Chapter 4: Planning the Active Directory and Security

Learning Objectives
- Explain the contents of the Active Directory
- Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
- Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security

Learning Objectives (continued)
- Plan how to use groups, group policies, and security templates
- Plan IP security measures

Windows NT Domain Structure
- The Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
- One primary domain controller (PDC) has the master copy of the SAM
- One or more backup domain controllers (BDCs) have backup copies of the SAM

Using a PDC, BDCs, and the SAM Database
[Figure 4-1: Windows NT SAM architecture]

Windows 2000 Active Directory
- Domain objects, including user accounts, computers, servers, printers, groups, security policies, domains, and other objects, compose the Active Directory

Active Directory Objects
[Figure 4-2: Domain objects in the Active Directory]

Multimaster Replication
- Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC is a master in its own right, replication does not stop when one DC is down.

Multimaster Architecture
[Figure 4-3: Windows 2000 Active Directory architecture]

Schema
- Schema: The elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

Example Schema Characteristics of the User Account Class
- Unique object name
- Globally unique identifier (GUID) associated with each object name
- Required attributes
- Optional attributes
- Syntax of how attributes are defined
- Pointers to parent entities

Example User Account Attributes
- Username
- User's full name
- Password

Schema Example
[Figure 4-4: Sample schema information for user accounts]

Default Object Classes
- Domain
- User account
- Group
- Shared drive
- Shared folder
- Computer
- Printer

Object Naming
- Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer
- Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name

Object Naming (continued)
- Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user

Namespace
- Namespace: A logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution

Types of Namespaces
- Contiguous namespace: A namespace in which every child object contains the name of its parent object
- Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object

Active Directory Elements
- Domains
- Organizational units (OUs)
- Trees
- Forests
- Sites

Active Directory Architecture
[Figure 4-5: Active Directory hierarchical containers]

Functions of a Domain
- Provide a security boundary for objects in a common relationship
- Establish a set of data to be replicated among DCs
- Expedite management of a set of objects

Using a Single Domain
[Figure 4-6: Single domain]

Using Multiple Domains
[Figure 4-7: Using multiple domains]

Domain Creation Dos and Don'ts

Domain Creation Dos and Don'ts (continued)

Functions of an OU
- Group related objects, such as user accounts and printers, for easier management
- Reflect the structure of an organization
- Group objects to be administered using the same group policies

Using OUs to Reflect Organizational Structure
[Figure 4-8: OUs used to reflect the divisional structure of a company]

Design Tips for Using OUs
- Limit OUs to 10 levels or fewer
- OUs use fewer CPU resources when they are set up horizontally instead of vertically
- Each request through an OU level requires CPU time in a search
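As an added example (not from the textbook slides), a Python parser for the CN/DN/RDN naming described under Object Naming, with a check against the 10-level OU guideline from the design tips above; the sample DN and the example.com domain are constructed for the illustration.

```python
"""Added example (not from the slides): parse an Active Directory
distinguished name (DN) into its relative distinguished names (RDNs),
then check the OU nesting depth against the chapter's 10-level guideline."""
import re
from typing import List, Tuple

# Constructed sample DN; the domain example.com is fictional.
SAMPLE_DN = "CN=Mary Gardner,OU=Payroll,OU=Finance,DC=example,DC=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, ordered leaf first.

    A comma inside a value is escaped as "\\," (RFC 4514), so the split
    happens only at commas that are not preceded by a backslash.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def common_name(dn: str) -> str:
    """The CN is the leaf (leftmost) RDN of a user, computer or printer."""
    attr, value = parse_dn(dn)[0]
    if attr != "CN":
        raise ValueError("DN does not start with a common name")
    return value


def ou_path(dn: str) -> List[str]:
    """OU containers from the top level down to the one holding the object."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]


def dns_domain(dn: str) -> str:
    """The DC components, read left to right, form the domain's DNS name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def ou_depth_ok(dn: str, max_levels: int = 10) -> bool:
    """True when the object sits no deeper than max_levels OUs (design tip)."""
    return len(ou_path(dn)) <= max_levels


if __name__ == "__main__":
    print(common_name(SAMPLE_DN))          # Mary Gardner
    print(" / ".join(ou_path(SAMPLE_DN)))  # Finance / Payroll
    print(dns_domain(SAMPLE_DN))           # example.com
    print(ou_depth_ok(SAMPLE_DN))          # True
```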

OU Creation Dos and Don'ts

OU Creation Dos and Don'ts (continued)

Characteristics of a Tree
- Member domains are in a contiguous namespace
- Member domains can compose a hierarchy
- Member domains use the same schema for common objects
- Member domains use the same global catalog

Global Catalog
- Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

Global Catalog Functions
- Authenticating users
- Providing lookup and access to resources in all domains
- Providing replication of key Active Directory elements
- Keeping a copy of the most frequently used attributes for all objects

Hierarchical Domains in a Tree
[Figure 4-9: Tree with hierarchical domains]

Kerberos Transitive Trust
- Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used

Trusted and Trusting Domains
- Trusted domain: A domain that has been granted security access to resources in another domain
- Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers

Tree Creation Dos and Don'ts

Tree Creation Dos and Don'ts (continued)

Planning Tip
- Make sure each tree has at least one DC that is also configured as a global catalog
- Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

Characteristics of a Forest
- Member trees use a disjointed namespace (but contiguous namespaces within trees)
- Member trees use the same schema
- Member trees use the same global catalog

Single Forest
- Single forest: An Active Directory model in which there is only one forest, with interconnected trees and domains that use the same schema and global catalog

Single Forest Architecture
[Figure 4-10: A forest]

Separate Forest
- Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

Separate Forest Architecture
[Figure 4-11: Separate forest model]

Forest Creation Dos and Don'ts

Forest Creation Dos and Don'ts (continued)

Design Tip
- When you create a separate forest structure, remember that:
  - Replication cannot take place between forests
  - The forests use different schema and global catalogs
  - The forests cannot be easily blended into a single forest in the future

Site
- Site: An option in the Active Directory that interconnects IP subnets so that the Active Directory can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

Characteristics of a Site
- Reflects one or more interconnected subnets (512 Kbps or faster)
- Reflects the same boundaries as the LAN
- Used for DC replication
- Enables clients to access the closest DC
- Composed of servers and configuration objects

Site Links
- Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
- Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links

Site Link Architecture
[Figure 4-12: Site link bridge]

Site Creation Dos and Don'ts

Site Creation Dos and Don'ts (continued)

Design Tip
- Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
- Use sites to enhance network performance by optimizing authentication and replication

Active Directory Guidelines
- Keep the Active Directory implementation as simple as possible
- Implement the least number of domains possible
- Implement only one domain on most small networks
- Use OUs to reflect the organizational structure (instead of using domains for this purpose)

Active Directory Guidelines (continued)
- Create only the number of OUs that are necessary
- Do not create OUs more than 10 levels deep
- Use domains for natural security boundaries
- Implement trees and forests only as necessary

Active Directory Guidelines (continued)
- Use trees for domains that have a contiguous namespace
- Use forests for multiple trees that have disjointed namespaces between them
- Use sites in situations where there are multiple IP subnets and geographic locations to improve performance

Basic Types of Active Directory Security
- Account or interactive logon security
- Object security
- Services security

Interactive Logon Security
- The DC checks that the user account is in the Active Directory
- The DC verifies the exact user account name and password

Object Security
- Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
- Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer

Typical ACL Types of Information
- User account(s) that can access an object
- Permissions that determine the type of access
- Ownership of the object

Typical Object Permissions
- Deny: No access to the object
- Read: Access to view or read the object's contents
- Write: Permission to change the object's contents or properties
- Delete: Permission to remove an object
- Create: Permission to add an object
- Full Control: Permission for nearly any activity

Example Special Permissions
[Figure 4-13: Special permissions for a folder]

Troubleshooting Tip
- The Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the Deny permissions associated with that user's account
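As an added example (not from the textbook slides), a simplified Python model of the object security described in the last few slides: an ACL of security descriptors for the Databases folder, effective permissions for the MGardner account, and a helper that lists the Deny entries the troubleshooting tip says to check. The ACL contents and group memberships are constructed, and the evaluation rule is the slide's "Deny supersedes", not the full Windows ACE ordering.

```python
"""Added example (not from the slides): a simplified model of ACL
evaluation for a Windows 2000 object, showing why a Deny entry
supersedes Allow entries and how to find the entry responsible."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Permission names from the chapter; Full Control stands for all of them.
PERMISSIONS = frozenset({"Read", "Write", "Delete", "Create"})


@dataclass(frozen=True)
class Ace:
    """One security descriptor: a principal, allow or deny, and permissions."""
    principal: str            # user account or group name
    kind: str                 # "allow" or "deny"
    permissions: FrozenSet[str]

    def expanded(self) -> FrozenSet[str]:
        return PERMISSIONS if "Full Control" in self.permissions else self.permissions


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)


def effective_permissions(acl: List[Ace], user: User) -> Set[str]:
    """Union of allows for the user and its groups, minus every matching deny.

    Real Windows orders deny ACEs ahead of allow ACEs and stops at the first
    decision; this model captures the slide's rule that Deny wins a conflict.
    """
    identities = {user.name} | user.groups
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.principal not in identities:
            continue
        (denied if ace.kind == "deny" else allowed).update(ace.expanded())
    return allowed - denied


def applicable_denies(acl: List[Ace], user: User) -> List[Tuple[str, FrozenSet[str]]]:
    """Troubleshooting aid: the deny entries that reach this user via any identity."""
    identities = {user.name} | user.groups
    return [(a.principal, a.expanded()) for a in acl
            if a.kind == "deny" and a.principal in identities]


# Constructed ACL for the shared folder "Databases" from the chapter's example.
DATABASES_ACL = [
    Ace("Domain Users", "allow", frozenset({"Read"})),
    Ace("Finance", "allow", frozenset({"Read", "Write", "Create"})),
    Ace("Contractors", "deny", frozenset({"Write", "Delete"})),
    Ace("Domain Admins", "allow", frozenset({"Full Control"})),
]
MGARDNER = User("MGardner", {"Domain Users", "Finance", "Contractors"})

if __name__ == "__main__":
    print(sorted(effective_permissions(DATABASES_ACL, MGARDNER)))  # ['Create', 'Read']
    print(applicable_denies(DATABASES_ACL, MGARDNER))   # the Contractors deny entry
```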

Services Security
- Windows 2000 enables you to set up security on individual services, such as DHCP

Setting Services Security
[Figure 4-14: DHCP security]

Using Groups
- Set up security groups of user accounts as a way to manage security more easily

Setting Up Members of a Group
[Figure 4-15: DHCP Administrators group]

Group Policies
- Use group policies to manage security for local servers, OUs, and domains
- Employ security templates when you need to manage several different group policies

Example Areas Covered by Group Policies
- Account policies
- Local server and domain policies
- Event log tracking policies
- Group restrictions
- Service access security
- Registry security
- File system security

Setting Up Security Templates
[Figure 4-16: Security Templates snap-in]

IP Security
- IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)

IP Security Policies
- IP security (IPSec) can function in three roles relative to a client:
  - Client (Respond Only): the server uses IPSec only if the client requests it first
  - Server (Request Security): the server uses IPSec by default, but will stop using IPSec if the client does not support it
  - Secure Server (Require Security): the server communicates only via IPSec

Configuring IPSec
[Figure 4-17: IP Security Policy Wizard]

Troubleshooting Tip
- On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec

Chapter Summary
- Active Directory and security implementation are interrelated
- The Active Directory is a set of services for managing Windows 2000 servers
- Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources

Chapter Summary (continued)
- Use sites to configure network communications for better performance by taking advantage of existing subnets
- Groups and group policies enable you to manage security