SlideShare a Scribd company logo

Win2KServer Active Directory

Download as PPT, PDF
Phil Ashman, profile picture
Phil Ashman

Active Directory (AD) is a directory service integrated into Windows 2000 that centralizes network resource management, enhances security, and enables efficient user and resource management across multiple domains and trees in a hierarchical structure. It uses a multi-master replication model to maintain data consistency and supports various authentication protocols to strengthen network security. AD's architecture consists of logical and physical structures, including domains, organizational units, trees, and forests, which facilitate administrative tasks and user access control throughout a distributed network environment.

Technology
1 of 78
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
Active Directory Presentation Windows 2000 Server
Breakdown… • What is Active Directory • Structure of Active Directory • Objects • Domains – Trees and Forests • Replication • Security • Kerberos • Trusts
Overview of Active Directory • Active Directory is a directory service, which means it both stores data about your network resources and provides methods of accessing and distributing that data. Directory service that stores data about users and groups, shared folders, and other network resources. • Active Directory lets you centrally manage your network. • Administrative tasks can be performed from a single location.
What Is Active Directory? • Active Directory is an essential and inseparable part of the Windows 2000 network architecture that improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.
• Active Directory lets organizations efficiently share and manage information about network resources and users. • Active Directory acts as the central authority for network security, letting the operating system readily verify a user’s identity and control for his or her access to network resources. • It acts as an integration point for bringing systems together and consolidating management tasks.
How does Active Directory Work? • AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments.
Single Point of Administration • For all published resources, incl. Files, peripheral devices, host connections, databases, Web access, users, services… • It uses the Internet Domain Name Service (DNS) as its locator service. • No primary domain controller (PDC) or backup domain controller (BDC). Uses domain controllers (DCs). • Allows multiple domains to be connected into a tree structure.
What are the benefits of Active Directory • Simplifies management tasks. • Strengthens network security. • Makes use of existing systems through interoperability.
Simplifies Management • Single place to manage users, groups and network resources, as well as distribute software and manage desktop. – Eliminates redundant management tasks. – Reduces trips to the desktop. – Better maximizes IT resources. – Lowers total cost of ownership (TCO).
• Eliminates redundant management tasks. • Provides a single point of management for Windows user accounts, clients, servers, and applications. • Reduces trips to the desktop. • Automatically distributes software to users based on their role in the company, reducing or eliminating multiple trips that system administrators need to make for software installation and configuration. • Better maximizes IT resources. • Securely delegates administrative functions to all levels of an organization. • Lowers total cost of ownership (TCO). • Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
Simplifies Management Delegate Management Tasks to Office Admins Company Users Machines Devices Applications Color Printer Marketing Personnel in Building 6 Give ‘Personnel’ Members the Human Resources Application
Strengthens Security • Support for multiple authentication protocols such as Kerberos, X.509 certificates, and smart cards. • Flexible access control model – enables powerful and consistent security services for internal desktop users, remote dial-up users, and external commerce customers. • Improves password security and management. • Ensures desktop functionality. • Speeds e-business deployment. • Tightly controls security.
• Improves password security and management. • Providing single sign-on to network resources with integrated, high powered security services that are transparent to end users. • Ensures desktop functionality. • Locking-down desktop configurations and preventing access to specific client machine operations. Ex: software installations and registry editing. • Speeds e-business deployment. • Built-in support for secure Internet-standard protocols and authentication mechanisms. Ex: Kerberos, public key infrastructure (PKI), lightweight directory access protocol (LDAP). • Tightly controls security. • Setting access control privileges on directory objects and the individual data elements that make them up.
Extends Interoperability • Active Directory provides a set of standard interfaces for application integration and open synchronization mechanisms to ensure that Windows can interoperate with a wide variety of applications and devices.
It Does So By… • Taking advantage of existing investments and ensures flexibility. • Consolidating management of multiple application directories. Using open interfaces, connectors, and synchronization mechanisms. Incl. Novell’s NDS, LDAP, ERP, e-mail… • Allowing organizations to deploy directory-enabled networking. Assign quality of service and allocated network bandwidth to users based on their role in the company. • Allowing organizations to develop and deploy directory-enabled applications.
Interoperability Application: Exchange Policy: Give ‘Personnel’ Mailbox information Access to ‘Change Salary’ Menu options. Company Users Machines Devices Applications Finance Personnel Policy: Give ‘Finance’ more bandwidth at the end of the month.
Active Directory as a Service Provider • Used to locate all network services and information. • Fulfills a wide variety of naming, query, administrative and registration needs. Submit Exchange Mail DNS Mail Client Mail Microsoft.com Recipient referral Lookup Address Book http/shttp Server Admin/ browse Directory Service Replication SQL Server Register Service Credential Security management Query Dynamic Services
Directory Partitions • The data stored within AD is actually broken into three distinct areas called directory partitions. • Each partition records and stores a specific type of information. • The three directory partitions that exists: • Domain Partition • Schema Partition • Configuration Partition
• Domain Partition • Holds data regarding domain-specific objects, including users, groups, and computers. • Schema Partition • Contains data that defines which objects can be created within AD and specifies rules regarding these objects, such as mandatory properties. • Configuration Partition • Contains information about your AD structure, such as domain and DCs that exist.
The Structure of Active Directory • Active Directory is made up of two distinct structures: • The logical structure. • The physical structure. • Design of Active Directory implementation deals with the logical aspects. • Deciding where each component will be on your network deals with the physical aspects.
The Logical Structure • There are five logical components in Active Directory: • Domains • Organization Units (OUs) • Trees • Forests • Global Catalogs (GCs)
Domains • A domain is a security boundary. • Each domain has its own administrators that can be assigned full control over the domain. • Entity which has its own users and groups. • Users can be granted permissions in other domains. • Domains are used for replication purposes. • Can run in one of two modes: • Native (must be running to achieve full functionality) • Mixed
Organizational Units (OUs) • Organizational Units are container objects that are used to organize objects within the directory. • Commonly contain user and group objects. • They can also contain computers and other OUs. • Permissions can be assigned at the OU level both to grant container objects access to other network resources (or to deny them) and to assign specific users administrative privileges. • Administration of objects within an OU can be delegated. • Assign permissions to manage these objects to groups other than domain administrators.
