CSIT 320

Upload: hugh-carroll

Post on 23-Dec-2015


CSIT 320, slide 1

Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as well as manages access to that information, Active Directory collects, organizes and manages access to information about network “objects” – such as computers, servers, printers, users, groups, etc.

For instance, one component is a directory service, often likened to a phone book, which one uses to look up numbers (from names) or services (yellow pages). Active Directory is often just called AD. For example AD-DS is active

CSIT 320, slide 2

Active Directory is based upon some of the following standards (though not fully compliant with all of them):

- DNS: AD needs DNS to work and follows its organization and naming conventions.
- X.500: directory service protocol based on the OSI model (AD does not use the full X.500 standard).
- LDAP (Lightweight Directory Access Protocol): part of the X.500 standard was the Directory Access Protocol; LDAP is a scaled down, easier version of that.
- Kerberos: network authentication protocol; it adds the security to AD.

CSIT 320, slide 3

Whereas a database has a “relational” structure, the objects in AD have a hierarchical, tree-like structure. Thus there is a root. Every object other than the root has one and only one parent. However, it can get complicated in that there are various levels (domains, organizational units, groups) as well as distinctions between logical separations and physical separations.

CSIT 320, slide 4

A domain is one of the main organizational units in Active Directory. It collects resources and manages access to them for a set of users. For instance, users being logged in to the same domain typically implies that those users will for the most part have access to the same resources and follow the same policies.

In Active Directory diagrams, domains are represented by triangles.

CSIT 320, slide 5

An AD domain must have at least one AD domain controller.

The domain controller manages the authentication of users granting them access to the domain and the resources it contains.

Best practice suggests that there are at least two domain controllers in a domain, so that access to the domain can still be granted if one controller is down.

CSIT 320, slide 6

A tree is a set of domains that obey a DNS-type hierarchical naming structure. They belong to the same “namespace”. A namespace provides a context in which a name has a well defined meaning.

CSIT 320, slide 7

Diagram: a tree whose root domain is lasalle.edu, with child domains student.lasalle.edu and luna.lasalle.edu.

As the name suggests, a forest is a collection of trees. Each tree has its own namespace; the different trees in the forest have different namespaces. However, you may want them to be connected in some way: have some kind of trust relationship, some sharing of resources, or just be administered as a unit.

CSIT 320, slide 8

Diagram: a forest containing two trees, lasalle.edu (with child domain student.lasalle.edu) and lasalle.museum.

The trees in a forest still share a common root. The first tree in the forest serves as the root. It will have (at least initially) the global catalog: the collection of definitions, how the forests are organized, what the trust relationships are, names for all of the objects, etc.

CSIT 320, slide 9

If two domains have a trust relationship, it means that users from one domain can access resources from another domain. That way an administrator does not have to give users accounts in both domains. The domain with the resource is said to be “trusting” and the domain with the user is said to be “trusted”. Trust can be, but doesn’t have to be, a two-way street.
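The trusting/trusted vocabulary on this slide is easy to get backwards, so here is a small model of it in Python. This is an added example for these notes, not code from the slides: a trust is stored as the pair (trusting, trusted), a two-way trust is just a one-way trust in each direction, and a user reaches a resource only in their own domain or in a domain that trusts theirs. The domain names are the slides' own; the trusts themselves and the method names are constructed. Only explicitly entered, direct trusts are modelled; the trusts AD creates automatically between the domains of one forest are left out as a simplification.

```python
# Added example for the CSIT 320 notes, not code from the slides.
# A trust is stored as the pair (trusting, trusted): the trusting domain holds the
# resource and accepts users from the trusted domain. Only direct, explicitly added
# trusts are modelled (assumption); the domain names are the slides' own, the trusts
# in demo_table() are constructed.

class TrustTable:
    def __init__(self):
        self._trusts = set()  # pairs (trusting, trusted)

    @staticmethod
    def _norm(name):
        return name.lower().strip(".")

    def add_one_way(self, trusting, trusted):
        """`trusting` lets users of `trusted` reach its resources; nothing flows back."""
        self._trusts.add((self._norm(trusting), self._norm(trusted)))

    def add_two_way(self, a, b):
        """A two-way trust is simply a one-way trust in each direction."""
        self.add_one_way(a, b)
        self.add_one_way(b, a)

    def trusts(self, trusting, trusted):
        """Does `trusting` accept users from `trusted`?"""
        return (self._norm(trusting), self._norm(trusted)) in self._trusts

    def can_access(self, user_domain, resource_domain):
        """A user reaches resources in their own domain, or in any domain that trusts theirs."""
        u, r = self._norm(user_domain), self._norm(resource_domain)
        return u == r or (r, u) in self._trusts

    def direction(self, a, b):
        """Describe the relationship between two domains."""
        a_trusts_b, b_trusts_a = self.trusts(a, b), self.trusts(b, a)
        if a_trusts_b and b_trusts_a:
            return "two-way"
        if a_trusts_b:
            return "one-way: %s trusts %s" % (a, b)
        if b_trusts_a:
            return "one-way: %s trusts %s" % (b, a)
        return "none"

    def reachable_resources(self, user_domain):
        """Every domain whose resources a user of `user_domain` reaches without a second account."""
        u = self._norm(user_domain)
        return {u} | {trusting for trusting, trusted in self._trusts if trusted == u}

def demo_table():
    """Constructed example: lasalle.edu trusts lasalle.museum (museum users may use
    lasalle.edu resources, not the other way round); lasalle.edu and
    student.lasalle.edu trust each other."""
    t = TrustTable()
    t.add_one_way("lasalle.edu", "lasalle.museum")
    t.add_two_way("lasalle.edu", "student.lasalle.edu")
    return t

if __name__ == "__main__":
    t = demo_table()
    print(t.direction("lasalle.edu", "lasalle.museum"))
    print(sorted(t.reachable_resources("lasalle.museum")))
```

The asymmetry is the point: after `add_one_way("lasalle.edu", "lasalle.museum")`, a lasalle.museum user can reach lasalle.edu resources, but a lasalle.edu user still has no path into lasalle.museum until a trust is added in that direction.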

CSIT 320, slide 10

Before, we were moving up in the hierarchy from the original concept of a domain; an organizational unit, on the other hand, is lower in the hierarchy (farther from the root). It is a container within a domain: resources like printers and file shares organized into smaller containers.

Example: within the student.lasalle.edu domain, science students may have access to different shares and different printers from business students, etc.
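The DNS-style naming of trees and forests (slides 6 to 8) and the OU nesting on this slide map directly onto LDAP distinguished names, which is how these objects are actually addressed. The Python below is an added example for these notes, not material from the slides: it builds domain and OU DNs, decides whether two domains share a namespace (same tree) or only a forest, and groups a forest's domains into its trees. The domain names are the slides' own; the OU names (Students, Science) and the helper names are constructed for the example.

```python
# Added example for the CSIT 320 notes, not code from the slides.
# Assumptions: AD names a domain partition with one DC= component per DNS label,
# OUs nest as OU= components with the most specific one first (RFC 4514 order),
# and two domains are in the same tree exactly when one DNS name is a suffix of the other.

def _labels(dns_name: str) -> list:
    """Split a DNS name into its labels, lower-cased, ignoring a trailing dot."""
    labels = [l for l in dns_name.lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return labels

def escape_rdn(value: str) -> str:
    """Backslash-escape the characters RFC 4514 treats specially inside an RDN value."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def domain_dn(dns_name: str) -> str:
    """student.lasalle.edu -> DC=student,DC=lasalle,DC=edu"""
    return ",".join("DC=" + escape_rdn(l) for l in _labels(dns_name))

def ou_dn(dns_name: str, *ou_path: str) -> str:
    """DN of an OU nested under a domain; ou_path is given top-down,
    e.g. ("Students", "Science") for the Science OU inside the Students OU."""
    rdns = ["OU=" + escape_rdn(ou) for ou in reversed(ou_path)]
    return ",".join(rdns + [domain_dn(dns_name)])

def same_tree(a: str, b: str) -> bool:
    """Same namespace (same tree) when the shorter name is a label-suffix of the longer."""
    la, lb = _labels(a), _labels(b)
    shorter, longer = (la, lb) if len(la) <= len(lb) else (lb, la)
    return longer[len(longer) - len(shorter):] == shorter

def forest_trees(domains) -> dict:
    """Group a forest's domains into trees, keyed by each tree's root domain.
    Shortest names are processed first, so a parent is registered before its children."""
    ordered = sorted({".".join(_labels(d)) for d in domains},
                     key=lambda d: (d.count("."), d))
    trees = {}
    for d in ordered:
        root = next((r for r in trees if same_tree(r, d)), None)
        if root is None:
            trees[d] = [d]          # a new namespace: this domain roots a new tree
        else:
            trees[root].append(d)   # a child somewhere under an existing root
    return trees

if __name__ == "__main__":
    forest = ["lasalle.edu", "student.lasalle.edu", "luna.lasalle.edu", "lasalle.museum"]
    print(forest_trees(forest))
    print(ou_dn("student.lasalle.edu", "Students", "Science"))
```

Run on the slides' forest, `forest_trees` puts lasalle.edu, student.lasalle.edu and luna.lasalle.edu in one tree and lasalle.museum in a second, which is exactly the two-tree forest drawn on slide 8; the DN for the Science OU comes out as OU=Science,OU=Students,DC=student,DC=lasalle,DC=edu.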

CSIT 320, slide 11

In a large company a logical container such as a domain might cover multiple physical locations. This can cause a problem because a lot of information is passed between domain controllers.

So AD has the notion of a site to correspond to physical differences rather than logical differences. A site can have multiple domains; a domain may be spread over multiple sites.

CSIT 320, slide 12

- User
- Group
- Computer
- Printer
- Distribution Lists
- System Policies

CSIT 320, slide 13

Just like in a database, Active Directory has a schema: the definition of all AD objects. For example, it will define a User, what attributes a User must have, what attributes a User might have, relationships between Users and Groups, etc.

There is ONE schema for a forest, and it is extensible: while a default set of definitions gets one started with AD, one can extend or create new objects.

CSIT 320, slide 14

The global catalog is a distributed data repository containing a searchable, partial representation of every object in every domain in a forest. It answers AD search queries and must be present to successfully log on. It holds a copy of all objects of the whole forest, but holds only a subset of the attributes.

CSIT 320, slide 15

- Member Server: a server on a domain offering a non-Active Directory service.
- Domain Controller: as the name suggests, it manages access to the resources within a domain.
- Global Catalog: while a domain controller stores the objects for the domain it “controls”, a global catalog server stores the objects from all domains in the forest. A global catalog server is a domain controller, but a domain controller may not be a global catalog server.
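The distinction on slides 14 and 15 between a domain controller (every attribute, one domain) and a global catalog (every object in the forest, only some attributes) is worth seeing concretely. The Python below is an added example for these notes, not code from the slides: each DomainController holds the complete objects of its domain, and the GlobalCatalog is projected from all of them keeping only a chosen "partial attribute set". The two domains are the slides' own; the accounts, attribute values and the particular attribute set replicated to the catalog are constructed for the example (in a real forest the schema marks which attributes are replicated to the GC).

```python
# Added example for the CSIT 320 notes, not code from the slides.
# A DC holds the full objects of its own domain; the global catalog holds every object
# of every domain but only the attributes in the partial attribute set. The objects,
# values and the attribute set below are constructed for illustration.

# Attributes replicated to the global catalog in this constructed forest (assumption).
PARTIAL_ATTRIBUTE_SET = frozenset({"objectClass", "sAMAccountName", "mail", "domain"})

class DomainController:
    """Holds the complete objects of one domain, keyed by account name."""
    def __init__(self, domain):
        self.domain = domain
        self.objects = {}

    def add(self, name, **attributes):
        self.objects[name] = dict(attributes, sAMAccountName=name, domain=self.domain)

    def search(self, name):
        """Authoritative lookup: every attribute, but only for this domain."""
        return self.objects.get(name)

class GlobalCatalog:
    """Built from every DC in the forest; keeps only the partial attribute set."""
    def __init__(self, dcs, pas=PARTIAL_ATTRIBUTE_SET):
        self.objects = {}
        for dc in dcs:
            for name, obj in dc.objects.items():
                self.objects[(dc.domain, name)] = {k: v for k, v in obj.items() if k in pas}

    def search(self, name):
        """Forest-wide lookup by account name; the same name may exist in several domains."""
        return [obj for (_, n), obj in self.objects.items() if n == name]

def missing_from_gc(dc, gc, name):
    """Attributes a client must fetch from the home DC because the GC does not carry them."""
    full = dc.search(name) or {}
    partial = gc.objects.get((dc.domain, name), {})
    return set(full) - set(partial)

def build_forest():
    """Constructed forest: two domains, each with its own DC, plus one GC over both."""
    edu = DomainController("lasalle.edu")
    edu.add("jdoe", objectClass="user", mail="jdoe@lasalle.edu",
            telephoneNumber="555-0100", department="Science")
    museum = DomainController("lasalle.museum")
    museum.add("jdoe", objectClass="user", mail="jdoe@lasalle.museum",
               department="Exhibits")
    return edu, museum, GlobalCatalog([edu, museum])

if __name__ == "__main__":
    edu, museum, gc = build_forest()
    print(gc.search("jdoe"))                    # two hits, one per domain, PAS only
    print(missing_from_gc(edu, gc, "jdoe"))     # attributes only the lasalle.edu DC has
```

A forest-wide search for jdoe against the catalog returns both accounts with just the catalog attributes; the telephone number and department live only on the home DC, which is why a client that needs them must go back to the domain controller of that domain.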

CSIT 320, slide 16

- Updates can be applied to ANY domain controller.
- They will be replicated to each other domain controller (inside that domain) within 15 minutes.
- An optimized algorithm reduces replication traffic.
- Replication is not time based (triggered on demand only)!

CSIT 320, slide 17

- Improved authentication.
- Permissions applied via ACLs, both to objects as a whole and to specific attributes.
- Fine-tuning of access permissions is possible.
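To show what "permissions on objects as a whole and on specific attributes" means in practice, here is a simplified model of an object's DACL in Python. This is an added example for these notes, not code from the slides and not the Windows security reference monitor: each ACE allows or denies one right either on the whole object or on one named attribute, ACEs are evaluated in list order with the first applicable entry deciding, and `canonicalize` puts explicit denies ahead of explicit allows, which is the order Windows uses for explicit ACEs. The principal names, rights and the DACL in `example_dacl` are constructed; the attribute names telephoneNumber and department are real AD attribute names used only as illustration.

```python
# Added example for the CSIT 320 notes, not code from the slides.
# Simplified DACL model: an ACE allows or denies one right on the whole object
# (attribute=None) or on one attribute. Evaluation walks the list and the first
# ACE that applies decides, so explicit denies are ordered before allows
# (the canonical order for explicit ACEs). Names and the sample DACL are constructed.

from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Ace:
    principal: str                   # user or group the entry applies to
    right: str                       # e.g. "read" or "write"
    allow: bool                      # True for an allow ACE, False for a deny ACE
    attribute: Optional[str] = None  # None = the object as a whole, else one attribute

def canonicalize(dacl: List[Ace]) -> List[Ace]:
    """Order explicit denies before explicit allows; the sort is stable, so the
    relative order within each group is preserved."""
    return sorted(dacl, key=lambda ace: 0 if not ace.allow else 1)

def check_access(dacl: List[Ace], principals: Set[str], right: str,
                 attribute: Optional[str] = None) -> bool:
    """First ACE that names one of the caller's principals and the requested right decides.
    An object-wide ACE covers every attribute; an attribute ACE covers only that attribute.
    With no matching ACE at all, access is denied."""
    for ace in dacl:
        if ace.principal not in principals or ace.right != right:
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue
        return ace.allow
    return False

def example_dacl() -> List[Ace]:
    """Constructed DACL on a user object: the help desk may edit the object except
    its department attribute; every authenticated user may read it."""
    return canonicalize([
        Ace("HelpDesk", "write", True),                         # whole object
        Ace("HelpDesk", "write", False, attribute="department"),  # one attribute carved out
        Ace("Authenticated Users", "read", True),               # whole object
    ])

if __name__ == "__main__":
    dacl = example_dacl()
    helpdesk = {"HelpDesk", "Authenticated Users"}
    print(check_access(dacl, helpdesk, "write", "telephoneNumber"))  # True
    print(check_access(dacl, helpdesk, "write", "department"))       # False
```

The ordering step is not decoration: if the object-wide allow were evaluated before the attribute-level deny, the help desk's write to department would be granted and the attribute-level fine-tuning would be silently lost, which is why a DACL whose ACEs are out of canonical order is a finding worth checking for.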

CSIT 320, slide 18

Windows Server 2008 R2 Unleashed, Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry and Chris Amaris, SAMS.

Active Directory for Dummies, Steve Clines and Marcia Loughry, Wiley.

http://www.tech-faq.com/active-directory-terminology-and-concepts.html

CSIT 320, slide 19