Chapter 30. Using the Active Directory Service


If you have a heterogeneous network composed of Windows and other operating systems, see Part XI, "Migration and Integration," to learn how the Active Directory can be used in this type of network.



The Active Directory was introduced by Microsoft with Windows 2000. The Active Directory is an LDAP-based directory service that enables you to store information about user accounts, domains, and resource objects in the same place for easy management. And because LDAP (see Appendix D, "The Lightweight Directory Access Protocol") is a standard embraced by a large number of vendors, from Novell to Netscape, it is possible to enable networks that use different directory services to interact with each other. This can be an important factor when integrating two networks, or when migrating from one type of network to another.

The Active Directory can be installed on a Windows network when you migrate from Windows NT 4.0 to Windows 2000 Server, or Windows Server 2003. The examples in this chapter are based on Windows Server 2003, which incorporates many new features. However, the concepts are basically the same, though the windows and dialog boxes may look a little different if you are using an earlier version of Windows.

When you upgrade from Windows NT, domains become container units within the directory. Additionally, the nature of trust relationships between domains changes. There are many other subtle differences you will notice, but for the most part you will find it easier to manage network users and resources using the Microsoft Management Console (MMC) snap-ins to perform routine tasks. Other snap-ins can be installed in the MMC to allow you to perform more complicated functions, such as modifying the schema.



Note

You can create a small workgroup-style network using just about any supported version of Windows. If you want to maintain an environment where security and administrative tasks can be centralized and controlled, as in the previous Windows NT domain models, you'll have to use the Active Directory, or perhaps another directory service, such as the eDirectory from Novell.



The only information stored in the Windows NT 4.0 SAM (security accounts manager) database is user and computer accounts, along with some security information, such as trust relationships between domains. Information about printers, file shares, and other resources is scattered here and there in separate databases and is managed by separate utilities. Administering network resources using multiple utilities with disjointed interfaces can become quite a nightmare in a large network. This disjointed method of administration has created a situation in which many upgraded their networks to Windows NT 4.0, but also adopted Novell Directory Services on the same network. Adding NDS to a Windows NT 4.0 network can solve a lot of problems by giving you a single place to administer many kinds of resources. The Active Directory consolidates information from these different sources into a single database, and provides you with a simpler management interface.



Early Directory Technologies

The first directory that comes to mind when you think of early computer systems is the file system directory. The organization of data files and programs into a structure of directories and subdirectories became more important as the size of the available storage grew. When networking PCs became a necessity, the capability to organize users and secure data from inappropriate access led to the concept of logging in to the computer or network, just as had been done with multiuser, mini, and mainframe computers for many years. This made it necessary to create another database (that is, a directory) to keep track of users and security information.

For network administrators and users alike, there is a great need today to quickly locate resources that, in a modern distributed computing environment, can be anywhere from the computer on the user's desk to a file server halfway around the world. So when you're deciding what kinds of information to store in a directory service database, the needs of both the users and the administrators of the system must be taken into consideration.



The Difference Between the Directory and the Directory Service

The first thing you will need to understand about the Active Directory is that it is composed of a database and many different programs that can be used to operate within the database. The term directory is used to describe the underlying database that holds all the information managed by the directory service. The actual information store, the directory, is stored in the Extensible Storage Engine (ESE). ESE is a derivative of Microsoft's oft-used JET engine, and a variant of this same technology is also used by Microsoft Exchange Server.

The term directory service refers to the programs that manage the database and allow users and programs to access its data in a meaningful way. After you've created a domain controller in a Windows 2000 or 2003 network, you'll find several new utilities in the Administrative Tools folder, such as the Active Directory Sites and Services Manager and the Active Directory Users and Computers tools. You'll find other tools in this folder, depending on the components you selected when installing the operating system. The Event Viewer application is still present, but now it uses the MMC interface, as do most of the other system management tools.

The directory service consists of the programs and application programming interfaces (the Active Directory Service Interface [ADSI] and the LDAP C lower-level API). These can be used to create additional tools for use with the directory. The directory service offers the network a namespace that can be used to locate objects throughout the network by querying by the object's name or one of its attributes.

The Directory System Agent (DSA) provides the service responsible for performing actual queries and updates to the database. Because applications and APIs make requests to the DSA in a defined fashion, the functions they perform are separated from the actual underlying format of data storage.



Interesting Objects

The Active Directory provides the capability to query a large database that can be used to locate any object, or information about any object, stored in the directory database. To understand how important the Active Directory is in Windows 2000/Server 2003, you should first understand the kinds of data that will be stored in the objects that the directory organizes.

Knowing what kind of data should be a candidate for management by a directory service is not easy. Here, the definition of a directory service gets kind of fuzzy.

It is common to compare directory services to the white and yellow pages of the traditional phone directory. White pages are specific queries in which the input is a person's name and the output is the person's telephone number. Yellow pages have a more general "browsing" capability, with more general input about a subject or concept. This results in a specific output selected by the user from the information found. The Active Directory provides the best of both. You can search for a specific object if you know the name you are looking for (such as a username or computer name), or you can browse for objects by using the data stored in the many attributes that objects can possess. Looking up a username in the Active Directory is sort of like using the white pages of the telephone book.

However, suppose you are a mobile employee. You have just walked into the Atlanta office and you need to print a document. You quickly search the directory to find an object that

Is a printer

Is located in the Atlanta branch on the third floor

Supports color printing

This situation shows that directory services also can be used in a manner similar to the telephone book's Yellow Pages service. You can specify the attributes for an object you want to find, and perform a search of the directory to see whether there are any matches. Or, if you know the name of an object, you can query the database to find that object and then view its properties. This method of querying the database enables you to find something you know a little about, or to find the attributes of an object you already know about. In the latter example, you might know the name of a printer located down the hallway but not be aware of whether it supports duplex printing. The Active Directory can tell you that, as long as the information has been put into the directory database.
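The attribute-based search just described is what an LDAP search filter expresses. The Python below is an added example, not code from the book: it parses RFC 4515 filter strings and evaluates them against a small constructed set of printQueue-style objects, running both the "yellow pages" query for an Atlanta third-floor color printer and the "white pages" lookup of a printer by name. The escape_filter_value function shows the escaping a script must apply to any user-supplied value before splicing it into a filter, so the value cannot introduce wildcards or extra filter components. The sample objects and their values are constructed; the attribute names (location, printColor, printDuplexSupported) are ones the Active Directory printQueue class defines, and the function names are this example's own.

```python
import re

# Constructed sample directory (not from the book): three print queues and one
# user, each a dict of multi-valued attributes as an LDAP server would hold them.
SAMPLE_DIRECTORY = [
    {"cn": ["ATL-3F-COLOR"], "objectClass": ["printQueue"],
     "location": ["Atlanta/Floor 3"], "printColor": ["TRUE"],
     "printDuplexSupported": ["TRUE"]},
    {"cn": ["ATL-3F-MONO"], "objectClass": ["printQueue"],
     "location": ["Atlanta/Floor 3"], "printColor": ["FALSE"],
     "printDuplexSupported": ["TRUE"]},
    {"cn": ["ATL-1F-COLOR"], "objectClass": ["printQueue"],
     "location": ["Atlanta/Floor 1"], "printColor": ["TRUE"],
     "printDuplexSupported": ["FALSE"]},
    {"cn": ["ono"], "objectClass": ["user"], "location": ["New York"]},
]


def escape_filter_value(value):
    """Escape a value before splicing it into a filter (RFC 4515 section 3),
    so that user input cannot add wildcards or extra filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value):
    """Turn \\xx hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]) or
    ('=', attribute, raw_pattern). Only these operators are supported."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated filter component")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one component")
            return (op, children), i + 1
        eq = text.index("=", i)
        close = text.index(")", eq)      # a literal ')' in a value must be escaped
        return ("=", text[i:eq], text[eq + 1:close]), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _match_value(pattern, value):
    """Presence (*), equality and substring (a*b) matching, case-insensitive as
    for most Active Directory string attributes."""
    if pattern == "*":
        return True
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.match("^" + ".*".join(parts) + "$", value, re.IGNORECASE) is not None


def evaluate(node, obj):
    """Return True if the directory object satisfies the parsed filter."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, obj) for c in node[1])
    if op == "|":
        return any(evaluate(c, obj) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], obj)
    _, attr, pattern = node
    key = next((k for k in obj if k.lower() == attr.lower()), None)
    if key is None:
        return False                     # an absent attribute never matches
    return any(_match_value(pattern, v) for v in obj[key])


def search(filter_text, directory=SAMPLE_DIRECTORY):
    """Return the cn of every object matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [o["cn"][0] for o in directory if evaluate(tree, o)]


# "Yellow pages" query built from the three criteria in the Atlanta example.
ATLANTA_COLOR_FILTER = ("(&(objectClass=printQueue)"
                        "(location=Atlanta/Floor 3)(printColor=TRUE))")

if __name__ == "__main__":
    print(search(ATLANTA_COLOR_FILTER))                             # ['ATL-3F-COLOR']
    # "White pages" lookup by name, with the user-supplied value escaped first.
    print(search("(cn=%s)" % escape_filter_value("ATL-3F-MONO")))  # ['ATL-3F-MONO']
```

The escaping matters whenever a name typed by a user ends up inside a filter: an unescaped "*" turns a lookup of one object into a presence match on every object, and an unescaped ")" lets the input close the component early, which is the shape of an LDAP injection. The same escaping rules apply unchanged to filters sent to a real domain controller.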

As you can see, the Active Directory stores the traditional kind of information that usually is found on a network computer operating system. What other kinds of objects can you store in the directory? Well, just about anything you can think of, as long as you can express it as a collection of attributes (or features of the object). If you want, it's possible to create objects that represent your stamp collection. You can create objects that represent just about anything. The Active Directory comes with a large number of built-in objects. These are defined in the schema, a concept that is discussed later in this chapter. You can extend the schema to add objects (and attributes) that are particularly useful for your business or situation. However, almost everyone agrees that the information stored in the directory should be interesting or of some practical use.



What Active Directory Delivers

Because the Active Directory is based on industry standards, it can offer many services to a network. The Active Directory provides some very important features to a Windows network, or a heterogeneous network made up of computers using different operating systems:

A single logon for the entire network. This was present, more or less, in previous versions of Windows, but it can be extended today to incorporate NetWare, Unix, Linux, and other operating systems. For examples, see Part XI.

A hierarchical structure that organizes objects and tasks into a logical format so that you can quickly and easily locate the information you need. The X.500 hierarchical format has been adopted in the Active Directory.

An extensible format that enables the directory to encompass new objects as operating systems and management functions evolve. This means that the schema of the directory should be easy to modify. Using MMC snap-ins, this can be a simple chore with the Active Directory. Note, though, that Microsoft has created a schema for the Active Directory that should suffice for most networks, and you should modify the schema only after you become aware of the possible consequences of your changes. Changes to the Active Directory schema are permanent and cannot be undone by any means short of recovering all domain controllers from backups made prior to extending the schema.

Fault tolerance and a distributed database. You don't need to create numerous domains with primary domain controllers to receive updates and backup domain controllers to "hold the fort" when a PDC isn't available, as was the case with NT. Instead, all domain controllers in a native-mode Active Directory network are peers, and each domain controller in the domain holds a copy of that domain's portion of the Active Directory database. There is no need to "promote" a backup domain controller if a primary one fails, because all domain controllers in a domain are considered to be the same.

Scalability. Management tasks can now be centralized or distributed as your administrative needs dictate. You can delegate authority over parts of the database (such as a domain or part of a domain) as you see fit.

Programmability. Application developers and script writers can use many tools to interface with the database.

Manageable security mechanisms. From the small desktop system to the worldwide enterprise, you can grow the network to one that consists of millions of users.

One of the most important features that large enterprises would like to see is a standards-based implementation so that you do not get locked into a single vendor for all your software needs. Migration tools, both to and from the directory database, are needed until the standards issues settle down and products from different vendors work together as seamlessly as they do in the telephone network.



Evolution of Directory Services from X.500 to LDAP

When you think of standards, the name International Organization for Standardization (ISO) probably comes to mind. After all, the ISO has been involved in efforts for many years to help make the interchange of data between computers less of a proprietary chore and more of a free flow of information. The ISO, along with the International Telecommunications Union (ITU), developed the X.500 group of standards to promulgate a global white pages directory service. Under the umbrella of X.500 there are many standards, which include naming conventions and networking protocols (OSI, the Open Systems Interconnection protocols).



Note

Although many books state that the letters ISO are an abbreviation for International Standards Organization, that is not the case. Instead, the actual name of the organization, in English, was originally International Organization for Standardization. The term ISO was eventually selected by this group because of its root meaning from the original Greek word isos, which translates generally to "equal." This name was chosen because it pretty much indicates standardization, without having to use a particular language to create an acronym. Thus, the ISO works with standards bodies from many different countries, attempting to make technological things "equal" so that they will work together. You can find out more about ISO and its member organizations by visiting www.iso.org/.



However, the OSI networking protocol never did take off as expected, although some vendors implemented parts of it. Digital Equipment Corporation (DEC was absorbed by Compaq Computer Corporation, and Compaq was of course acquired by HP) tried for years to get OSI standards adopted by evolving its own proprietary networking protocol DECnet into an OSI-compliant protocol and by releasing an operating system (OSF) based on OSI standards. Even today the venerable operating system once called VMS (for Virtual Memory System) has been called OpenVMS for many years because of this attempt to adopt open standards.

While all this discussion of standards was going on in committees and protocols were being discussed, debated, and refined, the Internet took off. And as everyone now knows, it is TCP/IP that glues together the Internet, not OSI. It's funny in a way that standardization came about ad hoc instead of through an orderly process.

But it was not just the lack of interest in OSI network protocols that stifled the acceptance of X.500 proposals. Several other important factors were involved, such as the overhead associated with implementing many of the X.500 protocols. Although X.500 (et al.) does a good job defining protocols, it does not attempt to define standard programming interfaces (APIs, which make it easy for different vendors to write applications that implement the protocols).

Another reason you won't find X.500 standards implemented in many places is its complicated naming scheme. The hierarchical organization of the directory, which can be seen in its naming format, is a good idea, but the long-winded name is not. For example, which of the following would you rather try to remember when sending someone an email message: the X.500 format or the RFC 822 name?

X.500: CN=Ono,OU=Studio One,OU=New York,O=mydomain,C=US

RFC 822: Ono@mydomain.com

The X.500 name, in this example, reveals the organization structure of the directory, whereas the RFC 822 name does not. But every user shouldn't have to be fully cognizant of the directory structure in order to use it. If you want to send Ono a message via email, you should not have to know that she works in Studio One (organizational unit = Studio One) and that she is in the company's New York division (organizational unit = New York). You shouldn't have to specify that she is in the United States because you already indicated that she is in New York. And because you can have additional organizational units (OU=) in the directory, the X.500 address actually could have been much, much longer. Note that in the preceding example one container object can contain other container objects before you eventually get to the "leaf" object that is the object containing the attributes you wanted to locate in the first place.

Directory services should make things easier, not more difficult. Microsoft's Active Directory (as well as other LDAP-based directories) uses the hierarchical treelike organization as spelled out by the X.500 standards, but the Active Directory also adapts the Windows NT domain system, by using DNS as a locator service, to the structure. That is, in addition to the standard container types such as OU for organizational unit, and so on, the Active Directory has a DC, or domain component, container object, defined in the schema, that can be used to house domains in the directory. By incorporating domains into the directory, rather than simply discarding the domain concept, Microsoft has made it easier for users of Windows NT 4.0 to interact with or make the migration to Windows 2000, Server 2003, and future versions of Windows. Domains can be imported into the directory when migrating existing Windows NT networks. You can learn more about this in Chapter 56, "Migrating from Windows NT 4.0 to Windows 2000, Windows 2003, and Windows XP."
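To make the naming discussion concrete, here is an added Python example (not the book's code) that splits a distinguished name into its relative distinguished names, lists the chain of container objects enclosing the leaf, and maps the DC= components of an Active Directory name onto the DNS domain the directory uses as its locator. It starts from the book's Ono example and adds a constructed Active Directory variant of the same name; the function names are this example's own.

```python
def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific (the leaf) first.
    Handles RFC 4514 backslash escapes such as '\\,' inside a value, so a comma
    that is part of a name is not mistaken for an RDN separator."""
    rdns, attr, buf, i, in_value = [], None, [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            attr, buf, in_value = "".join(buf).strip(), [], True
        elif in_value and ch == ",":
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value or attr is None:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def container_path(dn):
    """Return the container objects enclosing the leaf, outermost first."""
    rdns = parse_dn(dn)
    return ["%s=%s" % (a, v) for a, v in reversed(rdns[1:])]


def dns_domain_from_dn(dn):
    """Join the DC= components, in order, into the DNS name of the domain
    (None for a pure X.500 name that has no domain components)."""
    labels = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    return ".".join(labels) if labels else None


def dn_for_domain(domain, leaf_rdns=""):
    """Build the DC= suffix for a DNS domain, optionally under a leaf path."""
    suffix = ",".join("DC=" + label for label in domain.split("."))
    return suffix if not leaf_rdns else leaf_rdns + "," + suffix


# The book's X.500 name, and a constructed Active Directory form of the same
# object in which the domain components replace O= and C=.
X500_NAME = "CN=Ono,OU=Studio One,OU=New York,O=mydomain,C=US"
AD_NAME = "CN=Ono,OU=Studio One,OU=New York,DC=mydomain,DC=com"

if __name__ == "__main__":
    print(parse_dn(X500_NAME))
    print(container_path(X500_NAME))          # ['C=US', 'O=mydomain', 'OU=New York', 'OU=Studio One']
    print(dns_domain_from_dn(AD_NAME))        # mydomain.com
    print(dn_for_domain("mydomain.com", "CN=Ono,OU=Studio One,OU=New York"))
```

The escape handling is the part worth keeping in any tool that builds or splits DNs from user-supplied names: a common name such as "Ono, Yoko" must be written CN=Ono\, Yoko, or the comma turns one RDN into two and the object lands in a container the administrator never intended.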

The overhead associated with other X.500 recommendations also needs to be overcome. Four "wire" (or communication) protocols were defined:

Directory Access Protocol (DAP)

Directory System Protocol (DSP)

