Getting Started With Active Directory, or How to Bring Logic to Your Company's 437 Domains

Presentation transcript:

Getting Started With Active Directory, or How to Bring Logic to Your Company's 437 Domains

So Who is This Guy Anyway?
- Founder and Chief Scientist, Networks Are Our Lives, Inc!
  - Network and directory services design
  - Security
  - Network documentation
  - Systems management/monitoring deployment
- Author
  - 3 books and over 100 articles and product reviews
  - Currently with Network Computing
- Contact: Networks Are Our Lives, 1201 Hudson St., Suite 1003, Hoboken, NJ 07030; (866); WWW.NAOL.COM

Why You're Here
- Functions and applications driving the update
- Just keeping up
  - With the market
  - Or the Joneses
- Windows NT timeline
  - Next week: OEM and retail sales end
  - 1/1/ : hot-fixes cost $
  - 1/1/ : live support and hot-fixes end
  - 1/1/ : online support ends
- Easy way to get off the helpdesk for 3 days

Our Objectives
- Understand Active Directory
  - Components
  - Terminology
  - Structure
  - Features and benefits
- Identify best practices
- Implementation tips

Our Real Objective
- Make your life easier!

Assumptions
- You know:
  - Windows NT 4.0 Server
  - TCP/IP
- You don't know:
  - Active Directory
  - Group Policies
  - Etc.
- You are:
  - Planning a Windows server rollout
  - Supporting 50 to 10,000 users
  - Awake

ADS, then, is...
- An extension of, and replacement for, Windows NT domains
- The directory service included in Windows 2000
- Based on DNS, LDAP and X.500
Active Directory Services are...
- Secure
- Distributed
- Partitioned
- Replicated

Before AD
- Windows NT domains
- A typical organization had master user domains and resource domains
- Each domain needed:
  - WINS for NetBIOS names
  - DNS for Internet names
  - The browser service
  - Application and other directories
- Other vendors had true directory services:
  - Banyan StreetTalk
  - Novell NDS (eDirectory)

Why Active Directory
- Windows NT domains are limited
  - Each domain is an island
  - Trusts stink
    - Too much work to set up
    - They "rot away"
    - Large organizations need thousands of them (NT trusts are one-way and non-transitive)
  - Not scalable
  - Single-master replication
    - If the PDC is down or inaccessible, users can't change passwords
  - No delegation of administration
- Microsoft is forcing us that way
  - Exchange 2000 requires AD

Basic Definitions
- Forest
  - A group of domains joined into a common directory; the largest unit in AD
  - All domains in a forest share the schema, the configuration partition, a global catalog, some administrators (Enterprise Admins) and two-way transitive trusts
  - The forest, not the domain, is the real security boundary: anyone with administrative control of one domain controller can affect the whole forest
- Tree
  - Domains in a forest that share a contiguous DNS namespace (a common suffix)
  - E.g. US.AD.widget.com and EURO.AD.widget.com
- Domain
  - Administrative and replication boundary
  - Conceptually the same as a Windows NT domain, but now corresponds to a DNS domain
  - Domain controllers hold all the information about the objects (users, groups, computers, etc.) in their domain

More Definitions
- Organizational Unit (OU)
  - Administrative boundary smaller than a domain
  - Contains objects, grouped for administrative or organizational purposes
- Site
  - A group of well-connected systems (LAN speed, roughly 10 Mbps or better)
  - Defined by IP subnets
  - Site configuration affects replication (and which DC a client logs on to)
- Global Catalog
  - A server that holds a partial replica (a subset of attributes) of every object in the forest
  - Think White Pages
  - Includes the object's address and its domain (so we can ask that domain's DC for more data)

Final Definitions
- Kerberos
  - The default authentication protocol in Active Directory: a ticket-based system built on shared secret keys and a trusted Key Distribution Center (every domain controller is a KDC)
  - It is not a public-key system; certificates are only used for the initial logon through the PKINIT extension (smart cards), and NTLM remains as the fallback for clients that cannot use Kerberos
- Schema
  - All attributes for all object classes are defined in the schema
    - An attribute's syntax defines the type of data it can store
  - The schema definition for each object class lists all the possible attributes of that class
  - The schema contains a default DACL for each object class
    - The default DACL is applied when an instance of the class is created in the directory

AD Design Choices
- LDAP access
  - The protocol was becoming the industry standard
- X.500 data model
  - Object hierarchy permits subtree-scoped queries
  - Schema defines attributes and object classes
- Attribute-level access control
  - Required for data sharing between applications
- DNS-integrated object naming
  - Enables a globally unique namespace based on the de facto Internet locator service
- Security
  - Multiple authentication paths, one authorization model
- In-place or side-by-side upgrade
  - Learned from Novell: offer upgrade flexibility!

Replication Design Choices
- Multi-master
  - Need local password update
  - Approximately "last writer wins" (per attribute, by version number, then timestamp)
  - Eventual convergence
- Attribute granularity
  - When an attribute changes, replicate the entire new value of that attribute, not the whole object
  - Reduces network traffic and lost updates versus object granularity
- State-based
  - Send the current state, not a log
  - Predictable storage overhead, needed anyway for a full sync
  - Implies tombstones for deletes (a deleted object is kept as a tombstone for the tombstone lifetime so the deletion itself can replicate)
- Transitive (store-and-forward)
  - Communicate the update to somebody, not everybody
  - Big win with mixed link speeds: once per slow link
  - Automated topology generation by the KCC (Knowledge Consistency Checker)
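The three design choices above (attribute-level metadata, per-attribute "last writer wins", tombstones) can be seen directly on a live domain. The PowerShell below is an added example, not part of the original deck; it uses the ActiveDirectory module's replication cmdlets (RSAT for Windows Server 2012 or later, which postdate the Windows 2000 era of the talk), and the user DN is a placeholder.

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory
# module (Server 2012+ replication cmdlets); the user DN is a placeholder.
Import-Module ActiveDirectory

$dn = 'CN=Jill Smith,OU=Sales,DC=ad,DC=widget,DC=com'   # placeholder object
$dc = (Get-ADDomainController -Discover).HostName

# 1. Attribute granularity: every attribute carries its own version counter,
#    USN and originating DC. Two DCs that edit *different* attributes of the
#    same object concurrently therefore merge instead of overwriting each other.
Get-ADReplicationAttributeMetadata -Object $dn -Server $dc |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Sort-Object LastOriginatingChangeTime -Descending |
    Format-Table -AutoSize

# 2. "Last writer wins" is decided per attribute by Version, then timestamp.
#    Compare one attribute on this DC and on one of its replication partners;
#    until they converge the higher Version is the one that will survive.
$partner = (Get-ADReplicationPartnerMetadata -Target $dc | Select-Object -First 1).PartnerAddress
foreach ($server in @($dc, $partner)) {
    Get-ADReplicationAttributeMetadata -Object $dn -Server $server |
        Where-Object { $_.AttributeName -eq 'displayName' } |
        Select-Object @{n='Server';e={$server}}, AttributeName, Version, LastOriginatingChangeTime
}

# 3. Tombstones: deletions replicate as tombstoned objects that live for the
#    forest's tombstone lifetime. Forests created before 2003 SP1 leave the
#    attribute unset, which means the old default of 60 days.
$cfg = (Get-ADRootDSE -Server $dc).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                    -Properties tombstoneLifetime -Server $dc
$ttl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $ttl days (a DC offline longer than this must be rebuilt, not resynced)"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged -Server $dc |
    Select-Object Name, whenChanged -First 5
```

The per-attribute metadata is also the first thing to look at in an incident: LastOriginatingChangeDirectoryServerIdentity tells you which DC a suspicious change (a new group member, a changed userAccountControl) was written on, before the change was replicated everywhere.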

Logical Structure Relationships (diagram)
- A forest containing two trees: chevy.gm.com with child domain trucks.chevy.gm.com, and saab.co.sa with child domain na.saab.co.sa
- OUs and objects inside each domain
- Schema and global catalog shared across the forest

So What do We Get?
- True multi-domain integration
- Transitive trusts
- Global catalog
- Group Policy Objects
- Controllable replication
- Directory security
- Granular administration

When to Use Multiple Trees
- Public view requires different root domain names
  - E.g. Kraft Foods doesn't want a .PhillipMorris.com suffix
- Politics require divisions to keep their names
- There is no technical advantage to multiple trees

When to use multiple forests
- When, and only when, the service owners of multiple trees don't trust each other
- Multiple forest implementations do NOT:
  - Share a common global catalog
    - No common Exchange GAL
  - Trust each other
    - You can set up old-style (NT-style, one-way, non-transitive) trusts between individual domains in different forests
- Rule of thumb: 1 forest per CIO

Domain Controller Roles
- Flexible Single Master Operations (FSMO) roles
  - 1 per forest:
    - Schema Master
    - Domain Naming Master
  - 1 per domain:
    - PDC Emulator (also the authoritative time source for its domain; the forest root domain's PDC Emulator is the time reference for the whole forest, so there is no separate "time master" role)
    - RID (Relative ID) Master
    - Infrastructure Master
- Other roles (not FSMO):
  - KCC / ISTG (generates the inter-site topology)
  - ISM (inter-site messaging)
  - Global catalog
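To put the role list into practice, here is an added example (not from the original deck) in PowerShell. It assumes the RSAT ActiveDirectory module and an account that can query every domain in the forest; it enumerates each FSMO holder, checks that it answers, flags the classic infrastructure-master/global-catalog conflict, and shows that the time chain ends at the forest root PDC emulator rather than at a dedicated role.

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory
# module is installed and the account can query every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = [ordered]@{
    'Forest/SchemaMaster'       = $forest.SchemaMaster
    'Forest/DomainNamingMaster' = $forest.DomainNamingMaster
}
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    $roles["$name/PDCEmulator"]          = $dom.PDCEmulator
    $roles["$name/RIDMaster"]            = $dom.RIDMaster
    $roles["$name/InfrastructureMaster"] = $dom.InfrastructureMaster
}

# 1. Every role holder should answer. A dead holder means no schema changes,
#    no new domains, no new RID pools, or no password-change forwarding,
#    depending on which role it held.
foreach ($entry in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $entry.Value -Count 1 -Quiet
    '{0,-40} {1,-40} {2}' -f $entry.Key, $entry.Value, $(if ($up) { 'ok' } else { 'UNREACHABLE' })
}

# 2. In a multi-domain forest the Infrastructure Master must not be a global
#    catalog unless every DC in that domain is one; otherwise cross-domain
#    group member references stop being updated.
foreach ($name in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $name
    $im  = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' }
    $nonGc = $dcs | Where-Object { -not $_.IsGlobalCatalog }
    if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and $nonGc) {
        "WARNING: $($im.HostName) holds InfrastructureMaster and is a GC while other DCs in $name are not"
    }
}

# 3. There is no "time master" FSMO: the forest root PDC emulator is the top
#    of the time hierarchy, so it (and only it) should sync from an external
#    source. Everything else should chain back to it.
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
"Root PDC emulator $rootPdc time source:"
w32tm /query /computer:$rootPdc /source
```

If the root PDC emulator reports "Local CMOS Clock" as its source, Kerberos will still work as long as all DCs agree with each other, but the forest's clocks are drifting together with no external reference; point it at an NTP server with w32tm /config before that drift exceeds the 5-minute Kerberos skew against anything outside the forest.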

Reasons for Creating Domains
- Physical location
- Network traffic
- International differences
- Administrative considerations
  - All users in a domain share the same account restrictions (password length, etc.)
- Politics
- NOT: defining spheres of administration (OUs can do that)


What are OUs
- They are distinct units of administration that can be delegated
- They are containers that organize objects and other containers
- Examples are geographic locations, projects, cost centers, business units and divisions

What OUs Can Contain
- Users
- Printers
- Computers
- Other OUs
- Security policies
- Applications
- Groups
- File shares

Reasons for Creating OUs
- Enhancing administrative control
- Maintaining a consistent number of objects per container
- Controlling the application of Group Policy Objects
- Holding other OUs
- Replacing Windows NT 4.0 resource domains

Remember: Domains are Expensive
- Every domain must have a DC, and most should have 2-3 or more
- Logons require connectivity to a DC of the user's home domain
- Logon traffic is greater than replication traffic

Hierarchical OU Models
- Geographic
- Object-based
- Cost center
- Project-based
- Division or business unit
- Administration

Define an OU Naming Convention
- OUs are not part of the DNS namespace
- OUs are identified by LDAP and canonical names only
- While domains are difficult to reorganize, OUs within a domain can easily be renamed or moved

Delegating Administration (diagram)
- OU1: the DACL for "Group" objects lets Jill add users; OU2: the DACL for "Group" objects lets John add users
- The ability to set ACLs for contained objects at the OU level means that you can define "who can do what" to a particular object class in the OU
- Groups created in OU1 can be administered by Jill; groups created in OU2 can be administered by John

Delegation of Control Wizard
- Good news: there is a Delegation of Control Wizard
- Bad news: there is no undelegation of control wizard
- After delegating control, the delegated users must also be given visibility (read/list) permissions on the objects and containers they control, or they cannot see what they administer
- Learn to edit and document ACLs
- Only delegate control to groups, never to individual users
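Because there is no undelegation wizard, the habit that makes the wizard safe is to dump an OU's DACL, keep it documented, and be able to pull an ACE back out by hand. The PowerShell below is an added example, not from the deck; it assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl), and the OU name and the WIDGET\jsmith trustee are placeholders.

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory
# module; the OU and trustee names below are placeholders.
Import-Module ActiveDirectory
$ou  = 'OU=Sales,DC=ad,DC=widget,DC=com'
$acl = Get-Acl -Path "AD:\$ou"

# 1. Document: keep the DACL's SDDL under version control, so a delegation
#    nobody remembers (or one an attacker added) shows up as a diff later.
$acl.Sddl | Out-File -FilePath ".\$($ou -replace '[^A-Za-z0-9]', '_').sddl"

# 2. Review explicit (non-inherited) ACEs and flag any granted to a user
#    object rather than a group, which the deck says never to do.
$report = foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
    $class = 'unresolved'   # e.g. NT AUTHORITY\SYSTEM has no directory object
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction Stop
        if ($obj) { $class = $obj.ObjectClass }
    } catch { }
    [pscustomobject]@{
        Trustee = $ace.IdentityReference.Value
        Class   = $class
        Type    = $ace.AccessControlType
        Rights  = $ace.ActiveDirectoryRights
        Applies = $ace.InheritanceType
        Flag    = if ($class -eq 'user') { 'DIRECT-TO-USER' } else { '' }
    }
}
$report | Format-Table -AutoSize

# 3. "Undelegate" by hand: strip every explicit ACE for one trustee and write
#    the DACL back. Drop -WhatIf once the report above has been reviewed.
$trustee  = 'WIDGET\jsmith'
$toRemove = $acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $trustee }
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
if ($toRemove) { Set-Acl -Path "AD:\$ou" -AclObject $acl -WhatIf }
```

Each ACE also carries ObjectType and InheritedObjectType GUIDs; these are what restrict a delegation to, say, "Group" objects as on the previous slide, or to a single attribute. The report above does not decode them (that needs a lookup against the schema and extended-rights containers), so when an ACE's Rights column shows only "WriteProperty" or "ExtendedRight", check the GUID before deciding it is harmless: a WriteProperty on member, or the Reset Password extended right, is a privilege escalation path.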

Delegation of Control Wizard (screenshot)

ADS Security Features - Review
- Objects have an Access Control List (ACL)
- Permissions can be delegated to users by a higher authority
- Inheritance allows permissions to be propagated to all objects in child containers
- Trusts are established among all domains in an ADS forest
- Explicit trusts can be established with domains in foreign forests or legacy NT domains

Group Types
- Security groups
  - Allow you to assign permissions
  - Can also be used as a distribution list
  - Windows NT has only security groups
- Distribution groups
  - Do not allow you to assign permissions
  - Can be used as a distribution list

Rules for Group Membership (universal groups are only available in native mode)

Global group
- Can contain: user accounts and global groups from the same domain (nesting global groups also requires native mode)
- Can be a member of: universal and domain local groups in any domain; global groups in the same domain

Domain local group
- Can contain: user accounts, universal and global groups from any domain; domain local groups from the same domain
- Can be a member of: domain local groups in the same domain

Universal group
- Can contain: user accounts, universal and global groups from any domain
- Can be a member of: domain local or universal groups in any domain

Group Scopes
- Domain local group: open membership; use for access to resources in one domain
- Global group: limited membership; use for access to resources in any domain
- Universal group: open membership; use for access to resources in any domain

How does AD use DNS?
- Windows 2000 uses DNS as the domain locator and name-to-IP translator
- Domain controllers register themselves in DNS (SRV records under _msdcs.<domain>)
- Clients query DNS to locate DCs, analogous to Internet mail's MX record
- Better-scaling long-term replacement for the NetBIOS Name Service (WINS)
- Requires DNS servers that support SRV records, and in practice dynamic updates so DCs can register their own records (Windows 2000 DNS or BIND 8.x or later)
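The locator records are the part of this slide that breaks in practice (a DC that never registered, or a decommissioned DC whose records were never removed, and clients keep trying it). The following PowerShell is an added example, not from the deck; it assumes the RSAT ActiveDirectory module, Resolve-DnsName from the DnsClient module, and that the machine running it resolves through the same DNS servers the domain members use.

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory
# and DnsClient modules, and that this host uses the same DNS servers as
# ordinary domain members.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$rootDom = (Get-ADForest).RootDomain
$dcs     = Get-ADDomainController -Filter *      # DCs of *this* domain only

# The SRV names Netlogon's DsGetDcName actually queries, each paired with the
# DCs that should be registered under it. The gc record is forest-wide, so
# this domain's GCs are only a subset of its expected targets.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$domain";     Expect = $dcs;                                                                    ForestWide = $false }
    @{ Name = "_kerberos._tcp.dc._msdcs.$domain"; Expect = $dcs;                                                                    ForestWide = $false }
    @{ Name = "_ldap._tcp.pdc._msdcs.$domain";    Expect = $dcs | Where-Object { $_.OperationMasterRoles -contains 'PDCEmulator' }; ForestWide = $false }
    @{ Name = "_ldap._tcp.gc._msdcs.$rootDom";    Expect = $dcs | Where-Object { $_.IsGlobalCatalog };                              ForestWide = $true  }
)

foreach ($c in $checks) {
    $answer = Resolve-DnsName -Name $c.Name -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
    if (-not $answer) { "MISSING  $($c.Name)"; continue }
    $targets = $answer | Select-Object -ExpandProperty NameTarget
    "OK       $($c.Name) -> $($targets -join ', ')"

    # A DC that is not registered is invisible to clients and will carry no logon load.
    foreach ($dc in $c.Expect) {
        if ($targets -notcontains $dc.HostName) { "  NOT REGISTERED: $($dc.HostName) in $($c.Name)" }
    }
    # A target that is no longer a DC is a stale record; clients keep trying it
    # until it is scavenged or deleted by hand (domain-scoped records only,
    # since the forest-wide gc record legitimately lists other domains' GCs).
    if (-not $c.ForestWide) {
        foreach ($t in $targets) {
            if ($dcs.HostName -notcontains $t) { "  STALE: $t is registered but is not a current DC" }
        }
    }
}

# End to end: ask the locator itself, the way a joining workstation does,
# bypassing the cached answer.
nltest /dsgetdc:$domain /force
```

Anyone who can write these records (dynamic update without secure-update, or a DNS admin) can point every client at a host of their choosing, which is why AD-integrated zones with secure dynamic updates only are the default worth keeping.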

Migrating to AD
- Single domain
  - Migrate in place
  - Clean up later
- 2-3 domains
  - Migrate the "root" domain in place
  - Use ADMT for the additional domains
    - You're stuck with SIDHistory
- Bigger
  - Redesign from scratch now
  - Use 3rd-party tools from Aelita or NetIQ
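"Stuck with SIDHistory" is worth taking literally: every SID in an account's sIDHistory is added to its token at logon, so an old domain's privileged SID left on a migrated account is a standing privilege, and the attribute is also a favourite place for an attacker to hide one. The PowerShell below is an added example, not from the deck; it assumes the RSAT ActiveDirectory module and that ADMT populated sIDHistory during the migration.

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory
# module and that ADMT populated sIDHistory during the migration.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# One row per historical SID on every principal that still carries the attribute.
$rows = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid, sAMAccountName |
    ForEach-Object {
        $obj = $_
        foreach ($old in $obj.sIDHistory) {
            $oldSid = [string]$old
            [pscustomobject]@{
                Account    = $obj.sAMAccountName
                Class      = $obj.ObjectClass
                Dn         = $obj.DistinguishedName
                OldSid     = $oldSid
                # Well-known RIDs: 512 Domain Admins, 518 Schema Admins,
                # 519 Enterprise Admins, 544 BUILTIN\Administrators.
                Privileged = [bool]($oldSid -match '-(512|518|519|544)$')
                # ADMT only writes SIDs from the *source* domain; a historical SID
                # from this very domain was put there some other way.
                SameDomain = $oldSid.StartsWith("$domainSid-")
            }
        }
    }

$rows | Sort-Object Privileged, SameDomain -Descending | Format-Table -AutoSize

# Review these first: a privileged historical SID makes the account an admin
# anywhere in the forest that still honours the old domain's SID. Across a
# forest or external trust, SID filtering is what strips it out.
$rows | Where-Object { $_.Privileged -or $_.SameDomain }

# Once the old resources have been re-ACLed to the new SIDs, clear the
# attribute object by object. Drop -WhatIf after review; this is one-way.
$rows | Select-Object -ExpandProperty Dn -Unique | ForEach-Object {
    Set-ADObject -Identity $_ -Clear sIDHistory -WhatIf
}
```

Clearing sIDHistory before the re-ACL is finished locks users out of the old resources, which is the practical reason it tends to linger for years; the audit above is how you find out whether it is still needed or has become an unmonitored privilege.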

Audience Response Question?