Anda di halaman 1dari 49

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

Chapter 4: Active Directory Design and Security Concepts

Objectives
Work with organizational units Work with forests, trees, and domains Describe the components of a site

MCTS Windows Server 2008 Active Directory

Working with Organizational Units


Active Directory is based upon standards (LDAP and X.500) Lightweight Directory Access Protocol (LDAP)
Created by the Internet Engineering Task Force (IETF) Based on the X.500 Directory Access Protocol (DAP) Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory

LDAP has presence on other operating systems as well, and can be used to integrate them with Active Directory
MCTS Windows Server 2008 Active Directory 3

Working with Organizational Units (cont.)


Benefits of using OUs:
You can create familiar hierarchical structures based on an organizational chart to allow easy resource access Delegation of administrative authority Able to change OU structure easily Can group users and computers for the purposes of assigning administrative and security policies Can hide AD objects for confidentiality or security reasons

MCTS Windows Server 2008 Active Directory

OU Delegation of Control
Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks Allows specific control of what someone with delegated control may do Commonly delegated tasks include
Create, delete, and manager user accounts Reset user passwords and force password change at next logon Read all user information Create, delete, and manage groups Modify the membership of a group Manage group policy links Generate Resultant Set of Policy (Planning) Generate Resultant Set of Policy (Logging)
5

MCTS Windows Server 2008 Active Directory

OU Delegation of Control (cont.)


Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance. Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not By default, the OUs properties dont show that another user has been delegated control Instead, to verify who has been delegated control of an OU, you must view the OUs permissions.
MCTS Windows Server 2008 Active Directory 6

Active Directory Object Permissions


Three types of objects can be assigned permission to access an AD object: Users, groups, and computers. These object types are referred to as security principals AD objects security settings are composed of three components:
Discretionary access control list (DACL)
Each entry referred to as an access control entry (ACE)

Object owner
Usually the user account that created the object or a group or user who has been assigned ownership

System access control list (SACL)


Defines the settings for auditing access to an object
MCTS Windows Server 2008 Active Directory 7

Active Directory Permissions (cont.)


Each object has a list of standard permissions and a list of special permission Each permission can be set to Allow or Deny, and five standard permissions are available for most objects:
Full control Read Write Create all child objects Delete all child objects

MCTS Windows Server 2008 Active Directory

Active Directory Permissions (cont.)


Users can be assigned permission to an object in three different ways:
Users account is added to the objects DACL, a method referred to as explicit permission A group the user belongs to is added to the objects DACL The permission is inherited from a parent objects DACL to which the user or group account has been added.

A users effective permissions are a combination of the assigned permissions. Deny permissions override Allow permissions
Except: when the Deny permission is inherited from a parent object, and the Allow permission is explicitly added to the objects DACL, the Allow permission takes precedence
MCTS Windows Server 2008 Active Directory 9

Using Deny in an ACE


If a security principal isnt represented in an objects DACL, it doesnt have access to the object Deny permissions are not required for every object to prevent access Deny permission usually used in cases of exception, such as when you dont want a user to be able to delete child objects in an OU, but still want to grant access

MCTS Windows Server 2008 Active Directory

10

Permission Inheritance in OUs


Permission inheritance defines how permissions are transmitted from a parent object to a child object All objects in AD are child objects of the domain By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

MCTS Windows Server 2008 Active Directory

11

Advanced Features Option in Active Directory Users and Computers


Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the view menu. Afterwards, four new folders are shown:
LostAndFound Program Data System NTDS (NT Directory Service)

MCTS Windows Server 2008 Active Directory

12

Advanced Features Option in Active Directory Users and Computers (cont.)


Properties dialog box of domain, folder, and OU objects will now have three new tabs:
Object
Used to view detailed information about a container object

Security
Used to view and modify an objects permissions

Attribute Editor
Used to view and edit an objects attributes

MCTS Windows Server 2008 Active Directory

13

Effective Permissions
Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal Can come from assignments made directly to a single user account or to a group the user belongs to Explicit permissions override inherited permissions, and can create some exceptions to the rule that Deny permissions override Allow permissions

MCTS Windows Server 2008 Active Directory

14

Effective Permissions (cont.)


