Active Directory

What Is Active Directory?

Active Directory

Directory service functionality

Organize Manage Control Resources

Centralized management
Single point of administration

What Does Active Directory Do?

Active Directory Centralized Administration Organize, Manage, and Control Resources Logical Structure Separate form Physical Structure Multiple Functional Levels Schema Modification Delegation of Administrative Control

Active Directory Supported Technologies

DNS SNTP DHCP

Internet-Standard Technologies

LDAP TCP/IP

X.509 Kerberos

LDIF

The Logical Structure of Active Directory

Forest Domain Tree Domain

Domain

Domain

Domain

OU

Domain

Domain

Objects
OU OU

Domain Organizational Unit

Forests, Trees, and Domains

Tree

Tree

Forest

Tree Forest

Domains
Logical partition in Active Directory database Collections of users, computers, groups, etc. Units of replication Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain Domain controllers do not replicate domain partition information for other domains
Replication

Windows 2000 or Windows .NET Domain

Organizational Units
Container objects within a domain
Organizational structure
Paris Sales Repair

Network administrative model

Sales Users Computers

Used to delegate administrative authority Used to apply Group Policy

Forest and Domain Functional Levels

Functional levels determine Supported domain controller operating system Active Directory features available Domain functional levels can be raised independently of one another Raising forest functional level is performed by Enterprise Admin Requires all domains to be at Windows 2000 native or Windows Server 2003 functional levels

Forest Functional Levels

Forest Functional Level

Windows 2000 (default)

Domain Controllers Supported

Windows NT 4 Windows 2000 Windows Server 2003 family Windows NT 4 Windows Server 2003 family

Windows Server 2003 Interim

Windows Server 2003 Family

Windows Server 2003 family

Domain Functional Levels

Windows 2000 Mixed ModeWindows NT 4, Windows 2000 or Windows Server 2003 DCs
Domain Controller (Windows Server 2003)

Windows 2000 Native Mode No Windows NT 4 DCs

Domain Controller (Windows Server 2003)

Domain Controller (Windows 2000)

Domain Controller (Windows NT 4)

Domain Controller (Windows 2000)

Domain Functional Levels

Windows Server 2003 Interim No 2000 DCs
Domain Controller (Windows Server 2003)

Windows Server 2003 Level All Windows Server 2003 DCs

Domain Controller (Windows Server 2003)

Domain Controller (Windows NT 4)

Domain Controller (Windows Server 2003)

Trust Relationships
Secure communication paths that allow security principals in one domain to be authenticated and accepted in other domains Some trusts are automatically created Parent-child domains trust each other

Tree root domains trust forest root domain

Other trusts are manually created Forest-to-forest transitive trust relationships can be created- Windows Server 2003 forests only

Types of Trusts in Windows Server 2003

Default - two-way- transitive Kerberos trusts (intraforest) Shortcut - one or two-way transitive Kerberos trusts (intraforest) Reduce authentication requests Forestone or two-waytransitive Kerberos trusts* *Windows .NET Server 2003 ForestsWindows 2000 does not support forest trusts Only between Forest Roots Creates transitive domain relationships Externalone-waynon-transitive NTLM trusts Used to connect to/from Windows NT or external Windows 2000 domains Manually created Realmone or two-waynon-transitive Kerberos trusts Connect to/from UNIX MIT Kerberos realms

Trees and Forests

Forest Two-Way Transitive Trusts

Tree

Tree

Forest

Tree Forest

External One-Way Windows NT Domain Non-Transitive Trust

Shortcut Trust
Forest Two-Way Transitive Trusts

Tree Tree Forest

Shortcut Trust
Tree Forest

Directory Partitions

Forest-wide replication (every DC in forest has a replica)

Contains definitions and rules for creating and manipulating all objects and attributes

Schema
Configuration

Contains information about Active Directory structure

Domain-wide replication Configurable replication

contoso.msft Application

Contains information about all domain-specific objects created in Active Directory

Contains application data ForestDNSZone DomainDNSZone

All Partitions Together Comprise the Active Directory Database

What Is Replication Topology?

A1 A2 B2

B1

A3

A4

B3

Domain Controllers from the Same Domain Various Domains

Domain A Topology Domain A Topology Domain B Topology Schema and Configuration Schema and Configuration Topology Topology

Schema
Object Class Examples
Dynamically available, updateable, and protected by DACLs

Computers

Attributes of Users might contain:

accountExpires badPasswordTime mail name

Attribute Examples
List of attributes
accountExpires badPasswordTime mail Name

Users

Servers

What Are Operations Masters

Schema Master (Forest Wide Role) Domain Naming Master(Forest Wide) RID Master (Domain Wide Role) PDC Emulator (Domain Wide Role) Infrastructure Master (Domain Wide Role)

Global Catalog
Resources in Active Directory can be shared across domains and forest.

