Chapter 4: Planning the Active Directory and Security - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 4: Planning the Active Directory and Security

Description:

Title: A Guide to Windows 2000 Server Subject: Chapter 4: Planning the Active Directory and Security Author: Michael Palmer Last modified by: tcom40 – PowerPoint PPT presentation

Number of Views:259
Avg rating:3.0/5.0
Slides: 78
Provided by: MichaelP221
Learn more at: http://kyser.org
Category:

less

Transcript and Presenter's Notes

Title: Chapter 4: Planning the Active Directory and Security


1
Chapter 4 Planning the Active Directory and
Security
2
Learning Objectives
  • Explain the contents of the Active Directory
  • Plan how to set up Active Directory elements such
    as organizational units, domains, trees, forests,
    and sites
  • Plan which Windows 2000 security features to use
    in an organization, including interactive logon,
    object security, and services security

3
Learning Objectives (continued)
  • Plan how to use groups, group policies, and
    security templates
  • Plan IP security measures

4
Windows NT Domain Structure
  • Security Accounts Manager (SAM) database holds
    data on user accounts, groups, and security
    privileges
  • One primary domain controller (PDC) has master
    copy of the SAM
  • One or more backup domain controllers (BDCs) have
    regularly backed up copies of the SAM
  • If PDC Fails, BDC is promoted

5
Using a PDC, BDCs, and the SAM database
Figure 4-1 Windows NT SAM architecture
6
Windows 2000 Active Directory
  • Domain objects including user accounts,
    computers, servers, printers, groups, security
    policies, domains, and other objects compose the
    Active Directory

7
Windows 2000 Active Directory
  • Made up of the following files
  • NTDIS.DIT single file of the database
  • EDB.LOG Log files associated with database
    transactions
  • EDB.CHK error tracking/correction info for
    database
  • RES1.LOG and RES2.LOG reserve disk space

8
Active Directory Objects
Figure 4-2 Domain objects in the Active Directory
9
Active Directory Objects
  • Object Types
  • User Account
  • Computer Account
  • Domain Controller
  • Groups
  • Organizational Unit
  • Printers

10
Multimaster Replication
  • Multimaster replication In Windows 2000 there
    can be multiple servers, called domain
    controllers (DCs), that store the Active
    Directory and replicate it to each other. Because
    each DC acts as a master, replication does not
    stop when one is down. Each DC is a master in its
    own right.

11
Multimaster Replication
  • Can create account on any of the DCs
  • Other DCs automatically updated
  • Can be done for changed data only, dont have to
    replicate whole file
  • If one DC fails, others are up-to-date and system
    systems up
  • Dont have to stop to promote a BDC

12
Schema
  • Schema Elements used in the definition of each
    object contained in the Active Directory,
    including the object class and its attributes

13
Example Schema Characteristics of the User
Account Class
  • Unique object name
  • Globally unique identifier (GUID) associated with
    each object name
  • Required attributes
  • Optional attributes
  • Syntax of how attributes are defined
  • Pointers to parent entities

14
Example User Account Attributes
  • Username
  • Users full name
  • Password

15
Schema Example
Figure 4-4 Sample schema information for user
accounts
16
Default Object Classes
  • Domain
  • User account
  • Group
  • Shared drive
  • Shared folder
  • Computer
  • Printer

17
Object Naming
  • Common name (CN) The most basic name of an
    object in the Active Directory, such as the name
    of a printer
  • E.g. HPLaserMain
  • Distinguished name (DN) A name in the Active
    Directory that contains all hierarchical
    components of an object, such as that objects
    organizational unit and domain, in addition to
    the objects common name
  • CNltobject Namegt, OUltorganizatoional unit,
    OltOrganizationgt, CltCountryCodegt

18
Namespace
  • Namespace Can be set up as a DNS server

19
Active Directory Elements
  • Domains
  • Organizational units (OUs)
  • Trees
  • Forests
  • Sites

20
Active Directory Architecture
Figure 4-5 Active Directory hierarchical
containers
21
Functions of a Domain
  • Provide a security boundary for objects in a
    common relationship
  • Establish a set of data to be replicated among
    DCs
  • Expedite management of a set of objects