Hierarchical Organization • Active Directory uses objects to represent network resources such as users, groups, machines, devices, and applications. • It uses containers to represent organizations, such as marketing department, or collections of related objects, such as printers. • It organizes information in a hierarchical structure made up of these objects and containers, similar to the way the Windows Operating system uses folders and files to organize information on a computer.
Containers and Objects Company Users Machines Devices Applications Marketing Personnel = Container = Object
Objects in Active Directory • Objects within AD include users, groups, computers, servers, domains, and sites. • Since data is stored as objects, users can search through the directory for objects they wish to access. • Objects also have attributes which a user can use in his/her search. • In order to understand how data is defined within AD, you must be aware of the Schema.
The Schema • The Schema is a definition of all the objects and their attributes. • Since there is a single schema for an entire Windows 2000 forest, you can achieve consistency no matter how large the enterprise. • Two types of definitions can be stored in the schema. 1. Object Classes 2. Attributes
Object Classes • Object classes define the types of objects that can be stored within Active Directory. • Each class consists of a class name and a set of attributes that are associated with the object.
Attributes • Attributes are stored separately within the schema • Allows for further consistency within the database, because a single definition for the “last name” attribute can be used over and over again.
Object-Oriented Storage Company Users Machines Devices Applications Marketing Personnel Name: Bob Jones = Container Email: bob@abc.com = Object Phone: 555-1234 SSN: 456-7
Object-Oriented Storage • In this case, the system administrator has allowed global access to the Bob Jones object, but has locked access of the Social Security Number attribute.
Schema Security • To prevent it from being modified without permissions, each object is secured using Discretionary Access Control Lists (DACLs). • These DACLs ensure that only authorized users are able to access schema.
A little more about Schema • The file schema.ini contains the default schema’s definition, as well as the initial structure for the file ntds.dir (stores directory data). • The %systemroot%ntds directory contains the file schema.ini. • The file is in plain ASCII format.
Trees • Domains are combined to produce a tree. • A hierarchical representation of the Windows 2000 network. • First domain installed is called the root domain and all subsequent domains are installed beneath this root domain. • All domains is a tree share a common schema and GC.
Domain Tree • A domain tree exists when one domain is the child of another domain. • Ex. Root.com – since domains are DNS names. • If the administrator renames a part of the tree, all of the parent’s children are also implicitly renamed. • Ex. ntfaq.com renamed to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com
Domain Tree Diagram root.com child1.root.com child2.root.com These child domains continue to utilize the same contiguous name (root.com) while branching out with additional naming for organizational gran.child1.root.com purposes. Ex. child1.root.com
Domain Tree Advantages • All members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children. • Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree. • You can use one network logon at any workstation in the domain tree.
Forests • A forest is a collection of trees. • Tree in a forest do not have to share a contiguous namespace. • Must share a common schema and GC. • Forests allows users in two different trees to access resources in a different namespace. • Useful when a company has multiple root DNS addresses.
Forest Diagram Transitive Kerberos Trust Joining the two trees makes a forest root.com ntfaq.com child1.root.com child2.root.com legal.ntfaq.com ads.ntfaq.com gran.child1.root.com banner.ads.ntfaq.com
Benefits of a Forest • All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest. • All the trees contain a common schema. • Performing a search in a forest initiates a deep search of the entire tree in the domain you initiate the request from and uses GC entries for the rest of the forest.
Global Catalogs (GCs) • A GC server is also a DC (Domain Controller). • It contains data about all objects within a forest. • GC contains the permissions list for all the objects, therefore can also grant access. • Stored locally on a DC – reduces network traffic. • Benefit: • To make the logical structure of the Windows 2000 network invisible to the users. • Reduction of network traffic.
Purpose of Global Catalog • Designed for high performance. • Allows users to easily find an object regardless of where it is in the tree – searching using selected attributes. • Attributes contained in a abbreviated catalog. • Technique known as partial replication.
Global Catalog Structure Domain 1 Partial Replicas Domain 2 Full Replicas Domain n The global catalog structure provides access to full and partial replication.
Physical Structure • Used to manage network traffic on the network. • Element that makes up the physical structure: • Domain controllers (DCs)
Domain Controllers (DCs) • A domain controller (DC) is a server on a Windows 2000 network that stores a replica of the Active Directory database. • Its job is to manage access to this data via searches and also accept and make changes to the data. • Replicates changes to all other DCs in the domain. • Manage authentication of users. • Assigning a security token that contains a list of group memberships and permissions to each user.
Replication • Replication ensures that data recorded in one copy is disseminated to all other copies in the domain. • Windows 2000 uses multi-master replication. • Each DC is a master of its copy of AD. • The DC can accept changes and will then propagate them out to other DCs. • Replication – updating information from one DC to another.
The Replication Process • Replication occurs when an update is made to a copy of AD. • Changes such as new user, deletion of an object, or modification to a single property of an object. • AD performs two types of updates: • Originating update – occurs only the first time a change is made to an AD replica. • Replicated update – occurs as a result of this change.
Multi-master Replication • Individual change made in one copy of the directory are automatically replicated to all other appropriate copies of the directory. • Active Directory uses Update Sequence Numbers (USNs). • Anytime a users writes something into an object in the directory, it gets a USN, which is held per computer and incremented any time a change is made. • A change cannot occur without the USN being incremented, therefore changes cannot be lost.
Update Sequence Number (USN) • These are stored in memory, in a table called the up- to-dateness table. • This table has an entry for every DC in the domain, along with the USN number at the time of the last originating update for that DC. • Ex. Entry for server A, changes caused the USN to increment to “130”, entry would be “A-130”. • USNs can be used to prevent unnecessary data being sent across the network. • Replication in AD is pulled only; data is never pushed across the wire.
USN Table • Each DC keeps track of the highest USNs of the DCs it replicates with. • This procedure lets a DC calculate which changes must replicate on a replication cycle. • At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for the DCs latest USNs.
USN Table for Server A Domain Domain Domain • Server A queries the DC’s for Controller Controller Controller their current USNs and gets B C D the following information. 54 23 53 • From this information, Server Domain Domain Domain A can calculate the changes it Controller Controller Controller need from each server as B C D follows. 58 23 64 Domain Domain Domain • Server A then queries each Controller Controller Controller DC for the necessary changes. B C D 55-58 None 54-64
