Active Directory: Beyond The Basics
Howard Marks, Chief Scientist, Networks are Our Lives, Inc!

Mar 26, 2015

Transcript
Page 1: Active Directory: Beyond The Basics
Howard Marks, Chief Scientist, Networks are Our Lives, Inc!

Page 2: Agenda

• Active Directory Security Issues
• Replication and Bandwidth Management
• New Features with Windows 2003 Server
• Multiple forests

Page 3: Active Directory Security Issues

• Enterprise administrators can “elevate” themselves to administrate a domain
• Directory access can be controlled

Page 4: Tree Security

• Just as folders and files have ACLs, so do objects in an ADS tree
• A user’s permissions determine what the user or group can do to an object
• This is used to create administrative boundaries within a tree
• An all-powerful Administrator is no longer necessary, but advisable

Page 5: Assigning Tree Permissions

• ACL information on an object flows down to the child objects of the container when a new object is formed
• Future ACL changes to a parent object must be propagated to child objects to effect changes down the tree
• This is exactly how the file system works

Page 6: Using Permissions Inheritance

• Permissions flow down to child objects
• Preventing inheritance stops the flow of permissions

[Diagram: a chain of OUs. Full Control granted on the top OU is inherited by each child OU; clearing the “Allow inheritable permissions from parent to propagate to this object.” checkbox (OK / Cancel / Apply dialog) on a child OU stops the flow.]

Page 7: Directory Attributes

• An object’s DACL can contain ACEs that protect individual attributes
• Access permissions include: Read attribute, Write attribute, Deny read, Deny write
• Where appropriate, objects also have permissions that control actions, such as:
  • The creation/deletion of child objects
  • Adding or removing an object from a group

Page 8: Controlling Object Visibility

• Most objects have a default explicit ACE defined that allows the Authenticated Users group to read the object
• If you wish to limit the visibility of objects, this ACE must be removed
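As an added example (not from the slides), the following PowerShell shows the inheritance behaviour of pages 4 to 6 and the Authenticated Users read ACE of page 8 on a real OU. It assumes the RSAT ActiveDirectory module and the AD: drive it provides; the OU path is a placeholder.

```powershell
# Added example, not from the deck. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou = 'OU=Finance,DC=example,DC=com'   # placeholder OU, replace with your own

# 1. List the OU's ACEs, separating those inherited from parents (IsInherited)
#    from explicit ones, as pages 4 and 5 describe permissions flowing down.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, InheritanceType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# 2. Block inheritance on this OU (the "Allow inheritable permissions from
#    parent to propagate" checkbox on page 6). The second $true copies the
#    ACEs that were inherited into explicit ones, so no access is silently lost.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Report user objects under the OU that still carry the default explicit ACE
#    granting Authenticated Users read access (the ACE page 8 says to remove
#    when visibility must be limited). Review the list before changing anything.
$authUsers = 'NT AUTHORITY\Authenticated Users'
$readBits  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    $user   = $_
    $objAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $hit = $objAcl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $authUsers -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $readBits) -ne 0)
    }
    if ($hit) { $user.DistinguishedName }
}
```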

Page 9: Delegate Access Control at the OU

[Diagram: a tree of OUs. On the Users OU: Object Type = User; Permissions = Create Child, Delete Child.]

Delegate permissions to create and delete all objects of a specific type

Page 10: Delegating Permissions and Rights at the Object Property Levels

[Diagram: a tree of OUs. On the Groups OU: Object Type = Group; Object Type = Group Membership; Permissions = Read Property, Write Property; Inheritance = Inherit Only.]

Delegate permissions to administer a specific property for all objects of a certain type
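Added example, not part of the original deck: the two delegations drawn on pages 9 and 10 expressed as ACEs on an OU with PowerShell. It assumes the RSAT ActiveDirectory module; the OU path and the EXAMPLE\Helpdesk group are placeholders, and the schema GUIDs are looked up from the schema partition rather than hard-coded.

```powershell
# Added example, not from the deck. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou       = 'OU=Sales,DC=example,DC=com'                                       # placeholder OU
$helpdesk = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'Helpdesk')  # placeholder group

# Resolve the schemaIDGUID of a class or attribute by its LDAP display name,
# so the object-type GUIDs in the ACEs come from this forest's schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'     # the group membership attribute

$acl = Get-Acl -Path "AD:\$ou"

# Page 9: create and delete child objects of type user, on this OU and all OUs below it.
$createDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,                                                        # object type the right covers
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Page 10: read and write only the "member" property of group objects. Inherit-only
# (Descendents) means the ACE applies to groups beneath the OU, not to the OU itself.
$manageMembership = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,                                                       # the one property delegated
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)                                                       # inherited object type

$acl.AddAccessRule($createDeleteUsers)
$acl.AddAccessRule($manageMembership)
Set-Acl -Path "AD:\$ou" -AclObject $acl
```

Both rules are scoped by object type, so the group gains nothing on other object classes or other attributes beneath the OU.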

Page 11: Active Directory Sites

[Diagram: two sites, each with a domain controller. “User Logs On” within each site; “Replication Controlled” across the link between the sites.]

• A site is one or more TCP/IP subnets with good network connectivity
• Sites are used to isolate replication traffic

Page 12: Types of Replication

[Diagram: Site 1 holds domain controllers for Domains A, B and C; Site 2 holds domain controllers for Domains A and B. Intra-site replication runs between the domain controllers within each site; inter-site replication runs between Site 1 and Site 2.]

Page 13: Types of Replication

Intrasite replication
• Frequent
• Uses IP and RPCs

Intersite replication
• Scheduled (frequency, allowable hours)
• Route controlled via assigned costs
• Can use RPCs or SMTP

Page 14: Examining Site Locations

If there is no domain controller
• No replication traffic
• No logon traffic to and from the business location
• The business location does not need to be a separate site

If there is a domain controller
• There is replication traffic to and from the business location
• There may not be any logon traffic
• Determine whether the location should be a site

Page 15: Determining Connectivity and Available Bandwidth

• Only subnets that are considered fast, inexpensive, and reliable should be combined into a site
• Consider controlling replication traffic and logon requests
• An important consideration is available bandwidth

Page 16: Planning Sites to Control Workstation Logon Traffic

Defining Sites
• Workstations always look to the local site for a Domain Controller

Disadvantages of Multiple Sites in a Single Location
• If a local site Domain Controller is not available, the workstation may log onto a DC anywhere on the WAN

Page 17: Planning Sites to Control Replication Traffic

Multiple Sites in Replication
• Replication time and the transport (RPC or SMTP) can always be specified
• Replication traffic is always compressed, reducing traffic 10% to 12%

Network Replication Traffic
• Only changed attributes on changed objects are replicated

Page 18: Planning Sites to Control Both Logon and Replication Traffic

A balancing act between:
• The organization’s need to access directory information quickly
• Speed and reliability of network links

Decide if Domains are a better solution
• Refer to prior section
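Added example, not from the slides: a PowerShell site and subnet review that checks the planning points of pages 13 to 16 against a live forest. It assumes the RSAT ActiveDirectory module on Windows Server 2012 or later, which provides the Get-ADReplication* cmdlets.

```powershell
# Added example, not from the deck. Assumes the RSAT ActiveDirectory module (2012+).
Import-Module ActiveDirectory

# 1. Subnets not mapped to any site. A workstation on such a subnet has no
#    "local site" to look in for a DC and may authenticate to a DC anywhere on
#    the WAN, the problem described on page 16.
Write-Host '== Subnets without a site =='
Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { -not $_.Site } |
    Select-Object Name, Location | Format-Table -AutoSize

# 2. Sites holding no domain controller of this domain. Page 14: no DC means
#    no replication traffic, so ask whether the site is needed at all.
#    (Get-ADDomainController is per domain; re-run in each domain of the forest.)
Write-Host '== Sites with no DC from this domain =='
$sitesWithDC = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Site -Unique
Get-ADReplicationSite -Filter * |
    Where-Object { $sitesWithDC -notcontains $_.Name } |
    Select-Object Name | Format-Table -AutoSize

# 3. Site links: cost steers the replication route, frequency and schedule bound
#    inter-site replication, and the transport is IP (RPC) or SMTP (page 13).
#    An empty ReplicationSchedule means the link replicates around the clock.
Write-Host '== Site links =='
Get-ADReplicationSiteLink -Filter * -Properties ReplicationSchedule |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites';     e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } },
        @{ n = 'Scheduled'; e = { $null -ne $_.ReplicationSchedule } } |
    Format-Table -AutoSize
```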

Page 19: Windows 2003 Server AD Improvements

• Domain Rename
• Schema Redefine (Schema change undo)
• Application mode
• Improved Group Policy Management
• Cross-Forest Trust
• Improved Group Membership replication
• Better branch office support

Page 20: Domain Rename

You can now:
• Change DNS and/or NETBIOS name of domain
• Move domain position in forest
• Create new tree

You still can’t:
• Change which domain is the forest root
• Split off domain or add domain to forest
• Reuse names (OK, you can in 2 steps)
• Rename domains with Exchange 2000 servers in them

Page 21: Domain Rename Limitations

All DCs must be online
• DCs that can’t participate are ejected from domain

All DCs reboot in process

All stations must reboot twice
• NT 4 stations must be rejoined manually

Forest must be in

Page 22: Ownership Concept

In Windows NT Domains a single “person” owned the whole pie

AD allows us to separate to 2 roles:
• Service owner: responsible for service availability
• Data owner: responsible for data maintenance, day-to-day administration

Page 23: The Forest Owner Role

Service owner
• Ultimately responsible for the delivery of directory services in the forest
• Set policy, process for changes to shared configuration, schema

Gatekeeper for new domains
• Domain owners are service owners
• Must be carefully managed

Page 24: Forest Model #1: Strong Central Control

All business units share centralized DS infrastructure

[Diagram: Division 1, Division 2, Division 3.]

Page 25: Model #2: Hybrid/Subscription

Business units opt-in/opt-out of centralized infrastructure

[Diagram: Division 1, Division 2, Division 3.]

Page 26: Model #3: Distributed Infrastructure

Each business unit maintains separate DS infrastructure

[Diagram: Division 1, Division 2, Division 3.]

Page 27: Assign Forests

[Chart: Administrative Autonomy (distributed to centralized) on one axis against Collaboration (low to high) on the other. Options plotted: Single forest, Subscription forest, Multiple forests with MMS, Multiple forests. An arrow marks the long term trend.]

Page 28: Identify Candidate Forest Owners

What IT groups are chartered to deliver NOS directory services?

Common to find multiple groups
• Owners of Master User Domains (MUDs)
• Previously-deployed forests
• The Anti-Social
• Legal reasons

Create list of candidate forest owners

Page 29: Forest Participation Criteria

Satisfied with terms of service
• Schema, config change control policies
• Disaster recovery

Security considerations
• Trust forest owner and all domain owners
• DCs placed in secure locations

Have clear forest ownership
• Attempting to share forest management may present organizational challenges
• Do not extend forest management across multiple outsourcers

Page 30: Inter-forest Implications

No automatic trust
• Explicit trust is one-way, non-transitive
• Fixable in 2003

Kerberos not available between forests
• No mutual authentication

Global catalog has forest scope
• Aggregate view across forests requires synchronization technology
  • Microsoft Metadirectory Services (MMS)
  • Simple Sync