OU - TechTarget
Download
Report
Transcript OU - TechTarget
Hosted by
Getting Started With
Active Directory
Or How to Bring Logic to Your
Company’s 437 Domains
Hosted by
So Who is This Guy Anyway?
Founder and Chief Scientist
Networks Are Our Lives, Inc!
•
•
•
•
Network and Directory services design
Security
Network Documentation
Systems management/monitoring deployment
Author
3 Books and over 100 articles and product reviews
Currently with Network Computing
Contact:
Networks Are Our Lives, Inc!
[email protected]
1201 Hudson St. – Suite 1003s (866) 812-7611
Hoboken, NJ 07030
WWW.NAOL.COM
Hosted by
Why You’re Here
Functions and applications driving update
Just keeping up
With the market
Or the Joneses
Windows NT Timeline
Next week – OEM and retail sales end
1/1/2003 4 – Hot-Fixes cost $
1/1/2004 5 – Live support and hot fixes end
1/1/2005 6 – Online support ends
Easy way to get off helpdesk for 3 days
Hosted by
Our Objectives
Understand Active Directory
• Components
• Terminology
• Structure
• Features and benefits
Identify Best Practices
Implementation Tips
Hosted by
Our Real
Objective
Make your life easier!
Hosted by
Assumptions
You know:
• Windows NT 4.0 Server
• TCP/IP
You don’t know:
• Active Directory
• Group Policies Etc
You are:
• Planning a Windows 2000+ server rollout
• Have 50-10,000 users to support
Hosted by
ADS, then, is...
Extension of and replacement for
Windows NT Domains
The directory service included in
Windows 2000+
Based on DNS, LDAP and X.500
Active Directory Services are…
• Secure
• Distributed
Hosted by
Before AD
Windows NT domains
• Typical organization had master user domains and
resource domains
•
Each domain needed:
WINS for NetBIOS names
DNS for internet names
The browser
Email, Application and other directories
Other vendors had true Directory
Services:
• Banyan Streetalk
• Novell NDS (eDirectory)
Hosted by
Why Active Directory
Windows NT domains limited
• Each domain an island
• Trusts Stink
Too much work to set up
They “Rot Away”
Large organizations need thousands
•
•
Not Scalable
•
•
No delegation of administration
Single master replication
If PDC is down, or inaccessible, user’s can’t change
passwords
Microsoft is forcing us that way
Exchange 2000 requires AD
Hosted by
Basic Definitions
Forest
A group of domains joined into a common directory. The
largest unit in AD.
All domains in forest share Schema, some
administrators, 2 way trusts
Tree
Domains in a forest with common suffix
IE:US.AD.widget.com,EURO.AD.widget.com
Domain
Administrative and replication boundary
Conceptually the same as Windows NT but now
corresponds to DNS domain
Domain controllers hold all the information about objects
(users, groups, computers, Etc.) in their domain
Hosted by
More Definitions
Organizational Units (OU)
Administrative boundary smaller than domain
Contain objects for administrative, organizational
purposes
Site
A group of systems with LAN 10Mbps
Site configuration effects replication
Defined by IP subnets
Global Catalog
A server that contains a subset of attributes for all
objects in the forest
Think White Pages
Includes Email address, domain (so we can ask DC for
more data)
Hosted by
Final Definitions
Kerberos
•
A Public Key Infrastructure based authentication system
Schema
•
All the attributes for all the objects are defined in the
schema
Syntax defines the type of data that can be stored in
the attribute
•
The schema definition for each object class identifies all
the possible attributes for the object
•
The schema contains a default DACL for each object class
The default ACLs is used when an instance of the
Hosted by
AD Design Choices
LDAP access
• Protocol was becoming industry standard
X.500 data model
• Object hierarchy permits subtree-scoped queries
• Schema defines attributes and object classes
Attribute-level access control
• Required for data sharing between applications
DNS-integrated object naming
• Enables a globally unique namespace based on the de facto Internet
locator service
Security
• Multiple authentication paths, one authorization model
In-place or side-by-side upgrade
• Learned from Novell: offer upgrade flexibility!
Hosted by
Replication Design Choices
Multi-master
• Need local password update
• Approximately “last writer wins”
• Eventual convergence
Attribute granularity
• When attribute changes, replicate entire new value
• Reduces network traffic and lost updates versus
object granularity
State-based
• Send current state not a log
• Predictable storage overhead, needed anyway for full sync
• Implies tombstones for deletes
Transitive
• Communicate update to somebody not everybody
• Big win with mixed link speed - once per slow link
Hosted by
Logical Structure Relationships
Forest
SAAB.CO.SA
Tree
Chevy.GM.COM
NA.SAAB.CO.SA
Tree
Trucks.chevy.gm.com
OU
OU
OU OU
OU
OU OU
OU OU OU OU OU OU OU OU
Objects
Schema
Global Catalog
Hosted by
So What do We Get?
