WSS Course, Part 2 (Curso de WSS 2 Parte)
Overview
• Windows Server 2008 R2
2007 Cenfotec IT
What Is Active Directory?
• A directory service
• Centralized management
• Functionality:
– Organize: a single point of administration
– Manage resources: full user access to directory resources
– Control: access is controlled by a single logon
AD Architecture
Active Directory Objects
• Objects: the things Active Directory stores, for example printers (Printer1, Printer2, Printer3) and users (Don Hall, Suzan Fine)
• Attributes: each object carries a set of attributes, and each attribute has a value
– Printer attributes: Printer Name, Printer Location
– User attributes: First Name, Last Name, Logon Name
Active Directory Schema
• Class examples: Users, Computers, Printers
• Attribute examples: accountExpires, department, distinguishedName, directReports, middleName, dNSHostName, operatingSystem, repsFrom, repsTo, …
• The list of attributes of the Users class might contain: accountExpires, department, distinguishedName, directReports, middleName, …
• The Active Directory schema is:
– Dynamically available
– Dynamically updateable
– Protected by DACLs
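A worked example, added here and not part of the course slides, of reading the schema the slide describes with the ActiveDirectory PowerShell module. It assumes a domain-joined machine with the RSAT module installed and a reachable domain controller; the class and attribute names (user, accountExpires) are the real lDAPDisplayNames from the slide, and the DACL check at the end is the practical meaning of "protected by DACLs".

```powershell
# Added example: inspect the Active Directory schema. Not from the course
# slides. Assumes the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=contoso,DC=msft

# 1. A class definition: which attributes may a "user" object carry?
#    systemMayContain is what Microsoft ships; mayContain is what an
#    administrator added when extending the schema.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties subClassOf, mayContain, systemMayContain

"user derives from: $($userClass.subClassOf)"
"attributes shipped by Microsoft: $($userClass.systemMayContain.Count)"
$userClass.systemMayContain -contains 'accountExpires'      # True: one of the slide's examples

# 2. An attribute definition: syntax, single- vs multi-valued, indexing flags.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=accountExpires))' `
    -Properties attributeSyntax, isSingleValued, searchFlags |
    Format-List lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags

# 3. "Protected by DACLs": who may write to the schema partition. A schema
#    change is forest-wide and cannot be undone, so this list should contain
#    little more than Schema Admins and the system itself.
(Get-Acl -Path "AD:\$schemaNC").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|CreateChild|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize
```

The third query is the one to run periodically: any identity other than Schema Admins, Enterprise Admins and SYSTEM with write rights on the schema container can change the definition of every object class in the forest.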
Schema
Basics
DNS and Active Directory Namespaces
• DNS namespace: "." (the DNS root domain), then com., then microsoft.com, then its subdomains training.microsoft.com and sales.microsoft.com; each level is a subdomain of the one above it
• Active Directory namespace: objects are named by their position in the same hierarchy, for example CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
Active Directory Logical
Structure
• Domains
• Organizational Units
• Trees and Forests
• Global Catalog
AD Logical Structure
• Domains
• Organizational units
• Trees and forests
(Figure: a forest made of two trees; each tree is a hierarchy of domains, and each domain contains OUs, which can in turn contain OUs.)
AD Physical Structure
• A site can contain multiple domains
• A domain can exist in multiple sites
(Figure: sites and domains overlap: one site spans two domains, and one domain spans two sites.)
Domains
• A Domain Is a Security Boundary
– A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
– Caveat: every domain in a forest shares one schema and configuration and trusts every other domain transitively, so current Microsoft guidance treats the forest as the security boundary and the domain as an administrative boundary
• A Domain Is a Unit of Replication
– Domain controllers in a domain participate in
replication and contain a complete copy of
the directory information for their domain
(Figure: two Windows 2000 domain controllers replicating with each other, each serving its own users.)
Organizational Units
• OUs map the network administrative model onto the organizational structure
(Figure: a domain containing OUs such as Sales, Vancouver, Users, Computers and Repair, some nested inside others.)
Trees and Forests
(Figure: a forest whose root is contoso.msft. One tree holds contoso.msft and its child domains asia.contoso.msft and au.contoso.msft; a second tree holds nwtraders.msft and its child domains asia.nwtraders.msft and au.nwtraders.msft.)
• Parent and child domains are joined by two-way transitive trusts
• The tree roots are joined to the forest root by two-way transitive trusts, so every domain in the forest trusts every other domain
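The trust layout on the slide, and the settings that decide how much one domain can do to another, as an added example that is not part of the course. It assumes the ActiveDirectory PowerShell module and a reachable domain controller in the domain being checked.

```powershell
# Added example: enumerate trust relationships and the settings that matter
# for security. Not from the course slides. Assumes the ActiveDirectory
# module and a reachable DC in the domain being checked.
Import-Module ActiveDirectory

$trusts = Get-ADTrust -Filter *

$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# Inside a forest the two-way transitive trusts on the slide are not filtered
# or restricted; that is why the forest, not the domain, is the real security
# boundary. For trusts that leave the forest, SID filtering is what stops the
# other side from presenting our privileged SIDs in sIDHistory, so warn when
# it is off.
foreach ($t in $trusts) {
    if ($t.IntraForest) { continue }
    $filtered = if ($t.ForestTransitive) { $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }
    if (-not $filtered) {
        Write-Warning ("Trust to {0} ({1}) has SID filtering disabled" -f $t.Name, $t.Direction)
    }
    if (-not $t.SelectiveAuthentication) {
        Write-Verbose ("Trust to {0} lets any user of that domain authenticate here" -f $t.Name) -Verbose
    }
}

# The same topology from the tool that ships on every DC; /all_trusts walks
# the whole forest rather than just the local domain.
nltest /domain_trusts /all_trusts
```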
Global Catalog
• Holds a subset of the attributes of all objects in every domain of the forest
• Global catalog servers answer forest-wide queries
• Consulted for (universal) group membership when a user logs on
(Figure: several domains feeding the global catalog held on a global catalog server.)
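An added example, not from the course slides, of finding global catalog servers and querying one over the GC port. It assumes the ActiveDirectory module, at least one GC in the forest, and the deck's sample user johns@contoso.msft.

```powershell
# Added example: query the global catalog. Not from the course slides.
# Assumes the ActiveDirectory module and the deck's sample user johns@contoso.msft.
Import-Module ActiveDirectory

# Which domain controllers also hold the global catalog?
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Domain, Site |
    Format-Table -AutoSize

# Ask one GC on its own port (3268) for an object that may live in any domain
# of the forest. An empty SearchBase means "the whole forest" and is only
# accepted on the GC port; on 389 a DC answers for its own domain only.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=user)(userPrincipalName=johns@contoso.msft))' `
    -Properties userPrincipalName, objectSid

# Only attributes in the partial attribute set replicate to every GC. Listing
# them shows what a forest-wide read on 3268 can return; everything else needs
# a referral to a DC of the object's own domain.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
"{0} attributes are replicated to the global catalog" -f @($pas).Count
```

Adding an attribute to the partial attribute set makes it readable from every GC in the forest, so the last query is also the place to check before extending the set with anything sensitive.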
Introduction to the Role of
DNS in Active Directory
• Naming Convention for Windows 2000 Domains
– Windows 2000 uses DNS naming standards for domain
names
– DNS domains and Active Directory domains share a common
hierarchical naming structure
• Name Resolution
– DNS translates computer names to IP addresses
– Computers use DNS to locate each other on the network
• Locating the Physical Components of Active Directory
– DNS identifies domain controllers by the services they provide
– Computers use DNS to locate domain controllers and global
catalog servers
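The lookups behind "computers use DNS to locate domain controllers and global catalog servers", as an added example that is not part of the course slides. It assumes the deck's sample domain contoso.msft and the DnsClient module (Windows 8 / Windows Server 2012 or later); on Windows Server 2008 R2 the same records can be read with "nslookup -type=SRV <name>".

```powershell
# Added example: the DNS lookups a client performs to find domain controllers
# and global catalog servers. Not from the course slides. Assumes the deck's
# sample domain contoso.msft and the DnsClient module (Windows 8/2012 or
# later); on Windows Server 2008 R2 use "nslookup -type=SRV <name>" instead.
$domain = 'contoso.msft'

# AD DS registers one SRV record per DC under _msdcs, keyed by role:
# dc = domain controller, gc = global catalog, pdc = PDC emulator.
$roleRecords = @{
    'LDAP on any DC' = "_ldap._tcp.dc._msdcs.$domain"
    'Kerberos KDC'   = "_kerberos._tcp.dc._msdcs.$domain"
    'Global catalog' = "_gc._tcp.$domain"
    'PDC emulator'   = "_ldap._tcp.pdc._msdcs.$domain"
}
foreach ($role in $roleRecords.Keys) {
    Resolve-DnsName -Name $roleRecords[$role] -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='Role'; e={ $role }}, NameTarget, Port, Priority, Weight
}

# Site-aware lookup: the locator first tries DCs in the client's own site
# (_sites.<site>), which is what the Sites slide means by a fast, reliable DC.
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port

# Cross-check with the locator itself: which DC and GC this machine picked.
# The locator trusts whatever DNS returns, so control of DNS (or of dynamic
# updates to these records) is control of which "DC" clients talk to.
nltest "/dsgetdc:$domain" /gc
```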
AD Needs DNS
DNS Host Names and Windows 2000 Computer Names
• A DNS host record and an Active Directory computer object represent the same physical computer
• DNS allows computers to locate domain controllers within Active Directory
(Figure: the DNS tree "." , com., microsoft, training and sales, beside the Active Directory domain training.microsoft.com with its Builtin and Computers containers holding Computer1 and Computer2.)
• FQDN = computer1.training.microsoft.com
• Windows 2000 computer name = Computer1
Grouping Objects
Basic Implementation
DNS Requirements for Active Directory
(Figure: DNS requirements to support Active Directory.)
DNS gives the name to objects
What Is a Tree?
• Tree root domain (parent domain): contoso.msft
• Child domain: sales.contoso.msft
• A tree is a contiguous namespace: a new domain added beneath contoso.msft takes a name such as sales.contoso.msft
What Is a Forest?
• A forest is one or more trees
• Trees in a forest do not share a contiguous namespace
• All of the domains in a forest share a common configuration, schema, and global catalog
(Figure: a forest with the tree contoso.msft (child sales.contoso.msft) and the tree nwtraders.msft (children marketing.nwtraders.msft and sales.nwtraders.msft).)
What Is the Forest Root Domain?
• The forest root domain is the first domain created in a forest
• The forest-wide groups Enterprise Admins and Schema Admins exist only in the forest root domain
• The forest root domain anchors what the whole forest shares: the global catalog, the configuration, and the schema
(Figure: forest root domain nwtraders.msft with child marketing.nwtraders.msft; tree root domain contoso.msft with child sales.contoso.msft.)
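An added example, not from the course, that identifies the forest root and lists the members of the two forest-wide groups the slide names. It assumes the ActiveDirectory module and a reachable domain controller; the RIDs 519 and 518 are the well-known ones for Enterprise Admins and Schema Admins.

```powershell
# Added example: identify the forest root domain and the forest-wide groups
# that exist only there. Not from the course slides. Assumes the
# ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$forest | Select-Object Name, RootDomain, ForestMode, SchemaMaster, DomainNamingMaster,
                        @{n='Domains';        e={ $_.Domains -join ', ' }},
                        @{n='GlobalCatalogs'; e={ $_.GlobalCatalogs -join ', ' }} |
          Format-List

# Enterprise Admins (RID 519) and Schema Admins (RID 518) live only in the
# forest root domain; their SIDs are the root domain's SID plus that RID.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

foreach ($rid in 519, 518) {
    $group   = Get-ADGroup -Identity "$rootSid-$rid" -Server $forest.RootDomain
    $members = @(Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive)
    "{0}: {1} member(s)" -f $group.Name, $members.Count
    $members | Select-Object -ExpandProperty SamAccountName
}
# What to expect: Schema Admins empty except during a planned schema change,
# Enterprise Admins holding only break-glass accounts. Membership here is
# control of every domain in the forest, which is why the root domain is the
# one to guard most carefully.
```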
Characteristics of Multiple
Domains
Active Directory Physical
Structure
• Domain Controllers
• Sites
Domain Controllers
Domain controllers:
• Participate in Active Directory replication
• Perform single master operations roles in a domain
• Hold a writeable copy of the Active Directory database
(Figure: two domain controllers replicating with each other, each serving its own users.)
Domains
• Two domain modes:
– Mixed: domain controllers running Windows 2003 or 2000 together with domain controllers running Windows NT 4.0
– Native: domain controllers running Windows 2003 only
Sites
(Figure: sites Seattle, New York, Chicago and Los Angeles; each site is defined by one or more IP subnets.)
Sites:
• Optimize replication traffic
• Enable users to log on to a domain controller by using a reliable, high-speed connection
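The Domain Controllers and Sites slides together, as an added example that is not part of the course: list the DCs, the single-master role holders, the replication state and the site/subnet map. It assumes the ActiveDirectory module; the Get-ADReplication* cmdlets exist only in the Windows Server 2012 or later module, while the repadmin and nltest lines work on 2008 R2.

```powershell
# Added example: domain controllers, the single-master (FSMO) role holders,
# replication state, and the site/subnet map. Not from the course slides.
# Assumes the ActiveDirectory module; the Get-ADReplication* cmdlets need the
# Windows Server 2012 or later module, the repadmin/nltest lines work on 2008 R2.
Import-Module ActiveDirectory

# Every DC in the domain, with its site, GC status and whether it is read-only.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Single-master roles: two per forest, three per domain. Losing the holder
# does not stop logons, but it blocks the operations that role serializes.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Replication partners and last result for one DC. A stale
# LastReplicationSuccess means that DC is still honouring passwords and
# accounts that were changed, disabled or locked elsewhere.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-ADReplicationPartnerMetadata -Target $dc -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Sites and the subnets that map clients to them. A client whose address
# matches no subnet cannot be placed in a site and falls back to the
# domain-wide DC records, so it may authenticate across a slow link.
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Equivalent checks with the tools that ship on every DC.
repadmin /showrepl $dc
repadmin /replsummary
nltest /dsgetsite
```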
AD Update in
Windows Server 2008 R2
AD DS
What Is a Directory Service?
A directory service is both the directory information source and the
service that makes the information available and usable
(Figure: a directory service supports both centralized administration and dispersed administration.)
What Is AD DS?
Active Directory Domain Services (AD DS) is a
directory service that provides the following
services in a Windows Server 2008 network:
User account management
User authentication
Domain-wide services
How Does AD DS Work
• Clients authenticate against the domain
• Authenticated clients access network resources
AD DS Integration with Other Active Directory Server Roles
• AD DS is the foundation for a functional network
• Most server roles depend on AD DS to provide user and resource information for the other server roles
• AD DS also provides authentication and authorization services
(Figure: AD FS, AD RMS and AD CS layered on top of AD DS.)
What Is LDAP?
Lightweight Directory Access Protocol (LDAP) is:
• A directory service protocol
• Based on TCP/IP
• A client-server model
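An added example, not from the course, of the client-server exchange the slide describes, done with .NET's System.DirectoryServices.Protocols rather than the AD cmdlets so the LDAP operations (bind, RootDSE read, subtree search) are visible. It assumes a DC named dc01.contoso.msft (the deck's sample domain), the caller's Kerberos ticket, and the deck's sample user johns.

```powershell
# Added example: a raw LDAP session with .NET's System.DirectoryServices.Protocols,
# showing the client-server exchange the slide describes. Not from the course
# slides. Assumes a DC named dc01.contoso.msft, the caller's Kerberos ticket,
# and the deck's sample user johns.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$server = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList 'dc01.contoso.msft', 389
$conn   = New-Object "$P.LdapConnection" -ArgumentList $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos via SSPI
$conn.SessionOptions.Signing = $true   # every LDAP message is integrity-protected ...
$conn.SessionOptions.Sealing = $true   # ... and encrypted; on port 389 this is what keeps the traffic private
$conn.Bind()

# 1. Read the RootDSE: base DN "", scope Base. This is how any client learns
#    the server's naming contexts and supported mechanisms.
$req = New-Object "$P.SearchRequest"
$req.DistinguishedName = ''
$req.Filter = '(objectClass=*)'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
$req.Attributes.AddRange([string[]]@('defaultNamingContext', 'supportedSASLMechanisms'))
$rootDse = $conn.SendRequest($req).Entries[0]
$baseDN  = [string]$rootDse.Attributes['defaultNamingContext'][0]
"Default naming context: $baseDN"
"SASL mechanisms: " + ($rootDse.Attributes['supportedSASLMechanisms'].GetValues([string]) -join ', ')

# 2. A subtree search for one user, asking only for two attributes.
$req = New-Object "$P.SearchRequest"
$req.DistinguishedName = $baseDN
$req.Filter = '(&(objectClass=user)(sAMAccountName=johns))'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req.Attributes.AddRange([string[]]@('distinguishedName', 'userPrincipalName'))
foreach ($entry in $conn.SendRequest($req).Entries) {
    "{0} -> {1}" -f $entry.DistinguishedName, [string]$entry.Attributes['userPrincipalName'][0]
}
$conn.Dispose()

# 3. The same bind over LDAPS (TCP 636): TLS protects the session and the
#    client validates the DC's certificate, so signing/sealing is not needed.
$ssl = New-Object "$P.LdapConnection" -ArgumentList (New-Object "$P.LdapDirectoryIdentifier" -ArgumentList 'dc01.contoso.msft', 636)
$ssl.SessionOptions.SecureSocketLayer = $true
$ssl.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ssl.Bind()
$ssl.Dispose()
```

Simple binds on port 389 send the password in clear text and are what LDAP-signing policies on the DC are meant to refuse; the example uses Negotiate with signing and sealing, or TLS on 636, which is what an application talking to AD DS should do.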
What Is AD LDS?
• An LDAP-based directory service
• Used for applications
• More flexible than AD DS
• Can have multiple instances of AD LDS running on a single computer
• Does not require DNS infrastructure
• Can be modified to meet specific application needs
AD LDS Implementation Examples
• Web authentication: more secure logon for applications
• Storing application configuration that is located in a perimeter network and cannot or should not access AD DS
• A directory for e-mail applications
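An added example, not from the course, showing the two AD LDS properties the slides stress: several instances on one computer, each addressed by port rather than by DNS. The instance name "AppDirectory", its port 50000 and its partition DC=app,DC=local are assumptions; the real values are chosen in the AD LDS setup wizard.

```powershell
# Added example: find the AD LDS instances on a server and bind to one. Not
# from the course slides. The instance name "AppDirectory", its port 50000
# and its partition DC=app,DC=local are assumptions.

# Each instance is a Windows service named ADAM_<instance name>, with its own
# ports, schema and database, independent of AD DS and of each other.
Get-Service -Name 'ADAM_*' | Select-Object Name, Status
dsdbutil "list instances" quit

# Bind to the instance's RootDSE with ADSI. No DNS is involved: the client
# addresses the instance by host and port.
$root = [ADSI]'LDAP://localhost:50000/RootDSE'
$root.namingContexts             # the partitions this instance hosts
$root.supportedLDAPVersion

# Read the application partition the instance was created with.
$app = [ADSI]'LDAP://localhost:50000/DC=app,DC=local'
$app.distinguishedName
$app.Children | ForEach-Object { $_.distinguishedName }

# The same read with the ActiveDirectory module: AD LDS needs -Server with the
# port and an explicit -SearchBase, since the instance may have no default
# naming context.
Import-Module ActiveDirectory
Get-ADObject -Server 'localhost:50000' -SearchBase 'DC=app,DC=local' -Filter * |
    Select-Object DistinguishedName, ObjectClass
```

An instance in a perimeter network, as in the slide's second example, should be bound to over LDAPS on its SSL port and should hold only the application's own data; it has no trust relationship with AD DS unless one is deliberately configured.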
What Is a PKI?
• Public Key Infrastructure (PKI) is used to distribute and manage digital certificates
• CA management tools
• Certificates
What Is AD CS?
Active Directory Certificate Services (AD CS)
does the following:
• Provides Certification Authority
AD CS Implementation Examples
• Secure Sockets Layer (SSL) security for internal Web sites
• Smartcard logon for client computers and VPN services
• Certificates for encrypted files
• Certificates for routers, for establishing IPsec communication
• Certificates for S/MIME encrypted and authenticated e-mail
How Does AD CS Work?
(Figure: a Certification Authority with its CA management tools; certificates are saved into AD DS; a Windows client receives an auto-enrolled certificate or performs manual certificate enrollment.)
AD DS and AD CS
Integration
AD DS and AD CS integrate tightly in the
following ways:
• Certificates for user and computer objects can be automatically generated
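What "certificates saved into AD DS" and automatic enrollment look like from the directory side, as an added example that is not part of the course. It assumes the ActiveDirectory module and an enterprise CA in the forest; the two extended-right GUIDs are the schema-defined ones for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example: what AD CS publishes into AD DS, and who may enrol for each
# certificate template. Not from the course slides. Assumes the ActiveDirectory
# module and an enterprise CA in the forest.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# 1. Enterprise CAs registered in the forest, and the templates each one issues.
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, certificateTemplates |
    Select-Object Name, dNSHostName, @{n='Templates'; e={ $_.certificateTemplates -join ', ' }}

# 2. Templates are AD objects protected by DACLs; the Enroll and AutoEnroll
#    extended rights decide who can obtain a certificate, and GenericAll /
#    WriteDacl / WriteOwner let a principal rewrite the template itself.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    ForEach-Object {
        $tpl = $_
        (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $autoEnrollRight -or
                    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
            } |
            Select-Object @{n='Template'; e={ $tpl.Name }}, IdentityReference,
                          @{n='Right'; e={
                              if ($_.ObjectType -eq $enrollRight) { 'Enroll' }
                              elseif ($_.ObjectType -eq $autoEnrollRight) { 'AutoEnroll' }
                              else { $_.ActiveDirectoryRights } }}
    } | Sort-Object Template, IdentityReference | Format-Table -AutoSize

# 3. On a client: trigger autoenrollment now, then list what the CA issued and
#    the certificate AD DS stores on the user object ("certificates saved into AD DS").
certutil -pulse
Get-ChildItem Cert:\CurrentUser\My | Select-Object Subject, Issuer, NotAfter, Thumbprint
(Get-ADUser -Identity $env:USERNAME -Properties userCertificate).userCertificate |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$_) } |
    Select-Object Subject, NotAfter, Thumbprint
```

The second query is the one a reviewer of an AD CS deployment reads first: a template that broad groups can enrol for, and that can be edited by anyone outside the PKI administrators, is a way for those principals to obtain certificates the CA will trust for whatever purposes the template allows.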
What Is an Enterprise Rights Management Solution?
A solution that is used to protect information stored in documents, e-mail messages, and Web sites from unauthorized viewing, modification, or use
Features include:
• Helping protect sensitive information from being accessed or shared with unauthorized users
What Is AD RMS?
Active Directory Rights Management Services (AD RMS) is the Windows Server 2008 implementation of an enterprise rights management solution
AD RMS:
• Distributes client certificates, enforces content access policies, and provides central management
AD RMS Implementation Examples
(Figure: a four-step flow between a Content Creator, AD RMS (backed by AD DS) and a Content Consumer: the creator requests document security from AD RMS, sends the protected file to the consumer, and the consumer requests access to the document from AD RMS.)
AD DS and AD RMS
Integration
AD RMS integrates with AD DS in the following
ways:
• All AD RMS users must have an AD DS account
Active Directory Federation
Services
• What is AD FS?
• How AD FS Traffic Flows in a B2B Federation
Scenario
• How Does AD FS Work?
• AD DS and AD FS Integration
• Summary of the Active Directory Server Roles
What Is AD FS?
Active Directory Federation Services (AD FS):
• Enables the creation of trust relationships between two organizations
• Provides Single Sign-on (SSO) between two different directories for Web-
based applications
How AD FS Traffic Flows in a B2B Federation Scenario
(Figure: an Account Federation Server and a Resource Federation Server joined by a federation trust across the Internet; the Web server sits behind the resource federation server.)
How Does AD FS Work?
1 A client computer connects to a Web application in a different organization
4 The client requests the security token from the account partner's AD FS server and passes the token back to the resource partner's AD FS server
5 The resource AD FS server creates a security token for the Web application
AD DS and AD FS Integration
AD DS and AD FS are integrated in the following ways:
• AD FS uses AD DS and AD LDS to provide directory services
• AD FS account partners use AD DS to manage their own user accounts
• AD FS resource partners may use AD DS accounts to provide access to applications
• AD FS enables organizations to provide external access to applications for internal AD DS accounts
Naming Conventions
Distinguished Names (DNs)
Relative Distinguished Names
(RDNs)
• The RDN is one of an object’s attributes.
• The RDN is part of the full DN. For example:
CN=John Smith
• Active Directory services allows duplicate RDNs for
objects, but no two objects with the same RDN can
exist within the same OU.
Globally Unique Identifiers
(GUIDs)
User Principal Names (UPNs)
• The UPN is a friendly name that is shorter than
the DN and easier to remember.
• The UPN consists of a shorthand name that
represents the user and usually the DNS name
of the domain where the object resides.
• Example: johns@contoso.msft
Structure of Active Directory Architecture
• Data model
• Schema
• Security model
• Administration model
Access to Active Directory
Services
• Protocol Support
• Application programming interfaces (APIs)
• Virtual containers
Protocol Support
• LDAP is the Active Directory core protocol.
• Active Directory also exposes remote procedure call (RPC) interfaces, including the Messaging Application Programming Interface (MAPI) interface used by legacy mail clients.
• The Active Directory information model is derived from the X.500 information model.
Application Programming
Interfaces (APIs)
Virtual Containers
Directory Service
Architecture
• Interfaces
• Directory System Agent (DSA)
• Database layer
• Extensible Storage Engine (ESE)
• Data store (Ntds.dit)
Active Directory Key Service
Components
Interfaces
• LDAP provides the API for LDAP clients and exposes the ADSI so that
additional applications can be written that can talk to the Active Directory
services.
• REPL is used by the replication service to facilitate Active Directory
replication via RPC over Internet Protocol (IP) or Simple Mail Transfer
Protocol (SMTP).
• SAM Provides down-level compatibility to facilitate communication
between Microsoft Windows 2000 and Microsoft Windows NT 4.0
domains.
• MAPI supports legacy MAPI clients.
Directory System Agent
(DSA)
• Object identification
• Transaction processing
• Schema enforcement of updates
• Access control enforcement
• Support for replication
• Referrals
Database Layer
• Provides an object view of database information by applying schema
semantics to database records
• Is an internal interface that is not exposed to the public
• Follows the parent references in the database and concatenates the
successive RDNs to form DNs
• Translates each DN into an integer structure called the DN tag, which is
used for internal access
• Is responsible for the creation, retrieval, and deletion of individual
records, attributes, and values
Extensible Storage Engine (ESE)
Defining a Namespace
Architecture
• Introduction
• Root domain
• First-layer domains
• Second-layer domains
Introduction to the Active
Directory Installation Wizard
Adding or Creating a Domain
Controller
• If you add a domain controller to an existing
domain, you create a peer domain controller.
• If you create the first domain controller for a new
domain, you are creating not only the domain
controller but also a new domain.
Adding a Domain Controller
to an Existing Domain
Creating a New Child
Domain
Creating a New Domain Tree
Adding a Domain Tree to a
Forest
The Active Directory
Database and the Shared
System Volume
The Active Directory
Database
• The database is a file named Ntds.dit, which is the directory for the new domain.
• The default location for the database and the database log files is %systemroot%\Ntds, although you can specify a different location.
• The database contains all the information stored in the Active Directory store.
• The Ntds.dit file is an ESE database that contains the entire schema, the global catalog (on domain controllers that are global catalog servers), and all the objects stored on that domain controller.
The Shared System Volume
• The shared system volume is a folder
structure that exists on all Windows 2000
domain controllers.
• The shared system volume stores scripts
and some of the group policy objects for
the current domain as well as the
enterprise.
• Replication of the shared system volume
occurs on the same schedule as Active
Directory replication.
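An added example, not from the course, that locates the database and the shared system volume on a domain controller and shows who can reach them, which is the security question these two slides raise. Run it on a DC; the registry value names are the ones NTDS and Netlogon use on Windows Server 2008 R2.

```powershell
# Added example: locate the directory database and the shared system volume
# on a domain controller and see who can reach them. Not from the course
# slides. Run it on a DC.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dit         = $ntds.'DSA Database file'          # default %systemroot%\NTDS\ntds.dit
$logs        = $ntds.'Database log files path'    # default %systemroot%\NTDS
$sysvolLocal = $netlogon.SysVol                   # default %systemroot%\SYSVOL\sysvol
"Database: $dit`nLogs:     $logs`nSYSVOL:   $sysvolLocal"

# Ntds.dit holds every object in the domain including password hashes, and the
# key that encrypts them lives in the SYSTEM hive on the same machine. Only
# SYSTEM and Administrators should have any access to the NTDS folder.
(Get-Acl -Path (Split-Path -Parent $dit)).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Offline copies are as sensitive as the live file: shadow copies and backups
# of the system volume both contain ntds.dit.
vssadmin list shadows

# SYSVOL is replicated to every DC and read by every domain member at logon.
# Anyone who can write to the scripts folder or to a GPO folder can run code
# on every machine that applies the policy, so check write access here.
$domain = $env:USERDNSDOMAIN
(Get-Acl -Path "\\$domain\SYSVOL\$domain\scripts").Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights

# Which engine replicates SYSVOL: FRS on domains upgraded from earlier
# versions, DFS Replication once migrated (global state 3 = DFSR only).
dfsrmig /getglobalstate
```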
Domain Modes
• Mixed mode
• Native mode
Introduction to OU Planning
• OUs should reflect the details of the organization’s business
structure.
• Create OUs to delegate administrative control over smaller
groups of users, groups, and resources.
• OUs eliminate the need to provide users with administrative
access at the domain level.
• OUs inherit security policies from the parent domain and
parent OU unless inheritance is specifically disabled.
Creating the OU Structure
• You should begin your OU design by creating an
OU structure for the first domain in the namespace.
• When you create an OU, you should determine
who will be able to view and control certain objects
and what level of administration each administrator
will have over the objects.
OU Design Guidelines
• Create OUs to delegate administration.
• Create a logical and meaningful OU structure that allows OU
administrators to complete their tasks efficiently.
• Create OUs to apply security policies.
• Create OUs to manage the visibility of published resources.
• Create OU structures that are relatively static. OUs also give the
namespace flexibility to adapt to changing needs of the enterprise.
• Avoid allocating too many child objects to any OU.
Introduction to OUs and their
Objects
• Each Active Directory object is a distinct named set
of attributes that represents a specific network
resource.
• Before objects are added to Active Directory
services, you should create the OUs that will
contain those objects.
Creating OUs
Adding Objects to OUs
Contact
Group
Computer
User
What Is a User Account?
• A user account is an Active Directory Domain Services (AD DS) object that enables authentication and access to local and network resources
• Local accounts enable logon to a single computer and access to local resources
Names Associated with
Domain User Accounts
Naming options for domain user accounts:
Object name                        Example      Uniqueness requirement
Relative distinguished name (RDN)  CN=Gregory   Must be unique in the OU
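The names from the Naming Conventions slides (DN, RDN, GUID, UPN) and from this table, read off one real object, plus what the RDN uniqueness rule looks like in practice. This is an added example, not part of the course; it assumes the ActiveDirectory module, the deck's sample domain contoso.msft with OUs Sales and Marketing, and the deck's sample user johns.

```powershell
# Added example: the names one user object carries, and the RDN uniqueness
# rule in practice. Not from the course slides. Assumes the ActiveDirectory
# module, the deck's sample domain contoso.msft and its sample user johns.
Import-Module ActiveDirectory

$u = Get-ADUser -Identity johns -Properties canonicalName, userPrincipalName, sAMAccountName, objectGUID, objectSid
[pscustomobject]@{
    DN             = $u.DistinguishedName                        # CN=John Smith,OU=Sales,DC=contoso,DC=msft
    RDN            = ($u.DistinguishedName -split '(?<!\\),')[0] # CN=John Smith (first component; escaped commas are kept)
    Canonical      = $u.canonicalName                            # contoso.msft/Sales/John Smith
    UPN            = $u.userPrincipalName                        # johns@contoso.msft
    SamAccountName = $u.sAMAccountName                           # pre-Windows 2000 logon name, unique per domain
    GUID           = $u.objectGUID                               # never changes; survives renames and moves
    SID            = $u.objectSid.Value                          # what ACLs store; changes only if the account moves to another domain
}

# Every one of these is an equally valid -Identity for the AD cmdlets.
foreach ($id in $u.DistinguishedName, $u.objectGUID, $u.objectSid.Value, $u.sAMAccountName) {
    (Get-ADUser -Identity $id).Name
}

# RDN rule: the same CN may exist twice in the domain, but not in one OU.
New-ADUser -Name 'John Smith' -Path 'OU=Marketing,DC=contoso,DC=msft' `
           -SamAccountName 'johns2' -UserPrincipalName 'johns2@contoso.msft'   # succeeds
try {
    New-ADUser -Name 'John Smith' -Path 'OU=Sales,DC=contoso,DC=msft' `
               -SamAccountName 'johns3' -UserPrincipalName 'johns3@contoso.msft'
} catch { $_.Exception.Message }   # fails: CN=John Smith already exists in OU=Sales
# UPN and sAMAccountName, by contrast, must be unique forest-wide (UPN) or
# domain-wide (SAM), which is why logon and audit records should key on those
# or on the SID, never on the display name.
```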
Locating Objects
Modifying Attributes and
Deleting Objects
• You can modify the attributes of an object to
change or add information.
• You can modify an object’s attribute by opening
the properties for that object in the Active
Directory Users And Computers snap-in.
• To maintain security, delete objects when they are
no longer needed.
Moving Objects
• You can move objects from one location in the
Active Directory store to another location.
• You should move objects when organization or
administrative functions change.
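The Locating, Modifying/Deleting and Moving slides as one procedure, as an added example that is not part of the course. It assumes the ActiveDirectory module, the deck's sample domain contoso.msft with OUs Sales and Marketing, and two existing users johns and johns2.

```powershell
# Added example: locating, changing, moving and deleting objects. Not from
# the course slides. Assumes the ActiveDirectory module, the sample domain
# contoso.msft with OUs Sales and Marketing, and users johns and johns2.
Import-Module ActiveDirectory

# Locate: an LDAP filter for enabled users in Sales who have not logged on in
# 90 days (bit 2 of userAccountControl is ACCOUNTDISABLE).
$cutoff = (Get-Date).AddDays(-90).ToFileTime()
$stale = Get-ADUser -SearchBase 'OU=Sales,DC=contoso,DC=msft' `
    -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp<=$cutoff))" `
    -Properties lastLogonTimestamp
$stale | Select-Object SamAccountName, @{n='LastLogon'; e={ [datetime]::FromFileTime($_.lastLogonTimestamp) }}

# Modify: replace one attribute, clear another.
Set-ADUser -Identity johns -Replace @{ department = 'Sales' } -Clear title

# Move: the DN changes, the GUID and SID do not, so ACLs keyed on the SID keep
# working; but the object now inherits the target OU's permissions and group policy.
$before = Get-ADUser -Identity johns
Move-ADObject -Identity $before.DistinguishedName -TargetPath 'OU=Marketing,DC=contoso,DC=msft'
$after = Get-ADUser -Identity johns
$before.ObjectGUID -eq $after.ObjectGUID    # True
$after.DistinguishedName                    # CN=John Smith,OU=Marketing,DC=contoso,DC=msft

# Delete: with the AD Recycle Bin enabled the object is recoverable with
# Restore-ADObject; otherwise it becomes a tombstone stripped of most attributes.
Remove-ADUser -Identity johns2 -Confirm:$false
Get-ADObject -Filter { isDeleted -eq $true -and name -like 'John Smith*' } `
             -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, lastKnownParent

# Disabling first is usually the safer step: it keeps the SID, group
# memberships and the audit trail while access is cut off.
Disable-ADAccount -Identity johns
```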
Managing Active Directory
Permissions
• Use Active Directory permissions to determine who
has the permissions to gain access to the object
and what type of access is allowed.
• The object type determines which permissions you
can select.
• Permissions inheritance minimizes the number of
times you need to assign permissions for objects.
Delegating Administrative Control of Objects
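The OU planning, permissions and delegation slides carried through in working commands, as an added example that is not part of the course: create an OU, delegate password resets on it to a help-desk group, and audit the resulting ACL and its inheritance. It assumes the ActiveDirectory module, the deck's sample domain contoso.msft, and an existing group named HelpDesk; the two GUIDs are the schema-defined ones for the User-Force-Change-Password right and the user class.

```powershell
# Added example: create an OU, delegate password resets on it, and audit the
# ACL. Not from the course slides. Assumes the ActiveDirectory module, the
# sample domain contoso.msft, and an existing group HelpDesk.
Import-Module ActiveDirectory

$ouDN = 'OU=Vancouver,DC=contoso,DC=msft'
New-ADOrganizationalUnit -Name 'Vancouver' -Path 'DC=contoso,DC=msft' -ProtectedFromAccidentalDeletion $true

# Delegate: allow HelpDesk to reset passwords on user objects below this OU,
# and nothing else. Scoping the ACE to the user class and to the one extended
# right is what keeps "delegate administration" from becoming "make admins".
$helpDesk  = (Get-ADGroup -Identity HelpDesk).SID
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password extended right
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $helpDesk,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $resetPwd,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: every explicit (non-inherited) Allow entry on the OU. Delegation
# should show up as exactly what was granted; GenericAll, WriteDacl,
# WriteOwner or WriteProperty on an OU full of users is a path to the domain.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Inheritance: the slide says OUs inherit from the domain and parent OU unless
# inheritance is disabled. An OU that blocks inheritance silently drops the
# permissions (and auditing) applied above it, so flag those.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { $_ } |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName
```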