Enterprise Windows Decisions 2003 (transcript)
Hosted by
Active Directory: Beyond The Basics
Howard Marks, Chief Scientist, Networks are Our Lives, Inc!
Agenda
• Active Directory Security Issues
• Replication and Bandwidth Management
• New Features with Windows 2003 Server
• Multiple forests
Active Directory Security Issues
• Enterprise administrators can “elevate” themselves to administrate a domain
• Directory access can be controlled
Tree Security
• Just as folders and files have ACLs, so do objects in an ADS tree
• A user’s permissions determine what the user or group can do to an object
• This is used to create administrative boundaries within a tree
• An all-powerful Administrator is no longer necessary, but advisable
Assigning Tree Permissions
• ACL information on an object flows down to the child objects of the container when a new object is formed
• Future ACL changes to a parent object must be propagated to child objects to effect changes down the tree
• This is exactly how the file system works
Using Permissions Inheritance
• Permissions flow down to child objects: Full Control granted on a parent OU is inherited by the child OUs
• Preventing inheritance (clearing “Allow inheritable permissions from parent to propagate to this object” on a child OU) stops the flow of permissions
[Diagram: OU hierarchy with Full Control inherited down the tree, and the object security dialog (OK / Cancel / Apply) used to block inheritance on one OU]
Directory Attributes
• An object’s DACL can contain ACEs that protect individual attributes
• Access permissions include: Read attribute, Write attribute, Deny read, Deny write
• Where appropriate, objects also have permissions that control actions, such as:
  • The creation/deletion of child objects
  • Adding or removing an object from a group
Controlling Object Visibility
• Most objects have a default explicit ACE defined that allows the Authenticated Users group to read the object
• If you wish to limit the visibility of objects, this ACE must be removed
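An added example (not from the slides) of auditing the visibility rule above: it walks an OU and reports, per object, whether an ACE granting Authenticated Users read access is present and whether it is explicit or inherited. It assumes the ActiveDirectory module with its AD: drive; the search base is a placeholder.

```powershell
# Added example, not code from the presentation. Assumes the ActiveDirectory
# module (AD: drive) and a placeholder OU 'OU=Restricted,DC=example,DC=com'.
Import-Module ActiveDirectory

function Get-AuthenticatedUsersReadState {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Authenticated Users is the well-known SID S-1-5-11.
    $authUsersSid = 'S-1-5-11'
    # GenericRead is the mask carried by the default read ACE
    # (ReadProperty, ListChildren, ListObject, ReadControl).
    $genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * | ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        # Both explicit and inherited ACEs, with identities resolved to SIDs.
        $readAces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq $authUsersSid -and
                $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                (([int]$_.ActiveDirectoryRights) -band $genericRead) -eq $genericRead
            }
        [pscustomobject]@{
            DistinguishedName      = $_.DistinguishedName
            ObjectClass            = $_.ObjectClass
            AuthenticatedUsersRead = [bool]$readAces
            # True when the read ACE is the object's own (the default), not inherited.
            ExplicitAce            = [bool]($readAces | Where-Object { -not $_.IsInherited })
        }
    }
}

# Example run: list the objects whose visibility has been restricted (placeholder OU).
Get-AuthenticatedUsersReadState -SearchBase 'OU=Restricted,DC=example,DC=com' |
    Where-Object { -not $_.AuthenticatedUsersRead }
```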
Delegate Access Control at the OU
• Delegate permissions to create and delete all objects of a specific type
[Diagram: OU tree containing a Users OU; the delegated ACE on the Users OU has Object Type = User, Permissions = Create Child, Delete Child]
Delegating Permissions and Rights at the Object Property Level
• Delegate permissions to administer a specific property for all objects of a certain type
[Diagram: OU tree containing a Groups OU; the delegated ACE on the Groups OU has Inherit Object Type = Group, Object Type = Group Membership, Permissions = Read Property, Write Property, Inheritance = Inherit Only]
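An added example (not from the slides) implementing both delegations described in the two slides above, the OU-level Create Child / Delete Child on user objects and the property-level, inherit-only Read/Write Property on group membership. It assumes the ActiveDirectory module; the OUs under DC=example,DC=com and the EXAMPLE\HelpDesk group are placeholders.

```powershell
# Added example, not code from the presentation. Placeholders: OU=Users and OU=Groups
# under DC=example,DC=com, and the group EXAMPLE\HelpDesk receiving the delegation.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve a class or attribute schemaIDGUID from the schema instead of hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $entry = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                          -Properties schemaIDGUID
    [guid]$entry.schemaIDGUID
}

function Add-DelegationAce {
    # Append one ACE to the OU's DACL; the ACE's own flags decide how it inherits downward.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    $path = 'AD:\' + $OuDistinguishedName
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $path -AclObject $acl
}

$account  = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'HelpDesk')
$delegate = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 1. OU level: Create Child / Delete Child limited to the user class, on the Users OU
#    and every container beneath it (inheritance = All).
$createDeleteUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-SchemaGuid 'user'),                                           # Object Type = User
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
Add-DelegationAce 'OU=Users,DC=example,DC=com' $createDeleteUsers

# 2. Property level: Read/Write Property on the member attribute only, inherit-only
#    (Descendents), applied only to group objects under the Groups OU.
$editMembership = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-SchemaGuid 'member'),                                         # Object Type = Group Membership
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # Inherit Only
    (Get-SchemaGuid 'group'))                                          # Inherit Object Type = Group
Add-DelegationAce 'OU=Groups,DC=example,DC=com' $editMembership
```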
Active Directory Sites
• A site is one or more TCP/IP subnets with good network connectivity
• Sites are used to isolate replication traffic
[Diagram: two sites, each with its own domain controller; a user logs on to the domain controller in the local site, and replication between the sites is controlled]
Types of Replication
[Diagram: Site 1 and Site 2, each holding domain controllers for domains A, B and C; replication between domain controllers inside a site is intra-site replication, replication across the site boundary is inter-site replication]
Types of Replication
• Intrasite replication
  • Frequent
  • Uses IP and RPCs
• Intersite replication
  • Scheduled: frequency, allowable hours
  • Route controlled via assigned costs
  • Can use RPCs or SMTP
Examining Site Locations
• If there is no domain controller:
  • No replication traffic
  • No logon traffic to and from the business location
  • The business location does not need to be a separate site
• If there is a domain controller:
  • There is replication traffic to and from the business location
  • There may not be any logon traffic
  • Determine whether the location should be a site
Determining Connectivity and Available Bandwidth
• Only subnets that are considered fast, inexpensive, and reliable should be combined into a site
• Consider controlling replication traffic and logon requests
• An important consideration is available bandwidth
Planning Sites to Control Workstation Logon Traffic
Defining Sites
• Workstations always look to the local site for a Domain Controller
Disadvantages of Multiple Sites in a Single Location
• If a local site Domain Controller is not available, the workstation may log onto a DC anywhere on the WAN
Planning Sites to Control Replication Traffic
Multiple Sites in Replication
• Replication time and the transport (RPC or SMTP) can always be specified
• Replication traffic is always compressed, reducing traffic 10% to 12%
Network Replication Traffic
• Only changed attributes on changed objects are replicated
Planning Sites to Control Both Logon and Replication Traffic
A balancing act between:
• The organization’s need to access directory information quickly
• Speed and reliability of network links
Decide if Domains are a better solution
• Refer to prior section
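An added example (not from the slides) that applies the site-planning decisions above: it makes a branch location its own site, binds its subnet so workstations look locally for a DC, and sets the intersite controls the replication slides list (transport, frequency, link cost, allowable hours). It assumes the ActiveDirectory module of Windows Server 2012 or later and a hub site named Default-First-Site-Name; the site name and subnet are placeholders.

```powershell
# Added example, not code from the presentation. Assumes the ActiveDirectory module
# (Windows Server 2012+ cmdlets); 'Branch' and 10.20.0.0/16 are placeholder values.
Import-Module ActiveDirectory

function New-BranchSite {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$SubnetCidr,
        [string]$HubSite = 'Default-First-Site-Name',
        [int]$Cost = 200,             # higher cost = less preferred route between sites
        [int]$FrequencyMinutes = 180  # intersite replication is scheduled, not immediate
    )
    # A site is one or more subnets with good connectivity; mapping the subnet to the
    # site is what makes workstations there look to this site for a DC first.
    New-ADReplicationSite -Name $SiteName
    New-ADReplicationSubnet -Name $SubnetCidr -Site $SiteName

    # Site link over IP (RPC); SMTP is the alternative transport the slides mention.
    $linkName = "$HubSite-$SiteName"
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $HubSite, $SiteName `
        -Cost $Cost -ReplicationFrequencyInMinutes $FrequencyMinutes `
        -InterSiteTransportProtocol IP

    # Allowable hours: only 18:00 to 06:00, so the WAN link is free during the day.
    # SetDailySchedule takes a same-day range, so the overnight window is two calls.
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()
    $hour   = [System.DirectoryServices.ActiveDirectory.HourOfDay]
    $minute = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
    $schedule.SetDailySchedule($hour::Eighteen, $minute::Zero, $hour::TwentyThree, $minute::FortyFive)
    $schedule.SetDailySchedule($hour::Zero, $minute::Zero, $hour::Five, $minute::FortyFive)
    Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

    Get-ADReplicationSiteLink -Identity $linkName -Properties Cost, ReplicationFrequencyInMinutes
}

# Example run with placeholder values.
New-BranchSite -SiteName 'Branch' -SubnetCidr '10.20.0.0/16'
```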
Windows 2003 Server AD Improvements
• Domain Rename
• Schema Redefine (schema change undo)
• Application mode
• Improved Group Policy Management
• Cross-Forest Trust
• Improved Group Membership replication
• Better branch office support
Domain Rename
You can now:
• Change DNS and/or NetBIOS name of domain
• Move domain position in forest
• Create new tree
You still can’t:
• Change which domain is the forest root
• Split off domain or add domain to forest
• Reuse names (OK, you can in 2 steps)
• Rename domains with Exchange 2000 servers in them
Domain Rename Limitations
• All DCs must be online
  • DCs that can’t participate are ejected from domain
• All DCs reboot in process
• All stations must reboot twice
  • NT 4 stations must be rejoined manually
• Forest must be in
Ownership Concept
• In Windows NT Domains a single “person” owned the whole pie
• AD allows us to separate into 2 roles:
  • Service owner: responsible for service availability
  • Data owner: responsible for data maintenance, day-to-day administration
The Forest Owner Role
• Service owner
  • Ultimately responsible for the delivery of directory services in the forest
  • Sets policy and process for changes to shared configuration and schema
  • Gatekeeper for new domains
• Domain owners are service owners
• Must be carefully managed
Forest Model #1: Strong Central Control
• All business units (Division 1, Division 2, Division 3) share centralized DS infrastructure
Model #2: Hybrid/Subscription
• Business units (Division 1, Division 2, Division 3) opt in to or out of centralized infrastructure
Model #3: Distributed Infrastructure
• Each business unit (Division 1, Division 2, Division 3) maintains separate DS infrastructure
Assign Forests
[Chart: forest options plotted against administrative autonomy (distributed to centralized) and collaboration (low to high): multiple forests, multiple forests with MMS, subscription forest, single forest]
Identify Candidate Forest Owners
• What IT groups are chartered to deliver NOS directory services?
• Common to find multiple groups
  • Owners of Master User Domains (MUDs)
  • Previously-deployed forests
  • The anti-social
  • Legal reasons
• Create list of candidate forest owners
Forest Participation Criteria
• Satisfied with terms of service
  • Schema, config change control policies
  • Disaster recovery
• Security considerations
  • Trust forest owner and all domain owners
  • DCs placed in secure locations
• Have clear forest ownership
  • Attempting to share forest management may present organizational challenges
  • Do not extend forest management across multiple outsourcers
Inter-forest Implications
• No automatic trust
  • Explicit trust is one-way, non-transitive
  • Fixable in 2003
• Kerberos not available between forests
  • No mutual authentication
• Global catalog has forest scope
  • Aggregate view across forests requires synchronization technology
    • Microsoft Metadirectory Services (MMS)
    • Simple Sync