COMP1321 Digital Infrastructure


Transcript of COMP1321 Digital Infrastructure

Page 1: COMP1321 Digital Infrastructure

COMP1321

Digital Infrastructure

Richard Henson

February 2014

Page 2: COMP1321 Digital Infrastructure

Week 15: Active Directory and Enterprise Networks

Objectives:

Explain the importance of X500 compliance for Internet-based databases

Explain how Active Directory can control login and access to network resources

Explain how Active Directory can provide trust across multiple domains

Page 3: COMP1321 Digital Infrastructure

More about Active Directory

An LDAP network-wide directory service for providing paths to files and services

available from Windows 2000 onwards

of limited use on networks with NT v4 clients

All domain controllers contribute to, share, and are part of the Active Directory system

data on network resources, services & users all stored in a single file » ntds.dit

tools available for AD system management » e.g. ntdsutil

Page 4: COMP1321 Digital Infrastructure

X500 compliance

Many rules laid down for applications and data structures held on the Internet

Database: object-oriented (X500 compliant)

Query of database through LDAP (lightweight database access protocol)

Page 5: COMP1321 Digital Infrastructure

What is Active Directory?

Object-oriented database (compliant with X500 standard)

hierarchy of data objects (& their properties)

» domain controllers

» computers

» users & groups of users

» network resources
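The hierarchy described on slides 4 and 5 is what an LDAP client sees when it queries Active Directory: every object has a distinguished name (DN) that spells out its path through domain and organisational unit. The following is an added example, not part of the lecture slides; the domain uni.example, its OUs and its accounts are constructed sample data, and the search is a simplified subtree search with a single attribute=value filter.

```python
# Tiny in-memory model of the X500-style hierarchical object database that
# Active Directory exposes over LDAP. Each key is a DN, leftmost = most specific.
# The domain "uni.example" and all objects below are constructed sample data.

DIRECTORY = {
    "DC=uni,DC=example": {"objectClass": "domainDNS"},
    "OU=Domain Controllers,DC=uni,DC=example": {"objectClass": "organizationalUnit"},
    "CN=DC01,OU=Domain Controllers,DC=uni,DC=example": {"objectClass": "computer"},
    "OU=Staff,DC=uni,DC=example": {"objectClass": "organizationalUnit"},
    "CN=Bob Jones,OU=Staff,DC=uni,DC=example": {"objectClass": "user", "sAMAccountName": "bjones"},
    "CN=Lab Admins,OU=Staff,DC=uni,DC=example": {"objectClass": "group",
                                                  "member": "CN=Bob Jones,OU=Staff,DC=uni,DC=example"},
    "OU=Students,DC=uni,DC=example": {"objectClass": "organizationalUnit"},
    "CN=Alice Smith,OU=Students,DC=uni,DC=example": {"objectClass": "user", "sAMAccountName": "asmith"},
}

def parse_dn(dn):
    """Split a DN into (type, value) components. Escaped commas are not handled here."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts

def is_under(dn, base_dn):
    """True if dn is base_dn itself or sits anywhere beneath it in the tree."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base_dn)
    if len(dn_parts) < len(base_parts):
        return False
    # An object is below base_dn when its DN ends with base_dn's components.
    return dn_parts[len(dn_parts) - len(base_parts):] == base_parts

def search(base_dn, attr, value):
    """Subtree search, as an LDAP query would do: objects below base_dn with attr == value."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if is_under(dn, base_dn) and attrs.get(attr) == value)

def domain_of(dn):
    """Recover the DNS name of the domain an object lives in from its DC= components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")
```

Narrowing the base DN from the domain to one OU is how an administrator (or an audit script) scopes a query to one part of the hierarchy.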

Page 6: COMP1321 Digital Infrastructure

Backing up the Database

Goes without saying that the loss of Active Directory will be bad for the network

people won’t even be able to log on!

Should be backed up… regularly!

Best way to do this is on another computer…

Page 7: COMP1321 Digital Infrastructure

Fault Tolerance

General engineering principle… if it can go wrong… it will!

To maintain availability for users, the whole domain controller should be backed up!

active directory designed as a distributed database that backs up to a reserve domain controller

backup domain controller software set up using same active directory wizard

Page 8: COMP1321 Digital Infrastructure

Fault Tolerance (hardware fault)

E.g. Hard disks can crash or become corrupt

System needed for a backup to take over “seamlessly” i.e. without the user noticing…

Achieved by disk mirroring

exact copy available to take over at a moment’s notice

Page 9: COMP1321 Digital Infrastructure

Domain Trust

This allows users on one domain to log onto resources on another domain

Trusts can be one- or two-way

(Diagram: trust between Domain A and Domain B)

Page 10: COMP1321 Digital Infrastructure

Enterprise Structure of Active Directory

A hierarchical system of organisational data objects, i.e. domains

A Tree can be

» a single domain

» a group of domains

Page 11: COMP1321 Digital Infrastructure

Domain Trees & Forests

Active Directory provides “trust” between the databases of domains that are linked in this way

A “Tree” is the domains and links between them

A “Forest” contains data needed to connect all objects in the tree:

domain objects in the tree are logically linked together in the forest and their users can “trust” each other
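Slides 9 and 11 together describe trusts that are directional (one- or two-way) and that, between domains of one tree or forest, chain through intermediate domains. The model below is an added example, not from the lecture slides: it assumes that trusts inside a tree/forest are transitive while a trust to an outside organisation is not, and the domain names are constructed sample data. Direction matters: when B trusts A, B accepts A's users, so A's users can reach B's resources.

```python
# Added example: a directed trust graph for checking whether a user logged on
# to one domain can reach resources in another. Domain names are constructed.
from collections import deque

class TrustGraph:
    def __init__(self):
        # trusting domain -> list of (trusted domain, transitive?)
        self.edges = {}

    def add_trust(self, trusting, trusted, two_way=False, transitive=True):
        """Record that `trusting` accepts users from `trusted` (and vice versa if two_way)."""
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, transitive))

    def can_access(self, user_domain, resource_domain):
        """True if a user from user_domain can reach a resource in resource_domain."""
        if user_domain == resource_domain:
            return True
        # Walk trust edges outwards from the resource's domain. Only transitive
        # edges may be chained; a non-transitive trust helps only the domain that holds it.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for trusted, transitive in self.edges.get(domain, []):
                if not transitive and domain != resource_domain:
                    continue
                if trusted == user_domain:
                    return True
                if transitive and trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False

def sample_forest():
    """A tree root with two child domains plus a one-way external trust (constructed)."""
    g = TrustGraph()
    # parent/child trusts within one tree: two-way and transitive
    g.add_trust("uni.example", "cs.uni.example", two_way=True)
    g.add_trust("uni.example", "eng.uni.example", two_way=True)
    # uni.example accepts users from a partner organisation, but not the reverse,
    # and that external trust does not extend to the child domains
    g.add_trust("uni.example", "partner.example", transitive=False)
    return g
```

Running can_access over every pair of domains is a quick way to audit which users an external trust has actually admitted.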

Page 12: COMP1321 Digital Infrastructure

Active Directory and Users

Active Directory allows set up and management of domain users

Can also define domain groups, and allow domain users to become part of domain groups

aids administration

policy file can be set up

» interacts with user machine’s registry during login

» controls user desktop

Page 13: COMP1321 Digital Infrastructure

Organisations, Organisational Units, and Domains

An organisation may:

have several locations

have several functions in same location

Alternative to multiple domains… organisational units

group policy can be applied selectively

Page 14: COMP1321 Digital Infrastructure

WINS (Windows Internet Names Service)

Used on earlier Windows TCP/IP networks to enable computer devices to communicate using IP

manages a dynamic database of IP addresses and local network (NetBIOS) names

clients request IP addresses for particular NetBIOS names

WINS server provides that information

Page 15: COMP1321 Digital Infrastructure

Active Directory and DNS

In Active Directory, each domain in the tree has a unique DNS identity

therefore a unique IP address…

can cause confusion when setting up domain structure!!

Also, each device within a domain can also make use of DNS, via its IP address…

no need for WINS…

Page 16: COMP1321 Digital Infrastructure

Microsoft TCP/IP stack

Differs from UNIX TCP/IP (e.g. no FTP, SMTP or Telnet)

DNS is available as a network service

Application layer components:

Windows sockets - to interface with sockets-based applications

NetBT - to interface with NetBIOS applications

SNMP, TCP, UDP, IP as with Unix protocol stack

Page 17: COMP1321 Digital Infrastructure

Configuring TCP/IP on Windows

Requires local administrator access!!

1. Find “Local Area Connection”:

» either through Control Panel/Network & Dial up connections

» or by right-clicking on Network Places and choosing Properties

2. Right click on Local Area connection

3. Click on “properties”

Page 18: COMP1321 Digital Infrastructure

TCP/IP Configuration (2)

Locate and double-click TCP/IP

If DHCP (dynamic host configuration protocol) is running, IP addressing is dealt with automatically by the DHCP server

Otherwise, three IP addresses need to be added:

Local static machine IP address

Subnet mask

Default gateway

Page 19: COMP1321 Digital Infrastructure

TCP/IP Configuration (3)

Local machine IP address

DHCP protocol can automatically assign IP addresses from a Windows 2000 server machine running DHCP server

Alternatively, a static IP address can be keyed in manually

Subnet mask:

normally 255.255.255.0 for small networks

255.255.x.0 for larger networks

» x -> 0 as the network gets larger

Default gateway is the IP address of the LAN-Internet interface computer…
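A mistyped gateway or mask is the usual reason a manually configured machine cannot reach anything beyond its own subnet. The following added example (not from the lecture slides) checks the three values from slides 18 and 19 before they are keyed in, and shows how the "x" octet of a 255.255.x.0 mask sets the network size; all addresses in it are constructed sample values, and it uses Python's standard ipaddress module.

```python
# Added example: sanity-checking a static (IP, subnet mask, default gateway)
# triple and sizing 255.255.x.0 masks. Addresses are constructed sample values.
import ipaddress

def network_for(ip, mask):
    """The subnet that `ip` belongs to under a dotted-decimal `mask`."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def usable_hosts(mask):
    """Host addresses a mask leaves after the network and broadcast addresses."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return net.num_addresses - 2

def check_static_config(ip, mask, gateway):
    """Return a list of problems with a static configuration; an empty list means OK."""
    problems = []
    try:
        net = network_for(ip, mask)
        host = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as e:  # covers a non-contiguous mask such as 255.255.253.0
        return [f"malformed address or mask: {e}"]
    if host == net.network_address or host == net.broadcast_address:
        problems.append("IP address is the network or broadcast address")
    if gw not in net:
        # the machine would have no route to its gateway at all
        problems.append(f"default gateway {gateway} is not on subnet {net}")
    if gw == host:
        problems.append("default gateway cannot be the machine itself")
    return problems

def mask_sizes(third_octets=(255, 254, 252, 0)):
    """Usable host counts for 255.255.x.0 as x shrinks towards 0 (slide 19)."""
    return {x: usable_hosts(f"255.255.{x}.0") for x in third_octets}
```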

Page 20: COMP1321 Digital Infrastructure

Windows TCP/IP utilities

Located in the system32 directory

Not available from the GUI

Only accessible via the NT prompt:

Ping (packet internet groper)

FTP

Telnet

Finger (retrieval of system information from a computer running TCP/IP & finger)

ARP (displays local IP addresses according to equivalent MAC or “physical” addresses)

ipconfig (displays local IP configuration)

tracert (checks route to a remote IP address)

Page 21: COMP1321 Digital Infrastructure

Some Other Windows Network Services

Terminal Services

RIS (remote installation…)

DNS (Domain name/IP address look up)

Virtualisation (Hyper-V)

RAS (remote access) & Secure Remote Login

Internet Information Server (IIS)

Page 22: COMP1321 Digital Infrastructure

Installation of Client-Server Services

Don’t need a domain controller

Many run quite happily on a Server

Investigation after the break…

Page 23: COMP1321 Digital Infrastructure

“Internet of Things”

http://www.bcs.org/upload/pdf/internet-things-190213.pdf

http://www.youtube.com/watch?v=fj_xwgLW_4I