Property Version Number • Multiple changes to an object’s property can occur. • Every property has a property version number, which helps detect collisions. • Property version numbers work like USNs. • Each time a property is modified, the property version number increases by one.
Collision • A collision occurs when the property number version numbers are the same for two or more property updates. • In this case, the timestamps helps resolve the conflict. • In the case where the property version numbers and the timestamps match, a binary buffer comparison occurs; the larger buffer size change takes precedence.
Object Security  Security Principal  Security ID (SID)  Security Descriptor  Discretionary Access Control List (DACL)  System Access Control List (SACL)  Access Control Entries (ACEs)  Access Tokens
Security Principal • This is an account to which permissions can be assigned-example, a user, a group, or a computer account. • Ex. • Bob, a member of the Accounting group on a computer with a domain computer account named System01, several security principals are involved that permissions could be applied toward-namely, the user “Bob”, the group “Accounting”, or the computer account “System01”
Security ID (SID) • Every security principal is issued a unique SID that is assigned once to an account and is never reused, even if the object is removed. A numeric value that is assigned automatically when an object is added to the directory. • The SID is a numeric value that is assigned automatically when an object is added to the directory.
Security Descriptor • Defines access control information for that object. • When a user attempts to access an object, the descriptor check its information against the user’s SID and then compares the SID against its access control list (ACL). • There are two types of ACLs: • DACLs • SACLs
Discretionary Access Control List (DACL) • List of access control entries (ACEs) that indicates security levels of Allow Access or Deny Access permissions. • Deny Access entries are placed first in the ACE. • The Deny will prove stronger than all the other options.
System Access Control List (SACL) • This is a list used for auditing object access based upon ACEs that indicates to the object when an account has accessed an object or has attempted to access an object.
Access Control Entries (ACEs) • ACEs are used by DACLs and SACLs. • When used with a DACL, the ACE determines the level of security access upon an object, through 4 types: • Access Denied • Access Allowed • Access Denied Object Specified • Access Allowed Object Specified • When used with a SACL, the ACE determines the level of security based upon: • System Audit • System Audit Object Specific
Access Tokens • When the user logs on, an access token is created and sent by the DC to the user’s machine. • This token is necessary for a user to access any network resource. • The access token is attached to that user and is needed to access any object, to run any application, and to use any system resources.
Access Permissions on AD Objects • The five standard permissions that can be applied to an object are: • Full Control • Write • Read • Create All Child Objects • Delete All Child Objects
• Full Control • Allows the user the ability to view objects and attributes, the owner of the object, and the AD permissions, along with the ability to change any of those settings. • Write • Enables the user to view objects and attributes, the owner of the object, and the AD permissions, also allows the user to change any of those settings. • Read • Enables the user to view objects and attributes, the owner of the object, and the AD permissions. • Create All Child Objects • Enables the user to create additional child objects to the OU (Organizational Unit). • Delete All Child Objects • Enables the user to delete existing objects from an OU.
The Flow of Permissions • The implementation of inheritance is utilized by Windows 2000. • Inheritance is automatic for child objects within parent containers; • Ex. If a parent object has permissions implemented upon it, the child objects beneath will automatically inherit the permissions from above.
The Flow of Inheritance Parent OU  When you create a child Parent object within a parent Permissions: container that holds certain Administrator: Full Control permissions, the child Users: Read object automatically Sales OU Research OU contains the permissions of its parent. Child Child Permissions: Permissions: Administrator: Full Control Administrator: Full Control Users: Read Users: Read
Kerberos v5 • Developed by a team at MIT • Named after the three-headed dog in Greek mythology that guarded the gates of Hades. • There are three sides to Kerberos authentication: • User • Server • Key Distribution Center (KDC)
Like its Greek Counterpart… • User • A client that has a need to access resources off a server. • Server • Offers a service, but only to those that can prove their identity. That proven identity doesn’t guarantee access to the service; it just proves that they even have a right to request a service. • Key Distribution Center (KDC) • An intermediary between the client and the server that provides a way of vouching that the client is really who it says it is.
Kerberos Trust The trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest. DC DC DC
• Kerberos is Windows 2000’s primary security protocol. • Verifies a user’s identity and a session’s integrity. • Each DC (Domain Controller) has Kerberos services on it and every Windows 2000 workstation has a Kerberos client.
A Kerberos Transaction 1. A user logs on to the domain by supplying a username, a password, and a domain choice. Kerberos steps in and checks the info. Against the DC’s KDC database to verify that it knows the user. 2. If the user is valid, the user is provided a ticket- granting ticket (TGT). This means the user is preauthorized to access other resources on the domain. • In future transactions, the client doesn’t have to re-authenticate; rather, it presents the TGT to the KDC. This speeds up the process.
1. If a client wants to access a server—for example, the internal mail server in order to obtain his/her email—he/she can now present that TGT to the KDC ticket-granting server (TGS). This server will give the client another ticket which although doesn’t grant permission to the mail server, rather, it authenticates the client to the mail server. 2. The email server checks to see if you have permission to read the mail. If so, the client will receive the mail.
The Four Steps of Kerberos KDC Print Server 3 4 2 1 KDC Client
Trusts • Trusts allow the domains to work with the user accounts from other domain in such a way that people in one domain can share resources with others. • The transitive concept enables smoother functionality. • Transitive means “by extension” • Under Win2000, the trust is automation between parents and children, and transitive between every other domain in the tree.
Transitive Trusts • Transitive trusts allow users in all connected domains to be validated as domain users. • Permissions are not transitive.
Two-way Transitive Trusts • If child domain a.corp.com trusts corp.com and corp.com trusts b.corp.com, then a.corp.com automatically trusts b.corp.com. corp.com a.corp.com b.corp.com
Few Points About Transitive Trusts  They are two-way agreements that are automatically created.  They exist between child domains and parents or the root domains of a forest.  The trusts are transitive because the trees and forests with connecting trusts make information available with no further trust configuration issues.  After trusts are established, permissions must be granted to an individual or group to allow them to access resources.
Summary of Features and Benefits • Support for open standards to facilitate cross- platform directory services, incl. DNS and standard protocols – LDAP. • Support for standard name formats to ensure ease of migration. • Fast lookup via the global catalog. • Multi-master replication. • Backward compatibility. • Interoperability with NetWare environments.
Installation of Active Directory • Installed using ‘dcpromo.exe’, which can be executed from the ‘Run’ dialog box. • ‘dcpromo.exe’ resides on the Windows 2000 partition. • ‘dcpromo.exe’ is an Active Directory installation wizard, which guides the user in a step by step installation. • Installation of Active Directory requires both a FAT and a NTFS partition.

