01 - En - CK - Introducing Active Directory Domain Services
TRANSCRIPT
-
8/6/2019 01 - En - CK - Introducing Active Directory Domain Services
1/40
www.supinfo.com
Copyright SUPINFO. All rights reserved
Introducing Active Directory Domain Services
http://www.supinfo.com/
-
Course objectives
By completing this course, you will:
Overview of Active Directory, Identity, and Access
Active Directory Components and Concepts
Install Active Directory Domain Services
-
Overview of Active Directory, Identity, and Access
-
Preview
Information Protection in a Nutshell
Identity and Access
Authentication and Authorization
Authentication
Access Tokens
Security Descriptors, ACLs, and ACEs
Authorization
Stand-Alone (Workgroup) Authentication
Active Directory Domains: Trusted Identity Store
Active Directory, Identity, and Access
Active Directory and IDA services
-
Information Protection
It's all about connecting users to the information they require, securely.
One focus:
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability, and Authenticity
-
Identity and Access
Identity: user account
Saved in an identity store (directory database)
Security principal
Represented uniquely by the SID
Resource: shared folder
Secured with a security descriptor
DACL or ACL
ACEs or permissions
-
Authentication and Authorization
A user presents credentials that are authenticated by using the information stored with the user's identity
The system creates a security token that represents the user with the user's SID and all related group SIDs
A resource is secured with an ACL: permissions that pair a SID with a level of access
The user's security token is compared with the ACL of the resource to authorize a requested level of access
-
Authentication
Authentication is the process that verifies a user's identity
Credentials: at least two components required (e.g. user name + password)
Two-factor authentication combines two of:
What I am (biometric)
What I know (password)
What I own (smart card)
Two types of authentication:
Local
Remote
-
Access Tokens
A user's access token is equal to:
User SID
Member group SIDs
Privileges (user rights)
Other access information
-
Security Descriptors, ACLs and ACEs
Security descriptor: owner, SACL (audit), DACL or ACL (NTFS permissions)
ACE: trustee (by SID) + access mask
-
Authorization
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource
The system finds the first ACE in the ACL that allows or denies the requested access level for any SID in the user's token
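As an added example (not part of the SUPINFO slides), the following PowerShell script ties the Access Tokens, Security Descriptors and Authorization slides together: it reads the current user's access token (user SID plus group SIDs), reads a folder's security descriptor with Get-Acl, and walks the DACL in stored order to decide a requested access level. The folder path and the requested right are assumed sample values. The script implements the general Windows rule, of which the slide's "first matching ACE" statement is the common case: Allow ACEs for SIDs in the token accumulate granted bits, and a Deny ACE for a SID in the token stops the check as soon as it covers a requested bit that has not yet been granted. It ignores owner rights and token privileges (such as backup or take-ownership), which the real access check also consults.

```powershell
# Added example, not from the course slides. Assumed inputs: a folder path and a
# requested right; run on a Windows host with PowerShell 5.1 or later.
param(
    [string]$Path = "$env:SystemDrive\Shared",   # assumed sample folder
    [System.Security.AccessControl.FileSystemRights]$Requested = 'Modify'
)

# 1. Access token: the user's SID plus every group SID the user belongs to.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
"Token for {0} carries {1} SIDs" -f $identity.Name, $tokenSids.Count

# 2. Security descriptor of the resource: owner and DACL (the SACL needs -Audit and elevation).
$sd = Get-Acl -Path $Path
"Owner: {0}" -f $sd.Owner

# 3. Walk the DACL in canonical order: explicit Deny, explicit Allow, then inherited ACEs.
#    Allow ACEs whose trustee is in the token accumulate granted bits; a Deny ACE whose
#    trustee is in the token denies as soon as it covers a requested bit not yet granted.
$want    = [int]$Requested
$granted = 0
$verdict = $null
$aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($ace in $aces) {
    if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }  # trustee not in token
    $bits = ([int]$ace.FileSystemRights) -band $want
    if ($ace.AccessControlType -eq 'Deny' -and (($bits -band (-bnot $granted)) -ne 0)) {
        $verdict = "DENIED: Deny ACE for {0} covers requested bits" -f $ace.IdentityReference.Value
        break
    }
    if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bits }
    if (($granted -band $want) -eq $want) {
        $verdict = "ALLOWED: all requested bits granted by Allow ACEs"
        break
    }
}
if (-not $verdict) { $verdict = "DENIED: no ACE grants the remaining bits (implicit deny)" }
"{0} on {1}: {2}" -f $Requested, $Path, $verdict
```

Run it against a folder whose permissions you have just changed and compare the verdict with what Explorer's "Effective Access" tab reports; the two differ only where owner rights or privileges come into play, which is exactly the part this script leaves out.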
-
Demonstration
The trainer will create a new user, give him permission on a local folder, then delete this account.
What happened to the NTFS permissions?
-
Stand-Alone (Workgroup) Authentication
The identity store is the SAM database on the Windows system
No shared identity store
Multiple user accounts
Management of passwords is challenging
-
Active Directory Domains
Centralized identity store trusted by all domain members
Centralized authentication service
Hosted by a server performing the role of an AD DS domain controller
-
Active Directory, Identity, and Access
An IDA infrastructure should:
Store information about users, groups, computers and other identities
Authenticate an identity. Kerberos authentication used in Active Directory provides single sign-on: users are authenticated only once
Control access
Provide an audit trail
-
Active Directory and IDA Services
Active Directory IDA services:
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)
-
Stop-and-think part 1
Have you got any questions?
-
Active Directory Components and Concepts
-
Preview
Active Directory as a Database
Demonstration: Active Directory Schema
Organizational Units
Policy-Based Management
Active Directory Data Store
Domain Controllers
Domain
Replication Sites
Forest
Tree
Global Catalog
Functional Levels
DNS and Application Partitions
Trust Relationships
-
Active Directory as a Database
Active Directory is a database
Each record is an object: users, groups, computers, and so on
Each field is an attribute: logon name, SID, password, description, membership, and so on
Identities (security principals or accounts)
Services: Kerberos, DNS, and replication
Accessing the database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
LDAP
-
Demonstration
The trainer will show you how the schema acts as a blueprint for Active Directory by exploring some attributes and object classes.
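As an added example (not the trainer's demonstration and not course code), this PowerShell script reads the schema through the .NET System.DirectoryServices.ActiveDirectory API to show what the "Active Directory as a Database" slide and the schema demonstration describe: the object class is the record layout (mandatory and optional attributes), and each attribute type carries its syntax, whether it is indexed, and whether it is replicated to the global catalog. The class name and attribute names are assumed sample choices; it needs a domain-joined host that can reach a domain controller.

```powershell
# Added example, not from the course slides. Assumes a domain-joined host with
# network access to a domain controller; class and attribute names are sample choices.
param(
    [string]$ClassName        = 'user',   # assumed object class to inspect
    [string[]]$AttributeNames = @('sAMAccountName', 'userPassword', 'description', 'memberOf')
)

# The schema is the blueprint: it defines every object class and every attribute type.
$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
"Schema naming context: {0}" -f $schema.Name

# Object class: which attributes a record of this class must and may carry.
$class = $schema.FindClass($ClassName)
"Class '{0}' (OID {1})" -f $class.Name, $class.Oid
"  Mandatory attributes: {0}" -f (($class.MandatoryProperties | ForEach-Object Name) -join ', ')
"  Optional attributes:  {0}" -f $class.OptionalProperties.Count

# Attribute types: syntax, whether indexed, and whether replicated to the global catalog
# (the Partial Attribute Set described on the Data Store and Global Catalog slides).
foreach ($name in $AttributeNames) {
    try {
        $attr = $schema.FindProperty($name)
        "{0,-16} syntax={1,-14} indexed={2,-5} inGlobalCatalog={3}" -f `
            $attr.Name, $attr.Syntax, $attr.IsIndexed, $attr.IsInGlobalCatalog
    } catch {
        "{0,-16} not defined in this schema" -f $name   # FindProperty throws for unknown names
    }
}
```

Reading the schema is harmless; modifying it is forest-wide and irreversible, which is why the example stops at FindClass and FindProperty and why schema changes are restricted to the Schema Admins group.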
-
Organizational Units
Containers: users, computers
Organizational units: containers that also support the management and configuration of objects by using Group Policy
Create OUs to:
Delegate administrative permissions
Apply Group Policy
-
Policy-Based Management
Active Directory provides a single point of management for security and configuration through policies
Group Policy
Domain password and lockout policy
Audit policy
Configuration
Applied to users or computers by scoping a GPO containing configuration settings
Fine-grained password and lockout policies
-
Active Directory Data Store
%systemroot%\NTDS\ntds.dit
Logical partitions
Domain naming context
Schema
Configuration
Global catalog (Partial Attribute Set)
DNS (application partitions)
SYSVOL
%systemroot%\SYSVOL
Logon scripts
Policies
Diagram: Schema, Configuration, Domain, DNS, PAS partitions
-
Domain Controllers
Servers that perform the AD DS role
Host the Active Directory database (NTDS.DIT) and SYSVOL
Replicated between domain controllers
Kerberos KDC service: performs authentication
Other Active Directory services
Best practices
Availability: at least two in a domain
Security: Server Core and RODCs
-
Domain
Made up of one or more DCs
All DCs replicate the domain naming context (Domain NC)
The domain is the context within which users, groups, computers, and so on are created
Replication boundary
Trusted identity source: any DC can authenticate any logon in the domain
The domain is the maximum scope (boundary) for certain administrative policies
Password
Lockout
-
Replication
Multimaster replication
Objects and attributes in the database and the contents of SYSVOL are replicated
Several components work to create an efficient and robust replication topology and to replicate granular changes to AD
The Configuration partition of the database stores information about sites, network topology, and replication
-
Sites
An Active Directory object that represents a well-connected portion of your network
Associated with subnet objects representing IP subnets
Intrasite vs. intersite replication
Replication within a site occurs very quickly (15 to 45 seconds)
Replication between sites can be managed
Service localization
Log on to a DC in your site
-
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Single configuration and schema replicated to all DCs in the forest
A security and replication boundary
-
Tree
One or more domains in a single instance of AD DS that share a contiguous DNS namespace
Diagram: supinfo.lan, nantes.supinfo.lan, supinfo-projects.lan
-
Global Catalog
Partial Attribute Set or Global Catalog
Contains every object in every domain in the forest
Contains only selected attributes
A type of index
Can be searched from any domain
Very important for many applications
-
Functional Levels
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are running a particular version of Windows:
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Cannot raise the functional level while domain controllers are running previous Windows versions
Cannot add domain controllers running previous Windows versions after raising the functional level
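As an added example (not course code), this PowerShell script performs the check an administrator should run before raising a domain functional level: it lists every domain controller's Windows version and reports which ones would block the target level, since the raise is refused while older DCs exist and is one-way once done. It assumes the ActiveDirectory module from RSAT and read access to the domain; the target level is an assumed parameter, and the version table covers only the levels named on the slide.

```powershell
# Added example, not from the course slides. Assumes the ActiveDirectory module
# (RSAT) and read access to the domain; the target level is an assumed parameter.
param([string]$TargetMode = 'Windows2008R2Domain')

Import-Module ActiveDirectory

# Minimum Windows NT version of every DC for each domain functional level on the slide.
$minVersion = @{
    'Windows2000Domain'   = [version]'5.0'
    'Windows2003Domain'   = [version]'5.2'
    'Windows2008Domain'   = [version]'6.0'
    'Windows2008R2Domain' = [version]'6.1'
}
if (-not $minVersion.ContainsKey($TargetMode)) { throw "Unknown target level: $TargetMode" }

$domain = Get-ADDomain
"Domain {0} is currently at {1}" -f $domain.DNSRoot, $domain.DomainMode

# Any DC older than the requirement blocks the raise (and could not be added back afterwards).
$blocking = foreach ($dc in Get-ADDomainController -Filter *) {
    # OperatingSystemVersion looks like "6.1 (7601)"; keep only the major.minor part.
    $text = ($dc.OperatingSystemVersion -replace '\s.*$', '')
    $ver  = if ($text) { [version]$text } else { [version]'0.0' }   # unknown counts as too old
    if ($ver -lt $minVersion[$TargetMode]) {
        [pscustomobject]@{ HostName = $dc.HostName; OS = $dc.OperatingSystem; Version = $ver }
    }
}

if ($blocking) {
    "Cannot raise to ${TargetMode}: upgrade or demote these DCs first"
    $blocking | Format-Table -AutoSize
} else {
    "All DCs meet the requirement for $TargetMode."
    # Raising is one-way. To apply it, an administrator runs:
    #   Set-ADDomainMode -Identity $domain -DomainMode $TargetMode
}
```

The same check applies to the forest functional level with Get-ADForest and Set-ADForestMode, where every DC in every domain of the forest must meet the requirement.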
-
DNS and Application Partitions
Active Directory and DNS are closely integrated
One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory
Complete reliance on DNS to locate computers and services in the domain
A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition
Diagram: Schema, Configuration, Domain, DNS, PAS partitions
-
Trust Relationships
Extends the concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain
A trusted user can authenticate to, and be given access to resources in, the trusting domain
Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
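As an added example (not course code), this PowerShell script enumerates the trust objects of the current domain and spells out, for each one, which side is the trusting domain and which is the trusted identity store, the distinction the slide makes. It also surfaces the settings a reviewer looks at on external trusts (transitivity, SID filtering, selective authentication). It assumes the ActiveDirectory module and read access to the domain, and only reads trust objects.

```powershell
# Added example, not from the course slides. Assumes the ActiveDirectory module and
# read access to the domain; it only reads trust objects.
Import-Module ActiveDirectory

$local = (Get-ADDomain).DNSRoot

$report = foreach ($trust in Get-ADTrust -Filter *) {
    # Direction is relative to the local domain: Outbound means the local domain is the
    # trusting side (it accepts the partner's authentication for its own resources);
    # Inbound means the local domain is the trusted identity store for the partner.
    $role = switch ("$($trust.Direction)") {
        'Outbound'      { "$local trusts $($trust.Name)" }
        'Inbound'       { "$($trust.Name) trusts $local" }
        'BiDirectional' { "$local and $($trust.Name) trust each other" }
        default         { "direction $($trust.Direction)" }
    }
    [pscustomobject]@{
        Partner       = $trust.Name
        Relationship  = $role
        IntraForest   = $trust.IntraForest              # forest-internal trusts are implicit and transitive
        Transitive    = -not $trust.DisallowTransivity   # property name is spelled this way by the module
        SidFiltering  = $trust.SIDFilteringQuarantined   # expected to be on for external trusts
        SelectiveAuth = $trust.SelectiveAuthentication   # limits which partner users may authenticate here
    }
}

$report | Format-Table -AutoSize
```

An external trust with SidFiltering off or a transitive trust to a domain nobody remembers creating is the kind of finding this listing is meant to make visible; the forest-internal trusts it shows are the ones the slide describes as existing between every pair of domains in a forest.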
-
Stop-and-think part 2
Have you got any questions?
-
Exercises 1 & 2
Now, it's your turn to play!
-
Lab quiz
What can you do with the Initial Configuration Tasks console?
What must you do before starting the dcpromo wizard?
Which tool is used to raise the domain functional level?
-
External references
Review this with VTC videos:
Active Directory Overview
http://www.vtc.com/products/microsoft_windows_server_2008-tutorials.htm
Improved with VTC videos
-
Review this with Microsoft Press book:
Chapter 1
Improved with Microsoft Press book
Introducing Active Directory Domain Services
http://library.supinfo.com/BookDetails.aspx?type=cyberlibris&docId=45006345
-
On The Road Again