Active Directory: Final Solution to Enterprise System Integration

Author: Liming Liao

Date: 2/23/2001

What is a Directory Service

It is the central authority that manages the identities and brokers the relationships between the distributed resources, enabling them to work together.

• Examples: Yellow Pages, Shopping List

• It is composed of objects like people, printers, servers, etc.

Functions of Directory Service

A place to store information about network-based entities.

A consistent way to name, describe, locate, access, manage, and secure information about these individual resources.

Why Directory Service is needed

• Local area networks (LANs) and wide area networks (WANs) grow larger and more complex.

• Networks are connected to the Internet.

• Applications require more from the network and are linked to other systems through corporate intranets.

Life without a Central Directory Service

[Diagram: each application (HR Application1, HR Application2, Security Application, Office Admin Application) keeps its own database (HR DB1, HR DB2, Security DB, Office Admin DB), and the same user, Liming, is entered separately in every one of them.]

Disadvantages of life without a Central Directory Service

• Data duplicates prone to user errors

– The same data for one object has to be entered several times across the enterprise

– Updating information for a single object may require changes in numerous places

• Multiple logins for a single user trying to access different databases or networks

– Each database in the enterprise requires a separate login name and password

– Each network in the enterprise requires a separate login name and password

With Centralized Directory Services

[Diagram: the applications (HR Application1, HR Application2, Security Application, Office Admin Application) share one Directory Service; the user Liming is entered once and linked to Human Resources, the Security Office, a Novell account, a Windows NT account and a Solaris account.]

Advantages of Directory Services

• Entry and management of personal data, such as name, phone number and supervisor, is centralized

– This information is entered and stored in one place. If some of it is entered wrongly or needs to be changed, it is easy to fix

– No pain from duplicate inputs and updates

Advantages of Directory Services

• Information on user IDs and password locations for computer systems is centralized

– Instead of having user IDs and passwords scattered over several systems, they are managed from the central directory service

– Security is improved because there are far fewer user IDs and passwords

– Management of users' user IDs is much easier for system admins

Advantages of Directory Services

• The procedure for determining the status and role of an individual in the organization is standardized

– In a large organization, there will be a number of people that will come and go. It is important to determine the exact status or relationship to the company they represent

Advantages of Directory Services

• Lookup of names, addresses, phone numbers and other “white pages” information is standardized

• Lookup of network resources like printers, servers, certificates and other "yellow pages" information is standardized

• Centralizing the management of the system will increase reliability and make it easier to keep it up to date

Vendor-specific Directory Service Solutions and Open Standards Directory Service Solutions

• Vendor-specific Directory Services

– Sun Microsystems NIS+ (Network Information Service Plus)

– Novell's NDS (NetWare Directory Service)

– Microsoft's Active Directory

• Open Directory Service Solutions

– An open solution: X.500

– An open gateway service

– LDAP - the Lightweight Directory Access Protocol

Microsoft Active Directory

• Active Directory is the first enterprise-class directory service that is scalable, built from the ground up using Internet-standard technologies, and fully integrated with the operating system.

Characteristics of Active Directory

Hierarchical Organization

It uses objects to represent network resources. It uses containers to represent organizations. It organizes information in a tree structure made up of these objects and containers.

Object-oriented Storage

Different objects can be assigned different attributes.

Administrators can assign access privileges to objects.

Multi-Master Replication

Directories can be replicated on different servers and can be maintained locally across the network.

Users can locate resources using the local directory service rather than contacting the central domain controller every time, as in NT 4.0.

[Diagram slides: Hierarchical Organization; Object-oriented Storage]

Important ADS concepts

• Workgroup: A Windows 2000 workgroup is a logical grouping of networked computers that share resources, such as files and printers, and maintain a local security database, which is a list of user accounts and resource security information for the computer it is on.

• Domain: A Windows 2000 domain is a logical grouping of networked computers that share a central directory database, which contains user accounts and security information for the domain.

Important ADS concepts

• Domain Tree and Forest: A domain tree refers to a hierarchical grouping of domains that share a contiguous namespace, a common schema, and a common global catalog. A domain forest is a collection of two or more domain trees that do not share a contiguous namespace, but do share a common schema and global catalog.

• Namespace: A collection of unique domain names.

Important ADS concepts

• Object and Organizational unit: An object is a representation of a network resource, including users, computers, printers, and so forth. An organizational unit is an object that can hold other objects.

• Multimaster replication: The process by which Active Directory domains replicate with each other and resolve conflicting updates.

• Lightweight Directory Access Protocol (LDAP): An Internet standard by which Active Directory clients and servers communicate.
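The namespace, domain tree, forest and organizational unit concepts on these slides map directly onto LDAP distinguished names: every DNS label of a domain becomes a DC= component, OUs nest inside the domain, and two domains are in the same tree exactly when one is below the other in the DNS namespace. The Python below is an added illustration written for this page, not code from the presentation; the domain names, OU names and user name are constructed sample values, and the RDN escaping follows RFC 4514.

```python
# Added example, not from the original presentation: a small model of how Active
# Directory names its domains and objects. Domain names, OUs and the user are
# constructed sample values.

_RDN_SPECIAL = ',+"\\<>;'   # RFC 4514: characters that need a backslash inside an RDN value


def _labels(dns_name: str) -> list:
    """Split a DNS domain name into lower-cased labels, ignoring a trailing dot."""
    labels = [lbl for lbl in dns_name.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return labels


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to the DN of that domain: one DC= component per label,
    most specific first (corp.example.com -> DC=corp,DC=example,DC=com)."""
    return ",".join(f"DC={lbl}" for lbl in _labels(dns_name))


def is_child_domain(child: str, parent: str) -> bool:
    """True when `child` lies anywhere below `parent` in the DNS tree. The comparison
    is label-wise, so notexample.com is not mistaken for a child of example.com."""
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def share_contiguous_namespace(a: str, b: str) -> bool:
    """Two domains belong to the same domain tree when one is an ancestor of the
    other (or they are the same domain)."""
    return _labels(a) == _labels(b) or is_child_domain(a, b) or is_child_domain(b, a)


def group_into_trees(domains) -> dict:
    """Partition the domains of a forest into domain trees. A tree root is a domain
    with no ancestor in the set; every domain joins the tree of its root. Trees with
    different roots do not share a contiguous namespace, which is the tree/forest
    distinction from the slide. Returns {root: [domains, parents first]}."""
    domains = list(dict.fromkeys(domains))  # keep order, drop duplicates
    roots = [d for d in domains
             if not any(is_child_domain(d, other) for other in domains if other != d)]
    trees = {root: [] for root in roots}
    for d in domains:
        root = next(r for r in roots if share_contiguous_namespace(d, r))
        trees[root].append(d)
    return {root: sorted(members, key=lambda x: (len(_labels(x)), x))
            for root, members in trees.items()}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514): special characters
    get a backslash, as do a leading '#' and a leading or trailing space."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if value.startswith(("#", " ")):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out


def object_dn(domain: str, ou_path, cn: str) -> str:
    """DN of an object under a chain of OUs given top-down (['Staff', 'HR'] means
    OU=HR inside OU=Staff). OU and CN values are RDN-escaped before use."""
    rdns = [f"CN={escape_rdn_value(cn)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(list(ou_path))]
    rdns.append(dns_to_dn(domain))
    return ",".join(rdns)


if __name__ == "__main__":
    forest = ["corp.example.com", "sales.corp.example.com", "example.net", "emea.example.net"]
    for root, members in group_into_trees(forest).items():
        print(f"tree rooted at {root}: {members}")
    print(object_dn("corp.example.com", ["Staff", "HR"], "Liao, Liming"))
```

Running the script groups the four constructed domains into two trees (one rooted at corp.example.com, one at example.net), which together form a forest, and prints a DN whose comma in the common name has been escaped so it cannot be read as an extra RDN separator.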

Benefits of Active Directory Service

• Simplifies management

– Administrators have a single point of management for user accounts, clients, servers and applications

– Administrators can delegate specific administrative privileges and tasks to individual users and groups to make better use of system administration resources

• Strengthens security

– It supports a number of authentication mechanisms used to prove identity upon logon to Windows 2000

– It supports a fully integrated public key infrastructure and Internet secure protocols to let organizations securely extend selected directory information beyond their firewall to extranet users and e-commerce customers

Benefits of Active Directory Service

• Extends interoperability

– Exposes all of the Windows 2000 directory features through standards-based interfaces

– It provides a development platform for directory-enabled applications

• More efficient usage of resources

– Centralized security control and shared logon information save the trouble of creating security-admin functions for each specific system

– Users are spared the headache of maintaining multiple sets of security information within a single domain

How to implement ADS

• LDAP

– Multi-platform (Unix, Windows NT, OS/2 and IBM mainframes)

– Multi-vendor support (Microsoft, Netscape, Sun and Novell)

– Common standard

– Centralizes the entry and management of personal data like name, phone number, and supervisor

– Centralizes the location of user IDs and passwords for computer systems

– Provides the Simple Authentication and Security Layer (SASL) providers and the Secure Socket Layer (SSL) protocol

– Centralizes the procedure for determining the status and role of an individual in the organization

– Centralizes the lookup of names, addresses, phone numbers and other 'white pages' information
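Once the directory is reachable over LDAP, the "white pages" lookups listed above become LDAP search filters, and the one thing an application must get right is that user-typed values are matched literally rather than interpreted as filter syntax. The Python below is an added example written for this page, not code from the presentation: it shows a naive filter beside the escaped one (RFC 4515 escaping), plus a small evaluator covering only the AND/OR/NOT and equality-with-wildcard subset of the filter grammar, so the difference can be seen on an in-memory sample. The attribute names (cn, department, telephoneNumber) and the three directory entries are constructed assumptions.

```python
# Added example, not from the original presentation: building and evaluating LDAP
# search filters for a white-pages lookup. Directory entries and inputs are constructed.
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_person_filter(name: str) -> str:
    """Naive concatenation: a '*' typed by the user turns an exact lookup into a wildcard."""
    return f"(&(objectClass=person)(cn={name}))"


def person_filter(name: str) -> str:
    """Hardened form: the value is escaped, so the filter matches exactly one cn."""
    return f"(&(objectClass=person)(cn={escape_filter_value(name)}))"


def person_search_filter(common_name=None, department=None, phone_prefix=None) -> str:
    """AND together optional white-pages criteria. Every value is escaped; the only
    wildcard is the one this code adds deliberately for the phone-prefix search."""
    clauses = ["(objectClass=person)"]
    if common_name:
        clauses.append(f"(cn={escape_filter_value(common_name)})")
    if department:
        clauses.append(f"(department={escape_filter_value(department)})")
    if phone_prefix:
        clauses.append(f"(telephoneNumber={escape_filter_value(phone_prefix)}*)")
    return "(&" + "".join(clauses) + ")"


# --- minimal evaluator for the subset of RFC 4515 used above: &, |, !, and
# attr=value items where an unescaped '*' is a wildcard ---

def _parse(s: str, i: int):
    """Recursive-descent parse of one filter starting at s[i]; returns (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", [node]), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item")
    attr, _, raw = s[i:end].partition("=")
    return ("=", attr.lower(), raw), end + 1


def _unescape(value: str) -> str:
    """Undo \\xx hex escapes so the comparison sees the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _glob(raw: str, actual: str) -> bool:
    """Case-insensitive match of a raw filter value; only an unescaped '*' is a wildcard."""
    parts = [_unescape(p).lower() for p in raw.split("*")]
    actual = actual.lower()
    if len(parts) == 1:
        return actual == parts[0]
    if not actual.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = actual.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return actual.endswith(parts[-1]) and len(actual) - len(parts[-1]) >= pos


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, raw = node
    return any(_glob(raw, v) for v in entry.get(attr, []))


# Constructed sample directory: attribute names lower-cased, values as lists
DIRECTORY = [
    {"cn": ["Liming Liao"], "objectclass": ["person"], "department": ["HR"], "telephonenumber": ["555-0101"]},
    {"cn": ["Lisa Chen"], "objectclass": ["person"], "department": ["Security"], "telephonenumber": ["555-0102"]},
    {"cn": ["Printer 2F"], "objectclass": ["printer"], "telephonenumber": ["555-0199"]},
]


def search(filter_str: str) -> list:
    """Return the cn of every sample entry the filter matches, in directory order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in DIRECTORY if _matches(node, e)]


if __name__ == "__main__":
    typed = "Li*"  # a user typing a wildcard into the name box
    print("unsafe:", search(unsafe_person_filter(typed)))  # every person whose cn starts with Li
    print("safe:  ", search(person_filter(typed)))         # nobody is literally named Li*
    print("by department:", search(person_search_filter(department="HR")))
```

The point of the pair is that only the code, never the caller, decides where a wildcard or a new clause appears in the filter; an application that builds filters by concatenation hands that decision to whoever fills in the form. The same escaping applies to every LDAP client library, so in a real deployment use the library's own escaping helper rather than re-implementing this one.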

Summary

• Directory Services are essential to daily life in a networked world

• Personal information that is needed for the running of any organization is being kept in many separate systems

• Centralized directory services can improve productivity and increase security while reducing management overhead