2. Summary of Last Lecture
• Where possible ensure all user workstations are
given the same OS build / release.
• Automate the process for speed, simplicity and
repeatability.
Network Design & Administration
• Check hardware compatibility if upgrading
• If upgrading – Backup!
• If installing dual boot and Linux – Backup!
3. Overview
• Originally, Microsoft provided only standalone PCs – networks were sold by large vendors with thin-client terminals connected to servers.
• Windows for Workgroups allowed small numbers of PC users to work together sharing files and printers.
• NT 3 / 4 provided a Domain concept, whereby certain servers on the network provided centralised directory services.
• Active Directory took this further, by adding layers of hierarchy to cope with large corporate structures.
• Similarly, Linux machines could be used alone, then in loose connectivity, then using Directory Services.
4. What are Directory Services?[1]
• A database used to administer resources on a network.
• Need to make the following basic assumptions:
  • The objects in the database are relatively small.
  • The database will be widely replicated and cached.
  • The information is mainly attributes.
  • Access is mainly read, with occasional writes.
  • Searching is likely to be a frequent operation.
• The IETF provided the Lightweight Directory Access Protocol (LDAP) as a way to access the database over a network; it also specifies the data schema and search methods for a directory service.
5. Microsoft Domain vs. Workgroup
[Diagram: Domain – two Windows Server 2008 Domain Controllers replicating the Active Directory accounts database, a Windows Server 2008 member server (print server) and Windows 7 clients, all using the domain accounts. Workgroup – Windows 7 clients and a Windows Server 2008 print server, each keeping its own Accounts.]
6. Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
• Passwords are stored in hashed format.
• Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
7. Side bar: Hash Tables
• Hash tables provide you with a way of storing mappings of one bit of data to another.
• Some key would provide a value (e.g. h(“Pa$$word”) → 76934856434).
• For example, you could use a hash table to associate user names with their accounts / passwords.
• The names would be unique and somehow provide you with the associated data, e.g. h(user name) → user account.
[Diagram: a 12-slot hash table in which the names Clark Kent, Jimmy Olsen, Lois Lane and Perry White are hashed to slots holding the accounts ACT#4534, ACT#5675, ACT#6789 and ACT#7898; one slot is marked “?”.]
• A hash table will need to provide:
  • A hash function
  • A bucket array/list (more on this in 3 slides)
8. Side bar: Hash Functions
• Need some way of converting a unique key to a value: h(n) → v
• Easy way – use ASCII.
• To calculate the hash value of “White” (ASCII W=87, h=104, i=105, t=116, e=101), we do:
  87*31^4 + 104*31^3 + 105*31^2 + 116*31^1 + 101*31^0 = 83549193
  h(“White”) = 83549193
• Why use a large number? Otherwise two different keys may hash to the same value: h(x1) = α, h(x2) = α.
• BUT! How do we access element 83,549,193 in our hash table?
9. Side bar: Compression function
There are two methods:
1. A simple “division method” using modulo arithmetic
  • Bucket array has a known size (e.g. 1000 places)
  • Position can be found by i % array length
  • h(“White”) = 83549193
  • But, what happens when multiple hashes point to the same point in the hash table (i.e. collisions)?
  • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).
2. More sophisticated method: MAD (multiply, add and divide)
  • Would produce the position
  • Collisions can be handled by using:
    • Linear probing
    • Quadratic probing
  Investigate in your own time!
10. Side bar: Bucket Arrays
• A bucket array is just an array of N size.
• However, instead of each element storing one bit of information, the element provides another array which can grow…
[Diagram: a 12-slot bucket array, h(f) → slot; slots hit by more than one name hold a growing list of accounts (e.g. ACT#4534 and ACT#4535 in one slot, ACT#5675 and ACT#5676 in another), while names such as Lucy Lane, Clark Kent, Jack Kent, Jimmy Olsen, Lois Lane and Perry White each hash to a slot.]
• Better to use a linked list structure to store collisions – will allow an indefinite number rather than say n=9.
Now back to workgroups….
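Added example, not from the slides: a Python implementation of the base-31 ASCII hash from the Hash Functions slide, the division and MAD compression functions from the Compression function slide, and a bucket array whose slots hold lists of entries as on the Bucket Arrays slide. The MAD constants a, b and p are chosen for this example.

```python
# Added example: base-31 hash, division and MAD compression, and a bucket
# array that chains colliding keys in a per-slot list (not from the slides).
def h(key):
    """Polynomial hash over the ASCII codes with base 31: h("White") == 83549193."""
    value = 0
    for ch in key:
        value = value * 31 + ord(ch)
    return value


def compress_div(hash_value, size):
    """Division method: position = hash % table size."""
    return hash_value % size


def compress_mad(hash_value, size, a=3, b=7, p=1_000_003):
    """MAD (multiply, add, divide): ((a*hash + b) % p) % size, p a prime > size.
    The constants a, b and p are constructed for this example."""
    return ((a * hash_value + b) % p) % size


class BucketHashTable:
    """Array of N buckets; each bucket is a list of (key, value) pairs, so a
    collision adds to the list instead of overwriting the earlier entry."""

    def __init__(self, size=12, compress=compress_div):
        self.size = size
        self.compress = compress
        self.buckets = [[] for _ in range(size)]

    def slot(self, key):
        return self.compress(h(key), self.size)

    def put(self, key, value):
        bucket = self.buckets[self.slot(key)]
        for i, (k, _) in enumerate(bucket):
            if k == key:
                bucket[i] = (key, value)  # same key again: update in place
                return
        bucket.append((key, value))  # new key (or a collision): chain it

    def get(self, key):
        for k, v in self.buckets[self.slot(key)]:
            if k == key:
                return v
        raise KeyError(key)

    def collisions(self):
        return sum(len(b) for b in self.buckets if len(b) > 1)  # keys sharing a slot
```

The keys "Aa" and "BB" both hash to 2112 under this function, so inserting both into the same table shows the chaining at work.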
11. Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
• Passwords are stored in hashed format. Note: hash values and hash functions are used extensively within the OS.
• Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
12. Microsoft Domain
• For larger networks (> approx. 10 computers), it is
simpler to use a centralised Directory Service that
contains a list of the resources available on a network.
• The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.
• Active Directory Domain Services includes:
  • Database of computers, users, etc.
  • LDAP services to mediate queries and responses
  • Kerberos security service
  • File replication service to ensure redundancy of domain information
13. Active Directory Data Store physical structure[2]
Layers, from the top down:
• Interfaces – LDAP, REPL, MAPI, SAM
  • LDAP: Lightweight Directory Access Protocol
  • REPL: Replication and domain controller management interface
  • MAPI: Messaging API
  • SAM: Security Accounts Manager
• Ntdsa.dll – Directory Service Agent (DSA)
  • Allows access to the DB via the 4 interface methods
  • Access / modification of objects via read / write ops
  • Syntax checking (schema)
  • Maintains the schema
• Database Layer
  • Provides low-level DB functionality & integrity checks (create, read, write, delete)
  • Interface between DSA -> DB file
• Esent.dll – Extensible Storage Engine (ESE)
  • General-purpose DB engine
  • Low-level functions: indexing, transferring
  • Transaction based (i.e. ATOMIC)
14. Active Directory Domain Services Logical Structure
• This is comprised of the following:
  • Partitions
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organisational Units
15. AD DS Partitions[2]
The AD data store is divided up into a number of logical partitions (also known as naming contexts):
• Domain directory
• Configuration directory
• Schema directory
• Global catalogue (covered in a later lecture)
• Application directory
16. Domains[2]
Domains act as an administrative boundary within the organisation and define the following:
• Replication boundaries
• Security policy boundaries
• Resource access boundaries
• Trust boundaries
17. Domain Trees
• Multiple domains with contiguous DNS namespaces form a domain tree.
• aardvark.com is the parent (root domain) in which child domains are created.
[Diagram: aardvark.com with child domains eu.aardvark.com and us.aardvark.com.]
18. Forests
[Diagram: two domain trees, aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com), joined by “some kind of link!”]
• Highest level of the AD DS logical structure hierarchy.
• A forest can contain one or more domain trees and one or more domain namespaces.
19. Other Forest issues – Trust Relationships – Transitive Two-way Trust
• Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
• By default, one-way trust (non-transitive trust) is enabled between domains.
• Need to explicitly set two-way for transitive trust.
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com); a two-way trust (bison trusts aardvark) contrasted with a one-way trust, with user accounts U1 and U2 showing which domain each can log in to.]
20. Shortcut Trusts
• Two-way transitive trust between aardvark.com and bison.com.
• Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
• The user needs to be referred to each domain controller in the trust path for authentication: eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops).
• To reduce latency times, introduce a shortcut trust relationship between eu.aardvark.com and us.bison.com (1 hop).
• A shortcut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).
21. Forest Trusts
[Diagram: three forests – aardvark.com (eu.aardvark.com, us.aardvark.com), bison.com (man.bison.com, nott.bison.com) and giraffe.com (eu.giraffe.com, us.giraffe.com) – with a forest trust between aardvark.com and bison.com and another between bison.com and giraffe.com.]
• Forest trusts provide two-way transitive trust between two connecting forest roots.
• This means that there is transitive trust between:
  • aardvark.com ↔ bison.com
  • bison.com ↔ giraffe.com
• But no default forest trust between aardvark.com and giraffe.com.
• Only allows authentication to occur between forests – replication does not happen.
22. External Trusts
[Diagram: the aardvark.com tree (eu.aardvark.com, us.aardvark.com) and the bison.com tree (man.bison.com, nott.bison.com) with an external trust drawn between two of their domains.]
• Used to allow a domain external to the forest to access resources.
• Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
• Usually one-way.
23. Realm Trusts
• Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
• Can be defined as one-way, two-way, transitive or non-transitive.
[Diagram: the aardvark.com tree (eu.aardvark.com, us.aardvark.com) with a realm trust between us.aardvark.com and tiger.com.]
• In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.
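Added example, not from the slides or from any Microsoft tool: a small Python model of the trust relationships on the Domain Trees, Forests and trust slides, computing how many domain-controller referrals a user in one domain needs to reach another. The domain names are the slides’ own; the rules (parent-child links transitive, a forest trust transitive only between the two forests it joins, shortcut and external trusts non-transitive) follow the slides, and treating the tiger.com realm trust as one-way and non-transitive is this example’s assumption.

```python
from collections import deque

# Added example: trust kinds as described on the slides. Parent-child links are
# two-way transitive; a forest trust is transitive only between the two forests
# it joins; shortcut, external and (here) realm trusts cannot be chained through.
PARENT_CHILD, FOREST = "parent-child", "forest"
NON_TRANSITIVE = ("shortcut", "external", "realm")


class TrustGraph:
    """Edge a -> b means users of domain a may be authenticated by domain b."""

    def __init__(self):
        self.edges = {}  # domain -> list of (trusting domain, trust kind)

    def add(self, a, b, kind, two_way=True):
        self.edges.setdefault(a, []).append((b, kind))
        if two_way:
            self.edges.setdefault(b, []).append((a, kind))

    def hops(self, src, dst):
        """Fewest DC referrals for a user in src to reach dst; None if no path."""
        if src == dst:
            return 0
        if any(nb == dst for nb, _ in self.edges.get(src, [])):
            return 1  # a direct trust of any kind is a one-hop path
        seen, queue = {(src, 0)}, deque([(src, 0, 0)])  # (domain, forest trusts used, hops)
        while queue:
            dom, used, n = queue.popleft()
            for nb, kind in self.edges.get(dom, []):
                if kind in NON_TRANSITIVE:
                    continue  # only valid as a direct path, handled above
                nxt = used + (kind == FOREST)
                if nxt > 1 or (nb, nxt) in seen:
                    continue  # a second forest trust would make forest trust transitive
                if nb == dst:
                    return n + 1
                seen.add((nb, nxt))
                queue.append((nb, nxt, n + 1))
        return None


def slide_forests():
    # The aardvark / bison / giraffe forests and the tiger.com realm from the slides.
    g = TrustGraph()
    children = {"aardvark.com": ("eu", "us"), "bison.com": ("man", "nott", "us"),
                "giraffe.com": ("eu", "us")}
    for parent, subs in children.items():
        for c in subs:
            g.add(parent, f"{c}.{parent}", PARENT_CHILD)
    g.add("aardvark.com", "bison.com", FOREST)
    g.add("bison.com", "giraffe.com", FOREST)
    g.add("us.aardvark.com", "tiger.com", "realm", two_way=False)  # one-way only
    return g
```

Adding a shortcut trust with `g.add("eu.aardvark.com", "us.bison.com", "shortcut")` drops the eu.aardvark.com → us.bison.com path from 3 hops to 1 while leaving every other path unchanged.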
24. Sites
• The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
• Need to consider, when designing the organisational structure, where users and resources are going to be located.
• A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DCs and a number of clients.
• There are a number of reasons for using a site when managing network traffic:
  • Replication
  • Authentication
  • Site-aware network services
25. Organisational Units
• Microsoft recommends that organisations have relatively few domains and manage the administration by use of OUs.
• OUs are containers within domains and can be layered.
• OUs can contain different types of AD DS objects:
  • User
  • Group
  • Printers
  • Organisational units
  • Computers
  • Shared folders
  • Contacts
  • inetOrgPerson
26. Organisational Units
• Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).
• The Schema sets out the rules to govern what objects can be used and how they are specified.
• The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.
• Rights & permissions are allocated to containers (and therefore the objects in them).
27. Domains and Domain Controllers
• When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
• Typically, domains have 2+ DCs for redundancy because the information is so critical to the workings of the network.
• DCs copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.
28. Integrating DNS & DHCP services
• Microsoft encourages the integration of DNS services onto DCs[3].
• This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
• Provides additional security for DNS by use of group policies (see later).
• Avoids the need to manage DNS information separately.
• When the DC also does DHCP, DHCP inherits the DC’s permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account[4].
29. Domain Controller Issues
• AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DCs.
• A faulty DC can be brought into line with other up-to-date ones by following this sequence:
  • Reboot the DC under Directory Services Restore Mode (will need to use the DSRM password supplied during the original DC setup).
  • Use a backup to get the (out of date) DS information.
  • Restart, indicating non-authoritative restoration to acquire changes from other DCs.
• Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.
30. Why is the architecture important?
• Active Directory involves sharing information between domain controllers.
• To let users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
• In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
• (We will look at the global catalogue in more detail in a later session when working with groups.)
31. Other DC roles: Operations Masters[2]
• Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
• These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
• Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
• Types of FSMO/Operations Master roles:
  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master
• Roles must be carefully distributed to allow DCs to take over after failure.
32. Other DC roles: Read-Only Domain Controllers[2]
• Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
• But:
  • Is limited
  • No credentials stored locally.
  • Authentication requires access to a writeable DC to authenticate requests.
  • Cannot configure an RODC with an FSMO role.
• Why use them?
  • Ideal when the physical security of the DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
  • When storing data on local storage would pose a security risk.
33. Linux integration
• Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
• Pure Linux can use OpenLDAP to control/share system files and attributes.
  • e.g. /etc/passwd, /etc/group, /etc/hosts
• (Lab 3 will introduce adding Linux clients to an Active Directory domain.)
34. Summary
• Domain services provide functionality to control the logical structure of an organisation.
• Domains are used within a geographical boundary (e.g. in a single company).
• Forests connect multiple domains together.
• Forests provide a number of trust relationships for information to flow between domains.
• Organisational units provide structure and act as containers for resources, which can model the real-world company structure.
35. Next Time & References
• Naming and Namespaces
• Objects in Active Directory – computers, users and groups.
References:
[1] Nemeth, E. et al., “Unix and Linux System Administration Handbook”, 4th Edition, Chapter 19.3.
[2] Windows Server 2008 Active Directory Resource Kit.
[3] http://technet.microsoft.com/en-us/library/cc771613.aspx
[4] http://technet.microsoft.com/en-us/library/cc787034.aspx
[5] http://www.exchangeinbox.com/article.aspx?i=30