active directory: beyond the basics
Hosted by
Active Directory: Beyond The Basics
Howard Marks, Chief Scientist, Networks are Our Lives, Inc!
Agenda
Active Directory Security Issues
Replication and Bandwidth Management
New Features with Windows 2003 Server
Multiple forests
Active Directory Security Issues
Enterprise Admins can “elevate” themselves to administer any domain in the forest (the group is a member of every domain’s Administrators group)
Directory access can be controlled
Tree Security
Just as folders and files have ACLs, so do objects in an AD tree
A user’s permissions determine what the user or group can do to an object
This is used to create administrative boundaries within a tree
An all-powerful Administrator is no longer necessary, but advisable
Assigning Tree Permissions
ACL information on an object flows down to the child objects of the container when a new object is created
Future ACL changes to a parent object must be propagated to child objects to effect changes down the tree
This is exactly how the file system works
Using Permissions Inheritance
Permissions Flow Down to Child Objects
Preventing Inheritance Stops the Flow of Permissions
[Diagram: a chain of OUs, each receiving Full Control from the OU above it; the Security tab checkbox “Allow inheritable permissions from parent to propagate to this object” is the switch that stops the flow]
Directory Attributes
An object’s DACL can contain ACEs that protect individual attributes
Access permissions include
• Read attribute
• Write attribute
• Deny read
• Deny write
Where appropriate, objects also have permissions that control actions, such as
• The creation/deletion of child objects
• Adding or removing an object from a group
Controlling Object Visibility
Most objects have a default explicit ACE defined that allows the Authenticated Users group to read the object
If you wish to limit the visibility of objects, this ACE must be removed
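The two slides above (blocking inheritance, and taking the default Authenticated Users read ACE off an OU) done from PowerShell. This is an added example, not code from the presentation; it assumes the ActiveDirectory module’s AD: drive and a hypothetical OU DN.

```powershell
# Added example (not part of the original slides): inspect an OU's DACL, block
# inheritance from the parent, then strip the explicit Allow ACEs that give
# Authenticated Users read rights on the OU.
# Assumes the ActiveDirectory module (AD: drive); the OU DN is hypothetical.
Import-Module ActiveDirectory

$ouDn = 'OU=Restricted,DC=corp,DC=example'          # hypothetical OU
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# 1. How much of this DACL flowed down from the parent container?
$inherited = @($acl.Access | Where-Object { $_.IsInherited })
$explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
"Before: {0} inherited, {1} explicit ACE(s); protected = {2}" -f `
    $inherited.Count, $explicit.Count, $acl.AreAccessRulesProtected

# 2. Stop inheritance. The second $true keeps copies of the inherited ACEs as
#    explicit ones (the "Copy" choice in the GUI); $false would drop them,
#    which can lock everyone, including you, out of the OU.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# 3. Re-read, then find the Allow ACEs that grant Authenticated Users
#    (S-1-5-11) any read right. GenericRead expands to ReadProperty,
#    ListChildren, ListObject and ReadControl, so one bitwise test covers all.
$acl       = Get-Acl -Path $path
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$readMask  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$toRemove  = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    (([int]$_.ActiveDirectoryRights -band $readMask) -ne 0)
})
foreach ($ace in $toRemove) {
    "Removing: {0} {1}" -f $ace.IdentityReference, $ace.ActiveDirectoryRights
    $acl.RemoveAccessRuleSpecific($ace)
}
Set-Acl -Path $path -AclObject $acl

# 4. Confirm: no Authenticated Users ACEs should be left on the OU itself.
$after = Get-Acl -Path $path
"After: protected = {0}; Authenticated Users ACEs left = {1}" -f `
    $after.AreAccessRulesProtected,
    @($after.Access | Where-Object { $_.IdentityReference -like '*Authenticated Users' }).Count
```

Two caveats before running this outside a lab: anything that enumerated the OU through Authenticated Users (applications, service accounts, administrative tooling) loses that ability too, so grant those principals read explicitly first; and the child objects carry their own explicit copy of the default ACE, so hiding an OU’s contents means making the same change on each child, not only on the container.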
Delegate Access Control at the OU
[Diagram: OU tree; on the Users OU: Object Type = User, Permissions = Create Child, Delete Child]
Delegate permissions to create and delete all objects of a specific type
Delegating Permissions and Rights at the Object Property Level
[Diagram: OU tree; on the Groups OU: Object Type = Group, Property = Group Membership, Permissions = Read Property, Write Property, Inheritance = Inherit Only]
Delegate permissions to administer a specific property for all objects of a certain type
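The two delegations drawn on the last two slides, written as object-specific ACEs with the ActiveDirectory module. This is an added example, not the presenter’s code; the OU DNs and the two help-desk group names are hypothetical, and the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example (not from the original slides): delegate (a) create/delete of
# user objects on one OU and (b) write of the member attribute on every group
# under another OU. OU DNs and group names are hypothetical.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# schemaIDGUID is what identifies a class or attribute inside an object-specific ACE.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'      # the attribute behind "Group Membership"

function Add-OuAce {
    param(
        [string]$OuDn,
        [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$userAdms = (Get-ADGroup 'HelpDesk-UserAdmins').SID     # hypothetical group
$grpAdms  = (Get-ADGroup 'HelpDesk-GroupAdmins').SID    # hypothetical group

# (a) Create Child + Delete Child, limited to objects of class user, on the
#     Users OU and every OU beneath it (inheritance = All).
$usersOu  = 'OU=Users,DC=corp,DC=example'
$userRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $userAdms,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
Add-OuAce -OuDn $usersOu -Rule $userRule

# (b) Read/Write of the member attribute only, applied inherit-only
#     (Descendents = the slide's "Inherit Only") and only to group objects.
$groupsOu  = 'OU=Groups,DC=corp,DC=example'
$groupRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $grpAdms,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)
Add-OuAce -OuDn $groupsOu -Rule $groupRule

# Check: read both DACLs back and show only the ACEs for the two groups.
foreach ($dn in $usersOu, $groupsOu) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like '*\HelpDesk-*' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
```

Write access to `member` is an escalation path if any privileged group ever lands under the delegated OU, so keep such groups out of it; note that groups protected by AdminSDHolder get their ACLs overwritten by SDProp anyway, so a delegation there silently disappears.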
Active Directory Sites
[Diagram: two sites, each with its own domain controller; a user logs on to the DC in the local site, and replication between the two sites is controlled]
A site is one or more TCP/IP subnets with good network connectivity
Sites are used to isolate replication traffic
Types of Replication
[Diagram: Site 1 holds controllers for domains A, B and C; Site 2 holds controllers for domains A and B. Intra-site replication runs between the DCs within a site; inter-site replication runs between the two sites]
Types of Replication
Intrasite replication
• Frequent
• Uses RPC over IP
Intersite replication
• Scheduled: replication frequency and allowable hours
• Route controlled via assigned costs
• Can use RPC over IP or SMTP (SMTP cannot carry the domain partition, only schema, configuration and global catalog data)
Examining Site Locations
If there is no domain controller
• No replication traffic to the location
• No logon traffic arriving from elsewhere (workstations at the location log on across the WAN to a DC somewhere else)
• The business location does not need to be a separate site
If there is a domain controller
• There is replication traffic to and from the business location
• There may not be any logon traffic from elsewhere
• Determine whether the location should be a site
Determining Connectivity and Available Bandwidth
Only subnets that are considered fast, inexpensive, and reliable should be combined into a site
Consider controlling replication traffic and logon requests
An important consideration is available bandwidth
Planning Sites to Control Workstation Logon Traffic
Defining Sites
• Workstations always look to the local site for a domain controller (the site is found from the subnet-to-site mapping, so a workstation whose subnet is not defined in any site is treated as siteless and may be handed any DC)
Disadvantages of Multiple Sites in a Single Location
• If a local site domain controller is not available, the workstation may log on to a DC anywhere on the WAN
Planning Sites to Control Replication Traffic
Multiple Sites in Replication
• Replication time and the transport (RPC or SMTP) can always be specified
• Intersite replication traffic is compressed by default, typically to around 10% to 12% of its uncompressed size (intrasite replication is not compressed)
Network Replication Traffic
• Only changed attributes on changed objects are replicated
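The site planning from the last few slides carried out with the ActiveDirectory module: a branch office becomes its own site, its subnet is mapped to it, and a costed, scheduled IP site link joins it to the hub, followed by a check that a client address actually falls inside a defined subnet (the siteless case from the logon-traffic slide). This is an added example, not the presenter’s material; the site, subnet and link names are hypothetical, and the cmdlets need the ActiveDirectory module from Windows Server 2012 or later.

```powershell
# Added example (not from the original slides): create a branch site, map its
# subnet, connect it to the hub with a costed, scheduled IP site link, and
# test whether a client IP maps to any defined subnet. Names are hypothetical.
Import-Module ActiveDirectory

New-ADReplicationSite   -Name 'Branch-Denver'
New-ADReplicationSubnet -Name '10.42.0.0/16' -Site 'Branch-Denver'

# Allowable hours: replicate only between 18:00 and 06:00. SetDailySchedule
# rejects a window whose end is before its start, so a window that wraps past
# midnight is set as two halves. ResetSchedule() first clears every slot.
$sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$sched.ResetSchedule()
$hour = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$min  = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$sched.SetDailySchedule($hour::Eighteen, $min::Zero, $hour::TwentyThree, $min::FortyFive)
$sched.SetDailySchedule($hour::Zero,     $min::Zero, $hour::Five,        $min::FortyFive)

# Cost steers the route (lower wins); the frequency is how often replication
# is attempted while the schedule window is open.
New-ADReplicationSiteLink -Name 'Hub-Denver' -SitesIncluded 'Hub', 'Branch-Denver' `
    -InterSiteTransportProtocol IP -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -ReplicationSchedule $sched

# Check what was written.
Get-ADReplicationSiteLink -Identity 'Hub-Denver' -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# A client whose address is in no defined subnet is "siteless": the DC locator
# cannot steer it to the local site, and the DC logs NETLOGON event 5807.
# The subnet list comes from AD by default, but any list can be passed in.
function Test-ClientInDefinedSubnet {
    param(
        [Parameter(Mandatory)][string]$ClientIp,
        [string[]]$Subnets = (Get-ADReplicationSubnet -Filter *).Name
    )
    function ToUInt32([string]$dotted) {
        $b = [System.Net.IPAddress]::Parse($dotted).GetAddressBytes()
        [array]::Reverse($b)                     # network byte order to host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $ip = ToUInt32 $ClientIp
    foreach ($s in $Subnets) {
        $net, $len = $s -split '/'
        if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # IPv4 only here
        # Prefix length to mask via exact powers of two (2^32 - 2^(32-len)).
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$len))
        if (($ip -band $mask) -eq ((ToUInt32 $net) -band $mask)) { return $s }
    }
    return $null
}

# Constructed subnet list (not read from a live forest) showing both outcomes.
$known = '10.42.0.0/16', '192.168.10.0/24'
Test-ClientInDefinedSubnet -ClientIp '10.42.7.9'   -Subnets $known
Test-ClientInDefinedSubnet -ClientIp '172.16.5.20' -Subnets $known
```

With the constructed list the first call returns `10.42.0.0/16` and the second returns `$null`, which is the condition to look for when workstations at a location keep authenticating to DCs on the far side of the WAN.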
Planning Sites to Control Both Logon and Replication Traffic
A balancing act between:
• The organization’s need to access directory information quickly
• Speed and reliability of network links
Decide if domains are a better solution
• Refer to the prior section
Windows 2003 Server AD Improvements
Domain Rename
Schema Redefine (deactivate and redefine schema objects, the closest thing to a schema change undo)
Application mode
Improved Group Policy Management
Cross-Forest Trust
Improved Group Membership replication
Better branch office support
Domain Rename
You can now:
• Change the DNS and/or NetBIOS name of a domain
• Move a domain’s position in the forest
• Create a new tree
You still can’t:
• Change which domain is the forest root
• Split off a domain or add a domain to the forest
• Reuse names (OK, you can, in 2 steps: rename to an interim name first)
• Rename domains with Exchange 2000 servers in them
Domain Rename Limitations
All DCs must be online
• DCs that can’t participate are ejected from the domain
All DCs reboot in the process
All stations must reboot twice
• NT 4 stations must be rejoined manually
Forest must be in
Ownership Concept
In Windows NT domains a single “person” owned the whole pie
AD allows us to separate this into 2 roles:
• Service owner: responsible for service availability
• Data owner: responsible for data maintenance and day-to-day administration
The Forest Owner Role
Service owner
• Ultimately responsible for the delivery of directory services in the forest
• Sets policy and process for changes to shared configuration and schema
• Gatekeeper for new domains
Domain owners are service owners
• Must be carefully managed
Forest Model #1: Strong Central Control
All business units share centralized DS infrastructure
Model #2: Hybrid/Subscription
Business units opt-in/opt-out of centralized infrastructure
Model #3: Distributed Infrastructure
Each business unit maintains separate DS infrastructure
Assign Forests
[Chart: administrative autonomy (distributed to centralized) plotted against collaboration (low to high); the options placed on it are single forest, subscription forest, multiple forests with MMS, and multiple forests, with a “long term trend” arrow]
Identify Candidate Forest Owners
What IT groups are chartered to deliver NOS directory services? It is common to find multiple groups
• Owners of Master User Domains (MUDs)
• Previously-deployed forests
• The anti-social
• Legal reasons
Create a list of candidate forest owners
Forest Participation Criteria
Satisfied with terms of service
• Schema and config change control policies
• Disaster recovery
Security considerations
• Trust the forest owner and all domain owners (the forest, not the domain, is the security boundary: a Domain Admin in any domain can take over the forest)
• DCs placed in secure locations
Have clear forest ownership
• Attempting to share forest management may present organizational challenges
• Do not extend forest management across multiple outsourcers
Inter-forest Implications
No automatic trust
• Explicit trust is one-way, non-transitive
• Fixable in 2003 (cross-forest trust)
Kerberos not available between forests
• No mutual authentication (this applies to Windows 2000 external trusts; Windows 2003 forest trusts do support Kerberos)
Global catalog has forest scope
• Aggregate view across forests requires synchronization technology
• Microsoft Metadirectory Services (MMS)
• Simple Sync