How to Succeed with
Active Directory
Robert Williams, PhD
CEO
Secure Logistix Corporation
Presentation Outline
 Demystifying Active Directory
 Active Directory structure
 Interoperability standards adherence
 Common sense planning and deployment tips
What is a Directory Service?
 Stated simply, a directory service is a listing that
helps organize and locate information
 There are two primary components
• Directory store for data
• Services that act on the data
 Service functions include data replication, security
rule enforcement, data distribution … and more
What is Active Directory?
 Microsoft’s Windows 2000/.NET Server
implementation of directory services
 Networked object store and service that locates
and manages resources
 Authenticates users and authorizes their use of resource objects
according to defined rules (access control lists)
Specific Enterprise Functions of AD
 Stores data on every object and its attributes
 Security - authentication, ACL-based access control and domain trusts
 Central point for enterprise administration
 Mechanism for OS interoperability
 Consolidation of divergent directory services
 System to replicate object data
Active Directory Relationships
 Active Directory treats everything as an object: users,
files, computers, devices, etc.
 Access to an object anywhere in the enterprise is possible
(assuming permission)
 DNS resolves computer names and locates domain controllers
during an object query
 LDAP (Lightweight Directory Access Protocol) is the protocol
used to query and modify objects and resolve object locations
 Kerberos v5 (the MIT-developed protocol, RFC 1510) provides
user authentication
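The DNS step in the relationships above is where a client first locates a domain controller, and it is worth seeing concretely. The following is an added example, not code from the presentation: it builds the SRV names a client queries, parses a constructed SRV answer for a hypothetical xyz.com domain, and picks a DC by the RFC 2052/2782 priority-and-weight rules. The domain, site name, host names and records are all assumptions made for the example.

```python
"""Domain controller location via DNS SRV records, as an AD client does it.
Added example (not from the presentation); the SRV answer below is
constructed sample data for a hypothetical xyz.com domain."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2052/2782)
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # DC host name


def srv_names(domain: str, forest_root: str, site: Optional[str] = None) -> Dict[str, str]:
    """DNS names a client queries to find LDAP, Kerberos and Global Catalog
    servers.  Site-specific names come first so that logon traffic stays
    inside the client's own site whenever a DC exists there."""
    d = domain.lower().rstrip(".")
    f = forest_root.lower().rstrip(".")
    names: Dict[str, str] = {}
    if site:
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
        names["kerberos_site"] = f"_kerberos._tcp.{site}._sites.{d}"
    names["ldap"] = f"_ldap._tcp.dc._msdcs.{d}"
    names["kerberos"] = f"_kerberos._tcp.{d}"
    names["gc"] = f"_gc._tcp.{f}"   # the Global Catalog is forest-wide
    return names


# Constructed zone-file style answer for _ldap._tcp.dc._msdcs.xyz.com
SAMPLE_ANSWER: List[str] = [
    "_ldap._tcp.dc._msdcs.xyz.com. 600 IN SRV 0 100 389 dc1.xyz.com.",
    "_ldap._tcp.dc._msdcs.xyz.com. 600 IN SRV 0 0 389 dc2.xyz.com.",
    "_ldap._tcp.dc._msdcs.xyz.com. 600 IN SRV 10 100 389 dc3.xyz.com.",
]


def parse_srv_answer(lines: List[str]) -> List[SrvRecord]:
    """Parse 'name ttl IN SRV priority weight port target' lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue
        records.append(SrvRecord(int(parts[4]), int(parts[5]), int(parts[6]),
                                 parts[7].rstrip(".").lower()))
    return records


def choose_dc(records: List[SrvRecord], rng: Optional[random.Random] = None) -> SrvRecord:
    """RFC 2782 selection: the lowest priority wins; ties are broken by a
    weighted random draw, so a weight of 0 is never chosen while a positive
    weight exists at the same priority."""
    if not records:
        raise LookupError("no SRV records: the client cannot locate a DC")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    weights = [r.weight for r in candidates]
    if sum(weights) == 0:
        return rng.choice(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


if __name__ == "__main__":
    print(srv_names("XYZ.com", "xyz.com", site="Dallas"))
    dc = choose_dc(parse_srv_answer(SAMPLE_ANSWER))
    print(f"LDAP to {dc.target}:{dc.port}")
```

Because clients simply trust whatever these records say, the integrity of the `_msdcs` zone matters: a host that can register its own SRV record there can attract logon traffic, so dynamic updates to the AD zones should be restricted to secure (authenticated) updates.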
Administration of Active Directory
 Permits fine-grained hierarchical management
 Supports delegation of admin functions
 Provides single point for enterprise management
 Supports open standards, APIs and scripting
 Provides backward compatibility with Windows
NT and Novell Directory Services
Active Directory Structure
Active Directory divides itself into Logical and
Physical Structures
 Logical structures include domains, trees, forests and
organizational units (containers for objects), plus the schema
(the definition of the object classes and attributes those
containers may hold)
 Physical Structures include network defined sites
and domain controllers (data locations & stores)
Logical Structure
 Base components are objects and their attributes
 Schema – defines the object classes and the attributes each class may carry
 Objects organized around hierarchical domain
model
 Each domain has its own security permissions and
relationship with other domains
Active Directory Domain
 Hierarchical infrastructure of networked
computers
 Domain – computer systems and network resources that share a
common directory partition, security policy and administrative
boundary (note: the forest, not the domain, is the effective
security boundary, since every domain in a forest trusts every other)
 Domain can cross physical locations and sites
 Viewed as grouping of resources that use a
common domain name (namespace)
Domain Trees
 Multiple domains share common schema, security
relationship, Global Catalog
 Identify domain tree by common, contiguous
namespace
• sales.xyz.com and research.xyz.com are child domains of the
xyz.com domain
• xyz.com is the root domain of the domain tree
Active Directory Domain Tree
 Users log on to a domain within a Windows 2000 domain tree
[Diagram: root domain Domain.com with child domains Products.Domain.com and Sales.Domain.com]
Domain Forest
 A domain forest is formed when a domain tree with a different
namespace is added to an existing forest; a two-way transitive
tree-root trust is created automatically between the new tree
root and the forest root domain
• xyz.com & abc.com become two trees in one forest
 All trees within a forest share a common Global
Catalog, configuration, and schema
 A forest is named after its first domain (the forest root
domain), which is the reference point between trees
Active Directory Forest
 A user logs on to his/her own domain, but can be
granted access to any resource in the forest
[Diagram: two domain trees in one forest: Domain.com with child domains Products.Domain.com and Sales.Domain.com, and Domain2.com with child domains Products.Domain2.com and Sales.Domain2.com]
Organizational Units (OUs)
 Domains can be divided into organizational units
 Organizational units can nest within one another
 Use OUs to reflect departmental divisions or units with
distinct administrative rights and Group Policy
 Administrative delegation of resources is easy to apply to
OU subsets
 OUs are delegation and policy containers, not security
boundaries: a delegated OU administrator still operates inside
the domain, and the domain inside the forest
Active Directory OU
Organizational Units (OUs) are sub-units
within a domain
[Diagram: Domain.com with child domains Products.Domain.com and Sales.Domain.com; Sales.Domain.com subdivided into nested organizational units OU 1 through OU 5, with a user account placed in OU 3]
The user logs on to the Sales.Domain.com domain; the OU only
determines where the account object sits (and which delegated
administrators and Group Policies apply). OUs have no DNS name
of their own and are not logon targets.
Physical Structure
 Mechanism for data communication and
replication
 Two primary components
• Site – one or more well-connected IP subnets (network structural component)
• Domain controller and Global Catalog – physical server that
stores and replicates data
Active Directory Site
 Physical network structure of Active Directory
 Purpose: provides method to regulate inter-subnet traffic
 Primary goal: rapid, economical data transmission
 Do not define sites by location boundaries; define by
reliable communications
 No formal relationship between site and domain … they can
cross each other
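The rule that a site is defined by well-connected subnets rather than by location is applied by the DC locator through a subnet-to-site lookup, and the planning check behind it is easy to script. The following is an added example, not code from the presentation: it maps a client IP to a site by longest matching prefix, as Active Directory's subnet objects do, and reports clients that fall outside every defined subnet and sites that have no subnet at all. The subnet table, site names and addresses are constructed sample data.

```python
"""Client-to-site mapping by longest matching subnet prefix, which is how the
DC locator decides which site a client belongs to.  Added example (not from
the presentation); the subnet table is constructed sample data."""
import ipaddress
from typing import Dict, List, Optional

# Constructed subnet objects (in AD: CN=Subnets,CN=Sites,CN=Configuration,...),
# each linked to a site.  Overlaps are allowed; the most specific prefix wins.
SUBNETS: Dict[str, str] = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Dallas",
    "10.20.5.0/24": "Dallas-Lab",
    "192.168.100.0/24": "Denver",
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Return the site of the longest subnet prefix containing ip, or None
    when no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def unmapped_clients(ips: List[str], subnets: Dict[str, str] = SUBNETS) -> List[str]:
    """Clients outside every defined subnet.  Such clients get no site, so
    they may authenticate against any DC, including one across a slow WAN
    link; run this against the DHCP scopes during planning."""
    return [ip for ip in ips if site_for_ip(ip, subnets) is None]


def sites_without_subnets(sites: List[str], subnets: Dict[str, str] = SUBNETS) -> List[str]:
    """Sites no subnet points at: clients can never be assigned to them."""
    linked = set(subnets.values())
    return [s for s in sites if s not in linked]


if __name__ == "__main__":
    for ip in ("10.20.5.7", "10.20.9.1", "10.3.1.1", "172.16.0.1"):
        print(ip, "->", site_for_ip(ip))
    print("unmapped:", unmapped_clients(["10.20.5.7", "172.16.0.1"]))
    print("empty sites:", sites_without_subnets(["Dallas", "Denver", "Seattle"]))
```

The longest-prefix rule is what lets a broad catch-all subnet coexist with specific ones; the two checks at the end are the ones that catch the usual deployment mistake of adding a new office network without a matching subnet object.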
Domain Controller (DC)
 Server containing copy of Active Directory
 All domain controllers are peers that hold writable, replicated
copies of the directory (multi-master replication; only a few
operations-master roles are single-master)
 DC locates resources and authenticates users
 A Global Catalog server is a domain controller that additionally
holds a partial, read-only replica of every object in the forest,
for rapid forest-wide searching and resource location
 DC assigned to site at installation
Role of the Domain Controller
 Every domain controller maintains information as
part of Active Directory
• Data on every object and container object
• Metadata about other domains in tree or forest
• Listing of all domains in tree or forest
• Location of server with Global Catalog
Adherence to Industry Standards
 Greater interoperability = open standards adherence
• DNS SRV records RFC 2052; DNS Dynamic Update RFC 2136
• Dynamic Host Configuration Protocol RFC 2131
• Kerberos v5 RFC 1510
• Lightweight Directory Access Protocol v3 RFC 2251; LDAP API RFC 1823
• LDAP Schema RFC 2247, 2252, 2256
• Simple Network Time Protocol RFC 1769
• Simple Mail Transfer Protocol RFC 821
• TCP/IP RFC 791, 793
• X.509 v3 Certificates (ITU-T/ISO X.509)
Simplifying Planning/Deployment
 Active Directory planning/deployment is large
task … but not overwhelming
 Start by gathering organizational data
 Design domain model on organizational structure
 Design site & domain controller requirements
based upon network connectivity
Gathering Organizational Data
 Required data readily available
• Start with organization charts to help define domains & OUs
• Define what data resources are shared & restricted
• Ask HR for employee classifications for group policies
• Establish permissions based on common system needs
• Map physical locations & available connectivity
• Review where organizational shifts likely to occur
Domains vs. Organizational Units
 A single domain with OUs is easiest to manage
 A single domain model may not meet the needs of
more complex organizations
 Generally, size and the need for a separate identity are
the critical decision points
When to Use Domain Trees
 Desire for decentralized management
 Unique business activities dictate child domains
 Need to establish unique domain wide policies
 In large organizations, child domains lend
themselves to localized vs. centralized control
When to Use Domain Forest Model
 When separate domain names required
 When radically different business activities exist
 When acquired organizations require trusts
during initial merging of operations
 Joint venture or partnership arrangements where
resources & data must be shared
Restricting Domain Forest Trusts
 Trusts between domains within a forest (parent-child and
tree-root) are created automatically as two-way and transitive;
they cannot be removed or restricted
 Trusts to domains outside the forest (external trusts) are
one-way and NOT transitive; each direction must be created
explicitly
 Create external trusts only in the direction actually needed,
and review them: a trusting domain accepts authentication from
every account in the domain it trusts
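The domain tree and forest slides above describe how trusts arise from the namespace, and this slide describes which of them are transitive; one model covers both. The following is an added example, not code from the presentation: it derives the automatic two-way transitive trusts of a forest from its domain names (parent-child within a contiguous namespace, tree-root between each tree root and the forest root), lets you add an explicit external trust, and answers whether a user from one domain can be authenticated for a resource in another by walking the trust graph. The domain names, including the forest root and the external partner.local domain, are constructed.

```python
"""Trust graph of a forest: automatic trusts from the namespace, explicit
external trusts, and an authentication-path check.  Added example, not from
the presentation; all domain names are constructed."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# (trusting_domain, trusted_domain, transitive): users of the trusted domain
# may be authenticated for resources in the trusting domain.
Trust = Tuple[str, str, bool]


def parent_of(domain: str, domains: Set[str]) -> Optional[str]:
    """The parent is the longest domain in the set that domain is a child of."""
    best = None
    for cand in domains:
        if cand != domain and domain.endswith("." + cand):
            if best is None or len(cand) > len(best):
                best = cand
    return best


def trees(domains: List[str]) -> Dict[str, List[str]]:
    """Group domains into trees keyed by tree root (contiguous namespace)."""
    names = {d.lower() for d in domains}
    result: Dict[str, List[str]] = {}
    for d in sorted(names):
        root = d
        while parent_of(root, names):
            root = parent_of(root, names)
        result.setdefault(root, []).append(d)
    return result


def forest_trusts(domains: List[str], forest_root: str) -> Set[Trust]:
    """Trusts Active Directory creates automatically inside one forest."""
    names = {d.lower() for d in domains}
    root = forest_root.lower()
    trusts: Set[Trust] = set()
    for d in names:
        p = parent_of(d, names)
        if p:                        # parent-child trust, two-way transitive
            trusts.update({(d, p, True), (p, d, True)})
        elif d != root:              # tree-root trust to the forest root
            trusts.update({(d, root, True), (root, d, True)})
    return trusts


def add_external_trust(trusts: Set[Trust], trusting: str, trusted: str,
                       two_way: bool = False) -> None:
    """External trust to a domain outside the forest: never transitive,
    one direction per trust created."""
    trusts.add((trusting.lower(), trusted.lower(), False))
    if two_way:
        trusts.add((trusted.lower(), trusting.lower(), False))


def can_authenticate(trusts: Set[Trust], user_domain: str, resource_domain: str) -> bool:
    """True if a user from user_domain can be authenticated for a resource in
    resource_domain.  A direct trust of either kind suffices; a longer chain
    may only be made of transitive trusts."""
    u, r = user_domain.lower(), resource_domain.lower()
    if u == r or (r, u, True) in trusts or (r, u, False) in trusts:
        return True
    seen, queue = {r}, deque([r])
    while queue:
        cur = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting == cur and transitive and trusted not in seen:
                if trusted == u:
                    return True
                seen.add(trusted)
                queue.append(trusted)
    return False


# Constructed forest: tree xyz.com (forest root) and tree abc.com
FOREST = ["xyz.com", "sales.xyz.com", "research.xyz.com", "abc.com", "products.abc.com"]

if __name__ == "__main__":
    t = forest_trusts(FOREST, "xyz.com")
    add_external_trust(t, "xyz.com", "partner.local")   # xyz.com trusts partner.local
    print(trees(FOREST))
    print(can_authenticate(t, "products.abc.com", "sales.xyz.com"))  # inside forest
    print(can_authenticate(t, "partner.local", "xyz.com"))           # direct external
    print(can_authenticate(t, "partner.local", "sales.xyz.com"))     # would need transitivity
```

Run against the constructed forest, the model shows why the forest rather than the domain is the security boundary: every domain is reachable from every other through the automatic transitive trusts, so a compromised administrator in any domain is a forest-wide problem, whereas the external trust stops after one hop and only in the direction it was created. Windows additionally applies SID filtering to external trusts so that SIDs claimed from outside the trusted domain are discarded.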
Conclusion
 Active Directory is very powerful tool for
enhancing administration and security
 Understanding basic logical & physical structure is
fundamental
 Planning & deployment requires work but not as
overwhelming as press reports
Further Information
 Contact Robert Williams
• [email protected]
 References by Robert Williams
Forthcoming 2002
© Copyright Robert Williams 2002