SlideShare a Scribd company logo

6425 c 01

T
tanvutha
EducationTechnology
1 of 36
Download to read offline
Module 1 Introducing Active Directory® Domain Services
Module Overview • Overview of Active Directory, Identity, and Access • Active Directory Components and Concepts • Install Active Directory Domain Services
Lesson 1: Overview of Active Directory, Identity, and Access • Information Protection • Identity and Access • Authentication and Authorization • Authentication • Access Tokens • Security Descriptors, ACLs, and ACEs • Authorization • Stand-Alone (Workgroup) Authentication • Active Directory Domains: Trusted Identity Store • Active Directory, Identity, and Access • Active Directory IDA services
Information Protection • It’s all about connecting users to the information they require securely • IDA: Identity and Access • AAA: Authentication, Authorization, Accounting • CIA: Confidentiality, Integrity, Availability, and Authenticity
Identity and Access • Identity: User account • Resource: Shared Folder • Saved in an identity store • Secured with a security (directory database) descriptor • Security principal • DACL or ―ACL‖ • Represented uniquely by • ACEs or ―permissions‖ the SID
Authentication and Authorization A user presents The system creates a credentials that are security token that authenticated by using represents the user with the information stored the user’s SID and all with the user’s related group SIDs identity A resources is secured The user’s security with an ACL: token is compared with Permissions that pair a the ACL of the resource SID with a level of to authorize a requested access level of access
Authentication Authentication is the process that verifies a user’s identity Credentials: At least two components required • User name • Secret, for example, password Two types of authentication • Local (interactive) Logon– • Remote (network) Logon– authentication for logon to the authentication for access to local computer resources on another computer
Access Tokens User’s Access Token User SID Member Group SIDs Privileges (―user rights‖) Other access information
Security Descriptors, ACLs and ACEs Security Descriptor SACL DACL or ―ACL‖ ACE Trustee (SID) Access Mask ACE Trustee (SID) Access Mask
Authorization Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource Three components required for authorization • Resource • Access Request • Security Token System finds first User’s Access Token ACE in the ACL that Security Descriptor allows or denies the User SID requested access SACL level for any SID in the user’s token DACL or ―ACL‖ Group SID ACE List of user Trustee (SID) rights Access Mask Other access ACE Trustee (SID) information Access Mask
Stand-Alone (Workgroup) Authentication • The identity store is the SAM database on the Windows system • No shared identity store • Multiple user accounts • Management of passwords is challenging
Active Directory Domains: Trusted Identity Store • Centralized identity store trusted by all domain members • Centralized authentication service • Hosted by a server performing the role of an AD DS domain controller
Active Directory, Identity, and Access An IDA infrastructure should:  Store information about users, groups, computers and other identities  Authenticate an identity • Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.  Control access  Provide an audit trail
Active Directory IDA Services Active Directory IDA services :  Active Directory Lightweight Directory Services (AD LDS)  Active Directory Certificate Services (AD CS)  Active Directory Rights Management Services (AD RMS)  Active Directory Federation Services (AD FS)
Lesson 2: Active Directory Components and Concepts • Active Directory as a Database • Active Directory Data Store • Domain Controllers • Demonstration: Active Directory Schema • Organizational Units • Domain • Forest • Tree • Replication • Sites • Global Catalog • Functional Levels • DNS and Application Partitions • Trust Relationships
Active Directory as a Database • Active Directory is a database  Each ―record‖ is an object • Users, groups, computers, and so on  Each ―field‖ is an attribute • Logon name, SID, password, description, membership, and so on  Identities (security principals or ―accounts‖) • Services: Kerberos, DNS, and replication • Accessing the database  Windows tools, user interfaces, and components  APIs (.NET, VBScript, Windows PowerShell)  LDAP
Active Directory Data Store • %systemroot%NTDSntds.dit • Logical partitions  Domain naming context  Schema  Configuration Schema  Global catalog (Partial Attribute Set)  DNS (application partitions) Configuration • SYSVOL *Domain*  %systemroot%SYSVOL  Logon scripts NTDS.DIT DNS  Policies PAS
Domain Controllers • Servers that perform the AD DS role  Host the Active Directory database (NTDS.DIT) and SYSVOL • Replicated between domain controllers  Kerberos KDC service: Performs authentication  Other Active Directory services • Best practices  Availability: At least two in a domain  Security: Server Core and RODCs
Demonstration: Active Directory Schema In this demonstration, you will see • How the Schema acts as a blueprint for Active Directory by exploring the following Attributes and Object classes: Attributes • objectSID • sAMAccountName • unicodePwd • member • Description Classes • User • Group