Most common settings for permission inheritance:
This object only
The permission setting isnt inherited by child (descendant) objects

This object and all descendant objects


The permission setting applies to the current object and is inherited by all child objects

All descendant objects


The permission setting doesnt apply to the selected object but is inherited by all child objects

Descendant [object type] objects


The permission is inherited only by specific child object types, such as user, computer, or group objects.

Permission inheritance is enabled by default on child objects, but can be disabled


MCTS Windows Server 2008 Active Directory 15

Working with Forests, Trees, and Domains


Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests First domain controller creates more than just a new domain, it also creates the root of a new tree and the root of a new forest
May eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

MCTS Windows Server 2008 Active Directory

16

Active Directory Terminology


Directory Partitions Operations Master Roles Active Directory Replication Trust Relationships

MCTS Windows Server 2008 Active Directory

17

Directory Partitions
Each section of an Active Directory database is referred to as a directory partition. There are five directory partition types in the AD database:
Domain directory partition
Contains all objects in a domain, including users, groups, computers, OUs, and so forth

Schema directory partition


Contains information needed to define AD objects and object attributes

Global catalog partition


Holds the global catalog, which is a partial replica of all objects in the forest

Application directory partition


Used by applications and services to hold information that benefits from

Configuration partition
Holds configuration information that can affect the entire forest
MCTS Windows Server 2008 Active Directory 18

Operations Master Roles


Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function First domain controller in the forest generally takes on the role of the operations master If necessary, responsibility for these roles can be transferred to another domain controller

MCTS Windows Server 2008 Active Directory

19

Operations Master Roles (cont.)


There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles in an AD forest:
Schema Master Infrastructure master Domain Naming master RID master PDC Emulator master

When removing DCs from a forest, be careful that these roles are not removed from the network accidentally
MCTS Windows Server 2008 Active Directory 20

Active Directory Replication


Replication is the process of maintaining a consistent database of information when the database is distributed among several locations Intrasite replication
Replication between domain controllers in the same site

Intersite replication
Occurs between two or more sites

Multimaster replication
Used by AD for replacing AD objects

Knowledge Consistency Checker (KCC) runs on all DCs


Determines the replication topology, which defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs

MCTS Windows Server 2008 Active Directory

21

Active Directory Replication (cont.)

MCTS Windows Server 2008 Active Directory

22

Trust Relationships
In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest Trusts do not equal permissions

MCTS Windows Server 2008 Active Directory

23

The Role of Forests


All domains in a forest share some common characteristics:
A single schema Forestwide administrative accounts Operations masters Global Catalog Trusts between domains Replication between domains

MCTS Windows Server 2008 Active Directory

24

The Importance of the Global Catalog Server


First DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured as well Global Catalog servers perform the following vital functions:
Facilitates domain and forestwide searches Facilitates logon across domains; Users can log on to computers in any domain by using their user principal name (UPN) Hold universal group membership information
MCTS Windows Server 2008 Active Directory 25

Forest Root Domain


First domain is the forest root and is referred to as the forest root domain Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate Functions the forest root domain usually handles:
DNS server Global catalog server Forestwide administrative accounts Operations masters

MCTS Windows Server 2008 Active Directory

26

Forest Root Domain (cont.)

MCTS Windows Server 2008 Active Directory

27

Forest Root Domain (cont.)


Due to the importance of the forest root domains functionality, some organizations choose a dedicated forest root domain The advantages of running a dedicated forest root domain include the following:
More secure More manageable More flexible

MCTS Windows Server 2008 Active Directory

28

Forest Root Domain (cont.)

MCTS Windows Server 2008 Active Directory

29

Choosing a Single or Multiple Forest Design


Most organizations operate under a single AD forest, which has a number of advantages:
A common Active Directory structure Easy access to network resources Centralized management

The advantages of single forest structure are also limitations in many aspects; diversity within an organization may make single forest design unfeasible. Multiple forest design includes the following advantages:
Differing schemas are possbile Security boundaries Separate administration

MCTS Windows Server 2008 Active Directory

30

Understanding Trusts
Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain Types of trust:
One way and two way trusts Transitive trusts Shortcut trusts Forest trusts External trusts Realm trusts

MCTS Windows Server 2008 Active Directory

31

Understanding Trusts (cont.)

