Active Directory Presentation Windows 2000 Server
Breakdown…
• What is Active Directory
• Structure of Active Directory
• Objects
• Domains – Trees and Forests
• Replication
• Security
• Kerberos
• Trusts
Overview of Active Directory
• Active Directory is a directory service, which means it both stores data about your network resources and provides methods of accessing and distributing that data. It stores data about users and groups, shared folders, and other network resources.
• Active Directory lets you centrally manage your network.
• Administrative tasks can be performed from a single location.
What Is Active Directory?
• Active Directory is an essential and inseparable part of the Windows 2000 network architecture. It improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.
• Active Directory lets organizations efficiently share and manage information about network resources and users.
• Active Directory acts as the central authority for network security, letting the operating system readily verify a user’s identity and control his or her access to network resources.
• It acts as an integration point for bringing systems together and consolidating management tasks.
How does Active Directory Work?
• AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments.
Single Point of Administration
• For all published resources, incl. files, peripheral devices, host connections, databases, Web access, users, services…
• It uses the Internet Domain Name Service (DNS) as its locator service.
• No primary domain controller (PDC) or backup domain controller (BDC); uses domain controllers (DCs).
• Allows multiple domains to be connected into a tree structure.
What are the benefits of Active Directory?
• Simplifies management tasks.
• Strengthens network security.
• Makes use of existing systems through interoperability.
Simplifies Management
• Single place to manage users, groups and network resources, as well as distribute software and manage desktops.
 – Eliminates redundant management tasks.
 – Reduces trips to the desktop.
 – Better maximizes IT resources.
 – Lowers total cost of ownership (TCO).
• Eliminates redundant management tasks.
 • Provides a single point of management for Windows user accounts, clients, servers, and applications.
• Reduces trips to the desktop.
 • Automatically distributes software to users based on their role in the company, reducing or eliminating the multiple trips that system administrators need to make for software installation and configuration.
• Better maximizes IT resources.
 • Securely delegates administrative functions to all levels of an organization.
• Lowers total cost of ownership (TCO).
 • Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
Simplifies Management
[Diagram: Delegate management tasks to office admins. Tree: Company, with containers Users, Machines, Devices, Applications; objects shown include a Color Printer, Marketing, and Personnel in Building 6. Example: Give ‘Personnel’ members the Human Resources application.]
Strengthens Security
• Support for multiple authentication protocols such as Kerberos, X.509 certificates, and smart cards.
• Flexible access control model – enables powerful and consistent security services for internal desktop users, remote dial-up users, and external commerce customers.
• Improves password security and management.
• Ensures desktop functionality.
• Speeds e-business deployment.
• Tightly controls security.
• Improves password security and management.
 • Provides single sign-on to network resources with integrated, high-powered security services that are transparent to end users.
• Ensures desktop functionality.
 • Locks down desktop configurations and prevents access to specific client machine operations, e.g. software installations and registry editing.
• Speeds e-business deployment.
 • Built-in support for secure Internet-standard protocols and authentication mechanisms, e.g. Kerberos, public key infrastructure (PKI), Lightweight Directory Access Protocol (LDAP).
• Tightly controls security.
 • Sets access control privileges on directory objects and the individual data elements that make them up.
Extends Interoperability
• Active Directory provides a set of standard interfaces for application integration and open synchronization mechanisms to ensure that Windows can interoperate with a wide variety of applications and devices.
It Does So By…
• Taking advantage of existing investments and ensuring flexibility.
• Consolidating management of multiple application directories, using open interfaces, connectors, and synchronization mechanisms (incl. Novell’s NDS, LDAP, ERP, e-mail…).
• Allowing organizations to deploy directory-enabled networking: assign quality of service and allocate network bandwidth to users based on their role in the company.
• Allowing organizations to develop and deploy directory-enabled applications.
Interoperability
[Diagram: Company tree with containers Users, Machines, Devices, Applications and groups Finance and Personnel. Application example: Exchange mailbox information. Policy examples: Give ‘Personnel’ access to the ‘Change Salary’ menu options; Give ‘Finance’ more bandwidth at the end of the month.]
Active Directory as a Service Provider
• Used to locate all network services and information.
• Fulfills a wide variety of naming, query, administrative and registration needs.
[Diagram: the Directory Service surrounded by the clients it serves: Mail Client and Exchange Mail (submit, recipient referral), DNS (lookup, Microsoft.com), Address Book, http/shttp Server (admin/browse), Replication, SQL Server (register service), Security (credential management), Dynamic Services (query).]
Directory Partitions
• The data stored within AD is actually broken into three distinct areas called directory partitions.
• Each partition records and stores a specific type of information.
• The three directory partitions that exist:
 • Domain Partition
 • Schema Partition
 • Configuration Partition
• Domain Partition
 • Holds data regarding domain-specific objects, including users, groups, and computers.
• Schema Partition
 • Contains data that defines which objects can be created within AD and specifies rules regarding these objects, such as mandatory properties.
• Configuration Partition
 • Contains information about your AD structure, such as the domains and DCs that exist.
The Structure of Active Directory
• Active Directory is made up of two distinct structures:
 • The logical structure.
 • The physical structure.
• Design of the Active Directory implementation deals with the logical aspects.
• Deciding where each component will be on your network deals with the physical aspects.
The Logical Structure
• There are five logical components in Active Directory:
 • Domains
 • Organizational Units (OUs)
 • Trees
 • Forests
 • Global Catalogs (GCs)
Domains
• A domain is a security boundary.
• Each domain has its own administrators, who can be assigned full control over the domain.
• An entity which has its own users and groups.
• Users can be granted permissions in other domains.
• Domains are used for replication purposes.
• Can run in one of two modes:
 • Native (must be running to achieve full functionality)
 • Mixed
Organizational Units (OUs)
• Organizational Units are container objects that are used to organize objects within the directory.
• Commonly contain user and group objects.
• They can also contain computers and other OUs.
• Permissions can be assigned at the OU level, both to grant (or deny) container objects access to other network resources and to assign specific users administrative privileges.
• Administration of objects within an OU can be delegated.
 • Assign permissions to manage these objects to groups other than domain administrators.
Hierarchical Organization
• Active Directory uses objects to represent network resources such as users, groups, machines, devices, and applications.
• It uses containers to represent organizations, such as a marketing department, or collections of related objects, such as printers.
• It organizes information in a hierarchical structure made up of these objects and containers, similar to the way the Windows operating system uses folders and files to organize information on a computer.
Containers and Objects
[Diagram: Company tree with containers Users, Machines, Devices, Applications, Marketing and Personnel; the legend distinguishes Container from Object.]
Objects in Active Directory
• Objects within AD include users, groups, computers, servers, domains, and sites.
• Since data is stored as objects, users can search through the directory for objects they wish to access.
• Objects also have attributes which a user can use in his/her search.
• In order to understand how data is defined within AD, you must be aware of the Schema.
The Schema
• The Schema is a definition of all the objects and their attributes.
• Since there is a single schema for an entire Windows 2000 forest, you can achieve consistency no matter how large the enterprise.
• Two types of definitions can be stored in the schema:
 1. Object Classes
 2. Attributes
Object Classes
• Object classes define the types of objects that can be stored within Active Directory.
• Each class consists of a class name and a set of attributes that are associated with the object.
Attributes
• Attributes are stored separately within the schema.
• This allows for further consistency within the database, because a single definition for the “last name” attribute can be used over and over again.
Object-Oriented Storage
[Diagram: Company tree with containers Users, Machines, Devices, Applications, Marketing and Personnel; the legend distinguishes Container from Object. The Bob Jones object carries the attributes Name: Bob Jones, Email: email@example.com, Phone: 555-1234, SSN: 456-7]
Object-Oriented Storage
• In this case, the system administrator has allowed global access to the Bob Jones object, but has locked access to the Social Security Number attribute.
Schema Security
• To prevent it from being modified without permission, each object is secured using Discretionary Access Control Lists (DACLs).
• These DACLs ensure that only authorized users are able to access the schema.
A little more about the Schema
• The file schema.ini contains the default schema’s definition, as well as the initial structure for the file ntds.dit (which stores the directory data).
• The %systemroot%\ntds directory contains the file schema.ini.
• The file is in plain ASCII format.
Trees
• Domains are combined to produce a tree.
• A hierarchical representation of the Windows 2000 network.
• The first domain installed is called the root domain, and all subsequent domains are installed beneath this root domain.
• All domains in a tree share a common schema and GC.
Domain Tree
• A domain tree exists when one domain is the child of another domain.
• Ex. root.com – since domains are DNS names.
• If the administrator renames a part of the tree, all of the parent’s children are also implicitly renamed.
 • Ex. If ntfaq.com is renamed to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com.
Domain Tree Diagram
[Diagram: root.com with child domains child1.root.com and child2.root.com, and the grandchild gran.child1.root.com beneath child1.root.com.]
These child domains continue to utilize the same contiguous name (root.com) while branching out with additional naming for organizational purposes. Ex. child1.root.com
Domain Tree Advantages
• All members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children.
• Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree.
• You can use one network logon at any workstation in the domain tree.
Forests
• A forest is a collection of trees.
• Trees in a forest do not have to share a contiguous namespace.
• They must share a common schema and GC.
• Forests allow users in two different trees to access resources in a different namespace.
• Useful when a company has multiple root DNS addresses.
Forest Diagram
[Diagram: a transitive Kerberos trust joining the two trees makes a forest. Tree 1: root.com with child1.root.com, child2.root.com and gran.child1.root.com. Tree 2: ntfaq.com with legal.ntfaq.com, ads.ntfaq.com and banner.ads.ntfaq.com.]
Benefits of a Forest
• All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest.
• All the trees contain a common schema.
• Performing a search in a forest initiates a deep search of the entire tree in the domain you initiate the request from, and uses GC entries for the rest of the forest.
Global Catalogs (GCs)
• A GC server is also a DC (Domain Controller).
• It contains data about all objects within a forest.
• The GC contains the permissions list for all the objects, and therefore can also grant access.
• Stored locally on a DC – reduces network traffic.
• Benefits:
 • Makes the logical structure of the Windows 2000 network invisible to the users.
 • Reduces network traffic.
Purpose of the Global Catalog
• Designed for high performance.
• Allows users to easily find an object regardless of where it is in the tree – searching using selected attributes.
• These attributes are contained in an abbreviated catalog.
• This technique is known as partial replication.
Global Catalog Structure
[Diagram: Domain 1, Domain 2 … Domain n, with Partial Replicas and Full Replicas.]
The global catalog structure provides access to full and partial replication.
Physical Structure
• Used to manage network traffic on the network.
• Element that makes up the physical structure:
 • Domain controllers (DCs)
Domain Controllers (DCs)
• A domain controller (DC) is a server on a Windows 2000 network that stores a replica of the Active Directory database.
• Its job is to manage access to this data via searches, and also to accept and make changes to the data.
• Replicates changes to all other DCs in the domain.
• Manages authentication of users.
 • Assigns a security token that contains a list of group memberships and permissions to each user.
Replication
• Replication ensures that data recorded in one copy is disseminated to all other copies in the domain.
• Windows 2000 uses multi-master replication.
• Each DC is a master of its copy of AD.
• The DC can accept changes and will then propagate them out to other DCs.
• Replication – updating information from one DC to another.
The Replication Process
• Replication occurs when an update is made to a copy of AD.
• Changes such as a new user, deletion of an object, or modification of a single property of an object.
• AD performs two types of updates:
 • Originating update – occurs only the first time a change is made to an AD replica.
 • Replicated update – occurs as a result of this change.
Multi-master Replication
• Individual changes made in one copy of the directory are automatically replicated to all other appropriate copies of the directory.
• Active Directory uses Update Sequence Numbers (USNs).
• Any time a user writes something into an object in the directory, it gets a USN, which is held per computer and incremented any time a change is made.
• A change cannot occur without the USN being incremented, therefore changes cannot be lost.
Update Sequence Number (USN)
• These are stored in memory, in a table called the up-to-dateness table.
• This table has an entry for every DC in the domain, along with the USN at the time of the last originating update for that DC.
 • Ex. Entry for server A: if changes caused the USN to increment to “130”, the entry would be “A-130”.
• USNs can be used to prevent unnecessary data being sent across the network.
• Replication in AD is pull only; data is never pushed across the wire.
USN Table
• Each DC keeps track of the highest USNs of the DCs it replicates with.
• This procedure lets a DC calculate which changes must replicate on a replication cycle.
• At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for their latest USNs.
USN Table for Server A
• Server A’s USN table (highest USN it holds for each partner): Domain Controller B: 54, Domain Controller C: 23, Domain Controller D: 53.
• Server A queries the DCs for their current USNs and gets the following information: Domain Controller B: 58, Domain Controller C: 23, Domain Controller D: 64.
• From this information, Server A can calculate the changes it needs from each server as follows: Domain Controller B: 55-58, Domain Controller C: none, Domain Controller D: 54-64.
• Server A then queries each DC for the necessary changes.
Property Version Number
• Multiple changes to an object’s property can occur.
• Every property has a property version number, which helps detect collisions.
• Property version numbers work like USNs.
• Each time a property is modified, the property version number increases by one.
Collision
• A collision occurs when the property version numbers are the same for two or more property updates.
• In this case, the timestamps help resolve the conflict.
• In the case where the property version numbers and the timestamps match, a binary buffer comparison occurs; the change with the larger buffer size takes precedence.
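As an added worked example (not from the presentation), the following Python models the USN bookkeeping from the USN Table slides and the collision rules above: the partner names and USN values are the constructed sample from that table, and PropertyUpdate, Replica and the function names are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample, matching the USN Table slide: Server A's up-to-dateness
# table (last USN it has from each partner) and what the partners report now.
KNOWN_USNS = {"B": 54, "C": 23, "D": 53}
CURRENT_USNS = {"B": 58, "C": 23, "D": 64}


def changes_to_pull(known, current):
    """Return {dc: (first_usn, last_usn)} of the changes this server must pull,
    or None for a partner whose USN has not moved. Replication is pull-only:
    the server asks only for USNs above the one already in its table."""
    needed = {}
    for dc, last_seen in known.items():
        now = current[dc]
        needed[dc] = (last_seen + 1, now) if now > last_seen else None
    return needed


@dataclass
class PropertyUpdate:
    value: bytes      # the property's new contents
    version: int      # property version number, +1 on every modification
    timestamp: float  # time of the originating write


def resolve_property_update(local, incoming):
    """Pick the winner when a replicated update meets the local copy of the
    same property: the higher version wins; equal versions are a collision,
    broken by the later timestamp; equal timestamps fall back to the binary
    buffer comparison, where the larger buffer takes precedence."""
    if incoming.version != local.version:
        return incoming if incoming.version > local.version else local
    if incoming.timestamp != local.timestamp:
        return incoming if incoming.timestamp > local.timestamp else local
    return incoming if len(incoming.value) > len(local.value) else local


class Replica:
    """One DC's copy of the directory: a per-DC USN counter that must move on
    every change, and a change log that partners pull from by USN range."""

    def __init__(self, name):
        self.name = name
        self.usn = 0
        self.props = {}    # (object, property) -> PropertyUpdate
        self.log = []      # (usn, key, PropertyUpdate)

    def _record(self, key, update):
        self.usn += 1      # no change without a USN increment
        self.props[key] = update
        self.log.append((self.usn, key, update))
        return self.usn

    def originating_write(self, key, value, timestamp):
        """A write made directly on this DC (an originating update)."""
        old = self.props.get(key)
        version = old.version + 1 if old else 1
        return self._record(key, PropertyUpdate(value, version, timestamp))

    def replicated_update(self, key, incoming):
        """Apply an update pulled from a partner (a replicated update); the
        local copy is kept if it wins under the collision rules above."""
        local = self.props.get(key)
        if local is None or resolve_property_update(local, incoming) is incoming:
            self._record(key, incoming)
        return self.props[key]

    def changes_since(self, first_usn, last_usn):
        """Answer a partner's pull request for one USN range."""
        return [(u, k, p) for (u, k, p) in self.log if first_usn <= u <= last_usn]
```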
Object Security
• Security Principal
• Security ID (SID)
• Security Descriptor
• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Access Control Entries (ACEs)
• Access Tokens
Security Principal
• This is an account to which permissions can be assigned, for example a user, a group, or a computer account.
• Ex. For Bob, a member of the Accounting group, on a computer with a domain computer account named System01, several security principals are involved that permissions could be applied to: namely, the user “Bob”, the group “Accounting”, or the computer account “System01”.
Security ID (SID)
• Every security principal is issued a unique SID that is assigned once to an account and is never reused, even if the object is removed.
• The SID is a numeric value that is assigned automatically when an object is added to the directory.
Security Descriptor
• Defines access control information for that object.
• When a user attempts to access an object, the descriptor checks its information against the user’s SID and then compares the SID against its access control list (ACL).
• There are two types of ACLs:
 • DACLs
 • SACLs
Discretionary Access Control List (DACL)
• A list of access control entries (ACEs) that indicate security levels of Allow Access or Deny Access permissions.
• Deny Access entries are placed first in the list of ACEs.
• A Deny will prove stronger than all the other options.
System Access Control List (SACL)
• This is a list used for auditing object access, based upon ACEs that indicate to the object when an account has accessed an object or has attempted to access an object.
Access Control Entries (ACEs)
• ACEs are used by DACLs and SACLs.
• When used with a DACL, the ACE determines the level of security access upon an object, through 4 types:
 • Access Denied
 • Access Allowed
 • Access Denied Object Specified
 • Access Allowed Object Specified
• When used with a SACL, the ACE determines the level of security based upon:
 • System Audit
 • System Audit Object Specific
Access Tokens
• When the user logs on, an access token is created and sent by the DC to the user’s machine.
• This token is necessary for a user to access any network resource.
• The access token is attached to that user and is needed to access any object, to run any application, and to use any system resources.
Access Permissions on AD Objects
• The five standard permissions that can be applied to an object are:
 • Full Control
 • Write
 • Read
 • Create All Child Objects
 • Delete All Child Objects
• Full Control
 • Allows the user to view objects and attributes, the owner of the object, and the AD permissions, along with the ability to change any of those settings.
• Write
 • Enables the user to view objects and attributes, the owner of the object, and the AD permissions, and also allows the user to change any of those settings.
• Read
 • Enables the user to view objects and attributes, the owner of the object, and the AD permissions.
• Create All Child Objects
 • Enables the user to create additional child objects in the OU (Organizational Unit).
• Delete All Child Objects
 • Enables the user to delete existing objects from an OU.
The Flow of Permissions
• Windows 2000 implements permission inheritance.
• Inheritance is automatic for child objects within parent containers.
 • Ex. If a parent object has permissions implemented upon it, the child objects beneath will automatically inherit the permissions from above.
The Flow of Inheritance
[Diagram: Parent OU with permissions Administrator: Full Control, Users: Read. The child OUs Sales OU and Research OU each inherit the same permissions: Administrator: Full Control, Users: Read.]
When you create a child object within a parent container that holds certain permissions, the child object automatically contains the permissions of its parent.
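An added example, not from the presentation: a small Python model of the security descriptor check described on the preceding slides, with SIDs, an access token, an ordered DACL (deny entries first), a SACL audit record, and ACE inheritance from a parent OU to its children. The permission bits, the SID format and all class and function names are constructed for this example.

```python
from dataclasses import dataclass, field
from itertools import count

# Permission bits: a constructed simplification of the five standard
# permissions on the slide.
READ, WRITE, CREATE_CHILD, DELETE_CHILD = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD

_next_rid = count(1000)


def new_sid(domain_part="S-1-5-21-EXAMPLE"):
    """Issue a SID for a new security principal. The counter only moves
    forward, so a value is never reused even after the principal is removed.
    The domain part is a constructed placeholder, not a real SID."""
    return f"{domain_part}-{next(_next_rid)}"


@dataclass
class ACE:
    kind: str   # "deny" or "allow"
    sid: str    # the security principal the entry applies to
    mask: int   # permission bits the entry denies or allows


@dataclass
class AccessToken:
    """Built at logon: the user's SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: list

    def sids(self):
        return {self.user_sid, *self.group_sids}


@dataclass
class SecurityDescriptor:
    dacl: list = field(default_factory=list)  # ordered ACEs, deny entries first
    sacl: list = field(default_factory=list)  # SIDs whose access attempts are audited
    audit_log: list = field(default_factory=list)

    def add_ace(self, ace):
        self.dacl.append(ace)
        # Keep Deny entries ahead of Allow entries so a deny is always seen first
        self.dacl.sort(key=lambda a: 0 if a.kind == "deny" else 1)


def check_access(sd, token, requested):
    """Walk the DACL in order, matching ACEs against the SIDs in the token.
    A matching deny on any requested bit wins outright; allows accumulate
    until every requested bit is granted. Anything else is denied."""
    granted = 0
    allowed = False
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & requested:
            break
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & requested == requested:
                allowed = True
                break
    if token.sids() & set(sd.sacl):  # SACL: record the attempt, allowed or not
        sd.audit_log.append((token.user_sid, requested, allowed))
    return allowed


def create_child(parent_sd):
    """A child object created under a container inherits its parent's ACEs."""
    return SecurityDescriptor(dacl=[ACE(a.kind, a.sid, a.mask) for a in parent_sd.dacl],
                              sacl=list(parent_sd.sacl))
```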
Kerberos v5
• Developed by a team at MIT.
• Named after the three-headed dog in Greek mythology that guarded the gates of Hades.
• There are three sides to Kerberos authentication:
 • User
 • Server
 • Key Distribution Center (KDC)
Like its Greek Counterpart…
• User
 • A client that has a need to access resources on a server.
• Server
 • Offers a service, but only to those that can prove their identity. That proven identity doesn’t guarantee access to the service; it just proves that they have a right to request a service.
• Key Distribution Center (KDC)
 • An intermediary between the client and the server that provides a way of vouching that the client is really who it says it is.
Kerberos Trust
The trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest.
[Diagram: three DCs connected by trusts.]
• Kerberos is Windows 2000’s primary security protocol.
• Verifies a user’s identity and a session’s integrity.
• Each DC (Domain Controller) has Kerberos services on it, and every Windows 2000 workstation has a Kerberos client.
A Kerberos Transaction
1. A user logs on to the domain by supplying a username, a password, and a domain choice. Kerberos steps in and checks the info against the DC’s KDC database to verify that it knows the user.
2. If the user is valid, the user is provided a ticket-granting ticket (TGT). This means the user is preauthorized to access other resources on the domain.
 • In future transactions, the client doesn’t have to re-authenticate; rather, it presents the TGT to the KDC. This speeds up the process.
3. If a client wants to access a server, for example the internal mail server in order to obtain his/her email, he/she can now present that TGT to the KDC ticket-granting server (TGS). This server will give the client another ticket which doesn’t grant permission to the mail server; rather, it authenticates the client to the mail server.
4. The email server checks to see if the client has permission to read the mail. If so, the client will receive the mail.
The Four Steps of Kerberos
[Diagram: Client, KDC and Print Server, with the four numbered steps of the transaction between them.]
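An added example, not from the presentation or from any Kerberos implementation: a toy Python walk-through of the four steps above (logon and TGT, TGT to the TGS for a service ticket, ticket to the mail server, permission check). Sealing tickets with an HMAC stands in for Kerberos encryption, the session key and authenticator exchange are omitted, and every principal, key and name is constructed.

```python
import hashlib
import hmac
import json
import os
import time


def key_from_password(password):
    """Constructed stand-in for Kerberos' password-to-key derivation."""
    return hashlib.sha256(password.encode()).digest()


def seal(key, claims):
    """Constructed stand-in for a ticket encrypted under `key`: only a holder
    of `key` can produce or verify the tag, so the client carries the ticket
    but cannot forge or alter it."""
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key, ticket):
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(ticket["body"])


class KDC:
    """The DC's Key Distribution Center: verifies users and issues the TGT
    (steps 1-2), then acts as the TGS issuing service tickets (step 3)."""

    def __init__(self):
        self.tgs_key = os.urandom(32)  # known only to the KDC, so only it can read a TGT
        self.keys = {}                 # principal -> long-term key (users and servers)

    def register(self, name, password):
        self.keys[name] = key_from_password(password)

    def logon(self, user, password, lifetime=8 * 3600):
        # Steps 1-2: check the user against the KDC database, then hand back a TGT
        if user not in self.keys or not hmac.compare_digest(self.keys[user], key_from_password(password)):
            raise PermissionError("KDC does not know this user / wrong password")
        return seal(self.tgs_key, {"user": user, "expires": time.time() + lifetime})

    def get_service_ticket(self, tgt, service):
        # Step 3: the client presents its TGT instead of re-authenticating; the
        # TGS issues a ticket sealed under the target server's own key
        claims = unseal(self.tgs_key, tgt)
        if claims["expires"] < time.time():
            raise PermissionError("TGT expired, log on again")
        if service not in self.keys:
            raise LookupError(f"unknown service {service}")
        return seal(self.keys[service], {"user": claims["user"], "service": service})


class MailServer:
    """Step 4: the ticket only authenticates the client; the server still
    decides for itself whether that user may read the mail."""

    def __init__(self, name, password, kdc):
        self.name, self.key = name, key_from_password(password)
        kdc.register(name, password)
        self.mailboxes = {}  # owner -> messages; permission here = owning the mailbox

    def read_mail(self, ticket):
        claims = unseal(self.key, ticket)          # who is this? (authentication)
        if claims["service"] != self.name:
            raise PermissionError("ticket was issued for a different service")
        if claims["user"] not in self.mailboxes:   # may they? (authorization)
            raise PermissionError(f"{claims['user']} has no mailbox here")
        return self.mailboxes[claims["user"]]
```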
Trusts
• Trusts allow domains to work with the user accounts from other domains in such a way that people in one domain can share resources with others.
• The transitive concept enables smoother functionality.
• Transitive means “by extension”.
• Under Windows 2000, the trust is automatic between parents and children, and transitive between every other domain in the tree.
Transitive Trusts
• Transitive trusts allow users in all connected domains to be validated as domain users.
• Permissions are not transitive.
Two-way Transitive Trusts
• If child domain a.corp.com trusts corp.com and corp.com trusts b.corp.com, then a.corp.com automatically trusts b.corp.com.
[Diagram: corp.com with child domains a.corp.com and b.corp.com.]
Few Points About Transitive Trusts
• They are two-way agreements that are automatically created.
• They exist between child domains and parents, or between the root domains of a forest.
• The trusts are transitive because the trees and forests with connecting trusts make information available with no further trust configuration issues.
• After trusts are established, permissions must be granted to an individual or group to allow them to access resources.
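An added example, not from the presentation: Python that builds the automatic two-way trusts for the domain names in the tree and forest diagrams, checks transitive trust by following the chain, applies the implicit rename from the Domain Tree slide, and shows that a trust validates a user without granting permissions. All function names and the sample ACL are assumptions of this example.

```python
from collections import deque

# Constructed forest, using the domain names from the tree and forest diagrams.
FOREST = ["root.com", "child1.root.com", "child2.root.com", "gran.child1.root.com",
          "ntfaq.com", "legal.ntfaq.com", "ads.ntfaq.com", "banner.ads.ntfaq.com"]


def parent_domain(domain):
    """In a tree the child's DNS name extends its parent's: strip the leftmost
    label to find the parent; a two-label name is a tree root."""
    labels = domain.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def build_trusts(domains, forest_roots=()):
    """Trusts created automatically: a two-way trust between every child and
    its parent, and between the root domains of the trees joined in a forest."""
    trusts = {d: set() for d in domains}

    def link(a, b):
        trusts[a].add(b)
        trusts[b].add(a)

    for d in domains:
        parent = parent_domain(d)
        if parent is not None:
            if parent not in trusts:
                raise ValueError(f"{d}: parent {parent} is not in the tree")
            link(d, parent)
    roots = list(forest_roots)
    for a, b in zip(roots, roots[1:]):
        link(a, b)
    return trusts


def trusts_transitively(trusts, src, dst):
    """Transitive means 'by extension': src trusts dst if a chain of two-way
    trusts connects them, even with no direct trust between the two."""
    seen, queue = {src}, deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            return True
        for n in trusts[d]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return False


def rename_tree(domains, old_name, new_name):
    """Renaming a domain implicitly renames every domain beneath it."""
    renamed = {}
    for d in domains:
        if d == old_name or d.endswith("." + old_name):
            renamed[d] = d[:-len(old_name)] + new_name
        else:
            renamed[d] = d
    return renamed


def can_access(trusts, resource_domain, resource_acl, user, user_domain):
    """A trust only lets resource_domain validate the user as a domain user;
    permissions are not transitive, so the ACL must still grant the user."""
    if not trusts_transitively(trusts, resource_domain, user_domain):
        return False
    return user in resource_acl
```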
Summary of Features and Benefits
• Support for open standards to facilitate cross-platform directory services, incl. DNS and standard protocols – LDAP.
• Support for standard name formats to ensure ease of migration.
• Fast lookup via the global catalog.
• Multi-master replication.
• Backward compatibility.
• Interoperability with NetWare environments.
Installation of Active Directory
• Installed using ‘dcpromo.exe’, which can be executed from the ‘Run’ dialog box.
• ‘dcpromo.exe’ resides on the Windows 2000 partition.
• ‘dcpromo.exe’ is an Active Directory installation wizard, which guides the user through a step-by-step installation.
• Installation of Active Directory requires both a FAT and an NTFS partition.