
Active Directory Fundamentals

Asmatullah Khan, CL/CP, GIOE, Secunderabad.

What Will We Cover?

Active Directory concepts
Domains, trees, forests
Domain controllers, sites
Domain Name System (DNS)
Replication
Operations masters

What Is a Directory Service?

A service that helps track and locate objects on a network.

[Diagram: Active Directory management at the centre, managing workstations, services, files and users.]

What's a directory service?

A directory service is a container that provides a hierarchical structure and allows you to
store objects for quick and easy access and manipulation. A directory service is like an
electronic phone directory that lets you search for a name and retrieve the phone
number, address, or other information without knowing where that person lives.

Before directory services, if you needed a file, you needed to know the name of the file,
the name of the server on which it is stored and its folder path. This works well on a
small network, but as the network grows it becomes challenging.

A directory service is the means by which users and administrators can locate resources
regardless of where those resources are located.

Also, earlier, a typical user could have more than one user account or password, and as
the network grows the number of usernames and passwords also increases: one
for the file server, one for the email server, etc.

Active Directory Domains

[Diagram: the domain CONTOSO.COM. A domain is the boundary of policies, the boundary of authentication and the boundary of replication.]

Active Directory
Active Directory is Microsoft's answer to directory services and it does a
lot more than just locating resources.
Active Directory takes care of the multiple-account problem described above by using
Kerberos authentication and Single Sign-On (SSO). SSO means the ability of Kerberos to
provide a user with one set of credentials and grant them access across a range of
resources and services with that same set of credentials. Kerberos
authenticates the credentials and issues the user a ticket with which the
user gains access to the resources and services that support Kerberos.
Active Directory also makes user management easier as it acts as a
single repository for all of this user and computer related information.

History of Directory Service

The predecessor of today's directory services is the X.500 specification, which
emerged from the International Telecommunication Union (ITU), formerly the CCITT
(Comité Consultatif International Téléphonique et Télégraphique).
X.500 sits at the Application layer in the OSI model. X.500 contains several
component databases that work together as a single entity.
The primary database is the Directory Information Base (DIB), which stores information
about the objects. Its major limitation was its lack of integration with the Internet
Protocol (IP).
The protocol it used was the Directory Access Protocol (DAP). DAP offered more
functionality than is required for implementing directory services, so a scaled-down
version called the Lightweight Directory Access Protocol (LDAP) was made. Later it was
adopted as a standard by the Internet Engineering Task Force (IETF).

Advantage of LDAP
LDAP relies on the TCP/IP stack rather than the OSI stack.
It integrates with IP and enables IP clients to use LDAP to query directory services.
LDAP can perform hyper-searches, giving one directory the ability to defer to another to
provide the requested data.
LDAP's API is C-based.
Like X.500, LDAP uses an inverted-tree hierarchical structure.
LDAP supports Kerberos authentication, Simple Authentication and Security Layer (SASL),
and Secure Sockets Layer (SSL).
Simple Authentication and Security Layer (SASL) is a framework for authentication and data
security in Internet protocols.

Back to Active Directory

AD is Microsoft's answer to directory services and it
does a lot more than just locating resources.
AD uses LDAP as its access protocol.
AD relies on DNS as its locator service, enabling
clients to locate domain controllers through DNS
queries.
Let's understand Active Directory in more detail.

Naming Conventions
AD contains information about objects in your enterprise.
These objects can be computers, users, printers, etc.
AD is a container with nested containers holding other
containers or objects.
We name these containers and objects so that it's easy
to query or search.
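As an added example (not part of the slides), the Python below shows how the naming just described works in practice: the DNS name of a domain and the nested OU containers (the organizational units covered later in the deck) map to LDAP distinguished names, which is the form you query or search on. The domain contoso.com and the OU names are assumed for illustration; the escaping rules follow RFC 4514, and multi-valued RDNs (attribute pairs joined with +) are not handled.

```python
"""Map AD domain names and nested OUs to LDAP distinguished names (DNs).

Added example, not from the slides. The domain and OU names are
assumed for illustration; escaping follows RFC 4514. Multi-valued
RDNs (attribute pairs joined with '+') are not handled.
"""
from __future__ import annotations

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(dns_name: str) -> str:
    """contoso.com -> DC=contoso,DC=com, the DN of the domain's root object."""
    labels = [lbl for lbl in dns_name.strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={escape_rdn_value(lbl)}" for lbl in labels)


def container_dn(dns_name: str, ou_path: list[str], cn: str | None = None) -> str:
    """DN of an OU (or of an object named cn inside it) under a nested OU path.

    ou_path lists OUs from the domain root downward, e.g. ['Sales', 'London'];
    a DN is written most-specific first, so the path is reversed.
    """
    rdns = [] if cn is None else [f"CN={escape_rdn_value(cn)}"]
    rdns.extend(f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path))
    rdns.append(domain_dn(dns_name))
    return ",".join(rdns)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    parts: list[tuple[str, str]] = []
    attr, buf, in_value = "", [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif in_value and ch == ",":         # an unescaped comma ends the RDN
            parts.append((attr, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        parts.append((attr, "".join(buf)))
    return parts


def ou_path_of(dn: str) -> list[str]:
    """Return the OU path of a DN root-first, e.g. ['Sales', 'London']."""
    return [val for attr, val in reversed(split_dn(dn)) if attr.upper() == "OU"]


if __name__ == "__main__":
    dn = container_dn("contoso.com", ["Sales", "London"], cn="Desktops")
    print(dn)              # CN=Desktops,OU=London,OU=Sales,DC=contoso,DC=com
    print(ou_path_of(dn))  # ['Sales', 'London']
    print(container_dn("contoso.com", ["Sales, EMEA"]))  # the comma in the OU name is escaped
```

The escaping matters for more than correctness: an OU or CN containing a comma that is not escaped changes where the object appears to sit in the tree, so any tooling that builds DNs from user-supplied names should go through a function like escape_rdn_value rather than string concatenation.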

Requirement of DNS
The DNS server must support:
Service (SRV) resource records
The dynamic update protocol specified by RFC 2136
AD relies on DNS as its primary locator service, although it's not the only mechanism for locating domain controllers (DCs).
A domain controller is a server that has Active Directory installed.
When a domain controller starts:
It registers both its DNS name and its NetBIOS name. More on NetBIOS names later.
It adds LDAP-specific SRV records in DNS to enable LDAP clients to locate DCs through LDAP queries.
It also adds Kerberos authentication protocol-specific SRV records to enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service.
Each DC also adds an A record that enables clients that don't support SRV records to locate the DC through a simple host record lookup. You can disable this if required.

Active Directory Database

The ESE (Extensible Storage Engine) comprises the tables that define the structure of the
directory. The database layer has three partitions that define the contents of AD, with an
optional fourth table or partition.

Active Directory Partitions

Schema Partition
This stores the Active Directory schema.
The Active Directory schema defines which types of objects can be created in the directory,
how those objects relate to one another, what the mandatory and optional attributes of each object are,
and how one can create such objects.

Configuration Partition
This contains the configuration of AD.

Domain Partition
This partition stores the objects.

Application Partition
This is an optional fourth partition that an administrator can create.

Active Directory Schema

The Active Directory schema defines which types of objects
can be created in the directory,
how those objects relate to one another, what the
mandatory and optional attributes of each object are,
and how one can create such objects.
The schema must be updated whenever you need to create a new
type of object or add anything that requires a new attribute.

Domain, Tree and Forest

AD Domain
Objects created in AD are grouped into domains.
The objects for a single domain are stored in a single database (which can
be replicated).

AD Domain Tree
A tree is a collection of one or more domains.

AD Forest
A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration.

Active Directory Trees

[Diagram: a domain tree CONTOSO.COM, with child domain US.CONTOSO.COM and grandchild domain OHIO.US.CONTOSO.COM. All domains in the tree share the schema, the configuration and the global catalog.]

Transitive Trusts

[Diagram: CONTOSO.COM with child domains UK.CONTOSO.COM and US.CONTOSO.COM, linked by transitive trusts.]

Active Directory Forests

[Diagram: a forest containing two trees, FABRIKAM.COM (with UK.FABRIKAM.COM) and CONTOSO.COM (with US.CONTOSO.COM). The trees share the schema, the configuration and the global catalog.]

Demo: Reviewing Domains and Trusts

Organizational Units

[Diagram: the domain CONTOSO.COM divided into organizational units (OU Admin, OU Security, OU Policy). OUs are organized for administration (same requirements, delegation), group policy (configuration) and security.]

Organizational Unit Applications

[Diagram: OUs can reflect departments (Sales, Marketing), locations (London, New York) or hardware devices (Desktops, Printers).]

Demo: Using Organizational Units

Review Organizational Units
Create New Organizational Units

Domain Controllers

[Diagram: Windows NT 4.0 uses one PDC with BDCs; Windows Server 2003 uses multiple DCs with no PDC/BDC distinction.]

Active Directory Sites

[Diagram: Site A and Site B connected by a WAN link.]

Sites are used to:
Locate services
Optimize replication
Define policies

Sites and Domains

[Diagram: Site A and Site B overlaid with the domains US.CONTOSO.COM and CONTOSO.COM; a domain can span sites and a site can hold domain controllers from more than one domain.]

Global Catalog
Spans all domains
Contains object attributes
Used for searches
Exists on domain controllers


Demo: Using Sites and Global Catalogs

Create a Site
Review Global Catalog Settings
Choose Global Catalog Attributes

Agenda
Logical Concepts of Active Directory
Physical Concepts of Active Directory
DNS in 10 Minutes
Overview of Active Directory Replication
The role played by Operations Masters


DNS
The Domain Name System (DNS) locates network services
and resources.

[Diagram: DNS request process. The client sends the requested service and its site information to the DNS server; the server returns SRV records and the IP addresses of matching domain controllers, which the client caches.]
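As an added example (not from the slides), the Python below models the DC locator process described in the "Requirement of DNS" slide and pictured in the DNS request process above: it builds the SRV names a domain controller registers under _msdcs for LDAP and the Kerberos KDC (domain-wide and site-specific), parses SRV records from zone-file text, picks a DC by priority and weight, and reports which required registrations are missing from a zone. The domain contoso.com, the site London and the zone data are constructed for the example; DC selection is made deterministic instead of the weighted-random choice RFC 2782 describes.

```python
"""DC locator records: what a DC registers in DNS and how a client picks a DC.

Added example, not from the slides. The SRV names follow the _msdcs layout
that Windows domain controllers register; the domain contoso.com, the site
London and the zone text below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.dc._msdcs.contoso.com
    priority: int  # lower is preferred (RFC 2782)
    weight: int    # relative share among records of equal priority
    port: int
    target: str    # host name of the DC


def dc_srv_names(domain: str, site: str | None = None) -> dict[str, str]:
    """SRV names a client queries to find LDAP and Kerberos KDC service on DCs.

    With a site, the site-specific names are returned; a client tries those
    first so it talks to a DC in its own site, then falls back to domain-wide.
    """
    d = domain.lower().strip(".")
    prefix = f"{site.lower()}._sites.dc._msdcs" if site else "dc._msdcs"
    return {
        "ldap": f"_ldap._tcp.{prefix}.{d}",
        "kerberos": f"_kerberos._tcp.{prefix}.{d}",
    }


def parse_zone_srv(zone_text: str) -> list[SrvRecord]:
    """Parse SRV lines in zone-file form: name [ttl] IN SRV prio weight port target."""
    records: list[SrvRecord] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        prio, weight, port = (int(x) for x in fields[i + 1:i + 4])
        records.append(SrvRecord(fields[0].rstrip(".").lower(), prio, weight, port,
                                 fields[i + 4].rstrip(".").lower()))
    return records


def select_dc(records: list[SrvRecord], name: str) -> tuple[str, int] | None:
    """Pick (target, port) for a name: lowest priority, then highest weight.

    RFC 2782 chooses randomly among equal priorities in proportion to weight;
    'highest weight first' is a deterministic simplification used here.
    """
    cands = [r for r in records if r.name == name.lower()]
    if not cands:
        return None
    best = min(cands, key=lambda r: (r.priority, -r.weight, r.target))
    return best.target, best.port


def missing_registrations(records: list[SrvRecord], domain: str,
                          site: str | None = None) -> list[str]:
    """Defender's check: required locator names that have no SRV record in the zone."""
    present = {r.name for r in records}
    return sorted(n for n in dc_srv_names(domain, site).values() if n not in present)


# Constructed sample zone data (not captured from a real domain).
ZONE = """\
; contoso.com locator records, constructed for this example
_ldap._tcp.dc._msdcs.contoso.com.               600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.               600 IN SRV 0 50  389 dc2.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com.           600 IN SRV 0 100 88  dc1.contoso.com.
_ldap._tcp.london._sites.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc2.contoso.com.
"""

if __name__ == "__main__":
    recs = parse_zone_srv(ZONE)
    print(select_dc(recs, dc_srv_names("contoso.com")["ldap"]))            # ('dc1.contoso.com', 389)
    print(select_dc(recs, dc_srv_names("contoso.com", "London")["ldap"]))  # ('dc2.contoso.com', 389)
    print(missing_registrations(recs, "contoso.com", "London"))            # the London KDC record is absent
```

The missing_registrations check is the one worth keeping around: a DC whose site-specific KDC record never made it into DNS still answers domain-wide queries, so clients silently authenticate against DCs in other sites over the WAN link, which is the kind of drift that only shows up in replication or logon latency complaints.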

DNS Systems and Requirements

[Table: feature support by DNS system. Columns: BIND 8.1.2, Windows NT, Windows 2003, Windows Server 2008. Rows: Dynamic Update*, AD Integration, Secure Update, SRV Records*.]

* Required for Active Directory

DNS Migration
Upgrade to BIND 9.x
Upgrade to Microsoft DNS
Delegate to Microsoft DNS


Demo: Working with DNS

Review DNS Zones
Review Host Records and Dynamic Update

Replication Scope
Across Domain:
Domain NC

Across Forest:
Schema NC
Configuration NC

More Replication Scope

Intersite
(Compressed)

Intrasite
(Token Ring)

Demo: Working with Replication

Enable Replication
Review Replication