01 Introduction To Active Directory and Network Infrastructure

This document provides an introduction to Active Directory and network infrastructure. It discusses what Active Directory is, the logical structure including domains, trees and forests. It also covers Active Directory objects, schema, and the physical network structure. The purpose of Active Directory is to provide centralized management of identities and resources. It enables locating objects based on their characteristics.

Uploaded by Raaju- Sys.Admin

Revision no.: PPT/2K403/02

Introduction to Active Directory and Network Infrastructure (70-297)

Lesson 1: Active Directory Overview

• What is Active Directory?
• The Logical Active Directory Structure
• Trust Relationships
• The Physical Network Structure

© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
What is Active Directory?

• A directory is a stored collection of information about objects that are related to one another in some way
• A directory service stores all the information needed to use and manage these objects in a centralized location, simplifying the process of locating and managing these resources
• A directory service differs from a directory in that it is both the source of the information and the mechanism that makes the information available to users
• It is the central authority that manages identities and the relationships between distributed resources, enabling them to work together

Why Have a Directory Service?

• A directory service provides the means to organize and simplify access to the resources of a networked computer system
• Users and administrators might not know the exact name of the objects they need, but they might know one or more characteristics of the objects in question
• A directory service makes it possible to find an object based on one or more of its characteristics

The Windows Server 2003 Directory Service

• Centralized Data Store
• Scalability
• Extensibility
• Manageability
• Integration with DNS
• Client Configuration Management
• Policy Based Administration
• Replication of Information
• Flexible, secure authentication and authorization
• Security Integration
• Directory enabled applications and Infrastructure
• Interoperability with other Directory Services
• Signed and encrypted LDAP Traffic

The Logical Active Directory Structure

• Active Directory Objects
• Active Directory Schema
• Domains
• Trees
• Forests
• OUs

Active Directory Objects

[Figure: Active Directory objects and their attributes. The Printers container holds Printer1, Printer2 and Printer3; printer attributes include Printer Name and Printer Location. The Users container holds user objects whose attributes include First Name, Last Name and Logon Name, with example values Jane Doe and John Doe. Each attribute holds a value.]

• Objects Represent Network Resources
• Attributes Store Information About an Object

Active Directory Schema

The Active Directory Schema is:
• Dynamically Available
• Dynamically Updateable
• Protected by DACLs

[Figure: the schema defines object classes and the attributes each class may carry. Class examples: Users, Computers, Printers. Attribute examples for Users: accountExpires, department, distinguishedName, directReports, middleName. The list of attributes might contain: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, …]

Domains

• A Domain Is a Security Boundary
  – A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
• A Domain Is a Unit of Replication
  – Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain

[Figure: a Windows Server 2003 domain in which two domain controllers replicate the User1 and User2 objects to each other.]
Trees

• A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain
• Domains in a tree share a contiguous namespace and a hierarchical naming structure.

[Figure: a domain tree]
microsoft.com
    uk.microsoft.com
        sls.uk.microsoft.com
    us.microsoft.com

Forests

• A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.

[Figure: a forest made of two domain trees]
microsoft.com
    uk.microsoft.com
        sls.uk.microsoft.com
    us.microsoft.com

msn.com
    uk.msn.com
        sls.uk.msn.com
    us.msn.com

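The contiguous-namespace rule that separates a tree from a forest can be checked mechanically. The Python below is an added example, not part of the original slides: it takes the eight domain names from the Forests figure (embedded as a constructed list), finds each domain's tree root by walking up the DNS name one label at a time, groups the domains into trees, and reports namespace gaps, meaning a name that has an ancestor in the forest but no immediate parent there and so cannot be a child domain in that tree. The function names are this example's own.

```python
"""Trees and forests from domain names (added example, not from the slides)."""
from typing import Dict, List, Optional, Set

# Constructed input: the eight domains drawn in the Forests slide's figure.
FOREST_DOMAINS: List[str] = [
    "microsoft.com", "uk.microsoft.com", "us.microsoft.com", "sls.uk.microsoft.com",
    "msn.com", "uk.msn.com", "us.msn.com", "sls.uk.msn.com",
]


def immediate_parent(domain: str) -> Optional[str]:
    """All labels but the first, or None for a single-label name. A child
    domain's DNS name is always its parent's name with one label prepended."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def tree_root(domain: str, known: Set[str]) -> str:
    """Walk up the namespace while the immediate parent exists in the forest."""
    current = domain.lower()
    while True:
        parent = immediate_parent(current)
        if parent is None or parent not in known:
            return current
        current = parent


def build_forest(domains: List[str]) -> Dict[str, List[str]]:
    """Group domains into trees: tree root -> sorted members. The keys are the
    forest's tree roots; one key means a single tree, several mean several."""
    known = {d.lower() for d in domains}
    trees: Dict[str, List[str]] = {}
    for d in sorted(known):
        trees.setdefault(tree_root(d, known), []).append(d)
    return trees


def namespace_gaps(domains: List[str]) -> List[str]:
    """Tree roots that have a longer ancestor in the set but no immediate
    parent: the intermediate domain is missing, so the name cannot hang off
    that tree (sls.uk.msn.com without uk.msn.com, for instance)."""
    known = {d.lower() for d in domains}
    gaps: List[str] = []
    for d in sorted(known):
        if tree_root(d, known) != d:
            continue  # has a parent in the set, so it is a proper child
        labels = d.split(".")
        ancestors = {".".join(labels[i:]) for i in range(2, len(labels))}
        if ancestors & known:
            gaps.append(d)
    return gaps


if __name__ == "__main__":
    for root, members in build_forest(FOREST_DOMAINS).items():
        print(root, "->", members)
    print("gaps:", namespace_gaps(["msn.com", "sls.uk.msn.com"]))
```

Running the block lists two trees (rooted at microsoft.com and msn.com) and flags sls.uk.msn.com as a gap when uk.msn.com is absent.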
Organizational Units

• Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization
• Delegate Administrative Control over the Objects Within an OU by Assigning Specific Permissions to Users and Groups

[Figure: an OU hierarchy in the microsoft.com domain, with OUs named Admin, US, Computers, Users and Printers and an Orders OU containing ORDERS and DISP.]

Trust Relationships

[Figure: trust types between domains. Forest 1 contains two domain trees whose root domains (Domain A, the forest root, and Domain D) are joined by a tree/root trust; their child domains (Domains B, C, E and F) are linked to them by parent/child trusts, and a shortcut trust links Domain F and Domain C directly. A forest trust joins Forest 1 to Forest 2 (Domains P and Q). An external trust links to a domain outside the forest, and a realm trust links to a Kerberos realm.]

The Physical Network Structure

• Domain Controller
• Global Catalog Server
• Site

Domain Controllers

• Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain
• Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other
• Domain controllers immediately replicate certain important updates, such as the disabling of a user account
• Each Domain Controller in a Domain has a writeable copy of the Directory Database

Forest-Wide and Domain-Wide Roles

• Forest-Wide Roles
  – Schema Master
  – Domain Naming Master
• Domain-Wide Roles
  – RID Master
  – PDC Emulator
  – Infrastructure Master

Global Catalog Server

• Finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity
• The global catalog is the central repository of information about objects in a tree or forest
• Any domain controller in a forest can be a Global Catalog Server
• The Global Catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated
• The Global Catalog enables finding directory information regardless of which domain in the forest actually contains the data

Sites

[Figure: a map with sites at Seattle, Chicago, New York and Los Angeles; each site is defined by one or more IP subnets.]

• Sites:
  – Optimize replication traffic
  – Enable users to log on to a domain controller by using a reliable, high-speed connection

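How a client ends up in a site follows from the subnet-to-site mapping above. The Python below is an added example, not from the original slides: the site-to-subnet table is constructed (the slide names the four sites but gives no address ranges, so placeholder private ranges are used), the lookup picks the most specific matching subnet, and an address that falls in no defined subnet returns None. That last case is the one worth checking for: such a client is not site-aware and gets none of the replication or nearby-logon benefits the slide lists until an administrator defines its subnet.

```python
"""Place a client in an AD site by IP subnet (added example, not from the slides)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed site-to-subnet table with placeholder ranges. Seattle also owns
# a /24 carved out of Chicago's /16 to show that the most specific subnet wins.
SITE_SUBNETS: Dict[str, List[str]] = {
    "Seattle": ["10.1.0.0/16", "10.2.99.0/24"],
    "Chicago": ["10.2.0.0/16"],
    "New York": ["10.3.0.0/16"],
    "Los Angeles": ["10.4.0.0/16"],
}


def compile_table(site_subnets: Dict[str, List[str]]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse the subnets once and order them longest prefix first, so the
    first hit in a linear scan is the most specific match."""
    table = [(ipaddress.ip_network(subnet), site)
             for site, subnets in site_subnets.items() for subnet in subnets]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


SUBNET_TABLE = compile_table(SITE_SUBNETS)


def site_for(ip: str, table=SUBNET_TABLE) -> Optional[str]:
    """Site of the most specific matching subnet; None when unmapped."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr.version == network.version and addr in network:
            return site
    return None


def unmapped_clients(ips: List[str], table=SUBNET_TABLE) -> List[str]:
    """Addresses that belong to no defined subnet. Each one is a subnet an
    administrator still needs to add, because the client cannot prefer a
    local domain controller without it."""
    return [ip for ip in ips if site_for(ip, table) is None]


if __name__ == "__main__":
    for client in ("10.2.5.5", "10.2.99.7", "192.168.77.1"):
        print(client, "->", site_for(client))
    print("unmapped:", unmapped_clients(["10.1.0.9", "172.16.0.1", "10.4.1.1"]))
```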
Replication in Active Directory

• Intra-site Replication
• Inter-site Replication

Lesson 2: Domain Naming System Overview

• Name Resolution
• Understanding DNS
• How Active Directory Uses DNS

Name Resolution

• HOSTS Files
• LMHOSTS Files
• Domain Naming System
• Windows Internet Naming System

Understanding DNS

• DNS is a service used in TCP/IP networks to locate computers and services through user-friendly names.
• DNS provides a method of naming computers and network services using a hierarchy of domains.
• When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address.

DNS Name Space

[Figure: the DNS namespace as a tree, one level per line]
Root Domain
  Top-Level Domains: org, com, net, gov
    Second-Level Domains: microsoft, headrest, yahoo, cnn
      Third-Level Domains: sales, research
        Host Names: server1, server2
Types of Zones

• Active Directory Integrated
• Standard Primary
• Standard Secondary

Types of Queries

• Forward Lookup
• Reverse Query

How Active Directory Uses DNS

• Active Directory uses DNS as its domain naming and location service.
• DNS provides the following benefits:
  – DNS names are user-friendly, which means they are easier to remember than IP addresses.
  – DNS names remain more constant than IP addresses. An IP address for a server can change, but the server name remains the same.
  – DNS allows users to connect to local servers using the same naming convention as the Internet.

Lesson 3: TCP/IP Overview

• TCP/IP Architecture
• IP Addressing
• IP Routing
• Automatic IP Address Assignment Using DHCP

TCP/IP Architecture

TCP/IP Protocol Suite

Layer                    Protocols
Application Layer        HTTP, FTP, SMTP, DNS, RIP, SNMP
Transport Layer          TCP, UDP
Internet Layer           IP, IGMP, ICMP, ARP
Network Interface Layer  Ethernet, Token Ring, Frame Relay, ATM

IP Addressing

• Public IP Addressing
• Private IP Addressing

Public IP Addresses

• Are assigned by an ISP
• Consist of unique class-based blocks
• Are kept to a limited number

Private IP Addresses

• Do not have to be registered
• Can be assigned by the network administrator
• Are used on computers that are not accessed from the Internet

Private Address Ranges

Starting Address   Ending Address
10.0.0.0           10.255.255.254
172.16.0.0         172.31.255.254
192.168.0.0        192.168.255.254

IP Address Classes

Class  Value of W  Value of First Bits  Network ID  Host ID  No. of N/Ws  No. of Hosts per N/W
A      1-126       0                    W           XYZ      126          16,777,214
B      128-191     10                   WX          YZ       16,384       65,534
C      192-223     110                  WXY         Z        2,097,152    254
D      224-239     1110                 Reserved for Multicast Addressing
E      240-254     1111                 Reserved for experimental use

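The rows of the class table and the private ranges from the previous slide can both be reproduced from the address bits. The Python below is an added example, not from the original slides: it derives the class from the leading bits of W (the first octet), the default network/host split, the number of networks and of hosts per network, and whether the address falls in one of the private ranges listed above. It also flags the 0.x and 127.x networks, which are class A by their bits but outside the table's 1-126 range; the function and field names are this example's own.

```python
"""Classful IPv4 decoding and private-range check (added example, not from the slides)."""
import ipaddress
from typing import Dict, Union

# Ranges listed on the Private IP Addresses slide, written as CIDR networks.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Leading bits per class (the table's "Value of First Bits" column) and the
# default network prefix length; classes D and E have no network/host split.
FIRST_BITS = {"A": "0", "B": "10", "C": "110", "D": "1110", "E": "1111"}
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(first_octet: int) -> str:
    """Classify from the leading bits of W, the first octet."""
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def classful_summary(ip: str) -> Dict[str, Union[str, int, bool, None]]:
    """Reproduce one row of the class table for a concrete address."""
    addr = ipaddress.IPv4Address(ip)
    w = int(addr) >> 24
    cls = address_class(w)
    bits = NETWORK_BITS.get(cls)
    summary: Dict[str, Union[str, int, bool, None]] = {
        "class": cls,
        "first_bits": FIRST_BITS[cls],
        "private": any(addr in n for n in PRIVATE_NETWORKS),
        # 0.x and 127.x are class A by their bits but outside the table's 1-126.
        "reserved": cls == "A" and w in (0, 127),
        "default_mask": None, "network_id": None, "host_id": None,
        "networks": None, "hosts_per_network": None,
    }
    if bits is None:  # classes D and E: multicast / experimental, no split
        return summary
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    summary.update({
        "default_mask": str(net.netmask),
        "network_id": str(net.network_address),
        "host_id": int(addr) & int(net.hostmask),
        # Network IDs are the bits after the class prefix; class A loses
        # networks 0 and 127, so 2^7 - 2 = 126.
        "networks": 2 ** (bits - len(FIRST_BITS[cls])) - (2 if cls == "A" else 0),
        # Hosts per network: all host-bit patterns minus network and broadcast.
        "hosts_per_network": 2 ** (32 - bits) - 2,
    })
    return summary


if __name__ == "__main__":
    for sample in ("9.1.2.3", "172.20.4.9", "220.78.168.5", "224.0.0.5"):
        print(sample, classful_summary(sample))
```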
Classless Interdomain Routing

Class C Example

           Network ID     Network ID (binary)
Starting   220.78.168.0   11011100 01001110 10101000 00000000
Ending     220.78.175.0   11011100 01001110 10101111 00000000

CIDR Entry

Network ID     Subnet mask     Subnet mask (binary)
220.78.168.0   255.255.248.0   11111111 11111111 11111000 00000000

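The CIDR entry above can be computed rather than read off. The Python below is an added example, not from the original slides: it finds the longest prefix shared by the first and last network IDs of the run, builds the supernet from it, and checks that the run actually fills that supernet, since a run that is not aligned to a power-of-two boundary (one starting at 220.78.169.0, say) has no single matching entry. The address values are the ones from the slide; the function names are this example's own.

```python
"""Aggregate a run of classful networks into one CIDR entry (added example, not from the slides)."""
import ipaddress
from typing import Dict, Union


def to_binary(dotted: str) -> str:
    """Dotted decimal -> four 8-bit groups, the notation used on the slide."""
    return " ".join(format(int(octet), "08b") for octet in dotted.split("."))


def common_prefix_length(first: str, last: str) -> int:
    """Number of leading bits shared by two addresses."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    # XOR marks the differing bits; the shared prefix ends above the highest one.
    return 32 - (a ^ b).bit_length()


def summarize_block(first_network: str, last_network: str,
                    classful_prefix: int = 24) -> Dict[str, Union[str, int]]:
    """One CIDR entry covering first_network..last_network (both /classful_prefix).

    Raises ValueError when the run does not exactly fill a power-of-two
    block, because then no single prefix describes it.
    """
    # A single network is its own entry; never go shorter than one network.
    prefix = min(common_prefix_length(first_network, last_network), classful_prefix)
    supernet = ipaddress.ip_network(f"{first_network}/{prefix}", strict=False)
    last = ipaddress.ip_network(f"{last_network}/{classful_prefix}")
    if supernet.network_address != ipaddress.IPv4Address(first_network):
        raise ValueError(f"{first_network} is not the first address of {supernet}")
    if last.broadcast_address != supernet.broadcast_address:
        raise ValueError(f"run ends at {last.broadcast_address}, "
                         f"but {supernet} ends at {supernet.broadcast_address}")
    return {
        "network_id": str(supernet.network_address),
        "prefix_length": prefix,
        "subnet_mask": str(supernet.netmask),
        "subnet_mask_binary": to_binary(str(supernet.netmask)),
        "classful_networks": 2 ** (classful_prefix - prefix),
    }


def is_aggregatable(first_network: str, last_network: str,
                    classful_prefix: int = 24) -> bool:
    """True when the run can be written as exactly one CIDR entry."""
    try:
        summarize_block(first_network, last_network, classful_prefix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(summarize_block("220.78.168.0", "220.78.175.0"))
    print(is_aggregatable("220.78.169.0", "220.78.175.0"))
```

For the slide's run the result is 220.78.168.0/21, mask 255.255.248.0, covering eight class C networks.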
IP Routing

• Static Routing
• Dynamic Routing

Automatic IP Address Assignment Using DHCP

• DHCP servers can be used to dynamically and automatically issue IP addresses to client computers

Lesson 4: Remote Access Overview

• Remote Access Connection Methods
• Protocols Used by Routing And Remote Access
• Remote Access Security

Remote Access Connection Methods

• Dial-Up Networking
• Virtual Private Networking

Dial-Up Networking

• Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider

[Figure: a dial-up client, a remote access (RA) server and a domain controller]
1. The dial-up client calls the RA server
2. The RA server answers the call
3. The RA server authenticates and authorizes the client
4. The RA server transfers data

Virtual Private Networking

• A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link

[Figure: a VPN client, a VPN server and a domain controller]
1. The VPN client calls the VPN server
2. The VPN server answers the call
3. The VPN server authenticates and authorizes the client
4. The VPN server transfers data

Protocols Used by Routing And Remote Access

• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)
• RAS Protocol
• NetBIOS Gateway

Remote Access Security

• Authentication Protocols
  – PAP
  – SPAP
  – CHAP
  – MSCHAP
  – MSCHAP v2
  – EAP
• Securing Through Connection Control
• Securing Through Access Control

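The protocols in the list above differ in what the remote access server and client put on the link. The Python below is an added example, not from the original slides: it models both peers of a CHAP exchange (response = MD5(identifier || secret || challenge), as RFC 1994 specifies) next to a PAP authenticate-request, so the contrast is visible in the bytes: PAP carries the password itself, CHAP carries only a digest bound to a one-time challenge. The user name, secret and challenge values are constructed; SPAP, MS-CHAP, MS-CHAP v2 and EAP are not modelled, and the class and function names are this example's own.

```python
"""PAP versus CHAP on the wire (added example, not from the slides)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed server-side credential store. CHAP needs the secret itself on
# the server (not a one-way hash of it) in order to recompute the response;
# that is one of its costs compared with the later protocols in the list.
USER_SECRETS: Dict[str, bytes] = {"jdoe": b"constructed-secret-1"}


def pap_request(user: str, password: bytes) -> bytes:
    """PAP Authenticate-Request: identity and password cross the link as-is."""
    return b"PAP-REQ\x00" + user.encode() + b"\x00" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues one-shot challenges and checks responses."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # 8-bit Identifier field
        value = os.urandom(16)                       # fresh and unpredictable
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, user: str, response: bytes) -> bool:
        # pop(): a challenge is consumed on first use, so a response captured
        # from the link and resubmitted later matches no outstanding challenge.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, user: str, secret: bytes) -> bool:
    """Client side of one exchange: Challenge -> Response -> Success/Failure."""
    identifier, challenge = server.challenge()                # server -> client
    response = chap_response(identifier, secret, challenge)   # client -> server
    return server.verify(identifier, user, response)          # server decides


if __name__ == "__main__":
    auth = ChapAuthenticator(USER_SECRETS)
    print("PAP bytes:", pap_request("jdoe", USER_SECRETS["jdoe"]))
    print("CHAP login ok:", chap_login(auth, "jdoe", USER_SECRETS["jdoe"]))
    print("CHAP wrong secret:", chap_login(auth, "jdoe", b"wrong"))
```

The PAP request printed by the block contains the secret verbatim, which is why an authenticator that allows PAP on a link it does not otherwise protect is exposing every password that crosses it.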
Design & Published by:

CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No. 7,
MIDC, Marol, Andheri (E), Mumbai - 400093, Tel: 91-22-28216511, 28329198
Email: [email protected]
www.cmsinstitute.co.in