
The Role of Lightweight Directory Access Protocol - Speech or Presentation Example

Summary
The paper "The Role of Lightweight Directory Access Protocol" suggests that secure LDAP ensures data encryption by Kerberos and other popular encryption algorithms. The given protocol is a communication standard that provides a communication channel for the clients in a directory service. …

Extract of sample "The Role of Lightweight Directory Access Protocol"

Introduction to Active Directory

Microsoft Active Directory operates in a centralized client/server environment, where administration and configuration are managed from a single point. The secure Lightweight Directory Access Protocol (LDAP) ensures data encryption by Kerberos and other popular encryption algorithms. LDAP is a communication standard that provides a communication channel for the clients within a directory service. A comprehensive definition of LDAP is “Lightweight Directory Access Protocol, a protocol which helps find people, computers and other resources on a network. Designed to work with existing address-book standards and improve compatibility between widely differing systems, the LDAP standard was adopted by the IETF in 1997 and now forms the basis of many white-page directories on the web. It has also been incorporated directly into some software programs and operating systems, making it possible to find e-mail addresses without visiting a directory site” (Ldap, 2003).

LDAP was established after the X.500 protocol, which was also a directory service standard protocol. However, X.500 carried high overhead and a consequently slow response because of its heavy clients. LDAP was created with these overheads and the slow response of X.500 in mind. LDAP is implemented for both Microsoft Windows and Linux/UNIX clients. In order to make LDAP operational for Linux/UNIX, Windows Active Directory configuration is required. LDAP is proficient at accessing directory information because it integrates a purpose-designed database. The architecture integrates security protocols including Kerberos, which is defined as “An access control system that was developed at MIT in the 1980s.
Turned over to the IETF for standardization in 2003, it was designed to operate in both small companies and large enterprises with multiple domains and authentication servers. The Kerberos concept uses a "master ticket" obtained at logon, which is used to obtain additional "service tickets" when a particular resource is required” (Gallaher, Link, & Rowe). Kerberos provides authentication and authorization.

Moreover, LDAP services provide automated replication of information to multiple workstations, giving high performance, redundancy and high availability. Extensible schemas are incorporated to provide flexibility in how data is stored. Because they are standardized, protocols such as Kerberos and LDAP are compatible with various system platforms (Likewise storage services). However, LDAP implementations with vendor-defined directories are not efficient in Windows environments, which results in several directories and identity stores having to be managed.

Active Directory is “an implementation of LDAP directory services by Microsoft for use in Windows environments. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects” (Active Directory, 2007). A few checklist items apply, including network connectivity testing and raising the Active Directory domain functional level to Windows 2003.

Business continuity is also managed efficiently, as user profiles and sensitive data are stored on centralized Active Directory servers. In case of a system failure or crash, data can be recovered from user profiles to a new system.
Moreover, total cost of ownership is also decreased, as the directory can be configured and managed from a centralized location. Furthermore, effective IT resource management is carried out across the entire network, which provides information criteria for the business to work on. Information criteria may include confidentiality, integrity, availability, effectiveness and reliability. As a result, "A directory service presents the opportunity to consolidate the number of repositories in use and realise a number of benefits: reduced administrative overheads, enhanced operational efficiency and tighter control over the security of user information" (Mohamed, 2005).

The forest structure for the FPF main office located in New York City and the satellite offices in Houston, Indianapolis, and Los Angeles is shown in Figure 1.1.

Figure 1.1 (Forest Structure)

If the server holding the PDC Emulator Flexible Single Master Operations (FSMO) role has inexplicably gone offline, the domain naming master role must be seized by a standby FSMO server. However, repadmin.exe will be executed first, as it provides information about the synchronization status. Repadmin is a tool that is already present within Windows Server 2008. It is a command-line tool that administrators use to determine replication topology, establish replication topology and force replication on the entire directory (Posey, n.d.). Moreover, the tool can be used for monitoring the forest of an Active Directory.

The PDC emulator server is the busiest of them all and handles all the master operations, as it is the only server that is labeled as a ‘master’ (Price, Fenstermacher, & Price, 2008). The name of this server confuses new network administrators, as they assume that this role is only needed in a situation where all NT backup domain controllers go offline.
Moreover, the PDC emulator server enables the replication of directory information to Windows, and two more functions of a PDC emulator server are time synchronization and global policy centralization (Price, Fenstermacher, & Price, 2008). If a PDC emulator server malfunctions or is not working correctly, logon requests from clients running older operating systems will not be processed. A plan is required for addressing a network outage.

Figure 1.2 (Domain Connectivity)

Establishing a Global Catalog and FSMO Role Assignment

| Server | Site | Domain | Global Catalog Available or Not | Role Assignment |
|--------|------|--------|---------------------------------|-----------------|
| DC 1 | New York | A | | |
| DC 2 | New York | A | | |
| DC 3 | New York | A | | |
| DC 4 | New York | B | | |
| DC 5 | New York | B | | |
| DC 6 | Houston | C | | |
| DC 7 | Houston | C | | |
| DC 8 | Los Angeles | D | | |
| DC 9 | Indianapolis | B | | |
| DC 10 | Indianapolis | B | | |

Figure 1.2 (FSMO ROLE PLACEMENTS)

Proposed Solution

| Server | Site | Domain | Global Catalog Available or Not | Role Assignment |
|--------|------|--------|---------------------------------|-----------------|
| DC 1 | New York | A | Available | Domain Naming Master, Schema Master |
| DC 2 | New York | A | | RID Master |
| DC 3 | New York | A | | PDC Emulator, Infrastructure Master |
| DC 4 | New York | B | Available | RID Master |
| DC 5 | New York | B | | PDC Emulator, Infrastructure Master |
| DC 6 | Houston | C | | PDC Emulator, Infrastructure Master |
| DC 7 | Houston | C | Available | RID Master |
| DC 8 | Los Angeles | D | Available | RID Master, PDC Emulator, Infrastructure Master |
| DC 9 | Indianapolis | B | | Not Applicable |
| DC 10 | Indianapolis | B | | Not Applicable |

Figure 1.3 (FSMO ROLE PLACEMENTS)

However, for unavailability of the two other FSMO roles, a contingency plan must be created that incorporates a recovery method, in terms of steps, for the Schema Master, Infrastructure Master, RID Master, Domain Naming Master and PDC Emulator roles. Every role must have an established list to follow in case of role migration or seizure.

To address data replication issues and improve replication efficiency within the network, network administrators can deactivate site link bridging.
The site link bridge establishes a logical connection across two site links, providing a transitive path between two disconnected sites by way of the interim site. The physical connectivity is applied to the interim site for the persistence of the Intersite Topology Generator (ISTG) (Sobh, n.d.). Likewise, the bridge does not determine that the domain controller located in the interim site will provision a replicated path. However, when replicating a directory partition hosted by a domain controller located at the interim site, no site link bridge is required (Sobh, n.d.). Deactivating site link bridging and constructing the required link bridges manually works because not all sites may be 100% routed; as a result, manual site links can be established. However, site link bridging must be deactivated before a site link is established.

If a Wide Area Network (WAN) connection is available at the remote site of FPF, a global catalog server located at the remote site will improve logon times, as users will be authenticated in the shortest possible time. For this reason, the location and configuration of a global catalog server will reduce excessive traffic on the network. Likewise, with robust server response times, applications associated with network authentication and data transfer or exchange will only become more efficient. All of these reasons can lead a network administrator to decide to place a global catalog server at remote sites, as the server will replicate the functionality of the secondary domain controller (Shapiro, 2008). However, this scenario also has one drawback: in spite of a replicated global catalog server located at a remote site, authentication is still required for all users logging in to the directory services. If a global catalog server is unavailable at a remote site, no one will be authenticated and no one can log in to the network.
Therefore, if a link goes down, it will be considered 100% downtime for the whole remote office, which depends on WAN connections to establish connectivity with the PDC (Shapiro, 2008).

References

Active directory. (2007). Network Dictionary, 21.
Gallaher, M. P., Link, A. N., & Rowe, B. R. Cyber security: Economic strategies and public policy alternatives. Edward Elgar Publishing.
Ldap. (2003). Essential Internet, 121.
Likewise storage services. Retrieved 4/16/2012 from http://www.likewise.com/products/likewise_storage_services/index.php
Mohamed, A. (2005). Understand directory services to maintain control of network information and users. Computer Weekly, 30-32.
Posey, B. The real MCTS/MCITP exam 70-649 prep kit: Independent and complete self-paced solutions. Syngress.
Price, J., Fenstermacher, S., & Price, B. (2008). Mastering Active Directory for Windows Server 2008. Indianapolis, Ind.: Wiley Pub.
Sobh, T. Innovations and advanced techniques in computer and information sciences and engineering. Springer.
Shapiro, J. R. (2008). Windows Server 2008 bible. Hoboken, N.J.: Wiley.
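The proposed FSMO placement and the requirement that every role have a path for migration or seizure can be checked mechanically. The following is an added example, not part of the original paper: it transcribes the "Proposed Solution" table, assumes a blank Global Catalog cell means the DC is not a global catalog, and applies the general Active Directory guidance (not stated in the paper) that the Infrastructure Master should not sit on a global catalog unless every DC in the domain is one.

```python
from collections import defaultdict

# Proposed placement from the paper's table: name -> (domain, is_gc, roles).
# Assumption: a blank "Global Catalog" cell means the DC is not a GC.
PROPOSED = {
    "DC1": ("A", True, {"Domain Naming Master", "Schema Master"}),
    "DC2": ("A", False, {"RID Master"}),
    "DC3": ("A", False, {"PDC Emulator", "Infrastructure Master"}),
    "DC4": ("B", True, {"RID Master"}),
    "DC5": ("B", False, {"PDC Emulator", "Infrastructure Master"}),
    "DC6": ("C", False, {"PDC Emulator", "Infrastructure Master"}),
    "DC7": ("C", True, {"RID Master"}),
    "DC8": ("D", True, {"RID Master", "PDC Emulator", "Infrastructure Master"}),
    "DC9": ("B", False, set()),
    "DC10": ("B", False, set()),
}
FOREST_ROLES = ("Domain Naming Master", "Schema Master")
DOMAIN_ROLES = ("Infrastructure Master", "PDC Emulator", "RID Master")

def audit_placement(dcs):
    """Return a list of findings for an FSMO/GC placement plan."""
    findings = []
    domains = defaultdict(dict)            # domain -> {dc_name: is_gc}
    for name, (domain, is_gc, _roles) in dcs.items():
        domains[domain][name] = is_gc
    # Forest-wide roles must have exactly one holder in the forest.
    for role in FOREST_ROLES:
        count = sum(role in roles for _d, _gc, roles in dcs.values())
        if count != 1:
            findings.append(f"forest: {role} has {count} holders")
    for domain in sorted(domains):
        members = domains[domain]
        # Domain-wide roles must have exactly one holder per domain.
        for role in DOMAIN_ROLES:
            holders = [n for n in members if role in dcs[n][2]]
            if len(holders) != 1:
                findings.append(f"domain {domain}: {role} has {len(holders)} holders")
            elif (role == "Infrastructure Master" and members[holders[0]]
                  and not all(members.values())):
                # General AD guidance: keep this role off a GC unless every
                # DC in the domain is a GC.
                findings.append(f"domain {domain}: Infrastructure Master on GC {holders[0]}")
        # Seizing a domain-wide role needs a second DC in the same domain.
        if len(members) == 1:
            findings.append(f"domain {domain}: no standby DC for role seizure")
    return findings

if __name__ == "__main__":
    for finding in audit_placement(PROPOSED):
        print(finding)
```

Run against the proposed table, the only finding is that domain D has a single domain controller, so its three domain-wide roles have no standby server to be seized by.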
