An RDX Insights Series Presentation that analyzes the most significant areas of database vendor competition. Competitive evaluations include public vs private cloud, the three leading public cloud offerings, NoSQL vs relational, open source vs commercial and the traditional DBMS vendors vs all competitors.
Cloud's Hidden Impact on IT Support Organizations (Christopher Foot)
The rapid growth of cloud offerings is providing organizations with cost-effective alternatives to on-premises systems. When calculating TCO and return on their cloud investment, savvy decision makers must also factor in costs that include staff training, new organizational roles and responsibilities, policy and procedure changes, modifications to application design, build and change management processes, as well as the impact cloud applications will have on existing support toolsets.
The last slide includes a link to the YouTube Webinar of this presentation.
A Crash Course in SQL Server Administration for Reluctant Database Administra... (Chad Petrovay)
Reluctant DBAs are those of us who aren’t formally trained in database administration, but manage through a combination of our wits, technical manuals, and online forums. This practical session will explore best practices for installing, configuring, and maintaining Microsoft SQL Server, and highlight some SQL Server features (and Easter eggs) that can improve your user experience and institutional ROI.
1. Windows Server overview
2. Key business solutions
3. Get the most out of your IT investment
4. Be prepared for the unexpected
5. Get scalable storage without spending a fortune
6. Enable remote access while protecting business data
7. Why pay more?
8. A great time to modernize your server
9. Get started
On March 13th & 14th, Eric Inch reviewed Exchange and Lync Server 2013 new features, discussed migration best practices, and hybrid scenarios with Office 365.
Download our slide deck (PDF, 2 MB) to take a deeper dive on Microsoft's Unified Communications.
And for more information on this or other topics, visit our blog at www.cdhtalkstech.com
In 2012 and 2013, Gartner positioned Office 365 as a "leader" in numerous Magic Quadrant reports. Today, Office 365 is the recognized industry leader in business productivity, with one in four enterprise customers using the service.
Whether you are considering a migration to the cloud or already have your Office 365 environment up and running, join us as we explore best practices when moving to Office 365, including:
Available features and SKUs
Deployment overview
Native vs. third party tools
Coexistence
Management
Windows Server 2012 Active Directory Domain and Trust (Forest Trust) (Serhad MAKBULOĞLU, MBA)
In this webinar, delivered by Serhad Makbuloğlu, the topic of Windows Server 2012 Active Directory Domain and Trust (Forest Trust) will be covered. This webinar has technical content. You can also find answers to your questions about this product in the Q&A section at the end of the webinar.
Learn Windows 2003 with this online training course from experienced consultant and trainer Grant Moyle. In this Windows Server training course, you'll learn the entire gamut from installation all the way to clustering.
http://www.learnitfirst.com/Course/232/Windows-2003.aspx
http://www.learnitfirst.com/PDFs/232-Windows-2003-Training.pdf
Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure
Active Directory Database
Flexible Single Master Operations (FSMO) Role
Active Directory Services
Some useful tools
Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.
Demystifying SharePoint Infrastructure – for NON-IT People (SPC Adriatics)
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
Cause 2013: A Flexible Approach to Creating an Enterprise Directory (rwgorrel)
Leveraging Microsoft Active Directory LDS to create a flexible enterprise directory.
As UNCG sought to replace Novell Directory Services with the next-generation enterprise authentication and directory services (LDAP), we examined OpenLDAP, Active Directory, and Active Directory Lightweight Domain Services. Hear why we picked a somewhat uncommon approach in the lesser-known AD LDS product and the flexibility it afforded us as a middle ground between OpenLDAP and the urge to use the existing Active Directory domain. We will also discuss the ADAMSync tool used to populate this environment as well as the MSUserProxy object to centralize authentication.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients' needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
2. Breakdown…
• What is Active Directory
• Structure of Active Directory
• Objects
• Domains – Trees and Forests
• Replication
• Security
• Kerberos
• Trusts
3. Overview of Active Directory
• Active Directory is a directory service, which means it both stores data about your network resources and provides methods of accessing and distributing that data. It is a directory service that stores data about users and groups, shared folders, and other network resources.
• Active Directory lets you centrally manage your network.
• Administrative tasks can be performed from a single location.
4. What Is Active Directory?
• Active Directory is an essential and inseparable part of the Windows 2000 network architecture that improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.
5. • Active Directory lets organizations efficiently share and manage information about network resources and users.
• Active Directory acts as the central authority for network security, letting the operating system readily verify a user's identity and control his or her access to network resources.
• It acts as an integration point for bringing systems together and consolidating management tasks.
6. How does Active Directory Work?
• AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments.
7. Single Point of Administration
• For all published resources, including files, peripheral devices, host connections, databases, Web access, users, services…
• It uses the Internet Domain Name Service (DNS) as its locator service.
• No primary domain controller (PDC) or backup domain controller (BDC). Uses domain controllers (DCs).
• Allows multiple domains to be connected into a tree structure.
8. What are the benefits of Active Directory
• Simplifies management tasks.
• Strengthens network security.
• Makes use of existing systems through interoperability.
9. Simplifies Management
• Single place to manage users, groups and network resources, as well as distribute software and manage desktops.
– Eliminates redundant management tasks.
– Reduces trips to the desktop.
– Better maximizes IT resources.
– Lowers total cost of ownership (TCO).
10. • Eliminates redundant management tasks.
– Provides a single point of management for Windows user accounts, clients, servers, and applications.
• Reduces trips to the desktop.
– Automatically distributes software to users based on their role in the company, reducing or eliminating multiple trips that system administrators need to make for software installation and configuration.
• Better maximizes IT resources.
– Securely delegates administrative functions to all levels of an organization.
• Lowers total cost of ownership (TCO).
– Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
11. Simplifies Management
[Diagram: "Delegate Management Tasks to Office Admins". Labels on the diagram: Company; Users, Machines, Devices, Applications; Marketing, Personnel; a Color Printer in Building 6; and the delegated task "Give 'Personnel' members the Human Resources application".]
12. Strengthens Security
• Support for multiple authentication protocols such as Kerberos, X.509 certificates, and smart cards.
• Flexible access control model – enables powerful and consistent security services for internal desktop users, remote dial-up users, and external commerce customers.
• Improves password security and management.
• Ensures desktop functionality.
• Speeds e-business deployment.
• Tightly controls security.
13. • Improves password security and management.
– Provides single sign-on to network resources with integrated, high-powered security services that are transparent to end users.
• Ensures desktop functionality.
– Locks down desktop configurations and prevents access to specific client machine operations. Ex: software installations and registry editing.
• Speeds e-business deployment.
– Built-in support for secure Internet-standard protocols and authentication mechanisms. Ex: Kerberos, public key infrastructure (PKI), lightweight directory access protocol (LDAP).
• Tightly controls security.
– Sets access control privileges on directory objects and the individual data elements that make them up.
14. Extends Interoperability
• Active Directory provides a set of standard interfaces for application integration and open synchronization mechanisms to ensure that Windows can interoperate with a wide variety of applications and devices.
15. It Does So By…
• Taking advantage of existing investments and ensuring flexibility.
• Consolidating management of multiple application directories, using open interfaces, connectors, and synchronization mechanisms. Incl. Novell's NDS, LDAP, ERP, e-mail…
• Allowing organizations to deploy directory-enabled networking: assign quality of service and allocate network bandwidth to users based on their role in the company.
• Allowing organizations to develop and deploy directory-enabled applications.
16. Interoperability
[Diagram: the Company hierarchy (Users, Machines, Devices, Applications; Finance, Personnel) annotated with three examples. Application: Exchange mailbox information. Policy: give 'Personnel' access to the 'Change Salary' menu options. Policy: give 'Finance' more bandwidth at the end of the month.]
17. Active Directory as a Service Provider
• Used to locate all network services and information.
• Fulfills a wide variety of naming, query, administrative and registration needs.
[Diagram: the Directory Service at the centre, surrounded by the clients and services that use it: a mail client submitting mail through Exchange and looking up recipients in the address book, a DNS referral for Microsoft.com, an http/shttp server, administrators browsing the directory, replication, SQL Server registering a service, credential and security management, and queries for dynamic services.]
18. Directory Partitions
• The data stored within AD is actually broken into three distinct areas called directory partitions.
• Each partition records and stores a specific type of information.
• The three directory partitions that exist:
– Domain Partition
– Schema Partition
– Configuration Partition
19. • Domain Partition
– Holds data regarding domain-specific objects, including users, groups, and computers.
• Schema Partition
– Contains data that defines which objects can be created within AD and specifies rules regarding these objects, such as mandatory properties.
• Configuration Partition
– Contains information about your AD structure, such as the domains and DCs that exist.
20. The Structure of Active Directory
• Active Directory is made up of two distinct structures:
– The logical structure.
– The physical structure.
• Design of an Active Directory implementation deals with the logical aspects.
• Deciding where each component will be on your network deals with the physical aspects.
21. The Logical Structure
• There are five logical components in Active Directory:
– Domains
– Organizational Units (OUs)
– Trees
– Forests
– Global Catalogs (GCs)
22. Domains
• A domain is a security boundary.
• Each domain has its own administrators that can be assigned full control over the domain.
• Entity which has its own users and groups.
• Users can be granted permissions in other domains.
• Domains are used for replication purposes.
• Can run in one of two modes:
– Native (must be running to achieve full functionality)
– Mixed
23. Organizational Units (OUs)
• Organizational Units are container objects that are used to organize objects within the directory.
• Commonly contain user and group objects.
• They can also contain computers and other OUs.
• Permissions can be assigned at the OU level both to grant container objects access to other network resources (or to deny them) and to assign specific users administrative privileges.
• Administration of objects within an OU can be delegated.
– Assign permissions to manage these objects to groups other than domain administrators.
24. Hierarchical Organization
• Active Directory uses objects to represent network resources such as users, groups, machines, devices, and applications.
• It uses containers to represent organizations, such as a marketing department, or collections of related objects, such as printers.
• It organizes information in a hierarchical structure made up of these objects and containers, similar to the way the Windows operating system uses folders and files to organize information on a computer.
25. Containers and Objects
[Diagram: Company at the top, with Users, Machines, Devices and Applications beneath it and Marketing and Personnel at the next level. The legend distinguishes Container symbols from Object symbols.]
26. Objects in Active Directory
• Objects within AD include users, groups, computers, servers, domains, and sites.
• Since data is stored as objects, users can search through the directory for objects they wish to access.
• Objects also have attributes which a user can use in his/her search.
• In order to understand how data is defined within AD, you must be aware of the Schema.
27. The Schema
• The Schema is a definition of all the objects and their attributes.
• Since there is a single schema for an entire Windows 2000 forest, you can achieve consistency no matter how large the enterprise.
• Two types of definitions can be stored in the schema.
1. Object Classes
2. Attributes
28. Object Classes
• Object classes define the types of objects that can be stored within Active Directory.
• Each class consists of a class name and a set of attributes that are associated with the object.
29. Attributes
• Attributes are stored separately within the schema.
• Allows for further consistency within the database, because a single definition for the "last name" attribute can be used over and over again.
30. Object-Oriented Storage
[Diagram: the Company hierarchy (Users, Machines, Devices, Applications; Marketing, Personnel) with one object expanded to show its attributes: Name: Bob Jones, Email: bob@abc.com, Phone: 555-1234, SSN: 456-7. The legend distinguishes Container symbols from Object symbols.]
31. Object-Oriented Storage
• In this case, the system administrator has allowed global access to the Bob Jones object, but has locked access to the Social Security Number attribute.
32. Schema Security
• To prevent it from being modified without permissions, each object is secured using Discretionary Access Control Lists (DACLs).
• These DACLs ensure that only authorized users are able to access the schema.
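The following Python model ties together slides 27 to 32: a schema whose attribute definitions are stored once and shared by object classes, class definitions with mandatory and optional attributes, and a DACL on the Bob Jones object that lets everyone read the object while keeping the SSN attribute readable by one group only. It is an added example and not code from the original deck; the class names, the group names (HR, Contractors) and the deny-wins evaluation rule are hypothetical simplifications chosen for illustration, while the attribute names mirror the slide's own object.

```python
"""Toy model of an AD-style schema and per-attribute DACLs (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Attributes are defined once and reused by every class that references them,
# which is what keeps a definition such as "last name" consistent directory-wide.
ATTRIBUTE_TYPES = {"Name": str, "Email": str, "Phone": str, "SSN": str}


@dataclass(frozen=True)
class ObjectClass:
    """A class definition: its name plus mandatory and optional attribute sets."""
    name: str
    mandatory: frozenset
    optional: frozenset = frozenset()


# Hypothetical class definitions, not the real AD schema.
SCHEMA = {
    "user": ObjectClass("user", frozenset({"Name"}), frozenset({"Email", "Phone", "SSN"})),
    "container": ObjectClass("container", frozenset({"Name"})),
}


class SchemaError(ValueError):
    """Raised when an object does not satisfy its class definition."""


def validate(object_class: str, attrs: dict) -> bool:
    """Enforce mandatory/optional attributes and attribute types for a class."""
    cls = SCHEMA.get(object_class)
    if cls is None:
        raise SchemaError(f"unknown object class: {object_class}")
    missing = cls.mandatory - attrs.keys()
    if missing:
        raise SchemaError(f"missing mandatory attributes: {sorted(missing)}")
    unknown = attrs.keys() - cls.mandatory - cls.optional
    if unknown:
        raise SchemaError(f"attributes not allowed on {cls.name}: {sorted(unknown)}")
    for name, value in attrs.items():
        if not isinstance(value, ATTRIBUTE_TYPES[name]):
            raise SchemaError(f"attribute {name} has the wrong type")
    return True


def is_valid(object_class: str, attrs: dict) -> bool:
    """Boolean form of validate() for callers that do not want the exception."""
    try:
        return validate(object_class, attrs)
    except SchemaError:
        return False


@dataclass(frozen=True)
class Ace:
    """One DACL entry; attributes=None means the entry covers every attribute."""
    principal: str
    allow: bool
    attributes: Optional[frozenset] = None


@dataclass
class DirectoryObject:
    dn: str
    object_class: str
    attrs: dict
    dacl: list = field(default_factory=list)

    def __post_init__(self):
        validate(self.object_class, self.attrs)  # objects must match the schema


def visible_attributes(obj: DirectoryObject, groups: set) -> dict:
    """Return the attributes a caller holding `groups` may read.

    Rule used by this model: a matching deny wins over any allow, and an
    attribute with no matching allow is simply not returned.
    """
    def permitted(attribute: str) -> bool:
        allowed = False
        for ace in obj.dacl:
            if ace.principal not in groups:
                continue
            if ace.attributes is not None and attribute not in ace.attributes:
                continue
            if not ace.allow:
                return False
            allowed = True
        return allowed

    return {k: v for k, v in obj.attrs.items() if permitted(k)}


# Constructed sample: the slide's Bob Jones object. Everyone may read it, only
# the hypothetical HR group may read SSN, and the hypothetical Contractors group
# is explicitly denied the Phone attribute.
BOB = DirectoryObject(
    dn="CN=Bob Jones,OU=Personnel,OU=Users,DC=abc,DC=com",
    object_class="user",
    attrs={"Name": "Bob Jones", "Email": "bob@abc.com", "Phone": "555-1234", "SSN": "456-7"},
    dacl=[
        Ace("Everyone", True, frozenset({"Name", "Email", "Phone"})),
        Ace("HR", True, frozenset({"SSN"})),
        Ace("Contractors", False, frozenset({"Phone"})),
    ],
)


def demo():
    """Views of the same object for three callers with different memberships."""
    return (
        visible_attributes(BOB, {"Everyone"}),
        visible_attributes(BOB, {"Everyone", "HR"}),
        visible_attributes(BOB, {"Everyone", "Contractors"}),
    )


if __name__ == "__main__":
    for label, view in zip(("everyone", "hr", "contractor"), demo()):
        print(f"{label}: {sorted(view)}")
```

The point to take from the model is that the object-level grant and the attribute-level lock are separate decisions: the schema decides which attributes an object can carry, the DACL decides who sees each of them.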
33. A little more about Schema
• The file schema.ini contains the default schema's definition, as well as the initial structure for the file ntds.dit (stores directory data).
• The %systemroot%\ntds directory contains the file schema.ini.
• The file is in plain ASCII format.
34. Trees
• Domains are combined to produce a tree.
• A hierarchical representation of the Windows 2000 network.
• First domain installed is called the root domain and all subsequent domains are installed beneath this root domain.
• All domains in a tree share a common schema and GC.
35. Domain Tree
• A domain tree exists when one domain is the child of another domain.
• Ex. Root.com – since domains are DNS names.
• If the administrator renames a part of the tree, all of the parent's children are also implicitly renamed.
– Ex. ntfaq.com renamed to backoffice.com: the child domain sales.ntfaq.com would change to sales.backoffice.com
36. Domain Tree Diagram
root.com
  child1.root.com
    gran.child1.root.com
  child2.root.com
These child domains continue to utilize the same contiguous name (root.com) while branching out with additional naming for organizational purposes. Ex. child1.root.com
37. Domain Tree Advantages
• All members of a tree have Kerberos transitive trusts with the domain's parent and all the domain's children.
• Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree.
• You can use one network logon at any workstation in the domain tree.
38. Forests
• A forest is a collection of trees.
• Trees in a forest do not have to share a contiguous namespace.
• Must share a common schema and GC.
• Forests allow users in two different trees to access resources in a different namespace.
• Useful when a company has multiple root DNS addresses.
39. Forest Diagram
Joining the two trees with a transitive Kerberos trust makes a forest.
root.com
  child1.root.com
    gran.child1.root.com
  child2.root.com
ntfaq.com
  legal.ntfaq.com
  ads.ntfaq.com
    banner.ads.ntfaq.com
40. Benefits of a Forest
• All the trees have a common Global Catalog
(GC) that contains specific information about
every object in the forest.
• All the trees contain a common schema.
• Performing a search in a forest initiates a deep
search of the entire tree in the domain you
initiate the request from and uses GC entries
for the rest of the forest.
41. Global Catalogs (GCs)
• A GC server is also a DC (Domain Controller).
• It contains data about all objects within a forest.
• The GC contains the permissions list for all the objects,
so it can also grant access.
• Stored locally on a DC – reduces network traffic.
• Benefit:
• To make the logical structure of the Windows 2000
network invisible to the users.
• Reduction of network traffic.
42. Purpose of Global Catalog
• Designed for high performance.
• Allows users to easily find an object regardless
of where it is in the tree – searching using
selected attributes.
• Attributes are contained in an abbreviated catalog.
• Technique known as partial replication.
43. Global Catalog Structure
(Diagram: Domain 1, Domain 2 ... Domain n, each holding a full replica
of its own domain and partial replicas of the others.)
The global catalog structure provides access to
full and partial replication.
44. Physical Structure
• Used to manage network traffic on the
network.
• Element that makes up the physical structure:
• Domain controllers (DCs)
45. Domain Controllers (DCs)
• A domain controller (DC) is a server on a Windows
2000 network that stores a replica of the Active
Directory database.
• Its job is to manage access to this data via searches
and also accept and make changes to the data.
• Replicates changes to all other DCs in the domain.
• Manages authentication of users.
• Assigns each user a security token that contains a list of group
memberships and permissions.
46. Replication
• Replication ensures that data recorded in one
copy is disseminated to all other copies in the
domain.
• Windows 2000 uses multi-master replication.
• Each DC is a master of its copy of AD.
• The DC can accept changes and will then
propagate them out to other DCs.
• Replication – updating information from one
DC to another.
47. The Replication Process
• Replication occurs when an update is made to
a copy of AD.
• Changes such as new user, deletion of an
object, or modification to a single property of
an object.
• AD performs two types of updates:
• Originating update – occurs only the first time a change
is made to an AD replica.
• Replicated update – occurs as a result of this change.
48. Multi-master Replication
• Individual changes made in one copy of the directory
are automatically replicated to all other appropriate
copies of the directory.
• Active Directory uses Update Sequence Numbers
(USNs).
• Any time a user writes something into an object in
the directory, it gets a USN, which is held per
computer and incremented any time a change is
made.
• A change cannot occur without the USN being
incremented, therefore changes cannot be lost.
49. Update Sequence Number (USN)
• These are stored in memory, in a table called the up-
to-dateness table.
• This table has an entry for every DC in the domain,
along with the USN number at the time of the last
originating update for that DC.
• Ex. Entry for server A, changes caused the USN to increment to
“130”, entry would be “A-130”.
• USNs can be used to prevent unnecessary data being
sent across the network.
• Replication in AD is pulled only; data is never
pushed across the wire.
50. USN Table
• Each DC keeps track of the highest USNs of
the DCs it replicates with.
• This procedure lets a DC calculate which
changes must replicate on a replication cycle.
• At the start of a replication cycle, each server
checks its USN table and queries the DCs it
replicates with for those DCs’ latest USNs.
51. USN Table for Server A
• Server A’s USN table holds the highest USN it last saw from each DC it replicates with:
Domain Controller B: 54  Domain Controller C: 23  Domain Controller D: 53
• Server A queries the DCs for their current USNs and gets the following information:
Domain Controller B: 58  Domain Controller C: 23  Domain Controller D: 64
• From this information, Server A can calculate the changes it needs from each server as follows:
Domain Controller B: 55-58  Domain Controller C: None  Domain Controller D: 54-64
• Server A then queries each DC for the necessary changes.
52. Property Version Number
• Multiple changes to an object’s property can
occur.
• Every property has a property version number,
which helps detect collisions.
• Property version numbers work like USNs.
• Each time a property is modified, the property
version number increases by one.
53. Collision
• A collision occurs when the property version
numbers are the same for two or more
property updates.
• In this case, the timestamps help resolve the
conflict.
• In the case where the property version
numbers and the timestamps match, a binary
buffer comparison occurs; the larger buffer
size change takes precedence.
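As an added illustration of slides 48 through 53 (not code from the original deck), the following Python models two DCs that pull changes by USN range and resolve a property collision by version number, then timestamp, then buffer size. The DC and object names are constructed, and replicated writes are not re-logged under a local USN, a simplification of real AD.

```python
from dataclasses import dataclass

@dataclass
class PropUpdate:              # one write to a single property of an object
    value: bytes
    version: int               # property version number: +1 on every modification
    timestamp: float           # time of the originating update

def changes_to_pull(usn_table, current_usns):
    # Compare the highest USN last seen from each partner (our USN table) with the
    # partner's current USN; the gap is the range of changes to request (pull only).
    needed = {}
    for dc, current in current_usns.items():
        seen = usn_table.get(dc, 0)
        needed[dc] = (seen + 1, current) if current > seen else None
    return needed

def resolve_collision(local, incoming):
    # Higher property version wins; on a tie the later timestamp wins; on a full tie
    # the larger value buffer wins (the tie-break order the slides describe).
    if incoming.version != local.version:
        return incoming if incoming.version > local.version else local
    if incoming.timestamp != local.timestamp:
        return incoming if incoming.timestamp > local.timestamp else local
    return incoming if len(incoming.value) > len(local.value) else local

class DomainController:
    def __init__(self, name):
        self.name, self.usn, self.usn_table = name, 0, {}
        self.log = []              # (usn, object, property, PropUpdate) per originating update
        self.objects = {}          # object -> property -> PropUpdate (this DC's AD replica)

    def originating_update(self, obj, prop, value, ts):
        prev = self.objects.get(obj, {}).get(prop)
        upd = PropUpdate(value, prev.version + 1 if prev else 1, ts)
        self.usn += 1              # no change without a USN increment, so none are lost
        self.log.append((self.usn, obj, prop, upd))
        self.objects.setdefault(obj, {})[prop] = upd

    def pull_from(self, partner):
        # Replicated update: fetch only the USN range we have not seen from this partner.
        rng = changes_to_pull(self.usn_table, {partner.name: partner.usn})[partner.name]
        if rng is None:
            return 0
        applied = 0
        for usn, obj, prop, upd in partner.log:
            if rng[0] <= usn <= rng[1]:
                cur = self.objects.setdefault(obj, {}).get(prop)
                self.objects[obj][prop] = resolve_collision(cur, upd) if cur else upd
                applied += 1
        self.usn_table[partner.name] = partner.usn   # remember the partner's highest USN
        return applied
```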
54. Object Security
Security Principal
Security ID (SID)
Security Descriptor
Discretionary Access Control List (DACL)
System Access Control List (SACL)
Access Control Entries (ACEs)
Access Tokens
55. Security Principal
• This is an account to which permissions can be
assigned, for example a user, a group, or a
computer account.
• Ex.
• For Bob, a member of the Accounting group, logged on to a computer with
the domain computer account named System01, several
security principals are involved that permissions could be
applied toward, namely the user “Bob”, the group
“Accounting”, or the computer account “System01”.
56. Security ID (SID)
• Every security principal is issued a unique SID
that is assigned once to an account and is
never reused, even if the object is removed.
• The SID is a numeric value that is assigned
automatically when an object is added to the
directory.
57. Security Descriptor
• Defines access control information for that
object.
• When a user attempts to access an object, the
descriptor checks its information against the
user’s SID and then compares the SID against
its access control list (ACL).
• There are two types of ACLs:
• DACLs
• SACLs
58. Discretionary Access Control List
(DACL)
• List of access control entries (ACEs) that
indicate security levels of Allow Access or
Deny Access permissions.
• Deny Access entries are placed first in the
list of ACEs.
• The Deny will prove stronger than all the other
options.
59. System Access Control List (SACL)
• This is a list used for auditing object
access, based upon ACEs that indicate to
the object when an account has accessed
an object or has attempted to access an
object.
60. Access Control Entries (ACEs)
• ACEs are used by DACLs and SACLs.
• When used with a DACL, the ACE determines the
level of security access upon an object, through 4
types:
• Access Denied
• Access Allowed
• Access Denied Object Specified
• Access Allowed Object Specified
• When used with a SACL, the ACE determines the
level of security based upon:
• System Audit
• System Audit Object Specific
61. Access Tokens
• When the user logs on, an access token is
created and sent by the DC to the user’s
machine.
• This token is necessary for a user to access any
network resource.
• The access token is attached to that user and is
needed to access any object, to run any
application, and to use any system resources.
62. Access Permissions on AD Objects
• The five standard permissions that can be
applied to an object are:
• Full Control
• Write
• Read
• Create All Child Objects
• Delete All Child Objects
63. • Full Control
• Allows the user the ability to view objects and attributes, the owner
of the object, and the AD permissions, along with the ability to
change any of those settings.
• Write
• Enables the user to view objects and attributes, the owner of the
object, and the AD permissions, also allows the user to change any
of those settings.
• Read
• Enables the user to view objects and attributes, the owner of the
object, and the AD permissions.
• Create All Child Objects
• Enables the user to create additional child objects to the OU
(Organizational Unit).
• Delete All Child Objects
• Enables the user to delete existing objects from an OU.
64. The Flow of Permissions
• The implementation of inheritance is
utilized by Windows 2000.
• Inheritance is automatic for child objects
within parent containers;
• Ex. If a parent object has permissions
implemented upon it, the child objects beneath will
automatically inherit the permissions from above.
65. The Flow of Inheritance
Parent OU – Parent Permissions: Administrator: Full Control; Users: Read
Sales OU – Child Permissions: Administrator: Full Control; Users: Read
Research OU – Child Permissions: Administrator: Full Control; Users: Read
When you create a child object within a parent
container that holds certain permissions, the child
object automatically contains the permissions of
its parent.
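To make slides 54 through 65 concrete, here is an added Python model (not from the original deck) of a DACL evaluated against an access token: Deny entries are ordered first, the token's user and group SIDs are matched against each ACE, and a child OU inherits its parent's permissions. The well-known SIDs for Builtin\Administrators and Authenticated Users are real; the domain SIDs and OU contents are constructed.

```python
from dataclasses import dataclass

# Rights bitmask for the five standard permissions of slides 62-63
RIGHTS = {"Read": 1, "Write": 2, "Create All Child Objects": 4, "Delete All Child Objects": 8}
RIGHTS["Full Control"] = sum(RIGHTS.values())

@dataclass(frozen=True)
class ACE:                       # one access control entry in a DACL
    kind: str                    # "Access Allowed" or "Access Denied"
    sid: str                     # SID of the security principal it applies to
    mask: int                    # bitmask of rights from RIGHTS

@dataclass(frozen=True)
class AccessToken:               # built by the DC at logon: the user's SID plus group SIDs
    user_sid: str
    group_sids: frozenset

def canonical_dacl(aces):
    # Deny entries go first so they are evaluated before any Allow (slide 58).
    return sorted(aces, key=lambda a: a.kind != "Access Denied")

def access_check(dacl, token, requested):
    # Walk the DACL in canonical order: a Deny that touches a requested right ends the
    # check; Allows accumulate until every requested right is covered.
    want = sum(RIGHTS[r] for r in requested)
    sids = {token.user_sid} | token.group_sids
    granted = 0
    for ace in canonical_dacl(dacl):
        if ace.sid not in sids:
            continue                          # ACE is for some other principal
        if ace.kind == "Access Denied" and ace.mask & want:
            return False                      # Deny is stronger than every Allow
        if ace.kind == "Access Allowed":
            granted |= ace.mask & want
            if granted == want:
                return True
    return False                              # nothing, or not enough, was allowed

def inherit(parent_dacl):
    # A child object created in a container takes a copy of the parent's permissions.
    return list(parent_dacl)

# Constructed sample: well-known SIDs for Builtin\Administrators and Authenticated
# Users, plus made-up domain SIDs for a user and a Contractors group
ADMINS, AUTH_USERS = "S-1-5-32-544", "S-1-5-11"
BOB, CONTRACTORS = "S-1-5-21-1000-2000-3000-1001", "S-1-5-21-1000-2000-3000-1500"
PARENT_OU = [ACE("Access Allowed", ADMINS, RIGHTS["Full Control"]),
             ACE("Access Allowed", AUTH_USERS, RIGHTS["Read"]),
             ACE("Access Denied", CONTRACTORS, RIGHTS["Write"])]
SALES_OU = inherit(PARENT_OU)     # child OU gets the parent's DACL (slide 65)
```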
66. Kerberos v5
• Developed by a team at MIT
• Named after the three-headed dog in Greek
mythology that guarded the gates of Hades.
• There are three sides to Kerberos
authentication:
• User
• Server
• Key Distribution Center (KDC)
67. Like its Greek Counterpart…
• User
• A client that has a need to access resources off a server.
• Server
• Offers a service, but only to those that can prove their
identity. That proven identity doesn’t guarantee access
to the service; it just proves that they even have a right
to request a service.
• Key Distribution Center (KDC)
• An intermediary between the client and the server that
provides a way of vouching that the client is really who
it says it is.
68. Kerberos Trust
The trust relationships that connect
members of a tree or forest are two-way,
transitive Kerberos trusts. Thus, all the
domains in a tree implicitly trust all the
other domains in the tree or forest.
(Diagram: three DCs joined by two-way transitive Kerberos trusts.)
69. • Kerberos is Windows 2000’s primary security
protocol.
• Verifies a user’s identity and a session’s
integrity.
• Each DC (Domain Controller) has Kerberos
services on it and every Windows 2000
workstation has a Kerberos client.
70. A Kerberos Transaction
1. A user logs on to the domain by supplying a
username, a password, and a domain choice.
Kerberos steps in and checks the info against the
DC’s KDC database to verify that it knows the user.
2. If the user is valid, the user is provided a ticket-
granting ticket (TGT). This means the user is
preauthorized to access other resources on the
domain.
• In future transactions, the client doesn’t have to re-authenticate;
rather, it presents the TGT to the KDC. This speeds up the
process.
71. 1. If a client wants to access a server, for
example the internal mail server in order to
obtain his/her email, he/she can now
present that TGT to the KDC ticket-granting
server (TGS). This server gives the client
another ticket which does not grant
permission to the mail server; rather, it
authenticates the client to the mail server.
2. The email server checks to see if the client has
permission to read the mail. If so, the client
will receive the mail.
72. The Four Steps of Kerberos
(Diagram: Client, KDC and Print Server, with the four numbered steps 1 to 4
exchanged between them.)
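The transaction in slides 70 through 72, as an added Python simulation that is not part of the original deck: the KDC issues a TGT at logon, exchanges it for a service ticket without re-authenticating the user, and the service verifies the ticket and authenticator. The seal/unseal routine is a toy authenticated-encryption stand-in for the Kerberos cipher, and all principal names and passwords are constructed.

```python
import hashlib, hmac, json, os, time

def kdf(secret):                 # password or service secret -> key (stand-in for Kerberos string-to-key)
    return hashlib.sha256(secret.encode()).digest()

def seal(key, msg):              # toy authenticated encryption; stands in for the real ticket cipher
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):           # raises ValueError on a wrong key or an altered ticket/authenticator
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class KDC:                       # the Kerberos service on a DC; holds every principal's long-term key
    def __init__(self, secrets):
        self.keys = {p: kdf(s) for p, s in secrets.items()}
        self.tgt_key = os.urandom(32)   # TGTs are readable only by the KDC itself
    def logon(self, user, preauth):     # steps 1-2: check the user, issue a TGT
        unseal(self.keys[user], preauth)          # a wrong password cannot produce this
        sess = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"user": user, "sess": sess}).hex()
        return seal(self.keys[user], {"sess": sess, "tgt": tgt})
    def ticket_for(self, service, tgt, authenticator):   # step 3: TGS exchange, no re-authentication
        t = unseal(self.tgt_key, bytes.fromhex(tgt))
        unseal(bytes.fromhex(t["sess"]), authenticator)  # proves the client holds the TGT's session key
        svc_sess = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sess": svc_sess}).hex()
        return seal(bytes.fromhex(t["sess"]), {"sess": svc_sess, "ticket": ticket})

def server_authenticate(service_key, ticket, authenticator):   # step 4: the service checks the ticket
    t = unseal(service_key, bytes.fromhex(ticket))
    a = unseal(bytes.fromhex(t["sess"]), authenticator)
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["user"]             # identity proven; whether the user may read mail is a separate ACL check

def kerberos_transaction(kdc, user, password, service, service_key):  # the client side, steps 1-4
    ukey = kdf(password)
    rep = unseal(ukey, kdc.logon(user, seal(ukey, {"ts": time.time()})))
    sess = bytes.fromhex(rep["sess"])
    tgs = unseal(sess, kdc.ticket_for(service, rep["tgt"], seal(sess, {"user": user, "ts": time.time()})))
    auth = seal(bytes.fromhex(tgs["sess"]), {"user": user, "ts": time.time()})
    return server_authenticate(service_key, tgs["ticket"], auth)
```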
73. Trusts
• Trusts allow the domains to work with the user
accounts from other domains in such a way that people
in one domain can share resources with others.
• The transitive concept enables smoother
functionality.
• Transitive means “by extension”.
• Under Win2000, the trust is automatic between
parents and children, and transitive between every
other domain in the tree.
74. Transitive Trusts
• Transitive trusts allow users in all connected
domains to be validated as domain users.
• Permissions are not transitive.
75. Two-way Transitive Trusts
• If child domain a.corp.com trusts corp.com
and corp.com trusts b.corp.com, then
a.corp.com automatically trusts b.corp.com.
corp.com
a.corp.com b.corp.com
76. Few Points About Transitive Trusts
• They are two-way agreements that are automatically
created.
• They exist between child domains and parents or the
root domains of a forest.
• The trusts are transitive because the trees and forests
with connecting trusts make information available
with no further trust configuration issues.
• After trusts are established, permissions must be
granted to an individual or group to allow them to
access resources.
77. Summary of Features and Benefits
• Support for open standards to facilitate cross-
platform directory services, incl. DNS and
standard protocols – LDAP.
• Support for standard name formats to ensure
ease of migration.
• Fast lookup via the global catalog.
• Multi-master replication.
• Backward compatibility.
• Interoperability with NetWare environments.
78. Installation of Active Directory
• Installed using ‘dcpromo.exe’, which can be
executed from the ‘Run’ dialog box.
• ‘dcpromo.exe’ resides on the Windows 2000
partition.
• ‘dcpromo.exe’ is an Active Directory
installation wizard, which guides the user in a
step-by-step installation.
• Installation of Active Directory requires both a
FAT and an NTFS partition.