Lecture 2

Active Directory (AD) is a database and directory service that allows users to access resources on a network. It has objects like users and computers with attributes. AD uses a hierarchical structure of domains and organizational units. Domain controllers manage AD and DNS is used to locate resources by name. Trusts allow authentication and access between domains in AD.


Active Directory and DNS

Lecture 2
Hassan Shuja
09/14/2004

Page 1
Active Directory (AD)
• Active Directory Definitions/Features
  – Active Directory has two parts
    – A database with information about users and resources
    – A service that manages the database and enables users of computers on the network to access the database
  – Active Directory Features/Advantages
    – Security – Logon process and controlling access to objects
    – Administration – Hierarchical structure
    – Search capabilities – Search AD for an object
    – Scalable – Allows multiple domains, fits a network of any size
    – Flexibility – Grows with your company, allows for additions

Page 2
Active Directory
• Structure
  – Objects and Classes
    – An object is the smallest component that you can have in AD
    – A class is a template of all the attributes an object has when it is created
  – Schema
    – The schema governs the structure of the directory
    – Allows administrators to modify and add new object classes, objects and attributes as needed, making the schema extensible
    – Active Directory Schema is the name of the MMC snap-in; the schema can only be changed by Schema Admins
  – Global Catalog
    – A master searchable index that contains information about every object in a forest
    – Created by default on the first DC in a domain
    – Contains a full copy of all objects in its own domain and a partial replica of all objects in all other domains in the forest
    – Serves as a central point for user authentication

Page 3
Active Directory
• AD Organization
  – The smallest component in AD is an object
  – Objects have attributes and are defined by classes
  – Each object has permissions in the form of an ACL, which records who has access to the object and what they can do with it
  – Controlling access to an object is different from having access to the object's resources
  – Organizational Units (Container objects)
    – Substructures of domains, arranged hierarchically
    – Used to organize related objects in AD; an OU can also contain other OUs
    – Help simplify administration

Page 4
Active Directory
• Object IDs
  – Globally Unique Identifier (GUID) – A 32-digit hexadecimal number assigned to an object at the time of creation and stored with the object. This ensures uniqueness and avoids duplication
  – Security ID (SID) – A unique security ID created by the security subsystem and assigned to users, groups, and computers; it is used to grant or deny an object access to other objects
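To make the SID concrete, here is an added example (not part of the lecture) that splits a SID string into its domain part and its Relative ID, the value allocated by the RID Master described on the next slide. The sample SIDs are constructed; the well-known RID names are documented Windows values.

```python
# Added example (not from the lecture): split a Windows SID string into its
# parts. Form: S-<revision>-<identifier authority>-<sub-authority>...-<RID>.
# Domain SIDs issued by a DC start their sub-authorities with 21; the last
# sub-authority of an object SID is the Relative ID (RID) from the RID Master.
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Documented well-known RIDs of domain accounts and groups.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Return revision, authority, sub-authorities and, for an object SID
    issued by a domain, the domain prefix, the RID and any well-known name."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {"revision": revision, "authority": authority,
            "sub_authorities": subs, "domain_sid": None,
            "rid": None, "well_known": None}
    # NT Authority (5), then 21 and three values identify the domain; a fifth
    # sub-authority is the RID of an object inside that domain.
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        info["domain_sid"] = "S-%d-%d-%s" % (
            revision, authority, "-".join(str(s) for s in subs[:4]))
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def same_domain(sid_a, sid_b):
    """True when both SIDs were issued by the same domain."""
    a, b = parse_sid(sid_a)["domain_sid"], parse_sid(sid_b)["domain_sid"]
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed sample: an object with RID 500, the built-in Administrator.
    print(parse_sid("S-1-5-21-1004336348-1177238915-682003330-500"))
```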

Page 5
Domain Controller (DC)
• DC Setup
  – All Domain Controllers are equal
  – A change on one DC is replicated to all other DCs
  – Five additional roles that a DC can hold
    – Relative ID Master
    – Schema Master
    – Infrastructure Master
    – Domain Naming Master
    – PDC Emulator

Page 6
Domains
• AD Organization
  – Tree
    – A grouping of one or more domains that must have a single root domain
    – Parent–child relationships between domains
    – Defined by a common and contiguous namespace
    – A hierarchy of domains sharing a common schema, security trust relationships, and a Global Catalog

Page 7
Domains
• AD Organization
  – Forest
    – A group of one or more Domain Trees linked together by a trust
    – Each tree has its own root domain
    – All Trees share a common schema and global catalog
    – The trees do not have contiguous DNS domain names

Page 8
Trusts
• NT Domains
– Each domain had its own accounts
– You needed an account in every domain whose resources you used, or an administrator had to set up a trust between the domains
– Trusts were set up explicitly as one-way or two-way trusts
– These trusts are intransitive

Page 9
Trusts
• Trusts
– A logical connection that allows users from one domain to access resources in another domain
– Can be one-way or two-way
– Trusting domain (holds the resources) and trusted domain (holds the users)

(Diagram: Trusted Domain (users) → Trusting Domain (resources))

Page 10
Trusts
• Intransitive Trusts
– Domain C trusts Domain B, and Domain B trusts Domain A
– (Users of B have access to resources in C, and users of A have access to resources in B)
– Domain C does not trust Domain A
– Intransitive trusts are possible in Windows NT

(Diagram: Domain A, Domain B, Domain C, with C trusting B and B trusting A)

Page 11
Trusts
• Transitive Trusts
– A trust between two domains in the same Tree/Forest that extends beyond those two domains to the other trusted domains in the same Tree/Forest
– Always a two-way trust
– By default, all Windows 2000 trusts within a Tree/Forest are transitive
– Domain A and Domain C trust each other (through Domain B)

(Diagram: Domain A – Domain B – Domain C, linked by two-way transitive trusts)

Page 12
Trusts
• Explicit Trusts
– A trust that is set up by an administrator
– Connects domains directly to shorten the path between them
– Can be either transitive or intransitive
– Used to manage trusts between Windows 2000 and NT domains
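As an added example (not from the lecture), the following Python model encodes the trust rules from the last few slides and answers which domains' resources the users of a given domain can reach. Domain names A, B and C are the slides' placeholders; the model assumes the simplification that a path of more than one hop only counts when every hop on it is transitive.

```python
# Added example (not from the lecture): a minimal model of Windows domain
# trusts that answers "which domains' resources can users of domain X reach?".
# A trust is directed: the trusting domain holds the resources, the trusted
# domain holds the users; a two-way trust is simply two one-way trusts.
# Simplifying assumption: a path of more than one hop only counts when every
# hop on it is transitive (an intransitive trust is never chained).
from collections import deque


class TrustModel:
    def __init__(self):
        # trusting domain -> list of (trusted domain, is_transitive)
        self.trusts = {}

    def add_trust(self, trusting, trusted, transitive=False, two_way=False):
        """Record that `trusting` trusts `trusted` (and the reverse if two_way)."""
        self.trusts.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            self.trusts.setdefault(trusted, []).append((trusting, transitive))

    def domains_trusting(self, domain):
        """Direct trusts in which `domain` is the trusted (user) side."""
        return [(trusting, transitive)
                for trusting, targets in self.trusts.items()
                for trusted, transitive in targets if trusted == domain]

    def resource_domains_for(self, user_domain):
        """Set of domains whose resources users of `user_domain` can reach."""
        reachable, queue, extendable = set(), deque([user_domain]), {user_domain}
        while queue:
            current = queue.popleft()
            for trusting, transitive in self.domains_trusting(current):
                if trusting == user_domain:
                    continue  # back at the start: nothing new
                if not transitive and current != user_domain:
                    continue  # intransitive link reached via another domain
                reachable.add(trusting)
                if transitive and trusting not in extendable:
                    extendable.add(trusting)  # transitive: keep walking
                    queue.append(trusting)
        return reachable


if __name__ == "__main__":
    nt = TrustModel()                      # NT style: C trusts B, B trusts A
    nt.add_trust("C", "B")
    nt.add_trust("B", "A")
    print("NT, users of A reach:", nt.resource_domains_for("A"))   # {'B'}
```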

Page 13
Domain Name System (DNS)
• DNS
  – DNS Structure
    – Based on a hierarchical naming structure (an inverted tree)
    – A single root domain, with second-level domains underneath it
    – Every computer in a DNS domain is uniquely identified by a Fully Qualified Domain Name (FQDN)
    – Dynamic DNS is supported in Windows 2000 (W2K)

(Diagram: root domain servers at the top; beneath them the external UMBC DNS server and the external Northrop Grumman DNS server for the UMBC and Northrop Grumman second-level domains, with a WWW host; a workstation resolving names through the internal UMBC DNS server)

Page 14
Domain Name System
• Zone Files and DNS Servers
  – Forward Lookup Zone
    – Contains host name to IP address resolution
  – Reverse Lookup Zone
    – Contains IP address to host name resolution
  – DNS Servers
    – Primary – Maintains the master copy of the zone files
    – Secondary – Keeps a back-up copy of the zone files
    – AD-integrated – DNS entries are kept in the AD data store instead of zone files
  – Scavenging
    – Finds and deletes records in a zone that have been stale for a configured amount of time

Page 15
Active Directory & Domain Name System
• AD & DNS
– Active Directory and DNS use the same hierarchical structure
– Typically use the same FQDN
– DNS records can be stored in Active Directory
– Clients use DNS to locate Domain Controllers on the network

Page 16
Domain Name System
• Name Space
– Active Directory is based on the concept of a namespace, that is, a name is used to resolve the location of an object
– Active Directory names correspond to DNS domain names
– Each name gives the location of the object in Active Directory

Page 17
Domain Name System
• Naming Conventions
– Relative Distinguished Name (RDN) – The unique name assigned to the object by the administrator when it is created
– Example – hshuja1
– Distinguished Name (DN) – Contains the RDN together with the object's location within Active Directory, such as the OU the user belongs to
– Example – [email protected]
– User Principal Name (UPN) – A simpler naming convention: combines the RDN with the domain name; no OU is referenced
– Example – [email protected]
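An added example (not from the lecture) that shows how the three names relate: it parses a DN, extracts the RDN and the container path, derives the DNS domain from the DC (domainComponent) parts, and builds the default UPN. The sample DN CN=hshuja1,OU=Students,OU=CSEE,DC=umbc,DC=edu and the assumption that the UPN suffix equals the domain's DNS name are constructed for illustration.

```python
# Added example (not from the lecture): relate an object's Distinguished Name
# (DN) to its RDN, its container (OU path) and the default UPN. Here "DC=" is
# the domainComponent attribute holding one DNS label, not a Domain Controller.
# Assumption: the UPN suffix is the domain's DNS name (alternative suffixes exist).

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:               # keep the escaped character literally
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":           # an unescaped comma ends an RDN component
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN component: {part!r}")
        pairs.append((attr.upper(), value))
    return pairs

def _escape(value):
    """Re-escape characters that would otherwise split a component."""
    return value.replace("\\", "\\\\").replace(",", "\\,")

def rdn(dn):
    """Leftmost component value, e.g. the account name chosen by the admin."""
    return parse_dn(dn)[0][1]

def container(dn):
    """Everything after the RDN: the OU path and domain the object lives in."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])

def dns_domain(dn):
    """Join the DC components back into the DNS domain name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")

def upn(dn):
    """Default UPN: RDN @ DNS domain, with no OU referenced."""
    return f"{rdn(dn)}@{dns_domain(dn)}"

SAMPLE_DN = "CN=hshuja1,OU=Students,OU=CSEE,DC=umbc,DC=edu"  # constructed
```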

Page 18
