Chapter 4: Planning the Active Directory and Security

Chapter 4: Planning the Active Directory and Security - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Chapter 4: Planning the Active Directory and Security' - nibal

Presentation Transcript
Learning Objectives
  • Explain the contents of the Active Directory
  • Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
  • Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security
Learning Objectives (continued)
  • Plan how to use groups, group policies, and security templates
  • Plan IP security measures
Windows NT Domain Structure
  • Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
  • One primary domain controller (PDC) has master copy of the SAM
  • One or more backup domain controllers (BDCs) have backup copies of the SAM
Using a PDC, BDCs, and the SAM database

Figure 4-1 Windows NT SAM architecture

Windows 2000 Active Directory
  • Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory
Active Directory Objects

Figure 4-2 Domain objects in the Active Directory

Multimaster Replication
  • Multimaster replication: In Windows 2000, several servers called domain controllers (DCs) each store the Active Directory and replicate it to one another. Each DC is a master in its own right, so replication continues even when one DC is down.
Multimaster Architecture

Figure 4-3 Windows 2000 Active Directory architecture

  • Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes
Example Schema Characteristics of the User Account Class
  • Unique object name
  • Globally unique identifier (GUID) associated with each object name
  • Required attributes
  • Optional attributes
  • Syntax of how attributes are defined
  • Pointers to parent entities
Example User Account Attributes
  • Username
  • User’s full name
  • Password
Schema Example

Figure 4-4 Sample schema information for user accounts

Default Object Classes
  • Domain
  • User account
  • Group
  • Shared drive
  • Shared folder
  • Computer
  • Printer
Object Naming
  • Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer
  • Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name
Object Naming (continued)
  • Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user
  • Namespace: A logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution
Types of Namespaces
  • Contiguous namespace: A namespace in which every child object contains the name of its parent object
  • Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object
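The naming definitions above (CN, DN, RDN, contiguous versus disjointed namespace) worked through in code. This is an added example, not material from the slides; the account, OU and domain names in it are constructed, and it assumes DN values contain no escaped commas.

```python
# Added example (not from the slides): parsing the Active Directory names
# Chapter 4 defines (CN, DN, RDN) and testing whether a child domain's DNS
# name is contiguous with its parent's.  All names here are constructed.
# Assumption: values contain no escaped commas (\,), which a full LDAP
# DN parser would also have to handle.

def split_dn(dn):
    """Split a distinguished name into (attribute, value) RDN pairs,
    leftmost first: the object itself, then its containers, then the
    DC= components that spell out its domain."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr, value))
    return rdns

def common_name(dn):
    """The most basic name of the object: the value of its first RDN."""
    return split_dn(dn)[0][1]

def parent_dn(dn):
    """DN of the container (OU or domain) that holds the object."""
    return ",".join("%s=%s" % rdn for rdn in split_dn(dn)[1:])

def domain_of(dn):
    """DNS name of the object's domain, built from the DC= components."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")

def is_contiguous(child, parent):
    """Contiguous namespace: the child's name contains its parent's name
    (sales.example.local under example.local).  Anything else is disjointed."""
    return child.lower().endswith("." + parent.lower())

if __name__ == "__main__":
    dn = "CN=Mary Gardner,OU=Accounting,DC=sales,DC=example,DC=local"
    print(common_name(dn))                                 # Mary Gardner
    print(parent_dn(dn))         # OU=Accounting,DC=sales,DC=example,DC=local
    print(domain_of(dn))                                   # sales.example.local
    print(is_contiguous(domain_of(dn), "example.local"))   # True
    print(is_contiguous("partner.net", "example.local"))   # False
```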
Active Directory Elements
  • Domains
  • Organizational units (OUs)
  • Trees
  • Forests
  • Sites
Active Directory Architecture

Figure 4-5 Active Directory hierarchical containers

Functions of a Domain
  • Provide a security boundary for objects in a common relationship
  • Establish a set of data to be replicated among DCs
  • Expedite management of a set of objects
Using a Single Domain

Figure 4-6 Single domain

Using Multiple Domains

Figure 4-7 Using multiple

Functions of an OU
  • Group related objects, such as user accounts and printers, for easier management
  • Reflect the structure of an organization
  • Group objects to be administered using the same group policies
Using OUs to Reflect Organizational Structure

Figure 4-8 OUs used to reflect the divisional structure of a company

Design Tips for Using OUs
  • Limit OUs to 10 levels or fewer
  • OUs use fewer CPU resources when they are set up horizontally (wide) rather than vertically (deep)
  • Each request through an OU level requires CPU time in a search
Characteristics of a Tree
  • Member domains are in a contiguous namespace
  • Member domains can compose a hierarchy
  • Member domains use the same schema for common objects
  • Member domains use the same global catalog
Global Catalog
  • Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.
Global Catalog Functions
  • Authenticating users
  • Providing lookup and access to resources in all domains
  • Providing replication of key Active Directory elements
  • Keeping a copy of the most frequently used attributes for all objects
Hierarchical Domains in a Tree

Figure 4-9 Tree with hierarchical domains

Kerberos Transitive Trust
  • Kerberos Transitive Trust Relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.
Trusted and Trusting Domains
  • Trusted domain: A domain that has been granted security access to resources in another domain
  • Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers
Planning Tip
  • Make sure each tree has at least one DC that is also configured as a global catalog
  • Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)
Characteristics of a Forest
  • Member trees use a disjointed namespace (but contiguous namespaces within trees)
  • Member trees use the same schema
  • Member trees use the same global catalog
Single Forest
  • Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog
Single Forest Architecture

Figure 4-10 A forest

Separate Forest
  • Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema
Separate Forest Architecture

Figure 4-11 Separate forest

Design Tip
  • When you create a separate forest structure, remember that:
    • Replication cannot take place between forests
    • The forests use different schema and global catalogs
    • The forests cannot be easily blended into a single forest in the future
Site
  • Site: An option in the Active Directory to interconnect IP subnets so that the Active Directory can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.
Characteristics of a Site
  • Reflects one or more interconnected subnets (512 Kbps or faster)
  • Reflects the same boundaries as the LAN
  • Used for DC replication
  • Enables clients to access the closest DC
  • Composed of servers and configuration objects
Site Links
  • Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
  • Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links
Site Link Architecture

Figure 4-12 Site link bridge

Design Tip
  • Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
  • Use sites to enhance network performance by optimizing authentication and replication
Active Directory Guidelines
  • Keep the Active Directory implementation as simple as possible
  • Implement the least number of domains possible
  • Implement only one domain on most small networks
  • Use OUs to reflect the organizational structure (instead of using domains for this purpose)
Active Directory Guidelines (continued)
  • Create only the number of OUs that are necessary
  • Do not create OUs more than 10 levels deep
  • Use domains for natural security boundaries
  • Implement trees and forests only as necessary
Active Directory Guidelines (continued)
  • Use trees for domains that have a contiguous namespace
  • Use forests for multiple trees that have disjointed namespaces between them
  • Use sites in situations where there are multiple IP subnets and geographic locations to improve performance
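The tree and forest guidelines above, together with the Kerberos transitive trust and separate forest definitions earlier in the chapter, applied to a list of planned domain names. This is an added example and not part of the slides; the domain names are constructed.

```python
# Added example (not from the slides): applying the tree and forest
# guidelines above to a list of planned domain names, then checking which
# pairs of domains are joined by a Kerberos transitive trust.  The domain
# names are constructed.

def is_contiguous(child, parent):
    """Contiguous namespace: the child's DNS name contains the parent's."""
    return child.lower().endswith("." + parent.lower())

def group_into_trees(domains):
    """Return {tree root: [member domains]}.  Domains whose names share a
    root form one tree; a name that fits under no existing root is
    disjointed from the others and starts a tree of its own.  Several
    trees together are a forest."""
    trees = {}
    # Shortest names first, so every root is registered before its children.
    for domain in sorted(domains, key=lambda d: d.count(".")):
        roots = [root for root in trees if is_contiguous(domain, root)]
        if roots:
            trees[roots[0]].append(domain)
        else:
            trees[domain] = [domain]
    return trees

def transitive_trust(domain_a, domain_b, forest):
    """Every domain in a forest trusts every other one through the two-way
    transitive trusts between parent and child and between tree roots, so
    the check is simply membership in the same forest.  A separate forest
    cannot take part in these trusts (see Separate Forest above)."""
    members = {d for tree in group_into_trees(forest).values() for d in tree}
    return domain_a in members and domain_b in members

if __name__ == "__main__":
    planned = ["example.local", "sales.example.local", "eu.sales.example.local",
               "research.net", "labs.research.net"]
    for root, members in group_into_trees(planned).items():
        print(root, "->", members)   # two trees, one per contiguous namespace
    print(transitive_trust("eu.sales.example.local", "labs.research.net", planned))  # True
    print(transitive_trust("example.local", "partner.org", planned))                # False
```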
Basic Types of Active Directory Security
  • Account or interactive logon security
  • Object security
  • Services security
Interactive Logon Security
  • DC checks that the user account is in the Active Directory
  • DC verifies the exact user account name and password
Object Security
  • Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder, Databases
  • Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer
Typical ACL Types of Information
  • User account(s) that can access an object
  • Permissions that determine the type of access
  • Ownership of the object
Typical Object Permissions
  • Deny: No access to the object
  • Read: Access to view or read the object’s contents
  • Write: Permission to change the object’s contents or properties
  • Delete: Permission to remove an object
  • Create: Permission to add an object
  • Full Control: Permission for nearly any activity
Example Special Permissions

Figure 4-13 Special permissions for a folder

Troubleshooting Tip
  • Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the deny permissions associated with that user’s account
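The object security, permissions and troubleshooting slides above worked through in code: a user's effective permissions on an object are computed from its ACL, and any Deny entry that cancels an Allow is reported, which is the entry the tip says to look for. This is an added example, not material from the slides; the accounts, groups and ACL entries are constructed, and the ACL is modelled as (account, Allow or Deny, permission) entries.

```python
# Added example (not from the slides): working out a user's effective
# permissions on an object from its ACL, with Deny taking precedence as the
# troubleshooting tip says.  Account, group and ACL values are constructed;
# the ACL is modelled as (account, "Allow" or "Deny", permission) entries.

PERMISSIONS = {"Read", "Write", "Delete", "Create"}

def expand(permission):
    """Full Control stands for every individual permission."""
    return set(PERMISSIONS) if permission == "Full Control" else {permission}

def effective_permissions(user, groups, acl):
    """Combine every ACL entry that names `user` or one of the groups in
    groups[user].  Returns (permissions the user actually has, list of the
    Deny entries that cancelled an Allow); the second item is what to look
    at when a user reports a permissions conflict."""
    principals = {user} | set(groups.get(user, ()))
    allowed, denied, deny_entries = set(), set(), []
    for account, kind, permission in acl:
        if account not in principals:
            continue
        if kind == "Allow":
            allowed |= expand(permission)
        elif kind == "Deny":
            denied |= expand(permission)
            deny_entries.append((account, permission))
        else:
            raise ValueError("unknown entry type %r" % kind)
    # Deny supersedes: a permission granted anywhere is still removed if any
    # matching entry (direct or via a group) denies it.
    overriding = [e for e in deny_entries if expand(e[1]) & allowed]
    return allowed - denied, overriding

if __name__ == "__main__":
    groups = {"MGardner": ["Accounting", "Domain Users"]}
    databases_acl = [
        ("Domain Users", "Allow", "Read"),
        ("Accounting", "Allow", "Write"),
        ("Accounting", "Allow", "Create"),
        ("MGardner", "Deny", "Write"),   # the entry behind the conflict
    ]
    # Read and Create remain; the Write granted via Accounting is cancelled
    # by the Deny on MGardner's own account, and that entry is reported.
    print(effective_permissions("MGardner", groups, databases_acl))
```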
Services Security
  • Windows 2000 enables you to set up security on individual services, such as DHCP
Setting Services Security

Figure 4-14 DHCP security

Using Groups
  • Set up security groups of user accounts as a way to more easily manage security
Setting Up Members of a Group

Figure 4-15 DHCP Administrators group

Group Policies
  • Use group policies to manage security for local servers, OUs, and domains
  • Employ security templates when you need to manage several different group policies
Example Areas Covered by Group Policies
  • Account policies
  • Local server and domain policies
  • Event log tracking policies
  • Group restrictions
  • Service access security
  • Registry security
  • File system security
Setting Up Security Templates

Figure 4-16 Security Templates snap-in

Chapter Summary
  • Active Directory and security implementation are interrelated
  • The Active Directory is a set of services for managing Windows 2000 servers
  • Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources
Chapter Summary
  • Use sites to configure network communications for better performance by taking advantage of existing subnets
  • Groups and group policies enable you to manage security