Wednesday, 30 September 2015

Active Directory



What is active directory?

Active Directory (AD) is Microsoft's directory service: a replicated database of the user, computer and group accounts in your organization (including the password hashes used to authenticate them) together with the policies that govern them. Keeping accounts and credentials in one centrally managed, access-controlled store is what makes central authentication and authorization possible, and it also makes the directory and its domain controllers the most valuable target on the network, so protecting them is a prerequisite for the security benefit rather than a result of it. Active Directory is subdivided into one or more domains.

What are the components that form the AD?
The AD components help a Network Administrator perform various jobs, i.e. authenticating users, authorizing them to use resources, managing the network, etc. They are commonly classified into two types: logical components (forest, tree, domain, organizational unit) and physical components (domain controllers, sites). Each component has its own function.

Forests: The forest is the top level of the AD hierarchy and the security boundary of the directory. All domains in a forest share a single schema (the object classes and attributes and their syntax), a single configuration partition and a single global catalog, and they are joined by automatic two-way transitive trusts, so a user in any domain can be granted access to resources anywhere in the forest.

Tree: A tree is a collection of Active Directory domains that share a contiguous namespace. In this configuration, domains fall into a parent-child relationship, with the child domain taking on the name of the parent as a suffix (for example, sales.contoso.com as a child of contoso.com).

Domain: A domain is a logical grouping of objects (users, computers, groups and policies) that share a common directory database, security policies and trust relationships with other domains. Each domain has its own DNS name (contoso.com), and its directory partition is replicated to every domain controller in that domain; those DCs authenticate the domain's users and enforce its policies.

Organizational Units (OU): Organizational units are containers within a domain that group users, computers, groups and other OUs into a hierarchy that mirrors the organization (by department, location, or function). An OU is the smallest unit to which Group Policy can be linked and to which administrative control can be delegated, so a Network Administrator can deploy administrative and user policies to one part of the organization, or give a team control over its own OU, without granting domain-wide rights.

Physical components of Active Directory
Domain Controllers:
Domain Controllers or DCs are servers (physical or virtual) running Windows Server (Windows 2000 Server, Windows Server 2003, Windows Server 2008 or later) that hold a writable copy of the Active Directory database and authenticate the domain's users. There can be several domain controllers in a domain, depending on the size of the organization, and since Windows 2000 all DCs are peers in a multi-master replication model: a change made on any DC replicates to the others. The first DC promoted in a domain is often informally called "the DC" and the later ones "ADCs" (Additional Domain Controllers), but the only functional differences between DCs are the FSMO roles and the global catalog described below. Because every DC holds the credential database for the whole domain, compromising one DC compromises the domain; DCs should be physically secured and administered only from hardened workstations.

Sites: Sites are physical groupings of well-connected networks, defined by IP subnets. They let a Network Administrator describe the areas of high and low connectivity so that replication between DCs can be scheduled and compressed across slow links, and so that clients are directed to a DC in their own site for logon and directory queries.

Global catalog:

A global catalog (GC) is a domain controller that, in addition to the full copy of all objects in its own domain, stores a partial, read-only copy (a subset of attributes) of every object in every other domain of the forest. It is used for forest-wide searches and to resolve universal group membership at logon. The first DC in a forest is automatically a GC; the role can be enabled on any other DC.

FSMO Roles
Although AD replication is multi-master, a few operations would conflict if performed on two DCs at once, so they are assigned to a single DC per domain or per forest. These Flexible Single Master Operation (FSMO) roles are single points of failure for the operations they own, and an administrator should know which DC holds each one. There are five FSMO roles:
  • PDC emulator (one per domain): This role allows the DC to act as a Windows NT primary domain controller (PDC) for down-level clients and backup domain controllers (BDCs). It is also the authoritative time source for the domain, the preferred DC for Group Policy edits, and the DC to which password changes are forwarded immediately and account lockouts are reported, which is why it is the best place to look when investigating bad-password events.
  • Infrastructure master (one per domain): This role updates references to objects in other domains (for example, a user from another domain who is a member of a local group) when those objects are moved or renamed. It should not be placed on a global catalog server unless every DC in the domain is a GC, because it locates stale references by comparing its data with a GC.
  • Relative ID (RID) master (one per domain): This role hands out pools of relative IDs to each DC so that every security principal created in the domain receives a unique SID (the domain SID followed by a RID).
  • Schema master (one per forest): This role is responsible for maintaining and modifying the Active Directory schema.
  • Domain naming master (one per forest): This role is responsible for the addition and deletion of domains in a forest.
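The following PowerShell, added here as an example and not part of the original page, ties the logical and physical components above together: it prints the forest and domain structure, the FSMO role holders, the global catalogs, and every domain controller with its site, and it flags the infrastructure-master placement problem described above. It assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access to the directory; any names shown in output come from your own directory.

```powershell
# Added example (not from the original page): inventory AD's logical and
# physical components and locate the FSMO role holders.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-AdTopologySummary {
    [CmdletBinding()]
    param(
        # Optional DC or domain name to query; defaults to the current domain.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $forest = Get-ADForest @common
    $domain = Get-ADDomain @common

    # Logical structure: forest -> domains; plus the single-holder FSMO roles.
    [pscustomobject]@{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        Domains        = ($forest.Domains -join ', ')
        Domain         = $domain.DNSRoot
        DomainMode     = $domain.DomainMode
        DomainSID      = $domain.DomainSID.Value
        SchemaMaster   = $forest.SchemaMaster          # one per forest
        DomainNaming   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator    = $domain.PDCEmulator           # one per domain
        RIDMaster      = $domain.RIDMaster             # one per domain
        Infrastructure = $domain.InfrastructureMaster  # one per domain
        GlobalCatalogs = ($forest.GlobalCatalogs -join ', ')
    }
}

function Get-AdDomainControllerSummary {
    [CmdletBinding()]
    param([string]$Server)
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # Physical structure: every DC, the site it serves, whether it is a GC or
    # read-only (RODC), and which FSMO roles it holds. Otherwise DCs are peers.
    Get-ADDomainController -Filter * @common |
        Sort-Object Site, HostName |
        Select-Object HostName, Site, IPv4Address, OperatingSystem,
                      IsGlobalCatalog, IsReadOnly,
                      @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ',' } }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master cannot detect stale cross-domain references
    # when it sits on a GC, unless every DC in the domain is also a GC.
    [CmdletBinding()]
    param([string]$Server)
    $common = @{}
    if ($Server) { $common['Server'] = $Server }
    $domain = Get-ADDomain @common
    $dcs    = Get-ADDomainController -Filter * @common
    $im     = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure master $($im.HostName) is a GC but not all DCs are GCs; move the role or make every DC a GC."
        return $false
    }
    return $true
}

Get-AdTopologySummary | Format-List
Get-AdDomainControllerSummary | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Run it from an administrative workstation rather than on a DC; a read-only domain account is sufficient, which is also a reminder that this topology information is available to any authenticated user, so it cannot be relied on as a secret.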

DNS
The Domain Name System (DNS) is the Internet's equivalent of a phone book. DNS servers maintain a distributed directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers reach hosts by IP address. Active Directory depends on DNS: domain-joined clients locate domain controllers through records in the domain's DNS zone, so an AD domain normally has a DNS zone of the same name and the domain controllers usually run the DNS service themselves.


Zones

Primary DNS Zone
A primary zone is the read/write copy of a zone's data. Whenever a new DNS record is added, either automatically by DNS clients through dynamic update or manually by an administrator, it is written to the primary zone. A single DNS server can host many zones, but in standard (file-backed) DNS each zone has exactly one primary copy, and only the server holding it can accept changes.

Because the primary zone is the writable copy, the server that hosts it must be physically protected and hardened against internal and external network threats. An attacker who can write to the primary zone can redirect every client that trusts it, for example by pointing a mail or logon server's name at a host he controls.

Secondary DNS Zone
Unlike the primary zone, a secondary zone is a read-only copy of the zone's records; records cannot be added directly to it. A secondary receives updates only from its master (the primary, or another secondary) through a zone transfer (AXFR for a full copy, IXFR for incremental changes). Zone transfers should be permitted only to the servers listed as secondaries, because an unrestricted transfer hands anyone who asks a complete map of the hosts in the zone.

Forward Lookup Zones

A forward lookup is the most common form of DNS lookup: it converts a host name into an IP address. A forward lookup zone contains name-to-IP-address mappings. Each zone consists of a number of resource records (RRs), each describing a particular resource on the network.


DNS Records
There are several types of resource records (RRs) that can be found in a zone file:
  • A (Host) Record: Associates a host's name with an IPv4 address (an AAAA record does the same for IPv6).
  • CNAME (Alias): Maps an alias name to the canonical (real) host name, which is then resolved through its own A record. This lets one host answer to several names (www and intranet, for example) while its address is maintained in a single place. Publishing several A records with different IP addresses for one name, as large web sites do for load balancing, is a separate technique (round-robin DNS) and does not involve CNAMEs.
  • MX (Mail Exchanger): Names the mail servers that accept mail for the domain, each with a preference value so that senders try the lowest-numbered server first.
  • Name Server Record (NS): Shows which DNS servers are authoritative for this zone.
  • Start of Authority (SOA) Record: The first record in the zone file. It identifies the primary server and the responsible contact, and carries the zone serial number and the refresh, retry and expire timers that secondaries use to decide when to transfer a new copy.
  • Service (SRV) Records: Locate servers that offer a particular service. An SRV record does not contain an IP address; it contains a priority, a weight, a port number and the target host name, which the client then resolves through an A or AAAA record. Active Directory clients find domain controllers through SRV records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>, so a domain could not function without them.
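The two-step lookup that the SRV description above implies can be watched directly. The following PowerShell is an added example, not code from the original page: it queries the domain controller locator SRV record for a domain, then resolves each target host name to its A records, so the output shows that the SRV record itself carries only a name and port. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) and a reachable DNS server for the domain; contoso.com is a placeholder domain name.

```powershell
# Added example (not from the original page): find domain controllers the way
# an AD client does, through the _ldap._tcp.dc._msdcs.<domain> SRV record,
# then resolve each target name to its addresses in a second step.
# Assumes Resolve-DnsName (DnsClient module); contoso.com is a placeholder.
function Find-DomainControllersViaSrv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DnsDomain,
        # Optional AD site: _ldap._tcp.<site>._sites.dc._msdcs.<domain>
        [string]$Site,
        # Optional DNS server to query instead of the client's configured one.
        [string]$DnsServer
    )
    $prefix = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs" } else { '_ldap._tcp.dc._msdcs' }
    $name   = "$prefix.$DnsDomain"

    $opts = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $opts['Server'] = $DnsServer }
    # Keep only the SRV answers; Resolve-DnsName may also return additional records.
    $srv = Resolve-DnsName @opts | Where-Object Type -eq 'SRV'

    # Clients prefer the lowest priority, then choose among equals by weight.
    foreach ($r in $srv | Sort-Object Priority, @{ e = 'Weight'; Descending = $true }) {
        $aOpts = @{ Name = $r.NameTarget; Type = 'A'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $aOpts['Server'] = $DnsServer }
        $addrs = Resolve-DnsName @aOpts |
                 Where-Object Type -eq 'A' |
                 Select-Object -ExpandProperty IPAddress

        [pscustomobject]@{
            SrvRecord = $name
            Target    = $r.NameTarget   # a host name, not an address
            Port      = $r.Port         # 389 for LDAP
            Priority  = $r.Priority
            Weight    = $r.Weight
            Addresses = ($addrs -join ', ')
        }
    }
}

# A DC missing from these records will not be found by clients; a target you
# do not recognise as one of your DCs deserves an immediate look.
Find-DomainControllersViaSrv -DnsDomain 'contoso.com' | Format-Table -AutoSize
```

Passing -DnsServer lets you compare what different resolvers return for the same record, which is a quick way to spot a server whose copy of the zone has been altered or has fallen out of sync.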

Reverse Lookup Zones

A reverse lookup zone contains IP-address-to-name mappings, stored as PTR records under the in-addr.arpa (IPv4) or ip6.arpa (IPv6) namespace. This allows a computer to perform reverse queries, which some applications require and which log analysis and mail servers commonly use to turn an address into a host name.

Active Directory Integrated Zones

Active Directory integrated zones hold the same records as standard zone files, but the data is stored in the directory and replicated by AD replication rather than by zone transfers. Every domain controller running DNS that hosts the zone has a writable copy, so updates are multi-master: you can update the zone on any of those servers and the change replicates to the rest. Storing the zone in AD also enables secure dynamic updates, in which only the authenticated computer that registered a record may later change it; allowing nonsecure dynamic updates lets any host on the network overwrite another host's record.

Stub Zones

A stub zone contains a partial copy of another zone: only the SOA record, the NS records and the glue A records for the name servers of its master zone. Stub zones let a server learn which servers are authoritative for a delegated zone and keep that list current automatically, so they are mainly used to keep track of the name servers in delegated child zones when there are many children whose name servers change.
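The zone properties discussed in this section (primary or secondary, AD-integrated, dynamic update mode, zone transfer policy) are all visible through the DnsServer module. The following PowerShell is an added example, not code from the original page: it reports every zone on a Windows DNS server, flags the weak settings (nonsecure dynamic updates, transfers open to any server, a file-backed primary that cannot use secure updates), and shows the corrected settings for an AD-integrated primary zone. It assumes the DnsServer module (RSAT DNS tools) and administrative rights on the target server; dc01 and contoso.com are placeholder names.

```powershell
# Added example (not from the original page): audit zone security settings on
# a Windows DNS server and show the hardened configuration.
# Assumes the DnsServer module; 'dc01' and 'contoso.com' are placeholders.
Import-Module DnsServer

function Get-DnsZoneSecurityReport {
    [CmdletBinding()]
    param([string]$ComputerName = 'dc01')

    foreach ($z in Get-DnsServerZone -ComputerName $ComputerName) {
        $findings = @()

        # Nonsecure dynamic updates let any host register or overwrite records.
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'nonsecure dynamic updates allowed'
        }
        # Secure dynamic update needs AD storage; a file-backed primary that
        # accepts dynamic updates is therefore accepting unauthenticated ones.
        if ($z.ZoneType -eq 'Primary' -and -not $z.IsDsIntegrated -and $z.DynamicUpdate -ne 'None') {
            $findings += 'file-backed primary accepting dynamic updates'
        }
        # Unrestricted zone transfers hand the whole zone to anyone who asks.
        if ($z.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += 'zone transfer open to any server'
        }

        [pscustomobject]@{
            Zone          = $z.ZoneName
            Type          = $z.ZoneType          # Primary, Secondary, Stub, Forwarder
            ADIntegrated  = $z.IsDsIntegrated
            Replication   = $z.ReplicationScope  # Domain, Forest, Legacy, or blank
            Reverse       = $z.IsReverseLookupZone
            DynamicUpdate = $z.DynamicUpdate     # None, NonsecureAndSecure, Secure
            ZoneTransfer  = $z.SecureSecondaries # NoTransfer, TransferToZoneNameServer, ...
            Findings      = ($findings -join '; ')
        }
    }
}

function Set-DnsZoneHardened {
    # Corrected settings for an AD-integrated primary zone: only secure
    # (authenticated) dynamic updates, and transfers only to the servers named
    # in the zone's own NS records.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ZoneName,
        [string]$ComputerName = 'dc01'
    )
    if ($PSCmdlet.ShouldProcess($ZoneName, 'set secure dynamic update and restricted zone transfer')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -DynamicUpdate Secure -SecureSecondaries TransferToZoneNameServer
    }
}

# Show only the zones with something to fix.
Get-DnsZoneSecurityReport | Where-Object Findings | Format-Table -AutoSize
# Preview the change before applying it:
Set-DnsZoneHardened -ZoneName 'contoso.com' -WhatIf
```

Stub and secondary zones have no dynamic update setting of their own, so the report leaves that column blank for them; the zone transfer column still matters for a secondary, since a secondary can itself be a transfer source for others.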

Introduction to DHCP

In large networks the task of assigning TCP/IP addresses by hand is troublesome. The administrator would have to give every machine an IP address and subnet mask, as well as additional information such as DNS and WINS server addresses and the default gateway. Many operator errors can occur, duplicate addresses are common, and the TCP/IP information becomes difficult to manage. The Dynamic Host Configuration Protocol (DHCP) lets a server lease this configuration to clients automatically when they join the network.

DHCP Scope:
A Dynamic Host Configuration Protocol (DHCP) scope is the consecutive range of IP addresses that the DHCP server can lease to clients on a subnet. Scopes typically define a single physical subnet on your network to which DHCP service is offered. A scope is usually accompanied by exclusion ranges for statically addressed hosts (servers, printers, the gateway) and by scope options, such as the default gateway, DNS servers and DNS domain name, that are handed to clients along with the lease. Clients accept the first DHCP offer they receive, so a rogue DHCP server on the subnet can hand out a malicious gateway or DNS server; in an Active Directory environment a Windows DHCP server must be authorized in the directory before it will serve leases, and DHCP snooping on the switches protects against non-Windows rogues.
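The following PowerShell is an added example, not code from the original page. It creates the scope described above for one subnet, excludes the static range, sets the options clients receive with their lease, and checks whether a server is authorized in Active Directory. It assumes the DhcpServer module (Windows Server 2012 or later) and a domain-joined DHCP server; dhcp01, contoso.com and the 10.10.x.x addresses are placeholders.

```powershell
# Added example (not from the original page): create a DHCP scope with an
# exclusion range and scope options, and check AD authorization.
# Assumes the DhcpServer module; server names and addresses are placeholders.
Import-Module DhcpServer

function New-SubnetScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = 'dhcp01',
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ipaddress]$StartRange,
        [Parameter(Mandatory)] [ipaddress]$EndRange,
        [Parameter(Mandatory)] [ipaddress]$SubnetMask,
        # Addresses inside the range reserved for static hosts.
        [ipaddress]$ExcludeStart,
        [ipaddress]$ExcludeEnd,
        # Scope options: default gateway (3), DNS servers (6), DNS domain (15).
        [Parameter(Mandatory)] [ipaddress]$Router,
        [Parameter(Mandatory)] [ipaddress[]]$DnsServer,
        [Parameter(Mandatory)] [string]$DnsDomain,
        [timespan]$LeaseDuration = (New-TimeSpan -Days 8)
    )
    if (-not $PSCmdlet.ShouldProcess("$Name ($StartRange - $EndRange)", 'create scope')) { return }

    # The scope ID is the subnet address; -PassThru returns it with the object.
    $scope = Add-DhcpServerv4Scope -ComputerName $ComputerName -Name $Name `
        -StartRange $StartRange -EndRange $EndRange -SubnetMask $SubnetMask `
        -LeaseDuration $LeaseDuration -State Active -PassThru

    if ($ExcludeStart -and $ExcludeEnd) {
        Add-DhcpServerv4ExclusionRange -ComputerName $ComputerName -ScopeId $scope.ScopeId `
            -StartRange $ExcludeStart -EndRange $ExcludeEnd
    }

    Set-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $scope.ScopeId `
        -Router $Router -DnsServer $DnsServer -DnsDomain $DnsDomain

    $scope
}

function Test-DhcpServerAuthorized {
    # A domain-joined Windows DHCP server refuses to lease addresses until it
    # is authorized in AD. This checks a server against the authorized list.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$ComputerName)
    $fqdn = ([System.Net.Dns]::GetHostEntry($ComputerName)).HostName
    $authorized = Get-DhcpServerInDC
    [bool]($authorized | Where-Object { $_.DnsName -eq $fqdn })
}

# Preview with -WhatIf first; remove it to create the scope.
New-SubnetScope -Name 'HQ-Floor1' `
    -StartRange '10.10.1.1' -EndRange '10.10.1.254' -SubnetMask '255.255.255.0' `
    -ExcludeStart '10.10.1.1' -ExcludeEnd '10.10.1.20' `
    -Router '10.10.1.1' -DnsServer '10.10.0.10', '10.10.0.11' -DnsDomain 'contoso.com' -WhatIf

Test-DhcpServerAuthorized -ComputerName 'dhcp01'
```

Get-DhcpServerInDC lists only Windows servers that were authorized through AD; it does not detect a rogue server on the wire, which is what a client-side capture of DHCP offers or switch-level DHCP snooping is for.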

ADFS:
Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control model: instead of each application authenticating users itself, ADFS authenticates the user against Active Directory and issues a signed security token containing claims about the user, and the application trusts the token.
Claims-based authentication is the process of authenticating a user based on a set of claims about the user's identity contained in a trusted token. Such a token is issued and signed by an entity (here, the ADFS server) that is able to authenticate the user by other means, such as a Kerberos logon, and that is trusted by the application doing the claims-based authentication. The application therefore never sees the user's password; its security depends on verifying the token's signature and on trusting only the expected issuer.
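The claims described above are defined in ADFS by claim rules attached to a relying party trust (the application). The following PowerShell is an added example, not code from the original page or from Microsoft: it registers a relying party trust with an issuance transform rule that pulls the user's UPN and e-mail address from Active Directory into the token, and an issuance authorization rule that permits a token to be issued only when the user carries the SID of a specific group. It assumes the ADFS module on the federation server; the application name, identifier URL and group SID are placeholders.

```powershell
# Added example (not from the original page): a relying party trust with
# claim rules showing claims-based access control in AD FS.
# Assumes the ADFS module on the federation server; names and SID are placeholders.
Import-Module ADFS

# Issuance transform rule: for a Windows account authenticated by AD, query the
# Active Directory attribute store and issue two claims. The attribute order in
# 'query' matches the order of 'types'.
$transformRules = @'
@RuleName = "Issue UPN and e-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Issuance authorization rule: AD FS issues a token only if some rule emits a
# permit claim. Here that happens only for members of one group, identified by
# SID so that renaming the group does not change who is allowed in.
$appGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID
$authorizationRules = @"
@RuleName = "Permit members of the application access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$appGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

function Add-ClaimsAwareRelyingParty {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Name,
        # The realm / entity ID the application presents to AD FS.
        [Parameter(Mandatory)] [string]$Identifier,
        # Where AD FS posts the WS-Federation token back to the application.
        [Parameter(Mandatory)] [string]$WsFedEndpoint
    )
    if (-not $PSCmdlet.ShouldProcess($Name, 'add relying party trust')) { return }

    Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Identifier `
        -WSFedEndpoint $WsFedEndpoint `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules

    Get-AdfsRelyingPartyTrust -Name $Name |
        Select-Object Name, Identifier, WSFedEndpoint, IssuanceAuthorizationRules
}

Add-ClaimsAwareRelyingParty -Name 'Claims App' `
    -Identifier 'https://app.contoso.com/' -WsFedEndpoint 'https://app.contoso.com/' -WhatIf
```

The distinction between the two rule sets is the security point: transform rules decide what the application learns about the user, authorization rules decide whether a token is issued at all. A trust with no authorization rule issues tokens to nobody, so the common shortcut of adding a "permit everyone" rule should be replaced with a group-based rule like the one above.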


Microsoft Exchange Server

Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 is the messaging platform that provides e-mail, calendaring and scheduling, and tools for building custom collaboration and messaging applications. Users create and manage their communications from Outlook in the workplace, from a browser, and from mobile devices.

Exchange Server 2010 editions

· Exchange Server 2010 Standard
Designed to provide essential messaging services for small to medium-size organizations and branch office locations. This edition supports up to 5 mounted databases on a particular server.

· Exchange Server 2010 Enterprise
Designed to provide messaging services for organizations with increased availability, reliability and manageability needs. This edition supports up to 100 databases (including all active databases and copies of databases) on a particular server. The two editions are the same binaries; the product key determines the edition and the database limit.

· Understand the Exchange Server roles in Exchange Server 2010
With Exchange Server Setup, you can deploy servers with specific roles throughout the enterprise. Prior to setup and configuration, you need to decide how you will use Exchange Server 2010, which roles you will deploy, and where you will locate those roles. Afterward, you can plan the deployment and roll out Exchange Server.
Exchange Server 2010 should be installed on a member server and not on a domain controller: Exchange requires local administrator rights on its server, and on a domain controller those rights are domain administrator rights, so a compromise of the mail server would become a compromise of the domain.
· The five roles are:
  1. Mailbox Role
  2. Client Access (CAS)
  3. Hub Transport (Bridgehead)
  4. Unified Messaging
  5. Edge Transport (Gateway)
Mailbox Server This is a back-end server that hosts mailboxes, public folders, and related messaging data, such as address lists, resource scheduling, and meeting items. For high availability of mailbox databases, you can use database availability groups.

Client Access Server This is a middle-tier server that accepts connections to Exchange Server from a variety of clients. This server hosts the protocols used by all clients when checking messages. On the local network, Outlook MAPI clients are connected directly to the Client Access server to check mail. Remote users can check their mail over the Internet by using Outlook Anywhere, Outlook Web App, Exchange ActiveSync, POP3, or IMAP4.

Unified Messaging Server This is a middle-tier server that integrates a private branch exchange (PBX) system with Exchange Server 2010, allowing voice messages and faxes to be stored with e-mail in a user’s mailbox. Unified messaging supports call answering with automated greetings and message recording, fax receiving, and dial-in access. With dial-in access, users can use Outlook Voice Access to check voice mail, e-mail, and calendar information; to review or dial contacts; and to configure preferences and personal options. Note that to receive faxes, you need an integrated solution from a Microsoft partner.

Hub Transport Server This is a mail routing server that handles mail flow, routing, and delivery within the Exchange organization. This server processes all mail that is sent inside the organization before it is delivered to a mailbox in the organization or routed to users outside the organization. Processing ensures that senders and recipients are resolved and filtered as appropriate, content is filtered and has its format converted if necessary, and attachments are screened. To meet any regulatory or organizational compliance requirements, the Hub Transport server can also record, or journal, messages and add disclaimers to them.

Edge Transport Server This serves as an additional mail routing server that routes mail into and out of the Exchange organization. This server is designed to be deployed in an organization’s perimeter network and is used to establish a secure boundary between the organization and the Internet. This server accepts mail coming into the organization from the Internet and from trusted servers in external organizations, processes the mail to protect against some types of spam messages and viruses, and routes all accepted messages to a Hub Transport server inside the organization.

These five roles are the building blocks of an Exchange organization. Note that you can combine all of the roles except for the Edge Transport server role on a single server. One of the most basic Exchange organizations you can create is one that includes a single Exchange server that provides the Mailbox server, Client Access server, and Hub Transport server roles. These three roles are the minimum required for routing and delivering messages to both local and remote messaging clients. For added security, you could deploy the Edge Transport server role in a perimeter network on one or more separate servers.
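The deployment rules in this section (the three minimum roles, Edge Transport kept separate, no Exchange on a domain controller, database counts within the edition limit) can be checked from the Exchange Management Shell. The following PowerShell is an added example, not code from the original page or from Microsoft: it lists every Exchange server in the organization with its edition and roles and reports any of those rules that are violated. It assumes an Exchange 2010 Management Shell session with the ActiveDirectory module available; server names come from your own organization.

```powershell
# Added example (not from the original page): report Exchange 2010 server roles
# and check the deployment rules from this section.
# Assumes the Exchange Management Shell plus the ActiveDirectory module.
function Get-ExchangeRoleReport {
    [CmdletBinding()]
    param()

    # Domain controller names, to detect Exchange installed on a DC.
    $dcs = @(Get-ADDomainController -Filter * -ErrorAction SilentlyContinue | ForEach-Object HostName)

    foreach ($s in Get-ExchangeServer) {
        $roles = @()
        if ($s.IsMailboxServer)          { $roles += 'Mailbox' }
        if ($s.IsClientAccessServer)     { $roles += 'CAS' }
        if ($s.IsHubTransportServer)     { $roles += 'Hub' }
        if ($s.IsUnifiedMessagingServer) { $roles += 'UM' }
        if ($s.IsEdgeServer)             { $roles += 'Edge' }

        $findings = @()
        # Edge Transport belongs alone in the perimeter network.
        if ($s.IsEdgeServer -and $roles.Count -gt 1) {
            $findings += 'Edge Transport combined with other roles'
        }
        if ($dcs -contains $s.Fqdn) {
            $findings += 'Exchange installed on a domain controller'
        }

        $dbCount = 0
        $limit   = $null
        if ($s.IsMailboxServer) {
            # Databases with a copy on this server; Standard allows 5, Enterprise 100.
            $dbCount = @(Get-MailboxDatabase -Server $s.Name -ErrorAction SilentlyContinue).Count
            $limit   = if ($s.Edition -like 'Enterprise*') { 100 } else { 5 }
            if ($dbCount -gt $limit) {
                $findings += "database count $dbCount exceeds $($s.Edition) limit of $limit"
            }
        }

        [pscustomobject]@{
            Server    = $s.Name
            Edition   = $s.Edition
            Version   = $s.AdminDisplayVersion
            Site      = $s.Site
            Roles     = ($roles -join ',')
            Databases = $dbCount
            Findings  = ($findings -join '; ')
        }
    }
}

function Test-ExchangeMinimumRoles {
    # Mailbox, CAS and Hub Transport must each exist somewhere in the
    # organization before mail can be routed and delivered at all.
    [CmdletBinding()]
    param([object[]]$Report = (Get-ExchangeRoleReport))
    $present = @($Report | ForEach-Object { $_.Roles -split ',' } | Where-Object { $_ })
    $missing = @('Mailbox', 'CAS', 'Hub') | Where-Object { $present -notcontains $_ }
    if ($missing) { Write-Warning "Roles missing from the organization: $($missing -join ', ')" }
    return (-not $missing)
}

$report = Get-ExchangeRoleReport
$report | Format-Table -AutoSize
Test-ExchangeMinimumRoles -Report $report
```

Edge Transport servers are not domain members and only appear in Get-ExchangeServer once an Edge Subscription has been created, so an unsubscribed Edge server will be absent from the report rather than flagged.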

What is Cloud Computing?

Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud se...