SlideShare a Scribd company logo

Active directory - an introduction

Download as PPT, PDF
P
pepoluan

The document provides an overview of Active Directory including key elements such as domain controllers, the schema, security groups, SYSVOL, group policy objects, sites and subnets. It discusses features of Active Directory such as authentication, privileges, policies, auditing, replication, and trust relationships. It also describes important Active Directory elements in more detail including the roles of domain controllers, importance of the schema, best practices for assigning security groups and permissions, and functions of SYSVOL and group policy objects.

Technology
1 of 20
Downloaded 38 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Eng Ing Eng ! <Insert tada.wav here>
About The Speaker • Name: Pandu Poluan • Email: pandu@poluan.info • Experience: – Senior Instructor (of instructors) for Cisco, Microsoft, Certified Ethical Hackers – IT Manager of Infrastructure, PT Panin Sekuritas Tbk • 25 branches, 500 employees, 1 domain – Systems Administration Manager, PT Carrefour Indonesia • 85 branches, 10’000+ employees, 2 domains
Active Directory An Introduction
What is Active Directory? • Directory • Authentication – Database of Objects in – Into the network the Domain – Uses “Kerberos” • Users mechanism • Computers • • Privileges Printers • Scanners – For network resources • Shares – For admin tasks • Refrigerators • Active • Coffee Makers • Toilet
Why called “Active” • Not just auth • Policies • Grouping (Many-to- – Restrictions Many) – Forced settings – Based on Org Struct – “Push” installation – Based on Functional • Audit Team • Replication – Based on Ad Hoc – One way & Two way needs – Bandwidth-adapting • Delegation • ‘Trust’ Relationship – Of admin tasks – Of management tasks
Overview of AD Elements • Domain Controllers – Writable & RODC • Schema • Security Groups • SYSVOL • Group Policy Objects (GPO) • Sites & Subnets • ... (and many others, but let’s just focus on the above for this “Introduction”)
Domain Controllers • Where AD database(s) are kept • Replicate between themselves – Two way with writeable DCs, One-way to RODCs – Also replicate “SYSVOL” • MUST be secured at all costs!! – Physical security – Logical security  RODC – Hardening: • Allow only special ‘elevated’ accounts ‘administrator-level’ access to the DCs
The AD “Schema” • Definition of Objects in AD – Properties/Attributes – ‘Nature’ of Object • E.g., container, custom container, leaf object • AMAT SANGAT VITAL SEKALI BANGET !!! – *IMMEDIATELY* replicated to other DCs – Feel free to commit suicide if someone gained Schema-editing ability … and botched the schema
Security Groups • Used to manage privileges/permissions practically, systematically, and healthily – Managing privileges per user in a big enterprise is not good for your health • Microsoft-recommended Best Practice: A G U DL P Account Global Universal Domain Local Permissions
A-P • The Worst privilege-assignment strategy – Imagine having to give 1’000 users the same privileges … – … to 100 network shares • Only suitable for … nothing
A-G-P • NEVER assign permissions directly to accounts • At least, assign permissions to Global SGs • Then, gather user Accounts into Gs • Only suitable for small domains
A-G-DL-P • Good Enough™ for Most organizations • In principle: – Gather Accounts into Groups – Assign Permissions onto Domain Locals – Associate Groups into Domain Locals A G DL P
A-G-U-DL-P • Necessary for huge organizations – Allows assignment of privileges for other ‘trusted’ domains • Similar to A-G-DL-P, but – Create Universal SGs spanning multi domains – Put Global SGs in a domain inside a U – Then, associate Us in DLs U A G DL P A G DL P
SYSVOL • The mysterious, enigmatic area where important AD thingies are kept – Group Policy Objects – Startup/Shutdown/Logon/Logoff Scripts – Other small-sized SysAdmin supporting files • Employs mysterious “Junctions” – Must be hosted on NTFS – Please please please for the love of all things holy: Do not delete any directory in here if you don’t understand its structure • Automatically replicated to other DCs – (Except SYSVOL on RODCs – won’t replicate, but will be overwritten instead) – FRS on Windows Server 2003, DFSR on Windows Server 2008 – Please do not put anything too big in SYSVOL … • else, your NetAdmin is going to find you and hurt you…
Group Policy Objects • A method to apply: – Common restrictions – Common settings – Common applications • Attached to one (or more) “Organizational Units” • Two kinds of policies – Machine policies – set on boot-complete – User policies – set on login • Machine policies *may* get re-applied when user login • Can be selectively applied
Sites and Subnets • Active Directory enables the definition of “sites” – Basically, a grouping of subnets in the enterprise – Also, a collection of DCs in those subnets • Features enabled by “sites” – Definition of replication topology – Definition of replication connection “costs” – Custom scheduling of replication – Nearest-DC (for login, SYSVOL access, etc.)
Other Important Things You Should Know If You Are A Windows Systems Administrator • FSMO Roles • Time Synchronization • Deployment tools • Management tools • Diagnostic tools
Tararengkiyu !
Sesi Tanya dan (semoga di-) Jawab
Active directory - an introduction

