
COMP091 OS1




  1. COMP091 OS1 Active Directory

  2. Some History
  • Early 1990s: Windows for Workgroups introduced peer-to-peer networking based on SMB over NetBIOS (TCP/IP still foreign)
  • No central authentication
  • Users invent workgroup names freely
  • Workgroup names really just make it easier to find computers on the network
    • Accounting
    • Payroll
  • No effective security role

  3. Windows Domains
  • More or less simultaneously, NT introduced real networking (TCP/IP)
  • And the Windows domain concept
  • Name resolution still based on primitive broadcast protocols
    • And self-configuring WINS servers
  • But a central directory was introduced to control access to domain resources and to authenticate users

  4. Domain Controllers
  • With central authentication and access control, there needs to be a central database
  • Primary Domain Controllers and Backup Domain Controllers served that function in early NT systems
  • Notice that centralised authentication calls for:
    • An authentication mechanism
    • A database
    • A backup authentication mechanism
    • A database replication mechanism
  • Domain Controllers offered primitive versions of these functions

  5. NDS
  • While Windows was deploying NT Domain Controller based networking, the competition was way ahead
  • Novell's NDS had:
    • A flexible and extensible LDAP-based directory
    • A sophisticated replication strategy
    • An authentication service
    • Fine-grained ACLs
    • All types of resources in the directory
      • Printers, computers, users, groups

  6. NDS
  • MS response originally called NTDS
    • Maybe too similar to NDS
  • Now called Active Directory

  7. Active Directory
  • Active Directory includes:
    • A flexible and extensible LDAP-based directory
    • A sophisticated replication strategy
    • An authentication service
    • Fine-grained ACLs
    • All types of resources in the directory
      • Printers, computers, users, groups
    • DNS-based computer names
      • But WINS servers still required

  8. AD Data Structures
  • NT PDC/BDC intended to serve one domain
    • So Accounting might have one, and Payroll too
  • AD wants a unified database
    • So an accounting login can have access to payroll resources
  • AD extends this functionality to globally distributed organisations
    • Geographically disparate AD installations can each house a partition of an enterprise AD database
    • But trust relationships can be enterprise-wide

  9. AD Trust Relationships
  • AD domains can “trust” other Active Directory domains
  • This really means that an AD domain can trust the users in another domain
    • Trusted users from the other domain can be given access to resources in the trusting domain
    • Accounting users can be given access to files owned by the Payroll Department
  • This is only possible because the two domains are part of the same AD database

  10. Objects and Attributes
  • The AD database contains information on many different types of things
    • Collectively called objects
  • Some objects can be “containers” of other objects
    • A domain can contain sub-domains
    • Producing a hierarchical tree-like structure
  • Objects are defined by the values of their attributes
    • Objects of the same “class” have the same attributes
    • But different attribute values

  11. Active Directory Objects and Attributes

  12. Forests and Trees
  • Container objects contain other objects, which may in turn contain objects
  • The resulting hierarchy is called a tree, with root objects, branch objects and leaf objects
  • An AD database can contain more than one tree
  • The collection of trees in an AD database is called a forest

  13. Domain Tree

  14. Forest of Trees

  15. Organizational Units
  • An alternative to breaking a domain down into sub-domains is to establish organizational units
    • Think of departments
  • These are also containers
    • For users, files, computers etc.
  • Administration can be delegated to an OU administrator

  16. OU Container

  17. Trusts
  • Implicit two-way transitive trust
    • Parent and child domains
    • Automatic
    • If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C
    • Hence all domains in a tree trust each other
    • Limited implicit trust between the roots of trees in a forest

  18. Trusts
  • Explicit one-way non-transitive trust
    • Must be declared
    • Domains in different trees or forests, or NT domains
    • Only applies to explicitly declared domains
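The difference between the two trust types on slides 17 and 18 is easiest to see as a graph walk: a transitive trust can be crossed as part of a chain, a non-transitive one only as a single direct hop, and a one-way trust has no reverse edge. The model below is an added example, not part of the lecture; the domain names (corp.example, its two children, and an NT domain called legacy-nt) are constructed, and the limited trust between tree roots in a forest is not modelled. The trusted_domains method is the defender's view: given a domain that holds resources, which other domains' users could ever be granted access there.

```python
"""Model of the two trust types on slides 17 and 18.

Added example for illustration; not part of the lecture slides.
Domain names are constructed.
"""
from collections import deque


class TrustGraph:
    """Directed graph of trusts: trusting domain -> (trusted domain, transitive?)."""

    def __init__(self):
        self.edges = {}

    def _add(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])

    def add_parent_child(self, parent, child):
        """Implicit two-way transitive trust between parent and child (slide 17)."""
        self._add(parent, child, True)
        self._add(child, parent, True)

    def add_explicit(self, trusting, trusted):
        """Explicit one-way non-transitive trust (slide 18): one edge, no chaining."""
        self._add(trusting, trusted, False)

    def trusts(self, trusting, user_domain):
        """True if users of user_domain can be granted access to resources in trusting."""
        if trusting == user_domain:
            return True
        seen = {trusting}
        queue = deque([trusting])
        while queue:
            current = queue.popleft()
            for trusted, transitive in self.edges.get(current, []):
                if not transitive:
                    # A non-transitive trust counts only as the direct hop from the
                    # trusting domain itself; it is never crossed as part of a chain.
                    if current == trusting and trusted == user_domain:
                        return True
                    continue
                if trusted == user_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False

    def trusted_domains(self, trusting):
        """Every domain whose users could reach resources in `trusting`.
        Handy for reviewing how far a domain's trust scope actually extends."""
        return sorted(d for d in self.edges if d != trusting and self.trusts(trusting, d))


def build_example():
    """Constructed forest: one tree of three domains plus an explicit trust to an NT domain."""
    g = TrustGraph()
    g.add_parent_child("corp.example", "accounting.corp.example")
    g.add_parent_child("corp.example", "payroll.corp.example")
    g.add_explicit("payroll.corp.example", "legacy-nt")  # payroll trusts legacy-nt users
    return g


if __name__ == "__main__":
    g = build_example()
    for resource_domain in sorted(g.edges):
        print(resource_domain, "trusts users from:", g.trusted_domains(resource_domain))
```

Running it shows that accounting.corp.example trusts users from corp.example and payroll.corp.example (the tree is fully transitive), that payroll.corp.example additionally trusts legacy-nt, and that neither corp.example nor accounting.corp.example trusts legacy-nt, because the explicit trust does not chain.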

  19. Two Types of Trust Relationships

  20. Trusting Everyone -- Replication
  • In order to trust users in another domain, there needs to be access to the other domain's user list
  • Some domain data is replicated to the global catalog
  • Some domain controllers are designated as Global Catalog Servers
  • The global catalog is replicated to all Global Catalog Servers
  • Access to resources outside of your domain requires access to a global catalog server

  21. Replication for Redundancy
  • The global catalog is replicated to ensure global access
  • The entire domain database is replicated to ensure continuous availability
    • Multiple controllers for each domain
    • Multiple global catalog servers in the forest
  • Replication configuration is complex
    • Allows for fast replication of some data
      • Within a site
      • New users
    • Slower replication of other data
      • Across slower links
      • Less critical information

  22. Assigning Permissions - Groups
  • Access to resources can be assigned to each user individually
    • Too much administrative overhead
  • Instead, users can be assigned to groups
    • And permissions then granted to the group
  • Groups can contain groups
  • Users get their own rights, plus the rights of their group, plus the rights of groups their group is in

  23. Types of Groups
  • Global Group
    • Members restricted to the local domain
  • Domain Local Group
    • Rights restricted to resources in the local domain
  • Universal Group
    • Any users, any resource
  • Default groups
    • Domain Admins
    • Domain Guests
    • Domain Users
    • etc.
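Slides 22 and 23 together describe how a user's effective rights are computed (own rights plus the rights of every group the user is in, directly or through nested groups) and which nesting and grants each group scope allows. The directory model below is an added example, not part of the lecture; the user, group, domain and resource names are constructed, and only the two scope rules the slides state are enforced (a global group may only contain principals from its own domain; a domain local group may only be granted rights on its own domain's resources). The membership walk is cycle-safe, which matters in real directories where group nesting loops do occur and would otherwise make an audit tool hang.

```python
"""Effective rights through nested groups (slide 22), with the scope rules
from slide 23 enforced when members are added or rights are granted.

Added example for illustration; not part of the lecture slides.
User, group, domain and resource names are constructed.
"""

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain_local", "universal"


class Directory:
    def __init__(self):
        self.users = {}      # user -> home domain
        self.groups = {}     # group -> {"domain", "scope", "members"}
        self.resources = {}  # resource -> domain it lives in
        self.acl = {}        # resource -> {principal: set(rights)}

    def add_user(self, name, domain):
        self.users[name] = domain

    def add_group(self, name, domain, scope):
        self.groups[name] = {"domain": domain, "scope": scope, "members": set()}

    def _domain_of(self, principal):
        return self.users[principal] if principal in self.users else self.groups[principal]["domain"]

    def add_member(self, group, member):
        g = self.groups[group]
        # Slide 23: a global group's members are restricted to its own domain.
        if g["scope"] == GLOBAL and self._domain_of(member) != g["domain"]:
            raise ValueError(f"global group {group} cannot contain {member} from another domain")
        g["members"].add(member)

    def grant(self, resource, resource_domain, principal, rights):
        # Slide 23: a domain local group's rights are restricted to its own domain's resources.
        g = self.groups.get(principal)
        if g and g["scope"] == DOMAIN_LOCAL and g["domain"] != resource_domain:
            raise ValueError(f"domain local group {principal} cannot be granted rights in {resource_domain}")
        self.resources[resource] = resource_domain
        self.acl.setdefault(resource, {}).setdefault(principal, set()).update(rights)

    def groups_of(self, principal):
        """Transitive closure of group membership (groups can contain groups); cycle-safe."""
        found = set()
        pending = [principal]
        while pending:
            p = pending.pop()
            for name, g in self.groups.items():
                if p in g["members"] and name not in found:
                    found.add(name)
                    pending.append(name)
        return found

    def effective_rights(self, user, resource):
        """Slide 22: the user's own rights plus those of every group the user is (indirectly) in."""
        rights = set()
        for principal in {user} | self.groups_of(user):
            rights |= self.acl.get(resource, {}).get(principal, set())
        return rights


def scope_violation(action, *args):
    """True if the directory rejects action(*args) under the slide 23 scope rules."""
    try:
        action(*args)
    except ValueError:
        return True
    return False


def build_example():
    """Constructed two-domain directory with a three-level group nesting."""
    d = Directory()
    d.add_user("alice", "accounting")
    d.add_user("bob", "payroll")
    d.add_group("Accounting Staff", "accounting", GLOBAL)
    d.add_group("Payroll Auditors", "payroll", UNIVERSAL)
    d.add_group("Ledger Readers", "payroll", DOMAIN_LOCAL)
    d.add_member("Accounting Staff", "alice")
    d.add_member("Payroll Auditors", "Accounting Staff")  # universal: any member, any domain
    d.add_member("Ledger Readers", "Payroll Auditors")
    d.grant("ledger-share", "payroll", "Ledger Readers", {"read"})
    d.grant("ledger-share", "payroll", "alice", {"write"})  # a right granted to the user herself
    return d


if __name__ == "__main__":
    d = build_example()
    print("alice:", sorted(d.groups_of("alice")), sorted(d.effective_rights("alice", "ledger-share")))
    print("bob:", sorted(d.groups_of("bob")), sorted(d.effective_rights("bob", "ledger-share")))
```

alice ends up with read on the payroll ledger share through three levels of nesting (Accounting Staff is in Payroll Auditors, which is in Ledger Readers) plus her own write right, while bob, who is in no group, gets nothing. Adding bob to the global Accounting Staff group, or granting the domain local Ledger Readers group rights on an accounting resource, is rejected.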

  24. Group Policy
  • Not the same groups as used to assign permissions
  • A policy group is either:
    • Computer, Site, Domain or OU
  • Policies contain user- and computer-related configuration information
  • Can apply to any arbitrary set of users, if the set of users is a complete domain or OU
    • But a user is in only one OU (unless contained in a tree of OUs), so only one policy will apply
    • Which sometimes makes sense

  25. Group Policy Objects
  • Create specific desktop configurations for particular groups of users
  • Collections of group policy settings
  • A computer has one local GPO and any number of AD-based GPOs
  • The local GPO can be overridden by other GPOs
    • The local GPO is the least influential in an Active Directory environment

  26. Group Policy Priority
  • Local GPO:
    • Each computer has one GPO stored locally
  • Site GPOs:
    • GPOs linked to the site are processed next
    • The administrator specifies the order of GPOs linked to a site

  27. Group Policy Priority
  • Domain GPOs:
    • Domain-linked GPOs are processed next
    • The administrator specifies the order of GPOs linked to a domain
  • OU GPOs:
    • GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on

  28. Group Policy Settings
  • Some apply to users
    • Based on the user's domain and OUs
    • Applied when the user logs in
  • Some apply to computers
    • Based on the computer's domain and OUs
    • Applied when the OS initializes
  • Include Software Settings, Windows Settings, and Administrative Templates

  29. GPO Contents
  • Scripts
    • Logon/Logoff and Startup/Shutdown
  • Security Settings
    • Applied after the security template
  • Other software settings, e.g. IE parameters
  • Administrative Templates
    • HKEY_LOCAL_MACHINE (HKLM)
    • HKEY_CURRENT_USER (HKCU)

  30. Aligning Policy Groups with Security Groups
  • Policy groups are based on Domains and OUs
  • Security groups can be arbitrary, and users can belong to multiple security groups
  • To have GPOs for a security group:
    • Create a GPO for each group
    • Apply all GPOs at the top level (Domain)
    • Grant the security group read access to the GPO that should be applied to its members
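Slides 25 to 30 describe one procedure: GPOs are processed Local, then Site, then Domain, then OU (parent OU before child OU), each later GPO overriding earlier values of the same setting, and a GPO linked at the domain level but readable only by one security group reaches only that group's members. The function below computes the resultant policy for one user under exactly those rules. It is an added example, not part of the lecture; GPO names, OU names, group names and setting names are constructed. Two assumptions beyond the slides are labelled in the code: the administrator's "order of GPOs linked" is represented as the Group Policy Management Console link order, where link order 1 has the highest precedence and is therefore applied last, and a GPO whose read_groups is None is treated as readable by everyone (no security filtering).

```python
"""Resultant Group Policy for one user: processing order from slides 26-27,
override rule from slide 25, security-group filtering from slide 30.

Added example for illustration; not part of the lecture slides. GPO names,
OU names, group names and setting names are constructed.
"""

LOCAL, SITE, DOMAIN, OU = "local", "site", "domain", "ou"
SCOPE_RANK = {LOCAL: 0, SITE: 1, DOMAIN: 2, OU: 3}


class GPO:
    def __init__(self, name, scope, settings, link_order=1, ou_path=(), read_groups=None):
        self.name = name
        self.scope = scope
        self.settings = settings        # setting name -> value
        # Assumption: GPMC convention, link order 1 = highest precedence (applied last)
        self.link_order = link_order
        self.ou_path = tuple(ou_path)   # OU-linked GPOs only; top-level OU first
        # Assumption: None = every user may read (and so apply) the GPO, i.e. no filter
        self.read_groups = read_groups


def applies_to(gpo, user_ou_path, user_groups):
    """Link scope check (is the user inside the linked OU?) plus slide 30 security filtering."""
    if gpo.scope == OU and tuple(user_ou_path[: len(gpo.ou_path)]) != gpo.ou_path:
        return False
    if gpo.read_groups is not None and not set(gpo.read_groups) & set(user_groups):
        return False
    return True


def resultant_policy(gpos, user_ou_path, user_groups):
    """Process Local, then Site, then Domain, then OU GPOs (parent OU before child);
    within one link target, higher link-order numbers first so link order 1 is applied
    last. Each later GPO overrides earlier values of the same setting (slide 25).
    Returns setting -> (winning value, name of the GPO that set it)."""
    order = sorted(
        (g for g in gpos if applies_to(g, user_ou_path, user_groups)),
        key=lambda g: (SCOPE_RANK[g.scope], len(g.ou_path), -g.link_order),
    )
    result = {}
    for g in order:
        for setting, value in g.settings.items():
            result[setting] = (value, g.name)
    return result


def build_example():
    """Constructed set of GPOs: local, two ordered domain GPOs, a parent/child OU pair,
    and a domain-level GPO filtered to one security group as on slide 30."""
    return [
        GPO("Local", LOCAL, {"lock_timeout_s": 600}),
        GPO("Baseline", DOMAIN, {"lock_timeout_s": 900, "min_password_len": 8}, link_order=2),
        GPO("Hardening", DOMAIN, {"min_password_len": 12}, link_order=1),
        GPO("Finance desktops", OU, {"lock_timeout_s": 300}, ou_path=("Finance",)),
        GPO("Payroll desktops", OU, {"lock_timeout_s": 120}, ou_path=("Finance", "Payroll")),
        GPO("Auditor logging", DOMAIN, {"audit_logon": True}, link_order=3,
            read_groups=["Payroll Auditors"]),
    ]


if __name__ == "__main__":
    gpos = build_example()
    for ou_path, groups in [
        (("Finance", "Payroll"), {"Domain Users", "Payroll Auditors"}),
        (("Finance",), {"Domain Users"}),
        (("HR",), {"Domain Users"}),
    ]:
        print(ou_path, sorted(groups))
        for setting, (value, source) in sorted(resultant_policy(gpos, ou_path, groups).items()):
            print(f"  {setting} = {value!r}  (from {source})")
```

For a user in Finance/Payroll who is a Payroll Auditor, the lock timeout comes from the child OU GPO (120), the password length from the domain GPO with link order 1 (12, overriding the Baseline value of 8), and audit_logon is present because the security filter matches; a user in Finance who is not an auditor gets the parent OU timeout (300) and no audit_logon; a user in an unrelated OU falls back to the domain value (900).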

  31. GPO for Security Group

  32. Resources
  • Old but authoritative
    • http://technet.microsoft.com/en-us/library/bb742424.aspx
  • A tutorial
    • http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial
  • A collection
    • http://www.petri.co.il/ad.htm
  • Wikipedia
    • http://en.wikipedia.org/wiki/Active_Directory