True Multi-Domain Integration
Transitive Trusts
Global Catalog
Group Policy Objects
Controllable Replication
Directory Security
Granular Administration
Hosted by
When to Use Multiple Trees
Public view requires different root
domain names
• IE: Kraft Foods doesn’t want .PhillipMorris.com
suffix
Politics require divisions to keep their
names
There is no technical advantage to
multiple trees
Hosted by
When to use multiple forests
When, and only when, the service owners
of multiple trees don’t trust each other
Multiple forest implementations do NOT:
• Share a common global catalog
No exchange GAL
•
Trust each other
You can set up old style trusts between domains
in different forests
Rule of thumb: 1 forest per CIO
Hosted by
Domain Controller Roles
Flexible Single Master Operations (FSMOs)
•
1 Per Forest:
Domain Naming Master
Schema Master
Time Reference Server
•
1 Per Domain:
PDC Emulator
RID (Relative ID)Master
Infrastructure Master
KCC/ ISTG (generates inter-site topology)
ISM (inter-site messaging)
Hosted by
Reasons for Creating Domains
Physical location
Network traffic
International differences
Administrative considerations
• All users share restrictions (Password Length Etc)
Politics
NOT: Defining spheres of administration
Hosted by
Break sponsored
by
Hosted by
What are OUs
They are distinct units of administration
that can be delegated
They are containers that organize objects
and other containers
Examples are geographic locations,
projects, cost centers, business units,
and divisions
Hosted by
What OUs Can Contain
Users
Computers
Printers
Groups
Applications
OU
OU
Other OUs
Security Policies
File Shares
Hosted by
Reasons for Creating OUs
Enhancing administrative control
Maintaining a consistent number of
objects
Controlling application of group policy
objects
Holding other OUs
Replacing windows NT 4.0 resource
Hosted by
Remember:Domains are Expensive
Every domain Must have a
DC
Most should have 2-3 or
more
Logins require connectivity
to home DC
Logins more traffic than
replication
Hosted by
Hierarchical OU Models
Geographic
Object-based
Cost center
Project-based
Division or business unit
Administration
Hosted by
Define an OU Naming Convention
OUs are not part of the DNS namespace
OUs are identified by LDAP and canonical
names only
While domains are difficult to reorganize,
OUs within domains can be easily
renamed or moved
Hosted by
Delegating Administration
OU1
DACL for “Group” objects
Jill can add users
OU2
DACL for “Group” objects
John can add users
Jill can add users
John can add users
Group object
Group object
The ability to set ACLs for contained objects at OU
level means that you can define “who can do
what” to a particular object in the OU
• Groups created in OU1 can be administered by Jill
• Groups created in OU2 can be administered by John
Hosted by
Delegation of Control Wizard
Good news
• There is a delegation of control wizard
Bad news
• There is no undelegation of control wizard
After of delegation of control, the users
must be given visibility permissions to
the objects/containers they control
Learn to edit and document ACL’s
Hosted by
Delegation of Control Wizard
Hosted by
ADS Security Features - Review
Objects have an Access Control List (ACL)
Permissions can be delegated to users by
a higher authority
Inheritance allows permissions to be
propagated to all objects in child
containers
Trusts are established among all domains
in an ADS forest
Hosted by
Group Types
Security Groups
• Allow you to assign permissions
• Allow you to use groups as an e-mail distribution
list
•
Windows NT uses only security groups
Distribution Groups
• Do not allow you to assign permissions
• Allow you to use groups as an e-mail distribution
list
Hosted by
Rules
forGroup
Group
Membership
Group
members
Can be a member of
Global
User accounts and global
groups from the same domain
Universal and domain local groups
in any domain
Global groups in the same domain
User accounts, universal, and
global groups from any domain Domain local groups in the
Domain Local Domain local groups from the same domain
same domain
Universal
User accounts, universal, and Domain local or universal groups
global groups from any domain in any domain
Universal groups only available in native mode
Hosted by
Group Scopes
Global Group
Limited membership
Use for access to resources in any
domain
Domain Local Group
Open membership
Use for access to resources in one
domain
Universal Group
Open membership
Use for access to resources in any
domain
Hosted by
How does AD use DNS?
Windows 2000 uses DNS as a domain
locator and name-to-IP translator
• Domain controllers are registered in DNS
• Clients query DNS to locate DCs
Analogous to Internet mail (the MX record)
Better-scaling long-term replacement for
NetBIOS Name Services (aka WINS)
Requires DNS servers that support
Dynamic Updates (Windows or Bind 8+)
Hosted by
Migrating to AD
Single Domain
• Migrate in place
• Clean up Later
2-3 Domains
• Migrate “root” domain in place
• Use ADMT for additional domains
You’re stuck with SIDHistory
Bigger Now
• Redesign from scratch
Hosted by
Audience Response
Question?