Active Directory
What Is Active Directory?
- Directory service functionality
- Organize, manage, and control resources
- Centralized management
- Single point of administration
What Does Active Directory Do?
- Centralized administration
- Organize, manage, and control resources
- Logical structure separate from physical structure
- Multiple functional levels
- Schema modification
- Delegation of administrative control
Active Directory Supported Technologies
Internet-standard technologies:
- DNS, SNTP, DHCP
- LDAP, TCP/IP
- X.509, Kerberos
- LDIF
The Logical Structure of Active Directory
[Diagram: a forest made up of domain trees; each tree contains domains, each domain contains organizational units (OUs), and OUs contain objects]
Forests, Trees, and Domains
[Diagram: two forests, each containing one or more domain trees]
Domains
- Logical partition in the Active Directory database
- Collections of users, computers, groups, etc.
- Units of replication:
  - Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain
  - Domain controllers do not replicate domain partition information for other domains
[Diagram: replication between the domain controllers of a Windows 2000 or Windows .NET domain]
Organizational Units
- Container objects within a domain
- Can reflect the organizational structure (for example, Paris, Sales, Repair) or the network administrative model (for example, Sales: Users, Computers)
- Used to delegate administrative authority
- Used to apply Group Policy
Forest and Domain Functional Levels
- Functional levels determine:
  - The supported domain controller operating systems
  - The Active Directory features available
- Domain functional levels can be raised independently of one another
- Raising the forest functional level is performed by an Enterprise Admin and requires all domains to be at the Windows 2000 native or Windows Server 2003 functional level
Forest Functional Levels
Forest Functional Level      | Domain Controllers Supported
Windows 2000 (default)       | Windows NT 4, Windows 2000, Windows Server 2003 family
Windows Server 2003 Interim  | Windows NT 4, Windows Server 2003 family
Windows Server 2003          | Windows Server 2003 family
Domain Functional Levels
- Windows 2000 mixed mode: Windows NT 4, Windows 2000, or Windows Server 2003 DCs
- Windows 2000 native mode: no Windows NT 4 DCs
- Windows Server 2003 interim: no Windows 2000 DCs
- Windows Server 2003: all Windows Server 2003 DCs
Trust Relationships
- Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains
- Some trusts are automatically created:
  - Parent and child domains trust each other
  - Tree root domains trust the forest root domain
- Other trusts are manually created
- Forest-to-forest transitive trust relationships can be created (Windows Server 2003 forests only)
Types of Trusts in Windows Server 2003
- Default: two-way, transitive Kerberos trusts (intraforest)
- Shortcut: one- or two-way, transitive Kerberos trusts (intraforest); reduce authentication requests
- Forest: one- or two-way, transitive Kerberos trusts; Windows .NET Server 2003 forests only (Windows 2000 does not support forest trusts); created only between forest roots; creates transitive domain relationships
- External: one-way, non-transitive NTLM trusts; used to connect to/from Windows NT or external Windows 2000 domains; manually created
- Realm: one- or two-way, non-transitive Kerberos trusts; connect to/from UNIX MIT Kerberos realms
Trees and Forests
[Diagram: two forests, each with trees joined by two-way transitive trusts; a shortcut trust between two domains in different trees; an external one-way, non-transitive trust to a Windows NT domain]
Directory Partitions
- Schema partition: forest-wide replication (every DC in the forest has a replica); contains definitions and rules for creating and manipulating all objects and attributes
- Configuration partition: forest-wide replication; contains information about the Active Directory structure
- Domain partition (for example, contoso.msft): domain-wide replication; contains information about all domain-specific objects created in Active Directory
- Application partition: configurable replication; contains application data (for example, ForestDNSZone and DomainDNSZone)
All partitions together comprise the Active Directory database
What Is Replication Topology?
[Diagram: domain controllers A1-A4 in Domain A and B1-B3 in Domain B; each domain partition has its own replication topology among domain controllers of the same domain, while the schema and configuration partitions share a topology that spans domain controllers of the various domains]
Schema
- Dynamically available, updateable, and protected by DACLs
- Object class examples: Users, Computers, Servers
- Attribute examples (attributes of Users might contain): accountExpires, badPasswordTime, mail, name, …
What Are Operations Masters?
- Schema Master (forest-wide role)
- Domain Naming Master (forest-wide role)
- RID Master (domain-wide role)
- PDC Emulator (domain-wide role)
- Infrastructure Master (domain-wide role)
Global Catalog
- Resources in Active Directory can be shared across domains and forests.
- The global catalog feature in Active Directory makes searching for resources across domains and forests transparent to the user.
- A global catalog server is a domain controller that efficiently processes intraforest queries to the catalog.
Designing an Active Directory Naming Strategy
- Naming, Identifying, and Accessing Active Directory Objects
- Active Directory Naming Strategies
- DNS Deployment Strategies for Active Directory
Naming, Identifying, and Accessing Active Directory Objects
- Naming conventions used in Active Directory
- Domain Name System (DNS) and Active Directory
- LDAP (Lightweight Directory Access Protocol)
- Locating Active Directory objects
Naming Conventions used in Active Directory
- LDAP distinguished name
- LDAP relative distinguished name
- User principal name (user@dns-domain form)
- NetBIOS name
LDAP distinguished name example: CN=John,CN=Users,DC=contoso,DC=com (written from the most specific component, the object's own relative distinguished name, to the least specific, the domain components)
LDAP
- LDAP allows access to directory service information
- Active Directory supports LDAP v2 and v3
- LDAP names represent information about objects in Active Directory
DNS and Active Directory
DNS and Active Directory domains have distinct roles:
- DNS servers are used to store and manage resource records
- Active Directory is used to store and manage domain objects
Locating Active Directory Objects
- Resolution of services: DNS query
- Resolution of objects within Active Directory: LDAP query
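As an added illustration of the naming conventions above (example code, not part of the course material), this Python snippet parses a distinguished name into its RDN components and maps between a DNS domain name and the DN of its domain partition; the backslash escaping and the helper names are assumptions of the example, and the sample DN is the slide's CN=John,CN=Users,DC=contoso,DC=com.

```python
"""Added example (not from the course slides): handling the LDAP distinguished
names and DNS domain names described in the naming section.
Uses the slide's example object CN=John,CN=Users,DC=contoso,DC=com."""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, most specific first.
    A backslash escapes the next character, so 'CN=Smith\\, John' stays one
    component (the backslash form of RFC 4514 escaping, simplified)."""
    components, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            components.append(buf)    # unescaped comma ends one RDN
            buf = ""
        else:
            buf += ch
        i += 1
    components.append(buf)
    pairs = []
    for rdn in components:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def relative_dn(dn: str) -> str:
    """The RDN is the leftmost component of the DN (the object's own name)."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to its domain partition DN: contoso.com -> DC=contoso,DC=com."""
    return ",".join(f"DC={label}" for label in dns_name.strip(".").split("."))


def dn_to_dns(dn: str) -> str:
    """Recover the DNS domain name from the DC components of any object's DN."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


EXAMPLE_DN = "CN=John,CN=Users,DC=contoso,DC=com"
EXAMPLE_RDN = relative_dn(EXAMPLE_DN)            # "CN=John"
EXAMPLE_DOMAIN = dn_to_dns(EXAMPLE_DN)           # "contoso.com"
```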
Active Directory Naming Strategies
- Determining the scope of Active Directory
- Designing the naming hierarchy
- Selecting a DNS service
- Using Active Directory-integrated DNS zones
- Choosing Active Directory domain names
Designing the Naming Hierarchy
- The first domain is the root domain
- Domains derived from the root domain form a hierarchical tree
Selecting a DNS Service
- Supports SRV records (mandatory)
- Supports the dynamic update protocol (DDNS) (recommended)
- Supports zone transfers (recommended)
Using Active Directory-Integrated DNS Zones
Zone data can be stored:
- In text files on DNS name servers
- In Active Directory
Active Directory-integrated zones provide:
- Secure updates
- Zone information replicated using Active Directory replication
Secure Access to Active Directory
- Active Directory security components
- Security descriptors
- Access control entries
- Ownership
- Delegating the ability to grant permissions
- Inheritance of permissions
Active Directory Security Components
- Security principals receive permissions
- Security identifiers uniquely identify security principals
- Security descriptors protect objects
Security Principals
- Security principals are users, groups, and computers
- Computers: Microsoft® Windows NT® 4.0, Windows 2000, Windows XP, or Windows Server 2003
- Service accounts, group memberships, security policy profiles, and security identifiers define security principals
Security Descriptors
- Owner SID: the owner of an object is responsible for granting access permissions and granting rights for the object. An owner is a security principal and is also identified by a SID
- Group SID: used by non-Windows operating systems
- Access control lists:
  - Discretionary access control list (DACL)
  - System access control list (SACL)
Access Control Entries (ACEs)
- ACEs protect objects
- Access can be denied or granted
- ACEs contain:
  - Access rights
  - A GUID (globally unique identifier) that identifies the object or attribute type
  - The SID that identifies the security principal
  - Flags that control inheritance
Ownership
Every object in Active Directory has an owner. The person who creates the object automatically becomes the owner and, by default, has full control over the object. Members of the Domain Admins group always have the ability to take ownership of any object in the domain and then change the permissions.
Inheritance of Permissions
- Objects inherit existing permissions
- Inheritance can be blocked
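The security descriptor, ACE, ownership and inheritance slides above describe how access to an object is decided; the following Python model (an added example, not course material) puts those pieces together in one access check. The rights mask, SIDs, object names and the "owner can always change permissions" shortcut are simplifications assumed by the example.

```python
"""Added example (not from the course slides): evaluating the DACL of an Active Directory
object. ACEs are checked in order: a Deny ACE matching a still-requested right stops the
check, Allow ACEs accumulate rights, and inheritable ACEs flow down from the parent
container unless the object blocks inheritance. Rights, SIDs and objects are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8   # constructed access-rights mask

@dataclass
class ACE:
    allow: bool                 # Allow (True) or Deny (False)
    sid: str                    # SID of the user or group the ACE applies to
    rights: int                 # access rights granted or denied
    inheritable: bool = True    # inheritance flag: child objects inherit this ACE

@dataclass
class ADObject:
    dn: str
    owner_sid: str              # Owner SID from the security descriptor
    dacl: List[ACE] = field(default_factory=list)   # explicit ACEs, Deny listed before Allow
    parent: Optional["ADObject"] = None
    block_inheritance: bool = False

def effective_dacl(obj: ADObject) -> List[ACE]:
    """Explicit ACEs first, then inherited ones (canonical order), unless inheritance is blocked."""
    acl = list(obj.dacl)
    if not obj.block_inheritance and obj.parent is not None:
        acl += [a for a in effective_dacl(obj.parent) if a.inheritable]
    return acl

def access_check(obj: ADObject, caller_sids: Set[str], wanted: int) -> bool:
    """caller_sids holds the caller's own SID plus the SIDs of all its groups."""
    if obj.owner_sid in caller_sids:      # the owner can always change permissions
        wanted &= ~WRITE_DAC              # (simplified: Windows also grants the owner READ_CONTROL)
    for ace in effective_dacl(obj):
        if wanted == 0 or ace.sid not in caller_sids:
            continue
        if not ace.allow and ace.rights & wanted:
            return False                  # a matching Deny ends the check immediately
        if ace.allow:
            wanted &= ~ace.rights         # Allow ACEs grant what is still requested
    return wanted == 0

DOMAIN_ADMINS, HELPDESK, ALICE, BOB = "S-1-5-21-X-512", "S-1-5-21-X-1101", "S-1-5-21-X-1201", "S-1-5-21-X-1202"
sales_ou = ADObject("OU=Sales,DC=contoso,DC=com", DOMAIN_ADMINS, [
    ACE(True, DOMAIN_ADMINS, READ | WRITE | DELETE | WRITE_DAC), ACE(True, HELPDESK, READ | WRITE)])
# Alice carries an explicit Deny that beats the inherited Allow; Bob blocks inheritance entirely
alice = ADObject("CN=Alice,OU=Sales,DC=contoso,DC=com", ALICE, [ACE(False, HELPDESK, WRITE, False)], sales_ou)
bob = ADObject("CN=Bob,OU=Sales,DC=contoso,DC=com", BOB, parent=sales_ou, block_inheritance=True)
```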
Types of Groups
- Security groups
- Distribution groups
Using Active Directory for Centralized Management
[Diagram: a domain containing OU1 (Computers: Computer1; Users: User1) and OU2 (Users: User2; Printers: Printer1); a search locates User1, Computer1, User2, and Printer1]
Active Directory:
- Enables a single administrator to centrally manage resources
- Enables administrators to easily locate information
- Enables administrators to group objects into organizational units
- Uses Group Policy to specify policy-based settings
Managing the User Environment
[Diagram: Group Policy is applied once to the domain and to OU1, OU2, and OU3; Windows .NET Server then enforces it continually]
Use Group Policy to:
- Control and lock down what users can do
- Centrally manage software installation, repairs, updates, and removal
- Configure user data to follow users whether they are online or offline
Resolving Conflicts Between Group Policy Settings
- All Group Policy settings apply unless there are conflicts
- The last setting processed applies:
  - When settings from different GPOs in the Active Directory hierarchy conflict, the child container's GPO settings apply
  - When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
- A computer setting applies when it conflicts with a user setting
Overriding and Blocking Group Policy
To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. For example, if you define a GPO at the domain level, and you specify the No Override option, the policies that the GPO contains apply to all organizational units in that domain. Lower-level organizational units will not override the policy applied at the domain level.

To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. For example, if you specify the Block inheritance option for an organizational unit, it prevents the application of policy at that level from higher-level Active Directory containers such as a higher-level organizational unit or domain.

Note that the No Override option always takes precedence over the Block inheritance option. Local GPOs cannot specify the No Override or Block inheritance options.
Class Discussion: How Group Policy Is Applied
[Diagram: GPO1 is linked to the site, GPO2 and GPO3 to the domain, and GPO4 to the OU]
- GPO1 ensures that Favorites appears on the Start menu
- GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon
- GPO4 removes Favorites from the Start menu and adds the Windows Update icon
What are the resultant Group Policy settings for the OU?
Class Discussion: How Group Policy Is Applied (2)
Resultant Group Policy settings for the OU:
- A password must be at least 11 characters long
- The Windows Update icon appears on the Start menu
- Favorites does not appear on the Start menu
Enabling Block Inheritance
Block Inheritance:
- Stops inheritance of all GPOs from all parent containers
- Cannot selectively choose which GPOs are blocked
- Cannot stop No Override
[Diagram: GPOs linked to the domain; Block Inheritance is enabled on the Production OU, so for Production and its child OU Sales no GPO settings apply]
Enabling No Override
No Override:
- Overrides Block Inheritance and GPO conflicts
- Should be set high in the Active Directory tree
- Is applicable to links and not to GPOs
- Enforces corporate-wide rules
[Diagram: the domain's GPO settings are linked with No Override; the Production OU and its child OU Sales have conflicting GPO settings, yet the domain GPO settings apply]
Filtering Group Policy Settings
Filter Group Policy settings by:
- Explicitly denying the Apply Group Policy permission
- Omitting an explicit Apply Group Policy permission
[Diagram: a GPO linked to the Sales OU in the domain; one user is granted Allow Read and Apply Group Policy, another user is denied Apply Group Policy, and a group is also listed on the GPO's DACL]
Class Discussion: Changing Group Policy Inheritance
Settings that are needed:
- An anti-virus application must be installed on all computers in the domain
- The Office suite must be installed on all computers in the domain, except for those in the Payroll department
- An accounting application must be installed on all client computers in the Payroll department, except for the computers used by the Payroll OU administrators
[Diagram: the Contoso.com domain with Sales, Payroll, and Training OUs]
How do you set up your GPOs?
Class Discussion: Changing Group Policy Inheritance (2)
How do you set up your GPOs?
[Diagram: the Nwtraders.com domain with Sales, Payroll, and Training OUs]
- A GPO linked to the domain with the antivirus application settings configured and the link configured with No Override
- A GPO linked to the domain that installs the Office suite
- Enable Block Inheritance for the Payroll OU
- A GPO linked to the Payroll OU to install the accounting application
- Modify the DACL of the GPO linked to the Payroll OU to deny the Apply Group Policy permission for the computer accounts used by the Payroll OU administrators
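The precedence rules from "Resolving Conflicts Between Group Policy Settings", "Overriding and Blocking Group Policy" and "Filtering Group Policy Settings" can be replayed against both class discussions; the Python model below is an added example, not course material, and its GPO, container and computer names (including the PAYROLL-ADMIN-PC account) are constructed. It reproduces the slide's answer for the site/domain/OU scenario and the Payroll GPO design from the second discussion.

```python
"""Added example (not from the course slides): a model of Group Policy precedence
covering link order, No Override (enforced links), Block Inheritance and Deny Apply
Group Policy filtering. GPO, container and computer names are constructed to mirror
the two class discussions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class GPOLink:
    name: str
    settings: Dict[str, object]          # setting name -> value
    no_override: bool = False            # No Override is set on this link
    deny_apply: Set[str] = field(default_factory=set)  # principals denied Apply Group Policy

@dataclass
class Container:                         # a site, domain or OU
    name: str
    links: List[GPOLink]                 # index 0 = highest in the container's GPO list
    block_inheritance: bool = False

def resultant_policy(path: List[Container], principal: str) -> Dict[str, object]:
    """path runs from the site down to the target container. GPOs are applied in
    the order built below, and each one overwrites settings applied before it."""
    # Block Inheritance on the nearest container discards non-enforced GPOs linked above it
    cutoff = max([d for d, c in enumerate(path) if c.block_inheritance], default=0)
    order = []
    for c in path[cutoff:]:              # parent to child; links of one container are applied
        order += [lk for lk in reversed(c.links) if not lk.no_override]  # in reverse list order
    for c in reversed(path):             # enforced links come last, and the highest
        order += [lk for lk in reversed(c.links) if lk.no_override]      # container's is applied last
    effective: Dict[str, object] = {}
    for lk in order:
        if principal not in lk.deny_apply:   # Deny Apply Group Policy filters the GPO out
            effective.update(lk.settings)
    return effective

# "How Group Policy Is Applied": GPO1 at the site, GPO2 and GPO3 at the domain, GPO4 at the OU
site = Container("Site", [GPOLink("GPO1", {"favorites_on_start": True})])
domain = Container("Domain", [GPOLink("GPO2", {"min_password_len": 11}),
                              GPOLink("GPO3", {"windows_update_icon": False})])
ou = Container("OU", [GPOLink("GPO4", {"favorites_on_start": False, "windows_update_icon": True})])
CLASS_RESULT = resultant_policy([site, domain, ou], "User1")

# "Changing Group Policy Inheritance": the answer's GPO design, applied to constructed computers
contoso = Container("contoso.com", [GPOLink("AntiVirus", {"antivirus": True}, no_override=True),
                                    GPOLink("Office", {"office": True})])
payroll = Container("Payroll", [GPOLink("Accounting", {"accounting": True},
                                        deny_apply={"PAYROLL-ADMIN-PC"})], block_inheritance=True)
sales = Container("Sales", [])
```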
Delegating Administrative Control
[Diagram: a domain with OU1, OU2, and OU3 delegated to Admin1, Admin2, and Admin3 respectively]
Grant permissions:
- For specific organizational units to other administrators
- To modify specific attributes of an object in a single organizational unit
- To perform the same task in all organizational units
Customize administrative tools to:
- Map to delegated administrative tasks
- Simplify interface design
The Physical Structure of Active Directory
- Sites
- Domain controllers
- WAN links
[Diagram: two sites, each with domain controllers, connected by a WAN link]
Sites
A site is a combination of one or more Internet Protocol (IP) subnets that are connected by a high-speed link. You create sites for two primary reasons:
- To optimize replication traffic
- To enable users to connect to a domain controller by using a reliable, high-speed connection
A single site may contain many domains, and a single domain may span many sites.
[Diagram: domains and sites overlapping]
What Are Site Links?
A site link:
- Enables replication traffic between sites
- Represents the physical connection between sites
[Diagram: two sites, each made up of IP subnets containing domain controllers (A1, A2 and B1, B2, B3); a site link with a cost connects them]
Linking Multiple Sites
- Site links
  - Cost
  - Interval
  - Schedule
- Site link bridges
Why Disable Default Bridging of All Site Links?
[Diagram: Site A (A1, A2), Site B (B1, B2, B3), and Site C (C1, C2), each spanning IP subnets; site link AB joins A and B, site link BC joins B and C, and a site link bridge spans both links]
Replication Components
- The Knowledge Consistency Checker (KCC)
- Server object
- NTDS Settings object
- Connection objects
Replication Protocols
- Replication within a site uses RPC over IP
- Replication between sites can use:
  - RPC over IP
  - SMTP (if the replication occurs between domains)
Comparing Replication within a Site and Between Sites
Replication within a site:
- Change notification
- Uncompressed traffic
- Urgent replication
Replication between sites:
- Replication scheduling
- Compressed traffic
Replication Within Sites vs. Replication Between Sites
[Diagram: domain controllers A1 and A2 replicating within one site across its IP subnets; B1 and B2 in a second site; replication between the two sites]
Replication within sites:
- Assumes fast and highly reliable network links
- Does not compress replication traffic
- Uses a change notification mechanism
Replication between sites:
- Assumes limited available bandwidth and unreliable network links
- Compresses all replication traffic between sites
- Occurs on a manual schedule
Summary
- Centralized administration
- Organize, manage, and control resources
- Logical structure separate from physical structure
- Multiple functional levels
- Schema modification
- Delegation of administrative control