Active Directory and DNS - UMBC An Honors Universi

ActiveDirectoryLecture3ActiveDirectoryDefinitionsADisMicrosoft’sconsolidationofthemajorenterprise-widedirectoryserviceswithinasingle,replicabledatastoreandadministrativeinterfaceADisanetwork-basedobjectstoreandservicethatlocatesandmanagesresources,andmakestheseresourcesavailabletoauthorizedusersandgroups.The2componentsofADaretheDataStoreandtheADServicesthatactonthatdataADAdvantagesProvidescentralizedlogonandauthenticationpointforuserstoaccessresourcesAfocalpointforcentralizedadministrationandmanagementAsearchablestoreforinfoabouteverynetworkobjectanditsattributesStandard-basedstructuresandinterfacesallowforproductinteroperabilityandcompatibilitywith3rdpartyproductsScalable(virtuallynolimitonnumberofobjects)NewFeaturesRestartcapabilityRead-onlyDomainControllerAuditingimprovementsMultiplePassword/AccountLockoutPoliciesinaDomainADLightweightDirectoryServicesRoleDNSDNSisanInternetstandardservicethattranslateseasilyreadablehostnames,suchasmycomputer.microsoft.com,tonumericIPaddresses.DomainnamesforDNSarebasedonthehierarchicalnamingstructure(invertedtreestructure):asinglerootdomain,underneathwhichcanbeparentandchilddomains(branchesandleaves).EachcomputerinaDNSdomainisuniquelyidentifiedbyitsDNSfullyqualifieddomainname(FQDN),e.g.server1.ifsm.umbc.eduDynamicDNS–newerstandard,requiredforADADandDNSintegration•ActiveDirectoryandDNShavethesamehierarchicalstructure.•AllADnamesfollowDNSconventions•DNSrecords(zones)canbestoredinActiveDirectory.•ActiveDirectoryclientsuseDNStolocatedomaincontrollers.ADOrganizationAnunderlyingprincipleoftheADisthateverythingisconsideredandobject–people,servers,workstations,printers,etc.EachobjectalsohascertainattributesObjectclassesaredefinitionsoftheobjecttypesthatcanbecreatedintheAD.ControllingObjectAccessEveryobjecthasanACLthatcontainsinformationaboutwhohasaccesstoitandwhattheycandowithit.ControllingaccesstotheobjectinADisnotthesameasaccesstotheobjectitself.ADpermissionsonlyspecifywhetherauser,grouporcomputercanviewormodifyanobject’spropertiesinAD.AccesscanbesetupforindividualobjectpropertiesSchemaAsetofobjectdefinitions(objectclasses)andtheirassociatedattributesProvidesinfoonwhatobjectsandattributesareavailabletotheDirectoryAllowsadministratorstomodifyandaddnewobjectclasses,objectsandattributesasneeded,makingtheschemaextensibleBecauseofthisflexibility,ADiscapableofbeingthesinglepointofadministrationforallpublishedresources(files,peripheraldevices,hostconnections,databases,Webaccess,users)ADOrganizationADobjectsareorganizedaroundahierarchicaldomainmodelthatallowsscalabilityandexpandabilityDomainmodelbuildingblocksare:-domains-domaintrees-forests-organizationunitsNameSpaceADisbasedontheconceptofanamespace,thatisanameisusedtoresolvethelocationofanobjectADdomainnamescorrespondtoDNSdomainnamesEachobjecthasdifferentwaystorefertoit,andeachnamepinpointsthelocationofobjectinADDomainLogicalpartitioncomprisedofusers,computersandnetworkresourcesthatshareacommonlogicalsecurityboundaryandutilizeacommonnamespace(e.g.ifsm.umbc.edu)Domainscanbearrangedintoahierarchicalparent-childstructureAlldomainsmaintaintheirownsecuritypoliciesandsecurityrelationshipswithotherdomainsRequiresatleast1DomainController(whereADdatabaseisstored)Ifmorethan1DC(recommended)–theyusemulti-masterreplicationTrustsLogicalconnectionsbetweendomainstoallowusersfromonedomaintoaccessresourcesinanotherdomainCanbeone-ortwo-wayCanbetransitive,intransitiveorexplicitTrustterminology:TrustingtrustsTrustedDomainTrustedDomain(Users)TrustingDomain(Resources)TransitiveTrustsAtransitivetrustisatrustbetweentwodomainsinthesamedomaintree/forestthatcanextendbeyondthesetwodomainstoothertrusteddomainswithinthesamedomaintree/forest.Atransitivetrustisalwaysa2-waytrust-bothof.thedomainstrusteachother.Bydefault,allWindowsServer2008trustswithinadomaintree/forestaretransitivetrusts.DomainADomainBDomainCDomainTreeConsistsofhierarchyofdomainssharingacommonschema,securitytrustrelationship,andaGlobalCatalogFormedthroughtheexpansionofchilddomains,andthere’sonerootdomain(thefirstcreateddomain)DefinedbyacommonandcontiguousnamespaceDomainTreeExampleMarketing.toysrus.comToysrus.comSales.toysrus.comny.marketing.toysrus.comDomainForestsDomaintreeswithdifferentnamespacesconnectedbytrustrelationshipsAlltreeswithintheforestshareaGlobalCatalog,configurationandschema.Simplyareferencepointbetweentreesanddoesn’thaveitsownname.DomainForestExampleMarketing.toysrus.comtoysrus.comSales.toysrus.comNy.marketing.toysrus.comHR.Babiesrus.comBabiesrus.comSales.babiesrus.comNy.sales.babiesrus.comOrganizationalUnitAdministrativesubstructureofdomains,arrangedhierarchically,canbenestedSpecialtypeofobjectcalledcontainer;includesusers,computersystems,printers,etc.AlogicalsubsetdefinedbysecurityoradministrativeparameterswherespecificsystemadminfunctionscanbeeasilysegmentanddelegatedOUExampleMarketing.toysrus.comToysrus.comny.marketing.toysrus.comTeams.sales.toysrus.comOnline.teams…Retail.teams…Sales.toysrus.comGlobalCatalogADusesaglobalcatalogi