Logical and Physical Network Design 1 Active Directory

  • Slides: 28

Active Directory Objects
[Figure: the Printers and Users object classes; printer attributes Printer Name and Printer Location (Printer 1, Printer 2, Printer 3); user attributes First Name, Last Name, Logon Name, with sample attribute values Don Hall and Suzan Fine]
• Objects Represent Network Resources (Users, Groups, Computers, Printers)
• Attributes Store Information About an Object

Active Directory Schema
The Active Directory schema is:
• Dynamically available
• Dynamically updateable
• Protected by DACLs
[Figure: object class examples: Computers, Users, Printers. Attribute examples: attributes of Users might contain accountExpires, department, distinguishedName, middleName. List of attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …]

Active Directory Components
• Logical components of the Active Directory
  – Provide a way to design and administer the hierarchical, logical structure of the network
  – Include
    • Domains and organizational units
    • Trees and forests
    • A global catalog

Active Directory Components (Continued)
• Windows Server 2008 domain
  – Logically structured organization of objects that
    • Are part of a network, and
    • Share a common directory database
• Each domain
  – Has a unique name
  – Is organized in levels
  – Is administered as a unit with common rules and procedures
  – Is defined by an IP address on the Internet

Active Directory Domains
[Figure: the domain CONTOSO.COM shown as the boundary of policies, the boundary of authentication and the boundary of replication]

Characteristics of Multiple Domains
[Figure: separate domains in Seattle, Chicago, Los Angeles and New York]
• Separate administrative control
• Geographic basis
• Large number of objects
• Reduce replication traffic
• Maintain separate and distinct security policies between domains

Active Directory Components (Continued)
• An organizational unit (OU)
  – A logical container used to organize objects within a single domain
• Benefits of using OUs
  – Easier to locate and manage the Active Directory objects
  – Define more advanced features by applying Group Policy to an OU
  – Delegate administrative control over OUs

[Figure: An Active Directory domain and OU structure]

Active Directory Components (Continued)
• Trees and forests
  – Forest root domain
    • First Active Directory domain created in an organization
  – Tree
    • Hierarchical collection of domains that share a contiguous DNS namespace

What Is a Tree?
[Figure: contoso.msft is the tree root domain and forest root domain (parent); sales.contoso.msft is a child domain in the contiguous namespace, joined to the parent by a two-way, transitive trust relationship; a new domain is added as a further child]

Active Directory Components (Continued)
  – Whenever a child domain is created, a two-way, transitive trust relationship is automatically created between the child and parent domains
• Transitive trust
  – All other trusted domains implicitly trust one another

Active Directory Components (Continued)
• Forest
  – Collection of trees that do not share a contiguous DNS naming structure
  – The trees in a forest share a single Active Directory schema
• Enterprise Admins
  – Special user group
  – Allows members to manage objects throughout the entire forest
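As an added example (not part of the slides), the following Python models the tree, forest and transitive-trust relationships described on the last three slides: it derives parent/child pairs from contiguous DNS names, finds the tree roots that make up a forest, and walks the chain of automatic two-way transitive trusts between any two domains. The domain names and the forest root are constructed sample data; the tree-root trust between each additional tree root and the forest root is standard Active Directory behaviour that the slides do not spell out.

```python
from collections import deque

# Constructed sample forest (not from the slides): two trees whose names do
# not share a contiguous DNS namespace; contoso.msft is the forest root domain.
FOREST_DOMAINS = [
    "contoso.msft", "sales.contoso.msft", "europe.sales.contoso.msft",
    "nwtraders.msft", "marketing.nwtraders.msft",
]

def parents(domains):
    """Map each domain to its parent, or None if it is a tree root. The parent
    is the name minus its leftmost label, so a tree is a contiguous namespace."""
    domains = set(domains)
    result = {}
    for d in domains:
        p = d.split(".", 1)[1] if "." in d else ""
        result[d] = p if p in domains else None
    return result

def tree_roots(domains):
    """One tree root per contiguous namespace; several roots make a forest."""
    return sorted(d for d, p in parents(domains).items() if p is None)

def trust_path(src, dst, domains, forest_root):
    """Chain of two-way transitive trusts from src to dst, or None.
    Edges: the automatic parent/child trusts from the slides, plus the tree-root
    trust joining each extra tree root to the forest root (standard AD behaviour)."""
    parent = parents(domains)
    edges = {d: set() for d in parent}
    for d, p in parent.items():
        if p is not None:
            edges[d].add(p)
            edges[p].add(d)
    for root in tree_roots(domains):
        if root != forest_root:
            edges[root].add(forest_root)
            edges[forest_root].add(root)
    if src not in edges or dst not in edges:
        return None  # e.g. a domain in another forest: no automatic trust
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(edges[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None
```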

[Figure: Example of an Active Directory forest]

What Is the Forest Root Domain?
The forest root domain is the first domain created in a forest.
[Figure: a forest of two trees. Forest root domain contoso.msft with child domain sales.contoso.msft; tree root domain nwtraders.msft with child domain marketing.nwtraders.msft. Labels on the forest root domain: Global Catalog, Configuration and Schema, Enterprise Admins, Schema Admins]

Active Directory Components (Continued)
• Global catalog
  – Index and partial replica of the objects and attributes most frequently used throughout the entire Active Directory structure
  – Replicated to any server within the forest that is configured to be a global catalog server
  – The first domain controller in Active Directory automatically becomes a global catalog server
  – Additional domain controllers can also be configured to be global catalog servers

Global Catalog
[Figure: two domains and a global catalog server holding a subset of the attributes of all objects; the server answers queries and supplies group membership when a user logs on]

Active Directory Physical Structure
• Relates to the actual connectivity of the physical network
  – Domain Controllers
  – Sites

Domain Controller
• A domain controller is a server containing a copy of the Active Directory.
• All domain controllers are peers, and maintain replicated versions of the Active Directory for their domains.
• The domain controller plays an important role in both the logical and physical structure of the Active Directory.
• It organizes all the domain's object data in a logical and hierarchical data store.
• It also authenticates users, provides responses to queries about network objects, and replicates directory services. (The physical structure provides the means to transmit this data through well-connected sites.)

[Figure: Domain controller roles]

Domain Controllers
Reasons for creating multiple domain controllers:
• It is recommended that each domain and each site have more than one domain controller to provide logical and physical structure redundancy and fault tolerance.
[Figure: two domain controllers in one domain replicating with each other, each serving User 1 and User 2 and each holding a writeable copy of the Active Directory data]

Sites
[Figure: sites in Seattle, Chicago, New York and Los Angeles, each an IP subnet, joined by WAN links]
• Sites: a combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection
  – Optimize replication traffic
  – Enable users to log on to a domain controller by using a reliable, high-speed connection

Active Directory Physical Structure (Continued)
• Aims regarding replication
  – Make sure that any modification to the Active Directory database is replicated as quickly as possible between domain controllers
  – Make sure that replication does not saturate the available network bandwidth

Active Directory Physical Structure (Continued)
• A site link
  – A configurable object that represents a low-bandwidth or unreliable/occasional connection between sites
  – Can be adjusted for
    • Replication availability
      » Using the schedule on site links
    • Bandwidth costs
      » Higher cost numbers represent lower priority replication paths
    • Replication frequency
      » By setting the number of minutes between
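As an added example (not part of the slides), the following Python models the physical structure from the Sites and site link slides: it maps a client's IP address to its site through the most specific configured subnet, and picks the lowest-cost chain of site links between two sites, showing why a higher cost number makes a link a lower-priority replication path. The subnets, sites, costs and minute intervals are constructed sample data, and the summed interval is only a rough upper bound on replication delay.

```python
import heapq
import ipaddress

# Constructed sample topology (not from the slides): sites are sets of IP
# subnets; site links carry a cost and the number of minutes between replications.
SUBNETS = {
    "10.1.0.0/16": "Seattle", "10.2.0.0/16": "Chicago",
    "10.3.0.0/16": "New York", "10.4.0.0/16": "Los Angeles",
    "10.3.200.0/24": "Los Angeles",  # carve-out: the more specific subnet wins
}
SITE_LINKS = [  # (site, site, cost, minutes); higher cost = lower priority path
    ("Seattle", "Chicago", 100, 15),
    ("Chicago", "New York", 100, 15),
    ("Seattle", "New York", 500, 180),  # slow WAN link, used only as a fallback
    ("Seattle", "Los Angeles", 200, 30),
]


def site_for_ip(ip, subnets=SUBNETS):
    """Site of a client: most specific configured subnet containing its address."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in subnets]
    hits = [n for n in nets if addr in n]
    return subnets[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


def cheapest_replication_path(src, dst, links=SITE_LINKS):
    """Lowest total-cost chain of site links from src to dst (Dijkstra).
    Returns (total_cost, [sites on the path], summed_minutes) or None; the
    summed interval is a rough upper bound on how long a change takes to
    arrive if every hop waits a full interval."""
    graph = {}
    for a, b, cost, minutes in links:
        graph.setdefault(a, []).append((b, cost, minutes))
        graph.setdefault(b, []).append((a, cost, minutes))
    if src not in graph or dst not in graph:
        return None
    heap, done = [(0, 0, src, [src])], set()
    while heap:
        cost, minutes, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path, minutes
        if site in done:
            continue
        done.add(site)
        for nxt, c, m in graph[site]:
            if nxt not in done:
                heapq.heappush(heap, (cost + c, minutes + m, nxt, path + [nxt]))
    return None
```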

[Figure: The site structure of Dovercorp.net]

Domains & Sites
• No formal relationship exists between the boundaries of a site or domain.
• Sites and domains do not have to maintain the same namespace.
• Sites can contain
  – All domain controllers in a single domain
  – Some of the domain controllers in a single domain
  – Domain controllers from different domains

Sites and Domains
[Figure: Site A and Site B spanning the domain US.CONTOSO.COM]
