TRANSCRIPT
Hosted by
Getting Started With Active Directory
Or How to Bring Logic to Your Company’s 437 Domains
So Who is This Guy Anyway?
Founder and Chief Scientist
Networks Are Our Lives, Inc!
• Network and Directory services design
• Security
• Network Documentation
• Systems management/monitoring deployment
Author of 3 books and over 100 articles and product reviews
Currently with Network Computing
Contact: Networks Are Our Lives, Inc!
1201 Hudson St. – Suite 1003s, Hoboken, NJ 07030
(866) 812-7611
[email protected]
WWW.NAOL.COM
Why You’re Here
Functions and applications driving the update
Just keeping up with the market (or the Joneses)
Windows NT timeline:
• Next week – OEM and retail sales end
• 1/1/2003 – Hot-fixes cost $
• 1/1/2004 – Live support and hot-fixes end
• 1/1/2005 – Online support ends
Easy way to get off helpdesk for 3 days
Our Objectives
Understand Active Directory
• Components
• Terminology
• Structure
• Features and benefits
Identify Best Practices
Implementation Tips
Our Real Objective
Make your life easier!
Assumptions
You know:
• Windows NT 4.0 Server
• TCP/IP
You don’t know:
• Active Directory
• Group Policies, etc.
You are:
• Planning a Windows 2000+ server rollout
• Supporting 50-10,000 users
• Awake
ADS, then, is...
Extension of and replacement for Windows NT domains
The directory service included in Windows 2000+
Based on DNS, LDAP and X.500
Active Directory Services are…
• Secure
• Distributed
• Partitioned
• Replicated
Before AD
Windows NT domains
• Typical organization had master user domains and resource domains
• Each domain needed:
  WINS for NetBIOS names
  DNS for Internet names
  The browser
  Email, application and other directories
Other vendors had true Directory Services:
• Banyan StreetTalk
• Novell NDS (eDirectory)
Why Active Directory
Windows NT domains are limited
• Each domain is an island
• Trusts stink
  Too much work to set up
  They “rot away”
  Large organizations need thousands
• Not scalable
• Single master replication
  If the PDC is down or inaccessible, users can’t change passwords
• No delegation of administration
• Microsoft is forcing us that way
  Exchange 2000 requires AD
Basic Definitions
Forest
A group of domains joined into a common directory. The largest unit in AD.
All domains in a forest share the schema, some administrators and two-way trusts.
Tree
Domains in a forest with a common suffix, e.g. US.AD.widget.com and EURO.AD.widget.com
Domain
Administrative and replication boundary. Conceptually the same as a Windows NT domain, but now corresponds to a DNS domain.
Domain controllers hold all the information about objects (users, groups, computers, etc.) in their domain.
More Definitions
Organizational Units (OU)
Administrative boundary smaller than a domain
Contain objects for administrative or organizational purposes
Site
A group of systems with LAN (10 Mbps) connectivity
Site configuration affects replication
Defined by IP subnets
Global Catalog
A server that contains a subset of attributes for all objects in the forest
Think White Pages
Includes email address and domain (so we can ask the DC for more data)
Final Definitions
Kerberos
• A Public Key Infrastructure based authentication system
Schema
• All the attributes for all the objects are defined in the schema
  Syntax defines the type of data that can be stored in the attribute
• The schema definition for each object class identifies all the possible attributes for the object
• The schema contains a default DACL for each object class
  The default ACL is used when an instance of the object is created in the directory
AD Design Choices
LDAP access
• Protocol was becoming the industry standard
X.500 data model
• Object hierarchy permits subtree-scoped queries
• Schema defines attributes and object classes
Attribute-level access control
• Required for data sharing between applications
DNS-integrated object naming
• Enables a globally unique namespace based on the de facto Internet locator service
Security
• Multiple authentication paths, one authorization model
In-place or side-by-side upgrade
• Learned from Novell: offer upgrade flexibility!
Replication Design Choices
Multi-master
• Need local password update
• Approximately “last writer wins”
• Eventual convergence
Attribute granularity
• When an attribute changes, replicate the entire new value
• Reduces network traffic and lost updates versus object granularity
State-based
• Send current state, not a log
• Predictable storage overhead, needed anyway for full sync
• Implies tombstones for deletes
Transitive
• Communicate update to somebody, not everybody
• Big win with mixed link speed – once per slow link
• Automated topology generation (“KCC”)
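To see how these four choices fit together, here is an added toy simulation (not code from the deck or from Microsoft) of two replicas exchanging per-attribute stamps: version, then timestamp, then originating DC decide "last writer wins", sync copies current state rather than a log, and a delete is a stamped tombstone. DC1, DC2, cn=jill and the integer timestamps are constructed for the example.

```powershell
# Added example (not from the deck): toy simulation of multi-master replication with
# per-attribute stamps, "last writer wins", state-based sync and tombstones.
# DC1, DC2 and cn=jill are constructed names; times are integers for brevity.
function New-Replica([string]$Name) { @{ Name = $Name; Objects = @{} } }

# Originating write: bump the attribute's version and stamp it with time and origin.
function Set-Attr($Replica, [string]$Dn, [string]$Attr, $Value, [int]$Time) {
    if (-not $Replica.Objects.ContainsKey($Dn)) { $Replica.Objects[$Dn] = @{} }
    $old = $Replica.Objects[$Dn][$Attr]
    $ver = if ($null -ne $old) { $old.Version + 1 } else { 1 }
    $Replica.Objects[$Dn][$Attr] = @{ Value = $Value; Version = $ver; Time = $Time; Origin = $Replica.Name }
}

# A delete is itself a stamped attribute: the object becomes a tombstone.
function Remove-Obj($Replica, [string]$Dn, [int]$Time) { Set-Attr $Replica $Dn 'isDeleted' $true $Time }

# "Approximately last writer wins": higher version, then later time, then origin name.
function Test-Wins($New, $Old) {
    if ($null -eq $Old) { return $true }
    if ($New.Version -ne $Old.Version) { return $New.Version -gt $Old.Version }
    if ($New.Time -ne $Old.Time) { return $New.Time -gt $Old.Time }
    return $New.Origin -gt $Old.Origin
}

# State-based sync at attribute granularity: copy winning stamps, no change log needed.
function Sync-Replica($From, $To) {
    foreach ($dn in $From.Objects.Keys) {
        if (-not $To.Objects.ContainsKey($dn)) { $To.Objects[$dn] = @{} }
        foreach ($attr in $From.Objects[$dn].Keys) {
            if (Test-Wins $From.Objects[$dn][$attr] $To.Objects[$dn][$attr]) {
                $To.Objects[$dn][$attr] = $From.Objects[$dn][$attr]
            }
        }
        if ($To.Objects[$dn]['isDeleted'].Value) {   # tombstone: drop everything else
            foreach ($k in @($To.Objects[$dn].Keys)) { if ($k -ne 'isDeleted') { $To.Objects[$dn].Remove($k) } }
        }
    }
}

$dc1 = New-Replica 'DC1'; $dc2 = New-Replica 'DC2'
Set-Attr $dc1 'cn=jill' 'description' 'Sales' 1
Sync-Replica $dc1 $dc2
Set-Attr $dc1 'cn=jill' 'description' 'Marketing' 10   # concurrent edits on two DCs
Set-Attr $dc2 'cn=jill' 'telephone'   '555-0100'  11
Set-Attr $dc2 'cn=jill' 'description' 'Support'   12
Sync-Replica $dc1 $dc2; Sync-Replica $dc2 $dc1
"DC1: $($dc1.Objects['cn=jill'].description.Value) / $($dc1.Objects['cn=jill'].telephone.Value)"
"DC2: $($dc2.Objects['cn=jill'].description.Value) / $($dc2.Objects['cn=jill'].telephone.Value)"
Remove-Obj $dc1 'cn=jill' 20                               # delete on DC1 ...
Set-Attr  $dc2 'cn=jill' 'mail' 'jill@ad.widget.com' 21    # ... while DC2 still edits
Sync-Replica $dc1 $dc2; Sync-Replica $dc2 $dc1
"After delete, DC1 attributes: $($dc1.Objects['cn=jill'].Keys -join ',')"
```

Both replicas converge on description "Support" while keeping the telephone written on the other DC (attribute granularity), and after the delete only the tombstone survives on both, the concurrent mail change being lost.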
Logical Structure Relationships
[Diagram: one forest holding two trees. Tree 1: Chevy.GM.COM with child domain Trucks.chevy.gm.com; Tree 2: SAAB.CO.SA with child domain NA.SAAB.CO.SA. Each domain contains nested OUs. The Global Catalog, the Schema and the Objects span the whole forest.]
So What do We Get?
True Multi-Domain Integration
Transitive Trusts
Global Catalog
Group Policy Objects
Controllable Replication
Directory Security
Granular Administration
When to Use Multiple Trees
Public view requires different root domain names
• e.g. Kraft Foods doesn’t want a .PhillipMorris.com suffix
Politics require divisions to keep their names
There is no technical advantage to multiple trees
When to Use Multiple Forests
When, and only when, the service owners of multiple trees don’t trust each other
Multiple forest implementations do NOT:
• Share a common global catalog
  No Exchange GAL
• Trust each other
  You can set up old-style trusts between domains in different forests
Rule of thumb: 1 forest per CIO
Domain Controller Roles
Flexible Single Master Operations (FSMOs)
• 1 per forest:
  Domain Naming Master
  Schema Master
  Time Reference Server
• 1 per domain:
  PDC Emulator
  RID (Relative ID) Master
  Infrastructure Master
KCC/ISTG (generates inter-site topology)
ISM (inter-site messaging)
Global Catalog
Reasons for Creating Domains
Physical location
Network traffic
International differences
Administrative considerations
• All users share restrictions (password length, etc.)
Politics
NOT: defining spheres of administration (OUs can do that)
What are OUs
They are distinct units of administration that can be delegated
They are containers that organize objects and other containers
Examples are geographic locations, projects, cost centers, business units, and divisions
What OUs Can Contain
Users
Printers
Computers
Other OUs
Security Policies
Applications
Groups
File Shares
Reasons for Creating OUs
Enhancing administrative control
Maintaining a consistent number of objects
Controlling application of group policy objects
Holding other OUs
Replacing Windows NT 4.0 resource domains
Remember: Domains are Expensive
Every domain must have a DC
Most should have 2-3 or more
Logins require connectivity to the home DC
Logins generate more traffic than replication
Hierarchical OU Models
Geographic
Object-based
Cost center
Project-based
Division or business unit
Administration
Define an OU Naming Convention
OUs are not part of the DNS namespace
OUs are identified by LDAP and canonical names only
While domains are difficult to reorganize, OUs within domains can be easily renamed or moved
Delegating Administration
The ability to set ACLs for contained objects at OU level means that you can define “who can do what” to a particular object in the OU
• Groups created in OU1 can be administered by Jill
• Groups created in OU2 can be administered by John
[Diagram: OU1’s DACL for “Group” objects grants “Jill can add users”; OU2’s DACL for “Group” objects grants “John can add users”; each OU contains a Group object.]
Delegation of Control Wizard
Good news
• There is a delegation of control wizard
Bad news
• There is no undelegation of control wizard
After delegation of control, the users must be given visibility permissions to the objects/containers they control
Learn to edit and document ACLs
Only delegate control to groups, not users
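The same delegation the wizard performs for OU1 on the previous slide, done by editing the OU’s ACL directly and then exporting it, as an added example (not code from the deck). It delegates to a group rather than a user, adds the visibility rights the slide warns about, and assumes the ActiveDirectory module, an OU named OU1 under a hypothetical ad.widget.com domain and a group OU1-GroupAdmins.

```powershell
# Added example (not from the deck): delegate administration of group objects in
# OU1 to a security group, grant the visibility rights the slide warns about,
# then export the explicit ACEs so the delegation is documented.
# Assumptions: ActiveDirectory module, OU "OU1" and group "OU1-GroupAdmins" exist.
Import-Module ActiveDirectory

$ouDN = 'OU=OU1,DC=ad,DC=widget,DC=com'          # hypothetical OU
$sid  = (Get-ADGroup 'OU1-GroupAdmins').SID       # delegate to a group, never a user

# Resolve the schemaIDGUID of the "group" class instead of hard-coding it
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$groupClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=group)' -Properties schemaIDGUID
$groupGuid  = [guid]::new([byte[]]$groupClass.schemaIDGUID)

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete group objects anywhere under OU1 (objectType = group class)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
    $groupGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 2. Full control over existing group objects only (inheritedObjectType = group class)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $groupGuid))

# 3. Visibility: the delegates must be able to see the OU and list its contents
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren', $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Document it: there is no "undelegation" wizard, so keep a record of the explicit ACEs
Get-Acl -Path "AD:\$ouDN" | Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Export-Csv -Path ".\OU1-acl-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The exported CSV is the record you fall back on when the delegation has to be reversed by hand, since each ACE can then be removed with RemoveAccessRule on the same ACL object.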
ADS Security Features – Review
Objects have an Access Control List (ACL)
Permissions can be delegated to users by a higher authority
Inheritance allows permissions to be propagated to all objects in child containers
Trusts are established among all domains in an ADS forest
• Explicit trusts can be established between domains in foreign forests or legacy NT domains
Group Types
Security Groups
• Allow you to assign permissions
• Allow you to use groups as an e-mail distribution list
• Windows NT uses only security groups
Distribution Groups
• Do not allow you to assign permissions
• Allow you to use groups as an e-mail distribution list
Rules for Group Membership
Universal groups are only available in native mode
Global
• Members: user accounts and global groups from the same domain
• Can be a member of: universal and domain local groups in any domain; global groups in the same domain
Domain Local
• Members: user accounts, universal and global groups from any domain; domain local groups from the same domain
• Can be a member of: domain local groups in the same domain
Universal
• Members: user accounts, universal and global groups from any domain
• Can be a member of: domain local or universal groups in any domain
Group Scopes
Domain Local Group
• Open membership
• Use for access to resources in one domain
Global Group
• Limited membership
• Use for access to resources in any domain
Universal Group
• Open membership
• Use for access to resources in any domain
How Does AD Use DNS?
Windows 2000 uses DNS as a domain locator and name-to-IP translator
• Domain controllers are registered in DNS
• Clients query DNS to locate DCs
Analogous to Internet mail (the MX record)
Better-scaling long-term replacement for NetBIOS Name Services (aka WINS)
Requires DNS servers that support Dynamic Updates (Windows or BIND 8+)
Migrating to AD
Single domain
• Migrate in place
• Clean up later
2-3 domains
• Migrate the “root” domain in place
• Use ADMT for additional domains
  You’re stuck with SIDHistory
Bigger
• Redesign from scratch
• Use 3rd party tools from Aelita or NetIQ
Audience Response
Question?