EIU CIS 3700 - Active Directory


Slides: Active Directory; Learning Objective; Slide 3; Active Directory structure; Replication; Global catalog (GC); Global Catalog (GC); Namespace and DNS; Types of namespaces; Active directory and DNS; Slide 11; Tree; Forest; Site; Organizational Unit (OU); Summary Questions; Slide 17

Slide 1: Active Directory
(Week 8, Monday 2/26/2007)
© Abdou Illia, Spring 2007

Slide 2: Learning Objective
Use Active Directory concepts
• Namespace
• DNS
• Global Catalog
• Schema
• Class
• Tree
• Forest
• Organizational Units

Slide 3: Active Directory
AD = A central database on a Domain Controller for storing network resources and security policies + Tools for managing network resources (find, add, remove, etc.)
Used for:
• Resource lookup (searching for specific resources)
• User authentication (login)

Slide 4: Active Directory structure
• Individual resources are called objects
• Objects belong to classes
• Each class has its own attributes defined in the Schema
Object classes (examples): User account, Computer, Printer, Domain
Default classes: Domain, Shared folder, User Account, Computer, Group, Printer, Shared Drive, …
Schema = Database design. Elements used in the definition of each object contained in the Active Directory:
• Object name
• Object's Globally Unique Identifier (GUID)
• Required attributes
• Optional attributes
• Syntax
• Parent relationship
Examples:
• Username
• User's full name
• Password
• Account description
• Remote access OK

Slide 5: Replication
• In a Windows 2003 network, you can create multiple domain controllers (DCs)
• Each DC stores a copy of the Active Directory
• Each DC replicates changes in its copy of Active Directory to other DCs.
[Diagram: Replications]

Slide 6: Global catalog (GC)
During AD installation, W2003 Server creates a Global Catalog on the 1st DC.
The Global Catalog stores:
► Information about all objects in the initial DC
► Partial information about objects in other domains (attributes needed for search).
An index and partial replica of objects and attributes most often used in the AD database.

Slide 7: Global Catalog (GC)
Common attributes stored in the GC: users' first and last names, logon names, email address.
GC is primarily for:
• Enabling users to find AD information from anywhere in the forest
• Providing authentication services when a user from another domain logs on with a User Principal Name (e.g. [email protected])
• Responding to directory lookup from application programs like Microsoft Exchange.
When a Global Catalog server is not available, the user can only log on to the local computer.

Slide 8: Namespace and DNS
• Domain Name Service (DNS): Service that performs name resolutions, i.e. conversions between IP addresses and domain names
• Name resolutions take place in a logical area of the network called Namespace
• A Namespace includes (1) the Active Directory, which contains named objects and (2) one or more DNS servers

Slide 9: Types of namespaces
Contiguous namespace: A namespace in which every child object contains the name of its parent object
  abc.com
    div1.abc.com
      dept1.div1.abc.com
    div2.abc.com
      dept1.div2.abc.com
Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object
  university.edu
    ethicsresearch.com
      bio.ethicsresearch.com
    technology.com
      cell.technology.com

Slide 10: Active directory and DNS
AD cooperates with DNS during logon process
[Diagram: Workstation 10.1.10.25, DNS Server 10.1.0.1, Domain Controller 10.1.10.16]
1. Workstation sends a DNS request for getting a DC IP address: "I need Domain Controller IP address"
2. DNS server sends requested IP address: "IP address is 10.1.10.16"
3. Workstation sends a log on request to DC with the user's credentials: "Log on request for userID = john; pswd = ab10; protocol = LDAP"
4. DC sends back authentication response to workstation: "Authentication = Yes; userID = john; pswd = ab10; protocol = LDAP"

fname   lname   userID  OU     domain
Lizza   Frulla  Liz     Sales  contoso.com
John    Doe     John    Mktg   contoso.com
:       :       :       :      :
:       :       :       :      :

Slide 11: Active directory and DNS
AD cooperates with DNS in locating network resources and services
[Diagram: Workstation 10.1.10.25, DNS Server 10.1.0.1, Domain Controller 10.1.10.16]
1. Workstation sends a DNS request for getting a DC IP address: "I need Domain Controller IP address"
2. DNS server sends requested IP address: "IP address is 10.1.10.16"
3. Workstation sends the DC a request for locating a user account: "Lookup request for firstname = john; lastname = Doe; protocol = LDAP"
4. DC sends back user's unique Distinguished Name: "CN = John Doe, OU = Mktg, DC = contoso, DC = com"

fname   lname   userID  OU     domain
Lizza   Frulla  Liz     Sales  contoso.com
John    Doe     John    Mktg   contoso.com
:       :       :       :      :
:       :       :       :      :

Slide 12: Tree
A tree contains one or more domains and has the following characteristics:
1) Domains are represented in a contiguous namespace
2) Two-way trust relationships between domains (each domain can access other domain resources)
3) Member domains use the same Schema and Global Catalog
  tracksport.com
    east.tracksport.com
    west.tracksport.com
    south.tracksport.com
    north.tracksport.com

Slide 13: Forest
Usually, a forest consists of more than one tree and has the following characteristics:
1) The trees use a disjointed namespace
2) All trees use the same Schema and Global Catalog
  radiators.com
    atlanta.radiators.com
    florence.radiators.com
    chicago.radiators.com
  engine.com
    beijing.engine.com
    mexicocity.engine.com
    valencia.engine.com
  partplus.com
    detroit.partplus.com
    toronto.partplus.com
Trust relationship between root domains of each tree

Slide 14: Site
A TCP/IP concept used to reflect the physical design of the network. It has the following characteristics:
1) Represents one or more IP subnets at the same location
2) High speed connection in the same site
3) Low speed connection between sites
[Diagram: Microsoft.com, single domain with single site]
[Diagram: Microsoft.com, single domain with multiple sites (Site 1, Site 2, Site 3), low speed connections]

Slide 15: Organizational Unit (OU)
• Grouping of related objects, such as user accounts, computers and printers for easier management.
• OUs reflect functional structure of organization
• Objects are grouped in an OU to be administered using the same group policy.
[Diagram: Active Directory with Manufacturing Division OU; Active Directory with Distribution Division OU]
Similar to having subfolders in a folder

Slide 16: Summary Questions
1) In AD, a __________ stores information about all the objects in the initial DC and partial information about objects in other domains
a) Forest
b) Global Catalog
c) Namespace
d) Schema
e) Site
2) Which of the following is a 128-bit number (that cannot change) assigned to an
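
The naming rules from the Tree and Forest slides, as an added Python example that is not part of the original slides: it groups a forest's domain names into trees by contiguous namespace and builds a distinguished name in the form the lookup slide shows. It goes slightly beyond the slides by escaping DN special characters per RFC 4514; the function names are illustrative assumptions.

```python
# Added example (not from the slides). Domain names are the ones on the
# Forest slide; function names are illustrative.
FOREST = [
    "radiators.com", "atlanta.radiators.com", "florence.radiators.com",
    "chicago.radiators.com", "engine.com", "beijing.engine.com",
    "mexicocity.engine.com", "valencia.engine.com", "partplus.com",
    "detroit.partplus.com", "toronto.partplus.com",
]

def parent_of(domain):
    """DNS parent of a name: 'east.tracksport.com' -> 'tracksport.com'."""
    return domain.partition(".")[2]

def group_into_trees(domains):
    """Map each tree root to the domains in its contiguous namespace."""
    names = {d.lower().rstrip(".") for d in domains if d.strip(".")}
    trees = {}
    for name in sorted(names):
        root = name
        # Climb while the immediate parent is itself a domain in the forest.
        while parent_of(root) in names:
            root = parent_of(root)
        trees.setdefault(root, []).append(name)
    return trees

def namespace_kind(domains):
    """One tree means contiguous; several trees mean disjointed."""
    return "contiguous" if len(group_into_trees(domains)) == 1 else "disjointed"

def escape_rdn_value(value):
    """Escape characters that are special inside a DN value (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def distinguished_name(cn, ou, domain):
    """Build CN=...,OU=...,DC=... from a name, an OU and a DNS domain."""
    dcs = ",".join("DC=" + label for label in domain.split("."))
    return "CN=%s,OU=%s,%s" % (escape_rdn_value(cn), escape_rdn_value(ou), dcs)
```

Escaping matters whenever a name taken from user input is placed into a DN: an unescaped comma in a value such as "Doe, John" would otherwise be read as a separator between DN components.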