More Related Content

PDF
IRJET- Research Paper on Active Directory
IRJET Journal
 
PPTX
Who Will Win the Database Wars?
Christopher Foot
 
PPTX
Cloud's Hidden Impact on IT Support Organizations
Christopher Foot
 
PPT
354 ch1
Amanda Winona Batayola
 
PDF
Building a Hybrid Platform as a Service
WSO2
 
PDF
Documentum introduction
otnawrup
 
PDF
EMC Documentum & Captiva
ITDogadjaji.com
 
PDF
Data in your SOA: From SQL to NoSQL and Beyond
WSO2
 
IRJET- Research Paper on Active Directory
IRJET Journal
 
Who Will Win the Database Wars?
Christopher Foot
 
Cloud's Hidden Impact on IT Support Organizations
Christopher Foot
 
354 ch1
Amanda Winona Batayola
 
Building a Hybrid Platform as a Service
WSO2
 
Documentum introduction
otnawrup
 
EMC Documentum & Captiva
ITDogadjaji.com
 
Data in your SOA: From SQL to NoSQL and Beyond
WSO2
 

What's hot (19)

DOC
zahidCvFinal(Updated Jan 17)-2
Zahid Ayub
 
PDF
Relational
dieover
 
PPTX
Migrating to office 365
Alan Richards
 
PDF
A Crash Course in SQL Server Administration for Reluctant Database Administra...
Chad Petrovay
 
PPTX
BanDADE
cerverojj
 
DOCX
sdonellan2016
Steven Donellan
 
DOCX
Choosing an IdM User Store technology
Michael J Geiser
 
PPTX
Active Directory 2008 R2 Updates
Amit Gatenyo
 
PDF
Windows Server 2012 R2: Your Path to the Modern Business
United Technology Group (UTG)
 
PDF
Windows Server 2008 Active Directory Components
Tũi Wichets
 
PPT
Thinkfree Office Live Introduction Material En
Benedict Ji
 
PDF
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
C/D/H Technology Consultants
 
PPTX
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Michael Noel
 
PDF
GWAVACon - Migration into Office 365 Cloud
GWAVA
 
PPTX
Enterprise Manager DBaaS
omnidba
 
PDF
Sql server2008 r2_mds_datasheet
Klaudiia Jacome
 
PPTX
Rl net scaler-ha&dr_xendesktop_set2012
Rui Lopes
 
PPTX
Best Practices for Securing Active Directory v2.0
Danny Wong
 
PDF
Best practices When Migrating to Office 365
Perficient, Inc.
 
zahidCvFinal(Updated Jan 17)-2
Zahid Ayub
 
Relational
dieover
 
Migrating to office 365
Alan Richards
 
A Crash Course in SQL Server Administration for Reluctant Database Administra...
Chad Petrovay
 
BanDADE
cerverojj
 
sdonellan2016
Steven Donellan
 
Choosing an IdM User Store technology
Michael J Geiser
 
Active Directory 2008 R2 Updates
Amit Gatenyo
 
Windows Server 2012 R2: Your Path to the Modern Business
United Technology Group (UTG)
 
Windows Server 2008 Active Directory Components
Tũi Wichets
 
Thinkfree Office Live Introduction Material En
Benedict Ji
 
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
C/D/H Technology Consultants
 
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Michael Noel
 
GWAVACon - Migration into Office 365 Cloud
GWAVA
 
Enterprise Manager DBaaS
omnidba
 
Sql server2008 r2_mds_datasheet
Klaudiia Jacome
 
Rl net scaler-ha&dr_xendesktop_set2012
Rui Lopes
 
Best Practices for Securing Active Directory v2.0
Danny Wong
 
Best practices When Migrating to Office 365
Perficient, Inc.
 
Ad

Viewers also liked (16)

PPT
Windows server 2003_r2
tameemyousaf
 
PPT
Dns
deshvikas
 
PDF
Active directory interview_questions
subhashmr
 
PPTX
Dhcp server in Windows Server 2003
Arief Fadilla
 
PPTX
Windows Server 2012 Active Directory Domain and Trust (Forest Trust)
Serhad MAKBULOĞLU, MBA
 
PDF
Installation of Active Directory on Windows 2000 Server
► Supreme Mandal ◄
 
PPTX
Windows Server 2003 --> Windows Server 2012 Active Directory Migration
Serhad MAKBULOĞLU, MBA
 
