carrieclasses.wikispaces.com
Course Outline
Week #1: Introducing Active Directory Domain Services
Week #2: Domain Controllers and Operations Masters
SECURELY!
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability (& Authenticity)
(directory database)
descriptor
A resource is secured with an access control list (ACL): permissions that pair a SID with a level of access
The user's security token is compared with the ACL of the resource to authorize a requested level of access
Authentication
Authentication is the process that verifies a user's identity
Access Tokens
Security Descriptor
- System ACL (SACL)
- Discretionary ACL (DACL or ACL)
  - ACE: Trustee (SID), Access Mask
  - ACE: Trustee (SID), Access Mask
Authorization
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource
Security Token
Security Descriptor
- System ACL (SACL)
- Discretionary ACL (DACL or ACL)
  - ACE: Trustee (SID), Access Mask
  - ACE: Trustee (SID), Access Mask
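The slides above describe the check in one sentence: the user's security token (user SID plus group SIDs) is compared with the DACL of the resource's security descriptor, and the SACL drives auditing. The following is an added example, not code from the course or from Windows, that models that comparison: ACEs are walked in order, a matching deny ends the check, allow ACEs accumulate granted bits, a missing DACL grants everything while an empty DACL grants nothing, and audit ACEs in the SACL emit events without affecting the decision. All class names, SIDs and access-mask values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access-mask bits. Constructed values for the example; real Windows masks differ.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8

# Constructed SIDs (the domain part is a placeholder, not a real domain).
EVERYONE     = "S-1-1-0"
DOMAIN_USERS = "S-1-5-21-0-0-0-513"
FINANCE      = "S-1-5-21-0-0-0-1105"
ALICE        = "S-1-5-21-0-0-0-1104"
BOB          = "S-1-5-21-0-0-0-1106"


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee SID paired with an access mask."""
    kind: str                  # "allow" or "deny" (DACL), "audit" (SACL)
    trustee: str               # SID this entry applies to
    mask: int                  # rights granted, denied, or audited
    on_success: bool = False   # audit ACE: record granted accesses
    on_failure: bool = False   # audit ACE: record denied accesses


@dataclass(frozen=True)
class AccessToken:
    """Security token built at logon: the user SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list] = None           # None = no DACL: everyone gets everything
    sacl: list = field(default_factory=list)


def is_canonical(dacl) -> bool:
    """Canonical order places every deny ACE before any allow ACE."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif ace.kind == "deny" and seen_allow:
            return False
    return True


def access_check(token: AccessToken, sd: SecurityDescriptor, requested: int):
    """Authorize `requested` rights for `token`; return (granted, audit_events)."""
    if sd.dacl is None:
        granted = True                    # missing DACL: no restrictions at all
    elif not sd.dacl:
        granted = False                   # empty DACL: nobody is granted anything
    else:
        remaining, granted = requested, False
        for ace in sd.dacl:               # ACEs are evaluated strictly in order
            if not token.holds(ace.trustee):
                continue
            if ace.kind == "deny" and ace.mask & remaining:
                break                     # a matching deny ends the check
            if ace.kind == "allow":
                remaining &= ~ace.mask    # accumulate the bits this ACE grants
                if remaining == 0:
                    granted = True
                    break
    events = []
    for ace in sd.sacl:                   # the SACL never changes the decision
        if ace.kind != "audit" or not token.holds(ace.trustee):
            continue
        if not (ace.mask & requested):
            continue
        if granted and ace.on_success:
            events.append(f"AUDIT SUCCESS user={token.user_sid} mask={requested:#x}")
        if not granted and ace.on_failure:
            events.append(f"AUDIT FAILURE user={token.user_sid} mask={requested:#x}")
    return granted, events


# Constructed sample resource: Finance may read and write but never delete,
# every domain user may read and execute, and writes/deletes are audited.
FINANCE_SHARE = SecurityDescriptor(
    owner=ALICE,
    dacl=[
        Ace("deny",  FINANCE,      DELETE),
        Ace("allow", DOMAIN_USERS, READ | EXECUTE),
        Ace("allow", FINANCE,      READ | WRITE),
    ],
    sacl=[Ace("audit", EVERYONE, WRITE | DELETE, on_success=True, on_failure=True)],
)
ALICE_TOKEN = AccessToken(ALICE, frozenset({EVERYONE, DOMAIN_USERS, FINANCE}))
BOB_TOKEN   = AccessToken(BOB,   frozenset({EVERYONE, DOMAIN_USERS}))

if __name__ == "__main__":
    for who, tok in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN)):
        for name, mask in (("READ", READ), ("WRITE", WRITE), ("DELETE", DELETE)):
            ok, ev = access_check(tok, FINANCE_SHARE, mask)
            print(f"{who:5} {name:6} -> {'granted' if ok else 'denied'} {ev}")
```

Two points worth checking in any real DACL come out of the model: a DACL that is absent is not the same as one that is empty (the first is wide open, the second locks everyone out), and ACE order matters, because an allow that precedes a deny for the same trustee is honoured before the deny is ever reached; `is_canonical` flags that second condition.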
Centralized authentication
Hosted by a server
performing the role of an Active Directory Domain Services (AD DS) domain controller
Store information about users, groups, computers and other identities
Authenticate an identity
Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Schema Demo
Identities (security principals or accounts)
AD DS is, in the end, a database and the services that support or use that database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
Lightweight Directory Access Protocol (LDAP)
Organizational Units
Containers
Users
Computers
Organizational Units
Containers that also support the management and configuration of objects using Group Policy
Create OUs to
Policy-Based Management
Active Directory provides a single point of management for
Group Policy
Domain password and lockout policy
Audit policy
Configuration
Applied to users or computers by scoping a GPO containing configuration settings
SYSVOL
NTDS.DIT
Domain Controllers
Servers that perform the AD DS role
Kerberos Key Distribution Center (KDC) service: authentication
Other Active Directory services
Best practices
Available: at least two in a domain
Secure: Server Core, Read-only domain controllers (RODCs)
Domain
Made up of one or more DCs
All DCs replicate the Domain naming
The domain is the context within which Users, Groups, Computers, and so on are created
Replication boundary
Trusted identity source: Any DC can
The domain is the maximum scope
Password Lockout
Replication
Multimaster replication
Several components work to create an efficient and robust replication topology and to replicate granular changes to AD
The Configuration partition of the database stores information about sites, network topology, and replication
[Diagram: replication between DC1, DC2 and DC3]
Sites
An Active Directory object that represents a well-
Replication within a site occurs very quickly (15-45 seconds)
Replication between sites can be managed
Service localization
[Diagram: Site A and Site B]
Tree
One or more domains in a single instance of AD DS that
[Diagram: trees treyresearch.net (with child domain antarctica.treyresearch.net) and proseware.com]
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Global Catalog
[Diagram: partial attribute set (PAS) of Domain A and Domain B, replicated to the global catalog; any domain; many applications]
Functional Level
Domain functional levels
Forest functional levels
while DCs are running previous versions of Windows previous versions of Windows after raising functional level
integrated
domain name and the logical domain unit of Active Directory computers and services in the domain
server can store the zone data in Active Directory itself, in an application partition
Trust Relationships
Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store
A trusted user can authenticate to, and be given access to
Within a forest, each domain trusts all other domains
Trusted domain
Trusting domain
Characteristics
Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present
Many uses
VPN
Wireless authentication and encryption
Smart card authentication
Examples
Limit access to specified individuals
View e-mail but do not forward or print
View and print document but cannot change or e-mail
Requires
AD RMS
One AD DS/LDS directory; other side can be Active Directory or other platforms
Port 443: transactions are secure and encrypted
Uses
Business-to-business: partnership
Single sign-on
2 Installation Wizard
Username and password of an account in the server's
Location for data store (ntds.dit) and SYSVOL