22
Using a Single domain
Figure 4-6 Single domain
23
Using Multiple Domains
Figure 4-7 Using multiple domains
24
Domain Creation Dos and Donts
25
Domain Creation Dos and Donts (continued)
26
Functions of an OU
  • Group related objects, such as user accounts and
    printers, for easier management
  • Reflect the structure of an organization
  • Group objects to be administered using the same
    group policies

27
Using OUs to Reflect Organizational Structure
Figure 4-8 OUs used to reflect the divisional
structure of a company
28
Design Tips for Using OUs
  • Limit OUs to 10 levels or fewer
  • OUs use less CPU resources when they are set up
    horizontally instead of vertically
  • Each request through an OU level requires CPU
    time in a search

29
OU Creation Dos and Donts
30
OU Creation Dos and Donts (continued)
31
Characteristics of a Tree
  • Member domains are in a contiguous namespace
  • chi.devry.edu tp.devry.edu under devry tree
  • Member domains can compose a hierarchy
  • Member domains use the same schema for common
    objects
  • Member domains use the same global catalog
    (encyclopedia of info about object)

32
Global Catalog
  • Global catalog A grand repository for all
    objects and the most frequently used attributes
    for each object in all domains. Each tree has one
    global catalog.

33
Global Catalog Functions
  • Authenticating users
  • Providing lookup and access to resources in all
    domains
  • Providing replication of key Active Directory
    elements
  • Keeping a copy of the most attributes for all
    objects

34
Hierarchical Domains in a Tree
Figure 4-9 Tree with hierarchical domains
35
Kerberos Transitive Trust
  • Kerberos Transitive Trust Relationship A set of
    two-way trusts between two or more domains in
    which Kerberos security is used.

36
Trusted and Trusting Domains
  • Trusted domain A domain that has been granted
    security access to resources in another domain
  • Trusting domain A domain that allows another
    domain security access to its resources and
    objects, such as servers

37
Tree Creation Dos and Donts
38
Tree Creation Dos and Donts (continued)
39
Planning Tip
  • Make sure each tree has at least one DC that is
    also configured as a global catalog
  • Locate global catalog servers in a network design
    architecture that enables fast user
    authentication (so that authentication does not
    have to be performed over a WAN link, for
    example)

40
Characteristics of a Forest
  • Member trees use a disjointed namespace (but
    contiguous namespaces within trees)
  • Member trees use the same schema
  • Member trees use the same global catalog

41
Single Forest
  • Single forest An Active Directory model in which
    there is only one forest with interconnected
    trees and domains that use the same schema and
    global catalog

42
Single Forest Architecture
Figure 4-10 A forest
43
Separate Forest
  • Separate forest An Active Directory model that
    links two or more forests in a partnership, but
    the forests cannot have Kerberos transitive
    trusts or use the same schema

44
Separate Forest Architecture
Figure 4-11 Separate forest model
45
Forest Creation Dos and Donts
46
Forest Creation Dos and Donts (continued)
47
Design Tip
  • When you create a separate forest structure
    remember that
  • Replication cannot take place between forests
  • The forests use different schema and global
    catalogs
  • The forests cannot be easily blended into a
    single forest in the future

48
Site
  • Site An option in the Active Directory to
    interconnect IP subnets so that it can determine
    the fastest route to connect clients for
    authentication and to connect DCs for replication
    of the Active Directory. Site information also
    enables the Active Directory to create redundant
    routes for DC replication.

