Basic Active Directory Fundamentals


Transcript of Basic Active Directory Fundamentals

  • 8/8/2019 Basic Active Directory Fundamentals

    1/85

    1: Active Directory

    Presenter: Pawan Sharma | Consultant | HCL Comnet

  • 2/85

    Introduction

    Trainer introduction & background

    Pawan Sharma

    Consultant, HCL

    Goals of the learning event:

    Solid foundation in Active Directory

    AD structure

    Administrative tools, best practices

    Security recommendations

    Group policy understanding

    Ground rules

    Cell phones and pagers silent

    Hold questions until Q&A session

  • 3/85

    What is Active Directory?

    Active Directory is the Windows directory service

    A store of useful information about objects of interest on the network

    Uses database underpinnings (SQL server) for performance, recoverability and scalability

    Addresses weakness of NT domain structure

    Competes with NDS (Novell) and others

    Like NDS, it is X.500 based

  • 4/85

    Benefits of Active Directory

    A multipurpose directory service

    Extensible

    AD enabled applications available

    Best example is Exchange server

    Highly scalable

    Flexible design and administration

    Based on external standards (ish)

    Policy based administration

    aims to reduce TCO

  • 5/85

    NT domain weaknesses

    Not scalable (40,000 object maximum)

    Minimal delegation capability

    Minimal control over replication

    Netbios limitations

    multi-domain structures

    Trust relationship problems

    Non-transitive

    Manually created

    Could fail and need management

  • 6/85

    Components of AD

    Domain

    Organizational Unit (OU)

    Site

    Domain naming and Trees

    Forests

    Database components and Domain Controllers

    Global Catalog Servers


  • 9/85

    Domain Naming and Trees

    Every domain has a name that follows DNS rules

    Names do not have to be registerable

    You can have multiple domains that share the same DNS root; this is called a Tree

    e.g. child.parent.com

    Can have many trees in a forest

    With different namespaces

    No security component to this

    Just naming

    xyz.com

    west.xyz.com east.xyz.com

  • 10/85

    Forest

    A forest is a single Active Directory structure, not connected by default to anything else

    All the domains in a forest share:

    Schema

    Configuration

    Global Catalog

    Transitive trust relationships between all domains

    Forest root domain

    Enterprise administrators group

  • 11/85

    Forest designs

    There are only three forest designs:

    Single domain forest

    Single tree forest (multiple domains)

    Multi tree forest (multiple domains)

    xyz.com

    west.xyz.com east.xyz.com

    abc.net

    us.abc.net

  • 12/85

    Site

    Sites are used to control the network traffic associated with domains

    Logon traffic from clients

    Replication traffic between domain controllers

    There is a single site by default

    Site structure mirrors your physical network

    A site consists of one or more IP subnets

    Generally there will be one site per physical location (LAN or group of LANs)

  • 13/85

    Database components

    Active Directory database is stored and maintained on Domain Controllers (DCs)

    DCs only store information about their own domain

    NTDS.dit is the name of the database file

    Partitions = Naming Contexts

    Active directory database has at least three partitions:

    Schema: common to entire forest

    Configuration: common to entire forest

    Domain: specific to that domain

    Application partition: data related to a particular application

    Sysvol folder also gets replicated within the domain

  • 14/85

    Schema partition

    Active Directory is made up of Objects and Attributes

    Objects may be container or leaf objects

    The definition of all objects and attributes is stored in the schema partition of the database

    The schema can be extended to meet the needs of an organization or to support a directory enabled application

    Care should be taken before modifying the schema

    Schema is the same for all domains in the forest and changes are replicated to all domain controllers

  • 15/85

    Configuration partition

    Configuration partition stores the structure (both logical and physical) of Active Directory

    So that all domains are aware of trust relationships and the site structure

    It is replicated to all domain controllers in the forest automatically

    It is the same for all domains

    It will change when the structure or configuration of Active Directory changes

    May also store data related to AD-enabled apps such as Exchange server

  • 16/85

    Domain partition

    Stores complete replicas of all objects in the domain

    Can be modified on any domain controller

    Changes are synchronized automatically through the replication process

    Each domain controller in a domain stores a complete copy of its domain partition (in addition to the schema and configuration partitions common to the forest)

    Is replicated in partial form to Global Catalog servers

    Most day to day changes occur in the domain partition

  • 17/85

    Application partition

    New in Windows Server 2003

    Store application data

    Cannot contain security principals

    Created by the application that uses them, or less often by administrators

    Only default examples are the 2 application partitions created for DNS

    Defines a list of DCs that should store and replicate that partition


  • 19/85

    DNS support for AD

    DNS services are required for Active Directory to function

    Support for service (SRV) records is required

    BIND or Windows DNS can support this

    Other DNS features are highly desirable:

    ADI zones (for security and redundancy)

    IXFR (Incremental Zone Transfer)

    Unicode support (for International characters)

    Dynamic update

  • 20/85

    Summary AD basics

    Active Directory introduction

    Components of Active Directory

    Components of the database

    Domain controllers and global catalog servers

    DNS and AD

  • 21/85

    AD design considerations

    Factors influencing the design

    Overview of the design process

    Forest, Domain, OU, Site design

  • 22/85

    Factors driving the design

    Organizational goals

    Reduce TCO

    Simplify administration

    Administrative style

    Centralized, decentralized or hybrid

    Technical constraints

    Hardware, network bandwidth, services

    Security needs

  • 23/85

    Design process overview

    Forest design first

    Then domain/tree design

    OU design

    Site/physical design

    Generally design accomplished by a team

    Single individual does not usually have the necessary information

    Technical issues

    Organizational issues

  • 24/85

    Forest considerations

    A Forest shares:

    Schema, configuration, global catalog, trusts, enterprise admins group

    If you don't want to share these, multiple forests is the only answer

    More forests = more cost, complexity

    Other business needs may also apply

  • 25/85

    Domain considerations

    Fewer domains generally better

    Desired naming will impact domain structure

    Domains are a unit of incremental cost

    One major consideration is account policy

    Others include replication, international, administrative, possibly security

  • 26/85

    Dedicated Forest root domain

    Basically an empty domain

    Benefits are:

    Long term AD structure flexibility

    Isolation of Enterprise/Schema Admins

    Not originally a best practice

    Now very widely implemented

    More expensive, but not excessively so considering the alternatives

  • 27/85

    OU considerations

    OUs generally allow for:

    Delegation of administration

    Application of group policy

    Organization of objects

    Easy to get carried away and create too many OUs

    But easy to fix if necessary

    1 domain/many OUs far superior to multiple domains

  • 28/85

    Physical design

    Sites, subnets, servers (DCs)

    Also locations (printers etc.)

    Less discussion, more mechanical

    Used to control or concentrate network traffic associated with AD

    Authentication

    Query

    Replication

  • 29/85

    U of M design

    2 domain, 2 tree forest

    For naming reasons (shorter FQDNs)

    Dedicated forest root

    Allows flexibility for later changes

    Virtual organization hosting

    Allows for creation of new domains

    Or the upgrade of NT4 domains

    Allows distribution of load away from DCs in the joinable domain to the DCs in the root

  • 30/85

    OU structure

    Key points:

    All users in same OU

    Each LSP has own OU

    Common OU structure

    OUs by delegation

    Then object type

    Possibly additional OUs

    (graphic lifted from DPS document: OU tree diagram; labels legible in the extraction include Services, Shares, Controllers, People, LSP Servers, LSP Groups / Temp Accts, LSP Svc accts, File/Print Shares, Single OU - All Users, Labs / LabMachines, Library)

  • 31/85

    Active Directory Administration

    OU structure should facilitate delegation

    Recommendations: Delegate to groups, not users

    Delegate at container/OU level

    Not recommended: Setting permissions on individual objects

    Removing default permissions

    Permissions granted can be broad: Full control over an OU hierarchy

    Or very narrow (or in between): Specific attributes of specific objects

  • 32/85

    How to administer

    MMC tools typically work locally or remotely

    Remote desktop also useful

    Fewer limitations

    Puts load on server

    Readily securable

  • 33/85

    Types of permission

    Full control (allows further delegation)

    Broad permissions to a specific object (create, manage, delete)

    Limited permissions to existing objects (reset password, unlock account)

    Permissions to specific attributes of specific objects (write to organizational information)

  • 34/85

    Object naming

    Every AD object has a DN (distinguished name)

    CN = common name (**)

    OU = organizational unit

    DC = domain component

    DN must be unique in the directory

    Indicates the name and location of object

    Like a file path

    ** also used for AD default containers
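The DN rules on this slide, worked through in code. This is an added example, not material from the deck: it splits a DN into its CN/OU/DC components (honouring backslash escapes, so a comma inside a name does not break the path), derives the owning domain from the DC components, and shows the "like a file path" idea by computing the parent container and the ADUC-style canonical name. The sample DNs are constructed for the illustration.

```python
import re

# Attribute types in a DN are short descriptors (CN, OU, DC, ...) or dotted OIDs.
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")

def parse_dn(dn):
    """Split a distinguished name into a list of (attribute, value) RDNs,
    left to right, honouring backslash escapes such as '\\,' in values."""
    rdns, attr, buf, in_value, i = [], None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:        # end of the attribute type
            attr, buf, in_value = "".join(buf).strip().upper(), [], True
        elif ch == "," and in_value:          # end of this RDN
            rdns.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    for a, v in rdns:
        if not a or not v or not _ATTR_TYPE.fullmatch(a):
            raise ValueError(f"malformed RDN {a!r}={v!r} in {dn!r}")
    return rdns

def escape_value(value):
    """Re-escape the characters that are special inside a DN value."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)

def format_dn(rdns):
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)

def domain_of(rdns):
    """DNS name of the domain that owns the object: DC components joined with dots."""
    dcs = [v for a, v in rdns if a == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components")
    return ".".join(dcs)

def parent_dn(dn):
    """The container the object lives in: drop the leftmost RDN (like dirname)."""
    rdns = parse_dn(dn)
    if len(rdns) < 2:
        raise ValueError("DN has no parent")
    return format_dn(rdns[1:])

def canonical_name(dn):
    """ADUC-style canonical name: domain first, then the containers, then the
    object, read left to right like a file path."""
    rdns = parse_dn(dn)
    path = [v for a, v in rdns if a != "DC"]
    return "/".join([domain_of(rdns)] + path[::-1])

if __name__ == "__main__":
    # Constructed sample DNs for the demo.
    for dn in ("CN=Jane Doe,OU=Finance,OU=Staff,DC=xyz,DC=com",
               "CN=Doe\\, Jane,CN=Users,DC=xyz,DC=com"):
        print(dn)
        print("  domain   :", domain_of(parse_dn(dn)))
        print("  parent   :", parent_dn(dn))
        print("  canonical:", canonical_name(dn))
```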

  • 35/85

    Object creation - GUI

    GUI = Active Directory Users & Computers

    Create various object types:

    Users, computers, groups, OUs, folders, printers etc.

    Also can manage Exchange server related attributes/tasks

    MMC snap-in

    Can be used in a custom console

  • 36/85

    Printers

    Printers on Windows print servers are created automatically

    Generally hidden in AD

    Can be displayed, and moved to increase visibility

    Can manually create printers also

  • 37/85

    Object creation - CLI

    New Windows Server 2003 tools

    DS___ tools

    Dsadd, dsmove, dsrm, dsquery, dsget, dsmod

    Use DN

    General command structure:

    Ds -

    Can be batched together in a file


  • 39/85

    Object creation - mass

    Import and export tools

    CSVDE & LDIFDE

    Differ in file format

    Differ in capabilities

    Csvde creates objects only

    Ldifde can create, modify and delete objects
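The format difference behind the CSVDE/LDIFDE comparison above, as an added example that is not part of the deck: a small writer for LDIF change records of the kind ldifde imports. It emits the three record types the slide attributes to ldifde (add, modify, delete), closes each modify operation with the mandatory "-" line, and base64-encodes any value LDIF cannot carry in the clear (non-ASCII text, leading space or colon, embedded line breaks). The DNs and attribute values are constructed for the illustration.

```python
import base64

def _safe(value):
    """LDIF may write a value in the clear only if it is ASCII, does not begin
    with space, ':' or '<', does not end with a space and has no CR/LF.
    Anything else is written base64-encoded after a double colon."""
    return (bool(value) and value.isascii() and value[0] not in " :<"
            and value[-1] != " " and "\r" not in value and "\n" not in value)

def attr_line(name, value):
    if _safe(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_add(dn, attrs):
    """'changetype: add' record; attrs maps attribute -> value or list of values."""
    lines = [attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(attr_line(name, v))
    return "\n".join(lines) + "\n"

def ldif_modify(dn, ops):
    """'changetype: modify' record; ops is a list of (op, attribute, values)
    with op in add/replace/delete. Each operation block ends with a '-' line."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, name, values in ops:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation {op!r}")
        lines.append(f"{op}: {name}")
        lines.extend(attr_line(name, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"

def ldif_delete(dn):
    return f"{attr_line('dn', dn)}\nchangetype: delete\n"

def build_ldif(records):
    """One import file: LDIF separates records with a blank line."""
    return "\n".join(records)

def sample_batch():
    # Constructed sample: create a user, fix a description (non-ASCII, so it
    # must be base64), and remove an obsolete object, all in one ldifde run.
    return build_ldif([
        ldif_add("CN=Jane Doe,OU=Staff,DC=xyz,DC=com", {
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": "jdoe",
            "displayName": "Jane Doe",
        }),
        ldif_modify("CN=Jane Doe,OU=Staff,DC=xyz,DC=com",
                    [("replace", "description", ["Überwachung"])]),
        ldif_delete("CN=Old Printer,OU=Staff,DC=xyz,DC=com"),
    ])

if __name__ == "__main__":
    print(sample_batch(), end="")
```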

  • 40/85

    Searching for objects

    ADUC find tool

    Common queries

    Saved queries

    Dsquery

    Dsget

    Dsquery and dsget compared

  • 41/85

    Chris Alberts/ExecuTrain of Austin

    Object management

    Common tasks include:

    Reset user password/force change

    Manipulating printers

    Rename accounts

    Reset computer account

    Delete/readd computer to domain

    Modify object attribute

    Mass changes

    Can be done graphically or not

  • 42/85

    Session wrap up

    Intro to AD

    Structure and terminology

    AD design considerations

    Factors influencing design

    AD administration

    Tools, commands

  • 43/85

    2: Security & Group Policy

    Components of Security

    Recommendations

    Group policy


  • 45/85

    Recommendations

    DCs should be physically secure (all servers)

    Minimal data on workstations

    Educate users about the importance of maintaining security

    Use features of Windows to implement security

    Group policy

    Security templates / Security Configuration & Analysis

    IPSec

    Windows Firewall (SP1)

  • 46/85

    Introduction to Group Policy

    Introduced with Windows 2000

    Can be used with or without AD

    Major factor in reducing TCO

    Ensures compliance with organizational policy

    Underutilized feature generally

    Needs to be done right: thoroughly tested before implementation

    Powerful tool, being expanded constantly

  • 47/85

    Benefits of Group Policy

    Understand that security is heavily reliant upon user activities

    GP exists to restrict user activities

    Can restrict administrators, but better to avoid regular users having administrative rights

    Configuration management

    Enforce security settings consistently

    Restrict users' access to parts of the interface

    Wide range of settings, customizable


  • 49/85

    Basic Structure of GP

    GP enforces registry settings

    Like the registry, contains computer and user related settings

    Most basic security is under Computer

    Windows\Security settings node

    Most user restrictions are under User

    Administrative Templates node

  • 50/85

    How is GP applied?

    With Active Directory

    Policy set on AD containers

    Site, Domain and OU

    Enforced automatically based on the location of the user/computer in AD

    Complicated inheritance/conflicts

    Without AD

    Set manually, or secedit script on boot

    Fewer options available (e.g. software distribution)

  • 51/85

    Policy application (detail)

    Site, Domain, OU (basic rule)

    Local policy applied first

    May be many policies applying

    If settings are compatible, all apply (inheritance)

    If settings conflict, the setting from the policy closest to the user/computer is the overriding policy

    Last writer wins

  • 52/85

    Exceptions to the basic rule

    Block inheritance (container setting)

    No override/enforce (policy setting)

    Account policy only honored at the domain level

    Policy filtering using permissions

    WMI filtering

    Loopback
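The precedence rules of the two preceding slides (Local, Site, Domain, OU order; last writer wins; link order; Block Inheritance; No override/Enforce), modelled as a small RSoP calculator. This is an added illustration, not Microsoft code or anything from the deck: the container chain, GPO names and settings are constructed for the demo, and the model covers only link precedence (permission filtering, WMI filtering and loopback are not modelled).

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value

@dataclass
class Link:
    gpo: GPO
    order: int                 # link order within the container: 1 = highest precedence
    enforced: bool = False     # "No override" / Enforced on the link

@dataclass
class Container:
    name: str
    kind: str                  # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def application_order(chain):
    """chain: containers from Local down to the OU holding the user/computer
    (Local, Site, Domain, OU, ..., OU). Returns (container, gpo) pairs in the
    order the client applies them; the last writer of a conflicting setting wins."""
    # Block Inheritance discards non-enforced links from every container above
    # the blocking container; the deepest blocking container decides.
    blocked_above = -1
    for i, c in enumerate(chain):
        if c.block_inheritance:
            blocked_above = i
    normal, enforced_per_container = [], []
    for i, c in enumerate(chain):
        enforced_here = []
        # Link order 1 must be applied last, so walk the links highest order first.
        for link in sorted(c.links, key=lambda l: l.order, reverse=True):
            if link.enforced:
                enforced_here.append((c, link.gpo))
            elif c.kind == "local" or i >= blocked_above:
                normal.append((c, link.gpo))    # local policy is always applied first
        enforced_per_container.append(enforced_here)
    # Enforced links are applied after all normal ones, deepest container first and
    # the top of the hierarchy last, so an enforced domain GPO beats an enforced OU GPO.
    for enforced_here in reversed(enforced_per_container):
        normal.extend(enforced_here)
    return normal

def resolve(chain):
    """Resultant Set of Policy: setting -> (value, 'GPO @ container' that won)."""
    rsop = {}
    for container, gpo in application_order(chain):
        for key, value in gpo.settings.items():
            rsop[key] = (value, f"{gpo.name} @ {container.name}")
    return rsop

def demo_chain(block_inheritance):
    """Constructed sample hierarchy: Local -> site HQ -> xyz.com -> OU Workstations -> OU Kiosks."""
    local = Container("Local", "local", [Link(GPO("Local GPO", {"Screensaver/Timeout": 600}), 1)])
    site = Container("HQ", "site", [Link(GPO("Site-Proxy", {"IE/Proxy": "proxy.hq"}), 1)])
    domain = Container("xyz.com", "domain", [
        Link(GPO("Domain-Lockdown", {"Firewall/Enabled": True}), 1, enforced=True),
        Link(GPO("Default Domain Policy", {"Screensaver/Timeout": 900, "IE/Proxy": "proxy.xyz"}), 2),
    ])
    workstations = Container("Workstations", "ou", [
        Link(GPO("WS-Baseline", {"Screensaver/Timeout": 300, "Firewall/Enabled": False}), 1),
    ], block_inheritance=block_inheritance)
    kiosks = Container("Kiosks", "ou", [Link(GPO("Kiosk-Lockdown", {"Screensaver/Timeout": 120}), 1)])
    return [local, site, domain, workstations, kiosks]

if __name__ == "__main__":
    for blocked in (False, True):
        print(f"Block Inheritance on Workstations = {blocked}")
        for key, (value, source) in sorted(resolve(demo_chain(blocked)).items()):
            print(f"  {key:20} = {value!s:10} from {source}")
```

With Block Inheritance set on the Workstations OU, the site and domain proxy settings disappear from the kiosk's RSoP while the enforced Domain-Lockdown GPO still overrides the OU's firewall setting.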


  • 54/85

    GP and the boot process

    First time = thoroughly evaluates policy

    Afterwards = checks GPO list

    Only reapplies if list has changed

    Not individual settings

    Policy refreshed dynamically

    Every 90 mins + offset for non-DCs

    Can be controlled

    Designed to minimize impact on boot and logon

  • 55/85

    Security settings within GP

    Wide range of settings:

    Service settings (auto/manual/disabled)

    Restricted groups

    Security options

    IE restrictions

    Software restriction

    IPSec

    many, many more

  • 56/85

    Managing computer security by role

    Computers should be organized into roles for appropriate application of security

    In AD this will impact your OU structure

    Examples: Standard desktops

    Notebooks, workstations

    Domain controllers

    Application servers, Network infrastructure servers, etc.

    Kiosks

  • 57/85

    Security templates

    Templates fit in with the idea of role based security

    A template is a file (.adm) containing security settings

    Templates can be imported into local or group policy or applied using secedit

    MS supplies some with Windows (see help)

    Can edit those or create your own

    Use the security templates tool


  • 59/85

    Testing security policy settings

    Inappropriately applied policy can render a computer unusable

    Important to test before applying

    Easier in an AD environment

    Dummy OU, spare computer

    Tougher in a standalone environment

    Maintain a rollback template

  • 60/85

    Other policy settings

    Software installation and maintenance

    Windows updates

    Software restriction

    Scripts

    Certificate enrollment

    Folder redirection

    Administrative Templates

  • 61/85

    Software installation

    GP can deploy software

    Also patch, update and remove (cleanly)

    If installed by GP

    Uses Windows Installer service

    Uses .msi files

    User does not require install rights

    Can be deployed in 3 ways

    Assign to computer

    Assign to user

    Publish to user

    Must be thoroughly tested

    Repackage with WinInstall LE


  • 62/85

    Windows Auto Update

    System control panel settings

    Can be controlled through policy

    Point users to internal SUS server

    Prevent them bypassing

    SUS server is your box

    Synchronized from MS Windows Update servers

    Allows testing before applying

    SUS -> WSUS (was WUS) soon


  • 63/85

    Software Restriction Policy

    New in 2003 (& XP)

    Allows or prevents software from running in Windows

    Basic policy (allow or restrict)

    Rules for exceptions: Path (folder or registry)

    Hash (specific file)

    Certificate

    Internet zone (.msi files only)

    Computer or user based

    Needs thorough testing


  • 64/85

    Scripts

    4 types

    Startup (computer)

    Login (user)

    Logoff (user)

    Shutdown (computer)

    Now the recommended way to assign scripts

    Old way (ADUC) still works

    Scripts are used for?


  • 65/85

    Certificate policies

    Can be used to auto enroll

    Specify trusted root authorities

    Certificates useful for:

    User authentication (smart cards)

    IPSec

    SSL/TLS/SecureMIME

    Computer authentication

    Code signing


  • 66/85

    Folder redirection

    Redirect special folders

    My Documents

    Application Data

    Desktop

    Start Menu

    Part of user profile

    Provides consistent environment

    Keeps data off the client computer


  • 67/85

    Administrative Templates

    Hundreds of settings (mostly user)

    Impact the interface and operation of:

    Windows

    Windows components (IE, WMP)

    Applications (with addl .adm files)

    Can be misinterpreted by users

    Don't get carried away

    The implicit deal


  • 68/85

    GP management tools

    Built in tools

    ADUC

    GP object editor

    Security Templates

    Security configuration & analysis

    Group Policy Management Console

    Downloadable

    Aka GPMC

  • 69/85

    Adding the GP snap in (image-only slide)

  • 70/85

    Adding the GP snap in, continued (image-only slide)

  • 71/85

    GP editing interface (image-only slide)

  • 72/85

    Security options (image-only slide)

  • 73/85

    Security Templates tool (image-only slide)

  • 74/85

    Template detail (image-only slide)

  • 75/85

    Security config & analysis tool (image-only slide)

  • 76/85

    Tool detail (image-only slide)

  • 77/85

    Results of analysis (image-only slide)

  • 78/85

    GPMC

    Downloadable (search for GPMC.msi)

    Adds lots of functionality:

    Copy/import policies

    Backup and restore policies

    A big picture view

    RSoP

    Multi forest administration

    The recommended way to go


  • 79/85

    Policy Monitoring

    RSoP introduction

    Different modes

    RSoP in ADUC

    RSoP in Windows Help & Support

    Gpresult.exe

    GPMC


  • 80/85

    RSoP

    RSoP = Resultant Set of Policy

    = the net effect of all policies affecting a user/computer

    Takes account of inheritances

    Used to explain what the user sees and where it is coming from

    Useful troubleshooting/predicting tool

    Can be delegated permission to use RSoP


  • 81/85

    RSoP Modes

    RSoP can be in two modes

    Planning (or Modelling)

    Speculative

    Allows prediction of the effect of a change

    What if type modelling

    Logging (or Results)

    Based on actual data

    Queries the registry of a computer

    Mode names differ based on interface used


  • 83/85

    Windows Help & Support Center

    Users can use this to see a simplified view of RSoP

    A useful tool if you're at the user's station

    Start | Help and Support | Tools | Advanced System Information | View GP settings applied

  • 84/85

    Gpresult.exe

    Command line tool

    Changed since W2k

    Command line version of RSoP

    Various switches /v /z

    Built in tool (XP)


  • 85/85

    GPMC

    Gives graphical (HTML) report

    Much neater, easier to read

    Summary + detail

    Allows drill down

    Tabs can show any logged events related to policy (results mode)

    Or the query you ran (modelling)