CEG 2400 Fall 2012

Directory Services
Active Directory

Tree

Domain Domain Domain

 Directory Services
Active Directory
• Microsoft Directory service
• Initially released in 1999
• Originally designed for Windows 2000
Server
– Enhanced with Windows Server 2008
• Windows Server 2008 types
– Workgroup model
– Domain model
2
 Workgroups
• Peer-to-peer network
• Decentralized management
– Each computer has own database
• User accounts, security privileges
– Significantly more administration effort
• Practical for small networks
– Few users
– Simple to design, implement

3
 Directory Services
Active Directory – Domain Model
• Three main parts
– Domain
– Tree
– Forest

4
 Domains
• Client/server network with a shared
database
• Domain - Group of users, servers, and
other resources
– Share centralized account and security
information in a database
• Active Directory
– Contains domain database with objects and
attributes and schema
– Makes it easier to organize and manage
5
resources and security
 Active Directory - Domains
• Domain not confined by geographical
boundaries
• Domain controller servers
– Contains directory information about objects
in a domain
• Member servers
– Do not store directory information, can’t be
used to authenticate users
• Replication
– Process of copying directory data to multiple
domain controllers 6
 Domains

Domain model on a Windows Server 2008 network

7
 Active Directory
• Objects fall into two broad categories:
– resources (e.g., printers)
– security principals (user or computer accounts
and groups).
• Security principals are assigned unique security
identifiers (SIDs)
• This is where access rights are given
• Users must have unique names – flat database
 OUs (Organizational Units)
• Hold multiple objects having similar
characteristics
– Can be nested
– Can contain other OUs or objects
• Provides simpler, more flexible
administration
– Apply policies to OU
– Do not function as containers
– Use users or groups for access permissions
9
 Domains

Multiple domains in one organization

10
Domains
 Trees and Forests
• Directory structure above domains
– Large organizations use multiple domains
• Domain tree
– Organizes multiple domains hierarchically
• Root domain
– Active Directory tree base
• Child domains
– Branch off from root domain
12
 Trees and Forests

A tree with multiple domains and OUs

13
 Trees and Forests
• Forest
– A collection of one or more domain trees
– Trees share common schema
• Domains within a forest can communicate
• Domains within same tree
– Share common Active Directory database

14
Two Tree - Forest
 Trust Relationships
• Relationship between two domains
– One domain allows another domain to
authenticate its users
• Active Directory supports two trust
relationship types – allows users to
authenticate
– Two-way transitive trusts
– Explicit one-way trusts

16
Trust Relationships

Two-way trusts between domains in a tree

17
 Trust Relationships

Explicit one-way trust between domains in different trees

18
Trust Relationships
 Naming Conventions
• Active Directory naming conventions
(namespace)
– Collection of object names and associated
places in Windows Server 2003, Server 2008
network
– Based on LDAP naming conventions
– Follows the conventions of the internet
namespace
• Ex. dc=wright, dc=edu
• Ex. cn=server1,dc=wright,dc=edu
• Ex. cn=server2,ou=cse,dc=wright,dc=edu
20
 Naming Conventions
• Windows Server 2008 network object
– Three different names
• DN (distinguished name): DC (domain component)
and CN (common name)
• RDN (relative distinguished name)
• UPN (user principal name)
• GUID (globally unique identifier)
– Each object has one
– 128-bit number
21
 Naming Conventions
upn = [email protected]

DN:
cn=msmith,ou=legel,dc=trinketmakers,
dc=com

Distinguished name and relative distinguished name

22
 Summary
• Domains
• Forests
• Trees
• AD Objects
• Trusts
• Naming Conventions
 End of Active Directory

Directory
Services

Questions
Active
eDir LDAP Directory