2. Breakdown…
• What is Active Directory
• Structure of Active Directory
• Objects
• Domains – Trees and Forests
• Replication
• Security
• Kerberos
• Trusts
3. Overview of Active Directory
• Active Directory is a directory service: it both stores
data about your network resources (users, groups, computers,
shared folders and other objects) and provides methods of
accessing and distributing that data.
• Active Directory lets you centrally manage your network.
• Administrative tasks can be performed from a single location.
4. What Is Active Directory?
• Active Directory is an essential and inseparable part
of the Windows 2000 network architecture that
improves on the domain architecture of the
Windows NT 4.0 operating system to provide a
directory service designed for distributed
networking environments.
5. • Active Directory lets organizations efficiently share
and manage information about network resources and
users.
• Active Directory acts as the central authority for
network security, letting the operating system verify a
user's identity (authentication) and then control his or
her access to network resources (authorization).
• It acts as an integration point for bringing systems
together and consolidating management tasks.
6. How does Active Directory Work?
• AD lets organizations store information in a
hierarchical, object-oriented fashion, and
provides multi-master replication to support
distributed network environments.
7. Single Point of Administration
• For all published resources, incl. Files, peripheral
devices, host connections, databases, Web access,
users, services…
• It uses the Internet Domain Name Service (DNS) as
its locator service.
• No primary domain controller (PDC) or backup
domain controller (BDC): every domain controller (DC)
holds a writable replica. One DC per domain still holds
the PDC Emulator role to serve NT 4.0 BDCs and clients.
• Allows multiple domains to be connected into a tree
structure.
8. What are the benefits of Active Directory?
• Simplifies management tasks.
• Strengthens network security.
• Makes use of existing systems through
interoperability.
9. Simplifies Management
• Single place to manage users, groups and network
resources, as well as distribute software and manage
desktop.
– Eliminates redundant management tasks.
– Reduces trips to the desktop.
– Better maximizes IT resources.
– Lowers total cost of ownership (TCO).
10. • Eliminates redundant management tasks.
• Provides a single point of management for Windows user accounts,
clients, servers, and applications.
• Reduces trips to the desktop.
• Automatically distributes software to users based on their role in
the company, reducing or eliminating multiple trips that system
administrators need to make for software installation and
configuration.
• Better maximizes IT resources.
• Securely delegates administrative functions to all levels of an
organization.
• Lowers total cost of ownership (TCO).
• Simplifies the management and use of file and print services by
making network resources easier to find, configure, and use.
11. Simplifies Management
(Diagram: delegating management tasks to office admins. A
'Company' container holds Users, Machines, Devices and
Applications; the examples are a color printer for
Marketing personnel in Building 6, and giving 'Personnel'
members the Human Resources application.)
12. Strengthens Security
• Support for multiple authentication protocols such as
Kerberos, X.509 certificates, and smart cards.
• Flexible access control model – enables powerful
and consistent security services for internal desktop
users, remote dial-up users, and external commerce
customers.
• Improves password security and management.
• Ensures desktop functionality.
• Speeds e-business deployment.
• Tightly controls security.
13. • Improves password security and management.
• Providing single sign-on to network resources with integrated, high
powered security services that are transparent to end users.
• Ensures desktop functionality.
• Locking-down desktop configurations and preventing access to
specific client machine operations. Ex: software installations and
registry editing.
• Speeds e-business deployment.
• Built-in support for secure Internet-standard protocols and
authentication mechanisms. Ex: Kerberos, public key infrastructure
(PKI), lightweight directory access protocol (LDAP).
• Tightly controls security.
• Setting access control privileges on directory objects and the
individual data elements that make them up.
14. Extends Interoperability
• Active Directory provides a set of standard interfaces
for application integration and open synchronization
mechanisms to ensure that Windows can interoperate
with a wide variety of applications and devices.
15. It Does So By…
• Taking advantage of existing investments while keeping
flexibility.
• Consolidating management of multiple application
directories. Using open interfaces, connectors, and
synchronization mechanisms. Incl. Novell’s NDS,
LDAP, ERP, e-mail…
• Allowing organizations to deploy directory-enabled
networking. Assign quality of service and allocated
network bandwidth to users based on their role in the
company.
• Allowing organizations to develop and deploy
directory-enabled applications.
16. Interoperability
(Diagram: a 'Company' container with Users, Machines,
Devices and Applications, and the Finance and Personnel
groups. Application example: Exchange mailbox information.
Policy examples: give 'Personnel' access to the 'Change
Salary' menu options; give 'Finance' more bandwidth at the
end of the month.)
17. Active Directory as a Service Provider
• Used to locate all network services and information.
• Fulfills a wide variety of naming, query, administrative and registration
needs.
(Diagram: clients and services around the directory. A
mail client submits to Exchange Mail and looks recipients
up in the address book; DNS returns a referral for
Microsoft.com; an http/shttp server is administered and
browsed; SQL Server registers its service; security
management, credentials, queries, dynamic services and
replication all go through the directory service.)
18. Directory Partitions
• The data stored within AD is actually broken
into three distinct areas called directory
partitions.
• Each partition records and stores a specific
type of information.
• The three directory partitions that exist:
• Domain Partition
• Schema Partition
• Configuration Partition
19. • Domain Partition
• Holds data regarding domain-specific objects, including
users, groups, and computers.
• Schema Partition
• Contains data that defines which objects can be created
within AD and specifies rules regarding these objects,
such as mandatory properties.
• Configuration Partition
• Contains information about your AD structure, such as
domain and DCs that exist.
20. The Structure of Active Directory
• Active Directory is made up of two distinct
structures:
• The logical structure.
• The physical structure.
• Design of Active Directory implementation
deals with the logical aspects.
• Deciding where each component will be on
your network deals with the physical aspects.
21. The Logical Structure
• There are five logical components in Active
Directory:
• Domains
• Organizational Units (OUs)
• Trees
• Forests
• Global Catalogs (GCs)
22. Domains
• A domain is an administrative and replication boundary.
Do not treat it as a security boundary: the schema and
configuration partitions and the trust paths are shared
by the whole forest, so an administrator of any domain can
gain control of every other domain in the forest. The
forest is the security boundary.
• Each domain has its own administrators that can be
assigned full control over the domain.
• Entity which has its own users and groups.
• Users can be granted permissions in other domains.
• Domains are used for replication purposes: the domain
partition replicates only among that domain's DCs.
• Can run in one of two modes:
• Native (must be running to achieve full functionality,
such as universal groups and group nesting)
• Mixed (keeps Windows NT 4.0 BDCs in the domain)
23. Organizational Units (OUs)
• Organizational Units are container objects that are
used to organize objects within the directory.
• Commonly contain user and group objects.
• They can also contain computers and other OUs.
• Permissions can be assigned at the OU level, both to
grant (or deny) the objects in the container access to
other network resources and to give specific users or
groups administrative rights over the OU itself.
• Administration of objects within an OU can be
delegated.
• Assign permissions to manage these objects to groups other than
domain administrators.
24. Hierarchical Organization
• Active Directory uses objects to represent network
resources such as users, groups, machines, devices,
and applications.
• It uses containers to represent organizations, such as
marketing department, or collections of related
objects, such as printers.
• It organizes information in a hierarchical structure
made up of these objects and containers, similar to
the way the Windows Operating system uses folders
and files to organize information on a computer.
25. Containers and Objects
(Diagram: 'Company' is a container holding Users, Machines,
Devices and Applications, with Marketing and Personnel
beneath them; the legend distinguishes containers from
objects.)
26. Objects in Active Directory
• Objects within AD include users, groups,
computers, servers, domains, and sites.
• Since data is stored as objects, users can
search through the directory for objects they
wish to access.
• Objects also have attributes which a user can
use in his/her search.
• In order to understand how data is defined
within AD, you must be aware of the Schema.
27. The Schema
• The Schema is a definition of all the objects and
their attributes.
• Since there is a single schema for an entire
Windows 2000 forest, you can achieve
consistency no matter how large the enterprise.
• Two types of definitions can be stored in the
schema.
1. Object Classes
2. Attributes
28. Object Classes
• Object classes define the types of objects that
can be stored within Active Directory.
• Each class consists of a class name and a set of
attributes that are associated with the object.
29. Attributes
• Attributes are stored separately within the schema
• Allows for further consistency within the database,
because a single definition for the “last name”
attribute can be used over and over again.
30. Object-Oriented Storage
(Diagram: the Company / Users / Machines / Devices /
Applications hierarchy with the object Bob Jones under
Marketing and Personnel. Attributes shown: Name: Bob Jones,
Email: bob@abc.com, Phone: 555-1234, SSN: 456-7. Legend:
container versus object.)
31. Object-Oriented Storage
• In this case, the system administrator has allowed
global access to the Bob Jones object but has locked
access to the Social Security Number attribute: AD
permissions can be set per attribute, not only per object.
32. Schema Security
• To prevent it from being modified without
permission, each schema object is secured with a
Discretionary Access Control List (DACL).
• These DACLs ensure that only authorized users (by
default, members of the Schema Admins group) can modify
the schema, and schema writes are accepted only by the DC
holding the schema master role.
• Schema changes are forest-wide and cannot be undone
(classes and attributes can be deactivated but not
deleted), so keep Schema Admins empty except during a
planned change.
33. A little more about Schema
• The file schema.ini contains the default
schema's definition, as well as the initial
structure for the file ntds.dit (the directory
database).
• schema.ini is a plain ASCII file shipped under
%systemroot%; ntds.dit is written to %systemroot%\ntds
by default.
• ntds.dit holds every object in the domain, including
account password hashes, so that directory, its
transaction logs and any backup containing them must be
readable only by the system and trusted administrators.
34. Trees
• Domains are combined to produce a tree.
• A hierarchical representation of the Windows
2000 network.
• First domain installed is called the root
domain and all subsequent domains are
installed beneath this root domain.
• All domains in a tree share a common schema
and GC.
35. Domain Tree
• A domain tree exists when one domain is the
child of another domain.
• Ex. Root.com: since domains are DNS names, the
child is named beneath its parent.
• Renaming part of the tree implicitly renames all of
that domain's children.
• Ex. If ntfaq.com were renamed to backoffice.com, the child
domain sales.ntfaq.com would become sales.backoffice.com.
• Windows 2000 offers no supported way to rename a domain
once it exists (the domain rename tool arrived with
Windows Server 2003), so choose root names carefully.
36. Domain Tree Diagram
root.com
├─ child1.root.com
│  └─ gran.child1.root.com
└─ child2.root.com
These child domains keep the same contiguous name
(root.com) while branching out with additional labels
for organizational purposes, e.g. child1.root.com.
37. Domain Tree Advantages
• All members of a tree have transitive Kerberos trusts
with the domain's parent and all the domain's
children.
• Transitive trusts let any user or group in a domain
tree be authenticated to any domain in the tree, so
they can be granted access to objects there; the
trust itself grants no permissions.
• You can use one network logon at any workstation in
the domain tree.
38. Forests
• A forest is a collection of trees.
• Trees in a forest do not have to share a
contiguous namespace.
• They must share a common schema and GC.
• Forests allow users in two different trees
to access resources in a different
namespace.
• Useful when a company has multiple root
DNS names.
39. Forest Diagram
Joining the two trees with a transitive Kerberos trust
between their roots makes a forest:
root.com                      ntfaq.com
├─ child1.root.com            ├─ legal.ntfaq.com
│  └─ gran.child1.root.com    └─ ads.ntfaq.com
└─ child2.root.com               └─ banner.ads.ntfaq.com
40. Benefits of a Forest
• All the trees have a common Global Catalog
(GC) that contains specific information about
every object in the forest.
• All the trees contain a common schema.
• A search in a forest performs a deep search of the
domain partition you start from and uses the GC's
partial replicas for the rest of the forest.
41. Global Catalogs (GCs)
• A GC server is also a DC (Domain Controller).
• It holds a read-only partial replica of every object in
the forest in addition to the full replica of its own
domain.
• In a native-mode domain the DC consults a GC at logon to
expand the user's universal group memberships, so a GC
must be reachable for domain logon.
• Stored locally on a DC, which reduces network traffic.
• Benefit:
• To make the logical structure of the Windows 2000
network invisible to the users.
• Reduction of network traffic.
42. Purpose of Global Catalog
• Designed for high performance.
• Allows users to easily find an object regardless
of where it is in the tree – searching using
selected attributes.
• Attributes contained in an abbreviated catalog.
• Technique known as partial replication.
43. Global Catalog Structure
(Diagram: a GC holds partial replicas of Domain 1,
Domain 2 ... Domain n alongside the full replica of its
own domain.) The global catalog structure provides access
to both full and partial replicas.
44. Physical Structure
• Used to manage network traffic on the
network.
• The element that makes up the physical structure:
• Domain controllers (DCs)
45. Domain Controllers (DCs)
• A domain controller (DC) is a server on a Windows
2000 network that stores a replica of the Active
Directory database.
• Its job is to manage access to this data via searches
and also accept and make changes to the data.
• Replicates changes to all other DCs in the domain.
• Manage authentication of users.
• Assigning a security token that contains a list of group
memberships and permissions to each user.
46. Replication
• Replication ensures that data recorded in one
copy is disseminated to all other copies in the
domain.
• Windows 2000 uses multi-master replication.
• Each DC is a master of its copy of AD.
• The DC can accept changes and will then
propagate them out to other DCs.
• Replication – updating information from one
DC to another.
47. The Replication Process
• Replication occurs when an update is made to
a copy of AD.
• Changes such as new user, deletion of an
object, or modification to a single property of
an object.
• AD performs two types of updates:
• Originating update – occurs only the first time a change
is made to an AD replica.
• Replicated update – occurs as a result of this change.
48. Multi-master Replication
• Individual change made in one copy of the directory
are automatically replicated to all other appropriate
copies of the directory.
• Active Directory uses Update Sequence Numbers
(USNs).
• Any time a user writes something to an object in
the directory, the write gets a USN. The USN counter is
held per DC and incremented on every change.
• A change cannot occur without the USN being
incremented, so a partner that tracks USNs cannot miss
a change.
49. Update Sequence Number (USN)
• Each DC records the last USN it received from each
replication partner in a high-watermark table, and
keeps an up-to-dateness vector with an entry for every
DC in the domain holding the USN of the last
originating update seen from that DC.
• Ex. Entry for server A: changes caused the USN to increment to
"130", so the entry would be "A-130".
• USNs are used to prevent unnecessary data being
sent across the network.
• Replication in AD is pulled only; a DC notifies its
partners that it has changes, but the data itself is
never pushed across the wire.
50. USN Table
• Each DC keeps track of the highest USNs of
the DCs it replicates with.
• This procedure lets a DC calculate which
changes must replicate on a replication cycle.
• At the start of a replication cycle, each server
checks its USN table and queries the DCs it
replicates with for their latest USNs.
51. USN Table for Server A
• Server A queries the DCs for their current USNs and gets
the following information.

                       DC B    DC C    DC D
Last USN pulled         54      23      53
Current USN on the DC   58      23      64
Changes A must pull    55-58   None   54-64

• From this information, Server A can calculate the
changes it needs from each server.
• Server A then queries each DC for the necessary changes.
52. Property Version Number
• Multiple changes to an object's property can
occur on different DCs before they replicate.
• Every property has a property version number,
which helps detect collisions.
• Property version numbers work like USNs, but are
kept per property and travel with the change.
• Each time a property is modified by an originating
write, the property version number increases by one.
53. Collision
• A collision occurs when the property version
numbers are the same for two or more updates to the
same property.
• In this case, the timestamps help resolve the
conflict: the later write wins.
• In the case where the property version numbers and the
timestamps also match, a fixed last tie-break is applied
(the deck describes it as a binary buffer comparison in
which the larger buffer wins) so that every DC converges
on the same value.
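The pull model and collision rules on slides 48 to 53, as an added simulation that is not part of the original deck and not Windows code. Each DC numbers every write it makes, originating or replicated, with its own USN, keeps a high-watermark table of the last USN pulled from each partner, and settles two writes to the same attribute by comparing the stamp (version, timestamp, originating DC). The final tie-break on the originating DC's name is an assumption made here: it is what the real replication stamp carries in place of the buffer comparison the deck describes. DC names, object names and attribute values are constructed.

```python
"""Multi-master replication driven by USNs and per-attribute stamps.

Added example, not from the deck: every write a DC makes consumes one of
its own USNs; a high-watermark table records the last USN pulled from
each partner; conflicting writes to one attribute are settled by the
stamp (version, timestamp, originating DC), the last field being an
assumption in place of the deck's buffer comparison.
"""
from dataclasses import dataclass, field

@dataclass(order=True)
class Stamp:
    version: int
    timestamp: int          # originating time (an integer clock here)
    origin: str             # DC that made the originating write

@dataclass
class Change:
    usn: int
    dn: str
    attr: str
    value: str
    stamp: Stamp

@dataclass
class DomainController:
    name: str
    usn: int = 0
    data: dict = field(default_factory=dict)       # dn -> attr -> (value, Stamp)
    log: list = field(default_factory=list)        # every local write, by USN
    watermark: dict = field(default_factory=dict)  # partner -> last USN pulled

    def _write(self, dn, attr, value, stamp):
        self.usn += 1                              # every write consumes a USN
        self.data.setdefault(dn, {})[attr] = (value, stamp)
        self.log.append(Change(self.usn, dn, attr, value, stamp))

    def originating_update(self, dn, attr, value, now):
        old = self.data.get(dn, {}).get(attr)
        version = old[1].version + 1 if old else 1  # property version number
        self._write(dn, attr, value, Stamp(version, now, self.name))

    def needed_range(self, partner):
        """USNs to pull from `partner` on the next cycle (slide 51), or None."""
        low = self.watermark.get(partner.name, 0) + 1
        return (low, partner.usn) if partner.usn >= low else None

    def pull_from(self, partner):
        """Replicated update: apply partner changes that are newer than ours."""
        rng = self.needed_range(partner)
        if rng is None:
            return 0
        applied = 0
        for ch in partner.log:
            if rng[0] <= ch.usn <= rng[1]:
                local = self.data.get(ch.dn, {}).get(ch.attr)
                if local is None or ch.stamp > local[1]:   # collision resolution
                    self._write(ch.dn, ch.attr, ch.value, ch.stamp)
                    applied += 1
        self.watermark[partner.name] = partner.usn
        return applied

    def value(self, dn, attr):
        return self.data[dn][attr][0]

def full_sync(dcs):
    """Everyone pulls from everyone until no DC applies anything."""
    while sum(a.pull_from(b) for a in dcs for b in dcs if a is not b):
        pass

def chain_demo():
    """A write on A reaches C even though C only ever pulls from B."""
    a, b, c = (DomainController(n) for n in "ABC")
    a.originating_update("ou=sales", "description", "Sales OU", now=1)
    b.pull_from(a)
    c.pull_from(b)
    return c.value("ou=sales", "description"), c.usn

def collision_demo():
    """B and C edit the same attribute (same version) before replicating."""
    a, b, c = (DomainController(n) for n in "ABC")
    a.originating_update("cn=bob", "title", "analyst", now=1)
    full_sync([a, b, c])
    b.originating_update("cn=bob", "title", "lead", now=5)
    c.originating_update("cn=bob", "title", "manager", now=5)
    full_sync([a, b, c])
    return {dc.name: dc.value("cn=bob", "title") for dc in (a, b, c)}
```

Because the comparison is strict, a change that comes back to the DC that originated it (A to B to A) is recognised as already held and is not written again, which is what stops replication loops; and because a replicated write consumes a USN on the receiving DC, the change appears in that DC's own log and flows on to its partners.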
54. Object Security
Security Principal
Security ID (SID)
Security Descriptor
Discretionary Access Control List (DACL)
System Access Control List (SACL)
Access Control Entries (ACEs)
Access Tokens
55. Security Principal
• This is an account to which permissions can be
assigned, for example a user, a group, or a
computer account.
• Ex.
• For Bob, a member of the Accounting group on a computer
with a domain computer account named System01, several
security principals are involved that permissions could be
applied to: the user "Bob", the group "Accounting", and the
computer account "System01".
56. Security ID (SID)
• Every security principal is issued a unique SID, a
numeric value assigned automatically when the object
is added to the directory. It is assigned once and
never reused, even if the object is removed, which is
why ACEs refer to SIDs rather than to names.
• A domain account's SID is the domain SID followed by a
relative identifier (RID), e.g. S-1-5-21-<domain>-500
for the built-in Administrator account, whatever that
account has been renamed to.
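The SID layout behind slide 56, as an added example that is not part of the original deck: conversion between the string form and the binary form stored in the objectSid attribute, and splitting a domain account SID into domain SID and RID. The domain SID used in the sample is made up; the well-known RIDs are the published Windows values.

```python
"""Structure of a Windows security identifier (SID), slide 56.

Added example, not from the deck. String form: S-R-I-S1-S2-...; binary
form (the objectSid attribute): revision (1 byte), sub-authority count
(1 byte), identifier authority (6 bytes, big-endian), then each
sub-authority as a 4-byte little-endian integer. Domain accounts carry
the domain SID plus a relative identifier (RID) as the last
sub-authority. The sample domain SID below is made up.
"""
import struct

def parse_sid(text):
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return revision, authority, subs

def sid_to_bytes(text):
    revision, authority, subs = parse_sid(text)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def sid_from_bytes(data):
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def split_domain_rid(text):
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    revision, authority, subs = parse_sid(text)
    if (revision, authority) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID")
    domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain, subs[4]

# Well-known RIDs from the Windows SID specification, useful when reading
# ACLs and logs: a SID ending in -500 is the built-in Administrator no
# matter what the account has been renamed to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def describe(text):
    domain, rid = split_domain_rid(text)
    who = WELL_KNOWN_RIDS.get(rid, "ordinary principal")
    return "%s (RID %d) in domain %s" % (who, rid, domain)

if __name__ == "__main__":
    sid = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed
    print(sid_to_bytes(sid).hex())
    print(describe(sid))
```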
57. Security Descriptor
• Defines access control information for that
object: its owner, a DACL and a SACL.
• When a user attempts to access an object, the
system compares the SIDs in the user's access token
(the user SID and group SIDs) against the entries in
the object's access control lists (ACLs).
• There are two types of ACLs:
• DACLs
• SACLs
58. Discretionary Access Control List
(DACL)
• List of access control entries (ACEs) that
grant (Allow) or refuse (Deny) access rights.
• In canonical order, explicit Deny entries are placed
before explicit Allow entries, and inherited entries
come after both.
• Because the access check walks the list in order and
stops at the first Deny covering a requested right, a
Deny beats any Allow in a canonical DACL. A tool that
writes ACEs out of order can silently defeat a Deny, so
check the ordering after editing an ACL by hand.
59. System Access Control List (SACL)
• A list of ACEs used for auditing: each entry tells
the system to record when an account has accessed,
or attempted to access, the object in the specified
way.
60. Access Control Entries (ACEs)
• ACEs are used by DACLs and SACLs.
• In a DACL, an ACE grants or refuses an access mask
to a SID, through 4 types:
• Access Denied
• Access Allowed
• Access Denied, Object-specific (scoped to one
attribute, property set or child object class)
• Access Allowed, Object-specific
• In a SACL, an ACE requests an audit record, through
2 types:
• System Audit
• System Audit, Object-specific
61. Access Tokens
• When the user logs on, the DC returns the user's SID
and group SIDs (as authorization data in the Kerberos
ticket), and the local security subsystem builds an
access token from them.
• This token is what gets compared against DACLs
whenever the user touches a network resource.
• The access token is attached to every process the
user starts and is needed to access any object, to run
any application, and to use any system resources.
62. Access Permissions on AD Objects
• The five standard permissions that can be
applied to an object are:
• Full Control
• Write
• Read
• Create All Child Objects
• Delete All Child Objects
63. • Full Control
• Allows the user the ability to view objects and attributes, the owner
of the object, and the AD permissions, along with the ability to
change any of those settings.
• Write
• Enables the user to view objects and attributes and to
change attribute values; unlike Full Control it does not
let the user change the owner or the AD permissions.
• Read
• Enables the user to view objects and attributes, the owner of the
object, and the AD permissions.
• Create All Child Objects
• Enables the user to create additional child objects to the OU
(Organizational Unit).
• Delete All Child Objects
• Enables the user to delete existing objects from an OU.
64. The Flow of Permissions
• The implementation of inheritance is
utilized by Windows 2000.
• Inheritance is automatic for child objects
within parent containers.
• Ex. If a parent object has permissions
implemented upon it, the child objects beneath will
automatically inherit the permissions from above.
• Inheritance can be blocked on a child object, and an
explicit ACE on the child is evaluated before any
inherited one.
65. The Flow of Inheritance
Parent OU
  Permissions: Administrator: Full Control; Users: Read
  ├─ Sales OU (child)
  │    Permissions: Administrator: Full Control; Users: Read
  └─ Research OU (child)
       Permissions: Administrator: Full Control; Users: Read
When you create a child object within a parent container
that holds certain permissions, the child object
automatically contains the permissions of its parent.
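The mechanism behind slides 54 to 65 and the OU delegation on slide 23, as an added model that is not part of the deck and is not Windows code: an NT-style access check walking a DACL, the effect of canonical (Deny-first) ordering, and ACEs flowing from a parent OU to its children. Group names stand in for SIDs, and the OUs and their ACEs are constructed.

```python
"""Security descriptors, DACL evaluation and inheritance, as a model.

Added example: not Windows code and not from the deck. It re-implements
how an NT-style access check walks a DACL, why canonical order puts
explicit Deny ACEs first, and how ACEs flow from a parent OU to its
children (slides 23 and 54-65). Group names and OU names are made up.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set

READ, WRITE, CREATE_CHILD, DELETE_CHILD, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16, 32
FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD | WRITE_DAC | WRITE_OWNER

@dataclass(frozen=True)
class ACE:
    kind: str            # "allow" or "deny"
    sid: str             # trustee; a group name stands in for a SID here
    rights: int          # access mask
    inherited: bool = False

def canonical(dacl: List[ACE]) -> List[ACE]:
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl: List[ACE], token: Set[str], desired: int) -> bool:
    """True if every requested bit is granted before any Deny covers one.

    `token` holds the SIDs in the caller's access token (user + groups).
    The list is walked exactly as given and not re-sorted, so a
    non-canonical DACL is evaluated as written.
    """
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False                      # a requested bit is denied: stop
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return False                              # empty DACL or bits never granted

@dataclass
class Container:
    name: str
    explicit: List[ACE]                       # ACEs set directly on the object
    parent: Optional["Container"] = None
    protected: bool = False                   # True blocks inheritance from parent

    def effective_dacl(self) -> List[ACE]:
        inherited: List[ACE] = []
        if self.parent is not None and not self.protected:
            inherited = [replace(a, inherited=True) for a in self.parent.effective_dacl()]
        return canonical(self.explicit + inherited)

def build_ous():
    company = Container("OU=Company", [ACE("allow", "Administrators", FULL_CONTROL),
                                       ACE("allow", "Users", READ)])
    # Delegation (slide 23): office admins may manage objects in Marketing only.
    marketing = Container("OU=Marketing", [ACE("allow", "OfficeAdmins-Bldg6",
                                               CREATE_CHILD | DELETE_CHILD | WRITE)], company)
    research = Container("OU=Research", [], company)
    return company, marketing, research

def delegation_demo():
    _, marketing, research = build_ous()
    alice = {"alice", "OfficeAdmins-Bldg6", "Users"}
    return (access_check(marketing.effective_dacl(), alice, CREATE_CHILD),
            access_check(research.effective_dacl(), alice, CREATE_CHILD),
            access_check(research.effective_dacl(), alice, READ))    # inherited from Company

def deny_order_demo():
    """Same ACEs, canonical vs. non-canonical order, for a user in both groups."""
    dacl = [ACE("allow", "Users", READ), ACE("deny", "Contractors", READ)]
    bob = {"bob", "Users", "Contractors"}
    return access_check(canonical(dacl), bob, READ), access_check(dacl, bob, READ)
```

deny_order_demo() returns (False, True): the same two ACEs refuse Bob when the Deny is first and admit him when the Allow is first, which is the ordering problem slide 58 warns about. delegation_demo() returns (True, False, True): the Building 6 admins can create objects in Marketing but not in Research, while the Read ACE inherited from Company applies to both.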
66. Kerberos v5
• Developed by a team at MIT
• Named after the three-headed dog in Greek
mythology that guarded the gates of Hades.
• There are three sides to Kerberos
authentication:
• User
• Server
• Key Distribution Center (KDC)
67. Like its Greek Counterpart…
• User
• A client that has a need to access resources off a server.
• Server
• Offers a service, but only to those that can prove their
identity. That proven identity doesn’t guarantee access
to the service; it just proves that they even have a right
to request a service.
• Key Distribution Center (KDC)
• An intermediary between the client and the server that
provides a way of vouching that the client is really who
it says it is.
68. Kerberos Trust
The trust relationships that connect
members of a tree or forest are two-way,
transitive Kerberos trusts. Thus, all the
domains in a tree implicitly trust all the
other domains in the tree or forest.
(Diagram: three DCs joined by trusts.)
69. • Kerberos is Windows 2000’s primary security
protocol.
• Verifies a user’s identity and a session’s
integrity.
• Each DC (Domain Controller) has Kerberos
services on it and every Windows 2000
workstation has a Kerberos client.
70. A Kerberos Transaction
1. A user logs on to the domain by supplying a
username, a password, and a domain choice. The password
itself never crosses the wire: the Kerberos client
encrypts a timestamp with a key derived from the
password (pre-authentication), and the DC's KDC checks
it with the key stored for the account.
2. If the check passes, the user is issued a ticket-
granting ticket (TGT), encrypted under the KDC's own
(krbtgt) key, together with a session key. The TGT shows
that the user has been authenticated to the domain.
• In future transactions, the client doesn't have to re-authenticate;
rather, it presents the TGT to the KDC. This speeds up the
process, and it is also why a TGT (and the krbtgt key that
seals it) must be protected like a credential.
71. 3. If a client wants to access a server, for
example the internal mail server in order to
obtain his/her email, he/she presents the TGT,
with an authenticator encrypted under the session
key, to the KDC's ticket-granting service (TGS). The
TGS returns a service ticket encrypted under the mail
server's own key. The ticket does not grant permission
to the mail server; it authenticates the client to it.
4. The mail server decrypts the ticket with its own key,
without contacting the KDC, and then checks its own
permissions to see whether the user may read the mail.
If so, the client receives the mail.
72. The Four Steps of Kerberos
(Diagram: steps 1 and 2 run between the client and the
KDC, step 3 between the client and the KDC's TGS, and
step 4 between the client and the print server.)
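The exchange on slides 70 to 72 as a runnable simulation, added here and not part of the original deck or of Windows. A toy encrypt-then-MAC helper (SHA-256 keystream plus HMAC tag) stands in for the Kerberos encryption types so that the four steps run offline; the KDC and mail server classes, the principal names, keys, group memberships and the mail server's allowed group are all constructed. It shows that the password is never sent, that only the KDC can open a TGT and only the service its own ticket, that a replayed authenticator is caught, and that authorization is the service's own decision from the group list in the ticket.

```python
"""Kerberos logon, ticket granting and service access (slides 70-72).

Added example: not Windows code and not from the deck. A toy
encrypt-then-MAC helper (SHA-256 keystream + HMAC) stands in for the
Kerberos encryption types. Principal names, keys, group memberships and
the mail server's allowed group are constructed for the example.
"""
import hashlib, hmac, json, os

SKEW = 300  # accepted clock skew in seconds (Windows defaults to 5 minutes)

def _stream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, msg):
    """Encrypt-then-MAC a small JSON message under `key`."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the MAC, then decrypt; raises ValueError on a forged blob."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(ts, now):
    return abs(now - ts) <= SKEW

class KDC:
    def __init__(self, keys, groups):      # long-term key and group list per principal
        self.keys, self.groups, self.krbtgt = keys, groups, keys["krbtgt"]

    def as_exchange(self, client, preauth, now):
        """Steps 1-2: the client proves the password by sealing a timestamp
        with it; the password never arrives. A TGT sealed under krbtgt goes back."""
        if not fresh(unseal(self.keys[client], preauth)["ts"], now):
            raise PermissionError("stale pre-authentication")
        skey = os.urandom(16).hex()
        tgt = seal(self.krbtgt, {"client": client, "skey": skey,
                                 "groups": self.groups.get(client, []), "exp": now + 600})
        return tgt, seal(self.keys[client], {"skey": skey})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Step 3: TGT + authenticator in, ticket sealed under the service's key out."""
        t = unseal(self.krbtgt, tgt)                    # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"], now) or now > t["exp"]:
            raise PermissionError("TGT rejected")
        skey2 = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "skey": skey2,
                                           "groups": t["groups"], "exp": now + 600})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": skey2, "service": service})

class MailServer:
    def __init__(self, key, allowed_group):
        self.key, self.allowed_group, self.seen = key, allowed_group, set()

    def ap_exchange(self, ticket, authenticator, now):
        """Step 4: open the ticket with our own key (no KDC call), then authorize."""
        t = unseal(self.key, ticket)                    # a forged ticket fails here
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"], now) or now > t["exp"]:
            raise PermissionError("authentication failed")
        if (a["client"], a["ts"]) in self.seen:         # replay cache
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return self.allowed_group in t["groups"]        # authorization is the server's call

def login_and_read_mail(kdc, mail, client, password_key, now):
    """Client side of all four steps; returns (decision, ticket, authenticator)."""
    tgt, reply = kdc.as_exchange(client, seal(password_key, {"ts": now}), now)
    skey = bytes.fromhex(unseal(password_key, reply)["skey"])
    ticket, reply2 = kdc.tgs_exchange(tgt, seal(skey, {"client": client, "ts": now}), "mail", now)
    skey2 = bytes.fromhex(unseal(skey, reply2)["skey"])
    auth = seal(skey2, {"client": client, "ts": now})
    return mail.ap_exchange(ticket, auth, now), ticket, auth

def demo(now=1_700_000_000):
    """Constructed accounts; SHA-256 of the password is a toy string-to-key."""
    keys = {"krbtgt": b"K" * 32, "mail": b"M" * 32,
            "bob": hashlib.sha256(b"bob-password").digest(),
            "eve": hashlib.sha256(b"eve-password").digest()}
    kdc = KDC(keys, {"bob": ["mail-users"], "eve": ["guests"]})
    mail = MailServer(keys["mail"], "mail-users")
    out = {}
    out["bob"], ticket, auth = login_and_read_mail(kdc, mail, "bob", keys["bob"], now)
    out["eve"] = login_and_read_mail(kdc, mail, "eve", keys["eve"], now)[0]
    attempts = {
        "replay": lambda: mail.ap_exchange(ticket, auth, now),
        "wrong_password": lambda: login_and_read_mail(
            kdc, mail, "bob", hashlib.sha256(b"wrong").digest(), now),
        "forged": lambda: mail.ap_exchange(seal(b"guess" * 6, {
            "client": "eve", "skey": "00" * 16, "groups": ["mail-users"], "exp": now + 600}), auth, now),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "accepted"
        except (ValueError, PermissionError):
            out[name] = "rejected"
    return out
```

demo() returns bob: True, eve: False and "rejected" for the replayed authenticator, the wrong password (pre-authentication fails before any ticket exists) and the ticket sealed under a guessed key. Note where the group list lives: the KDC copies it from its own records into the TGT and then into the service ticket, so the client never gets to assert its own memberships.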
73. Trusts
• Trusts allow domains to accept the user accounts
of other domains, so that people in one domain can
be granted access to resources in another.
• The transitive concept enables smoother
functionality.
• Transitive means "by extension".
• Under Win2000, the trust is automatic between
parents and children, and transitive between every
other domain in the tree.
74. Transitive Trusts
• Transitive trusts allow users in all connected
domains to be validated as domain users.
• Permissions are not transitive.
75. Two-way Transitive Trusts
• If child domain a.corp.com trusts corp.com
and corp.com trusts b.corp.com, then
a.corp.com automatically trusts b.corp.com.
corp.com
a.corp.com b.corp.com
76. Few Points About Transitive Trusts
They are two-way agreements that are automatically
created.
They exist between child domains and parents or the
root domains of a forest.
The trusts are transitive because the trees and forests
with connecting trusts make information available
with no further trust configuration issues.
After trusts are established, permissions must be
granted to an individual or group to allow them to
access resources.
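The trust rules on slides 68 and 73 to 76 as an added model, not part of the original deck: parent-child and tree-root trusts are two-way and transitive, while an external trust to a Windows NT 4.0 domain is one-way and non-transitive. Domain names are the deck's examples plus a made-up NT4LEGACY domain; the ACL passed to can_access() is constructed to show that a trust path lets a user be authenticated and nothing more.

```python
"""Trust paths in a Windows 2000 forest (slides 68 and 73-76).

Added example, not from the deck: a model of the trusts it describes.
Parent-child and tree-root trusts are two-way and transitive; an
external trust to a Windows NT 4.0 domain is one-way and non-transitive.
Domain names are the deck's examples plus a made-up NT4LEGACY domain.
"""
from collections import deque

class Forest:
    def __init__(self):
        self.edges = {}     # trusting domain -> [(trusted domain, transitive?)]

    def _add(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])

    def add_child(self, parent, child):         # parent-child: two-way, transitive
        self._add(parent, child, True)
        self._add(child, parent, True)

    def add_tree_root(self, root_a, root_b):    # tree-root: two-way, transitive
        self.add_child(root_a, root_b)

    def add_external(self, trusting, trusted):  # NT 4.0 style: one-way, non-transitive
        self._add(trusting, trusted, False)

    def trust_path(self, resource_domain, account_domain):
        """Domains a referral walks so `resource_domain` accepts an account
        from `account_domain`, or None when no trust path exists."""
        if resource_domain == account_domain:
            return [resource_domain]
        prev, queue = {resource_domain: None}, deque([resource_domain])
        while queue:
            here = queue.popleft()
            for nxt, transitive in self.edges.get(here, []):
                # A non-transitive trust is usable only as a direct hop from
                # the resource domain, and nothing is reachable through it.
                if nxt in prev or (not transitive and here != resource_domain):
                    continue
                if nxt == account_domain:
                    path = [nxt, here]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                if transitive:
                    prev[nxt] = here
                    queue.append(nxt)
        return None

def can_access(forest, resource_domain, account, acl):
    """Trust settles authentication; the resource's own ACL settles access."""
    domain = account.split("@", 1)[1]
    if forest.trust_path(resource_domain, domain) is None:
        return "no trust path: logon refused"
    if account not in acl:
        return "authenticated, but no permission granted"
    return "access granted"

def build():
    f = Forest()
    f.add_child("corp.com", "a.corp.com")
    f.add_child("corp.com", "b.corp.com")
    f.add_tree_root("corp.com", "ntfaq.com")          # second tree, same forest
    f.add_child("ntfaq.com", "legal.ntfaq.com")
    f.add_external("corp.com", "NT4LEGACY")           # constructed NT 4.0 domain
    return f
```

trust_path("a.corp.com", "b.corp.com") returns the referral chain a.corp.com, corp.com, b.corp.com from slide 75, and a user from NT4LEGACY can be authenticated by corp.com but not by a.corp.com, because the external trust does not extend through corp.com's transitive trusts.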
77. Summary of Features and Benefits
• Support for open standards to facilitate cross-
platform directory services, incl. DNS and
standard protocols – LDAP.
• Support for standard name formats to ensure
ease of migration.
• Fast lookup via the global catalog.
• Multi-master replication.
• Backward compatibility.
• Interoperability with NetWare environments.
78. Installation of Active Directory
• Installed using 'dcpromo.exe', which can be
executed from the 'Run' dialog box.
• 'dcpromo.exe' ships with Windows 2000 Server in
%systemroot%\system32.
• 'dcpromo.exe' is the Active Directory
installation wizard, which guides the user through a
step-by-step installation (run again on a DC, it
demotes the DC).
• Installation of Active Directory requires an NTFS
volume for the SYSVOL share; no FAT partition is
needed. Keep the database and log volumes on NTFS as
well, so that file permissions can protect ntds.dit.