
Networking: A Beginner’s Guide, Fifth Edition - P27


Document information

Pages: 5
Size: 120.39 KB

Content

Chapter 9: Exploring Directory Services (from Networking: A Beginner’s Guide, pages 112-116)

You should know about five important directory services: Novell eDirectory, Microsoft’s Windows NT domains, Microsoft’s Active Directory, X.500 Directory Access Protocol, and Lightweight Directory Access Protocol. These are described later in this chapter.

Forests, Roots, Trees, and Leaves

One thing common to all directory services is a tree-based organization (with the tree usually depicted upside-down, with the root at the top), somewhat similar to the organization of directories on a hard disk. A forest is a collection of trees managed collectively. At the top of each directory tree is the root entry, which contains other entries. These other entries can be containers or leaves. A container object is one that contains other objects, which can also include more containers and leaves. A leaf object represents an actual resource on the network, such as a workstation, printer, shared directory, file, or user account. Leaf objects cannot contain other objects. Figure 9-1 shows a typical directory tree.

Figure 9-1. A typical directory tree. Root; Country (C): Asia, U.S., Europe; Organization (O): Anyco, Inc., Otherco, Ltd.; Organizational Unit (OU): Accounting, HR, Manufacturing, Distribution; Common name (CN): T. Wilson, F. Thomas, Controller, Accounting printer, Accounting folder.

All the objects in a directory tree have attributes (sometimes called properties), which vary depending on the type of object to which the attribute is attached. For example, a printer leaf object might contain attributes that describe the printer, who can administer the printer, what the printer’s name is on the network, and so forth. A user account leaf object might contain attributes that include the full name of the user account, its password, and resources that the user can access.
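The container/leaf structure and the attributes just described can be made concrete in code. The following is an added example, not code from the book: it builds the tree drawn in Figure 9-1, derives each object's LDAP-style distinguished name (DN) from its position in the tree, resolves a DN back to an object, and enforces the rule that leaf objects cannot contain anything. The attribute values on the leaves (administrators, network names, share paths) are constructed samples, not taken from the book.

```python
"""Model of the directory tree in Figure 9-1: containers hold containers or
leaves; leaves are network resources and hold nothing. Added example, not code
from the book; the attribute values are constructed samples."""
from __future__ import annotations
import re
from typing import Dict, Iterator, List, Optional


class Entry:
    """A directory object: its object class (C, O, OU, CN), name and attributes."""

    def __init__(self, obj_class: str, name: str, **attributes: object):
        self.obj_class = obj_class
        self.name = name
        self.attributes = dict(attributes)
        self.parent: Optional[Container] = None

    def rdn(self) -> str:
        """Relative distinguished name; a comma inside a value is escaped as in LDAP."""
        escaped = self.name.replace(",", "\\,")
        return f"{self.obj_class}={escaped}"

    def dn(self) -> str:
        """Distinguished name: this entry's RDN, then each ancestor's, up to the root."""
        parts = []
        node: Optional[Entry] = self
        while node is not None and node.parent is not None:  # the root has no RDN
            parts.append(node.rdn())
            node = node.parent
        return ",".join(parts)


class Container(Entry):
    def __init__(self, obj_class: str, name: str, **attributes: object):
        super().__init__(obj_class, name, **attributes)
        self.children: Dict[str, Entry] = {}

    def add(self, child: Entry) -> Entry:
        child.parent = self
        self.children[child.rdn()] = child
        return child


class Leaf(Entry):
    """A workstation, printer, folder or user account: it cannot contain objects."""

    def add(self, child: Entry) -> Entry:
        raise TypeError(f"{self.dn()} is a leaf object and cannot contain {child.rdn()}")


def build_figure_9_1() -> Container:
    root = Container("ROOT", "")
    us = root.add(Container("C", "U.S."))
    root.add(Container("C", "Asia"))
    root.add(Container("C", "Europe"))
    anyco = us.add(Container("O", "Anyco, Inc."))
    us.add(Container("O", "Otherco, Ltd."))
    acct = anyco.add(Container("OU", "Accounting"))
    for name in ("HR", "Manufacturing", "Distribution"):
        anyco.add(Container("OU", name))
    # Leaves as drawn in the figure; attribute values are constructed samples.
    acct.add(Leaf("CN", "T. Wilson", can_access=["Accounting folder"]))
    acct.add(Leaf("CN", "F. Thomas", can_access=["Accounting folder", "Accounting printer"]))
    acct.add(Leaf("CN", "Controller"))
    acct.add(Leaf("CN", "Accounting printer", administrators=["T. Wilson"],
                  network_name="ACCT-PRN1"))
    acct.add(Leaf("CN", "Accounting folder", path="\\\\ACCT-SRV1\\accounting"))
    return root


def find(root: Container, dn: str) -> Optional[Entry]:
    """Resolve a DN by walking from the root; None if any RDN on the path is missing."""
    node: Entry = root
    for rdn in reversed(re.split(r"(?<!\\),", dn)):  # split on unescaped commas only
        if not isinstance(node, Container) or rdn not in node.children:
            return None
        node = node.children[rdn]
    return node


def walk(node: Entry) -> Iterator[Entry]:
    """Depth-first traversal of the tree below (and including) `node`."""
    yield node
    if isinstance(node, Container):
        for child in node.children.values():
            yield from walk(child)


def leaf_dns(root: Container) -> List[str]:
    """DNs of every resource (leaf) in the tree."""
    return [entry.dn() for entry in walk(root) if isinstance(entry, Leaf)]


if __name__ == "__main__":
    tree = build_figure_9_1()
    for dn in leaf_dns(tree):
        print(dn)
```

Resolving a DN walks the path from the root downwards, which is why the DN is written leaf-first and why a missing container anywhere on the path makes the whole lookup fail rather than silently matching a partial path.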
The details of what attributes attach to what leaf or container objects vary among all the directory services, although they generally use similar attributes.

Department of Redundancy Department

Keeping directory services running is essential for any network that relies on them. Because they contain all details about accounts, resources, and security, the absence of directory services means the network won’t work at all! Since the directory services become so important to a network, you must protect them with some degree of redundancy. As mentioned earlier, keeping duplicate copies of the directory on multiple servers provides the necessary redundancy. This is done using one of two approaches:

- In the primary/backup model, a single primary database contains the primary (or “real”) directory on one server, while other servers hold one or more backup copies. If the primary copy stops working for some reason, the backups can continue to provide directory services to the network without the user even knowing that the primary copy isn’t available. Windows NT domains use a primary/backup approach.

- In the multimaster model, multiple directory servers exist, but they are all peers to one another. If one goes down, the other peers continue to operate normally. The advantage of the multimaster model is that each directory server can fully participate in doing the work of the directory service. Active Directory (in Windows 2000 Server and later) uses the multimaster approach.

Directory servers, whether they use the primary/backup or multimaster approach, must keep in sync with changes on the network. The separate databases are kept synchronized through a process called replication, in which changes to any of the individual directory databases are transparently updated to all the other directory service databases.
A potential problem exists with any replication process, though: If two changes are made to the same leaf object on two different directory servers and the changes are different, what does the system do when the changes “collide” during replication? The various directory services handle this problem in slightly different ways. In the case of Novell eDirectory, the timestamps of the changes drive which of two conflicting changes will win. (Because of this, servers running eDirectory must carefully keep their time synchronized; this synchronization is also handled during replication.) Microsoft’s Active Directory doesn’t use timestamps, but instead uses sequence numbers in a clever scheme that avoids the potential problems of a timestamp approach. (Even though eDirectory servers synchronize their time, their time can still become out of sync between synchronizations.)

Some directory services also allow a concept called partitioning, in which different directory servers keep different parts of the entire directory tree. In this case, a controlling directory server usually manages the entire tree (called the global catalog in Active Directory), and then other directory servers can manage smaller pieces of the total tree. Partitioning is important for networks with multiple LANs connected by a wide area network (WAN). In such cases, you want to host a partition that relates to a particular LAN locally, yet still allow access to the entire tree for resources accessed over the WAN. Each LAN hosts its own partition, but can still access the total tree when needed. You arrange the partitions (and set the scheduled replication times) to make the best use of the WAN’s performance, which usually is slower than that of a LAN.

Learning About Specific Directory Services

Quite a few different directory services are available. Choosing one usually goes hand in hand with choosing a main network operating system, although this isn’t always the case.
Both eDirectory and Active Directory can handle non-Novell and non-Microsoft servers, respectively. Consequently, even a network that currently uses mostly Windows servers might still rely on eDirectory for directory services through the use of Novell’s eDirectory for Windows product. Using a single directory service with different network operating systems often happens because an organization starts out favoring a particular network operating system and then later finds itself forced to support additional ones, but the organization still wants to maintain a coherent, single directory service to manage the network operating systems. The following are the main directory services:

- Novell eDirectory (previously called Novell Directory Services, or NDS) is the network directory service that has been available for the longest time. eDirectory runs on NetWare 4.x and later servers, and is also available for other server operating systems (such as Solaris, Linux, and Windows), enabling you to use eDirectory as a single directory service for managing a multivendor network.

- Windows NT domains (introduced with Windows NT 4) are not actually complete directory services, but they provide some of the features and advantages of directory services.

- Microsoft’s Active Directory debuted with the Windows 2000 Server line of products. This is a true directory service, and it brings the full features of a directory service to a network predominantly built using Windows servers.

- X.500 Directory Access Protocol (DAP) is an international standard directory service that is full of features. However, X.500 provides so many features that its overhead makes deploying and managing it prohibitive. Consequently, X.500 is in an interesting position: it is an important standard, yet, paradoxically, it is not actually used.
- The Lightweight Directory Access Protocol (LDAP) was developed by a consortium of vendors as a subset of X.500 to offer an alternative with less complexity than X.500. LDAP is in wide use for e-mail directories and is suitable for other directory service tasks. The most recent versions of eDirectory and Active Directory are compatible with LDAP.

These are the predominant directory services that you will encounter, although others exist. For instance, a number of companies offer different software that provides LDAP-compliant directory services on different platforms.

eDirectory

Novell eDirectory has been available since 1993, introduced as NDS as part of NetWare 4.x. This product was a real boon and was rapidly implemented in Novell networks, particularly in larger organizations that had many NetWare servers and desperately needed its capabilities. eDirectory is a reliable, robust directory service that has continued to evolve since its introduction. Version 8.8 is now available, and it incorporates the latest directory service features. eDirectory uses a primary/backup approach to directory servers and also allows partitioning of the tree. In addition to running on Novell network operating systems, eDirectory is also available for Windows, Solaris, AIX, and Linux systems. The product’s compatibility with such a variety of systems makes it a good choice for managing all these platforms under a single directory structure.

You manage the eDirectory tree from a client computer logged in to the network with administrative privileges. You can use a graphical tool designed to manage the tree, such as Novell Identity Manager, or other tools that mimic the look and feel of the operating system on which they run and that are also available from Novell.

The eDirectory tree contains a number of different object types. The standard directory service types (countries, organizations, and organizational units) are included.
The system also has objects to represent NetWare security groups, NetWare servers, and NetWare server volumes. eDirectory can manage more than a billion objects in a tree.

Windows NT Domains

The Windows NT domain model breaks an organization into chunks called domains, all of which are part of an organization. The domains are usually organized geographically, which helps minimize domain-to-domain communication requirements across WAN links, although you’re free to organize domains as you wish.

Each domain is controlled by a primary domain controller (PDC), which might have one or more backup domain controllers (BDCs) to kick in if the PDC fails. All changes within the domain are made to the PDC, which then replicates those changes to any BDCs. BDCs are read-only, except for valid updates received from the PDC. In case of a PDC failure, BDCs automatically continue authenticating users. To make administrative changes to a domain that suffers PDC failure, any of the BDCs can be promoted to PDC. Once the PDC is ready to come back online, the promoted BDC can be demoted back to BDC status.

Windows NT domains can be organized into one of four domain models:

- Single domain: In this model, only one domain contains all network resources.

- Master domain: The master model usually puts users at the top-level domain and then places network resources, such as shared folders or printers, in lower-level domains (called resource domains). In this model, the resource domains trust the master domain.

- Multiple master domain: This is a slight variation on the master domain model, in which users might exist in multiple master domains, all of which trust one another, and in which resources are located in resource domains, all of which trust all the master domains.

- Complete trust: This variation of the single-domain model spreads users and resources across all domains, which all trust each other.
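The four domain models differ mainly in which one-way trusts an administrator has to create and keep working. The following is an added example, not code from the book: it enumerates the trust relationships each model implies as directed (trusting, trusted) pairs, counts the trusts a single domain has to establish, and answers the question an administrator of a resource domain actually cares about, namely whose accounts can be granted access there. Domain names are constructed. The `accessible_from` function relies on Windows NT trusts being non-transitive, which the book does not state in this excerpt but which holds for NT 4 domains.

```python
"""Trust relationships implied by the four Windows NT domain models.
Added example, not from the book; domain names are constructed."""
from itertools import permutations
from typing import List, Set, Tuple

# A trust is a directed pair (trusting_domain, trusted_domain): the trusting
# domain accepts accounts that the trusted domain authenticates.
Trust = Tuple[str, str]


def single_domain(domain: str) -> Set[Trust]:
    """One domain holds users and resources; no trusts are needed."""
    return set()


def master_domain(master: str, resources: List[str]) -> Set[Trust]:
    """Resource domains trust the single master domain that holds the users."""
    return {(resource, master) for resource in resources}


def multiple_master(masters: List[str], resources: List[str]) -> Set[Trust]:
    """Masters trust one another (both directions); every resource domain trusts every master."""
    trusts: Set[Trust] = set(permutations(masters, 2))
    trusts |= {(resource, master) for resource in resources for master in masters}
    return trusts


def complete_trust(domains: List[str]) -> Set[Trust]:
    """Every domain trusts every other domain: n * (n - 1) one-way trusts."""
    return set(permutations(domains, 2))


def trusts_established_by(domain: str, trusts: Set[Trust]) -> Set[Trust]:
    """Trusts `domain` has to configure and maintain as the trusting side."""
    return {t for t in trusts if t[0] == domain}


def accessible_from(resource_domain: str, trusts: Set[Trust]) -> Set[str]:
    """Domains whose accounts can be granted access to `resource_domain`.
    Windows NT trusts are not transitive, so only direct trusts count;
    a domain always accepts its own accounts."""
    return {resource_domain} | {trusted for trusting, trusted in trusts if trusting == resource_domain}


if __name__ == "__main__":
    names = [f"DOM{i:03d}" for i in range(100)]  # constructed domain names
    print("complete trust, 100 domains:", len(complete_trust(names)))
    print("trusts DOM000 must establish:", len(trusts_established_by("DOM000", complete_trust(names))))
    mm = multiple_master(["USERS-EU", "USERS-US"], ["FILES-PARIS", "PRINT-NYC"])
    print("multiple master:", sorted(mm))
```

The counts make the book's scaling argument visible: the complete-trust model grows with the square of the domain count, while the master models grow with the number of resource domains times the (small) number of master domains.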
You choose an appropriate domain model depending on the physical layout of the network, the number of users to be served, and other factors. (If you’re planning a domain model, you should review the white papers on Microsoft’s web site for details on planning large domains, because the process can be complex.)

Explicit trust relationships must be maintained between domains using the master or multiple master domain model and must be managed on each domain separately. Maintaining these relationships is one of the biggest difficulties in the Windows NT domain structure approach, at least for larger organizations. If you have 100 domains, you must manage the 99 possible trust relationships for each domain, for a total of 9,900 trust relationships. For smaller numbers of domains (for example, fewer than 10 domains), management of the trust relationships is less of a problem, although it can still cause difficulties.

Active Directory

Windows NT domains work relatively well for smaller networks, but they can become difficult to manage for larger networks. Moreover, the system is not nearly as comprehensive as, for example, eDirectory. Microsoft recognized this problem and developed a directory service called Active Directory, which is a comprehensive directory service that runs on Windows 2000 Server and later. Active Directory is fully compatible with LDAP (versions 2 and 3) and also with the Domain Name System (DNS) used on the Internet.

Active Directory uses a peer approach to domain controllers; all domain controllers are full participants at all times. As mentioned earlier in this chapter, this arrangement is called multimaster because there are many “master” domain controllers but no backup controllers. Active Directory is built on a structure that allows “trees of trees,” which is called a forest. Each tree is its own domain and has its own domain controllers. Within a domain, separate organizational units are allowed to make administration easier and more logical.
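In a multimaster arrangement like Active Directory's, every domain controller accepts writes, so the collision problem raised earlier in the chapter (two different changes to the same object on two servers) has to be resolved by a rule both sides apply identically. The following is an added example, not code from the book and not either product's actual replication algorithm: it models two replicas, one with a clock running five minutes fast, and resolves conflicts first by the timestamp rule the chapter attributes to eDirectory and then by a per-attribute sequence number in the spirit of the Active Directory approach. The scenario shows the specific failure the chapter warns about: with skewed clocks, a genuinely later change can lose to an earlier one, and the replicas end up disagreeing. Server names, the attribute and its values are constructed.

```python
"""Replication conflict resolution: timestamps versus per-attribute sequence
numbers. Added example; a simplified model, not eDirectory's or Active
Directory's real algorithm. Server names and values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Stamp:
    version: int      # per-attribute change counter (the "sequence number")
    timestamp: float  # the originating server's clock reading when it wrote
    origin: str       # originating server, used only as a final tie-breaker


# A rule decides whether an incoming replicated change beats the local one.
Rule = Callable[[Stamp, Stamp], bool]


def by_timestamp(incoming: Stamp, current: Stamp) -> bool:
    """Latest wall-clock time wins; the origin name breaks exact ties."""
    return (incoming.timestamp, incoming.origin) > (current.timestamp, current.origin)


def by_version(incoming: Stamp, current: Stamp) -> bool:
    """Highest change counter wins; timestamp and origin only break ties."""
    return ((incoming.version, incoming.timestamp, incoming.origin)
            > (current.version, current.timestamp, current.origin))


class Replica:
    def __init__(self, name: str, rule: Rule, clock_skew: float = 0.0):
        self.name = name
        self.rule = rule
        self.clock_skew = clock_skew  # seconds this server's clock runs fast
        self.data: Dict[str, Tuple[str, Stamp]] = {}

    def write(self, attr: str, value: str, now: float) -> Stamp:
        """Local administrative change: the counter moves past anything seen so far."""
        prev = self.data.get(attr)
        version = prev[1].version + 1 if prev else 1
        stamp = Stamp(version, now + self.clock_skew, self.name)
        self.data[attr] = (value, stamp)
        return stamp

    def receive(self, attr: str, value: str, stamp: Stamp) -> bool:
        """Apply a change replicated from a peer only if the rule says it wins."""
        current = self.data.get(attr)
        if current is None or self.rule(stamp, current[1]):
            self.data[attr] = (value, stamp)
            return True
        return False

    def read(self, attr: str) -> Optional[str]:
        entry = self.data.get(attr)
        return entry[0] if entry else None


def replicate(src: Replica, dst: Replica, attr: str) -> bool:
    value, stamp = src.data[attr]
    return dst.receive(attr, value, stamp)


def _seeded_pair(rule: Rule) -> Tuple[Replica, Replica]:
    """Two replicas holding the same initial value; B's clock is 300 s fast."""
    a, b = Replica("A", rule), Replica("B", rule, clock_skew=300.0)
    seed = Stamp(1, 0.0, "A")
    for replica in (a, b):
        replica.receive("telephoneNumber", "100", seed)
    return a, b


def sequential_updates(rule: Rule) -> Tuple[Optional[str], Optional[str]]:
    """B changes the number, the change replicates, then A changes it again
    10 s later. Returns what A and B hold after full replication."""
    a, b = _seeded_pair(rule)
    b.write("telephoneNumber", "200", now=10.0)
    replicate(b, a, "telephoneNumber")
    a.write("telephoneNumber", "300", now=20.0)  # the genuinely later change
    replicate(a, b, "telephoneNumber")
    return a.read("telephoneNumber"), b.read("telephoneNumber")


def concurrent_updates(rule: Rule) -> Tuple[Optional[str], Optional[str]]:
    """Both servers change the attribute before either has replicated."""
    a, b = _seeded_pair(rule)
    a.write("telephoneNumber", "alpha", now=10.0)
    b.write("telephoneNumber", "beta", now=10.0)
    replicate(a, b, "telephoneNumber")
    replicate(b, a, "telephoneNumber")
    return a.read("telephoneNumber"), b.read("telephoneNumber")


if __name__ == "__main__":
    for name, rule in (("timestamp", by_timestamp), ("version", by_version)):
        print(name, "sequential:", sequential_updates(rule),
              "concurrent:", concurrent_updates(rule))
```

Under the timestamp rule the sequential scenario leaves A holding "300" and B holding "200": B's fast clock stamped its earlier change as newer, so the later change lost on B and the directory no longer converges. Under the version rule the counter, not the clock, carries the ordering, so both replicas end with "300". In the truly concurrent case both rules converge (the skewed clock merely picks the winner deterministically), which is why the chapter presents skew as the weakness of timestamps rather than the collision itself.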

Posted: 05/07/2014, 04:20
