Getting Started With Active Directory - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Getting Started With Active Directory

Description:

3 Books and over 100 articles and product reviews. Currently with Network Computing ... ADS Security Features - Review. Objects have an Access Control List (ACL) ... – PowerPoint PPT presentation

Number of Views:138
Avg rating:3.0/5.0
Slides: 38
Provided by: searchwini
Category:

less

Transcript and Presenter's Notes

Title: Getting Started With Active Directory


1
Getting Started With Active Directory
  • Or How to Bring Logic to Your Companys 437
    Domains

2
So Who is This Guy Anyway?
  • Founder and Chief Scientist Networks Are Our
    Lives, Inc!
  • Network and Directory services design
  • Security
  • Network Documentation
  • Systems management/monitoring deployment
  • Author
  • 3 Books and over 100 articles and product reviews
  • Currently with Network Computing
  • Contact
  • Networks Are Our Lives, Inc! hmarks_at_naol.com
  • 1201 Hudson St. Suite 1003s (866) 812-7611
  • Hoboken, NJ 07030 WWW.NAOL.COM

3
Why Youre Here
  • Functions and applications driving update
  • Just keeping up
  • With the market
  • Or the Joneses
  • Windows NT Timeline
  • Next week OEM and retail sales end
  • 1/1/2003 4 Hot-Fixes cost
  • 1/1/2004 5 Live support and hot fixes end
  • 1/1/2005 6 Online support ends
  • Easy way to get off helpdesk for 3 days

4
Our Objectives
  • Understand Active Directory
  • Components
  • Terminology
  • Structure
  • Features and benefits
  • Identify Best Practices
  • Implementation Tips

5
Our Real Objective
  • Make your life easier!

6
Assumptions
  • You know
  • Windows NT 4.0 Server
  • TCP/IP
  • You dont know
  • Active Directory
  • Group Policies Etc
  • You are
  • Planning a Windows 2000 server rollout
  • Have 50-10,000 users to support
  • Awake

7
ADS, then, is...
  • Extension of and replacement for Windows NT
    Domains
  • The directory service included in Windows 2000
  • Based on DNS, LDAP and X.500
  • Active Directory Services are
  • Secure
  • Distributed
  • Partitioned
  • Replicated

8
Before AD
  • Windows NT domains
  • Typical organization had master user domains and
    resource domains
  • Each domain needed
  • WINS for NetBIOS names
  • DNS for internet names
  • The browser
  • Email, Application and other directories
  • Other vendors had true Directory Services
  • Banyan Streetalk
  • Novell NDS (eDirectory)

9
Why Active Directory
  • Windows NT domains limited
  • Each domain an island
  • Trusts Stink
  • Too much work to set up
  • They Rot Away
  • Large organizations need thousands
  • Not Scalable
  • Single master replication
  • If PDC is down, or inaccessible, users cant
    change passwords
  • No delegation of administration
  • Microsoft is forcing us that way
  • Exchange 2000 requires AD

10
Basic Definitions
  • Forest
  • A group of domains joined into a common
    directory. The largest unit in AD.
  • All domains in forest share Schema, some
    administrators, 2 way trusts
  • Tree
  • Domains in a forest with common suffix
  • IEUS.AD.widget.com,EURO.AD.widget.com
  • Domain
  • Administrative and replication boundary
  • Conceptually the same as Windows NT but now
    corresponds to DNS domain
  • Domain controllers hold all the information about
    objects (users, groups, computers, Etc.) in their
    domain

11
More Definitions
  • Organizational Units (OU)
  • Administrative boundary smaller than domain
  • Contain objects for administrative,
    organizational purposes
  • Site
  • A group of systems with LAN ? 10Mbps
  • Site configuration effects replication
  • Defined by IP subnets
  • Global Catalog
  • A server that contains a subset of attributes for
    all objects in the forest
  • Think White Pages
  • Includes Email address, domain (so we can ask DC
    for more data)

12
Final Definitions
  • Kerberos
  • A Public Key Infrastructure based authentication
    system
  • Schema
  • All the attributes for all the objects are
    defined in the schema
  • Syntax defines the type of data that can be
    stored in the attribute
  • The schema definition for each object class
    identifies all the possible attributes for the
    object
  • The schema contains a default DACL for each
    object class
  • The default ACLs is used when an instance of the
    object is created in the directory

13
AD Design Choices
  • LDAP access
  • Protocol was becoming industry standard
  • X.500 data model
  • Object hierarchy permits subtree-scoped queries
  • Schema defines attributes and object classes
  • Attribute-level access control
  • Required for data sharing between applications
  • DNS-integrated object naming
  • Enables a globally unique namespace based on the
    de facto Internet locator service
  • Security
  • Multiple authentication paths, one authorization
    model
  • In-place or side-by-side upgrade
  • Learned from Novell offer upgrade flexibility!

