MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory


Chapter 4: Active Directory Design and Security Concepts
Objectives
• Work with organizational units
• Work with forests, trees, and domains
• Describe the components of a site




MCTS Windows Server 2008 Active Directory    2
Working with Organizational Units
• Active Directory is based upon standards (LDAP
  and X.500)
• Lightweight Directory Access Protocol (LDAP)
    – Created by the Internet Engineering Task Force (IETF)
    – Based on the X.500 Directory Access Protocol (DAP)
    – Forms the base around which Active Directory is built, which
      allows applications to use LDAP to integrate with Active
      Directory
• LDAP is implemented on other operating systems as
  well, and can be used to integrate them with Active
  Directory
Working with Organizational Units (cont.)

• Benefits of using OUs:
    – You can create familiar hierarchical structures based on an
      organizational chart to allow easy resource access
    – Delegation of administrative authority
    – Able to change OU structure easily
    – Can group users and computers for the purposes of assigning
      administrative and security policies
    – Can hide AD objects for confidentiality or security reasons




OU Delegation of Control
• Delegation of control means a person with higher security
  privileges assigns authority to a person of lesser security
  privileges to perform certain tasks
• Allows specific control of what someone with delegated
  control may do
• Commonly delegated tasks include
    –   Create, delete, and manage user accounts
    –   Reset user passwords and force password change at next logon
    –   Read all user information
    –   Create, delete, and manage groups
    –   Modify the membership of a group
    –   Manage group policy links
    –   Generate Resultant Set of Policy (Planning)
    –   Generate Resultant Set of Policy (Logging)

OU Delegation of Control (cont.)
• Custom tasks can be created for delegation as
  well, but you must fully understand the nature of
  objects, permissions, and permission inheritance.
• Knowledge of permissions and how they work is
  important regardless of whether you use custom
  tasks or not
• By default, the OU’s properties don’t show that
  another user has been delegated control
• Instead, to verify who has been delegated control
  of an OU, you must view the OU’s permissions.
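Because the delegation is recorded only in the OU's DACL, the practical check is to read that DACL and list the ACEs that were set on the OU itself. The script below is an added example, not code from the textbook; it assumes the ActiveDirectory PowerShell module (RSAT) and an OU distinguished name of your own (`OU=Sales,DC=example,DC=com` is a placeholder). Object-specific ACEs carry GUIDs rather than names, so the script resolves them against the schema and the Extended-Rights container before printing.

```powershell
# Added example (not from the textbook): list who has been delegated control of an OU
# by reading the OU's DACL, the only place a delegation is recorded.
# Assumes the ActiveDirectory module and an OU DN that exists in your domain.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [switch] $IncludeInherited    # by default only ACEs set on this OU itself are shown
    )

    $rootDse = Get-ADRootDSE

    # GUID -> name lookup so object-specific ACEs are readable.
    # Class and attribute GUIDs come from the schema partition (schemaIDGUID is a byte array);
    # extended rights such as Reset Password come from CN=Extended-Rights in the configuration partition.
    $guidNames = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $guidNames[[guid]$_.rightsGUID] = $_.name }

    # Principals that hold rights on every OU by default; hiding them makes real delegations stand out.
    # Domain Admins, Enterprise Admins and Administrators are deliberately left visible.
    $builtin = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'CREATOR OWNER')

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        if (-not $IncludeInherited -and $ace.IsInherited) { continue }
        $who = $ace.IdentityReference.Value
        if ($builtin -contains $who) { continue }

        $emptyGuid = [guid]::Empty
        # ObjectType = which attribute/extended right the ACE covers; empty = the whole object.
        $on = if ($ace.ObjectType -ne $emptyGuid) { $guidNames[$ace.ObjectType] } else { '(all properties/rights)' }
        # InheritedObjectType = which child object class the ACE applies to; empty = every class.
        $appliesTo = if ($ace.InheritedObjectType -ne $emptyGuid) { $guidNames[$ace.InheritedObjectType] } else { '(all object classes)' }

        [pscustomobject]@{
            Principal   = $who
            Type        = $ace.AccessControlType     # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights
            On          = $on
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType       # None = this object only; All/Descendents = passed to children
            Inherited   = $ace.IsInherited
        }
    }
}

# Placeholder OU: replace the DN with one from your own domain.
Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Run it on a domain-joined machine with RSAT as a user who can read the OU's security descriptor. A row such as `CORP\Helpdesk  Allow  ExtendedRight  Reset Password  user  Descendents` is what the Delegation of Control Wizard's "Reset user passwords" task looks like once written to the DACL; add `-IncludeInherited` to see rights that arrive from the domain or a parent OU as well. The built-in `dsacls "OU=Sales,DC=example,DC=com"` command dumps the same ACL in raw form.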

Active Directory Object Permissions
• Three types of objects can be assigned permission
  to access an AD object: Users, groups, and
  computers. These object types are referred to as
  security principals
• AD object’s security settings are composed of three
  components:
    – Discretionary access control list (DACL)
         • Each entry referred to as an access control entry (ACE)
    – Object owner
         • Usually the user account that created the object or a group or user
           who has been assigned ownership
    – System access control list (SACL)
         • Defines the settings for auditing access to an object

Active Directory Permissions (cont.)
• Each object has a list of standard permissions and
  a list of special permissions
• Each permission can be set to Allow or Deny, and
  five standard permissions are available for most
  objects:
    –   Full control
    –   Read
    –   Write
    –   Create all child objects
    –   Delete all child objects


Active Directory Permissions (cont.)
• Users can be assigned permission to an object in
  three different ways:
    – The user’s account is added directly to the object’s DACL,
      a method referred to as an explicit permission
    – A group the user belongs to is added directly to the object’s
      DACL (also an explicit permission, reached through group
      membership)
    – The permission is inherited from a parent object’s DACL to
      which the user or group account has been added
• A user’s effective permissions are a combination of
  the assigned permissions.
• Deny permissions override Allow permissions
    – Except: when the Deny permission is inherited from a parent
      object, and the Allow permission is explicitly added to the
      object’s DACL, the Allow permission takes precedence
Using Deny in an ACE
• If a security principal isn’t represented in an
  object’s DACL, it doesn’t have access to the object
• Deny permissions are not required for every object
  to prevent access
• Deny permissions are usually used in cases of
  exception, such as when you don’t want a user to
  be able to delete child objects in an OU, but still
  want to grant other access to it



Permission Inheritance in OUs
• Permission inheritance defines how permissions
  are transmitted from a parent object to a child
  object
• All objects in AD are child objects of the domain
• By default, permissions applied to the parent OU
  with the Delegation of Control Wizard are inherited
  by all child objects of that OU




Advanced Features Option in Active
          Directory Users and Computers
• Default settings in AD Users and Computers hide
  some system folders and advanced features, but
  you can display them by enabling the Advanced
  Features option from the view menu. Afterwards,
  four new folders are shown:
    –   LostAndFound
    –   Program Data
    –   System
    –   NTDS (NT Directory Service)




Advanced Features Option in Active
    Directory Users and Computers (cont.)
• Properties dialog box of domain, folder, and OU
  objects will now have three new tabs:
    – Object
         • Used to view detailed information about a container object
    – Security
         • Used to view and modify an object’s permissions
    – Attribute Editor
         • Used to view and edit an object’s attributes




Effective Permissions
• Effective permissions for an object are a
  combination of the allowed and denied permissions
  assigned to a security principal
• Can come from assignments made directly to a
  single user account or to a group the user belongs
  to
• Explicit permissions override inherited permissions,
  and can create some exceptions to the rule that
  Deny permissions override Allow permissions
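The precedence rules on this slide and on the earlier "Active Directory Permissions" slide follow from the order in which Windows walks a DACL: explicit Deny, explicit Allow, inherited Deny, inherited Allow, stopping as soon as every requested right is granted or one of them is denied. The following model is an added example, not code from the textbook; its DACL, principals (`CORP\jsmith`, `CORP\Helpdesk`, and so on) and right names are constructed for illustration, and it runs in any PowerShell without Active Directory.

```powershell
# Added example (not from the textbook): a model of how Windows evaluates an AD object's DACL.
# The ACEs, principals and right names below are constructed for illustration.
# Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. A Deny ACE
# that covers any right still being sought denies the request; Allow ACEs grant rights until
# none remain; reaching the end of the list with rights still outstanding means no access.

function Test-EffectiveAccess {
    param(
        [Parameter(Mandatory)] [string]   $Principal,      # e.g. 'CORP\jsmith'
        [string[]] $MemberOf = @(),                          # groups the principal belongs to
        [Parameter(Mandatory)] [object[]] $Dacl,           # ACEs: @{ Trustee; Type; Rights; Inherited }
        [Parameter(Mandatory)] [string[]] $Requested       # rights being asked for
    )
    $identities = @($Principal) + $MemberOf

    # Explicit before inherited, Deny before Allow within each group.
    $ordered = $Dacl | Sort-Object `
        @{ Expression = { if ($_.Inherited) { 1 } else { 0 } } },
        @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }

    $remaining = [System.Collections.Generic.HashSet[string]]::new([string[]]$Requested)

    foreach ($ace in $ordered) {
        if ($identities -notcontains $ace.Trustee) { continue }      # ACE is for someone else
        $overlap = @($ace.Rights | Where-Object { $remaining.Contains($_) })
        if ($overlap.Count -eq 0) { continue }                         # says nothing about what is still wanted
        $scope = if ($ace.Inherited) { 'inherited' } else { 'explicit' }
        if ($ace.Type -eq 'Deny') {
            return "Denied: $scope Deny for $($ace.Trustee) covers $($overlap -join ', ')"
        }
        foreach ($r in $overlap) { [void]$remaining.Remove($r) }
        if ($remaining.Count -eq 0) {
            return "Allowed: all requested rights granted (last by $scope Allow for $($ace.Trustee))"
        }
    }
    # Not being represented in the DACL is enough to block access; no Deny is needed.
    return "Denied: no ACE grants $($remaining -join ', ')"
}

# Constructed DACL for an OU: two ACEs inherited from the domain, two set on the OU itself.
$dacl = @(
    @{ Trustee = 'CORP\Helpdesk'; Type = 'Deny';  Rights = @('DeleteChild');   Inherited = $true  }
    @{ Trustee = 'CORP\Helpdesk'; Type = 'Allow'; Rights = @('Read', 'Write'); Inherited = $true  }
    @{ Trustee = 'CORP\jsmith';   Type = 'Allow'; Rights = @('DeleteChild');   Inherited = $false }
    @{ Trustee = 'CORP\Interns';  Type = 'Deny';  Rights = @('Write');         Inherited = $false }
)

# jsmith is in Helpdesk: the explicit Allow on the OU beats the Deny inherited from the domain.
Test-EffectiveAccess -Principal 'CORP\jsmith' -MemberOf 'CORP\Helpdesk' -Dacl $dacl -Requested 'DeleteChild'
# Another Helpdesk member has no explicit ACE, so the inherited Deny wins.
Test-EffectiveAccess -Principal 'CORP\alee' -MemberOf 'CORP\Helpdesk' -Dacl $dacl -Requested 'DeleteChild'
# An intern who is also in Helpdesk: the explicit Deny on Write overrides the inherited Allow.
Test-EffectiveAccess -Principal 'CORP\tnguyen' -MemberOf 'CORP\Helpdesk', 'CORP\Interns' -Dacl $dacl -Requested 'Read', 'Write'
# Someone absent from the DACL: nothing grants access, so the answer is Denied without any Deny ACE.
Test-EffectiveAccess -Principal 'CORP\guest' -Dacl $dacl -Requested 'Read'
```

The four calls print Allowed, Denied (inherited Deny), Denied (explicit Deny) and Denied (no ACE) respectively. The model also shows why a Deny is only needed for exceptions: the last case is refused purely because no ACE matches.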


Effective Permissions (cont.)
• Most common settings for permission inheritance:
    – This object only
         • The permission setting isn’t inherited by child (descendant) objects
    – This object and all descendant objects
         • The permission setting applies to the current object and is
           inherited by all child objects
    – All descendant objects
         • The permission setting doesn’t apply to the selected object but is
           inherited by all child objects
    – Descendant [object type] objects
         • The permission is inherited only by specific child object types,
           such as user, computer, or group objects.
• Permission inheritance is enabled by default on
  child objects, but can be disabled
Working with Forests, Trees, and Domains

• Smaller organizations will most likely be focused on
  OUs and their child objects, whereas larger
  organizations might require an AD structure
  composed of several domains, multiple trees, and
  even a few forests
• The first domain controller creates more than just a
  new domain: it also creates the root of a new tree
  and the root of a new forest
    – It may eventually become necessary to add domains to the tree,
      create new trees or forests, and add sites to the AD structure


Active Directory Terminology
•   Directory Partitions
•   Operations Master Roles
•   Active Directory Replication
•   Trust Relationships




Directory Partitions
• Each section of an Active Directory database is referred to
  as a directory partition. There are five directory partition
  types in the AD database:
    – Domain directory partition
         • Contains all objects in a domain, including users, groups, computers, OUs,
           and so forth
    – Schema directory partition
         • Contains information needed to define AD objects and object attributes
    – Global catalog partition
         • Holds the global catalog, which is a partial replica of all objects in the forest
    – Application directory partition
         • Used by applications and services to hold information that benefits from
    – Configuration partition
         • Holds configuration information that can affect the entire forest

Operations Master Roles
• Several operations in a forest require having a
  single domain controller, called the operations
  master, with sole responsibility for the function
• The first domain controller in the forest initially holds
  all of the operations master roles
• If necessary, responsibility for these roles can be
  transferred to another domain controller




Operations Master Roles (cont.)
• There are five operations master roles, referred to
  as Flexible Single Master Operation (FSMO) roles
  in an AD forest:
    –   Schema Master (one per forest)
    –   Infrastructure master (one per domain)
    –   Domain Naming master (one per forest)
    –   RID master (one per domain)
    –   PDC Emulator master (one per domain)
• When removing DCs from a forest, be careful that
  these roles are not removed from the network
  accidentally
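The check before demoting any DC is to list every role holder and confirm each one still answers. The script below is an added example, not code from the textbook; it assumes the ActiveDirectory module and uses `dc1.example.com` as a placeholder for the DC you intend to remove.

```powershell
# Added example (not from the textbook): enumerate every FSMO role holder in the forest and
# confirm each holder is still a reachable domain controller before a DC is decommissioned.
# Assumes the ActiveDirectory module; 'dc1.example.com' below is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder in the whole forest, recorded on the forest object.
    [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: one holder per domain, recorded on each domain object.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
}

function Test-FsmoRoleHolder {
    param([string] $DcBeingRemoved)   # optional: the DC you plan to demote
    foreach ($role in Get-FsmoRoleHolder) {
        $status = 'OK'
        try {
            # Query the holder about itself; a demoted or offline DC will not answer this.
            $null = Get-ADDomainController -Identity $role.Holder -Server $role.Holder -ErrorAction Stop
        } catch {
            # A role whose holder is gone must be seized, not transferred; flag it loudly.
            $status = "UNREACHABLE: $($_.Exception.Message)"
        }
        if ($DcBeingRemoved -and $role.Holder -ieq $DcBeingRemoved) {
            $status = "TRANSFER FIRST: $DcBeingRemoved holds this role"
        }
        $role | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Test-FsmoRoleHolder -DcBeingRemoved 'dc1.example.com' | Format-Table -AutoSize
```

Any row marked `TRANSFER FIRST` should be moved with `Move-ADDirectoryServerOperationMasterRole -Identity <target DC> -OperationMasterRole <role>` before the demotion; a row marked `UNREACHABLE` means the holder is already gone and the same cmdlet needs `-Force` to seize the role, after which the old DC must never be brought back online. `netdom query fsmo` gives the same inventory from a command prompt.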
Active Directory Replication
• Replication is the process of maintaining a consistent
  database of information when the database is distributed
  among several locations
• Intrasite replication
    – Replication between domain controllers in the same site
• Intersite replication
    – Occurs between two or more sites
• Multimaster replication
    – Used by AD for replicating AD objects; a change can be made
      on any writable DC and is replicated to the others
• Knowledge Consistency Checker (KCC) runs on all DCs
    – Determines the replication topology, which defines the domain
      controller path that AD changes flow through and ensures no more
      than three hops exist between any two DCs


Trust Relationships
• In Active Directory, a trust relationship defines
  whether and how security principals from one
  domain can access network resources in another
  domain
• Since Windows 2000 AD, trust relationships are
  established automatically between all domains in
  the forest
• Trusts do not equal permissions



The Role of Forests
• All domains in a forest share some common
  characteristics:
    –   A single schema
    –   Forestwide administrative accounts
    –   Operations masters
    –   Global Catalog
    –   Trusts between domains
    –   Replication between domains




The Importance of the Global Catalog
                   Server
• First DC installed in a forest is automatically
  designated as a Global Catalog server, but
  additional global catalog servers can be configured
  as well
• Global Catalog servers perform the following vital
  functions:
    – Facilitates domain and forestwide searches
    – Facilitates logon across domains; Users can log on to
      computers in any domain by using their user principal name
      (UPN)
    – Holds universal group membership information

Forest Root Domain
• First domain is the forest root and is referred to as
  the forest root domain
• Imperative to the functionality of AD; if it
  disappears, the entire structure ceases to operate
• Functions the forest root domain usually handles:
    –   DNS server
    –   Global catalog server
    –   Forestwide administrative accounts
    –   Operations masters



Forest Root Domain (cont.)
• Due to the importance of the forest root domain’s
  functionality, some organizations choose a
  dedicated forest root domain
• The advantages of running a dedicated forest root
  domain include the following:
    – More secure
    – More manageable
    – More flexible




Choosing a Single or Multiple Forest
                     Design
• Most organizations operate under a single AD forest, which
  has a number of advantages:
    – A common Active Directory structure
    – Easy access to network resources
    – Centralized management
• The advantages of a single forest structure are also limitations
  in many aspects; diversity within an organization may make a
  single forest design unfeasible. A multiple forest design
  includes the following advantages:
    – Differing schemas are possible
    – Security boundaries
    – Separate administration


Understanding Trusts
• Trusts allow users in one domain to access
  resources in another domain, without requiring a
  user account on the other domain
• Types of trust:
    –   One way and two way trusts
    –   Transitive trusts
    –   Shortcut trusts
    –   Forest trusts
    –   External trusts
    –   Realm trusts


One Way and Two-Way Trusts
• One-way trust exists when one domain trusts
  another, but the reverse is not true
    – When domainA trusts domainB, users in domainB may access
      resources in domainA but not vice versa.
    – In this case domainA is the Trusting domain and domainB is
      the Trusted domain
• More common is the two-way trust, in which users
  from both domains can be given access to
  resources in the other domain



Transitive Trusts
• A transitive trust is named after the transitive rule of
  equality in mathematics: If A=B and B=C, then A=C
• If one domain trusts another domain, and that
  domain trusts a third domain, then the first domain
  has a transitive trust with the third domain
• In order to authenticate a user, a referral must be
  made to a domain controller in each domain in the
  path to the destination. This can cause substantial
  delays.


Shortcut Trusts
• A shortcut trust is configured manually between
  domains to bypass the normal referral process
• Shortcut trusts are transitive and can be configured
  as one way or two way trusts between domains in
  the same forest
• Shortcut trusts can reduce delays caused by
  referral processes




Forest Trusts
• A forest trust provides a one-way or two-way
  transitive trust between forests that allows security
  principals in one forest to access resources in any
  domain in another forest
• Are not possible in Windows 2000 forests
• They are transitive in the sense that all domains in
  one forest trust all domains in another forest, but
  the trust isn’t transitive from one forest to another



External Trusts
• An external trust is a one way or two way
  nontransitive trust between two domains that aren’t
  in the same forest. Generally used in these
  circumstances:
    – To create a trust between two domains in different forests
    – To create a trust with a Windows 2000 or Windows NT domain




Realm Trusts
• Can be used to integrate users of other operating
  systems into a Windows Server 2008 domain or forest
• This requires the OS to be running the Kerberos V5
  authentication system that AD uses
• Kerberos is an open-standard security protocol
  used to secure authentication and identification
  between parties in a network
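The trust types above differ in two properties that decide whether a cross-domain access works at all: direction (which domain is trusting and which is trusted) and transitivity (whether the trust can be one link of a longer chain). The model below is an added example, not code from the textbook; the forests, domains and trusts in it are constructed. It records each trust as a one-way "trusting domain trusts trusted domain" edge, treats parent/child, tree-root and shortcut trusts as transitive, lets a path cross at most one forest trust, and allows an external trust only as the sole hop.

```powershell
# Added example (not from the textbook): which trust chains a resource domain will follow.
# Every domain and trust below is constructed. A two-way trust is two one-way records.
# Encoded rules: intra-forest trusts (ParentChild, TreeRoot, Shortcut) are transitive; a Forest
# trust is transitive between the two forests but a path may cross only one of them; an
# External trust is nontransitive, so it can only be the single hop of a path.

function Find-TrustPath {
    param(
        [Parameter(Mandatory)] [object[]] $Trusts,
        [Parameter(Mandatory)] [string]   $ResourceDomain,   # holds the resource; must (transitively) trust the user's domain
        [Parameter(Mandatory)] [string]   $UserDomain        # domain the user's account lives in
    )
    if ($ResourceDomain -eq $UserDomain) { return @($ResourceDomain) }

    # Breadth-first search from the resource domain along "trusting -> trusted" edges.
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Domain = $ResourceDomain; Path = @($ResourceDomain); ForestHops = 0 })
    $seen = @{ "$ResourceDomain|0" = $true }
    while ($queue.Count -gt 0) {
        $state = $queue.Dequeue()
        foreach ($t in $Trusts | Where-Object { $_.Trusting -eq $state.Domain }) {
            $forestHops = $state.ForestHops
            $transitive = $t.Kind -in 'ParentChild', 'TreeRoot', 'Shortcut', 'Forest'
            if ($t.Kind -eq 'Forest') {
                if ($forestHops -ge 1) { continue }            # forest trusts do not chain to a third forest
                $forestHops++
            }
            if (-not $transitive -and $state.Path.Count -gt 1) { continue }   # external trust cannot extend a chain
            $path = $state.Path + $t.Trusted
            if ($t.Trusted -eq $UserDomain) { return $path }
            if (-not $transitive) { continue }                 # nothing lies beyond a nontransitive hop
            $key = "$($t.Trusted)|$forestHops"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            $queue.Enqueue(@{ Domain = $t.Trusted; Path = $path; ForestHops = $forestHops })
        }
    }
    return $null
}

# Constructed forests: corp.example (children eu/us, second tree example.net), partner.com (child dev),
# acme.org, and an NT-style domain LEGACY that eu.corp.example trusts one-way via an external trust.
$twoWay = { param($a, $b, $kind) @{ Trusting = $a; Trusted = $b; Kind = $kind }, @{ Trusting = $b; Trusted = $a; Kind = $kind } }
$trusts = @(
    & $twoWay 'corp.example' 'eu.corp.example' 'ParentChild'
    & $twoWay 'corp.example' 'us.corp.example' 'ParentChild'
    & $twoWay 'corp.example' 'example.net'     'TreeRoot'
    & $twoWay 'partner.com'  'dev.partner.com' 'ParentChild'
    & $twoWay 'corp.example' 'partner.com'     'Forest'
    & $twoWay 'partner.com'  'acme.org'        'Forest'
    @{ Trusting = 'eu.corp.example'; Trusted = 'LEGACY'; Kind = 'External' }   # eu trusts LEGACY, not the reverse
)

function Show-TrustPath($trusts, $resource, $user) {
    $p = Find-TrustPath -Trusts $trusts -ResourceDomain $resource -UserDomain $user
    if ($p) { "$user -> resource in $resource : allowed via $($p -join ' trusts ')" }
    else    { "$user -> resource in $resource : no usable trust path" }
}
Show-TrustPath $trusts 'eu.corp.example' 'us.corp.example'   # two transitive parent/child hops: allowed
Show-TrustPath $trusts 'eu.corp.example' 'dev.partner.com'   # child -> root -> forest trust -> child: allowed
Show-TrustPath $trusts 'corp.example'    'acme.org'          # would need two forest trusts: no path
Show-TrustPath $trusts 'eu.corp.example' 'LEGACY'            # direct external trust: allowed
Show-TrustPath $trusts 'corp.example'    'LEGACY'            # external trust is nontransitive: no path
Show-TrustPath $trusts 'LEGACY'          'eu.corp.example'   # one-way trust, wrong direction: no path
```

The second case is the referral chain described under transitive trusts (three domain controllers must be contacted); a shortcut trust between `eu.corp.example` and `dev.partner.com` could not exist, since shortcut trusts are limited to one forest, but a shortcut between `eu.corp.example` and `us.corp.example` would turn the first case into a single hop. Against a real forest, `Get-ADTrust -Filter *` reports the same properties this model encodes: `Direction`, `IntraForest`, `ForestTransitive` and `TrustType`.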




Designing the Domain Structure
• Most small and medium businesses choose a
  single domain for reasons that include the
  following:
    –   Simplicity
    –   Lower costs
    –   Easier management
    –   Easier access to resources




Designing the Domain Structure (cont.)

• Using multiple domains makes sense or is even a
  necessity in the following circumstances:
    –   Compatibility with a Windows NT domain
    –   Need for differing account policies
    –   Need for different name identities
    –   Replication control
    –   Need for internal versus external domains
    –   Need for tight security




Understanding Sites
• AD site represents a physical location where DCs
  are placed and group policies can be applied
• First DC of a forest creates a site named Default-
  First-Site-Name once installed
• Three main reasons for establishing multiple sites:
    – Authentication efficiency
    – Replication efficiency
    – Application efficiency
• Sites are created using Active Directory Sites and
  Services

Site Components
• Subnets
    – Each site is associated with one or more IP subnets, and a subnet can
      only be associated with a single site
• Site Links
    – A site link is needed to connect two or more sites for replication
      purposes
    – Determine replication schedule and frequency between two sites
• Bridgehead Servers
    – Intersite replication occurs between bridgehead servers
    – One DC per site is designated as the Inter-Site Topology Generator
      (ISTG), which then designates a bridgehead server to handle
      replication for each directory partition



Site Links
• Intersite replication topology is determined by the
  cost values associated with site links
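What "determined by cost" means in practice is that the ISTG routes replication over the set of site links whose summed cost is lowest, so a cheap two-hop route through a hub beats an expensive direct link. The script below is an added example, not code from the textbook; its sites and site links are constructed, and it assumes the default of all site links being bridged (transitive), which is what lets a path span several links.

```powershell
# Added example (not from the textbook): least-cost replication path over constructed site links.
# A site link joins two or more sites; every pair of sites in it is reachable at the link's cost.
# Assumes site links are bridged (the default), so multi-link routes are allowed.

function Get-CheapestReplicationPath {
    param(
        [Parameter(Mandatory)] [object[]] $SiteLinks,   # @{ Name; Cost; Sites = @(...) }
        [Parameter(Mandatory)] [string]   $From,
        [Parameter(Mandatory)] [string]   $To
    )
    # Adjacency list: each site link contributes an edge between every pair of its sites.
    $adj = @{}
    foreach ($link in $SiteLinks) {
        foreach ($a in $link.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            foreach ($b in $link.Sites) {
                if ($a -ne $b) { $adj[$a] += @{ Site = $b; Cost = $link.Cost; Link = $link.Name } }
            }
        }
    }
    # Dijkstra over site-link costs.
    $dist = @{ $From = 0 }
    $prev = @{}
    $done = @{}
    while ($true) {
        $current = $dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if ($null -eq $current -or $current -eq $To) { break }
        $done[$current] = $true
        foreach ($edge in $adj[$current]) {
            $alt = $dist[$current] + $edge.Cost
            if (-not $dist.ContainsKey($edge.Site) -or $alt -lt $dist[$edge.Site]) {
                $dist[$edge.Site] = $alt
                $prev[$edge.Site] = @{ Site = $current; Link = $edge.Link }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }
    # Walk back from the destination to produce the hop list in order.
    $hops = @()
    $site = $To
    while ($site -ne $From) {
        $hops = @("$($prev[$site].Site) -[$($prev[$site].Link)]-> $site") + $hops
        $site = $prev[$site].Site
    }
    [pscustomobject]@{ From = $From; To = $To; TotalCost = $dist[$To]; Hops = $hops }
}

# Constructed hub-and-spoke topology. The direct Lab/Branch2 link exists but is priced high
# (a slow WAN circuit), so the ISTG should prefer the two-hop route through HQ.
$siteLinks = @(
    @{ Name = 'HQ-Branch1';      Cost = 100; Sites = @('HQ', 'Branch1') }
    @{ Name = 'HQ-Branch2';      Cost = 100; Sites = @('HQ', 'Branch2') }
    @{ Name = 'HQ-Lab';          Cost = 50;  Sites = @('HQ', 'Lab') }
    @{ Name = 'Lab-Branch2-DSL'; Cost = 400; Sites = @('Lab', 'Branch2') }
    @{ Name = 'Branch1-Branch2'; Cost = 300; Sites = @('Branch1', 'Branch2') }
)
Get-CheapestReplicationPath -SiteLinks $siteLinks -From 'Lab'     -To 'Branch2'   # via HQ: 50 + 100 = 150, not the 400 direct link
Get-CheapestReplicationPath -SiteLinks $siteLinks -From 'Branch1' -To 'Branch2'   # via HQ: 200, not the 300 direct link
```

Against a live forest the same inputs come from `Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded`; a link left at the default cost of 100 next to a deliberately priced one is a common reason replication takes an unexpected route.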

Chapter Summary
• Active Directory is based on the X.500 and LDAP
  standards, which are standard protocols for
  defining, storing, and accessing directory service
  objects
• OUs, the building blocks of the AD structure in a
  domain, can be designed to mirror a company’s
  organizational chart. Delegation of control can be
  used to give users some management authority in
  an OU.


Chapter Summary (cont.)
• Large organizations might require multiple
  domains, trees, and forests
• Directory partitions are sections of the AD
  database that hold varied types of data and are
  managed by different processes
• The forest is the broadest logical AD component.
  All domains in a forest share some common
  characteristics, such as a single schema, the global
  catalog, and trusts between domains


Chapter Summary (cont.)
• Trusts permit domains to accept user
  authentication from another domain and facilitate
  cross-domain and cross-forest resource access
  with a single logon
• A domain is the primary identifying and
  administrative unit of AD. Each domain has a
  unique name, and there’s an administrative
  account with full control over objects in the domain.
• An AD site represents a physical location where
  domain controllers reside.

MCTS Windows Server 2008 Active Directory             49

More Related Content

PPT
Mcts chapter 6
PPT
Mcts chapter 5
PPT
Mcts chapter 3
PPT
Mcts chapter 1
PPT
Mcts chapter 2
PPT
Windows Server 2008 Active Directory Guide
PPT
Chapter01 Introduction To Windows Server 2003
PDF
MCITP
Mcts chapter 6
Mcts chapter 5
Mcts chapter 3
Mcts chapter 1
Mcts chapter 2
Windows Server 2008 Active Directory Guide
Chapter01 Introduction To Windows Server 2003
MCITP

What's hot (20)

PDF
Windows Server 2003 Administration
PPTX
Introduction_of_ADDS
PPT
active-directory-domain-services
PPTX
Windows Server 2008 Active Directory
PPT
Windows Server 2008 (Active Directory Yenilikleri)
PPT
Chapter14 Windows Server 2003 Security Features
PPT
Mcts chapter 8
PPT
Active directory ii
PDF
6425 c 01
PPTX
Designing the active directory logical structure
PPT
Active Directory
PDF
Material modulo04 asf6501(6425-a_01)
PPTX
WINDOWS SERVER 2008
PDF
Material modulo01 asf6501(6419-a_01)
PPTX
Windows Server 2012 Managing Active Directory Domain
PDF
Material modulo02 asf6501(6425-b_01)
PDF
Material modulo03 asf6501(6425-b_02)
PPT
Chapter02 Managing Hardware Devices
PPTX
Active directory domain service
PDF
Active directory interview questions
Windows Server 2003 Administration
Introduction_of_ADDS
active-directory-domain-services
Windows Server 2008 Active Directory
Windows Server 2008 (Active Directory Yenilikleri)
Chapter14 Windows Server 2003 Security Features
Mcts chapter 8
Active directory ii
6425 c 01
Designing the active directory logical structure
Active Directory
Material modulo04 asf6501(6425-a_01)
WINDOWS SERVER 2008
Material modulo01 asf6501(6419-a_01)
Windows Server 2012 Managing Active Directory Domain
Material modulo02 asf6501(6425-b_01)
Material modulo03 asf6501(6425-b_02)
Chapter02 Managing Hardware Devices
Active directory domain service
Active directory interview questions
Ad

Viewers also liked (9)

PPT
200308 Active Directory Security
PPT
7th ed ppt ch07
PPT
Mcts chapter 7
PPT
Guide To Windows 7 - Installing Windows 7
DOCX
Types of network
PPTX
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
PPT
Windows Server 2008 R2 Overview
PPT
Guide To Windows 7 - Introduction to Windows 7
PPTX
17 roles of window server 2008 r2
200308 Active Directory Security
7th ed ppt ch07
Mcts chapter 7
Guide To Windows 7 - Installing Windows 7
Types of network
Microsoft, Active Directory, Security Management Tools and Where ManageEngine...
Windows Server 2008 R2 Overview
Guide To Windows 7 - Introduction to Windows 7
17 roles of window server 2008 r2
Ad

Similar to Mcts chapter 4 (20)

PPTX
Controlling Delegation of Windows Servers and Active Directory
PDF
Ch13 protection
PPT
98_364_Slides_Lesson05.ppt
PPT
Database administration and security
PPTX
Creating a fortress in your active directory environment
PPTX
Active-Directory-Domain-Services.pptx
PPTX
MCSA 70-412 Chapter 03
PPTX
Database Administration, Management & Security.pptx
PPT
Net essentials6e ch9
PPT
Net essentials6e ch9
PPTX
Oracle Database administration Security PPT
PPTX
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
PPTX
ORACLE OCI - Identity and Access Management Service
PPT
Active directory
PPTX
Active Directory for Auditors
PPTX
Change Monitoring of Active Directory
PDF
chapter01-introductiontowindowsserver2003-090505014519-phpapp02.pdf
PPTX
Oracle administration classes in mumbai
PDF
Active directory job_interview_preparation_guide
PPTX
Lecture 8 permissions
Controlling Delegation of Windows Servers and Active Directory
Ch13 protection
98_364_Slides_Lesson05.ppt
Database administration and security
Creating a fortress in your active directory environment
Active-Directory-Domain-Services.pptx
MCSA 70-412 Chapter 03
Database Administration, Management & Security.pptx
Net essentials6e ch9
Net essentials6e ch9
Oracle Database administration Security PPT
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
ORACLE OCI - Identity and Access Management Service
Active directory
Active Directory for Auditors
Change Monitoring of Active Directory
chapter01-introductiontowindowsserver2003-090505014519-phpapp02.pdf
Oracle administration classes in mumbai
Active directory job_interview_preparation_guide
Lecture 8 permissions

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Empathic Computing: Creating Shared Understanding
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Encapsulation theory and applications.pdf
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPTX
Spectroscopy.pptx food analysis technology
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
TLE Review Electricity (Electricity).pptx
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
1. Introduction to Computer Programming.pptx
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPTX
Machine Learning_overview_presentation.pptx
PDF
NewMind AI Weekly Chronicles - August'25-Week II
Per capita expenditure prediction using model stacking based on satellite ima...
Unlocking AI with Model Context Protocol (MCP)
Encapsulation_ Review paper, used for researhc scholars
Heart disease approach using modified random forest and particle swarm optimi...
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Empathic Computing: Creating Shared Understanding
Reach Out and Touch Someone: Haptics and Empathic Computing
Encapsulation theory and applications.pdf
Diabetes mellitus diagnosis method based random forest with bat algorithm
Spectroscopy.pptx food analysis technology
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
TLE Review Electricity (Electricity).pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Programs and apps: productivity, graphics, security and other tools
1. Introduction to Computer Programming.pptx
Group 1 Presentation -Planning and Decision Making .pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Machine Learning_overview_presentation.pptx
NewMind AI Weekly Chronicles - August'25-Week II

Mcts chapter 4

  • 1. MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 4: Active Directory Design and Security Concepts
  • 2. Objectives • Work with organizational units • Work with forests, trees, and domains • Describe the components of a site MCTS Windows Server 2008 Active Directory 2
  • 3. Working with Organizational Units • Active Directory is based upon standards (LDAP and X.500) • Lightweight Directory Access Protocol (LDAP) – Created by the Internet Engineering Task Force (IETF) – Based on the X.500 Directory Access Protocol (DAP) – Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory • LDAP has presence on other operating systems as well, and can be used to integrate them with Active Directory MCTS Windows Server 2008 Active Directory 3
  • 4. Working with Organizational Units (cont.) • Benefits of using OUs: – You can create familiar hierarchical structures based on an organizational chart to allow easy resource access – Delegation of administrative authority – Able to change OU structure easily – Can group users and computers for the purposes of assigning administrative and security policies – Can hide AD objects for confidentiality or security reasons MCTS Windows Server 2008 Active Directory 4
  • 5. OU Delegation of Control • Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks • Allows specific control of what someone with delegated control may do • Commonly delegated tasks include – Create, delete, and manager user accounts – Reset user passwords and force password change at next logon – Read all user information – Create, delete, and manage groups – Modify the membership of a group – Manage group policy links – Generate Resultant Set of Policy (Planning) – Generate Resultant Set of Policy (Logging) MCTS Windows Server 2008 Active Directory 5
  • 6. OU Delegation of Control (cont.) • Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance. • Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not • By default, the OU’s properties don’t show that another user has been delegated control • Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions. MCTS Windows Server 2008 Active Directory 6
  • 7. Active Directory Object Permissions • Three types of objects can be assigned permission to access an AD object: Users, groups, and computers. These object types are referred to as security principals • AD object’s security settings are composed of three components: – Discretionary access control list (DACL) • Each entry referred to as an access control entry (ACE) – Object owner • Usually the user account that created the object or a group or user who has been assigned ownership – System access control list (SACL) • Defines the settings for auditing access to an object MCTS Windows Server 2008 Active Directory 7
  • 8. Active Directory Permissions (cont.) • Each object has a list of standard permissions and a list of special permission • Each permission can be set to Allow or Deny, and five standard permissions are available for most objects: – Full control – Read – Write – Create all child objects – Delete all child objects MCTS Windows Server 2008 Active Directory 8
  • 9. Active Directory Permissions (cont.) • Users can be assigned permission to an object in three different ways: – User’s account is added to the object’s DACL, a method referred to as explicit permission – A group the user belongs to is added to the object’s DACL – The permission is inherited from a parent object’s DACL to which the user or group account has been added. • A user’s effective permissions are a combination of the assigned permissions. • Deny permissions override Allow permissions – Except: when the Deny permission is inherited from a parent object, and the Allow permission is explicitly added to the object’s DACL, the Allow permission takes precedence MCTS Windows Server 2008 Active Directory 9
  • 10. Using Deny in an ACE • If a security principal isn’t represented in an object’s DACL, it doesn’t have access to the object • Deny permissions are not required for every object to prevent access • Deny permission usually used in cases of exception, such as when you don’t want a user to be able to delete child objects in an OU, but still want to grant access MCTS Windows Server 2008 Active Directory 10
11. Permission Inheritance in OUs
• Permission inheritance defines how permissions are transmitted from a parent object to a child object
• All objects in AD are child objects of the domain
• By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU
12. Advanced Features Option in Active Directory Users and Computers
• Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the View menu. Afterwards, four new folders are shown:
    – LostAndFound
    – Program Data
    – System
    – NTDS (NT Directory Service)
13. Advanced Features Option in Active Directory Users and Computers (cont.)
• The Properties dialog box of domain, folder, and OU objects will now have three new tabs:
    – Object
        • Used to view detailed information about a container object
    – Security
        • Used to view and modify an object’s permissions
    – Attribute Editor
        • Used to view and edit an object’s attributes
14. Effective Permissions
• Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal
• Can come from assignments made directly to a single user account or to a group the user belongs to
• Explicit permissions override inherited permissions, and can create some exceptions to the rule that Deny permissions override Allow permissions
15. Effective Permissions (cont.)
• Most common settings for permission inheritance:
    – This object only
        • The permission setting isn’t inherited by child (descendant) objects
    – This object and all descendant objects
        • The permission setting applies to the current object and is inherited by all child objects
    – All descendant objects
        • The permission setting doesn’t apply to the selected object but is inherited by all child objects
    – Descendant [object type] objects
        • The permission is inherited only by specific child object types, such as user, computer, or group objects
• Permission inheritance is enabled by default on child objects, but can be disabled
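The evaluation rules on slides 7 to 15 (no ACE means no access, Deny overrides Allow, an explicit Allow beats an inherited Deny, and ACEs carry an inheritance scope) are easier to check against concrete cases than to reason about in the abstract. The following Python model is an added example, not code from the course or from Microsoft: the domain, OUs, users and groups are constructed, and the evaluation order is a simplified model of the slides’ rules rather than the full Windows ACL algorithm.

```python
"""Model of the DACL evaluation rules stated on slides 7 to 15.

Constructed example (not Microsoft's implementation): object names, OUs,
users and groups below are made up. It reproduces the rules the slides give:
a principal absent from the DACL has no access, Deny overrides Allow except
that an explicit Allow beats an inherited Deny, and each ACE carries an
inheritance scope ("this object only", "all descendant objects", ...).
"""
from dataclasses import dataclass, field
from typing import Optional

# The standard permissions; "Full control" expands to all the others.
STANDARD = frozenset({"Read", "Write", "Create all child objects",
                      "Delete all child objects"})


@dataclass
class ACE:
    principal: str            # user, group or computer (a security principal)
    kind: str                 # "Allow" or "Deny"
    permissions: frozenset
    applies_to: str = "this_and_descendants"
    # applies_to: this_only | this_and_descendants | descendants_only
    #             | descendant:<object type>, e.g. "descendant:user"

    def rights(self) -> frozenset:
        return STANDARD if "Full control" in self.permissions else self.permissions


@dataclass
class ADObject:
    name: str
    obj_type: str             # "organizationalUnit", "user", "group", ...
    dacl: list = field(default_factory=list)
    parent: Optional["ADObject"] = None
    inherit: bool = True      # inheritance is on by default but can be blocked


def _applies(ace: ACE, obj: ADObject, inherited: bool) -> bool:
    """Does this ACE apply to obj, given whether it came from an ancestor?"""
    scope = ace.applies_to
    if scope == "this_only":
        return not inherited
    if scope == "this_and_descendants":
        return True
    if scope == "descendants_only":
        return inherited
    if scope.startswith("descendant:"):
        return inherited and obj.obj_type == scope.split(":", 1)[1]
    raise ValueError(f"unknown scope {scope}")


def applicable_aces(obj: ADObject):
    """Yield (ace, inherited) pairs: the object's own DACL, then ancestors'
    entries as long as inheritance has not been blocked on the way up."""
    for ace in obj.dacl:
        if _applies(ace, obj, False):
            yield ace, False
    node = obj
    while node.inherit and node.parent is not None:
        node = node.parent
        for ace in node.dacl:
            if _applies(ace, obj, True):
                yield ace, True


def effective_permissions(obj: ADObject, user: str, groups=()) -> set:
    """Combine direct and group ACEs into the user's effective permissions."""
    principals = {user, *groups}
    buckets = {("Allow", False): set(), ("Deny", False): set(),
               ("Allow", True): set(), ("Deny", True): set()}
    for ace, inherited in applicable_aces(obj):
        if ace.principal in principals:
            buckets[(ace.kind, inherited)] |= ace.rights()
    explicit_allow, explicit_deny = buckets[("Allow", False)], buckets[("Deny", False)]
    inherited_allow, inherited_deny = buckets[("Allow", True)], buckets[("Deny", True)]
    # Explicit entries win over inherited ones; at the same level Deny wins.
    return (explicit_allow - explicit_deny) | (inherited_allow - inherited_deny - explicit_deny)


def build_example() -> dict:
    """Constructed directory: a domain, two OUs and two user objects."""
    domain = ADObject("DC=example,DC=local", "domainDNS", dacl=[
        ACE("HelpDesk", "Allow", frozenset({"Read", "Write", "Delete all child objects"})),
        ACE("Interns", "Allow", frozenset({"Read"})),
        ACE("Interns", "Deny", frozenset({"Write"}), applies_to="descendant:user"),
    ])
    # Exception case from slide 10: HelpDesk keeps access to the Sales OU but
    # must not delete its child objects.
    sales = ADObject("OU=Sales", "organizationalUnit", parent=domain, dacl=[
        ACE("HelpDesk", "Deny", frozenset({"Delete all child objects"}), applies_to="this_only"),
    ])
    # Explicit Allow on the user object beats the inherited Deny from the domain.
    carol = ADObject("CN=Carol", "user", parent=sales, dacl=[
        ACE("Interns", "Allow", frozenset({"Write"}), applies_to="this_only"),
    ])
    erin = ADObject("CN=Erin", "user", parent=sales)
    # Inheritance blocked: only the entries on the OU itself count.
    secret = ADObject("OU=Secret", "organizationalUnit", parent=domain, inherit=False, dacl=[
        ACE("Domain Admins", "Allow", frozenset({"Full control"})),
    ])
    return {"domain": domain, "sales": sales, "carol": carol, "erin": erin, "secret": secret}


if __name__ == "__main__":
    for name, obj in build_example().items():
        print(name, sorted(effective_permissions(obj, "alice", {"HelpDesk"})))
```

Running it shows the HelpDesk member keeping Read and Write on the Sales OU while losing Delete there, the intern’s explicit Write on one user object surviving the domain-wide inherited Deny, and the blocked-inheritance OU yielding nothing at all for anyone not named on its own DACL. When auditing delegation, the last two cases (explicit Allow exceptions and blocked inheritance) are the ones that silently diverge from what the parent OU’s DACL suggests.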
16. Working with Forests, Trees, and Domains
• Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests
• Installing the first domain controller creates more than just a new domain: it also creates the root of a new tree and the root of a new forest
    – It may eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure
17. Active Directory Terminology
• Directory partitions
• Operations master roles
• Active Directory replication
• Trust relationships
18. Directory Partitions
• Each section of an Active Directory database is referred to as a directory partition. There are five directory partition types in the AD database:
    – Domain directory partition
        • Contains all objects in a domain, including users, groups, computers, OUs, and so forth
    – Schema directory partition
        • Contains information needed to define AD objects and object attributes
    – Global catalog partition
        • Holds the global catalog, which is a partial replica of all objects in the forest
    – Application directory partition
        • Used by applications and services to hold information that benefits from
    – Configuration partition
        • Holds configuration information that can affect the entire forest
19. Operations Master Roles
• Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function
• The first domain controller in the forest generally takes on the role of the operations master
• If necessary, responsibility for these roles can be transferred to another domain controller
20. Operations Master Roles (cont.)
• There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles, in an AD forest:
    – Schema master
    – Infrastructure master
    – Domain Naming master
    – RID master
    – PDC Emulator master
• When removing DCs from a forest, be careful that these roles are not removed from the network accidentally
21. Active Directory Replication
• Replication is the process of maintaining a consistent database of information when the database is distributed among several locations
• Intrasite replication
    – Replication between domain controllers in the same site
• Intersite replication
    – Occurs between two or more sites
• Multimaster replication
    – Used by AD for replicating AD objects: any DC can accept a change, which is then replicated to the others
• The Knowledge Consistency Checker (KCC) runs on all DCs
    – Determines the replication topology, which defines the domain controller path that AD changes flow through, and ensures no more than three hops exist between any two DCs
22. Active Directory Replication (cont.)
23. Trust Relationships
• In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain
• Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest
• Trusts do not equal permissions
24. The Role of Forests
• All domains in a forest share some common characteristics:
    – A single schema
    – Forestwide administrative accounts
    – Operations masters
    – Global catalog
    – Trusts between domains
    – Replication between domains
25. The Importance of the Global Catalog Server
• The first DC installed in a forest is automatically designated as a global catalog server, but additional global catalog servers can be configured as well
• Global catalog servers perform the following vital functions:
    – Facilitate domain and forestwide searches
    – Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN)
    – Hold universal group membership information
26. Forest Root Domain
• The first domain is the forest root and is referred to as the forest root domain
• Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate
• Functions the forest root domain usually handles:
    – DNS server
    – Global catalog server
    – Forestwide administrative accounts
    – Operations masters
27. Forest Root Domain (cont.)
28. Forest Root Domain (cont.)
• Due to the importance of the forest root domain’s functionality, some organizations choose a dedicated forest root domain
• The advantages of running a dedicated forest root domain include the following:
    – More secure
    – More manageable
    – More flexible
29. Forest Root Domain (cont.)
30. Choosing a Single or Multiple Forest Design
• Most organizations operate under a single AD forest, which has a number of advantages:
    – A common Active Directory structure
    – Easy access to network resources
    – Centralized management
• The advantages of a single-forest structure are also limitations in many respects; diversity within an organization may make a single-forest design unfeasible. A multiple-forest design includes the following advantages:
    – Differing schemas are possible
    – Security boundaries
    – Separate administration
31. Understanding Trusts
• Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain
• Types of trust:
    – One-way and two-way trusts
    – Transitive trusts
    – Shortcut trusts
    – Forest trusts
    – External trusts
    – Realm trusts
32. Understanding Trusts (cont.)
33. One-Way and Two-Way Trusts
• A one-way trust exists when one domain trusts another, but the reverse is not true
    – When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa
    – In this case domainA is the trusting domain and domainB is the trusted domain
• More common is the two-way trust, in which users from both domains can be given access to resources in the other domain
34. Transitive Trusts
• A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C
• If one domain trusts another domain, and that domain trusts a third domain, then the first domain has a transitive trust with the third domain
• In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination. This can cause substantial delays.
35. Transitive Trusts (cont.)
36. Shortcut Trusts
• A shortcut trust is configured manually between domains to bypass the normal referral process
• Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest
• Shortcut trusts can reduce delays caused by the referral process
37. Shortcut Trusts (cont.)
38. Forest Trusts
• A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest
• Forest trusts are not possible in Windows 2000 forests
• They are transitive in the sense that all domains in one forest trust all domains in the other forest, but the trust isn’t transitive from one forest to a third forest
39. External Trusts
• An external trust is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest. It is generally used in these circumstances:
    – To create a trust between two domains in different forests
    – To create a trust with a Windows 2000 or Windows NT domain
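Slides 31 to 39 describe several trust types by their direction and transitivity, and slide 34 notes that every domain along a trust path costs one referral. The model below, an added example that is not part of the course or of Microsoft’s code, builds a constructed topology (made-up forest and domain names) and walks trusts from the trusting domain toward the trusted one to answer "can a user from domain X reach a resource in domain Y, and through how many referrals?". A shortcut trust is modelled as an extra transitive edge; a forest trust may be crossed at most once on a path; an external trust is usable only as a direct single hop. This is a simplified model of the rules the slides state, not the Kerberos referral mechanism itself.

```python
"""Model of the trust types on slides 31 to 39: one-way/two-way, transitive
parent-child, shortcut, forest and external (nontransitive) trusts.

Constructed example, not part of the slides or Microsoft's code: the domain
and forest names are made up. Each hop in a returned path is one referral to
a domain controller in that domain (slide 34); a shortcut trust is modelled
simply as an extra transitive edge that shortens the path.
"""
from collections import deque

# Trust kinds and whether the slides describe them as transitive.
TRANSITIVE = {"parent-child": True, "shortcut": True, "forest": True, "external": False}


class TrustMap:
    def __init__(self):
        self.forest_of = {}     # domain -> forest name
        self.trusts = {}        # trusting domain -> list of (trusted domain, kind)

    def add_domain(self, domain: str, forest: str) -> None:
        self.forest_of[domain] = forest
        self.trusts.setdefault(domain, [])

    def add_trust(self, trusting: str, trusted: str, kind: str, two_way: bool = True) -> None:
        """trusting trusts trusted: users of 'trusted' may reach resources in 'trusting'."""
        if kind not in TRANSITIVE:
            raise ValueError(kind)
        if kind in ("parent-child", "shortcut") and self.forest_of[trusting] != self.forest_of[trusted]:
            raise ValueError(f"{kind} trusts only exist within one forest")
        self.trusts.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            self.trusts.setdefault(trusted, []).append((trusting, kind))

    def access_path(self, resource_domain: str, user_domain: str):
        """Domains crossed for a user in user_domain to reach resource_domain,
        following trusts from trusting to trusted; None if no usable path."""
        if resource_domain == user_domain:
            return [resource_domain]
        # A direct trust of any kind, even a nontransitive external one, is a single hop.
        for trusted, _ in self.trusts.get(resource_domain, []):
            if trusted == user_domain:
                return [resource_domain, user_domain]
        # Otherwise breadth-first search over transitive trusts (fewest hops first).
        start = (resource_domain, False)           # (domain, forest trust already crossed)
        queue = deque([(start, [resource_domain])])
        seen = {start}
        while queue:
            (domain, crossed_forest), path = queue.popleft()
            for trusted, kind in self.trusts.get(domain, []):
                if not TRANSITIVE[kind]:
                    continue                        # external trusts never chain
                crosses = kind == "forest"
                if crosses and crossed_forest:
                    continue                        # forest trusts don't reach a third forest
                state = (trusted, crossed_forest or crosses)
                if state in seen:
                    continue
                seen.add(state)
                if trusted == user_domain:
                    return path + [trusted]
                queue.append((state, path + [trusted]))
        return None


def build_example(shortcut: bool = False) -> TrustMap:
    """Constructed topology: a three-level forest, a partner forest, a third
    forest trusted only by the partner, and a legacy domain joined by an
    external trust."""
    t = TrustMap()
    for d in ("corp.example", "east.corp.example", "west.corp.example", "lab.west.corp.example"):
        t.add_domain(d, "corp")
    for d in ("partner.example", "hr.partner.example"):
        t.add_domain(d, "partner")
    t.add_domain("vendor.example", "vendor")
    t.add_domain("LEGACY", "LEGACY")               # Windows NT style domain, no forest
    t.add_trust("corp.example", "east.corp.example", "parent-child")
    t.add_trust("corp.example", "west.corp.example", "parent-child")
    t.add_trust("west.corp.example", "lab.west.corp.example", "parent-child")
    t.add_trust("partner.example", "hr.partner.example", "parent-child")
    t.add_trust("corp.example", "partner.example", "forest")
    t.add_trust("partner.example", "vendor.example", "forest")
    # One-way external trust: east trusts LEGACY, so LEGACY users can reach east resources.
    t.add_trust("east.corp.example", "LEGACY", "external", two_way=False)
    if shortcut:
        t.add_trust("east.corp.example", "lab.west.corp.example", "shortcut")
    return t


if __name__ == "__main__":
    for sc in (False, True):
        path = build_example(sc).access_path("east.corp.example", "lab.west.corp.example")
        print("shortcut" if sc else "no shortcut", "->", len(path) - 1, "referrals:", path)
```

Without the shortcut, a user in the lab child domain reaching a resource in the east child domain needs three referrals (up through west and the forest root, then down to east); the shortcut cuts that to one. The partner forest’s domains are reachable through the single forest trust, but the vendor forest, which only the partner trusts, is not, and the legacy domain is reachable only from the one domain that holds the external trust, never from its parent. As slide 23 says, a reachable path only means authentication can be referred; it grants no permissions by itself.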
40. Realm Trusts
• Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest
• This requires the OS to be running the Kerberos V5 authentication system that AD uses
• Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network
41. Designing the Domain Structure
• Most small and medium businesses choose a single domain for reasons that include the following:
    – Simplicity
    – Lower costs
    – Easier management
    – Easier access to resources
42. Designing the Domain Structure (cont.)
• Using multiple domains makes sense, or is even a necessity, in the following circumstances:
    – Compatibility with a Windows NT domain
    – Need for differing account policies
    – Need for different name identities
    – Replication control
    – Need for internal versus external domains
    – Need for tight security
43. Understanding Sites
• An AD site represents a physical location where DCs are placed and group policies can be applied
• The first DC of a forest creates a site named Default-First-Site-Name once installed
• Three main reasons for establishing multiple sites:
    – Authentication efficiency
    – Replication efficiency
    – Application efficiency
• Sites are created using Active Directory Sites and Services
44. Understanding Sites (cont.)
45. Site Components
• Subnets
    – Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site
• Site links
    – A site link is needed to connect two or more sites for replication purposes
    – Determine the replication schedule and frequency between two sites
• Bridgehead servers
    – Intersite replication occurs between bridgehead servers
    – One DC is designated as the Inter-Site Topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition
46. Site Links
• The intersite replication topology is determined by the cost value associated with site links
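Slides 45 and 46 make two claims that are worth seeing worked through: a subnet maps to exactly one site, and intersite replication follows site-link cost. The Python below is an added example, not the course’s or Microsoft’s code; the sites, subnets and costs are constructed. It treats a site link as a full mesh among the sites it connects at that link’s cost and finds the cheapest route with Dijkstra’s algorithm, which models cost-based route selection only, not the full ISTG/KCC behaviour or site link bridging settings.

```python
"""Model of the site components on slides 43 to 46: subnets mapped to a
single site, and intersite replication routed over the cheapest site links.

Constructed example, not Microsoft's code or the slides': site names,
subnets and link costs are made up. Site links are modelled as cliques
(every site on a link can replicate with every other site on it at that
link's cost) and the cheapest path is found with Dijkstra's algorithm.
"""
import heapq
import ipaddress

# Constructed subnet-to-site table; a subnet maps to exactly one site.
SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.200.0/24": "DR",        # carve-out inside HQ's range: longest prefix wins
    "10.2.0.0/24": "Branch1",
    "10.3.0.0/24": "Branch2",
}

# Constructed site links: name -> (cost, sites connected by the link).
SITE_LINKS = {
    "HQ-Branch1": (100, {"HQ", "Branch1"}),
    "HQ-DR": (200, {"HQ", "DR"}),
    "Branch1-Branch2": (100, {"Branch1", "Branch2"}),
    "DR-Branch2": (50, {"DR", "Branch2"}),
    "HQ-Branch2-slow": (500, {"HQ", "Branch2"}),   # expensive direct link
}


def site_for_ip(ip: str, subnets=SUBNETS):
    """Return the site a host belongs to, choosing the most specific subnet,
    or None if no subnet covers the address (such hosts are worth auditing,
    since they fall back to whatever DC answers rather than a local one)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def _adjacency(site_links):
    """Expand each site link into pairwise edges carrying the link's cost."""
    adj = {}
    for cost, sites in site_links.values():
        for a in sites:
            for b in sites:
                if a != b:
                    adj.setdefault(a, []).append((b, cost))
    return adj


def cheapest_replication_path(src: str, dst: str, site_links=SITE_LINKS):
    """(total cost, [sites]) of the lowest-cost route between two sites,
    or None when no chain of site links connects them."""
    adj = _adjacency(site_links)
    best = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue                     # stale heap entry
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, link_cost in adj.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    return None


if __name__ == "__main__":
    print("10.1.200.9 is in site", site_for_ip("10.1.200.9"))
    print("HQ -> Branch2:", cheapest_replication_path("HQ", "Branch2"))
```

With these constructed costs, HQ replicates to Branch2 through Branch1 (cost 200) rather than over the direct link costed at 500 or via DR (250), which is exactly how an administrator steers replication away from an expensive WAN link without deleting it. The subnet lookup also shows why a subnet must belong to one site: a host in 10.1.200.0/24 lands in DR, not HQ, because the more specific subnet wins.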
47. Chapter Summary
• Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects
• OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company’s organizational chart. Delegation of control can be used to give users some management authority in an OU.
48. Chapter Summary (cont.)
• Large organizations might require multiple domains, trees, and forests
• Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes
• The forest is the broadest logical AD component. All domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains
49. Chapter Summary (cont.)
• Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon
• A domain is the primary identifying and administrative unit of AD. Each domain has a unique name, and there’s an administrative account with full control over objects in the domain.
• An AD site represents a physical location where domain controllers reside.