WSS Course, Part 2


© 2007 Cenfotec IT

Overview
• Windows Server 2008 R2

What Is Active Directory?
(Diagram: Active Directory as a directory service that provides centralized management and the following functionality.)
• Organize: a single point of administration
• Manage resources: full user access to directory resources
• Control: by a single logon

AD Architecture

Active Directory Objects
(Diagram: printer objects Printer1, Printer2 and Printer3 carry attributes such as Printer Name and Printer Location; user objects such as Don Hall and Suzan Fine carry attributes such as First Name, Last Name and Logon Name. Each attribute holds a value.)
• Objects Represent Network Resources
• Attributes Store Information About an Object

Active Directory Schema
The Active Directory schema is:
• Dynamically available
• Dynamically updateable
• Protected by DACLs
Class examples: Users, Computers, Printers
Attribute examples: the list of attributes of Users might contain accountExpires, department, distinguishedName, directReports, middleName, …
Other attributes shown on the slide: dNSHostName, operatingSystem, repsFrom, repsTo

Schema

Basics

DNS and Active Directory Namespaces
(Diagram: the DNS namespace and the Active Directory namespace side by side.)
"." (DNS root domain)
  com.
    microsoft → Active Directory domain microsoft.com
      training → Active Directory domain training.microsoft.com
      sales → Active Directory domain sales.microsoft.com
        computer1
Legend: each node is a DNS node (domain or computer); microsoft.com, training.microsoft.com and sales.microsoft.com are also Active Directory domains.

Lightweight Directory Access Protocol (LDAP)
• LDAP Provides a Way to Communicate with Active Directory by Specifying Unique Naming Paths for Each Object in the Directory
• LDAP Naming Paths Include:
– Distinguished names, for example: CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
– Relative distinguished names

Active Directory Logical Structure
• Domains
• Organizational Units
• Trees and Forests
• Global Catalog

AD Logical Structure
• Domains
• Organizational units
• Trees and forests
(Diagram: a forest made up of trees; each tree contains domains, and each domain contains OUs.)

AD Physical Structure
• A site can contain multiple domains
• A domain can exist in multiple sites
(Diagram: one site spanning two domains, and one domain spread over several sites.)

Domains
• A Domain Is a Security Boundary
– A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
• A Domain Is a Unit of Replication
– Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
(Diagram: two Windows 2000 domain controllers in one domain replicating the objects User1 and User2 between each other.)

Organizational Units
(Diagram: inside a domain, the network administrative model (Sales: Users, Computers) is mapped onto the organizational structure (Vancouver: Sales, Repair).)
• Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization
• Delegate Administrative Control over the Objects Within an OU by Assigning Specific Permissions to Users and Groups

Trees and Forests
(Diagram: a forest containing two trees. The tree rooted at contoso.msft (the forest root) has the child domains asia.contoso.msft and au.contoso.msft; the tree rooted at nwtraders.msft has the child domains asia.nwtraders.msft and au.nwtraders.msft. Parent and child domains are joined by two-way transitive trusts, and the two tree roots are joined by a two-way transitive trust.)

Global Catalog
(Diagram: the Global Catalog holds a subset of the attributes of all objects in every domain. It is hosted on a Global Catalog Server and is used for queries and for group membership when a user logs on.)

Introduction to the Role of DNS in Active Directory
• Naming Convention for Windows 2000 Domains
– Windows 2000 uses DNS naming standards for domain names
– DNS domains and Active Directory domains share a common hierarchical naming structure
• Name Resolution
– DNS translates computer names to IP addresses
– Computers use DNS to locate each other on the network
• Locating the Physical Components of Active Directory
– DNS identifies domain controllers by the services they provide
– Computers use DNS to locate domain controllers and global catalog servers

AD Needs DNS

DNS Host Names and Windows 2000 Computer Names
• DNS host record and Active Directory object represent the same physical computer
• DNS allows computers to locate domain controllers within Active Directory
(Diagram: in DNS, "." → com. → microsoft → training → computer1, with sales as a sibling of training; in Active Directory, the domain training.microsoft.com contains the Builtin and Computers containers, and Computers holds Computer1 and Computer2.)
FQDN = computer1.training.microsoft.com
Windows 2000 Computer Name = Computer1

Grouping Objects

Basic Implementation

DNS Requirements for Active Directory
DNS requirements to support Active Directory:
• Support for SRV records (mandatory)
• Support for the dynamic update protocol (recommended)
• Support for incremental zone transfers (recommended)

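The SRV requirement above, together with the earlier point that computers use DNS to locate domain controllers and global catalog servers, can be made concrete with the following Python example. It is added here and is not part of the course material. It builds the locator names a domain member queries (`_ldap._tcp.dc._msdcs.<domain>` for domain controllers and `_gc._tcp.<forest>` for global catalog servers, which are the record names Windows actually uses), parses a handful of SRV records written in zone-file syntax, and orders the candidates by priority and weight as RFC 2782 prescribes. The zone data for contoso.msft is constructed for the example and does not come from a real server.

```python
import random
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample zone data for the fictional domain contoso.msft used on the slides.
# Zone-file SRV syntax: <name> <ttl> IN SRV <priority> <weight> <port> <target>
SAMPLE_ZONE = """
; domain controllers of contoso.msft
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 dc1.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 50 389 dc2.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 10 100 389 dc3.contoso.msft.
; global catalog servers of the forest
_gc._tcp.contoso.msft.             600 IN SRV 0 100 3268 dc1.contoso.msft.
; Kerberos KDC
_kerberos._tcp.contoso.msft.       600 IN SRV 0 100 88 dc1.contoso.msft.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def dc_locator_name(domain: str) -> str:
    """Name a domain member queries to find the domain controllers of a domain."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}."


def gc_locator_name(forest: str) -> str:
    """Name a domain member queries to find the global catalog servers of a forest."""
    return f"_gc._tcp.{forest.rstrip('.')}."


def parse_zone(text: str) -> List[SrvRecord]:
    """Parse SRV records from zone-file text; blank lines and ';' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line}")
        records.append(SrvRecord(m["name"].lower(), int(m["priority"]),
                                 int(m["weight"]), int(m["port"]), m["target"].lower()))
    return records


def lookup(records: List[SrvRecord], name: str) -> List[SrvRecord]:
    """All records with the given owner name (case-insensitive)."""
    return [r for r in records if r.name == name.lower()]


def order_by_preference(candidates: List[SrvRecord],
                        rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within one priority a weighted random
    order, so a target with weight 100 comes first about twice as often as one with 50."""
    rng = rng if rng is not None else random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in candidates}):
        group = [r for r in candidates if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for r in order_by_preference(lookup(zone, dc_locator_name("contoso.msft"))):
        print(f"DC {r.target} port {r.port} (priority {r.priority}, weight {r.weight})")
```

A client that cannot find the `_ldap._tcp.dc._msdcs` records at all cannot locate a domain controller, which is why SRV support is the one mandatory item on the slide; the `_kerberos` record is included only to show that other services are located the same way.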
DNS Gives the Name to Objects

What Is a Tree?
(Diagram: the tree root domain contoso.msft is the parent domain; sales.contoso.msft is its child domain. A new domain added below sales.contoso.msft continues the contiguous namespace.)

What Is a Forest?
• A Forest is One or More Trees
• Trees in a Forest Do Not Share a Contiguous Namespace
• All of the Domains in a Forest Share a Common Configuration, Schema, and Global Catalog
(Diagram: a forest with the tree contoso.msft (child domain sales.contoso.msft) and the tree nwtraders.msft (child domains marketing.nwtraders.msft and sales.nwtraders.msft).)

What Is the Forest Root Domain?
• The Forest Root Domain Is the First Domain Created in a Forest
(Diagram: the forest root domain nwtraders.msft holds the forest-wide Global Catalog, Configuration and Schema and the Enterprise Admins and Schema Admins groups; its tree contains marketing.nwtraders.msft. A second tree has the tree root domain contoso.msft with the child domain sales.contoso.msft.)

Characteristics of Multiple Domains
• Reduce Replication Traffic
• Maintain Separate and Distinct Security Policies Between Domains
• Preserve the Domain Structure of Earlier Versions of Windows NT
• Separate Administrative Control

Active Directory Physical Structure
• Domain Controllers
• Sites

Domain Controllers
Domain Controllers:
• Participate in Active Directory replication
• Perform single master operations roles in a domain
(Diagram: two domain controllers in one domain replicate User1 and User2 between each other; each domain controller holds a writeable copy of the Active Directory database.)

Domains
• 2 domain modes:
– Mixed Mode: domain controllers running Windows 2003 or 2000 together with domain controllers running Windows NT 4.0
– Native Mode: domain controllers running Windows 2003 only

Sites
(Diagram: sites in Seattle, New York, Chicago and Los Angeles, each made up of one or more IP subnets.)
Sites:
• Optimize replication traffic
• Enable users to log on to a domain controller by using a reliable, high-speed connection

AD Update in Windows Server 2008 R2
• AD DS

What Is a Directory Service?
A directory service is both the directory information source and the service that makes the information available and usable
(Diagram: centralized administration compared with dispersed administration.)

What Is AD DS?
Active Directory Domain Services (AD DS) is a directory service that provides the following services in a Windows Server 2008 network:
• User account management
• User authentication
• Computer account management
• Access to networked resources
• Domain-wide services

How Does AD DS Work?
(Diagram: a client authenticates against the domain and then accesses network resources.)
1 User and computer objects are created in the directory
2 Groups of these objects then can be created
3 A client can use the user account to authenticate against AD DS
4 The user can try to access networked resources
5 The resources will again validate the authenticated user against AD DS

AD DS Integration with Other Active Directory Server Roles
(Diagram: AD FS, AD RMS and AD CS all built on top of AD DS.)
• AD DS is the foundation for a functional network
• Most server roles depend on AD DS to provide user and resource information for the other server roles
• AD DS also provides authentication and authorization services

What Is LDAP?
Lightweight Directory Access Protocol (LDAP) is:
• A directory service protocol
• Based on TCP/IP
• A method for accessing, searching, and modifying a directory service
• A client-server model

What Is AD LDS?
(Diagram: AD LDS, accessed through LDAP.)
• An LDAP-based directory service
• Used for applications
• More flexible than AD DS
• Can have multiple instances of AD LDS run on a single computer
• Does not require DNS infrastructure
• Can be modified to meet specific application needs

AD LDS Implementation Examples
• Web authentication
• More secure log on for applications
• Store application configuration that is located in a perimeter network and cannot or should not access AD DS
• Directory for e-mail applications

What Is a PKI?
Public Key Infrastructure (PKI) is used to distribute and manage digital certificates
A PKI includes the following main components:
• Certification Authorities (CAs)
• Certificate Revocation Lists (CRLs)
• CA Management Tools
• Certificates

What Is AD CS?
Active Directory Certificate Services (AD CS) does the following:
• Provides Certification Authority
• Provides automated and manual tools for creating, distributing, and revoking certificates
• Provides certificate revocation services
• Integrates Certification Authority services with AD DS

AD CS Implementation Examples
• Secure Sockets Layer (SSL) security for Web sites
• Smartcard log on for internal client computers and VPN services
• Certificates for encrypted files
• Certificates for routers for establishing IPsec encrypted communication
• Certificates for S/MIME encrypted and authenticated e-mail

How Does AD CS Work?
(Diagram: the Certification Authority, managed through the CA management tools, saves certificates into AD DS. A Windows client receives an auto-enrolled certificate or obtains one through manual certificate enrollment.)

AD DS and AD CS Integration
AD DS and AD CS integrate tightly in the following ways:
• Certificates for user and computer objects can be automatically generated
• Certificates for computer and user objects can be stored in AD DS
• Policies for granting and revoking certificates, and configuring trusted certificates, can be managed through Group Policy settings

What Is an Enterprise Rights Management Solution?
A solution that is used to protect information stored in documents, e-mail messages, and Web sites from unauthorized viewing, modification, or use
Features include:
• Helping protect sensitive information from being accessed or shared with unauthorized users
• Helping ensure that data content is protected and tamper-resistant
• Controlling when data will expire

What Is AD RMS?
Active Directory Rights Management Services (AD RMS) is the Windows Server 2008 implementation of an enterprise rights management solution
AD RMS:
• Distributes client certificates, enforces content access policies, and provides central management
• Requires use of RMS-enabled applications such as Microsoft Office 2007 or Internet Explorer® 7.0 and the RMS client

AD RMS Implementation Examples
(Diagram: the Content Creator requests document security from AD RMS, which is backed by AD DS, and sends the protected file to the Content Consumer; the Content Consumer then requests access to the document from AD RMS.)

AD DS and AD RMS Integration
AD RMS integrates with AD DS in the following ways:
• All AD RMS users must have an AD DS account
• AD DS provides e-mail addresses required for AD RMS
• AD RMS services are registered in AD DS as a service-connection point

Active Directory Federation Services
• What is AD FS?
• How AD FS Traffic Flows in a B2B Federation Scenario
• How Does AD FS Work?
• AD DS and AD FS Integration
• Summary of the Active Directory Server Roles

What Is AD FS?
Active Directory Federation Services (AD FS):
• Enables the creation of trust relationships between two organizations
• Provides access to applications between organizations
• Provides Single Sign-on (SSO) between two different directories for Web-based applications

How AD FS Traffic Flows in a B2B Federation Scenario
(Diagram: the Account Federation Server at Tailspin Toys and the Resource Federation Server at the Online Retailer are joined by a federation trust; the client reaches the Online Retailer's Web Server across the Internet.)

How Does AD FS Work?
1 A client computer connects to a Web application in a different organization
2 The Web application redirects the authentication request to the AD FS Server
3 The resource partner AD FS server responds to the client requesting that it obtain a security token from the AD FS server in the account partner domain
4 The client requests the security token from the account partner’s AD FS server and passes the token back to the resource partner’s AD FS server
5 The resource AD FS server creates a security token for the Web application
6 The client now can gain access to the Web application

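The six steps above can be walked through in code. The following Python example is added here and is not part of the course or of AD FS itself: it is a deliberately simplified model in which HMAC-SHA256 stands in for the certificate-based signatures AD FS uses on its SAML/WS-Federation tokens. The organization names (Tailspin Toys as the account partner, the Online Retailer as the resource partner), the host names `fs.tailspintoys.msft`, `fs.onlineretailer.msft` and `orders.onlineretailer.msft`, the user account and the keys are all constructed. What the model does show faithfully is the shape of the trust: the account partner authenticates its own user and signs a token for the resource partner; the resource partner accepts that token only because the federation trust lists the account partner's key, and only after checking signature, audience and expiry; it then issues its own token for the Web application, which trusts nothing but its own AD FS server.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Dict, Optional

# Constructed signing keys for the two organizations on the slide. Real AD FS signs
# SAML/WS-Federation tokens with X.509 certificates; HMAC stands in for that here.
ACCOUNT_PARTNER_KEY = b"tailspin-toys-token-signing-key"     # held by Tailspin Toys' AD FS
RESOURCE_PARTNER_KEY = b"online-retailer-token-signing-key"  # held by the Online Retailer's AD FS

ACCOUNT_FS = "fs.tailspintoys.msft"      # hypothetical account federation server
RESOURCE_FS = "fs.onlineretailer.msft"   # hypothetical resource federation server
WEB_APP = "orders.onlineretailer.msft"   # hypothetical Web application
TOKEN_LIFETIME = 300  # seconds


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 signature: <claims>.<signature>."""
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_token(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check signature, intended audience and expiry; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = _unb64(parts[0]), _unb64(parts[1])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != audience:
        raise ValueError("token issued for a different audience")
    if claims.get("exp", 0) < now:
        raise ValueError("token expired")
    return claims


class AccountFederationServer:
    """Tailspin Toys: authenticates its own users and issues tokens for the resource partner (step 4)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users  # constructed stand-in for the account partner's AD DS accounts

    def issue_for_resource_partner(self, upn: str, password: str, now: float) -> str:
        if self.users.get(upn) != password:
            raise ValueError("authentication failed")
        return issue_token({"iss": ACCOUNT_FS, "aud": RESOURCE_FS, "upn": upn,
                            "exp": now + TOKEN_LIFETIME}, ACCOUNT_PARTNER_KEY)


class ResourceFederationServer:
    """Online Retailer: the federation trust is the table of issuers whose keys it accepts (step 5)."""

    trusted_issuers = {ACCOUNT_FS: ACCOUNT_PARTNER_KEY}

    def exchange(self, partner_token: str, now: float) -> str:
        # The issuer claim is read before verification only to pick the key;
        # nothing else from the unverified body is used.
        issuer = json.loads(_unb64(partner_token.split(".")[0])).get("iss")
        key = self.trusted_issuers.get(issuer)
        if key is None:
            raise ValueError("untrusted issuer")
        claims = verify_token(partner_token, key, RESOURCE_FS, now)
        return issue_token({"iss": RESOURCE_FS, "aud": WEB_APP, "upn": claims["upn"],
                            "exp": now + TOKEN_LIFETIME}, RESOURCE_PARTNER_KEY)


def web_app_user(app_token: str, now: float) -> Optional[str]:
    """Step 6: the Web application trusts only tokens from its own AD FS server."""
    try:
        return verify_token(app_token, RESOURCE_PARTNER_KEY, WEB_APP, now)["upn"]
    except ValueError:
        return None


def resource_partner_accepts(partner_token: str, now: float) -> bool:
    """True if the resource federation server would issue an application token for this token."""
    try:
        ResourceFederationServer().exchange(partner_token, now)
        return True
    except ValueError:
        return False


def run_flow(upn: str, password: str, now: float) -> Optional[str]:
    """Steps 1-6 end to end; returns the identity the Web application sees, or None."""
    account_fs = AccountFederationServer({"alice@tailspintoys.msft": "correct horse battery"})
    try:
        partner_token = account_fs.issue_for_resource_partner(upn, password, now)  # step 4
        app_token = ResourceFederationServer().exchange(partner_token, now)        # step 5
    except ValueError:
        return None
    return web_app_user(app_token, now)                                             # step 6
```

The audience check is what keeps a token meant for the resource federation server from being replayed straight at the Web application, and the expiry check bounds how long a captured token stays useful; both are worth keeping in mind when reading real AD FS token configuration.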
AD DS and AD FS Integration
AD DS and AD FS are integrated in the following ways:
• AD FS uses AD DS and AD LDS to provide directory services
• AD FS account partners use AD DS to manage their own user accounts
• AD FS resource partners may use AD DS accounts to provide access to external applications
• AD FS enables organizations to provide access to applications for internal AD DS accounts

Naming Conventions
• Distinguished names (DNs)
• Relative distinguished names (RDNs)
• Globally unique identifiers (GUIDs)
• User principal names (UPNs)

Distinguished Names (DNs)
• Objects are located within Active Directory domains according to a hierarchical path.
• Every object in the Active Directory store has a DN, which uniquely identifies the object.
• The DN includes the name of the domain that holds the object as well as the complete path through the container hierarchy to the object. For example: DC=msft/DC=Contoso/CN=Users/CN=John Smith

Relative Distinguished Names (RDNs)
• The RDN is one of an object’s attributes.
• The RDN is part of the full DN. For example: CN=John Smith
• Active Directory services allows duplicate RDNs for objects, but no two objects with the same RDN can exist within the same OU.

Globally Unique Identifiers (GUIDs)

User Principal Names (UPNs)
• The UPN is a friendly name that is shorter than the DN and easier to remember.
• The UPN consists of a shorthand name that represents the user and usually the DNS name of the domain where the object resides.
• Example: johns@contoso.msft

Structure of Active Directory Architecture
• Data model
• Schema
• Security model
• Administration model

Access to Active Directory Services
• Protocol Support
• Application programming interfaces (APIs)
• Virtual containers

Protocol Support
• LDAP is the Active Directory core protocol.
• Active Directory services supports remote procedure call (RPC) interfaces that support Messaging Application Programming Interface (MAPI) interfaces.
• The Active Directory information model is derived from the X.500 information model.

Application Programming Interfaces (APIs)
• Active Directory Service Interfaces (ADSI)
• LDAP C API
• Windows MAPI

Virtual Containers
• Active Directory services supports virtual containers, which allow any LDAP-compliant directory to be accessed transparently through Active Directory services.
• The virtual container is implemented via location information in the Active Directory store.

Directory Service Architecture
• Interfaces
• Directory System Agent (DSA)
• Database layer
• Extensible Storage Engine (ESE)
• Data store (Ntds.dit)

Active Directory Key Service Components

Interfaces
• LDAP provides the API for LDAP clients and exposes the ADSI so that additional applications can be written that can talk to the Active Directory services.
• REPL is used by the replication service to facilitate Active Directory replication via RPC over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP).
• SAM provides down-level compatibility to facilitate communication between Microsoft Windows 2000 and Microsoft Windows NT 4.0 domains.
• MAPI supports legacy MAPI clients.

Directory System Agent (DSA)
• Object identification
• Transaction processing
• Schema enforcement of updates
• Access control enforcement
• Support for replication
• Referrals

Database Layer
• Provides an object view of database information by applying schema semantics to database records
• Is an internal interface that is not exposed to the public
• Follows the parent references in the database and concatenates the successive RDNs to form DNs
• Translates each DN into an integer structure called the DN tag, which is used for internal access
• Is responsible for the creation, retrieval, and deletion of individual records, attributes, and values

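The two middle bullets describe a data structure that is easy to show in code. The following Python example is added here and is not the database layer's actual implementation: it models a table in which every record stores its own RDN and an integer reference to its parent record, forms a DN by following the parent references and concatenating the RDNs, and translates a DN back into its integer DN tag by walking the hierarchy from the domain down. It also enforces the RDN rule from the earlier naming slides (the same RDN may appear under different parents but not twice under the same one). The field names `dnt` and `pdnt` and the sample hierarchy are constructed for the example; the hierarchy reproduces the DN used on the Distinguished Names slide.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    """One row of the simplified data table: own RDN plus a reference to the parent row."""
    dnt: int             # DN tag, the integer key used for internal access (constructed name)
    pdnt: Optional[int]  # parent's DN tag, None for a root (constructed name)
    rdn: str             # e.g. "CN=John Smith"


class DataTable:
    def __init__(self) -> None:
        self._rows: Dict[int, Record] = {}
        self._next_dnt = 1

    def has_sibling(self, rdn: str, parent_dnt: Optional[int]) -> bool:
        """True if an object with this RDN already exists directly under the parent."""
        return any(r.pdnt == parent_dnt and r.rdn.lower() == rdn.lower()
                   for r in self._rows.values())

    def add(self, rdn: str, parent_dnt: Optional[int] = None) -> int:
        """Create a record beneath parent_dnt and return its DN tag."""
        if parent_dnt is not None and parent_dnt not in self._rows:
            raise KeyError(f"no record with DN tag {parent_dnt}")
        # The RDN rule: duplicates are allowed in the directory, but not in the same container.
        if self.has_sibling(rdn, parent_dnt):
            raise ValueError(f"{rdn} already exists in that container")
        rec = Record(self._next_dnt, parent_dnt, rdn)
        self._rows[rec.dnt] = rec
        self._next_dnt += 1
        return rec.dnt

    def dn_of(self, dnt: int) -> str:
        """Follow parent references and concatenate the successive RDNs to form the DN."""
        parts = []
        current: Optional[int] = dnt
        while current is not None:
            rec = self._rows[current]
            parts.append(rec.rdn)
            current = rec.pdnt
        return ",".join(parts)

    def tag_of(self, dn: str) -> int:
        """Translate a DN back into its DN tag by walking from the root down, case-insensitively.
        (Simplification: RDN values containing an escaped comma are not handled here.)"""
        current: Optional[int] = None
        for rdn in reversed(dn.split(",")):
            matches = [r for r in self._rows.values()
                       if r.pdnt == current and r.rdn.lower() == rdn.strip().lower()]
            if not matches:
                raise KeyError(f"no object for DN {dn}")
            current = matches[0].dnt
        assert current is not None
        return current


def build_sample():
    """Constructed sample hierarchy matching the DN on the Distinguished Names slide."""
    table = DataTable()
    msft = table.add("DC=msft")
    contoso = table.add("DC=Contoso", msft)
    users = table.add("CN=Users", contoso)
    john = table.add("CN=John Smith", users)
    return table, {"msft": msft, "contoso": contoso, "users": users, "john": john}


if __name__ == "__main__":
    table, tags = build_sample()
    print(tags["john"], "->", table.dn_of(tags["john"]))
```

Because every row points at its parent by integer rather than by name, renaming or moving a container changes one row instead of rewriting the DN stored in every descendant, which is the point of keeping DNs as tags internally.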
Extensible Storage Engine (ESE)
• A new and improved version of the JET database
• Implements a transacted database system that uses log files to ensure that committed transactions are safe
• Stores all Active Directory objects
• Comes with a predefined schema that defines all the attributes required and allowed for a given object
• Stores attributes that can have multiple values

Defining a Namespace Architecture
• Introduction
• Root domain
• First-layer domains
• Second-layer domains

Introduction to the Active Directory Installation Wizard

Adding or Creating a Domain Controller
• If you add a domain controller to an existing domain, you create a peer domain controller.
• If you create the first domain controller for a new domain, you are creating not only the domain controller but also a new domain.

Adding a Domain Controller to an Existing Domain

Creating a New Child Domain

Creating a New Domain Tree

Adding a Domain Tree to a Forest

The Active Directory Database and the Shared System Volume
• Created when Active Directory Services is installed

The Active Directory Database
• The database is a file named Ntds.dit, which is the directory for the new domain.
• The default location for the database and the database log files is %systemroot%\Ntds, although you can specify a different location.
• The database contains all the information stored in the Active Directory store.
• The Ntds.dit file is an ESE database that contains the entire schema, the global catalog, and all the objects stored on that domain controller.

The Shared System Volume
• The shared system volume is a folder structure that exists on all Windows 2000 domain controllers.
• The shared system volume stores scripts and some of the group policy objects for the current domain as well as the enterprise.
• Replication of the shared system volume occurs on the same schedule as Active Directory replication.

Domain Modes
• Mixed mode
• Native mode

Introduction to OU Planning
• OUs should reflect the details of the organization’s business structure.
• Create OUs to delegate administrative control over smaller groups of users, groups, and resources.
• OUs eliminate the need to provide users with administrative access at the domain level.
• OUs inherit security policies from the parent domain and parent OU unless inheritance is specifically disabled.

Creating the OU Structure
• You should begin your OU design by creating an OU structure for the first domain in the namespace.
• When you create an OU, you should determine who will be able to view and control certain objects and what level of administration each administrator will have over the objects.

OU Design Guidelines
• Create OUs to delegate administration.
• Create a logical and meaningful OU structure that allows OU administrators to complete their tasks efficiently.
• Create OUs to apply security policies.
• Create OUs to manage the visibility of published resources.
• Create OU structures that are relatively static. OUs also give the namespace flexibility to adapt to changing needs of the enterprise.
• Avoid allocating too many child objects to any OU.

Introduction to OUs and their Objects
• Each Active Directory object is a distinct named set of attributes that represents a specific network resource.
• Before objects are added to Active Directory services, you should create the OUs that will contain those objects.

Creating OUs

Adding Objects to OUs
(Diagram: object types that can be added to an OU: Contact, Group, Computer, Printer, Shared Folder, User.)

What Is a User Account?
A user account is an Active Directory Domain Services (AD DS) object that enables authentication and access to local and network resources
A user account can be stored:
• In AD DS (AD DS account): AD DS accounts enable log on to domains and provide access to shared network resources
• On the local computer (local account): Local accounts enable log on to a single computer and local resources
Creating a user account also creates a Security ID (SID)

Names Associated with Domain User Accounts
Naming options for domain user accounts:

Object name                                    | Example                                  | Uniqueness requirement
User logon name                                | Gregory                                  | Must be unique within domain
User logon name (pre-Microsoft® Windows® 2000) | Woodgrove\Gregory                        | Must be unique within domain
User principal name (UPN)                      | Gregory@WoodgroveBank.com                | Must be unique within forest
LDAP distinguished name                        | CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com | Will be globally unique, combining RDN, container name, and domain names
Relative distinguished name (RDN)              | CN=Gregory                               | Must be unique in OU

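The naming table above, the LDAP naming-path slide earlier in the deck and the Distinguished Names, RDN and UPN slides all describe how one account's names relate to each other. The following Python example is added here and is not part of the course material: it parses a DN into its components, handles a comma escaped inside a value (a detail the slides do not cover), and derives the RDN, the containing OU, the DNS domain name and the UPN from it. It goes a little beyond the table by also accepting the slash-separated, root-first form used on the Distinguished Names slide (`DC=msft/DC=Contoso/CN=Users/CN=John Smith`). The pre-Windows 2000 name needs the NetBIOS domain name, which cannot be derived from a DN, so it is passed in; `Woodgrove` and the other sample values come from the table.

```python
import re
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf object first.
    Accepts the comma-separated LDAP form (CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com), where a
    comma inside a value is escaped as '\\,', and the slash form used on the Distinguished Names
    slide (DC=msft/DC=Contoso/CN=Users/CN=John Smith), which is root first and so is reversed."""
    dn = dn.strip()
    if "/" in dn and "," not in dn:
        parts = dn.split("/")[::-1]
    else:
        parts = re.split(r"(?<!\\),", dn)   # split on commas not preceded by a backslash
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.replace("\\,", ",").strip()))
    return rdns


def format_dn(rdns: List[Tuple[str, str]]) -> str:
    """Canonical comma form, re-escaping commas inside values."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in rdns)


def rdn_of(dn: str) -> str:
    """The object's own name: the first component of the DN."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def container_of(dn: str) -> str:
    """DN of the OU or container the object lives in, where its RDN must be unique."""
    return format_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC components to get the DNS name of the domain holding the object."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


def upn(logon_name: str, dn: str) -> str:
    """User principal name: logon name @ DNS domain of the account (unique per forest)."""
    return f"{logon_name}@{domain_dns_name(dn)}"


def pre_windows_2000_name(netbios_domain: str, logon_name: str) -> str:
    """DOMAIN\\user form; the NetBIOS domain name is supplied by the caller."""
    return f"{netbios_domain}\\{logon_name}"


def names_for(logon_name: str, dn: str, netbios_domain: str) -> Dict[str, str]:
    """Every name from the table for one account, derived from the logon name and DN."""
    return {
        "logon": logon_name,
        "pre2000": pre_windows_2000_name(netbios_domain, logon_name),
        "upn": upn(logon_name, dn),
        "dn": format_dn(parse_dn(dn)),
        "rdn": rdn_of(dn),
        "container": container_of(dn),
    }


if __name__ == "__main__":
    for k, v in names_for("Gregory", "CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com", "Woodgrove").items():
        print(f"{k:10} {v}")
```

Note that the UPN is built from the DNS name of the domain that holds the account, which is why the table says it must be unique across the whole forest rather than within one domain, while the RDN only has to be unique within its container.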
Locating Objects

Modifying Attributes and Deleting Objects
• You can modify the attributes of an object to change or add information.
• You can modify an object’s attribute by opening the properties for that object in the Active Directory Users And Computers snap-in.
• To maintain security, delete objects when they are no longer needed.

Moving Objects
• You can move objects from one location in the Active Directory store to another location.
• You should move objects when organization or administrative functions change.

Managing Active Directory Permissions
• Use Active Directory permissions to determine who has the permissions to gain access to the object and what type of access is allowed.
• The object type determines which permissions you can select.
• Permissions inheritance minimizes the number of times you need to assign permissions for objects.

Delegating Administrative Control of Objects
• You can delegate administrative control of objects to individuals.
• Use the Delegation Of Control wizard to delegate control of objects.
• An administrator can delegate specific types of control.
• The most common method of delegating control is to assign permissions at the OU level.
• To delegate administrative control, you should try to follow specific guidelines.
• You can access the Delegation Of Control wizard through the Active Directory Users And Computers snap-in.

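Delegating at the OU level, permission inheritance, and the OU-planning note that inheritance applies "unless specifically disabled" fit together in one model. The following Python example is added here and is not the Windows access-check algorithm or the wizard's code: it is a simplified model in which each OU carries its own access control entries, entries flow down to child OUs until one of them blocks inheritance, and the first matching entry wins, with deny entries on an object evaluated before its allow entries and explicit entries before inherited ones. The OU names follow the Organizational Units slide (Sales, Vancouver, Repair); the groups `Sales Helpdesk` and `Contractors`, the right names and the rest of the sample are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry, as the Delegation Of Control wizard would write it."""
    trustee: str              # user or group granted or denied the right
    right: str                # e.g. "ResetPassword", "CreateUser"; "Full" covers every right
    allow: bool = True        # False makes this a deny entry
    inheritable: bool = True  # whether objects below this one receive the entry


@dataclass
class DirectoryObject:
    name: str                                   # RDN, e.g. "OU=Sales"
    parent: Optional["DirectoryObject"] = None
    aces: List[Ace] = field(default_factory=list)
    block_inheritance: bool = False             # "inheritance specifically disabled"

    def dn(self) -> str:
        return self.name if self.parent is None else f"{self.name},{self.parent.dn()}"


def delegate(obj: DirectoryObject, trustee: str, right: str,
             allow: bool = True, inheritable: bool = True) -> None:
    """Assign a permission on an OU; with inheritable=True it applies to everything beneath."""
    obj.aces.append(Ace(trustee, right, allow, inheritable))


def effective_aces(obj: DirectoryObject) -> List[Ace]:
    """Entries in evaluation order: the object's own entries, then those inherited from each
    ancestor in turn, stopping where inheritance is blocked. Within one level a deny entry is
    evaluated before an allow entry."""
    levels = [list(obj.aces)]
    current = obj
    while not current.block_inheritance and current.parent is not None:
        current = current.parent
        levels.append([a for a in current.aces if a.inheritable])
    ordered: List[Ace] = []
    for level in levels:
        ordered.extend(sorted(level, key=lambda a: a.allow))  # False (deny) sorts first
    return ordered


def is_allowed(obj: DirectoryObject, principals: Set[str], right: str) -> bool:
    """principals: the user's own name plus the groups it belongs to.
    The first matching entry decides; no matching entry means no access."""
    for ace in effective_aces(obj):
        if ace.trustee in principals and ace.right in (right, "Full"):
            return ace.allow
    return False


def build_sample() -> dict:
    """Constructed sample: a domain with the Sales OU, a Vancouver OU under it, and a Repair OU
    under that whose inheritance is blocked."""
    domain = DirectoryObject("DC=contoso,DC=msft")
    sales = DirectoryObject("OU=Sales", domain)
    vancouver = DirectoryObject("OU=Vancouver", sales)
    repair = DirectoryObject("OU=Repair", vancouver, block_inheritance=True)
    delegate(domain, "Domain Admins", "Full")                         # domain-wide, inherited
    delegate(sales, "Sales Helpdesk", "ResetPassword")                 # delegated at the OU level
    delegate(vancouver, "Contractors", "ResetPassword", allow=False)   # explicit deny on one OU
    return {"domain": domain, "sales": sales, "vancouver": vancouver, "repair": repair}


if __name__ == "__main__":
    ous = build_sample()
    for name, obj in ous.items():
        print(obj.dn(), "helpdesk can reset:", is_allowed(obj, {"bob", "Sales Helpdesk"}, "ResetPassword"))
```

Two things the model makes visible that are easy to miss in the wizard: a deny placed on one OU overrides an allow delegated higher up, and blocking inheritance on an OU cuts off every inherited entry at once, including the domain-wide ones, so the OU then needs its own entries.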