Organizational Units • Objects  Users  Computers • Organizational Units  Containers that can be used to group objects within a domain  Create OUs to: • Delegate administrative permissions • Apply Group Policy
Domain • Requires one or more domain controllers • All domain controllers replicate the Domain naming context (Domain NC)  The domain is the context within which Users, Groups, Computers, and so on are created  ―Replication boundary‖ • Trusted identity source: Any domain controller can authenticate any logon in the domain • The domain is the maximum scope (boundary) for certain administrative policies  Password  Lockout
Forest • A collection of one or more Active Directory domain trees • First domain is the forest root domain • Single configuration and schema replicated to all domain controllers in the forest • A security and replication boundary
Tree • One or more domains in a single instance of AD DS that share contiguous DNS namespace treyresearch.net proseware.com antarctica.treyresearch.net
Replication • Multimaster replication  Objects and attributes in the database  Contents of SYSVOL are replicated • Several components work to create an efficient and robust replication topology and to replicate granular changes to AD • The Configuration partition of the database stores information about sites, network topology, and replication DC1 DC3 DC2
Sites • An Active Directory object that represents a well- connected portion of your network  Associated with subnet objects representing IP subnets • Intrasite vs. intersite replication  Replication within a site occurs very quickly (15–45 seconds)  Replication between sites can be managed • Service localization  Log on to a domain controller in your site Site B Site A
Global Catalog • Partial Attribute Set or Global Catalog Domain A • Contains every object in PAS every domain in the forest • Contains only selected attributes • A type of index Domain B • Can be searched from any domain PAS • Very important for many applications
Functional Levels • Domain functional levels • Forest functional levels • New functionality requires that domain controllers are running a particular version of Windows  Windows 2000  Windows Server 2003  Windows Server 2008  Windows Server 2008 R2 • Cannot raise functional level while domain controllers are running previous Windows versions • Cannot add domain controllers running previous Windows versions after raising functional level
DNS and Application Partitions • Active Directory and DNS are closely integrated • One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory • Complete reliance on DNS to locate Schema computers and services in the domain • A domain controller acting as a DNS Configuration server can store the zone data in Active Directory itself—in an application partition Domain DNS PAS
Trust Relationships • Extends concept of trusted identity store to another domain • Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain • A trusted user can authenticate to, and be given access to resources in, the trusting domain • Within a forest, each domain trusts all other domains • Trust relationships can be established with external domains Trusted Domain Trusting Domain
Lesson 3: Install Active Directory Domain Services • Install and Configure a Domain Controller • Prepare to Create a New Forest with Windows Server 2008 R2
Install and Configure a Domain Controller 1 Install the Active Directory Domain Services role by using the Server Manager Run the Active Directory Domain Services 2 Installation Wizard 3 Choose the deployment configuration 4 Select the additional domain controller features Select the location for the database, log files, and 5 SYSVOL folder Configure the Directory Services Restore 6 Mode Administrator Password
Prepare to Create a New Forest with Windows Server 2008 R2 • Domain’s DNS name (contoso.com) • Domain’s NetBIOS name (contoso) • Whether the new forest will need to support domain controllers running previous versions of Windows (affects choice of functional level) • Details about how DNS will be implemented to support AD DS  Default: Creating domain controller adds DNS Server role as well • IP configuration for the domain controller  IPv4 and, optionally, IPv6 • User name and password of an account in the server’s Administrators group. Account must have a password. • Location for data store (ntds.dit) and SYSVOL  Default: %systemroot% (c:windows)
Lab: Install an AD DS Domain Controller to Create a Single Domain Forest • Exercise 1: Perform Post-Installation Configuration Tasks • Exercise 2: Install a New Windows Server 2008 Forest with the Windows Interface • Exercise 3: Raise Domain and Forest Functional Levels Logon information Virtual machine 6425C-NYC-SVR-D Logon user name Administrator Password Pa$$w0rd Estimated time: 30 minutes
Lab Scenario You have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you need to improve the manageability and security of the company’s resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.
Lab Review • What can you do with the Initial Configuration Tasks console? • What must you do before starting the dcpromo wizard? • Which tool is used to raise the domain functional level?
Module Review and Takeaways • Review Questions • Common Issues Related to AD DS Installation • Best Practices Related to AD DS Installation • Tools