PPT
Chapter10 Server Administration
Raja Waseem Akhtar
 
PDF
Windows Server 2003 Administration
LearnItFirst.com
 
PPT
Dhcp
tameemyousaf
 
PPTX
Introduction to Active Directory
thoms1i
 
PPT
Microsoft Active Directory
thebigredhemi
 
PPTX
Windows Server 2008 Active Directory
anilinvns
 
PPT
Windows Server 2008 R2 Overview
Alexander Schek
 
PPT
Active Directory
Sandeep Kapadane
 
PPT
Active Directory Training
Nishad Sukumaran
 
Windows server 2003_r2
tameemyousaf
 
Dns
deshvikas
 
Active directory interview_questions
subhashmr
 
Dhcp server in Windows Server 2003
Arief Fadilla
 
Windows Server 2012 Active Directory Domain and Trust (Forest Trust)
Serhad MAKBULOĞLU, MBA
 
Installation of Active Directory on Windows 2000 Server
► Supreme Mandal ◄
 
Windows Server 2003 --> Windows Server 2012 Active Directory Migration
Serhad MAKBULOĞLU, MBA
 
Chapter10 Server Administration
Raja Waseem Akhtar
 
Windows Server 2003 Administration
LearnItFirst.com
 
Dhcp
tameemyousaf
 
Introduction to Active Directory
thoms1i
 
Microsoft Active Directory
thebigredhemi
 
Windows Server 2008 Active Directory
anilinvns
 
Windows Server 2008 R2 Overview
Alexander Schek
 
Active Directory
Sandeep Kapadane
 
Active Directory Training
Nishad Sukumaran
 
Ad

Similar to Win2KServer Active Directory (20)

PPT
Active directoryfinal
Rafał Kucharski
 
PPTX
Active Directoryptx sunday.pptx
UtPearls
 
PPT
1-Active Directory System and Application.ppt
SrikanthKama2
 
PPTX
17 roles of window server 2008 r2
IGZ Software house
 
PPTX
Introduction to active directory and its services.pptx
erickmuzigaba
 
PPTX
Active-Directory-Domain-Services.pptx
JavedAjmal1
 
PPTX
Active-Directory-Domain-Services.pptx
MeriemBalhaddad
 
PDF
Cloud for share point
Rick Taylor
 
PPTX
Active Directory Domain Services.pptx
syedasadraza13
 
PPTX
Presentation on Server based Operating system.pptx
hamzamunawarkhan
 
PDF
KoprowskiT_session1_SDNEvent_WASDforBeginners
Tobias Koprowski
 
PPTX
04232015094601
Dinesh Senthil Kumar
 
PPTX
Server its functions and types.pptx
DrIrfanulHaqAkhoon
 
PDF
Dell active roles
Kenneth de Brucq
 
PPTX
02-Active Directory Domain Services.pptx
AdiWidyanto2
 
PPT
Directory Services Nma Unit-1
GPAPassedStudents
 
PPTX
Cloud Computing Basics, Models, Enablers
DrVSavithri
 
PDF
Null talk
Agam Jain
 
PPTX
AD Basic and Azure AD.pptx
SumTingWong8
 
PDF
Introduction to System and network administrations
girmayou1
 
Active directoryfinal
Rafał Kucharski
 
Active Directoryptx sunday.pptx
UtPearls
 
1-Active Directory System and Application.ppt
SrikanthKama2
 
17 roles of window server 2008 r2
IGZ Software house
 
Introduction to active directory and its services.pptx
erickmuzigaba
 
Active-Directory-Domain-Services.pptx
JavedAjmal1
 
Active-Directory-Domain-Services.pptx
MeriemBalhaddad
 
Cloud for share point
Rick Taylor
 
Active Directory Domain Services.pptx
syedasadraza13
 
Presentation on Server based Operating system.pptx
hamzamunawarkhan
 
KoprowskiT_session1_SDNEvent_WASDforBeginners
Tobias Koprowski
 
04232015094601
Dinesh Senthil Kumar
 
Server its functions and types.pptx
DrIrfanulHaqAkhoon
 
Dell active roles
Kenneth de Brucq
 
02-Active Directory Domain Services.pptx
AdiWidyanto2
 
Directory Services Nma Unit-1
GPAPassedStudents
 
Cloud Computing Basics, Models, Enablers
DrVSavithri
 
Null talk
Agam Jain
 
AD Basic and Azure AD.pptx
SumTingWong8
 
Introduction to System and network administrations
girmayou1
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation theory and applications.pdf
gurumoop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Win2KServer Active Directory

