Getting Started With Active Directory

1
Getting Started With Active Directory

• Or How to Bring Logic to Your Companys 437
  Domains

2
So Who is This Guy Anyway?

• Founder and Chief Scientist Networks Are Our
  Lives, Inc!
• Network and Directory services design
• Security
• Network Documentation
• Systems management/monitoring deployment
• Author
• 3 Books and over 100 articles and product reviews
  
• Currently with Network Computing
• Contact
• Networks Are Our Lives, Inc! hmarks_at_naol.com
• 1201 Hudson St. Suite 1003s (866) 812-7611
• Hoboken, NJ 07030 WWW.NAOL.COM

3
Why Youre Here

• Functions and applications driving update
• Just keeping up
• With the market
• Or the Joneses
• Windows NT Timeline
• Next week OEM and retail sales end
• 1/1/2003 4 Hot-Fixes cost
• 1/1/2004 5 Live support and hot fixes end
• 1/1/2005 6 Online support ends
• Easy way to get off helpdesk for 3 days

4
Our Objectives

• Understand Active Directory
• Components
• Terminology
• Structure
• Features and benefits
• Identify Best Practices
• Implementation Tips

5
Our Real Objective

• Make your life easier!

6
Assumptions

• You know
• Windows NT 4.0 Server
• TCP/IP
• You dont know
• Active Directory
• Group Policies Etc
• You are
• Planning a Windows 2000 server rollout
• Have 50-10,000 users to support
• Awake

7
ADS, then, is...

• Extension of and replacement for Windows NT
  Domains
• The directory service included in Windows 2000
• Based on DNS, LDAP and X.500
• Active Directory Services are
• Secure
• Distributed
• Partitioned
• Replicated

8
Before AD

• Windows NT domains
• Typical organization had master user domains and
  resource domains
• Each domain needed
• WINS for NetBIOS names
• DNS for internet names
• The browser
• Email, Application and other directories
• Other vendors had true Directory Services
• Banyan Streetalk
• Novell NDS (eDirectory)

9
Why Active Directory

• Windows NT domains limited
• Each domain an island
• Trusts Stink
• Too much work to set up
• They Rot Away
• Large organizations need thousands
• Not Scalable
• Single master replication
• If PDC is down, or inaccessible, users cant
  change passwords
• No delegation of administration
• Microsoft is forcing us that way
• Exchange 2000 requires AD

10
Basic Definitions

• Forest
• A group of domains joined into a common
  directory. The largest unit in AD.
• All domains in forest share Schema, some
  administrators, 2 way trusts
• Tree
• Domains in a forest with common suffix
• IEUS.AD.widget.com,EURO.AD.widget.com
• Domain
• Administrative and replication boundary
• Conceptually the same as Windows NT but now
  corresponds to DNS domain
• Domain controllers hold all the information about
  objects (users, groups, computers, Etc.) in their
  domain

11
More Definitions

• Organizational Units (OU)
• Administrative boundary smaller than domain
• Contain objects for administrative,
  organizational purposes
• Site
• A group of systems with LAN ? 10Mbps
• Site configuration effects replication
• Defined by IP subnets
• Global Catalog
• A server that contains a subset of attributes for
  all objects in the forest
• Think White Pages
• Includes Email address, domain (so we can ask DC
  for more data)

12
Final Definitions

• Kerberos
• A Public Key Infrastructure based authentication
  system
• Schema
• All the attributes for all the objects are
  defined in the schema
• Syntax defines the type of data that can be
  stored in the attribute
• The schema definition for each object class
  identifies all the possible attributes for the
  object
• The schema contains a default DACL for each
  object class
• The default ACLs is used when an instance of the
  object is created in the directory

13
AD Design Choices

• LDAP access
• Protocol was becoming industry standard
• X.500 data model
• Object hierarchy permits subtree-scoped queries
• Schema defines attributes and object classes
• Attribute-level access control
• Required for data sharing between applications
• DNS-integrated object naming
• Enables a globally unique namespace based on the
  de facto Internet locator service
• Security
• Multiple authentication paths, one authorization
  model
• In-place or side-by-side upgrade
• Learned from Novell offer upgrade flexibility!

14
Replication Design Choices

• Multi-master
• Need local password update
• Approximately last writer wins
• Eventual convergence
• Attribute granularity
• When attribute changes, replicate entire new
  value
• Reduces network traffic and lost updates versus
  object granularity
• State-based
• Send current state not a log
• Predictable storage overhead, needed anyway for
  full sync
• Implies tombstones for deletes
• Transitive
• Communicate update to somebody not everybody
• Big win with mixed link speed - once per slow
  link
• Automated topology generation (KCC)

15
Logical Structure Relationships
Forest
SAAB.CO.SA
Tree
Chevy.GM.COM
NA.SAAB.CO.SA
Tree
Trucks.chevy.gm.com
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
Schema
Objects
16
So What do We Get?