Recommended

Active directory interview questions
Active directory interview questionsActive directory interview questions
Active directory interview questionsAnand Dhouni
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical ServicesJani Sabtriady
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain serviceFestus Oriaku
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory TrainingNishad Sukumaran
 
MCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationMCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationTarek Amer
 
Fundamentals
FundamentalsFundamentals
Fundamentalsvamsi1986
 
Active directory ii
Active directory iiActive directory ii
Active directory iideshvikas
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainWindows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainNapoleon NV
 

Recommended

Active directory interview questions
Active directory interview questionsActive directory interview questions
Active directory interview questionsAnand Dhouni
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical ServicesJani Sabtriady
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain serviceFestus Oriaku
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory TrainingNishad Sukumaran
 
MCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationMCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationTarek Amer
 
Fundamentals
FundamentalsFundamentals
Fundamentalsvamsi1986
 
Active directory ii
Active directory iiActive directory ii
Active directory iideshvikas
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainWindows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainNapoleon NV
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directorythebigredhemi
 
Active directory and application
Active directory and applicationActive directory and application
Active directory and applicationaminpathan11
 
Introduction_of_ADDS
Introduction_of_ADDSIntroduction_of_ADDS
Introduction_of_ADDSHarsh Sethi
 
Active Directory
Active Directory Active Directory
Active Directory Sandeep Kapadane
 
Designing the active directory logical structure
Designing the active directory logical structureDesigning the active directory logical structure
Designing the active directory logical structureJohn Carlo Catacutan
 
70 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 04100970 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 041009Coffeyville Community College
 
70 640 Lesson01 Ppt 041009
70 640 Lesson01 Ppt 04100970 640 Lesson01 Ppt 041009
70 640 Lesson01 Ppt 041009Coffeyville Community College
 
Active directory slides
Active directory slidesActive directory slides
Active directory slidesTimothy Moffatt
 
Active directory
Active directory Active directory
Active directory deshvikas
 
Active directory ds ws2008 r2
Active directory ds ws2008 r2Active directory ds ws2008 r2
Active directory ds ws2008 r2MICTT Palma
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directoryMuuluu
 
Activedirecotryfundamentals
ActivedirecotryfundamentalsActivedirecotryfundamentals
ActivedirecotryfundamentalsShekhar Singh
 
active-directory-domain-services
active-directory-domain-servicesactive-directory-domain-services
active-directory-domain-services202066
 
MCITP
MCITPMCITP
MCITPNaqib Khan
 
Windows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory GuideWindows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory Guidewebhostingguy
 
What is active directory
What is active directoryWhat is active directory
What is active directoryAdeel Khurram
 
70 640 Lesson04 Ppt 041009
70 640 Lesson04 Ppt 04100970 640 Lesson04 Ppt 041009
70 640 Lesson04 Ppt 041009Coffeyville Community College
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory ServicesVarun Arora
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directoryanilinvns
 
Active Directory component
Active Directory componentActive Directory component
Active Directory componentkuldeep singh shishodia
 
Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2MICTT Palma
 
unit 2
unit 2unit 2
unit 2Sangeetha Rangarajan
 

More Related Content

What's hot

Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directorythebigredhemi
 
Active directory and application
Active directory and applicationActive directory and application
Active directory and applicationaminpathan11
 
