MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 4: Active Directory Design and Security Concepts

Upload: sadegh-nakhjavani

Post on 23-Dec-2014

Page 1: Mcts chapter 4

MCTS Guide to Configuring Microsoft Windows Server 2008

Active Directory

Chapter 4: Active Directory Design and Security Concepts

MCTS Windows Server 2008 Active Directory 2

Objectives

• Work with organizational units

• Work with forests, trees, and domains

• Describe the components of a site

Working with Organizational Units

• Active Directory is based upon standards (LDAP and X.500)

• Lightweight Directory Access Protocol (LDAP)
  – Created by the Internet Engineering Task Force (IETF)
  – Based on the X.500 Directory Access Protocol (DAP)
  – Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory

• LDAP is present on other operating systems as well and can be used to integrate them with Active Directory

Working with Organizational Units (cont.)

• Benefits of using OUs:
  – You can create familiar hierarchical structures based on an organizational chart to allow easy resource access
  – Delegation of administrative authority
  – Able to change the OU structure easily
  – Can group users and computers for the purposes of assigning administrative and security policies
  – Can hide AD objects for confidentiality or security reasons

OU Delegation of Control

• Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks

• Allows specific control of what someone with delegated control may do

• Commonly delegated tasks include:
  – Create, delete, and manage user accounts
  – Reset user passwords and force password change at next logon
  – Read all user information
  – Create, delete, and manage groups
  – Modify the membership of a group
  – Manage Group Policy links
  – Generate Resultant Set of Policy (Planning)
  – Generate Resultant Set of Policy (Logging)

OU Delegation of Control (cont.)

• Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance.

• Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not

• By default, the OU’s properties don’t show that another user has been delegated control

• Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions.

Active Directory Object Permissions

• Three types of objects can be assigned permission to access an AD object: users, groups, and computers. These object types are referred to as security principals.

• An AD object’s security settings are composed of three components:
  – Discretionary access control list (DACL)
    • Each entry is referred to as an access control entry (ACE)
  – Object owner
    • Usually the user account that created the object, or a group or user who has been assigned ownership
  – System access control list (SACL)
    • Defines the settings for auditing access to an object

Active Directory Permissions (cont.)

• Each object has a list of standard permissions and a list of special permissions

• Each permission can be set to Allow or Deny, and five standard permissions are available for most objects:
  – Full control
  – Read
  – Write
  – Create all child objects
  – Delete all child objects

Active Directory Permissions (cont.)

• Users can be assigned permission to an object in three different ways:
  – The user’s account is added to the object’s DACL, a method referred to as explicit permission
  – A group the user belongs to is added to the object’s DACL
  – The permission is inherited from a parent object’s DACL to which the user or group account has been added

• A user’s effective permissions are a combination of the assigned permissions.

• Deny permissions override Allow permissions
  – Exception: when the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object’s DACL, the Allow permission takes precedence

Using Deny in an ACE

• If a security principal isn’t represented in an object’s DACL, it doesn’t have access to the object

• Deny permissions are not required for every object to prevent access

• Deny permissions are usually used in cases of exception, such as when you want to grant a user access to an OU but don’t want that user to be able to delete child objects in it

Permission Inheritance in OUs

• Permission inheritance defines how permissions are transmitted from a parent object to a child object

• All objects in AD are child objects of the domain

• By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

Advanced Features Option in Active Directory Users and Computers

• Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the View menu. Afterwards, four new folders are shown:
  – LostAndFound
  – Program Data
  – System
  – NTDS (NT Directory Service)

Advanced Features Option in Active Directory Users and Computers (cont.)

• The Properties dialog box of domain, folder, and OU objects will now have three new tabs:
  – Object
    • Used to view detailed information about a container object
  – Security
    • Used to view and modify an object’s permissions
  – Attribute Editor
    • Used to view and edit an object’s attributes

Effective Permissions

• Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal

• Can come from assignments made directly to a single user account or to a group the user belongs to

• Explicit permissions override inherited permissions, and can create some exceptions to the rule that Deny permissions override Allow permissions

Effective Permissions (cont.)

• Most common settings for permission inheritance:
  – This object only
    • The permission setting isn’t inherited by child (descendant) objects
  – This object and all descendant objects
    • The permission setting applies to the current object and is inherited by all child objects
  – All descendant objects
    • The permission setting doesn’t apply to the selected object but is inherited by all child objects
  – Descendant [object type] objects
    • The permission is inherited only by specific child object types, such as user, computer, or group objects

• Permission inheritance is enabled by default on child objects, but can be disabled
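
As an added illustration (not from the textbook) of how the Deny/Allow, inheritance-scope and effective-permission rules on the preceding slides combine, the following Python models DACL evaluation: ACEs are processed in Windows’ canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is exactly why an explicit Allow beats an inherited Deny while an inherited Deny still beats an inherited Allow. The domain, OU, user and group names in the scenario are constructed.

```python
from dataclasses import dataclass, field
STANDARD = ("Full control", "Read", "Write", "Create all child objects", "Delete all child objects")

@dataclass(frozen=True)
class ACE:
    principal: str           # security principal: user, group or computer
    access: str              # "Allow" or "Deny"
    rights: frozenset        # subset of STANDARD; "Full control" implies all
    scope: str = "This object and all descendant objects"
    inherited: bool = False  # True once the ACE has flowed down from a parent

@dataclass
class ADObject:
    name: str
    object_type: str                  # e.g. "organizationalUnit", "user"
    dacl: list = field(default_factory=list)
    parent: "ADObject" = None
    inherit: bool = True              # permission inheritance is on by default

def applies_here(ace, obj, as_descendant):
    """Does the ACE's inheritance scope reach obj, directly or as a descendant?"""
    s = ace.scope
    if not as_descendant:
        return s in ("This object only", "This object and all descendant objects")
    if s in ("This object and all descendant objects", "All descendant objects"):
        return True
    return s == f"Descendant {obj.object_type} objects"  # e.g. "Descendant user objects"

def ordered_aces(obj):
    """ACEs in Windows evaluation order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    aces = [a for a in obj.dacl if applies_here(a, obj, False)]
    node = obj.parent if obj.inherit else None
    while node is not None:
        aces += [ACE(a.principal, a.access, a.rights, a.scope, True)
                 for a in node.dacl if applies_here(a, obj, True)]
        node = node.parent if node.inherit else None
    return sorted(aces, key=lambda a: (a.inherited, a.access == "Allow"))

def effective_permissions(obj, user, groups=()):
    """Per right, the first ACE in evaluation order naming the user or one of its
    groups decides; a principal present in no ACE gets nothing (no Deny needed)."""
    who, aces, result = {user, *groups}, ordered_aces(obj), {}
    for right in STANDARD:
        hit = next((a for a in aces if a.principal in who and
                    (right in a.rights or "Full control" in a.rights)), None)
        result[right] = hit is not None and hit.access == "Allow"
    return result

def demo():
    """Constructed scenario: HelpDesk reads everywhere but is denied deleting child objects domain-wide."""
    domain = ADObject("DC=example,DC=local", "domainDNS", [
        ACE("HelpDesk", "Allow", frozenset({"Read"})),
        ACE("HelpDesk", "Deny", frozenset({"Delete all child objects"}), scope="All descendant objects")])
    sales = ADObject("OU=Sales", "organizationalUnit", parent=domain, dacl=[   # explicit grant on the OU itself
        ACE("HelpDesk", "Allow", frozenset({"Delete all child objects"}), scope="This object only")])
    bob = ADObject("CN=Bob", "user", parent=sales)
    return (effective_permissions(sales, "alice", {"HelpDesk"}),  # explicit Allow beats inherited Deny
            effective_permissions(bob, "alice", {"HelpDesk"}),    # both inherited, so Deny wins
            effective_permissions(bob, "mallory"))                # in no ACE: no access at all
```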

Working with Forests, Trees, and Domains

• Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests

• The first domain controller creates more than just a new domain; it also creates the root of a new tree and the root of a new forest
  – It may eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

Active Directory Terminology

• Directory Partitions

• Operations Master Roles

• Active Directory Replication

• Trust Relationships

Directory Partitions

• Each section of an Active Directory database is referred to as a directory partition. There are five directory partition types in the AD database:
  – Domain directory partition
    • Contains all objects in a domain, including users, groups, computers, OUs, and so forth
  – Schema directory partition
    • Contains information needed to define AD objects and object attributes
  – Global catalog partition
    • Holds the global catalog, which is a partial replica of all objects in the forest
  – Application directory partition
    • Used by applications and services to hold information that benefits from
  – Configuration partition
    • Holds configuration information that can affect the entire forest

Operations Master Roles

• Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function

• First domain controller in the forest generally takes on the role of the operations master

• If necessary, responsibility for these roles can be transferred to another domain controller

Operations Master Roles (cont.)

• There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles, in an AD forest:
  – Schema master
  – Infrastructure master
  – Domain naming master
  – RID master
  – PDC emulator master

• When removing DCs from a forest, be careful that these roles are not removed from the network accidentally

Active Directory Replication

• Replication is the process of maintaining a consistent database of information when the database is distributed among several locations

• Intrasite replication
  – Replication between domain controllers in the same site

• Intersite replication
  – Occurs between two or more sites

• Multimaster replication
  – Used by AD for replicating AD objects

• Knowledge Consistency Checker (KCC) runs on all DCs
  – Determines the replication topology, which defines the domain controller path that AD changes flow through, and ensures no more than three hops exist between any two DCs

Trust Relationships

• In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain

• Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest

• Trusts do not equal permissions

The Role of Forests

• All domains in a forest share some common characteristics:
  – A single schema
  – Forestwide administrative accounts
  – Operations masters
  – Global catalog
  – Trusts between domains
  – Replication between domains

The Importance of the Global Catalog Server

• First DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured as well

• Global Catalog servers perform the following vital functions:
  – Facilitate domain and forestwide searches
  – Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN)
  – Hold universal group membership information

Forest Root Domain

• First domain is the forest root and is referred to as the forest root domain

• Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate

• Functions the forest root domain usually handles:
  – DNS server
  – Global catalog server
  – Forestwide administrative accounts
  – Operations masters

Forest Root Domain (cont.)

• Due to the importance of the forest root domain’s functionality, some organizations choose a dedicated forest root domain

• The advantages of running a dedicated forest root domain include the following:
  – More secure
  – More manageable
  – More flexible

Choosing a Single or Multiple Forest Design

• Most organizations operate under a single AD forest, which has a number of advantages:
  – A common Active Directory structure
  – Easy access to network resources
  – Centralized management

• The advantages of a single forest structure are also limitations in many aspects; diversity within an organization may make a single forest design unfeasible. A multiple forest design includes the following advantages:
  – Differing schemas are possible
  – Security boundaries
  – Separate administration

Understanding Trusts

• Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain

• Types of trust:
  – One-way and two-way trusts
  – Transitive trusts
  – Shortcut trusts
  – Forest trusts
  – External trusts
  – Realm trusts

One-Way and Two-Way Trusts

• A one-way trust exists when one domain trusts another, but the reverse is not true
  – When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa
  – In this case domainA is the trusting domain and domainB is the trusted domain

• More common is the two-way trust, in which users from both domains can be given access to resources in the other domain

Transitive Trusts

• A transitive trust is named after the transitive rule of equality in mathematics: If A=B and B=C, then A=C

• If one domain trusts another domain, and that domain trusts a third domain, then the first domain has a transitive trust with the third domain

• In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination. This can cause substantial delays.

Shortcut Trusts

• A shortcut trust is configured manually between domains to bypass the normal referral process

• Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest

• Shortcut trusts can reduce delays caused by referral processes

Forest Trusts

• A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest

• Forest trusts are not possible in Windows 2000 forests

• They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isn’t transitive from one forest to another

External Trusts

• An external trust is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest. It is generally used in these circumstances:
  – To create a trust between two domains in different forests
  – To create a trust with a Windows 2000 or Windows NT domain
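
The following Python is an added example, not part of the slides, that models the trust types described on the preceding slides (one-way and two-way, transitive parent-child and tree-root, shortcut, forest, external) as a directed graph from trusting domain to trusted domain and finds the referral chain a user’s authentication must traverse. The domain names and topology are constructed; the example shows a shortcut trust collapsing a four-hop referral path to one hop, a forest trust not chaining on to a third forest, and an external trust reaching only its directly trusted domain.

```python
from collections import deque

# Trust kinds from the slides: parent-child, tree-root and shortcut trusts are
# created inside one forest and chain (transitive); a forest trust chains across
# the two forests it joins but never on to a third; an external trust never chains.
class TrustGraph:
    def __init__(self):
        self.trusts = {}   # trusting domain -> [(trusted domain, kind)]

    def add_trust(self, trusting, trusted, kind, two_way=True):
        """trusting trusts trusted: users from the trusted domain may be granted access to trusting's resources."""
        self.trusts.setdefault(trusting, []).append((trusted, kind))
        self.trusts.setdefault(trusted, [])
        if two_way:
            self.trusts[trusted].append((trusting, kind))

    def access_path(self, resource_domain, user_domain):
        """Chain of domains (trusting -> trusted) a referral walks so a user from user_domain
        can authenticate to a resource in resource_domain; breadth-first, so the fewest
        hops win (which is what a shortcut trust buys). None if no chain permits access."""
        if resource_domain == user_domain:
            return [resource_domain]
        queue = deque([([resource_domain], False)])   # (path so far, forest trust already used)
        seen = {(resource_domain, False)}
        while queue:
            path, used_forest = queue.popleft()
            for trusted, kind in self.trusts.get(path[-1], []):
                if kind == "external":
                    # nontransitive: usable only as the single hop of the whole path
                    if len(path) == 1 and trusted == user_domain:
                        return path + [trusted]
                    continue
                crossed = used_forest
                if kind == "forest":
                    if used_forest:
                        continue      # forest trusts do not chain to a third forest
                    crossed = True
                if trusted == user_domain:
                    return path + [trusted]
                if (trusted, crossed) not in seen:
                    seen.add((trusted, crossed))
                    queue.append((path + [trusted], crossed))
        return None

def demo():
    """Constructed topology: forest corp.local (two trees of child domains), a forest trust to
    partner.com, partner's own forest trust to vendor.net, and a one-way external trust to LEGACY."""
    g = TrustGraph()
    for parent, child in [("corp.local", "east.corp.local"), ("east.corp.local", "ny.east.corp.local"),
                          ("corp.local", "west.corp.local"), ("west.corp.local", "la.west.corp.local"),
                          ("partner.com", "sub.partner.com")]:
        g.add_trust(parent, child, "parent-child")      # created automatically when a child domain is added
    g.add_trust("corp.local", "partner.com", "forest")
    g.add_trust("partner.com", "vendor.net", "forest")
    g.add_trust("ny.east.corp.local", "LEGACY", "external", two_way=False)   # ny trusts LEGACY only
    before = len(g.access_path("la.west.corp.local", "ny.east.corp.local")) - 1   # referral hops
    g.add_trust("la.west.corp.local", "ny.east.corp.local", "shortcut")
    after = len(g.access_path("la.west.corp.local", "ny.east.corp.local")) - 1
    return g, before, after
```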

Realm Trusts

• Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest

• This requires the OS to be running the Kerberos V5 authentication system that AD uses

• Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network

Designing the Domain Structure

• Most small and medium businesses choose a single domain for reasons that include the following:
  – Simplicity
  – Lower costs
  – Easier management
  – Easier access to resources

Designing the Domain Structure (cont.)

• Using multiple domains makes sense, or is even a necessity, in the following circumstances:
  – Compatibility with a Windows NT domain
  – Need for differing account policies
  – Need for different name identities
  – Replication control
  – Need for internal versus external domains
  – Need for tight security

Understanding Sites

• An AD site represents a physical location where DCs are placed and group policies can be applied

• The first DC of a forest creates a site named Default-First-Site-Name once installed

• Three main reasons for establishing multiple sites:
  – Authentication efficiency
  – Replication efficiency
  – Application efficiency

• Sites are created using Active Directory Sites and Services

Site Components

• Subnets
  – Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site

• Site links
  – A site link is needed to connect two or more sites for replication purposes
  – Determine the replication schedule and frequency between two sites

• Bridgehead servers
  – Intersite replication occurs between bridgehead servers
  – One DC is designated as the Inter-Site Topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition

Site Links

The intersite replication topology is determined by the cost value associated with each site link

Chapter Summary

• Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects

• OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company’s organizational chart. Delegation of control can be used to give users some management authority in an OU.

Chapter Summary (cont.)

• Large organizations might require multiple domains, trees, and forests

• Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes

• The forest is the broadest logical AD component. All domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains

Chapter Summary (cont.)

• Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon

• A domain is the primary identifying and administrative unit of AD. Each domain has a unique name, and there’s an administrative account with full control over objects in the domain.

• An AD site represents a physical location where domain controllers reside.