  • 1. Active Directory Presentation Windows 2000 Server
  • 2. Breakdown… • What is Active Directory • Structure of Active Directory • Objects • Domains – Trees and Forests • Replication • Security • Kerberos • Trusts
  • 3. Overview of Active Directory • Active Directory is a directory service, which means it both stores data about your network resources and provides methods of accessing and distributing that data. Directory service that stores data about users and groups, shared folders, and other network resources. • Active Directory lets you centrally manage your network. • Administrative tasks can be performed from a single location.
  • 4. What Is Active Directory? • Active Directory is an essential and inseparable part of the Windows 2000 network architecture that improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments.
  • 5. • Active Directory lets organizations efficiently share and manage information about network resources and users. • Active Directory acts as the central authority for network security, letting the operating system readily verify a user’s identity and control for his or her access to network resources. • It acts as an integration point for bringing systems together and consolidating management tasks.
  • 6. How does Active Directory Work? • AD lets organizations store information in a hierarchical, object-oriented fashion, and provides multi-master replication to support distributed network environments.
  • 7. Single Point of Administration • For all published resources, incl. Files, peripheral devices, host connections, databases, Web access, users, services… • It uses the Internet Domain Name Service (DNS) as its locator service. • No primary domain controller (PDC) or backup domain controller (BDC). Uses domain controllers (DCs). • Allows multiple domains to be connected into a tree structure.
  • 8. What are the benefits of Active Directory • Simplifies management tasks. • Strengthens network security. • Makes use of existing systems through interoperability.
  • 9. Simplifies Management • Single place to manage users, groups and network resources, as well as distribute software and manage desktop. – Eliminates redundant management tasks. – Reduces trips to the desktop. – Better maximizes IT resources. – Lowers total cost of ownership (TCO).
  • 10. • Eliminates redundant management tasks. • Provides a single point of management for Windows user accounts, clients, servers, and applications. • Reduces trips to the desktop. • Automatically distributes software to users based on their role in the company, reducing or eliminating multiple trips that system administrators need to make for software installation and configuration. • Better maximizes IT resources. • Securely delegates administrative functions to all levels of an organization. • Lowers total cost of ownership (TCO). • Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
  • 11. Simplifies Management Delegate Management Tasks to Office Admins Company Users Machines Devices Applications Color Printer Marketing Personnel in Building 6 Give ‘Personnel’ Members the Human Resources Application
  • 12. Strengthens Security • Support for multiple authentication protocols such as Kerberos, X.509 certificates, and smart cards. • Flexible access control model – enables powerful and consistent security services for internal desktop users, remote dial-up users, and external commerce customers. • Improves password security and management. • Ensures desktop functionality. • Speeds e-business deployment. • Tightly controls security.
  • 13. • Improves password security and management. • Providing single sign-on to network resources with integrated, high powered security services that are transparent to end users. • Ensures desktop functionality. • Locking-down desktop configurations and preventing access to specific client machine operations. Ex: software installations and registry editing. • Speeds e-business deployment. • Built-in support for secure Internet-standard protocols and authentication mechanisms. Ex: Kerberos, public key infrastructure (PKI), lightweight directory access protocol (LDAP). • Tightly controls security. • Setting access control privileges on directory objects and the individual data elements that make them up.
  • 14. Extends Interoperability • Active Directory provides a set of standard interfaces for application integration and open synchronization mechanisms to ensure that Windows can interoperate with a wide variety of applications and devices.
  • 15. It Does So By… • Taking advantage of existing investments and ensures flexibility. • Consolidating management of multiple application directories. Using open interfaces, connectors, and synchronization mechanisms. Incl. Novell’s NDS, LDAP, ERP, e-mail… • Allowing organizations to deploy directory-enabled networking. Assign quality of service and allocated network bandwidth to users based on their role in the company. • Allowing organizations to develop and deploy directory-enabled applications.
  • 16. Interoperability Application: Exchange Policy: Give ‘Personnel’ Mailbox information Access to ‘Change Salary’ Menu options. Company Users Machines Devices Applications Finance Personnel Policy: Give ‘Finance’ more bandwidth at the end of the month.
  • 17. Active Directory as a Service Provider • Used to locate all network services and information. • Fulfills a wide variety of naming, query, administrative and registration needs. Submit Exchange Mail DNS Mail Client Mail Microsoft.com Recipient referral Lookup Address Book http/shttp Server Admin/ browse Directory Service Replication SQL Server Register Service Credential Security management Query Dynamic Services
  • 18. Directory Partitions • The data stored within AD is actually broken into three distinct areas called directory partitions. • Each partition records and stores a specific type of information. • The three directory partitions that exists: • Domain Partition • Schema Partition • Configuration Partition
  • 19. • Domain Partition • Holds data regarding domain-specific objects, including users, groups, and computers. • Schema Partition • Contains data that defines which objects can be created within AD and specifies rules regarding these objects, such as mandatory properties. • Configuration Partition • Contains information about your AD structure, such as domain and DCs that exist.
  • 20. The Structure of Active Directory • Active Directory is made up of two distinct structures: • The logical structure. • The physical structure. • Design of Active Directory implementation deals with the logical aspects. • Deciding where each component will be on your network deals with the physical aspects.
  • 21. The Logical Structure • There are five logical components in Active Directory: • Domains • Organization Units (OUs) • Trees • Forests • Global Catalogs (GCs)
  • 22. Domains • A domain is a security boundary. • Each domain has its own administrators that can be assigned full control over the domain. • Entity which has its own users and groups. • Users can be granted permissions in other domains. • Domains are used for replication purposes. • Can run in one of two modes: • Native (must be running to achieve full functionality) • Mixed
  • 23. Organizational Units (OUs) • Organizational Units are container objects that are used to organize objects within the directory. • Commonly contain user and group objects. • They can also contain computers and other OUs. • Permissions can be assigned at the OU level both to grant container objects access to other network resources (or to deny them) and to assign specific users administrative privileges. • Administration of objects within an OU can be delegated. • Assign permissions to manage these objects to groups other than domain administrators.
  • 24. Hierarchical Organization • Active Directory uses objects to represent network resources such as users, groups, machines, devices, and applications. • It uses containers to represent organizations, such as marketing department, or collections of related objects, such as printers. • It organizes information in a hierarchical structure made up of these objects and containers, similar to the way the Windows Operating system uses folders and files to organize information on a computer.
