Domain and Active Directory
Transcript of Domain and Active Directory
8/12/2019 Domain and Active Directory
1/14
Understanding Active Directory in Windows Server 2003
-
Overview
Active Directory Directory Services Overview
Active Directory Logical Components
Functional Levels
Active Directory Physical Components
Active Directory Partitions
Active Directory Objects
Administering a Microsoft Windows Server 2003 Network Using Active Directory Tools
-
Lesson: Active Directory Directory Services Overview
What Is Active Directory?
Benefits of Active Directory
DNS Integration
Active Directory Naming Conventions
-
What Is Active Directory?
Directory service functionality: organize, manage, control
Centralized management
Single point of administration
[Diagram labels: Active Directory; Resources]
-
Benefits of Active Directory
Windows Server 2003 without Active Directory provides significant benefits
Scalable and reliable application server
Internet Information Server 6.0
Remote access and VPN server
Network Services (DNS and DHCP, for example)
Windows Server 2003 with Active Directory provides additional benefits
Authentication and authorization service
Single sign-on across multiple servers and services
Centralized management of servers and client computers
Centralized administration of users and computers
Centralized management of network resources
-
DNS Integration
Name resolution: resolve names of servers and clients to IP addresses and vice versa (possibly)
Namespace definition
An Active Directory domain's name must be represented in DNS
Active Directory requires DNS
DNS does not require Active Directory
Locating the physical components of Active Directory
Client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos protocol, LDAP, and so on
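As an added example (not part of the slide deck), the SRV record names a client builds for the locator queries this slide describes, the RFC 2782 ordering applied to the answers, and a check that every expected locator record is actually published. The SRV owner names are the documented DC locator names under `_msdcs`; the record set, the host names and the `contoso.msft` domain are constructed sample data.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


def locator_names(dns_domain: str, dns_forest: str | None = None) -> dict[str, str]:
    """SRV owner names a client queries for each domain controller role.
    `dns_forest` defaults to `dns_domain` (single-domain forest)."""
    forest = dns_forest or dns_domain
    return {
        "ldap_dc": f"_ldap._tcp.dc._msdcs.{dns_domain}",          # any DC offering LDAP
        "kerberos_dc": f"_kerberos._tcp.dc._msdcs.{dns_domain}",  # any DC acting as a KDC
        "pdc_emulator": f"_ldap._tcp.pdc._msdcs.{dns_domain}",    # the PDC emulator
        "global_catalog": f"_ldap._tcp.gc._msdcs.{forest}",       # GC servers are forest-wide
        "kpasswd": f"_kpasswd._tcp.{dns_domain}",                 # Kerberos password change
    }


def site_locator_name(service: str, site: str, dns_domain: str) -> str:
    """Site-scoped variant, so clients prefer DCs in their own site."""
    return f"_{service}._tcp.{site}._sites.dc._msdcs.{dns_domain}"


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def order_targets(records: list[SrvRecord], rng: random.Random) -> list[SrvRecord]:
    """Failover order per RFC 2782: lowest priority first; within one priority a
    weighted random draw, so heavier targets are tried first more often."""
    remaining = list(records)
    ordered: list[SrvRecord] = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        tier = [r for r in remaining if r.priority == lowest]
        total = sum(r.weight for r in tier)
        if total == 0:
            pick = rng.choice(tier)
        else:
            tier.sort(key=lambda r: r.weight)      # weight-0 entries first: rarely chosen
            threshold = rng.randint(0, total)
            running, pick = 0, tier[-1]
            for r in tier:
                running += r.weight
                if running >= threshold:
                    pick = r
                    break
        ordered.append(pick)
        remaining.remove(pick)
    return ordered


def missing_locator_records(dns_domain: str, published: list[SrvRecord],
                            dns_forest: str | None = None) -> list[str]:
    """Audit check: locator roles for which no SRV record is published at all."""
    present = {r.name.lower() for r in published}
    return [role for role, name in locator_names(dns_domain, dns_forest).items()
            if name.lower() not in present]


# Constructed sample answer set for contoso.msft (hypothetical hosts).
SAMPLE_RECORDS = [
    SrvRecord("_ldap._tcp.dc._msdcs.contoso.msft", 0, 100, 389, "dc1.contoso.msft"),
    SrvRecord("_ldap._tcp.dc._msdcs.contoso.msft", 0, 100, 389, "dc2.contoso.msft"),
    SrvRecord("_ldap._tcp.dc._msdcs.contoso.msft", 10, 0, 389, "dc-dr.contoso.msft"),
    SrvRecord("_kerberos._tcp.dc._msdcs.contoso.msft", 0, 100, 88, "dc1.contoso.msft"),
    SrvRecord("_ldap._tcp.gc._msdcs.contoso.msft", 0, 100, 3268, "dc1.contoso.msft"),
]


def ldap_dc_order(seed: int = 1) -> list[str]:
    """Host names in the order a client would try the sample LDAP DC records."""
    recs = [r for r in SAMPLE_RECORDS if r.name == "_ldap._tcp.dc._msdcs.contoso.msft"]
    return [r.target for r in order_targets(recs, random.Random(seed))]


if __name__ == "__main__":
    print(locator_names("contoso.msft"))
    print(ldap_dc_order())
    print(missing_locator_records("contoso.msft", SAMPLE_RECORDS))
```

The disaster-recovery DC carries priority 10, so it is only tried once both priority-0 controllers fail; the audit reports that the sample zone publishes no PDC emulator or kpasswd record.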
-
Active Directory Naming Conventions
LDAP distinguished name
LDAP relative distinguished name
User principal name (Kerberos)
Service principal name
Globally unique identifier (GUID)
Uniqueness of names
CN=Jeff Smith, CN=Users, DC=contoso, DC=msft
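An added example, not from the slide deck: parsing and building RFC 4514 string-form distinguished names such as the one on this slide. It derives the relative distinguished name, the DNS domain name from the DC= components and a user principal name, and shows the practical side of "uniqueness of names": a value placed into a DN without escaping silently adds an RDN, so any DN assembled from external input must go through `escape_value`. The `jsmith` account name and the `Smith, Jeff` value are constructed.

```python
from __future__ import annotations

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
_SPECIAL = set('"+,;<>\\')


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character,
    so `CN=Smith\\, Jeff` remains a single RDN."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape, decoded later
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Decode `\\XX` hex pairs (UTF-8 bytes) and `\\<char>` escapes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(raw[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(raw[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def _trim(raw: str) -> str:
    """Unescaped spaces around a value are insignificant; an escaped trailing
    space (`\\ `) belongs to the value."""
    raw = raw.lstrip()
    while raw.endswith(" ") and not raw.endswith("\\ "):
        raw = raw[:-1]
    return raw


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into ordered (attribute type, value) pairs, leftmost RDN first."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, raw = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        rdns.append((attr.strip().upper(), unescape_value(_trim(raw))))
    return rdns


def escape_value(value: str) -> str:
    """Escape a value so it can be embedded in a DN without changing its structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: list[tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def relative_dn(rdns: list[tuple[str, str]]) -> str:
    attr, value = rdns[0]
    return f"{attr}={escape_value(value)}"


def dns_domain(rdns: list[tuple[str, str]]) -> str:
    """The DC= components, joined, are the DNS name the domain must publish."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def user_principal_name(sam_account_name: str, rdns: list[tuple[str, str]]) -> str:
    return f"{sam_account_name}@{dns_domain(rdns)}"


if __name__ == "__main__":
    slide = parse_dn("CN=Jeff Smith, CN=Users, DC=contoso, DC=msft")
    print(slide, relative_dn(slide), dns_domain(slide), user_principal_name("jsmith", slide))
    print(parse_dn("CN=Jeff,CN=Users,DC=contoso"))                       # 3 RDNs: unescaped input
    print(parse_dn(build_dn([("CN", "Jeff,CN=Users"), ("DC", "contoso")])))  # 2 RDNs: escaped
```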
-
Lesson: Active Directory Logical Components
What Are Domains?
What Are Trees?
What Are Forests?
What Are Organizational Units?
What Are Trust Relationships?
Types of Trusts in Windows Server 2003
-
What Are Domains?
Logical partition in the Active Directory database
Collections of users, computers, groups, and so on
Units of replication
Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
Domain controllers do not replicate domain partition information for other domains
[Diagram labels: Windows 2000 or Windows Server 2003 Domain; Replication]
-
What Are Trees?
One or more domains that share a contiguous DNS namespace, for example:
nwtraders.msft
childdomain.nwtraders.msft
otherdomain.nwtraders.msft
Child domains derive their namespace from parent
Group Policy, administration, and such do not flow across domain boundaries by default
-
What Are Forests?
One or more domains that share:
Common schema
Common configuration
Automatic transitive trust relationships
Common global catalog
Forests can contain from as few as one domain to many domains and/or many trees
Domains are not required to be in a single tree or share a namespace
First domain created is the forest root, which cannot be changed without rebuilding the entire forest, although the forest root domain name can be changed in Windows Server 2003
-
What Are Organizational Units?
Container objects within a domain
Used to organize resources to reflect administrative divisions; may not map to organizational structure
Used to delegate administrative authority
Used to apply Group Policy
[Diagram labels: Organizational structure; Network administrative model; Sales; Paris; Repair; Users; Sales; Computers]
-
What Are Trust Relationships?
Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
Some trusts are automatically created
Parent-child domains trust each other
Tree root domains trust forest root domain
Other trusts are manually created
Forest-to-forest transitive trusts can be created between Windows Server 2003 forests only (i.e., not between Windows 2000 forests).
-
Types of Trusts in Windows Server 2003
Default: two-way, transitive Kerberos trusts (intraforest)
Shortcut: one- or two-way, transitive Kerberos trusts (intraforest)
Reduce authentication requests
Forest: one- or two-way, transitive Kerberos trusts
Windows Server 2003 forests only; Windows 2000 does not support forest trusts
Only between forest roots
Creates transitive domain trust relationships
External: one-way, non-transitive NTLM trusts
Used to connect to/from Microsoft Windows NT or external Windows 2000 domains
Manually created
Realm: one- or two-way, non-transitive Kerberos trusts
Connect to/from UNIX MIT Kerberos realms
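An added model of the trust types on this slide (illustration, not from the deck): given a set of trusts, it finds the chain of domains through which a resource domain can authenticate a principal from an account domain, applying the slide's transitivity rules: intraforest, shortcut and forest trusts chain, a forest trust bridges exactly two forests, and external and realm trusts work only as a direct single hop. The topology reuses the slide's nwtraders.msft names; contoso.msft, fabrikam.msft, the LEGACYNT domain and the EXAMPLE.ORG realm are constructed.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Trust kinds as classified on the slide.
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}
NON_TRANSITIVE = {"external", "realm"}


@dataclass(frozen=True)
class Trust:
    trusting: str            # domain that accepts the other side's principals
    trusted: str             # domain whose principals are accepted
    kind: str
    two_way: bool = False


def hops(trusts: list[Trust]) -> list[tuple[str, str, str]]:
    """Directed (trusting -> trusted) hops; a two-way trust yields both directions."""
    out = []
    for t in trusts:
        if t.kind not in TRANSITIVE | NON_TRANSITIVE:
            raise ValueError(f"unknown trust kind {t.kind!r}")
        out.append((t.trusting, t.trusted, t.kind))
        if t.two_way:
            out.append((t.trusted, t.trusting, t.kind))
    return out


def trust_path(trusts: list[Trust], resource_domain: str, account_domain: str) -> list[str] | None:
    """Shortest chain of domains through which `resource_domain` authenticates a
    principal from `account_domain`, or None when no trust path exists.

    Rules modelled from the slide:
      * transitive trusts may be chained through intermediate domains;
      * a forest trust joins exactly two forests, so a chain crosses at most one
        forest trust (forest A trusting forest B does not reach B's other partners);
      * external and realm trusts are non-transitive: usable only as the single
        hop directly between the two domains they join."""
    edges = hops(trusts)
    queue = deque([(resource_domain, 0, [resource_domain])])
    seen = {(resource_domain, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        if domain == account_domain:
            return path
        for src, dst, kind in edges:
            if src != domain:
                continue
            if kind in NON_TRANSITIVE:
                if len(path) == 1 and dst == account_domain:
                    return path + [dst]
                continue
            crossed = forest_hops + (1 if kind == "forest" else 0)
            if crossed > 1 or (dst, crossed) in seen:
                continue
            seen.add((dst, crossed))
            queue.append((dst, crossed, path + [dst]))
    return None


# Constructed topology: the slide's nwtraders.msft tree plus hypothetical partners.
TRUSTS = [
    Trust("nwtraders.msft", "childdomain.nwtraders.msft", "parent-child", two_way=True),
    Trust("nwtraders.msft", "otherdomain.nwtraders.msft", "parent-child", two_way=True),
    Trust("contoso.msft", "sales.contoso.msft", "parent-child", two_way=True),
    Trust("nwtraders.msft", "contoso.msft", "forest", two_way=True),
    Trust("contoso.msft", "fabrikam.msft", "forest", two_way=True),
    Trust("contoso.msft", "LEGACYNT", "external"),                # one-way, Windows NT domain
    Trust("childdomain.nwtraders.msft", "EXAMPLE.ORG", "realm"),  # one-way, MIT Kerberos realm
]

if __name__ == "__main__":
    print(trust_path(TRUSTS, "childdomain.nwtraders.msft", "otherdomain.nwtraders.msft"))
    print(trust_path(TRUSTS, "childdomain.nwtraders.msft", "sales.contoso.msft"))
    print(trust_path(TRUSTS, "nwtraders.msft", "fabrikam.msft"))      # None: two forest trusts
    print(trust_path(TRUSTS, "sales.contoso.msft", "LEGACYNT"))       # None: external is non-transitive
```

Adding a shortcut trust between the two child domains shortens the first path from three domains to two, which is the "reduce authentication requests" point. The realm trust is treated as non-transitive because that is how the slide classifies it.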