator
4. RID master
5. Infrastructure master
Schema Master:
Responsible for overall management of the entire schema in a forest.
The first DC installed acts as a schema master in the entire forest.
There can be only one schema master in the entire forest
Domain Naming Master:
Responsible for addition /removal of domains.
It maintains the uniqueness of domain names.
There can be only one DNM in the entire forest.
PDC emulator:
PDC provides backward compatibility for existing NT BDCs and workstations. (If it is running in
mixed mode)
PDC updates the password changes made by the users.
It is also responsible for synchronizing the time.
There can be only one PDC emulator per domain.
RID master:
Responsible for assigning unique IDs to the objects created in the domain.
There can be only one RID master per domain
SID – Security Identifier it maintains a access control list. It is divided into two
1. DID (Domain Identifier)
2. RID (Relative Identifier)
parts.
For knowing the SID of the user
>Start>run>cmd> who am I /user
Infrastructure master:
Responsible for maintaining the updates made to the user & group membership. It also maintains universal group membership.
There can be only one infrastructure master per domain
The term flexibility means we can transfer any of the 5 roles from DC to ADC.
Transfer of Roles
We can transfer the roles for some temporary maintenance issues on to ADC and again we can transfer back the roles onto DC.
We can transfer the roles in two ways
1. Command mode
2. Graphical mode
GLOBAL CATALOG
It is a service responsible for maintaining information about the objects and serving the requests made by the users by providing the location of the object. Global Catalog runs on the port number 3268.
All types of queries are first heard on this port number and forward the query to port no.389
(LDAP’s).Maintains the complete information about the objects within the same domain and partial
information about other domains.
GC communicates to infrastructure master.
If DC & ADC are located in the same location only one GC is enough.
If the DC&ADC are located remotely to avoid network traffic we need to configure ADC as GC Infrastructure master contacts global catalog for obtaining the updates about user & group
membership and universal group membership.
The primary functions of GC is to maintain universal group membership information, to easily locate the objects with in the AD.:
Configuring a Global catalog server.
Either on ADC or on Child DC
>Start >program>admin tools> ADSS> expand sites >default first site>server>
On NTDS right click> properties>check the box Global Catalog.
Installing Child DC:
Requirements:
Parent DC
Member server or stand alone server
Static IP
DNS
NTFS volume with 250 MB of free HDD space
Functional Levels:
1. Domain Functional Level:
A) Windows 2000 mixed
B) Windows 2000 native
C) Interim
D) Windows 2003 server
2. Forest Functional Level:
a) Windows 2000 mixed
b) Interim
c) Windows 2003 server.
Windows 2000 mixed:
By default when we install 2000 or 2003 o/s it gets installed in win 2000 mixed mode. This mode supports older versions of win2003. We can add NT, 2000 flavors in 2003 networks.
Windows 2000 native:
It supports only 2000 and 2003; Native mode can have 2000&2003 flavors only.
Interim:
This mode can have NT and 2003. Useful when we upgrade NT to 2003
Windows 2003 server:
This mode supports only 2003 server family.
We can’t join NT/2000 domains.
Types of Trusts:
Trust relationships in Windows server2003:
Default two way transitive Kerberos trusts (intra forest)
Shortcut – one or two away transitive Kerberos trusts (intraforest)
Reduce authentication requests
Forest-one or two way- transitive Kerberos trusts.
WS2003 forests WIN 2000 does not support forest trusts
> Only between forest roots
>Creates transitive domain relationships.
External – one way non-transitive NTLM trusts.
Used to connect to /from win NT or external 2000 domains.- manually created.
Realm – one or two way non-transitive Kerberos trusts.
Connect to /from UNIX MT Kerberos realm.
Establishing Trusts:
The Domain where we have user accounts is called trusted domain.
The domain where we have resource is called trusting domain.
Trust between parent and child is two way transitive trusts.
Ex; A trusts B, automatically B trusts A this is a two way trust.
Trust between parent and Grandchild domain is called implicit trust.
One-way trust or Non-transitive Trust: A trusts B, but B doesn’t trust A.
Transitive trust (2 ways):
If A trusts B, B automatically trusts A
One way incoming trust:
It means A is getting the resources from B and B is offering the resources.
One way out going trust:
A is offering resources to B and B is getting resources from A
Benefits of Domain Functional Level:
Win 2003 server Level:
The moment we raise the functional level, form mixed mode to win 2003 mode we get the following benefits.
Universal groups
Group nesting
Domain renaming tools
User Management:
User Account: User A/Cs is useful for assigning to the user to participate in the network.
There are two types of accounts
Domain User Accounts
Local User Accounts
1. Domain User Accounts: These are created in the AD and they proved centralized management of users besides easy administration.
2. Local User Accounts: These can be created on the Local machines where the client works. Ex.
2000 prof. XP prof. < win2003 member server etc.
These accounts do not provide centralized management.
Suitable only for smaller organizations where there is no server.
No comments:
Post a Comment