49
Characteristics of a Site
  • Reflects one or more interconnected subnets (512
    Kbps or faster)
  • Reflects the same boundaries as the LAN
  • Used for DC replication
  • Enables clients to access the closest DC
  • Composed of servers and configuration objects

50
Site Links
  • Site link object An object created in the Active
    Directory to indicate one or more physical links
    between two different sites
  • Site link bridge An Active Directory object
    (usually a router) that combines individual site
    link objects to create faster routes when there
    are three or more site links

51
Site Link Architecture
Figure 4-12 Site link bridge
52
Site Creation Dos and Donts
53
Site Creation Dos and Donts (continued)
54
Design Tip
  • Define sites in the Active Directory on networks
    that have multiple global catalog servers that
    reside in different subnets
  • Use sites to enhance network performance by
    optimizing authentication and replication

55
Active Directory Guidelines
  • Keep the Active Directory implementation as
    simple as possible
  • Implement the least number of domains possible
  • Implement only one domain on most small networks
  • Use OUs to reflect the organizational structure
    (instead of using domains for this purpose)

56
Active Directory Guidelines (continued)
  • Create only the number of OUs that are necessary
  • Do not create OUs more than 10 levels deep
  • Use domains for natural security boundaries
  • Implement trees and forests only as necessary

57
Active Directory Guidelines (continued)
  • Use trees for domains that have a contiguous
    namespace
  • Use forests for multiple trees that have
    disjointed namespaces between them
  • Use sites in situations where there are multiple
    IP subnets and geographic locations to improve
    performance

58
Basic Types of Active Directory Security
  • Account or interactive logon security
  • Object security
  • Services security

59
Interactive Logon Security
  • DC checks that the user account is in the Active
    Directory
  • DC verifies the exact user account name and
    password

60
Object Security
  • Security descriptor An individual security
    property associated with a Windows 2000 Server
    object, such as enabling the account MGardner
    (the security descriptor) to access the folder,
    Databases
  • Access control list (ACL) A list of all security
    descriptors that have been set up for a
    particular object, such as for a shared folder or
    a shared printer

61
Typical ACL Types of Information
  • User account(s) that can access an object
  • Permissions that determine the type of access
  • Ownership of the object

62
Typical Object Permissions
  • Deny No access to the object
  • Read Access to view or read the objects
    contents
  • Write Permission to change the objects contents
    or properties
  • Delete Permission to remove an object
  • Create Permission to add an object
  • Full Control Permission for nearly any activity

63
Example Special Permissions
Figure 4-13 Special permissions for a folder
64
Troubleshooting Tip
  • Deny permission supercedes other permissions,
    thus if there is a permissions conflict for one
    of your users, check the deny permissions
    associated with that users account

65
Services Security
  • Windows 2000 enables you to set up security on
    individual services, such as DHCP

66
Setting Services Security
Figure 4-14 DHCP security
67
Using Groups
  • Set up security groups of user accounts as a way
    to more easily manage security

68
Setting Up Members of a Group
Figure 4-15 DHCP Administrators group
69
Group Policies
  • Use group policies to manage security for local
    servers, OUs, and domains
  • Employ security templates when you need to manage
    several different group policies

70
Example Areas Covered by Group Policies
  • Account polices
  • Local server and domain policies
  • Event log tracking policies
  • Group restrictions
  • Service access security
  • Registry security
  • File system security

71
Setting Up Security Templates
Figure 4-16 Security Templates snap-in
72
IP Security
  • IP security (IPSec) A set of IP-based secure
    communications and encryption standards created
    through the Internet Engineering Task Force (IETF)

73
IP Security Policies
  • IP security (IPSec) can function in three roles
    relative to a client
  • Client (Respond Only) in which the server uses
    IPSec, if the client is using it first
  • Server (Request Security) in which the server
    uses IPSec by default, but will discontinue using
    IPSec if it is not supported by the client
  • Secure Server (Require Security) in which the
    server only communicates via IPSec

74
Configuring IPSec
Figure 4-17 IP Security Policy Wizard
75
Troubleshooting Tip
  • On a network that uses IPSec, if you are having
    trouble gathering network performance information
    from some older devices that do not support
    IPSec, omit the SNMP communications protocol from
    IPSec

76
Chapter Summary
  • Active Directory and security implementation are
    interrelated
  • The Active Directory is a set of services for
    managing Windows 2000 servers
  • Use Active Directory elements such as OUs,
    domains, trees, and forests to help manage server
    objects and resources

77
Chapter Summary
  • Use sites to configure network communications for
    better performance through taking advantage of
    existing subnets
  • Groups and group policies enable you to manage
    security
Write a Comment
User Comments (0)
About PowerShow.com