Wiley - Master Active Directory Visually.pdf

CHAPTER 1
INTRODUCTION TO ACTIVE DIRECTORY
ACTIVE DIRECTORY TECHNOLOGY
If you have been in the computing and network environment at all during the past two years, you have heard a thing or two about the Active Directory. Some of what you have heard is probably true—a lot is probably not. This book can help you make sense of it all and master the Active Directory through a visual approach. But before you get into the details of installing and configuring the Active Directory, you need to know some conceptual information so that it all makes sense. Chapters 1, 2, and 3 show you the conceptual and background information you need to know to implement, configure, and support the Active Directory.
What is the Active Directory?

The Active Directory is Microsoft’s answer to directory services. The Active Directory’s purpose is to organize information about real network objects—such as users, shares, printers, applications, and so forth—so that users can find the resources they need. Through the Active Directory, users do not have to keep track of which server holds which resource, or where a particular printer resides. The Active Directory lists the information, is completely searchable, and provides users a standard folder interface so that they can find what they need on the network.

The Active Directory is also designed to provide a single point of administration for network administrators. Instead of having to manage multiple servers that hold multiple resources, the administrator can find all the directory information located in the Active Directory, and that information can be replicated to all Windows 2000 domain controllers. Resource access, security permissions, and user and group accounts are all centrally located in one place.

What is a directory?

The term directory has received a lot of use (and abuse!) in computing environments in the last several years. As computing environments have become larger and more complex, the need to organize information so that network users can locate the information they need has become increasingly important. By definition, a directory is an information storage location that uses a systematic scheme, or namespace, to organize the information. A common example is the telephone book. All information in a telephone book is stored by city/region, last name, and then first name. By referencing a particular name in a particular city/region, you can find that person’s telephone number. The phone book uses a namespace in that all names are organized in alphabetical order using the last and first name. If the telephone book did not follow a namespace—in other words, if some names listed were by first name, some by last, some by nicknames, and some by address—you would never find what you needed.

Understanding the features of the Active Directory

The Active Directory contains many features and options, but you should understand the big picture and design goals first. The following list explains the major features and design goals of the Active Directory:

Scalability: The Active Directory is highly scalable, which means it can function in small networking environments or global corporations. The Active Directory supports multiple stores and can hold more than one million objects per store. A store is a major grouping of Active Directory objects.

Extensibility: The Active Directory is extensible, which means that you can customize it to meet the needs of an organization.
Security: The Active Directory is integrated with Windows 2000 security, allowing administrators to control access to objects.

Seamlessness: The Active Directory is seamlessly integrated with the local network and the intranet/Internet.

Open Standards: The Active Directory is based on open communication standards, which allow integration and communication with other directory services, such as Novell’s NDS.

Backward Compatibility: Although Windows 2000 operating systems make the most use of the Active Directory, the Active Directory also works with earlier versions of Windows. This feature allows the implementation of the Active Directory to be taken one step at a time while still maintaining a functioning network.
DNS and the Active Directory

Domain Name System (DNS) is the most widely used directory namespace in the world. Each time you use the Internet, you are finding URLs by using DNS. DNS takes a Uniform Resource Locator (URL), such as www.microsoft.com, and resolves the URL into a TCP/IP address, such as 131.107.2.200, which is required for communication on the Internet. Because computers must have the TCP/IP address to communicate, and users need the language-based names to communicate, the job of DNS is to resolve the two.

The Active Directory is integrated with DNS, and the naming schemes used in the Active Directory are DNS names. For example, corp.com is a valid DNS name and can also be used as a Windows 2000 domain name. With DNS as the locator service in the Active Directory, the local area network (LAN) becomes more seamless with the Internet and an intranet. Corp.com can be an Internet name or a local area name, and Jwilliams@corp.com can be both an Internet e-mail address and a username in the local network. This structure enables you to find items on your network in the same manner you find them on the Internet.
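As an added example (not from the book), here is what DNS acting as the locator service looks like from a client: the SRV name it queries for the domain corp.com and how it chooses among the domain controllers listed in the answer. The `_msdcs` SRV name and the RFC 2782 selection rule are standard Windows 2000 and DNS behaviour the chapter does not cover, and the records are constructed sample data.

```python
"""Added example (not from the book): what "DNS as the locator service" means.
A Windows 2000 client needing a domain controller for corp.com asks DNS for the
SRV record _ldap._tcp.dc._msdcs.corp.com, whose answers list the domain's DCs.
The _msdcs name is part of the Windows 2000 locator, not covered in the book;
the records below are constructed sample data, not a real zone."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred (RFC 2782)
    weight: int    # relative share among records with equal priority
    port: int
    target: str    # host name of the domain controller

def dc_locator_name(dns_domain: str) -> str:
    """Owner name of the SRV record listing the LDAP servers (DCs) of a domain."""
    return "_ldap._tcp.dc._msdcs." + dns_domain.strip().rstrip(".").lower()

def choose_dc(records, seed=None) -> SrvRecord:
    """Select a target as RFC 2782 describes: lowest priority wins, and among
    records sharing it a weighted random choice is made, so the fallback site
    is used only when no preferred DC is in the answer."""
    if not records:
        raise LookupError("no domain controller records in the SRV answer")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    rng = random.Random(seed)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randrange(total)
    for rec in candidates:
        pick -= rec.weight
        if pick < 0:
            return rec
    return candidates[-1]

# Constructed sample answer for _ldap._tcp.dc._msdcs.corp.com
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "dc1.corp.com"),
    SrvRecord(0, 100, 389, "dc2.corp.com"),
    SrvRecord(10, 100, 389, "dc3.branch.corp.com"),  # fallback site
]

if __name__ == "__main__":
    dc = choose_dc(SAMPLE_SRV, seed=0)
    print(dc_locator_name("corp.com"), "->", f"{dc.target}:{dc.port}")
```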
Windows 2000 also supports Dynamic DNS (DDNS), a new addition to the DNS standard. DDNS can dynamically update a DNS server with new or changed values, which had to be manually updated in the past. Because name records can be dynamically updated, pure Windows 2000 networks no longer need to use Windows Internet Naming Service (WINS). In mixed environments, however, WINS is used for backwards compatibility with older versions of Windows. You can learn all about WINS and DNS in Chapters 5 and 6.

Understanding domains and domain controllers

If you have worked with Windows NT at all, you should be familiar with the concepts of domain and domain controllers. A domain is a logical grouping of users, computers, and resources. In actuality, the domain is a security boundary that enables administrators to control the resources in that domain and keep unauthorized users out of the domain. The Active Directory is built through the domain. Domain controllers are the servers that manage the domain. Primary domain controllers (PDC) and backup domain controllers no longer exist in Windows 2000; all the domain controllers simply act as peers. Through trust relationships, the Active Directory is replicated using multimaster replication, which means that all domain controllers are responsible for maintaining the Active Directory and replicating changes to other domain controllers. You learn more about managing trusts in Windows 2000 later in this book.
Understanding LDAP

DNS is the namespace used in the Active Directory, and Lightweight Directory Access Protocol (LDAP) is how you access the Active Directory.

To understand LDAP, you need a brief history lesson. The X.500 standard is a directory specification that introduced Directory Access Protocol (DAP) to read and modify the directory database. DAP is an extensible protocol in that it can handle directory requests and changes, as well as directory security. However, DAP places much of the processing burden on the client computers and is considered to be a high overhead protocol. LDAP, which is not defined within the X.500 specification, was developed to overcome the weaknesses of DAP. LDAP is an open standard, which means that it can be used by anyone wishing to develop a directory service and is not restricted to X.500 directories like DAP is. Another major difference is that LDAP is not a client-based service. The service runs on the server and the information is returned to the client. The Active Directory is not an X.500 directory, but it supports the information model without requiring systems to implement the X.500 overhead. The result is an LDAP-based directory that supports high levels of interoperability.

LDAP is widely supported on the Internet. If you have participated in newsgroups or searched the World Wide Web with a search engine, you more than likely have used LDAP. This open standard is directly supported in the Active Directory so that users can find the resources they need.
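An added example, not from the book, of the two names meeting in the Active Directory: the DNS domain name corp.com expressed as the LDAP distinguished name DC=corp,DC=com, and a lookup of the user Jwilliams expressed as an LDAP search filter, with any user-supplied text escaped so it cannot change the shape of the filter the server evaluates. The attribute names userPrincipalName and sAMAccountName are real Active Directory schema attributes the chapter does not mention; nothing here contacts a server.

```python
"""Added example (not from the book): the two naming systems that meet in the
Active Directory. The DNS domain name corp.com becomes the LDAP distinguished
name of the domain, DC=corp,DC=com, and "find the user jwilliams" becomes an
LDAP search filter. userPrincipalName and sAMAccountName are real AD schema
attributes the book does not mention; nothing here contacts a server."""

def dns_to_dn(dns_domain: str) -> str:
    """corp.com -> DC=corp,DC=com, the LDAP name of the domain's directory partition."""
    labels = [lab for lab in dns_domain.strip().rstrip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join(f"DC={lab}" for lab in labels)

# RFC 4515: these characters are filter syntax, so a value taken from user input
# (a login typed into a form, say) must carry them as \XX escapes or the filter
# the server evaluates is no longer the one the code intended.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login: str, dns_domain: str) -> str:
    """Filter matching a user object by Windows 2000 UPN (jwilliams@corp.com)
    or by the pre-Windows 2000 logon name (jwilliams)."""
    safe = escape_filter_value(login.strip())
    sam = safe.split("@", 1)[0]
    upn = safe if "@" in safe else f"{safe}@{escape_filter_value(dns_domain)}"
    return f"(&(objectClass=user)(|(userPrincipalName={upn})(sAMAccountName={sam})))"

def user_search(login: str, dns_domain: str) -> dict:
    """The pieces an LDAP client needs for the lookup: where to search (the
    domain's DN as search base) and what to match (the filter)."""
    return {"base": dns_to_dn(dns_domain), "scope": "subtree",
            "filter": user_search_filter(login, dns_domain)}

if __name__ == "__main__":
    print(user_search("Jwilliams@corp.com", "corp.com"))
```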
THE STRUCTURE OF THE ACTIVE DIRECTORY

The Active Directory is designed in a hierarchical structure, and before installing and implementing the Active Directory, you must have a firm understanding of the structure as well as the components that make up the Active Directory. You may see these components as terms that you need to learn, but you must also know how these components or terms relate to each other and how they fit into the hierarchy.

In this chapter, you begin with the smallest component in the hierarchy and work your way up to the top of the hierarchy. This section gives you a complete view of the Active Directory’s structure.

Object

An Active Directory object represents a physical object of some kind on the network. Common Active Directory objects are users, groups, printers, shared folders, applications, databases, contacts, and so forth. Each of these objects represents something tangible on the network.

Each object contains attributes. An attribute is a quality that helps define the actual object. For example, a user object could have attributes of a username, actual name, and e-mail address. Attributes for each kind of object are defined in the Active Directory. The attributes define the object itself and enable users to search for the particular object. Technically attributes are called “metadata”—which is simply “data about data”—and are a portion of the Active Directory “schema,” which defines what objects and object attributes can be stored in the Active Directory.

[Figure: Active Directory Objects: Users, Groups, Computers, Printers, Shares, Apps, Databases]