Introduction_of_ADDS
Introduction_of_ADDSIntroduction_of_ADDS
Introduction_of_ADDSHarsh Sethi
 
Designing the active directory logical structure
Designing the active directory logical structureDesigning the active directory logical structure
Designing the active directory logical structureJohn Carlo Catacutan
 
Active directory
Active directory Active directory
Active directory deshvikas
 
Active directory ds ws2008 r2
Active directory ds ws2008 r2Active directory ds ws2008 r2
Active directory ds ws2008 r2MICTT Palma
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directoryMuuluu
 
Activedirecotryfundamentals
ActivedirecotryfundamentalsActivedirecotryfundamentals
ActivedirecotryfundamentalsShekhar Singh
 
active-directory-domain-services
active-directory-domain-servicesactive-directory-domain-services
active-directory-domain-services202066
 
Windows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory GuideWindows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory Guidewebhostingguy
 
What is active directory
What is active directoryWhat is active directory
What is active directoryAdeel Khurram
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory ServicesVarun Arora
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directoryanilinvns
 

What's hot (20)

Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
 
Active directory and application
Active directory and applicationActive directory and application
Active directory and application
 
Introduction_of_ADDS
Introduction_of_ADDSIntroduction_of_ADDS
Introduction_of_ADDS
 
Active Directory
Active Directory Active Directory
Active Directory
 
Designing the active directory logical structure
Designing the active directory logical structureDesigning the active directory logical structure
Designing the active directory logical structure
 
70 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 04100970 640 Lesson03 Ppt 041009
70 640 Lesson03 Ppt 041009
 
70 640 Lesson01 Ppt 041009
70 640 Lesson01 Ppt 04100970 640 Lesson01 Ppt 041009
70 640 Lesson01 Ppt 041009
 
Active directory slides
Active directory slidesActive directory slides
Active directory slides
 
Active directory
Active directory Active directory
Active directory
 
Active directory ds ws2008 r2
Active directory ds ws2008 r2Active directory ds ws2008 r2
Active directory ds ws2008 r2
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directory
 
Activedirecotryfundamentals
ActivedirecotryfundamentalsActivedirecotryfundamentals
Activedirecotryfundamentals
 
active-directory-domain-services
active-directory-domain-servicesactive-directory-domain-services
active-directory-domain-services
 
MCITP
MCITPMCITP
MCITP
 
Windows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory GuideWindows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory Guide
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
70 640 Lesson04 Ppt 041009
70 640 Lesson04 Ppt 04100970 640 Lesson04 Ppt 041009
70 640 Lesson04 Ppt 041009
 
Active Directory Services
Active Directory ServicesActive Directory Services
Active Directory Services
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directory
 
Active Directory component
Active Directory componentActive Directory component
Active Directory component
 

Viewers also liked

Checking the health of your active directory enviornment
Checking the health of your active directory enviornmentChecking the health of your active directory enviornment
Checking the health of your active directory enviornmentSpiffy
 
Tutorial on dhcp
Tutorial on dhcp Tutorial on dhcp
Tutorial on dhcp Salah Amean
 
RARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsRARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsPeter R. Egli
 
DHCP Server & Client Presentation
DHCP Server & Client PresentationDHCP Server & Client Presentation
DHCP Server & Client Presentationraini
 

Viewers also liked (7)

Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2
 
unit 2
unit 2unit 2
unit 2
 
Checking the health of your active directory enviornment
Checking the health of your active directory enviornmentChecking the health of your active directory enviornment
Checking the health of your active directory enviornment
 
Tutorial on dhcp
Tutorial on dhcp Tutorial on dhcp
Tutorial on dhcp
 
RARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsRARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE Protocols
 
DHCP Server & Client Presentation
DHCP Server & Client PresentationDHCP Server & Client Presentation
DHCP Server & Client Presentation
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp ppt
 

Similar to 6425 c 01

Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1AlexsCloud
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxMeriemBalhaddad
 