• True Multi-Domain Integration
• Transitive Trusts
• Global Catalog
• Group Policy Objects
• Controllable Replication
• Directory Security
• Granular Administration

17
When to Use Multiple Trees

• Public view requires different root domain names
• IE Kraft Foods doesnt want .PhillipMorris.com
  suffix
• Politics require divisions to keep their names
• There is no technical advantage to multiple trees

18
When to use multiple forests

• When, and only when, the service owners of
  multiple trees dont trust each other
• Multiple forest implementations do NOT
• Share a common global catalog
• No exchange GAL
• Trust each other
• You can set up old style trusts between domains
  in different forests
• Rule of thumb 1 forest per CIO

19
Domain Controller Roles

• Flexible Single Master Operations (FSMOs)
• 1 Per Forest
• Domain Naming Master
• Schema Master
• Time Reference Server
• 1 Per Domain
• PDC Emulator
• RID (Relative ID)Master
• Infrastructure Master
• KCC/ ISTG (generates inter-site topology)
• ISM (inter-site messaging)
• Global catalog

20
Reasons for Creating Domains

• Physical location
• Network traffic
• International differences
• Administrative considerations
• All users share restrictions (Password Length
  Etc)
• Politics
• NOT Defining spheres of administration (OUs can
  do that)

21
Break sponsored by
22
What are OUs

• They are distinct units of administration that
  can be delegated
• They are containers that organize objects and
  other containers
• Examples are geographic locations, projects, cost
  centers, business units, and divisions

23
What OUs Can Contain
24
Reasons for Creating OUs

• Enhancing administrative control
• Maintaining a consistent number of objects
• Controlling application of group policy objects
• Holding other OUs
• Replacing windows NT 4.0 resource domains

25
RememberDomains are Expensive

• Every domain Must have a DC
• Most should have 2-3 or more
• Logins require connectivity to home DC
• Logins more traffic than replication

26
Hierarchical OU Models

• Geographic
• Object-based
• Cost center
• Project-based
• Division or business unit
• Administration

27
Define an OU Naming Convention

• OUs are not part of the DNS namespace
• OUs are identified by LDAP and canonical names
  only
• While domains are difficult to reorganize, OUs
  within domains can be easily renamed or moved

28
Delegating Administration
OU1
DACL for Group objects
Jill can add users
Jill can add users

• The ability to set ACLs for contained objects at
  OU level means that you can define who can do
  what to a particular object in the OU
• Groups created in OU1 can be administered by Jill
• Groups created in OU2 can be administered by John

29
Delegation of Control Wizard

• Good news
• There is a delegation of control wizard
• Bad news
• There is no undelegation of control wizard
• After of delegation of control, the users must be
  given visibility permissions to the
  objects/containers they control
• Learn to edit and document ACLs
• Only delegate control to groups, not users

30
Delegation of Control Wizard
DEMO
31
ADS Security Features - Review

• Objects have an Access Control List (ACL)
• Permissions can be delegated to users by a higher
  authority
• Inheritance allows permissions to be propagated
  to all objects in child containers
• Trusts are established among all domains in an
  ADS forest
• Explicit trusts can be established between
  domains in foreign forests or legacy NT domains

32
Group Types

• Security Groups
• Allow you to assign permissions
• Allow you to use groups as an e-mail distribution
  list
• Windows NT uses only security groups
• Distribution Groups
• Do not allow you to assign permissions
• Allow you to use groups as an e-mail distribution
  list

33
Rules for Group Membership

• Universal groups only available in native mode

34
Group Scopes
35
How does AD use DNS?

• Windows 2000 uses DNS as a domain locator and
  name-to-IP translator
• Domain controllers are registered in DNS
• Clients query DNS to locate DCs
• Analogous to Internet mail (the MX record)
• Better-scaling long-term replacement for NetBIOS
  Name Services (aka WINS)
• Requires DNS servers that support Dynamic Updates
  (Windows or Bind 8)

36
Migrating to AD

• Single Domain
• Migrate in place
• Clean up Later
• 2-3 Domains
• Migrate root domain in place
• Use ADMT for additional domains
• Youre stuck with SIDHistory
• Bigger Now
• Redesign from scratch
• Use 3rd party tools from Aelita or NetIQ

37
Audience Response
Hosted by

• Question?