Module 14
Transcript of Module 14
Module Overview
Overview of AD LDS
Deploying AD LDS
Configuring AD LDS Instances and Partitions
Configuring AD LDS Replication
Lesson 1: Overview of AD LDS
What Is AD LDS?
AD LDS Deployment Scenarios
Discussion: AD LDS or AD DS?
What Is AD LDS?
AD LDS is:
• An LDAP-based directory service
• Used for applications
AD LDS can be more flexible than AD DS because:
• You can run multiple instances of AD LDS on a single computer
• A DNS infrastructure is not required
• You can modify AD LDS to meet specific application requirements
AD LDS Deployment Scenarios
AD LDS is used most commonly in the following usage scenarios:
• Providing an LDAP-based application directory
• Providing an extranet authentication store
• Consolidating identity systems
• Providing a development environment for AD DS
• Providing a configuration store for distributed applications
• Migrating legacy directory-enabled applications
Discussion: AD LDS or AD DS?
AD LDS or AD DS for:
• Creating a phone book application?
• Creating an ordering application?
• Deploying Exchange Server 2013?
• Splitting into two separate companies?
Lesson 2: Deploying AD LDS
Components of AD LDS
Demonstration: Installing the AD LDS Server Role
AD LDS Schema
Client Connections to AD LDS
AD LDS SPNs
AD LDS Service Publication
Components of AD LDS
An AD LDS deployment consists of the following components:
• Instance
• Database
• Partitions
• Schema
Demonstration: Installing the AD LDS Server Role
In this demonstration, you will learn how to install the AD LDS server role
AD LDS Schema
• An AD LDS schema defines the types of objects and data that can be used by an instance
• The schema is stored in a configuration set
Client Connections to AD LDS
To connect to AD LDS, you:
• Can use LDAP or LDAP over SSL
• Must use the port numbers assigned to the AD LDS instance
• Must configure the IP address or DNS name of the AD LDS server
To secure client connections to AD LDS:
• Install a digital certificate on the server
• Configure clients to use LDAP over SSL to connect to the server
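An added example, not part of this module or of Microsoft's own material, that turns the two slides above into a check: it reads the LDAP and LDAPS ports assigned to a local instance, then opens an LDAP over SSL session that validates the server certificate (chain and DNS name) before binding and reading rootDSE. The ADAM_<InstanceName> service name, the 'Port LDAP' and 'Port SSL' registry value names, and the function names are assumptions; connect with the server's DNS name, since the certificate name check will not match an IP address.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-AdLdsInstancePort {
    # Reads the LDAP and LDAPS ports assigned to a local instance at install time.
    # Assumed layout: the service ADAM_<InstanceName> keeps them under ...\Parameters
    # as the values 'Port LDAP' and 'Port SSL'.
    param([Parameter(Mandatory)][string]$InstanceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_$InstanceName\Parameters"
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{ Instance = $InstanceName; Ldap = $p.'Port LDAP'; Ldaps = $p.'Port SSL' }
}

function Test-AdLdsLdaps {
    # Opens an LDAPS session to one instance, checks the certificate the server
    # presents, binds, and reads rootDSE. A wrong port, an untrusted or mismatched
    # certificate, or rejected credentials each fail with their own error.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,           # the instance's 'Port SSL' value
        [pscredential]$Credential   # AD LDS user (bind DN + password); omit for Windows auth
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Accept the certificate only if its chain verifies and its DNS name is the name
    # we connected to; Verify() alone does not check the name.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($c, $cert)
        $x   = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        $dns = $x.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        Write-Verbose "Server certificate: $($x.Subject), expires $($x.NotAfter)"
        return ($x.Verify() -and ($dns -ieq $Server))
    }.GetNewClosure()
    if ($Credential) {
        # A simple bind carries the password in the bind request, so it is only done over SSL.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest   # no DN = rootDSE
    $req.Filter = '(objectClass=*)'
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$req.Attributes.Add('configurationNamingContext')
    $entry = $conn.SendRequest($req).Entries[0]
    $nc = $entry.Attributes['configurationNamingContext'].GetValues([string])[0]
    [pscustomobject]@{ Server = "${Server}:$Port"; ConfigNC = $nc }
}
```

Run Get-AdLdsInstancePort on the AD LDS host to learn the instance's LDAPS port, then pass that port to Test-AdLdsLdaps -Server <fqdn> -Verbose from the client; a bind that only succeeds with SecureSocketLayer set confirms clients are reaching the instance over LDAP over SSL.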
AD LDS SPNs
Integrated component / Benefits of integration
SPN
• Used when AD LDS and AD DS co-exist on the same network to allow users to locate available services
Parts of the SPN
• Service class, service type
• Instance name, port number
SPN registration
• Service account or Network Service account
• Automatic registration sometimes fails. To perform registration manually
Replication with AD DS
• Can force the use of SPNs for replicating between AD LDS and AD DS
AD LDS Service Publication
Service publication is the act of sending service information about AD LDS to AD DS, which helps client computers locate information about the AD LDS service. The process steps are:
1. AD LDS (domain joined): publish a service connection point to AD DS
2. Query AD DS for service connection points
3. Query DNS for AD LDS
Lesson 3: Configuring AD LDS Instances and Partitions
What Is an AD LDS Instance?
Demonstration: Creating AD LDS Instances
AD LDS Authentication and Authorization
How Access Control Works in AD LDS
Demonstration: Creating a User in AD LDS
What Is an AD LDS Partition?
What Is an AD LDS Instance?
Diagram: one AD LDS server hosting Instance 1 and Instance 2. Each instance has its own schema and partitions, its own data directory (D:\App1, D:\App2) and its own administrator (Admin 1, Admin 2).
Demonstration: Creating AD LDS Instances
In this demonstration, you will learn how to create an AD LDS instance on one server
AD LDS Authentication and Authorization
Diagram: an Internet or partner network, a perimeter network containing the AD LDS server, web server and application server, and an internal network containing AD DS; authentication flows between these zones.
How Access Control Works in AD LDS
• Access control is used to limit the information that users can access in AD LDS partitions
• AD LDS provides access control that:
  • Authenticates the identity of all users
  • Uses ACLs to determine if users have permissions to access specific objects
• AD LDS uses access control to restrict access to AD LDS data
Demonstration: Creating a User in AD LDS
In this demonstration, you will learn how to create a user account in AD LDS
What Is an AD LDS Partition?
• An AD LDS application partition holds the data that is used by an application
• A single AD LDS instance (diagram): Application Partition 1, Configuration Partition, Schema Partition
• Multiple application directory partitions can be created in each AD LDS instance. However, each partition shares a single schema
Lesson 4: Configuring AD LDS Replication
Why Implement AD LDS Replication?
How AD LDS Replication Works
What Is a Configuration Set?
AD LDS Replication Topology
Demonstration: Configuring AD LDS Replication
Why Implement AD LDS Replication?
AD LDS replication:
• Enables multiple copies of an AD LDS instance to be stored on different servers
• Provides high availability for critical applications
• Provides load balancing
• Enables geographically distributed applications
How AD LDS Replication Works
AD LDS uses multimaster replication, which means that:
• All instances are writable
• Changes on one instance are replicated to other instances
Diagram: Server 1, Server 2 and Server 3. An administrator updates User 2 on Server 1 at 9:25 P.M.; an administrator updates User 2 on Server 2 at 9:26 P.M.; the AD LDS servers replicate changes to all servers.
What Is a Configuration Set?
Diagram: three servers (AD LDS-SRV 1, AD LDS-SRV 2, AD LDS-SRV 3) hosting instances, including Instance B and Instance C, grouped into Configuration Set 1 and Configuration Set 2. Every instance holds a Configuration Partition and a Schema Partition plus one or more application partitions (App 1 Partition through App 4 Partition); App 2 Partition and App 3 Partition each appear on two instances.
AD LDS Replication Topology
Diagram: Site 1, Site 2 and Site 3; one replication link is marked "After-hours replication only".
• KCC maintains the replication topology in a configuration set
• Active Directory Sites and Services can be used to manage
• ISTG builds and maintains connections between partners
• Replication topology is stored in the configuration partition
Demonstration: Configuring AD LDS Replication
In this demonstration, you will learn how to:
• Create an AD LDS replica
• Verify AD LDS replication
Lab: Implementing and Administering AD LDS
Exercise 1: Configuring AD LDS Instances and Partitions
Exercise 2: Configuring AD LDS Replication
Logon Information:
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum Corporation is now implementing a number of new line-of-business (LOB) applications that users in various regions will use. In addition to London, A. Datum has users in Toronto, Canada and Sydney, Australia. Users in these locations will access the new LOB applications. These applications have some specific schema requirements, so they will use AD LDS for authentication and authorization. You must deploy and configure AD LDS to support these new LOB applications.
Lab Review
In the lab, when you deployed AD LDS to LON-SVR1, what was the default port number? Why was this different from LON-DC1?
What are the options for high availability for AD LDS?
Do the instances that are part of the same configuration set run on the same computer or on separate computers?