02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptxAdiWidyanto2
 
ADDS (Active directory Domain Service) in side server
ADDS (Active directory Domain Service) in side serverADDS (Active directory Domain Service) in side server
ADDS (Active directory Domain Service) in side serverBilalMehmood44
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxJavedAjmal1
 
Introduction to System and network administrations
Introduction to System and network administrationsIntroduction to System and network administrations
Introduction to System and network administrationsgirmayou1
 
ukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptMartinCarrozzo
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptxsyedasadraza13
 
IBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveIBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveShradha Nayak Thakare
 
Win2KServer Active Directory
Win2KServer Active DirectoryWin2KServer Active Directory
Win2KServer Active DirectoryPhil Ashman
 
Azure SQL Database
Azure SQL Database Azure SQL Database
Azure SQL Database nj-azure
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...Amazon Web Services
 
AD Basic and Azure AD.pptx
AD Basic and Azure AD.pptxAD Basic and Azure AD.pptx
AD Basic and Azure AD.pptxSumTingWong8
 
Security and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioSecurity and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioAVEVA
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsAndré Braga
 

Similar to 6425 c 01 (20)

Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptx
 
02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx
 
ADDS (Active directory Domain Service) in side server
ADDS (Active directory Domain Service) in side serverADDS (Active directory Domain Service) in side server
ADDS (Active directory Domain Service) in side server
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptx
 
Introduction to System and network administrations
Introduction to System and network administrationsIntroduction to System and network administrations
Introduction to System and network administrations
 
ukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.ppt
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptx
 
IBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveIBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep Dive
 
Final domain control policy
Final domain control policy Final domain control policy
Final domain control policy
 
Active directoryfinal
Active directoryfinalActive directoryfinal
Active directoryfinal
 
Where should I be encrypting my data?
Where should I be encrypting my data? Where should I be encrypting my data?
Where should I be encrypting my data?
 
Win2KServer Active Directory
Win2KServer Active DirectoryWin2KServer Active Directory
Win2KServer Active Directory
 
MCSA 70-412 Chapter 03
MCSA 70-412 Chapter 03MCSA 70-412 Chapter 03
MCSA 70-412 Chapter 03
 
Azure SQL Database
Azure SQL Database Azure SQL Database
Azure SQL Database
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
 
AD Basic and Azure AD.pptx
AD Basic and Azure AD.pptxAD Basic and Azure AD.pptx
AD Basic and Azure AD.pptx
 
Null talk
Null talkNull talk
Null talk
 
Security and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioSecurity and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web Studio
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory Components
 

Recently uploaded

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...Amil baba
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxDr. Ravikiran H M Gowda
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 

Recently uploaded (20)