More Related Content

PDF
Hadoop operations
Marc Cluet
 
PPTX
Citrix Synergy 2014 - Syn233 Building and operating a Dev Ops cloud: best pra...
Citrix
 
PPTX
Storage for VDI
Howard Marks
 
PPTX
Software defined storage real or bs-2014
Howard Marks
 
PPTX
Building Storage for Clouds (ONUG Spring 2015)
Howard Marks
 
PDF
Application Development with Apache Cassandra as a Service
WSO2
 
PPT
Deep dive hadoop
Jakub Stransky
 
PDF
DB12c: All You Need to Know About the Resource Manager
Maris Elsins
 
Hadoop operations
Marc Cluet
 
Citrix Synergy 2014 - Syn233 Building and operating a Dev Ops cloud: best pra...
Citrix
 
Storage for VDI
Howard Marks
 
Software defined storage real or bs-2014
Howard Marks
 
Building Storage for Clouds (ONUG Spring 2015)
Howard Marks
 
Application Development with Apache Cassandra as a Service
WSO2
 
Deep dive hadoop
Jakub Stransky
 
DB12c: All You Need to Know About the Resource Manager
Maris Elsins
 

What's hot (20)

PPTX
PEARC17: Cloud-enabling a Collaborative Research Platform: The GABBs Story
Rajesh Kalyanam
 
PPTX
2015 deploying flash in the data center
Howard Marks
 
PDF
Database-as-a-Service with Oracle Enterprise Manager Cloud Control 12c and Or...
Leighton Nelson
 
PPTX
Reaching the Cloud: The Architecture
Society of Women Engineers
 
PDF
KoprowskiT_SQLRelay2014#8_Birmingham_FromPlanToBackupToCloud
Tobias Koprowski
 
PPT
Life After Sharding: Monitoring and Management of a Complex Data Cloud
OSCON Byrum
 
PDF
MongoDB webiner01
Creationline,inc.
 
PPTX
Cloud Computing101 Azure, updated june 2017
Fernando Mejía
 
PPTX
Multi-tenant, Multi-cluster and Multi-container Apache HBase Deployments
DataWorks Summit
 
PPTX
Extending your data to the cloud
Microsoft TechNet - Belgium and Luxembourg
 
PDF
The Power of Postgres Plus Cloud Database
EDB
 
PPTX
Docker y azure container service
Fernando Mejía
 
PDF
KoprowskiT_SQLRelay2014#1_Reading_FromPlanToBackupToCloud
Tobias Koprowski
 
PDF
(ATS4-PLAT06) Considerations for sizing and deployment
BIOVIA
 
PDF
Database as a Service on the Oracle Database Appliance Platform
Maris Elsins
 
PDF
KoprowskiT - SQLBITS X - 2am a disaster just began
Tobias Koprowski
 
PDF
5 Postgres DBA Tips
EDB
 
PDF
Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
Lars Platzdasch
 
PPTX
LVOUG meetup #2 - Forcing SQL Execution Plan Instability
Maris Elsins
 
PDF
Scalability, Availability & Stability Patterns
Jonas Bonér
 
PEARC17: Cloud-enabling a Collaborative Research Platform: The GABBs Story
Rajesh Kalyanam
 
2015 deploying flash in the data center
Howard Marks
 
Database-as-a-Service with Oracle Enterprise Manager Cloud Control 12c and Or...
Leighton Nelson
 
Reaching the Cloud: The Architecture
Society of Women Engineers
 
KoprowskiT_SQLRelay2014#8_Birmingham_FromPlanToBackupToCloud
Tobias Koprowski
 
Life After Sharding: Monitoring and Management of a Complex Data Cloud
OSCON Byrum
 
MongoDB webiner01
Creationline,inc.
 
