MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

Chapter 4: Active Directory Design and Security Concepts

Objectives

Work with organizational units

Work with forests, trees, and domains

Describe the components of a site

MCTS Windows Server 2008 Active Directory

Working with Organizational Units

Active Directory is based upon standards (LDAP and X.500)

Lightweight Directory Access Protocol (LDAP)

Created by the Internet Engineering Task Force (IETF)

Based on the X.500 Directory Access Protocol (DAP)

Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory

LDAP is implemented on other operating systems as well, so it can be used to integrate them with Active Directory

Working with Organizational Units (cont.)

Benefits of using OUs

You can create familiar hierarchical structures based on an organizational chart to allow easy resource access

Delegation of administrative authority

Able to change OU structure easily

Can group users and computers for the purposes of assigning administrative and security policies

Can hide AD objects for confidentiality or security reasons

OU Delegation of Control

Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks

Allows specific control of what someone with delegated control may do

Commonly delegated tasks include:

Create, delete, and manage user accounts

Reset user passwords and force password change at next logon

Read all user information

Create, delete, and manage groups

Modify the membership of a group

Manage group policy links

Generate Resultant Set of Policy (Planning)

Generate Resultant Set of Policy (Logging)

OU Delegation of Control (cont.)

Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance

Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not

By default, the OU’s properties don’t show that another user has been delegated control

Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions
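The two points above (delegating a task is really just adding an ACE to the OU's DACL, and the only way to see who was delegated what is to read that DACL) as an added PowerShell example; this is not code from the textbook. It assumes the ActiveDirectory module is installed, that an OU OU=Sales,DC=example,DC=com and a group EXAMPLE\HelpDesk exist (placeholder names), and that the caller may modify the OU's permissions. The GUIDs are the well-known schema identifiers of the "Reset Password" control-access right and of the user object class.

```powershell
# Added example (not part of the textbook): delegate "Reset user passwords" on
# an OU with one ACE, then read the OU's DACL back, because the OU's own
# properties pages never show a delegation.
# Assumptions (placeholders): OU "OU=Sales,DC=example,DC=com", group
# "EXAMPLE\HelpDesk", ActiveDirectory module present, caller may edit the DACL.
Import-Module ActiveDirectory

$ouDn     = 'OU=Sales,DC=example,DC=com'
$delegate = 'EXAMPLE\HelpDesk'

# Well-known schema GUIDs: the User-Force-Change-Password control-access right
# (what the Delegation of Control Wizard calls "Reset user passwords") and the
# schemaIDGUID of the "user" object class.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$identity = [System.Security.Principal.NTAccount]$delegate

# Scope "Descendant user objects": the ACE does not apply to the OU itself and
# is inherited only by user objects beneath it, so the help desk cannot reset
# passwords on computer or managed service accounts that happen to live there.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list the ACEs that were set on this OU directly (not inherited
# from the domain or a parent OU). Anything here beyond the defaults for the
# organizationalUnit class is a delegation someone made.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification step is the one to keep in a scheduled job: the wizard adds ACEs but never removes them, so an OU's DACL accumulates delegations from years of staff changes, and the only record of them is the DACL itself.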

Active Directory Object Permissions

Three types of objects can be assigned permission to access an AD object: Users, groups, and computers; these object types are referred to as security principals

An AD object's security settings are composed of three components:

Discretionary Access Control List (DACL)

Each entry referred to as an access control entry (ACE)

Object owner

Usually the user account that created the object or a group or user who has been assigned ownership

System Access Control List (SACL)

Defines the settings for auditing access to an object

Active Directory Object Permissions (cont.)

Each object has a list of standard permissions and a list of special permissions

Each permission can be set to Allow or Deny, and five standard permissions are available for most objects

Full control

Read

Write

Create all child objects

Delete all child objects

Active Directory Object Permissions (cont.)

Users can be assigned permission to an object in three different ways

User’s account is added to the object’s DACL, a method referred to as explicit permission

A group the user belongs to is added to the object’s DACL

The permission is inherited from a parent object’s DACL to which the user or group account has been added

A user’s effective permissions are a combination of the assigned permissions

Deny permissions override Allow permissions

Exception: when the Deny is inherited from a parent object and the Allow is added explicitly to the object's own DACL, the Allow takes precedence, because Windows keeps a DACL in canonical order and evaluates explicit ACEs before inherited ones (explicit Deny, explicit Allow, inherited Deny, inherited Allow)

Using Deny in an ACE

If a security principal isn’t represented in an object’s DACL, it doesn’t have access to the object

Deny permissions are not required for every object to prevent access

Deny permission usually used in cases of exception, such as when you don’t want a user to be able to delete child objects in an OU, but still want to grant access

Permission Inheritance in OUs

Permission inheritance defines how permissions are transmitted from a parent object to a child object

All objects in AD are child objects of the domain

By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

Advanced Features Option in Active Directory Users and Computers

Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option on the View menu

Afterwards, four new folders are shown

LostAndFound

Program Data

System

NTDS (NT Directory Service)

Advanced Features Option in Active Directory Users and Computers (cont.)

Properties dialog box of domain, folder, and OU objects will now have three new tabs

Object

Used to view detailed information about a container object

Security

Used to view and modify an object’s permissions

Attribute Editor

Used to view and edit an object’s attributes

Effective Permissions

Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal

Can come from assignments made directly to a single user account or to a group the user belongs to

Explicit permissions override inherited permissions because Windows evaluates the explicit ACEs in a DACL before the inherited ones; this is what creates the exceptions to the rule that Deny permissions override Allow permissions
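The evaluation order behind the last two slides (Deny beats Allow, except that an explicit Allow beats an inherited Deny, and a principal absent from the DACL gets nothing) as an added PowerShell model; this is not code from the textbook and it touches no directory. It reproduces how Windows walks a DACL that is in canonical order and stops at the first ACE that matches the requester and a requested right. The ACEs, group names and SID are constructed sample data.

```powershell
# Added example (not part of the textbook): a model of DACL evaluation.
# Windows keeps a DACL in canonical order (explicit Deny, explicit Allow,
# inherited Deny, inherited Allow) and walks it once; the first ACE that
# matches the requester and one of the requested rights decides that right.
# Everything below is constructed sample data; no directory is touched.

function Test-EffectiveAccess {
    param(
        [object[]]$Acl,        # each: Identity, Type ('Allow'/'Deny'), Rights (string[]), IsInherited
        [string[]]$Principal,  # the requester's own SID plus every group it belongs to
        [string[]]$Requested   # rights being asked for; all of them must be granted
    )
    # Canonical order: explicit before inherited, Deny before Allow within each group.
    $ordered = $Acl | Sort-Object -Property @{ Expression = { [int]$_.IsInherited } },
                                            @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    $remaining = [System.Collections.Generic.HashSet[string]]::new([string[]]$Requested)
    foreach ($ace in $ordered) {
        if ($Principal -notcontains $ace.Identity) { continue }     # ACE is for someone else
        $overlap = @($ace.Rights | Where-Object { $remaining.Contains($_) })
        if ($overlap.Count -eq 0) { continue }                      # ACE covers other rights
        if ($ace.Type -eq 'Deny') { return $false }                 # first matching Deny ends it
        foreach ($r in $overlap) { [void]$remaining.Remove($r) }    # an Allow consumes those rights
        if ($remaining.Count -eq 0) { return $true }
    }
    return $false   # some requested right is granted by no ACE: not in the DACL means no access
}

# Constructed sample 1: the Sales OU denies Delete to HelpDesk on all descendants
# (seen on a child object as an inherited Deny), but this child object was given
# an explicit Allow Delete for HelpDesk.
$childAcl = @(
    [pscustomobject]@{ Identity = 'HelpDesk'; Type = 'Deny';  Rights = @('Delete');        IsInherited = $true  }
    [pscustomobject]@{ Identity = 'HelpDesk'; Type = 'Allow'; Rights = @('Delete');        IsInherited = $false }
    [pscustomobject]@{ Identity = 'HelpDesk'; Type = 'Allow'; Rights = @('Read', 'Write'); IsInherited = $true  }
)
# Constructed sample 2: the Deny is the explicit one and the Allow is inherited.
$lockedAcl = @(
    [pscustomobject]@{ Identity = 'HelpDesk'; Type = 'Deny';  Rights = @('Delete');        IsInherited = $false }
    [pscustomobject]@{ Identity = 'HelpDesk'; Type = 'Allow'; Rights = @('Delete');        IsInherited = $true  }
)

# Constructed requester: a user SID plus the groups in her token.
$alice = @('S-1-5-21-1-1-1-1101', 'HelpDesk', 'Domain Users')
# A requester that appears nowhere in either DACL.
$bob   = @('S-1-5-21-1-1-1-1102', 'Domain Users')

Test-EffectiveAccess -Acl $childAcl  -Principal $alice -Requested 'Delete'
Test-EffectiveAccess -Acl $childAcl  -Principal $alice -Requested 'Write', 'Delete'
Test-EffectiveAccess -Acl $lockedAcl -Principal $alice -Requested 'Delete'
Test-EffectiveAccess -Acl $childAcl  -Principal $bob   -Requested 'Read'
```

In the model, the first two calls succeed because the explicit Allow on the child is reached before the inherited Deny; the third fails because the Deny is now the explicit ACE; and the last fails without any Deny at all, which is the point of the "Using Deny in an ACE" slide: leaving a principal out of the DACL is enough to keep it out, and Deny is for carving an exception out of an Allow that is otherwise wanted.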

Effective Permissions (cont.)

Most common settings for permission inheritance

This object only

The permission setting isn’t inherited by child (descendant) objects

This object and all descendant objects

The permission setting applies to the current object and is inherited by all child objects

All descendant objects

The permission setting doesn’t apply to the selected object but is inherited by all child objects

Descendant [object type] objects

The permission is inherited only by specific child object types, such as user, computer, or group objects

Permission inheritance is enabled by default on child objects but can be disabled; an object whose inheritance has been disabled no longer receives the ACEs delegated at its parent OU, so such objects are the first thing to look for when a delegation does not seem to apply
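The four inheritance settings and the "inheritance can be disabled" caveat as an added PowerShell audit; this is not code from the textbook. It walks every OU in the domain, reports each ACE with the scope the Advanced Security dialog would show (resolving the class GUID of a "Descendant ... objects" entry to its name via the schema), and warns about OUs where inheritance from the parent is blocked. It assumes the ActiveDirectory module and read access to the schema and to the OUs; no names are hard-coded.

```powershell
# Added example (not part of the textbook): report the inheritance scope of every
# ACE on every OU and flag OUs that block inheritance.
# Assumes the ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

# Map schemaIDGUID -> class name so that InheritedObjectType reads as "user",
# "computer", "group" instead of a GUID.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$classByGuid = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=classSchema)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classByGuid[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Get-AceScope {
    param($Ace)
    # Same wording as the "Applies to" column in the Advanced Security dialog.
    $typed = $Ace.InheritedObjectType -ne [Guid]::Empty
    $class = if ($typed) { $classByGuid[[Guid]$Ace.InheritedObjectType] } else { $null }
    switch ([string]$Ace.InheritanceType) {
        'None'            { 'This object only' }
        'All'             { if ($typed) { "This object and descendant $class objects" } else { 'This object and all descendant objects' } }
        'Descendents'     { if ($typed) { "Descendant $class objects" } else { 'All descendant objects' } }
        'SelfAndChildren' { 'This object and immediate children only' }
        'Children'        { 'Immediate children only' }
    }
}

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    if ($acl.AreAccessRulesProtected) {
        # Inheritance disabled: ACEs delegated on the parent do not reach this OU or its children.
        Write-Warning "Inheritance is disabled on $($ou.DistinguishedName)"
    }
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Identity  = $ace.IdentityReference
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            AppliesTo = Get-AceScope $ace
        }
    }
}

# Explicit ACEs are the ones somebody set on that OU; inherited ones trace back
# to a parent and repeat on every child, so they are filtered from the listing.
$report | Where-Object { -not $_.Inherited } | Sort-Object OU, Identity | Format-Table -AutoSize
```

Protected (inheritance-blocked) OUs deserve a second look in a security review: blocking inheritance is also how an object can be hidden from a delegated administrator, and an OU whose DACL was copied at the moment inheritance was turned off keeps whatever stale delegations existed then.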

Working with Forests, Trees, and Domains

Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests

The first domain controller in a new forest creates more than just a domain: it also creates the root of a new tree and the root of a new forest

May eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

Active Directory Terminology

Directory Partitions

Operations Master Roles

Active Directory Replication

Trust Relationships

Directory Partitions

Each section of an Active Directory database is referred to as a directory partition; there are five directory partition types in the AD database:

Domain directory partition

Contains all objects in a domain, including users, groups, computers, OUs, and so forth

Schema directory partition

Contains information needed to define AD objects and object attributes

Global catalog partition

Holds the global catalog, a partial, read-only replica of every object in the forest that carries only the attributes in the partial attribute set; it is hosted by the DCs designated as global catalog servers rather than being a separately named naming context

Application directory partition

Used by applications and services to hold information that benefits from

Configuration partition

Holds configuration information that can affect the entire forest

Operations Master Roles

Several operations in a forest require a single domain controller, called the operations master, to have sole responsibility for the function

The first domain controller in the forest initially holds all of the operations master roles

If necessary, a role can be transferred to another domain controller

Operations Master Roles (cont.)

There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles in an AD forest:

Schema master

Infrastructure master

Domain Naming master

RID master

PDC Emulator master

When demoting or removing DCs, transfer any operations master roles they hold first; a role whose holder is lost must be seized on another DC, and the old holder must never be brought back online afterwards
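The five FSMO roles and the "do not lose a role when retiring DCs" caveat as an added PowerShell check; this is not code from the textbook. It collects the forestwide and per-domain role holders from Get-ADForest and Get-ADDomain and confirms each holder is still a DC that the directory knows, is writable (an RODC can never hold a role) and answers on the network. It assumes the ActiveDirectory module and that every domain in the forest is reachable; nothing is hard-coded.

```powershell
# Added example (not part of the textbook): inventory the FSMO role holders
# and verify each one is a live, writable DC. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles = [ordered]@{
    'Schema master'        = $forest.SchemaMaster        # one per forest
    'Domain naming master' = $forest.DomainNamingMaster  # one per forest
}
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName                     # the three per-domain roles
    $roles["PDC emulator ($domainName)"]          = $d.PDCEmulator
    $roles["RID master ($domainName)"]            = $d.RIDMaster
    $roles["Infrastructure master ($domainName)"] = $d.InfrastructureMaster
}

foreach ($entry in $roles.GetEnumerator()) {
    $holder = $entry.Value
    $status = 'OK'
    if ([string]::IsNullOrEmpty($holder)) {
        # The role attribute points at nothing: the holder was demoted or its
        # NTDS Settings object is gone. Seize the role on a healthy DC.
        $status = 'NO HOLDER RECORDED: seize on a healthy DC'
    } else {
        try {
            $dc = Get-ADDomainController -Identity $holder -ErrorAction Stop
            if ($dc.IsReadOnly) {
                $status = 'HOLDER IS AN RODC: transfer to a writable DC'
            } elseif (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
                $status = 'UNREACHABLE: if it is gone for good, seize the role'
            }
        } catch {
            $status = "NOT FOUND IN DIRECTORY: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Role = $entry.Key; Holder = $holder; Status = $status }
}
```

On Windows Server 2008 without the ActiveDirectory module, netdom query fsmo gives the same inventory for the current domain; transfers and seizures are done with Move-ADDirectoryServerOperationMasterRole (with -Force for a seizure) or ntdsutil.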

Active Directory Replication

Replication is the process of maintaining a consistent database of information when the database is distributed among several locations

Intrasite replication

Replication between domain controllers in the same site

Intersite replication

Occurs between two or more sites

Multimaster replication

Used by AD for replicating AD objects: any writable DC can accept a change, and the change is then replicated to the other DCs

Knowledge Consistency Checker (KCC) runs on all DCs

Determines the replication topology, which defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs
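The replication slide describes the mechanism; the check a practitioner wants is whether it is actually working. The following is an added PowerShell example, not code from the textbook: it reads the inbound replication metadata for every DC and partition in the forest and warns about partners with consecutive failures or no recent success. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (the replication cmdlets are not in the 2008 R2 module); the two-hour threshold is a placeholder to adjust to the site link schedule.

```powershell
# Added example (not part of the textbook): inbound replication health per DC
# and partition. Assumes the Windows Server 2012+ ActiveDirectory module.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddHours(-2)     # placeholder: tune to the slowest site link schedule
$forestName = (Get-ADForest).Name

# One row per (destination DC, source partner, partition).
$metadata = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest -Partition '*'

$metadata |
    Select-Object Server, PartnerAddress, Partition, IntersiteTransportType,
                  LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object Server, Partition, PartnerAddress |
    Format-Table -AutoSize

# A partner that keeps failing, or one whose last success is older than the
# threshold, means that DC is serving stale data for that partition.
$problems = $metadata | Where-Object {
    $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $staleAfter
}
foreach ($p in $problems) {
    Write-Warning ('{0} <- {1} [{2}]: {3} consecutive failure(s), last success {4}, last result {5}' -f
        $p.Server, $p.PartnerAddress, $p.Partition,
        $p.ConsecutiveReplicationFailures, $p.LastReplicationSuccess, $p.LastReplicationResult)
}

# Failure detail (error code, first failure time) for the same forest.
Get-ADReplicationFailure -Target $forestName -Scope Forest |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize
```

On a 2008-era DC, repadmin /showrepl and repadmin /replsummary report the same data; the security reason to watch it is that a DC that has not replicated for longer than the tombstone lifetime is quarantined by its partners and keeps authenticating users against an ACL and password state nobody else in the forest has.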

Trust Relationships

In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain

Since Windows 2000 AD, two-way transitive trusts (parent-child and tree-root) are established automatically between all domains in the forest

Trusts do not equal permissions: a trust only lets the trusting domain authenticate the other domain's security principals, and those principals get access only where permissions have been granted to them

The Role of Forests

All domains in a forest share some common characteristics

A single schema

Forestwide administrative accounts

Operations masters

Global catalog

Trusts between domains

Replication between domains

The Importance of the Global Catalog Server

First DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured as well

Global Catalog servers perform the following vital functions:

Facilitate domain and forestwide searches

Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN)

Hold universal group membership information

Forest Root Domain

First domain is the forest root and is referred to as the forest root domain

Essential to the forest: the forest root domain cannot be removed or replaced, and if it is lost without a backup the forest cannot be recovered

Functions the forest root domain usually handles:

DNS server

Global catalog server

Forestwide administrative accounts

Operations masters

Forest Root Domain (cont.)

Due to the importance of the forest root domain’s functionality, some organizations choose a dedicated forest root domain

The advantages of running a dedicated forest root domain include the following:

More secure: the forestwide Enterprise Admins and Schema Admins groups exist only in the forest root domain, so a dedicated root keeps them apart from the domains where everyday accounts and delegated administrators live

More manageable

More flexible

Choosing a Single or Multiple Forest Design

Most organizations operate under a single AD forest, which has a number of advantages:

A common Active Directory structure

Easy access to network resources

Centralized management

The advantages of single forest structure are also limitations in many aspects; diversity within an organization may make single forest design unfeasible

Multiple forest design includes the following advantages:

Differing schemas are possible

Security boundaries: the forest, not the domain, is the security boundary in AD, because an administrator of any domain can compromise the others in the same forest; organizations that must isolate administration need separate forests

Separate administration

Understanding Trusts

Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain

Types of trust

One-way and two-way trusts

Transitive trusts

Shortcut trusts

Forest trusts

External trusts

Realm trusts

One-Way and Two-Way Trusts

One-way trust exists when one domain trusts another, but the reverse is not true

When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa

In this case, domainA is the Trusting domain, and domainB is the Trusted domain

More common is the two-way trust, in which users from both domains can be given access to resources in the other domain

Transitive Trusts

A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C

If one domain trusts another domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain

In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination; this can cause substantial delays

Shortcut Trusts

A shortcut trust is configured manually between domains to bypass the normal referral process

Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest

Shortcut trusts can reduce delays caused by referral processes

Forest Trusts

A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest

Not possible in Windows 2000 forests; both forests must be at the Windows Server 2003 forest functional level or higher

They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isn’t transitive from one forest to another

External Trusts

An external trust is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest

Generally used in these circumstances:

To create a trust between two domains in different forests

To create a trust with a Windows 2000 or Windows NT domain

Realm Trusts

Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest

This requires the OS to be running the Kerberos V5 authentication system that AD uses

Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network
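The trust types from the last several slides, in the form a security review needs, as an added PowerShell example; this is not code from the textbook. Every trust a domain holds is stored as a trustedDomain object in its System container; the script reads those objects, decodes trustDirection, trustType and the trustAttributes bits into the textbook's terms (trusting versus trusted, transitive, forest/external/realm), and flags the settings that matter once a trust admits foreign principals: SID filtering and selective authentication. It assumes the ActiveDirectory module and read access to the System container; no trust names are hard-coded. The bit values are the documented constants for the trustAttributes attribute.

```powershell
# Added example (not part of the textbook): enumerate and decode the domain's
# trusts and flag the ones that admit foreign principals without SID filtering
# or selective authentication. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Documented bit values of the trustAttributes attribute.
$NON_TRANSITIVE    = 0x01
$UPLEVEL_ONLY      = 0x02
$QUARANTINED       = 0x04   # SID filtering ("quarantine") on an external trust
$FOREST_TRANSITIVE = 0x08   # this is a forest trust
$CROSS_ORG         = 0x10   # selective authentication is enforced
$WITHIN_FOREST     = 0x20   # parent-child, tree-root or shortcut trust
$TREAT_AS_EXTERNAL = 0x40   # forest trust with SID history admitted (/enablesidhistory:yes)

$domainDn = (Get-ADDomain).DistinguishedName
$trusts = Get-ADObject -SearchBase "CN=System,$domainDn" -LDAPFilter '(objectClass=trustedDomain)' `
              -Properties trustPartner, trustDirection, trustType, trustAttributes

foreach ($t in $trusts) {
    $a   = [int]$t.trustAttributes
    $dir = [int]$t.trustDirection
    # trustDirection: 1 = inbound (the partner trusts us, so our users may go
    # there), 2 = outbound (we trust the partner, so its users may come here),
    # 3 = both. "Trusting" and "trusted" below follow the textbook's usage.
    $direction = switch ($dir) {
        1 { 'One-way: partner is the trusting domain, we are the trusted domain' }
        2 { 'One-way: we are the trusting domain, partner is the trusted domain' }
        3 { 'Two-way' }
        default { "Unknown ($dir)" }
    }
    $kind = switch ([int]$t.trustType) {
        1 { 'External (downlevel Windows NT)' }
        2 { if ($a -band $WITHIN_FOREST)         { 'Intra-forest (parent-child, tree-root or shortcut)' }
            elseif ($a -band $FOREST_TRANSITIVE) { 'Forest trust' }
            else                                 { 'External trust' } }
        3 { 'Realm trust (non-Windows Kerberos)' }
        default { "Unknown ($($t.trustType))" }
    }
    # External trusts carry the NON_TRANSITIVE flag; intra-forest and forest
    # trusts (and realm trusts unless configured otherwise) do not.
    $transitive = (($a -band $NON_TRANSITIVE) -eq 0)

    $findings = @()
    $weTrustThem = (($dir -band 2) -ne 0)
    if ($weTrustThem -and (($a -band $WITHIN_FOREST) -eq 0)) {
        if ($a -band $FOREST_TRANSITIVE) {
            if ($a -band $TREAT_AS_EXTERNAL) { $findings += 'SID history admitted across the forest trust' }
        } elseif ([int]$t.trustType -ne 3 -and (($a -band $QUARANTINED) -eq 0)) {
            $findings += 'SID filtering (quarantine) is OFF on an external trust'
        }
        if (($a -band $CROSS_ORG) -eq 0) { $findings += 'Forest-wide authentication; selective authentication not set' }
    }
    [pscustomobject]@{
        Partner    = $t.trustPartner
        Direction  = $direction
        Kind       = $kind
        Transitive = $transitive
        Findings   = ($findings -join '; ')
    }
}
```

The findings column is the security content of "trusts do not equal permissions": an outbound external or forest trust lets every principal of the other domain authenticate here, so without SID filtering a compromised trusted domain can present SIDs (via SID history) that belong to this forest's privileged groups, and without selective authentication every one of its users is an Authenticated User on every server in the trusting domain. On 2008-era tooling the same flags are set with netdom trust /quarantine and /enablesidhistory and the Selective authentication option on the trust's properties.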

Designing the Domain Structure

Most small and medium businesses choose a single domain for reasons that include the following:

Simplicity

Lower costs

Easier management

Easier access to resources

Designing the Domain Structure (cont.)

Using multiple domains makes sense or is even a necessity in the following circumstances:

Compatibility with a Windows NT domain

Need for differing account policies

Need for different name identities

Replication control

Need for internal versus external domains

Need for tight security

Understanding Sites

AD site represents a physical location where DCs are placed and group policies can be applied

First DC of a forest creates a site named Default-First-Site-Name once installed

Three main reasons for establishing multiple sites:

Authentication efficiency

Replication efficiency

Application efficiency

Sites are created using Active Directory Sites and Services

Site Components

Subnets

Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site

Site Links

A site link is needed to connect two or more sites for replication purposes

Determine replication schedule and frequency between two sites

Bridgehead Servers

Intersite replication occurs between bridgehead servers

One DC is designated as the Inter-Site topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition

Site Links

Intersite replication topology is determined by the cost value associated with each site link; the ISTG builds the topology over the lowest-cost path between sites
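The three site components (subnets, site links, bridgehead/DC placement) as an added PowerShell example that reads them straight from the configuration partition; this is not code from the textbook. It lists, per site, the subnets that map clients to it, the DCs in it and the site links it belongs to, prints each link's cost and interval, and warns about the design gaps the slides imply: a site with no subnet (no client is ever mapped to it), a site with no DC (clients there are covered by a DC from the lowest-cost neighbouring site), a site link with fewer than two members, and a subnet not assigned to any site. It assumes the ActiveDirectory module and read access to the configuration partition; nothing is hard-coded.

```powershell
# Added example (not part of the textbook): site topology from the configuration
# partition with basic design checks. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$sitesDn  = "CN=Sites,$configNc"

$sites   = Get-ADObject -SearchBase $sitesDn -SearchScope OneLevel -LDAPFilter '(objectClass=site)'
$subnets = Get-ADObject -SearchBase "CN=Subnets,$sitesDn" -LDAPFilter '(objectClass=subnet)' -Properties siteObject
$links   = Get-ADObject -SearchBase "CN=Inter-Site Transports,$sitesDn" -LDAPFilter '(objectClass=siteLink)' `
               -Properties cost, replInterval, siteList
$servers = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=server)'

# siteObject is single-valued, which is what makes "one subnet, one site" true.
$subnetsBySite = @{}
foreach ($s in $subnets) { if ($s.siteObject) { $subnetsBySite[$s.siteObject] += @($s.Name) } }

# A server object lives at CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...; strip two RDNs to get the site DN.
$serversBySite = @{}
foreach ($srv in $servers) {
    $siteDn = ($srv.DistinguishedName -split ',', 3)[2]
    $serversBySite[$siteDn] += @($srv.Name)
}

function Get-RdnValue { param([string]$Dn) (($Dn -split ',')[0]) -replace '^CN=', '' }

foreach ($site in $sites) {
    $dn = $site.DistinguishedName
    [pscustomobject]@{
        Site    = $site.Name
        Subnets = ($subnetsBySite[$dn] -join ', ')
        DCs     = ($serversBySite[$dn] -join ', ')
        Links   = (@($links | Where-Object { $_.siteList -contains $dn }).Name -join ', ')
    }
    if (-not $subnetsBySite[$dn]) { Write-Warning "Site $($site.Name) has no subnet: no client will ever be mapped to it" }
    if (-not $serversBySite[$dn]) { Write-Warning "Site $($site.Name) has no DC: clients are served from the lowest-cost linked site" }
}

foreach ($link in $links) {
    $members = @($link.siteList | ForEach-Object { Get-RdnValue $_ })
    '{0}: cost {1}, replicates every {2} min, sites: {3}' -f $link.Name, $link.cost, $link.replInterval, ($members -join ', ')
    if ($members.Count -lt 2) { Write-Warning "Site link $($link.Name) joins fewer than two sites" }
}

$orphans = @($subnets | Where-Object { -not $_.siteObject })
if ($orphans.Count -gt 0) { Write-Warning "Subnets assigned to no site: $(($orphans | ForEach-Object Name) -join ', ')" }
```

The unassigned-subnet warning is the one with a security angle: a client on a subnet that maps to no site is not guaranteed a local DC and may authenticate, and receive site-linked Group Policy, from whichever DC answers first across the WAN.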

Chapter Summary

Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects

OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company’s organizational chart; delegation of control can be used to give users some management authority in an OU

Chapter Summary (cont.)

Large organizations might require multiple domains, trees, and forests

Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes

The forest is the broadest logical AD component; all domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains

Chapter Summary (cont.)

Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon

A domain is the primary identifying and administrative unit of AD; each domain has a unique name, and there’s an administrative account with full control over objects in the domain

An AD site represents a physical location where domain controllers reside
