1 csit 320. just as the combination of a database and a database management system collects and...
TRANSCRIPT
Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as well as manages access to that information, Active Directory collects, organizes and manages access to information about network “objects” – such as computers, servers, printers, users, groups, etc.
For instance, one component is a Directory Service Often likened to a phone book which one to look up
numbers (from names) or services (yellow pages)Active Directory is often just called AD
For example AD-DS is active 2CSIT 320
Active Directory is based upon some of the following standards (though not fully compliant with all of them) DNS – AD needs DNS to work, follows its
organization and naming conventions X.500 – directory service protocol based on the OSI
model (AD does not use the full X.500 standard)LDAP (Lightweight Directory Access Protocol )
– part of the X.500 standard was Directory Access Protocol – LDAP is a scaled down, easier version of that
Kerberos – network authentication protocol – adds the security to AD
3CSIT 320
Whereas a database has a “relational” structure, the objects in AD have a hierarchical, tree-like structure. Thus there is a rootEvery object other than the root has one and
only one parent. However, it can get complicated in that there
are various levels (domains, organizational units, groups) as well as distinctions between logical separations and physical separations.
4CSIT 320
A domain is one of the main organizational units in Active Directory.
It collects resources and manages access to them for a set of users.For instance users being logged in the same
domain typically implies that those users will for the most part have access to the same resources and follow the same policies
In Active Directory diagrams , domains are represented by triangles.
5CSIT 320
An AD domain must have at least one AD domain controller.
The domain controller manages the authentication of users granting them access to the domain and the resources it contains.
Best Practices suggests that there are at least two domain controllers in a domain so that access to the domain can still be granted if one controller is down.
6CSIT 320
A tree is a set of domains that obey a DNS-type hierarchical naming structure. They belong to the same “namespace”.A namespace provides a context in which a
name has a well defined meaning.
7CSIT 320
lasalle.edu
student.lasalle.edu
luna.lasalle.edu
As the name suggests a forest is a collection of trees. Each tree has a its own namespace, but the different trees in the forest have different namespaces. However you may want them to be connected in some way – have some kind of trust relationship, some sharing of resources or just want to administer them as a unit.
8CSIT 320
lasalle.edu lasalle.museum
student.lasalle.edu
The trees in a forest still share a common root.
The first tree in the forest serves as the root. It will have (at least initially) the global
catalog – the collection of definitions, how the forests are organized, what the trust relationships are, names for all of the objects, etc.
9CSIT 320
If two domains have a trust relationship, it means that users from one domain can access resources from another domain. That way an administrator does not have to
give users accounts in both domains. The domain with the resource is said to be
“trusting” and the domain with the user is said to be “trusted”. Trust can be but doesn’t have to be a two-way street.
CSIT 320 10
Before we were moving up in the hierarchy from the original concept of a domain, an organizational unit on the other hand is lower in the hierarchy (farther from the root)
It is a container within a domain – resources like printers and file shares organized into smaller containers.
Example within the student.lasalle.edu domain, science students may be access to different shares and different printers from business students, etc.
11CSIT 320
In a large company a logical container such as a domain might cover multiple physical locations.
This can cause a problem because a lot of information is passed between domain controllers.
So AD has the notion of a site to correspond to physical differences rather than logical differencesA site can have multiple domainsA domain may be spread over multiple sites
12CSIT 320
Just like in a database, Active Directory has a schema.
Definition of all AD objects, For example , it will define a User, what
attributes a User must have, what attributes a User might have, relationships between Users and Groups, etc.
ONE schema for a forestExtensible
While a default set of definitions gets one started with AD, one can extend or create new objects
14CSIT 320
A distributed data repository containing a searchable, partial representation of every object in every domain in a forest.
Answers AD Search QueriesMust be present to successfully logon Holds a copy of all Objects of the whole
Forest…...but holds only a subset of the Attribute
15CSIT 320
Member Server – server on a domain offering a non-active directory service
Domain Controller – as the name suggests its manages access to the resources within a domain
Global Catalog – while a domain controller stores the objects for the domain it “controls”, a global catalog server stores the objects from all domains in the forest.A global catalog server is a domain controller, but
a domain controller may not be a global catalog server
16CSIT 320
Updates can be applied to ANY Domain Controller
Will be Replicated to each other Domain Controls (inside that Domain) within 15 Minutes
Optimized Algorithm reduces Replication Traffic
Not time based (triggered on demand, only)!
17CSIT 320
Improved AuthenticationPermissions applied via ACLs
To Objects as wholeTo specific Attributes
Fine-Tuning of Access Permissions possible
18CSIT 320