Title: Chapter 4: Planning the Active Directory and Security
1 Chapter 4: Planning the Active Directory and Security
2 Learning Objectives
- Explain the contents of the Active Directory
- Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
- Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security
3 Learning Objectives (continued)
- Plan how to use groups, group policies, and security templates
- Plan IP security measures
4 Windows NT Domain Structure
- The Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
- One primary domain controller (PDC) has the master copy of the SAM
- One or more backup domain controllers (BDCs) have regularly backed up copies of the SAM
- If the PDC fails, a BDC is promoted
5 Using a PDC, BDCs, and the SAM database
Figure 4-1 Windows NT SAM architecture
6 Windows 2000 Active Directory
- Domain objects, including user accounts, computers, servers, printers, groups, security policies, domains, and other objects, compose the Active Directory
7 Windows 2000 Active Directory
- Made up of the following files
  - NTDS.DIT: the single file that holds the database
  - EDB.LOG: log files associated with database transactions
  - EDB.CHK: error tracking/correction information for the database
  - RES1.LOG and RES2.LOG: reserve disk space
8 Active Directory Objects
Figure 4-2 Domain objects in the Active Directory
9 Active Directory Objects
- Object types
  - User account
  - Computer account
  - Domain controller
  - Groups
  - Organizational unit
  - Printers
10 Multimaster Replication
- Multimaster replication: in Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC acts as a master, replication does not stop when one is down. Each DC is a master in its own right.
11 Multimaster Replication
- An account can be created on any of the DCs
- The other DCs are updated automatically
- Replication can be done for changed data only; the whole file does not have to be replicated
- If one DC fails, the others are up to date and the system stays up
- There is no need to stop and promote a BDC
12 Schema
- Schema: the elements used in the definition of each object contained in the Active Directory, including the object class and its attributes
13 Example Schema Characteristics of the User Account Class
- Unique object name
- Globally unique identifier (GUID) associated with each object name
- Required attributes
- Optional attributes
- Syntax of how attributes are defined
- Pointers to parent entities
14 Example User Account Attributes
- Username
- User's full name
- Password
15 Schema Example
Figure 4-4 Sample schema information for user accounts
16 Default Object Classes
- Domain
- User account
- Group
- Shared drive
- Shared folder
- Computer
- Printer
17 Object Naming
- Common name (CN): the most basic name of an object in the Active Directory, such as the name of a printer, e.g. HPLaserMain
- Distinguished name (DN): a name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name
  - CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>
18 Namespace
- Namespace: can be set up as a DNS server
19 Active Directory Elements
- Domains
- Organizational units (OUs)
- Trees
- Forests
- Sites
20 Active Directory Architecture
Figure 4-5 Active Directory hierarchical containers
21 Functions of a Domain
- Provide a security boundary for objects in a common relationship
- Establish a set of data to be replicated among DCs
- Expedite management of a set of objects
22 Using a Single Domain
Figure 4-6 Single domain
23 Using Multiple Domains
Figure 4-7 Using multiple domains
24 Domain Creation Dos and Don'ts
25 Domain Creation Dos and Don'ts (continued)
26 Functions of an OU
- Group related objects, such as user accounts and printers, for easier management
- Reflect the structure of an organization
- Group objects to be administered using the same group policies
27 Using OUs to Reflect Organizational Structure
Figure 4-8 OUs used to reflect the divisional structure of a company
28 Design Tips for Using OUs
- Limit OUs to 10 levels or fewer
- OUs use fewer CPU resources when they are set up horizontally (wide) instead of vertically (deep)
- Each request through an OU level requires CPU time in a search
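The distinguished-name syntax from the Object Naming slide and the "10 levels or fewer" OU guideline above can both be checked mechanically. The following is an added example, not code from the chapter: it parses and builds DNs using the RFC 4514 escaping rules (so a comma inside a common name such as "Gardner, M" does not get mistaken for an RDN separator) and counts OU components against the guideline. The sample DNs are constructed; the DC= components are the form Windows 2000 uses for domain names, which the slide does not show.

```python
"""Parse and build Active Directory distinguished names and check OU depth.

Added example (not the chapter's code). Handles single-valued RDNs only,
which is what AD object names look like in practice; '+' multi-valued
RDNs are not supported.
"""

# Characters that must be escaped inside an attribute value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')
MAX_OU_DEPTH = 10  # chapter guideline: no more than 10 OU levels


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, last)
        if ch in _SPECIAL or leading_hash or edge_space:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into [(attribute_type, value), ...], unescaping values."""
    rdns: list[tuple[str, str]] = []
    attr = None          # attribute type of the RDN being read
    buf: list[str] = []  # characters of the current type or value
    escaped = False
    for ch in dn:
        if escaped:               # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '=' and attr is None:
            attr = ''.join(buf).strip().upper()   # e.g. 'cn' -> 'CN'
            buf = []
        elif ch == ',':           # unescaped comma ends the RDN
            if attr is None:
                raise ValueError(f'RDN without "=": {"".join(buf)!r}')
            rdns.append((attr, ''.join(buf)))
            attr = None
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError('DN ends with a dangling backslash')
    if attr is None:
        raise ValueError('trailing RDN without "="')
    rdns.append((attr, ''.join(buf)))
    return rdns


def build_dn(rdns: list[tuple[str, str]]) -> str:
    """Inverse of parse_dn: join RDNs, escaping each value."""
    return ','.join(f'{attr}={escape_value(value)}' for attr, value in rdns)


def ou_depth(dn: str) -> int:
    """Number of OU levels an object sits under."""
    return sum(1 for attr, _ in parse_dn(dn) if attr == 'OU')


def within_ou_guideline(dn: str) -> bool:
    """True when the object is no more than MAX_OU_DEPTH OU levels deep."""
    return ou_depth(dn) <= MAX_OU_DEPTH


if __name__ == '__main__':
    # Constructed sample in the slide's CN/OU/O/C form.
    printer = 'CN=HPLaserMain,OU=Printers,O=DeVry,C=US'
    print(parse_dn(printer), ou_depth(printer))
    # Constructed deep OU chain (11 levels) that breaks the guideline.
    deep = 'CN=Laptop01,' + ','.join(f'OU=L{i}' for i in range(11)) + ',DC=example,DC=test'
    print(within_ou_guideline(deep))
```

The parser is strict on purpose: a DN that cannot be split cleanly raises rather than silently returning a partial path, which matters when a DN is used to decide where an object lives or which policies apply to it.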
29 OU Creation Dos and Don'ts
30 OU Creation Dos and Don'ts (continued)
31 Characteristics of a Tree
- Member domains are in a contiguous namespace
  - e.g. chi.devry.edu and tp.devry.edu under the devry tree
- Member domains can compose a hierarchy
- Member domains use the same schema for common objects
- Member domains use the same global catalog (an encyclopedia of information about objects)
32 Global Catalog
- Global catalog: a grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.
33 Global Catalog Functions
- Authenticating users
- Providing lookup and access to resources in all domains
- Providing replication of key Active Directory elements
- Keeping a copy of the most frequently used attributes for all objects
34 Hierarchical Domains in a Tree
Figure 4-9 Tree with hierarchical domains
35 Kerberos Transitive Trust
- Kerberos transitive trust relationship: a set of two-way trusts between two or more domains in which Kerberos security is used.
36 Trusted and Trusting Domains
- Trusted domain: a domain that has been granted security access to resources in another domain
- Trusting domain: a domain that allows another domain security access to its resources and objects, such as servers
37 Tree Creation Dos and Don'ts
38 Tree Creation Dos and Don'ts (continued)
39 Planning Tip
- Make sure each tree has at least one DC that is also configured as a global catalog
- Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)
40 Characteristics of a Forest
- Member trees use a disjointed namespace (but contiguous namespaces within trees)
- Member trees use the same schema
- Member trees use the same global catalog
41 Single Forest
- Single forest: an Active Directory model in which there is only one forest, with interconnected trees and domains that use the same schema and global catalog
42 Single Forest Architecture
Figure 4-10 A forest
43 Separate Forest
- Separate forest: an Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema
44 Separate Forest Architecture
Figure 4-11 Separate forest model
45 Forest Creation Dos and Don'ts
46 Forest Creation Dos and Don'ts (continued)
47 Design Tip
- When you create a separate forest structure, remember that
  - Replication cannot take place between forests
  - The forests use different schemas and global catalogs
  - The forests cannot be easily blended into a single forest in the future
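The trust rules from the Kerberos Transitive Trust, Trusted and Trusting Domains, and Separate Forest slides determine which accounts can reach which resources. The following is an added example, not the chapter's code, that encodes those rules as a small model so a design can be audited before it is built: domains in one forest are connected by two-way transitive Kerberos trusts, separate forests have no transitive trust between them, and an explicit one-way trust lets a trusting domain accept accounts from a trusted domain. The forest and domain names are constructed, and the assumption that an explicit one-way trust is a single direct hop (not chained through a third domain) is the model's, not a statement from the slides.

```python
"""Audit which domain-to-domain access paths a trust design allows.

Added example (not the chapter's code). Encodes the chapter's rules:
same forest => two-way transitive Kerberos trust; separate forests =>
no transitive trust; an explicit one-way trust (trusting -> trusted) is
honoured only as a direct hop.
"""
from dataclasses import dataclass, field


@dataclass
class TrustDesign:
    # forest name -> set of member domains (all trees in the forest)
    forests: dict[str, set[str]]
    # explicit one-way trusts as (trusting_domain, trusted_domain) pairs
    one_way: set[tuple[str, str]] = field(default_factory=set)

    def forest_of(self, domain: str) -> str:
        """Return the forest that contains a domain, or raise if unknown."""
        for name, members in self.forests.items():
            if domain in members:
                return name
        raise KeyError(f'unknown domain {domain!r}')

    def can_access(self, account_domain: str, resource_domain: str) -> tuple[bool, str]:
        """Can an account from account_domain reach resources in resource_domain?"""
        if self.forest_of(account_domain) == self.forest_of(resource_domain):
            return True, 'same forest: Kerberos transitive trust'
        if (resource_domain, account_domain) in self.one_way:
            return True, f'{resource_domain} explicitly trusts {account_domain}'
        return False, 'separate forests with no explicit trust'

    def reachable_from(self, account_domain: str) -> set[str]:
        """Every domain whose resources accounts of account_domain may reach."""
        all_domains = set().union(*self.forests.values())
        return {d for d in all_domains if self.can_access(account_domain, d)[0]}


def sample_design() -> TrustDesign:
    """Constructed design: one forest of three domains plus a partner forest."""
    return TrustDesign(
        forests={
            'devry': {'devry.edu', 'chi.devry.edu', 'tp.devry.edu'},
            'partner': {'partner.test'},
        },
        # the partner forest's domain trusts the devry.edu root domain only
        one_way={('partner.test', 'devry.edu')},
    )


if __name__ == '__main__':
    design = sample_design()
    for src in sorted(set().union(*design.forests.values())):
        print(src, '->', sorted(design.reachable_from(src)))
```

Running the sample shows the asymmetry the slides describe: accounts in chi.devry.edu reach tp.devry.edu through the forest's transitive trust, devry.edu accounts reach partner.test through the explicit trust, but partner.test accounts reach nothing in the devry forest and chi.devry.edu accounts cannot ride the explicit trust that was granted only to devry.edu.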
48 Site
- Site: an option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.
49 Characteristics of a Site
- Reflects one or more interconnected subnets (512 Kbps or faster)
- Reflects the same boundaries as the LAN
- Used for DC replication
- Enables clients to access the closest DC
- Composed of servers and configuration objects
50 Site Links
- Site link object: an object created in the Active Directory to indicate one or more physical links between two different sites
- Site link bridge: an Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links
51 Site Link Architecture
Figure 4-12 Site link bridge
52 Site Creation Dos and Don'ts
53 Site Creation Dos and Don'ts (continued)
54 Design Tip
- Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
- Use sites to enhance network performance by optimizing authentication and replication
55 Active Directory Guidelines
- Keep the Active Directory implementation as simple as possible
- Implement the least number of domains possible
- Implement only one domain on most small networks
- Use OUs to reflect the organizational structure (instead of using domains for this purpose)
56 Active Directory Guidelines (continued)
- Create only the number of OUs that are necessary
- Do not create OUs more than 10 levels deep
- Use domains for natural security boundaries
- Implement trees and forests only as necessary
57 Active Directory Guidelines (continued)
- Use trees for domains that have a contiguous namespace
- Use forests for multiple trees that have disjointed namespaces between them
- Use sites in situations where there are multiple IP subnets and geographic locations to improve performance
58 Basic Types of Active Directory Security
- Account or interactive logon security
- Object security
- Services security
59 Interactive Logon Security
- The DC checks that the user account is in the Active Directory
- The DC verifies the exact user account name and password
60 Object Security
- Security descriptor: an individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
- Access control list (ACL): a list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer
61 Typical ACL Types of Information
- User account(s) that can access an object
- Permissions that determine the type of access
- Ownership of the object
62 Typical Object Permissions
- Deny: no access to the object
- Read: access to view or read the object's contents
- Write: permission to change the object's contents or properties
- Delete: permission to remove an object
- Create: permission to add an object
- Full Control: permission for nearly any activity
63 Example Special Permissions
Figure 4-13 Special permissions for a folder
64 Troubleshooting Tip
- The Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the Deny permissions associated with that user's account and the groups it belongs to
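The Object Security, Typical Object Permissions and Troubleshooting Tip slides together describe how an ACL is evaluated: collect every entry that matches the user or one of the user's groups, then let any Deny override an Allow. The following is an added example, not the chapter's code, that implements that evaluation and a helper that answers the troubleshooting question "which entry is denying this user?". The groups, the JSmith account and the ACL on the Databases folder are constructed; MGardner is the account the chapter uses as its example.

```python
"""Evaluate an ACL where Deny entries supersede Allow entries.

Added example (not the chapter's code). Accounts, groups and the ACL on
the Databases folder are constructed for illustration.
"""
from dataclasses import dataclass

PERMISSIONS = frozenset({'Read', 'Write', 'Delete', 'Create'})
FULL_CONTROL = PERMISSIONS  # the chapter's "nearly any activity"


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, Allow or Deny, and which permissions."""
    principal: str
    kind: str                 # 'Allow' or 'Deny'
    permissions: frozenset


# Constructed group memberships: group name -> member accounts.
GROUPS = {
    'Domain Users': {'MGardner', 'JSmith'},
    'Contractors': {'JSmith'},
}

# Constructed ACL on the Databases folder.
DATABASES_ACL = [
    ACE('Domain Users', 'Allow', frozenset({'Read'})),
    ACE('MGardner', 'Allow', FULL_CONTROL),
    ACE('Contractors', 'Deny', frozenset({'Write', 'Delete'})),
    ACE('JSmith', 'Allow', frozenset({'Write'})),   # conflicts with the Deny above
]


def principals_for(user: str) -> set[str]:
    """The user's own name plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_permissions(user: str, acl: list[ACE]) -> set[str]:
    """Union of matching Allows minus union of matching Denies."""
    who = principals_for(user)
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in acl:
        if ace.principal not in who:
            continue
        if ace.kind == 'Deny':
            denied |= ace.permissions
        elif ace.kind == 'Allow':
            allowed |= ace.permissions
        else:
            raise ValueError(f'unknown ACE kind {ace.kind!r}')
    return allowed - denied


def has_access(user: str, acl: list[ACE], permission: str) -> bool:
    return permission in effective_permissions(user, acl)


def explain_denials(user: str, acl: list[ACE]) -> dict[str, str]:
    """Troubleshooting aid: permission -> principal whose Deny blocks it."""
    who = principals_for(user)
    blocked: dict[str, str] = {}
    for ace in acl:
        if ace.kind == 'Deny' and ace.principal in who:
            for perm in ace.permissions:
                blocked.setdefault(perm, ace.principal)
    return blocked


if __name__ == '__main__':
    for user in ('MGardner', 'JSmith'):
        print(user, sorted(effective_permissions(user, DATABASES_ACL)),
              explain_denials(user, DATABASES_ACL))
```

JSmith is the case the troubleshooting tip is about: the account has an explicit Allow for Write, yet ends up with Read only, because the Contractors group carries a Deny for Write and Delete; explain_denials points straight at that group entry rather than at anything on the user's own account.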
65 Services Security
- Windows 2000 enables you to set up security on individual services, such as DHCP
66 Setting Services Security
Figure 4-14 DHCP security
67 Using Groups
- Set up security groups of user accounts as a way to manage security more easily
68 Setting Up Members of a Group
Figure 4-15 DHCP Administrators group
69 Group Policies
- Use group policies to manage security for local servers, OUs, and domains
- Employ security templates when you need to manage several different group policies
70 Example Areas Covered by Group Policies
- Account policies
- Local server and domain policies
- Event log tracking policies
- Group restrictions
- Service access security
- Registry security
- File system security
71 Setting Up Security Templates
Figure 4-16 Security Templates snap-in
72 IP Security
- IP security (IPSec): a set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
73 IP Security Policies
- IP security (IPSec) can function in three roles relative to a client
  - Client (Respond Only), in which the server uses IPSec if the client is using it first
  - Server (Request Security), in which the server uses IPSec by default but will discontinue using IPSec if it is not supported by the client
  - Secure Server (Require Security), in which the server only communicates via IPSec
74 Configuring IPSec
Figure 4-17 IP Security Policy Wizard
75 Troubleshooting Tip
- On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
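The three policy roles on the IP Security Policies slide and the SNMP exemption in the troubleshooting tip decide, for each connection, whether traffic is protected, sent in the clear, or refused. The following is an added example, not the chapter's code, that models those decisions so the consequences of a policy choice can be tabulated before it is assigned: Respond Only protects only when the peer starts IPSec, Request Security falls back to clear text for peers without IPSec, and Require Security refuses them; a per-protocol exemption list, as the tip suggests for SNMP, bypasses IPSec for that protocol alone. The protocol names, the peer_initiates flag and the exemption mechanism are the model's own constructions.

```python
"""Outcome of a connection under the three Windows 2000 IPSec policy roles.

Added example (not the chapter's code). The exemption list models the
troubleshooting tip about exempting SNMP from IPSec for older devices.
"""
from enum import Enum


class Policy(Enum):
    RESPOND_ONLY = 'Client (Respond Only)'
    REQUEST = 'Server (Request Security)'
    REQUIRE = 'Secure Server (Require Security)'


class Outcome(Enum):
    IPSEC = 'protected by IPSec'
    CLEAR = 'sent in clear text'
    REFUSED = 'connection refused'


def negotiate(policy: Policy, peer_supports_ipsec: bool, peer_initiates: bool = False,
              protocol: str = 'tcp', exempt: frozenset = frozenset()) -> Outcome:
    """Decide what happens to one connection.

    peer_supports_ipsec: the other host can negotiate IPSec at all.
    peer_initiates: the other host starts IPSec itself (matters only for
    Respond Only, which never initiates).
    exempt: protocols (lower-case names) excluded from the IPSec policy.
    """
    if protocol.lower() in exempt:
        return Outcome.CLEAR                     # exempted traffic bypasses IPSec
    if policy is Policy.RESPOND_ONLY:
        return Outcome.IPSEC if (peer_supports_ipsec and peer_initiates) else Outcome.CLEAR
    if policy is Policy.REQUEST:
        return Outcome.IPSEC if peer_supports_ipsec else Outcome.CLEAR
    if policy is Policy.REQUIRE:
        return Outcome.IPSEC if peer_supports_ipsec else Outcome.REFUSED
    raise ValueError(f'unknown policy {policy!r}')


def policy_matrix(exempt: frozenset = frozenset(), protocol: str = 'tcp') -> dict:
    """Outcome for every policy against an IPSec-capable peer and a legacy peer."""
    matrix = {}
    for policy in Policy:
        matrix[policy] = {
            'ipsec_peer': negotiate(policy, True, peer_initiates=True, protocol=protocol, exempt=exempt),
            'legacy_peer': negotiate(policy, False, protocol=protocol, exempt=exempt),
        }
    return matrix


def clear_text_exposure(policy: Policy, protocols, exempt: frozenset = frozenset()) -> set[str]:
    """Protocols that would travel in the clear from an IPSec-capable peer.

    Useful when reviewing an exemption list: under Require Security the
    only clear-text traffic is whatever has been exempted.
    """
    return {p for p in protocols
            if negotiate(policy, True, peer_initiates=True, protocol=p, exempt=exempt) is Outcome.CLEAR}


if __name__ == '__main__':
    # Constructed scenario: legacy monitored devices speak SNMP only.
    snmp_exempt = frozenset({'snmp'})
    print(negotiate(Policy.REQUIRE, False, protocol='snmp'))
    print(negotiate(Policy.REQUIRE, False, protocol='snmp', exempt=snmp_exempt))
    print(clear_text_exposure(Policy.REQUIRE, ['tcp', 'snmp', 'ldap'], snmp_exempt))
```

The two Require Security calls in the usage show the tip's trade-off in one place: without the exemption the legacy device's SNMP is refused and no performance data arrives; with it, SNMP arrives but travels in the clear, which clear_text_exposure reports so the exemption list stays as narrow as the tip implies (SNMP only, not every protocol from the old devices).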
76 Chapter Summary
- Active Directory and security implementation are interrelated
- The Active Directory is a set of services for managing Windows 2000 servers
- Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources
77 Chapter Summary (continued)
- Use sites to configure network communications for better performance by taking advantage of existing subnets
- Groups and group policies enable you to manage security