  • 25. Containers and Objects Company Users Machines Devices Applications Marketing Personnel = Container = Object
  • 26. Objects in Active Directory • Objects within AD include users, groups, computers, servers, domains, and sites. • Since data is stored as objects, users can search through the directory for objects they wish to access. • Objects also have attributes which a user can use in his/her search. • In order to understand how data is defined within AD, you must be aware of the Schema.
  • 27. The Schema • The Schema is a definition of all the objects and their attributes. • Since there is a single schema for an entire Windows 2000 forest, you can achieve consistency no matter how large the enterprise. • Two types of definitions can be stored in the schema. 1. Object Classes 2. Attributes
  • 28. Object Classes • Object classes define the types of objects that can be stored within Active Directory. • Each class consists of a class name and a set of attributes that are associated with the object.
  • 29. Attributes • Attributes are stored separately within the schema • Allows for further consistency within the database, because a single definition for the “last name” attribute can be used over and over again.
  • 30. Object-Oriented Storage Company Users Machines Devices Applications Marketing Personnel Name: Bob Jones = Container Email: bob@abc.com = Object Phone: 555-1234 SSN: 456-7
  • 31. Object-Oriented Storage • In this case, the system administrator has allowed global access to the Bob Jones object, but has locked access of the Social Security Number attribute.
  • 32. Schema Security • To prevent it from being modified without permissions, each object is secured using Discretionary Access Control Lists (DACLs). • These DACLs ensure that only authorized users are able to access schema.
  • 33. A little more about Schema • The file schema.ini contains the default schema’s definition, as well as the initial structure for the file ntds.dir (stores directory data). • The %systemroot%ntds directory contains the file schema.ini. • The file is in plain ASCII format.
  • 34. Trees • Domains are combined to produce a tree. • A hierarchical representation of the Windows 2000 network. • First domain installed is called the root domain and all subsequent domains are installed beneath this root domain. • All domains is a tree share a common schema and GC.
  • 35. Domain Tree • A domain tree exists when one domain is the child of another domain. • Ex. Root.com – since domains are DNS names. • If the administrator renames a part of the tree, all of the parent’s children are also implicitly renamed. • Ex. ntfaq.com renamed to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com
  • 36. Domain Tree Diagram root.com child1.root.com child2.root.com These child domains continue to utilize the same contiguous name (root.com) while branching out with additional naming for organizational gran.child1.root.com purposes. Ex. child1.root.com
  • 37. Domain Tree Advantages • All members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children. • Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree. • You can use one network logon at any workstation in the domain tree.
  • 38. Forests • A forest is a collection of trees. • Tree in a forest do not have to share a contiguous namespace. • Must share a common schema and GC. • Forests allows users in two different trees to access resources in a different namespace. • Useful when a company has multiple root DNS addresses.
  • 39. Forest Diagram Transitive Kerberos Trust Joining the two trees makes a forest root.com ntfaq.com child1.root.com child2.root.com legal.ntfaq.com ads.ntfaq.com gran.child1.root.com banner.ads.ntfaq.com
  • 40. Benefits of a Forest • All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest. • All the trees contain a common schema. • Performing a search in a forest initiates a deep search of the entire tree in the domain you initiate the request from and uses GC entries for the rest of the forest.
  • 41. Global Catalogs (GCs) • A GC server is also a DC (Domain Controller). • It contains data about all objects within a forest. • GC contains the permissions list for all the objects, therefore can also grant access. • Stored locally on a DC – reduces network traffic. • Benefit: • To make the logical structure of the Windows 2000 network invisible to the users. • Reduction of network traffic.
  • 42. Purpose of Global Catalog • Designed for high performance. • Allows users to easily find an object regardless of where it is in the tree – searching using selected attributes. • Attributes contained in a abbreviated catalog. • Technique known as partial replication.
  • 43. Global Catalog Structure Domain 1 Partial Replicas Domain 2 Full Replicas Domain n The global catalog structure provides access to full and partial replication.
  • 44. Physical Structure • Used to manage network traffic on the network. • Element that makes up the physical structure: • Domain controllers (DCs)
  • 45. Domain Controllers (DCs) • A domain controller (DC) is a server on a Windows 2000 network that stores a replica of the Active Directory database. • Its job is to manage access to this data via searches and also accept and make changes to the data. • Replicates changes to all other DCs in the domain. • Manage authentication of users. • Assigning a security token that contains a list of group memberships and permissions to each user.
  • 46. Replication • Replication ensures that data recorded in one copy is disseminated to all other copies in the domain. • Windows 2000 uses multi-master replication. • Each DC is a master of its copy of AD. • The DC can accept changes and will then propagate them out to other DCs. • Replication – updating information from one DC to another.
  • 47. The Replication Process • Replication occurs when an update is made to a copy of AD. • Changes such as new user, deletion of an object, or modification to a single property of an object. • AD performs two types of updates: • Originating update – occurs only the first time a change is made to an AD replica. • Replicated update – occurs as a result of this change.
  • 48. Multi-master Replication • Individual change made in one copy of the directory are automatically replicated to all other appropriate copies of the directory. • Active Directory uses Update Sequence Numbers (USNs). • Anytime a users writes something into an object in the directory, it gets a USN, which is held per computer and incremented any time a change is made. • A change cannot occur without the USN being incremented, therefore changes cannot be lost.
  • 49. Update Sequence Number (USN) • These are stored in memory, in a table called the up- to-dateness table. • This table has an entry for every DC in the domain, along with the USN number at the time of the last originating update for that DC. • Ex. Entry for server A, changes caused the USN to increment to “130”, entry would be “A-130”. • USNs can be used to prevent unnecessary data being sent across the network. • Replication in AD is pulled only; data is never pushed across the wire.
  • 50. USN Table • Each DC keeps track of the highest USNs of the DCs it replicates with. • This procedure lets a DC calculate which changes must replicate on a replication cycle. • At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for the DCs latest USNs.
  • 51. USN Table for Server A Domain Domain Domain • Server A queries the DC’s for Controller Controller Controller their current USNs and gets B C D the following information. 54 23 53 • From this information, Server Domain Domain Domain A can calculate the changes it Controller Controller Controller need from each server as B C D follows. 58 23 64 Domain Domain Domain • Server A then queries each Controller Controller Controller DC for the necessary changes. B C D 55-58 None 54-64
  • 52. Property Version Number • Multiple changes to an object’s property can occur. • Every property has a property version number, which helps detect collisions. • Property version numbers work like USNs. • Each time a property is modified, the property version number increases by one.
