Date posted: 24-Dec-2015
Uploaded by: walter-daniels
Active Directory Lecture 3 – Domain Services Primer
Learning Goals
• I will be able to install a functionally operable domain server for a Windows Active Directory Domain
• I will be able to organize a Windows Domain to maximize logical design and security
• I will be able to distinguish between different types of Domain Objects
What is AD
• A directory server – a common place for information about groups, people, workstations and security to reside
• One ring to rule them all – the Borg collective – once joined to the domain, a machine trusts the domain and all the security settings that go with it.
Why do we care?
• Single most effective tool for managing security in a distributed environment
• If set up correctly, it can control users, servers and workstations, and audit everything
Evolution of AD
• Windows NT 4
• Windows 2000 – Domain Services – DNS
• Windows 2003 – Internet Integration
• Windows 2008 – Federated Management and Sharing
• Windows 2012 – The clouds are coming!
Standards
• Like the OSI model, AD is built on standards
• X.500
• LDAP compatible
Understanding Domains
• Single Domain
• One spot for an organization
• Container for user and company records
• Trees including domains and sub domains organize different parts of the company together
Some Rules
• Domains are designed to be built around internet names – DNS is an important part of Active Directory
• Public namespace names should be avoided unless you actually own the domain name – otherwise name resolution problems will crop up
• DNS Management – either create a new subdomain for AD (ad.company.com) and let AD run it, or create a new DNS name and let AD run it.
AD Authentication Modes
• NTLM – legacy system in which password hashes were involved in what is sent over the network
• Kerberos – no sending of hashes over the network
• Because of its ability to handle usernames and passwords quickly, securely and from a central store, AD becomes the favorite back end for any single sign-on system
LDAP Naming Convention
Logical Flow
Trusting Relationships
• Explicit Trust – works between domains to create trust between the two partners (external entities)
• Shortcut Trusts – different organizations within the same forest
OUs
• Units for organizing users and objects in the domain
• Security
• Organization
• OUs can be nested inside other OUs
Some More Rules
• OUs should not follow the managerial or political structure of the organization.
• Organize top-level OUs to separate users by department
• Organize between different types of objects (Computers, Servers and Users)
Groups
• Groups are created to manage security on a specific level
• Used for assigning permissions or distributing information (exchange email groups)
• Enterprises will have a TON of these – unrealistic for IT alone to manage
• Managers organize via political levels
• IT manages for permissions
• Managed Groups vs Standard Groups
Domain Controllers
• Domain controllers control the domain – when a domain is created, a database is installed that contains all the information about objects in the domain
• This database is replicated to all domain controllers inside the domain
• Domain controllers should be placed in each physical location served by the domain
• Remember to follow WAN segments
• When the database is changed on one domain controller, the changes are replicated to the other DCs
• For security you may wish to install a domain controller as a “read-only” domain controller. This allows associated applications to read information without being able to make changes
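The following PowerShell puts the rules from the DNS Management, OU, Groups and Domain Controllers slides into one lab build: a new forest in a dedicated AD subdomain, an OU tree split by department and then by object type, an IT-managed security group, and a pre-staged read-only domain controller for a branch site. This is an added example, not part of the lecture; the names ad.company.com, AD, Finance, Engineering, Finance-FileShare-RW, Branch, RODC01 and AD\BranchAdmins are assumptions.

```powershell
# Added example (not from the lecture). Assumed names: ad.company.com, NetBIOS AD,
# departments Finance/Engineering, site Branch, RODC01, delegated group AD\BranchAdmins.
# Run as a local administrator on Windows Server; step 2 reboots the machine.

# Step 1: install the AD DS role plus the RSAT cmdlets used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote this server to the first DC of a new forest. AD runs DNS for its
# own subdomain (ad.company.com) instead of the public company.com zone.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Install-ADDSForest -DomainName 'ad.company.com' -DomainNetbiosName 'AD' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# ... the server reboots here; log back in as a domain admin and continue.

# Step 3: OU layout per the slide rules: top-level OUs separate users by department,
# and each department is split by object type (Users, Computers, Servers).
$domainDN = (Get-ADDomain).DistinguishedName
foreach ($dept in 'Finance', 'Engineering') {
    New-ADOrganizationalUnit -Name $dept -Path $domainDN -ProtectedFromAccidentalDeletion $true
    foreach ($type in 'Users', 'Computers', 'Servers') {
        New-ADOrganizationalUnit -Name $type -Path "OU=$dept,$domainDN" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Step 4: an IT-managed security group used for permission assignment, placed in the
# department OU so its scope is obvious from its position in the tree.
New-ADGroup -Name 'Finance-FileShare-RW' -GroupScope Global -GroupCategory Security `
    -Path "OU=Finance,$domainDN" -Description 'Read/write access to the Finance file share'

# Step 5: a site per WAN segment, then a pre-staged read-only DC account for that
# site. The RODC holds a read-only copy of the database; writes go to a writable DC,
# and the delegated group can finish the promotion without domain admin rights.
New-ADReplicationSite -Name 'Branch'
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'RODC01' `
    -DomainName 'ad.company.com' -SiteName 'Branch' `
    -DelegatedAdministratorAccountName 'AD\BranchAdmins'

# Step 6: verify the OU tree and confirm which DCs are read-only.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN | Select-Object DistinguishedName
Get-ADDomainController -Filter * | Select-Object Name, IsReadOnly, Site
```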