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 

6425 c 01

  • 1. Module 1 Introducing Active Directory® Domain Services
  • 2. Module Overview • Overview of Active Directory, Identity, and Access • Active Directory Components and Concepts • Install Active Directory Domain Services
  • 3. Lesson 1: Overview of Active Directory, Identity, and Access • Information Protection • Identity and Access • Authentication and Authorization • Authentication • Access Tokens • Security Descriptors, ACLs, and ACEs • Authorization • Stand-Alone (Workgroup) Authentication • Active Directory Domains: Trusted Identity Store • Active Directory, Identity, and Access • Active Directory IDA services
  • 4. Information Protection • It’s all about connecting users to the information they require securely • IDA: Identity and Access • AAA: Authentication, Authorization, Accounting • CIA: Confidentiality, Integrity, Availability, and Authenticity
  • 5. Identity and Access • Identity: User account • Resource: Shared Folder • Saved in an identity store • Secured with a security (directory database) descriptor • Security principal • DACL or ―ACL‖ • Represented uniquely by • ACEs or ―permissions‖ the SID
  • 6. Authentication and Authorization A user presents The system creates a credentials that are security token that authenticated by using represents the user with the information stored the user’s SID and all with the user’s related group SIDs identity A resources is secured The user’s security with an ACL: token is compared with Permissions that pair a the ACL of the resource SID with a level of to authorize a requested access level of access
  • 7. Authentication Authentication is the process that verifies a user’s identity Credentials: At least two components required • User name • Secret, for example, password Two types of authentication • Local (interactive) Logon– • Remote (network) Logon– authentication for logon to the authentication for access to local computer resources on another computer
  • 8. Access Tokens User’s Access Token User SID Member Group SIDs Privileges (―user rights‖) Other access information
  • 9. Security Descriptors, ACLs and ACEs Security Descriptor SACL DACL or ―ACL‖ ACE Trustee (SID) Access Mask ACE Trustee (SID) Access Mask
  • 10. Authorization Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource Three components required for authorization • Resource • Access Request • Security Token System finds first User’s Access Token ACE in the ACL that Security Descriptor allows or denies the User SID requested access SACL level for any SID in the user’s token DACL or ―ACL‖ Group SID ACE List of user Trustee (SID) rights Access Mask Other access ACE Trustee (SID) information Access Mask
  • 11. Stand-Alone (Workgroup) Authentication • The identity store is the SAM database on the Windows system • No shared identity store • Multiple user accounts • Management of passwords is challenging
  • 12. Active Directory Domains: Trusted Identity Store • Centralized identity store trusted by all domain members • Centralized authentication service • Hosted by a server performing the role of an AD DS domain controller
  • 13. Active Directory, Identity, and Access An IDA infrastructure should:  Store information about users, groups, computers and other identities  Authenticate an identity • Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.  Control access  Provide an audit trail
  • 14. Active Directory IDA Services Active Directory IDA services :  Active Directory Lightweight Directory Services (AD LDS)  Active Directory Certificate Services (AD CS)  Active Directory Rights Management Services (AD RMS)  Active Directory Federation Services (AD FS)
  • 15. Lesson 2: Active Directory Components and Concepts • Active Directory as a Database • Active Directory Data Store • Domain Controllers • Demonstration: Active Directory Schema • Organizational Units • Domain • Forest • Tree • Replication • Sites • Global Catalog • Functional Levels • DNS and Application Partitions • Trust Relationships
  • 16. Active Directory as a Database • Active Directory is a database  Each ―record‖ is an object • Users, groups, computers, and so on  Each ―field‖ is an attribute • Logon name, SID, password, description, membership, and so on  Identities (security principals or ―accounts‖) • Services: Kerberos, DNS, and replication • Accessing the database  Windows tools, user interfaces, and components  APIs (.NET, VBScript, Windows PowerShell)  LDAP
  • 17. Active Directory Data Store • %systemroot%NTDSntds.dit • Logical partitions  Domain naming context  Schema  Configuration Schema  Global catalog (Partial Attribute Set)  DNS (application partitions) Configuration • SYSVOL *Domain*  %systemroot%SYSVOL  Logon scripts NTDS.DIT DNS  Policies PAS
  • 18. Domain Controllers • Servers that perform the AD DS role  Host the Active Directory database (NTDS.DIT) and SYSVOL • Replicated between domain controllers  Kerberos KDC service: Performs authentication  Other Active Directory services • Best practices  Availability: At least two in a domain  Security: Server Core and RODCs
  • 19. Demonstration: Active Directory Schema In this demonstration, you will see • How the Schema acts as a blueprint for Active Directory by exploring the following Attributes and Object classes: Attributes • objectSID • sAMAccountName • unicodePwd • member • Description Classes • User • Group
  • 20. Organizational Units • Objects  Users  Computers • Organizational Units  Containers that can be used to group objects within a domain  Create OUs to: • Delegate administrative permissions • Apply Group Policy
