Network Design & Administration – 2

Summary of Last Lecture
• Where possible ensure all user workstations are given the same OS build / release.
• Automate the process for speed, simplicity and repeatability.
• Check hardware compatibility if upgrading.
• If upgrading – Backup!
• If installing dual boot and Linux – Backup!
Overview
• Originally, Microsoft provided only standalone PCs – networks were sold by large vendors with thin client terminals connected to servers.
• Windows for Workgroups allowed small numbers of PC users to work together sharing files and printers.
• NT 3 / 4 provided a Domain concept, whereby certain servers on the network provided centralised directory services.
• Active Directory took this further, by adding layers of hierarchy to cope with large corporate structures.
• Similarly, Linux machines could be used alone, then in loose connectivity, then using Directory Services.
What are Directory Services?
• A database used to administer resources on a network.
• Need to make the following basic assumptions:
  • The objects in the database are relatively small.
  • The database will be widely replicated and cached.
  • The information is mainly attributes.
  • Access is mainly read, with occasional writes.
  • Searching is likely to be a frequent operation.
• The IETF provided the Lightweight Directory Access Protocol (LDAP) as a way to access the database over a network; it also specifies the data schema and search methods for a directory service.
Microsoft Domain vs. Workgroup
[Diagram. Domain: two Windows Server 2008 Domain Controllers, each holding the Active Directory accounts and replicating with the other; Windows 7 clients and a Windows Server 2008 member server (print server) use the domain accounts. Workgroup: Windows 7 clients and a Windows Server 2008 print server, each holding its own local accounts.]
Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
  • Passwords are stored in hashed format.
  • Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
Side bar: Hash Tables
• Hash tables provide you with a way of storing mappings of one bit of data to another.
  • Some key would provide a value (e.g. h(“Pa$$word”) → 76934856434).
• For example, you could use a hash table to associate user names with their accounts / passwords.
• The names would be unique and somehow provide you with the associated data, e.g. h(user name) → user account.
[Diagram: a 12-slot table; the names Clark Kent, Jimmy Olsen, Lois Lane and Perry White each hash to a slot holding an account value (ACT#4534, ACT#5675, ACT#6789, ACT#7898).]
• A hash table will need to provide:
  • A hash function
  • A bucket array/list (more on this in 3 slides)
Side bar: Hash Functions
• Need some way of converting a unique key to a value: h(n) → v
• Easy way – use the ASCII codes of the characters.
• To calculate the hash value of “White” (W = 87, h = 104, i = 105, t = 116, e = 101) we do:
  87·31^4 + 104·31^3 + 105·31^2 + 116·31^1 + 101·31^0 = 83549193
  h(“White”) = 83549193
• Why use a large number? To make it unlikely that two different keys hash to the same value, i.e. h(x1) = α and h(x2) = α.
• BUT! How do we access element 83,549,193 in our hash table?
Side bar: Compression function
There are two methods:
1. A simple “division method” using modulo arithmetic
  • Bucket array has a known size (e.g. 1000 places).
  • Position can be found by i % array length.
  • h(“White”) = 83549193, so 83549193 % 1000 = 193.
  • But, what happens when multiple hashes point to the same point in the hash table (i.e. collisions)?
  • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).
2. More sophisticated method: MAD (multiply, add and divide)
  • Would produce the position.
  • Collisions can be handled by using:
    • Linear probing
    • Quadratic probing
  Investigate in your own time!
Side bar: Bucket Arrays
• A bucket array is just an array of size N.
• However, instead of each element storing one bit of information, the element provides another array which can grow…
[Diagram: a 12-slot bucket array; where two names collide (e.g. Clark Kent and Jack Kent, Lucy Lane and Jimmy Olsen) the slot holds a growable list of accounts (ACT#4534, ACT#4535, ACT#5675, ACT#5676), while Lois Lane (ACT#6789) and Perry White (ACT#7898) sit alone in their slots.]
• Better to use a linked list structure to store collisions – it will allow an indefinite number rather than, say, n = 9.
Now back to workgroups….
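As an added example (not code from the slides), the base-31 hash shown above, both compression functions, and a bucket array that chains colliding keys; the MAD constants a, b and p are my own choices, as are the sample accounts in the tests.

```python
# Added example: polynomial hash, compression functions and a chained bucket array.
def poly_hash(key, base=31):
    """h("White") = 87*31^4 + 104*31^3 + 105*31^2 + 116*31 + 101 = 83549193."""
    h = 0
    for ch in key:
        h = h * base + ord(ch)   # ASCII code of each character
    return h

def division_compress(h, n):
    """Simple 'division method': position = hash % number of buckets."""
    return h % n

def mad_compress(h, n, a=3, b=7, p=100_003):
    """MAD (multiply, add, divide): ((a*h + b) mod p) mod n, p a prime larger than n.
    The constants are assumed values chosen for this example."""
    return ((a * h + b) % p) % n

class BucketArray:
    """Hash table of n buckets; each bucket is a list of (key, value) pairs,
    so keys whose compressed hashes collide are chained in the same bucket."""
    def __init__(self, n=1000, compress=division_compress):
        self.buckets = [[] for _ in range(n)]
        self.compress = compress

    def _index(self, key):
        return self.compress(poly_hash(key), len(self.buckets))

    def put(self, key, value):
        bucket = self.buckets[self._index(key)]
        for i, (k, _) in enumerate(bucket):
            if k == key:                 # existing key: update in place
                bucket[i] = (key, value)
                return
        bucket.append((key, value))      # new key (possibly a collision): chain it

    def get(self, key):
        for k, v in self.buckets[self._index(key)]:
            if k == key:
                return v
        return None

    def collisions(self):
        """Number of keys that share a bucket with an earlier key."""
        return sum(len(b) - 1 for b in self.buckets if len(b) > 1)
```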
Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
  • Passwords are stored in hashed format.
  • Question: What’s a hash function?
  Note: hash values and hash functions are used extensively within the OS.
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
Microsoft Domain
• For larger networks (> approx. 10 computers), it is simpler to use a centralised Directory Service that contains a list of the resources available on a network.
• The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.
• Active Directory Domain Services includes:
  • Database of computers, users, etc.
  • LDAP services to mediate queries and responses
  • Kerberos security service
  • File replication service to ensure redundancy of domain information
Active Directory Data Store – physical structure
[Diagram: the layers of the data store, top to bottom.]
• Interfaces – LDAP, REPL, MAPI, SAM: allow access to the DB via four interface methods.
  • LDAP: Lightweight Directory Access Protocol
  • REPL: replication and domain controller management interface
  • MAPI: Messaging API
  • SAM: Security Accounts Manager
• Directory Service Agent (DSA), Ntdsa.dll: access / modification of objects via read / write operations; syntax checking against the schema; maintains the schema.
• Database Layer: interface between the DSA and the DB file; provides low-level DB functionality and integrity checks (create, read, write, delete).
• Extensible Storage Engine (ESE), Esent.dll: general purpose DB engine; low-level functions (indexing, transferring); transaction based (i.e. ATOMIC).
Active Directory Domain Services Logical Structure
• This is comprised of the following:
  • Partitions
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organisational Units
AD DS Partitions
The AD data store is divided up into a number of logical partitions (also known as naming contexts):
  • Domain directory
  • Configuration directory
  • Schema directory
  • Global catalogue (covered in a later lecture)
  • Application directory
Domains
Domains act as an administrative boundary within the organisation and define the following:
  • Replication boundaries
  • Security policy boundaries
  • Resource access boundaries
  • Trust boundaries
Domain Trees
• Multiple domains with contiguous DNS namespaces form a domain tree.
• aardvark.com is the parent (root domain) in which child domains are created.
[Diagram: aardvark.com with child domains eu.aardvark.com and us.aardvark.com.]
Forests
[Diagram: two domain trees, aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com), joined by “some kind of link!”.]
• Highest level of the AD DS logical structure hierarchy.
• A forest can contain one or more domain trees and one or more domain namespaces.
Other Forest issues – Trust Relationships – Transitive Two-way Trust
• Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
• By default, one-way trust (non-transitive trust) is enabled between domains.
• Need to explicitly set two-way for transitive trust.
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com); a two-way trust (bison trusts aardvark) is contrasted with a one-way trust, with users U1 and U2 each holding an account in one tree and logging in from the other.]
Shortcut Trusts
• Two-way transitive trust between aardvark.com and bison.com.
• Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
• The user needs to be referred to each domain controller in the trust path for authentication.
• To reduce latency times, introduce a shortcut trust relationship.
• A shortcut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).
[Diagram: the referral path eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops); with a shortcut trust between eu.aardvark.com and us.bison.com the path is 1 hop.]
Forest Trusts
[Diagram: three forests, aardvark.com (eu.aardvark.com, us.aardvark.com), bison.com (man.bison.com, nott.bison.com) and giraffe.com (eu.giraffe.com, us.giraffe.com), with a forest trust between aardvark.com and bison.com and another between bison.com and giraffe.com.]
• Forest trusts provide two-way transitive trust between two connecting forest roots.
• This means that there is transitive trust between:
  • aardvark.com ↔ bison.com
  • bison.com ↔ giraffe.com
  • But no default forest trust between aardvark.com and giraffe.com.
• Only allows authentication to occur between forests – replication does not happen.
External Trusts
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) and bison.com (man.bison.com, nott.bison.com), with a trust drawn between a single domain in each tree.]
• Used to allow a domain external to the forest to access resources.
• Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
• Usually one-way.
Realm Trusts
• Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
• Can be defined as one-way, two-way, transitive or non-transitive.
[Diagram: aardvark.com (eu.aardvark.com, us.aardvark.com) with a trust between us.aardvark.com and the Kerberos realm tiger.com.]
• In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.
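As an added example (not from the slides), a small resolver for the trust paths described on the trust slides: parent-child trusts are two-way and transitive, forest trusts are transitive but do not chain to a third forest, and shortcut, external and realm trusts join exactly two domains. The domain names are the slides’ aardvark / bison / giraffe / tiger examples; the resolver itself is an assumption, not an AD API.

```python
from collections import deque

class TrustGraph:
    """Trust edges stored in the direction accounts flow: trusted -> trusting."""
    def __init__(self):
        self.edges = {}  # domain -> [(neighbour, transitive, is_forest_trust)]

    def add_trust(self, trusting, trusted, two_way=True, transitive=True, forest=False):
        """`trusting` accepts accounts from `trusted`; two_way adds the reverse edge."""
        self.edges.setdefault(trusted, []).append((trusting, transitive, forest))
        if two_way:
            self.edges.setdefault(trusting, []).append((trusted, transitive, forest))

    def hops(self, account_domain, resource_domain):
        """Trust hops an authentication referral must follow, or None if no trust path."""
        if account_domain == resource_domain:
            return 0
        # BFS over (domain, forest trust already crossed): a forest trust does not
        # chain on to a third forest, so a path may cross at most one of them.
        queue = deque([(account_domain, False, 0)])
        seen = {(account_domain, False)}
        while queue:
            node, crossed, depth = queue.popleft()
            for nxt, transitive, forest in self.edges.get(node, []):
                # non-transitive trusts (shortcut, external, realm) only join two
                # domains, so they are usable solely as a direct one-hop path
                if not transitive and not (depth == 0 and nxt == resource_domain):
                    continue
                if forest and crossed:
                    continue
                if nxt == resource_domain:
                    return depth + 1
                state = (nxt, crossed or forest)
                if state not in seen:
                    seen.add(state)
                    queue.append((nxt, crossed or forest, depth + 1))
        return None

def lecture_forests():
    """The aardvark / bison / giraffe forests from the slides plus the tiger.com realm."""
    g = TrustGraph()
    trees = {"aardvark.com": ("eu", "us"), "bison.com": ("man", "nott", "us"),
             "giraffe.com": ("eu", "us")}
    for root, children in trees.items():
        for child in children:                  # parent-child: two-way, transitive
            g.add_trust(root, f"{child}.{root}")
    g.add_trust("bison.com", "aardvark.com", forest=True)   # forest trusts between roots
    g.add_trust("giraffe.com", "bison.com", forest=True)
    g.add_trust("tiger.com", "us.aardvark.com", two_way=False, transitive=False)  # realm
    return g
```

Adding the shortcut trust from the Shortcut Trusts slide, `g.add_trust("us.bison.com", "eu.aardvark.com", transitive=False)`, drops the eu.aardvark.com to us.bison.com referral path from 3 hops to 1.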
Sites
• The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
• Need to consider, when designing the organisational structure, where users and resources are going to be located.
• A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DCs and a number of clients.
• There are a number of reasons for using a site when managing network traffic:
  • Replication
  • Authentication
  • Site-aware network services
Organisational Units
• Microsoft recommends organisations have relatively few domains and manage the administration by use of OUs.
• OUs are containers within domains and can be layered.
• OUs can contain different types of AD DS objects:
  • User
  • Group
  • Printers
  • Organisational units
  • Computers
  • Shared folders
  • Contacts
  • inetOrgPerson
Organisational Units
• Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).
• The Schema sets out the rules to govern what objects can be used and how they are specified.
• The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.
• Rights & permissions are allocated to containers (and therefore to the objects in them).
Domains and Domain Controllers
• When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
• Typically, domains have 2+ DCs for redundancy because the information is so critical to the workings of the network.
• DCs copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.
Integrating DNS & DHCP services
• Microsoft encourages the integration of DNS services onto DCs.
• This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
• Provides additional security for DNS by use of group policies (see later).
• Avoids the need to manage DNS information separately.
• When a DC also does DHCP, DHCP inherits the DC’s permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account.
Domain Controller Issues
• AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DCs.
• A faulty DC can be brought into line with other up-to-date ones by following this sequence:
  • Reboot the DC under Directory Services Restore Mode (will need to use the DSRM password supplied during the original DC setup).
  • Use a backup to get the (out of date) DS information.
  • Restart, indicating non-authoritative restoration, to acquire changes from other DCs.
  • Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.
Why is the architecture important?
• Active Directory involves sharing information between domain controllers.
• Letting users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
• In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
• (We will look at the global catalogue in more detail in a later session when working with groups.)
Other DC roles: Operations Masters
• Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
• These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
• Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
• Types of FSMO/Operations Master roles:
  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master
• Roles must be carefully distributed to allow DCs to take over after failure.
Other DC roles: Read-Only Domain Controllers
• Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
• But:
  • Is limited.
  • No credentials stored locally.
  • Authentication requires access to a writeable DC to authenticate requests.
  • Cannot configure an RODC with an FSMO role.
• Why use them?
  • Ideal when the physical security of the DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
  • When storing data on local storage would pose a security risk.
Linux integration
• Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
• Pure Linux can use OpenLDAP to control/share system files and attributes.
  • e.g. /etc/passwd, /etc/group, /etc/hosts
• (Lab 3 will introduce adding Linux clients to an Active Directory domain.)
Summary
• Domain services provide functionality to control the logical structure of an organisation.
• Domains are used within a geographical boundary (e.g. in a single company).
• Forests connect multiple domains together.
• Forests provide a number of trust relationships for information to flow between domains.
• Organisational units provide structure and act as containers for resources which can model the real-world company structure.
Next Time & References
• Naming and Namespaces
• Objects in Active Directory – computers, users and groups.

References:
• “Unix and Linux System Administration Handbook”, Nemeth, E. et al., 4th Edition, Chapter 19.3.
• Windows Server 2008 Active Directory Resource Kit
• http://technet.microsoft.com/en-us/library/cc771613.aspx
• http://technet.microsoft.com/en-us/library/cc787034.aspx
• http://www.exchangeinbox.com/article.aspx?i=30