Active Directory Lecture 3 – Domain Services Primer.

Date post: 24-Dec-2015
Upload: walter-daniels

Learning Goals

• I will be able to install a functionally operable domain server for a Windows Active Directory Domain

• I will be able to organize a Windows Domain to maximize logical design and security

• I will be able to distinguish between different types of Domain Objects

What is AD

• A directory server – a common place for information about groups, people, workstations and security to reside

• One ring to rule them all – The Borg collective – Once joined to the domain, one trusts the domain and all the security settings that go with it.

Why do we care?

• Single most effective tool for managing security in a distributed environment

• If set up correctly, it can control users, servers and workstations, and audit everything

Evolution of AD

• Windows NT 4

• Windows 2000 – Domain Services – DNS

• Windows 2003 – Internet Integration

• Windows 2008 – Federated Management and Sharing

• Windows 2012 – The clouds are coming!

Standards

• Like the OSI model, AD is built on standards

• X.500

• LDAP compatible

Understanding Domains

• Single Domain

• One spot for an organization

• Container for user and company records

• Trees, made up of domains and subdomains, organize different parts of the company together

Some Rules

• Domains are designed to be built around internet names – DNS is an important part of Active Directory

• Public namespace names should be avoided unless you actually own the domain name – otherwise name resolution problems will crop up

• DNS Management – Either create a new subdomain for AD (ad.company.com) and let AD run it, or create a new DNS name and let AD run it.

AD Authentication Modes

• NTLM – Legacy system in which hashes of passwords were sent over the network

• Kerberos – No sending of hashes over the network

• Because of its ability to send usernames and passwords quickly, securely and from a central store, AD becomes the favorite of any single sign-on container

LDAP Naming Convention

Logical Flow

Trusting Relationships

• Explicit Trust – Works between domains to create trust between the two partners

• External entities

• Different organizations within the same forest

Shortcut Trusts

OUs

• Units for Organizing Users and Objects in the Domain

• Security

• Organization

• Can create OUs inside OUs

Some More Rules

• OUs should not follow a managerial or political structure of the organization.

• Organize to separate users by top-level department

• Organize between different types of Objects (Computers, Servers and Users)
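
The layout these rules describe, as an added example (not part of the original slides): top-level department OUs, each split by object type. The domain DN is derived from the ad.company.com name used earlier; the department names and the `New-OuIfMissing` helper are hypothetical.

```powershell
# Added example: run on a domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn    = 'DC=ad,DC=company,DC=com'        # DN form of ad.company.com
$departments = 'Finance', 'Engineering'          # hypothetical top-level departments
$objectTypes = 'Users', 'Computers', 'Servers'   # object types named on the slide

function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    # An LDAP filter returns nothing (instead of throwing) when the OU is absent,
    # so the script can be re-run safely.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Protect the OU so it cannot be deleted or moved by accident.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}

foreach ($dept in $departments) {
    $deptDn = New-OuIfMissing -Name $dept -Path $domainDn
    foreach ($type in $objectTypes) {
        New-OuIfMissing -Name $type -Path $deptDn | Out-Null
    }
}

# List the resulting tree as LDAP distinguished names, shallowest first.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    Sort-Object { $_.DistinguishedName.Length } |
    Select-Object -ExpandProperty DistinguishedName
```

Separating object types this way lets a Group Policy or delegated permission be linked to, for example, only the Servers OU of one department.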

Groups

• Groups are created to manage security on a specific level

• Used for assigning permissions or distributing information (exchange email groups)

• Enterprises will have a TON of these – unrealistic for IT to manage

• Managers organize via political levels

• IT manages for permissions

• Managed Groups vs Standard Groups

Domain Controllers

• Domain Controllers Control the Domain – When a domain is created a database is installed that contains all the information about objects in the domain

• This database is replicated to all domain controllers inside the domain

• Domain controllers should be placed in physical locations of the same domain

• Remember to follow WAN Segments

• When the database is changed on one domain controller the changes are replicated on the other DCs

• For security you may wish to install a domain controller as a “read only” domain controller. This would allow associated applications to read information without being able to make changes
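
A check an administrator can run to see the points above in a live domain, as an added example (not part of the original slides): it lists each domain controller with its site and read-only status, then flags replication partners that are failing or stale. The 24-hour threshold is an assumed value.

```powershell
# Added example: requires the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$maxAge = New-TimeSpan -Hours 24   # assumed staleness threshold; tune to your WAN

# Inventory: which DCs exist, where they sit, and which are read-only (RODC).
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog |
    Format-Table -AutoSize

# Replication health: inbound partners of every DC, flagged when the last
# successful replication is older than the threshold or failures are piling up.
$now = Get-Date
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Where-Object {
            $_.ConsecutiveReplicationFailures -gt 0 -or
            ($now - $_.LastReplicationSuccess) -gt $maxAge
        } |
        Select-Object Server, Partner, LastReplicationSuccess,
            ConsecutiveReplicationFailures
}
```

No output from the second loop means every partner replicated successfully within the threshold.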