  • 21. Domain • Requires one or more domain controllers • All domain controllers replicate the Domain naming context (Domain NC)  The domain is the context within which Users, Groups, Computers, and so on are created  ―Replication boundary‖ • Trusted identity source: Any domain controller can authenticate any logon in the domain • The domain is the maximum scope (boundary) for certain administrative policies  Password  Lockout
  • 22. Forest • A collection of one or more Active Directory domain trees • First domain is the forest root domain • Single configuration and schema replicated to all domain controllers in the forest • A security and replication boundary
  • 23. Tree • One or more domains in a single instance of AD DS that share contiguous DNS namespace treyresearch.net proseware.com antarctica.treyresearch.net
  • 24. Replication • Multimaster replication  Objects and attributes in the database  Contents of SYSVOL are replicated • Several components work to create an efficient and robust replication topology and to replicate granular changes to AD • The Configuration partition of the database stores information about sites, network topology, and replication DC1 DC3 DC2
  • 25. Sites • An Active Directory object that represents a well- connected portion of your network  Associated with subnet objects representing IP subnets • Intrasite vs. intersite replication  Replication within a site occurs very quickly (15–45 seconds)  Replication between sites can be managed • Service localization  Log on to a domain controller in your site Site B Site A
  • 26. Global Catalog • Partial Attribute Set or Global Catalog Domain A • Contains every object in PAS every domain in the forest • Contains only selected attributes • A type of index Domain B • Can be searched from any domain PAS • Very important for many applications
  • 27. Functional Levels • Domain functional levels • Forest functional levels • New functionality requires that domain controllers are running a particular version of Windows  Windows 2000  Windows Server 2003  Windows Server 2008  Windows Server 2008 R2 • Cannot raise functional level while domain controllers are running previous Windows versions • Cannot add domain controllers running previous Windows versions after raising functional level
  • 28. DNS and Application Partitions • Active Directory and DNS are closely integrated • One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory • Complete reliance on DNS to locate Schema computers and services in the domain • A domain controller acting as a DNS Configuration server can store the zone data in Active Directory itself—in an application partition Domain DNS PAS
  • 29. Trust Relationships • Extends concept of trusted identity store to another domain • Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain • A trusted user can authenticate to, and be given access to resources in, the trusting domain • Within a forest, each domain trusts all other domains • Trust relationships can be established with external domains Trusted Domain Trusting Domain
  • 30. Lesson 3: Install Active Directory Domain Services • Install and Configure a Domain Controller • Prepare to Create a New Forest with Windows Server 2008 R2
  • 31. Install and Configure a Domain Controller 1 Install the Active Directory Domain Services role by using the Server Manager Run the Active Directory Domain Services 2 Installation Wizard 3 Choose the deployment configuration 4 Select the additional domain controller features Select the location for the database, log files, and 5 SYSVOL folder Configure the Directory Services Restore 6 Mode Administrator Password
  • 32. Prepare to Create a New Forest with Windows Server 2008 R2 • Domain’s DNS name (contoso.com) • Domain’s NetBIOS name (contoso) • Whether the new forest will need to support domain controllers running previous versions of Windows (affects choice of functional level) • Details about how DNS will be implemented to support AD DS  Default: Creating domain controller adds DNS Server role as well • IP configuration for the domain controller  IPv4 and, optionally, IPv6 • User name and password of an account in the server’s Administrators group. Account must have a password. • Location for data store (ntds.dit) and SYSVOL  Default: %systemroot% (c:windows)
  • 33. Lab: Install an AD DS Domain Controller to Create a Single Domain Forest • Exercise 1: Perform Post-Installation Configuration Tasks • Exercise 2: Install a New Windows Server 2008 Forest with the Windows Interface • Exercise 3: Raise Domain and Forest Functional Levels Logon information Virtual machine 6425C-NYC-SVR-D Logon user name Administrator Password Pa$$w0rd Estimated time: 30 minutes
  • 34. Lab Scenario You have been hired to improve identity and access at Contoso, Ltd. The company currently has one server in a workgroup configuration. Employees connect to the server from their personal client computers. In anticipation of near-term growth, you need to improve the manageability and security of the company’s resources. You decide to implement an AD DS domain and forest by promoting the server to a domain controller. You have just finished installing Windows Server 2008 R2 from the installation DVD.
  • 35. Lab Review • What can you do with the Initial Configuration Tasks console? • What must you do before starting the dcpromo wizard? • Which tool is used to raise the domain functional level?
  • 36. Module Review and Takeaways • Review Questions • Common Issues Related to AD DS Installation • Best Practices Related to AD DS Installation • Tools