AD Presentation

Transcript AD Presentation

Active Directory
by Jörg Bänder and Steffen Diehl

What is Active Directory?
• AD is a storage for IT master data
• It is a place to:
  • Search for IT master data
  • Manage IT master data decentrally (delegation of administration)
  • Back up IT master data centrally
• Windows 2000 Directory Services = IT master data storage = Active Directory

Windows 2000 Active Directory
• Windows Users
  • Account info
  • Privileges
  • Profiles
  • Policy
• Windows Clients
  • Management profile
  • Network info
  • Policy
• Windows Servers
  • Management profile
  • Network info
  • Services
  • Printers
  • File shares
  • Policy
• Active Directory, a focal point for:
  • Manageability
  • Security
  • Interoperability
Active Directory provides a focal point for management, security, and interoperability.

How is AD installed?
• Active Directory needs dynamic DNS!
• Use dcpromo to create your first domain controller (DC) and create a domain
• The DC has a complete read/write copy of the AD for this new domain
• Information is stored in the sysvol folder and the ntds.dit file

Types of Servers
• A Windows NT 4.0 server can be a:
  • Primary domain controller (PDC)
  • Backup domain controller (BDC)
  • Member server
• A Windows 2000 Server is either a domain controller or a member server
  • Domain controllers (DC) have a replica of the directory database, member servers do not
  • A DC can also be a Global Catalog (GC) server

Logical Structure of AD
Terms:
• Forest (overall structure)
• Tree (structure, domain tree)
• Domain (domain)
• Organisational Unit (unit of administration, OU)

Forests = Grouped Domains
• Domains with contiguous Domain Name System (DNS) names can be grouped into a domain tree
• Roots of each tree within a forest have a discontinuous namespace
Diagram (two trees in one forest): contoso123.com with the child domains partner.contoso123.com and asia.contoso123.com; nwtrader123.com with the child domain sales.nwtrader123.com

Forests
A joint set of domain trees that:
• Share a single schema
• Share a single configuration (sites, etc.)
• Share the same Global Catalog
• Are automatically connected by transitive trusts
• Are overseen by the Enterprise Admins group
• Are represented by a Global Catalog
• Have different namespaces in the trees

Domain Tree
• More than one domain sharing the same root namespace
• Hierarchically arranged domains created by parent-child relationships
• Users can search for all information within the domain tree
• Bidirectional Kerberos trust to the parent domain

Trusts
10 domains:
• AD: 9 trusts (one transitive parent-child trust per child domain, n-1)
• NT4: 90 (!) (non-transitive one-way trusts between every pair of domains, n(n-1))

AD - Domain
• Next hierarchical level below forest / domain tree
• Provides a replication boundary
• Is a unit of partitioning
• Is a unit of authentication
• Is a unit of domain account policy
• Is overseen by the Domain Admins group
• Is a security boundary in the Active Directory
• OU properties are inherited within a domain only – not across domains

AD - OU
• Lowest form of grouping in the Active Directory
• An Organizational Unit is graphically represented by a circle in the diagrams
• Group Policy can be applied to the OU
• Can be nested up to x levels deep
  • Performance considerations if using Group Policy Objects (GPOs)

Existence of OUs
Only two justifications for OUs to exist (best practice):
• Delegation of administration
• Use of policies on contained objects

The Schema
• Defines the objects that are allowed within the Active Directory
• Each object class has attributes that are also defined
• The schema is extensible
• Changes to the schema are permanent
• Schema changes are made on the Schema Master, a flexible single master operation (FSMO) role, and replicate throughout the enterprise
Diagram (Domain Schema): example object classes and their attributes
• User Account: Name, Title, Manager, Office, Location, Phone, Division, Cost Center, Code, Certification, Expires
• Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size

The Global Catalog
• Contains a partial replica of the information contained within each of the domains
• Allows for fast searching of the key information in the Active Directory, without hitting all of the domains
• Enables objects to be located throughout the forest
• Reduces replication overhead
• Every DC can be a GC
• Administrators define which attributes are included
• Replication occurs along with domain controller replication

Global Catalog (Domain Tree)
The GC in each domain has a pointer to its own domain information (which is complete). It also has partial information from all of the other domains in the tree (or forest).

AD Best Practice
• Create an empty root domain which holds the Enterprise Admin accounts and the Schema Master FSMO role
• This domain should remain empty!
• Keep only three things in mind when designing an OU structure:
  • Delegation of administration (DoA)
  • Policy usage
  • Do not model the business structure
• Sites reflect high network connectivity (LANs)
• And the most important: Keep it simple!!
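Added here as a check script, not part of the original slides: the following PowerShell verifies the points from the installation slide and the best-practice slide against a live forest (the SRV records that dynamic DNS must publish for each domain, the Schema Master sitting in the root domain, how empty the root domain is, which DCs are Global Catalogs, and the trust list). It assumes the RSAT ActiveDirectory module and Resolve-DnsName (DnsClient module) on a domain-joined Windows host with read access to the directory.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module
# and Resolve-DnsName (DnsClient module) on a domain-joined Windows host.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# 1. "Active Directory needs dynamic DNS": each domain must publish the SRV
#    records that clients and DCs use to locate LDAP and Kerberos on its DCs.
foreach ($dom in $forest.Domains) {
    foreach ($svc in "_ldap._tcp.dc._msdcs.$dom", "_kerberos._tcp.$dom") {
        try {
            $srv = @(Resolve-DnsName -Name $svc -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            "{0,-50} {1} record(s): {2}" -f $svc, $srv.Count, $targets
        } catch {
            Write-Warning "Missing SRV record $svc - the DC locator cannot find $dom"
        }
    }
}
# The forest-wide Global Catalog service (LDAP on port 3268) is registered under the root domain.
Resolve-DnsName -Name "_gc._tcp.$root" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port

# 2. Best practice: the Schema Master FSMO role belongs in the (empty) root domain.
$holder = Get-ADDomainController -Identity $forest.SchemaMaster
if ($holder.Domain -ne $root) {
    Write-Warning "Schema Master $($holder.HostName) is in $($holder.Domain), not in the root $root"
} else {
    "Schema Master $($holder.HostName) is in the root domain $root"
}
# An empty root should hold little beyond the built-in accounts and Enterprise Admins.
$rootUsers = @(Get-ADUser -Filter * -Server $root)
"User objects in root domain ${root}: $($rootUsers.Count)"

# 3. Global Catalog and FSMO placement for every DC in every domain of the forest.
$dcs = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Select-Object HostName, Domain, Site, IsGlobalCatalog, OperationMasterRoles
}
$dcs | Format-Table -AutoSize

# 4. Trusts: with transitive parent-child trusts a tree of n domains needs only n-1 trusts.
Get-ADTrust -Filter * |
    Select-Object Source, Target, Direction, IntraForest, ForestTransitive |
    Format-Table -AutoSize
```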
Finito!
Thank you for your attention
Questions??