490 likes | 513 Views
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 4: Active Directory Design and Security Concepts. Work with organizational units Work with forests, trees, and domains Describe the components of a site. Objectives. 2. Working with Organizational Units.
E N D
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 4: Active Directory Design and Security Concepts
Work with organizational units Work with forests, trees, and domains Describe the components of a site Objectives MCTS Windows Server 2008 Active Directory 2
Working with Organizational Units Active Directory is based upon standards (LDAP and X.500) Lightweight Directory Access Protocol (LDAP) Created by the Internet Engineering Task Force (IETF) Based on the X.500 Directory Access Protocol (DAP) Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory LDAP has presence on other operating systems as well and can be used to integrate them with Active Directory MCTS Windows Server 2008 Active Directory
Working with Organizational Units (cont.) Benefits of using OUs You can create familiar hierarchical structures based on an organizational chart to allow easy resource access Delegation of administrative authority Able to change OU structure easily Can group users and computers for the purposes of assigning administrative and security policies Can hide AD objects for confidentiality or security reasons MCTS Windows Server 2008 Active Directory
OU Delegation of Control Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks Allows specific control of what someone with delegated control may do Commonly delegated tasks include: Create, delete, and manager user accounts Reset user passwords and force password change at next logon Read all user information Create, delete, and manage groups Modify the membership of a group Manage group policy links Generate Resultant Set of Policy (Planning) Generate Resultant Set of Policy (Logging) MCTS Windows Server 2008 Active Directory
OU Delegation of Control (cont.) Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not By default, the OU’s properties don’t show that another user has been delegated control Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions MCTS Windows Server 2008 Active Directory
Active Directory Object Permissions Three types of objects can be assigned permission to access an AD object: Users, groups, and computers; these object types are referred to as security principals AD object’s security settings are composed of three components: Discretionary Access Control List (DACL) Each entry referred to as an access control entry (ACE) Object owner Usually the user account that created the object or a group or user who has been assigned ownership System Access Control List (SACL) Defines the settings for auditing access to an object MCTS Windows Server 2008 Active Directory
Active Directory Object Permissions (cont.) Each object has a list of standard permissions and a list of special permission Each permission can be set to Allow or Deny, and five standard permissions are available for most objects Full control Read Write Create all child objects Delete all child objects MCTS Windows Server 2008 Active Directory
Active Directory Object Permissions (cont.) Users can be assigned permission to an object in three different ways User’s account is added to the object’s DACL, a method referred to as explicit permission A group the user belongs to is added to the object’s DACL The permission is inherited from a parent object’s DACL to which the user or group account has been added A user’s effective permissions are a combination of the assigned permissions Deny permissions override Allow permissions Exception: When the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object’s DACL, the Allow permission takes precedence MCTS Windows Server 2008 Active Directory
Using Deny in an ACE If a security principal isn’t represented in an object’s DACL, it doesn’t have access to the object Deny permissions are not required for every object to prevent access Deny permission usually used in cases of exception, such as when you don’t want a user to be able to delete child objects in an OU, but still want to grant access MCTS Windows Server 2008 Active Directory
Permission Inheritance in OUs Permission inheritance defines how permissions are transmitted from a parent object to a child object All objects in AD are child objects of the domain By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU MCTS Windows Server 2008 Active Directory
Advanced Features Option in Active Directory Users and Computers Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the view menu Afterwards, four new folders are shown LostAndFound Program Data System NTDS (NT Directory Service) MCTS Windows Server 2008 Active Directory
Advanced Features Option in Active Directory Users and Computers (cont.) Properties dialog box of domain, folder, and OU objects will now have three new tabs Object Used to view detailed information about a container object Security Used to view and modify an object’s permissions Attribute Editor Used to view and edit an object’s attributes MCTS Windows Server 2008 Active Directory
Effective Permissions Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal Can come from assignments made directly to a single user account or to a group the user belongs to Explicit permissions override inherited permissions and can create some exceptions to the rule that Deny permissions override Allow permissions MCTS Windows Server 2008 Active Directory
Effective Permissions (cont.) Most common settings for permission inheritance This object only The permission setting isn’t inherited by child (descendant) objects This object and all descendant objects The permission setting applies to the current object and is inherited by all child objects All descendant objects The permission setting doesn’t apply to the selected object but is inherited by all child objects Descendant [object type] objects The permission is inherited only by specific child object types, such as user, computer, or group objects Permission inheritance is enabled by default on child objects but can be disabled MCTS Windows Server 2008 Active Directory
Working with Forests, Trees, and Domains Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests First domain controller creates more than just a new domain, it also creates the root of a new tree and the root of a new forest May eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure MCTS Windows Server 2008 Active Directory
Active Directory Terminology Directory Partitions Operations Master Roles Active Directory Replication Trust Relationships MCTS Windows Server 2008 Active Directory
Directory Partitions Each section of an Active Directory database is referred to as a directory partition; there are five directory partition types in the AD database: Domain directory partition Contains all objects in a domain, including users, groups, computers, OUs, and so forth Schema directory partition Contains information needed to define AD objects and object attributes Global catalog partition Holds the global catalog, which is a partial replica of all objects in the forest Application directory partition Used by applications and services to hold information that benefits from Configuration partition Holds configuration information that can affect the entire forest MCTS Windows Server 2008 Active Directory
Operations Master Roles Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function First domain controller in the forest generally takes on the role of the operations master If necessary, responsibility for these roles can be transferred to another domain controller MCTS Windows Server 2008 Active Directory
