
Chapter 4: Planning the Active Directory and Security

Learning Objectives
- Explain the contents of the Active Directory
- Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
- Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security
- Plan how to use groups, group policies, and security templates
- Plan IP security measures

Windows NT Domain Structure
- Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
- One primary domain controller (PDC) has the master copy of the SAM
- One or more backup domain controllers (BDCs) have backup copies of the SAM

Figure 4-1 Windows NT SAM architecture: one PDC holding the primary SAM, several BDCs each holding a backup SAM, and the domain resources served from them

Windows 2000 Active Directory
- Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory

Figure 4-2 Domain objects in the Active Directory

Multimaster Replication
- Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that each store the Active Directory and replicate it to each other. Each DC is a master in its own right, so replication does not stop when one DC is down.

Figure 4-3 Windows 2000 Active Directory architecture: several DCs, each holding its own copy of the Active Directory and the domain objects

Schema
- Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

Example Schema Characteristics of the User Account Class
- Unique object name
- Globally unique identifier (GUID) associated with each object name
- Required attributes
- Optional attributes
- Syntax of how attributes are defined
- Pointers to parent entities

Example User Account Attributes
- Username
- User's full name
- Password

Figure 4-4 Sample schema information for user accounts: object classes (user account, computer, printer, domain); for the user account class, the object name, GUID, required attributes (username, user's full name, password), optional attributes (account description, remote access OK), syntax, and parent relationships

Default Object Classes
- Domain
- User account
- Group
- Shared drive
- Shared folder
- Computer
- Printer

Object Naming
- Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer
- Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name
- Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user

Namespace
- Namespace: A logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution

Types of Namespaces
- Contiguous namespace: A namespace in which every child object contains the name of its parent object
- Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object

Active Directory Elements
- Domains
- Organizational units (OUs)
- Trees
- Forests
- Sites

Figure 4-5 Active Directory hierarchical containers: a forest containing domain trees, the trees containing domains, the domains containing OUs, with sites A, B, and C spanning the containers

Functions of a Domain
- Provide a security boundary for objects in a common relationship
- Establish a set of data to be replicated among DCs
- Expedite management of a set of objects

Figure 4-6 Single domain: one domain (the security and management boundary) with its DCs serving two intranets and the Internet connection

Figure 4-7 Using multiple domains: separate domains for the South Carolina site and the site in Japan, each with its own DCs, connected by satellite links

Domain Creation Dos and Don'ts

Do's
- Create a domain in circumstances that require special security measures between organizational groupings, such as departments, units, or divisions
- Create a domain for specialized management of particular resources (often also related to the security and network architecture)
- Create a domain to migrate Windows NT servers to Windows 2000
- Create a domain when geography or WAN links make it difficult to replicate DCs between organizational groupings, such as departments, units, or divisions

Don'ts
- Create domains that represent the organizational structure, because frequent reorganizations result in major restructuring of domains and the Active Directory
- Create domains along business process divisions, which are often political divisions within an organization, because new management may redefine business process activities, resulting in a major restructuring of domains and the Active Directory

Functions of an OU
- Group related objects, such as user accounts and printers, for easier management
- Reflect the structure of an organization
- Group objects to be administered using the same group policies

Figure 4-8 OUs used to reflect the divisional structure of a company: the grocery.com domain with Manufacturing Division, Retail Division, and Distribution Division OUs, each served by DCs

Design Tips for Using OUs
- Limit OUs to 10 levels or fewer
- OUs use fewer CPU resources when they are set up horizontally instead of vertically
- Each request through an OU level requires CPU time in a search
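The naming definitions above (common name, distinguished name, relative distinguished name), the contiguous versus disjointed namespace distinction, and the 10-level OU tip can all be checked mechanically. The following Python is an added example, not code from the textbook: it parses LDAP-style distinguished names, derives the CN and the parent container, counts OU nesting against the 10-level limit, and tests whether one DNS name sits inside another's namespace. All sample names are constructed.

```python
"""Object naming and namespace checks for Active Directory planning.

Added example, not from the textbook: an LDAP-style distinguished name
parser plus the namespace and OU-depth checks. All sample names are
constructed for illustration.
"""
from __future__ import annotations

MAX_OU_DEPTH = 10  # the chapter's design tip: limit OUs to 10 levels or fewer


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) components,
    most specific first, as written. A backslash escapes the next
    character, so 'CN=Doe\\, Jane' keeps its comma inside the value."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    components: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"component {part!r} has no '=' separator")
        components.append((attr.strip().upper(), value.strip()))
    return components


def join_dn(components: list[tuple[str, str]]) -> str:
    """Inverse of split_dn: re-escape commas inside values."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in components)


def common_name(dn: str) -> str:
    """The object's CN: the leftmost component of its DN."""
    attr, value = split_dn(dn)[0]
    if attr != "CN":
        raise ValueError(f"leftmost component is {attr}, not CN")
    return value


def parent_dn(dn: str) -> str:
    """The DN of the container holding the object: everything after the
    object's own (relative) name."""
    return join_dn(split_dn(dn)[1:])


def ou_depth(dn: str) -> int:
    """How many OU containers the object is nested inside."""
    return sum(1 for attr, _ in split_dn(dn) if attr == "OU")


def ou_depth_ok(dn: str) -> bool:
    """True when the object respects the 10-level OU limit."""
    return ou_depth(dn) <= MAX_OU_DEPTH


def is_contiguous(child: str, parent: str) -> bool:
    """DNS-style namespace test: in a contiguous namespace the child's
    name contains its parent's full name as a suffix (east.tracksport.com
    under tracksport.com). A name that shares no suffix, such as 2m.com
    next to partsplus.com, is a disjointed namespace."""
    child = child.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    return child != parent and child.endswith("." + parent)


if __name__ == "__main__":
    dn = "CN=Mary Gardner,OU=Retail Division,DC=grocery,DC=com"  # constructed
    print(common_name(dn), "|", parent_dn(dn), "| OU depth", ou_depth(dn))
    print(is_contiguous("east.tracksport.com", "tracksport.com"),
          is_contiguous("2m.com", "partsplus.com"))
```

The parser handles the one escaping rule that trips up naive `split(",")` code (a comma inside a value), and `ou_depth_ok` is the kind of check a planning script can run over every object DN before a structure goes past the chapter's 10-level recommendation.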

OU Creation Dos and Don'ts

Do's
- Create OUs, as needed, to represent the organizational structure of departments, units, and divisions for different policies and to delegate administration
- Create OUs, as needed, to represent objects in the Active Directory that have similar policies, security, or other characteristics, such as shared printers or shared disk drives
- Create OUs, as needed, to represent specific project areas, such as for employees who are temporarily helping with the installation of a new client/server system
- Create OUs, as needed, to represent the business process or political functions in an organization, such as an OU for the president's office, one for the business office, and one for each research group in a health research organization

Don'ts
- Create OUs more than 10 layers deep
- Create more OUs than absolutely necessary
- Create OUs for major security boundaries when this can be handled by a domain or by sites (discussed later), such as for IP traffic control
- Create OUs for DC replication

Characteristics of a Tree
- Member domains are in a contiguous namespace
- Member domains can compose a hierarchy
- Member domains use the same schema for common objects
- Member domains use the same global catalog

Global Catalog
- Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

Global Catalog Functions
- Authenticating users
- Providing lookup and access to resources in all domains
- Providing replication of key Active Directory elements
- Keeping a copy of the most frequently used attributes for all objects

Figure 4-9 Tree with hierarchical domains: tracksport.com at the root, with child domains east.tracksport.com, west.tracksport.com, north.tracksport.com, and south.tracksport.com joined to it by two-way trusts

Kerberos Transitive Trust
- Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used

Trusted and Trusting Domains
- Trusted domain: A domain that has been granted security access to resources in another domain
- Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers
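To make the trusted/trusting direction and transitivity concrete, here is an added Python model (not from the textbook) of the tree in Figure 4-9. It records each two-way Kerberos trust as a pair of one-way trusts and answers, for an account in one domain and a resource in another, whether a chain of trusts admits the account. The one-way, non-transitive trust to legacy-nt.local is an assumed extra domain, included only to contrast with Kerberos transitive trusts.

```python
"""Trust relationships: which accounts can reach which domain's resources.

Added example, not from the textbook. The tracksport.com tree mirrors
Figure 4-9; the one-way non-transitive trust to legacy-nt.local is an
assumed extra, added only to contrast with Kerberos transitive trusts.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain that opens its resources to the other domain
    trusted: str      # domain whose accounts are granted that access
    transitive: bool  # Kerberos trusts inside a tree are transitive


@dataclass
class TrustMap:
    trusts: list[Trust] = field(default_factory=list)

    def two_way_kerberos(self, parent: str, child: str) -> None:
        """A Kerberos transitive trust is a pair of one-way trusts."""
        self.trusts.append(Trust(parent, child, True))
        self.trusts.append(Trust(child, parent, True))

    def one_way(self, trusting: str, trusted: str) -> None:
        """Single-direction, non-transitive trust (assumed here for contrast)."""
        self.trusts.append(Trust(trusting, trusted, False))

    def trust_path(self, resource_domain: str, account_domain: str) -> list[str] | None:
        """Chain of domains from the resource's (trusting) domain to the
        account's (trusted) domain, or None when no trust admits the account.
        A non-transitive trust is usable only as the single, direct hop."""
        if resource_domain == account_domain:
            return [resource_domain]
        queue = deque([[resource_domain]])
        expanded = {resource_domain}
        while queue:
            path = queue.popleft()
            here = path[-1]
            for t in self.trusts:
                if t.trusting != here:
                    continue
                if not t.transitive and len(path) > 1:
                    continue  # cannot pass through a non-transitive trust
                if t.trusted == account_domain:
                    return path + [t.trusted]
                if t.transitive and t.trusted not in expanded:
                    expanded.add(t.trusted)
                    queue.append(path + [t.trusted])
        return None

    def can_access(self, account_domain: str, resource_domain: str) -> bool:
        """True when an account from account_domain can be granted access
        to resources in resource_domain through the recorded trusts."""
        return self.trust_path(resource_domain, account_domain) is not None


def build_tracksport() -> TrustMap:
    """The tree from Figure 4-9 plus one assumed legacy trust."""
    tm = TrustMap()
    for child in ("east", "west", "north", "south"):
        tm.two_way_kerberos("tracksport.com", f"{child}.tracksport.com")
    tm.one_way(trusting="east.tracksport.com", trusted="legacy-nt.local")  # assumed
    return tm


if __name__ == "__main__":
    tm = build_tracksport()
    print(tm.trust_path("east.tracksport.com", "west.tracksport.com"))
    print(tm.can_access("legacy-nt.local", "east.tracksport.com"),
          tm.can_access("legacy-nt.local", "tracksport.com"))
```

Reading a returned path from the resource's domain outward follows the chapter's terminology: each hop goes from a trusting domain to a domain it trusts. The legacy case shows why the chapter stresses the word transitive: accounts from the assumed legacy domain reach east.tracksport.com directly, but not the parent domain, because the second hop would have to pass through a non-transitive trust.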

Tree Creation Dos and Don'ts

Do's
- Define main domains before defining a tree
- Plan the hierarchy of domains and use of OUs before creating a tree
- Define a tree when you have domains in different countries so that you can set up each domain to use a language native to the country where it resides
- Define a tree if you are planning multiple domains that will be administered at different sites by different people
- Create a tree and multiple domains when WAN connectivity is slow between distant sites, because global catalog replication transfers less information and requires less bandwidth than DC replication

Don'ts
- Define a tree prior to creating the first domain
- Define a tree if you can use a single domain structure (a better alternative than using trees, if possible)
- Define a tree if you must use a disjointed namespace

Planning Tip
- Make sure each tree has at least one DC that is also configured as a global catalog
- Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

Characteristics of a Forest
- Member trees use a disjointed namespace (but contiguous namespaces within trees)
- Member trees use the same schema
- Member trees use the same global catalog

Single Forest
- Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

Figure 4-10 A forest: one forest (partsplus.com) holding three trees with disjointed namespaces: partsplus.com (toronto, montreal, and detroit child domains), 2m.com (greenville, florence, and atlanta child domains), and chelos.com (mexicocity, oaxaca, monterrey, puebla, and valencia child domains)

Separate Forest
- Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

Figure 4-11 Separate forest model: forest books.com (health.books.com and cook.books.com) alongside forest printers.com (hardback.printers.com, paperback.printers.com, and textbook.printers.com)

Forest Creation Dos and Don'ts

Do's
- Create a forest to join trees/domains that can share schemas and global catalogs
- Create a single forest when there is no need to separate internal and external DNS resources between trees
- Create separate forests when the internal and external DNS resources must be kept separate between two or more forests
- Establish a forest's name by using the name of the root domain or first domain in the first tree

Don'ts
- Create forests when the member trees have little in common or cannot share the same schema
- Create a single or separate forest until you understand the security needs of all domains, trees, and potential forests
- Create a separate forest when there is a possibility that the forests may merge into a single forest in the future
- Create a separate forest when the member forests must have a Kerberos transitive trust between them

Design Tip
- When you create a separate forest structure, remember that:
  - Replication cannot take place between forests
  - The forests use different schemas and global catalogs
  - The forests cannot be easily blended into a single forest in the future

Site
- Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

Characteristics of a Site
- Reflects one or more interconnected subnets (512 Kbps or faster)
- Reflects the same boundaries as the LAN
- Used for DC replication
- Enables clients to access the closest DC
- Composed of servers and configuration objects

Site Links
- Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
- Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links

Figure 4-12 Site link bridge: Site A, Site B, and Site C joined by Link 1 and Link 2 through a router, with a bridge link combining them
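The site definition above says a site groups IP subnets so that a client is sent to a nearby DC. The Python below is an added example, not from the textbook and not Windows' own DC locator: it maps a client address to a site by longest-prefix match, lists the DCs in that site, and runs two planning checks (a subnet claimed by two sites, and clients whose subnet no site covers). The site names, subnets, and DC names are constructed.

```python
"""Subnet-to-site lookup: how a site steers a client to a nearby DC.

Added example, not from the textbook. The sites, subnets and DC names are
constructed, and the lookup is a model of the behaviour the chapter
describes (a site groups IP subnets; clients are pointed at a DC in their
own site), not Windows' own DC locator.
"""
from __future__ import annotations
from itertools import combinations
import ipaddress

# Constructed: site name -> (its IP subnets, the DCs located in it)
SITES: dict[str, tuple[list[str], list[str]]] = {
    "Site A": (["10.1.0.0/16", "10.2.0.0/24"], ["dc1.grocery.com", "dc2.grocery.com"]),
    "Site B": (["10.3.0.0/16"], ["dc3.grocery.com"]),
    "Site C": (["192.168.40.0/22"], ["dc4.grocery.com"]),
}


def site_for(client_ip: str, sites=SITES) -> str | None:
    """Longest-prefix match of the client's address against every site's subnets."""
    addr = ipaddress.ip_address(client_ip)
    best, best_len = None, -1
    for site, (subnets, _) in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = site, net.prefixlen
    return best


def closest_dcs(client_ip: str, sites=SITES) -> list[str]:
    """DCs in the client's own site. A client on a subnet no site covers
    cannot be placed, so every DC is a candidate and authentication may
    end up crossing a WAN link, which is what site planning is meant to avoid."""
    site = site_for(client_ip, sites)
    if site is None:
        return sorted(dc for _, dcs in sites.values() for dc in dcs)
    return list(sites[site][1])


def overlapping_subnets(sites=SITES) -> list[tuple[str, str, str, str]]:
    """Planning check: a subnet assigned to two sites makes placement ambiguous."""
    owned = [(site, ipaddress.ip_network(c)) for site, (subs, _) in sites.items() for c in subs]
    return [(s1, str(n1), s2, str(n2))
            for (s1, n1), (s2, n2) in combinations(owned, 2)
            if s1 != s2 and n1.overlaps(n2)]


def unplaced_clients(client_ips: list[str], sites=SITES) -> list[str]:
    """Clients whose subnet is not assigned to any site."""
    return [ip for ip in client_ips if site_for(ip, sites) is None]


if __name__ == "__main__":
    for ip in ("10.2.0.17", "10.3.9.9", "192.168.43.2", "172.16.0.1"):  # constructed
        print(ip, site_for(ip), closest_dcs(ip))
    print(overlapping_subnets())
```

The two checks at the end are the planning side of the chapter's advice: an address that no site covers is a client that will authenticate against whatever DC it finds, possibly across a slow link, and a subnet claimed by two sites is a design error that makes the answer depend on which site happens to be examined first.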

Site Creation Dos and Don'ts

Do's
- Create sites to reflect interconnected high-speed IP subnets
- Create sites on medium and large sized networks to enable fast connectivity for users and for DCs
- Create additional sites on medium and large sized networks when user connectivity and DC replication are experiencing slow response
- Create sites to enable ring-based DC fault tolerance
- Create one or more sites for a domain that encompasses two or more far-reaching geographic locations

Don'ts
- Create sites for small networks that have no IP subnets
- Create sites for IP links that have less than 128 Kbps of available bandwidth
- Create extra sites to improve network performance without first determining what network congestion factors are causing poor performance

Design Tip
- Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
- Use sites to enhance network performance by optimizing authentication and replication

Active Directory Guidelines
- Keep the Active Directory implementation as simple as possible
- Implement the least number of domains possible
- Implement only one domain on most small networks
- Use OUs to reflect the organizational structure (instead of using domains for this purpose)
- Create only the number of OUs that are necessary
- Do not create OUs more than 10 levels deep
- Use domains for natural security boundaries
- Implement trees and forests only as necessary
- Use trees for domains that have a contiguous namespace
- Use forests for multiple trees that have disjointed namespaces between them
- Use sites in situations where there are multiple IP subnets and geographic locations to improve performance

Basic Types of Active Directory Security
- Account or interactive logon security
- Object security
- Services security

Interactive Logon Security
- DC checks that the user account is in the Active Directory
- DC verifies the exact user account name and password

Object Security
- Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
- Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer

Typical ACL Types of Information
- User account(s) that can access an object
- Permissions that determine the type of access
- Ownership of the object

Typical Object Permissions
- Deny: No access to the object
- Read: Access to view or read the object's contents
- Write: Permission to change the object's contents or properties
- Delete: Permission to remove an object
- Create: Permission to add an object
- Full Control: Permission for nearly any activity

Figure 4-13 Special permissions for a folder

Troubleshooting Tip
- Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the deny permissions associated with that user's account

Services Security
- Windows 2000 enables you to set up security on individual services, such as DHCP

Figure 4-14 DHCP security

Using Groups
- Set up security groups of user accounts as a way to more easily manage security

Figure 4-15 DHCP Administrators group
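The object-security slides above describe ACL entries, the permission types, Deny taking precedence over everything else, and groups as the unit of security management. The following Python is an added example, not from the textbook: it evaluates a user's access against a constructed ACL on the folder Databases, expands group membership (including nested groups), and reports which entry decided the outcome, which is exactly the check the troubleshooting tip asks for. Accounts, groups, and entries are constructed; the chapter's per-entry "security descriptor" is represented as an access control entry (ACE), the Windows term for one entry in the list.

```python
"""ACL evaluation for a Windows 2000 object, with Deny taking precedence.

Added example, not from the textbook. The accounts, groups and the ACL on
the folder 'Databases' are constructed. The chapter calls each ACL entry a
security descriptor; the code below calls it an access control entry (ACE),
which is the Windows term for one entry in the list.
"""
from __future__ import annotations
from dataclasses import dataclass

PERMISSIONS = ("Read", "Write", "Delete", "Create", "Full Control")


@dataclass(frozen=True)
class Ace:
    trustee: str        # user account or group the entry applies to
    permission: str     # one of PERMISSIONS
    deny: bool = False  # True for a Deny entry, False for an Allow entry


@dataclass
class Acl:
    owner: str          # ownership is one of the ACL's pieces of information
    entries: list[Ace]


def covered(entry_permission: str) -> set[str]:
    """Permissions an entry speaks for; Full Control covers all of them."""
    if entry_permission == "Full Control":
        return set(PERMISSIONS)
    return {entry_permission}


def identities(user: str, groups: dict[str, set[str]]) -> set[str]:
    """The user plus every group containing the user, following nesting."""
    ids = {user}
    grew = True
    while grew:
        grew = False
        for group, members in groups.items():
            if group not in ids and members & ids:
                ids.add(group)
                grew = True
    return ids


def check_access(acl: Acl, user: str, groups: dict[str, set[str]],
                 permission: str) -> tuple[bool, str]:
    """Return (allowed, reason). Any matching Deny entry wins over every
    Allow entry, which is why a permissions conflict is resolved by looking
    at the Deny entries that apply to the user's account or groups."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    ids = identities(user, groups)
    matching = [e for e in acl.entries if e.trustee in ids]
    for e in matching:
        if e.deny and permission in covered(e.permission):
            return False, f"denied by Deny {e.permission} entry for {e.trustee}"
    for e in matching:
        if not e.deny and permission in covered(e.permission):
            return True, f"allowed by {e.permission} entry for {e.trustee}"
    return False, "no entry grants this permission"


# Constructed sample: the folder 'Databases' and the account MGardner from the chapter
GROUPS: dict[str, set[str]] = {
    "Sales": {"MGardner", "JLee"},
    "Contractors": {"JLee"},
    "AllStaff": {"Sales", "Contractors"},   # nested groups: every member of both
}
DATABASES_ACL = Acl(owner="Administrator", entries=[
    Ace("AllStaff", "Read"),
    Ace("Sales", "Write"),
    Ace("Contractors", "Write", deny=True),  # contractors may read but not change
    Ace("MGardner", "Delete", deny=True),    # a Deny placed directly on the account
])

if __name__ == "__main__":
    for user, perm in (("MGardner", "Write"), ("JLee", "Write"), ("JLee", "Read"),
                       ("MGardner", "Delete")):
        print(user, perm, check_access(DATABASES_ACL, user, GROUPS, perm))
```

The reason string is the troubleshooting aid: when JLee cannot write to the folder despite being in Sales, the answer names the Deny entry on Contractors rather than leaving the administrator to read the whole ACL by hand.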

Setting Up Members of a Group Chapter 4 Figure 4-15 DHCP Administrators group

Group Policies
- Use group policies to manage security for local servers, OUs, and domains
- Employ security templates when you need to manage several different group policies

Example Areas Covered by Group Policies
- Account policies
- Local server and domain policies
- Event log tracking policies
- Group restrictions
- Service access security
- Registry security
- File system security

Figure 4-16 Security Templates snap-in

IP Security
- IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)

IP Security Policies
- IP security (IPSec) can function in three roles relative to a client:
  - Client (Respond Only), in which the server uses IPSec if the client is using it first
  - Server (Request Security), in which the server uses IPSec by default, but will discontinue using IPSec if it is not supported by the client
  - Secure Server (Require Security), in which the server only communicates via IPSec

Figure 4-17 IP Security Policy Wizard

Troubleshooting Tip
- On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
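The three IPSec roles and the SNMP exemption tip can be expressed as a small decision model. The Python below is an added example, not from the textbook and not the IKE negotiation itself: it decides, for a given policy role, peer, and protocol, whether traffic is protected, sent in the clear, or refused, and lists the flows a policy leaves unprotected. The peers and flows are constructed.

```python
"""Model of the three Windows 2000 IPSec policy roles plus a protocol exemption.

Added example, not from the textbook. It is a simplified decision model of
the chapter's three roles and its SNMP troubleshooting tip, not the IKE
negotiation itself; the peers and flows below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    CLIENT_RESPOND_ONLY = "Client (Respond Only)"
    SERVER_REQUEST_SECURITY = "Server (Request Security)"
    SECURE_SERVER_REQUIRE_SECURITY = "Secure Server (Require Security)"


class Outcome(Enum):
    IPSEC = "protected with IPSec"
    CLEARTEXT = "sent unprotected"
    REFUSED = "refused"


@dataclass(frozen=True)
class Peer:
    name: str
    supports_ipsec: bool
    initiates_ipsec: bool = False  # peer asks for IPSec before this host does


@dataclass
class IpsecPolicy:
    role: Role
    exempt_protocols: set[str] = field(default_factory=set)  # e.g. {"snmp"}

    def decide(self, peer: Peer, protocol: str) -> Outcome:
        if protocol.lower() in self.exempt_protocols:
            return Outcome.CLEARTEXT  # exempted traffic never enters IPSec
        if self.role is Role.CLIENT_RESPOND_ONLY:
            # Uses IPSec only when the other side asks for it first
            if peer.supports_ipsec and peer.initiates_ipsec:
                return Outcome.IPSEC
            return Outcome.CLEARTEXT
        if self.role is Role.SERVER_REQUEST_SECURITY:
            # Asks for IPSec but falls back to cleartext for peers that lack it
            return Outcome.IPSEC if peer.supports_ipsec else Outcome.CLEARTEXT
        # Secure Server: IPSec or nothing
        return Outcome.IPSEC if peer.supports_ipsec else Outcome.REFUSED


def unprotected_flows(policy: IpsecPolicy,
                      flows: list[tuple[Peer, str]]) -> list[tuple[str, str]]:
    """Flows that would cross the network in the clear under this policy.
    Useful when reviewing a Request Security policy, whose fallback is
    silent, or checking what an exemption actually exposes."""
    return [(peer.name, proto) for peer, proto in flows
            if policy.decide(peer, proto) is Outcome.CLEARTEXT]


# Constructed peers: a current workstation and an older device without IPSec
WORKSTATION = Peer("ws01", supports_ipsec=True, initiates_ipsec=True)
OLD_SWITCH = Peer("switch-legacy", supports_ipsec=False)
FLOWS = [(WORKSTATION, "smb"), (OLD_SWITCH, "snmp"), (OLD_SWITCH, "telnet")]

if __name__ == "__main__":
    require = IpsecPolicy(Role.SECURE_SERVER_REQUIRE_SECURITY, exempt_protocols={"snmp"})
    for peer, proto in FLOWS:
        print(peer.name, proto, require.decide(peer, proto).value)
    print(unprotected_flows(IpsecPolicy(Role.SERVER_REQUEST_SECURITY), FLOWS))
```

The unprotected_flows check is the part worth keeping for a review: under Server (Request Security) the fallback to cleartext is silent, so every flow to a device without IPSec is exposed, whereas an SNMP exemption on a Secure Server policy opens exactly one protocol to the older device while everything else from it is still refused.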

Chapter Summary
- Active Directory and security implementation are interrelated
- The Active Directory is a set of services for managing Windows 2000 servers
- Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources
- Use sites to configure network communications for better performance by taking advantage of existing subnets
- Groups and group policies enable you to manage security