Welcome to this TechNet Event
We would like to bring your attention to the key elements of the
TechNet programme; the central information and community resource
for IT professionals in the UK:
FREE bi-weekly technical newsletter
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
Monthly CD / DVD subscription with the latest technical tools & resources
FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit
www.microsoft.com/uk/technet or speak to a Microsoft representative
during the break
Understanding the Active Directory Platform
in the Real World
John Howard, Mark Cribben, Mike Brannigan
Microsoft UK
Today’s Sessions
Architectural Overview
Recommended design practices
In-place upgrades
Lunch: The Business case for Active Directory
Directory migration
Extending the value of the directory
Managing and Securing Active Directory
Introduction to Directories
What is a directory?
– At a basic level, a structured way of organising useful information.
The classic example is that of a telephone directory.
What a directory is not.
– It is not a database. Although they share common features the
emphasis between the two is different.
Types of directory.
– NOS based directories
– Application directories
– General purpose directories
Directories vs. Databases
Information Model
– Directory: Hierarchical; Object Oriented; Entry and Attribute Based
– Database: Relational Model; Table and Record Based
Transaction Model
– Directory: High Read to Write Ratio
– Database: High Write to Read Ratio (Usually)
Data Distribution
– Directory: Usually Distributed; Easily Replicated
– Database: Can be Distributed
Performance
– Directory: Optimized for Searching
– Database: Optimized for Transactions
Standardization
– Directory: Data Model (Schema) Open to Many Applications; More Easily Extended
– Database: Data Model Specific to Each Application; Proprietary RDBMS (Less Support and Need for Standards)
Data Consistency
– Directory: Loosely Consistent; Updates Not Instantly Replicated
– Database: Highly Consistent; Record Locking and Referential Integrity is Constantly Enforced
Common uses for directories
NOS
– Core directory service for network management and administration
– Authentication of network users
– Examples such as Active Directory and eDirectory
Application
– Specific applications that store configuration information without the need
for a database
– Examples include firewalls, HR applications
General purpose
– Internal white pages
– A driver for provisioning
– Simple applications for which a directory is better suited than a database
Introduction to LDAP
Firstly, it is a protocol defined through RFCs
Secondly, it is a set of four models:
– An information model to describe what you can put in the
directory
– A naming model that describes how data is arranged within the
directory
– A functional model that describes what you can do with the data
– A security model that defines how the data in the directory can be
protected from unauthorised access
LDAP Protocol - 1
A message oriented protocol
The LDAP protocol consists of 9 basic operations divided
into 3 categories:
– Interrogation Operations:
search, compare
– Update Operations:
add, delete, modify, modify DN (rename)
– Authentication and control:
bind, unbind, abandon
LDAP Protocol - 2
A typical LDAP exchange
1. Open connection and bind
2. Result of bind operation
3. Search operation
4. Entries returned
5. Result of search operation
6. Unbind operation
7. Close connection
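The exchange above, shown at the wire level as an added illustration (not part of the slides): each step is one BER-encoded LDAPMessage as RFC 4511 defines it, so the bind, search and unbind can be built and a captured message matched back to its step. The DNs and password are constructed samples and no server is contacted.

```python
# Added illustration, not from the slides: RFC 4511 BER framing of the messages above.
def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (messageID, version, limits)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] OCTET STRING.
    The password travels in clear, so a simple bind belongs on a TLS-protected link."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))

def search_request(msg_id: int, base_dn: str, attrs: list) -> bytes:
    """SearchRequest [APPLICATION 3]: wholeSubtree, no limits, filter (objectClass=*)."""
    op = (tlv(0x04, base_dn.encode()) + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")
          + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")   # sizeLimit, timeLimit, typesOnly
          + tlv(0x87, b"objectClass")                      # present filter, context tag [7]
          + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, op))

def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: no response; the client then closes."""
    return ldap_message(msg_id, tlv(0x42, b""))

def parse_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                         # long form: low 7 bits count the length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_message(buf: bytes) -> tuple:
    """Return (messageID, protocolOp tag) so a capture can be matched to the steps above."""
    tag, body, _ = parse_tlv(buf)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, mid, nxt = parse_tlv(body)
    return int.from_bytes(mid, "big", signed=True), parse_tlv(body, nxt)[0]
```

An anonymous bind (empty DN and password) encodes to the 14 bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, and the application tags 0x60, 0x63 and 0x42 identify steps 1, 3 and 6 of the exchange in a capture.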
LDAP compliance
A common request these days, but what does it mean?
– As with all things, it depends on a number of factors. Principally,
though, the question is “do you conform to the LDAP standards as
defined in the RFCs?”
– Open Group / DIF test certifications: LDAP Ready and LDAP
Certified.
– It depends on the standards in question. Compliant does not mean you
implement every possible RFC for a technology, rather that you
meet the required standards.
Providers of directories
There are a number of commercial LDAP directory products available
today including:
– Microsoft Active Directory and ADAM
– Computer Associates eTrust Directory 8
– IBM Tivoli Directory Server 5.x
– Nexor Directory 5.1
– Novell eDirectory 8.7.x
– Oracle Internet Directory v 10g
– Sun Microsystems Sun ONE Directory Server 5.2
Plus there are non-commercial products:
– OpenLDAP
Typical Company scenario
Network
– Probably a directory of some description providing authentication services and
network management for all users in the company
HR
– A significant number of companies have an HR system that is separate from the
Network directory.
Firewall
– Several firewall products use authentication to determine internet access
permissions. These permissions are stored in a directory.
Applications
– Commercial applications may be deployed that provide a specific function in the
company and ship with their own directory.
– In-house applications such as a provisioning application or a white pages or
“global directory”
Without realising it, most organisations are now awash with directories.
The directory challenges! (1)
Management
– How accurate is the data? Who is responsible for inputting the data?
How current is the data? How available is the directory?
Information consistency
– Identities that are shared between multiple directories can become
inconsistent. Representation of common data.
Interoperability
– How accessible is the data?
Synchronisation
– Do we have the right information? Where is the authoritative data stored?
Synchronisation rules? Synchronisation logic?
The directory challenges! (2)
Ownership
– Who owns the data? Are they happy to share it?
Security
– How do we secure the data in the directory? Is access control important
for the data stored?
Extending the directory
– How do we extend the directory? Do schema extensions clash? Are the
extensions universally important?
Use
– How do we use the directory effectively? Are we doing all that we can
with the directories we have?
What is Active Directory?
Microsoft’s core directory service offering
– Enterprise capable NOS Directory Service providing network
authentication, authorisation, location and application services
– Available since 2000 as part of Windows 2000 Server
– Supports LDAP v2 and v3 industry standards
– Ships free as part of the Windows Server Operating System
AD concepts – 1 (Logical)
Boundaries
– Security
– Administrative
Forest
– A forest is the security boundary for a single Active Directory deployment.
– Shared schema and configuration
– A single, logical entity
– Comprised of one or more domain trees
Domain
– A Domain is an administrative boundary within an AD forest.
– Boundary for password / security policy
– Partition / control replication of AD data
AD concepts – 2 (Logical)
Tree
– AD domains are logically organised in trees
– A tree is a contiguous DNS-based name space, e.g. ad.microsoft.com is the forest
root domain. It has two child domains, eu.ad.microsoft.com and
na.ad.microsoft.com, that form a single domain tree within the forest.
[Diagram: ad.microsoft.com with child domains eu.ad.microsoft.com and na.ad.microsoft.com]
AD concepts – 3 (Logical)
Organisational Units (OUs)
– A way of further partitioning data within a domain for the purposes
of delegating administration or applying Group Policy
– Hierarchical within the domain
– Can be easily moved or renamed
AD concepts – 4 (Logical)
Schema
– The definition of the objects that can be created within a forest,
e.g. users, computers, printers.
– The boundaries of the individual attributes.
– Default permissions on attributes
– Unique OIDs are essential.
– Once defined, they cannot be removed from AD
– Objects and attributes can be deactivated in Windows Server
2003
AD concepts – 5 (Logical)
Trusts. Defines the relationship between different logical
components of an AD installation.
– Within a forest all domains are trusted.
– External trusts
– Forest trusts
– Kerberos trusts
AD concepts – 6 (Physical)
Sites
– A logical representation of the physical nature of your underlying network
infrastructure.
– Used for controlling authentication process, replication and accessing “local”
resources.
– Requires defining IP subnets.
Domain Controllers (DCs)
– Servers that physically host the Directory.
– Replicate directory information
– Authoritative for their domain NC
– Writable (operations such as creating new objects or updating existing objects)
Global Catalog (GC)
– A DC that holds read-only copies of the other domain NCs within the forest as well as
the writable copy of the domain NC for which it is authoritative.
– Easy and known way to search the forest for information
AD and DNS
DNS is a name resolution service and is separate from AD.
– Used to provide the name space rules for AD
– Used to locate AD and AD resources
DNS information can be stored in AD
– Can improve the security of DNS information
– Improves replication / transfer of zone data
How AD distributes data
Domain Controllers
– DCs are distributed around the organisation to facilitate local
operations
Replication
– The mechanism for ensuring all DCs contain up-to-date
information
– Multimaster loose consistency with convergence
– Intra-site replication for DCs in the same site
– Inter-site replication between sites
Roles for AD
NOS
– Primary role for managing the network, users and machines
Authentication
– Provides the authentication service for the network.
– Default in Active Directory is Kerberos
– Can also be utilised as an authentication service for other applications
Application
– AD can be extended to support applications
– A number of MS applications utilise AD (Exchange, SMS, ISA to name a
few)
Scalability
AD as a NOS Directory has the capacity to handle any organisation
– Tested with millions of objects
– Technically could support 1 billion objects!
– Currently supporting many of the largest companies in the world
There are some technical limitations for some objects
– Number of DCs in a domain
– Number of DNS Name Servers
– Number of Groups a user can belong to
– Number of users in a group*
The Microsoft directory strategy
[Diagram: the capabilities Authentication, Synchronisation, Authorisation, Provisioning, Security and Management mapped onto Active Directory, ADAM, MIIS, IIFP, ADFS and GPMC, grouped under Directory Technologies, Directory Architecture and Federation]
Getting to a Single Directory
Very difficult in the enterprise
– Existing application requirements
– Scope of application (local vs. global)
– Schema requirements
– Control of application/identity information
How to deal with multiple account stores
– Infrastructure Directory – Global
– Application Directories – Local to Application
– Meta-Directory – Integration/Business Process
Where We Are Today
[Diagram: an HR/ERP app, eDirectory, a database (generic dump), Active Directory (policy & SSO for Windows), iPlanet, a portal application, a generic LDAP-based app, whitepages and MAPI Outlook/Exchange, each with its own LDAP directory; centralized management non-existent; ad-hoc sync between them]
Directories deployed per-app; little re-use
Provisioning, sync are ad-hoc
The Solution
[Diagram: centralized identity management. MIIS 2003 provides integration services (access, sync) between the HR/ERP app, a 3rd-party DS, a database, ADAM app DSs used by DS-enabled apps, and Active Directory as the infrastructure directory]