Active Directory Lecture 3 – Domain Services Primer

Learning Goals I will be able to install a functionally operable domain server for a Windows Active Directory Domain I will be able to organize a Windows Domain to maximize logical design and Security I will be able to distinguish between different types of Domain Objects

What is AD A directory server – a common place for information about groups, people, workstations and security to reside One ring to rule them all – The borg collective – Once joined to the domain one trusts the domain and all the security settings that goes with it.

Why do we care? Single most effective tool for managing security in a distributed environment If setup correctly can control users, servers, workstations and audit everything

Evolution of AD Windows NT 4 Windows 2000 – Domain Services – DNS Windows 2003 – Internet Integration Windows 2008 – Federated Management and Sharing Windows 2012 – The clouds are coming!

Standards Like the OSI model, AD is built on standards X.500 LDAP Compatable

Understanding Domains Single Domain One spot for a organization Container for user and company records Trees including domains and sub domains organize different parts of the company together

Some Rules Domains are designed to be built around internet names – DNS is an important part of Active Directory Public namespace names should be avoided unless you actually own the domain name – otherwise name resolution problems will crop up DNS Management – Either create a new subdomain for AD (ad.company.com) and let AD run it. Or create a new DNS name and let AD run it.

AD Authentication Modes NTLM – Legacy system which included hashes of passwords being sent over the network Kerberos – No sending of hashes over the network Because of it’s ability to send usernames and passwords quickly, in a central store and securely AD becomes the favorite of any single sign on container

LDAP Naming Convention Logical Flow

Trusting Relationships Explicit Trust - Works between domains to create trust between the two Partners – External Entities Different organizations within the same forest

Shortcut Trusts

OU’s Units for Organizing Users and Objects in the Domain Security Organization Can create OU’s inside OU’s

Some More Rules OU’s should not follow a managerial or political structure of the organization. Organize for the user separation for top level departments Organize between different types of Objects (Computers, Servers and Users)

Groups Groups are created to manage security on a specific level Used for assigning permissions or distributing information (exchange groups) Enterprises will have a TON of these – unrealistic for IT to manage Managers organize via political levels IT manages for permissions Managed Groups vs Standard Groups

Domain Controllers Domain Controllers Control the Domain – When a domain is created a database is installed that contains all the information about objects in the domain This database is replaced to all domain controllers inside the domain Domain controllers should be placed in physical locations of the same domain Remember to follow WAN Segments When the database is changed on one domain controller the changes are replicated on the other DC’s For security you may wish to install a domain controller as a “read only” domain controller. This would allow associated applications to read information without being able to make changes