Active Directory
From Wikipedia,
Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is asystem administrator or normal user.[1]
Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.
End
Contents
Introduction
Active Directory contain 4 partitions:
Partition
name
|
Console
|
Domain Partition
|
Active
Directory Users and Computers
|
Configuration Partition
|
Active
Directory Sites and Services
|
Schema Partition
|
mmc
_ Active Directory Schema (regsrv32 schmmgmt.dll)
|
Application Partition
|
DNS
Console
|
In order to install these 4 partition, we must have an NTSF partition, and a minimum space of 250 mb.
Before we start our tour, keep in mind
that every operation related to a partition, can basically configured, and
managed from the console attached to that partition.
Domain Partition
Configuration Partition
Global Catalogue
Schema Partition
Application Partition
Inheritance
Installation
Setting IP Address
Active Directory Schema
ADSI Edit
Domain Partition
Contain all the objects inside my domain
controller, means (users, OU, computers, groups, contacts …), any time you
touch one of these object, you basically interact with the domain partition.
For the other object like (printers, and
shared folder, …) they must have a link on active directory, so you manipulate
them as a part of the domain partition, because shared folder for example can
be located inside a server file, and can have no relation at all with the
domain controller.
Configuration Partition
Before we go to the notion of this
partition, let’s first discuss the philosophie used by Microsoft servers, to
let a users access a particular data:
Now, you that understand how the authentication
method is, let’s take another concept
Let’s assume that we have two sites, and a
new user just hired as described in the following scheme:
Ok, how the domain controller, know about
the new user, and how he decide to give him access to the data?
Global Catalogue
Is like a center contain information about
all the ressources on the forest, and in order to keep track of these
ressources, he do something called replication, wich mean replicate information
between authorized domain controllers.
This is how the additional domain
controller knew about the ressources on the 1 site, and this is how the new
user gain access to the ressources that have permission on.
All of that require configuration, and all
of it happen inside the configuration partition.
Schema Partition
Contain two parts: classes and attributes (properties of the classes), his role is to write information about users and
computers.
For example when you install exchange
server, you execute the command prepare id, for what?
Of course, to extend the schema, which
means add extra properties to the classes, for example users and computers, all
of that will be clear soon, don’t worry J.
Application Partition
Is the DNS, and he is optional, means that
if the type of the zone is integrated zone, then you have 4 partitions,
otherwise if it’s primary zone, then you only have 3 partitions.
Inheritance
Additional domain controller, toke whatever
partitions available on the primary domain controller.
Child and tree toke only the schema and the configuration
partition, configuration because he need to access the ressources,
defined by the global catalogue, we saw before, schema as we will see
later in exchange you can install it once on the whole forest.
Domain partition did not inherited because
its unique, every one has its on st of object, where is the application
partition optional, wich mean you can decide, by the type of the zone you
chose.
Installation
I said before that the application
partition is optional, but in reality its not, it’s the must important
component, why?
Because it contain the DNS, and the DNS
must be installed with the active directory, not later, but with the
installation of active directory, or you domain will suffer a horrible life,
tel you reformat it again, and you don’t wanna do that.
Now, let’s start the fun part J
Start you clean server 2008, no
installation no configuration just clean as virgin J
Setting IP Address
We need to tel our domain controller that
his is the DNS server, and we do that by specifying the same IP, both field as
you see here:
In other word: “the server contain active
directory, need to be one with the DNS”
Of course you can, if you ask you can
install a secondary DNS in completely different server DHCP server for example,
or even workgroup.
Another experiment, to better understand
this concept, when you finish installation, change the type of the zone, to
primary zone, then go and check ‘System32\DNS’ and you will find the
database, no change the type of the zone to integrated zone, then go back to
the previous location, what do you see, where is the database?
Now the database is in ‘\NTDS’,
take a look (DNS_database.avi).
Run dcpromo, and chose advanced feature,
and hit next, make sure you are here:
Keep in mind when you take this option,
that the 1st forest take the 1st domain name as its name.
Hit next
Enter the domain name, and hit next, the
forest name in this case will be also ‘hun7r.local’, because as I said
before, the first forest take the name of the 1st domain within this
forest.
Accept the default NetBIOS name, and hit
next.
Before I continue, I want to mention that
the NetBIOS name used for the broadcast, where the FQDN name used with the DNS.
Chose the forest functional level, every
mode open new features, read the detail section the review these features, for
now I’ll just stick with 2000, do as I do if you follow my tutorials, I’ll be
explain later why, whene we rich advanced stuff.
For now, you can assume that the forest
functional level, decid what kind of servers this forest will have.
Accept the default, and hit next, make
sure DNS is checked, otherwise you will suffer, then continue.
We discuss NTDS and log file, before on
the introductory, for the SYSVOL that is for the policies, by default its
shared and follow the users every where.
And that’s its couple of more next’s,
before I forget you may wanna export the settings you just set in case ..
This is where the wizard start creating
all the partitions we discuss early, one by one
Wait tel the installation end, restart
your computer, and happy new domain controller J
Note
There is a couple of thing I want to
mention here,
- · There is no such thing as SAM file, all the users even the local user that was there before installing the domain controller, are now inside active directory, and they can not access this computer that unless you enable access domain controller locally, you cab check that from (computer, manage),
- · Open (active directory users and computers), any new thing you add modification you do anything from this console, that mean that you are playing on the domain partition ground.
- · For the story I said before about the published folder, you may wanna take a look at this demo (publish_folder.avi)
- on this demo the time I set the folder to be published, the time LDAP can reach it from users and computers console, this mean that its now one of the component that you can play with, within the domain partition.
Consoles
Active Directory Sites and Services
From this console, you can manage the
configuration partition, but before there is also a couple of note I want to
mention:
- · Sites is the physical location where you can find the serves, by default windows create (Default-First-Sites-Name), which contain all the available servers, but you can create multiple sites, according to how many location you have.
- · Subnet , now we create the sites, but how windows is gonna tel that this Server/Child is from this site? Every site has its own subnet, so from this console, we tel the server the subnet used by each site, and when we create a server with a particular subnet, the configuration partition will magically put that server to the preferred site.
Then you add the subnet, and select a site
and hit OK button:
We will delve into this in more detail, in
later tutorial J
Active Directory Schema
From where you manage Schema Partition, in
order to run this console you need 1st to register schmmgmt.dll
file, using this command regsvr32 schmmgmt.dll,then run it from mmc, the video (run_schema_console.avi)
explain how to do that in more detail J
ADSI Edit
Allow you to manage all Active Directory
Partition from one place, it’s by default installed on Server 2008, but on
Server 2003, you need to install it.
You can take a look at (install_adsiEdit_2003.avi).
That’s it
Feel home and be my guest
Dr_Hun74
No comments :
Post a Comment