How to Succeed with Active Directory
Robert Williams, PhD, CEO, Secure Logistix Corporation

Presentation Outline
- Demystifying Active Directory
- Active Directory structure
- Interoperability standards adherence
- Common sense planning and deployment tips

What is a Directory Service?
- Stated simply, a directory service is a listing that helps organize and locate information
- There are two primary components:
  - Directory store for data
  - Services that act on the data
- Service functions include data replication, security rule enforcement, data distribution ... and more

What is Active Directory?
- Microsoft's Windows 2000/.NET Server implementation of directory services
- Networked object store and service that locates and manages resources
- Authenticates authorized use of resource objects by users according to defined rules

Specific Enterprise Functions of AD
- Stores data on every object and its attributes
- Security: ACL authentication and domain trusts
- Central point for enterprise administration
- Mechanism for OS interoperability
- Consolidation of divergent directory services
- System to replicate object data

Active Directory Relationships
- Active Directory treats everything as an object: users, files, computers, devices, etc.
- Access to an object anywhere in the enterprise is possible (assuming permission)
- DNS resolves the computer name during an object query
- LDAP (Lightweight Directory Access Protocol) resolves object locations
- MIT Kerberos provides user authentication

Administration of Active Directory
- Permits finite hierarchical management
- Supports delegation of admin functions
- Provides a single point for enterprise management
- Supports open standards, APIs and scripting
- Provides backward compatibility with Windows NT and Novell Directory Services

Active Directory Structure
- Active Directory divides itself into logical and physical structures
- Logical structures include components called domains, trees, forests, organizational units and the schema (containers for data)
- Physical structures include network-defined sites and domain controllers (data locations & stores)

Logical Structure
- Base components are objects and their attributes
- Schema: mechanism for storing object classes
- Objects organized around a hierarchical domain model
- Each domain has its own security permissions and relationship with other domains

Active Directory Domain
- Hierarchical infrastructure of networked computers
- Domain: computer systems and network resources that share a common security boundary
- A domain can cross physical locations and sites
- Viewed as a grouping of resources that use a common domain name (namespace)

Domain Trees
- Multiple domains share a common schema, security relationship and Global Catalog
- Identify a domain tree by its common, contiguous namespace
- sales.xyz.com and research.xyz.com = child domains of the xyz.com domain
- xyz.com is the root domain of the domain tree

Active Directory Domain Tree
- Users log on directly to a Windows 2000 domain tree
- [Diagram: root domain Domain.com with child domains Sales.Domain.com and Products.Domain.com]

Domain Forest
- Domain forests are created when domain trees with different namespaces form a trust relationship
- xyz.com & abc.com become a tree when the trust is established
- All trees within a forest share a common Global Catalog, configuration, and schema
- A forest has no unique name but is the reference point between trees

Active Directory Forest
- A user logs on to his/her domain, but can be granted access to any forest resource
- [Diagram: two trees in one forest; root Domain.com with children Sales.Domain.com and Products.Domain.com, and root Domain2.com with children Sales.Domain2.com and Products.Domain2.com]

Organizational Units (OUs)
- Domains can be divided into organizational units
- Organizational units can nest within one another
- Use OUs to reflect departmental divisions or units with unique security and administrative rights
- Administrative delegation of resources is easy to apply to OU subsets

Active Directory OU
- Organizational Units (OUs) are sub-units within a domain
- [Diagram: Sales.Domain.com, a child of Domain.com, divided into nested OUs (OU 1 through OU 5); the user logs on to OU 3, shown as OU 3.Sales.Domain.com]
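The domain tree and OU nesting of the last several slides can be recovered from each object's LDAP distinguishedName: the DC= components spell out the DNS domain name and contiguous namespace, and the OU= components give the nesting path. This is an added example (not the presenter's code) that parses constructed sample DNs mirroring the slides' Domain.com / Domain2.com forest and groups the domains into trees by namespace.

```python
import re
from collections import defaultdict

# Constructed sample distinguishedNames mirroring the deck's diagrams:
# one tree rooted at Domain.com and a second tree rooted at Domain2.com.
SAMPLE_DNS = [
    "DC=Domain,DC=com",
    "DC=Sales,DC=Domain,DC=com",
    "DC=Products,DC=Domain,DC=com",
    "OU=OU 3,DC=Sales,DC=Domain,DC=com",
    "OU=OU 4,OU=OU 3,DC=Sales,DC=Domain,DC=com",
    "CN=Williams\\, Robert,OU=OU 4,OU=OU 3,DC=Sales,DC=Domain,DC=com",
    "DC=Domain2,DC=com",
    "DC=Sales,DC=Domain2,DC=com",
]


def parse_dn(dn):
    """Split an LDAP DN into (type, value) pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.upper(), val.replace("\\,", ",")))
    return rdns


def domain_of(dn):
    """DNS domain name spelled out by the DC= components, most specific label first."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def ou_path(dn):
    """OU nesting from the domain downward, e.g. ['OU 3', 'OU 4']."""
    return [v for t, v in reversed(parse_dn(dn)) if t == "OU"]


def build_forest(dns):
    """Group domains into trees by contiguous namespace.

    Returns (roots, children): roots are domains whose parent namespace is not
    itself a domain in the set; children maps each domain to its child domains.
    """
    domains = {domain_of(dn) for dn in dns if domain_of(dn)}
    children, roots = defaultdict(list), []
    for name in sorted(domains):
        parent = name.split(".", 1)[1] if "." in name else ""
        if parent in domains:
            children[parent].append(name)
        else:
            roots.append(name)
    return roots, dict(children)
```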

Physical Structure
- Mechanism for data communication and replication
- Two primary components:
  - Site: IP subnet network structural component
  - Domain controller and Global Catalog: physical server that stores and replicates data

Active Directory Site
- Physical network structure of Active Directory
- Purpose: provides a method to regulate inter-subnet traffic
- Primary goal: rapid, economical data transmission
- Do not define sites by location boundaries; define them by reliable communications
- No formal relationship between site and domain ... they can cross each other

Domain Controller (DC)
- Server containing a copy of Active Directory
- All domain controllers are peers that maintain replicated versions of Active Directory
- DC locates resources and authenticates users
- Global Catalog is a special domain controller that contains an abbreviated listing of objects for rapid indexing and locating of resources
- DC is assigned to a site at installation
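Because sites are defined by IP subnets and each DC is assigned to a site, a client's address decides which DC it should authenticate against. The added example below (not from the presentation) models that lookup on constructed subnet and DC data: longest-prefix match picks the most specific site, and a client outside every defined subnet is flagged, since it will be served by a DC across the WAN rather than a site-local one.

```python
import ipaddress

# Constructed sample data: site subnets and the site each DC was assigned to at installation.
SUBNETS = {
    "10.1.0.0/16": "Dallas",
    "10.1.5.0/24": "Dallas-Lab",   # more specific prefix nested inside Dallas
    "10.2.0.0/16": "Houston",
}
DOMAIN_CONTROLLERS = {
    "dc1.domain.com": "Dallas",
    "dc2.domain.com": "Houston",
    "gc1.domain.com": "Dallas",     # Global Catalog server, also in Dallas
}


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against site subnets; None if unmatched."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def dcs_in_site(site, dcs=DOMAIN_CONTROLLERS):
    """Domain controllers assigned to the given site, in stable order."""
    return sorted(host for host, s in dcs.items() if s == site)


def choose_dc(ip):
    """Return (site, dc, is_site_local).

    A site-local DC is preferred; when the client's subnet is undefined, or its
    site has no DC, any DC is used and is_site_local is False so the gap in the
    subnet-to-site map can be reported. (Real AD would weigh site link costs
    for the fallback; that is simplified away here.)
    """
    site = site_for_ip(ip)
    local = dcs_in_site(site) if site else []
    if local:
        return site, local[0], True
    return site, sorted(DOMAIN_CONTROLLERS)[0], False
```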

Role of the Domain Controller
- Every domain controller maintains information as part of Active Directory:
  - Data on every object and container object
  - Metadata about other domains in the tree or forest
  - Listing of all domains in the tree or forest
  - Location of the server with the Global Catalog

Adherence to Industry Standards
- Greater interoperability = open standards adherence
- DNS Dynamic Update RFC
- Dynamic Host Configuration Protocol, RFC 2131
- Kerberos v5, RFC 1510
- Lightweight Directory Access Protocol RFC
- LDAP Schema RFC
- Simple Network Time Protocol, RFC 1769
- Simple Mail Transfer Protocol, RFC 821
- TCP/IP RFC
- X.509 v3 Certificates, ISO X.509

Simplifying Planning/Deployment
- Active Directory planning/deployment is a large task ... but not overwhelming
- Start by gathering organizational data
- Design the domain model on the organizational structure
- Design site & domain controller requirements based upon network connectivity

Gathering Organizational Data
- Required data is readily available
- Start with organization charts to help define domains & OUs
- Define what data resources are shared & restricted
- Ask HR for employee classifications for group policies
- Establish permissions based on common system needs
- Map physical locations & available connectivity
- Review where organizational shifts are likely to occur

Domains vs. Organizational Units
- A single domain with OUs is easiest to manage
- The single domain model may not meet needs in more complex organizations
- Generally, size & need for separate identity are the critical decision points

When to Use Domain Trees
- Desire for decentralized management
- Unique business activities dictate child domains
- Need to establish unique domain-wide policies
- In large organizations, child domains lend themselves to localized vs. centralized control

When to Use Domain Forest Model
- When separate domain names are required
- When radically different business activities exist
- When acquired organizations require trusts during initial merging of operations
- Joint venture or partnership arrangements where resources & data must be shared

Restricting Domain Forest Trusts
- Trusts between domains within a tree are bi-directional (transitive)
- Trusts in a forest are established in one direction at a time; NOT automatically transitive
- Set all trusts in the forest explicitly

Conclusion
- Active Directory is a very powerful tool for enhancing administration and security
- Understanding the basic logical & physical structure is fundamental
- Planning & deployment requires work but is not as overwhelming as press reports suggest

Further Information
- Contact Robert Williams
- References by Robert Williams, forthcoming 2002
© Copyright Robert Williams 2002