Chapter 4: Planning the Active Directory and Security

1 Chapter 4: Planning the Active Directory and Security

2 Learning Objectives
Explain the contents of the Active Directory
Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security

3 Learning Objectives (continued)
Plan how to use groups, group policies, and security templates
Plan IP security measures

4 Windows NT Domain Structure
The Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
One primary domain controller (PDC) has the master copy of the SAM
One or more backup domain controllers (BDCs) have regularly backed-up copies of the SAM
If the PDC fails, a BDC is promoted

5 Using a PDC, BDCs, and the SAM database
Figure 4-1 Windows NT SAM architecture

6 Windows 2000 Active Directory
Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory

7 Windows 2000 Active Directory
Made up of the following files:
NTDS.DIT: the single file of the database
EDB*.LOG: log files associated with database transactions
EDB.CHK: error tracking/correction info for the database
RES1.LOG and RES2.LOG: reserved disk space

8 Active Directory Objects
Figure 4-2 Domain objects in the Active Directory

9 Active Directory Objects
Object Types:
User Account
Computer Account
Domain Controller
Groups
Organizational Unit
Printers

10 Multimaster Replication
Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC is a master in its own right, replication does not stop when one DC is down.

11 Multimaster Replication
An account can be created on any of the DCs
The other DCs are updated automatically
Replication can be done for changed data only; the whole file does not have to be replicated
If one DC fails, the others are up to date and the system stays up
There is no need to stop and promote a BDC

12 Schema
Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

13 Example Schema Characteristics of the User Account Class
Unique object name
Globally unique identifier (GUID) associated with each object name
Required attributes
Optional attributes
Syntax of how attributes are defined
Pointers to parent entities

14 Example User Account Attributes
Username
User’s full name
Password

15 Schema Example
Figure 4-4 Sample schema information for user accounts

16 Default Object Classes
Domain
User account
Group
Shared drive
Shared folder
Computer
Printer

17 Object Naming
Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer, e.g. HPLaserMain
Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name, e.g. CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>

18 Namespace
Namespace: Can be set up as a DNS server

19 Active Directory Elements
Domains
Organizational units (OUs)
Trees
Forests
Sites

20 Active Directory Architecture
Figure 4-5 Active Directory hierarchical containers

21 Functions of a Domain
Provide a security boundary for objects in a common relationship
Establish a set of data to be replicated among DCs
Expedite management of a set of objects

22 Using a Single Domain
Figure 4-6 Single domain

23 Using Multiple Domains
Figure 4-7 Using multiple domains

24 Domain Creation Dos and Don’ts

25 Domain Creation Dos and Don’ts (continued)

26 Functions of an OU
Group related objects, such as user accounts and printers, for easier management
Reflect the structure of an organization
Group objects to be administered using the same group policies

27 Using OUs to Reflect Organizational Structure
Figure 4-8 OUs used to reflect the divisional structure of a company

28 Design Tips for Using OUs
Limit OUs to 10 levels or fewer
OUs use fewer CPU resources when they are set up horizontally instead of vertically
Each request through an OU level requires CPU time in a search
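The naming format on slide 17 and the 10-level OU limit above can be checked mechanically. The following parser is an added example, not code from the slides or from Windows: it splits a distinguished name into its components (handling backslash-escaped commas in values) and counts the OU levels between an object and its domain or organization; the sample DNs are constructed.

```python
# Added example, not from the slides: parse an Active Directory distinguished
# name (DN) into its relative DNs and check OU nesting depth against the
# slide's "10 levels or fewer" design tip. Handles RFC 4514-style backslash
# escapes (e.g. "Smith\, John") and DC= components as well as the O=/C= form.
from typing import List, Tuple

MAX_OU_DEPTH = 10  # design limit quoted on the slide

def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Turn 'OU=Sales' into ('OU', 'Sales'); reject malformed pieces."""
    attr, sep, value = rdn.strip().partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), value.strip()

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific component first."""
    rdns: List[Tuple[str, str]] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:                 # previous char was '\': keep this one literally
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append(_split_rdn(buf))
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append(_split_rdn(buf))
    return rdns

def ou_depth(dn: str) -> int:
    """How many OU levels lie between the object and its domain/organization."""
    return sum(1 for attr, _ in parse_dn(dn) if attr == "OU")

def ou_depth_ok(dn: str) -> bool:
    return ou_depth(dn) <= MAX_OU_DEPTH

if __name__ == "__main__":
    # Constructed sample DNs: the slide's O=/C= style and the DC= style.
    for sample in ("CN=HPLaserMain, OU=Sales, OU=Chicago, O=DevryCo, C=US",
                   "CN=Smith\\, John,OU=Eng,DC=chi,DC=devry,DC=edu"):
        print(parse_dn(sample), "OU depth:", ou_depth(sample), ou_depth_ok(sample))
```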

29 OU Creation Dos and Don’ts

30 OU Creation Dos and Don’ts (continued)

31 Characteristics of a Tree
Member domains are in a contiguous namespace, e.g. chi.devry.edu and tp.devry.edu under the devry tree
Member domains can compose a hierarchy
Member domains use the same schema for common objects
Member domains use the same global catalog (an encyclopedia of information about objects)

32 Global Catalog
Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

33 Global Catalog Functions
Authenticating users
Providing lookup and access to resources in all domains
Providing replication of key Active Directory elements
Keeping a copy of the most frequently used attributes for all objects

34 Hierarchical Domains in a Tree
Figure 4-9 Tree with hierarchical domains

35 Kerberos Transitive Trust
Kerberos Transitive Trust Relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.

36 Trusted and Trusting Domains
Trusted domain: A domain that has been granted security access to resources in another domain
Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers

37 Tree Creation Dos and Don’ts

38 Tree Creation Dos and Don’ts (continued)

39 Planning Tip
Make sure each tree has at least one DC that is also configured as a global catalog
Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

40 Characteristics of a Forest
Member trees use a disjointed namespace (but contiguous namespaces within trees)
Member trees use the same schema
Member trees use the same global catalog

41 Single Forest
Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

42 Single Forest Architecture
Figure A forest

43 Separate Forest
Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

44 Separate Forest Architecture
Figure 4-11 Separate forest model

45 Forest Creation Dos and Don’ts

46 Forest Creation Dos and Don’ts (continued)

47 Design Tip
When you create a separate forest structure, remember that:
Replication cannot take place between forests
The forests use different schemas and global catalogs
The forests cannot be easily blended into a single forest in the future

48 Site
Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

49 Characteristics of a Site
Reflects one or more interconnected subnets (512 Kbps or faster)
Reflects the same boundaries as the LAN
Used for DC replication
Enables clients to access the closest DC
Composed of servers and configuration objects

50 Site Links
Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links
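Slides 49 and 50 describe how subnets, sites and site links let a client reach the closest DC. The model below is an added example, not code from the slides or from Windows: it maps a client address to a site by the most specific matching subnet object and, when that site holds no DC, walks the site links to the nearest site that has one (the site-link fallback and the whole topology are constructed assumptions of this model).

```python
# Added example, not from the slides: resolve a client's IP address to its
# Active Directory site via constructed subnet objects (longest prefix wins),
# then pick a DC in that site. When a site holds no DC, this model falls back
# over the site links to the nearest site that does; the topology is made up.
import ipaddress
from collections import deque
from typing import Dict, List, Optional

SUBNETS: Dict[str, str] = {            # subnet object -> site (constructed)
    "10.1.0.0/16": "Chicago",
    "10.1.200.0/24": "Chicago-Lab",    # more specific than 10.1.0.0/16
    "10.2.0.0/16": "Toronto",
}
SITE_DCS: Dict[str, List[str]] = {     # site -> domain controllers (constructed)
    "Chicago": ["DC1.chi.devry.edu", "DC2.chi.devry.edu"],
    "Chicago-Lab": [],                 # site with no DC of its own
    "Toronto": ["DC1.tp.devry.edu"],
}
SITE_LINKS: Dict[str, List[str]] = {   # site link objects, listed both ways
    "Chicago-Lab": ["Chicago"],
    "Chicago": ["Chicago-Lab", "Toronto"],
    "Toronto": ["Chicago"],
}

def site_for(ip: str) -> Optional[str]:
    """Map an address to the site of the most specific matching subnet."""
    addr = ipaddress.ip_address(ip)
    best: Optional[tuple] = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def nearest_dcs(ip: str) -> List[str]:
    """DCs in the client's own site, else the closest linked site with DCs."""
    start = site_for(ip)
    if start is None:
        return []                       # address outside every subnet object
    seen, queue = {start}, deque([start])
    while queue:                        # breadth-first over site links
        site = queue.popleft()
        if SITE_DCS.get(site):
            return SITE_DCS[site]
        for nxt in SITE_LINKS.get(site, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return []
```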

51 Site Link Architecture
Figure Site link bridge

52 Site Creation Dos and Don’ts

53 Site Creation Dos and Don’ts (continued)

54 Design Tip
Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
Use sites to enhance network performance by optimizing authentication and replication

55 Active Directory Guidelines
Keep the Active Directory implementation as simple as possible
Implement the least number of domains possible
Implement only one domain on most small networks
Use OUs to reflect the organizational structure (instead of using domains for this purpose)

56 Active Directory Guidelines (continued)
Create only the number of OUs that are necessary
Do not create OUs more than 10 levels deep
Use domains for natural security boundaries
Implement trees and forests only as necessary

57 Active Directory Guidelines (continued)
Use trees for domains that have a contiguous namespace
Use forests for multiple trees that have disjointed namespaces between them
Use sites in situations where there are multiple IP subnets and geographic locations to improve performance

58 Basic Types of Active Directory Security
Account or interactive logon security
Object security
Services security

59 Interactive Logon Security
The DC checks that the user account is in the Active Directory
The DC verifies the exact user account name and password

60 Object Security
Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer

61 Typical ACL Types of Information
User account(s) that can access an object
Permissions that determine the type of access
Ownership of the object

62 Typical Object Permissions
Deny: No access to the object
Read: Access to view or read the object’s contents
Write: Permission to change the object’s contents or properties
Delete: Permission to remove an object
Create: Permission to add an object
Full Control: Permission for nearly any activity

63 Example Special Permissions
Figure Special permissions for a folder

64 Troubleshooting Tip
Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the Deny permissions associated with that user’s account
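The permission model of slides 60 to 64 (allow and deny entries on an ACL, with Deny winning) is easy to get wrong when a user inherits entries through several groups. The code below is an added example, not code from the slides or from Windows: it computes a user's effective permissions from a constructed ACL on the Databases folder and lists the Deny entries that are causing the conflict, which is the check the troubleshooting tip recommends. The account and group names are constructed.

```python
# Added example, not from the slides: compute a user's effective permissions on
# an object from a constructed ACL and list the Deny entries that cause a
# conflict, which is what the troubleshooting tip says to check first. Each
# ACE is (trustee, "Allow"|"Deny", permissions); trustees can be accounts or groups.
from typing import List, Set, Tuple

Ace = Tuple[str, str, Set[str]]
ALL_PERMISSIONS = {"Read", "Write", "Delete", "Create"}

def expand(perms: Set[str]) -> Set[str]:
    """Full Control stands for every individual permission on the slide."""
    return set(ALL_PERMISSIONS) if "Full Control" in perms else set(perms)

def effective_permissions(acl: List[Ace], user: str, groups: Set[str]) -> Set[str]:
    """Union of Allow ACEs for the user and its groups, minus any Deny ACE."""
    trustees = groups | {user}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for trustee, kind, perms in acl:
        if trustee in trustees:
            (denied if kind == "Deny" else allowed).update(expand(perms))
    return allowed - denied            # Deny supersedes Allow, whatever the order

def conflicting_denies(acl: List[Ace], user: str, groups: Set[str]) -> List[Ace]:
    """Deny ACEs that strip something an Allow ACE would otherwise grant."""
    trustees = groups | {user}
    allowed: Set[str] = set()
    for trustee, kind, perms in acl:
        if trustee in trustees and kind == "Allow":
            allowed |= expand(perms)
    return [ace for ace in acl
            if ace[0] in trustees and ace[1] == "Deny" and expand(ace[2]) & allowed]

# Constructed ACL for the shared folder "Databases".
DATABASES_ACL: List[Ace] = [
    ("Domain Users", "Allow", {"Read"}),
    ("DBAdmins", "Allow", {"Full Control"}),
    ("Contractors", "Deny", {"Write", "Delete"}),
    ("MGardner", "Allow", {"Write"}),      # explicit grant, still overridden by Deny
]

if __name__ == "__main__":
    # MGardner is in DBAdmins but also, by mistake, in Contractors.
    who, member_of = "MGardner", {"Domain Users", "DBAdmins", "Contractors"}
    print(sorted(effective_permissions(DATABASES_ACL, who, member_of)))
    print(conflicting_denies(DATABASES_ACL, who, member_of))
```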

65 Services Security
Windows 2000 enables you to set up security on individual services, such as DHCP

66 Setting Services Security
Figure DHCP security

67 Using Groups
Set up security groups of user accounts as a way to manage security more easily

68 Setting Up Members of a Group
Figure DHCP Administrators group

69 Group Policies
Use group policies to manage security for local servers, OUs, and domains
Employ security templates when you need to manage several different group policies

70 Example Areas Covered by Group Policies
Account policies
Local server and domain policies
Event log tracking policies
Group restrictions
Service access security
Registry security
File system security

71 Setting Up Security Templates
Figure Security Templates snap-in

72 IP Security
IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)

73 IP Security Policies
IP security (IPSec) can function in three roles relative to a client:
Client (Respond Only), in which the server uses IPSec if the client is using it first
Server (Request Security), in which the server uses IPSec by default, but will discontinue using IPSec if it is not supported by the client
Secure Server (Require Security), in which the server only communicates via IPSec

74 Configuring IPSec
Figure 4-17 IP Security Policy Wizard

75 Troubleshooting Tip
On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
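The three policy roles on slide 73 and the SNMP exemption in the tip above decide, for each connection, whether traffic is protected, sent in the clear, or refused. The model below is an added example, not code from the slides or from Windows: it captures only that decision (it does not model IKE negotiation), the role names are the slide's own, and the exemption set is an assumption standing in for the filter-list configuration the tip refers to.

```python
# Added example, not from the slides: a decision model for the three IPSec
# policy roles on slide 73, plus the protocol exemption from the slide-75 tip.
# It models only the outcome of a connection attempt (ipsec / clear / refused),
# not IKE negotiation itself; the exemption set is an assumption of this model.
from enum import Enum
from typing import Dict, FrozenSet, Tuple

class Role(Enum):
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"

def negotiate(server_role: Role, client_has_ipsec: bool, protocol: str = "tcp",
              exempt: FrozenSet[str] = frozenset(),
              client_requests_ipsec: bool = False) -> str:
    """Outcome of one client connection against a server in the given role."""
    if protocol in exempt:
        return "clear"                  # traffic carved out of the policy (e.g. SNMP)
    if server_role is Role.CLIENT:
        # Respond Only: never initiates IPSec, answers with it only when asked.
        return "ipsec" if client_has_ipsec and client_requests_ipsec else "clear"
    if server_role is Role.SERVER:
        # Request Security: asks for IPSec, falls back to clear text if unsupported.
        return "ipsec" if client_has_ipsec else "clear"
    # Require Security: IPSec or nothing.
    return "ipsec" if client_has_ipsec else "refused"

def outcome_matrix() -> Dict[Tuple[str, bool], str]:
    """Every role against an IPSec-capable and a legacy client, for a quick review."""
    return {(role.value, cap): negotiate(role, cap, client_requests_ipsec=cap)
            for role in Role for cap in (True, False)}

if __name__ == "__main__":
    for (role, cap), result in outcome_matrix().items():
        print(f"{role:34} client IPSec={cap!s:5} -> {result}")
    # A legacy device polled over SNMP survives a Require Security policy only if exempted.
    print(negotiate(Role.SECURE_SERVER, False, "snmp", frozenset({"snmp"})))
```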

76 Chapter Summary
Active Directory and security implementation are interrelated
The Active Directory is a set of services for managing Windows 2000 servers
Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources

77 Chapter Summary (continued)
Use sites to configure network communications for better performance by taking advantage of existing subnets
Groups and group policies enable you to manage security

