A Guide to Windows 2000 Server

Chapter 4: Planning the Active Directory and Security
Learning Objectives
• Explain the contents of the Active Directory
• Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
• Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security
• Plan how to use groups, group policies, and security templates
• Plan IP security measures
Windows NT Domain Structure
• Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
• One primary domain controller (PDC) has the master copy of the SAM
• One or more backup domain controllers (BDCs) have regularly backed up copies of the SAM
• If the PDC fails, a BDC is promoted
Using a PDC, BDCs, and the SAM database
[Figure 4-1: Windows NT SAM architecture. One PDC holds the primary SAM; several BDCs each hold a backup copy of the SAM; together they serve the domain resources]
Windows 2000 Active Directory
Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory.

The Active Directory is made up of the following files:
• NTDS.DIT: the single file of the database
• EDB*.LOG: log files associated with database transactions
• EDB.CHK: error tracking/correction information for the database
• RES1.LOG and RES2.LOG: reserve disk space
Active Directory Objects
[Figure 4-2: Domain objects in the Active Directory]
Object types:
• User account
• Computer account
• Domain controller
• Groups
• Organizational unit
• Printers
Multimaster Replication
Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC acts as a master, replication does not stop when one is down. Each DC is a master in its own right.
• Can create an account on any of the DCs
• Other DCs are automatically updated
• Can be done for changed data only; the whole file does not have to be replicated
• If one DC fails, the others are up-to-date and the system stays up
• Don’t have to stop to promote a BDC
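As an added illustration, not code from the textbook, here is a small Python model of the replication behaviour these bullets describe: three DCs each accept writes, only attributes whose version stamp is newer than the receiver's copy travel between them, and a DC that is down neither blocks the others nor has to be promoted. The version stamps (a counter plus the originating DC's name), the pull-based replication pass, and the DC and account names are assumptions made for this demonstration, not Windows 2000's real replication metadata.

```python
"""Simplified multimaster replication model (added example, not from the
textbook). Each attribute carries a stamp (version, originating DC); a
receiving DC keeps the higher stamp, so only changed attributes move and
every DC can accept writes. Real DCs use update sequence numbers and more
elaborate conflict rules; this only shows the shape of the behaviour."""


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.online = True
        self.clock = 0            # logical clock, advanced on every local write
        self.data = {}            # dn -> {attribute: (version, origin, value)}

    def write(self, dn: str, attr: str, value) -> None:
        """Accept a change locally: any online DC is a master for writes."""
        if not self.online:
            raise RuntimeError(f"{self.name} is down")
        self.clock += 1
        self.data.setdefault(dn, {})[attr] = (self.clock, self.name, value)

    def read(self, dn: str, attr: str):
        entry = self.data.get(dn, {}).get(attr)
        return None if entry is None else entry[2]

    def pull_from(self, peer: "DomainController") -> int:
        """Copy only attributes whose stamp is newer than ours; return how
        many attributes actually moved (the 'changed data only' property)."""
        if not (self.online and peer.online):
            raise RuntimeError("both DCs must be online to replicate")
        moved = 0
        for dn, attrs in peer.data.items():
            mine = self.data.setdefault(dn, {})
            for attr, stamped in attrs.items():
                # stamps compare as (version, origin): deterministic tie-break
                if attr not in mine or stamped[:2] > mine[attr][:2]:
                    mine[attr] = stamped
                    self.clock = max(self.clock, stamped[0])
                    moved += 1
        return moved


def replicate_pass(dcs: list) -> int:
    """One replication pass: every online DC pulls from every other online DC.
    Offline DCs are simply skipped; nothing waits on them."""
    total = 0
    online = [d for d in dcs if d.online]
    for receiver in online:
        for source in online:
            if receiver is not source:
                total += receiver.pull_from(source)
    return total


def demo():
    """Constructed scenario: create an account on DC1, change it on DC3 while
    DC2 is down, then let DC2 catch up after it returns."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    ring = [dc1, dc2, dc3]
    dn = "CN=MGardner, OU=Accounting, O=grocery, C=US"   # constructed DN
    dc1.write(dn, "username", "MGardner")
    dc1.write(dn, "fullName", "Mary Gardner")
    first = replicate_pass(ring)       # 2 attributes reach each of 2 DCs: 4 moves
    dc3.write(dn, "fullName", "Mary J. Gardner")   # a change on a different master
    dc2.online = False                 # one DC fails
    second = replicate_pass(ring)      # only the 1 changed attribute moves, to DC1
    dc2.online = True                  # DC returns; no promotion step needed
    third = replicate_pass(ring)       # DC2 catches up with the 1 changed attribute
    return first, second, third, dc1.read(dn, "fullName"), dc2.read(dn, "fullName")


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the three transfer counts; the second pass moving a single attribute while a DC is down is the point of the slide.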
Schema
Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

Example Schema Characteristics of the User Account Class
• Unique object name
• Globally unique identifier (GUID) associated with each object name
• Required attributes
• Optional attributes
• Syntax of how attributes are defined
• Pointers to parent entities

Example User Account Attributes
• Username
• User’s full name
• Password
Schema Example
[Figure 4-4: Sample schema information for user accounts. The schema holds object classes (user account, computer, printer, domain); each class records an object name, GUID, required attributes, optional attributes, syntax, and parent relationships; example user account attributes shown are username, user's full name, password, account description, and remote access OK]
Default Object Classes
• Domain
• User account
• Group
• Shared drive
• Shared folder
• Computer
• Printer

Object Naming
• Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer, e.g. HPLaserMain
• Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object’s organizational unit and domain, in addition to the object’s common name:
CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>
Namespace
Namespace: Can be set up as a DNS server

Active Directory Elements
• Domains
• Organizational units (OUs)
• Trees
• Forests
• Sites
Active Directory Architecture
[Figure 4-5: Active Directory hierarchical containers. A forest contains trees, trees contain domains, domains contain OUs; sites A, B, and C cut across these containers]
Functions of a Domain
• Provide a security boundary for objects in a common relationship
• Establish a set of data to be replicated among DCs
• Expedite management of a set of objects

Using a Single Domain
[Figure 4-6: Single domain. One domain, with DCs holding the Active Directory, forms the security and management boundary around Intranet 1 and Intranet 2, which connect to the Internet]

Using Multiple Domains
[Figure 4-7: Using multiple domains. A domain for the South Carolina site and a domain for the site in Japan, each with its own DCs and Active Directory, connected by satellite]
Domain Creation Dos and Don’ts
Do’s
• Create a domain in circumstances that require special security measures between organizational groupings, such as departments, units, or divisions
• Create a domain for specialized management of particular resources (often also related to the security and network architecture)
• Create a domain to migrate Windows NT servers to Windows 2000
• Create a domain when geography or WAN links make it difficult to replicate DCs between organizational groupings, such as departments, units, or divisions
Don’ts
• Create domains that represent the organizational structure, because frequent reorganizations result in major restructuring of domains and the Active Directory
• Create domains along business process divisions, which are often political divisions within an organization, because new management may redefine business process activities, resulting in a major restructuring of domains and the Active Directory
Functions of an OU
• Group related objects, such as user accounts and printers, for easier management
• Reflect the structure of an organization
• Group objects to be administered using the same group policies

Using OUs to Reflect Organizational Structure
[Figure 4-8: OUs used to reflect the divisional structure of a company. The grocery.com domain contains a Manufacturing Division OU, a Distribution Division OU, and a Retail Division OU, each served by DCs holding the Active Directory]
Design Tips for Using OUs
• Limit OUs to 10 levels or fewer
• OUs use fewer CPU resources when they are set up horizontally instead of vertically
• Each request through an OU level requires CPU time in a search

OU Creation Dos and Don’ts
Do’s
• Create OUs, as needed, to represent the organizational structure of departments, units, and divisions for different policies and to delegate administration
• Create OUs, as needed, to represent objects in the Active Directory that have similar policies, security, or other characteristics, such as shared printers or shared disk drives
• Create OUs, as needed, to represent specific project areas, such as for employees who are temporarily helping with the installation of a new client/server system
• Create OUs, as needed, to represent the business process or political functions in an organization, such as an OU for the president’s office, one for the business office, and one for each research group in a health research organization
Don’ts
• Create OUs more than 10 layers deep
• Create more OUs than absolutely necessary
• Create OUs for major security boundaries when this can be handled by a domain or by sites (discussed later), such as for IP traffic control
• Create OUs for DC replication
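The following Python is an added example, not from the textbook, that serves both the Object Naming slide's DN form (CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>) and the guideline here to keep OUs to 10 levels or fewer: it parses a DN, extracts the common name and the OU path, composes DNs safely, and flags a DN that would place an object deeper than the limit. The escaping convention (a backslash before a comma or backslash inside a value, as in LDAP string DNs), the innermost-OU-first ordering, and the sample names are assumptions of this illustration.

```python
"""Parse and build Active Directory distinguished names in the form the
chapter shows, and check the OU depth guideline (added example, not from
the textbook). Assumed conventions: components are TYPE=value separated by
commas, values escape ',' and '\\' with a backslash, and nested OUs are
listed innermost first, one OU= component per level."""


def parse_dn(dn: str) -> list:
    """Split a DN into an ordered list of (TYPE, value) pairs, honouring
    backslash escapes and tolerating whitespace after separators."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends a component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(buf))

    pairs = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError(f"component without '=': {part!r}")
        typ, _, val = part.partition("=")
        typ, val = typ.strip().upper(), val.strip()
        if not typ or not val:
            raise ValueError(f"empty type or value in {part!r}")
        pairs.append((typ, val))
    return pairs


def common_name(dn: str) -> str:
    """The object's most basic name: its CN component."""
    for typ, val in parse_dn(dn):
        if typ == "CN":
            return val
    raise ValueError("DN has no CN component")


def ou_path(dn: str) -> list:
    """OUs from the top of the hierarchy down to the one holding the object."""
    return [val for typ, val in parse_dn(dn) if typ == "OU"][::-1]


def ou_depth_ok(dn: str, max_levels: int = 10) -> bool:
    """The chapter's design tip: limit OUs to 10 levels or fewer."""
    return len(ou_path(dn)) <= max_levels


def build_dn(cn: str, ous: list, org: str, country: str) -> str:
    """Compose a DN in the slide's form; `ous` is top-down, so it is reversed
    to the innermost-first order used in the DN. Values are escaped."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    comps = [f"CN={esc(cn)}"] + [f"OU={esc(ou)}" for ou in reversed(ous)]
    comps += [f"O={esc(org)}", f"C={esc(country)}"]
    return ", ".join(comps)


# Constructed sample: a printer two OU levels down in a hypothetical org.
SAMPLE_DN = "CN=HPLaserMain, OU=Printers, OU=Retail Division, O=grocery, C=US"

if __name__ == "__main__":
    print(common_name(SAMPLE_DN), ou_path(SAMPLE_DN), ou_depth_ok(SAMPLE_DN))
    deep = build_dn("Deep", [f"Level{i}" for i in range(11)], "grocery", "US")
    print(ou_depth_ok(deep))
```

Because build_dn escapes values, a common name that itself contains a comma (a "Surname, Given" display name, for instance) round-trips through parse_dn as a single component instead of being split into two.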
Characteristics of a Tree
• Member domains are in a contiguous namespace, e.g. chi.devry.edu and tp.devry.edu under the devry tree
• Member domains can compose a hierarchy
• Member domains use the same schema for common objects
• Member domains use the same global catalog (an encyclopedia of information about objects)

Global Catalog
Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

Global Catalog Functions
• Authenticating users
• Providing lookup and access to resources in all domains
• Providing replication of key Active Directory elements
• Keeping a copy of the most frequently used attributes for all objects

Hierarchical Domains in a Tree
[Figure 4-9: Tree with hierarchical domains. The tracksport.com root domain with child domains east.tracksport.com, west.tracksport.com, north.tracksport.com, and south.tracksport.com, joined by two-way trusts]
Kerberos Transitive Trust
Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.

Trusted and Trusting Domains
• Trusted domain: A domain that has been granted security access to resources in another domain
• Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers
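An added Python example, not from the textbook, showing how the trusted/trusting relationship and Kerberos transitivity combine: given the two-way trusts of a tree like Figure 4-9, it answers whether a user from one domain can be granted access to resources in another by following the chain of trusts from the resource's domain back to the user's. The data model, the constructed second forest (printers.com, borrowed from the chapter's later separate-forest figure), and the rule that trusts stop at a forest boundary (the chapter's separate forest model, which says forests cannot have Kerberos transitive trusts) are assumptions of this illustration.

```python
"""Trust reachability through Kerberos transitive trusts (added example,
not from the textbook). A trust record (trusting, trusted) means the
trusting domain grants the trusted domain's users access to its resources.
A two-way trust is one record in each direction; transitivity means access
follows any chain of records. Trusts are not allowed across forests."""
from collections import deque


class TrustMap:
    def __init__(self):
        self.forest_of = {}      # domain -> forest name
        self.trusted_by = {}     # trusting domain -> set of domains it trusts

    def add_domain(self, domain: str, forest: str) -> None:
        self.forest_of[domain] = forest
        self.trusted_by.setdefault(domain, set())

    def add_two_way_trust(self, a: str, b: str) -> None:
        """Two-way trust, e.g. parent and child domain in a tree."""
        if self.forest_of[a] != self.forest_of[b]:
            raise ValueError("Kerberos transitive trusts cannot span forests")
        self.trusted_by[a].add(b)
        self.trusted_by[b].add(a)

    def can_access(self, user_domain: str, resource_domain: str) -> bool:
        """True when user_domain is reachable from resource_domain through a
        chain of trusts: resource trusts X, X trusts Y, ..., Y trusts user."""
        if user_domain == resource_domain:
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            trusting = queue.popleft()
            for trusted in self.trusted_by[trusting]:
                if trusted == user_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False

    def reachable_resources(self, user_domain: str) -> list:
        """Every domain whose resources users of user_domain may be granted."""
        return sorted(d for d in self.forest_of if self.can_access(user_domain, d))


def build_sample() -> TrustMap:
    """Constructed sample: the Figure 4-9 tracksport.com tree plus a second,
    separate forest (printers.com) with no trust to it."""
    tm = TrustMap()
    tree = ["tracksport.com", "east.tracksport.com", "west.tracksport.com",
            "north.tracksport.com", "south.tracksport.com"]
    for d in tree:
        tm.add_domain(d, "tracksport.com")
    for child in ["east", "west", "north", "south"]:
        tm.add_two_way_trust("tracksport.com", f"{child}.tracksport.com")
    tm.add_domain("printers.com", "printers.com")
    tm.add_domain("hardback.printers.com", "printers.com")
    tm.add_two_way_trust("printers.com", "hardback.printers.com")
    return tm


if __name__ == "__main__":
    tm = build_sample()
    print(tm.can_access("east.tracksport.com", "west.tracksport.com"))
    print(tm.can_access("east.tracksport.com", "hardback.printers.com"))
```

Note that east.tracksport.com and west.tracksport.com never trust each other directly; the access comes through the root domain, which is exactly what "transitive" means here. Across the forest boundary the search finds no chain at all.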
Tree Creation Dos and Don’ts
Do’s
• Define main domains before defining a tree
• Plan the hierarchy of domains and use of OUs before creating a tree
• Define a tree when you have domains in different countries so that you can set up each domain to use a language native to the country where it resides
• Define a tree if you are planning multiple domains that will be administered at different sites by different people
• Create a tree and multiple domains when WAN connectivity is slow between distant sites, because global catalog replication transfers less information and requires less bandwidth than DC replication
Don’ts
• Define a tree prior to creating the first domain
• Define a tree if you can use a single domain structure (a better alternative than using trees, if possible)
• Define a tree if you must use a disjointed namespace

Planning Tip
• Make sure each tree has at least one DC that is also configured as a global catalog
• Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)
Characteristics of a Forest
• Member trees use a disjointed namespace (but contiguous namespaces within trees)
• Member trees use the same schema
• Member trees use the same global catalog

Single Forest
Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

Single Forest Architecture
[Figure 4-10: A forest, named partsplus.com, containing three trees: partsplus.com (toronto.partsplus.com, montreal.partsplus.com, detroit.partsplus.com), 2m.com (greenville.2m.com, florence.2m.com, atlanta.2m.com), and chelos.com (mexicocity.chelos.com, oaxaca.chelos.com, monterrey.chelos.com, puebla.chelos.com, valencia.chelos.com)]

Separate Forest
Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

Separate Forest Architecture
[Figure 4-11: Separate forest model. One forest, books.com, contains health.books.com and cook.books.com; a second forest, printers.com, contains hardback.printers.com, textbook.printers.com, and paperback.printers.com]
Forest Creation Dos and Don’ts
Do’s
• Create a forest to join trees/domains that can share schemas and global catalogs
• Create a single forest when there is no need to separate internal and external DNS resources between trees
• Create separate forests when the internal and external DNS resources must be kept separate between two or more forests
• Establish a forest’s name by using the name of the root domain or first domain in the first tree
Don’ts
• Create forests when the member trees have little in common or cannot share the same schema
• Create a single or separate forest until you understand the security needs of all domains, trees, and potential forests
• Create a separate forest when there is a possibility that the forests may merge into a single forest in the future
• Create a separate forest when the member forests must have a Kerberos transitive trust between them

Design Tip
When you create a separate forest structure, remember that:
• Replication cannot take place between forests
• The forests use different schemas and global catalogs
• The forests cannot be easily blended into a single forest in the future
Site
Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

Characteristics of a Site
• Reflects one or more interconnected subnets (512 Kbps or faster)
• Reflects the same boundaries as the LAN
• Used for DC replication
• Enables clients to access the closest DC
• Composed of servers and configuration objects

Site Links
• Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
• Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links

Site Link Architecture
[Figure 4-12: Site link bridge. Sites A, B, and C are joined by Link 1 and Link 2; a router provides the bridge link that combines them]
Site Creation Dos and Don’ts
Do’s
• Create sites to reflect interconnected high-speed IP subnets
• Create sites on medium and large sized networks to enable fast connectivity for users and for DCs
• Create additional sites on medium and large sized networks when user connectivity and DC replication are experiencing slow response
• Create sites to enable ring-based DC fault tolerance
• Create one or more sites for a domain that encompasses two or more far-reaching geographic locations
Don’ts
• Create sites for small networks that have no IP subnets
• Create sites for IP links that have less than 128 Kbps of available bandwidth
• Create extra sites to improve network performance without first determining what network congestion factors are causing poor performance

Design Tip
• Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
• Use sites to enhance network performance by optimizing authentication and replication
Active Directory Guidelines
• Keep the Active Directory implementation as simple as possible
• Implement the least number of domains possible
• Implement only one domain on most small networks
• Use OUs to reflect the organizational structure (instead of using domains for this purpose)
• Create only the number of OUs that are necessary
• Do not create OUs more than 10 levels deep
• Use domains for natural security boundaries
• Implement trees and forests only as necessary
• Use trees for domains that have a contiguous namespace
• Use forests for multiple trees that have disjointed namespaces between them
• Use sites in situations where there are multiple IP subnets and geographic locations to improve performance
Basic Types of Active Directory Security
• Account or interactive logon security
• Object security
• Services security

Interactive Logon Security
• DC checks that the user account is in the Active Directory
• DC verifies the exact user account name and password

Object Security
• Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder, Databases
• Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer

Typical ACL Types of Information
• User account(s) that can access an object
• Permissions that determine the type of access
• Ownership of the object

Typical Object Permissions
• Deny: No access to the object
• Read: Access to view or read the object’s contents
• Write: Permission to change the object’s contents or properties
• Delete: Permission to remove an object
• Create: Permission to add an object
• Full Control: Permission for nearly any activity

Example Special Permissions
[Figure 4-13: Special permissions for a folder]

Troubleshooting Tip
Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the deny permissions associated with that user’s account
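As an added example, not code from the textbook, here is a small Python evaluator for the kind of ACL the last few slides describe, built to show why the Troubleshooting Tip holds: each entry (the chapter's "security descriptor") names a user account or group, allows or denies, and lists permissions from the slide's set; the user's effective permissions are the union of the Allow entries that apply to the user or any of the user's groups, minus every Deny entry that applies to them, so one Deny wins over any number of Allows. The flat group mapping, the expansion of Full Control into the other permissions, the MGardner/Databases sample and the group names are constructed assumptions; real Windows ACL evaluation has more rules (inheritance, ordering, ownership rights) than this model.

```python
"""ACL evaluation with Deny precedence (added example, not from the
textbook). Simplified model: flat group membership, Full Control expands
to all other permissions, and Deny entries are subtracted after Allow
entries are unioned, which is the 'deny supersedes' rule of the chapter."""
from dataclasses import dataclass

PERMISSIONS = {"Read", "Write", "Delete", "Create"}
FULL_CONTROL = "Full Control"


@dataclass(frozen=True)
class Ace:
    """One access control entry: the chapter's individual security descriptor."""
    principal: str          # a user account or a group name
    allow: bool             # False means this is a Deny entry
    permissions: frozenset  # permissions from PERMISSIONS, or FULL_CONTROL


@dataclass
class SecuredObject:
    name: str
    owner: str              # ownership is part of the ACL's information
    acl: list               # list of Ace


def _expand(perms) -> set:
    """Full Control stands for every permission; unknown names are ignored."""
    return set(PERMISSIONS) if FULL_CONTROL in perms else set(perms) & PERMISSIONS


def _principals(user: str, groups: dict) -> set:
    return {user} | set(groups.get(user, ()))


def effective_permissions(obj: SecuredObject, user: str, groups: dict) -> set:
    """Permissions `user` ends up with on `obj`: Allows unioned, Denies subtracted."""
    principals = _principals(user, groups)
    allowed, denied = set(), set()
    for ace in obj.acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(_expand(ace.permissions))
    return allowed - denied


def blocking_denies(obj: SecuredObject, user: str, groups: dict, wanted: str) -> list:
    """The troubleshooting step from the tip: which Deny entries, on the user
    or on one of the user's groups, take `wanted` away from the user."""
    principals = _principals(user, groups)
    return [ace.principal for ace in obj.acl
            if not ace.allow and ace.principal in principals
            and wanted in _expand(ace.permissions)]


# Constructed sample: the Databases folder from the Object Security slide.
GROUPS = {
    "MGardner": ["Accounting", "Domain Users"],   # hypothetical memberships
    "JSmith": ["Domain Users"],
}
DATABASES = SecuredObject(
    name="Databases",
    owner="Administrator",
    acl=[
        Ace("Domain Users", True, frozenset({"Read"})),
        Ace("Accounting", True, frozenset({FULL_CONTROL})),
        Ace("MGardner", False, frozenset({"Delete"})),   # explicit Deny on one right
        Ace("Administrator", True, frozenset({FULL_CONTROL})),
    ],
)

if __name__ == "__main__":
    print(sorted(effective_permissions(DATABASES, "MGardner", GROUPS)))
    print(blocking_denies(DATABASES, "MGardner", GROUPS, "Delete"))
```

MGardner gets Full Control through the Accounting group, yet cannot delete, because the single Deny on her account removes that right; blocking_denies points straight at the entry to inspect, which is the check the tip recommends.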
Services Security
Windows 2000 enables you to set up security on individual services, such as DHCP

Setting Services Security
[Figure 4-14: DHCP security]

Using Groups
Set up security groups of user accounts as a way to more easily manage security

Setting Up Members of a Group
[Figure 4-15: DHCP Administrators group]

Group Policies
• Use group policies to manage security for local servers, OUs, and domains
• Employ security templates when you need to manage several different group policies

Example Areas Covered by Group Policies
• Account policies
• Local server and domain policies
• Event log tracking policies
• Group restrictions
• Service access security
• Registry security
• File system security

Setting Up Security Templates
[Figure 4-16: Security Templates snap-in]
IP Security
IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)

IP Security Policies
IP security (IPSec) can function in three roles relative to a client:
• Client (Respond Only), in which the server uses IPSec if the client is using it first
• Server (Request Security), in which the server uses IPSec by default, but will discontinue using IPSec if it is not supported by the client
• Secure Server (Require Security), in which the server only communicates via IPSec

Configuring IPSec
[Figure 4-17: IP Security Policy Wizard]

Troubleshooting Tip
On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
Chapter Summary
• Active Directory and security implementation are interrelated
• The Active Directory is a set of services for managing Windows 2000 servers
• Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources
• Use sites to configure network communications for better performance through taking advantage of existing subnets
• Groups and group policies enable you to manage security