
Chapter 4: Planning the Active Directory and Security


Presentation Transcript


  1. Chapter 4: Planning the Active Directory and Security

  2. Learning Objectives
     • Explain the contents of the Active Directory
     • Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
     • Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security

  3. Learning Objectives (continued)
     • Plan how to use groups, group policies, and security templates
     • Plan IP security measures

  4. Windows NT Domain Structure
     • The Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
     • One primary domain controller (PDC) has the master copy of the SAM
     • One or more backup domain controllers (BDCs) hold regularly backed-up copies of the SAM
     • If the PDC fails, a BDC is promoted

  5. Using a PDC, BDCs, and the SAM database
     Figure 4-1: Windows NT SAM architecture

  6. Windows 2000 Active Directory
     • Domain objects, including user accounts, computers, servers, printers, groups, security policies, domains, and other objects, compose the Active Directory

  7. Windows 2000 Active Directory
     • Made up of the following files:
     • NTDS.DIT: the single file holding the database
     • EDB*.LOG: log files associated with database transactions
     • EDB.CHK: checkpoint file holding error tracking/correction information for the database
     • RES1.LOG and RES2.LOG: reserve disk space

  8. Active Directory Objects
     Figure 4-2: Domain objects in the Active Directory

  9. Active Directory Objects
     • Object types:
     • User account
     • Computer account
     • Domain controller
     • Groups
     • Organizational unit
     • Printers

  10. Multimaster Replication
     • Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC is a master in its own right, replication does not stop when one DC is down.

  11. Multimaster Replication
     • An account can be created on any of the DCs
     • The other DCs are updated automatically
     • Replication can be limited to changed data only; the whole file does not have to be replicated
     • If one DC fails, the others are up to date and the system stays up
     • There is no need to stop and promote a BDC

  12. Schema • Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

  13. Example Schema Characteristics of the User Account Class
     • Unique object name
     • Globally unique identifier (GUID) associated with each object name
     • Required attributes
     • Optional attributes
     • Syntax of how attributes are defined
     • Pointers to parent entities

  14. Example User Account Attributes
     • Username
     • User’s full name
     • Password

  15. Schema Example
     Figure 4-4: Sample schema information for user accounts

  16. Default Object Classes
     • Domain
     • User account
     • Group
     • Shared drive
     • Shared folder
     • Computer
     • Printer

  17. Object Naming
     • Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer, e.g. HPLaserMain
     • Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name
     • CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>
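As an added example (not from the slides or any vendor code), the DN form on slide 17 built and parsed in Python. The sample names are constructed, and the escaping rule for commas and other reserved characters follows LDAP DN syntax (RFC 4514), which the slide does not cover:

```python
# Added example, not from the slides: build and parse distinguished names in
# the CN=<object>,OU=<unit>,O=<organization>,C=<country> form of slide 17.
# Sample names are constructed. Characters that would otherwise split or
# confuse a DN are backslash-escaped, as LDAP DN syntax (RFC 4514) requires.

SPECIAL = set(',=+"\\<>;')

def escape_value(value):
    """Escape reserved characters, a leading '#' or space, and a trailing space."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL or (i == 0 and ch in '# ') or (i == last and ch == ' '):
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def build_dn(cn, ous, org, country):
    """Compose a DN; 'ous' runs outermost to innermost, so the innermost OU
    lands next to the CN as the hierarchy requires."""
    rdns = ['CN=' + escape_value(cn)]
    rdns += ['OU=' + escape_value(ou) for ou in reversed(ous)]
    rdns += ['O=' + escape_value(org), 'C=' + escape_value(country)]
    return ','.join(rdns)

def parse_dn(dn):
    """Split a DN into (type, value) pairs; an escaped comma inside a value
    is data, not a separator."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [(t.upper(), v) for t, _, v in
            (p.lstrip().partition('=') for p in parts)]

def parent_dn(dn):
    """Container holding the object (slide 13's pointer to the parent entity)."""
    return ','.join(t + '=' + escape_value(v) for t, v in parse_dn(dn)[1:])
```

A user whose common name contains a comma, such as "Smith, John", is the case that breaks naive string splitting; the escaping keeps the CN as one component.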

  18. Namespace
     • Namespace: The naming scheme for Active Directory objects; it is DNS-based, so a DC can also be set up as a DNS server

  19. Active Directory Elements
     • Domains
     • Organizational units (OUs)
     • Trees
     • Forests
     • Sites

  20. Active Directory Architecture
     Figure 4-5: Active Directory hierarchical containers

  21. Functions of a Domain
     • Provide a security boundary for objects in a common relationship
     • Establish a set of data to be replicated among DCs
     • Expedite management of a set of objects

  22. Using a Single Domain
     Figure 4-6: Single domain

  23. Using Multiple Domains
     Figure 4-7: Using multiple domains

  24. Domain Creation Dos and Don’ts

  25. Domain Creation Dos and Don’ts (continued)

  26. Functions of an OU
     • Group related objects, such as user accounts and printers, for easier management
     • Reflect the structure of an organization
     • Group objects to be administered using the same group policies

  27. Using OUs to Reflect Organizational Structure
     Figure 4-8: OUs used to reflect the divisional structure of a company

  28. Design Tips for Using OUs
     • Limit OUs to 10 levels or fewer
     • OUs use fewer CPU resources when they are set up horizontally instead of vertically
     • Each OU level traversed in a search costs CPU time

  29. OU Creation Dos and Don’ts

  30. OU Creation Dos and Don’ts (continued)

  31. Characteristics of a Tree
     • Member domains are in a contiguous namespace, e.g. chi.devry.edu and tp.devry.edu under the devry.edu tree
     • Member domains can compose a hierarchy
     • Member domains use the same schema for common objects
     • Member domains use the same global catalog (an encyclopedia of information about objects)

  32. Global Catalog • Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

  33. Global Catalog Functions
     • Authenticating users
     • Providing lookup and access to resources in all domains
     • Providing replication of key Active Directory elements
     • Keeping a copy of the most frequently used attributes for all objects

  34. Hierarchical Domains in a Tree
     Figure 4-9: Tree with hierarchical domains

  35. Kerberos Transitive Trust • Kerberos Transitive Trust Relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.

  36. Trusted and Trusting Domains
     • Trusted domain: A domain that has been granted security access to resources in another domain
     • Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers

  37. Tree Creation Dos and Don’ts

  38. Tree Creation Dos and Don’ts (continued)

  39. Planning Tip
     • Make sure each tree has at least one DC that is also configured as a global catalog
     • Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

  40. Characteristics of a Forest
     • Member trees use a disjointed namespace (but contiguous namespaces within trees)
     • Member trees use the same schema
     • Member trees use the same global catalog

  41. Single Forest
     • Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

  42. Single Forest Architecture
     Figure 4-10: A forest

  43. Separate Forest • Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

  44. Separate Forest Architecture
     Figure 4-11: Separate forest model

  45. Forest Creation Dos and Don’ts

  46. Forest Creation Dos and Don’ts (continued)

  47. Design Tip
     • When you create a separate forest structure, remember that:
     • Replication cannot take place between forests
     • The forests use different schemas and global catalogs
     • The forests cannot be easily blended into a single forest in the future

  48. Site • Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

  49. Characteristics of a Site
     • Reflects one or more interconnected subnets (512 Kbps or faster)
     • Reflects the same boundaries as the LAN
     • Used for DC replication
     • Enables clients to access the closest DC
     • Composed of servers and configuration objects

  50. Site Links
     • Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
     • Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links
