Module 1: Introduction

to Active Directory in

Windows 2000

Overview

„

Introduction to Active Directory

„

Active Directory Logical Structure

„

Active Directory Physical Structure

„

Methods for Administering a Windows 2000 Network

Multimedia: Concepts of Active Directory in

Windows 2000

‹

Introduction to Active Directory

„

What Is Active Directory?

„

Active Directory Objects

„

Active Directory Schema

„

Lightweight Directory Access Protocol (LDAP)

What Is Active Directory?

Directory Service

Functionality

Directory Service

Directory Service

Functionality

Functionality

„

Organize

„

Manage

„

Control

„

Organize

„

Manage

„

Control

Resources

Resources

Centralized Management

Centralized Management

Centralized Management

„

Single point of administration

„

Full user access to directory
resources by a single logon

„

Single point of administration

„

Full user access to directory
resources by a single logon

Active Directory Objects

„

Objects Represent Network Resources

„

Attributes Store Information About an Object

Attributes

Attributes

Attributes

First Name
Last Name
Logon Name

First Name
Last Name

Logon Name

Attributes

Attributes

Attributes

Printer Name
Printer Location

Printer Name

Printer Location

Active Directory

Active Directory

Active Directory

Printers

Printer1

Printer2

Suzan Fine

Users

Don Hall

Attribute

Value

Attribute

Attribute

Value

Value

Objects

Objects

Objects

Printers

Printers

Users

Users

Printer3

Active Directory Schema

Objects

Class Examples

Objects

Objects

Class Examples

Class Examples

Printers

Printers

Computers

Computers

Users

Users

Attributes of Users

Might Contain:

Attributes of Users

Attributes of Users

Might Contain:

Might Contain:

accountExpires
department
distinguishedName
middleName

accountExpires
department
distinguishedName
middleName

List of Attributes

List of Attributes

List of Attributes

accountExpires
department
distinguishedName
directReports
dNSHostName
operatingSystem
repsFrom
repsTo
middleName
…

accountExpires
department
distinguishedName
directReports
dNSHostName
operatingSystem
repsFrom
repsTo
middleName
…

Attribute

Examples

Attribute

Attribute

Examples

Examples

Active Directory Schema Is:

„

Dynamically Available

„

Dynamically Updateable

„

Protected by DACLs

Lightweight Directory Access Protocol (LDAP)

„

LDAP Provides a Way to Communicate with Active

Directory by Specifying Unique Naming Paths for

Each Object in the Directory

„

LDAP Naming Paths Include:

z

Distinguished names

z

Relative distinguished names

CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft

Suzan Fine

‹

Active Directory Logical Structure

„

Domains

„

Organizational Units

„

Trees and Forests

„

Global Catalog

Domains

„

A Domain Is a Security Boundary

z

A domain administrator can administer only within the

domain, unless explicitly granted administration rights

in other domains

„

A Domain Is a Unit of Replication

z

Domain controllers in a domain participate in replication

and contain a complete copy of the directory

information for their domain

Windows 2000

Domain

Windows 2000

Domain

User

1

User

2

User

1

User

2

Replication

Replication

Replication

Organizational Units

Organizational Structure

Organizational Structure

Organizational Structure

Sales

Vancouver

Repair

Users

Sales

Computers

Network Administrative Model

Network Administrative Model

Network Administrative Model

„

Use OUs to Group Objects into a Logical Hierarchy That

Best Suits the Needs of Your Organization

„

Delegate Administrative Control over the Objects Within

an OU by Assigning Specific Permissions to Users and

Groups

Trees and Forests

contoso.msft

contoso.msft

(root)

au.

contoso.msft

au.

contoso.msft

asia.

contoso.msft

asia.

contoso.msft

Tree

Two-Way Transitive Trusts

Two

Two

-

-

Way Transitive Trusts

Way Transitive Trusts

au.

nwtraders.msft

au.

nwtraders.msft

asia.

nwtraders.msft

asia.

nwtraders.msft

nwtraders.msft

nwtraders.msft

Forest

Tree

Two-Way Transitive Trust

Two

Two

-

-

Way Transitive Trust

Way Transitive Trust

Global Catalog

Global Catalog Server

Global Catalog

Global Catalog

Global Catalog

Subset of the

Attributes of All

Objects

Subset of the

Attributes of All

Objects

Domain

Domain

Domain

Domain

Domain

Domain

Queries

Queries

Queries

Group membership

when user logs on

Group membership

Group membership

when user logs on

when user logs on

‹

Active Directory Physical Structure

„

Domain Controllers

„

Sites

Domain Controllers

Domain
Controller

Domain

Controller

Domain

Domain

Replication

Replication

Replication

User

1

User

2

User

1

User

2

= A Writeable Copy of the Active Directory Database

= A Writeable Copy of the Active Directory Database

Domain Controllers:

z

Participate in Active Directory replication

z

Perform single master operations roles in a domain

Sites

Sites:

z

Optimize replication traffic

z

Enable users to log on to a domain controller by using

a reliable, high-speed connection

Site

IP subnet

IP subnet

IP subnet

IP subnet

Los Angeles

Seattle

Chicago

New York

‹

Methods for Administering a Windows 2000

Network

„

Using Active Directory for Centralized Management

„

Managing the User Environment

„

Delegating Administrative Control

Using Active Directory for Centralized Management

OU1

Domain

Computers

Users

OU2

Users

Printers

Computer1

User1

Printer1

User2

Domain

Domain

OU2

OU2

OU1

OU1

User1

User1

Computer1

Computer1

Printer1

Printer1

User2

User2

Search

Search

Search

Active Directory:

z

Enables a single administrator to centrally manage resources

z

Allows administrators to easily locate information

z

Allows administrators to group objects into OUs

z

Uses Group Policy to specify policy-based settings

Managing the User Environment

Use Group Policy to:

z

Control and lock down what users can do

z

Centrally manage software installation, repairs, updates,

and removal

z

Configure user data to follow users whether they are

online or offline

Windows 2000

Enforces Continually

Windows 2000

Enforces Continually

Apply Group

Policy Once

Apply Group

Policy Once

1

1

2

2

3

3

Domain

Domain

OU1

OU1

OU2

OU2

OU3

OU3

1

1

2

2

3

3

Delegating Administrative Control

Assign Permissions:

z

For specific OUs to other

administrators

z

To modify specific attributes of

an object in a single OU

z

To perform the same task in all OUs

Customize Administrative Tools to:

z

Map to delegated administrative tasks

z

Simplify interface design

Domain

Admin1

Admin2

Admin3

OU2

OU3

OU1

Review

„

Introduction to Active Directory

„

Active Directory Logical Structure

„

Active Directory Physical Structure

„

Methods for Administering a Windows 2000 Network