The global catalog feature in Active Directory makes searching for resources across domain and forest transparent to the user
A global catalog server is a domain controller that efficiently processes intraforest queries to the catalog.

Desining an Active Directory naming Strategy

Naming, Identifing, and Accessing Active Directory Objects

Active Directory Naming Strategies

DNS Deployement Strategies for Active Directory

Naming, Identifing, and Accessing Active Directory Objects

Naming Conventions used in Active Directory Domain Name System DNS and Active Directory LDAP (Lightweight Directory Access Protocol) Locating Active Directory Objects

Naming Conventions used in Active Directory

LDAP Distinguished Name LDAP Relative Distinguished Name User Principal Name ([email protected]) NetBIOS Name LDAP Distinguished Name Example :
DC = com , DC = contoso , CN = Users , CN = Jhon

LDAP
LDAP Allows Access to Directory Service Information Active Directory Support LDAP v.2 and v.3 LDAP Names Represent Information About Objects in Active Directory.

DNS and Active Directory

DNS and Active Directory Domains Have Distinct Roles DNS servers are used to store and manage resources records Active Directory is used to store and manage domain objects.

Locating Active Directory Objects

Resolution of Services. DNS Query Resolution of Objects within Active Directory.LDAP Query

Active Directory Naming Strategies

Determining the Scope of Active Directory Disening the Naming Hierarchy Selecting a DNS Service Using Active Directory-Integrated DNS Zones Chosing Active Directory Domain Names

Designing the Naming Hierarchy

The first Domain Is the Root Domain Domains Derived from the Root Domain Form a Hierarchical Tree

Selecting a DNS Service

Support SRV records (mandatory) Supports the Dynamic Update Protocol.DDNS (recommended) Support zone tranfers (recommended)

Using Active Directory-Integrated DNS Zones

Zone Data Can Be Stored - In text files on DNS name servers - In Active Directory Integrated Active Directory Zones Provides - Security Updates - Zone Information replicated using Active Directory replication

Secure Access to Active Directory

Active Directory Security Components Security Descriptors Access Control Entries Ownership Delegating the Ability to Grant Permissions Inheritance of Permissions

Active Directory Security Components

Security Principals Receive Permissions Security Identifiers Uniquely Identify Security Principals Security Descriptors Protect Objects

Security Principals
Security Principals are users, qroups ans computers Users Computers
Microsoft Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003

Groups
Service accounts Group memberships Security policy profiles and Security identifiers,define security principals

Security Descriptors-I

Security Descriptors-II
Owner SID- The owner of an object is responsible for granding access permissions and granding rights for the objects. An owner is a security principal and is also difened by a SID Group SID Non-Windows OS

Security Descriptors-III
Access Control Lists

- Discretionary access control list (DACL) - System access control list (SACL)

Access Control Entries (ACEs)

ACEs protect Objects Access Can Be - Denied - Granted ACEs Contain - Access Rights - GUID (Global unique identifier) that identifies object or attribute type - SID that identifies the security pricipal - Flags that control inheritance

Ownership
Every object in active directory has an owner.The person who creates the object automatically becomes the owner and, by default, has full control over the object. Members of the domain admins group always have ability to take ownership of any object in the domain, and then change the permissions.

Inheritance of Permissions
Objects inherit existing permissions Inheritance can be bloced

Type of Groups
Security Groups Distribution Groups

Security Groups

Using Active Directory for Centralized Management

Domain

Domain

OU1 Computers Computer1 Users User1 OU2 Users User2

Searc h

OU1

OU2

User1 Computer1 User2 Printer1

Active Directory: Enables a single administrator to centrally manage resources Enables administrators to easily locate information Enables administrators to group objects into organizational units Uses Group Policy to specify policy-based settings

Printers Printer1

Managing the User Environment

3
Windows .NET Server Enforces Continually

Domain OU1 OU2 OU3

Apply Group Policy Once

1 2 3

Use Group Policy to: Control and lock down what users can do

Centrally manage software installation, repairs, updates, and removal

Configure user data to follow users whether they are online or offline

Resolving Conflicts Between Group Policy Settings

All Group Policy Settings Apply Unless There Are Conflicts The Last Setting Processed Applies When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply

When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
A Computer Setting Applies When It Conflicts with a User Setting

Overriding and Blocking Group Policy

To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. For example, if you define a GPO at the domain level, and you specify the No Override option, the policies that the GPO contains apply to all organizational units in that domain. Lower-level organizational units will not override the policy applied at the domain level. To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. For example, if you specify the Block inheritance option for an organizational unit, it prevents the application of policy at that level from higher-level Active Directory containers such as a higher-level organizational unit or domain. Note that the No Override option always takes precedence over the Block inheritance option. Local GPOs cannot specify the No Override or Block inheritance options.

