Lecture 5 & 6: Corporate Architecture
Network Design & Administration
Summary of Last Lecture
• Where possible ensure all user workstations are given the same OS build / release.
• Automate the process for speed, simplicity and repeatability.
• Check hardware compatibility if upgrading.
• If upgrading – Backup!
• If installing dual boot and Linux – Backup!
Overview
• Originally, Microsoft provided only standalone PCs – networks were sold by large vendors with thin client terminals connected to servers.
• Windows for Workgroups allowed small numbers of PC users to work together sharing files and printers.
• NT 3 / 4 provided a Domain concept, whereby certain servers on the network provided centralised directory services.
• Active Directory took this further, by adding layers of hierarchy to cope with large corporate structures.
• Similarly, Linux machines could be used alone, then in loose connectivity, then using Directory Services.
What are Directory Services?[1]
• A database used to administer resources on a network.
• Need to make the following basic assumptions:
  • The objects in the database are relatively small.
  • The database will be widely replicated and cached.
  • The information is mainly attributes.
  • Access is mainly read, with occasional writes.
  • Searching is likely to be a frequent operation.
• The IETF provided the Lightweight Directory Access Protocol (LDAP) as a way to access the database over a network; it also specifies the data schema and search methods for a directory service.
Microsoft Domain vs. Workgroup
[Diagram. Domain: two Windows Server 2008 Domain Controllers, each holding a copy of Active Directory and replicating between themselves; a Windows 7 Client and a Windows Server 2008 Member Server (Print Server) are members of the Domain. Workgroup: a Windows Server 2008, two Windows 7 Clients and a Windows Server 2008 (Print Server), each holding its own local Accounts.]
Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
  • Passwords are stored in hashed format.
  • Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
Side bar: Hash Tables
• Hash tables provide you with a way of storing mappings of one bit of data to another.
  • Some key would provide a value (e.g. h(“Pa$$word”) → 76934856434)
• For example, you could use a hash table to associate user names with their accounts / passwords.
• The names would be unique and somehow provide you with the associated data.
  • e.g. h(user name) → user account
[Diagram: a 12-slot table. The names Clark Kent, Jimmy Olsen, Lois Lane and Perry White are hashed to slots; slot 3 holds ACT#4534, slot 5 holds ACT#5675, slot 8 holds ACT#6789 and slot 11 holds ACT#7898, whose key is shown as “?”.]
• A hash table will need to provide:
  • A hash function
  • A bucket array/list (more on this in 3 slides)
Side bar: Hash Functions
• Need some way of converting a unique key to a value.
  • h(n) → v
• Easy way – use ASCII
• To calculate the hash value, we do:
  87*31^4 + 104*31^3 + 105*31^2 + 116*31^1 + 101*31^0 = 83549193
  h(“White”) = 83549193
• Why use a large number? (with a small range, two keys soon collide: h(x1) = α, h(x2) = α)
• BUT! How do we access element 83,549,193 in our hash table?
Side bar: Compression function
There are two methods:
1. A simple “division method” using modulo arithmetic
   • Bucket array has a known size (e.g. 1000 places)
   • Position can be found by i % array length
   • h(“White”) = 83549193
   • But, what happens when multiple hashes point to the same point in the hash table (i.e. collisions)?
   • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).
2. More sophisticated method: MAD (multiply, add and divide)
   • Would produce the position
   • Collisions can be handled by using:
     • Linear probing
     • Quadratic probing
   Investigate in your own time!
Side bar: Bucket Arrays
• A bucket array is just an array of size N.
• However, instead of each element storing one bit of information, the element provides another array which can grow…
[Diagram: h(f) maps the names Lucy Lane, Clark Kent, Jack Kent, Jimmy Olsen, Lois Lane and Perry White into a 12-slot bucket array; colliding keys share a slot, so slot 4 holds ACT#4534 and ACT#4535, slot 5 holds ACT#5675 and ACT#5676, slot 7 holds ACT#6789 and slot 9 holds ACT#7898.]
• Better to use a linked list structure to store collisions – will allow an indefinite number rather than, say, n=9.
Now back to workgroups….
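As an added worked example (not code from the lecture slides), the three side bars put together: slide 8's base-31 ASCII hash, slide 9's division-method compression and slide 10's bucket array with chaining, applied to the slide's sample users in a constructed 12-slot table. The account numbers given to each name are made up for the example.

```python
# Added worked example, not from the lecture slides: slide 8's hash function,
# slide 9's division-method compression and slide 10's bucket array.
# It is a table-lookup hash only; the password hashes held in the SAM are a
# different (cryptographic) kind of hash function.

BASE = 31  # the multiplier used on slide 8: 87*31^4 + 104*31^3 + ...


def polynomial_hash(key: str, base: int = BASE) -> int:
    """Treat the ASCII codes of the key as digits of a base-31 number (slide 8)."""
    h = 0
    for ch in key:
        h = h * base + ord(ch)
    return h


def compress(hash_value: int, n_buckets: int) -> int:
    """Division method (slide 9): fold a large hash into a slot index."""
    return hash_value % n_buckets


class BucketArray:
    """Bucket array (slide 10): each slot is a list, so keys that collide
    are chained in the same slot instead of overwriting each other."""

    def __init__(self, n_buckets: int) -> None:
        self.buckets = [[] for _ in range(n_buckets)]

    def slot(self, key: str) -> int:
        return compress(polynomial_hash(key), len(self.buckets))

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[self.slot(key)]
        for entry in bucket:
            if entry[0] == key:
                entry[1] = value  # existing key: update in place
                return
        bucket.append([key, value])

    def get(self, key: str) -> str:
        for k, v in self.buckets[self.slot(key)]:
            if k == key:
                return v
        raise KeyError(key)

    def collisions(self) -> dict:
        """Slots holding more than one key, i.e. h(x1) = h(x2) after compression."""
        return {i: [k for k, _ in b]
                for i, b in enumerate(self.buckets) if len(b) > 1}


def build_directory(n_buckets: int = 12) -> BucketArray:
    """Constructed sample: the slide's users with made-up account numbers."""
    table = BucketArray(n_buckets)
    for name, account in [("Clark Kent", "ACT#4534"), ("Jimmy Olsen", "ACT#5675"),
                          ("Lois Lane", "ACT#6789"), ("Perry White", "ACT#7898")]:
        table.put(name, account)
    return table


if __name__ == "__main__":
    print(polynomial_hash("White"))                  # 83549193, as on slide 8
    print(compress(polynomial_hash("White"), 1000))  # 193
    table = build_directory()
    for name in ("Clark Kent", "Jimmy Olsen", "Lois Lane", "Perry White"):
        print(name, "-> slot", table.slot(name), table.get(name))
    print("colliding slots:", table.collisions())    # Jimmy Olsen and Perry White share slot 1
```

With only 12 slots, "Jimmy Olsen" and "Perry White" compress to the same index, which is exactly the case the bucket array exists to handle.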
Microsoft Workgroup (revisited)
Note: hash values and hash functions are used extensively within the OS.
Microsoft Domain
• For larger networks (> approx. 10 computers), it is simpler to use a centralised Directory Service that contains a list of the resources available on a network.
• The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.
• Active Directory Domain Services includes:
  • Database of computers, users, etc.
  • LDAP services to mediate queries and responses
  • Kerberos security service
  • File replication service to ensure redundancy of domain information
Active Directory Data Store physical structure[2]
[Layered diagram, top to bottom:]
• Interfaces – LDAP, REPL, MAPI, SAM
  • LDAP: Lightweight Directory Access Protocol
  • REPL: Replication and domain controller management interface
  • MAPI: Messaging API
  • SAM: Security Accounts Manager
• Directory Service Agent (DSA) – Ntdsa.dll
• Database Layer
• Extensible Storage Engine (ESE) – Esent.dll
Functions annotated alongside the layers, top to bottom:
• Allows access to the DB via the 4 interface methods
• Access / modification of objects via read / write ops
• General purpose DB engine
• Syntax checking (schema)
• Interface between DSA -> DB file
• Low level functions: indexing, transferring
• Maintain schema
• Provides low-level DB functionality & integrity checks (create, read, write, delete)
• Transaction based (i.e. ATOMIC)
Active Directory Domain Services Logical Structure
• This is comprised of the following:
  • Partitions
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organisational Units
AD DS Partitions[2]
The AD data store is divided up into a number of logical partitions (also known as naming contexts):
  • Domain directory
  • Configuration directory
  • Schema directory
  • Global catalogue (covered in a later lecture)
  • Application directory
Domains[2]
Domains act as an administrative boundary within the organisation and define the following:
  • Replication boundaries
  • Security policy boundaries
  • Resource access boundaries
  • Trust boundaries
Domain Trees
• Multiple domains with contiguous DNS namespaces form a domain tree.
• aardvark.com is the parent (root domain) in which child domains are created.
[Diagram: aardvark.com with child domains eu.aardvark.com and us.aardvark.com.]
Forests
[Diagram: two domain trees, aardvark.com (children eu.aardvark.com and us.aardvark.com) and bison.com (children man.bison.com and nott.bison.com), joined by “some kind of link!”]
• Highest level of the AD DS logical structure hierarchy.
• A forest can contain one or more domain trees and one or more domain namespaces.
Other Forest issues – Trust Relationships – Transitive Two-way Trust
• Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
• By default, one-way trust (non-transitive trust) is enabled between domains.
• Need to explicitly set two-way for transitive trust.
[Diagram: aardvark.com (children eu.aardvark.com, us.aardvark.com) and bison.com (children man.bison.com, nott.bison.com), with a two-way trust (bison trusts aardvark) drawn next to a one-way trust. Users U1 and U2 hold accounts in one tree and log in from the other: U2 logs in from the aardvark.com side, U1 from the bison.com side.]
Shortcut Trusts
• Two-way transitive trust between aardvark.com and bison.com.
• Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
• The user needs to be referred to each domain controller in the trust path for authentication.
• To reduce latency times, introduce a short cut trust relationship.
• A short cut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).
[Diagram: trust path eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops); a short cut trust directly between eu.aardvark.com and us.bison.com reduces this to 1 hop.]
Forest Trusts
[Diagram: three forests, aardvark.com (eu.aardvark.com, us.aardvark.com), bison.com (man.bison.com, nott.bison.com) and giraffe.com (eu.giraffe.com, us.giraffe.com); one forest trust links aardvark.com to bison.com and another links bison.com to giraffe.com.]
• Forest trusts provide two-way transitive trust between two connecting forest roots.
• This means that there is transitive trust between:
  • aardvark.com ↔ bison.com
  • bison.com ↔ giraffe.com
  • But no default forest trust between aardvark.com and giraffe.com
• Only allows authentication to occur between forests – replication does not happen.
External Trusts
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com), with an external trust drawn between us.aardvark.com and man.bison.com.]
• Used to allow a domain external to the forest to access resources.
• Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
• Usually one way.
Realm Trusts
• Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
• Can be defined as one-way, two-way, transitive or non-transitive.
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) with a trust from us.aardvark.com to the Kerberos realm tiger.com.]
• In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.
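As an added example (not the lecture's own material) covering the Shortcut, Forest, External and Realm trust slides: a small trust-graph model that finds the referral path a user's authentication follows, applying the rules stated above, i.e. parent-child and forest trusts chain, a chain may cross only one forest trust, and shortcut, external and realm trusts are single hops that cannot be chained. The domains are the slides' aardvark/bison/giraffe forests and tiger.com realm; us.bison.com is taken from the Shortcut Trusts slide and the one-way realm trust direction from the Realm Trusts slide.

```python
from collections import deque

# Added example, not from the slides. Which trust kinds let an authentication
# referral continue beyond the two domains that signed the trust (slides 19-23).
TRANSITIVE = {"parent-child": True, "forest": True,
              "shortcut": False, "external": False, "realm": False}


class TrustGraph:
    """Directed graph: an edge a -> b means b trusts a, so users with accounts
    in a may be authenticated for resources in b."""

    def __init__(self) -> None:
        self.edges = {}

    def add_trust(self, trusting: str, trusted: str, kind: str, two_way: bool = True) -> None:
        if kind not in TRANSITIVE:
            raise ValueError(f"unknown trust kind {kind!r}")
        self.edges.setdefault(trusted, []).append((trusting, kind))
        self.edges.setdefault(trusting, [])
        if two_way:
            self.edges[trusting].append((trusted, kind))

    def trust_path(self, user_domain: str, resource_domain: str):
        """Shortest chain of domains a user from user_domain is referred through
        to reach resource_domain, or None if no trust allows it."""
        if user_domain == resource_domain:
            return [user_domain]
        # Any direct trust, transitive or not, is a single hop (slide 20's short cut).
        for nxt, _ in self.edges.get(user_domain, []):
            if nxt == resource_domain:
                return [user_domain, resource_domain]
        # Otherwise only transitive trusts may be chained, and a chain may cross
        # at most one forest trust (slide 21: no default trust aardvark <-> giraffe).
        start = (user_domain, 0)
        parent = {start: None}
        queue = deque([start])
        while queue:
            domain, forests = queue.popleft()
            for nxt, kind in self.edges.get(domain, []):
                if not TRANSITIVE[kind]:
                    continue
                used = forests + (kind == "forest")
                if used > 1:
                    continue
                state = (nxt, used)
                if state in parent:
                    continue
                parent[state] = (domain, forests)
                if nxt == resource_domain:
                    path = []
                    while state is not None:
                        path.append(state[0])
                        state = parent[state]
                    return path[::-1]
                queue.append(state)
        return None


def hops(graph: TrustGraph, user_domain: str, resource_domain: str):
    """Number of referrals on the trust path, as counted on the Shortcut Trusts slide."""
    path = graph.trust_path(user_domain, resource_domain)
    return None if path is None else len(path) - 1


def lecture_forests() -> TrustGraph:
    """Constructed from the slides: three forests and the tiger.com Kerberos realm."""
    g = TrustGraph()
    trees = {
        "aardvark.com": ["eu.aardvark.com", "us.aardvark.com"],
        "bison.com": ["man.bison.com", "nott.bison.com", "us.bison.com"],
        "giraffe.com": ["eu.giraffe.com", "us.giraffe.com"],
    }
    for root, children in trees.items():
        for child in children:
            g.add_trust(root, child, "parent-child")  # two-way, transitive
    g.add_trust("aardvark.com", "bison.com", "forest")
    g.add_trust("bison.com", "giraffe.com", "forest")
    # Slide 23: tiger.com trusts us.aardvark.com one way, so only that direction works.
    g.add_trust("tiger.com", "us.aardvark.com", "realm", two_way=False)
    return g


if __name__ == "__main__":
    g = lecture_forests()
    print(g.trust_path("eu.aardvark.com", "us.bison.com"))   # 3 hops via aardvark.com, bison.com
    print(hops(g, "eu.aardvark.com", "eu.giraffe.com"))      # None: would need two forest trusts
    print(hops(g, "tiger.com", "us.aardvark.com"))           # None: realm trust is one way
    g.add_trust("us.bison.com", "eu.aardvark.com", "shortcut")
    print(hops(g, "eu.aardvark.com", "us.bison.com"))        # 1 after the short cut trust
    print(hops(g, "eu.aardvark.com", "nott.bison.com"))      # still 3: short cut is not transitive
```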
Sites
• The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
• Need to consider, when designing the organisational structure, where users and resources are going to be located.
• A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DCs and a number of clients.
• There are a number of reasons for using a site when managing network traffic:
  • Replication
  • Authentication
  • Site-aware network services
Organisational Units
• Microsoft recommend organisations to have relatively few domains and manage the administration by use of OUs.
• OUs are containers within domains and can be layered.
• OUs can contain different types of AD DS objects:
  • User
  • Group
  • Printers
  • Organisational units
  • Computers
  • Shared folders
  • Contacts
  • inetOrgPerson
Organisational Units
• Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).
• The Schema sets out the rules to govern what objects can be used and how they are specified.
• The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.
• Rights & permissions are allocated to containers (and therefore to the objects in them).
Domains and Domain Controllers
• When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
• Typically, domains have 2+ DCs for redundancy because the information is so critical to the workings of the network.
• DCs copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.
Integrating DNS & DHCP services
• Microsoft encourage the integration of DNS services onto DCs[3].
• This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
• Provides additional security for DNS by use of group policies (see later).
• Avoids the need to manage DNS information separately.
• When a DC also does DHCP, DHCP inherits the DC's permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account[4].
Domain Controller Issues
• AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DCs.
• A faulty DC can be brought into line with other up-to-date ones by following this sequence:
  • Reboot the DC under Directory Services Restore Mode (will need to use the DSRM password supplied during the original DC setup).
  • Use a backup to get the (out of date) DS information.
  • Restart, indicating non-authoritative restoration, to acquire changes from other DCs.
• Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.
Why is the architecture important?
• Active Directory involves sharing information between domain controllers.
• Letting users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
• In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
• (We will look at the global catalogue in more detail in a later session when working with groups.)
Other DC roles: Operations Masters[2]
• Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
• These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
• Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
• Types of FSMO/Operations Master roles:
  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master
• Roles must be carefully distributed to allow DCs to take over after failure.
Other DC roles: Read-Only Domain Controllers[2]
• Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
• But:
  • Is limited
  • No credentials stored locally.
  • Authentication requires access to a writeable DC to authenticate requests.
  • Cannot configure an RODC with an FSMO role.
• Why use them?
  • Ideal when the physical security of the DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
  • When storing data on local storage would pose a security risk.
Linux integration
• Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
• Pure Linux can use OpenLDAP to control/share system files and attributes.
  • e.g. /etc/passwd, /etc/group, /etc/hosts
• (Lab 3 will introduce adding Linux clients to an Active Directory domain.)
Summary
• Domain services provide functionality to control the logical structure of an organisation.
• Domains are used within a geographical boundary (e.g. in a single company).
• Forests connect multiple domains together.
• Forests provide a number of trust relationships for information to flow between domains.
• Organisational units provide structure and act as containers for resources, which can model the real-world company structure.
Next Time & References
• Naming and Namespaces
• Objects in Active Directory – computers, users and groups.
[1] “Unix and Linux Systems Administration Handbook”, Nemeth, E. et al., 4th Edition, Chapter 19.3.
[2] Windows Server 2008 Active Directory Resource Kit
[3] http://technet.microsoft.com/en-us/library/cc771613.aspx
[4] http://technet.microsoft.com/en-us/library/cc787034.aspx
[5] http://www.exchangeinbox.com/article.aspx?i=30
 
Mcts chapter 1 (1)
Mcts chapter 1 (1)Mcts chapter 1 (1)
Mcts chapter 1 (1)Ankit Kumar
 
Upgrading To Notes Domino 8.5
Upgrading To Notes Domino 8.5Upgrading To Notes Domino 8.5
Upgrading To Notes Domino 8.5Chris Sparshott
 
[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web ArchitecturesCarles Farré
 
Lecture 3 more on servers and services
Lecture 3   more on servers and servicesLecture 3   more on servers and services
Lecture 3 more on servers and servicesWiliam Ferraciolli
 
Windows Server 2008 R2 Dev Session 01
Windows Server 2008 R2 Dev Session 01Windows Server 2008 R2 Dev Session 01
Windows Server 2008 R2 Dev Session 01Clint Edmonson
 
2009 Q2 WSO2 Technical Update
2009 Q2 WSO2 Technical Update2009 Q2 WSO2 Technical Update
2009 Q2 WSO2 Technical UpdateWSO2
 
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshell
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshellWe4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshell
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshellWe4IT Group
 
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)BIOVIA
 
Notes Domino Symphony Strategy May2009
Notes Domino Symphony Strategy May2009Notes Domino Symphony Strategy May2009
Notes Domino Symphony Strategy May2009Ed Brill
 
Material modulo01 asf6501(6419-a_01)
Material   modulo01 asf6501(6419-a_01)Material   modulo01 asf6501(6419-a_01)
Material modulo01 asf6501(6419-a_01)JSantanderQ
 
Configuring and administrate server
Configuring and administrate serverConfiguring and administrate server
Configuring and administrate serverGera Paulos
 
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012RES Software Nederland
 
pdf to ppt window configuration .pptx
pdf to ppt window configuration .pptxpdf to ppt window configuration .pptx
pdf to ppt window configuration .pptxTadeseBeyene
 

Similar to Lecture 5&6 corporate architecture (20)

09 necto architecture_ready
09 necto architecture_ready09 necto architecture_ready
09 necto architecture_ready
 
Dutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning PresentationDutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning Presentation
 
working with sql server agent-2
working with sql server agent-2working with sql server agent-2
working with sql server agent-2
 
(ATS4-APP09)Tips and tricks for Managing Symyx Notebook Server Performance
(ATS4-APP09)Tips and tricks for Managing Symyx Notebook Server Performance(ATS4-APP09)Tips and tricks for Managing Symyx Notebook Server Performance
(ATS4-APP09)Tips and tricks for Managing Symyx Notebook Server Performance
 
Mcts chapter 1 (1)
Mcts chapter 1 (1)Mcts chapter 1 (1)
Mcts chapter 1 (1)
 
Upgrading To Notes Domino 8.5
Upgrading To Notes Domino 8.5Upgrading To Notes Domino 8.5
Upgrading To Notes Domino 8.5
 
Data In Cloud
Data In CloudData In Cloud
Data In Cloud
 
[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures[DSBW Spring 2009] Unit 05: Web Architectures
[DSBW Spring 2009] Unit 05: Web Architectures
 
Lecture 3 more on servers and services
Lecture 3   more on servers and servicesLecture 3   more on servers and services
Lecture 3 more on servers and services
 
Så er lotus notes domino 8.5.3 kommet
Så er lotus notes domino 8.5.3 kommetSå er lotus notes domino 8.5.3 kommet
Så er lotus notes domino 8.5.3 kommet
 
Windows Server 2008 R2 Dev Session 01
Windows Server 2008 R2 Dev Session 01Windows Server 2008 R2 Dev Session 01
Windows Server 2008 R2 Dev Session 01
 
2009 Q2 WSO2 Technical Update
2009 Q2 WSO2 Technical Update2009 Q2 WSO2 Technical Update
2009 Q2 WSO2 Technical Update
 
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshell
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshellWe4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshell
We4IT LCTY 2013 - x-pages-men - ibm domino xpages - performance in a nutshell
 
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
 
Notes Domino Symphony Strategy May2009
Notes Domino Symphony Strategy May2009Notes Domino Symphony Strategy May2009
Notes Domino Symphony Strategy May2009
 
Mcts chapter 1
Mcts chapter 1Mcts chapter 1
Mcts chapter 1
 
Material modulo01 asf6501(6419-a_01)
Material   modulo01 asf6501(6419-a_01)Material   modulo01 asf6501(6419-a_01)
Material modulo01 asf6501(6419-a_01)
 
Configuring and administrate server
Configuring and administrate serverConfiguring and administrate server
Configuring and administrate server
 
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012
RES Automation Manager 2012 - What's new...Online Seminar 17 July 2012
 
pdf to ppt window configuration .pptx
pdf to ppt window configuration .pptxpdf to ppt window configuration .pptx
pdf to ppt window configuration .pptx
 

More from Wiliam Ferraciolli

More from Wiliam Ferraciolli (20)

Lecture 12 monitoring the network
Lecture 12   monitoring the networkLecture 12   monitoring the network
Lecture 12 monitoring the network
 
Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the network
 
Lecture 10 the user experience
Lecture 10   the user experienceLecture 10   the user experience
Lecture 10 the user experience
 
Lecture 10 the user experience (1)
Lecture 10   the user experience (1)Lecture 10   the user experience (1)
Lecture 10 the user experience (1)
 
Lecture 9 further permissions
Lecture 9   further permissionsLecture 9   further permissions
Lecture 9 further permissions
 
Lecture 8 permissions
Lecture 8   permissionsLecture 8   permissions
Lecture 8 permissions
 
Lecture 7 naming and structuring objects
Lecture 7   naming and structuring objectsLecture 7   naming and structuring objects
Lecture 7 naming and structuring objects
 
Lecture 4 client workstations
Lecture 4   client workstationsLecture 4   client workstations
Lecture 4 client workstations
 
Lecture 2 servers and services
Lecture 2   servers and servicesLecture 2   servers and services
Lecture 2 servers and services
 
Lecture 1 introduction
Lecture 1   introductionLecture 1   introduction
Lecture 1 introduction
 
Lecture 13, 14 & 15 c# cmd let programming and scripting
Lecture 13, 14 & 15   c# cmd let programming and scriptingLecture 13, 14 & 15   c# cmd let programming and scripting
Lecture 13, 14 & 15 c# cmd let programming and scripting
 
Isys20261 lecture 14
Isys20261 lecture 14Isys20261 lecture 14
Isys20261 lecture 14
 
Isys20261 lecture 12
Isys20261 lecture 12Isys20261 lecture 12
Isys20261 lecture 12
 
Isys20261 lecture 11
Isys20261 lecture 11Isys20261 lecture 11
Isys20261 lecture 11
 
Isys20261 lecture 10
Isys20261 lecture 10Isys20261 lecture 10
Isys20261 lecture 10
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Isys20261 lecture 08
Isys20261 lecture 08Isys20261 lecture 08
Isys20261 lecture 08
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 

Lecture 5&6 corporate architecture

  • 5. Microsoft Domain vs. Workgroup
    [Diagram: Domain – two Windows Server 2008 Domain Controllers holding Active Directory accounts and replicating between themselves, Windows 7 clients and a Windows Server 2008 member server acting as print server. Workgroup – Windows 7 clients and a Windows Server 2008 print server, each holding its own local accounts.]
  • 6. Microsoft Workgroup
    • A collection of computers interacting informally with no centralised authority.
    • Each computer in the workgroup has its own set of local user accounts.
    • User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
    • Passwords are stored in hashed format.
    • Question: What’s a hash function?
    • If a user needs to access another computer they must have a valid account there too.
    • This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
    • Question: are there any limitations with workgroups?
  • 7. Side bar: Hash Tables
    • Hash tables provide you with a way of storing mappings of one bit of data to another.
    • Some key would provide a value (e.g. h(“Pa$$word”) → 76934856434).
    • For example, you could use a hash table to associate user names with their accounts / passwords.
    • The names would be unique and somehow provide you with the associated data, e.g. h(user name) → user account.
    [Diagram: a 12-slot table into which the names Clark Kent, Jimmy Olsen, Lois Lane and Perry White are mapped by h(user name); the slots hold the account values ACT#4534, ACT#5675, ACT#6789 and ACT#7898.]
    • A hash table will need to provide:
      • A hash function
      • A bucket array/list (more on this in 3 slides)
  • 8. Side bar: Hash Functions
    • Need some way of converting a unique key to a value: h(n) → v.
    • Easy way – use ASCII.
    • To calculate the hash value, we do:
      87·31^4 + 104·31^3 + 105·31^2 + 116·31^1 + 101·31^0 = 83549193
      h(“White”) = 83549193
    • Why use a large number? (Otherwise two different keys can end up with h(x1) = α and h(x2) = α.)
    • BUT! How do we access element 83,549,193 in our hash table?
  • 9. Side bar: Compression function
    • There are two methods:
      1. A simple “division method” using modulo arithmetic
        • Bucket array has a known size (e.g. 1000 places)
        • Position can be found by i % array length, e.g. for h(“White”) = 83549193
        • But, what happens when multiple hashes point to the same point in the hash table (i.e. collisions)?
        • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).
      2. More sophisticated method: MAD (multiply, add and divide)
        • Would produce the position
        • Collisions can be handled by using:
          • Linear probing
          • Quadratic probing
        • Investigate in your own time!
  • 10. Side bar: Bucket Arrays
    • A bucket array is just an array of N size.
    • However, instead of each element storing one bit of information, the element provides another array which can grow…
    [Diagram: a 12-slot bucket array indexed by h(f); slots hold the names Lucy Lane, Clark Kent, Jack Kent, Jimmy Olsen, Lois Lane and Perry White, with colliding entries (e.g. ACT#4534 / ACT#4535 and ACT#5675 / ACT#5676) stored side by side in the same bucket, plus ACT#6789 and ACT#7898.]
    • Better to use a linked list structure to store collisions – will allow an indefinite number rather than, say, n=9.
    • Now back to workgroups….
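The string hash, the two compression functions and the chained bucket array described on slides 7 to 10, as an added worked example (not code from the lecture). It assumes base 31 for the polynomial hash, a 1000-place bucket array for the division method and MAD constants chosen here for illustration; the names and account numbers are constructed sample data, and this is a hash-table hash, not the password hash the SAM slide refers to.

```python
"""Added example (not from the lecture slides): the string hash, compression
functions and bucket-array hash table sketched in the 'Side bar' slides.

Assumptions: base 31 for the polynomial hash (the slides multiply ASCII codes
by powers of 31); a 1000-place bucket array for the division method; the MAD
constants a, b and prime p are illustrative choices. This is a table hash for
fast lookup, not a password hash such as the one the SAM stores.
"""


def string_hash(key: str) -> int:
    """Polynomial hash over ASCII codes (Horner form), as on the 'Hash
    Functions' slide: h("White") = 87*31^4 + 104*31^3 + 105*31^2 + 116*31 + 101."""
    value = 0
    for ch in key:
        value = value * 31 + ord(ch)
    return value


def compress_division(hash_value: int, n_buckets: int) -> int:
    """Division method from the 'Compression function' slide: i % array length."""
    return hash_value % n_buckets


def compress_mad(hash_value: int, n_buckets: int,
                 a: int = 33, b: int = 7, p: int = 1_000_003) -> int:
    """Multiply-Add-and-Divide: ((a*h + b) mod p) mod N, with p a prime larger
    than N. The constants are assumed values, not taken from the slides."""
    return ((a * hash_value + b) % p) % n_buckets


class BucketHashTable:
    """Fixed-size bucket array; each bucket is a Python list (a growable
    'array inside the array', as on the 'Bucket Arrays' slide), so colliding
    keys sit side by side instead of overwriting each other."""

    def __init__(self, n_buckets: int = 1000, compress=compress_division):
        self.n_buckets = n_buckets
        self.compress = compress
        self.buckets = [[] for _ in range(n_buckets)]
        self.collisions = 0  # inserts that landed in an already occupied bucket

    def _index(self, key: str) -> int:
        return self.compress(string_hash(key), self.n_buckets)

    def put(self, key: str, value) -> None:
        bucket = self.buckets[self._index(key)]
        for i, (k, _) in enumerate(bucket):
            if k == key:            # same key again: update in place
                bucket[i] = (key, value)
                return
        if bucket:                  # different key, same slot: a collision
            self.collisions += 1
        bucket.append((key, value))

    def get(self, key: str):
        for k, v in self.buckets[self._index(key)]:
            if k == key:
                return v
        return None


# Constructed sample data in the spirit of the slides' user -> account mapping.
SAMPLE_ACCOUNTS = {
    "Clark Kent": "ACT#4534",
    "Jimmy Olsen": "ACT#5675",
    "Lois Lane": "ACT#6789",
    "Perry White": "ACT#7898",
}


def build_table(n_buckets: int = 1000) -> BucketHashTable:
    """Load the sample accounts into a table of n_buckets places."""
    table = BucketHashTable(n_buckets)
    for name, account in SAMPLE_ACCOUNTS.items():
        table.put(name, account)
    return table


if __name__ == "__main__":
    print("h('White') =", string_hash("White"))                      # 83549193
    print("division index:", compress_division(string_hash("White"), 1000))
    t = build_table()
    print(t.get("Perry White"), "collisions so far:", t.collisions)
```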
  • 11. Microsoft Workgroup
    • (Repeats slide 6.) Note: hash values and hash functions are used extensively within the OS.
  • 12. Microsoft Domain
    • For larger networks (> approx. 10 computers), it is simpler to use a centralised Directory Service that contains a list of the resources available on a network.
    • The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.
    • Active Directory Domain Services includes:
      • Database of computers, users, etc.
      • LDAP services to mediate queries and responses
      • Kerberos security service
      • File replication service to ensure redundancy of domain information
  • 13. Active Directory Data Store physical structure[2]
    [Layered diagram, top to bottom:]
    • Interfaces – LDAP, REPL, MAPI, SAM (LDAP: Lightweight Directory Access Protocol; REPL: replication and domain controller management interface; MAPI: Messaging API; SAM: Security Accounts Manager)
    • Directory Service Agent (DSA), Ntdsa.dll – allows access to the DB via the 4 interface methods; access / modification of objects via read / write ops; syntax checking (schema); maintains the schema
    • Database Layer – interface between the DSA and the DB file; low-level functions: indexing, transferring; provides low-level DB functionality & integrity checks (create, read, write, delete)
    • Extensible Storage Engine (ESE), Esent.dll – general purpose DB engine; transaction based (i.e. ATOMIC)
  • 14. Active Directory Domain Services Logical Structure
    • This is comprised of the following:
      • Partitions
      • Domains
      • Domain trees
      • Forests
      • Sites
      • Organisational Units
  • 15. AD DS Partitions[2]
    • The AD data store is divided up into a number of logical partitions (also known as naming contexts):
      • Domain directory
      • Configuration directory
      • Schema directory
      • Global catalogue (covered in a later lecture)
      • Application directory
  • 16. Domains[2]
    • Domains act as an administrative boundary within the organisation and define the following:
      • Replication boundaries
      • Security policy boundaries
      • Resource access boundaries
      • Trust boundaries
  • 17. Domain Trees
    • Multiple domains with contiguous DNS namespaces form a domain tree.
    • aardvark.com is the parent (root domain) in which child domains are created.
    [Diagram: aardvark.com with child domains eu.aardvark.com and us.aardvark.com.]
  • 18. Forests
    [Diagram: two domain trees, aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com), joined by “some kind of link!”.]
    • Highest level of the AD DS logical structure hierarchy.
    • A forest can contain one or more domain trees and one or more domain namespaces.
  • 19. Other Forest issues – Trust Relationships – Transitive Two-way Trust
    • Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
    • By default, one-way trust (non-transitive trust) is enabled between domains.
    • Need to explicitly set two-way for transitive trust.
    [Diagram: the aardvark.com and bison.com trees with a two-way trust (bison trusts aardvark) and a one-way trust; users U1 and U2 each have an account in one domain and log in from the other.]
  • 20. Shortcut Trusts
    • Two-way transitive trust between aardvark.com and bison.com.
    • Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
    • The user needs to be referred to each domain controller in the trust path for authentication.
    • To reduce latency times, introduce a short cut trust relationship.
    • A short cut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).
    [Diagram: trust path eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops); a short cut trust between eu.aardvark.com and us.bison.com reduces this to 1 hop.]
  • 21. Forest Trusts
    [Diagram: forest roots aardvark.com, bison.com and giraffe.com (children eu./us.aardvark.com, man./nott.bison.com, eu./us.giraffe.com) with a forest trust aardvark.com–bison.com and a forest trust bison.com–giraffe.com.]
    • Forest trusts provide two-way transitive trust between two connecting forest roots.
    • This means that there is transitive trust between:
      • aardvark.com ↔ bison.com
      • bison.com ↔ giraffe.com
    • But no default forest trust between aardvark.com and giraffe.com.
    • Only allows authentication to occur between forests – replication does not happen.
  • 22. External Trusts
    [Diagram: the aardvark.com and bison.com trees with a trust drawn between a single domain in each.]
    • Used to allow a domain external to the forest to access resources.
    • Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
    • Usually one-way.
  • 23. Realm Trusts
    • Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
    • Can be defined as one-way, two-way, transitive or non-transitive.
    [Diagram: the aardvark.com tree (eu.aardvark.com, us.aardvark.com) with a trust between us.aardvark.com and the realm tiger.com.]
    • In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.
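A small model of the trust kinds on slides 19 to 23, added here as a worked example (not the lecture's code), that finds the referral path and hop count a logon must cross between two domains, so the 3-hop versus 1-hop shortcut case and the non-chaining of forest trusts can be checked. It assumes the topology drawn on the slides (us.bison.com is added to the bison.com tree for the shortcut example) and the simplified trust semantics listed in the module docstring; `trust_path` and `hops` are the entry points.

```python
"""Added example (not from the lecture slides): a small model of the trust
kinds on the 'Trust Relationships', 'Shortcut', 'Forest', 'External' and
'Realm Trusts' slides, which finds the referral path between two domains.

Modelling assumptions (mine, not statements made on the slides):
  * a trust is an edge "trusting -> trusted"; a two-way trust adds both edges
  * transitive trusts (parent-child, tree-root, forest) may be chained
  * shortcut, external and this example's realm trust are non-transitive:
    usable only as a direct one-hop path between their two domains
  * a path crosses at most one forest trust, so forest trusts never chain
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# trust kinds as (name, transitive?)
PARENT_CHILD = ("parent-child", True)
FOREST = ("forest", True)
SHORTCUT = ("shortcut", False)
EXTERNAL = ("external", False)
REALM_NON_TRANSITIVE = ("realm", False)


class TrustModel:
    def __init__(self) -> None:
        # trusting domain -> [(trusted domain, kind name, transitive)]
        self.edges: Dict[str, List[Tuple[str, str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str,
                  kind: Tuple[str, bool], two_way: bool = True) -> None:
        name, transitive = kind
        self.edges.setdefault(trusting, []).append((trusted, name, transitive))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, name, transitive))

    def trust_path(self, user_domain: str, resource_domain: str) -> Optional[List[str]]:
        """Shortest chain of domains (user's domain first) a logon is referred
        along to reach resource_domain, or None if the resource domain does not
        trust the user's domain. We walk 'trusting -> trusted' edges from the
        resource domain, since it is the resource domain that must trust the account."""
        if user_domain == resource_domain:
            return [user_domain]
        # A non-transitive trust can only ever be the whole path: one hop.
        for trusted, _name, transitive in self.edges.get(resource_domain, []):
            if trusted == user_domain and not transitive:
                return [user_domain, resource_domain]
        # Breadth-first search over transitive edges; the search state records
        # whether the path has already crossed a forest trust.
        start = (resource_domain, False)
        parent: Dict[Tuple[str, bool], Optional[Tuple[str, bool]]] = {start: None}
        queue = deque([start])
        while queue:
            domain, used_forest = queue.popleft()
            for trusted, name, transitive in self.edges.get(domain, []):
                crosses = name == "forest"
                if not transitive or (crosses and used_forest):
                    continue
                state = (trusted, used_forest or crosses)
                if state in parent:
                    continue
                parent[state] = (domain, used_forest)
                if trusted == user_domain:
                    path, node = [], state
                    while node is not None:       # unwind: user -> ... -> resource
                        path.append(node[0])
                        node = parent[node]
                    return path
                queue.append(state)
        return None

    def hops(self, user_domain: str, resource_domain: str) -> Optional[int]:
        path = self.trust_path(user_domain, resource_domain)
        return None if path is None else len(path) - 1


def lecture_forests() -> TrustModel:
    """The trees drawn on the slides joined by forest trusts, plus the realm
    tiger.com; us.bison.com is added for the 'Shortcut Trusts' example."""
    m = TrustModel()
    for child, root in [("eu.aardvark.com", "aardvark.com"), ("us.aardvark.com", "aardvark.com"),
                        ("man.bison.com", "bison.com"), ("nott.bison.com", "bison.com"),
                        ("us.bison.com", "bison.com"),
                        ("eu.giraffe.com", "giraffe.com"), ("us.giraffe.com", "giraffe.com")]:
        m.add_trust(child, root, PARENT_CHILD)
    m.add_trust("aardvark.com", "bison.com", FOREST)
    m.add_trust("bison.com", "giraffe.com", FOREST)
    # tiger.com trusts us.aardvark.com one way only, non-transitively (slide 23)
    m.add_trust("tiger.com", "us.aardvark.com", REALM_NON_TRANSITIVE, two_way=False)
    return m
```

Calling `lecture_forests().hops("eu.aardvark.com", "us.bison.com")` gives 3; adding `SHORTCUT` between those two domains with `add_trust` brings it to 1, and `hops("aardvark.com", "giraffe.com")` stays `None` because the two forest trusts do not chain.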
  • 24. Sites
    • The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
    • Need to consider, when designing the organisational structure, where users and resources are going to be located.
    • A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DC’s and a number of clients.
    • There are a number of reasons for using a site when managing network traffic:
      • Replication
      • Authentication
      • Site-aware network services
  • 25. Organisational Units
    • Microsoft recommends that organisations have relatively few domains and manage the administration by use of OU’s.
    • OU’s are containers within domains and can be layered.
    • OU’s can contain different types of AD DS objects:
      • User
      • Group
      • Printers
      • Organisational units
      • Computers
      • Shared folders
      • Contacts
      • inetOrgPerson
  • 26. Organisational Units
    • Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).
    • The Schema sets out the rules to govern what objects can be used and how they are specified.
    • The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.
    • Rights & permissions are allocated to containers (and therefore to the objects in them).
  • 27. Domains and Domain Controllers
    • When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
    • Typically, domains have 2+ DC’s for redundancy because the information is so critical to the workings of the network.
    • DC’s copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.
  • 28. Integrating DNS & DHCP services
    • Microsoft encourages the integration of DNS services onto DC’s[3].
    • This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
    • Provides additional security for DNS by use of group policies (see later).
    • Avoids the need to manage DNS information separately.
    • When a DC also does DHCP, DHCP inherits the DC’s permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account[4].
  • 29. Domain Controller Issues
    • AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DC’s.
    • A faulty DC can be brought into line with other up-to-date ones by following this sequence:
      • Reboot the DC under Directory Services Restore Mode (will need to use the DSRM password supplied during the original DC setup).
      • Use a backup to get (out of date) DS information.
      • Restart, indicating non-authoritative restoration, to acquire changes from other DC’s.
    • Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.
  • 30. Why is the architecture important?
    • Active Directory involves sharing information between domain controllers.
    • Letting users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
    • In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
    • (Will look at the global catalogue in more detail in a later session when working with groups.)
  • 31. Other DC roles: Operations Masters[2]
    • Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
    • These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
    • Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
    • Types of FSMO/Operations Master roles:
      • Schema master
      • Domain naming master
      • RID master
      • PDC emulator
      • Infrastructure master
    • Roles must be carefully distributed to allow DC’s to take over after failure.
  • 32. Other DC roles: Read-Only Domain Controllers[2]
    • Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
    • But it is limited:
      • No credentials stored locally.
      • Authentication requires access to a writeable DC to authenticate requests.
      • Cannot configure an RODC with an FSMO role.
    • Why use them?
      • Ideal when the physical security of a DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
      • When storing data on local storage would pose a security risk.
  • 33. Linux integration
    • Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
    • Pure Linux can use OpenLDAP to control/share system files and attributes.
      • e.g. /etc/passwd, /etc/group, /etc/hosts
    • (Lab 3 will introduce adding Linux clients to an Active Directory domain.)
  • 34. Summary
    • Domain services provide functionality to control the logical structure of an organisation.
    • Domains are used within a geographical boundary (e.g. in a single company).
    • Forests connect multiple domains together.
    • Forests provide a number of trust relationships for information to flow between domains.
    • Organisational units provide structure and act as containers for resources which can model the real-world company structure.
  • 35. Next Time & References
    • Naming and Namespaces
    • Objects in Active Directory – computers, users and groups.
    References:
    [1] Nemeth, E. et al, “Unix and Linux System Administration Handbook”, 4th Edition, Chapter 19.3.
    [2] Windows Server 2008 Active Directory Resource Kit
    [3] http://technet.microsoft.com/en-us/library/cc771613.aspx
    [4] http://technet.microsoft.com/en-us/library/cc787034.aspx
    [5] http://www.exchangeinbox.com/article.aspx?i=30