How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation Presentation Outline Demystifying Active Directory Active Directory structure Interoperability standards adherence
How to Succeed with
Active Directory
Robert Williams, PhD
CEO
Secure Logistix Corporation
Presentation Outline
Demystifying Active Directory
Active Directory structure
Interoperability standards adherence
Common sense planning and deployment tips
What is a Directory Service?
Stated simply, a directory service is a listing that
helps organize and locate information
There are two primary components
• Directory store for data
• Services that act on the data
Service functions include data replication, security
rule enforcement, data distribution … and more
What is Active Directory?
Microsoft’s Windows 2000/.NET Server
implementation of directory services
Networked object store and service that locates
and manages resources
Authenticates authorized use of resource objects
by users according to defined rules
Specific Enterprise Functions of AD
Stores data on every object and its attributes
Security - ACL authentication and domain trusts
Central point for enterprise administration
Mechanism for OS interoperability
Consolidation of divergent directory services
System to replicate object data
Active Directory Relationships
Active Directory treats everything as an object: users,
files, computers, devices, etc.
Access to object anywhere in enterprise is possible
(assuming permission)
DNS resolves computer name during object query
LDAP (Lightweight Directory Access Protocol) resolves
object locations
MIT Kerberos provides user authentication
Administration of Active Directory
Permits finite hierarchical management
Supports delegation of admin functions
Provides single point for enterprise management
Supports open standards, APIs and scripting
Provides backward compatibility with Windows
NT and Novell Directory Services
Active Directory Structure
Active Directory divides itself into Logical and
Physical Structures
Logical Structures include components called
domains, trees, forests, organizational units and
the schema (containers for data)
Physical Structures include network defined sites
and domain controllers (data locations & stores)
Logical Structure
Base components are objects and their attributes
Schema – mechanism for storing object classes
Objects organized around hierarchical domain
model
Each domain has its own security permissions and
relationship with other domains
Active Directory Domain
Hierarchical infrastructure of networked
computers
Domain – Computer systems and network
resources that share common security boundary
Domain can cross physical locations and sites
Viewed as grouping of resources that use a
common domain name (namespace)
Domain Trees
Multiple domains share common schema, security
relationship, Global Catalog
Identify domain tree by common, contiguous
namespace
• Sales.xyz.com and research.xyz.com = child domains to
xyz.com domain
• Xyz.com is root domain for domain tree
Active Directory Domain Tree
Users log on directly to a Windows 2000 domain
tree
[Diagram: root domain Domain.com with two child domains, Products.Domain.com and Sales.Domain.com]
Domain Forest
Domain forests created when domain trees with
different namespaces form trust relationship
• Xyz.com & abc.com become tree when trust established
All trees within forest share common Global
Catalog, configuration, and schema
A forest has no unique name but is reference
point between trees
Active Directory Forest
User logs on to his/her domain, but can be
granted access to any forest resource
[Diagram: two domain trees with root domains Domain.com and Domain2.com; Domain.com has child domains Products.Domain.com and Sales.Domain.com, Domain2.com has child domains Products.Domain2.com and Sales.Domain2.com]
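The tree and forest slides above define a domain tree by a contiguous DNS namespace and locate objects through LDAP. The following added example (not from the presentation) groups a constructed list of domain names from the diagrams into trees by finding each domain's nearest known ancestor, and derives the LDAP distinguished name that locates a domain or an OU inside it; the domain and OU names are taken from the slides' diagrams.

```python
"""Added example: group DNS domain names into domain trees by contiguous
namespace, identify each tree's root, and derive LDAP distinguished names.
The domain names below are constructed to match the presentation's diagrams."""

# Constructed sample: the two trees shown on the forest slide.
DEMO_DOMAINS = [
    "Domain.com", "Products.Domain.com", "Sales.Domain.com",
    "Domain2.com", "Products.Domain2.com", "Sales.Domain2.com",
]

def dns_to_dn(domain, ous=()):
    """Map a DNS domain name plus an optional nested OU path (outermost OU
    first) to the LDAP DN used to locate that container in the directory."""
    ou_part = ",".join(f"OU={ou}" for ou in reversed(ous))
    dc_part = ",".join(f"DC={label}" for label in domain.lower().split("."))
    return f"{ou_part},{dc_part}" if ou_part else dc_part

def parent_of(domain, known):
    """Return the nearest known ancestor sharing a contiguous namespace with
    `domain` (e.g. research.xyz.com -> xyz.com), or None if it is a root."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None

def build_forest(domains):
    """Group domains into trees keyed by root domain. Domains whose namespaces
    are not contiguous form separate trees; the slides call such trees a
    forest once a trust links them."""
    known = {d.lower() for d in domains}
    trees = {}
    # Process shorter names first so every ancestor is placed before its children.
    for d in sorted(known, key=lambda x: (x.count("."), x)):
        parent = parent_of(d, known)
        if parent is None:
            trees[d] = [d]  # no known ancestor: this domain is a tree root
        else:
            root = next(r for r, members in trees.items() if parent in members)
            trees[root].append(d)
    return trees

if __name__ == "__main__":
    for root, members in build_forest(DEMO_DOMAINS).items():
        print(f"tree rooted at {root}: {members}")
    # OU 3 inside Sales.Domain.com, as drawn on the OU slide
    print(dns_to_dn("Sales.Domain.com", ("OU 3",)))
```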
Organizational Units (OUs)
Domains can be divided into organizational units
Organizational units can nest within one another
Use OUs to reflect departmental divisions or units
with unique security and administrative rights
Administrative delegation of resources easy to
apply to OU subsets
Active Directory OU
Organizational units (OUs) are sub-units
within a domain
[Diagram: root domain Domain.com with child domains Products.Domain.com and Sales.Domain.com; Sales.Domain.com is subdivided into nested OUs (OU 1, OU 2, OU 3, OU 4, OU 5), e.g. OU 3.Sales.Domain.com; the user logs on to OU 3]
Physical Structure
Mechanism for data communication and
replication
Two primary components
• Site – IP subnet network structural component
• Domain controller and Global Catalog – physical server that
stores and replicates data
Active Directory Site
Physical network structure of Active Directory
Purpose: provides method to regulate inter-subnet traffic
Primary goal: rapid, economical data transmission
Do not define sites by location boundaries; define by
reliable communications
No formal relationship between site and domain … they can
cross each other
Domain Controller (DC)
Server containing copy of Active Directory
All domain controllers are peers that maintain replicated
versions of Active Directory
DC locates resources and authenticates users
Global Catalog is special domain controller that contains
abbreviated listing of objects for rapid indexing and
locating resources
DC assigned to site at installation
Role of the Domain Controller
Every domain controller maintains information as
part of Active Directory
• Data on every object and container object
• Metadata about other domains in tree or forest
• Listing of all domains in tree or forest
• Location of server with Global Catalog
Adherence to Industry Standards
Greater interoperability = open standards adherence
• DNS Dynamic Update: RFC 2052, 2163
• Dynamic Host Configuration Protocol: RFC 2131
• Kerberos v5: RFC 1510
• Lightweight Directory Access Protocol: RFC 2251, 1823
• LDAP Schema: RFC 2247, 2252, 2256
• Simple Network Time Protocol: RFC 1769
• Simple Mail Transfer Protocol: RFC 821
• TCP/IP: RFC 791, 793
• X.509 v3 Certificates: ISO X.509
Simplifying Planning/Deployment
Active Directory planning/deployment is large
task … but not overwhelming
Start by gathering organizational data
Design domain model on organizational structure
Design site & domain controller requirements
based upon network connectivity
Gathering Organizational Data
Required data readily available
• Start with organization charts to help define domains & OUs
• Define what data resources are shared & restricted
• Ask HR for employee classifications for group policies
• Establish permissions based on common system needs
• Map physical locations & available connectivity
• Review where organizational shifts likely to occur
Domains vs. Organizational Units
Single domain with OUs is easiest to manage
Single domain model may not meet needs in
more complex organizations
Generally, size & need for separate identity are
critical decision points
When to Use Domain Trees
Desire for decentralized management
Unique business activities dictate child domains
Need to establish unique domain wide policies
In large organizations, child domains lend
themselves to localized vs. centralized control
When to Use Domain Forest Model
When separate domain names required
When radically different business activities exist
When acquired organizations require trusts
during initial merging of operations
Joint venture or partnership arrangements where
resources & data must be shared
Restricting Domain Forest Trusts
Trusts between domains within tree are bidirectional (transitive)
Trusts in forest established in one direction at a
time; NOT automatically transitive
Set all trusts in forest explicitly
Conclusion
Active Directory is very powerful tool for
enhancing administration and security
Understanding basic logical & physical structure is
fundamental
Planning & deployment requires work but not as
overwhelming as press reports
Further Information
Contact Robert Williams
• [email protected]
References by Robert Williams
Forthcoming 2002
© Copyright Robert Williams 2002