Active Directory Presentation (Windows 2000 Server)

Win2KServer Active Directory

Jun 15, 2015

Phil Ashman

Not sure where I picked up this presentation. It's a little outdated but still has some very valid concepts.
Transcript
Page 1: Win2KServer Active Directory

Active Directory Presentation

Windows 2000 Server

Page 2: Win2KServer Active Directory

Breakdown…

• What is Active Directory
• Structure of Active Directory
• Objects
• Domains – Trees and Forests
• Replication
• Security
• Kerberos
• Trusts

Page 3: Win2KServer Active Directory

Overview of Active Directory

• Active Directory is a directory service: it stores data about network resources (users and groups, computers, shared folders, printers) and provides methods of accessing and distributing that data.

• Active Directory lets you centrally manage your network.

• Administrative tasks can be performed from a single location.

Page 4: Win2KServer Active Directory

What Is Active Directory?

• Active Directory is an essential and inseparable part of the Windows 2000 network architecture that improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.

Page 5: Win2KServer Active Directory

• Active Directory lets organizations efficiently share and manage information about network resources and users.

• Active Directory acts as the central authority for network security, letting the operating system verify a user's identity and control his or her access to network resources.

• It acts as an integration point for bringing systems together and consolidating management tasks.

Page 6: Win2KServer Active Directory

How does Active Directory Work?

• AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments.

Page 7: Win2KServer Active Directory

Single Point of Administration

• For all published resources, incl. files, peripheral devices, host connections, databases, Web access, users, services…

• It uses the Domain Name System (DNS) as its locator service: clients find domain controllers through DNS SRV records, so AD cannot function without working DNS.

• No primary domain controller (PDC) or backup domain controller (BDC): every domain controller (DC) holds a writable copy of the directory. (One DC still acts as PDC emulator for NT 4.0 BDCs and down-level clients while the domain is in mixed mode.)

• Allows multiple domains to be connected into a tree structure.

• Allows multiple domains to be connected into a tree structure.

Page 8: Win2KServer Active Directory

What are the benefits of Active Directory

• Simplifies management tasks.

• Strengthens network security.

• Makes use of existing systems through interoperability.

Page 9: Win2KServer Active Directory

Simplifies Management

• Single place to manage users, groups and network resources, as well as distribute software and manage desktops.

– Eliminates redundant management tasks.

– Reduces trips to the desktop.

– Better maximizes IT resources.

– Lowers total cost of ownership (TCO).

Page 10: Win2KServer Active Directory

• Eliminates redundant management tasks.

– Provides a single point of management for Windows user accounts, clients, servers, and applications.

• Reduces trips to the desktop.

– Automatically distributes software to users based on their role in the company, reducing or eliminating multiple trips that system administrators need to make for software installation and configuration.

• Better maximizes IT resources.

– Securely delegates administrative functions to all levels of an organization.

• Lowers total cost of ownership (TCO).

– Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.

Page 11: Win2KServer Active Directory

Simplifies Management

[Diagram: the Company container holding Marketing and Personnel, with Users, Machines, Devices and Applications beneath; callouts read "Color Printer in Building 6", "Delegate Management Tasks to Office Admins" and "Give 'Personnel' Members the Human Resources Application"]

Page 12: Win2KServer Active Directory

Strengthens Security

• Support for multiple authentication protocols such as Kerberos, X.509 certificates, and smart cards.

• Flexible access control model – enables powerful and consistent security services for internal desktop users, remote dial-up users, and external commerce customers.

• Improves password security and management.

• Ensures desktop functionality.

• Speeds e-business deployment.

• Tightly controls security.

Page 13: Win2KServer Active Directory

• Improves password security and management.

– Providing single sign-on to network resources with integrated, high powered security services that are transparent to end users.

• Ensures desktop functionality.

– Locking down desktop configurations and preventing access to specific client machine operations. Ex: software installations and registry editing.

• Speeds e-business deployment.

– Built-in support for secure Internet-standard protocols and authentication mechanisms. Ex: Kerberos, public key infrastructure (PKI), Lightweight Directory Access Protocol (LDAP).

• Tightly controls security.

– Setting access control privileges on directory objects and the individual data elements that make them up.

Page 14: Win2KServer Active Directory

Extends Interoperability

• Active Directory provides a set of standard interfaces for application integration and open synchronization mechanisms to ensure that Windows can interoperate with a wide variety of applications and devices.

Page 15: Win2KServer Active Directory

It Does So By…

• Taking advantage of existing investments and ensuring flexibility.

• Consolidating management of multiple application directories, using open interfaces, connectors, and synchronization mechanisms. Incl. Novell's NDS, LDAP, ERP, e-mail…

• Allowing organizations to deploy directory-enabled networking: assign quality of service and allocate network bandwidth to users based on their role in the company.

• Allowing organizations to develop and deploy directory-enabled applications.

Page 16: Win2KServer Active Directory

Interoperability

[Diagram: the Company container holding Finance and Personnel, with Users, Machines, Devices and Applications beneath; callouts read "Policy: Give 'Personnel' Access to 'Change Salary' Menu options", "Application: Exchange Mailbox information" and "Policy: Give 'Finance' more bandwidth at the end of the month"]

Page 17: Win2KServer Active Directory

Active Directory as a Service Provider

• Used to locate all network services and information.

• Fulfills a wide variety of naming, query, administrative and registration needs.

[Diagram: the Directory Service at the centre, linked to Exchange Mail, a Mail Client, Dynamic Services, DNS, an http/shttp Server, SQL Server and Security; the links are labelled Address Book, Submit Mail, Recipient Lookup, Replication, Query, Credential management, Register Service, Admin/browse and Microsoft.com referral]

Page 18: Win2KServer Active Directory

Directory Partitions

• The data stored within AD is actually broken into three distinct areas called directory partitions (naming contexts).

• Each partition records and stores a specific type of information.

• The three directory partitions that exist:

• Domain Partition

• Schema Partition

• Configuration Partition

Page 19: Win2KServer Active Directory

• Domain Partition

– Holds data regarding domain-specific objects, including users, groups, and computers. Replicated only to the DCs of that domain.

• Schema Partition

– Contains data that defines which objects can be created within AD and specifies rules regarding these objects, such as mandatory properties. Replicated to every DC in the forest.

• Configuration Partition

– Contains information about your AD structure, such as the domains, sites and DCs that exist. Replicated to every DC in the forest.

Page 20: Win2KServer Active Directory

The Structure of Active Directory

• Active Directory is made up of two distinct structures:

• The logical structure.

• The physical structure.

• Design of Active Directory implementation deals with the logical aspects.

• Deciding where each component will be on your network deals with the physical aspects.

Page 21: Win2KServer Active Directory

The Logical Structure

• There are five logical components in Active Directory:

• Domains

• Organizational Units (OUs)

• Trees

• Forests

• Global Catalogs (GCs)

Page 22: Win2KServer Active Directory

Domains

• A domain is an administrative and replication boundary. (Material of this era, this deck included, calls it a security boundary; in practice the forest is the security boundary, because the schema and configuration partitions are shared by every domain and the administrators of any one domain can ultimately gain control of the whole forest.)

• Each domain has its own administrators that can be assigned full control over the domain.

• Entity which has its own users and groups.

• Users can be granted permissions in other domains.

• Domains are used for replication purposes.

• Can run in one of two modes:

• Native (must be running to achieve full functionality; requires that no NT 4.0 BDCs remain, and the switch cannot be reversed)

• Mixed

Page 23: Win2KServer Active Directory

Organizational Units (OUs)

• Organizational Units are container objects that are used to organize objects within the directory.

• Commonly contain user and group objects.

• They can also contain computers and other OUs.

• Permissions can be assigned on an OU to control who may read, modify or create the objects inside it, and Group Policy can be linked to it. An OU is not a security principal, so it cannot itself be granted access to network resources; use groups for that.

• Administration of objects within an OU can be delegated.

• Assign permissions to manage these objects to groups other than domain administrators.

Page 24: Win2KServer Active Directory

Hierarchical Organization

• Active Directory uses objects to represent network resources such as users, groups, machines, devices, and applications.

• It uses containers to represent organizations, such as marketing department, or collections of related objects, such as printers.

• It organizes information in a hierarchical structure made up of these objects and containers, similar to the way the Windows Operating system uses folders and files to organize information on a computer.

Page 25: Win2KServer Active Directory

Containers and Objects

[Diagram: the Company container holding the Marketing and Personnel containers, with Users, Machines, Devices and Applications as objects beneath; a legend distinguishes container from object]

Page 26: Win2KServer Active Directory

Objects in Active Directory

• Objects within AD include users, groups, computers, servers, domains, and sites.

• Since data is stored as objects, users can search through the directory for objects they wish to access.

• Objects also have attributes which a user can use in his/her search.

• In order to understand how data is defined within AD, you must be aware of the Schema.

Page 27: Win2KServer Active Directory

The Schema

• The Schema is a definition of all the objects and their attributes.

• Since there is a single schema for an entire Windows 2000 forest, you can achieve consistency no matter how large the enterprise.

• Two types of definitions can be stored in the schema.

1. Object Classes

2. Attributes

Page 28: Win2KServer Active Directory

Object Classes

• Object classes define the types of objects that can be stored within Active Directory.

• Each class consists of a class name and a set of attributes that are associated with the object.

Page 29: Win2KServer Active Directory

Attributes

• Attributes are stored separately within the schema.

• Allows for further consistency within the database, because a single definition for the "last name" attribute can be used over and over again.

Page 30: Win2KServer Active Directory

Object-Oriented Storage

[Diagram: the Company container holding Marketing and Personnel, with Users, Machines, Devices and Applications beneath; one user object is expanded to show its attributes: Name: Bob Jones, Email: [email protected], 555-1234, SSN: 456-7]

Page 31: Win2KServer Active Directory

Object-Oriented Storage

• In this case, the system administrator has allowed global access to the Bob Jones object, but has locked down access to the Social Security Number attribute: permissions apply per attribute as well as per object.

Page 32: Win2KServer Active Directory

Schema Security

• To prevent it from being modified without permission, each schema object is secured using Discretionary Access Control Lists (DACLs).

• These DACLs ensure that only authorized users (by default, members of the Schema Admins group) are able to modify the schema. Schema changes are accepted only on the one DC holding the schema master role, and a class or attribute, once added, cannot be deleted, only deactivated.

Page 33: Win2KServer Active Directory

A little more about Schema

• The file schema.ini contains the default schema's definition, as well as the initial structure for the directory database file ntds.dit (which stores the directory data).

• schema.ini lives in %systemroot%\system32; the database ntds.dit is created in %systemroot%\ntds by default.

• schema.ini is in plain ASCII format.

Page 34: Win2KServer Active Directory

Trees

• Domains are combined to produce a tree.

• A hierarchical representation of the Windows 2000 network.

• First domain installed is called the root domain and all subsequent domains are installed beneath this root domain.

• All domains in a tree share a common schema and GC.

Page 35: Win2KServer Active Directory

Domain Tree

• A domain tree exists when one domain is the child of another domain.

• Ex. Root.com – since domains are DNS names.

• Conceptually, renaming a part of the tree would implicitly rename all of the parent's children, because each child's name is built from its parent's name.

• Ex. ntfaq.com renamed to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com. Note that Windows 2000 provides no supported way to rename a domain once it is created; that ability arrived in a later release, so the tree name must be chosen carefully up front.

Page 36: Win2KServer Active Directory

Domain Tree Diagram

root.com
  child1.root.com
    gran.child1.root.com
  child2.root.com

These child domains continue to utilize the same contiguous name (root.com) while branching out with additional naming for organizational purposes. Ex. child1.root.com

Page 37: Win2KServer Active Directory

Domain Tree Advantages

• All members of a tree have Kerberos transitive trusts with the domain's parent and all the domain's children.

• Transitive trusts let any user or group in a domain tree be authenticated to, and be granted access to, objects anywhere in the tree; the trust carries identity, not permissions, so an ACL entry on the object is still required.

• You can use one network logon at any workstation in the domain tree.

Page 38: Win2KServer Active Directory

Forests

• A forest is a collection of trees.

• Trees in a forest do not have to share a contiguous namespace.

• Must share a common schema and GC.

• Forests allow users in two different trees to access resources in a different namespace.

• Useful when a company has multiple root DNS names.

Page 39: Win2KServer Active Directory

Forest Diagram

Tree 1:
root.com
  child1.root.com
    gran.child1.root.com
  child2.root.com

Tree 2:
ntfaq.com
  legal.ntfaq.com
  ads.ntfaq.com
    banner.ads.ntfaq.com

A transitive Kerberos trust links the two tree roots (root.com and ntfaq.com): joining the two trees makes a forest.

Page 40: Win2KServer Active Directory

Benefits of a Forest

• All the trees have a common Global Catalog (GC) that contains a partial, read-only copy (the most commonly searched attributes) of every object in the forest.

• All the trees contain a common schema.

• Performing a search in a forest initiates a deep search of the domain you initiate the request from and uses GC entries for the rest of the forest.

Page 41: Win2KServer Active Directory

Global Catalogs (GCs)

• A GC server is also a DC (Domain Controller).

• It holds a full replica of its own domain plus a partial, read-only replica (the attributes most commonly searched) of every object in every other domain of the forest.

• The GC does not grant access itself: it answers forest-wide searches and is queried at logon for universal group memberships in native mode, which is why a logon can fail when no GC is reachable.

• Stored locally on a DC, which reduces network traffic.

• Benefit:

• Makes the logical structure of the Windows 2000 network invisible to the users.

• Reduction of network traffic.

Page 42: Win2KServer Active Directory

Purpose of Global Catalog

• Designed for high performance.

• Allows users to easily find an object regardless of where it is in the forest, searching using selected attributes.

• Attributes contained in an abbreviated catalog (the partial attribute set, defined in the schema).

• Technique known as partial replication.

Page 43: Win2KServer Active Directory

Global Catalog Structure

[Diagram: two columns, Partial Replicas and Full Replicas, listed for Domain 1, Domain 2 … Domain n]

The global catalog structure provides access to full and partial replication.

Page 44: Win2KServer Active Directory

Physical Structure

• Used to manage network traffic on the network.

• Elements that make up the physical structure:

• Domain controllers (DCs)

• Sites: groups of well-connected IP subnets, used to keep logon traffic local and to schedule replication between locations (the deck does not cover them further).

Page 45: Win2KServer Active Directory

Domain Controllers (DCs)

• A domain controller (DC) is a server on a Windows 2000 network that stores a replica of the Active Directory database.

• Its job is to manage access to this data via searches and also accept and make changes to the data.

• Replicates changes to all other DCs in the domain.

• Manages authentication of users.

• After a successful logon the DC returns the user's SID and group memberships (carried in the Kerberos ticket's authorization data); the user's own machine builds the access token from them.

Page 46: Win2KServer Active Directory

Replication

• Replication ensures that data recorded in one replica is disseminated to every other replica of that partition (all DCs in the domain for the domain partition, every DC in the forest for schema and configuration).

• Windows 2000 uses multi-master replication.

• Each DC is a master of its copy of AD.

• The DC can accept changes and will then propagate them out to other DCs.

• Replication – updating information from one DC to another.

Page 47: Win2KServer Active Directory

The Replication Process

• Replication occurs when an update is made to a copy of AD.

• Changes such as new user, deletion of an object, or modification to a single property of an object.

• AD performs two types of updates:

• Originating update – occurs only the first time a change is made to an AD replica.

• Replicated update – occurs as a result of this change.

Page 48: Win2KServer Active Directory

Multi-master Replication

• Individual changes made in one copy of the directory are automatically replicated to all other appropriate copies of the directory.

• Active Directory uses Update Sequence Numbers (USNs).

• Any time a user writes something into an object in the directory, the write gets a USN; the USN counter is held per DC and incremented on every change, whether originating or replicated.

• A change cannot occur without the USN being incremented, therefore changes cannot be lost.

Page 49: Win2KServer Active Directory

Update Sequence Number (USN)

• Each DC keeps two tables for replication: a high-watermark table with the highest USN it has already pulled from each replication partner, and an up-to-dateness vector with the highest originating USN it has applied from every DC. Both are persisted with the directory partition, not held only in memory.

• The up-to-dateness vector has an entry for every DC in the domain, along with the USN at the time of the last originating update for that DC.

• Ex. Entry for server A, changes caused the USN to increment to "130", entry would be "A-130".

• USNs can be used to prevent unnecessary data being sent across the network.

• Replication in AD is pull only: a DC may notify its partners that it has changes, but the partner pulls them; data is never pushed across the wire.

Page 50: Win2KServer Active Directory

USN Table

• Each DC keeps track of the highest USNs of the DCs it replicates with.

• This procedure lets a DC calculate which changes must replicate on a replication cycle.

• At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for the DCs' latest USNs.

Page 51: Win2KServer Active Directory

USN Table for Server A

Server A's stored table (highest USN already received from each DC):
  Domain Controller B: 54
  Domain Controller C: 23
  Domain Controller D: 53

Current USNs reported by each DC when Server A queries them:
  Domain Controller B: 64
  Domain Controller C: 23
  Domain Controller D: 58

Changes Server A must pull:
  Domain Controller B: 54-64
  Domain Controller C: none
  Domain Controller D: 55-58

• Server A queries the DCs for their current USNs and gets the information above.

• From this information, Server A can calculate the changes it needs from each server.

• Server A then queries each DC for the necessary changes.

Page 52: Win2KServer Active Directory

Property Version Number

• Multiple changes to an object’s property can occur.

• Every property has a property version number, which helps detect collisions.

• Property version numbers work like USNs.

• Each time a property is modified, the property version number increases by one.

Page 53: Win2KServer Active Directory

Collision

• A collision occurs when the same property is updated on two DCs before either update has replicated, so the two updates carry the same property version number.

• In this case, the higher version number wins; if the version numbers are equal, the later timestamp wins.

• In the case where the property version numbers and the timestamps both match, a fixed final tie-break is applied (this deck describes it as a binary buffer comparison; Microsoft's later replication documentation describes it as comparing the originating DCs' GUIDs, the higher winning). The point is that every DC applies the same deterministic rule, so all replicas converge on the same value without an administrator intervening.
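The following Python is an added example, not code from the deck, that models slides 48 through 53 together: two domain controllers number every write with a local USN, pull changes from each other using a per-partner high-watermark, and resolve a collision on the same property with the version-number, then timestamp, rule. The shared integer clock and the use of the DC name as the final tie-break (a stand-in for the originating DC's GUID) are constructed for the example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One attribute write as it travels between DCs.

    version and stamp are set by the originating write and carried unchanged when
    the change is replicated; the USN is local to each DC and is never replicated.
    """
    obj: str
    attr: str
    value: str
    version: int     # property version number
    stamp: int       # originating time (constructed integer clock, not wall-clock)
    origin: str      # originating DC (constructed stand-in for its GUID)


class DomainController:
    def __init__(self, name, clock):
        self.name = name
        self.clock = clock
        self.usn = 0                 # highest USN issued on this DC
        self.db = {}                 # (obj, attr) -> Change currently held
        self.log = []                # (local usn, Change), in write order
        self.high_watermark = {}     # partner name -> highest partner USN already pulled

    def _write(self, change):
        self.usn += 1                # no write without a new USN, so none can be missed
        self.db[(change.obj, change.attr)] = change
        self.log.append((self.usn, change))

    def originate(self, obj, attr, value):
        """Originating update: the change is made here first; bump the version number."""
        current = self.db.get((obj, attr))
        version = current.version + 1 if current else 1
        self._write(Change(obj, attr, value, version, next(self.clock), self.name))

    def changes_since(self, usn):
        """The delta a partner asks for: every local write above the USN it already saw."""
        return [(u, c) for u, c in self.log if u > usn]

    def _wins(self, incoming):
        """Collision resolution: higher version wins, then later stamp, then origin.

        An identical change (already received via another partner) compares equal
        and is dropped, which also keeps the same write from looping between DCs.
        """
        current = self.db.get((incoming.obj, incoming.attr))
        if current is None:
            return True
        return (incoming.version, incoming.stamp, incoming.origin) > \
               (current.version, current.stamp, current.origin)

    def pull_from(self, partner):
        """Replicated update. Replication is pull-only: this DC asks the partner for
        everything past the high-watermark it recorded for that partner."""
        last = self.high_watermark.get(partner.name, 0)
        for usn, change in partner.changes_since(last):
            if self._wins(change):
                self._write(change)  # a replicated write still consumes a local USN
            last = usn
        self.high_watermark[partner.name] = last

    def value(self, obj, attr):
        change = self.db.get((obj, attr))
        return change.value if change else None


def demo():
    """Two DCs, one ordinary replication, then a collision on the same property."""
    clock = itertools.count(1)   # constructed shared clock so stamps are comparable
    a, b = DomainController("A", clock), DomainController("B", clock)

    a.originate("cn=bob", "title", "Analyst")          # A: usn 1, version 1
    b.pull_from(a)                                      # B: usn 1 (replicated), version 1

    # Collision: both DCs change the same attribute before replicating.
    a.originate("cn=bob", "title", "Senior Analyst")    # version 2, stamp 2
    b.originate("cn=bob", "title", "Manager")           # version 2, stamp 3 (later)

    a.pull_from(b)   # equal version, later stamp: A adopts B's write
    b.pull_from(a)   # A's older write loses the comparison and is dropped
    return {
        "a": a.value("cn=bob", "title"), "b": b.value("cn=bob", "title"),
        "a_usn": a.usn, "b_usn": b.usn,
        "a_watermark": dict(a.high_watermark), "b_watermark": dict(b.high_watermark),
    }


if __name__ == "__main__":
    print(demo())
```

Both DCs end up holding "Manager" even though each applied its own write first, and the high-watermark each records for the other is the partner's highest USN it has seen, not its own, which is what lets the next cycle ask only for the delta.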

Page 54: Win2KServer Active Directory

Object Security

• Security Principal
• Security ID (SID)
• Security Descriptor
• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Access Control Entries (ACEs)
• Access Tokens

Page 55: Win2KServer Active Directory

Security Principal

• This is an account to which permissions can be assigned, for example a user, a group, or a computer account.

• Ex. Bob, a member of the Accounting group, on a computer with a domain computer account named System01: several security principals are involved that permissions could be applied toward, namely the user "Bob", the group "Accounting", or the computer account "System01".

Page 56: Win2KServer Active Directory

Security ID (SID)

• Every security principal is issued a unique SID that is assigned once to an account and is never reused, even if the object is removed. Permissions are bound to the SID, not the name, so renaming an account changes nothing and deleting and recreating an account loses its access.

• The SID is a structured numeric value (a domain identifier followed by a relative ID that is unique within that domain) that is assigned automatically when an object is added to the directory.

Page 57: Win2KServer Active Directory

Security Descriptor

• Defines access control information for that object: its owner, a DACL and a SACL.

• When a user attempts to access an object, the system compares the SIDs in the user's access token against the entries in the object's access control list (ACL).

• There are two types of ACLs:

• DACLs

• SACLs

Page 58: Win2KServer Active Directory

Discretionary Access Control List (DACL)

• List of access control entries (ACEs) that indicate Allow Access or Deny Access permissions.

• In the canonical order the tools maintain, Deny entries are placed ahead of Allow entries, and explicit entries ahead of inherited ones.

• Because the list is evaluated in that order, a Deny beats an Allow at the same level, but an explicit Allow on an object beats a Deny it inherits from its parent.

Page 59: Win2KServer Active Directory

System Access Control List (SACL)

• This is a list used for auditing object access: its ACEs specify which accounts and which kinds of access attempt (successful, failed, or both) are written to the security log when the object is accessed.

Page 60: Win2KServer Active Directory

Access Control Entries (ACEs)

• ACEs are used by DACLs and SACLs.

• When used with a DACL, the ACE determines the level of security access upon an object, through 4 types:

• Access Denied
• Access Allowed
• Access Denied Object-specific
• Access Allowed Object-specific

• The object-specific types are what let a directory permission be scoped to a single attribute or child object type rather than the whole object.

• When used with a SACL, the ACE determines the auditing applied, through 2 types:

• System Audit
• System Audit Object-specific

Page 61: Win2KServer Active Directory

Access Tokens

• When the user logs on, the local security authority on the user's machine builds an access token from the user's SID and the group SIDs that the DC returned for the user.

• This token is necessary for a user to access any network resource.

• The access token is attached to every process the user runs and is compared against an object's DACL whenever the user tries to access an object, run an application, or use a system resource.

Page 62: Win2KServer Active Directory

Access Permissions on AD Objects

• The five standard permissions that can be applied to an object are:

• Full Control

• Write

• Read

• Create All Child Objects

• Delete All Child Objects

Page 63: Win2KServer Active Directory

• Full Control

– Allows the user to view objects and attributes, the owner of the object, and the AD permissions, along with the ability to change any of those settings.

• Write

– Enables the user to view objects and attributes and to change the attributes; it does not allow changing the owner or the permissions (those require Full Control).

• Read

– Enables the user to view objects and attributes, the owner of the object, and the AD permissions.

• Create All Child Objects

– Enables the user to create additional child objects in the OU (Organizational Unit).

• Delete All Child Objects

– Enables the user to delete existing objects from an OU.

Page 64: Win2KServer Active Directory

The Flow of Permissions

• Windows 2000 applies inheritance to directory permissions.

• Inheritance is automatic for child objects within parent containers.

• Ex. If a parent object has inheritable permissions set on it, the child objects beneath will automatically inherit those permissions. Inheritance can be blocked on an individual child, and only entries marked as inheritable flow down.

Page 65: Win2KServer Active Directory

The Flow of Inheritance

Parent OU (parent)
  Permissions: Administrator: Full Control; Users: Read

  Sales OU (child)
    Permissions: Administrator: Full Control; Users: Read (inherited)

  Research OU (child)
    Permissions: Administrator: Full Control; Users: Read (inherited)

When you create a child object within a parent container that holds certain permissions, the child object automatically contains the permissions of its parent.
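The following Python is an added example, not code from the deck, covering the security descriptor, DACL, ACE, access token and inheritance slides above: it evaluates a request against a DACL in canonical order using the SIDs from an access token, and builds child descriptors that inherit the parent's entries. It uses the Parent OU / Sales OU / Research OU picture with constructed SIDs and a constructed four-bit rights mask, and goes one step beyond the slide by adding an explicit deny on Research and an explicit allow beneath it, so that both orderings (deny before allow, explicit before inherited) are exercised.

```python
from dataclasses import dataclass

# Rights as a bit mask: a constructed subset of the standard permissions on directory objects.
READ, WRITE, CREATE_CHILD, DELETE_CHILD = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD


@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    sid: str                 # trustee: a user or group SID
    mask: int                # rights this entry grants or denies
    inherited: bool = False  # True when the entry flowed down from a parent container


class SecurityDescriptor:
    def __init__(self, dacl):
        self.dacl = list(dacl)

    def canonical(self):
        """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
        return sorted(self.dacl, key=lambda a: (a.inherited, a.kind == "allow"))


def child_descriptor(parent, explicit=()):
    """A child object's descriptor: its own explicit ACEs plus the parent's ACEs marked inherited."""
    inherited = [Ace(a.kind, a.sid, a.mask, inherited=True) for a in parent.dacl]
    return SecurityDescriptor(list(explicit) + inherited)


def access_check(sd, token, requested):
    """Walk the DACL in canonical order using the SIDs in the caller's access token.

    A deny entry that covers any right not yet granted ends the check with a refusal;
    allow entries accumulate rights until the whole request is satisfied. Because
    explicit entries sort first, an explicit allow on the child beats a deny inherited
    from the parent, while a deny at the same level as an allow is seen first and wins.
    """
    if not sd.dacl:          # an empty DACL grants nothing (a missing DACL would grant everything)
        return False
    remaining = requested
    for ace in sd.canonical():
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


def demo():
    """The inheritance picture from the slides, with constructed SIDs, plus two extra cases."""
    ADMIN, USERS, ALICE = "S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1104"
    alice_token, admin_token = {ALICE, USERS}, {ADMIN}   # token = user SID plus group SIDs

    parent = SecurityDescriptor([Ace("allow", ADMIN, FULL_CONTROL), Ace("allow", USERS, READ)])
    sales = child_descriptor(parent)                                   # inherits unchanged
    research = child_descriptor(parent, [Ace("deny", USERS, READ)])    # explicit deny on the child
    project = child_descriptor(research, [Ace("allow", ALICE, READ)])  # explicit allow below that deny
    return {
        "alice_reads_sales": access_check(sales, alice_token, READ),
        "alice_writes_sales": access_check(sales, alice_token, WRITE),
        "alice_reads_research": access_check(research, alice_token, READ),
        "alice_reads_project": access_check(project, alice_token, READ),
        "admin_full_on_project": access_check(project, admin_token, FULL_CONTROL),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "allowed" if allowed else "denied")
```

Alice reads Sales through the inherited Users entry but cannot write, because nothing grants WRITE; the explicit deny on Research is evaluated before the inherited allow and refuses her; one level further down, the explicit allow for her own SID is evaluated before the deny inherited from Research and grants access.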

Page 66: Win2KServer Active Directory

Kerberos v5

• Developed by a team at MIT

• Named after the three-headed dog in Greek mythology that guarded the gates of Hades.

• There are three sides to Kerberos authentication:

• User

• Server

• Key Distribution Center (KDC)

Page 67: Win2KServer Active Directory

Like its Greek Counterpart…

• User

– A client that has a need to access resources on a server.

• Server

– Offers a service, but only to those that can prove their identity. That proven identity doesn't guarantee access to the service; it just proves that they have a right to request a service.

• Key Distribution Center (KDC)

– An intermediary between the client and the server that provides a way of vouching that the client is really who it says it is.

Page 68: Win2KServer Active Directory

Kerberos Trust

[Diagram: three DCs connected by two-way trust arrows]

The trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest.

Page 69: Win2KServer Active Directory

• Kerberos is Windows 2000's default authentication protocol (NTLM remains for down-level clients and for logons where no DC can be reached, which is why NTLM cannot simply be ignored).

• Verifies a user's identity and a session's integrity.

• Each DC (Domain Controller) runs the KDC service and every Windows 2000 workstation has a Kerberos client.

Page 70: Win2KServer Active Directory

A Kerberos Transaction

1. A user logs on to the domain by supplying a username, a password, and a domain choice. The Kerberos client sends an authentication request to the KDC on a DC. The password itself never crosses the network: the client proves it knows the password by encrypting a timestamp with a key derived from it (pre-authentication), and the KDC checks that against the account in the directory.

2. If the user is valid, the user is provided a ticket-granting ticket (TGT), encrypted with a key that only the KDC knows. This means the user is preauthenticated for further requests in the domain.

• In future transactions, the client doesn't have to re-authenticate with the password; rather, it presents the TGT to the KDC. This speeds up the process.

Page 71: Win2KServer Active Directory

3. If a client wants to access a server, for example the internal mail server in order to obtain his/her email, he/she presents that TGT, plus a fresh authenticator, to the KDC's ticket-granting service (TGS). The TGS returns a service ticket encrypted with the mail server's key. The ticket doesn't grant permission to the mail server; rather,  it authenticates the client to the mail server.

4. The email server decrypts the ticket with its own key and then checks, against its own access control list and the group SIDs carried in the ticket, whether the client has permission to read the mail. If so, the client will receive the mail.

Page 72: Win2KServer Active Directory

The Four Steps of Kerberos

[Diagram: steps 1 to 4 drawn between the Client, the KDC and a Print Server]
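The four steps above, written out in Python as an added example that is not part of the original deck. The KDC, the mail server and the client share nothing but long-term keys: the TGT is sealed under krbtgt's key, the service ticket under the service's key, and each request carries an authenticator that the receiver checks for name, clock skew and replay. The toy cipher (an HMAC keystream with an HMAC tag), the pbkdf2 string-to-key, the principal names and passwords, and the mail server's ACL are all constructed for the example and stand in for the Kerberos ciphers and the directory.

```python
import hashlib, hmac, json, os

SKEW = 300    # seconds; the Windows default tolerance is 5 minutes
LIFE = 36000  # ticket lifetime in seconds (constructed for the example)


def derive_key(password, salt):
    """Stand-in for the Kerberos string-to-key function: long-term key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream, encrypt-then-MAC); stands in for the Kerberos cipher."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(session_key, authenticator, ticket_user, now, replay_cache):
    """Shared by KDC and service: proves the caller holds the session key inside the ticket."""
    auth = unseal(session_key, authenticator)
    if auth["user"] != ticket_user:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - auth["time"]) > SKEW:
        raise ValueError("authenticator outside clock skew")
    if (ticket_user, auth["time"]) in replay_cache:
        raise ValueError("authenticator replayed")
    replay_cache.add((ticket_user, auth["time"]))


class KDC:
    """Holds every principal's long-term key: the AS and TGS halves of the KDC on a DC."""
    def __init__(self, keys):
        self.keys, self.replay_cache = keys, set()

    def authentication_service(self, user, preauth, now):
        """Steps 1-2: pre-authentication proves the password without sending it; the reply is a
        TGT sealed under krbtgt's key plus the TGT session key sealed under the user's key."""
        if abs(now - unseal(self.keys[user], preauth)["time"]) > SKEW:
            raise ValueError("pre-authentication failed")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "exp": now + LIFE})
        return tgt, seal(self.keys[user], {"key": session})

    def ticket_granting_service(self, tgt, authenticator, service, now):
        """Step 3: only the KDC can open the TGT; a fresh authenticator earns a service ticket."""
        body = unseal(self.keys["krbtgt"], tgt)
        if now > body["exp"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(body["key"])
        check_authenticator(session, authenticator, body["user"], now, self.replay_cache)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": body["user"], "key": svc_key, "exp": now + LIFE})
        return ticket, seal(session, {"key": svc_key})


class Service:
    """Step 4: the server opens the ticket with its own key, then makes a separate authorization decision."""
    def __init__(self, name, key, acl):
        self.name, self.key, self.acl, self.replay_cache = name, key, acl, set()

    def request(self, ticket, authenticator, now):
        body = unseal(self.key, ticket)   # authentication: the KDC vouched for this user
        check_authenticator(bytes.fromhex(body["key"]), authenticator, body["user"], now, self.replay_cache)
        if body["user"] not in self.acl:  # authorization: identity proven, permission still required
            raise PermissionError("%s authenticated but is not permitted on %s" % (body["user"], self.name))
        return "mailbox of %s" % body["user"]


def client_logon(kdc, user, password, service, now):
    """Client side of the exchange; returns the service ticket and the session key to use with it."""
    user_key = derive_key(password, user)
    tgt, reply = kdc.authentication_service(user, seal(user_key, {"time": now}), now)
    tgt_session = bytes.fromhex(unseal(user_key, reply)["key"])   # a wrong password fails here
    ticket, reply = kdc.ticket_granting_service(tgt, seal(tgt_session, {"user": user, "time": now}), service, now)
    return ticket, bytes.fromhex(unseal(tgt_session, reply)["key"])

def demo(now=1_000_000):
    keys = {"krbtgt": os.urandom(32), "mail/srv1": os.urandom(32),
            "alice": derive_key("hunter2", "alice"), "bob": derive_key("letmein", "bob")}
    kdc, mail = KDC(keys), Service("mail/srv1", keys["mail/srv1"], acl={"alice"})
    outcomes = {}
    ticket, key = client_logon(kdc, "alice", "hunter2", "mail/srv1", now)
    auth = seal(key, {"user": "alice", "time": now})
    outcomes["alice"] = mail.request(ticket, auth, now)
    for label, candidate in (("replay", auth), ("stale", seal(key, {"user": "alice", "time": now - 3600}))):
        try:
            mail.request(ticket, candidate, now)
        except ValueError as err:
            outcomes[label] = str(err)
    ticket, key = client_logon(kdc, "bob", "letmein", "mail/srv1", now)
    try:   # bob authenticates fine; the mail server's ACL is what turns him away
        mail.request(ticket, seal(key, {"user": "bob", "time": now}), now)
    except PermissionError as err:
        outcomes["bob"] = str(err)
    return outcomes
```

Running demo() shows the three outcomes the slides separate: a valid ticket and fresh authenticator yield the mailbox; the same authenticator presented twice, or one outside the skew window, is rejected before any authorization question is asked; and a user whose ticket is perfectly valid is still refused because the server's own ACL does not list him.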

Page 73: Win2KServer Active Directory

Trusts

• Trusts allow the domains to work with the user accounts from other domains in such a way that people in one domain can share resources with others.

• The transitive concept enables smoother functionality.

• Transitive means "by extension".

• Under Windows 2000, the trust is automatic between parents and children, and transitive between every other domain in the tree.

Page 74: Win2KServer Active Directory

Transitive Trusts

• Transitive trusts allow users in all connected domains to be validated as domain users.

• Permissions are not transitive.

Page 75: Win2KServer Active Directory

Two-way Transitive Trusts

• If child domain a.corp.com trusts corp.com and corp.com trusts b.corp.com, then a.corp.com automatically trusts b.corp.com.

corp.com
  a.corp.com
  b.corp.com

Page 76: Win2KServer Active Directory

Few Points About Transitive Trusts

They are two-way agreements that are automatically created.

They exist between child domains and parents, and between the root domains of a forest.

The trusts are transitive because the trees and forests with connecting trusts make information available with no further trust configuration.

After trusts are established, permissions must still be granted to an individual or group to allow them to access resources.
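The following Python is an added example, not code from the deck: it walks the trust relationships of the corp.com tree shown above to find the path by which one domain can authenticate an account from another, then applies the last point above by checking the resource's ACL as a separate step. It goes one case beyond the slides by also modelling a one-way, non-transitive trust to a domain outside the tree (an NT 4.0-style trust, here to a constructed domain called legacy), so the difference between transitive and non-transitive shows up in the paths. The principal names and ACLs are constructed for the example.

```python
from collections import deque


class TrustGraph:
    """Trust relationships between domains. Automatic parent-child trusts in a Windows 2000
    tree are two-way and transitive; an external trust (constructed here for contrast)
    is one-way and non-transitive."""
    def __init__(self):
        self.trusts = {}   # trusting domain -> {trusted domain: transitive?}

    def add_child(self, parent, child):
        for trusting, trusted in ((parent, child), (child, parent)):
            self.trusts.setdefault(trusting, {})[trusted] = True
        self.trusts.setdefault(child, {})

    def add_external(self, trusting, trusted):
        self.trusts.setdefault(trusting, {})[trusted] = False
        self.trusts.setdefault(trusted, {})

    def trust_path(self, resource_domain, account_domain):
        """Chain of domains through which resource_domain can accept an account from
        account_domain, or [] if there is none. A non-transitive trust may only be used
        directly; every hop of a longer path must be transitive."""
        if resource_domain == account_domain:
            return [resource_domain]
        if account_domain in self.trusts.get(resource_domain, {}):
            return [resource_domain, account_domain]
        previous = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            here = queue.popleft()
            for there, transitive in self.trusts.get(here, {}).items():
                if not transitive or there in previous:
                    continue
                previous[there] = here
                if there == account_domain:
                    path = [there]
                    while previous[path[-1]] is not None:
                        path.append(previous[path[-1]])
                    return path[::-1]
                queue.append(there)
        return []


def resource_access(graph, resource_domain, principal, acl):
    """Trust decides whether the account can be authenticated at all; the resource's ACL
    decides whether it may be used. The second question is never answered by the first."""
    account_domain = principal.split("\\")[0]
    path = graph.trust_path(resource_domain, account_domain)
    if not path:
        return "no trust path: %s cannot authenticate %s" % (resource_domain, principal)
    if principal in acl:
        return "allowed (authenticated via %s)" % " -> ".join(path)
    return "authenticated via %s but no permission on the resource" % " -> ".join(path)


def example_forest():
    """The corp.com tree from the slides plus a constructed external NT-style trust."""
    g = TrustGraph()
    g.add_child("corp.com", "a.corp.com")
    g.add_child("corp.com", "b.corp.com")
    g.add_external("b.corp.com", "legacy")   # b.corp.com trusts legacy: one-way, non-transitive
    return g


if __name__ == "__main__":
    g = example_forest()
    print(g.trust_path("b.corp.com", "a.corp.com"))
    print(resource_access(g, "b.corp.com", "a.corp.com\\alice", set()))
    print(resource_access(g, "a.corp.com", "legacy\\svc", {"legacy\\svc"}))
```

b.corp.com reaches a.corp.com through corp.com because every hop is an automatic transitive trust; it reaches legacy only directly, and a.corp.com cannot reach legacy at all, since the external trust neither chains nor runs in the other direction. An account that does authenticate still gets nothing without an entry on the resource's ACL.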

Page 77: Win2KServer Active Directory

Summary of Features and Benefits

• Support for open standards to facilitate cross-platform directory services, incl. DNS and standard protocols – LDAP.

• Support for standard name formats to ensure ease of migration.

• Fast lookup via the global catalog.

• Multi-master replication.

• Backward compatibility.

• Interoperability with NetWare environments.

Page 78: Win2KServer Active Directory

Installation of Active Directory

• Installed using 'dcpromo.exe', which can be executed from the 'Run' dialog box.

• 'dcpromo.exe' ships with Windows 2000 Server in %systemroot%\system32.

• 'dcpromo.exe' is an Active Directory installation wizard, which guides the user in a step by step installation.

• Installation of Active Directory requires an NTFS volume for the SYSVOL share (FAT is not required and is not suitable for it, since FAT has no file-level ACLs). Working DNS that supports SRV records, and ideally dynamic updates, is also required.