14
Replication Design Choices
  • Multi-master
  • Need local password update
  • Approximately last writer wins
  • Eventual convergence
  • Attribute granularity
  • When attribute changes, replicate entire new
    value
  • Reduces network traffic and lost updates versus
    object granularity
  • State-based
  • Send current state not a log
  • Predictable storage overhead, needed anyway for
    full sync
  • Implies tombstones for deletes
  • Transitive
  • Communicate update to somebody not everybody
  • Big win with mixed link speed - once per slow
    link
  • Automated topology generation (KCC)

15
Logical Structure Relationships
Forest
SAAB.CO.SA
Tree
Chevy.GM.COM
NA.SAAB.CO.SA
Tree
Trucks.chevy.gm.com
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
OU
Schema
Objects
16
So What do We Get?
  • True Multi-Domain Integration
  • Transitive Trusts
  • Global Catalog
  • Group Policy Objects
  • Controllable Replication
  • Directory Security
  • Granular Administration

17
When to Use Multiple Trees
  • Public view requires different root domain names
  • IE Kraft Foods doesnt want .PhillipMorris.com
    suffix
  • Politics require divisions to keep their names
  • There is no technical advantage to multiple trees

18
When to use multiple forests
  • When, and only when, the service owners of
    multiple trees dont trust each other
  • Multiple forest implementations do NOT
  • Share a common global catalog
  • No exchange GAL
  • Trust each other
  • You can set up old style trusts between domains
    in different forests
  • Rule of thumb 1 forest per CIO

19
Domain Controller Roles
  • Flexible Single Master Operations (FSMOs)
  • 1 Per Forest
  • Domain Naming Master
  • Schema Master
  • Time Reference Server
  • 1 Per Domain
  • PDC Emulator
  • RID (Relative ID)Master
  • Infrastructure Master
  • KCC/ ISTG (generates inter-site topology)
  • ISM (inter-site messaging)
  • Global catalog

20
Reasons for Creating Domains
  • Physical location
  • Network traffic
  • International differences
  • Administrative considerations
  • All users share restrictions (Password Length
    Etc)
  • Politics
  • NOT Defining spheres of administration (OUs can
    do that)

21
Break sponsored by
22
What are OUs
  • They are distinct units of administration that
    can be delegated
  • They are containers that organize objects and
    other containers
  • Examples are geographic locations, projects, cost
    centers, business units, and divisions

23
What OUs Can Contain
24
Reasons for Creating OUs
  • Enhancing administrative control
  • Maintaining a consistent number of objects
  • Controlling application of group policy objects
  • Holding other OUs
  • Replacing windows NT 4.0 resource domains

25
RememberDomains are Expensive
  • Every domain Must have a DC
  • Most should have 2-3 or more
  • Logins require connectivity to home DC
  • Logins more traffic than replication

26
Hierarchical OU Models
  • Geographic
  • Object-based
  • Cost center
  • Project-based
  • Division or business unit
  • Administration

27
Define an OU Naming Convention
  • OUs are not part of the DNS namespace
  • OUs are identified by LDAP and canonical names
    only
  • While domains are difficult to reorganize, OUs
    within domains can be easily renamed or moved

28
Delegating Administration
OU1
DACL for Group objects
Jill can add users
Jill can add users
  • The ability to set ACLs for contained objects at
    OU level means that you can define who can do
    what to a particular object in the OU
  • Groups created in OU1 can be administered by Jill
  • Groups created in OU2 can be administered by John

29
Delegation of Control Wizard
  • Good news
  • There is a delegation of control wizard
  • Bad news
  • There is no undelegation of control wizard
  • After of delegation of control, the users must be
    given visibility permissions to the
    objects/containers they control
  • Learn to edit and document ACLs
  • Only delegate control to groups, not users

30
Delegation of Control Wizard
DEMO
31
ADS Security Features - Review
  • Objects have an Access Control List (ACL)
  • Permissions can be delegated to users by a higher
    authority
  • Inheritance allows permissions to be propagated
    to all objects in child containers
  • Trusts are established among all domains in an
    ADS forest
  • Explicit trusts can be established between
    domains in foreign forests or legacy NT domains

32
Group Types
  • Security Groups
  • Allow you to assign permissions
  • Allow you to use groups as an e-mail distribution
    list
  • Windows NT uses only security groups
  • Distribution Groups
  • Do not allow you to assign permissions
  • Allow you to use groups as an e-mail distribution
    list

33
Rules for Group Membership
  • Universal groups only available in native mode

34
Group Scopes
35
How does AD use DNS?
  • Windows 2000 uses DNS as a domain locator and
    name-to-IP translator
  • Domain controllers are registered in DNS
  • Clients query DNS to locate DCs
  • Analogous to Internet mail (the MX record)
  • Better-scaling long-term replacement for NetBIOS
    Name Services (aka WINS)
  • Requires DNS servers that support Dynamic Updates
    (Windows or Bind 8)

36
Migrating to AD
  • Single Domain
  • Migrate in place
  • Clean up Later
  • 2-3 Domains
  • Migrate root domain in place
  • Use ADMT for additional domains
  • Youre stuck with SIDHistory
  • Bigger Now
  • Redesign from scratch
  • Use 3rd party tools from Aelita or NetIQ

37
Audience Response
Hosted by
  • Question?
Write a Comment
User Comments (0)
About PowerShow.com