active directory

Published on June 2016



Active Directory

What Is Active Directory?
- Directory service functionality: organize, manage, and control resources
- Centralized management: a single point of administration

What Does Active Directory Do?
- Centralized administration
- Organize, manage, and control resources
- Logical structure separate from physical structure
- Multiple functional levels
- Schema modification
- Delegation of administrative control

Active Directory Supported Technologies
Internet-standard technologies: X.509 and Kerberos


The Logical Structure of Active Directory
[Diagram: a forest made up of domain trees; each tree is made up of domains, and each domain contains organizational units]

Forests, Trees, and Domains
[Diagram: Windows 2000 or Windows .NET domains arranged into trees and a forest]
Domains are:
- Logical partitions in the Active Directory database
- Collections of users, computers, groups, etc.
- Units of replication
  - Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
  - Domain controllers do not replicate domain partition information for other domains

Organizational Units
Container objects within a domain, used to model:
- Organizational structure (for example, Paris, Sales, Repair)
- Network administrative model (for example, Sales, Users, Computers)
Organizational units are:
- Used to delegate administrative authority
- Used to apply Group Policy

Forest and Domain Functional Levels
Functional levels determine:
- Supported domain controller operating systems
- Active Directory features available
Domain functional levels can be raised independently of one another.
Raising the forest functional level is performed by an Enterprise Admin and requires all domains to be at the Windows 2000 native or Windows Server 2003 functional level.

Forest Functional Levels
Forest functional level: domain controllers supported
- Windows 2000 (default): Windows NT 4, Windows 2000, Windows Server 2003 family
- Windows Server 2003 Interim: Windows NT 4, Windows Server 2003 family
- Windows Server 2003: Windows Server 2003 family

Domain Functional Levels
- Windows 2000 Mixed Mode: Windows NT 4, Windows 2000, or Windows Server 2003 DCs
- Windows 2000 Native Mode: no Windows NT 4 DCs (Windows 2000 and Windows Server 2003 DCs)
- Windows Server 2003 Interim: no Windows 2000 DCs (Windows NT 4 and Windows Server 2003 DCs)
- Windows Server 2003: all Windows Server 2003 DCs

Trust Relationships
Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains.
Some trusts are created automatically:
- Parent and child domains trust each other
- Tree root domains trust the forest root domain
Other trusts are created manually. Forest-to-forest transitive trust relationships can be created between Windows Server 2003 forests only.

Types of Trusts in Windows Server 2003
- Default: two-way, transitive Kerberos trusts (intraforest)
- Shortcut: one- or two-way, transitive Kerberos trusts (intraforest); reduce authentication requests
- Forest: one- or two-way, transitive Kerberos trusts*; only between forest roots; creates transitive domain relationships
- External: one-way, non-transitive NTLM trusts; used to connect to/from Windows NT or external Windows 2000 domains; manually created
- Realm: one- or two-way, non-transitive Kerberos trusts; connect to/from UNIX MIT Kerberos realms
* Windows .NET Server 2003 forests only; Windows 2000 does not support forest trusts.

Trees and Forests
[Diagram: two forests, each made up of trees, joined by forest two-way transitive trusts; an external one-way non-transitive trust to a Windows NT domain; shortcut trusts between trees]

Directory Partitions
- Schema partition: forest-wide replication (every DC in the forest has a replica); contains definitions and rules for creating and manipulating all objects and attributes
- Configuration partition: forest-wide replication; contains information about the Active Directory structure
- Domain partition (for example, contoso.msft): domain-wide replication; contains information about all domain-specific objects created in Active Directory
- Application partition: configurable replication; contains application data (for example, ForestDNSZone and DomainDNSZone)
All partitions together comprise the Active Directory database.

What Is Replication Topology?
[Diagram: domain controllers A1 and A2 from domain A and B2 from domain B. Domain controllers from the same domain share the domain A (or domain B) topology; domain controllers from various domains share the schema and configuration topology]

Object Class and Attribute Examples
Object classes and their attributes are dynamically available, updatable, and protected by DACLs.
Attributes of the User class include, for example: accountExpires, badPasswordTime, mail, name, ...



What Are Operations Masters?
- Schema Master (forest-wide role)
- Domain Naming Master (forest-wide role)
- RID Master (domain-wide role)
- PDC Emulator (domain-wide role)
- Infrastructure Master (domain-wide role)

Global Catalog
Resources in Active Directory can be shared across domains and forests.

The global catalog feature in Active Directory makes searching for resources across domains and forests transparent to the user.
A global catalog server is a domain controller that efficiently processes intraforest queries to the catalog.

Designing an Active Directory Naming Strategy
- Naming, identifying, and accessing Active Directory objects
- Active Directory naming strategies
- DNS deployment strategies for Active Directory

Naming, Identifying, and Accessing Active Directory Objects
- Naming conventions used in Active Directory
- Domain Name System (DNS) and Active Directory
- LDAP (Lightweight Directory Access Protocol)
- Locating Active Directory objects

Naming Conventions Used in Active Directory
- LDAP distinguished name
- LDAP relative distinguished name
- User principal name ([email protected])
- NetBIOS name
LDAP distinguished name example (listed from the root of the hierarchy down): DC=com, DC=contoso, CN=Users, CN=John

LDAP allows access to directory service information. Active Directory supports LDAP v2 and v3. LDAP names represent information about objects in Active Directory.
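As an added example (not part of the slide deck), the following Python parses LDAP distinguished names of the kind shown above and derives the relative distinguished name, the DNS domain name and the canonical name from them; it also converts the deck's root-first listing into the LDAP string form, in which the most specific RDN comes first. The names (CN=John, the escaped value "Smith\, John") are constructed for the example.

```python
# Added example, not from the slide deck: a small LDAP distinguished-name parser.
# Assumes RFC 4514 string DNs with backslash escaping; the sample names are constructed.

def parse_dn(dn):
    """Split a DN into a list of (attribute, value) RDNs, most specific first.
    Handles a backslash-escaped separator such as 'CN=Smith\\, John'."""
    rdns, attr, value, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            value.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:          # end of the attribute type
            attr = "".join(value).strip()
            value = []
        elif ch == ",":                         # end of this RDN
            rdns.append((attr, "".join(value).strip()))
            attr, value = None, []
        else:
            value.append(ch)
        i += 1
    if attr is not None:                        # last RDN has no trailing comma
        rdns.append((attr, "".join(value).strip()))
    return rdns

def relative_dn(dn):
    """The relative distinguished name is the leftmost component, e.g. 'CN=John'."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def dns_name_from_dn(dn):
    """Join the DC components to get the DNS name of the domain the object lives in."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")

def canonical_name(dn):
    """Canonical form as shown by the administrative tools: contoso.com/Users/John."""
    path = [v for a, v in reversed(parse_dn(dn)) if a.upper() != "DC"]
    return "/".join([dns_name_from_dn(dn)] + path)

def dn_from_root_listing(listing):
    """The deck lists the DN from the root down (DC=com, DC=contoso, CN=Users, CN=John);
    the LDAP string form is the reverse, most specific RDN first."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_dn(listing)))

if __name__ == "__main__":
    dn = dn_from_root_listing("DC = com , DC = contoso , CN = Users , CN = John")
    print(dn, relative_dn(dn), dns_name_from_dn(dn), canonical_name(dn))
```

The escaping branch matters in practice: a value containing a comma (a display name such as "Smith, John") is written with a backslash, and a parser that splits naively on commas would produce a DN with one RDN too many.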

DNS and Active Directory
DNS and Active Directory domains have distinct roles: DNS servers are used to store and manage resource records; Active Directory is used to store and manage domain objects.

Locating Active Directory Objects
- Resolution of services: DNS query
- Resolution of objects within Active Directory: LDAP query

Active Directory Naming Strategies
- Determining the scope of Active Directory
- Designing the naming hierarchy
- Selecting a DNS service
- Using Active Directory-integrated DNS zones
- Choosing Active Directory domain names

Designing the Naming Hierarchy
The first domain is the root domain. Domains derived from the root domain form a hierarchical tree.

Selecting a DNS Service
- Supports SRV records (mandatory)
- Supports the Dynamic Update Protocol, DDNS (recommended)
- Supports zone transfers (recommended)

Using Active Directory-Integrated DNS Zones
Zone data can be stored:
- In text files on DNS name servers
- In Active Directory
Active Directory-integrated zones provide:
- Secure updates
- Zone information replicated using Active Directory replication

Secure Access to Active Directory
- Active Directory security components
- Security descriptors
- Access control entries
- Ownership
- Delegating the ability to grant permissions
- Inheritance of permissions

Active Directory Security Components
- Security principals receive permissions
- Security identifiers uniquely identify security principals
- Security descriptors protect objects

Security Principals
Security principals are users, groups and computers:
- Users
- Computers (Microsoft Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003)
- Groups
- Service accounts
Group memberships, security policy profiles and security identifiers define security principals.

Security Descriptors
- Owner SID: the owner of an object is responsible for granting access permissions and granting rights for the object. An owner is a security principal and is also defined by a SID.
- Group SID: used by non-Windows operating systems
- Access control lists:
  - Discretionary access control list (DACL)
  - System access control list (SACL)

Access Control Entries (ACEs)
ACEs protect objects. Access can be:
- Denied
- Granted
ACEs contain:
- Access rights
- GUID (globally unique identifier) that identifies the object or attribute type
- SID that identifies the security principal
- Flags that control inheritance

Ownership
Every object in Active Directory has an owner. The person who creates the object automatically becomes the owner and, by default, has full control over the object. Members of the Domain Admins group always have the ability to take ownership of any object in the domain and then change the permissions.

Inheritance of Permissions
- Objects inherit existing permissions
- Inheritance can be blocked
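The ACE, ownership and inheritance rules above can be modelled in code. The following Python is an added example, not from the deck: it builds security descriptors for a Sales OU and two child objects, propagates inheritable ACEs, blocks inheritance on one object, sorts ACEs into the canonical order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow) and runs an access check. The SIDs, attribute GUIDs, access-right bit values and object names are constructed placeholders, and the check loop is a simplified model of the Windows algorithm (the owner's implicit right to change permissions is included; generic-right mapping and SACL auditing are left out).

```python
# Added example, not from the slide deck: DACL evaluation with object-type ACEs,
# canonical ordering and inheritance blocking. All SIDs, GUIDs and names are constructed.
from dataclasses import dataclass
from typing import Optional

READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8     # toy access-right bits (assumption)

@dataclass
class ACE:
    kind: str                          # "allow" or "deny"
    sid: str                           # security principal the ACE applies to
    rights: int                        # access-right mask
    object_type: Optional[str] = None  # attribute/object-type GUID; None = the whole object
    inheritable: bool = True           # propagate to child objects
    inherited: bool = False            # set on the copies that children receive

@dataclass
class ADObject:
    name: str
    owner_sid: str
    dacl: list
    parent: Optional["ADObject"] = None
    block_inheritance: bool = False    # protected DACL: nothing flows down from parents

def effective_dacl(obj):
    """Own ACEs plus the inheritable ACEs of every ancestor, until inheritance is blocked."""
    aces = list(obj.dacl)
    node = obj
    while node.parent is not None and not node.block_inheritance:
        node = node.parent
        aces += [ACE(a.kind, a.sid, a.rights, a.object_type, a.inheritable, inherited=True)
                 for a in node.dacl if a.inheritable]
    return aces

def canonical_order(aces):
    """Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    It is this order that lets an explicit allow on the object beat a deny inherited from the OU."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda a: rank[(a.inherited, a.kind)])

def access_check(obj, principal_sids, requested, object_type=None):
    """True if every requested right is granted before a deny ACE covers any of it.
    principal_sids is the caller's token: its own SID plus its group SIDs."""
    remaining = requested
    if obj.owner_sid in principal_sids:
        remaining &= ~WRITE_DAC            # the owner can always change permissions
    for ace in canonical_order(effective_dacl(obj)):
        if remaining == 0:
            break
        if ace.sid not in principal_sids:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue                       # attribute-specific ACE for a different attribute
        if ace.kind == "deny" and ace.rights & remaining:
            return False                   # a deny on any still-needed right ends the check
        if ace.kind == "allow":
            remaining &= ~ace.rights
    return remaining == 0

# Constructed principals and attribute GUIDs (placeholders, not real schema GUIDs)
ALICE, SALES_ADMINS, HELPDESK = "S-1-5-21-1-1-1-1000", "S-1-5-21-1-1-1-1101", "S-1-5-21-1-1-1-1102"
GUID_MAIL, GUID_PWD = "guid-placeholder-mail-attribute", "guid-placeholder-password-attribute"

sales_ou = ADObject("OU=Sales", owner_sid=ALICE, dacl=[
    ACE("allow", SALES_ADMINS, READ | WRITE),                # inheritable: flows to children
    ACE("deny", HELPDESK, DELETE),                           # inheritable: helpdesk may not delete
])
john = ADObject("CN=John", owner_sid=ALICE, parent=sales_ou, dacl=[
    ACE("deny", SALES_ADMINS, WRITE, object_type=GUID_PWD),  # explicit deny on one attribute only
    ACE("allow", HELPDESK, DELETE, inheritable=False),       # explicit allow beats the inherited deny
])
srv1 = ADObject("CN=SRV1", owner_sid=ALICE, parent=sales_ou, dacl=[], block_inheritance=True)

if __name__ == "__main__":
    print(access_check(john, {SALES_ADMINS}, WRITE, object_type=GUID_MAIL))   # True
    print(access_check(john, {SALES_ADMINS}, WRITE, object_type=GUID_PWD))    # False
    print(access_check(srv1, {SALES_ADMINS}, READ))                           # False: inheritance blocked
```

Two outcomes are worth noticing when auditing delegated permissions: the inherited allow from the OU grants Sales Admins write access to John's mail attribute but not to the attribute an explicit deny names, and a protected object such as SRV1 receives nothing from the OU at all, which is why a blocked DACL can silently undo a delegation granted higher up.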

Types of Groups
- Security groups
- Distribution groups

Using Active Directory for Centralized Management
[Diagram: OU1 containing Computer1 and User1, OU2 containing User2, and Printer1; a search returns User1, Computer1, User2 and Printer1]
Active Directory:
- Enables a single administrator to centrally manage resources
- Enables administrators to easily locate information
- Enables administrators to group objects into organizational units
- Uses Group Policy to specify policy-based settings

Managing the User Environment
[Diagram: apply Group Policy once at the domain; Windows .NET Server enforces it continually across OU1, OU2 and OU3]
Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline

Resolving Conflicts Between Group Policy Settings
All Group Policy settings apply unless there are conflicts. The last setting processed applies:
- When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
- When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
A computer setting applies when it conflicts with a user setting.

Overriding and Blocking Group Policy
To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. For example, if you define a GPO at the domain level, and you specify the No Override option, the policies that the GPO contains apply to all organizational units in that domain. Lower-level organizational units will not override the policy applied at the domain level. To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. For example, if you specify the Block inheritance option for an organizational unit, it prevents the application of policy at that level from higher-level Active Directory containers such as a higher-level organizational unit or domain. Note that the No Override option always takes precedence over the Block inheritance option. Local GPOs cannot specify the No Override or Block inheritance options.

Class Discussion: How Group Policy Is Applied
[Diagram: GPO2 and GPO3 are linked to the domain; the OU under discussion sits below it]
- GPO1 ensures that Favorites appears on the Start menu
- GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon
- GPO4 removes Favorites from the Start menu and adds the Windows Update icon
What are the resultant Group Policy settings for the OU?

Class Discussion: How Group Policy Is Applied (2)
What are the resultant Group Policy settings for the OU?
- A password must be at least 11 characters long
- The Windows Update icon appears on the Start menu
- Favorites does not appear on the Start menu



Enabling Block Inheritance
Block Inheritance:
- Stops inheritance of all GPOs from all parent containers
- Cannot selectively choose which GPOs are blocked
- Cannot stop No Override
[Diagram: Block Inheritance set on the Production OU under the domain; no domain GPO settings apply]

Enabling No Override
No Override:
- Overrides Block Inheritance and GPO conflicts
- Should be set high in the Active Directory tree
- Is applicable to links and not to GPOs
- Enforces corporate-wide rules
[Diagram: a domain GPO link set to No Override; although the Production OU has conflicting GPO settings, the domain GPO settings apply]

Filtering Group Policy Settings
Filter Group Policy settings by:
- Explicitly denying the Apply Group Policy permission
- Omitting an explicit Apply Group Policy permission
[Diagram: a GPO linked to the Sales OU under the domain; one group is allowed Read and Apply Group Policy, another is denied Apply Group Policy]



Class Discussion: Changing Group Policy Inheritance
Settings that are needed (a domain with Sales and Payroll OUs):
- An anti-virus application must be installed on all computers in the domain
- The Office suite must be installed on all computers in the domain, except for those in the Payroll department
- An accounting application must be installed on all client computers in the Payroll department, except for the computers used by the Payroll OU administrators
How do you set up your GPOs?

Class Discussion: Changing Group Policy Inheritance (2)
How do you set up your GPOs?
- A GPO linked to the domain with the antivirus application settings configured and the link configured with No Override
- A GPO linked to the domain that installs the Office suite
- Enable Block Inheritance for the Payroll OU
- A GPO linked to the Payroll OU to install the accounting application
- Modify the DACL of the GPO linked to the Payroll OU to deny the Apply Group Policy permission for the computer accounts used by the Payroll OU administrators
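To check this answer against the precedence rules from the preceding slides (the last setting processed wins, link order within a container, No Override, Block Inheritance, and denying the Apply Group Policy permission), here is an added Python model that is not part of the deck. It links the GPOs as the answer describes, adds two constructed Sales OU GPOs to show a link-order conflict, and computes the resultant settings for constructed computer accounts; the GPO names, setting names and account names are assumptions.

```python
# Added example, not from the slide deck: a model of Group Policy precedence.
# GPO names, setting names and computer account names are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GPO:
    name: str
    settings: dict                                # setting -> value this GPO configures
    deny_apply: set = field(default_factory=set)  # accounts denied Apply Group Policy on the GPO's DACL

@dataclass
class Container:
    name: str
    parent: Optional["Container"]
    links: list                                   # [(GPO, no_override)]; index 0 is highest in the list
    block_inheritance: bool = False

def container_path(container):
    """Domain first, then each OU down to the target: the order GPOs are processed in."""
    path = []
    while container is not None:
        path.append(container)
        container = container.parent
    return path[::-1]

def processing_order(container):
    """GPOs in processing order; the last GPO processed wins a conflict."""
    normal, enforced_per_container = [], []
    for c in container_path(container):
        if c.block_inheritance:
            normal = []          # Block Inheritance drops every non-enforced GPO from the parents
        own_enforced = []
        # index 0 has the highest precedence, so it is processed last within its container
        for gpo, no_override in reversed(c.links):
            (own_enforced if no_override else normal).append(gpo)
        enforced_per_container.append(own_enforced)
    # No Override links cannot be blocked and beat anything linked below them, so they are
    # processed after the normal ones, lowest OU first and the domain last
    order = list(normal)
    for own_enforced in reversed(enforced_per_container):
        order += own_enforced
    return order

def resultant_settings(container, account):
    """Resultant settings for one computer account in the given container."""
    result, applied = {}, []
    for gpo in processing_order(container):
        if account in gpo.deny_apply:            # security filtering: GPO skipped for this account
            continue
        result.update(gpo.settings)              # later GPOs overwrite conflicting settings
        applied.append(gpo.name)
    return result, applied

# Scenario from the class discussion, plus two Sales OU GPOs to show a link-order conflict
antivirus  = GPO("Antivirus", {"antivirus": "installed"})
office     = GPO("Office", {"office": "installed"})
desktop    = GPO("Desktop", {"windows_update_icon": "hidden"})
accounting = GPO("Accounting", {"accounting": "installed"}, deny_apply={"PAYROLL-ADMIN-PC"})
sales_top  = GPO("Sales-Top", {"favorites": "removed"})
sales_low  = GPO("Sales-Low", {"favorites": "shown", "windows_update_icon": "shown"})

domain  = Container("contoso.msft", None, [(antivirus, True), (office, False), (desktop, False)])
payroll = Container("Payroll OU", domain, [(accounting, False)], block_inheritance=True)
sales   = Container("Sales OU", domain, [(sales_top, False), (sales_low, False)])

if __name__ == "__main__":
    for ou, pc in [(sales, "SALES-PC1"), (payroll, "PAYROLL-PC1"), (payroll, "PAYROLL-ADMIN-PC")]:
        settings, applied = resultant_settings(ou, pc)
        print(pc, applied, settings)
```

For a Sales computer the OU GPOs override the domain's Windows Update setting and the higher-linked Sales GPO wins the Favorites conflict; for a Payroll computer Block Inheritance removes the Office and Desktop GPOs but not the enforced Antivirus GPO, and the administrators' computers additionally skip the Accounting GPO because of the deny ACE.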




Delegating Administrative Control
[Diagram: Admin1 delegated control over OU1 in a domain that also contains OU2 and OU3]
Grant permissions:
- For specific organizational units to other administrators
- To modify specific attributes of an object in a single organizational unit
- To perform the same task in all organizational units
Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design



The Physical Structure of Active Directory
[Diagram: sites containing domain controllers, connected by a WAN link]
A site is a combination of one or more Internet Protocol (IP) subnets that are connected by a high-speed link. You create sites for two primary reasons:
- To optimize replication traffic
- To enable users to connect to a domain controller by using a reliable, high-speed connection
A single site may contain many domains, and a single domain may span many sites.



What Are Site Links?
A site link:
- Enables replication traffic between sites
- Represents the physical connection between sites
[Diagram: domain controllers A1 and A2 in sites made up of IP subnets, connected by a site link]

Linking Multiple Sites
Site links have:
- Cost
- Interval
- Schedule
Site link bridges

Why Disable Default Bridging of All Site Links?
[Diagram: Site A (A1, A2), Site B (B1, B2) and Site C (C1, C2), each made up of IP subnets; site link AB connects A and B, site link BC connects B and C, and a site link bridge spans AB and BC]
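The following Python is an added example, not from the deck, showing what the bridging setting changes: it finds the cheapest replication route between sites over site links, treating every site link as transitive with every other when all site links are bridged, and otherwise only within an explicitly defined site link bridge. The site names (A, B, C), link names and costs are constructed; interval and schedule are not modelled.

```python
# Added example, not from the slide deck: cheapest replication route over site links,
# with and without automatic bridging. Sites, link names and costs are constructed.
import heapq
from dataclasses import dataclass

@dataclass
class SiteLink:
    name: str
    sites: frozenset    # a site link can connect two or more sites
    cost: int

def dijkstra(links, src, dst):
    """Shortest path where each site link joins all of its sites at the link's cost."""
    neighbours = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    neighbours.setdefault(a, []).append((b, link.cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if site == dst:                      # rebuild the route from the predecessor map
            path = [site]
            while site in prev:
                site = prev[site]
                path.append(site)
            return d, path[::-1]
        if d > dist.get(site, float("inf")):
            continue                         # stale heap entry
        for nxt, cost in neighbours.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, site
                heapq.heappush(heap, (nd, nxt))
    return None                              # dst not reachable within these links

def cheapest_route(links, src, dst, bridge_all=True, bridges=()):
    """Return (cost, [sites]) for the cheapest route from src to dst, or None.
    bridge_all=True models the default 'Bridge all site links': any link is transitive
    with any other. With it disabled, a route may only pass from one link to another
    if both belong to the same explicit site link bridge (a tuple of link names);
    links outside every bridge only connect the sites they contain directly."""
    if bridge_all:
        groups = [list(links)]
    else:
        by_name = {link.name: link for link in links}
        bridged = set()
        groups = []
        for bridge in bridges:
            groups.append([by_name[name] for name in bridge])
            bridged.update(bridge)
        groups += [[link] for link in links if link.name not in bridged]
    best = None
    for group in groups:                     # routes cannot cross between groups
        route = dijkstra(group, src, dst)
        if route is not None and (best is None or route[0] < best[0]):
            best = route
    return best

# Constructed topology: two fast links through site B and one slow direct link A-C
LINKS = [
    SiteLink("AB", frozenset({"A", "B"}), 100),
    SiteLink("BC", frozenset({"B", "C"}), 100),
    SiteLink("AC", frozenset({"A", "C"}), 500),
]

if __name__ == "__main__":
    print(cheapest_route(LINKS, "A", "C"))                                   # via B, cost 200
    print(cheapest_route(LINKS, "A", "C", bridge_all=False))                 # direct only, cost 500
    print(cheapest_route(LINKS, "A", "C", bridge_all=False, bridges=[("AB", "BC")]))
```

With bridging of all site links left on, the cheaper two-hop route through site B is always chosen; once it is disabled, only sites that share a site link or an explicit bridge can be routed to each other, which is the control an administrator uses when a site in the middle is not supposed to carry transit replication.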

Replication Components
- The Knowledge Consistency Checker
- Server object
- NTDS Settings object
- Connection objects

Replication Protocols
Replication within a site uses RPC over IP. Replication between sites can use:
- RPC over IP
- SMTP (if the replication occurs between domains)

Comparing Replication Within a Site and Between Sites
Replication within a site:
- Change notification
- Uncompressed traffic
- Urgent replication
Replication between sites:
- Replication scheduling
- Compressed traffic

Replication Within Sites vs. Replication Between Sites
[Diagram: domain controllers A1 and A2 on IP subnets within one site, and sites connected by site links]
Replication within sites:
- Assumes fast and highly reliable network links
- Does not compress replication traffic
- Uses a change notification mechanism
Replication between sites:
- Assumes limited available bandwidth and unreliable network links
- Compresses all replication traffic between sites
- Occurs on a manual schedule

Active Directory  Centralized Administration  Organize, Manage, and Control Resources  Logical Structure Separate form Physical Structure  Multiple Functional Levels  Schema Modification  Delegation of Administrative Control
