Nt1330 Unit 3 Assignment 1 Active Directory

1 Chapter 4: Active Directory Design and Security Concepts

2 Objectives
- Work with organizational units
- Work with forests, trees, and domains
- Describe the components of a site
MCTS Windows Server 2008 Active Directory

3 Working with Organizational Units
- Active Directory is based on standards (LDAP and X.500)
- Lightweight Directory Access Protocol (LDAP)
  - Created by the Internet Engineering Task Force (IETF)
  - Based on the X.500 Directory Access Protocol (DAP)
  - Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory
  - LDAP is available on other operating systems as well and can be used to integrate them with Active Directory

4 Working with Organizational Units (cont.)
- Benefits of using OUs:
  - You can create familiar hierarchical structures based on an organizational chart to allow easy resource access
  - Delegation of administrative authority
  - The OU structure can be changed easily
  - Users and computers can be grouped for the purpose of assigning administrative and security policies
  - AD objects can be hidden for confidentiality or security reasons

5 OU Delegation of Control
- Delegation of control means a person with higher security privileges assigns authority to a person with lesser security privileges to perform certain tasks
- Allows specific control of what someone with delegated control may do
- Commonly delegated tasks include:
  - Create, delete, and manage user accounts
  - Reset user passwords and force password change at next logon
  - Read all user information
  - Create, delete, and manage groups
  - Modify the membership of a group
  - Manage Group Policy links
  - Generate Resultant Set of Policy (Planning)
  - Generate Resultant Set of Policy (Logging)

6 OU Delegation of Control (cont.)
- Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance
- Knowledge of permissions and how they work is important regardless of whether you use custom tasks
- By default, the OU's properties don't show that another user has been delegated control
- Instead, to verify who has been delegated control of an OU, you must view the OU's permissions (the Security tab, which is only visible with Advanced Features enabled)
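Because the Delegation of Control Wizard leaves no trace other than ACEs, auditing delegation means reading the OU's DACL. The following PowerShell is an added example, not code from the course slides: it uses the ActiveDirectory module's AD: drive to read an OU's security descriptor and lists the explicit (non-inherited) ACEs granted to anyone other than the default built-in trustees, translating the well-known control-access-right and schema-class GUIDs the wizard writes (Reset Password, gPLink, user/group/computer classes). The domain CORP and the OU distinguished name are placeholders; run it on a domain-joined machine with RSAT installed.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory module
# (RSAT) and a domain-joined session; OU=Sales,DC=corp,DC=example is a placeholder.
Import-Module ActiveDirectory

# GUIDs the Delegation of Control Wizard writes into ACE ObjectType /
# InheritedObjectType (control-access rights and schema class IDs).
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control-access right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (control-access right)'
    'b7b1b3dd-ab09-4242-9e30-9980e5d322f7' = 'Generate RSoP (Logging)'
    'b7b1b3de-ab09-4242-9e30-9980e5d322f7' = 'Generate RSoP (Planning)'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink attribute'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group objects'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
    'bf967aa5-0de6-11d0-a285-00aa003049e2' = 'organizationalUnit objects'
}

# Principals that appear in an OU's DACL by default and are not delegations
$DefaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SELF',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn)

    # The ActiveDirectory module exposes the directory as the AD: drive, so
    # Get-Acl returns the OU's ActiveDirectorySecurity (owner, DACL, SACL).
    $acl = Get-Acl -Path ("AD:\" + $OuDn)

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }              # came from the domain or a parent OU
        $who = $ace.IdentityReference.Value
        if ($DefaultTrustees -contains $who) { continue }
        if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }

        $obj   = $ace.ObjectType.ToString()
        $inh   = $ace.InheritedObjectType.ToString()
        $on    = if ($KnownGuids[$obj]) { $KnownGuids[$obj] } else { $obj }
        $child = if ($KnownGuids[$inh]) { $KnownGuids[$inh] } else { $inh }

        [pscustomobject]@{
            Trustee   = $who
            Type      = $ace.AccessControlType          # Allow / Deny
            Rights    = $ace.ActiveDirectoryRights      # e.g. ExtendedRight, WriteProperty, GenericAll
            On        = $on                             # which right or property the ACE covers
            AppliesTo = $ace.InheritanceType            # None, All, Descendents, ...
            ChildType = $child                          # object class the ACE is inherited by
        }
    }
}

# The owner is printed too: an owner can rewrite the DACL regardless of its contents
$ou = 'OU=Sales,DC=corp,DC=example'
"Owner: " + (Get-Acl -Path ("AD:\" + $ou)).Owner
Get-OuDelegation -OuDn $ou | Format-Table -AutoSize
```

An entry such as `Trustee=CORP\HelpDesk Type=Allow Rights=ExtendedRight On=Reset Password ChildType=user objects AppliesTo=Descendents` is exactly what the wizard's "Reset user passwords" task produces; `GenericAll` on `(all)` means the trustee effectively owns every object under the OU.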

7 Active Directory Object Permissions
- Three types of objects can be assigned permission to access an AD object: users, groups, and computers; these object types are referred to as security principals
- An AD object's security settings (its security descriptor) are composed of three components:
  - Discretionary Access Control List (DACL): the list of permissions; each entry is referred to as an access control entry (ACE)
  - Object owner: usually the user account that created the object, or a group or user who has been assigned ownership
  - System Access Control List (SACL): defines the settings for auditing access to an object

8 Active Directory Object Permissions (cont.)
- Each object has a list of standard permissions and a list of special permissions
- Each permission can be set to Allow or Deny, and five standard permissions are available for most objects:
  - Full control
  - Read
  - Write
  - Create all child objects
  - Delete all child objects

9 Active Directory Object Permissions (cont.)
- Users can be assigned permission to an object in three different ways:
  - The user's account is added to the object's DACL, a method referred to as an explicit permission
  - A group the user belongs to is added to the object's DACL
  - The permission is inherited from a parent object's DACL to which the user or group account has been added
- A user's effective permissions are a combination of the assigned permissions
- Deny permissions override Allow permissions
  - Exception: when the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object's DACL, the explicit Allow takes precedence

10 Using Deny in an ACE
- If a security principal isn't represented in an object's DACL, it doesn't have access to the object
- Deny permissions are therefore not required on every object to prevent access
- Deny permissions are usually used for exceptions, such as when you want to grant a user access to an OU but not allow the user to delete its child objects

11 Permission Inheritance in OUs
- Permission inheritance defines how permissions are transmitted from a parent object to a child object
- All objects in AD are child objects of the domain
- By default, permissions applied to a parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

12 Advanced Features Option in Active Directory Users and Computers
- Default settings in Active Directory Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the View menu
- Afterwards, four new folders are shown:
  - LostAndFound
  - Program Data
  - System
  - NTDS Quotas (NT Directory Service quotas)

13 Advanced Features Option in Active Directory Users and Computers (cont.)
- The Properties dialog box of domain, folder, and OU objects will now have three new tabs:
  - Object: used to view detailed information about a container object
  - Security: used to view and modify an object's permissions
  - Attribute Editor: used to view and edit an object's attributes

14 Effective Permissions
- Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal
- They can come from assignments made directly to a single user account or to a group the user belongs to
- Explicit permissions override inherited permissions, which creates the exception to the rule that Deny permissions override Allow permissions: ACEs are evaluated in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow

15 Effective Permissions (cont.)
- Most common settings for permission inheritance:
  - This object only: the permission setting isn't inherited by child (descendant) objects
  - This object and all descendant objects: the permission setting applies to the current object and is inherited by all child objects
  - All descendant objects: the permission setting doesn't apply to the selected object but is inherited by all child objects
  - Descendant [object type] objects: the permission is inherited only by specific child object types, such as user, computer, or group objects
- Permission inheritance is enabled by default on child objects but can be disabled
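Slides 9, 10, 14 and 15 describe the rules for effective permissions in words. The PowerShell function below, added here as an illustration and not taken from the slides, implements the access-check order Windows actually uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow) over a constructed DACL, so "Deny overrides Allow", its exception, and the implicit deny for a principal absent from the DACL all fall out of the ordering. It needs no AD connection; the trustees, users and ACEs are made up for the example.

```powershell
# Added example, not from the course slides; runs offline on constructed ACEs.
function Test-EffectiveAccess {
    param(
        [Parameter(Mandatory)][object[]]$Dacl,        # objects with Trustee, Type, Rights, IsInherited
        [Parameter(Mandatory)][string[]]$Principals,  # the user plus every group in its token
        [Parameter(Mandatory)][string[]]$Requested    # rights being asked for, e.g. 'Delete'
    )
    # Canonical ACE order: explicit before inherited, and Deny before Allow within each.
    $ordered = $Dacl | Sort-Object -Property @{ Expression = { [int][bool]$_.IsInherited } },
                                             @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    $granted = @()
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.Trustee) { continue }     # ACE is for someone else
        # Only rights still outstanding matter: a right already granted by an
        # earlier (higher-precedence) Allow is not taken away by a later Deny.
        $overlap = @($ace.Rights | Where-Object { $Requested -contains $_ -and $granted -notcontains $_ })
        if ($overlap.Count -eq 0) { continue }
        if ($ace.Type -eq 'Deny') {
            return [pscustomobject]@{ Allowed = $false; Granted = $granted; DeniedBy = "$($ace.Trustee) Deny $($overlap -join ',')" }
        }
        $granted += $overlap
        $missing = @($Requested | Where-Object { $granted -notcontains $_ })
        if ($missing.Count -eq 0) {
            return [pscustomobject]@{ Allowed = $true; Granted = $granted; DeniedBy = $null }
        }
    }
    # No ACE covered a requested right: the principal is simply not represented (implicit deny)
    [pscustomobject]@{ Allowed = $false; Granted = $granted; DeniedBy = 'implicit (no matching ACE)' }
}

# Constructed DACL for an OU: the HelpDesk Deny is inherited from the parent OU,
# the HelpDesk Allow was added explicitly on this OU (and vice versa for Contractors).
$dacl = @(
    [pscustomobject]@{ Trustee = 'CORP\HelpDesk';    Type = 'Deny';  Rights = @('Delete');                  IsInherited = $true  }
    [pscustomobject]@{ Trustee = 'CORP\HelpDesk';    Type = 'Allow'; Rights = @('Read', 'Write', 'Delete'); IsInherited = $false }
    [pscustomobject]@{ Trustee = 'CORP\Contractors'; Type = 'Allow'; Rights = @('Read', 'Write');           IsInherited = $true  }
    [pscustomobject]@{ Trustee = 'CORP\Contractors'; Type = 'Deny';  Rights = @('Write');                   IsInherited = $false }
)

# Inherited Deny vs explicit Allow: the explicit Allow wins (the exception on slide 9)
Test-EffectiveAccess -Dacl $dacl -Principals 'CORP\jdoe', 'CORP\HelpDesk' -Requested 'Delete'
# Explicit Deny vs inherited Allow: the Deny wins and the check stops there
Test-EffectiveAccess -Dacl $dacl -Principals 'CORP\asmith', 'CORP\Contractors' -Requested 'Read', 'Write'
# Not in the DACL at all: implicit deny (slide 10)
Test-EffectiveAccess -Dacl $dacl -Principals 'CORP\bob' -Requested 'Read'
```

The first call returns `Allowed=True`, the second `Allowed=False` with `DeniedBy=CORP\Contractors Deny Write`, the third `Allowed=False` with the implicit-deny marker. The same ordering is what the Effective Permissions tab computes, which is why an explicit Allow placed on a child object silently defeats a Deny that an administrator set higher up the OU tree.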

16 Working with Forests, Trees, and Domains
- Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests
- The first domain controller creates more than just a new domain; it also creates the root of a new tree and the root of a new forest
- It may eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

17 Active Directory Terminology
- Directory partitions
- Operations master roles
- Active Directory replication
- Trust relationships

18 Directory Partitions
- Each section of an Active Directory database is referred to as a directory partition; there are five directory partition types in the AD database:
  - Domain directory partition: contains all objects in a domain, including users, groups, computers, OUs, and so forth
  - Schema directory partition: contains the information needed to define AD objects and object attributes
  - Global catalog partition: holds the global catalog, which is a partial replica of all objects in the forest
  - Application directory partition: used by applications and services to hold information that benefits from
  - Configuration partition: holds configuration information that can affect the entire forest

19 Operations Master Roles
- Several operations in a forest require a single domain controller, called the operations master, to have sole responsibility for the function
- The first domain controller in the forest initially holds all of the operations master roles
- If necessary, responsibility for these roles can be transferred to another domain controller

20 Operations Master Roles (cont.)
- There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles, in an AD forest:
  - Schema master (one per forest)
  - Domain Naming master (one per forest)
  - Infrastructure master (one per domain)
  - RID master (one per domain)
  - PDC Emulator master (one per domain)
- When removing DCs from a forest, be careful that these roles are not removed from the network accidentally; transfer them to another DC before demoting the holder
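To make the warning on slide 20 operational, the PowerShell below (an added example, not code from the slides) lists each FSMO role with its scope and holder from Get-ADForest and Get-ADDomain, and refuses to call a DC safe to demote while it still holds any role. It assumes the ActiveDirectory module and a domain-joined administrative session; dc1.corp.example and "<other-dc>" are placeholders.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest                       # the two forest-wide roles are exposed here
    $dom    = Get-ADDomain -Identity $Domain     # the three per-domain roles are exposed here
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = $Domain;  Holder = $dom.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = $Domain;  Holder = $dom.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = $Domain;  Holder = $dom.InfrastructureMaster }
}

function Test-SafeToDemote {
    # Returns $true only when the named DC (FQDN) holds no operations master role
    param([Parameter(Mandatory)][string]$DomainController)
    $held = @(Get-FsmoRoleHolder | Where-Object { $_.Holder -ieq $DomainController })
    if ($held.Count -eq 0) { return $true }
    $roles = $held.Role -join ','
    Write-Warning "$DomainController still holds $roles; transfer before demoting, e.g.:"
    Write-Warning "  Move-ADDirectoryServerOperationMasterRole -Identity <other-dc> -OperationMasterRole $roles"
    Write-Warning "  (add -Force only to seize a role from a DC that is permanently gone)"
    return $false
}

Get-FsmoRoleHolder | Format-Table -AutoSize
Test-SafeToDemote -DomainController 'dc1.corp.example'
```

A graceful transfer (without -Force) requires the current holder to be online and replicating; seizing a role with -Force while the old holder is merely unreachable produces two DCs that both believe they own it, which for the RID master means duplicate SIDs and for the schema master means conflicting schema changes.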

21 Active Directory Replication
- Replication is the process of maintaining a consistent database of information when the database is distributed among several locations
- Intrasite replication: replication between domain controllers in the same site
- Intersite replication: occurs between two or more sites
- Multimaster replication: used by AD for replicating AD objects; any writable DC can accept a change, which is then replicated to the others
- The Knowledge Consistency Checker (KCC) runs on all DCs
  - It determines the replication topology, which defines the path through which AD changes flow between domain controllers, and ensures that no more than three hops exist between any two DCs in a site

22 Active Directory Replication (cont.) [figure only]

23 Trust Relationships
- In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain
- Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest
- Trusts do not equal permissions: a trust only lets the other domain's principals be authenticated, they still must be granted permissions on the resource

24 The Role of Forests
- All domains in a forest share some common characteristics:
  - A single schema
  - Forestwide administrative accounts
  - Operations masters
  - Global catalog
  - Trusts between domains
  - Replication between domains

25 The Importance of the Global Catalog Server
- The first DC installed in a forest is automatically designated as a global catalog server, but additional global catalog servers can be configured as well
- Global catalog servers perform the following vital functions:
  - Facilitate domain and forestwide searches
  - Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN)
  - Hold universal group membership information

26 Forest Root Domain
- The first domain is the forest root and is referred to as the forest root domain
- It is imperative to the functionality of AD; if it disappears, the entire structure ceases to operate
- Functions the forest root domain usually handles:
  - DNS server
  - Global catalog server
  - Forestwide administrative accounts
  - Operations masters

27 Forest Root Domain (cont.) [figure only]

28 Forest Root Domain (cont.)
- Due to the importance of the forest root domain's functionality, some organizations choose a dedicated forest root domain (a root domain that holds no ordinary user or resource accounts)
- The advantages of running a dedicated forest root domain include the following:
  - More secure
  - More manageable
  - More flexible

29 Forest Root Domain (cont.) [figure only]

30 Choosing a Single or Multiple Forest Design
- Most organizations operate under a single AD forest, which has a number of advantages:
  - A common Active Directory structure
  - Easy access to network resources
  - Centralized management
- The advantages of a single forest structure are also limitations in many aspects; diversity within an organization may make a single forest design unfeasible
- A multiple forest design includes the following advantages:
  - Differing schemas are possible
  - Security boundaries (the forest, not the domain, is the security boundary)
  - Separate administration

31 Understanding Trusts
- Trusts allow users in one domain to access resources in another domain without requiring a user account in the other domain
- Types of trust:
  - One-way and two-way trusts
  - Transitive trusts
  - Shortcut trusts
  - Forest trusts
  - External trusts
  - Realm trusts

32 Understanding Trusts (cont.) [figure only]

33 One-Way and Two-Way Trusts
- A one-way trust exists when one domain trusts another, but the reverse is not true
- When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa
- In this case, domainA is the trusting domain and domainB is the trusted domain
- More common is the two-way trust, in which users from both domains can be given access to resources in the other domain

34 Transitive Trusts
- A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C
- If one domain trusts another domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain
- To authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination; this can cause substantial delays

35 Transitive Trusts (cont.) [figure only]

36 Shortcut Trusts
- A shortcut trust is configured manually between domains to bypass the normal referral process
- Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest
- Shortcut trusts can reduce delays caused by the referral process

37 Shortcut Trusts (cont.) [figure only]

38 Forest Trusts
- A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in the other forest
- Forest trusts are not possible in Windows 2000 forests (the forest functional level must be at least Windows Server 2003)
- They are transitive in the sense that all domains in one forest trust all domains in the other forest, but the trust isn't transitive from one forest through another to a third forest

39 External Trusts
- An external trust is a one-way or two-way nontransitive trust between two domains that aren't in the same forest
- Generally used in these circumstances:
  - To create a trust between two domains in different forests
  - To create a trust with a Windows 2000 or Windows NT domain

40 Realm Trusts
- Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest
- This requires the OS to be running the Kerberos V5 authentication system that AD uses
- Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network

41 Designing the Domain Structure
- Most small and medium businesses choose a single domain for reasons that include the following:
  - Simplicity
  - Lower costs
  - Easier management
  - Easier access to resources

42 Designing the Domain Structure (cont.)
- Using multiple domains makes sense or is even a necessity in the following circumstances:
  - Compatibility with a Windows NT domain
  - Need for differing account policies
  - Need for different name identities
  - Replication control
  - Need for internal versus external domains
  - Need for tight security

43 Understanding Sites
- An AD site represents a physical location where DCs are placed and group policies can be applied
- The first DC of a forest creates a site named Default-First-Site-Name once installed
- Three main reasons for establishing multiple sites:
  - Authentication efficiency
  - Replication efficiency
  - Application efficiency
- Sites are created using Active Directory Sites and Services

44 Understanding Sites (cont.) [figure only]

45 Site Components: Subnets, Site Links, Bridgehead Servers
- Subnets
  - Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site
- Site links
  - A site link is needed to connect two or more sites for replication purposes
  - Site links determine the replication schedule and frequency between two sites
- Bridgehead servers
  - Intersite replication occurs between bridgehead servers
  - One DC per site is designated as the Inter-Site Topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition

46 Site Links
- The intersite replication topology is determined by the cost value associated with site links; when more than one path exists between two sites, the ISTG uses the lowest-cost path
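Slides 43 to 46 describe sites, subnets, site links and the cost and schedule that steer intersite replication, and slide 21 the KCC that builds the connections. The PowerShell below is an added example, not code from the slides: it builds a two-site layout, sets a link cost and replication interval, restricts the link to a nightly window, moves a DC into the branch site and then shows the KCC-generated connection objects. It requires the ActiveDirectory module cmdlets introduced with Windows Server 2012 (the Windows Server 2008 module does not have them); the site names, subnets and DC name are placeholders.

```powershell
# Added example, not from the course slides. Needs the Windows Server 2012+ ActiveDirectory module.
Import-Module ActiveDirectory

# Site objects: each maps to a physical location with its own DCs
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch'

# A subnet belongs to exactly one site; a client's IP selects its site, and so the DC it logs on to
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Branch'

# Site link: the ISTG prefers the lowest total cost when several paths exist;
# replicate across this link every 60 minutes
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Restrict the link to 20:00-23:45 daily so WAN replication stays off business hours
$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationSchedule $schedule

# Move the branch DC out of Default-First-Site-Name so it serves the branch's logons
Move-ADDirectoryServer -Identity 'DC2' -Site 'Branch'

# Verify the mapping and the link parameters
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Connection objects are created by the KCC (AutoGenerated = True); the one that
# crosses sites runs between the bridgehead servers the ISTG picked
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```

Forgetting the subnet step is the classic mistake: a DC moved into a site whose clients' subnets are still unmapped keeps authenticating nobody locally, because site selection is driven by the client's IP, not by the DC's.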

47 Chapter Summary
- Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects
- OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company's organizational chart; delegation of control can be used to give users some management authority in an OU

48 Chapter Summary (cont.)
- Large organizations might require multiple domains, trees, and forests
- Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes
- The forest is the broadest logical AD component; all domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains

49 Chapter Summary (cont.)
- Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon
- A domain is the primary identifying and administrative unit of AD; each domain has a unique name, and there's an administrative account with full control over objects in the domain
- An AD site represents a physical location where domain controllers reside

