Module 1: Introduction to Active Directory Infrastructure
Overview
• The Architecture of Active Directory
• How Active Directory Works
• Examining Active Directory
• The Active Directory Design, Planning, and Implementation Processes
Lesson:
• The Architecture of Active Directory
• What Does Active Directory Do?
• The Logical Structure of Active Directory
• The Physical Structure of Active Directory
• What Are Operations Masters?
What Is a Directory Service?
A directory service is a network service that identifies all resources on a network and makes that information available to users and applications. Directory services are important because they provide a consistent way to name, describe, locate, access, manage, and secure information about these resources. When a user searches for a shared folder on the network, it is the directory service that identifies the resource and provides that information to the user.
What Is Active Directory?
Active Directory is the directory service in the Windows Server family. It extends the basic functionality of a directory service to provide the following benefits:
• Domain Name System integration
• Scalability
• Centralized management
• Delegated administration
What Does Active Directory Do?
• Centralizes control of network resources
• Centralizes and decentralizes resource management
• Stores objects securely in a logical structure
• Optimizes network traffic
The Logical Structure of Active Directory
[Diagram: a forest containing domain trees; each tree contains domains, and each domain contains organizational units (OUs) and objects]
The logical components of the Active Directory structure:
Domain. The core unit of the logical structure in Active Directory is the domain. A domain is a collection of security principals such as user and computer accounts and other objects like printers and shared folders. The domain objects are defined by an administrator and share a common directory database, security policies, and trust relationships with other domains. Domains provide the following three functions:
• An administrative boundary for objects
• A means of managing security for shared resources
• A unit of replication for objects
Forest. A forest is one or more domains that share a common configuration, schema, and global catalog.
Tree. A tree consists of domains in a forest that share a contiguous DNS namespace and have a two-way transitive trust relationship between parent and child domains.
Organizational unit. An organizational unit is a type of container object that you use to organize objects within a domain. An organizational unit might contain objects such as user accounts, groups, computers, printers, and other organizational units.
The Physical Structure of Active Directory
• Sites
• Domain controllers
• WAN links
[Diagram: two sites, each containing domain controllers, connected by a WAN link]
The physical components of the Active Directory structure:
Domain controllers. These computers run Microsoft® Windows® Server and Active Directory. Each domain controller performs storage and replication functions. A domain controller can support only one domain. To ensure continuous availability of Active Directory, each domain should have more than one domain controller.
Active Directory sites. These sites are groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.
What Are Operations Masters?
Forest-wide roles (one holder per forest):
• Schema master
• Domain naming master
Domain-wide roles (one holder per domain):
• PDC emulator
• RID master
• Infrastructure master
[Diagram: the first domain controller in the forest root domain holds the forest-wide roles and that domain's domain-wide roles; each additional domain has its own PDC emulator, RID master, and infrastructure master]
How Active Directory Enables a Single Sign-on
[Diagram: a Windows XP client logs on to the REDMOND domain through a domain controller and then accesses Server XYZ]
How to Verify the Active Directory Installation
Your instructor will demonstrate how to verify:
• The creation of SYSVOL and its shares
• The directory database and log files
• The default Active Directory structure
• The installation results, by examining the event logs
How to Troubleshoot the Installation of Active Directory
Symptom: Access denied when creating or adding a domain controller
Possible causes:
• You are not logged on using an account in the Local Administrators group
• Your credentials are not from a user account that is a member of the Domain Admins or Enterprise Admins group
Symptom: DNS or NetBIOS domain names are not unique
Possible cause:
• Another domain has the same DNS or NetBIOS name
Symptom: Domain cannot be contacted
Possible causes:
• Network error
• DNS error
Symptom: Insufficient disk space
Possible cause:
• Available disk space is less than the minimum required to install Active Directory
Types of Trusts
• Parent/child trust
• Tree/root trust
• Forest trust
• Shortcut trust
• External trust
• Realm trust (to a Kerberos realm)
[Diagram: Forest 1 (forest root with Domains A, B, D, E, and F), Forest 2 (forest root with Domains P, Q, and C), and a Kerberos realm, with each trust type drawn between the domains it connects]
How Trusts Work Across Forests
[Diagram: a forest trust between nwtraders.msft (Forest 1, Vancouver site, vancouver.nwtraders.msft) and contoso.msft (Forest 2, Seattle site, seattle.contoso.msft); each forest has its own global catalog, and numbered steps 1 to 9 trace a request across the forest trust]
What Is an Organizational Unit?
• Organizes objects in a domain
• Allows you to delegate administrative control
• Simplifies the management of commonly grouped resources
Organizational Unit Hierarchical Models
Function-based hierarchy: S – Sales, C – Consultants, M – Marketing
Organization-based hierarchy: M – Manufacturing, E – Engineering, R – Research
Location-based hierarchy: N – Norway, F – France, I – Indonesia
Examples of hybrid-based hierarchies:
• Function / Organization / Location
• Function / Organization
• Location / Organization
What Is a User Account?
• Domain user accounts (stored in Active Directory)
• Local user accounts (stored on the local computer)
[Diagram: a Windows Server 2008 domain]
User Account Placement in a Hierarchy
• Geopolitical design: Users North America, Users South America
• Business design: Users Accounting, Users Sales
User Account Password Options
• User must change password at next logon: users must change their passwords the next time they log on to the network
• User cannot change password: users do not have the permissions to change their own password
• Password never expires: users’ passwords will not expire and do not need to be changed
• Account is disabled: users cannot log on by using the selected account
Best Practices for Creating User Accounts
Best practices for creating local user accounts:
• Limit the number of people who can log on locally
Best practices for creating domain user accounts:
• Disable any account that will not be used immediately
• Require users to change their passwords the first time that they log on
• Do not use the Users container for ordinary user accounts
• Rename the Administrator account
• Use strong passwords
What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources. Groups are characterized by scope and type.
• Security: used to assign user rights and permissions; can also be used as an e-mail distribution list
• Distribution: can be used only with e-mail applications; cannot be used to assign permissions
What Are Global Groups?
Global group rules
Membership can include:
• Mixed functional level: user and computer accounts from the same domain
• Native functional level: user and computer accounts and global groups from the same domain
Can be a member of:
• Mixed functional level: domain local groups
• Native functional level: universal and domain local groups in any trusting domain, and global groups in the same domain
Scope: visible in its own domain and all trusting domains
Permissions: all domains in the forest and trusting domains
What Are Universal Groups?
Universal group rules
Membership can include:
• Mixed functional level: not applicable
• Native functional level: user accounts, global groups, and universal groups from any domain in the forest
Can be a member of:
• Mixed functional level: not applicable
• Native functional level: domain local or universal groups in any domain
Scope: visible in all domains in the forest and all trusting domains
Permissions: all domains in the forest and all trusting domains
What Are Domain Local Groups?
Domain local group rules
Membership can include:
• Mixed functional level and Windows Server 2003 interim: user and computer accounts and global groups from any trusted domain
• Native functional level: user and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of:
• Mixed functional level and Windows Server 2003 interim: none
• Native functional level: domain local groups in the same domain
Scope: visible only in its own domain
Permissions: the domain to which the domain local group belongs
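The global, universal, and domain local rules above are easy to get wrong when nesting groups across domains. The following added example (not part of the course material) encodes the "Membership can include" tables as data and checks a proposed nesting chain against them; the principal and domain names are constructed, and "account" stands for a user or computer account.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "account", "global", "universal" or "domainlocal"
    domain: str

# Direct members each group scope may hold per functional level, from the tables above.
# "same": only from the group's own domain; "any": any domain in the forest or a trusted domain.
MEMBERSHIP_RULES = {
    ("global", "mixed"):       {"account": "same"},
    ("global", "native"):      {"account": "same", "global": "same"},
    ("universal", "native"):   {"account": "any", "global": "any", "universal": "any"},
    ("domainlocal", "mixed"):  {"account": "any", "global": "any"},
    ("domainlocal", "native"): {"account": "any", "global": "any",
                                "universal": "any", "domainlocal": "same"},
}

def can_add_member(group, member, level):
    """Return (allowed, reason) for adding `member` directly to `group` at `level`."""
    rule = MEMBERSHIP_RULES.get((group.kind, level))
    if rule is None:
        return False, f"no membership rule for a {group.kind} at {level} functional level"
    where = rule.get(member.kind)
    if where is None:
        return False, f"a {member.kind} cannot be a member of a {group.kind} group ({level})"
    if where == "same" and member.domain != group.domain:
        return False, f"{group.name} only accepts {member.kind}s from {group.domain}"
    return True, "ok"

def check_nesting_chain(chain, level):
    """Validate chain[0] -> chain[1] -> ... (each nested in the next). Returns the first problem or None."""
    for member, group in zip(chain, chain[1:]):
        ok, reason = can_add_member(group, member, level)
        if not ok:
            return f"{member.name} -> {group.name}: {reason}"
    return None

if __name__ == "__main__":
    # Constructed AGDLP chain: account -> global group -> domain local group, across two domains.
    alice = Principal("alice", "account", "contoso.msft")
    g_sales = Principal("G-Sales", "global", "contoso.msft")
    dl_share = Principal("DL-SalesShare", "domainlocal", "nwtraders.msft")
    print(check_nesting_chain([alice, g_sales, dl_share], "native"))   # None: chain is valid
```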
What Are Local Groups?
Local group rules
Membership can include: local user accounts, domain user and computer accounts, and global and universal groups from the computer's domain and trusted domains
Can be a member of: not applicable
What Is Group Policy?
All computers with Microsoft Windows® 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8 or Windows Server 2008 operating systems are capable of accepting Group Policy settings. The local Group Policy settings can be used to manage the local computer in a standalone or domain environment. The Active Directory® directory service can use Group Policy to manage users and computers in a domain. For example, you can define Group Policy settings that affect the entire domain, define settings that affect specific organizational units (OUs), or use local Group Policy settings to affect a single computer.
What Is a GPO Link?
A GPO can be linked to a site, a domain, or an organizational unit (OU).
[Diagram: a Site GPO linked to a site, a Domain GPO linked to the domain, and Organizational Unit GPOs linked to OUs, including nested OUs]
What Is Remote Desktop for Administration?
[Diagram: an administrator on the LAN uses a remote computer running Remote Desktop Connection to reach a server with Remote Desktop (Terminal Services) enabled on Windows Server 2003/2008, over Remote Desktop Protocol across a LAN, WAN, or dial-up connection]
Why Use Remote Desktop for Administration?
• Provide remote access to most configuration settings
• Diagnose a problem and test multiple solutions quickly
• Allow access to servers from anywhere in the world
• Perform time-consuming batch administrative jobs, such as tape backups
• Upgrade server applications and operating systems remotely
What Is Terminal Services Manager?
• Monitors user sessions
• Manually forces user logoff or session disconnect
• Lets you oversee all users and sessions on a server from one location
What Is Event Viewer?
• A tool for viewing and configuring event logs
• A way to view the application log
• A collection of log files with a 16 MB default size
• Filters events based on type, source, computer, and time
Why Use DHCP?
DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration.
Manual TCP/IP configuration:
• IP addresses are entered manually
• An IP address could be entered incorrectly
• Communication and network issues can result
• Frequent computer moves increase administrative effort
Automatic TCP/IP configuration:
• IP addresses are supplied automatically
• Correct configuration information is ensured
• Client configuration is updated automatically
• A common source of network problems is eliminated
What Is Automatic Private IP Addressing?
APIPA automatically self-configures addresses when there is no DHCP server available.
Advantages:
• Serves as a DHCP server failover mechanism for small networks
• Automatically assigns an IP address in a specific range
Disadvantages:
• Forces assignment of addresses typically not used
• Conceals possible connectivity problems
• Does not work outside the 169.254.x.x subnet
• Is not routable
How the DHCP Lease Generation Process Works
1. The DHCP client broadcasts a DHCPDISCOVER packet
2. The DHCP servers (DHCP Server1 and DHCP Server2) each broadcast a DHCPOFFER packet
3. The DHCP client broadcasts a DHCPREQUEST packet
4. DHCP Server1 broadcasts a DHCPACK packet
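The four-step exchange above, simulated end to end with two servers so that the losing server's offer is visibly withdrawn. This is an added example, not course code; the server names, MAC address, and address pools are constructed, and the client simply accepts the first offer it receives.

```python
BROADCAST = "255.255.255.255"   # every packet in the four-step exchange is broadcast

class DhcpServer:
    """Constructed DHCP server: offers addresses from a pool and commits them on request."""
    def __init__(self, name, pool):
        self.name = name          # sent as the server identifier in OFFER and ACK
        self.free = list(pool)    # constructed address pool
        self.offered = {}         # mac -> address tentatively offered (DHCPOFFER)
        self.leases = {}          # mac -> address committed (DHCPACK)

    def on_discover(self, msg):
        if not self.free:
            return None           # nothing to offer, so this server stays silent
        addr = self.free.pop(0)
        self.offered[msg["mac"]] = addr
        return {"type": "DHCPOFFER", "dst": BROADCAST, "mac": msg["mac"],
                "yiaddr": addr, "server_id": self.name}

    def on_request(self, msg):
        addr = self.offered.pop(msg["mac"], None)
        if msg["server_id"] != self.name or addr is None:
            # Client chose another server (or we never offered): put the address back.
            if addr is not None:
                self.free.insert(0, addr)
            return None
        self.leases[msg["mac"]] = addr
        return {"type": "DHCPACK", "dst": BROADCAST, "mac": msg["mac"],
                "yiaddr": addr, "server_id": self.name}

def obtain_lease(mac, servers):
    """Run DISCOVER -> OFFER -> REQUEST -> ACK for one client; returns (ip, transcript)."""
    transcript = []
    discover = {"type": "DHCPDISCOVER", "dst": BROADCAST, "mac": mac}
    transcript.append(discover)
    offers = [o for o in (s.on_discover(discover) for s in servers) if o]  # all servers hear it
    transcript.extend(offers)
    if not offers:
        return None, transcript
    chosen = offers[0]            # the client takes the first offer it receives
    request = {"type": "DHCPREQUEST", "dst": BROADCAST, "mac": mac,
               "server_id": chosen["server_id"], "requested_ip": chosen["yiaddr"]}
    transcript.append(request)
    acks = [a for a in (s.on_request(request) for s in servers) if a]    # only the chosen one answers
    transcript.extend(acks)
    return (acks[0]["yiaddr"] if acks else None), transcript

if __name__ == "__main__":
    s1 = DhcpServer("Server1", ["192.168.1.10", "192.168.1.11"])
    s2 = DhcpServer("Server2", ["192.168.1.50"])
    ip, log = obtain_lease("00-11-22-33-44-55", [s1, s2])
    print(ip, [m["type"] for m in log])
```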
Host Name Resolution Process
Host name resolution is the process of resolving a host name to an IP address. For example, the question "What is the IP address for Salescomputer2?" is answered with 192.168.1.35 by checking, in order:
1. The client resolver cache (including the Hosts file)
2. DNS
3. The NetBIOS name cache, WINS, broadcast, and the Lmhosts file
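The lookup order above, as an added example (not from the course): each source is a constructed table, and the resolver reports which source answered and which ones it tried. Because the Hosts file is consulted before DNS, a stale or tampered Hosts entry silently overrides the DNS record, which is why auditing that file belongs in host hardening checks.

```python
# Constructed name sources. Each maps a name to an address; a missing key means "not found".
RESOLVER_CACHE = {}                                     # DNS client resolver cache
HOSTS_FILE = {"salescomputer2": "192.168.1.35", "intranet": "10.9.9.9"}
DNS = {"salescomputer2": "192.168.1.35", "salescomputer3": "192.168.1.36", "intranet": "10.0.0.20"}
NETBIOS_CACHE = {}
WINS = {"SALESCOMPUTER4": "192.168.1.37"}
BROADCAST_REPLIES = {"SALESCOMPUTER5": "192.168.1.38"}  # hosts that would answer a subnet broadcast
LMHOSTS = {"OLDSERVER": "10.0.0.5"}

# Lookup order used by the client, as on the slide; Hosts entries are checked with the resolver cache.
DEFAULT_ORDER = [
    ("resolver cache / Hosts file", lambda n: RESOLVER_CACHE.get(n.lower()) or HOSTS_FILE.get(n.lower())),
    ("DNS", lambda n: DNS.get(n.lower())),
    ("NetBIOS name cache", lambda n: NETBIOS_CACHE.get(n.upper())),
    ("WINS", lambda n: WINS.get(n.upper())),
    ("broadcast", lambda n: BROADCAST_REPLIES.get(n.upper())),
    ("Lmhosts file", lambda n: LMHOSTS.get(n.upper())),
]

def resolve(name, order=DEFAULT_ORDER):
    """Consult each source in order; return (ip, source that answered, sources tried)."""
    tried = []
    for label, lookup in order:
        tried.append(label)
        ip = lookup(name)
        if ip:
            return ip, label, tried
    return None, None, tried

if __name__ == "__main__":
    print(resolve("Salescomputer2"))   # answered from the resolver cache / Hosts file
    print(resolve("Salescomputer3"))   # falls through to DNS
    print(resolve("intranet"))         # the Hosts entry shadows the DNS record
    print(resolve("nosuchhost"))       # every source tried, nothing found
```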
Overview of Domain Name System
• Domain Name System is a hierarchical distributed database
• DNS is the foundation of the Internet naming scheme
• DNS supports accessing resources by using alphanumeric names
• InterNIC is responsible for managing the domain namespace
• DNS was created to support the Internet’s growing number of hosts
What Is a Domain Namespace?
[Diagram: the root domain; top-level domains com, org, and net; second-level domain nwtraders; subdomains such as south, sales, west, and east; host SERVER1]
FQDN: SERVER1.sales.south.nwtraders.com
What Are Resource Records and Record Types?
• A: resolves a host name to an IP address
• PTR: resolves an IP address to a host name
• SOA: the first record in any zone file
• SRV: resolves names of servers providing services
• NS: identifies the DNS server for each zone
• MX: the mail server
• CNAME: resolves an alias to a host name
What Are DNS Zone Types?
• Primary: read/write copy of a DNS database
• Secondary: read-only copy of a DNS database
• Active Directory integrated: zone data is stored in Active Directory rather than in zone files
What Are Forward and Reverse Lookup Zones?
[Diagram: namespace training.nwtraders.msft, served by a DNS server authorized for training]
Forward zone (training): DNS Client1 = 192.168.2.45, DNS Client2 = 192.168.2.46, DNS Client3 = 192.168.2.47; answers "DNS Client2 = ?"
Reverse zone (1.168.192.in-addr.arpa): 192.168.2.45 = DNS Client1, 192.168.2.46 = DNS Client2, 192.168.2.47 = DNS Client3; answers "192.168.2.46 = ?"
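An added example (not course code) that ties the record types listed earlier to the forward and reverse zones shown here: a constructed forward zone for training.nwtraders.msft with SOA, NS, MX, A, and CNAME records, a lookup that chases CNAME aliases to their A record, and the PTR records and in-addr.arpa zone name derived for the 192.168.2.0/24 network. Host names and addresses are constructed to match the diagram.

```python
import ipaddress

# Constructed forward zone for training.nwtraders.msft: (owner, type, data) triples.
ZONE = "training.nwtraders.msft"
FORWARD = [
    (ZONE, "SOA", "dnsserver.training.nwtraders.msft hostmaster.training.nwtraders.msft"),
    (ZONE, "NS", "dnsserver.training.nwtraders.msft"),
    (ZONE, "MX", "10 mail.training.nwtraders.msft"),
    ("dnsserver.training.nwtraders.msft", "A", "192.168.2.1"),
    ("dnsclient1.training.nwtraders.msft", "A", "192.168.2.45"),
    ("dnsclient2.training.nwtraders.msft", "A", "192.168.2.46"),
    ("dnsclient3.training.nwtraders.msft", "A", "192.168.2.47"),
    ("mail.training.nwtraders.msft", "CNAME", "dnsclient3.training.nwtraders.msft"),
]

def lookup(records, name, rtype, max_hops=8):
    """Forward lookup that follows CNAME chains; returns the list of matching data."""
    for _ in range(max_hops):
        hits = [d for n, t, d in records if n == name and t == rtype]
        if hits or rtype == "CNAME":
            return hits
        aliases = [d for n, t, d in records if n == name and t == "CNAME"]
        if not aliases:
            return []
        name = aliases[0]         # chase the alias and try again
    return []                     # CNAME loop or chain too long

def reverse_zone_name(network):
    """Name of the in-addr.arpa zone for a /8, /16 or /24 IPv4 network."""
    net = ipaddress.ip_network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones here cover whole octets only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_reverse_zone(records, network):
    """Derive PTR records from every A record whose address falls inside the network."""
    net = ipaddress.ip_network(network)
    ptrs = []
    for name, rtype, data in records:
        if rtype == "A" and ipaddress.ip_address(data) in net:
            ptrs.append((ipaddress.ip_address(data).reverse_pointer, "PTR", name))
    return ptrs

if __name__ == "__main__":
    print(lookup(FORWARD, "mail.training.nwtraders.msft", "A"))
    print(reverse_zone_name("192.168.2.0/24"))
    for rec in build_reverse_zone(FORWARD, "192.168.2.0/24"):
        print(rec)
```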