Cloud Computing101 Azure, updated june 2017
Fernando Mejía
 
Multi-tenant, Multi-cluster and Multi-container Apache HBase Deployments
DataWorks Summit
 
Extending your data to the cloud
Microsoft TechNet - Belgium and Luxembourg
 
The Power of Postgres Plus Cloud Database
EDB
 
Docker y azure container service
Fernando Mejía
 
KoprowskiT_SQLRelay2014#1_Reading_FromPlanToBackupToCloud
Tobias Koprowski
 
(ATS4-PLAT06) Considerations for sizing and deployment
BIOVIA
 
Database as a Service on the Oracle Database Appliance Platform
Maris Elsins
 
KoprowskiT - SQLBITS X - 2am a disaster just began
Tobias Koprowski
 
5 Postgres DBA Tips
EDB
 
Azure Boot Camp 21.04.2018 SQL Server in Azure Iaas PaaS on-prem Lars Platzdasch
Lars Platzdasch
 
LVOUG meetup #2 - Forcing SQL Execution Plan Instability
Maris Elsins
 
Scalability, Availability & Stability Patterns
Jonas Bonér
 
Ad

Viewers also liked (8)

PPT
Active directory slides
Timothy Moffatt
 
PPT
Active directory and application
aminpathan11
 
PDF
MCSA 70-410 5 introduction to active directory and basic installation
Tarek Amer
 
PPT
Active directory
Muuluu
 
PPTX
Microsoft Offical Course 20410C_02
gameaxt
 
PPT
1.2 active directory
Muuluu
 
PPTX
Introduction to Active Directory
thoms1i
 
PPT
Active Directory
Sandeep Kapadane
 
Active directory slides
Timothy Moffatt
 
Active directory and application
aminpathan11
 
MCSA 70-410 5 introduction to active directory and basic installation
Tarek Amer
 
Active directory
Muuluu
 
Microsoft Offical Course 20410C_02
gameaxt
 
1.2 active directory
Muuluu
 
Introduction to Active Directory
thoms1i
 
Active Directory
Sandeep Kapadane
 
Ad

Similar to Active directory - an introduction (20)

PDF
Mtc learnings from isv & enterprise interaction
Govind Kanshi
 
PPTX
Mtc learnings from isv & enterprise (dated - Dec -2014)
Govind Kanshi
 
PDF
Docker in the Enterprise
Saul Caganoff
 
PPTX
Securing Windows with Group Policy
Josh Rickard
 
PDF
Storage Systems For Scalable systems
elliando dias
 
PPT
Drupal -Introduction to Drupal
Vibrant Technologies & Computers
 
PPTX
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
PDF
How to Build a Compute Cluster
Ramsay Key
 
PPTX
Drupal performance
Gabi Lee
 
PPTX
Nagios XI Best Practices
Nagios
 
PPTX
Hafslund SESAM - Semantic integration in practice
Lars Marius Garshol
 
PPTX
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
rwgorrel
 
PPTX
Operating OpenStack on a Budget
Samir Ibradzic
 
PPTX
Operating OpenStack on a Budget
Susan Wu
 
PPTX
Deep thoughts from the real world of azure
Michele Leroux Bustamante
 
PPTX
5 Things that Make Hadoop a Game Changer
Caserta
 
PPT
Drupal intro
Geetanjali Srivastava
 
PPT
Drupal intro
Antonio Perez
 
PPT
Introduction_to_Active_Directory and Windows Server
navneetyohaya
 
ODP
MySQL for Oracle DBAs
Ben Krug
 
Mtc learnings from isv & enterprise interaction
Govind Kanshi
 
Mtc learnings from isv & enterprise (dated - Dec -2014)
Govind Kanshi
 
Docker in the Enterprise
Saul Caganoff
 
Securing Windows with Group Policy
Josh Rickard
 
Storage Systems For Scalable systems
elliando dias
 
Drupal -Introduction to Drupal
Vibrant Technologies & Computers
 
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
How to Build a Compute Cluster
Ramsay Key
 
Drupal performance
Gabi Lee
 
Nagios XI Best Practices
Nagios
 
Hafslund SESAM - Semantic integration in practice
Lars Marius Garshol
 
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
rwgorrel
 
Operating OpenStack on a Budget
Samir Ibradzic
 
Operating OpenStack on a Budget
Susan Wu
 
Deep thoughts from the real world of azure
Michele Leroux Bustamante
 
5 Things that Make Hadoop a Game Changer
Caserta
 
Drupal intro
Geetanjali Srivastava
 
Drupal intro
Antonio Perez
 
Introduction_to_Active_Directory and Windows Server
navneetyohaya
 
MySQL for Oracle DBAs
Ben Krug
 

Recently uploaded (20)

PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Active directory - an introduction