Operations Master Roles (cont.) There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles in an AD forest: Schema master Infrastructure master Domain Naming master RID master PDC Emulator master When removing DCs from a forest, be careful that these roles are not removed from the network accidentally MCTS Windows Server 2008 Active Directory
Active Directory Replication Replication is the process of maintaining a consistent database of information when the database is distributed among several locations Intrasite replication Replication between domain controllers in the same site Intersite replication Occurs between two or more sites Multimaster replication Used by AD for replacing AD objects Knowledge Consistency Checker (KCC) runs on all DCs Determines the replication topology, which defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs MCTS Windows Server 2008 Active Directory
Active Directory Replication (cont.) MCTS Windows Server 2008 Active Directory
Trust Relationships In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest Trusts do not equal permissions MCTS Windows Server 2008 Active Directory
The Role of Forests All domains in a forest share some common characteristics A single schema Forestwide administrative accounts Operations masters Global catalog Trusts between domains Replication between domains MCTS Windows Server 2008 Active Directory
The Importance of the Global Catalog Server First DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured as well Global Catalog servers perform the following vital functions: Facilitate domain and forestwide searches Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN) Hold universal group membership information MCTS Windows Server 2008 Active Directory
Forest Root Domain First domain is the forest root and is referred to as the forest root domain Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate Functions the forest root domain usually handles: DNS server Global catalog server Forestwide administrative accounts Operations masters MCTS Windows Server 2008 Active Directory
Forest Root Domain (cont.) MCTS Windows Server 2008 Active Directory
Forest Root Domain (cont.) Due to the importance of the forest root domain’s functionality, some organizations choose a dedicated forest root domain The advantages of running a dedicated forest root domain include the following: More secure More manageable More flexible MCTS Windows Server 2008 Active Directory
Forest Root Domain (cont.) MCTS Windows Server 2008 Active Directory
Choosing a Single or Multiple Forest Design Most organizations operate under a single AD forest, which has a number of advantages: A common Active Directory structure Easy access to network resources Centralized management The advantages of single forest structure are also limitations in many aspects; diversity within an organization may make single forest design unfeasible Multiple forest design includes the following advantages: Differing schemas are possible Security boundaries Separate administration MCTS Windows Server 2008 Active Directory
Understanding Trusts Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain Types of trust One-way and two-way trusts Transitive trusts Shortcut trusts Forest trusts External trusts Realm trusts MCTS Windows Server 2008 Active Directory
Understanding Trusts (cont.) MCTS Windows Server 2008 Active Directory
One-Way and Two-Way Trusts One-way trust exists when one domain trusts another, but the reverse is not true When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa In this case, domainA is the Trusting domain, and domainB is the Trusted domain More common is the two-way trust, in which users from both domains can be given access to resources in the other domain MCTS Windows Server 2008 Active Directory
Transitive Trusts A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C If one domain trusts another domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination; this can cause substantial delays MCTS Windows Server 2008 Active Directory
Transitive Trusts (cont.) MCTS Windows Server 2008 Active Directory
Shortcut Trusts A shortcut trust is configured manually between domains to bypass the normal referral process Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest Shortcut trusts can reduce delays caused by referral processes MCTS Windows Server 2008 Active Directory
Shortcut Trusts (cont.) MCTS Windows Server 2008 Active Directory
Forest Trusts A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest Are not possible in Windows 2000 forests They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isn’t transitive from one forest to another MCTS Windows Server 2008 Active Directory
External Trusts An external trust is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest Generally used in these circumstances: To create a trust between two domains in different forests To create a trust with a Windows 2000 or Windows NT domain MCTS Windows Server 2008 Active Directory
Realm Trusts Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest This requires the OS to be running the Kerberos V5 authentication system that AD uses Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network MCTS Windows Server 2008 Active Directory
Designing the Domain Structure Most small and medium businesses choose a single domain for reasons that include the following: Simplicity Lower costs Easier management Easier access to resources MCTS Windows Server 2008 Active Directory
Designing the Domain Structure (cont.) Using multiple domains makes sense or is even a necessity in the following circumstances: Compatibility with a Windows NT domain Need for differing account policies Need for different name identities Replication control Need for internal versus external domains Need for tight security MCTS Windows Server 2008 Active Directory
Understanding Sites AD site represents a physical location where DCs are placed and group policies can be applied First DC of a forest creates a site named Default-First-Site-Name once installed Three main reasons for establishing multiple sites: Authentication efficiency Replication efficiency Application efficiency Sites are created using Active Directory Sites and Services MCTS Windows Server 2008 Active Directory
Understanding Sites (cont.) MCTS Windows Server 2008 Active Directory
Site Components Subnets Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site Site Links A site link is needed to connect two or more sites for replication purposes Determine replication schedule and frequency between two sites Bridgehead Servers Intersite replication occurs between bridgehead servers One DC is designated as the Inter-Site topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition MCTS Windows Server 2008 Active Directory
Site Links Intersite replication topology is determined by cost value associate with site links MCTS Windows Server 2008 Active Directory
Chapter Summary Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company’s organizational chart; delegation of control can be used to give users some management authority in an OU MCTS Windows Server 2008 Active Directory
Chapter Summary (cont.) Large organizations might require multiple domains, trees, and forests Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes The forest is the broadest logical AD component; all domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains MCTS Windows Server 2008 Active Directory
Chapter Summary (cont.) Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon A domain is the primary identifying and administrative unit of AD; each domain has a unique name, and there’s an administrative account with full control over objects in the domain An AD site represents a physical location where domain controllers reside MCTS Windows Server 2008 Active Directory