Class Discussion: How Group Policy Is Applied

GPO1

GPO1 ensures that Favorites appears on the Start menu GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon GPO4 removes Favorites from the Start menu and adds the Windows Update icon

Site

GPO2 GPO3 Domain

What are the resultant Group Policy settings for the OU?

OU

GPO4

Class Discussion: How Group Policy Is Applied (2)

GPO1

What are the resultant Group Policy settings for the OU?

Site

A password must be at least 11 characters long The Windows Update icon appears on the Start menu
Domain

GPO2 GPO3

Favorites does not appear on the Start menu

OU

GPO4

Enabling Block Inheritance

Block Inheritance:

Stops inheritance of all GPOs from all parent containers Cannot selectively choose which GPOs are blocked
Cannot stop No Override
GPOs

Domain Production

Sales

No GPO settings apply

Enabling No Override
No Override: Overrides Block Inheritance and GPO conflicts Should be set high in the Active Directory tree Is applicable to links and not to GPOs Enforces corporate-wide rules

Domain Production No Override GPO Settings

Sales

Conflicting GPO Settings

Domain GPO settings apply

Filtering Group Policy Settings

Filter Group Policy Settings by:

Domain Sales

Explicitly denying the Apply Group Policy permission Omitting an explicit Apply Group Policy permission
Allow Read and Apply Group Policy Deny Apply Group Policy

Mengph

Kimyo
Group

Class Discussion: Changing Group Policy Inheritance

Settings That Are Needed

Contoso.com Sales

An anti-virus application must be installed on all computers in the domain The Office suite must be installed on all computers in the domain, except for those in the Payroll department An accounting application must be installed on all client computers in the Payroll department, except for the computers used by the Payroll OU administrators

Payroll

How do you set up your GPOs?

Training

Class Discussion: Changing Group Policy Inheritance (2)

How do you set up your GPOs?

Nwtraders.com Sales

A GPO linked to the domain with the antivirus application settings configured and the link configured with No Override A GPO linked to the domain that installs the Office suite Enable Block Inheritance for the Payroll OU A GPO linked to the Payroll OU to install the accounting application Modify the DACL of the GPO linked to the Payroll OU to deny the Apply Group Policy permission for the computer accounts used by the Payroll OU administrators

Payroll

Training

Delegating Administrative Control

Domain OU1 Admin1 OU2

Grant permissions: OU3 For specific organizational units to other administrators To modify specific attributes of an object in a single organizational unit To perform the same task in all organizational units Customize administrative tools to: Map to delegated administrative tasks Simplify interface design

Admin2

Admin3

The Pyhsical Structure of Active Directory

-Sites -Domain Controllers -WAN Link Site

WAN Link

Site Domain Controllers

Sites
A site is a combination of one or more Internet Protocol (IP) subnets that are connected by high-speed link. You create sites for two primary reasons: - To optimize replication trafic - To enable users to connect to a domain controller by using a reliable,high-speed connection Single site may contain many domains

Single domain may span many sites

Domain

Site

What Are Site Links?

A site link:
Enables replication traffic between sites Represents the physical connection between sites
A1 A2

IP Subnet

Site

IP Subnet

B1

B2

Site Link

IP Subnet

B3

Cost
IP Subnet

Site

Linking Multiple Sites

Site Links - Cost - Interval - Schedule Site Link Bridges

Why Disable Default Bridging of All Site Links?

B1 B2

IP Subnet

B3

IP Subnet

Site Link AB

Site B

Site Link BC

Site Link Bridge

A1 A2 C1 C2

Site A
IP Subnet IP Subnet

Site C
IP Subnet IP Subnet

Replication Components
The Konwledge Consistency checker Server Object NTDS Setting Object Connection Objects

Replication Protocols
Replication within a site uses RPC over IP Replication between sites can use: - RPC over IP - SMTP (if the replication occurs between domain)

Comparing Replication within a Site and Between Sites

Replication within a site - Change notification - Uncompressed traffic - Urgent replication Replication Between Sites - Replication scheduling - Compressed traffic

Replication Within Sites vs. Replication Between Sites

A1 IP Subnet A2

Replication Within Sites: Assumes fast and highly reliable network links Does not compress replication traffic Uses a change notification mechanism
A1
IP Subnet

IP Subnet

Replication

IP Subnet

Replication

A2

B1
IP Subnet

Replication

IP Subnet

Replication

B2

Replication Between Sites: Assumes limited available bandwidth and unreliable network links Compresses all replication traffic between sites Occurs on a manual schedule

Summary
Active Directory Centralized Administration Organize, Manage, and Control Resources Logical Structure Separate form Physical Structure Multiple Functional Levels Schema Modification Delegation of Administrative Control