Title: Getting Started With Active Directory
1 Getting Started With Active Directory
- Or How to Bring Logic to Your Company's 437 Domains
2 So Who is This Guy Anyway?
- Founder and Chief Scientist, Networks Are Our Lives, Inc!
- Network and Directory services design
- Security
- Network Documentation
- Systems management/monitoring deployment
- Author
- 3 Books and over 100 articles and product reviews
- Currently with Network Computing
- Contact
- Networks Are Our Lives, Inc!
- 1201 Hudson St. Suite 1003s, Hoboken, NJ 07030
- hmarks_at_naol.com, (866) 812-7611, WWW.NAOL.COM
3 Why You're Here
- Functions and applications driving update
- Just keeping up
- With the market
- Or the Joneses
- Windows NT Timeline
- Next week OEM and retail sales end
- 1/1/2003 4 Hot-Fixes cost
- 1/1/2004 5 Live support and hot fixes end
- 1/1/2005 6 Online support ends
- Easy way to get off helpdesk for 3 days
4 Our Objectives
- Understand Active Directory
- Components
- Terminology
- Structure
- Features and benefits
- Identify Best Practices
- Implementation Tips
5 Our Real Objective
6 Assumptions
- You know
- Windows NT 4.0 Server
- TCP/IP
- You don't know
- Active Directory
- Group Policies, etc.
- You are
- Planning a Windows 2000 server rollout
- Have 50-10,000 users to support
- Awake
7 ADS, then, is...
- Extension of and replacement for Windows NT Domains
- The directory service included in Windows 2000
- Based on DNS, LDAP and X.500
- Active Directory Services are
- Secure
- Distributed
- Partitioned
- Replicated
8 Before AD
- Windows NT domains
- Typical organization had master user domains and resource domains
- Each domain needed
- WINS for NetBIOS names
- DNS for internet names
- The browser
- Email, Application and other directories
- Other vendors had true Directory Services
- Banyan Streetalk
- Novell NDS (eDirectory)
9 Why Active Directory
- Windows NT domains limited
- Each domain an island
- Trusts Stink
- Too much work to set up
- They Rot Away
- Large organizations need thousands
- Not Scalable
- Single master replication
- If PDC is down, or inaccessible, users can't change passwords
- No delegation of administration
- Microsoft is forcing us that way
- Exchange 2000 requires AD
10 Basic Definitions
- Forest
- A group of domains joined into a common directory. The largest unit in AD.
- All domains in forest share Schema, some administrators, 2 way trusts
- Tree
- Domains in a forest with common suffix
- i.e. US.AD.widget.com, EURO.AD.widget.com
- Domain
- Administrative and replication boundary
- Conceptually the same as Windows NT but now corresponds to DNS domain
- Domain controllers hold all the information about objects (users, groups, computers, etc.) in their domain
11 More Definitions
- Organizational Units (OU)
- Administrative boundary smaller than domain
- Contain objects for administrative, organizational purposes
- Site
- A group of systems with LAN (≥ 10 Mbps) connectivity
- Site configuration affects replication
- Defined by IP subnets
- Global Catalog
- A server that contains a subset of attributes for all objects in the forest
- Think White Pages
- Includes Email address, domain (so we can ask DC for more data)
12 Final Definitions
- Kerberos
- A Public Key Infrastructure based authentication system
- Schema
- All the attributes for all the objects are defined in the schema
- Syntax defines the type of data that can be stored in the attribute
- The schema definition for each object class identifies all the possible attributes for the object
- The schema contains a default DACL for each object class
- The default ACL is used when an instance of the object is created in the directory
13 AD Design Choices
- LDAP access
- Protocol was becoming industry standard
- X.500 data model
- Object hierarchy permits subtree-scoped queries
- Schema defines attributes and object classes
- Attribute-level access control
- Required for data sharing between applications
- DNS-integrated object naming
- Enables a globally unique namespace based on the de facto Internet locator service
- Security
- Multiple authentication paths, one authorization model
- In-place or side-by-side upgrade
- Learned from Novell: offer upgrade flexibility!
14 Replication Design Choices
- Multi-master
- Need local password update
- Approximately last writer wins
- Eventual convergence
- Attribute granularity
- When an attribute changes, replicate the entire new value
- Reduces network traffic and lost updates versus object granularity
- State-based
- Send current state, not a log
- Predictable storage overhead, needed anyway for full sync
- Implies tombstones for deletes
- Transitive
- Communicate update to somebody, not everybody
- Big win with mixed link speed - once per slow link
- Automated topology generation (KCC)
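To make the four replication choices above concrete, here is a small Python model added for this write-up (not Microsoft's code and not from the talk): three replicas with per-attribute version stamps, approximately-last-writer-wins conflict resolution, tombstoned deletes, and state-based exchange over a ring so updates travel transitively. DC names, DNs and attribute values are constructed sample data.

```python
from dataclasses import dataclass, field

# Per-attribute stamp, ordered by version, then timestamp, then originating DC
# as a tie-break: the slide's "approximately last writer wins".
@dataclass(order=True, frozen=True)
class Stamp:
    version: int
    timestamp: int
    origin: str

@dataclass
class Replica:
    name: str
    # object DN -> attribute -> (Stamp, value); deletes are kept as a tombstone
    # (isDeleted=True) rather than removing the object, so they replicate too.
    store: dict = field(default_factory=dict)

    def write(self, dn, attr, value, now):
        """Originating write: only the changed attribute gets a new version."""
        old = self.store.setdefault(dn, {}).get(attr)
        self.store[dn][attr] = (Stamp(old[0].version + 1 if old else 1, now, self.name), value)

    def apply(self, dn, attr, stamp, value):
        """Inbound replication: accept the incoming state only if its stamp is higher."""
        current = self.store.setdefault(dn, {}).get(attr)
        if current is None or stamp > current[0]:
            self.store[dn][attr] = (stamp, value)

    def snapshot(self):
        return {dn: {a: v for a, (_, v) in attrs.items()} for dn, attrs in self.store.items()}

def replicate(src, dst):
    """State-based: push current attribute states, not a change log."""
    for dn, attrs in src.store.items():
        for attr, (stamp, value) in attrs.items():
            dst.apply(dn, attr, stamp, value)

def converge(replicas, rounds=2):
    """Ring topology: each DC replicates to one neighbour, so updates spread transitively."""
    for _ in range(rounds):
        for i, src in enumerate(replicas):
            replicate(src, replicas[(i + 1) % len(replicas)])
    return [r.snapshot() for r in replicas]

def demo():
    dc1, dc2, dc3 = Replica("DC1"), Replica("DC2"), Replica("DC3")
    dc1.write("CN=Jill", "dept", "Sales", now=1)      # same attribute edited on two DCs
    dc2.write("CN=Jill", "dept", "Marketing", now=3)  # before replication: later stamp wins
    dc1.write("CN=Jill", "phone", "111", now=4)       # different attribute: survives alongside
    dc3.write("CN=Bob", "phone", "444", now=1)        # (object-level last-writer would lose it)
    dc3.write("CN=Bob", "isDeleted", True, now=6)     # delete -> tombstone on every DC
    return converge([dc1, dc2, dc3])
```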
15 Logical Structure Relationships
[Diagram: a forest holding two trees, SAAB.CO.SA (with child domain NA.SAAB.CO.SA) and Chevy.GM.COM (with child domain Trucks.chevy.gm.com), each domain subdivided into OUs; labelled Schema and Objects]
16 So What do We Get?
- True Multi-Domain Integration
- Transitive Trusts
- Global Catalog
- Group Policy Objects
- Controllable Replication
- Directory Security
- Granular Administration
17 When to Use Multiple Trees
- Public view requires different root domain names
- i.e. Kraft Foods doesn't want .PhillipMorris.com suffix
- Politics require divisions to keep their names
- There is no technical advantage to multiple trees
18 When to use multiple forests
- When, and only when, the service owners of multiple trees don't trust each other
- Multiple forest implementations do NOT
- Share a common global catalog
- No Exchange GAL
- Trust each other
- You can set up old style trusts between domains in different forests
- Rule of thumb: 1 forest per CIO
19 Domain Controller Roles
- Flexible Single Master Operations (FSMOs)
- 1 Per Forest
- Domain Naming Master
- Schema Master
- Time Reference Server
- 1 Per Domain
- PDC Emulator
- RID (Relative ID) Master
- Infrastructure Master
- KCC/ ISTG (generates inter-site topology)
- ISM (inter-site messaging)
- Global catalog
20 Reasons for Creating Domains
- Physical location
- Network traffic
- International differences
- Administrative considerations
- All users share restrictions (Password Length, etc.)
- Politics
- NOT defining spheres of administration (OUs can do that)
21 Break sponsored by
22 What are OUs
- They are distinct units of administration that can be delegated
- They are containers that organize objects and other containers
- Examples are geographic locations, projects, cost centers, business units, and divisions
23 What OUs Can Contain
24 Reasons for Creating OUs
- Enhancing administrative control
- Maintaining a consistent number of objects
- Controlling application of group policy objects
- Holding other OUs
- Replacing Windows NT 4.0 resource domains
25 Remember: Domains are Expensive
- Every domain Must have a DC
- Most should have 2-3 or more
- Logins require connectivity to home DC
- Logins more traffic than replication
26 Hierarchical OU Models
- Geographic
- Object-based
- Cost center
- Project-based
- Division or business unit
- Administration
27 Define an OU Naming Convention
- OUs are not part of the DNS namespace
- OUs are identified by LDAP and canonical names only
- While domains are difficult to reorganize, OUs within domains can be easily renamed or moved
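As an added illustration of the two names an OU object carries (example code, not from the original slides): its LDAP distinguished name and its canonical name. The DC components supply the DNS domain, while OUs appear only in the LDAP path, which is why they can be renamed without touching DNS. The names ad.widget.com, EURO, Sales and "Smith, Jill" are constructed sample values; RFC 4514 backslash escaping is handled because commas inside names are where hand-rolled converters usually break.

```python
SPECIAL = ',+"\\<>;'   # characters RFC 4514 requires to be backslash-escaped in an RDN value

def escape(value):
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def unescape(value):
    """Undo RFC 4514 escapes: backslash-comma becomes a comma, hex pairs like \\2C are decoded."""
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out, i = out + chr(int(pair, 16)), i + 3
            else:
                out, i = out + value[i + 1], i + 2
        else:
            out, i = out + value[i], i + 1
    return out

def split_dn(dn):
    """Split a DN on unescaped commas into (attribute type, raw value) pairs."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(buf)
            buf = ""
            continue
        buf += ch
        escaped = ch == "\\" and not escaped
    rdns.append(buf)
    return [(t.strip().upper(), v) for t, _, v in (r.partition("=") for r in rdns)]

def dn_to_canonical(dn):
    """'CN=Smith\\, Jill,OU=Sales,DC=ad,DC=widget,DC=com' -> 'ad.widget.com/Sales/Smith, Jill'."""
    pairs = split_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "DC")            # DCs give the DNS domain
    path = [unescape(v) for t, v in reversed(pairs) if t != "DC"]  # OUs exist only in LDAP
    return "/".join([domain] + path)

def canonical_to_dn(canon, leaf_type="CN"):
    """Inverse mapping: last path element gets leaf_type, intermediate ones become OUs."""
    domain, *path = canon.split("/")
    rdns = [f"{leaf_type}={escape(path[-1])}"] if path else []
    rdns += [f"OU={escape(p)}" for p in reversed(path[:-1])]
    rdns += [f"DC={label}" for label in domain.split(".")]
    return ",".join(rdns)
```

Slashes inside a value (which AD writes as "\/" in canonical form) are not handled here.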
28 Delegating Administration
[Diagram: OU1 with a DACL on Group objects reading "Jill can add users"]
- The ability to set ACLs for contained objects at OU level means that you can define who can do what to a particular object in the OU
- Groups created in OU1 can be administered by Jill
- Groups created in OU2 can be administered by John
29 Delegation of Control Wizard
- Good news
- There is a delegation of control wizard
- Bad news
- There is no undelegation of control wizard
- After delegation of control, the users must be given visibility permissions to the objects/containers they control
- Learn to edit and document ACLs
- Only delegate control to groups, not users
30 Delegation of Control Wizard
DEMO
31 ADS Security Features - Review
- Objects have an Access Control List (ACL)
- Permissions can be delegated to users by a higher authority
- Inheritance allows permissions to be propagated to all objects in child containers
- Trusts are established among all domains in an ADS forest
- Explicit trusts can be established between domains in foreign forests or legacy NT domains
32 Group Types
- Security Groups
- Allow you to assign permissions
- Allow you to use groups as an e-mail distribution list
- Windows NT uses only security groups
- Distribution Groups
- Do not allow you to assign permissions
- Allow you to use groups as an e-mail distribution list
33 Rules for Group Membership
- Universal groups only available in native mode
34 Group Scopes
35 How does AD use DNS?
- Windows 2000 uses DNS as a domain locator and name-to-IP translator
- Domain controllers are registered in DNS
- Clients query DNS to locate DCs
- Analogous to Internet mail (the MX record)
- Better-scaling long-term replacement for NetBIOS Name Services (aka WINS)
- Requires DNS servers that support Dynamic Updates (Windows or BIND 8)
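An added offline model of the DNS locator described on this slide (example code written for this write-up, not the Windows Netlogon locator): each DC registers _ldap._tcp SRV records under _msdcs by dynamic update, a client tries the site-specific name before the domain-wide one, and RFC 2782 priority/weight picks among the answers, much as MX preference does for mail. The zone contents, site names and hostnames are constructed.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight port target")

def locator_names(domain, site=None):
    """SRV names a client tries in order: its own site first, then the whole domain."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return names + [f"_ldap._tcp.dc._msdcs.{domain}"]

def register_dc(zone, domain, site, host, port=389, priority=0, weight=100):
    """What a DC's dynamic update adds: the site-specific and the domain-wide record."""
    rec = Srv(priority, weight, port, host)
    for name in locator_names(domain, site):
        zone.setdefault(name, []).append(rec)

def choose(records, rng=random):
    """RFC 2782 selection: lowest priority value wins, ties split by weight."""
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    # weight 0 means "rarely"; simplified here to a tiny non-zero share
    return rng.choices(candidates, weights=[r.weight or 0.01 for r in candidates])[0]

def find_dc(domain, site=None, zone=None, rng=random):
    """Return (record name that answered, chosen SRV) or None if no DC is registered."""
    zone = ZONE if zone is None else zone
    for name in locator_names(domain, site):
        if zone.get(name):
            return name, choose(zone[name], rng)
    return None

# Constructed in-memory zone for a fictional ad.widget.com domain with two sites.
ZONE = {}
register_dc(ZONE, "ad.widget.com", "Hoboken", "dc1.ad.widget.com")
register_dc(ZONE, "ad.widget.com", "Paris", "dc2.ad.widget.com")
register_dc(ZONE, "ad.widget.com", "Paris", "dc3.ad.widget.com", priority=10)  # fallback only
```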
36 Migrating to AD
- Single Domain
- Migrate in place
- Clean up Later
- 2-3 Domains
- Migrate root domain in place
- Use ADMT for additional domains
- You're stuck with SIDHistory
- Bigger Now
- Redesign from scratch
- Use 3rd party tools from Aelita or NetIQ
37 Audience Response
Hosted by