  • 1. Eng Ing Eng ! <Insert tada.wav here>
  • 2. About The Speaker • Name: Pandu Poluan • Email: pandu@poluan.info • Experience: – Senior Instructor (of instructors) for Cisco, Microsoft, Certified Ethical Hackers – IT Manager of Infrastructure, PT Panin Sekuritas Tbk • 25 branches, 500 employees, 1 domain – Systems Administration Manager, PT Carrefour Indonesia • 85 branches, 10’000+ employees, 2 domains
  • 3. Active Directory An Introduction
  • 4. What is Active Directory? • Directory • Authentication – Database of Objects in – Into the network the Domain – Uses “Kerberos” • Users mechanism • Computers • • Privileges Printers • Scanners – For network resources • Shares – For admin tasks • Refrigerators • Active • Coffee Makers • Toilet
  • 5. Why called “Active” • Not just auth • Policies • Grouping (Many-to- – Restrictions Many) – Forced settings – Based on Org Struct – “Push” installation – Based on Functional • Audit Team • Replication – Based on Ad Hoc – One way & Two way needs – Bandwidth-adapting • Delegation • ‘Trust’ Relationship – Of admin tasks – Of management tasks
  • 6. Overview of AD Elements • Domain Controllers – Writable & RODC • Schema • Security Groups • SYSVOL • Group Policy Objects (GPO) • Sites & Subnets • ... (and many others, but let’s just focus on the above for this “Introduction”)
  • 7. Domain Controllers • Where AD database(s) are kept • Replicate between themselves – Two way with writeable DCs, One-way to RODCs – Also replicate “SYSVOL” • MUST be secured at all costs!! – Physical security – Logical security  RODC – Hardening: • Allow only special ‘elevated’ accounts ‘administrator-level’ access to the DCs
  • 8. The AD “Schema” • Definition of Objects in AD – Properties/Attributes – ‘Nature’ of Object • E.g., container, custom container, leaf object • AMAT SANGAT VITAL SEKALI BANGET !!! – *IMMEDIATELY* replicated to other DCs – Feel free to commit suicide if someone gained Schema-editing ability … and botched the schema
  • 9. Security Groups • Used to manage privileges/permissions practically, systematically, and healthily – Managing privileges per user in a big enterprise is not good for your health • Microsoft-recommended Best Practice: A G U DL P Account Global Universal Domain Local Permissions
  • 10. A-P • The Worst privilege-assignment strategy – Imagine having to give 1’000 users the same privileges … – … to 100 network shares • Only suitable for … nothing
  • 11. A-G-P • NEVER assign permissions directly to accounts • At least, assign permissions to Global SGs • Then, gather user Accounts into Gs • Only suitable for small domains
  • 12. A-G-DL-P • Good Enough™ for Most organizations • In principle: – Gather Accounts into Groups – Assign Permissions onto Domain Locals – Associate Groups into Domain Locals A G DL P
  • 13. A-G-U-DL-P • Necessary for huge organizations – Allows assignment of privileges for other ‘trusted’ domains • Similar to A-G-DL-P, but – Create Universal SGs spanning multi domains – Put Global SGs in a domain inside a U – Then, associate Us in DLs U A G DL P A G DL P
  • 14. SYSVOL • The mysterious, enigmatic area where important AD thingies are kept – Group Policy Objects – Startup/Shutdown/Logon/Logoff Scripts – Other small-sized SysAdmin supporting files • Employs mysterious “Junctions” – Must be hosted on NTFS – Please please please for the love of all things holy: Do not delete any directory in here if you don’t understand its structure • Automatically replicated to other DCs – (Except SYSVOL on RODCs – won’t replicate, but will be overwritten instead) – FRS on Windows Server 2003, DFSR on Windows Server 2008 – Please do not put anything too big in SYSVOL … • else, your NetAdmin is going to find you and hurt you…
  • 15. Group Policy Objects • A method to apply: – Common restrictions – Common settings – Common applications • Attached to one (or more) “Organizational Units” • Two kinds of policies – Machine policies – set on boot-complete – User policies – set on login • Machine policies *may* get re-applied when user login • Can be selectively applied
  • 16. Sites and Subnets • Active Directory enables the definition of “sites” – Basically, a grouping of subnets in the enterprise – Also, a collection of DCs in those subnets • Features enabled by “sites” – Definition of replication topology – Definition of replication connection “costs” – Custom scheduling of replication – Nearest-DC (for login, SYSVOL access, etc.)
  • 17. Other Important Things You Should Know If You Are A Windows Systems Administrator • FSMO Roles • Time Synchronization • Deployment tools • Management tools • Diagnostic tools