COMP091 OS1 Active Directory
Apr 01, 2015
Some History
• Early 1990s: Windows for Workgroups introduced peer-to-peer networking based on SMB over NetBIOS (TCP/IP was still foreign)
– No central authentication
– Users invent workgroup names freely
• Workgroup names really just make it easier to find computers on the network
– Accounting
– Payroll
• No effective security role
Windows Domains
• More or less simultaneously, NT introduced real networking (TCP/IP)
• And the Windows domain concept
– Name resolution still based on primitive broadcast protocols
– And self-configuring WINS servers
• But a central directory was introduced to control access to domain resources and to authenticate users
Domain Controllers
• With central authentication and access control, there needs to be a central database
• Primary Domain Controllers and Backup Domain Controllers served that function in early NT systems
• Notice that centralised authentication calls for
– Authentication mechanism
– A database
– A backup authentication mechanism
– A database replication mechanism
• Domain Controllers offered primitive versions of these functions
NDS
• While Microsoft was deploying NT domain-controller-based networking, the competition was well ahead
• Novell's NDS had
– Flexible and extensible LDAP based directory
– Sophisticated replication strategy
– Authentication service
– Fine grained ACL
– All types of resources in the directory
• Printers, computers, users, groups
• Microsoft's response was originally called NTDS
– Perhaps too similar to NDS
– The name survives in the directory database file, ntds.dit
• Now called Active Directory
Active Directory
• Active Directory includes
– Flexible and extensible LDAP based directory
– Sophisticated replication strategy
– Authentication service
– Fine grained ACL
– All types of resources in the directory
• Printers, computers, users, groups
• DNS based computer names
– But WINS servers were still required for legacy NetBIOS name resolution
AD Data Structures
• NT PDC/BDC intended to serve one domain
• So Accounting might have one, and Payroll too
• AD wants a unified database
– So an accounting login can have access to payroll resources
• AD extends this functionality to globally distributed organisations
• Geographically disparate AD installations can each house a partition of an enterprise AD database
– But trust relationships can be enterprise wide
AD Trust Relationships
• AD domains can “trust” other active directory domains
• This really means that an AD domain can trust the users in another domain
• Trusted users from the other domain can be given access to resources in the trusting domain
• Accounting users can be given access to files owned by the Payroll Department
• Within a forest this works automatically because the two domains are part of the same AD database; a domain outside the forest can only be trusted if the trust is declared explicitly
Objects and Attributes
• The AD database contains information on many different types of things
• Collectively called objects
• Some objects can be “containers” of other objects
– A domain can contain sub-domains
– Producing a hierarchical tree-like structure
• Objects are defined by values of attributes
• Objects of the same “class” have same attributes
– But different attribute values
Active Directory Objects and Attributes
Forests and Trees
• Container objects contain other objects, which may in turn contain objects
• The resulting hierarchy is called a tree, with root objects, branch objects and leaf objects
• An AD database can contain more than one tree
• The collection of trees in an AD database is called a Forest
Domain Tree
Forest of Trees
Organizational Units
• An alternative to breaking a domain down into sub-domains is to establish organizational units
– Think of departments
• These are also containers
– For users, groups, computers, other OUs etc.
• Administration can be delegated to an OU administrator
OU Container
Trusts
• Implicit Two-Way Transitive Trust
– Parent and child domains
• Automatic
– If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C
– Hence all domains in a tree trust each other
– Tree-root trusts between the roots of trees in a forest are also two-way and transitive, so every domain in a forest trusts every other domain in the forest
• Explicit One-Way Non-transitive Trust
– Must be declared
– Used for domains in other forests, or for NT domains
– Only applies to explicitly declared domains
Two Types of Trust Relationships
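The two kinds of trust above can be checked with a small model: implicit parent/child and tree-root trusts are two-way and transitive, an explicit external trust is one-way and non-transitive, and a domain trusts another domain's users only through a direct trust or a chain made entirely of transitive trusts. This is an added example written for this page, not code from the slides or from Microsoft; the domain names, the LEGACYNT domain and the `TrustModel` class are constructed for illustration.

```python
# Added example (not from the slides): a model of AD trust evaluation.
# Domain names below (corp.example, LEGACYNT, ...) are constructed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that accepts the other domain's users
    trusted: str      # domain whose users are accepted
    transitive: bool  # may the trust be extended through this domain?


class TrustModel:
    def __init__(self):
        self.trusts: list[Trust] = []

    def _two_way(self, a: str, b: str) -> None:
        # Implicit trusts are two-way and transitive.
        self.trusts.append(Trust(a, b, True))
        self.trusts.append(Trust(b, a, True))

    def add_child_domain(self, child: str, parent: str) -> None:
        """Parent/child trust: created automatically, two-way, transitive."""
        self._two_way(child, parent)

    def add_tree_root(self, new_root: str, forest_root: str) -> None:
        """Tree-root trust between tree roots of one forest: two-way, transitive."""
        self._two_way(new_root, forest_root)

    def add_external_trust(self, trusting: str, trusted: str) -> None:
        """Explicit trust to a domain outside the forest (or an NT domain):
        declared by an administrator, one-way, non-transitive."""
        self.trusts.append(Trust(trusting, trusted, False))

    def trusts_users_of(self, trusting: str, other: str) -> bool:
        """Does `trusting` accept users from `other`?

        True for a direct trust of either kind, or for a chain of transitive
        trusts. A non-transitive trust never forms part of a chain."""
        if trusting == other:
            return True
        if any(t.trusting == trusting and t.trusted == other for t in self.trusts):
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            here = queue.popleft()
            for t in self.trusts:
                if t.trusting == here and t.transitive and t.trusted not in seen:
                    if t.trusted == other:
                        return True
                    seen.add(t.trusted)
                    queue.append(t.trusted)
        return False


def build_example_forest() -> TrustModel:
    """Constructed sample: one tree under corp.example, a second tree rooted
    at partner.example, and an external trust from accounting to an NT domain."""
    m = TrustModel()
    m.add_child_domain("accounting.corp.example", "corp.example")
    m.add_child_domain("payroll.corp.example", "corp.example")
    m.add_child_domain("eu.payroll.corp.example", "payroll.corp.example")
    m.add_tree_root("partner.example", "corp.example")
    m.add_external_trust("accounting.corp.example", "LEGACYNT")
    return m


if __name__ == "__main__":
    m = build_example_forest()
    checks = [
        ("accounting.corp.example", "eu.payroll.corp.example"),  # via corp.example and payroll
        ("partner.example", "eu.payroll.corp.example"),          # via the tree-root trust
        ("accounting.corp.example", "LEGACYNT"),                 # direct external trust
        ("payroll.corp.example", "LEGACYNT"),                    # not extended: non-transitive
        ("LEGACYNT", "accounting.corp.example"),                 # one-way only
    ]
    for trusting, other in checks:
        print(f"{trusting} trusts users of {other}: {m.trusts_users_of(trusting, other)}")
```

The security point the model makes concrete: an external trust grants exactly one domain access to exactly one other domain's users, whereas an implicit trust reaches the whole forest, which is why compromising any domain in a forest matters to every other domain in it.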
Trusting Everyone -- Replication
• In order to trust users in another domain, there needs to be access to the other domain's user list
• Some domain data is replicated to the global catalog
• Some domain controllers are designated as Global Catalog Servers
• The global catalog is replicated to all Global Catalog Servers
• Access to resources outside of your domain requires access to a global catalog server
Replication for Redundancy
• Global catalog is replicated to ensure global access
• Entire domain database is replicated to ensure continuous availability
• Multiple controllers for each domain
• Multiple global catalog servers in the forest
• Replication configuration is complex
• Allows for fast replication of some data
– Within site
– New users
• Slower replication of other data
– Across slower links
– Less critical information
Assigning Permissions - Groups
• Access to resources can be assigned to each user individually
– Too much administrative overhead
• Instead, users can be assigned to groups
• And permissions then granted to the group
• Groups can contain groups
• Users get their own rights, plus the rights of their group, plus the rights of groups their group is in
Types of Groups
• Global Group
– Members restricted to local domain
• Domain Local Group
– Rights restricted to resources in local domain
• Universal Group
– Any users, any resource
• Default groups
– Domain Admins
– Domain Guests
– Domain Users
– etc.
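An added example, not from the slides, that models the three group scopes, group nesting, and the resulting effective rights of a user on a resource. The domains, users, group and share names, and the ValueError-based scope checks are assumptions made for illustration; real AD enforces the same scope rules at the directory service.

```python
# Added example (not from the slides): group scopes, nesting and effective rights.
# Domains, users, groups and resources below are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    GLOBAL = "global"              # members only from the group's own domain
    DOMAIN_LOCAL = "domain local"  # rights only on resources in the group's own domain
    UNIVERSAL = "universal"        # any members, rights on any resource


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: Scope
    members: list = field(default_factory=list)  # Users and Groups (nesting)

    def add_member(self, member) -> None:
        if self.scope is Scope.GLOBAL and member.domain != self.domain:
            raise ValueError(
                f"global group {self.name} may only contain members of {self.domain}")
        self.members.append(member)


@dataclass
class Resource:
    name: str
    domain: str
    acl: dict = field(default_factory=dict)  # principal name -> set of rights

    def grant(self, principal, rights) -> None:
        if (isinstance(principal, Group) and principal.scope is Scope.DOMAIN_LOCAL
                and principal.domain != self.domain):
            raise ValueError(
                f"domain local group {principal.name} cannot be granted rights in {self.domain}")
        self.acl.setdefault(principal.name, set()).update(rights)


def groups_of(user: User, groups) -> set:
    """Names of every group the user is in, directly or through nested groups."""
    found, frontier = set(), [user]
    while frontier:
        p = frontier.pop()
        for g in groups:
            if g.name not in found and any(m is p for m in g.members):
                found.add(g.name)
                frontier.append(g)   # groups containing this group are found next
    return found


def effective_rights(user: User, resource: Resource, groups) -> set:
    """The user's own ACL entries plus those of every group the user belongs to."""
    rights = set(resource.acl.get(user.name, ()))
    for name in groups_of(user, groups):
        rights |= resource.acl.get(name, set())
    return rights


def build_example():
    alice = User("alice", "accounting")
    acct_staff = Group("Acct-Staff", "accounting", Scope.GLOBAL)
    acct_staff.add_member(alice)
    payroll_readers = Group("Payroll-Readers", "payroll", Scope.DOMAIN_LOCAL)
    payroll_readers.add_member(acct_staff)   # global group nested in a domain local group
    share = Resource("payroll-share", "payroll")
    share.grant(payroll_readers, {"read"})   # rights granted to the group, not the user
    share.grant(alice, {"audit"})            # an individual grant, for contrast
    return alice, share, [acct_staff, payroll_readers]


def demo_scope_checks() -> list:
    """Two things the scope rules forbid; returns the resulting error messages."""
    errors = []
    _, share, (acct_staff, payroll_readers) = build_example()
    attempts = (
        lambda: acct_staff.add_member(User("bob", "payroll")),               # foreign member in a global group
        lambda: Resource("ledger", "accounting").grant(payroll_readers, {"write"}),  # domain local group used in another domain
    )
    for attempt in attempts:
        try:
            attempt()
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    alice, share, groups = build_example()
    print(sorted(groups_of(alice, groups)), sorted(effective_rights(alice, share, groups)))
    print("\n".join(demo_scope_checks()))
```

The nesting pattern in `build_example` (users in a global group of their own domain, that global group in a domain local group of the resource's domain, rights on the domain local group) is the standard way of granting cross-domain access without per-user ACL entries.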
Group Policy
• Not the same groups as used to assign permissions
• The policy is attached to a container:
– Local computer, Site, Domain or OU
• Policies contain user and computer related configuration information
• Cannot be applied to an arbitrary set of users: the set must be a whole site, domain or OU
• A user object is in exactly one OU (though that OU may be nested inside others), so which OU-linked policy applies is fixed by where the user sits in the tree
– Which sometimes makes sense
Group Policy Objects
• Create specific desktop configurations for particular groups of users.
• Collections of group policy settings.
• Computer has one local GPO and any number of AD-based GPOs.
• Local GPO can be overridden by other GPOs: it is the least influential in an Active Directory environment.
Group Policy Priority
• Local GPO:
– Computer has one GPO stored locally.
• Site GPOs:
– GPOs linked to site are processed next
– Administrator specifies the order of GPOs linked to a site.
• Domain GPOs:
– Domain-linked GPOs are processed next
– Administrator specifies the order of GPOs linked to a domain.
• OU GPOs:
– GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on; where settings conflict, the GPO processed last wins, so the OU closest to the user or computer has the final say
Group Policy Settings
• Some apply to users
– Based on user's domain and OUs
– Applied when user logs in
• Some apply to computer
– Based on computer's domain and OUs
– Applied when the OS initializes
• Include Software Settings, Windows Settings, and Administrative Templates
GPO Contents
• Scripts
– Logon/Logoff and Startup/Shutdown
• Security Settings
– Applied after security template
• Other software settings e.g. IE parameters
• Administrative Templates
– Registry-based settings written under HKEY_LOCAL_MACHINE (HKLM) for computer policy
– And under HKEY_CURRENT_USER (HKCU) for user policy
Aligning Policy Groups with Security Groups
• Policy groups are based on Domains and OUs
• Security Groups can be arbitrary and users can belong to multiple security groups
• To have GPOs for a security group
– Create a GPO for each group
– Link all of the GPOs at the top level (Domain)
– Remove Authenticated Users and grant only the security group Read and Apply Group Policy permissions on its GPO, so the GPO is filtered to that group's members
GPO for Security Group
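An added example, not from the slides, that models the processing order from the Group Policy Priority slides (local, site, domain, then OUs from the top of the tree down, last one wins) together with the security-group filtering described under Aligning Policy Groups with Security Groups. The GPO names, settings, containers, site, OUs and group names are constructed; the `apply_to` field stands in for the Read and Apply Group Policy permissions on the GPO.

```python
# Added example (not from the slides): Group Policy processing order with
# security filtering. All GPO, container and group names are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                        # setting name -> value
    apply_to: Optional[frozenset] = None  # groups holding Read + Apply Group Policy;
                                          # None means Authenticated Users (everyone)

    def applies_to(self, user_groups: set) -> bool:
        return self.apply_to is None or bool(self.apply_to & user_groups)


@dataclass
class Container:
    name: str
    kind: str                                  # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)  # GPOs in the administrator's link order,
                                               # processed first to last (last wins)


def processing_order(local, site, domain, ou_chain):
    """LSDOU: local GPO, then site, domain, and OUs from the top of the tree down."""
    return [local, site, domain, *ou_chain]


def resultant_policy(containers, user_groups):
    """Merge the settings of every GPO that applies; later GPOs override earlier ones.
    Returns (resulting settings, names of the GPOs applied, in order)."""
    settings, applied = {}, []
    for c in containers:
        for gpo in c.links:
            if not gpo.applies_to(user_groups):
                continue  # security filtering: this user cannot read/apply the GPO
            settings.update(gpo.settings)
            applied.append(gpo.name)
    return settings, applied


def build_example():
    local = Container("WS01", "local",
                      [GPO("Local", {"ScreenSaverTimeout": 900, "DisableCmd": False})])
    site = Container("HQ", "site", [GPO("HQ-Site", {"ScreenSaverTimeout": 600})])
    # One GPO per security group, all linked at domain level, each filtered to its group
    domain = Container("corp.example", "domain", [
        GPO("Baseline", {"PasswordMinLength": 12, "DisableCmd": True}),
        GPO("Payroll-Policy", {"MapDrive": "P:"}, frozenset({"Payroll-Staff"})),
        GPO("Acct-Policy", {"MapDrive": "A:"}, frozenset({"Acct-Staff"})),
    ])
    finance = Container("Finance", "ou", [GPO("Finance-OU", {"ScreenSaverTimeout": 300})])
    accounting = Container("Accounting", "ou",
                           [GPO("Accounting-OU", {"ScreenSaverTimeout": 120})])
    return local, site, domain, finance, accounting


def rsop_alice():
    """alice: member of Acct-Staff, object in OU Finance/Accounting."""
    local, site, domain, finance, accounting = build_example()
    return resultant_policy(processing_order(local, site, domain, [finance, accounting]),
                            {"Domain Users", "Acct-Staff"})


def rsop_bob():
    """bob: member of Payroll-Staff, object directly in OU Finance."""
    local, site, domain, finance, _ = build_example()
    return resultant_policy(processing_order(local, site, domain, [finance]),
                            {"Domain Users", "Payroll-Staff"})


if __name__ == "__main__":
    for who, rsop in (("alice", rsop_alice()), ("bob", rsop_bob())):
        settings, applied = rsop
        print(who, settings, "<-", " > ".join(applied))
```

Reading the output the way `gpresult` would show it: alice's screen-saver timeout comes from the Accounting OU because it was processed last, her drive mapping comes from Acct-Policy because Payroll-Policy was filtered out, and the domain Baseline overrides the permissive local setting for DisableCmd.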
Resources
• Old but authoritative
– http://technet.microsoft.com/en-us/library/bb742424.aspx
• A tutorial
– http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial
• A collection
– http://www.petri.co.il/ad.htm
• Wikipedia
– http://en.wikipedia.org/wiki/Active_Directory