Course 6419A
Module 5: Configuring Active Directory Objects and Trusts

Presentation: 90 minutes
Lab: 30 minutes

After completing this module, students will be able to delegate Active Directory administration tasks. Students will also be able to configure trusts between domains in a multi-forest environment.

Required materials
To teach this module, you need the Microsoft Office PowerPoint® file 6419A_05.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.
Module Overview
Delegate Administrative Access to Active Directory® Objects
Configure Active Directory Trusts

Most of the content in the module will be review for students with basic network knowledge. Change the depth of your coverage to match student interest and knowledge. For example, if students are unfamiliar with a particular area, spend more time on it.
Active Directory Object Permissions
Can be allowed, implicitly denied, or explicitly denied
Can be set at the object level, or inherited from the parent object
Include standard permissions and special permissions
Standard permissions are the most frequently assigned permissions
Special permissions provide a finer degree of control for assigning access to objects

Consider opening Active Directory Users and Computers and viewing the permissions that are set on an organizational unit (OU). Show the list of standard permissions, and then show how to access the special permissions. Discuss the difference between allowing access and implicitly versus explicitly denying access. To implicitly deny access, you simply do not allow any access. To explicitly deny access, you select the Deny check box. Stress that explicitly denied permissions always override allowed permissions.

Question: What are the risks with using special permissions to assign AD DS permissions?
Answer: The primary risk is that because special permissions can be so detailed, you may forget that certain permissions are applied until an administrator cannot perform some action that they should be able to perform. If you are going to use special permissions, you must ensure that you document the permissions very carefully.

Question: What permissions would a user have on an object if you granted them Full Control permission and denied the user Write access?
Answer: The user would have read-only access. They could view all of the attributes for the object, but could not change any.

References
For more information on access control, see Access control in Active Directory at http://go.microsoft.com/fwlink/?LinkId=101070
For more information on Active Directory objects, see Assign, change, or remove permissions on Active Directory objects or attributes at http://go.microsoft.com/fwlink/?LinkId=101071
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group
Permissions are cumulative, including permissions assigned to the user account and the group account
Explicit deny permissions override inherited allow permissions
Explicit allow permissions override inherited deny permissions
Use the Effective Permissions tool to view effective permissions
Special identities are not used when using the Effective Permissions tab to view special permissions
The Effective Permissions tool does not take into account share permissions

Describe how effective permissions work. Consider drawing a diagram of an OU structure to describe how effective permissions can come from several different sources, depending on inherited permissions and permissions assigned to groups and user accounts. Consider accessing the Effective Permissions tool, and then showing the effective permissions for groups or users on an OU.

Question: When retrieving effective permissions, accurate retrieval of information requires permission to read the membership information. If the specified user or group is a domain object, what type of permissions does a domain administrator need to have to read the object's group information on the domain? What about a local administrator and an authenticated domain user?
Answer: Domain administrators have permission to read membership information on all objects. Local administrators on a workstation or stand-alone server cannot read membership information for a domain user. Authenticated domain users can only read membership information when the domain is in pre-Windows 2000 compatibility mode.

Reference
For more information on the Effective Permissions tool, see Effective Permissions tool at http://go.microsoft.com/fwlink/?LinkId=101072
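The two slides above describe allow, explicit deny, inherited and special (object-specific) permissions in terms of the Effective Permissions tab; the following added example (not part of the course materials) reads the same information from an OU's DACL with the ActiveDirectory module's AD: drive, so the instructor can show where each entry comes from. It assumes the module is installed and that the OU DN at the bottom is replaced with one from the lab.

```powershell
# Added example, not from the course materials. Assumes the ActiveDirectory
# module (RSAT) with its AD: drive; the OU DN at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-AdObjectTypeMap {
    # Map GUID -> name for schema classes/attributes and for control access
    # rights (Extended-Rights container), so object-specific ACEs are readable.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object {
            $g = New-Object -TypeName Guid -ArgumentList (,[byte[]]$_.schemaIDGUID)
            $map[$g.ToString()] = $_.lDAPDisplayName
        }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Get-OuPermissionReport {
    param([Parameter(Mandatory)][string]$OuDn)
    $typeMap = Get-AdObjectTypeMap
    $empty   = [guid]::Empty
    $acl     = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        # A non-empty ObjectType or InheritedObjectType marks a special
        # (object-specific) permission; an all-zero GUID means the whole object.
        $scope = if ($ace.ObjectType -ne $empty) { $typeMap[$ace.ObjectType.ToString()] } else { '(all)' }
        $appliesTo = if ($ace.InheritedObjectType -ne $empty) {
            $typeMap[$ace.InheritedObjectType.ToString()] } else { '(this object and descendants)' }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Explicit  = -not $ace.IsInherited    # explicit entries override inherited ones
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            AppliesTo = $appliesTo
        }
    }
}

$report = Get-OuPermissionReport -OuDn 'OU=Sales,DC=contoso,DC=com'
# Explicit Deny entries are the ones an administrator is most likely to have
# forgotten about, so list them first, then the full DACL.
$report | Where-Object { $_.Type -eq 'Deny' -and $_.Explicit } | Format-Table -AutoSize
$report | Sort-Object Identity | Format-Table -AutoSize
```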
What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group
Delegated administration:
Eases administration by distributing routine administrative tasks
Provides users or groups more control over local network resources
Eliminates the need for multiple administrative accounts

(Slide diagram: a Domain containing OU1, OU2 and OU3, with Admin1, Admin2 and Admin3 delegated control)

Describe what delegation of control is. Then discuss the variety of options that are available when delegating control. Point out that you can delegate control at the OU or the domain level.
The Delegation of Control Wizard
Use the Delegation of Control Wizard to:
Automatically assign appropriate permissions to users and groups
Specify the user or group to which you want to delegate control
Specify the OUs and objects that you want to grant the user or group permission to control
Specify the tasks that you want the user or group to be able to perform
Modifying the Delegation of Control Wizard:
The list of common tasks in the wizard is controlled by templates in the delegwiz.inf file
You can change the list of common tasks by modifying the delegwiz.inf file to include other templates

Review the Delegation of Control Wizard and describe its uses. Mention how the tool is driven by the customizable delegwiz.inf file.
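Each common task in the wizard is just a set of object-specific ACEs written to the OU; the following added example (not part of the course materials) performs the equivalent of the "Reset user passwords and force password change at next logon" task in PowerShell, which is useful for showing students what the wizard actually writes. It assumes the ActiveDirectory module and its AD: drive, and the HelpDesk group and Sales OU are placeholders.

```powershell
# Added example, not from the course materials: the same delegation that the
# wizard's "Reset user passwords and force password change at next logon" task
# grants, written as two object-specific ACEs on descendant user objects of one OU.
# Assumes the ActiveDirectory module and its AD: drive; group and OU are placeholders.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve class/attribute GUIDs from the schema instead of hardcoding them
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return New-Object -TypeName Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # Control access rights live in the configuration partition's Extended-Rights container
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

function Grant-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$GroupSam)
    $sid       = (Get-ADGroup $GroupSam).SID
    $userClass = Get-SchemaGuid 'user'
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProp    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # ACE 1: the "Reset Password" control access right, on user objects below the OU only
    $resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $extRight, $allow, (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass
    # ACE 2: read/write pwdLastSet so the delegate can force a change at next logon
    $pwdAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $rwProp, $allow, (Get-SchemaGuid 'pwdLastSet'), $inherit, $userClass

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($resetAce)
    $acl.AddAccessRule($pwdAce)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Grant-PasswordResetDelegation -OuDn 'OU=Sales,DC=contoso,DC=com' -GroupSam 'HelpDesk'
```

Because the ACEs are scoped to the user class, the group gains nothing on groups, computers or the OU itself, which is the point of preferring object-specific delegation over Full Control on the OU.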
What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources in another domain
Trust characteristics:
Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains
Trust direction – the trust direction defines the account domain and the resource domain
Authentication protocol – the protocol that you use to establish and maintain the trust

Define what a trust is. Stress that a trust by itself does not provide access to resources in another domain. All the trust does is make it possible for users to use their credentials in one domain to access another domain’s resources. An administrator in the trusting domain must still add the user or group from the trusted domain to the DACL on the shared resource. Then define transitivity and trust direction. Consider using a diagram to illustrate the concepts of trusted and trusting domains.

Question: What does a trust existing between two domains provide?
Answer: Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.
AD DS Trust Options

(Slide diagram: Forest 1, containing the forest root and Domains A, B, C, D, E and F; Forest 2, containing Domains P and Q; and a Kerberos Realm. The diagram labels the Parent/Child, Tree/Root, Shortcut, External and Realm trusts between them.)

Use the diagram on the slide to discuss the different types of trusts. Most are easy to understand, but you may need to explain why an organization would implement shortcut trusts and realm trusts.

Using the New Trust Wizard, you manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT domain, or a Windows 2000 domain or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm (for example, Novell).

Question: If you were going to configure a trust between a Microsoft® Windows Server® 2008 domain and a Microsoft® Windows® NT 4.0 domain, what type of trust would you configure?
Answer: You would have to configure an external trust.

Question: If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources?
Answer: One option would be to allow anonymous access to the resources. For example, you could store the data on a Microsoft® Windows SharePoint® Services site and enable anonymous access to the SharePoint site. Another option is to create user accounts in the domain where the resources exist for another domain’s users that need to access the resources. When the users try to access the resource, they will need to enter the credentials from the target domain.

Reference
For more information on managing trusts, see Managing Trusts in Active Directory Domains and Trusts Help.
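The trust characteristics from the previous two slides (type, direction, transitivity) are stored on each domain's trustedDomain objects; the following added example (not part of the course materials) decodes them into a report that can be compared against the slide diagram, and then runs the verify step the course later recommends. It assumes the ActiveDirectory module and netdom.exe; the bit values are the documented trustType, trustDirection and trustAttributes encodings.

```powershell
# Added example, not from the course materials: enumerate this domain's trusts
# from their trustedDomain objects and decode type, direction and transitivity.
# Assumes the ActiveDirectory module and netdom.exe; bit values are the
# documented trustType / trustDirection / trustAttributes encodings.
Import-Module ActiveDirectory

function ConvertFrom-TrustObject {
    param([Parameter(Mandatory)]$Trust)   # one trustedDomain object
    $attr = [int]$Trust.trustAttributes
    # trustType: 1 = down-level (Windows NT), 2 = up-level (AD DS), 3 = Kerberos realm
    $type = switch ([int]$Trust.trustType) { 1 {'External (Windows NT)'} 2 {'AD DS'} 3 {'Realm'} default {'Unknown'} }
    # trustDirection, as stored on this domain's copy of the trust object
    $dir  = switch ([int]$Trust.trustDirection) { 1 {'Inbound'} 2 {'Outbound'} 3 {'Two-way'} default {'Disabled'} }
    [pscustomobject]@{
        Partner       = $Trust.trustPartner
        Type          = $type
        Direction     = $dir
        # 0x1 NON_TRANSITIVE (external/realm), 0x8 FOREST_TRANSITIVE; parent/child
        # and tree-root trusts inside a forest carry neither bit and are transitive
        Transitive    = -not ($attr -band 0x1)
        ForestTrust   = [bool]($attr -band 0x8)
        SelectiveAuth = [bool]($attr -band 0x10)   # 0x10 CROSS_ORGANIZATION
    }
}

function Get-DomainTrustReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $system = "CN=System,$((Get-ADDomain -Identity $Domain).DistinguishedName)"
    Get-ADObject -Server $Domain -SearchBase $system -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustAttributes, trustDirection, trustType |
        ForEach-Object { ConvertFrom-TrustObject -Trust $_ }
}

$local  = (Get-ADDomain).DNSRoot
$trusts = Get-DomainTrustReport -Domain $local
$trusts | Format-Table -AutoSize

# A two-way forest trust that still uses domain-wide authentication lets every
# account in the partner forest be granted access to every computer here; flag those.
$trusts | Where-Object { $_.ForestTrust -and $_.Direction -eq 'Two-way' -and -not $_.SelectiveAuth } |
    ForEach-Object { "Forest trust with $($_.Partner) uses domain-wide authentication" }

# Confirm each trust's secure channel still works (the course's "reset and verify" remedy)
foreach ($t in $trusts) { netdom trust $local /d:$($t.Partner) /verify }
```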
How Trusts Work Within a Forest

(Slide diagram: Forest Root Domain; Tree One with Tree Root Domain, Domain 1, Domain 2 and Domain A; Tree Two with Domain B and Domain C)

Stress that within a forest, the Kerberos version 5 authentication protocol is used to maintain all trusts, and all authentication and resource access between domains. Describe what happens when a user tries to access a resource in a different domain in the forest. In this case, the Kerberos version 5 protocol travels the trust path to obtain a referral to the target domain’s domain controller. The target domain controller issues a service ticket for the requested service. The trust path is the shortest path in the trust hierarchy.

When the user in the trusted domain attempts to access the resource in the other domain, the user’s computer first contacts a domain controller in its own domain to get authentication to the resource. If the resource is not in the user’s domain, the domain controller uses the trust relationship with its parent, and refers the user’s computer to a domain controller in its parent domain. This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource exists.

Question: In this slide, what type of trust do Domain B and Domain C have in this forest? What are the limitations?
Answer: Domain B and Domain C have a one-way trust: Domain B can access Domain C, but Domain C cannot directly access Domain B.

Reference
For more information on managing trusts, see Managing Trusts in Active Directory Domains and Trusts Help.
How Trusts Work Between Forests

(Slide diagram: Forest 1, WoodgroveBank.com with child domain EMEA.WoodgroveBank.com (Vancouver) and a global catalog; Forest 2, contoso.com with child domain NA.Contoso.com (Seattle) and a global catalog; a forest trust between the two forests; the steps below are numbered 1 through 9 on the diagram)

Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource. The following is a description of how a Microsoft® Windows® XP Professional or Microsoft® Windows Vista® Professional client computer locates and accesses a resource in another forest that has Windows Server 2008 servers.

The procedure depicted in this slide includes the following steps:
1. A user logs on to a workstation using credentials from the EMEA.WoodgroveBank.com domain. The user then attempts to access a shared resource on a file server located in the NA.Contoso.com forest.
2. The workstation contacts a domain controller in its domain (EMEA.WoodgroveBank.com) and requests access to the file server.
3. The domain controller queries the global catalog for information about this file server.
4. The domain controller sends a referral for its parent domain back to the workstation.
5. The workstation contacts a domain controller in WoodgroveBank.com (its parent domain) for a referral to a domain controller in the forest root domain of the contoso.com forest.
6. The workstation contacts a domain controller in the contoso.com forest for a service ticket to the requested service.
7. The domain controller in contoso.com contacts its global catalog to find information about the requested resource, and the global catalog finds a match and sends it back to the domain controller in contoso.com.
8. The domain controller in contoso.com then sends the referral to NA.Contoso.com back to the workstation.
9. The workstation contacts the domain controller in NA.Contoso.com and negotiates the ticket to gain access to the file server.
Now that the workstation has a service ticket, it sends the service ticket to the file server, which reads the user’s security credentials and constructs an access token accordingly.

Question: Why would clients not be able to access resources in a domain outside the forest?
Answer: This can occur if there is a failure on the external trust between the domains, and can be resolved by resetting and verifying the trust between the domains.

Reference
For more information on domains and forests, see How Domains and Forests Work at http://go.microsoft.com/fwlink/?LinkId=101073
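The trust path walked in the two slides above leaves a trace on the workstation: one cross-realm ticket-granting ticket (krbtgt/<next realm>) per hop, followed by the service ticket. The following added example (not part of the course materials) parses klist output into that path, so the referral chain can be shown to students after the demonstration. It assumes klist.exe (Windows Vista and Windows Server 2008 or later); the sample ticket list is constructed for the slide's names, not captured from a real workstation.

```powershell
# Added example, not from the course materials. Assumes klist.exe (Windows Vista /
# Server 2008 and later); the sample ticket list below is constructed for the
# slide's names, not captured from a real workstation.

function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # klist prints "Server: <spn> @ <issuing realm>" for every cached ticket
    foreach ($line in $Lines) {
        if ($line -match 'Server:\s*(?<spn>\S+)\s*@\s*(?<realm>\S+)') {
            $spn    = $Matches.spn
            $realm  = $Matches.realm
            $isTgt  = $spn -like 'krbtgt/*'
            $target = if ($isTgt) { $spn.Split('/')[1] } else { $null }
            [pscustomobject]@{
                Spn         = $spn
                IssuedBy    = $realm
                TargetRealm = $target
                # krbtgt/<OTHER> issued by <realm> is a referral TGT for the next hop
                IsReferral  = $isTgt -and ($target -ne $realm)
            }
        }
    }
}

function Get-TrustPath {
    # Follow referral TGTs from the logon realm, issuer to target, hop by hop
    param([Parameter(Mandatory)][string[]]$KlistLines)
    $tickets = ConvertFrom-KlistOutput -Lines $KlistLines
    $start   = $tickets | Where-Object { $_.TargetRealm -and -not $_.IsReferral } | Select-Object -First 1
    $path    = @()
    $hop     = $start.IssuedBy
    while ($hop) {
        $path += $hop
        $next = $tickets | Where-Object { $_.IsReferral -and $_.IssuedBy -eq $hop } | Select-Object -First 1
        $hop  = $next.TargetRealm
    }
    return ($path -join ' -> ')
}

# Constructed sample: a user from EMEA.WoodgroveBank.com who has just opened a
# share on a file server in NA.Contoso.com, as in the slide's nine steps.
$sample = @'
#0> Client: alice @ EMEA.WOODGROVEBANK.COM
    Server: krbtgt/EMEA.WOODGROVEBANK.COM @ EMEA.WOODGROVEBANK.COM
#1> Client: alice @ EMEA.WOODGROVEBANK.COM
    Server: krbtgt/WOODGROVEBANK.COM @ EMEA.WOODGROVEBANK.COM
#2> Client: alice @ EMEA.WOODGROVEBANK.COM
    Server: krbtgt/CONTOSO.COM @ WOODGROVEBANK.COM
#3> Client: alice @ EMEA.WOODGROVEBANK.COM
    Server: krbtgt/NA.CONTOSO.COM @ CONTOSO.COM
#4> Client: alice @ EMEA.WOODGROVEBANK.COM
    Server: cifs/fs01.na.contoso.com @ NA.CONTOSO.COM
'@ -split "`r?`n"

Get-TrustPath -KlistLines $sample
# On a live workstation, after accessing the remote share: Get-TrustPath -KlistLines (klist)
```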
What Are User Principal Names?
A UPN is a logon name that includes the user logon name and a domain suffix
The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name
Additional UPN domain suffixes can be added
UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
You can manually enable or disable name suffix routing across trusts

Discuss how User Principal Names (UPNs) can simplify the user experience. Normally, the only restriction on UPN names is that all names must be unique in the forest. However, when you configure a trust between forests, the UPN suffixes in both forests must be unique. By default, when you configure a forest trust, all UPN suffixes are routed. In other words, users can log on to their home domain from a computer in the other forest by using their UPN. However, if both forests have the same UPN suffix, users will not be able to use the UPN name with that suffix when logging on to a computer in a different forest. UPN name suffix routing errors are identified when you configure forest trusts. For example, assume that you want to establish a two-way forest trust between the contoso.com forest and the fabrikam.com forest. Both contoso.com and fabrikam.com have the same UPN suffix: nwtraders.com. When you create the two-way forest trust, the New Trust Wizard detects and displays the conflict between the two UPN name suffixes.

Question: Provide several scenarios where UPNs would be useful.
Answer: Students’ answers will vary, and the student response should indicate that they understand how UPNs simplify the user experience. For example, an organization with multiple domains may choose to use the forest root domain as the UPN suffix for all users. Another example is an organization that uses Simple Mail Transfer Protocol (SMTP) addresses for e-mail that are different from the domain name; administrators may choose to add the SMTP domain address as a UPN suffix so that the user’s e-mail address can also be their logon name.

Reference
For more information on Active Directory naming, see Active Directory naming at http://go.microsoft.com/fwlink/?LinkId=101074
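The New Trust Wizard's conflict check described above can be run before the trust is created; the following added example (not part of the course materials) compares the name suffixes registered in two forests and reports the ones that would not be routable. It assumes the ActiveDirectory module; the contoso.com and fabrikam.com forest descriptions are constructed to match the course example, and the last line shows the same check against live forests, which requires that the partner forest can be queried with Get-ADForest.

```powershell
# Added example, not from the course materials. Assumes the ActiveDirectory module;
# the two forest descriptions are constructed to match the course example.
Import-Module ActiveDirectory

function Get-ForestNameSuffixes {
    param([Parameter(Mandatory)]$Forest)   # shape of Get-ADForest output
    # Every domain DNS name in a forest is an implicit UPN suffix; explicitly
    # added suffixes are surfaced by Get-ADForest as UPNSuffixes.
    $all = @($Forest.Domains) + @($Forest.UPNSuffixes)
    $all | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Find-UpnSuffixConflicts {
    param([Parameter(Mandatory)]$LocalForest, [Parameter(Mandatory)]$PartnerForest)
    $local   = Get-ForestNameSuffixes -Forest $LocalForest
    $partner = Get-ForestNameSuffixes -Forest $PartnerForest
    foreach ($suffix in $local) {
        if ($partner -contains $suffix) {
            [pscustomobject]@{
                Suffix   = $suffix
                Routable = $false   # routing is disabled for a suffix found in both forests
                Reason   = "registered in both $($LocalForest.Name) and $($PartnerForest.Name)"
            }
        }
    }
}

# Constructed forest descriptions: both forests use nwtraders.com as an extra UPN suffix
$contoso  = [pscustomobject]@{ Name = 'contoso.com';  Domains = @('contoso.com', 'na.contoso.com'); UPNSuffixes = @('nwtraders.com') }
$fabrikam = [pscustomobject]@{ Name = 'fabrikam.com'; Domains = @('fabrikam.com');                  UPNSuffixes = @('nwtraders.com', 'mail.fabrikam.com') }
Find-UpnSuffixConflicts -LocalForest $contoso -PartnerForest $fabrikam | Format-Table -AutoSize

# Against live forests (the partner forest must be reachable with the supplied credential):
# Find-UpnSuffixConflicts -LocalForest (Get-ADForest) -PartnerForest (Get-ADForest -Identity 'fabrikam.com' -Credential (Get-Credential))
```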
What Are the Selective Authentication Settings?
Selective authentication:
Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
Is configured on the security descriptor of the computer object located in AD DS
To configure selective authentication:
Configure the forest or external trust to use selective rather than domain-wide authentication
Configure the computer accounts for selective authentication

Selective authentication is a security setting that you can set on inter-forest trusts. Normally, when you configure a forest or external trust, all user accounts in the trusted forest or domain can be granted access to all computers in the trusting domain. With selective authentication, you can limit which computers the users in the other domain can access, and which users in the other domain can access the computer. To enable selective authentication on forest trusts, the trusting forest in which shared resources are located must have the forest functional level set to Windows Server 2003. To enable selective authentication on external trusts, the trusting domain in which shared resources are located must have the domain functional level set to Windows 2000 native.

Configuring selective authentication requires two steps:
Configure the forest or external trust to use selective rather than domain-wide authentication. You can do this when you first create the trust, or you can modify an existing trust.
Configure the computer accounts for selective authentication. After creating the cross-forest trust, you can grant selected accounts from the other forest access by using the Allowed to Authenticate permission on computer accounts in the resource forest. Accounts that do not have this permission will not be able to connect and authenticate to those computers.

Question: Provide a scenario where it would be appropriate to enable selective authentication.
Answer: Students’ answers will vary, and the student response should indicate that they understand the security that selective authentication provides.

References
For more information on enabling selective authentication, see Enable selective authentication over a forest trust at http://go.microsoft.com/fwlink/?LinkId=101075
For more information on granting authentication permissions, see Grant the Allowed to Authenticate permission on computers in the trusting domain or forest at http://go.microsoft.com/fwlink/?LinkId=101076
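The two-step procedure above, as an added example (not part of the course materials): it checks that step 1 is done (the forest trust is in selective mode) through the System.DirectoryServices.ActiveDirectory.Forest class, then performs step 2 by granting the Allowed to Authenticate control access right on one computer account to a group from the trusted forest, and finally audits who holds that right. It assumes the ActiveDirectory module; the FS01 computer, the FABRIKAM\Finance group and the fabrikam.com forest are lab placeholders.

```powershell
# Added example, not from the course materials. Assumes the ActiveDirectory module;
# computer, group and forest names are lab placeholders.
Import-Module ActiveDirectory
# rightsGuid of the Allowed-To-Authenticate control access right in the AD schema
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-SelectiveAuthenticationTrust {
    # Step 1 check: is the trust with the partner forest in selective mode?
    param([Parameter(Mandatory)][string]$PartnerForest)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return $forest.GetSelectiveAuthenticationStatus($PartnerForest)
}

function Grant-AllowedToAuthenticate {
    # Step 2: one object-specific Allow ACE on the computer object in the resource forest
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$ForeignGroup,   # 'FABRIKAM\Finance' style
          [Parameter(Mandatory)][string]$PartnerForest)
    if (-not (Test-SelectiveAuthenticationTrust -PartnerForest $PartnerForest)) {
        throw "Trust with $PartnerForest is domain-wide; switch it to selective authentication first"
    }
    $computerDn = (Get-ADComputer $ComputerName).DistinguishedName
    $identity   = New-Object System.Security.Principal.NTAccount($ForeignGroup)
    $rights     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $identity, $rights, $allow, $AllowedToAuthenticate
    $acl = Get-Acl -Path "AD:\$computerDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$computerDn" -AclObject $acl
}

function Get-AllowedToAuthenticateGrants {
    # Audit: every principal holding the right; an unexpected entry widens who
    # from the trusted forest can authenticate to this computer
    param([Parameter(Mandatory)][string]$ComputerName)
    $computerDn = (Get-ADComputer $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$computerDn").Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

Grant-AllowedToAuthenticate -ComputerName 'FS01' -ForeignGroup 'FABRIKAM\Finance' -PartnerForest 'fabrikam.com'
Get-AllowedToAuthenticateGrants -ComputerName 'FS01'
```

Accounts from fabrikam.com that are not in the granted group still authenticate in their own forest, but the trusting domain's domain controllers refuse them a service ticket for FS01, which is the limit the slide describes.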