MCTS Windows Server 2008 Active Directory

32

One Way and Two-Way Trusts


One-way trust exists when one domain trusts another, but the reverse is not true
When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa. In this case domainA is the Trusting domain and domainB is the Trusted domain

More common is the two-way trust, in which users from both domains can be given access to resources in the other domain

MCTS Windows Server 2008 Active Directory

33

Transitive Trusts
A transitive trust is named after the transitive rule of equality in mathematics: If A=B and B=C, then A=C If one domain trusts another domain, and that domain trusts a third domain, then the first domain has a transitive trust with the third domain In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination. This can cause substantial delays.

MCTS Windows Server 2008 Active Directory

34

Transitive Trusts (cont.)

MCTS Windows Server 2008 Active Directory

35

Shortcut Trusts
A shortcut trust is configured manually between domains to bypass the normal referral process Shortcut trusts are transitive and can be configured as one way or two way trusts between domains in the same forest Shortcut trusts can reduce delays caused by referral processes

MCTS Windows Server 2008 Active Directory

36

Shortcut trusts (cont.)

MCTS Windows Server 2008 Active Directory

37

Forest Trusts
A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest Are not possible in Windows 2000 forests They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isnt transitive from one forest to another

MCTS Windows Server 2008 Active Directory

38

External Trusts
An external trust is a one way or two way nontransitive trust between two domains that arent in the same forest. Generally used in these circumstances:
To create a trust between two domains in different forests To create a trust with a Windows 2000 or Windows NT domain

MCTS Windows Server 2008 Active Directory

39

Realm Trusts
Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest This requires the OS to be running the Kerberos V5 authentication system that AD uses Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network

MCTS Windows Server 2008 Active Directory

40

Designing the Domain Structure


Most small and medium businesses choose a single domain for reasons that include the following:
Simplicity Lower costs Easier management Easier access to resources

MCTS Windows Server 2008 Active Directory

41

Designing the Domain Structure (cont.)


Using multiple domains makes sense or is even a necessity in the following circumstances:
Compatibility with a Windows NT domain Need for differing account policies Need for different name identities Replication control Need for internal versus external domains Need for tight security

MCTS Windows Server 2008 Active Directory

42

Understanding Sites
AD site represents a physical location where DCs are placed and group policies can be applied First DC of a forest creates a site named DefaultFirst-Site-Name once installed Three main reasons for establishing multiple sites:
Authentication efficiency Replication efficiency Application efficiency

Sites are created using Active Directory Sites and Services


MCTS Windows Server 2008 Active Directory 43

Understanding Sites (cont.)

MCTS Windows Server 2008 Active Directory

44

Site Components
Subnets
Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site

Site Links
A site link is needed to connect two or more sites for replication purposes Determine replication schedule and frequency between two sites

Bridgehead Servers
Intersite replication occurs between bridgehead servers One DC designated as the Inter-Site topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition

MCTS Windows Server 2008 Active Directory

45

Site Links

Intersite replication topology is determined by cost value associate with site links
MCTS Windows Server 2008 Active Directory 46

Chapter Summary
Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects OUs, the building blocks of the AD structure in a domain, can be designed to mirror a companys organizational chart. Delegation of control can be used to give users some management authority in an OU.

MCTS Windows Server 2008 Active Directory

47

Chapter Summary (cont.)


Large organizations might require multiple domains, trees, and forests Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes The forest is the broadest logical AD component. All domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains

MCTS Windows Server 2008 Active Directory

48

Chapter Summary (cont.)


Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon A domain is the primary identifying and administrative unit of AD. Each domain has a unique name, and theres an administrative account with full control over objects in the domain. An AD site represents a physical location where domain controllers reside.
MCTS Windows Server 2008 Active Directory 49