Suleyman Demirel University, 2012

CHAPTER 1 – Overview of Active Directory
MCTS Course Overview
• Chapter 1 - Overview of Active Directory
• Chapter 2 - Domain Name System (DNS)
• Chapter 3 - Planning and Installation of Active Directory
• Chapter 4 - Installing and Managing Trees and Forests
• Chapter 5 - Configuring Sites and Replication
• Chapter 6 - Configuring Active Directory Server Roles
• Chapter 7 - Administering Active Directory
• Chapter 8 - Configuring Group Policy Objects
• Chapter 9 - Planning Security for Active Directory
• Chapter 10 - Active Directory Optimization and Reliability

Chapter 1 - Overview of Active Directory
• The Industry before Active Directory
• The Benefits of Active Directory
• Understanding Active Directory's Logical Structure
• Understanding Active Directory Objects
• Introducing Windows Server 2008 Server Roles
• Introducing Identity and Access (IDA) in Windows Server 2008

The Industry before Active Directory
• The Windows NT 4 Domain Model: flat (non-hierarchical) domains, a single writable Primary Domain Controller with read-only Backup Domain Controllers, and one-way, non-transitive trusts that had to be created by hand between every pair of domains.
THE BENEFITS OF ACTIVE DIRECTORY

The Benefits of Active Directory
• Hierarchical organization
• Extensible schema
• Centralized data storage
• Replication
• Ease of administration
• Network security
• Client configuration management
• Scalability
• Search functionality

Hierarchical organization
• Active Directory is based on a hierarchical layout. Through the use of various organizational components (or objects), a company can create a network management infrastructure and directory structure that mirrors the business organization.

Hierarchical organization
• Active Directory also integrates with the network naming service, the Domain Name System (DNS). Every Active Directory domain name is a DNS name, and domain controllers publish their services as DNS SRV records so that clients can locate them.
• DNS provides for the hierarchical naming and location of resources throughout the company and on the public Internet.
• Example: stellacon.com is the parent (root) domain; sales.stellacon.com and hr.stellacon.com are child domains, and their names are subdomains of the parent's DNS name.
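Because domain controllers are found through DNS, the first thing to check when logons or domain joins fail is whether the SRV records exist. The following PowerShell script is an added example, not part of the original slides; it uses the slide's stellacon.com as the domain name (replace it with your own, and note that the _gc record lives under the forest root name, which is assumed to be the same domain here).

```powershell
# Added example: verify that DNS can locate domain controllers for a domain.
$domain = "stellacon.com"        # the slide's example domain; assumed to also be the forest root

# DCs register these under _msdcs; clients use them to find a DC for LDAP (389),
# Kerberos (88) and the Global Catalog (3268). If the lookup fails, so does logon.
$records = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_gc._tcp.$domain"
)

function Test-DcSrvRecord([string]$Name) {
    # nslookup ships with every Windows version; its SRV answer contains "svr hostname = <dc>"
    $out = nslookup -type=SRV $Name 2>&1
    if ($out -match "svr hostname") {
        "OK   $Name"
        $out | Where-Object { $_ -match "svr hostname|port" } | ForEach-Object { "     $($_.Trim())" }
    } else {
        "FAIL $Name (no SRV records returned)"
    }
}

foreach ($name in $records) { Test-DcSrvRecord $name }
```

If the records are missing on a DC you can re-register them by restarting the Netlogon service on that DC; the check above should then succeed against every DNS server the clients use.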
Extensible schema
• It is very difficult to store all types of information in one storage repository with a fixed layout.
• That is why Active Directory has been designed with extensibility in mind: the schema can be extended with new classes and attributes (as, for example, Exchange Server does when it is installed).

Extensible schema
• The schema is the actual structure of the database: what data types it contains and which attributes belong to which objects.
• The schema is important because it allows applications to know where particular pieces of information reside.

Centralized data storage
• All of the information within Active Directory resides within a single, distributed data repository.
• Users and systems administrators must be able to easily access the information they need wherever they may be within the company.

Benefits of centralized data storage
• The benefits of centralized data storage include reduced administrative requirements, less duplication, higher availability, and increased visibility and organization of data.
Replication
• If server performance and reliability were not concerns, it might make sense to store the entire Active Directory on a single server.
• In practice they are concerns, so Active Directory replicates the directory: every writable domain controller holds a copy of its domain's data, and a change made on one domain controller is propagated to the others (multi-master replication). A client can therefore be served by any nearby domain controller, and the loss of one server does not lose the directory.

Replication
• What kinds of problems can occur in replication? (Your ideas: conflicting changes made on two domain controllers at once, slow or broken WAN links, replication latency between sites, clock skew.)
Ease of administration
• In order to accommodate various business models, Active Directory can be configured for centralized or decentralized administration.
• This gives network and systems administrators the ability to delegate authority and responsibilities throughout the organization while still maintaining security.

Ease of administration
• Furthermore, the tools and utilities used to add, remove, and modify Active Directory objects are available with all Windows Server 2008 domain controllers. Changes must be made on a writable domain controller: a read-only domain controller (RODC) holds a read-only replica and refers write requests to a writable domain controller.
Network security
• Through the use of a single logon (Kerberos authentication) and various authentication and encryption mechanisms, Active Directory can facilitate security throughout an entire enterprise.
• Through the process of delegation, higher-level security authorities can grant permissions to other administrators. For ease of administration, objects in the Active Directory tree inherit permissions from their parent objects.

Network Security
• Application developers can take advantage of many of these features to ensure that users are identified uniquely and securely.
• Network administrators can create and update permissions as needed from within a single repository, thereby reducing the chance of inaccurate or outdated configuration.

Client configuration management
• One of the biggest struggles for systems administrators comes with maintaining a network of heterogeneous systems and applications.
• A fairly simple failure, such as a hard disk crash, can cause hours of work in reconfiguring and restoring a workstation, and even more for an enterprise-class server.
• Active Directory addresses this with Group Policy, which applies configuration centrally to users and computers. The overall benefit is decreased downtime, a better end-user experience, and reduced administration.

Scalability
• Large organizations often have many users and large quantities of information to manage.
• Active Directory was designed with scalability in mind. Not only does it allow for storing millions of objects within a single domain, it also provides methods for distributing the necessary information between servers and locations.

Search functionality
• For example, if we need to find a printer, we should not need to know the name of the domain or print server for that object.
• Using Active Directory, users can quickly find information about other users or resources, such as printers and servers, through an intuitive querying interface.
Components and Mechanisms of Active Directory
• Data Store
• Schema
• Global Catalog
• Searching Mechanisms
• Replication

Data Store
• The term data store is used to refer to the actual structure that contains the information stored within Active Directory.
• The data store is implemented as a set of files (the database ntds.dit and its transaction logs) that resides within the file system of a domain controller. This is the fundamental structure of Active Directory.

Schema
• The Active Directory schema consists of rules on the types of information that can be stored within the directory.
• The schema is made up of two types of objects: attributes and classes.

Schema (figure): Schema = Attributes + Classes

Attribute
• An attribute is a single granular piece of information stored within Active Directory. First Name and Last Name, for example, are considered attributes, which may contain the values Bob and Smith respectively.

Class
• A class is an object type defined as a collection of attributes. For example, a class called Employee could include the First Name and Last Name attributes.

Comparison of Attribute and Class (figure)
• Class: Employee
• Attribute Name = Berik, Attribute Surname = Serikov

Attributes and Classes (figure)
• Any number of classes can use the same attributes: both the class Employee and the class AwardWinners use the attributes Name (Berik) and Surname (Serikov).
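The class/attribute relationship can be inspected directly in the schema partition of a live forest. The script below is an added example, not from the slides; it uses the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT) and the built-in user class and sn (Surname) attribute rather than the slide's hypothetical Employee class.

```powershell
# Added example: read class and attribute definitions from the AD schema.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=sdu,DC=edu,DC=kz

# 1. The class 'user': what attributes does it declare, and what does it derive from?
$cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
        -Properties lDAPDisplayName, subClassOf, mayContain, systemMayContain, mustContain, systemMustContain
$required = @($cls.mustContain) + @($cls.systemMustContain)
$optional = @($cls.mayContain) + @($cls.systemMayContain) | Sort-Object
"Class {0} derives from {1} (and inherits that class's attributes too)" -f $cls.lDAPDisplayName, $cls.subClassOf
"Required attributes declared here: $($required -join ', ')"
"Optional attributes declared here: $($optional.Count); first 15: $(($optional | Select-Object -First 15) -join ', ')"

# 2. The attribute 'sn' (Surname): syntax, cardinality, and whether the Global Catalog carries it.
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=sn))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, rangeUpper |
    Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, rangeUpper

# 3. The slide's point, "any number of classes can use the same attribute": every class that declares sn.
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(|(mayContain=sn)(systemMayContain=sn)))" `
        -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
```

Step 1 returns an empty required list for user because its mandatory attributes (cn, objectClass, and so on) are inherited from the parent classes person and top; step 3 likewise lists person rather than user, because user gets sn by inheritance. Schema objects are forest-wide and changes to them cannot be undone, so reading them is routine but extending them is a planned, one-way operation.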
Global Catalog
• The Global Catalog is a database that contains an entry for every object in every domain of the forest, but only a subset of each object's attributes (the partial attribute set, those marked for Global Catalog replication in the schema); the full object lives only in its home domain.
• It is hosted by selected domain controllers and queried on LDAP port 3268 (3269 over SSL).
• You can think of the Global Catalog as something like a universal phone book: enough to find an object anywhere in the forest without knowing its domain.
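The search scenario from the Search functionality slide (find a printer without knowing its domain or print server) is exactly what the Global Catalog is for. This added example, not part of the original slides, runs LDAP searches against the GC from PowerShell using the .NET DirectorySearcher class, which works on Windows Server 2008 without any extra module; the forest name sdu.edu.kz, the printer name and the account names are assumptions.

```powershell
# Added example: forest-wide searches through the Global Catalog (GC://, port 3268).
$forestRoot = "GC://sdu.edu.kz"          # assumption: the forest's DNS name
$root     = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $forestRoot
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$searcher.PageSize = 500                 # page through results instead of hitting the 1000-object server limit

function Find-InGlobalCatalog([string]$LdapFilter, [string[]]$Attributes) {
    $searcher.Filter = $LdapFilter
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.AddRange($Attributes)
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        # result property names are lower-cased by the searcher
        foreach ($a in $Attributes) { $o[$a] = ($r.Properties[$a.ToLower()] | Select-Object -First 1) }
        [pscustomobject]$o
    }
}

# A printer anywhere in the forest by its friendly name: no domain or print server needed.
Find-InGlobalCatalog "(&(objectCategory=printQueue)(printerName=*Color*))" @("printerName", "serverName", "distinguishedName")

# A person by surname across every domain (objectCategory=person narrows to user/contact classes).
Find-InGlobalCatalog "(&(objectCategory=person)(objectClass=user)(sn=Serikov))" @("sAMAccountName", "distinguishedName")

# Caveat: only attributes in the partial attribute set are in the GC. lastLogon is never replicated,
# so it comes back empty here even though the object's home domain controller has a value.
Find-InGlobalCatalog "(sAMAccountName=berik.serikov)" @("sAMAccountName", "department", "lastLogon")
```

When an attribute you need is missing from GC results, either query a domain controller of the object's own domain (LDAP://, port 389) using the distinguishedName the GC returned, or, if the attribute is needed forest-wide, mark it for GC replication in the schema, which triggers a full GC resynchronization on Windows 2000 forests but not on 2003 and later.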
An Overview of Active Directory Domains
• An Active Directory domain contains a logical partition of users, groups, and other objects within the environment. (figure: Domain)

Group Policy and security permissions
• Security for all of the objects within a domain can be administered based on policies.
• These policies can apply to all of the users, computers, and objects within the domain. For more granular security settings, however, permissions can be granted on specific objects, thereby distributing administration responsibilities and increasing security.

Hierarchical object naming
• All of the objects within an Active Directory container share a common namespace.
• Example (addresses as shown on the slide):
• firstname.lastname@example.org
• email@example.com
• The common part of the addresses is sdu.edu.kz

Hierarchical object naming
• Example with different departments:
• firstname.lastname@example.org
• email@example.com
• The common part of the addresses is sdu.edu.kz
• Zhamanov is on the engineering faculty
• Baribayev is on the philology faculty

Hierarchical inheritance
• Containers called organizational units (OUs) can be created within a domain.
• These units are used for creating a logical grouping of objects within Active Directory.
• The specific settings and permissions assigned to an OU can be inherited by lower-level objects.

Hierarchical inheritance (figure)
• If we apply a configuration to OU EN, the lower-level objects inherit that configuration: the child OUs 5B070400, 5B070300 and 5B010900 under OU EN.
Trust relationships (figure)
• Domain A trusts Domain B, and Domain B trusts Domain C.
• Because the trusts within a forest are transitive and two-way, Domain A and Domain C trust each other implicitly without a trust being created between them.

Overview of an Active Directory Forest
• Domain trees are hierarchical collections of one or more domains that are designed to meet the organizational needs of a business. The domains of a tree share a contiguous DNS namespace.

Domain Tree (figure)
• sdu.edu.kz (root of the tree)
• eng.sdu.edu.kz
• kz.en.sdu.edu.kz

Root Domain
• The first domain installed becomes the root domain (of the tree, and of the forest).
• By default, trust relationships are automatically established between parent and child domains within a tree.

Active Directory Forest
• An Active Directory forest is a collection of one or more domain trees that share a common schema, configuration partition and Global Catalog, and are joined by transitive trusts.
• The trees in a forest need not share a contiguous namespace, which is why a forest is described as a noncontiguous group of domains. The forest, not the domain, is the security boundary.
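Trusts that leave the forest deserve a periodic check, because a trust is also an attack path: if SID filtering is off, the trusted side can present SIDs from your forest (via sIDHistory) and be treated as one of your privileged groups. This added script, not part of the original slides, lists every trust of the current domain with the ActiveDirectory module's Get-ADTrust and flags the risky settings; netdom at the end gives the same view with the Windows Server 2008-era tool.

```powershell
# Added example: inventory the domain's trusts and check SID filtering on each outbound-facing one.
Import-Module ActiveDirectory

$trusts = Get-ADTrust -Filter *
$trusts | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                        SIDFilteringQuarantined, SIDFilteringForestAware, TGTDelegation |
    Format-Table -AutoSize

function Test-TrustSidFiltering($Trust) {
    # Forest trusts use the "forest aware" flag; external (quarantined) trusts use the quarantine flag.
    if ($Trust.ForestTransitive) { [bool]$Trust.SIDFilteringForestAware } else { [bool]$Trust.SIDFilteringQuarantined }
}

foreach ($t in $trusts | Where-Object { -not $_.IntraForest }) {
    if (-not (Test-TrustSidFiltering $t)) {
        Write-Warning "Trust '$($t.Name)' ($($t.Direction)): SID filtering is OFF; foreign sIDHistory is accepted"
    }
    if ($t.TGTDelegation) {
        Write-Warning "Trust '$($t.Name)': TGT delegation across the trust is enabled (unconstrained delegation can cross it)"
    }
}

# The classic tool (available on Windows Server 2008 without the PowerShell module)
netdom query trust
```

Intra-forest trusts (parent-child and tree-root) are skipped because SID filtering cannot be meaningfully applied inside a forest; that is another way of saying the forest, not the domain, is the security boundary.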
Objects
• The Active Directory database is made up of units called objects.
• Each object represents a single unique database entry.

Names and Identifiers of Objects (figure)
• Object identifiers: GUID / SID
• Distinguished Name (DN)

GUID/SID
• GUID - globally unique identifier, assigned to every object when it is created and never changed. It is used in replication to identify the object regardless of its name or location.
• SID - security identifier, assigned to security principals (users, computers, groups). Rights and permissions are granted to the SID, not to the account name: access control entries in ACLs store SIDs, and the name is only resolved for display.

Example of SID
• Farida is a Sales Manager and she is going on maternity leave. HR hires Manshuk for temporary work, and Manshuk needs the same permissions Farida had. The system administrator changes the account name from Farida to Manshuk, but the SID stays the same, so every permission granted to Farida's SID now applies to Manshuk.
• Caveat: this works, but it also hands Manshuk Farida's audit trail, password history, mailbox and profile. The cleaner practice is to disable Farida's account, create a new one for Manshuk and copy the group memberships; group membership, not account renaming, is the intended way to give two people the same permissions.

Distinguished Names
• A unique, hierarchical name for any object in the directory (not only users); the name identifies the object by its position in the tree.
• Example: Berik Serikov is the object's common name (CN), the last component of its DN.

Problem with DN
• What if two people with the same name and surname work in one organization?

Question
• How do we distinguish them?

Answer
• A full DN is built from these components:
• O – Organization
• OU – Organizational Unit
• DC – Domain Component, e.g. en.sdu.kz and ph.sdu.kz
• CN – Common Name
• The two people are told apart by the rest of the path, here the domain (en versus ph):
• /O=Internet/DC=kz/DC=sdu/DC=en/CN=instructor/CN=Berik Serikov
• /O=Internet/DC=kz/DC=sdu/DC=ph/CN=instructor/CN=Berik Serikov
• In LDAP notation, which is what the Active Directory tools display, the same names read most-specific component first, and containers such as instructor are normally organizational units: CN=Berik Serikov,OU=instructor,DC=en,DC=sdu,DC=kz and CN=Berik Serikov,OU=instructor,DC=ph,DC=sdu,DC=kz. Within one container two objects cannot share a CN, so a second Berik Serikov in the same OU would need a different CN (or a different OU).

Comparison of SID and DN
• If you change the structure of the domain (move an object to another OU, or rename it), its DN changes; its SID and GUID do not.
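The DN-versus-SID difference is easy to demonstrate on a test account: move it between OUs and compare the identifiers before and after, then look at a file ACL to see that what is stored there is the SID. This added PowerShell example is not from the slides; the account name, target OU and share path are assumptions, and it should be run against a lab account because it really moves the object.

```powershell
# Added example: a move changes the DN but leaves SID and GUID untouched; ACLs reference the SID.
Import-Module ActiveDirectory
$user  = "bserikov"                                 # assumed sAMAccountName of a test account
$newOU = "OU=Philology,DC=sdu,DC=edu,DC=kz"         # assumed target OU

function Get-UserIdentifiers([string]$SamAccountName) {
    $u = Get-ADUser $SamAccountName
    [pscustomobject]@{ DN = $u.DistinguishedName; SID = $u.SID.Value; GUID = $u.ObjectGUID }
}

$before = Get-UserIdentifiers $user
"Before: $($before.DN)`n        SID=$($before.SID)  GUID=$($before.GUID)"

Move-ADObject -Identity $before.DN -TargetPath $newOU    # the DN is a path, so it changes

$after = Get-UserIdentifiers $user
"After:  $($after.DN)`n        SID=$($after.SID)  GUID=$($after.GUID)"

if ($before.SID -eq $after.SID -and $before.GUID -eq $after.GUID -and $before.DN -ne $after.DN) {
    "DN changed; SID and GUID survived, so every permission granted to this SID still applies."
}

# Why the SID is what matters: a file ACL stores SIDs and only translates them to names for display.
$folder = "D:\Shares\Sales"                                # assumed folder on this file server
(Get-Acl $folder).Access | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference
        SID      = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        Rights   = $_.FileSystemRights
    }
}
```

An ACL entry whose SID no longer resolves to a name (shown as a raw S-1-5-21-... string) is the other face of the same rule: the account was deleted and a new one with the same name got a new SID, so the old entry grants nothing to anybody.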
Organizational Unit
• OUs are container objects that can be hierarchically arranged within a domain.

Types of OUs (figure)
• Geographically based OUs
• Functionally based OUs

Geographically Based OU example (figure)

Functionally Based OU example (figure)

Security Features (figure)
• User accounts
• Computer objects
• Group objects

User Accounts
• User accounts define the login information and passwords that individuals using your network need to enter to receive permissions to use network objects.

Computer Objects
• Computer objects allow systems administrators to configure the functions that can be performed on client machines throughout the environment.
Group Objects (figure)
• Users (Engineers, Philology, Economists) are placed into groups; the groups are granted permissions; the permissions apply to resources (files, printers, the security database).
• Users -> Groups -> Permissions -> Resources

Group Objects (figure)
• Security groups
• Distribution groups

Security Groups
• Security groups are used to administer permissions. A security group is security-enabled: it has a SID that appears in the access token of every member, so permissions granted to the group apply to all of its members. A security group can also be mail-enabled, so it can be used to send email and other messages to several different users at once.
• For security permissions.

Distribution Groups
• Distribution groups are used only to send email and other messages to several different users at once. They are not security-enabled: they are not added to a member's access token, so a permission granted to a distribution group has no effect. You do not have to maintain security permissions when using distribution groups, but they can help you handle multiple users.
• For mail distribution.

Delegation of Administrative Control
• An OU is the smallest scope to which Group Policy can be linked (the others being sites and domains), and the usual unit for delegating administrative permissions; permissions themselves can be set as finely as on a single object.
• Delegation occurs when a higher security authority assigns permissions to a lower security authority.
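The two slides above describe one workflow: users go into a security group, the group (never the individual) is named on the resource, and the same group can be delegated an administrative task over an OU. The script below is an added example, not from the slides; it writes the same two ACEs that the Delegation of Control wizard's "Reset user passwords and force password change at next logon" task writes, using the ActiveDirectory module and the AD: PowerShell drive. The OU, group, account, share and NetBIOS domain names are assumptions; the GUIDs are the fixed schema identifiers of the Reset Password control access right, the pwdLastSet attribute and the user class.

```powershell
# Added example: AGDLP in practice, then delegate "reset password" on an OU to a group.
Import-Module ActiveDirectory
$ou            = "OU=Engineering,DC=sdu,DC=edu,DC=kz"   # assumed OU
$grpName       = "EN-Helpdesk"                          # assumed group name
$domainNetbios = "SDU"                                  # assumed NetBIOS domain name
$share         = "D:\Shares\Engineering"                # assumed folder on this file server

# 1. Users -> group -> permission -> resource: the resource ACL names the group, not people.
New-ADGroup -Name $grpName -GroupCategory Security -GroupScope Global -Path $ou
Add-ADGroupMember -Identity $grpName -Members "bserikov", "azhamanov"      # assumed accounts
icacls $share /grant "${domainNetbios}\${grpName}:(OI)(CI)M"              # Modify, inherited by files and subfolders

# 2. Delegate password resets on the OU, scoped to descendant user objects only.
$sid           = (Get-ADGroup $grpName).SID
$resetPwdRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" control access right
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # pwdLastSet attribute (lets them force change at next logon)
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$descendants   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-DelegationAce([string]$Rights, [Guid]$ObjectType) {
    # one ACE: Allow <rights> on <ObjectType>, applied to descendant objects of class user
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $descendants, $userClass)
}

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule((New-DelegationAce "ExtendedRight" $resetPwdRight))
$acl.AddAccessRule((New-DelegationAce "ReadProperty, WriteProperty" $pwdLastSet))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify what the group really holds on the OU, and nothing more.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$grpName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Step 3 is the part worth keeping as a routine check: delegated rights accumulate silently over years, and a group that can reset passwords of every user object under an OU that also contains administrators is a privilege-escalation path. Keep privileged accounts in an OU where no such delegation applies.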
INTRODUCING WINDOWS SERVER 2008 SERVER ROLES

Server Manager
• Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administrator to view information about server configuration, the status of roles that are installed, and links for adding and removing features and roles.

Roles in Windows Server 2008 AD
• Active Directory Certificate Services
• Active Directory Domain Services
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Active Directory Rights Management Services

Active Directory Certificate Services
• AD CS allows administrators to configure services for issuing and managing public key certificates.
• Companies can benefit from AD CS security by binding a key pair to an identity: a certificate signed by the CA ties a public key to an object (such as a user or computer), a device (such as a router), or a service, and the holder proves the identity with the matching private key.

AD CS (figure: exchange between Customer, Customer Support and the CA)
• Customer to Customer Support: I need to get resources, but I cannot use them without a certificate.
• Customer to the CA: I am your subscriber; I need to get a certificate and have rights for the resources.
• CA to Customer: I know you, here is your certificate.
• Customer: Thank you, now I have a certificate and can use the resources.

AD CS Components (figure)
• Certification Authorities (CAs)
• Web Enrollment
• Online Responder Service
• Network Device Enrollment Service

Web Enrollment
• This feature allows users to request certificates and retrieve certificate revocation lists (CRLs) through the use of a web browser.

Certification Authorities (CAs) (figure)
• Enterprise CAs
• Stand-alone CAs
• Either kind can be a root CA or a subordinate CA.

Enterprise Root CAs
• An enterprise CA is integrated with Active Directory: it publishes its certificates and CRLs to the directory, uses certificate templates, and can issue certificates automatically (autoenrollment) to the users and computers of the domain. An enterprise root CA is the topmost trusted CA of such a hierarchy, and domain members trust it automatically.

Stand-Alone CAs
• A stand-alone CA does not require Active Directory: requests are submitted manually and approved by an administrator. Stand-alone CAs are used for issuing certificates to users outside the organization (for example Internet users) and, commonly, for an offline root CA that is kept disconnected from the network.

Certification Authorities (CAs)
• The enterprise or stand-alone root CA issues certificates to the subordinate CAs, which in turn issue certificates to objects and services.

Network Device Enrollment Service
• The Network Device Enrollment Service allows network devices (such as routers) to obtain a certificate even though they do not have an account in the Active Directory domain.

Online Responder Service
• Some applications, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), and smart cards, may need to validate the status of a certificate.
• The Online Responder service implements the Online Certificate Status Protocol (OCSP): it responds to certificate status requests, evaluates the status of the certificate that was requested, and answers the request with a signed response containing the certificate's status information, so that the client does not have to download the whole CRL.
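Whether revocation checking actually works (CRL reachable, Online Responder answering) is something to verify from a client, not assume. This added example, not from the slides, uses certutil, which ships with Windows, to chain-build a certificate while forcing the CRL/OCSP URLs in its extensions to be fetched, and to query the CA itself; the certificate path and the CA configuration string are assumptions.

```powershell
# Added example: check a certificate's chain and revocation status via CRL/OCSP, and ping the CA.
$cert = "C:\Temp\user.cer"                    # assumed: a certificate exported from a client
$ca   = "CA01.sdu.edu.kz\SDU Issuing CA"      # assumed: "<CA host>\<CA common name>"

function Test-CertRevocation([string]$Path) {
    # -urlfetch ignores the local CRL cache and retrieves AIA/CRL/OCSP URLs from the certificate
    $out = certutil -verify -urlfetch $Path 2>&1
    $out | Select-String -Pattern "OCSP|CRL|Revocation|Verified|Expired"
    if (($out -match "0x80092013") -or ($out -match "revocation server was offline")) {
        "REVOCATION-UNKNOWN"   # CRYPT_E_REVOCATION_OFFLINE: CRL/OCSP unreachable; clients will fail or skip the check
    } elseif ($out -match "Leaf certificate revocation check passed") {
        "OK"
    } else {
        "FAILED"                # untrusted chain, expired, or revoked: read the lines printed above
    }
}

Test-CertRevocation $cert

# Is the CA up, and what kind is it (Enterprise/Standalone, Root/Subordinate)?
certutil -config $ca -ping
certutil -config $ca -CAInfo type
```

A REVOCATION-UNKNOWN result on a working network usually means the CRL distribution point or OCSP URL baked into the certificates points at a name that clients cannot resolve, which is the most common PKI misconfiguration: smart-card logon and IPsec then fail, while browsers may quietly skip the check.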
Read-Only Domain Controllers (RODCs)
• Read-Only Domain Controllers are placed in small branch offices that have no secure data center.
• An RODC holds a read-only replica of the directory: neither users nor local administrators can change the Active Directory database on it, and a change that slips through cannot replicate back, because replication to an RODC is one-way.
• By default an RODC stores no passwords at all; a Password Replication Policy decides which accounts may have their password hashes cached on it. Privileged accounts are denied by default, so if the RODC is stolen only the cached branch-office accounts are exposed and they can be reset.

Read-Only Domain Controllers (RODCs) (figure)
• A writable Windows Server domain controller in the secure data center replicates to several RODCs in the branch offices.
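The operational question for every RODC is "which secrets does this box hold right now?", because that is what is lost if it is stolen. This added example, not part of the slides, reads the Password Replication Policy and the list of already-cached accounts with the ActiveDirectory module and cross-checks it against Domain Admins; the RODC name is an assumption.

```powershell
# Added example: review an RODC's Password Replication Policy and what it has actually cached.
Import-Module ActiveDirectory
$rodc = "RODC-ALMATY"      # assumed RODC computer name

# Policy: who may (Allowed) and who must never (Denied) have password hashes cached on this RODC
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Reality: accounts whose secrets have been replicated to it (what a thief of the box would obtain)
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$cached | Select-Object Name, ObjectClass

function Get-PrivilegedCachedAccounts($Revealed) {
    # anything in Domain Admins (recursively) that is cached on the RODC is a policy failure
    $privileged = Get-ADGroupMember "Domain Admins" -Recursive | Select-Object -ExpandProperty SamAccountName
    $Revealed | Where-Object { $privileged -contains $_.SamAccountName }
}

$leak = Get-PrivilegedCachedAccounts $cached
if ($leak) { Write-Warning "Privileged account(s) cached on ${rodc}: $($leak.SamAccountName -join ', ')" }

# Typical policy: allow only the branch office's own users and computers (assumed group name)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Almaty-Branch-Users"
```

If an RODC is lost, delete its computer object in Active Directory Users and Computers: the deletion wizard offers to reset the passwords of every account in the revealed list, which is exactly the list this script prints.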
Auditing in Windows Server 2008
• In previous versions of Microsoft Windows Server, you had the ability to audit Active Directory by watching for successes or failures.
• The problem with this was that, although you could view the Security Log and notice that someone accessed an object, you could not view what they might have changed in that object's attributes.
• In Microsoft Windows Server 2008, the new "Directory Service Changes" audit subcategory records both the old and the new value of a modified attribute (event 5136), as well as object creation (5137), move (5139) and deletion (5141). Two things must be in place: the subcategory must be enabled on the domain controllers, and a system access control list (SACL) on the objects must say which operations to audit.
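The following added example (not from the slides) enables the subcategory on a domain controller, puts a SACL on an OU so that writes and deletions under it are audited, and then reads the resulting events back into a table that shows who changed which attribute of which object, and to what. The OU name is an assumption; in production the auditpol setting belongs in the Default Domain Controllers Policy rather than being set by hand.

```powershell
# Added example: audit attribute changes on an OU and read the old/new values from the Security log.

# 1. Enable the Windows Server 2008 subcategory on this DC (normally via the Default Domain Controllers GPO)
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. A SACL is still required: audit successful writes/deletes by Everyone on the OU and everything below it
Import-Module ActiveDirectory
$ou  = "OU=Engineering,DC=sdu,DC=edu,DC=kz"     # assumed OU
$acl = Get-Acl -Path "AD:\$ou" -Audit
$acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    [System.Security.Principal.SecurityIdentifier]"S-1-1-0",                      # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, Delete, DeleteTree",
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Read the events. 5136 = attribute modified: the old value arrives as a "Value Deleted" record and
#    the new one as "Value Added"; 5137 = created, 5139 = moved, 5141 = deleted.
function Get-DirectoryChangeEvents([int]$MaxEvents = 50) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents $MaxEvents |
      ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Event     = $_.Id
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = if ($d.ObjectDN) { $d.ObjectDN } else { $d.NewObjectDN }   # 5139 reports old/new DN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
            Op        = $(switch ($d.OperationType) { '%%14674' { 'Value Added' } '%%14675' { 'Value Deleted' } default { $d.OperationType } })
        }
      }
}

Get-DirectoryChangeEvents | Sort-Object Time | Format-Table -AutoSize
```

Auditing WriteProperty on a busy OU is noisy; the detections worth keeping are narrower: changes to the member attribute of privileged groups, to userAccountControl, and to ntSecurityDescriptor (ACL changes), all of which appear as 5136 with the attribute name in the event.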
Fine-Grained Password Policies
• Before Windows Server 2008 a domain could have only one password and lockout policy, set in the Default Domain Policy, for every account in the domain.
• Fine-grained password policies allow different password and lockout policies for different sets of users in the same domain: for example, a long minimum length and strict lockout for administrators, and a different policy for service accounts or ordinary users.
• Policies are defined as Password Settings Objects (PSOs) and applied to users or global security groups, not to OUs; when several apply, the PSO with the lowest precedence value wins. The domain functional level must be Windows Server 2008.

Fine-Grained Password Policies (figure)
• Different sets of users (e.g. read-only users, the email distribution staff, users with full access to resources) each receive their own password policy.
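As an added example, not part of the original slides, the script below shows the domain default policy next to two PSOs created with the ActiveDirectory module: a strict one for Domain Admins and a long-password, no-lockout one for service accounts, and then asks which policy wins for a given user. The policy names, values, the service-account group and the user name are assumptions.

```powershell
# Added example: fine-grained password policies (PSOs) next to the domain default.
Import-Module ActiveDirectory     # requires Windows Server 2008 domain functional level

# The baseline that applies to everyone not covered by a PSO
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Strict policy for administrators. All lockout/age values are mandatory attributes of a PSO.
New-ADFineGrainedPasswordPolicy -Name "PSO-Admins" -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
# PSOs apply to users or global security groups, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admins" -Subjects "Domain Admins"

# Service accounts: very long random passwords, rotated yearly, never locked out (lockout would be a DoS lever).
New-ADFineGrainedPasswordPolicy -Name "PSO-ServiceAccounts" -Precedence 20 `
    -MinPasswordLength 25 -ComplexityEnabled $true -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 0 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-ServiceAccounts" -Subjects "SvcAccounts"   # assumed group

function Get-EffectivePasswordPolicy([string]$SamAccountName) {
    # The resultant PSO is the lowest-precedence one among all that apply; $null means the domain default.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold }
    else      { Get-ADDefaultDomainPasswordPolicy | Select-Object @{n='Name';e={'Default Domain Policy'}}, MinPasswordLength, MaxPasswordAge, LockoutThreshold }
}

Get-EffectivePasswordPolicy "bserikov"      # assumed user
```

A user who is a member of both groups gets PSO-Admins, because 10 beats 20; an account in neither group falls back to the default domain policy, which is why the default must itself be sane rather than relying on PSOs to patch it.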
Restartable Active Directory Domain Services
• In Windows Server 2008 Active Directory Domain Services runs as a service (NTDS) that can be stopped and started without rebooting the domain controller; the other services on the server keep running while it is stopped.
• This allows offline maintenance of the directory database (for example an offline defragmentation or an authoritative restore) that previously required rebooting into Directory Services Restore Mode. While AD DS is stopped the domain controller behaves like a member server and does not authenticate users, so it should not be the only domain controller.

Restartable Active Directory Domain Services (figure)
• One physical server hosts several logical services: DNS Service, DHCP Service, Active Directory Service. Only the Active Directory service is stopped for maintenance.
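The script below is an added example, not from the slides, of the stop/maintain/start cycle from PowerShell. It first lists which services are tied to NTDS on this particular domain controller (rather than assuming), stops AD DS, runs an offline compaction of the database with ntdsutil into an assumed temporary directory, and restarts everything.

```powershell
# Added example: stop AD DS on one DC, do offline database maintenance, start it again.

# 1. Which services go down together with AD DS here? Check instead of assuming:
#    the KDC, Intersite Messaging and the file replication service are typical dependents.
Get-Service -Name NTDS -DependentServices | Select-Object Name, Status

# 2. Stop AD DS. -Force is needed because of those dependents. Other roles keep running.
Stop-Service -Name NTDS -Force
Get-Service -Name NTDS, DHCPServer, W32Time | Select-Object Name, Status

# 3. Offline work that used to require Directory Services Restore Mode: compact ntds.dit.
#    ntdsutil writes the compacted copy to the target directory and prints the copy/cleanup
#    steps (replace the live ntds.dit, delete the old log files) that complete the procedure.
$target = "C:\Temp\NTDSCompact"          # assumed scratch directory on a local disk
New-Item -ItemType Directory -Path $target -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $target" quit quit

# 4. Bring AD DS back and make sure its dependents restarted as well.
Start-Service -Name NTDS
function Start-NtdsDependents {
    Get-Service -Name NTDS -DependentServices |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object { Start-Service -Name $_.Name; $_.Name }
}
Start-NtdsDependents
Get-Service -Name NTDS -DependentServices | Select-Object Name, Status
```

While NTDS is stopped, a logon at the console of that server is checked against the Directory Services Restore Mode administrator password, so that password needs to be set and known before relying on this feature.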
Active Directory Federation Services
• AD FS gives users the ability to do a single sign-on (SSO) and access applications on other networks without needing a secondary password.

Active Directory Federation Services (figure: Berik, from organization A, reaches a web server in partner organization B)
• Berik to Web Server: I need resources.
• Web Server to AD FS B: Berik can access resources, but I have to prove that this is really Berik.
• AD FS B to AD FS A: Can you prove that this is really Berik?
• AD FS A to AD: Is it really Berik?
• AD to AD FS A: Yes.
• AD FS A to AD FS B: a signed token for Berik.
• AD FS B (thinking): I believe him!
• AD FS B to Web Server: Give him what he wants.
Active Directory Lightweight Directory Services
• Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service. This type of service allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires.
• To fully understand AD LDS, you must first understand LDAP. LDAP is an application protocol used for querying and modifying directory services.
• Think of directory services as an address book. An address book is a set of names (your objects) that you organize in a logical and hierarchical manner (names organized alphabetically). Each name in the address book has an address and phone number (the attributes of your objects) associated with it. LDAP allows you to query or modify this address book.

Active Directory Rights Management Services
• Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization.
• This access can be used to secure email messages, internal websites, and documents.
Strong Authentication
• Strong authentication means proving identity with more than a reusable password, for example a smart card holding a certificate issued by AD CS.
• Another easy way to help with strong authentication is to enforce a strong password policy (minimum password length, unique characters, a combination of numbers and letters, and mixed capitalization).

Federated Identities
• AD FS gives users the ability to do a single sign-on (SSO) and access applications on other networks without a secondary password.
• Federated identities enable new models for cross-organization SSO: the partner organization trusts the claims issued by your AD FS server instead of keeping its own copy of your accounts. SSO can be used for Windows and non-Windows environments.

Information Protection
• Active Directory Rights Management Services (AD RMS) is what information protection is all about.
• This service allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents.

Identity Lifecycle Management
• Allow users to reset their own passwords, using instruments such as secret questions.
• Example: the new self-service offered by www.homebank.kz
• Helpdesk support technicians reportedly spend an average of one-third of their workdays resetting passwords.