  • 53. Collision • A collision occurs when the property number version numbers are the same for two or more property updates. • In this case, the timestamps helps resolve the conflict. • In the case where the property version numbers and the timestamps match, a binary buffer comparison occurs; the larger buffer size change takes precedence.
  • 54. Object Security  Security Principal  Security ID (SID)  Security Descriptor  Discretionary Access Control List (DACL)  System Access Control List (SACL)  Access Control Entries (ACEs)  Access Tokens
  • 55. Security Principal • This is an account to which permissions can be assigned-example, a user, a group, or a computer account. • Ex. • Bob, a member of the Accounting group on a computer with a domain computer account named System01, several security principals are involved that permissions could be applied toward-namely, the user “Bob”, the group “Accounting”, or the computer account “System01”
  • 56. Security ID (SID) • Every security principal is issued a unique SID that is assigned once to an account and is never reused, even if the object is removed. A numeric value that is assigned automatically when an object is added to the directory. • The SID is a numeric value that is assigned automatically when an object is added to the directory.
  • 57. Security Descriptor • Defines access control information for that object. • When a user attempts to access an object, the descriptor check its information against the user’s SID and then compares the SID against its access control list (ACL). • There are two types of ACLs: • DACLs • SACLs
  • 58. Discretionary Access Control List (DACL) • List of access control entries (ACEs) that indicates security levels of Allow Access or Deny Access permissions. • Deny Access entries are placed first in the ACE. • The Deny will prove stronger than all the other options.
  • 59. System Access Control List (SACL) • This is a list used for auditing object access based upon ACEs that indicates to the object when an account has accessed an object or has attempted to access an object.
  • 60. Access Control Entries (ACEs) • ACEs are used by DACLs and SACLs. • When used with a DACL, the ACE determines the level of security access upon an object, through 4 types: • Access Denied • Access Allowed • Access Denied Object Specified • Access Allowed Object Specified • When used with a SACL, the ACE determines the level of security based upon: • System Audit • System Audit Object Specific
  • 61. Access Tokens • When the user logs on, an access token is created and sent by the DC to the user’s machine. • This token is necessary for a user to access any network resource. • The access token is attached to that user and is needed to access any object, to run any application, and to use any system resources.
  • 62. Access Permissions on AD Objects • The five standard permissions that can be applied to an object are: • Full Control • Write • Read • Create All Child Objects • Delete All Child Objects
  • 63. • Full Control • Allows the user the ability to view objects and attributes, the owner of the object, and the AD permissions, along with the ability to change any of those settings. • Write • Enables the user to view objects and attributes, the owner of the object, and the AD permissions, also allows the user to change any of those settings. • Read • Enables the user to view objects and attributes, the owner of the object, and the AD permissions. • Create All Child Objects • Enables the user to create additional child objects to the OU (Organizational Unit). • Delete All Child Objects • Enables the user to delete existing objects from an OU.
  • 64. The Flow of Permissions • The implementation of inheritance is utilized by Windows 2000. • Inheritance is automatic for child objects within parent containers; • Ex. If a parent object has permissions implemented upon it, the child objects beneath will automatically inherit the permissions from above.
  • 65. The Flow of Inheritance Parent OU  When you create a child Parent object within a parent Permissions: container that holds certain Administrator: Full Control permissions, the child Users: Read object automatically Sales OU Research OU contains the permissions of its parent. Child Child Permissions: Permissions: Administrator: Full Control Administrator: Full Control Users: Read Users: Read
  • 66. Kerberos v5 • Developed by a team at MIT • Named after the three-headed dog in Greek mythology that guarded the gates of Hades. • There are three sides to Kerberos authentication: • User • Server • Key Distribution Center (KDC)
  • 67. Like its Greek Counterpart… • User • A client that has a need to access resources off a server. • Server • Offers a service, but only to those that can prove their identity. That proven identity doesn’t guarantee access to the service; it just proves that they even have a right to request a service. • Key Distribution Center (KDC) • An intermediary between the client and the server that provides a way of vouching that the client is really who it says it is.
  • 68. Kerberos Trust The trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest. DC DC DC
  • 69. • Kerberos is Windows 2000’s primary security protocol. • Verifies a user’s identity and a session’s integrity. • Each DC (Domain Controller) has Kerberos services on it and every Windows 2000 workstation has a Kerberos client.
  • 70. A Kerberos Transaction 1. A user logs on to the domain by supplying a username, a password, and a domain choice. Kerberos steps in and checks the info. Against the DC’s KDC database to verify that it knows the user. 2. If the user is valid, the user is provided a ticket- granting ticket (TGT). This means the user is preauthorized to access other resources on the domain. • In future transactions, the client doesn’t have to re-authenticate; rather, it presents the TGT to the KDC. This speeds up the process.
  • 71. 1. If a client wants to access a server—for example, the internal mail server in order to obtain his/her email—he/she can now present that TGT to the KDC ticket-granting server (TGS). This server will give the client another ticket which although doesn’t grant permission to the mail server, rather, it authenticates the client to the mail server. 2. The email server checks to see if you have permission to read the mail. If so, the client will receive the mail.
  • 72. The Four Steps of Kerberos KDC Print Server 3 4 2 1 KDC Client
  • 73. Trusts • Trusts allow the domains to work with the user accounts from other domain in such a way that people in one domain can share resources with others. • The transitive concept enables smoother functionality. • Transitive means “by extension” • Under Win2000, the trust is automation between parents and children, and transitive between every other domain in the tree.
  • 74. Transitive Trusts • Transitive trusts allow users in all connected domains to be validated as domain users. • Permissions are not transitive.
  • 75. Two-way Transitive Trusts • If child domain a.corp.com trusts corp.com and corp.com trusts b.corp.com, then a.corp.com automatically trusts b.corp.com. corp.com a.corp.com b.corp.com
  • 76. Few Points About Transitive Trusts  They are two-way agreements that are automatically created.  They exist between child domains and parents or the root domains of a forest.  The trusts are transitive because the trees and forests with connecting trusts make information available with no further trust configuration issues.  After trusts are established, permissions must be granted to an individual or group to allow them to access resources.
  • 77. Summary of Features and Benefits • Support for open standards to facilitate cross- platform directory services, incl. DNS and standard protocols – LDAP. • Support for standard name formats to ensure ease of migration. • Fast lookup via the global catalog. • Multi-master replication. • Backward compatibility. • Interoperability with NetWare environments.
  • 78. Installation of Active Directory • Installed using ‘dcpromo.exe’, which can be executed from the ‘Run’ dialog box. • ‘dcpromo.exe’ resides on the Windows 2000 partition. • ‘dcpromo.exe’ is an Active Directory installation wizard, which guides the user in a step by step installation. • Installation of Active Directory requires both a FAT and a NTFS partition.