Eng Ing Eng !

<Insert tada.wav here>
About The Speaker
• Name: Pandu Poluan
• Email: pandu@poluan.info
• Experience:
  – Senior Instructor (of instructors) for Cisco, Microsoft,
    Certified Ethical Hackers
  – IT Manager of Infrastructure,
    PT Panin Sekuritas Tbk
     • 25 branches, 500 employees, 1 domain
  – Systems Administration Manager,
    PT Carrefour Indonesia
     • 85 branches, 10’000+ employees, 2 domains
Active Directory
    An Introduction
What is Active Directory?
• Directory
  – Database of Objects in the Domain
     • Users
     • Computers
     • Printers
     • Scanners
     • Shares
     • Refrigerators
     • Coffee Makers
     • Toilet
• Authentication
  – Into the network
  – Uses the “Kerberos” mechanism
• Privileges
  – For network resources
  – For admin tasks
• Active
Why called “Active”
• Not just auth
• Grouping (Many-to-Many)
  – Based on Org Struct
  – Based on Functional Team
  – Based on Ad Hoc needs
• Delegation
  – Of admin tasks
  – Of management tasks
• Policies
  – Restrictions
  – Forced settings
  – “Push” installation
• Audit
• Replication
  – One way & Two way
  – Bandwidth-adapting
• ‘Trust’ Relationship
Overview of AD Elements
• Domain Controllers
  – Writable & RODC
• Schema
• Security Groups
• SYSVOL
• Group Policy Objects (GPO)
• Sites & Subnets
• ... (and many others, but let’s just focus on the above for this “Introduction”)
Domain Controllers
• Where the AD database (NTDS.DIT) is kept
• Replicate between themselves
  – Two-way between writable DCs, one-way to RODCs
  – Also replicate “SYSVOL”
• MUST be secured at all costs!!
  – Physical security
  – Logical security → where a DC cannot be physically protected (a branch office), deploy an RODC instead of a writable DC
  – Hardening:
     • Allow only dedicated ‘elevated’ accounts ‘administrator-level’ access to the DCs
     • Anyone who is a local administrator on a DC effectively controls the whole domain, so treat DC admin rights as Domain Admin rights
The AD “Schema”
• Definition of Objects in AD
  – Properties/Attributes
  – ‘Nature’ of Object
     • E.g., container, custom container, leaf object
• EXTREMELY, EXTREMELY, EXTREMELY VITAL !!!
  – One schema per forest; every change is replicated to every DC in the forest
  – If someone gains Schema-editing rights and botches the schema, there is no undo: classes and attributes can never be deleted, only deactivated
  – So keep the “Schema Admins” group empty, and add a member only for the duration of a planned schema change
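The two caveats above, that only dedicated elevated accounts may administer DCs and that Schema Admins should normally be empty, can be checked in a few lines. This is an added example, not part of the original slides; the group names are the Windows defaults, and the “-adm” suffix for dedicated elevated accounts is an assumed naming convention for this example.

```powershell
Import-Module ActiveDirectory

# Forest-wide groups (Schema Admins, Enterprise Admins) exist only in the forest
# root domain; Domain Admins and the builtin Administrators group exist per domain.
$forestRoot = (Get-ADForest).RootDomain
$targets = @(
    @{ Name = 'Schema Admins';     Server = $forestRoot; ShouldBeEmpty = $true  },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot; ShouldBeEmpty = $false },
    @{ Name = 'Domain Admins';     Server = $null;       ShouldBeEmpty = $false },
    @{ Name = 'Administrators';    Server = $null;       ShouldBeEmpty = $false }
)

foreach ($t in $targets) {
    $params = @{ Identity = $t.Name; Recursive = $true; ErrorAction = 'Stop' }
    if ($t.Server) { $params['Server'] = $t.Server }
    try {
        # -Recursive flattens nested groups so the list shows effective members.
        # In a child domain, members from the root domain show up as foreign
        # security principals that cannot always be expanded from here.
        $members = @(Get-ADGroupMember @params)
    } catch {
        Write-Warning "Could not enumerate $($t.Name): $_"
        continue
    }

    Write-Host "== $($t.Name): $($members.Count) effective member(s)"
    if ($t.ShouldBeEmpty -and $members.Count -gt 0) {
        Write-Warning "$($t.Name) should be empty unless a schema change is in progress right now"
    }
    foreach ($m in $members) {
        $note = ''
        switch ($m.objectClass) {
            # '-adm' suffix = assumed convention for dedicated elevated accounts
            'user'     { if ($m.SamAccountName -notlike '*-adm') { $note = '<-- not a dedicated elevated account?' } }
            'computer' { $note = '<-- computer object holding admin rights' }
        }
        '{0,-9} {1,-24} {2} {3}' -f $m.objectClass, $m.SamAccountName, $m.distinguishedName, $note
    }
}
```

Run it from a management workstation with the RSAT ActiveDirectory module; any warning about Schema Admins, and any everyday user account in the other three groups, is a finding to act on.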
Security Groups
• Used to manage privileges/permissions practically, systematically, and healthily
  – Managing privileges per user in a big enterprise is not good for your health
• Microsoft-recommended Best Practice:

   A (Account) → G (Global) → U (Universal) → DL (Domain Local) → P (Permissions)
A-P
• The worst privilege-assignment strategy
  – Imagine having to give 1’000 users the same privileges …
  – … to 100 network shares: 100’000 individual ACL entries to create, audit, and one day remove
• Only suitable for … nothing
A-G-P
• NEVER assign permissions directly to accounts
• At least, assign permissions to Global SGs
• Then, gather user Accounts into Gs
• Only suitable for small domains
  – A Global group can contain only accounts from its own domain, so this breaks down as soon as resources are shared across domains
A-G-DL-P
• Good Enough™ for most organizations
• In principle:
  – Gather Accounts into Global Groups (by role: who the people are)
  – Assign Permissions onto Domain Local groups (by resource: what the access is)
  – Nest the Global groups into the Domain Locals
  – The ACL on the resource then references one Domain Local group and never changes again; all churn happens in group membership

   A → G → DL → P
A-G-U-DL-P
• Necessary for huge organizations
  – Allows assignment of privileges to accounts from other ‘trusted’ domains in the forest
• Similar to A-G-DL-P, but
  – Create Universal SGs spanning multiple domains
  – Put each domain’s Global SGs inside a U
  – Then, nest the Us in the DLs
  – Caveat: Universal group membership is stored in the Global Catalog and replicated forest-wide, so put only Global groups in a U, never individual accounts that change often

   A → G (domain 1) ─┐
                      ├→ U → DL → P
   A → G (domain 2) ─┘
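The A-G-DL-P chain, and its A-G-U-DL-P extension for a second domain, built end to end in PowerShell. This is an added example, not code from the original slides; the domain names (corp.example, emea.corp.example), the OU, the share path \\FS01\Finance, the GG-/UG-/DL- prefixes and the user names are all assumptions made for the example.

```powershell
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=corp,DC=example'   # assumed
$share   = '\\FS01\Finance'                 # assumed
$netbios = 'CORP'                           # assumed

# P: one Domain Local group per resource + access level. Only this group ever
# appears in the ACL, so the ACL never has to be touched again.
New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Modify on $share"

# G: accounts grouped by role, inside their own domain.
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Finance department staff'
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'alice', 'bob'

# G -> DL: nest the role group into the resource group.
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'GG-Finance-Staff'

# DL -> P: grant the NTFS permission to the Domain Local group and nothing else.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL-Finance-Modify", 'Modify',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# A-G-U-DL-P: a second domain (emea.corp.example) also has finance staff.
# A Global group cannot contain accounts from another domain, so a Universal
# group sits between the Gs and the DL. Only groups go into the U: its member
# list lives in the Global Catalog and is replicated across the whole forest.
New-ADGroup -Name 'UG-Finance-Staff' -GroupScope Universal -GroupCategory Security `
    -Path $groupOU -Description 'Finance staff, all domains'
Add-ADGroupMember -Identity 'UG-Finance-Staff' -Members 'GG-Finance-Staff'
$emeaFinance = Get-ADGroup -Identity 'GG-Finance-Staff' -Server 'emea.corp.example'
Add-ADGroupMember -Identity 'UG-Finance-Staff' -Members $emeaFinance
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'UG-Finance-Staff'

# Check: the share's ACL should reference only the Domain Local group, never a user.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like "$netbios\*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Onboarding a new finance employee is now a single Add-ADGroupMember into GG-Finance-Staff in that employee’s own domain; the share, the DL and the U are never touched again.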
SYSVOL
• The mysterious, enigmatic area where important AD thingies are kept
  – Group Policy Objects (the file half of each GPO: a {GUID} folder under Policies)
  – Startup/Shutdown/Logon/Logoff Scripts
  – Other small-sized SysAdmin supporting files
• Employs mysterious “Junctions”
  – Must be hosted on NTFS
  – On a DC, SYSVOL\sysvol\<domain> is a junction to SYSVOL\domain; the SYSVOL and NETLOGON shares point into it
  – Please please please for the love of all things holy: Do not delete any directory in here if you don’t understand its structure
• Automatically replicated to other DCs
  – (Except SYSVOL on RODCs – won’t replicate outward, but will be overwritten by the inbound one-way replication instead)
  – FRS on Windows Server 2003; DFSR from the Windows Server 2008 domain functional level (a domain upgraded from 2003 keeps FRS until it is migrated with dfsrmig)
  – Please do not put anything too big in SYSVOL …
     • every byte in it is copied to every DC, over every site link
     • else, your NetAdmin is going to find you and hurt you…
Group Policy Objects
• A method to apply:
  – Common restrictions
  – Common settings
  – Common applications (software installation via GPO)
• Linked to a site, the domain, or one (or more) “Organizational Units”
• Two kinds of policies
  – Machine policies – applied when the computer starts, then refreshed in the background (every 90 minutes plus a random offset of up to 30 minutes, by default)
  – User policies – applied at logon, then refreshed on the same schedule
     • With loopback processing, the computer’s GPOs also decide the user settings applied at logon
• Can be selectively applied (security filtering on the GPO, WMI filters)
• Each GPO is two halves that must agree: an object in AD and a folder in SYSVOL
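A health check covering the SYSVOL and GPO slides above: every GPO’s AD object and SYSVOL folder must both exist and carry the same version numbers, nothing should be left over in the Policies folder, and nothing large should sit in SYSVOL. This is an added example, not code from the original slides; it uses only the GroupPolicy and ActiveDirectory modules and the standard SYSVOL layout, and the 10 MB threshold is an arbitrary choice for the example.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$sysvol   = "\\$domain\SYSVOL\$domain"   # on a DC: %SystemRoot%\SYSVOL\sysvol\<domain>, a junction to SYSVOL\domain
$policies = Join-Path $sysvol 'Policies'
$limit    = 10MB                          # arbitrary threshold for this example

# 1. Each GPO is two halves: the AD object (versions reported as DSVersion) and
#    the SYSVOL folder named after the GPO's GUID (GPT.INI, reported as
#    SysvolVersion). A missing folder or a version mismatch means clients
#    receive a broken or stale policy.
$gpos = Get-GPO -All
foreach ($gpo in $gpos) {
    $folder = Join-Path $policies "{$($gpo.Id)}"
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "GPO '$($gpo.DisplayName)' has no SYSVOL folder at $folder"
        continue
    }
    if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
        $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
        Write-Warning ("GPO '{0}' version mismatch: AD {1}/{2}, SYSVOL {3}/{4} (computer/user)" -f
            $gpo.DisplayName, $gpo.Computer.DSVersion, $gpo.User.DSVersion,
            $gpo.Computer.SysvolVersion, $gpo.User.SysvolVersion)
    }
}

# 2. Folders under Policies that no GPO refers to any more: leftovers of deleted
#    GPOs, or of someone "tidying up" SYSVOL by hand.
$known = $gpos | ForEach-Object { "{$($_.Id)}" }
Get-ChildItem -LiteralPath $policies -Directory |
    Where-Object { $known -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Orphaned policy folder: $($_.FullName)" }

# 3. Anything large in SYSVOL is replicated to every DC over every site link.
Get-ChildItem -LiteralPath $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt $limit } |
    Sort-Object Length -Descending |
    Select-Object @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, FullName
```

Run it against the domain name (as above) to see the DFS-resolved copy, or against a specific DC (\\DC01\SYSVOL\...) when you suspect that one DC is out of sync with the others.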
Sites and Subnets
• Active Directory enables the definition of “sites”
  – Basically, a grouping of subnets in the enterprise
  – Also, a collection of DCs in those subnets
• Features enabled by “sites”
  – Definition of replication topology
  – Definition of replication connection “costs”
  – Custom scheduling of replication
  – Nearest-DC (for login, SYSVOL access, etc.)
• Caveat: a client whose IP address is in no defined subnet belongs to no site, so it may be sent to any DC in the forest, including one across a slow WAN link; DCs record such clients as NO_CLIENT_SITE in netlogon.log
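Finding subnets that nobody added to a site, using the NO_CLIENT_SITE entries that each DC writes to its netlogon.log, and listing what AD already knows for comparison. This is an added example, not code from the original slides; the log lines in $sample are constructed for the example (the real file is %SystemRoot%\debug\netlogon.log on each DC), and the exact line format varies slightly between Windows versions, so the regex keys only on the NO_CLIENT_SITE token.

```powershell
Import-Module ActiveDirectory

function Get-UnmappedClients {
    param([string[]]$LogLines)
    $hits = @{}
    foreach ($line in $LogLines) {
        # Constructed format: "MM/DD HH:MM:SS [MISC] DOMAIN: NO_CLIENT_SITE: <host> <ip>"
        if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(\.\d{1,3}){3})') {
            # Group by /24 as a first guess at the subnet that is missing in AD.
            $net = ($Matches['ip'] -split '\.')[0..2] -join '.'
            if (-not $hits.ContainsKey($net)) {
                $hits[$net] = New-Object System.Collections.Generic.HashSet[string]
            }
            [void]$hits[$net].Add($Matches['host'])
        }
    }
    $hits.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ CandidateSubnet = "$($_.Key).0/24"; DistinctHosts = $_.Value.Count }
    } | Sort-Object DistinctHosts -Descending
}

# Constructed sample lines; replace with Get-Content "$env:SystemRoot\debug\netlogon.log" on a DC.
$sample = @(
    '05/12 09:01:13 [MISC] CORP: NO_CLIENT_SITE: WS-4471 10.77.12.45',
    '05/12 09:01:14 [MISC] CORP: NO_CLIENT_SITE: WS-4472 10.77.12.46',
    '05/12 09:03:51 [MISC] CORP: NO_CLIENT_SITE: LT-0912 10.77.12.201',
    '05/12 09:07:02 [MISC] CORP: NO_CLIENT_SITE: PRN-0031 10.78.3.9',
    '05/12 09:07:30 [MISC] CORP: DsGetDcName function called: client PID=1234, Dom:(null) Acct:(null) Flags: DS'
)
Get-UnmappedClients -LogLines $sample | Format-Table -AutoSize
# Expected from the sample: 10.77.12.0/24 with 3 hosts, 10.78.3.0/24 with 1 host.

# What AD already knows: every defined subnet and the site it maps to.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Sort-Object Site, Name

# Site link costs and schedules decide where a site with no DC of its own goes.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Any candidate subnet from the first list that is absent from the second is a New-ADReplicationSubnet away from giving those clients a nearby DC.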
Other Important Things You Should Know If You Are A Windows Systems Administrator
• FSMO Roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master)
• Time Synchronization (Kerberos rejects tickets from clocks more than 5 minutes apart, by default)
• Deployment tools
• Management tools
• Diagnostic tools
Thank you!
Question and (hopefully) Answer Session
Active directory - an introduction
